systemd System and Service Manager
+CHANGES WITH 252 🎃:
+
+ Announcements of Future Feature Removals:
+
+ * We intend to remove cgroup v1 support from systemd release after the
+ end of 2023. If you run services that make explicit use of cgroup v1
+ features (i.e. the "legacy hierarchy" with separate hierarchies for
+ each controller), please implement compatibility with cgroup v2 (i.e.
+ the "unified hierarchy") sooner rather than later. Most of Linux
+ userspace has been ported over already.
+
+ * We intend to remove support for split-usr (/usr mounted separately
+ during boot) and unmerged-usr (parallel directories /bin and
+ /usr/bin, /lib and /usr/lib, etc). This will happen in the second
+ half of 2023, in the first release that falls into that time window.
+ For more details, see:
+ https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html
+
+ Compatibility Breaks:
+
+ * ConditionKernelVersion= checks that use the '=' or '!=' operators
+ will now do simple string comparisons (instead of version comparisons
+ á la stverscmp()). Version comparisons are still done for the
+ ordering operators '<', '>', '<=', '>='. Moreover, if no operator is
+ specified, a shell-style glob match is now done. This creates a minor
+ incompatibility compared to older systemd versions when the '*', '?',
+ '[', ']' characters are used, as these will now match as shell globs
+ instead of literally. Given that kernel version strings typically do
+ not include these characters we expect little breakage through this
+ change.
+
+ * The service manager will now read the SELinux label used for SELinux
+ access checks from the unit file at the time it loads the file.
+ Previously, the label would be read at the moment of the access
+ check, which was problematic since at that time the unit file might
+ already have been updated or removed.
+
+ New Features:
+
+ * systemd-measure is a new tool for calculating and signing expected
+ TPM2 PCR values for a given unified kernel image (UKI) booted via
+ sd-stub. The public key used for the signature and the signed
+ expected PCR information can be embedded inside the UKI. This
+ information can be extracted from the UKI by external tools and code
+ in the image itself and is made available to userspace in the booted
+ kernel.
+
+ systemd-cryptsetup, systemd-cryptenroll, and systemd-creds have been
+ updated to make use of this information if available in the booted
+ kernel: when locking an encrypted volume/credential to the TPM
+ systemd-cryptenroll/systemd-creds will use the public key to bind the
+ volume/credential to any kernel that carries PCR information signed
+ by the same key pair. When unlocking such volumes/credentials
+ systemd-cryptsetup/systemd-creds will use the signature embedded in
+ the booted UKI to gain access.
+
+ Binding TPM-based disk encryption to public keys/signatures of PCR
+ values — instead of literal PCR values — addresses the inherent
+ "brittleness" of traditional PCR-bound TPM disk encryption schemes:
+ disks remain accessible even if the UKI is updated, without any TPM
+ specific preparation during the OS update — as long as each UKI
+ carries the necessary PCR signature information.
+
+ Net effect: if you boot a properly prepared kernel, TPM-bound disk
+ encryption now defaults to be locked to kernels which carry PCR
+ signatures from the same key pair. Example: if a hypothetical distro
+ FooOS prepares its UKIs like this, TPM-based disk encryption is now –
+ by default – bound to only FooOS kernels, and encrypted volumes bound
+ to the TPM cannot be unlocked on kernels from other sources. (But do
+ note this behaviour requires preparation/enabling in the UKI, and of
+ course users can always enroll non-TPM ways to unlock the volume.)
+
+ * systemd-pcrphase is a new tool that is invoked at six places during
+ system runtime, and measures additional words into TPM2 PCR 11, to
+ mark milestones of the boot process. This allows binding access to
+ specific TPM2-encrypted secrets to specific phases of the boot
+ process. (Example: LUKS2 disk encryption key only accessible in the
+ initrd, but not later.)
+
+ Changes in systemd itself, i.e. the manager and units
+
+ * The cpu controller is delegated to user manager units by default, and
+ CPUWeight= settings are applied to the top-level user slice units
+ (app.slice, background.slice, session.slice). This provides a degree
+ of resource isolation between different user services competing for
+ the CPU.
+
+ * Systemd can optionally do a full preset in the "first boot" condition
+ (instead of just enable-only). This behaviour is controlled by the
+ compile-time option -Dfirst-boot-full-preset. Right now it defaults
+ to 'false', but the plan is to switch it to 'true' for the subsequent
+ release.
+
+ * Drop-ins are now allowed for transient units too.
+
+ * Systemd will set the taint flag 'support-ended' if it detects that
+ the OS image is past its end-of-support date. This date is declared
+ in a new /etc/os-release field SUPPORT_END= described below.
+
+ * Two new settings ConditionCredential= and AssertCredential= can be
+ used to skip or fail units if a certain system credential is not
+ provided.
+
+ * ConditionMemory= accepts size suffixes (K, M, G, T, …).
+
+ * DefaultSmackProcessLabel= can be used in system.conf and user.conf to
+ specify the SMACK security label to use when not specified in a unit
+ file.
+
+ * DefaultDeviceTimeoutSec= can be used in system.conf and user.conf to
+ specify the default timeout when waiting for device units to
+ activate.
+
+ * C.UTF-8 is used as the default locale if nothing else has been
+ configured.
+
+ * [Condition|Assert]Firmware= have been extended to support certain
+ SMBIOS fields. For example
+
+ ConditionFirmware=smbios-field(board_name = "Custom Board")
+
+ conditionalizes the unit to run only when
+ /sys/class/dmi/id/board_name contains "Custom Board" (without the
+ quotes).
+
+ * ConditionFirstBoot= now correctly evaluates as true only during the
+ boot phase of the first boot. A unit executed later, after booting
+ has completed, will no longer evaluate this condition as true.
+
+ * Socket units will now create sockets in the SELinuxContext= of the
+ associated service unit, if any.
+
+ * Boot phase transitions (start initrd → exit initrd → boot complete →
+ shutdown) will be measured into TPM2 PCR 11, so that secrets can be
+ bound to a specific runtime phase. E.g.: a LUKS encryption key can be
+ unsealed only in the initrd.
+
+ * Service credentials (i.e. SetCredential=/LoadCredential=/…) will now
+ also be provided to ExecStartPre= processes.
+
+ * Various units are now correctly ordered against
+ initrd-switch-root.target where previously a conflict without
+ ordering was configured. A stop job for those units would be queued,
+ but without the ordering it could be executed only after
+ initrd-switch-root.service, leading to units not being restarted in
+ the host system as expected.
+
+ * In order to fully support the IPMI watchdog driver, which has not yet
+ been ported to the new common watchdog device interface,
+ /dev/watchdog0 will be tried first and systemd will silently fallback
+ to /dev/watchdog if it is not found.
+
+ * New watchdog-related D-Bus properties are now published by systemd:
+ WatchdogDevice, WatchdogLastPingTimestamp,
+ WatchdogLastPingTimestampMonotonic.
+
+ * At shutdown, API virtual files systems (proc, sys, etc.) will be
+ unmounted lazily.
+
+ * At shutdown, systemd will now log about processes blocking unmounting
+ of file systems.
+
+ * A new meson build option 'clock-valid-range-usec-max' was added to
+ allow disabling system time correction if RTC returns a timestamp far
+ in the future.
+
+ * Propagated restart jobs will no longer be discarded while a unit is
+ activating.
+
+ * PID 1 will now import system credentials from SMBIOS Type 11 fields
+ ("OEM vendor strings"), in addition to qemu_fwcfg. This provides a
+ simple, fast and generic path for supplying credentials to a VM,
+ without involving external tools such as cloud-init/ignition.
+
+ * The CPUWeight= setting of unit files now accepts a new special value
+ "idle", which configures "idle" level scheduling for the unit.
+
+ * Service processes that are activated due to a .timer or .path unit
+ triggering will now receive information about this via environment
+ variables. Note that this is information is lossy, as activation
+ might be coalesced and only one of the activating triggers will be
+ reported. This is hence more suited for debugging or tracing rather
+ than for behaviour decisions.
+
+ * The riscv_flush_icache(2) system call has been added to the list of
+ system calls allowed by default when SystemCallFilter= is used.
+
+ * The selinux context derived from the target executable, instead of
+ 'init_t' used for the manager itself, is now used when creating
+ listening sockets for units that specify SELinuxContextFromNet=yes.
+
+ Changes in sd-boot, bootctl, and the Boot Loader Specification:
+
+ * The Boot Loader Specification has been cleaned up and clarified.
+ Various corner cases in version string comparisons have been fixed
+ (e.g. comparisons for empty strings). Boot counting is now part of
+ the main specification.
+
+ * New PCRs measurements are performed during boot: PCR 11 for the the
+ kernel+initrd combo, PCR 13 for any sysext images. If a measurement
+ took place this is now reported to userspace via the new
+ StubPcrKernelImage and StubPcrInitRDSysExts EFI variables.
+
+ * As before, systemd-stub will measure kernel parameters and system
+ credentials into PCR 12. It will now report this fact via the
+ StubPcrKernelParameters EFI variable to userspace.
+
+ * The UEFI monotonic boot counter is now included in the updated random
+ seed file maintained by sd-boot, providing some additional entropy.
+
+ * sd-stub will use LoadImage/StartImage to execute the kernel, instead
+ of arranging the image manually and jumping to the kernel entry
+ point. sd-stub also installs a temporary UEFI SecurityOverride to
+ allow the (unsigned) nested image to be booted. This is safe because
+ the outer (signed) stub+kernel binary must have been verified before
+ the stub was executed.
+
+ * Booting in EFI mixed mode (a 64-bit kernel over 32-bit UEFI firmware)
+ is now supported by sd-boot.
+
+ * bootctl gained a bunch of new options: --all-architectures to install
+ binaries for all supported EFI architectures, --root= and --image=
+ options to operate on a directory or disk image, and
+ --install-source= to specify the source for binaries to install,
+ --efi-boot-option-description= to control the name of the boot entry.
+
+ * The sd-boot stub exports a StubFeatures flag, which is used by
+ bootctl to show features supported by the stub that was used to boot.
+
+ * The PE section offsets that are used by tools that assemble unified
+ kernel images have historically been hard-coded. This may lead to
+ overlapping PE sections which may break on boot. The UKI will now try
+ to detect and warn about this.
+
+ Any tools that assemble UKIs must update to calculate these offsets
+ dynamically. Future sd-stub versions may use offsets that will not
+ work with the currently used set of hard-coded offsets!
+
+ * sd-stub now accepts (and passes to the initrd and then to the full
+ OS) new PE sections '.pcrsig' and '.pcrkey' that can be used to embed
+ signatures of expected PCR values, to allow sealing secrets via the
+ TPM2 against pre-calculated PCR measurements.
+
+ Changes in the hardware database:
+
+ * 'systemd-hwdb query' now supports the --root= option.
+
+ Changes in systemctl:
+
+ * systemctl now supports --state= and --type= options for the 'show'
+ and 'status' verbs.
+
+ * systemctl gained a new verb 'list-automounts' to list automount
+ points.
+
+ * systemctl gained support for a new --image= switch to be able to
+ operate on the specified disk image (similar to the existing --root=
+ which operates relative to some directory).
+
+ Changes in systemd-networkd:
+
+ * networkd can set Linux NetLabel labels for integration with the
+ network control in security modules via a new NetLabel= option.
+
+ * The RapidCommit= is (re-)introduced to enable faster configuration
+ via DHCPv6 (RFC 3315).
+
+ * networkd gained a new option TCPCongestionControlAlgorithm= that
+ allows setting a per-route TCP algorithm.
+
+ * networkd gained a new option KeepFileDescriptor= to allow keeping a
+ reference (file descriptor) open on TUN/TAP interfaces, which is
+ useful to avoid link flaps while the underlying service providing the
+ interface is being serviced.
+
+ * RouteTable= now also accepts route table names.
+
+ Changes in systemd-nspawn:
+
+ * The --bind= and --overlay= options now support relative paths.
+
+ * The --bind= option now supports a 'rootidmap' value, which will
+ use id-mapped mounts to map the root user inside the container to the
+ owner of the mounted directory on the host.
+
+ Changes in systemd-resolved:
+
+ * systemd-resolved now persists DNSOverTLS in its state file too. This
+ fixes a problem when used in combination with NetworkManager, which
+ sends the setting only once, causing it to be lost if resolved was
+ restarted at any point.
+
+ * systemd-resolved now exposes a varlink socket at
+ /run/systemd/resolve/io.systemd.Resolve.Monitor, accessible only for
+ root. Processed DNS requests in a JSON format will be published to
+ any clients connected to this socket.
+
+ resolvectl gained a 'monitor' verb to make use of this.
+
+ * systemd-resolved now treats unsupported DNSSEC algorithms as INSECURE
+ instead of returning SERVFAIL, as per RFC:
+ https://datatracker.ietf.org/doc/html/rfc6840#section-5.2
+
+ * OpenSSL is the default crypto backend for systemd-resolved. (gnutls
+ is still supported.)
+
+ Changes in libsystemd and other libraries:
+
+ * libsystemd now exports sd_bus_error_setfv() (a convenience function
+ for setting bus errors), sd_id128_string_equal (a convenience
+ function for 128bit ID string comparisons), and
+ sd_bus_message_read_strv_extend() (a function to incrementally read
+ string arrays).
+
+ * libsystemd now exports sd_device_get_child_first()/_next() as a
+ high-level interface for enumerating child devices. It also supports
+ sd_device_new_child() for opening a child device given a device
+ object.
+
+ * libsystemd now exports sd_device_monitor_set()/get_description()
+ which allow setting a custom description that will be used in log
+ messages by sd_device_monitor*.
+
+ * Private shared libraries (libsystemd-shared-nnn.so,
+ libsystemd-core-nnn.so) are now installed into arch-specific
+ directories to allow multi-arch installs.
+
+ * A new sd-gpt.h header is now published, listing GUIDs from the
+ Discoverable Partitions specification. For more details see:
+ https://systemd.io/DISCOVERABLE_PARTITIONS/
+
+ * A new function sd_hwdb_new_from_path() has been added to open a hwdb
+ database given an explicit path to the file.
+
+ * The signal number argument to sd_event_add_signal() now can now be
+ ORed with the SD_EVENT_SIGNAL_PROCMASK flag, causing sigprocmask() to
+ be automatically invoked to block the specified signal. This is
+ useful to simplify invocations as the caller doesn't have to do this
+ manually.
+
+ * A new convenience call sd_event_set_signal_exit() has been added to
+ sd-event to set up signal handling so that the event loop
+ automatically terminates cleanly on SIGTERM/SIGINT.
+
+ Changes in other components:
+
+ * systemd-sysusers, systemd-tmpfiles, and systemd-sysctl configuration
+ can now be provided via the credential mechanism.
+
+ * systemd-analyze gained a new verb 'compare-versions' that implements
+ comparisons for versions strings (similarly to 'rpmdev-vercmp' and
+ 'dpkg --compare-versions').
+
+ * 'systemd-analyze dump' is extended to accept glob patterns for unit
+ names to limit the output to matching units.
+
+ * tmpfiles.d/ lines can read file contents to write from a credential.
+ The new modifier char '^' is used to specify that the argument is a
+ credential name. This mechanism is used to automatically populate
+ /etc/motd, /etc/issue, and /etc/hosts from credentials.
+
+ * tmpfiles.d/ may now be configured to avoid changing uid/gid/mode of
+ an inode if the specification is prefixed with ':' and the inode
+ already exists.
+
+ * Default tmpfiles.d/ configuration now carries a line to automatically
+ use an 'ssh.authorized_keys.root' credential if provided to set up
+ the SSH authorized_keys file for the root user.
+
+ * systemd-tmpfiles will now gracefully handle absent source of "C" copy
+ lines.
+
+ * tmpfiles.d/ F/w lines now optionally permit encoding of the payload
+ in base64. This is useful to write arbitrary binary data into files.
+
+ * The pkgconfig and rpm macros files now export the directory for user
+ units as 'user_tmpfiles_dir' and '%_user_tmpfilesdir'.
+
+ * Detection of Apple Virtualization and detection of Parallels and
+ KubeVirt virtualization on non-x86 archs have been added.
+
+ * os-release gained a new field SUPPORT_END=YYYY-MM-DD to inform the
+ user when their system will become unsupported.
+
+ * When performing suspend-then-hibernate, the system will estimate the
+ discharge rate and use that to set the delay until hibernation and
+ hibernate immediately instead of suspending when running from a
+ battery and the capacity is below 5%.
+
+ * systemd-sysctl gained a --strict option to fail when a sysctl
+ setting is unknown to the kernel.
+
+ * machinectl supports --force for the 'copy-to' and 'copy-from'
+ verbs.
+
+ * coredumpctl gained the --root and --image options to look for journal
+ files under the specified root directory, image, or block device.
+
+ * 'journalctl -o' and similar commands now implement a new output mode
+ "short-delta". It is similar to "short-monotonic", but also shows the
+ time delta between subsequent messages.
+
+ * journalctl now respects the --quiet flag when verifying consistency
+ of journal files.
+
+ * Journal log messages gained a new implicit field _RUNTIME_SCOPE= that
+ will indicate whether a message was logged in the 'initrd' phase or
+ in the 'system' phase of the boot process.
+
+ * Journal files gained a new compatibility flag
+ 'HEADER_INCOMPATIBLE_COMPACT'. Files with this flag implement changes
+ to the storage format that allow reducing size on disk. As with other
+ compatibility flags, older journalctl versions will not be able to
+ read journal files using this new format. The environment variable
+ 'SYSTEMD_JOURNAL_COMPACT=0' can be passed to systemd-journald to
+ disable this functionality. It is enabled by default.
+
+ * systemd-run's --working-directory= switch now works when used in
+ combination with --scope.
+
+ * portablectl gained a --force flag to skip certain sanity checks. This
+ is implemented using new flags accepted by systemd-portabled for the
+ *WithExtensions() D-Bus methods: SD_SYSTEMD_PORTABLE_FORCE_ATTACH
+ flag now means that the attach/detach checks whether the units are
+ already present and running will be skipped. Similarly,
+ SD_SYSTEMD_PORTABLE_FORCE_SYSEXT flag means that the check whether
+ image name matches the name declared inside of the image will be
+ skipped. Callers must be sure to do those checks themselves if
+ appropriate.
+
+ * systemd-portabled will now use the original filename to check
+ extension-release.NAME for correctness, in case it is passed a
+ symlink.
+
+ * systemd-portabled now uses PrivateTmp=yes in the 'trusted' profile
+ too.
+
+ * sysext's extension-release files now support '_any' as a special
+ value for the ID= field, to allow distribution-independent extensions
+ (e.g.: fully statically compiled binaries, scripts). It also gained
+ support for a new ARCHITECTURE= field that may be used to explicitly
+ restrict an image to hosts of a specific architecture.
+
+ * systemd-repart now supports creating squashfs partitions. This
+ requires mksquashfs from squashfs-tools.
+
+ * systemd-repart gained a --split flag to also generate split
+ artifacts, i.e. a separate file for each partition. This is useful in
+ conjunction with systemd-sysupdate or other tools, or to generate
+ split dm-verity artifacts.
+
+ * systemd-repart is now able to generate dm-verity partitions, including
+ signatures.
+
+ * systemd-repart can now set a partition UUID to zero, allowing it to
+ be filled in later, such as when using verity partitions.
+
+ * systemd-repart now supports drop-ins for its configuration files.
+
+ * Package metadata logged by systemd-coredump in the system journal is
+ now more compact.
+
+ * xdg-autostart-service now expands 'tilde' characters in Exec lines.
+
+ * systemd-oomd now automatically links against libatomic, if available.
+
+ * systemd-oomd now sends out a 'Killed' D-Bus signal when a cgroup is
+ killed.
+
+ * scope units now also provide oom-kill status.
+
+ * systemd-pstore will now try to load only the efi_pstore kernel module
+ before running, ensuring that pstore can be used.
+
+ * systemd-logind gained a new StopIdleSessionSec= option to stop an idle
+ session after a preconfigure timeout.
+
+ * systemd-homed will now wait up to 30 seconds for workers to terminate,
+ rather than indefinitely.
+
+ * homectl gained a new '--luks-sector-size=' flag that allows users to
+ select the preferred LUKS sector size. Must be a power of 2 between 512
+ and 4096. systemd-userdbd records gained a corresponding field.
+
+ * systemd-sysusers will now respect the 'SOURCE_DATE_EPOCH' environment
+ variable when generating the 'sp_lstchg' field, to ensure an image
+ build can be reproducible.
+
+ * 'udevadm wait' will now listen to kernel uevents too when called with
+ --initialized=no.
+
+ * When naming network devices udev will now consult the Devicetree
+ "alias" fields for the device.
+
+ * systemd-udev will now create infiniband/by-path and
+ infiniband/by-ibdev links for Infiniband verbs devices.
+
+ * systemd-udev-trigger.service will now also prioritize input devices.
+
+ * ConditionACPower= and systemd-ac-power will now assume the system is
+ running on AC power if no battery can be found.
+
+ * All features and tools using the TPM2 will now communicate with it
+ using a bind key. Beforehand, the tpm2 support used encrypted sessions
+ by creating a primary key that was used to encrypt traffic. This
+ creates a problem as the key created for encrypting the traffic could
+ be faked by an active interposer on the bus. In cases when a pin is
+ used, a bind key will be used. The pin is used as the auth value for
+ the seal key, aka the disk encryption key, and that auth value will be
+ used in the session establishment. An attacker would need the pin
+ value to create the secure session and thus an active interposer
+ without the pin cannot interpose on TPM2 traffic.
+
+ * systemd-growfs no longer requires udev to run.
+
+ * systemd-backlight now will better support systems with multiple
+ graphic cards.
+
+ * systemd-cryptsetup's keyfile-timeout= option now also works when a
+ device is used as a keyfile.
+
+ * systemd-cryptenroll gained a new --unlock-key-file= option to get the
+ unlocking key from a key file (instead of prompting the user). Note
+ that this is the key for unlocking the volume in order to be able to
+ enroll a new key, but it is not the key that is enrolled.
+
+ * systemd-dissect gained a new --umount switch that will safely and
+ synchronously unmount all partitions of an image previously mounted
+ with 'systemd-dissect --mount'.
+
+ * When using gcrypt, all systemd tools and services will now configure
+ it to prefer the OS random number generator if present.
+
+ * All example code shipped with documentation has been relicensed from CC0
+ to MIT-0.
+
+ * Unit tests will no longer fail when running on a system without
+ /etc/machine-id.
+
+ Experimental features:
+
+ * BPF programs can now be compiled with bpf-gcc (requires libbpf >= 1.0
+ and bpftool >= 7.0).
+
+ * sd-boot can automatically enroll SecureBoot keys from files found on
+ the ESP. This enrollment can be either automatic ('force' mode) or
+ controlled by the user ('manual' mode). It is sufficient to place the
+ SecureBoot keys in the right place in the ESP and they will be picked
+ up by sd-boot and shown in the boot menu.
+
+ * The mkosi config in systemd gained support for automatically
+ compiling a kernel with the configuration appropriate for testing
+ systemd. This may be useful when developing or testing systemd in
+ tandem with the kernel.
+
+ Contributions from: 김인수, Adam Williamson, adrian5, Aidan Dang,
+ Akihiko Odaki, Alban Bedel, Albert Mikaelyan, Aleksey Vasenev,
+ Alexander Graf, Alexander Shopov, Alexander Wilson,
+ Alper Nebi Yasak, anarcat, Anders Jonsson, Andre Kalb,
+ Andrew Stone, Andrey Albershteyn, Anita Zhang, Ansgar Burchardt,
+ Antonio Alvarez Feijoo, Arnaud Ferraris, Aryan singh, asavah,
+ Avamander, Avram Lubkin, Balázs Meskó, Bastien Nocera,
+ Benjamin Franzke, BerndAdameit, bin456789, Celeste Liu,
+ Chih-Hsuan Yen, Christian Brauner, Christian Göttsche,
+ Christian Hesse, Clyde Byrd III, codefiles, Colin Walters,
+ Cristian Rodríguez, Daan De Meyer, Daniel Braunwarth,
+ Daniel Rusek, Dan Streetman, Darsey Litzenberger, David Edmundson,
+ David Jaša, David Rheinsberg, David Seifert, David Tardon,
+ dependabot[bot], Devendra Tewari, Dominique Martinet, drosdeck,
+ Edson Juliano Drosdeck, Eduard Tolosa, eggfly, Einsler Lee,
+ Elias Probst, Eli Schwartz, Evgeny Vereshchagin, exploide, Fei Li,
+ Foster Snowhill, Franck Bui, Frank Dana, Frantisek Sumsal,
+ Gerd Hoffmann, Gio, Goffredo Baroncelli, gtwang01,
+ Guillaume W. Bres, H A, Hans de Goede, Heinrich Schuchardt,
+ Hugo Carvalho, i-do-cpp, igo95862, j00512545, Jacek Migacz,
+ Jade Bilkey, James Hilliard, Jan B, Janis Goldschmidt,
+ Jan Janssen, Jan Kuparinen, Jan Luebbe, Jan Macku,
+ Jason A. Donenfeld, Javkhlanbayar Khongorzul, Jeremy Soller,
+ JeroenHD, jiangchuangang, João Loureiro,
+ Joaquín Ignacio Aramendía, Jochen Sprickerhof,
+ Johannes Schauer Marin Rodrigues, Jonas Kümmerlin,
+ Jonas Witschel, Jonathan Kang, Jonathan Lebon, Joost Heitbrink,
+ Jörg Thalheim, josh-gordon-fb, Joyce, Kai Lueke, lastkrick,
+ Lennart Poettering, Leon M. George, licunlong, Li kunyu,
+ LockBlock-dev, Loïc Collignon, Lubomir Rintel, Luca Boccassi,
+ Luca BRUNO, Ludwig Nussel, Łukasz Stelmach, Maccraft123,
+ Marc Kleine-Budde, Marius Vollmer, Martin Wilck, matoro,
+ Matthias Lisin, Max Gautier, Maxim Mikityanskiy, Michael Biebl,
+ Michal Koutný, Michal Sekletár, Michal Stanke, Mike Gilbert,
+ Mitchell Freiderich, msizanoen1, Nick Rosbrook, nl6720, Oğuz Ersen,
+ Oleg Solovyov, Olga Smirnova, Pablo Ceballos, Pavel Zhukov,
+ Phaedrus Leeds, Philipp Gortan, Piotr Drąg, Pyfisch,
+ Quentin Deslandes, Rahil Bhimjiani, Rene Hollander, Richard Huang,
+ Richard Phibel, Rudi Heitbaum, Sam James, Sarah Brofeldt,
+ Sean Anderson, Sebastian Scheibner, Shreenidhi Shedi,
+ Sonali Srivastava, Steve Ramage, Suraj Krishnan, Swapnil Devesh,
+ Takashi Sakamoto, Ted X. Toth, Temuri Doghonadze, Thomas Blume,
+ Thomas Haller, Thomas Hebb, Tomáš Hnyk, Tomasz Paweł Gajc,
+ Topi Miettinen, Ulrich Ölmann, undef, Uriel Corfa,
+ Victor Westerhuis, Vincent Dagonneau, Vishal Chillara Srinivas,
+ Vito Caputo, Weblate, Wenchao Hao, William Roberts, williamsumendap,
+ wineway, xiaoyang, Yuri Chornoivan, Yu Watanabe,
+ Zbigniew Jędrzejewski-Szmek, Zhaofeng Li, наб
+
+ – The Great Beyond, 2022-10-31 👻
+
+CHANGES WITH 251:
+
+ Backwards-incompatible changes:
+
+ * The minimum kernel version required has been bumped from 3.13 to 4.15,
+ and CLOCK_BOOTTIME is now assumed to always exist.
+
+ * C11 with GNU extensions (aka "gnu11") is now used to build our
+ components. Public API headers are still restricted to ISO C89.
+
+ * In v250, a systemd-networkd feature that automatically configures
+ routes to addresses specified in AllowedIPs= was added and enabled by
+ default. However, this causes network connectivity issues in many
+ existing setups. Hence, it has been disabled by default since
+ systemd-stable 250.3. The feature can still be used by explicitly
+ configuring RouteTable= setting in .netdev files.
+
+ * Jobs started via StartUnitWithFlags() will no longer return 'skipped'
+ when a Condition*= check does not succeed, restoring the JobRemoved
+ signal to the behaviour it had before v250.
+
+ * The org.freedesktop.portable1 methods GetMetadataWithExtensions() and
+ GetImageMetadataWithExtensions() have been fixed to provide an extra
+ return parameter, containing the actual extension release metadata.
+ The current implementation was judged to be broken and unusable, and
+ thus the usual procedure of adding a new set of methods was skipped,
+ and backward compatibility broken instead on the assumption that
+ nobody can be affected given the current state of this interface.
+
+ * All kernels supported by systemd mix bytes returned by RDRAND (or
+ similar) into the entropy pool at early boot. This means that on
+ those systems, even if /dev/urandom is not yet initialized, it still
+ returns bytes that are of at least RDRAND quality. For that reason,
+ we no longer have reason to invoke RDRAND from systemd itself, which
+ has historically been a source of bugs. Furthermore, kernels ≥5.6
+ provide the getrandom(GRND_INSECURE) interface for returning random
+ bytes before the entropy pool is initialized without warning into
+ kmsg, which is what we attempt to use if available. systemd's direct
+ usage of RDRAND has been removed. x86 systems ≥Broadwell that are
+ running an older kernel may experience kmsg warnings that were not
+ seen with 250. For newer kernels, non-x86 systems, or older x86
+ systems, there should be no visible changes.
+
+ * sd-boot will now measure the kernel command line into TPM PCR 12
+ rather than PCR 8. This improves usefulness of the measurements on
+ systems where sd-boot is chainloaded from Grub. Grub measures all
+ commands its executes into PCR 8, which makes it very hard to use
+ reasonably, hence separate ourselves from that and use PCR 12
+ instead, which is what certain Ubuntu editions already do. To retain
+ compatibility with systems running older systemd systems a new meson
+ option 'efi-tpm-pcr-compat' has been added (which defaults to false).
+ If enabled, the measurement is done twice: into the new-style PCR 12
+ *and* the old-style PCR 8. It's strongly advised to migrate all users
+ to PCR 12 for this purpose in the long run, as we intend to remove
+ this compatibility feature in two years' time.
+
+ * busctl capture now writes output in the newer pcapng format instead
+ of pcap.
+
+ * A udev rule that imported hwdb matches for USB devices with lowercase
+ hexadecimal vendor/product ID digits was added in systemd 250. This
+ has been reverted, since uppercase hexadecimal digits are supposed to
+ be used, and we already had a rule with the appropriate match.
+
+ Users might need to adjust their local hwdb entries.
+
+ * arch_prctl(2) has been moved to the @default set in the syscall filters
+ (as exposed via the SystemCallFilter= setting in service unit files).
+ It is apparently used by the linker now.
+
+ * The tmpfiles entries that create the /run/systemd/netif directory and
+ its subdirectories were moved from tmpfiles.d/systemd.conf to
+ tmpfiles.d/systemd-network.conf.
+
+ Users might need to adjust their files that override tmpfiles.d/systemd.conf
+ to account for this change.
+
+ * The requirement for Portable Services images to contain a well-formed
+ os-release file (i.e.: contain at least an ID field) is now enforced.
+ This applies to base images and extensions, and also to systemd-sysext.
+
+ Changes in the Boot Loader Specification, kernel-install and sd-boot:
+
+ * kernel-install's and bootctl's Boot Loader Specification Type #1
+ entry generation logic has been reworked. The user may now pick
+ explicitly by which "token" string to name the installation's boot
+ entries, via the new /etc/kernel/entry-token file or the new
+ --entry-token= switch to bootctl. By default — as before — the
+ entries are named after the local machine ID. However, in "golden
+ image" environments, where the machine ID shall be initialized on
+ first boot (as opposed to at installation time before first boot) the
+ machine ID will not be available at build time. In this case the
+ --entry-token= switch to bootctl (or the /etc/kernel/entry-token
+ file) may be used to override the "token" for the entries, for
+ example the IMAGE_ID= or ID= fields from /etc/os-release. This will
+ make the OS images independent of any machine ID, and ensure that the
+ images will not carry any identifiable information before first boot,
+ but on the other hand means that multiple parallel installations of
+ the very same image on the same disk cannot be supported.
+
+ Summary: if you are building golden images that shall acquire
+ identity information exclusively on first boot, make sure to both
+ remove /etc/machine-id *and* to write /etc/kernel/entry-token to the
+ value of the IMAGE_ID= or ID= field of /etc/os-release or another
+ suitable identifier before deploying the image.
+
+ * The Boot Loader Specification has been extended with
+ /loader/entries.srel file located in the EFI System Partition (ESP)
+ that disambiguates the format of the entries in the /loader/entries/
+ directory (in order to discern them from incompatible uses of this
+ directory by other projects). For entries that follow the
+ Specification, the string "type1" is stored in this file.
+
+ bootctl will now write this file automatically when installing the
+ systemd-boot boot loader.
+
+ * kernel-install supports a new initrd_generator= setting in
+ /etc/kernel/install.conf, that is exported as
+ $KERNEL_INSTALL_INITRD_GENERATOR to kernel-install plugins. This
+ allows choosing different initrd generators.
+
+ * kernel-install will now create a "staging area" (an initially-empty
+ directory to gather files for a Boot Loader Specification Type #1
+ entry). The path to this directory is exported as
+ $KERNEL_INSTALL_STAGING_AREA to kernel-install plugins, which should
+ drop files there instead of writing them directly to the final
+ location. kernel-install will move them when all files have been
+ prepared successfully.
+
+ * New option sort-key= has been added to the Boot Loader Specification
+ to override the sorting order of the entries in the boot menu. It is
+ read by sd-boot and bootctl, and will be written by kernel-install,
+ with the default value of IMAGE_ID= or ID= fields from
+ os-release. Together, this means that on multiboot installations,
+ entries should be grouped and sorted in a predictable way.
+
+ * The sort order of boot entries has been updated: entries which have
+ the new field sort-key= are sorted by it first, and all entries
+ without it are ordered later. After that, entries are sorted by
+ version so that newest entries are towards the beginning of the list.
+
+ * The kernel-install tool gained a new 'inspect' verb which shows the
+ paths and other settings used.
+
+ * sd-boot can now optionally beep when the menu is shown and menu
+ entries are selected, which can be useful on machines without a
+ working display. (Controllable via a loader.conf setting.)
+
+ * The --make-machine-id-directory= switch to bootctl has been replaced
+ by --make-entry-directory=, given that the entry directory is not
+ necessarily named after the machine ID, but after some other suitable
+ ID as selected via --entry-token= described above. The old name of
+ the option is still understood to maximize compatibility.
+
+ * 'bootctl list' gained support for a new --json= switch to output boot
+ menu entries in JSON format.
+
+ * 'bootctl is-installed' now supports the --graceful, and various verbs
+ omit output with the new option --quiet.
+
+ Changes in systemd-homed:
+
+ * Starting with v250 systemd-homed uses UID/GID mapping on the mounts
+ of activated home directories it manages (if the kernel and selected
+ file systems support it). So far it mapped three UID ranges: the
+ range from 0…60000, the user's own UID, and the range 60514…65534,
+ leaving everything else unmapped (in other words, the 16bit UID range
+ is mapped almost fully, with the exception of the UID subrange used
+ for systemd-homed users, with one exception: the user's own UID).
+ Unmapped UIDs may not be used for file ownership in the home
+ directory — any chown() attempts with them will fail. With this
+ release a fourth range is added to these mappings:
+ 524288…1879048191. This range is the UID range intended for container
+ uses, see:
+
+ https://systemd.io/UIDS-GIDS
+
+ This range may be used for container managers that place container OS
+ trees in the home directory (which is a questionable approach, for
+ quota, permission, SUID handling and network file system
+ compatibility reasons, but nonetheless apparently commonplace). Note
+ that this mapping is mapped 1:1 in a pass-through fashion, i.e. the
+ UID assignments from the range are not managed or mapped by
+ `systemd-homed`, and must be managed with other mechanisms, in the
+ context of the local system.
+
+ Typically, a better approach to user namespacing in relevant
+ container managers would be to leave container OS trees on disk at
+ UID offset 0, but then map them to a dynamically allocated runtime
+ UID range via another UID mount map at container invocation
+ time. That way user namespace UID ranges become strictly a runtime
+ concept, and do not leak into persistent file systems, persistent
+ user databases or persistent configuration, thus greatly simplifying
+ handling, and improving compatibility with home directories intended
+ to be portable like the ones managed by systemd-homed.
+
+ Changes in shared libraries:
+
+ * A new libsystemd-core-<version>.so private shared library is
+ installed under /usr/lib/systemd/system, mirroring the existing
+ libsystemd-shared-<version>.so library. This allows the total
+ installation size to be reduced by binary code reuse.
+
+ * The <version> tag used in the name of libsystemd-shared.so and
+ libsystemd-core.so can be configured via the meson option
+ 'shared-lib-tag'. Distributions may build subsequent versions of the
+ systemd package with unique tags (e.g. the full package version),
+ thus allowing multiple installations of those shared libraries to be
+ available at the same time. This is intended to fix an issue where
+ programs that link to those libraries would fail to execute because
+ they were installed earlier or later than the appropriate version of
+ the library.
+
+ * The sd-id128 API gained a new call sd_id128_to_uuid_string() that is
+ similar to sd_id128_to_string() but formats the ID in RFC 4122 UUID
+ format instead of as a simple series of hex characters.
+
+ * The sd-device API gained two new calls sd_device_new_from_devname()
+ and sd_device_new_from_path() which permit allocating an sd_device
+ object from a device node name or file system path.
+
+ * sd-device also gained a new call sd_device_open() which will open the
+ device node associated with a device for which an sd_device object
+ has been allocated. The call is supposed to address races around
+ device nodes being removed/recycled due to hotplug events, or media
+ change events: the call checks internally whether the major/minor of
+ the device node and the "diskseq" (in case of block devices) match
+ with the metadata loaded in the sd_device object, thus ensuring that
+ the device once opened really matches the provided sd_device object.
+
+ Changes in PID1, systemctl, and systemd-oomd:
+
+ * A new set of service monitor environment variables will be passed to
+ OnFailure=/OnSuccess= handlers, but only if exactly one unit lists the
+ handler unit as OnFailure=/OnSuccess=. The variables are:
+ $MONITOR_SERVICE_RESULT, $MONITOR_EXIT_CODE, $MONITOR_EXIT_STATUS,
+ $MONITOR_INVOCATION_ID and $MONITOR_UNIT. For cases when a single
+ handler needs to watch multiple units, use a templated handler.
+
+ * A new ExtensionDirectories= setting in service unit files allows
+ system extensions to be loaded from a directory. (It is similar to
+ ExtensionImages=, but takes paths to directories, instead of
+ disk image files.)
+
+ 'portablectl attach --extension=' now also accepts directory paths.
+
+ * The user.delegate and user.invocation_id extended attributes on
+ cgroups are used in addition to trusted.delegate and
+ trusted.invocation_id. The latter pair requires privileges to set,
+ but the former doesn't and can be also set by the unprivileged user
+ manager.
+
+ (Only supported on kernels ≥5.6.)
+
+ * Units that were killed by systemd-oomd will now have a service result
+ of 'oom-kill'. The number of times a service was killed is tallied
+ in the 'user.oomd_ooms' extended attribute.
+
+ The OOMPolicy= unit file setting is now also honoured by
+ systemd-oomd.
+
+ * In unit files the new %y/%Y specifiers can be used to refer to
+ normalized unit file path, which is particularly useful for symlinked
+ unit files.
+
+ The new %q specifier resolves to the pretty hostname
+ (i.e. PRETTY_HOSTNAME= from /etc/machine-info).
+
+ The new %d specifier resolves to the credentials directory of a
+ service (same as $CREDENTIALS_DIRECTORY).
+
+ * The RootDirectory=, MountAPIVFS=, ExtensionDirectories=,
+ *Capabilities*=, ProtectHome=, *Directory=, TemporaryFileSystem=,
+ PrivateTmp=, PrivateDevices=, PrivateNetwork=, NetworkNamespacePath=,
+ PrivateIPC=, IPCNamespacePath=, PrivateUsers=, ProtectClock=,
+ ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=,
+ MountFlags= service settings now also work in unprivileged user
+ services, i.e. those run by the user's --user service manager, as long
+ as user namespaces are enabled on the system.
+
+ * Services with Restart=always and a failing ExecCondition= will no
+ longer be restarted, to bring ExecCondition= behaviour in line with
+ Condition*= settings.
+
+ * LoadCredential= now accepts a directory as the argument; all files
+ from the directory will be loaded as credentials.
+
+ * A new D-Bus property ControlGroupId is now exposed on service units,
+ that encapsulates the service's numeric cgroup ID that newer kernels
+ assign to each cgroup.
+
+ * PID 1 gained support for configuring the "pre-timeout" of watchdog
+ devices and the associated governor, via the new
+ RuntimeWatchdogPreSec= and RuntimeWatchdogPreGovernor= configuration
+ options in /etc/systemd/system.conf.
+
+ * systemctl's --timestamp= option gained a new choice "unix", to show
+ timestamp as unix times, i.e. seconds since 1970, Jan 1st.
+
+ * A new "taint" flag named "old-kernel" is introduced which is set when
+ the kernel systemd runs on is older then the current baseline version
+ (see above). The flag is shown in "systemctl status" output.
+
+ * Two additional taint flags "short-uid-range" and "short-gid-range"
+ have been added as well, which are set when systemd notices it is run
+ within a userns namespace that does not define the full 0…65535 UID
+ range
+
+ * A new "unmerged-usr" taint flag has been added that is set whenever
+ running on systems where /bin/ + /sbin/ are *not* symlinks to their
+ counterparts in /usr/, i.e. on systems where the /usr/-merge has not
+ been completed.
+
+ * Generators invoked by PID 1 will now have a couple of useful
+ environment variables set describing the execution context a
+ bit. $SYSTEMD_SCOPE encodes whether the generator is called from the
+ system service manager, or from the per-user service
+ manager. $SYSTEMD_IN_INITRD encodes whether the generator is invoked
+ in initrd context or on the host. $SYSTEMD_FIRST_BOOT encodes whether
+ systemd considers the current boot to be a "first"
+ boot. $SYSTEMD_VIRTUALIZATION encode whether virtualization is
+ detected and which type of hypervisor/container
+ manager. $SYSTEMD_ARCHITECTURE indicates which architecture the
+ kernel is built for.
+
+ * PID 1 will now automatically pick up system credentials from qemu's
+ fw_cfg interface, thus allowing passing arbitrary data into VM
+ systems similar to how this is already supported for passing them
+ into `systemd-nspawn` containers. Credentials may now also be passed
+ in via the new kernel command line option `systemd.set_credential=`
+ (note that kernel command line options are world-readable during
+ runtime, and only useful for credentials that require no
+ confidentiality). The credentials that can be passed to unified
+ kernels that use the `systemd-stub` UEFI stub are now similarly
+ picked up automatically. Automatic importing of system credentials
+ this way can be turned off via the new
+ `systemd.import_credentials=no` kernel command line option.
+
+ * LoadCredential= will now automatically look for credentials in the
+ /etc/credstore/, /run/credstore/, /usr/lib/credstore/ directories if
+ the argument is not an absolute path. Similarly,
+ LoadCredentialEncrypted= will check the same directories plus
+ /etc/credstore.encrypted/, /run/credstore.encrypted/ and
+ /usr/lib/credstore.encrypted/. The idea is to use those directories
+ as the system-wide location for credentials that services should pick
+ up automatically.
+
+ * System and service credentials are described in great detail in a new
+ document:
+
+ https://systemd.io/CREDENTIALS
+
+ Changes in systemd-journald:
+
+ * The journal JSON export format has been added to listed of stable
+ interfaces (https://systemd.io/PORTABILITY_AND_STABILITY/).
+
+ * journalctl --list-boots now supports JSON output and the --reverse option.
+
+ * Under docs/: JOURNAL_EXPORT_FORMATS was imported from the wiki and
+ updated, BUILDING_IMAGES is new:
+
+ https://systemd.io/JOURNAL_EXPORT_FORMATS
+ https://systemd.io/BUILDING_IMAGES
+
+ Changes in udev:
+
+ * Two new hwdb files have been added. One lists "handhelds" (PDAs,
+ calculators, etc.), the other AV production devices (DJ tables,
+ keypads, etc.) that should accessible to the seat owner user by
+ default.
+
+ * udevadm trigger gained a new --prioritized-subsystem= option to
+ process certain subsystems (and all their parent devices) earlier.
+
+ systemd-udev-trigger.service now uses this new option to trigger
+ block and TPM devices first, hopefully making the boot a bit faster.
+
+ * udevadm trigger now implements --type=all, --initialized-match,
+ --initialized-nomatch to trigger both subsystems and devices, only
+ already-initialized devices, and only devices which haven't been
+ initialized yet, respectively.
+
+ * udevadm gained a new "wait" command for safely waiting for a specific
+ device to show up in the udev device database. This is useful in
+ scripts that asynchronously allocate a block device (e.g. through
+ repartitioning, or allocating a loopback device or similar) and need
+ to synchronize on the creation to complete.
+
+ * udevadm gained a new "lock" command for locking one or more block
+ devices while formatting it or writing a partition table to it. It is
+ an implementation of https://systemd.io/BLOCK_DEVICE_LOCKING and
+ usable in scripts dealing with block devices.
+
+ * udevadm info will show a couple of additional device fields in its
+ output, and will not apply a limited set of coloring to line types.
+
+ * udevadm info --tree will now show a tree of objects (i.e. devices and
+ suchlike) in the /sys/ hierarchy.
+
+ * Block devices will now get a new set of device symlinks in
+ /dev/disk/by-diskseq/<nr>, which may be used to reference block
+ device nodes via the kernel's "diskseq" value. Note that this does
+ not guarantee that opening a device by a symlink like this will
+ guarantee that the opened device actually matches the specified
+ diskseq value. To be safe against races, the actual diskseq value of
+ the opened device (BLKGETDISKSEQ ioctl()) must still be compred with
+ the one in the symlink path.
+
+ * .link files gained support for setting MDI/MID-X on a link.
+
+ * .link files gained support for [Match] Firmware= setting to match on
+ the device firmware description string. By mistake, it was previously
+ only supported in .network files.
+
+ * .link files gained support for [Link] SR-IOVVirtualFunctions= setting
+ and [SR-IOV] section to configure SR-IOV virtual functions.
+
+ Changes in systemd-networkd:
+
+ * The default scope for unicast routes configured through [Route]
+ section is changed to "link", to make the behavior consistent with
+ "ip route" command. The manual configuration of [Route] Scope= is
+ still honored.
+
+ * A new unit systemd-networkd-wait-online@<interface>.service has been
+ added that can be used to wait for a specific network interface to be
+ up.
+
+ * systemd-networkd gained a new [Bridge] Isolated=true|false setting
+ that configures the eponymous kernel attribute on the bridge.
+
+ * .netdev files now can be used to create virtual WLAN devices, and
+ configure various settings on them, via the [WLAN] section.
+
+ * .link/.network files gained support for [Match] Kind= setting to match
+ on device kind ("bond", "bridge", "gre", "tun", "veth", etc.)
+
+ This value is also shown by 'networkctl status'.
+
+ * The Local= setting in .netdev files for various virtual network
+ devices gained support for specifying, in addition to the network
+ address, the name of a local interface which must have the specified
+ address.
+
+ * systemd-networkd gained a new [Tunnel] External= setting in .netdev
+ files, to configure tunnels in external mode (a.k.a. collect metadata
+ mode).
+
+ * [Network] L2TP= setting was removed. Please use interface specifier in
+ Local= setting in .netdev files of corresponding L2TP interface.
+
+ * New [DHCPServer] BootServerName=, BootServerAddress=, and
+ BootFilename= settings can be used to configure the server address,
+ server name, and file name sent in the DHCP packet (e.g. to configure
+ PXE boot).
+
+ Changes in systemd-resolved:
+
+ * systemd-resolved is started earlier (in sysinit.target), so it
+ available earlier and will also be started in the initrd if installed
+ there.
+
+ Changes in disk encryption:
+
+ * systemd-cryptenroll can now control whether to require the user to
+ enter a PIN when using TPM-based unlocking of a volume via the new
+ --tpm2-with-pin= option.
+
+ Option tpm2-pin= can be used in /etc/crypttab.
+
+ * When unlocking devices via TPM, TPM2 parameter encryption is now
+ used, to ensure that communication between CPU and discrete TPM chips
+ cannot be eavesdropped to acquire disk encryption keys.
+
+ * A new switch --fido2-credential-algorithm= has been added to
+ systemd-cryptenroll allowing selection of the credential algorithm to
+ use when binding encryption to FIDO2 tokens.
+
+ Changes in systemd-hostnamed:
+
+ * HARDWARE_VENDOR= and HARDWARE_MODEL= can be set in /etc/machine-info
+ to override the values gleaned from the hwdb.
+
+ * A ID_CHASSIS property can be set in the hwdb (for the DMI device
+ /sys/class/dmi/id) to override the chassis that is reported by
+ hostnamed.
+
+ * hostnamed's D-Bus interface gained a new method GetHardwareSerial()
+ for reading the hardware serial number, as reportd by DMI. It also
+ exposes a new method D-Bus property FirmwareVersion that encode the
+ firmware version of the system.
+
+ Changes in other components:
+
+ * /etc/locale.conf is now populated through tmpfiles.d factory /etc/
+ handling with the values that were configured during systemd build
+ (if /etc/locale.conf has not been created through some other
+ mechanism). This means that /etc/locale.conf should always have
+ reasonable contents and we avoid a potential mismatch in defaults.
+
+ * The userdbctl tool will now show UID range information as part of the
+ list of known users.
+
+ * A new build-time configuration setting default-user-shell= can be
+ used to set the default shell for user records and nspawn shell
+ invocations (instead of of the default /bin/bash).
+
+ * systemd-timesyncd now provides a D-Bus API for receiving NTP server
+ information dynamically at runtime via IPC.
+
+ * The systemd-creds tool gained a new "has-tpm2" verb, which reports
+ whether a functioning TPM2 infrastructure is available, i.e. if
+ firmware, kernel driver and systemd all have TPM2 support enabled and
+ a device found.
+
+ * The systemd-creds tool gained support for generating encrypted
+ credentials that are using an empty encryption key. While this
+ provides no integrity nor confidentiality it's useful to implement
+ codeflows that work the same on TPM-ful and TPM2-less systems. The
+ service manager will only accept credentials "encrypted" that way if
+ a TPM2 device cannot be detected, to ensure that credentials
+ "encrypted" like that cannot be used to trick TPM2 systems.
+
+ * When deciding whether to colorize output, all systemd programs now
+ also check $COLORTERM (in addition to $NO_COLOR, $SYSTEMD_COLORS, and
+ $TERM).
+
+ * Meson's new install_tag feature is now in use for several components,
+ allowing to build and install select binaries only: pam, nss, devel
+ (pkg-config files), systemd-boot, libsystemd, libudev. Example:
+ $ meson build systemd-boot
+ $ meson install --tags systemd-boot --no-rebuild
+ https://mesonbuild.com/Installing.html#installation-tags
+
+ * A new build configuration option has been added, to allow selecting the
+ default compression algorithm used by systemd-journald and systemd-coredump.
+ This allows to build-in support for decompressing all supported formats,
+ but choose a specific one for compression. E.g.:
+ $ meson -Ddefault-compression=xz
+
+ Experimental features:
+
+ * sd-boot gained a new *experimental* setting "reboot-for-bitlocker" in
+ loader.conf that implements booting Microsoft Windows from the
+ sd-boot in a way that first reboots the system, to reset the TPM
+ PCRs. This improves compatibility with BitLocker's TPM use, as the
+ PCRs will only record the Windows boot process, and not sd-boot
+ itself, thus retaining the PCR measurements not involving sd-boot.
+ Note that this feature is experimental for now, and is likely going
+ to be generalized and renamed in a future release, without retaining
+ compatibility with the current implementation.
+
+ * A new systemd-sysupdate component has been added that automatically
+ discovers, downloads, and installs A/B-style updates for the host
+ installation itself, or container images, portable service images,
+ and other assets. See the new systemd-sysupdate man page for updates.
+
+ Contributions from: 4piu, Adam Williamson, adrian5, Albert Brox,
+ AlexCatze, Alex Henrie, Alfonso Sánchez-Beato, Alice S,
+ Alvin Šipraga, amarjargal, Amarjargal, Andrea Pappacoda,
+ Andreas Rammhold, Andy Chi, Anita Zhang, Antonio Alvarez Feijoo,
+ Arfrever Frehtes Taifersar Arahesis, ash, Bastien Nocera, Be,
+ bearhoney, Ben Efros, Benjamin Berg, Benjamin Franzke,
+ Brett Holman, Christian Brauner, Clyde Byrd III, Curtis Klein,
+ Daan De Meyer, Daniele Medri, Daniel Mack, Danilo Krummrich,
+ David, David Bond, Davide Cavalca, David Tardon, davijosw,
+ dependabot[bot], Donald Chan, Dorian Clay, Eduard Tolosa,
+ Elias Probst, Eli Schwartz, Erik Sjölund, Evgeny Vereshchagin,
+ Federico Ceratto, Franck Bui, Frantisek Sumsal, Gaël PORTAY,
+ Georges Basile Stavracas Neto, Gibeom Gwon, Goffredo Baroncelli,
+ Grigori Goronzy, Hans de Goede, Heiko Becker, Hugo Carvalho,
+ Jakob Lell, James Hilliard, Jan Janssen, Jason A. Donenfeld,
+ Joan Bruguera, Joerie de Gram, Josh Triplett, Julia Kartseva,
+ Kazuo Moriwaka, Khem Raj, ksa678491784, Lance, Lan Tian,
+ Laura Barcziova, Lennart Poettering, Leviticoh, licunlong,
+ Lidong Zhong, lincoln auster, Lubomir Rintel, Luca Boccassi,
+ Luca BRUNO, lucagoc, Ludwig Nussel, Marcel Hellwig, march1993,
+ Marco Scardovi, Mario Limonciello, Mariusz Tkaczyk,
+ Markus Weippert, Martin, Martin Liska, Martin Wilck, Matija Skala,
+ Matthew Blythe, Matthias Lisin, Matthijs van Duin, Matt Walton,
+ Max Gautier, Michael Biebl, Michael Olbrich, Michal Koutný,
+ Michal Sekletár, Mike Gilbert, MkfsSion, Morten Linderud,
+ Nick Rosbrook, Nikolai Grigoriev, Nikolai Kostrigin,
+ Nishal Kulkarni, Noel Kuntze, Pablo Ceballos, Peter Hutterer,
+ Peter Morrow, Pigmy-penguin, Piotr Drąg, prumian, Richard Neill,
+ Rike-Benjamin Schuppner, rodin-ia, Romain Naour, Ruben Kerkhof,
+ Ryan Hendrickson, Santa Wiryaman, Sebastian Pucilowski, Seth Falco,
+ Simon Ellmann, Sonali Srivastava, Stefan Seering,
+ Stephen Hemminger, tawefogo, techtino, Temuri Doghonadze,
+ Thomas Batten, Thomas Haller, Thomas Weißschuh, Tobias Stoeckmann,
+ Tomasz Pala, Tyson Whitehead, Vishal Chillara Srinivas,
+ Vivien Didelot, w30023233, wangyuhang, Weblate, Xiaotian Wu,
+ yangmingtai, YmrDtnJu, Yonathan Randolph, Yutsuten, Yu Watanabe,
+ Zbigniew Jędrzejewski-Szmek, наб
+
+ — Edinburgh, 2022-05-21
+
+CHANGES WITH 250:
+
+ * Support for encrypted and authenticated credentials has been added.
+ This extends the credential logic introduced with v247 to support
+ non-interactive symmetric encryption and authentication, based on a
+ key that is stored on the /var/ file system or in the TPM2 chip (if
+ available), or the combination of both (by default if a TPM2 chip
+ exists the combination is used, otherwise the /var/ key only). The
+ credentials are automatically decrypted at the moment a service is
+ started, and are made accessible to the service itself in unencrypted
+ form. A new tool 'systemd-creds' encrypts credentials for this
+ purpose, and two new service file settings LoadCredentialEncrypted=
+ and SetCredentialEncrypted= configure such credentials.
+
+ This feature is useful to store sensitive material such as SSL
+ certificates, passwords and similar securely at rest and only decrypt
+ them when needed, and in a way that is tied to the local OS
+ installation or hardware.
+
+ * systemd-gpt-auto-generator can now automatically set up discoverable
+ LUKS2 encrypted swap partitions.
+
+ * The GPT Discoverable Partitions Specification has been substantially
+ extended with support for root and /usr/ partitions for the majority
+ of architectures systemd supports. This includes platforms that do
+ not natively support UEFI, because even though GPT is specified under
+ UEFI umbrella, it is useful on other systems too. Specifically,
+ systemd-nspawn, systemd-sysext, systemd-gpt-auto-generator and
+ Portable Services use the concept without requiring UEFI.
+
+ * The GPT Discoverable Partitions Specifications has been extended with
+ a new set of partitions that may carry PKCS#7 signatures for Verity
+ partitions, encoded in a simple JSON format. This implements a simple
+ mechanism for building disk images that are fully authenticated and
+ can be tested against a set of cryptographic certificates. This is
+ now implemented for the various systemd tools that can operate with
+ disk images, such as systemd-nspawn, systemd-sysext, systemd-dissect,
+ Portable services/RootImage=, systemd-tmpfiles, and systemd-sysusers.
+ The PKCS#7 signatures are passed to the kernel (where they are
+ checked against certificates from the kernel keyring), or can be
+ verified against certificates provided in userspace (via a simple
+ drop-in file mechanism).
+
+ * systemd-dissect's inspection logic will now report for which uses a
+ disk image is intended. Specifically, it will display whether an
+ image is suitable for booting on UEFI or in a container (using
+ systemd-nspawn's --image= switch), whether it can be used as portable
+ service, or attached as system extension.
+
+ * The system-extension.d/ drop-in files now support a new field
+ SYSEXT_SCOPE= that may encode which purpose a system extension image
+ is for: one of "initrd", "system" or "portable". This is useful to
+ make images more self-descriptive, and to ensure system extensions
+ cannot be attached in the wrong contexts.
+
+ * The os-release file learnt a new PORTABLE_PREFIXES= field which may
+ be used in portable service images to indicate which unit prefixes
+ are supported.
+
+ * The GPT image dissection logic in systemd-nspawn/systemd-dissect/…
+ now is able to decode images for non-native architectures as well.
+ This allows systemd-nspawn to boot images of non-native architectures
+ if the corresponding user mode emulator is installed and
+ systemd-binfmtd is running.
+
+ * systemd-logind gained new settings HandlePowerKeyLongPress=,
+ HandleRebootKeyLongPress=, HandleSuspendKeyLongPress= and
+ HandleHibernateKeyLongPress= which may be used to configure actions
+ when the relevant keys are pressed for more than 5s. This is useful
+ on devices that only have hardware for a subset of these keys. By
+ default, if the reboot key is pressed long the poweroff operation is
+ now triggered, and when the suspend key is pressed long the hibernate
+ operation is triggered. Long pressing the other two keys currently
+ does not trigger any operation by default.
+
+ * When showing unit status updates on the console during boot and
+ shutdown, and a service is slow to start so that the cylon animation
+ is shown, the most recent sd_notify() STATUS= text is now shown as
+ well. Services may use this to make the boot/shutdown output easier
+ to understand, and to indicate what precisely a service that is slow
+ to start or stop is waiting for. In particular, the per-user service
+ manager instance now reports what it is doing and which service it is
+ waiting for this way to the system service manager.
+
+ * The service manager will now re-execute on reception of the
+ SIGRTMIN+25 signal. It previously already did that on SIGTERM — but
+ only when running as PID 1. There was no signal to request this when
+ running as per-user service manager, i.e. as any other PID than 1.
+ SIGRTMIN+25 works for both system and user managers.
+
+ * The hardware watchdog logic in PID 1 gained support for operating
+ with the default timeout configured in the hardware, instead of
+ insisting on re-configuring it. Set RuntimeWatchdogSec=default to
+ request this behavior.
+
+ * A new kernel command line option systemd.watchdog_sec= is now
+ understood which may be used to override the hardware watchdog
+ time-out for the boot.
+
+ * A new setting DefaultOOMScoreAdjust= is now supported in
+ /etc/systemd/system.conf and /etc/systemd/user.conf. It may be used
+ to set the default process OOM score adjustment value for processes
+ started by the service manager. For per-user service managers this
+ now defaults to 100, but for per-system service managers is left as
+ is. This means that by default now services forked off the user
+ service manager are more likely to be killed by the OOM killer than
+ system services or the managers themselves.
+
+ * A new per-service setting RestrictFileSystems= as been added that
+ restricts the file systems a service has access to by their type.
+ This is based on the new BPF LSM of the Linux kernel. It provides an
+ effective way to make certain API file systems unavailable to
+ services (and thus minimizing attack surface). A new command
+ "systemd-analyze filesystems" has been added that lists all known
+ file system types (and how they are grouped together under useful
+ group handles).
+
+ * Services now support a new setting RestrictNetworkInterfaces= for
+ restricting access to specific network interfaces.
+
+ * Service unit files gained new settings StartupAllowedCPUs= and
+ StartupAllowedMemoryNodes=. These are similar to their counterparts
+ without the "Startup" prefix and apply during the boot process
+ only. This is useful to improve boot-time behavior of the system and
+ assign resources differently during boot than during regular
+ runtime. This is similar to the preexisting StartupCPUWeight=
+ vs. CPUWeight.
+
+ * Related to this: the various StartupXYZ= settings
+ (i.e. StartupCPUWeight=, StartupAllowedCPUs=, …) are now also applied
+ during shutdown. The settings not prefixed with "Startup" hence apply
+ during regular runtime, and those that are prefixed like that apply
+ during boot and shutdown.
+
+ * A new per-unit set of conditions/asserts
+ [Condition|Assert][Memory|CPU|IO]Pressure= have been added to make a
+ unit skip/fail activation if the system's (or a slice's) memory/cpu/io
+ pressure is above the configured threshold, using the kernel PSI
+ feature. For more details see systemd.unit(5) and
+ https://docs.kernel.org/accounting/psi.html
+
+ * The combination of ProcSubset=pid and ProtectKernelTunables=yes and/or
+ ProtectKernelLogs=yes can now be used.
+
+ * The default maximum numbers of inodes have been raised from 64k to 1M
+ for /dev/, and from 400k to 1M for /tmp/.
+
+ * The per-user service manager learnt support for communicating with
+ systemd-oomd to acquire OOM kill information.
+
+ * A new service setting ExecSearchPath= has been added that allows
+ changing the search path for executables for services. It affects
+ where we look for the binaries specified in ExecStart= and similar,
+ and the specified directories are also added the $PATH environment
+ variable passed to invoked processes.
+
+ * A new setting RuntimeRandomizedExtraSec= has been added for service
+ and scope units that allows extending the runtime time-out as
+ configured by RuntimeMaxSec= with a randomized amount.
+
+ * The syntax of the service unit settings RuntimeDirectory=,
+ StateDirectory=, CacheDirectory=, LogsDirectory= has been extended:
+ if the specified value is now suffixed with a colon, followed by
+ another filename, the latter will be created as symbolic link to the
+ specified directory. This allows creating these service directories
+ together with alias symlinks to make them available under multiple
+ names.
+
+ * Service unit files gained two new settings TTYRows=/TTYColumns= for
+ configuring rows/columns of the TTY device passed to
+ stdin/stdout/stderr of the service. This is useful to propagate TTY
+ dimensions to a virtual machine.
+
+ * A new service unit file setting ExitType= has been added that
+ specifies when to assume a service has exited. By default systemd
+ only watches the main process of a service. By setting
+ ExitType=cgroup it can be told to wait for the last process in a
+ cgroup instead.
+
+ * Automount unit files gained a new setting ExtraOptions= that can be
+ used to configure additional mount options to pass to the kernel when
+ mounting the autofs instance.
+
+ * "Urlification" (generation of ESC sequences that generate clickable
+ hyperlinks in modern terminals) may now be turned off altogether
+ during build-time.
+
+ * Path units gained new TriggerLimitBurst= and TriggerLimitIntervalSec=
+ settings that default to 200 and 2 s respectively. The ratelimit
+ ensures that a path unit cannot cause PID1 to busy-loop when it is
+ trying to trigger a service that is skipped because of a Condition*=
+ not being satisfied. This matches the configuration and behaviour of
+ socket units.
+
+ * The TPM2/FIDO2/PKCS11 support in systemd-cryptsetup is now also built
+ as a plug-in for cryptsetup. This means the plain cryptsetup command
+ may now be used to unlock volumes set up this way.
+
+ * The TPM2 logic in cryptsetup will now automatically detect systems
+ where the TPM2 chip advertises SHA256 PCR banks but the firmware only
+ updates the SHA1 banks. In such a case PCR policies will be
+ automatically bound to the latter, not the former. This makes the PCR
+ policies reliable, but of course do not provide the same level of
+ trust as SHA256 banks.
+
+ * The TPM2 logic in systemd-cryptsetup/systemd-cryptsetup now supports
+ RSA primary keys in addition to ECC, improving compatibility with
+ TPM2 chips that do not support ECC. RSA keys are much slower to use
+ than ECC, and hence are only used if ECC is not available.
+
+ * /etc/crypttab gained support for a new token-timeout= setting for
+ encrypted volumes that allows configuration of the maximum time to
+ wait for PKCS#11/FIDO2 tokens to be plugged in. If the time elapses
+ the logic will query the user for a regular passphrase/recovery key
+ instead.
+
+ * Support for activating dm-integrity volumes at boot via a new file
+ /etc/integritytab and the tool systemd-integritysetup have been
+ added. This is similar to /etc/crypttab and /etc/veritytab, but deals
+ with dm-integrity instead of dm-crypt/dm-verity.
+
+ * The systemd-veritysetup-generator now understands a new usrhash=
+ kernel command line option for specifying the Verity root hash for
+ the partition backing the /usr/ file system. A matching set of
+ systemd.verity_usr_* kernel command line options has been added as
+ well. These all work similar to the corresponding options for the
+ root partition.
+
+ * The sd-device API gained a new API call sd_device_get_diskseq() to
+ return the DISKSEQ property of a device structure. The "disk
+ sequence" concept is a new feature recently introduced to the Linux
+ kernel that allows detecting reuse cycles of block devices, i.e. can
+ be used to recognize when loopback block devices are reused for a
+ different purpose or CD-ROM drives get their media changed.
+
+ * A new unit systemd-boot-update.service has been added. If enabled
+ (the default) and the sd-boot loader is detected to be installed, it
+ is automatically updated to the newest version when out of date. This
+ is useful to ensure the boot loader remains up-to-date, and updates
+ automatically propagate from the OS tree in /usr/.
+
+ * sd-boot will now build with SBAT by default in order to facilitate
+ working with recent versions of Shim that require it to be present.
+
+ * sd-boot can now parse Microsoft Windows' Boot Configuration Data.
+ This is used to robustly generate boot entry titles for Windows.
+
+ * A new generic target unit factory-reset.target has been added. It is
+ hooked into systemd-logind similar in fashion to
+ reboot/poweroff/suspend/hibernate, and is supposed to be used to
+ initiate a factory reset operation. What precisely this operation
+ entails is up for the implementer to decide, the primary goal of the
+ new unit is provide a framework where to plug in the implementation
+ and how to trigger it.
+
+ * A new meson build-time option 'clock-valid-range-usec-max' has been
+ added which takes a time in µs and defaults to 15 years. If the RTC
+ time is noticed to be more than the specified time ahead of the
+ built-in epoch of systemd (which by default is the release timestamp
+ of systemd) it is assumed that the RTC is not working correctly, and
+ the RTC is reset to the epoch. (It already is reset to the epoch when
+ noticed to be before it.) This should increase the chance that time
+ doesn't accidentally jump too far ahead due to faulty hardware or
+ batteries.
+
+ * A new setting SaveIntervalSec= has been added to systemd-timesyncd,
+ which may be used to automatically save the current system time to
+ disk in regular intervals. This is useful to maintain a roughly
+ monotonic clock even without RTC hardware and with some robustness
+ against abnormal system shutdown.
+
+ * systemd-analyze verify gained support for a pair of new --image= +
+ --root= switches for verifying units below a specific root
+ directory/image instead of on the host.
+
+ * systemd-analyze verify gained support for verifying unit files under
+ an explicitly specified unit name, independently of what the filename
+ actually is.
+
+ * systemd-analyze verify gained a new switch --recursive-errors= which
+ controls whether to only fail on errors found in the specified units
+ or recursively any dependent units.
+
+ * systemd-analyze security now supports a new --offline mode for
+ analyzing unit files stored on disk instead of loaded units. It may
+ be combined with --root=/--image to analyze unit files under a root
+ directory or disk image. It also learnt a new --threshold= parameter
+ for specifying an exposure level threshold: if the exposure level
+ exceeds the specified value the call will fail. It also gained a new
+ --security-policy= switch for configuring security policies to
+ enforce on the units. A policy is a JSON file that lists which tests
+ shall be weighted how much to determine the overall exposure
+ level. Altogether these new features are useful for fully automatic
+ analysis and enforcement of security policies on unit files.
+
+ * systemd-analyze security gain a new --json= switch for JSON output.
+
+ * systemd-analyze learnt a new --quiet switch for reducing
+ non-essential output. It's honored by the "dot", "syscall-filter",
+ "filesystems" commands.
+
+ * systemd-analyze security gained a --profile= option that can be used
+ to take into account a portable profile when analyzing portable
+ services, since a lot of the security-related settings are enabled
+ through them.
+
+ * systemd-analyze learnt a new inspect-elf verb that parses ELF core
+ files, binaries and executables and prints metadata information,
+ including the build-id and other info described on:
+ https://systemd.io/COREDUMP_PACKAGE_METADATA/
+
+ * .network files gained a new UplinkInterface= in the [IPv6SendRA]
+ section, for automatically propagating DNS settings from other
+ interfaces.
+
+ * The static lease DHCP server logic in systemd-networkd may now serve
+ IP addresses outside of the configured IP pool range for the server.
+
+ * CAN support in systemd-networkd gained four new settings Loopback=,
+ OneShot=, PresumeAck=, ClassicDataLengthCode= for tweaking CAN
+ control modes. It gained a number of further settings for tweaking
+ CAN timing quanta.
+
+ * The [CAN] section in .network file gained new TimeQuantaNSec=,
+ PropagationSegment=, PhaseBufferSegment1=, PhaseBufferSegment2=,
+ SyncJumpWidth=, DataTimeQuantaNSec=, DataPropagationSegment=,
+ DataPhaseBufferSegment1=, DataPhaseBufferSegment2=, and
+ DataSyncJumpWidth= settings to control bit-timing processed by the
+ CAN interface.
+
+ * DHCPv4 client support in systemd-networkd learnt a new Label= option
+ for configuring the address label to apply to configure IPv4
+ addresses.
+
+ * The [IPv6AcceptRA] section of .network files gained support for a new
+ UseMTU= setting that may be used to control whether to apply the
+ announced MTU settings to the local interface.
+
+ * The [DHCPv4] section in .network file gained a new Use6RD= boolean
+ setting to control whether the DHCPv4 client request and process the
+ DHCP 6RD option.
+
+ * The [DHCPv6PrefixDelegation] section in .network file is renamed to
+ [DHCPPrefixDelegation], as now the prefix delegation is also supported
+ with DHCPv4 protocol by enabling the Use6RD= setting.
+
+ * The [DHCPPrefixDelegation] section in .network file gained a new
+ setting UplinkInterface= to specify the upstream interface.
+
+ * The [DHCPv6] section in .network file gained a new setting
+ UseDelegatedPrefix= to control whether the delegated prefixes will be
+ propagated to the downstream interfaces.
+
+ * The [IPv6AcceptRA] section of .network files now understands two new
+ settings UseGateway=/UseRoutePrefix= for explicitly configuring
+ whether to use the relevant fields from the IPv6 Router Advertisement
+ records.
+
+ * The ForceDHCPv6PDOtherInformation= setting in the [DHCPv6] section
+ has been removed. Please use the WithoutRA= and UseDelegatedPrefix=
+ settings in the [DHCPv6] section and the DHCPv6Client= setting in the
+ [IPv6AcceptRA] section to control when the DHCPv6 client is started
+ and how the delegated prefixes are handled by the DHCPv6 client.
+
+ * The IPv6Token= section in the [Network] section is deprecated, and
+ the [IPv6AcceptRA] section gained the Token= setting for its
+ replacement. The [IPv6Prefix] section also gained the Token= setting.
+ The Token= setting gained 'eui64' mode to explicitly configure an
+ address with the EUI64 algorithm based on the interface MAC address.
+ The 'prefixstable' mode can now optionally take a secret key. The
+ Token= setting in the [DHCPPrefixDelegation] section now supports all
+ algorithms supported by the same settings in the other sections.
+
+ * The [RoutingPolicyRule] section of .network file gained a new
+ SuppressInterfaceGroup= setting.
+
+ * The IgnoreCarrierLoss= setting in the [Network] section of .network
+ files now allows a duration to be specified, controlling how long to
+ wait before reacting to carrier loss.
+
+ * The [DHCPServer] section of .network file gained a new Router=
+ setting to specify the router address.
+
+ * The [CAKE] section of .network files gained various new settings
+ AutoRateIngress=, CompensationMode=, FlowIsolationMode=, NAT=,
+ MPUBytes=, PriorityQueueingPreset=, FirewallMark=, Wash=, SplitGSO=,
+ and UseRawPacketSize= for configuring CAKE.
+
+ * systemd-networkd now ships with new default .network files:
+ 80-container-vb.network which matches host-side network bridge device
+ created by systemd-nspawn's --network-bridge or --network-zone
+ switch, and 80-6rd-tunnel.network which matches automatically created
+ sit tunnel with 6rd prefix when the DHCP 6RD option is received.
+
+ * systemd-networkd's handling of Endpoint= resolution for WireGuard
+ interfaces has been improved.
+
+ * systemd-networkd will now automatically configure routes to addresses
+ specified in AllowedIPs=. This feature can be controlled via
+ RouteTable= and RouteMetric= settings in [WireGuard] or
+ [WireGuardPeer] sections.
+
+ * systemd-networkd will now once again automatically generate persistent
+ MAC addresses for batadv and bridge interfaces. Users can disable this
+ by using MACAddress=none in .netdev files.
+
+ * systemd-networkd and systemd-udevd now support IP over InfiniBand
+ interfaces. The Kind= setting in .netdev file accepts "ipoib". And
+ systemd.netdev files gained the [IPoIB] section.
+
+ * systemd-networkd and systemd-udevd now support net.ifname-policy=
+ option on the kernel command-line. This is implemented through the
+ systemd-network-generator service that automatically generates
+ appropriate .link, .network, and .netdev files.
+
+ * The various systemd-udevd "ethtool" buffer settings now understand
+ the special value "max" to configure the buffers to the maximum the
+ hardware supports.
+
+ * systemd-udevd's .link files may now configure a large variety of
+ NIC coalescing settings, plus more hardware offload settings.
+
+ * .link files gained a new WakeOnLanPassword= setting in the [Link]
+ section that allows to specify a WoL "SecureOn" password on hardware
+ that supports this.
+
+ * systemd-nspawn's --setenv= switch now supports an additional syntax:
+ if only a variable name is specified (i.e. without being suffixed by
+ a '=' character and a value) the current value of the environment
+ variable is propagated to the container. e.g. --setenv=FOO will
+ lookup the current value of $FOO in the environment, and pass it down
+ to the container. Similar behavior has been added to homectl's,
+ machinectl's and systemd-run's --setenv= switch.
+
+ * systemd-nspawn gained a new switch --suppress-sync= which may be used
+ to optionally suppress the effect of the sync()/fsync()/fdatasync()
+ system calls for the container payload. This is useful for build
+ system environments where safety against abnormal system shutdown is
+ not essential as all build artifacts can be regenerated any time, but
+ the performance win is beneficial.
+
+ * systemd-nspawn will now raise the RLIMIT_NOFILE hard limit to the
+ same value that PID 1 uses for most forked off processes.
+
+ * systemd-nspawn's --bind=/--bind-ro= switches now optionally take
+ uidmap/nouidmap options as last parameter. If "uidmap" is used the
+ bind mounts are created with UID mapping taking place that ensures
+ the host's file ownerships are mapped 1:1 to container file
+ ownerships, even if user namespacing is used. This way
+ files/directories bound into containers will no longer show up as
+ owned by the nobody user as they typically did if no special care was
+ taken to shift them manually.
+
+ * When discovering Windows installations sd-boot will now attempt to
+ show the Windows version.
+
+ * The color scheme to use in sd-boot may now be configured at
+ build-time.
+
+ * sd-boot gained the ability to change screen resolution during
+ boot-time, by hitting the "r" key. This will cycle through available
+ resolutions and save the last selection.
+
+ * sd-boot learnt a new hotkey "f". When pressed the system will enter
+ firmware setup. This is useful in environments where it is difficult
+ to hit the right keys early enough to enter the firmware, and works
+ on any firmware regardless which key it natively uses.
+
+ * sd-boot gained support for automatically booting into the menu item
+ selected on the last boot (using the "@saved" identifier for menu
+ items).
+
+ * sd-boot gained support for automatically loading all EFI drivers
+ placed in the /EFI/systemd/drivers/ subdirectory of the EFI System
+ Partition (ESP). These drivers are loaded before the menu entries are
+ loaded. This is useful e.g. to load additional file system drivers
+ for the XBOOTLDR partition.
+
+ * systemd-boot will now paint the input cursor on its own instead of
+ relying on the firmware to do so, increasing compatibility with broken
+ firmware that doesn't make the cursor reasonably visible.
+
+ * sd-boot now embeds a .osrel PE section like we expect from Boot
+ Loader Specification Type #2 Unified Kernels. This means sd-boot
+ itself may be used in place of a Type #2 Unified Kernel. This is
+ useful for debugging purposes as it allows chain-loading one a
+ (development) sd-boot instance from another.
+
+ * sd-boot now supports a new "devicetree" field in Boot Loader
+ Specification Type #1 entries: if configured the specified device
+ tree file is installed before the kernel is invoked. This is useful
+ for installing/applying new devicetree files without updating the
+ kernel image.
+
+ * Similarly, sd-stub now can read devicetree data from a PE section
+ ".dtb" and apply it before invoking the kernel.
+
+ * sd-stub (the EFI stub that can be glued in front of a Linux kernel)
+ gained the ability to pick up credentials and sysext files, wrap them
+ in a cpio archive, and pass as an additional initrd to the invoked
+ Linux kernel, in effect placing those files in the /.extra/ directory
+ of the initrd environment. This is useful to implement trusted initrd
+ environments which are fully authenticated but still can be extended
+ (via sysexts) and parameterized (via encrypted/authenticated
+ credentials, see above).
+
+ Credentials can be located next to the kernel image file (credentials
+ specific to a single boot entry), or in one of the shared directories
+ (credentials applicable to multiple boot entries).
+
+ * sd-stub now comes with a full man page, that explains its feature set
+ and how to combine a kernel image, an initrd and the stub to build a
+ complete EFI unified kernel image, implementing Boot Loader
+ Specification Type #2.
+
+ * sd-stub may now provide the initrd to the executed kernel via the
+ LINUX_EFI_INITRD_MEDIA_GUID EFI protocol, adding compatibility for
+ non-x86 architectures.
+
+ * bootctl learnt new set-timeout and set-timeout-oneshot commands that
+ may be used to set the boot menu time-out of the boot loader (for all
+ or just the subsequent boot).
+
+ * bootctl and kernel-install will now read variables
+ KERNEL_INSTALL_LAYOUT= from /etc/machine-info and layout= from
+ /etc/kernel/install.conf. When set, it specifies the layout to use
+ for installation directories on the boot partition, so that tools
+ don't need to guess it based on the already-existing directories. The
+ only value that is defined natively is "bls", corresponding to the
+ layout specified in
+ https://systemd.io/BOOT_LOADER_SPECIFICATION/. Plugins for
+ kernel-install that implement a different layout can declare other
+ values for this variable.
+
+ 'bootctl install' will now write KERNEL_INSTALL_LAYOUT=bls, on the
+ assumption that if the user installed sd-boot to the ESP, they intend
+ to use the entry layout understood by sd-boot. It'll also write
+ KERNEL_INSTALL_MACHINE_ID= if it creates any directories using the ID
+ (and it wasn't specified in the config file yet). Similarly,
+ kernel-install will now write KERNEL_INSTALL_MACHINE_ID= (if it
+ wasn't specified in the config file yet). Effectively, those changes
+ mean that the machine-id used for boot loader entry installation is
+ "frozen" upon first use and becomes independent of the actual
+ machine-id.
+
+ Configuring KERNEL_INSTALL_MACHINE_ID fixes the following problem:
+ images created for distribution ("golden images") are built with no
+ machine-id, so that a unique machine-id can be created on the first
+ boot. But those images may contain boot loader entries with the
+ machine-id used during build included in paths. Using a "frozen"
+ value allows unambiguously identifying entries that match the
+ specific installation, while still permitting parallel installations
+ without conflict.
+
+ Configuring KERNEL_INSTALL_LAYOUT obviates the need for
+ kernel-install to guess the installation layout. This fixes the
+ problem where a (possibly empty) directory in the boot partition is
+ created from a different layout causing kernel-install plugins to
+ assume the wrong layout. A particular example of how this may happen
+ is the grub2 package in Fedora which includes directories under /boot
+ directly in its file list. Various other packages pull in grub2 as a
+ dependency, so it may be installed even if unused, breaking
+ installations that use the bls layout.
+
+ * bootctl and systemd-bless-boot can now be linked statically.
+
+ * systemd-sysext now optionally doesn't insist on extension-release.d/
+ files being placed in the image under the image's file name. If the
+ file system xattr user.extension-release.strict is set on the
+ extension release file, it is accepted regardless of its name. This
+ relaxes security restrictions a bit, as system extension may be
+ attached under a wrong name this way.
+
+ * udevadm's test-builtin command learnt a new --action= switch for
+ testing the built-in with the specified action (in place of the
+ default 'add').
+
+ * udevadm info gained new switches --property=/--value for showing only
+ specific udev properties/values instead of all.
+
+ * A new hwdb database has been added that contains matches for various
+ types of signal analyzers (protocol analyzers, logic analyzers,
+ oscilloscopes, multimeters, bench power supplies, etc.) that should
+ be accessible to regular users.
+
+ * A new hwdb database entry has been added that carries information
+ about types of cameras (regular or infrared), and in which direction
+ they point (front or back).
+
+ * A new rule to allow console users access to rfkill by default has been
+ added to hwdb.
+
+ * Device nodes for the Software Guard eXtension enclaves (sgx_vepc) are
+ now also owned by the system group "sgx".
+
+ * A new build-time meson option "extra-net-naming-schemes=" has been
+ added to define additional naming schemes schemes for udev's network
+ interface naming logic. This is useful for enterprise distributions
+ and similar which want to pin the schemes of certain distribution
+ releases under a specific name and previously had to patch the
+ sources to introduce new named schemes.
+
+ * The predictable naming logic for network interfaces has been extended
+ to generate stable names from Xen netfront device information.
+
+ * hostnamed's chassis property can now be sourced from chassis-type
+ field encoded in devicetree (in addition to the existing DMI
+ support).
+
+ * systemd-cgls now optionally displays cgroup IDs and extended
+ attributes for each cgroup. (Controllable via the new --xattr= +
+ --cgroup-id= switches.)
+
+ * coredumpctl gained a new --all switch for operating on all
+ Journal files instead of just the local ones.
+
+ * systemd-coredump will now use libdw/libelf via dlopen() rather than
+ directly linking, allowing users to easily opt-out of backtrace/metadata
+ analysis of core files, and reduce image sizes when this is not needed.
+
+ * systemd-coredump will now analyze core files with libdw/libelf in a
+ forked, sandboxed process.
+
+ * systemd-homed will now try to unmount an activate home area in
+ regular intervals once the user logged out fully. Previously this was
+ attempted exactly once but if the home directory was busy for some
+ reason it was not tried again.
+
+ * systemd-homed's LUKS2 home area backend will now create a BSD file
+ system lock on the image file while the home area is active
+ (i.e. mounted). If a home area is found to be locked, logins are
+ politely refused. This should improve behavior when using home areas
+ images that are accessible via the network from multiple clients, and
+ reduce the chance of accidental file system corruption in that case.
+
+ * Optionally, systemd-homed will now drop the kernel buffer cache once
+ a user has fully logged out, configurable via the new --drop-caches=
+ homectl switch.
+
+ * systemd-homed now makes use of UID mapped mounts for the home areas.
+ If the kernel and used file system support it, files are now
+ internally owned by the "nobody" user (i.e. the user typically used
+ for indicating "this ownership is not mapped"), and dynamically
+ mapped to the UID used locally on the system via the UID mapping
+ mount logic of recent kernels. This makes migrating home areas
+ between different systems cheaper because recursively chown()ing file
+ system trees is no longer necessary.
+
+ * systemd-homed's CIFS backend now optionally supports CIFS service
+ names with a directory suffix, in order to place home directories in
+ a subdirectory of a CIFS share, instead of the top-level directory.
+
+ * systemd-homed's CIFS backend gained support for specifying additional
+ mount options in the JSON user record (cifsExtraMountOptions field,
+ and --cifs-extra-mount-options= homectl switch). This is for example
+ useful for configuring mount options such as "noserverino" that some
+ SMB3 services require (use that to run a homed home directory from a
+ FritzBox SMB3 share this way).
+
+ * systemd-homed will now default to btrfs' zstd compression for home
+ areas. This is inspired by Fedora's recent decision to switch to zstd
+ by default.
+
+ * Additional mount options to use when mounting the file system of
+ LUKS2 volumes in systemd-homed has been added. Via the
+ $SYSTEMD_HOME_MOUNT_OPTIONS_BTRFS, $SYSTEMD_HOME_MOUNT_OPTIONS_EXT4,
+ $SYSTEMD_HOME_MOUNT_OPTIONS_XFS environment variables to
+ systemd-homed or via the luksExtraMountOptions user record JSON
+ property. (Exposed via homectl --luks-extra-mount-options)
+
+ * homectl's resize command now takes the special size specifications
+ "min" and "max" to shrink/grow the home area to the minimum/maximum
+ size possible, taking disk usage/space constraints and file system
+ limitations into account. Resizing is now generally graceful: the
+ logic will try to get as close to the specified size as possible, but
+ not consider it a failure if the request couldn't be fulfilled
+ precisely.
+
+ * systemd-homed gained the ability to automatically shrink home areas
+ on logout to their minimal size and grow them again on next
+ login. This ensures that while inactive, a home area only takes up
+ the minimal space necessary, but once activated, it provides
+ sufficient space for the user's needs. This behavior is only
+ supported if btrfs is used as file system inside the home area
+ (because only for btrfs online growing/shrinking is implemented in
+ the kernel). This behavior is now enabled by default, but may be
+ controlled via the new --auto-resize-mode= setting of homectl.
+
+ * systemd-homed gained support for automatically re-balancing free disk
+ space among active home areas, in case the LUKS2 backends are used,
+ and no explicit disk size was requested. This way disk space is
+ automatically managed and home areas resized in regular intervals and
+ manual resizing when disk space becomes scarce should not be
+ necessary anymore. This behavior is only supported if btrfs is used
+ within the home areas (as only then online shrinking and growing is
+ supported), and may be configured via the new rebalanceWeight JSON
+ user record field (as exposed via the new --rebalance-weight= homectl
+ setting). Re-balancing is mostly automatic, but can also be requested
+ explicitly via "homectl rebalance", which is synchronous, and thus
+ may be used to wait until the rebalance run is complete.
+
+ * userdbctl gained a --json= switch for configured the JSON formatting
+ to use when outputting user or group records.
+
+ * userdbctl gained a new --multiplexer= switch for explicitly
+ configuring whether to use the systemd-userdbd server side user
+ record resolution logic.
+
+ * userdbctl's ssh-authorized-keys command learnt a new --chain switch,
+ for chaining up another command to execute after completing the
+ look-up. Since the OpenSSH's AuthorizedKeysCommand only allows
+ configuration of a single command to invoke, this maybe used to
+ invoke multiple: first userdbctl's own implementation, and then any
+ other also configured in the command line.
+
+ * The sd-event API gained a new function sd_event_add_inotify_fd() that
+ is similar to sd_event_add_inotify() but accepts a file descriptor
+ instead of a path in the file system for referencing the inode to
+ watch.
+
+ * The sd-event API gained a new function
+ sd_event_source_set_ratelimit_expire_callback() that may be used to
+ define a callback function that is called whenever an event source
+ leaves the rate limiting phase.
+
+ * New documentation has been added explaining which steps are necessary
+ to port systemd to a new architecture:
+
+ https://systemd.io/PORTING_TO_NEW_ARCHITECTURES
+
+ * The x-systemd.makefs option in /etc/fstab now explicitly supports
+ ext2, ext3, and f2fs file systems.
+
+ * Mount units and units generated from /etc/fstab entries with 'noauto'
+ are now ordered the same as other units. Effectively, they will be
+ started earlier (if something actually pulled them in) and stopped
+ later, similarly to normal mount units that are part of
+ fs-local.target. This change should be invisible to users, but
+ should prevent those units from being stopped too early during
+ shutdown.
+
+ * The systemd-getty-generator now honors a new kernel command line
+ argument systemd.getty_auto= and a new environment variable
+ $SYSTEMD_GETTY_AUTO that allows turning it off at boot. This is for
+ example useful to turn off gettys inside of containers or similar
+ environments.
+
+ * systemd-resolved now listens on a second DNS stub address: 127.0.0.54
+ (in addition to 127.0.0.53, as before). If DNS requests are sent to
+ this address they are propagated in "bypass" mode only, i.e. are
+ almost not processed locally, but mostly forwarded as-is to the
+ current upstream DNS servers. This provides a stable DNS server
+ address that proxies all requests dynamically to the right upstream
+ DNS servers even if these dynamically change. This stub does not do
+ mDNS/LLMNR resolution. However, it will translate look-ups to
+ DNS-over-TLS if necessary. This new stub is particularly useful in
+ container/VM environments, or for tethering setups: use DNAT to
+ redirect traffic to any IP address to this stub.
+
+ * systemd-importd now honors new environment variables
+ $SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA,
+ $SYSTEMD_IMPORT_SYNC, which may be used disable btrfs subvolume
+ generation, btrfs quota setup and disk synchronization.
+
+ * systemd-importd and systemd-resolved can now be optionally built with
+ OpenSSL instead of libgcrypt.
+
+ * systemd-repart no longer requires OpenSSL.
+
+ * systemd-sysusers will no longer create the redundant 'nobody' group
+ by default, as the 'nobody' user is already created with an
+ appropriate primary group.
+
+ * If a unit uses RuntimeMaxSec, systemctl show will now display it.
+
+ * systemctl show-environment gained support for --output=json.
+
+ * pam_systemd will now first try to use the X11 abstract socket, and
+ fallback to the socket file in /tmp/.X11-unix/ only if that does not
+ work.
+
+ * systemd-journald will no longer go back to volatile storage
+ regardless of configuration when its unit is restarted.
+
+ * Initial support for the LoongArch architecture has been added (system
+ call lists, GPT partition table UUIDs, etc).
+
+ * systemd-journald's own logging messages are now also logged to the
+ journal itself when systemd-journald logs to /dev/kmsg.
+
+ * systemd-journald now re-enables COW for archived journal files on
+ filesystems that support COW. One benefit of this change is that
+ archived journal files will now get compressed on btrfs filesystems
+ that have compression enabled.
+
+ * systemd-journald now deduplicates fields in a single log message
+ before adding it to the journal. In archived journal files, it will
+ also punch holes for unused parts and truncate the file as
+ appropriate, leading to reductions in disk usage.
+
+ * journalctl --verify was extended with more informative error
+ messages.
+
+ * More of sd-journal's functions are now resistant against journal file
+ corruption.
+
+ * The shutdown command learnt a new option --show, to display the
+ scheduled shutdown.
+
+ * A LICENSES/ directory is now included in the git tree. It contains a
+ README.md file that explains the licenses used by source files in
+ this repository. It also contains the text of all applicable
+ licenses as they appear on spdx.org.
+
+ Contributions from: Aakash Singh, acsfer, Adolfo Jayme Barrientos,
+ Adrian Vovk, Albert Brox, Alberto Mardegan, Alexander Kanavin,
+ alexlzhu, Alfonso Sánchez-Beato, Alvin Šipraga, Alyssa Ross,
+ Amir Omidi, Anatol Pomozov, Andika Triwidada, Andreas Rammhold,
+ Andreas Valder, Andrej Lajovic, Andrew Soutar, Andrew Stone, Andy Chi,
+ Anita Zhang, Anssi Hannula, Antonio Alvarez Feijoo,
+ Antony Deepak Thomas, Arnaud Ferraris, Arvid E. Picciani,
+ Bastien Nocera, Benjamin Berg, Benjamin Herrenschmidt, Ben Stockett,
+ Bogdan Seniuc, Boqun Feng, Carl Lei, chlorophyll-zz, Chris Packham,
+ Christian Brauner, Christian Göttsche, Christian Wehrli,
+ Christoph Anton Mitterer, Cristian Rodríguez, Daan De Meyer,
+ Daniel Maixner, Dann Frazier, Dan Streetman, Davide Cavalca,
+ David Seifert, David Tardon, dependabot[bot], Dimitri John Ledkov,
+ Dimitri Papadopoulos, Dimitry Ishenko, Dmitry Khlebnikov,
+ Dominique Martinet, duament, Egor, Egor Ignatov, Emil Renner Berthing,
+ Emily Gonyer, Ettore Atalan, Evgeny Vereshchagin, Florian Klink,
+ Franck Bui, Frantisek Sumsal, Geass-LL, Gibeom Gwon, GnunuX,
+ Gogo Gogsi, gregzuro, Greg Zuro, Gustavo Costa, Hans de Goede,
+ Hela Basa, Henri Chain, hikigaya58, Hugo Carvalho,
+ Hugo Osvaldo Barrera, Iago Lopez Galeiras, Iago López Galeiras,
+ I-dont-need-name, igo95862, Jack Dähn, James Hilliard, Jan Janssen,
+ Jan Kuparinen, Jan Macku, Jan Palus, Jarkko Sakkinen, Jayce Fayne,
+ jiangchuangang, jlempen, John Lindgren, Jonas Dreßler, Jonas Jelten,
+ Jonas Witschel, Joris Hartog, José Expósito, Julia Kartseva,
+ Kai-Heng Feng, Kai Wohlfahrt, Kay Siver Bø, KennthStailey,
+ Kevin Kuehler, Kevin Orr, Khem Raj, Kristian Klausen, Kyle Laker,
+ lainahai, LaserEyess, Lennart Poettering, Lia Lenckowski, longpanda,
+ Luca Boccassi, Luca BRUNO, Ludwig Nussel, Lukas Senionis,
+ Maanya Goenka, Maciek Borzecki, Marcel Menzel, Marco Scardovi,
+ Marcus Harrison, Mark Boudreau, Matthijs van Duin, Mauricio Vásquez,
+ Maxime de Roucy, Max Resch, MertsA, Michael Biebl, Michael Catanzaro,
+ Michal Koutný, Michal Sekletár, Miika Karanki, Mike Gilbert,
+ Milo Turner, ml, monosans, Nacho Barrientos, nassir90, Nishal Kulkarni,
+ nl6720, Ondrej Kozina, Paulo Neves, Pavel Březina, pedro martelletto,
+ Peter Hutterer, Peter Morrow, Piotr Drąg, Rasmus Villemoes, ratijas,
+ Raul Tambre, rene, Riccardo Schirone, Robert-L-Turner, Robert Scheck,
+ Ross Jennings, saikat0511, Scott Lamb, Scott Worley,
+ Sergei Trofimovich, Sho Iizuka, Slava Bacherikov, Slimane Selyan Amiri,
+ StefanBruens, Steven Siloti, svonohr, Taiki Sugawara, Takashi Sakamoto,
+ Takuro Onoue, Thomas Blume, Thomas Haller, Thomas Mühlbacher,
+ Tianlu Shao, Toke Høiland-Jørgensen, Tom Yan, Tony Asleson,
+ Topi Miettinen, Ulrich Ölmann, Urs Ritzmann, Vincent Bernat,
+ Vito Caputo, Vladimir Panteleev, WANG Xuerui, Wind/owZ, Wu Xiaotian,
+ xdavidwu, Xiaotian Wu, xujing, yangmingtai, Yao Wei, Yao Wei (魏銘廷),
+ Yegor Alexeyev, Yu Watanabe, Zbigniew Jędrzejewski-Szmek,
+ Дамјан Георгиевски, наб
+
+ — Warsaw, 2021-12-23
+
+CHANGES WITH 249:
+
+ * When operating on disk images via the --image= switch of various
+ tools (such as systemd-nspawn or systemd-dissect), or when udev finds
+ no 'root=' parameter on the kernel command line, and multiple
+ suitable root or /usr/ partitions exist in the image, then a simple
+ comparison inspired by strverscmp() is done on the GPT partition
+ label, and the newest partition is picked. This permits a simple and
+ generic whole-file-system A/B update logic where new operating system
+ versions are dropped into partitions whose label is then updated with
+ a matching version identifier.
+
+ * systemd-sysusers now supports querying the passwords to set for the
+ users it creates via the "credentials" logic introduced in v247: the
+ passwd.hashed-password.<user> and passwd.plaintext-password.<user>
+ credentials are consulted for the password to use (either in UNIX
+ hashed form, or literally). By default these credentials are inherited
+ down from PID1 (which in turn imports it from a container manager if
+ there is one). This permits easy configuration of user passwords
+ during first boot. Example:
+
+ # systemd-nspawn -i foo.raw --volatile=yes --set-credential=passwd.plaintext-password.root:foo
+
+ Note that systemd-sysusers operates in purely additive mode: it
+ executes no operation if the declared users already exist, and hence
+ doesn't set any passwords as effect of the command line above if the
+ specified root user exists already in the image. (Note that
+ --volatile=yes ensures it doesn't, though.)
+
+ * systemd-firstboot now also supports querying various system
+ parameters via the credential subsystems. Thus, as above this may be
+ used to initialize important system parameters on first boot of
+ previously unprovisioned images (i.e. images with a mostly empty
+ /etc/).
+
+ * PID 1 may now show both the unit name and the unit description
+ strings in its status output during boot. This may be configured with
+ StatusUnitFormat=combined in system.conf or
+ systemd.status-unit-format=combined on the kernel command line.
+
+ * The systemd-machine-id-setup tool now supports a --image= switch for
+ provisioning a machine ID file into an OS disk image, similar to how
+ --root= operates on an OS file tree. This matches the existing switch
+ of the same name for systemd-tmpfiles, systemd-firstboot, and
+ systemd-sysusers tools.
+
+ * Similarly, systemd-repart gained support for the --image= switch too.
+ In combination with the existing --size= option, this makes the tool
+ particularly useful for easily growing disk images in a single
+ invocation, following the declarative rules included in the image
+ itself.
+
+ * systemd-repart's partition configuration files gained support for a
+ new switch MakeDirectories= which may be used to create arbitrary
+ directories inside file systems that are created, before registering
+ them in the partition table. This is useful in particular for root
+ partitions to create mount point directories for other partitions
+ included in the image. For example, a disk image that contains a
+ root, /home/, and /var/ partitions, may set MakeDirectories=yes to
+ create /home/ and /var/ as empty directories in the root file system
+ on its creation, so that the resulting image can be mounted
+ immediately, even in read-only mode.
+
+ * systemd-repart's CopyBlocks= setting gained support for the special
+ value "auto". If used, a suitable matching partition on the booted OS
+ is found as source to copy blocks from. This is useful when
+ implementing replicating installers, that are booted from one medium
+ and then stream their own root partition onto the target medium.
+
+ * systemd-repart's partition configuration files gained support for a
+ Flags=, a ReadOnly= and a NoAuto= setting, allowing control of these
+ GPT partition flags for the created partitions: this is useful for
+ marking newly created partitions as read-only, or as not being
+ subject for automatic mounting from creation on.
+
+ * The /etc/os-release file has been extended with two new (optional)
+ variables IMAGE_VERSION= and IMAGE_ID=, carrying identity and version
+ information for OS images that are updated comprehensively and
+ atomically as one image. Two new specifiers %M, %A now resolve to
+ these two fields in the various configuration options that resolve
+ specifiers.
+
+ * portablectl gained a new switch --extension= for enabling portable
+ service images with extensions that follow the extension image
+ concept introduced with v248, and thus allows layering multiple
+ images when setting up the root filesystem of the service.
+
+ * systemd-coredump will now extract ELF build-id information from
+ processes dumping core and include it in the coredump report.
+ Moreover, it will look for ELF .note.package sections with
+ distribution packaging meta-information about the crashing process.
+ This is useful to directly embed the rpm or deb (or any other)
+ package name and version in ELF files, making it easy to match
+ coredump reports with the specific package for which the software was
+ compiled. This is particularly useful on environments with ELF files
+ from multiple vendors, different distributions and versions, as is
+ common today in our containerized and sand-boxed world. For further
+ information, see:
+
+ https://systemd.io/COREDUMP_PACKAGE_METADATA
+
+ * A new udev hardware database has been added for FireWire devices
+ (IEEE 1394).
+
+ * The "net_id" built-in of udev has been updated with three
+ backwards-incompatible changes:
+
+ - PCI hotplug slot names on s390 systems are now parsed as
+ hexadecimal numbers. They were incorrectly parsed as decimal
+ previously, or ignored if the name was not a valid decimal
+ number.
+
+ - PCI onboard indices up to 65535 are allowed. Previously, numbers
+ above 16383 were rejected. This primarily impacts s390 systems,
+ where values up to 65535 are used.
+
+ - Invalid characters in interface names are replaced with "_".
+
+ The new version of the net naming scheme is "v249". The previous
+ scheme can be selected via the "net.naming-scheme=v247" kernel
+ command line parameter.
+
+ * sd-bus' sd_bus_is_ready() and sd_bus_is_open() calls now accept a
+ NULL bus object, for which they will return false. Or in other words,
+ an unallocated bus connection is neither ready nor open.
+
+ * The sd-device API acquired a new API function
+ sd_device_get_usec_initialized() that returns the monotonic time when
+ the udev device first appeared in the database.
+
+ * sd-device gained a new APIs sd_device_trigger_with_uuid() and
+ sd_device_get_trigger_uuid(). The former is similar to
+ sd_device_trigger() but returns a randomly generated UUID that is
+ associated with the synthetic uevent generated by the call. This UUID
+ may be read from the sd_device object a monitor eventually receives,
+ via the sd_device_get_trigger_uuid(). This interface requires kernel
+ 4.13 or above to work, and allows tracking a synthetic uevent through
+ the entire device management stack. The "udevadm trigger --settle"
+ logic has been updated to make use of this concept if available to
+ wait precisely for the uevents it generates. "udevadm trigger" also
+ gained a new parameter --uuid that prints the UUID for each generated
+ uevent.
+
+ * sd-device also gained new APIs sd_device_new_from_ifname() and
+ sd_device_new_from_ifindex() for allocating an sd-device object for
+ the specified network interface. The former accepts an interface name
+ (either a primary or an alternative name), the latter an interface
+ index.
+
+ * The native Journal protocol has been documented. Clients may talk
+ this as alternative to the classic BSD syslog protocol for locally
+ delivering log records to the Journal. The protocol has been stable
+ for a long time and in fact been implemented already in a variety
+ of alternative client libraries. This documentation makes the support
+ for that official:
+
+ https://systemd.io/JOURNAL_NATIVE_PROTOCOL
+
+ * A new BPFProgram= setting has been added to service files. It may be
+ set to a path to a loaded kernel BPF program, i.e. a path to a bpffs
+ file, or a bind mount or symlink to one. This may be used to upload
+ and manage BPF programs externally and then hook arbitrary systemd
+ services into them.
+
+ * The "home.arpa" domain that has been officially declared as the
+ choice for domain for local home networks per RFC 8375 has been added
+ to the default NTA list of resolved, since DNSSEC is generally not
+ available on private domains.
+
+ * The CPUAffinity= setting of unit files now resolves "%" specifiers.
+
+ * A new ManageForeignRoutingPolicyRules= setting has been added to
+ .network files which may be used to exclude foreign-created routing
+ policy rules from systemd-networkd management.
+
+ * systemd-network-wait-online gained two new switches -4 and -6 that
+ may be used to tweak whether to wait for only IPv4 or only IPv6
+ connectivity.
+
+ * .network files gained a new RequiredFamilyForOnline= setting to
+ fine-tune whether to require an IPv4 or IPv6 address in order to
+ consider an interface "online".
+
+ * networkctl will now show an over-all "online" state in the per-link
+ information.
+
+ * In .network files a new OutgoingInterface= setting has been added to
+ specify the output interface in bridge FDB setups.
+
+ * In .network files the Multipath group ID may now be configured for
+ [NextHop] entries, via the new Group= setting.
+
+ * The DHCP server logic configured in .network files gained a new
+ setting RelayTarget= that turns the server into a DHCP server relay.
+ The RelayAgentCircuitId= and RelayAgentRemoteId= settings may be used
+ to further tweak the DHCP relay behaviour.
+
+ * The DHCP server logic also gained a new ServerAddress= setting in
+ .network files that explicitly specifies the server IP address to
+ use. If not specified, the address is determined automatically, as
+ before.
+
+ * The DHCP server logic in systemd-networkd gained support for static
+ DHCP leases, configurable via the [DHCPServerStaticLease]
+ section. This allows explicitly mapping specific MAC addresses to
+ fixed IP addresses and vice versa.
+
+ * The RestrictAddressFamilies= setting in service files now supports a
+ new special value "none". If specified sockets of all address
+ families will be made unavailable to services configured that way.
+
+ * systemd-fstab-generator and systemd-repart have been updated to
+ support booting from disks that carry only a /usr/ partition but no
+ root partition yet, and where systemd-repart can add it in on the
+ first boot. This is useful for implementing systems that ship with a
+ single /usr/ file system, and whose root file system shall be set up
+ and formatted on a LUKS-encrypted volume whose key is generated
+ locally (and possibly enrolled in the TPM) during the first boot.
+
+ * The [Address] section of .network files now accepts a new
+ RouteMetric= setting that configures the routing metric to use for
+ the prefix route created as effect of the address configuration.
+ Similarly, the [DHCPv6PrefixDelegation] and [IPv6Prefix] sections
+ gained matching settings for their prefix routes. (The option of the
+ same name in the [DHCPv6] section is moved to [IPv6AcceptRA], since
+ it conceptually belongs there; the old option is still understood for
+ compatibility.)
+
+ * The DHCPv6 IAID and DUID are now explicitly configurable in .network
+ files.
+
+ * A new udev property ID_NET_DHCP_BROADCAST on network interface
+ devices is now honoured by systemd-networkd, controlling whether to
+ issue DHCP offers via broadcasting. This is used to ensure that s390
+ layer 3 network interfaces work out-of-the-box with systemd-networkd.
+
+ * nss-myhostname and systemd-resolved will now synthesize address
+ records for a new special hostname "_outbound". The name will always
+ resolve to the local IP addresses most likely used for outbound
+ connections towards the default routes. On multi-homed hosts this is
+ useful to have a stable handle referring to "the" local IP address
+ that matters most, to the point where this is defined.
+
+ * The Discoverable Partition Specification has been updated with a new
+ GPT partition flag "grow-file-system" defined for its partition
+ types. Whenever partitions with this flag set are automatically
+ mounted (i.e. via systemd-gpt-auto-generator or the --image= switch
+ of systemd-nspawn or other tools; and as opposed to explicit mounting
+ via /etc/fstab), the file system within the partition is
+ automatically grown to the full size of the partition. If the file
+ system size already matches the partition size this flag has no
+ effect. Previously, this functionality has been available via the
+ explicit x-systemd.growfs mount option, and this new flag extends
+ this to automatically discovered mounts. A new GrowFileSystem=
+ setting has been added to systemd-repart drop-in files that allows
+ configuring this partition flag. This new flag defaults to on for
+ partitions automatically created by systemd-repart, except if they
+ are marked read-only. See the specification for further details:
+
+ https://systemd.io/DISCOVERABLE_PARTITIONS
+
+ * .network files gained a new setting RoutesToNTP= in the [DHCPv4]
+ section. If enabled (which is the default), and an NTP server address
+ is acquired through a DHCP lease on this interface an explicit route
+ to this address is created on this interface to ensure that NTP
+ traffic to the NTP server acquired on an interface is also routed
+ through that interface. The pre-existing RoutesToDNS= setting that
+ implements the same for DNS servers is now enabled by default.
+
+ * A pair of service settings SocketBindAllow= + SocketBindDeny= have
+ been added that may be used to restrict the network interfaces
+ sockets created by the service may be bound to. This is implemented
+ via BPF.
+
+ * A new ConditionFirmware= setting has been added to unit files to
+ conditionalize on certain firmware features. At the moment it may
+ check whether running on an UEFI system, a device.tree system, or if
+ the system is compatible with some specified device-tree feature.
+
+ * A new ConditionOSRelease= setting has been added to unit files to
+ check os-release(5) fields. The "=", "!=", "<", "<=", ">=", ">"
+ operators may be used to check if some field has some specific value
+ or do an alphanumerical comparison. Equality comparisons are useful
+ for fields like ID, but relative comparisons for fields like
+ VERSION_ID or IMAGE_VERSION.
+
+ * hostnamed gained a new Describe() D-Bus method that returns a JSON
+ serialization of the host data it exposes. This is exposed via
+ "hostnamectl --json=" to acquire a host identity description in JSON.
+ It's our intention to add a similar features to most services and
+ objects systemd manages, in order to simplify integration with
+ program code that can consume JSON.
+
+ * Similarly, networkd gained a Describe() method on its Manager and
+ Link bus objects. This is exposed via "networkctl --json=".
+
+ * hostnamectl's various "get-xyz"/"set-xyz" verb pairs
+ (e.g. "hostnamectl get-hostname", "hostnamectl "set-hostname") have
+ been replaced by a single "xyz" verb (e.g. "hostnamectl hostname")
+ that is used both to get the value (when no argument is given), and
+ to set the value (when an argument is specified). The old names
+ continue to be supported for compatibility.
+
+ * systemd-detect-virt and ConditionVirtualization= are now able to
+ correctly identify Amazon EC2 environments.
+
+ * The LogLevelMax= setting of unit files now applies not only to log
+ messages generated *by* the service, but also to log messages
+ generated *about* the service by PID 1. To suppress logs concerning a
+ specific service comprehensively, set this option to a high log
+ level.
+
+ * bootctl gained support for a new --make-machine-id-directory= switch
+ that allows precise control on whether to create the top-level
+ per-machine directory in the boot partition that typically contains
+ Type 1 boot loader entries.
+
+ * During build SBAT data to include in the systemd-boot EFI PE binaries
+ may be specified now.
+
+ * /etc/crypttab learnt a new option "headless". If specified any
+ requests to query the user interactively for passwords or PINs will
+ be skipped. This is useful on systems that are headless, i.e. where
+ an interactive user is generally not present.
+
+ * /etc/crypttab also learnt a new option "password-echo=" that allows
+ configuring whether the encryption password prompt shall echo the
+ typed password and if so, do so literally or via asterisks. (The
+ default is the same behaviour as before: provide echo feedback via
+ asterisks.)
+
+ * FIDO2 support in systemd-cryptenroll/systemd-cryptsetup and
+ systemd-homed has been updated to allow explicit configuration of the
+ "user presence" and "user verification" checks, as well as whether a
+ PIN is required for authentication, via the new switches
+ --fido2-with-user-presence=, --fido2-with-user-verification=,
+ --fido2-with-client-pin= to systemd-cryptenroll and homectl. Which
+ features are available, and may be enabled or disabled depends on the
+ used FIDO2 token.
+
+ * systemd-nspawn's --private-user= switch now accepts the special value
+ "identity" which configures a user namespacing environment with an
+ identity mapping of 65535 UIDs. This means the container UID 0 is
+ mapped to the host UID 0, and the UID 1 to host UID 1. On first look
+ this doesn't appear to be useful, however it does reduce the attack
+ surface a bit, since the resulting container will possess process
+ capabilities only within its namespace and not on the host.
+
+ * systemd-nspawn's --private-user-chown switch has been replaced by a
+ more generic --private-user-ownership= switch that accepts one of
+ three values: "chown" is equivalent to the old --private-user-chown,
+ and "off" is equivalent to the absence of the old switch. The value
+ "map" uses the new UID mapping mounts of Linux 5.12 to map ownership
+ of files and directories of the underlying image to the chosen UID
+ range for the container. "auto" is equivalent to "map" if UID mapping
+ mount are supported, otherwise it is equivalent to "chown". The short
+ -U switch systemd-nspawn now implies --private-user-ownership=auto
+ instead of the old --private-user-chown. Effectively this means: if
+ the backing file system supports UID mapping mounts the feature is
+ now used by default if -U is used. Generally, it's a good idea to use
+ UID mapping mounts instead of recursive chown()ing, since it allows
+ running containers off immutable images (since no modifications of
+ the images need to take place), and share images between multiple
+ instances. Moreover, the recursive chown()ing operation is slow and
+ can be avoided. Conceptually it's also a good thing if transient UID
+ range uses do not leak into persistent file ownership anymore. TLDR:
+ finally, the last major drawback of user namespacing has been
+ removed, and -U should always be used (unless you use btrfs, where
+ UID mapped mounts do not exist; or your container actually needs
+ privileges on the host).
+
+ * nss-systemd now synthesizes user and group shadow records in addition
+ to the main user and group records. Thus, hashed passwords managed by
+ systemd-homed are now accessible via the shadow database.
+
+ * The userdb logic (and thus nss-systemd, and so on) now read
+ additional user/group definitions in JSON format from the drop-in
+ directories /etc/userdb/, /run/userdb/, /run/host/userdb/ and
+ /usr/lib/userdb/. This is a simple and powerful mechanism for making
+ additional users available to the system, with full integration into
+ NSS including the shadow databases. Since the full JSON user/group
+ record format is supported this may also be used to define users with
+ resource management settings and other runtime settings that
+ pam_systemd and systemd-logind enforce at login.
+
+ * The userdbctl tool gained two new switches --with-dropin= and
+ --with-varlink= which can be used to fine-tune the sources used for
+ user database lookups.
+
+ * systemd-nspawn gained a new switch --bind-user= for binding a host
+ user account into the container. This does three things: the user's
+ home directory is bind mounted from the host into the container,
+ below the /run/userdb/home/ hierarchy. A free UID is picked in the
+ container, and a user namespacing UID mapping to the host user's UID
+ installed. And finally, a minimal JSON user and group record (along
+ with its hashed password) is dropped into /run/host/userdb/. These
+ records are picked up automatically by the userdb drop-in logic
+ describe above, and allow the user to login with the same password as
+ on the host. Effectively this means: if host and container run new
+ enough systemd versions making a host user available to the container
+ is trivially simple.
+
+ * systemd-journal-gatewayd now supports the switches --user, --system,
+ --merge, --file= that are equivalent to the same switches of
+ journalctl, and permit exposing only the specified subset of the
+ Journal records.
+
+ * The OnFailure= dependency between units is now augmented with a
+ implicit reverse dependency OnFailureOf= (this new dependency cannot
+ be configured directly it's only created as effect of an OnFailure=
+ dependency in the reverse order — it's visible in "systemctl show"
+ however). Similar, Slice= now has an reverse dependency SliceOf=,
+ that is also not configurable directly, but useful to determine all
+ units that are members of a slice.
+
+ * A pair of new dependency types between units PropagatesStopTo= +
+ StopPropagatedFrom= has been added, that allows propagation of unit
+ stop events between two units. It operates similar to the existing
+ PropagatesReloadTo= + ReloadPropagatedFrom= dependencies.
+
+ * A new dependency type OnSuccess= has been added (plus the reverse
+ dependency OnSuccessOf=, which cannot be configured directly, but
+ exists only as effect of the reverse OnSuccess=). It is similar to
+ OnFailure=, but triggers in the opposite case: when a service exits
+ cleanly. This allows "chaining up" of services where one or more
+ services are started once another service has successfully completed.
+
+ * A new dependency type Upholds= has been added (plus the reverse
+ dependency UpheldBy=, which cannot be configured directly, but exists
+ only as effect of Upholds=). This dependency type is a stronger form
+ of Wants=: if a unit has an UpHolds= dependency on some other unit
+ and the former is active then the latter is started whenever it is
+ found inactive (and no job is queued for it). This is an alternative
+ to Restart= inside service units, but less configurable, and the
+ request to uphold a unit is not encoded in the unit itself but in
+ another unit that intends to uphold it.
+
+ * The systemd-ask-password tool now also supports reading passwords
+ from the credentials subsystem, via the new --credential= switch.
+
+ * The systemd-ask-password tool learnt a new switch --emoji= which may
+ be used to explicit control whether the lock and key emoji (🔐) is
+ shown in the password prompt on suitable TTYs.
+
+ * The --echo switch of systemd-ask-password now optionally takes a
+ parameter that controls character echo. It may either show asterisks
+ (default, as before), turn echo off entirely, or echo the typed
+ characters literally.
+
+ * The systemd-ask-password tool also gained a new -n switch for
+ suppressing output of a trailing newline character when writing the
+ acquired password to standard output, similar to /bin/echo's -n
+ switch.
+
+ * New documentation has been added that describes the organization of
+ the systemd source code tree:
+
+ https://systemd.io/ARCHITECTURE
+
+ * Units using ConditionNeedsUpdate= will no longer be activated in
+ the initrd.
+
+ * It is now possible to list a template unit in the WantedBy= or
+ RequiredBy= settings of the [Install] section of another template
+ unit, which will be instantiated using the same instance name.
+
+ * A new MemoryAvailable property is available for units. If the unit,
+ or the slices it is part of, have a memory limit set via MemoryMax=/
+ MemoryHigh=, MemoryAvailable will indicate how much more memory the
+ unit can claim before hitting the limits.
+
+ * systemd-coredump will now try to stay below the cgroup memory limit
+ placed on itself or one of the slices it runs under, if the storage
+ area for core files (/var/lib/systemd/coredump/) is placed on a tmpfs,
+ since files written on such filesystems count toward the cgroup memory
+ limit. If there is not enough available memory in such cases to store
+ the core file uncompressed, systemd-coredump will skip to compressed
+ storage directly (if enabled) and it will avoid analyzing the core file
+ to print backtrace and metadata in the journal.
+
+ * tmpfiles.d/ drop-ins gained a new '=' modifier to check if the type
+ of a path matches the configured expectations, and remove it if not.
+
+ * tmpfiles.d/'s 'Age' now accepts an 'age-by' argument, which allows to
+ specify which of the several available filesystem timestamps (access
+ time, birth time, change time, modification time) to look at when
+ deciding whether a path has aged enough to be cleaned.
+
+ * A new IPv6StableSecretAddress= setting has been added to .network
+ files, which takes an IPv6 address to use as secret for IPv6 address
+ generation.
+
+ * The [DHCPServer] logic in .network files gained support for a new
+ UplinkInterface= setting that permits configuration of the uplink
+ interface name to propagate DHCP lease information from.
+
+ * The WakeOnLan= setting in .link files now accepts a list of flags
+ instead of a single one, to configure multiple wake-on-LAN policies.
+
+ * User-space defined tracepoints (USDT) have been added to udev at
+ strategic locations. This is useful for tracing udev behaviour and
+ performance with bpftrace and similar tools.
+
+ * systemd-journald-upload gained a new NetworkTimeoutSec= option for
+ setting a network timeout time.
+
+ * If a system service is running in a new mount namespace (RootDirectory=
+ and friends), all file systems will be mounted with MS_NOSUID by
+ default, unless the system is running with SELinux enabled.
+
+ * When enumerating time zones the timedatectl tool will now consult the
+ 'tzdata.zi' file shipped by the IANA time zone database package, in
+ addition to 'zone1970.tab', as before. This makes sure time zone
+ aliases are now correctly supported. Some distributions so far did
+ not install this additional file, most do however. If you
+ distribution does not install it yet, it might make sense to change
+ that.
+
+ * Intel HID rfkill event is no longer masked, since it's the only
+ source of rfkill event on newer HP laptops. To have both backward and
+ forward compatibility, userspace daemon needs to debounce duplicated
+ events in a short time window.
+
+ Contributions from: Aakash Singh, adrian5, Albert Brox,
+ Alexander Sverdlin, Alexander Tsoy, Alexey Rubtsov, alexlzhu,
+ Allen Webb, Alvin Šipraga, Alyssa Ross, Anders Wenhaug,
+ Andrea Pappacoda, Anita Zhang, asavah, Balint Reczey, Bertrand Jacquin,
+ borna-blazevic, caoxia2008cxx, Carlo Teubner, Christian Göttsche,
+ Christian Hesse, Daniel Schaefer, Dan Streetman,
+ David Santamaría Rogado, David Tardon, Deepak Rawat, dgcampea,
+ Dimitri John Ledkov, ei-ke, Emilio Herrera, Emil Renner Berthing,
+ Eric Cook, Flos Lonicerae, Franck Bui, Francois Gervais,
+ Frantisek Sumsal, Gibeom Gwon, gitm0, Hamish Moffatt, Hans de Goede,
+ Harsh Barsaiyan, Henri Chain, Hristo Venev, Icenowy Zheng, Igor Zhbanov,
+ imayoda, Jakub Warczarek, James Buren, Jan Janssen, Jan Macku,
+ Jan Synacek, Jason Francis, Jayanth Ananthapadmanaban, Jeremy Szu,
+ Jérôme Carretero, Jesse Stricker, jiangchuangang, Joerg Behrmann,
+ Jóhann B. Guðmundsson, Jörg Deckert, Jörg Thalheim, Juergen Hoetzel,
+ Julia Kartseva, Kai-Heng Feng, Khem Raj, KoyamaSohei, laineantti,
+ Lennart Poettering, LetzteInstanz, Luca Adrian L, Luca Boccassi,
+ Lucas Magasweran, Mantas Mikulėnas, Marco Antonio Mauro, Mark Wielaard,
+ Masahiro Matsuya, Matt Johnston, Michael Catanzaro, Michal Koutný,
+ Michal Sekletár, Mike Crowe, Mike Kazantsev, Milan, milaq,
+ Miroslav Suchý, Morten Linderud, nerdopolis, nl6720, Noah Meyerhans,
+ Oleg Popov, Olle Lundberg, Ondrej Kozina, Paweł Marciniak, Perry.Yuan,
+ Peter Hutterer, Peter Kjellerstedt, Peter Morrow, Phaedrus Leeds,
+ plattrap, qhill, Raul Tambre, Roman Beranek, Roshan Shariff,
+ Ryan Hendrickson, Samuel BF, scootergrisen, Sebastian Blunt,
+ Seong-ho Cho, Sergey Bugaev, Sevan Janiyan, Sibo Dong, simmon,
+ Simon Watts, Srinidhi Kaushik, Štěpán Němec, Steve Bonds, Susant Sahani,
+ sverdlin, syyhao1994, Takashi Sakamoto, Topi Miettinen, tramsay,
+ Trent Piepho, Uwe Kleine-König, Viktor Mihajlovski, Vincent Dechenaux,
+ Vito Caputo, William A. Kennington III, Yangyang Shen, Yegor Alexeyev,
+ Yi Gao, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, zsien, наб
+
+ — Edinburgh, 2021-07-07
+
+CHANGES WITH 248:
+
+ * A concept of system extension images is introduced. Such images may
+ be used to extend the /usr/ and /opt/ directory hierarchies at
+ runtime with additional files (even if the file system is read-only).
+ When a system extension image is activated, its /usr/ and /opt/
+ hierarchies and os-release information are combined via overlayfs
+ with the file system hierarchy of the host OS.
+
+ A new systemd-sysext tool can be used to merge, unmerge, list, and
+ refresh system extension hierarchies. See
+ https://www.freedesktop.org/software/systemd/man/systemd-sysext.html.
+
+ The systemd-sysext.service automatically merges installed system
+ extensions during boot (before basic.target, but not in very early
+ boot, since various file systems have to be mounted first).
+
+ The SYSEXT_LEVEL= field in os-release(5) may be used to specify the
+ supported system extension level.
+
+ * A new ExtensionImages= unit setting can be used to apply the same
+ system extension image concept from systemd-sysext to the namespaced
+ file hierarchy of specific services, following the same rules and
+ constraints.
+
+ * Support for a new special "root=tmpfs" kernel command-line option has
+ been added. When specified, a tmpfs is mounted on /, and mount.usr=
+ should be used to point to the operating system implementation.
+
+ * A new configuration file /etc/veritytab may be used to configure
+ dm-verity integrity protection for block devices. Each line is in the
+ format "volume-name data-device hash-device roothash options",
+ similar to /etc/crypttab.
+
+ * A new kernel command-line option systemd.verity.root_options= may be
+ used to configure dm-verity behaviour for the root device.
+
+ * The key file specified in /etc/crypttab (the third field) may now
+ refer to an AF_UNIX/SOCK_STREAM socket in the file system. The key is
+ acquired by connecting to that socket and reading from it. This
+ allows the implementation of a service to provide key information
+ dynamically, at the moment when it is needed.
+
+ * When the hostname is set explicitly to "localhost", systemd-hostnamed
+ will respect this. Previously such a setting would be mostly silently
+ ignored. The goal is to honour configuration as specified by the
+ user.
+
+ * The fallback hostname that will be used by the system manager and
+ systemd-hostnamed can now be configured in two new ways: by setting
+ DEFAULT_HOSTNAME= in os-release(5), or by setting
+ $SYSTEMD_DEFAULT_HOSTNAME in the environment block. As before, it can
+ also be configured during compilation. The environment variable is
+ intended for testing and local overrides, the os-release(5) field is
+ intended to allow customization by different variants of a
+ distribution that share the same compiled packages.
+
+ * The environment block of the manager itself may be configured through
+ a new ManagerEnvironment= setting in system.conf or user.conf. This
+ complements existing ways to set the environment block (the kernel
+ command line for the system manager, the inherited environment and
+ user@.service unit file settings for the user manager).
+
+ * systemd-hostnamed now exports the default hostname and the source of
+ the configured hostname ("static", "transient", or "default") as
+ D-Bus properties.
+
+ * systemd-hostnamed now exports the "HardwareVendor" and
+ "HardwareModel" D-Bus properties, which are supposed to contain a
+ pair of cleaned up, human readable strings describing the system's
+ vendor and model. It's typically sourced from the firmware's DMI
+ tables, but may be augmented from a new hwdb database. hostnamectl
+ shows this in the status output.
+
+ * Support has been added to systemd-cryptsetup for extracting the
+ PKCS#11 token URI and encrypted key from the LUKS2 JSON embedded
+ metadata header. This allows the information how to open the
+ encrypted device to be embedded directly in the device and obviates
+ the need for configuration in an external file.
+
+ * systemd-cryptsetup gained support for unlocking LUKS2 volumes using
+ TPM2 hardware, as well as FIDO2 security tokens (in addition to the
+ pre-existing support for PKCS#11 security tokens).
+
+ * systemd-repart may enroll encrypted partitions using TPM2
+ hardware. This may be useful for example to create an encrypted /var
+ partition bound to the machine on first boot.
+
+ * A new systemd-cryptenroll tool has been added to enroll TPM2, FIDO2
+ and PKCS#11 security tokens to LUKS volumes, list and destroy
+ them. See:
+
+ http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
+
+ It also supports enrolling "recovery keys" and regular passphrases.
+
+ * The libfido2 dependency is now based on dlopen(), so that the library
+ is used at runtime when installed, but is not a hard runtime
+ dependency.
+
+ * systemd-cryptsetup gained support for two new options in
+ /etc/crypttab: "no-write-workqueue" and "no-read-workqueue" which
+ request synchronous processing of encryption/decryption IO.
+
+ * The manager may be configured at compile time to use the fexecve()
+ instead of the execve() system call when spawning processes. Using
+ fexecve() closes a window between checking the security context of an
+ executable and spawning it, but unfortunately the kernel displays
+ stale information in the process' "comm" field, which impacts ps
+ output and such.
+
+ * The configuration option -Dcompat-gateway-hostname has been dropped.
+ "_gateway" is now the only supported name.
+
+ * The ConditionSecurity=tpm2 unit file setting may be used to check if
+ the system has at least one TPM2 (tpmrm class) device.
+
+ * A new ConditionCPUFeature= has been added that may be used to
+ conditionalize units based on CPU features. For example,
+ ConditionCPUFeature=rdrand will condition a unit so that it is only
+ run when the system CPU supports the RDRAND opcode.
+
+ * The existing ConditionControlGroupController= setting has been
+ extended with two new values "v1" and "v2". "v2" means that the
+ unified v2 cgroup hierarchy is used, and "v1" means that legacy v1
+ hierarchy or the hybrid hierarchy are used.
+
+ * A new PrivateIPC= setting on a unit file allows executed processes to
+ be moved into a private IPC namespace, with separate System V IPC
+ identifiers and POSIX message queues.
+
+ A new IPCNamespacePath= allows the unit to be joined to an existing
+ IPC namespace.
+
+ * The tables of system calls in seccomp filters are now automatically
+ generated from kernel lists exported on
+ https://fedora.juszkiewicz.com.pl/syscalls.html.
+
+ The following architectures should now have complete lists:
+ alpha, arc, arm64, arm, i386, ia64, m68k, mips64n32, mips64, mipso32,
+ powerpc, powerpc64, s390, s390x, tilegx, sparc, x86_64, x32.
+
+ * The MountAPIVFS= service file setting now additionally mounts a tmpfs
+ on /run/ if it is not already a mount point. A writable /run/ has
+ always been a requirement for a functioning system, but this was not
+ guaranteed when using a read-only image.
+
+ Users can always specify BindPaths= or InaccessiblePaths= as
+ overrides, and they will take precedence. If the host's root mount
+ point is used, there is no change in behaviour.
+
+ * New bind mounts and file system image mounts may be injected into the
+ mount namespace of a service (without restarting it). This is exposed
+ respectively as 'systemctl bind <unit> <path>…' and
+ 'systemctl mount-image <unit> <image>…'.
+
+ * The StandardOutput= and StandardError= settings can now specify files
+ to be truncated for output (as "truncate:<path>").
+
+ * The ExecPaths= and NoExecPaths= settings may be used to specify
+ noexec for parts of the file system.
+
+ * sd-bus has a new function sd_bus_open_user_machine() to open a
+ connection to the session bus of a specific user in a local container
+ or on the local host. This is exposed in the existing -M switch to
+ systemctl and similar tools:
+
+ systemctl --user -M lennart@foobar start foo
+
+ This will connect to the user bus of a user "lennart" in container
+ "foobar". If no container name is specified, the specified user on
+ the host itself is connected to
+
+ systemctl --user -M lennart@ start quux
+
+ * sd-bus also gained a convenience function sd_bus_message_send() to
+ simplify invocations of sd_bus_send(), taking only a single
+ parameter: the message to send.
+
+ * sd-event allows rate limits to be set on event sources, for dealing
+ with high-priority event sources that might starve out others. See
+ the new man page sd_event_source_set_ratelimit(3) for details.
+
+ * systemd.link files gained a [Link] Promiscuous= switch, which allows
+ the device to be raised in promiscuous mode.
+
+ New [Link] TransmitQueues= and ReceiveQueues= settings allow the
+ number of TX and RX queues to be configured.
+
+ New [Link] TransmitQueueLength= setting allows the size of the TX
+ queue to be configured.
+
+ New [Link] GenericSegmentOffloadMaxBytes= and
+ GenericSegmentOffloadMaxSegments= allow capping the packet size and
+ the number of segments accepted in Generic Segment Offload.
+
+ * systemd-networkd gained support for the "B.A.T.M.A.N. advanced"
+ wireless routing protocol that operates on ISO/OSI Layer 2 only and
+ uses ethernet frames to route/bridge packets. This encompasses a new
+ "batadv" netdev Type=, a new [BatmanAdvanced] section with a bunch of
+ new settings in .netdev files, and a new BatmanAdvanced= setting in
+ .network files.
+
+ * systemd.network files gained a [Network] RouteTable= configuration
+ switch to select the routing policy table.
+
+ systemd.network files gained a [RoutingPolicyRule] Type=
+ configuration switch (one of "blackhole, "unreachable", "prohibit").
+
+ systemd.network files gained a [IPv6AcceptRA] RouteDenyList= and
+ RouteAllowList= settings to ignore/accept route advertisements from
+ routers matching specified prefixes. The DenyList= setting has been
+ renamed to PrefixDenyList= and a new PrefixAllowList= option has been
+ added.
+
+ systemd.network files gained a [DHCPv6] UseAddress= setting to
+ optionally ignore the address provided in the lease.
+
+ systemd.network files gained a [DHCPv6PrefixDelegation]
+ ManageTemporaryAddress= switch.
+
+ systemd.network files gained a new ActivationPolicy= setting which
+ allows configuring how the UP state of an interface shall be managed,
+ i.e. whether the interface is always upped, always downed, or may be
+ upped/downed by the user using "ip link set dev".
+
+ * The default for the Broadcast= setting in .network files has slightly
+ changed: the broadcast address will not be configured for wireguard
+ devices.
+
+ * systemd.netdev files gained a [VLAN] Protocol=, IngressQOSMaps=,
+ EgressQOSMaps=, and [MACVLAN] BroadcastMulticastQueueLength=
+ configuration options for VLAN packet handling.
+
+ * udev rules may now set log_level= option. This allows debug logs to
+ be enabled for select events, e.g. just for a specific subsystem or
+ even a single device.
+
+ * udev now exports the VOLUME_ID, LOGICAL_VOLUME_ID, VOLUME_SET_ID, and
+ DATA_PREPARED_ID properties for block devices with ISO9660 file
+ systems.
+
+ * udev now exports decoded DMI information about installed memory slots
+ as device properties under the /sys/class/dmi/id/ pseudo device.
+
+ * /dev/ is not mounted noexec anymore. This didn't provide any
+ significant security benefits and would conflict with the executable
+ mappings used with /dev/sgx device nodes. The previous behaviour can
+ be restored for individual services with NoExecPaths=/dev (or by allow-
+ listing and excluding /dev from ExecPaths=).
+
+ * Permissions for /dev/vsock are now set to 0o666, and /dev/vhost-vsock
+ and /dev/vhost-net are owned by the kvm group.
+
+ * The hardware database has been extended with a list of fingerprint
+ readers that correctly support USB auto-suspend using data from
+ libfprint.
+
+ * systemd-resolved can now answer DNSSEC questions through the stub
+ resolver interface in a way that allows local clients to do DNSSEC
+ validation themselves. For a question with DO+CD set, it'll proxy the
+ DNS query and respond with a mostly unmodified packet received from
+ the upstream server.
+
+ * systemd-resolved learnt a new boolean option CacheFromLocalhost= in
+ resolved.conf. If true the service will provide caching even for DNS
+ lookups made to an upstream DNS server on the 127.0.0.1/::1
+ addresses. By default (and when the option is false) systemd-resolved
+ will not cache such lookups, in order to avoid duplicate local
+ caching, under the assumption the local upstream server caches
+ anyway.
+
+ * systemd-resolved now implements RFC5001 NSID in its local DNS
+ stub. This may be used by local clients to determine whether they are
+ talking to the DNS resolver stub or a different DNS server.
+
+ * When resolving host names and other records resolvectl will now
+ report where the data was acquired from (i.e. the local cache, the
+ network, locally synthesized, …) and whether the network traffic it
+ effected was encrypted or not. Moreover the tool acquired a number of
+ new options --cache=, --synthesize=, --network=, --zone=,
+ --trust-anchor=, --validate= that take booleans and may be used to
+ tweak a lookup, i.e. whether it may be answered from cached
+ information, locally synthesized information, information acquired
+ through the network, the local mDNS/LLMNR zone, the DNSSEC trust
+ anchor, and whether DNSSEC validation shall be executed for the
+ lookup.
+
+ * systemd-nspawn gained a new --ambient-capability= setting
+ (AmbientCapability= in .nspawn files) to configure ambient
+ capabilities passed to the container payload.
+
+ * systemd-nspawn gained the ability to configure the firewall using the
+ nftables subsystem (in addition to the existing iptables
+ support). Similarly, systemd-networkd's IPMasquerade= option now
+ supports nftables as back-end, too. In both cases NAT on IPv6 is now
+ supported too, in addition to IPv4 (the iptables back-end still is
+ IPv4-only).
+
+ "IPMasquerade=yes", which was the same as "IPMasquerade=ipv4" before,
+ retains its meaning, but has been deprecated. Please switch to either
+ "ivp4" or "both" (if covering IPv6 is desired).
+
+ * systemd-importd will now download .verity and .roothash.p7s files
+ along with the machine image (as exposed via machinectl pull-raw).
+
+ * systemd-oomd now gained a new DefaultMemoryPressureDurationSec=
+ setting to configure the time a unit's cgroup needs to exceed memory
+ pressure limits before action will be taken, and a new
+ ManagedOOMPreference=none|avoid|omit setting to avoid killing certain
+ units.
+
+ systemd-oomd is now considered fully supported (the usual
+ backwards-compatibility promises apply). Swap is not required for
+ operation, but it is still recommended.
+
+ * systemd-timesyncd gained a new ConnectionRetrySec= setting which
+ configures the retry delay when trying to contact servers.
+
+ * systemd-stdio-bridge gained --system/--user options to connect to the
+ system bus (previous default) or the user session bus.
+
+ * systemd-localed may now call locale-gen to generate missing locales
+ on-demand (UTF-8-only). This improves integration with Debian-based
+ distributions (Debian/Ubuntu/PureOS/Tanglu/...) and Arch Linux.
+
+ * systemctl --check-inhibitors=true may now be used to obey inhibitors
+ even when invoked non-interactively. The old --ignore-inhibitors
+ switch is now deprecated and replaced by --check-inhibitors=false.
+
+ * systemctl import-environment will now emit a warning when called
+ without any arguments (i.e. to import the full environment block of
+ the called program). This command will usually be invoked from a
+ shell, which means that it'll inherit a bunch of variables which are
+ specific to that shell, and usually to the TTY the shell is connected
+ to, and don't have any meaning in the global context of the system or
+ user service manager. Instead, only specific variables should be
+ imported into the manager environment block.
+
+ Similarly, programs which update the manager environment block by
+ directly calling the D-Bus API of the manager, should also push
+ specific variables, and not the full inherited environment.
+
+ * systemctl's status output now shows unit state with a more careful
+ choice of Unicode characters: units in maintenance show a "○" symbol
+ instead of the usual "●", failed units show "×", and services being
+ reloaded "↻".
+
+ * coredumpctl gained a --debugger-arguments= switch to pass arguments
+ to the debugger. It also gained support for showing coredump info in
+ a simple JSON format.
+
+ * systemctl/loginctl/machinectl's --signal= option now accept a special
+ value "list", which may be used to show a brief table with known
+ process signals and their numbers.
+
+ * networkctl now shows the link activation policy in status.
+
+ * Various tools gained --pager/--no-pager/--json= switches to
+ enable/disable the pager and provide JSON output.
+
+ * Various tools now accept two new values for the SYSTEMD_COLORS
+ environment variable: "16" and "256", to configure how many terminal
+ colors are used in output.
+
+ * less 568 or newer is now required for the auto-paging logic of the
+ various tools. Hyperlink ANSI sequences in terminal output are now
+ used even if a pager is used, and older versions of less are not able
+ to display these sequences correctly. SYSTEMD_URLIFY=0 may be used to
+ disable this output again.
+
+ * Builds with support for separate / and /usr/ hierarchies ("split-usr"
+ builds, non-merged-usr builds) are now officially deprecated. A
+ warning is emitted during build. Support is slated to be removed in
+ about a year (when the Debian Bookworm release development starts).
+
+ * Systems with the legacy cgroup v1 hierarchy are now marked as
+ "tainted", to make it clearer that using the legacy hierarchy is not
+ recommended.
+
+ * systemd-localed will now refuse to configure a keymap which is not
+ installed in the file system. This is intended as a bug fix, but
+ could break cases where systemd-localed was used to configure the
+ keymap in advanced of it being installed. It is necessary to install
+ the keymap file first.
+
+ * The main git development branch has been renamed to 'main'.
+
+ * mmcblk[0-9]boot[0-9] devices will no longer be probed automatically
+ for partitions, as in the vast majority of cases they contain none
+ and are used internally by the bootloader (eg: uboot).
+
+ * systemd will now set the $SYSTEMD_EXEC_PID environment variable for
+ spawned processes to the PID of the process itself. This may be used
+ by programs for detecting whether they were forked off by the service
+ manager itself or are a process forked off further down the tree.
+
+ * The sd-device API gained four new calls: sd_device_get_action() to
+ determine the uevent add/remove/change/… action the device object has
+ been seen for, sd_device_get_seqno() to determine the uevent sequence
+ number, sd_device_new_from_stat_rdev() to allocate a new sd_device
+ object from stat(2) data of a device node, and sd_device_trigger() to
+ write to the 'uevent' attribute of a device.
+
+ * For most tools the --no-legend= switch has been replaced by
+ --legend=no and --legend=yes, to force whether tables are shown with
+ headers/legends.
+
+ * Units acquired a new property "Markers" that takes a list of zero,
+ one or two of the following strings: "needs-reload" and
+ "needs-restart". These markers may be set via "systemctl
+ set-property". Once a marker is set, "systemctl reload-or-restart
+ --marked" may be invoked to execute the operation the units are
+ marked for. This is useful for package managers that want to mark
+ units for restart/reload while updating, but effect the actual
+ operations at a later step at once.
+
+ * The sd_bus_message_read_strv() API call of sd-bus may now also be
+ used to parse arrays of D-Bus signatures and D-Bus paths, in addition
+ to regular strings.
+
+ * bootctl will now report whether the UEFI firmware used a TPM2 device
+ and measured the boot process into it.
+
+ * systemd-tmpfiles learnt support for a new environment variable
+ $SYSTEMD_TMPFILES_FORCE_SUBVOL which takes a boolean value. If true
+ the v/q/Q lines in tmpfiles.d/ snippets will create btrfs subvolumes
+ even if the root fs of the system is not itself a btrfs volume.
+
+ * systemd-detect-virt/ConditionVirtualization= will now explicitly
+ detect Docker/Podman environments where possible. Moreover, they
+ should be able to generically detect any container manager as long as
+ it assigns the container a cgroup.
+
+ * portablectl gained a new "reattach" verb for detaching/reattaching a
+ portable service image, useful for updating images on-the-fly.
+
+ * Intel SGX enclave device nodes (which expose a security feature of
+ newer Intel CPUs) will now be owned by a new system group "sgx".
+
+ Contributions from: Adam Nielsen, Adrian Vovk, AJ Jordan, Alan Perry,
+ Alastair Pharo, Alexander Batischev, Ali Abdallah, Andrew Balmos,
+ Anita Zhang, Annika Wickert, Ansgar Burchardt, Antonio Terceiro,
+ Antonius Frie, Ardy, Arian van Putten, Ariel Fermani, Arnaud T,
+ A S Alam, Bastien Nocera, Benjamin Berg, Benjamin Robin, Björn Daase,
+ caoxia, Carlo Wood, Charles Lee, ChopperRob, chri2, Christian Ehrhardt,
+ Christian Hesse, Christopher Obbard, clayton craft, corvusnix, cprn,
+ Daan De Meyer, Daniele Medri, Daniel Rusek, Dan Sanders, Dan Streetman,
+ Darren Ng, David Edmundson, David Tardon, Deepak Rawat, Devon Pringle,
+ Dmitry Borodaenko, dropsignal, Einsler Lee, Endre Szabo,
+ Evgeny Vereshchagin, Fabian Affolter, Fangrui Song, Felipe Borges,
+ feliperodriguesfr, Felix Stupp, Florian Hülsmann, Florian Klink,
+ Florian Westphal, Franck Bui, Frantisek Sumsal, Gablegritule,
+ Gaël PORTAY, Gaurav, Giedrius Statkevičius, Greg Depoire-Ferrer,
+ Gustavo Costa, Hans de Goede, Hela Basa, heretoenhance, hide,
+ Iago López Galeiras, igo95862, Ilya Dmitrichenko, Jameer Pathan,
+ Jan Tojnar, Jiehong, Jinyuan Si, Joerg Behrmann, John Slade,
+ Jonathan G. Underwood, Jonathan McDowell, Josh Triplett, Joshua Watt,
+ Julia Cartwright, Julien Humbert, Kairui Song, Karel Zak,
+ Kevin Backhouse, Kevin P. Fleming, Khem Raj, Konomi, krissgjeng,
+ l4gfcm, Lajos Veres, Lennart Poettering, Lincoln Ramsay, Luca Boccassi,
+ Luca BRUNO, Lucas Werkmeister, Luka Kudra, Luna Jernberg,
+ Marc-André Lureau, Martin Wilck, Matthias Klumpp, Matt Turner,
+ Michael Gisbers, Michael Marley, Michael Trapp, Michal Fabik,
+ Michał Kopeć, Michal Koutný, Michal Sekletár, Michele Guerini Rocco,
+ Mike Gilbert, milovlad, moson-mo, Nick, nihilix-melix, Oğuz Ersen,
+ Ondrej Mosnacek, pali, Pavel Hrdina, Pavel Sapezhko, Perry Yuan,
+ Peter Hutterer, Pierre Dubouilh, Piotr Drąg, Pjotr Vertaalt,
+ Richard Laager, RussianNeuroMancer, Sam Lunt, Sebastiaan van Stijn,
+ Sergey Bugaev, shenyangyang4, simmon, Simonas Kazlauskas,
+ Slimane Selyan Amiri, Stefan Agner, Steve Ramage, Susant Sahani,
+ Sven Mueller, Tad Fisher, Takashi Iwai, Thomas Haller, Tom Shield,
+ Topi Miettinen, Torsten Hilbrich, tpgxyz, Tyler Hicks, ulf-f,
+ Ulrich Ölmann, Vincent Pelletier, Vinnie Magro, Vito Caputo, Vlad,
+ walbit-de, Whired Planck, wouter bolsterlee, Xℹ Ruoyao, Yangyang Shen,
+ Yuri Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek,
+ Zmicer Turok, Дамјан Георгиевски
+
+ — Berlin, 2021-03-30
+
+CHANGES WITH 247:
+
+ * KERNEL API INCOMPATIBILITY: Linux 4.14 introduced two new uevents
+ "bind" and "unbind" to the Linux device model. When this kernel
+ change was made, systemd-udevd was only minimally updated to handle
+ and propagate these new event types. The introduction of these new
+ uevents (which are typically generated for USB devices and devices
+ needing a firmware upload before being functional) resulted in a
+ number of issues which we so far didn't address. We hoped the kernel
+ maintainers would themselves address these issues in some form, but
+ that did not happen. To handle them properly, many (if not most) udev
+ rules files shipped in various packages need updating, and so do many
+ programs that monitor or enumerate devices with libudev or sd-device,
+ or otherwise process uevents. Please note that this incompatibility
+ is not fault of systemd or udev, but caused by an incompatible kernel
+ change that happened back in Linux 4.14, but is becoming more and
+ more visible as the new uevents are generated by more kernel drivers.
+
+ To minimize issues resulting from this kernel change (but not avoid
+ them entirely) starting with systemd-udevd 247 the udev "tags"
+ concept (which is a concept for marking and filtering devices during
+ enumeration and monitoring) has been reworked: udev tags are now
+ "sticky", meaning that once a tag is assigned to a device it will not
+ be removed from the device again until the device itself is removed
+ (i.e. unplugged). This makes sure that any application monitoring
+ devices that match a specific tag is guaranteed to both see uevents
+ where the device starts being relevant, and those where it stops
+ being relevant (the latter now regularly happening due to the new
+ "unbind" uevent type). The udev tags concept is hence now a concept
+ tied to a *device* instead of a device *event* — unlike for example
+ udev properties whose lifecycle (as before) is generally tied to a
+ device event, meaning that the previously determined properties are
+ forgotten whenever a new uevent is processed.
+
+ With the newly redefined udev tags concept, sometimes it's necessary
+ to determine which tags are the ones applied by the most recent
+ uevent/database update, in order to discern them from those
+ originating from earlier uevents/database updates of the same
+ device. To accommodate for this a new automatic property CURRENT_TAGS
+ has been added that works similar to the existing TAGS property but
+ only lists tags set by the most recent uevent/database
+ update. Similarly, the libudev/sd-device API has been updated with
+ new functions to enumerate these 'current' tags, in addition to the
+ existing APIs that now enumerate the 'sticky' ones.
+
+ To properly handle "bind"/"unbind" on Linux 4.14 and newer it is
+ essential that all udev rules files and applications are updated to
+ handle the new events. Specifically:
+
+ • All rule files that currently use a header guard similar to
+ ACTION!="add|change",GOTO="xyz_end" should be updated to use
+ ACTION=="remove",GOTO="xyz_end" instead, so that the
+ properties/tags they add are also applied whenever "bind" (or
+ "unbind") is seen. (This is most important for all physical device
+ types — those for which "bind" and "unbind" are currently
+ generated, for all other device types this change is still
+ recommended but not as important — but certainly prepares for
+ future kernel uevent type additions).
+
+ • Similarly, all code monitoring devices that contains an 'if' branch
+ discerning the "add" + "change" uevent actions from all other
+ uevents actions (i.e. considering devices only relevant after "add"
+ or "change", and irrelevant on all other events) should be reworked
+ to instead negatively check for "remove" only (i.e. considering
+ devices relevant after all event types, except for "remove", which
+ invalidates the device). Note that this also means that devices
+ should be considered relevant on "unbind", even though conceptually
+ this — in some form — invalidates the device. Since the precise
+ effect of "unbind" is not generically defined, devices should be
+ considered relevant even after "unbind", however I/O errors
+ accessing the device should then be handled gracefully.
+
+ • Any code that uses device tags for deciding whether a device is
+ relevant or not most likely needs to be updated to use the new
+ udev_device_has_current_tag() API (or sd_device_has_current_tag()
+ in case sd-device is used), to check whether the tag is set at the
+ moment an uevent is seen (as opposed to the existing
+ udev_device_has_tag() API which checks if the tag ever existed on
+ the device, following the API concept redefinition explained
+ above).
+
+ We are very sorry for this breakage and the requirement to update
+ packages using these interfaces. We'd again like to underline that
+ this is not caused by systemd/udev changes, but result of a kernel
+ behaviour change.
+
+ * UPCOMING INCOMPATIBILITY: So far most downstream distribution
+ packages have not retriggered devices once the udev package (or any
+ auxiliary package installing additional udev rules) is updated. We
+ intend to work with major distributions to change this, so that
+ "udevadm trigger -a change" is issued on such upgrades, ensuring that
+ the updated ruleset is applied to the devices already discovered, so
+ that (asynchronously) after the upgrade completed the udev database
+ is consistent with the updated rule set. This means udev rules must
+ be ready to be retriggered with a "change" action any time, and
+ result in correct and complete udev database entries. While the
+ majority of udev rule files known to us currently get this right,
+ some don't. Specifically, there are udev rules files included in
+ various packages that only set udev properties on the "add" action,
+ but do not handle the "change" action. If a device matching those
+ rules is retriggered with the "change" action (as is intended here)
+ it would suddenly lose the relevant properties. This always has been
+ problematic, but as soon as all udev devices are triggered on relevant
+ package upgrades this will become particularly so. It is strongly
+ recommended to fix offending rules so that they can handle a "change"
+ action at any time, and acquire all necessary udev properties even
+ then. Or in other words: the header guard mentioned above
+ (ACTION=="remove",GOTO="xyz_end") is the correct approach to handle
+ this, as it makes sure rules are rerun on "change" correctly, and
+ accumulate the correct and complete set of udev properties. udev rule
+ definitions that cannot handle "change" events being triggered at
+ arbitrary times should be considered buggy.
+
+ * The MountAPIVFS= service file setting now defaults to on if
+ RootImage= and RootDirectory= are used, which means that with those
+ two settings /proc/, /sys/ and /dev/ are automatically properly set
+ up for services. Previous behaviour may be restored by explicitly
+ setting MountAPIVFS=off.
+
+ * Since PAM 1.2.0 (2015) configuration snippets may be placed in
+ /usr/lib/pam.d/ in addition to /etc/pam.d/. If a file exists in the
+ latter it takes precedence over the former, similar to how most of
+ systemd's own configuration is handled. Given that PAM stack
+ definitions are primarily put together by OS vendors/distributions
+ (though possibly overridden by users), this systemd release moves its
+ own PAM stack configuration for the "systemd-user" PAM service (i.e.
+ for the PAM session invoked by the per-user user@.service instance)
+ from /etc/pam.d/ to /usr/lib/pam.d/. We recommend moving all
+ packages' vendor versions of their PAM stack definitions from
+ /etc/pam.d/ to /usr/lib/pam.d/, but if such OS-wide migration is not
+ desired the location to which systemd installs its PAM stack
+ configuration may be changed via the -Dpamconfdir Meson option.
+
+ * The runtime dependencies on libqrencode, libpcre2, libidn/libidn2,
+ libpwquality and libcryptsetup have been changed to be based on
+ dlopen(): instead of regular dynamic library dependencies declared in
+ the binary ELF headers, these libraries are now loaded on demand
+ only, if they are available. If the libraries cannot be found the
+ relevant operations will fail gracefully, or a suitable fallback
+ logic is chosen. This is supposed to be useful for general purpose
+ distributions, as it allows minimizing the list of dependencies the
+ systemd packages pull in, permitting building of more minimal OS
+ images, while still making use of these "weak" dependencies should
+ they be installed. Since many package managers automatically
+ synthesize package dependencies from ELF shared library dependencies,
+ some additional manual packaging work has to be done now to replace
+ those (slightly downgraded from "required" to "recommended" or
+ whatever is conceptually suitable for the package manager). Note that
+ this change does not alter build-time behaviour: as before the
+ build-time dependencies have to be installed during build, even if
+ they now are optional during runtime.
+
+ * sd-event.h gained a new call sd_event_add_time_relative() for
+ installing timers relative to the current time. This is mostly a
+ convenience wrapper around the pre-existing sd_event_add_time() call
+ which installs absolute timers.
+
+ * sd-event event sources may now be placed in a new "exit-on-failure"
+ mode, which may be controlled via the new
+ sd_event_source_get_exit_on_failure() and
+ sd_event_source_set_exit_on_failure() functions. If enabled, any
+ failure returned by the event source handler functions will result in
+ exiting the event loop (unlike the default behaviour of just
+ disabling the event source but continuing with the event loop). This
+ feature is useful to set for all event sources that define "primary"
+ program behaviour (where failure should be fatal) in contrast to
+ "auxiliary" behaviour (where failure should remain local).
+
+ * Most event source types sd-event supports now accept a NULL handler
+ function, in which case the event loop is exited once the event
+ source is to be dispatched, using the userdata pointer — converted to
+ a signed integer — as exit code of the event loop. Previously this
+ was supported for IO and signal event sources already. Exit event
+ sources still do not support this (simply because it makes little
+ sense there, as the event loop is already exiting when they are
+ dispatched).
+
+ * A new per-unit setting RootImageOptions= has been added which allows
+ tweaking the mount options for any file system mounted as effect of
+ the RootImage= setting.
+
+ * Another new per-unit setting MountImages= has been added, that allows
+ mounting additional disk images into the file system tree accessible
+ to the service.
+
+ * Timer units gained a new FixedRandomDelay= boolean setting. If
+ enabled, the random delay configured with RandomizedDelaySec= is
+ selected in a way that is stable on a given system (though still
+ different for different units).
+
+ * Socket units gained a new setting Timestamping= that takes "us", "ns"
+ or "off". This controls the SO_TIMESTAMP/SO_TIMESTAMPNS socket
+ options.
+
+ * systemd-repart now generates JSON output when requested with the new
+ --json= switch.
+
+ * systemd-machined's OpenMachineShell() bus call will now pass
+ additional policy metadata data fields to the PolicyKit
+ authentication request.
+
+ * systemd-tmpfiles gained a new -E switch, which is equivalent to
+ --exclude-prefix=/dev --exclude-prefix=/proc --exclude=/run
+ --exclude=/sys. It's particularly useful in combination with --root=,
+ when operating on OS trees that do not have any of these four runtime
+ directories mounted, as this means no files below these subtrees are
+ created or modified, since those mount points should probably remain
+ empty.
+
+ * systemd-tmpfiles gained a new --image= switch which is like --root=,
+ but takes a disk image instead of a directory as argument. The
+ specified disk image is mounted inside a temporary mount namespace
+ and the tmpfiles.d/ drop-ins stored in the image are executed and
+ applied to the image. systemd-sysusers similarly gained a new
+ --image= switch, that allows the sysusers.d/ drop-ins stored in the
+ image to be applied onto the image.
+
+ * Similarly, the journalctl command also gained an --image= switch,
+ which is a quick one-step solution to look at the log data included
+ in OS disk images.
+
+ * journalctl's --output=cat option (which outputs the log content
+ without any metadata, just the pure text messages) will now make use
+ of terminal colors when run on a suitable terminal, similarly to the
+ other output modes.
+
+ * JSON group records now support a "description" string that may be
+ used to add a human-readable textual description to such groups. This
+ is supposed to match the user's GECOS field which traditionally
+ didn't have a counterpart for group records.
+
+ * The "systemd-dissect" tool that may be used to inspect OS disk images
+ and that was previously installed to /usr/lib/systemd/ has now been
+ moved to /usr/bin/, reflecting its updated status of an officially
+ supported tool with a stable interface. It gained support for a new
+ --mkdir switch which when combined with --mount has the effect of
+ creating the directory to mount the image to if it is missing
+ first. It also gained two new commands --copy-from and --copy-to for
+ copying files and directories in and out of an OS image without the
+ need to manually mount it. It also acquired support for a new option
+ --json= to generate JSON output when inspecting an OS image.
+
+ * The cgroup2 file system is now mounted with the
+ "memory_recursiveprot" mount option, supported since kernel 5.7. This
+ means that the MemoryLow= and MemoryMin= unit file settings now apply
+ recursively to whole subtrees.
+
+ * systemd-homed now defaults to using the btrfs file system — if
+ available — when creating home directories in LUKS volumes. This may
+ be changed with the DefaultFileSystemType= setting in homed.conf.
+ It's now the default file system in various major distributions and
+ has the major benefit for homed that it can be grown and shrunk while
+ mounted, unlike the other contenders ext4 and xfs, which can both be
+ grown online, but not shrunk (in fact xfs is the technically most
+ limited option here, as it cannot be shrunk at all).
+
+ * JSON user records managed by systemd-homed gained support for
+ "recovery keys". These are basically secondary passphrases that can
+ unlock user accounts/home directories. They are computer-generated
+ rather than user-chosen, and typically have greater entropy.
+ homectl's --recovery-key= option may be used to add a recovery key to
+ a user account. The generated recovery key is displayed as a QR code,
+ so that it can be scanned to be kept in a safe place. This feature is
+ particularly useful in combination with systemd-homed's support for
+ FIDO2 or PKCS#11 authentication, as a secure fallback in case the
+ security tokens are lost. Recovery keys may be entered wherever the
+ system asks for a password.
+
+ * systemd-homed now maintains a "dirty" flag for each LUKS encrypted
+ home directory which indicates that a home directory has not been
+ deactivated cleanly when offline. This flag is useful to identify
+ home directories for which the offline discard logic did not run when
+ offlining, and where it would be a good idea to log in again to catch
+ up.
+
+ * systemctl gained a new parameter --timestamp= which may be used to
+ change the style in which timestamps are output, i.e. whether to show
+ them in local timezone or UTC, or whether to show µs granularity.
+
+ * Alibaba's "pouch" container manager is now detected by
+ systemd-detect-virt, ConditionVirtualization= and similar
+ constructs. Similar, they now also recognize IBM PowerVM machine
+ virtualization.
+
+ * systemd-nspawn has been reworked to use the /run/host/incoming/ as
+ place to use for propagating external mounts into the
+ container. Similarly /run/host/notify is now used as the socket path
+ for container payloads to communicate with the container manager
+ using sd_notify(). The container manager now uses the
+ /run/host/inaccessible/ directory to place "inaccessible" file nodes
+ of all relevant types which may be used by the container payload as
+ bind mount source to over-mount inodes to make them inaccessible.
+ /run/host/container-manager will now be initialized with the same
+ string as the $container environment variable passed to the
+ container's PID 1. /run/host/container-uuid will be initialized with
+ the same string as $container_uuid. This means the /run/host/
+ hierarchy is now the primary way to make host resources available to
+ the container. The Container Interface documents these new files and
+ directories:
+
+ https://systemd.io/CONTAINER_INTERFACE
+
+ * Support for the "ConditionNull=" unit file condition has been
+ deprecated and undocumented for 6 years. systemd started to warn
+ about its use 1.5 years ago. It has now been removed entirely.
+
+ * sd-bus.h gained a new API call sd_bus_error_has_names(), which takes
+ a sd_bus_error struct and a list of error names, and checks if the
+ error matches one of these names. It's a convenience wrapper that is
+ useful in cases where multiple errors shall be handled the same way.
+
+ * A new system call filter list "@known" has been added, that contains
+ all system calls known at the time systemd was built.
+
+ * Behaviour of system call filter allow lists has changed slightly:
+ system calls that are contained in @known will result in EPERM by
+ default, while those not contained in it result in ENOSYS. This
+ should improve compatibility because known system calls will thus be
+ communicated as prohibited, while unknown (and thus newer ones) will
+ be communicated as not implemented, which hopefully has the greatest
+ chance of triggering the right fallback code paths in client
+ applications.
+
+ * "systemd-analyze syscall-filter" will now show two separate sections
+ at the bottom of the output: system calls known during systemd build
+ time but not included in any of the filter groups shown above, and
+ system calls defined on the local kernel but known during systemd
+ build time.
+
+ * If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for
+ systemd-nspawn all system call filter violations will be logged by
+ the kernel (audit). This is useful for tracking down system calls
+ invoked by container payloads that are prohibited by the container's
+ system call filter policy.
+
+ * If the $SYSTEMD_SECCOMP=0 environment variable is set for
+ systemd-nspawn (and other programs that use seccomp) all seccomp
+ filtering is turned off.
+
+ * Two new unit file settings ProtectProc= and ProcSubset= have been
+ added that expose the hidepid= and subset= mount options of procfs.
+ All processes of the unit will only see processes in /proc that are
+ are owned by the unit's user. This is an important new sandboxing
+ option that is recommended to be set on all system services. All
+ long-running system services that are included in systemd itself set
+ this option now. This option is only supported on kernel 5.8 and
+ above, since the hidepid= option supported on older kernels was not a
+ per-mount option but actually applied to the whole PID namespace.
+
+ * Socket units gained a new boolean setting FlushPending=. If enabled
+ all pending socket data/connections are flushed whenever the socket
+ unit enters the "listening" state, i.e. after the associated service
+ exited.
+
+ * The unit file setting NUMAMask= gained a new "all" value: when used,
+ all existing NUMA nodes are added to the NUMA mask.
+
+ * A new "credentials" logic has been added to system services. This is
+ a simple mechanism to pass privileged data to services in a safe and
+ secure way. It's supposed to be used to pass per-service secret data
+ such as passwords or cryptographic keys but also associated less
+ private information such as user names, certificates, and similar to
+ system services. Each credential is identified by a short user-chosen
+ name and may contain arbitrary binary data. Two new unit file
+ settings have been added: SetCredential= and LoadCredential=. The
+ former allows setting a credential to a literal string, the latter
+ sets a credential to the contents of a file (or data read from a
+ user-chosen AF_UNIX stream socket). Credentials are passed to the
+ service via a special credentials directory, one file for each
+ credential. The path to the credentials directory is passed in a new
+ $CREDENTIALS_DIRECTORY environment variable. Since the credentials
+ are passed in the file system they may be easily referenced in
+ ExecStart= command lines too, thus no explicit support for the
+ credentials logic in daemons is required (though ideally daemons
+ would look for the bits they need in $CREDENTIALS_DIRECTORY
+ themselves automatically, if set). The $CREDENTIALS_DIRECTORY is
+ backed by unswappable memory if privileges allow it, immutable if
+ privileges allow it, is accessible only to the service's UID, and is
+ automatically destroyed when the service stops.
+
+ * systemd-nspawn supports the same credentials logic. It can both
+ consume credentials passed to it via the aforementioned
+ $CREDENTIALS_DIRECTORY protocol as well as pass these credentials on
+ to its payload. The service manager/PID 1 has been updated to match
+ this: it can also accept credentials from the container manager that
+ invokes it (in fact: any process that invokes it), and passes them on
+ to its services. Thus, credentials can be propagated recursively down
+ the tree: from a system's service manager to a systemd-nspawn
+ service, to the service manager that runs as container payload and to
+ the service it runs below. Credentials may also be added on the
+ systemd-nspawn command line, using new --set-credential= and
+ --load-credential= command line switches that match the
+ aforementioned service settings.
+
+ * systemd-repart gained new settings Format=, Encrypt=, CopyFiles= in
+ the partition drop-ins which may be used to format/LUKS
+ encrypt/populate any created partitions. The partitions are
+ encrypted/formatted/populated before they are registered in the
+ partition table, so that they appear atomically: either the
+ partitions do not exist yet or they exist fully encrypted, formatted,
+ and populated — there is no time window where they are
+ "half-initialized". Thus the system is robust to abrupt shutdown: if
+ the tool is terminated half-way during its operations on next boot it
+ will start from the beginning.
+
+ * systemd-repart's --size= operation gained a new "auto" value. If
+ specified, and operating on a loopback file it is automatically sized
+ to the minimal size the size constraints permit. This is useful to
+ use "systemd-repart" as an image builder for minimally sized images.
+
+ * systemd-resolved now gained a third IPC interface for requesting name
+ resolution: besides D-Bus and local DNS to 127.0.0.53 a Varlink
+ interface is now supported. The nss-resolve NSS module has been
+ modified to use this new interface instead of D-Bus. Using Varlink
+ has a major benefit over D-Bus: it works without a broker service,
+ and thus already during earliest boot, before the dbus daemon has
+ been started. This means name resolution via systemd-resolved now
+ works at the same time systemd-networkd operates: from earliest boot
+ on, including in the initrd.
+
+ * systemd-resolved gained support for a new DNSStubListenerExtra=
+ configuration file setting which may be used to specify additional IP
+ addresses the built-in DNS stub shall listen on, in addition to the
+ main one on 127.0.0.53:53.
+
+ * Name lookups issued via systemd-resolved's D-Bus and Varlink
+ interfaces (and thus also via glibc NSS if nss-resolve is used) will
+ now honour a trailing dot in the hostname: if specified the search
+ path logic is turned off. Thus "resolvectl query foo." is now
+ equivalent to "resolvectl query --search=off foo.".
+
+ * systemd-resolved gained a new D-Bus property "ResolvConfMode" that
+ exposes how /etc/resolv.conf is currently managed: by resolved (and
+ in which mode if so) or another subsystem. "resolvctl" will display
+ this property in its status output.
+
+ * The resolv.conf snippets systemd-resolved provides will now set "."
+ as the search domain if no other search domain is known. This turns
+ off the derivation of an implicit search domain by nss-dns for the
+ hostname, when the hostname is set to an FQDN. This change is done to
+ make nss-dns using resolv.conf provided by systemd-resolved behave
+ more similarly to nss-resolve.
+
+ * systemd-tmpfiles' file "aging" logic (i.e. the automatic clean-up of
+ /tmp/ and /var/tmp/ based on file timestamps) now looks at the
+ "birth" time (btime) of a file in addition to the atime, mtime, and
+ ctime.
+
+ * systemd-analyze gained a new verb "capability" that lists all known
+ capabilities by the systemd build and by the kernel.
+
+ * If a file /usr/lib/clock-epoch exists, PID 1 will read its mtime and
+ advance the system clock to it at boot if it is noticed to be before
+ that time. Previously, PID 1 would only advance the time to an epoch
+ time that is set during build-time. With this new file OS builders
+ can change this epoch timestamp on individual OS images without
+ having to rebuild systemd.
+
+ * systemd-logind will now listen to the KEY_RESTART key from the Linux
+ input layer and reboot the system if it is pressed, similarly to how
+ it already handles KEY_POWER, KEY_SUSPEND or KEY_SLEEP. KEY_RESTART
+ was originally defined in the Multimedia context (to restart playback
+ of a song or film), but is now primarily used in various embedded
+ devices for "Reboot" buttons. Accordingly, systemd-logind will now
+ honour it as such. This may configured in more detail via the new
+ HandleRebootKey= and RebootKeyIgnoreInhibited=.
+
+ * systemd-nspawn/systemd-machined will now reconstruct hardlinks when
+ copying OS trees, for example in "systemd-nspawn --ephemeral",
+ "systemd-nspawn --template=", "machinectl clone" and similar. This is
+ useful when operating with OSTree images, which use hardlinks heavily
+ throughout, and where such copies previously resulting in "exploding"
+ hardlinks.
+
+ * systemd-nspawn's --console= setting gained support for a new
+ "autopipe" value, which is identical to "interactive" when invoked on
+ a TTY, and "pipe" otherwise.
+
+ * systemd-networkd's .network files gained support for explicitly
+ configuring the multicast membership entries of bridge devices in the
+ [BridgeMDB] section. It also gained support for the PIE queuing
+ discipline in the [FlowQueuePIE] sections.
+
+ * systemd-networkd's .netdev files may now be used to create "BareUDP"
+ tunnels, configured in the new [BareUDP] setting.
+
+ * systemd-networkd's Gateway= setting in .network files now accepts the
+ special values "_dhcp4" and "_ipv6ra" to configure additional,
+ locally defined, explicit routes to the gateway acquired via DHCP or
+ IPv6 Router Advertisements. The old setting "_dhcp" is deprecated,
+ but still accepted for backwards compatibility.
+
+ * systemd-networkd's [IPv6PrefixDelegation] section and
+ IPv6PrefixDelegation= options have been renamed as [IPv6SendRA] and
+ IPv6SendRA= (the old names are still accepted for backwards
+ compatibility).
+
+ * systemd-networkd's .network files gained the DHCPv6PrefixDelegation=
+ boolean setting in [Network] section. If enabled, the delegated prefix
+ gained by another link will be configured, and an address within the
+ prefix will be assigned.
+
+ * systemd-networkd's .network files gained the Announce= boolean setting
+ in [DHCPv6PrefixDelegation] section. When enabled, the delegated
+ prefix will be announced through IPv6 router advertisement (IPv6 RA).
+ The setting is enabled by default.
+
+ * VXLAN tunnels may now be marked as independent of any underlying
+ network interface via the new Independent= boolean setting.
+
+ * systemctl gained support for two new verbs: "service-log-level" and
+ "service-log-target" may be used on services that implement the
+ generic org.freedesktop.LogControl1 D-Bus interface to dynamically
+ adjust the log level and target. All of systemd's long-running
+ services support this now, but ideally all system services would
+ implement this interface to make the system more uniformly
+ debuggable.
+
+ * The SystemCallErrorNumber= unit file setting now accepts the new
+ "kill" and "log" actions, in addition to arbitrary error number
+ specifications as before. If "kill" the processes are killed on the
+ event, if "log" the offending system call is audit logged.
+
+ * A new SystemCallLog= unit file setting has been added that accepts a
+ list of system calls that shall be logged about (audit).
+
+ * The OS image dissection logic (as used by RootImage= in unit files or
+ systemd-nspawn's --image= switch) has gained support for identifying
+ and mounting explicit /usr/ partitions, which are now defined in the
+ discoverable partition specification. This should be useful for
+ environments where the root file system is
+ generated/formatted/populated dynamically on first boot and combined
+ with an immutable /usr/ tree that is supplied by the vendor.
+
+ * In the final phase of shutdown, within the systemd-shutdown binary
+ we'll now try to detach MD devices (i.e software RAID) in addition to
+ loopback block devices and DM devices as before. This is supposed to
+ be a safety net only, in order to increase robustness if things go
+ wrong. Storage subsystems are expected to properly detach their
+ storage volumes during regular shutdown already (or in case of
+ storage backing the root file system: in the initrd hook we return to
+ later).
+
+ * If the SYSTEMD_LOG_TID environment variable is set all systemd tools
+ will now log the thread ID in their log output. This is useful when
+ working with heavily threaded programs.
+
+ * If the SYSTEMD_RDRAND environment variable is set to "0", systemd will
+ not use the RDRAND CPU instruction. This is useful in environments
+ such as replay debuggers where non-deterministic behaviour is not
+ desirable.
+
+ * The autopaging logic in systemd's various tools (such as systemctl)
+ has been updated to turn on "secure" mode in "less"
+ (i.e. $LESSECURE=1) if execution in a "sudo" environment is
+ detected. This disables invoking external programs from the pager,
+ via the pipe logic. This behaviour may be overridden via the new
+ $SYSTEMD_PAGERSECURE environment variable.
+
+ * Units which have resource limits (.service, .mount, .swap, .slice,
+ .socket, and .slice) gained new configuration settings
+ ManagedOOMSwap=, ManagedOOMMemoryPressure=, and
+ ManagedOOMMemoryPressureLimitPercent= that specify resource pressure
+ limits and optional action taken by systemd-oomd.
+
+ * A new service systemd-oomd has been added. It monitors resource
+ contention for selected parts of the unit hierarchy using the PSI
+ information reported by the kernel, and kills processes when memory
+ or swap pressure is above configured limits. This service is only
+ enabled by default in developer mode (see below) and should be
+ considered a preview in this release. Behaviour details and option
+ names are subject to change without the usual backwards-compatibility
+ promises.
+
+ * A new helper oomctl has been added to introspect systemd-oomd state.
+ It is only enabled by default in developer mode and should be
+ considered a preview without the usual backwards-compatibility
+ promises.
+
+ * New meson option -Dcompat-mutable-uid-boundaries= has been added. If
+ enabled, systemd reads the system UID boundaries from /etc/login.defs
+ at runtime, instead of using the built-in values selected during
+ build. This is an option to improve compatibility for upgrades from
+ old systems. It's strongly recommended not to make use of this
+ functionality on new systems (or even enable it during build), as it
+ makes something runtime-configurable that is mostly an implementation
+ detail of the OS, and permits avoidable differences in deployments
+ that create all kinds of problems in the long run.
+
+ * New meson option '-Dmode=developer|release' has been added. When
+ 'developer', additional checks and features are enabled that are
+ relevant during upstream development, e.g. verification that
+ semi-automatically-generated documentation has been properly updated
+ following API changes. Those checks are considered hints for
+ developers and are not actionable in downstream builds. In addition,
+ extra features that are not ready for general consumption may be
+ enabled in developer mode. It is thus recommended to set
+ '-Dmode=release' in end-user and distro builds.
+
+ * systemd-cryptsetup gained support for processing detached LUKS
+ headers specified on the kernel command line via the header=
+ parameter of the luks.options= kernel command line option. The same
+ device/path syntax as for key files is supported for header files
+ like this.
+
+ * The "net_id" built-in of udev has been updated to ignore ACPI _SUN
+ slot index data for devices that are connected through a PCI bridge
+ where the _SUN index is associated with the bridge instead of the
+ network device itself. Previously this would create ambiguous device
+ naming if multiple network interfaces were connected to the same PCI
+ bridge. Since this is a naming scheme incompatibility on systems that
+ possess hardware like this it has been introduced as new naming
+ scheme "v247". The previous scheme can be selected via the
+ "net.naming-scheme=v245" kernel command line parameter.
+
+ * ConditionFirstBoot= semantics have been modified to be safe towards
+ abnormal system power-off during first boot. Specifically, the
+ "systemd-machine-id-commit.service" service now acts as boot
+ milestone indicating when the first boot process is sufficiently
+ complete in order to not consider the next following boot also a
+ first boot. If the system is reset before this unit is reached the
+ first time, the next boot will still be considered a first boot; once
+ it has been reached, no further boots will be considered a first
+ boot. The "first-boot-complete.target" unit now acts as official hook
+ point to order against this. If a service shall be run on every boot
+ until the first boot fully succeeds it may thus be ordered before
+ this target unit (and pull it in) and carry ConditionFirstBoot=
+ appropriately.
+
+ * bootctl's set-default and set-oneshot commands now accept the three
+ special strings "@default", "@oneshot", "@current" in place of a boot
+ entry id. These strings are resolved to the current default and
+ oneshot boot loader entry, as well as the currently booted one. Thus
+ a command "bootctl set-default @current" may be used to make the
+ currently boot menu item the new default for all subsequent boots.
+
+ * "systemctl edit" has been updated to show the original effective unit
+ contents in commented form in the text editor.
+
+ * Units in user mode are now segregated into three new slices:
+ session.slice (units that form the core of graphical session),
+ app.slice ("normal" user applications), and background.slice
+ (low-priority tasks). Unless otherwise configured, user units are
+ placed in app.slice. The plan is to add resource limits and
+ protections for the different slices in the future.
+
+ * New GPT partition types for RISCV32/64 for the root and /usr
+ partitions, and their associated Verity partitions have been defined,
+ and are now understood by systemd-gpt-auto-generator, and the OS
+ image dissection logic.
+
+ Contributions from: Adolfo Jayme Barrientos, afg, Alec Moskvin, Alyssa
+ Ross, Amitanand Chikorde, Andrew Hangsleben, Anita Zhang, Ansgar
+ Burchardt, Arian van Putten, Aurelien Jarno, Axel Rasmussen, bauen1,
+ Beniamino Galvani, Benjamin Berg, Bjørn Mork, brainrom, Chandradeep
+ Dey, Charles Lee, Chris Down, Christian Göttsche, Christof Efkemann,
+ Christoph Ruegge, Clemens Gruber, Daan De Meyer, Daniele Medri, Daniel
+ Mack, Daniel Rusek, Dan Streetman, David Tardon, Dimitri John Ledkov,
+ Dmitry Borodaenko, Elias Probst, Elisei Roca, ErrantSpore, Etienne
+ Doms, Fabrice Fontaine, fangxiuning, Felix Riemann, Florian Klink,
+ Franck Bui, Frantisek Sumsal, fwSmit, George Rawlinson, germanztz,
+ Gibeom Gwon, Glen Whitney, Gogo Gogsi, Göran Uddeborg, Grant Mathews,
+ Hans de Goede, Hans Ulrich Niedermann, Haochen Tong, Harald Seiler,
+ huangyong, Hubert Kario, igo95862, Ikey Doherty, Insun Pyo, Jan Chren,
+ Jan Schlüter, Jérémy Nouhaud, Jian-Hong Pan, Joerg Behrmann, Jonathan
+ Lebon, Jörg Thalheim, Josh Brobst, Juergen Hoetzel, Julien Humbert,
+ Kai-Chuan Hsieh, Kairui Song, Kamil Dudka, Kir Kolyshkin, Kristijan
+ Gjoshev, Kyle Huey, Kyle Russell, Lee Whalen, Lennart Poettering,
+ lichangze, Luca Boccassi, Lucas Werkmeister, Luca Weiss, Marc
+ Kleine-Budde, Marco Wang, Martin Wilck, Marti Raudsepp, masmullin2000,
+ Máté Pozsgay, Matt Fenwick, Michael Biebl, Michael Scherer, Michal
+ Koutný, Michal Sekletár, Michal Suchanek, Mikael Szreder, Milo
+ Casagrande, mirabilos, Mitsuha_QuQ, mog422, Muhammet Kara, Nazar
+ Vinnichuk, Nicholas Narsing, Nicolas Fella, Njibhu, nl6720, Oğuz Ersen,
+ Olivier Le Moal, Ondrej Kozina, onlybugreports, Pass Automated Testing
+ Suite, Pat Coulthard, Pavel Sapezhko, Pedro Ruiz, perry_yuan, Peter
+ Hutterer, Phaedrus Leeds, PhoenixDiscord, Piotr Drąg, Plan C,
+ Purushottam choudhary, Rasmus Villemoes, Renaud Métrich, Robert Marko,
+ Roman Beranek, Ronan Pigott, Roy Chen (陳彥廷), RussianNeuroMancer,
+ Samanta Navarro, Samuel BF, scootergrisen, Sorin Ionescu, Steve Dodd,
+ Susant Sahani, Timo Rothenpieler, Tobias Hunger, Tobias Kaufmann, Topi
+ Miettinen, vanou, Vito Caputo, Weblate, Wen Yang, Whired Planck,
+ williamvds, Yu, Li-Yu, Yuri Chornoivan, Yu Watanabe, Zbigniew
+ Jędrzejewski-Szmek, Zmicer Turok, Дамјан Георгиевски
+
+ – Warsaw, 2020-11-26
+
+CHANGES WITH 246:
+
+ * The service manager gained basic support for cgroup v2 freezer. Units
+ can now be suspended or resumed either using new systemctl verbs,
+ freeze and thaw respectively, or via D-Bus.
+
+ * PID 1 may now automatically load pre-compiled AppArmor policies from
+ /etc/apparmor/earlypolicy during early boot.
+
+ * The CPUAffinity= setting in service unit files now supports a new
+ special value "numa" that causes the CPU affinity masked to be set
+ based on the NUMA mask.
+
+ * systemd will now log about all left-over processes remaining in a
+ unit when the unit is stopped. It will now warn about services using
+ KillMode=none, as this is generally an unsafe thing to make use of.
+
+ * Two new unit file settings
+ ConditionPathIsEncrypted=/AssertPathIsEncrypted= have been
+ added. They may be used to check whether a specific file system path
+ resides on a block device that is encrypted on the block level
+ (i.e. using dm-crypt/LUKS).
+
+ * Another pair of new settings ConditionEnvironment=/AssertEnvironment=
+ has been added that may be used for simple environment checks. This
+ is particularly useful when passing in environment variables from a
+ container manager (or from PAM in case of the systemd --user
+ instance).
+
+ * .service unit files now accept a new setting CoredumpFilter= which
+ allows configuration of the memory sections coredumps of the
+ service's processes shall include.
+
+ * .mount units gained a new ReadWriteOnly= boolean option. If set
+ it will not be attempted to mount a file system read-only if mounting
+ in read-write mode doesn't succeed. An option x-systemd.rw-only is
+ available in /etc/fstab to control the same.
+
+ * .socket units gained a new boolean setting PassPacketInfo=. If
+ enabled, the kernel will attach additional per-packet metadata to all
+ packets read from the socket, as an ancillary message. This controls
+ the IP_PKTINFO, IPV6_RECVPKTINFO, NETLINK_PKTINFO socket options,
+ depending on socket type.
+
+ * .service units gained a new setting RootHash= which may be used to
+ specify the root hash for verity enabled disk images which are
+ specified in RootImage=. RootVerity= may be used to specify a path to
+ the Verity data matching a RootImage= file system. (The latter is
+ only useful for images that do not contain the Verity data embedded
+ into the same image that carries a GPT partition table following the
+ Discoverable Partition Specification). Similarly, systemd-nspawn
+ gained a new switch --verity-data= that takes a path to a file with
+ the verity data of the disk image supplied in --image=, if the image
+ doesn't contain the verity data itself.
+
+ * .service units gained a new setting RootHashSignature= which takes
+ either a base64 encoded PKCS#7 signature of the root hash specified
+ with RootHash=, or a path to a file to read the signature from. This
+ allows validation of the root hash against public keys available in
+ the kernel keyring, and is only supported on recent kernels
+ (>= 5.4)/libcryptsetup (>= 2.30). A similar switch has been added to
+ systemd-nspawn and systemd-dissect (--root-hash-sig=). Support for
+ this mechanism has also been added to systemd-veritysetup.
+
+ * .service unit files gained two new options
+ TimeoutStartFailureMode=/TimeoutStopFailureMode= that may be used to
+ tune behaviour if a start or stop timeout is hit, i.e. whether to
+ terminate the service with SIGTERM, SIGABRT or SIGKILL.
+
+ * Most options in systemd that accept hexadecimal values prefixed with
+ 0x in additional to the usual decimal notation now also support octal
+ notation when the 0o prefix is used and binary notation if the 0b
+ prefix is used.
+
+ * Various command line parameters and configuration file settings that
+ configure key or certificate files now optionally take paths to
+ AF_UNIX sockets in the file system. If configured that way a stream
+ connection is made to the socket and the required data read from
+ it. This is a simple and natural extension to the existing regular
+ file logic, and permits other software to provide keys or
+ certificates via simple IPC services, for example when unencrypted
+ storage on disk is not desired. Specifically, systemd-networkd's
+ Wireguard and MACSEC key file settings as well as
+ systemd-journal-gatewayd's and systemd-journal-remote's PEM
+ key/certificate parameters support this now.
+
+ * Unit files, tmpfiles.d/ snippets, sysusers.d/ snippets and other
+ configuration files that support specifier expansion learnt six new
+ specifiers: %a resolves to the current architecture, %o/%w/%B/%W
+ resolve to the various ID fields from /etc/os-release, %l resolves to
+ the "short" hostname of the system, i.e. the hostname configured in
+ the kernel truncated at the first dot.
+
+ * Support for the .include syntax in unit files has been removed. The
+ concept has been obsolete for 6 years and we started warning about
+ its pending removal 2 years ago (also see NEWS file below). It's
+ finally gone now.
+
+ * StandardError= and StandardOutput= in unit files no longer support
+ the "syslog" and "syslog-console" switches. They were long removed
+ from the documentation, but will now result in warnings when used,
+ and be converted to "journal" and "journal+console" automatically.
+
+ * If the service setting User= is set to the "nobody" user, a warning
+ message is now written to the logs (but the value is nonetheless
+ accepted). Setting User=nobody is unsafe, since the primary purpose
+ of the "nobody" user is to own all files whose owner cannot be mapped
+ locally. It's in particular used by the NFS subsystem and in user
+ namespacing. By running a service under this user's UID it might get
+ read and even write access to all these otherwise unmappable files,
+ which is quite likely a major security problem.
+
+ * tmpfs mounts automatically created by systemd (/tmp, /run, /dev/shm,
+ and others) now have a size and inode limits applied (50% of RAM for
+ /tmp and /dev/shm, 10% of RAM for other mounts, etc.). Please note
+ that the implicit kernel default is 50% too, so there is no change
+ in the size limit for /tmp and /dev/shm.
+
+ * nss-mymachines lost support for resolution of users and groups, and
+ now only does resolution of hostnames. This functionality is now
+ provided by nss-systemd. Thus, the 'mymachines' entry should be
+ removed from the 'passwd:' and 'group:' lines in /etc/nsswitch.conf
+ (and 'systemd' added if it is not already there).
+
+ * A new kernel command line option systemd.hostname= has been added
+ that allows controlling the hostname that is initialized early during
+ boot.
+
+ * A kernel command line option "udev.blockdev_read_only" has been
+ added. If specified all hardware block devices that show up are
+ immediately marked as read-only by udev. This option is useful for
+ making sure that a specific boot under no circumstances modifies data
+ on disk. Use "blockdev --setrw" to undo the effect of this, per
+ device.
+
+ * A new boolean kernel command line option systemd.swap= has been
+ added, which may be used to turn off automatic activation of swap
+ devices listed in /etc/fstab.
+
+ * New kernel command line options systemd.condition-needs-update= and
+ systemd.condition-first-boot= have been added, which override the
+ result of the ConditionNeedsUpdate= and ConditionFirstBoot=
+ conditions.
+
+ * A new kernel command line option systemd.clock-usec= has been added
+ that allows setting the system clock to the specified time in µs
+ since Jan 1st, 1970 early during boot. This is in particular useful
+ in order to make test cases more reliable.
+
+ * The fs.suid_dumpable sysctl is set to 2 / "suidsafe". This allows
+ systemd-coredump to save core files for suid processes. When saving
+ the core file, systemd-coredump will use the effective uid and gid of
+ the process that faulted.
+
+ * The /sys/module/kernel/parameters/crash_kexec_post_notifiers file is
+ now automatically set to "Y" at boot, in order to enable pstore
+ generation for collection with systemd-pstore.
+
+ * We provide a set of udev rules to enable auto-suspend on PCI and USB
+ devices that were tested to correctly support it. Previously, this
+ was distributed as a set of udev rules, but has now been replaced by
+ by a set of hwdb entries (and a much shorter udev rule to take action
+ if the device modalias matches one of the new hwdb entries).
+
+ As before, entries are periodically imported from the database
+ maintained by the ChromiumOS project. If you have a device that
+ supports auto-suspend correctly and where it should be enabled by
+ default, please submit a patch that adds it to the database (see
+ /usr/lib/udev/hwdb.d/60-autosuspend.hwdb).
+
+ * systemd-udevd gained the new configuration option timeout_signal= as well
+ as a corresponding kernel command line option udev.timeout_signal=.
+ The option can be used to configure the UNIX signal that the main
+ daemon sends to the worker processes on timeout. Setting the signal
+ to SIGABRT is useful for debugging.
+
+ * .link files managed by systemd-udevd gained options RxFlowControl=,
+ TxFlowControl=, AutoNegotiationFlowControl= in the [Link] section, in
+ order to configure various flow control parameters. They also gained
+ RxMiniBufferSize= and RxJumboBufferSize= in order to configure jumbo
+ frame ring buffer sizes.
+
+ * networkd.conf gained a new boolean setting ManageForeignRoutes=. If
+ enabled systemd-networkd manages all routes configured by other tools.
+
+ * .network files managed by systemd-networkd gained a new section
+ [SR-IOV], in order to configure SR-IOV capable network devices.
+
+ * systemd-networkd's [IPv6Prefix] section in .network files gained a
+ new boolean setting Assign=. If enabled an address from the prefix is
+ automatically assigned to the interface.
+
+ * systemd-networkd gained a new section [DHCPv6PrefixDelegation] which
+ controls delegated prefixes assigned by DHCPv6 client. The section
+ has three settings: SubnetID=, Assign=, and Token=. The setting
+ SubnetID= allows explicit configuration of the preferred subnet that
+ systemd-networkd's Prefix Delegation logic assigns to interfaces. If
+ Assign= is enabled (which is the default) an address from any acquired
+ delegated prefix is automatically chosen and assigned to the
+ interface. The setting Token= specifies an optional address generation
+ mode for Assign=.
+
+ * systemd-networkd's [Network] section gained a new setting
+ IPv4AcceptLocal=. If enabled the interface accepts packets with local
+ source addresses.
+
+ * systemd-networkd gained support for configuring the HTB queuing
+ discipline in the [HierarchyTokenBucket] and
+ [HierarchyTokenBucketClass] sections. Similar the "pfifo" qdisc may
+ be configured in the [PFIFO] section, "GRED" in
+ [GenericRandomEarlyDetection], "SFB" in [StochasticFairBlue], "cake"
+ in [CAKE], "PIE" in [PIE], "DRR" in [DeficitRoundRobinScheduler] and
+ [DeficitRoundRobinSchedulerClass], "BFIFO" in [BFIFO],
+ "PFIFOHeadDrop" in [PFIFOHeadDrop], "PFIFOFast" in [PFIFOFast], "HHF"
+ in [HeavyHitterFilter], "ETS" in [EnhancedTransmissionSelection] and
+ "QFQ" in [QuickFairQueueing] and [QuickFairQueueingClass].
+
+ * systemd-networkd gained support for a new Termination= setting in the
+ [CAN] section for configuring the termination resistor. It also
+ gained a new ListenOnly= setting for controlling whether to only
+ listen on CAN interfaces, without interfering with traffic otherwise
+ (which is useful for debugging/monitoring CAN network
+ traffic). DataBitRate=, DataSamplePoint=, FDMode=, FDNonISO= have
+ been added to configure various CAN-FD aspects.
+
+ * systemd-networkd's [DHCPv6] section gained a new option WithoutRA=.
+ When enabled, DHCPv6 will be attempted right-away without requiring an
+ Router Advertisement packet suggesting it first (i.e. without the 'M'
+ or 'O' flags set). The [IPv6AcceptRA] section gained a boolean option
+ DHCPv6Client= that may be used to turn off the DHCPv6 client even if
+ the RA packets suggest it.
+
+ * systemd-networkd's [DHCPv4] section gained a new setting UseGateway=
+ which may be used to turn off use of the gateway information provided
+ by the DHCP lease. A new FallbackLeaseLifetimeSec= setting may be
+ used to configure how to process leases that lack a lifetime option.
+
+ * systemd-networkd's [DHCPv4] and [DHCPServer] sections gained a new
+ setting SendVendorOption= allowing configuration of additional vendor
+ options to send in the DHCP requests/responses. The [DHCPv6] section
+ gained a new SendOption= setting for sending arbitrary DHCP
+ options. RequestOptions= has been added to request arbitrary options
+ from the server. UserClass= has been added to set the DHCP user class
+ field.
+
+ * systemd-networkd's [DHCPServer] section gained a new set of options
+ EmitPOP3=/POP3=, EmitSMTP=/SMTP=, EmitLPR=/LPR= for including server
+ information about these three protocols in the DHCP lease. It also
+ gained support for including "MUD" URLs ("Manufacturer Usage
+ Description"). Support for "MUD" URLs was also added to the LLDP
+ stack, configurable in the [LLDP] section in .network files.
+
+ * The Mode= settings in [MACVLAN] and [MACVTAP] now support 'source'
+ mode. Also, the sections now support a new setting SourceMACAddress=.
+
+ * systemd-networkd's .netdev files now support a new setting
+ VLANProtocol= in the [Bridge] section that allows configuration of
+ the VLAN protocol to use.
+
+ * systemd-networkd supports a new Group= setting in the [Link] section
+ of the .network files, to control the link group.
+
+ * systemd-networkd's [Network] section gained a new
+ IPv6LinkLocalAddressGenerationMode= setting, which specifies how IPv6
+ link local address is generated.
+
+ * A new default .network file is now shipped that matches TUN/TAP
+ devices that begin with "vt-" in their name. Such interfaces will
+ have IP routing onto the host links set up automatically. This is
+ supposed to be used by VM managers to trivially acquire a network
+ interface which is fully set up for host communication, simply by
+ carefully picking an interface name to use.
+
+ * systemd-networkd's [DHCPv6] section gained a new setting RouteMetric=
+ which sets the route priority for routes specified by the DHCP server.
+
+ * systemd-networkd's [DHCPv6] section gained a new setting VendorClass=
+ which configures the vendor class information sent to DHCP server.
+
+ * The BlackList= settings in .network files' [DHCPv4] and
+ [IPv6AcceptRA] sections have been renamed DenyList=. The old names
+ are still understood to provide compatibility.
+
+ * networkctl gained the new "forcerenew" command for forcing all DHCP
+ server clients to renew their lease. The interface "status" output
+ will now show numerous additional fields of information about an
+ interface. There are new "up" and "down" commands to bring specific
+ interfaces up or down.
+
+ * systemd-resolved's DNS= configuration option now optionally accepts a
+ port number (after ":") and a host name (after "#"). When the host
+ name is specified, the DNS-over-TLS certificate is validated to match
+ the specified hostname. Additionally, in case of IPv6 addresses, an
+ interface may be specified (after "%").
+
+ * systemd-resolved may be configured to forward single-label DNS names.
+ This is not standard-conformant, but may make sense in setups where
+ public DNS servers are not used.
+
+ * systemd-resolved's DNS-over-TLS support gained SNI validation.
+
+ * systemd-nspawn's --resolv-conf= switch gained a number of new
+ supported values. Specifically, options starting with "replace-" are
+ like those prefixed "copy-" but replace any existing resolv.conf
+ file. And options ending in "-uplink" and "-stub" can now be used to
+ propagate other flavours of resolv.conf into the container (as
+ defined by systemd-resolved).
+
+ * The various programs included in systemd can now optionally output
+ their log messages on stderr prefixed with a timestamp, controlled by
+ the $SYSTEMD_LOG_TIME environment variable.
+
+ * systemctl gained a new "-P" switch that is a shortcut for "--value
+ --property=…".
+
+ * "systemctl list-units" and "systemctl list-machines" no longer hide
+ their first output column with --no-legend. To hide the first column,
+ use --plain.
+
+ * "systemctl reboot" takes the option "--reboot-argument=".
+ The optional positional argument to "systemctl reboot" is now
+ being deprecated in favor of this option.
+
+ * systemd-run gained a new switch --slice-inherit. If specified the
+ unit it generates is placed in the same slice as the systemd-run
+ process itself.
+
+ * systemd-journald gained support for zstd compression of large fields
+ in journal files. The hash tables in journal files have been hardened
+ against hash collisions. This is an incompatible change and means
+ that journal files created with new systemd versions are not readable
+ with old versions. If the $SYSTEMD_JOURNAL_KEYED_HASH boolean
+ environment variable for systemd-journald.service is set to 0 this
+ new hardening functionality may be turned off, so that generated
+ journal files remain compatible with older journalctl
+ implementations.
+
+ * journalctl will now include a clickable link in the default output for
+ each log message for which an URL with further documentation is
+ known. This is only supported on terminal emulators that support
+ clickable hyperlinks, and is turned off if a pager is used (since
+ "less" still doesn't support hyperlinks,
+ unfortunately). Documentation URLs may be included in log messages
+ either by including a DOCUMENTATION= journal field in it, or by
+ associating a journal message catalog entry with the log message's
+ MESSAGE_ID, which then carries a "Documentation:" tag.
+
+ * journald.conf gained a new boolean setting Audit= that may be used to
+ control whether systemd-journald will enable audit during
+ initialization.
+
+ * when systemd-journald's log stream is broken up into multiple lines
+ because the PID of the sender changed this is indicated in the
+ generated log records via the _LINE_BREAK=pid-change field.
+
+ * journalctl's "-o cat" output mode will now show one or more journal
+ fields specified with --output-fields= instead of unconditionally
+ MESSAGE=. This is useful to retrieve a very specific set of fields
+ without any decoration.
+
+ * The sd-journal.h API gained two new functions:
+ sd_journal_enumerate_available_unique() and
+ sd_journal_enumerate_available_data() that operate like their
+ counterparts that lack the _available_ in the name, but skip items
+ that cannot be read and processed by the local implementation
+ (i.e. are compressed in an unsupported format or such),
+
+ * coredumpctl gained a new --file= switch, matching the same one in
+ journalctl: a specific journal file may be specified to read the
+ coredump data from.
+
+ * coredumps collected by systemd-coredump may now be compressed using
+ the zstd algorithm.
+
+ * systemd-binfmt gained a new switch --unregister for unregistering all
+ registered entries at once. This is now invoked automatically at
+ shutdown, so that binary formats registered with the "F" flag will
+ not block clean file system unmounting.
+
+ * systemd-notify's --pid= switch gained new values: "parent", "self",
+ "auto" for controlling which PID to send to the service manager: the
+ systemd-notify process' PID, or the one of the process invoking it.
+
+ * systemd-logind's Session bus object learnt a new method call
+ SetType() for temporarily updating the session type of an already
+ allocated session. This is useful for upgrading tty sessions to
+ graphical ones once a compositor is invoked.
+
+ * systemd-socket-proxy gained a new switch --exit-idle-time= for
+ configuring an exit-on-idle time.
+
+ * systemd-repart's --empty= setting gained a new value "create". If
+ specified a new empty regular disk image file is created under the
+ specified name. Its size may be specified with the new --size=
+ option. The latter is also supported without the "create" mode, in
+ order to grow existing disk image files to the specified size. These
+ two new options are useful when creating or manipulating disk images
+ instead of operating on actual block devices.
+
+ * systemd-repart drop-ins now support a new UUID= setting to control
+ the UUID to assign to a newly created partition.
+
+ * systemd-repart's SizeMin= per-partition parameter now defaults to 10M
+ instead of 0.
+
+ * systemd-repart's Label= setting now support the usual, simple
+ specifier expansion.
+
+ * systemd-homed's LUKS backend gained the ability to discard empty file
+ system blocks automatically when the user logs out. This is enabled
+ by default to ensure that home directories take minimal space when
+ logged out but get full size guarantees when logged in. This may be
+ controlled with the new --luks-offline-discard= switch to homectl.
+
+ * If systemd-homed detects that /home/ is encrypted as a whole it will
+ now default to the directory or subvolume backends instead of the
+ LUKS backend, in order to avoid double encryption. The default
+ storage and file system may now be configured explicitly, too, via
+ the new /etc/systemd/homed.conf configuration file.
+
+ * systemd-homed now supports unlocking home directories with FIDO2
+ security tokens that support the 'hmac-secret' extension, in addition
+ to the existing support for PKCS#11 security token unlocking
+ support. Note that many recent hardware security tokens support both
+ interfaces. The FIDO2 support is accessible via homectl's
+ --fido2-device= option.
+
+ * homectl's --pkcs11-uri= setting now accepts two special parameters:
+ if "auto" is specified and only one suitable PKCS#11 security token
+ is plugged in, its URL is automatically determined and enrolled for
+ unlocking the home directory. If "list" is specified a brief table of
+ suitable PKCS#11 security tokens is shown. Similar, the new
+ --fido2-device= option also supports these two special values, for
+ automatically selecting and listing suitable FIDO2 devices.
+
+ * The /etc/crypttab tmp option now optionally takes an argument
+ selecting the file system to use. Moreover, the default is now
+ changed from ext2 to ext4.
+
+ * There's a new /etc/crypttab option "keyfile-erase". If specified the
+ key file listed in the same line is removed after use, regardless if
+ volume activation was successful or not. This is useful if the key
+ file is only acquired transiently at runtime and shall be erased
+ before the system continues to boot.
+
+ * There's also a new /etc/crypttab option "try-empty-password". If
+ specified, before asking the user for a password it is attempted to
+ unlock the volume with an empty password. This is useful for
+ installing encrypted images whose password shall be set on first boot
+ instead of at installation time.
+
+ * systemd-cryptsetup will now attempt to load the keys to unlock
+ volumes with automatically from files in
+ /etc/cryptsetup-keys.d/<volume>.key and
+ /run/cryptsetup-keys.d/<volume>.key, if any of these files exist.
+
+ * systemd-cryptsetup may now activate Microsoft BitLocker volumes via
+ /etc/crypttab, during boot.
+
+ * logind.conf gained a new RuntimeDirectoryInodesMax= setting to
+ control the inode limit for the per-user $XDG_RUNTIME_DIR tmpfs
+ instance.
+
+ * A new generator systemd-xdg-autostart-generator has been added. It
+ generates systemd unit files from XDG autostart .desktop files, and
+ may be used to let the systemd user instance manage services that are
+ started automatically as part of the desktop session.
+
+ * "bootctl" gained a new verb "reboot-to-firmware" that may be used
+ to query and change the firmware's 'reboot into firmware' setup flag.
+
+ * systemd-firstboot gained a new switch --kernel-command-line= that may
+ be used to initialize the /etc/kernel/cmdline file of the image. It
+ also gained a new switch --root-password-hashed= which is like
+ --root-password= but accepts a pre-hashed UNIX password as
+ argument. The new option --delete-root-password may be used to unset
+ any password for the root user (dangerous!). The --root-shell= switch
+ may be used to control the shell to use for the root account. A new
+ --force option may be used to override any already set settings with
+ the parameters specified on the command line (by default, the tool
+ will not override what has already been set before, i.e. is purely
+ incremental).
+
+ * systemd-firstboot gained support for a new --image= switch, which is
+ similar to --root= but accepts the path to a disk image file, on
+ which it then operates.
+
+ * A new sd-path.h API has been added to libsystemd. It provides a
+ simple API for retrieving various search paths and primary
+ directories for various resources.
+
+ * A new call sd_notify_barrier() has been added to the sd-daemon.h
+ API. The call will block until all previously sent sd_notify()
+ messages have been processed by the service manager. This is useful
+ to remove races caused by a process already having disappeared at the
+ time a notification message is processed by the service manager,
+ making correct attribution impossible. The systemd-notify tool will
+ now make use of this call implicitly, but this can be turned off again
+ via the new --no-block switch.
+
+ * When sending a file descriptor (fd) to the service manager to keep
+ track of, using the sd_notify() mechanism, a new parameter FDPOLL=0
+ may be specified. If passed the service manager will refrain from
+ poll()ing on the file descriptor. Traditionally (and when the
+ parameter is not specified), the service manager will poll it for
+ POLLHUP or POLLERR events, and immediately close the fds in that
+ case.
+
+ * The service manager (PID1) gained a new D-Bus method call
+ SetShowStatus() which may be used to control whether it shall show
+ boot-time status output on the console. This method has a similar
+ effect to sending SIGRTMIN+20/SIGRTMIN+21 to PID 1.
+
+ * The sd-bus API gained a number of convenience functions that take
+ va_list arguments rather than "...". For example, there's now
+ sd_bus_call_methodv() to match sd_bus_call_method(). Those calls make
+ it easier to build wrappers that accept variadic arguments and want
+ to pass a ready va_list structure to sd-bus.
+
+ * sd-bus vtable entries can have a new SD_BUS_VTABLE_ABSOLUTE_OFFSET
+ flag which alters how the userdata pointer to pass to the callbacks
+ is determined. When the flag is set, the offset field is converted
+ as-is into a pointer, without adding it to the object pointer the
+ vtable is associated with.
+
+ * sd-bus now exposes four new functions:
+ sd_bus_interface_name_is_valid() + sd_bus_service_name_is_valid() +
+ sd_bus_member_name_is_valid() + sd_bus_object_path_is_valid() will
+ validate strings to check if they qualify as various D-Bus concepts.
+
+ * The sd-bus API gained the SD_BUS_METHOD_WITH_ARGS(),
+ SD_BUS_METHOD_WITH_ARGS_OFFSET() and SD_BUS_SIGNAL_WITH_ARGS() macros
+ that simplify adding argument names to D-Bus methods and signals.
+
+ * The man pages for the sd-bus and sd-hwdb APIs have been completed.
+
+ * Various D-Bus APIs of systemd daemons now have man pages that
+ document the methods, signals and properties.
+
+ * The expectations on user/group name syntax are now documented in
+ detail; documentation on how classic home directories may be
+ converted into home directories managed by homed has been added;
+ documentation regarding integration of homed/userdb functionality in
+ desktops has been added:
+
+ https://systemd.io/USER_NAMES
+ https://systemd.io/CONVERTING_TO_HOMED
+ https://systemd.io/USERDB_AND_DESKTOPS
+
+ * Documentation for the on-disk Journal file format has been updated
+ and has now moved to:
+
+ https://systemd.io/JOURNAL_FILE_FORMAT
+
+ * The interface for containers (https://systemd.io/CONTAINER_INTERFACE)
+ has been extended by a set of environment variables that expose
+ select fields from the host's os-release file to the container
+ payload. Similarly, host's os-release files can be mounted into the
+ container underneath /run/host. Together, those mechanisms provide a
+ standardized way to expose information about the host to the
+ container payload. Both interfaces are implemented in systemd-nspawn.
+
+ * All D-Bus services shipped in systemd now implement the generic
+ LogControl1 D-Bus API which allows clients to change log level +
+ target of the service during runtime.
+
+ * Only relevant for developers: the mkosi.default symlink has been
+ dropped from version control. Please create a symlink to one of the
+ distribution-specific defaults in .mkosi/ based on your preference.
+
+ Contributions from: 24bisquitz, Adam Nielsen, Alan Perry, Alexander
+ Malafeev, Amitanand.Chikorde, Alin Popa, Alvin Šipraga, Amos Bird,
+ Andreas Rammhold, AndreRH, Andrew Doran, Anita Zhang, Ankit Jain,
+ antznin, Arnaud Ferraris, Arthur Moraes do Lago, Arusekk, Balaji
+ Punnuru, Balint Reczey, Bastien Nocera, bemarek, Benjamin Berg,
+ Benjamin Dahlhoff, Benjamin Robin, Chris Down, Chris Kerr, Christian
+ Göttsche, Christian Hesse, Christian Oder, Ciprian Hacman, Clinton Roy,
+ codicodi, Corey Hinshaw, Daan De Meyer, Dana Olson, Dan Callaghan,
+ Daniel Fullmer, Daniel Rusek, Dan Streetman, Dave Reisner, David
+ Edmundson, David Wood, Denis Pronin, Diego Escalante Urrelo, Dimitri
+ John Ledkov, dolphrundgren, duguxy, Einsler Lee, Elisei Roca, Emmanuel
+ Garette, Eric Anderson, Eric DeVolder, Evgeny Vereshchagin,
+ ExtinctFire, fangxiuning, Ferran Pallarès Roca, Filipe Brandenburger,
+ Filippo Falezza, Finn, Florian Klink, Florian Mayer, Franck Bui,
+ Frantisek Sumsal, gaurav, Georg Müller, Gergely Polonkai, Giedrius
+ Statkevičius, Gigadoc2, gogogogi, Gaurav Singh, gzjsgdsb, Hans de
+ Goede, Haochen Tong, ianhi, ignapk, Jakov Smolic, James T. Lee, Jan
+ Janssen, Jan Klötzke, Jan Palus, Jay Burger, Jeremy Cline, Jérémy
+ Rosen, Jian-Hong Pan, Jiri Slaby, Joel Shapiro, Joerg Behrmann, Jörg
+ Thalheim, Jouke Witteveen, Kai-Heng Feng, Kenny Levinsen, Kevin
+ Kuehler, Kumar Kartikeya Dwivedi, layderv, laydervus, Lénaïc Huard,
+ Lennart Poettering, Lidong Zhong, Luca Boccassi, Luca BRUNO, Lucas
+ Werkmeister, Lukas Klingsbo, Lukáš Nykrýn, Łukasz Stelmach, Maciej
+ S. Szmigiero, MadMcCrow, Marc-André Lureau, Marcel Holtmann, Marc
+ Kleine-Budde, Martin Hundebøll, Matthew Leeds, Matt Ranostay, Maxim
+ Fomin, MaxVerevkin, Michael Biebl, Michael Chapman, Michael Gubbels,
+ Michael Marley, Michał Bartoszkiewicz, Michal Koutný, Michal Sekletár,
+ Mike Gilbert, Mike Kazantsev, Mikhail Novosyolov, ml, Motiejus Jakštys,
+ nabijaczleweli, nerdopolis, Niccolò Maggioni, Niklas Hambüchen, Norbert
+ Lange, Paul Cercueil, pelzvieh, Peter Hutterer, Piero La Terza, Pieter
+ Lexis, Piotr Drąg, Rafael Fontenelle, Richard Petri, Ronan Pigott, Ross
+ Lagerwall, Rubens Figueiredo, satmandu, Sean-StarLabs, Sebastian
+ Jennen, sterlinghughes, Surhud More, Susant Sahani, szb512, Thomas
+ Haller, Tobias Hunger, Tom, Tomáš Pospíšek, Tomer Shechner, Tom Hughes,
+ Topi Miettinen, Tudor Roman, Uwe Kleine-König, Valery0xff, Vito Caputo,
+ Vladimir Panteleev, Vladyslav Tronko, Wen Yang, Yegor Vialov, Yigal
+ Korman, Yi Gao, YmrDtnJu, Yuri Chornoivan, Yu Watanabe, Zbigniew
+ Jędrzejewski-Szmek, Zhu Li, Дамјан Георгиевски, наб
+
+ – Warsaw, 2020-07-30
+
+CHANGES WITH 245:
+
+ * A new tool "systemd-repart" has been added, that operates as an
+ idempotent declarative repartitioner for GPT partition tables.
+ Specifically, a set of partitions that must or may exist can be
+ configured via drop-in files, and during every boot the partition
+ table on disk is compared with these files, creating missing
+ partitions or growing existing ones based on configurable relative
+ and absolute size constraints. The tool is strictly incremental,
+ i.e. does not delete, shrink or move partitions, but only adds and
+ grows them. The primary use-case is OS images that ship in minimized
+ form, that on first boot are grown to the size of the underlying
+ block device or augmented with additional partitions. For example,
+ the root partition could be extended to cover the whole disk, or a
+ swap or /home partitions could be added on first boot. It can also be
+ used for systems that use an A/B update scheme but ship images with
+ just the A partition, with B added on first boot. The tool is
+ primarily intended to be run in the initrd, shortly before
+ transitioning into the host OS, but can also be run after the
+ transition took place. It automatically discovers the disk backing
+ the root file system, and should hence not require any additional
+ configuration besides the partition definition drop-ins. If no
+ configuration drop-ins are present, no action is taken.
+
+ * A new component "userdb" has been added, along with a small daemon
+ "systemd-userdbd.service" and a client tool "userdbctl". The framework
+ allows defining rich user and group records in a JSON format,
+ extending on the classic "struct passwd" and "struct group"
+ structures. Various components in systemd have been updated to
+ process records in this format, including systemd-logind and
+ pam-systemd. The user records are intended to be extensible, and
+ allow setting various resource management, security and runtime
+ parameters that shall be applied to processes and sessions of the
+ user as they log in. This facility is intended to allow associating
+ such metadata directly with user/group records so that they can be
+ produced, extended and consumed in unified form. We hope that
+ eventually frameworks such as sssd will generate records this way, so
+ that for the first time resource management and various other
+ per-user settings can be configured in LDAP directories and then
+ provided to systemd (specifically to systemd-logind and pam-system)
+ to apply on login. For further details see:
+
+ https://systemd.io/USER_RECORD
+ https://systemd.io/GROUP_RECORD
+ https://systemd.io/USER_GROUP_API
+
+ * A small new service systemd-homed.service has been added, that may be
+ used to securely manage home directories with built-in encryption.
+ The complete user record data is unified with the home directory,
+ thus making home directories naturally migratable. Its primary
+ back-end is based on LUKS volumes, but fscrypt, plain directories,
+ and other storage schemes are also supported. This solves a couple of
+ problems we saw with traditional ways to manage home directories, in
+ particular when it comes to encryption. For further discussion of
+ this, see the video of Lennart's talk at AllSystemsGo! 2019:
+
+ https://media.ccc.de/v/ASG2019-164-reinventing-home-directories
+
+ For further details about the format and expectations on home
+ directories this new daemon makes, see:
+
+ https://systemd.io/HOME_DIRECTORY
+
+ * systemd-journald is now multi-instantiable. In addition to the main
+ instance systemd-journald.service there's now a template unit
+ systemd-journald@.service, with each instance defining a new named
+ log 'namespace' (whose name is specified via the instance part of the
+ unit name). A new unit file setting LogNamespace= has been added,
+ taking such a namespace name, that assigns services to the specified
+ log namespaces. As each log namespace is serviced by its own
+ independent journal daemon, this functionality may be used to improve
+ performance and increase isolation of applications, at the price of
+ losing global message ordering. Each instance of journald has a
+ separate set of configuration files, with possibly different disk
+ usage limitations and other settings.
+
+ journalctl now takes a new option --namespace= to show logs from a
+ specific log namespace. The sd-journal.h API gained
+ sd_journal_open_namespace() for opening the log stream of a specific
+ log namespace. systemd-journald also gained the ability to exit on
+ idle, which is useful in the context of log namespaces, as this means
+ log daemons for log namespaces can be activated automatically on
+ demand and will stop automatically when no longer used, minimizing
+ resource usage.
+
+ * When systemd-tmpfiles copies a file tree using the 'C' line type it
+ will now label every copied file according to the SELinux database.
+
+ * When systemd/PID 1 detects it is used in the initrd it will now boot
+ into initrd.target rather than default.target by default. This should
+ make it simpler to build initrds with systemd as for many cases the
+ only difference between a host OS image and an initrd image now is
+ the presence of the /etc/initrd-release file.
+
+ * A new kernel command line option systemd.cpu_affinity= is now
+ understood. It's equivalent to the CPUAffinity= option in
+ /etc/systemd/system.conf and allows setting the CPU mask for PID 1
+ itself and the default for all other processes.
+
+ * When systemd/PID 1 is reloaded (with systemctl daemon-reload or
+ equivalent), the SELinux database is now reloaded, ensuring that
+ sockets and other file system objects are generated taking the new
+ database into account.
+
+ * systemd/PID 1 accepts a new "systemd.show-status=error" setting, and
+ "quiet" has been changed to imply that instead of
+ "systemd.show-status=auto". In this mode, only messages about errors
+ and significant delays in boot are shown on the console.
+
+ * The sd-event.h API gained native support for the new Linux "pidfd"
+ concept. This permits watching processes using file descriptors
+ instead of PID numbers, which fixes a number of races and makes
+ process supervision more robust and efficient. All of systemd's
+ components will now use pidfds if the kernel supports it for process
+ watching, with the exception of PID 1 itself, unfortunately. We hope
+ to move PID 1 to exclusively using pidfds too eventually, but this
+ requires some more kernel work first. (Background: PID 1 watches
+ processes using waitid() with the P_ALL flag, and that does not play
+ together nicely with pidfds yet.)
+
+ * Closely related to this, the sd-event.h API gained two new calls
+ sd_event_source_send_child_signal() (for sending a signal to a
+ watched process) and sd_event_source_get_child_process_own() (for
+ marking a process so that it is killed automatically whenever the
+ event source watching it is freed).
+
+ * systemd-networkd gained support for configuring Token Bucket Filter
+ (TBF) parameters in its qdisc configuration support. Similarly,
+ support for Stochastic Fairness Queuing (SFQ), Controlled-Delay
+ Active Queue Management (CoDel), and Fair Queue (FQ) has been added.
+
+ * systemd-networkd gained support for Intermediate Functional Block
+ (IFB) network devices.
+
+ * systemd-networkd gained support for configuring multi-path IP routes,
+ using the new MultiPathRoute= setting in the [Route] section.
+
+ * systemd-networkd's DHCPv4 client has been updated to support a new
+ SendDecline= option. If enabled, duplicate address detection is done
+ after a DHCP offer is received from the server. If a conflict is
+ detected, the address is declined. The DHCPv4 client also gained
+ support for a new RouteMTUBytes= setting that allows to configure the
+ MTU size to be used for routes generated from DHCPv4 leases.
+
+ * The PrefixRoute= setting in systemd-networkd's [Address] section of
+ .network files has been deprecated, and replaced by AddPrefixRoute=,
+ with its sense inverted.
+
+ * The Gateway= setting of [Route] sections of .network files gained
+ support for a special new value "_dhcp". If set, the configured
+ static route uses the gateway host configured via DHCP.
+
+ * New User= and SuppressPrefixLength= settings have been implemented
+ for the [RoutingPolicyRule] section of .network files to configure
+ source routing based on UID ranges and prefix length, respectively.
+
+ * The Type= match property of .link files has been generalized to
+ always match the device type shown by 'networkctl status', even for
+ devices where udev does not set DEVTYPE=. This allows e.g. Type=ether
+ to be used.
+
+ * sd-bus gained a new API call sd_bus_message_sensitive() that marks a
+ D-Bus message object as "sensitive". Those objects are erased from
+ memory when they are freed. This concept is intended to be used for
+ messages that contain security sensitive data. A new flag
+ SD_BUS_VTABLE_SENSITIVE has been introduced as well to mark methods
+ in sd-bus vtables, causing any incoming and outgoing messages of
+ those methods to be implicitly marked as "sensitive".
+
+ * sd-bus gained a new API call sd_bus_message_dump() for dumping the
+ contents of a message (or parts thereof) to standard output for
+ debugging purposes.
+
+ * systemd-sysusers gained support for creating users with the primary
+ group named differently than the user.
+
+ * systemd-growfs (i.e. the x-systemd.growfs mount option in /etc/fstab)
+ gained support for growing XFS partitions. Previously it supported
+ only ext4 and btrfs partitions.
+
+ * The support for /etc/crypttab gained a new x-initrd.attach option. If
+ set, the specified encrypted volume is unlocked already in the
+ initrd. This concept corresponds to the x-initrd.mount option in
+ /etc/fstab.
+
+ * systemd-cryptsetup gained native support for unlocking encrypted
+ volumes utilizing PKCS#11 smartcards, i.e. for example to bind
+ encryption of volumes to YubiKeys. This is exposed in the new
+ pkcs11-uri= option in /etc/crypttab.
+
+ * The /etc/fstab support in systemd now supports two new mount options
+ x-systemd.{required,wanted}-by=, for explicitly configuring the units
+ that the specified mount shall be pulled in by, in place of
+ the usual local-fs.target/remote-fs.target.
+
+ * The https://systemd.io/ web site has been relaunched, directly
+ populated with most of the documentation included in the systemd
+ repository. systemd also acquired a new logo, thanks to Tobias
+ Bernard.
+
+ * systemd-udevd gained support for managing "alternative" network
+ interface names, as supported by new Linux kernels. For the first
+ time this permits assigning multiple (and longer!) names to a network
+ interface. systemd-udevd will now by default assign the names
+ generated via all supported naming schemes to each interface. This
+ may be further tweaked with .link files and the AlternativeName= and
+ AlternativeNamesPolicy= settings. Other components of systemd have
+ been updated to support the new alternative names wherever
+ appropriate. For example, systemd-nspawn will now generate
+ alternative interface names for the host-facing side of container
+ veth links based on the full container name without truncation.
+
+ * systemd-nspawn interface naming logic has been updated in another way
+ too: if the main interface name (i.e. as opposed to new-style
+ "alternative" names) based on the container name is truncated, a
+ simple hashing scheme is used to give different interface names to
+ multiple containers whose names all begin with the same prefix. Since
+ this changes the primary interface names pointing to containers if
+ truncation happens, the old scheme may still be requested by
+ selecting an older naming scheme, via the net.naming-scheme= kernel
+ command line option.
+
+ * PrivateUsers= in service files now works in services run by the
+ systemd --user per-user instance of the service manager.
+
+ * A new per-service sandboxing option ProtectClock= has been added that
+ locks down write access to the system clock. It takes away device
+ node access to /dev/rtc as well as the system calls that set the
+ system clock and the CAP_SYS_TIME and CAP_WAKE_ALARM capabilities.
+ Note that this option does not affect access to auxiliary services
+ that allow changing the clock, for example access to
+ systemd-timedated.
+
+ * The systemd-id128 tool gained a new "show" verb for listing or
+ resolving a number of well-known UUIDs/128bit IDs, currently mostly
+ GPT partition table types.
+
+ * The Discoverable Partitions Specification has been updated to support
+ /var and /var/tmp partition discovery. Support for this has been
+ added to systemd-gpt-auto-generator. For details see:
+
+ https://systemd.io/DISCOVERABLE_PARTITIONS
+
+ * "systemctl list-unit-files" has been updated to show a new column
+ with the suggested enablement state based on the vendor preset files
+ for the respective units.
+
+ * "systemctl" gained a new option "--with-dependencies". If specified
+ commands such as "systemctl status" or "systemctl cat" will now show
+ all specified units along with all units they depend on.
+
+ * networkctl gained support for showing per-interface logs in its
+ "status" output.
+
+ * systemd-networkd-wait-online gained support for specifying the maximum
+ operational state to wait for, and to wait for interfaces to
+ disappear.
+
+ * The [Match] section of .link and .network files now supports a new
+ option PermanentMACAddress= which may be used to check against the
+ permanent MAC address of a network device even if a randomized MAC
+ address is used.
+
+ * The [TrafficControlQueueingDiscipline] section in .network files has
+ been renamed to [NetworkEmulator] with the "NetworkEmulator" prefix
+ dropped from the individual setting names.
+
+ * Any .link and .network files that have an empty [Match] section (this
+ also includes empty and commented-out files) will now be
+ rejected. systemd-udev and systemd-networkd started warning about
+ such files in version 243.
+
+ * systemd-logind will now validate access to the operation of changing
+ the virtual terminal via a polkit action. By default, only users
+ with at least one session on a local VT are granted permission.
+
+ * When systemd sets up PAM sessions that invoked service processes
+ shall run in, the pam_setcred() API is now invoked, thus permitting
+ PAM modules to set additional credentials for the processes.
+
+ * portablectl attach/detach verbs now accept --now and --enable options
+ to combine attachment with enablement and invocation, or detachment
+ with stopping and disablement.
+
+ * UPGRADE ISSUE: a bug where some jobs were trimmed as redundant was
+ fixed, which in turn exposed bugs in unit configuration of services
+ which have Type=oneshot and should only run once, but do not have
+ RemainAfterExit=yes set. Without RemainAfterExit=yes, a one-shot
+ service may be started again after exiting successfully, for example
+ as a dependency in another transaction. Affected services included
+ some internal systemd services (most notably
+ systemd-vconsole-setup.service, which was updated to have
+ RemainAfterExit=yes), and plymouth-start.service. Please ensure that
+ plymouth has been suitably updated or patched before upgrading to
+ this systemd release. See
+ https://bugzilla.redhat.com/show_bug.cgi?id=1807771 for some
+ additional discussion.
+
+ Contributions from: AJ Bagwell, Alin Popa, Andreas Rammhold, Anita
+ Zhang, Ansgar Burchardt, Antonio Russo, Arian van Putten, Ashley Davis,
+ Balint Reczey, Bart Willems, Bastien Nocera, Benjamin Dahlhoff, Charles
+ (Chas) Williams, cheese1, Chris Down, Chris Murphy, Christian Ehrhardt,
+ Christian Göttsche, cvoinf, Daan De Meyer, Daniele Medri, Daniel Rusek,
+ Daniel Shahaf, Dann Frazier, Dan Streetman, Dariusz Gadomski, David
+ Michael, Dimitri John Ledkov, Emmanuel Bourg, Evgeny Vereshchagin,
+ ezst036, Felipe Sateler, Filipe Brandenburger, Florian Klink, Franck
+ Bui, Fran Dieguez, Frantisek Sumsal, Greg "GothAck" Miell, Guilhem
+ Lettron, Guillaume Douézan-Grard, Hans de Goede, HATAYAMA Daisuke, Iain
+ Lane, James Buren, Jan Alexander Steffens (heftig), Jérémy Rosen, Jin
+ Park, Jun'ichi Nomura, Kai Krakow, Kevin Kuehler, Kevin P. Fleming,
+ Lennart Poettering, Leonid Bloch, Leonid Evdokimov, lothrond, Luca
+ Boccassi, Lukas K, Lynn Kirby, Mario Limonciello, Mark Deneen, Matthew
+ Leeds, Michael Biebl, Michal Koutný, Michal Sekletár, Mike Auty, Mike
+ Gilbert, mtron, nabijaczleweli, Naïm Favier, Nate Jones, Norbert Lange,
+ Oliver Giles, Paul Davey, Paul Menzel, Peter Hutterer, Piotr Drąg, Rafa
+ Couto, Raphael, rhn, Robert Scheck, Rocka, Romain Naour, Ryan Attard,
+ Sascha Dewald, Shengjing Zhu, Slava Kardakov, Spencer Michaels, Sylvain
+ Plantefeve, Stanislav Angelovič, Susant Sahani, Thomas Haller, Thomas
+ Schmitt, Timo Schlüßler, Timo Wilken, Tobias Bernard, Tobias Klauser,
+ Tobias Stoeckmann, Topi Miettinen, tsia, WataruMatsuoka, Wieland
+ Hoffmann, Wilhelm Schuster, Will Fleming, xduugu, Yong Cong Sin, Yuri
+ Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zeyu
+ DONG
+
+ – Warsaw, 2020-03-06
+
+CHANGES WITH 244:
+
+ * Support for the cpuset cgroups v2 controller has been added.
+ Processes may be restricted to specific CPUs using the new
+ AllowedCPUs= setting, and to specific memory NUMA nodes using the new
+ AllowedMemoryNodes= setting.
+
+ * The signal used in restart jobs (as opposed to e.g. stop jobs) may
+ now be configured using a new RestartKillSignal= setting. This
+ allows units which signals to request termination to implement
+ different behaviour when stopping in preparation for a restart.
+
+ * "systemctl clean" may now be used also for socket, mount, and swap
+ units.
+
+ * systemd will also read configuration options from the EFI variable
+ SystemdOptions. This may be used to configure systemd behaviour when
+ modifying the kernel command line is inconvenient, but configuration
+ on disk is read too late, for example for the options related to
+ cgroup hierarchy setup. 'bootctl systemd-efi-options' may be used to
+ set the EFI variable.
+
+ * systemd will now disable printk ratelimits in early boot. This should
+ allow us to capture more logs from the early boot phase where normal
+ storage is not available and the kernel ring buffer is used for
+ logging. Configuration on the kernel command line has higher priority
+ and overrides the systemd setting.
+
+ systemd programs which log to /dev/kmsg directly use internal
+ ratelimits to prevent runaway logging. (Normally this is only used
+ during early boot, so in practice this change has very little
+ effect.)
+
+ * Unit files now support top level dropin directories of the form
+ <unit_type>.d/ (e.g. service.d/) that may be used to add configuration
+ that affects all corresponding unit files.
+
+ * systemctl gained support for 'stop --job-mode=triggering' which will
+ stop the specified unit and any units which could trigger it.
+
+ * Unit status display now includes units triggering and triggered by
+ the unit being shown.
+
+ * The RuntimeMaxSec= setting is now supported by scopes, not just
+ .service units. This is particularly useful for PAM sessions which
+ create a scope unit for the user login. systemd.runtime_max_sec=
+ setting may used with the pam_systemd module to limit the duration
+ of the PAM session, for example for time-limited logins.
+
+ * A new @pkey system call group is now defined to make it easier to
+ allow-list memory protection syscalls for containers and services
+ which need to use them.
+
+ * systemd-udevd: removed the 30s timeout for killing stale workers on
+ exit. systemd-udevd now waits for workers to finish. The hard-coded
+ exit timeout of 30s was too short for some large installations, where
+ driver initialization could be prematurely interrupted during initrd
+ processing if the root file system had been mounted and init was
+ preparing to switch root. If udevd is run without systemd and workers
+ are hanging while udevd receives an exit signal, udevd will now exit
+ when udev.event_timeout is reached for the last hanging worker. With
+ systemd, the exit timeout can additionally be configured using
+ TimeoutStopSec= in systemd-udevd.service.
+
+ * udev now provides a program (fido_id) that identifies FIDO CTAP1
+ ("U2F")/CTAP2 security tokens based on the usage declared in their
+ report and descriptor and outputs suitable environment variables.
+ This replaces the externally maintained allow lists of all known
+ security tokens that were used previously.
+
+ * Automatically generated autosuspend udev rules for allow-listed
+ devices have been imported from the Chromium OS project. This should
+ improve power saving with many more devices.
+
+ * udev gained a new "CONST{key}=value" setting that allows matching
+ against system-wide constants without forking a helper binary.
+ Currently "arch" and "virt" keys are supported.
+
+ * udev now opens CDROMs in non-exclusive mode when querying their
+ capabilities. This should fix issues where other programs trying to
+ use the CDROM cannot gain access to it, but carries a risk of
+ interfering with programs writing to the disk, if they did not open
+ the device in exclusive mode as they should.
+
+ * systemd-networkd does not create a default route for IPv4 link local
+ addressing anymore. The creation of the route was unexpected and was
+ breaking routing in various cases, but people who rely on it being
+ created implicitly will need to adjust. Such a route may be requested
+ with DefaultRouteOnDevice=yes.
+
+ Similarly, systemd-networkd will not assign a link-local IPv6 address
+ when IPv6 link-local routing is not enabled.
+
+ * Receive and transmit buffers may now be configured on links with
+ the new RxBufferSize= and TxBufferSize= settings.
+
+ * systemd-networkd may now advertise additional IPv6 routes. A new
+ [IPv6RoutePrefix] section with Route= and LifetimeSec= options is
+ now supported.
+
+ * systemd-networkd may now configure "next hop" routes using the
+ [NextHop] section and Gateway= and Id= settings.
+
+ * systemd-networkd will now retain DHCP config on restarts by default
+ (but this may be overridden using the KeepConfiguration= setting).
+ The default for SendRelease= has been changed to true.
+
+ * The DHCPv4 client now uses the OPTION_INFORMATION_REFRESH_TIME option
+ received from the server.
+
+ The client will use the received SIP server list if UseSIP=yes is
+ set.
+
+ The client may be configured to request specific options from the
+ server using a new RequestOptions= setting.
+
+ The client may be configured to send arbitrary options to the server
+ using a new SendOption= setting.
+
+ A new IPServiceType= setting has been added to configure the "IP
+ service type" value used by the client.
+
+ * The DHCPv6 client learnt a new PrefixDelegationHint= option to
+ request prefix hints in the DHCPv6 solicitation.
+
+ * The DHCPv4 server may be configured to send arbitrary options using
+ a new SendOption= setting.
+
+ * The DHCPv4 server may now be configured to emit SIP server list using
+ the new EmitSIP= and SIP= settings.
+
+ * systemd-networkd and networkctl may now renew DHCP leases on demand.
+ networkctl has a new 'networkctl renew' verb.
+
+ * systemd-networkd may now reconfigure links on demand. networkctl
+ gained two new verbs: "reload" will reload the configuration, and
+ "reconfigure DEVICE…" will reconfigure one or more devices.
+
+ * .network files may now match on SSID and BSSID of a wireless network,
+ i.e. the access point name and hardware address using the new SSID=
+ and BSSID= options. networkctl will display the current SSID and
+ BSSID for wireless links.
+
+ .network files may also match on the wireless network type using the
+ new WLANInterfaceType= option.
+
+ * systemd-networkd now includes default configuration that enables
+ link-local addressing when connected to an ad-hoc wireless network.
+
+ * systemd-networkd may configure the Traffic Control queueing
+ disciplines in the kernel using the new
+ [TrafficControlQueueingDiscipline] section and Parent=,
+ NetworkEmulatorDelaySec=, NetworkEmulatorDelayJitterSec=,
+ NetworkEmulatorPacketLimit=, NetworkEmulatorLossRate=,
+ NetworkEmulatorDuplicateRate= settings.
+
+ * systemd-tmpfiles gained a new w+ setting to append to files.
+
+ * systemd-analyze dump will now report when the memory configuration in
+ the kernel does not match what systemd has configured (usually,
+ because some external program has modified the kernel configuration
+ on its own).
+
+ * systemd-analyze gained a new --base-time= switch instructs the
+ 'calendar' verb to resolve times relative to that timestamp instead
+ of the present time.
+
+ * journalctl --update-catalog now produces deterministic output (making
+ reproducible image builds easier).
+
+ * A new devicetree-overlay setting is now documented in the Boot Loader
+ Specification.
+
+ * The default value of the WatchdogSec= setting used in systemd
+ services (the ones bundled with the project itself) may be set at
+ configuration time using the -Dservice-watchdog= setting. If set to
+ empty, the watchdogs will be disabled.
+
+ * systemd-resolved validates IP addresses in certificates now when GnuTLS
+ is being used.
+
+ * libcryptsetup >= 2.0.1 is now required.
+
+ * A configuration option -Duser-path= may be used to override the $PATH
+ used by the user service manager. The default is again to use the same
+ path as the system manager.
+
+ * The systemd-id128 tool gained a new switch "-u" (or "--uuid") for
+ outputting the 128bit IDs in UUID format (i.e. in the "canonical
+ representation").
+
+ * Service units gained a new sandboxing option ProtectKernelLogs= which
+ makes sure the program cannot get direct access to the kernel log
+ buffer anymore, i.e. the syslog() system call (not to be confused
+ with the API of the same name in libc, which is not affected), the
+ /proc/kmsg and /dev/kmsg nodes and the CAP_SYSLOG capability are made
+ inaccessible to the service. It's recommended to enable this setting
+ for all services that should not be able to read from or write to the
+ kernel log buffer, which are probably almost all.
+
+ Contributions from: Aaron Plattner, Alcaro, Anita Zhang, Balint Reczey,
+ Bastien Nocera, Baybal Ni, Benjamin Bouvier, Benjamin Gilbert, Carlo
+ Teubner, cbzxt, Chen Qi, Chris Down, Christian Rebischke, Claudio
+ Zumbo, ClydeByrdIII, crashfistfight, Cyprien Laplace, Daniel Edgecumbe,
+ Daniel Gorbea, Daniel Rusek, Daniel Stuart, Dan Streetman, David
+ Pedersen, David Tardon, Dimitri John Ledkov, Dominique Martinet, Donald
+ A. Cupp Jr, Evgeny Vereshchagin, Fabian Henneke, Filipe Brandenburger,
+ Franck Bui, Frantisek Sumsal, Georg Müller, Hans de Goede, Haochen
+ Tong, HATAYAMA Daisuke, Iwan Timmer, Jan Janssen, Jan Kundrát, Jan
+ Synacek, Jan Tojnar, Jay Strict, Jérémy Rosen, Jóhann B. Guðmundsson,
+ Jonas Jelten, Jonas Thelemann, Justin Trudell, J. Xing, Kai-Heng Feng,
+ Kenneth D'souza, Kevin Becker, Kevin Kuehler, Lennart Poettering,
+ Léonard Gérard, Lorenz Bauer, Luca Boccassi, Maciej Stanczew, Mario
+ Limonciello, Marko Myllynen, Mark Stosberg, Martin Wilck, matthiasroos,
+ Michael Biebl, Michael Olbrich, Michael Tretter, Michal Sekletar,
+ Michal Sekletár, Michal Suchanek, Mike Gilbert, Mike Kazantsev, Nicolas
+ Douma, nikolas, Norbert Lange, pan93412, Pascal de Bruijn, Paul Menzel,
+ Pavel Hrdina, Peter Wu, Philip Withnall, Piotr Drąg, Rafael Fontenelle,
+ Renaud Métrich, Riccardo Schirone, RoadrunnerWMC, Ronan Pigott, Ryan
+ Attard, Sebastian Wick, Serge, Siddharth Chandrasekara, Steve Ramage,
+ Steve Traylen, Susant Sahani, Thibault Nélis, Tim Teichmann, Tom
+ Fitzhenry, Tommy J, Torsten Hilbrich, Vito Caputo, ypf791, Yu Watanabe,
+ Zach Smith, Zbigniew Jędrzejewski-Szmek
+
+ – Warsaw, 2019-11-29
+
+CHANGES WITH 243:
+
+ * This release enables unprivileged programs (i.e. requiring neither
+ setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests
+ by turning on the "net.ipv4.ping_group_range" sysctl of the Linux
+ kernel for the whole UNIX group range, i.e. all processes. This
+ change should be reasonably safe, as the kernel support for it was
+ specifically implemented to allow safe access to ICMP Echo for
+ processes lacking any privileges. If this is not desirable, it can be
+ disabled again by setting the parameter to "1 0".
+
+ * Previously, filters defined with SystemCallFilter= would have the
+ effect that any calling of an offending system call would terminate
+ the calling thread. This behaviour never made much sense, since
+ killing individual threads of unsuspecting processes is likely to
+ create more problems than it solves. With this release the default
+ action changed from killing the thread to killing the whole
+ process. For this to work correctly both a kernel version (>= 4.14)
+ and a libseccomp version (>= 2.4.0) supporting this new seccomp
+ action is required. If an older kernel or libseccomp is used the old
+ behaviour continues to be used. This change does not affect any
+ services that have no system call filters defined, or that use
+ SystemCallErrorNumber= (and thus see EPERM or another error instead
+ of being killed when calling an offending system call). Note that
+ systemd documentation always claimed that the whole process is
+ killed. With this change behaviour is thus adjusted to match the
+ documentation.
+
+ * On 64 bit systems, the "kernel.pid_max" sysctl is now bumped to
+ 4194304 by default, i.e. the full 22bit range the kernel allows, up
+ from the old 16bit range. This should improve security and
+ robustness, as PID collisions are made less likely (though certainly
+ still possible). There are rumours this might create compatibility
+ problems, though at this moment no practical ones are known to
+ us. Downstream distributions are hence advised to undo this change in
+ their builds if they are concerned about maximum compatibility, but
+ for everybody else we recommend leaving the value bumped. Besides
+ improving security and robustness this should also simplify things as
+ the maximum number of allowed concurrent tasks was previously bounded
+ by both "kernel.pid_max" and "kernel.threads-max" and now effectively
+ only a single knob is left ("kernel.threads-max"). There have been
+ concerns that usability is affected by this change because larger PID
+ numbers are harder to type, but we believe the change from 5 digits
+ to 7 digits doesn't hamper usability.
+
+ * MemoryLow= and MemoryMin= gained hierarchy-aware counterparts,
+ DefaultMemoryLow= and DefaultMemoryMin=, which can be used to
+ hierarchically set default memory protection values for a particular
+ subtree of the unit hierarchy.
+
+ * Memory protection directives can now take a value of zero, allowing
+ explicit opting out of a default value propagated by an ancestor.
+
+ * systemd now defaults to the "unified" cgroup hierarchy setup during
+ build-time, i.e. -Ddefault-hierarchy=unified is now the build-time
+ default. Previously, -Ddefault-hierarchy=hybrid was the default. This
+ change reflects the fact that cgroupsv2 support has matured
+ substantially in both systemd and in the kernel, and is clearly the
+ way forward. Downstream production distributions might want to
+ continue to use -Ddefault-hierarchy=hybrid (or even =legacy) for
+ their builds as unfortunately the popular container managers have not
+ caught up with the kernel API changes.
+
+ * Man pages are not built by default anymore (html pages were already
+ disabled by default), to make development builds quicker. When
+ building systemd for a full installation with documentation, meson
+ should be called with -Dman=true and/or -Dhtml=true as appropriate.
+ The default was changed based on the assumption that quick one-off or
+ repeated development builds are much more common than full optimized
+ builds for installation, and people need to pass various other
+ options to when doing "proper" builds anyway, so the gain from making
+ development builds quicker is bigger than the one time disruption for
+ packagers.
+
+ Two scripts are created in the *build* directory to generate and
+ preview man and html pages on demand, e.g.:
+
+ build/man/man systemctl
+ build/man/html systemd.index
+
+ * libidn2 is used by default if both libidn2 and libidn are installed.
+ Please use -Dlibidn=true if libidn is preferred.
+
+ * The D-Bus "wire format" of the CPUAffinity= attribute is changed on
+ big-endian machines. Before, bytes were written and read in native
+ machine order as exposed by the native libc __cpu_mask interface.
+ Now, little-endian order is always used (CPUs 0–7 are described by
+ bits 0–7 in byte 0, CPUs 8–15 are described by byte 1, and so on).
+ This change fixes D-Bus calls that cross endianness boundary.
+
+ The presentation format used for CPUAffinity= by "systemctl show" and
+ "systemd-analyze dump" is changed to present CPU indices instead of
+ the raw __cpu_mask bitmask. For example, CPUAffinity=0-1 would be
+ shown as CPUAffinity=03000000000000000000000000000… (on
+ little-endian) or CPUAffinity=00000000000000300000000000000… (on
+ 64-bit big-endian), and is now shown as CPUAffinity=0-1, matching the
+ input format. The maximum integer that will be printed in the new
+ format is 8191 (four digits), while the old format always used a very
+ long number (with the length varying by architecture), so they can be
+ unambiguously distinguished.
+
+ * /usr/sbin/halt.local is no longer supported. Implementation in
+ distributions was inconsistent and it seems this functionality was
+ very rarely used.
+
+ To replace this functionality, users should:
+ - either define a new unit and make it a dependency of final.target
+ (systemctl add-wants final.target my-halt-local.service)
+ - or move the shutdown script to /usr/lib/systemd/system-shutdown/
+ and ensure that it accepts "halt", "poweroff", "reboot", and
+ "kexec" as an argument, see the description in systemd-shutdown(8).
+
+ * When a [Match] section in .link or .network file is empty (contains
+ no match patterns), a warning will be emitted. Please add any "match
+ all" pattern instead, e.g. OriginalName=* or Name=* in case all
+ interfaces should really be matched.
+
+ * A new setting NUMAPolicy= may be used to set process memory
+ allocation policy. This setting can be specified in
+ /etc/systemd/system.conf and hence will set the default policy for
+ PID1. The default policy can be overridden on a per-service
+ basis. The related setting NUMAMask= is used to specify NUMA node
+ mask that should be associated with the selected policy.
+
+ * PID 1 will now listen to Out-Of-Memory (OOM) events the kernel
+ generates when processes it manages are reaching their memory limits,
+ and will place their units in a special state, and optionally kill or
+ stop the whole unit.
+
+ * The service manager will now expose bus properties for the IO
+ resources used by units. This information is also shown in "systemctl
+ status" now (for services that have IOAccounting=yes set). Moreover,
+ the IO accounting data is included in the resource log message
+ generated whenever a unit stops.
+
+ * Units may now configure an explicit timeout to wait for when killed
+ with SIGABRT, for example when a service watchdog is hit. Previously,
+ the regular TimeoutStopSec= timeout was applied in this case too —
+ now a separate timeout may be set using TimeoutAbortSec=.
+
+ * Services may now send a special WATCHDOG=trigger message with
+ sd_notify() to trigger an immediate "watchdog missed" event, and thus
+ trigger service termination. This is useful both for testing watchdog
+ handling, but also for defining error paths in services, that shall
+ be handled the same way as watchdog events.
+
+ * There are two new per-unit settings IPIngressFilterPath= and
+ IPEgressFilterPath= which allow configuration of a BPF program
+ (usually by specifying a path to a program uploaded to /sys/fs/bpf/)
+ to apply to the IP packet ingress/egress path of all processes of a
+ unit. This is useful to allow running systemd services with BPF
+ programs set up externally.
+
+ * systemctl gained a new "clean" verb for removing the state, cache,
+ runtime or logs directories of a service while it is terminated. The
+ new verb may also be used to remove the state maintained on disk for
+ timer units that have Persistent= configured.
+
+ * During the last phase of shutdown systemd will now automatically
+ increase the log level configured in the "kernel.printk" sysctl so
+ that any relevant loggable events happening during late shutdown are
+ made visible. Previously, loggable events happening so late during
+ shutdown were generally lost if the "kernel.printk" sysctl was set to
+ high thresholds, as regular logging daemons are terminated at that
+ time and thus nothing is written to disk.
+
+ * If processes terminated during the last phase of shutdown do not exit
+ quickly systemd will now show their names after a short time, to make
+ debugging easier. After a longer timeout they are forcibly killed,
+ as before.
+
+ * journalctl (and the other tools that display logs) will now highlight
+ warnings in yellow (previously, both LOG_NOTICE and LOG_WARNING where
+ shown in bright bold, now only LOG_NOTICE is). Moreover, audit logs
+ are now shown in blue color, to separate them visually from regular
+ logs. References to configuration files are now turned into clickable
+ links on terminals that support that.
+
+ * systemd-journald will now stop logging to /var/log/journal during
+ shutdown when /var/ is on a separate mount, so that it can be
+ unmounted safely during shutdown.
+
+ * systemd-resolved gained support for a new 'strict' DNS-over-TLS mode.
+
+ * systemd-resolved "Cache=" configuration option in resolved.conf has
+ been extended to also accept the 'no-negative' value. Previously,
+ only a boolean option was allowed (yes/no), having yes as the
+ default. If this option is set to 'no-negative', negative answers are
+ not cached while the old cache heuristics are used positive answers.
+ The default remains unchanged.
+
+ * The predictable naming scheme for network devices now supports
+ generating predictable names for "netdevsim" devices.
+
+ Moreover, the "en" prefix was dropped from the ID_NET_NAME_ONBOARD
+ udev property.
+
+ Those two changes form a new net.naming-policy-scheme= entry.
+ Distributions which want to preserve naming stability may want to set
+ the -Ddefault-net-naming-scheme= configuration option.
+
+ * systemd-networkd now supports MACsec, nlmon, IPVTAP and Xfrm
+ interfaces natively.
+
+ * systemd-networkd's bridge FDB support now allows configuration of a
+ destination address for each entry (Destination=), as well as the
+ VXLAN VNI (VNI=), as well as an option to declare what an entry is
+ associated with (AssociatedWith=).
+
+ * systemd-networkd's DHCPv4 support now understands a new MaxAttempts=
+ option for configuring the maximum number of DHCP lease requests. It
+ also learnt a new BlackList= option for deny-listing DHCP servers (a
+ similar setting has also been added to the IPv6 RA client), as well
+ as a SendRelease= option for configuring whether to send a DHCP
+ RELEASE message when terminating.
+
+ * systemd-networkd's DHCPv4 and DHCPv6 stacks can now be configured
+ separately in the [DHCPv4] and [DHCPv6] sections.
+
+ * systemd-networkd's DHCP support will now optionally create an
+ implicit host route to the DNS server specified in the DHCP lease, in
+ addition to the routes listed explicitly in the lease. This should
+ ensure that in multi-homed systems DNS traffic leaves the systems on
+ the interface that acquired the DNS server information even if other
+ routes such as default routes exist. This behaviour may be turned on
+ with the new RoutesToDNS= option.
+
+ * systemd-networkd's VXLAN support gained a new option
+ GenericProtocolExtension= for enabling VXLAN Generic Protocol
+ Extension support, as well as IPDoNotFragment= for setting the IP
+ "Don't fragment" bit on outgoing packets. A similar option has been
+ added to the GENEVE support.
+
+ * In systemd-networkd's [Route] section you may now configure
+ FastOpenNoCookie= for configuring per-route TCP fast-open support, as
+ well as TTLPropagate= for configuring Label Switched Path (LSP) TTL
+ propagation. The Type= setting now supports local, broadcast,
+ anycast, multicast, any, xresolve routes, too.
+
+ * systemd-networkd's [Network] section learnt a new option
+ DefaultRouteOnDevice= for automatically configuring a default route
+ onto the network device.
+
+ * systemd-networkd's bridging support gained two new options ProxyARP=
+ and ProxyARPWifi= for configuring proxy ARP behaviour as well as
+ MulticastRouter= for configuring multicast routing behaviour. A new
+ option MulticastIGMPVersion= may be used to change bridge's multicast
+ Internet Group Management Protocol (IGMP) version.
+
+ * systemd-networkd's FooOverUDP support gained the ability to configure
+ local and peer IP addresses via Local= and Peer=. A new option
+ PeerPort= may be used to configure the peer's IP port.
+
+ * systemd-networkd's TUN support gained a new setting VnetHeader= for
+ tweaking Generic Segment Offload support.
+
+ * The address family for policy rules may be specified using the new
+ Family= option in the [RoutingPolicyRule] section.
+
+ * networkctl gained a new "delete" command for removing virtual network
+ devices, as well as a new "--stats" switch for showing device
+ statistics.
+
+ * networkd.conf gained a new setting SpeedMeter= and
+ SpeedMeterIntervalSec=, to measure bitrate of network interfaces. The
+ measured speed may be shown by 'networkctl status'.
+
+ * "networkctl status" now displays MTU and queue lengths, and more
+ detailed information about VXLAN and bridge devices.
+
+ * systemd-networkd's .network and .link files gained a new Property=
+ setting in the [Match] section, to match against devices with
+ specific udev properties.
+
+ * systemd-networkd's tunnel support gained a new option
+ AssignToLoopback= for selecting whether to use the loopback device
+ "lo" as underlying device.
+
+ * systemd-networkd's MACAddress= setting in the [Neighbor] section has
+ been renamed to LinkLayerAddress=, and it now allows configuration of
+ IP addresses, too.
+
+ * systemd-networkd's handling of the kernel's disable_ipv6 sysctl is
+ simplified: systemd-networkd will disable the sysctl (enable IPv6) if
+ IPv6 configuration (static or DHCPv6) was found for a given
+ interface. It will not touch the sysctl otherwise.
+
+ * The order of entries is $PATH used by the user manager instance was
+ changed to put bin/ entries before the corresponding sbin/ entries.
+ It is recommended to not rely on this order, and only ever have one
+ binary with a given name in the system paths under /usr.
+
+ * A new tool systemd-network-generator has been added that may generate
+ .network, .netdev and .link files from IP configuration specified on
+ the kernel command line in the format used by Dracut.
+
+ * The CriticalConnection= setting in .network files is now deprecated,
+ and replaced by a new KeepConfiguration= setting which allows more
+ detailed configuration of the IP configuration to keep in place.
+
+ * systemd-analyze gained a few new verbs:
+
+ - "systemd-analyze timestamp" parses and converts timestamps. This is
+ similar to the existing "systemd-analyze calendar" command which
+ does the same for recurring calendar events.
+
+ - "systemd-analyze timespan" parses and converts timespans (i.e.
+ durations as opposed to points in time).
+
+ - "systemd-analyze condition" will parse and test ConditionXYZ=
+ expressions.
+
+ - "systemd-analyze exit-status" will parse and convert exit status
+ codes to their names and back.
+
+ - "systemd-analyze unit-files" will print a list of all unit
+ file paths and unit aliases.
+
+ * SuccessExitStatus=, RestartPreventExitStatus=, and
+ RestartForceExitStatus= now accept exit status names (e.g. "DATAERR"
+ is equivalent to "65"). Those exit status name mappings may be
+ displayed with the systemd-analyze exit-status verb describe above.
+
+ * systemd-logind now exposes a per-session SetBrightness() bus call,
+ which may be used to securely change the brightness of a kernel
+ brightness device, if it belongs to the session's seat. By using this
+ call unprivileged clients can make changes to "backlight" and "leds"
+ devices securely with strict requirements on session membership.
+ Desktop environments may use this to generically make brightness
+ changes to such devices without shipping private SUID binaries or
+ udev rules for that purpose.
+
+ * "udevadm info" gained a --wait-for-initialization switch to wait for
+ a device to be initialized.
+
+ * systemd-hibernate-resume-generator will now look for resumeflags= on
+ the kernel command line, which is similar to rootflags= and may be
+ used to configure device timeout for the hibernation device.
+
+ * sd-event learnt a new API call sd_event_source_disable_unref() for
+ disabling and unref'ing an event source in a single function. A
+ related call sd_event_source_disable_unrefp() has been added for use
+ with gcc's cleanup extension.
+
+ * The sd-id128.h public API gained a new definition
+ SD_ID128_UUID_FORMAT_STR for formatting a 128bit ID in UUID format
+ with printf().
+
+ * "busctl introspect" gained a new switch --xml-interface for dumping
+ XML introspection data unmodified.
+
+ * PID 1 may now show the unit name instead of the unit description
+ string in its status output during boot. This may be configured in
+ the StatusUnitFormat= setting in /etc/systemd/system.conf or the
+ kernel command line option systemd.status_unit_format=.
+
+ * PID 1 now understands a new option KExecWatchdogSec= in
+ /etc/systemd/system.conf to set a watchdog timeout for kexec reboots.
+ Previously watchdog functionality was only available for regular
+ reboots. The new setting defaults to off, because we don't know in
+ the general case if the watchdog will be reset after kexec (some
+ drivers do reset it, but not all), and the new userspace might not be
+ configured to handle the watchdog.
+
+ Moreover, the old ShutdownWatchdogSec= setting has been renamed to
+ RebootWatchdogSec= to more clearly communicate what it is about. The
+ old name is still accepted for compatibility.
+
+ * The systemd.debug_shell kernel command line option now optionally
+ takes a tty name to spawn the debug shell on, which allows a
+ different tty to be selected than the built-in default.
+
+ * Service units gained a new ExecCondition= setting which will run
+ before ExecStartPre= and either continue execution of the unit (for
+ clean exit codes), stop execution without marking the unit failed
+ (for exit codes 1 through 254), or stop execution and fail the unit
+ (for exit code 255 or abnormal termination).
+
+ * A new service systemd-pstore.service has been added that pulls data
+ from /sys/fs/pstore/ and saves it to /var/lib/pstore for later
+ review.
+
+ * timedatectl gained new verbs for configuring per-interface NTP
+ service configuration for systemd-timesyncd.
+
+ * "localectl list-locales" won't list non-UTF-8 locales anymore. It's
+ 2019. (You can set non-UTF-8 locales though, if you know their name.)
+
+ * If variable assignments in sysctl.d/ files are prefixed with "-" any
+ failures to apply them are now ignored.
+
+ * systemd-random-seed.service now optionally credits entropy when
+ applying the seed to the system. Set $SYSTEMD_RANDOM_SEED_CREDIT to
+ true for the service to enable this behaviour, but please consult the
+ documentation first, since this comes with a couple of caveats.
+
+ * systemd-random-seed.service is now a synchronization point for full
+ initialization of the kernel's entropy pool. Services that require
+ /dev/urandom to be correctly initialized should be ordered after this
+ service.
+
+ * The systemd-boot boot loader has been updated to optionally maintain
+ a random seed file in the EFI System Partition (ESP). During the boot
+ phase, this random seed is read and updated with a new seed
+ cryptographically derived from it. Another derived seed is passed to
+ the OS. The latter seed is then credited to the kernel's entropy pool
+ very early during userspace initialization (from PID 1). This allows
+ systems to boot up with a fully initialized kernel entropy pool from
+ earliest boot on, and thus entirely removes all entropy pool
+ initialization delays from systems using systemd-boot. Special care
+ is taken to ensure different seeds are derived on system images
+ replicated to multiple systems. "bootctl status" will show whether
+ a seed was received from the boot loader.
+
+ * bootctl gained two new verbs:
+
+ - "bootctl random-seed" will generate the file in ESP and an EFI
+ variable to allow a random seed to be passed to the OS as described
+ above.
+
+ - "bootctl is-installed" checks whether systemd-boot is currently
+ installed.
+
+ * bootctl will warn if it detects that boot entries are misconfigured
+ (for example if the kernel image was removed without purging the
+ bootloader entry).
+
+ * A new document has been added describing systemd's use and support
+ for the kernel's entropy pool subsystem:
+
+ https://systemd.io/RANDOM_SEEDS
+
+ * When the system is hibernated the swap device to write the
+ hibernation image to is now automatically picked from all available
+ swap devices, preferring the swap device with the highest configured
+ priority over all others, and picking the device with the most free
+ space if there are multiple devices with the highest priority.
+
+ * /etc/crypttab support has learnt a new keyfile-timeout= per-device
+ option that permits selecting the timeout how long to wait for a
+ device with an encryption key before asking for the password.
+
+ * IOWeight= has learnt to properly set the IO weight when using the
+ BFQ scheduler officially found in kernels 5.0+.
+
+ * A new mailing list has been created for reporting of security issues:
+ systemd-security@redhat.com. For mode details, see
+ https://systemd.io/CONTRIBUTING#security-vulnerability-reports.
+
+ Contributions from: Aaron Barany, Adrian Bunk, Alan Jenkins, Albrecht
+ Lohofener, Andrej Valek, Anita Zhang, Arian van Putten, Balint Reczey,
+ Bastien Nocera, Ben Boeckel, Benjamin Robin, camoz, Chen Qi, Chris
+ Chiu, Chris Down, Christian Göttsche, Christian Kellner, Clinton Roy,
+ Connor Reeder, Daniel Black, Daniel Lublin, Daniele Medri, Dan
+ Streetman, Dave Reisner, Dave Ross, David Art, David Tardon, Debarshi
+ Ray, Dimitri John Ledkov, Dominick Grift, Donald Buczek, Douglas
+ Christman, Eric DeVolder, EtherGraf, Evgeny Vereshchagin, Feldwor,
+ Felix Riemann, Florian Dollinger, Francesco Pennica, Franck Bui,
+ Frantisek Sumsal, Franz Pletz, frederik, Hans de Goede, Iago López
+ Galeiras, Insun Pyo, Ivan Shapovalov, Iwan Timmer, Jack, Jakob
+ Unterwurzacher, Jan Chren, Jan Klötzke, Jan Losinski, Jan Pokorný, Jan
+ Synacek, Jan-Michael Brummer, Jeka Pats, Jeremy Soller, Jérémy Rosen,
+ Jiri Pirko, Joe Lin, Joerg Behrmann, Joe Richey, Jóhann B. Guðmundsson,
+ Johannes Christ, Johannes Schmitz, Jonathan Rouleau, Jorge Niedbalski,
+ Jörg Thalheim, Kai Krakow, Kai Lüke, Karel Zak, Kashyap Chamarthy,
+ Krayushkin Konstantin, Lennart Poettering, Lubomir Rintel, Luca
+ Boccassi, Luís Ferreira, Marc-André Lureau, Markus Felten, Martin Pitt,
+ Matthew Leeds, Mattias Jernberg, Michael Biebl, Michael Olbrich,
+ Michael Prokop, Michael Stapelberg, Michael Zhivich, Michal Koutný,
+ Michal Sekletar, Mike Gilbert, Milan Broz, Miroslav Lichvar, mpe85,
+ Mr-Foo, Network Silence, Oliver Harley, pan93412, Paul Menzel, pEJipE,
+ Peter A. Bigot, Philip Withnall, Piotr Drąg, Rafael Fontenelle, Robert
+ Scheck, Roberto Santalla, Ronan Pigott, root, RussianNeuroMancer,
+ Sebastian Jennen, shinygold, Shreyas Behera, Simon Schricker, Susant
+ Sahani, Thadeu Lima de Souza Cascardo, Theo Ouzhinski, Thiebaud
+ Weksteen, Thomas Haller, Thomas Weißschuh, Tomas Mraz, Tommi Rantala,
+ Topi Miettinen, VD-Lycos, ven, Vladimir Yerilov, Wieland Hoffmann,
+ William A. Kennington III, William Wold, Xi Ruoyao, Yuri Chornoivan,
+ Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zhang Xianwei
+
+ – Camerino, 2019-09-03
+
+CHANGES WITH 242:
+
+ * In .link files, MACAddressPolicy=persistent (the default) is changed
+ to cover more devices. For devices like bridges, tun, tap, bond, and
+ similar interfaces that do not have other identifying information,
+ the interface name is used as the basis for persistent seed for MAC
+ and IPv4LL addresses. The way that devices that were handled
+ previously is not changed, and this change is about covering more
+ devices then previously by the "persistent" policy.
+
+ MACAddressPolicy=random may be used to force randomized MACs and
+ IPv4LL addresses for a device if desired.
+
+ Hint: the log output from udev (at debug level) was enhanced to
+ clarify what policy is followed and which attributes are used.
+ `SYSTEMD_LOG_LEVEL=debug udevadm test-builtin net_setup_link /sys/class/net/<name>`
+ may be used to view this.
+
+ Hint: if a bridge interface is created without any slaves, and gains
+ a slave later, then now the bridge does not inherit slave's MAC.
+ To inherit slave's MAC, for example, create the following file:
+ ```
+ # /etc/systemd/network/98-bridge-inherit-mac.link
+ [Match]
+ Type=bridge
+
+ [Link]
+ MACAddressPolicy=none
+ ```
+
+ * The .device units generated by systemd-fstab-generator and other
+ generators do not automatically pull in the corresponding .mount unit
+ as a Wants= dependency. This means that simply plugging in the device
+ will not cause the mount unit to be started automatically. But please
+ note that the mount unit may be started for other reasons, in
+ particular if it is part of local-fs.target, and any unit which
+ (transitively) depends on local-fs.target is started.
+
+ * networkctl list/status/lldp now accept globbing wildcards for network
+ interface names to match against all existing interfaces.
+
+ * The $PIDFILE environment variable is set to point the absolute path
+ configured with PIDFile= for processes of that service.
+
+ * The fallback DNS server list was augmented with Cloudflare public DNS
+ servers. Use `-Ddns-servers=` to set a different fallback.
+
+ * A new special target usb-gadget.target will be started automatically
+ when a USB Device Controller is detected (which means that the system
+ is a USB peripheral).
+
+ * A new unit setting CPUQuotaPeriodSec= assigns the time period
+ relatively to which the CPU time quota specified by CPUQuota= is
+ measured.
+
+ * A new unit setting ProtectHostname= may be used to prevent services
+ from modifying hostname information (even if they otherwise would
+ have privileges to do so).
+
+ * A new unit setting NetworkNamespacePath= may be used to specify a
+ namespace for service or socket units through a path referring to a
+ Linux network namespace pseudo-file.
+
+ * The PrivateNetwork= setting and JoinsNamespaceOf= dependencies now
+ have an effect on .socket units: when used the listening socket is
+ created within the configured network namespace instead of the host
+ namespace.
+
+ * ExecStart= command lines in unit files may now be prefixed with ':'
+ in which case environment variable substitution is
+ disabled. (Supported for the other ExecXYZ= settings, too.)
+
+ * .timer units gained two new boolean settings OnClockChange= and
+ OnTimezoneChange= which may be used to also trigger a unit when the
+ system clock is changed or the local timezone is
+ modified. systemd-run has been updated to make these options easily
+ accessible from the command line for transient timers.
+
+ * Two new conditions for units have been added: ConditionMemory= may be
+ used to conditionalize a unit based on installed system
+ RAM. ConditionCPUs= may be used to conditionalize a unit based on
+ installed CPU cores.
+
+ * The @default system call filter group understood by SystemCallFilter=
+ has been updated to include the new rseq() system call introduced in
+ kernel 4.15.
+
+ * A new time-set.target has been added that indicates that the system
+ time has been set from a local source (possibly imprecise). The
+ existing time-sync.target is stronger and indicates that the time has
+ been synchronized with a precise external source. Services where
+ approximate time is sufficient should use the new target.
+
+ * "systemctl start" (and related commands) learnt a new
+ --show-transaction option. If specified brief information about all
+ jobs queued because of the requested operation is shown.
+
+ * systemd-networkd recognizes a new operation state 'enslaved', used
+ (instead of 'degraded' or 'carrier') for interfaces which form a
+ bridge, bond, or similar, and an new 'degraded-carrier' operational
+ state used for the bond or bridge master interface when one of the
+ enslaved devices is not operational.
+
+ * .network files learnt the new IgnoreCarrierLoss= option for leaving
+ networks configured even if the carrier is lost.
+
+ * The RequiredForOnline= setting in .network files may now specify a
+ minimum operational state required for the interface to be considered
+ "online" by systemd-networkd-wait-online. Related to this
+ systemd-networkd-wait-online gained a new option --operational-state=
+ to configure the same, and its --interface= option was updated to
+ optionally also take an operational state specific for an interface.
+
+ * systemd-networkd-wait-online gained a new setting --any for waiting
+ for only one of the requested interfaces instead of all of them.
+
+ * systemd-networkd now implements L2TP tunnels.
+
+ * Two new .network settings UseAutonomousPrefix= and UseOnLinkPrefix=
+ may be used to cause autonomous and onlink prefixes received in IPv6
+ Router Advertisements to be ignored.
+
+ * New MulticastFlood=, NeighborSuppression=, and Learning= .network
+ file settings may be used to tweak bridge behaviour.
+
+ * The new TripleSampling= option in .network files may be used to
+ configure CAN triple sampling.
+
+ * A new .netdev settings PrivateKeyFile= and PresharedKeyFile= may be
+ used to point to private or preshared key for a WireGuard interface.
+
+ * /etc/crypttab now supports the same-cpu-crypt and
+ submit-from-crypt-cpus options to tweak encryption work scheduling
+ details.
+
+ * systemd-tmpfiles will now take a BSD file lock before operating on a
+ contents of directory. This may be used to temporarily exclude
+ directories from aging by taking the same lock (useful for example
+ when extracting a tarball into /tmp or /var/tmp as a privileged user,
+ which might create files with really old timestamps, which
+ nevertheless should not be deleted). For further details, see:
+
+ https://systemd.io/TEMPORARY_DIRECTORIES
+
+ * systemd-tmpfiles' h line type gained support for the
+ FS_PROJINHERIT_FL ('P') file attribute (introduced in kernel 4.5),
+ controlling project quota inheritance.
+
+ * sd-boot and bootctl now implement support for an Extended Boot Loader
+ (XBOOTLDR) partition, that is intended to be mounted to /boot, in
+ addition to the ESP partition mounted to /efi or /boot/efi.
+ Configuration file fragments, kernels, initrds and other EFI images
+ to boot will be loaded from both the ESP and XBOOTLDR partitions.
+ The XBOOTLDR partition was previously described by the Boot Loader
+ Specification, but implementation was missing in sd-boot. Support for
+ this concept allows using the sd-boot boot loader in more
+ conservative scenarios where the boot loader itself is placed in the
+ ESP but the kernels to boot (and their metadata) in a separate
+ partition.
+
+ * A system may now be booted with systemd.volatile=overlay on the
+ kernel command line, which causes the root file system to be set up
+ an overlayfs mount combining the root-only root directory with a
+ writable tmpfs. In this setup, the underlying root device is not
+ modified, and any changes are lost at reboot.
+
+ * Similar, systemd-nspawn can now boot containers with a volatile
+ overlayfs root with the new --volatile=overlay switch.
+
+ * systemd-nspawn can now consume OCI runtime bundles using a new
+ --oci-bundle= option. This implementation is fully usable, with most
+ features in the specification implemented, but since this a lot of
+ new code and functionality, this feature should most likely not
+ be used in production yet.
+
+ * systemd-nspawn now supports various options described by the OCI
+ runtime specification on the command-line and in .nspawn files:
+ --inaccessible=/Inaccessible= may be used to mask parts of the file
+ system tree, --console=/--pipe may be used to configure how standard
+ input, output, and error are set up.
+
+ * busctl learned the `emit` verb to generate D-Bus signals.
+
+ * systemd-analyze cat-config may be used to gather and display
+ configuration spread over multiple files, for example system and user
+ presets, tmpfiles.d, sysusers.d, udev rules, etc.
+
+ * systemd-analyze calendar now takes an optional new parameter
+ --iterations= which may be used to show a maximum number of iterations
+ the specified expression will elapse next.
+
+ * The sd-bus C API gained support for naming method parameters in the
+ introspection data.
+
+ * systemd-logind gained D-Bus APIs to specify the "reboot parameter"
+ the reboot() system call expects.
+
+ * journalctl learnt a new --cursor-file= option that points to a file
+ from which a cursor should be loaded in the beginning and to which
+ the updated cursor should be stored at the end.
+
+ * ACRN hypervisor and Windows Subsystem for Linux (WSL) are now
+ detected by systemd-detect-virt (and may also be used in
+ ConditionVirtualization=).
+
+ * The behaviour of systemd-logind may now be modified with environment
+ variables $SYSTEMD_REBOOT_TO_FIRMWARE_SETUP,
+ $SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU, and
+ $SYSTEMD_REBOOT_TO_BOOT_LOADER_ENTRY. They cause logind to either
+ skip the relevant operation completely (when set to false), or to
+ create a flag file in /run/systemd (when set to true), instead of
+ actually commencing the real operation when requested. The presence
+ of /run/systemd/reboot-to-firmware-setup,
+ /run/systemd/reboot-to-boot-loader-menu, and
+ /run/systemd/reboot-to-boot-loader-entry, may be used by alternative
+ boot loader implementations to replace some steps logind performs
+ during reboot with their own operations.
+
+ * systemctl can be used to request a reboot into the boot loader menu
+ or a specific boot loader entry with the new --boot-load-menu= and
+ --boot-loader-entry= options to a reboot command. (This requires a
+ boot loader that supports this, for example sd-boot.)
+
+ * kernel-install will no longer unconditionally create the output
+ directory (e.g. /efi/<machine-id>/<kernel-version>) for boot loader
+ snippets, but will do only if the machine-specific parent directory
+ (i.e. /efi/<machine-id>/) already exists. bootctl has been modified
+ to create this parent directory during sd-boot installation.
+
+ This makes it easier to use kernel-install with plugins which support
+ a different layout of the bootloader partitions (for example grub2).
+
+ * During package installation (with `ninja install`), we would create
+ symlinks for getty@tty1.service, systemd-networkd.service,
+ systemd-networkd.socket, systemd-resolved.service,
+ remote-cryptsetup.target, remote-fs.target,
+ systemd-networkd-wait-online.service, and systemd-timesyncd.service
+ in /etc, as if `systemctl enable` was called for those units, to make
+ the system usable immediately after installation. Now this is not
+ done anymore, and instead calling `systemctl preset-all` is
+ recommended after the first installation of systemd.
+
+ * A new boolean sandboxing option RestrictSUIDSGID= has been added that
+ is built on seccomp. When turned on creation of SUID/SGID files is
+ prohibited.
+
+ * The NoNewPrivileges= and the new RestrictSUIDSGID= options are now
+ implied if DynamicUser= is turned on for a service. This hardens
+ these services, so that they neither can benefit from nor create
+ SUID/SGID executables. This is a minor compatibility breakage, given
+ that when DynamicUser= was first introduced SUID/SGID behaviour was
+ unaffected. However, the security benefit of these two options is
+ substantial, and the setting is still relatively new, hence we opted
+ to make it mandatory for services with dynamic users.
+
+ Contributions from: Adam Jackson, Alexander Tsoy, Andrey Yashkin,
+ Andrzej Pietrasiewicz, Anita Zhang, Balint Reczey, Beniamino Galvani,
+ Ben Iofel, Benjamin Berg, Benjamin Dahlhoff, Chris, Chris Morin,
+ Christopher Wong, Claudius Ellsel, Clemens Gruber, dana, Daniel Black,
+ Davide Cavalca, David Michael, David Rheinsberg, emersion, Evgeny
+ Vereshchagin, Filipe Brandenburger, Franck Bui, Frantisek Sumsal,
+ Giacinto Cifelli, Hans de Goede, Hugo Kindel, Ignat Korchagin, Insun
+ Pyo, Jan Engelhardt, Jonas Dorel, Jonathan Lebon, Jonathon Kowalski,
+ Jörg Sommer, Jörg Thalheim, Jussi Pakkanen, Kai-Heng Feng, Lennart
+ Poettering, Lubomir Rintel, Luís Ferreira, Martin Pitt, Matthias
+ Klumpp, Michael Biebl, Michael Niewöhner, Michael Olbrich, Michal
+ Sekletar, Mike Lothian, Paul Menzel, Piotr Drąg, Riccardo Schirone,
+ Robin Elvedi, Roman Kulikov, Ronald Tschalär, Ross Burton, Ryan
+ Gonzalez, Sebastian Krzyszkowiak, Stephane Chazelas, StKob, Susant
+ Sahani, Sylvain Plantefève, Szabolcs Fruhwald, Taro Yamada, Theo
+ Ouzhinski, Thomas Haller, Tobias Jungel, Tom Yan, Tony Asleson, Topi
+ Miettinen, unixsysadmin, Van Laser, Vesa Jääskeläinen, Yu, Li-Yu,
+ Yu Watanabe, Zbigniew Jędrzejewski-Szmek
+
+ — Warsaw, 2019-04-11
+
+CHANGES WITH 241:
+
+ * The default locale can now be configured at compile time. Otherwise,
+ a suitable default will be selected automatically (one of C.UTF-8,
+ en_US.UTF-8, and C).
+
+ * The version string shown by systemd and other tools now includes the
+ git commit hash when built from git. An override may be specified
+ during compilation, which is intended to be used by distributions to
+ include the package release information.
+
+ * systemd-cat can now filter standard input and standard error streams
+ for different syslog priorities using the new --stderr-priority=
+ option.
+
+ * systemd-journald and systemd-journal-remote reject entries which
+ contain too many fields (CVE-2018-16865) and set limits on the
+ process' command line length (CVE-2018-16864).
+
+ * $DBUS_SESSION_BUS_ADDRESS environment variable is set by pam_systemd
+ again.
+
+ * A new network device NamePolicy "keep" is implemented for link files,
+ and used by default in 99-default.link (the fallback configuration
+ provided by systemd). With this policy, if the network device name
+ was already set by userspace, the device will not be renamed again.
+ This matches the naming scheme that was implemented before
+ systemd-240. If naming-scheme < 240 is specified, the "keep" policy
+ is also enabled by default, even if not specified. Effectively, this
+ means that if naming-scheme >= 240 is specified, network devices will
+ be renamed according to the configuration, even if they have been
+ renamed already, if "keep" is not specified as the naming policy in
+ the .link file. The 99-default.link file provided by systemd includes
+ "keep" for backwards compatibility, but it is recommended for user
+ installed .link files to *not* include it.
+
+ The "kernel" policy, which keeps kernel names declared to be
+ "persistent", now works again as documented.
+
+ * kernel-install script now optionally takes the paths to one or more
+ initrd files, and passes them to all plugins.
+
+ * The mincore() system call has been dropped from the @system-service
+ system call filter group, as it is pretty exotic and may potentially
+ used for side-channel attacks.
+
+ * -fPIE is dropped from compiler and linker options. Please specify
+ -Db_pie=true option to meson to build position-independent
+ executables. Note that the meson option is supported since meson-0.49.
+
+ * The fs.protected_regular and fs.protected_fifos sysctls, which were
+ added in Linux 4.19 to make some data spoofing attacks harder, are
+ now enabled by default. While this will hopefully improve the
+ security of most installations, it is technically a backwards
+ incompatible change; to disable these sysctls again, place the
+ following lines in /etc/sysctl.d/60-protected.conf or a similar file:
+
+ fs.protected_regular = 0
+ fs.protected_fifos = 0
+
+ Note that the similar hardlink and symlink protection has been
+ enabled since v199, and may be disabled likewise.
+
+ * The files read from the EnvironmentFile= setting in unit files now
+ parse backslashes inside quotes literally, matching the behaviour of
+ POSIX shells.
+
+ * udevadm trigger, udevadm control, udevadm settle and udevadm monitor
+ now automatically become NOPs when run in a chroot() environment.
+
+ * The tmpfiles.d/ "C" line type will now copy directory trees not only
+ when the destination is so far missing, but also if it already exists
+ as a directory and is empty. This is useful to cater for systems
+ where directory trees are put together from multiple separate mount
+ points but otherwise empty.
+
+ * A new function sd_bus_close_unref() (and the associated
+ sd_bus_close_unrefp()) has been added to libsystemd, that combines
+ sd_bus_close() and sd_bus_unref() in one.
+
+ * udevadm control learnt a new option for --ping for testing whether a
+ systemd-udevd instance is running and reacting.
+
+ * udevadm trigger learnt a new option for --wait-daemon for waiting
+ systemd-udevd daemon to be initialized.
+
+ Contributions from: Aaron Plattner, Alberts Muktupāvels, Alex Mayer,
+ Ayman Bagabas, Beniamino Galvani, Burt P, Chris Down, Chris Lamb, Chris
+ Morin, Christian Hesse, Claudius Ellsel, dana, Daniel Axtens, Daniele
+ Medri, Dave Reisner, David Santamaría Rogado, Diego Canuhe, Dimitri
+ John Ledkov, Evgeny Vereshchagin, Fabrice Fontaine, Filipe
+ Brandenburger, Franck Bui, Frantisek Sumsal, govwin, Hans de Goede,
+ James Hilliard, Jan Engelhardt, Jani Uusitalo, Jan Janssen, Jan
+ Synacek, Jonathan McDowell, Jonathan Roemer, Jonathon Kowalski, Joost
+ Heitbrink, Jörg Thalheim, Lance, Lennart Poettering, Louis Taylor,
+ Lucas Werkmeister, Mantas Mikulėnas, Marc-Antoine Perennou,
+ marvelousblack, Michael Biebl, Michael Sloan, Michal Sekletar, Mike
+ Auty, Mike Gilbert, Mikhail Kasimov, Neil Brown, Niklas Hambüchen,
+ Patrick Williams, Paul Seyfert, Peter Hutterer, Philip Withnall, Roger
+ James, Ronnie P. Thomas, Ryan Gonzalez, Sam Morris, Stephan Edel,
+ Stephan Gerhold, Susant Sahani, Taro Yamada, Thomas Haller, Topi
+ Miettinen, YiFei Zhu, YmrDtnJu, YunQiang Su, Yu Watanabe, Zbigniew
+ Jędrzejewski-Szmek, zsergeant77, Дамјан Георгиевски
+
+ — Berlin, 2019-02-14
+
+CHANGES WITH 240:
+
+ * NoNewPrivileges=yes has been set for all long-running services
+ implemented by systemd. Previously, this was problematic due to
+ SELinux (as this would also prohibit the transition from PID1's label
+ to the service's label). This restriction has since been lifted, but
+ an SELinux policy update is required.
+ (See e.g. https://github.com/fedora-selinux/selinux-policy/pull/234.)
+
+ * DynamicUser=yes is dropped from systemd-networkd.service,
+ systemd-resolved.service and systemd-timesyncd.service, which was
+ enabled in v239 for systemd-networkd.service and systemd-resolved.service,
+ and since v236 for systemd-timesyncd.service. The users and groups
+ systemd-network, systemd-resolve and systemd-timesync are created
+ by systemd-sysusers again. Distributors or system administrators
+ may need to create these users and groups if they not exist (or need
+ to re-enable DynamicUser= for those units) while upgrading systemd.
+ Also, the clock file for systemd-timesyncd may need to move from
+ /var/lib/private/systemd/timesync/clock to /var/lib/systemd/timesync/clock.
+
+ * When unit files are loaded from disk, previously systemd would
+ sometimes (depending on the unit loading order) load units from the
+ target path of symlinks in .wants/ or .requires/ directories of other
+ units. This meant that unit could be loaded from different paths
+ depending on whether the unit was requested explicitly or as a
+ dependency of another unit, not honouring the priority of directories
+ in search path. It also meant that it was possible to successfully
+ load and start units which are not found in the unit search path, as
+ long as they were requested as a dependency and linked to from
+ .wants/ or .requires/. The target paths of those symlinks are not
+ used for loading units anymore and the unit file must be found in
+ the search path.
+
+ * A new service type has been added: Type=exec. It's very similar to
+ Type=simple but ensures the service manager will wait for both fork()
+ and execve() of the main service binary to complete before proceeding
+ with follow-up units. This is primarily useful so that the manager
+ propagates any errors in the preparation phase of service execution
+ back to the job that requested the unit to be started. For example,
+ consider a service that has ExecStart= set to a file system binary
+ that doesn't exist. With Type=simple starting the unit would be
+ considered instantly successful, as only fork() has to complete
+ successfully and the manager does not wait for execve(), and hence
+ its failure is seen "too late". With the new Type=exec service type
+ starting the unit will fail, as the manager will wait for the
+ execve() and notice its failure, which is then propagated back to the
+ start job.
+
+ NOTE: with the next release 241 of systemd we intend to change the
+ systemd-run tool to default to Type=exec for transient services
+ started by it. This should be mostly safe, but in specific corner
+ cases might result in problems, as the systemd-run tool will then
+ block on NSS calls (such as user name look-ups due to User=) done
+ between the fork() and execve(), which under specific circumstances
+ might cause problems. It is recommended to specify "-p Type=simple"
+ explicitly in the few cases where this applies. For regular,
+ non-transient services (i.e. those defined with unit files on disk)
+ we will continue to default to Type=simple.
+
+ * The Linux kernel's current default RLIMIT_NOFILE resource limit for
+ userspace processes is set to 1024 (soft) and 4096
+ (hard). Previously, systemd passed this on unmodified to all
+ processes it forked off. With this systemd release the hard limit
+ systemd passes on is increased to 512K, overriding the kernel's
+ defaults and substantially increasing the number of simultaneous file
+ descriptors unprivileged userspace processes can allocate. Note that
+ the soft limit remains at 1024 for compatibility reasons: the
+ traditional UNIX select() call cannot deal with file descriptors >=
+ 1024 and increasing the soft limit globally might thus result in
+ programs unexpectedly allocating a high file descriptor and thus
+ failing abnormally when attempting to use it with select() (of
+ course, programs shouldn't use select() anymore, and prefer
+ poll()/epoll, but the call unfortunately remains undeservedly popular
+ at this time). This change reflects the fact that file descriptor
+ handling in the Linux kernel has been optimized in more recent
+ kernels and allocating large numbers of them should be much cheaper
+ both in memory and in performance than it used to be. Programs that
+ want to take benefit of the increased limit have to "opt-in" into
+ high file descriptors explicitly by raising their soft limit. Of
+ course, when they do that they must acknowledge that they cannot use
+ select() anymore (and neither can any shared library they use — or
+ any shared library used by any shared library they use and so on).
+ Which default hard limit is most appropriate is of course hard to
+ decide. However, given reports that ~300K file descriptors are used
+ in real-life applications we believe 512K is sufficiently high as new
+ default for now. Note that there are also reports that using very
+ high hard limits (e.g. 1G) is problematic: some software allocates
+ large arrays with one element for each potential file descriptor
+ (Java, …) — a high hard limit thus triggers excessively large memory
+ allocations in these applications. Hopefully, the new default of 512K
+ is a good middle ground: higher than what real-life applications
+ currently need, and low enough for avoid triggering excessively large
+ allocations in problematic software. (And yes, somebody should fix
+ Java.)
+
+ * The fs.nr_open and fs.file-max sysctls are now automatically bumped
+ to the highest possible values, as separate accounting of file
+ descriptors is no longer necessary, as memcg tracks them correctly as
+ part of the memory accounting anyway. Thus, from the four limits on
+ file descriptors currently enforced (fs.file-max, fs.nr_open,
+ RLIMIT_NOFILE hard, RLIMIT_NOFILE soft) we turn off the first two,
+ and keep only the latter two. A set of build-time options
+ (-Dbump-proc-sys-fs-file-max=false and -Dbump-proc-sys-fs-nr-open=false)
+ has been added to revert this change in behaviour, which might be
+ an option for systems that turn off memcg in the kernel.
+
+ * When no /etc/locale.conf file exists (and hence no locale settings
+ are in place), systemd will now use the "C.UTF-8" locale by default,
+ and set LANG= to it. This locale is supported by various
+ distributions including Fedora, with clear indications that upstream
+ glibc is going to make it available too. This locale enables UTF-8
+ mode by default, which appears appropriate for 2018.
+
+ * The "net.ipv4.conf.all.rp_filter" sysctl will now be set to 2 by
+ default. This effectively switches the RFC3704 Reverse Path filtering
+ from Strict mode to Loose mode. This is more appropriate for hosts
+ that have multiple links with routes to the same networks (e.g.
+ a client with a Wi-Fi and Ethernet both connected to the internet).
+
+ Consult the kernel documentation for details on this sysctl:
+ https://docs.kernel.org/networking/ip-sysctl.html
+
+ * The v239 change to turn on "net.ipv4.tcp_ecn" by default has been
+ reverted.
+
+ * CPUAccounting=yes no longer enables the CPU controller when using
+ kernel 4.15+ and the unified cgroup hierarchy, as required accounting
+ statistics are now provided independently from the CPU controller.
+
+ * Support for disabling a particular cgroup controller within a sub-tree
+ has been added through the DisableControllers= directive.
+
+ * cgroup_no_v1=all on the kernel command line now also implies
+ using the unified cgroup hierarchy, unless one explicitly passes
+ systemd.unified_cgroup_hierarchy=0 on the kernel command line.
+
+ * The new "MemoryMin=" unit file property may now be used to set the
+ memory usage protection limit of processes invoked by the unit. This
+ controls the cgroup v2 memory.min attribute. Similarly, the new
+ "IODeviceLatencyTargetSec=" property has been added, wrapping the new
+ cgroup v2 io.latency cgroup property for configuring per-service I/O
+ latency.
+
+ * systemd now supports the cgroup v2 devices BPF logic, as counterpart
+ to the cgroup v1 "devices" cgroup controller.
+
+ * systemd-escape now is able to combine --unescape with --template. It
+ also learnt a new option --instance for extracting and unescaping the
+ instance part of a unit name.
+
+ * sd-bus now provides the sd_bus_message_readv() which is similar to
+ sd_bus_message_read() but takes a va_list object. The pair
+ sd_bus_set_method_call_timeout() and sd_bus_get_method_call_timeout()
+ has been added for configuring the default method call timeout to
+ use. sd_bus_error_move() may be used to efficiently move the contents
+ from one sd_bus_error structure to another, invalidating the
+ source. sd_bus_set_close_on_exit() and sd_bus_get_close_on_exit() may
+ be used to control whether a bus connection object is automatically
+ flushed when an sd-event loop is exited.
+
+ * When processing classic BSD syslog log messages, journald will now
+ save the original time-stamp string supplied in the new
+ SYSLOG_TIMESTAMP= journal field. This permits consumers to
+ reconstruct the original BSD syslog message more correctly.
+
+ * StandardOutput=/StandardError= in service files gained support for
+ new "append:…" parameters, for connecting STDOUT/STDERR of a service
+ to a file, and appending to it.
+
+ * The signal to use as last step of killing of unit processes is now
+ configurable. Previously it was hard-coded to SIGKILL, which may now
+ be overridden with the new KillSignal= setting. Note that this is the
+ signal used when regular termination (i.e. SIGTERM) does not suffice.
+ Similarly, the signal used when aborting a program in case of a
+ watchdog timeout may now be configured too (WatchdogSignal=).
+
+ * The XDG_SESSION_DESKTOP environment variable may now be configured in
+ the pam_systemd argument line, using the new desktop= switch. This is
+ useful to initialize it properly from a display manager without
+ having to touch C code.
+
+ * Most configuration options that previously accepted percentage values
+ now also accept permille values with the '‰' suffix (instead of '%').
+
+ * systemd-resolved may now optionally use OpenSSL instead of GnuTLS for
+ DNS-over-TLS.
+
+ * systemd-resolved's configuration file resolved.conf gained a new
+ option ReadEtcHosts= which may be used to turn off processing and
+ honoring /etc/hosts entries.
+
+ * The "--wait" switch may now be passed to "systemctl
+ is-system-running", in which case the tool will synchronously wait
+ until the system finished start-up.
+
+ * hostnamed gained a new bus call to determine the DMI product UUID.
+
+ * On x86-64 systemd will now prefer using the RDRAND processor
+ instruction over /dev/urandom whenever it requires randomness that
+ neither has to be crypto-grade nor should be reproducible. This
+ should substantially reduce the amount of entropy systemd requests
+ from the kernel during initialization on such systems, though not
+ reduce it to zero. (Why not zero? systemd still needs to allocate
+ UUIDs and such uniquely, which require high-quality randomness.)
+
+ * networkd gained support for Foo-Over-UDP, ERSPAN and ISATAP
+ tunnels. It also gained a new option ForceDHCPv6PDOtherInformation=
+ for forcing the "Other Information" bit in IPv6 RA messages. The
+ bonding logic gained four new options AdActorSystemPriority=,
+ AdUserPortKey=, AdActorSystem= for configuring various 802.3ad
+ aspects, and DynamicTransmitLoadBalancing= for enabling dynamic
+ shuffling of flows. The tunnel logic gained a new
+ IPv6RapidDeploymentPrefix= option for configuring IPv6 Rapid
+ Deployment. The policy rule logic gained four new options IPProtocol=,
+ SourcePort= and DestinationPort=, InvertRule=. The bridge logic gained
+ support for the MulticastToUnicast= option. networkd also gained
+ support for configuring static IPv4 ARP or IPv6 neighbor entries.
+
+ * .preset files (as read by 'systemctl preset') may now be used to
+ instantiate services.
+
+ * /etc/crypttab now understands the sector-size= option to configure
+ the sector size for an encrypted partition.
+
+ * Key material for encrypted disks may now be placed on a formatted
+ medium, and referenced from /etc/crypttab by the UUID of the file
+ system, followed by "=" suffixed by the path to the key file.
+
+ * The "collect" udev component has been removed without replacement, as
+ it is neither used nor maintained.
+
+ * When the RuntimeDirectory=, StateDirectory=, CacheDirectory=,
+ LogsDirectory=, ConfigurationDirectory= settings are used in a
+ service the executed processes will now receive a set of environment
+ variables containing the full paths of these directories.
+ Specifically, RUNTIME_DIRECTORY=, STATE_DIRECTORY, CACHE_DIRECTORY,
+ LOGS_DIRECTORY, CONFIGURATION_DIRECTORY are now set if these options
+ are used. Note that these options may be used multiple times per
+ service in which case the resulting paths will be concatenated and
+ separated by colons.
+
+ * Predictable interface naming has been extended to cover InfiniBand
+ NICs. They will be exposed with an "ib" prefix.
+
+ * tmpfiles.d/ line types may now be suffixed with a '-' character, in
+ which case the respective line failing is ignored.
+
+ * .link files may now be used to configure the equivalent to the
+ "ethtool advertise" commands.
+
+ * The sd-device.h and sd-hwdb.h APIs are now exported, as an
+ alternative to libudev.h. Previously, the latter was just an internal
+ wrapper around the former, but now these two APIs are exposed
+ directly.
+
+ * sd-id128.h gained a new function sd_id128_get_boot_app_specific()
+ which calculates an app-specific boot ID similar to how
+ sd_id128_get_machine_app_specific() generates an app-specific machine
+ ID.
+
+ * A new tool systemd-id128 has been added that can be used to determine
+ and generate various 128bit IDs.
+
+ * /etc/os-release gained two new standardized fields DOCUMENTATION_URL=
+ and LOGO=.
+
+ * systemd-hibernate-resume-generator will now honor the "noresume"
+ kernel command line option, in which case it will bypass resuming
+ from any hibernated image.
+
+ * The systemd-sleep.conf configuration file gained new options
+ AllowSuspend=, AllowHibernation=, AllowSuspendThenHibernate=,
+ AllowHybridSleep= for prohibiting specific sleep modes even if the
+ kernel exports them.
+
+ * portablectl is now officially supported and has thus moved to
+ /usr/bin/.
+
+ * bootctl learnt the two new commands "set-default" and "set-oneshot"
+ for setting the default boot loader item to boot to (either
+ persistently or only for the next boot). This is currently only
+ compatible with sd-boot, but may be implemented on other boot loaders
+ too, that follow the boot loader interface. The updated interface is
+ now documented here:
+
+ https://systemd.io/BOOT_LOADER_INTERFACE
+
+ * A new kernel command line option systemd.early_core_pattern= is now
+ understood which may be used to influence the core_pattern PID 1
+ installs during early boot.
+
+ * busctl learnt two new options -j and --json= for outputting method
+ call replies, properties and monitoring output in JSON.
+
+ * journalctl's JSON output now supports simple ANSI coloring as well as
+ a new "json-seq" mode for generating RFC7464 output.
+
+ * Unit files now support the %g/%G specifiers that resolve to the UNIX
+ group/GID of the service manager runs as, similar to the existing
+ %u/%U specifiers that resolve to the UNIX user/UID.
+
+ * systemd-logind learnt a new global configuration option
+ UserStopDelaySec= that may be set in logind.conf. It specifies how
+ long the systemd --user instance shall remain started after a user
+ logs out. This is useful to speed up repetitive re-connections of the
+ same user, as it means the user's service manager doesn't have to be
+ stopped/restarted on each iteration, but can be reused between
+ subsequent options. This setting defaults to 10s. systemd-logind also
+ exports two new properties on its Manager D-Bus objects indicating
+ whether the system's lid is currently closed, and whether the system
+ is on AC power.
+
+ * systemd gained support for a generic boot counting logic, which
+ generically permits automatic reverting to older boot loader entries
+ if newer updated ones don't work. The boot loader side is implemented
+ in sd-boot, but is kept open for other boot loaders too. For details
+ see:
+
+ https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT
+
+ * The SuccessAction=/FailureAction= unit file settings now learnt two
+ new parameters: "exit" and "exit-force", which result in immediate
+ exiting of the service manager, and are only useful in systemd --user
+ and container environments.
+
+ * Unit files gained support for a pair of options
+ FailureActionExitStatus=/SuccessActionExitStatus= for configuring the
+ exit status to use as service manager exit status when
+ SuccessAction=/FailureAction= is set to exit or exit-force.
+
+ * A pair of LogRateLimitIntervalSec=/LogRateLimitBurst= per-service
+ options may now be used to configure the log rate limiting applied by
+ journald per-service.
+
+ * systemd-analyze gained a new verb "timespan" for parsing and
+ normalizing time span values (i.e. strings like "5min 7s 8us").
+
+ * systemd-analyze also gained a new verb "security" for analyzing the
+ security and sand-boxing settings of services in order to determine an
+ "exposure level" for them, indicating whether a service would benefit
+ from more sand-boxing options turned on for them.
+
+ * "systemd-analyze syscall-filter" will now also show system calls
+ supported by the local kernel but not included in any of the defined
+ groups.
+
+ * .nspawn files now understand the Ephemeral= setting, matching the
+ --ephemeral command line switch.
+
+ * sd-event gained the new APIs sd_event_source_get_floating() and
+ sd_event_source_set_floating() for controlling whether a specific
+ event source is "floating", i.e. destroyed along with the even loop
+ object itself.
+
+ * Unit objects on D-Bus gained a new "Refs" property that lists all
+ clients that currently have a reference on the unit (to ensure it is
+ not unloaded).
+
+ * The JoinControllers= option in system.conf is no longer supported, as
+ it didn't work correctly, is hard to support properly, is legacy (as
+ the concept only exists on cgroup v1) and apparently wasn't used.
+
+ * Journal messages that are generated whenever a unit enters the failed
+ state are now tagged with a unique MESSAGE_ID. Similarly, messages
+ generated whenever a service process exits are now made recognizable,
+ too. A tagged message is also emitted whenever a unit enters the
+ "dead" state on success.
+
+ * systemd-run gained a new switch --working-directory= for configuring
+ the working directory of the service to start. A shortcut -d is
+ equivalent, setting the working directory of the service to the
+ current working directory of the invoking program. The new --shell
+ (or just -S) option has been added for invoking the $SHELL of the
+ caller as a service, and implies --pty --same-dir --wait --collect
+ --service-type=exec. Or in other words, "systemd-run -S" is now the
+ quickest way to quickly get an interactive in a fully clean and
+ well-defined system service context.
+
+ * machinectl gained a new verb "import-fs" for importing an OS tree
+ from a directory. Moreover, when a directory or tarball is imported
+ and single top-level directory found with the OS itself below the OS
+ tree is automatically mangled and moved one level up.
+
+ * systemd-importd will no longer set up an implicit btrfs loop-back
+ file system on /var/lib/machines. If one is already set up, it will
+ continue to be used.
+
+ * A new generator "systemd-run-generator" has been added. It will
+ synthesize a unit from one or more program command lines included in
+ the kernel command line. This is very useful in container managers
+ for example:
+
+ # systemd-nspawn -i someimage.raw -b systemd.run='"some command line"'
+
+ This will run "systemd-nspawn" on an image, invoke the specified
+ command line and immediately shut down the container again, returning
+ the command line's exit code.
+
+ * The block device locking logic is now documented:
+
+ https://systemd.io/BLOCK_DEVICE_LOCKING
+
+ * loginctl and machinectl now optionally output the various tables in
+ JSON using the --output= switch. It is our intention to add similar
+ support to systemctl and all other commands.
+
+ * udevadm's query and trigger verb now optionally take a .device unit
+ name as argument.
+
+ * systemd-udevd's network naming logic now understands a new
+ net.naming-scheme= kernel command line switch, which may be used to
+ pick a specific version of the naming scheme. This helps stabilizing
+ interface names even as systemd/udev are updated and the naming logic
+ is improved.
+
+ * sd-id128.h learnt two new auxiliary helpers: sd_id128_is_allf() and
+ SD_ID128_ALLF to test if a 128bit ID is set to all 0xFF bytes, and to
+ initialize one to all 0xFF.
+
+ * After loading the SELinux policy systemd will now recursively relabel
+ all files and directories listed in
+ /run/systemd/relabel-extra.d/*.relabel (which should be simple
+ newline separated lists of paths) in addition to the ones it already
+ implicitly relabels in /run, /dev and /sys. After the relabelling is
+ completed the *.relabel files (and /run/systemd/relabel-extra.d/) are
+ removed. This is useful to permit initrds (i.e. code running before
+ the SELinux policy is in effect) to generate files in the host
+ filesystem safely and ensure that the correct label is applied during
+ the transition to the host OS.
+
+ * KERNEL API BREAKAGE: Linux kernel 4.18 changed behaviour regarding
+ mknod() handling in user namespaces. Previously mknod() would always
+ fail with EPERM in user namespaces. Since 4.18 mknod() will succeed
+ but device nodes generated that way cannot be opened, and attempts to
+ open them result in EPERM. This breaks the "graceful fallback" logic
+ in systemd's PrivateDevices= sand-boxing option. This option is
+ implemented defensively, so that when systemd detects it runs in a
+ restricted environment (such as a user namespace, or an environment
+ where mknod() is blocked through seccomp or absence of CAP_SYS_MKNOD)
+ where device nodes cannot be created the effect of PrivateDevices= is
+ bypassed (following the logic that 2nd-level sand-boxing is not
+ essential if the system systemd runs in is itself already sand-boxed
+ as a whole). This logic breaks with 4.18 in container managers where
+ user namespacing is used: suddenly PrivateDevices= succeeds setting
+ up a private /dev/ file system containing devices nodes — but when
+ these are opened they don't work.
+
+ At this point it is recommended that container managers utilizing
+ user namespaces that intend to run systemd in the payload explicitly
+ block mknod() with seccomp or similar, so that the graceful fallback
+ logic works again.
+
+ We are very sorry for the breakage and the requirement to change
+ container configurations for newer kernels. It's purely caused by an
+ incompatible kernel change. The relevant kernel developers have been
+ notified about this userspace breakage quickly, but they chose to
+ ignore it.
+
+ * PermissionsStartOnly= setting is deprecated (but is still supported
+ for backwards compatibility). The same functionality is provided by
+ the more flexible "+", "!", and "!!" prefixes to ExecStart= and other
+ commands.
+
+ * $DBUS_SESSION_BUS_ADDRESS environment variable is not set by
+ pam_systemd anymore.
+
+ * The naming scheme for network devices was changed to always rename
+ devices, even if they were already renamed by userspace. The "kernel"
+ policy was changed to only apply as a fallback, if no other naming
+ policy took effect.
+
+ * The requirements to build systemd is bumped to meson-0.46 and
+ python-3.5.
+
+ Contributions from: afg, Alan Jenkins, Aleksei Timofeyev, Alexander
+ Filippov, Alexander Kurtz, Alexey Bogdanenko, Andreas Henriksson,
+ Andrew Jorgensen, Anita Zhang, apnix-uk, Arkan49, Arseny Maslennikov,
+ asavah, Asbjørn Apeland, aszlig, Bastien Nocera, Ben Boeckel, Benedikt
+ Morbach, Benjamin Berg, Bruce Zhang, Carlo Caione, Cedric Viou, Chen
+ Qi, Chris Chiu, Chris Down, Chris Morin, Christian Rebischke, Claudius
+ Ellsel, Colin Guthrie, dana, Daniel, Daniele Medri, Daniel Kahn
+ Gillmor, Daniel Rusek, Daniel van Vugt, Dariusz Gadomski, Dave Reisner,
+ David Anderson, Davide Cavalca, David Leeds, David Malcolm, David
+ Strauss, David Tardon, Dimitri John Ledkov, Dmitry Torokhov, dj-kaktus,
+ Dongsu Park, Elias Probst, Emil Soleyman, Erik Kooistra, Ervin Peters,
+ Evgeni Golov, Evgeny Vereshchagin, Fabrice Fontaine, Faheel Ahmad,
+ Faizal Luthfi, Felix Yan, Filipe Brandenburger, Franck Bui, Frank
+ Schaefer, Frantisek Sumsal, Gautier Husson, Gianluca Boiano, Giuseppe
+ Scrivano, glitsj16, Hans de Goede, Harald Hoyer, Harry Mallon, Harshit
+ Jain, Helmut Grohne, Henry Tung, Hui Yiqun, imayoda, Insun Pyo, Iwan
+ Timmer, Jan Janssen, Jan Pokorný, Jan Synacek, Jason A. Donenfeld,
+ javitoom, Jérémy Nouhaud, Jeremy Su, Jiuyang Liu, João Paulo Rechi
+ Vita, Joe Hershberger, Joe Rayhawk, Joerg Behrmann, Joerg Steffens,
+ Jonas Dorel, Jon Ringle, Josh Soref, Julian Andres Klode, Jun Bo Bi,
+ Jürg Billeter, Keith Busch, Khem Raj, Kirill Marinushkin, Larry
+ Bernstone, Lennart Poettering, Lion Yang, Li Song, Lorenz
+ Hübschle-Schneider, Lubomir Rintel, Lucas Werkmeister, Ludwin Janvier,
+ Lukáš Nykrýn, Luke Shumaker, mal, Marc-Antoine Perennou, Marcin
+ Skarbek, Marco Trevisan (Treviño), Marian Cepok, Mario Hros, Marko
+ Myllynen, Markus Grimm, Martin Pitt, Martin Sobotka, Martin Wilck,
+ Mathieu Trudel-Lapierre, Matthew Leeds, Michael Biebl, Michael Olbrich,
+ Michael 'pbone' Pobega, Michael Scherer, Michal Koutný, Michal
+ Sekletar, Michal Soltys, Mike Gilbert, Mike Palmer, Muhammet Kara, Neal
+ Gompa, Neil Brown, Network Silence, Niklas Tibbling, Nikolas Nyby,
+ Nogisaka Sadata, Oliver Smith, Patrik Flykt, Pavel Hrdina, Paweł
+ Szewczyk, Peter Hutterer, Piotr Drąg, Ray Strode, Reinhold Mueller,
+ Renaud Métrich, Roman Gushchin, Ronny Chevalier, Rubén Suárez Alvarez,
+ Ruixin Bao, RussianNeuroMancer, Ryutaroh Matsumoto, Saleem Rashid, Sam
+ Morris, Samuel Morris, Sandy Carter, scootergrisen, Sébastien Bacher,
+ Sergey Ptashnick, Shawn Landden, Shengyao Xue, Shih-Yuan Lee
+ (FourDollars), Silvio Knizek, Sjoerd Simons, Stasiek Michalski, Stephen
+ Gallagher, Steven Allen, Steve Ramage, Susant Sahani, Sven Joachim,
+ Sylvain Plantefève, Tanu Kaskinen, Tejun Heo, Thiago Macieira, Thomas
+ Blume, Thomas Haller, Thomas H. P. Andersen, Tim Ruffing, TJ, Tobias
+ Jungel, Todd Walton, Tommi Rantala, Tomsod M, Tony Novak, Tore
+ Anderson, Trevonn, Victor Laskurain, Victor Tapia, Violet Halo, Vojtech
+ Trefny, welaq, William A. Kennington III, William Douglas, Wyatt Ward,
+ Xiang Fan, Xi Ruoyao, Xuanwo, Yann E. Morin, YmrDtnJu, Yu Watanabe,
+ Zbigniew Jędrzejewski-Szmek, Zhang Xianwei, Zsolt Dollenstein
+
+ — Warsaw, 2018-12-21
+
+CHANGES WITH 239:
+
+ * NETWORK INTERFACE DEVICE NAMING CHANGES: systemd-udevd's "net_id"
+ builtin will name network interfaces differently than in previous
+ versions for virtual network interfaces created with SR-IOV and NPAR
+ and for devices where the PCI network controller device does not have
+ a slot number associated.
+
+ SR-IOV virtual devices are now named based on the name of the parent
+ interface, with a suffix of "v<N>", where <N> is the virtual device
+ number. Previously those virtual devices were named as if completely
+ independent.
+
+ The ninth and later NPAR virtual devices will be named following the
+ scheme used for the first eight NPAR partitions. Previously those
+ devices were not renamed and the kernel default (eth<n>) was used.
+
+ "net_id" will also generate names for PCI devices where the PCI
+ network controller device does not have an associated slot number
+ itself, but one of its parents does. Previously those devices were
+ not renamed and the kernel default (eth<n>) was used.
+
+ * AF_INET and AF_INET6 are dropped from RestrictAddressFamilies= in
+ systemd-logind.service. Since v235, IPAddressDeny=any has been set to
+ the unit. So, it is expected that the default behavior of
+ systemd-logind is not changed. However, if distribution packagers or
+ administrators disabled or modified IPAddressDeny= setting by a
+ drop-in config file, then it may be necessary to update the file to
+ re-enable AF_INET and AF_INET6 to support network user name services,
+ e.g. NIS.
+
+ * When the RestrictNamespaces= unit property is specified multiple
+ times, then the specified types are merged now. Previously, only the
+ last assignment was used. So, if distribution packagers or
+ administrators modified the setting by a drop-in config file, then it
+ may be necessary to update the file.
+
+ * When OnFailure= is used in combination with Restart= on a service
+ unit, then the specified units will no longer be triggered on
+ failures that result in restarting. Previously, the specified units
+ would be activated each time the unit failed, even when the unit was
+ going to be restarted automatically. This behaviour contradicted the
+ documentation. With this release the code is adjusted to match the
+ documentation.
+
+ * systemd-tmpfiles will now print a notice whenever it encounters
+ tmpfiles.d/ lines referencing the /var/run/ directory. It will
+ recommend reworking them to use the /run/ directory instead (for
+ which /var/run/ is simply a symlinked compatibility alias). This way
+ systemd-tmpfiles can properly detect line conflicts and merge lines
+ referencing the same file by two paths, without having to access
+ them.
+
+ * systemctl disable/unmask/preset/preset-all cannot be used with
+ --runtime. Previously this was allowed, but resulted in unintuitive
+ behaviour that wasn't useful. systemctl disable/unmask will now undo
+ both runtime and persistent enablement/masking, i.e. it will remove
+ any relevant symlinks both in /run and /etc.
+
+ * Note that all long-running system services shipped with systemd will
+ now default to a system call allow list (rather than a deny list, as
+ before). In particular, systemd-udevd will now enforce one too. For
+ most cases this should be safe, however downstream distributions
+ which disabled sandboxing of systemd-udevd (specifically the
+ MountFlags= setting), might want to disable this security feature
+ too, as the default allow-listing will prohibit all mount, swap,
+ reboot and clock changing operations from udev rules.
+
+ * sd-boot acquired new loader configuration settings to optionally turn
+ off Windows and MacOS boot partition discovery as well as
+ reboot-into-firmware menu items. It is also able to pick a better
+ screen resolution for HiDPI systems, and now provides loader
+ configuration settings to change the resolution explicitly.
+
+ * systemd-resolved now supports DNS-over-TLS. It's still
+ turned off by default, use DNSOverTLS=opportunistic to turn it on in
+ resolved.conf. We intend to make this the default as soon as couple
+ of additional techniques for optimizing the initial latency caused by
+ establishing a TLS/TCP connection are implemented.
+
+ * systemd-resolved.service and systemd-networkd.service now set
+ DynamicUser=yes. The users systemd-resolve and systemd-network are
+ not created by systemd-sysusers anymore.
+
+ NOTE: This has a chance of breaking nss-ldap and similar NSS modules
+ that embed a network facing module into any process using getpwuid()
+ or related call: the dynamic allocation of the user ID for
+ systemd-resolved.service means the service manager has to check NSS
+ if the user name is already taken when forking off the service. Since
+ the user in the common case won't be defined in /etc/passwd the
+ lookup is likely to trigger nss-ldap which in turn might use NSS to
+ ask systemd-resolved for hostname lookups. This will hence result in
+ a deadlock: a user name lookup in order to start
+ systemd-resolved.service will result in a hostname lookup for which
+ systemd-resolved.service needs to be started already. There are
+ multiple ways to work around this problem: pre-allocate the
+ "systemd-resolve" user on such systems, so that nss-ldap won't be
+ triggered; or use a different NSS package that doesn't do networking
+ in-process but provides a local asynchronous name cache; or configure
+ the NSS package to avoid lookups for UIDs in the range `pkg-config
+ systemd --variable=dynamicuidmin` … `pkg-config systemd
+ --variable=dynamicuidmax`, so that it does not consider itself
+ authoritative for the same UID range systemd allocates dynamic users
+ from.
+
+ * The systemd-resolve tool has been renamed to resolvectl (it also
+ remains available under the old name, for compatibility), and its
+ interface is now verb-based, similar in style to the other <xyz>ctl
+ tools, such as systemctl or loginctl.
+
+ * The resolvectl/systemd-resolve tool also provides 'resolvconf'
+ compatibility. It may be symlinked under the 'resolvconf' name, in
+ which case it will take arguments and input compatible with the
+ Debian and FreeBSD resolvconf tool.
+
+ * Support for suspend-then-hibernate has been added, i.e. a sleep mode
+ where the system initially suspends, and after a timeout resumes and
+ hibernates again.
+
+ * networkd's ClientIdentifier= now accepts a new option "duid-only". If
+ set the client will only send a DUID as client identifier.
+
+ * The nss-systemd glibc NSS module will now enumerate dynamic users and
+ groups in effect. Previously, it could resolve UIDs/GIDs to user
+ names/groups and vice versa, but did not support enumeration.
+
+ * journald's Compress= configuration setting now optionally accepts a
+ byte threshold value. All journal objects larger than this threshold
+ will be compressed, smaller ones will not. Previously this threshold
+ was not configurable and set to 512.
+
+ * A new system.conf setting NoNewPrivileges= is now available which may
+ be used to turn off acquisition of new privileges system-wide
+ (i.e. set Linux' PR_SET_NO_NEW_PRIVS for PID 1 itself, and thus also
+ for all its children). Note that turning this option on means setuid
+ binaries and file system capabilities lose their special powers.
+ While turning on this option is a big step towards a more secure
+ system, doing so is likely to break numerous pre-existing UNIX tools,
+ in particular su and sudo.
+
+ * A new service systemd-time-sync-wait.service has been added. If
+ enabled it will delay the time-sync.target unit at boot until time
+ synchronization has been received from the network. This
+ functionality is useful on systems lacking a local RTC or where it is
+ acceptable that the boot process shall be delayed by external network
+ services.
+
+ * When hibernating, systemd will now inform the kernel of the image
+ write offset, on kernels new enough to support this. This means swap
+ files should work for hibernation now.
+
+ * When loading unit files, systemd will now look for drop-in unit files
+ extensions in additional places. Previously, for a unit file name
+ "foo-bar-baz.service" it would look for dropin files in
+ "foo-bar-baz.service.d/*.conf". Now, it will also look in
+ "foo-bar-.service.d/*.conf" and "foo-.service.d/", i.e. at the
+ service name truncated after all inner dashes. This scheme allows
+ writing drop-ins easily that apply to a whole set of unit files at
+ once. It's particularly useful for mount and slice units (as their
+ naming is prefix based), but is also useful for service and other
+ units, for packages that install multiple unit files at once,
+ following a strict naming regime of beginning the unit file name with
+ the package's name. Two new specifiers are now supported in unit
+ files to match this: %j and %J are replaced by the part of the unit
+ name following the last dash.
+
+ * Unit files and other configuration files that support specifier
+ expansion now understand another three new specifiers: %T and %V will
+ resolve to /tmp and /var/tmp respectively, or whatever temporary
+ directory has been set for the calling user. %E will expand to either
+ /etc (for system units) or $XDG_CONFIG_HOME (for user units).
+
+ * The ExecStart= lines of unit files are no longer required to
+ reference absolute paths. If non-absolute paths are specified the
+ specified binary name is searched within the service manager's
+ built-in $PATH, which may be queried with 'systemd-path
+ search-binaries-default'. It's generally recommended to continue to
+ use absolute paths for all binaries specified in unit files.
+
+ * Units gained a new load state "bad-setting", which is used when a
+ unit file was loaded, but contained fatal errors which prevent it
+ from being started (for example, a service unit has been defined
+ lacking both ExecStart= and ExecStop= lines).
+
+ * coredumpctl's "gdb" verb has been renamed to "debug", in order to
+ support alternative debuggers, for example lldb. The old name
+ continues to be available however, for compatibility reasons. Use the
+ new --debugger= switch or the $SYSTEMD_DEBUGGER environment variable
+ to pick an alternative debugger instead of the default gdb.
+
+ * systemctl and the other tools will now output escape sequences that
+ generate proper clickable hyperlinks in various terminal emulators
+ where useful (for example, in the "systemctl status" output you can
+ now click on the unit file name to quickly open it in the
+ editor/viewer of your choice). Note that not all terminal emulators
+ support this functionality yet, but many do. Unfortunately, the
+ "less" pager doesn't support this yet, hence this functionality is
+ currently automatically turned off when a pager is started (which
+ happens quite often due to auto-paging). We hope to remove this
+ limitation as soon as "less" learns these escape sequences. This new
+ behaviour may also be turned off explicitly with the $SYSTEMD_URLIFY
+ environment variable. For details on these escape sequences see:
+ https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3cb5feda
+
+ * networkd's .network files now support a new IPv6MTUBytes= option for
+ setting the MTU used by IPv6 explicitly as well as a new MTUBytes=
+ option in the [Route] section to configure the MTU to use for
+ specific routes. It also gained support for configuration of the DHCP
+ "UserClass" option through the new UserClass= setting. It gained
+ three new options in the new [CAN] section for configuring CAN
+ networks. The MULTICAST and ALLMULTI interface flags may now be
+ controlled explicitly with the new Multicast= and AllMulticast=
+ settings.
+
+ * networkd will now automatically make use of the kernel's route
+ expiration feature, if it is available.
+
+ * udevd's .link files now support setting the number of receive and
+ transmit channels, using the RxChannels=, TxChannels=,
+ OtherChannels=, CombinedChannels= settings.
+
+ * Support for UDPSegmentationOffload= has been removed, given its
+ limited support in hardware, and waning software support.
+
+ * networkd's .netdev files now support creating "netdevsim" interfaces.
+
+ * PID 1 learnt a new bus call GetUnitByControlGroup() which may be used
+ to query the unit belonging to a specific kernel control group.
+
+ * systemd-analyze gained a new verb "cat-config", which may be used to
+ dump the contents of any configuration file, with all its matching
+ drop-in files added in, and honouring the usual search and masking
+ logic applied to systemd configuration files. For example use
+ "systemd-analyze cat-config systemd/system.conf" to get the complete
+ system configuration file of systemd how it would be loaded by PID 1
+ itself. Similar to this, various tools such as systemd-tmpfiles or
+ systemd-sysusers, gained a new option "--cat-config", which does the
+ corresponding operation for their own configuration settings. For
+ example, "systemd-tmpfiles --cat-config" will now output the full
+ list of tmpfiles.d/ lines in place.
+
+ * timedatectl gained three new verbs: "show" shows bus properties of
+ systemd-timedated, "timesync-status" shows the current NTP
+ synchronization state of systemd-timesyncd, and "show-timesync"
+ shows bus properties of systemd-timesyncd.
+
+ * systemd-timesyncd gained a bus interface on which it exposes details
+ about its state.
+
+ * A new environment variable $SYSTEMD_TIMEDATED_NTP_SERVICES is now
+ understood by systemd-timedated. It takes a colon-separated list of
+ unit names of NTP client services. The list is used by
+ "timedatectl set-ntp".
+
+ * systemd-nspawn gained a new --rlimit= switch for setting initial
+ resource limits for the container payload. There's a new switch
+ --hostname= to explicitly override the container's hostname. A new
+ --no-new-privileges= switch may be used to control the
+ PR_SET_NO_NEW_PRIVS flag for the container payload. A new
+ --oom-score-adjust= switch controls the OOM scoring adjustment value
+ for the payload. The new --cpu-affinity= switch controls the CPU
+ affinity of the container payload. The new --resolv-conf= switch
+ allows more detailed control of /etc/resolv.conf handling of the
+ container. Similarly, the new --timezone= switch allows more detailed
+ control of /etc/localtime handling of the container.
+
+ * systemd-detect-virt gained a new --list switch, which will print a
+ list of all currently known VM and container environments.
+
+ * Support for "Portable Services" has been added, see
+ doc/PORTABLE_SERVICES.md for details. Currently, the support is still
+ experimental, but this is expected to change soon. Reflecting this
+ experimental state, the "portablectl" binary is not installed into
+ /usr/bin yet. The binary has to be called with the full path
+ /usr/lib/systemd/portablectl instead.
+
+ * journalctl's and systemctl's -o switch now knows a new log output
+ mode "with-unit". The output it generates is very similar to the
+ regular "short" mode, but displays the unit name instead of the
+ syslog tag for each log line. Also, the date is shown with timezone
+ information. This mode is probably more useful than the classic
+ "short" output mode for most purposes, except where pixel-perfect
+ compatibility with classic /var/log/messages formatting is required.
+
+ * A new --dump-bus-properties switch has been added to the systemd
+ binary, which may be used to dump all supported D-Bus properties.
+ (Options which are still supported, but are deprecated, are *not*
+ shown.)
+
+ * sd-bus gained a set of new calls:
+ sd_bus_slot_set_floating()/sd_bus_slot_get_floating() may be used to
+ enable/disable the "floating" state of a bus slot object,
+ i.e. whether the slot object pins the bus it is allocated for into
+ memory or if the bus slot object gets disconnected when the bus goes
+ away. sd_bus_open_with_description(),
+ sd_bus_open_user_with_description(),
+ sd_bus_open_system_with_description() may be used to allocate bus
+ objects and set their description string already during allocation.
+
+ * sd-event gained support for watching inotify events from the event
+ loop, in an efficient way, sharing inotify handles between multiple
+ users. For this a new function sd_event_add_inotify() has been added.
+
+ * sd-event and sd-bus gained support for calling special user-supplied
+ destructor functions for userdata pointers associated with
+ sd_event_source, sd_bus_slot, and sd_bus_track objects. For this new
+ functions sd_bus_slot_set_destroy_callback,
+ sd_bus_slot_get_destroy_callback, sd_bus_track_set_destroy_callback,
+ sd_bus_track_get_destroy_callback,
+ sd_event_source_set_destroy_callback,
+ sd_event_source_get_destroy_callback have been added.
+
+ * The "net.ipv4.tcp_ecn" sysctl will now be turned on by default.
+
+ * PID 1 will now automatically reschedule .timer units whenever the
+ local timezone changes. (They previously got rescheduled
+ automatically when the system clock changed.)
+
+ * New documentation has been added to document cgroups delegation,
+ portable services and the various code quality tools we have set up:
+
+ https://github.com/systemd/systemd/blob/master/docs/CGROUP_DELEGATION.md
+ https://github.com/systemd/systemd/blob/master/docs/PORTABLE_SERVICES.md
+ https://github.com/systemd/systemd/blob/master/docs/CODE_QUALITY.md
+
+ * The Boot Loader Specification has been added to the source tree.
+
+ https://github.com/systemd/systemd/blob/master/docs/BOOT_LOADER_SPECIFICATION.md
+
+ While moving it into our source tree we have updated it and further
+ changes are now accepted through the usual github PR workflow.
+
+ * pam_systemd will now look for PAM userdata fields systemd.memory_max,
+ systemd.tasks_max, systemd.cpu_weight, systemd.io_weight set by
+ earlier PAM modules. The data in these fields is used to initialize
+ the session scope's resource properties. Thus external PAM modules
+ may now configure per-session limits, for example sourced from
+ external user databases.
+
+ * socket units with Accept=yes will now maintain a "refused" counter in
+ addition to the existing "accepted" counter, counting connections
+ refused due to the enforced limits.
+
+ * The "systemd-path search-binaries-default" command may now be use to
+ query the default, built-in $PATH PID 1 will pass to the services it
+ manages.
+
+ * A new unit file setting PrivateMounts= has been added. It's a boolean
+ option. If enabled the unit's processes are invoked in their own file
+ system namespace. Note that this behaviour is also implied if any
+ other file system namespacing options (such as PrivateTmp=,
+ PrivateDevices=, ProtectSystem=, …) are used. This option is hence
+ primarily useful for services that do not use any of the other file
+ system namespacing options. One such service is systemd-udevd.service
+ where this is now used by default.
+
+ * ConditionSecurity= gained a new value "uefi-secureboot" that is true
+ when the system is booted in UEFI "secure mode".
+
+ * A new unit "system-update-pre.target" is added, which defines an
+ optional synchronization point for offline system updates, as
+ implemented by the pre-existing "system-update.target" unit. It
+ allows ordering services before the service that executes the actual
+ update process in a generic way.
+
+ * Systemd now emits warnings whenever .include syntax is used.
+
+ Contributions from: Adam Duskett, Alan Jenkins, Alessandro Casale,
+ Alexander Kurtz, Alex Gartrell, Anssi Hannula, Arnaud Rebillout, Brian
+ J. Murrell, Bruno Vernay, Chris Lamb, Chris Lesiak, Christian Brauner,
+ Christian Hesse, Christian Rebischke, Colin Guthrie, Daniel Dao, Daniel
+ Lin, Danylo Korostil, Davide Cavalca, David Tardon, Dimitri John
+ Ledkov, Dmitriy Geels, Douglas Christman, Elia Geretto, emelenas, Emil
+ Velikov, Evgeny Vereshchagin, Felipe Sateler, Feng Sun, Filipe
+ Brandenburger, Franck Bui, futpib, Giuseppe Scrivano, Guillem Jover,
+ guixxx, Hannes Reinecke, Hans de Goede, Harald Hoyer, Henrique Dante de
+ Almeida, Hiram van Paassen, Ian Miell, Igor Gnatenko, Ivan Shapovalov,
+ Iwan Timmer, James Cowgill, Jan Janssen, Jan Synacek, Jared Kazimir,
+ Jérémy Rosen, João Paulo Rechi Vita, Joost Heitbrink, Jui-Chi Ricky
+ Liang, Jürg Billeter, Kai-Heng Feng, Karol Augustin, Kay Sievers,
+ Krzysztof Nowicki, Lauri Tirkkonen, Lennart Poettering, Leonard König,
+ Long Li, Luca Boccassi, Lucas Werkmeister, Marcel Hoppe, Marc
+ Kleine-Budde, Mario Limonciello, Martin Jansa, Martin Wilck, Mathieu
+ Malaterre, Matteo F. Vescovi, Matthew McGinn, Matthias-Christian Ott,
+ Michael Biebl, Michael Olbrich, Michael Prokop, Michal Koutný, Michal
+ Sekletar, Mike Gilbert, Mikhail Kasimov, Milan Broz, Milan Pässler,
+ Mladen Pejaković, Muhammet Kara, Nicolas Boichat, Omer Katz, Paride
+ Legovini, Paul Menzel, Paul Milliken, Pavel Hrdina, Peter A. Bigot,
+ Peter D'Hoye, Peter Hutterer, Peter Jones, Philip Sequeira, Philip
+ Withnall, Piotr Drąg, Radostin Stoyanov, Ricardo Salveti de Araujo,
+ Ronny Chevalier, Rosen Penev, Rubén Suárez Alvarez, Ryan Gonzalez,
+ Salvo Tomaselli, Sebastian Reichel, Sergey Ptashnick, Sergio Lindo
+ Mansilla, Stefan Schweter, Stephen Hemminger, Stuart Hayes, Susant
+ Sahani, Sylvain Plantefève, Thomas H. P. Andersen, Tobias Jungel,
+ Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van Mourik,
+ Yu Watanabe, Zbigniew Jędrzejewski-Szmek
+
+ — Berlin, 2018-06-22
+
+CHANGES WITH 238:
+
+ * The MemoryAccounting= unit property now defaults to on. After
+ discussions with the upstream control group maintainers we learnt
+ that the negative impact of cgroup memory accounting on current
+ kernels is finally relatively minimal, so that it should be safe to
+ enable this by default without affecting system performance. Besides
+ memory accounting only task accounting is turned on by default, all
+ other forms of resource accounting (CPU, IO, IP) remain off for now,
+ because it's not clear yet that their impact is small enough to move
+ from opt-in to opt-out. We recommend downstreams to leave memory
+ accounting on by default if kernel 4.14 or higher is primarily
+ used. On very resource constrained systems or when support for old
+ kernels is a necessity, -Dmemory-accounting-default=false can be used
+ to revert this change.
+
+ * rpm scriptlets to update the udev hwdb and rules (%udev_hwdb_update,
+ %udev_rules_update) and the journal catalog (%journal_catalog_update)
+ from the upgrade scriptlets of individual packages now do nothing.
+ Transfiletriggers have been added which will perform those updates
+ once at the end of the transaction.
+
+ Similar transfiletriggers have been added to execute any sysctl.d
+ and binfmt.d rules. Thus, it should be unnecessary to provide any
+ scriptlets to execute this configuration from package installation
+ scripts.
+
+ * systemd-sysusers gained a mode where the configuration to execute is
+ specified on the command line, but this configuration is not executed
+ directly, but instead it is merged with the configuration on disk,
+ and the result is executed. This is useful for package installation
+ scripts which want to create the user before installing any files on
+ disk (in case some of those files are owned by that user), while
+ still allowing local admin overrides.
+
+ This functionality is exposed to rpm scriptlets through a new
+ %sysusers_create_package macro. Old %sysusers_create and
+ %sysusers_create_inline macros are deprecated.
+
+ A transfiletrigger for sysusers.d configuration is now installed,
+ which means that it should be unnecessary to call systemd-sysusers from
+ package installation scripts, unless the package installs any files
+ owned by those newly-created users, in which case
+ %sysusers_create_package should be used.
+
+ * Analogous change has been done for systemd-tmpfiles: it gained a mode
+ where the command-line configuration is merged with the configuration
+ on disk. This is exposed as the new %tmpfiles_create_package macro,
+ and %tmpfiles_create is deprecated. A transfiletrigger is installed
+ for tmpfiles.d, hence it should be unnecessary to call systemd-tmpfiles
+ from package installation scripts.
+
+ * sysusers.d configuration for a user may now also specify the group
+ number, in addition to the user number ("u username 123:456"), or
+ without the user number ("u username -:456").
+
+ * Configution items for systemd-sysusers can now be specified as
+ positional arguments when the new --inline switch is used.
+
+ * The login shell of users created through sysusers.d may now be
+ specified (previously, it was always /bin/sh for root and
+ /sbin/nologin for other users).
+
+ * systemd-analyze gained a new --global switch to look at global user
+ configuration. It also gained a unit-paths verb to list the unit load
+ paths that are compiled into systemd (which can be used with
+ --systemd, --user, or --global).
+
+ * udevadm trigger gained a new --settle/-w option to wait for any
+ triggered events to finish (but just those, and not any other events
+ which are triggered meanwhile).
+
+ * The action that systemd-logind takes when the lid is closed and the
+ machine is connected to external power can now be configured using
+ HandleLidSwitchExternalPower= in logind.conf. Previously, this action
+ was determined by HandleLidSwitch=, and, for backwards compatibility,
+ is still is, if HandleLidSwitchExternalPower= is not explicitly set.
+
+ * journalctl will periodically call sd_journal_process() to make it
+ resilient against inotify queue overruns when journal files are
+ rotated very quickly.
+
+ * Two new functions in libsystemd — sd_bus_get_n_queued_read and
+ sd_bus_get_n_queued_write — may be used to check the number of
+ pending bus messages.
+
+ * systemd gained a new
+ org.freedesktop.systemd1.Manager.AttachProcessesToUnit dbus call
+ which can be used to migrate foreign processes to scope and service
+ units. The primary user for this new API is systemd itself: the
+ systemd --user instance uses this call of the systemd --system
+ instance to migrate processes if it itself gets the request to
+ migrate processes and the kernel refuses this due to access
+ restrictions. Thanks to this "systemd-run --scope --user …" works
+ again in pure cgroup v2 environments when invoked from the user
+ session scope.
+
+ * A new TemporaryFileSystem= setting can be used to mask out part of
+ the real file system tree with tmpfs mounts. This may be combined
+ with BindPaths= and BindReadOnlyPaths= to hide files or directories
+ not relevant to the unit, while still allowing some paths lower in
+ the tree to be accessed.
+
+ ProtectHome=tmpfs may now be used to hide user home and runtime
+ directories from units, in a way that is mostly equivalent to
+ "TemporaryFileSystem=/home /run/user /root".
+
+ * Non-service units are now started with KeyringMode=shared by default.
+ This means that mount and swapon and other mount tools have access
+ to keys in the main keyring.
+
+ * /sys/fs/bpf is now mounted automatically.
+
+ * QNX virtualization is now detected by systemd-detect-virt and may
+ be used in ConditionVirtualization=.
+
+ * IPAccounting= may now be enabled also for slice units.
+
+ * A new -Dsplit-bin= build configuration switch may be used to specify
+ whether bin and sbin directories are merged, or if they should be
+ included separately in $PATH and various listings of executable
+ directories. The build configuration scripts will try to autodetect
+ the proper values of -Dsplit-usr= and -Dsplit-bin= based on build
+ system, but distributions are encouraged to configure this
+ explicitly.
+
+ * A new -Dok-color= build configuration switch may be used to change
+ the colour of "OK" status messages.
+
+ * UPGRADE ISSUE: serialization of units using JoinsNamespaceOf= with
+ PrivateNetwork=yes was buggy in previous versions of systemd. This
+ means that after the upgrade and daemon-reexec, any such units must
+ be restarted.
+
+ * INCOMPATIBILITY: as announced in the NEWS for 237, systemd-tmpfiles
+ will not exclude read-only files owned by root from cleanup.
+
+ Contributions from: Alan Jenkins, Alexander F Rødseth, Alexis Jeandet,
+ Andika Triwidada, Andrei Gherzan, Ansgar Burchardt, antizealot1337,
+ Batuhan Osman Taşkaya, Beniamino Galvani, Bill Yodlowsky, Caio Marcelo
+ de Oliveira Filho, CuBiC, Daniele Medri, Daniel Mouritzen, Daniel
+ Rusek, Davide Cavalca, Dimitri John Ledkov, Douglas Christman, Evgeny
+ Vereshchagin, Faalagorn, Filipe Brandenburger, Franck Bui, futpib,
+ Giacomo Longo, Gunnar Hjalmarsson, Hans de Goede, Hermann Gausterer,
+ Iago López Galeiras, Jakub Filak, Jan Synacek, Jason A. Donenfeld,
+ Javier Martinez Canillas, Jérémy Rosen, Lennart Poettering, Lucas
+ Werkmeister, Mao Huang, Marco Gulino, Michael Biebl, Michael Vogt,
+ MilhouseVH, Neal Gompa (ニール・ゴンパ), Oleander Reis, Olof Mogren,
+ Patrick Uiterwijk, Peter Hutterer, Peter Portante, Piotr Drąg, Robert
+ Antoni Buj Gelonch, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon
+ Fowler, SjonHortensius, snorreflorre, Susant Sahani, Sylvain
+ Plantefève, Thomas Blume, Thomas Haller, Vito Caputo, Yu Watanabe,
+ Zbigniew Jędrzejewski-Szmek, Марко М. Костић (Marko M. Kostić)
+
+ — Warsaw, 2018-03-05
+
+CHANGES WITH 237:
+
+ * Some keyboards come with a zoom see-saw or rocker which until now got
+ mapped to the Linux "zoomin/out" keys in hwdb. However, these
+ keycodes are not recognized by any major desktop. They now produce
+ Up/Down key events so that they can be used for scrolling.
+
+ * INCOMPATIBILITY: systemd-tmpfiles' "f" lines changed behaviour
+ slightly: previously, if an argument was specified for lines of this
+ type (i.e. the right-most column was set) this string was appended to
+ existing files each time systemd-tmpfiles was run. This behaviour was
+ different from what the documentation said, and not particularly
+ useful, as repeated systemd-tmpfiles invocations would not be
+ idempotent and grow such files without bounds. With this release
+ behaviour has been altered to match what the documentation says:
+ lines of this type only have an effect if the indicated files don't
+ exist yet, and only then the argument string is written to the file.
+
+ * FUTURE INCOMPATIBILITY: In systemd v238 we intend to slightly change
+ systemd-tmpfiles behaviour: previously, read-only files owned by root
+ were always excluded from the file "aging" algorithm (i.e. the
+ automatic clean-up of directories like /tmp based on
+ atime/mtime/ctime). We intend to drop this restriction, and age files
+ by default even when owned by root and read-only. This behaviour was
+ inherited from older tools, but there have been requests to remove
+ it, and it's not obvious why this restriction was made in the first
+ place. Please speak up now, if you are aware of software that requires
+ this behaviour, otherwise we'll remove the restriction in v238.
+
+ * A new environment variable $SYSTEMD_OFFLINE is now understood by
+ systemctl. It takes a boolean argument. If on, systemctl assumes it
+ operates on an "offline" OS tree, and will not attempt to talk to the
+ service manager. Previously, this mode was implicitly enabled if a
+ chroot() environment was detected, and this new environment variable
+ now provides explicit control.
+
+ * .path and .socket units may now be created transiently, too.
+ Previously only service, mount, automount and timer units were
+ supported as transient units. The systemd-run tool has been updated
+ to expose this new functionality, you may hence use it now to bind
+ arbitrary commands to path or socket activation on-the-fly from the
+ command line. Moreover, almost all properties are now exposed for the
+ unit types that already supported transient operation.
+
+ * The systemd-mount command gained support for a new --owner= parameter
+ which takes a user name, which is then resolved and included in uid=
+ and gid= mount options string of the file system to mount.
+
+ * A new unit condition ConditionControlGroupController= has been added
+ that checks whether a specific cgroup controller is available.
+
+ * Unit files, udev's .link files, and systemd-networkd's .netdev and
+ .network files all gained support for a new condition
+ ConditionKernelVersion= for checking against specific kernel
+ versions.
+
+ * In systemd-networkd, the [IPVLAN] section in .netdev files gained
+ support for configuring device flags in the Flags= setting. In the
+ same files, the [Tunnel] section gained support for configuring
+ AllowLocalRemote=. The [Route] section in .network files gained
+ support for configuring InitialCongestionWindow=,
+ InitialAdvertisedReceiveWindow= and QuickAck=. The [DHCP] section now
+ understands RapidCommit=.
+
+ * systemd-networkd's DHCPv6 support gained support for Prefix
+ Delegation.
+
+ * sd-bus gained support for a new "watch-bind" feature. When this
+ feature is enabled, an sd_bus connection may be set up to connect to
+ an AF_UNIX socket in the file system as soon as it is created. This
+ functionality is useful for writing early-boot services that
+ automatically connect to the system bus as soon as it is started,
+ without ugly time-based polling. systemd-networkd and
+ systemd-resolved have been updated to make use of this
+ functionality. busctl exposes this functionality in a new
+ --watch-bind= command line switch.
+
+ * sd-bus will now optionally synthesize a local "Connected" signal as
+ soon as a D-Bus connection is set up fully. This message mirrors the
+ already existing "Disconnected" signal which is synthesized when the
+ connection is terminated. This signal is generally useful but
+ particularly handy in combination with the "watch-bind" feature
+ described above. Synthesizing of this message has to be requested
+ explicitly through the new API call sd_bus_set_connected_signal(). In
+ addition a new call sd_bus_is_ready() has been added that checks
+ whether a connection is fully set up (i.e. between the "Connected" and
+ "Disconnected" signals).
+
+ * sd-bus gained two new calls sd_bus_request_name_async() and
+ sd_bus_release_name_async() for asynchronously registering bus
+ names. Similar, there is now sd_bus_add_match_async() for installing
+ a signal match asynchronously. All of systemd's own services have
+ been updated to make use of these calls. Doing these operations
+ asynchronously has two benefits: it reduces the risk of deadlocks in
+ case of cyclic dependencies between bus services, and it speeds up
+ service initialization since synchronization points for bus
+ round-trips are removed.
+
+ * sd-bus gained two new calls sd_bus_match_signal() and
+ sd_bus_match_signal_async(), which are similar to sd_bus_add_match()
+ and sd_bus_add_match_async() but instead of taking a D-Bus match
+ string take match fields as normal function parameters.
+
+ * sd-bus gained two new calls sd_bus_set_sender() and
+ sd_bus_message_set_sender() for setting the sender name of outgoing
+ messages (either for all outgoing messages or for just one specific
+ one). These calls are only useful in direct connections as on
+ brokered connections the broker fills in the sender anyway,
+ overwriting whatever the client filled in.
+
+ * sd-event gained a new pseudo-handle that may be specified on all API
+ calls where an "sd_event*" object is expected: SD_EVENT_DEFAULT. When
+ used this refers to the default event loop object of the calling
+ thread. Note however that this does not implicitly allocate one —
+ which has to be done prior by using sd_event_default(). Similarly
+ sd-bus gained three new pseudo-handles SD_BUS_DEFAULT,
+ SD_BUS_DEFAULT_USER, SD_BUS_DEFAULT_SYSTEM that may be used to refer
+ to the default bus of the specified type of the calling thread. Here
+ too this does not implicitly allocate bus connection objects, this
+ has to be done prior with sd_bus_default() and friends.
+
+ * sd-event gained a new call pair
+ sd_event_source_{get|set}_io_fd_own(). This may be used to request
+ automatic closure of the file descriptor an IO event source watches
+ when the event source is destroyed.
+
+ * systemd-networkd gained support for natively configuring WireGuard
+ connections.
+
+ * In previous versions systemd synthesized user records both for the
+ "nobody" (UID 65534) and "root" (UID 0) users in nss-systemd and
+ internally. In order to simplify distribution-wide renames of the
+ "nobody" user (like it is planned in Fedora: nfsnobody → nobody), a
+ new transitional flag file has been added: if
+ /etc/systemd/dont-synthesize-nobody exists synthesizing of the 65534
+ user and group record within the systemd codebase is disabled.
+
+ * systemd-notify gained a new --uid= option for selecting the source
+ user/UID to use for notification messages sent to the service
+ manager.
+
+ * journalctl gained a new --grep= option to list only entries in which
+ the message matches a certain pattern. By default matching is case
+ insensitive if the pattern is lowercase, and case sensitive
+ otherwise. Option --case-sensitive=yes|no can be used to override
+ this an specify case sensitivity or case insensitivity.
+
+ * There's now a "systemd-analyze service-watchdogs" command for printing
+ the current state of the service runtime watchdog, and optionally
+ enabling or disabling the per-service watchdogs system-wide if given a
+ boolean argument (i.e. the concept you configure in WatchdogSec=), for
+ debugging purposes. There's also a kernel command line option
+ systemd.service_watchdogs= for controlling the same.
+
+ * Two new "log-level" and "log-target" options for systemd-analyze were
+ added that merge the now deprecated get-log-level, set-log-level and
+ get-log-target, set-log-target pairs. The deprecated options are still
+ understood for backwards compatibility. The two new options print the
+ current value when no arguments are given, and set them when a
+ level/target is given as an argument.
+
+ * sysusers.d's "u" lines now optionally accept both a UID and a GID
+ specification, separated by a ":" character, in order to create users
+ where UID and GID do not match.
+
+ Contributions from: Adam Duskett, Alan Jenkins, Alexander Kuleshov,
+ Alexis Deruelle, Andrew Jeddeloh, Armin Widegreen, Batuhan Osman
+ Taşkaya, Björn Esser, bleep_blop, Bruce A. Johnson, Chris Down, Clinton
+ Roy, Colin Walters, Daniel Rusek, Dimitri John Ledkov, Dmitry Rozhkov,
+ Evgeny Vereshchagin, Ewout van Mansom, Felipe Sateler, Franck Bui,
+ Frantisek Sumsal, George Gaydarov, Gianluca Boiano, Hans-Christian
+ Noren Egtvedt, Hans de Goede, Henrik Grindal Bakken, Jan Alexander
+ Steffens, Jan Klötzke, Jason A. Donenfeld, jdkbx, Jérémy Rosen,
+ Jerónimo Borque, John Lin, John Paul Herold, Jonathan Rudenberg, Jörg
+ Thalheim, Ken (Bitsko) MacLeod, Larry Bernstone, Lennart Poettering,
+ Lucas Werkmeister, Maciej S. Szmigiero, Marek Čermák, Martin Pitt,
+ Mathieu Malaterre, Matthew Thode, Matthias-Christian Ott, Max Harmathy,
+ Michael Biebl, Michael Vogt, Michal Koutný, Michal Sekletar, Michał
+ Szczepański, Mike Gilbert, Nathaniel McCallum, Nicolas Chauvet, Olaf
+ Hering, Olivier Schwander, Patrik Flykt, Paul Cercueil, Peter Hutterer,
+ Piotr Drąg, Raphael Vogelgsang, Reverend Homer, Robert Kolchmeyer,
+ Samuel Dionne-Riel, Sergey Ptashnick, Shawn Landden, Susant Sahani,
+ Sylvain Plantefève, Thomas H. P. Andersen, Thomas Huth, Tomasz
+ Bachorski, Vladislav Vishnyakov, Wieland Hoffmann, Yu Watanabe, Zachary
+ Winnerman, Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски, Дилян
+ Палаузов
+
+ — Brno, 2018-01-28
+
+CHANGES WITH 236:
+
+ * The modprobe.d/ drop-in for the bonding.ko kernel module introduced
+ in v235 has been extended to also set the dummy.ko module option
+ numdummies=0, preventing the kernel from automatically creating
+ dummy0. All dummy interfaces must now be explicitly created.
+
+ * Unknown '%' specifiers in configuration files are now rejected. This
+ applies to units and tmpfiles.d configuration. Any percent characters
+ that are followed by a letter or digit that are not supposed to be
+ interpreted as the beginning of a specifier should be escaped by
+ doubling ("%%"). (So "size=5%" is still accepted, as well as
+ "size=5%,foo=bar", but not "LABEL=x%y%z" since %y and %z are not
+ valid specifiers today.)
+
+ * systemd-resolved now maintains a new dynamic
+ /run/systemd/resolve/stub-resolv.conf compatibility file. It is
+ recommended to make /etc/resolv.conf a symlink to it. This file
+ points at the systemd-resolved stub DNS 127.0.0.53 resolver and
+ includes dynamically acquired search domains, achieving more correct
+ DNS resolution by software that bypasses local DNS APIs such as NSS.
+
+ * The "uaccess" udev tag has been dropped from /dev/kvm and
+ /dev/dri/renderD*. These devices now have the 0666 permissions by
+ default (but this may be changed at build-time). /dev/dri/renderD*
+ will now be owned by the "render" group along with /dev/kfd.
+
+ * "DynamicUser=yes" has been enabled for systemd-timesyncd.service,
+ systemd-journal-gatewayd.service and
+ systemd-journal-upload.service. This means "nss-systemd" must be
+ enabled in /etc/nsswitch.conf to ensure the UIDs assigned to these
+ services are resolved properly.
+
+ * In /etc/fstab two new mount options are now understood:
+ x-systemd.makefs and x-systemd.growfs. The former has the effect that
+ the configured file system is formatted before it is mounted, the
+ latter that the file system is resized to the full block device size
+ after it is mounted (i.e. if the file system is smaller than the
+ partition it resides on, it's grown). This is similar to the fsck
+ logic in /etc/fstab, and pulls in systemd-makefs@.service and
+ systemd-growfs@.service as necessary, similar to
+ systemd-fsck@.service. Resizing is currently only supported on ext4
+ and btrfs.
+
+ * In systemd-networkd, the IPv6 RA logic now optionally may announce
+ DNS server and domain information.
+
+ * Support for the LUKS2 on-disk format for encrypted partitions has
+ been added. This requires libcryptsetup2 during compilation and
+ runtime.
+
+ * The systemd --user instance will now signal "readiness" when its
+ basic.target unit has been reached, instead of when the run queue ran
+ empty for the first time.
+
+ * Tmpfiles.d with user configuration are now also supported.
+ systemd-tmpfiles gained a new --user switch, and snippets placed in
+ ~/.config/user-tmpfiles.d/ and corresponding directories will be
+ executed by systemd-tmpfiles --user running in the new
+ systemd-tmpfiles-setup.service and systemd-tmpfiles-clean.service
+ running in the user session.
+
+ * Unit files and tmpfiles.d snippets learnt three new % specifiers:
+ %S resolves to the top-level state directory (/var/lib for the system
+ instance, $XDG_CONFIG_HOME for the user instance), %C resolves to the
+ top-level cache directory (/var/cache for the system instance,
+ $XDG_CACHE_HOME for the user instance), %L resolves to the top-level
+ logs directory (/var/log for the system instance,
+ $XDG_CONFIG_HOME/log/ for the user instance). This matches the
+ existing %t specifier, that resolves to the top-level runtime
+ directory (/run for the system instance, and $XDG_RUNTIME_DIR for the
+ user instance).
+
+ * journalctl learnt a new parameter --output-fields= for limiting the
+ set of journal fields to output in verbose and JSON output modes.
+
+ * systemd-timesyncd's configuration file gained a new option
+ RootDistanceMaxSec= for setting the maximum root distance of servers
+ it'll use, as well as the new options PollIntervalMinSec= and
+ PollIntervalMaxSec= to tweak the minimum and maximum poll interval.
+
+ * bootctl gained a new command "list" for listing all available boot
+ menu items on systems that follow the boot loader specification.
+
+ * systemctl gained a new --dry-run switch that shows what would be done
+ instead of doing it, and is currently supported by the shutdown and
+ sleep verbs.
+
+ * ConditionSecurity= can now detect the TOMOYO security module.
+
+ * Unit file [Install] sections are now also respected in unit drop-in
+ files. This is intended to be used by drop-ins under /usr/lib/.
+
+ * systemd-firstboot may now also set the initial keyboard mapping.
+
+ * Udev "changed" events for devices which are exposed as systemd
+ .device units are now propagated to units specified in
+ ReloadPropagatedFrom= as reload requests.
+
+ * If a udev device has a SYSTEMD_WANTS= property containing a systemd
+ unit template name (i.e. a name in the form of 'foobar@.service',
+ without the instance component between the '@' and - the '.'), then
+ the escaped sysfs path of the device is automatically used as the
+ instance.
+
+ * SystemCallFilter= in unit files has been extended so that an "errno"
+ can be specified individually for each system call. Example:
+ SystemCallFilter=~uname:EILSEQ.
+
+ * The cgroup delegation logic has been substantially updated. Delegate=
+ now optionally takes a list of controllers (instead of a boolean, as
+ before), which lists the controllers to delegate at least.
+
+ * The networkd DHCPv6 client now implements the FQDN option (RFC 4704).
+
+ * A new LogLevelMax= setting configures the maximum log level any
+ process of the service may log at (i.e. anything with a lesser
+ priority than what is specified is automatically dropped). A new
+ LogExtraFields= setting allows configuration of additional journal
+ fields to attach to all log records generated by any of the unit's
+ processes.
+
+ * New StandardInputData= and StandardInputText= settings along with the
+ new option StandardInput=data may be used to configure textual or
+ binary data that shall be passed to the executed service process via
+ standard input, encoded in-line in the unit file.
+
+ * StandardInput=, StandardOutput= and StandardError= may now be used to
+ connect stdin/stdout/stderr of executed processes directly with a
+ file or AF_UNIX socket in the file system, using the new "file:" option.
+
+ * A new unit file option CollectMode= has been added, that allows
+ tweaking the garbage collection logic for units. It may be used to
+ tell systemd to garbage collect units that have failed automatically
+ (normally it only GCs units that exited successfully). systemd-run
+ and systemd-mount expose this new functionality with a new -G option.
+
+ * "machinectl bind" may now be used to bind mount non-directories
+ (i.e. regularfiles, devices, fifos, sockets).
+
+ * systemd-analyze gained a new verb "calendar" for validating and
+ testing calendar time specifications to use for OnCalendar= in timer
+ units. Besides validating the expression it will calculate the next
+ time the specified expression would elapse.
+
+ * In addition to the pre-existing FailureAction= unit file setting
+ there's now SuccessAction=, for configuring a shutdown action to
+ execute when a unit completes successfully. This is useful in
+ particular inside containers that shall terminate after some workload
+ has been completed. Also, both options are now supported for all unit
+ types, not just services.
+
+ * networkds's IP rule support gained two new options
+ IncomingInterface= and OutgoingInterface= for configuring the incoming
+ and outgoing interfaces of configured rules. systemd-networkd also
+ gained support for "vxcan" network devices.
+
+ * networkd gained a new setting RequiredForOnline=, taking a
+ boolean. If set, systemd-wait-online will take it into consideration
+ when determining that the system is up, otherwise it will ignore the
+ interface for this purpose.
+
+ * The sd_notify() protocol gained support for a new operation: with
+ FDSTOREREMOVE=1 file descriptors may be removed from the per-service
+ store again, ahead of POLLHUP or POLLERR when they are removed
+ anyway.
+
+ * A new document doc/UIDS-GIDS.md has been added to the source tree,
+ that documents the UID/GID range and assignment assumptions and
+ requirements of systemd.
+
+ * The watchdog device PID 1 will ping may now be configured through the
+ WatchdogDevice= configuration file setting, or by setting the
+ systemd.watchdog_service= kernel commandline option.
+
+ * systemd-resolved's gained support for registering DNS-SD services on
+ the local network using MulticastDNS. Services may either be
+ registered by dropping in a .dnssd file in /etc/systemd/dnssd/ (or
+ the same dir below /run, /usr/lib), or through its D-Bus API.
+
+ * The sd_notify() protocol can now with EXTEND_TIMEOUT_USEC=microsecond
+ extend the effective start, runtime, and stop time. The service must
+ continue to send EXTEND_TIMEOUT_USEC within the period specified to
+ prevent the service manager from making the service as timedout.
+
+ * systemd-resolved's DNSSEC support gained support for RFC 8080
+ (Ed25519 keys and signatures).
+
+ * The systemd-resolve command line tool gained a new set of options
+ --set-dns=, --set-domain=, --set-llmnr=, --set-mdns=, --set-dnssec=,
+ --set-nta= and --revert to configure per-interface DNS configuration
+ dynamically during runtime. It's useful for pushing DNS information
+ into systemd-resolved from DNS hook scripts that various interface
+ managing software supports (such as pppd).
+
+ * systemd-nspawn gained a new --network-namespace-path= command line
+ option, which may be used to make a container join an existing
+ network namespace, by specifying a path to a "netns" file.
+
+ Contributions from: Alan Jenkins, Alan Robertson, Alessandro Ghedini,
+ Andrew Jeddeloh, Antonio Rojas, Ari, asavah, bleep_blop, Carsten
+ Strotmann, Christian Brauner, Christian Hesse, Clinton Roy, Collin
+ Eggert, Cong Wang, Daniel Black, Daniel Lockyer, Daniel Rusek, Dimitri
+ John Ledkov, Dmitry Rozhkov, Dongsu Park, Edward A. James, Evgeny
+ Vereshchagin, Florian Klink, Franck Bui, Gwendal Grignou, Hans de
+ Goede, Harald Hoyer, Hristo Venev, Iago López Galeiras, Ikey Doherty,
+ Jakub Wilk, Jérémy Rosen, Jiahui Xie, John Lin, José Bollo, Josef
+ Andersson, juga0, Krzysztof Nowicki, Kyle Walker, Lars Karlitski, Lars
+ Kellogg-Stedman, Lauri Tirkkonen, Lennart Poettering, Lubomir Rintel,
+ Luca Bruno, Lucas Werkmeister, Lukáš Nykrýn, Lukáš Říha, Lukasz
+ Rubaszewski, Maciej S. Szmigiero, Mantas Mikulėnas, Marcus Folkesson,
+ Martin Steuer, Mathieu Trudel-Lapierre, Matija Skala,
+ Matthias-Christian Ott, Max Resch, Michael Biebl, Michael Vogt, Michal
+ Koutný, Michal Sekletar, Mike Gilbert, Muhammet Kara, Neil Brown, Olaf
+ Hering, Ondrej Kozina, Patrik Flykt, Patryk Kocielnik, Peter Hutterer,
+ Piotr Drąg, Razvan Cojocaru, Robin McCorkell, Roland Hieber, Saran
+ Tunyasuvunakool, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon
+ Arlott, Simon Peeters, Stanislav Angelovič, Stefan Agner, Susant
+ Sahani, Sylvain Plantefève, Thomas Blume, Thomas Haller, Tiago Salem
+ Herrmann, Tinu Weber, Tom Stellard, Topi Miettinen, Torsten Hilbrich,
+ Vito Caputo, Vladislav Vishnyakov, WaLyong Cho, Yu Watanabe, Zbigniew
+ Jędrzejewski-Szmek, Zeal Jagannatha
+
+ — Berlin, 2017-12-14
+
CHANGES WITH 235:
+ * INCOMPATIBILITY: systemd-logind.service and other long-running
+ services now run inside an IPv4/IPv6 sandbox, prohibiting them any IP
+ communication with the outside. This generally improves security of
+ the system, and is in almost all cases a safe and good choice, as
+ these services do not and should not provide any network-facing
+ functionality. However, systemd-logind uses the glibc NSS API to
+ query the user database. This creates problems on systems where NSS
+ is set up to directly consult network services for user database
+ lookups. In particular, this creates incompatibilities with the
+ "nss-nis" module, which attempts to directly contact the NIS/YP
+ network servers it is configured for, and will now consistently
+ fail. In such cases, it is possible to turn off IP sandboxing for
+ systemd-logind.service (set IPAddressDeny= in its [Service] section
+ to the empty string, via a .d/ unit file drop-in). Downstream
+ distributions might want to update their nss-nis packaging to include
+ such a drop-in snippet, accordingly, to hide this incompatibility
+ from the user. Another option is to make use of glibc's nscd service
+ to proxy such network requests through a privilege-separated, minimal
+ local caching daemon, or to switch to more modern technologies such
+ sssd, whose NSS hook-ups generally do not involve direct network
+ access. In general, we think it's definitely time to question the
+ implementation choices of nss-nis, i.e. whether it's a good idea
+ today to embed a network-facing loadable module into all local
+ processes that need to query the user database, including the most
+ trivial and benign ones, such as "ls". For more details about
+ IPAddressDeny= see below.
+
* A new modprobe.d drop-in is now shipped by default that sets the
bonding module option max_bonds=0. This overrides the kernel default,
to avoid conflicts and ambiguity as to whether or not bond0 should be
A/AAAA resource record for the "_gateway" hostname, pointing to the
current default IP gateway. Previously it did that for the "gateway"
name, hampering adoption, as some distributions wanted to leave that
- host name open for local use. The old behaviour may still be
+ hostname open for local use. The old behaviour may still be
requested at build time.
* systemd-networkd's [Address] section in .network files gained a new
* systemd-nspawn gained support for a new --system-call-filter= command
line option for adding and removing entries in the default system
call filter it applies. Moreover systemd-nspawn has been changed to
- implement a system call whitelist instead of a blacklist.
+ implement a system call allow list instead of a deny list.
* systemd-run gained support for a new --pipe command line option. If
used the STDIN/STDOUT/STDERR file descriptors passed to systemd-run
(domain search list).
* systemd-networkd gained support for serving IPv6 address ranges using
- the Router Advertisment protocol. The new .network configuration
+ the Router Advertisement protocol. The new .network configuration
section [IPv6Prefix] may be used to configure the ranges to
serve. This is implemented based on a new, minimal, native server
implementation of RA.
systemd-logind to be safe. See
https://cgit.freedesktop.org/xorg/xserver/commit/?id=dc48bd653c7e101.)
- * All kernel install plugins are called with the environment variable
+ * All kernel-install plugins are called with the environment variable
KERNEL_INSTALL_MACHINE_ID which is set to the machine ID given by
- /etc/machine-id. If the file is missing or empty, the variable is
- empty and BOOT_DIR_ABS is the path of a temporary directory which is
- removed after all the plugins exit. So, if KERNEL_INSTALL_MACHINE_ID
- is empty, all plugins should not put anything in BOOT_DIR_ABS.
+ /etc/machine-id. If the machine ID could not be determined,
+ $KERNEL_INSTALL_MACHINE_ID will be empty. Plugins should not put
+ anything in the entry directory (passed as the second argument) if
+ $KERNEL_INSTALL_MACHINE_ID is empty. For backwards compatibility, a
+ temporary directory is passed as the entry directory and removed
+ after all the plugins exit.
+
+ * If KERNEL_INSTALL_MACHINE_ID is set in /etc/machine-info, kernel-install
+ will now use its value as the machine ID instead of the machine ID
+ from /etc/machine-id. If KERNEL_INSTALL_MACHINE_ID isn't set in
+ /etc/machine-info and no machine ID is set in /etc/machine-id,
+ kernel-install will try to store the current machine ID there as
+ KERNEL_INSTALL_MACHINE_ID. If there is no machine ID, kernel-install
+ will generate a new UUID, store it in /etc/machine-info as
+ KERNEL_INSTALL_MACHINE_ID and use it as the machine ID.
Contributions from: Adrian Heine né Lang, Aggelos Avgerinos, Alexander
Kurtz, Alexandros Frantzis, Alexey Brodkin, Alex Lu, Amir Pakdel, Amir
* sd-id128 gained a new API for generating unique IDs for the host in a
way that does not leak the machine ID. Specifically,
sd_id128_get_machine_app_specific() derives an ID based on the
- machine ID a in well-defined, non-reversible, stable way. This is
+ machine ID in a well-defined, non-reversible, stable way. This is
useful whenever an identifier for the host is needed but where the
identifier shall not be useful to identify the system beyond the
scope of the application itself. (Internally this uses HMAC-SHA256 as
that is removed when the container dies. Specifically, if the source
directory is specified as empty string this mechanism is selected. An
example usage is --overlay=+/var::/var, which creates an overlay
- mount based on the original /var contained in the image, overlayed
+ mount based on the original /var contained in the image, overlaid
with a temporary directory in the host's /var/tmp. This way changes
to /var are automatically flushed when the container shuts down.
* Documentation has been added that lists all of systemd's low-level
environment variables:
- https://github.com/systemd/systemd/blob/master/ENVIRONMENT.md
+ https://github.com/systemd/systemd/blob/master/docs/ENVIRONMENT.md
* sd-daemon gained a new API sd_is_socket_sockaddr() for determining
whether a specific socket file descriptor matches a specified socket
* Support for dynamically creating users for the lifetime of a service
has been added. If DynamicUser=yes is specified, user and group IDs
- will be allocated from the range 61184..65519 for the lifetime of the
+ will be allocated from the range 61184…65519 for the lifetime of the
service. They can be resolved using the new nss-systemd.so NSS
module. The module must be enabled in /etc/nsswitch.conf. Services
started in this way have PrivateTmp= and RemoveIPC= enabled, so that
counted multiple times, if it takes multiple references.
* sd-bus gained new API calls sd_bus_set_exit_on_disconnect() and
- sd_bus_get_exit_on_disconnect(). They may be used to to make a
+ sd_bus_get_exit_on_disconnect(). They may be used to make a
process using sd-bus automatically exit if the bus connection is
severed.
desired options.
* systemd now supports the "memory" cgroup controller also on
- cgroupsv2.
+ cgroup v2.
* The systemd-cgtop tool now optionally takes a control group path as
command line argument. If specified, the control group list shown is
with future releases) that the components link to. This should
decrease systemd footprint both in memory during runtime and on
disk. Note that the shared library is not for public use, and is
- neither API not ABI stable, but is likely to change with every new
+ neither API nor ABI stable, but is likely to change with every new
released update. Packagers need to make sure that binaries
linking to libsystemd-shared.so are updated in step with the
library.
booted up with "systemd-nspawn -b -i", qemu-kvm or on any physical
UEFI PC. This functionality is particularly useful to easily test
local changes made to systemd in a pristine, defined environment. See
- HACKING for details.
+ doc/HACKING for details.
* configure learned the --with-support-url= option to specify the
distribution's bugtracker.
again don't consider turning this on in your stable, LTS or
production release just yet. (Note that you have to enable
nss-resolve in /etc/nsswitch.conf, to actually use systemd-resolved
- and its DNSSEC mode for host name resolution from local
+ and its DNSSEC mode for hostname resolution from local
applications.)
* systemd-resolve conveniently resolves DANE records with the --tlsa
* The LimitNICE= setting now optionally takes normal UNIX nice values
in addition to the raw integer limit value. If the specified
- parameter is prefixed with "+" or "-" and is in the range -20..19 the
+ parameter is prefixed with "+" or "-" and is in the range -20…19 the
value is understood as UNIX nice value. If not prefixed like this it
is understood as raw RLIMIT_NICE limit.
d /run/lock/lockdev 0775 root lock -
+ * The settings StartLimitBurst=, StartLimitInterval=, StartLimitAction=
+ and RebootArgument= have been moved from the [Service] section of
+ unit files to [Unit], and they are now supported on all unit types,
+ not just service units. Of course, systemd will continue to
+ understand these settings also at the old location, in order to
+ maintain compatibility.
+
Contributions from: Abdo Roig-Maranges, Alban Crequy, Aleksander
Adamowski, Alexander Kuleshov, Andreas Pokorny, Andrei Borzenkov,
Andrew Wilcox, Arthur Clement, Beniamino Galvani, Casey Schaufler,
individual indexes.
* The various memory-related resource limit settings (such as
- LimitAS=) now understand the usual K, M, G, ... suffixes to
+ LimitAS=) now understand the usual K, M, G, … suffixes to
the base of 1024 (IEC). Similar, the time-related resource
- limit settings understand the usual min, h, day, ...
- suffixes now.
+ limit settings understand the usual min, h, day, … suffixes
+ now.
* There's a new system.conf setting DefaultTasksMax= to
control the default TasksMax= setting for services and
correct dequeuing of real-time signals, without losing
signal events.
- * When systemd requests a PolicyKit decision when managing
- units it will now add additional fields to the request,
- including unit name and desired operation. This enables more
- powerful PolicyKit policies, that make decisions depending
- on these parameters.
+ * When systemd requests a polkit decision when managing units it
+ will now add additional fields to the request, including unit
+ name and desired operation. This enables more powerful polkit
+ policies, that make decisions depending on these parameters.
* nspawn learnt support for .nspawn settings files, that may
accompany the image files or directories of containers, and
options and allows other programs to query the values.
* SELinux access control when enabling/disabling units is no
- longer enforced with this release. The previous
- implementation was incorrect, and a new corrected
- implementation is not yet available. As unit file operations
- are still protected via PolicyKit and D-Bus policy this is
- not a security problem. Yet, distributions which care about
- optimal SELinux support should probably not stabilize on
- this release.
+ longer enforced with this release. The previous implementation
+ was incorrect, and a new corrected implementation is not yet
+ available. As unit file operations are still protected via
+ polkit and D-Bus policy this is not a security problem. Yet,
+ distributions which care about optimal SELinux support should
+ probably not stabilize on this release.
* sd-bus gained support for matches of type "arg0has=", that
test for membership of strings in string arrays sent in bus
* New /etc/fstab options x-systemd.requires= and
x-systemd.requires-mounts-for= are now supported to express
additional dependencies for mounts. This is useful for
- journalling file systems that support external journal
+ journaling file systems that support external journal
devices or overlay file systems that require underlying file
systems to be mounted.
* systemd-importd gained support for verifying downloaded
images with gpg2 (previously only gpg1 was supported).
- * systemd-machined, systemd-logind, systemd: most bus calls
- are now accessible to unprivileged processes via
- PolicyKit. Also, systemd-logind will now allow users to kill
- their own sessions without further privileges or
- authorization.
+ * systemd-machined, systemd-logind, systemd: most bus calls are
+ now accessible to unprivileged processes via polkit. Also,
+ systemd-logind will now allow users to kill their own sessions
+ without further privileges or authorization.
* systemd-shutdownd has been removed. This service was
previously responsible for implementing scheduled shutdowns
fsck's progress report to an AF_UNIX socket in the file
system.
- * udev will no longer create device symlinks for all block
- devices by default. A blacklist for excluding special block
- devices from this logic has been turned into a whitelist
- that requires picking block devices explicitly that require
- device symlinks.
+ * udev will no longer create device symlinks for all block devices by
+ default. A deny list for excluding special block devices from this
+ logic has been turned into an allow list that requires picking block
+ devices explicitly that require device symlinks.
* A new (currently still internal) API sd-device.h has been
added to libsystemd. This modernized API is supposed to
* /usr/lib/os-release gained a new optional field VARIANT= for
distributions that support multiple variants (such as a
- desktop edition, a server edition, ...)
+ desktop edition, a server edition, …)
Contributions from: Aaro Koskinen, Adam Goode, Alban Crequy,
Alberto Fanjul Alonso, Alexander Sverdlin, Alex Puchades, Alin
for a unit, as declared in the (usually vendor-supplied)
system preset files.
- * nss-myhostname will now resolve the single-label host name
+ * nss-myhostname will now resolve the single-label hostname
"gateway" to the locally configured default IP routing
gateways, ordered by their metrics. This assigns a stable
name to the used gateways, regardless which ones are
currently configured. Note that the name will only be
resolved after all other name sources (if nss-myhostname is
configured properly) and should hence not negatively impact
- systems that use the single-label host name "gateway" in
+ systems that use the single-label hostname "gateway" in
other contexts.
* systemd-inhibit now allows filtering by mode when listing
* nspawn's --link-journal= switch gained two new values
"try-guest" and "try-host" that work like "guest" and
"host", but do not fail if the host has no persistent
- journalling enabled. -j is now equivalent to
+ journaling enabled. -j is now equivalent to
--link-journal=try-guest.
* macvlan network devices created by nspawn will now have
into account when storing rfkill state on disk, as the name
might be dynamically assigned and not stable. Instead, the
ID_PATH udev variable combined with the rfkill type (wlan,
- bluetooth, ...) is used.
+ bluetooth, …) is used.
* A new service systemd-machine-id-commit.service has been
added. When used on systems where /etc is read-only during
/run/systemd/user directory that was already previously
supported, but is under the control of the user.
- * Job timeouts (i.e. time-outs on the time a job that is
+ * Job timeouts (i.e. timeouts on the time a job that is
queued stays in the run queue) can now optionally result in
immediate reboot or power-off actions (JobTimeoutAction= and
JobTimeoutRebootArgument=). This is useful on ".target"
directly from now on, again.
* Support for the new ALLOW_INTERACTIVE_AUTHORIZATION D-Bus
- message flag has been added for all of systemd's PolicyKit
- authenticated method calls has been added. In particular
- this now allows optional interactive authorization via
- PolicyKit for many of PID1's privileged operations such as
- unit file enabling and disabling.
+ message flag has been added for all of systemd's polkit
+ authenticated method calls has been added. In particular this
+ now allows optional interactive authorization via polkit for
+ many of PID1's privileged operations such as unit file
+ enabling and disabling.
* "udevadm hwdb --update" learnt a new switch "--usr" for
placing the rebuilt hardware database in /usr instead of
* Calendar time specifications in .timer units now also
understand the strings "semi-annually", "quarterly" and
"minutely" as shortcuts (in addition to the preexisting
- "anually", "hourly", ...).
+ "annually", "hourly", …).
* systemd-tmpfiles will now correctly create files in /dev
at boot which are marked for creation only at boot. It is
well as the user/group databases, which should enhance
compatibility with certain tools like grpck.
- * A number of bus APIs of PID 1 now optionally consult
- PolicyKit to permit access for otherwise unprivileged
- clients under certain conditions. Note that this currently
- doesn't support interactive authentication yet, but this is
- expected to be added eventually, too.
+ * A number of bus APIs of PID 1 now optionally consult polkit to
+ permit access for otherwise unprivileged clients under certain
+ conditions. Note that this currently doesn't support
+ interactive authentication yet, but this is expected to be
+ added eventually, too.
* /etc/machine-info now has new fields for configuring the
deployment environment of the machine, as well as the
* We temporarily dropped the "-l" switch for fsck invocations,
since they collide with the flock() logic above. util-linux
upstream has been changed already to avoid this conflict,
- and we will readd "-l" as soon as util-linux with this
+ and we will re-add "-l" as soon as util-linux with this
change has been released.
* The dependency on libattr has been removed. Since a long
* Socket units gained a new Symlinks= setting. It takes a list
of symlinks to create to file system sockets or FIFOs
created by the specific Unix sockets. This is useful to
- manage symlinks to socket nodes with the same life-cycle as
+ manage symlinks to socket nodes with the same lifecycle as
the socket itself.
* The /dev/log socket and /dev/initctl FIFO have been moved to
* A new fsck.repair= kernel option has been added to control
how fsck shall deal with unclean file systems at boot.
- * The (.ini) configuration file parser will now silently
- ignore sections whose name begins with "X-". This may be
- used to maintain application-specific extension sections in unit
- files.
+ * The (.ini) configuration file parser will now silently ignore
+ sections whose names begin with "X-". This may be used to maintain
+ application-specific extension sections in unit files.
* machined gained a new API to query the IP addresses of
registered containers. "machinectl status" has been updated
where the local administrator's configuration in /etc always
overrides any other settings.
- Contributions fron: Ali H. Caliskan, Alison Chaiken, Bas van
+ Contributions from: Ali H. Caliskan, Alison Chaiken, Bas van
den Berg, Brandon Philips, Cristian Rodríguez, Daniel Buch,
Dan Kilman, Dave Reisner, David Härdeman, David Herrmann,
David Strauss, Dimitris Spingos, Djalal Harouni, Eelco
users who are logged out cannot continue to consume IPC
resources. This covers SysV memory, semaphores and message
queues as well as POSIX shared memory and message
- queues. Traditionally, SysV and POSIX IPC had no life-cycle
+ queues. Traditionally, SysV and POSIX IPC had no lifecycle
limits. With this functionality, that is corrected. This may
be turned off by using the RemoveIPC= switch of logind.conf.
also supports LUKS-encrypted partitions now. With this in
place, automatic discovery of partitions to mount following
the Discoverable Partitions Specification
- (https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec)
+ (https://systemd.io/DISCOVERABLE_PARTITIONS/)
is now a lot more complete. This allows booting without
/etc/fstab and without root= on the kernel command line on
systems prepared appropriately.
systemd-networkd.
* The sd-bus.h bus API gained a new sd_bus_track object for
- tracking the life-cycle of bus peers. Note that sd-bus.h is
+ tracking the lifecycle of bus peers. Note that sd-bus.h is
still not a public API though (unless you specify
--enable-kdbus on the configure command line, which however
voids your warranty and you get no API stability guarantee).
reported by uname()'s "machine" field.
* systemd-networkd now supports matching on the system
- virtualization, architecture, kernel command line, host name
+ virtualization, architecture, kernel command line, hostname
and machine ID.
* logind is now a lot more aggressive when suspending the
Wikipedia. We explicitly document which base applies for
each configuration option.
- * The DeviceAllow= setting in unit files now supports a syntax
- to whitelist an entire group of devices node majors at once,
- based on the /proc/devices listing. For example, with the
- string "char-pts", it is now possible to whitelist all
- current and future pseudo-TTYs at once.
+ * The DeviceAllow= setting in unit files now supports a syntax to
+ allow-list an entire group of devices node majors at once, based on
+ the /proc/devices listing. For example, with the string "char-pts",
+ it is now possible to allow-list all current and future pseudo-TTYs
+ at once.
* sd-event learned a new "post" event source. Event sources of
this type are triggered by the dispatching of any event
IFUNC. Please make sure to use --enable-compat-libs only
during a transitional period!
+ * The .include syntax has been deprecated and is not documented
+ anymore. Drop-in files in .d directories should be used instead.
+
Contributions from: Andreas Fuchs, Armin K., Colin Walters,
Daniel Mack, Dave Reisner, David Herrmann, Djalal Harouni,
Holger Schurig, Jason A. Donenfeld, Jason St. John, Jasper
match against MAC address, device path, driver name and type,
and will apply attributes like the naming policy, link speed,
MTU, duplex settings, Wake-on-LAN settings, MAC address, MAC
- address assignment policy (randomized, ...).
+ address assignment policy (randomized, …).
* The configuration of network interface naming rules for
"permanent interface names" has changed: a new NamePolicy=
recent boots with their times and boot IDs.
* The various tools like systemctl, loginctl, timedatectl,
- busctl, systemd-run, ... have gained a new switch "-M" to
+ busctl, systemd-run, … have gained a new switch "-M" to
connect to a specific, local OS container (as direct
connection, without requiring SSH). This works on any
container that is registered with machined, such as those
example, a line that creates /run/nologin).
* A new API "sd-resolve.h" has been added which provides a simple
- asynchronous wrapper around glibc NSS host name resolution
+ asynchronous wrapper around glibc NSS hostname resolution
calls, such as getaddrinfo(). In contrast to glibc's
getaddrinfo_a(), it does not use signals. In contrast to most
other asynchronous name resolution libraries, this one does
not reimplement DNS, but reuses NSS, so that alternate
- host name resolution systems continue to work, such as mDNS,
+ hostname resolution systems continue to work, such as mDNS,
LDAP, etc. This API is based on libasyncns, but it has been
cleaned up for inclusion in systemd.
option as supported by Debian is added. It allows indicating
which LUKS slot to use on disk, speeding up key loading.
- * The sd_journald_sendv() API call has been checked and
+ * The sd_journal_sendv() API call has been checked and
officially declared to be async-signal-safe so that it may
be invoked from signal handlers for logging purposes.
* If a privileged process logs a journal message with the
OBJECT_PID= field set, then journald will automatically
augment this with additional OBJECT_UID=, OBJECT_GID=,
- OBJECT_COMM=, OBJECT_EXE=, ... fields. This is useful if
+ OBJECT_COMM=, OBJECT_EXE=, … fields. This is useful if
system services want to log events about specific client
processes. journactl/systemctl has been updated to make use
of this information if all log messages regarding a specific
* 'systemctl status' will also shown information about any
drop-in configuration file for units. (Drop-In configuration
files in this context are files such as
- /etc/systemd/systemd/foobar.service.d/*.conf)
+ /etc/systemd/system/foobar.service.d/*.conf)
* systemd-cgtop now optionally shows summed up CPU times of
cgroups. Press '%' while running cgtop to switch between
only in conjunction with Gummiboot, but could be supported
by other boot loaders too. For details see:
- https://www.freedesktop.org/wiki/Software/systemd/BootLoaderInterface
+ https://systemd.io/BOOT_LOADER_INTERFACE
* A new generator has been added that automatically mounts the
EFI System Partition (ESP) to /boot, if that directory
the rest of the package. It also has been updated to work
correctly in initrds.
- * Policykit previously has been runtime optional, and is now
- also compile time optional via a configure switch.
+ * polkit previously has been runtime optional, and is now also
+ compile time optional via a configure switch.
* systemd-analyze has been reimplemented in C. Also "systemctl
dot" has moved into systemd-analyze.
* A new tool kernel-install has been added that can install
kernel images according to the Boot Loader Specification:
- https://www.freedesktop.org/wiki/Specifications/BootLoaderSpec
+ https://systemd.io/BOOT_LOADER_SPECIFICATION
* Boot time console output has been improved to provide
animated boot time output for hanging jobs.
based on a calendar time specification such as "Thu,Fri
2013-*-1,5 11:12:13" which refers to 11:12:13 of the first
or fifth day of any month of the year 2013, given that it is
- a thursday or friday. This brings timer event support
+ a Thursday or a Friday. This brings timer event support
considerably closer to cron's capabilities. For details on
the supported calendar time specification language see
systemd.time(7).
of these policies is now the default. Please see this wiki
document for details:
- https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames
+ https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html
* Auke Kok's bootchart implementation has been added to the
systemd tree. It is an optional component that can graph the
user/vendor or is automatically determined from ACPI and DMI
information if possible.
- * A number of PolicyKit actions are now bound together with
- "imply" rules. This should simplify creating UIs because
- many actions will now authenticate similar ones as well.
+ * A number of polkit actions are now bound together with "imply"
+ rules. This should simplify creating UIs because many actions
+ will now authenticate similar ones as well.
* Unit files learnt a new condition ConditionACPower= which
may be used to conditionalize a unit depending on whether an
to maintain the necessary patches downstream, or find a
different solution. (Talk to us if you have questions!)
- * Various systemd components will now bypass PolicyKit checks
- for root and otherwise handle properly if PolicyKit is not
- found to be around. This should fix most issues for
- PolicyKit-less systems. Quite frankly this should have been
- this way since day one. It is absolutely our intention to
- make systemd work fine on PolicyKit-less systems, and we
- consider it a bug if something does not work as it should if
- PolicyKit is not around.
+ * Various systemd components will now bypass polkit checks for
+ root and otherwise handle properly if polkit is not found to
+ be around. This should fix most issues for polkit-less
+ systems. Quite frankly this should have been this way since
+ day one. It is absolutely our intention to make systemd work
+ fine on polkit-less systems, and we consider it a bug if
+ something does not work as it should if polkit is not around.
* For embedded systems it is now possible to build udev and
systemd without blkid and/or kmod support.
inhibitors during their runtime. A simple way to achieve
that is to invoke the DE wrapped in an invocation of:
- systemd-inhibit --what=handle-power-key:handle-sleep-key:handle-lid-switch ...
+ systemd-inhibit --what=handle-power-key:handle-sleep-key:handle-lid-switch …
* Access to unit operations is now checked via SELinux taking
the unit file label and client process label into account.
when he over-mounts a non-empty directory.
* There are new specifiers that are resolved in unit files,
- for the host name (%H), the machine ID (%m) and the boot ID
+ for the hostname (%H), the machine ID (%m) and the boot ID
(%b).
Contributions from: Allin Cottrell, Auke Kok, Brandon Philips,
* journalctl gained the new "--header" switch to introspect
header data of journal files.
- * A new setting SystemCallFilters= has been added to services
- which may be used to apply blacklists or whitelists to
- system calls. This is based on SECCOMP Mode 2 of Linux 3.5.
+ * A new setting SystemCallFilters= has been added to services which may
+ be used to apply deny lists or allow lists to system calls. This is
+ based on SECCOMP Mode 2 of Linux 3.5.
* nspawn gained a new --link-journal= switch (and quicker: -j)
to link the container journal with the host. This makes it
should be used to create dead device nodes as workarounds for broken
subsystems.
- * udev: RUN+="socket:..." and udev_monitor_new_from_socket() is
+ * udev: RUN+="socket:…" and udev_monitor_new_from_socket() is
no longer supported. udev_monitor_new_from_netlink() needs to be
used to subscribe to events.
* A framework for implementing offline system updates is now
integrated, for details see:
- https://www.freedesktop.org/wiki/Software/systemd/SystemUpdates
+ https://www.freedesktop.org/software/systemd/man/systemd.offline-updates.html
* A new service type Type=idle is available now which helps us
avoiding ugly interleaving of getty output and boot status
* Processes with '@' in argv[0][0] are now excluded from the
final shut-down killing spree, following the logic explained
in:
- https://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons
+ https://systemd.io/ROOT_STORAGE_DAEMONS/
* All processes remaining in a service cgroup when we enter
the START or START_PRE states are now killed with
projects / systemd.git / blobdiff