Kiadásra került a systemd 250-es verziója

kami911 képe
Beküldte kami911 -

A Systemd 250 nagyon sok mindent újdonsággal érkezett, ami az elmúlt fél év során készült el.

A systemd 250 számos változása között megtalálhatóak a következők:

  • Support for encrypted and authenticated credentials has been added. This extends the credential logic introduced with v247 to support non-interactive symmetric encryption and authentication, based on a key that is stored on the /var/ file system or in the TPM2 chip (if available), or the combination of both (by default if a TPM2 chip exists the combination is used, otherwise the /var/ key only). The credentials are automatically decrypted at the moment a service is started, and are made accessible to the service itself in unencrypted form. A new tool 'systemd-creds' encrypts credentials for this purpose, and two new service file settings LoadCredentialEncrypted= and SetCredentialEncrypted= configure such credentials.
    • This feature is useful to store sensitive material such as SSL certificates, passwords and similar securely at rest and only decrypt them when needed, and in a way that is tied to the local OS installation or hardware.
  • systemd-gpt-auto-generator can now automatically set up discoverable LUKS2 encrypted swap partitions.
  • The GPT Discoverable Partitions Specification has been substantially extended with support for root and /usr/ partitions for the majority of architectures systemd supports. This includes platforms that do not natively support UEFI, because even though GPT is specified under UEFI umbrella, it is useful on other systems too. Specifically, systemd-nspawn, systemd-sysext, systemd-gpt-auto-generator and Portable Services use the concept without requiring UEFI.
  • The GPT Discoverable Partitions Specifications has been extended with a new set of partitions that may carry PKCS#7 signatures for Verity partitions, encoded in a simple JSON format. This implements a simple mechanism for building disk images that are fully authenticated and can be tested against a set of cryptographic certificates. This is now implemented for the various systemd tools that can operate with disk images, such as systemd-nspawn, systemd-sysext, systemd-dissect, Portable services/RootImage=, systemd-tmpfiles, and systemd-sysusers. The PKCS#7 signatures are passed to the kernel (where they are checked against certificates from the kernel keyring), or can be verified against certificates provided in userspace (via a simple drop-in file mechanism).
  • systemd-dissect's inspection logic will now report for which uses a disk image is intended. Specifically, it will display whether an image is suitable for booting on UEFI or in a container (using systemd-nspawn's --image= switch), whether it can be used as portable service, or attached as system extension.
  • The system-extension.d/ drop-in files now support a new field SYSEXT_SCOPE= that may encode which purpose a system extension image is for: one of "initrd", "system" or "portable". This is useful to make images more self-descriptive, and to ensure system extensions cannot be attached in the wrong contexts.
  • The os-release file learnt a new PORTABLE_PREFIXES= field which may be used in portable service images to indicate which unit prefixes are supported.
  • The GPT image dissection logic in systemd-nspawn/systemd-dissect/… now is able to decode images for non-native architectures as well. This allows systemd-nspawn to boot images of non-native architectures if the corresponding user mode emulator is installed and systemd-binfmtd is running.
  • systemd-logind gained new settings HandlePowerKeyLongPress=, HandleRebootKeyLongPress=, HandleSuspendKeyLongPress= and HandleHibernateKeyLongPress= which may be used to configure actions when the relevant keys are pressed for more than 5s. This is useful on devices that only have hardware for a subset of these keys. By default, if the reboot key is pressed long the poweroff operation is now triggered, and when the suspend key is pressed long the hibernate operation is triggered. Long pressing the other two keys currently does not trigger any operation by default.
  • When showing unit status updates on the console during boot and shutdown, and a service is slow to start so that the cylon animation is shown, the most recent sd_notify() STATUS= text is now shown as well. Services may use this to make the boot/shutdown output easier to understand, and to indicate what precisely a service that is slow to start or stop is waiting for. In particular, the per-user service manager instance now reports what it is doing and which service it is waiting for this way to the system service manager.
  • The service manager will now re-execute on reception of the SIGRTMIN+25 signal. It previously already did that on SIGTERM — but only when running as PID 1. There was no signal to request this when running as per-user service manager, i.e. as any other PID than 1. SIGRTMIN+25 works for both system and user managers.
  • The hardware watchdog logic in PID 1 gained support for operating with the default timeout configured in the hardware, instead of insisting on re-configuring it. Set RuntimeWatchdogSec=default to request this behavior.
  • A new kernel command line option systemd.watchdog_sec= is now understood which may be used to override the hardware watchdog time-out for the boot.
  • A new setting DefaultOOMScoreAdjust= is now supported in /etc/systemd/system.conf + /etc/systemd/user.conf that may be used to set the default process OOM score adjustment value for processes forked off the service manager. For per-user service managers this now defaults to 100, but for per-system service managers is left as is. This means that by default now services forked off the user service manager are more likely to be killed by the OOM killer than system services or the managers themselves.
  • A new per-service setting RestrictFileSystems= as been added that restricts the file systems a service has access to by their type. This is based on the new BPF LSM of the Linux kernel. It provides an effective way to make certain API file systems unavailable to services (and thus minimizing attack surface). A new command "systemd-analyze filesystems" has been added that lists all known file system types (and how they are grouped together under useful group handles).
  • Services now support a new setting RestrictNetworkInterfaces= for restricting access to specific network interfaces.
  • Service unit files gained new settings StartupAllowedCPUs= and StartupAllowedMemoryNodes=. These are similar to their counterparts without the "Startup" prefix and apply during the boot process only. This is useful to improve boot-time behavior of the system and assign resources differently during boot than during regular runtime. This is similar to the preexisting StartupCPUWeight= vs. CPUWeight.
  • Related to this: the various StartupXYZ= settings (i.e. StartupCPUWeight=, StartupAllowedCPUs=, …) are now also applied during shutdown. The settings not prefixed with "Startup" hence apply during regular runtime, and those that are prefixed like that apply during boot and shutdown.
  • A new per-unit set of conditions/asserts [Condition|Assert][Memory|CPU|IO]Pressure= have been added to make a unit skip/fail activation if the system's (or a slice's) memory/cpu/io pressure is above the configured threshold, using the kernel PSI feature. For more details see systemd.unit(5) and https://www.kernel.org/doc/html/latest/accounting/psi.html
  • The combination of ProcSubset=pid and ProtectKernelTunables=yes and/or ProtectKernelLogs=yes can now be used.
  • The default maximum numbers of inodes have been raised from 64k to 1M for /dev, and from 400k to 1M for /tmp.
  • The per-user service manager learnt support for communicating with systemd-oomd to acquire OOM kill information.
  • A new service setting ExecSearchPath= has been added that allows changing the search path for executables for services. It affects where we look for the binaries specified in ExecStart= and similar, and the specified directories are also added the $PATH environment variable passed to invoked processes.
  • A new setting RuntimeRandomizedExtraSec= has been added for service and scope units that allows extending the runtime time-out as configured by RuntimeMaxSec= with a randomized amount.
  • The syntax of the service unit settings RuntimeDirectory=, StateDirectory=, CacheDirectory=, LogsDirectory= has been extended: if the specified value is now suffixed with a colon, followed by another filename, the latter will be created as symbolic link to the specified directory. This allows creating these service directories together with alias symlinks to make them available under multiple names.
  • Service unit files gained two new settings TTYRows=/TTYColumns= for configuring rows/columns of the TTY device passed to stdin/stdout/stderr of the service. This is useful to propagate TTY dimensions to a virtual machine.
  • A new service unit file setting ExitType= has been added that specifies when to assume a service has exited. By default systemd only watches the main process of a service. By setting ExitType=cgroup it can be told to wait for the last process in a cgroup instead.
  • Automount unit files gained a new setting ExtraOptions= that can be used to configure additional mount options to pass to the kernel when mounting the autofs instance.
  • "Urlification" (generation of ESC sequences that generate clickable hyperlinks in modern terminals) may now be turned off altogether during build-time.
  • Path units gained new TriggerLimitBurst= and TriggerLimitIntervalSec= settings that default to 200 and 2 s respectively. The ratelimit ensures that a path unit cannot cause PID1 to busy-loop when it is trying to trigger a service that is skipped because of a Condition*= not being satisfied. This matches the configuration and behaviour of socket units.
  • The TPM2/FIDO2/PKCS11 support in systemd-cryptsetup is now also built as a plug-in for cryptsetup. This means the plain cryptsetup command may now be used to unlock volumes set up this way.
  • The TPM2 logic in cryptsetup will now automatically detect systems where the TPM2 chip advertises SHA256 PCR banks but the firmware only updates the SHA1 banks. In such a case PCR policies will be automatically bound to the latter, not the former. This makes the PCR policies reliable, but of course do not provide the same level of trust as SHA256 banks.
  • The TPM2 logic in systemd-cryptsetup/systemd-cryptsetup now supports RSA primary keys in addition to ECC, improving compatibility with TPM2 chips that do not support ECC. RSA keys are much slower to use than ECC, and hence are only used if ECC is not available.
  • /etc/crypttab gained support for a new token-timeout= setting for encrypted volumes that allows configuration of the maximum time to wait for PKCS#11/FIDO2 tokens to be plugged in. If the time elapses the logic will query the user for a regular passphrase/recovery key instead.
  • Support for activating dm-integrity volumes at boot via a new file /etc/integritytab and the tool systemd-integritysetup have been added. This is similar to /etc/crypttab and /etc/veritytab, but deals with dm-integrity instead of dm-crypt/dm-verity.
  • The systemd-veritysetup-generator now understands a new usrhash= kernel command line option for specifying the Verity root hash for the partition backing the /usr/ file system. A matching set of systemd.verity_usr_* kernel command line options has been added as well. These all work similar to the corresponding options for the root partition.
  • The sd-device API gained a new API call sd_device_get_diskseq() to return the DISKSEQ property of a device structure. The "disk sequence" concept is a new feature recently introduced to the Linux kernel that allows detecting reuse cycles of block devices, i.e. can be used to recognize when loopback block devices are reused for a different purpose or CD-ROM drives get their media changed.
  • A new unit systemd-boot-update.service has been added. If enabled (the default) and the sd-boot loader is detected to be installed, it is automatically updated to the newest version when out of date. This is useful to ensure the boot loader remains up-to-date, and updates automatically propagate from the OS tree in /usr/.
  • sd-boot will now build with SBAT by default in order to facilitate working with recent versions of Shim that require it to be present.
  • sd-boot can now parse Microsoft Windows' Boot Configuration Data. This is used to robustly generate boot entry titles for Windows.
  • A new generic target unit factory-reset.target has been added. It is hooked into systemd-logind similar in fashion to reboot/poweroff/suspend/hibernate, and is supposed to be used to initiate a factory reset operation. What precisely this operation entails is up for the implementer to decide, the primary goal of the new unit is provide a framework where to plug in the implementation and how to trigger it.
  • A new meson build-time option 'clock-valid-range-usec-max' has been added which takes a time in µs and defaults to 15 years. If the RTC time is noticed to be more than the specified time ahead of the built-in epoch of systemd (which by default is the release timestamp of systemd) it is assumed that the RTC is not working correctly, and the RTC is reset to the epoch. (It already is reset to the epoch when noticed to be before it.) This should increase the chance that time doesn't accidentally jump too far ahead due to faulty hardware or batteries.
  • A new setting SaveIntervalSec= has been added to systemd-timesyncd, which may be used to automatically save the current system time to disk in regular intervals. This is useful to maintain a roughly monotonic clock even without RTC hardware and with some robustness against abnormal system shutdown.
  • .network files gained a new UplinkInterface in the [IPv6SendRA] section, for automatically propagating DNS settings from other interfaces.
  • The static lease DHCP server logic in systemd-networkd may now serve IP addresses outside of the configured IP pool range for the server.
  • CAN support in systemd-networkd gained four new settings Loopback=, OneShot=, PresumeAck=, ClassicDataLengthCode= for tweaking CAN control modes. It gained a number of further settings for tweaking CAN timing quanta.
  • The [CAN] section in .network file gained new TimeQuantaNSec=, PropagationSegment=, PhaseBufferSegment1=, PhaseBufferSegment2=, SyncJumpWidth=, DataTimeQuantaNSec=, DataPropagationSegment=, DataPhaseBufferSegment1=, DataPhaseBufferSegment2=, and DataSyncJumpWidth= settings to control bit-timing processed by the CAN interface.
  • DHCPv4 client support in systemd-networkd learnt a new Label= option for configuring the address label to apply to configure IPv4 addresses.
  • The various systemd-udevd "ethtool" buffer settings now understand the special value "max" to configure the buffers to the maximum the hardware supports.
  • systemd-udevd's .link files may now configure a large variety of NIC coalescing settings, plus more hardware offload settings.
  • systemd-analyze verify gained support for a pair of new --image= + --root= switches for verifying units below a specific root directory/image instead of on the host.
  • systemd-analyze verify gained support for verifying unit files under an explicitly specified unit name, independently of what the filename actually is.
  • systemd-analyze verify gained a new switch --recursive-errors= which controls whether to only fail on errors found in the specified units or recursively any dependent units.
  • systemd-analyze security now supports a new --offline mode for analyzing unit files stored on disk instead of loaded units. It may be combined with --root=/--image to analyze unit files under a root directory or disk image. It also learnt a new --threshold= parameter for specifying an exposure level threshold: if the exposure level exceeds the specified value the call will fail. It also gained a new --security-policy= switch for configuring security policies to enforce on the units. A policy is a JSON file that lists which tests shall be weighted how much to determine the overall exposure level. Altogether these new features are useful for fully automatic analysis and enforcement of security policies on unit files.
  • systemd-analyze security gain a new --json= switch for JSON output.
  • systemd-analyze learnt a new --quiet switch for reducing non-essential output. It's honored by the "dot", "syscall-filter", "filesystems" commands.
  • systemd-analyze security gained a --profile option that can be used to take into account a portable profile when analyzing portable services, since a lot of the security-related settings are enabled through them.
  • systemd-analyze learnt a new inspect-elf verb that parses ELF core files, binaries and executables and prints metadata information, including the build-id and other info described on: https://systemd.io/COREDUMP_PACKAGE_METADATA/
  • The [IPv6AcceptRA] section of .network files gained support for a new UseMTU= setting that may be used to control whether to apply the announced MTU settings to the local interface.
  • systemd-networkd now ships with new default .network files: 80-container-vb.network which matches host-side network bridge device created by systemd-nspawn's --network-bridge or --network-zone switch, and 80-6rd-tunnel.network which matches automatically created sit tunnel with 6rd prefix when the DHCP 6RD option is received.
  • systemd-networkd and systemd-udevd now support IP over InfiniBand interfaces. The Kind= setting in .netdev file accepts "ipoib". And systemd.netdev files gained the [IPoIB] section.
  • systemd-networkd and systemd-udevd now support net.ifname-policy= option on the kernel command-line. This is implemented through the systemd-network-generator service that automatically generates appropriate .link, .network, and .netdev files.
  • systemd-networkd's handling of Endpoint= resolution for WireGuard interfaces has been improved.
  • systemd-networkd will now automatically configure routes to addresses specified in AllowedIPs=. This feature can be controlled via RouteTable= and RouteMetric= settings in [WireGuard] or [WireGuardPeer] sections.
  • systemd-networkd will now once again automatically generate persistent MAC addresses for batadv and bridge interfaces. Users can disable this by using MACAddress=none in .netdev files.
  • .link files gained a new WakeOnLanPassword= setting in the [Link] section that allows to specify a WoL "SecureOn" password on hardware that supports this.
  • The [DHCPv4] section in .network file gained a new Use6RD= boolean setting to control whether the DHCPv4 client request and process the DHCP 6RD option.
  • The [DHCPv6PrefixDelegation] section in .network file is renamed to [DHCPPrefixDelegation], as now the prefix delegation is also supported with DHCPv4 protocol by enabling the Use6RD= setting.
  • The [DHCPPrefixDelegation] section in .network file gained a new setting UplinkInterface= to specify the upstream interface.
  • The [DHCPv6] section in .network file gained a new setting UseDelegatedPrefix= to control whether the delegated prefixes will be propagated to the downstream interfaces.
  • The [IPv6AcceptRA] section of .network files now understands two new settings UseGateway=/UseRoutePrefix= for explicitly configuring whether to use the relevant fields from the IPv6 Router Advertisement records.
  • The ForceDHCPv6PDOtherInformation= setting in the [DHCPv6] section is now deprecated. Please use the WithoutRA= and UseDelegatedPrefix= settings in the [DHCPv6] section and the DHCPv6Client= setting in the [IPv6AcceptRA] section to control when the DHCPv6 client is started and how the delegated prefixes are handled by the DHCPv6 client.
  • The [CAKE] section of .network files gained various new settings AutoRateIngress=, CompensationMode=, FlowIsolationMode=, NAT=, MPUBytes=, PriorityQueueingPreset=, FirewallMark=, Wash=, SplitGSO=, and UseRawPacketSize= for configuring CAKE.
  • The IPv6Token= section in the [Network] section is deprecated, and the [IPv6AcceptRA] section gained the Token= setting for its replacement. The [IPv6Prefix] section also gained the Token= setting. The Token= setting gained 'eui64' mode to explicitly configure an address with the EUI64 algorithm based on the interface MAC address. The 'prefixstable' mode can now optionally take a secret key. The Token= setting in the [DHCPPrefixDelegation] section now supports all algorithms supported by the same settings in the other sections.
  • The [RoutingPolicyRule] section of .network file gained a new SuppressInterfaceGroup= setting.
  • The IgnoreCarrierLoss= setting in the [Network] section of .network files now allows a duration to be specified, controlling how long to wait before reacting to carrier loss.
  • The [DHCPServer] section of .network file gained a new Router= setting to specify the router address.
  • systemd-nspawn's --setenv= switch now supports an additional syntax: if only a variable name is specified (i.e. without being suffixed by a '=' character and a value) the current value of the environment variable is propagated to the container. e.g. --setenv=FOO will lookup the current value of $FOO in the environment, and pass it down to the container. Similar behavior has been added to homectl's, machinectl's and systemd-run's --setenv= switch.
  • systemd-nspawn gained a new switch --suppress-sync= which may be used to optionally suppress the effect of the sync()/fsync()/fdatasync() system calls for the container payload. This is useful for build system environments where safety against abnormal system shutdown is not essential as all build artifacts can be regenerated any time, but the performance win is beneficial.
  • systemd-nspawn will now raise the RLIMIT_NOFILE hard limit to the same value that PID 1 uses for most forked off processes.
  • systemd-nspawn's --bind=/--bind-ro= switches now optionally take uidmap/nouidmap options as last parameter. If "uidmap" is used the bind mounts are created with UID mapping taking place that ensures the host's file ownerships are mapped 1:1 to container file ownerships, even if user namespacing is used. This way files/directories bound into containers will no longer show up as owned by the nobody user as they typically did if no special care was taken to shift them manually.
  • When discovering Windows installations sd-boot will now attempt to show the Windows version.
  • The color scheme to use in sd-boot may now be configured at build-time.
  • sd-boot gained the ability to change screen resolution during boot-time, by hitting the "r" key. This will cycle through available resolutions and save the last selection.
  • sd-boot learnt a new hotkey "f". When pressed the system will enter firmware setup. This is useful in environments where it is difficult to hit the right keys early enough to enter the firmware, and works on any firmware regardless which key it natively uses.
  • sd-boot gained support for automatically booting into the menu item selected on the last boot (using the "@saved" identifier for menu items).
  • sd-boot gained support for automatically loading all EFI drivers placed in the /EFI/systemd/drivers/ subdirectory of the EFI System Partition (ESP). These drivers are loaded before the menu entries are loaded. This is useful e.g. to load additional file system drivers for the XBOOTLDR partition.
  • systemd-boot will now paint the input cursor on its own instead of relying on the firmware to do so, increasing compatibility with broken firmware that doesn't make the cursor reasonably visible.
  • sd-boot now embeds a .osrel PE section like we expect from Boot Loader Specification Type #2 Unified Kernels. This means sd-boot itself may be used in place of a Type #2 Unified Kernel. This is useful for debugging purposes as it allows chain-loading one a (development) sd-boot instance from another.
  • sd-boot now supports a new "devicetree" field in Boot Loader Specification Type #1 entries: if configured the specified device tree file is installed before the kernel is invoked. This is useful for installing/applying new devicetree files without updating the kernel image.
  • Similarly, sd-stub now can read devicetree data from a PE section ".dtb" and apply it before invoking the kernel.
  • sd-stub (the EFI stub that can be glued in front of a Linux kernel) gained the ability to pick up credentials and sysext files, wrap them in a cpio archive, and pass as an additional initrd to the invoked Linux kernel, in effect placing those files in the /.extra/ directory of the initrd environment. This is useful to implement trusted initrd environments which are fully authenticated but still can be extended (via sysexts) and parameterized (via encrypted/authenticated credentials, see above).
  •  Credentials can be located next to the kernel image file (credentials specific to a single boot entry), or in one of the shared directories (credentials applicable to multiple boot entries).
  • sd-stub now comes with a full man page, that explains its feature set and how to combine a kernel image, an initrd and the stub to build a complete EFI unified kernel image, implementing Boot Loader Specification Type #2.
  • sd-stub may now provide the initrd to the executed kernel via the LINUX_EFI_INITRD_MEDIA_GUID EFI protocol, adding compatibility for non-x86 architectures.
  • bootctl learnt new set-timeout and set-timeout-oneshot commands that may be used to set the boot menu time-out of the boot loader (for all or just the subsequent boot).
  • bootctl and kernel-install will now read KERNEL_INSTALL_MACHINE_ID and KERNEL_INSTALL_LAYOUT from kernel/install.conf. The first variable specifies the machine-id to use for installation. It would previously be used if set in the environment, and now it'll also be read automatically from the config file. The second variable is new. When set, it specifies the layout to use for installation directories on the boot partition, so that tools don't need to guess it based on the already-existing directories. The only value that is defined natively is "bls", corresponding to the layout specified in https://systemd.io/BOOT_LOADER_SPECIFICATION/. Plugins for kernel-install that implement a different layout can declare other values for this variable.
  •  'bootctl install' will now write KERNEL_INSTALL_LAYOUT=bls, on the assumption that if the user installed sd-boot to the ESP, they intend to use the entry layout understood by sd-boot. It'll also write KERNEL_INSTALL_MACHINE_ID= if it creates any directories using the ID (and it wasn't specified in the config file yet). Similarly, kernel-install will now write KERNEL_INSTALL_MACHINE_ID= (if it wasn't specified in the config file yet). Effectively, those changes mean that the machine-id used for boot loader entry installation is "frozen" upon first use and becomes independent of the actual machine-id.
  •  Configuring KERNEL_INSTALL_MACHINE_ID fixes the following problem: images created for distribution ("golden images") are built with no machine-id, so that a unique machine-id can be created on the first boot. But those images may contain boot loader entries with the machine-id used during build included in paths. Using a "frozen" value allows unambiguously identifying entries that match the specific installation, while still permitting parallel installations without conflict.
  •  Configuring KERNEL_INSTALL_LAYOUT obviates the need for kernel-install to guess the installation layout. This fixes the problem where a (possibly empty) directory in the boot partition is created from a different layout causing kernel-install plugins to assume the wrong layout. A particular example of how this may happen is the grub2 package in Fedora which includes directories under /boot directly in its file list. Various other packages pull in grub2 as a dependency, so it may be installed even if unused, breaking installations that use the bls layout.
  • bootctl and systemd-bless-boot can now be linked statically.
  • systemd-sysext now optionally doesn't insist on extension-release.d/ files being placed in the image under the image's file name. If the file system xattr user.extension-release.strict is set on the extension release file, it is accepted regardless of its name. This relaxes security restrictions a bit, as system extension may be attached under a wrong name this way.
  • udevadm's test-builtin command learnt a new --action= switch for testing the built-in with the specified action (in place of the default 'add').
  • udevadm info gained new switches --property=/--value for showing only specific udev properties/values instead of all.
  • A new hwdb database has been added that contains matches for various types of signal analyzers (protocol analyzers, logic analyzers, oscilloscopes, multimeters, bench power supplies, etc.) that should be accessible to regular users.
  • A new hwdb database entry has been added that carries information about types of cameras (regular or infrared), and in which direction they point (front or back).
  • A new rule to allow console users access to rfkill by default has been added to hwdb.
  • Device nodes for the Software Guard eXtension enclaves (sgx_vepc) are now also owned by the system group "sgx".
  • A new build-time meson option "extra-net-naming-schemes=" has been added to define additional naming schemes schemes for udev's network interface naming logic. This is useful for enterprise distributions and similar which want to pin the schemes of certain distribution releases under a specific name and previously had to patch the sources to introduce new named schemes.
  • The predictable naming logic for network interfaces has been extended to generate stable names from Xen netfront device information.
  • hostnamed's chassis property can now be sourced from chassis-type field encoded in devicetree (in addition to the existing DMI support).
  • systemd-cgls now optionally displays cgroup IDs and extended attributes for each cgroup. (Controllable via the new --xattr= + --cgroup-id= switches.)
  • coredumpctl gained a new --all switch for operating on all Journal files instead of just the local ones.
  • systemd-coredump will now use libdw/libelf via dlopen() rather than directly linking, allowing users to easily opt-out of backtrace/metadata analysis of core files, and reduce image sizes when this is not needed.
  • systemd-coredump will now analyze core files with libdw/libelf in a forked, sandboxed process.
  • systemd-homed will now try to unmount an activate home area in regular intervals once the user logged out fully. Previously this was attempted exactly once but if the home directory was busy for some reason it was not tried again.
  • systemd-homed's LUKS2 home area backend will now create a BSD file system lock on the image file while the home area is active (i.e. mounted). If a home area is found to be locked, logins are politely refused. This should improve behavior when using home areas images that are accessible via the network from multiple clients, and reduce the chance of accidental file system corruption in that case.
  • Optionally, systemd-homed will now drop the kernel buffer cache once a user has fully logged out, configurable via the new --drop-caches= homectl switch.
  • systemd-homed now makes use of UID mapped mounts for the home areas. If the kernel and used file system support it, files are now internally owned by the "nobody" user (i.e. the user typically used for indicating "this ownership is not mapped"), and dynamically mapped to the UID used locally on the system via the UID mapping mount logic of recent kernels. This makes migrating home areas between different systems cheaper because recursively chown()ing file system trees is no longer necessary.
  • systemd-homed's CIFS backend now optionally supports CIFS service names with a directory suffix, in order to place home directories in a subdirectory of a CIFS share, instead of the top-level directory.
  • systemd-homed's CIFS backend gained support for specifying additional mount options in the JSON user record (cifsExtraMountOptions field, and --cifs-extra-mount-options= homectl switch). This is for example useful for configuring mount options such as "noserverino" that some SMB3 services require (use that to run a homed home directory from a FritzBox SMB3 share this way).
  • systemd-homed will now default to btrfs' zstd compression for home areas. This is inspired by Fedora's recent decision to switch to zstd by default.
  • Additional mount options to use when mounting the file system of LUKS2 volumes in systemd-homed has been added. Via the $SYSTEMD_HOME_MOUNT_OPTIONS_BTRFS, $SYSTEMD_HOME_MOUNT_OPTIONS_EXT4, $SYSTEMD_HOME_MOUNT_OPTIONS_XFS environment variables to systemd-homed or via the luksExtraMountOptions user record JSON property. (Exposed via homectl --luks-extra-mount-options)
  • homectl's resize command now takes the special size specifications "min" and "max" to shrink/grow the home area to the minimum/maximum size possible, taking disk usage/space constraints and file system limitations into account. Resizing is now generally graceful: the logic will try to get as close to the specified size as possible, but not consider it a failure if the request couldn't be fulfilled precisely.
  • systemd-homed gained the ability to automatically shrink home areas on logout to their minimal size and grow them again on next login. This ensures that while inactive, a home area only takes up the minimal space necessary, but once activated, it provides sufficient space for the user's needs. This behavior is only supported if btrfs is used as file system inside the home area (because only for btrfs online growing/shrinking is implemented in the kernel). This behavior is now enabled by default, but may be controlled via the new --auto-resize-mode= setting of homectl.
  • systemd-homed gained support for automatically re-balancing free disk space among active home areas, in case the LUKS2 backends are used, and no explicit disk size was requested. This way disk space is automatically managed and home areas resized in regular intervals and manual resizing when disk space becomes scarce should not be necessary anymore. This behavior is only supported if btrfs is used within the home areas (as only then online shrinking and growing is supported), and may be configured via the new rebalanceWeight JSON user record field (as exposed via the new --rebalance-weight= homectl setting). Re-balancing is mostly automatic, but can also be requested explicitly via "homectl rebalance", which is synchronous, and thus may be used to wait until the rebalance run is complete.
  • userdbctl gained a --json= switch for configured the JSON formatting to use when outputting user or group records.
  • userdbctl gained a new --multiplexer= switch for explicitly configuring whether to use the systemd-userdbd server side user record resolution logic.
  • userdbctl's ssh-authorized-keys command learnt a new --chain switch, for chaining up another command to execute after completing the look-up. Since the OpenSSH's AuthorizedKeysCommand only allows configuration of a single command to invoke, this maybe used to invoke multiple: first userdbctl's own implementation, and then any other also configured in the command line.
  • The sd-event API gained a new function sd_event_add_inotify_fd() that is similar to sd_event_add_inotify() but accepts a file descriptor instead of a path in the file system for referencing the inode to watch.
  • The sd-event API gained a new function sd_event_source_set_ratelimit_expire_callback() that may be used to define a callback function that is called whenever an event source leaves the rate limiting phase.
  • New documentation has been added explaining which steps are necessary to port systemd to a new architecture:
  •  https://systemd.io/PORTING_TO_NEW_ARCHITECTURES
  • The x-systemd.makefs option in /etc/fstab now explicitly supports ext2, ext3, and f2fs file systems.
  • Mount units and units generated from /etc/fstab entries with 'noauto' are now ordered the same as other units. Effectively, they will be started earlier (if something actually pulled them in) and stopped later, similarly to normal mount units that are part of fs-local.target. This change should be invisible to users, but should prevent those units from being stopped too early during shutdown.
  • The systemd-getty-generator now honors a new kernel command line argument systemd.getty_auto= and a new environment variable $SYSTEMD_GETTY_AUTO that allows turning it off at boot. This is for example useful to turn off gettys inside of containers or similar environments.
  • systemd-resolved now listens on a second DNS stub address: 127.0.0.54 (in addition to 127.0.0.53, as before). If DNS requests are sent to this address they are propagated in "bypass" mode only, i.e. are almost not processed locally, but mostly forwarded as-is to the current upstream DNS servers. This provides a stable DNS server address that proxies all requests dynamically to the right upstream DNS servers even if these dynamically change. This stub does not do mDNS/LLMNR resolution. However, it will translate look-ups to DNS-over-TLS if necessary. This new stub is particularly useful in container/VM environments, or for tethering setups: use DNAT to redirect traffic to any IP address to this stub.
  • systemd-importd now honors new environment variables $SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA, $SYSTEMD_IMPORT_SYNC, which may be used disable btrfs subvolume generation, btrfs quota setup and disk synchronization.
  • systemd-importd and systemd-resolved can now be optionally built with OpenSSL instead of libgcrypt.
  • systemd-repart no longer requires OpenSSL.
  • systemd-sysusers will no longer create the redundant 'nobody' group by default, as the 'nobody' user is already created with an appropriate primary group.
  • If a unit uses RuntimeMaxSec, systemctl show will now display it.
  • systemctl show-environment gained support for --output=json.
  • pam_systemd will now first try to use the X11 abstract socket, and fallback to the socket file in /tmp/.X11-unix/ only if that does not work.
  • systemd-journald will no longer go back to volatile storage regardless of configuration when its unit is restarted.
  • Initial support for the LoongArch architecture has been added (system call lists, GPT partition table UUIDs, etc).
  • systemd-journald's own logging messages are now also logged to the journal itself when systemd-journald logs to /dev/kmsg.
  • systemd-journald now re-enables COW for archived journal files on filesystems that support COW. One benefit of this change is that archived journal files will now get compressed on btrfs filesystems that have compression enabled.
  • systemd-journald now deduplicates fields in a single log message before adding it to the journal. In archived journal files, it will also punch holes for unused parts and truncate the file as appropriate, leading to reductions in disk usage.
  • journalctl --verify was extended with more informative error messages.
  • More of sd-journal's functions are now resistant against journal file corruption.
  • The shutdown command learnt a new option --show, to display the scheduled shutdown.

A systemd újdonságainak teljes listája. Letöltés és további részletek az új Polychromatic frissítésről a projekt GitHub oldalán keresztül érhető el.