systemd System and Service Manager CHANGES WITH 256-rc1: Announcements of Future Feature Removals and Incompatible Changes: * Support for automatic flushing of the nscd user/group database caches will be dropped in a future release. * Support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now considered obsolete and systemd by default will refuse to boot under it. To forcibly reenable cgroup v1 support, SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 must be set on kernel command line. The meson option 'default-hierarchy=' is also deprecated, i.e. only cgroup v2 ('unified' hierarchy) can be selected as build-time default. * Previously, systemd-networkd did not explicitly remove any bridge VLAN IDs assigned on bridge master and ports. Since version 256, if a .network file for an interface has at least one valid setting in the [BridgeVLAN] section, then all assigned VLAN IDs on the interface that are not configured in the .network file are removed. * systemd-gpt-auto-generator will stop generating units for ESP or XBOOTLDR partitions if it finds mount entries for or below the /boot/ or /efi/ hierarchies in /etc/fstab. This is to prevent the generator from interfering with systems where the ESP is explicitly configured to be mounted at some path, for example /boot/efi/ (this type of setup is obsolete but still commonly found). * The behavior of systemd-sleep and systemd-homed has been updated to freeze user sessions when entering the various sleep modes or when locking a homed-managed home area. This is known to cause issues with the proprietary NVIDIA drivers. Packagers of the NVIDIA proprietary drivers may want to add drop-in configuration files that set SYSTEMD_SLEEP_FREEZE_USER_SESSION=false for systemd-suspend.service and related services, and SYSTEMD_HOME_LOCK_FREEZE_SESSION=false for systemd-homed.service. * systemd-tmpfiles and systemd-sysusers, when given a relative configuration file path (with at least one directory separator '/'), will open the file directly, instead of searching for the given partial path in the standard locations. The old mode wasn't useful because tmpfiles.d/ and sysusers.d/ configuration has a flat structure with no subdirectories under the standard locations and this change makes it easier to work with local files with those tools. * systemd-tmpfiles now properly applies nested configuration to 'R' and 'D' stanzas. For example, with the combination of 'R /foo' and 'x /foo/bar', /foo/bar will now be excluded from removal. General Changes and New Features: * Various programs will now attempt to load the main configuration file from locations below /usr/lib/, /usr/local/lib/, and /run/, not just below /etc/. For example, systemd-logind will look for /etc/systemd/logind.conf, /run/systemd/logind.conf, /usr/local/lib/systemd/logind.conf, and /usr/lib/systemd/logind.conf, and use the first file that is found. This means that the search logic for the main config file and for drop-ins is now the same. Similarly, kernel-install will look for the config files in /usr/lib/kernel/ and the other search locations, and now also supports drop-ins. systemd-udevd now supports drop-ins for udev.conf. * A new 'systemd-vpick' binary has been added. It implements the new vpick protocol, where a "*.v/" directory may contain multiple files which have versions (following the UAPI version format specification) embedded in the file name. The files are ordered by version and the newest one is selected. systemd-nspawn --image=/--directory=, systemd-dissect, and the RootDirectory=, RootImage=, ExtensionImages=, and ExtensionDirectories= settings for units now support the vpick protocol and allow the latest version to be selected automatically if a "*.v/" directory is specified as the source. * Encrypted service credentials may now be made accessible to unprivileged users. systemd-creds gained new options --user/--uid= for encrypting/decrypting a credential for a specific user. * New command-line tool 'importctl' to download, import, and export disk images via systemd-importd is added with the following verbs: pull-tar, pull-raw, import-tar, import-raw, import-fs, export-tar, export-raw, list-transfers, cancel-transfer. This functionality was previously available in "machinectl", where it was exclusively for machine image. The new "importctl" generalizes this for sysext, confext, portable service images, too. Service Management: * New system manager setting ProtectSystem= has been added. It is analogous to the unit setting, but applies to the whole system. It is enabled by default in the initrd. * New unit setting WantsMountsFor= has been added. It is analogous to RequiresMountsFor=, but with a Wants= dependency instead of Requires=. This new logic is used in various places where mounts were added as dependencies for other settings (WorkingDirectory=-…, PrivateTmp=yes, cryptsetup lines with 'nofail'). * New unit setting MemoryZSwapWriteback= can be used to control the new memory.zswap.writeback cgroup knob added in kernel 6.8. * The manager gained a org.freedesktop.systemd1.StartAuxiliaryScope() D-Bus method to devolve some processes from a service into a new scope. This new scope will remain even if the original service unit is restarted. Control group properties of the new scope are copied from the originating unit, so various limits are retained. * Units now expose properties EffectiveMemoryMax=, EffectiveMemoryHigh=, and EffectiveTasksMax=, which report the most stringent limit systemd is aware of for the given unit. * A new unit file specifier %D expands to $XDG_DATA_HOME (for user services) or /usr/share/ (for system services). * AllowedCPUs= now supports specifier expansion. * What= setting in .mount and .swap units now accepts fstab-style identifiers, for example UUID=… or LABEL=…. * RestrictNetworkInterfaces= now supports alternative network interface names. * PAMName= now implies SetLoginEnvironment=yes. * systemd.firstboot=no can be used on the kernel command-line to disable interactive queries, but allow other first boot configuration to happen based on credentials. * The system's hostname can be configured via the systemd.hostname system credential. * The systemd binary will no longer chainload sysvinit's "telinit" binary when called under the init/telinit name on a system that isn't booted with systemd. This previously has been supported to make sure a distribution that has both init systems installed can be reasonably switched from one to the other via a simple reboot. Distributions apparently have lost interest in this, and the functionality has not been supported on the primary distribution this was still intended for for a longer time, and hence has been removed now. * A new concept called "capsules" has been introduced. "Capsules" encapsulate additional per-user service managers, whose users are transient and are only defined as long as the service manager is running (implemented via DynamicUser=1). These service managers run off home directories defined in /var/lib/capsules/, where is a the capsule's name. These home directories can contain regular per-user services and other units. A capsule is started via a simple "systemctl start capsule@.service". See the capsule@.service(5) man page for further details. Various systemd tools (including, and most importantly, systemctl and systemd-run) have been updated to interact with capsules via the new "--capsule="/"-C" switch. * .socket units gained a new setting PassFileDescriptorsToExec=, taking a boolean value. If set to true the file descriptors the socket unit encapsulates are passed to the ExecStartPost=, ExecStopPre=, ExecStopPost= using the usual $LISTEN_FDS interface. This may be used for doing additional initializations on the sockets once they are allocated (for example, install an additional eBPF program on them). * The .socket setting MaxConnectionsPerSource= (which so far put a limit on concurrent connections per IP in Accept=yes socket units), now also has an effect on AF_UNIX sockets: it will put a limit on the number of simultaneous connections from the same source UID (as determined via SO_PEERCRED). This is useful for implementing IPC services in a simple Accept=yes mode. * The service manager will now maintain a counter of soft reboot cycles the system went through so far. It may be queried via the D-Bus APIs. * systemd's execution logic now supports the new pidfd_spawn() API introduced by glibc 2.39, which allows us to invoke a subprocess in a target cgroup and get a pidfd back in a single operation. * systemd/PID 1 will now send an additional sd_notify() message to its supervising VMM or container manager reporting the selected hostname ("X_SYSTEMD_HOSTNAME=") and machine ID ("X_SYSTEMD_MACHINE_ID=") at boot. Moreover, the service manager will send additional sd_notify() messages ("X_SYSTEMD_UNIT_ACTIVE=") whenever a target unit is reached. This can be used by VMMs/container managers to schedule access to the system precisely. For example, the moment a system reports "ssh-access.target" being reached a VMM/container manager knows it can now connect to the system via SSH. Finally, a new sd_notify() message ("X_SYSTEMD_SIGNALS_LEVEL=2") is sent the moment PID 1 successfully completed installation of its various UNIX process signal handlers (i.e. the moment where SIGRTMIN+4 sent to PID 1 will start to have the effect of shutting down the system cleanly). Journal: * systemd-journald can now forward journal entries to a socket (AF_INET, AF_INET6, AF_UNIX, or AF_VSOCK). The socket can be specified in journald.conf via a new option ForwardAddress= or via the 'journald.forward_address' credential. Log records are sent in the Journal Export Format. A related setting MaxLevelSocket= has been added to control the maximum log levels for the messages sent to this socket. * systemd-vmspawn gained a new --forward-journal= option to forward the virtual machine's journal entries to the host. This is done over a AF_VSOCK socket, i.e. it does not require networking in the guest. * journalctl gained option '-i' as a shortcut for --file=. * journalctl gained a new -T/--exclude-identifier= option to filter out certain syslog identifiers. * journalctl gained a new --list-namespaces option. * systemd-journal-remote now also accepts AF_VSOCK and AF_UNIX sockets (so it can be used to receive entries forwarded by systemd-journald). * systemd-journal-gatewayd allows restricting the time range of retrieved entries with a new "realtime=[]:[]" URL parameter. * systemd-cat gained a new option --namespace= to specify the target journal namespace to which the output shall be connected. * systemd-bsod gained a new option --tty= to specify the output TTY Device Management: * /dev/ now contains symlinks that combine by-path and by-{label,uuid} information: /dev/disk/by-path//by-/ This allows distinguishing partitions with identical contents on multiple storage devices. This is useful, for example, when copying raw disk contents between devices. * systemd-udevd now creates persistent /dev/media/by-path/ symlinks for media controllers. For example, the uvcvideo driver may create /dev/media0 which will be linked as /dev/media/by-path/pci-0000:04:00.3-usb-0:1:1.0-media-controller. * A new unit systemd-udev-load-credentials.service has been added to pick up udev.conf drop-ins and udev rules from credentials. * An allowlist/denylist may be specified to filter which sysfs attributes are used when crafting network interface names. Those lists are stored as hwdb entries ID_NET_NAME_ALLOW_=0|1 and ID_NET_NAME_ALLOW=0|1. The goal is to avoid unexpected changes to interface names when the kernel is updated and new sysfs attributes become visible. * A new unit tpm2.target has been added to provide a synchronization point for units which expect the TPM hardware to be available. A new generator "systemd-tpm2-generator" has been added that will insert this target whenever it detects that the firmware has initialized a TPM, but Linux hasn't loaded a driver for it yet. * systemd-backlight now properly supports numbered devices which the kernel creates to avoid collisions in the leds subsystem. * systemd-hwdb update operation can be disabled with a new environment variable SYSTEMD_HWDB_UPDATE_BYPASS=1. systemd-hostnamed: * systemd-hostnamed now exposes the machine ID and boot ID via D-Bus. It also exposes the hosts AF_VSOCK CID, if available. * systemd-hostnamed now provides a basic Varlink interface. * systemd-hostnamed exports the full data in os-release(5) and machine-info(5) via D-Bus and Varlink. * hostnamectl now shows the system's product UUID and hardware serial number if known. Network Management: * systemd-networkd now provides a basic Varlink interface. * systemd-networkd's ARP proxy support gained a new option to configure a private VLAN variant of the proxy ARP supported by the kernel under the name IPv4ProxyARPPrivateVLAN=. * systemd-networkd now exports the NamespaceId and NamespaceNSID properties via D-Bus and Varlink. (which expose the inode and NSID of the network namespace the networkd instance manages) * systemd-networkd now supports IPv6RetransmissionTimeSec= and UseRetransmissionTime= settings in .network files to configure retransmission time for IPv6 neighbor solicitation messages. * networkctl gained new verbs 'mask' and 'unmask' for masking networkd configuration files such as .network files. * 'networkctl edit --runtime' allows editing volatile configuration under /run/systemd/network/. * The implementation behind TTLPropagate= network setting has been removed and the setting is now ignored. * systemd-network-generator will now pick up .netdev/.link/.network/ networkd.conf configuration from system credentials. * systemd-networkd will now pick up wireguard secrets from credentials. * systemd-networkd's Varlink API now supports enumerating LLDP peers. * .link files now support new Property=, ImportProperty=, UnsetProperty= fields for setting udev properties on a link. * The various .link files that systemd ships for interfaces that are supposed to be managed by systemd-networkd only now carry a ID_NET_MANAGED_BY=io.systemd.Network udev property ensuring that other network management solutions honouring this udev property do not come into conflict with networkd, trying to manage these interfaces. * .link files now support a new ReceivePacketSteeringCPUMask= setting for configuring which CPUs to steer incoming packets to. systemd-nspawn: * systemd-nspawn now provides a /run/systemd/nspawn/unix-export/ directory where the container payload can expose AF_UNIX sockets to allow them them to be accessed from outside. * systemd-nspawn will tint the terminal background for containers in a blueish color. This can be controller with the new --background= switch. * systemd-nspawn gained support for the 'owneridmap' option for --bind= mounts to map the target directory owner from inside the container to the owner of the directory bound from the host filesystem. * systemd-nspawn now supports moving Wi-Fi network devices into a container, just like other network interfaces. systemd-resolved: * systemd-resolved now reads RFC 8914 EDE error codes provided by upstream DNS services. * systemd-resolved and resolvectl now support RFC 9460 SVCB and HTTPS records, as well as RFC 2915 NAPTR records. * resolvectl gained a new option --relax-single-label= to allow querying single-label hostnames via unicast DNS on a per-query basis. * systemd-resolved's Varlink IPC interface now supports resolving DNS-SD services as well as an API for resolving raw DNS RRs. * systemd-resolved's .dnssd DNS_SD service description files now support DNS-SD "subtypes" via the new SubType= setting. * systemd-resolved's configuration may now be reloaded without restarting the service. (i.e. "systemctl reload systemd-resolved" is now supported) SSH Integration: * An sshd config drop-in to allow ssh keys acquired via userdbctl (for example expose by homed accounts) to be used for authorization of incoming SSH connections. * A small new unit generator "systemd-ssh-generator" has been added. It checks if the sshd binary is installed. If so, it binds it via per-connection socket activation to various sockets depending on the execution context: • If the system is run in a VM providing AF_VSOCK support, it automatically binds sshd to AF_VSOCK port 22. • If the system is invoked as a full-OS container and the container manager pre-mounts a directory /run/host/unix-export/, it will bind sshd to an AF_UNIX socket /run/host/unix-export/ssh. The idea is the container manager bind mounts the directory to an appropriate place on the host as well, so that the AF_UNIX socket may be used to easily connect from the host to the container. • sshd is also bound to an AF_UNIX socket /run/ssh-unix-local/socket, which may be to use ssh/sftp in a "sudo"-like fashion to access resources of other local users. • Via the kernel command line option "systemd.ssh_listen=" and the system credential "ssh.listen" sshd may be bound to additional, explicitly configured options, including AF_INET/AF_INET6 ports. In particular the first two mechanisms should make dealing with local VMs and full OS containers a lot easier, as SSH connections will *just* *work* from the host – even if no networking is available whatsoever. systemd-ssh-generator optionally generates a per-connection socket activation service file wrapping sshd. This is only done if the distribution does not provide one on its own under the name "sshd@.service". The generated unit only works correctly if the SSH privilege separation ("privsep") directory exists. Unfortunately distributions vary wildly where they place this directory. An incomprehensive list: • /usr/share/empty.sshd/ (new fedora) • /var/empty/ • /var/empty/sshd/ • /run/sshd/ (debian/ubuntu?) If the SSH privsep directory is placed below /var/ or /run/ care needs to be taken that the directory is created automatically at boot if needed, since these directories possibly or always come up empty. This can be done via a tmpfiles.d/ drop-in. You may use the "sshdprivsepdir" meson option provided by systemd to configure the directory, in case you want systemd to create the directory as needed automatically, if your distribution does not cover this natively. Recommendations to distributions, in order to make things just work: • Please provide a per-connection SSH service file under the name "sshd@.service". • Please move the SSH privsep dir into /usr/ (so that it is truly immutable on image-based operating systems, is strictly under package manager control, and never requires recreation if the system boots up with an empty /run/ or /var/). • As an extension of this: please consider following Fedora's lead here, and use /usr/share/empty.sshd/ to minimize needless differences between distributions. • If your distribution insists on placing the directory in /var/ or /run/ then please at least provide a tmpfiles.d/ drop-in to recreate it automatically at boot, so that the sshd binary just works, regardless in which context it is called. * A small tool "systemd-ssh-proxy" has been added, which is supposed to act as counterpart to "systemd-ssh-generator". It's a small plug-in for the SSH client (via ProxyCommand/ProxyUseFdpass) to allow it to connect to AF_VSOCK or AF_UNIX sockets. Example: "ssh vsock/4711" connects to a local VM with cid 4711, or "ssh unix/run/ssh-unix-local/socket" to connect to the local host via the AF_UNIX socket /run/ssh-unix-local/socket. systemd-boot and systemd-stub and Related Tools: * TPM 1.2 PCR measurement support has been removed from systemd-stub. TPM 1.2 is obsolete and – due to the (by today's standards) weak cryptographic algorithms it only supports – does not actually provide the security benefits it's supposed to provide. Given that the rest of systemd's codebase never supported TPM 1.2, the support has now been removed from systemd-stub as well. * systemd-stub will now measure its payload via the new EFI Confidential Computing APIs (CC), in addition to the pre-existing measurements to TPM. * confexts are loaded by systemd-stub from the ESP as well. * kernel-install gained support for --root= for the 'list' verb. * bootctl now provides a basic Varlink interface and can be run as a daemon via a template unit. * systemd-measure gained new options --certificate=, --private-key=, and --private-key-source= to allow using OpenSSL's "engines" or "providers" as the signing mechanism to use when creating signed TPM2 PCR measurement values. * ukify gained support for signing of PCR signatures via OpenSSL's engines and providers. * ukify now supports zboot kernels. * systemd-boot now supports passing additional kernel command line switches to invoked kernels via an SMBIOS Type #11 string "io.systemd.boot.kernel-cmdline-extra". This is similar to the pre-existing support for this in systemd-stub, but also applies to Type #1 Boot Loader Specification Entries. * systemd-boot's automatic SecureBoot enrollment support gained support for enrolling "dbx" too (Previously, only db/KEK/PK enrollment was supported). It also now supports UEFI "Custom" mode. * The pcrlock policy is saved in an unencrypted credential file "pcrlock..cred" under XBOOTLDR/ESP in the /loader/credentials/ directory. It will be picked up at boot by systemd-stub and passed to the initrd, where it can be used to unlock the root file system. * systemd-pcrlock gained an --entry-token= option to configure the entry-token. * systemd-pcrlock now provides a basic Varlink interface and can be run as a daemon via a template unit. * systemd-pcrlock's TPM nvindex access policy has been modified, this means that previous pcrlock policies stored in nvindexes are invalidated. They must be removed (systemd-pcrlock remove-policy) and recreated (systemd-pcrlock make-policy). For the time being systemd-pcrlock remains an experimental feature, but it is expected to become stable in the next release, i.e. v257. * systemd-pcrlock's --recovery-pin= switch now takes three values: "hide", "show", "query". If "show" is selected the automatically generated recovery PIN is shown to the user. If "query" is selected then the PIN is queried from the user. systemd-run/run0: * systemd-run is now a multi-call binary. When invoked as 'run0', it provides as interface similar to 'sudo', with all arguments starting at the first non-option parameter being treated the command to invoke as root. Unlike 'sudo' and similar tools, it does not make use of setuid binaries or other privilege escalation methods, but instead runs the specified command as a transient unit, which is started by the system service manager, so privileges are dropped, rather than gained, thus implementing a much more robust and safe security model. As usual, authorization is managed via Polkit. * systemd-run/run0 will now tint the terminal background on supported terminals: in a reddish tone when invoking a root service, in a yellowish tone otherwise. This may be controlled and turned off via the new --background= switch. * systemd-run gained a new option '--ignore-failure' to suppress command failures. Command-line tools: * 'systemctl edit --stdin' allows creation of unit files and drop-ins with contents supplied via standard input. This is useful when creating configuration programmatically; the tool takes care of figuring out the file name, creating any directories, and reloading the manager afterwards. * 'systemctl disable --now' and 'systemctl mask --now' now work correctly with template units. * 'systemd-analyze architectures' lists known CPU architectures. * 'systemd-analyze --json=…' is supported for 'architectures', 'capability', 'exit-status'. * 'systemd-tmpfiles --purge' will purge (remove) all files and directories created via tmpfiles.d configuration. * systemd-id128 gained new options --no-pager, --no-legend, and -j/--json=. * hostnamectl gained '-j' as shortcut for '--json=pretty' or '--json=short'. * loginctl now supports -j/--json=. * resolvectl now supports -j/--json= for --type=. * systemd-tmpfiles gained a new option --dry-run to print what would be done without actually taking action. * varlinkctl gained a new --collect switch to collect all responses of a method call that supports multiple replies and turns it into a single JSON array. * systemd-dissect gained a new --make-archive option to generate an archive file (tar.gz and similar) from a disk image. systemd-vmspawn: * systemd-vmspawn gained a new --firmware= option to configure or list firmware definitions for Qemu, a new --tpm= option to enable or disable the use of a software TPM, a new --linux= option to specify a kernel binary for direct kernel boot, a new --initrd= option to specify an initrd for direct kernel boot, a new -D/--directory option to use a plain directory as the root file system, a new --private-users option similar to the one in systemd-nspawn, new options --bind= and --bind-ro= to bind part of the host's file system hierarchy into the guest, a new --extra-drive= option to attach additional storage, and -n/--network-tap/--network-user-mode to configure networking. * A new systemd-vmspawn@.service can be used to launch systemd-vmspawn as a service. * systemd-vmspawn gained the new --console= and --background= switches that control how to interact with the VM. As before, by default an interactive terminal interface is provided, but now with a background tinted with a greenish hue. * systemd-vmspawn can now register its VMs with systemd-machined, controlled via the --register= switch. * machinectl's start command (and related) can now invoke images either as containers via `systemd-nspawn` (switch is --runner=nspawn, the default) or as VMs via `systemd-vmspawn` (switch is --runner=vmspawn, or short -V). * systemd-vmspawn now supports two switches --pass-ssh-key= and --ssh-key-type= to optionally set up transient SSH keys to pass to the invoked VMs in order to be able to SSH into them once booted. systemd-repart: * systemd-repart gained new options --generate-fstab= and --generate-crypttab= to write out fstab and crypttab files matching the generated partitions. * systemd-repart gained a new option --private-key-source= to allow using OpenSSL's "engines" or "providers" as the signing mechanism to use when creating verity signature partitions. * systemd-repart gained a new DefaultSubvolume= setting in repart.d/ drop-ins that allow configuring the default btrfs subvolume for newly formatted btrfs file systems. Libraries: * libsystemd gained new call sd_bus_creds_new_from_pidfd() to get a credentials object for a pidfd and sd_bus_creds_get_pidfd_dup() to retrieve the pidfd from a credentials object. * sd-bus' credentials logic will now also acquire peer's UNIX group lists and peer's pidfd if supported and requested. * RPM macro %_kernel_install_dir has been added with the path to the directory for kernel-install plugins. * The liblz4, libzstd, liblzma, libkmod, libgcrypt dependencies have been changed from regular shared library dependencies into dlopen() based ones. * The sd-journal API gained a new call sd_journal_stream_fd_with_namespace() which is just like sd_journal_stream_fd() but creates a log stream targeted at a specific log namespace. systemd-cryptsetup/systemd-cryptenroll: * systemd-cryptenroll can now enroll directly with a PKCS11 public key (instead of a certificate). * systemd-cryptsetup/systemd-cryptenroll now may lock a disk against a PKCS#11 provided EC key (before it only supported RSA). * systemd-cryptsetup gained support for crypttab option link-volume-key= to link the volume key into the kernel keyring when the volume is opened. * systemd-cryptenroll will no longer enable Dictionary Attack Protection (i.e. turn on NO_DA) for TPM enrollments that do not involve a PIN. DA should not be necessary in that case (since key entropy is high enough to make this unnecessary), but risks accidental lock-out in case of unexpected PCR changes. * systemd-cryptenroll now supports enrolling a new slot while unlocking the old slot via TPM2 (previously unlocking only worked via password or FIDO2). Documentation: * The remaining documentation that was on https://freedesktop.org/wiki/Software/systemd/ has been moved to https://systemd.io/. * A new text describing the VM integration interfaces of systemd has been added: https://systemd.io/VM_INTERFACE * The sd_notify() man page has gained an example with C code that shows how to implement the interface in C without involving libsystemd. systemd-homed, systemd-logind, systemd-userdbd: * systemd-homed now supports unlocking of home directories when logging in via SSH. Previously home directories needed to be unlocked before an SSH login is attempted. * JSON User Records have been extended with a separate public storage area called "User Record Blob Directories". This is intended to store the user's background image, avatar picture, and other similar items which are too large to fit into the User Record itself. systemd-homed, userdbctl, and homectl gained support for blob directories. homectl gained --avatar= and --login-background= to control two specific items of the blob directories. * A new "additionalLanguages" field has been added to JSON user records (as supported by systemd-homed and systemd-userdbd), which is closely related to the pre-existing "preferredLanguage", and allows specifying multiple additional languages for the user account. It is used to initialize the $LANGUAGES environment variable when used. * A new pair of "preferredSessionType" and "preferredSessionLauncher" fields have been added to JSON user records, that may be used to control which kind of desktop session to preferable activate on logins of the user. * homectl gained a new verb 'firstboot', and a new systemd-homed-firstboot.service unit uses this verb to create users in a first boot environment, either from system credentials or by querying interactively. * systemd-logind now supports a new "background-light" session class which does not pull in the user@.service unit. This is intended in particular for lighter weight per-user cron jobs which do require any per-user service manager to be around. * The per-user service manager will now be tracked as a distinct "manager" session type among logind sessions of each user. * homectl now supports an --offline mode, by which certain account properties can be changed without unlocking the home directory. * systemd-logind gained a new org.freedesktop.login1.Manager.ListSessionsEx() method that provides additional metadata compared to ListSessions(). loginctl makes use of this to list additional fields in list-sessions. * systemd-logind gained a new org.freedesktop.login1.Manager.Sleep() method that automatically redirects to SuspendThenHibernate(), Suspend(), HybridSleep(), or Hibernate(), depending on what is supported and configured, a new configuration setting SleepOperation=, and an accompanying helper method org.freedesktop.login1.Manager.CanSleep() and property org.freedesktop.login1.Manager.SleepOperation. 'systemctl sleep' calls the new method to automatically put the machine to sleep in the most appropriate way. Credential Management: * systemd-creds now provides a Varlink IPC API for encrypting and decrypting credentials. * systemd-creds' "tpm2-absent" key selection has been renamed to "null", since that's what it actually does: "encrypt" and "sign" with a fixed null key. --with-key=null should only be used in very specific cases, as it provides zero integrity or confidentiality protections. (i.e. it's only safe to use as fallback in environments lacking both a TPM and access to the root fs to use the host encryption key, or when integrity is provided some other way.) * systemd-creds gained a new switch --allow-null. If specified, the "decrypt" verb will decode encrypted credentials that use the "null" key (by default this is refused, since using the "null" key defeats the authenticated encryption normally done). Suspend & Hibernate: * The sleep.conf configuration file gained a new MemorySleepMode= setting for configuring the sleep mode in more detail. * A tiny new service systemd-hibernate-clear.service has been added which clears hibernation information from the HibernateLocation EFI variable, in case the resume device is gone. Normally, this variable is supposed to be cleaned up by the code that initiates the resume from hibernation image. But when the device is missing and that code doesn't run, this service will now do the necessary work, ensuring that no outdated hibernation image information remains on subsequent boots. Unprivileged User Namespaces & Mounts: * A small new service systemd-nsresourced.service has been added. It provides a Varlink IPC API that assigns a free, transiently allocated 64K UID/GID range to an uninitialized user namespace a client provides. It may be used to implement unprivileged container managers and other programs that need dynamic user ID ranges. It also provides interfaces to then delegate mount file descriptors, control groups and network interfaces to user namespaces set up this way. * A small new service systemd-mountfsd.service has been added. It provides a Varlink IPC API for mounting DDI images, and returning a set of mount file descriptors for it. If a user namespace fd is provided as input, then the mounts are registered with the user namespace. To ensure trust in the image it must provide Verity information (or alternatively interactive polkit authentication is required). * The systemd-dissect tool now can access DDIs fully unprivileged by using systemd-nsresourced/systemd-mountfsd. * If the service manager runs unprivileged (i.e. systemd --user) it now supports RootImage= for accessing DDI images, also implemented via the systemd-nsresourced/systemd-mountfsd. * systemd-nspawn may now operate without privileges, if a suitable DDI is provided via --image=, again implemented via systemd-nsresourced/systemd-mountfsd. Other: * timedatectl and machinectl gained option '-P', an alias for '--value --property=…'. * Various tools that pretty-print config files will now highlight configuration directives. * varlinkctl gained support for the "ssh:" transport. This requires OpenSSH 9.4 or newer. * systemd-sysext gained support for enabling system extensions in mutable fashion, where a writeable upperdir is stored under /var/lib/extensions.mutable/, and a new --mutable= option to configure this behaviour. An "ephemeral" mode is not also supported where the mutable layer is configured to be a tmpfs that is automatically released when the system extensions are reattached. * Coredumps are now retained for two weeks by default (instead of three days, as before). * portablectl --copy= parameter gained a new 'mixed' argument, that will result in resources owned by the OS (e.g.: portable profiles) to be linked but resources owned by the portable image (e.g.: the unit files and the images themselves) to be copied. * systemd will now register MIME types for various of its file types (e.g. journal files, DDIs, encrypted credentials …) via the XDG shared-mime-info infrastructure. (Files of these types will thus be recognized as their own thing in desktop file managers such as GNOME Files.) * systemd-dissect will now show the detected sector size of a given DDI in its default output. * systemd-portabled now generates recognizable structured log messages whenever a portable service is attached or detached. * Verity signature checking in userspace (i.e. checking against /etc/verity.d/ keys) when activating DDIs can now be turned on/off via a kernel command line option systemd.allow_userspace_verity= and an environment variable SYSTEMD_ALLOW_USERSPACE_VERITY=. * ext4/xfs file system quota handling has been reworked, so that quotacheck and quotaon are now invoked as per-file-system templated services (as opposed to single system-wide singletons), similar in style to the fsck, growfs, pcrfs logic. This means file systems with quota enabled can now be reasonably enabled at runtime of the system, not just at boot. * "systemd-analyze dot" will now also show BindsTo= dependencies. * systemd-debug-generator gained the ability add in arbitrary units based on them being passed in via system credentials. * A new kernel command-line option systemd.default_debug_tty= can be used to specify the TTY for the debug shell, independently of enabling or disabling it. Contributions from: A S Alam, AKHIL KUMAR, Abraham Samuel Adekunle, Adrian Vovk, Adrian Wannenmacher, Alan Liang, Alberto Planas, Alexander Zavyalov, Anders Jonsson, Andika Triwidada, Andres Beltran, Andrew Sayers, Antonio Alvarez Feijoo, Arthur Zamarin, Artur Pak, AtariDreams, Benjamin Franzke, Bernhard M. Wiedemann, Black-Hole1, Bryan Jacobs, Burak Gerz, Carlos Garnacho, Chandra Pratap, Chris Simons, Christian Wesselhoeft, Clayton Craft, Colin Geniet, Colin Walters, Costa Tsaousis, Cristian Rodríguez, Daan De Meyer, Damien Challet, Dan Streetman, David Tardon, David Venhoek, Diego Viola, Dionna Amalie Glaze, Dmitry Konishchev, Edson Juliano Drosdeck, Eisuke Kawashima, Eli Schwartz, Emanuele Giuseppe Esposito, Eric Daigle, Evgeny Vereshchagin, Felix Riemann, Fernando Fernandez Mancera, Florian Schmaus, Franck Bui, Frantisek Sumsal, Friedrich Altheide, Gabríel Arthúr Pétursson, Gaël Donval, Georges Basile Stavracas Neto, Gerd Hoffmann, GNOME Foundation, Guilhem Lettron, Göran Uddeborg, Hans de Goede, Harald Brinkmann, Heinrich Schuchardt, Henry Li, Holger Assmann, Ivan Kruglov, Ivan Shapovalov, Jakub Sitnicki, James Muir, Jan Engelhardt, Jan Macku, Jeff King, JmbFountain, Joakim Nohlgård, Julius Alexandre, Jörg Behrmann, Keian, Kirk, Kristian Klausen, Krzesimir Nowak, Lars Ellenberg, Lennart Poettering, Luca Boccassi, Ludwig Nussel, Lukáš Nykrýn, Luxiter, Maanya Goenka, Mariano Giménez, Markus Merklinger, Martin Ivicic, Martin Trigaux, Martin Wilck, Matt Layher, Matt Muggeridge, Matteo Croce, Matthias Lisin, Max Gautier, Max Staudt, Michael Biebl, Michal Koutný, Michal Sekletár, Mike Gilbert, Mike Yuan, Mikko Ylinen, MkfsSion, MrSmör, Nandakumar Raghavan, Nick Cao, Nick Rosbrook, Ole Peder Brandtzæg, Ondrej Kozina, Oğuz Ersen, Pablo Méndez Hernández, Pierre GRASSER, Piotr Drąg, QuonXF, Rafaël Kooi, Raito Bezarius, Reid Wahl, Renjaya Raga Zenta, Richard Maw, Roland Hieber, Ronan Pigott, Rose, Ross Burton, Sam Leonard, Samuel BF, Sergei Zhmylev, Sergey A, Shulhan, SidhuRupinder, Sludge, Stuart Hayhurst, Susant Sahani, Takashi Sakamoto, Temuri Doghonadze, Thilo Fromm, Thomas Blume, TobiPeterG, Tomáš Pecka, Topi Miettinen, Tycho Andersen, Unique-Usman, Usman Akinyemi, Vasiliy Kovalev, Vasiliy Stelmachenok, Vishal Chillara Srinivas, Vitaly Kuznetsov, Vito Caputo, Vladimir Stoiakin, Werner Sembach, Will Springer, Winterhuman, Xiaotian Wu, Yu Watanabe, Yuri Chornoivan, Zbigniew Jędrzejewski-Szmek, Zmyeir, aslepykh, chenjiayi, cpackham-atlnz, cunshunxia, djantti, hfavisado, hulkoba, ksaleem, medusalix, mille-feuille, mkubiak, mooo, msizanoen, networkException, nl6720, r-vdp, runiq, samuelvw01, sharad3001, sushmbha, wangyuhang, zzywysm, İ. Ensar Gülşen, Štěpán Němec, 我超厉害, 김인수 — Happy Place, 2024-04-XX CHANGES WITH 255: Announcements of Future Feature Removals and Incompatible Changes: * Support for split-usr (/usr/ mounted separately during late boot, instead of being mounted by the initrd before switching to the rootfs) and unmerged-usr (parallel directories /bin/ and /usr/bin/, /lib/ and /usr/lib/, …) has been removed. For more details, see: https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html * We intend to remove cgroup v1 support from a systemd release after the end of 2023. If you run services that make explicit use of cgroup v1 features (i.e. the "legacy hierarchy" with separate hierarchies for each controller), please implement compatibility with cgroup v2 (i.e. the "unified hierarchy") sooner rather than later. Most of Linux userspace has been ported over already. * Support for System V service scripts is now deprecated and will be removed in a future release. Please make sure to update your software *now* to include a native systemd unit file instead of a legacy System V script to retain compatibility with future systemd releases. * Support for the SystemdOptions EFI variable is deprecated. 'bootctl systemd-efi-options' will emit a warning when used. It seems that this feature is little-used and it is better to use alternative approaches like credentials and confexts. The plan is to drop support altogether at a later point, but this might be revisited based on user feedback. * systemd-run's switch --expand-environment= which currently is disabled by default when combined with --scope, will be changed in a future release to be enabled by default. * "systemctl switch-root" is now restricted to initrd transitions only. Transitions between real systems should be done with "systemctl soft-reboot" instead. * The "ip=off" and "ip=none" kernel command line options interpreted by systemd-network-generator will now result in IPv6RA + link-local addressing being disabled, too. Previously DHCP was turned off, but IPv6RA and IPv6 link-local addressing was left enabled. * The NAMING_BRIDGE_MULTIFUNCTION_SLOT naming scheme has been deprecated and is now disabled. * SuspendMode=, HibernateState= and HybridSleepState= in the [Sleep] section of systemd-sleep.conf are now deprecated and have no effect. They did not (and could not) take any value other than the respective default. HybridSleepMode= is also deprecated, and will now always use the 'suspend' disk mode. Service Manager: * The way services are spawned has been overhauled. Previously, a process was forked that shared all of the manager's memory (via copy-on-write) while doing all the required setup (e.g.: mount namespaces, CGroup configuration, etc.) before exec'ing the target executable. This was problematic for various reasons: several glibc APIs were called that are not supposed to be used after a fork but before an exec, copy-on-write meant that if either process (the manager or the child) touched a memory page a copy was triggered, and also the memory footprint of the child process was that of the manager, but with the memory limits of the service. From this version onward, the new process is spawned using CLONE_VM and CLONE_VFORK semantics via posix_spawn(3), and it immediately execs a new internal binary, systemd-executor, that receives the configuration to apply via memfd, and sets up the process before exec'ing the target executable. The systemd-executor binary is pinned by file descriptor by each manager instance (system and users), and the reference is updated on daemon-reexec - it is thus important to reexec all running manager instances when the systemd-executor and/or libsystemd* libraries are updated on the filesystem. * Most of the internal process tracking is being changed to use PIDFDs instead of PIDs when the kernel supports it, to improve robustness and reliability. * A new option SurviveFinalKillSignal= can be used to configure the unit to be skipped in the final SIGTERM/SIGKILL spree on shutdown. This is part of the required configuration to let a unit's processes survive a soft-reboot operation. * System extension images (sysext) can now set EXTENSION_RELOAD_MANAGER=1 in their extension-release files to automatically reload the service manager (PID 1) when merging/refreshing/unmerging on boot. Generally, while this can be used to ship services in system extension images it's recommended to do that via portable services instead. * The ExtensionImages= and ExtensionDirectories= options now support confexts images/directories. * A new option NFTSet= provides a method for integrating dynamic cgroup IDs into firewall rules with NFT sets. The benefit of using this setting is to be able to use control group as a selector in firewall rules easily and this in turn allows more fine grained filtering. Also, NFT rules for cgroup matching use numeric cgroup IDs, which change every time a service is restarted, making them hard to use in systemd environment. * A new option CoredumpReceive= can be set for service and scope units, together with Delegate=yes, to make systemd-coredump on the host forward core files from processes crashing inside the delegated CGroup subtree to systemd-coredump running in the container. This new option is by default used by systemd-nspawn containers that use the "--boot" switch. * A new ConditionSecurity=measured-uki option is now available, to ensure a unit can only run when the system has been booted from a measured UKI. * MemoryAvailable= now considers physical memory if there are no CGroup memory limits set anywhere in the tree. * The $USER environment variable is now always set for services, while previously it was only set if User= was specified. A new option SetLoginEnvironment= is now supported to determine whether to also set $HOME, $LOGNAME, and $SHELL. * Socket units now support a new pair of PollLimitBurst=/PollLimitInterval= options to configure a limit on how often polling events on the file descriptors backing this unit will be considered within a time window. * Scope units can now be created using PIDFDs instead of PIDs to select the processes they should include. * Sending SIGRTMIN+18 with 0x500 as sigqueue() value will now cause the manager to dump the list of currently pending jobs. * If the kernel supports MOVE_MOUNT_BENEATH, the systemctl and machinectl bind and mount-image verbs will now cause the new mount to replace the old mount (if any), instead of overmounting it. * Units now have MemoryPeak, MemorySwapPeak, MemorySwapCurrent and MemoryZSwapCurrent properties, which respectively contain the values of the cgroup v2's memory.peak, memory.swap.peak, memory.swap.current and memory.zswap.current properties. This information is also shown in "systemctl status" output, if available. TPM2 Support + Disk Encryption & Authentication: * systemd-cryptenroll now allows specifying a PCR bank and explicit hash value in the --tpm2-pcrs= option. * systemd-cryptenroll now allows specifying a TPM2 key handle (nv index) to be used instead of the default SRK via the new --tpm2-seal-key-handle= option. * systemd-cryptenroll now allows TPM2 enrollment using only a TPM2 public key (in TPM2B_PUBLIC format) – without access to the TPM2 device itself – which enables offline sealing of LUKS images for a specific TPM2 chip, as long as the SRK public key is known. Pass the public to the tool via the new --tpm2-device-key= switch. * systemd-cryptsetup is now installed in /usr/bin/ and is no longer an internal-only executable. * The TPM2 Storage Root Key will now be set up, if not already present, by a new systemd-tpm2-setup.service early boot service. The SRK will be stored in PEM format and TPM2_PUBLIC format (the latter is useful for systemd-cryptenroll --tpm2-device-key=, as mentioned above) for easier access. A new "srk" verb has been added to systemd-analyze to allow extracting it on demand if it is already set up. * The internal systemd-pcrphase executable has been renamed to systemd-pcrextend. * The systemd-pcrextend tool gained a new --pcr= switch to override which PCR to measure into. * systemd-pcrextend now exposes a Varlink interface at io.systemd.PCRExtend that can be used to do measurements and event logging on demand. * TPM measurements are now also written to an event log at /run/log/systemd/tpm2-measure.log, using a derivative of the TCG Canonical Event Log format. Previously we'd only log them to the journal, where they however were subject to rotation and similar. * A new component "systemd-pcrlock" has been added that allows managing local TPM2 PCR policies for PCRs 0-7 and similar, which are hard to predict by the OS vendor because of the inherently local nature of what measurements they contain, such as firmware versions of the system and extension cards and suchlike. pcrlock can predict PCR measurements ahead of time based on various inputs, such as the local TPM2 event log, GPT partition tables, PE binaries, UKI kernels, and various other things. It can then pre-calculate a TPM2 policy from this, which it stores in an TPM2 NV index. TPM2 objects (such as disk encryption keys) can be locked against this NV index, so that they are locked against a specific combination of system firmware and state. Alternatives for each component are supported to allowlist multiple kernel versions or boot loader version simultaneously without losing access to the disk encryption keys. The tool can also be used to analyze and validate the local TPM2 event log. systemd-cryptsetup, systemd-cryptenroll, systemd-repart have all been updated to support such policies. There's currently no support for locking the system's root disk against a pcrlock policy, this will be added soon. Moreover, it is currently not possible to combine a pcrlock policy with a signed PCR policy. This component is experimental and its public interface is subject to change. systemd-boot, systemd-stub, ukify, bootctl, kernel-install: * bootctl will now show whether the system was booted from a UKI in its status output. * systemd-boot and systemd-stub now use different project keys in their respective SBAT sections, so that they can be revoked individually if needed. * systemd-boot will no longer load unverified Devicetree blobs when UEFI SecureBoot is enabled. For more details see: https://github.com/systemd/systemd/security/advisories/GHSA-6m6p-rjcq-334c * systemd-boot gained new hotkeys to reboot and power off the system from the boot menu ("B" and "O"). If the "auto-poweroff" and "auto-reboot" options in loader.conf are set these entries are also shown as menu items (which is useful on devices lacking a regular keyboard). * systemd-boot gained a new configuration value "menu-disabled" for the set-timeout option, to allow completely disabling the boot menu, including the hotkey. * systemd-boot will now measure the content of loader.conf in TPM2 PCR 5. * systemd-stub will now concatenate the content of all kernel command-line addons before measuring them in TPM2 PCR 12, in a single measurement, instead of measuring them individually. * systemd-stub will now measure and load Devicetree Blob addons, which are searched and loaded following the same model as the existing kernel command-line addons. * systemd-stub will now ignore unauthenticated kernel command line options passed from systemd-boot when running inside Confidential VMs with UEFI SecureBoot enabled. * systemd-stub will now load a Devicetree blob even if the firmware did not load any beforehand (e.g.: for ACPI systems). * ukify is no longer considered experimental, and now ships in /usr/bin/. * ukify gained a new verb inspect to describe the sections of a UKI and print the contents of the well-known sections. * ukify gained a new verb genkey to generate a set of key pairs for signing UKIs and their PCR data. * The 90-loaderentry kernel-install hook now supports installing device trees. * kernel-install now supports the --json=, --root=, --image=, and --image-policy= options for the inspect verb. * kernel-install now supports new list and add-all verbs. The former lists all installed kernel images (if those are available in /usr/lib/modules/). The latter will install all the kernels it can find to the ESP. systemd-repart: * A new option --copy-from= has been added that synthesizes partition definitions from the given image, which are then applied by the systemd-repart algorithm. * A new option --copy-source= has been added, which can be used to specify a directory to which CopyFiles= is considered relative to. * New --make-ddi=confext, --make-ddi=sysext, and --make-ddi=portable options have been added to make it easier to generate these types of DDIs, without having to provide repart.d definitions for them. * The dm-verity salt and UUID will now be derived from the specified seed value. * New VerityDataBlockSizeBytes= and VerityHashBlockSizeBytes= can now be configured in repart.d/ configuration files. * A new Subvolumes= setting is now supported in repart.d/ configuration files, to indicate which directories in the target partition should be btrfs subvolumes. * A new --tpm2-device-key= option can be used to lock a disk against a specific TPM2 public key. This matches the same switch the systemd-cryptenroll tool now supports (see above). Journal: * The journalctl --lines= parameter now accepts +N to show the oldest N entries instead of the newest. * journald now ensures that sealing happens once per epoch, and sets a new compatibility flag to distinguish old journal files that were created before this change, for backward compatibility. Device Management: * udev will now create symlinks to loopback block devices in the /dev/disk/by-loop-ref/ directory that are based on the .lo_file_name string field selected during allocation. The systemd-dissect tool and the util-linux losetup command now supports a complementing new switch --loop-ref= for selecting the string. This means a loopback block device may now be allocated under a caller-chosen reference and can subsequently be referenced without first having to look up the block device name the caller ended up with. * udev also creates symlinks to loopback block devices in the /dev/disk/by-loop-inode/ directory based on the .st_dev/st_ino fields of the inode attached to the loopback block device. This means that attaching a file to a loopback device will implicitly make a handle available to be found via that file's inode information. * udevadm info gained support for JSON output via a new --json= flag, and for filtering output using the same mechanism that udevadm trigger already implements. * The predictable network interface naming logic is extended to include the SR-IOV-R "representor" information in network interface names. This feature was intended for v254, but even though the code was merged, the part that actually enabled the feature was forgotten. It is now enabled by default and is part of the new "v255" naming scheme. * A new hwdb/rules file has been added that sets the ID_NET_AUTO_LINK_LOCAL_ONLY=1 udev property on all network interfaces that should usually only be configured with link-local addressing (IPv4LL + IPv6LL), i.e. for PC-to-PC cables ("laplink") or Thunderbolt networking. systemd-networkd and NetworkManager (soon) will make use of this information to apply an appropriate network configuration by default. * The ID_NET_DRIVER property on network interfaces is now set relatively early in the udev rule set so that other rules may rely on its use. This is implemented in a new "net-driver" udev built-in. Network Management: * The "duid-only" option for DHCPv4 client's ClientIdentifier= setting is now dropped, as it never worked, hence it should not be used by anyone. * The 'prefixstable' ipv6 address generation mode now considers the SSID when generating stable addresses, so that a different stable address is used when roaming between wireless networks. If you already use 'prefixstable' addresses with wireless networks, the stable address will be changed by the update. * The DHCPv4 client gained a RapidCommit option, true by default, which enables RFC4039 Rapid Commit behavior to obtain a lease in a simplified 2-message exchange instead of the typical 4-message exchange, if also supported by the DHCP server. * The DHCPv4 client gained new InitialCongestionWindow= and InitialAdvertisedReceiveWindow= options for route configurations. * The DHCPv4 client gained a new RequestAddress= option that allows to send a preferred IP address in the initial DHCPDISCOVER message. * The DHCPv4 server and client gained support for IPv6-only mode (RFC8925). * The SendHostname= and Hostname= options are now available for the DHCPv6 client, independently of the DHCPv4= option, so that these configuration values can be set independently for each client. * The DHCPv4 and DHCPv6 client state can now be queried via D-Bus, including lease information. * The DHCPv6 client can now be configured to use a custom DUID type. * .network files gained a new IPv4ReversePathFilter= setting in the [Network] section, to control sysctl's rp_filter setting. * .network files gaiend a new HopLimit= setting in the [Route] section, to configure a per-route hop limit. * .network files gained a new TCPRetransmissionTimeoutSec= setting in the [Route] section, to configure a per-route TCP retransmission timeout. * A new directive NFTSet= provides a method for integrating network configuration into firewall rules with NFT sets. The benefit of using this setting is that static network configuration or dynamically obtained network addresses can be used in firewall rules with the indirection of NFT set types. * The [IPv6AcceptRA] section supports the following new options: UsePREF64=, UseHopLimit=, UseICMP6RateLimit=, and NFTSet=. * The [IPv6SendRA] section supports the following new options: RetransmitSec=, HopLimit=, HomeAgent=, HomeAgentLifetimeSec=, and HomeAgentPreference=. * A new [IPv6PREF64Prefix] set of options, containing Prefix= and LifetimeSec=, has been introduced to append pref64 options in router advertisements (RFC8781). * The network generator now configures the interfaces with only link-local addressing if "ip=link-local" is specified on the kernel command line. * The prefix of the configuration files generated by the network generator from the kernel command line is now prefixed with '70-', to make them have higher precedence over the default configuration files. * Added a new -Ddefault-network=BOOL meson option, that causes more .network files to be installed as enabled by default. These configuration files will which match generic setups, e.g. 89-ethernet.network matches all Ethernet interfaces and enables both DHCPv4 and DHCPv6 clients. * If a ID_NET_MANAGED_BY= udev property is set on a network device and it is any other string than "io.systemd.Network" then networkd will not manage this device. This may be used to allow multiple network management services to run in parallel and assign ownership of specific devices explicitly. NetworkManager will soon implement a similar logic. systemctl: * systemctl is-failed now checks the system state if no unit is specified. * systemctl will now automatically soft-reboot if a new root file system is found under /run/nextroot/ when a reboot operation is invoked. Login management: * Wall messages now work even when utmp support is disabled, using systemd-logind to query the necessary information. * systemd-logind now sends a new PrepareForShutdownWithMetadata D-Bus signal before shutdown/reboot/soft-reboot that includes additional information compared to the PrepareForShutdown signal. Currently the additional information is the type of operation that is about to be executed. Hibernation & Suspend: * The kernel and OS versions will no longer be checked on resume from hibernation. * Hibernation into swap files backed by btrfs are now supported. (Previously this was supported only for other file systems.) Other: * A new systemd-vmspawn tool has been added, that aims to provide for VMs the same interfaces and functionality that systemd-nspawn provides for containers. For now it supports QEMU as a backend, and exposes some of its options to the user. This component is experimental and its public interface is subject to change. * "systemd-analyze plot" has gained tooltips on each unit name with related-unit information in its svg output, such as Before=, Requires=, and similar properties. * A new varlinkctl tool has been added to allow interfacing with Varlink services, and introspection has been added to all such services. This component is experimental and its public interface is subject to change. * systemd-sysext and systemd-confext now expose a Varlink service at io.systemd.sysext. * portable services now accept confexts as extensions. * systemd-sysupdate now accepts directories in the MatchPattern= option. * systemd-run will now output the invocation ID of the launched transient unit and its peak memory usage. * systemd-analyze, systemd-tmpfiles, systemd-sysusers, systemd-sysctl, and systemd-binfmt gained a new --tldr option that can be used instead of --cat-config to suppress uninteresting configuration lines, such as comments and whitespace. * resolvectl gained a new "show-server-state" command that shows current statistics of the resolver. This is backed by a new DumpStatistics() Varlink method provided by systemd-resolved. * systemd-timesyncd will now emit a D-Bus signal when the LinkNTPServers property changes. * vconsole now supports KEYMAP=@kernel for preserving the kernel keymap as-is. * seccomp now supports the LoongArch64 architecture. * seccomp may now be enabled for services running as a non-root User= without NoNewPrivileges=yes. * systemd-id128 now supports a new -P option to show only values. The combination of -P and --app options is also supported. * A new pam_systemd_loadkey.so PAM module is now available, which will automatically fetch the passphrase used by cryptsetup to unlock the root file system and set it as the PAM authtok. This enables, among other things, configuring auto-unlock of the GNOME Keyring / KDE Wallet when autologin is configured. * Many meson options now use the 'feature' type, which means they take enabled/disabled/auto as values. * A new meson option -Dconfigfiledir= can be used to change where configuration files with default values are installed to. * Options and verbs in man pages are now tagged with the version they were first introduced in. * A new component "systemd-storagetm" has been added, which exposes all local block devices as NVMe-TCP devices, fully automatically. It's hooked into a new target unit storage-target-mode.target that is suppsoed to be booted into via rd.systemd.unit=storage-target-mode.target on the kernel command line. This is intended to be used for installers and debugging to quickly get access to the local disk. It's inspired by MacOS "target disk mode". This component is experimental and its public interface is subject to change. * A new component "systemd-bsod" has been added, which can show logged error messages full screen, if they have a log level of LOG_EMERG log level. This component is experimental and its public interface is subject to change. * The systemd-dissect tool's --with command will now set the $SYSTEMD_DISSECT_DEVICE environment variable to the block device it operates on for the invoked process. * The systemd-mount tool gained a new --tmpfs switch for mounting a new 'tmpfs' instance. This is useful since it does so via .mount units and thus can be executed remotely or in containers. * The various tools in systemd that take "verbs" (such as systemctl, loginctl, machinectl, …) now will suggest a close verb name in case the user specified an unrecognized one. * libsystemd now exports a new function sd_id128_get_app_specific() that generates "app-specific" 128bit IDs from any ID. It's similar to sd_id128_get_machine_app_specific() and sd_id128_get_boot_app_specific() but takes the ID to base calculation on as input. This new functionality is also exposed in the "systemd-id128" tool where you can now combine --app= with `show`. * All tools that parse timestamps now can also parse RFC3339 style timestamps that include the "T" and Z" characters. * New documentation has been added: https://systemd.io/FILE_DESCRIPTOR_STORE https://systemd.io/TPM2_PCR_MEASUREMENTS https://systemd.io/MOUNT_REQUIREMENTS * The codebase now recognizes the suffix .confext.raw and .sysext.raw as alternative to the .raw suffix generally accepted for DDIs. It is recommended to name configuration extensions and system extensions with such suffixes, to indicate their purpose in the name. * The sd-device API gained a new function sd_device_enumerator_add_match_property_required() which allows configuring matches on properties that are strictly required. This is different from the existing sd_device_enumerator_add_match_property() matches of which one one needs to apply. * The MAC address the veth side of an nspawn container shall get assigned may now be controlled via the $SYSTEMD_NSPAWN_NETWORK_MAC environment variable. * The libiptc dependency is now implemented via dlopen(), so that tools such as networkd and nspawn no longer have a hard dependency on the shared library when compiled with support for libiptc. * New rpm macros have been added: %systemd_user_daemon_reexec does daemon-reexec for all user managers, and %systemd_postun_with_reload and %systemd_user_postun_with_reload do a reload for system and user units on upgrades. * coredumpctl now propagates SIGTERM to the debugger process. Contributions from: 김인수, Abderrahim Kitouni, Adam Goldman, Adam Williamson, Alexandre Peixoto Ferreira, Alex Hudspith, Alvin Alvarado, André Paiusco, Antonio Alvarez Feijoo, Anton Lundin, Arian van Putten, Arseny Maslennikov, Arthur Shau, Balázs Úr, beh_10257, Benjamin Peterson, Bertrand Jacquin, Brian Norris, Charles Lee, Cheng-Chia Tseng, Chris Patterson, Christian Hergert, Christian Hesse, Christian Kirbach, Clayton Craft, commondservice, cunshunxia, Curtis Klein, cvlc12, Daan De Meyer, Daniele Medri, Daniel P. Berrangé, Daniel Rusek, Daniel Thompson, Dan Nicholson, Dan Streetman, David Rheinsberg, David Santamaría Rogado, David Tardon, dependabot[bot], Diego Viola, Dmitry V. Levin, Emanuele Giuseppe Esposito, Emil Renner Berthing, Emil Velikov, Etienne Dechamps, Fabian Vogt, felixdoerre, Felix Dörre, Florian Schmaus, Franck Bui, Frantisek Sumsal, G2-Games, Gioele Barabucci, Hugo Carvalho, huyubiao, Iago López Galeiras, IllusionMan1212, Jade Lovelace, janana, Jan Janssen, Jan Kuparinen, Jan Macku, Jeremy Fleischman, Jin Liu, jjimbo137, Joerg Behrmann, Johannes Segitz, Jordan Rome, Jordan Williams, Julien Malka, Juno Computers, Khem Raj, khm, Kingbom Dou, Kiran Vemula, Krzesimir Nowak, Laszlo Gombos, Lennart Poettering, linuxlion, Luca Boccassi, Lucas Adriano Salles, Lukas, Lukáš Nykrýn, Maanya Goenka, Maarten, Malte Poll, Marc Pervaz Boocha, Martin Beneš, Martin Joerg, Martin Wilck, Mathieu Tortuyaux, Matthias Schiffer, Maxim Mikityanskiy, Max Kellermann, Michael A Cassaniti, Michael Biebl, Michael Kuhn, Michael Vasseur, Michal Koutný, Michal Sekletár, Mike Yuan, Milton D. Miller II, mordner, msizanoen, NAHO, Nandakumar Raghavan, Neil Wilson, Nick Rosbrook, Nils K, NRK, Oğuz Ersen, Omojola Joshua, onenowy, Paul Meyer, Paymon MARANDI, pelaufer, Peter Hutterer, PhylLu, Pierre GRASSER, Piotr Drąg, Priit Laes, Rahil Bhimjiani, Raito Bezarius, Raul Cheleguini, Reto Schneider, Richard Maw, Robby Red, RoepLuke, Roland Hieber, Roland Singer, Ronan Pigott, Sam James, Sam Leonard, Sergey A, Susant Sahani, Sven Joachim, Tad Fisher, Takashi Sakamoto, Thorsten Kukuk, Tj, Tomasz Świątek, Topi Miettinen, Valentin David, Valentin Lefebvre, Victor Westerhuis, Vincent Haupert, Vishal Chillara Srinivas, Vito Caputo, Warren, Weblate, Xiaotian Wu, xinpeng wang, Yaron Shahrabani, Yo-Jung Lin, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, zeroskyx, Дамјан Георгиевски, наб — Edinburgh, 2023-12-06 CHANGES WITH 254: Announcements of Future Feature Removals and Incompatible Changes: * The next release (v255) will remove support for split-usr (/usr/ mounted separately during late boot, instead of being mounted by the initrd before switching to the rootfs) and unmerged-usr (parallel directories /bin/ and /usr/bin/, /lib/ and /usr/lib/, …). For more details, see: https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html * We intend to remove cgroup v1 support from a systemd release after the end of 2023. If you run services that make explicit use of cgroup v1 features (i.e. the "legacy hierarchy" with separate hierarchies for each controller), please implement compatibility with cgroup v2 (i.e. the "unified hierarchy") sooner rather than later. Most of Linux userspace has been ported over already. * Support for System V service scripts is now deprecated and will be removed in a future release. Please make sure to update your software *now* to include a native systemd unit file instead of a legacy System V script to retain compatibility with future systemd releases. * Support for the SystemdOptions EFI variable is deprecated. 'bootctl systemd-efi-options' will emit a warning when used. It seems that this feature is little-used and it is better to use alternative approaches like credentials and confexts. The plan is to drop support altogether at a later point, but this might be revisited based on user feedback. * EnvironmentFile= now treats the line following a comment line trailing with escape as a non comment line. For details, see: https://github.com/systemd/systemd/issues/27975 * PrivateNetwork=yes and NetworkNamespacePath= now imply PrivateMounts=yes unless PrivateMounts=no is explicitly specified. * Behaviour of sandboxing options for the per-user service manager units has changed. They now imply PrivateUsers=yes, which means user namespaces will be implicitly enabled when a sandboxing option is enabled in a user unit. Enabling user namespaces has the drawback that system users will no longer be visible (and processes/files will appear as owned by 'nobody') in the user unit. By definition a sandboxed user unit should run with reduced privileges, so impact should be small. This will remove a great source of confusion that has been reported by users over the years, due to how these options require an extra setting to be manually enabled when used in the per-user service manager, which is not needed in the system service manager. For more details, see: https://lists.freedesktop.org/archives/systemd-devel/2022-December/048682.html * systemd-run's switch --expand-environment= which currently is disabled by default when combined with --scope, will be changed in a future release to be enabled by default. Security Relevant Changes: * pam_systemd will now by default pass the CAP_WAKE_ALARM ambient process capability to invoked session processes of regular users on local seats (as well as to systemd --user), unless configured otherwise via data from JSON user records, or via the PAM module's parameter list. This is useful in order allow desktop tools such as GNOME's Alarm Clock application to set a timer for CLOCK_REALTIME_ALARM that wakes up the system when it elapses. A per-user service unit file may thus use AmbientCapability= to pass the capability to invoked processes. Note that this capability is relatively narrow in focus (in particular compared to other process capabilities such as CAP_SYS_ADMIN) and we already — by default — permit more impactful operations such as system suspend to local users. Service Manager: * Memory limits that apply while the unit is activating are now supported. Previously IO and CPU settings were already supported via StartupCPUWeight= and similar. The same logic has been added for the various manager and unit memory settings (DefaultStartupMemoryLow=, StartupMemoryLow=, StartupMemoryHigh=, StartupMemoryMax=, StartupMemorySwapMax=, StartupMemoryZSwapMax=). * The service manager gained support for enqueuing POSIX signals to services that carry an additional integer value, exposing the sigqueue() system call. This is accessible via new D-Bus calls org.freedesktop.systemd1.Manager.QueueSignalUnit() and org.freedesktop.systemd1.Unit.QueueSignal(), as well as in systemctl via the new --kill-value= option. * systemctl gained a new "list-paths" verb, which shows all currently active .path units, similarly to how "systemctl list-timers" shows active timers, and "systemctl list-sockets" shows active sockets. * systemctl gained a new --when= switch which is honoured by the various forms of shutdown (i.e. reboot, kexec, poweroff, halt) and allows scheduling these operations by time, similar in fashion to how this has been supported by SysV shutdown. * If MemoryDenyWriteExecute= is enabled for a service and the kernel supports the new PR_SET_MDWE prctl() call, it is used instead of the seccomp()-based system call filter to achieve the same effect. * A new set of kernel command line options is now understood: systemd.tty.term.=, systemd.tty.rows.=, systemd.tty.columns.= allow configuring the TTY type and dimensions for the tty specified via . When systemd invokes a service on a tty (via TTYName=) it will look for these and configure the TTY accordingly. This is particularly useful in VM environments to propagate host terminal settings into the appropriate TTYs of the guest. * A new RootEphemeral= setting is now understood in service units. It takes a boolean argument. If enabled for services that use RootImage= or RootDirectory= an ephemeral copy of the disk image or directory tree is made when the service is started. It is removed automatically when the service is stopped. That ephemeral copy is made using btrfs/xfs reflinks or btrfs snapshots, if available. * The service activation logic gained new settings RestartSteps= and RestartMaxDelaySec= which allow exponentially-growing restart intervals for Restart=. * The service activation logic gained a new setting RestartMode= which can be set to 'direct' to skip the inactive/failed states when restarting, so that dependent units are not notified until the service converges to a final (successful or failed) state. For example, this means that OnSuccess=/OnFailure= units will not be triggered until the service state has converged. * PID 1 will now automatically load the virtio_console kernel module during early initialization if running in a suitable VM. This is done so that early-boot logging can be written to the console if available. * Similarly, virtio-vsock support is loaded early in suitable VM environments. PID 1 will send sd_notify() notifications via AF_VSOCK to the VMM if configured, thus loading this early is beneficial. * A new verb "fdstore" has been added to systemd-analyze to show the current contents of the file descriptor store of a unit. This is backed by a new D-Bus call DumpUnitFileDescriptorStore() provided by the service manager. * The service manager will now set a new $FDSTORE environment variable when invoking processes for services that have the file descriptor store enabled. * A new service option FileDescriptorStorePreserve= has been added that allows tuning the lifecycle of the per-service file descriptor store. If set to "yes", the entries in the fd store are retained even after the service has been fully stopped. * The "systemctl clean" command may now be used to clear the fdstore of a service. * Unit *.preset files gained a new directive "ignore", in addition to the existing "enable" and "disable". As the name suggests, matching units are left unchanged, i.e. neither enabled nor disabled. * Service units gained a new setting DelegateSubgroup=. It takes the name of a sub-cgroup to place any processes the service manager forks off in. Previously, the service manager would place all service processes directly in the top-level cgroup it created for the service. This usually meant that main process in a service with delegation enabled would first have to create a subgroup and move itself down into it, in order to not conflict with the "no processes in inner cgroups" rule of cgroup v2. With this option, this step is now handled by PID 1. * The service manager will now look for .upholds/ directories, similarly to the existing support for .wants/ and .requires/ directories. Symlinks in this directory result in Upholds= dependencies. The [Install] section of unit files gained support for a new UpheldBy= directive to generate .upholds/ symlinks automatically when a unit is enabled. * The service manager now supports a new kernel command line option systemd.default_device_timeout_sec=, which may be used to override the default timeout for .device units. * A new "soft-reboot" mechanism has been added to the service manager. A "soft reboot" is similar to a regular reboot, except that it affects userspace only: the service manager shuts down any running services and other units, then optionally switches into a new root file system (mounted to /run/nextroot/), and then passes control to a systemd instance in the new file system which then starts the system up again. The kernel is not rebooted and neither is the hardware, firmware or boot loader. This provides a fast, lightweight mechanism to quickly reset or update userspace, without the latency that a full system reset involves. Moreover, open file descriptors may be passed across the soft reboot into the new system where they will be passed back to the originating services. This allows pinning resources across the reboot, thus minimizing grey-out time further. This new reboot mechanism is accessible via the new "systemctl soft-reboot" command. * Services using RootDirectory= or RootImage= will now have read-only access to a copy of the host's os-release file under /run/host/os-release, which will be kept up-to-date on 'soft-reboot'. This was already the case for Portable Services, and the feature has now been extended to all services that do not run off the host's root filesystem. * A new service setting MemoryKSM= has been added to enable kernel same-page merging individually for services. * A new service setting ImportCredentials= has been added that augments LoadCredential= and LoadCredentialEncrypted= and searches for credentials to import from the system, and supports globbing. * A new job mode "restart-dependencies" has been added to the service manager (exposed via systemctl --job-mode=). It is only valid when used with "start" jobs, and has the effect that the "start" job will be propagated as "restart" jobs to currently running units that have a BindsTo= or Requires= dependency on the started unit. * A new verb "whoami" has been added to "systemctl" which determines as part of which unit the command is being invoked. It writes the unit name to standard output. If one or more PIDs are specified reports the unit names the processes referenced by the PIDs belong to. * The system and service credential logic has been improved: there's now a clearly defined place where system provisioning tools running in the initrd can place credentials that will be imported into the system's set of credentials during the initrd → host transition: the /run/credentials/@initrd/ directory. Once the credentials placed there are imported into the system credential set they are deleted from this directory, and the directory itself is deleted afterwards too. * A new kernel command line option systemd.set_credential_binary= has been added, that is similar to the pre-existing systemd.set_credential= but accepts arbitrary binary credential data, encoded in Base64. Note that the kernel command line is not a recommend way to transfer credentials into a system, since it is world-readable from userspace. * The default machine ID to use may now be configured via the system.machine_id system credential. It will only be used if no machine ID was set yet on the host. * On Linux kernel 6.4 and newer system and service credentials will now be placed in a tmpfs instance that has the "noswap" mount option set. Previously, a "ramfs" instance was used. By switching to tmpfs ACL support and overall size limits can now be enforced, without compromising on security, as the memory is never paged out either way. * The service manager now can detect when it is running in a 'Confidential Virtual Machine', and a corresponding 'cvm' value is now accepted by ConditionSecurity= for units that want to conditionalize themselves on this. systemd-detect-virt gained new 'cvm' and '--list-cvm' switches to respectively perform the detection or list all known flavours of confidential VM, depending on the vendor. The manager will publish a 'ConfidentialVirtualization' D-Bus property, and will also set a SYSTEMD_CONFIDENTIAL_VIRTUALIZATION= environment variable for unit generators. Finally, udev rules can match on a new 'cvm' key that will be set when in a confidential VM. Additionally, when running in a 'Confidential Virtual Machine', SMBIOS strings and QEMU's fw_cfg protocol will not be used to import credentials and kernel command line parameters by the system manager, systemd-boot and systemd-stub, because the hypervisor is considered untrusted in this particular setting. Journal: * The sd-journal API gained a new call sd_journal_get_seqnum() to retrieve the current log record's sequence number and sequence number ID, which allows applications to order records the same way as journal does internally. The sequence number is now also exported in the JSON and "export" output of the journal. * journalctl gained a new switch --truncate-newline. If specified multi-line log records will be truncated at the first newline, i.e. only the first line of each log message will be shown. * systemd-journal-upload gained support for --namespace=, similar to the switch of the same name of journalctl. systemd-repart: * systemd-repart's drop-in files gained a new ExcludeFiles= option which may be used to exclude certain files from the effect of CopyFiles=. * systemd-repart's Verity support now implements the Minimize= setting to minimize the size of the resulting partition. * systemd-repart gained a new --offline= switch, which may be used to control whether images shall be built "online" or "offline", i.e. whether to make use of kernel facilities such as loopback block devices and device mapper or not. * If systemd-repart is told to populate a newly created ESP or XBOOTLDR partition with some files, it will now default to VFAT rather than ext4. * systemd-repart gained a new --architecture= switch. If specified, the per-architecture GPT partition types (i.e. the root and /usr/ partitions) configured in the partition drop-in files are automatically adjusted to match the specified CPU architecture, in order to simplify cross-architecture DDI building. * systemd-repart will now default to a minimum size of 300MB for XFS filesystems if no size parameter is specified. This matches what the XFS tools (xfsprogs) can support. systemd-boot, systemd-stub, ukify, bootctl, kernel-install: * gnu-efi is no longer required to build systemd-boot and systemd-stub. Instead, pyelftools is now needed, and it will be used to perform the ELF -> PE relocations at build time. * bootctl gained a new switch --print-root-device/-R that prints the block device the root file system is backed by. If specified twice, it returns the whole disk block device (as opposed to partition block device) the root file system is on. It's useful for invocations such as "cfdisk $(bootctl -RR)" to quickly show the partition table of the running OS. * systemd-stub will now look for the SMBIOS Type 1 field "io.systemd.stub.kernel-cmdline-extra" and append its value to the kernel command line it invokes. This is useful for VMMs such as qemu to pass additional kernel command lines into the system even when booting via full UEFI. The contents of the field are measured into TPM PCR 12. * The KERNEL_INSTALL_LAYOUT= setting for kernel-install gained a new value "auto". With this value, a kernel will be automatically analyzed, and if it qualifies as UKI, it will be installed as if the setting was to set to "uki", otherwise as "bls". * systemd-stub can now optionally load UEFI PE "add-on" images that may contain additional kernel command line information. These "add-ons" superficially look like a regular UEFI executable, and are expected to be signed via SecureBoot/shim. However, they do not actually contain code, but instead a subset of the PE sections that UKIs support. They are supposed to provide a way to extend UKIs with additional resources in a secure and authenticated way. Currently, only the .cmdline PE section may be used in add-ons, in which case any specified string is appended to the command line embedded into the UKI itself. A new 'addon.efi.stub' is now provided that can be used to trivially create addons, via 'ukify' or 'objcopy'. In the future we expect other sections to be made extensible like this as well. * ukify has been updated to allow building these UEFI PE "add-on" images, using the new 'addon.efi.stub'. * ukify now accepts SBAT information to place in the .sbat PE section of UKIs and addons. If a UKI is built the SBAT information from the inner kernel is merged with any SBAT information associated with systemd-stub and the SBAT data specified on the ukify command line. * The kernel-install script has been rewritten in C, and reuses much of the infrastructure of existing tools such as bootctl. It also gained --esp-path= and --boot-path= options to override the path to the ESP, and the $BOOT partition. Options --make-entry-directory= and --entry-token= have been added as well, similar to bootctl's options of the same name. * A new kernel-install plugin 60-ukify has been added which will combine kernel/initrd locally into a UKI and optionally sign them with a local key. This may be used to switch to UKI mode even on systems where a local kernel or initrd is used. (Typically UKIs are built and signed by the vendor.) * The ukify tool now supports "pesign" in addition to the pre-existing "sbsign" for signing UKIs. * systemd-measure and systemd-stub now look for the .uname PE section that should contain the kernel's "uname -r" string. * systemd-measure and ukify now calculate expected PCR hashes for a UKI "offline", i.e. without access to a TPM (physical or software-emulated). Memory Pressure & Control: * The sd-event API gained new calls sd_event_add_memory_pressure(), sd_event_source_set_memory_pressure_type(), sd_event_source_set_memory_pressure_period() to create and configure an event source that is called whenever the OS signals memory pressure. Another call sd_event_trim_memory() is provided that compacts the process' memory use by releasing allocated but unused malloc() memory back to the kernel. Services can also provide their own custom callback to do memory trimming. This should improve system behaviour under memory pressure, as on Linux traditionally provided no mechanism to return process memory back to the kernel if the kernel was under memory pressure. This makes use of the kernel's PSI interface. Most long-running services in systemd have been hooked up with this, and in particular systems with low memory should benefit from this. * Service units gained new settings MemoryPressureWatch= and MemoryPressureThresholdSec= to configure the PSI memory pressure logic individually. If these options are used, the $MEMORY_PRESSURE_WATCH and $MEMORY_PRESSURE_WRITE environment variables will be set for the invoked processes to inform them about the requested memory pressure behaviour. (This is used by the aforementioned sd-events API additions, if set.) * systemd-analyze gained a new "malloc" verb that shows the output generated by glibc's malloc_info() on services that support it. Right now, only the service manager has been updated accordingly. This call requires privileges. User & Session Management: * The sd-login API gained a new call sd_session_get_username() to return the user name of the owner of a login session. It also gained a new call sd_session_get_start_time() to retrieve the time the login session started. A new call sd_session_get_leader() has been added to return the PID of the "leader" process of a session. A new call sd_uid_get_login_time() returns the time since the specified user has most recently been continuously logged in with at least one session. * JSON user records gained a new set of fields capabilityAmbientSet and capabilityBoundingSet which contain a list of POSIX capabilities to set for the logged in users in the ambient and bounding sets, respectively. homectl gained the ability to configure these two sets for users via --capability-bounding-set=/--capability-ambient-set=. * pam_systemd learnt two new module options default-capability-bounding-set= and default-capability-ambient-set=, which configure the default bounding sets for users as they are logging in, if the JSON user record doesn't specify this explicitly (see above). The built-in default for the ambient set now contains the CAP_WAKE_ALARM, thus allowing regular users who may log in locally to resume from a system suspend via a timer. * The Session D-Bus objects systemd-logind gained a new SetTTY() method call to update the TTY of a session after it has been allocated. This is useful for SSH sessions which are typically allocated first, and for which a TTY is added later. * The sd-login API gained a new call sd_pid_notifyf_with_fds() which combines the various other sd_pid_notify() flavours into one: takes a format string, an overriding PID, and a set of file descriptors to send. It also gained a new call sd_pid_notify_barrier() call which is equivalent to sd_notify_barrier() but allows the originating PID to be specified. * "loginctl list-users" and "loginctl list-sessions" will now show the state of each logged in user/session in their tabular output. It will also show the current idle state of sessions. DDIs: * systemd-dissect will now show the intended CPU architecture of an inspected DDI. * systemd-dissect will now install itself as mount helper for the "ddi" pseudo-file system type. This means you may now mount DDIs directly via /bin/mount or /etc/fstab, making full use of embedded Verity information and all other DDI features. Example: mount -t ddi myimage.raw /some/where * The systemd-dissect tool gained the new switches --attach/--detach to attach/detach a DDI to a loopback block device without mounting it. It will automatically derive the right sector size from the image and set up Verity and similar, but not mount the file systems in it. * When systemd-gpt-auto-generator or the DDI mounting logic mount an ESP or XBOOTLDR partition the MS_NOSYMFOLLOW mount option is now implied. Given that these file systems are typically untrusted, this should make mounting them automatically have less of a security impact. * All tools that parse DDIs (such as systemd-nspawn, systemd-dissect, systemd-tmpfiles, …) now understand a new switch --image-policy= which takes a string encoding image dissection policy. With this mechanism automatic discovery and use of specific partition types and the cryptographic requirements on the partitions (Verity, LUKS, …) can be restricted, permitting better control of the exposed attack surfaces when mounting disk images. systemd-gpt-auto-generator will honour such an image policy too, configurable via the systemd.image_policy= kernel command line option. Unit files gained the RootImagePolicy=, MountImagePolicy= and ExtensionImagePolicy= to configure the same for disk images a service runs off. * systemd-analyze gained a new verb "image-policy" to validate and parse image policy strings. * systemd-dissect gained support for a new --validate switch to superficially validate DDI structure, and check whether a specific image policy allows the DDI. * systemd-dissect gained support for a new --mtree-hash switch to optionally disable calculating mtree hashes, which can be slow on large images. * systemd-dissect --copy-to, --copy-from, --list and --mtree switches are now able to operate on directories too, other than images. Network Management: * networkd's GENEVE support as gained a new .network option InheritInnerProtocol=. * The [Tunnel] section in .netdev files has gained a new setting IgnoreDontFragment for controlling the IPv4 "DF" flag of datagrams. * A new global IPv6PrivacyExtensions= setting has been added that selects the default value of the per-network setting of the same name. * The predictable network interface naming logic was extended to include SR-IOV-R "representor" information in network interface names. Unfortunately, this feature was not enabled by default and can only be enabled at compilation time by setting -Ddefault-net-naming-scheme=v254. * The DHCPv4 + DHCPv6 + IPv6 RA logic in networkd gained support for the RFC8910 captive portal option. Device Management: * udevadm gained the new "verify" verb for validating udev rules files offline. * udev gained a new tool "iocost" that can be used to configure QoS IO cost data based on hwdb information onto suitable block devices. Also see https://github.com/iocost-benchmark/iocost-benchmarks. TPM2 Support + Disk Encryption & Authentication: * systemd-cryptenroll/systemd-cryptsetup will now install a TPM2 SRK ("Storage Root Key") as first step in the TPM2, and then use that for binding FDE to, if TPM2 support is used. This matches recommendations of TCG (see https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf) * systemd-cryptenroll and other tools that take TPM2 PCR parameters now understand textual identifiers for these PCRs. * systemd-veritysetup + /etc/veritytab gained support for a series of new options: hash-offset=, superblock=, format=, data-block-size=, hash-block-size=, data-blocks=, salt=, uuid=, hash=, fec-device=, fec-offset=, fec-roots= to configure various aspects of a Verity volume. * systemd-cryptsetup + /etc/crypttab gained support for a new veracrypt-pim= option for setting the Personal Iteration Multiplier of veracrypt volumes. * systemd-integritysetup + /etc/integritytab gained support for a new mode= setting for controlling the dm-integrity mode (journal, bitmap, direct) for the volume. * systemd-analyze gained a new verb "pcrs" that shows the known TPM PCR registers, their symbolic names and current values. systemd-tmpfiles: * The ACL support in tmpfiles.d/ has been updated: if an uppercase "X" access right is specified this is equivalent to "x" but only if the inode in question already has the executable bit set for at least some user/group. Otherwise the "x" bit will be turned off. * tmpfiles.d/'s C line type now understands a new modifier "+": a line with C+ will result in a "merge" copy, i.e. all files of the source tree are copied into the target tree, even if that tree already exists, resulting in a combined tree of files already present in the target tree and those copied in. * systemd-tmpfiles gained a new --graceful switch. If specified lines with unknown users/groups will silently be skipped. systemd-notify: * systemd-notify gained two new options --fd= and --fdname= for sending arbitrary file descriptors to the service manager (while specifying an explicit name for it). * systemd-notify gained a new --exec switch, which makes it execute the specified command line after sending the requested messages. This is useful for sending out READY=1 first, and then continuing invocation without changing process ID, so that the tool can be nicely used within an ExecStart= line of a unit file that uses Type=notify. sd-event + sd-bus APIs: * The sd-event API gained a new call sd_event_source_leave_ratelimit() which may be used to explicitly end a rate-limit state an event source might be in, resetting all rate limiting counters. * When the sd-bus library is used to make connections to AF_UNIX D-Bus sockets, it will now encode the "description" set via sd_bus_set_description() into the source socket address. It will also look for this information when accepting a connection. This is useful to track individual D-Bus connections on a D-Bus broker for debug purposes. systemd-resolved: * systemd-resolved gained a new resolved.conf setting StateRetentionSec= which may be used to retain cached DNS records even after their nominal TTL, and use them in case upstream DNS servers cannot be reached. This can be used to make name resolution more resilient in case of network problems. * resolvectl gained a new verb "show-cache" to show the current cache contents of systemd-resolved. This verb communicates with the systemd-resolved daemon and requires privileges. Other: * Meson >= 0.60.0 is now required to build systemd. * The default keymap to apply may now be chosen at build-time via the new -Ddefault-keymap= meson option. * Most of systemd's long-running services now have a generic handler of the SIGRTMIN+18 signal handler which executes various operations depending on the sigqueue() parameter sent along. For example, values 0x100…0x107 allow changing the maximum log level of such services. 0x200…0x203 allow changing the log target of such services. 0x300 make the services trim their memory similarly to the automatic PSI-triggered action, see above. 0x301 make the services output their malloc_info() data to the logs. * machinectl gained new "edit" and "cat" verbs for editing .nspawn files, inspired by systemctl's verbs of the same name which edit unit files. Similarly, networkctl gained the same verbs for editing .network, .netdev, .link files. * A new syscall filter group "@sandbox" has been added that contains syscalls for sandboxing system calls such as those for seccomp and Landlock. * New documentation has been added: https://systemd.io/COREDUMP https://systemd.io/MEMORY_PRESSURE smbios-type-11(7) * systemd-firstboot gained a new --reset option. If specified, the settings in /etc/ it knows how to initialize are reset. * systemd-sysext is now a multi-call binary and is also installed under the systemd-confext alias name (via a symlink). When invoked that way it will operate on /etc/ instead of /usr/ + /opt/. It thus becomes a powerful, atomic, secure configuration management of sorts, that locally can merge configuration from multiple confext configuration images into a single immutable tree. * The --network-macvlan=, --network-ipvlan=, --network-interface= switches of systemd-nspawn may now optionally take the intended network interface inside the container. * All our programs will now send an sd_notify() message with their exit status in the EXIT_STATUS= field when exiting, using the usual protocol, including PID 1. This is useful for VMMs and container managers to collect an exit status from a system as it shuts down, as set via "systemctl exit …". This is particularly useful in test cases and similar, as invocations via a VM can now nicely propagate an exit status to the host, similar to local processes. * systemd-run gained a new switch --expand-environment=no to disable server-side environment variable expansion in specified command lines. Expansion defaults to enabled for all execution types except --scope, where it defaults to off (and prints a warning) for backward compatibility reasons. --scope will be flipped to enabled by default too in a future release. If you are using --scope and passing a '$' character in the payload you should start explicitly using --expand-environment=yes/no according to the use case. * The systemd-system-update-generator has been updated to also look for the special flag file /etc/system-update in addition to the existing support for /system-update to decide whether to enter system update mode. * The /dev/hugepages/ file system is now mounted with nosuid + nodev mount options by default. * systemd-fstab-generator now understands two new kernel command line options systemd.mount-extra= and systemd.swap-extra=, which configure additional mounts or swaps in a format similar to /etc/fstab. 'fsck' will be ran on these block devices, like it already happens for 'root='. It also now supports the new fstab.extra and fstab.extra.initrd credentials that may contain additional /etc/fstab lines to apply at boot. * systemd-getty-generator now understands two new credentials getty.ttys.container and getty.ttys.serial. These credentials may contain a list of TTY devices – one per line – to instantiate container-getty@.service and serial-getty@.service on. * The getty/serial-getty/container-getty units now import the 'agetty.*' and 'login.*' credentials, which are consumed by the 'login' and 'agetty' programs starting from util-linux v2.40. * systemd-sysupdate's sysupdate.d/ drop-ins gained a new setting PathRelativeTo=, which can be set to "esp", "xbootldr", "boot", in which case the Path= setting is taken relative to the ESP or XBOOTLDR partitions, rather than the system's root directory /. The relevant directories are automatically discovered. * The systemd-ac-power tool gained a new switch --low, which reports whether the battery charge is considered "low", similar to how the s2h suspend logic checks this state to decide whether to enter system suspend or hibernation. * The /etc/os-release file can now have two new optional fields VENDOR_NAME= and VENDOR_URL= to carry information about the vendor of the OS. * When the system hibernates, information about the device and offset used is now written to a non-volatile EFI variable. On next boot the system will attempt to resume from the location indicated in this EFI variable. This should make hibernation a lot more robust, while requiring no manual configuration of the resume location. * The $XDG_STATE_HOME environment variable (added in more recent versions of the XDG basedir specification) is now honoured to implement the StateDirectory= setting in user services. * A new component "systemd-battery-check" has been added. It may run during early boot (usually in the initrd), and checks the battery charge level of the system. In case the charge level is very low the user is notified (graphically via Plymouth – if available – as well as in text form on the console), and the system is turned off after a 10s delay. The feature can be disabled by passing systemd.battery_check=0 through the kernel command line. * The 'passwdqc' library is now supported as an alternative to the 'pwquality' library and can be selected at build time. Contributions from: 김인수, 07416, Addison Snelling, Adrian Vovk, Aidan Dang, Alexander Krabler, Alfred Klomp, Anatoli Babenia, Andrei Stepanov, Andrew Baxter, Antonio Alvarez Feijoo, Arian van Putten, Arthur Shau, A S Alam, Asier Sarasua Garmendia, Balló György, Bastien Nocera, Benjamin Herrenschmidt, Benjamin Raison, Bill Peterson, Brad Fitzpatrick, Brett Holman, bri, Chen Qi, Chitoku, Christian Hesse, Christoph Anton Mitterer, Christopher Gurnee, Colin Walters, Cornelius Hoffmann, Cristian Rodríguez, cunshunxia, cvlc12, Cyril Roelandt, Daan De Meyer, Daniele Medri, Daniel P. Berrangé, Daniel Rusek, Dan Streetman, David Edmundson, David Schroeder, David Tardon, dependabot[bot], Dimitri John Ledkov, Dmitrii Fomchenkov, Dmitry V. Levin, dmkUK, Dominique Martinet, don bright, drosdeck, Edson Juliano Drosdeck, Egor Ignatov, EinBaum, Emanuele Giuseppe Esposito, Eric Curtin, Erik Sjölund, Evgeny Vereshchagin, Florian Klink, Franck Bui, François Rigault, Fran Diéguez, Franklin Yu, Frantisek Sumsal, Fuminobu TAKEYAMA, Gaël PORTAY, Gerd Hoffmann, Gertalitec, Gibeom Gwon, Gustavo Noronha Silva, Hannu Lounento, Hans de Goede, Haochen Tong, HATAYAMA Daisuke, Henrik Holst, Hoe Hao Cheng, Igor Tsiglyar, Ivan Vecera, James Hilliard, Jan Engelhardt, Jan Janssen, Jan Luebbe, Jan Macku, Janne Sirén, jcg, Jeidnx, Joan Bruguera, Joerg Behrmann, jonathanmetzman, Jordan Rome, Josef Miegl, Joshua Goins, Joyce, Joyce Brum, Juno Computers, Kai Lueke, Kevin P. Fleming, Kiran Vemula, Klaus, Klaus Zipfel, Lawrence Thorpe, Lennart Poettering, licunlong, Lily Foster, Luca Boccassi, Ludwig Nussel, Luna Jernberg, maanyagoenka, Maanya Goenka, Maksim Kliazovich, Malte Poll, Marko Korhonen, Masatake YAMATO, Mateusz Poliwczak, Matt Johnston, Miao Wang, Micah Abbott, Michael A Cassaniti, Michal Koutný, Michal Sekletár, Mike Yuan, mooo, Morten Linderud, msizanoen, Nick Rosbrook, nikstur, Olivier Gayot, Omojola Joshua, Paolo Velati, Paul Barker, Pavel Borecki, Petr Menšík, Philipp Kern, Philip Withnall, Piotr Drąg, Quintin Hill, Rene Hollander, Richard Phibel, Robert Meijers, Robert Scheck, Roger Gammans, Romain Geissler, Ronan Pigott, Russell Harmon, saikat0511, Samanta Navarro, Sam James, Sam Morris, Simon Braunschmidt, Sjoerd Simons, Sorah Fukumori, Stanislaw Gruszka, Stefan Roesch, Steven Luo, Steve Ramage, Susant Sahani, taniishkaaa, Tanishka, Temuri Doghonadze, Thierry Martin, Thomas Blume, Thomas Genty, Thomas Weißschuh, Thorsten Kukuk, Times-Z, Tobias Powalowski, tofylion, Topi Miettinen, Uwe Kleine-König, Velislav Ivanov, Vitaly Kuznetsov, Vít Zikmund, Weblate, Will Fancher, William Roberts, Winterhuman, Wolfgang Müller, Xeonacid, Xiaotian Wu, Xi Ruoyao, Yuri Chornoivan, Yu Watanabe, Yuxiang Zhu, Zbigniew Jędrzejewski-Szmek, zhmylove, ZjYwMj, Дамјан Георгиевски, наб — Edinburgh, 2023-07-28 CHANGES WITH 253: Announcements of Future Feature Removals and Incompatible Changes: * We intend to remove cgroup v1 support from systemd release after the end of 2023. If you run services that make explicit use of cgroup v1 features (i.e. the "legacy hierarchy" with separate hierarchies for each controller), please implement compatibility with cgroup v2 (i.e. the "unified hierarchy") sooner rather than later. Most of Linux userspace has been ported over already. * We intend to remove support for split-usr (/usr mounted separately during boot) and unmerged-usr (parallel directories /bin and /usr/bin, /lib and /usr/lib, etc). This will happen in the second half of 2023, in the first release that falls into that time window. For more details, see: https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html * We intend to change behaviour w.r.t. units of the per-user service manager and sandboxing options, so that they work without having to manually enable PrivateUsers= as well, which is not required for system units. To make this work, we will implicitly enable user namespaces (PrivateUsers=yes) when a sandboxing option is enabled in a user unit. The drawback is that system users will no longer be visible (and appear as 'nobody') to the user unit when a sandboxing option is enabled. By definition a sandboxed user unit should run with reduced privileges, so impact should be small. This will remove a great source of confusion that has been reported by users over the years, due to how these options require an extra setting to be manually enabled when used in the per-user service manager, as opposed as to the system service manager. We plan to enable this change in the next release later this year. For more details, see: https://lists.freedesktop.org/archives/systemd-devel/2022-December/048682.html Deprecations and incompatible changes: * systemctl will now warn when invoked without /proc/ mounted (e.g. when invoked after chroot() into an directory tree without the API mount points like /proc/ being set up.) Operation in such an environment is not fully supported. * The return value of 'systemctl is-active|is-enabled|is-failed' for unknown units is changed: previously 1 or 3 were returned, but now 4 (EXIT_PROGRAM_OR_SERVICES_STATUS_UNKNOWN) is used as documented. * 'udevadm hwdb' subcommand is deprecated and will emit a warning. systemd-hwdb (added in 2014) should be used instead. * 'bootctl --json' now outputs a single JSON array, instead of a stream of newline-separated JSON objects. * Udev rules in 60-evdev.rules have been changed to load hwdb properties for all modalias patterns. Previously only the first matching pattern was used. This could change what properties are assigned if the user has more and less specific patterns that could match the same device, but it is expected that the change will have no effect for most users. * systemd-networkd-wait-online exits successfully when all interfaces are ready or unmanaged. Previously, if neither '--any' nor '--interface=' options were used, at least one interface had to be in configured state. This change allows the case where systemd-networkd is enabled, but no interfaces are configured, to be handled gracefully. It may occur in particular when a different network manager is also enabled and used. * Some compatibility helpers were dropped: EmergencyAction= in the user manager, as well as measuring kernel command line into PCR 8 in systemd-stub, along with the -Defi-tpm-pcr-compat compile-time option. * The '-Dupdate-helper-user-timeout=' build-time option has been renamed to '-Dupdate-helper-user-timeout-sec=', and now takes an integer as parameter instead of a string. * The DDI image dissection logic (which backs RootImage= in service unit files, the --image= switch in various tools such as systemd-nspawn, as well as systemd-dissect) will now only mount file systems of types btrfs, ext4, xfs, erofs, squashfs, vfat. This list can be overridden via the $SYSTEMD_DISSECT_FILE_SYSTEMS environment variable. These file systems are fairly well supported and maintained in current kernels, while others are usually more niche, exotic or legacy and thus typically do not receive the same level of security support and fixes. * The default per-link multicast DNS mode is changed to "yes" (that was previously "no"). As the default global multicast DNS mode has been "yes" (but can be changed by the build option), now the multicast DNS is enabled on all links by default. You can disable the multicast DNS on all links by setting MulticastDNS= in resolved.conf, or on an interface by calling "resolvectl mdns INTERFACE no". New components: * A tool 'ukify' tool to build, measure, and sign Unified Kernel Images (UKIs) has been added. This replaces functionality provided by 'dracut --uefi' and extends it with automatic calculation of PE file offsets, insertion of signed PCR policies generated by systemd-measure, support for initrd concatenation, signing of the embedded Linux image and the combined image with sbsign, and heuristics to autodetect the kernel uname and verify the splash image. Changes in systemd and units: * A new service type Type=notify-reload is defined. When such a unit is reloaded a UNIX process signal (typically SIGHUP) is sent to the main service process. The manager will then wait until it receives a "RELOADING=1" followed by a "READY=1" notification from the unit as response (via sd_notify()). Otherwise, this type is the same as Type=notify. A new setting ReloadSignal= may be used to change the signal to send from the default of SIGHUP. user@.service, systemd-networkd.service, systemd-udevd.service, and systemd-logind have been updated to this type. * Initrd environments which are not on a pure memory file system (e.g. overlayfs combination as opposed to tmpfs) are now supported. With this change, during the initrd → host transition ("switch root") systemd will erase all files of the initrd only when the initrd is backed by a memory file system such as tmpfs. * New per-unit MemoryZSwapMax= option has been added to configure memory.zswap.max cgroup properties (the maximum amount of zswap used). * A new LogFilterPatterns= option has been added for units. It may be used to specify accept/deny regular expressions for log messages generated by the unit, that shall be enforced by systemd-journald. Rejected messages are neither stored in the journal nor forwarded. This option may be used to suppress noisy or uninteresting messages from units. * The manager has a new org.freedesktop.systemd1.Manager.GetUnitByPIDFD() D-Bus method to query process ownership via a PIDFD, which is more resilient against PID recycling issues. * Scope units now support OOMPolicy=. Login session scopes default to OOMPolicy=continue, allowing login scopes to survive the OOM killer terminating some processes in the scope. * systemd-fstab-generator now supports x-systemd.makefs option for /sysroot/ (in the initrd). * The maximum rate at which daemon reloads are executed can now be limited with the new ReloadLimitIntervalSec=/ReloadLimitBurst= options. (Or the equivalent on the kernel command line: systemd.reload_limit_interval_sec=/systemd.reload_limit_burst=). In addition, systemd now logs the originating unit and PID when a reload request is received over D-Bus. * When enabling a swap device systemd will now reinitialize the device when the page size of the swap space does not match the page size of the running kernel. Note that this requires the 'swapon' utility to provide the '--fixpgsz' option, as implemented by util-linux, and it is not supported by busybox at the time of writing. * systemd now executes generator programs in a mount namespace "sandbox" with most of the file system read-only and write access restricted to the output directories, and with a temporary /tmp/ mount provided. This provides a safeguard against programming errors in the generators, but also fixes here-docs in shells, which previously didn't work in early boot when /tmp/ wasn't available yet. (This feature has no security implications, because the code is still privileged and can trivially exit the sandbox.) * The system manager will now parse a new "vmm.notify_socket" system credential, which may be supplied to a VM via SMBIOS. If found, the manager will send a "READY=1" notification on the specified socket after boot is complete. This allows readiness notification to be sent from a VM guest to the VM host over a VSOCK socket. * The sample PAM configuration file for systemd-user@.service now includes a call to pam_namespace. This puts children of user@.service in the expected namespace. (Many distributions replace their file with something custom, so this change has limited effect.) * A new environment variable $SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST can be used to override the mount units burst late limit for parsing '/proc/self/mountinfo', which was introduced in v249. Defaults to 5. * Drop-ins for init.scope changing control group resource limits are now applied, while they were previously ignored. * New build-time configuration options '-Ddefault-timeout-sec=' and '-Ddefault-user-timeout-sec=' have been added, to let distributions choose the default timeout for starting/stopping/aborting system and user units respectively. * Service units gained a new setting OpenFile= which may be used to open arbitrary files in the file system (or connect to arbitrary AF_UNIX sockets in the file system), and pass the open file descriptor to the invoked process via the usual file descriptor passing protocol. This is useful to give unprivileged services access to select files which have restrictive access modes that would normally not allow this. It's also useful in case RootDirectory= or RootImage= is used to allow access to files from the host environment (which is after all not visible from the service if these two options are used.) Changes in udev: * The new net naming scheme "v253" has been introduced. In the new scheme, ID_NET_NAME_PATH is also set for USB devices not connected via a PCI bus. This extends the coverage of predictable interface names in some embedded systems. The "amba" bus path is now included in ID_NET_NAME_PATH, resulting in a more informative path on some embedded systems. * Partition block devices will now also get symlinks in /dev/disk/by-diskseq/-part, which may be used to reference block device nodes via the kernel's "diskseq" value. Previously those symlinks were only created for the main block device. * A new operator '-=' is supported for SYMLINK variables. This allows symlinks to be unconfigured even if an earlier rule added them. * 'udevadm --trigger --settle' now also works for network devices that are being renamed. Changes in sd-boot, bootctl, and the Boot Loader Specification: * systemd-boot now passes its random seed directly to the kernel's RNG via the LINUX_EFI_RANDOM_SEED_TABLE_GUID configuration table, which means the RNG gets seeded very early in boot before userspace has started. * systemd-boot will pass a disk-backed random seed – even when secure boot is enabled – if it can additionally get a random seed from EFI itself (via EFI's RNG protocol), or a prior seed in LINUX_EFI_RANDOM_SEED_TABLE_GUID from a preceding bootloader. * systemd-boot-system-token.service was renamed to systemd-boot-random-seed.service and extended to always save a random seed to ESP on every boot when a compatible boot loader is used. This allows a refreshed random seed to be used in the boot loader. * systemd-boot handles various seed inputs using a domain- and field-separated hashing scheme. * systemd-boot's 'random-seed-mode' option has been removed. A system token is now always required to be present for random seeds to be used. * systemd-boot now supports being loaded from other locations than the ESP, for example for direct kernel boot under QEMU or when embedded into the firmware. * systemd-boot now parses SMBIOS information to detect virtualization. This information is used to skip some warnings which are not useful in a VM and to conditionalize other aspects of behaviour. * systemd-boot now supports a new 'if-safe' mode that will perform UEFI Secure Boot automated certificate enrollment from the ESP only if it is considered 'safe' to do so. At the moment 'safe' means running in a virtual machine. * systemd-stub now processes random seeds in the same way as systemd-boot already does, in case a unified kernel image is being used from a different bootloader than systemd-boot, or without any boot load at all. * bootctl will now generate a system token on all EFI systems, even virtualized ones, and is activated in the case that the system token is missing from either sd-boot and sd-stub booted systems. * bootctl now implements two new verbs: 'kernel-identify' prints the type of a kernel image file, and 'kernel-inspect' provides information about the embedded command line and kernel version of UKIs. * bootctl now honours $KERNEL_INSTALL_CONF_ROOT with the same meaning as for kernel-install. * The JSON output of "bootctl list" will now contain two more fields: isDefault and isSelected are boolean fields set to true on the default and currently booted boot menu entries. * bootctl gained a new verb "unlink" for removing a boot loader entry type #1 file from disk in a safe and robust way. * bootctl also gained a new verb "cleanup" that automatically removes all files from the ESP's and XBOOTLDR's "entry-token" directory, that is not referenced anymore by any installed Type #1 boot loader specification entry. This is particularly useful in environments where a large number of entries reference the same or partly the same resources (for example, for snapshot-based setups). Changes in kernel-install: * A new "installation layout" can be configured as layout=uki. With this setting, a Boot Loader Specification Type#1 entry will not be created. Instead, a new kernel-install plugin 90-uki-copy.install will copy any .efi files from the staging area into the boot partition. A plugin to generate the UKI .efi file must be provided separately. Changes in systemctl: * 'systemctl reboot' has dropped support for accepting a positional argument as the argument to the reboot(2) syscall. Please use the --reboot-argument= option instead. * 'systemctl disable' will now warn when called on units without install information. A new --no-warn option has been added that silences this warning. * New option '--drop-in=' can be used to tell 'systemctl edit' the name of the drop-in to edit. (Previously, 'override.conf' was always used.) * 'systemctl list-dependencies' now respects --type= and --state=. * 'systemctl kexec' now supports XEN VMM environments. * 'systemctl edit' will now tell the invoked editor to jump into the first line with actual unit file data, skipping over synthesized comments. Changes in systemd-networkd and related tools: * The [DHCPv4] section in .network file gained new SocketPriority= setting that assigns the Linux socket priority used by the DHCPv4 raw socket. This may be used in conjunction with the EgressQOSMaps=setting in [VLAN] section of .netdev file to send the desired ethernet 802.1Q frame priority for DHCPv4 initial packets. This cannot be achieved with netfilter mangle tables because of the raw socket bypass. * The [DHCPv4] and [IPv6AcceptRA] sections in .network file gained a new QuickAck= boolean setting that enables the TCP quick ACK mode for the routes configured by the acquired DHCPv4 lease or received router advertisements (RAs). * The RouteMetric= option (for DHCPv4, DHCPv6, and IPv6 advertised routes) now accepts three values, for high, medium, and low preference of the router (which can be set with the RouterPreference=) setting. * systemd-networkd-wait-online now supports matching via alternative interface names. * The [DHCPv6] section in .network file gained new SendRelease= setting which enables the DHCPv6 client to send release when it stops. This is the analog of the [DHCPv4] SendRelease= setting. It is enabled by default. * If the Address= setting in [Network] or [Address] sections in .network specified without its prefix length, then now systemd-networkd assumes /32 for IPv4 or /128 for IPv6 addresses. * networkctl shows network and link file dropins in status output. Changes in systemd-dissect: * systemd-dissect gained a new option --list, to print the paths of all files and directories in a DDI. * systemd-dissect gained a new option --mtree, to generate a file manifest compatible with BSD mtree(5) of a DDI * systemd-dissect gained a new option --with, to execute a command with the specified DDI temporarily mounted and used as working directory. This is for example useful to convert a DDI to "tar" simply by running it within a "systemd-dissect --with" invocation. * systemd-dissect gained a new option --discover, to search for Discoverable Disk Images (DDIs) in well-known directories of the system. This will list machine, portable service and system extension disk images. * systemd-dissect now understands 2nd stage initrd images stored as a Discoverable Disk Image (DDI). * systemd-dissect will now display the main UUID of GPT DDIs (i.e. the disk UUID stored in the GPT header) among the other data it can show. * systemd-dissect gained a new --in-memory switch to operate on an in-memory copy of the specified DDI file. This is useful to access a DDI with write access without persisting any changes. It's also useful for accessing a DDI without keeping the originating file system busy. * The DDI dissection logic will now automatically detect the intended sector size of disk images stored in files, based on the GPT partition table arrangement. Loopback block devices for such DDIs will then be configured automatically for the right sector size. This is useful to make dealing with modern 4K sector size DDIs fully automatic. The systemd-dissect tool will now show the detected sector size among the other DDI information in its output. Changes in systemd-repart: * systemd-repart gained new options --include-partitions= and --exclude-partitions= to filter operation on partitions by type UUID. This allows systemd-repart to be used to build images in which the type of one partition is set based on the contents of another partition (for example when the boot partition shall include a verity hash of the root partition). * systemd-repart also gained a --defer-partitions= option that is similar to --exclude-partitions=, but the size of the partition is still taken into account when sizing partitions, but without populating it. * systemd-repart gained a new --sector-size= option to specify what sector size should be used when an image is created. * systemd-repart now supports generating erofs file systems via CopyFiles= (a read-only file system similar to squashfs). * The Minimize= option was extended to accept "best" (which means the most minimal image possible, but may require multiple attempts) and "guess" (which means a reasonably small image). * The systemd-growfs binary now comes with a regular unit file template systemd-growfs@.service which can be instantiated directly for any desired file system. (Previously, the unit was generated dynamically by various generators, but no regular unit file template was available.) Changes in journal tools: * Various systemd tools will append extra fields to log messages when in debug mode, or when SYSTEMD_ENABLE_LOG_CONTEXT=1 is set. Currently this includes information about D-Bus messages when sd-bus is used, e.g. DBUS_SENDER=, DBUS_DESTINATION=, and DBUS_PATH=, and information about devices when sd-device is used, e.g. DEVNAME= and DRIVER=. Details of what is logged and when are subject to change. * The systemd-journald-audit.socket can now be disabled via the usual "systemctl disable" mechanism to stop collection of audit messages. Please note that it is not enabled statically anymore and must be handled by the preset/enablement logic in package installation scripts. * New options MaxUse=, KeepFree=, MaxFileSize=, and MaxFiles= can be used to curtail disk use by systemd-journal-remote. This is similar to the options supported by systemd-journald. Changes in systemd-cryptenroll, systemd-cryptsetup, and related components: * When enrolling new keys systemd-cryptenroll now supports unlocking via FIDO2 tokens (option --unlock-fido2-device=). Previously, a password was strictly required to be specified. * systemd-cryptsetup now supports pre-flight requests for FIDO2 tokens (except for tokens with user verification, UV) to identify tokens before authentication. Multiple FIDO2 tokens can now be enrolled at the same time, and systemd-cryptsetup will automatically select one that corresponds to one of the available LUKS key slots. * systemd-cryptsetup now supports new options tpm2-measure-bank= and tpm2-measure-pcr= in crypttab(5). These allow specifying the TPM2 PCR bank and number into which the volume key should be measured. This is automatically enabled for the encrypted root volume discovered and activated by systemd-gpt-auto-generator. * systemd-gpt-auto-generator mounts the ESP and XBOOTLDR partitions with "noexec,nosuid,nodev". * systemd-gpt-auto-generator will now honour the rootfstype= and rootflags= kernel command line switches for root file systems it discovers, to match behaviour in case an explicit root fs is specified via root=. * systemd-pcrphase gained new options --machine-id and --file-system= to measure the machine-id and mount point information into PCR 15. New service unit files systemd-pcrmachine.service and systemd-pcrfs@.service have been added that invoke the tool with these switches during early boot. * systemd-pcrphase gained a --graceful switch will make it exit cleanly with a success exit code even if no TPM device is detected. * systemd-cryptenroll now stores the user-supplied PIN with a salt, making it harder to brute-force. Changes in other tools: * systemd-homed gained support for luksPbkdfForceIterations (the intended number of iterations for the PBKDF operation on LUKS). * Environment variables $SYSTEMD_HOME_MKFS_OPTIONS_BTRFS, $SYSTEMD_HOME_MKFS_OPTIONS_EXT4, and $SYSTEMD_HOME_MKFS_OPTIONS_XFS may now be used to specify additional arguments for mkfs when systemd-homed formats a file system. * systemd-hostnamed now exports the contents of /sys/class/dmi/id/bios_vendor and /sys/class/dmi/id/bios_date via two new D-Bus properties: FirmwareVendor and FirmwareDate. This allows unprivileged code to access those values. systemd-hostnamed also exports the SUPPORT_END= field from os-release(5) as OperatingSystemSupportEnd. hostnamectl make uses of this to show the status of the installed system. * systemd-measure gained an --append= option to sign multiple phase paths with different signing keys. This allows secrets to be accessible only in certain parts of the boot sequence. Note that 'ukify' provides similar functionality in a more accessible form. * systemd-timesyncd will now write a structured log message with MESSAGE_ID set to SD_MESSAGE_TIME_BUMP when it bumps the clock based on a on-disk timestamp, similarly to what it did when reaching synchronization via NTP. * systemd-timesyncd will now update the on-disk timestamp file on each boot at least once, making it more likely that the system time increases in subsequent boots. * systemd-vconsole-setup gained support for system/service credentials: vconsole.keymap/vconsole.keymap_toggle and vconsole.font/vconsole.font_map/vconsole.font_unimap are analogous the similarly-named options in vconsole.conf. * systemd-localed will now save the XKB keyboard configuration to /etc/vconsole.conf, and also read it from there with a higher preference than the /etc/X11/xorg.conf.d/00-keyboard.conf config file. Previously, this information was stored in the former file in converted form, and only in latter file in the original form. Tools which want to access keyboard configuration can now do so from a standard location. * systemd-resolved gained support for configuring the nameservers and search domains via kernel command line (nameserver=, domain=) and credentials (network.dns, network.search_domains). * systemd-resolved will now synthesize host names for the DNS stub addresses it supports. Specifically when "_localdnsstub" is resolved, 127.0.0.53 is returned, and if "_localdnsproxy" is resolved 127.0.0.54 is returned. * systemd-notify will now send a "RELOADING=1" notification when called with --reloading, and "STOPPING=1" when called with --stopping. This can be used to implement notifications from units where it's easier to call a program than to use the sd-daemon library. * systemd-analyze's 'plot' command can now output its information in JSON, controlled via the --json= switch. Also, new --table, and --no-legend options have been added. * 'machinectl enable' will now automatically enable machines.target unit in addition to adding the machine unit to the target. Similarly, 'machinectl start|stop' gained a --now option to enable or disable the machine unit when starting or stopping it. * systemd-sysusers will now create /etc/ if it is missing. * systemd-sleep 'HibernateDelaySec=' setting is changed back to pre-v252's behaviour, and a new 'SuspendEstimationSec=' setting is added to provide the new initial value for the new automated battery estimation functionality. If 'HibernateDelaySec=' is set to any value, the automated estimate (and thus the automated hibernation on low battery to avoid data loss) functionality will be disabled. * Default tmpfiles.d/ configuration will now automatically create credentials storage directory '/etc/credstore/' with the appropriate, secure permissions. If '/run/credstore/' exists, its permissions will be fixed too in case they are not correct. Changes in libsystemd and shared code: * sd-bus gained new convenience functions sd_bus_emit_signal_to(), sd_bus_emit_signal_tov(), and sd_bus_message_new_signal_to(). * sd-id128 functions now return -EUCLEAN (instead of -EIO) when the 128-bit ID in files such as /etc/machine-id has an invalid format. They also accept NULL as output parameter in more places, which is useful when the caller only wants to validate the inputs and does not need the output value. * sd-login gained new functions sd_pidfd_get_session(), sd_pidfd_get_owner_uid(), sd_pidfd_get_unit(), sd_pidfd_get_user_unit(), sd_pidfd_get_slice(), sd_pidfd_get_user_slice(), sd_pidfd_get_machine_name(), and sd_pidfd_get_cgroup(), that are analogous to sd_pid_get_*(), but accept a PIDFD instead of a PID. * sd-path (and systemd-path) now export four new paths: SD_PATH_SYSTEMD_SYSTEM_ENVIRONMENT_GENERATOR, SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR, SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR, and SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR, * sd_notify() now supports AF_VSOCK as transport for notification messages (in addition to the existing AF_UNIX support). This is enabled if $NOTIFY_SOCKET is set in a "vsock:CID:port" format. * Detection of chroot() environments now works if /proc/ is not mounted. This affects systemd-detect-virt --chroot, but also means that systemd tools will silently skip various operations in such an environment. * "Lockheed Martin Hardened Security for Intel Processors" (HS SRE) virtualization is now detected. Changes in the build system: * Standalone variants of systemd-repart and systemd-shutdown may now be built (if -Dstandalone=true). * systemd-ac-power has been moved from /usr/lib/ to /usr/bin/, to, for example, allow scripts to conditionalize execution on AC power supply. * The libp11kit library is now loaded through dlopen(3). Changes in the documentation: * Specifications that are not closely tied to systemd have moved to https://uapi-group.org/specifications/: the Boot Loader Specification and the Discoverable Partitions Specification. Contributions from: 김인수, 13r0ck, Aidan Dang, Alberto Planas, Alvin Šipraga, Andika Triwidada, AndyChi, angus-p, Anita Zhang, Antonio Alvarez Feijoo, Arsen Arsenović, asavah, Benjamin Fogle, Benjamin Tissoires, berenddeschouwer, BerndAdameit, Bernd Steinhauser, blutch112, cake03, Callum Farmer, Carlo Teubner, Charles Hardin, chris, Christian Brauner, Christian Göttsche, Cristian Rodríguez, Daan De Meyer, Dan Streetman, DaPigGuy, Darrell Kavanagh, David Tardon, dependabot[bot], Dirk Su, Dmitry V. Levin, drosdeck, Edson Juliano Drosdeck, edupont, Eric DeVolder, Erik Moqvist, Evgeny Vereshchagin, Fabian Gurtner, Felix Riemann, Franck Bui, Frantisek Sumsal, Geert Lorang, Gerd Hoffmann, Gio, Hannoskaj, Hans de Goede, Hugo Carvalho, igo95862, Ilya Leoshkevich, Ivan Shapovalov, Jacek Migacz, Jade Lovelace, Jan Engelhardt, Jan Janssen, Jan Macku, January, Jason A. Donenfeld, jcg, Jean-Tiare Le Bigot, Jelle van der Waa, Jeremy Linton, Jian Zhang, Jiayi Chen, Jia Zhang, Joerg Behrmann, Jörg Thalheim, Joshua Goins, joshuazivkovic, Joshua Zivkovic, Kai-Chuan Hsieh, Khem Raj, Koba Ko, Lennart Poettering, lichao, Li kunyu, Luca Boccassi, Luca BRUNO, Ludwig Nussel, Łukasz Stelmach, Lycowolf, marcel151, Marcus Schäfer, Marek Vasut, Mark Laws, Michael Biebl, Michał Kotyla, Michal Koutný, Michal Sekletár, Mike Gilbert, Mike Yuan, MkfsSion, ml, msizanoen1, mvzlb, MVZ Ludwigsburg, Neil Moore, Nick Rosbrook, noodlejetski, Pasha Vorobyev, Peter Cai, p-fpv, Phaedrus Leeds, Philipp Jungkamp, Quentin Deslandes, Raul Tambre, Ray Strode, reuben olinsky, Richard E. van der Luit, Richard Phibel, Ricky Tigg, Robin Humble, rogg, Rudi Heitbaum, Sam James, Samuel Cabrero, Samuel Thibault, Siddhesh Poyarekar, Simon Brand, Space Meyer, Spindle Security, Steve Ramage, Takashi Sakamoto, Thomas Haller, Tonći Galić, Topi Miettinen, Torsten Hilbrich, Tuetuopay, uerdogan, Ulrich Ölmann, Valentin David, Vitaly Kuznetsov, Vito Caputo, Waltibaba, Will Fancher, William Roberts, wouter bolsterlee, Youfu Zhang, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски, наб — Warsaw, 2023-02-15 CHANGES WITH 252 🎃: Announcements of Future Feature Removals: * We intend to remove cgroup v1 support from systemd release after the end of 2023. If you run services that make explicit use of cgroup v1 features (i.e. the "legacy hierarchy" with separate hierarchies for each controller), please implement compatibility with cgroup v2 (i.e. the "unified hierarchy") sooner rather than later. Most of Linux userspace has been ported over already. * We intend to remove support for split-usr (/usr mounted separately during boot) and unmerged-usr (parallel directories /bin and /usr/bin, /lib and /usr/lib, etc). This will happen in the second half of 2023, in the first release that falls into that time window. For more details, see: https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html Compatibility Breaks: * ConditionKernelVersion= checks that use the '=' or '!=' operators will now do simple string comparisons (instead of version comparisons à la stverscmp()). Version comparisons are still done for the ordering operators '<', '>', '<=', '>='. Moreover, if no operator is specified, a shell-style glob match is now done. This creates a minor incompatibility compared to older systemd versions when the '*', '?', '[', ']' characters are used, as these will now match as shell globs instead of literally. Given that kernel version strings typically do not include these characters we expect little breakage through this change. * The service manager will now read the SELinux label used for SELinux access checks from the unit file at the time it loads the file. Previously, the label would be read at the moment of the access check, which was problematic since at that time the unit file might already have been updated or removed. New Features: * systemd-measure is a new tool for calculating and signing expected TPM2 PCR values for a given unified kernel image (UKI) booted via sd-stub. The public key used for the signature and the signed expected PCR information can be embedded inside the UKI. This information can be extracted from the UKI by external tools and code in the image itself and is made available to userspace in the booted kernel. systemd-cryptsetup, systemd-cryptenroll, and systemd-creds have been updated to make use of this information if available in the booted kernel: when locking an encrypted volume/credential to the TPM systemd-cryptenroll/systemd-creds will use the public key to bind the volume/credential to any kernel that carries PCR information signed by the same key pair. When unlocking such volumes/credentials systemd-cryptsetup/systemd-creds will use the signature embedded in the booted UKI to gain access. Binding TPM-based disk encryption to public keys/signatures of PCR values — instead of literal PCR values — addresses the inherent "brittleness" of traditional PCR-bound TPM disk encryption schemes: disks remain accessible even if the UKI is updated, without any TPM specific preparation during the OS update — as long as each UKI carries the necessary PCR signature information. Net effect: if you boot a properly prepared kernel, TPM-bound disk encryption now defaults to be locked to kernels which carry PCR signatures from the same key pair. Example: if a hypothetical distro FooOS prepares its UKIs like this, TPM-based disk encryption is now – by default – bound to only FooOS kernels, and encrypted volumes bound to the TPM cannot be unlocked on kernels from other sources. (But do note this behaviour requires preparation/enabling in the UKI, and of course users can always enroll non-TPM ways to unlock the volume.) * systemd-pcrphase is a new tool that is invoked at six places during system runtime, and measures additional words into TPM2 PCR 11, to mark milestones of the boot process. This allows binding access to specific TPM2-encrypted secrets to specific phases of the boot process. (Example: LUKS2 disk encryption key only accessible in the initrd, but not later.) Changes in systemd itself, i.e. the manager and units * The cpu controller is delegated to user manager units by default, and CPUWeight= settings are applied to the top-level user slice units (app.slice, background.slice, session.slice). This provides a degree of resource isolation between different user services competing for the CPU. * Systemd can optionally do a full preset in the "first boot" condition (instead of just enable-only). This behaviour is controlled by the compile-time option -Dfirst-boot-full-preset. Right now it defaults to 'false', but the plan is to switch it to 'true' for the subsequent release. * Drop-ins are now allowed for transient units too. * Systemd will set the taint flag 'support-ended' if it detects that the OS image is past its end-of-support date. This date is declared in a new /etc/os-release field SUPPORT_END= described below. * Two new settings ConditionCredential= and AssertCredential= can be used to skip or fail units if a certain system credential is not provided. * ConditionMemory= accepts size suffixes (K, M, G, T, …). * DefaultSmackProcessLabel= can be used in system.conf and user.conf to specify the SMACK security label to use when not specified in a unit file. * DefaultDeviceTimeoutSec= can be used in system.conf and user.conf to specify the default timeout when waiting for device units to activate. * C.UTF-8 is used as the default locale if nothing else has been configured. * [Condition|Assert]Firmware= have been extended to support certain SMBIOS fields. For example ConditionFirmware=smbios-field(board_name = "Custom Board") conditionalizes the unit to run only when /sys/class/dmi/id/board_name contains "Custom Board" (without the quotes). * ConditionFirstBoot= now correctly evaluates as true only during the boot phase of the first boot. A unit executed later, after booting has completed, will no longer evaluate this condition as true. * Socket units will now create sockets in the SELinuxContext= of the associated service unit, if any. * Boot phase transitions (start initrd → exit initrd → boot complete → shutdown) will be measured into TPM2 PCR 11, so that secrets can be bound to a specific runtime phase. E.g.: a LUKS encryption key can be unsealed only in the initrd. * Service credentials (i.e. SetCredential=/LoadCredential=/…) will now also be provided to ExecStartPre= processes. * Various units are now correctly ordered against initrd-switch-root.target where previously a conflict without ordering was configured. A stop job for those units would be queued, but without the ordering it could be executed only after initrd-switch-root.service, leading to units not being restarted in the host system as expected. * In order to fully support the IPMI watchdog driver, which has not yet been ported to the new common watchdog device interface, /dev/watchdog0 will be tried first and systemd will silently fallback to /dev/watchdog if it is not found. * New watchdog-related D-Bus properties are now published by systemd: WatchdogDevice, WatchdogLastPingTimestamp, WatchdogLastPingTimestampMonotonic. * At shutdown, API virtual files systems (proc, sys, etc.) will be unmounted lazily. * At shutdown, systemd will now log about processes blocking unmounting of file systems. * A new meson build option 'clock-valid-range-usec-max' was added to allow disabling system time correction if RTC returns a timestamp far in the future. * Propagated restart jobs will no longer be discarded while a unit is activating. * PID 1 will now import system credentials from SMBIOS Type 11 fields ("OEM vendor strings"), in addition to qemu_fwcfg. This provides a simple, fast and generic path for supplying credentials to a VM, without involving external tools such as cloud-init/ignition. * The CPUWeight= setting of unit files now accepts a new special value "idle", which configures "idle" level scheduling for the unit. * Service processes that are activated due to a .timer or .path unit triggering will now receive information about this via environment variables. Note that this is information is lossy, as activation might be coalesced and only one of the activating triggers will be reported. This is hence more suited for debugging or tracing rather than for behaviour decisions. * The riscv_flush_icache(2) system call has been added to the list of system calls allowed by default when SystemCallFilter= is used. * The selinux context derived from the target executable, instead of 'init_t' used for the manager itself, is now used when creating listening sockets for units that specify SELinuxContextFromNet=yes. Changes in sd-boot, bootctl, and the Boot Loader Specification: * The Boot Loader Specification has been cleaned up and clarified. Various corner cases in version string comparisons have been fixed (e.g. comparisons for empty strings). Boot counting is now part of the main specification. * New PCRs measurements are performed during boot: PCR 11 for the kernel+initrd combo, PCR 13 for any sysext images. If a measurement took place this is now reported to userspace via the new StubPcrKernelImage and StubPcrInitRDSysExts EFI variables. * As before, systemd-stub will measure kernel parameters and system credentials into PCR 12. It will now report this fact via the StubPcrKernelParameters EFI variable to userspace. * The UEFI monotonic boot counter is now included in the updated random seed file maintained by sd-boot, providing some additional entropy. * sd-stub will use LoadImage/StartImage to execute the kernel, instead of arranging the image manually and jumping to the kernel entry point. sd-stub also installs a temporary UEFI SecurityOverride to allow the (unsigned) nested image to be booted. This is safe because the outer (signed) stub+kernel binary must have been verified before the stub was executed. * Booting in EFI mixed mode (a 64-bit kernel over 32-bit UEFI firmware) is now supported by sd-boot. * bootctl gained a bunch of new options: --all-architectures to install binaries for all supported EFI architectures, --root= and --image= options to operate on a directory or disk image, and --install-source= to specify the source for binaries to install, --efi-boot-option-description= to control the name of the boot entry. * The sd-boot stub exports a StubFeatures flag, which is used by bootctl to show features supported by the stub that was used to boot. * The PE section offsets that are used by tools that assemble unified kernel images have historically been hard-coded. This may lead to overlapping PE sections which may break on boot. The UKI will now try to detect and warn about this. Any tools that assemble UKIs must update to calculate these offsets dynamically. Future sd-stub versions may use offsets that will not work with the currently used set of hard-coded offsets! * sd-stub now accepts (and passes to the initrd and then to the full OS) new PE sections '.pcrsig' and '.pcrkey' that can be used to embed signatures of expected PCR values, to allow sealing secrets via the TPM2 against pre-calculated PCR measurements. Changes in the hardware database: * 'systemd-hwdb query' now supports the --root= option. Changes in systemctl: * systemctl now supports --state= and --type= options for the 'show' and 'status' verbs. * systemctl gained a new verb 'list-automounts' to list automount points. * systemctl gained support for a new --image= switch to be able to operate on the specified disk image (similar to the existing --root= which operates relative to some directory). Changes in systemd-networkd: * networkd can set Linux NetLabel labels for integration with the network control in security modules via a new NetLabel= option. * The RapidCommit= is (re-)introduced to enable faster configuration via DHCPv6 (RFC 3315). * networkd gained a new option TCPCongestionControlAlgorithm= that allows setting a per-route TCP algorithm. * networkd gained a new option KeepFileDescriptor= to allow keeping a reference (file descriptor) open on TUN/TAP interfaces, which is useful to avoid link flaps while the underlying service providing the interface is being serviced. * RouteTable= now also accepts route table names. Changes in systemd-nspawn: * The --bind= and --overlay= options now support relative paths. * The --bind= option now supports a 'rootidmap' value, which will use id-mapped mounts to map the root user inside the container to the owner of the mounted directory on the host. Changes in systemd-resolved: * systemd-resolved now persists DNSOverTLS in its state file too. This fixes a problem when used in combination with NetworkManager, which sends the setting only once, causing it to be lost if resolved was restarted at any point. * systemd-resolved now exposes a Varlink socket at /run/systemd/resolve/io.systemd.Resolve.Monitor, accessible only for root. Processed DNS requests in a JSON format will be published to any clients connected to this socket. resolvectl gained a 'monitor' verb to make use of this. * systemd-resolved now treats unsupported DNSSEC algorithms as INSECURE instead of returning SERVFAIL, as per RFC: https://datatracker.ietf.org/doc/html/rfc6840#section-5.2 * OpenSSL is the default crypto backend for systemd-resolved. (gnutls is still supported.) Changes in libsystemd and other libraries: * libsystemd now exports sd_bus_error_setfv() (a convenience function for setting bus errors), sd_id128_string_equal (a convenience function for 128-bit ID string comparisons), and sd_bus_message_read_strv_extend() (a function to incrementally read string arrays). * libsystemd now exports sd_device_get_child_first()/_next() as a high-level interface for enumerating child devices. It also supports sd_device_new_child() for opening a child device given a device object. * libsystemd now exports sd_device_monitor_set()/get_description() which allow setting a custom description that will be used in log messages by sd_device_monitor*. * Private shared libraries (libsystemd-shared-nnn.so, libsystemd-core-nnn.so) are now installed into arch-specific directories to allow multi-arch installs. * A new sd-gpt.h header is now published, listing GUIDs from the Discoverable Partitions specification. For more details see: https://systemd.io/DISCOVERABLE_PARTITIONS/ * A new function sd_hwdb_new_from_path() has been added to open a hwdb database given an explicit path to the file. * The signal number argument to sd_event_add_signal() now can now be ORed with the SD_EVENT_SIGNAL_PROCMASK flag, causing sigprocmask() to be automatically invoked to block the specified signal. This is useful to simplify invocations as the caller doesn't have to do this manually. * A new convenience call sd_event_set_signal_exit() has been added to sd-event to set up signal handling so that the event loop automatically terminates cleanly on SIGTERM/SIGINT. Changes in other components: * systemd-sysusers, systemd-tmpfiles, and systemd-sysctl configuration can now be provided via the credential mechanism. * systemd-analyze gained a new verb 'compare-versions' that implements comparisons for versions strings (similarly to 'rpmdev-vercmp' and 'dpkg --compare-versions'). * 'systemd-analyze dump' is extended to accept glob patterns for unit names to limit the output to matching units. * tmpfiles.d/ lines can read file contents to write from a credential. The new modifier char '^' is used to specify that the argument is a credential name. This mechanism is used to automatically populate /etc/motd, /etc/issue, and /etc/hosts from credentials. * tmpfiles.d/ may now be configured to avoid changing uid/gid/mode of an inode if the specification is prefixed with ':' and the inode already exists. * Default tmpfiles.d/ configuration now carries a line to automatically use an 'ssh.authorized_keys.root' credential if provided to set up the SSH authorized_keys file for the root user. * systemd-tmpfiles will now gracefully handle absent source of "C" copy lines. * tmpfiles.d/ F/w lines now optionally permit encoding of the payload in base64. This is useful to write arbitrary binary data into files. * The pkgconfig and rpm macros files now export the directory for user units as 'user_tmpfiles_dir' and '%_user_tmpfilesdir'. * Detection of Apple Virtualization and detection of Parallels and KubeVirt virtualization on non-x86 archs have been added. * os-release gained a new field SUPPORT_END=YYYY-MM-DD to inform the user when their system will become unsupported. * When performing suspend-then-hibernate, the system will estimate the discharge rate and use that to set the delay until hibernation and hibernate immediately instead of suspending when running from a battery and the capacity is below 5%. * systemd-sysctl gained a --strict option to fail when a sysctl setting is unknown to the kernel. * machinectl supports --force for the 'copy-to' and 'copy-from' verbs. * coredumpctl gained the --root and --image options to look for journal files under the specified root directory, image, or block device. * 'journalctl -o' and similar commands now implement a new output mode "short-delta". It is similar to "short-monotonic", but also shows the time delta between subsequent messages. * journalctl now respects the --quiet flag when verifying consistency of journal files. * Journal log messages gained a new implicit field _RUNTIME_SCOPE= that will indicate whether a message was logged in the 'initrd' phase or in the 'system' phase of the boot process. * Journal files gained a new compatibility flag 'HEADER_INCOMPATIBLE_COMPACT'. Files with this flag implement changes to the storage format that allow reducing size on disk. As with other compatibility flags, older journalctl versions will not be able to read journal files using this new format. The environment variable 'SYSTEMD_JOURNAL_COMPACT=0' can be passed to systemd-journald to disable this functionality. It is enabled by default. * systemd-run's --working-directory= switch now works when used in combination with --scope. * portablectl gained a --force flag to skip certain sanity checks. This is implemented using new flags accepted by systemd-portabled for the *WithExtensions() D-Bus methods: SD_SYSTEMD_PORTABLE_FORCE_ATTACH flag now means that the attach/detach checks whether the units are already present and running will be skipped. Similarly, SD_SYSTEMD_PORTABLE_FORCE_SYSEXT flag means that the check whether image name matches the name declared inside of the image will be skipped. Callers must be sure to do those checks themselves if appropriate. * systemd-portabled will now use the original filename to check extension-release.NAME for correctness, in case it is passed a symlink. * systemd-portabled now uses PrivateTmp=yes in the 'trusted' profile too. * sysext's extension-release files now support '_any' as a special value for the ID= field, to allow distribution-independent extensions (e.g.: fully statically compiled binaries, scripts). It also gained support for a new ARCHITECTURE= field that may be used to explicitly restrict an image to hosts of a specific architecture. * systemd-repart now supports creating squashfs partitions. This requires mksquashfs from squashfs-tools. * systemd-repart gained a --split flag to also generate split artifacts, i.e. a separate file for each partition. This is useful in conjunction with systemd-sysupdate or other tools, or to generate split dm-verity artifacts. * systemd-repart is now able to generate dm-verity partitions, including signatures. * systemd-repart can now set a partition UUID to zero, allowing it to be filled in later, such as when using verity partitions. * systemd-repart now supports drop-ins for its configuration files. * Package metadata logged by systemd-coredump in the system journal is now more compact. * xdg-autostart-service now expands 'tilde' characters in Exec lines. * systemd-oomd now automatically links against libatomic, if available. * systemd-oomd now sends out a 'Killed' D-Bus signal when a cgroup is killed. * scope units now also provide oom-kill status. * systemd-pstore will now try to load only the efi_pstore kernel module before running, ensuring that pstore can be used. * systemd-logind gained a new StopIdleSessionSec= option to stop an idle session after a preconfigure timeout. * systemd-homed will now wait up to 30 seconds for workers to terminate, rather than indefinitely. * homectl gained a new '--luks-sector-size=' flag that allows users to select the preferred LUKS sector size. Must be a power of 2 between 512 and 4096. systemd-userdbd records gained a corresponding field. * systemd-sysusers will now respect the 'SOURCE_DATE_EPOCH' environment variable when generating the 'sp_lstchg' field, to ensure an image build can be reproducible. * 'udevadm wait' will now listen to kernel uevents too when called with --initialized=no. * When naming network devices udev will now consult the Devicetree "alias" fields for the device. * systemd-udev will now create infiniband/by-path and infiniband/by-ibdev links for Infiniband verbs devices. * systemd-udev-trigger.service will now also prioritize input devices. * ConditionACPower= and systemd-ac-power will now assume the system is running on AC power if no battery can be found. * All features and tools using the TPM2 will now communicate with it using a bind key. Beforehand, the tpm2 support used encrypted sessions by creating a primary key that was used to encrypt traffic. This creates a problem as the key created for encrypting the traffic could be faked by an active interposer on the bus. In cases when a pin is used, a bind key will be used. The pin is used as the auth value for the seal key, aka the disk encryption key, and that auth value will be used in the session establishment. An attacker would need the pin value to create the secure session and thus an active interposer without the pin cannot interpose on TPM2 traffic. * systemd-growfs no longer requires udev to run. * systemd-backlight now will better support systems with multiple graphic cards. * systemd-cryptsetup's keyfile-timeout= option now also works when a device is used as a keyfile. * systemd-cryptenroll gained a new --unlock-key-file= option to get the unlocking key from a key file (instead of prompting the user). Note that this is the key for unlocking the volume in order to be able to enroll a new key, but it is not the key that is enrolled. * systemd-dissect gained a new --umount switch that will safely and synchronously unmount all partitions of an image previously mounted with 'systemd-dissect --mount'. * When using gcrypt, all systemd tools and services will now configure it to prefer the OS random number generator if present. * All example code shipped with documentation has been relicensed from CC0 to MIT-0. * Unit tests will no longer fail when running on a system without /etc/machine-id. Experimental features: * BPF programs can now be compiled with bpf-gcc (requires libbpf >= 1.0 and bpftool >= 7.0). * sd-boot can automatically enroll SecureBoot keys from files found on the ESP. This enrollment can be either automatic ('force' mode) or controlled by the user ('manual' mode). It is sufficient to place the SecureBoot keys in the right place in the ESP and they will be picked up by sd-boot and shown in the boot menu. * The mkosi config in systemd gained support for automatically compiling a kernel with the configuration appropriate for testing systemd. This may be useful when developing or testing systemd in tandem with the kernel. Contributions from: 김인수, Adam Williamson, adrian5, Aidan Dang, Akihiko Odaki, Alban Bedel, Albert Mikaelyan, Aleksey Vasenev, Alexander Graf, Alexander Shopov, Alexander Wilson, Alper Nebi Yasak, anarcat, Anders Jonsson, Andre Kalb, Andrew Stone, Andrey Albershteyn, Anita Zhang, Ansgar Burchardt, Antonio Alvarez Feijoo, Arnaud Ferraris, Aryan singh, asavah, Avamander, Avram Lubkin, Balázs Meskó, Bastien Nocera, Benjamin Franzke, BerndAdameit, bin456789, Celeste Liu, Chih-Hsuan Yen, Christian Brauner, Christian Göttsche, Christian Hesse, Clyde Byrd III, codefiles, Colin Walters, Cristian Rodríguez, Daan De Meyer, Daniel Braunwarth, Daniel Rusek, Dan Streetman, Darsey Litzenberger, David Edmundson, David Jaša, David Rheinsberg, David Seifert, David Tardon, dependabot[bot], Devendra Tewari, Dominique Martinet, drosdeck, Edson Juliano Drosdeck, Eduard Tolosa, eggfly, Einsler Lee, Elias Probst, Eli Schwartz, Evgeny Vereshchagin, exploide, Fei Li, Foster Snowhill, Franck Bui, Frank Dana, Frantisek Sumsal, Gerd Hoffmann, Gio, Goffredo Baroncelli, gtwang01, Guillaume W. Bres, H A, Hans de Goede, Heinrich Schuchardt, Hugo Carvalho, i-do-cpp, igo95862, j00512545, Jacek Migacz, Jade Bilkey, James Hilliard, Jan B, Janis Goldschmidt, Jan Janssen, Jan Kuparinen, Jan Luebbe, Jan Macku, Jason A. Donenfeld, Javkhlanbayar Khongorzul, Jeremy Soller, JeroenHD, jiangchuangang, João Loureiro, Joaquín Ignacio Aramendía, Jochen Sprickerhof, Johannes Schauer Marin Rodrigues, Jonas Kümmerlin, Jonas Witschel, Jonathan Kang, Jonathan Lebon, Joost Heitbrink, Jörg Thalheim, josh-gordon-fb, Joyce, Kai Lueke, lastkrick, Lennart Poettering, Leon M. George, licunlong, Li kunyu, LockBlock-dev, Loïc Collignon, Lubomir Rintel, Luca Boccassi, Luca BRUNO, Ludwig Nussel, Łukasz Stelmach, Maccraft123, Marc Kleine-Budde, Marius Vollmer, Martin Wilck, matoro, Matthias Lisin, Max Gautier, Maxim Mikityanskiy, Michael Biebl, Michal Koutný, Michal Sekletár, Michal Stanke, Mike Gilbert, Mitchell Freiderich, msizanoen1, Nick Rosbrook, nl6720, Oğuz Ersen, Oleg Solovyov, Olga Smirnova, Pablo Ceballos, Pavel Zhukov, Phaedrus Leeds, Philipp Gortan, Piotr Drąg, Pyfisch, Quentin Deslandes, Rahil Bhimjiani, Rene Hollander, Richard Huang, Richard Phibel, Rudi Heitbaum, Sam James, Sarah Brofeldt, Sean Anderson, Sebastian Scheibner, Shreenidhi Shedi, Sonali Srivastava, Steve Ramage, Suraj Krishnan, Swapnil Devesh, Takashi Sakamoto, Ted X. Toth, Temuri Doghonadze, Thomas Blume, Thomas Haller, Thomas Hebb, Tomáš Hnyk, Tomasz Paweł Gajc, Topi Miettinen, Ulrich Ölmann, undef, Uriel Corfa, Victor Westerhuis, Vincent Dagonneau, Vishal Chillara Srinivas, Vito Caputo, Weblate, Wenchao Hao, William Roberts, williamsumendap, wineway, xiaoyang, Yuri Chornoivan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Zhaofeng Li, наб – The Great Beyond, 2022-10-31 👻 CHANGES WITH 251: Backwards-incompatible changes: * The minimum kernel version required has been bumped from 3.13 to 4.15, and CLOCK_BOOTTIME is now assumed to always exist. * C11 with GNU extensions (aka "gnu11") is now used to build our components. Public API headers are still restricted to ISO C89. * In v250, a systemd-networkd feature that automatically configures routes to addresses specified in AllowedIPs= was added and enabled by default. However, this causes network connectivity issues in many existing setups. Hence, it has been disabled by default since systemd-stable 250.3. The feature can still be used by explicitly configuring RouteTable= setting in .netdev files. * Jobs started via StartUnitWithFlags() will no longer return 'skipped' when a Condition*= check does not succeed, restoring the JobRemoved signal to the behaviour it had before v250. * The org.freedesktop.portable1 methods GetMetadataWithExtensions() and GetImageMetadataWithExtensions() have been fixed to provide an extra return parameter, containing the actual extension release metadata. The current implementation was judged to be broken and unusable, and thus the usual procedure of adding a new set of methods was skipped, and backward compatibility broken instead on the assumption that nobody can be affected given the current state of this interface. * All kernels supported by systemd mix bytes returned by RDRAND (or similar) into the entropy pool at early boot. This means that on those systems, even if /dev/urandom is not yet initialized, it still returns bytes that are of at least RDRAND quality. For that reason, we no longer have reason to invoke RDRAND from systemd itself, which has historically been a source of bugs. Furthermore, kernels ≥5.6 provide the getrandom(GRND_INSECURE) interface for returning random bytes before the entropy pool is initialized without warning into kmsg, which is what we attempt to use if available. systemd's direct usage of RDRAND has been removed. x86 systems ≥Broadwell that are running an older kernel may experience kmsg warnings that were not seen with 250. For newer kernels, non-x86 systems, or older x86 systems, there should be no visible changes. * sd-boot will now measure the kernel command line into TPM PCR 12 rather than PCR 8. This improves usefulness of the measurements on systems where sd-boot is chainloaded from Grub. Grub measures all commands its executes into PCR 8, which makes it very hard to use reasonably, hence separate ourselves from that and use PCR 12 instead, which is what certain Ubuntu editions already do. To retain compatibility with systems running older systemd systems a new meson option 'efi-tpm-pcr-compat' has been added (which defaults to false). If enabled, the measurement is done twice: into the new-style PCR 12 *and* the old-style PCR 8. It's strongly advised to migrate all users to PCR 12 for this purpose in the long run, as we intend to remove this compatibility feature in two years' time. * busctl capture now writes output in the newer pcapng format instead of pcap. * A udev rule that imported hwdb matches for USB devices with lowercase hexadecimal vendor/product ID digits was added in systemd 250. This has been reverted, since uppercase hexadecimal digits are supposed to be used, and we already had a rule with the appropriate match. Users might need to adjust their local hwdb entries. * arch_prctl(2) has been moved to the @default set in the syscall filters (as exposed via the SystemCallFilter= setting in service unit files). It is apparently used by the linker now. * The tmpfiles entries that create the /run/systemd/netif directory and its subdirectories were moved from tmpfiles.d/systemd.conf to tmpfiles.d/systemd-network.conf. Users might need to adjust their files that override tmpfiles.d/systemd.conf to account for this change. * The requirement for Portable Services images to contain a well-formed os-release file (i.e.: contain at least an ID field) is now enforced. This applies to base images and extensions, and also to systemd-sysext. Changes in the Boot Loader Specification, kernel-install and sd-boot: * kernel-install's and bootctl's Boot Loader Specification Type #1 entry generation logic has been reworked. The user may now pick explicitly by which "token" string to name the installation's boot entries, via the new /etc/kernel/entry-token file or the new --entry-token= switch to bootctl. By default — as before — the entries are named after the local machine ID. However, in "golden image" environments, where the machine ID shall be initialized on first boot (as opposed to at installation time before first boot) the machine ID will not be available at build time. In this case the --entry-token= switch to bootctl (or the /etc/kernel/entry-token file) may be used to override the "token" for the entries, for example the IMAGE_ID= or ID= fields from /etc/os-release. This will make the OS images independent of any machine ID, and ensure that the images will not carry any identifiable information before first boot, but on the other hand means that multiple parallel installations of the very same image on the same disk cannot be supported. Summary: if you are building golden images that shall acquire identity information exclusively on first boot, make sure to both remove /etc/machine-id *and* to write /etc/kernel/entry-token to the value of the IMAGE_ID= or ID= field of /etc/os-release or another suitable identifier before deploying the image. * The Boot Loader Specification has been extended with /loader/entries.srel file located in the EFI System Partition (ESP) that disambiguates the format of the entries in the /loader/entries/ directory (in order to discern them from incompatible uses of this directory by other projects). For entries that follow the Specification, the string "type1" is stored in this file. bootctl will now write this file automatically when installing the systemd-boot boot loader. * kernel-install supports a new initrd_generator= setting in /etc/kernel/install.conf, that is exported as $KERNEL_INSTALL_INITRD_GENERATOR to kernel-install plugins. This allows choosing different initrd generators. * kernel-install will now create a "staging area" (an initially-empty directory to gather files for a Boot Loader Specification Type #1 entry). The path to this directory is exported as $KERNEL_INSTALL_STAGING_AREA to kernel-install plugins, which should drop files there instead of writing them directly to the final location. kernel-install will move them when all files have been prepared successfully. * New option sort-key= has been added to the Boot Loader Specification to override the sorting order of the entries in the boot menu. It is read by sd-boot and bootctl, and will be written by kernel-install, with the default value of IMAGE_ID= or ID= fields from os-release. Together, this means that on multiboot installations, entries should be grouped and sorted in a predictable way. * The sort order of boot entries has been updated: entries which have the new field sort-key= are sorted by it first, and all entries without it are ordered later. After that, entries are sorted by version so that newest entries are towards the beginning of the list. * The kernel-install tool gained a new 'inspect' verb which shows the paths and other settings used. * sd-boot can now optionally beep when the menu is shown and menu entries are selected, which can be useful on machines without a working display. (Controllable via a loader.conf setting.) * The --make-machine-id-directory= switch to bootctl has been replaced by --make-entry-directory=, given that the entry directory is not necessarily named after the machine ID, but after some other suitable ID as selected via --entry-token= described above. The old name of the option is still understood to maximize compatibility. * 'bootctl list' gained support for a new --json= switch to output boot menu entries in JSON format. * 'bootctl is-installed' now supports the --graceful, and various verbs omit output with the new option --quiet. Changes in systemd-homed: * Starting with v250 systemd-homed uses UID/GID mapping on the mounts of activated home directories it manages (if the kernel and selected file systems support it). So far it mapped three UID ranges: the range from 0…60000, the user's own UID, and the range 60514…65534, leaving everything else unmapped (in other words, the 16-bit UID range is mapped almost fully, with the exception of the UID subrange used for systemd-homed users, with one exception: the user's own UID). Unmapped UIDs may not be used for file ownership in the home directory — any chown() attempts with them will fail. With this release a fourth range is added to these mappings: 524288…1879048191. This range is the UID range intended for container uses, see: https://systemd.io/UIDS-GIDS This range may be used for container managers that place container OS trees in the home directory (which is a questionable approach, for quota, permission, SUID handling and network file system compatibility reasons, but nonetheless apparently commonplace). Note that this mapping is mapped 1:1 in a pass-through fashion, i.e. the UID assignments from the range are not managed or mapped by `systemd-homed`, and must be managed with other mechanisms, in the context of the local system. Typically, a better approach to user namespacing in relevant container managers would be to leave container OS trees on disk at UID offset 0, but then map them to a dynamically allocated runtime UID range via another UID mount map at container invocation time. That way user namespace UID ranges become strictly a runtime concept, and do not leak into persistent file systems, persistent user databases or persistent configuration, thus greatly simplifying handling, and improving compatibility with home directories intended to be portable like the ones managed by systemd-homed. Changes in shared libraries: * A new libsystemd-core-.so private shared library is installed under /usr/lib/systemd/system, mirroring the existing libsystemd-shared-.so library. This allows the total installation size to be reduced by binary code reuse. * The tag used in the name of libsystemd-shared.so and libsystemd-core.so can be configured via the meson option 'shared-lib-tag'. Distributions may build subsequent versions of the systemd package with unique tags (e.g. the full package version), thus allowing multiple installations of those shared libraries to be available at the same time. This is intended to fix an issue where programs that link to those libraries would fail to execute because they were installed earlier or later than the appropriate version of the library. * The sd-id128 API gained a new call sd_id128_to_uuid_string() that is similar to sd_id128_to_string() but formats the ID in RFC 4122 UUID format instead of as a simple series of hex characters. * The sd-device API gained two new calls sd_device_new_from_devname() and sd_device_new_from_path() which permit allocating an sd_device object from a device node name or file system path. * sd-device also gained a new call sd_device_open() which will open the device node associated with a device for which an sd_device object has been allocated. The call is supposed to address races around device nodes being removed/recycled due to hotplug events, or media change events: the call checks internally whether the major/minor of the device node and the "diskseq" (in case of block devices) match with the metadata loaded in the sd_device object, thus ensuring that the device once opened really matches the provided sd_device object. Changes in PID1, systemctl, and systemd-oomd: * A new set of service monitor environment variables will be passed to OnFailure=/OnSuccess= handlers, but only if exactly one unit lists the handler unit as OnFailure=/OnSuccess=. The variables are: $MONITOR_SERVICE_RESULT, $MONITOR_EXIT_CODE, $MONITOR_EXIT_STATUS, $MONITOR_INVOCATION_ID and $MONITOR_UNIT. For cases when a single handler needs to watch multiple units, use a templated handler. * A new ExtensionDirectories= setting in service unit files allows system extensions to be loaded from a directory. (It is similar to ExtensionImages=, but takes paths to directories, instead of disk image files.) 'portablectl attach --extension=' now also accepts directory paths. * The user.delegate and user.invocation_id extended attributes on cgroups are used in addition to trusted.delegate and trusted.invocation_id. The latter pair requires privileges to set, but the former doesn't and can be also set by the unprivileged user manager. (Only supported on kernels ≥5.6.) * Units that were killed by systemd-oomd will now have a service result of 'oom-kill'. The number of times a service was killed is tallied in the 'user.oomd_ooms' extended attribute. The OOMPolicy= unit file setting is now also honoured by systemd-oomd. * In unit files the new %y/%Y specifiers can be used to refer to normalized unit file path, which is particularly useful for symlinked unit files. The new %q specifier resolves to the pretty hostname (i.e. PRETTY_HOSTNAME= from /etc/machine-info). The new %d specifier resolves to the credentials directory of a service (same as $CREDENTIALS_DIRECTORY). * The RootDirectory=, MountAPIVFS=, ExtensionDirectories=, *Capabilities*=, ProtectHome=, *Directory=, TemporaryFileSystem=, PrivateTmp=, PrivateDevices=, PrivateNetwork=, NetworkNamespacePath=, PrivateIPC=, IPCNamespacePath=, PrivateUsers=, ProtectClock=, ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=, MountFlags= service settings now also work in unprivileged user services, i.e. those run by the user's --user service manager, as long as user namespaces are enabled on the system. * Services with Restart=always and a failing ExecCondition= will no longer be restarted, to bring ExecCondition= behaviour in line with Condition*= settings. * LoadCredential= now accepts a directory as the argument; all files from the directory will be loaded as credentials. * A new D-Bus property ControlGroupId is now exposed on service units, that encapsulates the service's numeric cgroup ID that newer kernels assign to each cgroup. * PID 1 gained support for configuring the "pre-timeout" of watchdog devices and the associated governor, via the new RuntimeWatchdogPreSec= and RuntimeWatchdogPreGovernor= configuration options in /etc/systemd/system.conf. * systemctl's --timestamp= option gained a new choice "unix", to show timestamp as unix times, i.e. seconds since 1970, Jan 1st. * A new "taint" flag named "old-kernel" is introduced which is set when the kernel systemd runs on is older then the current baseline version (see above). The flag is shown in "systemctl status" output. * Two additional taint flags "short-uid-range" and "short-gid-range" have been added as well, which are set when systemd notices it is run within a userns namespace that does not define the full 0…65535 UID range * A new "unmerged-usr" taint flag has been added that is set whenever running on systems where /bin/ + /sbin/ are *not* symlinks to their counterparts in /usr/, i.e. on systems where the /usr/-merge has not been completed. * Generators invoked by PID 1 will now have a couple of useful environment variables set describing the execution context a bit. $SYSTEMD_SCOPE encodes whether the generator is called from the system service manager, or from the per-user service manager. $SYSTEMD_IN_INITRD encodes whether the generator is invoked in initrd context or on the host. $SYSTEMD_FIRST_BOOT encodes whether systemd considers the current boot to be a "first" boot. $SYSTEMD_VIRTUALIZATION encode whether virtualization is detected and which type of hypervisor/container manager. $SYSTEMD_ARCHITECTURE indicates which architecture the kernel is built for. * PID 1 will now automatically pick up system credentials from qemu's fw_cfg interface, thus allowing passing arbitrary data into VM systems similar to how this is already supported for passing them into `systemd-nspawn` containers. Credentials may now also be passed in via the new kernel command line option `systemd.set_credential=` (note that kernel command line options are world-readable during runtime, and only useful for credentials that require no confidentiality). The credentials that can be passed to unified kernels that use the `systemd-stub` UEFI stub are now similarly picked up automatically. Automatic importing of system credentials this way can be turned off via the new `systemd.import_credentials=no` kernel command line option. * LoadCredential= will now automatically look for credentials in the /etc/credstore/, /run/credstore/, /usr/lib/credstore/ directories if the argument is not an absolute path. Similarly, LoadCredentialEncrypted= will check the same directories plus /etc/credstore.encrypted/, /run/credstore.encrypted/ and /usr/lib/credstore.encrypted/. The idea is to use those directories as the system-wide location for credentials that services should pick up automatically. * System and service credentials are described in great detail in a new document: https://systemd.io/CREDENTIALS Changes in systemd-journald: * The journal JSON export format has been added to listed of stable interfaces (https://systemd.io/PORTABILITY_AND_STABILITY/). * journalctl --list-boots now supports JSON output and the --reverse option. * Under docs/: JOURNAL_EXPORT_FORMATS was imported from the wiki and updated, BUILDING_IMAGES is new: https://systemd.io/JOURNAL_EXPORT_FORMATS https://systemd.io/BUILDING_IMAGES Changes in udev: * Two new hwdb files have been added. One lists "handhelds" (PDAs, calculators, etc.), the other AV production devices (DJ tables, keypads, etc.) that should accessible to the seat owner user by default. * udevadm trigger gained a new --prioritized-subsystem= option to process certain subsystems (and all their parent devices) earlier. systemd-udev-trigger.service now uses this new option to trigger block and TPM devices first, hopefully making the boot a bit faster. * udevadm trigger now implements --type=all, --initialized-match, --initialized-nomatch to trigger both subsystems and devices, only already-initialized devices, and only devices which haven't been initialized yet, respectively. * udevadm gained a new "wait" command for safely waiting for a specific device to show up in the udev device database. This is useful in scripts that asynchronously allocate a block device (e.g. through repartitioning, or allocating a loopback device or similar) and need to synchronize on the creation to complete. * udevadm gained a new "lock" command for locking one or more block devices while formatting it or writing a partition table to it. It is an implementation of https://systemd.io/BLOCK_DEVICE_LOCKING and usable in scripts dealing with block devices. * udevadm info will show a couple of additional device fields in its output, and will not apply a limited set of coloring to line types. * udevadm info --tree will now show a tree of objects (i.e. devices and suchlike) in the /sys/ hierarchy. * Block devices will now get a new set of device symlinks in /dev/disk/by-diskseq/, which may be used to reference block device nodes via the kernel's "diskseq" value. Note that this does not guarantee that opening a device by a symlink like this will guarantee that the opened device actually matches the specified diskseq value. To be safe against races, the actual diskseq value of the opened device (BLKGETDISKSEQ ioctl()) must still be compred with the one in the symlink path. * .link files gained support for setting MDI/MID-X on a link. * .link files gained support for [Match] Firmware= setting to match on the device firmware description string. By mistake, it was previously only supported in .network files. * .link files gained support for [Link] SR-IOVVirtualFunctions= setting and [SR-IOV] section to configure SR-IOV virtual functions. Changes in systemd-networkd: * The default scope for unicast routes configured through [Route] section is changed to "link", to make the behavior consistent with "ip route" command. The manual configuration of [Route] Scope= is still honored. * A new unit systemd-networkd-wait-online@.service has been added that can be used to wait for a specific network interface to be up. * systemd-networkd gained a new [Bridge] Isolated=true|false setting that configures the eponymous kernel attribute on the bridge. * .netdev files now can be used to create virtual WLAN devices, and configure various settings on them, via the [WLAN] section. * .link/.network files gained support for [Match] Kind= setting to match on device kind ("bond", "bridge", "gre", "tun", "veth", etc.) This value is also shown by 'networkctl status'. * The Local= setting in .netdev files for various virtual network devices gained support for specifying, in addition to the network address, the name of a local interface which must have the specified address. * systemd-networkd gained a new [Tunnel] External= setting in .netdev files, to configure tunnels in external mode (a.k.a. collect metadata mode). * [Network] L2TP= setting was removed. Please use interface specifier in Local= setting in .netdev files of corresponding L2TP interface. * New [DHCPServer] BootServerName=, BootServerAddress=, and BootFilename= settings can be used to configure the server address, server name, and file name sent in the DHCP packet (e.g. to configure PXE boot). Changes in systemd-resolved: * systemd-resolved is started earlier (in sysinit.target), so it available earlier and will also be started in the initrd if installed there. Changes in disk encryption: * systemd-cryptenroll can now control whether to require the user to enter a PIN when using TPM-based unlocking of a volume via the new --tpm2-with-pin= option. Option tpm2-pin= can be used in /etc/crypttab. * When unlocking devices via TPM, TPM2 parameter encryption is now used, to ensure that communication between CPU and discrete TPM chips cannot be eavesdropped to acquire disk encryption keys. * A new switch --fido2-credential-algorithm= has been added to systemd-cryptenroll allowing selection of the credential algorithm to use when binding encryption to FIDO2 tokens. Changes in systemd-hostnamed: * HARDWARE_VENDOR= and HARDWARE_MODEL= can be set in /etc/machine-info to override the values gleaned from the hwdb. * A ID_CHASSIS property can be set in the hwdb (for the DMI device /sys/class/dmi/id) to override the chassis that is reported by hostnamed. * hostnamed's D-Bus interface gained a new method GetHardwareSerial() for reading the hardware serial number, as reportd by DMI. It also exposes a new method D-Bus property FirmwareVersion that encode the firmware version of the system. Changes in other components: * /etc/locale.conf is now populated through tmpfiles.d factory /etc/ handling with the values that were configured during systemd build (if /etc/locale.conf has not been created through some other mechanism). This means that /etc/locale.conf should always have reasonable contents and we avoid a potential mismatch in defaults. * The userdbctl tool will now show UID range information as part of the list of known users. * A new build-time configuration setting default-user-shell= can be used to set the default shell for user records and nspawn shell invocations (instead of the default /bin/bash). * systemd-timesyncd now provides a D-Bus API for receiving NTP server information dynamically at runtime via IPC. * The systemd-creds tool gained a new "has-tpm2" verb, which reports whether a functioning TPM2 infrastructure is available, i.e. if firmware, kernel driver and systemd all have TPM2 support enabled and a device found. * The systemd-creds tool gained support for generating encrypted credentials that are using an empty encryption key. While this provides no integrity nor confidentiality it's useful to implement codeflows that work the same on TPM-ful and TPM2-less systems. The service manager will only accept credentials "encrypted" that way if a TPM2 device cannot be detected, to ensure that credentials "encrypted" like that cannot be used to trick TPM2 systems. * When deciding whether to colorize output, all systemd programs now also check $COLORTERM (in addition to $NO_COLOR, $SYSTEMD_COLORS, and $TERM). * Meson's new install_tag feature is now in use for several components, allowing to build and install select binaries only: pam, nss, devel (pkg-config files), systemd-boot, libsystemd, libudev. Example: $ meson build systemd-boot $ meson install --tags systemd-boot --no-rebuild https://mesonbuild.com/Installing.html#installation-tags * A new build configuration option has been added, to allow selecting the default compression algorithm used by systemd-journald and systemd-coredump. This allows to build-in support for decompressing all supported formats, but choose a specific one for compression. E.g.: $ meson -Ddefault-compression=xz Experimental features: * sd-boot gained a new *experimental* setting "reboot-for-bitlocker" in loader.conf that implements booting Microsoft Windows from the sd-boot in a way that first reboots the system, to reset the TPM PCRs. This improves compatibility with BitLocker's TPM use, as the PCRs will only record the Windows boot process, and not sd-boot itself, thus retaining the PCR measurements not involving sd-boot. Note that this feature is experimental for now, and is likely going to be generalized and renamed in a future release, without retaining compatibility with the current implementation. * A new systemd-sysupdate component has been added that automatically discovers, downloads, and installs A/B-style updates for the host installation itself, or container images, portable service images, and other assets. See the new systemd-sysupdate man page for updates. Contributions from: 4piu, Adam Williamson, adrian5, Albert Brox, AlexCatze, Alex Henrie, Alfonso Sánchez-Beato, Alice S, Alvin Šipraga, amarjargal, Amarjargal, Andrea Pappacoda, Andreas Rammhold, Andy Chi, Anita Zhang, Antonio Alvarez Feijoo, Arfrever Frehtes Taifersar Arahesis, ash, Bastien Nocera, Be, bearhoney, Ben Efros, Benjamin Berg, Benjamin Franzke, Brett Holman, Christian Brauner, Clyde Byrd III, Curtis Klein, Daan De Meyer, Daniele Medri, Daniel Mack, Danilo Krummrich, David, David Bond, Davide Cavalca, David Tardon, davijosw, dependabot[bot], Donald Chan, Dorian Clay, Eduard Tolosa, Elias Probst, Eli Schwartz, Erik Sjölund, Evgeny Vereshchagin, Federico Ceratto, Franck Bui, Frantisek Sumsal, Gaël PORTAY, Georges Basile Stavracas Neto, Gibeom Gwon, Goffredo Baroncelli, Grigori Goronzy, Hans de Goede, Heiko Becker, Hugo Carvalho, Jakob Lell, James Hilliard, Jan Janssen, Jason A. Donenfeld, Joan Bruguera, Joerie de Gram, Josh Triplett, Julia Kartseva, Kazuo Moriwaka, Khem Raj, ksa678491784, Lance, Lan Tian, Laura Barcziova, Lennart Poettering, Leviticoh, licunlong, Lidong Zhong, lincoln auster, Lubomir Rintel, Luca Boccassi, Luca BRUNO, lucagoc, Ludwig Nussel, Marcel Hellwig, march1993, Marco Scardovi, Mario Limonciello, Mariusz Tkaczyk, Markus Weippert, Martin, Martin Liska, Martin Wilck, Matija Skala, Matthew Blythe, Matthias Lisin, Matthijs van Duin, Matt Walton, Max Gautier, Michael Biebl, Michael Olbrich, Michal Koutný, Michal Sekletár, Mike Gilbert, MkfsSion, Morten Linderud, Nick Rosbrook, Nikolai Grigoriev, Nikolai Kostrigin, Nishal Kulkarni, Noel Kuntze, Pablo Ceballos, Peter Hutterer, Peter Morrow, Pigmy-penguin, Piotr Drąg, prumian, Richard Neill, Rike-Benjamin Schuppner, rodin-ia, Romain Naour, Ruben Kerkhof, Ryan Hendrickson, Santa Wiryaman, Sebastian Pucilowski, Seth Falco, Simon Ellmann, Sonali Srivastava, Stefan Seering, Stephen Hemminger, tawefogo, techtino, Temuri Doghonadze, Thomas Batten, Thomas Haller, Thomas Weißschuh, Tobias Stoeckmann, Tomasz Pala, Tyson Whitehead, Vishal Chillara Srinivas, Vivien Didelot, w30023233, wangyuhang, Weblate, Xiaotian Wu, yangmingtai, YmrDtnJu, Yonathan Randolph, Yutsuten, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, наб — Edinburgh, 2022-05-21 CHANGES WITH 250: * Support for encrypted and authenticated credentials has been added. This extends the credential logic introduced with v247 to support non-interactive symmetric encryption and authentication, based on a key that is stored on the /var/ file system or in the TPM2 chip (if available), or the combination of both (by default if a TPM2 chip exists the combination is used, otherwise the /var/ key only). The credentials are automatically decrypted at the moment a service is started, and are made accessible to the service itself in unencrypted form. A new tool 'systemd-creds' encrypts credentials for this purpose, and two new service file settings LoadCredentialEncrypted= and SetCredentialEncrypted= configure such credentials. This feature is useful to store sensitive material such as SSL certificates, passwords and similar securely at rest and only decrypt them when needed, and in a way that is tied to the local OS installation or hardware. * systemd-gpt-auto-generator can now automatically set up discoverable LUKS2 encrypted swap partitions. * The GPT Discoverable Partitions Specification has been substantially extended with support for root and /usr/ partitions for the majority of architectures systemd supports. This includes platforms that do not natively support UEFI, because even though GPT is specified under UEFI umbrella, it is useful on other systems too. Specifically, systemd-nspawn, systemd-sysext, systemd-gpt-auto-generator and Portable Services use the concept without requiring UEFI. * The GPT Discoverable Partitions Specifications has been extended with a new set of partitions that may carry PKCS#7 signatures for Verity partitions, encoded in a simple JSON format. This implements a simple mechanism for building disk images that are fully authenticated and can be tested against a set of cryptographic certificates. This is now implemented for the various systemd tools that can operate with disk images, such as systemd-nspawn, systemd-sysext, systemd-dissect, Portable services/RootImage=, systemd-tmpfiles, and systemd-sysusers. The PKCS#7 signatures are passed to the kernel (where they are checked against certificates from the kernel keyring), or can be verified against certificates provided in userspace (via a simple drop-in file mechanism). * systemd-dissect's inspection logic will now report for which uses a disk image is intended. Specifically, it will display whether an image is suitable for booting on UEFI or in a container (using systemd-nspawn's --image= switch), whether it can be used as portable service, or attached as system extension. * The system-extension.d/ drop-in files now support a new field SYSEXT_SCOPE= that may encode which purpose a system extension image is for: one of "initrd", "system" or "portable". This is useful to make images more self-descriptive, and to ensure system extensions cannot be attached in the wrong contexts. * The os-release file learnt a new PORTABLE_PREFIXES= field which may be used in portable service images to indicate which unit prefixes are supported. * The GPT image dissection logic in systemd-nspawn/systemd-dissect/… now is able to decode images for non-native architectures as well. This allows systemd-nspawn to boot images of non-native architectures if the corresponding user mode emulator is installed and systemd-binfmtd is running. * systemd-logind gained new settings HandlePowerKeyLongPress=, HandleRebootKeyLongPress=, HandleSuspendKeyLongPress= and HandleHibernateKeyLongPress= which may be used to configure actions when the relevant keys are pressed for more than 5s. This is useful on devices that only have hardware for a subset of these keys. By default, if the reboot key is pressed long the poweroff operation is now triggered, and when the suspend key is pressed long the hibernate operation is triggered. Long pressing the other two keys currently does not trigger any operation by default. * When showing unit status updates on the console during boot and shutdown, and a service is slow to start so that the cylon animation is shown, the most recent sd_notify() STATUS= text is now shown as well. Services may use this to make the boot/shutdown output easier to understand, and to indicate what precisely a service that is slow to start or stop is waiting for. In particular, the per-user service manager instance now reports what it is doing and which service it is waiting for this way to the system service manager. * The service manager will now re-execute on reception of the SIGRTMIN+25 signal. It previously already did that on SIGTERM — but only when running as PID 1. There was no signal to request this when running as per-user service manager, i.e. as any other PID than 1. SIGRTMIN+25 works for both system and user managers. * The hardware watchdog logic in PID 1 gained support for operating with the default timeout configured in the hardware, instead of insisting on re-configuring it. Set RuntimeWatchdogSec=default to request this behavior. * A new kernel command line option systemd.watchdog_sec= is now understood which may be used to override the hardware watchdog time-out for the boot. * A new setting DefaultOOMScoreAdjust= is now supported in /etc/systemd/system.conf and /etc/systemd/user.conf. It may be used to set the default process OOM score adjustment value for processes started by the service manager. For per-user service managers this now defaults to 100, but for per-system service managers is left as is. This means that by default now services forked off the user service manager are more likely to be killed by the OOM killer than system services or the managers themselves. * A new per-service setting RestrictFileSystems= as been added that restricts the file systems a service has access to by their type. This is based on the new BPF LSM of the Linux kernel. It provides an effective way to make certain API file systems unavailable to services (and thus minimizing attack surface). A new command "systemd-analyze filesystems" has been added that lists all known file system types (and how they are grouped together under useful group handles). * Services now support a new setting RestrictNetworkInterfaces= for restricting access to specific network interfaces. * Service unit files gained new settings StartupAllowedCPUs= and StartupAllowedMemoryNodes=. These are similar to their counterparts without the "Startup" prefix and apply during the boot process only. This is useful to improve boot-time behavior of the system and assign resources differently during boot than during regular runtime. This is similar to the preexisting StartupCPUWeight= vs. CPUWeight. * Related to this: the various StartupXYZ= settings (i.e. StartupCPUWeight=, StartupAllowedCPUs=, …) are now also applied during shutdown. The settings not prefixed with "Startup" hence apply during regular runtime, and those that are prefixed like that apply during boot and shutdown. * A new per-unit set of conditions/asserts [Condition|Assert][Memory|CPU|IO]Pressure= have been added to make a unit skip/fail activation if the system's (or a slice's) memory/cpu/io pressure is above the configured threshold, using the kernel PSI feature. For more details see systemd.unit(5) and https://docs.kernel.org/accounting/psi.html * The combination of ProcSubset=pid and ProtectKernelTunables=yes and/or ProtectKernelLogs=yes can now be used. * The default maximum numbers of inodes have been raised from 64k to 1M for /dev/, and from 400k to 1M for /tmp/. * The per-user service manager learnt support for communicating with systemd-oomd to acquire OOM kill information. * A new service setting ExecSearchPath= has been added that allows changing the search path for executables for services. It affects where we look for the binaries specified in ExecStart= and similar, and the specified directories are also added the $PATH environment variable passed to invoked processes. * A new setting RuntimeRandomizedExtraSec= has been added for service and scope units that allows extending the runtime time-out as configured by RuntimeMaxSec= with a randomized amount. * The syntax of the service unit settings RuntimeDirectory=, StateDirectory=, CacheDirectory=, LogsDirectory= has been extended: if the specified value is now suffixed with a colon, followed by another filename, the latter will be created as symbolic link to the specified directory. This allows creating these service directories together with alias symlinks to make them available under multiple names. * Service unit files gained two new settings TTYRows=/TTYColumns= for configuring rows/columns of the TTY device passed to stdin/stdout/stderr of the service. This is useful to propagate TTY dimensions to a virtual machine. * A new service unit file setting ExitType= has been added that specifies when to assume a service has exited. By default systemd only watches the main process of a service. By setting ExitType=cgroup it can be told to wait for the last process in a cgroup instead. * Automount unit files gained a new setting ExtraOptions= that can be used to configure additional mount options to pass to the kernel when mounting the autofs instance. * "Urlification" (generation of ESC sequences that generate clickable hyperlinks in modern terminals) may now be turned off altogether during build-time. * Path units gained new TriggerLimitBurst= and TriggerLimitIntervalSec= settings that default to 200 and 2 s respectively. The ratelimit ensures that a path unit cannot cause PID1 to busy-loop when it is trying to trigger a service that is skipped because of a Condition*= not being satisfied. This matches the configuration and behaviour of socket units. * The TPM2/FIDO2/PKCS11 support in systemd-cryptsetup is now also built as a plug-in for cryptsetup. This means the plain cryptsetup command may now be used to unlock volumes set up this way. * The TPM2 logic in cryptsetup will now automatically detect systems where the TPM2 chip advertises SHA256 PCR banks but the firmware only updates the SHA1 banks. In such a case PCR policies will be automatically bound to the latter, not the former. This makes the PCR policies reliable, but of course do not provide the same level of trust as SHA256 banks. * The TPM2 logic in systemd-cryptsetup/systemd-cryptsetup now supports RSA primary keys in addition to ECC, improving compatibility with TPM2 chips that do not support ECC. RSA keys are much slower to use than ECC, and hence are only used if ECC is not available. * /etc/crypttab gained support for a new token-timeout= setting for encrypted volumes that allows configuration of the maximum time to wait for PKCS#11/FIDO2 tokens to be plugged in. If the time elapses the logic will query the user for a regular passphrase/recovery key instead. * Support for activating dm-integrity volumes at boot via a new file /etc/integritytab and the tool systemd-integritysetup have been added. This is similar to /etc/crypttab and /etc/veritytab, but deals with dm-integrity instead of dm-crypt/dm-verity. * The systemd-veritysetup-generator now understands a new usrhash= kernel command line option for specifying the Verity root hash for the partition backing the /usr/ file system. A matching set of systemd.verity_usr_* kernel command line options has been added as well. These all work similar to the corresponding options for the root partition. * The sd-device API gained a new API call sd_device_get_diskseq() to return the DISKSEQ property of a device structure. The "disk sequence" concept is a new feature recently introduced to the Linux kernel that allows detecting reuse cycles of block devices, i.e. can be used to recognize when loopback block devices are reused for a different purpose or CD-ROM drives get their media changed. * A new unit systemd-boot-update.service has been added. If enabled (the default) and the sd-boot loader is detected to be installed, it is automatically updated to the newest version when out of date. This is useful to ensure the boot loader remains up-to-date, and updates automatically propagate from the OS tree in /usr/. * sd-boot will now build with SBAT by default in order to facilitate working with recent versions of Shim that require it to be present. * sd-boot can now parse Microsoft Windows' Boot Configuration Data. This is used to robustly generate boot entry titles for Windows. * A new generic target unit factory-reset.target has been added. It is hooked into systemd-logind similar in fashion to reboot/poweroff/suspend/hibernate, and is supposed to be used to initiate a factory reset operation. What precisely this operation entails is up for the implementer to decide, the primary goal of the new unit is provide a framework where to plug in the implementation and how to trigger it. * A new meson build-time option 'clock-valid-range-usec-max' has been added which takes a time in µs and defaults to 15 years. If the RTC time is noticed to be more than the specified time ahead of the built-in epoch of systemd (which by default is the release timestamp of systemd) it is assumed that the RTC is not working correctly, and the RTC is reset to the epoch. (It already is reset to the epoch when noticed to be before it.) This should increase the chance that time doesn't accidentally jump too far ahead due to faulty hardware or batteries. * A new setting SaveIntervalSec= has been added to systemd-timesyncd, which may be used to automatically save the current system time to disk in regular intervals. This is useful to maintain a roughly monotonic clock even without RTC hardware and with some robustness against abnormal system shutdown. * systemd-analyze verify gained support for a pair of new --image= + --root= switches for verifying units below a specific root directory/image instead of on the host. * systemd-analyze verify gained support for verifying unit files under an explicitly specified unit name, independently of what the filename actually is. * systemd-analyze verify gained a new switch --recursive-errors= which controls whether to only fail on errors found in the specified units or recursively any dependent units. * systemd-analyze security now supports a new --offline mode for analyzing unit files stored on disk instead of loaded units. It may be combined with --root=/--image to analyze unit files under a root directory or disk image. It also learnt a new --threshold= parameter for specifying an exposure level threshold: if the exposure level exceeds the specified value the call will fail. It also gained a new --security-policy= switch for configuring security policies to enforce on the units. A policy is a JSON file that lists which tests shall be weighted how much to determine the overall exposure level. Altogether these new features are useful for fully automatic analysis and enforcement of security policies on unit files. * systemd-analyze security gain a new --json= switch for JSON output. * systemd-analyze learnt a new --quiet switch for reducing non-essential output. It's honored by the "dot", "syscall-filter", "filesystems" commands. * systemd-analyze security gained a --profile= option that can be used to take into account a portable profile when analyzing portable services, since a lot of the security-related settings are enabled through them. * systemd-analyze learnt a new inspect-elf verb that parses ELF core files, binaries and executables and prints metadata information, including the build-id and other info described on: https://systemd.io/COREDUMP_PACKAGE_METADATA/ * .network files gained a new UplinkInterface= in the [IPv6SendRA] section, for automatically propagating DNS settings from other interfaces. * The static lease DHCP server logic in systemd-networkd may now serve IP addresses outside of the configured IP pool range for the server. * CAN support in systemd-networkd gained four new settings Loopback=, OneShot=, PresumeAck=, ClassicDataLengthCode= for tweaking CAN control modes. It gained a number of further settings for tweaking CAN timing quanta. * The [CAN] section in .network file gained new TimeQuantaNSec=, PropagationSegment=, PhaseBufferSegment1=, PhaseBufferSegment2=, SyncJumpWidth=, DataTimeQuantaNSec=, DataPropagationSegment=, DataPhaseBufferSegment1=, DataPhaseBufferSegment2=, and DataSyncJumpWidth= settings to control bit-timing processed by the CAN interface. * DHCPv4 client support in systemd-networkd learnt a new Label= option for configuring the address label to apply to configure IPv4 addresses. * The [IPv6AcceptRA] section of .network files gained support for a new UseMTU= setting that may be used to control whether to apply the announced MTU settings to the local interface. * The [DHCPv4] section in .network file gained a new Use6RD= boolean setting to control whether the DHCPv4 client request and process the DHCP 6RD option. * The [DHCPv6PrefixDelegation] section in .network file is renamed to [DHCPPrefixDelegation], as now the prefix delegation is also supported with DHCPv4 protocol by enabling the Use6RD= setting. * The [DHCPPrefixDelegation] section in .network file gained a new setting UplinkInterface= to specify the upstream interface. * The [DHCPv6] section in .network file gained a new setting UseDelegatedPrefix= to control whether the delegated prefixes will be propagated to the downstream interfaces. * The [IPv6AcceptRA] section of .network files now understands two new settings UseGateway=/UseRoutePrefix= for explicitly configuring whether to use the relevant fields from the IPv6 Router Advertisement records. * The ForceDHCPv6PDOtherInformation= setting in the [DHCPv6] section has been removed. Please use the WithoutRA= and UseDelegatedPrefix= settings in the [DHCPv6] section and the DHCPv6Client= setting in the [IPv6AcceptRA] section to control when the DHCPv6 client is started and how the delegated prefixes are handled by the DHCPv6 client. * The IPv6Token= section in the [Network] section is deprecated, and the [IPv6AcceptRA] section gained the Token= setting for its replacement. The [IPv6Prefix] section also gained the Token= setting. The Token= setting gained 'eui64' mode to explicitly configure an address with the EUI64 algorithm based on the interface MAC address. The 'prefixstable' mode can now optionally take a secret key. The Token= setting in the [DHCPPrefixDelegation] section now supports all algorithms supported by the same settings in the other sections. * The [RoutingPolicyRule] section of .network file gained a new SuppressInterfaceGroup= setting. * The IgnoreCarrierLoss= setting in the [Network] section of .network files now allows a duration to be specified, controlling how long to wait before reacting to carrier loss. * The [DHCPServer] section of .network file gained a new Router= setting to specify the router address. * The [CAKE] section of .network files gained various new settings AutoRateIngress=, CompensationMode=, FlowIsolationMode=, NAT=, MPUBytes=, PriorityQueueingPreset=, FirewallMark=, Wash=, SplitGSO=, and UseRawPacketSize= for configuring CAKE. * systemd-networkd now ships with new default .network files: 80-container-vb.network which matches host-side network bridge device created by systemd-nspawn's --network-bridge or --network-zone switch, and 80-6rd-tunnel.network which matches automatically created sit tunnel with 6rd prefix when the DHCP 6RD option is received. * systemd-networkd's handling of Endpoint= resolution for WireGuard interfaces has been improved. * systemd-networkd will now automatically configure routes to addresses specified in AllowedIPs=. This feature can be controlled via RouteTable= and RouteMetric= settings in [WireGuard] or [WireGuardPeer] sections. * systemd-networkd will now once again automatically generate persistent MAC addresses for batadv and bridge interfaces. Users can disable this by using MACAddress=none in .netdev files. * systemd-networkd and systemd-udevd now support IP over InfiniBand interfaces. The Kind= setting in .netdev file accepts "ipoib". And systemd.netdev files gained the [IPoIB] section. * systemd-networkd and systemd-udevd now support net.ifname_policy= option on the kernel command-line. This is implemented through the systemd-network-generator service that automatically generates appropriate .link, .network, and .netdev files. * The various systemd-udevd "ethtool" buffer settings now understand the special value "max" to configure the buffers to the maximum the hardware supports. * systemd-udevd's .link files may now configure a large variety of NIC coalescing settings, plus more hardware offload settings. * .link files gained a new WakeOnLanPassword= setting in the [Link] section that allows to specify a WoL "SecureOn" password on hardware that supports this. * systemd-nspawn's --setenv= switch now supports an additional syntax: if only a variable name is specified (i.e. without being suffixed by a '=' character and a value) the current value of the environment variable is propagated to the container. e.g. --setenv=FOO will lookup the current value of $FOO in the environment, and pass it down to the container. Similar behavior has been added to homectl's, machinectl's and systemd-run's --setenv= switch. * systemd-nspawn gained a new switch --suppress-sync= which may be used to optionally suppress the effect of the sync()/fsync()/fdatasync() system calls for the container payload. This is useful for build system environments where safety against abnormal system shutdown is not essential as all build artifacts can be regenerated any time, but the performance win is beneficial. * systemd-nspawn will now raise the RLIMIT_NOFILE hard limit to the same value that PID 1 uses for most forked off processes. * systemd-nspawn's --bind=/--bind-ro= switches now optionally take uidmap/nouidmap options as last parameter. If "uidmap" is used the bind mounts are created with UID mapping taking place that ensures the host's file ownerships are mapped 1:1 to container file ownerships, even if user namespacing is used. This way files/directories bound into containers will no longer show up as owned by the nobody user as they typically did if no special care was taken to shift them manually. * When discovering Windows installations sd-boot will now attempt to show the Windows version. * The color scheme to use in sd-boot may now be configured at build-time. * sd-boot gained the ability to change screen resolution during boot-time, by hitting the "r" key. This will cycle through available resolutions and save the last selection. * sd-boot learnt a new hotkey "f". When pressed the system will enter firmware setup. This is useful in environments where it is difficult to hit the right keys early enough to enter the firmware, and works on any firmware regardless which key it natively uses. * sd-boot gained support for automatically booting into the menu item selected on the last boot (using the "@saved" identifier for menu items). * sd-boot gained support for automatically loading all EFI drivers placed in the /EFI/systemd/drivers/ subdirectory of the EFI System Partition (ESP). These drivers are loaded before the menu entries are loaded. This is useful e.g. to load additional file system drivers for the XBOOTLDR partition. * systemd-boot will now paint the input cursor on its own instead of relying on the firmware to do so, increasing compatibility with broken firmware that doesn't make the cursor reasonably visible. * sd-boot now embeds a .osrel PE section like we expect from Boot Loader Specification Type #2 Unified Kernels. This means sd-boot itself may be used in place of a Type #2 Unified Kernel. This is useful for debugging purposes as it allows chain-loading one a (development) sd-boot instance from another. * sd-boot now supports a new "devicetree" field in Boot Loader Specification Type #1 entries: if configured the specified device tree file is installed before the kernel is invoked. This is useful for installing/applying new devicetree files without updating the kernel image. * Similarly, sd-stub now can read devicetree data from a PE section ".dtb" and apply it before invoking the kernel. * sd-stub (the EFI stub that can be glued in front of a Linux kernel) gained the ability to pick up credentials and sysext files, wrap them in a cpio archive, and pass as an additional initrd to the invoked Linux kernel, in effect placing those files in the /.extra/ directory of the initrd environment. This is useful to implement trusted initrd environments which are fully authenticated but still can be extended (via sysexts) and parameterized (via encrypted/authenticated credentials, see above). Credentials can be located next to the kernel image file (credentials specific to a single boot entry), or in one of the shared directories (credentials applicable to multiple boot entries). * sd-stub now comes with a full man page, that explains its feature set and how to combine a kernel image, an initrd and the stub to build a complete EFI unified kernel image, implementing Boot Loader Specification Type #2. * sd-stub may now provide the initrd to the executed kernel via the LINUX_EFI_INITRD_MEDIA_GUID EFI protocol, adding compatibility for non-x86 architectures. * bootctl learnt new set-timeout and set-timeout-oneshot commands that may be used to set the boot menu time-out of the boot loader (for all or just the subsequent boot). * bootctl and kernel-install will now read variables KERNEL_INSTALL_LAYOUT= from /etc/machine-info and layout= from /etc/kernel/install.conf. When set, it specifies the layout to use for installation directories on the boot partition, so that tools don't need to guess it based on the already-existing directories. The only value that is defined natively is "bls", corresponding to the layout specified in https://systemd.io/BOOT_LOADER_SPECIFICATION/. Plugins for kernel-install that implement a different layout can declare other values for this variable. 'bootctl install' will now write KERNEL_INSTALL_LAYOUT=bls, on the assumption that if the user installed sd-boot to the ESP, they intend to use the entry layout understood by sd-boot. It'll also write KERNEL_INSTALL_MACHINE_ID= if it creates any directories using the ID (and it wasn't specified in the config file yet). Similarly, kernel-install will now write KERNEL_INSTALL_MACHINE_ID= (if it wasn't specified in the config file yet). Effectively, those changes mean that the machine-id used for boot loader entry installation is "frozen" upon first use and becomes independent of the actual machine-id. Configuring KERNEL_INSTALL_MACHINE_ID fixes the following problem: images created for distribution ("golden images") are built with no machine-id, so that a unique machine-id can be created on the first boot. But those images may contain boot loader entries with the machine-id used during build included in paths. Using a "frozen" value allows unambiguously identifying entries that match the specific installation, while still permitting parallel installations without conflict. Configuring KERNEL_INSTALL_LAYOUT obviates the need for kernel-install to guess the installation layout. This fixes the problem where a (possibly empty) directory in the boot partition is created from a different layout causing kernel-install plugins to assume the wrong layout. A particular example of how this may happen is the grub2 package in Fedora which includes directories under /boot directly in its file list. Various other packages pull in grub2 as a dependency, so it may be installed even if unused, breaking installations that use the bls layout. * bootctl and systemd-bless-boot can now be linked statically. * systemd-sysext now optionally doesn't insist on extension-release.d/ files being placed in the image under the image's file name. If the file system xattr user.extension-release.strict is set on the extension release file, it is accepted regardless of its name. This relaxes security restrictions a bit, as system extension may be attached under a wrong name this way. * udevadm's test-builtin command learnt a new --action= switch for testing the built-in with the specified action (in place of the default 'add'). * udevadm info gained new switches --property=/--value for showing only specific udev properties/values instead of all. * A new hwdb database has been added that contains matches for various types of signal analyzers (protocol analyzers, logic analyzers, oscilloscopes, multimeters, bench power supplies, etc.) that should be accessible to regular users. * A new hwdb database entry has been added that carries information about types of cameras (regular or infrared), and in which direction they point (front or back). * A new rule to allow console users access to rfkill by default has been added to hwdb. * Device nodes for the Software Guard eXtension enclaves (sgx_vepc) are now also owned by the system group "sgx". * A new build-time meson option "extra-net-naming-schemes=" has been added to define additional naming schemes for udev's network interface naming logic. This is useful for enterprise distributions and similar which want to pin the schemes of certain distribution releases under a specific name and previously had to patch the sources to introduce new named schemes. * The predictable naming logic for network interfaces has been extended to generate stable names from Xen netfront device information. * hostnamed's chassis property can now be sourced from chassis-type field encoded in devicetree (in addition to the existing DMI support). * systemd-cgls now optionally displays cgroup IDs and extended attributes for each cgroup. (Controllable via the new --xattr= + --cgroup-id= switches.) * coredumpctl gained a new --all switch for operating on all Journal files instead of just the local ones. * systemd-coredump will now use libdw/libelf via dlopen() rather than directly linking, allowing users to easily opt-out of backtrace/metadata analysis of core files, and reduce image sizes when this is not needed. * systemd-coredump will now analyze core files with libdw/libelf in a forked, sandboxed process. * systemd-homed will now try to unmount an activate home area in regular intervals once the user logged out fully. Previously this was attempted exactly once but if the home directory was busy for some reason it was not tried again. * systemd-homed's LUKS2 home area backend will now create a BSD file system lock on the image file while the home area is active (i.e. mounted). If a home area is found to be locked, logins are politely refused. This should improve behavior when using home areas images that are accessible via the network from multiple clients, and reduce the chance of accidental file system corruption in that case. * Optionally, systemd-homed will now drop the kernel buffer cache once a user has fully logged out, configurable via the new --drop-caches= homectl switch. * systemd-homed now makes use of UID mapped mounts for the home areas. If the kernel and used file system support it, files are now internally owned by the "nobody" user (i.e. the user typically used for indicating "this ownership is not mapped"), and dynamically mapped to the UID used locally on the system via the UID mapping mount logic of recent kernels. This makes migrating home areas between different systems cheaper because recursively chown()ing file system trees is no longer necessary. * systemd-homed's CIFS backend now optionally supports CIFS service names with a directory suffix, in order to place home directories in a subdirectory of a CIFS share, instead of the top-level directory. * systemd-homed's CIFS backend gained support for specifying additional mount options in the JSON user record (cifsExtraMountOptions field, and --cifs-extra-mount-options= homectl switch). This is for example useful for configuring mount options such as "noserverino" that some SMB3 services require (use that to run a homed home directory from a FritzBox SMB3 share this way). * systemd-homed will now default to btrfs' zstd compression for home areas. This is inspired by Fedora's recent decision to switch to zstd by default. * Additional mount options to use when mounting the file system of LUKS2 volumes in systemd-homed has been added. Via the $SYSTEMD_HOME_MOUNT_OPTIONS_BTRFS, $SYSTEMD_HOME_MOUNT_OPTIONS_EXT4, $SYSTEMD_HOME_MOUNT_OPTIONS_XFS environment variables to systemd-homed or via the luksExtraMountOptions user record JSON property. (Exposed via homectl --luks-extra-mount-options) * homectl's resize command now takes the special size specifications "min" and "max" to shrink/grow the home area to the minimum/maximum size possible, taking disk usage/space constraints and file system limitations into account. Resizing is now generally graceful: the logic will try to get as close to the specified size as possible, but not consider it a failure if the request couldn't be fulfilled precisely. * systemd-homed gained the ability to automatically shrink home areas on logout to their minimal size and grow them again on next login. This ensures that while inactive, a home area only takes up the minimal space necessary, but once activated, it provides sufficient space for the user's needs. This behavior is only supported if btrfs is used as file system inside the home area (because only for btrfs online growing/shrinking is implemented in the kernel). This behavior is now enabled by default, but may be controlled via the new --auto-resize-mode= setting of homectl. * systemd-homed gained support for automatically re-balancing free disk space among active home areas, in case the LUKS2 backends are used, and no explicit disk size was requested. This way disk space is automatically managed and home areas resized in regular intervals and manual resizing when disk space becomes scarce should not be necessary anymore. This behavior is only supported if btrfs is used within the home areas (as only then online shrinking and growing is supported), and may be configured via the new rebalanceWeight JSON user record field (as exposed via the new --rebalance-weight= homectl setting). Re-balancing is mostly automatic, but can also be requested explicitly via "homectl rebalance", which is synchronous, and thus may be used to wait until the rebalance run is complete. * userdbctl gained a --json= switch for configured the JSON formatting to use when outputting user or group records. * userdbctl gained a new --multiplexer= switch for explicitly configuring whether to use the systemd-userdbd server side user record resolution logic. * userdbctl's ssh-authorized-keys command learnt a new --chain switch, for chaining up another command to execute after completing the look-up. Since the OpenSSH's AuthorizedKeysCommand only allows configuration of a single command to invoke, this maybe used to invoke multiple: first userdbctl's own implementation, and then any other also configured in the command line. * The sd-event API gained a new function sd_event_add_inotify_fd() that is similar to sd_event_add_inotify() but accepts a file descriptor instead of a path in the file system for referencing the inode to watch. * The sd-event API gained a new function sd_event_source_set_ratelimit_expire_callback() that may be used to define a callback function that is called whenever an event source leaves the rate limiting phase. * New documentation has been added explaining which steps are necessary to port systemd to a new architecture: https://systemd.io/PORTING_TO_NEW_ARCHITECTURES * The x-systemd.makefs option in /etc/fstab now explicitly supports ext2, ext3, and f2fs file systems. * Mount units and units generated from /etc/fstab entries with 'noauto' are now ordered the same as other units. Effectively, they will be started earlier (if something actually pulled them in) and stopped later, similarly to normal mount units that are part of fs-local.target. This change should be invisible to users, but should prevent those units from being stopped too early during shutdown. * The systemd-getty-generator now honors a new kernel command line argument systemd.getty_auto= and a new environment variable $SYSTEMD_GETTY_AUTO that allows turning it off at boot. This is for example useful to turn off gettys inside of containers or similar environments. * systemd-resolved now listens on a second DNS stub address: 127.0.0.54 (in addition to 127.0.0.53, as before). If DNS requests are sent to this address they are propagated in "bypass" mode only, i.e. are almost not processed locally, but mostly forwarded as-is to the current upstream DNS servers. This provides a stable DNS server address that proxies all requests dynamically to the right upstream DNS servers even if these dynamically change. This stub does not do mDNS/LLMNR resolution. However, it will translate look-ups to DNS-over-TLS if necessary. This new stub is particularly useful in container/VM environments, or for tethering setups: use DNAT to redirect traffic to any IP address to this stub. * systemd-importd now honors new environment variables $SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA, $SYSTEMD_IMPORT_SYNC, which may be used disable btrfs subvolume generation, btrfs quota setup and disk synchronization. * systemd-importd and systemd-resolved can now be optionally built with OpenSSL instead of libgcrypt. * systemd-repart no longer requires OpenSSL. * systemd-sysusers will no longer create the redundant 'nobody' group by default, as the 'nobody' user is already created with an appropriate primary group. * If a unit uses RuntimeMaxSec, systemctl show will now display it. * systemctl show-environment gained support for --output=json. * pam_systemd will now first try to use the X11 abstract socket, and fallback to the socket file in /tmp/.X11-unix/ only if that does not work. * systemd-journald will no longer go back to volatile storage regardless of configuration when its unit is restarted. * Initial support for the LoongArch architecture has been added (system call lists, GPT partition table UUIDs, etc). * systemd-journald's own logging messages are now also logged to the journal itself when systemd-journald logs to /dev/kmsg. * systemd-journald now re-enables COW for archived journal files on filesystems that support COW. One benefit of this change is that archived journal files will now get compressed on btrfs filesystems that have compression enabled. * systemd-journald now deduplicates fields in a single log message before adding it to the journal. In archived journal files, it will also punch holes for unused parts and truncate the file as appropriate, leading to reductions in disk usage. * journalctl --verify was extended with more informative error messages. * More of sd-journal's functions are now resistant against journal file corruption. * The shutdown command learnt a new option --show, to display the scheduled shutdown. * A LICENSES/ directory is now included in the git tree. It contains a README.md file that explains the licenses used by source files in this repository. It also contains the text of all applicable licenses as they appear on spdx.org. Contributions from: Aakash Singh, acsfer, Adolfo Jayme Barrientos, Adrian Vovk, Albert Brox, Alberto Mardegan, Alexander Kanavin, alexlzhu, Alfonso Sánchez-Beato, Alvin Šipraga, Alyssa Ross, Amir Omidi, Anatol Pomozov, Andika Triwidada, Andreas Rammhold, Andreas Valder, Andrej Lajovic, Andrew Soutar, Andrew Stone, Andy Chi, Anita Zhang, Anssi Hannula, Antonio Alvarez Feijoo, Antony Deepak Thomas, Arnaud Ferraris, Arvid E. Picciani, Bastien Nocera, Benjamin Berg, Benjamin Herrenschmidt, Ben Stockett, Bogdan Seniuc, Boqun Feng, Carl Lei, chlorophyll-zz, Chris Packham, Christian Brauner, Christian Göttsche, Christian Wehrli, Christoph Anton Mitterer, Cristian Rodríguez, Daan De Meyer, Daniel Maixner, Dann Frazier, Dan Streetman, Davide Cavalca, David Seifert, David Tardon, dependabot[bot], Dimitri John Ledkov, Dimitri Papadopoulos, Dimitry Ishenko, Dmitry Khlebnikov, Dominique Martinet, duament, Egor, Egor Ignatov, Emil Renner Berthing, Emily Gonyer, Ettore Atalan, Evgeny Vereshchagin, Florian Klink, Franck Bui, Frantisek Sumsal, Geass-LL, Gibeom Gwon, GnunuX, Gogo Gogsi, gregzuro, Greg Zuro, Gustavo Costa, Hans de Goede, Hela Basa, Henri Chain, hikigaya58, Hugo Carvalho, Hugo Osvaldo Barrera, Iago Lopez Galeiras, Iago López Galeiras, I-dont-need-name, igo95862, Jack Dähn, James Hilliard, Jan Janssen, Jan Kuparinen, Jan Macku, Jan Palus, Jarkko Sakkinen, Jayce Fayne, jiangchuangang, jlempen, John Lindgren, Jonas Dreßler, Jonas Jelten, Jonas Witschel, Joris Hartog, José Expósito, Julia Kartseva, Kai-Heng Feng, Kai Wohlfahrt, Kay Siver Bø, KennthStailey, Kevin Kuehler, Kevin Orr, Khem Raj, Kristian Klausen, Kyle Laker, lainahai, LaserEyess, Lennart Poettering, Lia Lenckowski, longpanda, Luca Boccassi, Luca BRUNO, Ludwig Nussel, Lukas Senionis, Maanya Goenka, Maciek Borzecki, Marcel Menzel, Marco Scardovi, Marcus Harrison, Mark Boudreau, Matthijs van Duin, Mauricio Vásquez, Maxime de Roucy, Max Resch, MertsA, Michael Biebl, Michael Catanzaro, Michal Koutný, Michal Sekletár, Miika Karanki, Mike Gilbert, Milo Turner, ml, monosans, Nacho Barrientos, nassir90, Nishal Kulkarni, nl6720, Ondrej Kozina, Paulo Neves, Pavel Březina, pedro martelletto, Peter Hutterer, Peter Morrow, Piotr Drąg, Rasmus Villemoes, ratijas, Raul Tambre, rene, Riccardo Schirone, Robert-L-Turner, Robert Scheck, Ross Jennings, saikat0511, Scott Lamb, Scott Worley, Sergei Trofimovich, Sho Iizuka, Slava Bacherikov, Slimane Selyan Amiri, StefanBruens, Steven Siloti, svonohr, Taiki Sugawara, Takashi Sakamoto, Takuro Onoue, Thomas Blume, Thomas Haller, Thomas Mühlbacher, Tianlu Shao, Toke Høiland-Jørgensen, Tom Yan, Tony Asleson, Topi Miettinen, Ulrich Ölmann, Urs Ritzmann, Vincent Bernat, Vito Caputo, Vladimir Panteleev, WANG Xuerui, Wind/owZ, Wu Xiaotian, xdavidwu, Xiaotian Wu, xujing, yangmingtai, Yao Wei, Yao Wei (魏銘廷), Yegor Alexeyev, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски, наб — Warsaw, 2021-12-23 CHANGES WITH 249: * When operating on disk images via the --image= switch of various tools (such as systemd-nspawn or systemd-dissect), or when udev finds no 'root=' parameter on the kernel command line, and multiple suitable root or /usr/ partitions exist in the image, then a simple comparison inspired by strverscmp() is done on the GPT partition label, and the newest partition is picked. This permits a simple and generic whole-file-system A/B update logic where new operating system versions are dropped into partitions whose label is then updated with a matching version identifier. * systemd-sysusers now supports querying the passwords to set for the users it creates via the "credentials" logic introduced in v247: the passwd.hashed-password. and passwd.plaintext-password. credentials are consulted for the password to use (either in UNIX hashed form, or literally). By default these credentials are inherited down from PID1 (which in turn imports it from a container manager if there is one). This permits easy configuration of user passwords during first boot. Example: # systemd-nspawn -i foo.raw --volatile=yes --set-credential=passwd.plaintext-password.root:foo Note that systemd-sysusers operates in purely additive mode: it executes no operation if the declared users already exist, and hence doesn't set any passwords as effect of the command line above if the specified root user exists already in the image. (Note that --volatile=yes ensures it doesn't, though.) * systemd-firstboot now also supports querying various system parameters via the credential subsystems. Thus, as above this may be used to initialize important system parameters on first boot of previously unprovisioned images (i.e. images with a mostly empty /etc/). * PID 1 may now show both the unit name and the unit description strings in its status output during boot. This may be configured with StatusUnitFormat=combined in system.conf or systemd.status-unit-format=combined on the kernel command line. * The systemd-machine-id-setup tool now supports a --image= switch for provisioning a machine ID file into an OS disk image, similar to how --root= operates on an OS file tree. This matches the existing switch of the same name for systemd-tmpfiles, systemd-firstboot, and systemd-sysusers tools. * Similarly, systemd-repart gained support for the --image= switch too. In combination with the existing --size= option, this makes the tool particularly useful for easily growing disk images in a single invocation, following the declarative rules included in the image itself. * systemd-repart's partition configuration files gained support for a new switch MakeDirectories= which may be used to create arbitrary directories inside file systems that are created, before registering them in the partition table. This is useful in particular for root partitions to create mount point directories for other partitions included in the image. For example, a disk image that contains a root, /home/, and /var/ partitions, may set MakeDirectories=yes to create /home/ and /var/ as empty directories in the root file system on its creation, so that the resulting image can be mounted immediately, even in read-only mode. * systemd-repart's CopyBlocks= setting gained support for the special value "auto". If used, a suitable matching partition on the booted OS is found as source to copy blocks from. This is useful when implementing replicating installers, that are booted from one medium and then stream their own root partition onto the target medium. * systemd-repart's partition configuration files gained support for a Flags=, a ReadOnly= and a NoAuto= setting, allowing control of these GPT partition flags for the created partitions: this is useful for marking newly created partitions as read-only, or as not being subject for automatic mounting from creation on. * The /etc/os-release file has been extended with two new (optional) variables IMAGE_VERSION= and IMAGE_ID=, carrying identity and version information for OS images that are updated comprehensively and atomically as one image. Two new specifiers %M, %A now resolve to these two fields in the various configuration options that resolve specifiers. * portablectl gained a new switch --extension= for enabling portable service images with extensions that follow the extension image concept introduced with v248, and thus allows layering multiple images when setting up the root filesystem of the service. * systemd-coredump will now extract ELF build-id information from processes dumping core and include it in the coredump report. Moreover, it will look for ELF .note.package sections with distribution packaging meta-information about the crashing process. This is useful to directly embed the rpm or deb (or any other) package name and version in ELF files, making it easy to match coredump reports with the specific package for which the software was compiled. This is particularly useful on environments with ELF files from multiple vendors, different distributions and versions, as is common today in our containerized and sand-boxed world. For further information, see: https://systemd.io/COREDUMP_PACKAGE_METADATA * A new udev hardware database has been added for FireWire devices (IEEE 1394). * The "net_id" built-in of udev has been updated with three backwards-incompatible changes: - PCI hotplug slot names on s390 systems are now parsed as hexadecimal numbers. They were incorrectly parsed as decimal previously, or ignored if the name was not a valid decimal number. - PCI onboard indices up to 65535 are allowed. Previously, numbers above 16383 were rejected. This primarily impacts s390 systems, where values up to 65535 are used. - Invalid characters in interface names are replaced with "_". The new version of the net naming scheme is "v249". The previous scheme can be selected via the "net.naming_scheme=v247" kernel command line parameter. * sd-bus' sd_bus_is_ready() and sd_bus_is_open() calls now accept a NULL bus object, for which they will return false. Or in other words, an unallocated bus connection is neither ready nor open. * The sd-device API acquired a new API function sd_device_get_usec_initialized() that returns the monotonic time when the udev device first appeared in the database. * sd-device gained a new APIs sd_device_trigger_with_uuid() and sd_device_get_trigger_uuid(). The former is similar to sd_device_trigger() but returns a randomly generated UUID that is associated with the synthetic uevent generated by the call. This UUID may be read from the sd_device object a monitor eventually receives, via the sd_device_get_trigger_uuid(). This interface requires kernel 4.13 or above to work, and allows tracking a synthetic uevent through the entire device management stack. The "udevadm trigger --settle" logic has been updated to make use of this concept if available to wait precisely for the uevents it generates. "udevadm trigger" also gained a new parameter --uuid that prints the UUID for each generated uevent. * sd-device also gained new APIs sd_device_new_from_ifname() and sd_device_new_from_ifindex() for allocating an sd-device object for the specified network interface. The former accepts an interface name (either a primary or an alternative name), the latter an interface index. * The native Journal protocol has been documented. Clients may talk this as alternative to the classic BSD syslog protocol for locally delivering log records to the Journal. The protocol has been stable for a long time and in fact been implemented already in a variety of alternative client libraries. This documentation makes the support for that official: https://systemd.io/JOURNAL_NATIVE_PROTOCOL * A new BPFProgram= setting has been added to service files. It may be set to a path to a loaded kernel BPF program, i.e. a path to a bpffs file, or a bind mount or symlink to one. This may be used to upload and manage BPF programs externally and then hook arbitrary systemd services into them. * The "home.arpa" domain that has been officially declared as the choice for domain for local home networks per RFC 8375 has been added to the default NTA list of resolved, since DNSSEC is generally not available on private domains. * The CPUAffinity= setting of unit files now resolves "%" specifiers. * A new ManageForeignRoutingPolicyRules= setting has been added to .network files which may be used to exclude foreign-created routing policy rules from systemd-networkd management. * systemd-network-wait-online gained two new switches -4 and -6 that may be used to tweak whether to wait for only IPv4 or only IPv6 connectivity. * .network files gained a new RequiredFamilyForOnline= setting to fine-tune whether to require an IPv4 or IPv6 address in order to consider an interface "online". * networkctl will now show an over-all "online" state in the per-link information. * In .network files a new OutgoingInterface= setting has been added to specify the output interface in bridge FDB setups. * In .network files the Multipath group ID may now be configured for [NextHop] entries, via the new Group= setting. * The DHCP server logic configured in .network files gained a new setting RelayTarget= that turns the server into a DHCP server relay. The RelayAgentCircuitId= and RelayAgentRemoteId= settings may be used to further tweak the DHCP relay behaviour. * The DHCP server logic also gained a new ServerAddress= setting in .network files that explicitly specifies the server IP address to use. If not specified, the address is determined automatically, as before. * The DHCP server logic in systemd-networkd gained support for static DHCP leases, configurable via the [DHCPServerStaticLease] section. This allows explicitly mapping specific MAC addresses to fixed IP addresses and vice versa. * The RestrictAddressFamilies= setting in service files now supports a new special value "none". If specified sockets of all address families will be made unavailable to services configured that way. * systemd-fstab-generator and systemd-repart have been updated to support booting from disks that carry only a /usr/ partition but no root partition yet, and where systemd-repart can add it in on the first boot. This is useful for implementing systems that ship with a single /usr/ file system, and whose root file system shall be set up and formatted on a LUKS-encrypted volume whose key is generated locally (and possibly enrolled in the TPM) during the first boot. * The [Address] section of .network files now accepts a new RouteMetric= setting that configures the routing metric to use for the prefix route created as effect of the address configuration. Similarly, the [DHCPv6PrefixDelegation] and [IPv6Prefix] sections gained matching settings for their prefix routes. (The option of the same name in the [DHCPv6] section is moved to [IPv6AcceptRA], since it conceptually belongs there; the old option is still understood for compatibility.) * The DHCPv6 IAID and DUID are now explicitly configurable in .network files. * A new udev property ID_NET_DHCP_BROADCAST on network interface devices is now honoured by systemd-networkd, controlling whether to issue DHCP offers via broadcasting. This is used to ensure that s390 layer 3 network interfaces work out-of-the-box with systemd-networkd. * nss-myhostname and systemd-resolved will now synthesize address records for a new special hostname "_outbound". The name will always resolve to the local IP addresses most likely used for outbound connections towards the default routes. On multi-homed hosts this is useful to have a stable handle referring to "the" local IP address that matters most, to the point where this is defined. * The Discoverable Partition Specification has been updated with a new GPT partition flag "grow-file-system" defined for its partition types. Whenever partitions with this flag set are automatically mounted (i.e. via systemd-gpt-auto-generator or the --image= switch of systemd-nspawn or other tools; and as opposed to explicit mounting via /etc/fstab), the file system within the partition is automatically grown to the full size of the partition. If the file system size already matches the partition size this flag has no effect. Previously, this functionality has been available via the explicit x-systemd.growfs mount option, and this new flag extends this to automatically discovered mounts. A new GrowFileSystem= setting has been added to systemd-repart drop-in files that allows configuring this partition flag. This new flag defaults to on for partitions automatically created by systemd-repart, except if they are marked read-only. See the specification for further details: https://systemd.io/DISCOVERABLE_PARTITIONS * .network files gained a new setting RoutesToNTP= in the [DHCPv4] section. If enabled (which is the default), and an NTP server address is acquired through a DHCP lease on this interface an explicit route to this address is created on this interface to ensure that NTP traffic to the NTP server acquired on an interface is also routed through that interface. The pre-existing RoutesToDNS= setting that implements the same for DNS servers is now enabled by default. * A pair of service settings SocketBindAllow= + SocketBindDeny= have been added that may be used to restrict the network interfaces sockets created by the service may be bound to. This is implemented via BPF. * A new ConditionFirmware= setting has been added to unit files to conditionalize on certain firmware features. At the moment it may check whether running on a UEFI system, a device.tree system, or if the system is compatible with some specified device-tree feature. * A new ConditionOSRelease= setting has been added to unit files to check os-release(5) fields. The "=", "!=", "<", "<=", ">=", ">" operators may be used to check if some field has some specific value or do an alphanumerical comparison. Equality comparisons are useful for fields like ID, but relative comparisons for fields like VERSION_ID or IMAGE_VERSION. * hostnamed gained a new Describe() D-Bus method that returns a JSON serialization of the host data it exposes. This is exposed via "hostnamectl --json=" to acquire a host identity description in JSON. It's our intention to add a similar features to most services and objects systemd manages, in order to simplify integration with program code that can consume JSON. * Similarly, networkd gained a Describe() method on its Manager and Link bus objects. This is exposed via "networkctl --json=". * hostnamectl's various "get-xyz"/"set-xyz" verb pairs (e.g. "hostnamectl get-hostname", "hostnamectl "set-hostname") have been replaced by a single "xyz" verb (e.g. "hostnamectl hostname") that is used both to get the value (when no argument is given), and to set the value (when an argument is specified). The old names continue to be supported for compatibility. * systemd-detect-virt and ConditionVirtualization= are now able to correctly identify Amazon EC2 environments. * The LogLevelMax= setting of unit files now applies not only to log messages generated *by* the service, but also to log messages generated *about* the service by PID 1. To suppress logs concerning a specific service comprehensively, set this option to a high log level. * bootctl gained support for a new --make-machine-id-directory= switch that allows precise control on whether to create the top-level per-machine directory in the boot partition that typically contains Type 1 boot loader entries. * During build SBAT data to include in the systemd-boot EFI PE binaries may be specified now. * /etc/crypttab learnt a new option "headless". If specified any requests to query the user interactively for passwords or PINs will be skipped. This is useful on systems that are headless, i.e. where an interactive user is generally not present. * /etc/crypttab also learnt a new option "password-echo=" that allows configuring whether the encryption password prompt shall echo the typed password and if so, do so literally or via asterisks. (The default is the same behaviour as before: provide echo feedback via asterisks.) * FIDO2 support in systemd-cryptenroll/systemd-cryptsetup and systemd-homed has been updated to allow explicit configuration of the "user presence" and "user verification" checks, as well as whether a PIN is required for authentication, via the new switches --fido2-with-user-presence=, --fido2-with-user-verification=, --fido2-with-client-pin= to systemd-cryptenroll and homectl. Which features are available, and may be enabled or disabled depends on the used FIDO2 token. * systemd-nspawn's --private-user= switch now accepts the special value "identity" which configures a user namespacing environment with an identity mapping of 65535 UIDs. This means the container UID 0 is mapped to the host UID 0, and the UID 1 to host UID 1. On first look this doesn't appear to be useful, however it does reduce the attack surface a bit, since the resulting container will possess process capabilities only within its namespace and not on the host. * systemd-nspawn's --private-user-chown switch has been replaced by a more generic --private-user-ownership= switch that accepts one of three values: "chown" is equivalent to the old --private-user-chown, and "off" is equivalent to the absence of the old switch. The value "map" uses the new UID mapping mounts of Linux 5.12 to map ownership of files and directories of the underlying image to the chosen UID range for the container. "auto" is equivalent to "map" if UID mapping mount are supported, otherwise it is equivalent to "chown". The short -U switch systemd-nspawn now implies --private-user-ownership=auto instead of the old --private-user-chown. Effectively this means: if the backing file system supports UID mapping mounts the feature is now used by default if -U is used. Generally, it's a good idea to use UID mapping mounts instead of recursive chown()ing, since it allows running containers off immutable images (since no modifications of the images need to take place), and share images between multiple instances. Moreover, the recursive chown()ing operation is slow and can be avoided. Conceptually it's also a good thing if transient UID range uses do not leak into persistent file ownership anymore. TLDR: finally, the last major drawback of user namespacing has been removed, and -U should always be used (unless you use btrfs, where UID mapped mounts do not exist; or your container actually needs privileges on the host). * nss-systemd now synthesizes user and group shadow records in addition to the main user and group records. Thus, hashed passwords managed by systemd-homed are now accessible via the shadow database. * The userdb logic (and thus nss-systemd, and so on) now read additional user/group definitions in JSON format from the drop-in directories /etc/userdb/, /run/userdb/, /run/host/userdb/ and /usr/lib/userdb/. This is a simple and powerful mechanism for making additional users available to the system, with full integration into NSS including the shadow databases. Since the full JSON user/group record format is supported this may also be used to define users with resource management settings and other runtime settings that pam_systemd and systemd-logind enforce at login. * The userdbctl tool gained two new switches --with-dropin= and --with-varlink= which can be used to fine-tune the sources used for user database lookups. * systemd-nspawn gained a new switch --bind-user= for binding a host user account into the container. This does three things: the user's home directory is bind mounted from the host into the container, below the /run/userdb/home/ hierarchy. A free UID is picked in the container, and a user namespacing UID mapping to the host user's UID installed. And finally, a minimal JSON user and group record (along with its hashed password) is dropped into /run/host/userdb/. These records are picked up automatically by the userdb drop-in logic describe above, and allow the user to login with the same password as on the host. Effectively this means: if host and container run new enough systemd versions making a host user available to the container is trivially simple. * systemd-journal-gatewayd now supports the switches --user, --system, --merge, --file= that are equivalent to the same switches of journalctl, and permit exposing only the specified subset of the Journal records. * The OnFailure= dependency between units is now augmented with a implicit reverse dependency OnFailureOf= (this new dependency cannot be configured directly it's only created as effect of an OnFailure= dependency in the reverse order — it's visible in "systemctl show" however). Similar, Slice= now has an reverse dependency SliceOf=, that is also not configurable directly, but useful to determine all units that are members of a slice. * A pair of new dependency types between units PropagatesStopTo= + StopPropagatedFrom= has been added, that allows propagation of unit stop events between two units. It operates similar to the existing PropagatesReloadTo= + ReloadPropagatedFrom= dependencies. * A new dependency type OnSuccess= has been added (plus the reverse dependency OnSuccessOf=, which cannot be configured directly, but exists only as effect of the reverse OnSuccess=). It is similar to OnFailure=, but triggers in the opposite case: when a service exits cleanly. This allows "chaining up" of services where one or more services are started once another service has successfully completed. * A new dependency type Upholds= has been added (plus the reverse dependency UpheldBy=, which cannot be configured directly, but exists only as effect of Upholds=). This dependency type is a stronger form of Wants=: if a unit has an UpHolds= dependency on some other unit and the former is active then the latter is started whenever it is found inactive (and no job is queued for it). This is an alternative to Restart= inside service units, but less configurable, and the request to uphold a unit is not encoded in the unit itself but in another unit that intends to uphold it. * The systemd-ask-password tool now also supports reading passwords from the credentials subsystem, via the new --credential= switch. * The systemd-ask-password tool learnt a new switch --emoji= which may be used to explicit control whether the lock and key emoji (🔐) is shown in the password prompt on suitable TTYs. * The --echo switch of systemd-ask-password now optionally takes a parameter that controls character echo. It may either show asterisks (default, as before), turn echo off entirely, or echo the typed characters literally. * The systemd-ask-password tool also gained a new -n switch for suppressing output of a trailing newline character when writing the acquired password to standard output, similar to /bin/echo's -n switch. * New documentation has been added that describes the organization of the systemd source code tree: https://systemd.io/ARCHITECTURE * Units using ConditionNeedsUpdate= will no longer be activated in the initrd. * It is now possible to list a template unit in the WantedBy= or RequiredBy= settings of the [Install] section of another template unit, which will be instantiated using the same instance name. * A new MemoryAvailable property is available for units. If the unit, or the slices it is part of, have a memory limit set via MemoryMax=/ MemoryHigh=, MemoryAvailable will indicate how much more memory the unit can claim before hitting the limits. * systemd-coredump will now try to stay below the cgroup memory limit placed on itself or one of the slices it runs under, if the storage area for core files (/var/lib/systemd/coredump/) is placed on a tmpfs, since files written on such filesystems count toward the cgroup memory limit. If there is not enough available memory in such cases to store the core file uncompressed, systemd-coredump will skip to compressed storage directly (if enabled) and it will avoid analyzing the core file to print backtrace and metadata in the journal. * tmpfiles.d/ drop-ins gained a new '=' modifier to check if the type of a path matches the configured expectations, and remove it if not. * tmpfiles.d/'s 'Age' now accepts an 'age-by' argument, which allows to specify which of the several available filesystem timestamps (access time, birth time, change time, modification time) to look at when deciding whether a path has aged enough to be cleaned. * A new IPv6StableSecretAddress= setting has been added to .network files, which takes an IPv6 address to use as secret for IPv6 address generation. * The [DHCPServer] logic in .network files gained support for a new UplinkInterface= setting that permits configuration of the uplink interface name to propagate DHCP lease information from. * The WakeOnLan= setting in .link files now accepts a list of flags instead of a single one, to configure multiple wake-on-LAN policies. * User-space defined tracepoints (USDT) have been added to udev at strategic locations. This is useful for tracing udev behaviour and performance with bpftrace and similar tools. * systemd-journald-upload gained a new NetworkTimeoutSec= option for setting a network timeout time. * If a system service is running in a new mount namespace (RootDirectory= and friends), all file systems will be mounted with MS_NOSUID by default, unless the system is running with SELinux enabled. * When enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by the IANA time zone database package, in addition to 'zone1970.tab', as before. This makes sure time zone aliases are now correctly supported. Some distributions so far did not install this additional file, most do however. If you distribution does not install it yet, it might make sense to change that. * Intel HID rfkill event is no longer masked, since it's the only source of rfkill event on newer HP laptops. To have both backward and forward compatibility, userspace daemon needs to debounce duplicated events in a short time window. Contributions from: Aakash Singh, adrian5, Albert Brox, Alexander Sverdlin, Alexander Tsoy, Alexey Rubtsov, alexlzhu, Allen Webb, Alvin Šipraga, Alyssa Ross, Anders Wenhaug, Andrea Pappacoda, Anita Zhang, asavah, Balint Reczey, Bertrand Jacquin, borna-blazevic, caoxia2008cxx, Carlo Teubner, Christian Göttsche, Christian Hesse, Daniel Schaefer, Dan Streetman, David Santamaría Rogado, David Tardon, Deepak Rawat, dgcampea, Dimitri John Ledkov, ei-ke, Emilio Herrera, Emil Renner Berthing, Eric Cook, Flos Lonicerae, Franck Bui, Francois Gervais, Frantisek Sumsal, Gibeom Gwon, gitm0, Hamish Moffatt, Hans de Goede, Harsh Barsaiyan, Henri Chain, Hristo Venev, Icenowy Zheng, Igor Zhbanov, imayoda, Jakub Warczarek, James Buren, Jan Janssen, Jan Macku, Jan Synacek, Jason Francis, Jayanth Ananthapadmanaban, Jeremy Szu, Jérôme Carretero, Jesse Stricker, jiangchuangang, Joerg Behrmann, Jóhann B. Guðmundsson, Jörg Deckert, Jörg Thalheim, Juergen Hoetzel, Julia Kartseva, Kai-Heng Feng, Khem Raj, KoyamaSohei, laineantti, Lennart Poettering, LetzteInstanz, Luca Adrian L, Luca Boccassi, Lucas Magasweran, Mantas Mikulėnas, Marco Antonio Mauro, Mark Wielaard, Masahiro Matsuya, Matt Johnston, Michael Catanzaro, Michal Koutný, Michal Sekletár, Mike Crowe, Mike Kazantsev, Milan, milaq, Miroslav Suchý, Morten Linderud, nerdopolis, nl6720, Noah Meyerhans, Oleg Popov, Olle Lundberg, Ondrej Kozina, Paweł Marciniak, Perry.Yuan, Peter Hutterer, Peter Kjellerstedt, Peter Morrow, Phaedrus Leeds, plattrap, qhill, Raul Tambre, Roman Beranek, Roshan Shariff, Ryan Hendrickson, Samuel BF, scootergrisen, Sebastian Blunt, Seong-ho Cho, Sergey Bugaev, Sevan Janiyan, Sibo Dong, simmon, Simon Watts, Srinidhi Kaushik, Štěpán Němec, Steve Bonds, Susant Sahani, sverdlin, syyhao1994, Takashi Sakamoto, Topi Miettinen, tramsay, Trent Piepho, Uwe Kleine-König, Viktor Mihajlovski, Vincent Dechenaux, Vito Caputo, William A. Kennington III, Yangyang Shen, Yegor Alexeyev, Yi Gao, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, zsien, наб — Edinburgh, 2021-07-07 CHANGES WITH 248: * A concept of system extension images is introduced. Such images may be used to extend the /usr/ and /opt/ directory hierarchies at runtime with additional files (even if the file system is read-only). When a system extension image is activated, its /usr/ and /opt/ hierarchies and os-release information are combined via overlayfs with the file system hierarchy of the host OS. A new systemd-sysext tool can be used to merge, unmerge, list, and refresh system extension hierarchies. See https://www.freedesktop.org/software/systemd/man/systemd-sysext.html. The systemd-sysext.service automatically merges installed system extensions during boot (before basic.target, but not in very early boot, since various file systems have to be mounted first). The SYSEXT_LEVEL= field in os-release(5) may be used to specify the supported system extension level. * A new ExtensionImages= unit setting can be used to apply the same system extension image concept from systemd-sysext to the namespaced file hierarchy of specific services, following the same rules and constraints. * Support for a new special "root=tmpfs" kernel command-line option has been added. When specified, a tmpfs is mounted on /, and mount.usr= should be used to point to the operating system implementation. * A new configuration file /etc/veritytab may be used to configure dm-verity integrity protection for block devices. Each line is in the format "volume-name data-device hash-device roothash options", similar to /etc/crypttab. * A new kernel command-line option systemd.verity.root_options= may be used to configure dm-verity behaviour for the root device. * The key file specified in /etc/crypttab (the third field) may now refer to an AF_UNIX/SOCK_STREAM socket in the file system. The key is acquired by connecting to that socket and reading from it. This allows the implementation of a service to provide key information dynamically, at the moment when it is needed. * When the hostname is set explicitly to "localhost", systemd-hostnamed will respect this. Previously such a setting would be mostly silently ignored. The goal is to honour configuration as specified by the user. * The fallback hostname that will be used by the system manager and systemd-hostnamed can now be configured in two new ways: by setting DEFAULT_HOSTNAME= in os-release(5), or by setting $SYSTEMD_DEFAULT_HOSTNAME in the environment block. As before, it can also be configured during compilation. The environment variable is intended for testing and local overrides, the os-release(5) field is intended to allow customization by different variants of a distribution that share the same compiled packages. * The environment block of the manager itself may be configured through a new ManagerEnvironment= setting in system.conf or user.conf. This complements existing ways to set the environment block (the kernel command line for the system manager, the inherited environment and user@.service unit file settings for the user manager). * systemd-hostnamed now exports the default hostname and the source of the configured hostname ("static", "transient", or "default") as D-Bus properties. * systemd-hostnamed now exports the "HardwareVendor" and "HardwareModel" D-Bus properties, which are supposed to contain a pair of cleaned up, human readable strings describing the system's vendor and model. It's typically sourced from the firmware's DMI tables, but may be augmented from a new hwdb database. hostnamectl shows this in the status output. * Support has been added to systemd-cryptsetup for extracting the PKCS#11 token URI and encrypted key from the LUKS2 JSON embedded metadata header. This allows the information how to open the encrypted device to be embedded directly in the device and obviates the need for configuration in an external file. * systemd-cryptsetup gained support for unlocking LUKS2 volumes using TPM2 hardware, as well as FIDO2 security tokens (in addition to the pre-existing support for PKCS#11 security tokens). * systemd-repart may enroll encrypted partitions using TPM2 hardware. This may be useful for example to create an encrypted /var partition bound to the machine on first boot. * A new systemd-cryptenroll tool has been added to enroll TPM2, FIDO2 and PKCS#11 security tokens to LUKS volumes, list and destroy them. See: https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html It also supports enrolling "recovery keys" and regular passphrases. * The libfido2 dependency is now based on dlopen(), so that the library is used at runtime when installed, but is not a hard runtime dependency. * systemd-cryptsetup gained support for two new options in /etc/crypttab: "no-write-workqueue" and "no-read-workqueue" which request synchronous processing of encryption/decryption IO. * The manager may be configured at compile time to use the fexecve() instead of the execve() system call when spawning processes. Using fexecve() closes a window between checking the security context of an executable and spawning it, but unfortunately the kernel displays stale information in the process' "comm" field, which impacts ps output and such. * The configuration option -Dcompat-gateway-hostname has been dropped. "_gateway" is now the only supported name. * The ConditionSecurity=tpm2 unit file setting may be used to check if the system has at least one TPM2 (tpmrm class) device. * A new ConditionCPUFeature= has been added that may be used to conditionalize units based on CPU features. For example, ConditionCPUFeature=rdrand will condition a unit so that it is only run when the system CPU supports the RDRAND opcode. * The existing ConditionControlGroupController= setting has been extended with two new values "v1" and "v2". "v2" means that the unified v2 cgroup hierarchy is used, and "v1" means that legacy v1 hierarchy or the hybrid hierarchy are used. * A new PrivateIPC= setting on a unit file allows executed processes to be moved into a private IPC namespace, with separate System V IPC identifiers and POSIX message queues. A new IPCNamespacePath= allows the unit to be joined to an existing IPC namespace. * The tables of system calls in seccomp filters are now automatically generated from kernel lists exported on https://fedora.juszkiewicz.com.pl/syscalls.html. The following architectures should now have complete lists: alpha, arc, arm64, arm, i386, ia64, m68k, mips64n32, mips64, mipso32, powerpc, powerpc64, s390, s390x, tilegx, sparc, x86_64, x32. * The MountAPIVFS= service file setting now additionally mounts a tmpfs on /run/ if it is not already a mount point. A writable /run/ has always been a requirement for a functioning system, but this was not guaranteed when using a read-only image. Users can always specify BindPaths= or InaccessiblePaths= as overrides, and they will take precedence. If the host's root mount point is used, there is no change in behaviour. * New bind mounts and file system image mounts may be injected into the mount namespace of a service (without restarting it). This is exposed respectively as 'systemctl bind …' and 'systemctl mount-image …'. * The StandardOutput= and StandardError= settings can now specify files to be truncated for output (as "truncate:"). * The ExecPaths= and NoExecPaths= settings may be used to specify noexec for parts of the file system. * sd-bus has a new function sd_bus_open_user_machine() to open a connection to the session bus of a specific user in a local container or on the local host. This is exposed in the existing -M switch to systemctl and similar tools: systemctl --user -M lennart@foobar start foo This will connect to the user bus of a user "lennart" in container "foobar". If no container name is specified, the specified user on the host itself is connected to systemctl --user -M lennart@ start quux * sd-bus also gained a convenience function sd_bus_message_send() to simplify invocations of sd_bus_send(), taking only a single parameter: the message to send. * sd-event allows rate limits to be set on event sources, for dealing with high-priority event sources that might starve out others. See the new man page sd_event_source_set_ratelimit(3) for details. * systemd.link files gained a [Link] Promiscuous= switch, which allows the device to be raised in promiscuous mode. New [Link] TransmitQueues= and ReceiveQueues= settings allow the number of TX and RX queues to be configured. New [Link] TransmitQueueLength= setting allows the size of the TX queue to be configured. New [Link] GenericSegmentOffloadMaxBytes= and GenericSegmentOffloadMaxSegments= allow capping the packet size and the number of segments accepted in Generic Segment Offload. * systemd-networkd gained support for the "B.A.T.M.A.N. advanced" wireless routing protocol that operates on ISO/OSI Layer 2 only and uses ethernet frames to route/bridge packets. This encompasses a new "batadv" netdev Type=, a new [BatmanAdvanced] section with a bunch of new settings in .netdev files, and a new BatmanAdvanced= setting in .network files. * systemd.network files gained a [Network] RouteTable= configuration switch to select the routing policy table. systemd.network files gained a [RoutingPolicyRule] Type= configuration switch (one of "blackhole, "unreachable", "prohibit"). systemd.network files gained a [IPv6AcceptRA] RouteDenyList= and RouteAllowList= settings to ignore/accept route advertisements from routers matching specified prefixes. The DenyList= setting has been renamed to PrefixDenyList= and a new PrefixAllowList= option has been added. systemd.network files gained a [DHCPv6] UseAddress= setting to optionally ignore the address provided in the lease. systemd.network files gained a [DHCPv6PrefixDelegation] ManageTemporaryAddress= switch. systemd.network files gained a new ActivationPolicy= setting which allows configuring how the UP state of an interface shall be managed, i.e. whether the interface is always upped, always downed, or may be upped/downed by the user using "ip link set dev". * The default for the Broadcast= setting in .network files has slightly changed: the broadcast address will not be configured for wireguard devices. * systemd.netdev files gained a [VLAN] Protocol=, IngressQOSMaps=, EgressQOSMaps=, and [MACVLAN] BroadcastMulticastQueueLength= configuration options for VLAN packet handling. * udev rules may now set log_level= option. This allows debug logs to be enabled for select events, e.g. just for a specific subsystem or even a single device. * udev now exports the VOLUME_ID, LOGICAL_VOLUME_ID, VOLUME_SET_ID, and DATA_PREPARED_ID properties for block devices with ISO9660 file systems. * udev now exports decoded DMI information about installed memory slots as device properties under the /sys/class/dmi/id/ pseudo device. * /dev/ is not mounted noexec anymore. This didn't provide any significant security benefits and would conflict with the executable mappings used with /dev/sgx device nodes. The previous behaviour can be restored for individual services with NoExecPaths=/dev (or by allow- listing and excluding /dev from ExecPaths=). * Permissions for /dev/vsock are now set to 0o666, and /dev/vhost-vsock and /dev/vhost-net are owned by the kvm group. * The hardware database has been extended with a list of fingerprint readers that correctly support USB auto-suspend using data from libfprint. * systemd-resolved can now answer DNSSEC questions through the stub resolver interface in a way that allows local clients to do DNSSEC validation themselves. For a question with DO+CD set, it'll proxy the DNS query and respond with a mostly unmodified packet received from the upstream server. * systemd-resolved learnt a new boolean option CacheFromLocalhost= in resolved.conf. If true the service will provide caching even for DNS lookups made to an upstream DNS server on the 127.0.0.1/::1 addresses. By default (and when the option is false) systemd-resolved will not cache such lookups, in order to avoid duplicate local caching, under the assumption the local upstream server caches anyway. * systemd-resolved now implements RFC5001 NSID in its local DNS stub. This may be used by local clients to determine whether they are talking to the DNS resolver stub or a different DNS server. * When resolving host names and other records resolvectl will now report where the data was acquired from (i.e. the local cache, the network, locally synthesized, …) and whether the network traffic it effected was encrypted or not. Moreover the tool acquired a number of new options --cache=, --synthesize=, --network=, --zone=, --trust-anchor=, --validate= that take booleans and may be used to tweak a lookup, i.e. whether it may be answered from cached information, locally synthesized information, information acquired through the network, the local mDNS/LLMNR zone, the DNSSEC trust anchor, and whether DNSSEC validation shall be executed for the lookup. * systemd-nspawn gained a new --ambient-capability= setting (AmbientCapability= in .nspawn files) to configure ambient capabilities passed to the container payload. * systemd-nspawn gained the ability to configure the firewall using the nftables subsystem (in addition to the existing iptables support). Similarly, systemd-networkd's IPMasquerade= option now supports nftables as back-end, too. In both cases NAT on IPv6 is now supported too, in addition to IPv4 (the iptables back-end still is IPv4-only). "IPMasquerade=yes", which was the same as "IPMasquerade=ipv4" before, retains its meaning, but has been deprecated. Please switch to either "ivp4" or "both" (if covering IPv6 is desired). * systemd-importd will now download .verity and .roothash.p7s files along with the machine image (as exposed via machinectl pull-raw). * systemd-oomd now gained a new DefaultMemoryPressureDurationSec= setting to configure the time a unit's cgroup needs to exceed memory pressure limits before action will be taken, and a new ManagedOOMPreference=none|avoid|omit setting to avoid killing certain units. systemd-oomd is now considered fully supported (the usual backwards-compatibility promises apply). Swap is not required for operation, but it is still recommended. * systemd-timesyncd gained a new ConnectionRetrySec= setting which configures the retry delay when trying to contact servers. * systemd-stdio-bridge gained --system/--user options to connect to the system bus (previous default) or the user session bus. * systemd-localed may now call locale-gen to generate missing locales on-demand (UTF-8-only). This improves integration with Debian-based distributions (Debian/Ubuntu/PureOS/Tanglu/...) and Arch Linux. * systemctl --check-inhibitors=true may now be used to obey inhibitors even when invoked non-interactively. The old --ignore-inhibitors switch is now deprecated and replaced by --check-inhibitors=false. * systemctl import-environment will now emit a warning when called without any arguments (i.e. to import the full environment block of the called program). This command will usually be invoked from a shell, which means that it'll inherit a bunch of variables which are specific to that shell, and usually to the TTY the shell is connected to, and don't have any meaning in the global context of the system or user service manager. Instead, only specific variables should be imported into the manager environment block. Similarly, programs which update the manager environment block by directly calling the D-Bus API of the manager, should also push specific variables, and not the full inherited environment. * systemctl's status output now shows unit state with a more careful choice of Unicode characters: units in maintenance show a "○" symbol instead of the usual "●", failed units show "×", and services being reloaded "↻". * coredumpctl gained a --debugger-arguments= switch to pass arguments to the debugger. It also gained support for showing coredump info in a simple JSON format. * systemctl/loginctl/machinectl's --signal= option now accept a special value "list", which may be used to show a brief table with known process signals and their numbers. * networkctl now shows the link activation policy in status. * Various tools gained --pager/--no-pager/--json= switches to enable/disable the pager and provide JSON output. * Various tools now accept two new values for the SYSTEMD_COLORS environment variable: "16" and "256", to configure how many terminal colors are used in output. * less 568 or newer is now required for the auto-paging logic of the various tools. Hyperlink ANSI sequences in terminal output are now used even if a pager is used, and older versions of less are not able to display these sequences correctly. SYSTEMD_URLIFY=0 may be used to disable this output again. * Builds with support for separate / and /usr/ hierarchies ("split-usr" builds, non-merged-usr builds) are now officially deprecated. A warning is emitted during build. Support is slated to be removed in about a year (when the Debian Bookworm release development starts). * Systems with the legacy cgroup v1 hierarchy are now marked as "tainted", to make it clearer that using the legacy hierarchy is not recommended. * systemd-localed will now refuse to configure a keymap which is not installed in the file system. This is intended as a bug fix, but could break cases where systemd-localed was used to configure the keymap in advanced of it being installed. It is necessary to install the keymap file first. * The main git development branch has been renamed to 'main'. * mmcblk[0-9]boot[0-9] devices will no longer be probed automatically for partitions, as in the vast majority of cases they contain none and are used internally by the bootloader (eg: uboot). * systemd will now set the $SYSTEMD_EXEC_PID environment variable for spawned processes to the PID of the process itself. This may be used by programs for detecting whether they were forked off by the service manager itself or are a process forked off further down the tree. * The sd-device API gained four new calls: sd_device_get_action() to determine the uevent add/remove/change/… action the device object has been seen for, sd_device_get_seqno() to determine the uevent sequence number, sd_device_new_from_stat_rdev() to allocate a new sd_device object from stat(2) data of a device node, and sd_device_trigger() to write to the 'uevent' attribute of a device. * For most tools the --no-legend= switch has been replaced by --legend=no and --legend=yes, to force whether tables are shown with headers/legends. * Units acquired a new property "Markers" that takes a list of zero, one or two of the following strings: "needs-reload" and "needs-restart". These markers may be set via "systemctl set-property". Once a marker is set, "systemctl reload-or-restart --marked" may be invoked to execute the operation the units are marked for. This is useful for package managers that want to mark units for restart/reload while updating, but effect the actual operations at a later step at once. * The sd_bus_message_read_strv() API call of sd-bus may now also be used to parse arrays of D-Bus signatures and D-Bus paths, in addition to regular strings. * bootctl will now report whether the UEFI firmware used a TPM2 device and measured the boot process into it. * systemd-tmpfiles learnt support for a new environment variable $SYSTEMD_TMPFILES_FORCE_SUBVOL which takes a boolean value. If true the v/q/Q lines in tmpfiles.d/ snippets will create btrfs subvolumes even if the root fs of the system is not itself a btrfs volume. * systemd-detect-virt/ConditionVirtualization= will now explicitly detect Docker/Podman environments where possible. Moreover, they should be able to generically detect any container manager as long as it assigns the container a cgroup. * portablectl gained a new "reattach" verb for detaching/reattaching a portable service image, useful for updating images on-the-fly. * Intel SGX enclave device nodes (which expose a security feature of newer Intel CPUs) will now be owned by a new system group "sgx". Contributions from: Adam Nielsen, Adrian Vovk, AJ Jordan, Alan Perry, Alastair Pharo, Alexander Batischev, Ali Abdallah, Andrew Balmos, Anita Zhang, Annika Wickert, Ansgar Burchardt, Antonio Terceiro, Antonius Frie, Ardy, Arian van Putten, Ariel Fermani, Arnaud T, A S Alam, Bastien Nocera, Benjamin Berg, Benjamin Robin, Björn Daase, caoxia, Carlo Wood, Charles Lee, ChopperRob, chri2, Christian Ehrhardt, Christian Hesse, Christopher Obbard, clayton craft, corvusnix, cprn, Daan De Meyer, Daniele Medri, Daniel Rusek, Dan Sanders, Dan Streetman, Darren Ng, David Edmundson, David Tardon, Deepak Rawat, Devon Pringle, Dmitry Borodaenko, dropsignal, Einsler Lee, Endre Szabo, Evgeny Vereshchagin, Fabian Affolter, Fangrui Song, Felipe Borges, feliperodriguesfr, Felix Stupp, Florian Hülsmann, Florian Klink, Florian Westphal, Franck Bui, Frantisek Sumsal, Gablegritule, Gaël PORTAY, Gaurav, Giedrius Statkevičius, Greg Depoire-Ferrer, Gustavo Costa, Hans de Goede, Hela Basa, heretoenhance, hide, Iago López Galeiras, igo95862, Ilya Dmitrichenko, Jameer Pathan, Jan Tojnar, Jiehong, Jinyuan Si, Joerg Behrmann, John Slade, Jonathan G. Underwood, Jonathan McDowell, Josh Triplett, Joshua Watt, Julia Cartwright, Julien Humbert, Kairui Song, Karel Zak, Kevin Backhouse, Kevin P. Fleming, Khem Raj, Konomi, krissgjeng, l4gfcm, Lajos Veres, Lennart Poettering, Lincoln Ramsay, Luca Boccassi, Luca BRUNO, Lucas Werkmeister, Luka Kudra, Luna Jernberg, Marc-André Lureau, Martin Wilck, Matthias Klumpp, Matt Turner, Michael Gisbers, Michael Marley, Michael Trapp, Michal Fabik, Michał Kopeć, Michal Koutný, Michal Sekletár, Michele Guerini Rocco, Mike Gilbert, milovlad, moson-mo, Nick, nihilix-melix, Oğuz Ersen, Ondrej Mosnacek, pali, Pavel Hrdina, Pavel Sapezhko, Perry Yuan, Peter Hutterer, Pierre Dubouilh, Piotr Drąg, Pjotr Vertaalt, Richard Laager, RussianNeuroMancer, Sam Lunt, Sebastiaan van Stijn, Sergey Bugaev, shenyangyang4, simmon, Simonas Kazlauskas, Slimane Selyan Amiri, Stefan Agner, Steve Ramage, Susant Sahani, Sven Mueller, Tad Fisher, Takashi Iwai, Thomas Haller, Tom Shield, Topi Miettinen, Torsten Hilbrich, tpgxyz, Tyler Hicks, ulf-f, Ulrich Ölmann, Vincent Pelletier, Vinnie Magro, Vito Caputo, Vlad, walbit-de, Whired Planck, wouter bolsterlee, Xℹ Ruoyao, Yangyang Shen, Yuri Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zmicer Turok, Дамјан Георгиевски — Berlin, 2021-03-30 CHANGES WITH 247: * KERNEL API INCOMPATIBILITY: Linux 4.14 introduced two new uevents "bind" and "unbind" to the Linux device model. When this kernel change was made, systemd-udevd was only minimally updated to handle and propagate these new event types. The introduction of these new uevents (which are typically generated for USB devices and devices needing a firmware upload before being functional) resulted in a number of issues which we so far didn't address. We hoped the kernel maintainers would themselves address these issues in some form, but that did not happen. To handle them properly, many (if not most) udev rules files shipped in various packages need updating, and so do many programs that monitor or enumerate devices with libudev or sd-device, or otherwise process uevents. Please note that this incompatibility is not fault of systemd or udev, but caused by an incompatible kernel change that happened back in Linux 4.14, but is becoming more and more visible as the new uevents are generated by more kernel drivers. To minimize issues resulting from this kernel change (but not avoid them entirely) starting with systemd-udevd 247 the udev "tags" concept (which is a concept for marking and filtering devices during enumeration and monitoring) has been reworked: udev tags are now "sticky", meaning that once a tag is assigned to a device it will not be removed from the device again until the device itself is removed (i.e. unplugged). This makes sure that any application monitoring devices that match a specific tag is guaranteed to both see uevents where the device starts being relevant, and those where it stops being relevant (the latter now regularly happening due to the new "unbind" uevent type). The udev tags concept is hence now a concept tied to a *device* instead of a device *event* — unlike for example udev properties whose lifecycle (as before) is generally tied to a device event, meaning that the previously determined properties are forgotten whenever a new uevent is processed. With the newly redefined udev tags concept, sometimes it's necessary to determine which tags are the ones applied by the most recent uevent/database update, in order to discern them from those originating from earlier uevents/database updates of the same device. To accommodate for this a new automatic property CURRENT_TAGS has been added that works similar to the existing TAGS property but only lists tags set by the most recent uevent/database update. Similarly, the libudev/sd-device API has been updated with new functions to enumerate these 'current' tags, in addition to the existing APIs that now enumerate the 'sticky' ones. To properly handle "bind"/"unbind" on Linux 4.14 and newer it is essential that all udev rules files and applications are updated to handle the new events. Specifically: • All rule files that currently use a header guard similar to ACTION!="add|change",GOTO="xyz_end" should be updated to use ACTION=="remove",GOTO="xyz_end" instead, so that the properties/tags they add are also applied whenever "bind" (or "unbind") is seen. (This is most important for all physical device types — those for which "bind" and "unbind" are currently generated, for all other device types this change is still recommended but not as important — but certainly prepares for future kernel uevent type additions). • Similarly, all code monitoring devices that contains an 'if' branch discerning the "add" + "change" uevent actions from all other uevents actions (i.e. considering devices only relevant after "add" or "change", and irrelevant on all other events) should be reworked to instead negatively check for "remove" only (i.e. considering devices relevant after all event types, except for "remove", which invalidates the device). Note that this also means that devices should be considered relevant on "unbind", even though conceptually this — in some form — invalidates the device. Since the precise effect of "unbind" is not generically defined, devices should be considered relevant even after "unbind", however I/O errors accessing the device should then be handled gracefully. • Any code that uses device tags for deciding whether a device is relevant or not most likely needs to be updated to use the new udev_device_has_current_tag() API (or sd_device_has_current_tag() in case sd-device is used), to check whether the tag is set at the moment an uevent is seen (as opposed to the existing udev_device_has_tag() API which checks if the tag ever existed on the device, following the API concept redefinition explained above). We are very sorry for this breakage and the requirement to update packages using these interfaces. We'd again like to underline that this is not caused by systemd/udev changes, but result of a kernel behaviour change. * UPCOMING INCOMPATIBILITY: So far most downstream distribution packages have not retriggered devices once the udev package (or any auxiliary package installing additional udev rules) is updated. We intend to work with major distributions to change this, so that "udevadm trigger -c change" is issued on such upgrades, ensuring that the updated ruleset is applied to the devices already discovered, so that (asynchronously) after the upgrade completed the udev database is consistent with the updated rule set. This means udev rules must be ready to be retriggered with a "change" action any time, and result in correct and complete udev database entries. While the majority of udev rule files known to us currently get this right, some don't. Specifically, there are udev rules files included in various packages that only set udev properties on the "add" action, but do not handle the "change" action. If a device matching those rules is retriggered with the "change" action (as is intended here) it would suddenly lose the relevant properties. This always has been problematic, but as soon as all udev devices are triggered on relevant package upgrades this will become particularly so. It is strongly recommended to fix offending rules so that they can handle a "change" action at any time, and acquire all necessary udev properties even then. Or in other words: the header guard mentioned above (ACTION=="remove",GOTO="xyz_end") is the correct approach to handle this, as it makes sure rules are rerun on "change" correctly, and accumulate the correct and complete set of udev properties. udev rule definitions that cannot handle "change" events being triggered at arbitrary times should be considered buggy. * The MountAPIVFS= service file setting now defaults to on if RootImage= and RootDirectory= are used, which means that with those two settings /proc/, /sys/ and /dev/ are automatically properly set up for services. Previous behaviour may be restored by explicitly setting MountAPIVFS=off. * Since PAM 1.2.0 (2015) configuration snippets may be placed in /usr/lib/pam.d/ in addition to /etc/pam.d/. If a file exists in the latter it takes precedence over the former, similar to how most of systemd's own configuration is handled. Given that PAM stack definitions are primarily put together by OS vendors/distributions (though possibly overridden by users), this systemd release moves its own PAM stack configuration for the "systemd-user" PAM service (i.e. for the PAM session invoked by the per-user user@.service instance) from /etc/pam.d/ to /usr/lib/pam.d/. We recommend moving all packages' vendor versions of their PAM stack definitions from /etc/pam.d/ to /usr/lib/pam.d/, but if such OS-wide migration is not desired the location to which systemd installs its PAM stack configuration may be changed via the -Dpamconfdir Meson option. * The runtime dependencies on libqrencode, libpcre2, libidn/libidn2, libpwquality and libcryptsetup have been changed to be based on dlopen(): instead of regular dynamic library dependencies declared in the binary ELF headers, these libraries are now loaded on demand only, if they are available. If the libraries cannot be found the relevant operations will fail gracefully, or a suitable fallback logic is chosen. This is supposed to be useful for general purpose distributions, as it allows minimizing the list of dependencies the systemd packages pull in, permitting building of more minimal OS images, while still making use of these "weak" dependencies should they be installed. Since many package managers automatically synthesize package dependencies from ELF shared library dependencies, some additional manual packaging work has to be done now to replace those (slightly downgraded from "required" to "recommended" or whatever is conceptually suitable for the package manager). Note that this change does not alter build-time behaviour: as before the build-time dependencies have to be installed during build, even if they now are optional during runtime. * sd-event.h gained a new call sd_event_add_time_relative() for installing timers relative to the current time. This is mostly a convenience wrapper around the pre-existing sd_event_add_time() call which installs absolute timers. * sd-event event sources may now be placed in a new "exit-on-failure" mode, which may be controlled via the new sd_event_source_get_exit_on_failure() and sd_event_source_set_exit_on_failure() functions. If enabled, any failure returned by the event source handler functions will result in exiting the event loop (unlike the default behaviour of just disabling the event source but continuing with the event loop). This feature is useful to set for all event sources that define "primary" program behaviour (where failure should be fatal) in contrast to "auxiliary" behaviour (where failure should remain local). * Most event source types sd-event supports now accept a NULL handler function, in which case the event loop is exited once the event source is to be dispatched, using the userdata pointer — converted to a signed integer — as exit code of the event loop. Previously this was supported for IO and signal event sources already. Exit event sources still do not support this (simply because it makes little sense there, as the event loop is already exiting when they are dispatched). * A new per-unit setting RootImageOptions= has been added which allows tweaking the mount options for any file system mounted as effect of the RootImage= setting. * Another new per-unit setting MountImages= has been added, that allows mounting additional disk images into the file system tree accessible to the service. * Timer units gained a new FixedRandomDelay= boolean setting. If enabled, the random delay configured with RandomizedDelaySec= is selected in a way that is stable on a given system (though still different for different units). * Socket units gained a new setting Timestamping= that takes "us", "ns" or "off". This controls the SO_TIMESTAMP/SO_TIMESTAMPNS socket options. * systemd-repart now generates JSON output when requested with the new --json= switch. * systemd-machined's OpenMachineShell() bus call will now pass additional policy metadata data fields to the PolicyKit authentication request. * systemd-tmpfiles gained a new -E switch, which is equivalent to --exclude-prefix=/dev --exclude-prefix=/proc --exclude=/run --exclude=/sys. It's particularly useful in combination with --root=, when operating on OS trees that do not have any of these four runtime directories mounted, as this means no files below these subtrees are created or modified, since those mount points should probably remain empty. * systemd-tmpfiles gained a new --image= switch which is like --root=, but takes a disk image instead of a directory as argument. The specified disk image is mounted inside a temporary mount namespace and the tmpfiles.d/ drop-ins stored in the image are executed and applied to the image. systemd-sysusers similarly gained a new --image= switch, that allows the sysusers.d/ drop-ins stored in the image to be applied onto the image. * Similarly, the journalctl command also gained an --image= switch, which is a quick one-step solution to look at the log data included in OS disk images. * journalctl's --output=cat option (which outputs the log content without any metadata, just the pure text messages) will now make use of terminal colors when run on a suitable terminal, similarly to the other output modes. * JSON group records now support a "description" string that may be used to add a human-readable textual description to such groups. This is supposed to match the user's GECOS field which traditionally didn't have a counterpart for group records. * The "systemd-dissect" tool that may be used to inspect OS disk images and that was previously installed to /usr/lib/systemd/ has now been moved to /usr/bin/, reflecting its updated status of an officially supported tool with a stable interface. It gained support for a new --mkdir switch which when combined with --mount has the effect of creating the directory to mount the image to if it is missing first. It also gained two new commands --copy-from and --copy-to for copying files and directories in and out of an OS image without the need to manually mount it. It also acquired support for a new option --json= to generate JSON output when inspecting an OS image. * The cgroup2 file system is now mounted with the "memory_recursiveprot" mount option, supported since kernel 5.7. This means that the MemoryLow= and MemoryMin= unit file settings now apply recursively to whole subtrees. * systemd-homed now defaults to using the btrfs file system — if available — when creating home directories in LUKS volumes. This may be changed with the DefaultFileSystemType= setting in homed.conf. It's now the default file system in various major distributions and has the major benefit for homed that it can be grown and shrunk while mounted, unlike the other contenders ext4 and xfs, which can both be grown online, but not shrunk (in fact xfs is the technically most limited option here, as it cannot be shrunk at all). * JSON user records managed by systemd-homed gained support for "recovery keys". These are basically secondary passphrases that can unlock user accounts/home directories. They are computer-generated rather than user-chosen, and typically have greater entropy. homectl's --recovery-key= option may be used to add a recovery key to a user account. The generated recovery key is displayed as a QR code, so that it can be scanned to be kept in a safe place. This feature is particularly useful in combination with systemd-homed's support for FIDO2 or PKCS#11 authentication, as a secure fallback in case the security tokens are lost. Recovery keys may be entered wherever the system asks for a password. * systemd-homed now maintains a "dirty" flag for each LUKS encrypted home directory which indicates that a home directory has not been deactivated cleanly when offline. This flag is useful to identify home directories for which the offline discard logic did not run when offlining, and where it would be a good idea to log in again to catch up. * systemctl gained a new parameter --timestamp= which may be used to change the style in which timestamps are output, i.e. whether to show them in local timezone or UTC, or whether to show µs granularity. * Alibaba's "pouch" container manager is now detected by systemd-detect-virt, ConditionVirtualization= and similar constructs. Similar, they now also recognize IBM PowerVM machine virtualization. * systemd-nspawn has been reworked to use the /run/host/incoming/ as place to use for propagating external mounts into the container. Similarly /run/host/notify is now used as the socket path for container payloads to communicate with the container manager using sd_notify(). The container manager now uses the /run/host/inaccessible/ directory to place "inaccessible" file nodes of all relevant types which may be used by the container payload as bind mount source to over-mount inodes to make them inaccessible. /run/host/container-manager will now be initialized with the same string as the $container environment variable passed to the container's PID 1. /run/host/container-uuid will be initialized with the same string as $container_uuid. This means the /run/host/ hierarchy is now the primary way to make host resources available to the container. The Container Interface documents these new files and directories: https://systemd.io/CONTAINER_INTERFACE * Support for the "ConditionNull=" unit file condition has been deprecated and undocumented for 6 years. systemd started to warn about its use 1.5 years ago. It has now been removed entirely. * sd-bus.h gained a new API call sd_bus_error_has_names(), which takes a sd_bus_error struct and a list of error names, and checks if the error matches one of these names. It's a convenience wrapper that is useful in cases where multiple errors shall be handled the same way. * A new system call filter list "@known" has been added, that contains all system calls known at the time systemd was built. * Behaviour of system call filter allow lists has changed slightly: system calls that are contained in @known will result in EPERM by default, while those not contained in it result in ENOSYS. This should improve compatibility because known system calls will thus be communicated as prohibited, while unknown (and thus newer ones) will be communicated as not implemented, which hopefully has the greatest chance of triggering the right fallback code paths in client applications. * "systemd-analyze syscall-filter" will now show two separate sections at the bottom of the output: system calls known during systemd build time but not included in any of the filter groups shown above, and system calls defined on the local kernel but known during systemd build time. * If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for systemd-nspawn all system call filter violations will be logged by the kernel (audit). This is useful for tracking down system calls invoked by container payloads that are prohibited by the container's system call filter policy. * If the $SYSTEMD_SECCOMP=0 environment variable is set for systemd-nspawn (and other programs that use seccomp) all seccomp filtering is turned off. * Two new unit file settings ProtectProc= and ProcSubset= have been added that expose the hidepid= and subset= mount options of procfs. All processes of the unit will only see processes in /proc that are are owned by the unit's user. This is an important new sandboxing option that is recommended to be set on all system services. All long-running system services that are included in systemd itself set this option now. This option is only supported on kernel 5.8 and above, since the hidepid= option supported on older kernels was not a per-mount option but actually applied to the whole PID namespace. * Socket units gained a new boolean setting FlushPending=. If enabled all pending socket data/connections are flushed whenever the socket unit enters the "listening" state, i.e. after the associated service exited. * The unit file setting NUMAMask= gained a new "all" value: when used, all existing NUMA nodes are added to the NUMA mask. * A new "credentials" logic has been added to system services. This is a simple mechanism to pass privileged data to services in a safe and secure way. It's supposed to be used to pass per-service secret data such as passwords or cryptographic keys but also associated less private information such as user names, certificates, and similar to system services. Each credential is identified by a short user-chosen name and may contain arbitrary binary data. Two new unit file settings have been added: SetCredential= and LoadCredential=. The former allows setting a credential to a literal string, the latter sets a credential to the contents of a file (or data read from a user-chosen AF_UNIX stream socket). Credentials are passed to the service via a special credentials directory, one file for each credential. The path to the credentials directory is passed in a new $CREDENTIALS_DIRECTORY environment variable. Since the credentials are passed in the file system they may be easily referenced in ExecStart= command lines too, thus no explicit support for the credentials logic in daemons is required (though ideally daemons would look for the bits they need in $CREDENTIALS_DIRECTORY themselves automatically, if set). The $CREDENTIALS_DIRECTORY is backed by unswappable memory if privileges allow it, immutable if privileges allow it, is accessible only to the service's UID, and is automatically destroyed when the service stops. * systemd-nspawn supports the same credentials logic. It can both consume credentials passed to it via the aforementioned $CREDENTIALS_DIRECTORY protocol as well as pass these credentials on to its payload. The service manager/PID 1 has been updated to match this: it can also accept credentials from the container manager that invokes it (in fact: any process that invokes it), and passes them on to its services. Thus, credentials can be propagated recursively down the tree: from a system's service manager to a systemd-nspawn service, to the service manager that runs as container payload and to the service it runs below. Credentials may also be added on the systemd-nspawn command line, using new --set-credential= and --load-credential= command line switches that match the aforementioned service settings. * systemd-repart gained new settings Format=, Encrypt=, CopyFiles= in the partition drop-ins which may be used to format/LUKS encrypt/populate any created partitions. The partitions are encrypted/formatted/populated before they are registered in the partition table, so that they appear atomically: either the partitions do not exist yet or they exist fully encrypted, formatted, and populated — there is no time window where they are "half-initialized". Thus the system is robust to abrupt shutdown: if the tool is terminated half-way during its operations on next boot it will start from the beginning. * systemd-repart's --size= operation gained a new "auto" value. If specified, and operating on a loopback file it is automatically sized to the minimal size the size constraints permit. This is useful to use "systemd-repart" as an image builder for minimally sized images. * systemd-resolved now gained a third IPC interface for requesting name resolution: besides D-Bus and local DNS to 127.0.0.53 a Varlink interface is now supported. The nss-resolve NSS module has been modified to use this new interface instead of D-Bus. Using Varlink has a major benefit over D-Bus: it works without a broker service, and thus already during earliest boot, before the dbus daemon has been started. This means name resolution via systemd-resolved now works at the same time systemd-networkd operates: from earliest boot on, including in the initrd. * systemd-resolved gained support for a new DNSStubListenerExtra= configuration file setting which may be used to specify additional IP addresses the built-in DNS stub shall listen on, in addition to the main one on 127.0.0.53:53. * Name lookups issued via systemd-resolved's D-Bus and Varlink interfaces (and thus also via glibc NSS if nss-resolve is used) will now honour a trailing dot in the hostname: if specified the search path logic is turned off. Thus "resolvectl query foo." is now equivalent to "resolvectl query --search=off foo.". * systemd-resolved gained a new D-Bus property "ResolvConfMode" that exposes how /etc/resolv.conf is currently managed: by resolved (and in which mode if so) or another subsystem. "resolvctl" will display this property in its status output. * The resolv.conf snippets systemd-resolved provides will now set "." as the search domain if no other search domain is known. This turns off the derivation of an implicit search domain by nss-dns for the hostname, when the hostname is set to an FQDN. This change is done to make nss-dns using resolv.conf provided by systemd-resolved behave more similarly to nss-resolve. * systemd-tmpfiles' file "aging" logic (i.e. the automatic clean-up of /tmp/ and /var/tmp/ based on file timestamps) now looks at the "birth" time (btime) of a file in addition to the atime, mtime, and ctime. * systemd-analyze gained a new verb "capability" that lists all known capabilities by the systemd build and by the kernel. * If a file /usr/lib/clock-epoch exists, PID 1 will read its mtime and advance the system clock to it at boot if it is noticed to be before that time. Previously, PID 1 would only advance the time to an epoch time that is set during build-time. With this new file OS builders can change this epoch timestamp on individual OS images without having to rebuild systemd. * systemd-logind will now listen to the KEY_RESTART key from the Linux input layer and reboot the system if it is pressed, similarly to how it already handles KEY_POWER, KEY_SUSPEND or KEY_SLEEP. KEY_RESTART was originally defined in the Multimedia context (to restart playback of a song or film), but is now primarily used in various embedded devices for "Reboot" buttons. Accordingly, systemd-logind will now honour it as such. This may configured in more detail via the new HandleRebootKey= and RebootKeyIgnoreInhibited=. * systemd-nspawn/systemd-machined will now reconstruct hardlinks when copying OS trees, for example in "systemd-nspawn --ephemeral", "systemd-nspawn --template=", "machinectl clone" and similar. This is useful when operating with OSTree images, which use hardlinks heavily throughout, and where such copies previously resulting in "exploding" hardlinks. * systemd-nspawn's --console= setting gained support for a new "autopipe" value, which is identical to "interactive" when invoked on a TTY, and "pipe" otherwise. * systemd-networkd's .network files gained support for explicitly configuring the multicast membership entries of bridge devices in the [BridgeMDB] section. It also gained support for the PIE queuing discipline in the [FlowQueuePIE] sections. * systemd-networkd's .netdev files may now be used to create "BareUDP" tunnels, configured in the new [BareUDP] setting. * systemd-networkd's Gateway= setting in .network files now accepts the special values "_dhcp4" and "_ipv6ra" to configure additional, locally defined, explicit routes to the gateway acquired via DHCP or IPv6 Router Advertisements. The old setting "_dhcp" is deprecated, but still accepted for backwards compatibility. * systemd-networkd's [IPv6PrefixDelegation] section and IPv6PrefixDelegation= options have been renamed as [IPv6SendRA] and IPv6SendRA= (the old names are still accepted for backwards compatibility). * systemd-networkd's .network files gained the DHCPv6PrefixDelegation= boolean setting in [Network] section. If enabled, the delegated prefix gained by another link will be configured, and an address within the prefix will be assigned. * systemd-networkd's .network files gained the Announce= boolean setting in [DHCPv6PrefixDelegation] section. When enabled, the delegated prefix will be announced through IPv6 router advertisement (IPv6 RA). The setting is enabled by default. * VXLAN tunnels may now be marked as independent of any underlying network interface via the new Independent= boolean setting. * systemctl gained support for two new verbs: "service-log-level" and "service-log-target" may be used on services that implement the generic org.freedesktop.LogControl1 D-Bus interface to dynamically adjust the log level and target. All of systemd's long-running services support this now, but ideally all system services would implement this interface to make the system more uniformly debuggable. * The SystemCallErrorNumber= unit file setting now accepts the new "kill" and "log" actions, in addition to arbitrary error number specifications as before. If "kill" the processes are killed on the event, if "log" the offending system call is audit logged. * A new SystemCallLog= unit file setting has been added that accepts a list of system calls that shall be logged about (audit). * The OS image dissection logic (as used by RootImage= in unit files or systemd-nspawn's --image= switch) has gained support for identifying and mounting explicit /usr/ partitions, which are now defined in the discoverable partition specification. This should be useful for environments where the root file system is generated/formatted/populated dynamically on first boot and combined with an immutable /usr/ tree that is supplied by the vendor. * In the final phase of shutdown, within the systemd-shutdown binary we'll now try to detach MD devices (i.e software RAID) in addition to loopback block devices and DM devices as before. This is supposed to be a safety net only, in order to increase robustness if things go wrong. Storage subsystems are expected to properly detach their storage volumes during regular shutdown already (or in case of storage backing the root file system: in the initrd hook we return to later). * If the SYSTEMD_LOG_TID environment variable is set all systemd tools will now log the thread ID in their log output. This is useful when working with heavily threaded programs. * If the SYSTEMD_RDRAND environment variable is set to "0", systemd will not use the RDRAND CPU instruction. This is useful in environments such as replay debuggers where non-deterministic behaviour is not desirable. * The autopaging logic in systemd's various tools (such as systemctl) has been updated to turn on "secure" mode in "less" (i.e. $LESSECURE=1) if execution in a "sudo" environment is detected. This disables invoking external programs from the pager, via the pipe logic. This behaviour may be overridden via the new $SYSTEMD_PAGERSECURE environment variable. * Units which have resource limits (.service, .mount, .swap, .slice, .socket, and .slice) gained new configuration settings ManagedOOMSwap=, ManagedOOMMemoryPressure=, and ManagedOOMMemoryPressureLimitPercent= that specify resource pressure limits and optional action taken by systemd-oomd. * A new service systemd-oomd has been added. It monitors resource contention for selected parts of the unit hierarchy using the PSI information reported by the kernel, and kills processes when memory or swap pressure is above configured limits. This service is only enabled by default in developer mode (see below) and should be considered a preview in this release. Behaviour details and option names are subject to change without the usual backwards-compatibility promises. * A new helper oomctl has been added to introspect systemd-oomd state. It is only enabled by default in developer mode and should be considered a preview without the usual backwards-compatibility promises. * New meson option -Dcompat-mutable-uid-boundaries= has been added. If enabled, systemd reads the system UID boundaries from /etc/login.defs at runtime, instead of using the built-in values selected during build. This is an option to improve compatibility for upgrades from old systems. It's strongly recommended not to make use of this functionality on new systems (or even enable it during build), as it makes something runtime-configurable that is mostly an implementation detail of the OS, and permits avoidable differences in deployments that create all kinds of problems in the long run. * New meson option '-Dmode=developer|release' has been added. When 'developer', additional checks and features are enabled that are relevant during upstream development, e.g. verification that semi-automatically-generated documentation has been properly updated following API changes. Those checks are considered hints for developers and are not actionable in downstream builds. In addition, extra features that are not ready for general consumption may be enabled in developer mode. It is thus recommended to set '-Dmode=release' in end-user and distro builds. * systemd-cryptsetup gained support for processing detached LUKS headers specified on the kernel command line via the header= parameter of the luks.options= kernel command line option. The same device/path syntax as for key files is supported for header files like this. * The "net_id" built-in of udev has been updated to ignore ACPI _SUN slot index data for devices that are connected through a PCI bridge where the _SUN index is associated with the bridge instead of the network device itself. Previously this would create ambiguous device naming if multiple network interfaces were connected to the same PCI bridge. Since this is a naming scheme incompatibility on systems that possess hardware like this it has been introduced as new naming scheme "v247". The previous scheme can be selected via the "net.naming_scheme=v245" kernel command line parameter. * ConditionFirstBoot= semantics have been modified to be safe towards abnormal system power-off during first boot. Specifically, the "systemd-machine-id-commit.service" service now acts as boot milestone indicating when the first boot process is sufficiently complete in order to not consider the next following boot also a first boot. If the system is reset before this unit is reached the first time, the next boot will still be considered a first boot; once it has been reached, no further boots will be considered a first boot. The "first-boot-complete.target" unit now acts as official hook point to order against this. If a service shall be run on every boot until the first boot fully succeeds it may thus be ordered before this target unit (and pull it in) and carry ConditionFirstBoot= appropriately. * bootctl's set-default and set-oneshot commands now accept the three special strings "@default", "@oneshot", "@current" in place of a boot entry id. These strings are resolved to the current default and oneshot boot loader entry, as well as the currently booted one. Thus a command "bootctl set-default @current" may be used to make the currently boot menu item the new default for all subsequent boots. * "systemctl edit" has been updated to show the original effective unit contents in commented form in the text editor. * Units in user mode are now segregated into three new slices: session.slice (units that form the core of graphical session), app.slice ("normal" user applications), and background.slice (low-priority tasks). Unless otherwise configured, user units are placed in app.slice. The plan is to add resource limits and protections for the different slices in the future. * New GPT partition types for RISCV32/64 for the root and /usr partitions, and their associated Verity partitions have been defined, and are now understood by systemd-gpt-auto-generator, and the OS image dissection logic. Contributions from: Adolfo Jayme Barrientos, afg, Alec Moskvin, Alyssa Ross, Amitanand Chikorde, Andrew Hangsleben, Anita Zhang, Ansgar Burchardt, Arian van Putten, Aurelien Jarno, Axel Rasmussen, bauen1, Beniamino Galvani, Benjamin Berg, Bjørn Mork, brainrom, Chandradeep Dey, Charles Lee, Chris Down, Christian Göttsche, Christof Efkemann, Christoph Ruegge, Clemens Gruber, Daan De Meyer, Daniele Medri, Daniel Mack, Daniel Rusek, Dan Streetman, David Tardon, Dimitri John Ledkov, Dmitry Borodaenko, Elias Probst, Elisei Roca, ErrantSpore, Etienne Doms, Fabrice Fontaine, fangxiuning, Felix Riemann, Florian Klink, Franck Bui, Frantisek Sumsal, fwSmit, George Rawlinson, germanztz, Gibeom Gwon, Glen Whitney, Gogo Gogsi, Göran Uddeborg, Grant Mathews, Hans de Goede, Hans Ulrich Niedermann, Haochen Tong, Harald Seiler, huangyong, Hubert Kario, igo95862, Ikey Doherty, Insun Pyo, Jan Chren, Jan Schlüter, Jérémy Nouhaud, Jian-Hong Pan, Joerg Behrmann, Jonathan Lebon, Jörg Thalheim, Josh Brobst, Juergen Hoetzel, Julien Humbert, Kai-Chuan Hsieh, Kairui Song, Kamil Dudka, Kir Kolyshkin, Kristijan Gjoshev, Kyle Huey, Kyle Russell, Lee Whalen, Lennart Poettering, lichangze, Luca Boccassi, Lucas Werkmeister, Luca Weiss, Marc Kleine-Budde, Marco Wang, Martin Wilck, Marti Raudsepp, masmullin2000, Máté Pozsgay, Matt Fenwick, Michael Biebl, Michael Scherer, Michal Koutný, Michal Sekletár, Michal Suchanek, Mikael Szreder, Milo Casagrande, mirabilos, Mitsuha_QuQ, mog422, Muhammet Kara, Nazar Vinnichuk, Nicholas Narsing, Nicolas Fella, Njibhu, nl6720, Oğuz Ersen, Olivier Le Moal, Ondrej Kozina, onlybugreports, Pass Automated Testing Suite, Pat Coulthard, Pavel Sapezhko, Pedro Ruiz, perry_yuan, Peter Hutterer, Phaedrus Leeds, PhoenixDiscord, Piotr Drąg, Plan C, Purushottam choudhary, Rasmus Villemoes, Renaud Métrich, Robert Marko, Roman Beranek, Ronan Pigott, Roy Chen (陳彥廷), RussianNeuroMancer, Samanta Navarro, Samuel BF, scootergrisen, Sorin Ionescu, Steve Dodd, Susant Sahani, Timo Rothenpieler, Tobias Hunger, Tobias Kaufmann, Topi Miettinen, vanou, Vito Caputo, Weblate, Wen Yang, Whired Planck, williamvds, Yu, Li-Yu, Yuri Chornoivan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Zmicer Turok, Дамјан Георгиевски – Warsaw, 2020-11-26 CHANGES WITH 246: * The service manager gained basic support for cgroup v2 freezer. Units can now be suspended or resumed either using new systemctl verbs, freeze and thaw respectively, or via D-Bus. * PID 1 may now automatically load pre-compiled AppArmor policies from /etc/apparmor/earlypolicy during early boot. * The CPUAffinity= setting in service unit files now supports a new special value "numa" that causes the CPU affinity masked to be set based on the NUMA mask. * systemd will now log about all left-over processes remaining in a unit when the unit is stopped. It will now warn about services using KillMode=none, as this is generally an unsafe thing to make use of. * Two new unit file settings ConditionPathIsEncrypted=/AssertPathIsEncrypted= have been added. They may be used to check whether a specific file system path resides on a block device that is encrypted on the block level (i.e. using dm-crypt/LUKS). * Another pair of new settings ConditionEnvironment=/AssertEnvironment= has been added that may be used for simple environment checks. This is particularly useful when passing in environment variables from a container manager (or from PAM in case of the systemd --user instance). * .service unit files now accept a new setting CoredumpFilter= which allows configuration of the memory sections coredumps of the service's processes shall include. * .mount units gained a new ReadWriteOnly= boolean option. If set it will not be attempted to mount a file system read-only if mounting in read-write mode doesn't succeed. An option x-systemd.rw-only is available in /etc/fstab to control the same. * .socket units gained a new boolean setting PassPacketInfo=. If enabled, the kernel will attach additional per-packet metadata to all packets read from the socket, as an ancillary message. This controls the IP_PKTINFO, IPV6_RECVPKTINFO, NETLINK_PKTINFO socket options, depending on socket type. * .service units gained a new setting RootHash= which may be used to specify the root hash for verity enabled disk images which are specified in RootImage=. RootVerity= may be used to specify a path to the Verity data matching a RootImage= file system. (The latter is only useful for images that do not contain the Verity data embedded into the same image that carries a GPT partition table following the Discoverable Partition Specification). Similarly, systemd-nspawn gained a new switch --verity-data= that takes a path to a file with the verity data of the disk image supplied in --image=, if the image doesn't contain the verity data itself. * .service units gained a new setting RootHashSignature= which takes either a base64 encoded PKCS#7 signature of the root hash specified with RootHash=, or a path to a file to read the signature from. This allows validation of the root hash against public keys available in the kernel keyring, and is only supported on recent kernels (>= 5.4)/libcryptsetup (>= 2.30). A similar switch has been added to systemd-nspawn and systemd-dissect (--root-hash-sig=). Support for this mechanism has also been added to systemd-veritysetup. * .service unit files gained two new options TimeoutStartFailureMode=/TimeoutStopFailureMode= that may be used to tune behaviour if a start or stop timeout is hit, i.e. whether to terminate the service with SIGTERM, SIGABRT or SIGKILL. * Most options in systemd that accept hexadecimal values prefixed with 0x in additional to the usual decimal notation now also support octal notation when the 0o prefix is used and binary notation if the 0b prefix is used. * Various command line parameters and configuration file settings that configure key or certificate files now optionally take paths to AF_UNIX sockets in the file system. If configured that way a stream connection is made to the socket and the required data read from it. This is a simple and natural extension to the existing regular file logic, and permits other software to provide keys or certificates via simple IPC services, for example when unencrypted storage on disk is not desired. Specifically, systemd-networkd's Wireguard and MACSEC key file settings as well as systemd-journal-gatewayd's and systemd-journal-remote's PEM key/certificate parameters support this now. * Unit files, tmpfiles.d/ snippets, sysusers.d/ snippets and other configuration files that support specifier expansion learnt six new specifiers: %a resolves to the current architecture, %o/%w/%B/%W resolve to the various ID fields from /etc/os-release, %l resolves to the "short" hostname of the system, i.e. the hostname configured in the kernel truncated at the first dot. * Support for the .include syntax in unit files has been removed. The concept has been obsolete for 6 years and we started warning about its pending removal 2 years ago (also see NEWS file below). It's finally gone now. * StandardError= and StandardOutput= in unit files no longer support the "syslog" and "syslog-console" switches. They were long removed from the documentation, but will now result in warnings when used, and be converted to "journal" and "journal+console" automatically. * If the service setting User= is set to the "nobody" user, a warning message is now written to the logs (but the value is nonetheless accepted). Setting User=nobody is unsafe, since the primary purpose of the "nobody" user is to own all files whose owner cannot be mapped locally. It's in particular used by the NFS subsystem and in user namespacing. By running a service under this user's UID it might get read and even write access to all these otherwise unmappable files, which is quite likely a major security problem. * tmpfs mounts automatically created by systemd (/tmp, /run, /dev/shm, and others) now have a size and inode limits applied (50% of RAM for /tmp and /dev/shm, 10% of RAM for other mounts, etc.). Please note that the implicit kernel default is 50% too, so there is no change in the size limit for /tmp and /dev/shm. * nss-mymachines lost support for resolution of users and groups, and now only does resolution of hostnames. This functionality is now provided by nss-systemd. Thus, the 'mymachines' entry should be removed from the 'passwd:' and 'group:' lines in /etc/nsswitch.conf (and 'systemd' added if it is not already there). * A new kernel command line option systemd.hostname= has been added that allows controlling the hostname that is initialized early during boot. * A kernel command line option "udev.blockdev_read_only" has been added. If specified all hardware block devices that show up are immediately marked as read-only by udev. This option is useful for making sure that a specific boot under no circumstances modifies data on disk. Use "blockdev --setrw" to undo the effect of this, per device. * A new boolean kernel command line option systemd.swap= has been added, which may be used to turn off automatic activation of swap devices listed in /etc/fstab. * New kernel command line options systemd.condition_needs_update= and systemd.condition_first_boot= have been added, which override the result of the ConditionNeedsUpdate= and ConditionFirstBoot= conditions. * A new kernel command line option systemd.clock_usec= has been added that allows setting the system clock to the specified time in µs since Jan 1st, 1970 early during boot. This is in particular useful in order to make test cases more reliable. * The fs.suid_dumpable sysctl is set to 2 / "suidsafe". This allows systemd-coredump to save core files for suid processes. When saving the core file, systemd-coredump will use the effective uid and gid of the process that faulted. * The /sys/module/kernel/parameters/crash_kexec_post_notifiers file is now automatically set to "Y" at boot, in order to enable pstore generation for collection with systemd-pstore. * We provide a set of udev rules to enable auto-suspend on PCI and USB devices that were tested to correctly support it. Previously, this was distributed as a set of udev rules, but has now been replaced by by a set of hwdb entries (and a much shorter udev rule to take action if the device modalias matches one of the new hwdb entries). As before, entries are periodically imported from the database maintained by the ChromiumOS project. If you have a device that supports auto-suspend correctly and where it should be enabled by default, please submit a patch that adds it to the database (see /usr/lib/udev/hwdb.d/60-autosuspend.hwdb). * systemd-udevd gained the new configuration option timeout_signal= as well as a corresponding kernel command line option udev.timeout_signal=. The option can be used to configure the UNIX signal that the main daemon sends to the worker processes on timeout. Setting the signal to SIGABRT is useful for debugging. * .link files managed by systemd-udevd gained options RxFlowControl=, TxFlowControl=, AutoNegotiationFlowControl= in the [Link] section, in order to configure various flow control parameters. They also gained RxMiniBufferSize= and RxJumboBufferSize= in order to configure jumbo frame ring buffer sizes. * networkd.conf gained a new boolean setting ManageForeignRoutes=. If enabled systemd-networkd manages all routes configured by other tools. * .network files managed by systemd-networkd gained a new section [SR-IOV], in order to configure SR-IOV capable network devices. * systemd-networkd's [IPv6Prefix] section in .network files gained a new boolean setting Assign=. If enabled an address from the prefix is automatically assigned to the interface. * systemd-networkd gained a new section [DHCPv6PrefixDelegation] which controls delegated prefixes assigned by DHCPv6 client. The section has three settings: SubnetID=, Assign=, and Token=. The setting SubnetID= allows explicit configuration of the preferred subnet that systemd-networkd's Prefix Delegation logic assigns to interfaces. If Assign= is enabled (which is the default) an address from any acquired delegated prefix is automatically chosen and assigned to the interface. The setting Token= specifies an optional address generation mode for Assign=. * systemd-networkd's [Network] section gained a new setting IPv4AcceptLocal=. If enabled the interface accepts packets with local source addresses. * systemd-networkd gained support for configuring the HTB queuing discipline in the [HierarchyTokenBucket] and [HierarchyTokenBucketClass] sections. Similar the "pfifo" qdisc may be configured in the [PFIFO] section, "GRED" in [GenericRandomEarlyDetection], "SFB" in [StochasticFairBlue], "cake" in [CAKE], "PIE" in [PIE], "DRR" in [DeficitRoundRobinScheduler] and [DeficitRoundRobinSchedulerClass], "BFIFO" in [BFIFO], "PFIFOHeadDrop" in [PFIFOHeadDrop], "PFIFOFast" in [PFIFOFast], "HHF" in [HeavyHitterFilter], "ETS" in [EnhancedTransmissionSelection] and "QFQ" in [QuickFairQueueing] and [QuickFairQueueingClass]. * systemd-networkd gained support for a new Termination= setting in the [CAN] section for configuring the termination resistor. It also gained a new ListenOnly= setting for controlling whether to only listen on CAN interfaces, without interfering with traffic otherwise (which is useful for debugging/monitoring CAN network traffic). DataBitRate=, DataSamplePoint=, FDMode=, FDNonISO= have been added to configure various CAN-FD aspects. * systemd-networkd's [DHCPv6] section gained a new option WithoutRA=. When enabled, DHCPv6 will be attempted right-away without requiring an Router Advertisement packet suggesting it first (i.e. without the 'M' or 'O' flags set). The [IPv6AcceptRA] section gained a boolean option DHCPv6Client= that may be used to turn off the DHCPv6 client even if the RA packets suggest it. * systemd-networkd's [DHCPv4] section gained a new setting UseGateway= which may be used to turn off use of the gateway information provided by the DHCP lease. A new FallbackLeaseLifetimeSec= setting may be used to configure how to process leases that lack a lifetime option. * systemd-networkd's [DHCPv4] and [DHCPServer] sections gained a new setting SendVendorOption= allowing configuration of additional vendor options to send in the DHCP requests/responses. The [DHCPv6] section gained a new SendOption= setting for sending arbitrary DHCP options. RequestOptions= has been added to request arbitrary options from the server. UserClass= has been added to set the DHCP user class field. * systemd-networkd's [DHCPServer] section gained a new set of options EmitPOP3=/POP3=, EmitSMTP=/SMTP=, EmitLPR=/LPR= for including server information about these three protocols in the DHCP lease. It also gained support for including "MUD" URLs ("Manufacturer Usage Description"). Support for "MUD" URLs was also added to the LLDP stack, configurable in the [LLDP] section in .network files. * The Mode= settings in [MACVLAN] and [MACVTAP] now support 'source' mode. Also, the sections now support a new setting SourceMACAddress=. * systemd-networkd's .netdev files now support a new setting VLANProtocol= in the [Bridge] section that allows configuration of the VLAN protocol to use. * systemd-networkd supports a new Group= setting in the [Link] section of the .network files, to control the link group. * systemd-networkd's [Network] section gained a new IPv6LinkLocalAddressGenerationMode= setting, which specifies how IPv6 link local address is generated. * A new default .network file is now shipped that matches TUN/TAP devices that begin with "vt-" in their name. Such interfaces will have IP routing onto the host links set up automatically. This is supposed to be used by VM managers to trivially acquire a network interface which is fully set up for host communication, simply by carefully picking an interface name to use. * systemd-networkd's [DHCPv6] section gained a new setting RouteMetric= which sets the route priority for routes specified by the DHCP server. * systemd-networkd's [DHCPv6] section gained a new setting VendorClass= which configures the vendor class information sent to DHCP server. * The BlackList= settings in .network files' [DHCPv4] and [IPv6AcceptRA] sections have been renamed DenyList=. The old names are still understood to provide compatibility. * networkctl gained the new "forcerenew" command for forcing all DHCP server clients to renew their lease. The interface "status" output will now show numerous additional fields of information about an interface. There are new "up" and "down" commands to bring specific interfaces up or down. * systemd-resolved's DNS= configuration option now optionally accepts a port number (after ":") and a host name (after "#"). When the host name is specified, the DNS-over-TLS certificate is validated to match the specified hostname. Additionally, in case of IPv6 addresses, an interface may be specified (after "%"). * systemd-resolved may be configured to forward single-label DNS names. This is not standard-conformant, but may make sense in setups where public DNS servers are not used. * systemd-resolved's DNS-over-TLS support gained SNI validation. * systemd-nspawn's --resolv-conf= switch gained a number of new supported values. Specifically, options starting with "replace-" are like those prefixed "copy-" but replace any existing resolv.conf file. And options ending in "-uplink" and "-stub" can now be used to propagate other flavours of resolv.conf into the container (as defined by systemd-resolved). * The various programs included in systemd can now optionally output their log messages on stderr prefixed with a timestamp, controlled by the $SYSTEMD_LOG_TIME environment variable. * systemctl gained a new "-P" switch that is a shortcut for "--value --property=…". * "systemctl list-units" and "systemctl list-machines" no longer hide their first output column with --no-legend. To hide the first column, use --plain. * "systemctl reboot" takes the option "--reboot-argument=". The optional positional argument to "systemctl reboot" is now being deprecated in favor of this option. * systemd-run gained a new switch --slice-inherit. If specified the unit it generates is placed in the same slice as the systemd-run process itself. * systemd-journald gained support for zstd compression of large fields in journal files. The hash tables in journal files have been hardened against hash collisions. This is an incompatible change and means that journal files created with new systemd versions are not readable with old versions. If the $SYSTEMD_JOURNAL_KEYED_HASH boolean environment variable for systemd-journald.service is set to 0 this new hardening functionality may be turned off, so that generated journal files remain compatible with older journalctl implementations. * journalctl will now include a clickable link in the default output for each log message for which a URL with further documentation is known. This is only supported on terminal emulators that support clickable hyperlinks, and is turned off if a pager is used (since "less" still doesn't support hyperlinks, unfortunately). Documentation URLs may be included in log messages either by including a DOCUMENTATION= journal field in it, or by associating a journal message catalog entry with the log message's MESSAGE_ID, which then carries a "Documentation:" tag. * journald.conf gained a new boolean setting Audit= that may be used to control whether systemd-journald will enable audit during initialization. * when systemd-journald's log stream is broken up into multiple lines because the PID of the sender changed this is indicated in the generated log records via the _LINE_BREAK=pid-change field. * journalctl's "-o cat" output mode will now show one or more journal fields specified with --output-fields= instead of unconditionally MESSAGE=. This is useful to retrieve a very specific set of fields without any decoration. * The sd-journal.h API gained two new functions: sd_journal_enumerate_available_unique() and sd_journal_enumerate_available_data() that operate like their counterparts that lack the _available_ in the name, but skip items that cannot be read and processed by the local implementation (i.e. are compressed in an unsupported format or such), * coredumpctl gained a new --file= switch, matching the same one in journalctl: a specific journal file may be specified to read the coredump data from. * coredumps collected by systemd-coredump may now be compressed using the zstd algorithm. * systemd-binfmt gained a new switch --unregister for unregistering all registered entries at once. This is now invoked automatically at shutdown, so that binary formats registered with the "F" flag will not block clean file system unmounting. * systemd-notify's --pid= switch gained new values: "parent", "self", "auto" for controlling which PID to send to the service manager: the systemd-notify process' PID, or the one of the process invoking it. * systemd-logind's Session bus object learnt a new method call SetType() for temporarily updating the session type of an already allocated session. This is useful for upgrading tty sessions to graphical ones once a compositor is invoked. * systemd-socket-proxy gained a new switch --exit-idle-time= for configuring an exit-on-idle time. * systemd-repart's --empty= setting gained a new value "create". If specified a new empty regular disk image file is created under the specified name. Its size may be specified with the new --size= option. The latter is also supported without the "create" mode, in order to grow existing disk image files to the specified size. These two new options are useful when creating or manipulating disk images instead of operating on actual block devices. * systemd-repart drop-ins now support a new UUID= setting to control the UUID to assign to a newly created partition. * systemd-repart's SizeMin= per-partition parameter now defaults to 10M instead of 0. * systemd-repart's Label= setting now support the usual, simple specifier expansion. * systemd-homed's LUKS backend gained the ability to discard empty file system blocks automatically when the user logs out. This is enabled by default to ensure that home directories take minimal space when logged out but get full size guarantees when logged in. This may be controlled with the new --luks-offline-discard= switch to homectl. * If systemd-homed detects that /home/ is encrypted as a whole it will now default to the directory or subvolume backends instead of the LUKS backend, in order to avoid double encryption. The default storage and file system may now be configured explicitly, too, via the new /etc/systemd/homed.conf configuration file. * systemd-homed now supports unlocking home directories with FIDO2 security tokens that support the 'hmac-secret' extension, in addition to the existing support for PKCS#11 security token unlocking support. Note that many recent hardware security tokens support both interfaces. The FIDO2 support is accessible via homectl's --fido2-device= option. * homectl's --pkcs11-uri= setting now accepts two special parameters: if "auto" is specified and only one suitable PKCS#11 security token is plugged in, its URL is automatically determined and enrolled for unlocking the home directory. If "list" is specified a brief table of suitable PKCS#11 security tokens is shown. Similar, the new --fido2-device= option also supports these two special values, for automatically selecting and listing suitable FIDO2 devices. * The /etc/crypttab tmp option now optionally takes an argument selecting the file system to use. Moreover, the default is now changed from ext2 to ext4. * There's a new /etc/crypttab option "keyfile-erase". If specified the key file listed in the same line is removed after use, regardless if volume activation was successful or not. This is useful if the key file is only acquired transiently at runtime and shall be erased before the system continues to boot. * There's also a new /etc/crypttab option "try-empty-password". If specified, before asking the user for a password it is attempted to unlock the volume with an empty password. This is useful for installing encrypted images whose password shall be set on first boot instead of at installation time. * systemd-cryptsetup will now attempt to load the keys to unlock volumes with automatically from files in /etc/cryptsetup-keys.d/.key and /run/cryptsetup-keys.d/.key, if any of these files exist. * systemd-cryptsetup may now activate Microsoft BitLocker volumes via /etc/crypttab, during boot. * logind.conf gained a new RuntimeDirectoryInodesMax= setting to control the inode limit for the per-user $XDG_RUNTIME_DIR tmpfs instance. * A new generator systemd-xdg-autostart-generator has been added. It generates systemd unit files from XDG autostart .desktop files, and may be used to let the systemd user instance manage services that are started automatically as part of the desktop session. * "bootctl" gained a new verb "reboot-to-firmware" that may be used to query and change the firmware's 'Reboot Into Firmware Interface' setup flag. * systemd-firstboot gained a new switch --kernel-command-line= that may be used to initialize the /etc/kernel/cmdline file of the image. It also gained a new switch --root-password-hashed= which is like --root-password= but accepts a pre-hashed UNIX password as argument. The new option --delete-root-password may be used to unset any password for the root user (dangerous!). The --root-shell= switch may be used to control the shell to use for the root account. A new --force option may be used to override any already set settings with the parameters specified on the command line (by default, the tool will not override what has already been set before, i.e. is purely incremental). * systemd-firstboot gained support for a new --image= switch, which is similar to --root= but accepts the path to a disk image file, on which it then operates. * A new sd-path.h API has been added to libsystemd. It provides a simple API for retrieving various search paths and primary directories for various resources. * A new call sd_notify_barrier() has been added to the sd-daemon.h API. The call will block until all previously sent sd_notify() messages have been processed by the service manager. This is useful to remove races caused by a process already having disappeared at the time a notification message is processed by the service manager, making correct attribution impossible. The systemd-notify tool will now make use of this call implicitly, but this can be turned off again via the new --no-block switch. * When sending a file descriptor (fd) to the service manager to keep track of, using the sd_notify() mechanism, a new parameter FDPOLL=0 may be specified. If passed the service manager will refrain from poll()ing on the file descriptor. Traditionally (and when the parameter is not specified), the service manager will poll it for POLLHUP or POLLERR events, and immediately close the fds in that case. * The service manager (PID1) gained a new D-Bus method call SetShowStatus() which may be used to control whether it shall show boot-time status output on the console. This method has a similar effect to sending SIGRTMIN+20/SIGRTMIN+21 to PID 1. * The sd-bus API gained a number of convenience functions that take va_list arguments rather than "...". For example, there's now sd_bus_call_methodv() to match sd_bus_call_method(). Those calls make it easier to build wrappers that accept variadic arguments and want to pass a ready va_list structure to sd-bus. * sd-bus vtable entries can have a new SD_BUS_VTABLE_ABSOLUTE_OFFSET flag which alters how the userdata pointer to pass to the callbacks is determined. When the flag is set, the offset field is converted as-is into a pointer, without adding it to the object pointer the vtable is associated with. * sd-bus now exposes four new functions: sd_bus_interface_name_is_valid() + sd_bus_service_name_is_valid() + sd_bus_member_name_is_valid() + sd_bus_object_path_is_valid() will validate strings to check if they qualify as various D-Bus concepts. * The sd-bus API gained the SD_BUS_METHOD_WITH_ARGS(), SD_BUS_METHOD_WITH_ARGS_OFFSET() and SD_BUS_SIGNAL_WITH_ARGS() macros that simplify adding argument names to D-Bus methods and signals. * The man pages for the sd-bus and sd-hwdb APIs have been completed. * Various D-Bus APIs of systemd daemons now have man pages that document the methods, signals and properties. * The expectations on user/group name syntax are now documented in detail; documentation on how classic home directories may be converted into home directories managed by homed has been added; documentation regarding integration of homed/userdb functionality in desktops has been added: https://systemd.io/USER_NAMES https://systemd.io/CONVERTING_TO_HOMED https://systemd.io/USERDB_AND_DESKTOPS * Documentation for the on-disk Journal file format has been updated and has now moved to: https://systemd.io/JOURNAL_FILE_FORMAT * The interface for containers (https://systemd.io/CONTAINER_INTERFACE) has been extended by a set of environment variables that expose select fields from the host's os-release file to the container payload. Similarly, host's os-release files can be mounted into the container underneath /run/host. Together, those mechanisms provide a standardized way to expose information about the host to the container payload. Both interfaces are implemented in systemd-nspawn. * All D-Bus services shipped in systemd now implement the generic LogControl1 D-Bus API which allows clients to change log level + target of the service during runtime. * Only relevant for developers: the mkosi.default symlink has been dropped from version control. Please create a symlink to one of the distribution-specific defaults in .mkosi/ based on your preference. Contributions from: 24bisquitz, Adam Nielsen, Alan Perry, Alexander Malafeev, Amitanand.Chikorde, Alin Popa, Alvin Šipraga, Amos Bird, Andreas Rammhold, AndreRH, Andrew Doran, Anita Zhang, Ankit Jain, antznin, Arnaud Ferraris, Arthur Moraes do Lago, Arusekk, Balaji Punnuru, Balint Reczey, Bastien Nocera, bemarek, Benjamin Berg, Benjamin Dahlhoff, Benjamin Robin, Chris Down, Chris Kerr, Christian Göttsche, Christian Hesse, Christian Oder, Ciprian Hacman, Clinton Roy, codicodi, Corey Hinshaw, Daan De Meyer, Dana Olson, Dan Callaghan, Daniel Fullmer, Daniel Rusek, Dan Streetman, Dave Reisner, David Edmundson, David Wood, Denis Pronin, Diego Escalante Urrelo, Dimitri John Ledkov, dolphrundgren, duguxy, Einsler Lee, Elisei Roca, Emmanuel Garette, Eric Anderson, Eric DeVolder, Evgeny Vereshchagin, ExtinctFire, fangxiuning, Ferran Pallarès Roca, Filipe Brandenburger, Filippo Falezza, Finn, Florian Klink, Florian Mayer, Franck Bui, Frantisek Sumsal, gaurav, Georg Müller, Gergely Polonkai, Giedrius Statkevičius, Gigadoc2, gogogogi, Gaurav Singh, gzjsgdsb, Hans de Goede, Haochen Tong, ianhi, ignapk, Jakov Smolic, James T. Lee, Jan Janssen, Jan Klötzke, Jan Palus, Jay Burger, Jeremy Cline, Jérémy Rosen, Jian-Hong Pan, Jiri Slaby, Joel Shapiro, Joerg Behrmann, Jörg Thalheim, Jouke Witteveen, Kai-Heng Feng, Kenny Levinsen, Kevin Kuehler, Kumar Kartikeya Dwivedi, layderv, laydervus, Lénaïc Huard, Lennart Poettering, Lidong Zhong, Luca Boccassi, Luca BRUNO, Lucas Werkmeister, Lukas Klingsbo, Lukáš Nykrýn, Łukasz Stelmach, Maciej S. Szmigiero, MadMcCrow, Marc-André Lureau, Marcel Holtmann, Marc Kleine-Budde, Martin Hundebøll, Matthew Leeds, Matt Ranostay, Maxim Fomin, MaxVerevkin, Michael Biebl, Michael Chapman, Michael Gubbels, Michael Marley, Michał Bartoszkiewicz, Michal Koutný, Michal Sekletár, Mike Gilbert, Mike Kazantsev, Mikhail Novosyolov, ml, Motiejus Jakštys, nabijaczleweli, nerdopolis, Niccolò Maggioni, Niklas Hambüchen, Norbert Lange, Paul Cercueil, pelzvieh, Peter Hutterer, Piero La Terza, Pieter Lexis, Piotr Drąg, Rafael Fontenelle, Richard Petri, Ronan Pigott, Ross Lagerwall, Rubens Figueiredo, satmandu, Sean-StarLabs, Sebastian Jennen, sterlinghughes, Surhud More, Susant Sahani, szb512, Thomas Haller, Tobias Hunger, Tom, Tomáš Pospíšek, Tomer Shechner, Tom Hughes, Topi Miettinen, Tudor Roman, Uwe Kleine-König, Valery0xff, Vito Caputo, Vladimir Panteleev, Vladyslav Tronko, Wen Yang, Yegor Vialov, Yigal Korman, Yi Gao, YmrDtnJu, Yuri Chornoivan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Zhu Li, Дамјан Георгиевски, наб – Warsaw, 2020-07-30 CHANGES WITH 245: * A new tool "systemd-repart" has been added, that operates as an idempotent declarative repartitioner for GPT partition tables. Specifically, a set of partitions that must or may exist can be configured via drop-in files, and during every boot the partition table on disk is compared with these files, creating missing partitions or growing existing ones based on configurable relative and absolute size constraints. The tool is strictly incremental, i.e. does not delete, shrink or move partitions, but only adds and grows them. The primary use-case is OS images that ship in minimized form, that on first boot are grown to the size of the underlying block device or augmented with additional partitions. For example, the root partition could be extended to cover the whole disk, or a swap or /home partitions could be added on first boot. It can also be used for systems that use an A/B update scheme but ship images with just the A partition, with B added on first boot. The tool is primarily intended to be run in the initrd, shortly before transitioning into the host OS, but can also be run after the transition took place. It automatically discovers the disk backing the root file system, and should hence not require any additional configuration besides the partition definition drop-ins. If no configuration drop-ins are present, no action is taken. * A new component "userdb" has been added, along with a small daemon "systemd-userdbd.service" and a client tool "userdbctl". The framework allows defining rich user and group records in a JSON format, extending on the classic "struct passwd" and "struct group" structures. Various components in systemd have been updated to process records in this format, including systemd-logind and pam-systemd. The user records are intended to be extensible, and allow setting various resource management, security and runtime parameters that shall be applied to processes and sessions of the user as they log in. This facility is intended to allow associating such metadata directly with user/group records so that they can be produced, extended and consumed in unified form. We hope that eventually frameworks such as sssd will generate records this way, so that for the first time resource management and various other per-user settings can be configured in LDAP directories and then provided to systemd (specifically to systemd-logind and pam-system) to apply on login. For further details see: https://systemd.io/USER_RECORD https://systemd.io/GROUP_RECORD https://systemd.io/USER_GROUP_API * A small new service systemd-homed.service has been added, that may be used to securely manage home directories with built-in encryption. The complete user record data is unified with the home directory, thus making home directories naturally migratable. Its primary back-end is based on LUKS volumes, but fscrypt, plain directories, and other storage schemes are also supported. This solves a couple of problems we saw with traditional ways to manage home directories, in particular when it comes to encryption. For further discussion of this, see the video of Lennart's talk at AllSystemsGo! 2019: https://media.ccc.de/v/ASG2019-164-reinventing-home-directories For further details about the format and expectations on home directories this new daemon makes, see: https://systemd.io/HOME_DIRECTORY * systemd-journald is now multi-instantiable. In addition to the main instance systemd-journald.service there's now a template unit systemd-journald@.service, with each instance defining a new named log 'namespace' (whose name is specified via the instance part of the unit name). A new unit file setting LogNamespace= has been added, taking such a namespace name, that assigns services to the specified log namespaces. As each log namespace is serviced by its own independent journal daemon, this functionality may be used to improve performance and increase isolation of applications, at the price of losing global message ordering. Each instance of journald has a separate set of configuration files, with possibly different disk usage limitations and other settings. journalctl now takes a new option --namespace= to show logs from a specific log namespace. The sd-journal.h API gained sd_journal_open_namespace() for opening the log stream of a specific log namespace. systemd-journald also gained the ability to exit on idle, which is useful in the context of log namespaces, as this means log daemons for log namespaces can be activated automatically on demand and will stop automatically when no longer used, minimizing resource usage. * When systemd-tmpfiles copies a file tree using the 'C' line type it will now label every copied file according to the SELinux database. * When systemd/PID 1 detects it is used in the initrd it will now boot into initrd.target rather than default.target by default. This should make it simpler to build initrds with systemd as for many cases the only difference between a host OS image and an initrd image now is the presence of the /etc/initrd-release file. * A new kernel command line option systemd.cpu_affinity= is now understood. It's equivalent to the CPUAffinity= option in /etc/systemd/system.conf and allows setting the CPU mask for PID 1 itself and the default for all other processes. * When systemd/PID 1 is reloaded (with systemctl daemon-reload or equivalent), the SELinux database is now reloaded, ensuring that sockets and other file system objects are generated taking the new database into account. * systemd/PID 1 accepts a new "systemd.show-status=error" setting, and "quiet" has been changed to imply that instead of "systemd.show-status=auto". In this mode, only messages about errors and significant delays in boot are shown on the console. * The sd-event.h API gained native support for the new Linux "pidfd" concept. This permits watching processes using file descriptors instead of PID numbers, which fixes a number of races and makes process supervision more robust and efficient. All of systemd's components will now use pidfds if the kernel supports it for process watching, with the exception of PID 1 itself, unfortunately. We hope to move PID 1 to exclusively using pidfds too eventually, but this requires some more kernel work first. (Background: PID 1 watches processes using waitid() with the P_ALL flag, and that does not play together nicely with pidfds yet.) * Closely related to this, the sd-event.h API gained two new calls sd_event_source_send_child_signal() (for sending a signal to a watched process) and sd_event_source_get_child_process_own() (for marking a process so that it is killed automatically whenever the event source watching it is freed). * systemd-networkd gained support for configuring Token Bucket Filter (TBF) parameters in its qdisc configuration support. Similarly, support for Stochastic Fairness Queuing (SFQ), Controlled-Delay Active Queue Management (CoDel), and Fair Queue (FQ) has been added. * systemd-networkd gained support for Intermediate Functional Block (IFB) network devices. * systemd-networkd gained support for configuring multi-path IP routes, using the new MultiPathRoute= setting in the [Route] section. * systemd-networkd's DHCPv4 client has been updated to support a new SendDecline= option. If enabled, duplicate address detection is done after a DHCP offer is received from the server. If a conflict is detected, the address is declined. The DHCPv4 client also gained support for a new RouteMTUBytes= setting that allows to configure the MTU size to be used for routes generated from DHCPv4 leases. * The PrefixRoute= setting in systemd-networkd's [Address] section of .network files has been deprecated, and replaced by AddPrefixRoute=, with its sense inverted. * The Gateway= setting of [Route] sections of .network files gained support for a special new value "_dhcp". If set, the configured static route uses the gateway host configured via DHCP. * New User= and SuppressPrefixLength= settings have been implemented for the [RoutingPolicyRule] section of .network files to configure source routing based on UID ranges and prefix length, respectively. * The Type= match property of .link files has been generalized to always match the device type shown by 'networkctl status', even for devices where udev does not set DEVTYPE=. This allows e.g. Type=ether to be used. * sd-bus gained a new API call sd_bus_message_sensitive() that marks a D-Bus message object as "sensitive". Those objects are erased from memory when they are freed. This concept is intended to be used for messages that contain security sensitive data. A new flag SD_BUS_VTABLE_SENSITIVE has been introduced as well to mark methods in sd-bus vtables, causing any incoming and outgoing messages of those methods to be implicitly marked as "sensitive". * sd-bus gained a new API call sd_bus_message_dump() for dumping the contents of a message (or parts thereof) to standard output for debugging purposes. * systemd-sysusers gained support for creating users with the primary group named differently than the user. * systemd-growfs (i.e. the x-systemd.growfs mount option in /etc/fstab) gained support for growing XFS partitions. Previously it supported only ext4 and btrfs partitions. * The support for /etc/crypttab gained a new x-initrd.attach option. If set, the specified encrypted volume is unlocked already in the initrd. This concept corresponds to the x-initrd.mount option in /etc/fstab. * systemd-cryptsetup gained native support for unlocking encrypted volumes utilizing PKCS#11 smartcards, i.e. for example to bind encryption of volumes to YubiKeys. This is exposed in the new pkcs11-uri= option in /etc/crypttab. * The /etc/fstab support in systemd now supports two new mount options x-systemd.{required,wanted}-by=, for explicitly configuring the units that the specified mount shall be pulled in by, in place of the usual local-fs.target/remote-fs.target. * The https://systemd.io/ web site has been relaunched, directly populated with most of the documentation included in the systemd repository. systemd also acquired a new logo, thanks to Tobias Bernard. * systemd-udevd gained support for managing "alternative" network interface names, as supported by new Linux kernels. For the first time this permits assigning multiple (and longer!) names to a network interface. systemd-udevd will now by default assign the names generated via all supported naming schemes to each interface. This may be further tweaked with .link files and the AlternativeName= and AlternativeNamesPolicy= settings. Other components of systemd have been updated to support the new alternative names wherever appropriate. For example, systemd-nspawn will now generate alternative interface names for the host-facing side of container veth links based on the full container name without truncation. * systemd-nspawn interface naming logic has been updated in another way too: if the main interface name (i.e. as opposed to new-style "alternative" names) based on the container name is truncated, a simple hashing scheme is used to give different interface names to multiple containers whose names all begin with the same prefix. Since this changes the primary interface names pointing to containers if truncation happens, the old scheme may still be requested by selecting an older naming scheme, via the net.naming_scheme= kernel command line option. * PrivateUsers= in service files now works in services run by the systemd --user per-user instance of the service manager. * A new per-service sandboxing option ProtectClock= has been added that locks down write access to the system clock. It takes away device node access to /dev/rtc as well as the system calls that set the system clock and the CAP_SYS_TIME and CAP_WAKE_ALARM capabilities. Note that this option does not affect access to auxiliary services that allow changing the clock, for example access to systemd-timedated. * The systemd-id128 tool gained a new "show" verb for listing or resolving a number of well-known UUIDs/128-bit IDs, currently mostly GPT partition table types. * The Discoverable Partitions Specification has been updated to support /var and /var/tmp partition discovery. Support for this has been added to systemd-gpt-auto-generator. For details see: https://systemd.io/DISCOVERABLE_PARTITIONS * "systemctl list-unit-files" has been updated to show a new column with the suggested enablement state based on the vendor preset files for the respective units. * "systemctl" gained a new option "--with-dependencies". If specified commands such as "systemctl status" or "systemctl cat" will now show all specified units along with all units they depend on. * networkctl gained support for showing per-interface logs in its "status" output. * systemd-networkd-wait-online gained support for specifying the maximum operational state to wait for, and to wait for interfaces to disappear. * The [Match] section of .link and .network files now supports a new option PermanentMACAddress= which may be used to check against the permanent MAC address of a network device even if a randomized MAC address is used. * The [TrafficControlQueueingDiscipline] section in .network files has been renamed to [NetworkEmulator] with the "NetworkEmulator" prefix dropped from the individual setting names. * Any .link and .network files that have an empty [Match] section (this also includes empty and commented-out files) will now be rejected. systemd-udev and systemd-networkd started warning about such files in version 243. * systemd-logind will now validate access to the operation of changing the virtual terminal via a polkit action. By default, only users with at least one session on a local VT are granted permission. * When systemd sets up PAM sessions that invoked service processes shall run in, the pam_setcred() API is now invoked, thus permitting PAM modules to set additional credentials for the processes. * portablectl attach/detach verbs now accept --now and --enable options to combine attachment with enablement and invocation, or detachment with stopping and disablement. * UPGRADE ISSUE: a bug where some jobs were trimmed as redundant was fixed, which in turn exposed bugs in unit configuration of services which have Type=oneshot and should only run once, but do not have RemainAfterExit=yes set. Without RemainAfterExit=yes, a one-shot service may be started again after exiting successfully, for example as a dependency in another transaction. Affected services included some internal systemd services (most notably systemd-vconsole-setup.service, which was updated to have RemainAfterExit=yes), and plymouth-start.service. Please ensure that plymouth has been suitably updated or patched before upgrading to this systemd release. See https://bugzilla.redhat.com/show_bug.cgi?id=1807771 for some additional discussion. Contributions from: AJ Bagwell, Alin Popa, Andreas Rammhold, Anita Zhang, Ansgar Burchardt, Antonio Russo, Arian van Putten, Ashley Davis, Balint Reczey, Bart Willems, Bastien Nocera, Benjamin Dahlhoff, Charles (Chas) Williams, cheese1, Chris Down, Chris Murphy, Christian Ehrhardt, Christian Göttsche, cvoinf, Daan De Meyer, Daniele Medri, Daniel Rusek, Daniel Shahaf, Dann Frazier, Dan Streetman, Dariusz Gadomski, David Michael, Dimitri John Ledkov, Emmanuel Bourg, Evgeny Vereshchagin, ezst036, Felipe Sateler, Filipe Brandenburger, Florian Klink, Franck Bui, Fran Dieguez, Frantisek Sumsal, Greg "GothAck" Miell, Guilhem Lettron, Guillaume Douézan-Grard, Hans de Goede, HATAYAMA Daisuke, Iain Lane, James Buren, Jan Alexander Steffens (heftig), Jérémy Rosen, Jin Park, Jun'ichi Nomura, Kai Krakow, Kevin Kuehler, Kevin P. Fleming, Lennart Poettering, Leonid Bloch, Leonid Evdokimov, lothrond, Luca Boccassi, Lukas K, Lynn Kirby, Mario Limonciello, Mark Deneen, Matthew Leeds, Michael Biebl, Michal Koutný, Michal Sekletár, Mike Auty, Mike Gilbert, mtron, nabijaczleweli, Naïm Favier, Nate Jones, Norbert Lange, Oliver Giles, Paul Davey, Paul Menzel, Peter Hutterer, Piotr Drąg, Rafa Couto, Raphael, rhn, Robert Scheck, Rocka, Romain Naour, Ryan Attard, Sascha Dewald, Shengjing Zhu, Slava Kardakov, Spencer Michaels, Sylvain Plantefeve, Stanislav Angelovič, Susant Sahani, Thomas Haller, Thomas Schmitt, Timo Schlüßler, Timo Wilken, Tobias Bernard, Tobias Klauser, Tobias Stoeckmann, Topi Miettinen, tsia, WataruMatsuoka, Wieland Hoffmann, Wilhelm Schuster, Will Fleming, xduugu, Yong Cong Sin, Yuri Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zeyu DONG – Warsaw, 2020-03-06 CHANGES WITH 244: * Support for the cpuset cgroups v2 controller has been added. Processes may be restricted to specific CPUs using the new AllowedCPUs= setting, and to specific memory NUMA nodes using the new AllowedMemoryNodes= setting. * The signal used in restart jobs (as opposed to e.g. stop jobs) may now be configured using a new RestartKillSignal= setting. This allows units which signals to request termination to implement different behaviour when stopping in preparation for a restart. * "systemctl clean" may now be used also for socket, mount, and swap units. * systemd will also read configuration options from the EFI variable SystemdOptions. This may be used to configure systemd behaviour when modifying the kernel command line is inconvenient, but configuration on disk is read too late, for example for the options related to cgroup hierarchy setup. 'bootctl systemd-efi-options' may be used to set the EFI variable. * systemd will now disable printk ratelimits in early boot. This should allow us to capture more logs from the early boot phase where normal storage is not available and the kernel ring buffer is used for logging. Configuration on the kernel command line has higher priority and overrides the systemd setting. systemd programs which log to /dev/kmsg directly use internal ratelimits to prevent runaway logging. (Normally this is only used during early boot, so in practice this change has very little effect.) * Unit files now support top level dropin directories of the form .d/ (e.g. service.d/) that may be used to add configuration that affects all corresponding unit files. * systemctl gained support for 'stop --job-mode=triggering' which will stop the specified unit and any units which could trigger it. * Unit status display now includes units triggering and triggered by the unit being shown. * The RuntimeMaxSec= setting is now supported by scopes, not just .service units. This is particularly useful for PAM sessions which create a scope unit for the user login. systemd.runtime_max_sec= setting may used with the pam_systemd module to limit the duration of the PAM session, for example for time-limited logins. * A new @pkey system call group is now defined to make it easier to allow-list memory protection syscalls for containers and services which need to use them. * systemd-udevd: removed the 30s timeout for killing stale workers on exit. systemd-udevd now waits for workers to finish. The hard-coded exit timeout of 30s was too short for some large installations, where driver initialization could be prematurely interrupted during initrd processing if the root file system had been mounted and init was preparing to switch root. If udevd is run without systemd and workers are hanging while udevd receives an exit signal, udevd will now exit when udev.event_timeout is reached for the last hanging worker. With systemd, the exit timeout can additionally be configured using TimeoutStopSec= in systemd-udevd.service. * udev now provides a program (fido_id) that identifies FIDO CTAP1 ("U2F")/CTAP2 security tokens based on the usage declared in their report and descriptor and outputs suitable environment variables. This replaces the externally maintained allow lists of all known security tokens that were used previously. * Automatically generated autosuspend udev rules for allow-listed devices have been imported from the Chromium OS project. This should improve power saving with many more devices. * udev gained a new "CONST{key}=value" setting that allows matching against system-wide constants without forking a helper binary. Currently "arch" and "virt" keys are supported. * udev now opens CDROMs in non-exclusive mode when querying their capabilities. This should fix issues where other programs trying to use the CDROM cannot gain access to it, but carries a risk of interfering with programs writing to the disk, if they did not open the device in exclusive mode as they should. * systemd-networkd does not create a default route for IPv4 link local addressing anymore. The creation of the route was unexpected and was breaking routing in various cases, but people who rely on it being created implicitly will need to adjust. Such a route may be requested with DefaultRouteOnDevice=yes. Similarly, systemd-networkd will not assign a link-local IPv6 address when IPv6 link-local routing is not enabled. * Receive and transmit buffers may now be configured on links with the new RxBufferSize= and TxBufferSize= settings. * systemd-networkd may now advertise additional IPv6 routes. A new [IPv6RoutePrefix] section with Route= and LifetimeSec= options is now supported. * systemd-networkd may now configure "next hop" routes using the [NextHop] section and Gateway= and Id= settings. * systemd-networkd will now retain DHCP config on restarts by default (but this may be overridden using the KeepConfiguration= setting). The default for SendRelease= has been changed to true. * The DHCPv4 client now uses the OPTION_INFORMATION_REFRESH_TIME option received from the server. The client will use the received SIP server list if UseSIP=yes is set. The client may be configured to request specific options from the server using a new RequestOptions= setting. The client may be configured to send arbitrary options to the server using a new SendOption= setting. A new IPServiceType= setting has been added to configure the "IP service type" value used by the client. * The DHCPv6 client learnt a new PrefixDelegationHint= option to request prefix hints in the DHCPv6 solicitation. * The DHCPv4 server may be configured to send arbitrary options using a new SendOption= setting. * The DHCPv4 server may now be configured to emit SIP server list using the new EmitSIP= and SIP= settings. * systemd-networkd and networkctl may now renew DHCP leases on demand. networkctl has a new 'networkctl renew' verb. * systemd-networkd may now reconfigure links on demand. networkctl gained two new verbs: "reload" will reload the configuration, and "reconfigure DEVICE…" will reconfigure one or more devices. * .network files may now match on SSID and BSSID of a wireless network, i.e. the access point name and hardware address using the new SSID= and BSSID= options. networkctl will display the current SSID and BSSID for wireless links. .network files may also match on the wireless network type using the new WLANInterfaceType= option. * systemd-networkd now includes default configuration that enables link-local addressing when connected to an ad-hoc wireless network. * systemd-networkd may configure the Traffic Control queueing disciplines in the kernel using the new [TrafficControlQueueingDiscipline] section and Parent=, NetworkEmulatorDelaySec=, NetworkEmulatorDelayJitterSec=, NetworkEmulatorPacketLimit=, NetworkEmulatorLossRate=, NetworkEmulatorDuplicateRate= settings. * systemd-tmpfiles gained a new w+ setting to append to files. * systemd-analyze dump will now report when the memory configuration in the kernel does not match what systemd has configured (usually, because some external program has modified the kernel configuration on its own). * systemd-analyze gained a new --base-time= switch instructs the 'calendar' verb to resolve times relative to that timestamp instead of the present time. * journalctl --update-catalog now produces deterministic output (making reproducible image builds easier). * A new devicetree-overlay setting is now documented in the Boot Loader Specification. * The default value of the WatchdogSec= setting used in systemd services (the ones bundled with the project itself) may be set at configuration time using the -Dservice-watchdog= setting. If set to empty, the watchdogs will be disabled. * systemd-resolved validates IP addresses in certificates now when GnuTLS is being used. * libcryptsetup >= 2.0.1 is now required. * A configuration option -Duser-path= may be used to override the $PATH used by the user service manager. The default is again to use the same path as the system manager. * The systemd-id128 tool gained a new switch "-u" (or "--uuid") for outputting the 128-bit IDs in UUID format (i.e. in the "canonical representation"). * Service units gained a new sandboxing option ProtectKernelLogs= which makes sure the program cannot get direct access to the kernel log buffer anymore, i.e. the syslog() system call (not to be confused with the API of the same name in libc, which is not affected), the /proc/kmsg and /dev/kmsg nodes and the CAP_SYSLOG capability are made inaccessible to the service. It's recommended to enable this setting for all services that should not be able to read from or write to the kernel log buffer, which are probably almost all. Contributions from: Aaron Plattner, Alcaro, Anita Zhang, Balint Reczey, Bastien Nocera, Baybal Ni, Benjamin Bouvier, Benjamin Gilbert, Carlo Teubner, cbzxt, Chen Qi, Chris Down, Christian Rebischke, Claudio Zumbo, ClydeByrdIII, crashfistfight, Cyprien Laplace, Daniel Edgecumbe, Daniel Gorbea, Daniel Rusek, Daniel Stuart, Dan Streetman, David Pedersen, David Tardon, Dimitri John Ledkov, Dominique Martinet, Donald A. Cupp Jr, Evgeny Vereshchagin, Fabian Henneke, Filipe Brandenburger, Franck Bui, Frantisek Sumsal, Georg Müller, Hans de Goede, Haochen Tong, HATAYAMA Daisuke, Iwan Timmer, Jan Janssen, Jan Kundrát, Jan Synacek, Jan Tojnar, Jay Strict, Jérémy Rosen, Jóhann B. Guðmundsson, Jonas Jelten, Jonas Thelemann, Justin Trudell, J. Xing, Kai-Heng Feng, Kenneth D'souza, Kevin Becker, Kevin Kuehler, Lennart Poettering, Léonard Gérard, Lorenz Bauer, Luca Boccassi, Maciej Stanczew, Mario Limonciello, Marko Myllynen, Mark Stosberg, Martin Wilck, matthiasroos, Michael Biebl, Michael Olbrich, Michael Tretter, Michal Sekletar, Michal Sekletár, Michal Suchanek, Mike Gilbert, Mike Kazantsev, Nicolas Douma, nikolas, Norbert Lange, pan93412, Pascal de Bruijn, Paul Menzel, Pavel Hrdina, Peter Wu, Philip Withnall, Piotr Drąg, Rafael Fontenelle, Renaud Métrich, Riccardo Schirone, RoadrunnerWMC, Ronan Pigott, Ryan Attard, Sebastian Wick, Serge, Siddharth Chandrasekara, Steve Ramage, Steve Traylen, Susant Sahani, Thibault Nélis, Tim Teichmann, Tom Fitzhenry, Tommy J, Torsten Hilbrich, Vito Caputo, ypf791, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek – Warsaw, 2019-11-29 CHANGES WITH 243: * This release enables unprivileged programs (i.e. requiring neither setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests by turning on the "net.ipv4.ping_group_range" sysctl of the Linux kernel for the whole UNIX group range, i.e. all processes. This change should be reasonably safe, as the kernel support for it was specifically implemented to allow safe access to ICMP Echo for processes lacking any privileges. If this is not desirable, it can be disabled again by setting the parameter to "1 0". * Previously, filters defined with SystemCallFilter= would have the effect that any calling of an offending system call would terminate the calling thread. This behaviour never made much sense, since killing individual threads of unsuspecting processes is likely to create more problems than it solves. With this release the default action changed from killing the thread to killing the whole process. For this to work correctly both a kernel version (>= 4.14) and a libseccomp version (>= 2.4.0) supporting this new seccomp action is required. If an older kernel or libseccomp is used the old behaviour continues to be used. This change does not affect any services that have no system call filters defined, or that use SystemCallErrorNumber= (and thus see EPERM or another error instead of being killed when calling an offending system call). Note that systemd documentation always claimed that the whole process is killed. With this change behaviour is thus adjusted to match the documentation. * On 64 bit systems, the "kernel.pid_max" sysctl is now bumped to 4194304 by default, i.e. the full 22bit range the kernel allows, up from the old 16-bit range. This should improve security and robustness, as PID collisions are made less likely (though certainly still possible). There are rumours this might create compatibility problems, though at this moment no practical ones are known to us. Downstream distributions are hence advised to undo this change in their builds if they are concerned about maximum compatibility, but for everybody else we recommend leaving the value bumped. Besides improving security and robustness this should also simplify things as the maximum number of allowed concurrent tasks was previously bounded by both "kernel.pid_max" and "kernel.threads-max" and now effectively only a single knob is left ("kernel.threads-max"). There have been concerns that usability is affected by this change because larger PID numbers are harder to type, but we believe the change from 5 digits to 7 digits doesn't hamper usability. * MemoryLow= and MemoryMin= gained hierarchy-aware counterparts, DefaultMemoryLow= and DefaultMemoryMin=, which can be used to hierarchically set default memory protection values for a particular subtree of the unit hierarchy. * Memory protection directives can now take a value of zero, allowing explicit opting out of a default value propagated by an ancestor. * systemd now defaults to the "unified" cgroup hierarchy setup during build-time, i.e. -Ddefault-hierarchy=unified is now the build-time default. Previously, -Ddefault-hierarchy=hybrid was the default. This change reflects the fact that cgroupsv2 support has matured substantially in both systemd and in the kernel, and is clearly the way forward. Downstream production distributions might want to continue to use -Ddefault-hierarchy=hybrid (or even =legacy) for their builds as unfortunately the popular container managers have not caught up with the kernel API changes. * Man pages are not built by default anymore (html pages were already disabled by default), to make development builds quicker. When building systemd for a full installation with documentation, meson should be called with -Dman=true and/or -Dhtml=true as appropriate. The default was changed based on the assumption that quick one-off or repeated development builds are much more common than full optimized builds for installation, and people need to pass various other options to when doing "proper" builds anyway, so the gain from making development builds quicker is bigger than the one time disruption for packagers. Two scripts are created in the *build* directory to generate and preview man and html pages on demand, e.g.: build/man/man systemctl build/man/html systemd.index * libidn2 is used by default if both libidn2 and libidn are installed. Please use -Dlibidn=true if libidn is preferred. * The D-Bus "wire format" of the CPUAffinity= attribute is changed on big-endian machines. Before, bytes were written and read in native machine order as exposed by the native libc __cpu_mask interface. Now, little-endian order is always used (CPUs 0–7 are described by bits 0–7 in byte 0, CPUs 8–15 are described by byte 1, and so on). This change fixes D-Bus calls that cross endianness boundary. The presentation format used for CPUAffinity= by "systemctl show" and "systemd-analyze dump" is changed to present CPU indices instead of the raw __cpu_mask bitmask. For example, CPUAffinity=0-1 would be shown as CPUAffinity=03000000000000000000000000000… (on little-endian) or CPUAffinity=00000000000000300000000000000… (on 64-bit big-endian), and is now shown as CPUAffinity=0-1, matching the input format. The maximum integer that will be printed in the new format is 8191 (four digits), while the old format always used a very long number (with the length varying by architecture), so they can be unambiguously distinguished. * /usr/sbin/halt.local is no longer supported. Implementation in distributions was inconsistent and it seems this functionality was very rarely used. To replace this functionality, users should: - either define a new unit and make it a dependency of final.target (systemctl add-wants final.target my-halt-local.service) - or move the shutdown script to /usr/lib/systemd/system-shutdown/ and ensure that it accepts "halt", "poweroff", "reboot", and "kexec" as an argument, see the description in systemd-shutdown(8). * When a [Match] section in .link or .network file is empty (contains no match patterns), a warning will be emitted. Please add any "match all" pattern instead, e.g. OriginalName=* or Name=* in case all interfaces should really be matched. * A new setting NUMAPolicy= may be used to set process memory allocation policy. This setting can be specified in /etc/systemd/system.conf and hence will set the default policy for PID1. The default policy can be overridden on a per-service basis. The related setting NUMAMask= is used to specify NUMA node mask that should be associated with the selected policy. * PID 1 will now listen to Out-Of-Memory (OOM) events the kernel generates when processes it manages are reaching their memory limits, and will place their units in a special state, and optionally kill or stop the whole unit. * The service manager will now expose bus properties for the IO resources used by units. This information is also shown in "systemctl status" now (for services that have IOAccounting=yes set). Moreover, the IO accounting data is included in the resource log message generated whenever a unit stops. * Units may now configure an explicit timeout to wait for when killed with SIGABRT, for example when a service watchdog is hit. Previously, the regular TimeoutStopSec= timeout was applied in this case too — now a separate timeout may be set using TimeoutAbortSec=. * Services may now send a special WATCHDOG=trigger message with sd_notify() to trigger an immediate "watchdog missed" event, and thus trigger service termination. This is useful both for testing watchdog handling, but also for defining error paths in services, that shall be handled the same way as watchdog events. * There are two new per-unit settings IPIngressFilterPath= and IPEgressFilterPath= which allow configuration of a BPF program (usually by specifying a path to a program uploaded to /sys/fs/bpf/) to apply to the IP packet ingress/egress path of all processes of a unit. This is useful to allow running systemd services with BPF programs set up externally. * systemctl gained a new "clean" verb for removing the state, cache, runtime or logs directories of a service while it is terminated. The new verb may also be used to remove the state maintained on disk for timer units that have Persistent= configured. * During the last phase of shutdown systemd will now automatically increase the log level configured in the "kernel.printk" sysctl so that any relevant loggable events happening during late shutdown are made visible. Previously, loggable events happening so late during shutdown were generally lost if the "kernel.printk" sysctl was set to high thresholds, as regular logging daemons are terminated at that time and thus nothing is written to disk. * If processes terminated during the last phase of shutdown do not exit quickly systemd will now show their names after a short time, to make debugging easier. After a longer timeout they are forcibly killed, as before. * journalctl (and the other tools that display logs) will now highlight warnings in yellow (previously, both LOG_NOTICE and LOG_WARNING where shown in bright bold, now only LOG_NOTICE is). Moreover, audit logs are now shown in blue color, to separate them visually from regular logs. References to configuration files are now turned into clickable links on terminals that support that. * systemd-journald will now stop logging to /var/log/journal during shutdown when /var/ is on a separate mount, so that it can be unmounted safely during shutdown. * systemd-resolved gained support for a new 'strict' DNS-over-TLS mode. * systemd-resolved "Cache=" configuration option in resolved.conf has been extended to also accept the 'no-negative' value. Previously, only a boolean option was allowed (yes/no), having yes as the default. If this option is set to 'no-negative', negative answers are not cached while the old cache heuristics are used positive answers. The default remains unchanged. * The predictable naming scheme for network devices now supports generating predictable names for "netdevsim" devices. Moreover, the "en" prefix was dropped from the ID_NET_NAME_ONBOARD udev property. Those two changes form a new net.naming_scheme= entry. Distributions which want to preserve naming stability may want to set the -Ddefault-net-naming-scheme= configuration option. * systemd-networkd now supports MACsec, nlmon, IPVTAP and Xfrm interfaces natively. * systemd-networkd's bridge FDB support now allows configuration of a destination address for each entry (Destination=), as well as the VXLAN VNI (VNI=), as well as an option to declare what an entry is associated with (AssociatedWith=). * systemd-networkd's DHCPv4 support now understands a new MaxAttempts= option for configuring the maximum number of DHCP lease requests. It also learnt a new BlackList= option for deny-listing DHCP servers (a similar setting has also been added to the IPv6 RA client), as well as a SendRelease= option for configuring whether to send a DHCP RELEASE message when terminating. * systemd-networkd's DHCPv4 and DHCPv6 stacks can now be configured separately in the [DHCPv4] and [DHCPv6] sections. * systemd-networkd's DHCP support will now optionally create an implicit host route to the DNS server specified in the DHCP lease, in addition to the routes listed explicitly in the lease. This should ensure that in multi-homed systems DNS traffic leaves the systems on the interface that acquired the DNS server information even if other routes such as default routes exist. This behaviour may be turned on with the new RoutesToDNS= option. * systemd-networkd's VXLAN support gained a new option GenericProtocolExtension= for enabling VXLAN Generic Protocol Extension support, as well as IPDoNotFragment= for setting the IP "Don't fragment" bit on outgoing packets. A similar option has been added to the GENEVE support. * In systemd-networkd's [Route] section you may now configure FastOpenNoCookie= for configuring per-route TCP fast-open support, as well as TTLPropagate= for configuring Label Switched Path (LSP) TTL propagation. The Type= setting now supports local, broadcast, anycast, multicast, any, xresolve routes, too. * systemd-networkd's [Network] section learnt a new option DefaultRouteOnDevice= for automatically configuring a default route onto the network device. * systemd-networkd's bridging support gained two new options ProxyARP= and ProxyARPWifi= for configuring proxy ARP behaviour as well as MulticastRouter= for configuring multicast routing behaviour. A new option MulticastIGMPVersion= may be used to change bridge's multicast Internet Group Management Protocol (IGMP) version. * systemd-networkd's FooOverUDP support gained the ability to configure local and peer IP addresses via Local= and Peer=. A new option PeerPort= may be used to configure the peer's IP port. * systemd-networkd's TUN support gained a new setting VnetHeader= for tweaking Generic Segment Offload support. * The address family for policy rules may be specified using the new Family= option in the [RoutingPolicyRule] section. * networkctl gained a new "delete" command for removing virtual network devices, as well as a new "--stats" switch for showing device statistics. * networkd.conf gained a new setting SpeedMeter= and SpeedMeterIntervalSec=, to measure bitrate of network interfaces. The measured speed may be shown by 'networkctl status'. * "networkctl status" now displays MTU and queue lengths, and more detailed information about VXLAN and bridge devices. * systemd-networkd's .network and .link files gained a new Property= setting in the [Match] section, to match against devices with specific udev properties. * systemd-networkd's tunnel support gained a new option AssignToLoopback= for selecting whether to use the loopback device "lo" as underlying device. * systemd-networkd's MACAddress= setting in the [Neighbor] section has been renamed to LinkLayerAddress=, and it now allows configuration of IP addresses, too. * systemd-networkd's handling of the kernel's disable_ipv6 sysctl is simplified: systemd-networkd will disable the sysctl (enable IPv6) if IPv6 configuration (static or DHCPv6) was found for a given interface. It will not touch the sysctl otherwise. * The order of entries is $PATH used by the user manager instance was changed to put bin/ entries before the corresponding sbin/ entries. It is recommended to not rely on this order, and only ever have one binary with a given name in the system paths under /usr. * A new tool systemd-network-generator has been added that may generate .network, .netdev and .link files from IP configuration specified on the kernel command line in the format used by Dracut. * The CriticalConnection= setting in .network files is now deprecated, and replaced by a new KeepConfiguration= setting which allows more detailed configuration of the IP configuration to keep in place. * systemd-analyze gained a few new verbs: - "systemd-analyze timestamp" parses and converts timestamps. This is similar to the existing "systemd-analyze calendar" command which does the same for recurring calendar events. - "systemd-analyze timespan" parses and converts timespans (i.e. durations as opposed to points in time). - "systemd-analyze condition" will parse and test ConditionXYZ= expressions. - "systemd-analyze exit-status" will parse and convert exit status codes to their names and back. - "systemd-analyze unit-files" will print a list of all unit file paths and unit aliases. * SuccessExitStatus=, RestartPreventExitStatus=, and RestartForceExitStatus= now accept exit status names (e.g. "DATAERR" is equivalent to "65"). Those exit status name mappings may be displayed with the systemd-analyze exit-status verb describe above. * systemd-logind now exposes a per-session SetBrightness() bus call, which may be used to securely change the brightness of a kernel brightness device, if it belongs to the session's seat. By using this call unprivileged clients can make changes to "backlight" and "leds" devices securely with strict requirements on session membership. Desktop environments may use this to generically make brightness changes to such devices without shipping private SUID binaries or udev rules for that purpose. * "udevadm info" gained a --wait-for-initialization switch to wait for a device to be initialized. * systemd-hibernate-resume-generator will now look for resumeflags= on the kernel command line, which is similar to rootflags= and may be used to configure device timeout for the hibernation device. * sd-event learnt a new API call sd_event_source_disable_unref() for disabling and unref'ing an event source in a single function. A related call sd_event_source_disable_unrefp() has been added for use with gcc's cleanup extension. * The sd-id128.h public API gained a new definition SD_ID128_UUID_FORMAT_STR for formatting a 128-bit ID in UUID format with printf(). * "busctl introspect" gained a new switch --xml-interface for dumping XML introspection data unmodified. * PID 1 may now show the unit name instead of the unit description string in its status output during boot. This may be configured in the StatusUnitFormat= setting in /etc/systemd/system.conf or the kernel command line option systemd.status_unit_format=. * PID 1 now understands a new option KExecWatchdogSec= in /etc/systemd/system.conf to set a watchdog timeout for kexec reboots. Previously watchdog functionality was only available for regular reboots. The new setting defaults to off, because we don't know in the general case if the watchdog will be reset after kexec (some drivers do reset it, but not all), and the new userspace might not be configured to handle the watchdog. Moreover, the old ShutdownWatchdogSec= setting has been renamed to RebootWatchdogSec= to more clearly communicate what it is about. The old name is still accepted for compatibility. * The systemd.debug_shell kernel command line option now optionally takes a tty name to spawn the debug shell on, which allows a different tty to be selected than the built-in default. * Service units gained a new ExecCondition= setting which will run before ExecStartPre= and either continue execution of the unit (for clean exit codes), stop execution without marking the unit failed (for exit codes 1 through 254), or stop execution and fail the unit (for exit code 255 or abnormal termination). * A new service systemd-pstore.service has been added that pulls data from /sys/fs/pstore/ and saves it to /var/lib/pstore for later review. * timedatectl gained new verbs for configuring per-interface NTP service configuration for systemd-timesyncd. * "localectl list-locales" won't list non-UTF-8 locales anymore. It's 2019. (You can set non-UTF-8 locales though, if you know their name.) * If variable assignments in sysctl.d/ files are prefixed with "-" any failures to apply them are now ignored. * systemd-random-seed.service now optionally credits entropy when applying the seed to the system. Set $SYSTEMD_RANDOM_SEED_CREDIT to true for the service to enable this behaviour, but please consult the documentation first, since this comes with a couple of caveats. * systemd-random-seed.service is now a synchronization point for full initialization of the kernel's entropy pool. Services that require /dev/urandom to be correctly initialized should be ordered after this service. * The systemd-boot boot loader has been updated to optionally maintain a random seed file in the EFI System Partition (ESP). During the boot phase, this random seed is read and updated with a new seed cryptographically derived from it. Another derived seed is passed to the OS. The latter seed is then credited to the kernel's entropy pool very early during userspace initialization (from PID 1). This allows systems to boot up with a fully initialized kernel entropy pool from earliest boot on, and thus entirely removes all entropy pool initialization delays from systems using systemd-boot. Special care is taken to ensure different seeds are derived on system images replicated to multiple systems. "bootctl status" will show whether a seed was received from the boot loader. * bootctl gained two new verbs: - "bootctl random-seed" will generate the file in ESP and an EFI variable to allow a random seed to be passed to the OS as described above. - "bootctl is-installed" checks whether systemd-boot is currently installed. * bootctl will warn if it detects that boot entries are misconfigured (for example if the kernel image was removed without purging the bootloader entry). * A new document has been added describing systemd's use and support for the kernel's entropy pool subsystem: https://systemd.io/RANDOM_SEEDS * When the system is hibernated the swap device to write the hibernation image to is now automatically picked from all available swap devices, preferring the swap device with the highest configured priority over all others, and picking the device with the most free space if there are multiple devices with the highest priority. * /etc/crypttab support has learnt a new keyfile-timeout= per-device option that permits selecting the timeout how long to wait for a device with an encryption key before asking for the password. * IOWeight= has learnt to properly set the IO weight when using the BFQ scheduler officially found in kernels 5.0+. * A new mailing list has been created for reporting of security issues: systemd-security@redhat.com. For mode details, see https://systemd.io/CONTRIBUTING#security-vulnerability-reports. Contributions from: Aaron Barany, Adrian Bunk, Alan Jenkins, Albrecht Lohofener, Andrej Valek, Anita Zhang, Arian van Putten, Balint Reczey, Bastien Nocera, Ben Boeckel, Benjamin Robin, camoz, Chen Qi, Chris Chiu, Chris Down, Christian Göttsche, Christian Kellner, Clinton Roy, Connor Reeder, Daniel Black, Daniel Lublin, Daniele Medri, Dan Streetman, Dave Reisner, Dave Ross, David Art, David Tardon, Debarshi Ray, Dimitri John Ledkov, Dominick Grift, Donald Buczek, Douglas Christman, Eric DeVolder, EtherGraf, Evgeny Vereshchagin, Feldwor, Felix Riemann, Florian Dollinger, Francesco Pennica, Franck Bui, Frantisek Sumsal, Franz Pletz, frederik, Hans de Goede, Iago López Galeiras, Insun Pyo, Ivan Shapovalov, Iwan Timmer, Jack, Jakob Unterwurzacher, Jan Chren, Jan Klötzke, Jan Losinski, Jan Pokorný, Jan Synacek, Jan-Michael Brummer, Jeka Pats, Jeremy Soller, Jérémy Rosen, Jiri Pirko, Joe Lin, Joerg Behrmann, Joe Richey, Jóhann B. Guðmundsson, Johannes Christ, Johannes Schmitz, Jonathan Rouleau, Jorge Niedbalski, Jörg Thalheim, Kai Krakow, Kai Lüke, Karel Zak, Kashyap Chamarthy, Krayushkin Konstantin, Lennart Poettering, Lubomir Rintel, Luca Boccassi, Luís Ferreira, Marc-André Lureau, Markus Felten, Martin Pitt, Matthew Leeds, Mattias Jernberg, Michael Biebl, Michael Olbrich, Michael Prokop, Michael Stapelberg, Michael Zhivich, Michal Koutný, Michal Sekletar, Mike Gilbert, Milan Broz, Miroslav Lichvar, mpe85, Mr-Foo, Network Silence, Oliver Harley, pan93412, Paul Menzel, pEJipE, Peter A. Bigot, Philip Withnall, Piotr Drąg, Rafael Fontenelle, Robert Scheck, Roberto Santalla, Ronan Pigott, root, RussianNeuroMancer, Sebastian Jennen, shinygold, Shreyas Behera, Simon Schricker, Susant Sahani, Thadeu Lima de Souza Cascardo, Theo Ouzhinski, Thiebaud Weksteen, Thomas Haller, Thomas Weißschuh, Tomas Mraz, Tommi Rantala, Topi Miettinen, VD-Lycos, ven, Vladimir Yerilov, Wieland Hoffmann, William A. Kennington III, William Wold, Xi Ruoyao, Yuri Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zhang Xianwei – Camerino, 2019-09-03 CHANGES WITH 242: * In .link files, MACAddressPolicy=persistent (the default) is changed to cover more devices. For devices like bridges, tun, tap, bond, and similar interfaces that do not have other identifying information, the interface name is used as the basis for persistent seed for MAC and IPv4LL addresses. The way that devices that were handled previously is not changed, and this change is about covering more devices then previously by the "persistent" policy. MACAddressPolicy=random may be used to force randomized MACs and IPv4LL addresses for a device if desired. Hint: the log output from udev (at debug level) was enhanced to clarify what policy is followed and which attributes are used. `SYSTEMD_LOG_LEVEL=debug udevadm test-builtin net_setup_link /sys/class/net/` may be used to view this. Hint: if a bridge interface is created without any slaves, and gains a slave later, then now the bridge does not inherit slave's MAC. To inherit slave's MAC, for example, create the following file: ``` # /etc/systemd/network/98-bridge-inherit-mac.link [Match] Type=bridge [Link] MACAddressPolicy=none ``` * The .device units generated by systemd-fstab-generator and other generators do not automatically pull in the corresponding .mount unit as a Wants= dependency. This means that simply plugging in the device will not cause the mount unit to be started automatically. But please note that the mount unit may be started for other reasons, in particular if it is part of local-fs.target, and any unit which (transitively) depends on local-fs.target is started. * networkctl list/status/lldp now accept globbing wildcards for network interface names to match against all existing interfaces. * The $PIDFILE environment variable is set to point the absolute path configured with PIDFile= for processes of that service. * The fallback DNS server list was augmented with Cloudflare public DNS servers. Use `-Ddns-servers=` to set a different fallback. * A new special target usb-gadget.target will be started automatically when a USB Device Controller is detected (which means that the system is a USB peripheral). * A new unit setting CPUQuotaPeriodSec= assigns the time period relatively to which the CPU time quota specified by CPUQuota= is measured. * A new unit setting ProtectHostname= may be used to prevent services from modifying hostname information (even if they otherwise would have privileges to do so). * A new unit setting NetworkNamespacePath= may be used to specify a namespace for service or socket units through a path referring to a Linux network namespace pseudo-file. * The PrivateNetwork= setting and JoinsNamespaceOf= dependencies now have an effect on .socket units: when used the listening socket is created within the configured network namespace instead of the host namespace. * ExecStart= command lines in unit files may now be prefixed with ':' in which case environment variable substitution is disabled. (Supported for the other ExecXYZ= settings, too.) * .timer units gained two new boolean settings OnClockChange= and OnTimezoneChange= which may be used to also trigger a unit when the system clock is changed or the local timezone is modified. systemd-run has been updated to make these options easily accessible from the command line for transient timers. * Two new conditions for units have been added: ConditionMemory= may be used to conditionalize a unit based on installed system RAM. ConditionCPUs= may be used to conditionalize a unit based on installed CPU cores. * The @default system call filter group understood by SystemCallFilter= has been updated to include the new rseq() system call introduced in kernel 4.15. * A new time-set.target has been added that indicates that the system time has been set from a local source (possibly imprecise). The existing time-sync.target is stronger and indicates that the time has been synchronized with a precise external source. Services where approximate time is sufficient should use the new target. * "systemctl start" (and related commands) learnt a new --show-transaction option. If specified brief information about all jobs queued because of the requested operation is shown. * systemd-networkd recognizes a new operation state 'enslaved', used (instead of 'degraded' or 'carrier') for interfaces which form a bridge, bond, or similar, and an new 'degraded-carrier' operational state used for the bond or bridge master interface when one of the enslaved devices is not operational. * .network files learnt the new IgnoreCarrierLoss= option for leaving networks configured even if the carrier is lost. * The RequiredForOnline= setting in .network files may now specify a minimum operational state required for the interface to be considered "online" by systemd-networkd-wait-online. Related to this systemd-networkd-wait-online gained a new option --operational-state= to configure the same, and its --interface= option was updated to optionally also take an operational state specific for an interface. * systemd-networkd-wait-online gained a new setting --any for waiting for only one of the requested interfaces instead of all of them. * systemd-networkd now implements L2TP tunnels. * Two new .network settings UseAutonomousPrefix= and UseOnLinkPrefix= may be used to cause autonomous and onlink prefixes received in IPv6 Router Advertisements to be ignored. * New MulticastFlood=, NeighborSuppression=, and Learning= .network file settings may be used to tweak bridge behaviour. * The new TripleSampling= option in .network files may be used to configure CAN triple sampling. * A new .netdev settings PrivateKeyFile= and PresharedKeyFile= may be used to point to private or preshared key for a WireGuard interface. * /etc/crypttab now supports the same-cpu-crypt and submit-from-crypt-cpus options to tweak encryption work scheduling details. * systemd-tmpfiles will now take a BSD file lock before operating on a contents of directory. This may be used to temporarily exclude directories from aging by taking the same lock (useful for example when extracting a tarball into /tmp or /var/tmp as a privileged user, which might create files with really old timestamps, which nevertheless should not be deleted). For further details, see: https://systemd.io/TEMPORARY_DIRECTORIES * systemd-tmpfiles' h line type gained support for the FS_PROJINHERIT_FL ('P') file attribute (introduced in kernel 4.5), controlling project quota inheritance. * sd-boot and bootctl now implement support for an Extended Boot Loader (XBOOTLDR) partition, that is intended to be mounted to /boot, in addition to the ESP partition mounted to /efi or /boot/efi. Configuration file fragments, kernels, initrds and other EFI images to boot will be loaded from both the ESP and XBOOTLDR partitions. The XBOOTLDR partition was previously described by the Boot Loader Specification, but implementation was missing in sd-boot. Support for this concept allows using the sd-boot boot loader in more conservative scenarios where the boot loader itself is placed in the ESP but the kernels to boot (and their metadata) in a separate partition. * A system may now be booted with systemd.volatile=overlay on the kernel command line, which causes the root file system to be set up an overlayfs mount combining the root-only root directory with a writable tmpfs. In this setup, the underlying root device is not modified, and any changes are lost at reboot. * Similar, systemd-nspawn can now boot containers with a volatile overlayfs root with the new --volatile=overlay switch. * systemd-nspawn can now consume OCI runtime bundles using a new --oci-bundle= option. This implementation is fully usable, with most features in the specification implemented, but since this a lot of new code and functionality, this feature should most likely not be used in production yet. * systemd-nspawn now supports various options described by the OCI runtime specification on the command-line and in .nspawn files: --inaccessible=/Inaccessible= may be used to mask parts of the file system tree, --console=/--pipe may be used to configure how standard input, output, and error are set up. * busctl learned the `emit` verb to generate D-Bus signals. * systemd-analyze cat-config may be used to gather and display configuration spread over multiple files, for example system and user presets, tmpfiles.d, sysusers.d, udev rules, etc. * systemd-analyze calendar now takes an optional new parameter --iterations= which may be used to show a maximum number of iterations the specified expression will elapse next. * The sd-bus C API gained support for naming method parameters in the introspection data. * systemd-logind gained D-Bus APIs to specify the "reboot parameter" the reboot() system call expects. * journalctl learnt a new --cursor-file= option that points to a file from which a cursor should be loaded in the beginning and to which the updated cursor should be stored at the end. * ACRN hypervisor and Windows Subsystem for Linux (WSL) are now detected by systemd-detect-virt (and may also be used in ConditionVirtualization=). * The behaviour of systemd-logind may now be modified with environment variables $SYSTEMD_REBOOT_TO_FIRMWARE_SETUP, $SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU, and $SYSTEMD_REBOOT_TO_BOOT_LOADER_ENTRY. They cause logind to either skip the relevant operation completely (when set to false), or to create a flag file in /run/systemd (when set to true), instead of actually commencing the real operation when requested. The presence of /run/systemd/reboot-to-firmware-setup, /run/systemd/reboot-to-boot-loader-menu, and /run/systemd/reboot-to-boot-loader-entry, may be used by alternative boot loader implementations to replace some steps logind performs during reboot with their own operations. * systemctl can be used to request a reboot into the boot loader menu or a specific boot loader entry with the new --boot-load-menu= and --boot-loader-entry= options to a reboot command. (This requires a boot loader that supports this, for example sd-boot.) * kernel-install will no longer unconditionally create the output directory (e.g. /efi//) for boot loader snippets, but will do only if the machine-specific parent directory (i.e. /efi//) already exists. bootctl has been modified to create this parent directory during sd-boot installation. This makes it easier to use kernel-install with plugins which support a different layout of the bootloader partitions (for example grub2). * During package installation (with `ninja install`), we would create symlinks for getty@tty1.service, systemd-networkd.service, systemd-networkd.socket, systemd-resolved.service, remote-cryptsetup.target, remote-fs.target, systemd-networkd-wait-online.service, and systemd-timesyncd.service in /etc, as if `systemctl enable` was called for those units, to make the system usable immediately after installation. Now this is not done anymore, and instead calling `systemctl preset-all` is recommended after the first installation of systemd. * A new boolean sandboxing option RestrictSUIDSGID= has been added that is built on seccomp. When turned on creation of SUID/SGID files is prohibited. * The NoNewPrivileges= and the new RestrictSUIDSGID= options are now implied if DynamicUser= is turned on for a service. This hardens these services, so that they neither can benefit from nor create SUID/SGID executables. This is a minor compatibility breakage, given that when DynamicUser= was first introduced SUID/SGID behaviour was unaffected. However, the security benefit of these two options is substantial, and the setting is still relatively new, hence we opted to make it mandatory for services with dynamic users. Contributions from: Adam Jackson, Alexander Tsoy, Andrey Yashkin, Andrzej Pietrasiewicz, Anita Zhang, Balint Reczey, Beniamino Galvani, Ben Iofel, Benjamin Berg, Benjamin Dahlhoff, Chris, Chris Morin, Christopher Wong, Claudius Ellsel, Clemens Gruber, dana, Daniel Black, Davide Cavalca, David Michael, David Rheinsberg, emersion, Evgeny Vereshchagin, Filipe Brandenburger, Franck Bui, Frantisek Sumsal, Giacinto Cifelli, Hans de Goede, Hugo Kindel, Ignat Korchagin, Insun Pyo, Jan Engelhardt, Jonas Dorel, Jonathan Lebon, Jonathon Kowalski, Jörg Sommer, Jörg Thalheim, Jussi Pakkanen, Kai-Heng Feng, Lennart Poettering, Lubomir Rintel, Luís Ferreira, Martin Pitt, Matthias Klumpp, Michael Biebl, Michael Niewöhner, Michael Olbrich, Michal Sekletar, Mike Lothian, Paul Menzel, Piotr Drąg, Riccardo Schirone, Robin Elvedi, Roman Kulikov, Ronald Tschalär, Ross Burton, Ryan Gonzalez, Sebastian Krzyszkowiak, Stephane Chazelas, StKob, Susant Sahani, Sylvain Plantefève, Szabolcs Fruhwald, Taro Yamada, Theo Ouzhinski, Thomas Haller, Tobias Jungel, Tom Yan, Tony Asleson, Topi Miettinen, unixsysadmin, Van Laser, Vesa Jääskeläinen, Yu, Li-Yu, Yu Watanabe, Zbigniew Jędrzejewski-Szmek — Warsaw, 2019-04-11 CHANGES WITH 241: * The default locale can now be configured at compile time. Otherwise, a suitable default will be selected automatically (one of C.UTF-8, en_US.UTF-8, and C). * The version string shown by systemd and other tools now includes the git commit hash when built from git. An override may be specified during compilation, which is intended to be used by distributions to include the package release information. * systemd-cat can now filter standard input and standard error streams for different syslog priorities using the new --stderr-priority= option. * systemd-journald and systemd-journal-remote reject entries which contain too many fields (CVE-2018-16865) and set limits on the process' command line length (CVE-2018-16864). * $DBUS_SESSION_BUS_ADDRESS environment variable is set by pam_systemd again. * A new network device NamePolicy "keep" is implemented for link files, and used by default in 99-default.link (the fallback configuration provided by systemd). With this policy, if the network device name was already set by userspace, the device will not be renamed again. This matches the naming scheme that was implemented before systemd-240. If naming-scheme < 240 is specified, the "keep" policy is also enabled by default, even if not specified. Effectively, this means that if naming-scheme >= 240 is specified, network devices will be renamed according to the configuration, even if they have been renamed already, if "keep" is not specified as the naming policy in the .link file. The 99-default.link file provided by systemd includes "keep" for backwards compatibility, but it is recommended for user installed .link files to *not* include it. The "kernel" policy, which keeps kernel names declared to be "persistent", now works again as documented. * kernel-install script now optionally takes the paths to one or more initrd files, and passes them to all plugins. * The mincore() system call has been dropped from the @system-service system call filter group, as it is pretty exotic and may potentially used for side-channel attacks. * -fPIE is dropped from compiler and linker options. Please specify -Db_pie=true option to meson to build position-independent executables. Note that the meson option is supported since meson-0.49. * The fs.protected_regular and fs.protected_fifos sysctls, which were added in Linux 4.19 to make some data spoofing attacks harder, are now enabled by default. While this will hopefully improve the security of most installations, it is technically a backwards incompatible change; to disable these sysctls again, place the following lines in /etc/sysctl.d/60-protected.conf or a similar file: fs.protected_regular = 0 fs.protected_fifos = 0 Note that the similar hardlink and symlink protection has been enabled since v199, and may be disabled likewise. * The files read from the EnvironmentFile= setting in unit files now parse backslashes inside quotes literally, matching the behaviour of POSIX shells. * udevadm trigger, udevadm control, udevadm settle and udevadm monitor now automatically become NOPs when run in a chroot() environment. * The tmpfiles.d/ "C" line type will now copy directory trees not only when the destination is so far missing, but also if it already exists as a directory and is empty. This is useful to cater for systems where directory trees are put together from multiple separate mount points but otherwise empty. * A new function sd_bus_close_unref() (and the associated sd_bus_close_unrefp()) has been added to libsystemd, that combines sd_bus_close() and sd_bus_unref() in one. * udevadm control learnt a new option for --ping for testing whether a systemd-udevd instance is running and reacting. * udevadm trigger learnt a new option for --wait-daemon for waiting systemd-udevd daemon to be initialized. Contributions from: Aaron Plattner, Alberts Muktupāvels, Alex Mayer, Ayman Bagabas, Beniamino Galvani, Burt P, Chris Down, Chris Lamb, Chris Morin, Christian Hesse, Claudius Ellsel, dana, Daniel Axtens, Daniele Medri, Dave Reisner, David Santamaría Rogado, Diego Canuhe, Dimitri John Ledkov, Evgeny Vereshchagin, Fabrice Fontaine, Filipe Brandenburger, Franck Bui, Frantisek Sumsal, govwin, Hans de Goede, James Hilliard, Jan Engelhardt, Jani Uusitalo, Jan Janssen, Jan Synacek, Jonathan McDowell, Jonathan Roemer, Jonathon Kowalski, Joost Heitbrink, Jörg Thalheim, Lance, Lennart Poettering, Louis Taylor, Lucas Werkmeister, Mantas Mikulėnas, Marc-Antoine Perennou, marvelousblack, Michael Biebl, Michael Sloan, Michal Sekletar, Mike Auty, Mike Gilbert, Mikhail Kasimov, Neil Brown, Niklas Hambüchen, Patrick Williams, Paul Seyfert, Peter Hutterer, Philip Withnall, Roger James, Ronnie P. Thomas, Ryan Gonzalez, Sam Morris, Stephan Edel, Stephan Gerhold, Susant Sahani, Taro Yamada, Thomas Haller, Topi Miettinen, YiFei Zhu, YmrDtnJu, YunQiang Su, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, zsergeant77, Дамјан Георгиевски — Berlin, 2019-02-14 CHANGES WITH 240: * NoNewPrivileges=yes has been set for all long-running services implemented by systemd. Previously, this was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). This restriction has since been lifted, but an SELinux policy update is required. (See e.g. https://github.com/fedora-selinux/selinux-policy/pull/234.) * DynamicUser=yes is dropped from systemd-networkd.service, systemd-resolved.service and systemd-timesyncd.service, which was enabled in v239 for systemd-networkd.service and systemd-resolved.service, and since v236 for systemd-timesyncd.service. The users and groups systemd-network, systemd-resolve and systemd-timesync are created by systemd-sysusers again. Distributors or system administrators may need to create these users and groups if they not exist (or need to re-enable DynamicUser= for those units) while upgrading systemd. Also, the clock file for systemd-timesyncd may need to move from /var/lib/private/systemd/timesync/clock to /var/lib/systemd/timesync/clock. * When unit files are loaded from disk, previously systemd would sometimes (depending on the unit loading order) load units from the target path of symlinks in .wants/ or .requires/ directories of other units. This meant that unit could be loaded from different paths depending on whether the unit was requested explicitly or as a dependency of another unit, not honouring the priority of directories in search path. It also meant that it was possible to successfully load and start units which are not found in the unit search path, as long as they were requested as a dependency and linked to from .wants/ or .requires/. The target paths of those symlinks are not used for loading units anymore and the unit file must be found in the search path. * A new service type has been added: Type=exec. It's very similar to Type=simple but ensures the service manager will wait for both fork() and execve() of the main service binary to complete before proceeding with follow-up units. This is primarily useful so that the manager propagates any errors in the preparation phase of service execution back to the job that requested the unit to be started. For example, consider a service that has ExecStart= set to a file system binary that doesn't exist. With Type=simple starting the unit would be considered instantly successful, as only fork() has to complete successfully and the manager does not wait for execve(), and hence its failure is seen "too late". With the new Type=exec service type starting the unit will fail, as the manager will wait for the execve() and notice its failure, which is then propagated back to the start job. NOTE: with the next release 241 of systemd we intend to change the systemd-run tool to default to Type=exec for transient services started by it. This should be mostly safe, but in specific corner cases might result in problems, as the systemd-run tool will then block on NSS calls (such as user name look-ups due to User=) done between the fork() and execve(), which under specific circumstances might cause problems. It is recommended to specify "-p Type=simple" explicitly in the few cases where this applies. For regular, non-transient services (i.e. those defined with unit files on disk) we will continue to default to Type=simple. * The Linux kernel's current default RLIMIT_NOFILE resource limit for userspace processes is set to 1024 (soft) and 4096 (hard). Previously, systemd passed this on unmodified to all processes it forked off. With this systemd release the hard limit systemd passes on is increased to 512K, overriding the kernel's defaults and substantially increasing the number of simultaneous file descriptors unprivileged userspace processes can allocate. Note that the soft limit remains at 1024 for compatibility reasons: the traditional UNIX select() call cannot deal with file descriptors >= 1024 and increasing the soft limit globally might thus result in programs unexpectedly allocating a high file descriptor and thus failing abnormally when attempting to use it with select() (of course, programs shouldn't use select() anymore, and prefer poll()/epoll, but the call unfortunately remains undeservedly popular at this time). This change reflects the fact that file descriptor handling in the Linux kernel has been optimized in more recent kernels and allocating large numbers of them should be much cheaper both in memory and in performance than it used to be. Programs that want to take benefit of the increased limit have to "opt-in" into high file descriptors explicitly by raising their soft limit. Of course, when they do that they must acknowledge that they cannot use select() anymore (and neither can any shared library they use — or any shared library used by any shared library they use and so on). Which default hard limit is most appropriate is of course hard to decide. However, given reports that ~300K file descriptors are used in real-life applications we believe 512K is sufficiently high as new default for now. Note that there are also reports that using very high hard limits (e.g. 1G) is problematic: some software allocates large arrays with one element for each potential file descriptor (Java, …) — a high hard limit thus triggers excessively large memory allocations in these applications. Hopefully, the new default of 512K is a good middle ground: higher than what real-life applications currently need, and low enough for avoid triggering excessively large allocations in problematic software. (And yes, somebody should fix Java.) * The fs.nr_open and fs.file-max sysctls are now automatically bumped to the highest possible values, as separate accounting of file descriptors is no longer necessary, as memcg tracks them correctly as part of the memory accounting anyway. Thus, from the four limits on file descriptors currently enforced (fs.file-max, fs.nr_open, RLIMIT_NOFILE hard, RLIMIT_NOFILE soft) we turn off the first two, and keep only the latter two. A set of build-time options (-Dbump-proc-sys-fs-file-max=false and -Dbump-proc-sys-fs-nr-open=false) has been added to revert this change in behaviour, which might be an option for systems that turn off memcg in the kernel. * When no /etc/locale.conf file exists (and hence no locale settings are in place), systemd will now use the "C.UTF-8" locale by default, and set LANG= to it. This locale is supported by various distributions including Fedora, with clear indications that upstream glibc is going to make it available too. This locale enables UTF-8 mode by default, which appears appropriate for 2018. * The "net.ipv4.conf.all.rp_filter" sysctl will now be set to 2 by default. This effectively switches the RFC3704 Reverse Path filtering from Strict mode to Loose mode. This is more appropriate for hosts that have multiple links with routes to the same networks (e.g. a client with a Wi-Fi and Ethernet both connected to the internet). Consult the kernel documentation for details on this sysctl: https://docs.kernel.org/networking/ip-sysctl.html * The v239 change to turn on "net.ipv4.tcp_ecn" by default has been reverted. * CPUAccounting=yes no longer enables the CPU controller when using kernel 4.15+ and the unified cgroup hierarchy, as required accounting statistics are now provided independently from the CPU controller. * Support for disabling a particular cgroup controller within a sub-tree has been added through the DisableControllers= directive. * cgroup_no_v1=all on the kernel command line now also implies using the unified cgroup hierarchy, unless one explicitly passes systemd.unified_cgroup_hierarchy=0 on the kernel command line. * The new "MemoryMin=" unit file property may now be used to set the memory usage protection limit of processes invoked by the unit. This controls the cgroup v2 memory.min attribute. Similarly, the new "IODeviceLatencyTargetSec=" property has been added, wrapping the new cgroup v2 io.latency cgroup property for configuring per-service I/O latency. * systemd now supports the cgroup v2 devices BPF logic, as counterpart to the cgroup v1 "devices" cgroup controller. * systemd-escape now is able to combine --unescape with --template. It also learnt a new option --instance for extracting and unescaping the instance part of a unit name. * sd-bus now provides the sd_bus_message_readv() which is similar to sd_bus_message_read() but takes a va_list object. The pair sd_bus_set_method_call_timeout() and sd_bus_get_method_call_timeout() has been added for configuring the default method call timeout to use. sd_bus_error_move() may be used to efficiently move the contents from one sd_bus_error structure to another, invalidating the source. sd_bus_set_close_on_exit() and sd_bus_get_close_on_exit() may be used to control whether a bus connection object is automatically flushed when an sd-event loop is exited. * When processing classic BSD syslog log messages, journald will now save the original time-stamp string supplied in the new SYSLOG_TIMESTAMP= journal field. This permits consumers to reconstruct the original BSD syslog message more correctly. * StandardOutput=/StandardError= in service files gained support for new "append:…" parameters, for connecting STDOUT/STDERR of a service to a file, and appending to it. * The signal to use as last step of killing of unit processes is now configurable. Previously it was hard-coded to SIGKILL, which may now be overridden with the new KillSignal= setting. Note that this is the signal used when regular termination (i.e. SIGTERM) does not suffice. Similarly, the signal used when aborting a program in case of a watchdog timeout may now be configured too (WatchdogSignal=). * The XDG_SESSION_DESKTOP environment variable may now be configured in the pam_systemd argument line, using the new desktop= switch. This is useful to initialize it properly from a display manager without having to touch C code. * Most configuration options that previously accepted percentage values now also accept permille values with the '‰' suffix (instead of '%'). * systemd-resolved may now optionally use OpenSSL instead of GnuTLS for DNS-over-TLS. * systemd-resolved's configuration file resolved.conf gained a new option ReadEtcHosts= which may be used to turn off processing and honoring /etc/hosts entries. * The "--wait" switch may now be passed to "systemctl is-system-running", in which case the tool will synchronously wait until the system finished start-up. * hostnamed gained a new bus call to determine the DMI product UUID. * On x86-64 systemd will now prefer using the RDRAND processor instruction over /dev/urandom whenever it requires randomness that neither has to be crypto-grade nor should be reproducible. This should substantially reduce the amount of entropy systemd requests from the kernel during initialization on such systems, though not reduce it to zero. (Why not zero? systemd still needs to allocate UUIDs and such uniquely, which require high-quality randomness.) * networkd gained support for Foo-Over-UDP, ERSPAN and ISATAP tunnels. It also gained a new option ForceDHCPv6PDOtherInformation= for forcing the "Other Information" bit in IPv6 RA messages. The bonding logic gained four new options AdActorSystemPriority=, AdUserPortKey=, AdActorSystem= for configuring various 802.3ad aspects, and DynamicTransmitLoadBalancing= for enabling dynamic shuffling of flows. The tunnel logic gained a new IPv6RapidDeploymentPrefix= option for configuring IPv6 Rapid Deployment. The policy rule logic gained four new options IPProtocol=, SourcePort= and DestinationPort=, InvertRule=. The bridge logic gained support for the MulticastToUnicast= option. networkd also gained support for configuring static IPv4 ARP or IPv6 neighbor entries. * .preset files (as read by 'systemctl preset') may now be used to instantiate services. * /etc/crypttab now understands the sector-size= option to configure the sector size for an encrypted partition. * Key material for encrypted disks may now be placed on a formatted medium, and referenced from /etc/crypttab by the UUID of the file system, followed by "=" suffixed by the path to the key file. * The "collect" udev component has been removed without replacement, as it is neither used nor maintained. * When the RuntimeDirectory=, StateDirectory=, CacheDirectory=, LogsDirectory=, ConfigurationDirectory= settings are used in a service the executed processes will now receive a set of environment variables containing the full paths of these directories. Specifically, RUNTIME_DIRECTORY=, STATE_DIRECTORY, CACHE_DIRECTORY, LOGS_DIRECTORY, CONFIGURATION_DIRECTORY are now set if these options are used. Note that these options may be used multiple times per service in which case the resulting paths will be concatenated and separated by colons. * Predictable interface naming has been extended to cover InfiniBand NICs. They will be exposed with an "ib" prefix. * tmpfiles.d/ line types may now be suffixed with a '-' character, in which case the respective line failing is ignored. * .link files may now be used to configure the equivalent to the "ethtool advertise" commands. * The sd-device.h and sd-hwdb.h APIs are now exported, as an alternative to libudev.h. Previously, the latter was just an internal wrapper around the former, but now these two APIs are exposed directly. * sd-id128.h gained a new function sd_id128_get_boot_app_specific() which calculates an app-specific boot ID similar to how sd_id128_get_machine_app_specific() generates an app-specific machine ID. * A new tool systemd-id128 has been added that can be used to determine and generate various 128-bit IDs. * /etc/os-release gained two new standardized fields DOCUMENTATION_URL= and LOGO=. * systemd-hibernate-resume-generator will now honor the "noresume" kernel command line option, in which case it will bypass resuming from any hibernated image. * The systemd-sleep.conf configuration file gained new options AllowSuspend=, AllowHibernation=, AllowSuspendThenHibernate=, AllowHybridSleep= for prohibiting specific sleep modes even if the kernel exports them. * portablectl is now officially supported and has thus moved to /usr/bin/. * bootctl learnt the two new commands "set-default" and "set-oneshot" for setting the default boot loader item to boot to (either persistently or only for the next boot). This is currently only compatible with sd-boot, but may be implemented on other boot loaders too, that follow the boot loader interface. The updated interface is now documented here: https://systemd.io/BOOT_LOADER_INTERFACE * A new kernel command line option systemd.early_core_pattern= is now understood which may be used to influence the core_pattern PID 1 installs during early boot. * busctl learnt two new options -j and --json= for outputting method call replies, properties and monitoring output in JSON. * journalctl's JSON output now supports simple ANSI coloring as well as a new "json-seq" mode for generating RFC7464 output. * Unit files now support the %g/%G specifiers that resolve to the UNIX group/GID of the service manager runs as, similar to the existing %u/%U specifiers that resolve to the UNIX user/UID. * systemd-logind learnt a new global configuration option UserStopDelaySec= that may be set in logind.conf. It specifies how long the systemd --user instance shall remain started after a user logs out. This is useful to speed up repetitive re-connections of the same user, as it means the user's service manager doesn't have to be stopped/restarted on each iteration, but can be reused between subsequent options. This setting defaults to 10s. systemd-logind also exports two new properties on its Manager D-Bus objects indicating whether the system's lid is currently closed, and whether the system is on AC power. * systemd gained support for a generic boot counting logic, which generically permits automatic reverting to older boot loader entries if newer updated ones don't work. The boot loader side is implemented in sd-boot, but is kept open for other boot loaders too. For details see: https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT * The SuccessAction=/FailureAction= unit file settings now learnt two new parameters: "exit" and "exit-force", which result in immediate exiting of the service manager, and are only useful in systemd --user and container environments. * Unit files gained support for a pair of options FailureActionExitStatus=/SuccessActionExitStatus= for configuring the exit status to use as service manager exit status when SuccessAction=/FailureAction= is set to exit or exit-force. * A pair of LogRateLimitIntervalSec=/LogRateLimitBurst= per-service options may now be used to configure the log rate limiting applied by journald per-service. * systemd-analyze gained a new verb "timespan" for parsing and normalizing time span values (i.e. strings like "5min 7s 8us"). * systemd-analyze also gained a new verb "security" for analyzing the security and sand-boxing settings of services in order to determine an "exposure level" for them, indicating whether a service would benefit from more sand-boxing options turned on for them. * "systemd-analyze syscall-filter" will now also show system calls supported by the local kernel but not included in any of the defined groups. * .nspawn files now understand the Ephemeral= setting, matching the --ephemeral command line switch. * sd-event gained the new APIs sd_event_source_get_floating() and sd_event_source_set_floating() for controlling whether a specific event source is "floating", i.e. destroyed along with the even loop object itself. * Unit objects on D-Bus gained a new "Refs" property that lists all clients that currently have a reference on the unit (to ensure it is not unloaded). * The JoinControllers= option in system.conf is no longer supported, as it didn't work correctly, is hard to support properly, is legacy (as the concept only exists on cgroup v1) and apparently wasn't used. * Journal messages that are generated whenever a unit enters the failed state are now tagged with a unique MESSAGE_ID. Similarly, messages generated whenever a service process exits are now made recognizable, too. A tagged message is also emitted whenever a unit enters the "dead" state on success. * systemd-run gained a new switch --working-directory= for configuring the working directory of the service to start. A shortcut -d is equivalent, setting the working directory of the service to the current working directory of the invoking program. The new --shell (or just -S) option has been added for invoking the $SHELL of the caller as a service, and implies --pty --same-dir --wait --collect --service-type=exec. Or in other words, "systemd-run -S" is now the quickest way to quickly get an interactive in a fully clean and well-defined system service context. * machinectl gained a new verb "import-fs" for importing an OS tree from a directory. Moreover, when a directory or tarball is imported and single top-level directory found with the OS itself below the OS tree is automatically mangled and moved one level up. * systemd-importd will no longer set up an implicit btrfs loop-back file system on /var/lib/machines. If one is already set up, it will continue to be used. * A new generator "systemd-run-generator" has been added. It will synthesize a unit from one or more program command lines included in the kernel command line. This is very useful in container managers for example: # systemd-nspawn -i someimage.raw -b systemd.run='"some command line"' This will run "systemd-nspawn" on an image, invoke the specified command line and immediately shut down the container again, returning the command line's exit code. * The block device locking logic is now documented: https://systemd.io/BLOCK_DEVICE_LOCKING * loginctl and machinectl now optionally output the various tables in JSON using the --output= switch. It is our intention to add similar support to systemctl and all other commands. * udevadm's query and trigger verb now optionally take a .device unit name as argument. * systemd-udevd's network naming logic now understands a new net.naming_scheme= kernel command line switch, which may be used to pick a specific version of the naming scheme. This helps stabilizing interface names even as systemd/udev are updated and the naming logic is improved. * sd-id128.h learnt two new auxiliary helpers: sd_id128_is_allf() and SD_ID128_ALLF to test if a 128-bit ID is set to all 0xFF bytes, and to initialize one to all 0xFF. * After loading the SELinux policy systemd will now recursively relabel all files and directories listed in /run/systemd/relabel-extra.d/*.relabel (which should be simple newline separated lists of paths) in addition to the ones it already implicitly relabels in /run, /dev and /sys. After the relabelling is completed the *.relabel files (and /run/systemd/relabel-extra.d/) are removed. This is useful to permit initrds (i.e. code running before the SELinux policy is in effect) to generate files in the host filesystem safely and ensure that the correct label is applied during the transition to the host OS. * KERNEL API BREAKAGE: Linux kernel 4.18 changed behaviour regarding mknod() handling in user namespaces. Previously mknod() would always fail with EPERM in user namespaces. Since 4.18 mknod() will succeed but device nodes generated that way cannot be opened, and attempts to open them result in EPERM. This breaks the "graceful fallback" logic in systemd's PrivateDevices= sand-boxing option. This option is implemented defensively, so that when systemd detects it runs in a restricted environment (such as a user namespace, or an environment where mknod() is blocked through seccomp or absence of CAP_SYS_MKNOD) where device nodes cannot be created the effect of PrivateDevices= is bypassed (following the logic that 2nd-level sand-boxing is not essential if the system systemd runs in is itself already sand-boxed as a whole). This logic breaks with 4.18 in container managers where user namespacing is used: suddenly PrivateDevices= succeeds setting up a private /dev/ file system containing devices nodes — but when these are opened they don't work. At this point it is recommended that container managers utilizing user namespaces that intend to run systemd in the payload explicitly block mknod() with seccomp or similar, so that the graceful fallback logic works again. We are very sorry for the breakage and the requirement to change container configurations for newer kernels. It's purely caused by an incompatible kernel change. The relevant kernel developers have been notified about this userspace breakage quickly, but they chose to ignore it. * PermissionsStartOnly= setting is deprecated (but is still supported for backwards compatibility). The same functionality is provided by the more flexible "+", "!", and "!!" prefixes to ExecStart= and other commands. * $DBUS_SESSION_BUS_ADDRESS environment variable is not set by pam_systemd anymore. * The naming scheme for network devices was changed to always rename devices, even if they were already renamed by userspace. The "kernel" policy was changed to only apply as a fallback, if no other naming policy took effect. * The requirements to build systemd is bumped to meson-0.46 and python-3.5. Contributions from: afg, Alan Jenkins, Aleksei Timofeyev, Alexander Filippov, Alexander Kurtz, Alexey Bogdanenko, Andreas Henriksson, Andrew Jorgensen, Anita Zhang, apnix-uk, Arkan49, Arseny Maslennikov, asavah, Asbjørn Apeland, aszlig, Bastien Nocera, Ben Boeckel, Benedikt Morbach, Benjamin Berg, Bruce Zhang, Carlo Caione, Cedric Viou, Chen Qi, Chris Chiu, Chris Down, Chris Morin, Christian Rebischke, Claudius Ellsel, Colin Guthrie, dana, Daniel, Daniele Medri, Daniel Kahn Gillmor, Daniel Rusek, Daniel van Vugt, Dariusz Gadomski, Dave Reisner, David Anderson, Davide Cavalca, David Leeds, David Malcolm, David Strauss, David Tardon, Dimitri John Ledkov, Dmitry Torokhov, dj-kaktus, Dongsu Park, Elias Probst, Emil Soleyman, Erik Kooistra, Ervin Peters, Evgeni Golov, Evgeny Vereshchagin, Fabrice Fontaine, Faheel Ahmad, Faizal Luthfi, Felix Yan, Filipe Brandenburger, Franck Bui, Frank Schaefer, Frantisek Sumsal, Gautier Husson, Gianluca Boiano, Giuseppe Scrivano, glitsj16, Hans de Goede, Harald Hoyer, Harry Mallon, Harshit Jain, Helmut Grohne, Henry Tung, Hui Yiqun, imayoda, Insun Pyo, Iwan Timmer, Jan Janssen, Jan Pokorný, Jan Synacek, Jason A. Donenfeld, javitoom, Jérémy Nouhaud, Jeremy Su, Jiuyang Liu, João Paulo Rechi Vita, Joe Hershberger, Joe Rayhawk, Joerg Behrmann, Joerg Steffens, Jonas Dorel, Jon Ringle, Josh Soref, Julian Andres Klode, Jun Bo Bi, Jürg Billeter, Keith Busch, Khem Raj, Kirill Marinushkin, Larry Bernstone, Lennart Poettering, Lion Yang, Li Song, Lorenz Hübschle-Schneider, Lubomir Rintel, Lucas Werkmeister, Ludwin Janvier, Lukáš Nykrýn, Luke Shumaker, mal, Marc-Antoine Perennou, Marcin Skarbek, Marco Trevisan (Treviño), Marian Cepok, Mario Hros, Marko Myllynen, Markus Grimm, Martin Pitt, Martin Sobotka, Martin Wilck, Mathieu Trudel-Lapierre, Matthew Leeds, Michael Biebl, Michael Olbrich, Michael 'pbone' Pobega, Michael Scherer, Michal Koutný, Michal Sekletar, Michal Soltys, Mike Gilbert, Mike Palmer, Muhammet Kara, Neal Gompa, Neil Brown, Network Silence, Niklas Tibbling, Nikolas Nyby, Nogisaka Sadata, Oliver Smith, Patrik Flykt, Pavel Hrdina, Paweł Szewczyk, Peter Hutterer, Piotr Drąg, Ray Strode, Reinhold Mueller, Renaud Métrich, Roman Gushchin, Ronny Chevalier, Rubén Suárez Alvarez, Ruixin Bao, RussianNeuroMancer, Ryutaroh Matsumoto, Saleem Rashid, Sam Morris, Samuel Morris, Sandy Carter, scootergrisen, Sébastien Bacher, Sergey Ptashnick, Shawn Landden, Shengyao Xue, Shih-Yuan Lee (FourDollars), Silvio Knizek, Sjoerd Simons, Stasiek Michalski, Stephen Gallagher, Steven Allen, Steve Ramage, Susant Sahani, Sven Joachim, Sylvain Plantefève, Tanu Kaskinen, Tejun Heo, Thiago Macieira, Thomas Blume, Thomas Haller, Thomas H. P. Andersen, Tim Ruffing, TJ, Tobias Jungel, Todd Walton, Tommi Rantala, Tomsod M, Tony Novak, Tore Anderson, Trevonn, Victor Laskurain, Victor Tapia, Violet Halo, Vojtech Trefny, welaq, William A. Kennington III, William Douglas, Wyatt Ward, Xiang Fan, Xi Ruoyao, Xuanwo, Yann E. Morin, YmrDtnJu, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Zhang Xianwei, Zsolt Dollenstein — Warsaw, 2018-12-21 CHANGES WITH 239: * NETWORK INTERFACE DEVICE NAMING CHANGES: systemd-udevd's "net_id" builtin will name network interfaces differently than in previous versions for virtual network interfaces created with SR-IOV and NPAR and for devices where the PCI network controller device does not have a slot number associated. SR-IOV virtual devices are now named based on the name of the parent interface, with a suffix of "v", where is the virtual device number. Previously those virtual devices were named as if completely independent. The ninth and later NPAR virtual devices will be named following the scheme used for the first eight NPAR partitions. Previously those devices were not renamed and the kernel default (eth) was used. "net_id" will also generate names for PCI devices where the PCI network controller device does not have an associated slot number itself, but one of its parents does. Previously those devices were not renamed and the kernel default (eth) was used. * AF_INET and AF_INET6 are dropped from RestrictAddressFamilies= in systemd-logind.service. Since v235, IPAddressDeny=any has been set to the unit. So, it is expected that the default behavior of systemd-logind is not changed. However, if distribution packagers or administrators disabled or modified IPAddressDeny= setting by a drop-in config file, then it may be necessary to update the file to re-enable AF_INET and AF_INET6 to support network user name services, e.g. NIS. * When the RestrictNamespaces= unit property is specified multiple times, then the specified types are merged now. Previously, only the last assignment was used. So, if distribution packagers or administrators modified the setting by a drop-in config file, then it may be necessary to update the file. * When OnFailure= is used in combination with Restart= on a service unit, then the specified units will no longer be triggered on failures that result in restarting. Previously, the specified units would be activated each time the unit failed, even when the unit was going to be restarted automatically. This behaviour contradicted the documentation. With this release the code is adjusted to match the documentation. * systemd-tmpfiles will now print a notice whenever it encounters tmpfiles.d/ lines referencing the /var/run/ directory. It will recommend reworking them to use the /run/ directory instead (for which /var/run/ is simply a symlinked compatibility alias). This way systemd-tmpfiles can properly detect line conflicts and merge lines referencing the same file by two paths, without having to access them. * systemctl disable/unmask/preset/preset-all cannot be used with --runtime. Previously this was allowed, but resulted in unintuitive behaviour that wasn't useful. systemctl disable/unmask will now undo both runtime and persistent enablement/masking, i.e. it will remove any relevant symlinks both in /run and /etc. * Note that all long-running system services shipped with systemd will now default to a system call allow list (rather than a deny list, as before). In particular, systemd-udevd will now enforce one too. For most cases this should be safe, however downstream distributions which disabled sandboxing of systemd-udevd (specifically the MountFlags= setting), might want to disable this security feature too, as the default allow-listing will prohibit all mount, swap, reboot and clock changing operations from udev rules. * sd-boot acquired new loader configuration settings to optionally turn off Windows and MacOS boot partition discovery as well as reboot-into-firmware menu items. It is also able to pick a better screen resolution for HiDPI systems, and now provides loader configuration settings to change the resolution explicitly. * systemd-resolved now supports DNS-over-TLS. It's still turned off by default, use DNSOverTLS=opportunistic to turn it on in resolved.conf. We intend to make this the default as soon as couple of additional techniques for optimizing the initial latency caused by establishing a TLS/TCP connection are implemented. * systemd-resolved.service and systemd-networkd.service now set DynamicUser=yes. The users systemd-resolve and systemd-network are not created by systemd-sysusers anymore. NOTE: This has a chance of breaking nss-ldap and similar NSS modules that embed a network facing module into any process using getpwuid() or related call: the dynamic allocation of the user ID for systemd-resolved.service means the service manager has to check NSS if the user name is already taken when forking off the service. Since the user in the common case won't be defined in /etc/passwd the lookup is likely to trigger nss-ldap which in turn might use NSS to ask systemd-resolved for hostname lookups. This will hence result in a deadlock: a user name lookup in order to start systemd-resolved.service will result in a hostname lookup for which systemd-resolved.service needs to be started already. There are multiple ways to work around this problem: pre-allocate the "systemd-resolve" user on such systems, so that nss-ldap won't be triggered; or use a different NSS package that doesn't do networking in-process but provides a local asynchronous name cache; or configure the NSS package to avoid lookups for UIDs in the range `pkg-config systemd --variable=dynamicuidmin` … `pkg-config systemd --variable=dynamicuidmax`, so that it does not consider itself authoritative for the same UID range systemd allocates dynamic users from. * The systemd-resolve tool has been renamed to resolvectl (it also remains available under the old name, for compatibility), and its interface is now verb-based, similar in style to the other ctl tools, such as systemctl or loginctl. * The resolvectl/systemd-resolve tool also provides 'resolvconf' compatibility. It may be symlinked under the 'resolvconf' name, in which case it will take arguments and input compatible with the Debian and FreeBSD resolvconf tool. * Support for suspend-then-hibernate has been added, i.e. a sleep mode where the system initially suspends, and after a timeout resumes and hibernates again. * networkd's ClientIdentifier= now accepts a new option "duid-only". If set the client will only send a DUID as client identifier. (EDIT: the option was broken, and was dropped in v255.) * The nss-systemd glibc NSS module will now enumerate dynamic users and groups in effect. Previously, it could resolve UIDs/GIDs to user names/groups and vice versa, but did not support enumeration. * journald's Compress= configuration setting now optionally accepts a byte threshold value. All journal objects larger than this threshold will be compressed, smaller ones will not. Previously this threshold was not configurable and set to 512. * A new system.conf setting NoNewPrivileges= is now available which may be used to turn off acquisition of new privileges system-wide (i.e. set Linux' PR_SET_NO_NEW_PRIVS for PID 1 itself, and thus also for all its children). Note that turning this option on means setuid binaries and file system capabilities lose their special powers. While turning on this option is a big step towards a more secure system, doing so is likely to break numerous pre-existing UNIX tools, in particular su and sudo. * A new service systemd-time-sync-wait.service has been added. If enabled it will delay the time-sync.target unit at boot until time synchronization has been received from the network. This functionality is useful on systems lacking a local RTC or where it is acceptable that the boot process shall be delayed by external network services. * When hibernating, systemd will now inform the kernel of the image write offset, on kernels new enough to support this. This means swap files should work for hibernation now. * When loading unit files, systemd will now look for drop-in unit files extensions in additional places. Previously, for a unit file name "foo-bar-baz.service" it would look for dropin files in "foo-bar-baz.service.d/*.conf". Now, it will also look in "foo-bar-.service.d/*.conf" and "foo-.service.d/", i.e. at the service name truncated after all inner dashes. This scheme allows writing drop-ins easily that apply to a whole set of unit files at once. It's particularly useful for mount and slice units (as their naming is prefix based), but is also useful for service and other units, for packages that install multiple unit files at once, following a strict naming regime of beginning the unit file name with the package's name. Two new specifiers are now supported in unit files to match this: %j and %J are replaced by the part of the unit name following the last dash. * Unit files and other configuration files that support specifier expansion now understand another three new specifiers: %T and %V will resolve to /tmp and /var/tmp respectively, or whatever temporary directory has been set for the calling user. %E will expand to either /etc (for system units) or $XDG_CONFIG_HOME (for user units). * The ExecStart= lines of unit files are no longer required to reference absolute paths. If non-absolute paths are specified the specified binary name is searched within the service manager's built-in $PATH, which may be queried with 'systemd-path search-binaries-default'. It's generally recommended to continue to use absolute paths for all binaries specified in unit files. * Units gained a new load state "bad-setting", which is used when a unit file was loaded, but contained fatal errors which prevent it from being started (for example, a service unit has been defined lacking both ExecStart= and ExecStop= lines). * coredumpctl's "gdb" verb has been renamed to "debug", in order to support alternative debuggers, for example lldb. The old name continues to be available however, for compatibility reasons. Use the new --debugger= switch or the $SYSTEMD_DEBUGGER environment variable to pick an alternative debugger instead of the default gdb. * systemctl and the other tools will now output escape sequences that generate proper clickable hyperlinks in various terminal emulators where useful (for example, in the "systemctl status" output you can now click on the unit file name to quickly open it in the editor/viewer of your choice). Note that not all terminal emulators support this functionality yet, but many do. Unfortunately, the "less" pager doesn't support this yet, hence this functionality is currently automatically turned off when a pager is started (which happens quite often due to auto-paging). We hope to remove this limitation as soon as "less" learns these escape sequences. This new behaviour may also be turned off explicitly with the $SYSTEMD_URLIFY environment variable. For details on these escape sequences see: https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3cb5feda * networkd's .network files now support a new IPv6MTUBytes= option for setting the MTU used by IPv6 explicitly as well as a new MTUBytes= option in the [Route] section to configure the MTU to use for specific routes. It also gained support for configuration of the DHCP "UserClass" option through the new UserClass= setting. It gained three new options in the new [CAN] section for configuring CAN networks. The MULTICAST and ALLMULTI interface flags may now be controlled explicitly with the new Multicast= and AllMulticast= settings. * networkd will now automatically make use of the kernel's route expiration feature, if it is available. * udevd's .link files now support setting the number of receive and transmit channels, using the RxChannels=, TxChannels=, OtherChannels=, CombinedChannels= settings. * Support for UDPSegmentationOffload= has been removed, given its limited support in hardware, and waning software support. * networkd's .netdev files now support creating "netdevsim" interfaces. * PID 1 learnt a new bus call GetUnitByControlGroup() which may be used to query the unit belonging to a specific kernel control group. * systemd-analyze gained a new verb "cat-config", which may be used to dump the contents of any configuration file, with all its matching drop-in files added in, and honouring the usual search and masking logic applied to systemd configuration files. For example use "systemd-analyze cat-config systemd/system.conf" to get the complete system configuration file of systemd how it would be loaded by PID 1 itself. Similar to this, various tools such as systemd-tmpfiles or systemd-sysusers, gained a new option "--cat-config", which does the corresponding operation for their own configuration settings. For example, "systemd-tmpfiles --cat-config" will now output the full list of tmpfiles.d/ lines in place. * timedatectl gained three new verbs: "show" shows bus properties of systemd-timedated, "timesync-status" shows the current NTP synchronization state of systemd-timesyncd, and "show-timesync" shows bus properties of systemd-timesyncd. * systemd-timesyncd gained a bus interface on which it exposes details about its state. * A new environment variable $SYSTEMD_TIMEDATED_NTP_SERVICES is now understood by systemd-timedated. It takes a colon-separated list of unit names of NTP client services. The list is used by "timedatectl set-ntp". * systemd-nspawn gained a new --rlimit= switch for setting initial resource limits for the container payload. There's a new switch --hostname= to explicitly override the container's hostname. A new --no-new-privileges= switch may be used to control the PR_SET_NO_NEW_PRIVS flag for the container payload. A new --oom-score-adjust= switch controls the OOM scoring adjustment value for the payload. The new --cpu-affinity= switch controls the CPU affinity of the container payload. The new --resolv-conf= switch allows more detailed control of /etc/resolv.conf handling of the container. Similarly, the new --timezone= switch allows more detailed control of /etc/localtime handling of the container. * systemd-detect-virt gained a new --list switch, which will print a list of all currently known VM and container environments. * Support for "Portable Services" has been added, see doc/PORTABLE_SERVICES.md for details. Currently, the support is still experimental, but this is expected to change soon. Reflecting this experimental state, the "portablectl" binary is not installed into /usr/bin yet. The binary has to be called with the full path /usr/lib/systemd/portablectl instead. * journalctl's and systemctl's -o switch now knows a new log output mode "with-unit". The output it generates is very similar to the regular "short" mode, but displays the unit name instead of the syslog tag for each log line. Also, the date is shown with timezone information. This mode is probably more useful than the classic "short" output mode for most purposes, except where pixel-perfect compatibility with classic /var/log/messages formatting is required. * A new --dump-bus-properties switch has been added to the systemd binary, which may be used to dump all supported D-Bus properties. (Options which are still supported, but are deprecated, are *not* shown.) * sd-bus gained a set of new calls: sd_bus_slot_set_floating()/sd_bus_slot_get_floating() may be used to enable/disable the "floating" state of a bus slot object, i.e. whether the slot object pins the bus it is allocated for into memory or if the bus slot object gets disconnected when the bus goes away. sd_bus_open_with_description(), sd_bus_open_user_with_description(), sd_bus_open_system_with_description() may be used to allocate bus objects and set their description string already during allocation. * sd-event gained support for watching inotify events from the event loop, in an efficient way, sharing inotify handles between multiple users. For this a new function sd_event_add_inotify() has been added. * sd-event and sd-bus gained support for calling special user-supplied destructor functions for userdata pointers associated with sd_event_source, sd_bus_slot, and sd_bus_track objects. For this new functions sd_bus_slot_set_destroy_callback, sd_bus_slot_get_destroy_callback, sd_bus_track_set_destroy_callback, sd_bus_track_get_destroy_callback, sd_event_source_set_destroy_callback, sd_event_source_get_destroy_callback have been added. * The "net.ipv4.tcp_ecn" sysctl will now be turned on by default. * PID 1 will now automatically reschedule .timer units whenever the local timezone changes. (They previously got rescheduled automatically when the system clock changed.) * New documentation has been added to document cgroups delegation, portable services and the various code quality tools we have set up: https://github.com/systemd/systemd/blob/master/docs/CGROUP_DELEGATION.md https://github.com/systemd/systemd/blob/master/docs/PORTABLE_SERVICES.md https://github.com/systemd/systemd/blob/master/docs/CODE_QUALITY.md * The Boot Loader Specification has been added to the source tree. https://github.com/systemd/systemd/blob/master/docs/BOOT_LOADER_SPECIFICATION.md While moving it into our source tree we have updated it and further changes are now accepted through the usual github PR workflow. * pam_systemd will now look for PAM userdata fields systemd.memory_max, systemd.tasks_max, systemd.cpu_weight, systemd.io_weight set by earlier PAM modules. The data in these fields is used to initialize the session scope's resource properties. Thus external PAM modules may now configure per-session limits, for example sourced from external user databases. * socket units with Accept=yes will now maintain a "refused" counter in addition to the existing "accepted" counter, counting connections refused due to the enforced limits. * The "systemd-path search-binaries-default" command may now be use to query the default, built-in $PATH PID 1 will pass to the services it manages. * A new unit file setting PrivateMounts= has been added. It's a boolean option. If enabled the unit's processes are invoked in their own file system namespace. Note that this behaviour is also implied if any other file system namespacing options (such as PrivateTmp=, PrivateDevices=, ProtectSystem=, …) are used. This option is hence primarily useful for services that do not use any of the other file system namespacing options. One such service is systemd-udevd.service where this is now used by default. * ConditionSecurity= gained a new value "uefi-secureboot" that is true when the system is booted in UEFI "secure mode". * A new unit "system-update-pre.target" is added, which defines an optional synchronization point for offline system updates, as implemented by the pre-existing "system-update.target" unit. It allows ordering services before the service that executes the actual update process in a generic way. * Systemd now emits warnings whenever .include syntax is used. Contributions from: Adam Duskett, Alan Jenkins, Alessandro Casale, Alexander Kurtz, Alex Gartrell, Anssi Hannula, Arnaud Rebillout, Brian J. Murrell, Bruno Vernay, Chris Lamb, Chris Lesiak, Christian Brauner, Christian Hesse, Christian Rebischke, Colin Guthrie, Daniel Dao, Daniel Lin, Danylo Korostil, Davide Cavalca, David Tardon, Dimitri John Ledkov, Dmitriy Geels, Douglas Christman, Elia Geretto, emelenas, Emil Velikov, Evgeny Vereshchagin, Felipe Sateler, Feng Sun, Filipe Brandenburger, Franck Bui, futpib, Giuseppe Scrivano, Guillem Jover, guixxx, Hannes Reinecke, Hans de Goede, Harald Hoyer, Henrique Dante de Almeida, Hiram van Paassen, Ian Miell, Igor Gnatenko, Ivan Shapovalov, Iwan Timmer, James Cowgill, Jan Janssen, Jan Synacek, Jared Kazimir, Jérémy Rosen, João Paulo Rechi Vita, Joost Heitbrink, Jui-Chi Ricky Liang, Jürg Billeter, Kai-Heng Feng, Karol Augustin, Kay Sievers, Krzysztof Nowicki, Lauri Tirkkonen, Lennart Poettering, Leonard König, Long Li, Luca Boccassi, Lucas Werkmeister, Marcel Hoppe, Marc Kleine-Budde, Mario Limonciello, Martin Jansa, Martin Wilck, Mathieu Malaterre, Matteo F. Vescovi, Matthew McGinn, Matthias-Christian Ott, Michael Biebl, Michael Olbrich, Michael Prokop, Michal Koutný, Michal Sekletar, Mike Gilbert, Mikhail Kasimov, Milan Broz, Milan Pässler, Mladen Pejaković, Muhammet Kara, Nicolas Boichat, Omer Katz, Paride Legovini, Paul Menzel, Paul Milliken, Pavel Hrdina, Peter A. Bigot, Peter D'Hoye, Peter Hutterer, Peter Jones, Philip Sequeira, Philip Withnall, Piotr Drąg, Radostin Stoyanov, Ricardo Salveti de Araujo, Ronny Chevalier, Rosen Penev, Rubén Suárez Alvarez, Ryan Gonzalez, Salvo Tomaselli, Sebastian Reichel, Sergey Ptashnick, Sergio Lindo Mansilla, Stefan Schweter, Stephen Hemminger, Stuart Hayes, Susant Sahani, Sylvain Plantefève, Thomas H. P. Andersen, Tobias Jungel, Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van Mourik, Yu Watanabe, Zbigniew Jędrzejewski-Szmek — Berlin, 2018-06-22 CHANGES WITH 238: * The MemoryAccounting= unit property now defaults to on. After discussions with the upstream control group maintainers we learnt that the negative impact of cgroup memory accounting on current kernels is finally relatively minimal, so that it should be safe to enable this by default without affecting system performance. Besides memory accounting only task accounting is turned on by default, all other forms of resource accounting (CPU, IO, IP) remain off for now, because it's not clear yet that their impact is small enough to move from opt-in to opt-out. We recommend downstreams to leave memory accounting on by default if kernel 4.14 or higher is primarily used. On very resource constrained systems or when support for old kernels is a necessity, -Dmemory-accounting-default=false can be used to revert this change. * rpm scriptlets to update the udev hwdb and rules (%udev_hwdb_update, %udev_rules_update) and the journal catalog (%journal_catalog_update) from the upgrade scriptlets of individual packages now do nothing. Transfiletriggers have been added which will perform those updates once at the end of the transaction. Similar transfiletriggers have been added to execute any sysctl.d and binfmt.d rules. Thus, it should be unnecessary to provide any scriptlets to execute this configuration from package installation scripts. * systemd-sysusers gained a mode where the configuration to execute is specified on the command line, but this configuration is not executed directly, but instead it is merged with the configuration on disk, and the result is executed. This is useful for package installation scripts which want to create the user before installing any files on disk (in case some of those files are owned by that user), while still allowing local admin overrides. This functionality is exposed to rpm scriptlets through a new %sysusers_create_package macro. Old %sysusers_create and %sysusers_create_inline macros are deprecated. A transfiletrigger for sysusers.d configuration is now installed, which means that it should be unnecessary to call systemd-sysusers from package installation scripts, unless the package installs any files owned by those newly-created users, in which case %sysusers_create_package should be used. * Analogous change has been done for systemd-tmpfiles: it gained a mode where the command-line configuration is merged with the configuration on disk. This is exposed as the new %tmpfiles_create_package macro, and %tmpfiles_create is deprecated. A transfiletrigger is installed for tmpfiles.d, hence it should be unnecessary to call systemd-tmpfiles from package installation scripts. * sysusers.d configuration for a user may now also specify the group number, in addition to the user number ("u username 123:456"), or without the user number ("u username -:456"). * Configution items for systemd-sysusers can now be specified as positional arguments when the new --inline switch is used. * The login shell of users created through sysusers.d may now be specified (previously, it was always /bin/sh for root and /sbin/nologin for other users). * systemd-analyze gained a new --global switch to look at global user configuration. It also gained a unit-paths verb to list the unit load paths that are compiled into systemd (which can be used with --systemd, --user, or --global). * udevadm trigger gained a new --settle/-w option to wait for any triggered events to finish (but just those, and not any other events which are triggered meanwhile). * The action that systemd-logind takes when the lid is closed and the machine is connected to external power can now be configured using HandleLidSwitchExternalPower= in logind.conf. Previously, this action was determined by HandleLidSwitch=, and, for backwards compatibility, is still is, if HandleLidSwitchExternalPower= is not explicitly set. * journalctl will periodically call sd_journal_process() to make it resilient against inotify queue overruns when journal files are rotated very quickly. * Two new functions in libsystemd — sd_bus_get_n_queued_read and sd_bus_get_n_queued_write — may be used to check the number of pending bus messages. * systemd gained a new org.freedesktop.systemd1.Manager.AttachProcessesToUnit dbus call which can be used to migrate foreign processes to scope and service units. The primary user for this new API is systemd itself: the systemd --user instance uses this call of the systemd --system instance to migrate processes if it itself gets the request to migrate processes and the kernel refuses this due to access restrictions. Thanks to this "systemd-run --scope --user …" works again in pure cgroup v2 environments when invoked from the user session scope. * A new TemporaryFileSystem= setting can be used to mask out part of the real file system tree with tmpfs mounts. This may be combined with BindPaths= and BindReadOnlyPaths= to hide files or directories not relevant to the unit, while still allowing some paths lower in the tree to be accessed. ProtectHome=tmpfs may now be used to hide user home and runtime directories from units, in a way that is mostly equivalent to "TemporaryFileSystem=/home /run/user /root". * Non-service units are now started with KeyringMode=shared by default. This means that mount and swapon and other mount tools have access to keys in the main keyring. * /sys/fs/bpf is now mounted automatically. * QNX virtualization is now detected by systemd-detect-virt and may be used in ConditionVirtualization=. * IPAccounting= may now be enabled also for slice units. * A new -Dsplit-bin= build configuration switch may be used to specify whether bin and sbin directories are merged, or if they should be included separately in $PATH and various listings of executable directories. The build configuration scripts will try to autodetect the proper values of -Dsplit-usr= and -Dsplit-bin= based on build system, but distributions are encouraged to configure this explicitly. * A new -Dok-color= build configuration switch may be used to change the colour of "OK" status messages. * UPGRADE ISSUE: serialization of units using JoinsNamespaceOf= with PrivateNetwork=yes was buggy in previous versions of systemd. This means that after the upgrade and daemon-reexec, any such units must be restarted. * INCOMPATIBILITY: as announced in the NEWS for 237, systemd-tmpfiles will not exclude read-only files owned by root from cleanup. Contributions from: Alan Jenkins, Alexander F Rødseth, Alexis Jeandet, Andika Triwidada, Andrei Gherzan, Ansgar Burchardt, antizealot1337, Batuhan Osman Taşkaya, Beniamino Galvani, Bill Yodlowsky, Caio Marcelo de Oliveira Filho, CuBiC, Daniele Medri, Daniel Mouritzen, Daniel Rusek, Davide Cavalca, Dimitri John Ledkov, Douglas Christman, Evgeny Vereshchagin, Faalagorn, Filipe Brandenburger, Franck Bui, futpib, Giacomo Longo, Gunnar Hjalmarsson, Hans de Goede, Hermann Gausterer, Iago López Galeiras, Jakub Filak, Jan Synacek, Jason A. Donenfeld, Javier Martinez Canillas, Jérémy Rosen, Lennart Poettering, Lucas Werkmeister, Mao Huang, Marco Gulino, Michael Biebl, Michael Vogt, MilhouseVH, Neal Gompa (ニール・ゴンパ), Oleander Reis, Olof Mogren, Patrick Uiterwijk, Peter Hutterer, Peter Portante, Piotr Drąg, Robert Antoni Buj Gelonch, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon Fowler, SjonHortensius, snorreflorre, Susant Sahani, Sylvain Plantefève, Thomas Blume, Thomas Haller, Vito Caputo, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Марко М. Костић (Marko M. Kostić) — Warsaw, 2018-03-05 CHANGES WITH 237: * Some keyboards come with a zoom see-saw or rocker which until now got mapped to the Linux "zoomin/out" keys in hwdb. However, these keycodes are not recognized by any major desktop. They now produce Up/Down key events so that they can be used for scrolling. * INCOMPATIBILITY: systemd-tmpfiles' "f" lines changed behaviour slightly: previously, if an argument was specified for lines of this type (i.e. the right-most column was set) this string was appended to existing files each time systemd-tmpfiles was run. This behaviour was different from what the documentation said, and not particularly useful, as repeated systemd-tmpfiles invocations would not be idempotent and grow such files without bounds. With this release behaviour has been altered to match what the documentation says: lines of this type only have an effect if the indicated files don't exist yet, and only then the argument string is written to the file. * FUTURE INCOMPATIBILITY: In systemd v238 we intend to slightly change systemd-tmpfiles behaviour: previously, read-only files owned by root were always excluded from the file "aging" algorithm (i.e. the automatic clean-up of directories like /tmp based on atime/mtime/ctime). We intend to drop this restriction, and age files by default even when owned by root and read-only. This behaviour was inherited from older tools, but there have been requests to remove it, and it's not obvious why this restriction was made in the first place. Please speak up now, if you are aware of software that requires this behaviour, otherwise we'll remove the restriction in v238. * A new environment variable $SYSTEMD_OFFLINE is now understood by systemctl. It takes a boolean argument. If on, systemctl assumes it operates on an "offline" OS tree, and will not attempt to talk to the service manager. Previously, this mode was implicitly enabled if a chroot() environment was detected, and this new environment variable now provides explicit control. * .path and .socket units may now be created transiently, too. Previously only service, mount, automount and timer units were supported as transient units. The systemd-run tool has been updated to expose this new functionality, you may hence use it now to bind arbitrary commands to path or socket activation on-the-fly from the command line. Moreover, almost all properties are now exposed for the unit types that already supported transient operation. * The systemd-mount command gained support for a new --owner= parameter which takes a user name, which is then resolved and included in uid= and gid= mount options string of the file system to mount. * A new unit condition ConditionControlGroupController= has been added that checks whether a specific cgroup controller is available. * Unit files, udev's .link files, and systemd-networkd's .netdev and .network files all gained support for a new condition ConditionKernelVersion= for checking against specific kernel versions. * In systemd-networkd, the [IPVLAN] section in .netdev files gained support for configuring device flags in the Flags= setting. In the same files, the [Tunnel] section gained support for configuring AllowLocalRemote=. The [Route] section in .network files gained support for configuring InitialCongestionWindow=, InitialAdvertisedReceiveWindow= and QuickAck=. The [DHCP] section now understands RapidCommit=. * systemd-networkd's DHCPv6 support gained support for Prefix Delegation. * sd-bus gained support for a new "watch-bind" feature. When this feature is enabled, an sd_bus connection may be set up to connect to an AF_UNIX socket in the file system as soon as it is created. This functionality is useful for writing early-boot services that automatically connect to the system bus as soon as it is started, without ugly time-based polling. systemd-networkd and systemd-resolved have been updated to make use of this functionality. busctl exposes this functionality in a new --watch-bind= command line switch. * sd-bus will now optionally synthesize a local "Connected" signal as soon as a D-Bus connection is set up fully. This message mirrors the already existing "Disconnected" signal which is synthesized when the connection is terminated. This signal is generally useful but particularly handy in combination with the "watch-bind" feature described above. Synthesizing of this message has to be requested explicitly through the new API call sd_bus_set_connected_signal(). In addition a new call sd_bus_is_ready() has been added that checks whether a connection is fully set up (i.e. between the "Connected" and "Disconnected" signals). * sd-bus gained two new calls sd_bus_request_name_async() and sd_bus_release_name_async() for asynchronously registering bus names. Similar, there is now sd_bus_add_match_async() for installing a signal match asynchronously. All of systemd's own services have been updated to make use of these calls. Doing these operations asynchronously has two benefits: it reduces the risk of deadlocks in case of cyclic dependencies between bus services, and it speeds up service initialization since synchronization points for bus round-trips are removed. * sd-bus gained two new calls sd_bus_match_signal() and sd_bus_match_signal_async(), which are similar to sd_bus_add_match() and sd_bus_add_match_async() but instead of taking a D-Bus match string take match fields as normal function parameters. * sd-bus gained two new calls sd_bus_set_sender() and sd_bus_message_set_sender() for setting the sender name of outgoing messages (either for all outgoing messages or for just one specific one). These calls are only useful in direct connections as on brokered connections the broker fills in the sender anyway, overwriting whatever the client filled in. * sd-event gained a new pseudo-handle that may be specified on all API calls where an "sd_event*" object is expected: SD_EVENT_DEFAULT. When used this refers to the default event loop object of the calling thread. Note however that this does not implicitly allocate one — which has to be done prior by using sd_event_default(). Similarly sd-bus gained three new pseudo-handles SD_BUS_DEFAULT, SD_BUS_DEFAULT_USER, SD_BUS_DEFAULT_SYSTEM that may be used to refer to the default bus of the specified type of the calling thread. Here too this does not implicitly allocate bus connection objects, this has to be done prior with sd_bus_default() and friends. * sd-event gained a new call pair sd_event_source_{get|set}_io_fd_own(). This may be used to request automatic closure of the file descriptor an IO event source watches when the event source is destroyed. * systemd-networkd gained support for natively configuring WireGuard connections. * In previous versions systemd synthesized user records both for the "nobody" (UID 65534) and "root" (UID 0) users in nss-systemd and internally. In order to simplify distribution-wide renames of the "nobody" user (like it is planned in Fedora: nfsnobody → nobody), a new transitional flag file has been added: if /etc/systemd/dont-synthesize-nobody exists synthesizing of the 65534 user and group record within the systemd codebase is disabled. * systemd-notify gained a new --uid= option for selecting the source user/UID to use for notification messages sent to the service manager. * journalctl gained a new --grep= option to list only entries in which the message matches a certain pattern. By default matching is case insensitive if the pattern is lowercase, and case sensitive otherwise. Option --case-sensitive=yes|no can be used to override this an specify case sensitivity or case insensitivity. * There's now a "systemd-analyze service-watchdogs" command for printing the current state of the service runtime watchdog, and optionally enabling or disabling the per-service watchdogs system-wide if given a boolean argument (i.e. the concept you configure in WatchdogSec=), for debugging purposes. There's also a kernel command line option systemd.service_watchdogs= for controlling the same. * Two new "log-level" and "log-target" options for systemd-analyze were added that merge the now deprecated get-log-level, set-log-level and get-log-target, set-log-target pairs. The deprecated options are still understood for backwards compatibility. The two new options print the current value when no arguments are given, and set them when a level/target is given as an argument. * sysusers.d's "u" lines now optionally accept both a UID and a GID specification, separated by a ":" character, in order to create users where UID and GID do not match. Contributions from: Adam Duskett, Alan Jenkins, Alexander Kuleshov, Alexis Deruelle, Andrew Jeddeloh, Armin Widegreen, Batuhan Osman Taşkaya, Björn Esser, bleep_blop, Bruce A. Johnson, Chris Down, Clinton Roy, Colin Walters, Daniel Rusek, Dimitri John Ledkov, Dmitry Rozhkov, Evgeny Vereshchagin, Ewout van Mansom, Felipe Sateler, Franck Bui, Frantisek Sumsal, George Gaydarov, Gianluca Boiano, Hans-Christian Noren Egtvedt, Hans de Goede, Henrik Grindal Bakken, Jan Alexander Steffens, Jan Klötzke, Jason A. Donenfeld, jdkbx, Jérémy Rosen, Jerónimo Borque, John Lin, John Paul Herold, Jonathan Rudenberg, Jörg Thalheim, Ken (Bitsko) MacLeod, Larry Bernstone, Lennart Poettering, Lucas Werkmeister, Maciej S. Szmigiero, Marek Čermák, Martin Pitt, Mathieu Malaterre, Matthew Thode, Matthias-Christian Ott, Max Harmathy, Michael Biebl, Michael Vogt, Michal Koutný, Michal Sekletar, Michał Szczepański, Mike Gilbert, Nathaniel McCallum, Nicolas Chauvet, Olaf Hering, Olivier Schwander, Patrik Flykt, Paul Cercueil, Peter Hutterer, Piotr Drąg, Raphael Vogelgsang, Reverend Homer, Robert Kolchmeyer, Samuel Dionne-Riel, Sergey Ptashnick, Shawn Landden, Susant Sahani, Sylvain Plantefève, Thomas H. P. Andersen, Thomas Huth, Tomasz Bachorski, Vladislav Vishnyakov, Wieland Hoffmann, Yu Watanabe, Zachary Winnerman, Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски, Дилян Палаузов — Brno, 2018-01-28 CHANGES WITH 236: * The modprobe.d/ drop-in for the bonding.ko kernel module introduced in v235 has been extended to also set the dummy.ko module option numdummies=0, preventing the kernel from automatically creating dummy0. All dummy interfaces must now be explicitly created. * Unknown '%' specifiers in configuration files are now rejected. This applies to units and tmpfiles.d configuration. Any percent characters that are followed by a letter or digit that are not supposed to be interpreted as the beginning of a specifier should be escaped by doubling ("%%"). (So "size=5%" is still accepted, as well as "size=5%,foo=bar", but not "LABEL=x%y%z" since %y and %z are not valid specifiers today.) * systemd-resolved now maintains a new dynamic /run/systemd/resolve/stub-resolv.conf compatibility file. It is recommended to make /etc/resolv.conf a symlink to it. This file points at the systemd-resolved stub DNS 127.0.0.53 resolver and includes dynamically acquired search domains, achieving more correct DNS resolution by software that bypasses local DNS APIs such as NSS. * The "uaccess" udev tag has been dropped from /dev/kvm and /dev/dri/renderD*. These devices now have the 0666 permissions by default (but this may be changed at build-time). /dev/dri/renderD* will now be owned by the "render" group along with /dev/kfd. * "DynamicUser=yes" has been enabled for systemd-timesyncd.service, systemd-journal-gatewayd.service and systemd-journal-upload.service. This means "nss-systemd" must be enabled in /etc/nsswitch.conf to ensure the UIDs assigned to these services are resolved properly. * In /etc/fstab two new mount options are now understood: x-systemd.makefs and x-systemd.growfs. The former has the effect that the configured file system is formatted before it is mounted, the latter that the file system is resized to the full block device size after it is mounted (i.e. if the file system is smaller than the partition it resides on, it's grown). This is similar to the fsck logic in /etc/fstab, and pulls in systemd-makefs@.service and systemd-growfs@.service as necessary, similar to systemd-fsck@.service. Resizing is currently only supported on ext4 and btrfs. * In systemd-networkd, the IPv6 RA logic now optionally may announce DNS server and domain information. * Support for the LUKS2 on-disk format for encrypted partitions has been added. This requires libcryptsetup2 during compilation and runtime. * The systemd --user instance will now signal "readiness" when its basic.target unit has been reached, instead of when the run queue ran empty for the first time. * Tmpfiles.d with user configuration are now also supported. systemd-tmpfiles gained a new --user switch, and snippets placed in ~/.config/user-tmpfiles.d/ and corresponding directories will be executed by systemd-tmpfiles --user running in the new systemd-tmpfiles-setup.service and systemd-tmpfiles-clean.service running in the user session. * Unit files and tmpfiles.d snippets learnt three new % specifiers: %S resolves to the top-level state directory (/var/lib for the system instance, $XDG_CONFIG_HOME for the user instance), %C resolves to the top-level cache directory (/var/cache for the system instance, $XDG_CACHE_HOME for the user instance), %L resolves to the top-level logs directory (/var/log for the system instance, $XDG_CONFIG_HOME/log/ for the user instance). This matches the existing %t specifier, that resolves to the top-level runtime directory (/run for the system instance, and $XDG_RUNTIME_DIR for the user instance). * journalctl learnt a new parameter --output-fields= for limiting the set of journal fields to output in verbose and JSON output modes. * systemd-timesyncd's configuration file gained a new option RootDistanceMaxSec= for setting the maximum root distance of servers it'll use, as well as the new options PollIntervalMinSec= and PollIntervalMaxSec= to tweak the minimum and maximum poll interval. * bootctl gained a new command "list" for listing all available boot menu items on systems that follow the boot loader specification. * systemctl gained a new --dry-run switch that shows what would be done instead of doing it, and is currently supported by the shutdown and sleep verbs. * ConditionSecurity= can now detect the TOMOYO security module. * Unit file [Install] sections are now also respected in unit drop-in files. This is intended to be used by drop-ins under /usr/lib/. * systemd-firstboot may now also set the initial keyboard mapping. * Udev "changed" events for devices which are exposed as systemd .device units are now propagated to units specified in ReloadPropagatedFrom= as reload requests. * If a udev device has a SYSTEMD_WANTS= property containing a systemd unit template name (i.e. a name in the form of 'foobar@.service', without the instance component between the '@' and - the '.'), then the escaped sysfs path of the device is automatically used as the instance. * SystemCallFilter= in unit files has been extended so that an "errno" can be specified individually for each system call. Example: SystemCallFilter=~uname:EILSEQ. * The cgroup delegation logic has been substantially updated. Delegate= now optionally takes a list of controllers (instead of a boolean, as before), which lists the controllers to delegate at least. * The networkd DHCPv6 client now implements the FQDN option (RFC 4704). * A new LogLevelMax= setting configures the maximum log level any process of the service may log at (i.e. anything with a lesser priority than what is specified is automatically dropped). A new LogExtraFields= setting allows configuration of additional journal fields to attach to all log records generated by any of the unit's processes. * New StandardInputData= and StandardInputText= settings along with the new option StandardInput=data may be used to configure textual or binary data that shall be passed to the executed service process via standard input, encoded in-line in the unit file. * StandardInput=, StandardOutput= and StandardError= may now be used to connect stdin/stdout/stderr of executed processes directly with a file or AF_UNIX socket in the file system, using the new "file:" option. * A new unit file option CollectMode= has been added, that allows tweaking the garbage collection logic for units. It may be used to tell systemd to garbage collect units that have failed automatically (normally it only GCs units that exited successfully). systemd-run and systemd-mount expose this new functionality with a new -G option. * "machinectl bind" may now be used to bind mount non-directories (i.e. regularfiles, devices, fifos, sockets). * systemd-analyze gained a new verb "calendar" for validating and testing calendar time specifications to use for OnCalendar= in timer units. Besides validating the expression it will calculate the next time the specified expression would elapse. * In addition to the pre-existing FailureAction= unit file setting there's now SuccessAction=, for configuring a shutdown action to execute when a unit completes successfully. This is useful in particular inside containers that shall terminate after some workload has been completed. Also, both options are now supported for all unit types, not just services. * networkds's IP rule support gained two new options IncomingInterface= and OutgoingInterface= for configuring the incoming and outgoing interfaces of configured rules. systemd-networkd also gained support for "vxcan" network devices. * networkd gained a new setting RequiredForOnline=, taking a boolean. If set, systemd-wait-online will take it into consideration when determining that the system is up, otherwise it will ignore the interface for this purpose. * The sd_notify() protocol gained support for a new operation: with FDSTOREREMOVE=1 file descriptors may be removed from the per-service store again, ahead of POLLHUP or POLLERR when they are removed anyway. * A new document doc/UIDS-GIDS.md has been added to the source tree, that documents the UID/GID range and assignment assumptions and requirements of systemd. * The watchdog device PID 1 will ping may now be configured through the WatchdogDevice= configuration file setting, or by setting the systemd.watchdog_service= kernel command line option. * systemd-resolved's gained support for registering DNS-SD services on the local network using MulticastDNS. Services may either be registered by dropping in a .dnssd file in /etc/systemd/dnssd/ (or the same dir below /run, /usr/lib), or through its D-Bus API. * The sd_notify() protocol can now with EXTEND_TIMEOUT_USEC=microsecond extend the effective start, runtime, and stop time. The service must continue to send EXTEND_TIMEOUT_USEC within the period specified to prevent the service manager from making the service as timedout. * systemd-resolved's DNSSEC support gained support for RFC 8080 (Ed25519 keys and signatures). * The systemd-resolve command line tool gained a new set of options --set-dns=, --set-domain=, --set-llmnr=, --set-mdns=, --set-dnssec=, --set-nta= and --revert to configure per-interface DNS configuration dynamically during runtime. It's useful for pushing DNS information into systemd-resolved from DNS hook scripts that various interface managing software supports (such as pppd). * systemd-nspawn gained a new --network-namespace-path= command line option, which may be used to make a container join an existing network namespace, by specifying a path to a "netns" file. Contributions from: Alan Jenkins, Alan Robertson, Alessandro Ghedini, Andrew Jeddeloh, Antonio Rojas, Ari, asavah, bleep_blop, Carsten Strotmann, Christian Brauner, Christian Hesse, Clinton Roy, Collin Eggert, Cong Wang, Daniel Black, Daniel Lockyer, Daniel Rusek, Dimitri John Ledkov, Dmitry Rozhkov, Dongsu Park, Edward A. James, Evgeny Vereshchagin, Florian Klink, Franck Bui, Gwendal Grignou, Hans de Goede, Harald Hoyer, Hristo Venev, Iago López Galeiras, Ikey Doherty, Jakub Wilk, Jérémy Rosen, Jiahui Xie, John Lin, José Bollo, Josef Andersson, juga0, Krzysztof Nowicki, Kyle Walker, Lars Karlitski, Lars Kellogg-Stedman, Lauri Tirkkonen, Lennart Poettering, Lubomir Rintel, Luca Bruno, Lucas Werkmeister, Lukáš Nykrýn, Lukáš Říha, Lukasz Rubaszewski, Maciej S. Szmigiero, Mantas Mikulėnas, Marcus Folkesson, Martin Steuer, Mathieu Trudel-Lapierre, Matija Skala, Matthias-Christian Ott, Max Resch, Michael Biebl, Michael Vogt, Michal Koutný, Michal Sekletar, Mike Gilbert, Muhammet Kara, Neil Brown, Olaf Hering, Ondrej Kozina, Patrik Flykt, Patryk Kocielnik, Peter Hutterer, Piotr Drąg, Razvan Cojocaru, Robin McCorkell, Roland Hieber, Saran Tunyasuvunakool, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon Arlott, Simon Peeters, Stanislav Angelovič, Stefan Agner, Susant Sahani, Sylvain Plantefève, Thomas Blume, Thomas Haller, Tiago Salem Herrmann, Tinu Weber, Tom Stellard, Topi Miettinen, Torsten Hilbrich, Vito Caputo, Vladislav Vishnyakov, WaLyong Cho, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Zeal Jagannatha — Berlin, 2017-12-14 CHANGES WITH 235: * INCOMPATIBILITY: systemd-logind.service and other long-running services now run inside an IPv4/IPv6 sandbox, prohibiting them any IP communication with the outside. This generally improves security of the system, and is in almost all cases a safe and good choice, as these services do not and should not provide any network-facing functionality. However, systemd-logind uses the glibc NSS API to query the user database. This creates problems on systems where NSS is set up to directly consult network services for user database lookups. In particular, this creates incompatibilities with the "nss-nis" module, which attempts to directly contact the NIS/YP network servers it is configured for, and will now consistently fail. In such cases, it is possible to turn off IP sandboxing for systemd-logind.service (set IPAddressDeny= in its [Service] section to the empty string, via a .d/ unit file drop-in). Downstream distributions might want to update their nss-nis packaging to include such a drop-in snippet, accordingly, to hide this incompatibility from the user. Another option is to make use of glibc's nscd service to proxy such network requests through a privilege-separated, minimal local caching daemon, or to switch to more modern technologies such sssd, whose NSS hook-ups generally do not involve direct network access. In general, we think it's definitely time to question the implementation choices of nss-nis, i.e. whether it's a good idea today to embed a network-facing loadable module into all local processes that need to query the user database, including the most trivial and benign ones, such as "ls". For more details about IPAddressDeny= see below. * A new modprobe.d drop-in is now shipped by default that sets the bonding module option max_bonds=0. This overrides the kernel default, to avoid conflicts and ambiguity as to whether or not bond0 should be managed by systemd-networkd or not. This resolves multiple issues with bond0 properties not being applied, when bond0 is configured with systemd-networkd. Distributors may choose to not package this, however in that case users will be prevented from correctly managing bond0 interface using systemd-networkd. * systemd-analyze gained new verbs "get-log-level" and "get-log-target" which print the logging level and target of the system manager. They complement the existing "set-log-level" and "set-log-target" verbs used to change those values. * journald.conf gained a new boolean setting ReadKMsg= which defaults to on. If turned off kernel log messages will not be read by systemd-journald or included in the logs. It also gained a new setting LineMax= for configuring the maximum line length in STDOUT/STDERR log streams. The new default for this value is 48K, up from the previous hardcoded 2048. * A new unit setting RuntimeDirectoryPreserve= has been added, which allows more detailed control of what to do with a runtime directory configured with RuntimeDirectory= (i.e. a directory below /run or $XDG_RUNTIME_DIR) after a unit is stopped. * The RuntimeDirectory= setting for units gained support for creating deeper subdirectories below /run or $XDG_RUNTIME_DIR, instead of just one top-level directory. * Units gained new options StateDirectory=, CacheDirectory=, LogsDirectory= and ConfigurationDirectory= which are closely related to RuntimeDirectory= but manage per-service directories below /var/lib, /var/cache, /var/log and /etc. By making use of them it is possible to write unit files which when activated automatically gain properly owned service specific directories in these locations, thus making unit files self-contained and increasing compatibility with stateless systems and factory reset where /etc or /var are unpopulated at boot. Matching these new settings there's also StateDirectoryMode=, CacheDirectoryMode=, LogsDirectoryMode=, ConfigurationDirectoryMode= for configuring the access mode of these directories. These settings are particularly useful in combination with DynamicUser=yes as they provide secure, properly-owned, writable, and stateful locations for storage, excluded from the sandbox that such services live in otherwise. * Automake support has been removed from this release. systemd is now Meson-only. * systemd-journald will now aggressively cache client metadata during runtime, speeding up log write performance under pressure. This comes at a small price though: as much of the metadata is read asynchronously from /proc/ (and isn't implicitly attached to log datagrams by the kernel, like UID/GID/PID/SELinux are) this means the metadata stored alongside a log entry might be slightly out-of-date. Previously it could only be slightly newer than the log message. The time window is small however, and given that the kernel is unlikely to be improved anytime soon in this regard, this appears acceptable to us. * nss-myhostname/systemd-resolved will now by default synthesize an A/AAAA resource record for the "_gateway" hostname, pointing to the current default IP gateway. Previously it did that for the "gateway" name, hampering adoption, as some distributions wanted to leave that hostname open for local use. The old behaviour may still be requested at build time. * systemd-networkd's [Address] section in .network files gained a new Scope= setting for configuring the IP address scope. The [Network] section gained a new boolean setting ConfigureWithoutCarrier= that tells systemd-networkd to ignore link sensing when configuring the device. The [DHCP] section gained a new Anonymize= boolean option for turning on a number of options suggested in RFC 7844. A new [RoutingPolicyRule] section has been added for configuring the IP routing policy. The [Route] section has gained support for a new Type= setting which permits configuring blackhole/unreachable/prohibit routes. * The [VRF] section in .netdev files gained a new Table= setting for configuring the routing table to use. The [Tunnel] section gained a new Independent= boolean field for configuring tunnels independent of an underlying network interface. The [Bridge] section gained a new GroupForwardMask= option for configuration of propagation of link local frames between bridge ports. * The WakeOnLan= setting in .link files gained support for a number of new modes. A new TCP6SegmentationOffload= setting has been added for configuring TCP/IPv6 hardware segmentation offload. * The IPv6 RA sender implementation may now optionally send out RDNSS and RDNSSL records to supply DNS configuration to peers. * systemd-nspawn gained support for a new --system-call-filter= command line option for adding and removing entries in the default system call filter it applies. Moreover systemd-nspawn has been changed to implement a system call allow list instead of a deny list. * systemd-run gained support for a new --pipe command line option. If used the STDIN/STDOUT/STDERR file descriptors passed to systemd-run are directly passed on to the activated transient service executable. This allows invoking arbitrary processes as systemd services (for example to take benefit of dependency management, accounting management, resource management or log management that is done automatically for services) — while still allowing them to be integrated in a classic UNIX shell pipeline. * When a service sends RELOAD=1 via sd_notify() and reload propagation using ReloadPropagationTo= is configured, a reload is now propagated to configured units. (Previously this was only done on explicitly requested reloads, using "systemctl reload" or an equivalent command.) * For each service unit a restart counter is now kept: it is increased each time the service is restarted due to Restart=, and may be queried using "systemctl show -p NRestarts …". * New system call filter groups @aio, @sync, @chown, @setuid, @memlock, @signal and @timer have been added, for usage with SystemCallFilter= in unit files and the new --system-call-filter= command line option of systemd-nspawn (see above). * ExecStart= lines in unit files gained two new modifiers: when a command line is prefixed with "!" the command will be executed as configured, except for the credentials applied by setuid()/setgid()/setgroups(). It is very similar to the pre-existing "+", but does still apply namespacing options unlike "+". There's also "!!" now, which is mostly identical, but becomes a NOP on systems that support ambient capabilities. This is useful to write unit files that work with ambient capabilities where possible but automatically fall back to traditional privilege dropping mechanisms on systems where this is not supported. * ListenNetlink= settings in socket units now support RDMA netlink sockets. * A new unit file setting LockPersonality= has been added which permits locking down the chosen execution domain ("personality") of a service during runtime. * A new special target "getty-pre.target" has been added, which is ordered before all text logins, and may be used to order services before textual logins acquire access to the console. * systemd will now attempt to load the virtio-rng.ko kernel module very early on if a VM environment supporting this is detected. This should improve entropy during early boot in virtualized environments. * A _netdev option is now supported in /etc/crypttab that operates in a similar way as the same option in /etc/fstab: it permits configuring encrypted devices that need to be ordered after the network is up. Following this logic, two new special targets remote-cryptsetup-pre.target and remote-cryptsetup.target have been added that are to cryptsetup.target what remote-fs.target and remote-fs-pre.target are to local-fs.target. * Service units gained a new UnsetEnvironment= setting which permits unsetting specific environment variables for services that are normally passed to it (for example in order to mask out locale settings for specific services that can't deal with it). * Units acquired a new boolean option IPAccounting=. When turned on, IP traffic accounting (packet count as well as byte count) is done for the service, and shown as part of "systemctl status" or "systemd-run --wait". * Service units acquired two new options IPAddressAllow= and IPAddressDeny=, taking a list of IPv4 or IPv6 addresses and masks, for configuring a simple IP access control list for all sockets of the unit. These options are available also on .slice and .socket units, permitting flexible access list configuration for individual services as well as groups of services (as defined by a slice unit), including system-wide. Note that IP ACLs configured this way are enforced on every single IPv4 and IPv6 socket created by any process of the service unit, and apply to ingress as well as egress traffic. * If CPUAccounting= or IPAccounting= is turned on for a unit a new structured log message is generated each time the unit is stopped, containing information about the consumed resources of this invocation. * A new setting KeyringMode= has been added to unit files, which may be used to control how the kernel keyring is set up for executed processes. * "systemctl poweroff", "systemctl reboot", "systemctl halt", "systemctl kexec" and "systemctl exit" are now always asynchronous in behaviour (that is: these commands return immediately after the operation was enqueued instead of waiting for the operation to complete). Previously, "systemctl poweroff" and "systemctl reboot" were asynchronous on systems using systemd-logind (i.e. almost always, and like they were on sysvinit), and the other three commands were unconditionally synchronous. With this release this is cleaned up, and callers will see the same asynchronous behaviour on all systems for all five operations. * systemd-logind gained new Halt() and CanHalt() bus calls for halting the system. * .timer units now accept calendar specifications in other timezones than UTC or the local timezone. * The tmpfiles snippet var.conf has been changed to create /var/log/btmp with access mode 0660 instead of 0600. It was owned by the "utmp" group already, and it appears to be generally understood that members of "utmp" can modify/flush the utmp/wtmp/lastlog/btmp databases. Previously this was implemented correctly for all these databases excepts btmp, which has been opened up like this now too. Note that while the other databases are world-readable (i.e. 0644), btmp is not and remains more restrictive. * The systemd-resolve tool gained a new --reset-server-features switch. When invoked like this systemd-resolved will forget everything it learnt about the features supported by the configured upstream DNS servers, and restarts the feature probing logic on the next resolver look-up for them at the highest feature level again. * The status dump systemd-resolved sends to the logs upon receiving SIGUSR1 now also includes information about all DNS servers it is configured to use, and the features levels it probed for them. Contributions from: Abdó Roig-Maranges, Alan Jenkins, Alexander Kuleshov, Andreas Rammhold, Andrew Jeddeloh, Andrew Soutar, Ansgar Burchardt, Beniamino Galvani, Benjamin Berg, Benjamin Robin, Charles Huber, Christian Hesse, Daniel Berrange, Daniel Kahn Gillmor, Daniel Mack, Daniel Rusek, Daniel Șerbănescu, Davide Cavalca, Dimitri John Ledkov, Diogo Pereira, Djalal Harouni, Dmitriy Geels, Dmitry Torokhov, ettavolt, Evgeny Vereshchagin, Fabio Kung, Felipe Sateler, Franck Bui, Hans de Goede, Harald Hoyer, Insun Pyo, Ivan Kurnosov, Ivan Shapovalov, Jakub Wilk, Jan Synacek, Jason Gunthorpe, Jeremy Bicha, Jérémy Rosen, John Lin, jonasBoss, Jonathan Lebon, Jonathan Teh, Jon Ringle, Jörg Thalheim, Jouke Witteveen, juga0, Justin Capella, Justin Michaud, Kai-Heng Feng, Lennart Poettering, Lion Yang, Luca Bruno, Lucas Werkmeister, Lukáš Nykrýn, Marcel Hollerbach, Marcus Lundblad, Martin Pitt, Michael Biebl, Michael Grzeschik, Michal Sekletar, Mike Gilbert, Neil Brown, Nicolas Iooss, Patrik Flykt, pEJipE, Piotr Drąg, Russell Stuart, S. Fan, Shengyao Xue, Stefan Pietsch, Susant Sahani, Tejun Heo, Thomas Miller, Thomas Sailer, Tobias Hunger, Tomasz Pala, Tom Gundersen, Tommi Rantala, Topi Miettinen, Torstein Husebø, userwithuid, Vasilis Liaskovitis, Vito Caputo, WaLyong Cho, William Douglas, Xiang Fan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek — Berlin, 2017-10-06 CHANGES WITH 234: * Meson is now supported as build system in addition to Automake. It is our plan to remove Automake in one of our next releases, so that Meson becomes our exclusive build system. Hence, please start using the Meson build system in your downstream packaging. There's plenty of documentation around how to use Meson, the extremely brief summary: ./autogen.sh && ./configure && make && sudo make install becomes: meson build && ninja -C build && sudo ninja -C build install * Unit files gained support for a new JobRunningTimeoutUSec= setting, which permits configuring a timeout on the time a job is running. This is particularly useful for setting timeouts on jobs for .device units. * Unit files gained two new options ConditionUser= and ConditionGroup= for conditionalizing units based on the identity of the user/group running a systemd user instance. * systemd-networkd now understands a new FlowLabel= setting in the [VXLAN] section of .network files, as well as a Priority= in [Bridge], GVRP= + MVRP= + LooseBinding= + ReorderHeader= in [VLAN] and GatewayOnlink= + IPv6Preference= + Protocol= in [Route]. It also gained support for configuration of GENEVE links, and IPv6 address labels. The [Network] section gained the new IPv6ProxyNDP= setting. * .link files now understand a new Port= setting. * systemd-networkd's DHCP support gained support for DHCP option 119 (domain search list). * systemd-networkd gained support for serving IPv6 address ranges using the Router Advertisement protocol. The new .network configuration section [IPv6Prefix] may be used to configure the ranges to serve. This is implemented based on a new, minimal, native server implementation of RA. * journalctl's --output= switch gained support for a new parameter "short-iso-precise" for a mode where timestamps are shown as precise ISO date values. * systemd-udevd's "net_id" builtin may now generate stable network interface names from IBM PowerVM VIO devices as well as ACPI platform devices. * MulticastDNS support in systemd-resolved may now be explicitly enabled/disabled using the new MulticastDNS= configuration file option. * systemd-resolved may now optionally use libidn2 instead of the libidn for processing internationalized domain names. Support for libidn2 should be considered experimental and should not be enabled by default yet. * "machinectl pull-tar" and related call may now do verification of downloaded images using SUSE-style .sha256 checksum files in addition to the already existing support for validating using Ubuntu-style SHA256SUMS files. * sd-bus gained support for a new sd_bus_message_appendv() call which is va_list equivalent of sd_bus_message_append(). * sd-boot gained support for validating images using SHIM/MOK. * The SMACK code learnt support for "onlycap". * systemd-mount --umount is now much smarter in figuring out how to properly unmount a device given its mount or device path. * The code to call libnss_dns as a fallback from libnss_resolve when the communication with systemd-resolved fails was removed. This fallback was redundant and interfered with the [!UNAVAIL=return] suffix. See nss-resolve(8) for the recommended configuration. * systemd-logind may now be restarted without losing state. It stores the file descriptors for devices it manages in the system manager using the FDSTORE= mechanism. Please note that further changes in other components may be required to make use of this (for example Xorg has code to listen for stops of systemd-logind and terminate itself when logind is stopped or restarted, in order to avoid using stale file descriptors for graphical devices, which is now counterproductive and must be reverted in order for restarts of systemd-logind to be safe. See https://cgit.freedesktop.org/xorg/xserver/commit/?id=dc48bd653c7e101.) * All kernel-install plugins are called with the environment variable KERNEL_INSTALL_MACHINE_ID which is set to the machine ID given by /etc/machine-id. If the machine ID could not be determined, $KERNEL_INSTALL_MACHINE_ID will be empty. Plugins should not put anything in the entry directory (passed as the second argument) if $KERNEL_INSTALL_MACHINE_ID is empty. For backwards compatibility, a temporary directory is passed as the entry directory and removed after all the plugins exit. * If KERNEL_INSTALL_MACHINE_ID is set in /etc/machine-info, kernel-install will now use its value as the machine ID instead of the machine ID from /etc/machine-id. If KERNEL_INSTALL_MACHINE_ID isn't set in /etc/machine-info and no machine ID is set in /etc/machine-id, kernel-install will try to store the current machine ID there as KERNEL_INSTALL_MACHINE_ID. If there is no machine ID, kernel-install will generate a new UUID, store it in /etc/machine-info as KERNEL_INSTALL_MACHINE_ID and use it as the machine ID. Contributions from: Adrian Heine né Lang, Aggelos Avgerinos, Alexander Kurtz, Alexandros Frantzis, Alexey Brodkin, Alex Lu, Amir Pakdel, Amir Yalon, Anchor Cat, Anthony Parsons, Bastien Nocera, Benjamin Gilbert, Benjamin Robin, Boucman, Charles Plessy, Chris Chiu, Chris Lamb, Christian Brauner, Christian Hesse, Colin Walters, Daniel Drake, Danielle Church, Daniel Molkentin, Daniel Rusek, Daniel Wang, Davide Cavalca, David Herrmann, David Michael, Dax Kelson, Dimitri John Ledkov, Djalal Harouni, Dušan Kazik, Elias Probst, Evgeny Vereshchagin, Federico Di Pierro, Felipe Sateler, Felix Zhang, Franck Bui, Gary Tierney, George McCollister, Giedrius Statkevičius, Hans de Goede, hecke, Hendrik Westerberg, Hristo Venev, Ian Wienand, Insun Pyo, Ivan Shapovalov, James Cowgill, James Hemsing, Janne Heß, Jan Synacek, Jason Reeder, João Paulo Rechi Vita, John Paul Adrian Glaubitz, Jörg Thalheim, Josef Andersson, Josef Gajdusek, Julian Mehne, Kai Krakow, Krzysztof Jackiewicz, Lars Karlitski, Lennart Poettering, Lluís Gili, Lucas Werkmeister, Lukáš Nykrýn, Łukasz Stelmach, Mantas Mikulėnas, Marcin Bachry, Marcus Cooper, Mark Stosberg, Martin Pitt, Matija Skala, Matt Clarkson, Matthew Garrett, Matthias Greiner, Matthijs van Duin, Max Resch, Michael Biebl, Michal Koutný, Michal Sekletar, Michal Soltys, Michal Suchanek, Mike Gilbert, Nate Clark, Nathaniel R. Lewis, Neil Brown, Nikolai Kondrashov, Pascal S. de Kloe, Pat Riehecky, Patrik Flykt, Paul Kocialkowski, Peter Hutterer, Philip Withnall, Piotr Szydełko, Rafael Fontenelle, Ray Strode, Richard Maw, Roelf Wichertjes, Ronny Chevalier, Sarang S. Dalal, Sjoerd Simons, slodki, Stefan Schweter, Susant Sahani, Ted Wood, Thomas Blume, Thomas Haller, Thomas H. P. Andersen, Timothée Ravier, Tobias Jungel, Tobias Stoeckmann, Tom Gundersen, Tom Yan, Torstein Husebø, Umut Tezduyar Lindskog, userwithuid, Vito Caputo, Waldemar Brodkorb, WaLyong Cho, Yu, Li-Yu, Yusuke Nojima, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски — Berlin, 2017-07-12 CHANGES WITH 233: * The "hybrid" control group mode has been modified to improve compatibility with "legacy" cgroups-v1 setups. Specifically, the "hybrid" setup of /sys/fs/cgroup is now pretty much identical to "legacy" (including /sys/fs/cgroup/systemd as "name=systemd" named cgroups-v1 hierarchy), the only externally visible change being that the cgroups-v2 hierarchy is also mounted, to /sys/fs/cgroup/unified. This should provide a large degree of compatibility with "legacy" cgroups-v1, while taking benefit of the better management capabilities of cgroups-v2. * The default control group setup mode may be selected both a boot-time via a set of kernel command line parameters (specifically: systemd.unified_cgroup_hierarchy= and systemd.legacy_systemd_cgroup_controller=), as well as a compile-time default selected on the configure command line (--with-default-hierarchy=). The upstream default is "hybrid" (i.e. the cgroups-v1 + cgroups-v2 mixture discussed above) now, but this will change in a future systemd version to be "unified" (pure cgroups-v2 mode). The third option for the compile time option is "legacy", to enter pure cgroups-v1 mode. We recommend downstream distributions to default to "hybrid" mode for release distributions, starting with v233. We recommend "unified" for development distributions (specifically: distributions such as Fedora's rawhide) as that's where things are headed in the long run. Use "legacy" for greatest stability and compatibility only. * Note one current limitation of "unified" and "hybrid" control group setup modes: the kernel currently does not permit the systemd --user instance (i.e. unprivileged code) to migrate processes between two disconnected cgroup subtrees, even if both are managed and owned by the user. This effectively means "systemd-run --user --scope" doesn't work when invoked from outside of any "systemd --user" service or scope. Specifically, it is not supported from session scopes. We are working on fixing this in a future systemd version. (See #3388 for further details about this.) * DBus policy files are now installed into /usr rather than /etc. Make sure your system has dbus >= 1.9.18 running before upgrading to this version, or override the install path with --with-dbuspolicydir= . * All python scripts shipped with systemd (specifically: the various tests written in Python) now require Python 3. * systemd unit tests can now run standalone (without the source or build directories), and can be installed into /usr/lib/systemd/tests/ with 'make install-tests'. * Note that from this version on, CONFIG_CRYPTO_USER_API_HASH, CONFIG_CRYPTO_HMAC and CONFIG_CRYPTO_SHA256 need to be enabled in the kernel. * Support for the %c, %r, %R specifiers in unit files has been removed. Specifiers are not supposed to be dependent on configuration in the unit file itself (so that they resolve the same regardless where used in the unit files), but these specifiers were influenced by the Slice= option. * The shell invoked by debug-shell.service now defaults to /bin/sh in all cases. If distributions want to use a different shell for this purpose (for example Fedora's /sbin/sushell) they need to specify this explicitly at configure time using --with-debug-shell=. * The confirmation spawn prompt has been reworked to offer the following choices: (c)ontinue, proceed without asking anymore (D)ump, show the state of the unit (f)ail, don't execute the command and pretend it failed (h)elp (i)nfo, show a short summary of the unit (j)obs, show jobs that are in progress (s)kip, don't execute the command and pretend it succeeded (y)es, execute the command The 'n' choice for the confirmation spawn prompt has been removed, because its meaning was confusing. The prompt may now also be redirected to an alternative console by specifying the console as parameter to systemd.confirm_spawn=. * Services of Type=notify require a READY=1 notification to be sent during startup. If no such message is sent, the service now fails, even if the main process exited with a successful exit code. * Services that fail to start up correctly now always have their ExecStopPost= commands executed. Previously, they'd enter "failed" state directly, without executing these commands. * The option MulticastDNS= of network configuration files has acquired an actual implementation. With MulticastDNS=yes a host can resolve names of remote hosts and reply to mDNS A and AAAA requests. * When units are about to be started an additional check is now done to ensure that all dependencies of type BindsTo= (when used in combination with After=) have been started. * systemd-analyze gained a new verb "syscall-filter" which shows which system call groups are defined for the SystemCallFilter= unit file setting, and which system calls they contain. * A new system call filter group "@filesystem" has been added, consisting of various file system related system calls. Group "@reboot" has been added, covering reboot, kexec and shutdown related calls. Finally, group "@swap" has been added covering swap configuration related calls. * A new unit file option RestrictNamespaces= has been added that may be used to restrict access to the various process namespace types the Linux kernel provides. Specifically, it may be used to take away the right for a service unit to create additional file system, network, user, and other namespaces. This sandboxing option is particularly relevant due to the high amount of recently discovered namespacing related vulnerabilities in the kernel. * systemd-udev's .link files gained support for a new AutoNegotiation= setting for configuring Ethernet auto-negotiation. * systemd-networkd's .network files gained support for a new ListenPort= setting in the [DHCP] section to explicitly configure the UDP client port the DHCP client shall listen on. * .network files gained a new Unmanaged= boolean setting for explicitly excluding one or more interfaces from management by systemd-networkd. * The systemd-networkd ProxyARP= option has been renamed to IPV4ProxyARP=. Similarly, VXLAN-specific option ARPProxy= has been renamed to ReduceARPProxy=. The old names continue to be available for compatibility. * systemd-networkd gained support for configuring IPv6 Proxy NDP addresses via the new IPv6ProxyNDPAddress= .network file setting. * systemd-networkd's bonding device support gained support for two new configuration options ActiveSlave= and PrimarySlave=. * The various options in the [Match] section of .network files gained support for negative matching. * New systemd-specific mount options are now understood in /etc/fstab: x-systemd.mount-timeout= may be used to configure the maximum permitted runtime of the mount command. x-systemd.device-bound may be set to bind a mount point to its backing device unit, in order to automatically remove a mount point if its backing device is unplugged. This option may also be configured through the new SYSTEMD_MOUNT_DEVICE_BOUND udev property on the block device, which is now automatically set for all CDROM drives, so that mounted CDs are automatically unmounted when they are removed from the drive. x-systemd.after= and x-systemd.before= may be used to explicitly order a mount after or before another unit or mount point. * Enqueued start jobs for device units are now automatically garbage collected if there are no jobs waiting for them anymore. * systemctl list-jobs gained two new switches: with --after, for every queued job the jobs it's waiting for are shown; with --before the jobs which it's blocking are shown. * systemd-nspawn gained support for ephemeral boots from disk images (or in other words: --ephemeral and --image= may now be combined). Moreover, ephemeral boots are now supported for normal directories, even if the backing file system is not btrfs. Of course, if the file system does not support file system snapshots or reflinks, the initial copy operation will be relatively expensive, but this should still be suitable for many use cases. * Calendar time specifications in .timer units now support specifications relative to the end of a month by using "~" instead of "-" as separator between month and day. For example, "*-02~03" means "the third last day in February". In addition a new syntax for repeated events has been added using the "/" character. For example, "9..17/2:00" means "every two hours from 9am to 5pm". * systemd-socket-proxyd gained a new parameter --connections-max= for configuring the maximum number of concurrent connections. * sd-id128 gained a new API for generating unique IDs for the host in a way that does not leak the machine ID. Specifically, sd_id128_get_machine_app_specific() derives an ID based on the machine ID in a well-defined, non-reversible, stable way. This is useful whenever an identifier for the host is needed but where the identifier shall not be useful to identify the system beyond the scope of the application itself. (Internally this uses HMAC-SHA256 as keyed hash function using the machine ID as input.) * NotifyAccess= gained a new supported value "exec". When set notifications are accepted from all processes systemd itself invoked, including all control processes. * .nspawn files gained support for defining overlay mounts using the Overlay= and OverlayReadOnly= options. Previously this functionality was only available on the systemd-nspawn command line. * systemd-nspawn's --bind= and --overlay= options gained support for bind/overlay mounts whose source lies within the container tree by prefixing the source path with "+". * systemd-nspawn's --bind= and --overlay= options gained support for automatically allocating a temporary source directory in /var/tmp that is removed when the container dies. Specifically, if the source directory is specified as empty string this mechanism is selected. An example usage is --overlay=+/var::/var, which creates an overlay mount based on the original /var contained in the image, overlaid with a temporary directory in the host's /var/tmp. This way changes to /var are automatically flushed when the container shuts down. * systemd-nspawn --image= option does now permit raw file system block devices (in addition to images containing partition tables, as before). * The disk image dissection logic in systemd-nspawn gained support for automatically setting up LUKS encrypted as well as Verity protected partitions. When a container is booted from an encrypted image the passphrase is queried at start-up time. When a container with Verity data is started, the root hash is search in a ".roothash" file accompanying the disk image (alternatively, pass the root hash via the new --root-hash= command line option). * A new tool /usr/lib/systemd/systemd-dissect has been added that may be used to dissect disk images the same way as systemd-nspawn does it, following the Bootable Partition Specification. It may even be used to mount disk images with complex partition setups (including LUKS and Verity partitions) to a local host directory, in order to inspect them. This tool is not considered public API (yet), and is thus not installed into /usr/bin. Please do not rely on its existence, since it might go away or be changed in later systemd versions. * A new generator "systemd-verity-generator" has been added, similar in style to "systemd-cryptsetup-generator", permitting automatic setup of Verity root partitions when systemd boots up. In order to make use of this your partition setup should follow the Discoverable Partitions Specification, and the GPT partition ID of the root file system partition should be identical to the upper 128-bit of the Verity root hash. The GPT partition ID of the Verity partition protecting it should be the lower 128-bit of the Verity root hash. If the partition image follows this model it is sufficient to specify a single "roothash=" kernel command line argument to both configure which root image and verity partition to use as well as the root hash for it. Note that systemd-nspawn's Verity support follows the same semantics, meaning that disk images with proper Verity data in place may be booted in containers with systemd-nspawn as well as on physical systems via the verity generator. Also note that the "mkosi" tool available at https://github.com/systemd/mkosi has been updated to generate Verity protected disk images following this scheme. In fact, it has been updated to generate disk images that optionally implement a complete UEFI SecureBoot trust chain, involving a signed kernel and initrd image that incorporates such a root hash as well as a Verity-enabled root partition. * The hardware database (hwdb) udev supports has been updated to carry accelerometer quirks. * All system services are now run with a fresh kernel keyring set up for them. The invocation ID is stored by default in it, thus providing a safe, non-overridable way to determine the invocation ID of each service. * Service unit files gained new BindPaths= and BindReadOnlyPaths= options for bind mounting arbitrary paths in a service-specific way. When these options are used, arbitrary host or service files and directories may be mounted to arbitrary locations in the service's view. * Documentation has been added that lists all of systemd's low-level environment variables: https://github.com/systemd/systemd/blob/master/docs/ENVIRONMENT.md * sd-daemon gained a new API sd_is_socket_sockaddr() for determining whether a specific socket file descriptor matches a specified socket address. * systemd-firstboot has been updated to check for the systemd.firstboot= kernel command line option. It accepts a boolean and when set to false the first boot questions are skipped. * systemd-fstab-generator has been updated to check for the systemd.volatile= kernel command line option, which either takes an optional boolean parameter or the special value "state". If used the system may be booted in a "volatile" boot mode. Specifically, "systemd.volatile" is used, the root directory will be mounted as tmpfs, and only /usr is mounted from the actual root file system. If "systemd.volatile=state" is used, the root directory will be mounted as usual, but /var is mounted as tmpfs. This concept provides similar functionality as systemd-nspawn's --volatile= option, but provides it on physical boots. Use this option for implementing stateless systems, or testing systems with all state and/or configuration reset to the defaults. (Note though that many distributions are not prepared to boot up without a populated /etc or /var, though.) * systemd-gpt-auto-generator gained support for LUKS encrypted root partitions. Previously it only supported LUKS encrypted partitions for all other uses, except for the root partition itself. * Socket units gained support for listening on AF_VSOCK sockets for communication in virtualized QEMU environments. * The "configure" script gained a new option --with-fallback-hostname= for specifying the fallback hostname to use if none is configured in /etc/hostname. For example, by specifying --with-fallback-hostname=fedora it is possible to default to a hostname of "fedora" on pristine installations. * systemd-cgls gained support for a new --unit= switch for listing only the control groups of a specific unit. Similar --user-unit= has been added for listing only the control groups of a specific user unit. * systemd-mount gained a new --umount switch for unmounting a mount or automount point (and all mount/automount points below it). * systemd will now refuse full configuration reloads (via systemctl daemon-reload and related calls) unless at least 16MiB of free space are available in /run. This is a safety precaution in order to ensure that generators can safely operate after the reload completed. * A new unit file option RootImage= has been added, which has a similar effect as RootDirectory= but mounts the service's root directory from a disk image instead of plain directory. This logic reuses the same image dissection and mount logic that systemd-nspawn already uses, and hence supports any disk images systemd-nspawn supports, including those following the Discoverable Partition Specification, as well as Verity enabled images. This option enables systemd to run system services directly off disk images acting as resource bundles, possibly even including full integrity data. * A new MountAPIVFS= unit file option has been added, taking a boolean argument. If enabled /proc, /sys and /dev (collectively called the "API VFS") will be mounted for the service. This is only relevant if RootDirectory= or RootImage= is used for the service, as these mounts are of course in place in the host mount namespace anyway. * systemd-nspawn gained support for a new --pivot-root= switch. If specified the root directory within the container image is pivoted to the specified mount point, while the original root disk is moved to a different place. This option enables booting of ostree images directly with systemd-nspawn. * The systemd build scripts will no longer complain if the NTP server addresses are not changed from the defaults. Google now supports these NTP servers officially. We still recommend downstreams to properly register an NTP pool with the NTP pool project though. * coredumpctl gained a new "--reverse" option for printing the list of coredumps in reverse order. * coredumpctl will now show additional information about truncated and inaccessible coredumps, as well as coredumps that are still being processed. It also gained a new --quiet switch for suppressing additional informational message in its output. * coredumpctl gained support for only showing coredumps newer and/or older than specific timestamps, using the new --since= and --until= options, reminiscent of journalctl's options by the same name. * The systemd-coredump logic has been improved so that it may be reused to collect backtraces in non-compiled languages, for example in scripting languages such as Python. * machinectl will now show the UID shift of local containers, if user namespacing is enabled for them. * systemd will now optionally run "environment generator" binaries at configuration load time. They may be used to add environment variables to the environment block passed to services invoked. One user environment generator is shipped by default that sets up environment variables based on files dropped into /etc/environment.d and ~/.config/environment.d/. * systemd-resolved now includes the new, recently published 2017 DNSSEC root key (KSK). * hostnamed has been updated to report a new chassis type of "convertible" to cover "foldable" laptops that can both act as a tablet and as a laptop, such as various Lenovo Yoga devices. Contributions from: Adrián López, Alexander Galanin, Alexander Kochetkov, Alexandros Frantzis, Andrey Ulanov, Antoine Eiche, Baruch Siach, Bastien Nocera, Benjamin Robin, Björn, Brandon Philips, Cédric Schieli, Charles (Chas) Williams, Christian Hesse, Daniele Medri, Daniel Drake, Daniel Rusek, Daniel Wagner, Dan Streetman, Dave Reisner, David Glasser, David Herrmann, David Michael, Djalal Harouni, Dmitry Khlebnikov, Dmitry Rozhkov, Dongsu Park, Douglas Christman, Earnestly, Emil Soleyman, Eric Cook, Evgeny Vereshchagin, Felipe Sateler, Fionn Cleary, Florian Klink, Francesco Brozzu, Franck Bui, Gabriel Rauter, Gianluca Boiano, Giedrius Statkevičius, Graeme Lawes, Hans de Goede, Harald Hoyer, Ian Kelling, Ivan Shapovalov, Jakub Wilk, Janne Heß, Jan Synacek, Jason Reeder, Jonathan Boulle, Jörg Thalheim, Jouke Witteveen, Karl Kraus, Kees Cook, Keith Busch, Kieran Colford, kilian-k, Lennart Poettering, Lubomir Rintel, Lucas Werkmeister, Lukas Rusak, Maarten de Vries, Maks Naumov, Mantas Mikulėnas, Marc-Andre Lureau, Marcin Bachry, Mark Stosberg, Martin Ejdestig, Martin Pitt, Mauricio Faria de Oliveira, micah, Michael Biebl, Michael Shields, Michal Schmidt, Michal Sekletar, Michel Kraus, Mike Gilbert, Mikko Ylinen, Mirza Krak, Namhyung Kim, nikolaof, peoronoob, Peter Hutterer, Peter Körner, Philip Withnall, Piotr Drąg, Ray Strode, Reverend Homer, Rike-Benjamin Schuppner, Robert Kreuzer, Ronny Chevalier, Ruslan Bilovol, sammynx, Sergey Ptashnick, Sergiusz Urbaniak, Stefan Berger, Stefan Hajnoczi, Stefan Schweter, Stuart McLaren, Susant Sahani, Sylvain Plantefève, Taylor Smock, Tejun Heo, Thomas Blume, Thomas H. P. Andersen, Tibor Nagy, Tobias Stoeckmann, Tom Gundersen, Torstein Husebø, Viktar Vaŭčkievič, Viktor Mihajlovski, Vitaly Sulimov, Waldemar Brodkorb, Walter Garcia-Fontes, Wim de With, Yassine Imounachen, Yi EungJun, YunQiang Su, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Александр Тихонов — Berlin, 2017-03-01 CHANGES WITH 232: * udev now runs with MemoryDenyWriteExecute=, RestrictRealtime= and RestrictAddressFamilies= enabled. These sandboxing options should generally be compatible with the various external udev call-out binaries we are aware of, however there may be exceptions, in particular when exotic languages for these call-outs are used. In this case, consider turning off these settings locally. * The new RemoveIPC= option can be used to remove IPC objects owned by the user or group of a service when that service exits. * The new ProtectKernelModules= option can be used to disable explicit load and unload operations of kernel modules by a service. In addition access to /usr/lib/modules is removed if this option is set. * ProtectSystem= option gained a new value "strict", which causes the whole file system tree with the exception of /dev, /proc, and /sys, to be remounted read-only for a service. * The new ProtectKernelTunables= option can be used to disable modification of configuration files in /sys and /proc by a service. Various directories and files are remounted read-only, so access is restricted even if the file permissions would allow it. * The new ProtectControlGroups= option can be used to disable write access by a service to /sys/fs/cgroup. * Various systemd services have been hardened with ProtectKernelTunables=yes, ProtectControlGroups=yes, RestrictAddressFamilies=. * Support for dynamically creating users for the lifetime of a service has been added. If DynamicUser=yes is specified, user and group IDs will be allocated from the range 61184…65519 for the lifetime of the service. They can be resolved using the new nss-systemd.so NSS module. The module must be enabled in /etc/nsswitch.conf. Services started in this way have PrivateTmp= and RemoveIPC= enabled, so that any resources allocated by the service will be cleaned up when the service exits. They also have ProtectHome=read-only and ProtectSystem=strict enabled, so they are not able to make any permanent modifications to the system. * The nss-systemd module also always resolves root and nobody, making it possible to have no /etc/passwd or /etc/group files in minimal container or chroot environments. * Services may be started with their own user namespace using the new boolean PrivateUsers= option. Only root, nobody, and the uid/gid under which the service is running are mapped. All other users are mapped to nobody. * Support for the cgroup namespace has been added to systemd-nspawn. If supported by kernel, the container system started by systemd-nspawn will have its own view of the cgroup hierarchy. This new behaviour can be disabled using $SYSTEMD_NSPAWN_USE_CGNS environment variable. * The new MemorySwapMax= option can be used to limit the maximum swap usage under the unified cgroup hierarchy. * Support for the CPU controller in the unified cgroup hierarchy has been added, via the CPUWeight=, CPUStartupWeight=, CPUAccounting= options. This controller requires out-of-tree patches for the kernel and the support is provisional. * Mount and automount units may now be created transiently (i.e. dynamically at runtime via the bus API, instead of requiring unit files in the file system). * systemd-mount is a new tool which may mount file systems – much like mount(8), optionally pulling in additional dependencies through transient .mount and .automount units. For example, this tool automatically runs fsck on a backing block device before mounting, and allows the automount logic to be used dynamically from the command line for establishing mount points. This tool is particularly useful when dealing with removable media, as it will ensure fsck is run – if necessary – before the first access and that the file system is quickly unmounted after each access by utilizing the automount logic. This maximizes the chance that the file system on the removable media stays in a clean state, and if it isn't in a clean state is fixed automatically. * LazyUnmount=yes option for mount units has been added to expose the umount --lazy option. Similarly, ForceUnmount=yes exposes the --force option. * /efi will be used as the mount point of the EFI boot partition, if the directory is present, and the mount point was not configured through other means (e.g. fstab). If /efi directory does not exist, /boot will be used as before. This makes it easier to automatically mount the EFI partition on systems where /boot is used for something else. * When operating on GPT disk images for containers, systemd-nspawn will now mount the ESP to /boot or /efi according to the same rules as PID 1 running on a host. This allows tools like "bootctl" to operate correctly within such containers, in order to make container images bootable on physical systems. * disk/by-id and disk/by-path symlinks are now created for NVMe drives. * Two new user session targets have been added to support running graphical sessions under the systemd --user instance: graphical-session.target and graphical-session-pre.target. See systemd.special(7) for a description of how those targets should be used. * The vconsole initialization code has been significantly reworked to use KD_FONT_OP_GET/SET ioctls instead of KD_FONT_OP_COPY and better support unicode keymaps. Font and keymap configuration will now be copied to all allocated virtual consoles. * FreeBSD's bhyve virtualization is now detected. * Information recorded in the journal for core dumps now includes the contents of /proc/mountinfo and the command line of the process at the top of the process hierarchy (which is usually the init process of the container). * systemd-journal-gatewayd learned the --directory= option to serve files from the specified location. * journalctl --root=… can be used to peruse the journal in the /var/log/ directories inside of a container tree. This is similar to the existing --machine= option, but does not require the container to be active. * The hardware database has been extended to support ID_INPUT_TRACKBALL, used in addition to ID_INPUT_MOUSE to identify trackball devices. MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL hwdb property has been added to specify the click rate for mice which include a horizontal wheel with a click rate that is different than the one for the vertical wheel. * systemd-run gained a new --wait option that makes service execution synchronous. (Specifically, the command will not return until the specified service binary exited.) * systemctl gained a new --wait option that causes the start command to wait until the units being started have terminated again. * A new journal output mode "short-full" has been added which displays timestamps with abbreviated English day names and adds a timezone suffix. Those timestamps include more information than the default "short" output mode, and can be passed directly to journalctl's --since= and --until= options. * /etc/resolv.conf will be bind-mounted into containers started by systemd-nspawn, if possible, so any changes to resolv.conf contents are automatically propagated to the container. * The number of instances for socket-activated services originating from a single IP address can be limited with MaxConnectionsPerSource=, extending the existing setting of MaxConnections=. * systemd-networkd gained support for vcan ("Virtual CAN") interface configuration. * .netdev and .network configuration can now be extended through drop-ins. * UDP Segmentation Offload, TCP Segmentation Offload, Generic Segmentation Offload, Generic Receive Offload, Large Receive Offload can be enabled and disabled using the new UDPSegmentationOffload=, TCPSegmentationOffload=, GenericSegmentationOffload=, GenericReceiveOffload=, LargeReceiveOffload= options in the [Link] section of .link files. * The Spanning Tree Protocol, Priority, Aging Time, and the Default Port VLAN ID can be configured for bridge devices using the new STP=, Priority=, AgeingTimeSec=, and DefaultPVID= settings in the [Bridge] section of .netdev files. * The route table to which routes received over DHCP or RA should be added can be configured with the new RouteTable= option in the [DHCP] and [IPv6AcceptRA] sections of .network files. * The Address Resolution Protocol can be disabled on links managed by systemd-networkd using the ARP=no setting in the [Link] section of .network files. * New environment variables $SERVICE_RESULT, $EXIT_CODE and $EXIT_STATUS are set for ExecStop= and ExecStopPost= commands, and encode information about the result and exit codes of the current service runtime cycle. * systemd-sysctl will now configure kernel parameters in the order they occur in the configuration files. This matches what sysctl has been traditionally doing. * kernel-install "plugins" that are executed to perform various tasks after a new kernel is added and before an old one is removed can now return a special value to terminate the procedure and prevent any later plugins from running. * Journald's SplitMode=login setting has been deprecated. It has been removed from documentation, and its use is discouraged. In a future release it will be completely removed, and made equivalent to current default of SplitMode=uid. * Storage=both option setting in /etc/systemd/coredump.conf has been removed. With fast LZ4 compression storing the core dump twice is not useful. * The --share-system systemd-nspawn option has been replaced with an (undocumented) variable $SYSTEMD_NSPAWN_SHARE_SYSTEM, but the use of this functionality is discouraged. In addition the variables $SYSTEMD_NSPAWN_SHARE_NS_IPC, $SYSTEMD_NSPAWN_SHARE_NS_PID, $SYSTEMD_NSPAWN_SHARE_NS_UTS may be used to control the unsharing of individual namespaces. * "machinectl list" now shows the IP address of running containers in the output, as well as OS release information. * "loginctl list" now shows the TTY of each session in the output. * sd-bus gained new API calls sd_bus_track_set_recursive(), sd_bus_track_get_recursive(), sd_bus_track_count_name(), sd_bus_track_count_sender(). They permit usage of sd_bus_track peer tracking objects in a "recursive" mode, where a single client can be counted multiple times, if it takes multiple references. * sd-bus gained new API calls sd_bus_set_exit_on_disconnect() and sd_bus_get_exit_on_disconnect(). They may be used to make a process using sd-bus automatically exit if the bus connection is severed. * Bus clients of the service manager may now "pin" loaded units into memory, by taking an explicit reference on them. This is useful to ensure the client can retrieve runtime data about the service even after the service completed execution. Taking such a reference is available only for privileged clients and should be helpful to watch running services in a race-free manner, and in particular collect information about exit statuses and results. * The nss-resolve module has been changed to strictly return UNAVAIL when communication via D-Bus with resolved failed, and NOTFOUND when a lookup completed but was negative. This means it is now possible to neatly configure fallbacks using nsswitch.conf result checking expressions. Taking benefit of this, the new recommended configuration line for the "hosts" entry in /etc/nsswitch.conf is: hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname * A new setting CtrlAltDelBurstAction= has been added to /etc/systemd/system.conf which may be used to configure the precise behaviour if the user on the console presses Ctrl-Alt-Del more often than 7 times in 2s. Previously this would unconditionally result in an expedited, immediate reboot. With this new setting the precise operation may be configured in more detail, and also turned off entirely. * In .netdev files two new settings RemoteChecksumTx= and RemoteChecksumRx= are now understood that permit configuring the remote checksumming logic for VXLAN networks. * The service manager learnt a new "invocation ID" concept for invoked services. Each runtime cycle of a service will get a new invocation ID (a 128-bit random UUID) assigned that identifies the current run of the service uniquely and globally. A new invocation ID is generated each time a service starts up. The journal will store the invocation ID of a service along with any logged messages, thus making the invocation ID useful for matching the online runtime of a service with the offline log data it generated in a safe way without relying on synchronized timestamps. In many ways this new service invocation ID concept is similar to the kernel's boot ID concept that uniquely and globally identifies the runtime of each boot. The invocation ID of a service is passed to the service itself via an environment variable ($INVOCATION_ID). A new bus call GetUnitByInvocationID() has been added that is similar to GetUnit() but instead of retrieving the bus path for a unit by its name retrieves it by its invocation ID. The returned path is valid only as long as the passed invocation ID is current. * systemd-resolved gained a new "DNSStubListener" setting in resolved.conf. It either takes a boolean value or the special values "udp" and "tcp", and configures whether to enable the stub DNS listener on 127.0.0.53:53. * IP addresses configured via networkd may now carry additional configuration settings supported by the kernel. New options include: HomeAddress=, DuplicateAddressDetection=, ManageTemporaryAddress=, PrefixRoute=, AutoJoin=. * The PAM configuration fragment file for "user@.service" shipped with systemd (i.e. the --user instance of systemd) has been stripped to the minimum necessary to make the system boot. Previously, it contained Fedora-specific stanzas that did not apply to other distributions. It is expected that downstream distributions add additional configuration lines, matching their needs to this file, using it only as rough template of what systemd itself needs. Note that this reduced fragment does not even include an invocation of pam_limits which most distributions probably want to add, even though systemd itself does not need it. (There's also the new build time option --with-pamconfdir=no to disable installation of the PAM fragment entirely.) * If PrivateDevices=yes is set for a service the CAP_SYS_RAWIO capability is now also dropped from its set (in addition to CAP_SYS_MKNOD as before). * In service unit files it is now possible to connect a specific named file descriptor with stdin/stdout/stdout of an executed service. The name may be specified in matching .socket units using the FileDescriptorName= setting. * A number of journal settings may now be configured on the kernel command line. Specifically, the following options are now understood: systemd.journald.max_level_console=, systemd.journald.max_level_store=, systemd.journald.max_level_syslog=, systemd.journald.max_level_kmsg=, systemd.journald.max_level_wall=. * "systemctl is-enabled --full" will now show by which symlinks a unit file is enabled in the unit dependency tree. * Support for VeraCrypt encrypted partitions has been added to the "cryptsetup" logic and /etc/crypttab. * systemd-detect-virt gained support for a new --private-users switch that checks whether the invoking processes are running inside a user namespace. Similar, a new special value "private-users" for the existing ConditionVirtualization= setting has been added, permitting skipping of specific units in user namespace environments. Contributions from: Alban Crequy, Alexander Kuleshov, Alfie John, Andreas Henriksson, Andrew Jeddeloh, Balázs Úr, Bart Rulon, Benjamin Richter, Ben Gamari, Ben Harris, Brian J. Murrell, Christian Brauner, Christian Rebischke, Clinton Roy, Colin Walters, Cristian Rodríguez, Daniel Hahler, Daniel Mack, Daniel Maixner, Daniel Rusek, Dan Dedrick, Davide Cavalca, David Herrmann, David Michael, Dennis Wassenberg, Djalal Harouni, Dongsu Park, Douglas Christman, Elias Probst, Eric Cook, Erik Karlsson, Evgeny Vereshchagin, Felipe Sateler, Felix Zhang, Franck Bui, George Hilliard, Giuseppe Scrivano, HATAYAMA Daisuke, Heikki Kemppainen, Hendrik Brueckner, hi117, Ismo Puustinen, Ivan Shapovalov, Jakub Filak, Jakub Wilk, Jan Synacek, Jason Kölker, Jean-Sébastien Bour, Jiří Pírko, Jonathan Boulle, Jorge Niedbalski, Keith Busch, kristbaum, Kyle Russell, Lans Zhang, Lennart Poettering, Leonardo Brondani Schenkel, Lucas Werkmeister, Luca Bruno, Lukáš Nykrýn, Maciek Borzecki, Mantas Mikulėnas, Marc-Antoine Perennou, Marcel Holtmann, Marcos Mello, Martin Ejdestig, Martin Pitt, Matej Habrnal, Maxime de Roucy, Michael Biebl, Michael Chapman, Michael Hoy, Michael Olbrich, Michael Pope, Michal Sekletar, Michal Soltys, Mike Gilbert, Nick Owens, Patrik Flykt, Paweł Szewczyk, Peter Hutterer, Piotr Drąg, Reid Price, Richard W.M. Jones, Roman Stingler, Ronny Chevalier, Seraphime Kirkovski, Stefan Schweter, Steve Muir, Susant Sahani, Tejun Heo, Thomas Blume, Thomas H. P. Andersen, Tiago Levit, Tobias Jungel, Tomáš Janoušek, Topi Miettinen, Torstein Husebø, Umut Tezduyar Lindskog, Vito Caputo, WaLyong Cho, Wilhelm Schuster, Yann E. MORIN, Yi EungJun, Yuki Inoguchi, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Zeal Jagannatha — Santa Fe, 2016-11-03 CHANGES WITH 231: * In service units the various ExecXYZ= settings have been extended with an additional special character as first argument of the assigned value: if the character '+' is used the specified command line it will be run with full privileges, regardless of User=, Group=, CapabilityBoundingSet= and similar options. The effect is similar to the existing PermissionsStartOnly= option, but allows configuration of this concept for each executed command line independently. * Services may now alter the service watchdog timeout at runtime by sending a WATCHDOG_USEC= message via sd_notify(). * MemoryLimit= and related unit settings now optionally take percentage specifications. The percentage is taken relative to the amount of physical memory in the system (or in case of containers, the assigned amount of memory). This allows scaling service resources neatly with the amount of RAM available on the system. Similarly, systemd-logind's RuntimeDirectorySize= option now also optionally takes percentage values. * In similar fashion TasksMax= takes percentage values now, too. The value is taken relative to the configured maximum number of processes on the system. The per-service task maximum has been changed to 15% using this functionality. (Effectively this is an increase of 512 → 4915 for service units, given the kernel's default pid_max setting.) * Calendar time specifications in .timer units now understand a ".." syntax for time ranges. Example: "4..7:10" may now be used for defining a timer that is triggered at 4:10am, 5:10am, 6:10am and 7:10am every day. * The InaccessableDirectories=, ReadOnlyDirectories= and ReadWriteDirectories= unit file settings have been renamed to InaccessablePaths=, ReadOnlyPaths= and ReadWritePaths= and may now be applied to all kinds of file nodes, and not just directories, with the exception of symlinks. Specifically these settings may now be used on block and character device nodes, UNIX sockets and FIFOS as well as regular files. The old names of these settings remain available for compatibility. * systemd will now log about all service processes it kills forcibly (using SIGKILL) because they remained after the clean shutdown phase of the service completed. This should help identifying services that shut down uncleanly. Moreover if KillUserProcesses= is enabled in systemd-logind's configuration a similar log message is generated for processes killed at the end of each session due to this setting. * systemd will now set the $JOURNAL_STREAM environment variable for all services whose stdout/stderr are connected to the Journal (which effectively means by default: all services). The variable contains the device and inode number of the file descriptor used for stdout/stderr. This may be used by invoked programs to detect whether their stdout/stderr is connected to the Journal, in which case they can switch over to direct Journal communication, thus being able to pass extended, structured metadata along with their log messages. As one example, this is now used by glib's logging primitives. * When using systemd's default tmp.mount unit for /tmp, the mount point will now be established with the "nosuid" and "nodev" options. This avoids privilege escalation attacks that put traps and exploits into /tmp. However, this might cause problems if you e.g. put container images or overlays into /tmp; if you need this, override tmp.mount's "Options=" with a drop-in, or mount /tmp from /etc/fstab with your desired options. * systemd now supports the "memory" cgroup controller also on cgroup v2. * The systemd-cgtop tool now optionally takes a control group path as command line argument. If specified, the control group list shown is limited to subgroups of that group. * The SystemCallFilter= unit file setting gained support for pre-defined, named system call filter sets. For example SystemCallFilter=@clock is now an effective way to make all clock changing-related system calls unavailable to a service. A number of similar pre-defined groups are defined. Writing system call filters for system services is simplified substantially with this new concept. Accordingly, all of systemd's own, long-running services now enable system call filtering based on this, by default. * A new service setting MemoryDenyWriteExecute= has been added, taking a boolean value. If turned on, a service may no longer create memory mappings that are writable and executable at the same time. This enhances security for services where this is enabled as it becomes harder to dynamically write and then execute memory in exploited service processes. This option has been enabled for all of systemd's own long-running services. * A new RestrictRealtime= service setting has been added, taking a boolean argument. If set the service's processes may no longer acquire realtime scheduling. This improves security as realtime scheduling may otherwise be used to easily freeze the system. * systemd-nspawn gained a new switch --notify-ready= taking a boolean value. This may be used for requesting that the system manager inside of the container reports start-up completion to nspawn which then propagates this notification further to the service manager supervising nspawn itself. A related option NotifyReady= in .nspawn files has been added too. This functionality allows ordering of the start-up of multiple containers using the usual systemd ordering primitives. * machinectl gained a new command "stop" that is an alias for "terminate". * systemd-resolved gained support for contacting DNS servers on link-local IPv6 addresses. * If systemd-resolved receives the SIGUSR2 signal it will now flush all its caches. A method call for requesting the same operation has been added to the bus API too, and is made available via "systemd-resolve --flush-caches". * systemd-resolve gained a new --status switch. If passed a brief summary of the used DNS configuration with per-interface information is shown. * resolved.conf gained a new Cache= boolean option, defaulting to on. If turned off local DNS caching is disabled. This comes with a performance penalty in particular when DNSSEC is enabled. Note that resolved disables its internal caching implicitly anyway, when the configured DNS server is on a host-local IP address such as ::1 or 127.0.0.1, thus automatically avoiding double local caching. * systemd-resolved now listens on the local IP address 127.0.0.53:53 for DNS requests. This improves compatibility with local programs that do not use the libc NSS or systemd-resolved's bus APIs for name resolution. This minimal DNS service is only available to local programs and does not implement the full DNS protocol, but enough to cover local DNS clients. A new, static resolv.conf file, listing just this DNS server is now shipped in /usr/lib/systemd/resolv.conf. It is now recommended to make /etc/resolv.conf a symlink to this file in order to route all DNS lookups to systemd-resolved, regardless if done via NSS, the bus API or raw DNS packets. Note that this local DNS service is not as fully featured as the libc NSS or systemd-resolved's bus APIs. For example, as unicast DNS cannot be used to deliver link-local address information (as this implies sending a local interface index along), LLMNR/mDNS support via this interface is severely restricted. It is thus strongly recommended for all applications to use the libc NSS API or native systemd-resolved bus API instead. * systemd-networkd's bridge support learned a new setting VLANFiltering= for controlling VLAN filtering. Moreover a new section in .network files has been added for configuring VLAN bridging in more detail: VLAN=, EgressUntagged=, PVID= in [BridgeVLAN]. * systemd-networkd's IPv6 Router Advertisement code now makes use of the DNSSL and RDNSS options. This means IPv6 DNS configuration may now be acquired without relying on DHCPv6. Two new options UseDomains= and UseDNS= have been added to configure this behaviour. * systemd-networkd's IPv6AcceptRouterAdvertisements= option has been renamed IPv6AcceptRA=, without altering its behaviour. The old setting name remains available for compatibility reasons. * The systemd-networkd VTI/VTI6 tunneling support gained new options Key=, InputKey= and OutputKey=. * systemd-networkd gained support for VRF ("Virtual Routing Function") interface configuration. * "systemctl edit" may now be used to create new unit files by specifying the --force switch. * sd-event gained a new function sd_event_get_iteration() for requesting the current iteration counter of the event loop. It starts at zero and is increased by one with each event loop iteration. * A new rpm macro %systemd_ordering is provided by the macros.systemd file. It can be used in lieu of %systemd_requires in packages which don't use any systemd functionality and are intended to be installed in minimal containers without systemd present. This macro provides ordering dependencies to ensure that if the package is installed in the same rpm transaction as systemd, systemd will be installed before the scriptlets for the package are executed, allowing unit presets to be handled. New macros %_systemdgeneratordir and %_systemdusergeneratordir have been added to simplify packaging of generators. * The os-release file gained VERSION_CODENAME field for the distribution nickname (e.g. VERSION_CODENAME=woody). * New udev property UDEV_DISABLE_PERSISTENT_STORAGE_RULES_FLAG=1 can be set to disable parsing of metadata and the creation of persistent symlinks for that device. * The v230 change to tag framebuffer devices (/dev/fb*) with "uaccess" to make them available to logged-in users has been reverted. * Much of the common code of the various systemd components is now built into an internal shared library libsystemd-shared-231.so (incorporating the systemd version number in the name, to be updated with future releases) that the components link to. This should decrease systemd footprint both in memory during runtime and on disk. Note that the shared library is not for public use, and is neither API nor ABI stable, but is likely to change with every new released update. Packagers need to make sure that binaries linking to libsystemd-shared.so are updated in step with the library. * Configuration for "mkosi" is now part of the systemd repository. mkosi is a tool to easily build legacy-free OS images, and is available on github: https://github.com/systemd/mkosi. If "mkosi" is invoked in the build tree a new raw OS image is generated incorporating the systemd sources currently being worked on and a clean, fresh distribution installation. The generated OS image may be booted up with "systemd-nspawn -b -i", qemu-kvm or on any physical UEFI PC. This functionality is particularly useful to easily test local changes made to systemd in a pristine, defined environment. See doc/HACKING for details. * configure learned the --with-support-url= option to specify the distribution's bugtracker. Contributions from: Alban Crequy, Alessandro Puccetti, Alessio Igor Bogani, Alexander Kuleshov, Alexander Kurtz, Alex Gaynor, Andika Triwidada, Andreas Pokorny, Andreas Rammhold, Andrew Jeddeloh, Ansgar Burchardt, Atrotors, Benjamin Drung, Brian Boylston, Christian Hesse, Christian Rebischke, Daniele Medri, Daniel Mack, Dave Reisner, David Herrmann, David Michael, Djalal Harouni, Douglas Christman, Elias Probst, Evgeny Vereshchagin, Federico Mena Quintero, Felipe Sateler, Franck Bui, Harald Hoyer, Ian Lee, Ivan Shapovalov, Jakub Wilk, Jan Janssen, Jean-Sébastien Bour, John Paul Adrian Glaubitz, Jouke Witteveen, Kai Ruhnau, kpengboy, Kyle Walker, Lénaïc Huard, Lennart Poettering, Luca Bruno, Lukas Lösche, Lukáš Nykrýn, mahkoh, Marcel Holtmann, Martin Pitt, Marty Plummer, Matthieu Codron, Max Prokhorov, Michael Biebl, Michael Karcher, Michael Olbrich, Michał Bartoszkiewicz, Michal Sekletar, Michal Soltys, Minkyung, Muhammet Kara, mulkieran, Otto Wallenius, Pablo Lezaeta Reyes, Peter Hutterer, Ronny Chevalier, Rusty Bird, Stef Walter, Susant Sahani, Tejun Heo, Thomas Blume, Thomas Haller, Thomas H. P. Andersen, Tobias Jungel, Tom Gundersen, Tom Yan, Topi Miettinen, Torstein Husebø, Valentin Vidić, Viktar Vaŭčkievič, WaLyong Cho, Weng Xuetian, Werner Fink, Zbigniew Jędrzejewski-Szmek — Berlin, 2016-07-25 CHANGES WITH 230: * DNSSEC is now turned on by default in systemd-resolved (in "allow-downgrade" mode), but may be turned off during compile time by passing "--with-default-dnssec=no" to "configure" (and of course, during runtime with DNSSEC= in resolved.conf). We recommend downstreams to leave this on at least during development cycles and report any issues with the DNSSEC logic upstream. We are very interested in collecting feedback about the DNSSEC validator and its limitations in the wild. Note however, that DNSSEC support is probably nothing downstreams should turn on in stable distros just yet, as it might create incompatibilities with a few DNS servers and networks. We tried hard to make sure we downgrade to non-DNSSEC mode automatically whenever we detect such incompatible setups, but there might be systems we do not cover yet. Hence: please help us testing the DNSSEC code, leave this on where you can, report back, but then again don't consider turning this on in your stable, LTS or production release just yet. (Note that you have to enable nss-resolve in /etc/nsswitch.conf, to actually use systemd-resolved and its DNSSEC mode for hostname resolution from local applications.) * systemd-resolve conveniently resolves DANE records with the --tlsa option and OPENPGPKEY records with the --openpgp option. It also supports dumping raw DNS record data via the new --raw= switch. * systemd-logind will now by default terminate user processes that are part of the user session scope unit (session-XX.scope) when the user logs out. This behavior is controlled by the KillUserProcesses= setting in logind.conf, and the previous default of "no" is now changed to "yes". This means that user sessions will be properly cleaned up after, but additional steps are necessary to allow intentionally long-running processes to survive logout. While the user is logged in at least once, user@.service is running, and any service that should survive the end of any individual login session can be started at a user service or scope using systemd-run. systemd-run(1) man page has been extended with an example which shows how to run screen in a scope unit underneath user@.service. The same command works for tmux. After the user logs out of all sessions, user@.service will be terminated too, by default, unless the user has "lingering" enabled. To effectively allow users to run long-term tasks even if they are logged out, lingering must be enabled for them. See loginctl(1) for details. The default polkit policy was modified to allow users to set lingering for themselves without authentication. Previous defaults can be restored at compile time by the --without-kill-user-processes option to "configure". * systemd-logind gained new configuration settings SessionsMax= and InhibitorsMax=, both with a default of 8192. It will not register new user sessions or inhibitors above this limit. * systemd-logind will now reload configuration on SIGHUP. * The unified cgroup hierarchy added in Linux 4.5 is now supported. Use systemd.unified_cgroup_hierarchy=1 on the kernel command line to enable. Also, support for the "io" cgroup controller in the unified hierarchy has been added, so that the "memory", "pids" and "io" are now the controllers that are supported on the unified hierarchy. WARNING: it is not possible to use previous systemd versions with systemd.unified_cgroup_hierarchy=1 and the new kernel. Therefore it is necessary to also update systemd in the initramfs if using the unified hierarchy. An updated SELinux policy is also required. * LLDP support has been extended, and both passive (receive-only) and active (sender) modes are supported. Passive mode ("routers-only") is enabled by default in systemd-networkd. Active LLDP mode is enabled by default for containers on the internal network. The "networkctl lldp" command may be used to list information gathered. "networkctl status" will also show basic LLDP information on connected peers now. * The IAID and DUID unique identifier sent in DHCP requests may now be configured for the system and each .network file managed by systemd-networkd using the DUIDType=, DUIDRawData=, IAID= options. * systemd-networkd gained support for configuring proxy ARP support for each interface, via the ProxyArp= setting in .network files. It also gained support for configuring the multicast querier feature of bridge devices, via the new MulticastQuerier= setting in .netdev files. Similarly, snooping on the IGMP traffic can be controlled via the new setting MulticastSnooping=. A new setting PreferredLifetime= has been added for addresses configured in .network file to configure the lifetime intended for an address. The systemd-networkd DHCP server gained the option EmitRouter=, which defaults to yes, to configure whether the DHCP Option 3 (Router) should be emitted. * The testing tool /usr/lib/systemd/systemd-activate is renamed to systemd-socket-activate and installed into /usr/bin. It is now fully supported. * systemd-journald now uses separate threads to flush changes to disk when closing journal files, thus reducing impact of slow disk I/O on logging performance. * The sd-journal API gained two new calls sd_journal_open_directory_fd() and sd_journal_open_files_fd() which can be used to open journal files using file descriptors instead of file or directory paths. sd_journal_open_container() has been deprecated, sd_journal_open_directory_fd() should be used instead with the flag SD_JOURNAL_OS_ROOT. * journalctl learned a new output mode "-o short-unix" that outputs log lines prefixed by their UNIX time (i.e. seconds since Jan 1st, 1970 UTC). It also gained support for a new --no-hostname setting to suppress the hostname column in the family of "short" output modes. * systemd-ask-password now optionally skips printing of the password to stdout with --no-output which can be useful in scripts. * Framebuffer devices (/dev/fb*) and 3D printers and scanners (devices tagged with ID_MAKER_TOOL) are now tagged with "uaccess" and are available to logged in users. * The DeviceAllow= unit setting now supports specifiers (with "%"). * "systemctl show" gained a new --value switch, which allows print a only the contents of a specific unit property, without also printing the property's name. Similar support was added to "show*" verbs of loginctl and machinectl that output "key=value" lists. * A new unit type "generated" was added for files dynamically generated by generator tools. Similarly, a new unit type "transient" is used for unit files created using the runtime API. "systemctl enable" will refuse to operate on such files. * A new command "systemctl revert" has been added that may be used to revert to the vendor version of a unit file, in case local changes have been made by adding drop-ins or overriding the unit file. * "machinectl clean" gained a new verb to automatically remove all or just hidden container images. * systemd-tmpfiles gained support for a new line type "e" for emptying directories, if they exist, without creating them if they don't. * systemd-nspawn gained support for automatically patching the UID/GIDs of the owners and the ACLs of all files and directories in a container tree to match the UID/GID user namespacing range selected for the container invocation. This mode is enabled via the new --private-users-chown switch. It also gained support for automatically choosing a free, previously unused UID/GID range when starting a container, via the new --private-users=pick setting (which implies --private-users-chown). Together, these options for the first time make user namespacing for nspawn containers fully automatic and thus deployable. The systemd-nspawn@.service template unit file has been changed to use this functionality by default. * systemd-nspawn gained a new --network-zone= switch, that allows creating ad-hoc virtual Ethernet links between multiple containers, that only exist as long as at least one container referencing them is running. This allows easy connecting of multiple containers with a common link that implements an Ethernet broadcast domain. Each of these network "zones" may be named relatively freely by the user, and may be referenced by any number of containers, but each container may only reference one of these "zones". On the lower level, this is implemented by an automatically managed bridge network interface for each zone, that is created when the first container referencing its zone is created and removed when the last one referencing its zone terminates. * The default start timeout may now be configured on the kernel command line via systemd.default_timeout_start_sec=. It was already configurable via the DefaultTimeoutStartSec= option in /etc/systemd/system.conf. * Socket units gained a new TriggerLimitIntervalSec= and TriggerLimitBurst= setting to configure a limit on the activation rate of the socket unit. * The LimitNICE= setting now optionally takes normal UNIX nice values in addition to the raw integer limit value. If the specified parameter is prefixed with "+" or "-" and is in the range -20…19 the value is understood as UNIX nice value. If not prefixed like this it is understood as raw RLIMIT_NICE limit. * Note that the effect of the PrivateDevices= unit file setting changed slightly with this release: the per-device /dev file system will be mounted read-only from this version on, and will have "noexec" set. This (minor) change of behavior might cause some (exceptional) legacy software to break, when PrivateDevices=yes is set for its service. Please leave PrivateDevices= off if you run into problems with this. * systemd-bootchart has been split out to a separate repository: https://github.com/systemd/systemd-bootchart * systemd-bus-proxyd has been removed, as kdbus is unlikely to still be merged into the kernel in its current form. * The compatibility libraries libsystemd-daemon.so, libsystemd-journal.so, libsystemd-id128.so, and libsystemd-login.so which have been deprecated since systemd-209 have been removed along with the corresponding pkg-config files. All symbols provided by those libraries are provided by libsystemd.so. * The Capabilities= unit file setting has been removed (it is ignored for backwards compatibility). AmbientCapabilities= and CapabilityBoundingSet= should be used instead. * A new special target has been added, initrd-root-device.target, which creates a synchronization point for dependencies of the root device in early userspace. Initramfs builders must ensure that this target is now included in early userspace. Contributions from: Alban Crequy, Alexander Kuleshov, Alexander Shopov, Alex Crawford, Andre Klärner, Andrew Eikum, Beniamino Galvani, Benjamin Robin, Biao Lu, Bjørnar Ness, Calvin Owens, Christian Hesse, Clemens Gruber, Colin Guthrie, Daniel Drake, Daniele Medri, Daniel J Walsh, Daniel Mack, Dan Nicholson, daurnimator, David Herrmann, David R. Hedges, Elias Probst, Emmanuel Gil Peyrot, EMOziko, Evgeny Vereshchagin, Federico, Felipe Sateler, Filipe Brandenburger, Franck Bui, frankheckenbach, gdamjan, Georgia Brikis, Harald Hoyer, Hendrik Brueckner, Hristo Venev, Iago López Galeiras, Ian Kelling, Ismo Puustinen, Jakub Wilk, Jaroslav Škarvada, Jeff Huang, Joel Holdsworth, John Paul Adrian Glaubitz, Jonathan Boulle, kayrus, Klearchos Chaloulos, Kyle Russell, Lars Uebernickel, Lennart Poettering, Lubomir Rintel, Lukáš Nykrýn, Mantas Mikulėnas, Marcel Holtmann, Martin Pitt, Michael Biebl, michaelolbrich, Michał Bartoszkiewicz, Michal Koutný, Michal Sekletar, Mike Frysinger, Mike Gilbert, Mingcong Bai, Ming Lin, mulkieran, muzena, Nalin Dahyabhai, Naohiro Aota, Nathan McSween, Nicolas Braud-Santoni, Patrik Flykt, Peter Hutterer, Peter Mattern, Petr Lautrbach, Petros Angelatos, Piotr Drąg, Rabin Vincent, Robert Węcławski, Ronny Chevalier, Samuel Tardieu, Stefan Saraev, Stefan Schallenberg aka nafets227, Steven Siloti, Susant Sahani, Sylvain Plantefève, Taylor Smock, Tejun Heo, Thomas Blume, Thomas Haller, Thomas H. P. Andersen, Tobias Klauser, Tom Gundersen, topimiettinen, Torstein Husebø, Umut Tezduyar Lindskog, Uwe Kleine-König, Victor Toso, Vinay Kulkarni, Vito Caputo, Vittorio G (VittGam), Vladimir Panteleev, Wieland Hoffmann, Wouter Verhelst, Yu Watanabe, Zbigniew Jędrzejewski-Szmek — Fairfax, 2016-05-21 CHANGES WITH 229: * The systemd-resolved DNS resolver service has gained a substantial set of new features, most prominently it may now act as a DNSSEC validating stub resolver. DNSSEC mode is currently turned off by default, but is expected to be turned on by default in one of the next releases. For now, we invite everybody to test the DNSSEC logic by setting DNSSEC=allow-downgrade in /etc/systemd/resolved.conf. The service also gained a full set of D-Bus interfaces, including calls to configure DNS and DNSSEC settings per link (for use by external network management software). systemd-resolved and systemd-networkd now distinguish between "search" and "routing" domains. The former are used to qualify single-label names, the latter are used purely for routing lookups within certain domains to specific links. resolved now also synthesizes RRs for all entries from /etc/hosts. * The systemd-resolve tool (which is a client utility for systemd-resolved) has been improved considerably and is now fully supported and documented. Hence it has moved from /usr/lib/systemd to /usr/bin. * /dev/disk/by-path/ symlink support has been (re-)added for virtio devices. * The coredump collection logic has been reworked: when a coredump is collected it is now written to disk, compressed and processed (including stacktrace extraction) from a new instantiated service systemd-coredump@.service, instead of directly from the /proc/sys/kernel/core_pattern hook we provide. This is beneficial as processing large coredumps can take up a substantial amount of resources and time, and this previously happened entirely outside of systemd's service supervision. With the new logic the core_pattern hook only does minimal metadata collection before passing off control to the new instantiated service, which is configured with a time limit, a nice level and other settings to minimize negative impact on the rest of the system. Also note that the new logic will honour the RLIMIT_CORE setting of the crashed process, which now allows users and processes to turn off coredumping for their processes by setting this limit. * The RLIMIT_CORE resource limit now defaults to "unlimited" for PID 1 and all forked processes by default. Previously, PID 1 would leave the setting at "0" for all processes, as set by the kernel. Note that the resource limit traditionally has no effect on the generated coredumps on the system if the /proc/sys/kernel/core_pattern hook logic is used. Since the limit is now honoured (see above) its default has been changed so that the coredumping logic is enabled by default for all processes, while allowing specific opt-out. * When the stacktrace is extracted from processes of system users, this is now done as "systemd-coredump" user, in order to sandbox this potentially security sensitive parsing operation. (Note that when processing coredumps of normal users this is done under the user ID of process that crashed, as before.) Packagers should take notice that it is now necessary to create the "systemd-coredump" system user and group at package installation time. * The systemd-activate socket activation testing tool gained support for SOCK_DGRAM and SOCK_SEQPACKET sockets using the new --datagram and --seqpacket switches. It also has been extended to support both new-style and inetd-style file descriptor passing. Use the new --inetd switch to request inetd-style file descriptor passing. * Most systemd tools now honor a new $SYSTEMD_COLORS environment variable, which takes a boolean value. If set to false, ANSI color output is disabled in the tools even when run on a terminal that supports it. * The VXLAN support in networkd now supports two new settings DestinationPort= and PortRange=. * A new systemd.machine_id= kernel command line switch has been added, that may be used to set the machine ID in /etc/machine-id if it is not initialized yet. This command line option has no effect if the file is already initialized. * systemd-nspawn gained a new --as-pid2 switch that invokes any specified command line as PID 2 rather than PID 1 in the container. In this mode PID 1 is a minimal stub init process that implements the special POSIX and Linux semantics of PID 1 regarding signal and child process management. Note that this stub init process is implemented in nspawn itself and requires no support from the container image. This new logic is useful to support running arbitrary commands in the container, as normal processes are generally not prepared to run as PID 1. * systemd-nspawn gained a new --chdir= switch for setting the current working directory for the process started in the container. * "journalctl /dev/sda" will now output all kernel log messages for specified device from the current boot, in addition to all devices that are parents of it. This should make log output about devices pretty useful, as long as kernel drivers attach enough metadata to the log messages. (The usual SATA drivers do.) * The sd-journal API gained two new calls sd_journal_has_runtime_files() and sd_journal_has_persistent_files() that report whether log data from /run or /var has been found. * journalctl gained a new switch "--fields" that prints all journal record field names currently in use in the journal. This is backed by two new sd-journal API calls sd_journal_enumerate_fields() and sd_journal_restart_fields(). * Most configurable timeouts in systemd now expect an argument of "infinity" to turn them off, instead of "0" as before. The semantics from now on is that a timeout of "0" means "now", and "infinity" means "never". To maintain backwards compatibility, "0" continues to turn off previously existing timeout settings. * "systemctl reload-or-try-restart" has been renamed to "systemctl try-reload-or-restart" to clarify what it actually does: the "try" logic applies to both reloading and restarting, not just restarting. The old name continues to be accepted for compatibility. * On boot-up, when PID 1 detects that the system clock is behind the release date of the systemd version in use, the clock is now set to the latter. Previously, this was already done in timesyncd, in order to avoid running with clocks set to the various clock epochs such as 1902, 1938 or 1970. With this change the logic is now done in PID 1 in addition to timesyncd during early boot-up, so that it is enforced before the first process is spawned by systemd. Note that the logic in timesyncd remains, as it is more comprehensive and ensures clock monotonicity by maintaining a persistent timestamp file in /var. Since /var is generally not available in earliest boot or the initrd, this part of the logic remains in timesyncd, and is not done by PID 1. * Support for tweaking details in net_cls.class_id through the NetClass= configuration directive has been removed, as the kernel people have decided to deprecate that controller in cgroup v2. Userspace tools such as nftables are moving over to setting rules that are specific to the full cgroup path of a task, which obsoletes these controllers anyway. The NetClass= directive is kept around for legacy compatibility reasons. For a more in-depth description of the kernel change, please refer to the respective upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bd1060a1d671 * A new service setting RuntimeMaxSec= has been added that may be used to specify a maximum runtime for a service. If the timeout is hit, the service is terminated and put into a failure state. * A new service setting AmbientCapabilities= has been added. It allows configuration of additional Linux process capabilities that are passed to the activated processes. This is only available on very recent kernels. * The process resource limit settings in service units may now be used to configure hard and soft limits individually. * The various libsystemd APIs such as sd-bus or sd-event now publicly expose support for gcc's __attribute__((cleanup())) C extension. Specifically, for many object destructor functions alternative versions have been added that have names suffixed with "p" and take a pointer to a pointer to the object to destroy, instead of just a pointer to the object itself. This is useful because these destructor functions may be used directly as parameters to the cleanup construct. Internally, systemd has been a heavy user of this GCC extension for a long time, and with this change similar support is now available to consumers of the library outside of systemd. Note that by using this extension in your sources compatibility with old and strictly ANSI compatible C compilers is lost. However, all gcc or LLVM versions of recent years support this extension. * Timer units gained support for a new setting RandomizedDelaySec= that allows configuring some additional randomized delay to the configured time. This is useful to spread out timer events to avoid load peaks in clusters or larger setups. * Calendar time specifications now support sub-second accuracy. * Socket units now support listening on SCTP and UDP-lite protocol sockets. * The sd-event API now comes with a full set of man pages. * Older versions of systemd contained experimental support for compressing journal files and coredumps with the LZ4 compressor that was not compatible with the lz4 binary (due to API limitations of the lz4 library). This support has been removed; only support for files compatible with the lz4 binary remains. This LZ4 logic is now officially supported and no longer considered experimental. * The dkr image import logic has been removed again from importd. dkr's micro-services focus doesn't fit into the machine image focus of importd, and quickly got out of date with the upstream dkr API. * Creation of the /run/lock/lockdev/ directory was dropped from tmpfiles.d/legacy.conf. Better locking mechanisms like flock() have been available for many years. If you still need this, you need to create your own tmpfiles.d config file with: d /run/lock/lockdev 0775 root lock - * The settings StartLimitBurst=, StartLimitInterval=, StartLimitAction= and RebootArgument= have been moved from the [Service] section of unit files to [Unit], and they are now supported on all unit types, not just service units. Of course, systemd will continue to understand these settings also at the old location, in order to maintain compatibility. Contributions from: Abdo Roig-Maranges, Alban Crequy, Aleksander Adamowski, Alexander Kuleshov, Andreas Pokorny, Andrei Borzenkov, Andrew Wilcox, Arthur Clement, Beniamino Galvani, Casey Schaufler, Chris Atkinson, Chris Mayo, Christian Hesse, Damjan Georgievski, Dan Dedrick, Daniele Medri, Daniel J Walsh, Daniel Korostil, Daniel Mack, David Herrmann, Dimitri John Ledkov, Dominik Hannen, Douglas Christman, Evgeny Vereshchagin, Filipe Brandenburger, Franck Bui, Gabor Kelemen, Harald Hoyer, Hayden Walles, Helmut Grohne, Henrik Kaare Poulsen, Hristo Venev, Hui Wang, Indrajit Raychaudhuri, Ismo Puustinen, Jakub Wilk, Jan Alexander Steffens (heftig), Jan Engelhardt, Jan Synacek, Joost Bremmer, Jorgen Schaefer, Karel Zak, Klearchos Chaloulos, lc85446, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas, Marcel Holtmann, Martin Pitt, Michael Biebl, Michael Olbrich, Michael Scherer, Michał Górny, Michal Sekletar, Nicolas Cornu, Nicolas Iooss, Nils Carlson, nmartensen, nnz1024, Patrick Ohly, Peter Hutterer, Phillip Sz, Ronny Chevalier, Samu Kallio, Shawn Landden, Stef Walter, Susant Sahani, Sylvain Plantefève, Tadej Janež, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Vito Caputo, WaLyong Cho, Yu Watanabe, Zbigniew Jędrzejewski-Szmek — Berlin, 2016-02-11 CHANGES WITH 228: * A number of properties previously only settable in unit files are now also available as properties to set when creating transient units programmatically via the bus, as it is exposed with systemd-run's --property= setting. Specifically, these are: SyslogIdentifier=, SyslogLevelPrefix=, TimerSlackNSec=, OOMScoreAdjust=, EnvironmentFile=, ReadWriteDirectories=, ReadOnlyDirectories=, InaccessibleDirectories=, ProtectSystem=, ProtectHome=, RuntimeDirectory=. * When creating transient services via the bus API it is now possible to pass in a set of file descriptors to use as STDIN/STDOUT/STDERR for the invoked process. * Slice units may now be created transiently via the bus APIs, similar to the way service and scope units may already be created transiently. * Wherever systemd expects a calendar timestamp specification (like in journalctl's --since= and --until= switches) UTC timestamps are now supported. Timestamps suffixed with "UTC" are now considered to be in Universal Time Coordinated instead of the local timezone. Also, timestamps may now optionally be specified with sub-second accuracy. Both of these additions also apply to recurring calendar event specification, such as OnCalendar= in timer units. * journalctl gained a new "--sync" switch that asks the journal daemon to write all so far unwritten log messages to disk and sync the files, before returning. * systemd-tmpfiles learned two new line types "q" and "Q" that operate like "v", but also set up a basic btrfs quota hierarchy when used on a btrfs file system with quota enabled. * tmpfiles' "v", "q" and "Q" will now create a plain directory instead of a subvolume (even on a btrfs file system) if the root directory is a plain directory, and not a subvolume. This should simplify things with certain chroot() environments which are not aware of the concept of btrfs subvolumes. * systemd-detect-virt gained a new --chroot switch to detect whether execution takes place in a chroot() environment. * CPUAffinity= now takes CPU index ranges in addition to individual indexes. * The various memory-related resource limit settings (such as LimitAS=) now understand the usual K, M, G, … suffixes to the base of 1024 (IEC). Similar, the time-related resource limit settings understand the usual min, h, day, … suffixes now. * There's a new system.conf setting DefaultTasksMax= to control the default TasksMax= setting for services and scopes running on the system. (TasksMax= is the primary setting that exposes the "pids" cgroup controller on systemd and was introduced in the previous systemd release.) The setting now defaults to 512, which means services that are not explicitly configured otherwise will only be able to create 512 processes or threads at maximum, from this version on. Note that this means that thread- or process-heavy services might need to be reconfigured to set TasksMax= to a higher value. It is sufficient to set TasksMax= in these specific unit files to a higher value, or even "infinity". Similar, there's now a logind.conf setting UserTasksMax= that defaults to 4096 and limits the total number of processes or tasks each user may own concurrently. nspawn containers also have the TasksMax= value set by default now, to 8192. Note that all of this only has an effect if the "pids" cgroup controller is enabled in the kernel. The general benefit of these changes should be a more robust and safer system, that provides a certain amount of per-service fork() bomb protection. * systemd-nspawn gained the new --network-veth-extra= switch to define additional and arbitrarily-named virtual Ethernet links between the host and the container. * A new service execution setting PassEnvironment= has been added that allows importing select environment variables from PID1's environment block into the environment block of the service. * Timer units gained support for a new RemainAfterElapse= setting which takes a boolean argument. It defaults to on, exposing behaviour unchanged to previous releases. If set to off, timer units are unloaded after they elapsed if they cannot elapse again. This is particularly useful for transient timer units, which shall not stay around longer than until they first elapse. * systemd will now bump the net.unix.max_dgram_qlen to 512 by default now (the kernel default is 16). This is beneficial for avoiding blocking on AF_UNIX/SOCK_DGRAM sockets since it allows substantially larger numbers of queued datagrams. This should increase the capability of systemd to parallelize boot-up, as logging and sd_notify() are unlikely to stall execution anymore. If you need to change the value from the new defaults, use the usual sysctl.d/ snippets. * The compression framing format used by the journal or coredump processing has changed to be in line with what the official LZ4 tools generate. LZ4 compression support in systemd was considered unsupported previously, as the format was not compatible with the normal tools. With this release this has changed now, and it is hence safe for downstream distributions to turn it on. While not compressing as well as the XZ, LZ4 is substantially faster, which makes it a good default choice for the compression logic in the journal and in coredump handling. * Any reference to /etc/mtab has been dropped from systemd. The file has been obsolete since a while, but systemd refused to work on systems where it was incorrectly set up (it should be a symlink or non-existent). Please make sure to update to util-linux 2.27.1 or newer in conjunction with this systemd release, which also drops any reference to /etc/mtab. If you maintain a distribution make sure that no software you package still references it, as this is a likely source of bugs. There's also a glibc bug pending, asking for removal of any reference to this obsolete file: https://sourceware.org/bugzilla/show_bug.cgi?id=19108 Note that only util-linux versions built with --enable-libmount-force-mountinfo are supported. * Support for the ".snapshot" unit type has been removed. This feature turned out to be little useful and little used, and has now been removed from the core and from systemctl. * The dependency types RequiresOverridable= and RequisiteOverridable= have been removed from systemd. They have been used only very sparingly to our knowledge and other options that provide a similar effect (such as systemctl --mode=ignore-dependencies) are much more useful and commonly used. Moreover, they were only half-way implemented as the option to control behaviour regarding these dependencies was never added to systemctl. By removing these dependency types the execution engine becomes a bit simpler. Unit files that use these dependencies should be changed to use the non-Overridable dependency types instead. In fact, when parsing unit files with these options, that's what systemd will automatically convert them too, but it will also warn, asking users to fix the unit files accordingly. Removal of these dependency types should only affect a negligible number of unit files in the wild. * Behaviour of networkd's IPForward= option changed (again). It will no longer maintain a per-interface setting, but propagate one way from interfaces where this is enabled to the global kernel setting. The global setting will be enabled when requested by a network that is set up, but never be disabled again. This change was made to make sure IPv4 and IPv6 behaviour regarding packet forwarding is similar (as the Linux IPv6 stack does not support per-interface control of this setting) and to minimize surprises. * In unit files the behaviour of %u, %U, %h, %s has changed. These specifiers will now unconditionally resolve to the various user database fields of the user that the systemd instance is running as, instead of the user configured in the specific unit via User=. Note that this effectively doesn't change much, as resolving of these specifiers was already turned off in the --system instance of systemd, as we cannot do NSS lookups from PID 1. In the --user instance of systemd these specifiers where correctly resolved, but hardly made any sense, since the user instance lacks privileges to do user switches anyway, and User= is hence useless. Moreover, even in the --user instance of systemd behaviour was awkward as it would only take settings from User= assignment placed before the specifier into account. In order to unify and simplify the logic around this the specifiers will now always resolve to the credentials of the user invoking the manager (which in case of PID 1 is the root user). Contributions from: Andrew Jones, Beniamino Galvani, Boyuan Yang, Daniel Machon, Daniel Mack, David Herrmann, David Reynolds, David Strauss, Dongsu Park, Evgeny Vereshchagin, Felipe Sateler, Filipe Brandenburger, Franck Bui, Hristo Venev, Iago López Galeiras, Jan Engelhardt, Jan Janssen, Jan Synacek, Jesus Ornelas Aguayo, Karel Zak, kayrus, Kay Sievers, Lennart Poettering, Liu Yuan Yuan, Mantas Mikulėnas, Marcel Holtmann, Marcin Bachry, Marcos Alano, Marcos Mello, Mark Theunissen, Martin Pitt, Michael Marineau, Michael Olbrich, Michal Schmidt, Michal Sekletar, Mirco Tischler, Nick Owens, Nicolas Cornu, Patrik Flykt, Peter Hutterer, reverendhomer, Ronny Chevalier, Sangjung Woo, Seong-ho Cho, Shawn Landden, Susant Sahani, Thomas Haller, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein Husebø, Vito Caputo, Zbigniew Jędrzejewski-Szmek — Berlin, 2015-11-18 CHANGES WITH 227: * systemd now depends on util-linux v2.27. More specifically, the newly added mount monitor feature in libmount now replaces systemd's former own implementation. * libmount mandates /etc/mtab not to be regular file, and systemd now enforces this condition at early boot. /etc/mtab has been deprecated and warned about for a very long time, so systems running systemd should already have stopped having this file around as anything else than a symlink to /proc/self/mounts. * Support for the "pids" cgroup controller has been added. It allows accounting the number of tasks in a cgroup and enforcing limits on it. This adds two new setting TasksAccounting= and TasksMax= to each unit, as well as a global option DefaultTasksAccounting=. * Support for the "net_cls" cgroup controller has been added. It allows assigning a net class ID to each task in the cgroup, which can then be used in firewall rules and traffic shaping configurations. Note that the kernel netfilter net class code does not currently work reliably for ingress packets on unestablished sockets. This adds a new config directive called NetClass= to CGroup enabled units. Allowed values are positive numbers for fixed assignments and "auto" for picking a free value automatically. * 'systemctl is-system-running' now returns 'offline' if the system is not booted with systemd. This command can now be used as a substitute for 'systemd-notify --booted'. * Watchdog timeouts have been increased to 3 minutes for all in-tree service files. Apparently, disk IO issues are more frequent than we hoped, and user reported >1 minute waiting for disk IO. * 'machine-id-commit' functionality has been merged into 'machine-id-setup --commit'. The separate binary has been removed. * The WorkingDirectory= directive in unit files may now be set to the special value '~'. In this case, the working directory is set to the home directory of the user configured in User=. * "machinectl shell" will now open the shell in the home directory of the selected user by default. * The CrashChVT= configuration file setting is renamed to CrashChangeVT=, following our usual logic of not abbreviating unnecessarily. The old directive is still supported for compat reasons. Also, this directive now takes an integer value between 1 and 63, or a boolean value. The formerly supported '-1' value for disabling stays around for compat reasons. * The PrivateTmp=, PrivateDevices=, PrivateNetwork=, NoNewPrivileges=, TTYPath=, WorkingDirectory= and RootDirectory= properties can now be set for transient units. * The systemd-analyze tool gained a new "set-log-target" verb to change the logging target the system manager logs to dynamically during runtime. This is similar to how "systemd-analyze set-log-level" already changes the log level. * In nspawn /sys is now mounted as tmpfs, with only a selected set of subdirectories mounted in from the real sysfs. This enhances security slightly, and is useful for ensuring user namespaces work correctly. * Support for USB FunctionFS activation has been added. This allows implementation of USB gadget services that are activated as soon as they are requested, so that they don't have to run continuously, similar to classic socket activation. * The "systemctl exit" command now optionally takes an additional parameter that sets the exit code to return from the systemd manager when exiting. This is only relevant when running the systemd user instance, or when running the system instance in a container. * sd-bus gained the new API calls sd_bus_path_encode_many() and sd_bus_path_decode_many() that allow easy encoding and decoding of multiple identifier strings inside a D-Bus object path. Another new call sd_bus_default_flush_close() has been added to flush and close per-thread default connections. * systemd-cgtop gained support for a -M/--machine= switch to show the control groups within a certain container only. * "systemctl kill" gained support for an optional --fail switch. If specified the requested operation will fail of no processes have been killed, because the unit had no processes attached, or similar. * A new systemd.crash_reboot=1 kernel command line option has been added that triggers a reboot after crashing. This can also be set through CrashReboot= in systemd.conf. * The RuntimeDirectory= setting now understands unit specifiers like %i or %f. * A new (still internal) library API sd-ipv4acd has been added, that implements address conflict detection for IPv4. It's based on code from sd-ipv4ll, and will be useful for detecting DHCP address conflicts. * File descriptors passed during socket activation may now be named. A new API sd_listen_fds_with_names() is added to access the names. The default names may be overridden, either in the .socket file using the FileDescriptorName= parameter, or by passing FDNAME= when storing the file descriptors using sd_notify(). * systemd-networkd gained support for: - Setting the IPv6 Router Advertisement settings via IPv6AcceptRouterAdvertisements= in .network files. - Configuring the HelloTimeSec=, MaxAgeSec= and ForwardDelaySec= bridge parameters in .netdev files. - Configuring PreferredSource= for static routes in .network files. * The "ask-password" framework used to query for LUKS harddisk passwords or SSL passwords during boot gained support for caching passwords in the kernel keyring, if it is available. This makes sure that the user only has to type in a passphrase once if there are multiple objects to unlock with the same one. Previously, such password caching was available only when Plymouth was used; this moves the caching logic into the systemd codebase itself. The "systemd-ask-password" utility gained a new --keyname= switch to control which kernel keyring key to use for caching a password in. This functionality is also useful for enabling display managers such as gdm to automatically unlock the user's GNOME keyring if its passphrase, the user's password and the harddisk password are the same, if gdm-autologin is used. * When downloading tar or raw images using "machinectl pull-tar" or "machinectl pull-raw", a matching ".nspawn" file is now also downloaded, if it is available and stored next to the image file. * Units of type ".socket" gained a new boolean setting Writable= which is only useful in conjunction with ListenSpecial=. If true, enables opening the specified special file in O_RDWR mode rather than O_RDONLY mode. * systemd-rfkill has been reworked to become a singleton service that is activated through /dev/rfkill on each rfkill state change and saves the settings to disk. This way, systemd-rfkill is now compatible with devices that exist only intermittendly, and even restores state if the previous system shutdown was abrupt rather than clean. * The journal daemon gained support for vacuuming old journal files controlled by the number of files that shall remain, in addition to the already existing control by size and by date. This is useful as journal interleaving performance degrades with too many separate journal files, and allows putting an effective limit on them. The new setting defaults to 100, but this may be changed by setting SystemMaxFiles= and RuntimeMaxFiles= in journald.conf. Also, the "journalctl" tool gained the new --vacuum-files= switch to manually vacuum journal files to leave only the specified number of files in place. * udev will now create /dev/disk/by-path links for ATA devices on kernels where that is supported. * Galician, Serbian, Turkish and Korean translations were added. Contributions from: Aaro Koskinen, Alban Crequy, Beniamino Galvani, Benjamin Robin, Branislav Blaskovic, Chen-Han Hsiao (Stanley), Daniel Buch, Daniel Machon, Daniel Mack, David Herrmann, David Milburn, doubleodoug, Evgeny Vereshchagin, Felipe Franciosi, Filipe Brandenburger, Fran Dieguez, Gabriel de Perthuis, Georg Müller, Hans de Goede, Hendrik Brueckner, Ivan Shapovalov, Jacob Keller, Jan Engelhardt, Jan Janssen, Jan Synacek, Jens Kuske, Karel Zak, Kay Sievers, Krzesimir Nowak, Krzysztof Kotlenga, Lars Uebernickel, Lennart Poettering, Lukas Nykryn, Łukasz Stelmach, Maciej Wereski, Marcel Holtmann, Marius Thesing, Martin Pitt, Michael Biebl, Michael Gebetsroither, Michal Schmidt, Michal Sekletar, Mike Gilbert, Muhammet Kara, nazgul77, Nicolas Cornu, NoXPhasma, Olof Johansson, Patrik Flykt, Pawel Szewczyk, reverendhomer, Ronny Chevalier, Sangjung Woo, Seong-ho Cho, Susant Sahani, Sylvain Plantefève, Thomas Haller, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Tom Lyon, Viktar Vauchkevich, Zbigniew Jędrzejewski-Szmek, Марко М. Костић — Berlin, 2015-10-07 CHANGES WITH 226: * The DHCP implementation of systemd-networkd gained a set of new features: - The DHCP server now supports emitting DNS and NTP information. It may be enabled and configured via EmitDNS=, DNS=, EmitNTP=, and NTP=. If transmission of DNS and NTP information is enabled, but no servers are configured, the corresponding uplink information (if there is any) is propagated. - Server and client now support transmission and reception of timezone information. It can be configured via the newly introduced network options UseTimezone=, EmitTimezone=, and Timezone=. Transmission of timezone information is enabled between host and containers by default now: the container will change its local timezone to what the host has set. - Lease timeouts can now be configured via MaxLeaseTimeSec= and DefaultLeaseTimeSec=. - The DHCP server improved on the stability of leases. Clients are more likely to get the same lease information back, even if the server loses state. - The DHCP server supports two new configuration options to control the lease address pool metrics, PoolOffset= and PoolSize=. * The encapsulation limit of tunnels in systemd-networkd may now be configured via 'EncapsulationLimit='. It allows modifying the maximum additional levels of encapsulation that are permitted to be prepended to a packet. * systemd now supports the concept of user buses replacing session buses, if used with dbus-1.10 (and enabled via dbus --enable-user-session). It previously only supported this on kdbus-enabled systems, and this release expands this to 'dbus-daemon' systems. * systemd-networkd now supports predictable interface names for virtio devices. * systemd now optionally supports the new Linux kernel "unified" control group hierarchy. If enabled via the kernel command-line option 'systemd.unified_cgroup_hierarchy=1', systemd will try to mount the unified cgroup hierarchy directly on /sys/fs/cgroup. If not enabled, or not available, systemd will fall back to the legacy cgroup hierarchy setup, as before. Host system and containers can mix and match legacy and unified hierarchies as they wish. nspawn understands the $UNIFIED_CGROUP_HIERARCHY environment variable to individually select the hierarchy to use for executed containers. By default, nspawn will use the unified hierarchy for the containers if the host uses the unified hierarchy, and the legacy hierarchy otherwise. Please note that at this point the unified hierarchy is an experimental kernel feature and is likely to change in one of the next kernel releases. Therefore, it should not be enabled by default in downstream distributions yet. The minimum required kernel version for the unified hierarchy to work is 4.2. Note that when the unified hierarchy is used for the first time delegated access to controllers is safe. Because of this systemd-nspawn containers will get access to controllers now, as will systemd user sessions. This means containers and user sessions may now manage their own resources, partitioning up what the system grants them. * A new special scope unit "init.scope" has been introduced that encapsulates PID 1 of the system. It may be used to determine resource usage and enforce resource limits on PID 1 itself. PID 1 hence moved out of the root of the control group tree. * The cgtop tool gained support for filtering out kernel threads when counting tasks in a control group. Also, the count of processes is now recursively summed up by default. Two options -k and --recursive= have been added to revert to old behaviour. The tool has also been updated to work correctly in containers now. * systemd-nspawn's --bind= and --bind-ro= options have been extended to allow creation of non-recursive bind mounts. * libsystemd gained two new calls sd_pid_get_cgroup() and sd_peer_get_cgroup() which return the control group path of a process or peer of a connected AF_UNIX socket. This function call is particularly useful when implementing delegated subtrees support in the control group hierarchy. * The "sd-event" event loop API of libsystemd now supports correct dequeuing of real-time signals, without losing signal events. * When systemd requests a polkit decision when managing units it will now add additional fields to the request, including unit name and desired operation. This enables more powerful polkit policies, that make decisions depending on these parameters. * nspawn learnt support for .nspawn settings files, that may accompany the image files or directories of containers, and may contain additional settings for the container. This is an alternative to configuring container parameters via the nspawn command line. Contributions from: Cristian Rodríguez, Daniel Mack, David Herrmann, Eugene Yakubovich, Evgeny Vereshchagin, Filipe Brandenburger, Hans de Goede, Jan Alexander Steffens, Jan Synacek, Kay Sievers, Lennart Poettering, Mangix, Marcel Holtmann, Martin Pitt, Michael Biebl, Michael Chapman, Michal Sekletar, Peter Hutterer, Piotr Drąg, reverendhomer, Robin Hack, Susant Sahani, Sylvain Pasche, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein Husebø — Berlin, 2015-09-08 CHANGES WITH 225: * machinectl gained a new verb 'shell' which opens a fresh shell on the target container or the host. It is similar to the existing 'login' command of machinectl, but spawns the shell directly without prompting for username or password. The pseudo machine '.host' now refers to the local host and is used by default. Hence, 'machinectl shell' can be used as replacement for 'su -' which spawns a session as a fresh systemd unit in a way that is fully isolated from the originating session. * systemd-networkd learned to cope with private-zone DHCP options and allows other programs to query the values. * SELinux access control when enabling/disabling units is no longer enforced with this release. The previous implementation was incorrect, and a new corrected implementation is not yet available. As unit file operations are still protected via polkit and D-Bus policy this is not a security problem. Yet, distributions which care about optimal SELinux support should probably not stabilize on this release. * sd-bus gained support for matches of type "arg0has=", that test for membership of strings in string arrays sent in bus messages. * systemd-resolved now dumps the contents of its DNS and LLMNR caches to the logs on reception of the SIGUSR1 signal. This is useful to debug DNS behaviour. * The coredumpctl tool gained a new --directory= option to operate on journal files in a specific directory. * "systemctl reboot" and related commands gained a new "--message=" option which may be used to set a free-text wall message when shutting down or rebooting the system. This message is also logged, which is useful for figuring out the reason for a reboot or shutdown a posteriori. * The "systemd-resolve-host" tool's -i switch now takes network interface numbers as alternative to interface names. * A new unit file setting for services has been introduced: UtmpMode= allows configuration of how precisely systemd handles utmp and wtmp entries for the service if this is enabled. This allows writing services that appear similar to user sessions in the output of the "w", "who", "last" and "lastlog" tools. * systemd-resolved will now locally synthesize DNS resource records for the "localhost" and "gateway" domains as well as the local hostname. This should ensure that clients querying RRs via resolved will get similar results as those going via NSS, if nss-myhostname is enabled. Contributions from: Alastair Hughes, Alex Crawford, Daniel Mack, David Herrmann, Dimitri John Ledkov, Eric Kostrowski, Evgeny Vereshchagin, Felipe Sateler, HATAYAMA Daisuke, Jan Pokorný, Jan Synacek, Johnny Robeson, Karel Zak, Kay Sievers, Kefeng Wang, Lennart Poettering, Major Hayden, Marcel Holtmann, Markus Elfring, Martin Mikkelsen, Martin Pitt, Matt Turner, Maxim Mikityanskiy, Michael Biebl, Namhyung Kim, Nicolas Cornu, Owen W. Taylor, Patrik Flykt, Peter Hutterer, reverendhomer, Richard Maw, Ronny Chevalier, Seth Jennings, Stef Walter, Susant Sahani, Thomas Blume, Thomas Hindoe Paaboel Andersen, Thomas Meyer, Tom Gundersen, Vincent Batts, WaLyong Cho, Zbigniew Jędrzejewski-Szmek — Berlin, 2015-08-27 CHANGES WITH 224: * The systemd-efi-boot-generator functionality was merged into systemd-gpt-auto-generator. * systemd-networkd now supports Group Policy for vxlan devices. It can be enabled via the new boolean configuration option called 'GroupPolicyExtension='. Contributions from: Andreas Kempf, Christian Hesse, Daniel Mack, David Herrmann, Herman Fries, Johannes Nixdorf, Kay Sievers, Lennart Poettering, Peter Hutterer, Susant Sahani, Tom Gundersen — Berlin, 2015-07-31 CHANGES WITH 223: * The python-systemd code has been removed from the systemd repository. A new repository has been created which accommodates the code from now on, and we kindly ask distributions to create a separate package for this: https://github.com/systemd/python-systemd * The systemd daemon will now reload its main configuration (/etc/systemd/system.conf) on daemon-reload. * sd-dhcp now exposes vendor specific extensions via sd_dhcp_lease_get_vendor_specific(). * systemd-networkd gained a number of new configuration options. - A new boolean configuration option for TAP devices called 'VNetHeader='. If set, the IFF_VNET_HDR flag is set for the device, thus allowing to send and receive GSO packets. - A new tunnel configuration option called 'CopyDSCP='. If enabled, the DSCP field of ip6 tunnels is copied into the decapsulated packet. - A set of boolean bridge configuration options were added. 'UseBPDU=', 'HairPin=', 'FastLeave=', 'AllowPortToBeRoot=', and 'UnicastFlood=' are now parsed by networkd and applied to the respective bridge link device via the respective IFLA_BRPORT_* netlink attribute. - A new string configuration option to override the hostname sent to a DHCP server, called 'Hostname='. If set and 'SendHostname=' is true, networkd will use the configured hostname instead of the system hostname when sending DHCP requests. - A new tunnel configuration option called 'IPv6FlowLabel='. If set, networkd will configure the IPv6 flow-label of the tunnel device according to RFC2460. - The 'macvtap' virtual network devices are now supported, similar to the already supported 'macvlan' devices. * systemd-resolved now implements RFC5452 to improve resilience against cache poisoning. Additionally, source port randomization is enabled by default to further protect against DNS spoofing attacks. * nss-mymachines now supports translating UIDs and GIDs of running containers with user-namespaces enabled. If a container 'foo' translates a host uid 'UID' to the container uid 'TUID', then nss-mymachines will also map uid 'UID' to/from username 'vu-foo-TUID' (with 'foo' and 'TUID' replaced accordingly). Similarly, groups are mapped as 'vg-foo-TGID'. Contributions from: Beniamino Galvani, cee1, Christian Hesse, Daniel Buch, Daniel Mack, daurnimator, David Herrmann, Dimitri John Ledkov, HATAYAMA Daisuke, Ivan Shapovalov, Jan Alexander Steffens (heftig), Johan Ouwerkerk, Jose Carlos Venegas Munoz, Karel Zak, Kay Sievers, Lennart Poettering, Lidong Zhong, Martin Pitt, Michael Biebl, Michael Olbrich, Michal Schmidt, Michal Sekletar, Mike Gilbert, Namhyung Kim, Nick Owens, Peter Hutterer, Richard Maw, Steven Allen, Sungbae Yoo, Susant Sahani, Thomas Blume, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Vito Caputo, Vivenzio Pagliari, Zbigniew Jędrzejewski-Szmek — Berlin, 2015-07-29 CHANGES WITH 222: * udev does not longer support the WAIT_FOR_SYSFS= key in udev rules. There are no known issues with current sysfs, and udev does not need or should be used to work around such bugs. * udev does no longer enable USB HID power management. Several reports indicate, that some devices cannot handle that setting. * The udev accelerometer helper was removed. The functionality is now fully included in iio-sensor-proxy. But this means, older iio-sensor-proxy versions will no longer provide accelerometer/orientation data with this systemd version. Please upgrade iio-sensor-proxy to version 1.0. * networkd gained a new configuration option IPv6PrivacyExtensions= which enables IPv6 privacy extensions (RFC 4941, "Privacy Extensions for Stateless Address") on selected networks. * For the sake of fewer build-time dependencies and less code in the main repository, the python bindings are about to be removed in the next release. A new repository has been created which accommodates the code from now on, and we kindly ask distributions to create a separate package for this. The removal will take place in v223. https://github.com/systemd/python-systemd Contributions from: Abdo Roig-Maranges, Andrew Eikum, Bastien Nocera, Cédric Delmas, Christian Hesse, Christos Trochalakis, Daniel Mack, daurnimator, David Herrmann, Dimitri John Ledkov, Eric Biggers, Eric Cook, Felipe Sateler, Geert Jansen, Gerd Hoffmann, Gianpaolo Macario, Greg Kroah-Hartman, Iago López Galeiras, Jan Alexander Steffens (heftig), Jan Engelhardt, Jay Strict, Kay Sievers, Lennart Poettering, Markus Knetschke, Martin Pitt, Michael Biebl, Michael Marineau, Michal Sekletar, Miguel Bernal Marin, Peter Hutterer, Richard Maw, rinrinne, Susant Sahani, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein Husebø, Vedran Miletić, WaLyong Cho, Zbigniew Jędrzejewski-Szmek — Berlin, 2015-07-07 CHANGES WITH 221: * The sd-bus.h and sd-event.h APIs have now been declared stable and have been added to the official interface of libsystemd.so. sd-bus implements an alternative D-Bus client library, that is relatively easy to use, very efficient and supports both classic D-Bus as well as kdbus as transport backend. sd-event is a generic event loop abstraction that is built around Linux epoll, but adds features such as event prioritization or efficient timer handling. Both APIs are good choices for C programs looking for a bus and/or event loop implementation that is minimal and does not have to be portable to other kernels. * kdbus support is no longer compile-time optional. It is now always built-in. However, it can still be disabled at runtime using the kdbus=0 kernel command line setting, and that setting may be changed to default to off, by specifying --disable-kdbus at build-time. Note though that the kernel command line setting has no effect if the kdbus.ko kernel module is not installed, in which case kdbus is (obviously) also disabled. We encourage all downstream distributions to begin testing kdbus by adding it to the kernel images in the development distributions, and leaving kdbus support in systemd enabled. * The minimal required util-linux version has been bumped to 2.26. * Support for chkconfig (--enable-chkconfig) was removed in favor of calling an abstraction tool /lib/systemd/systemd-sysv-install. This needs to be implemented for your distribution. See "SYSV INIT.D SCRIPTS" in README for details. * If there's a systemd unit and a SysV init script for the same service name, and the user executes "systemctl enable" for it (or a related call), then this will now enable both (or execute the related operation on both), not just the unit. * The libudev API documentation has been converted from gtkdoc into man pages. * gudev has been removed from the systemd tree, it is now an external project. * The systemd-cgtop tool learnt a new --raw switch to generate "raw" (machine parsable) output. * networkd's IPForwarding= .network file setting learnt the new setting "kernel", which ensures that networkd does not change the IP forwarding sysctl from the default kernel state. * The systemd-logind bus API now exposes a new boolean property "Docked" that reports whether logind considers the system "docked", i.e. connected to a docking station or not. Contributions from: Alex Crawford, Andreas Pokorny, Andrei Borzenkov, Charles Duffy, Colin Guthrie, Cristian Rodríguez, Daniele Medri, Daniel Hahler, Daniel Mack, David Herrmann, David Mohr, Dimitri John Ledkov, Djalal Harouni, dslul, Ed Swierk, Eric Cook, Filipe Brandenburger, Gianpaolo Macario, Harald Hoyer, Iago López Galeiras, Igor Vuk, Jan Synacek, Jason Pleau, Jason S. McMullan, Jean Delvare, Jeff Huang, Jonathan Boulle, Karel Zak, Kay Sievers, kloun, Lennart Poettering, Marc-Antoine Perennou, Marcel Holtmann, Mario Limonciello, Martin Pitt, Michael Biebl, Michael Olbrich, Michal Schmidt, Mike Gilbert, Nick Owens, Pablo Lezaeta Reyes, Patrick Donnelly, Pavel Odvody, Peter Hutterer, Philip Withnall, Ronny Chevalier, Simon McVittie, Susant Sahani, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Viktar Vauchkevich, Werner Fink, Zbigniew Jędrzejewski-Szmek — Berlin, 2015-06-19 CHANGES WITH 220: * The gudev library has been extracted into a separate repository available at: https://git.gnome.org/browse/libgudev/ It is now managed as part of the Gnome project. Distributions are recommended to pass --disable-gudev to systemd and use gudev from the Gnome project instead. gudev is still included in systemd, for now. It will be removed soon, though. Please also see the announcement-thread on systemd-devel: https://lists.freedesktop.org/archives/systemd-devel/2015-May/032070.html * systemd now exposes a CPUUsageNSec= property for each service unit on the bus, that contains the overall consumed CPU time of a service (the sum of what each process of the service consumed). This value is only available if CPUAccounting= is turned on for a service, and is then shown in the "systemctl status" output. * Support for configuring alternative mappings of the old SysV runlevels to systemd targets has been removed. They are now hardcoded in a way that runlevels 2, 3, 4 all map to multi-user.target and 5 to graphical.target (which previously was already the default behaviour). * The auto-mounter logic gained support for mount point expiry, using a new TimeoutIdleSec= setting in .automount units. (Also available as x-systemd.idle-timeout= in /etc/fstab). * The EFI System Partition (ESP) as mounted to /boot by systemd-efi-boot-generator will now be unmounted automatically after 2 minutes of not being used. This should minimize the risk of ESP corruptions. * New /etc/fstab options x-systemd.requires= and x-systemd.requires-mounts-for= are now supported to express additional dependencies for mounts. This is useful for journaling file systems that support external journal devices or overlay file systems that require underlying file systems to be mounted. * systemd does not support direct live-upgrades (via systemctl daemon-reexec) from versions older than v44 anymore. As no distribution we are aware of shipped such old versions in a stable release this should not be problematic. * When systemd forks off a new per-connection service instance it will now set the $REMOTE_ADDR environment variable to the remote IP address, and $REMOTE_PORT environment variable to the remote IP port. This behaviour is similar to the corresponding environment variables defined by CGI. * systemd-networkd gained support for uplink failure detection. The BindCarrier= option allows binding interface configuration dynamically to the link sense of other interfaces. This is useful to achieve behaviour like in network switches. * systemd-networkd gained support for configuring the DHCP client identifier to use when requesting leases. * systemd-networkd now has a per-network UseNTP= option to configure whether NTP server information acquired via DHCP is passed on to services like systemd-timesyncd. * systemd-networkd gained support for vti6 tunnels. * Note that systemd-networkd manages the sysctl variable /proc/sys/net/ipv[46]/conf/*/forwarding for each interface it is configured for since v219. The variable controls IP forwarding, and is a per-interface alternative to the global /proc/sys/net/ipv[46]/ip_forward. This setting is configurable in the IPForward= option, which defaults to "no". This means if networkd is used for an interface it is no longer sufficient to set the global sysctl option to turn on IP forwarding! Instead, the .network file option IPForward= needs to be turned on! Note that the implementation of this behaviour was broken in v219 and has been fixed in v220. * Many bonding and vxlan options are now configurable in systemd-networkd. * systemd-nspawn gained a new --property= setting to set unit properties for the container scope. This is useful for setting resource parameters (e.g. "CPUShares=500") on containers started from the command line. * systemd-nspawn gained a new --private-users= switch to make use of user namespacing available on recent Linux kernels. * systemd-nspawn may now be called as part of a shell pipeline in which case the pipes used for stdin and stdout are passed directly to the process invoked in the container, without indirection via a pseudo tty. * systemd-nspawn gained a new switch to control the UNIX signal to use when killing the init process of the container when shutting down. * systemd-nspawn gained a new --overlay= switch for mounting overlay file systems into the container using the new kernel overlayfs support. * When a container image is imported via systemd-importd and the host file system is not btrfs, a loopback block device file is created in /var/lib/machines.raw with a btrfs file system inside. It is then mounted to /var/lib/machines to enable btrfs features for container management. The loopback file and btrfs file system is grown as needed when container images are imported via systemd-importd. * systemd-machined/systemd-importd gained support for btrfs quota, to enforce container disk space limits on disk. This is exposed in "machinectl set-limit". * systemd-importd now can import containers from local .tar, .raw and .qcow2 images, and export them to .tar and .raw. It can also import dkr v2 images now from the network (on top of v1 as before). * systemd-importd gained support for verifying downloaded images with gpg2 (previously only gpg1 was supported). * systemd-machined, systemd-logind, systemd: most bus calls are now accessible to unprivileged processes via polkit. Also, systemd-logind will now allow users to kill their own sessions without further privileges or authorization. * systemd-shutdownd has been removed. This service was previously responsible for implementing scheduled shutdowns as exposed in /usr/bin/shutdown's time parameter. This functionality has now been moved into systemd-logind and is accessible via a bus interface. * "systemctl reboot" gained a new switch --firmware-setup that can be used to reboot into the EFI firmware setup, if that is available. systemd-logind now exposes an API on the bus to trigger such reboots, in case graphical desktop UIs want to cover this functionality. * "systemctl enable", "systemctl disable" and "systemctl mask" now support a new "--now" switch. If specified the units that are enabled will also be started, and the ones disabled/masked also stopped. * The Gummiboot EFI boot loader tool has been merged into systemd, and renamed to "systemd-boot". The bootctl tool has been updated to support systemd-boot. * An EFI kernel stub has been added that may be used to create kernel EFI binaries that contain not only the actual kernel, but also an initrd, boot splash, command line and OS release information. This combined binary can then be signed as a single image, so that the firmware can verify it all in one step. systemd-boot has special support for EFI binaries created like this and can extract OS release information from them and show them in the boot menu. This functionality is useful to implement cryptographically verified boot schemes. * Optional support has been added to systemd-fsck to pass fsck's progress report to an AF_UNIX socket in the file system. * udev will no longer create device symlinks for all block devices by default. A deny list for excluding special block devices from this logic has been turned into an allow list that requires picking block devices explicitly that require device symlinks. * A new (currently still internal) API sd-device.h has been added to libsystemd. This modernized API is supposed to replace libudev eventually. In fact, already much of libudev is now just a wrapper around sd-device.h. * A new hwdb database for storing metadata about pointing stick devices has been added. * systemd-tmpfiles gained support for setting file attributes similar to the "chattr" tool with new 'h' and 'H' lines. * systemd-journald will no longer unconditionally set the btrfs NOCOW flag on new journal files. This is instead done with tmpfiles snippet using the new 'h' line type. This allows easy disabling of this logic, by masking the journal-nocow.conf tmpfiles file. * systemd-journald will now translate audit message types to human readable identifiers when writing them to the journal. This should improve readability of audit messages. * The LUKS logic gained support for the offset= and skip= options in /etc/crypttab, as previously implemented by Debian. * /usr/lib/os-release gained a new optional field VARIANT= for distributions that support multiple variants (such as a desktop edition, a server edition, …) Contributions from: Aaro Koskinen, Adam Goode, Alban Crequy, Alberto Fanjul Alonso, Alexander Sverdlin, Alex Puchades, Alin Rauta, Alison Chaiken, Andrew Jones, Arend van Spriel, Benedikt Morbach, Benjamin Franzke, Benjamin Tissoires, Blaž Tomažič, Chris Morgan, Chris Morin, Colin Walters, Cristian Rodríguez, Daniel Buch, Daniel Drake, Daniele Medri, Daniel Mack, Daniel Mustieles, daurnimator, Davide Bettio, David Herrmann, David Strauss, Didier Roche, Dimitri John Ledkov, Eric Cook, Gavin Li, Goffredo Baroncelli, Hannes Reinecke, Hans de Goede, Hans-Peter Deifel, Harald Hoyer, Iago López Galeiras, Ivan Shapovalov, Jan Engelhardt, Jan Janssen, Jan Pazdziora, Jan Synacek, Jasper St. Pierre, Jay Faulkner, John Paul Adrian Glaubitz, Jonathon Gilbert, Karel Zak, Kay Sievers, Koen Kooi, Lennart Poettering, Lubomir Rintel, Lucas De Marchi, Lukas Nykryn, Lukas Rusak, Lukasz Skalski, Łukasz Stelmach, Mantas Mikulėnas, Marc-Antoine Perennou, Marcel Holtmann, Martin Pitt, Mathieu Chevrier, Matthew Garrett, Michael Biebl, Michael Marineau, Michael Olbrich, Michal Schmidt, Michal Sekletar, Mirco Tischler, Nir Soffer, Patrik Flykt, Pavel Odvody, Peter Hutterer, Peter Lemenkov, Peter Waller, Piotr Drąg, Raul Gutierrez S, Richard Maw, Ronny Chevalier, Ross Burton, Sebastian Rasmussen, Sergey Ptashnick, Seth Jennings, Shawn Landden, Simon Farnsworth, Stefan Junker, Stephen Gallagher, Susant Sahani, Sylvain Plantefève, Thomas Haller, Thomas Hindoe Paaboel Andersen, Tobias Hunger, Tom Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Will Woods, Zachary Cook, Zbigniew Jędrzejewski-Szmek — Berlin, 2015-05-22 CHANGES WITH 219: * Introduce a new API "sd-hwdb.h" for querying the hardware metadata database. With this minimal interface one can query and enumerate the udev hwdb, decoupled from the old libudev library. libudev's interface for this is now only a wrapper around sd-hwdb. A new tool systemd-hwdb has been added to interface with and update the database. * When any of systemd's tools copies files (for example due to tmpfiles' C lines) a btrfs reflink will attempted first, before bytewise copying is done. * systemd-nspawn gained a new --ephemeral switch. When specified a btrfs snapshot is taken of the container's root directory, and immediately removed when the container terminates again. Thus, a container can be started whose changes never alter the container's root directory, and are lost on container termination. This switch can also be used for starting a container off the root file system of the host without affecting the host OS. This switch is only available on btrfs file systems. * systemd-nspawn gained a new --template= switch. It takes the path to a container tree to use as template for the tree specified via --directory=, should that directory be missing. This allows instantiating containers dynamically, on first run. This switch is only available on btrfs file systems. * When a .mount unit refers to a mount point on which multiple mounts are stacked, and the .mount unit is stopped all of the stacked mount points will now be unmounted until no mount point remains. * systemd now has an explicit notion of supported and unsupported unit types. Jobs enqueued for unsupported unit types will now fail with an "unsupported" error code. More specifically .swap, .automount and .device units are not supported in containers, .busname units are not supported on non-kdbus systems. .swap and .automount are also not supported if their respective kernel compile time options are disabled. * machinectl gained support for two new "copy-from" and "copy-to" commands for copying files from a running container to the host or vice versa. * machinectl gained support for a new "bind" command to bind mount host directories into local containers. This is currently only supported for nspawn containers. * networkd gained support for configuring bridge forwarding database entries (fdb) from .network files. * A new tiny daemon "systemd-importd" has been added that can download container images in tar, raw, qcow2 or dkr formats, and make them available locally in /var/lib/machines, so that they can run as nspawn containers. The daemon can GPG verify the downloads (not supported for dkr, since it has no provisions for verifying downloads). It will transparently decompress bz2, xz, gzip compressed downloads if necessary, and restore sparse files on disk. The daemon uses privilege separation to ensure the actual download logic runs with fewer privileges than the daemon itself. machinectl has gained new commands "pull-tar", "pull-raw" and "pull-dkr" to make the functionality of importd available to the user. With this in place the Fedora and Ubuntu "Cloud" images can be downloaded and booted as containers unmodified (the Fedora images lack the appropriate GPG signature files currently, so they cannot be verified, but this will change soon, hopefully). Note that downloading images is currently only fully supported on btrfs. * machinectl is now able to list container images found in /var/lib/machines, along with some metadata about sizes of disk and similar. If the directory is located on btrfs and quota is enabled, this includes quota display. A new command "image-status" has been added that shows additional information about images. * machinectl is now able to clone container images efficiently, if the underlying file system (btrfs) supports it, with the new "machinectl clone" command. It also gained commands for renaming and removing images, as well as marking them read-only or read-write (supported also on legacy file systems). * networkd gained support for collecting LLDP network announcements, from hardware that supports this. This is shown in networkctl output. * systemd-run gained support for a new -t (--pty) switch for invoking a binary on a pty whose input and output is connected to the invoking terminal. This allows executing processes as system services while interactively communicating with them via the terminal. Most interestingly this is supported across container boundaries. Invoking "systemd-run -t /bin/bash" is an alternative to running a full login session, the difference being that the former will not register a session, nor go through the PAM session setup. * tmpfiles gained support for a new "v" line type for creating btrfs subvolumes. If the underlying file system is a legacy file system, this automatically degrades to creating a normal directory. Among others /var/lib/machines is now created like this at boot, should it be missing. * The directory /var/lib/containers/ has been deprecated and been replaced by /var/lib/machines. The term "machines" has been used in the systemd context as generic term for both VMs and containers, and hence appears more appropriate for this, as the directory can also contain raw images bootable via qemu/kvm. * systemd-nspawn when invoked with -M but without --directory= or --image= is now capable of searching for the container root directory, subvolume or disk image automatically, in /var/lib/machines. systemd-nspawn@.service has been updated to make use of this, thus allowing it to be used for raw disk images, too. * A new machines.target unit has been introduced that is supposed to group all containers/VMs invoked as services on the system. systemd-nspawn@.service has been updated to integrate with that. * machinectl gained a new "start" command, for invoking a container as a service. "machinectl start foo" is mostly equivalent to "systemctl start systemd-nspawn@foo.service", but handles escaping in a nicer way. * systemd-nspawn will now mount most of the cgroupfs tree read-only into each container, with the exception of the container's own subtree in the name=systemd hierarchy. * journald now sets the special FS_NOCOW file flag for its journal files. This should improve performance on btrfs, by avoiding heavy fragmentation when journald's write-pattern is used on COW file systems. It degrades btrfs' data integrity guarantees for the files to the same levels as for ext3/ext4 however. This should be OK though as journald does its own data integrity checks and all its objects are checksummed on disk. Also, journald should handle btrfs disk full events a lot more gracefully now, by processing SIGBUS errors, and not relying on fallocate() anymore. * When journald detects that journal files it is writing to have been deleted it will immediately start new journal files. * systemd now provides a way to store file descriptors per-service in PID 1. This is useful for daemons to ensure that fds they require are not lost during a daemon restart. The fds are passed to the daemon on the next invocation in the same way socket activation fds are passed. This is now used by journald to ensure that the various sockets connected to all the system's stdout/stderr are not lost when journald is restarted. File descriptors may be stored in PID 1 via the sd_pid_notify_with_fds() API, an extension to sd_notify(). Note that a limit is enforced on the number of fds a service can store in PID 1, and it defaults to 0, so that no fds may be stored, unless this is explicitly turned on. * The default TERM variable to use for units connected to a terminal, when no other value is explicitly is set is now vt220 rather than vt102. This should be fairly safe still, but allows PgUp/PgDn work. * The /etc/crypttab option header= as known from Debian is now supported. * "loginctl user-status" and "loginctl session-status" will now show the last 10 lines of log messages of the user/session following the status output. Similar, "machinectl status" will show the last 10 log lines associated with a virtual machine or container service. (Note that this is usually not the log messages done in the VM/container itself, but simply what the container manager logs. For nspawn this includes all console output however.) * "loginctl session-status" without further argument will now show the status of the session of the caller. Similar, "lock-session", "unlock-session", "activate", "enable-linger", "disable-linger" may now be called without session/user parameter in which case they apply to the caller's session/user. * An X11 session scriptlet is now shipped that uploads $DISPLAY and $XAUTHORITY into the environment of the systemd --user daemon if a session begins. This should improve compatibility with X11 enabled applications run as systemd user services. * Generators are now subject to masking via /etc and /run, the same way as unit files. * networkd .network files gained support for configuring per-link IPv4/IPv6 packet forwarding as well as IPv4 masquerading. This is by default turned on for veth links to containers, as registered by systemd-nspawn. This means that nspawn containers run with --network-veth will now get automatic routed access to the host's networks without any further configuration or setup, as long as networkd runs on the host. * systemd-nspawn gained the --port= (-p) switch to expose TCP or UDP posts of a container on the host. With this in place it is possible to run containers with private veth links (--network-veth), and have their functionality exposed on the host as if their services were running directly on the host. * systemd-nspawn's --network-veth switch now gained a short version "-n", since with the changes above it is now truly useful out-of-the-box. The systemd-nspawn@.service has been updated to make use of it too by default. * systemd-nspawn will now maintain a per-image R/W lock, to ensure that the same image is not started more than once writable. (It's OK to run an image multiple times simultaneously in read-only mode.) * systemd-nspawn's --image= option is now capable of dissecting and booting MBR and GPT disk images that contain only a single active Linux partition. Previously it supported only GPT disk images with proper GPT type IDs. This allows running cloud images from major distributions directly with systemd-nspawn, without modification. * In addition to collecting mouse dpi data in the udev hardware database, there's now support for collecting angle information for mouse scroll wheels. The database is supposed to guarantee similar scrolling behavior on mice that it knows about. There's also support for collecting information about Touchpad types. * udev's input_id built-in will now also collect touch screen dimension data and attach it to probed devices. * /etc/os-release gained support for a Distribution Privacy Policy link field. * networkd gained support for creating "ipvlan", "gretap", "ip6gre", "ip6gretap" and "ip6tnl" network devices. * systemd-tmpfiles gained support for "a" lines for setting ACLs on files. * systemd-nspawn will now mount /tmp in the container to tmpfs, automatically. * systemd now exposes the memory.usage_in_bytes cgroup attribute and shows it for each service in the "systemctl status" output, if available. * When the user presses Ctrl-Alt-Del more than 7x within 2s an immediate reboot is triggered. This useful if shutdown is hung and is unable to complete, to expedite the operation. Note that this kind of reboot will still unmount all file systems, and hence should not result in fsck being run on next reboot. * A .device unit for an optical block device will now be considered active only when a medium is in the drive. Also, mount units are now bound to their backing devices thus triggering automatic unmounting when devices become unavailable. With this in place systemd will now automatically unmount left-over mounts when a CD-ROM is ejected or a USB stick is yanked from the system. * networkd-wait-online now has support for waiting for specific interfaces only (with globbing), and for giving up after a configurable timeout. * networkd now exits when idle. It will be automatically restarted as soon as interfaces show up, are removed or change state. networkd will stay around as long as there is at least one DHCP state machine or similar around, that keep it non-idle. * networkd may now configure IPv6 link-local addressing in addition to IPv4 link-local addressing. * The IPv6 "token" for use in SLAAC may now be configured for each .network interface in networkd. * Routes configured with networkd may now be assigned a scope in .network files. * networkd's [Match] sections now support globbing and lists of multiple space-separated matches per item. Contributions from: Alban Crequy, Alin Rauta, Andrey Chaser, Bastien Nocera, Bruno Bottazzini, Carlos Garnacho, Carlos Morata Castillo, Chris Atkinson, Chris J. Arges, Christian Kirbach, Christian Seiler, Christoph Brill, Colin Guthrie, Colin Walters, Cristian Rodríguez, Daniele Medri, Daniel Mack, Dave Reisner, David Herrmann, Djalal Harouni, Erik Auerswald, Filipe Brandenburger, Frank Theile, Gabor Kelemen, Gabriel de Perthuis, Harald Hoyer, Hui Wang, Ivan Shapovalov, Jan Engelhardt, Jan Synacek, Jay Faulkner, Johannes Hölzl, Jonas Ådahl, Jonathan Boulle, Josef Andersson, Kay Sievers, Ken Werner, Lennart Poettering, Lucas De Marchi, Lukas Märdian, Lukas Nykryn, Lukasz Skalski, Luke Shumaker, Mantas Mikulėnas, Manuel Mendez, Marcel Holtmann, Marc Schmitzer, Marko Myllynen, Martin Pitt, Maxim Mikityanskiy, Michael Biebl, Michael Marineau, Michael Olbrich, Michal Schmidt, Mindaugas Baranauskas, Moez Bouhlel, Naveen Kumar, Patrik Flykt, Paul Martin, Peter Hutterer, Peter Mattern, Philippe De Swert, Piotr Drąg, Rafael Ferreira, Rami Rosen, Robert Milasan, Ronny Chevalier, Sangjung Woo, Sebastien Bacher, Sergey Ptashnick, Shawn Landden, Stéphane Graber, Susant Sahani, Sylvain Plantefève, Thomas Hindoe Paaboel Andersen, Tim JP, Tom Gundersen, Topi Miettinen, Torstein Husebø, Umut Tezduyar Lindskog, Veres Lajos, Vincent Batts, WaLyong Cho, Wieland Hoffmann, Zbigniew Jędrzejewski-Szmek — Berlin, 2015-02-16 CHANGES WITH 218: * When querying unit file enablement status (for example via "systemctl is-enabled"), a new state "indirect" is now known which indicates that a unit might not be enabled itself, but another unit listed in its Also= setting might be. * Similar to the various existing ConditionXYZ= settings for units, there are now matching AssertXYZ= settings. While failing conditions cause a unit to be skipped, but its job to succeed, failing assertions declared like this will cause a unit start operation and its job to fail. * hostnamed now knows a new chassis type "embedded". * systemctl gained a new "edit" command. When used on a unit file, this allows extending unit files with .d/ drop-in configuration snippets or editing the full file (after copying it from /usr/lib to /etc). This will invoke the user's editor (as configured with $EDITOR), and reload the modified configuration after editing. * "systemctl status" now shows the suggested enablement state for a unit, as declared in the (usually vendor-supplied) system preset files. * nss-myhostname will now resolve the single-label hostname "gateway" to the locally configured default IP routing gateways, ordered by their metrics. This assigns a stable name to the used gateways, regardless which ones are currently configured. Note that the name will only be resolved after all other name sources (if nss-myhostname is configured properly) and should hence not negatively impact systems that use the single-label hostname "gateway" in other contexts. * systemd-inhibit now allows filtering by mode when listing inhibitors. * Scope and service units gained a new "Delegate" boolean property, which, when set, allows processes running inside the unit to further partition resources. This is primarily useful for systemd user instances as well as container managers. * journald will now pick up audit messages directly from the kernel, and log them like any other log message. The audit fields are split up and fully indexed. This means that journalctl in many ways is now a (nicer!) alternative to ausearch, the traditional audit client. Note that this implements only a minimal audit client. If you want the special audit modes like reboot-on-log-overflow, please use the traditional auditd instead, which can be used in parallel to journald. * The ConditionSecurity= unit file option now understands the special string "audit" to check whether auditing is available. * journalctl gained two new commands --vacuum-size= and --vacuum-time= to delete old journal files until the remaining ones take up no more than the specified size on disk, or are not older than the specified time. * A new, native PPPoE library has been added to sd-network, systemd's library of light-weight networking protocols. This library will be used in a future version of networkd to enable PPPoE communication without an external pppd daemon. * The busctl tool now understands a new "capture" verb that works similar to "monitor", but writes a packet capture trace to STDOUT that can be redirected to a file which is compatible with libcap's capture file format. This can then be loaded in Wireshark and similar tools to inspect bus communication. * The busctl tool now understands a new "tree" verb that shows the object trees of a specific service on the bus, or of all services. * The busctl tool now understands a new "introspect" verb that shows all interfaces and members of objects on the bus, including their signature and values. This is particularly useful to get more information about bus objects shown by the new "busctl tree" command. * The busctl tool now understands new verbs "call", "set-property" and "get-property" for invoking bus method calls, setting and getting bus object properties in a friendly way. * busctl gained a new --augment-creds= argument that controls whether the tool shall augment credential information it gets from the bus with data from /proc, in a possibly race-ful way. * nspawn's --link-journal= switch gained two new values "try-guest" and "try-host" that work like "guest" and "host", but do not fail if the host has no persistent journaling enabled. -j is now equivalent to --link-journal=try-guest. * macvlan network devices created by nspawn will now have stable MAC addresses. * A new SmackProcessLabel= unit setting has been added, which controls the SMACK security label processes forked off by the respective unit shall use. * If compiled with --enable-xkbcommon, systemd-localed will verify x11 keymap settings by compiling the given keymap. It will spew out warnings if the compilation fails. This requires libxkbcommon to be installed. * When a coredump is collected, a larger number of metadata fields is now collected and included in the journal records created for it. More specifically, control group membership, environment variables, memory maps, working directory, chroot directory, /proc/$PID/status, and a list of open file descriptors is now stored in the log entry. * The udev hwdb now contains DPI information for mice. For details see: http://who-t.blogspot.de/2014/12/building-a-dpi-database-for-mice.html * All systemd programs that read standalone configuration files in /etc now also support a corresponding series of .conf.d configuration directories in /etc/, /run/, /usr/local/lib/, /usr/lib/, and (if configured with --enable-split-usr) /lib/. In particular, the following configuration files now have corresponding configuration directories: system.conf user.conf, logind.conf, journald.conf, sleep.conf, bootchart.conf, coredump.conf, resolved.conf, timesyncd.conf, journal-remote.conf, and journal-upload.conf. Note that distributions should use the configuration directories in /usr/lib/; the directories in /etc/ are reserved for the system administrator. * systemd-rfkill will no longer take the rfkill device name into account when storing rfkill state on disk, as the name might be dynamically assigned and not stable. Instead, the ID_PATH udev variable combined with the rfkill type (wlan, bluetooth, …) is used. * A new service systemd-machine-id-commit.service has been added. When used on systems where /etc is read-only during boot, and /etc/machine-id is not initialized (but an empty file), this service will copy the temporary machine ID created as replacement into /etc after the system is fully booted up. This is useful for systems that are freshly installed with a non-initialized machine ID, but should get a fixed machine ID for subsequent boots. * networkd's .netdev files now provide a large set of configuration parameters for VXLAN devices. Similarly, the bridge port cost parameter is now configurable in .network files. There's also new support for configuring IP source routing. networkd .link files gained support for a new OriginalName= match that is useful to match against the original interface name the kernel assigned. .network files may include MTU= and MACAddress= fields for altering the MTU and MAC address while being connected to a specific network interface. * The LUKS logic gained supported for configuring UUID-specific key files. There's also new support for naming LUKS device from the kernel command line, using the new luks.name= argument. * Timer units may now be transiently created via the bus API (this was previously already available for scope and service units). In addition it is now possible to create multiple transient units at the same time with a single bus call. The "systemd-run" tool has been updated to make use of this for running commands on a specified time, in at(1)-style. * tmpfiles gained support for "t" lines, for assigning extended attributes to files. Among other uses this may be used to assign SMACK labels to files. Contributions from: Alin Rauta, Alison Chaiken, Andrej Manduch, Bastien Nocera, Chris Atkinson, Chris Leech, Chris Mayo, Colin Guthrie, Colin Walters, Cristian Rodríguez, Daniele Medri, Daniel Mack, Dan Williams, Dan Winship, Dave Reisner, David Herrmann, Didier Roche, Felipe Sateler, Gavin Li, Hans de Goede, Harald Hoyer, Iago López Galeiras, Ivan Shapovalov, Jakub Filak, Jan Janssen, Jan Synacek, Joe Lawrence, Josh Triplett, Kay Sievers, Lennart Poettering, Lukas Nykryn, Łukasz Stelmach, Maciej Wereski, Mantas Mikulėnas, Marcel Holtmann, Martin Pitt, Maurizio Lombardi, Michael Biebl, Michael Chapman, Michael Marineau, Michal Schmidt, Michal Sekletar, Olivier Brunel, Patrik Flykt, Peter Hutterer, Przemyslaw Kedzierski, Rami Rosen, Ray Strode, Richard Schütz, Richard W.M. Jones, Ronny Chevalier, Ross Lagerwall, Sean Young, Stanisław Pitucha, Susant Sahani, Thomas Haller, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Vicente Olivert Riera, WaLyong Cho, Wesley Dawson, Zbigniew Jędrzejewski-Szmek — Berlin, 2014-12-10 CHANGES WITH 217: * journalctl gained the new options -t/--identifier= to match on the syslog identifier (aka "tag"), as well as --utc to show log timestamps in the UTC timezone. journalctl now also accepts -n/--lines=all to disable line capping in a pager. * journalctl gained a new switch, --flush, that synchronously flushes logs from /run/log/journal to /var/log/journal if persistent storage is enabled. systemd-journal-flush.service now waits until the operation is complete. * Services can notify the manager before they start a reload (by sending RELOADING=1) or shutdown (by sending STOPPING=1). This allows the manager to track and show the internal state of daemons and closes a race condition when the process is still running but has closed its D-Bus connection. * Services with Type=oneshot do not have to have any ExecStart commands anymore. * User units are now loaded also from $XDG_RUNTIME_DIR/systemd/user/. This is similar to the /run/systemd/user directory that was already previously supported, but is under the control of the user. * Job timeouts (i.e. timeouts on the time a job that is queued stays in the run queue) can now optionally result in immediate reboot or power-off actions (JobTimeoutAction= and JobTimeoutRebootArgument=). This is useful on ".target" units, to limit the maximum time a target remains undispatched in the run queue, and to trigger an emergency operation in such a case. This is now used by default to turn off the system if boot-up (as defined by everything in basic.target) hangs and does not complete for at least 15min. Also, if power-off or reboot hang for at least 30min an immediate power-off/reboot operation is triggered. This functionality is particularly useful to increase reliability on embedded devices, but also on laptops which might accidentally get powered on when carried in a backpack and whose boot stays stuck in a hard disk encryption passphrase question. * systemd-logind can be configured to also handle lid switch events even when the machine is docked or multiple displays are attached (HandleLidSwitchDocked= option). * A helper binary and a service have been added which can be used to resume from hibernation in the initramfs. A generator will parse the resume= option on the kernel command line to trigger resume. * A user console daemon systemd-consoled has been added. Currently, it is a preview, and will so far open a single terminal on each session of the user marked as Desktop=systemd-console. * Route metrics can be specified for DHCP routes added by systemd-networkd. * The SELinux context of socket-activated services can be set from the information provided by the networking stack (SELinuxContextFromNet= option). * Userspace firmware loading support has been removed and the minimum supported kernel version is thus bumped to 3.7. * Timeout for udev workers has been increased from 1 to 3 minutes, but a warning will be printed after 1 minute to help diagnose kernel modules that take a long time to load. * Udev rules can now remove tags on devices with TAG-="foobar". * systemd's readahead implementation has been removed. In many circumstances it didn't give expected benefits even for rotational disk drives and was becoming less relevant in the age of SSDs. As none of the developers has been using rotating media anymore, and nobody stepped up to actively maintain this component of systemd it has now been removed. * Swap units can use Options= to specify discard options. Discard options specified for swaps in /etc/fstab are now respected. * Docker containers are now detected as a separate type of virtualization. * The Password Agent protocol gained support for queries where the user input is shown, useful e.g. for user names. systemd-ask-password gained a new --echo option to turn that on. * The default sysctl.d/ snippets will now set: net.core.default_qdisc = fq_codel This selects Fair Queuing Controlled Delay as the default queuing discipline for network interfaces. fq_codel helps fight the network bufferbloat problem. It is believed to be a good default with no tuning required for most workloads. Downstream distributions may override this choice. On 10Gbit servers that do not do forwarding, "fq" may perform better. Systems without a good clocksource should use "pfifo_fast". * If kdbus is enabled during build a new option BusPolicy= is available for service units, that allows locking all service processes into a stricter bus policy, in order to limit access to various bus services, or even hide most of them from the service's view entirely. * networkctl will now show the .network and .link file networkd has applied to a specific interface. * sd-login gained a new API call sd_session_get_desktop() to query which desktop environment has been selected for a session. * UNIX utmp support is now compile-time optional to support legacy-free systems. * systemctl gained two new commands "add-wants" and "add-requires" for pulling in units from specific targets easily. * If the word "rescue" is specified on the kernel command line the system will now boot into rescue mode (aka rescue.target), which was previously available only by specifying "1" or "systemd.unit=rescue.target" on the kernel command line. This new kernel command line option nicely mirrors the already existing "emergency" kernel command line option. * New kernel command line options mount.usr=, mount.usrflags=, mount.usrfstype= have been added that match root=, rootflags=, rootfstype= but allow mounting a specific file system to /usr. * The $NOTIFY_SOCKET is now also passed to control processes of services, not only the main process. * This version reenables support for fsck's -l switch. This means at least version v2.25 of util-linux is required for operation, otherwise dead-locks on device nodes may occur. Again: you need to update util-linux to at least v2.25 when updating systemd to v217. * The "multi-seat-x" tool has been removed from systemd, as its functionality has been integrated into X servers 1.16, and the tool is hence redundant. It is recommended to update display managers invoking this tool to simply invoke X directly from now on, again. * Support for the new ALLOW_INTERACTIVE_AUTHORIZATION D-Bus message flag has been added for all of systemd's polkit authenticated method calls has been added. In particular this now allows optional interactive authorization via polkit for many of PID1's privileged operations such as unit file enabling and disabling. * "udevadm hwdb --update" learnt a new switch "--usr" for placing the rebuilt hardware database in /usr instead of /etc. When used only hardware database entries stored in /usr will be used, and any user database entries in /etc are ignored. This functionality is useful for vendors to ship a pre-built database on systems where local configuration is unnecessary or unlikely. * Calendar time specifications in .timer units now also understand the strings "semi-annually", "quarterly" and "minutely" as shortcuts (in addition to the preexisting "annually", "hourly", …). * systemd-tmpfiles will now correctly create files in /dev at boot which are marked for creation only at boot. It is recommended to always create static device nodes with 'c!' and 'b!', so that they are created only at boot and not overwritten at runtime. * When the watchdog logic is used for a service (WatchdogSec=) and the watchdog timeout is hit the service will now be terminated with SIGABRT (instead of just SIGTERM), in order to make sure a proper coredump and backtrace is generated. This ensures that hanging services will result in similar coredump/backtrace behaviour as services that hit a segmentation fault. Contributions from: Andreas Henriksson, Andrei Borzenkov, Angus Gibson, Ansgar Burchardt, Ben Wolsieffer, Brandon L. Black, Christian Hesse, Cristian Rodríguez, Daniel Buch, Daniele Medri, Daniel Mack, Dan Williams, Dave Reisner, David Herrmann, David Sommerseth, David Strauss, Emil Renner Berthing, Eric Cook, Evangelos Foutras, Filipe Brandenburger, Gustavo Sverzut Barbieri, Hans de Goede, Harald Hoyer, Hristo Venev, Hugo Grostabussiat, Ivan Shapovalov, Jan Janssen, Jan Synacek, Jonathan Liu, Juho Son, Karel Zak, Kay Sievers, Klaus Purer, Koen Kooi, Lennart Poettering, Lukas Nykryn, Lukasz Skalski, Łukasz Stelmach, Mantas Mikulėnas, Marcel Holtmann, Marius Tessmann, Marko Myllynen, Martin Pitt, Michael Biebl, Michael Marineau, Michael Olbrich, Michael Scherer, Michal Schmidt, Michal Sekletar, Miroslav Lichvar, Patrik Flykt, Philippe De Swert, Piotr Drąg, Rahul Sundaram, Richard Weinberger, Robert Milasan, Ronny Chevalier, Ruben Kerkhof, Santiago Vila, Sergey Ptashnick, Simon McVittie, Sjoerd Simons, Stefan Brüns, Steven Allen, Steven Noonan, Susant Sahani, Sylvain Plantefève, Thomas Hindoe Paaboel Andersen, Timofey Titovets, Tobias Hunger, Tom Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, WaLyong Cho, Zbigniew Jędrzejewski-Szmek — Berlin, 2014-10-28 CHANGES WITH 216: * timedated no longer reads NTP implementation unit names from /usr/lib/systemd/ntp-units.d/*.list. Alternative NTP implementations should add a Conflicts=systemd-timesyncd.service to their unit files to take over and replace systemd's NTP default functionality. * systemd-sysusers gained a new line type "r" for configuring which UID/GID ranges to allocate system users/groups from. Lines of type "u" may now add an additional column that specifies the home directory for the system user to be created. Also, systemd-sysusers may now optionally read user information from STDIN instead of a file. This is useful for invoking it from RPM preinst scriptlets that need to create users before the first RPM file is installed since these files might need to be owned by them. A new %sysusers_create_inline RPM macro has been introduced to do just that. systemd-sysusers now updates the shadow files as well as the user/group databases, which should enhance compatibility with certain tools like grpck. * A number of bus APIs of PID 1 now optionally consult polkit to permit access for otherwise unprivileged clients under certain conditions. Note that this currently doesn't support interactive authentication yet, but this is expected to be added eventually, too. * /etc/machine-info now has new fields for configuring the deployment environment of the machine, as well as the location of the machine. hostnamectl has been updated with new command to update these fields. * systemd-timesyncd has been updated to automatically acquire NTP server information from systemd-networkd, which might have been discovered via DHCP. * systemd-resolved now includes a caching DNS stub resolver and a complete LLMNR name resolution implementation. A new NSS module "nss-resolve" has been added which can be used instead of glibc's own "nss-dns" to resolve hostnames via systemd-resolved. Hostnames, addresses and arbitrary RRs may be resolved via systemd-resolved D-Bus APIs. In contrast to the glibc internal resolver systemd-resolved is aware of multi-homed system, and keeps DNS server and caches separate and per-interface. Queries are sent simultaneously on all interfaces that have DNS servers configured, in order to properly handle VPNs and local LANs which might resolve separate sets of domain names. systemd-resolved may acquire DNS server information from systemd-networkd automatically, which in turn might have discovered them via DHCP. A tool "systemd-resolve-host" has been added that may be used to query the DNS logic in resolved. systemd-resolved implements IDNA and automatically uses IDNA or UTF-8 encoding depending on whether classic DNS or LLMNR is used as transport. In the next releases we intend to add a DNSSEC and mDNS/DNS-SD implementation to systemd-resolved. * A new NSS module nss-mymachines has been added, that automatically resolves the names of all local registered containers to their respective IP addresses. * A new client tool "networkctl" for systemd-networkd has been added. It currently is entirely passive and will query networking configuration from udev, rtnetlink and networkd, and present it to the user in a very friendly way. Eventually, we hope to extend it to become a full control utility for networkd. * .socket units gained a new DeferAcceptSec= setting that controls the kernels' TCP_DEFER_ACCEPT sockopt for TCP. Similarly, support for controlling TCP keep-alive settings has been added (KeepAliveTimeSec=, KeepAliveIntervalSec=, KeepAliveProbes=). Also, support for turning off Nagle's algorithm on TCP has been added (NoDelay=). * logind learned a new session type "web", for use in projects like Cockpit which register web clients as PAM sessions. * timer units with at least one OnCalendar= setting will now be started only after time-sync.target has been reached. This way they will not elapse before the system clock has been corrected by a local NTP client or similar. This is particular useful on RTC-less embedded machines, that come up with an invalid system clock. * systemd-nspawn's --network-veth= switch should now result in stable MAC addresses for both the outer and the inner side of the link. * systemd-nspawn gained a new --volatile= switch for running container instances with /etc or /var unpopulated. * The kdbus client code has been updated to use the new Linux 3.17 memfd subsystem instead of the old kdbus-specific one. * systemd-networkd's DHCP client and server now support FORCERENEW. There are also new configuration options to configure the vendor client identifier and broadcast mode for DHCP. * systemd will no longer inform the kernel about the current timezone, as this is necessarily incorrect and racy as the kernel has no understanding of DST and similar concepts. This hence means FAT timestamps will be always considered UTC, similar to what Android is already doing. Also, when the RTC is configured to the local time (rather than UTC) systemd will never synchronize back to it, as this might confuse Windows at a later boot. * systemd-analyze gained a new command "verify" for offline validation of unit files. * systemd-networkd gained support for a couple of additional settings for bonding networking setups. Also, the metric for statically configured routes may now be configured. For network interfaces where this is appropriate the peer IP address may now be configured. * systemd-networkd's DHCP client will no longer request broadcasting by default, as this tripped up some networks. For hardware where broadcast is required the feature should be switched back on using RequestBroadcast=yes. * systemd-networkd will now set up IPv4LL addresses (when enabled) even if DHCP is configured successfully. * udev will now default to respect network device names given by the kernel when the kernel indicates that these are predictable. This behavior can be tweaked by changing NamePolicy= in the relevant .link file. * A new library systemd-terminal has been added that implements full TTY stream parsing and rendering. This library is supposed to be used later on for implementing a full userspace VT subsystem, replacing the current kernel implementation. * A new tool systemd-journal-upload has been added to push journal data to a remote system running systemd-journal-remote. * journald will no longer forward all local data to another running syslog daemon. This change has been made because rsyslog (which appears to be the most commonly used syslog implementation these days) no longer makes use of this, and instead pulls the data out of the journal on its own. Since forwarding the messages to a non-existent syslog server is more expensive than we assumed we have now turned this off. If you run a syslog server that is not a recent rsyslog version, you have to turn this option on again (ForwardToSyslog= in journald.conf). * journald now optionally supports the LZ4 compressor for larger journal fields. This compressor should perform much better than XZ which was the previous default. * machinectl now shows the IP addresses of local containers, if it knows them, plus the interface name of the container. * A new tool "systemd-escape" has been added that makes it easy to escape strings to build unit names and similar. * sd_notify() messages may now include a new ERRNO= field which is parsed and collected by systemd and shown among the "systemctl status" output for a service. * A new component "systemd-firstboot" has been added that queries the most basic systemd information (timezone, hostname, root password) interactively on first boot. Alternatively it may also be used to provision these things offline on OS images installed into directories. * The default sysctl.d/ snippets will now set net.ipv4.conf.default.promote_secondaries=1 This has the benefit of no flushing secondary IP addresses when primary addresses are removed. Contributions from: Ansgar Burchardt, Bastien Nocera, Colin Walters, Dan Dedrick, Daniel Buch, Daniel Korostil, Daniel Mack, Dan Williams, Dave Reisner, David Herrmann, Denis Kenzior, Eelco Dolstra, Eric Cook, Hannes Reinecke, Harald Hoyer, Hong Shick Pak, Hui Wang, Jean-André Santoni, Jóhann B. Guðmundsson, Jon Severinsson, Karel Zak, Kay Sievers, Kevin Wells, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas, Marc-Antoine Perennou, Martin Pitt, Michael Biebl, Michael Marineau, Michael Olbrich, Michal Schmidt, Michal Sekletar, Miguel Angel Ajo, Mike Gilbert, Olivier Brunel, Robert Schiele, Ronny Chevalier, Simon McVittie, Sjoerd Simons, Stef Walter, Steven Noonan, Susant Sahani, Tanu Kaskinen, Thomas Blume, Thomas Hindoe Paaboel Andersen, Timofey Titovets, Tobias Geerinckx-Rice, Tomasz Torcz, Tom Gundersen, Umut Tezduyar Lindskog, Zbigniew Jędrzejewski-Szmek — Berlin, 2014-08-19 CHANGES WITH 215: * A new tool systemd-sysusers has been added. This tool creates system users and groups in /etc/passwd and /etc/group, based on static declarative system user/group definitions in /usr/lib/sysusers.d/. This is useful to enable factory resets and volatile systems that boot up with an empty /etc directory, and thus need system users and groups created during early boot. systemd now also ships with two default sysusers.d/ files for the most basic users and groups systemd and the core operating system require. * A new tmpfiles snippet has been added that rebuilds the essential files in /etc on boot, should they be missing. * A directive for ensuring automatic clean-up of /var/cache/man/ has been removed from the default configuration. This line should now be shipped by the man implementation. The necessary change has been made to the man-db implementation. Note that you need to update your man implementation to one that ships this line, otherwise no automatic clean-up of /var/cache/man will take place. * A new condition ConditionNeedsUpdate= has been added that may conditionalize services to only run when /etc or /var are "older" than the vendor operating system resources in /usr. This is useful for reconstructing or updating /etc after an offline update of /usr or a factory reset, on the next reboot. Services that want to run once after such an update or reset should use this condition and order themselves before the new systemd-update-done.service, which will mark the two directories as fully updated. A number of service files have been added making use of this, to rebuild the udev hardware database, the journald message catalog and dynamic loader cache (ldconfig). The systemd-sysusers tool described above also makes use of this now. With this in place it is now possible to start up a minimal operating system with /etc empty cleanly. For more information on the concepts involved see this recent blog story: https://0pointer.de/blog/projects/stateless.html * A new system group "input" has been introduced, and all input device nodes get this group assigned. This is useful for system-level software to get access to input devices. It complements what is already done for "audio" and "video". * systemd-networkd learnt minimal DHCPv4 server support in addition to the existing DHCPv4 client support. It also learnt DHCPv6 client and IPv6 Router Solicitation client support. The DHCPv4 client gained support for static routes passed in from the server. Note that the [DHCPv4] section known in older systemd-networkd versions has been renamed to [DHCP] and is now also used by the DHCPv6 client. Existing .network files using settings of this section should be updated, though compatibility is maintained. Optionally, the client hostname may now be sent to the DHCP server. * networkd gained support for vxlan virtual networks as well as tun/tap and dummy devices. * networkd gained support for automatic allocation of address ranges for interfaces from a system-wide pool of addresses. This is useful for dynamically managing a large number of interfaces with a single network configuration file. In particular this is useful to easily assign appropriate IP addresses to the veth links of a large number of nspawn instances. * RPM macros for processing sysusers, sysctl and binfmt drop-in snippets at package installation time have been added. * The /etc/os-release file should now be placed in /usr/lib/os-release. The old location is automatically created as symlink. /usr/lib is the more appropriate location of this file, since it shall actually describe the vendor operating system shipped in /usr, and not the configuration stored in /etc. * .mount units gained a new boolean SloppyOptions= setting that maps to mount(8)'s -s option which enables permissive parsing of unknown mount options. * tmpfiles learnt a new "L+" directive which creates a symlink but (unlike "L") deletes a pre-existing file first, should it already exist and not already be the correct symlink. Similarly, "b+", "c+" and "p+" directives have been added as well, which create block and character devices, as well as fifos in the filesystem, possibly removing any pre-existing files of different types. * For tmpfiles' "L", "L+", "C" and "C+" directives the final 'argument' field (which so far specified the source to symlink/copy the files from) is now optional. If omitted the same file os copied from /usr/share/factory/ suffixed by the full destination path. This is useful for populating /etc with essential files, by copying them from vendor defaults shipped in /usr/share/factory/etc. * A new command "systemctl preset-all" has been added that applies the service preset settings to all installed unit files. A new switch --preset-mode= has been added that controls whether only enable or only disable operations shall be executed. * A new command "systemctl is-system-running" has been added that allows checking the overall state of the system, for example whether it is fully up and running. * When the system boots up with an empty /etc, the equivalent to "systemctl preset-all" is executed during early boot, to make sure all default services are enabled after a factory reset. * systemd now contains a minimal preset file that enables the most basic services systemd ships by default. * Unit files' [Install] section gained a new DefaultInstance= field for defining the default instance to create if a template unit is enabled with no instance specified. * A new passive target cryptsetup-pre.target has been added that may be used by services that need to make they run and finish before the first LUKS cryptographic device is set up. * The /dev/loop-control and /dev/btrfs-control device nodes are now owned by the "disk" group by default, opening up access to this group. * systemd-coredump will now automatically generate a stack trace of all core dumps taking place on the system, based on elfutils' libdw library. This stack trace is logged to the journal. * systemd-coredump may now optionally store coredumps directly on disk (in /var/lib/systemd/coredump, possibly compressed), instead of storing them unconditionally in the journal. This mode is the new default. A new configuration file /etc/systemd/coredump.conf has been added to configure this and other parameters of systemd-coredump. * coredumpctl gained a new "info" verb to show details about a specific coredump. A new switch "-1" has also been added that makes sure to only show information about the most recent entry instead of all entries. Also, as the tool is generally useful now the "systemd-" prefix of the binary name has been removed. Distributions that want to maintain compatibility with the old name should add a symlink from the old name to the new name. * journald's SplitMode= now defaults to "uid". This makes sure that unprivileged users can access their own coredumps with coredumpctl without restrictions. * New kernel command line options "systemd.wants=" (for pulling an additional unit during boot), "systemd.mask=" (for masking a specific unit for the boot), and "systemd.debug-shell" (for enabling the debug shell on tty9) have been added. This is implemented in the new generator "systemd-debug-generator". * systemd-nspawn will now by default filter a couple of syscalls for containers, among them those required for kernel module loading, direct x86 IO port access, swap management, and kexec. Most importantly though open_by_handle_at() is now prohibited for containers, closing a hole similar to a recently discussed vulnerability in docker regarding access to files on file hierarchies the container should normally not have access to. Note that, for nspawn, we generally make no security claims anyway (and this is explicitly documented in the man page), so this is just a fix for one of the most obvious problems. * A new man page file-hierarchy(7) has been added that contains a minimized, modernized version of the file system layout systemd expects, similar in style to the FHS specification or hier(5). A new tool systemd-path(1) has been added to query many of these paths for the local machine and user. * Automatic time-based clean-up of $XDG_RUNTIME_DIR is no longer done. Since the directory now has a per-user size limit, and is cleaned on logout this appears unnecessary, in particular since this now brings the lifecycle of this directory closer in line with how IPC objects are handled. * systemd.pc now exports a number of additional directories, including $libdir (which is useful to identify the library path for the primary architecture of the system), and a couple of drop-in directories. * udev's predictable network interface names now use the dev_port sysfs attribute, introduced in linux 3.15 instead of dev_id to distinguish between ports of the same PCI function. dev_id should only be used for ports using the same HW address, hence the need for dev_port. * machined has been updated to export the OS version of a container (read from /etc/os-release and /usr/lib/os-release) on the bus. This is now shown in "machinectl status" for a machine. * A new service setting RestartForceExitStatus= has been added. If configured to a set of exit signals or process return values, the service will be restarted when the main daemon process exits with any of them, regardless of the Restart= setting. * systemctl's -H switch for connecting to remote systemd machines has been extended so that it may be used to directly connect to a specific container on the host. "systemctl -H root@foobar:waldi" will now connect as user "root" to host "foobar", and then proceed directly to the container named "waldi". Note that currently you have to authenticate as user "root" for this to work, as entering containers is a privileged operation. Contributions from: Andreas Henriksson, Benjamin Steinwender, Carl Schaefer, Christian Hesse, Colin Ian King, Cristian Rodríguez, Daniel Mack, Dave Reisner, David Herrmann, Eugene Yakubovich, Filipe Brandenburger, Frederic Crozat, Hristo Venev, Jan Engelhardt, Jonathan Boulle, Kay Sievers, Lennart Poettering, Luke Shumaker, Mantas Mikulėnas, Marc-Antoine Perennou, Marcel Holtmann, Michael Marineau, Michael Olbrich, Michał Bartoszkiewicz, Michal Sekletar, Patrik Flykt, Ronan Le Martret, Ronny Chevalier, Ruediger Oertel, Steven Noonan, Susant Sahani, Thadeu Lima de Souza Cascardo, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Tom Hirst, Umut Tezduyar Lindskog, Uoti Urpala, Zbigniew Jędrzejewski-Szmek — Berlin, 2014-07-03 CHANGES WITH 214: * As an experimental feature, udev now tries to lock the disk device node (flock(LOCK_SH|LOCK_NB)) while it executes events for the disk or any of its partitions. Applications like partitioning programs can lock the disk device node (flock(LOCK_EX)) and claim temporary device ownership that way; udev will entirely skip all event handling for this disk and its partitions. If the disk was opened for writing, the close will trigger a partition table rescan in udev's "watch" facility, and if needed synthesize "change" events for the disk and all its partitions. This is now unconditionally enabled, and if it turns out to cause major problems, we might turn it on only for specific devices, or might need to disable it entirely. Device Mapper devices are excluded from this logic. * We temporarily dropped the "-l" switch for fsck invocations, since they collide with the flock() logic above. util-linux upstream has been changed already to avoid this conflict, and we will re-add "-l" as soon as util-linux with this change has been released. * The dependency on libattr has been removed. Since a long time, the extended attribute calls have moved to glibc, and libattr is thus unnecessary. * Virtualization detection works without privileges now. This means the systemd-detect-virt binary no longer requires CAP_SYS_PTRACE file capabilities, and our daemons can run with fewer privileges. * systemd-networkd now runs under its own "systemd-network" user. It retains the CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST, CAP_NET_RAW capabilities though, but loses the ability to write to files owned by root this way. * Similarly, systemd-resolved now runs under its own "systemd-resolve" user with no capabilities remaining. * Similarly, systemd-bus-proxyd now runs under its own "systemd-bus-proxy" user with only CAP_IPC_OWNER remaining. * systemd-networkd gained support for setting up "veth" virtual Ethernet devices for container connectivity, as well as GRE and VTI tunnels. * systemd-networkd will no longer automatically attempt to manually load kernel modules necessary for certain tunnel transports. Instead, it is assumed the kernel loads them automatically when required. This only works correctly on very new kernels. On older kernels, please consider adding the kernel modules to /etc/modules-load.d/ as a work-around. * The resolv.conf file systemd-resolved generates has been moved to /run/systemd/resolve/. If you have a symlink from /etc/resolv.conf, it might be necessary to correct it. * Two new service settings, ProtectHome= and ProtectSystem=, have been added. When enabled, they will make the user data (such as /home) inaccessible or read-only and the system (such as /usr) read-only, for specific services. This allows very light-weight per-service sandboxing to avoid modifications of user data or system files from services. These two new switches have been enabled for all of systemd's long-running services, where appropriate. * Socket units gained new SocketUser= and SocketGroup= settings to set the owner user and group of AF_UNIX sockets and FIFOs in the file system. * Socket units gained a new RemoveOnStop= setting. If enabled, all FIFOS and sockets in the file system will be removed when the specific socket unit is stopped. * Socket units gained a new Symlinks= setting. It takes a list of symlinks to create to file system sockets or FIFOs created by the specific Unix sockets. This is useful to manage symlinks to socket nodes with the same lifecycle as the socket itself. * The /dev/log socket and /dev/initctl FIFO have been moved to /run, and have been replaced by symlinks. This allows connecting to these facilities even if PrivateDevices=yes is used for a service (which makes /dev/log itself unavailable, but /run is left). This also has the benefit of ensuring that /dev only contains device nodes, directories and symlinks, and nothing else. * sd-daemon gained two new calls sd_pid_notify() and sd_pid_notifyf(). They are similar to sd_notify() and sd_notifyf(), but allow overriding of the source PID of notification messages if permissions permit this. This is useful to send notify messages on behalf of a different process (for example, the parent process). The systemd-notify tool has been updated to make use of this when sending messages (so that notification messages now originate from the shell script invoking systemd-notify and not the systemd-notify process itself. This should minimize a race where systemd fails to associate notification messages to services when the originating process already vanished. * A new "on-abnormal" setting for Restart= has been added. If set, it will result in automatic restarts on all "abnormal" reasons for a process to exit, which includes unclean signals, core dumps, timeouts and watchdog timeouts, but does not include clean and unclean exit codes or clean signals. Restart=on-abnormal is an alternative for Restart=on-failure for services that shall be able to terminate and avoid restarts on certain errors, by indicating so with an unclean exit code. Restart=on-failure or Restart=on-abnormal is now the recommended setting for all long-running services. * If the InaccessibleDirectories= service setting points to a mount point (or if there are any submounts contained within it), it is now attempted to completely unmount it, to make the file systems truly unavailable for the respective service. * The ReadOnlyDirectories= service setting and systemd-nspawn's --read-only parameter are now recursively applied to all submounts, too. * Mount units may now be created transiently via the bus APIs. * The support for SysV and LSB init scripts has been removed from the systemd daemon itself. Instead, it is now implemented as a generator that creates native systemd units from these scripts when needed. This enables us to remove a substantial amount of legacy code from PID 1, following the fact that many distributions only ship a very small number of LSB/SysV init scripts nowadays. * Privileged Xen (dom0) domains are not considered virtualization anymore by the virtualization detection logic. After all, they generally have unrestricted access to the hardware and usually are used to manage the unprivileged (domU) domains. * systemd-tmpfiles gained a new "C" line type, for copying files or entire directories. * systemd-tmpfiles "m" lines are now fully equivalent to "z" lines. So far, they have been non-globbing versions of the latter, and have thus been redundant. In future, it is recommended to only use "z". "m" has hence been removed from the documentation, even though it stays supported. * A tmpfiles snippet to recreate the most basic structure in /var has been added. This is enough to create the /var/run → /run symlink and create a couple of structural directories. This allows systems to boot up with an empty or volatile /var. Of course, while with this change, the core OS now is capable with dealing with a volatile /var, not all user services are ready for it. However, we hope that sooner or later, many service daemons will be changed upstream so that they are able to automatically create their necessary directories in /var at boot, should they be missing. This is the first step to allow state-less systems that only require the vendor image for /usr to boot. * systemd-nspawn has gained a new --tmpfs= switch to mount an empty tmpfs instance to a specific directory. This is particularly useful for making use of the automatic reconstruction of /var (see above), by passing --tmpfs=/var. * Access modes specified in tmpfiles snippets may now be prefixed with "~", which indicates that they shall be masked by whether the existing file or directory is currently writable, readable or executable at all. Also, if specified, the sgid/suid/sticky bits will be masked for all non-directories. * A new passive target unit "network-pre.target" has been added which is useful for services that shall run before any network is configured, for example firewall scripts. * The "floppy" group that previously owned the /dev/fd* devices is no longer used. The "disk" group is now used instead. Distributions should probably deprecate usage of this group. Contributions from: Camilo Aguilar, Christian Hesse, Colin Ian King, Cristian Rodríguez, Daniel Buch, Dave Reisner, David Strauss, Denis Tikhomirov, John, Jonathan Liu, Kay Sievers, Lennart Poettering, Mantas Mikulėnas, Mark Eichin, Ronny Chevalier, Susant Sahani, Thomas Blume, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Umut Tezduyar Lindskog, Zbigniew Jędrzejewski-Szmek — Berlin, 2014-06-11 CHANGES WITH 213: * A new "systemd-timesyncd" daemon has been added for synchronizing the system clock across the network. It implements an SNTP client. In contrast to NTP implementations such as chrony or the NTP reference server, this only implements a client side, and does not bother with the full NTP complexity, focusing only on querying time from one remote server and synchronizing the local clock to it. Unless you intend to serve NTP to networked clients or want to connect to local hardware clocks, this simple NTP client should be more than appropriate for most installations. The daemon runs with minimal privileges, and has been hooked up with networkd to only operate when network connectivity is available. The daemon saves the current clock to disk every time a new NTP sync has been acquired, and uses this to possibly correct the system clock early at bootup, in order to accommodate for systems that lack an RTC such as the Raspberry Pi and embedded devices, and to make sure that time monotonically progresses on these systems, even if it is not always correct. To make use of this daemon, a new system user and group "systemd-timesync" needs to be created on installation of systemd. * The queue "seqnum" interface of libudev has been disabled, as it was generally incompatible with device namespacing as sequence numbers of devices go "missing" if the devices are part of a different namespace. * "systemctl list-timers" and "systemctl list-sockets" gained a --recursive switch for showing units of these types also for all local containers, similar in style to the already supported --recursive switch for "systemctl list-units". * A new RebootArgument= setting has been added for service units, which may be used to specify a kernel reboot argument to use when triggering reboots with StartLimitAction=. * A new FailureAction= setting has been added for service units which may be used to specify an operation to trigger when a service fails. This works similarly to StartLimitAction=, but unlike it, controls what is done immediately rather than only after several attempts to restart the service in question. * hostnamed got updated to also expose the kernel name, release, and version on the bus. This is useful for executing commands like hostnamectl with the -H switch. systemd-analyze makes use of this to properly display details when running non-locally. * The bootchart tool can now show cgroup information in the graphs it generates. * The CFS CPU quota cgroup attribute is now exposed for services. The new CPUQuota= switch has been added for this which takes a percentage value. Setting this will have the result that a service may never get more CPU time than the specified percentage, even if the machine is otherwise idle. * systemd-networkd learned IPIP and SIT tunnel support. * LSB init scripts exposing a dependency on $network will now get a dependency on network-online.target rather than simply network.target. This should bring LSB handling closer to what it was on SysV systems. * A new fsck.repair= kernel option has been added to control how fsck shall deal with unclean file systems at boot. * The (.ini) configuration file parser will now silently ignore sections whose names begin with "X-". This may be used to maintain application-specific extension sections in unit files. * machined gained a new API to query the IP addresses of registered containers. "machinectl status" has been updated to show these addresses in its output. * A new call sd_uid_get_display() has been added to the sd-login APIs for querying the "primary" session of a user. The "primary" session of the user is elected from the user's sessions and generally a graphical session is preferred over a text one. * A minimal systemd-resolved daemon has been added. It currently simply acts as a companion to systemd-networkd and manages resolv.conf based on per-interface DNS configuration, possibly supplied via DHCP. In the long run we hope to extend this into a local DNSSEC enabled DNS and mDNS cache. * The systemd-networkd-wait-online tool is now enabled by default. It will delay network-online.target until a network connection has been configured. The tool primarily integrates with networkd, but will also make a best effort to make sense of network configuration performed in some other way. * Two new service options StartupCPUShares= and StartupBlockIOWeight= have been added that work similarly to CPUShares= and BlockIOWeight= however only apply during system startup. This is useful to prioritize certain services differently during bootup than during normal runtime. * hostnamed has been changed to prefer the statically configured hostname in /etc/hostname (unless set to 'localhost' or empty) over any dynamic one supplied by dhcp. With this change, the rules for picking the hostname match more closely the rules of other configuration settings where the local administrator's configuration in /etc always overrides any other settings. Contributions from: Ali H. Caliskan, Alison Chaiken, Bas van den Berg, Brandon Philips, Cristian Rodríguez, Daniel Buch, Dan Kilman, Dave Reisner, David Härdeman, David Herrmann, David Strauss, Dimitris Spingos, Djalal Harouni, Eelco Dolstra, Evan Nemerson, Florian Albrechtskirchinger, Greg Kroah-Hartman, Harald Hoyer, Holger Hans Peter Freyther, Jan Engelhardt, Jani Nikula, Jason St. John, Jeffrey Clark, Jonathan Boulle, Kay Sievers, Lennart Poettering, Lukas Nykryn, Lukasz Skalski, Łukasz Stelmach, Mantas Mikulėnas, Marcel Holtmann, Martin Pitt, Matthew Monaco, Michael Marineau, Michael Olbrich, Michal Sekletar, Mike Gilbert, Nis Martensen, Patrik Flykt, Philip Lorenz, poma, Ray Strode, Reyad Attiyat, Robert Milasan, Scott Thrasher, Stef Walter, Steven Siloti, Susant Sahani, Tanu Kaskinen, Thomas Bächler, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Umut Tezduyar Lindskog, WaLyong Cho, Will Woods, Zbigniew Jędrzejewski-Szmek — Beijing, 2014-05-28 CHANGES WITH 212: * When restoring the screen brightness at boot, stay away from the darkest setting or from the lowest 5% of the available range, depending on which is the larger value of both. This should effectively protect the user from rebooting into a black screen, should the brightness have been set to minimum by accident. * sd-login gained a new sd_machine_get_class() call to determine the class ("vm" or "container") of a machine registered with machined. * sd-login gained new calls sd_peer_get_{session,owner_uid,unit,user_unit,slice,machine_name}(), to query the identity of the peer of a local AF_UNIX connection. They operate similarly to their sd_pid_get_xyz() counterparts. * PID 1 will now maintain a system-wide system state engine with the states "starting", "running", "degraded", "maintenance", "stopping". These states are bound to system startup, normal runtime, runtime with at least one failed service, rescue/emergency mode and system shutdown. This state is shown in the "systemctl status" output when no unit name is passed. It is useful to determine system state, in particularly when doing so for many systems or containers at once. * A new command "list-machines" has been added to "systemctl" that lists all local OS containers and shows their system state (see above), if systemd runs inside of them. * systemctl gained a new "-r" switch to recursively enumerate units on all local containers, when used with the "list-unit" command (which is the default one that is executed when no parameters are specified). * The GPT automatic partition discovery logic will now honour two GPT partition flags: one may be set on a partition to cause it to be mounted read-only, and the other may be set on a partition to ignore it during automatic discovery. * Two new GPT type UUIDs have been added for automatic root partition discovery, for 32-bit and 64-bit ARM. This is not particularly useful for discovering the root directory on these architectures during bare-metal boots (since UEFI is not common there), but still very useful to allow booting of ARM disk images in nspawn with the -i option. * MAC addresses of interfaces created with nspawn's --network-interface= switch will now be generated from the machine name, and thus be stable between multiple invocations of the container. * logind will now automatically remove all IPC objects owned by a user if she or he fully logs out. This makes sure that users who are logged out cannot continue to consume IPC resources. This covers SysV memory, semaphores and message queues as well as POSIX shared memory and message queues. Traditionally, SysV and POSIX IPC had no lifecycle limits. With this functionality, that is corrected. This may be turned off by using the RemoveIPC= switch of logind.conf. * The systemd-machine-id-setup and tmpfiles tools gained a --root= switch to operate on a specific root directory, instead of /. * journald can now forward logged messages to the TTYs of all logged in users ("wall"). This is the default for all emergency messages now. * A new tool systemd-journal-remote has been added to stream journal log messages across the network. * /sys/fs/cgroup/ is now mounted read-only after all cgroup controller trees are mounted into it. Note that the directories mounted beneath it are not read-only. This is a security measure and is particularly useful because glibc actually includes a search logic to pick any tmpfs it can find to implement shm_open() if /dev/shm is not available (which it might very well be in namespaced setups). * machinectl gained a new "poweroff" command to cleanly power down a local OS container. * The PrivateDevices= unit file setting will now also drop the CAP_MKNOD capability from the capability bound set, and imply DevicePolicy=closed. * PrivateDevices=, PrivateNetwork= and PrivateTmp= is now used comprehensively on all long-running systemd services where this is appropriate. * systemd-udevd will now run in a disassociated mount namespace. To mount directories from udev rules, make sure to pull in mount units via SYSTEMD_WANTS properties. * The kdbus support gained support for uploading policy into the kernel. sd-bus gained support for creating "monitoring" connections that can eavesdrop into all bus communication for debugging purposes. * Timestamps may now be specified in seconds since the UNIX epoch Jan 1st, 1970 by specifying "@" followed by the value in seconds. * Native tcpwrap support in systemd has been removed. tcpwrap is old code, not really maintained anymore and has serious shortcomings, and better options such as firewalls exist. For setups that require tcpwrap usage, please consider invoking your socket-activated service via tcpd, like on traditional inetd. * A new system.conf configuration option DefaultTimerAccuracySec= has been added that controls the default AccuracySec= setting of .timer units. * Timer units gained a new WakeSystem= switch. If enabled, timers configured this way will cause the system to resume from system suspend (if the system supports that, which most do these days). * Timer units gained a new Persistent= switch. If enabled, timers configured this way will save to disk when they have been last triggered. This information is then used on next reboot to possible execute overdue timer events, that could not take place because the system was powered off. This enables simple anacron-like behaviour for timer units. * systemctl's "list-timers" will now also list the time a timer unit was last triggered in addition to the next time it will be triggered. * systemd-networkd will now assign predictable IPv4LL addresses to its local interfaces. Contributions from: Brandon Philips, Daniel Buch, Daniel Mack, Dave Reisner, David Herrmann, Gerd Hoffmann, Greg Kroah-Hartman, Hendrik Brueckner, Jason St. John, Josh Triplett, Kay Sievers, Lennart Poettering, Marc-Antoine Perennou, Michael Marineau, Michael Olbrich, Miklos Vajna, Patrik Flykt, poma, Sebastian Thorarensen, Thomas Bächler, Thomas Hindoe Paaboel Andersen, Tomasz Torcz, Tom Gundersen, Umut Tezduyar Lindskog, Wieland Hoffmann, Zbigniew Jędrzejewski-Szmek — Berlin, 2014-03-25 CHANGES WITH 211: * A new unit file setting RestrictAddressFamilies= has been added to restrict which socket address families unit processes gain access to. This takes address family names like "AF_INET" or "AF_UNIX", and is useful to minimize the attack surface of services via exotic protocol stacks. This is built on seccomp system call filters. * Two new unit file settings RuntimeDirectory= and RuntimeDirectoryMode= have been added that may be used to manage a per-daemon runtime directories below /run. This is an alternative for setting up directory permissions with tmpfiles snippets, and has the advantage that the runtime directory's lifetime is bound to the daemon runtime and that the daemon starts up with an empty directory each time. This is particularly useful when writing services that drop privileges using the User= or Group= setting. * The DeviceAllow= unit setting now supports globbing for matching against device group names. * The systemd configuration file system.conf gained new settings DefaultCPUAccounting=, DefaultBlockIOAccounting=, DefaultMemoryAccounting= to globally turn on/off accounting for specific resources (cgroups) for all units. These settings may still be overridden individually in each unit though. * systemd-gpt-auto-generator is now able to discover /srv and root partitions in addition to /home and swap partitions. It also supports LUKS-encrypted partitions now. With this in place, automatic discovery of partitions to mount following the Discoverable Partitions Specification (https://systemd.io/DISCOVERABLE_PARTITIONS/) is now a lot more complete. This allows booting without /etc/fstab and without root= on the kernel command line on systems prepared appropriately. * systemd-nspawn gained a new --image= switch which allows booting up disk images and Linux installations on any block device that follow the Discoverable Partitions Specification (see above). This means that installations made with appropriately updated installers may now be started and deployed using container managers, completely unmodified. (We hope that libvirt-lxc will add support for this feature soon, too.) * systemd-nspawn gained a new --network-macvlan= setting to set up a private macvlan interface for the container. Similarly, systemd-networkd gained a new Kind=macvlan setting in .netdev files. * systemd-networkd now supports configuring local addresses using IPv4LL. * A new tool systemd-network-wait-online has been added to synchronously wait for network connectivity using systemd-networkd. * The sd-bus.h bus API gained a new sd_bus_track object for tracking the lifecycle of bus peers. Note that sd-bus.h is still not a public API though (unless you specify --enable-kdbus on the configure command line, which however voids your warranty and you get no API stability guarantee). * The $XDG_RUNTIME_DIR runtime directories for each user are now individual tmpfs instances, which has the benefit of introducing separate pools for each user, with individual size limits, and thus making sure that unprivileged clients can no longer negatively impact the system or other users by filling up their $XDG_RUNTIME_DIR. A new logind.conf setting RuntimeDirectorySize= has been introduced that allows controlling the default size limit for all users. It defaults to 10% of the available physical memory. This is no replacement for quotas on tmpfs though (which the kernel still does not support), as /dev/shm and /tmp are still shared resources used by both the system and unprivileged users. * logind will now automatically turn off automatic suspending on laptop lid close when more than one display is connected. This was previously expected to be implemented individually in desktop environments (such as GNOME), however has been added to logind now, in order to fix a boot-time race where a desktop environment might not have been started yet and thus not been able to take an inhibitor lock at the time where logind already suspends the system due to a closed lid. * logind will now wait at least 30s after each system suspend/resume cycle, and 3min after system boot before suspending the system due to a closed laptop lid. This should give USB docking stations and similar enough time to be probed and configured after system resume and boot in order to then act as suspend blocker. * systemd-run gained a new --property= setting which allows initialization of resource control properties (and others) for the created scope or service unit. Example: "systemd-run --property=BlockIOWeight=10 updatedb" may be used to run updatedb at a low block IO scheduling weight. * systemd-run's --uid=, --gid=, --setenv=, --setenv= switches now also work in --scope mode. * When systemd is compiled with kdbus support, basic support for enforced policies is now in place. (Note that enabling kdbus still voids your warranty and no API compatibility promises are made.) Contributions from: Andrey Borzenkov, Ansgar Burchardt, Armin K., Daniel Mack, Dave Reisner, David Herrmann, Djalal Harouni, Harald Hoyer, Henrik Grindal Bakken, Jasper St. Pierre, Kay Sievers, Kieran Clancy, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas, Marcel Holtmann, Mark Oteiza, Martin Pitt, Mike Gilbert, Peter Rajnoha, poma, Samuli Suominen, Stef Walter, Susant Sahani, Tero Roponen, Thomas Andersen, Thomas Bächler, Thomas Hindoe Paaboel Andersen, Tomasz Torcz, Tom Gundersen, Umut Tezduyar Lindskog, Uoti Urpala, Zachary Cook, Zbigniew Jędrzejewski-Szmek — Berlin, 2014-03-12 CHANGES WITH 210: * systemd will now relabel /dev after loading the SMACK policy according to SMACK rules. * A new unit file option AppArmorProfile= has been added to set the AppArmor profile for the processes of a unit. * A new condition check ConditionArchitecture= has been added to conditionalize units based on the system architecture, as reported by uname()'s "machine" field. * systemd-networkd now supports matching on the system virtualization, architecture, kernel command line, hostname and machine ID. * logind is now a lot more aggressive when suspending the machine due to a closed laptop lid. Instead of acting only on the lid close action, it will continuously watch the lid status and act on it. This is useful for laptops where the power button is on the outside of the chassis so that it can be reached without opening the lid (such as the Lenovo Yoga). On those machines, logind will now immediately re-suspend the machine if the power button has been accidentally pressed while the laptop was suspended and in a backpack or similar. * logind will now watch SW_DOCK switches and inhibit reaction to the lid switch if it is pressed. This means that logind will not suspend the machine anymore if the lid is closed and the system is docked, if the laptop supports SW_DOCK notifications via the input layer. Note that ACPI docking stations do not generate this currently. Also note that this logic is usually not fully sufficient and Desktop Environments should take a lid switch inhibitor lock when an external display is connected, as systemd will not watch this on its own. * nspawn will now make use of the devices cgroup controller by default, and only permit creation of and access to the usual API device nodes like /dev/null or /dev/random, as well as access to (but not creation of) the pty devices. * We will now ship a default .network file for systemd-networkd that automatically configures DHCP for network interfaces created by nspawn's --network-veth or --network-bridge= switches. * systemd will now understand the usual M, K, G, T suffixes according to SI conventions (i.e. to the base 1000) when referring to throughput and hardware metrics. It will stay with IEC conventions (i.e. to the base 1024) for software metrics, according to what is customary according to Wikipedia. We explicitly document which base applies for each configuration option. * The DeviceAllow= setting in unit files now supports a syntax to allow-list an entire group of devices node majors at once, based on the /proc/devices listing. For example, with the string "char-pts", it is now possible to allow-list all current and future pseudo-TTYs at once. * sd-event learned a new "post" event source. Event sources of this type are triggered by the dispatching of any event source of a type that is not "post". This is useful for implementing clean-up and check event sources that are triggered by other work being done in the program. * systemd-networkd is no longer statically enabled, but uses the usual [Install] sections so that it can be enabled/disabled using systemctl. It still is enabled by default however. * When creating a veth interface pair with systemd-nspawn, the host side will now be prefixed with "vb-" if --network-bridge= is used, and with "ve-" if --network-veth is used. This way, it is easy to distinguish these cases on the host, for example to apply different configuration to them with systemd-networkd. * The compatibility libraries for libsystemd-journal.so, libsystem-id128.so, libsystemd-login.so and libsystemd-daemon.so do not make use of IFUNC anymore. Instead, we now build libsystemd.so multiple times under these alternative names. This means that the footprint is drastically increased, but given that these are transitional compatibility libraries, this should not matter much. This change has been made necessary to support the ARM platform for these compatibility libraries, as the ARM toolchain is not really at the same level as the toolchain for other architectures like x86 and does not support IFUNC. Please make sure to use --enable-compat-libs only during a transitional period! * The .include syntax has been deprecated and is not documented anymore. Drop-in files in .d directories should be used instead. Contributions from: Andreas Fuchs, Armin K., Colin Walters, Daniel Mack, Dave Reisner, David Herrmann, Djalal Harouni, Holger Schurig, Jason A. Donenfeld, Jason St. John, Jasper St. Pierre, Kay Sievers, Lennart Poettering, Łukasz Stelmach, Marcel Holtmann, Michael Scherer, Michal Sekletar, Mike Gilbert, Samuli Suominen, Thomas Bächler, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Umut Tezduyar Lindskog, Zbigniew Jędrzejewski-Szmek — Berlin, 2014-02-24 CHANGES WITH 209: * A new component "systemd-networkd" has been added that can be used to configure local network interfaces statically or via DHCP. It is capable of bringing up bridges, VLANs, and bonding. Currently, no hook-ups for interactive network configuration are provided. Use this for your initrd, container, embedded, or server setup if you need a simple, yet powerful, network configuration solution. This configuration subsystem is quite nifty, as it allows wildcard hotplug matching in interfaces. For example, with a single configuration snippet, you can configure that all Ethernet interfaces showing up are automatically added to a bridge, or similar. It supports link-sensing and more. * A new tool "systemd-socket-proxyd" has been added which can act as a bidirectional proxy for TCP sockets. This is useful for adding socket activation support to services that do not actually support socket activation, including virtual machines and the like. * Add a new tool to save/restore rfkill state on shutdown/boot. * Save/restore state of keyboard backlights in addition to display backlights on shutdown/boot. * udev learned a new SECLABEL{} construct to label device nodes with a specific security label when they appear. For now, only SECLABEL{selinux} is supported, but the syntax is prepared for additional security frameworks. * udev gained a new scheme to configure link-level attributes from files in /etc/systemd/network/*.link. These files can match against MAC address, device path, driver name and type, and will apply attributes like the naming policy, link speed, MTU, duplex settings, Wake-on-LAN settings, MAC address, MAC address assignment policy (randomized, …). * The configuration of network interface naming rules for "permanent interface names" has changed: a new NamePolicy= setting in the [Link] section of .link files determines the priority of possible naming schemes (onboard, slot, MAC, path). The default value of this setting is determined by /usr/lib/net/links/99-default.link. Old 80-net-name-slot.rules udev configuration file has been removed, so local configuration overriding this file should be adapted to override 99-default.link instead. * When the User= switch is used in a unit file, also initialize $SHELL= based on the user database entry. * systemd no longer depends on libdbus. All communication is now done with sd-bus, systemd's low-level bus library implementation. * kdbus support has been added to PID 1 itself. When kdbus is enabled, this causes PID 1 to set up the system bus and enable support for a new ".busname" unit type that encapsulates bus name activation on kdbus. It works a little bit like ".socket" units, except for bus names. A new generator has been added that converts classic dbus1 service activation files automatically into native systemd .busname and .service units. * sd-bus: add a light-weight vtable implementation that allows defining objects on the bus with a simple static const vtable array of its methods, signals and properties. * systemd will not generate or install static dbus introspection data anymore to /usr/share/dbus-1/interfaces, as the precise format of these files is unclear, and nothing makes use of it. * A proxy daemon is now provided to proxy clients connecting via classic D-Bus AF_UNIX sockets to kdbus, to provide full compatibility with classic D-Bus. * A bus driver implementation has been added that supports the classic D-Bus bus driver calls on kdbus, also for compatibility purposes. * A new API "sd-event.h" has been added that implements a minimal event loop API built around epoll. It provides a couple of features that direct epoll usage is lacking: prioritization of events, scales to large numbers of timer events, per-event timer slack (accuracy), system-wide coalescing of timer events, exit handlers, watchdog supervision support using systemd's sd_notify() API, child process handling. * A new API "sd-rntl.h" has been added that provides an API around the route netlink interface of the kernel, similar in style to "sd-bus.h". * A new API "sd-dhcp-client.h" has been added that provides a small DHCPv4 client-side implementation. This is used by "systemd-networkd". * There is a new kernel command line option "systemd.restore_state=0|1". When set to "0", none of the systemd tools will restore saved runtime state to hardware devices. More specifically, the rfkill and backlight states are not restored. * The FsckPassNo= compatibility option in mount/service units has been removed. The fstab generator will now add the necessary dependencies automatically, and does not require PID1's support for that anymore. * journalctl gained a new switch, --list-boots, that lists recent boots with their times and boot IDs. * The various tools like systemctl, loginctl, timedatectl, busctl, systemd-run, … have gained a new switch "-M" to connect to a specific, local OS container (as direct connection, without requiring SSH). This works on any container that is registered with machined, such as those created by libvirt-lxc or nspawn. * systemd-run and systemd-analyze also gained support for "-H" to connect to remote hosts via SSH. This is particularly useful for systemd-run because it enables queuing of jobs onto remote systems. * machinectl gained a new command "login" to open a getty login in any local container. This works with any container that is registered with machined (such as those created by libvirt-lxc or nspawn), and which runs systemd inside. * machinectl gained a new "reboot" command that may be used to trigger a reboot on a specific container that is registered with machined. This works on any container that runs an init system of some kind. * systemctl gained a new "list-timers" command to print a nice listing of installed timer units with the times they elapse next. * Alternative reboot() parameters may now be specified on the "systemctl reboot" command line and are passed to the reboot() system call. * systemctl gained a new --job-mode= switch to configure the mode to queue a job with. This is a more generic version of --fail, --irreversible, and --ignore-dependencies, which are still available but not advertised anymore. * /etc/systemd/system.conf gained new settings to configure various default timeouts of units, as well as the default start limit interval and burst. These may still be overridden within each Unit. * PID1 will now export on the bus profile data of the security policy upload process (such as the SELinux policy upload to the kernel). * journald: when forwarding logs to the console, include timestamps (following the setting in /sys/module/printk/parameters/time). * OnCalendar= in timer units now understands the special strings "yearly" and "annually". (Both are equivalent) * The accuracy of timer units is now configurable with the new AccuracySec= setting. It defaults to 1min. * A new dependency type JoinsNamespaceOf= has been added that allows running two services within the same /tmp and network namespace, if PrivateNetwork= or PrivateTmp= are used. * A new command "cat" has been added to systemctl. It outputs the original unit file of a unit, and concatenates the contents of additional "drop-in" unit file snippets, so that the full configuration is shown. * systemctl now supports globbing on the various "list-xyz" commands, like "list-units" or "list-sockets", as well as on those commands which take multiple unit names. * journalctl's --unit= switch gained support for globbing. * All systemd daemons now make use of the watchdog logic so that systemd automatically notices when they hang. * If the $container_ttys environment variable is set, getty-generator will automatically spawn a getty for each listed tty. This is useful for container managers to request login gettys to be spawned on as many ttys as needed. * %h, %s, %U specifier support is not available anymore when used in unit files for PID 1. This is because NSS calls are not safe from PID 1. They stay available for --user instances of systemd, and as special case for the root user. * loginctl gained a new "--no-legend" switch to turn off output of the legend text. * The "sd-login.h" API gained three new calls: sd_session_is_remote(), sd_session_get_remote_user(), sd_session_get_remote_host() to query information about remote sessions. * The udev hardware database now also carries vendor/product information of SDIO devices. * The "sd-daemon.h" API gained a new sd_watchdog_enabled() to determine whether watchdog notifications are requested by the system manager. * Socket-activated per-connection services now include a short description of the connection parameters in the description. * tmpfiles gained a new "--boot" option. When this is not used, only lines where the command character is not suffixed with "!" are executed. When this option is specified, those options are executed too. This partitions tmpfiles directives into those that can be safely executed at any time, and those which should be run only at boot (for example, a line that creates /run/nologin). * A new API "sd-resolve.h" has been added which provides a simple asynchronous wrapper around glibc NSS hostname resolution calls, such as getaddrinfo(). In contrast to glibc's getaddrinfo_a(), it does not use signals. In contrast to most other asynchronous name resolution libraries, this one does not reimplement DNS, but reuses NSS, so that alternate hostname resolution systems continue to work, such as mDNS, LDAP, etc. This API is based on libasyncns, but it has been cleaned up for inclusion in systemd. * The APIs "sd-journal.h", "sd-login.h", "sd-id128.h", "sd-daemon.h" are no longer found in individual libraries libsystemd-journal.so, libsystemd-login.so, libsystemd-id128.so, libsystemd-daemon.so. Instead, we have merged them into a single library, libsystemd.so, which provides all symbols. The reason for this is cyclic dependencies, as these libraries tend to use each other's symbols. So far, we have managed to workaround that by linking a copy of a good part of our code into each of these libraries again and again, which, however, makes certain things hard to do, like sharing static variables. Also, it substantially increases footprint. With this change, there is only one library for the basic APIs systemd provides. Also, "sd-bus.h", "sd-memfd.h", "sd-event.h", "sd-rtnl.h", "sd-resolve.h", "sd-utf8.h" are found in this library as well, however are subject to the --enable-kdbus switch (see below). Note that "sd-dhcp-client.h" is not part of this library (this is because it only consumes, never provides, services of/to other APIs). To make the transition easy from the separate libraries to the unified one, we provide the --enable-compat-libs compile-time switch which will generate stub libraries that are compatible with the old ones but redirect all calls to the new one. * All of the kdbus logic and the new APIs "sd-bus.h", "sd-memfd.h", "sd-event.h", "sd-rtnl.h", "sd-resolve.h", and "sd-utf8.h" are compile-time optional via the "--enable-kdbus" switch, and they are not compiled in by default. To make use of kdbus, you have to explicitly enable the switch. Note however, that neither the kernel nor the userspace API for all of this is considered stable yet. We want to maintain the freedom to still change the APIs for now. By specifying this build-time switch, you acknowledge that you are aware of the instability of the current APIs. * Also, note that while kdbus is pretty much complete, it lacks one thing: proper policy support. This means you can build a fully working system with all features; however, it will be highly insecure. Policy support will be added in one of the next releases, at the same time that we will declare the APIs stable. * When the kernel command line argument "kdbus" is specified, systemd will automatically load the kdbus.ko kernel module. At this stage of development, it is only useful for testing kdbus and should not be used in production. Note: if "--enable-kdbus" is specified, and the kdbus.ko kernel module is available, and "kdbus" is added to the kernel command line, the entire system runs with kdbus instead of dbus-daemon, with the above mentioned problem of missing the system policy enforcement. Also a future version of kdbus.ko or a newer systemd will not be compatible with each other, and will unlikely be able to boot the machine if only one of them is updated. * systemctl gained a new "import-environment" command which uploads the caller's environment (or parts thereof) into the service manager so that it is inherited by services started by the manager. This is useful to upload variables like $DISPLAY into the user service manager. * A new PrivateDevices= switch has been added to service units which allows running a service with a namespaced /dev directory that does not contain any device nodes for physical devices. More specifically, it only includes devices such as /dev/null, /dev/urandom, and /dev/zero which are API entry points. * logind has been extended to support behaviour like VT switching on seats that do not support a VT. This makes multi-session available on seats that are not the first seat (seat0), and on systems where kernel support for VTs has been disabled at compile-time. * If a process holds a delay lock for system sleep or shutdown and fails to release it in time, we will now log its identity. This makes it easier to identify processes that cause slow suspends or power-offs. * When parsing /etc/crypttab, support for a new key-slot= option as supported by Debian is added. It allows indicating which LUKS slot to use on disk, speeding up key loading. * The sd_journal_sendv() API call has been checked and officially declared to be async-signal-safe so that it may be invoked from signal handlers for logging purposes. * Boot-time status output is now enabled automatically after a short timeout if boot does not progress, in order to give the user an indication what she or he is waiting for. * The boot-time output has been improved to show how much time remains until jobs expire. * The KillMode= switch in service units gained a new possible value "mixed". If set, and the unit is shut down, then the initial SIGTERM signal is sent only to the main daemon process, while the following SIGKILL signal is sent to all remaining processes of the service. * When a scope unit is registered, a new property "Controller" may be set. If set to a valid bus name, systemd will send a RequestStop() signal to this name when it would like to shut down the scope. This may be used to hook manager logic into the shutdown logic of scope units. Also, scope units may now be put in a special "abandoned" state, in which case the manager process which created them takes no further responsibilities for it. * When reading unit files, systemd will now verify the access mode of these files, and warn about certain suspicious combinations. This has been added to make it easier to track down packaging bugs where unit files are marked executable or world-writable. * systemd-nspawn gained a new "--setenv=" switch to set container-wide environment variables. The similar option in systemd-activate was renamed from "--environment=" to "--setenv=" for consistency. * systemd-nspawn has been updated to create a new kdbus domain for each container that is invoked, thus allowing each container to have its own set of system and user buses, independent of the host. * systemd-nspawn gained a new --drop-capability= switch to run the container with less capabilities than the default. Both --drop-capability= and --capability= now take the special string "all" for dropping or keeping all capabilities. * systemd-nspawn gained new switches for executing containers with specific SELinux labels set. * systemd-nspawn gained a new --quiet switch to not generate any additional output but the container's own console output. * systemd-nspawn gained a new --share-system switch to run a container without PID namespacing enabled. * systemd-nspawn gained a new --register= switch to control whether the container is registered with systemd-machined or not. This is useful for containers that do not run full OS images, but only specific apps. * systemd-nspawn gained a new --keep-unit which may be used when invoked as the only program from a service unit, and results in registration of the unit service itself in systemd-machined, instead of a newly opened scope unit. * systemd-nspawn gained a new --network-interface= switch for moving arbitrary interfaces to the container. The new --network-veth switch creates a virtual Ethernet connection between host and container. The new --network-bridge= switch then allows assigning the host side of this virtual Ethernet connection to a bridge device. * systemd-nspawn gained a new --personality= switch for setting the kernel personality for the container. This is useful when running a 32-bit container on a 64-bit host. A similar option Personality= is now also available for service units to use. * logind will now also track a "Desktop" identifier for each session which encodes the desktop environment of it. This is useful for desktop environments that want to identify multiple running sessions of itself easily. * A new SELinuxContext= setting for service units has been added that allows setting a specific SELinux execution context for a service. * Most systemd client tools will now honour $SYSTEMD_LESS for settings of the "less" pager. By default, these tools will override $LESS to allow certain operations to work, such as jump-to-the-end. With $SYSTEMD_LESS, it is possible to influence this logic. * systemd's "seccomp" hook-up has been changed to make use of the libseccomp library instead of using its own implementation. This has benefits for portability among other things. * For usage together with SystemCallFilter=, a new SystemCallErrorNumber= setting has been introduced that allows configuration of a system error number to be returned on filtered system calls, instead of immediately killing the process. Also, SystemCallArchitectures= has been added to limit access to system calls of a particular architecture (in order to turn off support for unused secondary architectures). There is also a global SystemCallArchitectures= setting in system.conf now to turn off support for non-native system calls system-wide. * systemd requires a kernel with a working name_to_handle_at(), please see the kernel config requirements in the README file. Contributions from: Adam Williamson, Alex Jia, Anatol Pomozov, Ansgar Burchardt, AppleBloom, Auke Kok, Bastien Nocera, Chengwei Yang, Christian Seiler, Colin Guthrie, Colin Walters, Cristian Rodríguez, Daniel Buch, Daniele Medri, Daniel J Walsh, Daniel Mack, Dan McGee, Dave Reisner, David Coppa, David Herrmann, David Strauss, Djalal Harouni, Dmitry Pisklov, Elia Pinto, Florian Weimer, George McCollister, Goffredo Baroncelli, Greg Kroah-Hartman, Hendrik Brueckner, Igor Zhbanov, Jan Engelhardt, Jan Janssen, Jason A. Donenfeld, Jason St. John, Jasper St. Pierre, Jóhann B. Guðmundsson, Jose Ignacio Naranjo, Karel Zak, Kay Sievers, Kristian Høgsberg, Lennart Poettering, Lubomir Rintel, Lukas Nykryn, Lukasz Skalski, Łukasz Stelmach, Luke Shumaker, Mantas Mikulėnas, Marc-Antoine Perennou, Marcel Holtmann, Marcos Felipe Rasia de Mello, Marko Myllynen, Martin Pitt, Matthew Monaco, Michael Marineau, Michael Scherer, Michał Górny, Michal Sekletar, Michele Curti, Oleksii Shevchuk, Olivier Brunel, Patrik Flykt, Pavel Holica, Raudi, Richard Marko, Ronny Chevalier, Sébastien Luttringer, Sergey Ptashnick, Shawn Landden, Simon Peeters, Stefan Beller, Susant Sahani, Sylvain Plantefeve, Sylvia Else, Tero Roponen, Thomas Bächler, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Umut Tezduyar Lindskog, Unai Uribarri, Václav Pavlín, Vincent Batts, WaLyong Cho, William Giokas, Yang Zhiyong, Yin Kangkai, Yuxuan Shui, Zbigniew Jędrzejewski-Szmek — Berlin, 2014-02-20 CHANGES WITH 208: * logind has gained support for facilitating privileged input and drm device access for unprivileged clients. This work is useful to allow Wayland display servers (and similar programs, such as kmscon) to run under the user's ID and access input and drm devices which are normally protected. When this is used (and the kernel is new enough) logind will "mute" IO on the file descriptors passed to Wayland as long as it is in the background and "unmute" it if it returns into the foreground. This allows secure session switching without allowing background sessions to eavesdrop on input and display data. This also introduces session switching support if VT support is turned off in the kernel, and on seats that are not seat0. * A new kernel command line option luks.options= is understood now which allows specifying LUKS options for usage for LUKS encrypted partitions specified with luks.uuid=. * tmpfiles.d(5) snippets may now use specifier expansion in path names. More specifically %m, %b, %H, %v, are now replaced by the local machine id, boot id, hostname, and kernel version number. * A new tmpfiles.d(5) command "m" has been introduced which may be used to change the owner/group/access mode of a file or directory if it exists, but do nothing if it does not. * This release removes high-level support for the MemorySoftLimit= cgroup setting. The underlying kernel cgroup attribute memory.soft_limit= is currently badly designed and likely to be removed from the kernel API in its current form, hence we should not expose it for now. * The memory.use_hierarchy cgroup attribute is now enabled for all cgroups systemd creates in the memory cgroup hierarchy. This option is likely to be come the built-in default in the kernel anyway, and the non-hierarchical mode never made much sense in the intrinsically hierarchical cgroup system. * A new field _SYSTEMD_SLICE= is logged along with all journal messages containing the slice a message was generated from. This is useful to allow easy per-customer filtering of logs among other things. * systemd-journald will no longer adjust the group of journal files it creates to the "systemd-journal" group. Instead we rely on the journal directory to be owned by the "systemd-journal" group, and its setgid bit set, so that the kernel file system layer will automatically enforce that journal files inherit this group assignment. The reason for this change is that we cannot allow NSS look-ups from journald which would be necessary to resolve "systemd-journal" to a numeric GID, because this might create deadlocks if NSS involves synchronous queries to other daemons (such as nscd, or sssd) which in turn are logging clients of journald and might block on it, which would then dead lock. A tmpfiles.d(5) snippet included in systemd will make sure the setgid bit and group are properly set on the journal directory if it exists on every boot. However, we recommend adjusting it manually after upgrades too (or from RPM scriptlets), so that the change is not delayed until next reboot. * Backlight and random seed files in /var/lib/ have moved into the /var/lib/systemd/ directory, in order to centralize all systemd generated files in one directory. * Boot time performance measurements (as displayed by "systemd-analyze" for example) will now read ACPI 5.0 FPDT performance information if that's available to determine how much time BIOS and boot loader initialization required. With a sufficiently new BIOS you hence no longer need to boot with Gummiboot to get access to such information. Contributions from: Andrey Borzenkov, Chen Jie, Colin Walters, Cristian Rodríguez, Dave Reisner, David Herrmann, David Mackey, David Strauss, Eelco Dolstra, Evan Callicoat, Gao feng, Harald Hoyer, Jimmie Tauriainen, Kay Sievers, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas, Martin Pitt, Michael Scherer, Michał Górny, Mike Gilbert, Patrick McCarty, Sebastian Ott, Tom Gundersen, Zbigniew Jędrzejewski-Szmek — Berlin, 2013-10-02 CHANGES WITH 207: * The Restart= option for services now understands a new on-watchdog setting, which will restart the service automatically if the service stops sending out watchdog keep alive messages (as configured with WatchdogSec=). * The getty generator (which is responsible for bringing up a getty on configured serial consoles) will no longer only start a getty on the primary kernel console but on all others, too. This makes the order in which console= is specified on the kernel command line less important. * libsystemd-logind gained a new sd_session_get_vt() call to retrieve the VT number of a session. * If the option "tries=0" is set for an entry of /etc/crypttab its passphrase is queried indefinitely instead of any maximum number of tries. * If a service with a configure PID file terminates its PID file will now be removed automatically if it still exists afterwards. This should put an end to stale PID files. * systemd-run will now also take relative binary path names for execution and no longer insists on absolute paths. * InaccessibleDirectories= and ReadOnlyDirectories= now take paths that are optionally prefixed with "-" to indicate that it should not be considered a failure if they do not exist. * journalctl -o (and similar commands) now understands a new output mode "short-precise", it is similar to "short" but shows timestamps with usec accuracy. * The option "discard" (as known from Debian) is now synonymous to "allow-discards" in /etc/crypttab. In fact, "discard" is preferred now (since it is easier to remember and type). * Some licensing clean-ups were made, so that more code is now LGPL-2.1 licensed than before. * A minimal tool to save/restore the display backlight brightness across reboots has been added. It will store the backlight setting as late as possible at shutdown, and restore it as early as possible during reboot. * A logic to automatically discover and enable home and swap partitions on GPT disks has been added. With this in place /etc/fstab becomes optional for many setups as systemd can discover certain partitions located on the root disk automatically. Home partitions are recognized under their GPT type ID 933ac7e12eb44f13b8440e14e2aef915. Swap partitions are recognized under their GPT type ID 0657fd6da4ab43c484e50933c84b4f4f. * systemd will no longer pass any environment from the kernel or initrd to system services. If you want to set an environment for all services, do so via the kernel command line systemd.setenv= assignment. * The systemd-sysctl tool no longer natively reads the file /etc/sysctl.conf. If desired, the file should be symlinked from /etc/sysctl.d/99-sysctl.conf. Apart from providing legacy support by a symlink rather than built-in code, it also makes the otherwise hidden order of application of the different files visible. (Note that this partly reverts to a pre-198 application order of sysctl knobs!) * The "systemctl set-log-level" and "systemctl dump" commands have been moved to systemd-analyze. * systemd-run learned the new --remain-after-exit switch, which causes the scope unit not to be cleaned up automatically after the process terminated. * tmpfiles learned a new --exclude-prefix= switch to exclude certain paths from operation. * journald will now automatically flush all messages to disk as soon as a message at the log level CRIT, ALERT or EMERG is received. Contributions from: Andrew Cook, Brandon Philips, Christian Hesse, Christoph Junghans, Colin Walters, Daniel Schaal, Daniel Wallace, Dave Reisner, David Herrmann, Gao feng, George McCollister, Giovanni Campagna, Hannes Reinecke, Harald Hoyer, Herczeg Zsolt, Holger Hans Peter Freyther, Jan Engelhardt, Jesper Larsen, Kay Sievers, Khem Raj, Lennart Poettering, Lukas Nykryn, Maciej Wereski, Mantas Mikulėnas, Marcel Holtmann, Martin Pitt, Michael Biebl, Michael Marineau, Michael Scherer, Michael Stapelberg, Michal Sekletar, Michał Górny, Olivier Brunel, Ondrej Balaz, Ronny Chevalier, Shawn Landden, Steven Hiscocks, Thomas Bächler, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Umut Tezduyar, WANG Chao, William Giokas, Zbigniew Jędrzejewski-Szmek — Berlin, 2013-09-13 CHANGES WITH 206: * The documentation has been updated to cover the various new concepts introduced with 205. * Unit files now understand the new %v specifier which resolves to the kernel version string as returned by "uname -r". * systemctl now supports filtering the unit list output by load state, active state and sub state, using the new --state= parameter. * "systemctl status" will now show the results of the condition checks (like ConditionPathExists= and similar) of the last start attempts of the unit. They are also logged to the journal. * "journalctl -b" may now be used to look for boot output of a specific boot. Try "journalctl -b -1" for the previous boot, but the syntax is substantially more powerful. * "journalctl --show-cursor" has been added which prints the cursor string the last shown log line. This may then be used with the new "journalctl --after-cursor=" switch to continue browsing logs from that point on. * "journalctl --force" may now be used to force regeneration of an FSS key. * Creation of "dead" device nodes has been moved from udev into kmod and tmpfiles. Previously, udev would read the kmod databases to pre-generate dead device nodes based on meta information contained in kernel modules, so that these would be auto-loaded on access rather then at boot. As this does not really have much to do with the exposing actual kernel devices to userspace this has always been slightly alien in the udev codebase. Following the new scheme kmod will now generate a runtime snippet for tmpfiles from the module meta information and it now is tmpfiles' job to the create the nodes. This also allows overriding access and other parameters for the nodes using the usual tmpfiles facilities. As side effect this allows us to remove the CAP_SYS_MKNOD capability bit from udevd entirely. * logind's device ACLs may now be applied to these "dead" devices nodes too, thus finally allowing managed access to devices such as /dev/snd/sequencer without loading the backing module right-away. * A new RPM macro has been added that may be used to apply tmpfiles configuration during package installation. * systemd-detect-virt and ConditionVirtualization= now can detect User-Mode-Linux machines (UML). * journald will now implicitly log the effective capabilities set of processes in the message metadata. * systemd-cryptsetup has gained support for TrueCrypt volumes. * The initrd interface has been simplified (more specifically, support for passing performance data via environment variables and fsck results via files in /run has been removed). These features were non-essential, and are nowadays available in a much nicer way by having systemd in the initrd serialize its state and have the hosts systemd deserialize it again. * The udev "keymap" data files and tools to apply keyboard specific mappings of scan to key codes, and force-release scan code lists have been entirely replaced by a udev "keyboard" builtin and a hwdb data file. * systemd will now honour the kernel's "quiet" command line argument also during late shutdown, resulting in a completely silent shutdown when used. * There's now an option to control the SO_REUSEPORT socket option in .socket units. * Instance units will now automatically get a per-template subslice of system.slice unless something else is explicitly configured. For example, instances of sshd@.service will now implicitly be placed in system-sshd.slice rather than system.slice as before. * Test coverage support may now be enabled at build time. Contributions from: Dave Reisner, Frederic Crozat, Harald Hoyer, Holger Hans Peter Freyther, Jan Engelhardt, Jan Janssen, Jason St. John, Jesper Larsen, Kay Sievers, Lennart Poettering, Lukas Nykryn, Maciej Wereski, Martin Pitt, Michael Olbrich, Ramkumar Ramachandra, Ross Lagerwall, Shawn Landden, Thomas H.P. Andersen, Tom Gundersen, Tomasz Torcz, William Giokas, Zbigniew Jędrzejewski-Szmek — Berlin, 2013-07-23 CHANGES WITH 205: * Two new unit types have been introduced: Scope units are very similar to service units, however, are created out of pre-existing processes — instead of PID 1 forking off the processes. By using scope units it is possible for system services and applications to group their own child processes (worker processes) in a powerful way which then maybe used to organize them, or kill them together, or apply resource limits on them. Slice units may be used to partition system resources in an hierarchical fashion and then assign other units to them. By default there are now three slices: system.slice (for all system services), user.slice (for all user sessions), machine.slice (for VMs and containers). Slices and scopes have been introduced primarily in context of the work to move cgroup handling to a single-writer scheme, where only PID 1 creates/removes/manages cgroups. * There's a new concept of "transient" units. In contrast to normal units these units are created via an API at runtime, not from configuration from disk. More specifically this means it is now possible to run arbitrary programs as independent services, with all execution parameters passed in via bus APIs rather than read from disk. Transient units make systemd substantially more dynamic then it ever was, and useful as a general batch manager. * logind has been updated to make use of scope and slice units for managing user sessions. As a user logs in he will get his own private slice unit, to which all sessions are added as scope units. We also added support for automatically adding an instance of user@.service for the user into the slice. Effectively logind will no longer create cgroup hierarchies on its own now, it will defer entirely to PID 1 for this by means of scope, service and slice units. Since user sessions this way become entities managed by PID 1 the output of "systemctl" is now a lot more comprehensive. * A new mini-daemon "systemd-machined" has been added which may be used by virtualization managers to register local VMs/containers. nspawn has been updated accordingly, and libvirt will be updated shortly. machined will collect a bit of meta information about the VMs/containers, and assign them their own scope unit (see above). The collected meta-data is then made available via the "machinectl" tool, and exposed in "ps" and similar tools. machined/machinectl is compile-time optional. * As discussed earlier, the low-level cgroup configuration options ControlGroup=, ControlGroupModify=, ControlGroupPersistent=, ControlGroupAttribute= have been removed. Please use high-level attribute settings instead as well as slice units. * A new bus call SetUnitProperties() has been added to alter various runtime parameters of a unit. This is primarily useful to alter cgroup parameters dynamically in a nice way, but will be extended later on to make more properties modifiable at runtime. systemctl gained a new set-properties command that wraps this call. * A new tool "systemd-run" has been added which can be used to run arbitrary command lines as transient services or scopes, while configuring a number of settings via the command line. This tool is currently very basic, however already very useful. We plan to extend this tool to even allow queuing of execution jobs with time triggers from the command line, similar in fashion to "at". * nspawn will now inform the user explicitly that kernels with audit enabled break containers, and suggest the user to turn off audit. * Support for detecting the IMA and AppArmor security frameworks with ConditionSecurity= has been added. * journalctl gained a new "-k" switch for showing only kernel messages, mimicking dmesg output; in addition to "--user" and "--system" switches for showing only user's own logs and system logs. * systemd-delta can now show information about drop-in snippets extending unit files. * libsystemd-bus has been substantially updated but is still not available as public API. * systemd will now look for the "debug" argument on the kernel command line and enable debug logging, similar to what "systemd.log_level=debug" already did before. * "systemctl set-default", "systemctl get-default" has been added to configure the default.target symlink, which controls what to boot into by default. * "systemctl set-log-level" has been added as a convenient way to raise and lower systemd logging threshold. * "systemd-analyze plot" will now show the time the various generators needed for execution, as well as information about the unit file loading. * libsystemd-journal gained a new sd_journal_open_files() call for opening specific journal files. journactl also gained a new switch to expose this new functionality. Previously we only supported opening all files from a directory, or all files from the system, as opening individual files only is racy due to journal file rotation. * systemd gained the new DefaultEnvironment= setting in /etc/systemd/system.conf to set environment variables for all services. * If a privileged process logs a journal message with the OBJECT_PID= field set, then journald will automatically augment this with additional OBJECT_UID=, OBJECT_GID=, OBJECT_COMM=, OBJECT_EXE=, … fields. This is useful if system services want to log events about specific client processes. journactl/systemctl has been updated to make use of this information if all log messages regarding a specific unit is requested. Contributions from: Auke Kok, Chengwei Yang, Colin Walters, Cristian Rodríguez, Daniel Albers, Daniel Wallace, Dave Reisner, David Coppa, David King, David Strauss, Eelco Dolstra, Gabriel de Perthuis, Harald Hoyer, Jan Alexander Steffens, Jan Engelhardt, Jan Janssen, Jason St. John, Johan Heikkilä, Karel Zak, Karol Lewandowski, Kay Sievers, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas, Marius Vollmer, Martin Pitt, Michael Biebl, Michael Olbrich, Michael Tremer, Michal Schmidt, Michał Bartoszkiewicz, Nirbheek Chauhan, Pierre Neidhardt, Ross Burton, Ross Lagerwall, Sean McGovern, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Umut Tezduyar, Václav Pavlín, Zachary Cook, Zbigniew Jędrzejewski-Szmek, Łukasz Stelmach, 장동준 CHANGES WITH 204: * The Python bindings gained some minimal support for the APIs exposed by libsystemd-logind. * ConditionSecurity= gained support for detecting SMACK. Since this condition already supports SELinux and AppArmor we only miss IMA for this. Patches welcome! Contributions from: Karol Lewandowski, Lennart Poettering, Zbigniew Jędrzejewski-Szmek CHANGES WITH 203: * systemd-nspawn will now create /etc/resolv.conf if necessary, before bind-mounting the host's file onto it. * systemd-nspawn will now store meta information about a container on the container's cgroup as extended attribute fields, including the root directory. * The cgroup hierarchy has been reworked in many ways. All objects any of the components systemd creates in the cgroup tree are now suffixed. More specifically, user sessions are now placed in cgroups suffixed with ".session", users in cgroups suffixed with ".user", and nspawn containers in cgroups suffixed with ".nspawn". Furthermore, all cgroup names are now escaped in a simple scheme to avoid collision of userspace object names with kernel filenames. This work is preparation for making these objects relocatable in the cgroup tree, in order to allow easy resource partitioning of these objects without causing naming conflicts. * systemctl list-dependencies gained the new switches --plain, --reverse, --after and --before. * systemd-inhibit now shows the process name of processes that have taken an inhibitor lock. * nss-myhostname will now also resolve "localhost" implicitly. This makes /etc/hosts an optional file and nicely handles that on IPv6 ::1 maps to both "localhost" and the local hostname. * libsystemd-logind.so gained a new call sd_get_machine_names() to enumerate running containers and VMs (currently only supported by very new libvirt and nspawn). sd_login_monitor can now be used to watch VMs/containers coming and going. * .include is not allowed recursively anymore, and only in unit files. Usually it is better to use drop-in snippets in .d/*.conf anyway, as introduced with systemd 198. * systemd-analyze gained a new "critical-chain" command that determines the slowest chain of units run during system boot-up. It is very useful for tracking down where optimizing boot time is the most beneficial. * systemd will no longer allow manipulating service paths in the name=systemd:/system cgroup tree using ControlGroup= in units. (But is still fine with it in all other dirs.) * There's a new systemd-nspawn@.service service file that may be used to easily run nspawn containers as system services. With the container's root directory in /var/lib/container/foobar it is now sufficient to run "systemctl start systemd-nspawn@foobar.service" to boot it. * systemd-cgls gained a new parameter "--machine" to list only the processes within a certain container. * ConditionSecurity= now can check for "apparmor". We still are lacking checks for SMACK and IMA for this condition check though. Patches welcome! * A new configuration file /etc/systemd/sleep.conf has been added that may be used to configure which kernel operation systemd is supposed to execute when "suspend", "hibernate" or "hybrid-sleep" is requested. This makes the new kernel "freeze" state accessible to the user. * ENV{SYSTEMD_WANTS} in udev rules will now implicitly escape the passed argument if applicable. Contributions from: Auke Kok, Colin Guthrie, Colin Walters, Cristian Rodríguez, Daniel Buch, Daniel Wallace, Dave Reisner, Evangelos Foutras, Greg Kroah-Hartman, Harald Hoyer, Josh Triplett, Kay Sievers, Lennart Poettering, Lukas Nykryn, MUNEDA Takahiro, Mantas Mikulėnas, Mirco Tischler, Nathaniel Chen, Nirbheek Chauhan, Ronny Chevalier, Ross Lagerwall, Tom Gundersen, Umut Tezduyar, Ville Skyttä, Zbigniew Jędrzejewski-Szmek CHANGES WITH 202: * The output of 'systemctl list-jobs' got some polishing. The '--type=' argument may now be passed more than once. A new command 'systemctl list-sockets' has been added which shows a list of kernel sockets systemd is listening on with the socket units they belong to, plus the units these socket units activate. * The experimental libsystemd-bus library got substantial updates to work in conjunction with the (also experimental) kdbus kernel project. It works well enough to exchange messages with some sophistication. Note that kdbus is not ready yet, and the library is mostly an elaborate test case for now, and not installable. * systemd gained a new unit 'systemd-static-nodes.service' that generates static device nodes earlier during boot, and can run in conjunction with udev. * libsystemd-login gained a new call sd_pid_get_user_unit() to retrieve the user systemd unit a process is running in. This is useful for systems where systemd is used as session manager. * systemd-nspawn now places all containers in the new /machine top-level cgroup directory in the name=systemd hierarchy. libvirt will soon do the same, so that we get a uniform separation of /system, /user and /machine for system services, user processes and containers/virtual machines. This new cgroup hierarchy is also useful to stick stable names to specific container instances, which can be recognized later this way (this name may be controlled via systemd-nspawn's new -M switch). libsystemd-login also gained a new call sd_pid_get_machine_name() to retrieve the name of the container/VM a specific process belongs to. * bootchart can now store its data in the journal. * libsystemd-journal gained a new call sd_journal_add_conjunction() for AND expressions to the matching logic. This can be used to express more complex logical expressions. * journactl can now take multiple --unit= and --user-unit= switches. * The cryptsetup logic now understands the "luks.key=" kernel command line switch for specifying a file to read the decryption key from. Also, if a configured key file is not found the tool will now automatically fall back to prompting the user. * Python systemd.journal module was updated to wrap recently added functions from libsystemd-journal. The interface was changed to bring the low level interface in s.j._Reader closer to the C API, and the high level interface in s.j.Reader was updated to wrap and convert all data about an entry. Contributions from: Anatol Pomozov, Auke Kok, Harald Hoyer, Henrik Grindal Bakken, Josh Triplett, Kay Sievers, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas Marius Vollmer, Martin Jansa, Martin Pitt, Michael Biebl, Michal Schmidt, Mirco Tischler, Pali Rohar, Simon Peeters, Steven Hiscocks, Tom Gundersen, Zbigniew Jędrzejewski-Szmek CHANGES WITH 201: * journalctl --update-catalog now understands a new --root= option to operate on catalogs found in a different root directory. * During shutdown after systemd has terminated all running services a final killing loop kills all remaining left-over processes. We will now print the name of these processes when we send SIGKILL to them, since this usually indicates a problem. * If /etc/crypttab refers to password files stored on configured mount points automatic dependencies will now be generated to ensure the specific mount is established first before the key file is attempted to be read. * 'systemctl status' will now show information about the network sockets a socket unit is listening on. * 'systemctl status' will also shown information about any drop-in configuration file for units. (Drop-In configuration files in this context are files such as /etc/systemd/system/foobar.service.d/*.conf) * systemd-cgtop now optionally shows summed up CPU times of cgroups. Press '%' while running cgtop to switch between percentage and absolute mode. This is useful to determine which cgroups use up the most CPU time over the entire runtime of the system. systemd-cgtop has also been updated to be 'pipeable' for processing with further shell tools. * 'hostnamectl set-hostname' will now allow setting of FQDN hostnames. * The formatting and parsing of time span values has been changed. The parser now understands fractional expressions such as "5.5h". The formatter will now output fractional expressions for all time spans under 1min, i.e. "5.123456s" rather than "5s 123ms 456us". For time spans under 1s millisecond values are shown, for those under 1ms microsecond values are shown. This should greatly improve all time-related output of systemd. * libsystemd-login and libsystemd-journal gained new functions for querying the poll() events mask and poll() timeout value for integration into arbitrary event loops. * localectl gained the ability to list available X11 keymaps (models, layouts, variants, options). * 'systemd-analyze dot' gained the ability to filter for specific units via shell-style globs, to create smaller, more useful graphs. I.e. it is now possible to create simple graphs of all the dependencies between only target units, or of all units that Avahi has dependencies with. Contributions from: Cristian Rodríguez, Dr. Tilmann Bubeck, Harald Hoyer, Holger Hans Peter Freyther, Kay Sievers, Kelly Anderson, Koen Kooi, Lennart Poettering, Maksim Melnikau, Marc-Antoine Perennou, Marius Vollmer, Martin Pitt, Michal Schmidt, Oleksii Shevchuk, Ronny Chevalier, Simon McVittie, Steven Hiscocks, Thomas Weißschuh, Umut Tezduyar, Václav Pavlín, Zbigniew Jędrzejewski-Szmek, Łukasz Stelmach CHANGES WITH 200: * The boot-time readahead implementation for rotating media will now read the read-ahead data in multiple passes which consist of all read requests made in equidistant time intervals. This means instead of strictly reading read-ahead data in its physical order on disk we now try to find a middle ground between physical and access time order. * /etc/os-release files gained a new BUILD_ID= field for usage on operating systems that provide continuous builds of OS images. Contributions from: Auke Kok, Eelco Dolstra, Kay Sievers, Lennart Poettering, Lukas Nykryn, Martin Pitt, Václav Pavlín William Douglas, Zbigniew Jędrzejewski-Szmek CHANGES WITH 199: * systemd-python gained an API exposing libsystemd-daemon. * The SMACK setup logic gained support for uploading CIPSO security policy. * Behaviour of PrivateTmp=, ReadWriteDirectories=, ReadOnlyDirectories= and InaccessibleDirectories= has changed. The private /tmp and /var/tmp directories are now shared by all processes of a service (which means ExecStartPre= may now leave data in /tmp that ExecStart= of the same service can still access). When a service is stopped its temporary directories are immediately deleted (normal clean-up with tmpfiles is still done in addition to this though). * By default, systemd will now set a couple of sysctl variables in the kernel: the safe sysrq options are turned on, IP route verification is turned on, and source routing disabled. The recently added hardlink and softlink protection of the kernel is turned on. These settings should be reasonably safe, and good defaults for all new systems. * The predictable network naming logic may now be turned off with a new kernel command line switch: net.ifnames=0. * A new libsystemd-bus module has been added that implements a pretty complete D-Bus client library. For details see: https://lists.freedesktop.org/archives/systemd-devel/2013-March/009797.html * journald will now explicitly flush the journal files to disk at the latest 5min after each write. The file will then also be marked offline until the next write. This should increase reliability in case of a crash. The synchronization delay can be configured via SyncIntervalSec= in journald.conf. * There's a new remote-fs-setup.target unit that can be used to pull in specific services when at least one remote file system is to be mounted. * There are new targets timers.target and paths.target as canonical targets to pull user timer and path units in from. This complements sockets.target with a similar purpose for socket units. * libudev gained a new call udev_device_set_attribute_value() to set sysfs attributes of a device. * The udev daemon now sets the default number of worker processes executed in parallel based on the number of available CPUs instead of the amount of available RAM. This is supposed to provide a more reliable default and limit a too aggressive parallelism for setups with 1000s of devices connected. Contributions from: Auke Kok, Colin Walters, Cristian Rodríguez, Daniel Buch, Dave Reisner, Frederic Crozat, Hannes Reinecke, Harald Hoyer, Jan Alexander Steffens, Jan Engelhardt, Josh Triplett, Kay Sievers, Lennart Poettering, Mantas Mikulėnas, Martin Pitt, Mathieu Bridon, Michael Biebl, Michal Schmidt, Michal Sekletar, Miklos Vajna, Nathaniel Chen, Oleksii Shevchuk, Ozan Çağlayan, Thomas Hindoe Paaboel Andersen, Tollef Fog Heen, Tom Gundersen, Umut Tezduyar, Zbigniew Jędrzejewski-Szmek CHANGES WITH 198: * Configuration of unit files may now be extended via drop-in files without having to edit/override the unit files themselves. More specifically, if the administrator wants to change one value for a service file foobar.service he can now do so by dropping in a configuration snippet into /etc/systemd/system/foobar.service.d/*.conf. The unit logic will load all these snippets and apply them on top of the main unit configuration file, possibly extending or overriding its settings. Using these drop-in snippets is generally nicer than the two earlier options for changing unit files locally: copying the files from /usr/lib/systemd/system/ to /etc/systemd/system/ and editing them there; or creating a new file in /etc/systemd/system/ that incorporates the original one via ".include". Drop-in snippets into these .d/ directories can be placed in any directory systemd looks for units in, and the usual overriding semantics between /usr/lib, /etc and /run apply for them too. * Most unit file settings which take lists of items can now be reset by assigning the empty string to them. For example, normally, settings such as Environment=FOO=BAR append a new environment variable assignment to the environment block, each time they are used. By assigning Environment= the empty string the environment block can be reset to empty. This is particularly useful with the .d/*.conf drop-in snippets mentioned above, since this adds the ability to reset list settings from vendor unit files via these drop-ins. * systemctl gained a new "list-dependencies" command for listing the dependencies of a unit recursively. * Inhibitors are now honored and listed by "systemctl suspend", "systemctl poweroff" (and similar) too, not only GNOME. These commands will also list active sessions by other users. * Resource limits (as exposed by the various control group controllers) can now be controlled dynamically at runtime for all units. More specifically, you can now use a command like "systemctl set-cgroup-attr foobar.service cpu.shares 2000" to alter the CPU shares a specific service gets. These settings are stored persistently on disk, and thus allow the administrator to easily adjust the resource usage of services with a few simple commands. This dynamic resource management logic is also available to other programs via the bus. Almost any kernel cgroup attribute and controller is supported. * systemd-vconsole-setup will now copy all font settings to all allocated VTs, where it previously applied them only to the foreground VT. * libsystemd-login gained the new sd_session_get_tty() API call. * This release drops support for a few legacy or distribution-specific LSB facility names when parsing init scripts: $x-display-manager, $mail-transfer-agent, $mail-transport-agent, $mail-transfer-agent, $smtp, $null. Also, the mail-transfer-agent.target unit backing this has been removed. Distributions which want to retain compatibility with this should carry the burden for supporting this themselves and patch support for these back in, if they really need to. Also, the facilities $syslog and $local_fs are now ignored, since systemd does not support early-boot LSB init scripts anymore, and these facilities are implied anyway for normal services. syslog.target has also been removed. * There are new bus calls on PID1's Manager object for cancelling jobs, and removing snapshot units. Previously, both calls were only available on the Job and Snapshot objects themselves. * systemd-journal-gatewayd gained SSL support. * The various "environment" files, such as /etc/locale.conf now support continuation lines with a backslash ("\") as last character in the line, similarly in style (but different) to how this is supported in shells. * For normal user processes the _SYSTEMD_USER_UNIT= field is now implicitly appended to every log entry logged. systemctl has been updated to filter by this field when operating on a user systemd instance. * nspawn will now implicitly add the CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL capabilities to the capabilities set for the container. This makes it easier to boot unmodified Fedora systems in a container, which however still requires audit=0 to be passed on the kernel command line. Auditing in kernel and userspace is unfortunately still too broken in context of containers, hence we recommend compiling it out of the kernel or using audit=0. Hopefully this will be fixed one day for good in the kernel. * nspawn gained the new --bind= and --bind-ro= parameters to bind mount specific directories from the host into the container. * nspawn will now mount its own devpts file system instance into the container, in order not to leak pty devices from the host into the container. * systemd will now read the firmware boot time performance information from the EFI variables, if the used boot loader supports this, and takes it into account for boot performance analysis via "systemd-analyze". This is currently supported only in conjunction with Gummiboot, but could be supported by other boot loaders too. For details see: https://systemd.io/BOOT_LOADER_INTERFACE * A new generator has been added that automatically mounts the EFI System Partition (ESP) to /boot, if that directory exists, is empty, and no other file system has been configured to be mounted there. * logind will now send out PrepareForSleep(false) out unconditionally, after coming back from suspend. This may be used by applications as asynchronous notification for system resume events. * "systemctl unlock-sessions" has been added, that allows unlocking the screens of all user sessions at once, similar to how "systemctl lock-sessions" already locked all users sessions. This is backed by a new D-Bus call UnlockSessions(). * "loginctl seat-status" will now show the master device of a seat. (i.e. the device of a seat that needs to be around for the seat to be considered available, usually the graphics card). * tmpfiles gained a new "X" line type, that allows configuration of files and directories (with wildcards) that shall be excluded from automatic cleanup ("aging"). * udev default rules set the device node permissions now only at "add" events, and do not change them any longer with a later "change" event. * The log messages for lid events and power/sleep keypresses now carry a message ID. * We now have a substantially larger unit test suite, but this continues to be work in progress. * udevadm hwdb gained a new --root= parameter to change the root directory to operate relative to. * logind will now issue a background sync() request to the kernel early at shutdown, so that dirty buffers are flushed to disk early instead of at the last moment, in order to optimize shutdown times a little. * A new bootctl tool has been added that is an interface for certain boot loader operations. This is currently a preview and is likely to be extended into a small mechanism daemon like timedated, localed, hostnamed, and can be used by graphical UIs to enumerate available boot options, and request boot into firmware operations. * systemd-bootchart has been relicensed to LGPLv2.1+ to match the rest of the package. It also has been updated to work correctly in initrds. * polkit previously has been runtime optional, and is now also compile time optional via a configure switch. * systemd-analyze has been reimplemented in C. Also "systemctl dot" has moved into systemd-analyze. * "systemctl status" with no further parameters will now print the status of all active or failed units. * Operations such as "systemctl start" can now be executed with a new mode "--irreversible" which may be used to queue operations that cannot accidentally be reversed by a later job queuing. This is by default used to make shutdown requests more robust. * The Python API of systemd now gained a new module for reading journal files. * A new tool kernel-install has been added that can install kernel images according to the Boot Loader Specification: https://systemd.io/BOOT_LOADER_SPECIFICATION * Boot time console output has been improved to provide animated boot time output for hanging jobs. * A new tool systemd-activate has been added which can be used to test socket activation with, directly from the command line. This should make it much easier to test and debug socket activation in daemons. * journalctl gained a new "--reverse" (or -r) option to show journal output in reverse order (i.e. newest line first). * journalctl gained a new "--pager-end" (or -e) option to jump to immediately jump to the end of the journal in the pager. This is only supported in conjunction with "less". * journalctl gained a new "--user-unit=" option, that works similarly to "--unit=" but filters for user units rather than system units. * A number of unit files to ease adoption of systemd in initrds has been added. This moves some minimal logic from the various initrd implementations into systemd proper. * The journal files are now owned by a new group "systemd-journal", which exists specifically to allow access to the journal, and nothing else. Previously, we used the "adm" group for that, which however possibly covers more than just journal/log file access. This new group is now already used by systemd-journal-gatewayd to ensure this daemon gets access to the journal files and as little else as possible. Note that "make install" will also set FS ACLs up for /var/log/journal to give "adm" and "wheel" read access to it, in addition to "systemd-journal" which owns the journal files. We recommend that packaging scripts also add read access to "adm" + "wheel" to /var/log/journal, and all existing/future journal files. To normal users and administrators little changes, however packagers need to ensure to create the "systemd-journal" system group at package installation time. * The systemd-journal-gatewayd now runs as unprivileged user systemd-journal-gateway:systemd-journal-gateway. Packaging scripts need to create these system user/group at installation time. * timedated now exposes a new boolean property CanNTP that indicates whether a local NTP service is available or not. * systemd-detect-virt will now also detect xen PVs * The pstore file system is now mounted by default, if it is available. * In addition to the SELinux and IMA policies we will now also load SMACK policies at early boot. Contributions from: Adel Gadllah, Aleksander Morgado, Auke Kok, Ayan George, Bastien Nocera, Colin Walters, Daniel Buch, Daniel Wallace, Dave Reisner, David Herrmann, David Strauss, Eelco Dolstra, Enrico Scholz, Frederic Crozat, Harald Hoyer, Jan Janssen, Jonathan Callen, Kay Sievers, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas, Marc-Antoine Perennou, Martin Pitt, Mauro Dreissig, Max F. Albrecht, Michael Biebl, Michael Olbrich, Michal Schmidt, Michal Sekletar, Michal Vyskocil, Michał Bartoszkiewicz, Mirco Tischler, Nathaniel Chen, Nestor Ovroy, Oleksii Shevchuk, Paul W. Frields, Piotr Drąg, Rob Clark, Ryan Lortie, Simon McVittie, Simon Peeters, Steven Hiscocks, Thomas Hindoe Paaboel Andersen, Tollef Fog Heen, Tom Gundersen, Umut Tezduyar, William Giokas, Zbigniew Jędrzejewski-Szmek, Zeeshan Ali (Khattak) CHANGES WITH 197: * Timer units now support calendar time events in addition to monotonic time events. That means you can now trigger a unit based on a calendar time specification such as "Thu,Fri 2013-*-1,5 11:12:13" which refers to 11:12:13 of the first or fifth day of any month of the year 2013, given that it is a Thursday or a Friday. This brings timer event support considerably closer to cron's capabilities. For details on the supported calendar time specification language see systemd.time(7). * udev now supports a number of different naming policies for network interfaces for predictable names, and a combination of these policies is now the default. Please see this wiki document for details: https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html * Auke Kok's bootchart implementation has been added to the systemd tree. It is an optional component that can graph the boot in quite some detail. It is one of the best bootchart implementations around and minimal in its code and dependencies. * nss-myhostname has been integrated into the systemd source tree. nss-myhostname guarantees that the local hostname always stays resolvable via NSS. It has been a weak requirement of systemd-hostnamed since a long time, and since its code is actually trivial we decided to just include it in systemd's source tree. It can be turned off with a configure switch. * The read-ahead logic is now capable of properly detecting whether a btrfs file system is on SSD or rotating media, in order to optimize the read-ahead scheme. Previously, it was only capable of detecting this on traditional file systems such as ext4. * In udev, additional device properties are now read from the IAB in addition to the OUI database. Also, Bluetooth company identities are attached to the devices as well. * In service files %U may be used as specifier that is replaced by the configured user name of the service. * nspawn may now be invoked without a controlling TTY. This makes it suitable for invocation as its own service. This may be used to set up a simple containerized server system using only core OS tools. * systemd and nspawn can now accept socket file descriptors when they are started for socket activation. This enables implementation of socket activated nspawn containers. i.e. think about autospawning an entire OS image when the first SSH or HTTP connection is received. We expect that similar functionality will also be added to libvirt-lxc eventually. * journalctl will now suppress ANSI color codes when presenting log data. * systemctl will no longer show control group information for a unit if the control group is empty anyway. * logind can now automatically suspend/hibernate/shutdown the system on idle. * /etc/machine-info and hostnamed now also expose the chassis type of the system. This can be used to determine whether the local system is a laptop, desktop, handset or tablet. This information may either be configured by the user/vendor or is automatically determined from ACPI and DMI information if possible. * A number of polkit actions are now bound together with "imply" rules. This should simplify creating UIs because many actions will now authenticate similar ones as well. * Unit files learnt a new condition ConditionACPower= which may be used to conditionalize a unit depending on whether an AC power source is connected or not, of whether the system is running on battery power. * systemctl gained a new "is-failed" verb that may be used in shell scripts and suchlike to check whether a specific unit is in the "failed" state. * The EnvironmentFile= setting in unit files now supports file globbing, and can hence be used to easily read a number of environment files at once. * systemd will no longer detect and recognize specific distributions. All distribution-specific #ifdeffery has been removed, systemd is now fully generic and distribution-agnostic. Effectively, not too much is lost as a lot of the code is still accessible via explicit configure switches. However, support for some distribution specific legacy configuration file formats has been dropped. We recommend distributions to simply adopt the configuration files everybody else uses now and convert the old configuration from packaging scripts. Most distributions already did that. If that's not possible or desirable, distributions are welcome to forward port the specific pieces of code locally from the git history. * When logging a message about a unit systemd will now always log the unit name in the message meta data. * localectl will now also discover system locale data that is not stored in locale archives, but directly unpacked. * logind will no longer unconditionally use framebuffer devices as seat masters, i.e. as devices that are required to be existing before a seat is considered preset. Instead, it will now look for all devices that are tagged as "seat-master" in udev. By default, framebuffer devices will be marked as such, but depending on local systems, other devices might be marked as well. This may be used to integrate graphics cards using closed source drivers (such as NVidia ones) more nicely into logind. Note however, that we recommend using the open source NVidia drivers instead, and no udev rules for the closed-source drivers will be shipped from us upstream. Contributions from: Adam Williamson, Alessandro Crismani, Auke Kok, Colin Walters, Daniel Wallace, Dave Reisner, David Herrmann, David Strauss, Dimitrios Apostolou, Eelco Dolstra, Eric Benoit, Giovanni Campagna, Hannes Reinecke, Henrik Grindal Bakken, Hermann Gausterer, Kay Sievers, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas, Marcel Holtmann, Martin Pitt, Matthew Monaco, Michael Biebl, Michael Terry, Michal Schmidt, Michal Sekletar, Michał Bartoszkiewicz, Oleg Samarin, Pekka Lundstrom, Philip Nilsson, Ramkumar Ramachandra, Richard Yao, Robert Millan, Sami Kerola, Shawn Landden, Thomas Hindoe Paaboel Andersen, Thomas Jarosch, Tollef Fog Heen, Tom Gundersen, Umut Tezduyar, Zbigniew Jędrzejewski-Szmek CHANGES WITH 196: * udev gained support for loading additional device properties from an indexed database that is keyed by vendor/product IDs and similar device identifiers. For the beginning this "hwdb" is populated with data from the well-known PCI and USB database, but also includes PNP, ACPI and OID data. In the longer run this indexed database shall grow into becoming the one central database for non-essential userspace device metadata. Previously, data from the PCI/USB database was only attached to select devices, since the lookup was a relatively expensive operation due to O(n) time complexity (with n being the number of entries in the database). Since this is now O(1), we decided to add in this data for all devices where this is available, by default. Note that the indexed database needs to be rebuilt when new data files are installed. To achieve this you need to update your packaging scripts to invoke "udevadm hwdb --update" after installation of hwdb data files. For RPM-based distributions we introduced the new %udev_hwdb_update macro for this purpose. * The Journal gained support for the "Message Catalog", an indexed database to link up additional information with journal entries. For further details please check: https://www.freedesktop.org/wiki/Software/systemd/catalog The indexed message catalog database also needs to be rebuilt after installation of message catalog files. Use "journalctl --update-catalog" for this. For RPM-based distributions we introduced the %journal_catalog_update macro for this purpose. * The Python Journal bindings gained support for the standard Python logging framework. * The Journal API gained new functions for checking whether the underlying file system of a journal file is capable of properly reporting file change notifications, or whether applications that want to reflect journal changes "live" need to recheck journal files continuously in appropriate time intervals. * It is now possible to set the "age" field for tmpfiles entries to 0, indicating that files matching this entry shall always be removed when the directories are cleaned up. * coredumpctl gained a new "gdb" verb which invokes gdb right-away on the selected coredump. * There's now support for "hybrid sleep" on kernels that support this, in addition to "suspend" and "hibernate". Use "systemctl hybrid-sleep" to make use of this. * logind's HandleSuspendKey= setting (and related settings) now gained support for a new "lock" setting to simply request the screen lock on all local sessions, instead of actually executing a suspend or hibernation. * systemd will now mount the EFI variables file system by default. * Socket units now gained support for configuration of the SMACK security label. * timedatectl will now output the time of the last and next daylight saving change. * We dropped support for various legacy and distro-specific concepts, such as insserv, early-boot SysV services (i.e. those for non-standard runlevels such as 'b' or 'S') or ArchLinux /etc/rc.conf support. We recommend the distributions who still need support this to either continue to maintain the necessary patches downstream, or find a different solution. (Talk to us if you have questions!) * Various systemd components will now bypass polkit checks for root and otherwise handle properly if polkit is not found to be around. This should fix most issues for polkit-less systems. Quite frankly this should have been this way since day one. It is absolutely our intention to make systemd work fine on polkit-less systems, and we consider it a bug if something does not work as it should if polkit is not around. * For embedded systems it is now possible to build udev and systemd without blkid and/or kmod support. * "systemctl switch-root" is now capable of switching root more than once. I.e. in addition to transitions from the initrd to the host OS it is now possible to transition to further OS images from the host. This is useful to implement offline updating tools. * Various other additions have been made to the RPM macros shipped with systemd. Use %udev_rules_update() after installing new udev rules files. %_udevhwdbdir, %_udevrulesdir, %_journalcatalogdir, %_tmpfilesdir, %_sysctldir are now available which resolve to the right directories for packages to place various data files in. * journalctl gained the new --full switch (in addition to --all, to disable ellipsation for long messages. Contributions from: Anders Olofsson, Auke Kok, Ben Boeckel, Colin Walters, Cosimo Cecchi, Daniel Wallace, Dave Reisner, Eelco Dolstra, Holger Hans Peter Freyther, Kay Sievers, Chun-Yi Lee, Lekensteyn, Lennart Poettering, Mantas Mikulėnas, Marti Raudsepp, Martin Pitt, Mauro Dreissig, Michael Biebl, Michal Schmidt, Michal Sekletar, Miklos Vajna, Nis Martensen, Oleksii Shevchuk, Olivier Brunel, Ramkumar Ramachandra, Thomas Bächler, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Tony Camuso, Umut Tezduyar, Zbigniew Jędrzejewski-Szmek CHANGES WITH 195: * journalctl gained new --since= and --until= switches to filter by time. It also now supports nice filtering for units via --unit=/-u. * Type=oneshot services may use ExecReload= and do the right thing. * The journal daemon now supports time-based rotation and vacuuming, in addition to the usual disk-space based rotation. * The journal will now index the available field values for each field name. This enables clients to show pretty drop downs of available match values when filtering. The bash completion of journalctl has been updated accordingly. journalctl gained a new switch -F to list all values a certain field takes in the journal database. * More service events are now written as structured messages to the journal, and made recognizable via message IDs. * The timedated, localed and hostnamed mini-services which previously only provided support for changing time, locale and hostname settings from graphical DEs such as GNOME now also have a minimal (but very useful) text-based client utility each. This is probably the nicest way to changing these settings from the command line now, especially since it lists available options and is fully integrated with bash completion. * There's now a new tool "systemd-coredumpctl" to list and extract coredumps from the journal. * We now install a README each in /var/log/ and /etc/rc.d/init.d explaining where the system logs and init scripts went. This hopefully should help folks who go to that dirs and look into the otherwise now empty void and scratch their heads. * When user-services are invoked (by systemd --user) the $MANAGERPID env var is set to the PID of systemd. * SIGRTMIN+24 when sent to a --user instance will now result in immediate termination of systemd. * gatewayd received numerous feature additions such as a "follow" mode, for live syncing and filtering. * browse.html now allows filtering and showing detailed information on specific entries. Keyboard navigation and mouse screen support has been added. * gatewayd/journalctl now supports HTML5/JSON Server-Sent-Events as output. * The SysV init script compatibility logic will now heuristically determine whether a script supports the "reload" verb, and only then make this available as "systemctl reload". * "systemctl status --follow" has been removed, use "journalctl -u" instead. * journald.conf's RuntimeMinSize=, PersistentMinSize= settings have been removed since they are hardly useful to be configured. * And I'd like to take the opportunity to specifically mention Zbigniew for his great contributions. Zbigniew, you rock! Contributions from: Andrew Eikum, Christian Hesse, Colin Guthrie, Daniel J Walsh, Dave Reisner, Eelco Dolstra, Ferenc Wágner, Kay Sievers, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas, Martin Mikkelsen, Martin Pitt, Michael Olbrich, Michael Stapelberg, Michal Schmidt, Sebastian Ott, Thomas Bächler, Umut Tezduyar, Will Woods, Wulf C. Krueger, Zbigniew Jędrzejewski-Szmek, Сковорода Никита Андреевич CHANGES WITH 194: * If /etc/vconsole.conf is non-existent or empty we will no longer load any console font or key map at boot by default. Instead the kernel defaults will be left intact. This is definitely the right thing to do, as no configuration should mean no configuration, and hard-coding font names that are different on all archs is probably a bad idea. Also, the kernel default key map and font should be good enough for most cases anyway, and mostly identical to the userspace fonts/key maps we previously overloaded them with. If distributions want to continue to default to a non-kernel font or key map they should ship a default /etc/vconsole.conf with the appropriate contents. Contributions from: Colin Walters, Daniel J Walsh, Dave Reisner, Kay Sievers, Lennart Poettering, Lukas Nykryn, Tollef Fog Heen, Tom Gundersen, Zbigniew Jędrzejewski-Szmek CHANGES WITH 193: * journalctl gained a new --cursor= switch to show entries starting from the specified location in the journal. * We now enforce a size limit on journal entry fields exported with "-o json" in journalctl. Fields larger than 4K will be assigned null. This can be turned off with --all. * An (optional) journal gateway daemon is now available as "systemd-journal-gatewayd.service". This service provides access to the journal via HTTP and JSON. This functionality will be used to implement live log synchronization in both pull and push modes, but has various other users too, such as easy log access for debugging of embedded devices. Right now it is already useful to retrieve the journal via HTTP: # systemctl start systemd-journal-gatewayd.service # wget http://localhost:19531/entries This will download the journal contents in a /var/log/messages compatible format. The same as JSON: # curl -H"Accept: application/json" http://localhost:19531/entries This service is also accessible via a web browser where a single static HTML5 app is served that uses the JSON logic to enable the user to do some basic browsing of the journal. This will be extended later on. Here's an example screenshot of this app in its current state: https://0pointer.de/public/journal-gatewayd Contributions from: Kay Sievers, Lennart Poettering, Robert Milasan, Tom Gundersen CHANGES WITH 192: * The bash completion logic is now available for journalctl too. * We do not mount the "cpuset" controller anymore together with "cpu" and "cpuacct", as "cpuset" groups generally cannot be started if no parameters are assigned to it. "cpuset" hence broke code that assumed it could create "cpu" groups and just start them. * journalctl -f will now subscribe to terminal size changes, and line break accordingly. Contributions from: Dave Reisner, Kay Sievers, Lennart Poettering, Lukas Nykrynm, Mirco Tischler, Václav Pavlín CHANGES WITH 191: * nspawn will now create a symlink /etc/localtime in the container environment, copying the host's timezone setting. Previously this has been done via a bind mount, but since symlinks cannot be bind mounted this has now been changed to create/update the appropriate symlink. * journalctl -n's line number argument is now optional, and will default to 10 if omitted. * journald will now log the maximum size the journal files may take up on disk. This is particularly useful if the default built-in logic of determining this parameter from the file system size is used. Use "systemctl status systemd-journald.service" to see this information. * The multi-seat X wrapper tool has been stripped down. As X is now capable of enumerating graphics devices via udev in a seat-aware way the wrapper is not strictly necessary anymore. A stripped down temporary stop-gap is still shipped until the upstream display managers have been updated to fully support the new X logic. Expect this wrapper to be removed entirely in one of the next releases. * HandleSleepKey= in logind.conf has been split up into HandleSuspendKey= and HandleHibernateKey=. The old setting is not available anymore. X11 and the kernel are distinguishing between these keys and we should too. This also means the inhibition lock for these keys has been split into two. Contributions from: Dave Airlie, Eelco Dolstra, Lennart Poettering, Lukas Nykryn, Václav Pavlín CHANGES WITH 190: * Whenever a unit changes state we will now log this to the journal and show along the unit's own log output in "systemctl status". * ConditionPathIsMountPoint= can now properly detect bind mount points too. (Previously, a bind mount of one file system to another place in the same file system could not be detected as mount, since they shared struct stat's st_dev field.) * We will now mount the cgroup controllers cpu, cpuacct, cpuset and the controllers net_cls, net_prio together by default. * nspawn containers will now have a virtualized boot ID. (i.e. /proc/sys/kernel/random/boot_id is now mounted over with a randomized ID at container initialization). This has the effect of making "journalctl -b" do the right thing in a container. * The JSON output journal serialization has been updated not to generate "endless" list objects anymore, but rather one JSON object per line. This is more in line how most JSON parsers expect JSON objects. The new output mode "json-pretty" has been added to provide similar output, but neatly aligned for readability by humans. * We dropped all explicit sync() invocations in the shutdown code. The kernel does this implicitly anyway in the kernel reboot() syscall. halt(8)'s -n option is now a compatibility no-op. * We now support virtualized reboot() in containers, as supported by newer kernels. We will fall back to exit() if CAP_SYS_REBOOT is not available to the container. Also, nspawn makes use of this now and will actually reboot the container if the containerized OS asks for that. * journalctl will only show local log output by default now. Use --merge (-m) to show remote log output, too. * libsystemd-journal gained the new sd_journal_get_usage() call to determine the current disk usage of all journal files. This is exposed in the new "journalctl --disk-usage" command. * journald gained a new configuration setting SplitMode= in journald.conf which may be used to control how user journals are split off. See journald.conf(5) for details. * A new condition type ConditionFileNotEmpty= has been added. * tmpfiles' "w" lines now support file globbing, to write multiple files at once. * We added Python bindings for the journal submission APIs. More Python APIs for a number of selected APIs will likely follow. Note that we intend to add native bindings only for the Python language, as we consider it common enough to deserve bindings shipped within systemd. There are various projects outside of systemd that provide bindings for languages such as PHP or Lua. * Many conditions will now resolve specifiers such as %i. In addition, PathChanged= and related directives of .path units now support specifiers as well. * There's now a new RPM macro definition for the system preset dir: %_presetdir. * journald will now warn if it ca not forward a message to the syslog daemon because its socket is full. * timedated will no longer write or process /etc/timezone, except on Debian. As we do not support late mounted /usr anymore /etc/localtime always being a symlink is now safe, and hence the information in /etc/timezone is not necessary anymore. * logind will now always reserve one VT for a text getty (VT6 by default). Previously if more than 6 X sessions where started they took up all the VTs with auto-spawned gettys, so that no text gettys were available anymore. * udev will now automatically inform the btrfs kernel logic about btrfs RAID components showing up. This should make simple hotplug based btrfs RAID assembly work. * PID 1 will now increase its RLIMIT_NOFILE to 64K by default (but not for its children which will stay at the kernel default). This should allow setups with a lot more listening sockets. * systemd will now always pass the configured timezone to the kernel at boot. timedated will do the same when the timezone is changed. * logind's inhibition logic has been updated. By default, logind will now handle the lid switch, the power and sleep keys all the time, even in graphical sessions. If DEs want to handle these events on their own they should take the new handle-power-key, handle-sleep-key and handle-lid-switch inhibitors during their runtime. A simple way to achieve that is to invoke the DE wrapped in an invocation of: systemd-inhibit --what=handle-power-key:handle-sleep-key:handle-lid-switch … * Access to unit operations is now checked via SELinux taking the unit file label and client process label into account. * systemd will now notify the administrator in the journal when he over-mounts a non-empty directory. * There are new specifiers that are resolved in unit files, for the hostname (%H), the machine ID (%m) and the boot ID (%b). Contributions from: Allin Cottrell, Auke Kok, Brandon Philips, Colin Guthrie, Colin Walters, Daniel J Walsh, Dave Reisner, Eelco Dolstra, Jan Engelhardt, Kay Sievers, Lennart Poettering, Lucas De Marchi, Lukas Nykryn, Mantas Mikulėnas, Martin Pitt, Matthias Clasen, Michael Olbrich, Pierre Schmitz, Shawn Landden, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Václav Pavlín, Yin Kangkai, Zbigniew Jędrzejewski-Szmek CHANGES WITH 189: * Support for reading structured kernel messages from /dev/kmsg has now been added and is enabled by default. * Support for reading kernel messages from /proc/kmsg has now been removed. If you want kernel messages in the journal make sure to run a recent kernel (>= 3.5) that supports reading structured messages from /dev/kmsg (see above). /proc/kmsg is now exclusive property of classic syslog daemons again. * The libudev API gained the new udev_device_new_from_device_id() call. * The logic for file system namespace (ReadOnlyDirectory=, ReadWriteDirectoy=, PrivateTmp=) has been reworked not to require pivot_root() anymore. This means fewer temporary directories are created below /tmp for this feature. * nspawn containers will now see and receive all submounts made on the host OS below the root file system of the container. * Forward Secure Sealing is now supported for Journal files, which provide cryptographical sealing of journal files so that attackers cannot alter log history anymore without this being detectable. Lennart will soon post a blog story about this explaining it in more detail. * There are two new service settings RestartPreventExitStatus= and SuccessExitStatus= which allow configuration of exit status (exit code or signal) which will be excepted from the restart logic, resp. consider successful. * journalctl gained the new --verify switch that can be used to check the integrity of the structure of journal files and (if Forward Secure Sealing is enabled) the contents of journal files. * nspawn containers will now be run with /dev/stdin, /dev/fd/ and similar symlinks pre-created. This makes running shells as container init process a lot more fun. * The fstab support can now handle PARTUUID= and PARTLABEL= entries. * A new ConditionHost= condition has been added to match against the hostname (with globs) and machine ID. This is useful for clusters where a single OS image is used to provision a large number of hosts which shall run slightly different sets of services. * Services which hit the restart limit will now be placed in a failure state. Contributions from: Bertram Poettering, Dave Reisner, Huang Hang, Kay Sievers, Lennart Poettering, Lukas Nykryn, Martin Pitt, Simon Peeters, Zbigniew Jędrzejewski-Szmek CHANGES WITH 188: * When running in --user mode systemd will now become a subreaper (PR_SET_CHILD_SUBREAPER). This should make the ps tree a lot more organized. * A new PartOf= unit dependency type has been introduced that may be used to group services in a natural way. * "systemctl enable" may now be used to enable instances of services. * journalctl now prints error log levels in red, and warning/notice log levels in bright white. It also supports filtering by log level now. * cgtop gained a new -n switch (similar to top), to configure the maximum number of iterations to run for. It also gained -b, to run in batch mode (accepting no input). * The suffix ".service" may now be omitted on most systemctl command lines involving service unit names. * There's a new bus call in logind to lock all sessions, as well as a loginctl verb for it "lock-sessions". * libsystemd-logind.so gained a new call sd_journal_perror() that works similar to libc perror() but logs to the journal and encodes structured information about the error number. * /etc/crypttab entries now understand the new keyfile-size= option. * shutdown(8) now can send a (configurable) wall message when a shutdown is cancelled. * The mount propagation mode for the root file system will now default to "shared", which is useful to make containers work nicely out-of-the-box so that they receive new mounts from the host. This can be undone locally by running "mount --make-rprivate /" if needed. * The prefdm.service file has been removed. Distributions should maintain this unit downstream if they intend to keep it around. However, we recommend writing normal unit files for display managers instead. * Since systemd is a crucial part of the OS we will now default to a number of compiler switches that improve security (hardening) such as read-only relocations, stack protection, and suchlike. * The TimeoutSec= setting for services is now split into TimeoutStartSec= and TimeoutStopSec= to allow configuration of individual time outs for the start and the stop phase of the service. Contributions from: Artur Zaprzala, Arvydas Sidorenko, Auke Kok, Bryan Kadzban, Dave Reisner, David Strauss, Harald Hoyer, Jim Meyering, Kay Sievers, Lennart Poettering, Mantas Mikulėnas, Martin Pitt, Michal Schmidt, Michal Sekletar, Peter Alfredsen, Shawn Landden, Simon Peeters, Terence Honles, Tom Gundersen, Zbigniew Jędrzejewski-Szmek CHANGES WITH 187: * The journal and id128 C APIs are now fully documented as man pages. * Extra safety checks have been added when transitioning from the initial RAM disk to the main system to avoid accidental data loss. * /etc/crypttab entries now understand the new keyfile-offset= option. * systemctl -t can now be used to filter by unit load state. * The journal C API gained the new sd_journal_wait() call to make writing synchronous journal clients easier. * journalctl gained the new -D switch to show journals from a specific directory. * journalctl now displays a special marker between log messages of two different boots. * The journal is now explicitly flushed to /var via a service systemd-journal-flush.service, rather than implicitly simply by seeing /var/log/journal to be writable. * journalctl (and the journal C APIs) can now match for much more complex expressions, with alternatives and disjunctions. * When transitioning from the initial RAM disk to the main system we will now kill all processes in a killing spree to ensure no processes stay around by accident. * Three new specifiers may be used in unit files: %u, %h, %s resolve to the user name, user home directory resp. user shell. This is useful for running systemd user instances. * We now automatically rotate journal files if their data object hash table gets a fill level > 75%. We also size the hash table based on the configured maximum file size. This together should lower hash collisions drastically and thus speed things up a bit. * journalctl gained the new "--header" switch to introspect header data of journal files. * A new setting SystemCallFilters= has been added to services which may be used to apply deny lists or allow lists to system calls. This is based on SECCOMP Mode 2 of Linux 3.5. * nspawn gained a new --link-journal= switch (and quicker: -j) to link the container journal with the host. This makes it very easy to centralize log viewing on the host for all guests while still keeping the journal files separated. * Many bugfixes and optimizations Contributions from: Auke Kok, Eelco Dolstra, Harald Hoyer, Kay Sievers, Lennart Poettering, Malte Starostik, Paul Menzel, Rex Tsai, Shawn Landden, Tom Gundersen, Ville Skyttä, Zbigniew Jędrzejewski-Szmek CHANGES WITH 186: * Several tools now understand kernel command line arguments, which are only read when run in an initial RAM disk. They usually follow closely their normal counterparts, but are prefixed with rd. * There's a new tool to analyze the readahead files that are automatically generated at boot. Use: /usr/lib/systemd/systemd-readahead analyze /.readahead * We now provide an early debug shell on tty9 if this enabled. Use: systemctl enable debug-shell.service * All plymouth related units have been moved into the Plymouth package. Please make sure to upgrade your Plymouth version as well. * systemd-tmpfiles now supports getting passed the basename of a configuration file only, in which case it will look for it in all appropriate directories automatically. * udevadm info now takes a /dev or /sys path as argument, and does the right thing. Example: udevadm info /dev/sda udevadm info /sys/class/block/sda * systemctl now prints a warning if a unit is stopped but a unit that might trigger it continues to run. Example: a service is stopped but the socket that activates it is left running. * "systemctl status" will now mention if the log output was shortened due to rotation since a service has been started. * The journal API now exposes functions to determine the "cutoff" times due to rotation. * journald now understands SIGUSR1 and SIGUSR2 for triggering immediately flushing of runtime logs to /var if possible, resp. for triggering immediate rotation of the journal files. * It is now considered an error if a service is attempted to be stopped that is not loaded. * XDG_RUNTIME_DIR now uses numeric UIDs instead of usernames. * systemd-analyze now supports Python 3 * tmpfiles now supports cleaning up directories via aging where the first level dirs are always kept around but directories beneath it automatically aged. This is enabled by prefixing the age field with '~'. * Seat objects now expose CanGraphical, CanTTY properties which is required to deal with very fast bootups where the display manager might be running before the graphics drivers completed initialization. * Seat objects now expose a State property. * We now include RPM macros for service enabling/disabling based on the preset logic. We recommend RPM based distributions to make use of these macros if possible. This makes it simpler to reuse RPM spec files across distributions. * We now make sure that the collected systemd unit name is always valid when services log to the journal via STDOUT/STDERR. * There's a new man page kernel-command-line(7) detailing all command line options we understand. * The fstab generator may now be disabled at boot by passing fstab=0 on the kernel command line. * A new kernel command line option modules-load= is now understood to load a specific kernel module statically, early at boot. * Unit names specified on the systemctl command line are now automatically escaped as needed. Also, if file system or device paths are specified they are automatically turned into the appropriate mount or device unit names. Example: systemctl status /home systemctl status /dev/sda * The SysVConsole= configuration option has been removed from system.conf parsing. * The SysV search path is no longer exported on the D-Bus Manager object. * The Names= option has been removed from unit file parsing. * There's a new man page bootup(7) detailing the boot process. * Every unit and every generator we ship with systemd now comes with full documentation. The self-explanatory boot is complete. * A couple of services gained "systemd-" prefixes in their name if they wrap systemd code, rather than only external code. Among them fsck@.service which is now systemd-fsck@.service. * The HaveWatchdog property has been removed from the D-Bus Manager object. * systemd.confirm_spawn= on the kernel command line should now work sensibly. * There's a new man page crypttab(5) which details all options we actually understand. * systemd-nspawn gained a new --capability= switch to pass additional capabilities to the container. * timedated will now read known NTP implementation unit names from /usr/lib/systemd/ntp-units.d/*.list, systemd-timedated-ntp.target has been removed. * journalctl gained a new switch "-b" that lists log data of the current boot only. * The notify socket is in the abstract namespace again, in order to support daemons which chroot() at start-up. * There is a new Storage= configuration option for journald which allows configuration of where log data should go. This also provides a way to disable journal logging entirely, so that data collected is only forwarded to the console, the kernel log buffer or another syslog implementation. * Many bugfixes and optimizations Contributions from: Auke Kok, Colin Guthrie, Dave Reisner, David Strauss, Eelco Dolstra, Kay Sievers, Lennart Poettering, Lukas Nykryn, Michal Schmidt, Michal Sekletar, Paul Menzel, Shawn Landden, Tom Gundersen CHANGES WITH 185: * "systemctl help " now shows the man page if one is available. * Several new man pages have been added. * MaxLevelStore=, MaxLevelSyslog=, MaxLevelKMsg=, MaxLevelConsole= can now be specified in journald.conf. These options allow reducing the amount of data stored on disk or forwarded by the log level. * TimerSlackNSec= can now be specified in system.conf for PID1. This allows system-wide power savings. Contributions from: Dave Reisner, Kay Sievers, Lauri Kasanen, Lennart Poettering, Malte Starostik, Marc-Antoine Perennou, Matthias Clasen CHANGES WITH 184: * logind is now capable of (optionally) handling power and sleep keys as well as the lid switch. * journalctl now understands the syntax "journalctl /usr/bin/avahi-daemon" to get all log output of a specific daemon. * CapabilityBoundingSet= in system.conf now also influences the capability bound set of usermode helpers of the kernel. Contributions from: Daniel Drake, Daniel J. Walsh, Gert Michael Kulyk, Harald Hoyer, Jean Delvare, Kay Sievers, Lennart Poettering, Matthew Garrett, Matthias Clasen, Paul Menzel, Shawn Landden, Tero Roponen, Tom Gundersen CHANGES WITH 183: * Note that we skipped 139 releases here in order to set the new version to something that is greater than both udev's and systemd's most recent version number. * udev: all udev sources are merged into the systemd source tree now. All future udev development will happen in the systemd tree. It is still fully supported to use the udev daemon and tools without systemd running, like in initramfs or other init systems. Building udev though, will require the *build* of the systemd tree, but udev can be properly *run* without systemd. * udev: /lib/udev/devices/ are not read anymore; systemd-tmpfiles should be used to create dead device nodes as workarounds for broken subsystems. * udev: RUN+="socket:…" and udev_monitor_new_from_socket() is no longer supported. udev_monitor_new_from_netlink() needs to be used to subscribe to events. * udev: when udevd is started by systemd, processes which are left behind by forking them off of udev rules, are unconditionally cleaned up and killed now after the event handling has finished. Services or daemons must be started as systemd services. Services can be pulled-in by udev to get started, but they can no longer be directly forked by udev rules. * udev: the daemon binary is called systemd-udevd now and installed in /usr/lib/systemd/. Standalone builds or non-systemd systems need to adapt to that, create symlink, or rename the binary after building it. * libudev no longer provides these symbols: udev_monitor_from_socket() udev_queue_get_failed_list_entry() udev_get_{dev,sys,run}_path() The versions number was bumped and symbol versioning introduced. * systemd-loginctl and systemd-journalctl have been renamed to loginctl and journalctl to match systemctl. * The config files: /etc/systemd/systemd-logind.conf and /etc/systemd/systemd-journald.conf have been renamed to logind.conf and journald.conf. Package updates should rename the files to the new names on upgrade. * For almost all files the license is now LGPL2.1+, changed from the previous GPL2.0+. Exceptions are some minor stuff of udev (which will be changed to LGPL2.1 eventually, too), and the MIT licensed sd-daemon.[ch] library that is suitable to be used as drop-in files. * systemd and logind now handle system sleep states, in particular suspending and hibernating. * logind now implements a sleep/shutdown/idle inhibiting logic suitable for a variety of uses. Soonishly Lennart will blog about this in more detail. * var-run.mount and var-lock.mount are no longer provided (which previously bind mounted these directories to their new places). Distributions which have not converted these directories to symlinks should consider stealing these files from git history and add them downstream. * We introduced the Documentation= field for units and added this to all our shipped units. This is useful to make it easier to explore the boot and the purpose of the various units. * All smaller setup units (such as systemd-vconsole-setup.service) now detect properly if they are run in a container and are skipped when appropriate. This guarantees an entirely noise-free boot in Linux container environments such as systemd-nspawn. * A framework for implementing offline system updates is now integrated, for details see: https://www.freedesktop.org/software/systemd/man/systemd.offline-updates.html * A new service type Type=idle is available now which helps us avoiding ugly interleaving of getty output and boot status messages. * There's now a system-wide CapabilityBoundingSet= option to globally reduce the set of capabilities for the system. This is useful to drop CAP_SYS_MKNOD, CAP_SYS_RAWIO, CAP_NET_RAW, CAP_SYS_MODULE, CAP_SYS_TIME, CAP_SYS_PTRACE or even CAP_NET_ADMIN system-wide for secure systems. * There are now system-wide DefaultLimitXXX= options to globally change the defaults of the various resource limits for all units started by PID 1. * Harald Hoyer's systemd test suite has been integrated into systemd which allows easy testing of systemd builds in qemu and nspawn. (This is really awesome! Ask us for details!) * The fstab parser is now implemented as generator, not inside of PID 1 anymore. * systemctl will now warn you if .mount units generated from /etc/fstab are out of date due to changes in fstab that have not been read by systemd yet. * systemd is now suitable for usage in initrds. Dracut has already been updated to make use of this. With this in place initrds get a slight bit faster but primarily are much easier to introspect and debug since "systemctl status" in the host system can be used to introspect initrd services, and the journal from the initrd is kept around too. * systemd-delta has been added, a tool to explore differences between user/admin configuration and vendor defaults. * PrivateTmp= now affects both /tmp and /var/tmp. * Boot time status messages are now much prettier and feature proper english language. Booting up systemd has never been so sexy. * Read-ahead pack files now include the inode number of all files to pre-cache. When the inode changes the pre-caching is not attempted. This should be nicer to deal with updated packages which might result in changes of read-ahead patterns. * We now temporaritly lower the kernel's read_ahead_kb variable when collecting read-ahead data to ensure the kernel's built-in read-ahead does not add noise to our measurements of necessary blocks to pre-cache. * There's now RequiresMountsFor= to add automatic dependencies for all mounts necessary for a specific file system path. * MountAuto= and SwapAuto= have been removed from system.conf. Mounting file systems at boot has to take place in systemd now. * nspawn now learned a new switch --uuid= to set the machine ID on the command line. * nspawn now learned the -b switch to automatically search for an init system. * vt102 is now the default TERM for serial TTYs, upgraded from vt100. * systemd-logind now works on VT-less systems. * The build tree has been reorganized. The individual components now have directories of their own. * A new condition type ConditionPathIsReadWrite= is now available. * nspawn learned the new -C switch to create cgroups for the container in other hierarchies. * We now have support for hardware watchdogs, configurable in system.conf. * The scheduled shutdown logic now has a public API. * We now mount /tmp as tmpfs by default, but this can be masked and /etc/fstab can override it. * Since udisks does not make use of /media anymore we are not mounting a tmpfs on it anymore. * journalctl gained a new --local switch to only interleave locally generated journal files. * We can now load the IMA policy at boot automatically. * The GTK tools have been split off into a systemd-ui. Contributions from: Andreas Schwab, Auke Kok, Ayan George, Colin Guthrie, Daniel Mack, Dave Reisner, David Ward, Elan Ruusamäe, Frederic Crozat, Gergely Nagy, Guillermo Vidal, Hannes Reinecke, Harald Hoyer, Javier Jardón, Kay Sievers, Lennart Poettering, Lucas De Marchi, Léo Gillot-Lamure, Marc-Antoine Perennou, Martin Pitt, Matthew Monaco, Maxim A. Mikityanskiy, Michael Biebl, Michael Olbrich, Michal Schmidt, Nis Martensen, Patrick McCarty, Roberto Sassu, Shawn Landden, Sjoerd Simons, Sven Anders, Tollef Fog Heen, Tom Gundersen CHANGES WITH 44: * This is mostly a bugfix release * Support optional initialization of the machine ID from the KVM or container configured UUID. * Support immediate reboots with "systemctl reboot -ff" * Show /etc/os-release data in systemd-analyze output * Many bugfixes for the journal, including endianness fixes and ensuring that disk space enforcement works * sd-login.h is C++ compatible again * Extend the /etc/os-release format on request of the Debian folks * We now refuse non-UTF8 strings used in various configuration and unit files. This is done to ensure we do not pass invalid data over D-Bus or expose it elsewhere. * Register Mimo USB Screens as suitable for automatic seat configuration * Read SELinux client context from journal clients in a race free fashion * Reorder configuration file lookup order. /etc now always overrides /run in order to allow the administrator to always and unconditionally override vendor-supplied or automatically generated data. * The various user visible bits of the journal now have man pages. We still lack man pages for the journal API calls however. * We now ship all man pages in HTML format again in the tarball. Contributions from: Dave Reisner, Dirk Eibach, Frederic Crozat, Harald Hoyer, Kay Sievers, Lennart Poettering, Marti Raudsepp, Michal Schmidt, Shawn Landden, Tero Roponen, Thierry Reding CHANGES WITH 43: * This is mostly a bugfix release * systems lacking /etc/os-release are no longer supported. * Various functionality updates to libsystemd-login.so * Track class of PAM logins to distinguish greeters from normal user logins. Contributions from: Kay Sievers, Lennart Poettering, Michael Biebl CHANGES WITH 42: * This is an important bugfix release for v41. * Building man pages is now optional which should be useful for those building systemd from git but unwilling to install xsltproc. * Watchdog support for supervising services is now usable. In a future release support for hardware watchdogs (i.e. /dev/watchdog) will be added building on this. * Service start rate limiting is now configurable and can be turned off per service. When a start rate limit is hit a reboot can automatically be triggered. * New CanReboot(), CanPowerOff() bus calls in systemd-logind. Contributions from: Benjamin Franzke, Bill Nottingham, Frederic Crozat, Lennart Poettering, Michael Olbrich, Michal Schmidt, Michał Górny, Piotr Drąg CHANGES WITH 41: * The systemd binary is installed /usr/lib/systemd/systemd now; An existing /sbin/init symlink needs to be adapted with the package update. * The code that loads kernel modules has been ported to invoke libkmod directly, instead of modprobe. This means we do not support systems with module-init-tools anymore. * Watchdog support is now already useful, but still not complete. * A new kernel command line option systemd.setenv= is understood to set system wide environment variables dynamically at boot. * We now limit the set of capabilities of systemd-journald. * We now set SIGPIPE to ignore by default, since it only is useful in shell pipelines, and has little use in general code. This can be disabled with IgnoreSIPIPE=no in unit files. Contributions from: Benjamin Franzke, Kay Sievers, Lennart Poettering, Michael Olbrich, Michal Schmidt, Tom Gundersen, William Douglas CHANGES WITH 40: * This is mostly a bugfix release * We now expose the reason why a service failed in the "Result" D-Bus property. * Rudimentary service watchdog support (will be completed over the next few releases.) * When systemd forks off in order execute some service we will now immediately changes its argv[0] to reflect which process it will execute. This is useful to minimize the time window with a generic argv[0], which makes bootcharts more useful Contributions from: Alvaro Soliverez, Chris Paulson-Ellis, Kay Sievers, Lennart Poettering, Michael Olbrich, Michal Schmidt, Mike Kazantsev, Ray Strode CHANGES WITH 39: * This is mostly a test release, but incorporates many bugfixes. * New systemd-cgtop tool to show control groups by their resource usage. * Linking against libacl for ACLs is optional again. If disabled, support tracking device access for active logins goes becomes unavailable, and so does access to the user journals by the respective users. * If a group "adm" exists, journal files are automatically owned by them, thus allow members of this group full access to the system journal as well as all user journals. * The journal now stores the SELinux context of the logging client for all entries. * Add C++ inclusion guards to all public headers * New output mode "cat" in the journal to print only text messages, without any meta data like date or time. * Include tiny X server wrapper as a temporary stop-gap to teach XOrg udev display enumeration. This is used by display managers such as gdm, and will go away as soon as XOrg learned native udev hotplugging for display devices. * Add new systemd-cat tool for executing arbitrary programs with STDERR/STDOUT connected to the journal. Can also act as BSD logger replacement, and does so by default. * Optionally store all locally generated coredumps in the journal along with meta data. * systemd-tmpfiles learnt four new commands: n, L, c, b, for writing short strings to files (for usage for /sys), and for creating symlinks, character and block device nodes. * New unit file option ControlGroupPersistent= to make cgroups persistent, following the mechanisms outlined in https://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups * Support multiple local RTCs in a sane way * No longer monopolize IO when replaying readahead data on rotating disks, since we might starve non-file-system IO to death, since fanotify() will not see accesses done by blkid, or fsck. * Do not show kernel threads in systemd-cgls anymore, unless requested with new -k switch. Contributions from: Dan Horák, Kay Sievers, Lennart Poettering, Michal Schmidt CHANGES WITH 38: * This is mostly a test release, but incorporates many bugfixes. * The git repository moved to: git://anongit.freedesktop.org/systemd/systemd ssh://git.freedesktop.org/git/systemd/systemd * First release with the journal https://0pointer.de/blog/projects/the-journal.html * The journal replaces both systemd-kmsg-syslogd and systemd-stdout-bridge. * New sd_pid_get_unit() API call in libsystemd-logind * Many systemadm clean-ups * Introduce remote-fs-pre.target which is ordered before all remote mounts and may be used to start services before all remote mounts. * Added Mageia support * Add bash completion for systemd-loginctl * Actively monitor PID file creation for daemons which exit in the parent process before having finished writing the PID file in the daemon process. Daemons which do this need to be fixed (i.e. PID file creation must have finished before the parent exits), but we now react a bit more gracefully to them. * Add colourful boot output, mimicking the well-known output of existing distributions. * New option PassCredentials= for socket units, for compatibility with a recent kernel ABI breakage. * /etc/rc.local is now hooked in via a generator binary, and thus will no longer act as synchronization point during boot. * systemctl list-unit-files now supports --root=. * systemd-tmpfiles now understands two new commands: z, Z for relabelling files according to the SELinux database. This is useful to apply SELinux labels to specific files in /sys, among other things. * Output of SysV services is now forwarded to both the console and the journal by default, not only just the console. * New man pages for all APIs from libsystemd-login. * The build tree got reorganized and the build system is a lot more modular allowing embedded setups to specifically select the components of systemd they are interested in. * Support for Linux systems lacking the kernel VT subsystem is restored. * configure's --with-rootdir= got renamed to --with-rootprefix= to follow the naming used by udev and kmod * Unless specified otherwise we will now install to /usr instead of /usr/local by default. * Processes with '@' in argv[0][0] are now excluded from the final shut-down killing spree, following the logic explained in: https://systemd.io/ROOT_STORAGE_DAEMONS/ * All processes remaining in a service cgroup when we enter the START or START_PRE states are now killed with SIGKILL. That means it is no longer possible to spawn background processes from ExecStart= lines (which was never supported anyway, and bad style). * New PropagateReloadTo=/PropagateReloadFrom= options to bind reloading of units together. Contributions from: Bill Nottingham, Daniel J. Walsh, Dave Reisner, Dexter Morgan, Gregs Gregs, Jonathan Nieder, Kay Sievers, Lennart Poettering, Michael Biebl, Michal Schmidt, Michał Górny, Ran Benita, Thomas Jarosch, Tim Waugh, Tollef Fog Heen, Tom Gundersen, Zbigniew Jędrzejewski-Szmek