]>
Commit | Line | Data |
---|---|---|
afe3ab58 | 1 | Bugfixes: |
c343be28 | 2 | |
54fcb619 ZJS |
3 | * Many manager configuration settings that are only applicable to user |
4 | manager or system manager can be always set. It would be better to reject | |
5 | them when parsing config. | |
6 | ||
5b326dee ZJS |
7 | * Jun 01 09:43:02 krowka systemd[1]: Unit user@1000.service has alias user@.service. |
8 | Jun 01 09:43:02 krowka systemd[1]: Unit user@6.service has alias user@.service. | |
9 | Jun 01 09:43:02 krowka systemd[1]: Unit user-runtime-dir@6.service has alias user-runtime-dir@.service. | |
10 | ||
f38afcd0 | 11 | External: |
f85857df | 12 | |
f38afcd0 | 13 | * Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros. |
bafb15ba | 14 | |
07eabc2b LB |
15 | * dbus: |
16 | - natively watch for dbus-*.service symlinks (PENDING) | |
17 | - teach dbus to activate all services it finds in /etc/systemd/services/org-*.service | |
18 | ||
19 | * kernel: add device_type = "fb", "fbcon" to class "graphics" | |
20 | ||
21 | * /usr/bin/service should actually show the new command line | |
22 | ||
23 | * fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus= | |
24 | ||
25 | * neither pkexec nor sudo initialize environ[] from the PAM environment? | |
26 | ||
27 | * fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it | |
28 | ||
29 | * register catalog database signature as file magic | |
30 | ||
31 | * zsh shell completion: | |
32 | - <command> <verb> -<TAB> should complete options, but currently does not | |
33 | - systemctl add-wants,add-requires | |
76c068b7 | 34 | - systemctl reboot --boot-loader-entry= |
07eabc2b LB |
35 | |
36 | * systemctl status should know about 'systemd-analyze calendar ... --iterations=' | |
37 | * If timer has just OnInactiveSec=..., it should fire after a specified time | |
38 | after being started. | |
39 | ||
40 | * write blog stories about: | |
41 | - hwdb: what belongs into it, lsusb | |
42 | - enabling dbus services | |
43 | - how to make changes to sysctl and sysfs attributes | |
44 | - remote access | |
45 | - how to pass throw-away units to systemd, or dynamically change properties of existing units | |
46 | - testing with Harald's awesome test kit | |
47 | - auto-restart | |
48 | - how to develop against journal browsing APIs | |
49 | - the journal HTTP iface | |
50 | - non-cgroup resource management | |
51 | - dynamic resource management with cgroups | |
52 | - refreshed, longer missions statement | |
53 | - calendar time events | |
54 | - init=/bin/sh vs. "emergency" mode, vs. "rescue" mode, vs. "multi-user" mode, vs. "graphical" mode, and the debug shell | |
55 | - how to create your own target | |
56 | - instantiated apache, dovecot and so on | |
57 | - hooking a script into various stages of shutdown/rearly booot | |
58 | ||
59 | Regularly: | |
60 | ||
61 | * look for close() vs. close_nointr() vs. close_nointr_nofail() | |
62 | ||
63 | * check for strerror(r) instead of strerror(-r) | |
64 | ||
65 | * pahole | |
66 | ||
67 | * set_put(), hashmap_put() return values check. i.e. == 0 does not free()! | |
68 | ||
69 | * use secure_getenv() instead of getenv() where appropriate | |
70 | ||
71 | * link up selected blog stories from man pages and unit files Documentation= fields | |
72 | ||
5e524b40 LP |
73 | Janitorial Clean-ups: |
74 | ||
5e524b40 LP |
75 | * Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again |
76 | ||
bb527e11 LP |
77 | * rework mount.c and swap.c to follow proper state enumeration/deserialization |
78 | semantics, like we do for device.c now | |
79 | ||
180efdb7 LP |
80 | * get rid of prefix_roota() and similar, only use chase_symlinks() and related |
81 | calls instead. | |
82 | ||
83 | * get rid of basename() and replace by path_extract_filename() | |
84 | ||
3345802c LP |
85 | Deprecations and removals: |
86 | ||
87 | * Remove any support for booting without /usr pre-mounted in the initrd entirely. | |
88 | Update INITRD_INTERFACE.md accordingly. | |
89 | ||
90 | * 2019-10 – Remove POINTINGSTICK_CONST_ACCEL references from the hwdb, see #9573 | |
c6407108 | 91 | |
b98445cd LP |
92 | * remove cgrouspv1 support EOY 2023. As per |
93 | https://lists.freedesktop.org/archives/systemd-devel/2022-July/048120.html | |
94 | and then rework cgroupsv2 support around fds, i.e. keep one fd per active | |
95 | unit around, and always operate on that, instead of cgroup fs paths. | |
96 | ||
3345802c LP |
97 | * drop support for kernels that lack ambient capabilities support (i.e. make |
98 | 4.3 new baseline). Then drop support for "!!" modifier for ExecStart= which | |
9eb41aab | 99 | is only supported for such old kernels. |
3345802c | 100 | |
9eb41aab | 101 | * drop support for getrandom()-less kernels. (GRND_INSECURE means once kernel |
3345802c | 102 | 5.6 becomes our baseline). See |
9eb41aab LP |
103 | https://github.com/systemd/systemd/pull/24101#issuecomment-1193966468 for |
104 | details. Maybe before that: at taint-flags/warn about kernels that lack | |
3345802c LP |
105 | getrandom()/environments where it is blocked. |
106 | ||
9eb41aab LP |
107 | * drop support for LOOP_CONFIGURE-less loopback block devices, once kernel |
108 | baseline is 5.8. | |
3345802c | 109 | |
dec6f619 LP |
110 | * drop fd_is_mount_point() fallback mess once we can rely on |
111 | STATX_ATTR_MOUNT_ROOT to exist i.e. kernel baseline 5.8 | |
112 | ||
3345802c | 113 | * rework our PID tracking in services and so on, to be strictly based on pidfd, |
9eb41aab | 114 | once kernel baseline is 5.13. |
3345802c | 115 | |
5a20b1aa LP |
116 | * ~2023: remove support for TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT |
117 | ||
3d4cbc3f LB |
118 | * H2 2023: remove support for unmerged-usr |
119 | ||
3345802c LP |
120 | Features: |
121 | ||
6d040d84 LP |
122 | * sd-stub: add ".bootcfg" section for kernel bootconfig data (as per |
123 | ||
124 | * tpm2: add (optional) support for generating a local signing key from PCR 15 | |
125 | state. use private key part to sign PCR 7+14 policies. stash signatures for | |
126 | expected PCR7+14 policies in EFI var. use public key part in disk encryption. | |
127 | generate new sigs whenever db/dbx/mok/mokx gets updated. that way we can | |
128 | securely bind against SecureBoot/shim state, without having to renroll | |
129 | everything on each update (but we still have to generate one sig on each | |
130 | update, but that should be robust/idempotent). needs rollback protection, as | |
131 | usual. | |
132 | ||
e8cb96ac LP |
133 | * Lennart: big blog story about DDIs |
134 | ||
135 | * Lennart: big blog story about building initrds | |
136 | ||
137 | * Lennart: big blog story about "why systemd-boot" | |
138 | ||
0cdb1a2f LP |
139 | * bpf: see if we can use BPF to solve the syslog message cgroup source problem: |
140 | one idea would be to patch source sockaddr of all AF_UNIX/SOCK_DGRAM to | |
141 | implicitly contain the source cgroup id. Another idea would be to patch | |
142 | sendto()/connect()/sendmsg() sockaddr on-the-fly to use a different target | |
143 | sockaddr. | |
144 | ||
145 | * bpf: see if we can address opportunistic inode sharing of immutable fs images | |
146 | with BPF. i.e. if bpf gives us power to hook into openat() and return a | |
147 | different inode than is requested for which we however it has same contents | |
148 | then we can use that to implement opportunistic inode sharing among DDIs: | |
149 | make all DDIs ship xattr on all reg files with a SHA256 hash. Then, also | |
150 | dictate that DDIs should come with a top-level subdir where all reg files are | |
151 | linked into by their SHA256 sum. Then, whenever an inode is opened with the | |
152 | xattr set, check bpf table to find dirs with hashes for other prior DDIs and | |
153 | try to use inode from there. | |
154 | ||
155 | * dissect too: add --with switch that will invoke a command with the image | |
156 | mounted, and as current working directory. Terminate once done. | |
157 | ||
158 | * extend the verity signature partition to permit multiple signatures for the | |
159 | same root hash, so that people can sign a single image with multiple keys. | |
160 | ||
efe7ab96 LP |
161 | * consider adding a new partition type, just for /opt/ for usage in system |
162 | extensions | |
163 | ||
164 | * gpt-auto-discovery: also use the pkcs7 signature stuff, and pass signature to | |
165 | kernel. So far we only did this for the various --image= switches, but not | |
166 | for the root fs or /usr/. | |
167 | ||
5bc58da2 LP |
168 | * extend systemd-measure with an --append= mode when signing expected PCR |
169 | measurements. In this mode the tool should read an existing signature JSON | |
170 | object (which primarily contains an array with the actual signature data), | |
171 | and then append the new signature to it instead of writing out an entirely | |
172 | JSON object. Usecase: it might make sense to to sign a UKI's expected PCRs | |
173 | with different keys for different boot phases. i.e. use keypair X for signing | |
174 | the expected PCR in the initrd boot phase and keypair Y for signing the | |
175 | expected PCR in the main boot phase. Via the --append logic we could merge | |
176 | these signatures into one object, and then include the result in the UKI. | |
177 | Then, if you bind a LUKS volume to public key X it really only can be | |
178 | unlocked during early boot, and you bind a LUKS volume to public key Y it | |
bcf04e9b | 179 | really only can be unlocked during later boot, and so on. |
5bc58da2 | 180 | |
9ef6330e LP |
181 | * dissection policy should enforce that unlocking can only take place by |
182 | certain means, i.e. only via pw, only via tpm2, or only via fido, or a | |
183 | combination thereof. | |
184 | ||
185 | * make the systemd-repart "seed" value provisionable via credentials, so that | |
186 | confidential computing environments can set it and deterministically | |
187 | enforce the uuids for partitions created, so that they can calculate PCR 15 | |
188 | ahead of time. | |
189 | ||
190 | * systemd-repart: also derive the volume key from the seed value, for the | |
191 | aforementioned purpose. | |
192 | ||
193 | * in the initrd: derive the default machine ID to pass to the host PID 1 via | |
194 | $machine_id from the same seed credential. | |
195 | ||
f87338fa DDM |
196 | * Add systemd-sysupdate-initrd.service or so that runs systemd-sysupdate in the |
197 | initrd to bootstrap the initrd to populate the initial partitions. Some things | |
198 | to figure out: | |
199 | - Should it run on firstboot or on every boot? | |
200 | - If run on every boot, should it use the sysupdate config from the host on | |
201 | subsequent boots? | |
202 | ||
9ef6330e LP |
203 | * hook up journald with TPMs? measure new journal records to the TPM in regular |
204 | intervals, validate the journal against current TPM state with that. (taking | |
205 | inspiration from IMA log) | |
206 | ||
c868e95e LP |
207 | * provide an API to apps to encrypt/decrypt credentials. usecase: allow |
208 | bluez bluetooth daemon to pass pairings to initrd that way, without shelling | |
209 | out to our tools. | |
210 | ||
924a329a LP |
211 | * revisit default PCR bindings in cryptenroll and systemd-creds. Currently they |
212 | use PCR 7 which should contain secureboot state db/dbx. Which sounded like a | |
213 | safe bet, given that it should change only on policy changes, and not | |
214 | software updates. But that's wrong. Recent fwupd (rightfully) contains code | |
215 | for updating the dbx denylist. This means even without any active policy | |
216 | change PCR 7 might change. Hence, better idea might be in systemd-creds to | |
6d040d84 LP |
217 | default to PCR 15 at least if sd-stub is used (i.e. bind to system identity), |
218 | and in cryptsetup simply the empty list? Also, PCR 14 almost certainly should | |
219 | be included as much as PCR 7 (as it contains shim's policy, which is | |
220 | certainly as relevant as PCR 7 on many systems) | |
924a329a LP |
221 | |
222 | * move discoverable partition spec and boot loader spec over to uapi group | |
223 | ||
224 | * maybe measure UUIDs of important mounted file systems (after mount, via the | |
225 | new ioctls to query them) into PCR 15? Add "x-systemd.measure-pcr=" or so for | |
226 | this that pulls in a per mount service? | |
227 | ||
228 | * measure /etc/machine-id during early boot into PCR 15? | |
229 | ||
230 | * To mimic the new tpm2-measure-pcr= crypttab option add the same to veritytab | |
231 | (measuring the root hash) and integritytab (measuring the HMAC key if one is | |
232 | used) | |
233 | ||
4554c178 LP |
234 | * We should start measuring all services, containers, and system extensions we |
235 | activate. probably into PCR 13. i.e. add --tpm2-measure-pcr= or so to | |
236 | systemd-nspawn, and MeasurePCR= to unit files. Should contain a measurement | |
237 | of the activated configuration and the image that is being activated (in case | |
238 | verity is used, hash of the root hash). | |
239 | ||
fd5dead7 LP |
240 | * whenever we measure something into a TPM PCR from userspace, write a record in |
241 | TCG's "Canonical Event Log" format to some file, so that we can reason about | |
242 | how PCR values we manage came to | |
243 | be. https://trustedcomputinggroup.org/resource/canonical-event-log-format/ | |
244 | ||
4d727f86 LP |
245 | * bootspec: permit graceful "update" from type #2 to type #1. If both a type #1 |
246 | and a type #2 entry exist under otherwise the exact same name, then use the | |
247 | type #1 entry, and ignore the type #2 entry. This way, people can "upgrade" | |
248 | from the UKI with all parameters baked in to a Type #1 .conf file with manual | |
7ff7eadf | 249 | parametrization, if needed. This matches our usual rule that admin config |
4d727f86 LP |
250 | should win over vendor defaults. |
251 | ||
252 | * sd-stub: optionally allow users to configure manual kernel command line even | |
253 | in SecureBoot by authenticating it via shim's APIs, integrating with MOK and | |
254 | similar: instead of authenticating just PE code shim should be capable of | |
255 | authenticating any kind of data for us, including files containing kernel | |
256 | command lines. | |
257 | ||
258 | * write a "search path" spec, that documents the prefixes to search in | |
259 | (i.e. the usual /etc/, /run/, /usr/lib/ dance, potentially /usr/etc/), how to | |
260 | sort found entries, how masking works and overriding. | |
261 | ||
262 | * automatic boot assessment: add one more default success check that just waits | |
263 | for a bit after boot, and blesses the boot if the system stayed up that long. | |
264 | ||
265 | * implement concept of "versioned" resources inside a dir, and write a spec for | |
266 | it. Make all tools in systemd, in particular | |
267 | RootImage=/RootDirectory=/--image=/--directory= implement this. Idea: | |
268 | directories ending in ".v/" indicate a directory with versioned resources in | |
269 | them. Versioned resources inside a .v dir are always named in the pattern | |
270 | <prefix>_<version>[+<tries-left>[-<tries-done>]].<suffix> | |
271 | ||
272 | * add support for using this .v/ logic on the root fs itself: in the initrd, | |
273 | after mounting the rootfs, look for root-<arch>.v/ in the root fs, and then | |
274 | apply the logic, moving the switch root logic there. | |
275 | ||
276 | * systemd-repart: add support for generating ISO9660 images | |
277 | ||
278 | * systemd-repart: in addition to the existing "factory reset" mode (which | |
279 | simply empties existing partitions marked for that). add a mode where | |
280 | partitions marked for it are entirely removed. Usecase: remove secondary OS | |
281 | copy, and redundant partitions entirely, and recreate them anew. | |
282 | ||
283 | * systemd-boot: maybe add support for collapsing menu entries of the same OS | |
284 | into one item that can be opened (like in a "tree view" UI element) or | |
285 | collapsed. If only a single OS is installed, disable this mode, but if | |
286 | multiple OSes are installed might make sense to default to it, so that user | |
287 | is not immediately bombarded with a multitude of Linux kernel versions but | |
288 | only one for each OS. | |
289 | ||
290 | * systemd-repart: if the GPT *disk* UUID (i.e. the one global for the entire | |
291 | disk) is set to all FFFFF then use this as trigger for factory reset, in | |
7ff7eadf | 292 | addition to the existing mechanisms via EFI variables and kernel command |
4d727f86 LP |
293 | line. Benefit: works also on non-EFI systems, and can be requested on one |
294 | boot, for the next. | |
295 | ||
296 | * figure out a sane way when building UKIs how to extract SBAT data from inner | |
297 | kernel, extend it with component info, and add to outer kernel. | |
298 | ||
299 | * systemd-sysupdate: make transport pluggable, so people can plug casync or | |
300 | similar behind it, instead of http. | |
301 | ||
302 | * systemd-tmpfiles: add concept for conditionalizing lines on factory reset | |
303 | boot, or on first boot. | |
304 | ||
305 | * in UKIs: add way to define allowlist of additional words that can be added to | |
306 | the kernel cmdline even in SecureBoot mode | |
307 | ||
a5a0da08 LP |
308 | * we probably needs .pcrpkeyrd or so as additional PE section in UKIs, |
309 | which contains a separate public key for PCR values that only apply in the | |
310 | initrd, i.e. in the boot phase "enter-initrd". Then, consumers in userspace | |
311 | can easily bind resources to just the initrd. Similar, maybe one more for | |
312 | "enter-initrd:leave-initrd" for resources that shall be accessible only | |
313 | before unprivileged user code is allowed. (we only need this for .pcrpkey, | |
314 | not for .pcrsig, since the latter is a list of signatures anyway). With that, | |
315 | when you enroll a LUKS volume or similar, pick either the .pcrkey (for | |
316 | coverage through all phases of the boot, but excluding shutdown), the | |
317 | .pcrpkeyrd (for coverage in the initrd only) and .pcrpkeybt (for coverage | |
318 | until users are allowed to log in). | |
319 | ||
320 | * Once the root fs LUKS volume key is measured into PCR 15, default to binding | |
321 | credentials to PCR 15 in "systemd-creds" | |
322 | ||
feffee70 LP |
323 | * add support for asymmetric LUKS2 TPM based encryption. i.e. allow preparing |
324 | an encrypted image on some host given a public key belonging to a specific | |
325 | other host, so that only hosts possessing the private key in the TPM2 chip | |
326 | can decrypt the volume key and activate the volume. Usecase: systemd-syscfg | |
327 | for a central orchestrator to generate syscfg images securely that can only | |
328 | be activated on one specific host (which can be used for installing a bunch | |
329 | of creds in /etc/credstore/ for example). Extending on this: allow binding | |
330 | LUKS2 TPM based encryption also to the TPM2 internal clock. Net result: | |
331 | prepare a syscfg image that can only be activated on a specific host that | |
332 | runs a specific software in a specific time window. syscfg would be | |
333 | automatically invalidated outside of it. | |
334 | ||
335 | * maybe add a "systemd-report" tool, that generates a TPM2-backed "report" of | |
336 | current system state, i.e. a combination of PCR information, local system | |
337 | time and TPM clock, running services, recent high-priority log | |
338 | messages/coredumps, system load/PSI, signed by the local TPM chip, to form an | |
339 | enhanced remote attestation quote. Usecase: a simple orchestrator could use | |
ae24e4e8 | 340 | this: have the report tool upload these reports every 3min somewhere. Then |
feffee70 LP |
341 | have the orchestrator collect these reports centrally over a 3min time |
342 | window, and use them to determine what which node should now start/stop what, | |
343 | and generate a small syscfg for each node, that uses Uphold= to pin services | |
344 | on each node. The syscfg would be encrypted using the asymmetric encryption | |
345 | proposed above, so that it can only be activated on the specific host, if the | |
346 | software is in a good state, and within a specific time frame. Then run a | |
347 | loop on each node that sends report to orchestrator and then sysupdate to | |
348 | update syscfg. Orchestrator would be stateless, i.e. operate on desired | |
349 | config and collected reports in the last 3min time window only, and thus can | |
350 | be trivially scaled up since all instances of the orchestrator should come to | |
351 | the same conclusions given the same inputs of reports/desired workload info. | |
352 | Could also be used to deliver Wireguard secrets and thus to clients, thus | |
353 | permitting zero-trust networking: secrets are rolled over via syscfg updates, | |
354 | and via the time window TPM logic invalidated if node doesn't keep itself | |
355 | updated, or becomes corrupted in some way. | |
356 | ||
357 | * Always measure the LUKS rootfs volume key into PCR 15, and derive the machine | |
358 | ID from it securely. This would then allow us to bind secrets a specific | |
359 | system securely. | |
360 | ||
361 | * nspawn: maybe allow TPM passthrough, backed by swtpm, and measure --image= | |
362 | hash into its PCR 11, so that nspawn instances can be TPM enabled, and | |
363 | partake in measurements/remote attestation and such. swtpm would run outside | |
364 | of control of container, and ideally would itself bind its encryption keys to | |
365 | host TPM. | |
366 | ||
de76643b LP |
367 | * tree-wide: convert as much as possible over to use sd_event_set_signal_exit(), instead |
368 | of manually hooking into SIGINT/SIGTERM | |
369 | ||
370 | * tree-wide: convert as much as possible over to SD_EVENT_SIGNAL_PROCMASK | |
371 | instead of manual blocking. | |
372 | ||
eb8817db LP |
373 | * sd-boot: for each installed OS, grey out older entries (i.e. all but the |
374 | newest), to indicate they are obsolete | |
375 | ||
d1666bde LP |
376 | * automatically propagate LUKS password credential into cryptsetup from host |
377 | (i.e. SMBIOS type #11, …), so that one can unlock LUKS via VM hypervisor | |
378 | supplied password. | |
7dad7811 | 379 | |
72a77377 LP |
380 | * add ability to path_is_valid() to classify paths that refer to a dir from |
381 | those which may refer to anything, and use that in various places to filter | |
382 | early. i.e. stuff ending in "/", "/." and "/.." definitely refers to a | |
383 | directory, and paths ending that way can be refused early in many contexts. | |
384 | ||
fdcc31b7 LP |
385 | * systemd-measure: allow operating with PEM certificates in addition to PEM |
386 | public keys when signing PCR values. SecureBoot and our Verity signatures | |
387 | operate with certificates already, hence I guess we should also just deal for | |
388 | convencience with certificates for the PCR stuff too. | |
389 | ||
390 | * systemd-measure: add --pcrpkey-auto as an alternative to --pcrpkey=, where it | |
391 | would just use the same public key specified with --public-key= (or the one | |
392 | automatically derived from --private-key=). | |
393 | ||
842beda4 LP |
394 | * tmpfiles: add new line type for setting btrfs subvolume attributes (i.e. rw/ro) |
395 | ||
396 | * tmpfiles: add new line type for setting fcaps | |
397 | ||
72a77377 LP |
398 | * push people to use ".sysext.raw" as suffix for sysext DDIs (DDI = |
399 | discoverable disk images, i.e. the new name for gpt disk images following the | |
400 | discoverable disk spec). [Also: just ".sysext/" for directory-based sysext] | |
401 | ||
402 | * Add "purpose" flag to partition flags in discoverable partition spec that | |
403 | indicate if partition is intended for sysext, for portable service, for | |
404 | booting and so on. Then, when dissecting DDI allow specifying a purpose to | |
405 | use as additional search condition. Usecase: images that combined a sysext | |
406 | partition with a portable service partition in one. | |
407 | ||
408 | * On boot, auto-generate an asymmetric key pair from the TPM, | |
409 | and use it for validating DDIs and credentials. Maybe upload it to the kernel | |
410 | keyring, so that the kernel does this validation for us for verity and kernel | |
411 | modules | |
412 | ||
413 | * for systemd-syscfg: add a tool that can generate suitable DDIs with verity + | |
414 | sig using squashfs-tools-ng's library. Maybe just systemd-repart called under | |
415 | a new name with a built-in config? | |
416 | ||
11357791 LP |
417 | * gpt-auto: generate mount units that reference partitions via |
418 | /dev/disk/by-diskseq/… so that they can't be swapped out behind our back. | |
419 | ||
4e0ceefe LP |
420 | * lock down acceptable encrypted credentials at boot, via simple allowlist, |
421 | maybe on kernel command line: | |
422 | systemd.import_encrypted_creds=foobar.waldo,tmpfiles.extra to protect locked | |
423 | down kernels from credentials generated on the host with a weak kernel | |
424 | ||
4e0ceefe LP |
425 | * Add support for extra verity configuration options to systemd-repart (FEC, |
426 | hash type, etc) | |
0fc40a0e | 427 | |
be429c8f LP |
428 | * chase_symlinks(): take inspiraton from path_extract_filename() and return |
429 | O_DIRECTORY if input path contains trailing slash. | |
430 | ||
4e0ceefe LP |
431 | * chase_symlinks(): refuse resolution if trailing slash is specified on input, |
432 | but final node is not a directory | |
be429c8f LP |
433 | |
434 | * chase_symlinks(): add new flag that simply refuses all symlink use in a path, | |
435 | then use that for accessing XBOOTLDR/ESP | |
436 | ||
437 | * document in boot loader spec that symlinks in XBOOTLDR/ESP are not OK even if | |
438 | non-VFAT fs is used. | |
439 | ||
a9f1bf40 LP |
440 | * measure credentials picked up from SMBIOS to some suitable PCR |
441 | ||
b7b7441d LP |
442 | * measure GPT and LUKS headers somewhere when we use them (i.e. in |
443 | systemd-gpt-auto-generator/systemd-repart and in systemd-cryptsetup?) | |
444 | ||
a9f1bf40 LP |
445 | * pick up creds from EFI vars |
446 | ||
80821405 LP |
447 | * sd-stub/sd-boot: write RNG seed to LINUX_EFI_RANDOM_SEED_TABLE_GUID config |
448 | table as well. (and possibly drop our efi var). Current kernels will pick up | |
449 | the seed from there already, if EFI_RNG_PROTOCOL is not implemented by | |
450 | firmware. | |
451 | ||
8680e40a LP |
452 | * sd-boot: include domain specific hash string in hash function for random seed |
453 | plus sizes of everything. also include DMI/SMBIOS blob | |
454 | ||
7f8258b4 LP |
455 | * sd-stub: invoke random seed logic the same way as in sd-boot, except if |
456 | random seed EFI variable is already set. That way, the variable set will be | |
457 | set in all cases: if you just use sd-stub, or just sd-boot, or both. | |
458 | ||
c794e280 LP |
459 | * sd-boot: we probably should include all BootXY EFI variable defined boot |
460 | entries in our menu, and then suppress ourselves. Benefit: instant | |
461 | compatibility with all other OSes which register things there, in particular | |
462 | on other disks. Always boot into them via NextBoot EFI variable, to not | |
463 | affect PCR values. | |
464 | ||
c0a74f62 LP |
465 | * systemd-measure tool: |
466 | - pre-calculate PCR 12 (command line) + PCR 13 (sysext) the same way we can precalculate PCR 11 | |
c0a74f62 | 467 | |
5b6e5d57 LP |
468 | * in sd-boot: load EFI drivers from a new PE section. That way, one can have a |
469 | "supercharged" sd-boot binary, that could carry ext4 drivers built-in. | |
470 | ||
1160267a LP |
471 | * sd-bus: document that sd_bus_process() only returns messages that non of the |
472 | filters/handlers installed on the connection took possession of. | |
473 | ||
812a8731 LP |
474 | * sd-device: add an API for acquiring list of child devices, given a device |
475 | objects (i.e. all child dirents that dirs or symlinks to dirs) | |
476 | ||
477 | * sd-device: maybe pin the sysfs dir with an fd, during the entire runtime of | |
478 | an sd_device, then always work based on that. | |
479 | ||
9f3a3ac7 LP |
480 | * add small wrapper around qemu that implements sd_notify/AF_VSOCK + machined and |
481 | maybe some other stuff and boots it | |
482 | ||
e1b45a75 | 483 | * maybe add new flags to gpt partition tables for rootfs and usrfs indicating |
9f3a3ac7 LP |
484 | purpose, i.e. whether something is supposed to be bootable in a VM, on |
485 | baremetal, on an nspawn-style container, if it is a portable service image, | |
486 | or a sysext for initrd, for host os, or for portable container. Then hook | |
487 | portabled/… up to udev to watch block devices coming up with the flags set, and | |
488 | use it. | |
489 | ||
b89cfe8a LP |
490 | * sd-boot should look for information what to boot in SMBIOS, too, so that VM |
491 | managers can tell sd-boot what to boot into and suchlike | |
492 | ||
c0432917 LP |
493 | * PID 1 should look for an SMBIOS variable that encodes an AF_VSOCK address it |
494 | should send sd_notify() ready notifications to. That way a VMM can boot up a | |
495 | system, and generically know when it finished booting. | |
496 | ||
52cd58b8 LP |
497 | * add "systemd-sysext identify" verb, that you can point on any file in /usr/ |
498 | and that determines from which overlayfs layer it originates, which image, and with | |
499 | what it was signed. | |
500 | ||
bbe29ca2 LP |
501 | * journald: generate recognizable log events whenever we shutdown journald |
502 | cleanly, and when we migrate run → var. This way tools can verify that a | |
503 | previous boot terminated cleanly, because either of these two messages must | |
504 | be safely written to disk, then. | |
505 | ||
0fde330d LP |
506 | * systemd-creds: extend encryption logic to support asymmetric |
507 | encryption/authentication. Idea: add new verb "systemd-creds public-key" | |
508 | which generates a priv/pub key pair on the TPM2 and stores the priv key | |
509 | locally in /var. It then outputs a certificate for the pub part to stdout. | |
510 | This can then be copied/taken elsewhere, and can be used for encrypting creds | |
511 | that only the host on its specific hw can decrypt. Then, support a drop-in | |
512 | dir with certificates that can be used to authenticate credentials. Flow of | |
513 | operations is then this: build image with owner certificate, then after | |
514 | boot up issue "systemd-creds public-key" to acquire pubkey of the machine. | |
515 | Then, when passing data to the machine, sign with privkey belonging to one of | |
516 | the dropped in certs and encrypted with machine pubkey, and pass to machine. | |
517 | Machine is then able to authenticate you, and confidentiality is guaranteed. | |
518 | ||
bbe29ca2 LP |
519 | * building on top of the above, the pub/priv key pair generated on the TPM2 |
520 | should probably also one you can use to get a remote attestation quote. | |
521 | ||
8c776523 | 522 | * bootctl: add "gc" verb that loads all type #1 .conf files, and then removes |
1aad75ef LP |
523 | all files from the set of files from the ESP/XBOOTLDR matching the entry |
524 | token that are not referenced by any. Then, change kernel-install to use only | |
525 | this to remove auxiliary files, and never remove them explicitly. Benefit: | |
526 | resources such as initrds/kernels/dtb can be shared between entries. | |
8c776523 | 527 | |
d1666bde LP |
528 | * Process credentials in: |
529 | • networkd/udevd: add a way to define additional .link, .network, .netdev files | |
530 | via the credentials logic. | |
531 | • fstab-generator: allow defining additional fstab-like mounts via | |
532 | credentials (similar: crypttab-generator, verity-generator, | |
533 | integrity-generator) | |
534 | • getty-generator: allow defining additional getty instances via a credential | |
535 | • run-generator: allow defining additional commands to run via a credential | |
536 | • resolved: allow defining additional /etc/hosts entries via a credential (it | |
537 | might make sense to then synthesize a new combined /etc/hosts file in /run | |
538 | and bind mount it on /etc/hosts for other clients that want to read it. | |
539 | Similar, allow picking up DNS server IP addresses from credential. | |
540 | • repart: allow defining additional partitions via credential | |
541 | • timesyncd: pick NTP server info from credential | |
542 | • portabled: read a credential "portable.extra" or so, that takes a list of | |
543 | file system paths to enable on start. | |
544 | • make systemd-fstab-generator look for a system credential encoding root= or | |
545 | usr= | |
546 | • systemd-homed: when initializing, look for a credential | |
547 | systemd.homed.register or so with JSON user records to automatically | |
548 | register if not registered yet. Usecase: deploy a system, and add an | |
549 | account one can directly log into. | |
550 | • initialize machine ID from systemd credential picked up from the ESP via | |
551 | sd-stub, so that machine ID is stable even on systems where unified kernels | |
552 | are used, and hence kernel cmdline cannot be modified locally | |
553 | • in gpt-auto-generator: check partition uuids against such uuids supplied via | |
554 | sd-stub credentials. That way, we can support parallel OS installations with | |
555 | pre-built kernels. | |
bbe29ca2 | 556 | |
f95db4d6 LP |
557 | * define a JSON format for units, separating out unit definitions from unit |
558 | runtime state. Then, expose it: | |
559 | ||
560 | 1. Add Describe() method to Unit D-Bus object that returns a JSON object | |
561 | about the unit. | |
562 | 2. Expose this natively via Varlink, in similar style | |
563 | 3. Use it when invoking binaries (i.e. make PID 1 fork off systemd-executor | |
564 | binary which reads the JSON definition and runs it), to address the cow | |
565 | trap issue and the fact that NSS is actually forbidden in | |
566 | forked-but-not-exec'ed children | |
567 | 4. Add varlink API to run transient units based on provided JSON definitions | |
568 | ||
81a96518 LP |
569 | * show SUPPORT_END= data in "hostnamectl" output (and thus also expose a prop |
570 | for this on dbus) | |
571 | ||
572 | * Add SUPPORT_END_URL= field to os-release with more *actionable* information | |
573 | what to do if support ended | |
574 | ||
575 | * pam_systemd: on interactive logins, maybe show SUPPORT_END information at | |
576 | login time, á la motd | |
577 | ||
e1b45a75 | 578 | * sd-boot: instead of unconditionally deriving the ESP to search boot loader |
9c18b363 | 579 | spec entries in from the paths of sd-boot binary, let's optionally allow it |
e1b45a75 | 580 | to be configured on sd-boot cmdline + efi var. Usecase: embed sd-boot in the |
9c18b363 | 581 | UEFI firmware (for example, ovmf supports that via qemu cmdline option), and |
e1b45a75 | 582 | use it to load stuff from the ESP. |
9c18b363 | 583 | |
b467422b LP |
584 | * mount /var/ from initrd, so that we can apply sysext and stuff before the |
585 | initrd transition. Specifically: | |
586 | 1. There should be a var= kernel cmdline option, matching root= and usr= | |
587 | 2. systemd-gpt-auto-generator should auto-mount /var if it finds it on disk | |
588 | 3. mount.x-initrd mount option in fstab should be implied for /var | |
589 | ||
590 | * implement varlink introspection | |
591 | ||
2df264e6 LP |
592 | * we should probably drop all use of prefix_roota() and friends, and use |
593 | chase_symlinks() instead | |
594 | ||
d486b26f | 595 | * make persistent restarts easier by adding a new setting OpenPersistentFile= |
47b86590 | 596 | or so, which allows opening one or more files that is "persistent" across |
d486b26f LP |
597 | service restarts, hot reboot, cold reboots (depending on configuration): the |
598 | files are created empty on first invocation, and on subsequent invocations | |
599 | the files are reboot. The files would be backed by tmpfs, pmem or /var | |
600 | depending on desired level of persistency. | |
601 | ||
602 | * sd-event: add ability to "chain" event sources. Specifically, add a call | |
603 | sd_event_source_chain(x, y), which will automatically enable event source y | |
604 | in oneshit mode once x is triggered. Use case: in src/core/mount.c implement | |
605 | the /proc/self/mountinfo rescan on SIGCHLD with this: whenever a SIGCHLD is | |
606 | seen, trigger the rescan defer event source automatically, and allow it to be | |
607 | dispatched *before* the SIGCHLD is handled (based on priorities). Benefit: | |
608 | dispatch order is strictly controlled by priorities again. (next step: chain | |
609 | event sources to the ratelimit being over) | |
610 | ||
611 | * if we fork of a service with StandardOutput=journal, and it forks off a | |
612 | subprocess that quickly dies, we might not be able to identify the cgroup it | |
613 | comes from, but we can still derive that from the stdin socket its output | |
614 | came from. We apparently don't do that right now. | |
615 | ||
d486b26f LP |
616 | * add ability to set hostname with suffix derived from machine id at boot |
617 | ||
d486b26f LP |
618 | * add PR_SET_DUMPABLE service setting |
619 | ||
027301b4 LP |
620 | * homed/userdb: maybe define a "companion" dir for home directories where apps |
621 | can safely put privileged stuff in. Would not be writable by the user, but | |
622 | still conceptually belong to the user. Would be included in user's quota if | |
623 | possible, even if files are not owned by UID of user. Usecase: container | |
624 | images that owned by arbitrary UIDs, and are owned/managed by the users, but | |
625 | are not directly belonging to the user's UID. Goal: we shouldn't place more | |
626 | privileged dirs inside of unprivileged dirs, and thus containers really | |
627 | should not be placed inside of traditional UNIX home dirs (which are owned by | |
3881fd40 | 628 | users themselves) but somewhere else, that is separate, but still close |
027301b4 LP |
629 | by. Inform user code about path to this companion dir via env var, so that |
630 | container managers find it. the ~/.identity file is also a candidate for a | |
631 | file to move there, since it is managed by privileged code (i.e. homed) and | |
632 | not unprivileged code. | |
633 | ||
634 | * given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that | |
635 | that hooks up userbdctl ssh-key stuff. | |
636 | ||
3a466def LP |
637 | * maybe add support for binding and connecting AF_UNIX sockets in the file |
638 | system outside of the 108ch limit. When connecting, open O_PATH fd to socket | |
639 | inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink | |
640 | to target dir in /tmp, and bind through it. | |
641 | ||
fd74ed23 LP |
642 | * add a proper concept of a "developer" mode, i.e. where cryptographic |
643 | protections of the root OS are weakened after interactive confirmation, to | |
644 | allow hackers to allow their own stuff. idea: allow entering developer mode | |
645 | only via explicit choice in boot menu: i.e. add explicit boot menu item for | |
646 | it. when developer mode is entered generate a key pair in the TPM2, and add | |
647 | the public part of it automatically to keychain of valid code signature keys | |
648 | on subsequent boots. Then provide a tool to sign code with the key in the | |
649 | TPM2. Ensure that boot menu item is only way to enter developer mode, by | |
650 | binding it to locality/PCRs so that that keys cannot be generated otherwise. | |
651 | ||
652 | * services: add support for cryptographically unlocking per-service directories | |
653 | via TPM2. Specifically, for StateDirectory= (and related dirs) use fscrypt to | |
654 | set up the directory so that it can only be accessed if host and app are in | |
655 | order. | |
656 | ||
1d5f14ef LP |
657 | * TPM2: extend unlock policy to protect against version downgrades in signed |
658 | policies: policy probably must take some nvram based generation counter into | |
659 | account that can only monotonically increase and can be used to invalidate | |
660 | old PCR signatures. Otherwise people could downgrade to old signed PCR sets | |
661 | whenever they want. | |
98045d12 LP |
662 | |
663 | * update HACKING.md to suggest developing systemd with the ideas from: | |
664 | https://0pointer.net/blog/testing-my-system-code-in-usr-without-modifying-usr.html | |
665 | https://0pointer.net/blog/running-an-container-off-the-host-usr.html | |
666 | ||
667 | * add a clear concept how the initrd can make up credentials on their own to | |
668 | pass to the system when transitioning into the host OS. usecase: things like | |
669 | cloud-init/ignitation and similar can parameterize the host with data they | |
670 | acquire. | |
671 | ||
8b825133 LP |
672 | * sd-event: compat wd reuse in inotify code: keep a set of removed watch |
673 | descriptors, and clear this set piecemeal when we see the IN_IGNORED event | |
674 | for it, or when read() returns EAGAIN or on IN_Q_OVERFLOW. Then, whenever we | |
675 | see an inotify wd event check against this set, and if it is contained ignore | |
8ac6b05b | 676 | the event. (to be fully correct this would have to count the occurrences, in |
8b825133 LP |
677 | case the same wd is reused multiple times before we start processing |
678 | IN_IGNORED again) | |
679 | ||
5b06ad51 LP |
680 | * systemd-fstab-generator: support addition mount specifications via kernel |
681 | cmdline. Usecase: invoke a VM, and mount a host homedir into it via | |
682 | virtio-fs. | |
683 | ||
684 | * for vendor-built signed initrds: | |
62471289 | 685 | - make sysext run in the initrd |
5b06ad51 | 686 | - sysext should pick up sysext images from /.extra/ in the initrd, and insist |
62471289 | 687 | on verification if in secureboot mode |
5b06ad51 LP |
688 | - kernel-install should be able to install pre-built unified kernel images in |
689 | type #2 drop-in dir in the ESP. | |
62471289 LP |
690 | - kernel-install should be able install encrypted creds automatically for |
691 | machine id, root pw, rootfs uuid, resume partition uuid, and place next to | |
692 | EFI kernel, for sd-stub to pick them up. These creds should be locked to | |
693 | the TPM, and bind to the right PCR the kernel is measured to. | |
11b957b5 LP |
694 | - kernel-install should be able to pick up initrd sysexts automatically and |
695 | place them next to EFI kernel, for sd-stub to pick them up. | |
5b06ad51 LP |
696 | - systemd-fstab-generator should look for rootfs device to mount in creds |
697 | - pid 1 should look for machine ID in creds | |
62471289 | 698 | - systemd-resume-generator should look for resume partition uuid in creds |
11b957b5 LP |
699 | - sd-stub: automatically pick up microcode from ESP (/loader/microcode/*) |
700 | and synthesize initrd from it, and measure it. Signing is not necessary, as | |
701 | microcode does that on its own. Pass as first initrd to kernel. | |
5b06ad51 | 702 | |
2df2bb1f LP |
703 | * Add a new service type very similar to Type=notify, that goes one step |
704 | further and extends the protocol to cover reloads. Specifically, SIGHUP will | |
705 | become the official way to reload, and daemon has to respond with sd_notify() | |
706 | to report when it starts reloading, and when it is complete reloading. Care | |
707 | must be taken to remove races from this model. I.e. PID 1 needs to take | |
708 | CLOCK_MONOTONIC, then send SIGHUP, then wait for at least one RELOADING=1 | |
709 | message that comes with a newer timestamp, then wait for a READY=1 message. | |
710 | while we are at it, also maybe extend the logic to require handling of some | |
711 | specific SIGRT signal for setting debug log level, that carries the level via | |
712 | the sigqueue() data parameter. With that we extended with minimal logic the | |
713 | service runtime logic quite substantially. | |
714 | ||
5645b497 LP |
715 | * firstboot: maybe just default to C.UTF-8 locale if nothing is set, so that we |
716 | don't query this unnecessarily in entirely uninitialized | |
717 | containers. (i.e. containers with empty /etc). | |
718 | ||
598e4315 | 719 | * beef up sd_notify() to support AV_VSOCK in $NOTIFY_SOCKET, so that VM |
197be532 LP |
720 | managers can get ready notifications from VMs, just like container managers |
721 | from their payload. Also pick up address from qemu/fw_cfg if set there. | |
722 | (which has benefits, given SecureBoot and kernel cmdline are not necessarily | |
723 | friends.) | |
598e4315 | 724 | |
c0da575a LP |
725 | * mirroring this: maybe support binding to AV_VSOCK in Type=notify services, |
726 | then passing $NOTIFY_SOCKET and $NOTIFY_GUESTCID with PID1's cid (typically | |
727 | fixed to "2", i.e. the official host cid) and the expected guest cid, for the | |
3a258d3a | 728 | two sides of the channel. The latter env var could then be used in an |
c0da575a LP |
729 | appropriate qemu cmdline. That way qemu payloads could talk sd_notify() |
730 | directly to host service manager. | |
731 | ||
598e4315 LP |
732 | * maybe write a tool that binds an AF_VFSOCK socket, then invokes qemu, |
733 | extending the command line to enable vsock on the VM, and using fw_cfg to | |
734 | configure socket address. | |
735 | ||
3e3c49cb LP |
736 | * sd-boot: rework random seed handling following recent kernel changes: always |
737 | pass seed to kernel, but credit only if secure boot is used | |
738 | ||
127927b2 LP |
739 | * sd-boot: also include the hyperv "vm generation id" in the random seed hash, |
740 | to cover nicely for machine clones. It's found in the ACPI tables, which | |
741 | should be easily accessible from UEFI. | |
742 | ||
3e3c49cb LP |
743 | * sd-boot: add menu item for shutdown? or hotkey? |
744 | ||
2cf120f7 LP |
745 | * sd-device has an API to create an sd_device object from a device id, but has |
746 | no api to query the device id | |
747 | ||
748 | * sd-device should return the devnum type (i.e. 'b' or 'c') via some API for an | |
749 | sd_device object, so that data passed into sd_device_new_from_devnum() can | |
750 | also be queried. | |
751 | ||
5b89bff5 LP |
752 | * sd-event: optionally, if per-event source rate limit is hit, downgrade |
753 | priority, but leave enabled, and once ratelimit window is over, upgrade | |
754 | priority again. That way we can combat event source starvation without | |
755 | stopping processing events from one source entirely. | |
756 | ||
e4f92a62 LP |
757 | * sd-event: similar to existing inotify support add fanotify support (given |
758 | that apparently new features in this area are only going to be added to the | |
759 | latter). | |
5b89bff5 LP |
760 | |
761 | * sd-event: add 1st class event source for clock changes | |
762 | ||
763 | * sd-event: add 1st class event source for timezone changes | |
764 | ||
9e83d3e4 LP |
765 | * support uefi/http boots with sd-boot: instead of looking for dropin files in |
766 | /loader/entries/ dir, look for a file /loader/entries/SHA256SUMS and use that | |
767 | as directory manifest. The file would be a standard directory listing as | |
768 | generated by GNU sha256sums. | |
769 | ||
47a9f917 LP |
770 | * sd-boot: maybe add support for embedding the various auxiliary resources we |
771 | look for right in the sd-boot binary. i.e. take inspiration from sd-stub | |
772 | logic: allow combining sd-boot via objcopy with kernels to enumerate, .conf | |
773 | files, drivers, keys to enroll and so on. Then, add whatever we find that way | |
774 | to the menu. Usecase: allow building a single PE image you can boot into via | |
775 | UEFI HTTP boot. | |
776 | ||
777 | * maybe add a new UEFI stub binary "sd-http". It works similar to sd-stub, but | |
778 | all it does is download a file from a http server, and execute it, after | |
779 | optionally checking its hash sum. idea would be: combine this "sd-http" stub | |
780 | binary with some minimal info about an URL + hash sum, plus .osrel data, and | |
781 | drop it into the unified kernel dir in the ESP. And bam you have something | |
782 | that is tiny, feels a lot like a unified kernel, but all it does is chainload | |
783 | the real kernel. benefit: downloading these stubs would be tiny and quick, | |
784 | hence cheap for enumeration. | |
785 | ||
d360eafb LP |
786 | * sysext: measure all activated sysext into a TPM PCR |
787 | ||
788 | * maybe add a "syscfg" concept, that is almost entirely identical to "sysext", | |
789 | but operates on /etc/ instead of /usr/ and /opt/. Use case would be: trusted, | |
790 | authenticated, atomic, additive configuration management primitive: drop in a | |
791 | configuration bundle, and activate it, so that it is instantly visible, | |
792 | comprehensively. | |
793 | ||
794 | * systemd-dissect: show available versions inside of a disk image, i.e. if | |
795 | multiple versions are around of the same resource, show which ones. (in other | |
796 | words: show partition labels). | |
797 | ||
798 | * systemd-nspawn: make boot assessment do something sensible in a | |
799 | container. i.e send an sd_notify() from payload to container manager once | |
800 | boot-up is completed successfully, and use that in nspawn for dealing with | |
801 | boot counting, implemented in the partition table labels and directory names. | |
802 | ||
803 | * maybe add a generator that reads /proc/cmdline, looks for | |
804 | systemd.pull-raw-portable=, systemd-pull-raw-sysext= and similar switches | |
805 | that take an URL as parameter. It then generates service units for | |
b17a681b | 806 | systemd-pull calls that download these URLs if not installed yet. usecase: |
d360eafb LP |
807 | invoke a VM or nspawn container in a way it automatically deploys/runs these |
808 | images as OS payloads. i.e. have a generic OS image you can point to any | |
809 | payload you like, which is then downloaded, securely verified and run. | |
810 | ||
dca92ca3 LP |
811 | * improve scope units to support creation by pidfd instead of by PID |
812 | ||
e4f92a62 | 813 | * deprecate cgroupsv1 further (print log message at boot) |
f1a147f2 LP |
814 | |
815 | * systemd-dissect: add --cat switch for dumping files such as /etc/os-release | |
816 | ||
f5d0f21c LP |
817 | * per-service sandboxing option: ProtectIds=. If used, will overmount |
818 | /etc/machine-id and /proc/sys/kernel/random/boot_id with synthetic files, to | |
819 | make it harder for the service to identify the host. Depending on the user | |
820 | setting it should be fully randomized at invocation time, or a hash of the | |
821 | real thing, keyed by the unit name or so. Of course, there are other ways to | |
822 | get these IDs (e.g. journal) or similar ids (e.g. MAC addresses, DMI ids, CPU | |
823 | ids), so this knob would only be useful in combination with other lockdown | |
824 | options. Particularly useful for portable services, and anything else that | |
825 | uses RootDirectory= or RootImage=. (Might also over-mount | |
826 | /sys/class/dmi/id/*{uuid,serial} with /dev/null). | |
827 | ||
63a185dc LP |
828 | * journalctl/timesyncd: whenever timesyncd acquires a synchronization from NTP, |
829 | create a structured log entry that contains boot ID, monotonic clock and | |
830 | realtime clock (I mean, this requires no special work, as these three fields | |
831 | are implicit). Then in journalctl when attempting to display the realtime | |
832 | timestamp of a log entry, first search for the closest later log entry | |
833 | of this kinda that has a matching boot id, and convert the monotonic clock | |
834 | timestamp of the entry to the realtime clock using this info. This way we can | |
835 | retroactively correct the wallclock timestamps, in particular for systems | |
836 | without RTC, i.e. where initially wallclock timestamps carry rubbish, until | |
837 | an NTP sync is acquired. | |
838 | ||
45cab6e3 LP |
839 | * kernel-install: |
840 | - add --all switch for rerunning kernel-install for all installed kernels | |
841 | - maybe add env var that shortcuts kernel-install for installers that want to | |
842 | call it at the end only | |
843 | ||
a57d72ce LP |
844 | * doc: prep a document explaining resolved's internal objects, i.e. Query |
845 | vs. Question vs. Transaction vs. Stream and so on. | |
846 | ||
a5a316e7 LP |
847 | * doc: prep a document explaining PID 1's internal logic, i.e. transactions, |
848 | jobs, units | |
849 | ||
a57d72ce | 850 | * bootspec: bring UEFI and userspace enumeration of bootspec entries back into |
95150f3f LP |
851 | sync, i.e. parse out architecture field in sd-boot (currently only done in |
852 | userspace) | |
a57d72ce | 853 | |
594f64f4 LP |
854 | * automatically ignore threaded cgroups in cg_xyz(). |
855 | ||
e6f48be8 LP |
856 | * add linker script that implicitly adds symbol for build ID and new coredump |
857 | json package metadata, and use that when logging | |
858 | ||
f08e143c LP |
859 | * systemd-dissect: show GPT disk UUID in output |
860 | ||
d1666bde | 861 | * Enable RestrictFileSystems= for all our long-running services (similar: |
f08e143c LP |
862 | RestrictNetworkInterfaces=) |
863 | ||
864 | * Add systemd-analyze security checks for RestrictFileSystems= and | |
865 | RestrictNetworkInterfaces= | |
866 | ||
1ccfb792 LP |
867 | * cryptsetup/homed: implement TOTP authentication backed by TPM2 and its |
868 | internal clock. | |
869 | ||
1ccfb792 | 870 | * nspawn: optionally set up nftables/iptables routes that forward UDP/TCP |
f08e143c | 871 | traffic on port 53 to resolved stub 127.0.0.54 |
e0c311b1 | 872 | |
f5ba8115 LP |
873 | * man: rework os-release(5), and clearly separate our extension-release.d/ and |
874 | initrd-release parts, i.e. list explicitly which fields are about what. | |
875 | ||
876 | * sysext: before applying a sysext, do a superficial validation run so that | |
877 | things are not rearranged to wildy. I.e. protect against accidental fuckups, | |
878 | such as masking out /usr/lib/ or so. We should probably refuse if existing | |
879 | inodes are replaced by other types of inodes or so. | |
880 | ||
af11e0ef LP |
881 | * userdb: when synthesizing NSS records, pick "best" password from defined |
882 | passwords, not just the first. i.e. if there are multiple defined, prefer | |
883 | unlocked over locked and prefer non-empty over empty. | |
884 | ||
885 | * maybe add a tool inspired by the GPT auto discovery spec that runs in the | |
886 | initrd and rearranges the rootfs hierarchy via bind mounts, if | |
887 | enabled. Specifically in some top-level dir /@auto/ it will look for | |
888 | dirs/symlinks/subvolumes that are named after their purpose, and optionally | |
889 | encode a version as well as assessment counters, and then mount them into the | |
890 | file system tree to boot into, similar to how we do that for the gpt auto | |
891 | logic. Maybe then bind mount the original root into /.superior or something | |
892 | like that (so that update tools can look there). Further discussion in this | |
893 | thread: | |
894 | https://lists.freedesktop.org/archives/systemd-devel/2021-November/047059.html | |
895 | The GPT dissection logic should automatically enable this tool whenever we | |
896 | detect a specially marked root fs (i.e introduce a new generic root gpt type | |
897 | for this, that is arch independent). The also implement this in the image | |
898 | dissection logic, so that nspawn/RootImage= and so on grok it. Maybe make | |
899 | generic enough so that it can also work for ostrees arrangements. | |
900 | ||
901 | * if a path ending in ".auto.d/" is set for RootDirectory=/RootImage= then do a | |
902 | strverscmp() of everything inside that dir and use that. i.e. implement very | |
903 | simple version control. Also use this in systemd-nspawn --image= and so on. | |
904 | ||
905 | * homed: while a home dir is not activated generate slightly different NSS | |
906 | records for it, that reports the home dir as "/" and the shell as some binary | |
907 | provided by us. Then, when an SSH login happens and SSH permits it our binary | |
908 | is invoked. This binary can then talk to homed and activate the homedir if | |
909 | it's not around yet, prompting the user for a password. Once that succeeded | |
910 | we'll switch to the real user record, i.e. home dir and shell, and our tool | |
911 | exec()s the latter. Net effect: ssh'ing into a homed account will just work: | |
912 | we'll neatly prompt for the homedir's password if its needed. –– Building on | |
913 | this we could take this even further: since this tool will potentially have | |
914 | access to the client's ssh-agent (if ssh-agent forwarding is enabled) we | |
915 | could implement SSH unlocking of a homedir with that: when enrolling a new | |
916 | ssh pubkey in a user record we'd ask the ssh-agent to sign some random value | |
917 | with the privkey, then use that as luks key to unlock the home dir. Will not | |
918 | work for ECDSA keys since their signatures contain a random component, but | |
919 | will work for RSA and Ed25519 keys. | |
920 | ||
bb5464ad LP |
921 | * add tiny service that decrypts encrypted user records passed via initrd |
922 | credential logic and drops them into /run where nss-systemd can pick them up, | |
923 | similar to /run/host/userdb/. Usecase: drop a root user JSON record there, | |
924 | and use it in the initrd to log in as root with locally selected password, | |
11b957b5 LP |
925 | for debugging purposes. Other usecase: boot into qemu with regular user |
926 | mounted from host. maybe put this in systemd-user-sessions.service? | |
bb5464ad LP |
927 | |
928 | * drop dependency on libcap, replace by direct syscalls based on | |
929 | CapabilityQuintet we already have. (This likely allows us drop drop libcap | |
930 | dep in the base OS image) | |
931 | ||
932 | * sysext: automatically activate sysext images dropped in via new sd-stub | |
c0a74f62 | 933 | sysext pickup logic. (must insist on verity + signature on those though) |
bb5464ad LP |
934 | |
935 | * add concept for "exitrd" as inverse of "initrd", that we can transition to at | |
936 | shutdown, and has similar security semantics. This should then take the place | |
937 | of dracut's shutdown logic. Should probably support sysexts too. Care needs | |
938 | to be taken that the resulting logic ends up in RAM, i.e. is copied out of | |
939 | on-disk storage. | |
940 | ||
a07ab1dd LP |
941 | * userdbd: implement an additional varlink service socket that provides the |
942 | host user db in restricted form, then allow this to be bind mounted into | |
943 | sandboxed environments that want the host database in minimal form. All | |
944 | records would be stripped of all meta info, except the basic UID/name | |
945 | info. Then use this in portabled environments that do not use PrivateUsers=1. | |
946 | ||
a5bf435e LP |
947 | * logind introduce two types of sessions: "heavy" and "light". The former would |
948 | be our current sessions. But the latter would be a new type of session that | |
949 | is mostly the same but does not pull in user@.service or wait for it. Then, | |
950 | allow configuration which type of session is desired via pam_systemd | |
951 | parameters, and then make user@.service's session one of these "light" ones. | |
952 | People could then choose to make FTP sessions and suchlike "light" if they | |
953 | don't want the service manager to be started for that. | |
954 | ||
da3ab57c LP |
955 | * /etc/veritytab: allow that the roothash column can be specified as fs path |
956 | including a path to an AF_UNIX path, similar to how we do things with the | |
957 | keys of /etc/crypttab. That way people can store/provide the roothash | |
958 | externally and provide to us on demand only. | |
959 | ||
636c8a1f LP |
960 | * add high-level lockdown level for GPT dissection logic: e.g. an enum that can |
961 | be ANY (to mount anything), TRUSTED (to require that /usr is on signed | |
962 | verity, but rest doesn't matter), LOCKEDDOWN (to require that everything is | |
963 | on signed verity, except for ESP), SUPERLOCKDOWN (like LOCKEDDOWN but ESP not | |
964 | allowed). And then maybe some flavours of that that declare what is expected | |
965 | from home/srv/var… Then, add a new cmdline flag to all tools that parse such | |
966 | images, to configure this. Also, add a kernel cmdline option for this, to be | |
967 | honoured by the gpt auto generator. | |
968 | ||
4e0ceefe LP |
969 | Alternative idea: add "systemd.gpt_auto_policy=rhvs" to allow gpt-auto to |
970 | only mount root dir, /home/ dir, /var/ and /srv/, but nothing else. And then | |
971 | minor extension to this, insisting on encryption, for example | |
af3d3873 | 972 | "systemd.gpt_auto_policy=r+v+h" to require encryption for root and var but not |
4e0ceefe LP |
973 | for /home/, and similar. Similar add --image-dissect-policy= to tools that |
974 | take --image= that take the same short string. | |
975 | ||
636c8a1f LP |
976 | * nspawn: maybe optionally insert .nspawn file as GPT partition into images, so |
977 | that such container images are entirely stand-alone and can be updated as | |
978 | one. | |
979 | ||
3fc0688d | 980 | * we probably should extend the root verity hash of the root fs into some PCR |
7dad7811 LP |
981 | on boot. (i.e. maybe add a veritytab option tpm2-measure=12 or so to measure |
982 | it into PCR 12); Similar: we probably should extend the LUKS volume key of | |
983 | the root fs into some PCR on boot. (i.e. maybe add a crypttab option | |
984 | tpm2-measure=15 or so to measure it into PCR 15); once both are in place | |
985 | update gpt-auto-discovery to generate these by default for the partitions it | |
986 | discovers. Static vendor stuff should probably end up in PCR 12 (i.e. the | |
987 | verity hash), with local keys in PCR 15 (i.e. the encryption volume | |
988 | key). That way, we nicely distinguish resources supplied by the OS vendor | |
989 | (i.e. sysext, root verity) from those inherently local (i.e. encryption key), | |
990 | which is useful if they shall be signed separately. | |
3fc0688d LP |
991 | |
992 | * add a "policy" to the dissection logic. i.e. a bit mask what is OK to mount, | |
993 | what must be read-only, what requires encryption, and what requires | |
994 | authentication. | |
995 | ||
c0a74f62 LP |
996 | * in uefi stub: query firmware regarding which PCR banks are being used, store |
997 | that in EFI var. then use this when enrolling TPM2 in cryptsetup to verify | |
998 | that the selected PCRs actually are used by firmware. | |
f4529c4d | 999 | |
322b3b38 LP |
1000 | * rework recursive read-only remount to use new mount API |
1001 | ||
63a185dc | 1002 | * PAM: pick up authentication token from credentials |
9a6549f6 | 1003 | |
9a6549f6 LP |
1004 | * when mounting disk images: if IMAGE_ID/IMAGE_VERSION is set in os-release |
1005 | data in the image, make sure the image filename actually matches this, so | |
1006 | that images cannot be misused. | |
1007 | ||
aca8ecc3 | 1008 | * New udev block device symlink names: |
178d3ff2 | 1009 | /dev/disk/by-parttypelabel/<pttype>-<ptlabel>. Use case: if pt label is used |
aca8ecc3 LP |
1010 | as partition image version string, this is a safe way to reference a specific |
1011 | version of a specific partition type, in particular where related partitions | |
1012 | are processed (e.g. verity + rootfs both named "LennartOS_0.7"). | |
1013 | ||
178d3ff2 LP |
1014 | * sysupdate: |
1015 | - add fuzzing to the pattern parser | |
1016 | - support casync as download mechanism | |
178d3ff2 LP |
1017 | - "systemd-sysupdate update --all" support, that iterates through all components |
1018 | defined on the host, plus all images installed into /var/lib/machines/, | |
1019 | /var/lib/portable/ and so on. | |
1020 | - figure out what to do about system extensions (i.e. they need to imply an | |
1021 | update component, since otherwise system extenion' sysupdate.d/ files would | |
1022 | override the host's update files.) | |
1023 | - Allow invocation with a single transfer definition, i.e. with | |
1024 | --definitions= pointing to a file rather than a dir. | |
1025 | - add ability to disable implicit decompression of downloaded artifacts, | |
1026 | i.e. a Compress=no option in the transfer definitions | |
1027 | ||
cf2ab2e7 LP |
1028 | * in sd-id128: also parse UUIDs in RFC4122 URN syntax (i.e. chop off urn:uuid: prefix) |
1029 | ||
31892e8d LP |
1030 | * DynamicUser= + StateDirectory= → use uid mapping mounts, too, in order to |
1031 | make dirs appear under right UID. | |
1032 | ||
f3e58b55 LP |
1033 | * systemd-sysext: optionally, run it in initrd already, before transitioning |
1034 | into host, to open up possibility for services shipped like that. | |
1035 | ||
49bd547b LP |
1036 | * maybe add a tool that displays most recent journal logs as QR code to scan |
1037 | off screen and run it automatically on boot failures, emergency logs and | |
1038 | such. Use DRM APIs directly, see | |
1039 | https://github.com/dvdhrm/docs/blob/master/drm-howto/modeset.c for an example | |
1040 | for doing that. | |
1041 | ||
24063ba1 | 1042 | * introduce /dev/disk/root/* symlinks that allow referencing partitions on the |
f3e58b55 LP |
1043 | disk the rootfs is on in a reasonably secure way. (or maybe: add |
1044 | /dev/gpt-auto-{home,srv,boot,…} similar in style to /dev/gpt-auto-root as we | |
1045 | already have it. | |
24063ba1 | 1046 | |
7ed72cfa LP |
1047 | * whenever we receive fds via SCM_RIGHTS make sure none got dropped due to the |
1048 | reception limit the kernel silently enforces. | |
1049 | ||
66e52d22 LP |
1050 | * add an Open= setting to service unit files that can open arbitrary file |
1051 | system paths at service startup time and pass them to the service process via | |
1052 | our usual socket activation protocol. If passed path refers to AF_UNIX | |
1053 | socket: connect() to it. | |
1054 | ||
256cfb71 LP |
1055 | * Similar, ConnectStream= which takes IP addresses and connects to them. |
1056 | ||
1057 | * Similar, Load= which takes literal data in text or base64 format, and puts it | |
1058 | into a memfd, and passes that. This enables some fun stuff, such as embedding | |
1059 | bash scripts in unit files, by combining Load= with ExecStart=/bin/bash | |
1060 | /proc/self/fd/3 | |
1061 | ||
66e52d22 LP |
1062 | * add a ConnectSocket= setting to service unit files, that may reference a |
1063 | socket unit, and which will connect to the socket defined therein, and pass | |
1064 | the resulting fd to the service program via socket activation proto. | |
1065 | ||
1066 | * Add a concept of ListenStream=anonymous to socket units: listen on a socket | |
1067 | that is deleted in the fs. Usecase would be with ConnectSocket= above. | |
1068 | ||
14f7d087 LP |
1069 | * importd: support image signature verification with PKCS#7 + OpenBSD signify |
1070 | logic, as alternative to crummy gpg | |
1071 | ||
9786ba13 LP |
1072 | * add "systemd-analyze debug" + AttachDebugger= in unit files: The former |
1073 | specifies a command to execute; the latter specifies that an already running | |
1074 | "systemd-analyze debug" instance shall be contacted and execution paused | |
1075 | until it gives an OK. That way, tools like gdb or strace can be safely be | |
1076 | invoked on processes forked off PID 1. | |
1077 | ||
38abd1bf LP |
1078 | * expose MS_NOSYMFOLLOW in various places |
1079 | ||
199b097d | 1080 | * credentials system: |
199b097d LP |
1081 | - acquire from EFI variable? |
1082 | - acquire via via ask-password? | |
1083 | - acquire creds via keyring? | |
1084 | - pass creds via keyring? | |
1085 | - pass creds via memfd? | |
1086 | - acquire + decrypt creds from pkcs11? | |
1087 | - make systemd-cryptsetup acquire pw via creds logic | |
1088 | - make PAMName= acquire pw via creds logic | |
1089 | - make macsec/wireguard code in networkd read key via creds logic | |
1090 | - make gatwayd/remote read key via creds logic | |
1091 | - add sd_notify() command for flushing out creds not needed anymore | |
1f066ce2 LB |
1092 | - make user manager instances create and use a user-specific key (the one in |
1093 | /var/lib is root-only) and add --user switch to systemd-creds to use it | |
199b097d | 1094 | |
199b097d LP |
1095 | * add tpm.target or so which is delayed until TPM2 device showed up in case |
1096 | firmware indicates there is one. | |
07eabc2b | 1097 | |
07eabc2b LB |
1098 | * TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades |
1099 | and such | |
1100 | ||
1101 | * introduce a new group to own TPM devices | |
80670e74 | 1102 | |
80670e74 LP |
1103 | * cyptsetup: add option for automatically removing empty password slot on boot |
1104 | ||
7d7c75f1 | 1105 | * cryptsetup: optionally, when run during boot-up and password is never |
80670e74 LP |
1106 | entered, and we are on battery power (or so), power off machine again |
1107 | ||
80670e74 LP |
1108 | * cryptsetup: when waiting for FIDO2/PKCS#11 token, tell plymouth that, and |
1109 | allow plymouth to abort the waiting and enter pw instead | |
7d7c75f1 | 1110 | |
07eabc2b LB |
1111 | * make cryptsetup lower --iter-time |
1112 | ||
1113 | * cryptsetup: allow encoding key directly in /etc/crypttab, maybe with a | |
1114 | "base64:" prefix. Useful in particular for pkcs11 mode. | |
1115 | ||
1116 | * cryptsetup: reimplement the mkswap/mke2fs in cryptsetup-generator to use | |
1117 | systemd-makefs.service instead. | |
1118 | ||
1119 | * cryptsetup: | |
1120 | - cryptsetup-generator: allow specification of passwords in crypttab itself | |
1121 | - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator | |
1122 | ||
7d7c75f1 LP |
1123 | * when configuring loopback netif, and it fails due to EPERM, eat up error if |
1124 | it happens to be set up alright already. | |
1125 | ||
1126 | * at boot: check if battery above some threshold, if not power off again after explanation | |
1127 | ||
1128 | * userdb: add field for ambient caps, so that a user can have CAP_WAKE_ALARM | |
1129 | for example. And add code that resets ambient caps for all services by | |
1130 | default. | |
1131 | ||
ff640bd2 LP |
1132 | * sd-bus: when connecting to some dbus server socker, set originating AF_UNIX |
1133 | socket name in abstract namespace to include "description" string, and pick | |
1134 | it up from there in sd_bus_creds logic. i.e. we can use the socket peer | |
1135 | address as conduit for some minimal connection metainfo, and use it to | |
1136 | restore the "description" logic that kdbus used to have. | |
1137 | ||
08d33656 | 1138 | * systemd-analyze netif that explains predictable interface (or networkctl) |
d775d8e6 | 1139 | |
816d460a LP |
1140 | * Add service setting to run a service within the specified VRF. i.e. do the |
1141 | equivalent of "ip vrf exec". | |
1142 | ||
e59d030f LP |
1143 | * change SwitchRoot() implementation in PID 1 to use pivot_root(".", "."), as |
1144 | documented in the pivot_root(2) man page, so that we can drop the /oldroot | |
1145 | temporary dir. | |
1146 | ||
1147 | * special case some calls of chase_symlinks() to use openat2() internally, so | |
1148 | that the kernel does what we otherwise do. | |
1149 | ||
6dbfbc46 LB |
1150 | * add a new flag to chase_symlinks() that stops chasing once the first missing |
1151 | component is found and then allows the caller to create the rest. | |
1152 | ||
fc733bed LP |
1153 | * make use of new glibc 2.32 APIs sigabbrev_np() and strerrorname_np(). |
1154 | ||
effefa30 LP |
1155 | * if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it |
1156 | ||
f1eb0ccd LP |
1157 | * pid1: Move to tracking of main pid/control pid of units per pidfd |
1158 | ||
1159 | * pid1: support new clone3() fork-into-cgroup feature | |
1160 | ||
7cc8fb3e LP |
1161 | * pid1: also remove PID files of a service when the service starts, not just |
1162 | when it exits | |
1163 | ||
cdfd8537 LP |
1164 | * make us use dynamically fewer deps for containers in general purpose distros: |
1165 | o turn into dlopen() deps: | |
cdfd8537 LP |
1166 | - p11-kit-trust (always) |
1167 | - kmod-libs (only when called from PID 1) | |
a52dc0b6 | 1168 | - libblkid (only in RootImage= handling in PID 1, but not elsewhere) |
cdfd8537 LP |
1169 | - libpam (only when called from PID 1) |
1170 | - bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are, | |
1171 | since they are so basic and our defaults) | |
1172 | o move into separate libsystemd-shared-iptables.so .so | |
1173 | - iptables-libs (only used by nspawn + networkd) | |
1174 | ||
77169ed0 LP |
1175 | * seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can. |
1176 | Apparently kernel performance is much better with fewer larger seccomp | |
1177 | filters than with more smaller seccomp filters. | |
1178 | ||
bfafec25 LP |
1179 | * systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum, |
1180 | mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such | |
1181 | ||
a6e1018d | 1182 | * All tools that support --root= should also learn --image= so that they can |
d5bf74f9 LB |
1183 | operate on disk images directly. Specifically: systemctl, coredumpctl. |
1184 | (Already done: bootctl, systemd-nspawn, systemd-firstboot, | |
612d3a68 | 1185 | systemd-repart, systemd-tmpfiles, systemd-sysusers, journalctl) |
a6e1018d | 1186 | |
112bed84 LP |
1187 | * seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out |
1188 | ||
1189 | * seccomp: don't install filters for ABIs that are masked anyway for the | |
1190 | specific service | |
1191 | ||
cbe952fe LP |
1192 | * busctl: maybe expose a verb "ping" for pinging a dbus service to see if it |
1193 | exists and responds. | |
1194 | ||
b47261e5 LP |
1195 | * Maybe add a separate GPT partition type to the discoverable partition spec |
1196 | for "hibernate" partitions, that are exactly like swap partitions but only | |
1197 | activated right before hibernation and thus never used for regular swapping. | |
1198 | ||
91fc013f | 1199 | * socket units: allow creating a udev monitor socket with ListenDevices= or so, |
86b52a39 | 1200 | with matches, then activate app through that passing socket over |
91fc013f | 1201 | |
7e8facb3 | 1202 | * unify on openssl: |
070f7370 LB |
1203 | - kill gnutls support in resolved |
1204 | - figure out what to do about libmicrohttpd, which has a hard dependency on | |
1205 | gnutls | |
1206 | - port fsprg over to a dlopen lib, then switch it to openssl | |
492f91d8 | 1207 | |
492f91d8 LP |
1208 | * add growvol and makevol options for /etc/crypttab, similar to |
1209 | x-systemd.growfs and x-systemd-makefs. | |
1210 | ||
77b19caf LP |
1211 | * userdb: allow username prefix searches in varlink API, allow realname and |
1212 | realname substr searches in varlink API | |
006c44c1 | 1213 | |
76410e98 LP |
1214 | * userdb: allow uid/gid range checks |
1215 | ||
2a4be3c5 | 1216 | * userdb: allow existence checks |
006c44c1 | 1217 | |
f1eb0ccd | 1218 | * pid1: activation by journal search expression |
006c44c1 | 1219 | |
492f91d8 LP |
1220 | * when switching root from initrd to host, set the machine_id env var so that |
1221 | if the host has no machine ID set yet we continue to use the random one the | |
1222 | initrd had set. | |
1223 | ||
173c7873 | 1224 | * sd-event: add native support for P_ALL waitid() watching, then move PID 1 to |
84a1ff94 | 1225 | it for reaping assigned but unknown children. This needs to some special care |
173c7873 LP |
1226 | to operate somewhat sensibly in light of priorities: P_ALL will return |
1227 | arbitrary processes, regardless of the priority we want to watch them with, | |
1228 | hence on each event loop iteration check all processes which we shall watch | |
1229 | with higher prio explicitly, and then watch the entire rest with P_ALL. | |
1230 | ||
1231 | * tweak sd-event's child watching: keep a prioq of children to watch and use | |
1232 | waitid() only on the children with the highest priority until one is waitable | |
1233 | and ignore all lower-prio ones from that point on | |
1234 | ||
173c7873 LP |
1235 | * maybe introduce xattrs that can be set on the root dir of the root fs |
1236 | partition that declare the volatility mode to use the image in. Previously I | |
1237 | thought marking this via GPT partition flags but that's not ideal since | |
1238 | that's outside of the LUKS encryption/verity verification, and we probably | |
1239 | shouldn't operate in a volatile mode unless we got told so from a trusted | |
1240 | source. | |
1241 | ||
97e5cc88 LP |
1242 | * coredump: maybe when coredumping read a new xattr from /proc/$PID/exe that |
1243 | may be used to mark a whole binary as non-coredumpable. Would fix: | |
1244 | https://bugs.freedesktop.org/show_bug.cgi?id=69447 | |
1245 | ||
f3e361c1 LP |
1246 | * teach parse_timestamp() timezones like the calendar spec already knows it |
1247 | ||
9ef3376b LP |
1248 | * beef up hibernation to optionally do swapon/swapoff immediately before/after |
1249 | the hibernation | |
1250 | ||
c846b233 LP |
1251 | * beef up s2h to implement a battery watch loop: instead of entering |
1252 | hibernation unconditionally after coming back from resume make a decision | |
1253 | based on the battery load level: if battery level is above a specific | |
1254 | threshold, go to suspend again, only hibernate if below it. This means we'd | |
1255 | stick to suspend usually, but fall back to hibernation only when battery runs | |
1256 | empty (well, subject to our sampling interval). Related to this, check if we | |
1257 | can make ACPI _BTP (i.e. /sys/class/power_supply/*/alarm) work for us too, | |
1258 | i.e. see if it can wake up machines from suspend, so that we could resume | |
1259 | automatically when the system is low on power and move automatically to | |
1260 | hibernation mode. (see | |
1261 | https://uefi.org/sites/default/files/resources/ACPI%206_2_A_Sept29.pdf | |
1262 | section 10.2.2.8 and | |
1263 | https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby-wake-sources | |
1264 | at the end). | |
1265 | ||
6fe23ff3 LB |
1266 | * We should probably replace /etc/rc.d/README with a symlink to doc |
1267 | content. After all it is constant vendor data. | |
9c230b8f | 1268 | |
c6526b8d | 1269 | * maybe add kernel cmdline params: to force random seed crediting |
312dc153 | 1270 | |
ac5dca64 LP |
1271 | * introduce a new per-process uuid, similar to the boot id, the machine id, the |
1272 | invocation id, that is derived from process creds, specifically a hashed | |
1273 | combination of AT_RANDOM + getpid() + the starttime from | |
1274 | /proc/self/status. Then add these ids implicitly when logging. Deriving this | |
1275 | uuid from these three things has the benefit that it can be derived easily | |
1276 | from /proc/$PID/ in a stable, and unique way that changes on both fork() and | |
1277 | exec(). | |
1278 | ||
1279 | * let's not GC a unit while its ratelimits are still pending | |
1280 | ||
5daeeecf LP |
1281 | * when killing due to service watchdog timeout maybe detect whether target |
1282 | process is under ptracing and then log loudly and continue instead. | |
1283 | ||
5802d977 LP |
1284 | * make rfkill uaccess controllable by default, i.e. steal rule from |
1285 | gnome-bluetooth and friends | |
1286 | ||
03ccc7f0 LP |
1287 | * make MAINPID= message reception checks even stricter: if service uses User=, |
1288 | then check sending UID and ignore message if it doesn't match the user or | |
1289 | root. | |
1290 | ||
1291 | * maybe trigger a uevent "change" on a device if "systemctl reload xyz.device" | |
1292 | is issued. | |
1293 | ||
db3cea22 LP |
1294 | * when importing an fs tree with machined, optionally apply userns-rec-chown |
1295 | ||
1296 | * when importing an fs tree with machined, complain if image is not an OS | |
1297 | ||
707b3fbd LP |
1298 | * Maybe introduce a helper safe_exec() or so, which is to execve() which |
1299 | safe_fork() is to fork(). And then make revert the RLIMIT_NOFILE soft limit | |
1300 | to 1K implicitly, unless explicitly opted-out. | |
d7b659ef | 1301 | |
d238709c | 1302 | * rework seccomp/nnp logic that even if User= is used in combination with |
d96c081a LP |
1303 | a seccomp option we don't have to set NNP. For that, change uid first whil |
1304 | keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap. | |
1305 | ||
8a7cf157 LP |
1306 | * when no locale is configured, default to UEFI's PlatformLang variable |
1307 | ||
d96c081a LP |
1308 | * add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and |
1309 | usefaultd() and make systemd-analyze check for it. | |
1310 | ||
06898123 | 1311 | * paranoia: whenever we process passwords, call mlock() on the memory |
309c6b19 | 1312 | first. i.e. look for all places we use free_and_erasep() and |
9ae4ef49 | 1313 | augment them with mlock(). Also use MADV_DONTDUMP. |
8b213bf1 | 1314 | Alternatively (preferably?) use memfd_secret(). |
06898123 | 1315 | |
32875617 LP |
1316 | * Move RestrictAddressFamily= to the new cgroup create socket |
1317 | ||
76853293 LP |
1318 | * maybe implicitly attach monotonic+realtime timestamps to outgoing messages in |
1319 | log.c and sd-journal-send | |
1320 | ||
06898123 LP |
1321 | * optionally: turn on cgroup delegation for per-session scope units |
1322 | ||
d3aeddb8 LP |
1323 | * introduce per-unit (i.e. per-slice, per-service) journal log size limits. |
1324 | ||
42e18088 LP |
1325 | * sd-boot: optionally, show boot menu when previous default boot item has |
1326 | non-zero "tries done" count | |
1327 | ||
8f2eb730 LP |
1328 | * augment CODE_FILE=, CODE_LINE= with something like CODE_BASE= or so which |
1329 | contains some identifier for the project, which allows us to include | |
1330 | clickable links to source files generating these log messages. The identifier | |
1331 | could be some abberviated URL prefix or so (taking inspiration from Go | |
1332 | imports). For example, for systemd we could use | |
1333 | CODE_BASE=github.com/systemd/systemd/blob/98b0b1123cc or so which is | |
1334 | sufficient to build a link by prefixing "http://" and suffixing the | |
1335 | CODE_FILE. | |
1336 | ||
8f2eb730 LP |
1337 | * Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can |
1338 | make clickable links from log messages carrying a MESSAGE_ID, that lead to | |
1339 | some explanatory text online. | |
1340 | ||
7bd4bcf7 LP |
1341 | * maybe extend .path units to expose fanotify() per-mount change events |
1342 | ||
bb527e11 LP |
1343 | * When reloading configuration PID 1 should reset all its properties to the |
1344 | original defaults before calling parse_config() | |
1345 | ||
c633b0a6 LP |
1346 | * hibernate/s2h: make this robust and safe to enable in Fedora by default. |
1347 | Specifically: | |
1348 | ||
1349 | 1. add resume_offset support to the resume code (i.e. support swap files | |
1350 | properly) | |
e83419d0 | 1351 | 2. check if swap is on weird storage and refuse if so |
46c41478 | 1352 | 3. add auto-detection of hibernation images |
c633b0a6 | 1353 | |
070d0ac9 LP |
1354 | * cgroups: use inotify to get notified when somebody else modifies cgroups |
1355 | owned by us, then log a friendly warning. | |
1356 | ||
e44924f5 LP |
1357 | * beef up log.c with support for stripping ANSI sequences from strings, so that |
1358 | it is OK to include them in log strings. This would be particularly useful so | |
1359 | that our log messages could contain clickable links for example for unit | |
1360 | files and suchlike we operate on. | |
070d0ac9 | 1361 | |
07eabc2b LB |
1362 | * importd: add ability download images for portabled + sysext |
1363 | ||
8c4c2dfc LP |
1364 | * add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration) |
1365 | ||
8c4c2dfc LP |
1366 | * sync dynamic uids/gids between host+portable srvice (i.e. if DynamicUser=1 is set for a service, make sure that the |
1367 | selected user is resolvable in the service even if it ships its own /etc/passwd) | |
1368 | ||
5da19043 | 1369 | * Fix DECIMAL_STR_MAX or DECIMAL_STR_WIDTH. One includes a trailing NUL, the |
63a185dc | 1370 | other doesn't. What a disaster. Probably to exclude it. |
5da19043 | 1371 | |
16270697 LP |
1372 | * Check that users of inotify's IN_DELETE_SELF flag are using it properly, as |
1373 | usually IN_ATTRIB is the right way to watch deleted files, as the former only | |
1374 | fires when a file is actually removed from disk, i.e. the link count drops to | |
1375 | zero and is not open anymore, while the latter happens when a file is | |
1376 | unlinked from any dir. | |
1377 | ||
bd1b3f75 | 1378 | * port systemctl, busctl, … over to format-table.[ch]'s table formatters |
5da19043 | 1379 | |
7bc756ff LP |
1380 | * pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up |
1381 | ||
1382 | * add --vacuum-xyz options to coredumpctl, matching those journalctl already has. | |
1383 | ||
53c70a27 LP |
1384 | * introduce Ephemeral= unit file switch, that creates an ephemeral copy of all |
1385 | files and directories that are left writable for a unit, and which are | |
1386 | removed after the unit goes down again. A bit like --ephemeral for | |
1387 | systemd-nspawn but for system services. If used together with RootImage= this | |
1388 | should reflink the image file itself. | |
1389 | ||
1390 | Related: add Ephemeral=<path1> <path2> … which would allow marking | |
1391 | specific paths only like this. | |
1392 | ||
53c70a27 | 1393 | * add CopyFile= or so as unit file setting that may be used to copy files or |
5238e957 | 1394 | directory trees from the host to the services RootImage= and RootDirectory= |
53c70a27 LP |
1395 | environment. Which we can use for /etc/machine-id and in particular |
1396 | /etc/resolv.conf. Should be smart and do something useful on read-only | |
2aed63f4 | 1397 | images, for example fall back to read-only bind mounting the file instead. |
53c70a27 | 1398 | |
d9b50610 LP |
1399 | * show invocation ID in systemd-run output |
1400 | ||
1401 | * bypass SIGTERM state in unit files if KillSignal is SIGKILL | |
1402 | ||
9711b1ad LP |
1403 | * add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1 |
1404 | and so on, which would mean we could report errors and such. | |
1405 | ||
6b7b0f39 LP |
1406 | * introduce DefaultSlice= or so in system.conf that allows changing where we |
1407 | place our units by default, i.e. change system.slice to something | |
1408 | else. Similar, ManagerSlice= should exist so that PID1's own scope unit could | |
1409 | be moved somewhere else too. Finally machined and logind should get similar | |
1410 | options so that it is possible to move user session scopes and machines to a | |
1411 | different slice too by default. Usecase: people who want to put resources on | |
1412 | the entire system, with the exception of one specific service. See: | |
1413 | https://lists.freedesktop.org/archives/systemd-devel/2018-February/040369.html | |
1414 | ||
aa79f932 LP |
1415 | * maybe rework get_user_creds() to query the user database if $SHELL is used |
1416 | for root, but only then. | |
586a8e93 | 1417 | |
46099c9e LP |
1418 | * be stricter with fds we receive for the fdstore: close them asynchronously |
1419 | ||
46099c9e LP |
1420 | * calenderspec: add support for week numbers and day numbers within a |
1421 | year. This would allow us to define "bi-weekly" triggers safely. | |
1422 | ||
c3cd7cc9 LP |
1423 | * sd-bus: add vtable flag, that may be used to request client creds implicitly |
1424 | and asynchronously before dispatching the operation | |
1425 | ||
d0e5db44 ZJS |
1426 | * sd-bus: parse addresses given in sd_bus_set_addresses immediately and not |
1427 | only when used. Add unit tests. | |
1428 | ||
06345858 LP |
1429 | * make use of ethtool veth peer info in machined, for automatically finding out |
1430 | host-side interface pointing to the container. | |
1431 | ||
48f1b5e5 LP |
1432 | * add some special mode to LogsDirectory=/StateDirectory=… that allows |
1433 | declaring these directories without necessarily pulling in deps for them, or | |
1434 | creating them when starting up. That way, we could declare that | |
1435 | systemd-journald writes to /var/log/journal, which could be useful when we | |
1436 | doing disk usage calculations and so on. | |
1437 | ||
899feb72 | 1438 | * deprecate RootDirectoryStartOnly= in favour of a new ExecStart= prefix char |
c6009ff0 | 1439 | |
3d80d454 LP |
1440 | * add a new RuntimeDirectoryPreserve= mode that defines a similar lifecycle for |
1441 | the runtime dir as we maintain for the fdstore: i.e. keep it around as long | |
1442 | as the unit is running or has a job queued. | |
1443 | ||
5f7ecd61 | 1444 | * support projid-based quota in machinectl for containers |
5962e9db | 1445 | |
17b6f896 LP |
1446 | * add a way to lock down cgroup migration: a boolean, which when set for a unit |
1447 | makes sure the processes in it can never migrate out of it | |
1448 | ||
17b6f896 LP |
1449 | * blog about fd store and restartable services |
1450 | ||
1451 | * document Environment=SYSTEMD_LOG_LEVEL=debug drop-in in debugging document | |
1452 | ||
370f9c21 LP |
1453 | * rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its |
1454 | magic meaning and is no longer upgraded to something else if set explicitly. | |
1455 | ||
17b6f896 LP |
1456 | * in the long run: permit a system with /etc/machine-id linked to /dev/null, to |
1457 | make it lose its identity, i.e. be anonymous. For this we'd have to patch | |
1458 | through the whole tree to make all code deal with the case where no machine | |
1459 | ID is available. | |
1460 | ||
1461 | * optionally, collect cgroup resource data, and store it in per-unit RRD files, | |
1462 | suitable for processing with rrdtool. Add bus API to access this data, and | |
1463 | possibly implement a CPULoad property based on it. | |
1464 | ||
e7e4a258 LP |
1465 | * beef up pam_systemd to take unit file settings such as cgroups properties as |
1466 | parameters | |
1467 | ||
63a185dc | 1468 | * maybe hook up xfs/ext4 quotactl() with services? i.e. automatically manage |
d51c4fca | 1469 | the quota of the user indicated in User= via unit file settings, like the |
5962e9db LP |
1470 | other resource management concepts. Would mix nicely with DynamicUser=1. Or |
1471 | alternatively, do this with projids, so that we can also cover services | |
1472 | running as root. Quota should probably cover all the special dirs such as | |
1473 | StateDirectory=, LogsDirectory=, CacheDirectory=, as well as RootDirectory= if it | |
1474 | is set, plus the whole disk space any image configured with RootImage=. | |
6fc373ee | 1475 | |
9a92a97a LP |
1476 | * In DynamicUser= mode: before selecting a UID, use disk quota APIs on relevant |
1477 | disks to see if the UID is already in use. | |
1478 | ||
fa991fb7 LP |
1479 | * expose IO accounting data on the bus, show it in systemd-run --wait and log |
1480 | about it in the resource log message | |
1481 | ||
d73b607d LP |
1482 | * Add AddUser= setting to unit files, similar to DynamicUser=1 which however |
1483 | creates a static, persistent user rather than a dynamic, transient user. We | |
1484 | can leverage code from sysusers.d for this. | |
1485 | ||
fd63f36c LP |
1486 | * add some optional flag to ReadWritePaths= and friends, that has the effect |
1487 | that we create the dir in question when the service is started. Example: | |
1488 | ||
1489 | ReadWritePaths=:/var/lib/foobar | |
1490 | ||
f59d1da8 LP |
1491 | * Add ExecMonitor= setting. May be used multiple times. Forks off a process in |
1492 | the service cgroup, which is supposed to monitor the service, and when it | |
1493 | exits the service is considered failed by its monitor. | |
1494 | ||
33bac67b LP |
1495 | * track the per-service PAM process properly (i.e. as an additional control |
1496 | process), so that it may be queried on the bus and everything. | |
1497 | ||
1498 | * add a new "debug" job mode, that is propagated to unit_start() and for | |
1499 | services results in two things: we raise SIGSTOP right before invoking | |
1500 | execve() and turn off watchdog support. Then, use that to implement | |
1501 | "systemd-gdb" for attaching to the start-up of any system service in its | |
1502 | natural habitat. | |
1503 | ||
d1666bde LP |
1504 | * gpt-auto logic: support encrypted swap, add kernel cmdline option to force |
1505 | it, and honour a gpt bit about it, plus maybe a configuration file | |
8eb7383b | 1506 | |
b5bdbcd5 LP |
1507 | * add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and |
1508 | then use that for the setting used in user@.service. It should be understood | |
1509 | relative to the configured default value. | |
1510 | ||
d21494ea LP |
1511 | * enable LockMLOCK to take a percentage value relative to physical memory |
1512 | ||
04397464 | 1513 | * Permit masking specific netlink APIs with RestrictAddressFamily= |
d82047be | 1514 | |
d82047be LP |
1515 | * define gpt header bits to select volatility mode |
1516 | ||
42d61ded LP |
1517 | * ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc |
1518 | ||
04397464 | 1519 | * ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away) |
42d61ded | 1520 | |
04397464 | 1521 | * ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave) |
563a69f4 | 1522 | |
04397464 | 1523 | * ProtectKeyRing= to take keyring calls away |
2c5f2958 | 1524 | |
8ce9b83a | 1525 | * RemoveKeyRing= to remove all keyring entries of the specified user |
a46eac1b LP |
1526 | |
1527 | * ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill | |
1528 | on PID 1 with the relevant signals, and makes relevant files in /sys and | |
1529 | /proc (such as the sysrq stuff) unavailable | |
1530 | ||
88511a37 LB |
1531 | * Support ReadWritePaths/ReadOnlyPaths/InaccessiblePaths in systemd --user instances |
1532 | via the new unprivileged Landlock LSM (https://landlock.io) | |
1533 | ||
e40a326c | 1534 | * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things |
89f193fa | 1535 | |
8ce9b83a LP |
1536 | * in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set, |
1537 | find a way to map the User=/Group= of the service to the right name. This way | |
1538 | a user/group for a service only has to exist on the host for the right | |
1539 | mapping to work. | |
1540 | ||
2c5f2958 LP |
1541 | * add bus API for creating unit files in /etc, reusing the code for transient units |
1542 | ||
1543 | * add bus API to remove unit files from /etc | |
1544 | ||
1545 | * add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only) | |
1546 | ||
b8c7afdf LP |
1547 | * rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the |
1548 | kernel doesn't support linkat() that replaces existing files, currently) | |
1549 | ||
1e555cb5 LP |
1550 | * transient units: don't bother with actually setting unit properties, we |
1551 | reload the unit file anyway | |
1552 | ||
c8048350 LP |
1553 | * optionally, also require WATCHDOG=1 notifications during service start-up and shutdown |
1554 | ||
3d39e6e5 LP |
1555 | * cache sd_event_now() result from before the first iteration... |
1556 | ||
bd098bce LP |
1557 | * PID1: find a way how we can reload unit file configuration for |
1558 | specific units only, without reloading the whole of systemd | |
1559 | ||
f9bf1b8f | 1560 | * add an explicit parser for LimitRTPRIO= that verifies |
de7399eb | 1561 | the specified range and generates sane error messages for incorrect |
f9bf1b8f | 1562 | specifications. |
de7399eb | 1563 | |
3efc8c72 LP |
1564 | * when we detect that there are waiting jobs but no running jobs, do something |
1565 | ||
e6a26d8c LP |
1566 | * PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn) |
1567 | ||
a2088fd0 | 1568 | * there's probably something wrong with having user mounts below /sys, |
5238e957 | 1569 | as we have for debugfs. for example, src/core/mount.c handles mounts |
a2088fd0 | 1570 | prefixed with /sys generally special. |
41d6f3bf | 1571 | https://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html |
a2088fd0 | 1572 | |
8aa20381 LP |
1573 | * fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline |
1574 | ||
931bc195 | 1575 | * docs: bring https://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date |
b18d23d7 | 1576 | |
60d17b74 LP |
1577 | * add a job mode that will fail if a transaction would mean stopping |
1578 | running units. Use this in timedated to manage the NTP service | |
1579 | state. | |
41d6f3bf | 1580 | https://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html |
60d17b74 | 1581 | |
477e75ef LP |
1582 | * The udev blkid built-in should expose a property that reflects |
1583 | whether media was sensed in USB CF/SD card readers. This should then | |
1584 | be used to control SYSTEMD_READY=1/0 so that USB card readers aren't | |
1585 | picked up by systemd unless they contain a medium. This would mirror | |
1586 | the behaviour we already have for CD drives. | |
1587 | ||
c3a0d00d LP |
1588 | * hostnamectl: show root image uuid |
1589 | ||
d2f81fb0 | 1590 | * Find a solution for SMACK capabilities stuff: |
41d6f3bf | 1591 | https://lists.freedesktop.org/archives/systemd-devel/2014-December/026188.html |
98cd2651 | 1592 | |
0a86c1a9 | 1593 | * synchronize console access with BSD locks: |
41d6f3bf | 1594 | https://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html |
0a86c1a9 | 1595 | |
e031c227 | 1596 | * as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads: |
41d6f3bf | 1597 | https://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html |
0a86c1a9 | 1598 | |
8514b677 LP |
1599 | * figure out when we can use the coarse timers |
1600 | ||
8483d73f LP |
1601 | * maybe allow timer units with an empty Units= setting, so that they |
1602 | can be used for resuming the system but nothing else. | |
1603 | ||
25e773ee | 1604 | * what to do about udev db binary stability for apps? (raw access is not an option) |
b857e042 | 1605 | |
720652b3 | 1606 | * exponential backoff in timesyncd when we cannot reach a server |
42aeb14a | 1607 | |
720652b3 | 1608 | * timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM |
e25b5a8d | 1609 | |
563b1bdc LP |
1610 | * merge ~/.local/share and ~/.local/lib into one similar /usr/lib and /usr/share.... |
1611 | ||
6bd7941e TG |
1612 | * add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL |
1613 | (throughout the codebase, not only PID1) | |
1614 | ||
07eabc2b LB |
1615 | * drop nss-myhostname in favour of nss-resolve? |
1616 | ||
9d6db739 | 1617 | * resolved: |
9d6db739 | 1618 | - mDNS/DNS-SD |
ccc3e8a1 LP |
1619 | - service registration |
1620 | - service/domain/types browsing | |
0f47ed0a | 1621 | - avahi compat |
9d6db739 | 1622 | - DNS-SD service registration from socket units |
e25b5a8d DH |
1623 | - resolved should optionally register additional per-interface LLMNR |
1624 | names, so that for the container case we can establish the same name | |
1625 | (maybe "host") for referencing the server, everywhere. | |
720652b3 | 1626 | - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?) |
3efb871a | 1627 | - hook up resolved with machined-based address resolution |
3f77a1b1 | 1628 | |
e25b5a8d | 1629 | * refcounting in sd-resolve is borked |
e2a69298 | 1630 | |
a940778f LP |
1631 | * add new gpt type for btrfs volumes |
1632 | ||
3de03738 LP |
1633 | * generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them. |
1634 | ||
37efac5d LP |
1635 | * a way for container managers to turn off getty starting via $container_headless= or so... |
1636 | ||
7348b3ad LP |
1637 | * figure out a nice way how we can let the admin know what child/sibling unit causes cgroup membership for a specific unit |
1638 | ||
81429136 KS |
1639 | * For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services |
1640 | they run added to the initial transaction and thus confuse Type=idle. | |
e107ed18 | 1641 | |
edb2935c LP |
1642 | * add bus api to query unit file's X fields. |
1643 | ||
6a3f892a | 1644 | * gpt-auto-generator: |
2a781fc9 | 1645 | - Define new partition type for encrypted swap? Support probed LUKS for encrypted swap? |
6a3f892a | 1646 | - Make /home automount rather than mount? |
6a3f892a | 1647 | |
65026403 LP |
1648 | * add generator that pulls in systemd-network from containers when |
1649 | CAP_NET_ADMIN is set, more than the loopback device is defined, even | |
1650 | when it is otherwise off | |
f8901862 | 1651 | |
f9bf1b8f | 1652 | * MessageQueueMessageSize= (and suchlike) should use parse_iec_size(). |
eda8f067 | 1653 | |
af1082b0 LP |
1654 | * implement Distribute= in socket units to allow running multiple |
1655 | service instances processing the listening socket, and open this up | |
1656 | for ReusePort= | |
1657 | ||
f38afcd0 | 1658 | * cgroups: |
f38afcd0 | 1659 | - implement per-slice CPUFairScheduling=1 switch |
f38afcd0 LP |
1660 | - introduce high-level settings for RT budget, swappiness |
1661 | - how to reset dynamically changed unit cgroup attributes sanely? | |
1662 | - when reloading configuration, apply new cgroup configuration | |
1663 | - when recursively showing the cgroup hierarchy, optionally also show | |
1664 | the hierarchies of child processes | |
b8df7f86 ZJS |
1665 | - add settings for cgroup.max.descendants and cgroup.max.depth, |
1666 | maybe use them for user@.service | |
0bee65f0 | 1667 | |
f38afcd0 | 1668 | * transient units: |
f38afcd0 | 1669 | - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt |
ebcf1f97 | 1670 | |
718db961 LP |
1671 | * when we detect low battery and no AC on boot, show pretty splash and refuse boot |
1672 | ||
718db961 LP |
1673 | * libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops |
1674 | ||
966204e0 LP |
1675 | * be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1 |
1676 | ||
41644622 LP |
1677 | * rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it |
1678 | ||
7f79cd71 | 1679 | * After coming back from hibernation reset hibernation swap partition using the /dev/snapshot ioctl APIs |
0aafd43d | 1680 | |
19aadacf JE |
1681 | * If we try to find a unit via a dangling symlink, generate a clean |
1682 | error. Currently, we just ignore it and read the unit from the search | |
df5f6971 LP |
1683 | path anyway. |
1684 | ||
04397464 | 1685 | * refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up |
fcba531e | 1686 | |
bdeeb6b5 LP |
1687 | * man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted. |
1688 | ||
1689 | * load .d/*.conf dropins for device units | |
1690 | ||
07eabc2b | 1691 | * There's currently no way to cancel fsck (used to be possible via C-c or c on the console) |
f38afcd0 | 1692 | |
07eabc2b | 1693 | * add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/ |
eb01ba5d | 1694 | |
07eabc2b LB |
1695 | * make sure systemd-ask-password-wall does not shutdown systemd-ask-password-console too early |
1696 | ||
1697 | * verify that the AF_UNIX sockets of a service in the fs still exist | |
1698 | when we start a service in order to avoid confusion when a user | |
1699 | assumes starting a service is enough to make it accessible | |
1700 | ||
1701 | * Make it possible to set the keymap independently from the font on | |
1702 | the kernel cmdline. Right now setting one resets also the other. | |
1703 | ||
1704 | * and a dbus call to generate target from current state | |
1705 | ||
1706 | * investigate whether the gnome pty helper should be moved into systemd, to provide cgroup support. | |
1707 | ||
1708 | * dot output for --test showing the 'initial transaction' | |
1709 | ||
1710 | * be able to specify a forced restart of service A where service B depends on, in case B | |
1711 | needs to be auto-respawned? | |
1712 | ||
1713 | * pid1: | |
1714 | - When logging about multiple units (stopping BoundTo units, conflicts, etc.), | |
1715 | log both units as UNIT=, so that journalctl -u triggers on both. | |
1716 | - generate better errors when people try to set transient properties | |
1717 | that are not supported... | |
41d6f3bf | 1718 | https://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html |
07eabc2b | 1719 | - maybe introduce WantsMountsFor=? Usecase: |
41d6f3bf | 1720 | https://lists.freedesktop.org/archives/systemd-devel/2015-January/027729.html |
07eabc2b LB |
1721 | - recreate systemd's D-Bus private socket file on SIGUSR2 |
1722 | - move PAM code into its own binary | |
1723 | - when we automatically restart a service, ensure we restart its rdeps, too. | |
1724 | - hide PAM options in fragment parser when compile time disabled | |
1725 | - Support --test based on current system state | |
1726 | - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle(). | |
1727 | - after deserializing sockets in socket.c we should reapply sockopts and things | |
1728 | - drop PID 1 reloading, only do reexecing (difficult: Reload() | |
1729 | currently is properly synchronous, Reexec() is weird, because we | |
1730 | cannot delay the response properly until we are back, so instead of | |
1731 | being properly synchronous we just keep open the fd and close it | |
1732 | when done. That means clients do not get a successful method reply, | |
1733 | but much rather a disconnect on success. | |
1734 | - when breaking cycles drop sysv services first, then services from /run, then from /etc, then from /usr | |
1735 | - when a bus name of a service disappears from the bus make sure to queue further activation requests | |
1736 | - maybe introduce CoreScheduling=yes/no to optionally set a PR_SCHED_CORE cookie, so that all | |
1737 | processes in a service's cgroup share the same cookie and are guaranteed not to share SMT cores | |
1738 | with other units https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/hw-vuln/core-scheduling.rst | |
1739 | ||
1740 | * unit files: | |
1741 | - allow port=0 in .socket units | |
1742 | - maybe introduce ExecRestartPre= | |
1743 | - add ReloadSignal= for configuring a reload signal to use | |
1744 | - implement Register= switch in .socket units to enable registration | |
1745 | in Avahi, RPC and other socket registration services. | |
1746 | - allow Type=simple with PIDFile= | |
1747 | https://bugzilla.redhat.com/show_bug.cgi?id=723942 | |
1748 | - allow writing multiple conditions in unit files on one line | |
1749 | - introduce Type=pid-file | |
1750 | - add a concept of RemainAfterExit= to scope units | |
1751 | - Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely | |
1752 | - add verification of [Install] section to systemd-analyze verify | |
1753 | ||
1754 | * timer units: | |
63a185dc | 1755 | - timer units should get the ability to trigger when DST changes |
07eabc2b LB |
1756 | - Modulate timer frequency based on battery state |
1757 | ||
1758 | * add libsystemd-password or so to query passwords during boot using the password agent logic | |
1759 | ||
1760 | * clean up date formatting and parsing so that all absolute/relative timestamps we format can also be parsed | |
1761 | ||
1762 | * on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?), get rid of systemd-update-utmp-runlevel | |
1763 | ||
1764 | * make repeated alt-ctrl-del presses printing a dump | |
1765 | ||
07eabc2b | 1766 | * currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not |
461bd8e4 | 1767 | |
ab8e074c LP |
1768 | * add a pam module that passes the hdd passphrase into the PAM stack and then expires it, for usage by gdm auto-login. |
1769 | ||
1770 | * add a pam module that on password changes updates any LUKS slot where the password matches | |
1771 | ||
fff87a35 | 1772 | * test/: |
20d52ab6 | 1773 | - add unit tests for config_parse_device_allow() |
b8b4d3dd | 1774 | |
b5c03638 | 1775 | * seems that when we follow symlinks to units we prefer the symlink |
d28315e4 | 1776 | destination path over /etc and /usr. We should not do that. Instead |
b5c03638 LP |
1777 | /etc should always override /run+/usr and also any symlink |
1778 | destination. | |
1779 | ||
eece8c6f LP |
1780 | * when isolating, try to figure out a way how we implicitly can order |
1781 | all units we stop before the isolating unit... | |
1782 | ||
356ce991 LP |
1783 | * teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off}) |
1784 | ||
6daebf9e ZJS |
1785 | * Add ConditionDirectoryNotEmpty= handle non-absoute paths as a search path or add |
1786 | ConditionConfigSearchPathNotEmpty= or different syntax? See the discussion starting at | |
1787 | https://github.com/systemd/systemd/pull/15109#issuecomment-607740136. | |
1788 | ||
1ccfb792 LP |
1789 | * BootLoaderSpec: Define a way how an installer can figure out whether a BLS |
1790 | compliant boot loader is installed. | |
795607b2 | 1791 | |
0be8342c LP |
1792 | * think about requeuing jobs when daemon-reload is issued? usecase: |
1793 | the initrd issues a reload after fstab from the host is accessible | |
1794 | and we might want to requeue the mounts local-fs acquired through | |
1795 | that automatically. | |
1796 | ||
e5ec62c5 | 1797 | * systemd-inhibit: make taking delay locks useful: support sending SIGINT or SIGTERM on PrepareForSleep() |
54c31a79 | 1798 | |
ccddd104 | 1799 | * remove any syslog support from log.c — we probably cannot do this before split-off udev is gone for good |
826872b6 | 1800 | |
3679d112 LP |
1801 | * shutdown logging: store to EFI var, and store to USB stick? |
1802 | ||
356ce991 | 1803 | * merge unit_kill_common() and unit_kill_context() |
490b7e47 | 1804 | |
07eabc2b LB |
1805 | * add a dependency on standard-conf.xml and other included files to man pages |
1806 | ||
1807 | * MountFlags=shared acts as MountFlags=slave right now. | |
1808 | ||
1809 | * properly handle loop back mounts via fstab, especially regards to fsck/passno | |
1810 | ||
1811 | * initialize the hostname from the fs label of /, if /etc/hostname does not exist? | |
1812 | ||
1813 | * sd-bus: | |
1814 | - EBADSLT handling | |
1815 | - GetAllProperties() on a non-existing object does not result in a failure currently | |
1816 | - port to sd-resolve for connecting to TCP dbus servers | |
1817 | - see if we can introduce a new sd_bus_get_owner_machine_id() call to retrieve the machine ID of the machine of the bus itself | |
1818 | - see if we can drop more message validation on the sending side | |
1819 | - add API to clone sd_bus_message objects | |
1820 | - longer term: priority inheritance | |
1821 | - dbus spec updates: | |
1822 | - NameLost/NameAcquired obsolete | |
07eabc2b LB |
1823 | - path escaping |
1824 | - update systemd.special(7) to mention that dbus.socket is only about the compatibility socket now | |
1825 | ||
1826 | * sd-event | |
1827 | - allow multiple signal handlers per signal? | |
1828 | - document chaining of signal handler for SIGCHLD and child handlers | |
1829 | - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ... | |
1830 | - maybe support iouring as backend, so that we allow hooking read and write | |
1831 | operations instead of IO ready events into event loops. See considerations | |
1832 | here: | |
1833 | http://blog.vmsplice.net/2020/07/rethinking-event-loop-integration-for.html | |
1834 | ||
1835 | * dbus: when a unit failed to load (i.e. is in UNIT_ERROR state), we | |
1836 | should be able to safely try another attempt when the bus call LoadUnit() is invoked. | |
1837 | ||
1838 | * maybe do not install getty@tty1.service symlink in /etc but in /usr? | |
1839 | ||
1840 | * print a nicer explanation if people use variable/specifier expansion in ExecStart= for the first word | |
1841 | ||
1842 | * mount: turn dependency information from /proc/self/mountinfo into dependency information between systemd units. | |
1843 | ||
07eabc2b LB |
1844 | * systemd-firstboot: make sure to always use chase_symlinks() before |
1845 | reading/writing files | |
1846 | ||
1847 | * firstboot: make it useful to be run immediately after yum --installroot to set up a machine. (most specifically, make --copy-root-password work even if /etc/passwd already exists | |
1848 | ||
b44be3ec | 1849 | * EFI: |
b44be3ec LP |
1850 | - honor language efi variables for default language selection (if there are any?) |
1851 | - honor timezone efi variables for default timezone selection (if there are any?) | |
466784c8 | 1852 | - change bootctl to be backed by systemd-bootd to control temporary and persistent default boot goal plus efi variables |
631427d6 | 1853 | * bootctl |
631427d6 | 1854 | - recognize the case when not booted on EFI |
e4181484 | 1855 | |
07eabc2b | 1856 | * bootctl,sd-boot: actually honour the "architecture" key |
e9fd44b7 | 1857 | |
07eabc2b | 1858 | * bootctl: |
483091b0 | 1859 | - show whether UEFI audit mode is available |
07eabc2b LB |
1860 | - teach it to prepare an ESP wholesale, i.e. with mkfs.vfat invocation |
1861 | - teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host | |
f620a368 LP |
1862 | |
1863 | * kernel-install: | |
1864 | - optionally, support generating type #2 entries instead of type #1, including signing them | |
e6c6e7af | 1865 | |
b44be3ec LP |
1866 | * logind: |
1867 | - logind: optionally, ignore idle-hint logic for autosuspend, block suspend as long as a session is around | |
b44be3ec LP |
1868 | - logind: wakelock/opportunistic suspend support |
1869 | - Add pretty name for seats in logind | |
1870 | - logind: allow showing logout dialog from system? | |
f38afcd0 LP |
1871 | - add Suspend() bus calls which take timestamps to fix double suspend issues when somebody hits suspend and closes laptop quickly. |
1872 | - if pam_systemd is invoked by su from a process that is outside of a | |
1873 | any session we should probably just become a NOP, since that's | |
1874 | usually not a real user session but just some system code that just | |
1875 | needs setuid(). | |
279f0366 LP |
1876 | - logind: make the Suspend()/Hibernate() bus calls wait for the for |
1877 | the job to be completed. before returning, so that clients can wait | |
1878 | for "systemctl suspend" to finish to know when the suspending is | |
1879 | complete. | |
1880 | - logind: when the power button is pressed short, just popup a | |
1881 | logout dialog. If it is pressed for 1s, do the usual | |
1882 | shutdown. Inspiration are Macs here. | |
28423d9a | 1883 | - expose "Locked" property on logind session objects |
e25b5a8d DH |
1884 | - maybe allow configuration of the StopTimeout for session scopes |
1885 | - rename session scope so that it includes the UID. THat way | |
1886 | the session scope can be arranged freely in slices and we don't have | |
1887 | make assumptions about their slice anymore. | |
1888 | - follow PropertiesChanged state more closely, to deal with quick logouts and | |
1889 | relogins | |
77b19caf | 1890 | - (optionally?) spawn seat-manager@$SEAT.service whenever a seat shows up that as CanGraphical set |
4a5f779f ZJS |
1891 | - expose details of boot entries on the bus. In particular, it should be possible |
1892 | to query the list of boot entry titles that bootctl / sd-boot would show. | |
1893 | Currently we only expose their identifiers. | |
07eabc2b LB |
1894 | |
1895 | * move multiseat vid/pid matches from logind udev rule to hwdb | |
1896 | ||
1897 | * logind: rework pam_logind to also do a bus call in case of invocation from | |
1898 | user@.service, which returns the XDG_RUNTIME_DIR value, and make this | |
1899 | behaviour selectable via pam module option. | |
1900 | ||
1901 | * delay activation of logind until somebody logs in, or when /dev/tty0 pulls it | |
1902 | in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle | |
1903 | ||
b44be3ec | 1904 | * journal: |
57f2a947 | 1905 | - consider introducing implicit _TTY= + _PPID= + _EUID= + _EGID= + _FSUID= + _FSGID= fields |
b44be3ec LP |
1906 | - journald: also get thread ID from client, plus thread name |
1907 | - journal: when waiting for journal additions in the client always sleep at least 1s or so, in order to minimize wakeups | |
1908 | - add API to close/reopen/get fd for journal client fd in libsystemd-journal. | |
2aed63f4 | 1909 | - fall back to /dev/log based logging in libsystemd-journal, if we cannot log natively? |
b44be3ec | 1910 | - declare the local journal protocol stable in the wiki interface chart |
b44be3ec LP |
1911 | - sd-journal: speed up sd_journal_get_data() with transparent hash table in bg |
1912 | - journald: when dropping msgs due to ratelimit make sure to write | |
1913 | "dropped %u messages" not only when we are about to print the next | |
5238e957 | 1914 | message that works, but already after a short timeout |
b44be3ec LP |
1915 | - check if we can make journalctl by default use --follow mode inside of less if called without args? |
1916 | - maybe add API to send pairs of iovecs via sd_journal_send | |
f47ec8eb | 1917 | - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access |
b44be3ec LP |
1918 | - journactl: support negative filtering, i.e. FOOBAR!="waldo", |
1919 | and !FOOBAR for events without FOOBAR. | |
06847d0f | 1920 | - journal: store timestamp of journal_file_set_offline() in the header, |
038cf334 | 1921 | so it is possible to display when the file was last synced. |
b44be3ec LP |
1922 | - journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again. |
1923 | - journal: find a way to allow dropping history early, based on priority, other rules | |
1924 | - journal: When used on NFS, check payload hashes | |
b44be3ec LP |
1925 | - journald: add kernel cmdline option to disable ratelimiting for debug purposes |
1926 | - refuse taking lower-case variable names in sd_journal_send() and friends. | |
1927 | - journald: we currently rotate only after MaxUse+MaxFilesize has been reached. | |
1928 | - journal: deal nicely with byte-by-byte copied files, especially regards header | |
b44be3ec | 1929 | - journal: sanely deal with entries which are larger than the individual file size, but where the components would fit |
601d9d6f | 1930 | - Replace utmp, wtmp, btmp, and lastlog completely with journal |
f38afcd0 | 1931 | - journalctl: instead --after-cursor= maybe have a --cursor=XYZ+1 syntax? |
f38afcd0 LP |
1932 | - when a kernel driver logs in a tight loop, we should ratelimit that too. |
1933 | - journald: optionally, log debug messages to /run but everything else to /var | |
1934 | - journald: when we drop syslog messages because the syslog socket is | |
1935 | full, make sure to write how many messages are lost as first thing | |
1936 | to syslog when it works again. | |
279f0366 LP |
1937 | - journald: allow per-priority and per-service retention times when rotating/vacuuming |
1938 | - journald: make use of uid-range.h to managed uid ranges to split | |
1939 | journals in. | |
1940 | - journalctl: add the ability to look for the most recent process of a binary. journalctl /usr/bin/X11 --pid=-1 or so... | |
1941 | - improve journalctl performance by loading journal files | |
1942 | lazily. Encode just enough information in the file name, so that we | |
1943 | do not have to open it to know that it is not interesting for us, for | |
1944 | the most common operations. | |
e25b5a8d | 1945 | - man: document that corrupted journal files is nothing to act on |
e25b5a8d DH |
1946 | - rework journald sigbus stuff to use mutex |
1947 | - Set RLIMIT_NPROC for systemd-journal-xyz, and all other of our | |
1948 | services that run under their own user ids, and use User= (but only | |
1949 | in a world where userns is ubiquitous since otherwise we cannot | |
1950 | invoke those daemons on the host AND in a container anymore). Also, | |
1951 | if LimitNPROC= is used without User= we should warn and refuse | |
1952 | operation. | |
1953 | - journalctl --verify: don't show files that are currently being | |
1954 | written to as FAIL, but instead show that their are being written to. | |
1955 | - add journalctl -H that talks via ssh to a remote peer and passes through | |
1956 | binary logs data | |
e25b5a8d | 1957 | - add a version of --merge which also merges /var/log/journal/remote |
e25b5a8d DH |
1958 | - journalctl: -m should access container journals directly by enumerating |
1959 | them via machined, and also watch containers coming and going. | |
1960 | Benefit: nspawn --ephemeral would start working nicely with the journal. | |
1961 | - assign MESSAGE_ID to log messages about failed services | |
06847d0f | 1962 | - check if loop in decompress_blob_xz() is necessary |
b44be3ec | 1963 | |
07eabc2b LB |
1964 | * journald: support RFC3164 fully for the incoming syslog transport, see |
1965 | https://github.com/systemd/systemd/issues/19251#issuecomment-816601955 | |
1966 | ||
1967 | * Hook up journald's FSS logic with TPM2: seal the verification disk by | |
1968 | time-based policy, so that the verification key can remain on host and ve | |
1969 | validated via TPM. | |
1970 | ||
1971 | * build short web pages out of each catalog entry, build them along with man | |
1972 | pages, and include hyperlinks to them in the journal output | |
1973 | ||
1974 | * journald: do journal file writing out-of-process, with one writer process per | |
1975 | client UID, so that synthetic hash table collisions can slow down a specific | |
1976 | user's journal stream down but not the others. | |
1977 | ||
1978 | * tweak journald context caching. In addition to caching per-process attributes | |
1979 | keyed by PID, cache per-cgroup attributes (i.e. the various xattrs we read) | |
1980 | keyed by cgroup path, and guarded by ctime changes. This should provide us | |
1981 | with a nice speed-up on services that have many processes running in the same | |
1982 | cgroup. | |
1983 | ||
1984 | * maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for | |
1985 | the sd-journal logging socket, and, if the timeout is set to 0, sets | |
1986 | O_NONBLOCK on it. That way people can control if and when to block for | |
1987 | logging. | |
1988 | ||
1989 | * journalctl: make sure -f ends when the container indicated by -M terminates | |
1990 | ||
1991 | * journald: sigbus API via a signal-handler safe function that people may call | |
1992 | from the SIGBUS handler | |
1993 | ||
590171d1 ZJS |
1994 | * add a test if all entries in the catalog are properly formatted. |
1995 | (Adding dashes in a catalog entry currently results in the catalog entry | |
1996 | being silently skipped. journalctl --update-catalog must warn about this, | |
1997 | and we should also have a unit test to check that all our message are OK.) | |
1998 | ||
07eabc2b LB |
1999 | * homed: |
2000 | - when user tries to log into record signed by unrecognized key, automatically add key to our chain after polkit auth | |
2001 | - rollback when resize fails mid-operation | |
2002 | - GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid) | |
07eabc2b LB |
2003 | - update LUKS password on login if we find there's a password that unlocks the JSON record but not the LUKS device. |
2004 | - create on activate? | |
2005 | - properties: icon url?, preferred session type?, administrator bool (which translates to 'wheel' membership)?, address?, telephone?, vcard?, samba stuff?, parental controls? | |
2006 | - communicate clearly when usb stick is safe to remove. probably involves | |
2007 | beefing up logind to make pam session close hook synchronous and wait until | |
2008 | systemd --user is shut down. | |
2009 | - logind: maybe keep a "busy fd" as long as there's a non-released session around or the user@.service | |
2010 | - maybe make automatic, read-only, time-based reflink-copies of LUKS disk | |
2011 | images (and btrfs snapshots of subvolumes) (think: time machine) | |
2012 | - distinguish destroy / remove (i.e. currently we can unregister a user, unregister+remove their home directory, but not just remove their home directory) | |
2013 | - in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl set-linger" mode work | |
2014 | - fingerprint authentication, pattern authentication, … | |
2015 | - make sure "classic" user records can also be managed by homed | |
2016 | - make size of $XDG_RUNTIME_DIR configurable in user record | |
2017 | - query password from kernel keyring first | |
2018 | - update even if record is "absent" | |
07eabc2b LB |
2019 | - move acct mgmt stuff from pam_systemd_home to pam_systemd? |
2020 | - when "homectl --pkcs11-token-uri=" is used, synthesize ssh-authorized-keys records for all keys we have private keys on the stick for | |
2021 | - make slice for users configurable (requires logind rework) | |
2022 | - logind: populate auto-login list bus property from PKCS#11 token | |
2023 | - when determining state of a LUKS home directory, check DM suspended sysfs file | |
a11e7c0b LB |
2024 | - when homed is in use, maybe start the user session manager in a mount namespace with MS_SLAVE, |
2025 | so that mounts propagate down but not up - eg, user A setting up a backup volume | |
2026 | doesn't mean user B sees it | |
9c53de8b | 2027 | - use credentials logic/TPM2 logic to store homed signing key |
9c53de8b LP |
2028 | - permit multiple user record signing keys to be used locally, and pick |
2029 | the right one for signing records automatically depending on a pre-existing | |
2030 | signature | |
2031 | - add a way to "adopt" a home directory, i.e. strip foreign signatures | |
2032 | and insert a local signature instead. | |
2033 | - as an extension to the directory+subvolume backend: if located on | |
2034 | especially marked fs, then sync down password into LUKS header of that fs, | |
2035 | and always verify passwords against it too. Bootstrapping is a problem | |
2036 | though: if no one is logged in (or no other user even exists yet), how do you | |
2037 | unlock the volume in order to create the first user and add the first pw. | |
2038 | - support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt | |
2039 | - maybe pre-create ~/.cache as subvol so that it can have separate quota | |
2040 | easily? | |
9c53de8b LP |
2041 | - add a switch to homectl (maybe called --first-boot) where it will check if |
2042 | any non-system users exist, and if not prompts interactively for basic user | |
2043 | info, mimicking systemd-firstboot. Then, place this in a service that runs | |
2044 | after systemd-homed, but before gdm and friends, as a simple, barebones | |
2045 | fallback logic to get a regular user created on uninitialized systems. | |
2046 | - store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with | |
2047 | systemd-cryptsetup, so that it can unlock homed volumes | |
6d975fe7 LP |
2048 | - maybe make all *.home files owned by `systemd-home` user or so, so that we |
2049 | can easily set overall quota for all users | |
2050 | - on login, if we can't fallocate initially, but rebalance is on, then allow | |
2051 | login in discard mode, then immediately rebalance, then turn off discard | |
f1a147f2 | 2052 | - extend user records with optional "bulk" data. Specifically, a user |
288bd406 | 2053 | avatar/photo or so. This data should be stored along with the user record, |
f1a147f2 LP |
2054 | but probably shouldn't be part of the record itself, since it might be |
2055 | large. | |
07eabc2b | 2056 | |
07eabc2b LB |
2057 | * add a new switch --auto-definitions=yes/no or so to systemd-repart. If |
2058 | specified, synthesize a definition automatically if we can: enlarge last | |
2059 | partition on disk, but only if it is marked for growing and not read-only. | |
2060 | ||
2df2bb1f | 2061 | * systemd-repart: read LUKS encryption key from $CREDENTIALS_DIRECTORY |
07eabc2b LB |
2062 | |
2063 | * systemd-repart: add a switch to factory reset the partition table without | |
2064 | immediately applying the new configuration again. i.e. --factory-reset=leave | |
2065 | or so. (this is useful to factory reset an image, then putting it into | |
2066 | another machine, ensuring that luks key is generated on new machine, not old) | |
2067 | ||
2068 | * systemd-repart: support setting up dm-integrity with HMAC | |
2069 | ||
2070 | * systemd-repart: maybe remove half-initialized image on failure. It fails | |
2071 | if the output file exists, so a repeated invocation will usually fail if | |
2072 | something goes wrong on the way. | |
2073 | ||
2074 | * systemd-repart: drop pager mode on normal operation? | |
2075 | ||
2076 | * systemd-repart: by default generate minimized partition tables (i.e. tables | |
2077 | that only cover the space actually used, excluding any free space at the | |
2078 | end), in order to maximize dd'ability. Requires libfdisk work, see | |
2079 | https://github.com/karelzak/util-linux/issues/907 | |
2080 | ||
2081 | * systemd-repart: MBR partition table support. Care needs to be taken regarding | |
2082 | Type=, so that partition definitions can sanely apply to both the GPT and the | |
2083 | MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types | |
2084 | for the two partition types explicitly. And provide an internal mapping so | |
2085 | that "Type=linux-generic" maps to the right types for both partition tables | |
2086 | automatically. | |
2087 | ||
2088 | * systemd-repart: allow sizing partitions as factor of available RAM, so that | |
2089 | we can reasonably size swap partitions for hibernation. | |
2090 | ||
2091 | * systemd-repart: allow boolean option that ensures that if existing partition | |
2092 | doesn't exist within the configured size bounds the whole command fails. This | |
2093 | is useful to implement ESP vs. XBOOTLDR schemes in installers: have one set | |
2094 | of repart files for the case where ESP is large enough and one where it isn't | |
2095 | and XBOOTLDR is added in instead. Then apply the former first, and if it | |
2096 | fails to apply use the latter. | |
2097 | ||
2098 | * systemd-repart: add per-partition option to never reuse existing partition | |
2099 | and always create anew even if matching partition already exists. | |
2100 | ||
2101 | * systemd-repart: add per-partition option to fail if partition already exist, | |
2102 | i.e. is not added new. Similar, add option to fail if partition does not exist yet. | |
2103 | ||
2104 | * systemd-repart: allow disabling growing of specific partitions, or making | |
2105 | them (think ESP: we don't ever want to grow it, since we cannot resize vfat) | |
d01d9197 | 2106 | Also add option to disable operation via kernel command line. |
07eabc2b LB |
2107 | |
2108 | * systemd-repart: make it a static checker during early boot for existence and | |
2109 | absence of other partitions for trusted boot environments | |
2110 | ||
92e72028 | 2111 | * systemd-repart: add support for SD_GPT_FLAG_GROWFS also on real systems, i.e. |
d01d9197 ZJS |
2112 | generate some unit to actually enlarge the fs after growing the partition |
2113 | during boot. | |
2114 | ||
2115 | * systemd-repart: do not print "Successfully resized …" when no change was done. | |
2116 | ||
b44be3ec | 2117 | * document: |
8b8f2591 | 2118 | - document that deps in [Unit] sections ignore Alias= fields in |
b44be3ec LP |
2119 | [Install] units of other units, unless those units are disabled |
2120 | - man: clarify that time-sync.target is not only sysv compat but also useful otherwise. Same for similar targets | |
b44be3ec | 2121 | - document that service reload may be implemented as service reexec |
f38afcd0 LP |
2122 | - add a man page containing packaging guidelines and recommending usage of things like Documentation=, PrivateTmp=, PrivateNetwork= and ReadOnlyDirectories=/etc /usr. |
2123 | - document systemd-journal-flush.service properly | |
f38afcd0 LP |
2124 | - documentation: recommend to connect the timer units of a service to the service via Also= in [Install] |
2125 | - man: document the very specific env the shutdown drop-in tools live in | |
5cf821ac ZJS |
2126 | - man: add more examples to man pages, |
2127 | - in particular an example how to do the equivalent of switching runlevels | |
f38afcd0 | 2128 | - man: maybe sort directives in man pages, and take sections from --help and apply them to man too |
17ec531f | 2129 | - document root=gpt-auto properly |
b44be3ec LP |
2130 | |
2131 | * systemctl: | |
b44be3ec LP |
2132 | - add systemctl switch to dump transaction without executing it |
2133 | - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done | |
2134 | - "systemctl disable" on a static unit prints no message and does | |
2135 | nothing. "systemctl enable" does nothing, and gives a bad message | |
2136 | about it. Should fix both to print nice actionable messages. | |
2137 | - print nice message from systemctl --failed if there are no entries shown, and hook that into ExecStartPre of rescue.service/emergency.service | |
2138 | - add new command to systemctl: "systemctl system-reexec" which reexecs as many daemons as virtually possible | |
d28315e4 | 2139 | - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards? |
b44be3ec | 2140 | - systemctl: "Journal has been rotated since unit was started." message is misleading |
61233823 | 2141 | - systemctl status output should include list of triggering units and their status |
f38afcd0 | 2142 | |
07eabc2b LB |
2143 | * introduce an option (or replacement) for "systemctl show" that outputs all |
2144 | properties as JSON, similar to busctl's new JSON output. In contrast to that | |
2145 | it should skip the variant type string though. | |
8b04b925 | 2146 | |
07eabc2b LB |
2147 | * add an explicit "vertical" mode to format-table, so that "systemctl |
2148 | status"-like outputs (i.e. with a series of field names left and values | |
2149 | right) become genuine first class citizens, and we gain automatic, sane JSON | |
2150 | output for them. | |
d2e83c23 | 2151 | |
07eabc2b LB |
2152 | * Add a "systemctl list-units --by-slice" mode or so, which rearranges the |
2153 | output of "systemctl list-units" slightly by showing the tree structure of | |
2154 | the slices, and the units attached to them. | |
a19554ed | 2155 | |
07eabc2b LB |
2156 | * add "systemctl wait" or so, which does what "systemd-run --wait" does, but |
2157 | for all units. It should be both a way to pin units into memory as well as a | |
2158 | wait to retrieve their exit data. | |
a7a3f28b | 2159 | |
07eabc2b LB |
2160 | * show whether a service has out-of-date configuration in "systemctl status" by |
2161 | using mtime data of ConfigurationDirectory=. | |
08f95888 | 2162 | |
07eabc2b LB |
2163 | * "systemctl preset-all" should probably order the unit files it |
2164 | operates on lexicographically before starting to work, in order to | |
2165 | ensure deterministic behaviour if two unit files conflict (like DMs | |
2166 | do, for example) | |
dcfc4b2e | 2167 | |
07eabc2b LB |
2168 | * add "systemctl start -v foobar.service" that shows logs of a service |
2169 | while the start command runs. This is non-trivial to do without | |
2170 | races though, since we should flush out all journal messages before | |
2171 | returning from the "systemctl stop". | |
71ef24d0 | 2172 | |
07eabc2b LB |
2173 | * systemctl: if some operation fails, show log output? |
2174 | ||
2175 | * Add a new verb "systemctl top" | |
2176 | ||
2177 | * unit install: | |
2178 | - "systemctl mask" should find all names by which a unit is accessible | |
2179 | (i.e. by scanning for symlinks to it) and link them all to /dev/null | |
1b89884b | 2180 | |
b44be3ec | 2181 | * nspawn: |
e25b5a8d DH |
2182 | - emulate /dev/kmsg using CUSE and turn off the syslog syscall |
2183 | with seccomp. That should provide us with a useful log buffer that | |
2184 | systemd can log to during early boot, and disconnect container logs | |
2185 | from the kernel's logs. | |
2186 | - as soon as networkd has a bus interface, hook up --network-interface=, | |
2187 | --network-bridge= with networkd, to trigger netdev creation should an | |
2188 | interface be missing | |
e25b5a8d DH |
2189 | - a nice way to boot up without machine id set, so that it is set at boot |
2190 | automatically for supporting --ephemeral. Maybe hash the host machine id | |
2191 | together with the machine name to generate the machine id for the container | |
2192 | - fix logic always print a final newline on output. | |
2193 | https://github.com/systemd/systemd/pull/272#issuecomment-113153176 | |
2194 | - should optionally support receiving WATCHDOG=1 messages from its payload | |
2195 | PID 1... | |
e25b5a8d DH |
2196 | - optionally automatically add FORWARD rules to iptables whenever nspawn is |
2197 | running, remove them when shut down. | |
e25b5a8d | 2198 | |
07eabc2b LB |
2199 | * nspawn: add support for sysext extensions, too. i.e. a new --extension= |
2200 | switch that takes one or more arguments, and applies the extensions already | |
2201 | during startup. | |
2202 | ||
2203 | * when main nspawn supervisor process gets suspended due to SIGSTOP/SIGTTOU or | |
2204 | so, freeze the payload too. | |
2205 | ||
2206 | * machined: add API to acquire UID range. add API to mount/dissect loopback | |
2207 | file. Both protected by PK. Then make nspawn use these APIs to run | |
2208 | unprivileged containers. i.e. push the truly privileged bits into machined, | |
2209 | so that the client side can remain entirely unprivileged, with SUID or | |
2210 | anything like that. | |
2211 | ||
2212 | * nspawn: support time namespaces | |
2213 | ||
2214 | * nspawn: on cgroupsv1 issue cgroup empty handler process based on host events, | |
2215 | so that we make cgroup agent logic safe | |
2216 | ||
2217 | * nspawn/machined: add API to invoke binary in container, then use that as | |
2218 | fallback in "machinectl shell" | |
2219 | ||
2220 | * nspawn: make nspawn suitable for shell pipelines: instead of triggering a | |
2221 | hangup when input is finished, send ^D, which synthesizes an EOF. Then wait | |
2222 | for hangup or ^D before passing on the EOF. | |
2223 | ||
2224 | * nspawn: greater control over selinux label? | |
2225 | ||
2226 | * nspawn: support that /proc, /sys/, /dev are pre-mounted | |
2227 | ||
e25b5a8d | 2228 | * machined: |
e25b5a8d DH |
2229 | - add an API so that libvirt-lxc can inform us about network interfaces being |
2230 | removed or added to an existing machine | |
2231 | - "machinectl migrate" or similar to copy a container from or to a | |
2232 | difference host, via ssh | |
e25b5a8d DH |
2233 | - introduce systemd-nspawn-ephemeral@.service, and hook it into |
2234 | "machinectl start" with a new --ephemeral switch | |
2235 | - "machinectl status" should also show internal logs of the container in | |
2236 | question | |
e25b5a8d DH |
2237 | - "machinectl history" |
2238 | - "machinectl diff" | |
2239 | - "machinectl commit" that takes a writable snapshot of a tree, invokes a | |
2240 | shell in it, and marks it read-only after use | |
2241 | ||
abd55b16 | 2242 | * udev: |
abd55b16 | 2243 | - move to LGPL |
abd55b16 KS |
2244 | - kill scsi_id |
2245 | - add trigger --subsystem-match=usb/usb_device device | |
e8d842a0 | 2246 | - reimport udev db after MOVE events for devices without dev_t |
75723d31 | 2247 | - re-enable ProtectClock= once only cgroupsv2 is supported. |
8cfde28b | 2248 | See f562abe2963bad241d34e0b308e48cf114672c84. |
b8217b7b | 2249 | |
e25b5a8d DH |
2250 | * coredump: |
2251 | - save coredump in Windows/Mozilla minidump format | |
73a99163 | 2252 | - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps |
1a0281a3 | 2253 | - add examples for other distros in ELF_PACKAGE_METADATA |
87a8baa3 LP |
2254 | |
2255 | * support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting) | |
2256 | ||
f38afcd0 | 2257 | * tmpfiles: |
f38afcd0 | 2258 | - apply "x" on "D" too (see patch from William Douglas) |
614cc34f | 2259 | - instead of ignoring unknown fields, reject them. |
e25b5a8d DH |
2260 | - creating new directories/subvolumes/fifos/device nodes |
2261 | should not follow symlinks. None of the other adjustment or creation | |
2262 | calls follow symlinks. | |
36f57e02 | 2263 | - add --test mode |
ba405b22 ZJS |
2264 | - teach tmpfiles.d q/Q logic something sensible in the context of XFS/ext4 |
2265 | project quota | |
a9b0d0a2 | 2266 | - teach tmpfiles.d m/M to move / atomic move + symlink old -> new |
1258097c | 2267 | |
af6f0d42 TG |
2268 | * udev-link-config: |
2269 | - Make sure ID_PATH is always exported and complete for | |
2270 | network devices where possible, so we can safely rely | |
2271 | on Path= matching | |
af6f0d42 | 2272 | |
88e4d1d7 | 2273 | * sd-rtnl: |
88e4d1d7 | 2274 | - add support for more attribute types |
c589a0e6 | 2275 | - inbuilt piping support (essentially degenerate async)? see loopback-setup.c and other places |
88e4d1d7 | 2276 | |
0a4b9a07 | 2277 | * networkd: |
c74ecd71 TG |
2278 | - add more keys to [Route] and [Address] sections |
2279 | - add support for more DHCPv4 options (and, longer term, other kinds of dynamic config) | |
e8d842a0 | 2280 | - add reduced [Link] support to .network files |
798e174a | 2281 | - properly handle routerless dhcp leases |
a8eaaee7 | 2282 | - work with non-Ethernet devices |
e25b5a8d | 2283 | - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from? |
e25b5a8d DH |
2284 | - the DHCP lease data (such as NTP/DNS) is still made available when |
2285 | a carrier is lost on a link. It should be removed instantly. | |
2286 | - expose in the API the following bits: | |
e2da6491 | 2287 | - option 15, domain name |
38b38500 | 2288 | - option 12, hostname and/or option 81, fqdn |
e25b5a8d DH |
2289 | - option 123, 144, geolocation |
2290 | - option 252, configure http proxy (PAC/wpad) | |
2291 | - provide a way to define a per-network interface default metric value | |
2292 | for all routes to it. possibly a second default for DHCP routes. | |
2293 | - allow Name= to be specified repeatedly in the [Match] section. Maybe also | |
2294 | support Name=foo*|bar*|baz ? | |
e25b5a8d | 2295 | - whenever uplink info changes, make DHCP server send out FORCERENEW |
155e8b9a | 2296 | |
07eabc2b LB |
2297 | * in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us |
2298 | ||
d5e172d2 ZJS |
2299 | * Figure out how to do unittests of networkd's state serialization |
2300 | ||
ac976532 | 2301 | * dhcp: |
424a8732 | 2302 | - figure out how much we can increase Maximum Message Size |
ac976532 | 2303 | |
37d8b536 PF |
2304 | * dhcp6: |
2305 | - add functions to set previously stored IPv6 addresses on startup and get | |
2306 | them at shutdown; store them in client->ia_na | |
2307 | - write more test cases | |
37d8b536 | 2308 | - implement reconfigure support, see 5.3., 15.11. and 22.20. |
37d8b536 | 2309 | - implement support for temporary adressess (IA_TA) |
37d8b536 PF |
2310 | - implement dhcpv6 authentication |
2311 | - investigate the usefulness of Confirm messages; i.e. are there any | |
2312 | situations where the link changes without any loss in carrier detection | |
2313 | or interface down | |
2314 | - some servers don't do rapid commit without a filled in IA_NA, verify | |
2315 | this behavior | |
4a77c53d | 2316 | - RouteTable= ? |