systemd System and Service Manager
-CHANGES WITH 243 in spe:
+CHANGES WITH 252 🎃:
+
+ Announcements of Future Feature Removals:
+
+ * We intend to remove cgroup v1 support from systemd release after the
+ end of 2023. If you run services that make explicit use of cgroup v1
+ features (i.e. the "legacy hierarchy" with separate hierarchies for
+ each controller), please implement compatibility with cgroup v2 (i.e.
+ the "unified hierarchy") sooner rather than later. Most of Linux
+ userspace has been ported over already.
+
+ * We intend to remove support for split-usr (/usr mounted separately
+ during boot) and unmerged-usr (parallel directories /bin and
+ /usr/bin, /lib and /usr/lib, etc). This will happen in the second
+ half of 2023, in the first release that falls into that time window.
+ For more details, see:
+ https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html
+
+ Compatibility Breaks:
+
+ * ConditionKernelVersion= checks that use the '=' or '!=' operators
+ will now do simple string comparisons (instead of version comparisons
+ á la stverscmp()). Version comparisons are still done for the
+ ordering operators '<', '>', '<=', '>='. Moreover, if no operator is
+ specified, a shell-style glob match is now done. This creates a minor
+ incompatibility compared to older systemd versions when the '*', '?',
+ '[', ']' characters are used, as these will now match as shell globs
+ instead of literally. Given that kernel version strings typically do
+ not include these characters we expect little breakage through this
+ change.
+
+ * The service manager will now read the SELinux label used for SELinux
+ access checks from the unit file at the time it loads the file.
+ Previously, the label would be read at the moment of the access
+ check, which was problematic since at that time the unit file might
+ already have been updated or removed.
+
+ New Features:
+
+ * systemd-measure is a new tool for calculating and signing expected
+ TPM2 PCR values for a given unified kernel image (UKI) booted via
+ sd-stub. The public key used for the signature and the signed
+ expected PCR information can be embedded inside the UKI. This
+ information can be extracted from the UKI by external tools and code
+ in the image itself and is made available to userspace in the booted
+ kernel.
+
+ systemd-cryptsetup, systemd-cryptenroll, and systemd-creds have been
+ updated to make use of this information if available in the booted
+ kernel: when locking an encrypted volume/credential to the TPM
+ systemd-cryptenroll/systemd-creds will use the public key to bind the
+ volume/credential to any kernel that carries PCR information signed
+ by the same key pair. When unlocking such volumes/credentials
+ systemd-cryptsetup/systemd-creds will use the signature embedded in
+ the booted UKI to gain access.
+
+ Binding TPM-based disk encryption to public keys/signatures of PCR
+ values — instead of literal PCR values — addresses the inherent
+ "brittleness" of traditional PCR-bound TPM disk encryption schemes:
+ disks remain accessible even if the UKI is updated, without any TPM
+ specific preparation during the OS update — as long as each UKI
+ carries the necessary PCR signature information.
+
+ Net effect: if you boot a properly prepared kernel, TPM-bound disk
+ encryption now defaults to be locked to kernels which carry PCR
+ signatures from the same key pair. Example: if a hypothetical distro
+ FooOS prepares its UKIs like this, TPM-based disk encryption is now –
+ by default – bound to only FooOS kernels, and encrypted volumes bound
+ to the TPM cannot be unlocked on kernels from other sources. (But do
+ note this behaviour requires preparation/enabling in the UKI, and of
+ course users can always enroll non-TPM ways to unlock the volume.)
+
+ * systemd-pcrphase is a new tool that is invoked at six places during
+ system runtime, and measures additional words into TPM2 PCR 11, to
+ mark milestones of the boot process. This allows binding access to
+ specific TPM2-encrypted secrets to specific phases of the boot
+ process. (Example: LUKS2 disk encryption key only accessible in the
+ initrd, but not later.)
+
+ Changes in systemd itself, i.e. the manager and units
+
+ * The cpu controller is delegated to user manager units by default, and
+ CPUWeight= settings are applied to the top-level user slice units
+ (app.slice, background.slice, session.slice). This provides a degree
+ of resource isolation between different user services competing for
+ the CPU.
+
+ * Systemd can optionally do a full preset in the "first boot" condition
+ (instead of just enable-only). This behaviour is controlled by the
+ compile-time option -Dfirst-boot-full-preset. Right now it defaults
+ to 'false', but the plan is to switch it to 'true' for the subsequent
+ release.
+
+ * Drop-ins are now allowed for transient units too.
+
+ * Systemd will set the taint flag 'support-ended' if it detects that
+ the OS image is past its end-of-support date. This date is declared
+ in a new /etc/os-release field SUPPORT_END= described below.
+
+ * Two new settings ConditionCredential= and AssertCredential= can be
+ used to skip or fail units if a certain system credential is not
+ provided.
+
+ * ConditionMemory= accepts size suffixes (K, M, G, T, …).
+
+ * DefaultSmackProcessLabel= can be used in system.conf and user.conf to
+ specify the SMACK security label to use when not specified in a unit
+ file.
+
+ * DefaultDeviceTimeoutSec= can be used in system.conf and user.conf to
+ specify the default timeout when waiting for device units to
+ activate.
+
+ * C.UTF-8 is used as the default locale if nothing else has been
+ configured.
+
+ * [Condition|Assert]Firmware= have been extended to support certain
+ SMBIOS fields. For example
+
+ ConditionFirmware=smbios-field(board_name = "Custom Board")
+
+ conditionalizes the unit to run only when
+ /sys/class/dmi/id/board_name contains "Custom Board" (without the
+ quotes).
+
+ * ConditionFirstBoot= now correctly evaluates as true only during the
+ boot phase of the first boot. A unit executed later, after booting
+ has completed, will no longer evaluate this condition as true.
+
+ * Socket units will now create sockets in the SELinuxContext= of the
+ associated service unit, if any.
+
+ * Boot phase transitions (start initrd → exit initrd → boot complete →
+ shutdown) will be measured into TPM2 PCR 11, so that secrets can be
+ bound to a specific runtime phase. E.g.: a LUKS encryption key can be
+ unsealed only in the initrd.
+
+ * Service credentials (i.e. SetCredential=/LoadCredential=/…) will now
+ also be provided to ExecStartPre= processes.
+
+ * Various units are now correctly ordered against
+ initrd-switch-root.target where previously a conflict without
+ ordering was configured. A stop job for those units would be queued,
+ but without the ordering it could be executed only after
+ initrd-switch-root.service, leading to units not being restarted in
+ the host system as expected.
+
+ * In order to fully support the IPMI watchdog driver, which has not yet
+ been ported to the new common watchdog device interface,
+ /dev/watchdog0 will be tried first and systemd will silently fallback
+ to /dev/watchdog if it is not found.
+
+ * New watchdog-related D-Bus properties are now published by systemd:
+ WatchdogDevice, WatchdogLastPingTimestamp,
+ WatchdogLastPingTimestampMonotonic.
+
+ * At shutdown, API virtual files systems (proc, sys, etc.) will be
+ unmounted lazily.
+
+ * At shutdown, systemd will now log about processes blocking unmounting
+ of file systems.
+
+ * A new meson build option 'clock-valid-range-usec-max' was added to
+ allow disabling system time correction if RTC returns a timestamp far
+ in the future.
+
+ * Propagated restart jobs will no longer be discarded while a unit is
+ activating.
+
+ * PID 1 will now import system credentials from SMBIOS Type 11 fields
+ ("OEM vendor strings"), in addition to qemu_fwcfg. This provides a
+ simple, fast and generic path for supplying credentials to a VM,
+ without involving external tools such as cloud-init/ignition.
+
+ * The CPUWeight= setting of unit files now accepts a new special value
+ "idle", which configures "idle" level scheduling for the unit.
+
+ * Service processes that are activated due to a .timer or .path unit
+ triggering will now receive information about this via environment
+ variables. Note that this is information is lossy, as activation
+ might be coalesced and only one of the activating triggers will be
+ reported. This is hence more suited for debugging or tracing rather
+ than for behaviour decisions.
+
+ * The riscv_flush_icache(2) system call has been added to the list of
+ system calls allowed by default when SystemCallFilter= is used.
+
+ * The selinux context derived from the target executable, instead of
+ 'init_t' used for the manager itself, is now used when creating
+ listening sockets for units that specify SELinuxContextFromNet=yes.
+
+ Changes in sd-boot, bootctl, and the Boot Loader Specification:
+
+ * The Boot Loader Specification has been cleaned up and clarified.
+ Various corner cases in version string comparisons have been fixed
+ (e.g. comparisons for empty strings). Boot counting is now part of
+ the main specification.
+
+ * New PCRs measurements are performed during boot: PCR 11 for the the
+ kernel+initrd combo, PCR 13 for any sysext images. If a measurement
+ took place this is now reported to userspace via the new
+ StubPcrKernelImage and StubPcrInitRDSysExts EFI variables.
+
+ * As before, systemd-stub will measure kernel parameters and system
+ credentials into PCR 12. It will now report this fact via the
+ StubPcrKernelParameters EFI variable to userspace.
+
+ * The UEFI monotonic boot counter is now included in the updated random
+ seed file maintained by sd-boot, providing some additional entropy.
+
+ * sd-stub will use LoadImage/StartImage to execute the kernel, instead
+ of arranging the image manually and jumping to the kernel entry
+ point. sd-stub also installs a temporary UEFI SecurityOverride to
+ allow the (unsigned) nested image to be booted. This is safe because
+ the outer (signed) stub+kernel binary must have been verified before
+ the stub was executed.
+
+ * Booting in EFI mixed mode (a 64-bit kernel over 32-bit UEFI firmware)
+ is now supported by sd-boot.
+
+ * bootctl gained a bunch of new options: --all-architectures to install
+ binaries for all supported EFI architectures, --root= and --image=
+ options to operate on a directory or disk image, and
+ --install-source= to specify the source for binaries to install,
+ --efi-boot-option-description= to control the name of the boot entry.
+
+ * The sd-boot stub exports a StubFeatures flag, which is used by
+ bootctl to show features supported by the stub that was used to boot.
+
+ * The PE section offsets that are used by tools that assemble unified
+ kernel images have historically been hard-coded. This may lead to
+ overlapping PE sections which may break on boot. The UKI will now try
+ to detect and warn about this.
+
+ Any tools that assemble UKIs must update to calculate these offsets
+ dynamically. Future sd-stub versions may use offsets that will not
+ work with the currently used set of hard-coded offsets!
+
+ * sd-stub now accepts (and passes to the initrd and then to the full
+ OS) new PE sections '.pcrsig' and '.pcrkey' that can be used to embed
+ signatures of expected PCR values, to allow sealing secrets via the
+ TPM2 against pre-calculated PCR measurements.
+
+ Changes in the hardware database:
+
+ * 'systemd-hwdb query' now supports the --root= option.
+
+ Changes in systemctl:
+
+ * systemctl now supports --state= and --type= options for the 'show'
+ and 'status' verbs.
+
+ * systemctl gained a new verb 'list-automounts' to list automount
+ points.
+
+ * systemctl gained support for a new --image= switch to be able to
+ operate on the specified disk image (similar to the existing --root=
+ which operates relative to some directory).
+
+ Changes in systemd-networkd:
+
+ * networkd can set Linux NetLabel labels for integration with the
+ network control in security modules via a new NetLabel= option.
+
+ * The RapidCommit= is (re-)introduced to enable faster configuration
+ via DHCPv6 (RFC 3315).
+
+ * networkd gained a new option TCPCongestionControlAlgorithm= that
+ allows setting a per-route TCP algorithm.
+
+ * networkd gained a new option KeepFileDescriptor= to allow keeping a
+ reference (file descriptor) open on TUN/TAP interfaces, which is
+ useful to avoid link flaps while the underlying service providing the
+ interface is being serviced.
+
+ * RouteTable= now also accepts route table names.
+
+ Changes in systemd-nspawn:
+
+ * The --bind= and --overlay= options now support relative paths.
+
+ * The --bind= option now supports a 'rootidmap' value, which will
+ use id-mapped mounts to map the root user inside the container to the
+ owner of the mounted directory on the host.
+
+ Changes in systemd-resolved:
+
+ * systemd-resolved now persists DNSOverTLS in its state file too. This
+ fixes a problem when used in combination with NetworkManager, which
+ sends the setting only once, causing it to be lost if resolved was
+ restarted at any point.
+
+ * systemd-resolved now exposes a varlink socket at
+ /run/systemd/resolve/io.systemd.Resolve.Monitor, accessible only for
+ root. Processed DNS requests in a JSON format will be published to
+ any clients connected to this socket.
+
+ resolvectl gained a 'monitor' verb to make use of this.
+
+ * systemd-resolved now treats unsupported DNSSEC algorithms as INSECURE
+ instead of returning SERVFAIL, as per RFC:
+ https://datatracker.ietf.org/doc/html/rfc6840#section-5.2
+
+ * OpenSSL is the default crypto backend for systemd-resolved. (gnutls
+ is still supported.)
+
+ Changes in libsystemd and other libraries:
+
+ * libsystemd now exports sd_bus_error_setfv() (a convenience function
+ for setting bus errors), sd_id128_string_equal (a convenience
+ function for 128bit ID string comparisons), and
+ sd_bus_message_read_strv_extend() (a function to incrementally read
+ string arrays).
+
+ * libsystemd now exports sd_device_get_child_first()/_next() as a
+ high-level interface for enumerating child devices. It also supports
+ sd_device_new_child() for opening a child device given a device
+ object.
+
+ * libsystemd now exports sd_device_monitor_set()/get_description()
+ which allow setting a custom description that will be used in log
+ messages by sd_device_monitor*.
+
+ * Private shared libraries (libsystemd-shared-nnn.so,
+ libsystemd-core-nnn.so) are now installed into arch-specific
+ directories to allow multi-arch installs.
+
+ * A new sd-gpt.h header is now published, listing GUIDs from the
+ Discoverable Partitions specification. For more details see:
+ https://systemd.io/DISCOVERABLE_PARTITIONS/
+
+ * A new function sd_hwdb_new_from_path() has been added to open a hwdb
+ database given an explicit path to the file.
+
+ * The signal number argument to sd_event_add_signal() now can now be
+ ORed with the SD_EVENT_SIGNAL_PROCMASK flag, causing sigprocmask() to
+ be automatically invoked to block the specified signal. This is
+ useful to simplify invocations as the caller doesn't have to do this
+ manually.
+
+ * A new convenience call sd_event_set_signal_exit() has been added to
+ sd-event to set up signal handling so that the event loop
+ automatically terminates cleanly on SIGTERM/SIGINT.
+
+ Changes in other components:
+
+ * systemd-sysusers, systemd-tmpfiles, and systemd-sysctl configuration
+ can now be provided via the credential mechanism.
+
+ * systemd-analyze gained a new verb 'compare-versions' that implements
+ comparisons for versions strings (similarly to 'rpmdev-vercmp' and
+ 'dpkg --compare-versions').
+
+ * 'systemd-analyze dump' is extended to accept glob patterns for unit
+ names to limit the output to matching units.
+
+ * tmpfiles.d/ lines can read file contents to write from a credential.
+ The new modifier char '^' is used to specify that the argument is a
+ credential name. This mechanism is used to automatically populate
+ /etc/motd, /etc/issue, and /etc/hosts from credentials.
+
+ * tmpfiles.d/ may now be configured to avoid changing uid/gid/mode of
+ an inode if the specification is prefixed with ':' and the inode
+ already exists.
+
+ * Default tmpfiles.d/ configuration now carries a line to automatically
+ use an 'ssh.authorized_keys.root' credential if provided to set up
+ the SSH authorized_keys file for the root user.
+
+ * systemd-tmpfiles will now gracefully handle absent source of "C" copy
+ lines.
+
+ * tmpfiles.d/ F/w lines now optionally permit encoding of the payload
+ in base64. This is useful to write arbitrary binary data into files.
+
+ * The pkgconfig and rpm macros files now export the directory for user
+ units as 'user_tmpfiles_dir' and '%_user_tmpfilesdir'.
+
+ * Detection of Apple Virtualization and detection of Parallels and
+ KubeVirt virtualization on non-x86 archs have been added.
+
+ * os-release gained a new field SUPPORT_END=YYYY-MM-DD to inform the
+ user when their system will become unsupported.
+
+ * When performing suspend-then-hibernate, the system will estimate the
+ discharge rate and use that to set the delay until hibernation and
+ hibernate immediately instead of suspending when running from a
+ battery and the capacity is below 5%.
+
+ * systemd-sysctl gained a --strict option to fail when a sysctl
+ setting is unknown to the kernel.
+
+ * machinectl supports --force for the 'copy-to' and 'copy-from'
+ verbs.
+
+ * coredumpctl gained the --root and --image options to look for journal
+ files under the specified root directory, image, or block device.
+
+ * 'journalctl -o' and similar commands now implement a new output mode
+ "short-delta". It is similar to "short-monotonic", but also shows the
+ time delta between subsequent messages.
+
+ * journalctl now respects the --quiet flag when verifying consistency
+ of journal files.
+
+ * Journal log messages gained a new implicit field _RUNTIME_SCOPE= that
+ will indicate whether a message was logged in the 'initrd' phase or
+ in the 'system' phase of the boot process.
+
+ * Journal files gained a new compatibility flag
+ 'HEADER_INCOMPATIBLE_COMPACT'. Files with this flag implement changes
+ to the storage format that allow reducing size on disk. As with other
+ compatibility flags, older journalctl versions will not be able to
+ read journal files using this new format. The environment variable
+ 'SYSTEMD_JOURNAL_COMPACT=0' can be passed to systemd-journald to
+ disable this functionality. It is enabled by default.
+
+ * systemd-run's --working-directory= switch now works when used in
+ combination with --scope.
+
+ * portablectl gained a --force flag to skip certain sanity checks. This
+ is implemented using new flags accepted by systemd-portabled for the
+ *WithExtensions() D-Bus methods: SD_SYSTEMD_PORTABLE_FORCE_ATTACH
+ flag now means that the attach/detach checks whether the units are
+ already present and running will be skipped. Similarly,
+ SD_SYSTEMD_PORTABLE_FORCE_SYSEXT flag means that the check whether
+ image name matches the name declared inside of the image will be
+ skipped. Callers must be sure to do those checks themselves if
+ appropriate.
+
+ * systemd-portabled will now use the original filename to check
+ extension-release.NAME for correctness, in case it is passed a
+ symlink.
+
+ * systemd-portabled now uses PrivateTmp=yes in the 'trusted' profile
+ too.
+
+ * sysext's extension-release files now support '_any' as a special
+ value for the ID= field, to allow distribution-independent extensions
+ (e.g.: fully statically compiled binaries, scripts). It also gained
+ support for a new ARCHITECTURE= field that may be used to explicitly
+ restrict an image to hosts of a specific architecture.
+
+ * systemd-repart now supports creating squashfs partitions. This
+ requires mksquashfs from squashfs-tools.
+
+ * systemd-repart gained a --split flag to also generate split
+ artifacts, i.e. a separate file for each partition. This is useful in
+ conjunction with systemd-sysupdate or other tools, or to generate
+ split dm-verity artifacts.
+
+ * systemd-repart is now able to generate dm-verity partitions, including
+ signatures.
+
+ * systemd-repart can now set a partition UUID to zero, allowing it to
+ be filled in later, such as when using verity partitions.
+
+ * systemd-repart now supports drop-ins for its configuration files.
+
+ * Package metadata logged by systemd-coredump in the system journal is
+ now more compact.
+
+ * xdg-autostart-service now expands 'tilde' characters in Exec lines.
+
+ * systemd-oomd now automatically links against libatomic, if available.
+
+ * systemd-oomd now sends out a 'Killed' D-Bus signal when a cgroup is
+ killed.
+
+ * scope units now also provide oom-kill status.
+
+ * systemd-pstore will now try to load only the efi_pstore kernel module
+ before running, ensuring that pstore can be used.
+
+ * systemd-logind gained a new StopIdleSessionSec= option to stop an idle
+ session after a preconfigure timeout.
+
+ * systemd-homed will now wait up to 30 seconds for workers to terminate,
+ rather than indefinitely.
+
+ * homectl gained a new '--luks-sector-size=' flag that allows users to
+ select the preferred LUKS sector size. Must be a power of 2 between 512
+ and 4096. systemd-userdbd records gained a corresponding field.
+
+ * systemd-sysusers will now respect the 'SOURCE_DATE_EPOCH' environment
+ variable when generating the 'sp_lstchg' field, to ensure an image
+ build can be reproducible.
+
+ * 'udevadm wait' will now listen to kernel uevents too when called with
+ --initialized=no.
+
+ * When naming network devices udev will now consult the Devicetree
+ "alias" fields for the device.
+
+ * systemd-udev will now create infiniband/by-path and
+ infiniband/by-ibdev links for Infiniband verbs devices.
+
+ * systemd-udev-trigger.service will now also prioritize input devices.
+
+ * ConditionACPower= and systemd-ac-power will now assume the system is
+ running on AC power if no battery can be found.
+
+ * All features and tools using the TPM2 will now communicate with it
+ using a bind key. Beforehand, the tpm2 support used encrypted sessions
+ by creating a primary key that was used to encrypt traffic. This
+ creates a problem as the key created for encrypting the traffic could
+ be faked by an active interposer on the bus. In cases when a pin is
+ used, a bind key will be used. The pin is used as the auth value for
+ the seal key, aka the disk encryption key, and that auth value will be
+ used in the session establishment. An attacker would need the pin
+ value to create the secure session and thus an active interposer
+ without the pin cannot interpose on TPM2 traffic.
+
+ * systemd-growfs no longer requires udev to run.
+
+ * systemd-backlight now will better support systems with multiple
+ graphic cards.
+
+ * systemd-cryptsetup's keyfile-timeout= option now also works when a
+ device is used as a keyfile.
+
+ * systemd-cryptenroll gained a new --unlock-key-file= option to get the
+ unlocking key from a key file (instead of prompting the user). Note
+ that this is the key for unlocking the volume in order to be able to
+ enroll a new key, but it is not the key that is enrolled.
+
+ * systemd-dissect gained a new --umount switch that will safely and
+ synchronously unmount all partitions of an image previously mounted
+ with 'systemd-dissect --mount'.
+
+ * When using gcrypt, all systemd tools and services will now configure
+ it to prefer the OS random number generator if present.
+
+ * All example code shipped with documentation has been relicensed from CC0
+ to MIT-0.
+
+ * Unit tests will no longer fail when running on a system without
+ /etc/machine-id.
+
+ Experimental features:
+
+ * BPF programs can now be compiled with bpf-gcc (requires libbpf >= 1.0
+ and bpftool >= 7.0).
+
+ * sd-boot can automatically enroll SecureBoot keys from files found on
+ the ESP. This enrollment can be either automatic ('force' mode) or
+ controlled by the user ('manual' mode). It is sufficient to place the
+ SecureBoot keys in the right place in the ESP and they will be picked
+ up by sd-boot and shown in the boot menu.
+
+ * The mkosi config in systemd gained support for automatically
+ compiling a kernel with the configuration appropriate for testing
+ systemd. This may be useful when developing or testing systemd in
+ tandem with the kernel.
+
+ Contributions from: 김인수, Adam Williamson, adrian5, Aidan Dang,
+ Akihiko Odaki, Alban Bedel, Albert Mikaelyan, Aleksey Vasenev,
+ Alexander Graf, Alexander Shopov, Alexander Wilson,
+ Alper Nebi Yasak, anarcat, Anders Jonsson, Andre Kalb,
+ Andrew Stone, Andrey Albershteyn, Anita Zhang, Ansgar Burchardt,
+ Antonio Alvarez Feijoo, Arnaud Ferraris, Aryan singh, asavah,
+ Avamander, Avram Lubkin, Balázs Meskó, Bastien Nocera,
+ Benjamin Franzke, BerndAdameit, bin456789, Celeste Liu,
+ Chih-Hsuan Yen, Christian Brauner, Christian Göttsche,
+ Christian Hesse, Clyde Byrd III, codefiles, Colin Walters,
+ Cristian Rodríguez, Daan De Meyer, Daniel Braunwarth,
+ Daniel Rusek, Dan Streetman, Darsey Litzenberger, David Edmundson,
+ David Jaša, David Rheinsberg, David Seifert, David Tardon,
+ dependabot[bot], Devendra Tewari, Dominique Martinet, drosdeck,
+ Edson Juliano Drosdeck, Eduard Tolosa, eggfly, Einsler Lee,
+ Elias Probst, Eli Schwartz, Evgeny Vereshchagin, exploide, Fei Li,
+ Foster Snowhill, Franck Bui, Frank Dana, Frantisek Sumsal,
+ Gerd Hoffmann, Gio, Goffredo Baroncelli, gtwang01,
+ Guillaume W. Bres, H A, Hans de Goede, Heinrich Schuchardt,
+ Hugo Carvalho, i-do-cpp, igo95862, j00512545, Jacek Migacz,
+ Jade Bilkey, James Hilliard, Jan B, Janis Goldschmidt,
+ Jan Janssen, Jan Kuparinen, Jan Luebbe, Jan Macku,
+ Jason A. Donenfeld, Javkhlanbayar Khongorzul, Jeremy Soller,
+ JeroenHD, jiangchuangang, João Loureiro,
+ Joaquín Ignacio Aramendía, Jochen Sprickerhof,
+ Johannes Schauer Marin Rodrigues, Jonas Kümmerlin,
+ Jonas Witschel, Jonathan Kang, Jonathan Lebon, Joost Heitbrink,
+ Jörg Thalheim, josh-gordon-fb, Joyce, Kai Lueke, lastkrick,
+ Lennart Poettering, Leon M. George, licunlong, Li kunyu,
+ LockBlock-dev, Loïc Collignon, Lubomir Rintel, Luca Boccassi,
+ Luca BRUNO, Ludwig Nussel, Łukasz Stelmach, Maccraft123,
+ Marc Kleine-Budde, Marius Vollmer, Martin Wilck, matoro,
+ Matthias Lisin, Max Gautier, Maxim Mikityanskiy, Michael Biebl,
+ Michal Koutný, Michal Sekletár, Michal Stanke, Mike Gilbert,
+ Mitchell Freiderich, msizanoen1, Nick Rosbrook, nl6720, Oğuz Ersen,
+ Oleg Solovyov, Olga Smirnova, Pablo Ceballos, Pavel Zhukov,
+ Phaedrus Leeds, Philipp Gortan, Piotr Drąg, Pyfisch,
+ Quentin Deslandes, Rahil Bhimjiani, Rene Hollander, Richard Huang,
+ Richard Phibel, Rudi Heitbaum, Sam James, Sarah Brofeldt,
+ Sean Anderson, Sebastian Scheibner, Shreenidhi Shedi,
+ Sonali Srivastava, Steve Ramage, Suraj Krishnan, Swapnil Devesh,
+ Takashi Sakamoto, Ted X. Toth, Temuri Doghonadze, Thomas Blume,
+ Thomas Haller, Thomas Hebb, Tomáš Hnyk, Tomasz Paweł Gajc,
+ Topi Miettinen, Ulrich Ölmann, undef, Uriel Corfa,
+ Victor Westerhuis, Vincent Dagonneau, Vishal Chillara Srinivas,
+ Vito Caputo, Weblate, Wenchao Hao, William Roberts, williamsumendap,
+ wineway, xiaoyang, Yuri Chornoivan, Yu Watanabe,
+ Zbigniew Jędrzejewski-Szmek, Zhaofeng Li, наб
+
+ – The Great Beyond, 2022-10-31 👻
+
+CHANGES WITH 251:
+
+ Backwards-incompatible changes:
+
+ * The minimum kernel version required has been bumped from 3.13 to 4.15,
+ and CLOCK_BOOTTIME is now assumed to always exist.
+
+ * C11 with GNU extensions (aka "gnu11") is now used to build our
+ components. Public API headers are still restricted to ISO C89.
+
+ * In v250, a systemd-networkd feature that automatically configures
+ routes to addresses specified in AllowedIPs= was added and enabled by
+ default. However, this causes network connectivity issues in many
+ existing setups. Hence, it has been disabled by default since
+ systemd-stable 250.3. The feature can still be used by explicitly
+ configuring RouteTable= setting in .netdev files.
+
+ * Jobs started via StartUnitWithFlags() will no longer return 'skipped'
+ when a Condition*= check does not succeed, restoring the JobRemoved
+ signal to the behaviour it had before v250.
+
+ * The org.freedesktop.portable1 methods GetMetadataWithExtensions() and
+ GetImageMetadataWithExtensions() have been fixed to provide an extra
+ return parameter, containing the actual extension release metadata.
+ The current implementation was judged to be broken and unusable, and
+ thus the usual procedure of adding a new set of methods was skipped,
+ and backward compatibility broken instead on the assumption that
+ nobody can be affected given the current state of this interface.
+
+ * All kernels supported by systemd mix bytes returned by RDRAND (or
+ similar) into the entropy pool at early boot. This means that on
+ those systems, even if /dev/urandom is not yet initialized, it still
+ returns bytes that are of at least RDRAND quality. For that reason,
+ we no longer have reason to invoke RDRAND from systemd itself, which
+ has historically been a source of bugs. Furthermore, kernels ≥5.6
+ provide the getrandom(GRND_INSECURE) interface for returning random
+ bytes before the entropy pool is initialized without warning into
+ kmsg, which is what we attempt to use if available. systemd's direct
+ usage of RDRAND has been removed. x86 systems ≥Broadwell that are
+ running an older kernel may experience kmsg warnings that were not
+ seen with 250. For newer kernels, non-x86 systems, or older x86
+ systems, there should be no visible changes.
+
+ * sd-boot will now measure the kernel command line into TPM PCR 12
+ rather than PCR 8. This improves usefulness of the measurements on
+ systems where sd-boot is chainloaded from Grub. Grub measures all
+ commands its executes into PCR 8, which makes it very hard to use
+ reasonably, hence separate ourselves from that and use PCR 12
+ instead, which is what certain Ubuntu editions already do. To retain
+ compatibility with systems running older systemd systems a new meson
+ option 'efi-tpm-pcr-compat' has been added (which defaults to false).
+ If enabled, the measurement is done twice: into the new-style PCR 12
+ *and* the old-style PCR 8. It's strongly advised to migrate all users
+ to PCR 12 for this purpose in the long run, as we intend to remove
+ this compatibility feature in two years' time.
+
+ * busctl capture now writes output in the newer pcapng format instead
+ of pcap.
+
+ * A udev rule that imported hwdb matches for USB devices with lowercase
+ hexadecimal vendor/product ID digits was added in systemd 250. This
+ has been reverted, since uppercase hexadecimal digits are supposed to
+ be used, and we already had a rule with the appropriate match.
+
+ Users might need to adjust their local hwdb entries.
+
+ * arch_prctl(2) has been moved to the @default set in the syscall filters
+ (as exposed via the SystemCallFilter= setting in service unit files).
+ It is apparently used by the linker now.
+
+ * The tmpfiles entries that create the /run/systemd/netif directory and
+ its subdirectories were moved from tmpfiles.d/systemd.conf to
+ tmpfiles.d/systemd-network.conf.
+
+ Users might need to adjust their files that override tmpfiles.d/systemd.conf
+ to account for this change.
+
+ * The requirement for Portable Services images to contain a well-formed
+ os-release file (i.e.: contain at least an ID field) is now enforced.
+ This applies to base images and extensions, and also to systemd-sysext.
+
+ Changes in the Boot Loader Specification, kernel-install and sd-boot:
+
+ * kernel-install's and bootctl's Boot Loader Specification Type #1
+ entry generation logic has been reworked. The user may now pick
+ explicitly by which "token" string to name the installation's boot
+ entries, via the new /etc/kernel/entry-token file or the new
+ --entry-token= switch to bootctl. By default — as before — the
+ entries are named after the local machine ID. However, in "golden
+ image" environments, where the machine ID shall be initialized on
+ first boot (as opposed to at installation time before first boot) the
+ machine ID will not be available at build time. In this case the
+ --entry-token= switch to bootctl (or the /etc/kernel/entry-token
+ file) may be used to override the "token" for the entries, for
+ example the IMAGE_ID= or ID= fields from /etc/os-release. This will
+ make the OS images independent of any machine ID, and ensure that the
+ images will not carry any identifiable information before first boot,
+ but on the other hand means that multiple parallel installations of
+ the very same image on the same disk cannot be supported.
+
+ Summary: if you are building golden images that shall acquire
+ identity information exclusively on first boot, make sure to both
+ remove /etc/machine-id *and* to write /etc/kernel/entry-token to the
+ value of the IMAGE_ID= or ID= field of /etc/os-release or another
+ suitable identifier before deploying the image.
+
+ * The Boot Loader Specification has been extended with
+ /loader/entries.srel file located in the EFI System Partition (ESP)
+ that disambiguates the format of the entries in the /loader/entries/
+ directory (in order to discern them from incompatible uses of this
+ directory by other projects). For entries that follow the
+ Specification, the string "type1" is stored in this file.
+
+ bootctl will now write this file automatically when installing the
+ systemd-boot boot loader.
+
+ * kernel-install supports a new initrd_generator= setting in
+ /etc/kernel/install.conf, that is exported as
+ $KERNEL_INSTALL_INITRD_GENERATOR to kernel-install plugins. This
+ allows choosing different initrd generators.
+
+ * kernel-install will now create a "staging area" (an initially-empty
+ directory to gather files for a Boot Loader Specification Type #1
+ entry). The path to this directory is exported as
+ $KERNEL_INSTALL_STAGING_AREA to kernel-install plugins, which should
+ drop files there instead of writing them directly to the final
+ location. kernel-install will move them when all files have been
+ prepared successfully.
+
+ * New option sort-key= has been added to the Boot Loader Specification
+ to override the sorting order of the entries in the boot menu. It is
+ read by sd-boot and bootctl, and will be written by kernel-install,
+ with the default value of IMAGE_ID= or ID= fields from
+ os-release. Together, this means that on multiboot installations,
+ entries should be grouped and sorted in a predictable way.
+
+ * The sort order of boot entries has been updated: entries which have
+ the new field sort-key= are sorted by it first, and all entries
+ without it are ordered later. After that, entries are sorted by
+ version so that newest entries are towards the beginning of the list.
+
+ * The kernel-install tool gained a new 'inspect' verb which shows the
+ paths and other settings used.
+
+ * sd-boot can now optionally beep when the menu is shown and menu
+ entries are selected, which can be useful on machines without a
+ working display. (Controllable via a loader.conf setting.)
+
+ * The --make-machine-id-directory= switch to bootctl has been replaced
+ by --make-entry-directory=, given that the entry directory is not
+ necessarily named after the machine ID, but after some other suitable
+ ID as selected via --entry-token= described above. The old name of
+ the option is still understood to maximize compatibility.
+
+ * 'bootctl list' gained support for a new --json= switch to output boot
+ menu entries in JSON format.
+
+ * 'bootctl is-installed' now supports the --graceful, and various verbs
+ omit output with the new option --quiet.
+
+ Changes in systemd-homed:
+
+ * Starting with v250 systemd-homed uses UID/GID mapping on the mounts
+ of activated home directories it manages (if the kernel and selected
+ file systems support it). So far it mapped three UID ranges: the
+ range from 0…60000, the user's own UID, and the range 60514…65534,
+ leaving everything else unmapped (in other words, the 16bit UID range
+ is mapped almost fully, with the exception of the UID subrange used
+ for systemd-homed users, with one exception: the user's own UID).
+ Unmapped UIDs may not be used for file ownership in the home
+ directory — any chown() attempts with them will fail. With this
+ release a fourth range is added to these mappings:
+ 524288…1879048191. This range is the UID range intended for container
+ uses, see:
+
+ https://systemd.io/UIDS-GIDS
+
+ This range may be used for container managers that place container OS
+ trees in the home directory (which is a questionable approach, for
+ quota, permission, SUID handling and network file system
+ compatibility reasons, but nonetheless apparently commonplace). Note
+ that this mapping is mapped 1:1 in a pass-through fashion, i.e. the
+ UID assignments from the range are not managed or mapped by
+ `systemd-homed`, and must be managed with other mechanisms, in the
+ context of the local system.
+
+ Typically, a better approach to user namespacing in relevant
+ container managers would be to leave container OS trees on disk at
+ UID offset 0, but then map them to a dynamically allocated runtime
+ UID range via another UID mount map at container invocation
+ time. That way user namespace UID ranges become strictly a runtime
+ concept, and do not leak into persistent file systems, persistent
+ user databases or persistent configuration, thus greatly simplifying
+ handling, and improving compatibility with home directories intended
+ to be portable like the ones managed by systemd-homed.
+
+ Changes in shared libraries:
+
+ * A new libsystemd-core-<version>.so private shared library is
+ installed under /usr/lib/systemd/system, mirroring the existing
+ libsystemd-shared-<version>.so library. This allows the total
+ installation size to be reduced by binary code reuse.
+
+ * The <version> tag used in the name of libsystemd-shared.so and
+ libsystemd-core.so can be configured via the meson option
+ 'shared-lib-tag'. Distributions may build subsequent versions of the
+ systemd package with unique tags (e.g. the full package version),
+ thus allowing multiple installations of those shared libraries to be
+ available at the same time. This is intended to fix an issue where
+ programs that link to those libraries would fail to execute because
+ they were installed earlier or later than the appropriate version of
+ the library.
+
+ * The sd-id128 API gained a new call sd_id128_to_uuid_string() that is
+ similar to sd_id128_to_string() but formats the ID in RFC 4122 UUID
+ format instead of as a simple series of hex characters.
+
+ * The sd-device API gained two new calls sd_device_new_from_devname()
+ and sd_device_new_from_path() which permit allocating an sd_device
+ object from a device node name or file system path.
+
+ * sd-device also gained a new call sd_device_open() which will open the
+ device node associated with a device for which an sd_device object
+ has been allocated. The call is supposed to address races around
+ device nodes being removed/recycled due to hotplug events, or media
+ change events: the call checks internally whether the major/minor of
+ the device node and the "diskseq" (in case of block devices) match
+ with the metadata loaded in the sd_device object, thus ensuring that
+ the device once opened really matches the provided sd_device object.
+
+ Changes in PID1, systemctl, and systemd-oomd:
+
+ * A new set of service monitor environment variables will be passed to
+ OnFailure=/OnSuccess= handlers, but only if exactly one unit lists the
+ handler unit as OnFailure=/OnSuccess=. The variables are:
+ $MONITOR_SERVICE_RESULT, $MONITOR_EXIT_CODE, $MONITOR_EXIT_STATUS,
+ $MONITOR_INVOCATION_ID and $MONITOR_UNIT. For cases when a single
+ handler needs to watch multiple units, use a templated handler.
+
+ * A new ExtensionDirectories= setting in service unit files allows
+ system extensions to be loaded from a directory. (It is similar to
+ ExtensionImages=, but takes paths to directories, instead of
+ disk image files.)
+
+ 'portablectl attach --extension=' now also accepts directory paths.
+
+ * The user.delegate and user.invocation_id extended attributes on
+ cgroups are used in addition to trusted.delegate and
+ trusted.invocation_id. The latter pair requires privileges to set,
+ but the former doesn't and can be also set by the unprivileged user
+ manager.
+
+ (Only supported on kernels ≥5.6.)
+
+ * Units that were killed by systemd-oomd will now have a service result
+ of 'oom-kill'. The number of times a service was killed is tallied
+ in the 'user.oomd_ooms' extended attribute.
+
+ The OOMPolicy= unit file setting is now also honoured by
+ systemd-oomd.
+
+ * In unit files the new %y/%Y specifiers can be used to refer to
+ normalized unit file path, which is particularly useful for symlinked
+ unit files.
+
+ The new %q specifier resolves to the pretty hostname
+ (i.e. PRETTY_HOSTNAME= from /etc/machine-info).
+
+ The new %d specifier resolves to the credentials directory of a
+ service (same as $CREDENTIALS_DIRECTORY).
+
+ * The RootDirectory=, MountAPIVFS=, ExtensionDirectories=,
+ *Capabilities*=, ProtectHome=, *Directory=, TemporaryFileSystem=,
+ PrivateTmp=, PrivateDevices=, PrivateNetwork=, NetworkNamespacePath=,
+ PrivateIPC=, IPCNamespacePath=, PrivateUsers=, ProtectClock=,
+ ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=,
+ MountFlags= service settings now also work in unprivileged user
+ services, i.e. those run by the user's --user service manager, as long
+ as user namespaces are enabled on the system.
+
+ * Services with Restart=always and a failing ExecCondition= will no
+ longer be restarted, to bring ExecCondition= behaviour in line with
+ Condition*= settings.
+
+ * LoadCredential= now accepts a directory as the argument; all files
+ from the directory will be loaded as credentials.
+
+ * A new D-Bus property ControlGroupId is now exposed on service units,
+ that encapsulates the service's numeric cgroup ID that newer kernels
+ assign to each cgroup.
+
+ * PID 1 gained support for configuring the "pre-timeout" of watchdog
+ devices and the associated governor, via the new
+ RuntimeWatchdogPreSec= and RuntimeWatchdogPreGovernor= configuration
+ options in /etc/systemd/system.conf.
+
+ * systemctl's --timestamp= option gained a new choice "unix", to show
+ timestamp as unix times, i.e. seconds since 1970, Jan 1st.
+
+ * A new "taint" flag named "old-kernel" is introduced which is set when
+ the kernel systemd runs on is older then the current baseline version
+ (see above). The flag is shown in "systemctl status" output.
+
+ * Two additional taint flags "short-uid-range" and "short-gid-range"
+ have been added as well, which are set when systemd notices it is run
+ within a userns namespace that does not define the full 0…65535 UID
+ range
+
+ * A new "unmerged-usr" taint flag has been added that is set whenever
+ running on systems where /bin/ + /sbin/ are *not* symlinks to their
+ counterparts in /usr/, i.e. on systems where the /usr/-merge has not
+ been completed.
+
+ * Generators invoked by PID 1 will now have a couple of useful
+ environment variables set describing the execution context a
+ bit. $SYSTEMD_SCOPE encodes whether the generator is called from the
+ system service manager, or from the per-user service
+ manager. $SYSTEMD_IN_INITRD encodes whether the generator is invoked
+ in initrd context or on the host. $SYSTEMD_FIRST_BOOT encodes whether
+ systemd considers the current boot to be a "first"
+ boot. $SYSTEMD_VIRTUALIZATION encode whether virtualization is
+ detected and which type of hypervisor/container
+ manager. $SYSTEMD_ARCHITECTURE indicates which architecture the
+ kernel is built for.
+
+ * PID 1 will now automatically pick up system credentials from qemu's
+ fw_cfg interface, thus allowing passing arbitrary data into VM
+ systems similar to how this is already supported for passing them
+ into `systemd-nspawn` containers. Credentials may now also be passed
+ in via the new kernel command line option `systemd.set_credential=`
+ (note that kernel command line options are world-readable during
+ runtime, and only useful for credentials that require no
+ confidentiality). The credentials that can be passed to unified
+ kernels that use the `systemd-stub` UEFI stub are now similarly
+ picked up automatically. Automatic importing of system credentials
+ this way can be turned off via the new
+ `systemd.import_credentials=no` kernel command line option.
+
+ * LoadCredential= will now automatically look for credentials in the
+ /etc/credstore/, /run/credstore/, /usr/lib/credstore/ directories if
+ the argument is not an absolute path. Similarly,
+ LoadCredentialEncrypted= will check the same directories plus
+ /etc/credstore.encrypted/, /run/credstore.encrypted/ and
+ /usr/lib/credstore.encrypted/. The idea is to use those directories
+ as the system-wide location for credentials that services should pick
+ up automatically.
+
+ * System and service credentials are described in great detail in a new
+ document:
+
+ https://systemd.io/CREDENTIALS
+
+ Changes in systemd-journald:
+
+ * The journal JSON export format has been added to listed of stable
+ interfaces (https://systemd.io/PORTABILITY_AND_STABILITY/).
+
+ * journalctl --list-boots now supports JSON output and the --reverse option.
+
+ * Under docs/: JOURNAL_EXPORT_FORMATS was imported from the wiki and
+ updated, BUILDING_IMAGES is new:
+
+ https://systemd.io/JOURNAL_EXPORT_FORMATS
+ https://systemd.io/BUILDING_IMAGES
+
+ Changes in udev:
+
+ * Two new hwdb files have been added. One lists "handhelds" (PDAs,
+ calculators, etc.), the other AV production devices (DJ tables,
+ keypads, etc.) that should accessible to the seat owner user by
+ default.
+
+ * udevadm trigger gained a new --prioritized-subsystem= option to
+ process certain subsystems (and all their parent devices) earlier.
+
+ systemd-udev-trigger.service now uses this new option to trigger
+ block and TPM devices first, hopefully making the boot a bit faster.
+
+ * udevadm trigger now implements --type=all, --initialized-match,
+ --initialized-nomatch to trigger both subsystems and devices, only
+ already-initialized devices, and only devices which haven't been
+ initialized yet, respectively.
+
+ * udevadm gained a new "wait" command for safely waiting for a specific
+ device to show up in the udev device database. This is useful in
+ scripts that asynchronously allocate a block device (e.g. through
+ repartitioning, or allocating a loopback device or similar) and need
+ to synchronize on the creation to complete.
+
+ * udevadm gained a new "lock" command for locking one or more block
+ devices while formatting it or writing a partition table to it. It is
+ an implementation of https://systemd.io/BLOCK_DEVICE_LOCKING and
+ usable in scripts dealing with block devices.
+
+ * udevadm info will show a couple of additional device fields in its
+ output, and will not apply a limited set of coloring to line types.
+
+ * udevadm info --tree will now show a tree of objects (i.e. devices and
+ suchlike) in the /sys/ hierarchy.
+
+ * Block devices will now get a new set of device symlinks in
+ /dev/disk/by-diskseq/<nr>, which may be used to reference block
+ device nodes via the kernel's "diskseq" value. Note that this does
+ not guarantee that opening a device by a symlink like this will
+ guarantee that the opened device actually matches the specified
+ diskseq value. To be safe against races, the actual diskseq value of
+ the opened device (BLKGETDISKSEQ ioctl()) must still be compred with
+ the one in the symlink path.
+
+ * .link files gained support for setting MDI/MID-X on a link.
+
+ * .link files gained support for [Match] Firmware= setting to match on
+ the device firmware description string. By mistake, it was previously
+ only supported in .network files.
+
+ * .link files gained support for [Link] SR-IOVVirtualFunctions= setting
+ and [SR-IOV] section to configure SR-IOV virtual functions.
+
+ Changes in systemd-networkd:
+
+ * The default scope for unicast routes configured through [Route]
+ section is changed to "link", to make the behavior consistent with
+ "ip route" command. The manual configuration of [Route] Scope= is
+ still honored.
+
+ * A new unit systemd-networkd-wait-online@<interface>.service has been
+ added that can be used to wait for a specific network interface to be
+ up.
+
+ * systemd-networkd gained a new [Bridge] Isolated=true|false setting
+ that configures the eponymous kernel attribute on the bridge.
+
+ * .netdev files now can be used to create virtual WLAN devices, and
+ configure various settings on them, via the [WLAN] section.
+
+ * .link/.network files gained support for [Match] Kind= setting to match
+ on device kind ("bond", "bridge", "gre", "tun", "veth", etc.)
+
+ This value is also shown by 'networkctl status'.
+
+ * The Local= setting in .netdev files for various virtual network
+ devices gained support for specifying, in addition to the network
+ address, the name of a local interface which must have the specified
+ address.
+
+ * systemd-networkd gained a new [Tunnel] External= setting in .netdev
+ files, to configure tunnels in external mode (a.k.a. collect metadata
+ mode).
+
+ * [Network] L2TP= setting was removed. Please use interface specifier in
+ Local= setting in .netdev files of corresponding L2TP interface.
+
+ * New [DHCPServer] BootServerName=, BootServerAddress=, and
+ BootFilename= settings can be used to configure the server address,
+ server name, and file name sent in the DHCP packet (e.g. to configure
+ PXE boot).
+
+ Changes in systemd-resolved:
+
+ * systemd-resolved is started earlier (in sysinit.target), so it
+ available earlier and will also be started in the initrd if installed
+ there.
+
+ Changes in disk encryption:
+
+ * systemd-cryptenroll can now control whether to require the user to
+ enter a PIN when using TPM-based unlocking of a volume via the new
+ --tpm2-with-pin= option.
+
+ Option tpm2-pin= can be used in /etc/crypttab.
+
+ * When unlocking devices via TPM, TPM2 parameter encryption is now
+ used, to ensure that communication between CPU and discrete TPM chips
+ cannot be eavesdropped to acquire disk encryption keys.
+
+ * A new switch --fido2-credential-algorithm= has been added to
+ systemd-cryptenroll allowing selection of the credential algorithm to
+ use when binding encryption to FIDO2 tokens.
+
+ Changes in systemd-hostnamed:
+
+ * HARDWARE_VENDOR= and HARDWARE_MODEL= can be set in /etc/machine-info
+ to override the values gleaned from the hwdb.
+
+ * A ID_CHASSIS property can be set in the hwdb (for the DMI device
+ /sys/class/dmi/id) to override the chassis that is reported by
+ hostnamed.
+
+ * hostnamed's D-Bus interface gained a new method GetHardwareSerial()
+ for reading the hardware serial number, as reportd by DMI. It also
+ exposes a new method D-Bus property FirmwareVersion that encode the
+ firmware version of the system.
+
+ Changes in other components:
+
+ * /etc/locale.conf is now populated through tmpfiles.d factory /etc/
+ handling with the values that were configured during systemd build
+ (if /etc/locale.conf has not been created through some other
+ mechanism). This means that /etc/locale.conf should always have
+ reasonable contents and we avoid a potential mismatch in defaults.
+
+ * The userdbctl tool will now show UID range information as part of the
+ list of known users.
+
+ * A new build-time configuration setting default-user-shell= can be
+ used to set the default shell for user records and nspawn shell
+ invocations (instead of of the default /bin/bash).
+
+ * systemd-timesyncd now provides a D-Bus API for receiving NTP server
+ information dynamically at runtime via IPC.
+
+ * The systemd-creds tool gained a new "has-tpm2" verb, which reports
+ whether a functioning TPM2 infrastructure is available, i.e. if
+ firmware, kernel driver and systemd all have TPM2 support enabled and
+ a device found.
+
+ * The systemd-creds tool gained support for generating encrypted
+ credentials that are using an empty encryption key. While this
+ provides no integrity nor confidentiality it's useful to implement
+ codeflows that work the same on TPM-ful and TPM2-less systems. The
+ service manager will only accept credentials "encrypted" that way if
+ a TPM2 device cannot be detected, to ensure that credentials
+ "encrypted" like that cannot be used to trick TPM2 systems.
+
+ * When deciding whether to colorize output, all systemd programs now
+ also check $COLORTERM (in addition to $NO_COLOR, $SYSTEMD_COLORS, and
+ $TERM).
+
+ * Meson's new install_tag feature is now in use for several components,
+ allowing to build and install select binaries only: pam, nss, devel
+ (pkg-config files), systemd-boot, libsystemd, libudev. Example:
+ $ meson build systemd-boot
+ $ meson install --tags systemd-boot --no-rebuild
+ https://mesonbuild.com/Installing.html#installation-tags
+
+ * A new build configuration option has been added, to allow selecting the
+ default compression algorithm used by systemd-journald and systemd-coredump.
+ This allows to build-in support for decompressing all supported formats,
+ but choose a specific one for compression. E.g.:
+ $ meson -Ddefault-compression=xz
+
+ Experimental features:
+
+ * sd-boot gained a new *experimental* setting "reboot-for-bitlocker" in
+ loader.conf that implements booting Microsoft Windows from the
+ sd-boot in a way that first reboots the system, to reset the TPM
+ PCRs. This improves compatibility with BitLocker's TPM use, as the
+ PCRs will only record the Windows boot process, and not sd-boot
+ itself, thus retaining the PCR measurements not involving sd-boot.
+ Note that this feature is experimental for now, and is likely going
+ to be generalized and renamed in a future release, without retaining
+ compatibility with the current implementation.
+
+ * A new systemd-sysupdate component has been added that automatically
+ discovers, downloads, and installs A/B-style updates for the host
+ installation itself, or container images, portable service images,
+ and other assets. See the new systemd-sysupdate man page for updates.
+
+ Contributions from: 4piu, Adam Williamson, adrian5, Albert Brox,
+ AlexCatze, Alex Henrie, Alfonso Sánchez-Beato, Alice S,
+ Alvin Šipraga, amarjargal, Amarjargal, Andrea Pappacoda,
+ Andreas Rammhold, Andy Chi, Anita Zhang, Antonio Alvarez Feijoo,
+ Arfrever Frehtes Taifersar Arahesis, ash, Bastien Nocera, Be,
+ bearhoney, Ben Efros, Benjamin Berg, Benjamin Franzke,
+ Brett Holman, Christian Brauner, Clyde Byrd III, Curtis Klein,
+ Daan De Meyer, Daniele Medri, Daniel Mack, Danilo Krummrich,
+ David, David Bond, Davide Cavalca, David Tardon, davijosw,
+ dependabot[bot], Donald Chan, Dorian Clay, Eduard Tolosa,
+ Elias Probst, Eli Schwartz, Erik Sjölund, Evgeny Vereshchagin,
+ Federico Ceratto, Franck Bui, Frantisek Sumsal, Gaël PORTAY,
+ Georges Basile Stavracas Neto, Gibeom Gwon, Goffredo Baroncelli,
+ Grigori Goronzy, Hans de Goede, Heiko Becker, Hugo Carvalho,
+ Jakob Lell, James Hilliard, Jan Janssen, Jason A. Donenfeld,
+ Joan Bruguera, Joerie de Gram, Josh Triplett, Julia Kartseva,
+ Kazuo Moriwaka, Khem Raj, ksa678491784, Lance, Lan Tian,
+ Laura Barcziova, Lennart Poettering, Leviticoh, licunlong,
+ Lidong Zhong, lincoln auster, Lubomir Rintel, Luca Boccassi,
+ Luca BRUNO, lucagoc, Ludwig Nussel, Marcel Hellwig, march1993,
+ Marco Scardovi, Mario Limonciello, Mariusz Tkaczyk,
+ Markus Weippert, Martin, Martin Liska, Martin Wilck, Matija Skala,
+ Matthew Blythe, Matthias Lisin, Matthijs van Duin, Matt Walton,
+ Max Gautier, Michael Biebl, Michael Olbrich, Michal Koutný,
+ Michal Sekletár, Mike Gilbert, MkfsSion, Morten Linderud,
+ Nick Rosbrook, Nikolai Grigoriev, Nikolai Kostrigin,
+ Nishal Kulkarni, Noel Kuntze, Pablo Ceballos, Peter Hutterer,
+ Peter Morrow, Pigmy-penguin, Piotr Drąg, prumian, Richard Neill,
+ Rike-Benjamin Schuppner, rodin-ia, Romain Naour, Ruben Kerkhof,
+ Ryan Hendrickson, Santa Wiryaman, Sebastian Pucilowski, Seth Falco,
+ Simon Ellmann, Sonali Srivastava, Stefan Seering,
+ Stephen Hemminger, tawefogo, techtino, Temuri Doghonadze,
+ Thomas Batten, Thomas Haller, Thomas Weißschuh, Tobias Stoeckmann,
+ Tomasz Pala, Tyson Whitehead, Vishal Chillara Srinivas,
+ Vivien Didelot, w30023233, wangyuhang, Weblate, Xiaotian Wu,
+ yangmingtai, YmrDtnJu, Yonathan Randolph, Yutsuten, Yu Watanabe,
+ Zbigniew Jędrzejewski-Szmek, наб
+
+ — Edinburgh, 2022-05-21
+
+CHANGES WITH 250:
+
+ * Support for encrypted and authenticated credentials has been added.
+ This extends the credential logic introduced with v247 to support
+ non-interactive symmetric encryption and authentication, based on a
+ key that is stored on the /var/ file system or in the TPM2 chip (if
+ available), or the combination of both (by default if a TPM2 chip
+ exists the combination is used, otherwise the /var/ key only). The
+ credentials are automatically decrypted at the moment a service is
+ started, and are made accessible to the service itself in unencrypted
+ form. A new tool 'systemd-creds' encrypts credentials for this
+ purpose, and two new service file settings LoadCredentialEncrypted=
+ and SetCredentialEncrypted= configure such credentials.
+
+ This feature is useful to store sensitive material such as SSL
+ certificates, passwords and similar securely at rest and only decrypt
+ them when needed, and in a way that is tied to the local OS
+ installation or hardware.
+
+ * systemd-gpt-auto-generator can now automatically set up discoverable
+ LUKS2 encrypted swap partitions.
+
+ * The GPT Discoverable Partitions Specification has been substantially
+ extended with support for root and /usr/ partitions for the majority
+ of architectures systemd supports. This includes platforms that do
+ not natively support UEFI, because even though GPT is specified under
+ UEFI umbrella, it is useful on other systems too. Specifically,
+ systemd-nspawn, systemd-sysext, systemd-gpt-auto-generator and
+ Portable Services use the concept without requiring UEFI.
+
+ * The GPT Discoverable Partitions Specifications has been extended with
+ a new set of partitions that may carry PKCS#7 signatures for Verity
+ partitions, encoded in a simple JSON format. This implements a simple
+ mechanism for building disk images that are fully authenticated and
+ can be tested against a set of cryptographic certificates. This is
+ now implemented for the various systemd tools that can operate with
+ disk images, such as systemd-nspawn, systemd-sysext, systemd-dissect,
+ Portable services/RootImage=, systemd-tmpfiles, and systemd-sysusers.
+ The PKCS#7 signatures are passed to the kernel (where they are
+ checked against certificates from the kernel keyring), or can be
+ verified against certificates provided in userspace (via a simple
+ drop-in file mechanism).
+
+ * systemd-dissect's inspection logic will now report for which uses a
+ disk image is intended. Specifically, it will display whether an
+ image is suitable for booting on UEFI or in a container (using
+ systemd-nspawn's --image= switch), whether it can be used as portable
+ service, or attached as system extension.
+
+ * The system-extension.d/ drop-in files now support a new field
+ SYSEXT_SCOPE= that may encode which purpose a system extension image
+ is for: one of "initrd", "system" or "portable". This is useful to
+ make images more self-descriptive, and to ensure system extensions
+ cannot be attached in the wrong contexts.
+
+ * The os-release file learnt a new PORTABLE_PREFIXES= field which may
+ be used in portable service images to indicate which unit prefixes
+ are supported.
+
+ * The GPT image dissection logic in systemd-nspawn/systemd-dissect/…
+ now is able to decode images for non-native architectures as well.
+ This allows systemd-nspawn to boot images of non-native architectures
+ if the corresponding user mode emulator is installed and
+ systemd-binfmtd is running.
+
+ * systemd-logind gained new settings HandlePowerKeyLongPress=,
+ HandleRebootKeyLongPress=, HandleSuspendKeyLongPress= and
+ HandleHibernateKeyLongPress= which may be used to configure actions
+ when the relevant keys are pressed for more than 5s. This is useful
+ on devices that only have hardware for a subset of these keys. By
+ default, if the reboot key is pressed long the poweroff operation is
+ now triggered, and when the suspend key is pressed long the hibernate
+ operation is triggered. Long pressing the other two keys currently
+ does not trigger any operation by default.
+
+ * When showing unit status updates on the console during boot and
+ shutdown, and a service is slow to start so that the cylon animation
+ is shown, the most recent sd_notify() STATUS= text is now shown as
+ well. Services may use this to make the boot/shutdown output easier
+ to understand, and to indicate what precisely a service that is slow
+ to start or stop is waiting for. In particular, the per-user service
+ manager instance now reports what it is doing and which service it is
+ waiting for this way to the system service manager.
+
+ * The service manager will now re-execute on reception of the
+ SIGRTMIN+25 signal. It previously already did that on SIGTERM — but
+ only when running as PID 1. There was no signal to request this when
+ running as per-user service manager, i.e. as any other PID than 1.
+ SIGRTMIN+25 works for both system and user managers.
+
+ * The hardware watchdog logic in PID 1 gained support for operating
+ with the default timeout configured in the hardware, instead of
+ insisting on re-configuring it. Set RuntimeWatchdogSec=default to
+ request this behavior.
+
+ * A new kernel command line option systemd.watchdog_sec= is now
+ understood which may be used to override the hardware watchdog
+ time-out for the boot.
+
+ * A new setting DefaultOOMScoreAdjust= is now supported in
+ /etc/systemd/system.conf and /etc/systemd/user.conf. It may be used
+ to set the default process OOM score adjustment value for processes
+ started by the service manager. For per-user service managers this
+ now defaults to 100, but for per-system service managers is left as
+ is. This means that by default now services forked off the user
+ service manager are more likely to be killed by the OOM killer than
+ system services or the managers themselves.
+
+ * A new per-service setting RestrictFileSystems= as been added that
+ restricts the file systems a service has access to by their type.
+ This is based on the new BPF LSM of the Linux kernel. It provides an
+ effective way to make certain API file systems unavailable to
+ services (and thus minimizing attack surface). A new command
+ "systemd-analyze filesystems" has been added that lists all known
+ file system types (and how they are grouped together under useful
+ group handles).
+
+ * Services now support a new setting RestrictNetworkInterfaces= for
+ restricting access to specific network interfaces.
+
+ * Service unit files gained new settings StartupAllowedCPUs= and
+ StartupAllowedMemoryNodes=. These are similar to their counterparts
+ without the "Startup" prefix and apply during the boot process
+ only. This is useful to improve boot-time behavior of the system and
+ assign resources differently during boot than during regular
+ runtime. This is similar to the preexisting StartupCPUWeight=
+ vs. CPUWeight.
+
+ * Related to this: the various StartupXYZ= settings
+ (i.e. StartupCPUWeight=, StartupAllowedCPUs=, …) are now also applied
+ during shutdown. The settings not prefixed with "Startup" hence apply
+ during regular runtime, and those that are prefixed like that apply
+ during boot and shutdown.
+
+ * A new per-unit set of conditions/asserts
+ [Condition|Assert][Memory|CPU|IO]Pressure= have been added to make a
+ unit skip/fail activation if the system's (or a slice's) memory/cpu/io
+ pressure is above the configured threshold, using the kernel PSI
+ feature. For more details see systemd.unit(5) and
+ https://docs.kernel.org/accounting/psi.html
+
+ * The combination of ProcSubset=pid and ProtectKernelTunables=yes and/or
+ ProtectKernelLogs=yes can now be used.
+
+ * The default maximum numbers of inodes have been raised from 64k to 1M
+ for /dev/, and from 400k to 1M for /tmp/.
+
+ * The per-user service manager learnt support for communicating with
+ systemd-oomd to acquire OOM kill information.
+
+ * A new service setting ExecSearchPath= has been added that allows
+ changing the search path for executables for services. It affects
+ where we look for the binaries specified in ExecStart= and similar,
+ and the specified directories are also added the $PATH environment
+ variable passed to invoked processes.
+
+ * A new setting RuntimeRandomizedExtraSec= has been added for service
+ and scope units that allows extending the runtime time-out as
+ configured by RuntimeMaxSec= with a randomized amount.
+
+ * The syntax of the service unit settings RuntimeDirectory=,
+ StateDirectory=, CacheDirectory=, LogsDirectory= has been extended:
+ if the specified value is now suffixed with a colon, followed by
+ another filename, the latter will be created as symbolic link to the
+ specified directory. This allows creating these service directories
+ together with alias symlinks to make them available under multiple
+ names.
+
+ * Service unit files gained two new settings TTYRows=/TTYColumns= for
+ configuring rows/columns of the TTY device passed to
+ stdin/stdout/stderr of the service. This is useful to propagate TTY
+ dimensions to a virtual machine.
+
+ * A new service unit file setting ExitType= has been added that
+ specifies when to assume a service has exited. By default systemd
+ only watches the main process of a service. By setting
+ ExitType=cgroup it can be told to wait for the last process in a
+ cgroup instead.
+
+ * Automount unit files gained a new setting ExtraOptions= that can be
+ used to configure additional mount options to pass to the kernel when
+ mounting the autofs instance.
+
+ * "Urlification" (generation of ESC sequences that generate clickable
+ hyperlinks in modern terminals) may now be turned off altogether
+ during build-time.
+
+ * Path units gained new TriggerLimitBurst= and TriggerLimitIntervalSec=
+ settings that default to 200 and 2 s respectively. The ratelimit
+ ensures that a path unit cannot cause PID1 to busy-loop when it is
+ trying to trigger a service that is skipped because of a Condition*=
+ not being satisfied. This matches the configuration and behaviour of
+ socket units.
+
+ * The TPM2/FIDO2/PKCS11 support in systemd-cryptsetup is now also built
+ as a plug-in for cryptsetup. This means the plain cryptsetup command
+ may now be used to unlock volumes set up this way.
+
+ * The TPM2 logic in cryptsetup will now automatically detect systems
+ where the TPM2 chip advertises SHA256 PCR banks but the firmware only
+ updates the SHA1 banks. In such a case PCR policies will be
+ automatically bound to the latter, not the former. This makes the PCR
+ policies reliable, but of course do not provide the same level of
+ trust as SHA256 banks.
+
+ * The TPM2 logic in systemd-cryptsetup/systemd-cryptsetup now supports
+ RSA primary keys in addition to ECC, improving compatibility with
+ TPM2 chips that do not support ECC. RSA keys are much slower to use
+ than ECC, and hence are only used if ECC is not available.
+
+ * /etc/crypttab gained support for a new token-timeout= setting for
+ encrypted volumes that allows configuration of the maximum time to
+ wait for PKCS#11/FIDO2 tokens to be plugged in. If the time elapses
+ the logic will query the user for a regular passphrase/recovery key
+ instead.
+
+ * Support for activating dm-integrity volumes at boot via a new file
+ /etc/integritytab and the tool systemd-integritysetup have been
+ added. This is similar to /etc/crypttab and /etc/veritytab, but deals
+ with dm-integrity instead of dm-crypt/dm-verity.
+
+ * The systemd-veritysetup-generator now understands a new usrhash=
+ kernel command line option for specifying the Verity root hash for
+ the partition backing the /usr/ file system. A matching set of
+ systemd.verity_usr_* kernel command line options has been added as
+ well. These all work similar to the corresponding options for the
+ root partition.
+
+ * The sd-device API gained a new API call sd_device_get_diskseq() to
+ return the DISKSEQ property of a device structure. The "disk
+ sequence" concept is a new feature recently introduced to the Linux
+ kernel that allows detecting reuse cycles of block devices, i.e. can
+ be used to recognize when loopback block devices are reused for a
+ different purpose or CD-ROM drives get their media changed.
+
+ * A new unit systemd-boot-update.service has been added. If enabled
+ (the default) and the sd-boot loader is detected to be installed, it
+ is automatically updated to the newest version when out of date. This
+ is useful to ensure the boot loader remains up-to-date, and updates
+ automatically propagate from the OS tree in /usr/.
+
+ * sd-boot will now build with SBAT by default in order to facilitate
+ working with recent versions of Shim that require it to be present.
+
+ * sd-boot can now parse Microsoft Windows' Boot Configuration Data.
+ This is used to robustly generate boot entry titles for Windows.
+
+ * A new generic target unit factory-reset.target has been added. It is
+ hooked into systemd-logind similar in fashion to
+ reboot/poweroff/suspend/hibernate, and is supposed to be used to
+ initiate a factory reset operation. What precisely this operation
+ entails is up for the implementer to decide, the primary goal of the
+ new unit is provide a framework where to plug in the implementation
+ and how to trigger it.
+
+ * A new meson build-time option 'clock-valid-range-usec-max' has been
+ added which takes a time in µs and defaults to 15 years. If the RTC
+ time is noticed to be more than the specified time ahead of the
+ built-in epoch of systemd (which by default is the release timestamp
+ of systemd) it is assumed that the RTC is not working correctly, and
+ the RTC is reset to the epoch. (It already is reset to the epoch when
+ noticed to be before it.) This should increase the chance that time
+ doesn't accidentally jump too far ahead due to faulty hardware or
+ batteries.
+
+ * A new setting SaveIntervalSec= has been added to systemd-timesyncd,
+ which may be used to automatically save the current system time to
+ disk in regular intervals. This is useful to maintain a roughly
+ monotonic clock even without RTC hardware and with some robustness
+ against abnormal system shutdown.
+
+ * systemd-analyze verify gained support for a pair of new --image= +
+ --root= switches for verifying units below a specific root
+ directory/image instead of on the host.
+
+ * systemd-analyze verify gained support for verifying unit files under
+ an explicitly specified unit name, independently of what the filename
+ actually is.
+
+ * systemd-analyze verify gained a new switch --recursive-errors= which
+ controls whether to only fail on errors found in the specified units
+ or recursively any dependent units.
+
+ * systemd-analyze security now supports a new --offline mode for
+ analyzing unit files stored on disk instead of loaded units. It may
+ be combined with --root=/--image to analyze unit files under a root
+ directory or disk image. It also learnt a new --threshold= parameter
+ for specifying an exposure level threshold: if the exposure level
+ exceeds the specified value the call will fail. It also gained a new
+ --security-policy= switch for configuring security policies to
+ enforce on the units. A policy is a JSON file that lists which tests
+ shall be weighted how much to determine the overall exposure
+ level. Altogether these new features are useful for fully automatic
+ analysis and enforcement of security policies on unit files.
+
+ * systemd-analyze security gain a new --json= switch for JSON output.
+
+ * systemd-analyze learnt a new --quiet switch for reducing
+ non-essential output. It's honored by the "dot", "syscall-filter",
+ "filesystems" commands.
+
+ * systemd-analyze security gained a --profile= option that can be used
+ to take into account a portable profile when analyzing portable
+ services, since a lot of the security-related settings are enabled
+ through them.
+
+ * systemd-analyze learnt a new inspect-elf verb that parses ELF core
+ files, binaries and executables and prints metadata information,
+ including the build-id and other info described on:
+ https://systemd.io/COREDUMP_PACKAGE_METADATA/
+
+ * .network files gained a new UplinkInterface= in the [IPv6SendRA]
+ section, for automatically propagating DNS settings from other
+ interfaces.
+
+ * The static lease DHCP server logic in systemd-networkd may now serve
+ IP addresses outside of the configured IP pool range for the server.
+
+ * CAN support in systemd-networkd gained four new settings Loopback=,
+ OneShot=, PresumeAck=, ClassicDataLengthCode= for tweaking CAN
+ control modes. It gained a number of further settings for tweaking
+ CAN timing quanta.
+
+ * The [CAN] section in .network file gained new TimeQuantaNSec=,
+ PropagationSegment=, PhaseBufferSegment1=, PhaseBufferSegment2=,
+ SyncJumpWidth=, DataTimeQuantaNSec=, DataPropagationSegment=,
+ DataPhaseBufferSegment1=, DataPhaseBufferSegment2=, and
+ DataSyncJumpWidth= settings to control bit-timing processed by the
+ CAN interface.
+
+ * DHCPv4 client support in systemd-networkd learnt a new Label= option
+ for configuring the address label to apply to configure IPv4
+ addresses.
+
+ * The [IPv6AcceptRA] section of .network files gained support for a new
+ UseMTU= setting that may be used to control whether to apply the
+ announced MTU settings to the local interface.
+
+ * The [DHCPv4] section in .network file gained a new Use6RD= boolean
+ setting to control whether the DHCPv4 client request and process the
+ DHCP 6RD option.
+
+ * The [DHCPv6PrefixDelegation] section in .network file is renamed to
+ [DHCPPrefixDelegation], as now the prefix delegation is also supported
+ with DHCPv4 protocol by enabling the Use6RD= setting.
+
+ * The [DHCPPrefixDelegation] section in .network file gained a new
+ setting UplinkInterface= to specify the upstream interface.
+
+ * The [DHCPv6] section in .network file gained a new setting
+ UseDelegatedPrefix= to control whether the delegated prefixes will be
+ propagated to the downstream interfaces.
+
+ * The [IPv6AcceptRA] section of .network files now understands two new
+ settings UseGateway=/UseRoutePrefix= for explicitly configuring
+ whether to use the relevant fields from the IPv6 Router Advertisement
+ records.
+
+ * The ForceDHCPv6PDOtherInformation= setting in the [DHCPv6] section
+ has been removed. Please use the WithoutRA= and UseDelegatedPrefix=
+ settings in the [DHCPv6] section and the DHCPv6Client= setting in the
+ [IPv6AcceptRA] section to control when the DHCPv6 client is started
+ and how the delegated prefixes are handled by the DHCPv6 client.
+
+ * The IPv6Token= section in the [Network] section is deprecated, and
+ the [IPv6AcceptRA] section gained the Token= setting for its
+ replacement. The [IPv6Prefix] section also gained the Token= setting.
+ The Token= setting gained 'eui64' mode to explicitly configure an
+ address with the EUI64 algorithm based on the interface MAC address.
+ The 'prefixstable' mode can now optionally take a secret key. The
+ Token= setting in the [DHCPPrefixDelegation] section now supports all
+ algorithms supported by the same settings in the other sections.
+
+ * The [RoutingPolicyRule] section of .network file gained a new
+ SuppressInterfaceGroup= setting.
+
+ * The IgnoreCarrierLoss= setting in the [Network] section of .network
+ files now allows a duration to be specified, controlling how long to
+ wait before reacting to carrier loss.
+
+ * The [DHCPServer] section of .network file gained a new Router=
+ setting to specify the router address.
+
+ * The [CAKE] section of .network files gained various new settings
+ AutoRateIngress=, CompensationMode=, FlowIsolationMode=, NAT=,
+ MPUBytes=, PriorityQueueingPreset=, FirewallMark=, Wash=, SplitGSO=,
+ and UseRawPacketSize= for configuring CAKE.
+
+ * systemd-networkd now ships with new default .network files:
+ 80-container-vb.network which matches host-side network bridge device
+ created by systemd-nspawn's --network-bridge or --network-zone
+ switch, and 80-6rd-tunnel.network which matches automatically created
+ sit tunnel with 6rd prefix when the DHCP 6RD option is received.
+
+ * systemd-networkd's handling of Endpoint= resolution for WireGuard
+ interfaces has been improved.
+
+ * systemd-networkd will now automatically configure routes to addresses
+ specified in AllowedIPs=. This feature can be controlled via
+ RouteTable= and RouteMetric= settings in [WireGuard] or
+ [WireGuardPeer] sections.
+
+ * systemd-networkd will now once again automatically generate persistent
+ MAC addresses for batadv and bridge interfaces. Users can disable this
+ by using MACAddress=none in .netdev files.
+
+ * systemd-networkd and systemd-udevd now support IP over InfiniBand
+ interfaces. The Kind= setting in .netdev file accepts "ipoib". And
+ systemd.netdev files gained the [IPoIB] section.
+
+ * systemd-networkd and systemd-udevd now support net.ifname-policy=
+ option on the kernel command-line. This is implemented through the
+ systemd-network-generator service that automatically generates
+ appropriate .link, .network, and .netdev files.
+
+ * The various systemd-udevd "ethtool" buffer settings now understand
+ the special value "max" to configure the buffers to the maximum the
+ hardware supports.
+
+ * systemd-udevd's .link files may now configure a large variety of
+ NIC coalescing settings, plus more hardware offload settings.
+
+ * .link files gained a new WakeOnLanPassword= setting in the [Link]
+ section that allows to specify a WoL "SecureOn" password on hardware
+ that supports this.
+
+ * systemd-nspawn's --setenv= switch now supports an additional syntax:
+ if only a variable name is specified (i.e. without being suffixed by
+ a '=' character and a value) the current value of the environment
+ variable is propagated to the container. e.g. --setenv=FOO will
+ lookup the current value of $FOO in the environment, and pass it down
+ to the container. Similar behavior has been added to homectl's,
+ machinectl's and systemd-run's --setenv= switch.
+
+ * systemd-nspawn gained a new switch --suppress-sync= which may be used
+ to optionally suppress the effect of the sync()/fsync()/fdatasync()
+ system calls for the container payload. This is useful for build
+ system environments where safety against abnormal system shutdown is
+ not essential as all build artifacts can be regenerated any time, but
+ the performance win is beneficial.
+
+ * systemd-nspawn will now raise the RLIMIT_NOFILE hard limit to the
+ same value that PID 1 uses for most forked off processes.
+
+ * systemd-nspawn's --bind=/--bind-ro= switches now optionally take
+ uidmap/nouidmap options as last parameter. If "uidmap" is used the
+ bind mounts are created with UID mapping taking place that ensures
+ the host's file ownerships are mapped 1:1 to container file
+ ownerships, even if user namespacing is used. This way
+ files/directories bound into containers will no longer show up as
+ owned by the nobody user as they typically did if no special care was
+ taken to shift them manually.
+
+ * When discovering Windows installations sd-boot will now attempt to
+ show the Windows version.
+
+ * The color scheme to use in sd-boot may now be configured at
+ build-time.
+
+ * sd-boot gained the ability to change screen resolution during
+ boot-time, by hitting the "r" key. This will cycle through available
+ resolutions and save the last selection.
+
+ * sd-boot learnt a new hotkey "f". When pressed the system will enter
+ firmware setup. This is useful in environments where it is difficult
+ to hit the right keys early enough to enter the firmware, and works
+ on any firmware regardless which key it natively uses.
+
+ * sd-boot gained support for automatically booting into the menu item
+ selected on the last boot (using the "@saved" identifier for menu
+ items).
+
+ * sd-boot gained support for automatically loading all EFI drivers
+ placed in the /EFI/systemd/drivers/ subdirectory of the EFI System
+ Partition (ESP). These drivers are loaded before the menu entries are
+ loaded. This is useful e.g. to load additional file system drivers
+ for the XBOOTLDR partition.
+
+ * systemd-boot will now paint the input cursor on its own instead of
+ relying on the firmware to do so, increasing compatibility with broken
+ firmware that doesn't make the cursor reasonably visible.
+
+ * sd-boot now embeds a .osrel PE section like we expect from Boot
+ Loader Specification Type #2 Unified Kernels. This means sd-boot
+ itself may be used in place of a Type #2 Unified Kernel. This is
+ useful for debugging purposes as it allows chain-loading one a
+ (development) sd-boot instance from another.
+
+ * sd-boot now supports a new "devicetree" field in Boot Loader
+ Specification Type #1 entries: if configured the specified device
+ tree file is installed before the kernel is invoked. This is useful
+ for installing/applying new devicetree files without updating the
+ kernel image.
+
+ * Similarly, sd-stub now can read devicetree data from a PE section
+ ".dtb" and apply it before invoking the kernel.
+
+ * sd-stub (the EFI stub that can be glued in front of a Linux kernel)
+ gained the ability to pick up credentials and sysext files, wrap them
+ in a cpio archive, and pass as an additional initrd to the invoked
+ Linux kernel, in effect placing those files in the /.extra/ directory
+ of the initrd environment. This is useful to implement trusted initrd
+ environments which are fully authenticated but still can be extended
+ (via sysexts) and parameterized (via encrypted/authenticated
+ credentials, see above).
+
+ Credentials can be located next to the kernel image file (credentials
+ specific to a single boot entry), or in one of the shared directories
+ (credentials applicable to multiple boot entries).
+
+ * sd-stub now comes with a full man page, that explains its feature set
+ and how to combine a kernel image, an initrd and the stub to build a
+ complete EFI unified kernel image, implementing Boot Loader
+ Specification Type #2.
+
+ * sd-stub may now provide the initrd to the executed kernel via the
+ LINUX_EFI_INITRD_MEDIA_GUID EFI protocol, adding compatibility for
+ non-x86 architectures.
+
+ * bootctl learnt new set-timeout and set-timeout-oneshot commands that
+ may be used to set the boot menu time-out of the boot loader (for all
+ or just the subsequent boot).
+
+ * bootctl and kernel-install will now read variables
+ KERNEL_INSTALL_LAYOUT= from /etc/machine-info and layout= from
+ /etc/kernel/install.conf. When set, it specifies the layout to use
+ for installation directories on the boot partition, so that tools
+ don't need to guess it based on the already-existing directories. The
+ only value that is defined natively is "bls", corresponding to the
+ layout specified in
+ https://systemd.io/BOOT_LOADER_SPECIFICATION/. Plugins for
+ kernel-install that implement a different layout can declare other
+ values for this variable.
+
+ 'bootctl install' will now write KERNEL_INSTALL_LAYOUT=bls, on the
+ assumption that if the user installed sd-boot to the ESP, they intend
+ to use the entry layout understood by sd-boot. It'll also write
+ KERNEL_INSTALL_MACHINE_ID= if it creates any directories using the ID
+ (and it wasn't specified in the config file yet). Similarly,
+ kernel-install will now write KERNEL_INSTALL_MACHINE_ID= (if it
+ wasn't specified in the config file yet). Effectively, those changes
+ mean that the machine-id used for boot loader entry installation is
+ "frozen" upon first use and becomes independent of the actual
+ machine-id.
+
+ Configuring KERNEL_INSTALL_MACHINE_ID fixes the following problem:
+ images created for distribution ("golden images") are built with no
+ machine-id, so that a unique machine-id can be created on the first
+ boot. But those images may contain boot loader entries with the
+ machine-id used during build included in paths. Using a "frozen"
+ value allows unambiguously identifying entries that match the
+ specific installation, while still permitting parallel installations
+ without conflict.
+
+ Configuring KERNEL_INSTALL_LAYOUT obviates the need for
+ kernel-install to guess the installation layout. This fixes the
+ problem where a (possibly empty) directory in the boot partition is
+ created from a different layout causing kernel-install plugins to
+ assume the wrong layout. A particular example of how this may happen
+ is the grub2 package in Fedora which includes directories under /boot
+ directly in its file list. Various other packages pull in grub2 as a
+ dependency, so it may be installed even if unused, breaking
+ installations that use the bls layout.
+
+ * bootctl and systemd-bless-boot can now be linked statically.
+
+ * systemd-sysext now optionally doesn't insist on extension-release.d/
+ files being placed in the image under the image's file name. If the
+ file system xattr user.extension-release.strict is set on the
+ extension release file, it is accepted regardless of its name. This
+ relaxes security restrictions a bit, as system extension may be
+ attached under a wrong name this way.
+
+ * udevadm's test-builtin command learnt a new --action= switch for
+ testing the built-in with the specified action (in place of the
+ default 'add').
+
+ * udevadm info gained new switches --property=/--value for showing only
+ specific udev properties/values instead of all.
+
+ * A new hwdb database has been added that contains matches for various
+ types of signal analyzers (protocol analyzers, logic analyzers,
+ oscilloscopes, multimeters, bench power supplies, etc.) that should
+ be accessible to regular users.
+
+ * A new hwdb database entry has been added that carries information
+ about types of cameras (regular or infrared), and in which direction
+ they point (front or back).
+
+ * A new rule to allow console users access to rfkill by default has been
+ added to hwdb.
+
+ * Device nodes for the Software Guard eXtension enclaves (sgx_vepc) are
+ now also owned by the system group "sgx".
+
+ * A new build-time meson option "extra-net-naming-schemes=" has been
+ added to define additional naming schemes schemes for udev's network
+ interface naming logic. This is useful for enterprise distributions
+ and similar which want to pin the schemes of certain distribution
+ releases under a specific name and previously had to patch the
+ sources to introduce new named schemes.
+
+ * The predictable naming logic for network interfaces has been extended
+ to generate stable names from Xen netfront device information.
+
+ * hostnamed's chassis property can now be sourced from chassis-type
+ field encoded in devicetree (in addition to the existing DMI
+ support).
+
+ * systemd-cgls now optionally displays cgroup IDs and extended
+ attributes for each cgroup. (Controllable via the new --xattr= +
+ --cgroup-id= switches.)
+
+ * coredumpctl gained a new --all switch for operating on all
+ Journal files instead of just the local ones.
+
+ * systemd-coredump will now use libdw/libelf via dlopen() rather than
+ directly linking, allowing users to easily opt-out of backtrace/metadata
+ analysis of core files, and reduce image sizes when this is not needed.
+
+ * systemd-coredump will now analyze core files with libdw/libelf in a
+ forked, sandboxed process.
+
+ * systemd-homed will now try to unmount an activate home area in
+ regular intervals once the user logged out fully. Previously this was
+ attempted exactly once but if the home directory was busy for some
+ reason it was not tried again.
+
+ * systemd-homed's LUKS2 home area backend will now create a BSD file
+ system lock on the image file while the home area is active
+ (i.e. mounted). If a home area is found to be locked, logins are
+ politely refused. This should improve behavior when using home areas
+ images that are accessible via the network from multiple clients, and
+ reduce the chance of accidental file system corruption in that case.
+
+ * Optionally, systemd-homed will now drop the kernel buffer cache once
+ a user has fully logged out, configurable via the new --drop-caches=
+ homectl switch.
+
+ * systemd-homed now makes use of UID mapped mounts for the home areas.
+ If the kernel and used file system support it, files are now
+ internally owned by the "nobody" user (i.e. the user typically used
+ for indicating "this ownership is not mapped"), and dynamically
+ mapped to the UID used locally on the system via the UID mapping
+ mount logic of recent kernels. This makes migrating home areas
+ between different systems cheaper because recursively chown()ing file
+ system trees is no longer necessary.
+
+ * systemd-homed's CIFS backend now optionally supports CIFS service
+ names with a directory suffix, in order to place home directories in
+ a subdirectory of a CIFS share, instead of the top-level directory.
+
+ * systemd-homed's CIFS backend gained support for specifying additional
+ mount options in the JSON user record (cifsExtraMountOptions field,
+ and --cifs-extra-mount-options= homectl switch). This is for example
+ useful for configuring mount options such as "noserverino" that some
+ SMB3 services require (use that to run a homed home directory from a
+ FritzBox SMB3 share this way).
+
+ * systemd-homed will now default to btrfs' zstd compression for home
+ areas. This is inspired by Fedora's recent decision to switch to zstd
+ by default.
+
+ * Additional mount options to use when mounting the file system of
+ LUKS2 volumes in systemd-homed has been added. Via the
+ $SYSTEMD_HOME_MOUNT_OPTIONS_BTRFS, $SYSTEMD_HOME_MOUNT_OPTIONS_EXT4,
+ $SYSTEMD_HOME_MOUNT_OPTIONS_XFS environment variables to
+ systemd-homed or via the luksExtraMountOptions user record JSON
+ property. (Exposed via homectl --luks-extra-mount-options)
+
+ * homectl's resize command now takes the special size specifications
+ "min" and "max" to shrink/grow the home area to the minimum/maximum
+ size possible, taking disk usage/space constraints and file system
+ limitations into account. Resizing is now generally graceful: the
+ logic will try to get as close to the specified size as possible, but
+ not consider it a failure if the request couldn't be fulfilled
+ precisely.
+
+ * systemd-homed gained the ability to automatically shrink home areas
+ on logout to their minimal size and grow them again on next
+ login. This ensures that while inactive, a home area only takes up
+ the minimal space necessary, but once activated, it provides
+ sufficient space for the user's needs. This behavior is only
+ supported if btrfs is used as file system inside the home area
+ (because only for btrfs online growing/shrinking is implemented in
+ the kernel). This behavior is now enabled by default, but may be
+ controlled via the new --auto-resize-mode= setting of homectl.
+
+ * systemd-homed gained support for automatically re-balancing free disk
+ space among active home areas, in case the LUKS2 backends are used,
+ and no explicit disk size was requested. This way disk space is
+ automatically managed and home areas resized in regular intervals and
+ manual resizing when disk space becomes scarce should not be
+ necessary anymore. This behavior is only supported if btrfs is used
+ within the home areas (as only then online shrinking and growing is
+ supported), and may be configured via the new rebalanceWeight JSON
+ user record field (as exposed via the new --rebalance-weight= homectl
+ setting). Re-balancing is mostly automatic, but can also be requested
+ explicitly via "homectl rebalance", which is synchronous, and thus
+ may be used to wait until the rebalance run is complete.
+
+ * userdbctl gained a --json= switch for configured the JSON formatting
+ to use when outputting user or group records.
+
+ * userdbctl gained a new --multiplexer= switch for explicitly
+ configuring whether to use the systemd-userdbd server side user
+ record resolution logic.
+
+ * userdbctl's ssh-authorized-keys command learnt a new --chain switch,
+ for chaining up another command to execute after completing the
+ look-up. Since the OpenSSH's AuthorizedKeysCommand only allows
+ configuration of a single command to invoke, this maybe used to
+ invoke multiple: first userdbctl's own implementation, and then any
+ other also configured in the command line.
+
+ * The sd-event API gained a new function sd_event_add_inotify_fd() that
+ is similar to sd_event_add_inotify() but accepts a file descriptor
+ instead of a path in the file system for referencing the inode to
+ watch.
+
+ * The sd-event API gained a new function
+ sd_event_source_set_ratelimit_expire_callback() that may be used to
+ define a callback function that is called whenever an event source
+ leaves the rate limiting phase.
+
+ * New documentation has been added explaining which steps are necessary
+ to port systemd to a new architecture:
+
+ https://systemd.io/PORTING_TO_NEW_ARCHITECTURES
+
+ * The x-systemd.makefs option in /etc/fstab now explicitly supports
+ ext2, ext3, and f2fs file systems.
+
+ * Mount units and units generated from /etc/fstab entries with 'noauto'
+ are now ordered the same as other units. Effectively, they will be
+ started earlier (if something actually pulled them in) and stopped
+ later, similarly to normal mount units that are part of
+ fs-local.target. This change should be invisible to users, but
+ should prevent those units from being stopped too early during
+ shutdown.
+
+ * The systemd-getty-generator now honors a new kernel command line
+ argument systemd.getty_auto= and a new environment variable
+ $SYSTEMD_GETTY_AUTO that allows turning it off at boot. This is for
+ example useful to turn off gettys inside of containers or similar
+ environments.
+
+ * systemd-resolved now listens on a second DNS stub address: 127.0.0.54
+ (in addition to 127.0.0.53, as before). If DNS requests are sent to
+ this address they are propagated in "bypass" mode only, i.e. are
+ almost not processed locally, but mostly forwarded as-is to the
+ current upstream DNS servers. This provides a stable DNS server
+ address that proxies all requests dynamically to the right upstream
+ DNS servers even if these dynamically change. This stub does not do
+ mDNS/LLMNR resolution. However, it will translate look-ups to
+ DNS-over-TLS if necessary. This new stub is particularly useful in
+ container/VM environments, or for tethering setups: use DNAT to
+ redirect traffic to any IP address to this stub.
+
+ * systemd-importd now honors new environment variables
+ $SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA,
+ $SYSTEMD_IMPORT_SYNC, which may be used disable btrfs subvolume
+ generation, btrfs quota setup and disk synchronization.
+
+ * systemd-importd and systemd-resolved can now be optionally built with
+ OpenSSL instead of libgcrypt.
+
+ * systemd-repart no longer requires OpenSSL.
+
+ * systemd-sysusers will no longer create the redundant 'nobody' group
+ by default, as the 'nobody' user is already created with an
+ appropriate primary group.
+
+ * If a unit uses RuntimeMaxSec, systemctl show will now display it.
+
+ * systemctl show-environment gained support for --output=json.
+
+ * pam_systemd will now first try to use the X11 abstract socket, and
+ fallback to the socket file in /tmp/.X11-unix/ only if that does not
+ work.
+
+ * systemd-journald will no longer go back to volatile storage
+ regardless of configuration when its unit is restarted.
+
+ * Initial support for the LoongArch architecture has been added (system
+ call lists, GPT partition table UUIDs, etc).
+
+ * systemd-journald's own logging messages are now also logged to the
+ journal itself when systemd-journald logs to /dev/kmsg.
+
+ * systemd-journald now re-enables COW for archived journal files on
+ filesystems that support COW. One benefit of this change is that
+ archived journal files will now get compressed on btrfs filesystems
+ that have compression enabled.
+
+ * systemd-journald now deduplicates fields in a single log message
+ before adding it to the journal. In archived journal files, it will
+ also punch holes for unused parts and truncate the file as
+ appropriate, leading to reductions in disk usage.
+
+ * journalctl --verify was extended with more informative error
+ messages.
+
+ * More of sd-journal's functions are now resistant against journal file
+ corruption.
+
+ * The shutdown command learnt a new option --show, to display the
+ scheduled shutdown.
+
+ * A LICENSES/ directory is now included in the git tree. It contains a
+ README.md file that explains the licenses used by source files in
+ this repository. It also contains the text of all applicable
+ licenses as they appear on spdx.org.
+
+ Contributions from: Aakash Singh, acsfer, Adolfo Jayme Barrientos,
+ Adrian Vovk, Albert Brox, Alberto Mardegan, Alexander Kanavin,
+ alexlzhu, Alfonso Sánchez-Beato, Alvin Šipraga, Alyssa Ross,
+ Amir Omidi, Anatol Pomozov, Andika Triwidada, Andreas Rammhold,
+ Andreas Valder, Andrej Lajovic, Andrew Soutar, Andrew Stone, Andy Chi,
+ Anita Zhang, Anssi Hannula, Antonio Alvarez Feijoo,
+ Antony Deepak Thomas, Arnaud Ferraris, Arvid E. Picciani,
+ Bastien Nocera, Benjamin Berg, Benjamin Herrenschmidt, Ben Stockett,
+ Bogdan Seniuc, Boqun Feng, Carl Lei, chlorophyll-zz, Chris Packham,
+ Christian Brauner, Christian Göttsche, Christian Wehrli,
+ Christoph Anton Mitterer, Cristian Rodríguez, Daan De Meyer,
+ Daniel Maixner, Dann Frazier, Dan Streetman, Davide Cavalca,
+ David Seifert, David Tardon, dependabot[bot], Dimitri John Ledkov,
+ Dimitri Papadopoulos, Dimitry Ishenko, Dmitry Khlebnikov,
+ Dominique Martinet, duament, Egor, Egor Ignatov, Emil Renner Berthing,
+ Emily Gonyer, Ettore Atalan, Evgeny Vereshchagin, Florian Klink,
+ Franck Bui, Frantisek Sumsal, Geass-LL, Gibeom Gwon, GnunuX,
+ Gogo Gogsi, gregzuro, Greg Zuro, Gustavo Costa, Hans de Goede,
+ Hela Basa, Henri Chain, hikigaya58, Hugo Carvalho,
+ Hugo Osvaldo Barrera, Iago Lopez Galeiras, Iago López Galeiras,
+ I-dont-need-name, igo95862, Jack Dähn, James Hilliard, Jan Janssen,
+ Jan Kuparinen, Jan Macku, Jan Palus, Jarkko Sakkinen, Jayce Fayne,
+ jiangchuangang, jlempen, John Lindgren, Jonas Dreßler, Jonas Jelten,
+ Jonas Witschel, Joris Hartog, José Expósito, Julia Kartseva,
+ Kai-Heng Feng, Kai Wohlfahrt, Kay Siver Bø, KennthStailey,
+ Kevin Kuehler, Kevin Orr, Khem Raj, Kristian Klausen, Kyle Laker,
+ lainahai, LaserEyess, Lennart Poettering, Lia Lenckowski, longpanda,
+ Luca Boccassi, Luca BRUNO, Ludwig Nussel, Lukas Senionis,
+ Maanya Goenka, Maciek Borzecki, Marcel Menzel, Marco Scardovi,
+ Marcus Harrison, Mark Boudreau, Matthijs van Duin, Mauricio Vásquez,
+ Maxime de Roucy, Max Resch, MertsA, Michael Biebl, Michael Catanzaro,
+ Michal Koutný, Michal Sekletár, Miika Karanki, Mike Gilbert,
+ Milo Turner, ml, monosans, Nacho Barrientos, nassir90, Nishal Kulkarni,
+ nl6720, Ondrej Kozina, Paulo Neves, Pavel Březina, pedro martelletto,
+ Peter Hutterer, Peter Morrow, Piotr Drąg, Rasmus Villemoes, ratijas,
+ Raul Tambre, rene, Riccardo Schirone, Robert-L-Turner, Robert Scheck,
+ Ross Jennings, saikat0511, Scott Lamb, Scott Worley,
+ Sergei Trofimovich, Sho Iizuka, Slava Bacherikov, Slimane Selyan Amiri,
+ StefanBruens, Steven Siloti, svonohr, Taiki Sugawara, Takashi Sakamoto,
+ Takuro Onoue, Thomas Blume, Thomas Haller, Thomas Mühlbacher,
+ Tianlu Shao, Toke Høiland-Jørgensen, Tom Yan, Tony Asleson,
+ Topi Miettinen, Ulrich Ölmann, Urs Ritzmann, Vincent Bernat,
+ Vito Caputo, Vladimir Panteleev, WANG Xuerui, Wind/owZ, Wu Xiaotian,
+ xdavidwu, Xiaotian Wu, xujing, yangmingtai, Yao Wei, Yao Wei (魏銘廷),
+ Yegor Alexeyev, Yu Watanabe, Zbigniew Jędrzejewski-Szmek,
+ Дамјан Георгиевски, наб
+
+ — Warsaw, 2021-12-23
+
+CHANGES WITH 249:
+
+ * When operating on disk images via the --image= switch of various
+ tools (such as systemd-nspawn or systemd-dissect), or when udev finds
+ no 'root=' parameter on the kernel command line, and multiple
+ suitable root or /usr/ partitions exist in the image, then a simple
+ comparison inspired by strverscmp() is done on the GPT partition
+ label, and the newest partition is picked. This permits a simple and
+ generic whole-file-system A/B update logic where new operating system
+ versions are dropped into partitions whose label is then updated with
+ a matching version identifier.
+
+ * systemd-sysusers now supports querying the passwords to set for the
+ users it creates via the "credentials" logic introduced in v247: the
+ passwd.hashed-password.<user> and passwd.plaintext-password.<user>
+ credentials are consulted for the password to use (either in UNIX
+ hashed form, or literally). By default these credentials are inherited
+ down from PID1 (which in turn imports it from a container manager if
+ there is one). This permits easy configuration of user passwords
+ during first boot. Example:
+
+ # systemd-nspawn -i foo.raw --volatile=yes --set-credential=passwd.plaintext-password.root:foo
+
+ Note that systemd-sysusers operates in purely additive mode: it
+ executes no operation if the declared users already exist, and hence
+ doesn't set any passwords as effect of the command line above if the
+ specified root user exists already in the image. (Note that
+ --volatile=yes ensures it doesn't, though.)
+
+ * systemd-firstboot now also supports querying various system
+ parameters via the credential subsystems. Thus, as above this may be
+ used to initialize important system parameters on first boot of
+ previously unprovisioned images (i.e. images with a mostly empty
+ /etc/).
+
+ * PID 1 may now show both the unit name and the unit description
+ strings in its status output during boot. This may be configured with
+ StatusUnitFormat=combined in system.conf or
+ systemd.status-unit-format=combined on the kernel command line.
+
+ * The systemd-machine-id-setup tool now supports a --image= switch for
+ provisioning a machine ID file into an OS disk image, similar to how
+ --root= operates on an OS file tree. This matches the existing switch
+ of the same name for systemd-tmpfiles, systemd-firstboot, and
+ systemd-sysusers tools.
+
+ * Similarly, systemd-repart gained support for the --image= switch too.
+ In combination with the existing --size= option, this makes the tool
+ particularly useful for easily growing disk images in a single
+ invocation, following the declarative rules included in the image
+ itself.
+
+ * systemd-repart's partition configuration files gained support for a
+ new switch MakeDirectories= which may be used to create arbitrary
+ directories inside file systems that are created, before registering
+ them in the partition table. This is useful in particular for root
+ partitions to create mount point directories for other partitions
+ included in the image. For example, a disk image that contains a
+ root, /home/, and /var/ partitions, may set MakeDirectories=yes to
+ create /home/ and /var/ as empty directories in the root file system
+ on its creation, so that the resulting image can be mounted
+ immediately, even in read-only mode.
+
+ * systemd-repart's CopyBlocks= setting gained support for the special
+ value "auto". If used, a suitable matching partition on the booted OS
+ is found as source to copy blocks from. This is useful when
+ implementing replicating installers, that are booted from one medium
+ and then stream their own root partition onto the target medium.
+
+ * systemd-repart's partition configuration files gained support for a
+ Flags=, a ReadOnly= and a NoAuto= setting, allowing control of these
+ GPT partition flags for the created partitions: this is useful for
+ marking newly created partitions as read-only, or as not being
+ subject for automatic mounting from creation on.
+
+ * The /etc/os-release file has been extended with two new (optional)
+ variables IMAGE_VERSION= and IMAGE_ID=, carrying identity and version
+ information for OS images that are updated comprehensively and
+ atomically as one image. Two new specifiers %M, %A now resolve to
+ these two fields in the various configuration options that resolve
+ specifiers.
+
+ * portablectl gained a new switch --extension= for enabling portable
+ service images with extensions that follow the extension image
+ concept introduced with v248, and thus allows layering multiple
+ images when setting up the root filesystem of the service.
+
+ * systemd-coredump will now extract ELF build-id information from
+ processes dumping core and include it in the coredump report.
+ Moreover, it will look for ELF .note.package sections with
+ distribution packaging meta-information about the crashing process.
+ This is useful to directly embed the rpm or deb (or any other)
+ package name and version in ELF files, making it easy to match
+ coredump reports with the specific package for which the software was
+ compiled. This is particularly useful on environments with ELF files
+ from multiple vendors, different distributions and versions, as is
+ common today in our containerized and sand-boxed world. For further
+ information, see:
+
+ https://systemd.io/COREDUMP_PACKAGE_METADATA
+
+ * A new udev hardware database has been added for FireWire devices
+ (IEEE 1394).
+
+ * The "net_id" built-in of udev has been updated with three
+ backwards-incompatible changes:
+
+ - PCI hotplug slot names on s390 systems are now parsed as
+ hexadecimal numbers. They were incorrectly parsed as decimal
+ previously, or ignored if the name was not a valid decimal
+ number.
+
+ - PCI onboard indices up to 65535 are allowed. Previously, numbers
+ above 16383 were rejected. This primarily impacts s390 systems,
+ where values up to 65535 are used.
+
+ - Invalid characters in interface names are replaced with "_".
+
+ The new version of the net naming scheme is "v249". The previous
+ scheme can be selected via the "net.naming-scheme=v247" kernel
+ command line parameter.
+
+ * sd-bus' sd_bus_is_ready() and sd_bus_is_open() calls now accept a
+ NULL bus object, for which they will return false. Or in other words,
+ an unallocated bus connection is neither ready nor open.
+
+ * The sd-device API acquired a new API function
+ sd_device_get_usec_initialized() that returns the monotonic time when
+ the udev device first appeared in the database.
+
+ * sd-device gained a new APIs sd_device_trigger_with_uuid() and
+ sd_device_get_trigger_uuid(). The former is similar to
+ sd_device_trigger() but returns a randomly generated UUID that is
+ associated with the synthetic uevent generated by the call. This UUID
+ may be read from the sd_device object a monitor eventually receives,
+ via the sd_device_get_trigger_uuid(). This interface requires kernel
+ 4.13 or above to work, and allows tracking a synthetic uevent through
+ the entire device management stack. The "udevadm trigger --settle"
+ logic has been updated to make use of this concept if available to
+ wait precisely for the uevents it generates. "udevadm trigger" also
+ gained a new parameter --uuid that prints the UUID for each generated
+ uevent.
+
+ * sd-device also gained new APIs sd_device_new_from_ifname() and
+ sd_device_new_from_ifindex() for allocating an sd-device object for
+ the specified network interface. The former accepts an interface name
+ (either a primary or an alternative name), the latter an interface
+ index.
+
+ * The native Journal protocol has been documented. Clients may talk
+ this as alternative to the classic BSD syslog protocol for locally
+ delivering log records to the Journal. The protocol has been stable
+ for a long time and in fact been implemented already in a variety
+ of alternative client libraries. This documentation makes the support
+ for that official:
+
+ https://systemd.io/JOURNAL_NATIVE_PROTOCOL
+
+ * A new BPFProgram= setting has been added to service files. It may be
+ set to a path to a loaded kernel BPF program, i.e. a path to a bpffs
+ file, or a bind mount or symlink to one. This may be used to upload
+ and manage BPF programs externally and then hook arbitrary systemd
+ services into them.
+
+ * The "home.arpa" domain that has been officially declared as the
+ choice for domain for local home networks per RFC 8375 has been added
+ to the default NTA list of resolved, since DNSSEC is generally not
+ available on private domains.
+
+ * The CPUAffinity= setting of unit files now resolves "%" specifiers.
+
+ * A new ManageForeignRoutingPolicyRules= setting has been added to
+ .network files which may be used to exclude foreign-created routing
+ policy rules from systemd-networkd management.
+
+ * systemd-network-wait-online gained two new switches -4 and -6 that
+ may be used to tweak whether to wait for only IPv4 or only IPv6
+ connectivity.
+
+ * .network files gained a new RequiredFamilyForOnline= setting to
+ fine-tune whether to require an IPv4 or IPv6 address in order to
+ consider an interface "online".
+
+ * networkctl will now show an over-all "online" state in the per-link
+ information.
+
+ * In .network files a new OutgoingInterface= setting has been added to
+ specify the output interface in bridge FDB setups.
+
+ * In .network files the Multipath group ID may now be configured for
+ [NextHop] entries, via the new Group= setting.
+
+ * The DHCP server logic configured in .network files gained a new
+ setting RelayTarget= that turns the server into a DHCP server relay.
+ The RelayAgentCircuitId= and RelayAgentRemoteId= settings may be used
+ to further tweak the DHCP relay behaviour.
+
+ * The DHCP server logic also gained a new ServerAddress= setting in
+ .network files that explicitly specifies the server IP address to
+ use. If not specified, the address is determined automatically, as
+ before.
+
+ * The DHCP server logic in systemd-networkd gained support for static
+ DHCP leases, configurable via the [DHCPServerStaticLease]
+ section. This allows explicitly mapping specific MAC addresses to
+ fixed IP addresses and vice versa.
+
+ * The RestrictAddressFamilies= setting in service files now supports a
+ new special value "none". If specified sockets of all address
+ families will be made unavailable to services configured that way.
+
+ * systemd-fstab-generator and systemd-repart have been updated to
+ support booting from disks that carry only a /usr/ partition but no
+ root partition yet, and where systemd-repart can add it in on the
+ first boot. This is useful for implementing systems that ship with a
+ single /usr/ file system, and whose root file system shall be set up
+ and formatted on a LUKS-encrypted volume whose key is generated
+ locally (and possibly enrolled in the TPM) during the first boot.
+
+ * The [Address] section of .network files now accepts a new
+ RouteMetric= setting that configures the routing metric to use for
+ the prefix route created as effect of the address configuration.
+ Similarly, the [DHCPv6PrefixDelegation] and [IPv6Prefix] sections
+ gained matching settings for their prefix routes. (The option of the
+ same name in the [DHCPv6] section is moved to [IPv6AcceptRA], since
+ it conceptually belongs there; the old option is still understood for
+ compatibility.)
+
+ * The DHCPv6 IAID and DUID are now explicitly configurable in .network
+ files.
+
+ * A new udev property ID_NET_DHCP_BROADCAST on network interface
+ devices is now honoured by systemd-networkd, controlling whether to
+ issue DHCP offers via broadcasting. This is used to ensure that s390
+ layer 3 network interfaces work out-of-the-box with systemd-networkd.
+
+ * nss-myhostname and systemd-resolved will now synthesize address
+ records for a new special hostname "_outbound". The name will always
+ resolve to the local IP addresses most likely used for outbound
+ connections towards the default routes. On multi-homed hosts this is
+ useful to have a stable handle referring to "the" local IP address
+ that matters most, to the point where this is defined.
+
+ * The Discoverable Partition Specification has been updated with a new
+ GPT partition flag "grow-file-system" defined for its partition
+ types. Whenever partitions with this flag set are automatically
+ mounted (i.e. via systemd-gpt-auto-generator or the --image= switch
+ of systemd-nspawn or other tools; and as opposed to explicit mounting
+ via /etc/fstab), the file system within the partition is
+ automatically grown to the full size of the partition. If the file
+ system size already matches the partition size this flag has no
+ effect. Previously, this functionality has been available via the
+ explicit x-systemd.growfs mount option, and this new flag extends
+ this to automatically discovered mounts. A new GrowFileSystem=
+ setting has been added to systemd-repart drop-in files that allows
+ configuring this partition flag. This new flag defaults to on for
+ partitions automatically created by systemd-repart, except if they
+ are marked read-only. See the specification for further details:
+
+ https://systemd.io/DISCOVERABLE_PARTITIONS
+
+ * .network files gained a new setting RoutesToNTP= in the [DHCPv4]
+ section. If enabled (which is the default), and an NTP server address
+ is acquired through a DHCP lease on this interface an explicit route
+ to this address is created on this interface to ensure that NTP
+ traffic to the NTP server acquired on an interface is also routed
+ through that interface. The pre-existing RoutesToDNS= setting that
+ implements the same for DNS servers is now enabled by default.
+
+ * A pair of service settings SocketBindAllow= + SocketBindDeny= have
+ been added that may be used to restrict the network interfaces
+ sockets created by the service may be bound to. This is implemented
+ via BPF.
+
+ * A new ConditionFirmware= setting has been added to unit files to
+ conditionalize on certain firmware features. At the moment it may
+ check whether running on an UEFI system, a device.tree system, or if
+ the system is compatible with some specified device-tree feature.
+
+ * A new ConditionOSRelease= setting has been added to unit files to
+ check os-release(5) fields. The "=", "!=", "<", "<=", ">=", ">"
+ operators may be used to check if some field has some specific value
+ or do an alphanumerical comparison. Equality comparisons are useful
+ for fields like ID, but relative comparisons for fields like
+ VERSION_ID or IMAGE_VERSION.
+
+ * hostnamed gained a new Describe() D-Bus method that returns a JSON
+ serialization of the host data it exposes. This is exposed via
+ "hostnamectl --json=" to acquire a host identity description in JSON.
+ It's our intention to add a similar features to most services and
+ objects systemd manages, in order to simplify integration with
+ program code that can consume JSON.
+
+ * Similarly, networkd gained a Describe() method on its Manager and
+ Link bus objects. This is exposed via "networkctl --json=".
+
+ * hostnamectl's various "get-xyz"/"set-xyz" verb pairs
+ (e.g. "hostnamectl get-hostname", "hostnamectl "set-hostname") have
+ been replaced by a single "xyz" verb (e.g. "hostnamectl hostname")
+ that is used both to get the value (when no argument is given), and
+ to set the value (when an argument is specified). The old names
+ continue to be supported for compatibility.
+
+ * systemd-detect-virt and ConditionVirtualization= are now able to
+ correctly identify Amazon EC2 environments.
+
+ * The LogLevelMax= setting of unit files now applies not only to log
+ messages generated *by* the service, but also to log messages
+ generated *about* the service by PID 1. To suppress logs concerning a
+ specific service comprehensively, set this option to a high log
+ level.
+
+ * bootctl gained support for a new --make-machine-id-directory= switch
+ that allows precise control on whether to create the top-level
+ per-machine directory in the boot partition that typically contains
+ Type 1 boot loader entries.
+
+ * During build SBAT data to include in the systemd-boot EFI PE binaries
+ may be specified now.
+
+ * /etc/crypttab learnt a new option "headless". If specified any
+ requests to query the user interactively for passwords or PINs will
+ be skipped. This is useful on systems that are headless, i.e. where
+ an interactive user is generally not present.
+
+ * /etc/crypttab also learnt a new option "password-echo=" that allows
+ configuring whether the encryption password prompt shall echo the
+ typed password and if so, do so literally or via asterisks. (The
+ default is the same behaviour as before: provide echo feedback via
+ asterisks.)
+
+ * FIDO2 support in systemd-cryptenroll/systemd-cryptsetup and
+ systemd-homed has been updated to allow explicit configuration of the
+ "user presence" and "user verification" checks, as well as whether a
+ PIN is required for authentication, via the new switches
+ --fido2-with-user-presence=, --fido2-with-user-verification=,
+ --fido2-with-client-pin= to systemd-cryptenroll and homectl. Which
+ features are available, and may be enabled or disabled depends on the
+ used FIDO2 token.
+
+ * systemd-nspawn's --private-user= switch now accepts the special value
+ "identity" which configures a user namespacing environment with an
+ identity mapping of 65535 UIDs. This means the container UID 0 is
+ mapped to the host UID 0, and the UID 1 to host UID 1. On first look
+ this doesn't appear to be useful, however it does reduce the attack
+ surface a bit, since the resulting container will possess process
+ capabilities only within its namespace and not on the host.
+
+ * systemd-nspawn's --private-user-chown switch has been replaced by a
+ more generic --private-user-ownership= switch that accepts one of
+ three values: "chown" is equivalent to the old --private-user-chown,
+ and "off" is equivalent to the absence of the old switch. The value
+ "map" uses the new UID mapping mounts of Linux 5.12 to map ownership
+ of files and directories of the underlying image to the chosen UID
+ range for the container. "auto" is equivalent to "map" if UID mapping
+ mount are supported, otherwise it is equivalent to "chown". The short
+ -U switch systemd-nspawn now implies --private-user-ownership=auto
+ instead of the old --private-user-chown. Effectively this means: if
+ the backing file system supports UID mapping mounts the feature is
+ now used by default if -U is used. Generally, it's a good idea to use
+ UID mapping mounts instead of recursive chown()ing, since it allows
+ running containers off immutable images (since no modifications of
+ the images need to take place), and share images between multiple
+ instances. Moreover, the recursive chown()ing operation is slow and
+ can be avoided. Conceptually it's also a good thing if transient UID
+ range uses do not leak into persistent file ownership anymore. TLDR:
+ finally, the last major drawback of user namespacing has been
+ removed, and -U should always be used (unless you use btrfs, where
+ UID mapped mounts do not exist; or your container actually needs
+ privileges on the host).
+
+ * nss-systemd now synthesizes user and group shadow records in addition
+ to the main user and group records. Thus, hashed passwords managed by
+ systemd-homed are now accessible via the shadow database.
+
+ * The userdb logic (and thus nss-systemd, and so on) now read
+ additional user/group definitions in JSON format from the drop-in
+ directories /etc/userdb/, /run/userdb/, /run/host/userdb/ and
+ /usr/lib/userdb/. This is a simple and powerful mechanism for making
+ additional users available to the system, with full integration into
+ NSS including the shadow databases. Since the full JSON user/group
+ record format is supported this may also be used to define users with
+ resource management settings and other runtime settings that
+ pam_systemd and systemd-logind enforce at login.
+
+ * The userdbctl tool gained two new switches --with-dropin= and
+ --with-varlink= which can be used to fine-tune the sources used for
+ user database lookups.
+
+ * systemd-nspawn gained a new switch --bind-user= for binding a host
+ user account into the container. This does three things: the user's
+ home directory is bind mounted from the host into the container,
+ below the /run/userdb/home/ hierarchy. A free UID is picked in the
+ container, and a user namespacing UID mapping to the host user's UID
+ installed. And finally, a minimal JSON user and group record (along
+ with its hashed password) is dropped into /run/host/userdb/. These
+ records are picked up automatically by the userdb drop-in logic
+ describe above, and allow the user to login with the same password as
+ on the host. Effectively this means: if host and container run new
+ enough systemd versions making a host user available to the container
+ is trivially simple.
+
+ * systemd-journal-gatewayd now supports the switches --user, --system,
+ --merge, --file= that are equivalent to the same switches of
+ journalctl, and permit exposing only the specified subset of the
+ Journal records.
+
+ * The OnFailure= dependency between units is now augmented with a
+ implicit reverse dependency OnFailureOf= (this new dependency cannot
+ be configured directly it's only created as effect of an OnFailure=
+ dependency in the reverse order — it's visible in "systemctl show"
+ however). Similar, Slice= now has an reverse dependency SliceOf=,
+ that is also not configurable directly, but useful to determine all
+ units that are members of a slice.
+
+ * A pair of new dependency types between units PropagatesStopTo= +
+ StopPropagatedFrom= has been added, that allows propagation of unit
+ stop events between two units. It operates similar to the existing
+ PropagatesReloadTo= + ReloadPropagatedFrom= dependencies.
+
+ * A new dependency type OnSuccess= has been added (plus the reverse
+ dependency OnSuccessOf=, which cannot be configured directly, but
+ exists only as effect of the reverse OnSuccess=). It is similar to
+ OnFailure=, but triggers in the opposite case: when a service exits
+ cleanly. This allows "chaining up" of services where one or more
+ services are started once another service has successfully completed.
+
+ * A new dependency type Upholds= has been added (plus the reverse
+ dependency UpheldBy=, which cannot be configured directly, but exists
+ only as effect of Upholds=). This dependency type is a stronger form
+ of Wants=: if a unit has an UpHolds= dependency on some other unit
+ and the former is active then the latter is started whenever it is
+ found inactive (and no job is queued for it). This is an alternative
+ to Restart= inside service units, but less configurable, and the
+ request to uphold a unit is not encoded in the unit itself but in
+ another unit that intends to uphold it.
+
+ * The systemd-ask-password tool now also supports reading passwords
+ from the credentials subsystem, via the new --credential= switch.
+
+ * The systemd-ask-password tool learnt a new switch --emoji= which may
+ be used to explicit control whether the lock and key emoji (🔐) is
+ shown in the password prompt on suitable TTYs.
+
+ * The --echo switch of systemd-ask-password now optionally takes a
+ parameter that controls character echo. It may either show asterisks
+ (default, as before), turn echo off entirely, or echo the typed
+ characters literally.
+
+ * The systemd-ask-password tool also gained a new -n switch for
+ suppressing output of a trailing newline character when writing the
+ acquired password to standard output, similar to /bin/echo's -n
+ switch.
+
+ * New documentation has been added that describes the organization of
+ the systemd source code tree:
+
+ https://systemd.io/ARCHITECTURE
+
+ * Units using ConditionNeedsUpdate= will no longer be activated in
+ the initrd.
+
+ * It is now possible to list a template unit in the WantedBy= or
+ RequiredBy= settings of the [Install] section of another template
+ unit, which will be instantiated using the same instance name.
+
+ * A new MemoryAvailable property is available for units. If the unit,
+ or the slices it is part of, have a memory limit set via MemoryMax=/
+ MemoryHigh=, MemoryAvailable will indicate how much more memory the
+ unit can claim before hitting the limits.
+
+ * systemd-coredump will now try to stay below the cgroup memory limit
+ placed on itself or one of the slices it runs under, if the storage
+ area for core files (/var/lib/systemd/coredump/) is placed on a tmpfs,
+ since files written on such filesystems count toward the cgroup memory
+ limit. If there is not enough available memory in such cases to store
+ the core file uncompressed, systemd-coredump will skip to compressed
+ storage directly (if enabled) and it will avoid analyzing the core file
+ to print backtrace and metadata in the journal.
+
+ * tmpfiles.d/ drop-ins gained a new '=' modifier to check if the type
+ of a path matches the configured expectations, and remove it if not.
+
+ * tmpfiles.d/'s 'Age' now accepts an 'age-by' argument, which allows to
+ specify which of the several available filesystem timestamps (access
+ time, birth time, change time, modification time) to look at when
+ deciding whether a path has aged enough to be cleaned.
+
+ * A new IPv6StableSecretAddress= setting has been added to .network
+ files, which takes an IPv6 address to use as secret for IPv6 address
+ generation.
+
+ * The [DHCPServer] logic in .network files gained support for a new
+ UplinkInterface= setting that permits configuration of the uplink
+ interface name to propagate DHCP lease information from.
+
+ * The WakeOnLan= setting in .link files now accepts a list of flags
+ instead of a single one, to configure multiple wake-on-LAN policies.
+
+ * User-space defined tracepoints (USDT) have been added to udev at
+ strategic locations. This is useful for tracing udev behaviour and
+ performance with bpftrace and similar tools.
+
+ * systemd-journald-upload gained a new NetworkTimeoutSec= option for
+ setting a network timeout time.
+
+ * If a system service is running in a new mount namespace (RootDirectory=
+ and friends), all file systems will be mounted with MS_NOSUID by
+ default, unless the system is running with SELinux enabled.
+
+ * When enumerating time zones the timedatectl tool will now consult the
+ 'tzdata.zi' file shipped by the IANA time zone database package, in
+ addition to 'zone1970.tab', as before. This makes sure time zone
+ aliases are now correctly supported. Some distributions so far did
+ not install this additional file, most do however. If you
+ distribution does not install it yet, it might make sense to change
+ that.
+
+ * Intel HID rfkill event is no longer masked, since it's the only
+ source of rfkill event on newer HP laptops. To have both backward and
+ forward compatibility, userspace daemon needs to debounce duplicated
+ events in a short time window.
+
+ Contributions from: Aakash Singh, adrian5, Albert Brox,
+ Alexander Sverdlin, Alexander Tsoy, Alexey Rubtsov, alexlzhu,
+ Allen Webb, Alvin Šipraga, Alyssa Ross, Anders Wenhaug,
+ Andrea Pappacoda, Anita Zhang, asavah, Balint Reczey, Bertrand Jacquin,
+ borna-blazevic, caoxia2008cxx, Carlo Teubner, Christian Göttsche,
+ Christian Hesse, Daniel Schaefer, Dan Streetman,
+ David Santamaría Rogado, David Tardon, Deepak Rawat, dgcampea,
+ Dimitri John Ledkov, ei-ke, Emilio Herrera, Emil Renner Berthing,
+ Eric Cook, Flos Lonicerae, Franck Bui, Francois Gervais,
+ Frantisek Sumsal, Gibeom Gwon, gitm0, Hamish Moffatt, Hans de Goede,
+ Harsh Barsaiyan, Henri Chain, Hristo Venev, Icenowy Zheng, Igor Zhbanov,
+ imayoda, Jakub Warczarek, James Buren, Jan Janssen, Jan Macku,
+ Jan Synacek, Jason Francis, Jayanth Ananthapadmanaban, Jeremy Szu,
+ Jérôme Carretero, Jesse Stricker, jiangchuangang, Joerg Behrmann,
+ Jóhann B. Guðmundsson, Jörg Deckert, Jörg Thalheim, Juergen Hoetzel,
+ Julia Kartseva, Kai-Heng Feng, Khem Raj, KoyamaSohei, laineantti,
+ Lennart Poettering, LetzteInstanz, Luca Adrian L, Luca Boccassi,
+ Lucas Magasweran, Mantas Mikulėnas, Marco Antonio Mauro, Mark Wielaard,
+ Masahiro Matsuya, Matt Johnston, Michael Catanzaro, Michal Koutný,
+ Michal Sekletár, Mike Crowe, Mike Kazantsev, Milan, milaq,
+ Miroslav Suchý, Morten Linderud, nerdopolis, nl6720, Noah Meyerhans,
+ Oleg Popov, Olle Lundberg, Ondrej Kozina, Paweł Marciniak, Perry.Yuan,
+ Peter Hutterer, Peter Kjellerstedt, Peter Morrow, Phaedrus Leeds,
+ plattrap, qhill, Raul Tambre, Roman Beranek, Roshan Shariff,
+ Ryan Hendrickson, Samuel BF, scootergrisen, Sebastian Blunt,
+ Seong-ho Cho, Sergey Bugaev, Sevan Janiyan, Sibo Dong, simmon,
+ Simon Watts, Srinidhi Kaushik, Štěpán Němec, Steve Bonds, Susant Sahani,
+ sverdlin, syyhao1994, Takashi Sakamoto, Topi Miettinen, tramsay,
+ Trent Piepho, Uwe Kleine-König, Viktor Mihajlovski, Vincent Dechenaux,
+ Vito Caputo, William A. Kennington III, Yangyang Shen, Yegor Alexeyev,
+ Yi Gao, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, zsien, наб
+
+ — Edinburgh, 2021-07-07
+
+CHANGES WITH 248:
+
+ * A concept of system extension images is introduced. Such images may
+ be used to extend the /usr/ and /opt/ directory hierarchies at
+ runtime with additional files (even if the file system is read-only).
+ When a system extension image is activated, its /usr/ and /opt/
+ hierarchies and os-release information are combined via overlayfs
+ with the file system hierarchy of the host OS.
+
+ A new systemd-sysext tool can be used to merge, unmerge, list, and
+ refresh system extension hierarchies. See
+ https://www.freedesktop.org/software/systemd/man/systemd-sysext.html.
+
+ The systemd-sysext.service automatically merges installed system
+ extensions during boot (before basic.target, but not in very early
+ boot, since various file systems have to be mounted first).
+
+ The SYSEXT_LEVEL= field in os-release(5) may be used to specify the
+ supported system extension level.
+
+ * A new ExtensionImages= unit setting can be used to apply the same
+ system extension image concept from systemd-sysext to the namespaced
+ file hierarchy of specific services, following the same rules and
+ constraints.
+
+ * Support for a new special "root=tmpfs" kernel command-line option has
+ been added. When specified, a tmpfs is mounted on /, and mount.usr=
+ should be used to point to the operating system implementation.
+
+ * A new configuration file /etc/veritytab may be used to configure
+ dm-verity integrity protection for block devices. Each line is in the
+ format "volume-name data-device hash-device roothash options",
+ similar to /etc/crypttab.
+
+ * A new kernel command-line option systemd.verity.root_options= may be
+ used to configure dm-verity behaviour for the root device.
+
+ * The key file specified in /etc/crypttab (the third field) may now
+ refer to an AF_UNIX/SOCK_STREAM socket in the file system. The key is
+ acquired by connecting to that socket and reading from it. This
+ allows the implementation of a service to provide key information
+ dynamically, at the moment when it is needed.
+
+ * When the hostname is set explicitly to "localhost", systemd-hostnamed
+ will respect this. Previously such a setting would be mostly silently
+ ignored. The goal is to honour configuration as specified by the
+ user.
+
+ * The fallback hostname that will be used by the system manager and
+ systemd-hostnamed can now be configured in two new ways: by setting
+ DEFAULT_HOSTNAME= in os-release(5), or by setting
+ $SYSTEMD_DEFAULT_HOSTNAME in the environment block. As before, it can
+ also be configured during compilation. The environment variable is
+ intended for testing and local overrides, the os-release(5) field is
+ intended to allow customization by different variants of a
+ distribution that share the same compiled packages.
+
+ * The environment block of the manager itself may be configured through
+ a new ManagerEnvironment= setting in system.conf or user.conf. This
+ complements existing ways to set the environment block (the kernel
+ command line for the system manager, the inherited environment and
+ user@.service unit file settings for the user manager).
+
+ * systemd-hostnamed now exports the default hostname and the source of
+ the configured hostname ("static", "transient", or "default") as
+ D-Bus properties.
+
+ * systemd-hostnamed now exports the "HardwareVendor" and
+ "HardwareModel" D-Bus properties, which are supposed to contain a
+ pair of cleaned up, human readable strings describing the system's
+ vendor and model. It's typically sourced from the firmware's DMI
+ tables, but may be augmented from a new hwdb database. hostnamectl
+ shows this in the status output.
+
+ * Support has been added to systemd-cryptsetup for extracting the
+ PKCS#11 token URI and encrypted key from the LUKS2 JSON embedded
+ metadata header. This allows the information how to open the
+ encrypted device to be embedded directly in the device and obviates
+ the need for configuration in an external file.
+
+ * systemd-cryptsetup gained support for unlocking LUKS2 volumes using
+ TPM2 hardware, as well as FIDO2 security tokens (in addition to the
+ pre-existing support for PKCS#11 security tokens).
+
+ * systemd-repart may enroll encrypted partitions using TPM2
+ hardware. This may be useful for example to create an encrypted /var
+ partition bound to the machine on first boot.
+
+ * A new systemd-cryptenroll tool has been added to enroll TPM2, FIDO2
+ and PKCS#11 security tokens to LUKS volumes, list and destroy
+ them. See:
+
+ http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
+
+ It also supports enrolling "recovery keys" and regular passphrases.
+
+ * The libfido2 dependency is now based on dlopen(), so that the library
+ is used at runtime when installed, but is not a hard runtime
+ dependency.
+
+ * systemd-cryptsetup gained support for two new options in
+ /etc/crypttab: "no-write-workqueue" and "no-read-workqueue" which
+ request synchronous processing of encryption/decryption IO.
+
+ * The manager may be configured at compile time to use the fexecve()
+ instead of the execve() system call when spawning processes. Using
+ fexecve() closes a window between checking the security context of an
+ executable and spawning it, but unfortunately the kernel displays
+ stale information in the process' "comm" field, which impacts ps
+ output and such.
+
+ * The configuration option -Dcompat-gateway-hostname has been dropped.
+ "_gateway" is now the only supported name.
+
+ * The ConditionSecurity=tpm2 unit file setting may be used to check if
+ the system has at least one TPM2 (tpmrm class) device.
+
+ * A new ConditionCPUFeature= has been added that may be used to
+ conditionalize units based on CPU features. For example,
+ ConditionCPUFeature=rdrand will condition a unit so that it is only
+ run when the system CPU supports the RDRAND opcode.
+
+ * The existing ConditionControlGroupController= setting has been
+ extended with two new values "v1" and "v2". "v2" means that the
+ unified v2 cgroup hierarchy is used, and "v1" means that legacy v1
+ hierarchy or the hybrid hierarchy are used.
+
+ * A new PrivateIPC= setting on a unit file allows executed processes to
+ be moved into a private IPC namespace, with separate System V IPC
+ identifiers and POSIX message queues.
+
+ A new IPCNamespacePath= allows the unit to be joined to an existing
+ IPC namespace.
+
+ * The tables of system calls in seccomp filters are now automatically
+ generated from kernel lists exported on
+ https://fedora.juszkiewicz.com.pl/syscalls.html.
+
+ The following architectures should now have complete lists:
+ alpha, arc, arm64, arm, i386, ia64, m68k, mips64n32, mips64, mipso32,
+ powerpc, powerpc64, s390, s390x, tilegx, sparc, x86_64, x32.
+
+ * The MountAPIVFS= service file setting now additionally mounts a tmpfs
+ on /run/ if it is not already a mount point. A writable /run/ has
+ always been a requirement for a functioning system, but this was not
+ guaranteed when using a read-only image.
+
+ Users can always specify BindPaths= or InaccessiblePaths= as
+ overrides, and they will take precedence. If the host's root mount
+ point is used, there is no change in behaviour.
+
+ * New bind mounts and file system image mounts may be injected into the
+ mount namespace of a service (without restarting it). This is exposed
+ respectively as 'systemctl bind <unit> <path>…' and
+ 'systemctl mount-image <unit> <image>…'.
+
+ * The StandardOutput= and StandardError= settings can now specify files
+ to be truncated for output (as "truncate:<path>").
+
+ * The ExecPaths= and NoExecPaths= settings may be used to specify
+ noexec for parts of the file system.
+
+ * sd-bus has a new function sd_bus_open_user_machine() to open a
+ connection to the session bus of a specific user in a local container
+ or on the local host. This is exposed in the existing -M switch to
+ systemctl and similar tools:
+
+ systemctl --user -M lennart@foobar start foo
+
+ This will connect to the user bus of a user "lennart" in container
+ "foobar". If no container name is specified, the specified user on
+ the host itself is connected to
+
+ systemctl --user -M lennart@ start quux
+
+ * sd-bus also gained a convenience function sd_bus_message_send() to
+ simplify invocations of sd_bus_send(), taking only a single
+ parameter: the message to send.
+
+ * sd-event allows rate limits to be set on event sources, for dealing
+ with high-priority event sources that might starve out others. See
+ the new man page sd_event_source_set_ratelimit(3) for details.
+
+ * systemd.link files gained a [Link] Promiscuous= switch, which allows
+ the device to be raised in promiscuous mode.
+
+ New [Link] TransmitQueues= and ReceiveQueues= settings allow the
+ number of TX and RX queues to be configured.
+
+ New [Link] TransmitQueueLength= setting allows the size of the TX
+ queue to be configured.
+
+ New [Link] GenericSegmentOffloadMaxBytes= and
+ GenericSegmentOffloadMaxSegments= allow capping the packet size and
+ the number of segments accepted in Generic Segment Offload.
+
+ * systemd-networkd gained support for the "B.A.T.M.A.N. advanced"
+ wireless routing protocol that operates on ISO/OSI Layer 2 only and
+ uses ethernet frames to route/bridge packets. This encompasses a new
+ "batadv" netdev Type=, a new [BatmanAdvanced] section with a bunch of
+ new settings in .netdev files, and a new BatmanAdvanced= setting in
+ .network files.
+
+ * systemd.network files gained a [Network] RouteTable= configuration
+ switch to select the routing policy table.
+
+ systemd.network files gained a [RoutingPolicyRule] Type=
+ configuration switch (one of "blackhole, "unreachable", "prohibit").
+
+ systemd.network files gained a [IPv6AcceptRA] RouteDenyList= and
+ RouteAllowList= settings to ignore/accept route advertisements from
+ routers matching specified prefixes. The DenyList= setting has been
+ renamed to PrefixDenyList= and a new PrefixAllowList= option has been
+ added.
+
+ systemd.network files gained a [DHCPv6] UseAddress= setting to
+ optionally ignore the address provided in the lease.
+
+ systemd.network files gained a [DHCPv6PrefixDelegation]
+ ManageTemporaryAddress= switch.
+
+ systemd.network files gained a new ActivationPolicy= setting which
+ allows configuring how the UP state of an interface shall be managed,
+ i.e. whether the interface is always upped, always downed, or may be
+ upped/downed by the user using "ip link set dev".
+
+ * The default for the Broadcast= setting in .network files has slightly
+ changed: the broadcast address will not be configured for wireguard
+ devices.
+
+ * systemd.netdev files gained a [VLAN] Protocol=, IngressQOSMaps=,
+ EgressQOSMaps=, and [MACVLAN] BroadcastMulticastQueueLength=
+ configuration options for VLAN packet handling.
+
+ * udev rules may now set log_level= option. This allows debug logs to
+ be enabled for select events, e.g. just for a specific subsystem or
+ even a single device.
+
+ * udev now exports the VOLUME_ID, LOGICAL_VOLUME_ID, VOLUME_SET_ID, and
+ DATA_PREPARED_ID properties for block devices with ISO9660 file
+ systems.
+
+ * udev now exports decoded DMI information about installed memory slots
+ as device properties under the /sys/class/dmi/id/ pseudo device.
+
+ * /dev/ is not mounted noexec anymore. This didn't provide any
+ significant security benefits and would conflict with the executable
+ mappings used with /dev/sgx device nodes. The previous behaviour can
+ be restored for individual services with NoExecPaths=/dev (or by allow-
+ listing and excluding /dev from ExecPaths=).
+
+ * Permissions for /dev/vsock are now set to 0o666, and /dev/vhost-vsock
+ and /dev/vhost-net are owned by the kvm group.
+
+ * The hardware database has been extended with a list of fingerprint
+ readers that correctly support USB auto-suspend using data from
+ libfprint.
+
+ * systemd-resolved can now answer DNSSEC questions through the stub
+ resolver interface in a way that allows local clients to do DNSSEC
+ validation themselves. For a question with DO+CD set, it'll proxy the
+ DNS query and respond with a mostly unmodified packet received from
+ the upstream server.
+
+ * systemd-resolved learnt a new boolean option CacheFromLocalhost= in
+ resolved.conf. If true the service will provide caching even for DNS
+ lookups made to an upstream DNS server on the 127.0.0.1/::1
+ addresses. By default (and when the option is false) systemd-resolved
+ will not cache such lookups, in order to avoid duplicate local
+ caching, under the assumption the local upstream server caches
+ anyway.
+
+ * systemd-resolved now implements RFC5001 NSID in its local DNS
+ stub. This may be used by local clients to determine whether they are
+ talking to the DNS resolver stub or a different DNS server.
+
+ * When resolving host names and other records resolvectl will now
+ report where the data was acquired from (i.e. the local cache, the
+ network, locally synthesized, …) and whether the network traffic it
+ effected was encrypted or not. Moreover the tool acquired a number of
+ new options --cache=, --synthesize=, --network=, --zone=,
+ --trust-anchor=, --validate= that take booleans and may be used to
+ tweak a lookup, i.e. whether it may be answered from cached
+ information, locally synthesized information, information acquired
+ through the network, the local mDNS/LLMNR zone, the DNSSEC trust
+ anchor, and whether DNSSEC validation shall be executed for the
+ lookup.
+
+ * systemd-nspawn gained a new --ambient-capability= setting
+ (AmbientCapability= in .nspawn files) to configure ambient
+ capabilities passed to the container payload.
+
+ * systemd-nspawn gained the ability to configure the firewall using the
+ nftables subsystem (in addition to the existing iptables
+ support). Similarly, systemd-networkd's IPMasquerade= option now
+ supports nftables as back-end, too. In both cases NAT on IPv6 is now
+ supported too, in addition to IPv4 (the iptables back-end still is
+ IPv4-only).
+
+ "IPMasquerade=yes", which was the same as "IPMasquerade=ipv4" before,
+ retains its meaning, but has been deprecated. Please switch to either
+ "ivp4" or "both" (if covering IPv6 is desired).
+
+ * systemd-importd will now download .verity and .roothash.p7s files
+ along with the machine image (as exposed via machinectl pull-raw).
+
+ * systemd-oomd now gained a new DefaultMemoryPressureDurationSec=
+ setting to configure the time a unit's cgroup needs to exceed memory
+ pressure limits before action will be taken, and a new
+ ManagedOOMPreference=none|avoid|omit setting to avoid killing certain
+ units.
+
+ systemd-oomd is now considered fully supported (the usual
+ backwards-compatibility promises apply). Swap is not required for
+ operation, but it is still recommended.
+
+ * systemd-timesyncd gained a new ConnectionRetrySec= setting which
+ configures the retry delay when trying to contact servers.
+
+ * systemd-stdio-bridge gained --system/--user options to connect to the
+ system bus (previous default) or the user session bus.
+
+ * systemd-localed may now call locale-gen to generate missing locales
+ on-demand (UTF-8-only). This improves integration with Debian-based
+ distributions (Debian/Ubuntu/PureOS/Tanglu/...) and Arch Linux.
+
+ * systemctl --check-inhibitors=true may now be used to obey inhibitors
+ even when invoked non-interactively. The old --ignore-inhibitors
+ switch is now deprecated and replaced by --check-inhibitors=false.
+
+ * systemctl import-environment will now emit a warning when called
+ without any arguments (i.e. to import the full environment block of
+ the called program). This command will usually be invoked from a
+ shell, which means that it'll inherit a bunch of variables which are
+ specific to that shell, and usually to the TTY the shell is connected
+ to, and don't have any meaning in the global context of the system or
+ user service manager. Instead, only specific variables should be
+ imported into the manager environment block.
+
+ Similarly, programs which update the manager environment block by
+ directly calling the D-Bus API of the manager, should also push
+ specific variables, and not the full inherited environment.
+
+ * systemctl's status output now shows unit state with a more careful
+ choice of Unicode characters: units in maintenance show a "○" symbol
+ instead of the usual "●", failed units show "×", and services being
+ reloaded "↻".
+
+ * coredumpctl gained a --debugger-arguments= switch to pass arguments
+ to the debugger. It also gained support for showing coredump info in
+ a simple JSON format.
+
+ * systemctl/loginctl/machinectl's --signal= option now accept a special
+ value "list", which may be used to show a brief table with known
+ process signals and their numbers.
+
+ * networkctl now shows the link activation policy in status.
+
+ * Various tools gained --pager/--no-pager/--json= switches to
+ enable/disable the pager and provide JSON output.
+
+ * Various tools now accept two new values for the SYSTEMD_COLORS
+ environment variable: "16" and "256", to configure how many terminal
+ colors are used in output.
+
+ * less 568 or newer is now required for the auto-paging logic of the
+ various tools. Hyperlink ANSI sequences in terminal output are now
+ used even if a pager is used, and older versions of less are not able
+ to display these sequences correctly. SYSTEMD_URLIFY=0 may be used to
+ disable this output again.
+
+ * Builds with support for separate / and /usr/ hierarchies ("split-usr"
+ builds, non-merged-usr builds) are now officially deprecated. A
+ warning is emitted during build. Support is slated to be removed in
+ about a year (when the Debian Bookworm release development starts).
+
+ * Systems with the legacy cgroup v1 hierarchy are now marked as
+ "tainted", to make it clearer that using the legacy hierarchy is not
+ recommended.
+
+ * systemd-localed will now refuse to configure a keymap which is not
+ installed in the file system. This is intended as a bug fix, but
+ could break cases where systemd-localed was used to configure the
+ keymap in advanced of it being installed. It is necessary to install
+ the keymap file first.
+
+ * The main git development branch has been renamed to 'main'.
+
+ * mmcblk[0-9]boot[0-9] devices will no longer be probed automatically
+ for partitions, as in the vast majority of cases they contain none
+ and are used internally by the bootloader (eg: uboot).
+
+ * systemd will now set the $SYSTEMD_EXEC_PID environment variable for
+ spawned processes to the PID of the process itself. This may be used
+ by programs for detecting whether they were forked off by the service
+ manager itself or are a process forked off further down the tree.
+
+ * The sd-device API gained four new calls: sd_device_get_action() to
+ determine the uevent add/remove/change/… action the device object has
+ been seen for, sd_device_get_seqno() to determine the uevent sequence
+ number, sd_device_new_from_stat_rdev() to allocate a new sd_device
+ object from stat(2) data of a device node, and sd_device_trigger() to
+ write to the 'uevent' attribute of a device.
+
+ * For most tools the --no-legend= switch has been replaced by
+ --legend=no and --legend=yes, to force whether tables are shown with
+ headers/legends.
+
+ * Units acquired a new property "Markers" that takes a list of zero,
+ one or two of the following strings: "needs-reload" and
+ "needs-restart". These markers may be set via "systemctl
+ set-property". Once a marker is set, "systemctl reload-or-restart
+ --marked" may be invoked to execute the operation the units are
+ marked for. This is useful for package managers that want to mark
+ units for restart/reload while updating, but effect the actual
+ operations at a later step at once.
+
+ * The sd_bus_message_read_strv() API call of sd-bus may now also be
+ used to parse arrays of D-Bus signatures and D-Bus paths, in addition
+ to regular strings.
+
+ * bootctl will now report whether the UEFI firmware used a TPM2 device
+ and measured the boot process into it.
+
+ * systemd-tmpfiles learnt support for a new environment variable
+ $SYSTEMD_TMPFILES_FORCE_SUBVOL which takes a boolean value. If true
+ the v/q/Q lines in tmpfiles.d/ snippets will create btrfs subvolumes
+ even if the root fs of the system is not itself a btrfs volume.
+
+ * systemd-detect-virt/ConditionVirtualization= will now explicitly
+ detect Docker/Podman environments where possible. Moreover, they
+ should be able to generically detect any container manager as long as
+ it assigns the container a cgroup.
+
+ * portablectl gained a new "reattach" verb for detaching/reattaching a
+ portable service image, useful for updating images on-the-fly.
+
+ * Intel SGX enclave device nodes (which expose a security feature of
+ newer Intel CPUs) will now be owned by a new system group "sgx".
+
+ Contributions from: Adam Nielsen, Adrian Vovk, AJ Jordan, Alan Perry,
+ Alastair Pharo, Alexander Batischev, Ali Abdallah, Andrew Balmos,
+ Anita Zhang, Annika Wickert, Ansgar Burchardt, Antonio Terceiro,
+ Antonius Frie, Ardy, Arian van Putten, Ariel Fermani, Arnaud T,
+ A S Alam, Bastien Nocera, Benjamin Berg, Benjamin Robin, Björn Daase,
+ caoxia, Carlo Wood, Charles Lee, ChopperRob, chri2, Christian Ehrhardt,
+ Christian Hesse, Christopher Obbard, clayton craft, corvusnix, cprn,
+ Daan De Meyer, Daniele Medri, Daniel Rusek, Dan Sanders, Dan Streetman,
+ Darren Ng, David Edmundson, David Tardon, Deepak Rawat, Devon Pringle,
+ Dmitry Borodaenko, dropsignal, Einsler Lee, Endre Szabo,
+ Evgeny Vereshchagin, Fabian Affolter, Fangrui Song, Felipe Borges,
+ feliperodriguesfr, Felix Stupp, Florian Hülsmann, Florian Klink,
+ Florian Westphal, Franck Bui, Frantisek Sumsal, Gablegritule,
+ Gaël PORTAY, Gaurav, Giedrius Statkevičius, Greg Depoire-Ferrer,
+ Gustavo Costa, Hans de Goede, Hela Basa, heretoenhance, hide,
+ Iago López Galeiras, igo95862, Ilya Dmitrichenko, Jameer Pathan,
+ Jan Tojnar, Jiehong, Jinyuan Si, Joerg Behrmann, John Slade,
+ Jonathan G. Underwood, Jonathan McDowell, Josh Triplett, Joshua Watt,
+ Julia Cartwright, Julien Humbert, Kairui Song, Karel Zak,
+ Kevin Backhouse, Kevin P. Fleming, Khem Raj, Konomi, krissgjeng,
+ l4gfcm, Lajos Veres, Lennart Poettering, Lincoln Ramsay, Luca Boccassi,
+ Luca BRUNO, Lucas Werkmeister, Luka Kudra, Luna Jernberg,
+ Marc-André Lureau, Martin Wilck, Matthias Klumpp, Matt Turner,
+ Michael Gisbers, Michael Marley, Michael Trapp, Michal Fabik,
+ Michał Kopeć, Michal Koutný, Michal Sekletár, Michele Guerini Rocco,
+ Mike Gilbert, milovlad, moson-mo, Nick, nihilix-melix, Oğuz Ersen,
+ Ondrej Mosnacek, pali, Pavel Hrdina, Pavel Sapezhko, Perry Yuan,
+ Peter Hutterer, Pierre Dubouilh, Piotr Drąg, Pjotr Vertaalt,
+ Richard Laager, RussianNeuroMancer, Sam Lunt, Sebastiaan van Stijn,
+ Sergey Bugaev, shenyangyang4, simmon, Simonas Kazlauskas,
+ Slimane Selyan Amiri, Stefan Agner, Steve Ramage, Susant Sahani,
+ Sven Mueller, Tad Fisher, Takashi Iwai, Thomas Haller, Tom Shield,
+ Topi Miettinen, Torsten Hilbrich, tpgxyz, Tyler Hicks, ulf-f,
+ Ulrich Ölmann, Vincent Pelletier, Vinnie Magro, Vito Caputo, Vlad,
+ walbit-de, Whired Planck, wouter bolsterlee, Xℹ Ruoyao, Yangyang Shen,
+ Yuri Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek,
+ Zmicer Turok, Дамјан Георгиевски
+
+ — Berlin, 2021-03-30
+
+CHANGES WITH 247:
+
+ * KERNEL API INCOMPATIBILITY: Linux 4.14 introduced two new uevents
+ "bind" and "unbind" to the Linux device model. When this kernel
+ change was made, systemd-udevd was only minimally updated to handle
+ and propagate these new event types. The introduction of these new
+ uevents (which are typically generated for USB devices and devices
+ needing a firmware upload before being functional) resulted in a
+ number of issues which we so far didn't address. We hoped the kernel
+ maintainers would themselves address these issues in some form, but
+ that did not happen. To handle them properly, many (if not most) udev
+ rules files shipped in various packages need updating, and so do many
+ programs that monitor or enumerate devices with libudev or sd-device,
+ or otherwise process uevents. Please note that this incompatibility
+ is not fault of systemd or udev, but caused by an incompatible kernel
+ change that happened back in Linux 4.14, but is becoming more and
+ more visible as the new uevents are generated by more kernel drivers.
+
+ To minimize issues resulting from this kernel change (but not avoid
+ them entirely) starting with systemd-udevd 247 the udev "tags"
+ concept (which is a concept for marking and filtering devices during
+ enumeration and monitoring) has been reworked: udev tags are now
+ "sticky", meaning that once a tag is assigned to a device it will not
+ be removed from the device again until the device itself is removed
+ (i.e. unplugged). This makes sure that any application monitoring
+ devices that match a specific tag is guaranteed to both see uevents
+ where the device starts being relevant, and those where it stops
+ being relevant (the latter now regularly happening due to the new
+ "unbind" uevent type). The udev tags concept is hence now a concept
+ tied to a *device* instead of a device *event* — unlike for example
+ udev properties whose lifecycle (as before) is generally tied to a
+ device event, meaning that the previously determined properties are
+ forgotten whenever a new uevent is processed.
+
+ With the newly redefined udev tags concept, sometimes it's necessary
+ to determine which tags are the ones applied by the most recent
+ uevent/database update, in order to discern them from those
+ originating from earlier uevents/database updates of the same
+ device. To accommodate for this a new automatic property CURRENT_TAGS
+ has been added that works similar to the existing TAGS property but
+ only lists tags set by the most recent uevent/database
+ update. Similarly, the libudev/sd-device API has been updated with
+ new functions to enumerate these 'current' tags, in addition to the
+ existing APIs that now enumerate the 'sticky' ones.
+
+ To properly handle "bind"/"unbind" on Linux 4.14 and newer it is
+ essential that all udev rules files and applications are updated to
+ handle the new events. Specifically:
+
+ • All rule files that currently use a header guard similar to
+ ACTION!="add|change",GOTO="xyz_end" should be updated to use
+ ACTION=="remove",GOTO="xyz_end" instead, so that the
+ properties/tags they add are also applied whenever "bind" (or
+ "unbind") is seen. (This is most important for all physical device
+ types — those for which "bind" and "unbind" are currently
+ generated, for all other device types this change is still
+ recommended but not as important — but certainly prepares for
+ future kernel uevent type additions).
+
+ • Similarly, all code monitoring devices that contains an 'if' branch
+ discerning the "add" + "change" uevent actions from all other
+ uevents actions (i.e. considering devices only relevant after "add"
+ or "change", and irrelevant on all other events) should be reworked
+ to instead negatively check for "remove" only (i.e. considering
+ devices relevant after all event types, except for "remove", which
+ invalidates the device). Note that this also means that devices
+ should be considered relevant on "unbind", even though conceptually
+ this — in some form — invalidates the device. Since the precise
+ effect of "unbind" is not generically defined, devices should be
+ considered relevant even after "unbind", however I/O errors
+ accessing the device should then be handled gracefully.
+
+ • Any code that uses device tags for deciding whether a device is
+ relevant or not most likely needs to be updated to use the new
+ udev_device_has_current_tag() API (or sd_device_has_current_tag()
+ in case sd-device is used), to check whether the tag is set at the
+ moment an uevent is seen (as opposed to the existing
+ udev_device_has_tag() API which checks if the tag ever existed on
+ the device, following the API concept redefinition explained
+ above).
+
+ We are very sorry for this breakage and the requirement to update
+ packages using these interfaces. We'd again like to underline that
+ this is not caused by systemd/udev changes, but result of a kernel
+ behaviour change.
+
+ * UPCOMING INCOMPATIBILITY: So far most downstream distribution
+ packages have not retriggered devices once the udev package (or any
+ auxiliary package installing additional udev rules) is updated. We
+ intend to work with major distributions to change this, so that
+ "udevadm trigger -a change" is issued on such upgrades, ensuring that
+ the updated ruleset is applied to the devices already discovered, so
+ that (asynchronously) after the upgrade completed the udev database
+ is consistent with the updated rule set. This means udev rules must
+ be ready to be retriggered with a "change" action any time, and
+ result in correct and complete udev database entries. While the
+ majority of udev rule files known to us currently get this right,
+ some don't. Specifically, there are udev rules files included in
+ various packages that only set udev properties on the "add" action,
+ but do not handle the "change" action. If a device matching those
+ rules is retriggered with the "change" action (as is intended here)
+ it would suddenly lose the relevant properties. This always has been
+ problematic, but as soon as all udev devices are triggered on relevant
+ package upgrades this will become particularly so. It is strongly
+ recommended to fix offending rules so that they can handle a "change"
+ action at any time, and acquire all necessary udev properties even
+ then. Or in other words: the header guard mentioned above
+ (ACTION=="remove",GOTO="xyz_end") is the correct approach to handle
+ this, as it makes sure rules are rerun on "change" correctly, and
+ accumulate the correct and complete set of udev properties. udev rule
+ definitions that cannot handle "change" events being triggered at
+ arbitrary times should be considered buggy.
+
+ * The MountAPIVFS= service file setting now defaults to on if
+ RootImage= and RootDirectory= are used, which means that with those
+ two settings /proc/, /sys/ and /dev/ are automatically properly set
+ up for services. Previous behaviour may be restored by explicitly
+ setting MountAPIVFS=off.
+
+ * Since PAM 1.2.0 (2015) configuration snippets may be placed in
+ /usr/lib/pam.d/ in addition to /etc/pam.d/. If a file exists in the
+ latter it takes precedence over the former, similar to how most of
+ systemd's own configuration is handled. Given that PAM stack
+ definitions are primarily put together by OS vendors/distributions
+ (though possibly overridden by users), this systemd release moves its
+ own PAM stack configuration for the "systemd-user" PAM service (i.e.
+ for the PAM session invoked by the per-user user@.service instance)
+ from /etc/pam.d/ to /usr/lib/pam.d/. We recommend moving all
+ packages' vendor versions of their PAM stack definitions from
+ /etc/pam.d/ to /usr/lib/pam.d/, but if such OS-wide migration is not
+ desired the location to which systemd installs its PAM stack
+ configuration may be changed via the -Dpamconfdir Meson option.
+
+ * The runtime dependencies on libqrencode, libpcre2, libidn/libidn2,
+ libpwquality and libcryptsetup have been changed to be based on
+ dlopen(): instead of regular dynamic library dependencies declared in
+ the binary ELF headers, these libraries are now loaded on demand
+ only, if they are available. If the libraries cannot be found the
+ relevant operations will fail gracefully, or a suitable fallback
+ logic is chosen. This is supposed to be useful for general purpose
+ distributions, as it allows minimizing the list of dependencies the
+ systemd packages pull in, permitting building of more minimal OS
+ images, while still making use of these "weak" dependencies should
+ they be installed. Since many package managers automatically
+ synthesize package dependencies from ELF shared library dependencies,
+ some additional manual packaging work has to be done now to replace
+ those (slightly downgraded from "required" to "recommended" or
+ whatever is conceptually suitable for the package manager). Note that
+ this change does not alter build-time behaviour: as before the
+ build-time dependencies have to be installed during build, even if
+ they now are optional during runtime.
+
+ * sd-event.h gained a new call sd_event_add_time_relative() for
+ installing timers relative to the current time. This is mostly a
+ convenience wrapper around the pre-existing sd_event_add_time() call
+ which installs absolute timers.
+
+ * sd-event event sources may now be placed in a new "exit-on-failure"
+ mode, which may be controlled via the new
+ sd_event_source_get_exit_on_failure() and
+ sd_event_source_set_exit_on_failure() functions. If enabled, any
+ failure returned by the event source handler functions will result in
+ exiting the event loop (unlike the default behaviour of just
+ disabling the event source but continuing with the event loop). This
+ feature is useful to set for all event sources that define "primary"
+ program behaviour (where failure should be fatal) in contrast to
+ "auxiliary" behaviour (where failure should remain local).
+
+ * Most event source types sd-event supports now accept a NULL handler
+ function, in which case the event loop is exited once the event
+ source is to be dispatched, using the userdata pointer — converted to
+ a signed integer — as exit code of the event loop. Previously this
+ was supported for IO and signal event sources already. Exit event
+ sources still do not support this (simply because it makes little
+ sense there, as the event loop is already exiting when they are
+ dispatched).
+
+ * A new per-unit setting RootImageOptions= has been added which allows
+ tweaking the mount options for any file system mounted as effect of
+ the RootImage= setting.
+
+ * Another new per-unit setting MountImages= has been added, that allows
+ mounting additional disk images into the file system tree accessible
+ to the service.
+
+ * Timer units gained a new FixedRandomDelay= boolean setting. If
+ enabled, the random delay configured with RandomizedDelaySec= is
+ selected in a way that is stable on a given system (though still
+ different for different units).
+
+ * Socket units gained a new setting Timestamping= that takes "us", "ns"
+ or "off". This controls the SO_TIMESTAMP/SO_TIMESTAMPNS socket
+ options.
+
+ * systemd-repart now generates JSON output when requested with the new
+ --json= switch.
+
+ * systemd-machined's OpenMachineShell() bus call will now pass
+ additional policy metadata data fields to the PolicyKit
+ authentication request.
+
+ * systemd-tmpfiles gained a new -E switch, which is equivalent to
+ --exclude-prefix=/dev --exclude-prefix=/proc --exclude=/run
+ --exclude=/sys. It's particularly useful in combination with --root=,
+ when operating on OS trees that do not have any of these four runtime
+ directories mounted, as this means no files below these subtrees are
+ created or modified, since those mount points should probably remain
+ empty.
+
+ * systemd-tmpfiles gained a new --image= switch which is like --root=,
+ but takes a disk image instead of a directory as argument. The
+ specified disk image is mounted inside a temporary mount namespace
+ and the tmpfiles.d/ drop-ins stored in the image are executed and
+ applied to the image. systemd-sysusers similarly gained a new
+ --image= switch, that allows the sysusers.d/ drop-ins stored in the
+ image to be applied onto the image.
+
+ * Similarly, the journalctl command also gained an --image= switch,
+ which is a quick one-step solution to look at the log data included
+ in OS disk images.
+
+ * journalctl's --output=cat option (which outputs the log content
+ without any metadata, just the pure text messages) will now make use
+ of terminal colors when run on a suitable terminal, similarly to the
+ other output modes.
+
+ * JSON group records now support a "description" string that may be
+ used to add a human-readable textual description to such groups. This
+ is supposed to match the user's GECOS field which traditionally
+ didn't have a counterpart for group records.
+
+ * The "systemd-dissect" tool that may be used to inspect OS disk images
+ and that was previously installed to /usr/lib/systemd/ has now been
+ moved to /usr/bin/, reflecting its updated status of an officially
+ supported tool with a stable interface. It gained support for a new
+ --mkdir switch which when combined with --mount has the effect of
+ creating the directory to mount the image to if it is missing
+ first. It also gained two new commands --copy-from and --copy-to for
+ copying files and directories in and out of an OS image without the
+ need to manually mount it. It also acquired support for a new option
+ --json= to generate JSON output when inspecting an OS image.
+
+ * The cgroup2 file system is now mounted with the
+ "memory_recursiveprot" mount option, supported since kernel 5.7. This
+ means that the MemoryLow= and MemoryMin= unit file settings now apply
+ recursively to whole subtrees.
+
+ * systemd-homed now defaults to using the btrfs file system — if
+ available — when creating home directories in LUKS volumes. This may
+ be changed with the DefaultFileSystemType= setting in homed.conf.
+ It's now the default file system in various major distributions and
+ has the major benefit for homed that it can be grown and shrunk while
+ mounted, unlike the other contenders ext4 and xfs, which can both be
+ grown online, but not shrunk (in fact xfs is the technically most
+ limited option here, as it cannot be shrunk at all).
+
+ * JSON user records managed by systemd-homed gained support for
+ "recovery keys". These are basically secondary passphrases that can
+ unlock user accounts/home directories. They are computer-generated
+ rather than user-chosen, and typically have greater entropy.
+ homectl's --recovery-key= option may be used to add a recovery key to
+ a user account. The generated recovery key is displayed as a QR code,
+ so that it can be scanned to be kept in a safe place. This feature is
+ particularly useful in combination with systemd-homed's support for
+ FIDO2 or PKCS#11 authentication, as a secure fallback in case the
+ security tokens are lost. Recovery keys may be entered wherever the
+ system asks for a password.
+
+ * systemd-homed now maintains a "dirty" flag for each LUKS encrypted
+ home directory which indicates that a home directory has not been
+ deactivated cleanly when offline. This flag is useful to identify
+ home directories for which the offline discard logic did not run when
+ offlining, and where it would be a good idea to log in again to catch
+ up.
+
+ * systemctl gained a new parameter --timestamp= which may be used to
+ change the style in which timestamps are output, i.e. whether to show
+ them in local timezone or UTC, or whether to show µs granularity.
+
+ * Alibaba's "pouch" container manager is now detected by
+ systemd-detect-virt, ConditionVirtualization= and similar
+ constructs. Similar, they now also recognize IBM PowerVM machine
+ virtualization.
+
+ * systemd-nspawn has been reworked to use the /run/host/incoming/ as
+ place to use for propagating external mounts into the
+ container. Similarly /run/host/notify is now used as the socket path
+ for container payloads to communicate with the container manager
+ using sd_notify(). The container manager now uses the
+ /run/host/inaccessible/ directory to place "inaccessible" file nodes
+ of all relevant types which may be used by the container payload as
+ bind mount source to over-mount inodes to make them inaccessible.
+ /run/host/container-manager will now be initialized with the same
+ string as the $container environment variable passed to the
+ container's PID 1. /run/host/container-uuid will be initialized with
+ the same string as $container_uuid. This means the /run/host/
+ hierarchy is now the primary way to make host resources available to
+ the container. The Container Interface documents these new files and
+ directories:
+
+ https://systemd.io/CONTAINER_INTERFACE
+
+ * Support for the "ConditionNull=" unit file condition has been
+ deprecated and undocumented for 6 years. systemd started to warn
+ about its use 1.5 years ago. It has now been removed entirely.
+
+ * sd-bus.h gained a new API call sd_bus_error_has_names(), which takes
+ a sd_bus_error struct and a list of error names, and checks if the
+ error matches one of these names. It's a convenience wrapper that is
+ useful in cases where multiple errors shall be handled the same way.
+
+ * A new system call filter list "@known" has been added, that contains
+ all system calls known at the time systemd was built.
+
+ * Behaviour of system call filter allow lists has changed slightly:
+ system calls that are contained in @known will result in EPERM by
+ default, while those not contained in it result in ENOSYS. This
+ should improve compatibility because known system calls will thus be
+ communicated as prohibited, while unknown (and thus newer ones) will
+ be communicated as not implemented, which hopefully has the greatest
+ chance of triggering the right fallback code paths in client
+ applications.
+
+ * "systemd-analyze syscall-filter" will now show two separate sections
+ at the bottom of the output: system calls known during systemd build
+ time but not included in any of the filter groups shown above, and
+ system calls defined on the local kernel but known during systemd
+ build time.
+
+ * If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for
+ systemd-nspawn all system call filter violations will be logged by
+ the kernel (audit). This is useful for tracking down system calls
+ invoked by container payloads that are prohibited by the container's
+ system call filter policy.
+
+ * If the $SYSTEMD_SECCOMP=0 environment variable is set for
+ systemd-nspawn (and other programs that use seccomp) all seccomp
+ filtering is turned off.
+
+ * Two new unit file settings ProtectProc= and ProcSubset= have been
+ added that expose the hidepid= and subset= mount options of procfs.
+ All processes of the unit will only see processes in /proc that are
+ are owned by the unit's user. This is an important new sandboxing
+ option that is recommended to be set on all system services. All
+ long-running system services that are included in systemd itself set
+ this option now. This option is only supported on kernel 5.8 and
+ above, since the hidepid= option supported on older kernels was not a
+ per-mount option but actually applied to the whole PID namespace.
+
+ * Socket units gained a new boolean setting FlushPending=. If enabled
+ all pending socket data/connections are flushed whenever the socket
+ unit enters the "listening" state, i.e. after the associated service
+ exited.
+
+ * The unit file setting NUMAMask= gained a new "all" value: when used,
+ all existing NUMA nodes are added to the NUMA mask.
+
+ * A new "credentials" logic has been added to system services. This is
+ a simple mechanism to pass privileged data to services in a safe and
+ secure way. It's supposed to be used to pass per-service secret data
+ such as passwords or cryptographic keys but also associated less
+ private information such as user names, certificates, and similar to
+ system services. Each credential is identified by a short user-chosen
+ name and may contain arbitrary binary data. Two new unit file
+ settings have been added: SetCredential= and LoadCredential=. The
+ former allows setting a credential to a literal string, the latter
+ sets a credential to the contents of a file (or data read from a
+ user-chosen AF_UNIX stream socket). Credentials are passed to the
+ service via a special credentials directory, one file for each
+ credential. The path to the credentials directory is passed in a new
+ $CREDENTIALS_DIRECTORY environment variable. Since the credentials
+ are passed in the file system they may be easily referenced in
+ ExecStart= command lines too, thus no explicit support for the
+ credentials logic in daemons is required (though ideally daemons
+ would look for the bits they need in $CREDENTIALS_DIRECTORY
+ themselves automatically, if set). The $CREDENTIALS_DIRECTORY is
+ backed by unswappable memory if privileges allow it, immutable if
+ privileges allow it, is accessible only to the service's UID, and is
+ automatically destroyed when the service stops.
+
+ * systemd-nspawn supports the same credentials logic. It can both
+ consume credentials passed to it via the aforementioned
+ $CREDENTIALS_DIRECTORY protocol as well as pass these credentials on
+ to its payload. The service manager/PID 1 has been updated to match
+ this: it can also accept credentials from the container manager that
+ invokes it (in fact: any process that invokes it), and passes them on
+ to its services. Thus, credentials can be propagated recursively down
+ the tree: from a system's service manager to a systemd-nspawn
+ service, to the service manager that runs as container payload and to
+ the service it runs below. Credentials may also be added on the
+ systemd-nspawn command line, using new --set-credential= and
+ --load-credential= command line switches that match the
+ aforementioned service settings.
+
+ * systemd-repart gained new settings Format=, Encrypt=, CopyFiles= in
+ the partition drop-ins which may be used to format/LUKS
+ encrypt/populate any created partitions. The partitions are
+ encrypted/formatted/populated before they are registered in the
+ partition table, so that they appear atomically: either the
+ partitions do not exist yet or they exist fully encrypted, formatted,
+ and populated — there is no time window where they are
+ "half-initialized". Thus the system is robust to abrupt shutdown: if
+ the tool is terminated half-way during its operations on next boot it
+ will start from the beginning.
+
+ * systemd-repart's --size= operation gained a new "auto" value. If
+ specified, and operating on a loopback file it is automatically sized
+ to the minimal size the size constraints permit. This is useful to
+ use "systemd-repart" as an image builder for minimally sized images.
+
+ * systemd-resolved now gained a third IPC interface for requesting name
+ resolution: besides D-Bus and local DNS to 127.0.0.53 a Varlink
+ interface is now supported. The nss-resolve NSS module has been
+ modified to use this new interface instead of D-Bus. Using Varlink
+ has a major benefit over D-Bus: it works without a broker service,
+ and thus already during earliest boot, before the dbus daemon has
+ been started. This means name resolution via systemd-resolved now
+ works at the same time systemd-networkd operates: from earliest boot
+ on, including in the initrd.
+
+ * systemd-resolved gained support for a new DNSStubListenerExtra=
+ configuration file setting which may be used to specify additional IP
+ addresses the built-in DNS stub shall listen on, in addition to the
+ main one on 127.0.0.53:53.
+
+ * Name lookups issued via systemd-resolved's D-Bus and Varlink
+ interfaces (and thus also via glibc NSS if nss-resolve is used) will
+ now honour a trailing dot in the hostname: if specified the search
+ path logic is turned off. Thus "resolvectl query foo." is now
+ equivalent to "resolvectl query --search=off foo.".
+
+ * systemd-resolved gained a new D-Bus property "ResolvConfMode" that
+ exposes how /etc/resolv.conf is currently managed: by resolved (and
+ in which mode if so) or another subsystem. "resolvctl" will display
+ this property in its status output.
+
+ * The resolv.conf snippets systemd-resolved provides will now set "."
+ as the search domain if no other search domain is known. This turns
+ off the derivation of an implicit search domain by nss-dns for the
+ hostname, when the hostname is set to an FQDN. This change is done to
+ make nss-dns using resolv.conf provided by systemd-resolved behave
+ more similarly to nss-resolve.
+
+ * systemd-tmpfiles' file "aging" logic (i.e. the automatic clean-up of
+ /tmp/ and /var/tmp/ based on file timestamps) now looks at the
+ "birth" time (btime) of a file in addition to the atime, mtime, and
+ ctime.
+
+ * systemd-analyze gained a new verb "capability" that lists all known
+ capabilities by the systemd build and by the kernel.
+
+ * If a file /usr/lib/clock-epoch exists, PID 1 will read its mtime and
+ advance the system clock to it at boot if it is noticed to be before
+ that time. Previously, PID 1 would only advance the time to an epoch
+ time that is set during build-time. With this new file OS builders
+ can change this epoch timestamp on individual OS images without
+ having to rebuild systemd.
+
+ * systemd-logind will now listen to the KEY_RESTART key from the Linux
+ input layer and reboot the system if it is pressed, similarly to how
+ it already handles KEY_POWER, KEY_SUSPEND or KEY_SLEEP. KEY_RESTART
+ was originally defined in the Multimedia context (to restart playback
+ of a song or film), but is now primarily used in various embedded
+ devices for "Reboot" buttons. Accordingly, systemd-logind will now
+ honour it as such. This may configured in more detail via the new
+ HandleRebootKey= and RebootKeyIgnoreInhibited=.
+
+ * systemd-nspawn/systemd-machined will now reconstruct hardlinks when
+ copying OS trees, for example in "systemd-nspawn --ephemeral",
+ "systemd-nspawn --template=", "machinectl clone" and similar. This is
+ useful when operating with OSTree images, which use hardlinks heavily
+ throughout, and where such copies previously resulting in "exploding"
+ hardlinks.
+
+ * systemd-nspawn's --console= setting gained support for a new
+ "autopipe" value, which is identical to "interactive" when invoked on
+ a TTY, and "pipe" otherwise.
+
+ * systemd-networkd's .network files gained support for explicitly
+ configuring the multicast membership entries of bridge devices in the
+ [BridgeMDB] section. It also gained support for the PIE queuing
+ discipline in the [FlowQueuePIE] sections.
+
+ * systemd-networkd's .netdev files may now be used to create "BareUDP"
+ tunnels, configured in the new [BareUDP] setting.
+
+ * systemd-networkd's Gateway= setting in .network files now accepts the
+ special values "_dhcp4" and "_ipv6ra" to configure additional,
+ locally defined, explicit routes to the gateway acquired via DHCP or
+ IPv6 Router Advertisements. The old setting "_dhcp" is deprecated,
+ but still accepted for backwards compatibility.
+
+ * systemd-networkd's [IPv6PrefixDelegation] section and
+ IPv6PrefixDelegation= options have been renamed as [IPv6SendRA] and
+ IPv6SendRA= (the old names are still accepted for backwards
+ compatibility).
+
+ * systemd-networkd's .network files gained the DHCPv6PrefixDelegation=
+ boolean setting in [Network] section. If enabled, the delegated prefix
+ gained by another link will be configured, and an address within the
+ prefix will be assigned.
+
+ * systemd-networkd's .network files gained the Announce= boolean setting
+ in [DHCPv6PrefixDelegation] section. When enabled, the delegated
+ prefix will be announced through IPv6 router advertisement (IPv6 RA).
+ The setting is enabled by default.
+
+ * VXLAN tunnels may now be marked as independent of any underlying
+ network interface via the new Independent= boolean setting.
+
+ * systemctl gained support for two new verbs: "service-log-level" and
+ "service-log-target" may be used on services that implement the
+ generic org.freedesktop.LogControl1 D-Bus interface to dynamically
+ adjust the log level and target. All of systemd's long-running
+ services support this now, but ideally all system services would
+ implement this interface to make the system more uniformly
+ debuggable.
+
+ * The SystemCallErrorNumber= unit file setting now accepts the new
+ "kill" and "log" actions, in addition to arbitrary error number
+ specifications as before. If "kill" the processes are killed on the
+ event, if "log" the offending system call is audit logged.
+
+ * A new SystemCallLog= unit file setting has been added that accepts a
+ list of system calls that shall be logged about (audit).
+
+ * The OS image dissection logic (as used by RootImage= in unit files or
+ systemd-nspawn's --image= switch) has gained support for identifying
+ and mounting explicit /usr/ partitions, which are now defined in the
+ discoverable partition specification. This should be useful for
+ environments where the root file system is
+ generated/formatted/populated dynamically on first boot and combined
+ with an immutable /usr/ tree that is supplied by the vendor.
+
+ * In the final phase of shutdown, within the systemd-shutdown binary
+ we'll now try to detach MD devices (i.e software RAID) in addition to
+ loopback block devices and DM devices as before. This is supposed to
+ be a safety net only, in order to increase robustness if things go
+ wrong. Storage subsystems are expected to properly detach their
+ storage volumes during regular shutdown already (or in case of
+ storage backing the root file system: in the initrd hook we return to
+ later).
+
+ * If the SYSTEMD_LOG_TID environment variable is set all systemd tools
+ will now log the thread ID in their log output. This is useful when
+ working with heavily threaded programs.
+
+ * If the SYSTEMD_RDRAND environment variable is set to "0", systemd will
+ not use the RDRAND CPU instruction. This is useful in environments
+ such as replay debuggers where non-deterministic behaviour is not
+ desirable.
+
+ * The autopaging logic in systemd's various tools (such as systemctl)
+ has been updated to turn on "secure" mode in "less"
+ (i.e. $LESSECURE=1) if execution in a "sudo" environment is
+ detected. This disables invoking external programs from the pager,
+ via the pipe logic. This behaviour may be overridden via the new
+ $SYSTEMD_PAGERSECURE environment variable.
+
+ * Units which have resource limits (.service, .mount, .swap, .slice,
+ .socket, and .slice) gained new configuration settings
+ ManagedOOMSwap=, ManagedOOMMemoryPressure=, and
+ ManagedOOMMemoryPressureLimitPercent= that specify resource pressure
+ limits and optional action taken by systemd-oomd.
+
+ * A new service systemd-oomd has been added. It monitors resource
+ contention for selected parts of the unit hierarchy using the PSI
+ information reported by the kernel, and kills processes when memory
+ or swap pressure is above configured limits. This service is only
+ enabled by default in developer mode (see below) and should be
+ considered a preview in this release. Behaviour details and option
+ names are subject to change without the usual backwards-compatibility
+ promises.
+
+ * A new helper oomctl has been added to introspect systemd-oomd state.
+ It is only enabled by default in developer mode and should be
+ considered a preview without the usual backwards-compatibility
+ promises.
+
+ * New meson option -Dcompat-mutable-uid-boundaries= has been added. If
+ enabled, systemd reads the system UID boundaries from /etc/login.defs
+ at runtime, instead of using the built-in values selected during
+ build. This is an option to improve compatibility for upgrades from
+ old systems. It's strongly recommended not to make use of this
+ functionality on new systems (or even enable it during build), as it
+ makes something runtime-configurable that is mostly an implementation
+ detail of the OS, and permits avoidable differences in deployments
+ that create all kinds of problems in the long run.
+
+ * New meson option '-Dmode=developer|release' has been added. When
+ 'developer', additional checks and features are enabled that are
+ relevant during upstream development, e.g. verification that
+ semi-automatically-generated documentation has been properly updated
+ following API changes. Those checks are considered hints for
+ developers and are not actionable in downstream builds. In addition,
+ extra features that are not ready for general consumption may be
+ enabled in developer mode. It is thus recommended to set
+ '-Dmode=release' in end-user and distro builds.
+
+ * systemd-cryptsetup gained support for processing detached LUKS
+ headers specified on the kernel command line via the header=
+ parameter of the luks.options= kernel command line option. The same
+ device/path syntax as for key files is supported for header files
+ like this.
+
+ * The "net_id" built-in of udev has been updated to ignore ACPI _SUN
+ slot index data for devices that are connected through a PCI bridge
+ where the _SUN index is associated with the bridge instead of the
+ network device itself. Previously this would create ambiguous device
+ naming if multiple network interfaces were connected to the same PCI
+ bridge. Since this is a naming scheme incompatibility on systems that
+ possess hardware like this it has been introduced as new naming
+ scheme "v247". The previous scheme can be selected via the
+ "net.naming-scheme=v245" kernel command line parameter.
+
+ * ConditionFirstBoot= semantics have been modified to be safe towards
+ abnormal system power-off during first boot. Specifically, the
+ "systemd-machine-id-commit.service" service now acts as boot
+ milestone indicating when the first boot process is sufficiently
+ complete in order to not consider the next following boot also a
+ first boot. If the system is reset before this unit is reached the
+ first time, the next boot will still be considered a first boot; once
+ it has been reached, no further boots will be considered a first
+ boot. The "first-boot-complete.target" unit now acts as official hook
+ point to order against this. If a service shall be run on every boot
+ until the first boot fully succeeds it may thus be ordered before
+ this target unit (and pull it in) and carry ConditionFirstBoot=
+ appropriately.
+
+ * bootctl's set-default and set-oneshot commands now accept the three
+ special strings "@default", "@oneshot", "@current" in place of a boot
+ entry id. These strings are resolved to the current default and
+ oneshot boot loader entry, as well as the currently booted one. Thus
+ a command "bootctl set-default @current" may be used to make the
+ currently boot menu item the new default for all subsequent boots.
+
+ * "systemctl edit" has been updated to show the original effective unit
+ contents in commented form in the text editor.
+
+ * Units in user mode are now segregated into three new slices:
+ session.slice (units that form the core of graphical session),
+ app.slice ("normal" user applications), and background.slice
+ (low-priority tasks). Unless otherwise configured, user units are
+ placed in app.slice. The plan is to add resource limits and
+ protections for the different slices in the future.
+
+ * New GPT partition types for RISCV32/64 for the root and /usr
+ partitions, and their associated Verity partitions have been defined,
+ and are now understood by systemd-gpt-auto-generator, and the OS
+ image dissection logic.
+
+ Contributions from: Adolfo Jayme Barrientos, afg, Alec Moskvin, Alyssa
+ Ross, Amitanand Chikorde, Andrew Hangsleben, Anita Zhang, Ansgar
+ Burchardt, Arian van Putten, Aurelien Jarno, Axel Rasmussen, bauen1,
+ Beniamino Galvani, Benjamin Berg, Bjørn Mork, brainrom, Chandradeep
+ Dey, Charles Lee, Chris Down, Christian Göttsche, Christof Efkemann,
+ Christoph Ruegge, Clemens Gruber, Daan De Meyer, Daniele Medri, Daniel
+ Mack, Daniel Rusek, Dan Streetman, David Tardon, Dimitri John Ledkov,
+ Dmitry Borodaenko, Elias Probst, Elisei Roca, ErrantSpore, Etienne
+ Doms, Fabrice Fontaine, fangxiuning, Felix Riemann, Florian Klink,
+ Franck Bui, Frantisek Sumsal, fwSmit, George Rawlinson, germanztz,
+ Gibeom Gwon, Glen Whitney, Gogo Gogsi, Göran Uddeborg, Grant Mathews,
+ Hans de Goede, Hans Ulrich Niedermann, Haochen Tong, Harald Seiler,
+ huangyong, Hubert Kario, igo95862, Ikey Doherty, Insun Pyo, Jan Chren,
+ Jan Schlüter, Jérémy Nouhaud, Jian-Hong Pan, Joerg Behrmann, Jonathan
+ Lebon, Jörg Thalheim, Josh Brobst, Juergen Hoetzel, Julien Humbert,
+ Kai-Chuan Hsieh, Kairui Song, Kamil Dudka, Kir Kolyshkin, Kristijan
+ Gjoshev, Kyle Huey, Kyle Russell, Lee Whalen, Lennart Poettering,
+ lichangze, Luca Boccassi, Lucas Werkmeister, Luca Weiss, Marc
+ Kleine-Budde, Marco Wang, Martin Wilck, Marti Raudsepp, masmullin2000,
+ Máté Pozsgay, Matt Fenwick, Michael Biebl, Michael Scherer, Michal
+ Koutný, Michal Sekletár, Michal Suchanek, Mikael Szreder, Milo
+ Casagrande, mirabilos, Mitsuha_QuQ, mog422, Muhammet Kara, Nazar
+ Vinnichuk, Nicholas Narsing, Nicolas Fella, Njibhu, nl6720, Oğuz Ersen,
+ Olivier Le Moal, Ondrej Kozina, onlybugreports, Pass Automated Testing
+ Suite, Pat Coulthard, Pavel Sapezhko, Pedro Ruiz, perry_yuan, Peter
+ Hutterer, Phaedrus Leeds, PhoenixDiscord, Piotr Drąg, Plan C,
+ Purushottam choudhary, Rasmus Villemoes, Renaud Métrich, Robert Marko,
+ Roman Beranek, Ronan Pigott, Roy Chen (陳彥廷), RussianNeuroMancer,
+ Samanta Navarro, Samuel BF, scootergrisen, Sorin Ionescu, Steve Dodd,
+ Susant Sahani, Timo Rothenpieler, Tobias Hunger, Tobias Kaufmann, Topi
+ Miettinen, vanou, Vito Caputo, Weblate, Wen Yang, Whired Planck,
+ williamvds, Yu, Li-Yu, Yuri Chornoivan, Yu Watanabe, Zbigniew
+ Jędrzejewski-Szmek, Zmicer Turok, Дамјан Георгиевски
+
+ – Warsaw, 2020-11-26
+
+CHANGES WITH 246:
+
+ * The service manager gained basic support for cgroup v2 freezer. Units
+ can now be suspended or resumed either using new systemctl verbs,
+ freeze and thaw respectively, or via D-Bus.
+
+ * PID 1 may now automatically load pre-compiled AppArmor policies from
+ /etc/apparmor/earlypolicy during early boot.
+
+ * The CPUAffinity= setting in service unit files now supports a new
+ special value "numa" that causes the CPU affinity masked to be set
+ based on the NUMA mask.
+
+ * systemd will now log about all left-over processes remaining in a
+ unit when the unit is stopped. It will now warn about services using
+ KillMode=none, as this is generally an unsafe thing to make use of.
+
+ * Two new unit file settings
+ ConditionPathIsEncrypted=/AssertPathIsEncrypted= have been
+ added. They may be used to check whether a specific file system path
+ resides on a block device that is encrypted on the block level
+ (i.e. using dm-crypt/LUKS).
+
+ * Another pair of new settings ConditionEnvironment=/AssertEnvironment=
+ has been added that may be used for simple environment checks. This
+ is particularly useful when passing in environment variables from a
+ container manager (or from PAM in case of the systemd --user
+ instance).
+
+ * .service unit files now accept a new setting CoredumpFilter= which
+ allows configuration of the memory sections coredumps of the
+ service's processes shall include.
+
+ * .mount units gained a new ReadWriteOnly= boolean option. If set
+ it will not be attempted to mount a file system read-only if mounting
+ in read-write mode doesn't succeed. An option x-systemd.rw-only is
+ available in /etc/fstab to control the same.
+
+ * .socket units gained a new boolean setting PassPacketInfo=. If
+ enabled, the kernel will attach additional per-packet metadata to all
+ packets read from the socket, as an ancillary message. This controls
+ the IP_PKTINFO, IPV6_RECVPKTINFO, NETLINK_PKTINFO socket options,
+ depending on socket type.
+
+ * .service units gained a new setting RootHash= which may be used to
+ specify the root hash for verity enabled disk images which are
+ specified in RootImage=. RootVerity= may be used to specify a path to
+ the Verity data matching a RootImage= file system. (The latter is
+ only useful for images that do not contain the Verity data embedded
+ into the same image that carries a GPT partition table following the
+ Discoverable Partition Specification). Similarly, systemd-nspawn
+ gained a new switch --verity-data= that takes a path to a file with
+ the verity data of the disk image supplied in --image=, if the image
+ doesn't contain the verity data itself.
+
+ * .service units gained a new setting RootHashSignature= which takes
+ either a base64 encoded PKCS#7 signature of the root hash specified
+ with RootHash=, or a path to a file to read the signature from. This
+ allows validation of the root hash against public keys available in
+ the kernel keyring, and is only supported on recent kernels
+ (>= 5.4)/libcryptsetup (>= 2.30). A similar switch has been added to
+ systemd-nspawn and systemd-dissect (--root-hash-sig=). Support for
+ this mechanism has also been added to systemd-veritysetup.
+
+ * .service unit files gained two new options
+ TimeoutStartFailureMode=/TimeoutStopFailureMode= that may be used to
+ tune behaviour if a start or stop timeout is hit, i.e. whether to
+ terminate the service with SIGTERM, SIGABRT or SIGKILL.
+
+ * Most options in systemd that accept hexadecimal values prefixed with
+ 0x in additional to the usual decimal notation now also support octal
+ notation when the 0o prefix is used and binary notation if the 0b
+ prefix is used.
+
+ * Various command line parameters and configuration file settings that
+ configure key or certificate files now optionally take paths to
+ AF_UNIX sockets in the file system. If configured that way a stream
+ connection is made to the socket and the required data read from
+ it. This is a simple and natural extension to the existing regular
+ file logic, and permits other software to provide keys or
+ certificates via simple IPC services, for example when unencrypted
+ storage on disk is not desired. Specifically, systemd-networkd's
+ Wireguard and MACSEC key file settings as well as
+ systemd-journal-gatewayd's and systemd-journal-remote's PEM
+ key/certificate parameters support this now.
+
+ * Unit files, tmpfiles.d/ snippets, sysusers.d/ snippets and other
+ configuration files that support specifier expansion learnt six new
+ specifiers: %a resolves to the current architecture, %o/%w/%B/%W
+ resolve to the various ID fields from /etc/os-release, %l resolves to
+ the "short" hostname of the system, i.e. the hostname configured in
+ the kernel truncated at the first dot.
+
+ * Support for the .include syntax in unit files has been removed. The
+ concept has been obsolete for 6 years and we started warning about
+ its pending removal 2 years ago (also see NEWS file below). It's
+ finally gone now.
+
+ * StandardError= and StandardOutput= in unit files no longer support
+ the "syslog" and "syslog-console" switches. They were long removed
+ from the documentation, but will now result in warnings when used,
+ and be converted to "journal" and "journal+console" automatically.
+
+ * If the service setting User= is set to the "nobody" user, a warning
+ message is now written to the logs (but the value is nonetheless
+ accepted). Setting User=nobody is unsafe, since the primary purpose
+ of the "nobody" user is to own all files whose owner cannot be mapped
+ locally. It's in particular used by the NFS subsystem and in user
+ namespacing. By running a service under this user's UID it might get
+ read and even write access to all these otherwise unmappable files,
+ which is quite likely a major security problem.
+
+ * tmpfs mounts automatically created by systemd (/tmp, /run, /dev/shm,
+ and others) now have a size and inode limits applied (50% of RAM for
+ /tmp and /dev/shm, 10% of RAM for other mounts, etc.). Please note
+ that the implicit kernel default is 50% too, so there is no change
+ in the size limit for /tmp and /dev/shm.
+
+ * nss-mymachines lost support for resolution of users and groups, and
+ now only does resolution of hostnames. This functionality is now
+ provided by nss-systemd. Thus, the 'mymachines' entry should be
+ removed from the 'passwd:' and 'group:' lines in /etc/nsswitch.conf
+ (and 'systemd' added if it is not already there).
+
+ * A new kernel command line option systemd.hostname= has been added
+ that allows controlling the hostname that is initialized early during
+ boot.
+
+ * A kernel command line option "udev.blockdev_read_only" has been
+ added. If specified all hardware block devices that show up are
+ immediately marked as read-only by udev. This option is useful for
+ making sure that a specific boot under no circumstances modifies data
+ on disk. Use "blockdev --setrw" to undo the effect of this, per
+ device.
+
+ * A new boolean kernel command line option systemd.swap= has been
+ added, which may be used to turn off automatic activation of swap
+ devices listed in /etc/fstab.
+
+ * New kernel command line options systemd.condition-needs-update= and
+ systemd.condition-first-boot= have been added, which override the
+ result of the ConditionNeedsUpdate= and ConditionFirstBoot=
+ conditions.
+
+ * A new kernel command line option systemd.clock-usec= has been added
+ that allows setting the system clock to the specified time in µs
+ since Jan 1st, 1970 early during boot. This is in particular useful
+ in order to make test cases more reliable.
+
+ * The fs.suid_dumpable sysctl is set to 2 / "suidsafe". This allows
+ systemd-coredump to save core files for suid processes. When saving
+ the core file, systemd-coredump will use the effective uid and gid of
+ the process that faulted.
+
+ * The /sys/module/kernel/parameters/crash_kexec_post_notifiers file is
+ now automatically set to "Y" at boot, in order to enable pstore
+ generation for collection with systemd-pstore.
+
+ * We provide a set of udev rules to enable auto-suspend on PCI and USB
+ devices that were tested to correctly support it. Previously, this
+ was distributed as a set of udev rules, but has now been replaced by
+ by a set of hwdb entries (and a much shorter udev rule to take action
+ if the device modalias matches one of the new hwdb entries).
+
+ As before, entries are periodically imported from the database
+ maintained by the ChromiumOS project. If you have a device that
+ supports auto-suspend correctly and where it should be enabled by
+ default, please submit a patch that adds it to the database (see
+ /usr/lib/udev/hwdb.d/60-autosuspend.hwdb).
+
+ * systemd-udevd gained the new configuration option timeout_signal= as well
+ as a corresponding kernel command line option udev.timeout_signal=.
+ The option can be used to configure the UNIX signal that the main
+ daemon sends to the worker processes on timeout. Setting the signal
+ to SIGABRT is useful for debugging.
+
+ * .link files managed by systemd-udevd gained options RxFlowControl=,
+ TxFlowControl=, AutoNegotiationFlowControl= in the [Link] section, in
+ order to configure various flow control parameters. They also gained
+ RxMiniBufferSize= and RxJumboBufferSize= in order to configure jumbo
+ frame ring buffer sizes.
+
+ * networkd.conf gained a new boolean setting ManageForeignRoutes=. If
+ enabled systemd-networkd manages all routes configured by other tools.
+
+ * .network files managed by systemd-networkd gained a new section
+ [SR-IOV], in order to configure SR-IOV capable network devices.
+
+ * systemd-networkd's [IPv6Prefix] section in .network files gained a
+ new boolean setting Assign=. If enabled an address from the prefix is
+ automatically assigned to the interface.
+
+ * systemd-networkd gained a new section [DHCPv6PrefixDelegation] which
+ controls delegated prefixes assigned by DHCPv6 client. The section
+ has three settings: SubnetID=, Assign=, and Token=. The setting
+ SubnetID= allows explicit configuration of the preferred subnet that
+ systemd-networkd's Prefix Delegation logic assigns to interfaces. If
+ Assign= is enabled (which is the default) an address from any acquired
+ delegated prefix is automatically chosen and assigned to the
+ interface. The setting Token= specifies an optional address generation
+ mode for Assign=.
+
+ * systemd-networkd's [Network] section gained a new setting
+ IPv4AcceptLocal=. If enabled the interface accepts packets with local
+ source addresses.
+
+ * systemd-networkd gained support for configuring the HTB queuing
+ discipline in the [HierarchyTokenBucket] and
+ [HierarchyTokenBucketClass] sections. Similar the "pfifo" qdisc may
+ be configured in the [PFIFO] section, "GRED" in
+ [GenericRandomEarlyDetection], "SFB" in [StochasticFairBlue], "cake"
+ in [CAKE], "PIE" in [PIE], "DRR" in [DeficitRoundRobinScheduler] and
+ [DeficitRoundRobinSchedulerClass], "BFIFO" in [BFIFO],
+ "PFIFOHeadDrop" in [PFIFOHeadDrop], "PFIFOFast" in [PFIFOFast], "HHF"
+ in [HeavyHitterFilter], "ETS" in [EnhancedTransmissionSelection] and
+ "QFQ" in [QuickFairQueueing] and [QuickFairQueueingClass].
+
+ * systemd-networkd gained support for a new Termination= setting in the
+ [CAN] section for configuring the termination resistor. It also
+ gained a new ListenOnly= setting for controlling whether to only
+ listen on CAN interfaces, without interfering with traffic otherwise
+ (which is useful for debugging/monitoring CAN network
+ traffic). DataBitRate=, DataSamplePoint=, FDMode=, FDNonISO= have
+ been added to configure various CAN-FD aspects.
+
+ * systemd-networkd's [DHCPv6] section gained a new option WithoutRA=.
+ When enabled, DHCPv6 will be attempted right-away without requiring an
+ Router Advertisement packet suggesting it first (i.e. without the 'M'
+ or 'O' flags set). The [IPv6AcceptRA] section gained a boolean option
+ DHCPv6Client= that may be used to turn off the DHCPv6 client even if
+ the RA packets suggest it.
+
+ * systemd-networkd's [DHCPv4] section gained a new setting UseGateway=
+ which may be used to turn off use of the gateway information provided
+ by the DHCP lease. A new FallbackLeaseLifetimeSec= setting may be
+ used to configure how to process leases that lack a lifetime option.
+
+ * systemd-networkd's [DHCPv4] and [DHCPServer] sections gained a new
+ setting SendVendorOption= allowing configuration of additional vendor
+ options to send in the DHCP requests/responses. The [DHCPv6] section
+ gained a new SendOption= setting for sending arbitrary DHCP
+ options. RequestOptions= has been added to request arbitrary options
+ from the server. UserClass= has been added to set the DHCP user class
+ field.
+
+ * systemd-networkd's [DHCPServer] section gained a new set of options
+ EmitPOP3=/POP3=, EmitSMTP=/SMTP=, EmitLPR=/LPR= for including server
+ information about these three protocols in the DHCP lease. It also
+ gained support for including "MUD" URLs ("Manufacturer Usage
+ Description"). Support for "MUD" URLs was also added to the LLDP
+ stack, configurable in the [LLDP] section in .network files.
+
+ * The Mode= settings in [MACVLAN] and [MACVTAP] now support 'source'
+ mode. Also, the sections now support a new setting SourceMACAddress=.
+
+ * systemd-networkd's .netdev files now support a new setting
+ VLANProtocol= in the [Bridge] section that allows configuration of
+ the VLAN protocol to use.
+
+ * systemd-networkd supports a new Group= setting in the [Link] section
+ of the .network files, to control the link group.
+
+ * systemd-networkd's [Network] section gained a new
+ IPv6LinkLocalAddressGenerationMode= setting, which specifies how IPv6
+ link local address is generated.
+
+ * A new default .network file is now shipped that matches TUN/TAP
+ devices that begin with "vt-" in their name. Such interfaces will
+ have IP routing onto the host links set up automatically. This is
+ supposed to be used by VM managers to trivially acquire a network
+ interface which is fully set up for host communication, simply by
+ carefully picking an interface name to use.
+
+ * systemd-networkd's [DHCPv6] section gained a new setting RouteMetric=
+ which sets the route priority for routes specified by the DHCP server.
+
+ * systemd-networkd's [DHCPv6] section gained a new setting VendorClass=
+ which configures the vendor class information sent to DHCP server.
+
+ * The BlackList= settings in .network files' [DHCPv4] and
+ [IPv6AcceptRA] sections have been renamed DenyList=. The old names
+ are still understood to provide compatibility.
+
+ * networkctl gained the new "forcerenew" command for forcing all DHCP
+ server clients to renew their lease. The interface "status" output
+ will now show numerous additional fields of information about an
+ interface. There are new "up" and "down" commands to bring specific
+ interfaces up or down.
+
+ * systemd-resolved's DNS= configuration option now optionally accepts a
+ port number (after ":") and a host name (after "#"). When the host
+ name is specified, the DNS-over-TLS certificate is validated to match
+ the specified hostname. Additionally, in case of IPv6 addresses, an
+ interface may be specified (after "%").
+
+ * systemd-resolved may be configured to forward single-label DNS names.
+ This is not standard-conformant, but may make sense in setups where
+ public DNS servers are not used.
+
+ * systemd-resolved's DNS-over-TLS support gained SNI validation.
+
+ * systemd-nspawn's --resolv-conf= switch gained a number of new
+ supported values. Specifically, options starting with "replace-" are
+ like those prefixed "copy-" but replace any existing resolv.conf
+ file. And options ending in "-uplink" and "-stub" can now be used to
+ propagate other flavours of resolv.conf into the container (as
+ defined by systemd-resolved).
+
+ * The various programs included in systemd can now optionally output
+ their log messages on stderr prefixed with a timestamp, controlled by
+ the $SYSTEMD_LOG_TIME environment variable.
+
+ * systemctl gained a new "-P" switch that is a shortcut for "--value
+ --property=…".
+
+ * "systemctl list-units" and "systemctl list-machines" no longer hide
+ their first output column with --no-legend. To hide the first column,
+ use --plain.
+
+ * "systemctl reboot" takes the option "--reboot-argument=".
+ The optional positional argument to "systemctl reboot" is now
+ being deprecated in favor of this option.
+
+ * systemd-run gained a new switch --slice-inherit. If specified the
+ unit it generates is placed in the same slice as the systemd-run
+ process itself.
+
+ * systemd-journald gained support for zstd compression of large fields
+ in journal files. The hash tables in journal files have been hardened
+ against hash collisions. This is an incompatible change and means
+ that journal files created with new systemd versions are not readable
+ with old versions. If the $SYSTEMD_JOURNAL_KEYED_HASH boolean
+ environment variable for systemd-journald.service is set to 0 this
+ new hardening functionality may be turned off, so that generated
+ journal files remain compatible with older journalctl
+ implementations.
+
+ * journalctl will now include a clickable link in the default output for
+ each log message for which an URL with further documentation is
+ known. This is only supported on terminal emulators that support
+ clickable hyperlinks, and is turned off if a pager is used (since
+ "less" still doesn't support hyperlinks,
+ unfortunately). Documentation URLs may be included in log messages
+ either by including a DOCUMENTATION= journal field in it, or by
+ associating a journal message catalog entry with the log message's
+ MESSAGE_ID, which then carries a "Documentation:" tag.
+
+ * journald.conf gained a new boolean setting Audit= that may be used to
+ control whether systemd-journald will enable audit during
+ initialization.
+
+ * when systemd-journald's log stream is broken up into multiple lines
+ because the PID of the sender changed this is indicated in the
+ generated log records via the _LINE_BREAK=pid-change field.
+
+ * journalctl's "-o cat" output mode will now show one or more journal
+ fields specified with --output-fields= instead of unconditionally
+ MESSAGE=. This is useful to retrieve a very specific set of fields
+ without any decoration.
+
+ * The sd-journal.h API gained two new functions:
+ sd_journal_enumerate_available_unique() and
+ sd_journal_enumerate_available_data() that operate like their
+ counterparts that lack the _available_ in the name, but skip items
+ that cannot be read and processed by the local implementation
+ (i.e. are compressed in an unsupported format or such),
+
+ * coredumpctl gained a new --file= switch, matching the same one in
+ journalctl: a specific journal file may be specified to read the
+ coredump data from.
+
+ * coredumps collected by systemd-coredump may now be compressed using
+ the zstd algorithm.
+
+ * systemd-binfmt gained a new switch --unregister for unregistering all
+ registered entries at once. This is now invoked automatically at
+ shutdown, so that binary formats registered with the "F" flag will
+ not block clean file system unmounting.
+
+ * systemd-notify's --pid= switch gained new values: "parent", "self",
+ "auto" for controlling which PID to send to the service manager: the
+ systemd-notify process' PID, or the one of the process invoking it.
+
+ * systemd-logind's Session bus object learnt a new method call
+ SetType() for temporarily updating the session type of an already
+ allocated session. This is useful for upgrading tty sessions to
+ graphical ones once a compositor is invoked.
+
+ * systemd-socket-proxy gained a new switch --exit-idle-time= for
+ configuring an exit-on-idle time.
+
+ * systemd-repart's --empty= setting gained a new value "create". If
+ specified a new empty regular disk image file is created under the
+ specified name. Its size may be specified with the new --size=
+ option. The latter is also supported without the "create" mode, in
+ order to grow existing disk image files to the specified size. These
+ two new options are useful when creating or manipulating disk images
+ instead of operating on actual block devices.
+
+ * systemd-repart drop-ins now support a new UUID= setting to control
+ the UUID to assign to a newly created partition.
+
+ * systemd-repart's SizeMin= per-partition parameter now defaults to 10M
+ instead of 0.
+
+ * systemd-repart's Label= setting now support the usual, simple
+ specifier expansion.
+
+ * systemd-homed's LUKS backend gained the ability to discard empty file
+ system blocks automatically when the user logs out. This is enabled
+ by default to ensure that home directories take minimal space when
+ logged out but get full size guarantees when logged in. This may be
+ controlled with the new --luks-offline-discard= switch to homectl.
+
+ * If systemd-homed detects that /home/ is encrypted as a whole it will
+ now default to the directory or subvolume backends instead of the
+ LUKS backend, in order to avoid double encryption. The default
+ storage and file system may now be configured explicitly, too, via
+ the new /etc/systemd/homed.conf configuration file.
+
+ * systemd-homed now supports unlocking home directories with FIDO2
+ security tokens that support the 'hmac-secret' extension, in addition
+ to the existing support for PKCS#11 security token unlocking
+ support. Note that many recent hardware security tokens support both
+ interfaces. The FIDO2 support is accessible via homectl's
+ --fido2-device= option.
+
+ * homectl's --pkcs11-uri= setting now accepts two special parameters:
+ if "auto" is specified and only one suitable PKCS#11 security token
+ is plugged in, its URL is automatically determined and enrolled for
+ unlocking the home directory. If "list" is specified a brief table of
+ suitable PKCS#11 security tokens is shown. Similar, the new
+ --fido2-device= option also supports these two special values, for
+ automatically selecting and listing suitable FIDO2 devices.
+
+ * The /etc/crypttab tmp option now optionally takes an argument
+ selecting the file system to use. Moreover, the default is now
+ changed from ext2 to ext4.
+
+ * There's a new /etc/crypttab option "keyfile-erase". If specified the
+ key file listed in the same line is removed after use, regardless if
+ volume activation was successful or not. This is useful if the key
+ file is only acquired transiently at runtime and shall be erased
+ before the system continues to boot.
+
+ * There's also a new /etc/crypttab option "try-empty-password". If
+ specified, before asking the user for a password it is attempted to
+ unlock the volume with an empty password. This is useful for
+ installing encrypted images whose password shall be set on first boot
+ instead of at installation time.
+
+ * systemd-cryptsetup will now attempt to load the keys to unlock
+ volumes with automatically from files in
+ /etc/cryptsetup-keys.d/<volume>.key and
+ /run/cryptsetup-keys.d/<volume>.key, if any of these files exist.
+
+ * systemd-cryptsetup may now activate Microsoft BitLocker volumes via
+ /etc/crypttab, during boot.
+
+ * logind.conf gained a new RuntimeDirectoryInodesMax= setting to
+ control the inode limit for the per-user $XDG_RUNTIME_DIR tmpfs
+ instance.
+
+ * A new generator systemd-xdg-autostart-generator has been added. It
+ generates systemd unit files from XDG autostart .desktop files, and
+ may be used to let the systemd user instance manage services that are
+ started automatically as part of the desktop session.
+
+ * "bootctl" gained a new verb "reboot-to-firmware" that may be used
+ to query and change the firmware's 'reboot into firmware' setup flag.
+
+ * systemd-firstboot gained a new switch --kernel-command-line= that may
+ be used to initialize the /etc/kernel/cmdline file of the image. It
+ also gained a new switch --root-password-hashed= which is like
+ --root-password= but accepts a pre-hashed UNIX password as
+ argument. The new option --delete-root-password may be used to unset
+ any password for the root user (dangerous!). The --root-shell= switch
+ may be used to control the shell to use for the root account. A new
+ --force option may be used to override any already set settings with
+ the parameters specified on the command line (by default, the tool
+ will not override what has already been set before, i.e. is purely
+ incremental).
+
+ * systemd-firstboot gained support for a new --image= switch, which is
+ similar to --root= but accepts the path to a disk image file, on
+ which it then operates.
+
+ * A new sd-path.h API has been added to libsystemd. It provides a
+ simple API for retrieving various search paths and primary
+ directories for various resources.
+
+ * A new call sd_notify_barrier() has been added to the sd-daemon.h
+ API. The call will block until all previously sent sd_notify()
+ messages have been processed by the service manager. This is useful
+ to remove races caused by a process already having disappeared at the
+ time a notification message is processed by the service manager,
+ making correct attribution impossible. The systemd-notify tool will
+ now make use of this call implicitly, but this can be turned off again
+ via the new --no-block switch.
+
+ * When sending a file descriptor (fd) to the service manager to keep
+ track of, using the sd_notify() mechanism, a new parameter FDPOLL=0
+ may be specified. If passed the service manager will refrain from
+ poll()ing on the file descriptor. Traditionally (and when the
+ parameter is not specified), the service manager will poll it for
+ POLLHUP or POLLERR events, and immediately close the fds in that
+ case.
+
+ * The service manager (PID1) gained a new D-Bus method call
+ SetShowStatus() which may be used to control whether it shall show
+ boot-time status output on the console. This method has a similar
+ effect to sending SIGRTMIN+20/SIGRTMIN+21 to PID 1.
+
+ * The sd-bus API gained a number of convenience functions that take
+ va_list arguments rather than "...". For example, there's now
+ sd_bus_call_methodv() to match sd_bus_call_method(). Those calls make
+ it easier to build wrappers that accept variadic arguments and want
+ to pass a ready va_list structure to sd-bus.
+
+ * sd-bus vtable entries can have a new SD_BUS_VTABLE_ABSOLUTE_OFFSET
+ flag which alters how the userdata pointer to pass to the callbacks
+ is determined. When the flag is set, the offset field is converted
+ as-is into a pointer, without adding it to the object pointer the
+ vtable is associated with.
+
+ * sd-bus now exposes four new functions:
+ sd_bus_interface_name_is_valid() + sd_bus_service_name_is_valid() +
+ sd_bus_member_name_is_valid() + sd_bus_object_path_is_valid() will
+ validate strings to check if they qualify as various D-Bus concepts.
+
+ * The sd-bus API gained the SD_BUS_METHOD_WITH_ARGS(),
+ SD_BUS_METHOD_WITH_ARGS_OFFSET() and SD_BUS_SIGNAL_WITH_ARGS() macros
+ that simplify adding argument names to D-Bus methods and signals.
+
+ * The man pages for the sd-bus and sd-hwdb APIs have been completed.
+
+ * Various D-Bus APIs of systemd daemons now have man pages that
+ document the methods, signals and properties.
+
+ * The expectations on user/group name syntax are now documented in
+ detail; documentation on how classic home directories may be
+ converted into home directories managed by homed has been added;
+ documentation regarding integration of homed/userdb functionality in
+ desktops has been added:
+
+ https://systemd.io/USER_NAMES
+ https://systemd.io/CONVERTING_TO_HOMED
+ https://systemd.io/USERDB_AND_DESKTOPS
+
+ * Documentation for the on-disk Journal file format has been updated
+ and has now moved to:
+
+ https://systemd.io/JOURNAL_FILE_FORMAT
+
+ * The interface for containers (https://systemd.io/CONTAINER_INTERFACE)
+ has been extended by a set of environment variables that expose
+ select fields from the host's os-release file to the container
+ payload. Similarly, host's os-release files can be mounted into the
+ container underneath /run/host. Together, those mechanisms provide a
+ standardized way to expose information about the host to the
+ container payload. Both interfaces are implemented in systemd-nspawn.
+
+ * All D-Bus services shipped in systemd now implement the generic
+ LogControl1 D-Bus API which allows clients to change log level +
+ target of the service during runtime.
+
+ * Only relevant for developers: the mkosi.default symlink has been
+ dropped from version control. Please create a symlink to one of the
+ distribution-specific defaults in .mkosi/ based on your preference.
+
+ Contributions from: 24bisquitz, Adam Nielsen, Alan Perry, Alexander
+ Malafeev, Amitanand.Chikorde, Alin Popa, Alvin Šipraga, Amos Bird,
+ Andreas Rammhold, AndreRH, Andrew Doran, Anita Zhang, Ankit Jain,
+ antznin, Arnaud Ferraris, Arthur Moraes do Lago, Arusekk, Balaji
+ Punnuru, Balint Reczey, Bastien Nocera, bemarek, Benjamin Berg,
+ Benjamin Dahlhoff, Benjamin Robin, Chris Down, Chris Kerr, Christian
+ Göttsche, Christian Hesse, Christian Oder, Ciprian Hacman, Clinton Roy,
+ codicodi, Corey Hinshaw, Daan De Meyer, Dana Olson, Dan Callaghan,
+ Daniel Fullmer, Daniel Rusek, Dan Streetman, Dave Reisner, David
+ Edmundson, David Wood, Denis Pronin, Diego Escalante Urrelo, Dimitri
+ John Ledkov, dolphrundgren, duguxy, Einsler Lee, Elisei Roca, Emmanuel
+ Garette, Eric Anderson, Eric DeVolder, Evgeny Vereshchagin,
+ ExtinctFire, fangxiuning, Ferran Pallarès Roca, Filipe Brandenburger,
+ Filippo Falezza, Finn, Florian Klink, Florian Mayer, Franck Bui,
+ Frantisek Sumsal, gaurav, Georg Müller, Gergely Polonkai, Giedrius
+ Statkevičius, Gigadoc2, gogogogi, Gaurav Singh, gzjsgdsb, Hans de
+ Goede, Haochen Tong, ianhi, ignapk, Jakov Smolic, James T. Lee, Jan
+ Janssen, Jan Klötzke, Jan Palus, Jay Burger, Jeremy Cline, Jérémy
+ Rosen, Jian-Hong Pan, Jiri Slaby, Joel Shapiro, Joerg Behrmann, Jörg
+ Thalheim, Jouke Witteveen, Kai-Heng Feng, Kenny Levinsen, Kevin
+ Kuehler, Kumar Kartikeya Dwivedi, layderv, laydervus, Lénaïc Huard,
+ Lennart Poettering, Lidong Zhong, Luca Boccassi, Luca BRUNO, Lucas
+ Werkmeister, Lukas Klingsbo, Lukáš Nykrýn, Łukasz Stelmach, Maciej
+ S. Szmigiero, MadMcCrow, Marc-André Lureau, Marcel Holtmann, Marc
+ Kleine-Budde, Martin Hundebøll, Matthew Leeds, Matt Ranostay, Maxim
+ Fomin, MaxVerevkin, Michael Biebl, Michael Chapman, Michael Gubbels,
+ Michael Marley, Michał Bartoszkiewicz, Michal Koutný, Michal Sekletár,
+ Mike Gilbert, Mike Kazantsev, Mikhail Novosyolov, ml, Motiejus Jakštys,
+ nabijaczleweli, nerdopolis, Niccolò Maggioni, Niklas Hambüchen, Norbert
+ Lange, Paul Cercueil, pelzvieh, Peter Hutterer, Piero La Terza, Pieter
+ Lexis, Piotr Drąg, Rafael Fontenelle, Richard Petri, Ronan Pigott, Ross
+ Lagerwall, Rubens Figueiredo, satmandu, Sean-StarLabs, Sebastian
+ Jennen, sterlinghughes, Surhud More, Susant Sahani, szb512, Thomas
+ Haller, Tobias Hunger, Tom, Tomáš Pospíšek, Tomer Shechner, Tom Hughes,
+ Topi Miettinen, Tudor Roman, Uwe Kleine-König, Valery0xff, Vito Caputo,
+ Vladimir Panteleev, Vladyslav Tronko, Wen Yang, Yegor Vialov, Yigal
+ Korman, Yi Gao, YmrDtnJu, Yuri Chornoivan, Yu Watanabe, Zbigniew
+ Jędrzejewski-Szmek, Zhu Li, Дамјан Георгиевски, наб
+
+ – Warsaw, 2020-07-30
+
+CHANGES WITH 245:
+
+ * A new tool "systemd-repart" has been added, that operates as an
+ idempotent declarative repartitioner for GPT partition tables.
+ Specifically, a set of partitions that must or may exist can be
+ configured via drop-in files, and during every boot the partition
+ table on disk is compared with these files, creating missing
+ partitions or growing existing ones based on configurable relative
+ and absolute size constraints. The tool is strictly incremental,
+ i.e. does not delete, shrink or move partitions, but only adds and
+ grows them. The primary use-case is OS images that ship in minimized
+ form, that on first boot are grown to the size of the underlying
+ block device or augmented with additional partitions. For example,
+ the root partition could be extended to cover the whole disk, or a
+ swap or /home partitions could be added on first boot. It can also be
+ used for systems that use an A/B update scheme but ship images with
+ just the A partition, with B added on first boot. The tool is
+ primarily intended to be run in the initrd, shortly before
+ transitioning into the host OS, but can also be run after the
+ transition took place. It automatically discovers the disk backing
+ the root file system, and should hence not require any additional
+ configuration besides the partition definition drop-ins. If no
+ configuration drop-ins are present, no action is taken.
+
+ * A new component "userdb" has been added, along with a small daemon
+ "systemd-userdbd.service" and a client tool "userdbctl". The framework
+ allows defining rich user and group records in a JSON format,
+ extending on the classic "struct passwd" and "struct group"
+ structures. Various components in systemd have been updated to
+ process records in this format, including systemd-logind and
+ pam-systemd. The user records are intended to be extensible, and
+ allow setting various resource management, security and runtime
+ parameters that shall be applied to processes and sessions of the
+ user as they log in. This facility is intended to allow associating
+ such metadata directly with user/group records so that they can be
+ produced, extended and consumed in unified form. We hope that
+ eventually frameworks such as sssd will generate records this way, so
+ that for the first time resource management and various other
+ per-user settings can be configured in LDAP directories and then
+ provided to systemd (specifically to systemd-logind and pam-system)
+ to apply on login. For further details see:
+
+ https://systemd.io/USER_RECORD
+ https://systemd.io/GROUP_RECORD
+ https://systemd.io/USER_GROUP_API
+
+ * A small new service systemd-homed.service has been added, that may be
+ used to securely manage home directories with built-in encryption.
+ The complete user record data is unified with the home directory,
+ thus making home directories naturally migratable. Its primary
+ back-end is based on LUKS volumes, but fscrypt, plain directories,
+ and other storage schemes are also supported. This solves a couple of
+ problems we saw with traditional ways to manage home directories, in
+ particular when it comes to encryption. For further discussion of
+ this, see the video of Lennart's talk at AllSystemsGo! 2019:
+
+ https://media.ccc.de/v/ASG2019-164-reinventing-home-directories
+
+ For further details about the format and expectations on home
+ directories this new daemon makes, see:
+
+ https://systemd.io/HOME_DIRECTORY
+
+ * systemd-journald is now multi-instantiable. In addition to the main
+ instance systemd-journald.service there's now a template unit
+ systemd-journald@.service, with each instance defining a new named
+ log 'namespace' (whose name is specified via the instance part of the
+ unit name). A new unit file setting LogNamespace= has been added,
+ taking such a namespace name, that assigns services to the specified
+ log namespaces. As each log namespace is serviced by its own
+ independent journal daemon, this functionality may be used to improve
+ performance and increase isolation of applications, at the price of
+ losing global message ordering. Each instance of journald has a
+ separate set of configuration files, with possibly different disk
+ usage limitations and other settings.
+
+ journalctl now takes a new option --namespace= to show logs from a
+ specific log namespace. The sd-journal.h API gained
+ sd_journal_open_namespace() for opening the log stream of a specific
+ log namespace. systemd-journald also gained the ability to exit on
+ idle, which is useful in the context of log namespaces, as this means
+ log daemons for log namespaces can be activated automatically on
+ demand and will stop automatically when no longer used, minimizing
+ resource usage.
+
+ * When systemd-tmpfiles copies a file tree using the 'C' line type it
+ will now label every copied file according to the SELinux database.
+
+ * When systemd/PID 1 detects it is used in the initrd it will now boot
+ into initrd.target rather than default.target by default. This should
+ make it simpler to build initrds with systemd as for many cases the
+ only difference between a host OS image and an initrd image now is
+ the presence of the /etc/initrd-release file.
+
+ * A new kernel command line option systemd.cpu_affinity= is now
+ understood. It's equivalent to the CPUAffinity= option in
+ /etc/systemd/system.conf and allows setting the CPU mask for PID 1
+ itself and the default for all other processes.
+
+ * When systemd/PID 1 is reloaded (with systemctl daemon-reload or
+ equivalent), the SELinux database is now reloaded, ensuring that
+ sockets and other file system objects are generated taking the new
+ database into account.
+
+ * systemd/PID 1 accepts a new "systemd.show-status=error" setting, and
+ "quiet" has been changed to imply that instead of
+ "systemd.show-status=auto". In this mode, only messages about errors
+ and significant delays in boot are shown on the console.
+
+ * The sd-event.h API gained native support for the new Linux "pidfd"
+ concept. This permits watching processes using file descriptors
+ instead of PID numbers, which fixes a number of races and makes
+ process supervision more robust and efficient. All of systemd's
+ components will now use pidfds if the kernel supports it for process
+ watching, with the exception of PID 1 itself, unfortunately. We hope
+ to move PID 1 to exclusively using pidfds too eventually, but this
+ requires some more kernel work first. (Background: PID 1 watches
+ processes using waitid() with the P_ALL flag, and that does not play
+ together nicely with pidfds yet.)
+
+ * Closely related to this, the sd-event.h API gained two new calls
+ sd_event_source_send_child_signal() (for sending a signal to a
+ watched process) and sd_event_source_get_child_process_own() (for
+ marking a process so that it is killed automatically whenever the
+ event source watching it is freed).
+
+ * systemd-networkd gained support for configuring Token Bucket Filter
+ (TBF) parameters in its qdisc configuration support. Similarly,
+ support for Stochastic Fairness Queuing (SFQ), Controlled-Delay
+ Active Queue Management (CoDel), and Fair Queue (FQ) has been added.
+
+ * systemd-networkd gained support for Intermediate Functional Block
+ (IFB) network devices.
+
+ * systemd-networkd gained support for configuring multi-path IP routes,
+ using the new MultiPathRoute= setting in the [Route] section.
+
+ * systemd-networkd's DHCPv4 client has been updated to support a new
+ SendDecline= option. If enabled, duplicate address detection is done
+ after a DHCP offer is received from the server. If a conflict is
+ detected, the address is declined. The DHCPv4 client also gained
+ support for a new RouteMTUBytes= setting that allows to configure the
+ MTU size to be used for routes generated from DHCPv4 leases.
+
+ * The PrefixRoute= setting in systemd-networkd's [Address] section of
+ .network files has been deprecated, and replaced by AddPrefixRoute=,
+ with its sense inverted.
+
+ * The Gateway= setting of [Route] sections of .network files gained
+ support for a special new value "_dhcp". If set, the configured
+ static route uses the gateway host configured via DHCP.
+
+ * New User= and SuppressPrefixLength= settings have been implemented
+ for the [RoutingPolicyRule] section of .network files to configure
+ source routing based on UID ranges and prefix length, respectively.
+
+ * The Type= match property of .link files has been generalized to
+ always match the device type shown by 'networkctl status', even for
+ devices where udev does not set DEVTYPE=. This allows e.g. Type=ether
+ to be used.
+
+ * sd-bus gained a new API call sd_bus_message_sensitive() that marks a
+ D-Bus message object as "sensitive". Those objects are erased from
+ memory when they are freed. This concept is intended to be used for
+ messages that contain security sensitive data. A new flag
+ SD_BUS_VTABLE_SENSITIVE has been introduced as well to mark methods
+ in sd-bus vtables, causing any incoming and outgoing messages of
+ those methods to be implicitly marked as "sensitive".
+
+ * sd-bus gained a new API call sd_bus_message_dump() for dumping the
+ contents of a message (or parts thereof) to standard output for
+ debugging purposes.
+
+ * systemd-sysusers gained support for creating users with the primary
+ group named differently than the user.
+
+ * systemd-growfs (i.e. the x-systemd.growfs mount option in /etc/fstab)
+ gained support for growing XFS partitions. Previously it supported
+ only ext4 and btrfs partitions.
+
+ * The support for /etc/crypttab gained a new x-initrd.attach option. If
+ set, the specified encrypted volume is unlocked already in the
+ initrd. This concept corresponds to the x-initrd.mount option in
+ /etc/fstab.
+
+ * systemd-cryptsetup gained native support for unlocking encrypted
+ volumes utilizing PKCS#11 smartcards, i.e. for example to bind
+ encryption of volumes to YubiKeys. This is exposed in the new
+ pkcs11-uri= option in /etc/crypttab.
+
+ * The /etc/fstab support in systemd now supports two new mount options
+ x-systemd.{required,wanted}-by=, for explicitly configuring the units
+ that the specified mount shall be pulled in by, in place of
+ the usual local-fs.target/remote-fs.target.
+
+ * The https://systemd.io/ web site has been relaunched, directly
+ populated with most of the documentation included in the systemd
+ repository. systemd also acquired a new logo, thanks to Tobias
+ Bernard.
+
+ * systemd-udevd gained support for managing "alternative" network
+ interface names, as supported by new Linux kernels. For the first
+ time this permits assigning multiple (and longer!) names to a network
+ interface. systemd-udevd will now by default assign the names
+ generated via all supported naming schemes to each interface. This
+ may be further tweaked with .link files and the AlternativeName= and
+ AlternativeNamesPolicy= settings. Other components of systemd have
+ been updated to support the new alternative names wherever
+ appropriate. For example, systemd-nspawn will now generate
+ alternative interface names for the host-facing side of container
+ veth links based on the full container name without truncation.
+
+ * systemd-nspawn interface naming logic has been updated in another way
+ too: if the main interface name (i.e. as opposed to new-style
+ "alternative" names) based on the container name is truncated, a
+ simple hashing scheme is used to give different interface names to
+ multiple containers whose names all begin with the same prefix. Since
+ this changes the primary interface names pointing to containers if
+ truncation happens, the old scheme may still be requested by
+ selecting an older naming scheme, via the net.naming-scheme= kernel
+ command line option.
+
+ * PrivateUsers= in service files now works in services run by the
+ systemd --user per-user instance of the service manager.
+
+ * A new per-service sandboxing option ProtectClock= has been added that
+ locks down write access to the system clock. It takes away device
+ node access to /dev/rtc as well as the system calls that set the
+ system clock and the CAP_SYS_TIME and CAP_WAKE_ALARM capabilities.
+ Note that this option does not affect access to auxiliary services
+ that allow changing the clock, for example access to
+ systemd-timedated.
+
+ * The systemd-id128 tool gained a new "show" verb for listing or
+ resolving a number of well-known UUIDs/128bit IDs, currently mostly
+ GPT partition table types.
+
+ * The Discoverable Partitions Specification has been updated to support
+ /var and /var/tmp partition discovery. Support for this has been
+ added to systemd-gpt-auto-generator. For details see:
+
+ https://systemd.io/DISCOVERABLE_PARTITIONS
+
+ * "systemctl list-unit-files" has been updated to show a new column
+ with the suggested enablement state based on the vendor preset files
+ for the respective units.
+
+ * "systemctl" gained a new option "--with-dependencies". If specified
+ commands such as "systemctl status" or "systemctl cat" will now show
+ all specified units along with all units they depend on.
+
+ * networkctl gained support for showing per-interface logs in its
+ "status" output.
+
+ * systemd-networkd-wait-online gained support for specifying the maximum
+ operational state to wait for, and to wait for interfaces to
+ disappear.
+
+ * The [Match] section of .link and .network files now supports a new
+ option PermanentMACAddress= which may be used to check against the
+ permanent MAC address of a network device even if a randomized MAC
+ address is used.
+
+ * The [TrafficControlQueueingDiscipline] section in .network files has
+ been renamed to [NetworkEmulator] with the "NetworkEmulator" prefix
+ dropped from the individual setting names.
+
+ * Any .link and .network files that have an empty [Match] section (this
+ also includes empty and commented-out files) will now be
+ rejected. systemd-udev and systemd-networkd started warning about
+ such files in version 243.
+
+ * systemd-logind will now validate access to the operation of changing
+ the virtual terminal via a polkit action. By default, only users
+ with at least one session on a local VT are granted permission.
+
+ * When systemd sets up PAM sessions that invoked service processes
+ shall run in, the pam_setcred() API is now invoked, thus permitting
+ PAM modules to set additional credentials for the processes.
+
+ * portablectl attach/detach verbs now accept --now and --enable options
+ to combine attachment with enablement and invocation, or detachment
+ with stopping and disablement.
+
+ * UPGRADE ISSUE: a bug where some jobs were trimmed as redundant was
+ fixed, which in turn exposed bugs in unit configuration of services
+ which have Type=oneshot and should only run once, but do not have
+ RemainAfterExit=yes set. Without RemainAfterExit=yes, a one-shot
+ service may be started again after exiting successfully, for example
+ as a dependency in another transaction. Affected services included
+ some internal systemd services (most notably
+ systemd-vconsole-setup.service, which was updated to have
+ RemainAfterExit=yes), and plymouth-start.service. Please ensure that
+ plymouth has been suitably updated or patched before upgrading to
+ this systemd release. See
+ https://bugzilla.redhat.com/show_bug.cgi?id=1807771 for some
+ additional discussion.
+
+ Contributions from: AJ Bagwell, Alin Popa, Andreas Rammhold, Anita
+ Zhang, Ansgar Burchardt, Antonio Russo, Arian van Putten, Ashley Davis,
+ Balint Reczey, Bart Willems, Bastien Nocera, Benjamin Dahlhoff, Charles
+ (Chas) Williams, cheese1, Chris Down, Chris Murphy, Christian Ehrhardt,
+ Christian Göttsche, cvoinf, Daan De Meyer, Daniele Medri, Daniel Rusek,
+ Daniel Shahaf, Dann Frazier, Dan Streetman, Dariusz Gadomski, David
+ Michael, Dimitri John Ledkov, Emmanuel Bourg, Evgeny Vereshchagin,
+ ezst036, Felipe Sateler, Filipe Brandenburger, Florian Klink, Franck
+ Bui, Fran Dieguez, Frantisek Sumsal, Greg "GothAck" Miell, Guilhem
+ Lettron, Guillaume Douézan-Grard, Hans de Goede, HATAYAMA Daisuke, Iain
+ Lane, James Buren, Jan Alexander Steffens (heftig), Jérémy Rosen, Jin
+ Park, Jun'ichi Nomura, Kai Krakow, Kevin Kuehler, Kevin P. Fleming,
+ Lennart Poettering, Leonid Bloch, Leonid Evdokimov, lothrond, Luca
+ Boccassi, Lukas K, Lynn Kirby, Mario Limonciello, Mark Deneen, Matthew
+ Leeds, Michael Biebl, Michal Koutný, Michal Sekletár, Mike Auty, Mike
+ Gilbert, mtron, nabijaczleweli, Naïm Favier, Nate Jones, Norbert Lange,
+ Oliver Giles, Paul Davey, Paul Menzel, Peter Hutterer, Piotr Drąg, Rafa
+ Couto, Raphael, rhn, Robert Scheck, Rocka, Romain Naour, Ryan Attard,
+ Sascha Dewald, Shengjing Zhu, Slava Kardakov, Spencer Michaels, Sylvain
+ Plantefeve, Stanislav Angelovič, Susant Sahani, Thomas Haller, Thomas
+ Schmitt, Timo Schlüßler, Timo Wilken, Tobias Bernard, Tobias Klauser,
+ Tobias Stoeckmann, Topi Miettinen, tsia, WataruMatsuoka, Wieland
+ Hoffmann, Wilhelm Schuster, Will Fleming, xduugu, Yong Cong Sin, Yuri
+ Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zeyu
+ DONG
+
+ – Warsaw, 2020-03-06
+
+CHANGES WITH 244:
+
+ * Support for the cpuset cgroups v2 controller has been added.
+ Processes may be restricted to specific CPUs using the new
+ AllowedCPUs= setting, and to specific memory NUMA nodes using the new
+ AllowedMemoryNodes= setting.
+
+ * The signal used in restart jobs (as opposed to e.g. stop jobs) may
+ now be configured using a new RestartKillSignal= setting. This
+ allows units which signals to request termination to implement
+ different behaviour when stopping in preparation for a restart.
+
+ * "systemctl clean" may now be used also for socket, mount, and swap
+ units.
+
+ * systemd will also read configuration options from the EFI variable
+ SystemdOptions. This may be used to configure systemd behaviour when
+ modifying the kernel command line is inconvenient, but configuration
+ on disk is read too late, for example for the options related to
+ cgroup hierarchy setup. 'bootctl systemd-efi-options' may be used to
+ set the EFI variable.
+
+ * systemd will now disable printk ratelimits in early boot. This should
+ allow us to capture more logs from the early boot phase where normal
+ storage is not available and the kernel ring buffer is used for
+ logging. Configuration on the kernel command line has higher priority
+ and overrides the systemd setting.
+
+ systemd programs which log to /dev/kmsg directly use internal
+ ratelimits to prevent runaway logging. (Normally this is only used
+ during early boot, so in practice this change has very little
+ effect.)
+
+ * Unit files now support top level dropin directories of the form
+ <unit_type>.d/ (e.g. service.d/) that may be used to add configuration
+ that affects all corresponding unit files.
+
+ * systemctl gained support for 'stop --job-mode=triggering' which will
+ stop the specified unit and any units which could trigger it.
+
+ * Unit status display now includes units triggering and triggered by
+ the unit being shown.
+
+ * The RuntimeMaxSec= setting is now supported by scopes, not just
+ .service units. This is particularly useful for PAM sessions which
+ create a scope unit for the user login. systemd.runtime_max_sec=
+ setting may used with the pam_systemd module to limit the duration
+ of the PAM session, for example for time-limited logins.
+
+ * A new @pkey system call group is now defined to make it easier to
+ allow-list memory protection syscalls for containers and services
+ which need to use them.
+
+ * systemd-udevd: removed the 30s timeout for killing stale workers on
+ exit. systemd-udevd now waits for workers to finish. The hard-coded
+ exit timeout of 30s was too short for some large installations, where
+ driver initialization could be prematurely interrupted during initrd
+ processing if the root file system had been mounted and init was
+ preparing to switch root. If udevd is run without systemd and workers
+ are hanging while udevd receives an exit signal, udevd will now exit
+ when udev.event_timeout is reached for the last hanging worker. With
+ systemd, the exit timeout can additionally be configured using
+ TimeoutStopSec= in systemd-udevd.service.
+
+ * udev now provides a program (fido_id) that identifies FIDO CTAP1
+ ("U2F")/CTAP2 security tokens based on the usage declared in their
+ report and descriptor and outputs suitable environment variables.
+ This replaces the externally maintained allow lists of all known
+ security tokens that were used previously.
+
+ * Automatically generated autosuspend udev rules for allow-listed
+ devices have been imported from the Chromium OS project. This should
+ improve power saving with many more devices.
+
+ * udev gained a new "CONST{key}=value" setting that allows matching
+ against system-wide constants without forking a helper binary.
+ Currently "arch" and "virt" keys are supported.
+
+ * udev now opens CDROMs in non-exclusive mode when querying their
+ capabilities. This should fix issues where other programs trying to
+ use the CDROM cannot gain access to it, but carries a risk of
+ interfering with programs writing to the disk, if they did not open
+ the device in exclusive mode as they should.
+
+ * systemd-networkd does not create a default route for IPv4 link local
+ addressing anymore. The creation of the route was unexpected and was
+ breaking routing in various cases, but people who rely on it being
+ created implicitly will need to adjust. Such a route may be requested
+ with DefaultRouteOnDevice=yes.
+
+ Similarly, systemd-networkd will not assign a link-local IPv6 address
+ when IPv6 link-local routing is not enabled.
+
+ * Receive and transmit buffers may now be configured on links with
+ the new RxBufferSize= and TxBufferSize= settings.
+
+ * systemd-networkd may now advertise additional IPv6 routes. A new
+ [IPv6RoutePrefix] section with Route= and LifetimeSec= options is
+ now supported.
+
+ * systemd-networkd may now configure "next hop" routes using the
+ [NextHop] section and Gateway= and Id= settings.
+
+ * systemd-networkd will now retain DHCP config on restarts by default
+ (but this may be overridden using the KeepConfiguration= setting).
+ The default for SendRelease= has been changed to true.
+
+ * The DHCPv4 client now uses the OPTION_INFORMATION_REFRESH_TIME option
+ received from the server.
+
+ The client will use the received SIP server list if UseSIP=yes is
+ set.
+
+ The client may be configured to request specific options from the
+ server using a new RequestOptions= setting.
+
+ The client may be configured to send arbitrary options to the server
+ using a new SendOption= setting.
+
+ A new IPServiceType= setting has been added to configure the "IP
+ service type" value used by the client.
+
+ * The DHCPv6 client learnt a new PrefixDelegationHint= option to
+ request prefix hints in the DHCPv6 solicitation.
+
+ * The DHCPv4 server may be configured to send arbitrary options using
+ a new SendOption= setting.
+
+ * The DHCPv4 server may now be configured to emit SIP server list using
+ the new EmitSIP= and SIP= settings.
+
+ * systemd-networkd and networkctl may now renew DHCP leases on demand.
+ networkctl has a new 'networkctl renew' verb.
+
+ * systemd-networkd may now reconfigure links on demand. networkctl
+ gained two new verbs: "reload" will reload the configuration, and
+ "reconfigure DEVICE…" will reconfigure one or more devices.
+
+ * .network files may now match on SSID and BSSID of a wireless network,
+ i.e. the access point name and hardware address using the new SSID=
+ and BSSID= options. networkctl will display the current SSID and
+ BSSID for wireless links.
+
+ .network files may also match on the wireless network type using the
+ new WLANInterfaceType= option.
+
+ * systemd-networkd now includes default configuration that enables
+ link-local addressing when connected to an ad-hoc wireless network.
+
+ * systemd-networkd may configure the Traffic Control queueing
+ disciplines in the kernel using the new
+ [TrafficControlQueueingDiscipline] section and Parent=,
+ NetworkEmulatorDelaySec=, NetworkEmulatorDelayJitterSec=,
+ NetworkEmulatorPacketLimit=, NetworkEmulatorLossRate=,
+ NetworkEmulatorDuplicateRate= settings.
+
+ * systemd-tmpfiles gained a new w+ setting to append to files.
+
+ * systemd-analyze dump will now report when the memory configuration in
+ the kernel does not match what systemd has configured (usually,
+ because some external program has modified the kernel configuration
+ on its own).
+
+ * systemd-analyze gained a new --base-time= switch instructs the
+ 'calendar' verb to resolve times relative to that timestamp instead
+ of the present time.
+
+ * journalctl --update-catalog now produces deterministic output (making
+ reproducible image builds easier).
+
+ * A new devicetree-overlay setting is now documented in the Boot Loader
+ Specification.
+
+ * The default value of the WatchdogSec= setting used in systemd
+ services (the ones bundled with the project itself) may be set at
+ configuration time using the -Dservice-watchdog= setting. If set to
+ empty, the watchdogs will be disabled.
+
+ * systemd-resolved validates IP addresses in certificates now when GnuTLS
+ is being used.
+
+ * libcryptsetup >= 2.0.1 is now required.
+
+ * A configuration option -Duser-path= may be used to override the $PATH
+ used by the user service manager. The default is again to use the same
+ path as the system manager.
+
+ * The systemd-id128 tool gained a new switch "-u" (or "--uuid") for
+ outputting the 128bit IDs in UUID format (i.e. in the "canonical
+ representation").
+
+ * Service units gained a new sandboxing option ProtectKernelLogs= which
+ makes sure the program cannot get direct access to the kernel log
+ buffer anymore, i.e. the syslog() system call (not to be confused
+ with the API of the same name in libc, which is not affected), the
+ /proc/kmsg and /dev/kmsg nodes and the CAP_SYSLOG capability are made
+ inaccessible to the service. It's recommended to enable this setting
+ for all services that should not be able to read from or write to the
+ kernel log buffer, which are probably almost all.
+
+ Contributions from: Aaron Plattner, Alcaro, Anita Zhang, Balint Reczey,
+ Bastien Nocera, Baybal Ni, Benjamin Bouvier, Benjamin Gilbert, Carlo
+ Teubner, cbzxt, Chen Qi, Chris Down, Christian Rebischke, Claudio
+ Zumbo, ClydeByrdIII, crashfistfight, Cyprien Laplace, Daniel Edgecumbe,
+ Daniel Gorbea, Daniel Rusek, Daniel Stuart, Dan Streetman, David
+ Pedersen, David Tardon, Dimitri John Ledkov, Dominique Martinet, Donald
+ A. Cupp Jr, Evgeny Vereshchagin, Fabian Henneke, Filipe Brandenburger,
+ Franck Bui, Frantisek Sumsal, Georg Müller, Hans de Goede, Haochen
+ Tong, HATAYAMA Daisuke, Iwan Timmer, Jan Janssen, Jan Kundrát, Jan
+ Synacek, Jan Tojnar, Jay Strict, Jérémy Rosen, Jóhann B. Guðmundsson,
+ Jonas Jelten, Jonas Thelemann, Justin Trudell, J. Xing, Kai-Heng Feng,
+ Kenneth D'souza, Kevin Becker, Kevin Kuehler, Lennart Poettering,
+ Léonard Gérard, Lorenz Bauer, Luca Boccassi, Maciej Stanczew, Mario
+ Limonciello, Marko Myllynen, Mark Stosberg, Martin Wilck, matthiasroos,
+ Michael Biebl, Michael Olbrich, Michael Tretter, Michal Sekletar,
+ Michal Sekletár, Michal Suchanek, Mike Gilbert, Mike Kazantsev, Nicolas
+ Douma, nikolas, Norbert Lange, pan93412, Pascal de Bruijn, Paul Menzel,
+ Pavel Hrdina, Peter Wu, Philip Withnall, Piotr Drąg, Rafael Fontenelle,
+ Renaud Métrich, Riccardo Schirone, RoadrunnerWMC, Ronan Pigott, Ryan
+ Attard, Sebastian Wick, Serge, Siddharth Chandrasekara, Steve Ramage,
+ Steve Traylen, Susant Sahani, Thibault Nélis, Tim Teichmann, Tom
+ Fitzhenry, Tommy J, Torsten Hilbrich, Vito Caputo, ypf791, Yu Watanabe,
+ Zach Smith, Zbigniew Jędrzejewski-Szmek
+
+ – Warsaw, 2019-11-29
+
+CHANGES WITH 243:
* This release enables unprivileged programs (i.e. requiring neither
setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests
the IO accounting data is included in the resource log message
generated whenever a unit stops.
- * Units may now configure an explicit time-out to wait for when killed
+ * Units may now configure an explicit timeout to wait for when killed
with SIGABRT, for example when a service watchdog is hit. Previously,
- the regular TimeoutStopSec= time-out was applied in this case too —
- now a separate time-out may be set using TimeoutAbortSec=.
+ the regular TimeoutStopSec= timeout was applied in this case too —
+ now a separate timeout may be set using TimeoutAbortSec=.
* Services may now send a special WATCHDOG=trigger message with
sd_notify() to trigger an immediate "watchdog missed" event, and thus
* If processes terminated during the last phase of shutdown do not exit
quickly systemd will now show their names after a short time, to make
- debugging easier. After a longer time-out they are forcibly killed,
+ debugging easier. After a longer timeout they are forcibly killed,
as before.
* journalctl (and the other tools that display logs) will now highlight
* systemd-networkd's DHCPv4 support now understands a new MaxAttempts=
option for configuring the maximum number of DHCP lease requests. It
- also learnt a new BlackList= option for blacklisting DHCP servers (a
+ also learnt a new BlackList= option for deny-listing DHCP servers (a
similar setting has also been added to the IPv6 RA client), as well
as a SendRelease= option for configuring whether to send a DHCP
RELEASE message when terminating.
* systemd-networkd's TUN support gained a new setting VnetHeader= for
tweaking Generic Segment Offload support.
+ * The address family for policy rules may be specified using the new
+ Family= option in the [RoutingPolicyRule] section.
+
* networkctl gained a new "delete" command for removing virtual network
devices, as well as a new "--stats" switch for showing device
statistics.
been renamed to LinkLayerAddress=, and it now allows configuration of
IP addresses, too.
+ * systemd-networkd's handling of the kernel's disable_ipv6 sysctl is
+ simplified: systemd-networkd will disable the sysctl (enable IPv6) if
+ IPv6 configuration (static or DHCPv6) was found for a given
+ interface. It will not touch the sysctl otherwise.
+
+ * The order of entries is $PATH used by the user manager instance was
+ changed to put bin/ entries before the corresponding sbin/ entries.
+ It is recommended to not rely on this order, and only ever have one
+ binary with a given name in the system paths under /usr.
+
* A new tool systemd-network-generator has been added that may generate
.network, .netdev and .link files from IP configuration specified on
the kernel command line in the format used by Dracut.
* SuccessExitStatus=, RestartPreventExitStatus=, and
RestartForceExitStatus= now accept exit status names (e.g. "DATAERR"
is equivalent to "65"). Those exit status name mappings may be
- displayed with the sytemd-analyze exit-status verb describe above.
+ displayed with the systemd-analyze exit-status verb describe above.
* systemd-logind now exposes a per-session SetBrightness() bus call,
which may be used to securely change the brightness of a kernel
space if there are multiple devices with the highest priority.
* /etc/crypttab support has learnt a new keyfile-timeout= per-device
- option that permits selecting the timout how long to wait for a
+ option that permits selecting the timeout how long to wait for a
device with an encryption key before asking for the password.
* IOWeight= has learnt to properly set the IO weight when using the
BFQ scheduler officially found in kernels 5.0+.
+ * A new mailing list has been created for reporting of security issues:
+ systemd-security@redhat.com. For mode details, see
+ https://systemd.io/CONTRIBUTING#security-vulnerability-reports.
+
Contributions from: Aaron Barany, Adrian Bunk, Alan Jenkins, Albrecht
Lohofener, Andrej Valek, Anita Zhang, Arian van Putten, Balint Reczey,
Bastien Nocera, Ben Boeckel, Benjamin Robin, camoz, Chen Qi, Chris
- Chiu, Chris Down, Christian Kellner, Clinton Roy, Connor Reeder, Daniel
- Black, Daniele Medri, Dan Streetman, Dave Reisner, Dave Ross, David
- Art, David Tardon, Debarshi Ray, Dominick Grift, Donald Buczek, Douglas
+ Chiu, Chris Down, Christian Göttsche, Christian Kellner, Clinton Roy,
+ Connor Reeder, Daniel Black, Daniel Lublin, Daniele Medri, Dan
+ Streetman, Dave Reisner, Dave Ross, David Art, David Tardon, Debarshi
+ Ray, Dimitri John Ledkov, Dominick Grift, Donald Buczek, Douglas
Christman, Eric DeVolder, EtherGraf, Evgeny Vereshchagin, Feldwor,
Felix Riemann, Florian Dollinger, Francesco Pennica, Franck Bui,
- Frantisek Sumsal, Franz Pletz, frederik, Hans de Goede, Iago López
+ Frantisek Sumsal, Franz Pletz, frederik, Hans de Goede, Iago López
Galeiras, Insun Pyo, Ivan Shapovalov, Iwan Timmer, Jack, Jakob
- Unterwurzacher, Jan Klötzke, Jan Pokorný, Jan Synacek, Jeka Pats,
- Jérémy Rosen, Jiri Pirko, Joe Lin, Joerg Behrmann, Joe Richey, Jóhann
- B. Guðmundsson, Johannes Christ, Johannes Schmitz, Jonathan Rouleau,
- Jorge Niedbalski, Kai Krakow, Kai Lüke, Karel Zak, Kashyap Chamarthy,
+ Unterwurzacher, Jan Chren, Jan Klötzke, Jan Losinski, Jan Pokorný, Jan
+ Synacek, Jan-Michael Brummer, Jeka Pats, Jeremy Soller, Jérémy Rosen,
+ Jiri Pirko, Joe Lin, Joerg Behrmann, Joe Richey, Jóhann B. Guðmundsson,
+ Johannes Christ, Johannes Schmitz, Jonathan Rouleau, Jorge Niedbalski,
+ Jörg Thalheim, Kai Krakow, Kai Lüke, Karel Zak, Kashyap Chamarthy,
Krayushkin Konstantin, Lennart Poettering, Lubomir Rintel, Luca
Boccassi, Luís Ferreira, Marc-André Lureau, Markus Felten, Martin Pitt,
Matthew Leeds, Mattias Jernberg, Michael Biebl, Michael Olbrich,
Michael Prokop, Michael Stapelberg, Michael Zhivich, Michal Koutný,
Michal Sekletar, Mike Gilbert, Milan Broz, Miroslav Lichvar, mpe85,
Mr-Foo, Network Silence, Oliver Harley, pan93412, Paul Menzel, pEJipE,
- Peter A. Bigot, Philip Withnall, Piotr Drąg, Rafael Fontenelle, Roberto
- Santalla, Ronan Pigott, root, RussianNeuroMancer, Sebastian Jennen,
- shinygold, Shreyas Behera, Simon Schricker, Susant Sahani, Thadeu Lima
- de Souza Cascardo, Theo Ouzhinski, Thiebaud Weksteen, Thomas Haller,
- Thomas Weißschuh, Tomas Mraz, Tommi Rantala, Topi Miettinen, ven,
- Wieland Hoffmann, William A. Kennington III, William Wold, Xi Ruoyao,
- Yuri Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek,
- Zhang Xianwei
+ Peter A. Bigot, Philip Withnall, Piotr Drąg, Rafael Fontenelle, Robert
+ Scheck, Roberto Santalla, Ronan Pigott, root, RussianNeuroMancer,
+ Sebastian Jennen, shinygold, Shreyas Behera, Simon Schricker, Susant
+ Sahani, Thadeu Lima de Souza Cascardo, Theo Ouzhinski, Thiebaud
+ Weksteen, Thomas Haller, Thomas Weißschuh, Tomas Mraz, Tommi Rantala,
+ Topi Miettinen, VD-Lycos, ven, Vladimir Yerilov, Wieland Hoffmann,
+ William A. Kennington III, William Wold, Xi Ruoyao, Yuri Chornoivan,
+ Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zhang Xianwei
- – Somewhere, SOME-TI-ME
+ – Camerino, 2019-09-03
CHANGES WITH 242:
a client with a Wi-Fi and Ethernet both connected to the internet).
Consult the kernel documentation for details on this sysctl:
- https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
+ https://docs.kernel.org/networking/ip-sysctl.html
+
+ * The v239 change to turn on "net.ipv4.tcp_ecn" by default has been
+ reverted.
* CPUAccounting=yes no longer enables the CPU controller when using
kernel 4.15+ and the unified cgroup hierarchy, as required accounting
any relevant symlinks both in /run and /etc.
* Note that all long-running system services shipped with systemd will
- now default to a system call whitelist (rather than a blacklist, as
+ now default to a system call allow list (rather than a deny list, as
before). In particular, systemd-udevd will now enforce one too. For
most cases this should be safe, however downstream distributions
which disabled sandboxing of systemd-udevd (specifically the
MountFlags= setting), might want to disable this security feature
- too, as the default whitelisting will prohibit all mount, swap,
+ too, as the default allow-listing will prohibit all mount, swap,
reboot and clock changing operations from udev rules.
* sd-boot acquired new loader configuration settings to optionally turn
lookup is likely to trigger nss-ldap which in turn might use NSS to
ask systemd-resolved for hostname lookups. This will hence result in
a deadlock: a user name lookup in order to start
- systemd-resolved.service will result in a host name lookup for which
+ systemd-resolved.service will result in a hostname lookup for which
systemd-resolved.service needs to be started already. There are
multiple ways to work around this problem: pre-allocate the
"systemd-resolve" user on such systems, so that nss-ldap won't be
by default even when owned by root and read-only. This behaviour was
inherited from older tools, but there have been requests to remove
it, and it's not obvious why this restriction was made in the first
- place. Please speak up now, if you are aware of software that reqires
+ place. Please speak up now, if you are aware of software that requires
this behaviour, otherwise we'll remove the restriction in v238.
* A new environment variable $SYSTEMD_OFFLINE is now understood by
A/AAAA resource record for the "_gateway" hostname, pointing to the
current default IP gateway. Previously it did that for the "gateway"
name, hampering adoption, as some distributions wanted to leave that
- host name open for local use. The old behaviour may still be
+ hostname open for local use. The old behaviour may still be
requested at build time.
* systemd-networkd's [Address] section in .network files gained a new
* systemd-nspawn gained support for a new --system-call-filter= command
line option for adding and removing entries in the default system
call filter it applies. Moreover systemd-nspawn has been changed to
- implement a system call whitelist instead of a blacklist.
+ implement a system call allow list instead of a deny list.
* systemd-run gained support for a new --pipe command line option. If
used the STDIN/STDOUT/STDERR file descriptors passed to systemd-run
temporary directory is passed as the entry directory and removed
after all the plugins exit.
+ * If KERNEL_INSTALL_MACHINE_ID is set in /etc/machine-info, kernel-install
+ will now use its value as the machine ID instead of the machine ID
+ from /etc/machine-id. If KERNEL_INSTALL_MACHINE_ID isn't set in
+ /etc/machine-info and no machine ID is set in /etc/machine-id,
+ kernel-install will try to store the current machine ID there as
+ KERNEL_INSTALL_MACHINE_ID. If there is no machine ID, kernel-install
+ will generate a new UUID, store it in /etc/machine-info as
+ KERNEL_INSTALL_MACHINE_ID and use it as the machine ID.
+
Contributions from: Adrian Heine né Lang, Aggelos Avgerinos, Alexander
Kurtz, Alexandros Frantzis, Alexey Brodkin, Alex Lu, Amir Pakdel, Amir
Yalon, Anchor Cat, Anthony Parsons, Bastien Nocera, Benjamin Gilbert,
* sd-id128 gained a new API for generating unique IDs for the host in a
way that does not leak the machine ID. Specifically,
sd_id128_get_machine_app_specific() derives an ID based on the
- machine ID a in well-defined, non-reversible, stable way. This is
+ machine ID in a well-defined, non-reversible, stable way. This is
useful whenever an identifier for the host is needed but where the
identifier shall not be useful to identify the system beyond the
scope of the application itself. (Internally this uses HMAC-SHA256 as
that is removed when the container dies. Specifically, if the source
directory is specified as empty string this mechanism is selected. An
example usage is --overlay=+/var::/var, which creates an overlay
- mount based on the original /var contained in the image, overlayed
+ mount based on the original /var contained in the image, overlaid
with a temporary directory in the host's /var/tmp. This way changes
to /var are automatically flushed when the container shuts down.
* Support for dynamically creating users for the lifetime of a service
has been added. If DynamicUser=yes is specified, user and group IDs
- will be allocated from the range 61184..65519 for the lifetime of the
+ will be allocated from the range 61184…65519 for the lifetime of the
service. They can be resolved using the new nss-systemd.so NSS
module. The module must be enabled in /etc/nsswitch.conf. Services
started in this way have PrivateTmp= and RemoveIPC= enabled, so that
again don't consider turning this on in your stable, LTS or
production release just yet. (Note that you have to enable
nss-resolve in /etc/nsswitch.conf, to actually use systemd-resolved
- and its DNSSEC mode for host name resolution from local
+ and its DNSSEC mode for hostname resolution from local
applications.)
* systemd-resolve conveniently resolves DANE records with the --tlsa
* The LimitNICE= setting now optionally takes normal UNIX nice values
in addition to the raw integer limit value. If the specified
- parameter is prefixed with "+" or "-" and is in the range -20..19 the
+ parameter is prefixed with "+" or "-" and is in the range -20…19 the
value is understood as UNIX nice value. If not prefixed like this it
is understood as raw RLIMIT_NICE limit.
individual indexes.
* The various memory-related resource limit settings (such as
- LimitAS=) now understand the usual K, M, G, ... suffixes to
+ LimitAS=) now understand the usual K, M, G, … suffixes to
the base of 1024 (IEC). Similar, the time-related resource
- limit settings understand the usual min, h, day, ...
- suffixes now.
+ limit settings understand the usual min, h, day, … suffixes
+ now.
* There's a new system.conf setting DefaultTasksMax= to
control the default TasksMax= setting for services and
* New /etc/fstab options x-systemd.requires= and
x-systemd.requires-mounts-for= are now supported to express
additional dependencies for mounts. This is useful for
- journalling file systems that support external journal
+ journaling file systems that support external journal
devices or overlay file systems that require underlying file
systems to be mounted.
fsck's progress report to an AF_UNIX socket in the file
system.
- * udev will no longer create device symlinks for all block
- devices by default. A blacklist for excluding special block
- devices from this logic has been turned into a whitelist
- that requires picking block devices explicitly that require
- device symlinks.
+ * udev will no longer create device symlinks for all block devices by
+ default. A deny list for excluding special block devices from this
+ logic has been turned into an allow list that requires picking block
+ devices explicitly that require device symlinks.
* A new (currently still internal) API sd-device.h has been
added to libsystemd. This modernized API is supposed to
* /usr/lib/os-release gained a new optional field VARIANT= for
distributions that support multiple variants (such as a
- desktop edition, a server edition, ...)
+ desktop edition, a server edition, …)
Contributions from: Aaro Koskinen, Adam Goode, Alban Crequy,
Alberto Fanjul Alonso, Alexander Sverdlin, Alex Puchades, Alin
for a unit, as declared in the (usually vendor-supplied)
system preset files.
- * nss-myhostname will now resolve the single-label host name
+ * nss-myhostname will now resolve the single-label hostname
"gateway" to the locally configured default IP routing
gateways, ordered by their metrics. This assigns a stable
name to the used gateways, regardless which ones are
currently configured. Note that the name will only be
resolved after all other name sources (if nss-myhostname is
configured properly) and should hence not negatively impact
- systems that use the single-label host name "gateway" in
+ systems that use the single-label hostname "gateway" in
other contexts.
* systemd-inhibit now allows filtering by mode when listing
* nspawn's --link-journal= switch gained two new values
"try-guest" and "try-host" that work like "guest" and
"host", but do not fail if the host has no persistent
- journalling enabled. -j is now equivalent to
+ journaling enabled. -j is now equivalent to
--link-journal=try-guest.
* macvlan network devices created by nspawn will now have
into account when storing rfkill state on disk, as the name
might be dynamically assigned and not stable. Instead, the
ID_PATH udev variable combined with the rfkill type (wlan,
- bluetooth, ...) is used.
+ bluetooth, …) is used.
* A new service systemd-machine-id-commit.service has been
added. When used on systems where /etc is read-only during
* Calendar time specifications in .timer units now also
understand the strings "semi-annually", "quarterly" and
"minutely" as shortcuts (in addition to the preexisting
- "anually", "hourly", ...).
+ "annually", "hourly", …).
* systemd-tmpfiles will now correctly create files in /dev
at boot which are marked for creation only at boot. It is
* A new fsck.repair= kernel option has been added to control
how fsck shall deal with unclean file systems at boot.
- * The (.ini) configuration file parser will now silently
- ignore sections whose name begins with "X-". This may be
- used to maintain application-specific extension sections in unit
- files.
+ * The (.ini) configuration file parser will now silently ignore
+ sections whose names begin with "X-". This may be used to maintain
+ application-specific extension sections in unit files.
* machined gained a new API to query the IP addresses of
registered containers. "machinectl status" has been updated
also supports LUKS-encrypted partitions now. With this in
place, automatic discovery of partitions to mount following
the Discoverable Partitions Specification
- (https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec)
+ (https://systemd.io/DISCOVERABLE_PARTITIONS/)
is now a lot more complete. This allows booting without
/etc/fstab and without root= on the kernel command line on
systems prepared appropriately.
reported by uname()'s "machine" field.
* systemd-networkd now supports matching on the system
- virtualization, architecture, kernel command line, host name
+ virtualization, architecture, kernel command line, hostname
and machine ID.
* logind is now a lot more aggressive when suspending the
Wikipedia. We explicitly document which base applies for
each configuration option.
- * The DeviceAllow= setting in unit files now supports a syntax
- to whitelist an entire group of devices node majors at once,
- based on the /proc/devices listing. For example, with the
- string "char-pts", it is now possible to whitelist all
- current and future pseudo-TTYs at once.
+ * The DeviceAllow= setting in unit files now supports a syntax to
+ allow-list an entire group of devices node majors at once, based on
+ the /proc/devices listing. For example, with the string "char-pts",
+ it is now possible to allow-list all current and future pseudo-TTYs
+ at once.
* sd-event learned a new "post" event source. Event sources of
this type are triggered by the dispatching of any event
match against MAC address, device path, driver name and type,
and will apply attributes like the naming policy, link speed,
MTU, duplex settings, Wake-on-LAN settings, MAC address, MAC
- address assignment policy (randomized, ...).
+ address assignment policy (randomized, …).
* The configuration of network interface naming rules for
"permanent interface names" has changed: a new NamePolicy=
recent boots with their times and boot IDs.
* The various tools like systemctl, loginctl, timedatectl,
- busctl, systemd-run, ... have gained a new switch "-M" to
+ busctl, systemd-run, … have gained a new switch "-M" to
connect to a specific, local OS container (as direct
connection, without requiring SSH). This works on any
container that is registered with machined, such as those
example, a line that creates /run/nologin).
* A new API "sd-resolve.h" has been added which provides a simple
- asynchronous wrapper around glibc NSS host name resolution
+ asynchronous wrapper around glibc NSS hostname resolution
calls, such as getaddrinfo(). In contrast to glibc's
getaddrinfo_a(), it does not use signals. In contrast to most
other asynchronous name resolution libraries, this one does
not reimplement DNS, but reuses NSS, so that alternate
- host name resolution systems continue to work, such as mDNS,
+ hostname resolution systems continue to work, such as mDNS,
LDAP, etc. This API is based on libasyncns, but it has been
cleaned up for inclusion in systemd.
* If a privileged process logs a journal message with the
OBJECT_PID= field set, then journald will automatically
augment this with additional OBJECT_UID=, OBJECT_GID=,
- OBJECT_COMM=, OBJECT_EXE=, ... fields. This is useful if
+ OBJECT_COMM=, OBJECT_EXE=, … fields. This is useful if
system services want to log events about specific client
processes. journactl/systemctl has been updated to make use
of this information if all log messages regarding a specific
* 'systemctl status' will also shown information about any
drop-in configuration file for units. (Drop-In configuration
files in this context are files such as
- /etc/systemd/systemd/foobar.service.d/*.conf)
+ /etc/systemd/system/foobar.service.d/*.conf)
* systemd-cgtop now optionally shows summed up CPU times of
cgroups. Press '%' while running cgtop to switch between
only in conjunction with Gummiboot, but could be supported
by other boot loaders too. For details see:
- https://www.freedesktop.org/wiki/Software/systemd/BootLoaderInterface
+ https://systemd.io/BOOT_LOADER_INTERFACE
* A new generator has been added that automatically mounts the
EFI System Partition (ESP) to /boot, if that directory
* A new tool kernel-install has been added that can install
kernel images according to the Boot Loader Specification:
- https://www.freedesktop.org/wiki/Specifications/BootLoaderSpec
+ https://systemd.io/BOOT_LOADER_SPECIFICATION
* Boot time console output has been improved to provide
animated boot time output for hanging jobs.
based on a calendar time specification such as "Thu,Fri
2013-*-1,5 11:12:13" which refers to 11:12:13 of the first
or fifth day of any month of the year 2013, given that it is
- a thursday or friday. This brings timer event support
+ a Thursday or a Friday. This brings timer event support
considerably closer to cron's capabilities. For details on
the supported calendar time specification language see
systemd.time(7).
of these policies is now the default. Please see this wiki
document for details:
- https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames
+ https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html
* Auke Kok's bootchart implementation has been added to the
systemd tree. It is an optional component that can graph the
inhibitors during their runtime. A simple way to achieve
that is to invoke the DE wrapped in an invocation of:
- systemd-inhibit --what=handle-power-key:handle-sleep-key:handle-lid-switch ...
+ systemd-inhibit --what=handle-power-key:handle-sleep-key:handle-lid-switch …
* Access to unit operations is now checked via SELinux taking
the unit file label and client process label into account.
when he over-mounts a non-empty directory.
* There are new specifiers that are resolved in unit files,
- for the host name (%H), the machine ID (%m) and the boot ID
+ for the hostname (%H), the machine ID (%m) and the boot ID
(%b).
Contributions from: Allin Cottrell, Auke Kok, Brandon Philips,
* journalctl gained the new "--header" switch to introspect
header data of journal files.
- * A new setting SystemCallFilters= has been added to services
- which may be used to apply blacklists or whitelists to
- system calls. This is based on SECCOMP Mode 2 of Linux 3.5.
+ * A new setting SystemCallFilters= has been added to services which may
+ be used to apply deny lists or allow lists to system calls. This is
+ based on SECCOMP Mode 2 of Linux 3.5.
* nspawn gained a new --link-journal= switch (and quicker: -j)
to link the container journal with the host. This makes it
should be used to create dead device nodes as workarounds for broken
subsystems.
- * udev: RUN+="socket:..." and udev_monitor_new_from_socket() is
+ * udev: RUN+="socket:…" and udev_monitor_new_from_socket() is
no longer supported. udev_monitor_new_from_netlink() needs to be
used to subscribe to events.
* A framework for implementing offline system updates is now
integrated, for details see:
- https://www.freedesktop.org/wiki/Software/systemd/SystemUpdates
+ https://www.freedesktop.org/software/systemd/man/systemd.offline-updates.html
* A new service type Type=idle is available now which helps us
avoiding ugly interleaving of getty output and boot status
* Processes with '@' in argv[0][0] are now excluded from the
final shut-down killing spree, following the logic explained
in:
- https://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons
+ https://systemd.io/ROOT_STORAGE_DAEMONS/
* All processes remaining in a service cgroup when we enter
the START or START_PRE states are now killed with
projects / systemd.git / blobdiff