systemd System and Service Manager
-CHANGES WITH 244 in spe:
-
- * systemd-udevd: removed the 30s timeout for killing stale workers on
- exit. systemd-udevd now waits for workers to finish. The hard-coded
- exit timeout of 30s was too short for some large installations, where
- driver initialization could be prematurely interrupted during initrd
- processing if the root file system had been mounted and init was
- preparing to switch root. If udevd is run without systemd and workers
- are hanging while udevd receives an exit signal, udevd will now exit
- when udev.event_timeout is reached for the last hanging worker. With
- systemd, the exit timeout can additionally be configured using
- TimeoutStopSec= in systemd-udevd.service.
+CHANGES WITH 244:
* Support for the cpuset cgroups v2 controller has been added.
Processes may be restricted to specific CPUs using the new
SystemdOptions. This may be used to configure systemd behaviour when
modifying the kernel command line is inconvenient, but configuration
on disk is read too late, for example for the options related to
- cgroup hierarchy setup. 'bootctl system-options' may be used to
+ cgroup hierarchy setup. 'bootctl systemd-efi-options' may be used to
set the EFI variable.
* systemd will now disable printk ratelimits in early boot. This should
<unit_type>.d/ (e.g. service.d/) that may be used to add configuration
that affects all corresponding unit files.
+ * systemctl gained support for 'stop --job-mode=triggering' which will
+ stop the specified unit and any units which could trigger it.
+
+ * Unit status display now includes units triggering and triggered by
+ the unit being shown.
+
* The RuntimeMaxSec= setting is now supported by scopes, not just
.service units. This is particularly useful for PAM sessions which
create a scope unit for the user login. systemd.runtime_max_sec=
setting may used with the pam_systemd module to limit the duration
of the PAM session, for example for time-limited logins.
+ * A new @pkey system call group is now defined to make it easier to
+ whitelist memory protection syscalls for containers and services
+ which need to use them.
+
+ * systemd-udevd: removed the 30s timeout for killing stale workers on
+ exit. systemd-udevd now waits for workers to finish. The hard-coded
+ exit timeout of 30s was too short for some large installations, where
+ driver initialization could be prematurely interrupted during initrd
+ processing if the root file system had been mounted and init was
+ preparing to switch root. If udevd is run without systemd and workers
+ are hanging while udevd receives an exit signal, udevd will now exit
+ when udev.event_timeout is reached for the last hanging worker. With
+ systemd, the exit timeout can additionally be configured using
+ TimeoutStopSec= in systemd-udevd.service.
+
* udev now provides a program (fido_id) that identifies FIDO CTAP1
("U2F")/CTAP2 security tokens based on the usage declared in their
report and descriptor and outputs suitable environment variables.
The client may be configured to request specific options from the
server using a new RequestOptions= setting.
+ The client may be configured to send arbitrary options to the server
+ using a new SendOption= setting.
+
A new IPServiceType= setting has been added to configure the "IP
service type" value used by the client.
* The DHCPv6 client learnt a new PrefixDelegationHint= option to
request prefix hints in the DHCPv6 solicitation.
+ * The DHCPv4 server may be configured to send arbitrary options using
+ a new SendOption= setting.
+
+ * The DHCPv4 server may now be configured to emit SIP server list using
+ the new EmitSIP= and SIP= settings.
+
* systemd-networkd and networkctl may now renew DHCP leases on demand.
networkctl has a new 'networkctl renew' verb.
* systemd-networkd now includes default configuration that enables
link-local addressing when connected to an ad-hoc wireless network.
- * The DHCPv4 server may now be configured to emit SIP server list using
- the new EmitSIP= and SIP= settings.
-
* systemd-networkd may configure the Traffic Control queueing
disciplines in the kernel using the new
[TrafficControlQueueingDiscipline] section and Parent=,
because some external program has modified the kernel configuration
on its own).
+ * systemd-analyze gained a new --base-time= switch instructs the
+ 'calendar' verb to resolve times relative to that timestamp instead
+ of the present time.
+
* journalctl --update-catalog now produces deterministic output (making
reproducible image builds easier).
configuration time using the -Dservice-watchdog= setting. If set to
empty, the watchdogs will be disabled.
- * libcryptsetup >= 2.0.1 is now required.
-
* systemd-resolved validates IP addresses in certificates now when GnuTLS
is being used.
+ * libcryptsetup >= 2.0.1 is now required.
+
+ * A configuration option -Duser-path= may be used to override the $PATH
+ used by the user service manager. The default is again to use the same
+ path as the system manager.
+
+ * The systemd-id128 tool gained a new switch "-u" (or "--uuid") for
+ outputting the 128bit IDs in UUID format (i.e. in the "canonical
+ representation").
+
+ * Service units gained a new sandboxing option ProtectKernelLogs= which
+ makes sure the program cannot get direct access to the kernel log
+ buffer anymore, i.e. the syslog() system call (not to be confused
+ with the API of the same name in libc, which is not affected), the
+ /proc/kmsg and /dev/kmsg nodes and the CAP_SYSLOG capability are made
+ inaccessible to the service. It's recommended to enable this setting
+ for all services that should not be able to read from or write to the
+ kernel log buffer, which are probably almost all.
+
+ Contributions from: Aaron Plattner, Alcaro, Anita Zhang, Balint Reczey,
+ Bastien Nocera, Baybal Ni, Benjamin Bouvier, Benjamin Gilbert, cbzxt,
+ Chen Qi, Chris Down, Christian Rebischke, Claudio Zumbo, ClydeByrdIII,
+ crashfistfight, Cyprien Laplace, Daniel Gorbea, Daniel Edgecumbe,
+ Daniel Rusek, Daniel Stuart, Dan Streetman, David Pedersen, David
+ Tardon, Dimitri John Ledkov, Dominique Martinet, Donald A. Cupp Jr,
+ Evgeny Vereshchagin, Fabian Henneke, Filipe Brandenburger, Franck Bui,
+ Frantisek Sumsal, Georg Müller, Hans de Goede, HATAYAMA Daisuke, Iwan
+ Timmer, Jan Janssen, Jan Kundrát, Jan Synacek, Jay Strict, Jérémy
+ Rosen, Jóhann B. Guðmundsson, Jonas Jelten, Jonas Thelemann, Justin
+ Trudell, Kai-Heng Feng, Kenneth D'souza, Kevin Kuehler, Kevin Becker,
+ Lennart Poettering, Léonard Gérard, Lorenz Bauer, Luca Boccassi, Maciej
+ Stanczew, Mario Limonciello, Marko Myllynen, Mark Stosberg, Martin
+ Wilck, matthiasroos, Michael Biebl, Michael Olbrich, Michael Tretter,
+ Michal Sekletar, Michal Suchanek, Mike Kazantsev, Nicolas Douma,
+ Norbert Lange, pan93412, Pavel Hrdina, Peter Wu, Philip Withnall, Piotr
+ Drąg, Rafael Fontenelle, Renaud Métrich, Riccardo Schirone,
+ RoadrunnerWMC, Ronan Pigott, Ryan Attard, Sebastian Wick, Serge,
+ Siddharth Chandrasekara, Steve Traylen, Susant Sahani, Thibault Nélis,
+ Tim Teichmann, Tom Fitzhenry, Tommy J, Torsten Hilbrich, Vito Caputo,
+ ypf791, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek
+
+ – Somewhere, 2019-11-22
+
CHANGES WITH 243:
* This release enables unprivileged programs (i.e. requiring neither
* SuccessExitStatus=, RestartPreventExitStatus=, and
RestartForceExitStatus= now accept exit status names (e.g. "DATAERR"
is equivalent to "65"). Those exit status name mappings may be
- displayed with the sytemd-analyze exit-status verb describe above.
+ displayed with the systemd-analyze exit-status verb describe above.
* systemd-logind now exposes a per-session SetBrightness() bus call,
which may be used to securely change the brightness of a kernel
projects / thirdparty / systemd.git / blobdiff