3 * Many manager configuration settings that are only applicable to user
4 manager or system manager can be always set. It would be better to reject
5 them when parsing config.
7 * userdbctl: "Password OK: yes" is shown even when there are no passwords
8 or the password is locked.
10 * Get rid of nftw(). We should refuse to use such useless APIs on principle.
12 * Jun 01 09:43:02 krowka systemd[1]: Unit user@1000.service has alias user@.service.
13 Jun 01 09:43:02 krowka systemd[1]: Unit user@6.service has alias user@.service.
14 Jun 01 09:43:02 krowka systemd[1]: Unit user-runtime-dir@6.service has alias user-runtime-dir@.service.
18 * Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
21 - natively watch for dbus-*.service symlinks (PENDING)
22 - teach dbus to activate all services it finds in /etc/systemd/services/org-*.service
24 * kernel: add device_type = "fb", "fbcon" to class "graphics"
26 * /usr/bin/service should actually show the new command line
28 * fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus=
30 * neither pkexec nor sudo initialize environ[] from the PAM environment?
32 * fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it
34 * register catalog database signature as file magic
36 * zsh shell completion:
37 - <command> <verb> -<TAB> should complete options, but currently does not
38 - systemctl add-wants,add-requires
40 * systemctl status should know about 'systemd-analyze calendar ... --iterations='
41 * If timer has just OnInactiveSec=..., it should fire after a specified time
44 * write blog stories about:
45 - hwdb: what belongs into it, lsusb
46 - enabling dbus services
47 - how to make changes to sysctl and sysfs attributes
49 - how to pass throw-away units to systemd, or dynamically change properties of existing units
50 - testing with Harald's awesome test kit
52 - how to develop against journal browsing APIs
53 - the journal HTTP iface
54 - non-cgroup resource management
55 - dynamic resource management with cgroups
56 - refreshed, longer missions statement
57 - calendar time events
58 - init=/bin/sh vs. "emergency" mode, vs. "rescue" mode, vs. "multi-user" mode, vs. "graphical" mode, and the debug shell
59 - how to create your own target
60 - instantiated apache, dovecot and so on
61 - hooking a script into various stages of shutdown/rearly booot
65 * look for close() vs. close_nointr() vs. close_nointr_nofail()
67 * check for strerror(r) instead of strerror(-r)
71 * set_put(), hashmap_put() return values check. i.e. == 0 does not free()!
73 * use secure_getenv() instead of getenv() where appropriate
75 * link up selected blog stories from man pages and unit files Documentation= fields
79 * Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again
81 * rework mount.c and swap.c to follow proper state enumeration/deserialization
82 semantics, like we do for device.c now
86 * in uefi stub: query firmware regarding which PCRs are being used, store that
87 in EFI var. then use this when enrolling TPM2 in cryptsetup to verify that
88 the selected PCRs actually are used by firmware.
90 * rework recursive read-only remount to use new mount API
92 * PAM: pick auf one authentication token from credentials
94 * tpm2: figure out if we need to do anything for TPM2 parameter encryption? And
95 if so, what precisely?
97 * insert pkcs7 signature for verity gpt
99 * when mounting disk images: if IMAGE_ID/IMAGE_VERSION is set in os-release
100 data in the image, make sure the image filename actually matches this, so
101 that images cannot be misused.
103 * New udev block device symlink names:
104 /dev/disk/by-parttypelabel/<pttype>/<ptlabel>. Use case: if pt label is used
105 as partition image version string, this is a safe way to reference a specific
106 version of a specific partition type, in particular where related partitions
107 are processed (e.g. verity + rootfs both named "LennartOS_0.7").
109 * in sd-id128: also parse UUIDs in RFC4122 URN syntax (i.e. chop off urn:uuid: prefix)
111 * DynamicUser= + StateDirectory= → use uid mapping mounts, too, in order to
112 make dirs appear under right UID.
114 * systemd-sysext: optionally, run it in initrd already, before transitioning
115 into host, to open up possibility for services shipped like that.
117 * maybe add a tool that displays most recent journal logs as QR code to scan
118 off screen and run it automatically on boot failures, emergency logs and
119 such. Use DRM APIs directly, see
120 https://github.com/dvdhrm/docs/blob/master/drm-howto/modeset.c for an example
123 * pass systemd-detect-virt result to generators as env var. Modifying behaviour
124 based on whether we are virtualized or not is a pretty common thing, hence
125 maybe just pass that info along for free in an env var. We cache the result
126 anyway, so it's basically free.
128 * introduce /dev/disk/root/* symlinks that allow referencing partitions on the
129 disk the rootfs is on in a reasonably secure way. (or maybe: add
130 /dev/gpt-auto-{home,srv,boot,…} similar in style to /dev/gpt-auto-root as we
133 * whenever we receive fds via SCM_RIGHTS make sure none got dropped due to the
134 reception limit the kernel silently enforces.
136 * add an Open= setting to service unit files that can open arbitrary file
137 system paths at service startup time and pass them to the service process via
138 our usual socket activation protocol. If passed path refers to AF_UNIX
139 socket: connect() to it.
141 * add a ConnectSocket= setting to service unit files, that may reference a
142 socket unit, and which will connect to the socket defined therein, and pass
143 the resulting fd to the service program via socket activation proto.
145 * Add a concept of ListenStream=anonymous to socket units: listen on a socket
146 that is deleted in the fs. Usecase would be with ConnectSocket= above.
148 * importd: support image signature verification with PKCS#7 + OpenBSD signify
149 logic, as alternative to crummy gpg
151 * sysext: optionally, if the merged trees allow it use bind mounts instead of
154 * add "systemd-analyze debug" + AttachDebugger= in unit files: The former
155 specifies a command to execute; the latter specifies that an already running
156 "systemd-analyze debug" instance shall be contacted and execution paused
157 until it gives an OK. That way, tools like gdb or strace can be safely be
158 invoked on processes forked off PID 1.
160 * expose MS_NOSYMFOLLOW in various places
162 * allow passing creds into kernel when booting: in EFI stub, collect creds
163 files from ESP directory, generate CPIO archive on the fly from them, so that
164 they are dropped into /run/initramfs/creds/ and pass to kernel as additional
165 initrd. Then, use LoadCredentialEncrypted=foo:/run/initramfs/creds/foo to
168 * make LoadCredential= automatically find credentials in /etc/creds,
169 /run/creds, … and so on, if path component is unqualified
171 * teach LoadCredential=/LoadCredentialEncrypted= to load credentials from
172 kernel cmdline, maybe: LoadCredentialEncrypted=foobar:proc-cmdline:foobar
174 * credentials system:
175 - acquire from kernel command line
176 - acquire from EFI variable?
177 - acquire via via ask-password?
178 - acquire creds via keyring?
179 - pass creds via keyring?
180 - pass creds via memfd?
181 - acquire + decrypt creds from pkcs11?
182 - make systemd-cryptsetup acquire pw via creds logic
183 - make PAMName= acquire pw via creds logic
184 - make macsec/wireguard code in networkd read key via creds logic
185 - make gatwayd/remote read key via creds logic
186 - add sd_notify() command for flushing out creds not needed anymore
188 * teach LoadCredential= the ability to load all files from a specified dir as
191 * add tpm.target or so which is delayed until TPM2 device showed up in case
192 firmware indicates there is one.
194 * tpm2: support a PIN policy, i.e. allowing windows-style short authentication
195 passwords by using the TPM2 to enforce ratelimiting and such, use for
198 * Add concept for upgrading TPM2 enrollments, maybe a new switch
199 --pcrs=4:<hash> or so, i.e. select a PCR to include in the hash, and then
202 * TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades
205 * introduce a new group to own TPM devices
207 * cryptenroll: politely refuse enrolling new keys to homed volumes, since we
208 we cannot update identity info
210 * cryptsetup: if only recovery keys are registered and no regular passphrases,
211 ask user for "recovery key", not "passphrase"
213 * cyptsetup: add option for automatically removing empty password slot on boot
215 * cryptsetup: optionally, when run during boot-up and password is never
216 entered, and we are on battery power (or so), power off machine again
218 * cryptsetup: when FIDO2/PKCS#11/TPM2 token/chip didn't show up after some
219 time, abort the attempt, fallback to asking for pw
221 * cryptsetup: when waiting for FIDO2/PKCS#11 token, tell plymouth that, and
222 allow plymouth to abort the waiting and enter pw instead
224 * make cryptsetup lower --iter-time
226 * cryptsetup: allow encoding key directly in /etc/crypttab, maybe with a
227 "base64:" prefix. Useful in particular for pkcs11 mode.
229 * cryptsetup: reimplement the mkswap/mke2fs in cryptsetup-generator to use
230 systemd-makefs.service instead.
233 - cryptsetup-generator: allow specification of passwords in crypttab itself
234 - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator
236 * when configuring loopback netif, and it fails due to EPERM, eat up error if
237 it happens to be set up alright already.
239 * at boot: check if battery above some threshold, if not power off again after explanation
241 * userdb: add field for ambient caps, so that a user can have CAP_WAKE_ALARM
242 for example. And add code that resets ambient caps for all services by
245 * sd-bus: when connecting to some dbus server socker, set originating AF_UNIX
246 socket name in abstract namespace to include "description" string, and pick
247 it up from there in sd_bus_creds logic. i.e. we can use the socket peer
248 address as conduit for some minimal connection metainfo, and use it to
249 restore the "description" logic that kdbus used to have.
251 * systemd-analyze netif that explains predictable interface (or networkctl)
253 * Add service setting to run a service within the specified VRF. i.e. do the
254 equivalent of "ip vrf exec".
256 * change SwitchRoot() implementation in PID 1 to use pivot_root(".", "."), as
257 documented in the pivot_root(2) man page, so that we can drop the /oldroot
260 * special case some calls of chase_symlinks() to use openat2() internally, so
261 that the kernel does what we otherwise do.
263 * make use of new glibc 2.32 APIs sigabbrev_np() and strerrorname_np().
265 * add /etc/integritytab, to support dm-integrity setups. In particular those
266 with HMAC as hash function, so that we can have a protected /home without
267 encryption (leaving encryption to the individual dirs/homed).
269 * complement root=, rootflags=, rootfstype= with rootsubdir= which allows
270 mounting a subdir of the root fs as actual root. This can be used as
271 fstype-agnostic version of btrfs' rootflags=subvol=foobar.
273 * if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
275 * Remove any support for booting without /usr pre-mounted in the initrd entirely.
276 Update INITRD_INTERFACE.md accordingly.
278 * pid1: Move to tracking of main pid/control pid of units per pidfd
280 * pid1: support new clone3() fork-into-cgroup feature
282 * pid1: support new cgroup.kill to terminate all processes in a cgroup
284 * pid1: also remove PID files of a service when the service starts, not just
287 * make us use dynamically fewer deps for containers in general purpose distros:
288 o turn into dlopen() deps:
290 - p11-kit-trust (always)
291 - kmod-libs (only when called from PID 1)
292 - libblkid (only in RootImage= handling in PID 1, but not elsewhere)
293 - libpam (only when called from PID 1)
294 - bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are,
295 since they are so basic and our defaults)
296 o move into separate libsystemd-shared-iptables.so .so
297 - iptables-libs (only used by nspawn + networkd)
299 * seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can.
300 Apparently kernel performance is much better with fewer larger seccomp
301 filters than with more smaller seccomp filters.
303 * systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum,
304 mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such
306 * All tools that support --root= should also learn --image= so that they can
307 operate on disk images directly. Specifically: bootctl, systemctl,
308 coredumpctl. (Already done: systemd-nspawn, systemd-firstboot,
309 systemd-repart, systemd-tmpfiles, systemd-sysusers, journalctl)
311 * seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out
313 * seccomp: don't install filters for ABIs that are masked anyway for the
316 * seccomp: maybe merge all filters we install into one with that libseccomp API that allows merging.
318 * busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
321 * Maybe add a separate GPT partition type to the discoverable partition spec
322 for "hibernate" partitions, that are exactly like swap partitions but only
323 activated right before hibernation and thus never used for regular swapping.
325 * by default, in systemd --user service bump the OOMAdjust to 100, as privs
326 allow so that systemd survives
328 * socket units: allow creating a udev monitor socket with ListenDevices= or so,
329 with matches, then activate app through that passing socket over
331 * unify on openssl (as soon as OpenSSL 3.0 is out, and the Debian license
333 - port sd_id128_get_machine_app_specific() over from khash
334 - port resolved over from libgcrypt (DNSSEC code)
335 - port journald + fsprg over from libgcrypt
336 - port importd over from libgcrypt
337 - when that's done: kill khash.c
338 - when that's done: kill gnutls support in resolved
340 * add growvol and makevol options for /etc/crypttab, similar to
341 x-systemd.growfs and x-systemd-makefs.
343 * userdb: allow username prefix searches in varlink API, allow realname and
344 realname substr searches in varlink API
346 * userdb: allow uid/gid range checks
348 * userdb: allow existence checks
350 * pid1: activation by journal search expression
352 * when switching root from initrd to host, set the machine_id env var so that
353 if the host has no machine ID set yet we continue to use the random one the
356 * sd-event: add native support for P_ALL waitid() watching, then move PID 1 to
357 it for reaping assigned but unknown children. This needs to some special care
358 to operate somewhat sensibly in light of priorities: P_ALL will return
359 arbitrary processes, regardless of the priority we want to watch them with,
360 hence on each event loop iteration check all processes which we shall watch
361 with higher prio explicitly, and then watch the entire rest with P_ALL.
363 * tweak sd-event's child watching: keep a prioq of children to watch and use
364 waitid() only on the children with the highest priority until one is waitable
365 and ignore all lower-prio ones from that point on
367 * maybe introduce xattrs that can be set on the root dir of the root fs
368 partition that declare the volatility mode to use the image in. Previously I
369 thought marking this via GPT partition flags but that's not ideal since
370 that's outside of the LUKS encryption/verity verification, and we probably
371 shouldn't operate in a volatile mode unless we got told so from a trusted
374 * coredump: maybe when coredumping read a new xattr from /proc/$PID/exe that
375 may be used to mark a whole binary as non-coredumpable. Would fix:
376 https://bugs.freedesktop.org/show_bug.cgi?id=69447
378 * teach parse_timestamp() timezones like the calendar spec already knows it
380 * beef up hibernation to optionally do swapon/swapoff immediately before/after
383 * beef up s2h to implement a battery watch loop: instead of entering
384 hibernation unconditionally after coming back from resume make a decision
385 based on the battery load level: if battery level is above a specific
386 threshold, go to suspend again, only hibernate if below it. This means we'd
387 stick to suspend usually, but fall back to hibernation only when battery runs
388 empty (well, subject to our sampling interval). Related to this, check if we
389 can make ACPI _BTP (i.e. /sys/class/power_supply/*/alarm) work for us too,
390 i.e. see if it can wake up machines from suspend, so that we could resume
391 automatically when the system is low on power and move automatically to
392 hibernation mode. (see
393 https://uefi.org/sites/default/files/resources/ACPI%206_2_A_Sept29.pdf
395 https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby-wake-sources
398 * We should probably replace /etc/rc.d/README with a symlink to doc
399 content. After all it is constant vendor data.
401 * maybe add kernel cmdline params: to force random seed crediting
403 * introduce a new per-process uuid, similar to the boot id, the machine id, the
404 invocation id, that is derived from process creds, specifically a hashed
405 combination of AT_RANDOM + getpid() + the starttime from
406 /proc/self/status. Then add these ids implicitly when logging. Deriving this
407 uuid from these three things has the benefit that it can be derived easily
408 from /proc/$PID/ in a stable, and unique way that changes on both fork() and
411 * let's not GC a unit while its ratelimits are still pending
413 * when killing due to service watchdog timeout maybe detect whether target
414 process is under ptracing and then log loudly and continue instead.
416 * make rfkill uaccess controllable by default, i.e. steal rule from
417 gnome-bluetooth and friends
419 * make MAINPID= message reception checks even stricter: if service uses User=,
420 then check sending UID and ignore message if it doesn't match the user or
423 * maybe trigger a uevent "change" on a device if "systemctl reload xyz.device"
426 * when importing an fs tree with machined, optionally apply userns-rec-chown
428 * when importing an fs tree with machined, complain if image is not an OS
430 * Maybe introduce a helper safe_exec() or so, which is to execve() which
431 safe_fork() is to fork(). And then make revert the RLIMIT_NOFILE soft limit
432 to 1K implicitly, unless explicitly opted-out.
434 * rework seccomp/nnp logic that even if User= is used in combination with
435 a seccomp option we don't have to set NNP. For that, change uid first whil
436 keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap.
438 * when no locale is configured, default to UEFI's PlatformLang variable
440 * add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and
441 usefaultd() and make systemd-analyze check for it.
443 * paranoia: whenever we process passwords, call mlock() on the memory
444 first. i.e. look for all places we use free_and_erasep() and
445 augment them with mlock(). Also use MADV_DONTDUMP.
446 Alternatively (preferably?) use memfd_secret().
448 * Move RestrictAddressFamily= to the new cgroup create socket
450 * support the bind/connect/sendmsg cgroup stuff for sandboxing, and possibly
453 * maybe implicitly attach monotonic+realtime timestamps to outgoing messages in
454 log.c and sd-journal-send
456 * optionally: turn on cgroup delegation for per-session scope units
458 * introduce per-unit (i.e. per-slice, per-service) journal log size limits.
460 * sd-boot: automatically load EFI modules from some drop-in dir, so that people
461 can add in file system drivers and such
463 * sd-boot: optionally, show boot menu when previous default boot item has
464 non-zero "tries done" count
466 * augment CODE_FILE=, CODE_LINE= with something like CODE_BASE= or so which
467 contains some identifier for the project, which allows us to include
468 clickable links to source files generating these log messages. The identifier
469 could be some abberviated URL prefix or so (taking inspiration from Go
470 imports). For example, for systemd we could use
471 CODE_BASE=github.com/systemd/systemd/blob/98b0b1123cc or so which is
472 sufficient to build a link by prefixing "http://" and suffixing the
475 * Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can
476 make clickable links from log messages carrying a MESSAGE_ID, that lead to
477 some explanatory text online.
479 * maybe extend .path units to expose fanotify() per-mount change events
481 * When reloading configuration PID 1 should reset all its properties to the
482 original defaults before calling parse_config()
484 * hibernate/s2h: make this robust and safe to enable in Fedora by default.
487 1. add resume_offset support to the resume code (i.e. support swap files
489 2. check if swap is on weird storage and refuse if so
490 3. add auto-detection of hibernation images
492 * cgroups: use inotify to get notified when somebody else modifies cgroups
493 owned by us, then log a friendly warning.
495 * beef up log.c with support for stripping ANSI sequences from strings, so that
496 it is OK to include them in log strings. This would be particularly useful so
497 that our log messages could contain clickable links for example for unit
498 files and suchlike we operate on.
500 * importd: add ability download images for portabled + sysext
502 * add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration)
504 * sync dynamic uids/gids between host+portable srvice (i.e. if DynamicUser=1 is set for a service, make sure that the
505 selected user is resolvable in the service even if it ships its own /etc/passwd)
507 * Fix DECIMAL_STR_MAX or DECIMAL_STR_WIDTH. One includes a trailing NUL, the
508 other doesn't. What a disaster. Probably to exclude it. Also
509 DECIMAL_STR_WIDTH should probably add an extra "-" into account for negative
512 * Check that users of inotify's IN_DELETE_SELF flag are using it properly, as
513 usually IN_ATTRIB is the right way to watch deleted files, as the former only
514 fires when a file is actually removed from disk, i.e. the link count drops to
515 zero and is not open anymore, while the latter happens when a file is
516 unlinked from any dir.
518 * port systemctl, busctl, … over to format-table.[ch]'s table formatters
520 * pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up
522 * add --vacuum-xyz options to coredumpctl, matching those journalctl already has.
524 * introduce Ephemeral= unit file switch, that creates an ephemeral copy of all
525 files and directories that are left writable for a unit, and which are
526 removed after the unit goes down again. A bit like --ephemeral for
527 systemd-nspawn but for system services. If used together with RootImage= this
528 should reflink the image file itself.
530 Related: add Ephemeral=<path1> <path2> … which would allow marking
531 specific paths only like this.
533 * add CopyFile= or so as unit file setting that may be used to copy files or
534 directory trees from the host to the services RootImage= and RootDirectory=
535 environment. Which we can use for /etc/machine-id and in particular
536 /etc/resolv.conf. Should be smart and do something useful on read-only
537 images, for example fall back to read-only bind mounting the file instead.
539 * show invocation ID in systemd-run output
541 * bypass SIGTERM state in unit files if KillSignal is SIGKILL
543 * add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1
544 and so on, which would mean we could report errors and such.
546 * introduce DefaultSlice= or so in system.conf that allows changing where we
547 place our units by default, i.e. change system.slice to something
548 else. Similar, ManagerSlice= should exist so that PID1's own scope unit could
549 be moved somewhere else too. Finally machined and logind should get similar
550 options so that it is possible to move user session scopes and machines to a
551 different slice too by default. Usecase: people who want to put resources on
552 the entire system, with the exception of one specific service. See:
553 https://lists.freedesktop.org/archives/systemd-devel/2018-February/040369.html
555 * maybe rework get_user_creds() to query the user database if $SHELL is used
556 for root, but only then.
558 * be stricter with fds we receive for the fdstore: close them asynchronously
560 * calenderspec: add support for week numbers and day numbers within a
561 year. This would allow us to define "bi-weekly" triggers safely.
563 * sd-bus: add vtable flag, that may be used to request client creds implicitly
564 and asynchronously before dispatching the operation
566 * sd-bus: parse addresses given in sd_bus_set_addresses immediately and not
567 only when used. Add unit tests.
569 * make use of ethtool veth peer info in machined, for automatically finding out
570 host-side interface pointing to the container.
572 * add some special mode to LogsDirectory=/StateDirectory=… that allows
573 declaring these directories without necessarily pulling in deps for them, or
574 creating them when starting up. That way, we could declare that
575 systemd-journald writes to /var/log/journal, which could be useful when we
576 doing disk usage calculations and so on.
578 * taint systemd if there are fewer than 65536 users assigned (userns) to the system.
580 * deprecate RootDirectoryStartOnly= in favour of a new ExecStart= prefix char
582 * add a new RuntimeDirectoryPreserve= mode that defines a similar lifecycle for
583 the runtime dir as we maintain for the fdstore: i.e. keep it around as long
584 as the unit is running or has a job queued.
586 * support projid-based quota in machinectl for containers
588 * add a way to lock down cgroup migration: a boolean, which when set for a unit
589 makes sure the processes in it can never migrate out of it
591 * blog about fd store and restartable services
593 * document Environment=SYSTEMD_LOG_LEVEL=debug drop-in in debugging document
595 * rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its
596 magic meaning and is no longer upgraded to something else if set explicitly.
598 * in the long run: permit a system with /etc/machine-id linked to /dev/null, to
599 make it lose its identity, i.e. be anonymous. For this we'd have to patch
600 through the whole tree to make all code deal with the case where no machine
603 * optionally, collect cgroup resource data, and store it in per-unit RRD files,
604 suitable for processing with rrdtool. Add bus API to access this data, and
605 possibly implement a CPULoad property based on it.
607 * beef up pam_systemd to take unit file settings such as cgroups properties as
610 * maybe hook of xfs/ext4 quotactl() with services? i.e. automatically manage
611 the quota of the user indicated in User= via unit file settings, like the
612 other resource management concepts. Would mix nicely with DynamicUser=1. Or
613 alternatively, do this with projids, so that we can also cover services
614 running as root. Quota should probably cover all the special dirs such as
615 StateDirectory=, LogsDirectory=, CacheDirectory=, as well as RootDirectory= if it
616 is set, plus the whole disk space any image configured with RootImage=.
618 * In DynamicUser= mode: before selecting a UID, use disk quota APIs on relevant
619 disks to see if the UID is already in use.
621 * expose IO accounting data on the bus, show it in systemd-run --wait and log
622 about it in the resource log message
624 * Add AddUser= setting to unit files, similar to DynamicUser=1 which however
625 creates a static, persistent user rather than a dynamic, transient user. We
626 can leverage code from sysusers.d for this.
628 * add some optional flag to ReadWritePaths= and friends, that has the effect
629 that we create the dir in question when the service is started. Example:
631 ReadWritePaths=:/var/lib/foobar
633 * hostnamed: populate form factor data from a new hwdb database, so that old
634 yogas can be recognized as "convertible" too, even if they predate the DMI
635 "convertible" form factor
637 * Add ExecMonitor= setting. May be used multiple times. Forks off a process in
638 the service cgroup, which is supposed to monitor the service, and when it
639 exits the service is considered failed by its monitor.
641 * track the per-service PAM process properly (i.e. as an additional control
642 process), so that it may be queried on the bus and everything.
644 * add a new "debug" job mode, that is propagated to unit_start() and for
645 services results in two things: we raise SIGSTOP right before invoking
646 execve() and turn off watchdog support. Then, use that to implement
647 "systemd-gdb" for attaching to the start-up of any system service in its
650 * gpt-auto logic: support encrypted swap, add kernel cmdline option to force it, and honour a gpt bit about it, plus maybe a configuration file
652 * add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and
653 then use that for the setting used in user@.service. It should be understood
654 relative to the configured default value.
656 * enable LockMLOCK to take a percentage value relative to physical memory
658 * Permit masking specific netlink APIs with RestrictAddressFamily=
660 * define gpt header bits to select volatility mode
662 * ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
664 * ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
666 * ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
668 * ProtectKeyRing= to take keyring calls away
670 * RemoveKeyRing= to remove all keyring entries of the specified user
672 * ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill
673 on PID 1 with the relevant signals, and makes relevant files in /sys and
674 /proc (such as the sysrq stuff) unavailable
676 * Support ReadWritePaths/ReadOnlyPaths/InaccessiblePaths in systemd --user instances
677 via the new unprivileged Landlock LSM (https://landlock.io)
679 * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
681 * in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set,
682 find a way to map the User=/Group= of the service to the right name. This way
683 a user/group for a service only has to exist on the host for the right
686 * add bus API for creating unit files in /etc, reusing the code for transient units
688 * add bus API to remove unit files from /etc
690 * add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only)
692 * rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the
693 kernel doesn't support linkat() that replaces existing files, currently)
695 * transient units: don't bother with actually setting unit properties, we
696 reload the unit file anyway
698 * optionally, also require WATCHDOG=1 notifications during service start-up and shutdown
700 * cache sd_event_now() result from before the first iteration...
702 * PID1: find a way how we can reload unit file configuration for
703 specific units only, without reloading the whole of systemd
705 * add an explicit parser for LimitRTPRIO= that verifies
706 the specified range and generates sane error messages for incorrect
709 * when we detect that there are waiting jobs but no running jobs, do something
711 * push CPUAffinity= also into the "cpuset" cgroup controller
713 * PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn)
715 * there's probably something wrong with having user mounts below /sys,
716 as we have for debugfs. for example, src/core/mount.c handles mounts
717 prefixed with /sys generally special.
718 http://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html
720 * fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline
722 * initrd-parse-etc.service: can we skip daemon-reload if /sysroot/etc/fstab is missing?
723 Note that we start initrd-fs.target and initrd-cleanup.target there, so a straightforward
724 ConditionPathExists= is not enough.
726 * docs: bring http://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date
728 * add a job mode that will fail if a transaction would mean stopping
729 running units. Use this in timedated to manage the NTP service
731 http://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html
733 * The udev blkid built-in should expose a property that reflects
734 whether media was sensed in USB CF/SD card readers. This should then
735 be used to control SYSTEMD_READY=1/0 so that USB card readers aren't
736 picked up by systemd unless they contain a medium. This would mirror
737 the behaviour we already have for CD drives.
739 * hostnamectl: show root image uuid
741 * Find a solution for SMACK capabilities stuff:
742 http://lists.freedesktop.org/archives/systemd-devel/2014-December/026188.html
744 * synchronize console access with BSD locks:
745 http://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html
747 * as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads:
748 http://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html
750 * figure out when we can use the coarse timers
752 * maybe allow timer units with an empty Units= setting, so that they
753 can be used for resuming the system but nothing else.
755 * what to do about udev db binary stability for apps? (raw access is not an option)
757 * exponential backoff in timesyncd when we cannot reach a server
759 * timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM
761 * merge ~/.local/share and ~/.local/lib into one similar /usr/lib and /usr/share....
763 * add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL
764 (throughout the codebase, not only PID1)
766 * drop nss-myhostname in favour of nss-resolve?
770 - service registration
771 - service/domain/types browsing
773 - DNS-SD service registration from socket units
774 - resolved should optionally register additional per-interface LLMNR
775 names, so that for the container case we can establish the same name
776 (maybe "host") for referencing the server, everywhere.
777 - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?)
778 - hook up resolved with machined-based address resolution
780 * refcounting in sd-resolve is borked
782 * add new gpt type for btrfs volumes
784 * generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them.
786 * a way for container managers to turn off getty starting via $container_headless= or so...
788 * figure out a nice way how we can let the admin know what child/sibling unit causes cgroup membership for a specific unit
790 * For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services
791 they run added to the initial transaction and thus confuse Type=idle.
793 * add bus api to query unit file's X fields.
795 * gpt-auto-generator:
796 - Define new partition type for encrypted swap? Support probed LUKS for encrypted swap?
797 - Make /home automount rather than mount?
799 * add generator that pulls in systemd-network from containers when
800 CAP_NET_ADMIN is set, more than the loopback device is defined, even
801 when it is otherwise off
803 * MessageQueueMessageSize= (and suchlike) should use parse_iec_size().
805 * implement Distribute= in socket units to allow running multiple
806 service instances processing the listening socket, and open this up
810 - implement per-slice CPUFairScheduling=1 switch
811 - introduce high-level settings for RT budget, swappiness
812 - how to reset dynamically changed unit cgroup attributes sanely?
813 - when reloading configuration, apply new cgroup configuration
814 - when recursively showing the cgroup hierarchy, optionally also show
815 the hierarchies of child processes
818 - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt
820 * when we detect low battery and no AC on boot, show pretty splash and refuse boot
822 * libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops
824 * be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1
826 * rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it
828 * After coming back from hibernation reset hibernation swap partition using the /dev/snapshot ioctl APIs
830 * If we try to find a unit via a dangling symlink, generate a clean
831 error. Currently, we just ignore it and read the unit from the search
834 * refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up
836 * man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted.
838 * load .d/*.conf dropins for device units
840 * There's currently no way to cancel fsck (used to be possible via C-c or c on the console)
842 * add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/
844 * make sure systemd-ask-password-wall does not shutdown systemd-ask-password-console too early
846 * verify that the AF_UNIX sockets of a service in the fs still exist
847 when we start a service in order to avoid confusion when a user
848 assumes starting a service is enough to make it accessible
850 * Make it possible to set the keymap independently from the font on
851 the kernel cmdline. Right now setting one resets also the other.
853 * and a dbus call to generate target from current state
855 * investigate whether the gnome pty helper should be moved into systemd, to provide cgroup support.
857 * dot output for --test showing the 'initial transaction'
859 * be able to specify a forced restart of service A where service B depends on, in case B
860 needs to be auto-respawned?
863 - When logging about multiple units (stopping BoundTo units, conflicts, etc.),
864 log both units as UNIT=, so that journalctl -u triggers on both.
865 - generate better errors when people try to set transient properties
866 that are not supported...
867 http://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html
868 - maybe introduce WantsMountsFor=? Usecase:
869 http://lists.freedesktop.org/archives/systemd-devel/2015-January/027729.html
870 - recreate systemd's D-Bus private socket file on SIGUSR2
871 - move PAM code into its own binary
872 - when we automatically restart a service, ensure we restart its rdeps, too.
873 - hide PAM options in fragment parser when compile time disabled
874 - Support --test based on current system state
875 - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle().
876 - after deserializing sockets in socket.c we should reapply sockopts and things
877 - drop PID 1 reloading, only do reexecing (difficult: Reload()
878 currently is properly synchronous, Reexec() is weird, because we
879 cannot delay the response properly until we are back, so instead of
880 being properly synchronous we just keep open the fd and close it
881 when done. That means clients do not get a successful method reply,
882 but much rather a disconnect on success.
883 - when breaking cycles drop sysv services first, then services from /run, then from /etc, then from /usr
884 - when a bus name of a service disappears from the bus make sure to queue further activation requests
885 - maybe introduce CoreScheduling=yes/no to optionally set a PR_SCHED_CORE cookie, so that all
886 processes in a service's cgroup share the same cookie and are guaranteed not to share SMT cores
887 with other units https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/hw-vuln/core-scheduling.rst
890 - allow port=0 in .socket units
891 - maybe introduce ExecRestartPre=
892 - add ReloadSignal= for configuring a reload signal to use
893 - implement Register= switch in .socket units to enable registration
894 in Avahi, RPC and other socket registration services.
895 - allow Type=simple with PIDFile=
896 https://bugzilla.redhat.com/show_bug.cgi?id=723942
897 - allow writing multiple conditions in unit files on one line
898 - introduce Type=pid-file
899 - add a concept of RemainAfterExit= to scope units
900 - Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely
901 - add verification of [Install] section to systemd-analyze verify
904 - timer units should get the ability to trigger when:
906 - Modulate timer frequency based on battery state
908 * add libsystemd-password or so to query passwords during boot using the password agent logic
910 * clean up date formatting and parsing so that all absolute/relative timestamps we format can also be parsed
912 * on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?), get rid of systemd-update-utmp-runlevel
914 * make repeated alt-ctrl-del presses printing a dump
916 * hostnamed: before returning information from /etc/machine-info.conf check the modification data and reread. Similar for localed, ...
918 * currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not
920 * add a pam module that passes the hdd passphrase into the PAM stack and then expires it, for usage by gdm auto-login.
922 * add a pam module that on password changes updates any LUKS slot where the password matches
925 - add unit tests for config_parse_device_allow()
927 * seems that when we follow symlinks to units we prefer the symlink
928 destination path over /etc and /usr. We should not do that. Instead
929 /etc should always override /run+/usr and also any symlink
932 * when isolating, try to figure out a way how we implicitly can order
933 all units we stop before the isolating unit...
935 * teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off})
937 * Add ConditionDirectoryNotEmpty= handle non-absoute paths as a search path or add
938 ConditionConfigSearchPathNotEmpty= or different syntax? See the discussion starting at
939 https://github.com/systemd/systemd/pull/15109#issuecomment-607740136.
941 * BootLoaderSpec: Clarify that the kernel has to be in $BOOT. Clarify
942 that the boot loader should be installed to the ESP. Define a way
943 how an installer can figure out whether a BLS compliant boot loader
946 * think about requeuing jobs when daemon-reload is issued? usecase:
947 the initrd issues a reload after fstab from the host is accessible
948 and we might want to requeue the mounts local-fs acquired through
951 * systemd-inhibit: make taking delay locks useful: support sending SIGINT or SIGTERM on PrepareForSleep()
953 * remove any syslog support from log.c — we probably cannot do this before split-off udev is gone for good
955 * shutdown logging: store to EFI var, and store to USB stick?
957 * merge unit_kill_common() and unit_kill_context()
959 * hw watchdog: optionally try to use the preset watchdog timeout instead of always overriding it
960 https://bugs.freedesktop.org/show_bug.cgi?id=54712
962 * add a dependency on standard-conf.xml and other included files to man pages
964 * MountFlags=shared acts as MountFlags=slave right now.
966 * properly handle loop back mounts via fstab, especially regards to fsck/passno
968 * initialize the hostname from the fs label of /, if /etc/hostname does not exist?
972 - GetAllProperties() on a non-existing object does not result in a failure currently
973 - port to sd-resolve for connecting to TCP dbus servers
974 - see if we can introduce a new sd_bus_get_owner_machine_id() call to retrieve the machine ID of the machine of the bus itself
975 - see if we can drop more message validation on the sending side
976 - add API to clone sd_bus_message objects
977 - longer term: priority inheritance
979 - NameLost/NameAcquired obsolete
982 - update systemd.special(7) to mention that dbus.socket is only about the compatibility socket now
985 - allow multiple signal handlers per signal?
986 - document chaining of signal handler for SIGCHLD and child handlers
987 - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ...
988 - maybe support iouring as backend, so that we allow hooking read and write
989 operations instead of IO ready events into event loops. See considerations
991 http://blog.vmsplice.net/2020/07/rethinking-event-loop-integration-for.html
993 * dbus: when a unit failed to load (i.e. is in UNIT_ERROR state), we
994 should be able to safely try another attempt when the bus call LoadUnit() is invoked.
996 * maybe do not install getty@tty1.service symlink in /etc but in /usr?
998 * print a nicer explanation if people use variable/specifier expansion in ExecStart= for the first word
1000 * mount: turn dependency information from /proc/self/mountinfo into dependency information between systemd units.
1002 * firstboot: allow provisioning of /etc/hosts entries, so that we can via the
1003 credentials logic insert host name to resolve into containers/hosts. Usecase:
1004 fork a container, and make it ping some specific address which is defined by
1005 the host on invocation
1007 * systemd-firstboot: make sure to always use chase_symlinks() before
1008 reading/writing files
1010 * firstboot: make it useful to be run immediately after yum --installroot to set up a machine. (most specifically, make --copy-root-password work even if /etc/passwd already exists
1012 * sd-boot: define a drop-in dir in the ESP that may contain X.509
1013 certificates. If the firmware is detected to be in setup mode, automatically
1014 enroll them as PK/KEK/db, turn off setup mode and proceed. Optionally,
1015 instead of auto-enrolling them add them to the sd-boot menu, giving the user
1016 the option to manually enroll them, after selecting the menu entry. This way,
1017 installer images can just drop the certfiicates in the ESP, and on first boot
1018 can easily enroll the keys without ever booting up.
1020 * efi stub: optionally, load initrd from disk as a separate file, HMAC check it
1021 with key from TPM, bound to PCR, refusing if failing. This would then allow
1022 traditional distros that generate initrds locally to secure them with TPM:
1023 after generating the initrd, do the HMAC calculation, put result in initrd
1024 filename, done. This would then bind the validity of the initrd to the local
1025 host, and used kernel, and means people cannot change initrd or kernel
1026 without booting the kernel + initrd.
1029 - honor language efi variables for default language selection (if there are any?)
1030 - honor timezone efi variables for default timezone selection (if there are any?)
1031 - change bootctl to be backed by systemd-bootd to control temporary and persistent default boot goal plus efi variables
1033 - recognize the case when not booted on EFI
1035 * bootctl,sd-boot: actually honour the "architecture" key
1038 - teach it to prepare an ESP wholesale, i.e. with mkfs.vfat invocation
1039 - teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host
1040 - make it operate on loopback files, dissecting enough to find ESP to operate on
1043 - logind: optionally, ignore idle-hint logic for autosuspend, block suspend as long as a session is around
1044 - logind: wakelock/opportunistic suspend support
1045 - Add pretty name for seats in logind
1046 - logind: allow showing logout dialog from system?
1047 - add Suspend() bus calls which take timestamps to fix double suspend issues when somebody hits suspend and closes laptop quickly.
1048 - if pam_systemd is invoked by su from a process that is outside of a
1049 any session we should probably just become a NOP, since that's
1050 usually not a real user session but just some system code that just
1052 - logind: make the Suspend()/Hibernate() bus calls wait for the for
1053 the job to be completed. before returning, so that clients can wait
1054 for "systemctl suspend" to finish to know when the suspending is
1056 - logind: when the power button is pressed short, just popup a
1057 logout dialog. If it is pressed for 1s, do the usual
1058 shutdown. Inspiration are Macs here.
1059 - expose "Locked" property on logind session objects
1060 - maybe allow configuration of the StopTimeout for session scopes
1061 - rename session scope so that it includes the UID. THat way
1062 the session scope can be arranged freely in slices and we don't have
1063 make assumptions about their slice anymore.
1064 - follow PropertiesChanged state more closely, to deal with quick logouts and
1066 - (optionally?) spawn seat-manager@$SEAT.service whenever a seat shows up that as CanGraphical set
1068 * move logind udev rules to top-level rule.d/ directory
1070 * move multiseat vid/pid matches from logind udev rule to hwdb
1072 * logind: rework pam_logind to also do a bus call in case of invocation from
1073 user@.service, which returns the XDG_RUNTIME_DIR value, and make this
1074 behaviour selectable via pam module option.
1076 * delay activation of logind until somebody logs in, or when /dev/tty0 pulls it
1077 in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle
1080 - consider introducing implicit _TTY= + _PPID= + _EUID= + _EGID= + _FSUID= + _FSGID= fields
1081 - journald: also get thread ID from client, plus thread name
1082 - journal: when waiting for journal additions in the client always sleep at least 1s or so, in order to minimize wakeups
1083 - add API to close/reopen/get fd for journal client fd in libsystemd-journal.
1084 - fall back to /dev/log based logging in libsystemd-journal, if we cannot log natively?
1085 - declare the local journal protocol stable in the wiki interface chart
1086 - sd-journal: speed up sd_journal_get_data() with transparent hash table in bg
1087 - journald: when dropping msgs due to ratelimit make sure to write
1088 "dropped %u messages" not only when we are about to print the next
1089 message that works, but already after a short timeout
1090 - check if we can make journalctl by default use --follow mode inside of less if called without args?
1091 - maybe add API to send pairs of iovecs via sd_journal_send
1092 - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access
1093 - journactl: support negative filtering, i.e. FOOBAR!="waldo",
1094 and !FOOBAR for events without FOOBAR.
1095 - journal: store timestamp of journal_file_set_offline() in the header,
1096 so it is possible to display when the file was last synced.
1097 - journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again.
1098 - journal: find a way to allow dropping history early, based on priority, other rules
1099 - journal: When used on NFS, check payload hashes
1100 - journald: add kernel cmdline option to disable ratelimiting for debug purposes
1101 - refuse taking lower-case variable names in sd_journal_send() and friends.
1102 - journald: we currently rotate only after MaxUse+MaxFilesize has been reached.
1103 - journal: deal nicely with byte-by-byte copied files, especially regards header
1104 - journal: sanely deal with entries which are larger than the individual file size, but where the components would fit
1105 - Replace utmp, wtmp, btmp, and lastlog completely with journal
1106 - journalctl: instead --after-cursor= maybe have a --cursor=XYZ+1 syntax?
1107 - when a kernel driver logs in a tight loop, we should ratelimit that too.
1108 - journald: optionally, log debug messages to /run but everything else to /var
1109 - journald: when we drop syslog messages because the syslog socket is
1110 full, make sure to write how many messages are lost as first thing
1111 to syslog when it works again.
1112 - journald: allow per-priority and per-service retention times when rotating/vacuuming
1113 - journald: make use of uid-range.h to managed uid ranges to split
1115 - journalctl: add the ability to look for the most recent process of a binary. journalctl /usr/bin/X11 --pid=-1 or so...
1116 - improve journalctl performance by loading journal files
1117 lazily. Encode just enough information in the file name, so that we
1118 do not have to open it to know that it is not interesting for us, for
1119 the most common operations.
1120 - man: document that corrupted journal files is nothing to act on
1121 - rework journald sigbus stuff to use mutex
1122 - Set RLIMIT_NPROC for systemd-journal-xyz, and all other of our
1123 services that run under their own user ids, and use User= (but only
1124 in a world where userns is ubiquitous since otherwise we cannot
1125 invoke those daemons on the host AND in a container anymore). Also,
1126 if LimitNPROC= is used without User= we should warn and refuse
1128 - journalctl --verify: don't show files that are currently being
1129 written to as FAIL, but instead show that their are being written to.
1130 - add journalctl -H that talks via ssh to a remote peer and passes through
1132 - add a version of --merge which also merges /var/log/journal/remote
1133 - journalctl: -m should access container journals directly by enumerating
1134 them via machined, and also watch containers coming and going.
1135 Benefit: nspawn --ephemeral would start working nicely with the journal.
1136 - assign MESSAGE_ID to log messages about failed services
1137 - check if loop in decompress_blob_xz() is necessary
1139 * journald: support RFC3164 fully for the incoming syslog transport, see
1140 https://github.com/systemd/systemd/issues/19251#issuecomment-816601955
1142 * Hook up journald's FSS logic with TPM2: seal the verification disk by
1143 time-based policy, so that the verification key can remain on host and ve
1146 * build short web pages out of each catalog entry, build them along with man
1147 pages, and include hyperlinks to them in the journal output
1149 * journald: do journal file writing out-of-process, with one writer process per
1150 client UID, so that synthetic hash table collisions can slow down a specific
1151 user's journal stream down but not the others.
1153 * tweak journald context caching. In addition to caching per-process attributes
1154 keyed by PID, cache per-cgroup attributes (i.e. the various xattrs we read)
1155 keyed by cgroup path, and guarded by ctime changes. This should provide us
1156 with a nice speed-up on services that have many processes running in the same
1159 * maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for
1160 the sd-journal logging socket, and, if the timeout is set to 0, sets
1161 O_NONBLOCK on it. That way people can control if and when to block for
1164 * journalctl: make sure -f ends when the container indicated by -M terminates
1166 * journald: sigbus API via a signal-handler safe function that people may call
1167 from the SIGBUS handler
1169 * add a test if all entries in the catalog are properly formatted.
1170 (Adding dashes in a catalog entry currently results in the catalog entry
1171 being silently skipped. journalctl --update-catalog must warn about this,
1172 and we should also have a unit test to check that all our message are OK.)
1175 - when user tries to log into record signed by unrecognized key, automatically add key to our chain after polkit auth
1176 - rollback when resize fails mid-operation
1177 - GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid)
1179 - shrink fs on logout?
1180 - update LUKS password on login if we find there's a password that unlocks the JSON record but not the LUKS device.
1181 - create on activate?
1182 - properties: icon url?, preferred session type?, administrator bool (which translates to 'wheel' membership)?, address?, telephone?, vcard?, samba stuff?, parental controls?
1183 - communicate clearly when usb stick is safe to remove. probably involves
1184 beefing up logind to make pam session close hook synchronous and wait until
1185 systemd --user is shut down.
1186 - logind: maybe keep a "busy fd" as long as there's a non-released session around or the user@.service
1187 - maybe make automatic, read-only, time-based reflink-copies of LUKS disk
1188 images (and btrfs snapshots of subvolumes) (think: time machine)
1189 - distinguish destroy / remove (i.e. currently we can unregister a user, unregister+remove their home directory, but not just remove their home directory)
1190 - in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl set-linger" mode work
1191 - fingerprint authentication, pattern authentication, …
1192 - make sure "classic" user records can also be managed by homed
1193 - make size of $XDG_RUNTIME_DIR configurable in user record
1194 - query password from kernel keyring first
1195 - update even if record is "absent"
1196 - add a "access mode" + "fstype" field to the "status" section of json identity records reflecting the actually used access mode and fstype, even on non-luks backends
1197 - move acct mgmt stuff from pam_systemd_home to pam_systemd?
1198 - when "homectl --pkcs11-token-uri=" is used, synthesize ssh-authorized-keys records for all keys we have private keys on the stick for
1199 - make slice for users configurable (requires logind rework)
1200 - logind: populate auto-login list bus property from PKCS#11 token
1201 - when determining state of a LUKS home directory, check DM suspended sysfs file
1202 - introduce API for "making room", that grows/shrinks home directory
1203 according to elastic parameters, discards blocks, and removes additional snapshots. Call it
1204 either from UI when disk space gets low
1205 - when homed is in use, maybe start the user session manager in a mount namespace with MS_SLAVE,
1206 so that mounts propagate down but not up - eg, user A setting up a backup volume
1207 doesn't mean user B sees it
1208 - use credentials logic/TPM2 logic to store homed signing key
1209 - during login resize fs automatically towards size goal. Specifically,
1210 resize to diskSize if possible, but leave a certain amount (configured by a
1211 new value diskLeaveFreeSize) of space free on the backing fs.
1212 - permit multiple user record signing keys to be used locally, and pick
1213 the right one for signing records automatically depending on a pre-existing
1215 - add a way to "adopt" a home directory, i.e. strip foreign signatures
1216 and insert a local signature instead.
1217 - as an extension to the directory+subvolume backend: if located on
1218 especially marked fs, then sync down password into LUKS header of that fs,
1219 and always verify passwords against it too. Bootstrapping is a problem
1220 though: if no one is logged in (or no other user even exists yet), how do you
1221 unlock the volume in order to create the first user and add the first pw.
1222 - support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
1223 - maybe pre-create ~/.cache as subvol so that it can have separate quota
1225 - if kernel 5.12 uid mapping mounts exist, use that instead of recursive
1227 - add a switch to homectl (maybe called --first-boot) where it will check if
1228 any non-system users exist, and if not prompts interactively for basic user
1229 info, mimicking systemd-firstboot. Then, place this in a service that runs
1230 after systemd-homed, but before gdm and friends, as a simple, barebones
1231 fallback logic to get a regular user created on uninitialized systems.
1232 - store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with
1233 systemd-cryptsetup, so that it can unlock homed volumes
1234 - try to unmount in regular intervals when home dir was busy when we
1236 - keep an fd to the homedir open at all times, to keep the fs pinned
1237 (autofs and such) while user is logged in.
1239 * add a new switch --auto-definitions=yes/no or so to systemd-repart. If
1240 specified, synthesize a definition automatically if we can: enlarge last
1241 partition on disk, but only if it is marked for growing and not read-only.
1243 * systemd-repart: read LUKS encryption key from $CREDENTIALS_PATH
1245 * systemd-repart: add a switch to factory reset the partition table without
1246 immediately applying the new configuration again. i.e. --factory-reset=leave
1247 or so. (this is useful to factory reset an image, then putting it into
1248 another machine, ensuring that luks key is generated on new machine, not old)
1250 * systemd-repart: support setting up dm-integrity with HMAC
1252 * systemd-repart: maybe remove half-initialized image on failure. It fails
1253 if the output file exists, so a repeated invocation will usually fail if
1254 something goes wrong on the way.
1256 * systemd-repart: drop pager mode on normal operation?
1258 * systemd-repart: by default generate minimized partition tables (i.e. tables
1259 that only cover the space actually used, excluding any free space at the
1260 end), in order to maximize dd'ability. Requires libfdisk work, see
1261 https://github.com/karelzak/util-linux/issues/907
1263 * systemd-repart: MBR partition table support. Care needs to be taken regarding
1264 Type=, so that partition definitions can sanely apply to both the GPT and the
1265 MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types
1266 for the two partition types explicitly. And provide an internal mapping so
1267 that "Type=linux-generic" maps to the right types for both partition tables
1270 * systemd-repart: allow sizing partitions as factor of available RAM, so that
1271 we can reasonably size swap partitions for hibernation.
1273 * systemd-repart: allow boolean option that ensures that if existing partition
1274 doesn't exist within the configured size bounds the whole command fails. This
1275 is useful to implement ESP vs. XBOOTLDR schemes in installers: have one set
1276 of repart files for the case where ESP is large enough and one where it isn't
1277 and XBOOTLDR is added in instead. Then apply the former first, and if it
1278 fails to apply use the latter.
1280 * systemd-repart: add per-partition option to never reuse existing partition
1281 and always create anew even if matching partition already exists.
1283 * systemd-repart: add per-partition option to fail if partition already exist,
1284 i.e. is not added new. Similar, add option to fail if partition does not exist yet.
1286 * systemd-repart: allow disabling growing of specific partitions, or making
1287 them (think ESP: we don't ever want to grow it, since we cannot resize vfat)
1289 * systemd-repart: make it a static checker during early boot for existence and
1290 absence of other partitions for trusted boot environments
1293 - document that deps in [Unit] sections ignore Alias= fields in
1294 [Install] units of other units, unless those units are disabled
1295 - man: clarify that time-sync.target is not only sysv compat but also useful otherwise. Same for similar targets
1296 - document that service reload may be implemented as service reexec
1297 - add a man page containing packaging guidelines and recommending usage of things like Documentation=, PrivateTmp=, PrivateNetwork= and ReadOnlyDirectories=/etc /usr.
1298 - document systemd-journal-flush.service properly
1299 - documentation: recommend to connect the timer units of a service to the service via Also= in [Install]
1300 - man: document the very specific env the shutdown drop-in tools live in
1301 - man: add more examples to man pages,
1302 - in particular an example how to do the equivalent of switching runlevels
1303 - man: maybe sort directives in man pages, and take sections from --help and apply them to man too
1304 - document root=gpt-auto properly
1307 - add systemctl switch to dump transaction without executing it
1308 - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done
1309 - "systemctl disable" on a static unit prints no message and does
1310 nothing. "systemctl enable" does nothing, and gives a bad message
1311 about it. Should fix both to print nice actionable messages.
1312 - print nice message from systemctl --failed if there are no entries shown, and hook that into ExecStartPre of rescue.service/emergency.service
1313 - add new command to systemctl: "systemctl system-reexec" which reexecs as many daemons as virtually possible
1314 - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards?
1315 - systemctl: "Journal has been rotated since unit was started." message is misleading
1316 - systemctl status output should include list of triggering units and their status
1318 * introduce an option (or replacement) for "systemctl show" that outputs all
1319 properties as JSON, similar to busctl's new JSON output. In contrast to that
1320 it should skip the variant type string though.
1322 * add an explicit "vertical" mode to format-table, so that "systemctl
1323 status"-like outputs (i.e. with a series of field names left and values
1324 right) become genuine first class citizens, and we gain automatic, sane JSON
1327 * Add a "systemctl list-units --by-slice" mode or so, which rearranges the
1328 output of "systemctl list-units" slightly by showing the tree structure of
1329 the slices, and the units attached to them.
1331 * add "systemctl wait" or so, which does what "systemd-run --wait" does, but
1332 for all units. It should be both a way to pin units into memory as well as a
1333 wait to retrieve their exit data.
1335 * show whether a service has out-of-date configuration in "systemctl status" by
1336 using mtime data of ConfigurationDirectory=.
1338 * "systemctl preset-all" should probably order the unit files it
1339 operates on lexicographically before starting to work, in order to
1340 ensure deterministic behaviour if two unit files conflict (like DMs
1343 * add "systemctl start -v foobar.service" that shows logs of a service
1344 while the start command runs. This is non-trivial to do without
1345 races though, since we should flush out all journal messages before
1346 returning from the "systemctl stop".
1348 * systemctl: if some operation fails, show log output?
1350 * Add a new verb "systemctl top"
1353 - "systemctl mask" should find all names by which a unit is accessible
1354 (i.e. by scanning for symlinks to it) and link them all to /dev/null
1357 - emulate /dev/kmsg using CUSE and turn off the syslog syscall
1358 with seccomp. That should provide us with a useful log buffer that
1359 systemd can log to during early boot, and disconnect container logs
1360 from the kernel's logs.
1361 - as soon as networkd has a bus interface, hook up --network-interface=,
1362 --network-bridge= with networkd, to trigger netdev creation should an
1363 interface be missing
1364 - a nice way to boot up without machine id set, so that it is set at boot
1365 automatically for supporting --ephemeral. Maybe hash the host machine id
1366 together with the machine name to generate the machine id for the container
1367 - fix logic always print a final newline on output.
1368 https://github.com/systemd/systemd/pull/272#issuecomment-113153176
1369 - should optionally support receiving WATCHDOG=1 messages from its payload
1371 - optionally automatically add FORWARD rules to iptables whenever nspawn is
1372 running, remove them when shut down.
1374 * nspawn: make --bind= work sanely with --private-users when uid mapping mounts
1377 * nspawn: add support for sysext extensions, too. i.e. a new --extension=
1378 switch that takes one or more arguments, and applies the extensions already
1381 * when main nspawn supervisor process gets suspended due to SIGSTOP/SIGTTOU or
1382 so, freeze the payload too.
1384 * machined: add API to acquire UID range. add API to mount/dissect loopback
1385 file. Both protected by PK. Then make nspawn use these APIs to run
1386 unprivileged containers. i.e. push the truly privileged bits into machined,
1387 so that the client side can remain entirely unprivileged, with SUID or
1390 * nspawn: support time namespaces
1392 * nspawn: on cgroupsv1 issue cgroup empty handler process based on host events,
1393 so that we make cgroup agent logic safe
1395 * nspawn/machined: add API to invoke binary in container, then use that as
1396 fallback in "machinectl shell"
1398 * nspawn: make nspawn suitable for shell pipelines: instead of triggering a
1399 hangup when input is finished, send ^D, which synthesizes an EOF. Then wait
1400 for hangup or ^D before passing on the EOF.
1402 * nspawn: greater control over selinux label?
1404 * nspawn: support that /proc, /sys/, /dev are pre-mounted
1407 - add an API so that libvirt-lxc can inform us about network interfaces being
1408 removed or added to an existing machine
1409 - "machinectl migrate" or similar to copy a container from or to a
1410 difference host, via ssh
1411 - introduce systemd-nspawn-ephemeral@.service, and hook it into
1412 "machinectl start" with a new --ephemeral switch
1413 - "machinectl status" should also show internal logs of the container in
1415 - "machinectl history"
1417 - "machinectl commit" that takes a writable snapshot of a tree, invokes a
1418 shell in it, and marks it read-only after use
1423 - add trigger --subsystem-match=usb/usb_device device
1424 - reimport udev db after MOVE events for devices without dev_t
1427 - save coredump in Windows/Mozilla minidump format
1428 - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps
1430 * support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting)
1433 - apply "x" on "D" too (see patch from William Douglas)
1434 - instead of ignoring unknown fields, reject them.
1435 - creating new directories/subvolumes/fifos/device nodes
1436 should not follow symlinks. None of the other adjustment or creation
1437 calls follow symlinks.
1439 - teach tmpfiles.d q/Q logic something sensible in the context of XFS/ext4
1443 - Make sure ID_PATH is always exported and complete for
1444 network devices where possible, so we can safely rely
1448 - add support for more attribute types
1449 - inbuilt piping support (essentially degenerate async)? see loopback-setup.c and other places
1452 - add more keys to [Route] and [Address] sections
1453 - add support for more DHCPv4 options (and, longer term, other kinds of dynamic config)
1454 - add reduced [Link] support to .network files
1455 - properly handle routerless dhcp leases
1456 - work with non-Ethernet devices
1457 - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from?
1458 - the DHCP lease data (such as NTP/DNS) is still made available when
1459 a carrier is lost on a link. It should be removed instantly.
1460 - expose in the API the following bits:
1461 - option 15, domain name
1462 - option 12, hostname and/or option 81, fqdn
1463 - option 123, 144, geolocation
1464 - option 252, configure http proxy (PAC/wpad)
1465 - provide a way to define a per-network interface default metric value
1466 for all routes to it. possibly a second default for DHCP routes.
1467 - allow Name= to be specified repeatedly in the [Match] section. Maybe also
1468 support Name=foo*|bar*|baz ?
1469 - whenever uplink info changes, make DHCP server send out FORCERENEW
1471 * in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us
1473 * Figure out how to do unittests of networkd's state serialization
1476 - figure out how much we can increase Maximum Message Size
1479 - add functions to set previously stored IPv6 addresses on startup and get
1480 them at shutdown; store them in client->ia_na
1481 - write more test cases
1482 - implement reconfigure support, see 5.3., 15.11. and 22.20.
1483 - implement support for temporary adressess (IA_TA)
1484 - implement dhcpv6 authentication
1485 - investigate the usefulness of Confirm messages; i.e. are there any
1486 situations where the link changes without any loss in carrier detection
1488 - some servers don't do rapid commit without a filled in IA_NA, verify