supported system extension level.
* A new configuration file /etc/veritytab may be used to configure
- integrity protection for block devices. Each line is in the format
- "volume-name data-device hash-device roothash options".
+ dm-verity integrity protection for block devices. Each line is in the
+ format "volume-name data-device hash-device roothash options",
+ similar to /etc/crypttab.
- * A new kernel command-line option systemd.verity.root-options= may be
+ * A new kernel command-line option systemd.verity.root_options= may be
used to configure dm-verity behaviour for the root device.
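Review bot: the kernel command-line option name changes here from systemd.verity.root-options= to systemd.verity.root_options= (hyphen to underscore) with nothing else in the entry changing; confirm the added spelling is the one the generator actually parses and that kernel-command-line(7) documents, because the two forms are easy to confuse and a mis-spelled option on the kernel command line is simply never acted on. If both forms were ever accepted, say so in the entry.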
* The key file specified in /etc/crypttab (the third field) may now
- refer to a UNIX socket path. The key is acquired by connecting to
- that socket and reading from it. This allows the implementation of a
- service to provide key information dynamically, at the moment when it
- is needed.
+ refer to an AF_UNIX/SOCK_STREAM socket in the file system. The key is
+ acquired by connecting to that socket and reading from it. This
+ allows the implementation of a service to provide key information
+ dynamically, at the moment when it is needed.
- * Support has been added for extracting the PKCS#11 token URI and
- encrypted key from the LUKS2 JSON embedded metadata header. This
- allows the information how to open the encrypted device to be
- embedded directly in the device and obviates the need for
- configuration in an external file.
+ * Support has been added to systemd-cryptsetup for extracting the
+ PKCS#11 token URI and encrypted key from the LUKS2 JSON embedded
+ metadata header. This allows the information how to open the
+ encrypted device to be embedded directly in the device and obviates
+ the need for configuration in an external file.
- * LUKS devices may now be unlocked using TPM2 hardware.
+ * systemd-cryptsetup gained support for unlocking LUKS2 volumes using
+ TPM2 hardware, as well as FIDO2 security tokens (in addition to the
+ pre-existing support for PKCS#11 security tokens).
- * systemd-repart may lock partitions using TPM2 hardware. This may be
- useful for example to create an encrypted /var partition bound to the
- machine on first boot.
+ * systemd-repart may enroll encrypted partitions using TPM2
+ hardware. This may be useful for example to create an encrypted /var
+ partition bound to the machine on first boot.
- * A new systemd-cryptenroll tool has been added to enroll FIDO2+PKCS#11
- security tokens to LUKS volumes, list and destroy them. See
- https://www.freedesktop.org/software/systemd/man/systemd-cryptenroll.html.
+ * A new systemd-cryptenroll tool has been added to enroll TPM2, FIDO2
+ and PKCS#11 security tokens to LUKS volumes, list and destroy
+ them. See:
- * The manager may be configured at compile time to use fexecve instead
- of execve when spawning children. Using fexecve closes a window
- between checking the security context of an executable and spawning
- it, but unfortunately the kernel displays stale information in the
- comm field, which impacts ps output and such.
+ http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
+
+ It also supports enrolling "recovery keys" and regular passphrases.
+
+ * The libfido2 dependency is now based on dlopen(), so that the library
+ is used at runtime when installed, but is not a hard runtime
+ dependency.
+
+ * systemd-cryptsetup gained support for two new options in
+ /etc/crypttab: "no-write-workqueue" and "no-read-workqueue" which
+ request synchronous processing of encryption/decryption IO.
+
+ * The manager may be configured at compile time to use the fexecve()
+ instead of the execve() system call when spawning processes. Using
+ fexecve() closes a window between checking the security context of an
+ executable and spawning it, but unfortunately the kernel displays
+ stale information in the process' "comm" field, which impacts ps
+ output and such.
* The configuration option -Dcompat-gateway-hostname has been dropped.
"_gateway" is now the only supported name.
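Review bot: the reworded systemd-cryptenroll entry drops the man page reference (https://www.freedesktop.org/software/systemd/man/systemd-cryptenroll.html) that the removed text carried and replaces it with a blog post URL served over plain http; keep the man page as the primary "See:" pointer (it is the stable reference, and https) and add the blog link after it. In the fexecve() entry, "may be configured at compile time" does not name the build option, while the neighbouring entry names its option (-Dcompat-gateway-hostname); name the option here too so a packager can find it, and keep the "comm" caveat, since it is the one visible trade-off of closing the check-then-exec window.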
- * The ConditionSecurity=tpm2 unit file setting may be used to check
- if the system has at least one TPM2 (tpmrm class) device.
+ * The ConditionSecurity=tpm2 unit file setting may be used to check if
+ the system has at least one TPM2 (tpmrm class) device.
+
+ * A new ConditionCPUFeature= has been added that may be used to
+ conditionalize units based on CPU features. For example,
+ ConditionCPUFeature=rdrand will condition a unit so that it is only
+ run when the system CPU supports the RDRAND opcode.
* The tables of system calls in seccomps filters are now automatically
generated from kernel lists exported on
respectively as 'systemctl bind <unit> <path>…' and
'systemctl mount-image <unit> <image>…'.
- * The StandardOuput= and StandardError= settings can now specify files
+ * The StandardOutput= and StandardError= settings can now specify files
to be truncated for output (as "truncate:<path>").
* The ExecPaths= and NoExecPaths= settings may be used to specify
noexec for parts of the file system.
- * sd-bus has a new function sd_bus_open_use_machine() to open a
+ * sd-bus has a new function sd_bus_open_user_machine() to open a
connection to the session bus of a specific user in a local container
- or on the local host. It also gained a convenience function
- sd_bus_reply() to call sd_bus_send() with an existing reply message.
+ or on the local host. This is exposed in the existing -M switch to
+ systemctl and similar tools:
+
+ systemctl --user -M lennart@foobar start foo
+
+ This will connect to the user bus of a user "lennart" in container
+ "foobar". If no container name is specified, the specified user on
+ the host itself is connected to
+
+ systemctl --user -M lennart@ start quux
+
+ * sd-bus also gained a convenience function sd_bus_message_send() to
+ simplify invocations of sd_bus_send(), taking only a single
+ parameter: the message to send.
- * sd-event allows rate limits to be set on event sources. See the new
- man page sd_event_source_set_ratelimit(3) for details.
+ * sd-event allows rate limits to be set on event sources, for dealing
+ with high-priority event sources that might starve out others. See
+ the new man page sd_event_source_set_ratelimit(3) for details.
* systemd.link files gained a [Link] Promiscuous= switch, which allows
the device to be raised in promiscuous mode.
systemd.network files gained a [DHCPv6PrefixDelegation]
ManageTemporaryAddress= switch.
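Review bot: the sentence "If no container name is specified, the specified user on the host itself is connected to" has no terminating punctuation before the second example command; end it with a period (or a colon, matching the first example's lead-in). Also, the removed text names the new sd-bus convenience function sd_bus_reply() while the added text names it sd_bus_message_send(); confirm the added name is the one exported by libsystemd and documented, so the NEWS entry does not point at a symbol that does not exist.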
+ .network files gained a new ActivationPolicy= setting which allows
+ configuration how the UP state of an interface shall be managed,
+ i.e. whether the interface is always upped, always downed, or may be
+ upped/downed by the user using "ip dev".
+
* systemd.netdev files gained a [VLAN] Protocol=, IngressQOSMaps=,
EgressQOSMaps=, and [MACVLAN] BroadcastMulticastQueueLength=
configuration options for VLAN packet handling.
even a single device.
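Review bot: "ip dev" in the new ActivationPolicy= entry is not an iproute2 command; the user-facing operation the entry means is "ip link set dev <ifname> up" / "down", so write "ip link" (or describe the operation generically) rather than pointing readers at a command that does not exist. The same entry could also state which of the three behaviours (always up, always down, user-managed) is the default, since that is what an administrator reading this will want to know.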
* udev now exports the VOLUME_ID, LOGICAL_VOLUME_ID, VOLUME_SET_ID, and
- DATA_PREPARED_ID attributes for block devices (when available).
+ DATA_PREPARED_ID properties for block devices with ISO9660 file
+ systems.
- * udev now exports decoded DMI information about memory under the
- /sys/class/dmi/id/ pseudo device.
+ * udev now exports decoded DMI information about installed memory slots
+ as device properties under the /sys/class/dmi/id/ pseudo device.
- * /dev is not mounted noexec any more. This didn't provide any
+ * /dev/ is not mounted noexec anymore. This didn't provide any
significant security benefits and would conflicts with the executable
mappings used with /dev/sgx device nodes.
and /dev/vhost-net are owned by the kvm group.
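Review bot: the unchanged line "would conflicts with the executable mappings" in the /dev/ noexec entry should read "would conflict"; since the entry's first line is being reworded anyway, fix the grammar in the same change. Dropping noexec from /dev/ is a hardening setting going away, so one clause on why it "didn't provide any significant security benefits" (what noexec on a device-node file system did and did not prevent) would let readers judge the change rather than take it on trust.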
* The hardware database has been extended with a list of fingerprint
- readers that correctly support autosuspend using data from libfprint.
+ readers that correctly support USB auto-suspend using data from
+ libfprint.
* systemd-resolved can now answer DNSSEC questions through the stub
resolver interface in a way that allows local clients to do DNSSEC
DNS query and respond with a mostly unmodified packet received from
the upstream server.
+ * systemd-resolved learnt a new boolean option CacheFromLocalhost= in
+ resolved.conf. If true the service will provide caching even for DNS
+ lookups made to an upstream DNS server on the 127.0.0.1/::1
+ addresses. By default (and when the option is false) systemd-resolved
+ will not cache such lookups, in order to avoid duplicate local
+ caching, under the assumption the local upstream server caches
+ anyway.
+
+ * systemd-resolved now implements RFC5001 NSID in its local DNS
+ stub. This may be used by local clients to determine whether they are
+ talking to the DNS resolver stub or a different DNS server.
+
+ * When resolving host names and other records resolvectl will now
+ report where the data was acquired from (i.e. the local cache, the
+ network, locally synthesized, …) and whether the network traffic it
+ effected was encrypted or not. Moreover the tool acquired a number of
+ new options --cache=, --synthesize=, --network=, --zone=,
+ --trust-anchor=, --validate= that take booleans and may be used to
+ tweak a lookup, i.e. whether it may be answered from cached
+ information, locally synthesized information, information acquired
+ through the network, the local mDNS/LLMNR zone, the DNSSEC trust
+ anchor, and whether DNSSEC validation shall be executed for the
+ lookup.
+
* systemd-nspawn gained a new --ambient-capability= setting
(AmbientCapability= in .nspawn files) to configure ambient
capabilities passed to the container payload.
* systemd-nspawn gained the ability to configure the firewall using the
- nft subsystem (in addition to the existing iptables support).
+ nftables subsystem (in addition to the existing iptables
+ support). Similar, systemd-networkd's IPMasquerade= option now
+ supports nftables as back-end, too. In both cases NAT on IPv6 is now
+ supported too, in addition to IPv4 (the iptables back-end still is
+ IPv4-only).
+
+ * systemd-importd will now download .verity and .roothash.p7s files
+ along with the machine image (as exposed via machinectl pull-raw).
* systemd-oomd now gained a new DefaultMemoryPressureDurationSec=
setting to configure the time a unit's cgroup needs to exceed memory
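Review bot: the systemd-importd entry says the .verity and .roothash.p7s files are now downloaded along with the image, but not what is then done with them; state whether the .roothash.p7s signature is verified against a trust anchor before the image is used, or only stored next to the image for later use, because that is what decides whether a user can rely on it. In the systemd-nspawn firewall entry, "Similar, systemd-networkd's IPMasquerade= option" should read "Similarly, ...".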
* systemd-stdio-bridge gained --system/--user options to connect to the
system bus (previous default) or the user session bus.
- * When the hostname is set to "localhost", systemd-hostnamed will
- accept this. Previously such a setting would be mostly silently
+ * When the hostname is set explicitly to "localhost", systemd-hostnamed
+ will respect this. Previously such a setting would be mostly silently
ignored. The goal is to honour configuration as specified by the
user.
the configured hostname ("static", "transient", or "default") as
D-Bus properties.
- * systemd-hostnamed now exports the HardwareVendor and HardwareModel
- D-Bus properties. hostnamectl shows this in the status output.
+ * systemd-hostnamed now exports the "HardwareVendor" and
+ "HardwareModel" D-Bus properties, which are supposed to contain a
+ pair of cleaned up, human readable strings describing the system's
+ vendor and model. It's typically sourced from the firmware's DMI
+ tables, but may be augmented from a new hwdb database. hostnamectl
+ shows this in the status output.
* systemd-localed may now call locale-gen to generate missing locales
on-demand (UTF-8-only). This improves integration with Debian-based
distributions (Debian/Ubuntu/PureOS/Tanglu/...) and Arch Linux.
- * systemctl --check-inhibitors may now be used to obey inhibitors even
- when invoked non-interactively.
+ * systemctl --check-inhibitors=true may now be used to obey inhibitors
+ even when invoked non-interactively. The old --ignore-inhibitors
+ switch is now deprecated and replaced by --check-inhibitors=false.
* systemctl import-environment will now emit a warning when called
without any arguments (i.e. to import the full environment block of
directly calling the D-Bus API of the manager, should also push
specific variables, and not the full inherited environment.
+ * systemctl's status output now shows unit state with a more careful
+ choice of Unicode characters: units in maintenance show a "○" symbol
+ instead of the usual "●", failed units show "×", and services being
+ reloaded "↻".
+
* coredumpctl gained a --debugger-arguments= switch to pass arguments
- to the debugger.
+ to the debugger. It also gained support for showing coredump info in
+ a simple JSON format.
+
+ * systemctl/loginctl/machinectl's --signal= option now accept a special
+ value "list", which may be used to show a brief table with known
+ process signals and their numbers.
* networkctl now shows the link activation policy in status.
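Review bot: the coredumpctl entry says the tool "gained support for showing coredump info in a simple JSON format" without naming the switch, while a later entry in this same file refers to the --json= switch; name it here so the entry is actionable. Also, "--signal= option now accept a special value" should read "now accepts".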
- * Various tools gained --pager/--no-pager/--json switches to
+ * Various tools gained --pager/--no-pager/--json= switches to
enable/disable the pager and provide JSON output.
- * Various tools now accept SYSTEMD_COLORS=16|256 to configure what
- colours are used in output.
+ * Various tools now accept two new values for the SYSTEMD_COLORS
+ environment variable: "16" and "256", to configure how many terminal
+ colors are used in output.
- * less 568 or newer is now required. Link markup is now always used,
- and older versions will not display it properly. SYSTEMD_URLIFY=0 may
- be used to disable it.
+ * less 568 or newer is now required for the auto-paging logic of the
+ various tools. Hyperlink ANSI sequences in terminal output are now
+ used even if a pager is used, and older versions of less are not able
+ to display these sequences correctly. SYSTEMD_URLIFY=0 may be used to
+ disable this output again.
- * Builds with support for separate / and /usr hierarchies (split-usr
+ * Builds with support for separate / and /usr/ hierarchies ("split-usr"
builds, non-merged-usr builds) are now officially deprecated. A
warning is emitted during build. Support is slated to be removed in
about a year (when the Debian Bookworm release development starts).
- * The main development branch has been renamed to 'main'.
+ * The main git development branch has been renamed to 'main'.
* mmcblk[0-9]boot[0-9] devices will no longer be probed automatically
for partitions, as in the vast majority of cases they contain none
and are used internally by the bootloader (eg: uboot).
+ * systemd will now set the $SYSTEMD_EXEC_PID environment variable for
+ spawned processes to the PID of the process itself. This may be used
+ by programs for detecting whether they were forked off by the service
+ manager itself or are a process forked off further down the tree.
+
+ * The sd-device API gained three new calls sd_device_get_action() (for
+ determining the uevent add/remove/change/… action the device object
+ has been seen for), sd_device_get_seqno() (for determining the uevent
+ sequence number) and sd_device_new_from_stat_rdev() (for allocating a
+ new sd_device object from stat() data of a device node).
+
+ * For most tools the --no-legend= switch has been replaced by
+ --legend=no and --legend=yes, to force whether tables are shown with
+ headers/legends.
+
+ * Units acquired a new property "Markers" that takes a list of zero,
+ one or two of the following strings: "needs-reload" and
+ "needs-restart". These markers may be set via "systemctl
+ set-property". Once a marker is set, "systemctl reload-or-restart
+ --marked" may be invoked to execute the operation the units are
+ marked for. This is useful for package managers that want to mark
+ units for restart/reload while updating, but effect the actual
+ operations at a later step at once.
+
+ * The sd_bus_message_read_strv() API call of sd-bus may now also be
+ used to parse arrays of D-Bus signatures and D-Bus paths, in addition
+ to regular strings.
+
+ * bootctl will now report whether the UEFI firmware used a TPM2 device
+ and measured the boot process into it.
+
+ * systemd-tmpfiles learnt support for a new environment variable
+ $SYSTEMD_TMPFILES_FORCE_SUBVOL which takes a boolean value. If true
+ the v/q/Q lines in tmpfiles.d/ snippets will create btrfs subvolumes
+ even if the root fs of the system is not itself a btrfs volume.
+
+ * systemd-detect-virt/ConditionVirtualization= will now explicitly
+ detect Docker/Podman environments where possible. Moreover, they
+ should be able to generically detect any container manager as long as
+ it assigns the container a cgroup.
+
+ * portablectl gained a new "reattach" verb for detaching/reattaching a
+ portable service image, useful for updating images on-the-fly.
+
CHANGES WITH 247:
* KERNEL API INCOMPATIBILITY: Linux 4.14 introduced two new uevents
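Review bot: the $SYSTEMD_EXEC_PID entry should spell out how the check is meant to be done: the variable is inherited unchanged by every further child, so a program distinguishes "spawned directly by the service manager" from "forked further down the tree" by comparing the variable's value with its own PID (getpid()), not by testing whether the variable is set; it is also worth a clause that this is a hint for cooperating programs and not a trust boundary, since an environment variable can be set by any parent. Separately, "--no-legend=" with a trailing "=" reads as if the old switch took an argument; if it was a plain flag write "--no-legend", and say whether the old spelling is still accepted for compatibility, since scripts in the field use it.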