3 * Many manager configuration settings that are only applicable to user
4 manager or system manager can be always set. It would be better to reject
5 them when parsing config.
7 * Jun 01 09:43:02 krowka systemd[1]: Unit user@1000.service has alias user@.service.
8 Jun 01 09:43:02 krowka systemd[1]: Unit user@6.service has alias user@.service.
9 Jun 01 09:43:02 krowka systemd[1]: Unit user-runtime-dir@6.service has alias user-runtime-dir@.service.
13 * Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
16 - natively watch for dbus-*.service symlinks (PENDING)
17 - teach dbus to activate all services it finds in /etc/systemd/services/org-*.service
19 * fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus=
21 * neither pkexec nor sudo initialize environ[] from the PAM environment?
23 * fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it
25 * register catalog database signature as file magic
27 * zsh shell completion:
28 - <command> <verb> -<TAB> should complete options, but currently does not
29 - systemctl add-wants,add-requires
30 - systemctl reboot --boot-loader-entry=
32 * systemctl status should know about 'systemd-analyze calendar ... --iterations='
33 * If timer has just OnInactiveSec=..., it should fire after a specified time
36 * write blog stories about:
37 - hwdb: what belongs into it, lsusb
38 - enabling dbus services
39 - how to make changes to sysctl and sysfs attributes
41 - how to pass throw-away units to systemd, or dynamically change properties of existing units
42 - testing with Harald's awesome test kit
44 - how to develop against journal browsing APIs
45 - the journal HTTP iface
46 - non-cgroup resource management
47 - dynamic resource management with cgroups
48 - refreshed, longer missions statement
49 - calendar time events
50 - init=/bin/sh vs. "emergency" mode, vs. "rescue" mode, vs. "multi-user" mode, vs. "graphical" mode, and the debug shell
51 - how to create your own target
52 - instantiated apache, dovecot and so on
53 - hooking a script into various stages of shutdown/early boot
57 * look for close() vs. close_nointr() vs. close_nointr_nofail()
59 * check for strerror(r) instead of strerror(-r)
63 * set_put(), hashmap_put() return values check. i.e. == 0 does not free()!
65 * use secure_getenv() instead of getenv() where appropriate
67 * link up selected blog stories from man pages and unit files Documentation= fields
71 * rework mount.c and swap.c to follow proper state enumeration/deserialization
72 semantics, like we do for device.c now
74 * get rid of prefix_roota() and similar, only use chase() and related
77 * get rid of basename() and replace by path_extract_filename()
79 * Replace our fstype_is_network() with a call to libmount's mnt_fstype_is_netfs()?
80 Having two lists is not nice, but maybe it's now worth making a dependency on
81 libmount for something so trivial.
83 * drop set_free_free() and switch things over from string_hash_ops to
84 string_hash_ops_free everywhere, so that destruction is implicit rather than
85 explicit. Similar, for other special hashmap/set/ordered_hashmap destructors.
87 * generators sometimes apply C escaping and sometimes specifier escaping to
88 paths and similar strings they write out. Sometimes both. We should clean
89 this up, and should probably always apply both, i.e. introduce
90 unit_file_escape() or so, which applies both.
92 * xopenat() should pin the parent dir of the inode it creates before doing its
93 thing, so that it can create, open, label somewhat atomically.
95 Deprecations and removals:
97 * Remove any support for booting without /usr pre-mounted in the initrd entirely.
98 Update INITRD_INTERFACE.md accordingly.
100 * remove cgroups v1 support EOY 2023. As per
101 https://lists.freedesktop.org/archives/systemd-devel/2022-July/048120.html
102 and then rework cgroupsv2 support around fds, i.e. keep one fd per active
103 unit around, and always operate on that, instead of cgroup fs paths.
105 * drop support for kernels that lack ambient capabilities support (i.e. make
106 4.3 new baseline). Then drop support for "!!" modifier for ExecStart= which
107 is only supported for such old kernels.
109 * drop support for kernels lacking memfd_create() (i.e. make 3.17 new
110 baseline), then drop all pipe() based fallbacks.
112 * drop support for getrandom()-less kernels. (GRND_INSECURE means once kernel
113 5.6 becomes our baseline). See
114 https://github.com/systemd/systemd/pull/24101#issuecomment-1193966468 for
115 details. Maybe before that: at taint-flags/warn about kernels that lack
116 getrandom()/environments where it is blocked.
118 * drop support for LOOP_CONFIGURE-less loopback block devices, once kernel
121 * drop fd_is_mount_point() fallback mess once we can rely on
122 STATX_ATTR_MOUNT_ROOT to exist i.e. kernel baseline 5.8
124 * Remove /dev/mem ACPI FPDT parsing when /sys/firmware/acpi/fpdt is ubiquitous.
125 That requires distros to enable CONFIG_ACPI_FPDT, and have kernels v5.12 for
126 x86 and v6.2 for arm.
128 * Once baseline is 4.13, remove support for INTERFACE_OLD= checks in "udevadm
129 trigger"'s waiting logic, since we can then rely on uuid-tagged uevents
133 * move documentation about our common env vars (SYSTEMD_LOG_LEVEL,
134 SYSTEMD_PAGER, …) into a man page of its own, and just link it from our
135 various man pages that so far embedd the whole list again and again, in an
136 attempt to reduce clutter and noise a bid.
138 * vmspawn switch default swtpm PCR bank to SHA384-only (away from SHA256), at
139 least on 64bit archs, simply because SHA384 is typically double the hashing
140 speed than SHA256 on 64bit archs (since based on 64bit words unlike SHA256
141 which uses 32bit words).
143 * send out sd_notify() from PID 1 when we determined hostname and machine ID
145 * send out sd_notify() from PID 1 whenever we reach a target unit. Then
146 introduce ssh.target or so. And in vmspawn/nspawn wait for that as indication
147 whether/when SSH is available. Similar for D-Bus (but just use sockets.target for that)
149 * teach nspawn/machined a new bus call/verb that gets you a
150 shell in containers that have no sensible pid1, via joining the container,
151 and invoking a shell directly. Then provide another new bus call/vern that is
152 somewhat automatic: if we detect that pid1 is running and fully booted up we
153 provide a proper login shell, otherwise just a joined shell. Then expose that
154 as primary way into the container.
156 * make vmspawn/nspawn/importd/machined a bit more usable in a WSL-like
157 fashion. i.e. teach unpriv systemd-vmspawn/systemd-nspawn a reasonable
158 --bind-user= behaviour that mounts the calling user through into the
159 machine. Then, ship importd with a small database of well known distro images
160 along with their pinned signature keys. Then add some minimal glue that binds
161 this together: downloads a suitable image if not done so yet, starts it in
162 the bg via vmspawn/nspawn if not done so yet and then requests a shell inside
163 it for the invoking user.
165 * make varlink.h a public API, i.e. give all symbols an sd_ prefix, and rename
166 header file to sd-varlink.h. This of course also means we have to make json.h
167 public the same way. Convert the function param checks from assert() to
168 assert_ret(). Only export the stuff we are sure about, and keep some symbols
169 internally where things are not clear whether we want other projects to use.
171 * machined: allow running in a per-user instance too, to allow unpriv
172 systemd-nspawn and systemd-vmspawn do something useful. (Alternatively: open
173 up system machined to unpriv client's registering their machines, and enforce
174 they come with some prefix or suffix that clarifies they are the
175 user's. i.e. when a user registers a machine it must be called
176 foobar.<username> or so.).
178 * importd/…: define per-user dirs for container/VM images too.
180 * add a new specifier to unit files that figures out the DDI the unit file is
181 from, tracing through overlayfs, DM, loopback block device.
185 - port tar handling to libarchive
186 - add varlink interface
187 - download images into .v/ dirs
189 * in os-release define a field that can be initialized at build time from
190 SOURCE_DATE_EPOCH (maybe even under that name?). Would then be used to
191 initialize the timestamp logic of ConditionNeedsUpdate=.
193 * ptyfwd: look for window title ANSI sequences and insert colored dot in front
194 of it while passing it through, to indicate whether we are in privileged, VM,
195 container terminal sessions.
197 * nspawn/vmspawn/pid1: add ability to easily insert fully booted VMs/FOSC into
198 shell pipelines, i.e. add easy to use switch that turns off console status
199 output, and generates the right credentials for systemd-run-generator so that
200 a program is invoked, and its output captured, with correct EOF handling and
201 exit code propagation
203 * new systemd-analyze "join" verb or so, for debugging services. Would be
204 nsenter on steroids, i.e invoke a shell or command line in an environment as
205 close as we can make it for the MainPID of a service. Should be built around
206 pidfd, so that we can reasonably robustly do this. Would only cover the
207 execution environment like namespaces, but not the privilege settings.
209 * varlink: extend varlink IDL macros to include documentation strings
211 * Introduce a CGroupRef structure, inspired by PidRef. Should contain cgroup
212 path, cgroup id, and cgroup fd. Use it to continuously pin all v2 cgroups via
213 a cgroup_ref field in the CGroupRuntime structure. Eventually switch things
214 over to do all cgroupfs access only via that structure's fd.
216 * Get rid of the symlinks in /run/systemd/units/* and exclusively use cgroupfs
217 xattrs to convey info about invocation ids, logging settings and so on.
218 support for cgroupfs xattrs in the "trusted." namespace was added in linux
219 3.7, i.e. which we don't pretend to support anymore.
221 * rewrite bpf-devices in libbpf/C code, rather than home-grown BPF assembly, to
222 match bpf-restrict-fs, bpf-restrict-ifaces, bpf-socket-bind
224 * ditto: rewrite bpf-firewall in libbpf/C code
226 * credentials: if we ever acquire a secure way to derive cgroup id of socket
227 peers (i.e. SO_PEERCGROUPID), then extend the "scoped" credential logic to
228 allow cgroup-scoped (i.e. app or service scoped) credentials. Then, as next
229 step use this to implement per-app/per-service encrypted directories, where
230 we set up fscrypt on the StateDirectory= with a randomized key which is
231 stored as xattr on the directory, encrypted as a credential.
233 * credentials: optionally include a per-user secret in scoped user-credential
234 encryption keys. should come from homed in some way, derived from the luks
235 volume key or fscrypt directory key.
237 * credentials: add a flag to the scoped credentials that if set require PK
238 reauthentication when unlocking a secret.
240 * teach systemd --user to properly load credentials off disk, with
241 /etc/credstore equivalent and similar. Make sure that $CREDENTIALS_DIRECTORY=
242 actually works too when run with user privs.
244 * extend the smbios11 logic for passing credentials so that instead of passing
245 the credential data literally it can also just reference an AF_VSOCK CID/port
246 to read them from. This way the data doesn't remain in the SMBIOS blob during
247 runtime, but only in the credentials fs.
249 * machined: make machine registration available via varlink to simplify
250 nspawn/vmspawn, and to have an extensible way to register VM/machine metadata
252 * ssh-proxy: add support for "ssh machine/foobar" to automatically connect to
253 machined registered machine "foobar". Requires updating machined to track CID
254 and unix-export dir of containers.
256 * add a new ExecStart= flag that inserts the configured user's shell as first
257 word in the command line. (maybe use character '.'). Usecase: tool such as
258 uid0 can use that to spawn the target user's default shell.
260 * varlink: figure out how to do docs for our varlink interfaces. Idea: install
261 interface files augmented with docs in /usr/share/ somewhere. And have
262 functionality in varlinkctl to merge interface info extracted from binaries
263 with interface info on disk. And store the doc strings only in the latter.
265 * introduce mntid_t, and make it 64bit, as apparently the kernel switched to
268 * use udev rule networkd ownership property to take ownership of network
269 interfaces nspawn creates
271 * add a kernel cmdline switch (and cred?) for marking a system to be
272 "headless", in which case we never open /dev/console for reading, only for
273 writing. This would then mean: systemd-firstboot would process creds but not
274 ask interactively, getty would not be started and so on.
276 * cryptsetup: new crypttab option to auto-grow a luks device to its backing
277 partition size. new crypttab option to reencrypt a luks device with a new
280 * we probably should have some infrastructure to acquire sysexts with
281 drivers/firmware for local hardware automatically. Idea: reuse the modalias
282 logic of the kernel for this: make the main OS image install a hwdb file
283 that matches against local modalias strings, and adds properties to relevant
284 devices listing names of sysexts needed to support the hw. Then provide some
285 tool that goes through all devices and tries to acquire/download the
288 * repart + cryptsetup: support file systems that are encrypted and use verity
289 on top. Usecase: confexts that shall be signed by the admin but also be
290 confidential. Then, add a new --make-ddi=confext-encrypted for this.
292 * tmpfiles: add new line type for moving files from some source dir to some
293 target dir. then use that to move sysexts/confexts and stuff from initrd
294 tmpfs to /run/, so that host can pick things up.
296 * tiny varlink service that takes a fd passed in and serves it via http. Then
297 make use of that in networkd, and expose some EFI binary of choice for
298 DHCP/HTTP base EFI boot.
300 * bootctl: add reboot-to-disk which takes a block device name, and
301 automatically sets things up so that system reboots into that device next.
303 * maybe: in PID1, when we detect we run in an initrd, make superblock read-only
304 early on, but provide opt-out via kernel cmdline.
307 - support measuring to nvindex with PCR update semantics ("fake PCRs")
308 - add api for "allocating" such an nvindex
309 - once we have that start measuring every sysext we apply, every confext,
310 every RootImage= we apply, every nspawn and so on. All in separate fake
314 - enable hyperv extension by default (https://www.qemu.org/docs/master/system/i386/hyperv.html)
315 - register with machined
316 - run in scope unit when invoked from command line, and machined registration is off
317 - support --directory= via virtiofs
319 - --ephemeral support
320 - --read-only support
321 - automatically suspend/resume the VM if the host suspends. Use logind
322 suspend inhibitor to implement this. request clean suspend by generating
324 - support for "real" networking via "-n" and --network-bridge=
325 - translate SIGTERM to clean ACPI shutdown event
327 * systemd-pcrmachine should probably also measure the SMBIOS system UUID.
329 * sd-boot: allow synthesizing additional type1 entries via SMBIOS vendor strings
332 - add USB mass storage device logic, so that all local disks are also exposed
333 as mass storage devices on systems that have a USB controller that can
334 operate in device mode
335 - add NVMe authentication
337 * add support for activating nvme-oF devices at boot automatically via kernel
338 cmdline, and maybe even support a syntax such as
339 root=nvme:<trtype>:<traddr>:<trsvcid>:<nqn>:<partition> to boot directly from
343 - make signed PCR work together with pcrlock
344 - add kernel-install plugin that automatically creates UKI .pcrlock file when
345 UKI is installed, and removes it when it is removed again
346 - automatically install PE measurement of sd-boot on "bootctl install"
347 - write generated pcrlock signature files to the ESP as credential, one for
348 each installed OS & pick up generated pcrlock signature file in sd-stub,
349 pass it via initrd to OS
350 - pre-calc sysext + kernel cmdline measurements
351 - pre-calc cryptsetup root key measurement
352 - maybe make systemd-repart generate .pcrlock for old and new GPT header in
354 - Add support for more than 8 branches per PCR OR
355 - add "systemd-pcrlock lock-kernel-current" or so which synthesizes .pcrlock
356 policy from currently booted kernel/event log, to close gap for first boot
359 * add a new systemd-project@.service that is very similar to user@.service but
360 uses DynamicUser=1 and no PAMName= to invoke an unprivileged somewhat
361 light-weight service manager. Use HOME=/var/lib/systemd/projects/%i as home
362 dir. Similar for $XDG_RUNTIME_DIR. Start project@%i.target. Use LogField= to
363 add a field identifying the project.
365 * in sd-boot and sd-stub measure the SMBIOS vendor strings to some PCR (at
366 least some subset of them that look like systemd stuff), because apparently
367 some firmware does not, but systemd honours it. avoid duplicate measurement
368 by sd-boot and sd-stub by adding LoaderFeatures/StubFeatures flag for this,
369 so that sd-stub can avoid it if sd-boot already did it.
371 * cryptsetup: a mechanism that allows signing a volume key with some key that
372 has to be present in the kernel keyring, or similar, to ensure that confext
373 DDIs can be encrypted against the local SRK but signed with the admin's key
374 and thus can authenticated locally before they are decrypted.
376 * image policy should be extended to allow dictating *how* a disk is unlocked,
377 i.e. root=encrypted-tpm2+encrypted-fido2 would mean "root fs must be
378 encrypted and unlocked via fido2 or tpm2, but not otherwise"
380 * systemd-repart: add support for formatting dm-crypt + dm-integrity file
383 * homed: use systemd-storagetm to expose home dirs via nvme-tcp. Then,
384 teach homed/pam_systemd_homed with a user name such as
385 lennart%nvme_tcp_192.168.100.77_8787 to log in from any linux host with the
386 same home dir. Similar maybe for nbd, iscsi? this should then first ask for
387 the local root pw, to authenticate that logging in like this is ok, and would
388 then be followed by another password prompt asking for the user's own
389 password. Also, do something similar for CIFS: if you log in via
390 lennart%cifs-someserver_someshare, then set up the homed dir for it
391 automatically. The PAM module should update the user name used for login to
392 the short version once it set up the user. Some care should be taken, so that
393 the long version can be still be resolved via NSS afterwards, to deal with
394 PAM clients that do not support PAM sessions where PAM_USER changes half-way.
396 * redefine /var/lib/extensions/ as the dir one can place all three of sysext,
397 confext as well is multi-modal DDIs that qualify as both. Then introduce
398 /var/lib/sysexts/ which can be used to place only DDIs that shall be used as
401 * Varlinkification of the following command line tools, to open them up to
402 other programs via IPC:
404 - journalctl (allowing journal read access via IPC)
408 - systemd-cryptenroll (to allow UIs to enroll FIDO2 keys and such)
413 - systemd-mount (with PK so that desktop environments could use it to mount disks)
415 * in the service manager, pick up ERRNO= + BUSERROR= + VARLINKERROR= error
416 identifiers, and store them along with the exit status of a server and report
417 via "systemctl status".
419 * enumerate virtiofs devices during boot-up in a generator, and synthesize
420 mounts for rootfs, /usr/, /home/, /srv/ and some others from it, depending on
421 the "tag". (waits for: https://gitlab.com/virtio-fs/virtiofsd/-/issues/128)
423 * automatically mount one virtiofs during early boot phase to /run/host/,
424 similar to how we do that for nspawn, based on some clear tag.
426 * add some service that makes an atomic snapshot of PCR state and event log up
427 to that point available, possibly even with quote by the TPM.
429 * encode type1 entries in some UKI section to add additional entries to the
432 * Add ACL-based access management to .socket units. i.e. add AllowPeerUser= +
433 AllowPeerGroup= that installs additional user/group ACL entries on AF_UNIX
436 * systemd-tpm2-setup should probably have a factory reset logic, i.e. when some
437 kernel command line option is set we reset the TPM (equivalent of tpm2_clear
438 -c owner? or rather echo 5 >/sys/class/tpm/tpm0/ppi/request?).
440 * systemd-tpm2-setup should support a mode where we refuse booting if the SRK
441 changed. (Must be opt-in, to not break systems which are supposed to be
442 migratable between PCs)
444 * when systemd-sysext learns mutable /usr/ (and systemd-confext mutable /etc/)
445 then allow them to store the result in a .v/ versioned subdir, for some basic
448 * add a new PE binary section ".mokkeys" or so which sd-stub will insert into
449 Mok keyring, by overriding/extending whatever shim sets in the EFI
450 var. Benefit: we can extend the kernel module keyring at ukify time,
451 i.e. without recompiling the kernel, taking an upstream OS' kernel and adding
454 * PidRef conversion work:
456 - pid_from_same_root_fs()
458 - pid1: sd_notify() receiver should use SCM_PIDFD to authenticate client
459 - actually wait for POLLIN on pidref's pidfd in service logic
460 - exec_spawn() + safe_fork()
461 - openpt_allocate_in_namespace()
462 - unit_attach_pid_to_cgroup_via_bus()
463 - cg_attach() – requires new kernel feature
465 * ddi must be listed as block device fstype
467 * measure some string via pcrphase whenever we end up booting into emergency
470 * homed: add a basic form of secrets management to homed, that stores
471 secrets in $HOME somewhere, is protected by the accounts own authentication
472 mechanisms. Should implement something PKCS#11-like that can be used to
473 implement emulated FIDO2 in unpriv userspace on top (which should happen
474 outside of homed), emulated PKCS11, and libsecrets support. Operate with a
475 2nd key derived from volume key of the user, with which to wrap all
476 keys. maintain keys in kernel keyring if possible.
478 * use sd-event ratelimit feature optionally for journal stream clients that log
481 * systemd-mount should only consider modern file systems when mounting, similar
484 * add another PE section ".fname" or so that encodes the intended filename for
485 PE file, and validate that when loading add-ons and similar before using
486 it. This is particularly relevant when we load multiple add-ons and want to
487 sort them to apply them in a define order. The order should not be under
488 control of the attacker.
490 * also include packaging metadata (á la
491 https://systemd.io/ELF_PACKAGE_METADATA/) in our UEFI PE binaries, using the
494 * make "bootctl install" + "bootctl update" useful for installing shim too. For
495 that introduce new dir /usr/lib/systemd/efi/extra/ which we copy mostly 1:1
496 into the ESP at install time. Then make the logic smart enough so that we
497 don't overwrite bootx64.efi with our own if the extra tree already contains
498 one. Also, follow symlinks when copying, so that shim rpm can symlink their
499 stuff into our dir (which is safe since the target ESP is generally VFAT and
500 thus does not have symlinks anyway). Later, teach the update logic to look at
501 the ELF package metadata (which we also should include in all PE files, see
502 above) for version info in all *.EFI files, and use it to only update if
505 * in sd-stub: optionally add support for a new PE section .keyring or so that
506 contains additional certificates to include in the Mok keyring, extending
507 what shim might have placed there. why? let's say I use "ukify" to build +
508 sign my own fedora-based UKIs, and only enroll my personal lennart key via
509 shim. Then, I want to include the fedora keyring in it, so that kmods work.
510 But I might not want to enroll the fedora key in shim, because this would
511 also mean that the key would be in effect whenever I boot an archlinux UKI
512 built the same way, signed with the same lennart key.
514 * resolved: take possession of some IPv6 ULA address (let's say
515 fd00:5353:5353:5353:5353:5353:5353:5353), and listen on port 53 on it for the
516 local stubs, so that we can make the stub available via ipv6 too.
518 * introduce a .microcode PE section for sd-stub which we'll pass as first initrd
519 to the kernel which will then upload it to the CPU. This should be distinct
520 from .initrd to guarantee right ordering. also, and maybe more importantly
521 support .microcode in PE add-ons, so that a microcode update can be shipped
522 independently of any kernel.
524 * Maybe add SwitchRootEx() as new bus call that takes env vars to set for new
525 PID 1 as argument. When adding SwitchRootEx() we should maybe also add a
526 flags param that allows disabling and enabling whether serialization is
527 requested during switch root.
529 * introduce a .acpitable section for early ACPI table override
531 * add proper .osrel matching for PE addons. i.e. refuse applying an addon
532 intended for a different OS. Take inspiration from how confext/sysext are
535 * figure out what to do about credentials sealed to PCRs in kexec + soft-reboot
536 scenarios. Maybe insist sealing is done additionally against some keypair in
537 the TPM to which access is updated on each boot, for the next, or so?
539 * logind: when logging in, always take an fd to the home dir, to keep the dir
540 busy, so that autofs release can never happen. (this is generally a good
541 idea, and specifically works around the fact the autofs ignores busy by mount
544 * mount most file systems with a restrictive uidmap. e.g. mount /usr/ with a
545 uidmap that blocks out anything outside 0…1000 (i.e. system users) and similar.
547 * mount the root fs with MS_NOSUID by default, and then mount /usr/ without
548 both so that suid executables can only be placed there. Do this already in
549 the initrd. If /usr/ is not split out create a bind mount automatically.
551 * fix our various hwdb lookup keys to end with ":" again. The original idea was
552 that hwdb patterns can match arbitrary fields with expressions like
553 "*:foobar:*", to wildcard match both the start and the end of the string.
554 This only works safely for later extensions of the string if the strings
555 always end in a colon. This requires updating our udev rules, as well as
556 checking if the various hwdb files are fine with that.
558 * mount /tmp/ and /var/tmp with a uidmap applied that blocks out "nobody" user
559 among other things such as dynamic uid ranges for containers and so on. That
560 way no one can create files there with these uids and we enforce they are only
561 used transiently, never persistently.
563 * rework loopback support in fstab: when "loop" option is used, then
564 instantiate a new systemd-loop@.service for the source path, set the
565 lo_file_name field for it to something recognizable derived from the fstab
566 line, and then generate a mount unit for it using a udev generated symlink
567 based on lo_file_name.
569 * teach systemd-nspawn the boot assessment logic: hook up vpick's try counters
570 with success notifications from nspawn payloads. When this is enabled,
571 automatically support reverting back to older OS version images if newer ones
574 * implement new "systemd-fsrebind" tool that works like gpt-auto-generator but
575 looks at a root dir and then applies vpick on various dirs/images to pick a
576 root tree, a /usr/ tree, a /home/, a /srv/, a /var/ tree and so on. Dirs
577 could also be btrfs subvols (combine with btrfs auto-snapshort approach for
578 creating versions like these automatically).
580 * remove tomoyo support, it's obsolete and unmaintained apparently
582 * In .socket units, add ConnectStream=, ConnectDatagram=,
583 ConnectSequentialPacket= that create a socket, and then *connect to* rather than
584 listen on some socket. Then, add a new setting WriteData= that takes some
585 base64 data that systemd will write into the socket early on. This can then
586 be used to create connections to arbitrary services and issue requests into
587 them, as long as the data is static. This can then be combined with the
588 aforementioned journald subscription varlink service, to enable
589 activation-by-message id and similar.
591 * .service with invalid Sockets= starts successfully.
593 * landlock: lock down RuntimeDirectory= via landlock, so that services lose
594 ability to write anywhere else below /run/. Similar for
595 StateDirectory=. Benefit would be clear delegation via unit files: services
596 get the directories they get, and nothing else even if they wanted to.
598 * landlock: for unprivileged systemd (i.e. systemd --user), use landlock to
599 implement ProtectSystem=, ProtectHome= and so on. Landlock does not require
600 privs, and we can implement pretty similar behaviour. Also, maybe add a mode
601 where ProtectSystem= combined with an explicit PrivateMounts=no could request
602 similar behaviour for system services, too.
604 * Add systemd-mount@.service which is instantiated for a block device and
605 invokes systemd-mount and exits. This is then useful to use in
606 ENV{SYSTEMD_WANTS} in udev rules, and a bit prettier than using RUN+=
608 * udevd: extend memory pressure logic: also kill any idle worker processes
610 * udevadm: to make symlink querying with udevadm nicer:
611 - do not enable the pager for queries like 'udevadm info -q -r symlink'
612 - add mode with newlines instead of spaces (for grep)?
614 * SIGRTMIN+18 and memory pressure handling should still be added to: hostnamed,
615 localed, oomd, timedated.
617 * repart/gpt-auto/DDIs: maybe introduce a concept of "extension" partitions,
618 that have a new type uuid and can "extend" earlier partitions, to work around
619 the fact that systemd-repart can only grow the last partition defined. During
620 activation we'd simply set up a dm-linear mapping to merge them again. A
621 partition that is to be extended would just set a bit in the partition flags
622 field to indicate that there's another extension partition to look for. The
623 identifying UUID of the extension partition would be hashed in counter mode
624 from the uuid of the original partition it extends. Inspiration for this is
625 the "dynamic partitions" concept of new Android. This would be a minimalistic
626 concept of a volume manager, with the extents it manages being exposes as GPT
627 partitions. I a partition is extended multiple times they should probably
628 grow exponentially in size to ensure O(log(n)) time for finding them on
631 * Use CLONE_INTO_CGROUP to spawn systemd-executor, once glibc supports it in
634 * Make nspawn to a frontend for systemd-executor, so that we have to ways into
635 the executor: via unit files/dbus/varlink through PID1 and via cmdline/OCI
638 * sd-stub: detect if we are running with uefi console output on serial, and if so
639 automatically add console= to kernel cmdline matching the same port.
641 * add a utility that can be used with the kernel's
642 CONFIG_STATIC_USERMODEHELPER_PATH and then handles them within pid1 so that
643 security, resource management and cgroup settings can be enforced properly
644 for all umh processes.
646 * systemd-shutdown: keep sending sd_notify() status updates immediately before
647 going down, in particular include the "reboot param" string.
649 * homed: when resizing an fs don't sync identity beforehand there might simply
650 not be enough disk space for that. try to be defensive and sync only after
653 * homed: if for some reason the partition ended up being much smaller than
654 whole disk, recover from that, and grow it again.
656 * timesyncd: when saving/restoring clock try to take boot time into account.
657 Specifically, along with the saved clock, store the current boot ID. When
658 starting, check if the boot id matches. If so, don't do anything (we are on
659 the same boot and clock just kept running anyway). If not, then read
660 CLOCK_BOOTTIME (which started at boot), and add it to the saved clock
661 timestamp, to compensate for the time we spent booting. If EFI timestamps are
662 available, also include that in the calculation. With this we'll then only
663 miss the time spent during shutdown after timesync stopped and before the
664 system actually reset.
666 * systemd-stub: maybe store a "boot counter" in the ESP, and pass it down to
667 userspace to allow ordering boots (for example in journalctl). The counter
668 would be monotonically increased on every boot.
670 * pam_systemd_home: add module parameter to control whether to only accept
671 only password or only pcks11/fido2 auth, and then use this to hook nicely
672 into two of the three PAM stacks gdm provides.
673 See discussion at https://github.com/authselect/authselect/pull/311
675 * sd-boot: make boot loader spec type #1 accept http urls in "linux"
676 lines. Then, do the uefi http dance to download kernels and boot them. This
677 is then useful for network boot, by embedding a cpio with type #1 snippets
678 in sd-boot, which reference remote kernels.
680 * maybe prohibit setuid() to the nobody user, to lock things down, via seccomp.
681 the nobody is not a user any code should run under, ever, as that user would
682 possibly get a lot of access to resources it really shouldn't be getting
683 access to due to the userns + nfs semantics of the user. Alternatively: use
684 the seccomp log action, and allow it.
686 * sd-boot: add a new PE section .bls or so that carries a cpio with additional
687 boot loader entries (both type1 and type2). Then when initializing, find this
688 section, iterate through it and populate menu with it. cpio is simple enough
689 to make a parser for this reasonably robust. use same path structures as in
690 the ESP. Similar add one for signature key drop-ins.
692 * sd-boot: also allow passing in the cpio as in the previous item via SMBIOS
694 * add a new EFI tool "sd-fetch" or so. It looks in a PE section ".url" for an
695 URL, then downloads the file from it using UEFI HTTP APIs, and executes it.
696 Use case: provide a minimal ESP with sd-boot and a couple of these sd-fetch
697 binaries in place of UKIs, and download them on-the-fly.
699 * maybe: systemd-loop-generator that sets up loopback devices if requested via kernel
700 cmdline. use case: include encrypted/verity root fs in UKI.
702 * systemd-gpt-auto-generator: add kernel cmdline option to override block
703 device to dissect. also support dissecting a regular file. useccase: include
704 encrypted/verity root fs in UKI.
706 * sd-stub: add ".bootcfg" section for kernel bootconfig data (as per
707 https://docs.kernel.org/admin-guide/bootconfig.html)
709 * tpm2: add (optional) support for generating a local signing key from PCR 15
710 state. use private key part to sign PCR 7+14 policies. stash signatures for
711 expected PCR7+14 policies in EFI var. use public key part in disk encryption.
712 generate new sigs whenever db/dbx/mok/mokx gets updated. that way we can
713 securely bind against SecureBoot/shim state, without having to renroll
714 everything on each update (but we still have to generate one sig on each
715 update, but that should be robust/idempotent). needs rollback protection, as
718 * Lennart: big blog story about DDIs
720 * Lennart: big blog story about building initrds
722 * Lennart: big blog story about "why systemd-boot"
724 * bpf: see if we can use BPF to solve the syslog message cgroup source problem:
725 one idea would be to patch source sockaddr of all AF_UNIX/SOCK_DGRAM to
726 implicitly contain the source cgroup id. Another idea would be to patch
727 sendto()/connect()/sendmsg() sockaddr on-the-fly to use a different target
730 * bpf: see if we can address opportunistic inode sharing of immutable fs images
731 with BPF. i.e. if bpf gives us power to hook into openat() and return a
732 different inode than is requested for which we however it has same contents
733 then we can use that to implement opportunistic inode sharing among DDIs:
734 make all DDIs ship xattr on all reg files with a SHA256 hash. Then, also
735 dictate that DDIs should come with a top-level subdir where all reg files are
736 linked into by their SHA256 sum. Then, whenever an inode is opened with the
737 xattr set, check bpf table to find dirs with hashes for other prior DDIs and
738 try to use inode from there.
740 * extend the verity signature partition to permit multiple signatures for the
741 same root hash, so that people can sign a single image with multiple keys.
743 * consider adding a new partition type, just for /opt/ for usage in system
746 * gpt-auto-discovery: also use the pkcs7 signature stuff, and pass signature to
747 kernel. So far we only did this for the various --image= switches, but not
748 for the root fs or /usr/.
750 * dissection policy should enforce that unlocking can only take place by
751 certain means, i.e. only via pw, only via tpm2, or only via fido, or a
754 * make the systemd-repart "seed" value provisionable via credentials, so that
755 confidential computing environments can set it and deterministically
756 enforce the uuids for partitions created, so that they can calculate PCR 15
759 * systemd-repart: also derive the volume key from the seed value, for the
760 aforementioned purpose.
762 * in the initrd: derive the default machine ID to pass to the host PID 1 via
763 $machine_id from the same seed credential.
765 * Add systemd-sysupdate-initrd.service or so that runs systemd-sysupdate in the
766 initrd to bootstrap the initrd to populate the initial partitions. Some things
768 - Should it run on firstboot or on every boot?
769 - If run on every boot, should it use the sysupdate config from the host on
772 * revisit default PCR bindings in cryptenroll and systemd-creds. Currently they
773 use PCR 7 which should contain secureboot state db/dbx. Which sounded like a
774 safe bet, given that it should change only on policy changes, and not
775 software updates. But that's wrong. Recent fwupd (rightfully) contains code
776 for updating the dbx denylist. This means even without any active policy
777 change PCR 7 might change. Hence, better idea might be in systemd-creds to
778 default to PCR 15 at least if sd-stub is used (i.e. bind to system identity),
779 and in cryptsetup simply the empty list? Also, PCR 14 almost certainly should
780 be included as much as PCR 7 (as it contains shim's policy, which is
781 certainly as relevant as PCR 7 on many systems)
783 * To mimic the new tpm2-measure-pcr= crypttab option add the same to veritytab
784 (measuring the root hash) and integritytab (measuring the HMAC key if one is
787 * We should start measuring all services, containers, and system extensions we
788 activate. probably into PCR 13. i.e. add --tpm2-measure-pcr= or so to
789 systemd-nspawn, and MeasurePCR= to unit files. Should contain a measurement
790 of the activated configuration and the image that is being activated (in case
791 verity is used, hash of the root hash).
793 * bootspec: permit graceful "update" from type #2 to type #1. If both a type #1
794 and a type #2 entry exist under otherwise the exact same name, then use the
795 type #1 entry, and ignore the type #2 entry. This way, people can "upgrade"
796 from the UKI with all parameters baked in to a Type #1 .conf file with manual
797 parametrization, if needed. This matches our usual rule that admin config
798 should win over vendor defaults.
800 * write a "search path" spec, that documents the prefixes to search in
801 (i.e. the usual /etc/, /run/, /usr/lib/ dance, potentially /usr/etc/), how to
802 sort found entries, how masking works and overriding.
804 * automatic boot assessment: add one more default success check that just waits
805 for a bit after boot, and blesses the boot if the system stayed up that long.
807 * systemd-repart: add support for generating ISO9660 images
809 * systemd-repart: in addition to the existing "factory reset" mode (which
810 simply empties existing partitions marked for that). add a mode where
811 partitions marked for it are entirely removed. Use case: remove secondary OS
812 copy, and redundant partitions entirely, and recreate them anew.
814 * systemd-boot: maybe add support for collapsing menu entries of the same OS
815 into one item that can be opened (like in a "tree view" UI element) or
816 collapsed. If only a single OS is installed, disable this mode, but if
817 multiple OSes are installed might make sense to default to it, so that user
818 is not immediately bombarded with a multitude of Linux kernel versions but
819 only one for each OS.
821 * systemd-repart: if the GPT *disk* UUID (i.e. the one global for the entire
822 disk) is set to all FFFFF then use this as trigger for factory reset, in
823 addition to the existing mechanisms via EFI variables and kernel command
824 line. Benefit: works also on non-EFI systems, and can be requested on one
827 * systemd-sysupdate: make transport pluggable, so people can plug casync or
828 similar behind it, instead of http.
830 * systemd-tmpfiles: add concept for conditionalizing lines on factory reset
831 boot, or on first boot.
833 * in UKIs: add way to define allowlist of additional words that can be added to
834 the kernel cmdline even in SecureBoot mode
836 * we probably needs .pcrpkeyrd or so as additional PE section in UKIs,
837 which contains a separate public key for PCR values that only apply in the
838 initrd, i.e. in the boot phase "enter-initrd". Then, consumers in userspace
839 can easily bind resources to just the initrd. Similar, maybe one more for
840 "enter-initrd:leave-initrd" for resources that shall be accessible only
841 before unprivileged user code is allowed. (we only need this for .pcrpkey,
842 not for .pcrsig, since the latter is a list of signatures anyway). With that,
843 when you enroll a LUKS volume or similar, pick either the .pcrkey (for
844 coverage through all phases of the boot, but excluding shutdown), the
845 .pcrpkeyrd (for coverage in the initrd only) and .pcrpkeybt (for coverage
846 until users are allowed to log in).
848 * Once the root fs LUKS volume key is measured into PCR 15, default to binding
849 credentials to PCR 15 in "systemd-creds"
851 * add support for asymmetric LUKS2 TPM based encryption. i.e. allow preparing
852 an encrypted image on some host given a public key belonging to a specific
853 other host, so that only hosts possessing the private key in the TPM2 chip
854 can decrypt the volume key and activate the volume. Use case: systemd-confext
855 for a central orchestrator to generate confext images securely that can only
856 be activated on one specific host (which can be used for installing a bunch
857 of creds in /etc/credstore/ for example). Extending on this: allow binding
858 LUKS2 TPM based encryption also to the TPM2 internal clock. Net result:
859 prepare a confext image that can only be activated on a specific host that
860 runs a specific software in a specific time window. confext would be
861 automatically invalidated outside of it.
863 * maybe add a "systemd-report" tool, that generates a TPM2-backed "report" of
864 current system state, i.e. a combination of PCR information, local system
865 time and TPM clock, running services, recent high-priority log
866 messages/coredumps, system load/PSI, signed by the local TPM chip, to form an
867 enhanced remote attestation quote. Use case: a simple orchestrator could use
868 this: have the report tool upload these reports every 3min somewhere. Then
869 have the orchestrator collect these reports centrally over a 3min time
870 window, and use them to determine what which node should now start/stop what,
871 and generate a small confext for each node, that uses Uphold= to pin services
872 on each node. The confext would be encrypted using the asymmetric encryption
873 proposed above, so that it can only be activated on the specific host, if the
874 software is in a good state, and within a specific time frame. Then run a
875 loop on each node that sends report to orchestrator and then sysupdate to
876 update confext. Orchestrator would be stateless, i.e. operate on desired
877 config and collected reports in the last 3min time window only, and thus can
878 be trivially scaled up since all instances of the orchestrator should come to
879 the same conclusions given the same inputs of reports/desired workload info.
880 Could also be used to deliver Wireguard secrets and thus to clients, thus
881 permitting zero-trust networking: secrets are rolled over via confext updates,
882 and via the time window TPM logic invalidated if node doesn't keep itself
883 updated, or becomes corrupted in some way.
885 * in the initrd, once the rootfs encryption key has been measured to PCR 15,
886 derive default machine ID to use from it, and pass it to host PID 1.
888 * tree-wide: convert as much as possible over to use sd_event_set_signal_exit(), instead
889 of manually hooking into SIGINT/SIGTERM
891 * tree-wide: convert as much as possible over to SD_EVENT_SIGNAL_PROCMASK
892 instead of manual blocking.
894 * sd-boot: for each installed OS, grey out older entries (i.e. all but the
895 newest), to indicate they are obsolete
897 * automatically propagate LUKS password credential into cryptsetup from host
898 (i.e. SMBIOS type #11, …), so that one can unlock LUKS via VM hypervisor
901 * add ability to path_is_valid() to classify paths that refer to a dir from
902 those which may refer to anything, and use that in various places to filter
903 early. i.e. stuff ending in "/", "/." and "/.." definitely refers to a
904 directory, and paths ending that way can be refused early in many contexts.
906 * systemd-measure: allow operating with PEM certificates in addition to PEM
907 public keys when signing PCR values. SecureBoot and our Verity signatures
908 operate with certificates already, hence I guess we should also just deal for
909 convenience with certificates for the PCR stuff too.
911 * systemd-measure: add --pcrpkey-auto as an alternative to --pcrpkey=, where it
912 would just use the same public key specified with --public-key= (or the one
913 automatically derived from --private-key=).
915 * Add "purpose" flag to partition flags in discoverable partition spec that
916 indicate if partition is intended for sysext, for portable service, for
917 booting and so on. Then, when dissecting DDI allow specifying a purpose to
918 use as additional search condition. Use case: images that combined a sysext
919 partition with a portable service partition in one.
921 * On boot, auto-generate an asymmetric key pair from the TPM,
922 and use it for validating DDIs and credentials. Maybe upload it to the kernel
923 keyring, so that the kernel does this validation for us for verity and kernel
926 * for systemd-confext: add a tool that can generate suitable DDIs with verity +
927 sig using squashfs-tools-ng's library. Maybe just systemd-repart called under
928 a new name with a built-in config?
930 * lock down acceptable encrypted credentials at boot, via simple allowlist,
931 maybe on kernel command line:
932 systemd.import_encrypted_creds=foobar.waldo,tmpfiles.extra to protect locked
933 down kernels from credentials generated on the host with a weak kernel
935 * Add support for extra verity configuration options to systemd-repart (FEC,
938 * chase(): take inspiration from path_extract_filename() and return
939 O_DIRECTORY if input path contains trailing slash.
941 * chase(): refuse resolution if trailing slash is specified on input,
942 but final node is not a directory
944 * document in boot loader spec that symlinks in XBOOTLDR/ESP are not OK even if
947 * measure credentials picked up from SMBIOS to some suitable PCR
949 * measure GPT and LUKS headers somewhere when we use them (i.e. in
950 systemd-gpt-auto-generator/systemd-repart and in systemd-cryptsetup?)
952 * pick up creds from EFI vars
954 * Add and pickup tpm2 metadata for creds structure.
956 * sd-boot: we probably should include all BootXY EFI variable defined boot
957 entries in our menu, and then suppress ourselves. Benefit: instant
958 compatibility with all other OSes which register things there, in particular
959 on other disks. Always boot into them via NextBoot EFI variable, to not
962 * systemd-measure tool:
963 - pre-calculate PCR 12 (command line) + PCR 13 (sysext) the same way we can precalculate PCR 11
965 * in sd-boot: load EFI drivers from a new PE section. That way, one can have a
966 "supercharged" sd-boot binary, that could carry ext4 drivers built-in.
968 * sd-bus: document that sd_bus_process() only returns messages that non of the
969 filters/handlers installed on the connection took possession of.
971 * sd-device: add an API for acquiring list of child devices, given a device
972 objects (i.e. all child dirents that dirs or symlinks to dirs)
974 * sd-device: maybe pin the sysfs dir with an fd, during the entire runtime of
975 an sd_device, then always work based on that.
977 * maybe add new flags to gpt partition tables for rootfs and usrfs indicating
978 purpose, i.e. whether something is supposed to be bootable in a VM, on
979 baremetal, on an nspawn-style container, if it is a portable service image,
980 or a sysext for initrd, for host os, or for portable container. Then hook
981 portabled/… up to udev to watch block devices coming up with the flags set, and
984 * sd-boot should look for information what to boot in SMBIOS, too, so that VM
985 managers can tell sd-boot what to boot into and suchlike
987 * add "systemd-sysext identify" verb, that you can point on any file in /usr/
988 and that determines from which overlayfs layer it originates, which image, and with
991 * systemd-creds: extend encryption logic to support asymmetric
992 encryption/authentication. Idea: add new verb "systemd-creds public-key"
993 which generates a priv/pub key pair on the TPM2 and stores the priv key
994 locally in /var. It then outputs a certificate for the pub part to stdout.
995 This can then be copied/taken elsewhere, and can be used for encrypting creds
996 that only the host on its specific hw can decrypt. Then, support a drop-in
997 dir with certificates that can be used to authenticate credentials. Flow of
998 operations is then this: build image with owner certificate, then after
999 boot up issue "systemd-creds public-key" to acquire pubkey of the machine.
1000 Then, when passing data to the machine, sign with privkey belonging to one of
1001 the dropped in certs and encrypted with machine pubkey, and pass to machine.
1002 Machine is then able to authenticate you, and confidentiality is guaranteed.
1004 * building on top of the above, the pub/priv key pair generated on the TPM2
1005 should probably also one you can use to get a remote attestation quote.
1007 * Process credentials in:
1008 • crypttab-generator: allow defining additional crypttab-like volumes via
1009 credentials (similar: verity-generator, integrity-generator). Use
1010 fstab-generator logic as inspiration.
1011 • run-generator: allow defining additional commands to run via a credential
1012 • resolved: allow defining additional /etc/hosts entries via a credential (it
1013 might make sense to then synthesize a new combined /etc/hosts file in /run
1014 and bind mount it on /etc/hosts for other clients that want to read it.
1015 • repart: allow defining additional partitions via credential
1016 • timesyncd: pick NTP server info from credential
1017 • portabled: read a credential "portable.extra" or so, that takes a list of
1018 file system paths to enable on start.
1019 • make systemd-fstab-generator look for a system credential encoding root= or
1021 • in gpt-auto-generator: check partition uuids against such uuids supplied via
1022 sd-stub credentials. That way, we can support parallel OS installations with
1025 * define a JSON format for units, separating out unit definitions from unit
1026 runtime state. Then, expose it:
1028 1. Add Describe() method to Unit D-Bus object that returns a JSON object
1030 2. Expose this natively via Varlink, in similar style
1031 3. Use it when invoking binaries (i.e. make PID 1 fork off systemd-executor
1032 binary which reads the JSON definition and runs it), to address the cow
1033 trap issue and the fact that NSS is actually forbidden in
1034 forked-but-not-exec'ed children
1035 4. Add varlink API to run transient units based on provided JSON definitions
1037 * Add SUPPORT_END_URL= field to os-release with more *actionable* information
1038 what to do if support ended
1040 * pam_systemd: on interactive logins, maybe show SUPPORT_END information at
1041 login time, à la motd
1043 * sd-boot: instead of unconditionally deriving the ESP to search boot loader
1044 spec entries in from the paths of sd-boot binary, let's optionally allow it
1045 to be configured on sd-boot cmdline + efi var. Use case: embed sd-boot in the
1046 UEFI firmware (for example, ovmf supports that via qemu cmdline option), and
1047 use it to load stuff from the ESP.
1049 * mount /var/ from initrd, so that we can apply sysext and stuff before the
1050 initrd transition. Specifically:
1051 1. There should be a var= kernel cmdline option, matching root= and usr=
1052 2. systemd-gpt-auto-generator should auto-mount /var if it finds it on disk
1053 3. mount.x-initrd mount option in fstab should be implied for /var
1055 * make persistent restarts easier by adding a new setting OpenPersistentFile=
1056 or so, which allows opening one or more files that is "persistent" across
1057 service restarts, hot reboot, cold reboots (depending on configuration): the
1058 files are created empty on first invocation, and on subsequent invocations
1059 the files are reboot. The files would be backed by tmpfs, pmem or /var
1060 depending on desired level of persistency.
1062 * sd-event: add ability to "chain" event sources. Specifically, add a call
1063 sd_event_source_chain(x, y), which will automatically enable event source y
1064 in oneshot mode once x is triggered. Use case: in src/core/mount.c implement
1065 the /proc/self/mountinfo rescan on SIGCHLD with this: whenever a SIGCHLD is
1066 seen, trigger the rescan defer event source automatically, and allow it to be
1067 dispatched *before* the SIGCHLD is handled (based on priorities). Benefit:
1068 dispatch order is strictly controlled by priorities again. (next step: chain
1069 event sources to the ratelimit being over)
1071 * if we fork of a service with StandardOutput=journal, and it forks off a
1072 subprocess that quickly dies, we might not be able to identify the cgroup it
1073 comes from, but we can still derive that from the stdin socket its output
1074 came from. We apparently don't do that right now.
1076 * add ability to set hostname with suffix derived from machine id at boot
1078 * add PR_SET_DUMPABLE service setting
1080 * homed/userdb: maybe define a "companion" dir for home directories where apps
1081 can safely put privileged stuff in. Would not be writable by the user, but
1082 still conceptually belong to the user. Would be included in user's quota if
1083 possible, even if files are not owned by UID of user. Use case: container
1084 images that owned by arbitrary UIDs, and are owned/managed by the users, but
1085 are not directly belonging to the user's UID. Goal: we shouldn't place more
1086 privileged dirs inside of unprivileged dirs, and thus containers really
1087 should not be placed inside of traditional UNIX home dirs (which are owned by
1088 users themselves) but somewhere else, that is separate, but still close
1089 by. Inform user code about path to this companion dir via env var, so that
1090 container managers find it. the ~/.identity file is also a candidate for a
1091 file to move there, since it is managed by privileged code (i.e. homed) and
1092 not unprivileged code.
1094 * maybe add support for binding and connecting AF_UNIX sockets in the file
1095 system outside of the 108ch limit. When connecting, open O_PATH fd to socket
1096 inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink
1097 to target dir in /tmp, and bind through it.
1099 * add a proper concept of a "developer" mode, i.e. where cryptographic
1100 protections of the root OS are weakened after interactive confirmation, to
1101 allow hackers to allow their own stuff. idea: allow entering developer mode
1102 only via explicit choice in boot menu: i.e. add explicit boot menu item for
1103 it. When developer mode is entered, generate a key pair in the TPM2, and add
1104 the public part of it automatically to keychain of valid code signature keys
1105 on subsequent boots. Then provide a tool to sign code with the key in the
1106 TPM2. Ensure that boot menu item is the only way to enter developer mode, by
1107 binding it to locality/PCRs so that keys cannot be generated otherwise.
1109 * services: add support for cryptographically unlocking per-service directories
1110 via TPM2. Specifically, for StateDirectory= (and related dirs) use fscrypt to
1111 set up the directory so that it can only be accessed if host and app are in
1114 * update HACKING.md to suggest developing systemd with the ideas from:
1115 https://0pointer.net/blog/testing-my-system-code-in-usr-without-modifying-usr.html
1116 https://0pointer.net/blog/running-an-container-off-the-host-usr.html
1118 * sd-event: compat wd reuse in inotify code: keep a set of removed watch
1119 descriptors, and clear this set piecemeal when we see the IN_IGNORED event
1120 for it, or when read() returns EAGAIN or on IN_Q_OVERFLOW. Then, whenever we
1121 see an inotify wd event check against this set, and if it is contained ignore
1122 the event. (to be fully correct this would have to count the occurrences, in
1123 case the same wd is reused multiple times before we start processing
1126 * for vendor-built signed initrds:
1127 - kernel-install should be able to install encrypted creds automatically for
1128 machine id, root pw, rootfs uuid, resume partition uuid, and place next to
1129 EFI kernel, for sd-stub to pick them up. These creds should be locked to
1130 the TPM, and bind to the right PCR the kernel is measured to.
1131 - kernel-install should be able to pick up initrd sysexts automatically and
1132 place them next to EFI kernel, for sd-stub to pick them up.
1133 - systemd-fstab-generator should look for rootfs device to mount in creds
1134 - systemd-resume-generator should look for resume partition uuid in creds
1135 - sd-stub: automatically pick up microcode from ESP (/loader/microcode/*)
1136 and synthesize initrd from it, and measure it. Signing is not necessary, as
1137 microcode does that on its own. Pass as first initrd to kernel.
1139 * Maybe extend the service protocol to support handling of some specific SIGRT
1140 signal for setting service log level, that carries the level via the
1141 sigqueue() data parameter. Enable this via unit file setting.
1143 * sd_notify/vsock: maybe support binding to AF_VSOCK in Type=notify services,
1144 then passing $NOTIFY_SOCKET and $NOTIFY_GUESTCID with PID1's cid (typically
1145 fixed to "2", i.e. the official host cid) and the expected guest cid, for the
1146 two sides of the channel. The latter env var could then be used in an
1147 appropriate qemu cmdline. That way qemu payloads could talk sd_notify()
1148 directly to host service manager.
1150 * sd-device has an API to create an sd_device object from a device id, but has
1151 no api to query the device id
1153 * sd-device should return the devnum type (i.e. 'b' or 'c') via some API for an
1154 sd_device object, so that data passed into sd_device_new_from_devnum() can
1157 * sd-event: optionally, if per-event source rate limit is hit, downgrade
1158 priority, but leave enabled, and once ratelimit window is over, upgrade
1159 priority again. That way we can combat event source starvation without
1160 stopping processing events from one source entirely.
1162 * sd-event: similar to existing inotify support add fanotify support (given
1163 that apparently new features in this area are only going to be added to the
1166 * sd-event: add 1st class event source for clock changes
1168 * sd-event: add 1st class event source for timezone changes
1170 * support uefi/http boots with sd-boot: instead of looking for dropin files in
1171 /loader/entries/ dir, look for a file /loader/entries/SHA256SUMS and use that
1172 as directory manifest. The file would be a standard directory listing as
1173 generated by GNU sha256sums.
1175 * sd-boot: maybe add support for embedding the various auxiliary resources we
1176 look for right in the sd-boot binary. i.e. take inspiration from sd-stub
1177 logic: allow combining sd-boot via ukify with kernels to enumerate, .conf
1178 files, drivers, keys to enroll and so on. Then, add whatever we find that way
1179 to the menu. Use case: allow building a single PE image you can boot into via
1182 * maybe add a new UEFI stub binary "sd-http". It works similar to sd-stub, but
1183 all it does is download a file from a http server, and execute it, after
1184 optionally checking its hash sum. idea would be: combine this "sd-http" stub
1185 binary with some minimal info about a URL + hash sum, plus .osrel data, and
1186 drop it into the unified kernel dir in the ESP. And bam you have something
1187 that is tiny, feels a lot like a unified kernel, but all it does is chainload
1188 the real kernel. benefit: downloading these stubs would be tiny and quick,
1189 hence cheap for enumeration.
1191 * sysext: measure all activated sysext into a TPM PCR
1193 * systemd-dissect: show available versions inside of a disk image, i.e. if
1194 multiple versions are around of the same resource, show which ones. (in other
1195 words: show partition labels).
1197 * maybe add a generator that reads /proc/cmdline, looks for
1198 systemd.pull-raw-portable=, systemd-pull-raw-sysext= and similar switches
1199 that take a URL as parameter. It then generates service units for
1200 systemd-pull calls that download these URLs if not installed yet. Use case:
1201 invoke a VM or nspawn container in a way it automatically deploys/runs these
1202 images as OS payloads. i.e. have a generic OS image you can point to any
1203 payload you like, which is then downloaded, securely verified and run.
1205 * deprecate cgroupsv1 further (print log message at boot)
1207 * systemd-dissect: add --cat switch for dumping files such as /etc/os-release
1209 * per-service sandboxing option: ProtectIds=. If used, will overmount
1210 /etc/machine-id and /proc/sys/kernel/random/boot_id with synthetic files, to
1211 make it harder for the service to identify the host. Depending on the user
1212 setting it should be fully randomized at invocation time, or a hash of the
1213 real thing, keyed by the unit name or so. Of course, there are other ways to
1214 get these IDs (e.g. journal) or similar ids (e.g. MAC addresses, DMI ids, CPU
1215 ids), so this knob would only be useful in combination with other lockdown
1216 options. Particularly useful for portable services, and anything else that
1217 uses RootDirectory= or RootImage=. (Might also over-mount
1218 /sys/class/dmi/id/*{uuid,serial} with /dev/null).
1220 * doc: prep a document explaining resolved's internal objects, i.e. Query
1221 vs. Question vs. Transaction vs. Stream and so on.
1223 * doc: prep a document explaining PID 1's internal logic, i.e. transactions,
1226 * bootspec: bring UEFI and userspace enumeration of bootspec entries back into
1227 sync, i.e. parse out architecture field in sd-boot (currently only done in
1230 * automatically ignore threaded cgroups in cg_xyz().
1232 * add linker script that implicitly adds symbol for build ID and new coredump
1233 json package metadata, and use that when logging
1235 * Enable RestrictFileSystems= for all our long-running services (similar:
1236 RestrictNetworkInterfaces=)
1238 * Add systemd-analyze security checks for RestrictFileSystems= and
1239 RestrictNetworkInterfaces=
1241 * cryptsetup/homed: implement TOTP authentication backed by TPM2 and its
1244 * man: rework os-release(5), and clearly separate our extension-release.d/ and
1245 initrd-release parts, i.e. list explicitly which fields are about what.
1247 * sysext: before applying a sysext, do a superficial validation run so that
1248 things are not rearranged to wildy. I.e. protect against accidental fuckups,
1249 such as masking out /usr/lib/ or so. We should probably refuse if existing
1250 inodes are replaced by other types of inodes or so.
1252 * userdb: when synthesizing NSS records, pick "best" password from defined
1253 passwords, not just the first. i.e. if there are multiple defined, prefer
1254 unlocked over locked and prefer non-empty over empty.
1256 * homed: if the homed shell fallback thing has access to an SSH agent, try to
1257 use it to unlock home dir (if ssh-agent forwarding is enabled). We
1258 could implement SSH unlocking of a homedir with that: when enrolling a new
1259 ssh pubkey in a user record we'd ask the ssh-agent to sign some random value
1260 with the privkey, then use that as luks key to unlock the home dir. Will not
1261 work for ECDSA keys since their signatures contain a random component, but
1262 will work for RSA and Ed25519 keys.
1264 * add tiny service that decrypts encrypted user records passed via initrd
1265 credential logic and drops them into /run where nss-systemd can pick them up,
1266 similar to /run/host/userdb/. Use case: drop a root user JSON record there,
1267 and use it in the initrd to log in as root with locally selected password,
1268 for debugging purposes. Other use case: boot into qemu with regular user
1269 mounted from host. maybe put this in systemd-user-sessions.service?
1271 * drop dependency on libcap, replace by direct syscalls based on
1272 CapabilityQuintet we already have. (This likely allows us to drop libcap
1273 dep in the base OS image)
1275 * add concept for "exitrd" as inverse of "initrd", that we can transition to at
1276 shutdown, and has similar security semantics. This should then take the place
1277 of dracut's shutdown logic. Should probably support sysexts too. Care needs
1278 to be taken that the resulting logic ends up in RAM, i.e. is copied out of
1281 * userdbd: implement an additional varlink service socket that provides the
1282 host user db in restricted form, then allow this to be bind mounted into
1283 sandboxed environments that want the host database in minimal form. All
1284 records would be stripped of all meta info, except the basic UID/name
1285 info. Then use this in portabled environments that do not use PrivateUsers=1.
1287 * portabled: when extracting unit files and copying to system.attached, if a
1288 .p7s is available in the image, use it to protect the system.attached copy
1289 with fs-verity, so that it cannot be tampered with
1291 * /etc/veritytab: allow that the roothash column can be specified as fs path
1292 including a path to an AF_UNIX path, similar to how we do things with the
1293 keys of /etc/crypttab. That way people can store/provide the roothash
1294 externally and provide to us on demand only.
1296 * we probably should extend the root verity hash of the root fs into some PCR
1297 on boot. (i.e. maybe add a veritytab option tpm2-measure=12 or so to measure
1298 it into PCR 12); Similar: we probably should extend the LUKS volume key of
1299 the root fs into some PCR on boot. (i.e. maybe add a crypttab option
1300 tpm2-measure=15 or so to measure it into PCR 15); once both are in place
1301 update gpt-auto-discovery to generate these by default for the partitions it
1302 discovers. Static vendor stuff should probably end up in PCR 12 (i.e. the
1303 verity hash), with local keys in PCR 15 (i.e. the encryption volume
1304 key). That way, we nicely distinguish resources supplied by the OS vendor
1305 (i.e. sysext, root verity) from those inherently local (i.e. encryption key),
1306 which is useful if they shall be signed separately.
1308 * in uefi stub: query firmware regarding which PCR banks are being used, store
1309 that in EFI var. then use this when enrolling TPM2 in cryptsetup to verify
1310 that the selected PCRs actually are used by firmware.
1312 * rework recursive read-only remount to use new mount API
1314 * PAM: pick up authentication token from credentials
1316 * when mounting disk images: if IMAGE_ID/IMAGE_VERSION is set in os-release
1317 data in the image, make sure the image filename actually matches this, so
1318 that images cannot be misused.
1320 * New udev block device symlink names:
1321 /dev/disk/by-parttypelabel/<pttype>-<ptlabel>. Use case: if pt label is used
1322 as partition image version string, this is a safe way to reference a specific
1323 version of a specific partition type, in particular where related partitions
1324 are processed (e.g. verity + rootfs both named "LennartOS_0.7").
1327 - add fuzzing to the pattern parser
1328 - support casync as download mechanism
1329 - "systemd-sysupdate update --all" support, that iterates through all components
1330 defined on the host, plus all images installed into /var/lib/machines/,
1331 /var/lib/portable/ and so on.
1332 - figure out what to do about system extensions (i.e. they need to imply an
1333 update component, since otherwise sysupdate.d/ files would override the
1334 host's update files.)
1335 - Allow invocation with a single transfer definition, i.e. with
1336 --definitions= pointing to a file rather than a dir.
1337 - add ability to disable implicit decompression of downloaded artifacts,
1338 i.e. a Compress=no option in the transfer definitions
1340 * in sd-id128: also parse UUIDs in RFC4122 URN syntax (i.e. chop off urn:uuid: prefix)
1342 * DynamicUser= + StateDirectory= → use uid mapping mounts, too, in order to
1343 make dirs appear under right UID.
1345 * systemd-sysext: optionally, run it in initrd already, before transitioning
1346 into host, to open up possibility for services shipped like that.
1348 * introduce /dev/disk/root/* symlinks that allow referencing partitions on the
1349 disk the rootfs is on in a reasonably secure way. (or maybe: add
1350 /dev/gpt-auto-{home,srv,boot,…} similar in style to /dev/gpt-auto-root as we
1353 * whenever we receive fds via SCM_RIGHTS make sure none got dropped due to the
1354 reception limit the kernel silently enforces.
1356 * Add service unit setting ConnectStream= which takes IP addresses and connects to them.
1358 * Similar, Load= which takes literal data in text or base64 format, and puts it
1359 into a memfd, and passes that. This enables some fun stuff, such as embedding
1360 bash scripts in unit files, by combining Load= with ExecStart=/bin/bash
1363 * add a ConnectSocket= setting to service unit files, that may reference a
1364 socket unit, and which will connect to the socket defined therein, and pass
1365 the resulting fd to the service program via socket activation proto.
1367 * Add a concept of ListenStream=anonymous to socket units: listen on a socket
1368 that is deleted in the fs. Use case would be with ConnectSocket= above.
1370 * importd: support image signature verification with PKCS#7 + OpenBSD signify
1371 logic, as alternative to crummy gpg
1373 * add "systemd-analyze debug" + AttachDebugger= in unit files: The former
1374 specifies a command to execute; the latter specifies that an already running
1375 "systemd-analyze debug" instance shall be contacted and execution paused
1376 until it gives an OK. That way, tools like gdb or strace can be safely be
1377 invoked on processes forked off PID 1.
1379 * expose MS_NOSYMFOLLOW in various places
1381 * credentials system:
1382 - acquire from EFI variable?
1383 - acquire via ask-password?
1384 - acquire creds via keyring?
1385 - pass creds via keyring?
1386 - pass creds via memfd?
1387 - acquire + decrypt creds from pkcs11?
1388 - make systemd-cryptsetup acquire pw via creds logic
1389 - make PAMName= acquire pw via creds logic
1390 - make macsec code in networkd read key via creds logic (copy logic from
1392 - make gatewayd/remote read key via creds logic
1393 - add sd_notify() command for flushing out creds not needed anymore
1395 * TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades
1398 * introduce a new group to own TPM devices
1400 * cryptsetup: add option for automatically removing empty password slot on boot
1402 * cryptsetup: optionally, when run during boot-up and password is never
1403 entered, and we are on battery power (or so), power off machine again
1405 * cryptsetup: when waiting for FIDO2/PKCS#11 token, tell plymouth that, and
1406 allow plymouth to abort the waiting and enter pw instead
1408 * make cryptsetup lower --iter-time
1410 * cryptsetup: allow encoding key directly in /etc/crypttab, maybe with a
1411 "base64:" prefix. Useful in particular for pkcs11 mode.
1413 * cryptsetup: reimplement the mkswap/mke2fs in cryptsetup-generator to use
1414 systemd-makefs.service instead.
1417 - cryptsetup-generator: allow specification of passwords in crypttab itself
1418 - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator
1420 * systemd-analyze netif that explains predictable interface (or networkctl)
1422 * Add service setting to run a service within the specified VRF. i.e. do the
1423 equivalent of "ip vrf exec".
1425 * special case some calls of chase() to use openat2() internally, so
1426 that the kernel does what we otherwise do.
1428 * add a new flag to chase() that stops chasing once the first missing
1429 component is found and then allows the caller to create the rest.
1431 * make use of new glibc 2.32 APIs sigabbrev_np() and strerrorname_np().
1433 * if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
1435 * pid1: also remove PID files of a service when the service starts, not just
1438 * make us use dynamically fewer deps for containers in general purpose distros:
1439 o turn into dlopen() deps:
1440 - kmod-libs (only when called from PID 1)
1441 - libblkid (only in RootImage= handling in PID 1, but not elsewhere)
1442 - libpam (only when called from PID 1)
1443 - bzip2 (always — gzip should probably stay static dep the way it is,
1444 since it's so basic and our defaults)
1446 * seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can.
1447 Apparently kernel performance is much better with fewer larger seccomp
1448 filters than with more smaller seccomp filters.
1450 * systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum,
1451 mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such
1453 * seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out
1455 * seccomp: don't install filters for ABIs that are masked anyway for the
1458 * busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
1459 exists and responds.
1461 * socket units: allow creating a udev monitor socket with ListenDevices= or so,
1462 with matches, then activate app through that passing socket over
1465 - kill gnutls support in resolved
1466 - figure out what to do about libmicrohttpd, which has a hard dependency on
1468 - port fsprg over to a dlopen lib, then switch it to openssl
1470 * add growvol and makevol options for /etc/crypttab, similar to
1471 x-systemd.growfs and x-systemd-makefs.
1473 * userdb: allow username prefix searches in varlink API, allow realname and
1474 realname substr searches in varlink API
1476 * userdb: allow uid/gid range checks
1478 * userdb: allow existence checks
1480 * pid1: activation by journal search expression
1482 * when switching root from initrd to host, set the machine_id env var so that
1483 if the host has no machine ID set yet we continue to use the random one the
1486 * sd-event: add native support for P_ALL waitid() watching, then move PID 1 to
1487 it for reaping assigned but unknown children. This needs to some special care
1488 to operate somewhat sensibly in light of priorities: P_ALL will return
1489 arbitrary processes, regardless of the priority we want to watch them with,
1490 hence on each event loop iteration check all processes which we shall watch
1491 with higher prio explicitly, and then watch the entire rest with P_ALL.
1493 * tweak sd-event's child watching: keep a prioq of children to watch and use
1494 waitid() only on the children with the highest priority until one is waitable
1495 and ignore all lower-prio ones from that point on
1497 * maybe introduce xattrs that can be set on the root dir of the root fs
1498 partition that declare the volatility mode to use the image in. Previously I
1499 thought marking this via GPT partition flags but that's not ideal since
1500 that's outside of the LUKS encryption/verity verification, and we probably
1501 shouldn't operate in a volatile mode unless we got told so from a trusted
1504 * coredump: maybe when coredumping read a new xattr from /proc/$PID/exe that
1505 may be used to mark a whole binary as non-coredumpable. Would fix:
1506 https://bugs.freedesktop.org/show_bug.cgi?id=69447
1508 * teach parse_timestamp() timezones like the calendar spec already knows it
1510 * We should probably replace /etc/rc.d/README with a symlink to doc
1511 content. After all it is constant vendor data.
1513 * maybe add kernel cmdline params: to force random seed crediting
1515 * introduce a new per-process uuid, similar to the boot id, the machine id, the
1516 invocation id, that is derived from process creds, specifically a hashed
1517 combination of AT_RANDOM + getpid() + the starttime from
1518 /proc/self/status. Then add these ids implicitly when logging. Deriving this
1519 uuid from these three things has the benefit that it can be derived easily
1520 from /proc/$PID/ in a stable, and unique way that changes on both fork() and
1523 * let's not GC a unit while its ratelimits are still pending
1525 * when killing due to service watchdog timeout maybe detect whether target
1526 process is under ptracing and then log loudly and continue instead.
1528 * make rfkill uaccess controllable by default, i.e. steal rule from
1529 gnome-bluetooth and friends
1531 * make MAINPID= message reception checks even stricter: if service uses User=,
1532 then check sending UID and ignore message if it doesn't match the user or
1535 * maybe trigger a uevent "change" on a device if "systemctl reload xyz.device"
1538 * when importing an fs tree with machined, optionally apply userns-rec-chown
1540 * when importing an fs tree with machined, complain if image is not an OS
1542 * Maybe introduce a helper safe_exec() or so, which is to execve() which
1543 safe_fork() is to fork(). And then make revert the RLIMIT_NOFILE soft limit
1544 to 1K implicitly, unless explicitly opted-out.
1546 * rework seccomp/nnp logic that even if User= is used in combination with
1547 a seccomp option we don't have to set NNP. For that, change uid first whil
1548 keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap.
1550 * when no locale is configured, default to UEFI's PlatformLang variable
1552 * add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and
1553 usefaultd() and make systemd-analyze check for it.
1555 * paranoia: whenever we process passwords, call mlock() on the memory
1556 first. i.e. look for all places we use free_and_erasep() and
1557 augment them with mlock(). Also use MADV_DONTDUMP.
1558 Alternatively (preferably?) use memfd_secret().
1560 * Move RestrictAddressFamily= to the new cgroup create socket
1562 * optionally: turn on cgroup delegation for per-session scope units
1564 * sd-boot: optionally, show boot menu when previous default boot item has
1565 non-zero "tries done" count
1567 * augment CODE_FILE=, CODE_LINE= with something like CODE_BASE= or so which
1568 contains some identifier for the project, which allows us to include
1569 clickable links to source files generating these log messages. The identifier
1570 could be some abberviated URL prefix or so (taking inspiration from Go
1571 imports). For example, for systemd we could use
1572 CODE_BASE=github.com/systemd/systemd/blob/98b0b1123cc or so which is
1573 sufficient to build a link by prefixing "http://" and suffixing the
1576 * Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can
1577 make clickable links from log messages carrying a MESSAGE_ID, that lead to
1578 some explanatory text online.
1580 * maybe extend .path units to expose fanotify() per-mount change events
1582 * hibernate/s2h: if swap is on weird storage and refuse if so
1584 * cgroups: use inotify to get notified when somebody else modifies cgroups
1585 owned by us, then log a friendly warning.
1587 * beef up log.c with support for stripping ANSI sequences from strings, so that
1588 it is OK to include them in log strings. This would be particularly useful so
1589 that our log messages could contain clickable links for example for unit
1590 files and suchlike we operate on.
1592 * add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration)
1594 * sync dynamic uids/gids between host+portable srvice (i.e. if DynamicUser=1 is set for a service, make sure that the
1595 selected user is resolvable in the service even if it ships its own /etc/passwd)
1597 * Fix DECIMAL_STR_MAX or DECIMAL_STR_WIDTH. One includes a trailing NUL, the
1598 other doesn't. What a disaster. Probably to exclude it.
1600 * Check that users of inotify's IN_DELETE_SELF flag are using it properly, as
1601 usually IN_ATTRIB is the right way to watch deleted files, as the former only
1602 fires when a file is actually removed from disk, i.e. the link count drops to
1603 zero and is not open anymore, while the latter happens when a file is
1604 unlinked from any dir.
1606 * port systemctl, busctl, … over to format-table.[ch]'s table formatters
1608 * pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up
1610 * add --vacuum-xyz options to coredumpctl, matching those journalctl already has.
1612 * add CopyFile= or so as unit file setting that may be used to copy files or
1613 directory trees from the host to the services RootImage= and RootDirectory=
1614 environment. Which we can use for /etc/machine-id and in particular
1615 /etc/resolv.conf. Should be smart and do something useful on read-only
1616 images, for example fall back to read-only bind mounting the file instead.
1618 * bypass SIGTERM state in unit files if KillSignal is SIGKILL
1620 * add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1
1621 and so on, which would mean we could report errors and such.
1623 * introduce DefaultSlice= or so in system.conf that allows changing where we
1624 place our units by default, i.e. change system.slice to something
1625 else. Similar, ManagerSlice= should exist so that PID1's own scope unit could
1626 be moved somewhere else too. Finally machined and logind should get similar
1627 options so that it is possible to move user session scopes and machines to a
1628 different slice too by default. Use case: people who want to put resources on
1629 the entire system, with the exception of one specific service. See:
1630 https://lists.freedesktop.org/archives/systemd-devel/2018-February/040369.html
1632 * maybe rework get_user_creds() to query the user database if $SHELL is used
1633 for root, but only then.
1635 * calenderspec: add support for week numbers and day numbers within a
1636 year. This would allow us to define "bi-weekly" triggers safely.
1638 * sd-bus: add vtable flag, that may be used to request client creds implicitly
1639 and asynchronously before dispatching the operation
1641 * sd-bus: parse addresses given in sd_bus_set_addresses immediately and not
1642 only when used. Add unit tests.
1644 * make use of ethtool veth peer info in machined, for automatically finding out
1645 host-side interface pointing to the container.
1647 * add some special mode to LogsDirectory=/StateDirectory=… that allows
1648 declaring these directories without necessarily pulling in deps for them, or
1649 creating them when starting up. That way, we could declare that
1650 systemd-journald writes to /var/log/journal, which could be useful when we
1651 doing disk usage calculations and so on.
1653 * deprecate RootDirectoryStartOnly= in favour of a new ExecStart= prefix char
1655 * support projid-based quota in machinectl for containers
1657 * add a way to lock down cgroup migration: a boolean, which when set for a unit
1658 makes sure the processes in it can never migrate out of it
1660 * blog about fd store and restartable services
1662 * document Environment=SYSTEMD_LOG_LEVEL=debug drop-in in debugging document
1664 * rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its
1665 magic meaning and is no longer upgraded to something else if set explicitly.
1667 * in the long run: permit a system with /etc/machine-id linked to /dev/null, to
1668 make it lose its identity, i.e. be anonymous. For this we'd have to patch
1669 through the whole tree to make all code deal with the case where no machine
1672 * optionally, collect cgroup resource data, and store it in per-unit RRD files,
1673 suitable for processing with rrdtool. Add bus API to access this data, and
1674 possibly implement a CPULoad property based on it.
1676 * beef up pam_systemd to take unit file settings such as cgroups properties as
1679 * maybe hook up xfs/ext4 quotactl() with services? i.e. automatically manage
1680 the quota of the user indicated in User= via unit file settings, like the
1681 other resource management concepts. Would mix nicely with DynamicUser=1. Or
1682 alternatively, do this with projids, so that we can also cover services
1683 running as root. Quota should probably cover all the special dirs such as
1684 StateDirectory=, LogsDirectory=, CacheDirectory=, as well as RootDirectory= if it
1685 is set, plus the whole disk space any image configured with RootImage=.
1687 * In DynamicUser= mode: before selecting a UID, use disk quota APIs on relevant
1688 disks to see if the UID is already in use.
1690 * Add AddUser= setting to unit files, similar to DynamicUser=1 which however
1691 creates a static, persistent user rather than a dynamic, transient user. We
1692 can leverage code from sysusers.d for this.
1694 * add some optional flag to ReadWritePaths= and friends, that has the effect
1695 that we create the dir in question when the service is started. Example:
1697 ReadWritePaths=:/var/lib/foobar
1699 * Add ExecMonitor= setting. May be used multiple times. Forks off a process in
1700 the service cgroup, which is supposed to monitor the service, and when it
1701 exits the service is considered failed by its monitor.
1703 * track the per-service PAM process properly (i.e. as an additional control
1704 process), so that it may be queried on the bus and everything.
1706 * add a new "debug" job mode, that is propagated to unit_start() and for
1707 services results in two things: we raise SIGSTOP right before invoking
1708 execve() and turn off watchdog support. Then, use that to implement
1709 "systemd-gdb" for attaching to the start-up of any system service in its
1712 * gpt-auto logic: support encrypted swap, add kernel cmdline option to force
1713 it, and honour a gpt bit about it, plus maybe a configuration file
1715 * add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and
1716 then use that for the setting used in user@.service. It should be understood
1717 relative to the configured default value.
1719 * enable LockMLOCK to take a percentage value relative to physical memory
1721 * Permit masking specific netlink APIs with RestrictAddressFamily=
1723 * define gpt header bits to select volatility mode
1725 * ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
1727 * ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
1729 * ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
1731 * ProtectKeyRing= to take keyring calls away
1733 * RemoveKeyRing= to remove all keyring entries of the specified user
1735 * ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill
1736 on PID 1 with the relevant signals, and makes relevant files in /sys and
1737 /proc (such as the sysrq stuff) unavailable
1739 * Support ReadWritePaths/ReadOnlyPaths/InaccessiblePaths in systemd --user instances
1740 via the new unprivileged Landlock LSM (https://landlock.io)
1742 * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
1744 * in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set,
1745 find a way to map the User=/Group= of the service to the right name. This way
1746 a user/group for a service only has to exist on the host for the right
1749 * add bus API for creating unit files in /etc, reusing the code for transient units
1751 * add bus API to remove unit files from /etc
1753 * add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only)
1755 * rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the
1756 kernel doesn't support linkat() that replaces existing files, currently)
1758 * transient units: don't bother with actually setting unit properties, we
1759 reload the unit file anyway
1761 * optionally, also require WATCHDOG=1 notifications during service start-up and shutdown
1763 * cache sd_event_now() result from before the first iteration...
1765 * PID1: find a way how we can reload unit file configuration for
1766 specific units only, without reloading the whole of systemd
1768 * add an explicit parser for LimitRTPRIO= that verifies
1769 the specified range and generates sane error messages for incorrect
1772 * when we detect that there are waiting jobs but no running jobs, do something
1774 * PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn)
1776 * there's probably something wrong with having user mounts below /sys,
1777 as we have for debugfs. for example, src/core/mount.c handles mounts
1778 prefixed with /sys generally special.
1779 https://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html
1781 * fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline
1783 * docs: bring https://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date
1785 * add a job mode that will fail if a transaction would mean stopping
1786 running units. Use this in timedated to manage the NTP service
1788 https://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html
1790 * The udev blkid built-in should expose a property that reflects
1791 whether media was sensed in USB CF/SD card readers. This should then
1792 be used to control SYSTEMD_READY=1/0 so that USB card readers aren't
1793 picked up by systemd unless they contain a medium. This would mirror
1794 the behaviour we already have for CD drives.
1796 * hostnamectl: show root image uuid
1798 * Find a solution for SMACK capabilities stuff:
1799 https://lists.freedesktop.org/archives/systemd-devel/2014-December/026188.html
1801 * synchronize console access with BSD locks:
1802 https://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html
1804 * as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads:
1805 https://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html
1807 * figure out when we can use the coarse timers
1809 * maybe allow timer units with an empty Units= setting, so that they
1810 can be used for resuming the system but nothing else.
1812 * what to do about udev db binary stability for apps? (raw access is not an option)
1814 * exponential backoff in timesyncd when we cannot reach a server
1816 * timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM
1818 * add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL
1819 (throughout the codebase, not only PID1)
1821 * drop nss-myhostname in favour of nss-resolve?
1825 - service registration
1826 - service/domain/types browsing
1828 - DNS-SD service registration from socket units
1829 - resolved should optionally register additional per-interface LLMNR
1830 names, so that for the container case we can establish the same name
1831 (maybe "host") for referencing the server, everywhere.
1832 - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?)
1833 - hook up resolved with machined-based address resolution
1835 * refcounting in sd-resolve is borked
1837 * add new gpt type for btrfs volumes
1839 * generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them.
1841 * a way for container managers to turn off getty starting via $container_headless= or so...
1843 * figure out a nice way how we can let the admin know what child/sibling unit causes cgroup membership for a specific unit
1845 * For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services
1846 they run added to the initial transaction and thus confuse Type=idle.
1848 * add bus api to query unit file's X fields.
1850 * gpt-auto-generator:
1851 - Define new partition type for encrypted swap? Support probed LUKS for encrypted swap?
1852 - Make /home automount rather than mount?
1854 * add generator that pulls in systemd-network from containers when
1855 CAP_NET_ADMIN is set, more than the loopback device is defined, even
1856 when it is otherwise off
1858 * MessageQueueMessageSize= (and suchlike) should use parse_iec_size().
1860 * implement Distribute= in socket units to allow running multiple
1861 service instances processing the listening socket, and open this up
1865 - implement per-slice CPUFairScheduling=1 switch
1866 - introduce high-level settings for RT budget, swappiness
1867 - how to reset dynamically changed unit cgroup attributes sanely?
1868 - when reloading configuration, apply new cgroup configuration
1869 - when recursively showing the cgroup hierarchy, optionally also show
1870 the hierarchies of child processes
1871 - add settings for cgroup.max.descendants and cgroup.max.depth,
1872 maybe use them for user@.service
1875 - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt
1877 * when we detect low battery and no AC on boot, show pretty splash and refuse boot
1879 * libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops
1881 * be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1
1883 * rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it
1885 * If we try to find a unit via a dangling symlink, generate a clean
1886 error. Currently, we just ignore it and read the unit from the search
1889 * refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up
1891 * man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted.
1893 * There's currently no way to cancel fsck (used to be possible via C-c or c on the console)
1895 * add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/
1897 * make sure systemd-ask-password-wall does not shutdown systemd-ask-password-console too early
1899 * verify that the AF_UNIX sockets of a service in the fs still exist
1900 when we start a service in order to avoid confusion when a user
1901 assumes starting a service is enough to make it accessible
1903 * Make it possible to set the keymap independently from the font on
1904 the kernel cmdline. Right now setting one resets also the other.
1906 * and a dbus call to generate target from current state
1908 * investigate whether the gnome pty helper should be moved into systemd, to provide cgroup support.
1910 * dot output for --test showing the 'initial transaction'
1912 * be able to specify a forced restart of service A where service B depends on, in case B
1913 needs to be auto-respawned?
1916 - When logging about multiple units (stopping BoundTo units, conflicts, etc.),
1917 log both units as UNIT=, so that journalctl -u triggers on both.
1918 - generate better errors when people try to set transient properties
1919 that are not supported...
1920 https://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html
1921 - recreate systemd's D-Bus private socket file on SIGUSR2
1922 - move PAM code into its own binary
1923 - when we automatically restart a service, ensure we restart its rdeps, too.
1924 - hide PAM options in fragment parser when compile time disabled
1925 - Support --test based on current system state
1926 - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle().
1927 - after deserializing sockets in socket.c we should reapply sockopts and things
1928 - drop PID 1 reloading, only do reexecing (difficult: Reload()
1929 currently is properly synchronous, Reexec() is weird, because we
1930 cannot delay the response properly until we are back, so instead of
1931 being properly synchronous we just keep open the fd and close it
1932 when done. That means clients do not get a successful method reply,
1933 but much rather a disconnect on success.
1934 - when breaking cycles drop sysv services first, then services from /run, then from /etc, then from /usr
1935 - when a bus name of a service disappears from the bus make sure to queue further activation requests
1936 - maybe introduce CoreScheduling=yes/no to optionally set a PR_SCHED_CORE cookie, so that all
1937 processes in a service's cgroup share the same cookie and are guaranteed not to share SMT cores
1938 with other units https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/hw-vuln/core-scheduling.rst
1941 - allow port=0 in .socket units
1942 - maybe introduce ExecRestartPre=
1943 - implement Register= switch in .socket units to enable registration
1944 in Avahi, RPC and other socket registration services.
1945 - allow Type=simple with PIDFile=
1946 https://bugzilla.redhat.com/show_bug.cgi?id=723942
1947 - allow writing multiple conditions in unit files on one line
1948 - introduce Type=pid-file
1949 - add a concept of RemainAfterExit= to scope units
1950 - Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely
1951 - add verification of [Install] section to systemd-analyze verify
1954 - timer units should get the ability to trigger when DST changes
1955 - Modulate timer frequency based on battery state
1957 * add libsystemd-password or so to query passwords during boot using the password agent logic
1959 * clean up date formatting and parsing so that all absolute/relative timestamps we format can also be parsed
1961 * on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?), get rid of systemd-update-utmp-runlevel
1963 * make repeated alt-ctrl-del presses printing a dump
1965 * currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not
1967 * add a pam module that passes the hdd passphrase into the PAM stack and then expires it, for usage by gdm auto-login.
1969 * add a pam module that on password changes updates any LUKS slot where the password matches
1972 - add unit tests for config_parse_device_allow()
1974 * seems that when we follow symlinks to units we prefer the symlink
1975 destination path over /etc and /usr. We should not do that. Instead
1976 /etc should always override /run+/usr and also any symlink
1979 * when isolating, try to figure out a way how we implicitly can order
1980 all units we stop before the isolating unit...
1982 * teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off})
1984 * Add ConditionDirectoryNotEmpty= handle non-absoute paths as a search path or add
1985 ConditionConfigSearchPathNotEmpty= or different syntax? See the discussion starting at
1986 https://github.com/systemd/systemd/pull/15109#issuecomment-607740136.
1988 * BootLoaderSpec: Define a way how an installer can figure out whether a BLS
1989 compliant boot loader is installed.
1991 * think about requeuing jobs when daemon-reload is issued? use case:
1992 the initrd issues a reload after fstab from the host is accessible
1993 and we might want to requeue the mounts local-fs acquired through
1996 * systemd-inhibit: make taking delay locks useful: support sending SIGINT or SIGTERM on PrepareForSleep()
1998 * remove any syslog support from log.c — we probably cannot do this before split-off udev is gone for good
2000 * shutdown logging: store to EFI var, and store to USB stick?
2002 * merge unit_kill_common() and unit_kill_context()
2004 * add a dependency on standard-conf.xml and other included files to man pages
2006 * MountFlags=shared acts as MountFlags=slave right now.
2008 * properly handle loop back mounts via fstab, especially regards to fsck/passno
2010 * initialize the hostname from the fs label of /, if /etc/hostname does not exist?
2014 - GetAllProperties() on a non-existing object does not result in a failure currently
2015 - port to sd-resolve for connecting to TCP dbus servers
2016 - see if we can introduce a new sd_bus_get_owner_machine_id() call to retrieve the machine ID of the machine of the bus itself
2017 - see if we can drop more message validation on the sending side
2018 - add API to clone sd_bus_message objects
2019 - longer term: priority inheritance
2020 - dbus spec updates:
2021 - NameLost/NameAcquired obsolete
2023 - update systemd.special(7) to mention that dbus.socket is only about the compatibility socket now
2026 - allow multiple signal handlers per signal?
2027 - document chaining of signal handler for SIGCHLD and child handlers
2028 - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ...
2029 - maybe support iouring as backend, so that we allow hooking read and write
2030 operations instead of IO ready events into event loops. See considerations
2032 http://blog.vmsplice.net/2020/07/rethinking-event-loop-integration-for.html
2034 * dbus: when a unit failed to load (i.e. is in UNIT_ERROR state), we
2035 should be able to safely try another attempt when the bus call LoadUnit() is invoked.
2037 * document org.freedesktop.MemoryAllocation1
2039 * maybe do not install getty@tty1.service symlink in /etc but in /usr?
2041 * print a nicer explanation if people use variable/specifier expansion in ExecStart= for the first word
2043 * mount: turn dependency information from /proc/self/mountinfo into dependency information between systemd units.
2046 - honor language efi variables for default language selection (if there are any?)
2047 - honor timezone efi variables for default timezone selection (if there are any?)
2048 - change bootctl to be backed by systemd-bootd to control temporary and persistent default boot goal plus efi variables
2050 - recognize the case when not booted on EFI
2052 * bootctl,sd-boot: actually honour the "architecture" key
2055 - show whether UEFI audit mode is available
2056 - teach it to prepare an ESP wholesale, i.e. with mkfs.vfat invocation
2057 - teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host
2060 - logind: optionally, ignore idle-hint logic for autosuspend, block suspend as long as a session is around
2061 - logind: wakelock/opportunistic suspend support
2062 - Add pretty name for seats in logind
2063 - logind: allow showing logout dialog from system?
2064 - add Suspend() bus calls which take timestamps to fix double suspend issues when somebody hits suspend and closes laptop quickly.
2065 - if pam_systemd is invoked by su from a process that is outside of a
2066 any session we should probably just become a NOP, since that's
2067 usually not a real user session but just some system code that just
2069 - logind: make the Suspend()/Hibernate() bus calls wait for the for
2070 the job to be completed. before returning, so that clients can wait
2071 for "systemctl suspend" to finish to know when the suspending is
2073 - logind: when the power button is pressed short, just popup a
2074 logout dialog. If it is pressed for 1s, do the usual
2075 shutdown. Inspiration are Macs here.
2076 - expose "Locked" property on logind session objects
2077 - maybe allow configuration of the StopTimeout for session scopes
2078 - rename session scope so that it includes the UID. THat way
2079 the session scope can be arranged freely in slices and we don't have
2080 make assumptions about their slice anymore.
2081 - follow PropertiesChanged state more closely, to deal with quick logouts and
2083 - (optionally?) spawn seat-manager@$SEAT.service whenever a seat shows up that as CanGraphical set
2084 - expose details of boot entries on the bus. In particular, it should be possible
2085 to query the list of boot entry titles that bootctl / sd-boot would show.
2086 Currently we only expose their identifiers.
2088 * move multiseat vid/pid matches from logind udev rule to hwdb
2090 * logind: rework pam_logind to also do a bus call in case of invocation from
2091 user@.service, which returns the XDG_RUNTIME_DIR value, and make this
2092 behaviour selectable via pam module option.
2094 * delay activation of logind until somebody logs in, or when /dev/tty0 pulls it
2095 in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle
2098 - consider introducing implicit _TTY= + _PPID= + _EUID= + _EGID= + _FSUID= + _FSGID= fields
2099 - journald: also get thread ID from client, plus thread name
2100 - journal: when waiting for journal additions in the client always sleep at least 1s or so, in order to minimize wakeups
2101 - add API to close/reopen/get fd for journal client fd in libsystemd-journal.
2102 - fall back to /dev/log based logging in libsystemd-journal, if we cannot log natively?
2103 - declare the local journal protocol stable in the wiki interface chart
2104 - sd-journal: speed up sd_journal_get_data() with transparent hash table in bg
2105 - journald: when dropping msgs due to ratelimit make sure to write
2106 "dropped %u messages" not only when we are about to print the next
2107 message that works, but already after a short timeout
2108 - check if we can make journalctl by default use --follow mode inside of less if called without args?
2109 - maybe add API to send pairs of iovecs via sd_journal_send
2110 - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access
2111 - journalctl: support negative filtering, i.e. FOOBAR!="waldo",
2112 and !FOOBAR for events without FOOBAR.
2113 - journal: store timestamp of journal_file_set_offline() in the header,
2114 so it is possible to display when the file was last synced.
2115 - journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again.
2116 - journal: find a way to allow dropping history early, based on priority, other rules
2117 - journal: When used on NFS, check payload hashes
2118 - journald: add kernel cmdline option to disable ratelimiting for debug purposes
2119 - refuse taking lower-case variable names in sd_journal_send() and friends.
2120 - journald: we currently rotate only after MaxUse+MaxFilesize has been reached.
2121 - journal: deal nicely with byte-by-byte copied files, especially regards header
2122 - journal: sanely deal with entries which are larger than the individual file size, but where the components would fit
2123 - Replace utmp, wtmp, btmp, and lastlog completely with journal
2124 - journalctl: instead --after-cursor= maybe have a --cursor=XYZ+1 syntax?
2125 - when a kernel driver logs in a tight loop, we should ratelimit that too.
2126 - journald: optionally, log debug messages to /run but everything else to /var
2127 - journald: when we drop syslog messages because the syslog socket is
2128 full, make sure to write how many messages are lost as first thing
2129 to syslog when it works again.
2130 - journald: allow per-priority and per-service retention times when rotating/vacuuming
2131 - journald: make use of uid-range.h to managed uid ranges to split
2133 - journalctl: add the ability to look for the most recent process of a binary. journalctl /usr/bin/X11 --pid=-1 or so...
2134 - improve journalctl performance by loading journal files
2135 lazily. Encode just enough information in the file name, so that we
2136 do not have to open it to know that it is not interesting for us, for
2137 the most common operations.
2138 - man: document that corrupted journal files is nothing to act on
2139 - rework journald sigbus stuff to use mutex
2140 - Set RLIMIT_NPROC for systemd-journal-xyz, and all other of our
2141 services that run under their own user ids, and use User= (but only
2142 in a world where userns is ubiquitous since otherwise we cannot
2143 invoke those daemons on the host AND in a container anymore). Also,
2144 if LimitNPROC= is used without User= we should warn and refuse
2146 - journalctl --verify: don't show files that are currently being
2147 written to as FAIL, but instead show that they are being written to.
2148 - add journalctl -H that talks via ssh to a remote peer and passes through
2150 - add a version of --merge which also merges /var/log/journal/remote
2151 - journalctl: -m should access container journals directly by enumerating
2152 them via machined, and also watch containers coming and going.
2153 Benefit: nspawn --ephemeral would start working nicely with the journal.
2154 - assign MESSAGE_ID to log messages about failed services
2155 - check if loop in decompress_blob_xz() is necessary
2157 * journald: support RFC3164 fully for the incoming syslog transport, see
2158 https://github.com/systemd/systemd/issues/19251#issuecomment-816601955
2160 * Hook up journald's FSS logic with TPM2: seal the verification disk by
2161 time-based policy, so that the verification key can remain on host and ve
2164 * rework journalctl -M to be based on a machined method that generates a mount
2165 fd of the relevant journal dirs in the container with uidmapping applied to
2166 allow the host to read it, while making everything read-only.
2168 * journald: add varlink service that allows subscribing to certain log events,
2169 for example matching by message ID, or log level returns a list of journal
2170 cursors as they happen.
2172 * journald: also collect CLOCK_BOOTTIME timestamps per log entry. Then, derive
2173 "corrected" CLOCK_REALTIME information on display from that and the timestamp
2174 info of the newest entry of the specific boot (as identified by the boot
2175 ID). This way, if a system comes up without a valid clock but acquires a
2176 better clock later, we can "fix" older entry timestamps on display, by
2177 calculating backwards. We cannot use CLOCK_MONOTONIC for this, since it does
2178 not account for suspend phases. This would then also enable us to correct the
2179 kmsg timestamping we consume (where we erroneously assume the clock was in
2180 CLOCK_MONOTONIC, but it actually is CLOCK_BOOTTIME as per kernel).
2182 * in journald, write out a recognizable log record whenever the system clock is
2183 changed ("stepped"), and in timesyncd whenever we acquire an NTP fix
2184 ("slewing"). Then, in journalctl for each boot time we come across, find
2185 these records, and use the structured info they include to display
2186 "corrected" wallclock time, as calculated from the monotonic timestamp in the
2187 log record, adjusted by the delta declared in the structured log record.
2189 * in journald: whenever we start a new journal file because the boot ID
2190 changed, let's generate a recognizable log record containing info about old
2191 and new ID. Then, when displaying log stream in journalctl look for these
2192 records, to be able to order them.
2194 * journald: generate recognizable log events whenever we shutdown journald
2195 cleanly, and when we migrate run → var. This way tools can verify that a
2196 previous boot terminated cleanly, because either of these two messages must
2197 be safely written to disk, then.
2199 * hook up journald with TPMs? measure new journal records to the TPM in regular
2200 intervals, validate the journal against current TPM state with that. (taking
2201 inspiration from IMA log)
2203 * sd-journal puts a limit on parallel journal files to view at once. journald
2204 should probably honour that same limit (JOURNAL_FILES_MAX) when vacuuming to
2205 ensure we never generate more files than we can actually view.
2207 * maybe add a tool that displays most recent journal logs as QR code to scan
2208 off screen and run it automatically on boot failures, emergency logs and
2209 such. Use DRM APIs directly, see
2210 https://github.com/dvdhrm/docs/blob/master/drm-howto/modeset.c for an example
2213 * maybe implicitly attach monotonic+realtime timestamps to outgoing messages in
2214 log.c and sd-journal-send
2216 * journalctl/timesyncd: whenever timesyncd acquires a synchronization from NTP,
2217 create a structured log entry that contains boot ID, monotonic clock and
2218 realtime clock (I mean, this requires no special work, as these three fields
2219 are implicit). Then in journalctl when attempting to display the realtime
2220 timestamp of a log entry, first search for the closest later log entry
2221 of this kinda that has a matching boot id, and convert the monotonic clock
2222 timestamp of the entry to the realtime clock using this info. This way we can
2223 retroactively correct the wallclock timestamps, in particular for systems
2224 without RTC, i.e. where initially wallclock timestamps carry rubbish, until
2225 an NTP sync is acquired.
2227 * introduce per-unit (i.e. per-slice, per-service) journal log size limits.
2229 * journald: do journal file writing out-of-process, with one writer process per
2230 client UID, so that synthetic hash table collisions can slow down a specific
2231 user's journal stream down but not the others.
2233 * tweak journald context caching. In addition to caching per-process attributes
2234 keyed by PID, cache per-cgroup attributes (i.e. the various xattrs we read)
2235 keyed by cgroup path, and guarded by ctime changes. This should provide us
2236 with a nice speed-up on services that have many processes running in the same
2239 * maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for
2240 the sd-journal logging socket, and, if the timeout is set to 0, sets
2241 O_NONBLOCK on it. That way people can control if and when to block for
2244 * journalctl: make sure -f ends when the container indicated by -M terminates
2246 * journald: sigbus API via a signal-handler safe function that people may call
2247 from the SIGBUS handler
2249 * add a test if all entries in the catalog are properly formatted.
2250 (Adding dashes in a catalog entry currently results in the catalog entry
2251 being silently skipped. journalctl --update-catalog must warn about this,
2252 and we should also have a unit test to check that all our message are OK.)
2254 * build short web pages out of each catalog entry, build them along with man
2255 pages, and include hyperlinks to them in the journal output
2258 - when user tries to log into record signed by unrecognized key, automatically add key to our chain after polkit auth
2259 - rollback when resize fails mid-operation
2260 - GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid)
2261 - update LUKS password on login if we find there's a password that unlocks the JSON record but not the LUKS device.
2262 - create on activate?
2263 - properties: icon url?, preferred session type?, administrator bool (which translates to 'wheel' membership)?, address?, telephone?, vcard?, samba stuff?, parental controls?
2264 - communicate clearly when usb stick is safe to remove. probably involves
2265 beefing up logind to make pam session close hook synchronous and wait until
2266 systemd --user is shut down.
2267 - logind: maybe keep a "busy fd" as long as there's a non-released session around or the user@.service
2268 - maybe make automatic, read-only, time-based reflink-copies of LUKS disk
2269 images (and btrfs snapshots of subvolumes) (think: time machine)
2270 - distinguish destroy / remove (i.e. currently we can unregister a user, unregister+remove their home directory, but not just remove their home directory)
2271 - in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl set-linger" mode work
2272 - fingerprint authentication, pattern authentication, …
2273 - make sure "classic" user records can also be managed by homed
2274 - make size of $XDG_RUNTIME_DIR configurable in user record
2275 - query password from kernel keyring first
2276 - update even if record is "absent"
2277 - move acct mgmt stuff from pam_systemd_home to pam_systemd?
2278 - when "homectl --pkcs11-token-uri=" is used, synthesize ssh-authorized-keys records for all keys we have private keys on the stick for
2279 - make slice for users configurable (requires logind rework)
2280 - logind: populate auto-login list bus property from PKCS#11 token
2281 - when determining state of a LUKS home directory, check DM suspended sysfs file
2282 - when homed is in use, maybe start the user session manager in a mount namespace with MS_SLAVE,
2283 so that mounts propagate down but not up - eg, user A setting up a backup volume
2284 doesn't mean user B sees it
2285 - use credentials logic/TPM2 logic to store homed signing key
2286 - permit multiple user record signing keys to be used locally, and pick
2287 the right one for signing records automatically depending on a pre-existing
2289 - add a way to "adopt" a home directory, i.e. strip foreign signatures
2290 and insert a local signature instead.
2291 - as an extension to the directory+subvolume backend: if located on
2292 especially marked fs, then sync down password into LUKS header of that fs,
2293 and always verify passwords against it too. Bootstrapping is a problem
2294 though: if no one is logged in (or no other user even exists yet), how do you
2295 unlock the volume in order to create the first user and add the first pw.
2296 - support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
2297 - maybe pre-create ~/.cache as subvol so that it can have separate quota
2299 - store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with
2300 systemd-cryptsetup, so that it can unlock homed volumes
2301 - maybe make all *.home files owned by `systemd-home` user or so, so that we
2302 can easily set overall quota for all users
2303 - on login, if we can't fallocate initially, but rebalance is on, then allow
2304 login in discard mode, then immediately rebalance, then turn off discard
2305 - add "homectl unbind" command to remove local user record of an inactive
2308 * add a new switch --auto-definitions=yes/no or so to systemd-repart. If
2309 specified, synthesize a definition automatically if we can: enlarge last
2310 partition on disk, but only if it is marked for growing and not read-only.
2312 * systemd-repart: read LUKS encryption key from $CREDENTIALS_DIRECTORY
2314 * systemd-repart: add a switch to factory reset the partition table without
2315 immediately applying the new configuration again. i.e. --factory-reset=leave
2316 or so. (this is useful to factory reset an image, then putting it into
2317 another machine, ensuring that luks key is generated on new machine, not old)
2319 * systemd-repart: support setting up dm-integrity with HMAC
2321 * systemd-repart: maybe remove half-initialized image on failure. It fails
2322 if the output file exists, so a repeated invocation will usually fail if
2323 something goes wrong on the way.
2325 * systemd-repart: by default generate minimized partition tables (i.e. tables
2326 that only cover the space actually used, excluding any free space at the
2327 end), in order to maximize dd'ability. Requires libfdisk work, see
2328 https://github.com/karelzak/util-linux/issues/907
2330 * systemd-repart: MBR partition table support. Care needs to be taken regarding
2331 Type=, so that partition definitions can sanely apply to both the GPT and the
2332 MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types
2333 for the two partition types explicitly. And provide an internal mapping so
2334 that "Type=linux-generic" maps to the right types for both partition tables
2337 * systemd-repart: allow sizing partitions as factor of available RAM, so that
2338 we can reasonably size swap partitions for hibernation.
2340 * systemd-repart: allow boolean option that ensures that if existing partition
2341 doesn't exist within the configured size bounds the whole command fails. This
2342 is useful to implement ESP vs. XBOOTLDR schemes in installers: have one set
2343 of repart files for the case where ESP is large enough and one where it isn't
2344 and XBOOTLDR is added in instead. Then apply the former first, and if it
2345 fails to apply use the latter.
2347 * systemd-repart: add per-partition option to never reuse existing partition
2348 and always create anew even if matching partition already exists.
2350 * systemd-repart: add per-partition option to fail if partition already exist,
2351 i.e. is not added new. Similar, add option to fail if partition does not exist yet.
2353 * systemd-repart: allow disabling growing of specific partitions, or making
2354 them (think ESP: we don't ever want to grow it, since we cannot resize vfat)
2355 Also add option to disable operation via kernel command line.
2357 * systemd-repart: make it a static checker during early boot for existence and
2358 absence of other partitions for trusted boot environments
2360 * systemd-repart: add support for SD_GPT_FLAG_GROWFS also on real systems, i.e.
2361 generate some unit to actually enlarge the fs after growing the partition
2364 * systemd-repart: do not print "Successfully resized …" when no change was done.
2367 - document that deps in [Unit] sections ignore Alias= fields in
2368 [Install] units of other units, unless those units are disabled
2369 - man: clarify that time-sync.target is not only sysv compat but also useful otherwise. Same for similar targets
2370 - document that service reload may be implemented as service reexec
2371 - add a man page containing packaging guidelines and recommending usage of things like Documentation=, PrivateTmp=, PrivateNetwork= and ReadOnlyDirectories=/etc /usr.
2372 - document systemd-journal-flush.service properly
2373 - documentation: recommend to connect the timer units of a service to the service via Also= in [Install]
2374 - man: document the very specific env the shutdown drop-in tools live in
2375 - man: add more examples to man pages,
2376 - in particular an example how to do the equivalent of switching runlevels
2377 - man: maybe sort directives in man pages, and take sections from --help and apply them to man too
2378 - document root=gpt-auto properly
2381 - add systemctl switch to dump transaction without executing it
2382 - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done
2383 - print nice message from systemctl --failed if there are no entries shown, and hook that into ExecStartPre of rescue.service/emergency.service
2384 - add new command to systemctl: "systemctl system-reexec" which reexecs as many daemons as virtually possible
2385 - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards?
2386 - systemctl: "Journal has been rotated since unit was started." message is misleading
2388 * introduce an option (or replacement) for "systemctl show" that outputs all
2389 properties as JSON, similar to busctl's new JSON output. In contrast to that
2390 it should skip the variant type string though.
2392 * Add a "systemctl list-units --by-slice" mode or so, which rearranges the
2393 output of "systemctl list-units" slightly by showing the tree structure of
2394 the slices, and the units attached to them.
2396 * add "systemctl wait" or so, which does what "systemd-run --wait" does, but
2397 for all units. It should be both a way to pin units into memory as well as a
2398 wait to retrieve their exit data.
2400 * show whether a service has out-of-date configuration in "systemctl status" by
2401 using mtime data of ConfigurationDirectory=.
2403 * "systemctl preset-all" should probably order the unit files it
2404 operates on lexicographically before starting to work, in order to
2405 ensure deterministic behaviour if two unit files conflict (like DMs
2408 * add "systemctl start -v foobar.service" that shows logs of a service
2409 while the start command runs. This is non-trivial to do without
2410 races though, since we should flush out all journal messages before
2411 returning from the "systemctl stop".
2413 * systemctl: if some operation fails, show log output?
2415 * Add a new verb "systemctl top"
2418 - "systemctl mask" should find all names by which a unit is accessible
2419 (i.e. by scanning for symlinks to it) and link them all to /dev/null
2422 - emulate /dev/kmsg using CUSE and turn off the syslog syscall
2423 with seccomp. That should provide us with a useful log buffer that
2424 systemd can log to during early boot, and disconnect container logs
2425 from the kernel's logs.
2426 - as soon as networkd has a bus interface, hook up --network-interface=,
2427 --network-bridge= with networkd, to trigger netdev creation should an
2428 interface be missing
2429 - a nice way to boot up without machine id set, so that it is set at boot
2430 automatically for supporting --ephemeral. Maybe hash the host machine id
2431 together with the machine name to generate the machine id for the container
2432 - fix logic always print a final newline on output.
2433 https://github.com/systemd/systemd/pull/272#issuecomment-113153176
2434 - should optionally support receiving WATCHDOG=1 messages from its payload
2436 - optionally automatically add FORWARD rules to iptables whenever nspawn is
2437 running, remove them when shut down.
2438 - add support for sysext extensions, too. i.e. a new --extension= switch that
2439 takes one or more arguments, and applies the extensions already during
2441 - when main nspawn supervisor process gets suspended due to SIGSTOP/SIGTTOU
2442 or so, freeze the payload too.
2443 - support time namespaces
2444 - on cgroupsv1 issue cgroup empty handler process based on host events, so
2445 that we make cgroup agent logic safe
2446 - add API to invoke binary in container, then use that as fallback in
2448 - make nspawn suitable for shell pipelines: instead of triggering a hangup
2449 when input is finished, send ^D, which synthesizes an EOF. Then wait for
2450 hangup or ^D before passing on the EOF.
2451 - greater control over selinux label?
2452 - support that /proc, /sys/, /dev are pre-mounted
2453 - maybe allow TPM passthrough, backed by swtpm, and measure --image= hash
2454 into its PCR 11, so that nspawn instances can be TPM enabled, and partake
2455 in measurements/remote attestation and such. swtpm would run outside of
2456 control of container, and ideally would itself bind its encryption keys to
2458 - make boot assessment do something sensible in a container. i.e send an
2459 sd_notify() from payload to container manager once boot-up is completed
2460 successfully, and use that in nspawn for dealing with boot counting,
2461 implemented in the partition table labels and directory names.
2462 - optionally set up nftables/iptables routes that forward UDP/TCP traffic on
2463 port 53 to resolved stub 127.0.0.54
2464 - maybe optionally insert .nspawn file as GPT partition into images, so that
2465 such container images are entirely stand-alone and can be updated as one.
2466 - The subreaper logic we currently have seems overly complex. We should
2467 investigate whether creating the inner child with CLONE_PARENT isn't better.
2468 - Reduce the number of sockets that are currently in use and just rely on one
2470 - Support running nspawn as an unprivileged user.
2472 * machined: add API to acquire UID range. add API to mount/dissect loopback
2473 file. Both protected by PK. Then make nspawn use these APIs to run
2474 unprivileged containers. i.e. push the truly privileged bits into machined,
2475 so that the client side can remain entirely unprivileged, with SUID or
2479 - add an API so that libvirt-lxc can inform us about network interfaces being
2480 removed or added to an existing machine
2481 - "machinectl migrate" or similar to copy a container from or to a
2482 difference host, via ssh
2483 - introduce systemd-nspawn-ephemeral@.service, and hook it into
2484 "machinectl start" with a new --ephemeral switch
2485 - "machinectl status" should also show internal logs of the container in
2487 - "machinectl history"
2489 - "machinectl commit" that takes a writable snapshot of a tree, invokes a
2490 shell in it, and marks it read-only after use
2495 - add trigger --subsystem-match=usb/usb_device device
2496 - reimport udev db after MOVE events for devices without dev_t
2497 - re-enable ProtectClock= once only cgroupsv2 is supported.
2498 See f562abe2963bad241d34e0b308e48cf114672c84.
2501 - save coredump in Windows/Mozilla minidump format
2502 - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps
2503 - add examples for other distros in ELF_PACKAGE_METADATA
2505 * support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting)
2508 - allow time-based cleanup in r and R too
2509 - instead of ignoring unknown fields, reject them.
2510 - creating new directories/subvolumes/fifos/device nodes
2511 should not follow symlinks. None of the other adjustment or creation
2512 calls follow symlinks.
2513 - teach tmpfiles.d q/Q logic something sensible in the context of XFS/ext4
2515 - teach tmpfiles.d m/M to move / atomic move + symlink old -> new
2516 - add new line type for setting btrfs subvolume attributes (i.e. rw/ro)
2517 - tmpfiles: add new line type for setting fcaps
2518 - add -n as shortcut for --dry-run in tmpfiles & sysusers & possibly other places
2521 - Make sure ID_PATH is always exported and complete for
2522 network devices where possible, so we can safely rely
2526 - add support for more attribute types
2527 - inbuilt piping support (essentially degenerate async)? see loopback-setup.c and other places
2530 - add more keys to [Route] and [Address] sections
2531 - add support for more DHCPv4 options (and, longer term, other kinds of dynamic config)
2532 - add reduced [Link] support to .network files
2533 - properly handle routerless dhcp leases
2534 - work with non-Ethernet devices
2535 - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from?
2536 - the DHCP lease data (such as NTP/DNS) is still made available when
2537 a carrier is lost on a link. It should be removed instantly.
2538 - expose in the API the following bits:
2539 - option 15, domain name
2540 - option 12, hostname and/or option 81, fqdn
2541 - option 123, 144, geolocation
2542 - option 252, configure http proxy (PAC/wpad)
2543 - provide a way to define a per-network interface default metric value
2544 for all routes to it. possibly a second default for DHCP routes.
2545 - allow Name= to be specified repeatedly in the [Match] section. Maybe also
2546 support Name=foo*|bar*|baz ?
2547 - whenever uplink info changes, make DHCP server send out FORCERENEW
2549 * in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us
2551 * Figure out how to do unittests of networkd's state serialization
2554 - figure out how much we can increase Maximum Message Size
2557 - add functions to set previously stored IPv6 addresses on startup and get
2558 them at shutdown; store them in client->ia_na
2559 - write more test cases
2560 - implement reconfigure support, see 5.3., 15.11. and 22.20.
2561 - implement support for temporary addresses (IA_TA)
2562 - implement dhcpv6 authentication
2563 - investigate the usefulness of Confirm messages; i.e. are there any
2564 situations where the link changes without any loss in carrier detection
2566 - some servers don't do rapid commit without a filled in IA_NA, verify
2570 * shared/wall: Once more programs are taught to prefer sd-login over utmp,
2571 switch the default wall implementation to wall_logind
2572 (https://github.com/systemd/systemd/pull/29051#issuecomment-1704917074)