3 * Many manager configuration settings that are only applicable to user
4 manager or system manager can be always set. It would be better to reject
5 them when parsing config.
7 * Jun 01 09:43:02 krowka systemd[1]: Unit user@1000.service has alias user@.service.
8 Jun 01 09:43:02 krowka systemd[1]: Unit user@6.service has alias user@.service.
9 Jun 01 09:43:02 krowka systemd[1]: Unit user-runtime-dir@6.service has alias user-runtime-dir@.service.
13 * Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
16 - natively watch for dbus-*.service symlinks (PENDING)
17 - teach dbus to activate all services it finds in /etc/systemd/services/org-*.service
19 * kernel: add device_type = "fb", "fbcon" to class "graphics"
21 * /usr/bin/service should actually show the new command line
23 * fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus=
25 * neither pkexec nor sudo initialize environ[] from the PAM environment?
27 * fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it
29 * register catalog database signature as file magic
31 * zsh shell completion:
32 - <command> <verb> -<TAB> should complete options, but currently does not
33 - systemctl add-wants,add-requires
34 - systemctl reboot --boot-loader-entry=
36 * systemctl status should know about 'systemd-analyze calendar ... --iterations='
37 * If timer has just OnInactiveSec=..., it should fire after a specified time
40 * write blog stories about:
41 - hwdb: what belongs into it, lsusb
42 - enabling dbus services
43 - how to make changes to sysctl and sysfs attributes
45 - how to pass throw-away units to systemd, or dynamically change properties of existing units
46 - testing with Harald's awesome test kit
48 - how to develop against journal browsing APIs
49 - the journal HTTP iface
50 - non-cgroup resource management
51 - dynamic resource management with cgroups
52 - refreshed, longer missions statement
53 - calendar time events
54 - init=/bin/sh vs. "emergency" mode, vs. "rescue" mode, vs. "multi-user" mode, vs. "graphical" mode, and the debug shell
55 - how to create your own target
56 - instantiated apache, dovecot and so on
57 - hooking a script into various stages of shutdown/rearly booot
61 * look for close() vs. close_nointr() vs. close_nointr_nofail()
63 * check for strerror(r) instead of strerror(-r)
67 * set_put(), hashmap_put() return values check. i.e. == 0 does not free()!
69 * use secure_getenv() instead of getenv() where appropriate
71 * link up selected blog stories from man pages and unit files Documentation= fields
75 * rework mount.c and swap.c to follow proper state enumeration/deserialization
76 semantics, like we do for device.c now
78 * get rid of prefix_roota() and similar, only use chase() and related
81 * get rid of basename() and replace by path_extract_filename()
83 * Replace our fstype_is_network() with a call to libmount's mnt_fstype_is_netfs()?
84 Having two lists is not nice, but maybe it's now worth making a dependency on
85 libmount for something so trivial.
87 Deprecations and removals:
89 * Remove any support for booting without /usr pre-mounted in the initrd entirely.
90 Update INITRD_INTERFACE.md accordingly.
92 * 2019-10 – Remove POINTINGSTICK_CONST_ACCEL references from the hwdb, see #9573
94 * remove cgrouspv1 support EOY 2023. As per
95 https://lists.freedesktop.org/archives/systemd-devel/2022-July/048120.html
96 and then rework cgroupsv2 support around fds, i.e. keep one fd per active
97 unit around, and always operate on that, instead of cgroup fs paths.
99 * drop support for kernels that lack ambient capabilities support (i.e. make
100 4.3 new baseline). Then drop support for "!!" modifier for ExecStart= which
101 is only supported for such old kernels.
103 * drop support for kernels lacking memfd_create() (i.e. make 3.17 new
104 baseline), then drop all pipe() based fallbacks.
106 * drop support for getrandom()-less kernels. (GRND_INSECURE means once kernel
107 5.6 becomes our baseline). See
108 https://github.com/systemd/systemd/pull/24101#issuecomment-1193966468 for
109 details. Maybe before that: at taint-flags/warn about kernels that lack
110 getrandom()/environments where it is blocked.
112 * drop support for LOOP_CONFIGURE-less loopback block devices, once kernel
115 * drop fd_is_mount_point() fallback mess once we can rely on
116 STATX_ATTR_MOUNT_ROOT to exist i.e. kernel baseline 5.8
118 * rework our PID tracking in services and so on, to be strictly based on pidfd,
119 once kernel baseline is 5.13.
121 * H2 2023: remove support for unmerged-usr
123 * Remove /dev/mem ACPI FPDT parsing when /sys/firmware/acpi/fpdt is ubiquitous.
124 That requires distros to enable CONFIG_ACPI_FPDT, and have kernels v5.12 for
125 x86 and v6.2 for arm.
127 * Once baseline is 4.13, remove support for INTERFACE_OLD= checks in "udevadm
128 trigger"'s waiting logic, since we can then rely on uuid-tagged uevents
132 * rework journalctl -M to be based on a machined method that generates a mount
133 fd of the relevant journal dirs in the container with uidmapping applied to
134 allow the host to read it, while making everything read-only.
136 * fix our various hwdb lookup keys to end with ":" again. The original idea was
137 that hwdb patters can match arbitrary fields with expressions like
138 "*:foobar:*", to wildcard match both the start and the end of the string.
139 This only works safely for later extensions of the string if the strings
140 always end in a colon. This requires updating our udev rules, as well as
141 checking if the various hwdb files are fine with that.
143 * mount /tmp/ and /var/tmp with a uidmap applied that blocks out "nobody" user
144 among other things such as dynamic uid ranges for containers and so on. That
145 way noone can create files there with these uids and we enforce they are only
146 used transiently, never persistently.
148 * rework loopback support in fstab: when "loop" option is used, then
149 instantiate a new systemd-loop@.service for the source path, set the
150 lo_file_name field for it to something recognizable derived from the fstab
151 line, and then generate a mount unit for it using a udev generated symlink
152 based on lo_file_name.
154 * remove tomoyo support, it's obsolete and unmaintained apparently
156 * journald: add varlink service that allows subscribing to certain log events,
157 for example matching by message ID, or log level returns a list of journal
158 cursors as they happen.
160 * In .socket units, add ConnectStream=, ConnectDatagram=,
161 ConnectSequentialPacket= that create a socket, and then *connect to* rather than
162 listen on some socket. Then, add a new setting WriteData= that takes some
163 base64 data that systemd will write into the socket early on. This can then
164 be used to create connections to arbitrary services and issue requests into
165 them, as long as the data is static. This can then be combined with the
166 aforementioned journald subscription varlink service, to enable
167 activation-by-message id and similar.
169 * landlock: lock down RuntimeDirectory= via landlock, so that services lose
170 ability to write anywehere else below /run/. Similar for
171 StateDirectory=. Benefit would be clear delegation via unit files: services
172 get the directories they get, and nothing else even if they wanted to.
174 * landlock: for unprivileged systemd (i.e. systemd --user), use landlock to
175 implement ProtectSystem=, ProtectHome= and so on. Landlock does not require
176 privs, and we can implement pretty similar behaviour. Also, maybe add a mode
177 where ProtectSystem= combined with an explicit PrivateMounts=no could request
178 similar behaviour for system services, too.
180 * Add systemd-mount@.service which is instantiated for a block device and
181 invokes systemd-mount and exits. This is then useful to use in
182 ENV{SYSTEMD_WANTS} in udev rules, and a bit prettier than using RUN+=
184 * udevd: extend memory pressure logic: also kill any idle worker processes
186 * SIGRTMIN+18 and memory pressure handling should still be added to: hostnamed,
187 localed, oomd, timedated.
189 * journald: also collect CLOCK_BOOTTIME timestamps per log entry. Then, derive
190 "corrected" CLOCK_REALTIME information on display from that and the timestamp
191 info of the newest entry of the specificy boot (as identified by the boot
192 ID). This way, if a system comes up without a valid clock but acquires a
193 better clock later, we can "fix" older entry timestamps on display, by
194 calculating backwards. We cannot use CLOCK_MONOTONIC for this, since it does
195 not account for suspend phases. This would then also enable us to correct the
196 kmsg timestamping we consume (where we erroneously assume the clock was in
197 CLOCK_MONOTONIC, but it actually is CLOCK_BOOTTIME as per kernel).
199 * sd-journal puts a limit on parallel journal files to view at once. journald
200 should probably honour that same limit (JOURNAL_FILES_MAX) when vacuuming to
201 ensure we never generate more files than we can actually view.
203 * in order to make binding to PCR 4 realistic:
204 - generate one keypair "U" and store it in a tpm2 nvindex.
205 - Generate another keypair "P" and store it in a second tpm2 nvindex.
206 - allocate a persistent counter object "C" in the tpm2
207 - Enroll all user objects (i.e. luks volumes, creds, …) to a tpm2 policy
209 - Lock both U and P down with a tpm2 policy signed by P (yes, P can only be
210 used if a signature by P itself can be provided)
211 - For regular reboots generate a signature for a restrictive PCR4 + counter C
212 based policy with key P. Place signature in EFI var, so it can be found on
214 - For reboots where a firmware update is expected generate a signature with a
215 more open policy against just counter C. Place signature in same EFI var.
216 - Increase C whenever switching between these two signature types.
217 - During early boot, use the signature from the EFI var to unlock U and P.
218 Use it to generate a signature for unlocking user objects given the current
219 PCR 4 value, store that away into /run somewhere, for user during the whole
221 - When booting up automatically update the mentioned efi var so that it
222 contains the restrictive signature. But also generate a signature ahead of
223 time that could be used in case during the current boot we later detect we might
224 need to reboot for a firmware update. Store that in /run somewhere, so that
225 it can be placed in the EFI var, if needed.
227 * repart/gpt-auto/DDIs: maybe introduce a concept of "extension" partitions,
228 that have a new type uuid and can "extend" earlier partitions, to work around
229 the fact that systemd-repart can only grow the last partition defined. During
230 activation we'd simply set up a dm-linear mapping to merge them again. A
231 partition that is to be extended would just set a bit in the partition flags
232 field to indicate that there's another extension partition to look for. The
233 identifiying UUID of the extension partition would be hashed in counter mode
234 from the uuid of the original partition it extends. Inspiration for this is
235 the "dynamic partitions" concept of new Android. This would be a minimalistic
236 concept of a volume manager, with the extents it manages being exposes as GPT
237 partitions. I a partition is extended multiple times they should probably
238 grow exponentially in size to ensure O(log(n)) time for finding them on
241 * split out execute.c into new "systemd-executor" binary. Then make PID 1 fork
242 that off via vfork(), and then let that executor do the hard work. Ultimately
243 the executor then gets replaced by the real binary sooner or later. Reason:
244 currently the intermediary "stub" process is a CoW trap that doubles memory
245 usage of PID 1 on each service start. Also, strictly speaking we are not
246 allowed to do NSS from the stub process yet we do anyway. Next steps would
247 then be maybe use CLONE_INTO_CGROUP for the executor, given that we don't
248 need glibc anymore in the stub process then. Then, switch nspawn to just be a
249 frontend for this too, so that we have to ways into the executor: via unit
250 files/dbus/varlin through PID1 and via cmdline/OCI through nspawn.
252 * sd-stub: detect if we are running with uefi console output on serial, and if so
253 automatically add console= to kernel cmdline matching the same port.
255 * add a utility that can be used with the kernel's
256 CONFIG_STATIC_USERMODEHELPER_PATH and then handles them within pid1 so that
257 security, resource management and cgroup settings can be enforced properly
258 for all umh processes.
260 * systemd-shutdown: keep sending sd_notify() status updates immediately before
261 going down, in particular include the "reboot param" string.
263 * homed: when resizing an fs don't sync identity beforehand there might simply
264 not be enough disk space for that. try to be defensive and sync only after
267 * homed: if for some reason the partition ended up being much smaller than
268 whole disk, recover from that, and grow it again.
270 * in journald, write out a recognizable log record whenever the system clock is
271 changed ("stepped"), and in timesyncd whenever we acquire an NTP fix
272 ("slewing"). Then, in journalctl for each boot time we come across, find
273 these records, and use the structured info they include to display
274 "corrected" wallclock time, as calculted from the monotonic timestamp in the
275 log record, adjusted by the delta declared in the structured log record.
277 * in journald: whenever we start a new journal file because the boot ID
278 changed, let's generate a recognizable log record containing info about old
279 and new ID. Then, when displaying log stream in journalctl look for these
280 records, to be able to order them.
282 * timesyncd: when saving/restoring clock try to take boot time into account.
283 Specifically, along with the saved clock, store the current boot ID. When
284 starting, check if the boot id matches. If so, don't do anything (we are on
285 the same boot and clock just kept running anyway). If not, then read
286 CLOCK_BOOTTIME (which started at boot), and add it to the saved clock
287 timestamp, to compensate for the time we spent booting. If EFI timestamps are
288 available, also include that in the calculation. With this we'll then only
289 miss the time spent during shutdown after timesync stopped and before the
290 system actually reset.
292 * systemd-stub: maybe store a "boot counter" in the ESP, and pass it down to
293 userspace to allow ordering boots (for example in journalctl). The counter
294 would be monotonically increased on every boot.
296 * pam_systemd_home: add module parameter to control whether to only accept
297 only password or only pcks11/fido2 auth, and then use this to hook nicely
298 into two of the three PAM stacks gdm provides.
299 See discussion at https://github.com/authselect/authselect/pull/311
301 * sd-boot: make boot loader spec type #1 accept http urls in "linux"
302 lines. Then, do the uefi http dance to download kernels and boot them. This
303 is then useful for network boot, by embdedding a cpio with type #1 snippets
304 in sd-boot, which reference remote kernels.
306 * fix systemd-gpt-auto-generator in case a UKI is spawned from XBOOTLDR without
307 sd-boot. In that case LoaderDevicePartUUID will point to the XBOOTLDR, and we
308 should then derive the root disk from that, and then the ESP/XBOOTLDR from
309 that. Right now we will only mount ESP if it matches LoaderDEvicePartUUID
310 which isn't quite the same.
312 * maybe prohibit setuid() to the nobody user, to lock things down, via seccomp.
313 the nobody is not a user any code should run under, ever, as that user would
314 possibly get a lot of access to resources it really shouldn't be getting
315 access to due to the userns + nfs semantics of the user. Alternatively: use
316 the seccomp log action, and allow it.
318 * sd-boot: add a new PE section .bls or so that carries a cpio with additional
319 boot loader entries (both type1 and type2). Then when initializing, find this
320 section, iterate through it and populate menu with it. cpio is simple enough
321 to make a parser for this reasonably robust. use same path structures as in
322 the ESP. Similar add one for signature key drop-ins.
324 * sd-boot: also allow passing in the cpio as in the previous item via SMBIOS
326 * add a new EFI tool "sd-fetch" or so. It looks in a PE section ".url" for an
327 URL, then downloads the file from it using UEFI HTTP APIs, and executes it.
328 Usecase: provide a minimal ESP with sd-boot and a couple of these sd-fetch
329 binaries in place of UKIs, and download them on-the-fly.
331 * bootctl: warn if ESP is mounted world-readable (and in particular the seed).
333 * maybe: systemd-loop-generator that sets up loopback devices if requested via kernel
334 cmdline. usecase: include encrypted/verity root fs in UKI.
336 * systemd-gpt-auto-generator: add kernel cmdline option to override block
337 device to dissect. also support dissecting a regular file. useccase: include
338 encrypted/verity root fs in UKI.
340 * sd-stub: add ".bootcfg" section for kernel bootconfig data (as per
341 https://docs.kernel.org/admin-guide/bootconfig.html)
343 * tpm2: add (optional) support for generating a local signing key from PCR 15
344 state. use private key part to sign PCR 7+14 policies. stash signatures for
345 expected PCR7+14 policies in EFI var. use public key part in disk encryption.
346 generate new sigs whenever db/dbx/mok/mokx gets updated. that way we can
347 securely bind against SecureBoot/shim state, without having to renroll
348 everything on each update (but we still have to generate one sig on each
349 update, but that should be robust/idempotent). needs rollback protection, as
352 * Lennart: big blog story about DDIs
354 * Lennart: big blog story about building initrds
356 * Lennart: big blog story about "why systemd-boot"
358 * bpf: see if we can use BPF to solve the syslog message cgroup source problem:
359 one idea would be to patch source sockaddr of all AF_UNIX/SOCK_DGRAM to
360 implicitly contain the source cgroup id. Another idea would be to patch
361 sendto()/connect()/sendmsg() sockaddr on-the-fly to use a different target
364 * bpf: see if we can address opportunistic inode sharing of immutable fs images
365 with BPF. i.e. if bpf gives us power to hook into openat() and return a
366 different inode than is requested for which we however it has same contents
367 then we can use that to implement opportunistic inode sharing among DDIs:
368 make all DDIs ship xattr on all reg files with a SHA256 hash. Then, also
369 dictate that DDIs should come with a top-level subdir where all reg files are
370 linked into by their SHA256 sum. Then, whenever an inode is opened with the
371 xattr set, check bpf table to find dirs with hashes for other prior DDIs and
372 try to use inode from there.
374 * extend the verity signature partition to permit multiple signatures for the
375 same root hash, so that people can sign a single image with multiple keys.
377 * consider adding a new partition type, just for /opt/ for usage in system
380 * gpt-auto-discovery: also use the pkcs7 signature stuff, and pass signature to
381 kernel. So far we only did this for the various --image= switches, but not
382 for the root fs or /usr/.
384 * dissection policy should enforce that unlocking can only take place by
385 certain means, i.e. only via pw, only via tpm2, or only via fido, or a
388 * make the systemd-repart "seed" value provisionable via credentials, so that
389 confidential computing environments can set it and deterministically
390 enforce the uuids for partitions created, so that they can calculate PCR 15
393 * systemd-repart: also derive the volume key from the seed value, for the
394 aforementioned purpose.
396 * in the initrd: derive the default machine ID to pass to the host PID 1 via
397 $machine_id from the same seed credential.
399 * Add systemd-sysupdate-initrd.service or so that runs systemd-sysupdate in the
400 initrd to bootstrap the initrd to populate the initial partitions. Some things
402 - Should it run on firstboot or on every boot?
403 - If run on every boot, should it use the sysupdate config from the host on
406 * hook up journald with TPMs? measure new journal records to the TPM in regular
407 intervals, validate the journal against current TPM state with that. (taking
408 inspiration from IMA log)
410 * provide an API to apps to encrypt/decrypt credentials. usecase: allow
411 bluez bluetooth daemon to pass pairings to initrd that way, without shelling
414 * revisit default PCR bindings in cryptenroll and systemd-creds. Currently they
415 use PCR 7 which should contain secureboot state db/dbx. Which sounded like a
416 safe bet, given that it should change only on policy changes, and not
417 software updates. But that's wrong. Recent fwupd (rightfully) contains code
418 for updating the dbx denylist. This means even without any active policy
419 change PCR 7 might change. Hence, better idea might be in systemd-creds to
420 default to PCR 15 at least if sd-stub is used (i.e. bind to system identity),
421 and in cryptsetup simply the empty list? Also, PCR 14 almost certainly should
422 be included as much as PCR 7 (as it contains shim's policy, which is
423 certainly as relevant as PCR 7 on many systems)
425 * To mimic the new tpm2-measure-pcr= crypttab option add the same to veritytab
426 (measuring the root hash) and integritytab (measuring the HMAC key if one is
429 * We should start measuring all services, containers, and system extensions we
430 activate. probably into PCR 13. i.e. add --tpm2-measure-pcr= or so to
431 systemd-nspawn, and MeasurePCR= to unit files. Should contain a measurement
432 of the activated configuration and the image that is being activated (in case
433 verity is used, hash of the root hash).
435 * whenever we measure something into a TPM PCR from userspace, write a record in
436 TCG's "Canonical Event Log" format to some file, so that we can reason about
437 how PCR values we manage came to
438 be. https://trustedcomputinggroup.org/resource/canonical-event-log-format/
440 * bootspec: permit graceful "update" from type #2 to type #1. If both a type #1
441 and a type #2 entry exist under otherwise the exact same name, then use the
442 type #1 entry, and ignore the type #2 entry. This way, people can "upgrade"
443 from the UKI with all parameters baked in to a Type #1 .conf file with manual
444 parametrization, if needed. This matches our usual rule that admin config
445 should win over vendor defaults.
447 * sd-stub: optionally allow users to configure manual kernel command line even
448 in SecureBoot by authenticating it via shim's APIs, integrating with MOK and
449 similar: instead of authenticating just PE code shim should be capable of
450 authenticating any kind of data for us, including files containing kernel
453 * write a "search path" spec, that documents the prefixes to search in
454 (i.e. the usual /etc/, /run/, /usr/lib/ dance, potentially /usr/etc/), how to
455 sort found entries, how masking works and overriding.
457 * automatic boot assessment: add one more default success check that just waits
458 for a bit after boot, and blesses the boot if the system stayed up that long.
460 * implement concept of "versioned" resources inside a dir, and write a spec for
461 it. Make all tools in systemd, in particular
462 RootImage=/RootDirectory=/--image=/--directory= implement this. Idea:
463 directories ending in ".v/" indicate a directory with versioned resources in
464 them. Versioned resources inside a .v dir are always named in the pattern
465 <prefix>_<version>[+<tries-left>[-<tries-done>]].<suffix>
467 * add support for using this .v/ logic on the root fs itself: in the initrd,
468 after mounting the rootfs, look for root-<arch>.v/ in the root fs, and then
469 apply the logic, moving the switch root logic there.
471 * systemd-repart: add support for generating ISO9660 images
473 * systemd-repart: in addition to the existing "factory reset" mode (which
474 simply empties existing partitions marked for that). add a mode where
475 partitions marked for it are entirely removed. Usecase: remove secondary OS
476 copy, and redundant partitions entirely, and recreate them anew.
478 * systemd-boot: maybe add support for collapsing menu entries of the same OS
479 into one item that can be opened (like in a "tree view" UI element) or
480 collapsed. If only a single OS is installed, disable this mode, but if
481 multiple OSes are installed might make sense to default to it, so that user
482 is not immediately bombarded with a multitude of Linux kernel versions but
483 only one for each OS.
485 * systemd-repart: if the GPT *disk* UUID (i.e. the one global for the entire
486 disk) is set to all FFFFF then use this as trigger for factory reset, in
487 addition to the existing mechanisms via EFI variables and kernel command
488 line. Benefit: works also on non-EFI systems, and can be requested on one
491 * figure out a sane way when building UKIs how to extract SBAT data from inner
492 kernel, extend it with component info, and add to outer kernel.
494 * systemd-sysupdate: make transport pluggable, so people can plug casync or
495 similar behind it, instead of http.
497 * systemd-tmpfiles: add concept for conditionalizing lines on factory reset
498 boot, or on first boot.
500 * in UKIs: add way to define allowlist of additional words that can be added to
501 the kernel cmdline even in SecureBoot mode
503 * we probably needs .pcrpkeyrd or so as additional PE section in UKIs,
504 which contains a separate public key for PCR values that only apply in the
505 initrd, i.e. in the boot phase "enter-initrd". Then, consumers in userspace
506 can easily bind resources to just the initrd. Similar, maybe one more for
507 "enter-initrd:leave-initrd" for resources that shall be accessible only
508 before unprivileged user code is allowed. (we only need this for .pcrpkey,
509 not for .pcrsig, since the latter is a list of signatures anyway). With that,
510 when you enroll a LUKS volume or similar, pick either the .pcrkey (for
511 coverage through all phases of the boot, but excluding shutdown), the
512 .pcrpkeyrd (for coverage in the initrd only) and .pcrpkeybt (for coverage
513 until users are allowed to log in).
515 * Once the root fs LUKS volume key is measured into PCR 15, default to binding
516 credentials to PCR 15 in "systemd-creds"
518 * add support for asymmetric LUKS2 TPM based encryption. i.e. allow preparing
519 an encrypted image on some host given a public key belonging to a specific
520 other host, so that only hosts possessing the private key in the TPM2 chip
521 can decrypt the volume key and activate the volume. Usecase: systemd-syscfg
522 for a central orchestrator to generate syscfg images securely that can only
523 be activated on one specific host (which can be used for installing a bunch
524 of creds in /etc/credstore/ for example). Extending on this: allow binding
525 LUKS2 TPM based encryption also to the TPM2 internal clock. Net result:
526 prepare a syscfg image that can only be activated on a specific host that
527 runs a specific software in a specific time window. syscfg would be
528 automatically invalidated outside of it.
530 * maybe add a "systemd-report" tool, that generates a TPM2-backed "report" of
531 current system state, i.e. a combination of PCR information, local system
532 time and TPM clock, running services, recent high-priority log
533 messages/coredumps, system load/PSI, signed by the local TPM chip, to form an
534 enhanced remote attestation quote. Usecase: a simple orchestrator could use
535 this: have the report tool upload these reports every 3min somewhere. Then
536 have the orchestrator collect these reports centrally over a 3min time
537 window, and use them to determine what which node should now start/stop what,
538 and generate a small syscfg for each node, that uses Uphold= to pin services
539 on each node. The syscfg would be encrypted using the asymmetric encryption
540 proposed above, so that it can only be activated on the specific host, if the
541 software is in a good state, and within a specific time frame. Then run a
542 loop on each node that sends report to orchestrator and then sysupdate to
543 update syscfg. Orchestrator would be stateless, i.e. operate on desired
544 config and collected reports in the last 3min time window only, and thus can
545 be trivially scaled up since all instances of the orchestrator should come to
546 the same conclusions given the same inputs of reports/desired workload info.
547 Could also be used to deliver Wireguard secrets and thus to clients, thus
548 permitting zero-trust networking: secrets are rolled over via syscfg updates,
549 and via the time window TPM logic invalidated if node doesn't keep itself
550 updated, or becomes corrupted in some way.
552 * in the initrd, once the rootfs encryption key has been measured to PCR 15,
553 derive default machine ID to use from it, and pass it to host PID 1.
555 * tree-wide: convert as much as possible over to use sd_event_set_signal_exit(), instead
556 of manually hooking into SIGINT/SIGTERM
558 * tree-wide: convert as much as possible over to SD_EVENT_SIGNAL_PROCMASK
559 instead of manual blocking.
561 * sd-boot: for each installed OS, grey out older entries (i.e. all but the
562 newest), to indicate they are obsolete
564 * automatically propagate LUKS password credential into cryptsetup from host
565 (i.e. SMBIOS type #11, …), so that one can unlock LUKS via VM hypervisor
568 * add ability to path_is_valid() to classify paths that refer to a dir from
569 those which may refer to anything, and use that in various places to filter
570 early. i.e. stuff ending in "/", "/." and "/.." definitely refers to a
571 directory, and paths ending that way can be refused early in many contexts.
573 * systemd-measure: allow operating with PEM certificates in addition to PEM
574 public keys when signing PCR values. SecureBoot and our Verity signatures
575 operate with certificates already, hence I guess we should also just deal for
576 convencience with certificates for the PCR stuff too.
578 * systemd-measure: add --pcrpkey-auto as an alternative to --pcrpkey=, where it
579 would just use the same public key specified with --public-key= (or the one
580 automatically derived from --private-key=).
582 * push people to use ".sysext.raw" as suffix for sysext DDIs (DDI =
583 discoverable disk images, i.e. the new name for gpt disk images following the
584 discoverable disk spec). [Also: just ".sysext/" for directory-based sysext]
586 * Add "purpose" flag to partition flags in discoverable partition spec that
587 indicate if partition is intended for sysext, for portable service, for
588 booting and so on. Then, when dissecting DDI allow specifying a purpose to
589 use as additional search condition. Usecase: images that combined a sysext
590 partition with a portable service partition in one.
592 * On boot, auto-generate an asymmetric key pair from the TPM,
593 and use it for validating DDIs and credentials. Maybe upload it to the kernel
594 keyring, so that the kernel does this validation for us for verity and kernel
597 * for systemd-syscfg: add a tool that can generate suitable DDIs with verity +
598 sig using squashfs-tools-ng's library. Maybe just systemd-repart called under
599 a new name with a built-in config?
601 * lock down acceptable encrypted credentials at boot, via simple allowlist,
602 maybe on kernel command line:
603 systemd.import_encrypted_creds=foobar.waldo,tmpfiles.extra to protect locked
604 down kernels from credentials generated on the host with a weak kernel
606 * Add support for extra verity configuration options to systemd-repart (FEC,
609 * chase(): take inspiration from path_extract_filename() and return
610 O_DIRECTORY if input path contains trailing slash.
612 * chase(): refuse resolution if trailing slash is specified on input,
613 but final node is not a directory
615 * document in boot loader spec that symlinks in XBOOTLDR/ESP are not OK even if
618 * measure credentials picked up from SMBIOS to some suitable PCR
620 * measure GPT and LUKS headers somewhere when we use them (i.e. in
621 systemd-gpt-auto-generator/systemd-repart and in systemd-cryptsetup?)
623 * pick up creds from EFI vars
625 * Add and pickup tpm2 metadata for creds structure.
627 * sd-boot: we probably should include all BootXY EFI variable defined boot
628 entries in our menu, and then suppress ourselves. Benefit: instant
629 compatibility with all other OSes which register things there, in particular
630 on other disks. Always boot into them via NextBoot EFI variable, to not
633 * systemd-measure tool:
634 - pre-calculate PCR 12 (command line) + PCR 13 (sysext) the same way we can precalculate PCR 11
636 * in sd-boot: load EFI drivers from a new PE section. That way, one can have a
637 "supercharged" sd-boot binary, that could carry ext4 drivers built-in.
639 * sd-bus: document that sd_bus_process() only returns messages that non of the
640 filters/handlers installed on the connection took possession of.
642 * sd-device: add an API for acquiring list of child devices, given a device
643 objects (i.e. all child dirents that dirs or symlinks to dirs)
645 * sd-device: maybe pin the sysfs dir with an fd, during the entire runtime of
646 an sd_device, then always work based on that.
648 * add small wrapper around qemu that implements sd_notify/AF_VSOCK + machined and
649 maybe some other stuff and boots it
651 * maybe add new flags to gpt partition tables for rootfs and usrfs indicating
652 purpose, i.e. whether something is supposed to be bootable in a VM, on
653 baremetal, on an nspawn-style container, if it is a portable service image,
654 or a sysext for initrd, for host os, or for portable container. Then hook
655 portabled/… up to udev to watch block devices coming up with the flags set, and
658 * sd-boot should look for information what to boot in SMBIOS, too, so that VM
659 managers can tell sd-boot what to boot into and suchlike
661 * add "systemd-sysext identify" verb, that you can point on any file in /usr/
662 and that determines from which overlayfs layer it originates, which image, and with
665 * journald: generate recognizable log events whenever we shutdown journald
666 cleanly, and when we migrate run → var. This way tools can verify that a
667 previous boot terminated cleanly, because either of these two messages must
668 be safely written to disk, then.
670 * systemd-creds: extend encryption logic to support asymmetric
671 encryption/authentication. Idea: add new verb "systemd-creds public-key"
672 which generates a priv/pub key pair on the TPM2 and stores the priv key
673 locally in /var. It then outputs a certificate for the pub part to stdout.
674 This can then be copied/taken elsewhere, and can be used for encrypting creds
675 that only the host on its specific hw can decrypt. Then, support a drop-in
676 dir with certificates that can be used to authenticate credentials. Flow of
677 operations is then this: build image with owner certificate, then after
678 boot up issue "systemd-creds public-key" to acquire pubkey of the machine.
679 Then, when passing data to the machine, sign with privkey belonging to one of
680 the dropped in certs and encrypted with machine pubkey, and pass to machine.
681 Machine is then able to authenticate you, and confidentiality is guaranteed.
683 * building on top of the above, the pub/priv key pair generated on the TPM2
684 should probably also one you can use to get a remote attestation quote.
686 * Process credentials in:
687 • networkd/udevd: add a way to define additional .link, .network, .netdev files
688 via the credentials logic.
689 • fstab-generator: allow defining additional fstab-like mounts via
690 credentials (similar: crypttab-generator, verity-generator,
692 • getty-generator: allow defining additional getty instances via a credential
693 • run-generator: allow defining additional commands to run via a credential
694 • resolved: allow defining additional /etc/hosts entries via a credential (it
695 might make sense to then synthesize a new combined /etc/hosts file in /run
696 and bind mount it on /etc/hosts for other clients that want to read it.
697 • repart: allow defining additional partitions via credential
698 • timesyncd: pick NTP server info from credential
699 • portabled: read a credential "portable.extra" or so, that takes a list of
700 file system paths to enable on start.
701 • make systemd-fstab-generator look for a system credential encoding root= or
703 • systemd-homed: when initializing, look for a credential
704 systemd.homed.register or so with JSON user records to automatically
705 register if not registered yet. Usecase: deploy a system, and add an
706 account one can directly log into.
707 • initialize machine ID from systemd credential picked up from the ESP via
708 sd-stub, so that machine ID is stable even on systems where unified kernels
709 are used, and hence kernel cmdline cannot be modified locally
710 • in gpt-auto-generator: check partition uuids against such uuids supplied via
711 sd-stub credentials. That way, we can support parallel OS installations with
714 * define a JSON format for units, separating out unit definitions from unit
715 runtime state. Then, expose it:
717 1. Add Describe() method to Unit D-Bus object that returns a JSON object
719 2. Expose this natively via Varlink, in similar style
720 3. Use it when invoking binaries (i.e. make PID 1 fork off systemd-executor
721 binary which reads the JSON definition and runs it), to address the cow
722 trap issue and the fact that NSS is actually forbidden in
723 forked-but-not-exec'ed children
724 4. Add varlink API to run transient units based on provided JSON definitions
726 * Add SUPPORT_END_URL= field to os-release with more *actionable* information
727 what to do if support ended
729 * pam_systemd: on interactive logins, maybe show SUPPORT_END information at
730 login time, à la motd
732 * sd-boot: instead of unconditionally deriving the ESP to search boot loader
733 spec entries in from the paths of sd-boot binary, let's optionally allow it
734 to be configured on sd-boot cmdline + efi var. Usecase: embed sd-boot in the
735 UEFI firmware (for example, ovmf supports that via qemu cmdline option), and
736 use it to load stuff from the ESP.
738 * mount /var/ from initrd, so that we can apply sysext and stuff before the
739 initrd transition. Specifically:
740 1. There should be a var= kernel cmdline option, matching root= and usr=
741 2. systemd-gpt-auto-generator should auto-mount /var if it finds it on disk
742 3. mount.x-initrd mount option in fstab should be implied for /var
744 * implement varlink introspection
746 * make persistent restarts easier by adding a new setting OpenPersistentFile=
747 or so, which allows opening one or more files that is "persistent" across
748 service restarts, hot reboot, cold reboots (depending on configuration): the
749 files are created empty on first invocation, and on subsequent invocations
750 the files are reboot. The files would be backed by tmpfs, pmem or /var
751 depending on desired level of persistency.
753 * sd-event: add ability to "chain" event sources. Specifically, add a call
754 sd_event_source_chain(x, y), which will automatically enable event source y
755 in oneshot mode once x is triggered. Use case: in src/core/mount.c implement
756 the /proc/self/mountinfo rescan on SIGCHLD with this: whenever a SIGCHLD is
757 seen, trigger the rescan defer event source automatically, and allow it to be
758 dispatched *before* the SIGCHLD is handled (based on priorities). Benefit:
759 dispatch order is strictly controlled by priorities again. (next step: chain
760 event sources to the ratelimit being over)
762 * if we fork of a service with StandardOutput=journal, and it forks off a
763 subprocess that quickly dies, we might not be able to identify the cgroup it
764 comes from, but we can still derive that from the stdin socket its output
765 came from. We apparently don't do that right now.
767 * add ability to set hostname with suffix derived from machine id at boot
769 * add PR_SET_DUMPABLE service setting
771 * homed/userdb: maybe define a "companion" dir for home directories where apps
772 can safely put privileged stuff in. Would not be writable by the user, but
773 still conceptually belong to the user. Would be included in user's quota if
774 possible, even if files are not owned by UID of user. Usecase: container
775 images that owned by arbitrary UIDs, and are owned/managed by the users, but
776 are not directly belonging to the user's UID. Goal: we shouldn't place more
777 privileged dirs inside of unprivileged dirs, and thus containers really
778 should not be placed inside of traditional UNIX home dirs (which are owned by
779 users themselves) but somewhere else, that is separate, but still close
780 by. Inform user code about path to this companion dir via env var, so that
781 container managers find it. the ~/.identity file is also a candidate for a
782 file to move there, since it is managed by privileged code (i.e. homed) and
783 not unprivileged code.
785 * given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that
786 that hooks up userdbctl ssh-key stuff.
788 * maybe add support for binding and connecting AF_UNIX sockets in the file
789 system outside of the 108ch limit. When connecting, open O_PATH fd to socket
790 inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink
791 to target dir in /tmp, and bind through it.
793 * add a proper concept of a "developer" mode, i.e. where cryptographic
794 protections of the root OS are weakened after interactive confirmation, to
795 allow hackers to allow their own stuff. idea: allow entering developer mode
796 only via explicit choice in boot menu: i.e. add explicit boot menu item for
797 it. When developer mode is entered, generate a key pair in the TPM2, and add
798 the public part of it automatically to keychain of valid code signature keys
799 on subsequent boots. Then provide a tool to sign code with the key in the
800 TPM2. Ensure that boot menu item is the only way to enter developer mode, by
801 binding it to locality/PCRs so that keys cannot be generated otherwise.
803 * services: add support for cryptographically unlocking per-service directories
804 via TPM2. Specifically, for StateDirectory= (and related dirs) use fscrypt to
805 set up the directory so that it can only be accessed if host and app are in
808 * TPM2: extend unlock policy to protect against version downgrades in signed
809 policies: policy probably must take some nvram based generation counter into
810 account that can only monotonically increase and can be used to invalidate
811 old PCR signatures. Otherwise people could downgrade to old signed PCR sets
814 * update HACKING.md to suggest developing systemd with the ideas from:
815 https://0pointer.net/blog/testing-my-system-code-in-usr-without-modifying-usr.html
816 https://0pointer.net/blog/running-an-container-off-the-host-usr.html
818 * add a clear concept how the initrd can make up credentials on their own to
819 pass to the system when transitioning into the host OS. usecase: things like
820 cloud-init/ignitation and similar can parameterize the host with data they
823 * sd-event: compat wd reuse in inotify code: keep a set of removed watch
824 descriptors, and clear this set piecemeal when we see the IN_IGNORED event
825 for it, or when read() returns EAGAIN or on IN_Q_OVERFLOW. Then, whenever we
826 see an inotify wd event check against this set, and if it is contained ignore
827 the event. (to be fully correct this would have to count the occurrences, in
828 case the same wd is reused multiple times before we start processing
831 * systemd-fstab-generator: support addition mount specifications via kernel
832 cmdline. Usecase: invoke a VM, and mount a host homedir into it via
835 * for vendor-built signed initrds:
836 - kernel-install should be able to install pre-built unified kernel images in
837 type #2 drop-in dir in the ESP.
838 - kernel-install should be able install encrypted creds automatically for
839 machine id, root pw, rootfs uuid, resume partition uuid, and place next to
840 EFI kernel, for sd-stub to pick them up. These creds should be locked to
841 the TPM, and bind to the right PCR the kernel is measured to.
842 - kernel-install should be able to pick up initrd sysexts automatically and
843 place them next to EFI kernel, for sd-stub to pick them up.
844 - systemd-fstab-generator should look for rootfs device to mount in creds
845 - pid 1 should look for machine ID in creds
846 - systemd-resume-generator should look for resume partition uuid in creds
847 - sd-stub: automatically pick up microcode from ESP (/loader/microcode/*)
848 and synthesize initrd from it, and measure it. Signing is not necessary, as
849 microcode does that on its own. Pass as first initrd to kernel.
851 * Maybe extend the service protocol to support handling of some specific SIGRT
852 signal for setting service log level, that carries the level via the
853 sigqueue() data parameter. Enable this via unit file setting.
855 * sd_notify/vsock: maybe support binding to AF_VSOCK in Type=notify services,
856 then passing $NOTIFY_SOCKET and $NOTIFY_GUESTCID with PID1's cid (typically
857 fixed to "2", i.e. the official host cid) and the expected guest cid, for the
858 two sides of the channel. The latter env var could then be used in an
859 appropriate qemu cmdline. That way qemu payloads could talk sd_notify()
860 directly to host service manager.
862 * maybe write a tool that binds an AF_VFSOCK socket, then invokes qemu,
863 extending the command line to enable vsock on the VM, and using SMBIOS
864 credentials to configure socket address.
866 * sd-boot: add menu item for shutdown? or hotkey?
868 * sd-device has an API to create an sd_device object from a device id, but has
869 no api to query the device id
871 * sd-device should return the devnum type (i.e. 'b' or 'c') via some API for an
872 sd_device object, so that data passed into sd_device_new_from_devnum() can
875 * sd-event: optionally, if per-event source rate limit is hit, downgrade
876 priority, but leave enabled, and once ratelimit window is over, upgrade
877 priority again. That way we can combat event source starvation without
878 stopping processing events from one source entirely.
880 * sd-event: similar to existing inotify support add fanotify support (given
881 that apparently new features in this area are only going to be added to the
884 * sd-event: add 1st class event source for clock changes
886 * sd-event: add 1st class event source for timezone changes
888 * support uefi/http boots with sd-boot: instead of looking for dropin files in
889 /loader/entries/ dir, look for a file /loader/entries/SHA256SUMS and use that
890 as directory manifest. The file would be a standard directory listing as
891 generated by GNU sha256sums.
893 * sd-boot: maybe add support for embedding the various auxiliary resources we
894 look for right in the sd-boot binary. i.e. take inspiration from sd-stub
895 logic: allow combining sd-boot via ukify with kernels to enumerate, .conf
896 files, drivers, keys to enroll and so on. Then, add whatever we find that way
897 to the menu. Usecase: allow building a single PE image you can boot into via
900 * maybe add a new UEFI stub binary "sd-http". It works similar to sd-stub, but
901 all it does is download a file from a http server, and execute it, after
902 optionally checking its hash sum. idea would be: combine this "sd-http" stub
903 binary with some minimal info about an URL + hash sum, plus .osrel data, and
904 drop it into the unified kernel dir in the ESP. And bam you have something
905 that is tiny, feels a lot like a unified kernel, but all it does is chainload
906 the real kernel. benefit: downloading these stubs would be tiny and quick,
907 hence cheap for enumeration.
909 * sysext: measure all activated sysext into a TPM PCR
911 * maybe add a "syscfg" concept, that is almost entirely identical to "sysext",
912 but operates on /etc/ instead of /usr/ and /opt/. Use case would be: trusted,
913 authenticated, atomic, additive configuration management primitive: drop in a
914 configuration bundle, and activate it, so that it is instantly visible,
917 * systemd-dissect: show available versions inside of a disk image, i.e. if
918 multiple versions are around of the same resource, show which ones. (in other
919 words: show partition labels).
921 * maybe add a generator that reads /proc/cmdline, looks for
922 systemd.pull-raw-portable=, systemd-pull-raw-sysext= and similar switches
923 that take an URL as parameter. It then generates service units for
924 systemd-pull calls that download these URLs if not installed yet. usecase:
925 invoke a VM or nspawn container in a way it automatically deploys/runs these
926 images as OS payloads. i.e. have a generic OS image you can point to any
927 payload you like, which is then downloaded, securely verified and run.
929 * improve scope units to support creation by pidfd instead of by PID
931 * deprecate cgroupsv1 further (print log message at boot)
933 * systemd-dissect: add --cat switch for dumping files such as /etc/os-release
935 * per-service sandboxing option: ProtectIds=. If used, will overmount
936 /etc/machine-id and /proc/sys/kernel/random/boot_id with synthetic files, to
937 make it harder for the service to identify the host. Depending on the user
938 setting it should be fully randomized at invocation time, or a hash of the
939 real thing, keyed by the unit name or so. Of course, there are other ways to
940 get these IDs (e.g. journal) or similar ids (e.g. MAC addresses, DMI ids, CPU
941 ids), so this knob would only be useful in combination with other lockdown
942 options. Particularly useful for portable services, and anything else that
943 uses RootDirectory= or RootImage=. (Might also over-mount
944 /sys/class/dmi/id/*{uuid,serial} with /dev/null).
946 * journalctl/timesyncd: whenever timesyncd acquires a synchronization from NTP,
947 create a structured log entry that contains boot ID, monotonic clock and
948 realtime clock (I mean, this requires no special work, as these three fields
949 are implicit). Then in journalctl when attempting to display the realtime
950 timestamp of a log entry, first search for the closest later log entry
951 of this kinda that has a matching boot id, and convert the monotonic clock
952 timestamp of the entry to the realtime clock using this info. This way we can
953 retroactively correct the wallclock timestamps, in particular for systems
954 without RTC, i.e. where initially wallclock timestamps carry rubbish, until
955 an NTP sync is acquired.
958 - add --all switch for rerunning kernel-install for all installed kernels
960 * doc: prep a document explaining resolved's internal objects, i.e. Query
961 vs. Question vs. Transaction vs. Stream and so on.
963 * doc: prep a document explaining PID 1's internal logic, i.e. transactions,
966 * bootspec: bring UEFI and userspace enumeration of bootspec entries back into
967 sync, i.e. parse out architecture field in sd-boot (currently only done in
970 * automatically ignore threaded cgroups in cg_xyz().
972 * add linker script that implicitly adds symbol for build ID and new coredump
973 json package metadata, and use that when logging
975 * Enable RestrictFileSystems= for all our long-running services (similar:
976 RestrictNetworkInterfaces=)
978 * Add systemd-analyze security checks for RestrictFileSystems= and
979 RestrictNetworkInterfaces=
981 * cryptsetup/homed: implement TOTP authentication backed by TPM2 and its
984 * man: rework os-release(5), and clearly separate our extension-release.d/ and
985 initrd-release parts, i.e. list explicitly which fields are about what.
987 * sysext: before applying a sysext, do a superficial validation run so that
988 things are not rearranged to wildy. I.e. protect against accidental fuckups,
989 such as masking out /usr/lib/ or so. We should probably refuse if existing
990 inodes are replaced by other types of inodes or so.
992 * userdb: when synthesizing NSS records, pick "best" password from defined
993 passwords, not just the first. i.e. if there are multiple defined, prefer
994 unlocked over locked and prefer non-empty over empty.
996 * maybe add a tool inspired by the GPT auto discovery spec that runs in the
997 initrd and rearranges the rootfs hierarchy via bind mounts, if
998 enabled. Specifically in some top-level dir /@auto/ it will look for
999 dirs/symlinks/subvolumes that are named after their purpose, and optionally
1000 encode a version as well as assessment counters, and then mount them into the
1001 file system tree to boot into, similar to how we do that for the gpt auto
1002 logic. Maybe then bind mount the original root into /.superior or something
1003 like that (so that update tools can look there). Further discussion in this
1005 https://lists.freedesktop.org/archives/systemd-devel/2021-November/047059.html
1006 The GPT dissection logic should automatically enable this tool whenever we
1007 detect a specially marked root fs (i.e introduce a new generic root gpt type
1008 for this, that is arch independent). The also implement this in the image
1009 dissection logic, so that nspawn/RootImage= and so on grok it. Maybe make
1010 generic enough so that it can also work for ostrees arrangements.
1012 * if a path ending in ".auto.d/" is set for RootDirectory=/RootImage= then do a
1013 strverscmp() of everything inside that dir and use that. i.e. implement very
1014 simple version control. Also use this in systemd-nspawn --image= and so on.
1016 * homed: while a home dir is not activated generate slightly different NSS
1017 records for it, that reports the home dir as "/" and the shell as some binary
1018 provided by us. Then, when an SSH login happens and SSH permits it our binary
1019 is invoked. This binary can then talk to homed and activate the homedir if
1020 it's not around yet, prompting the user for a password. Once that succeeded
1021 we'll switch to the real user record, i.e. home dir and shell, and our tool
1022 exec()s the latter. Net effect: ssh'ing into a homed account will just work:
1023 we'll neatly prompt for the homedir's password if its needed. –– Building on
1024 this we could take this even further: since this tool will potentially have
1025 access to the client's ssh-agent (if ssh-agent forwarding is enabled) we
1026 could implement SSH unlocking of a homedir with that: when enrolling a new
1027 ssh pubkey in a user record we'd ask the ssh-agent to sign some random value
1028 with the privkey, then use that as luks key to unlock the home dir. Will not
1029 work for ECDSA keys since their signatures contain a random component, but
1030 will work for RSA and Ed25519 keys.
1032 * add tiny service that decrypts encrypted user records passed via initrd
1033 credential logic and drops them into /run where nss-systemd can pick them up,
1034 similar to /run/host/userdb/. Usecase: drop a root user JSON record there,
1035 and use it in the initrd to log in as root with locally selected password,
1036 for debugging purposes. Other usecase: boot into qemu with regular user
1037 mounted from host. maybe put this in systemd-user-sessions.service?
1039 * drop dependency on libcap, replace by direct syscalls based on
1040 CapabilityQuintet we already have. (This likely allows us to drop libcap
1041 dep in the base OS image)
1043 * add concept for "exitrd" as inverse of "initrd", that we can transition to at
1044 shutdown, and has similar security semantics. This should then take the place
1045 of dracut's shutdown logic. Should probably support sysexts too. Care needs
1046 to be taken that the resulting logic ends up in RAM, i.e. is copied out of
1049 * userdbd: implement an additional varlink service socket that provides the
1050 host user db in restricted form, then allow this to be bind mounted into
1051 sandboxed environments that want the host database in minimal form. All
1052 records would be stripped of all meta info, except the basic UID/name
1053 info. Then use this in portabled environments that do not use PrivateUsers=1.
1055 * portabled: when extracting unit files and copying to system.attached, if a
1056 .p7s is available in the image, use it to protect the system.attached copy
1057 with fs-verity, so that it cannot be tampered with
1059 * logind introduce two types of sessions: "heavy" and "light". The former would
1060 be our current sessions. But the latter would be a new type of session that
1061 is mostly the same but does not pull in user@.service or wait for it. Then,
1062 allow configuration which type of session is desired via pam_systemd
1063 parameters, and then make user@.service's session one of these "light" ones.
1064 People could then choose to make FTP sessions and suchlike "light" if they
1065 don't want the service manager to be started for that.
1067 * /etc/veritytab: allow that the roothash column can be specified as fs path
1068 including a path to an AF_UNIX path, similar to how we do things with the
1069 keys of /etc/crypttab. That way people can store/provide the roothash
1070 externally and provide to us on demand only.
1072 * we probably should extend the root verity hash of the root fs into some PCR
1073 on boot. (i.e. maybe add a veritytab option tpm2-measure=12 or so to measure
1074 it into PCR 12); Similar: we probably should extend the LUKS volume key of
1075 the root fs into some PCR on boot. (i.e. maybe add a crypttab option
1076 tpm2-measure=15 or so to measure it into PCR 15); once both are in place
1077 update gpt-auto-discovery to generate these by default for the partitions it
1078 discovers. Static vendor stuff should probably end up in PCR 12 (i.e. the
1079 verity hash), with local keys in PCR 15 (i.e. the encryption volume
1080 key). That way, we nicely distinguish resources supplied by the OS vendor
1081 (i.e. sysext, root verity) from those inherently local (i.e. encryption key),
1082 which is useful if they shall be signed separately.
1084 * in uefi stub: query firmware regarding which PCR banks are being used, store
1085 that in EFI var. then use this when enrolling TPM2 in cryptsetup to verify
1086 that the selected PCRs actually are used by firmware.
1088 * rework recursive read-only remount to use new mount API
1090 * PAM: pick up authentication token from credentials
1092 * when mounting disk images: if IMAGE_ID/IMAGE_VERSION is set in os-release
1093 data in the image, make sure the image filename actually matches this, so
1094 that images cannot be misused.
1096 * New udev block device symlink names:
1097 /dev/disk/by-parttypelabel/<pttype>-<ptlabel>. Use case: if pt label is used
1098 as partition image version string, this is a safe way to reference a specific
1099 version of a specific partition type, in particular where related partitions
1100 are processed (e.g. verity + rootfs both named "LennartOS_0.7").
1103 - add fuzzing to the pattern parser
1104 - support casync as download mechanism
1105 - "systemd-sysupdate update --all" support, that iterates through all components
1106 defined on the host, plus all images installed into /var/lib/machines/,
1107 /var/lib/portable/ and so on.
1108 - figure out what to do about system extensions (i.e. they need to imply an
1109 update component, since otherwise system extenion' sysupdate.d/ files would
1110 override the host's update files.)
1111 - Allow invocation with a single transfer definition, i.e. with
1112 --definitions= pointing to a file rather than a dir.
1113 - add ability to disable implicit decompression of downloaded artifacts,
1114 i.e. a Compress=no option in the transfer definitions
1116 * in sd-id128: also parse UUIDs in RFC4122 URN syntax (i.e. chop off urn:uuid: prefix)
1118 * DynamicUser= + StateDirectory= → use uid mapping mounts, too, in order to
1119 make dirs appear under right UID.
1121 * systemd-sysext: optionally, run it in initrd already, before transitioning
1122 into host, to open up possibility for services shipped like that.
1124 * maybe add a tool that displays most recent journal logs as QR code to scan
1125 off screen and run it automatically on boot failures, emergency logs and
1126 such. Use DRM APIs directly, see
1127 https://github.com/dvdhrm/docs/blob/master/drm-howto/modeset.c for an example
1130 * introduce /dev/disk/root/* symlinks that allow referencing partitions on the
1131 disk the rootfs is on in a reasonably secure way. (or maybe: add
1132 /dev/gpt-auto-{home,srv,boot,…} similar in style to /dev/gpt-auto-root as we
1135 * whenever we receive fds via SCM_RIGHTS make sure none got dropped due to the
1136 reception limit the kernel silently enforces.
1138 * Add service unit setting ConnectStream= which takes IP addresses and connects to them.
1140 * Similar, Load= which takes literal data in text or base64 format, and puts it
1141 into a memfd, and passes that. This enables some fun stuff, such as embedding
1142 bash scripts in unit files, by combining Load= with ExecStart=/bin/bash
1145 * add a ConnectSocket= setting to service unit files, that may reference a
1146 socket unit, and which will connect to the socket defined therein, and pass
1147 the resulting fd to the service program via socket activation proto.
1149 * Add a concept of ListenStream=anonymous to socket units: listen on a socket
1150 that is deleted in the fs. Usecase would be with ConnectSocket= above.
1152 * importd: support image signature verification with PKCS#7 + OpenBSD signify
1153 logic, as alternative to crummy gpg
1155 * add "systemd-analyze debug" + AttachDebugger= in unit files: The former
1156 specifies a command to execute; the latter specifies that an already running
1157 "systemd-analyze debug" instance shall be contacted and execution paused
1158 until it gives an OK. That way, tools like gdb or strace can be safely be
1159 invoked on processes forked off PID 1.
1161 * expose MS_NOSYMFOLLOW in various places
1163 * credentials system:
1164 - acquire from EFI variable?
1165 - acquire via ask-password?
1166 - acquire creds via keyring?
1167 - pass creds via keyring?
1168 - pass creds via memfd?
1169 - acquire + decrypt creds from pkcs11?
1170 - make systemd-cryptsetup acquire pw via creds logic
1171 - make PAMName= acquire pw via creds logic
1172 - make macsec/wireguard code in networkd read key via creds logic
1173 - make gatwayd/remote read key via creds logic
1174 - add sd_notify() command for flushing out creds not needed anymore
1175 - make user manager instances create and use a user-specific key (the one in
1176 /var/lib is root-only) and add --user switch to systemd-creds to use it
1178 * add tpm.target or so which is delayed until TPM2 device showed up in case
1179 firmware indicates there is one.
1181 * TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades
1184 * introduce a new group to own TPM devices
1186 * cryptsetup: add option for automatically removing empty password slot on boot
1188 * cryptsetup: optionally, when run during boot-up and password is never
1189 entered, and we are on battery power (or so), power off machine again
1191 * cryptsetup: when waiting for FIDO2/PKCS#11 token, tell plymouth that, and
1192 allow plymouth to abort the waiting and enter pw instead
1194 * make cryptsetup lower --iter-time
1196 * cryptsetup: allow encoding key directly in /etc/crypttab, maybe with a
1197 "base64:" prefix. Useful in particular for pkcs11 mode.
1199 * cryptsetup: reimplement the mkswap/mke2fs in cryptsetup-generator to use
1200 systemd-makefs.service instead.
1203 - cryptsetup-generator: allow specification of passwords in crypttab itself
1204 - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator
1206 * when configuring loopback netif, and it fails due to EPERM, eat up error if
1207 it happens to be set up alright already.
1209 * at boot: check if battery above some threshold, if not power off again after explanation
1211 * userdb: add field for ambient caps, so that a user can have CAP_WAKE_ALARM
1212 for example. And add code that resets ambient caps for all services by
1215 * sd-bus: when connecting to some dbus server socker, set originating AF_UNIX
1216 socket name in abstract namespace to include "description" string, and pick
1217 it up from there in sd_bus_creds logic. i.e. we can use the socket peer
1218 address as conduit for some minimal connection metainfo, and use it to
1219 restore the "description" logic that kdbus used to have.
1221 * systemd-analyze netif that explains predictable interface (or networkctl)
1223 * Add service setting to run a service within the specified VRF. i.e. do the
1224 equivalent of "ip vrf exec".
1226 * change SwitchRoot() implementation in PID 1 to use pivot_root(".", "."), as
1227 documented in the pivot_root(2) man page, so that we can drop the /oldroot
1230 * special case some calls of chase() to use openat2() internally, so
1231 that the kernel does what we otherwise do.
1233 * add a new flag to chase() that stops chasing once the first missing
1234 component is found and then allows the caller to create the rest.
1236 * make use of new glibc 2.32 APIs sigabbrev_np() and strerrorname_np().
1238 * if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
1240 * pid1: Move to tracking of main pid/control pid of units per pidfd
1242 * pid1: support new clone3() fork-into-cgroup feature
1244 * pid1: also remove PID files of a service when the service starts, not just
1247 * make us use dynamically fewer deps for containers in general purpose distros:
1248 o turn into dlopen() deps:
1249 - kmod-libs (only when called from PID 1)
1250 - libblkid (only in RootImage= handling in PID 1, but not elsewhere)
1251 - libpam (only when called from PID 1)
1252 - bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are,
1253 since they are so basic and our defaults)
1254 o move into separate libsystemd-shared-iptables.so .so
1255 - iptables-libs (only used by nspawn + networkd)
1257 * seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can.
1258 Apparently kernel performance is much better with fewer larger seccomp
1259 filters than with more smaller seccomp filters.
1261 * systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum,
1262 mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such
1264 * seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out
1266 * seccomp: don't install filters for ABIs that are masked anyway for the
1269 * busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
1270 exists and responds.
1272 * socket units: allow creating a udev monitor socket with ListenDevices= or so,
1273 with matches, then activate app through that passing socket over
1276 - kill gnutls support in resolved
1277 - figure out what to do about libmicrohttpd, which has a hard dependency on
1279 - port fsprg over to a dlopen lib, then switch it to openssl
1281 * add growvol and makevol options for /etc/crypttab, similar to
1282 x-systemd.growfs and x-systemd-makefs.
1284 * userdb: allow username prefix searches in varlink API, allow realname and
1285 realname substr searches in varlink API
1287 * userdb: allow uid/gid range checks
1289 * userdb: allow existence checks
1291 * pid1: activation by journal search expression
1293 * when switching root from initrd to host, set the machine_id env var so that
1294 if the host has no machine ID set yet we continue to use the random one the
1297 * sd-event: add native support for P_ALL waitid() watching, then move PID 1 to
1298 it for reaping assigned but unknown children. This needs to some special care
1299 to operate somewhat sensibly in light of priorities: P_ALL will return
1300 arbitrary processes, regardless of the priority we want to watch them with,
1301 hence on each event loop iteration check all processes which we shall watch
1302 with higher prio explicitly, and then watch the entire rest with P_ALL.
1304 * tweak sd-event's child watching: keep a prioq of children to watch and use
1305 waitid() only on the children with the highest priority until one is waitable
1306 and ignore all lower-prio ones from that point on
1308 * maybe introduce xattrs that can be set on the root dir of the root fs
1309 partition that declare the volatility mode to use the image in. Previously I
1310 thought marking this via GPT partition flags but that's not ideal since
1311 that's outside of the LUKS encryption/verity verification, and we probably
1312 shouldn't operate in a volatile mode unless we got told so from a trusted
1315 * coredump: maybe when coredumping read a new xattr from /proc/$PID/exe that
1316 may be used to mark a whole binary as non-coredumpable. Would fix:
1317 https://bugs.freedesktop.org/show_bug.cgi?id=69447
1319 * teach parse_timestamp() timezones like the calendar spec already knows it
1321 * beef up s2h to implement a battery watch loop: instead of entering
1322 hibernation unconditionally after coming back from resume make a decision
1323 based on the battery load level: if battery level is above a specific
1324 threshold, go to suspend again, only hibernate if below it. This means we'd
1325 stick to suspend usually, but fall back to hibernation only when battery runs
1326 empty (well, subject to our sampling interval). Related to this, check if we
1327 can make ACPI _BTP (i.e. /sys/class/power_supply/*/alarm) work for us too,
1328 i.e. see if it can wake up machines from suspend, so that we could resume
1329 automatically when the system is low on power and move automatically to
1330 hibernation mode. (see
1331 https://uefi.org/sites/default/files/resources/ACPI%206_2_A_Sept29.pdf
1332 section 10.2.2.8 and
1333 https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby-wake-sources
1336 * We should probably replace /etc/rc.d/README with a symlink to doc
1337 content. After all it is constant vendor data.
1339 * maybe add kernel cmdline params: to force random seed crediting
1341 * introduce a new per-process uuid, similar to the boot id, the machine id, the
1342 invocation id, that is derived from process creds, specifically a hashed
1343 combination of AT_RANDOM + getpid() + the starttime from
1344 /proc/self/status. Then add these ids implicitly when logging. Deriving this
1345 uuid from these three things has the benefit that it can be derived easily
1346 from /proc/$PID/ in a stable, and unique way that changes on both fork() and
1349 * let's not GC a unit while its ratelimits are still pending
1351 * when killing due to service watchdog timeout maybe detect whether target
1352 process is under ptracing and then log loudly and continue instead.
1354 * make rfkill uaccess controllable by default, i.e. steal rule from
1355 gnome-bluetooth and friends
1357 * make MAINPID= message reception checks even stricter: if service uses User=,
1358 then check sending UID and ignore message if it doesn't match the user or
1361 * maybe trigger a uevent "change" on a device if "systemctl reload xyz.device"
1364 * when importing an fs tree with machined, optionally apply userns-rec-chown
1366 * when importing an fs tree with machined, complain if image is not an OS
1368 * Maybe introduce a helper safe_exec() or so, which is to execve() which
1369 safe_fork() is to fork(). And then make revert the RLIMIT_NOFILE soft limit
1370 to 1K implicitly, unless explicitly opted-out.
1372 * rework seccomp/nnp logic that even if User= is used in combination with
1373 a seccomp option we don't have to set NNP. For that, change uid first whil
1374 keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap.
1376 * when no locale is configured, default to UEFI's PlatformLang variable
1378 * add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and
1379 usefaultd() and make systemd-analyze check for it.
1381 * paranoia: whenever we process passwords, call mlock() on the memory
1382 first. i.e. look for all places we use free_and_erasep() and
1383 augment them with mlock(). Also use MADV_DONTDUMP.
1384 Alternatively (preferably?) use memfd_secret().
1386 * Move RestrictAddressFamily= to the new cgroup create socket
1388 * maybe implicitly attach monotonic+realtime timestamps to outgoing messages in
1389 log.c and sd-journal-send
1391 * optionally: turn on cgroup delegation for per-session scope units
1393 * introduce per-unit (i.e. per-slice, per-service) journal log size limits.
1395 * sd-boot: optionally, show boot menu when previous default boot item has
1396 non-zero "tries done" count
1398 * augment CODE_FILE=, CODE_LINE= with something like CODE_BASE= or so which
1399 contains some identifier for the project, which allows us to include
1400 clickable links to source files generating these log messages. The identifier
1401 could be some abberviated URL prefix or so (taking inspiration from Go
1402 imports). For example, for systemd we could use
1403 CODE_BASE=github.com/systemd/systemd/blob/98b0b1123cc or so which is
1404 sufficient to build a link by prefixing "http://" and suffixing the
1407 * Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can
1408 make clickable links from log messages carrying a MESSAGE_ID, that lead to
1409 some explanatory text online.
1411 * maybe extend .path units to expose fanotify() per-mount change events
1413 * When reloading configuration PID 1 should reset all its properties to the
1414 original defaults before calling parse_config()
1416 * hibernate/s2h: make this robust and safe to enable in Fedora by default.
1419 1. add resume_offset support to the resume code (i.e. support swap files
1421 2. check if swap is on weird storage and refuse if so
1422 3. add auto-detection of hibernation images
1424 * cgroups: use inotify to get notified when somebody else modifies cgroups
1425 owned by us, then log a friendly warning.
1427 * beef up log.c with support for stripping ANSI sequences from strings, so that
1428 it is OK to include them in log strings. This would be particularly useful so
1429 that our log messages could contain clickable links for example for unit
1430 files and suchlike we operate on.
1432 * importd: add ability download images for portabled + sysext
1434 * add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration)
1436 * sync dynamic uids/gids between host+portable srvice (i.e. if DynamicUser=1 is set for a service, make sure that the
1437 selected user is resolvable in the service even if it ships its own /etc/passwd)
1439 * Fix DECIMAL_STR_MAX or DECIMAL_STR_WIDTH. One includes a trailing NUL, the
1440 other doesn't. What a disaster. Probably to exclude it.
1442 * Check that users of inotify's IN_DELETE_SELF flag are using it properly, as
1443 usually IN_ATTRIB is the right way to watch deleted files, as the former only
1444 fires when a file is actually removed from disk, i.e. the link count drops to
1445 zero and is not open anymore, while the latter happens when a file is
1446 unlinked from any dir.
1448 * port systemctl, busctl, … over to format-table.[ch]'s table formatters
1450 * pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up
1452 * add --vacuum-xyz options to coredumpctl, matching those journalctl already has.
1454 * introduce Ephemeral= unit file switch, that creates an ephemeral copy of all
1455 files and directories that are left writable for a unit, and which are
1456 removed after the unit goes down again. A bit like --ephemeral for
1457 systemd-nspawn but for system services. If used together with RootImage= this
1458 should reflink the image file itself.
1460 Related: add Ephemeral=<path1> <path2> … which would allow marking
1461 specific paths only like this.
1463 * add CopyFile= or so as unit file setting that may be used to copy files or
1464 directory trees from the host to the services RootImage= and RootDirectory=
1465 environment. Which we can use for /etc/machine-id and in particular
1466 /etc/resolv.conf. Should be smart and do something useful on read-only
1467 images, for example fall back to read-only bind mounting the file instead.
1469 * show invocation ID in systemd-run output
1471 * bypass SIGTERM state in unit files if KillSignal is SIGKILL
1473 * add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1
1474 and so on, which would mean we could report errors and such.
1476 * introduce DefaultSlice= or so in system.conf that allows changing where we
1477 place our units by default, i.e. change system.slice to something
1478 else. Similar, ManagerSlice= should exist so that PID1's own scope unit could
1479 be moved somewhere else too. Finally machined and logind should get similar
1480 options so that it is possible to move user session scopes and machines to a
1481 different slice too by default. Usecase: people who want to put resources on
1482 the entire system, with the exception of one specific service. See:
1483 https://lists.freedesktop.org/archives/systemd-devel/2018-February/040369.html
1485 * maybe rework get_user_creds() to query the user database if $SHELL is used
1486 for root, but only then.
1488 * be stricter with fds we receive for the fdstore: close them asynchronously
1490 * calenderspec: add support for week numbers and day numbers within a
1491 year. This would allow us to define "bi-weekly" triggers safely.
1493 * sd-bus: add vtable flag, that may be used to request client creds implicitly
1494 and asynchronously before dispatching the operation
1496 * sd-bus: parse addresses given in sd_bus_set_addresses immediately and not
1497 only when used. Add unit tests.
1499 * make use of ethtool veth peer info in machined, for automatically finding out
1500 host-side interface pointing to the container.
1502 * add some special mode to LogsDirectory=/StateDirectory=… that allows
1503 declaring these directories without necessarily pulling in deps for them, or
1504 creating them when starting up. That way, we could declare that
1505 systemd-journald writes to /var/log/journal, which could be useful when we
1506 doing disk usage calculations and so on.
1508 * deprecate RootDirectoryStartOnly= in favour of a new ExecStart= prefix char
1510 * support projid-based quota in machinectl for containers
1512 * add a way to lock down cgroup migration: a boolean, which when set for a unit
1513 makes sure the processes in it can never migrate out of it
1515 * blog about fd store and restartable services
1517 * document Environment=SYSTEMD_LOG_LEVEL=debug drop-in in debugging document
1519 * rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its
1520 magic meaning and is no longer upgraded to something else if set explicitly.
1522 * in the long run: permit a system with /etc/machine-id linked to /dev/null, to
1523 make it lose its identity, i.e. be anonymous. For this we'd have to patch
1524 through the whole tree to make all code deal with the case where no machine
1527 * optionally, collect cgroup resource data, and store it in per-unit RRD files,
1528 suitable for processing with rrdtool. Add bus API to access this data, and
1529 possibly implement a CPULoad property based on it.
1531 * beef up pam_systemd to take unit file settings such as cgroups properties as
1534 * maybe hook up xfs/ext4 quotactl() with services? i.e. automatically manage
1535 the quota of the user indicated in User= via unit file settings, like the
1536 other resource management concepts. Would mix nicely with DynamicUser=1. Or
1537 alternatively, do this with projids, so that we can also cover services
1538 running as root. Quota should probably cover all the special dirs such as
1539 StateDirectory=, LogsDirectory=, CacheDirectory=, as well as RootDirectory= if it
1540 is set, plus the whole disk space any image configured with RootImage=.
1542 * In DynamicUser= mode: before selecting a UID, use disk quota APIs on relevant
1543 disks to see if the UID is already in use.
1545 * expose IO accounting data on the bus, show it in systemd-run --wait and log
1546 about it in the resource log message
1548 * Add AddUser= setting to unit files, similar to DynamicUser=1 which however
1549 creates a static, persistent user rather than a dynamic, transient user. We
1550 can leverage code from sysusers.d for this.
1552 * add some optional flag to ReadWritePaths= and friends, that has the effect
1553 that we create the dir in question when the service is started. Example:
1555 ReadWritePaths=:/var/lib/foobar
1557 * Add ExecMonitor= setting. May be used multiple times. Forks off a process in
1558 the service cgroup, which is supposed to monitor the service, and when it
1559 exits the service is considered failed by its monitor.
1561 * track the per-service PAM process properly (i.e. as an additional control
1562 process), so that it may be queried on the bus and everything.
1564 * add a new "debug" job mode, that is propagated to unit_start() and for
1565 services results in two things: we raise SIGSTOP right before invoking
1566 execve() and turn off watchdog support. Then, use that to implement
1567 "systemd-gdb" for attaching to the start-up of any system service in its
1570 * gpt-auto logic: support encrypted swap, add kernel cmdline option to force
1571 it, and honour a gpt bit about it, plus maybe a configuration file
1573 * add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and
1574 then use that for the setting used in user@.service. It should be understood
1575 relative to the configured default value.
1577 * enable LockMLOCK to take a percentage value relative to physical memory
1579 * Permit masking specific netlink APIs with RestrictAddressFamily=
1581 * define gpt header bits to select volatility mode
1583 * ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
1585 * ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
1587 * ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
1589 * ProtectKeyRing= to take keyring calls away
1591 * RemoveKeyRing= to remove all keyring entries of the specified user
1593 * ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill
1594 on PID 1 with the relevant signals, and makes relevant files in /sys and
1595 /proc (such as the sysrq stuff) unavailable
1597 * Support ReadWritePaths/ReadOnlyPaths/InaccessiblePaths in systemd --user instances
1598 via the new unprivileged Landlock LSM (https://landlock.io)
1600 * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
1602 * in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set,
1603 find a way to map the User=/Group= of the service to the right name. This way
1604 a user/group for a service only has to exist on the host for the right
1607 * add bus API for creating unit files in /etc, reusing the code for transient units
1609 * add bus API to remove unit files from /etc
1611 * add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only)
1613 * rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the
1614 kernel doesn't support linkat() that replaces existing files, currently)
1616 * transient units: don't bother with actually setting unit properties, we
1617 reload the unit file anyway
1619 * optionally, also require WATCHDOG=1 notifications during service start-up and shutdown
1621 * cache sd_event_now() result from before the first iteration...
1623 * PID1: find a way how we can reload unit file configuration for
1624 specific units only, without reloading the whole of systemd
1626 * add an explicit parser for LimitRTPRIO= that verifies
1627 the specified range and generates sane error messages for incorrect
1630 * when we detect that there are waiting jobs but no running jobs, do something
1632 * PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn)
1634 * there's probably something wrong with having user mounts below /sys,
1635 as we have for debugfs. for example, src/core/mount.c handles mounts
1636 prefixed with /sys generally special.
1637 https://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html
1639 * fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline
1641 * docs: bring https://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date
1643 * add a job mode that will fail if a transaction would mean stopping
1644 running units. Use this in timedated to manage the NTP service
1646 https://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html
1648 * The udev blkid built-in should expose a property that reflects
1649 whether media was sensed in USB CF/SD card readers. This should then
1650 be used to control SYSTEMD_READY=1/0 so that USB card readers aren't
1651 picked up by systemd unless they contain a medium. This would mirror
1652 the behaviour we already have for CD drives.
1654 * hostnamectl: show root image uuid
1656 * Find a solution for SMACK capabilities stuff:
1657 https://lists.freedesktop.org/archives/systemd-devel/2014-December/026188.html
1659 * synchronize console access with BSD locks:
1660 https://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html
1662 * as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads:
1663 https://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html
1665 * figure out when we can use the coarse timers
1667 * maybe allow timer units with an empty Units= setting, so that they
1668 can be used for resuming the system but nothing else.
1670 * what to do about udev db binary stability for apps? (raw access is not an option)
1672 * exponential backoff in timesyncd when we cannot reach a server
1674 * timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM
1676 * merge ~/.local/share and ~/.local/lib into one similar /usr/lib and /usr/share....
1678 * add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL
1679 (throughout the codebase, not only PID1)
1681 * drop nss-myhostname in favour of nss-resolve?
1685 - service registration
1686 - service/domain/types browsing
1688 - DNS-SD service registration from socket units
1689 - resolved should optionally register additional per-interface LLMNR
1690 names, so that for the container case we can establish the same name
1691 (maybe "host") for referencing the server, everywhere.
1692 - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?)
1693 - hook up resolved with machined-based address resolution
1695 * refcounting in sd-resolve is borked
1697 * add new gpt type for btrfs volumes
1699 * generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them.
1701 * a way for container managers to turn off getty starting via $container_headless= or so...
1703 * figure out a nice way how we can let the admin know what child/sibling unit causes cgroup membership for a specific unit
1705 * For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services
1706 they run added to the initial transaction and thus confuse Type=idle.
1708 * add bus api to query unit file's X fields.
1710 * gpt-auto-generator:
1711 - Define new partition type for encrypted swap? Support probed LUKS for encrypted swap?
1712 - Make /home automount rather than mount?
1714 * add generator that pulls in systemd-network from containers when
1715 CAP_NET_ADMIN is set, more than the loopback device is defined, even
1716 when it is otherwise off
1718 * MessageQueueMessageSize= (and suchlike) should use parse_iec_size().
1720 * implement Distribute= in socket units to allow running multiple
1721 service instances processing the listening socket, and open this up
1725 - implement per-slice CPUFairScheduling=1 switch
1726 - introduce high-level settings for RT budget, swappiness
1727 - how to reset dynamically changed unit cgroup attributes sanely?
1728 - when reloading configuration, apply new cgroup configuration
1729 - when recursively showing the cgroup hierarchy, optionally also show
1730 the hierarchies of child processes
1731 - add settings for cgroup.max.descendants and cgroup.max.depth,
1732 maybe use them for user@.service
1735 - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt
1737 * when we detect low battery and no AC on boot, show pretty splash and refuse boot
1739 * libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops
1741 * be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1
1743 * rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it
1745 * After coming back from hibernation reset hibernation swap partition using the /dev/snapshot ioctl APIs
1747 * If we try to find a unit via a dangling symlink, generate a clean
1748 error. Currently, we just ignore it and read the unit from the search
1751 * refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up
1753 * man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted.
1755 * load .d/*.conf dropins for device units
1757 * There's currently no way to cancel fsck (used to be possible via C-c or c on the console)
1759 * add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/
1761 * make sure systemd-ask-password-wall does not shutdown systemd-ask-password-console too early
1763 * verify that the AF_UNIX sockets of a service in the fs still exist
1764 when we start a service in order to avoid confusion when a user
1765 assumes starting a service is enough to make it accessible
1767 * Make it possible to set the keymap independently from the font on
1768 the kernel cmdline. Right now setting one resets also the other.
1770 * and a dbus call to generate target from current state
1772 * investigate whether the gnome pty helper should be moved into systemd, to provide cgroup support.
1774 * dot output for --test showing the 'initial transaction'
1776 * be able to specify a forced restart of service A where service B depends on, in case B
1777 needs to be auto-respawned?
1780 - When logging about multiple units (stopping BoundTo units, conflicts, etc.),
1781 log both units as UNIT=, so that journalctl -u triggers on both.
1782 - generate better errors when people try to set transient properties
1783 that are not supported...
1784 https://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html
1785 - maybe introduce WantsMountsFor=? Usecase:
1786 https://lists.freedesktop.org/archives/systemd-devel/2015-January/027729.html
1787 - recreate systemd's D-Bus private socket file on SIGUSR2
1788 - move PAM code into its own binary
1789 - when we automatically restart a service, ensure we restart its rdeps, too.
1790 - hide PAM options in fragment parser when compile time disabled
1791 - Support --test based on current system state
1792 - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle().
1793 - after deserializing sockets in socket.c we should reapply sockopts and things
1794 - drop PID 1 reloading, only do reexecing (difficult: Reload()
1795 currently is properly synchronous, Reexec() is weird, because we
1796 cannot delay the response properly until we are back, so instead of
1797 being properly synchronous we just keep open the fd and close it
1798 when done. That means clients do not get a successful method reply,
1799 but much rather a disconnect on success.
1800 - when breaking cycles drop sysv services first, then services from /run, then from /etc, then from /usr
1801 - when a bus name of a service disappears from the bus make sure to queue further activation requests
1802 - maybe introduce CoreScheduling=yes/no to optionally set a PR_SCHED_CORE cookie, so that all
1803 processes in a service's cgroup share the same cookie and are guaranteed not to share SMT cores
1804 with other units https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/hw-vuln/core-scheduling.rst
1807 - allow port=0 in .socket units
1808 - maybe introduce ExecRestartPre=
1809 - implement Register= switch in .socket units to enable registration
1810 in Avahi, RPC and other socket registration services.
1811 - allow Type=simple with PIDFile=
1812 https://bugzilla.redhat.com/show_bug.cgi?id=723942
1813 - allow writing multiple conditions in unit files on one line
1814 - introduce Type=pid-file
1815 - add a concept of RemainAfterExit= to scope units
1816 - Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely
1817 - add verification of [Install] section to systemd-analyze verify
1820 - timer units should get the ability to trigger when DST changes
1821 - Modulate timer frequency based on battery state
1823 * add libsystemd-password or so to query passwords during boot using the password agent logic
1825 * clean up date formatting and parsing so that all absolute/relative timestamps we format can also be parsed
1827 * on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?), get rid of systemd-update-utmp-runlevel
1829 * make repeated alt-ctrl-del presses printing a dump
1831 * currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not
1833 * add a pam module that passes the hdd passphrase into the PAM stack and then expires it, for usage by gdm auto-login.
1835 * add a pam module that on password changes updates any LUKS slot where the password matches
1838 - add unit tests for config_parse_device_allow()
1840 * seems that when we follow symlinks to units we prefer the symlink
1841 destination path over /etc and /usr. We should not do that. Instead
1842 /etc should always override /run+/usr and also any symlink
1845 * when isolating, try to figure out a way how we implicitly can order
1846 all units we stop before the isolating unit...
1848 * teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off})
1850 * Add ConditionDirectoryNotEmpty= handle non-absoute paths as a search path or add
1851 ConditionConfigSearchPathNotEmpty= or different syntax? See the discussion starting at
1852 https://github.com/systemd/systemd/pull/15109#issuecomment-607740136.
1854 * BootLoaderSpec: Define a way how an installer can figure out whether a BLS
1855 compliant boot loader is installed.
1857 * think about requeuing jobs when daemon-reload is issued? usecase:
1858 the initrd issues a reload after fstab from the host is accessible
1859 and we might want to requeue the mounts local-fs acquired through
1862 * systemd-inhibit: make taking delay locks useful: support sending SIGINT or SIGTERM on PrepareForSleep()
1864 * remove any syslog support from log.c — we probably cannot do this before split-off udev is gone for good
1866 * shutdown logging: store to EFI var, and store to USB stick?
1868 * merge unit_kill_common() and unit_kill_context()
1870 * add a dependency on standard-conf.xml and other included files to man pages
1872 * MountFlags=shared acts as MountFlags=slave right now.
1874 * properly handle loop back mounts via fstab, especially regards to fsck/passno
1876 * initialize the hostname from the fs label of /, if /etc/hostname does not exist?
1880 - GetAllProperties() on a non-existing object does not result in a failure currently
1881 - port to sd-resolve for connecting to TCP dbus servers
1882 - see if we can introduce a new sd_bus_get_owner_machine_id() call to retrieve the machine ID of the machine of the bus itself
1883 - see if we can drop more message validation on the sending side
1884 - add API to clone sd_bus_message objects
1885 - longer term: priority inheritance
1886 - dbus spec updates:
1887 - NameLost/NameAcquired obsolete
1889 - update systemd.special(7) to mention that dbus.socket is only about the compatibility socket now
1892 - allow multiple signal handlers per signal?
1893 - document chaining of signal handler for SIGCHLD and child handlers
1894 - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ...
1895 - maybe support iouring as backend, so that we allow hooking read and write
1896 operations instead of IO ready events into event loops. See considerations
1898 http://blog.vmsplice.net/2020/07/rethinking-event-loop-integration-for.html
1900 * dbus: when a unit failed to load (i.e. is in UNIT_ERROR state), we
1901 should be able to safely try another attempt when the bus call LoadUnit() is invoked.
1903 * maybe do not install getty@tty1.service symlink in /etc but in /usr?
1905 * print a nicer explanation if people use variable/specifier expansion in ExecStart= for the first word
1907 * mount: turn dependency information from /proc/self/mountinfo into dependency information between systemd units.
1910 - honor language efi variables for default language selection (if there are any?)
1911 - honor timezone efi variables for default timezone selection (if there are any?)
1912 - change bootctl to be backed by systemd-bootd to control temporary and persistent default boot goal plus efi variables
1914 - recognize the case when not booted on EFI
1916 * bootctl,sd-boot: actually honour the "architecture" key
1919 - show whether UEFI audit mode is available
1920 - teach it to prepare an ESP wholesale, i.e. with mkfs.vfat invocation
1921 - teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host
1924 - optionally, support generating type #2 entries instead of type #1, including signing them
1927 - logind: optionally, ignore idle-hint logic for autosuspend, block suspend as long as a session is around
1928 - logind: wakelock/opportunistic suspend support
1929 - Add pretty name for seats in logind
1930 - logind: allow showing logout dialog from system?
1931 - add Suspend() bus calls which take timestamps to fix double suspend issues when somebody hits suspend and closes laptop quickly.
1932 - if pam_systemd is invoked by su from a process that is outside of a
1933 any session we should probably just become a NOP, since that's
1934 usually not a real user session but just some system code that just
1936 - logind: make the Suspend()/Hibernate() bus calls wait for the for
1937 the job to be completed. before returning, so that clients can wait
1938 for "systemctl suspend" to finish to know when the suspending is
1940 - logind: when the power button is pressed short, just popup a
1941 logout dialog. If it is pressed for 1s, do the usual
1942 shutdown. Inspiration are Macs here.
1943 - expose "Locked" property on logind session objects
1944 - maybe allow configuration of the StopTimeout for session scopes
1945 - rename session scope so that it includes the UID. THat way
1946 the session scope can be arranged freely in slices and we don't have
1947 make assumptions about their slice anymore.
1948 - follow PropertiesChanged state more closely, to deal with quick logouts and
1950 - (optionally?) spawn seat-manager@$SEAT.service whenever a seat shows up that as CanGraphical set
1951 - expose details of boot entries on the bus. In particular, it should be possible
1952 to query the list of boot entry titles that bootctl / sd-boot would show.
1953 Currently we only expose their identifiers.
1955 * move multiseat vid/pid matches from logind udev rule to hwdb
1957 * logind: rework pam_logind to also do a bus call in case of invocation from
1958 user@.service, which returns the XDG_RUNTIME_DIR value, and make this
1959 behaviour selectable via pam module option.
1961 * delay activation of logind until somebody logs in, or when /dev/tty0 pulls it
1962 in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle
1965 - consider introducing implicit _TTY= + _PPID= + _EUID= + _EGID= + _FSUID= + _FSGID= fields
1966 - journald: also get thread ID from client, plus thread name
1967 - journal: when waiting for journal additions in the client always sleep at least 1s or so, in order to minimize wakeups
1968 - add API to close/reopen/get fd for journal client fd in libsystemd-journal.
1969 - fall back to /dev/log based logging in libsystemd-journal, if we cannot log natively?
1970 - declare the local journal protocol stable in the wiki interface chart
1971 - sd-journal: speed up sd_journal_get_data() with transparent hash table in bg
1972 - journald: when dropping msgs due to ratelimit make sure to write
1973 "dropped %u messages" not only when we are about to print the next
1974 message that works, but already after a short timeout
1975 - check if we can make journalctl by default use --follow mode inside of less if called without args?
1976 - maybe add API to send pairs of iovecs via sd_journal_send
1977 - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access
1978 - journalctl: support negative filtering, i.e. FOOBAR!="waldo",
1979 and !FOOBAR for events without FOOBAR.
1980 - journal: store timestamp of journal_file_set_offline() in the header,
1981 so it is possible to display when the file was last synced.
1982 - journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again.
1983 - journal: find a way to allow dropping history early, based on priority, other rules
1984 - journal: When used on NFS, check payload hashes
1985 - journald: add kernel cmdline option to disable ratelimiting for debug purposes
1986 - refuse taking lower-case variable names in sd_journal_send() and friends.
1987 - journald: we currently rotate only after MaxUse+MaxFilesize has been reached.
1988 - journal: deal nicely with byte-by-byte copied files, especially regards header
1989 - journal: sanely deal with entries which are larger than the individual file size, but where the components would fit
1990 - Replace utmp, wtmp, btmp, and lastlog completely with journal
1991 - journalctl: instead --after-cursor= maybe have a --cursor=XYZ+1 syntax?
1992 - when a kernel driver logs in a tight loop, we should ratelimit that too.
1993 - journald: optionally, log debug messages to /run but everything else to /var
1994 - journald: when we drop syslog messages because the syslog socket is
1995 full, make sure to write how many messages are lost as first thing
1996 to syslog when it works again.
1997 - journald: allow per-priority and per-service retention times when rotating/vacuuming
1998 - journald: make use of uid-range.h to managed uid ranges to split
2000 - journalctl: add the ability to look for the most recent process of a binary. journalctl /usr/bin/X11 --pid=-1 or so...
2001 - improve journalctl performance by loading journal files
2002 lazily. Encode just enough information in the file name, so that we
2003 do not have to open it to know that it is not interesting for us, for
2004 the most common operations.
2005 - man: document that corrupted journal files is nothing to act on
2006 - rework journald sigbus stuff to use mutex
2007 - Set RLIMIT_NPROC for systemd-journal-xyz, and all other of our
2008 services that run under their own user ids, and use User= (but only
2009 in a world where userns is ubiquitous since otherwise we cannot
2010 invoke those daemons on the host AND in a container anymore). Also,
2011 if LimitNPROC= is used without User= we should warn and refuse
2013 - journalctl --verify: don't show files that are currently being
2014 written to as FAIL, but instead show that their are being written to.
2015 - add journalctl -H that talks via ssh to a remote peer and passes through
2017 - add a version of --merge which also merges /var/log/journal/remote
2018 - journalctl: -m should access container journals directly by enumerating
2019 them via machined, and also watch containers coming and going.
2020 Benefit: nspawn --ephemeral would start working nicely with the journal.
2021 - assign MESSAGE_ID to log messages about failed services
2022 - check if loop in decompress_blob_xz() is necessary
2024 * journald: support RFC3164 fully for the incoming syslog transport, see
2025 https://github.com/systemd/systemd/issues/19251#issuecomment-816601955
2027 * Hook up journald's FSS logic with TPM2: seal the verification disk by
2028 time-based policy, so that the verification key can remain on host and ve
2031 * build short web pages out of each catalog entry, build them along with man
2032 pages, and include hyperlinks to them in the journal output
2034 * journald: do journal file writing out-of-process, with one writer process per
2035 client UID, so that synthetic hash table collisions can slow down a specific
2036 user's journal stream down but not the others.
2038 * tweak journald context caching. In addition to caching per-process attributes
2039 keyed by PID, cache per-cgroup attributes (i.e. the various xattrs we read)
2040 keyed by cgroup path, and guarded by ctime changes. This should provide us
2041 with a nice speed-up on services that have many processes running in the same
2044 * maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for
2045 the sd-journal logging socket, and, if the timeout is set to 0, sets
2046 O_NONBLOCK on it. That way people can control if and when to block for
2049 * journalctl: make sure -f ends when the container indicated by -M terminates
2051 * journald: sigbus API via a signal-handler safe function that people may call
2052 from the SIGBUS handler
2054 * add a test if all entries in the catalog are properly formatted.
2055 (Adding dashes in a catalog entry currently results in the catalog entry
2056 being silently skipped. journalctl --update-catalog must warn about this,
2057 and we should also have a unit test to check that all our message are OK.)
2060 - when user tries to log into record signed by unrecognized key, automatically add key to our chain after polkit auth
2061 - rollback when resize fails mid-operation
2062 - GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid)
2063 - update LUKS password on login if we find there's a password that unlocks the JSON record but not the LUKS device.
2064 - create on activate?
2065 - properties: icon url?, preferred session type?, administrator bool (which translates to 'wheel' membership)?, address?, telephone?, vcard?, samba stuff?, parental controls?
2066 - communicate clearly when usb stick is safe to remove. probably involves
2067 beefing up logind to make pam session close hook synchronous and wait until
2068 systemd --user is shut down.
2069 - logind: maybe keep a "busy fd" as long as there's a non-released session around or the user@.service
2070 - maybe make automatic, read-only, time-based reflink-copies of LUKS disk
2071 images (and btrfs snapshots of subvolumes) (think: time machine)
2072 - distinguish destroy / remove (i.e. currently we can unregister a user, unregister+remove their home directory, but not just remove their home directory)
2073 - in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl set-linger" mode work
2074 - fingerprint authentication, pattern authentication, …
2075 - make sure "classic" user records can also be managed by homed
2076 - make size of $XDG_RUNTIME_DIR configurable in user record
2077 - query password from kernel keyring first
2078 - update even if record is "absent"
2079 - move acct mgmt stuff from pam_systemd_home to pam_systemd?
2080 - when "homectl --pkcs11-token-uri=" is used, synthesize ssh-authorized-keys records for all keys we have private keys on the stick for
2081 - make slice for users configurable (requires logind rework)
2082 - logind: populate auto-login list bus property from PKCS#11 token
2083 - when determining state of a LUKS home directory, check DM suspended sysfs file
2084 - when homed is in use, maybe start the user session manager in a mount namespace with MS_SLAVE,
2085 so that mounts propagate down but not up - eg, user A setting up a backup volume
2086 doesn't mean user B sees it
2087 - use credentials logic/TPM2 logic to store homed signing key
2088 - permit multiple user record signing keys to be used locally, and pick
2089 the right one for signing records automatically depending on a pre-existing
2091 - add a way to "adopt" a home directory, i.e. strip foreign signatures
2092 and insert a local signature instead.
2093 - as an extension to the directory+subvolume backend: if located on
2094 especially marked fs, then sync down password into LUKS header of that fs,
2095 and always verify passwords against it too. Bootstrapping is a problem
2096 though: if no one is logged in (or no other user even exists yet), how do you
2097 unlock the volume in order to create the first user and add the first pw.
2098 - support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
2099 - maybe pre-create ~/.cache as subvol so that it can have separate quota
2101 - add a switch to homectl (maybe called --first-boot) where it will check if
2102 any non-system users exist, and if not prompts interactively for basic user
2103 info, mimicking systemd-firstboot. Then, place this in a service that runs
2104 after systemd-homed, but before gdm and friends, as a simple, barebones
2105 fallback logic to get a regular user created on uninitialized systems.
2106 - store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with
2107 systemd-cryptsetup, so that it can unlock homed volumes
2108 - maybe make all *.home files owned by `systemd-home` user or so, so that we
2109 can easily set overall quota for all users
2110 - on login, if we can't fallocate initially, but rebalance is on, then allow
2111 login in discard mode, then immediately rebalance, then turn off discard
2112 - extend user records with optional "bulk" data. Specifically, a user
2113 avatar/photo or so. This data should be stored along with the user record,
2114 but probably shouldn't be part of the record itself, since it might be
2117 * add a new switch --auto-definitions=yes/no or so to systemd-repart. If
2118 specified, synthesize a definition automatically if we can: enlarge last
2119 partition on disk, but only if it is marked for growing and not read-only.
2121 * systemd-repart: read LUKS encryption key from $CREDENTIALS_DIRECTORY
2123 * systemd-repart: add a switch to factory reset the partition table without
2124 immediately applying the new configuration again. i.e. --factory-reset=leave
2125 or so. (this is useful to factory reset an image, then putting it into
2126 another machine, ensuring that luks key is generated on new machine, not old)
2128 * systemd-repart: support setting up dm-integrity with HMAC
2130 * systemd-repart: maybe remove half-initialized image on failure. It fails
2131 if the output file exists, so a repeated invocation will usually fail if
2132 something goes wrong on the way.
2134 * systemd-repart: drop pager mode on normal operation?
2136 * systemd-repart: by default generate minimized partition tables (i.e. tables
2137 that only cover the space actually used, excluding any free space at the
2138 end), in order to maximize dd'ability. Requires libfdisk work, see
2139 https://github.com/karelzak/util-linux/issues/907
2141 * systemd-repart: MBR partition table support. Care needs to be taken regarding
2142 Type=, so that partition definitions can sanely apply to both the GPT and the
2143 MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types
2144 for the two partition types explicitly. And provide an internal mapping so
2145 that "Type=linux-generic" maps to the right types for both partition tables
2148 * systemd-repart: allow sizing partitions as factor of available RAM, so that
2149 we can reasonably size swap partitions for hibernation.
2151 * systemd-repart: allow boolean option that ensures that if existing partition
2152 doesn't exist within the configured size bounds the whole command fails. This
2153 is useful to implement ESP vs. XBOOTLDR schemes in installers: have one set
2154 of repart files for the case where ESP is large enough and one where it isn't
2155 and XBOOTLDR is added in instead. Then apply the former first, and if it
2156 fails to apply use the latter.
2158 * systemd-repart: add per-partition option to never reuse existing partition
2159 and always create anew even if matching partition already exists.
2161 * systemd-repart: add per-partition option to fail if partition already exist,
2162 i.e. is not added new. Similar, add option to fail if partition does not exist yet.
2164 * systemd-repart: allow disabling growing of specific partitions, or making
2165 them (think ESP: we don't ever want to grow it, since we cannot resize vfat)
2166 Also add option to disable operation via kernel command line.
2168 * systemd-repart: make it a static checker during early boot for existence and
2169 absence of other partitions for trusted boot environments
2171 * systemd-repart: add support for SD_GPT_FLAG_GROWFS also on real systems, i.e.
2172 generate some unit to actually enlarge the fs after growing the partition
2175 * systemd-repart: do not print "Successfully resized …" when no change was done.
2178 - document that deps in [Unit] sections ignore Alias= fields in
2179 [Install] units of other units, unless those units are disabled
2180 - man: clarify that time-sync.target is not only sysv compat but also useful otherwise. Same for similar targets
2181 - document that service reload may be implemented as service reexec
2182 - add a man page containing packaging guidelines and recommending usage of things like Documentation=, PrivateTmp=, PrivateNetwork= and ReadOnlyDirectories=/etc /usr.
2183 - document systemd-journal-flush.service properly
2184 - documentation: recommend to connect the timer units of a service to the service via Also= in [Install]
2185 - man: document the very specific env the shutdown drop-in tools live in
2186 - man: add more examples to man pages,
2187 - in particular an example how to do the equivalent of switching runlevels
2188 - man: maybe sort directives in man pages, and take sections from --help and apply them to man too
2189 - document root=gpt-auto properly
2192 - add systemctl switch to dump transaction without executing it
2193 - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done
2194 - "systemctl disable" on a static unit prints no message and does
2195 nothing. "systemctl enable" does nothing, and gives a bad message
2196 about it. Should fix both to print nice actionable messages.
2197 - print nice message from systemctl --failed if there are no entries shown, and hook that into ExecStartPre of rescue.service/emergency.service
2198 - add new command to systemctl: "systemctl system-reexec" which reexecs as many daemons as virtually possible
2199 - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards?
2200 - systemctl: "Journal has been rotated since unit was started." message is misleading
2201 - systemctl status output should include list of triggering units and their status
2203 * introduce an option (or replacement) for "systemctl show" that outputs all
2204 properties as JSON, similar to busctl's new JSON output. In contrast to that
2205 it should skip the variant type string though.
2207 * Add a "systemctl list-units --by-slice" mode or so, which rearranges the
2208 output of "systemctl list-units" slightly by showing the tree structure of
2209 the slices, and the units attached to them.
2211 * add "systemctl wait" or so, which does what "systemd-run --wait" does, but
2212 for all units. It should be both a way to pin units into memory as well as a
2213 wait to retrieve their exit data.
2215 * show whether a service has out-of-date configuration in "systemctl status" by
2216 using mtime data of ConfigurationDirectory=.
2218 * "systemctl preset-all" should probably order the unit files it
2219 operates on lexicographically before starting to work, in order to
2220 ensure deterministic behaviour if two unit files conflict (like DMs
2223 * add "systemctl start -v foobar.service" that shows logs of a service
2224 while the start command runs. This is non-trivial to do without
2225 races though, since we should flush out all journal messages before
2226 returning from the "systemctl stop".
2228 * systemctl: if some operation fails, show log output?
2230 * Add a new verb "systemctl top"
2233 - "systemctl mask" should find all names by which a unit is accessible
2234 (i.e. by scanning for symlinks to it) and link them all to /dev/null
2237 - emulate /dev/kmsg using CUSE and turn off the syslog syscall
2238 with seccomp. That should provide us with a useful log buffer that
2239 systemd can log to during early boot, and disconnect container logs
2240 from the kernel's logs.
2241 - as soon as networkd has a bus interface, hook up --network-interface=,
2242 --network-bridge= with networkd, to trigger netdev creation should an
2243 interface be missing
2244 - a nice way to boot up without machine id set, so that it is set at boot
2245 automatically for supporting --ephemeral. Maybe hash the host machine id
2246 together with the machine name to generate the machine id for the container
2247 - fix logic always print a final newline on output.
2248 https://github.com/systemd/systemd/pull/272#issuecomment-113153176
2249 - should optionally support receiving WATCHDOG=1 messages from its payload
2251 - optionally automatically add FORWARD rules to iptables whenever nspawn is
2252 running, remove them when shut down.
2253 - add support for sysext extensions, too. i.e. a new --extension= switch that
2254 takes one or more arguments, and applies the extensions already during
2256 - when main nspawn supervisor process gets suspended due to SIGSTOP/SIGTTOU
2257 or so, freeze the payload too.
2258 - support time namespaces
2259 - on cgroupsv1 issue cgroup empty handler process based on host events, so
2260 that we make cgroup agent logic safe
2261 - add API to invoke binary in container, then use that as fallback in
2263 - make nspawn suitable for shell pipelines: instead of triggering a hangup
2264 when input is finished, send ^D, which synthesizes an EOF. Then wait for
2265 hangup or ^D before passing on the EOF.
2266 - greater control over selinux label?
2267 - support that /proc, /sys/, /dev are pre-mounted
2268 - maybe allow TPM passthrough, backed by swtpm, and measure --image= hash
2269 into its PCR 11, so that nspawn instances can be TPM enabled, and partake
2270 in measurements/remote attestation and such. swtpm would run outside of
2271 control of container, and ideally would itself bind its encryption keys to
2273 - make boot assessment do something sensible in a container. i.e send an
2274 sd_notify() from payload to container manager once boot-up is completed
2275 successfully, and use that in nspawn for dealing with boot counting,
2276 implemented in the partition table labels and directory names.
2277 - optionally set up nftables/iptables routes that forward UDP/TCP traffic on
2278 port 53 to resolved stub 127.0.0.54
2279 - maybe optionally insert .nspawn file as GPT partition into images, so that
2280 such container images are entirely stand-alone and can be updated as one.
2281 - The subreaper logic we currently have seems overly complex. We should
2282 investigate whether creating the inner child with CLONE_PARENT isn't better.
2283 - Reduce the number of sockets that are currently in use and just rely on one
2285 - Support running nspawn as an unprivileged user.
2287 * machined: add API to acquire UID range. add API to mount/dissect loopback
2288 file. Both protected by PK. Then make nspawn use these APIs to run
2289 unprivileged containers. i.e. push the truly privileged bits into machined,
2290 so that the client side can remain entirely unprivileged, with SUID or
2294 - add an API so that libvirt-lxc can inform us about network interfaces being
2295 removed or added to an existing machine
2296 - "machinectl migrate" or similar to copy a container from or to a
2297 difference host, via ssh
2298 - introduce systemd-nspawn-ephemeral@.service, and hook it into
2299 "machinectl start" with a new --ephemeral switch
2300 - "machinectl status" should also show internal logs of the container in
2302 - "machinectl history"
2304 - "machinectl commit" that takes a writable snapshot of a tree, invokes a
2305 shell in it, and marks it read-only after use
2310 - add trigger --subsystem-match=usb/usb_device device
2311 - reimport udev db after MOVE events for devices without dev_t
2312 - re-enable ProtectClock= once only cgroupsv2 is supported.
2313 See f562abe2963bad241d34e0b308e48cf114672c84.
2316 - save coredump in Windows/Mozilla minidump format
2317 - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps
2318 - add examples for other distros in ELF_PACKAGE_METADATA
2320 * support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting)
2323 - apply "x" on "D" too (see patch from William Douglas)
2324 - allow time-based cleanup in r and R too
2325 - instead of ignoring unknown fields, reject them.
2326 - creating new directories/subvolumes/fifos/device nodes
2327 should not follow symlinks. None of the other adjustment or creation
2328 calls follow symlinks.
2330 - teach tmpfiles.d q/Q logic something sensible in the context of XFS/ext4
2332 - teach tmpfiles.d m/M to move / atomic move + symlink old -> new
2333 - add new line type for setting btrfs subvolume attributes (i.e. rw/ro)
2334 - tmpfiles: add new line type for setting fcaps
2337 - Make sure ID_PATH is always exported and complete for
2338 network devices where possible, so we can safely rely
2342 - add support for more attribute types
2343 - inbuilt piping support (essentially degenerate async)? see loopback-setup.c and other places
2346 - add more keys to [Route] and [Address] sections
2347 - add support for more DHCPv4 options (and, longer term, other kinds of dynamic config)
2348 - add reduced [Link] support to .network files
2349 - properly handle routerless dhcp leases
2350 - work with non-Ethernet devices
2351 - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from?
2352 - the DHCP lease data (such as NTP/DNS) is still made available when
2353 a carrier is lost on a link. It should be removed instantly.
2354 - expose in the API the following bits:
2355 - option 15, domain name
2356 - option 12, hostname and/or option 81, fqdn
2357 - option 123, 144, geolocation
2358 - option 252, configure http proxy (PAC/wpad)
2359 - provide a way to define a per-network interface default metric value
2360 for all routes to it. possibly a second default for DHCP routes.
2361 - allow Name= to be specified repeatedly in the [Match] section. Maybe also
2362 support Name=foo*|bar*|baz ?
2363 - whenever uplink info changes, make DHCP server send out FORCERENEW
2365 * in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us
2367 * Figure out how to do unittests of networkd's state serialization
2370 - figure out how much we can increase Maximum Message Size
2373 - add functions to set previously stored IPv6 addresses on startup and get
2374 them at shutdown; store them in client->ia_na
2375 - write more test cases
2376 - implement reconfigure support, see 5.3., 15.11. and 22.20.
2377 - implement support for temporary adressess (IA_TA)
2378 - implement dhcpv6 authentication
2379 - investigate the usefulness of Confirm messages; i.e. are there any
2380 situations where the link changes without any loss in carrier detection
2382 - some servers don't do rapid commit without a filled in IA_NA, verify