]>
Commit | Line | Data |
---|---|---|
afe3ab58 | 1 | Bugfixes: |
c343be28 | 2 | |
54fcb619 ZJS |
3 | * Many manager configuration settings that are only applicable to user |
4 | manager or system manager can be always set. It would be better to reject | |
5 | them when parsing config. | |
6 | ||
ceaf24d4 ZJS |
7 | * userdbctl: "Password OK: yes" is shown even when there are no passwords |
8 | or the password is locked. | |
9 | ||
5b326dee ZJS |
10 | * Jun 01 09:43:02 krowka systemd[1]: Unit user@1000.service has alias user@.service. |
11 | Jun 01 09:43:02 krowka systemd[1]: Unit user@6.service has alias user@.service. | |
12 | Jun 01 09:43:02 krowka systemd[1]: Unit user-runtime-dir@6.service has alias user-runtime-dir@.service. | |
13 | ||
f38afcd0 | 14 | External: |
f85857df | 15 | |
f38afcd0 | 16 | * Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros. |
bafb15ba | 17 | |
07eabc2b LB |
18 | * dbus: |
19 | - natively watch for dbus-*.service symlinks (PENDING) | |
20 | - teach dbus to activate all services it finds in /etc/systemd/services/org-*.service | |
21 | ||
22 | * kernel: add device_type = "fb", "fbcon" to class "graphics" | |
23 | ||
24 | * /usr/bin/service should actually show the new command line | |
25 | ||
26 | * fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus= | |
27 | ||
28 | * neither pkexec nor sudo initialize environ[] from the PAM environment? | |
29 | ||
30 | * fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it | |
31 | ||
32 | * register catalog database signature as file magic | |
33 | ||
34 | * zsh shell completion: | |
35 | - <command> <verb> -<TAB> should complete options, but currently does not | |
36 | - systemctl add-wants,add-requires | |
37 | ||
38 | * systemctl status should know about 'systemd-analyze calendar ... --iterations=' | |
39 | * If timer has just OnInactiveSec=..., it should fire after a specified time | |
40 | after being started. | |
41 | ||
42 | * write blog stories about: | |
43 | - hwdb: what belongs into it, lsusb | |
44 | - enabling dbus services | |
45 | - how to make changes to sysctl and sysfs attributes | |
46 | - remote access | |
47 | - how to pass throw-away units to systemd, or dynamically change properties of existing units | |
48 | - testing with Harald's awesome test kit | |
49 | - auto-restart | |
50 | - how to develop against journal browsing APIs | |
51 | - the journal HTTP iface | |
52 | - non-cgroup resource management | |
53 | - dynamic resource management with cgroups | |
54 | - refreshed, longer missions statement | |
55 | - calendar time events | |
56 | - init=/bin/sh vs. "emergency" mode, vs. "rescue" mode, vs. "multi-user" mode, vs. "graphical" mode, and the debug shell | |
57 | - how to create your own target | |
58 | - instantiated apache, dovecot and so on | |
59 | - hooking a script into various stages of shutdown/rearly booot | |
60 | ||
61 | Regularly: | |
62 | ||
63 | * look for close() vs. close_nointr() vs. close_nointr_nofail() | |
64 | ||
65 | * check for strerror(r) instead of strerror(-r) | |
66 | ||
67 | * pahole | |
68 | ||
69 | * set_put(), hashmap_put() return values check. i.e. == 0 does not free()! | |
70 | ||
71 | * use secure_getenv() instead of getenv() where appropriate | |
72 | ||
73 | * link up selected blog stories from man pages and unit files Documentation= fields | |
74 | ||
5e524b40 LP |
75 | Janitorial Clean-ups: |
76 | ||
5e524b40 LP |
77 | * Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again |
78 | ||
bb527e11 LP |
79 | * rework mount.c and swap.c to follow proper state enumeration/deserialization |
80 | semantics, like we do for device.c now | |
81 | ||
c6407108 LP |
82 | Features: |
83 | ||
bb5464ad LP |
84 | * add tiny service that decrypts encrypted user records passed via initrd |
85 | credential logic and drops them into /run where nss-systemd can pick them up, | |
86 | similar to /run/host/userdb/. Usecase: drop a root user JSON record there, | |
87 | and use it in the initrd to log in as root with locally selected password, | |
88 | for debugging purposes. | |
89 | ||
90 | * drop dependency on libcap, replace by direct syscalls based on | |
91 | CapabilityQuintet we already have. (This likely allows us drop drop libcap | |
92 | dep in the base OS image) | |
93 | ||
94 | * sysext: automatically activate sysext images dropped in via new sd-stub | |
95 | sysext pickup logic. | |
96 | ||
97 | * add concept for "exitrd" as inverse of "initrd", that we can transition to at | |
98 | shutdown, and has similar security semantics. This should then take the place | |
99 | of dracut's shutdown logic. Should probably support sysexts too. Care needs | |
100 | to be taken that the resulting logic ends up in RAM, i.e. is copied out of | |
101 | on-disk storage. | |
102 | ||
103 | * sd-stub: automatically pick up microcode from ESP and synthesize initrd from | |
104 | it, and measure it. Signing is not necessary, as microcode does that on its | |
105 | own. Pass as first initrd to kernel. | |
106 | ||
a07ab1dd LP |
107 | * userdbd: implement an additional varlink service socket that provides the |
108 | host user db in restricted form, then allow this to be bind mounted into | |
109 | sandboxed environments that want the host database in minimal form. All | |
110 | records would be stripped of all meta info, except the basic UID/name | |
111 | info. Then use this in portabled environments that do not use PrivateUsers=1. | |
112 | ||
a5bf435e LP |
113 | * logind introduce two types of sessions: "heavy" and "light". The former would |
114 | be our current sessions. But the latter would be a new type of session that | |
115 | is mostly the same but does not pull in user@.service or wait for it. Then, | |
116 | allow configuration which type of session is desired via pam_systemd | |
117 | parameters, and then make user@.service's session one of these "light" ones. | |
118 | People could then choose to make FTP sessions and suchlike "light" if they | |
119 | don't want the service manager to be started for that. | |
120 | ||
da3ab57c LP |
121 | * /etc/veritytab: allow that the roothash column can be specified as fs path |
122 | including a path to an AF_UNIX path, similar to how we do things with the | |
123 | keys of /etc/crypttab. That way people can store/provide the roothash | |
124 | externally and provide to us on demand only. | |
125 | ||
636c8a1f LP |
126 | * add high-level lockdown level for GPT dissection logic: e.g. an enum that can |
127 | be ANY (to mount anything), TRUSTED (to require that /usr is on signed | |
128 | verity, but rest doesn't matter), LOCKEDDOWN (to require that everything is | |
129 | on signed verity, except for ESP), SUPERLOCKDOWN (like LOCKEDDOWN but ESP not | |
130 | allowed). And then maybe some flavours of that that declare what is expected | |
131 | from home/srv/var… Then, add a new cmdline flag to all tools that parse such | |
132 | images, to configure this. Also, add a kernel cmdline option for this, to be | |
133 | honoured by the gpt auto generator. | |
134 | ||
135 | * nspawn: maybe optionally insert .nspawn file as GPT partition into images, so | |
136 | that such container images are entirely stand-alone and can be updated as | |
137 | one. | |
138 | ||
3fc0688d LP |
139 | * we probably should extend the root verity hash of the root fs into some PCR |
140 | on boot. (i.e. maybe add a crypttab option tpm2-measure=8 or so to measure it | |
141 | into PCR 8) | |
142 | ||
143 | * add a "policy" to the dissection logic. i.e. a bit mask what is OK to mount, | |
144 | what must be read-only, what requires encryption, and what requires | |
145 | authentication. | |
146 | ||
f4529c4d LP |
147 | * in uefi stub: query firmware regarding which PCRs are being used, store that |
148 | in EFI var. then use this when enrolling TPM2 in cryptsetup to verify that | |
149 | the selected PCRs actually are used by firmware. | |
150 | ||
322b3b38 LP |
151 | * rework recursive read-only remount to use new mount API |
152 | ||
9c53de8b LP |
153 | * PAM: pick auf one authentication token from credentials |
154 | ||
9a6549f6 LP |
155 | * tpm2: figure out if we need to do anything for TPM2 parameter encryption? And |
156 | if so, what precisely? | |
157 | ||
9a6549f6 LP |
158 | * when mounting disk images: if IMAGE_ID/IMAGE_VERSION is set in os-release |
159 | data in the image, make sure the image filename actually matches this, so | |
160 | that images cannot be misused. | |
161 | ||
aca8ecc3 LP |
162 | * New udev block device symlink names: |
163 | /dev/disk/by-parttypelabel/<pttype>/<ptlabel>. Use case: if pt label is used | |
164 | as partition image version string, this is a safe way to reference a specific | |
165 | version of a specific partition type, in particular where related partitions | |
166 | are processed (e.g. verity + rootfs both named "LennartOS_0.7"). | |
167 | ||
cf2ab2e7 LP |
168 | * in sd-id128: also parse UUIDs in RFC4122 URN syntax (i.e. chop off urn:uuid: prefix) |
169 | ||
31892e8d LP |
170 | * DynamicUser= + StateDirectory= → use uid mapping mounts, too, in order to |
171 | make dirs appear under right UID. | |
172 | ||
f3e58b55 LP |
173 | * systemd-sysext: optionally, run it in initrd already, before transitioning |
174 | into host, to open up possibility for services shipped like that. | |
175 | ||
49bd547b LP |
176 | * maybe add a tool that displays most recent journal logs as QR code to scan |
177 | off screen and run it automatically on boot failures, emergency logs and | |
178 | such. Use DRM APIs directly, see | |
179 | https://github.com/dvdhrm/docs/blob/master/drm-howto/modeset.c for an example | |
180 | for doing that. | |
181 | ||
182 | * pass systemd-detect-virt result to generators as env var. Modifying behaviour | |
183 | based on whether we are virtualized or not is a pretty common thing, hence | |
184 | maybe just pass that info along for free in an env var. We cache the result | |
185 | anyway, so it's basically free. | |
186 | ||
24063ba1 | 187 | * introduce /dev/disk/root/* symlinks that allow referencing partitions on the |
f3e58b55 LP |
188 | disk the rootfs is on in a reasonably secure way. (or maybe: add |
189 | /dev/gpt-auto-{home,srv,boot,…} similar in style to /dev/gpt-auto-root as we | |
190 | already have it. | |
24063ba1 | 191 | |
7ed72cfa LP |
192 | * whenever we receive fds via SCM_RIGHTS make sure none got dropped due to the |
193 | reception limit the kernel silently enforces. | |
194 | ||
66e52d22 LP |
195 | * add an Open= setting to service unit files that can open arbitrary file |
196 | system paths at service startup time and pass them to the service process via | |
197 | our usual socket activation protocol. If passed path refers to AF_UNIX | |
198 | socket: connect() to it. | |
199 | ||
200 | * add a ConnectSocket= setting to service unit files, that may reference a | |
201 | socket unit, and which will connect to the socket defined therein, and pass | |
202 | the resulting fd to the service program via socket activation proto. | |
203 | ||
204 | * Add a concept of ListenStream=anonymous to socket units: listen on a socket | |
205 | that is deleted in the fs. Usecase would be with ConnectSocket= above. | |
206 | ||
14f7d087 LP |
207 | * importd: support image signature verification with PKCS#7 + OpenBSD signify |
208 | logic, as alternative to crummy gpg | |
209 | ||
dfbbb4f7 LP |
210 | * sysext: optionally, if the merged trees allow it use bind mounts instead of |
211 | overlayfs | |
212 | ||
9786ba13 LP |
213 | * add "systemd-analyze debug" + AttachDebugger= in unit files: The former |
214 | specifies a command to execute; the latter specifies that an already running | |
215 | "systemd-analyze debug" instance shall be contacted and execution paused | |
216 | until it gives an OK. That way, tools like gdb or strace can be safely be | |
217 | invoked on processes forked off PID 1. | |
218 | ||
38abd1bf LP |
219 | * expose MS_NOSYMFOLLOW in various places |
220 | ||
199b097d LP |
221 | * allow passing creds into kernel when booting: in EFI stub, collect creds |
222 | files from ESP directory, generate CPIO archive on the fly from them, so that | |
223 | they are dropped into /run/initramfs/creds/ and pass to kernel as additional | |
224 | initrd. Then, use LoadCredentialEncrypted=foo:/run/initramfs/creds/foo to | |
225 | load them. | |
226 | ||
227 | * make LoadCredential= automatically find credentials in /etc/creds, | |
228 | /run/creds, … and so on, if path component is unqualified | |
229 | ||
230 | * teach LoadCredential=/LoadCredentialEncrypted= to load credentials from | |
231 | kernel cmdline, maybe: LoadCredentialEncrypted=foobar:proc-cmdline:foobar | |
232 | ||
233 | * credentials system: | |
234 | - acquire from kernel command line | |
235 | - acquire from EFI variable? | |
236 | - acquire via via ask-password? | |
237 | - acquire creds via keyring? | |
238 | - pass creds via keyring? | |
239 | - pass creds via memfd? | |
240 | - acquire + decrypt creds from pkcs11? | |
241 | - make systemd-cryptsetup acquire pw via creds logic | |
242 | - make PAMName= acquire pw via creds logic | |
243 | - make macsec/wireguard code in networkd read key via creds logic | |
244 | - make gatwayd/remote read key via creds logic | |
245 | - add sd_notify() command for flushing out creds not needed anymore | |
246 | ||
247 | * teach LoadCredential= the ability to load all files from a specified dir as | |
248 | individual creds | |
249 | ||
250 | * add tpm.target or so which is delayed until TPM2 device showed up in case | |
251 | firmware indicates there is one. | |
07eabc2b | 252 | |
9aea1e58 LP |
253 | * tpm2: support a PIN policy, i.e. allowing windows-style short authentication |
254 | passwords by using the TPM2 to enforce ratelimiting and such, use for | |
255 | cryptsetup and homed | |
256 | ||
80670e74 LP |
257 | * Add concept for upgrading TPM2 enrollments, maybe a new switch |
258 | --pcrs=4:<hash> or so, i.e. select a PCR to include in the hash, and then | |
259 | override its hash | |
260 | ||
07eabc2b LB |
261 | * TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades |
262 | and such | |
263 | ||
264 | * introduce a new group to own TPM devices | |
80670e74 | 265 | |
80670e74 LP |
266 | * cryptsetup: if only recovery keys are registered and no regular passphrases, |
267 | ask user for "recovery key", not "passphrase" | |
268 | ||
269 | * cyptsetup: add option for automatically removing empty password slot on boot | |
270 | ||
7d7c75f1 | 271 | * cryptsetup: optionally, when run during boot-up and password is never |
80670e74 LP |
272 | entered, and we are on battery power (or so), power off machine again |
273 | ||
274 | * cryptsetup: when FIDO2/PKCS#11/TPM2 token/chip didn't show up after some | |
275 | time, abort the attempt, fallback to asking for pw | |
276 | ||
277 | * cryptsetup: when waiting for FIDO2/PKCS#11 token, tell plymouth that, and | |
278 | allow plymouth to abort the waiting and enter pw instead | |
7d7c75f1 | 279 | |
07eabc2b LB |
280 | * make cryptsetup lower --iter-time |
281 | ||
282 | * cryptsetup: allow encoding key directly in /etc/crypttab, maybe with a | |
283 | "base64:" prefix. Useful in particular for pkcs11 mode. | |
284 | ||
285 | * cryptsetup: reimplement the mkswap/mke2fs in cryptsetup-generator to use | |
286 | systemd-makefs.service instead. | |
287 | ||
288 | * cryptsetup: | |
289 | - cryptsetup-generator: allow specification of passwords in crypttab itself | |
290 | - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator | |
291 | ||
7d7c75f1 LP |
292 | * when configuring loopback netif, and it fails due to EPERM, eat up error if |
293 | it happens to be set up alright already. | |
294 | ||
295 | * at boot: check if battery above some threshold, if not power off again after explanation | |
296 | ||
297 | * userdb: add field for ambient caps, so that a user can have CAP_WAKE_ALARM | |
298 | for example. And add code that resets ambient caps for all services by | |
299 | default. | |
300 | ||
ff640bd2 LP |
301 | * sd-bus: when connecting to some dbus server socker, set originating AF_UNIX |
302 | socket name in abstract namespace to include "description" string, and pick | |
303 | it up from there in sd_bus_creds logic. i.e. we can use the socket peer | |
304 | address as conduit for some minimal connection metainfo, and use it to | |
305 | restore the "description" logic that kdbus used to have. | |
306 | ||
08d33656 | 307 | * systemd-analyze netif that explains predictable interface (or networkctl) |
d775d8e6 | 308 | |
816d460a LP |
309 | * Add service setting to run a service within the specified VRF. i.e. do the |
310 | equivalent of "ip vrf exec". | |
311 | ||
e59d030f LP |
312 | * change SwitchRoot() implementation in PID 1 to use pivot_root(".", "."), as |
313 | documented in the pivot_root(2) man page, so that we can drop the /oldroot | |
314 | temporary dir. | |
315 | ||
316 | * special case some calls of chase_symlinks() to use openat2() internally, so | |
317 | that the kernel does what we otherwise do. | |
318 | ||
6dbfbc46 LB |
319 | * add a new flag to chase_symlinks() that stops chasing once the first missing |
320 | component is found and then allows the caller to create the rest. | |
321 | ||
fc733bed LP |
322 | * make use of new glibc 2.32 APIs sigabbrev_np() and strerrorname_np(). |
323 | ||
42165319 LP |
324 | * add /etc/integritytab, to support dm-integrity setups. In particular those |
325 | with HMAC as hash function, so that we can have a protected /home without | |
326 | encryption (leaving encryption to the individual dirs/homed). | |
327 | ||
16a4a2f8 LP |
328 | * complement root=, rootflags=, rootfstype= with rootsubdir= which allows |
329 | mounting a subdir of the root fs as actual root. This can be used as | |
330 | fstype-agnostic version of btrfs' rootflags=subvol=foobar. | |
331 | ||
effefa30 LP |
332 | * if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it |
333 | ||
42ba8d25 LP |
334 | * Remove any support for booting without /usr pre-mounted in the initrd entirely. |
335 | Update INITRD_INTERFACE.md accordingly. | |
336 | ||
f1eb0ccd LP |
337 | * pid1: Move to tracking of main pid/control pid of units per pidfd |
338 | ||
339 | * pid1: support new clone3() fork-into-cgroup feature | |
340 | ||
8b213bf1 LB |
341 | * pid1: support new cgroup.kill to terminate all processes in a cgroup |
342 | ||
7cc8fb3e LP |
343 | * pid1: also remove PID files of a service when the service starts, not just |
344 | when it exits | |
345 | ||
cdfd8537 LP |
346 | * make us use dynamically fewer deps for containers in general purpose distros: |
347 | o turn into dlopen() deps: | |
cdfd8537 LP |
348 | - elfutils (always) |
349 | - p11-kit-trust (always) | |
350 | - kmod-libs (only when called from PID 1) | |
a52dc0b6 | 351 | - libblkid (only in RootImage= handling in PID 1, but not elsewhere) |
cdfd8537 LP |
352 | - libpam (only when called from PID 1) |
353 | - bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are, | |
354 | since they are so basic and our defaults) | |
355 | o move into separate libsystemd-shared-iptables.so .so | |
356 | - iptables-libs (only used by nspawn + networkd) | |
357 | ||
77169ed0 LP |
358 | * seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can. |
359 | Apparently kernel performance is much better with fewer larger seccomp | |
360 | filters than with more smaller seccomp filters. | |
361 | ||
bfafec25 LP |
362 | * systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum, |
363 | mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such | |
364 | ||
a6e1018d | 365 | * All tools that support --root= should also learn --image= so that they can |
612d3a68 LP |
366 | operate on disk images directly. Specifically: bootctl, systemctl, |
367 | coredumpctl. (Already done: systemd-nspawn, systemd-firstboot, | |
368 | systemd-repart, systemd-tmpfiles, systemd-sysusers, journalctl) | |
a6e1018d | 369 | |
112bed84 LP |
370 | * seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out |
371 | ||
372 | * seccomp: don't install filters for ABIs that are masked anyway for the | |
373 | specific service | |
374 | ||
375 | * seccomp: maybe merge all filters we install into one with that libseccomp API that allows merging. | |
376 | ||
cbe952fe LP |
377 | * busctl: maybe expose a verb "ping" for pinging a dbus service to see if it |
378 | exists and responds. | |
379 | ||
b47261e5 LP |
380 | * Maybe add a separate GPT partition type to the discoverable partition spec |
381 | for "hibernate" partitions, that are exactly like swap partitions but only | |
382 | activated right before hibernation and thus never used for regular swapping. | |
383 | ||
e1d32d6e LP |
384 | * by default, in systemd --user service bump the OOMAdjust to 100, as privs |
385 | allow so that systemd survives | |
386 | ||
91fc013f | 387 | * socket units: allow creating a udev monitor socket with ListenDevices= or so, |
86b52a39 | 388 | with matches, then activate app through that passing socket over |
91fc013f | 389 | |
cdfd8537 LP |
390 | * unify on openssl (as soon as OpenSSL 3.0 is out, and the Debian license |
391 | confusion is gone) | |
492f91d8 LP |
392 | - port resolved over from libgcrypt (DNSSEC code) |
393 | - port journald + fsprg over from libgcrypt | |
394 | - port importd over from libgcrypt | |
492f91d8 LP |
395 | - when that's done: kill gnutls support in resolved |
396 | ||
492f91d8 LP |
397 | * add growvol and makevol options for /etc/crypttab, similar to |
398 | x-systemd.growfs and x-systemd-makefs. | |
399 | ||
77b19caf LP |
400 | * userdb: allow username prefix searches in varlink API, allow realname and |
401 | realname substr searches in varlink API | |
006c44c1 | 402 | |
76410e98 LP |
403 | * userdb: allow uid/gid range checks |
404 | ||
2a4be3c5 | 405 | * userdb: allow existence checks |
006c44c1 | 406 | |
f1eb0ccd | 407 | * pid1: activation by journal search expression |
006c44c1 | 408 | |
492f91d8 LP |
409 | * when switching root from initrd to host, set the machine_id env var so that |
410 | if the host has no machine ID set yet we continue to use the random one the | |
411 | initrd had set. | |
412 | ||
173c7873 | 413 | * sd-event: add native support for P_ALL waitid() watching, then move PID 1 to |
84a1ff94 | 414 | it for reaping assigned but unknown children. This needs to some special care |
173c7873 LP |
415 | to operate somewhat sensibly in light of priorities: P_ALL will return |
416 | arbitrary processes, regardless of the priority we want to watch them with, | |
417 | hence on each event loop iteration check all processes which we shall watch | |
418 | with higher prio explicitly, and then watch the entire rest with P_ALL. | |
419 | ||
420 | * tweak sd-event's child watching: keep a prioq of children to watch and use | |
421 | waitid() only on the children with the highest priority until one is waitable | |
422 | and ignore all lower-prio ones from that point on | |
423 | ||
173c7873 LP |
424 | * maybe introduce xattrs that can be set on the root dir of the root fs |
425 | partition that declare the volatility mode to use the image in. Previously I | |
426 | thought marking this via GPT partition flags but that's not ideal since | |
427 | that's outside of the LUKS encryption/verity verification, and we probably | |
428 | shouldn't operate in a volatile mode unless we got told so from a trusted | |
429 | source. | |
430 | ||
97e5cc88 LP |
431 | * coredump: maybe when coredumping read a new xattr from /proc/$PID/exe that |
432 | may be used to mark a whole binary as non-coredumpable. Would fix: | |
433 | https://bugs.freedesktop.org/show_bug.cgi?id=69447 | |
434 | ||
f3e361c1 LP |
435 | * teach parse_timestamp() timezones like the calendar spec already knows it |
436 | ||
9ef3376b LP |
437 | * beef up hibernation to optionally do swapon/swapoff immediately before/after |
438 | the hibernation | |
439 | ||
c846b233 LP |
440 | * beef up s2h to implement a battery watch loop: instead of entering |
441 | hibernation unconditionally after coming back from resume make a decision | |
442 | based on the battery load level: if battery level is above a specific | |
443 | threshold, go to suspend again, only hibernate if below it. This means we'd | |
444 | stick to suspend usually, but fall back to hibernation only when battery runs | |
445 | empty (well, subject to our sampling interval). Related to this, check if we | |
446 | can make ACPI _BTP (i.e. /sys/class/power_supply/*/alarm) work for us too, | |
447 | i.e. see if it can wake up machines from suspend, so that we could resume | |
448 | automatically when the system is low on power and move automatically to | |
449 | hibernation mode. (see | |
450 | https://uefi.org/sites/default/files/resources/ACPI%206_2_A_Sept29.pdf | |
451 | section 10.2.2.8 and | |
452 | https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby-wake-sources | |
453 | at the end). | |
454 | ||
6fe23ff3 LB |
455 | * We should probably replace /etc/rc.d/README with a symlink to doc |
456 | content. After all it is constant vendor data. | |
9c230b8f | 457 | |
c6526b8d | 458 | * maybe add kernel cmdline params: to force random seed crediting |
312dc153 | 459 | |
ac5dca64 LP |
460 | * introduce a new per-process uuid, similar to the boot id, the machine id, the |
461 | invocation id, that is derived from process creds, specifically a hashed | |
462 | combination of AT_RANDOM + getpid() + the starttime from | |
463 | /proc/self/status. Then add these ids implicitly when logging. Deriving this | |
464 | uuid from these three things has the benefit that it can be derived easily | |
465 | from /proc/$PID/ in a stable, and unique way that changes on both fork() and | |
466 | exec(). | |
467 | ||
468 | * let's not GC a unit while its ratelimits are still pending | |
469 | ||
5daeeecf LP |
470 | * when killing due to service watchdog timeout maybe detect whether target |
471 | process is under ptracing and then log loudly and continue instead. | |
472 | ||
5802d977 LP |
473 | * make rfkill uaccess controllable by default, i.e. steal rule from |
474 | gnome-bluetooth and friends | |
475 | ||
03ccc7f0 LP |
476 | * make MAINPID= message reception checks even stricter: if service uses User=, |
477 | then check sending UID and ignore message if it doesn't match the user or | |
478 | root. | |
479 | ||
480 | * maybe trigger a uevent "change" on a device if "systemctl reload xyz.device" | |
481 | is issued. | |
482 | ||
db3cea22 LP |
483 | * when importing an fs tree with machined, optionally apply userns-rec-chown |
484 | ||
485 | * when importing an fs tree with machined, complain if image is not an OS | |
486 | ||
707b3fbd LP |
487 | * Maybe introduce a helper safe_exec() or so, which is to execve() which |
488 | safe_fork() is to fork(). And then make revert the RLIMIT_NOFILE soft limit | |
489 | to 1K implicitly, unless explicitly opted-out. | |
d7b659ef | 490 | |
d238709c | 491 | * rework seccomp/nnp logic that even if User= is used in combination with |
d96c081a LP |
492 | a seccomp option we don't have to set NNP. For that, change uid first whil |
493 | keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap. | |
494 | ||
8a7cf157 LP |
495 | * when no locale is configured, default to UEFI's PlatformLang variable |
496 | ||
d96c081a LP |
497 | * add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and |
498 | usefaultd() and make systemd-analyze check for it. | |
499 | ||
06898123 | 500 | * paranoia: whenever we process passwords, call mlock() on the memory |
309c6b19 | 501 | first. i.e. look for all places we use free_and_erasep() and |
9ae4ef49 | 502 | augment them with mlock(). Also use MADV_DONTDUMP. |
8b213bf1 | 503 | Alternatively (preferably?) use memfd_secret(). |
06898123 | 504 | |
32875617 LP |
505 | * Move RestrictAddressFamily= to the new cgroup create socket |
506 | ||
507 | * support the bind/connect/sendmsg cgroup stuff for sandboxing, and possibly | |
508 | patching around | |
509 | ||
76853293 LP |
510 | * maybe implicitly attach monotonic+realtime timestamps to outgoing messages in |
511 | log.c and sd-journal-send | |
512 | ||
06898123 LP |
513 | * optionally: turn on cgroup delegation for per-session scope units |
514 | ||
d3aeddb8 LP |
515 | * introduce per-unit (i.e. per-slice, per-service) journal log size limits. |
516 | ||
42e18088 LP |
517 | * sd-boot: automatically load EFI modules from some drop-in dir, so that people |
518 | can add in file system drivers and such | |
519 | ||
42e18088 LP |
520 | * sd-boot: optionally, show boot menu when previous default boot item has |
521 | non-zero "tries done" count | |
522 | ||
8f2eb730 LP |
523 | * augment CODE_FILE=, CODE_LINE= with something like CODE_BASE= or so which |
524 | contains some identifier for the project, which allows us to include | |
525 | clickable links to source files generating these log messages. The identifier | |
526 | could be some abberviated URL prefix or so (taking inspiration from Go | |
527 | imports). For example, for systemd we could use | |
528 | CODE_BASE=github.com/systemd/systemd/blob/98b0b1123cc or so which is | |
529 | sufficient to build a link by prefixing "http://" and suffixing the | |
530 | CODE_FILE. | |
531 | ||
8f2eb730 LP |
532 | * Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can |
533 | make clickable links from log messages carrying a MESSAGE_ID, that lead to | |
534 | some explanatory text online. | |
535 | ||
7bd4bcf7 LP |
536 | * maybe extend .path units to expose fanotify() per-mount change events |
537 | ||
bb527e11 LP |
538 | * When reloading configuration PID 1 should reset all its properties to the |
539 | original defaults before calling parse_config() | |
540 | ||
c633b0a6 LP |
541 | * hibernate/s2h: make this robust and safe to enable in Fedora by default. |
542 | Specifically: | |
543 | ||
544 | 1. add resume_offset support to the resume code (i.e. support swap files | |
545 | properly) | |
e83419d0 | 546 | 2. check if swap is on weird storage and refuse if so |
46c41478 | 547 | 3. add auto-detection of hibernation images |
c633b0a6 | 548 | |
070d0ac9 LP |
549 | * cgroups: use inotify to get notified when somebody else modifies cgroups |
550 | owned by us, then log a friendly warning. | |
551 | ||
e44924f5 LP |
552 | * beef up log.c with support for stripping ANSI sequences from strings, so that |
553 | it is OK to include them in log strings. This would be particularly useful so | |
554 | that our log messages could contain clickable links for example for unit | |
555 | files and suchlike we operate on. | |
070d0ac9 | 556 | |
07eabc2b LB |
557 | * importd: add ability download images for portabled + sysext |
558 | ||
8c4c2dfc LP |
559 | * add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration) |
560 | ||
8c4c2dfc LP |
561 | * sync dynamic uids/gids between host+portable srvice (i.e. if DynamicUser=1 is set for a service, make sure that the |
562 | selected user is resolvable in the service even if it ships its own /etc/passwd) | |
563 | ||
5da19043 | 564 | * Fix DECIMAL_STR_MAX or DECIMAL_STR_WIDTH. One includes a trailing NUL, the |
5238e957 | 565 | other doesn't. What a disaster. Probably to exclude it. Also |
5da19043 LP |
566 | DECIMAL_STR_WIDTH should probably add an extra "-" into account for negative |
567 | numbers. | |
568 | ||
16270697 LP |
569 | * Check that users of inotify's IN_DELETE_SELF flag are using it properly, as |
570 | usually IN_ATTRIB is the right way to watch deleted files, as the former only | |
571 | fires when a file is actually removed from disk, i.e. the link count drops to | |
572 | zero and is not open anymore, while the latter happens when a file is | |
573 | unlinked from any dir. | |
574 | ||
bd1b3f75 | 575 | * port systemctl, busctl, … over to format-table.[ch]'s table formatters |
5da19043 | 576 | |
7bc756ff LP |
577 | * pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up |
578 | ||
579 | * add --vacuum-xyz options to coredumpctl, matching those journalctl already has. | |
580 | ||
53c70a27 LP |
581 | * introduce Ephemeral= unit file switch, that creates an ephemeral copy of all |
582 | files and directories that are left writable for a unit, and which are | |
583 | removed after the unit goes down again. A bit like --ephemeral for | |
584 | systemd-nspawn but for system services. If used together with RootImage= this | |
585 | should reflink the image file itself. | |
586 | ||
587 | Related: add Ephemeral=<path1> <path2> … which would allow marking | |
588 | specific paths only like this. | |
589 | ||
53c70a27 | 590 | * add CopyFile= or so as unit file setting that may be used to copy files or |
5238e957 | 591 | directory trees from the host to the services RootImage= and RootDirectory= |
53c70a27 LP |
592 | environment. Which we can use for /etc/machine-id and in particular |
593 | /etc/resolv.conf. Should be smart and do something useful on read-only | |
2aed63f4 | 594 | images, for example fall back to read-only bind mounting the file instead. |
53c70a27 | 595 | |
d9b50610 LP |
596 | * show invocation ID in systemd-run output |
597 | ||
598 | * bypass SIGTERM state in unit files if KillSignal is SIGKILL | |
599 | ||
9711b1ad LP |
600 | * add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1 |
601 | and so on, which would mean we could report errors and such. | |
602 | ||
6b7b0f39 LP |
603 | * introduce DefaultSlice= or so in system.conf that allows changing where we |
604 | place our units by default, i.e. change system.slice to something | |
605 | else. Similar, ManagerSlice= should exist so that PID1's own scope unit could | |
606 | be moved somewhere else too. Finally machined and logind should get similar | |
607 | options so that it is possible to move user session scopes and machines to a | |
608 | different slice too by default. Usecase: people who want to put resources on | |
609 | the entire system, with the exception of one specific service. See: | |
610 | https://lists.freedesktop.org/archives/systemd-devel/2018-February/040369.html | |
611 | ||
aa79f932 LP |
612 | * maybe rework get_user_creds() to query the user database if $SHELL is used |
613 | for root, but only then. | |
586a8e93 | 614 | |
46099c9e LP |
615 | * be stricter with fds we receive for the fdstore: close them asynchronously |
616 | ||
46099c9e LP |
617 | * calenderspec: add support for week numbers and day numbers within a |
618 | year. This would allow us to define "bi-weekly" triggers safely. | |
619 | ||
c3cd7cc9 LP |
620 | * sd-bus: add vtable flag, that may be used to request client creds implicitly |
621 | and asynchronously before dispatching the operation | |
622 | ||
d0e5db44 ZJS |
623 | * sd-bus: parse addresses given in sd_bus_set_addresses immediately and not |
624 | only when used. Add unit tests. | |
625 | ||
06345858 LP |
626 | * make use of ethtool veth peer info in machined, for automatically finding out |
627 | host-side interface pointing to the container. | |
628 | ||
48f1b5e5 LP |
629 | * add some special mode to LogsDirectory=/StateDirectory=… that allows |
630 | declaring these directories without necessarily pulling in deps for them, or | |
631 | creating them when starting up. That way, we could declare that | |
632 | systemd-journald writes to /var/log/journal, which could be useful when we | |
633 | doing disk usage calculations and so on. | |
634 | ||
cb77e122 | 635 | * taint systemd if there are fewer than 65536 users assigned (userns) to the system. |
c6009ff0 | 636 | |
899feb72 | 637 | * deprecate RootDirectoryStartOnly= in favour of a new ExecStart= prefix char |
c6009ff0 | 638 | |
3d80d454 LP |
639 | * add a new RuntimeDirectoryPreserve= mode that defines a similar lifecycle for |
640 | the runtime dir as we maintain for the fdstore: i.e. keep it around as long | |
641 | as the unit is running or has a job queued. | |
642 | ||
5f7ecd61 | 643 | * support projid-based quota in machinectl for containers |
5962e9db | 644 | |
17b6f896 LP |
645 | * add a way to lock down cgroup migration: a boolean, which when set for a unit |
646 | makes sure the processes in it can never migrate out of it | |
647 | ||
17b6f896 LP |
648 | * blog about fd store and restartable services |
649 | ||
650 | * document Environment=SYSTEMD_LOG_LEVEL=debug drop-in in debugging document | |
651 | ||
370f9c21 LP |
652 | * rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its |
653 | magic meaning and is no longer upgraded to something else if set explicitly. | |
654 | ||
17b6f896 LP |
655 | * in the long run: permit a system with /etc/machine-id linked to /dev/null, to |
656 | make it lose its identity, i.e. be anonymous. For this we'd have to patch | |
657 | through the whole tree to make all code deal with the case where no machine | |
658 | ID is available. | |
659 | ||
660 | * optionally, collect cgroup resource data, and store it in per-unit RRD files, | |
661 | suitable for processing with rrdtool. Add bus API to access this data, and | |
662 | possibly implement a CPULoad property based on it. | |
663 | ||
e7e4a258 LP |
664 | * beef up pam_systemd to take unit file settings such as cgroups properties as |
665 | parameters | |
666 | ||
6fc373ee | 667 | * maybe hook of xfs/ext4 quotactl() with services? i.e. automatically manage |
d51c4fca | 668 | the quota of the user indicated in User= via unit file settings, like the |
5962e9db LP |
669 | other resource management concepts. Would mix nicely with DynamicUser=1. Or |
670 | alternatively, do this with projids, so that we can also cover services | |
671 | running as root. Quota should probably cover all the special dirs such as | |
672 | StateDirectory=, LogsDirectory=, CacheDirectory=, as well as RootDirectory= if it | |
673 | is set, plus the whole disk space any image configured with RootImage=. | |
6fc373ee | 674 | |
9a92a97a LP |
675 | * In DynamicUser= mode: before selecting a UID, use disk quota APIs on relevant |
676 | disks to see if the UID is already in use. | |
677 | ||
fa991fb7 LP |
678 | * expose IO accounting data on the bus, show it in systemd-run --wait and log |
679 | about it in the resource log message | |
680 | ||
d73b607d LP |
681 | * Add AddUser= setting to unit files, similar to DynamicUser=1 which however |
682 | creates a static, persistent user rather than a dynamic, transient user. We | |
683 | can leverage code from sysusers.d for this. | |
684 | ||
fd63f36c LP |
685 | * add some optional flag to ReadWritePaths= and friends, that has the effect |
686 | that we create the dir in question when the service is started. Example: | |
687 | ||
688 | ReadWritePaths=:/var/lib/foobar | |
689 | ||
fe6a0235 LP |
690 | * hostnamed: populate form factor data from a new hwdb database, so that old |
691 | yogas can be recognized as "convertible" too, even if they predate the DMI | |
692 | "convertible" form factor | |
693 | ||
f59d1da8 LP |
694 | * Add ExecMonitor= setting. May be used multiple times. Forks off a process in |
695 | the service cgroup, which is supposed to monitor the service, and when it | |
696 | exits the service is considered failed by its monitor. | |
697 | ||
33bac67b LP |
698 | * track the per-service PAM process properly (i.e. as an additional control |
699 | process), so that it may be queried on the bus and everything. | |
700 | ||
701 | * add a new "debug" job mode, that is propagated to unit_start() and for | |
702 | services results in two things: we raise SIGSTOP right before invoking | |
703 | execve() and turn off watchdog support. Then, use that to implement | |
704 | "systemd-gdb" for attaching to the start-up of any system service in its | |
705 | natural habitat. | |
706 | ||
8eb7383b LP |
707 | * gpt-auto logic: support encrypted swap, add kernel cmdline option to force it, and honour a gpt bit about it, plus maybe a configuration file |
708 | ||
b5bdbcd5 LP |
709 | * add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and |
710 | then use that for the setting used in user@.service. It should be understood | |
711 | relative to the configured default value. | |
712 | ||
d21494ea LP |
713 | * enable LockMLOCK to take a percentage value relative to physical memory |
714 | ||
04397464 | 715 | * Permit masking specific netlink APIs with RestrictAddressFamily= |
d82047be | 716 | |
d82047be LP |
717 | * define gpt header bits to select volatility mode |
718 | ||
42d61ded LP |
719 | * ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc |
720 | ||
04397464 | 721 | * ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away) |
42d61ded | 722 | |
04397464 | 723 | * ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave) |
563a69f4 | 724 | |
04397464 | 725 | * ProtectKeyRing= to take keyring calls away |
2c5f2958 | 726 | |
8ce9b83a | 727 | * RemoveKeyRing= to remove all keyring entries of the specified user |
a46eac1b LP |
728 | |
729 | * ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill | |
730 | on PID 1 with the relevant signals, and makes relevant files in /sys and | |
731 | /proc (such as the sysrq stuff) unavailable | |
732 | ||
88511a37 LB |
733 | * Support ReadWritePaths/ReadOnlyPaths/InaccessiblePaths in systemd --user instances |
734 | via the new unprivileged Landlock LSM (https://landlock.io) | |
735 | ||
e40a326c | 736 | * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things |
89f193fa | 737 | |
8ce9b83a LP |
738 | * in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set, |
739 | find a way to map the User=/Group= of the service to the right name. This way | |
740 | a user/group for a service only has to exist on the host for the right | |
741 | mapping to work. | |
742 | ||
2c5f2958 LP |
743 | * add bus API for creating unit files in /etc, reusing the code for transient units |
744 | ||
745 | * add bus API to remove unit files from /etc | |
746 | ||
747 | * add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only) | |
748 | ||
b8c7afdf LP |
749 | * rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the |
750 | kernel doesn't support linkat() that replaces existing files, currently) | |
751 | ||
1e555cb5 LP |
752 | * transient units: don't bother with actually setting unit properties, we |
753 | reload the unit file anyway | |
754 | ||
c8048350 LP |
755 | * optionally, also require WATCHDOG=1 notifications during service start-up and shutdown |
756 | ||
3d39e6e5 LP |
757 | * cache sd_event_now() result from before the first iteration... |
758 | ||
bd098bce LP |
759 | * PID1: find a way how we can reload unit file configuration for |
760 | specific units only, without reloading the whole of systemd | |
761 | ||
f9bf1b8f | 762 | * add an explicit parser for LimitRTPRIO= that verifies |
de7399eb | 763 | the specified range and generates sane error messages for incorrect |
f9bf1b8f | 764 | specifications. |
de7399eb | 765 | |
3efc8c72 LP |
766 | * when we detect that there are waiting jobs but no running jobs, do something |
767 | ||
5ebbb45b | 768 | * push CPUAffinity= also into the "cpuset" cgroup controller |
03364e47 | 769 | |
e6a26d8c LP |
770 | * PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn) |
771 | ||
a2088fd0 | 772 | * there's probably something wrong with having user mounts below /sys, |
5238e957 | 773 | as we have for debugfs. for example, src/core/mount.c handles mounts |
a2088fd0 LP |
774 | prefixed with /sys generally special. |
775 | http://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html | |
776 | ||
8aa20381 LP |
777 | * fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline |
778 | ||
a7972611 ZJS |
779 | * initrd-parse-etc.service: can we skip daemon-reload if /sysroot/etc/fstab is missing? |
780 | Note that we start initrd-fs.target and initrd-cleanup.target there, so a straightforward | |
781 | ConditionPathExists= is not enough. | |
782 | ||
b18d23d7 LP |
783 | * docs: bring http://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date |
784 | ||
60d17b74 LP |
785 | * add a job mode that will fail if a transaction would mean stopping |
786 | running units. Use this in timedated to manage the NTP service | |
787 | state. | |
788 | http://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html | |
789 | ||
477e75ef LP |
790 | * The udev blkid built-in should expose a property that reflects |
791 | whether media was sensed in USB CF/SD card readers. This should then | |
792 | be used to control SYSTEMD_READY=1/0 so that USB card readers aren't | |
793 | picked up by systemd unless they contain a medium. This would mirror | |
794 | the behaviour we already have for CD drives. | |
795 | ||
c3a0d00d LP |
796 | * hostnamectl: show root image uuid |
797 | ||
d2f81fb0 LP |
798 | * Find a solution for SMACK capabilities stuff: |
799 | http://lists.freedesktop.org/archives/systemd-devel/2014-December/026188.html | |
98cd2651 | 800 | |
0a86c1a9 LP |
801 | * synchronize console access with BSD locks: |
802 | http://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html | |
803 | ||
e031c227 | 804 | * as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads: |
0a86c1a9 LP |
805 | http://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html |
806 | ||
8514b677 LP |
807 | * figure out when we can use the coarse timers |
808 | ||
8483d73f LP |
809 | * maybe allow timer units with an empty Units= setting, so that they |
810 | can be used for resuming the system but nothing else. | |
811 | ||
25e773ee | 812 | * what to do about udev db binary stability for apps? (raw access is not an option) |
b857e042 | 813 | |
720652b3 | 814 | * exponential backoff in timesyncd when we cannot reach a server |
42aeb14a | 815 | |
720652b3 | 816 | * timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM |
e25b5a8d | 817 | |
563b1bdc LP |
818 | * merge ~/.local/share and ~/.local/lib into one similar /usr/lib and /usr/share.... |
819 | ||
6bd7941e TG |
820 | * add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL |
821 | (throughout the codebase, not only PID1) | |
822 | ||
07eabc2b LB |
823 | * drop nss-myhostname in favour of nss-resolve? |
824 | ||
9d6db739 | 825 | * resolved: |
9d6db739 | 826 | - mDNS/DNS-SD |
ccc3e8a1 LP |
827 | - service registration |
828 | - service/domain/types browsing | |
0f47ed0a | 829 | - avahi compat |
9d6db739 | 830 | - DNS-SD service registration from socket units |
e25b5a8d DH |
831 | - resolved should optionally register additional per-interface LLMNR |
832 | names, so that for the container case we can establish the same name | |
833 | (maybe "host") for referencing the server, everywhere. | |
720652b3 | 834 | - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?) |
3efb871a | 835 | - hook up resolved with machined-based address resolution |
3f77a1b1 | 836 | |
e25b5a8d | 837 | * refcounting in sd-resolve is borked |
e2a69298 | 838 | |
a940778f LP |
839 | * add new gpt type for btrfs volumes |
840 | ||
3de03738 LP |
841 | * generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them. |
842 | ||
37efac5d LP |
843 | * a way for container managers to turn off getty starting via $container_headless= or so... |
844 | ||
7348b3ad LP |
845 | * figure out a nice way how we can let the admin know what child/sibling unit causes cgroup membership for a specific unit |
846 | ||
81429136 KS |
847 | * For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services |
848 | they run added to the initial transaction and thus confuse Type=idle. | |
e107ed18 | 849 | |
edb2935c LP |
850 | * add bus api to query unit file's X fields. |
851 | ||
6a3f892a | 852 | * gpt-auto-generator: |
2a781fc9 | 853 | - Define new partition type for encrypted swap? Support probed LUKS for encrypted swap? |
6a3f892a | 854 | - Make /home automount rather than mount? |
6a3f892a | 855 | |
65026403 LP |
856 | * add generator that pulls in systemd-network from containers when |
857 | CAP_NET_ADMIN is set, more than the loopback device is defined, even | |
858 | when it is otherwise off | |
f8901862 | 859 | |
f9bf1b8f | 860 | * MessageQueueMessageSize= (and suchlike) should use parse_iec_size(). |
eda8f067 | 861 | |
af1082b0 LP |
862 | * implement Distribute= in socket units to allow running multiple |
863 | service instances processing the listening socket, and open this up | |
864 | for ReusePort= | |
865 | ||
f38afcd0 | 866 | * cgroups: |
f38afcd0 | 867 | - implement per-slice CPUFairScheduling=1 switch |
f38afcd0 LP |
868 | - introduce high-level settings for RT budget, swappiness |
869 | - how to reset dynamically changed unit cgroup attributes sanely? | |
870 | - when reloading configuration, apply new cgroup configuration | |
871 | - when recursively showing the cgroup hierarchy, optionally also show | |
872 | the hierarchies of child processes | |
0bee65f0 | 873 | |
f38afcd0 | 874 | * transient units: |
f38afcd0 | 875 | - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt |
ebcf1f97 | 876 | |
718db961 LP |
877 | * when we detect low battery and no AC on boot, show pretty splash and refuse boot |
878 | ||
718db961 LP |
879 | * libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops |
880 | ||
966204e0 LP |
881 | * be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1 |
882 | ||
41644622 LP |
883 | * rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it |
884 | ||
7f79cd71 | 885 | * After coming back from hibernation reset hibernation swap partition using the /dev/snapshot ioctl APIs |
0aafd43d | 886 | |
19aadacf JE |
887 | * If we try to find a unit via a dangling symlink, generate a clean |
888 | error. Currently, we just ignore it and read the unit from the search | |
df5f6971 LP |
889 | path anyway. |
890 | ||
04397464 | 891 | * refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up |
fcba531e | 892 | |
bdeeb6b5 LP |
893 | * man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted. |
894 | ||
895 | * load .d/*.conf dropins for device units | |
896 | ||
07eabc2b | 897 | * There's currently no way to cancel fsck (used to be possible via C-c or c on the console) |
f38afcd0 | 898 | |
07eabc2b | 899 | * add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/ |
eb01ba5d | 900 | |
07eabc2b LB |
901 | * make sure systemd-ask-password-wall does not shutdown systemd-ask-password-console too early |
902 | ||
903 | * verify that the AF_UNIX sockets of a service in the fs still exist | |
904 | when we start a service in order to avoid confusion when a user | |
905 | assumes starting a service is enough to make it accessible | |
906 | ||
907 | * Make it possible to set the keymap independently from the font on | |
908 | the kernel cmdline. Right now setting one resets also the other. | |
909 | ||
910 | * and a dbus call to generate target from current state | |
911 | ||
912 | * investigate whether the gnome pty helper should be moved into systemd, to provide cgroup support. | |
913 | ||
914 | * dot output for --test showing the 'initial transaction' | |
915 | ||
916 | * be able to specify a forced restart of service A where service B depends on, in case B | |
917 | needs to be auto-respawned? | |
918 | ||
919 | * pid1: | |
920 | - When logging about multiple units (stopping BoundTo units, conflicts, etc.), | |
921 | log both units as UNIT=, so that journalctl -u triggers on both. | |
922 | - generate better errors when people try to set transient properties | |
923 | that are not supported... | |
924 | http://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html | |
925 | - maybe introduce WantsMountsFor=? Usecase: | |
926 | http://lists.freedesktop.org/archives/systemd-devel/2015-January/027729.html | |
927 | - recreate systemd's D-Bus private socket file on SIGUSR2 | |
928 | - move PAM code into its own binary | |
929 | - when we automatically restart a service, ensure we restart its rdeps, too. | |
930 | - hide PAM options in fragment parser when compile time disabled | |
931 | - Support --test based on current system state | |
932 | - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle(). | |
933 | - after deserializing sockets in socket.c we should reapply sockopts and things | |
934 | - drop PID 1 reloading, only do reexecing (difficult: Reload() | |
935 | currently is properly synchronous, Reexec() is weird, because we | |
936 | cannot delay the response properly until we are back, so instead of | |
937 | being properly synchronous we just keep open the fd and close it | |
938 | when done. That means clients do not get a successful method reply, | |
939 | but much rather a disconnect on success. | |
940 | - when breaking cycles drop sysv services first, then services from /run, then from /etc, then from /usr | |
941 | - when a bus name of a service disappears from the bus make sure to queue further activation requests | |
942 | - maybe introduce CoreScheduling=yes/no to optionally set a PR_SCHED_CORE cookie, so that all | |
943 | processes in a service's cgroup share the same cookie and are guaranteed not to share SMT cores | |
944 | with other units https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/hw-vuln/core-scheduling.rst | |
945 | ||
946 | * unit files: | |
947 | - allow port=0 in .socket units | |
948 | - maybe introduce ExecRestartPre= | |
949 | - add ReloadSignal= for configuring a reload signal to use | |
950 | - implement Register= switch in .socket units to enable registration | |
951 | in Avahi, RPC and other socket registration services. | |
952 | - allow Type=simple with PIDFile= | |
953 | https://bugzilla.redhat.com/show_bug.cgi?id=723942 | |
954 | - allow writing multiple conditions in unit files on one line | |
955 | - introduce Type=pid-file | |
956 | - add a concept of RemainAfterExit= to scope units | |
957 | - Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely | |
958 | - add verification of [Install] section to systemd-analyze verify | |
959 | ||
960 | * timer units: | |
961 | - timer units should get the ability to trigger when: | |
962 | o DST changes | |
963 | - Modulate timer frequency based on battery state | |
964 | ||
965 | * add libsystemd-password or so to query passwords during boot using the password agent logic | |
966 | ||
967 | * clean up date formatting and parsing so that all absolute/relative timestamps we format can also be parsed | |
968 | ||
969 | * on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?), get rid of systemd-update-utmp-runlevel | |
970 | ||
971 | * make repeated alt-ctrl-del presses printing a dump | |
972 | ||
973 | * hostnamed: before returning information from /etc/machine-info.conf check the modification data and reread. Similar for localed, ... | |
974 | ||
975 | * currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not | |
461bd8e4 | 976 | |
ab8e074c LP |
977 | * add a pam module that passes the hdd passphrase into the PAM stack and then expires it, for usage by gdm auto-login. |
978 | ||
979 | * add a pam module that on password changes updates any LUKS slot where the password matches | |
980 | ||
fff87a35 | 981 | * test/: |
20d52ab6 | 982 | - add unit tests for config_parse_device_allow() |
b8b4d3dd | 983 | |
b5c03638 | 984 | * seems that when we follow symlinks to units we prefer the symlink |
d28315e4 | 985 | destination path over /etc and /usr. We should not do that. Instead |
b5c03638 LP |
986 | /etc should always override /run+/usr and also any symlink |
987 | destination. | |
988 | ||
eece8c6f LP |
989 | * when isolating, try to figure out a way how we implicitly can order |
990 | all units we stop before the isolating unit... | |
991 | ||
356ce991 LP |
992 | * teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off}) |
993 | ||
6daebf9e ZJS |
994 | * Add ConditionDirectoryNotEmpty= handle non-absoute paths as a search path or add |
995 | ConditionConfigSearchPathNotEmpty= or different syntax? See the discussion starting at | |
996 | https://github.com/systemd/systemd/pull/15109#issuecomment-607740136. | |
997 | ||
c1446921 LP |
998 | * BootLoaderSpec: Clarify that the kernel has to be in $BOOT. Clarify |
999 | that the boot loader should be installed to the ESP. Define a way | |
1000 | how an installer can figure out whether a BLS compliant boot loader | |
1001 | is installed. | |
795607b2 | 1002 | |
0be8342c LP |
1003 | * think about requeuing jobs when daemon-reload is issued? usecase: |
1004 | the initrd issues a reload after fstab from the host is accessible | |
1005 | and we might want to requeue the mounts local-fs acquired through | |
1006 | that automatically. | |
1007 | ||
e5ec62c5 | 1008 | * systemd-inhibit: make taking delay locks useful: support sending SIGINT or SIGTERM on PrepareForSleep() |
54c31a79 | 1009 | |
ccddd104 | 1010 | * remove any syslog support from log.c — we probably cannot do this before split-off udev is gone for good |
826872b6 | 1011 | |
3679d112 LP |
1012 | * shutdown logging: store to EFI var, and store to USB stick? |
1013 | ||
356ce991 | 1014 | * merge unit_kill_common() and unit_kill_context() |
490b7e47 | 1015 | |
07eabc2b LB |
1016 | * hw watchdog: optionally try to use the preset watchdog timeout instead of always overriding it |
1017 | https://bugs.freedesktop.org/show_bug.cgi?id=54712 | |
1018 | ||
1019 | * add a dependency on standard-conf.xml and other included files to man pages | |
1020 | ||
1021 | * MountFlags=shared acts as MountFlags=slave right now. | |
1022 | ||
1023 | * properly handle loop back mounts via fstab, especially regards to fsck/passno | |
1024 | ||
1025 | * initialize the hostname from the fs label of /, if /etc/hostname does not exist? | |
1026 | ||
1027 | * sd-bus: | |
1028 | - EBADSLT handling | |
1029 | - GetAllProperties() on a non-existing object does not result in a failure currently | |
1030 | - port to sd-resolve for connecting to TCP dbus servers | |
1031 | - see if we can introduce a new sd_bus_get_owner_machine_id() call to retrieve the machine ID of the machine of the bus itself | |
1032 | - see if we can drop more message validation on the sending side | |
1033 | - add API to clone sd_bus_message objects | |
1034 | - longer term: priority inheritance | |
1035 | - dbus spec updates: | |
1036 | - NameLost/NameAcquired obsolete | |
1037 | - GVariant | |
1038 | - path escaping | |
1039 | - update systemd.special(7) to mention that dbus.socket is only about the compatibility socket now | |
1040 | ||
1041 | * sd-event | |
1042 | - allow multiple signal handlers per signal? | |
1043 | - document chaining of signal handler for SIGCHLD and child handlers | |
1044 | - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ... | |
1045 | - maybe support iouring as backend, so that we allow hooking read and write | |
1046 | operations instead of IO ready events into event loops. See considerations | |
1047 | here: | |
1048 | http://blog.vmsplice.net/2020/07/rethinking-event-loop-integration-for.html | |
1049 | ||
1050 | * dbus: when a unit failed to load (i.e. is in UNIT_ERROR state), we | |
1051 | should be able to safely try another attempt when the bus call LoadUnit() is invoked. | |
1052 | ||
1053 | * maybe do not install getty@tty1.service symlink in /etc but in /usr? | |
1054 | ||
1055 | * print a nicer explanation if people use variable/specifier expansion in ExecStart= for the first word | |
1056 | ||
1057 | * mount: turn dependency information from /proc/self/mountinfo into dependency information between systemd units. | |
1058 | ||
1059 | * firstboot: allow provisioning of /etc/hosts entries, so that we can via the | |
1060 | credentials logic insert host name to resolve into containers/hosts. Usecase: | |
1061 | fork a container, and make it ping some specific address which is defined by | |
1062 | the host on invocation | |
1063 | ||
1064 | * systemd-firstboot: make sure to always use chase_symlinks() before | |
1065 | reading/writing files | |
1066 | ||
1067 | * firstboot: make it useful to be run immediately after yum --installroot to set up a machine. (most specifically, make --copy-root-password work even if /etc/passwd already exists | |
1068 | ||
1069 | * sd-boot: define a drop-in dir in the ESP that may contain X.509 | |
1070 | certificates. If the firmware is detected to be in setup mode, automatically | |
1071 | enroll them as PK/KEK/db, turn off setup mode and proceed. Optionally, | |
1072 | instead of auto-enrolling them add them to the sd-boot menu, giving the user | |
1073 | the option to manually enroll them, after selecting the menu entry. This way, | |
1074 | installer images can just drop the certfiicates in the ESP, and on first boot | |
1075 | can easily enroll the keys without ever booting up. | |
1076 | ||
1077 | * efi stub: optionally, load initrd from disk as a separate file, HMAC check it | |
1078 | with key from TPM, bound to PCR, refusing if failing. This would then allow | |
1079 | traditional distros that generate initrds locally to secure them with TPM: | |
1080 | after generating the initrd, do the HMAC calculation, put result in initrd | |
1081 | filename, done. This would then bind the validity of the initrd to the local | |
1082 | host, and used kernel, and means people cannot change initrd or kernel | |
1083 | without booting the kernel + initrd. | |
1084 | ||
b44be3ec | 1085 | * EFI: |
b44be3ec LP |
1086 | - honor language efi variables for default language selection (if there are any?) |
1087 | - honor timezone efi variables for default timezone selection (if there are any?) | |
466784c8 | 1088 | - change bootctl to be backed by systemd-bootd to control temporary and persistent default boot goal plus efi variables |
631427d6 | 1089 | * bootctl |
631427d6 | 1090 | - recognize the case when not booted on EFI |
e4181484 | 1091 | |
07eabc2b | 1092 | * bootctl,sd-boot: actually honour the "architecture" key |
e9fd44b7 | 1093 | |
07eabc2b LB |
1094 | * bootctl: |
1095 | - teach it to prepare an ESP wholesale, i.e. with mkfs.vfat invocation | |
1096 | - teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host | |
1097 | - make it operate on loopback files, dissecting enough to find ESP to operate on | |
e6c6e7af | 1098 | |
b44be3ec LP |
1099 | * logind: |
1100 | - logind: optionally, ignore idle-hint logic for autosuspend, block suspend as long as a session is around | |
b44be3ec LP |
1101 | - logind: wakelock/opportunistic suspend support |
1102 | - Add pretty name for seats in logind | |
1103 | - logind: allow showing logout dialog from system? | |
f38afcd0 LP |
1104 | - add Suspend() bus calls which take timestamps to fix double suspend issues when somebody hits suspend and closes laptop quickly. |
1105 | - if pam_systemd is invoked by su from a process that is outside of a | |
1106 | any session we should probably just become a NOP, since that's | |
1107 | usually not a real user session but just some system code that just | |
1108 | needs setuid(). | |
279f0366 LP |
1109 | - logind: make the Suspend()/Hibernate() bus calls wait for the for |
1110 | the job to be completed. before returning, so that clients can wait | |
1111 | for "systemctl suspend" to finish to know when the suspending is | |
1112 | complete. | |
1113 | - logind: when the power button is pressed short, just popup a | |
1114 | logout dialog. If it is pressed for 1s, do the usual | |
1115 | shutdown. Inspiration are Macs here. | |
28423d9a | 1116 | - expose "Locked" property on logind session objects |
e25b5a8d DH |
1117 | - maybe allow configuration of the StopTimeout for session scopes |
1118 | - rename session scope so that it includes the UID. THat way | |
1119 | the session scope can be arranged freely in slices and we don't have | |
1120 | make assumptions about their slice anymore. | |
1121 | - follow PropertiesChanged state more closely, to deal with quick logouts and | |
1122 | relogins | |
77b19caf | 1123 | - (optionally?) spawn seat-manager@$SEAT.service whenever a seat shows up that as CanGraphical set |
e673ad04 | 1124 | |
07eabc2b LB |
1125 | * move logind udev rules to top-level rule.d/ directory |
1126 | ||
1127 | * move multiseat vid/pid matches from logind udev rule to hwdb | |
1128 | ||
1129 | * logind: rework pam_logind to also do a bus call in case of invocation from | |
1130 | user@.service, which returns the XDG_RUNTIME_DIR value, and make this | |
1131 | behaviour selectable via pam module option. | |
1132 | ||
1133 | * delay activation of logind until somebody logs in, or when /dev/tty0 pulls it | |
1134 | in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle | |
1135 | ||
b44be3ec | 1136 | * journal: |
57f2a947 | 1137 | - consider introducing implicit _TTY= + _PPID= + _EUID= + _EGID= + _FSUID= + _FSGID= fields |
b44be3ec LP |
1138 | - journald: also get thread ID from client, plus thread name |
1139 | - journal: when waiting for journal additions in the client always sleep at least 1s or so, in order to minimize wakeups | |
1140 | - add API to close/reopen/get fd for journal client fd in libsystemd-journal. | |
2aed63f4 | 1141 | - fall back to /dev/log based logging in libsystemd-journal, if we cannot log natively? |
b44be3ec | 1142 | - declare the local journal protocol stable in the wiki interface chart |
b44be3ec LP |
1143 | - sd-journal: speed up sd_journal_get_data() with transparent hash table in bg |
1144 | - journald: when dropping msgs due to ratelimit make sure to write | |
1145 | "dropped %u messages" not only when we are about to print the next | |
5238e957 | 1146 | message that works, but already after a short timeout |
b44be3ec LP |
1147 | - check if we can make journalctl by default use --follow mode inside of less if called without args? |
1148 | - maybe add API to send pairs of iovecs via sd_journal_send | |
f47ec8eb | 1149 | - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access |
b44be3ec LP |
1150 | - journactl: support negative filtering, i.e. FOOBAR!="waldo", |
1151 | and !FOOBAR for events without FOOBAR. | |
06847d0f | 1152 | - journal: store timestamp of journal_file_set_offline() in the header, |
038cf334 | 1153 | so it is possible to display when the file was last synced. |
b44be3ec LP |
1154 | - journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again. |
1155 | - journal: find a way to allow dropping history early, based on priority, other rules | |
1156 | - journal: When used on NFS, check payload hashes | |
b44be3ec LP |
1157 | - journald: add kernel cmdline option to disable ratelimiting for debug purposes |
1158 | - refuse taking lower-case variable names in sd_journal_send() and friends. | |
1159 | - journald: we currently rotate only after MaxUse+MaxFilesize has been reached. | |
1160 | - journal: deal nicely with byte-by-byte copied files, especially regards header | |
b44be3ec | 1161 | - journal: sanely deal with entries which are larger than the individual file size, but where the components would fit |
601d9d6f | 1162 | - Replace utmp, wtmp, btmp, and lastlog completely with journal |
f38afcd0 | 1163 | - journalctl: instead --after-cursor= maybe have a --cursor=XYZ+1 syntax? |
f38afcd0 LP |
1164 | - when a kernel driver logs in a tight loop, we should ratelimit that too. |
1165 | - journald: optionally, log debug messages to /run but everything else to /var | |
1166 | - journald: when we drop syslog messages because the syslog socket is | |
1167 | full, make sure to write how many messages are lost as first thing | |
1168 | to syslog when it works again. | |
279f0366 LP |
1169 | - journald: allow per-priority and per-service retention times when rotating/vacuuming |
1170 | - journald: make use of uid-range.h to managed uid ranges to split | |
1171 | journals in. | |
1172 | - journalctl: add the ability to look for the most recent process of a binary. journalctl /usr/bin/X11 --pid=-1 or so... | |
1173 | - improve journalctl performance by loading journal files | |
1174 | lazily. Encode just enough information in the file name, so that we | |
1175 | do not have to open it to know that it is not interesting for us, for | |
1176 | the most common operations. | |
e25b5a8d | 1177 | - man: document that corrupted journal files is nothing to act on |
e25b5a8d DH |
1178 | - rework journald sigbus stuff to use mutex |
1179 | - Set RLIMIT_NPROC for systemd-journal-xyz, and all other of our | |
1180 | services that run under their own user ids, and use User= (but only | |
1181 | in a world where userns is ubiquitous since otherwise we cannot | |
1182 | invoke those daemons on the host AND in a container anymore). Also, | |
1183 | if LimitNPROC= is used without User= we should warn and refuse | |
1184 | operation. | |
1185 | - journalctl --verify: don't show files that are currently being | |
1186 | written to as FAIL, but instead show that their are being written to. | |
1187 | - add journalctl -H that talks via ssh to a remote peer and passes through | |
1188 | binary logs data | |
e25b5a8d | 1189 | - add a version of --merge which also merges /var/log/journal/remote |
e25b5a8d DH |
1190 | - journalctl: -m should access container journals directly by enumerating |
1191 | them via machined, and also watch containers coming and going. | |
1192 | Benefit: nspawn --ephemeral would start working nicely with the journal. | |
1193 | - assign MESSAGE_ID to log messages about failed services | |
06847d0f | 1194 | - check if loop in decompress_blob_xz() is necessary |
b44be3ec | 1195 | |
07eabc2b LB |
1196 | * journald: support RFC3164 fully for the incoming syslog transport, see |
1197 | https://github.com/systemd/systemd/issues/19251#issuecomment-816601955 | |
1198 | ||
1199 | * Hook up journald's FSS logic with TPM2: seal the verification disk by | |
1200 | time-based policy, so that the verification key can remain on host and ve | |
1201 | validated via TPM. | |
1202 | ||
1203 | * build short web pages out of each catalog entry, build them along with man | |
1204 | pages, and include hyperlinks to them in the journal output | |
1205 | ||
1206 | * journald: do journal file writing out-of-process, with one writer process per | |
1207 | client UID, so that synthetic hash table collisions can slow down a specific | |
1208 | user's journal stream down but not the others. | |
1209 | ||
1210 | * tweak journald context caching. In addition to caching per-process attributes | |
1211 | keyed by PID, cache per-cgroup attributes (i.e. the various xattrs we read) | |
1212 | keyed by cgroup path, and guarded by ctime changes. This should provide us | |
1213 | with a nice speed-up on services that have many processes running in the same | |
1214 | cgroup. | |
1215 | ||
1216 | * maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for | |
1217 | the sd-journal logging socket, and, if the timeout is set to 0, sets | |
1218 | O_NONBLOCK on it. That way people can control if and when to block for | |
1219 | logging. | |
1220 | ||
1221 | * journalctl: make sure -f ends when the container indicated by -M terminates | |
1222 | ||
1223 | * journald: sigbus API via a signal-handler safe function that people may call | |
1224 | from the SIGBUS handler | |
1225 | ||
590171d1 ZJS |
1226 | * add a test if all entries in the catalog are properly formatted. |
1227 | (Adding dashes in a catalog entry currently results in the catalog entry | |
1228 | being silently skipped. journalctl --update-catalog must warn about this, | |
1229 | and we should also have a unit test to check that all our message are OK.) | |
1230 | ||
07eabc2b LB |
1231 | * homed: |
1232 | - when user tries to log into record signed by unrecognized key, automatically add key to our chain after polkit auth | |
1233 | - rollback when resize fails mid-operation | |
1234 | - GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid) | |
1235 | - resize on login? | |
1236 | - shrink fs on logout? | |
1237 | - update LUKS password on login if we find there's a password that unlocks the JSON record but not the LUKS device. | |
1238 | - create on activate? | |
1239 | - properties: icon url?, preferred session type?, administrator bool (which translates to 'wheel' membership)?, address?, telephone?, vcard?, samba stuff?, parental controls? | |
1240 | - communicate clearly when usb stick is safe to remove. probably involves | |
1241 | beefing up logind to make pam session close hook synchronous and wait until | |
1242 | systemd --user is shut down. | |
1243 | - logind: maybe keep a "busy fd" as long as there's a non-released session around or the user@.service | |
1244 | - maybe make automatic, read-only, time-based reflink-copies of LUKS disk | |
1245 | images (and btrfs snapshots of subvolumes) (think: time machine) | |
1246 | - distinguish destroy / remove (i.e. currently we can unregister a user, unregister+remove their home directory, but not just remove their home directory) | |
1247 | - in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl set-linger" mode work | |
1248 | - fingerprint authentication, pattern authentication, … | |
1249 | - make sure "classic" user records can also be managed by homed | |
1250 | - make size of $XDG_RUNTIME_DIR configurable in user record | |
1251 | - query password from kernel keyring first | |
1252 | - update even if record is "absent" | |
1253 | - add a "access mode" + "fstype" field to the "status" section of json identity records reflecting the actually used access mode and fstype, even on non-luks backends | |
1254 | - move acct mgmt stuff from pam_systemd_home to pam_systemd? | |
1255 | - when "homectl --pkcs11-token-uri=" is used, synthesize ssh-authorized-keys records for all keys we have private keys on the stick for | |
1256 | - make slice for users configurable (requires logind rework) | |
1257 | - logind: populate auto-login list bus property from PKCS#11 token | |
1258 | - when determining state of a LUKS home directory, check DM suspended sysfs file | |
1259 | - introduce API for "making room", that grows/shrinks home directory | |
1260 | according to elastic parameters, discards blocks, and removes additional snapshots. Call it | |
1261 | either from UI when disk space gets low | |
a11e7c0b LB |
1262 | - when homed is in use, maybe start the user session manager in a mount namespace with MS_SLAVE, |
1263 | so that mounts propagate down but not up - eg, user A setting up a backup volume | |
1264 | doesn't mean user B sees it | |
9c53de8b LP |
1265 | - use credentials logic/TPM2 logic to store homed signing key |
1266 | - during login resize fs automatically towards size goal. Specifically, | |
1267 | resize to diskSize if possible, but leave a certain amount (configured by a | |
1268 | new value diskLeaveFreeSize) of space free on the backing fs. | |
1269 | - permit multiple user record signing keys to be used locally, and pick | |
1270 | the right one for signing records automatically depending on a pre-existing | |
1271 | signature | |
1272 | - add a way to "adopt" a home directory, i.e. strip foreign signatures | |
1273 | and insert a local signature instead. | |
1274 | - as an extension to the directory+subvolume backend: if located on | |
1275 | especially marked fs, then sync down password into LUKS header of that fs, | |
1276 | and always verify passwords against it too. Bootstrapping is a problem | |
1277 | though: if no one is logged in (or no other user even exists yet), how do you | |
1278 | unlock the volume in order to create the first user and add the first pw. | |
1279 | - support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt | |
1280 | - maybe pre-create ~/.cache as subvol so that it can have separate quota | |
1281 | easily? | |
9c53de8b LP |
1282 | - add a switch to homectl (maybe called --first-boot) where it will check if |
1283 | any non-system users exist, and if not prompts interactively for basic user | |
1284 | info, mimicking systemd-firstboot. Then, place this in a service that runs | |
1285 | after systemd-homed, but before gdm and friends, as a simple, barebones | |
1286 | fallback logic to get a regular user created on uninitialized systems. | |
1287 | - store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with | |
1288 | systemd-cryptsetup, so that it can unlock homed volumes | |
07eabc2b | 1289 | |
07eabc2b LB |
1290 | * add a new switch --auto-definitions=yes/no or so to systemd-repart. If |
1291 | specified, synthesize a definition automatically if we can: enlarge last | |
1292 | partition on disk, but only if it is marked for growing and not read-only. | |
1293 | ||
1294 | * systemd-repart: read LUKS encryption key from $CREDENTIALS_PATH | |
1295 | ||
1296 | * systemd-repart: add a switch to factory reset the partition table without | |
1297 | immediately applying the new configuration again. i.e. --factory-reset=leave | |
1298 | or so. (this is useful to factory reset an image, then putting it into | |
1299 | another machine, ensuring that luks key is generated on new machine, not old) | |
1300 | ||
1301 | * systemd-repart: support setting up dm-integrity with HMAC | |
1302 | ||
1303 | * systemd-repart: maybe remove half-initialized image on failure. It fails | |
1304 | if the output file exists, so a repeated invocation will usually fail if | |
1305 | something goes wrong on the way. | |
1306 | ||
1307 | * systemd-repart: drop pager mode on normal operation? | |
1308 | ||
1309 | * systemd-repart: by default generate minimized partition tables (i.e. tables | |
1310 | that only cover the space actually used, excluding any free space at the | |
1311 | end), in order to maximize dd'ability. Requires libfdisk work, see | |
1312 | https://github.com/karelzak/util-linux/issues/907 | |
1313 | ||
1314 | * systemd-repart: MBR partition table support. Care needs to be taken regarding | |
1315 | Type=, so that partition definitions can sanely apply to both the GPT and the | |
1316 | MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types | |
1317 | for the two partition types explicitly. And provide an internal mapping so | |
1318 | that "Type=linux-generic" maps to the right types for both partition tables | |
1319 | automatically. | |
1320 | ||
1321 | * systemd-repart: allow sizing partitions as factor of available RAM, so that | |
1322 | we can reasonably size swap partitions for hibernation. | |
1323 | ||
1324 | * systemd-repart: allow boolean option that ensures that if existing partition | |
1325 | doesn't exist within the configured size bounds the whole command fails. This | |
1326 | is useful to implement ESP vs. XBOOTLDR schemes in installers: have one set | |
1327 | of repart files for the case where ESP is large enough and one where it isn't | |
1328 | and XBOOTLDR is added in instead. Then apply the former first, and if it | |
1329 | fails to apply use the latter. | |
1330 | ||
1331 | * systemd-repart: add per-partition option to never reuse existing partition | |
1332 | and always create anew even if matching partition already exists. | |
1333 | ||
1334 | * systemd-repart: add per-partition option to fail if partition already exist, | |
1335 | i.e. is not added new. Similar, add option to fail if partition does not exist yet. | |
1336 | ||
1337 | * systemd-repart: allow disabling growing of specific partitions, or making | |
1338 | them (think ESP: we don't ever want to grow it, since we cannot resize vfat) | |
1339 | ||
1340 | * systemd-repart: make it a static checker during early boot for existence and | |
1341 | absence of other partitions for trusted boot environments | |
1342 | ||
b44be3ec | 1343 | * document: |
8b8f2591 | 1344 | - document that deps in [Unit] sections ignore Alias= fields in |
b44be3ec LP |
1345 | [Install] units of other units, unless those units are disabled |
1346 | - man: clarify that time-sync.target is not only sysv compat but also useful otherwise. Same for similar targets | |
b44be3ec | 1347 | - document that service reload may be implemented as service reexec |
f38afcd0 LP |
1348 | - add a man page containing packaging guidelines and recommending usage of things like Documentation=, PrivateTmp=, PrivateNetwork= and ReadOnlyDirectories=/etc /usr. |
1349 | - document systemd-journal-flush.service properly | |
f38afcd0 LP |
1350 | - documentation: recommend to connect the timer units of a service to the service via Also= in [Install] |
1351 | - man: document the very specific env the shutdown drop-in tools live in | |
5cf821ac ZJS |
1352 | - man: add more examples to man pages, |
1353 | - in particular an example how to do the equivalent of switching runlevels | |
f38afcd0 | 1354 | - man: maybe sort directives in man pages, and take sections from --help and apply them to man too |
17ec531f | 1355 | - document root=gpt-auto properly |
b44be3ec LP |
1356 | |
1357 | * systemctl: | |
b44be3ec LP |
1358 | - add systemctl switch to dump transaction without executing it |
1359 | - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done | |
1360 | - "systemctl disable" on a static unit prints no message and does | |
1361 | nothing. "systemctl enable" does nothing, and gives a bad message | |
1362 | about it. Should fix both to print nice actionable messages. | |
1363 | - print nice message from systemctl --failed if there are no entries shown, and hook that into ExecStartPre of rescue.service/emergency.service | |
1364 | - add new command to systemctl: "systemctl system-reexec" which reexecs as many daemons as virtually possible | |
d28315e4 | 1365 | - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards? |
b44be3ec | 1366 | - systemctl: "Journal has been rotated since unit was started." message is misleading |
61233823 | 1367 | - systemctl status output should include list of triggering units and their status |
f38afcd0 | 1368 | |
07eabc2b LB |
1369 | * introduce an option (or replacement) for "systemctl show" that outputs all |
1370 | properties as JSON, similar to busctl's new JSON output. In contrast to that | |
1371 | it should skip the variant type string though. | |
8b04b925 | 1372 | |
07eabc2b LB |
1373 | * add an explicit "vertical" mode to format-table, so that "systemctl |
1374 | status"-like outputs (i.e. with a series of field names left and values | |
1375 | right) become genuine first class citizens, and we gain automatic, sane JSON | |
1376 | output for them. | |
d2e83c23 | 1377 | |
07eabc2b LB |
1378 | * Add a "systemctl list-units --by-slice" mode or so, which rearranges the |
1379 | output of "systemctl list-units" slightly by showing the tree structure of | |
1380 | the slices, and the units attached to them. | |
a19554ed | 1381 | |
07eabc2b LB |
1382 | * add "systemctl wait" or so, which does what "systemd-run --wait" does, but |
1383 | for all units. It should be both a way to pin units into memory as well as a | |
1384 | wait to retrieve their exit data. | |
a7a3f28b | 1385 | |
07eabc2b LB |
1386 | * show whether a service has out-of-date configuration in "systemctl status" by |
1387 | using mtime data of ConfigurationDirectory=. | |
08f95888 | 1388 | |
07eabc2b LB |
1389 | * "systemctl preset-all" should probably order the unit files it |
1390 | operates on lexicographically before starting to work, in order to | |
1391 | ensure deterministic behaviour if two unit files conflict (like DMs | |
1392 | do, for example) | |
dcfc4b2e | 1393 | |
07eabc2b LB |
1394 | * add "systemctl start -v foobar.service" that shows logs of a service |
1395 | while the start command runs. This is non-trivial to do without | |
1396 | races though, since we should flush out all journal messages before | |
1397 | returning from the "systemctl stop". | |
71ef24d0 | 1398 | |
07eabc2b LB |
1399 | * systemctl: if some operation fails, show log output? |
1400 | ||
1401 | * Add a new verb "systemctl top" | |
1402 | ||
1403 | * unit install: | |
1404 | - "systemctl mask" should find all names by which a unit is accessible | |
1405 | (i.e. by scanning for symlinks to it) and link them all to /dev/null | |
1b89884b | 1406 | |
b44be3ec | 1407 | * nspawn: |
e25b5a8d DH |
1408 | - emulate /dev/kmsg using CUSE and turn off the syslog syscall |
1409 | with seccomp. That should provide us with a useful log buffer that | |
1410 | systemd can log to during early boot, and disconnect container logs | |
1411 | from the kernel's logs. | |
1412 | - as soon as networkd has a bus interface, hook up --network-interface=, | |
1413 | --network-bridge= with networkd, to trigger netdev creation should an | |
1414 | interface be missing | |
e25b5a8d DH |
1415 | - a nice way to boot up without machine id set, so that it is set at boot |
1416 | automatically for supporting --ephemeral. Maybe hash the host machine id | |
1417 | together with the machine name to generate the machine id for the container | |
1418 | - fix logic always print a final newline on output. | |
1419 | https://github.com/systemd/systemd/pull/272#issuecomment-113153176 | |
1420 | - should optionally support receiving WATCHDOG=1 messages from its payload | |
1421 | PID 1... | |
e25b5a8d DH |
1422 | - optionally automatically add FORWARD rules to iptables whenever nspawn is |
1423 | running, remove them when shut down. | |
e25b5a8d | 1424 | |
07eabc2b LB |
1425 | * nspawn: make --bind= work sanely with --private-users when uid mapping mounts |
1426 | are used. | |
1427 | ||
1428 | * nspawn: add support for sysext extensions, too. i.e. a new --extension= | |
1429 | switch that takes one or more arguments, and applies the extensions already | |
1430 | during startup. | |
1431 | ||
1432 | * when main nspawn supervisor process gets suspended due to SIGSTOP/SIGTTOU or | |
1433 | so, freeze the payload too. | |
1434 | ||
1435 | * machined: add API to acquire UID range. add API to mount/dissect loopback | |
1436 | file. Both protected by PK. Then make nspawn use these APIs to run | |
1437 | unprivileged containers. i.e. push the truly privileged bits into machined, | |
1438 | so that the client side can remain entirely unprivileged, with SUID or | |
1439 | anything like that. | |
1440 | ||
1441 | * nspawn: support time namespaces | |
1442 | ||
1443 | * nspawn: on cgroupsv1 issue cgroup empty handler process based on host events, | |
1444 | so that we make cgroup agent logic safe | |
1445 | ||
1446 | * nspawn/machined: add API to invoke binary in container, then use that as | |
1447 | fallback in "machinectl shell" | |
1448 | ||
1449 | * nspawn: make nspawn suitable for shell pipelines: instead of triggering a | |
1450 | hangup when input is finished, send ^D, which synthesizes an EOF. Then wait | |
1451 | for hangup or ^D before passing on the EOF. | |
1452 | ||
1453 | * nspawn: greater control over selinux label? | |
1454 | ||
1455 | * nspawn: support that /proc, /sys/, /dev are pre-mounted | |
1456 | ||
e25b5a8d | 1457 | * machined: |
e25b5a8d DH |
1458 | - add an API so that libvirt-lxc can inform us about network interfaces being |
1459 | removed or added to an existing machine | |
1460 | - "machinectl migrate" or similar to copy a container from or to a | |
1461 | difference host, via ssh | |
e25b5a8d DH |
1462 | - introduce systemd-nspawn-ephemeral@.service, and hook it into |
1463 | "machinectl start" with a new --ephemeral switch | |
1464 | - "machinectl status" should also show internal logs of the container in | |
1465 | question | |
e25b5a8d DH |
1466 | - "machinectl history" |
1467 | - "machinectl diff" | |
1468 | - "machinectl commit" that takes a writable snapshot of a tree, invokes a | |
1469 | shell in it, and marks it read-only after use | |
1470 | ||
abd55b16 | 1471 | * udev: |
abd55b16 | 1472 | - move to LGPL |
abd55b16 KS |
1473 | - kill scsi_id |
1474 | - add trigger --subsystem-match=usb/usb_device device | |
e8d842a0 | 1475 | - reimport udev db after MOVE events for devices without dev_t |
b8217b7b | 1476 | |
e25b5a8d DH |
1477 | * coredump: |
1478 | - save coredump in Windows/Mozilla minidump format | |
73a99163 | 1479 | - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps |
87a8baa3 LP |
1480 | |
1481 | * support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting) | |
1482 | ||
f38afcd0 | 1483 | * tmpfiles: |
f38afcd0 | 1484 | - apply "x" on "D" too (see patch from William Douglas) |
614cc34f | 1485 | - instead of ignoring unknown fields, reject them. |
e25b5a8d DH |
1486 | - creating new directories/subvolumes/fifos/device nodes |
1487 | should not follow symlinks. None of the other adjustment or creation | |
1488 | calls follow symlinks. | |
36f57e02 | 1489 | - add --test mode |
ba405b22 ZJS |
1490 | - teach tmpfiles.d q/Q logic something sensible in the context of XFS/ext4 |
1491 | project quota | |
1258097c | 1492 | |
af6f0d42 TG |
1493 | * udev-link-config: |
1494 | - Make sure ID_PATH is always exported and complete for | |
1495 | network devices where possible, so we can safely rely | |
1496 | on Path= matching | |
af6f0d42 | 1497 | |
88e4d1d7 | 1498 | * sd-rtnl: |
88e4d1d7 | 1499 | - add support for more attribute types |
c589a0e6 | 1500 | - inbuilt piping support (essentially degenerate async)? see loopback-setup.c and other places |
88e4d1d7 | 1501 | |
0a4b9a07 | 1502 | * networkd: |
c74ecd71 TG |
1503 | - add more keys to [Route] and [Address] sections |
1504 | - add support for more DHCPv4 options (and, longer term, other kinds of dynamic config) | |
e8d842a0 | 1505 | - add reduced [Link] support to .network files |
798e174a | 1506 | - properly handle routerless dhcp leases |
a8eaaee7 | 1507 | - work with non-Ethernet devices |
e25b5a8d | 1508 | - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from? |
e25b5a8d DH |
1509 | - the DHCP lease data (such as NTP/DNS) is still made available when |
1510 | a carrier is lost on a link. It should be removed instantly. | |
1511 | - expose in the API the following bits: | |
e2da6491 | 1512 | - option 15, domain name |
38b38500 | 1513 | - option 12, hostname and/or option 81, fqdn |
e25b5a8d DH |
1514 | - option 123, 144, geolocation |
1515 | - option 252, configure http proxy (PAC/wpad) | |
1516 | - provide a way to define a per-network interface default metric value | |
1517 | for all routes to it. possibly a second default for DHCP routes. | |
1518 | - allow Name= to be specified repeatedly in the [Match] section. Maybe also | |
1519 | support Name=foo*|bar*|baz ? | |
e25b5a8d | 1520 | - whenever uplink info changes, make DHCP server send out FORCERENEW |
155e8b9a | 1521 | |
07eabc2b LB |
1522 | * in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us |
1523 | ||
d5e172d2 ZJS |
1524 | * Figure out how to do unittests of networkd's state serialization |
1525 | ||
ac976532 | 1526 | * dhcp: |
424a8732 | 1527 | - figure out how much we can increase Maximum Message Size |
ac976532 | 1528 | |
37d8b536 PF |
1529 | * dhcp6: |
1530 | - add functions to set previously stored IPv6 addresses on startup and get | |
1531 | them at shutdown; store them in client->ia_na | |
1532 | - write more test cases | |
37d8b536 | 1533 | - implement reconfigure support, see 5.3., 15.11. and 22.20. |
37d8b536 | 1534 | - implement support for temporary adressess (IA_TA) |
37d8b536 PF |
1535 | - implement dhcpv6 authentication |
1536 | - investigate the usefulness of Confirm messages; i.e. are there any | |
1537 | situations where the link changes without any loss in carrier detection | |
1538 | or interface down | |
1539 | - some servers don't do rapid commit without a filled in IA_NA, verify | |
1540 | this behavior | |
4a77c53d | 1541 | - RouteTable= ? |