Merge pull request #22761 from poettering/pcr-fix

[thirdparty/systemd.git] / NEWS

systemd System and Service Manager

CHANGES WITH 251:
        * Incompatibility and Regression note:
          In v250, the feature that automatically configures routes to addresses
          specified in AllowedIPs= was added and enabled by default. However,
          this feature causes network connectivity issues on many existing
          setups. Hence, this is disabled by default since v250.3. The feature
          can still be used by explicitly configuring RouteTable= setting in
          .netdev files.

        * Jobs started via StartUnitWithFlags() will no longer return 'skipped'
          when a Condition*= check does not succeed, restoring the JobRemoved
          signal to the behaviour it had before v250.

        * The org.freedesktop.portable1 methods GetMetadataWithExtensions and
          GetImageMetadataWithExtensions have been fixed to provide an extra return
          parameter, containing the actual extensions release metadata. The
          current implementation was judged to be broken and unusable, and thus
          the usual procedure of adding a new set of methods is skipped, opting
          for breaking backward compatibility instead, as nobody should be
          affected, given the state of the current interface.

        * Service monitor environment variables will only be passed to
          OnFailure=/OnSuccess= handlers if exactly one unit lists the handler
          unit as OnFailure=/OnSuccess=.  Therefore, $MONITOR_METADATA is no
          longer used, and instead separate variables are used:
          $MONITOR_SERVICE_RESULT, $MONITOR_EXIT_CODE, $MONITOR_EXIT_STATUS,
          $MONITOR_INVOCATION_ID and $MONITOR_UNIT.  For cases when a single
          handler needs to watch multiple units, use a templated handler.

        * kernel-install's and bootctl's Boot Loader Specification Type #1
          entry generation logic has been reworked. The user may now pick
          explicitly by which "token" string to name the installation's boot
          entries, through the new /etc/kernel/entry-token file or the new
          --entry-token= switch to bootctl. By default — as before — the
          entries are named after the local machine ID. However, in "golden
          image" environments, where the machine ID shall be initialized on
          first boot (as opposed to at installation time before first boot) the
          machine ID is not be available at build time to name the entry
          after. In this case the the --entry-token= switch to bootctl (or the
          /etc/kernel/entry-token file) may be used to override the "token" to
          identify the entry by, and use another ID, for example the IMAGE_ID=
          or ID= fields from /etc/os-release. This will make the OS images
          independent of any machine ID, and ensure that the images will not
          carry any identifiable information before first boot, but on the
          other hand means that multiple parallel installations of the very
          same image on the same disk cannot be supported. Summary: if you are
          building golden images that shall acquire identity information
          exclusively on first boot, make sure to both remove /etc/machine-id
          *and* to write /etc/kernel/entry-token to the value of the IMAGE_ID
          or ID field of /etc/os-release or another suitable identifier before
          deploying the image.

        * sd-boot gained a new *experimental* setting "reboot-for-bitlocker" in
          loader.conf that implements booting Microsoft Windows from the
          sd-boot in a way that first reboots the system, to reset the TPM
          PCRs. This improves compatibility with BitLocker's TPM use, as the
          PCRs will only record the Windows boot process, and not sd-boot
          itself, thus retaining the PCR measurements not involving
          sd-boot. Note that this feature is experimental for now, and is
          likely going to be generalized, renamed and removed in its current
          form in a future release, without retaining compatibility with its
          current implementation.

        * The --make-machine-id-directory= switch to bootctl has been replaced
          by --make-entry-directory=, given that the entry directory is not
          necessarily named after the machine ID, but after some other suitable
          ID as selected via --entry-token= described above. The old name of
          the option is still understood to maximize compatibility.

        * Services with Restart=always and a failing ExecCondition= will no longer
          be restarted, to bring ExecCondition= in line with Condition*= settings.

        * Starting with v250 systemd-homed uses UID/GID mapping on the mounts
          of activated home directories it manages (if the kernel and selected
          file systems support it). So far it mapped three UID ranges: the
          range from 0…60000, the user's own UID, and the range 60514…65534,
          leaving everything else unmapped (in other words, the 16bit UID range
          is mapped almost fully, with the exception of the UID subrange used
          for systemd-homed users, with one exception from that: the user's own
          UID). Unmapped UIDs may not be used for file ownership in the home
          directory — any chown() attempts with them will fail. With this
          release a fourth range is added to these mappings:
          524288…1879048191. This range is the UID range intended for container
          uses, see:

                  https://systemd.io/UIDS-GIDS

          This range may be used for container managers that place container OS
          trees in the home directory (which is a questionable approach, for
          quota, permission, SUID handling and network file system
          compatibility reasons, but nonetheless apparently commonplace). Note
          that this mapping is mapped 1:1 in a pass-through fashion, i.e. the
          UID assignments from the range are not managed or mapped by
          `systemd-homed`, and must be managed with other mechanisms, in the
          context of the local system.

          Typically, a better approach to user namespacing in relevant
          container managers would be to leave container OS trees on disk at
          UID offset 0, but then map them to a dynamically allocated runtime
          UID range via another UID mount map at container invocation
          time. That way user namespace UID ranges become strictly a runtime
          concept, and do not leak into persistent file systems, persistent
          user databases or persistent configuration, thus greatly simplifying
          handling, and improving compatibility with home directories intended
          to be portable like the ones managed by systemd-homed.

        * All kernels supported by systemd mix RDRAND (or similar) into the
          entropy pool at early boot. This means that on those systems, even
          if /dev/urandom is not yet initialized, it still returns bytes that
          that are at least as high quality as RDRAND. For that reason, we no
          longer have reason to invoke RDRAND from systemd itself, which has
          historically been a source of bugs. Furthermore, kernels ≥5.6 provide
          the getrandom(GRND_INSECURE) interface for returning random bytes
          before the entropy pool is initialized without warning into kmsg,
          which is what we attempt to use if available. By removing systemd's
          direct usage of RDRAND, x86 systems ≥Broadwell that are running an
          older kernel may experience kmsg warnings that were not seen with
          250. For newer kernels, non-x86 systems, or older x86 systems,
          there should be no visible changes.

        * sd-boot will now measure the kernel command line into TPM PCR 12
          rather than PCR 8. This improves usefulness of the measurements on
          sytems where sd-boot is chainloaded from Grub. Grub measures all
          commands its executes into PCR 8, which makes it very hard to use
          reasonably, hence separate ourselves from that and use PCR 12
          instead, which is already what certain Ubuntu editions use it for. To
          retain compatibility with systems running older systemd systems a new
          Meson option 'efi-tpm-pcr-compat' has been added (which defaults to
          false). If enabled, the measurement is done twice: into the new-style
          PCR 12 *and* the old-style PCR 8. It's strongly advised to migrate
          all users to PCR 12 for this purpose in the long run, as we intend to
          remove this compatibility feature again in two year's time.

CHANGES WITH 250:

        * Support for encrypted and authenticated credentials has been added.
          This extends the credential logic introduced with v247 to support
          non-interactive symmetric encryption and authentication, based on a
          key that is stored on the /var/ file system or in the TPM2 chip (if
          available), or the combination of both (by default if a TPM2 chip
          exists the combination is used, otherwise the /var/ key only). The
          credentials are automatically decrypted at the moment a service is
          started, and are made accessible to the service itself in unencrypted
          form. A new tool 'systemd-creds' encrypts credentials for this
          purpose, and two new service file settings LoadCredentialEncrypted=
          and SetCredentialEncrypted= configure such credentials.

          This feature is useful to store sensitive material such as SSL
          certificates, passwords and similar securely at rest and only decrypt
          them when needed, and in a way that is tied to the local OS
          installation or hardware.

        * systemd-gpt-auto-generator can now automatically set up discoverable
          LUKS2 encrypted swap partitions.

        * The GPT Discoverable Partitions Specification has been substantially
          extended with support for root and /usr/ partitions for the majority
          of architectures systemd supports. This includes platforms that do
          not natively support UEFI, because even though GPT is specified under
          UEFI umbrella, it is useful on other systems too. Specifically,
          systemd-nspawn, systemd-sysext, systemd-gpt-auto-generator and
          Portable Services use the concept without requiring UEFI.

        * The GPT Discoverable Partitions Specifications has been extended with
          a new set of partitions that may carry PKCS#7 signatures for Verity
          partitions, encoded in a simple JSON format. This implements a simple
          mechanism for building disk images that are fully authenticated and
          can be tested against a set of cryptographic certificates. This is
          now implemented for the various systemd tools that can operate with
          disk images, such as systemd-nspawn, systemd-sysext, systemd-dissect,
          Portable services/RootImage=, systemd-tmpfiles, and systemd-sysusers.
          The PKCS#7 signatures are passed to the kernel (where they are
          checked against certificates from the kernel keyring), or can be
          verified against certificates provided in userspace (via a simple
          drop-in file mechanism).

        * systemd-dissect's inspection logic will now report for which uses a
          disk image is intended. Specifically, it will display whether an
          image is suitable for booting on UEFI or in a container (using
          systemd-nspawn's --image= switch), whether it can be used as portable
          service, or attached as system extension.

        * The system-extension.d/ drop-in files now support a new field
          SYSEXT_SCOPE= that may encode which purpose a system extension image
          is for: one of "initrd", "system" or "portable". This is useful to
          make images more self-descriptive, and to ensure system extensions
          cannot be attached in the wrong contexts.

        * The os-release file learnt a new PORTABLE_PREFIXES= field which may
          be used in portable service images to indicate which unit prefixes
          are supported.

        * The GPT image dissection logic in systemd-nspawn/systemd-dissect/…
          now is able to decode images for non-native architectures as well.
          This allows systemd-nspawn to boot images of non-native architectures
          if the corresponding user mode emulator is installed and
          systemd-binfmtd is running.

        * systemd-logind gained new settings HandlePowerKeyLongPress=,
          HandleRebootKeyLongPress=, HandleSuspendKeyLongPress= and
          HandleHibernateKeyLongPress= which may be used to configure actions
          when the relevant keys are pressed for more than 5s. This is useful
          on devices that only have hardware for a subset of these keys. By
          default, if the reboot key is pressed long the poweroff operation is
          now triggered, and when the suspend key is pressed long the hibernate
          operation is triggered. Long pressing the other two keys currently
          does not trigger any operation by default.

        * When showing unit status updates on the console during boot and
          shutdown, and a service is slow to start so that the cylon animation
          is shown, the most recent sd_notify() STATUS= text is now shown as
          well. Services may use this to make the boot/shutdown output easier
          to understand, and to indicate what precisely a service that is slow
          to start or stop is waiting for. In particular, the per-user service
          manager instance now reports what it is doing and which service it is
          waiting for this way to the system service manager.

        * The service manager will now re-execute on reception of the
          SIGRTMIN+25 signal. It previously already did that on SIGTERM — but
          only when running as PID 1. There was no signal to request this when
          running as per-user service manager, i.e. as any other PID than 1.
          SIGRTMIN+25 works for both system and user managers.

        * The hardware watchdog logic in PID 1 gained support for operating
          with the default timeout configured in the hardware, instead of
          insisting on re-configuring it. Set RuntimeWatchdogSec=default to
          request this behavior.

        * A new kernel command line option systemd.watchdog_sec= is now
          understood which may be used to override the hardware watchdog
          time-out for the boot.

        * A new setting DefaultOOMScoreAdjust= is now supported in
          /etc/systemd/system.conf + /etc/systemd/user.conf that may be used to
          set the default process OOM score adjustment value for processes
          forked off the service manager. For per-user service managers this
          now defaults to 100, but for per-system service managers is left as
          is. This means that by default now services forked off the user
          service manager are more likely to be killed by the OOM killer than
          system services or the managers themselves.

        * A new per-service setting RestrictFileSystems= as been added that
          restricts the file systems a service has access to by their type.
          This is based on the new BPF LSM of the Linux kernel. It provides an
          effective way to make certain API file systems unavailable to
          services (and thus minimizing attack surface). A new command
          "systemd-analyze filesystems" has been added that lists all known
          file system types (and how they are grouped together under useful
          group handles).

        * Services now support a new setting RestrictNetworkInterfaces= for
          restricting access to specific network interfaces.

        * Service unit files gained new settings StartupAllowedCPUs= and
          StartupAllowedMemoryNodes=. These are similar to their counterparts
          without the "Startup" prefix and apply during the boot process
          only. This is useful to improve boot-time behavior of the system and
          assign resources differently during boot than during regular
          runtime. This is similar to the preexisting StartupCPUWeight=
          vs. CPUWeight.

        * Related to this: the various StartupXYZ= settings
          (i.e. StartupCPUWeight=, StartupAllowedCPUs=, …) are now also applied
          during shutdown. The settings not prefixed with "Startup" hence apply
          during regular runtime, and those that are prefixed like that apply
          during boot and shutdown.

        * A new per-unit set of conditions/asserts
          [Condition|Assert][Memory|CPU|IO]Pressure= have been added to make a
          unit skip/fail activation if the system's (or a slice's) memory/cpu/io
          pressure is above the configured threshold, using the kernel PSI
          feature. For more details see systemd.unit(5) and
          https://www.kernel.org/doc/html/latest/accounting/psi.html

        * The combination of ProcSubset=pid and ProtectKernelTunables=yes and/or
          ProtectKernelLogs=yes can now be used.

        * The default maximum numbers of inodes have been raised from 64k to 1M
          for /dev/, and from 400k to 1M for /tmp/.

        * The per-user service manager learnt support for communicating with
          systemd-oomd to acquire OOM kill information.

        * A new service setting ExecSearchPath= has been added that allows
          changing the search path for executables for services. It affects
          where we look for the binaries specified in ExecStart= and similar,
          and the specified directories are also added the $PATH environment
          variable passed to invoked processes.

        * A new setting RuntimeRandomizedExtraSec= has been added for service
          and scope units that allows extending the runtime time-out as
          configured by RuntimeMaxSec= with a randomized amount.

        * The syntax of the service unit settings RuntimeDirectory=,
          StateDirectory=, CacheDirectory=, LogsDirectory= has been extended:
          if the specified value is now suffixed with a colon, followed by
          another filename, the latter will be created as symbolic link to the
          specified directory. This allows creating these service directories
          together with alias symlinks to make them available under multiple
          names.

        * Service unit files gained two new settings TTYRows=/TTYColumns= for
          configuring rows/columns of the TTY device passed to
          stdin/stdout/stderr of the service. This is useful to propagate TTY
          dimensions to a virtual machine.

        * A new service unit file setting ExitType= has been added that
          specifies when to assume a service has exited. By default systemd
          only watches the main process of a service. By setting
          ExitType=cgroup it can be told to wait for the last process in a
          cgroup instead.

        * Automount unit files gained a new setting ExtraOptions= that can be
          used to configure additional mount options to pass to the kernel when
          mounting the autofs instance.

        * "Urlification" (generation of ESC sequences that generate clickable
          hyperlinks in modern terminals) may now be turned off altogether
          during build-time.

        * Path units gained new TriggerLimitBurst= and TriggerLimitIntervalSec=
          settings that default to 200 and 2 s respectively. The ratelimit
          ensures that a path unit cannot cause PID1 to busy-loop when it is
          trying to trigger a service that is skipped because of a Condition*=
          not being satisfied. This matches the configuration and behaviour of
          socket units.

        * The TPM2/FIDO2/PKCS11 support in systemd-cryptsetup is now also built
          as a plug-in for cryptsetup. This means the plain cryptsetup command
          may now be used to unlock volumes set up this way.

        * The TPM2 logic in cryptsetup will now automatically detect systems
          where the TPM2 chip advertises SHA256 PCR banks but the firmware only
          updates the SHA1 banks. In such a case PCR policies will be
          automatically bound to the latter, not the former. This makes the PCR
          policies reliable, but of course do not provide the same level of
          trust as SHA256 banks.

        * The TPM2 logic in systemd-cryptsetup/systemd-cryptsetup now supports
          RSA primary keys in addition to ECC, improving compatibility with
          TPM2 chips that do not support ECC. RSA keys are much slower to use
          than ECC, and hence are only used if ECC is not available.

        * /etc/crypttab gained support for a new token-timeout= setting for
          encrypted volumes that allows configuration of the maximum time to
          wait for PKCS#11/FIDO2 tokens to be plugged in. If the time elapses
          the logic will query the user for a regular passphrase/recovery key
          instead.

        * Support for activating dm-integrity volumes at boot via a new file
          /etc/integritytab and the tool systemd-integritysetup have been
          added. This is similar to /etc/crypttab and /etc/veritytab, but deals
          with dm-integrity instead of dm-crypt/dm-verity.

        * The systemd-veritysetup-generator now understands a new usrhash=
          kernel command line option for specifying the Verity root hash for
          the partition backing the /usr/ file system. A matching set of
          systemd.verity_usr_* kernel command line options has been added as
          well. These all work similar to the corresponding options for the
          root partition.

        * The sd-device API gained a new API call sd_device_get_diskseq() to
          return the DISKSEQ property of a device structure. The "disk
          sequence" concept is a new feature recently introduced to the Linux
          kernel that allows detecting reuse cycles of block devices, i.e. can
          be used to recognize when loopback block devices are reused for a
          different purpose or CD-ROM drives get their media changed.

        * A new unit systemd-boot-update.service has been added. If enabled
          (the default) and the sd-boot loader is detected to be installed, it
          is automatically updated to the newest version when out of date. This
          is useful to ensure the boot loader remains up-to-date, and updates
          automatically propagate from the OS tree in /usr/.

        * sd-boot will now build with SBAT by default in order to facilitate
          working with recent versions of Shim that require it to be present.

        * sd-boot can now parse Microsoft Windows' Boot Configuration Data.
          This is used to robustly generate boot entry titles for Windows.

        * A new generic target unit factory-reset.target has been added. It is
          hooked into systemd-logind similar in fashion to
          reboot/poweroff/suspend/hibernate, and is supposed to be used to
          initiate a factory reset operation. What precisely this operation
          entails is up for the implementer to decide, the primary goal of the
          new unit is provide a framework where to plug in the implementation
          and how to trigger it.

        * A new meson build-time option 'clock-valid-range-usec-max' has been
          added which takes a time in µs and defaults to 15 years. If the RTC
          time is noticed to be more than the specified time ahead of the
          built-in epoch of systemd (which by default is the release timestamp
          of systemd) it is assumed that the RTC is not working correctly, and
          the RTC is reset to the epoch. (It already is reset to the epoch when
          noticed to be before it.) This should increase the chance that time
          doesn't accidentally jump too far ahead due to faulty hardware or
          batteries.

        * A new setting SaveIntervalSec= has been added to systemd-timesyncd,
          which may be used to automatically save the current system time to
          disk in regular intervals. This is useful to maintain a roughly
          monotonic clock even without RTC hardware and with some robustness
          against abnormal system shutdown.

        * systemd-analyze verify gained support for a pair of new --image= +
          --root= switches for verifying units below a specific root
          directory/image instead of on the host.

        * systemd-analyze verify gained support for verifying unit files under
          an explicitly specified unit name, independently of what the filename
          actually is.

        * systemd-analyze verify gained a new switch --recursive-errors= which
          controls whether to only fail on errors found in the specified units
          or recursively any dependent units.

        * systemd-analyze security now supports a new --offline mode for
          analyzing unit files stored on disk instead of loaded units. It may
          be combined with --root=/--image to analyze unit files under a root
          directory or disk image. It also learnt a new --threshold= parameter
          for specifying an exposure level threshold: if the exposure level
          exceeds the specified value the call will fail. It also gained a new
          --security-policy= switch for configuring security policies to
          enforce on the units. A policy is a JSON file that lists which tests
          shall be weighted how much to determine the overall exposure
          level. Altogether these new features are useful for fully automatic
          analysis and enforcement of security policies on unit files.

        * systemd-analyze security gain a new --json= switch for JSON output.

        * systemd-analyze learnt a new --quiet switch for reducing
          non-essential output. It's honored by the "dot", "syscall-filter",
          "filesystems" commands.

        * systemd-analyze security gained a --profile= option that can be used
          to take into account a portable profile when analyzing portable
          services, since a lot of the security-related settings are enabled
          through them.

        * systemd-analyze learnt a new inspect-elf verb that parses ELF core
          files, binaries and executables and prints metadata information,
          including the build-id and other info described on:
          https://systemd.io/COREDUMP_PACKAGE_METADATA/

        * .network files gained a new UplinkInterface= in the [IPv6SendRA]
          section, for automatically propagating DNS settings from other
          interfaces.

        * The static lease DHCP server logic in systemd-networkd may now serve
          IP addresses outside of the configured IP pool range for the server.

        * CAN support in systemd-networkd gained four new settings Loopback=,
          OneShot=, PresumeAck=, ClassicDataLengthCode= for tweaking CAN
          control modes. It gained a number of further settings for tweaking
          CAN timing quanta.

        * The [CAN] section in .network file gained new TimeQuantaNSec=,
          PropagationSegment=, PhaseBufferSegment1=, PhaseBufferSegment2=,
          SyncJumpWidth=, DataTimeQuantaNSec=, DataPropagationSegment=,
          DataPhaseBufferSegment1=, DataPhaseBufferSegment2=, and
          DataSyncJumpWidth= settings to control bit-timing processed by the
          CAN interface.

        * DHCPv4 client support in systemd-networkd learnt a new Label= option
          for configuring the address label to apply to configure IPv4
          addresses.

        * The [IPv6AcceptRA] section of .network files gained support for a new
          UseMTU= setting that may be used to control whether to apply the
          announced MTU settings to the local interface.

        * The [DHCPv4] section in .network file gained a new Use6RD= boolean
          setting to control whether the DHCPv4 client request and process the
          DHCP 6RD option.

        * The [DHCPv6PrefixDelegation] section in .network file is renamed to
          [DHCPPrefixDelegation], as now the prefix delegation is also supported
          with DHCPv4 protocol by enabling the Use6RD= setting.

        * The [DHCPPrefixDelegation] section in .network file gained a new
          setting UplinkInterface= to specify the upstream interface.

        * The [DHCPv6] section in .network file gained a new setting
          UseDelegatedPrefix= to control whether the delegated prefixes will be
          propagated to the downstream interfaces.

        * The [IPv6AcceptRA] section of .network files now understands two new
          settings UseGateway=/UseRoutePrefix= for explicitly configuring
          whether to use the relevant fields from the IPv6 Router Advertisement
          records.

        * The ForceDHCPv6PDOtherInformation= setting in the [DHCPv6] section
          has been removed. Please use the WithoutRA= and UseDelegatedPrefix=
          settings in the [DHCPv6] section and the DHCPv6Client= setting in the
          [IPv6AcceptRA] section to control when the DHCPv6 client is started
          and how the delegated prefixes are handled by the DHCPv6 client.

        * The IPv6Token= section in the [Network] section is deprecated, and
          the [IPv6AcceptRA] section gained the Token= setting for its
          replacement. The [IPv6Prefix] section also gained the Token= setting.
          The Token= setting gained 'eui64' mode to explicitly configure an
          address with the EUI64 algorithm based on the interface MAC address.
          The 'prefixstable' mode can now optionally take a secret key. The
          Token= setting in the [DHCPPrefixDelegation] section now supports all
          algorithms supported by the same settings in the other sections.

        * The [RoutingPolicyRule] section of .network file gained a new
          SuppressInterfaceGroup= setting.

        * The IgnoreCarrierLoss= setting in the [Network] section of .network
          files now allows a duration to be specified, controlling how long to
          wait before reacting to carrier loss.

        * The [DHCPServer] section of .network file gained a new Router=
          setting to specify the router address.

        * The [CAKE] section of .network files gained various new settings
          AutoRateIngress=, CompensationMode=, FlowIsolationMode=, NAT=,
          MPUBytes=, PriorityQueueingPreset=, FirewallMark=, Wash=, SplitGSO=,
          and UseRawPacketSize= for configuring CAKE.

        * systemd-networkd now ships with new default .network files:
          80-container-vb.network which matches host-side network bridge device
          created by systemd-nspawn's --network-bridge or --network-zone
          switch, and 80-6rd-tunnel.network which matches automatically created
          sit tunnel with 6rd prefix when the DHCP 6RD option is received.

        * systemd-networkd's handling of Endpoint= resolution for WireGuard
          interfaces has been improved.

        * systemd-networkd will now automatically configure routes to addresses
          specified in AllowedIPs=. This feature can be controlled via
          RouteTable= and RouteMetric= settings in [WireGuard] or
          [WireGuardPeer] sections.

        * systemd-networkd will now once again automatically generate persistent
          MAC addresses for batadv and bridge interfaces. Users can disable this
          by using MACAddress=none in .netdev files.

        * systemd-networkd and systemd-udevd now support IP over InfiniBand
          interfaces. The Kind= setting in .netdev file accepts "ipoib". And
          systemd.netdev files gained the [IPoIB] section.

        * systemd-networkd and systemd-udevd now support net.ifname-policy=
          option on the kernel command-line. This is implemented through the
          systemd-network-generator service that automatically generates
          appropriate .link, .network, and .netdev files.

        * The various systemd-udevd "ethtool" buffer settings now understand
          the special value "max" to configure the buffers to the maximum the
          hardware supports.

        * systemd-udevd's .link files may now configure a large variety of
          NIC coalescing settings, plus more hardware offload settings.

        * .link files gained a new WakeOnLanPassword= setting in the [Link]
          section that allows to specify a WoL "SecureOn" password on hardware
          that supports this.

        * systemd-nspawn's --setenv= switch now supports an additional syntax:
          if only a variable name is specified (i.e. without being suffixed by
          a '=' character and a value) the current value of the environment
          variable is propagated to the container. e.g. --setenv=FOO will
          lookup the current value of $FOO in the environment, and pass it down
          to the container. Similar behavior has been added to homectl's,
          machinectl's and systemd-run's --setenv= switch.

        * systemd-nspawn gained a new switch --suppress-sync= which may be used
          to optionally suppress the effect of the sync()/fsync()/fdatasync()
          system calls for the container payload. This is useful for build
          system environments where safety against abnormal system shutdown is
          not essential as all build artifacts can be regenerated any time, but
          the performance win is beneficial.

        * systemd-nspawn will now raise the RLIMIT_NOFILE hard limit to the
          same value that PID 1 uses for most forked off processes.

        * systemd-nspawn's --bind=/--bind-ro= switches now optionally take
          uidmap/nouidmap options as last parameter. If "uidmap" is used the
          bind mounts are created with UID mapping taking place that ensures
          the host's file ownerships are mapped 1:1 to container file
          ownerships, even if user namespacing is used. This way
          files/directories bound into containers will no longer show up as
          owned by the nobody user as they typically did if no special care was
          taken to shift them manually.

        * When discovering Windows installations sd-boot will now attempt to
          show the Windows version.

        * The color scheme to use in sd-boot may now be configured at
          build-time.

        * sd-boot gained the ability to change screen resolution during
          boot-time, by hitting the "r" key. This will cycle through available
          resolutions and save the last selection.

        * sd-boot learnt a new hotkey "f". When pressed the system will enter
          firmware setup. This is useful in environments where it is difficult
          to hit the right keys early enough to enter the firmware, and works
          on any firmware regardless which key it natively uses.

        * sd-boot gained support for automatically booting into the menu item
          selected on the last boot (using the "@saved" identifier for menu
          items).

        * sd-boot gained support for automatically loading all EFI drivers
          placed in the /EFI/systemd/drivers/ subdirectory of the EFI System
          Partition (ESP). These drivers are loaded before the menu entries are
          loaded. This is useful e.g. to load additional file system drivers
          for the XBOOTLDR partition.

        * systemd-boot will now paint the input cursor on its own instead of
          relying on the firmware to do so, increasing compatibility with broken
          firmware that doesn't make the cursor reasonably visible.

        * sd-boot now embeds a .osrel PE section like we expect from Boot
          Loader Specification Type #2 Unified Kernels. This means sd-boot
          itself may be used in place of a Type #2 Unified Kernel. This is
          useful for debugging purposes as it allows chain-loading one a
          (development) sd-boot instance from another.

        * sd-boot now supports a new "devicetree" field in Boot Loader
          Specification Type #1 entries: if configured the specified device
          tree file is installed before the kernel is invoked. This is useful
          for installing/applying new devicetree files without updating the
          kernel image.

        * Similarly, sd-stub now can read devicetree data from a PE section
          ".dtb" and apply it before invoking the kernel.

        * sd-stub (the EFI stub that can be glued in front of a Linux kernel)
          gained the ability to pick up credentials and sysext files, wrap them
          in a cpio archive, and pass as an additional initrd to the invoked
          Linux kernel, in effect placing those files in the /.extra/ directory
          of the initrd environment. This is useful to implement trusted initrd
          environments which are fully authenticated but still can be extended
          (via sysexts) and parameterized (via encrypted/authenticated
          credentials, see above).

          Credentials can be located next to the kernel image file (credentials
          specific to a single boot entry), or in one of the shared directories
          (credentials applicable to multiple boot entries).

        * sd-stub now comes with a full man page, that explains its feature set
          and how to combine a kernel image, an initrd and the stub to build a
          complete EFI unified kernel image, implementing Boot Loader
          Specification Type #2.

        * sd-stub may now provide the initrd to the executed kernel via the
          LINUX_EFI_INITRD_MEDIA_GUID EFI protocol, adding compatibility for
          non-x86 architectures.

        * bootctl learnt new set-timeout and set-timeout-oneshot commands that
          may be used to set the boot menu time-out of the boot loader (for all
          or just the subsequent boot).

        * bootctl and kernel-install will now read KERNEL_INSTALL_MACHINE_ID
          and KERNEL_INSTALL_LAYOUT from kernel/install.conf. The first
          variable specifies the machine-id to use for installation. It would
          previously be used if set in the environment, and now it'll also be
          read automatically from the config file. The second variable is new.
          When set, it specifies the layout to use for installation directories
          on the boot partition, so that tools don't need to guess it based on
          the already-existing directories. The only value that is defined
          natively is "bls", corresponding to the layout specified in
          https://systemd.io/BOOT_LOADER_SPECIFICATION/. Plugins for
          kernel-install that implement a different layout can declare other
          values for this variable.

          'bootctl install' will now write KERNEL_INSTALL_LAYOUT=bls, on the
          assumption that if the user installed sd-boot to the ESP, they intend
          to use the entry layout understood by sd-boot. It'll also write
          KERNEL_INSTALL_MACHINE_ID= if it creates any directories using the ID
          (and it wasn't specified in the config file yet). Similarly,
          kernel-install will now write KERNEL_INSTALL_MACHINE_ID= (if it
          wasn't specified in the config file yet). Effectively, those changes
          mean that the machine-id used for boot loader entry installation is
          "frozen" upon first use and becomes independent of the actual
          machine-id.

          Configuring KERNEL_INSTALL_MACHINE_ID fixes the following problem:
          images created for distribution ("golden images") are built with no
          machine-id, so that a unique machine-id can be created on the first
          boot. But those images may contain boot loader entries with the
          machine-id used during build included in paths. Using a "frozen"
          value allows unambiguously identifying entries that match the
          specific installation, while still permitting parallel installations
          without conflict.

          Configuring KERNEL_INSTALL_LAYOUT obviates the need for
          kernel-install to guess the installation layout. This fixes the
          problem where a (possibly empty) directory in the boot partition is
          created from a different layout causing kernel-install plugins to
          assume the wrong layout. A particular example of how this may happen
          is the grub2 package in Fedora which includes directories under /boot
          directly in its file list. Various other packages pull in grub2 as a
          dependency, so it may be installed even if unused, breaking
          installations that use the bls layout.

        * bootctl and systemd-bless-boot can now be linked statically.

        * systemd-sysext now optionally doesn't insist on extension-release.d/
          files being placed in the image under the image's file name. If the
          file system xattr user.extension-release.strict is set on the
          extension release file, it is accepted regardless of its name. This
          relaxes security restrictions a bit, as system extension may be
          attached under a wrong name this way.

        * udevadm's test-builtin command learnt a new --action= switch for
          testing the built-in with the specified action (in place of the
          default 'add').

        * udevadm info gained new switches --property=/--value for showing only
          specific udev properties/values instead of all.

        * A new hwdb database has been added that contains matches for various
          types of signal analyzers (protocol analyzers, logic analyzers,
          oscilloscopes, multimeters, bench power supplies, etc.) that should
          be accessible to regular users.

        * A new hwdb database entry has been added that carries information
          about types of cameras (regular or infrared), and in which direction
          they point (front or back).

        * A new rule to allow console users access to rfkill by default has been
          added to hwdb.

        * Device nodes for the Software Guard eXtension enclaves (sgx_vepc) are
          now also owned by the system group "sgx".

        * A new build-time meson option "extra-net-naming-schemes=" has been
          added to define additional naming schemes schemes for udev's network
          interface naming logic. This is useful for enterprise distributions
          and similar which want to pin the schemes of certain distribution
          releases under a specific name and previously had to patch the
          sources to introduce new named schemes.

        * The predictable naming logic for network interfaces has been extended
          to generate stable names from Xen netfront device information.

        * hostnamed's chassis property can now be sourced from chassis-type
          field encoded in devicetree (in addition to the existing DMI
          support).

        * systemd-cgls now optionally displays cgroup IDs and extended
          attributes for each cgroup. (Controllable via the new --xattr= +
          --cgroup-id= switches.)

        * coredumpctl gained a new --all switch for operating on all
          Journal files instead of just the local ones.

        * systemd-coredump will now use libdw/libelf via dlopen() rather than
          directly linking, allowing users to easily opt-out of backtrace/metadata
          analysis of core files, and reduce image sizes when this is not needed.

        * systemd-coredump will now analyze core files with libdw/libelf in a
          forked, sandboxed process.

        * systemd-homed will now try to unmount an activate home area in
          regular intervals once the user logged out fully. Previously this was
          attempted exactly once but if the home directory was busy for some
          reason it was not tried again.

        * systemd-homed's LUKS2 home area backend will now create a BSD file
          system lock on the image file while the home area is active
          (i.e. mounted). If a home area is found to be locked, logins are
          politely refused. This should improve behavior when using home areas
          images that are accessible via the network from multiple clients, and
          reduce the chance of accidental file system corruption in that case.

        * Optionally, systemd-homed will now drop the kernel buffer cache once
          a user has fully logged out, configurable via the new --drop-caches=
          homectl switch.

        * systemd-homed now makes use of UID mapped mounts for the home areas.
          If the kernel and used file system support it, files are now
          internally owned by the "nobody" user (i.e. the user typically used
          for indicating "this ownership is not mapped"), and dynamically
          mapped to the UID used locally on the system via the UID mapping
          mount logic of recent kernels. This makes migrating home areas
          between different systems cheaper because recursively chown()ing file
          system trees is no longer necessary.

        * systemd-homed's CIFS backend now optionally supports CIFS service
          names with a directory suffix, in order to place home directories in
          a subdirectory of a CIFS share, instead of the top-level directory.

        * systemd-homed's CIFS backend gained support for specifying additional
          mount options in the JSON user record (cifsExtraMountOptions field,
          and --cifs-extra-mount-options= homectl switch). This is for example
          useful for configuring mount options such as "noserverino" that some
          SMB3 services require (use that to run a homed home directory from a
          FritzBox SMB3 share this way).

        * systemd-homed will now default to btrfs' zstd compression for home
          areas. This is inspired by Fedora's recent decision to switch to zstd
          by default.

        * Additional mount options to use when mounting the file system of
          LUKS2 volumes in systemd-homed has been added. Via the
          $SYSTEMD_HOME_MOUNT_OPTIONS_BTRFS, $SYSTEMD_HOME_MOUNT_OPTIONS_EXT4,
          $SYSTEMD_HOME_MOUNT_OPTIONS_XFS environment variables to
          systemd-homed or via the luksExtraMountOptions user record JSON
          property. (Exposed via homectl --luks-extra-mount-options)

        * homectl's resize command now takes the special size specifications
          "min" and "max" to shrink/grow the home area to the minimum/maximum
          size possible, taking disk usage/space constraints and file system
          limitations into account. Resizing is now generally graceful: the
          logic will try to get as close to the specified size as possible, but
          not consider it a failure if the request couldn't be fulfilled
          precisely.

        * systemd-homed gained the ability to automatically shrink home areas
          on logout to their minimal size and grow them again on next
          login. This ensures that while inactive, a home area only takes up
          the minimal space necessary, but once activated, it provides
          sufficient space for the user's needs. This behavior is only
          supported if btrfs is used as file system inside the home area
          (because only for btrfs online growing/shrinking is implemented in
          the kernel). This behavior is now enabled by default, but may be
          controlled via the new --auto-resize-mode= setting of homectl.

        * systemd-homed gained support for automatically re-balancing free disk
          space among active home areas, in case the LUKS2 backends are used,
          and no explicit disk size was requested. This way disk space is
          automatically managed and home areas resized in regular intervals and
          manual resizing when disk space becomes scarce should not be
          necessary anymore. This behavior is only supported if btrfs is used
          within the home areas (as only then online shrinking and growing is
          supported), and may be configured via the new rebalanceWeight JSON
          user record field (as exposed via the new --rebalance-weight= homectl
          setting). Re-balancing is mostly automatic, but can also be requested
          explicitly via "homectl rebalance", which is synchronous, and thus
          may be used to wait until the rebalance run is complete.

        * userdbctl gained a --json= switch for configured the JSON formatting
          to use when outputting user or group records.

        * userdbctl gained a new --multiplexer= switch for explicitly
          configuring whether to use the systemd-userdbd server side user
          record resolution logic.

        * userdbctl's ssh-authorized-keys command learnt a new --chain switch,
          for chaining up another command to execute after completing the
          look-up. Since the OpenSSH's AuthorizedKeysCommand only allows
          configuration of a single command to invoke, this maybe used to
          invoke multiple: first userdbctl's own implementation, and then any
          other also configured in the command line.

        * The sd-event API gained a new function sd_event_add_inotify_fd() that
          is similar to sd_event_add_inotify() but accepts a file descriptor
          instead of a path in the file system for referencing the inode to
          watch.

        * The sd-event API gained a new function
          sd_event_source_set_ratelimit_expire_callback() that may be used to
          define a callback function that is called whenever an event source
          leaves the rate limiting phase.

        * New documentation has been added explaining which steps are necessary
          to port systemd to a new architecture:

          https://systemd.io/PORTING_TO_NEW_ARCHITECTURES

        * The x-systemd.makefs option in /etc/fstab now explicitly supports
          ext2, ext3, and f2fs file systems.

        * Mount units and units generated from /etc/fstab entries with 'noauto'
          are now ordered the same as other units. Effectively, they will be
          started earlier (if something actually pulled them in) and stopped
          later, similarly to normal mount units that are part of
          fs-local.target. This change should be invisible to users, but
          should prevent those units from being stopped too early during
          shutdown.

        * The systemd-getty-generator now honors a new kernel command line
          argument systemd.getty_auto= and a new environment variable
          $SYSTEMD_GETTY_AUTO that allows turning it off at boot. This is for
          example useful to turn off gettys inside of containers or similar
          environments.

        * systemd-resolved now listens on a second DNS stub address: 127.0.0.54
          (in addition to 127.0.0.53, as before). If DNS requests are sent to
          this address they are propagated in "bypass" mode only, i.e. are
          almost not processed locally, but mostly forwarded as-is to the
          current upstream DNS servers. This provides a stable DNS server
          address that proxies all requests dynamically to the right upstream
          DNS servers even if these dynamically change. This stub does not do
          mDNS/LLMNR resolution. However, it will translate look-ups to
          DNS-over-TLS if necessary. This new stub is particularly useful in
          container/VM environments, or for tethering setups: use DNAT to
          redirect traffic to any IP address to this stub.

        * systemd-importd now honors new environment variables
          $SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA,
          $SYSTEMD_IMPORT_SYNC, which may be used disable btrfs subvolume
          generation, btrfs quota setup and disk synchronization.

        * systemd-importd and systemd-resolved can now be optionally built with
          OpenSSL instead of libgcrypt.

        * systemd-repart no longer requires OpenSSL.

        * systemd-sysusers will no longer create the redundant 'nobody' group
          by default, as the 'nobody' user is already created with an
          appropriate primary group.

        * If a unit uses RuntimeMaxSec, systemctl show will now display it.

        * systemctl show-environment gained support for --output=json.

        * pam_systemd will now first try to use the X11 abstract socket, and
          fallback to the socket file in /tmp/.X11-unix/ only if that does not
          work.

        * systemd-journald will no longer go back to volatile storage
          regardless of configuration when its unit is restarted.

        * Initial support for the LoongArch architecture has been added (system
          call lists, GPT partition table UUIDs, etc).

        * systemd-journald's own logging messages are now also logged to the
          journal itself when systemd-journald logs to /dev/kmsg.

        * systemd-journald now re-enables COW for archived journal files on
          filesystems that support COW. One benefit of this change is that
          archived journal files will now get compressed on btrfs filesystems
          that have compression enabled.

        * systemd-journald now deduplicates fields in a single log message
          before adding it to the journal. In archived journal files, it will
          also punch holes for unused parts and truncate the file as
          appropriate, leading to reductions in disk usage.

        * journalctl --verify was extended with more informative error
          messages.

        * More of sd-journal's functions are now resistant against journal file
          corruption.

        * The shutdown command learnt a new option --show, to display the
          scheduled shutdown.

        * A LICENSES/ directory is now included in the git tree. It contains a
          README.md file that explains the licenses used by source files in
          this repository.  It also contains the text of all applicable
          licenses as they appear on spdx.org.

        Contributions from: Aakash Singh, acsfer, Adolfo Jayme Barrientos,
        Adrian Vovk, Albert Brox, Alberto Mardegan, Alexander Kanavin,
        alexlzhu, Alfonso Sánchez-Beato, Alvin Šipraga, Alyssa Ross,
        Amir Omidi, Anatol Pomozov, Andika Triwidada, Andreas Rammhold,
        Andreas Valder, Andrej Lajovic, Andrew Soutar, Andrew Stone, Andy Chi,
        Anita Zhang, Anssi Hannula, Antonio Alvarez Feijoo,
        Antony Deepak Thomas, Arnaud Ferraris, Arvid E. Picciani,
        Bastien Nocera, Benjamin Berg, Benjamin Herrenschmidt, Ben Stockett,
        Bogdan Seniuc, Boqun Feng, Carl Lei, chlorophyll-zz, Chris Packham,
        Christian Brauner, Christian Göttsche, Christian Wehrli,
        Christoph Anton Mitterer, Cristian Rodríguez, Daan De Meyer,
        Daniel Maixner, Dann Frazier, Dan Streetman, Davide Cavalca,
        David Seifert, David Tardon, dependabot[bot], Dimitri John Ledkov,
        Dimitri Papadopoulos, Dimitry Ishenko, Dmitry Khlebnikov,
        Dominique Martinet, duament, Egor, Egor Ignatov, Emil Renner Berthing,
        Emily Gonyer, Ettore Atalan, Evgeny Vereshchagin, Florian Klink,
        Franck Bui, Frantisek Sumsal, Geass-LL, Gibeom Gwon, GnunuX,
        Gogo Gogsi, gregzuro, Greg Zuro, Gustavo Costa, Hans de Goede,
        Hela Basa, Henri Chain, hikigaya58, Hugo Carvalho,
        Hugo Osvaldo Barrera, Iago Lopez Galeiras, Iago López Galeiras,
        I-dont-need-name, igo95862, Jack Dähn, James Hilliard, Jan Janssen,
        Jan Kuparinen, Jan Macku, Jan Palus, Jarkko Sakkinen, Jayce Fayne,
        jiangchuangang, jlempen, John Lindgren, Jonas Dreßler, Jonas Jelten,
        Jonas Witschel, Joris Hartog, José Expósito, Julia Kartseva,
        Kai-Heng Feng, Kai Wohlfahrt, Kay Siver Bø, KennthStailey,
        Kevin Kuehler, Kevin Orr, Khem Raj, Kristian Klausen, Kyle Laker,
        lainahai, LaserEyess, Lennart Poettering, Lia Lenckowski, longpanda,
        Luca Boccassi, Luca BRUNO, Ludwig Nussel, Lukas Senionis,
        Maanya Goenka, Maciek Borzecki, Marcel Menzel, Marco Scardovi,
        Marcus Harrison, Mark Boudreau, Matthijs van Duin, Mauricio Vásquez,
        Maxime de Roucy, Max Resch, MertsA, Michael Biebl, Michael Catanzaro,
        Michal Koutný, Michal Sekletár, Miika Karanki, Mike Gilbert,
        Milo Turner, ml, monosans, Nacho Barrientos, nassir90, Nishal Kulkarni,
        nl6720, Ondrej Kozina, Paulo Neves, Pavel Březina, pedro martelletto,
        Peter Hutterer, Peter Morrow, Piotr Drąg, Rasmus Villemoes, ratijas,
        Raul Tambre, rene, Riccardo Schirone, Robert-L-Turner, Robert Scheck,
        Ross Jennings, saikat0511, Scott Lamb, Scott Worley,
        Sergei Trofimovich, Sho Iizuka, Slava Bacherikov, Slimane Selyan Amiri,
        StefanBruens, Steven Siloti, svonohr, Taiki Sugawara, Takashi Sakamoto,
        Takuro Onoue, Thomas Blume, Thomas Haller, Thomas Mühlbacher,
        Tianlu Shao, Toke Høiland-Jørgensen, Tom Yan, Tony Asleson,
        Topi Miettinen, Ulrich Ölmann, Urs Ritzmann, Vincent Bernat,
        Vito Caputo, Vladimir Panteleev, WANG Xuerui, Wind/owZ, Wu Xiaotian,
        xdavidwu, Xiaotian Wu, xujing, yangmingtai, Yao Wei, Yao Wei (魏銘廷),
        Yegor Alexeyev, Yu Watanabe, Zbigniew Jędrzejewski-Szmek,
        Дамјан Георгиевски, наб

        — Warsaw, 2021-12-23

CHANGES WITH 249:

        * When operating on disk images via the --image= switch of various
          tools (such as systemd-nspawn or systemd-dissect), or when udev finds
          no 'root=' parameter on the kernel command line, and multiple
          suitable root or /usr/ partitions exist in the image, then a simple
          comparison inspired by strverscmp() is done on the GPT partition
          label, and the newest partition is picked. This permits a simple and
          generic whole-file-system A/B update logic where new operating system
          versions are dropped into partitions whose label is then updated with
          a matching version identifier.

        * systemd-sysusers now supports querying the passwords to set for the
          users it creates via the "credentials" logic introduced in v247: the
          passwd.hashed-password.<user> and passwd.plaintext-password.<user>
          credentials are consulted for the password to use (either in UNIX
          hashed form, or literally). By default these credentials are inherited
          down from PID1 (which in turn imports it from a container manager if
          there is one). This permits easy configuration of user passwords
          during first boot. Example:

          # systemd-nspawn -i foo.raw --volatile=yes --set-credential=passwd.plaintext-password.root:foo

          Note that systemd-sysusers operates in purely additive mode: it
          executes no operation if the declared users already exist, and hence
          doesn't set any passwords as effect of the command line above if the
          specified root user exists already in the image. (Note that
          --volatile=yes ensures it doesn't, though.)

        * systemd-firstboot now also supports querying various system
          parameters via the credential subsystems. Thus, as above this may be
          used to initialize important system parameters on first boot of
          previously unprovisioned images (i.e. images with a mostly empty
          /etc/).

        * PID 1 may now show both the unit name and the unit description
          strings in its status output during boot. This may be configured with
          StatusUnitFormat=combined in system.conf or
          systemd.status-unit-format=combined on the kernel command line.

        * The systemd-machine-id-setup tool now supports a --image= switch for
          provisioning a machine ID file into an OS disk image, similar to how
          --root= operates on an OS file tree. This matches the existing switch
          of the same name for systemd-tmpfiles, systemd-firstboot, and
          systemd-sysusers tools.

        * Similarly, systemd-repart gained support for the --image= switch too.
          In combination with the existing --size= option, this makes the tool
          particularly useful for easily growing disk images in a single
          invocation, following the declarative rules included in the image
          itself.

        * systemd-repart's partition configuration files gained support for a
          new switch MakeDirectories= which may be used to create arbitrary
          directories inside file systems that are created, before registering
          them in the partition table. This is useful in particular for root
          partitions to create mount point directories for other partitions
          included in the image. For example, a disk image that contains a
          root, /home/, and /var/ partitions, may set MakeDirectories=yes to
          create /home/ and /var/ as empty directories in the root file system
          on its creation, so that the resulting image can be mounted
          immediately, even in read-only mode.

        * systemd-repart's CopyBlocks= setting gained support for the special
          value "auto". If used, a suitable matching partition on the booted OS
          is found as source to copy blocks from. This is useful when
          implementing replicating installers, that are booted from one medium
          and then stream their own root partition onto the target medium.

        * systemd-repart's partition configuration files gained support for a
          Flags=, a ReadOnly= and a NoAuto= setting, allowing control of these
          GPT partition flags for the created partitions: this is useful for
          marking newly created partitions as read-only, or as not being
          subject for automatic mounting from creation on.

        * The /etc/os-release file has been extended with two new (optional)
          variables IMAGE_VERSION= and IMAGE_ID=, carrying identity and version
          information for OS images that are updated comprehensively and
          atomically as one image. Two new specifiers %M, %A now resolve to
          these two fields in the various configuration options that resolve
          specifiers.

        * portablectl gained a new switch --extension= for enabling portable
          service images with extensions that follow the extension image
          concept introduced with v248, and thus allows layering multiple
          images when setting up the root filesystem of the service.

        * systemd-coredump will now extract ELF build-id information from
          processes dumping core and include it in the coredump report.
          Moreover, it will look for ELF .note.package sections with
          distribution packaging meta-information about the crashing process.
          This is useful to directly embed the rpm or deb (or any other)
          package name and version in ELF files, making it easy to match
          coredump reports with the specific package for which the software was
          compiled. This is particularly useful on environments with ELF files
          from multiple vendors, different distributions and versions, as is
          common today in our containerized and sand-boxed world. For further
          information, see:

          https://systemd.io/COREDUMP_PACKAGE_METADATA

        * A new udev hardware database has been added for FireWire devices
          (IEEE 1394).

        * The "net_id" built-in of udev has been updated with three
          backwards-incompatible changes:

          - PCI hotplug slot names on s390 systems are now parsed as
            hexadecimal numbers. They were incorrectly parsed as decimal
            previously, or ignored if the name was not a valid decimal
            number.

          - PCI onboard indices up to 65535 are allowed. Previously, numbers
            above 16383 were rejected. This primarily impacts s390 systems,
            where values up to 65535 are used.

          - Invalid characters in interface names are replaced with "_".

          The new version of the net naming scheme is "v249". The previous
          scheme can be selected via the "net.naming-scheme=v247" kernel
          command line parameter.

        * sd-bus' sd_bus_is_ready() and sd_bus_is_open() calls now accept a
          NULL bus object, for which they will return false. Or in other words,
          an unallocated bus connection is neither ready nor open.

        * The sd-device API acquired a new API function
          sd_device_get_usec_initialized() that returns the monotonic time when
          the udev device first appeared in the database.

        * sd-device gained a new APIs sd_device_trigger_with_uuid() and
          sd_device_get_trigger_uuid(). The former is similar to
          sd_device_trigger() but returns a randomly generated UUID that is
          associated with the synthetic uevent generated by the call. This UUID
          may be read from the sd_device object a monitor eventually receives,
          via the sd_device_get_trigger_uuid(). This interface requires kernel
          4.13 or above to work, and allows tracking a synthetic uevent through
          the entire device management stack. The "udevadm trigger --settle"
          logic has been updated to make use of this concept if available to
          wait precisely for the uevents it generates. "udevadm trigger" also
          gained a new parameter --uuid that prints the UUID for each generated
          uevent.

        * sd-device also gained new APIs sd_device_new_from_ifname() and
          sd_device_new_from_ifindex() for allocating an sd-device object for
          the specified network interface. The former accepts an interface name
          (either a primary or an alternative name), the latter an interface
          index.

        * The native Journal protocol has been documented. Clients may talk
          this as alternative to the classic BSD syslog protocol for locally
          delivering log records to the Journal. The protocol has been stable
          for a long time and in fact been implemented already in a variety
          of alternative client libraries. This documentation makes the support
          for that official:

          https://systemd.io/JOURNAL_NATIVE_PROTOCOL

        * A new BPFProgram= setting has been added to service files. It may be
          set to a path to a loaded kernel BPF program, i.e. a path to a bpffs
          file, or a bind mount or symlink to one. This may be used to upload
          and manage BPF programs externally and then hook arbitrary systemd
          services into them.

        * The "home.arpa" domain that has been officially declared as the
          choice for domain for local home networks per RFC 8375 has been added
          to the default NTA list of resolved, since DNSSEC is generally not
          available on private domains.

        * The CPUAffinity= setting of unit files now resolves "%" specifiers.

        * A new ManageForeignRoutingPolicyRules= setting has been added to
          .network files which may be used to exclude foreign-created routing
          policy rules from systemd-networkd management.

        * systemd-network-wait-online gained two new switches -4 and -6 that
          may be used to tweak whether to wait for only IPv4 or only IPv6
          connectivity.

        * .network files gained a new RequiredFamilyForOnline= setting to
          fine-tune whether to require an IPv4 or IPv6 address in order to
          consider an interface "online".

        * networkctl will now show an over-all "online" state in the per-link
          information.

        * In .network files a new OutgoingInterface= setting has been added to
          specify the output interface in bridge FDB setups.

        * In .network files the Multipath group ID may now be configured for
          [NextHop] entries, via the new Group= setting.

        * The DHCP server logic configured in .network files gained a new
          setting RelayTarget= that turns the server into a DHCP server relay.
          The RelayAgentCircuitId= and RelayAgentRemoteId= settings may be used
          to further tweak the DHCP relay behaviour.

        * The DHCP server logic also gained a new ServerAddress= setting in
          .network files that explicitly specifies the server IP address to
          use. If not specified, the address is determined automatically, as
          before.

        * The DHCP server logic in systemd-networkd gained support for static
          DHCP leases, configurable via the [DHCPServerStaticLease]
          section. This allows explicitly mapping specific MAC addresses to
          fixed IP addresses and vice versa.

        * The RestrictAddressFamilies= setting in service files now supports a
          new special value "none". If specified sockets of all address
          families will be made unavailable to services configured that way.

        * systemd-fstab-generator and systemd-repart have been updated to
          support booting from disks that carry only a /usr/ partition but no
          root partition yet, and where systemd-repart can add it in on the
          first boot. This is useful for implementing systems that ship with a
          single /usr/ file system, and whose root file system shall be set up
          and formatted on a LUKS-encrypted volume whose key is generated
          locally (and possibly enrolled in the TPM) during the first boot.

        * The [Address] section of .network files now accepts a new
          RouteMetric= setting that configures the routing metric to use for
          the prefix route created as effect of the address configuration.
          Similarly, the [DHCPv6PrefixDelegation] and [IPv6Prefix] sections
          gained matching settings for their prefix routes. (The option of the
          same name in the [DHCPv6] section is moved to [IPv6AcceptRA], since
          it conceptually belongs there; the old option is still understood for
          compatibility.)

        * The DHCPv6 IAID and DUID are now explicitly configurable in .network
          files.

        * A new udev property ID_NET_DHCP_BROADCAST on network interface
          devices is now honoured by systemd-networkd, controlling whether to
          issue DHCP offers via broadcasting. This is used to ensure that s390
          layer 3 network interfaces work out-of-the-box with systemd-networkd.

        * nss-myhostname and systemd-resolved will now synthesize address
          records for a new special hostname "_outbound". The name will always
          resolve to the local IP addresses most likely used for outbound
          connections towards the default routes. On multi-homed hosts this is
          useful to have a stable handle referring to "the" local IP address
          that matters most, to the point where this is defined.

        * The Discoverable Partition Specification has been updated with a new
          GPT partition flag "grow-file-system" defined for its partition
          types. Whenever partitions with this flag set are automatically
          mounted (i.e. via systemd-gpt-auto-generator or the --image= switch
          of systemd-nspawn or other tools; and as opposed to explicit mounting
          via /etc/fstab), the file system within the partition is
          automatically grown to the full size of the partition. If the file
          system size already matches the partition size this flag has no
          effect. Previously, this functionality has been available via the
          explicit x-systemd.growfs mount option, and this new flag extends
          this to automatically discovered mounts. A new GrowFileSystem=
          setting has been added to systemd-repart drop-in files that allows
          configuring this partition flag. This new flag defaults to on for
          partitions automatically created by systemd-repart, except if they
          are marked read-only. See the specification for further details:

          https://systemd.io/DISCOVERABLE_PARTITIONS

        * .network files gained a new setting RoutesToNTP= in the [DHCPv4]
          section. If enabled (which is the default), and an NTP server address
          is acquired through a DHCP lease on this interface an explicit route
          to this address is created on this interface to ensure that NTP
          traffic to the NTP server acquired on an interface is also routed
          through that interface. The pre-existing RoutesToDNS= setting that
          implements the same for DNS servers is now enabled by default.

        * A pair of service settings SocketBindAllow= + SocketBindDeny= have
          been added that may be used to restrict the network interfaces
          sockets created by the service may be bound to. This is implemented
          via BPF.

        * A new ConditionFirmware= setting has been added to unit files to
          conditionalize on certain firmware features. At the moment it may
          check whether running on an UEFI system, a device.tree system, or if
          the system is compatible with some specified device-tree feature.

        * A new ConditionOSRelease= setting has been added to unit files to
          check os-release(5) fields. The "=", "!=", "<", "<=", ">=", ">"
          operators may be used to check if some field has some specific value
          or do an alphanumerical comparison. Equality comparisons are useful
          for fields like ID, but relative comparisons for fields like
          VERSION_ID or IMAGE_VERSION.

        * hostnamed gained a new Describe() D-Bus method that returns a JSON
          serialization of the host data it exposes. This is exposed via
          "hostnamectl --json=" to acquire a host identity description in JSON.
          It's our intention to add a similar features to most services and
          objects systemd manages, in order to simplify integration with
          program code that can consume JSON.

        * Similarly, networkd gained a Describe() method on its Manager and
          Link bus objects. This is exposed via "networkctl --json=".

        * hostnamectl's various "get-xyz"/"set-xyz" verb pairs
          (e.g. "hostnamectl get-hostname", "hostnamectl "set-hostname") have
          been replaced by a single "xyz" verb (e.g. "hostnamectl hostname")
          that is used both to get the value (when no argument is given), and
          to set the value (when an argument is specified). The old names
          continue to be supported for compatibility.

        * systemd-detect-virt and ConditionVirtualization= are now able to
          correctly identify Amazon EC2 environments.

        * The LogLevelMax= setting of unit files now applies not only to log
          messages generated *by* the service, but also to log messages
          generated *about* the service by PID 1. To suppress logs concerning a
          specific service comprehensively, set this option to a high log
          level.

        * bootctl gained support for a new --make-machine-id-directory= switch
          that allows precise control on whether to create the top-level
          per-machine directory in the boot partition that typically contains
          Type 1 boot loader entries.

        * During build SBAT data to include in the systemd-boot EFI PE binaries
          may be specified now.

        * /etc/crypttab learnt a new option "headless". If specified any
          requests to query the user interactively for passwords or PINs will
          be skipped. This is useful on systems that are headless, i.e. where
          an interactive user is generally not present.

        * /etc/crypttab also learnt a new option "password-echo=" that allows
          configuring whether the encryption password prompt shall echo the
          typed password and if so, do so literally or via asterisks. (The
          default is the same behaviour as before: provide echo feedback via
          asterisks.)

        * FIDO2 support in systemd-cryptenroll/systemd-cryptsetup and
          systemd-homed has been updated to allow explicit configuration of the
          "user presence" and "user verification" checks, as well as whether a
          PIN is required for authentication, via the new switches
          --fido2-with-user-presence=, --fido2-with-user-verification=,
          --fido2-with-client-pin= to systemd-cryptenroll and homectl. Which
          features are available, and may be enabled or disabled depends on the
          used FIDO2 token.

        * systemd-nspawn's --private-user= switch now accepts the special value
          "identity" which configures a user namespacing environment with an
          identity mapping of 65535 UIDs. This means the container UID 0 is
          mapped to the host UID 0, and the UID 1 to host UID 1. On first look
          this doesn't appear to be useful, however it does reduce the attack
          surface a bit, since the resulting container will possess process
          capabilities only within its namespace and not on the host.

        * systemd-nspawn's --private-user-chown switch has been replaced by a
          more generic --private-user-ownership= switch that accepts one of
          three values: "chown" is equivalent to the old --private-user-chown,
          and "off" is equivalent to the absence of the old switch. The value
          "map" uses the new UID mapping mounts of Linux 5.12 to map ownership
          of files and directories of the underlying image to the chosen UID
          range for the container. "auto" is equivalent to "map" if UID mapping
          mount are supported, otherwise it is equivalent to "chown". The short
          -U switch systemd-nspawn now implies --private-user-ownership=auto
          instead of the old --private-user-chown. Effectively this means: if
          the backing file system supports UID mapping mounts the feature is
          now used by default if -U is used. Generally, it's a good idea to use
          UID mapping mounts instead of recursive chown()ing, since it allows
          running containers off immutable images (since no modifications of
          the images need to take place), and share images between multiple
          instances. Moreover, the recursive chown()ing operation is slow and
          can be avoided. Conceptually it's also a good thing if transient UID
          range uses do not leak into persistent file ownership anymore. TLDR:
          finally, the last major drawback of user namespacing has been
          removed, and -U should always be used (unless you use btrfs, where
          UID mapped mounts do not exist; or your container actually needs
          privileges on the host).

        * nss-systemd now synthesizes user and group shadow records in addition
          to the main user and group records. Thus, hashed passwords managed by
          systemd-homed are now accessible via the shadow database.

        * The userdb logic (and thus nss-systemd, and so on) now read
          additional user/group definitions in JSON format from the drop-in
          directories /etc/userdb/, /run/userdb/, /run/host/userdb/ and
          /usr/lib/userdb/. This is a simple and powerful mechanism for making
          additional users available to the system, with full integration into
          NSS including the shadow databases. Since the full JSON user/group
          record format is supported this may also be used to define users with
          resource management settings and other runtime settings that
          pam_systemd and systemd-logind enforce at login.

        * The userdbctl tool gained two new switches --with-dropin= and
          --with-varlink= which can be used to fine-tune the sources used for
          user database lookups.

        * systemd-nspawn gained a new switch --bind-user= for binding a host
          user account into the container. This does three things: the user's
          home directory is bind mounted from the host into the container,
          below the /run/userdb/home/ hierarchy. A free UID is picked in the
          container, and a user namespacing UID mapping to the host user's UID
          installed. And finally, a minimal JSON user and group record (along
          with its hashed password) is dropped into /run/host/userdb/. These
          records are picked up automatically by the userdb drop-in logic
          describe above, and allow the user to login with the same password as
          on the host. Effectively this means: if host and container run new
          enough systemd versions making a host user available to the container
          is trivially simple.

        * systemd-journal-gatewayd now supports the switches --user, --system,
          --merge, --file= that are equivalent to the same switches of
          journalctl, and permit exposing only the specified subset of the
          Journal records.

        * The OnFailure= dependency between units is now augmented with a
          implicit reverse dependency OnFailureOf= (this new dependency cannot
          be configured directly it's only created as effect of an OnFailure=
          dependency in the reverse order — it's visible in "systemctl show"
          however). Similar, Slice= now has an reverse dependency SliceOf=,
          that is also not configurable directly, but useful to determine all
          units that are members of a slice.

        * A pair of new dependency types between units PropagatesStopTo= +
          StopPropagatedFrom= has been added, that allows propagation of unit
          stop events between two units. It operates similar to the existing
          PropagatesReloadTo= + ReloadPropagatedFrom= dependencies.

        * A new dependency type OnSuccess= has been added (plus the reverse
          dependency OnSuccessOf=, which cannot be configured directly, but
          exists only as effect of the reverse OnSuccess=). It is similar to
          OnFailure=, but triggers in the opposite case: when a service exits
          cleanly. This allows "chaining up" of services where one or more
          services are started once another service has successfully completed.

        * A new dependency type Upholds= has been added (plus the reverse
          dependency UpheldBy=, which cannot be configured directly, but exists
          only as effect of Upholds=). This dependency type is a stronger form
          of Wants=: if a unit has an UpHolds= dependency on some other unit
          and the former is active then the latter is started whenever it is
          found inactive (and no job is queued for it). This is an alternative
          to Restart= inside service units, but less configurable, and the
          request to uphold a unit is not encoded in the unit itself but in
          another unit that intends to uphold it.

        * The systemd-ask-password tool now also supports reading passwords
          from the credentials subsystem, via the new --credential= switch.

        * The systemd-ask-password tool learnt a new switch --emoji= which may
          be used to explicit control whether the lock and key emoji (🔐) is
          shown in the password prompt on suitable TTYs.

        * The --echo switch of systemd-ask-password now optionally takes a
          parameter that controls character echo. It may either show asterisks
          (default, as before), turn echo off entirely, or echo the typed
          characters literally.

        * The systemd-ask-password tool also gained a new -n switch for
          suppressing output of a trailing newline character when writing the
          acquired password to standard output, similar to /bin/echo's -n
          switch.

        * New documentation has been added that describes the organization of
          the systemd source code tree:

          https://systemd.io/ARCHITECTURE

        * Units using ConditionNeedsUpdate= will no longer be activated in
          the initrd.

        * It is now possible to list a template unit in the WantedBy= or
          RequiredBy= settings of the [Install] section of another template
          unit, which will be instantiated using the same instance name.

        * A new MemoryAvailable property is available for units. If the unit,
          or the slice(s) it is part of, have a memory limit set via MemoryMax=/
          MemoryHigh=, MemoryAvailable will indicate how much more memory the
          unit can claim before hitting the limit(s).

        * systemd-coredump will now try to stay below the cgroup memory limit
          placed on itself or one of the slices it runs under, if the storage
          area for core files (/var/lib/systemd/coredump/) is placed on a tmpfs,
          since files written on such filesystems count toward the cgroup memory
          limit. If there is not enough available memory in such cases to store
          the core file uncompressed, systemd-coredump will skip to compressed
          storage directly (if enabled) and it will avoid analyzing the core file
          to print backtrace and metadata in the journal.

        * tmpfiles.d/ drop-ins gained a new '=' modifier to check if the type
          of a path matches the configured expectations, and remove it if not.

        * tmpfiles.d/'s 'Age' now accepts an 'age-by' argument, which allows to
          specify which of the several available filesystem timestamps (access
          time, birth time, change time, modification time) to look at when
          deciding whether a path has aged enough to be cleaned.

        * A new IPv6StableSecretAddress= setting has been added to .network
          files, which takes an IPv6 address to use as secret for IPv6 address
          generation.

        * The [DHCPServer] logic in .network files gained support for a new
          UplinkInterface= setting that permits configuration of the uplink
          interface name to propagate DHCP lease information from.

        * The WakeOnLan= setting in .link files now accepts a list of flags
          instead of a single one, to configure multiple wake-on-LAN policies.

        * User-space defined tracepoints (USDT) have been added to udev at
          strategic locations. This is useful for tracing udev behaviour and
          performance with bpftrace and similar tools.

        * systemd-journald-upload gained a new NetworkTimeoutSec= option for
          setting a network timeout time.

        * If a system service is running in a new mount namespace (RootDirectory=
          and friends), all file systems will be mounted with MS_NOSUID by
          default, unless the system is running with SELinux enabled.

        * When enumerating time zones the timedatectl tool will now consult the
          'tzdata.zi' file shipped by the IANA time zone database package, in
          addition to 'zone1970.tab', as before. This makes sure time zone
          aliases are now correctly supported. Some distributions so far did
          not install this additional file, most do however. If you
          distribution does not install it yet, it might make sense to change
          that.

        * Intel HID rfkill event is no longer masked, since it's the only
          source of rfkill event on newer HP laptops. To have both backward and
          forward compatibility, userspace daemon needs to debounce duplicated
          events in a short time window.

        Contributions from: Aakash Singh, adrian5, Albert Brox,
        Alexander Sverdlin, Alexander Tsoy, Alexey Rubtsov, alexlzhu,
        Allen Webb, Alvin Šipraga, Alyssa Ross, Anders Wenhaug,
        Andrea Pappacoda, Anita Zhang, asavah, Balint Reczey, Bertrand Jacquin,
        borna-blazevic, caoxia2008cxx, Carlo Teubner, Christian Göttsche,
        Christian Hesse, Daniel Schaefer, Dan Streetman,
        David Santamaría Rogado, David Tardon, Deepak Rawat, dgcampea,
        Dimitri John Ledkov, ei-ke, Emilio Herrera, Emil Renner Berthing,
        Eric Cook, Flos Lonicerae, Franck Bui, Francois Gervais,
        Frantisek Sumsal, Gibeom Gwon, gitm0, Hamish Moffatt, Hans de Goede,
        Harsh Barsaiyan, Henri Chain, Hristo Venev, Icenowy Zheng, Igor Zhbanov,
        imayoda, Jakub Warczarek, James Buren, Jan Janssen, Jan Macku,
        Jan Synacek, Jason Francis, Jayanth Ananthapadmanaban, Jeremy Szu,
        Jérôme Carretero, Jesse Stricker, jiangchuangang, Joerg Behrmann,
        Jóhann B. Guðmundsson, Jörg Deckert, Jörg Thalheim, Juergen Hoetzel,
        Julia Kartseva, Kai-Heng Feng, Khem Raj, KoyamaSohei, laineantti,
        Lennart Poettering, LetzteInstanz, Luca Adrian L, Luca Boccassi,
        Lucas Magasweran, Mantas Mikulėnas, Marco Antonio Mauro, Mark Wielaard,
        Masahiro Matsuya, Matt Johnston, Michael Catanzaro, Michal Koutný,
        Michal Sekletár, Mike Crowe, Mike Kazantsev, Milan, milaq,
        Miroslav Suchý, Morten Linderud, nerdopolis, nl6720, Noah Meyerhans,
        Oleg Popov, Olle Lundberg, Ondrej Kozina, Paweł Marciniak, Perry.Yuan,
        Peter Hutterer, Peter Kjellerstedt, Peter Morrow, Phaedrus Leeds,
        plattrap, qhill, Raul Tambre, Roman Beranek, Roshan Shariff,
        Ryan Hendrickson, Samuel BF, scootergrisen, Sebastian Blunt,
        Seong-ho Cho, Sergey Bugaev, Sevan Janiyan, Sibo Dong, simmon,
        Simon Watts, Srinidhi Kaushik, Štěpán Němec, Steve Bonds, Susant Sahani,
        sverdlin, syyhao1994, Takashi Sakamoto, Topi Miettinen, tramsay,
        Trent Piepho, Uwe Kleine-König, Viktor Mihajlovski, Vincent Dechenaux,
        Vito Caputo, William A. Kennington III, Yangyang Shen, Yegor Alexeyev,
        Yi Gao, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, zsien, наб

        — Edinburgh, 2021-07-07

CHANGES WITH 248:

        * A concept of system extension images is introduced. Such images may
          be used to extend the /usr/ and /opt/ directory hierarchies at
          runtime with additional files (even if the file system is read-only).
          When a system extension image is activated, its /usr/ and /opt/
          hierarchies and os-release information are combined via overlayfs
          with the file system hierarchy of the host OS.

          A new systemd-sysext tool can be used to merge, unmerge, list, and
          refresh system extension hierarchies. See
          https://www.freedesktop.org/software/systemd/man/systemd-sysext.html.

          The systemd-sysext.service automatically merges installed system
          extensions during boot (before basic.target, but not in very early
          boot, since various file systems have to be mounted first).

          The SYSEXT_LEVEL= field in os-release(5) may be used to specify the
          supported system extension level.

        * A new ExtensionImages= unit setting can be used to apply the same
          system extension image concept from systemd-sysext to the namespaced
          file hierarchy of specific services, following the same rules and
          constraints.

        * Support for a new special "root=tmpfs" kernel command-line option has
          been added. When specified, a tmpfs is mounted on /, and mount.usr=
          should be used to point to the operating system implementation.

        * A new configuration file /etc/veritytab may be used to configure
          dm-verity integrity protection for block devices. Each line is in the
          format "volume-name data-device hash-device roothash options",
          similar to /etc/crypttab.

        * A new kernel command-line option systemd.verity.root_options= may be
          used to configure dm-verity behaviour for the root device.

        * The key file specified in /etc/crypttab (the third field) may now
          refer to an AF_UNIX/SOCK_STREAM socket in the file system. The key is
          acquired by connecting to that socket and reading from it. This
          allows the implementation of a service to provide key information
          dynamically, at the moment when it is needed.

        * When the hostname is set explicitly to "localhost", systemd-hostnamed
          will respect this. Previously such a setting would be mostly silently
          ignored. The goal is to honour configuration as specified by the
          user.

        * The fallback hostname that will be used by the system manager and
          systemd-hostnamed can now be configured in two new ways: by setting
          DEFAULT_HOSTNAME= in os-release(5), or by setting
          $SYSTEMD_DEFAULT_HOSTNAME in the environment block. As before, it can
          also be configured during compilation. The environment variable is
          intended for testing and local overrides, the os-release(5) field is
          intended to allow customization by different variants of a
          distribution that share the same compiled packages.

        * The environment block of the manager itself may be configured through
          a new ManagerEnvironment= setting in system.conf or user.conf. This
          complements existing ways to set the environment block (the kernel
          command line for the system manager, the inherited environment and
          user@.service unit file settings for the user manager).

        * systemd-hostnamed now exports the default hostname and the source of
          the configured hostname ("static", "transient", or "default") as
          D-Bus properties.

        * systemd-hostnamed now exports the "HardwareVendor" and
          "HardwareModel" D-Bus properties, which are supposed to contain a
          pair of cleaned up, human readable strings describing the system's
          vendor and model. It's typically sourced from the firmware's DMI
          tables, but may be augmented from a new hwdb database. hostnamectl
          shows this in the status output.

        * Support has been added to systemd-cryptsetup for extracting the
          PKCS#11 token URI and encrypted key from the LUKS2 JSON embedded
          metadata header. This allows the information how to open the
          encrypted device to be embedded directly in the device and obviates
          the need for configuration in an external file.

        * systemd-cryptsetup gained support for unlocking LUKS2 volumes using
          TPM2 hardware, as well as FIDO2 security tokens (in addition to the
          pre-existing support for PKCS#11 security tokens).

        * systemd-repart may enroll encrypted partitions using TPM2
          hardware. This may be useful for example to create an encrypted /var
          partition bound to the machine on first boot.

        * A new systemd-cryptenroll tool has been added to enroll TPM2, FIDO2
          and PKCS#11 security tokens to LUKS volumes, list and destroy
          them. See:

          http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html

          It also supports enrolling "recovery keys" and regular passphrases.

        * The libfido2 dependency is now based on dlopen(), so that the library
          is used at runtime when installed, but is not a hard runtime
          dependency.

        * systemd-cryptsetup gained support for two new options in
          /etc/crypttab: "no-write-workqueue" and "no-read-workqueue" which
          request synchronous processing of encryption/decryption IO.

        * The manager may be configured at compile time to use the fexecve()
          instead of the execve() system call when spawning processes. Using
          fexecve() closes a window between checking the security context of an
          executable and spawning it, but unfortunately the kernel displays
          stale information in the process' "comm" field, which impacts ps
          output and such.

        * The configuration option -Dcompat-gateway-hostname has been dropped.
          "_gateway" is now the only supported name.

        * The ConditionSecurity=tpm2 unit file setting may be used to check if
          the system has at least one TPM2 (tpmrm class) device.

        * A new ConditionCPUFeature= has been added that may be used to
          conditionalize units based on CPU features. For example,
          ConditionCPUFeature=rdrand will condition a unit so that it is only
          run when the system CPU supports the RDRAND opcode.

        * The existing ConditionControlGroupController= setting has been
          extended with two new values "v1" and "v2". "v2" means that the
          unified v2 cgroup hierarchy is used, and "v1" means that legacy v1
          hierarchy or the hybrid hierarchy are used.

        * A new PrivateIPC= setting on a unit file allows executed processes to
          be moved into a private IPC namespace, with separate System V IPC
          identifiers and POSIX message queues.

          A new IPCNamespacePath= allows the unit to be joined to an existing
          IPC namespace.

        * The tables of system calls in seccomp filters are now automatically
          generated from kernel lists exported on
          https://fedora.juszkiewicz.com.pl/syscalls.html.

          The following architectures should now have complete lists:
          alpha, arc, arm64, arm, i386, ia64, m68k, mips64n32, mips64, mipso32,
          powerpc, powerpc64, s390, s390x, tilegx, sparc, x86_64, x32.

        * The MountAPIVFS= service file setting now additionally mounts a tmpfs
          on /run/ if it is not already a mount point. A writable /run/ has
          always been a requirement for a functioning system, but this was not
          guaranteed when using a read-only image.

          Users can always specify BindPaths= or InaccessiblePaths= as
          overrides, and they will take precedence. If the host's root mount
          point is used, there is no change in behaviour.

        * New bind mounts and file system image mounts may be injected into the
          mount namespace of a service (without restarting it). This is exposed
          respectively as 'systemctl bind <unit> <path>…' and
          'systemctl mount-image <unit> <image>…'.

        * The StandardOutput= and StandardError= settings can now specify files
          to be truncated for output (as "truncate:<path>").

        * The ExecPaths= and NoExecPaths= settings may be used to specify
          noexec for parts of the file system.

        * sd-bus has a new function sd_bus_open_user_machine() to open a
          connection to the session bus of a specific user in a local container
          or on the local host. This is exposed in the existing -M switch to
          systemctl and similar tools:

              systemctl --user -M lennart@foobar start foo

          This will connect to the user bus of a user "lennart" in container
          "foobar". If no container name is specified, the specified user on
          the host itself is connected to

              systemctl --user -M lennart@ start quux

        * sd-bus also gained a convenience function sd_bus_message_send() to
          simplify invocations of sd_bus_send(), taking only a single
          parameter: the message to send.

        * sd-event allows rate limits to be set on event sources, for dealing
          with high-priority event sources that might starve out others. See
          the new man page sd_event_source_set_ratelimit(3) for details.

        * systemd.link files gained a [Link] Promiscuous= switch, which allows
          the device to be raised in promiscuous mode.

          New [Link] TransmitQueues= and ReceiveQueues= settings allow the
          number of TX and RX queues to be configured.

          New [Link] TransmitQueueLength= setting allows the size of the TX
          queue to be configured.

          New [Link] GenericSegmentOffloadMaxBytes= and
          GenericSegmentOffloadMaxSegments= allow capping the packet size and
          the number of segments accepted in Generic Segment Offload.

        * systemd-networkd gained support for the "B.A.T.M.A.N. advanced"
          wireless routing protocol that operates on ISO/OSI Layer 2 only and
          uses ethernet frames to route/bridge packets. This encompasses a new
          "batadv" netdev Type=, a new [BatmanAdvanced] section with a bunch of
          new settings in .netdev files, and a new BatmanAdvanced= setting in
          .network files.

        * systemd.network files gained a [Network] RouteTable= configuration
          switch to select the routing policy table.

          systemd.network files gained a [RoutingPolicyRule] Type=
          configuration switch (one of "blackhole, "unreachable", "prohibit").

          systemd.network files gained a [IPv6AcceptRA] RouteDenyList= and
          RouteAllowList= settings to ignore/accept route advertisements from
          routers matching specified prefixes. The DenyList= setting has been
          renamed to PrefixDenyList= and a new PrefixAllowList= option has been
          added.

          systemd.network files gained a [DHCPv6] UseAddress= setting to
          optionally ignore the address provided in the lease.

          systemd.network files gained a [DHCPv6PrefixDelegation]
          ManageTemporaryAddress= switch.

          systemd.network files gained a new ActivationPolicy= setting which
          allows configuring how the UP state of an interface shall be managed,
          i.e. whether the interface is always upped, always downed, or may be
          upped/downed by the user using "ip link set dev".

        * The default for the Broadcast= setting in .network files has slightly
          changed: the broadcast address will not be configured for wireguard
          devices.

        * systemd.netdev files gained a [VLAN] Protocol=, IngressQOSMaps=,
          EgressQOSMaps=, and [MACVLAN] BroadcastMulticastQueueLength=
          configuration options for VLAN packet handling.

        * udev rules may now set log_level= option. This allows debug logs to
          be enabled for select events, e.g. just for a specific subsystem or
          even a single device.

        * udev now exports the VOLUME_ID, LOGICAL_VOLUME_ID, VOLUME_SET_ID, and
          DATA_PREPARED_ID properties for block devices with ISO9660 file
          systems.

        * udev now exports decoded DMI information about installed memory slots
          as device properties under the /sys/class/dmi/id/ pseudo device.

        * /dev/ is not mounted noexec anymore. This didn't provide any
          significant security benefits and would conflict with the executable
          mappings used with /dev/sgx device nodes. The previous behaviour can
          be restored for individual services with NoExecPaths=/dev (or by allow-
          listing and excluding /dev from ExecPaths=).

        * Permissions for /dev/vsock are now set to 0o666, and /dev/vhost-vsock
          and /dev/vhost-net are owned by the kvm group.

        * The hardware database has been extended with a list of fingerprint
          readers that correctly support USB auto-suspend using data from
          libfprint.

        * systemd-resolved can now answer DNSSEC questions through the stub
          resolver interface in a way that allows local clients to do DNSSEC
          validation themselves. For a question with DO+CD set, it'll proxy the
          DNS query and respond with a mostly unmodified packet received from
          the upstream server.

        * systemd-resolved learnt a new boolean option CacheFromLocalhost= in
          resolved.conf. If true the service will provide caching even for DNS
          lookups made to an upstream DNS server on the 127.0.0.1/::1
          addresses. By default (and when the option is false) systemd-resolved
          will not cache such lookups, in order to avoid duplicate local
          caching, under the assumption the local upstream server caches
          anyway.

        * systemd-resolved now implements RFC5001 NSID in its local DNS
          stub. This may be used by local clients to determine whether they are
          talking to the DNS resolver stub or a different DNS server.

        * When resolving host names and other records resolvectl will now
          report where the data was acquired from (i.e. the local cache, the
          network, locally synthesized, …) and whether the network traffic it
          effected was encrypted or not. Moreover the tool acquired a number of
          new options --cache=, --synthesize=, --network=, --zone=,
          --trust-anchor=, --validate= that take booleans and may be used to
          tweak a lookup, i.e. whether it may be answered from cached
          information, locally synthesized information, information acquired
          through the network, the local mDNS/LLMNR zone, the DNSSEC trust
          anchor, and whether DNSSEC validation shall be executed for the
          lookup.

        * systemd-nspawn gained a new --ambient-capability= setting
          (AmbientCapability= in .nspawn files) to configure ambient
          capabilities passed to the container payload.

        * systemd-nspawn gained the ability to configure the firewall using the
          nftables subsystem (in addition to the existing iptables
          support). Similarly, systemd-networkd's IPMasquerade= option now
          supports nftables as back-end, too. In both cases NAT on IPv6 is now
          supported too, in addition to IPv4 (the iptables back-end still is
          IPv4-only).

          "IPMasquerade=yes", which was the same as "IPMasquerade=ipv4" before,
          retains its meaning, but has been deprecated. Please switch to either
          "ivp4" or "both" (if covering IPv6 is desired).

        * systemd-importd will now download .verity and .roothash.p7s files
          along with the machine image (as exposed via machinectl pull-raw).

        * systemd-oomd now gained a new DefaultMemoryPressureDurationSec=
          setting to configure the time a unit's cgroup needs to exceed memory
          pressure limits before action will be taken, and a new
          ManagedOOMPreference=none|avoid|omit setting to avoid killing certain
          units.

          systemd-oomd is now considered fully supported (the usual
          backwards-compatiblity promises apply). Swap is not required for
          operation, but it is still recommended.

        * systemd-timesyncd gained a new ConnectionRetrySec= setting which
          configures the retry delay when trying to contact servers.

        * systemd-stdio-bridge gained --system/--user options to connect to the
          system bus (previous default) or the user session bus.

        * systemd-localed may now call locale-gen to generate missing locales
          on-demand (UTF-8-only). This improves integration with Debian-based
          distributions (Debian/Ubuntu/PureOS/Tanglu/...) and Arch Linux.

        * systemctl --check-inhibitors=true may now be used to obey inhibitors
          even when invoked non-interactively. The old --ignore-inhibitors
          switch is now deprecated and replaced by --check-inhibitors=false.

        * systemctl import-environment will now emit a warning when called
          without any arguments (i.e. to import the full environment block of
          the called program). This command will usually be invoked from a
          shell, which means that it'll inherit a bunch of variables which are
          specific to that shell, and usually to the TTY the shell is connected
          to, and don't have any meaning in the global context of the system or
          user service manager. Instead, only specific variables should be
          imported into the manager environment block.

          Similarly, programs which update the manager environment block by
          directly calling the D-Bus API of the manager, should also push
          specific variables, and not the full inherited environment.

        * systemctl's status output now shows unit state with a more careful
          choice of Unicode characters: units in maintenance show a "○" symbol
          instead of the usual "●", failed units show "×", and services being
          reloaded "↻".

        * coredumpctl gained a --debugger-arguments= switch to pass arguments
          to the debugger. It also gained support for showing coredump info in
          a simple JSON format.

        * systemctl/loginctl/machinectl's --signal= option now accept a special
          value "list", which may be used to show a brief table with known
          process signals and their numbers.

        * networkctl now shows the link activation policy in status.

        * Various tools gained --pager/--no-pager/--json= switches to
          enable/disable the pager and provide JSON output.

        * Various tools now accept two new values for the SYSTEMD_COLORS
          environment variable: "16" and "256", to configure how many terminal
          colors are used in output.

        * less 568 or newer is now required for the auto-paging logic of the
          various tools. Hyperlink ANSI sequences in terminal output are now
          used even if a pager is used, and older versions of less are not able
          to display these sequences correctly. SYSTEMD_URLIFY=0 may be used to
          disable this output again.

        * Builds with support for separate / and /usr/ hierarchies ("split-usr"
          builds, non-merged-usr builds) are now officially deprecated. A
          warning is emitted during build. Support is slated to be removed in
          about a year (when the Debian Bookworm release development starts).

        * Systems with the legacy cgroup v1 hierarchy are now marked as
          "tainted", to make it clearer that using the legacy hierarchy is not
          recommended.

        * systemd-localed will now refuse to configure a keymap which is not
          installed in the file system. This is intended as a bug fix, but
          could break cases where systemd-localed was used to configure the
          keymap in advanced of it being installed. It is necessary to install
          the keymap file first.

        * The main git development branch has been renamed to 'main'.

        * mmcblk[0-9]boot[0-9] devices will no longer be probed automatically
          for partitions, as in the vast majority of cases they contain none
          and are used internally by the bootloader (eg: uboot).

        * systemd will now set the $SYSTEMD_EXEC_PID environment variable for
          spawned processes to the PID of the process itself. This may be used
          by programs for detecting whether they were forked off by the service
          manager itself or are a process forked off further down the tree.

        * The sd-device API gained four new calls: sd_device_get_action() to
          determine the uevent add/remove/change/… action the device object has
          been seen for, sd_device_get_seqno() to determine the uevent sequence
          number, sd_device_new_from_stat_rdev() to allocate a new sd_device
          object from stat(2) data of a device node, and sd_device_trigger() to
          write to the 'uevent' attribute of a device.

        * For most tools the --no-legend= switch has been replaced by
          --legend=no and --legend=yes, to force whether tables are shown with
          headers/legends.

        * Units acquired a new property "Markers" that takes a list of zero,
          one or two of the following strings: "needs-reload" and
          "needs-restart". These markers may be set via "systemctl
          set-property". Once a marker is set, "systemctl reload-or-restart
          --marked" may be invoked to execute the operation the units are
          marked for. This is useful for package managers that want to mark
          units for restart/reload while updating, but effect the actual
          operations at a later step at once.

        * The sd_bus_message_read_strv() API call of sd-bus may now also be
          used to parse arrays of D-Bus signatures and D-Bus paths, in addition
          to regular strings.

        * bootctl will now report whether the UEFI firmware used a TPM2 device
          and measured the boot process into it.

        * systemd-tmpfiles learnt support for a new environment variable
          $SYSTEMD_TMPFILES_FORCE_SUBVOL which takes a boolean value. If true
          the v/q/Q lines in tmpfiles.d/ snippets will create btrfs subvolumes
          even if the root fs of the system is not itself a btrfs volume.

        * systemd-detect-virt/ConditionVirtualization= will now explicitly
          detect Docker/Podman environments where possible. Moreover, they
          should be able to generically detect any container manager as long as
          it assigns the container a cgroup.

        * portablectl gained a new "reattach" verb for detaching/reattaching a
          portable service image, useful for updating images on-the-fly.

        * Intel SGX enclave device nodes (which expose a security feature of
          newer Intel CPUs) will now be owned by a new system group "sgx".

        Contributions from: Adam Nielsen, Adrian Vovk, AJ Jordan, Alan Perry,
        Alastair Pharo, Alexander Batischev, Ali Abdallah, Andrew Balmos,
        Anita Zhang, Annika Wickert, Ansgar Burchardt, Antonio Terceiro,
        Antonius Frie, Ardy, Arian van Putten, Ariel Fermani, Arnaud T,
        A S Alam, Bastien Nocera, Benjamin Berg, Benjamin Robin, Björn Daase,
        caoxia, Carlo Wood, Charles Lee, ChopperRob, chri2, Christian Ehrhardt,
        Christian Hesse, Christopher Obbard, clayton craft, corvusnix, cprn,
        Daan De Meyer, Daniele Medri, Daniel Rusek, Dan Sanders, Dan Streetman,
        Darren Ng, David Edmundson, David Tardon, Deepak Rawat, Devon Pringle,
        Dmitry Borodaenko, dropsignal, Einsler Lee, Endre Szabo,
        Evgeny Vereshchagin, Fabian Affolter, Fangrui Song, Felipe Borges,
        feliperodriguesfr, Felix Stupp, Florian Hülsmann, Florian Klink,
        Florian Westphal, Franck Bui, Frantisek Sumsal, Gablegritule,
        Gaël PORTAY, Gaurav, Giedrius Statkevičius, Greg Depoire-Ferrer,
        Gustavo Costa, Hans de Goede, Hela Basa, heretoenhance, hide,
        Iago López Galeiras, igo95862, Ilya Dmitrichenko, Jameer Pathan,
        Jan Tojnar, Jiehong, Jinyuan Si, Joerg Behrmann, John Slade,
        Jonathan G. Underwood, Jonathan McDowell, Josh Triplett, Joshua Watt,
        Julia Cartwright, Julien Humbert, Kairui Song, Karel Zak,
        Kevin Backhouse, Kevin P. Fleming, Khem Raj, Konomi, krissgjeng,
        l4gfcm, Lajos Veres, Lennart Poettering, Lincoln Ramsay, Luca Boccassi,
        Luca BRUNO, Lucas Werkmeister, Luka Kudra, Luna Jernberg,
        Marc-André Lureau, Martin Wilck, Matthias Klumpp, Matt Turner,
        Michael Gisbers, Michael Marley, Michael Trapp, Michal Fabik,
        Michał Kopeć, Michal Koutný, Michal Sekletár, Michele Guerini Rocco,
        Mike Gilbert, milovlad, moson-mo, Nick, nihilix-melix, Oğuz Ersen,
        Ondrej Mosnacek, pali, Pavel Hrdina, Pavel Sapezhko, Perry Yuan,
        Peter Hutterer, Pierre Dubouilh, Piotr Drąg, Pjotr Vertaalt,
        Richard Laager, RussianNeuroMancer, Sam Lunt, Sebastiaan van Stijn,
        Sergey Bugaev, shenyangyang4, simmon, Simonas Kazlauskas,
        Slimane Selyan Amiri, Stefan Agner, Steve Ramage, Susant Sahani,
        Sven Mueller, Tad Fisher, Takashi Iwai, Thomas Haller, Tom Shield,
        Topi Miettinen, Torsten Hilbrich, tpgxyz, Tyler Hicks, ulf-f,
        Ulrich Ölmann, Vincent Pelletier, Vinnie Magro, Vito Caputo, Vlad,
        walbit-de, Whired Planck, wouter bolsterlee, Xℹ Ruoyao, Yangyang Shen,
        Yuri Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek,
        Zmicer Turok, Дамјан Георгиевски

        — Berlin, 2021-03-30

CHANGES WITH 247:

        * KERNEL API INCOMPATIBILITY: Linux 4.14 introduced two new uevents
          "bind" and "unbind" to the Linux device model. When this kernel
          change was made, systemd-udevd was only minimally updated to handle
          and propagate these new event types. The introduction of these new
          uevents (which are typically generated for USB devices and devices
          needing a firmware upload before being functional) resulted in a
          number of issues which we so far didn't address. We hoped the kernel
          maintainers would themselves address these issues in some form, but
          that did not happen. To handle them properly, many (if not most) udev
          rules files shipped in various packages need updating, and so do many
          programs that monitor or enumerate devices with libudev or sd-device,
          or otherwise process uevents. Please note that this incompatibility
          is not fault of systemd or udev, but caused by an incompatible kernel
          change that happened back in Linux 4.14, but is becoming more and
          more visible as the new uevents are generated by more kernel drivers.

          To minimize issues resulting from this kernel change (but not avoid
          them entirely) starting with systemd-udevd 247 the udev "tags"
          concept (which is a concept for marking and filtering devices during
          enumeration and monitoring) has been reworked: udev tags are now
          "sticky", meaning that once a tag is assigned to a device it will not
          be removed from the device again until the device itself is removed
          (i.e. unplugged). This makes sure that any application monitoring
          devices that match a specific tag is guaranteed to both see uevents
          where the device starts being relevant, and those where it stops
          being relevant (the latter now regularly happening due to the new
          "unbind" uevent type). The udev tags concept is hence now a concept
          tied to a *device* instead of a device *event* — unlike for example
          udev properties whose lifecycle (as before) is generally tied to a
          device event, meaning that the previously determined properties are
          forgotten whenever a new uevent is processed.

          With the newly redefined udev tags concept, sometimes it's necessary
          to determine which tags are the ones applied by the most recent
          uevent/database update, in order to discern them from those
          originating from earlier uevents/database updates of the same
          device. To accommodate for this a new automatic property CURRENT_TAGS
          has been added that works similar to the existing TAGS property but
          only lists tags set by the most recent uevent/database
          update. Similarly, the libudev/sd-device API has been updated with
          new functions to enumerate these 'current' tags, in addition to the
          existing APIs that now enumerate the 'sticky' ones.

          To properly handle "bind"/"unbind" on Linux 4.14 and newer it is
          essential that all udev rules files and applications are updated to
          handle the new events. Specifically:

          • All rule files that currently use a header guard similar to
            ACTION!="add|change",GOTO="xyz_end" should be updated to use
            ACTION=="remove",GOTO="xyz_end" instead, so that the
            properties/tags they add are also applied whenever "bind" (or
            "unbind") is seen. (This is most important for all physical device
            types — those for which "bind" and "unbind" are currently
            generated, for all other device types this change is still
            recommended but not as important — but certainly prepares for
            future kernel uevent type additions).

          • Similarly, all code monitoring devices that contains an 'if' branch
            discerning the "add" + "change" uevent actions from all other
            uevents actions (i.e. considering devices only relevant after "add"
            or "change", and irrelevant on all other events) should be reworked
            to instead negatively check for "remove" only (i.e. considering
            devices relevant after all event types, except for "remove", which
            invalidates the device). Note that this also means that devices
            should be considered relevant on "unbind", even though conceptually
            this — in some form — invalidates the device. Since the precise
            effect of "unbind" is not generically defined, devices should be
            considered relevant even after "unbind", however I/O errors
            accessing the device should then be handled gracefully.

          • Any code that uses device tags for deciding whether a device is
            relevant or not most likely needs to be updated to use the new
            udev_device_has_current_tag() API (or sd_device_has_current_tag()
            in case sd-device is used), to check whether the tag is set at the
            moment an uevent is seen (as opposed to the existing
            udev_device_has_tag() API which checks if the tag ever existed on
            the device, following the API concept redefinition explained
            above).

          We are very sorry for this breakage and the requirement to update
          packages using these interfaces. We'd again like to underline that
          this is not caused by systemd/udev changes, but result of a kernel
          behaviour change.

        * UPCOMING INCOMPATIBILITY: So far most downstream distribution
          packages have not retriggered devices once the udev package (or any
          auxiliary package installing additional udev rules) is updated. We
          intend to work with major distributions to change this, so that
          "udevadm trigger -a change" is issued on such upgrades, ensuring that
          the updated ruleset is applied to the devices already discovered, so
          that (asynchronously) after the upgrade completed the udev database
          is consistent with the updated rule set. This means udev rules must
          be ready to be retriggered with a "change" action any time, and
          result in correct and complete udev database entries. While the
          majority of udev rule files known to us currently get this right,
          some don't. Specifically, there are udev rules files included in
          various packages that only set udev properties on the "add" action,
          but do not handle the "change" action. If a device matching those
          rules is retriggered with the "change" action (as is intended here)
          it would suddenly lose the relevant properties. This always has been
          problematic, but as soon as all udev devices are triggered on relevant
          package upgrades this will become particularly so. It is strongly
          recommended to fix offending rules so that they can handle a "change"
          action at any time, and acquire all necessary udev properties even
          then. Or in other words: the header guard mentioned above
          (ACTION=="remove",GOTO="xyz_end") is the correct approach to handle
          this, as it makes sure rules are rerun on "change" correctly, and
          accumulate the correct and complete set of udev properties. udev rule
          definitions that cannot handle "change" events being triggered at
          arbitrary times should be considered buggy.

        * The MountAPIVFS= service file setting now defaults to on if
          RootImage= and RootDirectory= are used, which means that with those
          two settings /proc/, /sys/ and /dev/ are automatically properly set
          up for services. Previous behaviour may be restored by explicitly
          setting MountAPIVFS=off.

        * Since PAM 1.2.0 (2015) configuration snippets may be placed in
          /usr/lib/pam.d/ in addition to /etc/pam.d/. If a file exists in the
          latter it takes precedence over the former, similar to how most of
          systemd's own configuration is handled. Given that PAM stack
          definitions are primarily put together by OS vendors/distributions
          (though possibly overridden by users), this systemd release moves its
          own PAM stack configuration for the "systemd-user" PAM service (i.e.
          for the PAM session invoked by the per-user user@.service instance)
          from /etc/pam.d/ to /usr/lib/pam.d/. We recommend moving all
          packages' vendor versions of their PAM stack definitions from
          /etc/pam.d/ to /usr/lib/pam.d/, but if such OS-wide migration is not
          desired the location to which systemd installs its PAM stack
          configuration may be changed via the -Dpamconfdir Meson option.

        * The runtime dependencies on libqrencode, libpcre2, libidn/libidn2,
          libpwquality and libcryptsetup have been changed to be based on
          dlopen(): instead of regular dynamic library dependencies declared in
          the binary ELF headers, these libraries are now loaded on demand
          only, if they are available. If the libraries cannot be found the
          relevant operations will fail gracefully, or a suitable fallback
          logic is chosen. This is supposed to be useful for general purpose
          distributions, as it allows minimizing the list of dependencies the
          systemd packages pull in, permitting building of more minimal OS
          images, while still making use of these "weak" dependencies should
          they be installed. Since many package managers automatically
          synthesize package dependencies from ELF shared library dependencies,
          some additional manual packaging work has to be done now to replace
          those (slightly downgraded from "required" to "recommended" or
          whatever is conceptually suitable for the package manager). Note that
          this change does not alter build-time behaviour: as before the
          build-time dependencies have to be installed during build, even if
          they now are optional during runtime.

        * sd-event.h gained a new call sd_event_add_time_relative() for
          installing timers relative to the current time. This is mostly a
          convenience wrapper around the pre-existing sd_event_add_time() call
          which installs absolute timers.

        * sd-event event sources may now be placed in a new "exit-on-failure"
          mode, which may be controlled via the new
          sd_event_source_get_exit_on_failure() and
          sd_event_source_set_exit_on_failure() functions. If enabled, any
          failure returned by the event source handler functions will result in
          exiting the event loop (unlike the default behaviour of just
          disabling the event source but continuing with the event loop). This
          feature is useful to set for all event sources that define "primary"
          program behaviour (where failure should be fatal) in contrast to
          "auxiliary" behaviour (where failure should remain local).

        * Most event source types sd-event supports now accept a NULL handler
          function, in which case the event loop is exited once the event
          source is to be dispatched, using the userdata pointer — converted to
          a signed integer — as exit code of the event loop. Previously this
          was supported for IO and signal event sources already. Exit event
          sources still do not support this (simply because it makes little
          sense there, as the event loop is already exiting when they are
          dispatched).

        * A new per-unit setting RootImageOptions= has been added which allows
          tweaking the mount options for any file system mounted as effect of
          the RootImage= setting.

        * Another new per-unit setting MountImages= has been added, that allows
          mounting additional disk images into the file system tree accessible
          to the service.

        * Timer units gained a new FixedRandomDelay= boolean setting. If
          enabled, the random delay configured with RandomizedDelaySec= is
          selected in a way that is stable on a given system (though still
          different for different units).

        * Socket units gained a new setting Timestamping= that takes "us", "ns"
          or "off". This controls the SO_TIMESTAMP/SO_TIMESTAMPNS socket
          options.

        * systemd-repart now generates JSON output when requested with the new
          --json= switch.

        * systemd-machined's OpenMachineShell() bus call will now pass
          additional policy metadata data fields to the PolicyKit
          authentication request.

        * systemd-tmpfiles gained a new -E switch, which is equivalent to
          --exclude-prefix=/dev --exclude-prefix=/proc --exclude=/run
          --exclude=/sys. It's particularly useful in combination with --root=,
          when operating on OS trees that do not have any of these four runtime
          directories mounted, as this means no files below these subtrees are
          created or modified, since those mount points should probably remain
          empty.

        * systemd-tmpfiles gained a new --image= switch which is like --root=,
          but takes a disk image instead of a directory as argument. The
          specified disk image is mounted inside a temporary mount namespace
          and the tmpfiles.d/ drop-ins stored in the image are executed and
          applied to the image. systemd-sysusers similarly gained a new
          --image= switch, that allows the sysusers.d/ drop-ins stored in the
          image to be applied onto the image.

        * Similarly, the journalctl command also gained an --image= switch,
          which is a quick one-step solution to look at the log data included
          in OS disk images.

        * journalctl's --output=cat option (which outputs the log content
          without any metadata, just the pure text messages) will now make use
          of terminal colors when run on a suitable terminal, similarly to the
          other output modes.

        * JSON group records now support a "description" string that may be
          used to add a human-readable textual description to such groups. This
          is supposed to match the user's GECOS field which traditionally
          didn't have a counterpart for group records.

        * The "systemd-dissect" tool that may be used to inspect OS disk images
          and that was previously installed to /usr/lib/systemd/ has now been
          moved to /usr/bin/, reflecting its updated status of an officially
          supported tool with a stable interface. It gained support for a new
          --mkdir switch which when combined with --mount has the effect of
          creating the directory to mount the image to if it is missing
          first. It also gained two new commands --copy-from and --copy-to for
          copying files and directories in and out of an OS image without the
          need to manually mount it. It also acquired support for a new option
          --json= to generate JSON output when inspecting an OS image.

        * The cgroup2 file system is now mounted with the
          "memory_recursiveprot" mount option, supported since kernel 5.7. This
          means that the MemoryLow= and MemoryMin= unit file settings now apply
          recursively to whole subtrees.

        * systemd-homed now defaults to using the btrfs file system — if
          available — when creating home directories in LUKS volumes. This may
          be changed with the DefaultFileSystemType= setting in homed.conf.
          It's now the default file system in various major distributions and
          has the major benefit for homed that it can be grown and shrunk while
          mounted, unlike the other contenders ext4 and xfs, which can both be
          grown online, but not shrunk (in fact xfs is the technically most
          limited option here, as it cannot be shrunk at all).

        * JSON user records managed by systemd-homed gained support for
          "recovery keys". These are basically secondary passphrases that can
          unlock user accounts/home directories. They are computer-generated
          rather than user-chosen, and typically have greater entropy.
          homectl's --recovery-key= option may be used to add a recovery key to
          a user account. The generated recovery key is displayed as a QR code,
          so that it can be scanned to be kept in a safe place. This feature is
          particularly useful in combination with systemd-homed's support for
          FIDO2 or PKCS#11 authentication, as a secure fallback in case the
          security tokens are lost. Recovery keys may be entered wherever the
          system asks for a password.

        * systemd-homed now maintains a "dirty" flag for each LUKS encrypted
          home directory which indicates that a home directory has not been
          deactivated cleanly when offline. This flag is useful to identify
          home directories for which the offline discard logic did not run when
          offlining, and where it would be a good idea to log in again to catch
          up.

        * systemctl gained a new parameter --timestamp= which may be used to
          change the style in which timestamps are output, i.e. whether to show
          them in local timezone or UTC, or whether to show µs granularity.

        * Alibaba's "pouch" container manager is now detected by
          systemd-detect-virt, ConditionVirtualization= and similar
          constructs. Similar, they now also recognize IBM PowerVM machine
          virtualization.

        * systemd-nspawn has been reworked to use the /run/host/incoming/ as
          place to use for propagating external mounts into the
          container. Similarly /run/host/notify is now used as the socket path
          for container payloads to communicate with the container manager
          using sd_notify(). The container manager now uses the
          /run/host/inaccessible/ directory to place "inaccessible" file nodes
          of all relevant types which may be used by the container payload as
          bind mount source to over-mount inodes to make them inaccessible.
          /run/host/container-manager will now be initialized with the same
          string as the $container environment variable passed to the
          container's PID 1. /run/host/container-uuid will be initialized with
          the same string as $container_uuid. This means the /run/host/
          hierarchy is now the primary way to make host resources available to
          the container. The Container Interface documents these new files and
          directories:

          https://systemd.io/CONTAINER_INTERFACE

        * Support for the "ConditionNull=" unit file condition has been
          deprecated and undocumented for 6 years. systemd started to warn
          about its use 1.5 years ago. It has now been removed entirely.

        * sd-bus.h gained a new API call sd_bus_error_has_names(), which takes
          a sd_bus_error struct and a list of error names, and checks if the
          error matches one of these names. It's a convenience wrapper that is
          useful in cases where multiple errors shall be handled the same way.

        * A new system call filter list "@known" has been added, that contains
          all system calls known at the time systemd was built.

        * Behaviour of system call filter allow lists has changed slightly:
          system calls that are contained in @known will result in EPERM by
          default, while those not contained in it result in ENOSYS. This
          should improve compatibility because known system calls will thus be
          communicated as prohibited, while unknown (and thus newer ones) will
          be communicated as not implemented, which hopefully has the greatest
          chance of triggering the right fallback code paths in client
          applications.

        * "systemd-analyze syscall-filter" will now show two separate sections
          at the bottom of the output: system calls known during systemd build
          time but not included in any of the filter groups shown above, and
          system calls defined on the local kernel but known during systemd
          build time.

        * If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for
          systemd-nspawn all system call filter violations will be logged by
          the kernel (audit). This is useful for tracking down system calls
          invoked by container payloads that are prohibited by the container's
          system call filter policy.

        * If the $SYSTEMD_SECCOMP=0 environment variable is set for
          systemd-nspawn (and other programs that use seccomp) all seccomp
          filtering is turned off.

        * Two new unit file settings ProtectProc= and ProcSubset= have been
          added that expose the hidepid= and subset= mount options of procfs.
          All processes of the unit will only see processes in /proc that are
          are owned by the unit's user. This is an important new sandboxing
          option that is recommended to be set on all system services. All
          long-running system services that are included in systemd itself set
          this option now. This option is only supported on kernel 5.8 and
          above, since the hidepid= option supported on older kernels was not a
          per-mount option but actually applied to the whole PID namespace.

        * Socket units gained a new boolean setting FlushPending=. If enabled
          all pending socket data/connections are flushed whenever the socket
          unit enters the "listening" state, i.e. after the associated service
          exited.

        * The unit file setting NUMAMask= gained a new "all" value: when used,
          all existing NUMA nodes are added to the NUMA mask.

        * A new "credentials" logic has been added to system services. This is
          a simple mechanism to pass privileged data to services in a safe and
          secure way. It's supposed to be used to pass per-service secret data
          such as passwords or cryptographic keys but also associated less
          private information such as user names, certificates, and similar to
          system services. Each credential is identified by a short user-chosen
          name and may contain arbitrary binary data. Two new unit file
          settings have been added: SetCredential= and LoadCredential=. The
          former allows setting a credential to a literal string, the latter
          sets a credential to the contents of a file (or data read from a
          user-chosen AF_UNIX stream socket). Credentials are passed to the
          service via a special credentials directory, one file for each
          credential. The path to the credentials directory is passed in a new
          $CREDENTIALS_DIRECTORY environment variable. Since the credentials
          are passed in the file system they may be easily referenced in
          ExecStart= command lines too, thus no explicit support for the
          credentials logic in daemons is required (though ideally daemons
          would look for the bits they need in $CREDENTIALS_DIRECTORY
          themselves automatically, if set). The $CREDENTIALS_DIRECTORY is
          backed by unswappable memory if privileges allow it, immutable if
          privileges allow it, is accessible only to the service's UID, and is
          automatically destroyed when the service stops.

        * systemd-nspawn supports the same credentials logic. It can both
          consume credentials passed to it via the aforementioned
          $CREDENTIALS_DIRECTORY protocol as well as pass these credentials on
          to its payload. The service manager/PID 1 has been updated to match
          this: it can also accept credentials from the container manager that
          invokes it (in fact: any process that invokes it), and passes them on
          to its services. Thus, credentials can be propagated recursively down
          the tree: from a system's service manager to a systemd-nspawn
          service, to the service manager that runs as container payload and to
          the service it runs below. Credentials may also be added on the
          systemd-nspawn command line, using new --set-credential= and
          --load-credential= command line switches that match the
          aforementioned service settings.

        * systemd-repart gained new settings Format=, Encrypt=, CopyFiles= in
          the partition drop-ins which may be used to format/LUKS
          encrypt/populate any created partitions. The partitions are
          encrypted/formatted/populated before they are registered in the
          partition table, so that they appear atomically: either the
          partitions do not exist yet or they exist fully encrypted, formatted,
          and populated — there is no time window where they are
          "half-initialized". Thus the system is robust to abrupt shutdown: if
          the tool is terminated half-way during its operations on next boot it
          will start from the beginning.

        * systemd-repart's --size= operation gained a new "auto" value. If
          specified, and operating on a loopback file it is automatically sized
          to the minimal size the size constraints permit. This is useful to
          use "systemd-repart" as an image builder for minimally sized images.

        * systemd-resolved now gained a third IPC interface for requesting name
          resolution: besides D-Bus and local DNS to 127.0.0.53 a Varlink
          interface is now supported. The nss-resolve NSS module has been
          modified to use this new interface instead of D-Bus. Using Varlink
          has a major benefit over D-Bus: it works without a broker service,
          and thus already during earliest boot, before the dbus daemon has
          been started. This means name resolution via systemd-resolved now
          works at the same time systemd-networkd operates: from earliest boot
          on, including in the initrd.

        * systemd-resolved gained support for a new DNSStubListenerExtra=
          configuration file setting which may be used to specify additional IP
          addresses the built-in DNS stub shall listen on, in addition to the
          main one on 127.0.0.53:53.

        * Name lookups issued via systemd-resolved's D-Bus and Varlink
          interfaces (and thus also via glibc NSS if nss-resolve is used) will
          now honour a trailing dot in the hostname: if specified the search
          path logic is turned off. Thus "resolvectl query foo." is now
          equivalent to "resolvectl query --search=off foo.".

        * systemd-resolved gained a new D-Bus property "ResolvConfMode" that
          exposes how /etc/resolv.conf is currently managed: by resolved (and
          in which mode if so) or another subsystem. "resolvctl" will display
          this property in its status output.

        * The resolv.conf snippets systemd-resolved provides will now set "."
          as the search domain if no other search domain is known. This turns
          off the derivation of an implicit search domain by nss-dns for the
          hostname, when the hostname is set to an FQDN. This change is done to
          make nss-dns using resolv.conf provided by systemd-resolved behave
          more similarly to nss-resolve.

        * systemd-tmpfiles' file "aging" logic (i.e. the automatic clean-up of
          /tmp/ and /var/tmp/ based on file timestamps) now looks at the
          "birth" time (btime) of a file in addition to the atime, mtime, and
          ctime.

        * systemd-analyze gained a new verb "capability" that lists all known
          capabilities by the systemd build and by the kernel.

        * If a file /usr/lib/clock-epoch exists, PID 1 will read its mtime and
          advance the system clock to it at boot if it is noticed to be before
          that time. Previously, PID 1 would only advance the time to an epoch
          time that is set during build-time. With this new file OS builders
          can change this epoch timestamp on individual OS images without
          having to rebuild systemd.

        * systemd-logind will now listen to the KEY_RESTART key from the Linux
          input layer and reboot the system if it is pressed, similarly to how
          it already handles KEY_POWER, KEY_SUSPEND or KEY_SLEEP. KEY_RESTART
          was originally defined in the Multimedia context (to restart playback
          of a song or film), but is now primarily used in various embedded
          devices for "Reboot" buttons. Accordingly, systemd-logind will now
          honour it as such. This may configured in more detail via the new
          HandleRebootKey= and RebootKeyIgnoreInhibited=.

        * systemd-nspawn/systemd-machined will now reconstruct hardlinks when
          copying OS trees, for example in "systemd-nspawn --ephemeral",
          "systemd-nspawn --template=", "machinectl clone" and similar. This is
          useful when operating with OSTree images, which use hardlinks heavily
          throughout, and where such copies previously resulting in "exploding"
          hardlinks.

        * systemd-nspawn's --console= setting gained support for a new
          "autopipe" value, which is identical to "interactive" when invoked on
          a TTY, and "pipe" otherwise.

        * systemd-networkd's .network files gained support for explicitly
          configuring the multicast membership entries of bridge devices in the
          [BridgeMDB] section. It also gained support for the PIE queuing
          discipline in the [FlowQueuePIE] sections.

        * systemd-networkd's .netdev files may now be used to create "BareUDP"
          tunnels, configured in the new [BareUDP] setting.

        * systemd-networkd's Gateway= setting in .network files now accepts the
          special values "_dhcp4" and "_ipv6ra" to configure additional,
          locally defined, explicit routes to the gateway acquired via DHCP or
          IPv6 Router Advertisements. The old setting "_dhcp" is deprecated,
          but still accepted for backwards compatibility.

        * systemd-networkd's [IPv6PrefixDelegation] section and
          IPv6PrefixDelegation= options have been renamed as [IPv6SendRA] and
          IPv6SendRA= (the old names are still accepted for backwards
          compatibility).

        * systemd-networkd's .network files gained the DHCPv6PrefixDelegation=
          boolean setting in [Network] section. If enabled, the delegated prefix
          gained by another link will be configured, and an address within the
          prefix will be assigned.

        * systemd-networkd's .network files gained the Announce= boolean setting
          in [DHCPv6PrefixDelegation] section. When enabled, the delegated
          prefix will be announced through IPv6 router advertisement (IPv6 RA).
          The setting is enabled by default.

        * VXLAN tunnels may now be marked as independent of any underlying
          network interface via the new Independent= boolean setting.

        * systemctl gained support for two new verbs: "service-log-level" and
          "service-log-target" may be used on services that implement the
          generic org.freedesktop.LogControl1 D-Bus interface to dynamically
          adjust the log level and target. All of systemd's long-running
          services support this now, but ideally all system services would
          implement this interface to make the system more uniformly
          debuggable.

        * The SystemCallErrorNumber= unit file setting now accepts the new
          "kill" and "log" actions, in addition to arbitrary error number
          specifications as before. If "kill" the processes are killed on the
          event, if "log" the offending system call is audit logged.

        * A new SystemCallLog= unit file setting has been added that accepts a
          list of system calls that shall be logged about (audit).

        * The OS image dissection logic (as used by RootImage= in unit files or
          systemd-nspawn's --image= switch) has gained support for identifying
          and mounting explicit /usr/ partitions, which are now defined in the
          discoverable partition specification. This should be useful for
          environments where the root file system is
          generated/formatted/populated dynamically on first boot and combined
          with an immutable /usr/ tree that is supplied by the vendor.

        * In the final phase of shutdown, within the systemd-shutdown binary
          we'll now try to detach MD devices (i.e software RAID) in addition to
          loopback block devices and DM devices as before. This is supposed to
          be a safety net only, in order to increase robustness if things go
          wrong. Storage subsystems are expected to properly detach their
          storage volumes during regular shutdown already (or in case of
          storage backing the root file system: in the initrd hook we return to
          later).

        * If the SYSTEMD_LOG_TID environment variable is set all systemd tools
          will now log the thread ID in their log output. This is useful when
          working with heavily threaded programs.

        * If the SYSTEMD_RDRAND environment variable is set to "0", systemd will
          not use the RDRAND CPU instruction. This is useful in environments
          such as replay debuggers where non-deterministic behaviour is not
          desirable.

        * The autopaging logic in systemd's various tools (such as systemctl)
          has been updated to turn on "secure" mode in "less"
          (i.e. $LESSECURE=1) if execution in a "sudo" environment is
          detected. This disables invoking external programs from the pager,
          via the pipe logic. This behaviour may be overridden via the new
          $SYSTEMD_PAGERSECURE environment variable.

        * Units which have resource limits (.service, .mount, .swap, .slice,
          .socket, and .slice) gained new configuration settings
          ManagedOOMSwap=, ManagedOOMMemoryPressure=, and
          ManagedOOMMemoryPressureLimitPercent= that specify resource pressure
          limits and optional action taken by systemd-oomd.

        * A new service systemd-oomd has been added. It monitors resource
          contention for selected parts of the unit hierarchy using the PSI
          information reported by the kernel, and kills processes when memory
          or swap pressure is above configured limits. This service is only
          enabled by default in developer mode (see below) and should be
          considered a preview in this release. Behaviour details and option
          names are subject to change without the usual backwards-compatibility
          promises.

        * A new helper oomctl has been added to introspect systemd-oomd state.
          It is only enabled by default in developer mode and should be
          considered a preview without the usual backwards-compatibility
          promises.

        * New meson option -Dcompat-mutable-uid-boundaries= has been added. If
          enabled, systemd reads the system UID boundaries from /etc/login.defs
          at runtime, instead of using the built-in values selected during
          build. This is an option to improve compatibility for upgrades from
          old systems. It's strongly recommended not to make use of this
          functionality on new systems (or even enable it during build), as it
          makes something runtime-configurable that is mostly an implementation
          detail of the OS, and permits avoidable differences in deployments
          that create all kinds of problems in the long run.

        * New meson option '-Dmode=developer|release' has been added. When
          'developer', additional checks and features are enabled that are
          relevant during upstream development, e.g. verification that
          semi-automatically-generated documentation has been properly updated
          following API changes. Those checks are considered hints for
          developers and are not actionable in downstream builds. In addition,
          extra features that are not ready for general consumption may be
          enabled in developer mode. It is thus recommended to set
          '-Dmode=release' in end-user and distro builds.

        * systemd-cryptsetup gained support for processing detached LUKS
          headers specified on the kernel command line via the header=
          parameter of the luks.options= kernel command line option. The same
          device/path syntax as for key files is supported for header files
          like this.

        * The "net_id" built-in of udev has been updated to ignore ACPI _SUN
          slot index data for devices that are connected through a PCI bridge
          where the _SUN index is associated with the bridge instead of the
          network device itself. Previously this would create ambiguous device
          naming if multiple network interfaces were connected to the same PCI
          bridge. Since this is a naming scheme incompatibility on systems that
          possess hardware like this it has been introduced as new naming
          scheme "v247". The previous scheme can be selected via the
          "net.naming-scheme=v245" kernel command line parameter.

        * ConditionFirstBoot= semantics have been modified to be safe towards
          abnormal system power-off during first boot. Specifically, the
          "systemd-machine-id-commit.service" service now acts as boot
          milestone indicating when the first boot process is sufficiently
          complete in order to not consider the next following boot also a
          first boot. If the system is reset before this unit is reached the
          first time, the next boot will still be considered a first boot; once
          it has been reached, no further boots will be considered a first
          boot. The "first-boot-complete.target" unit now acts as official hook
          point to order against this. If a service shall be run on every boot
          until the first boot fully succeeds it may thus be ordered before
          this target unit (and pull it in) and carry ConditionFirstBoot=
          appropriately.

        * bootctl's set-default and set-oneshot commands now accept the three
          special strings "@default", "@oneshot", "@current" in place of a boot
          entry id. These strings are resolved to the current default and
          oneshot boot loader entry, as well as the currently booted one. Thus
          a command "bootctl set-default @current" may be used to make the
          currently boot menu item the new default for all subsequent boots.

        * "systemctl edit" has been updated to show the original effective unit
          contents in commented form in the text editor.

        * Units in user mode are now segregated into three new slices:
          session.slice (units that form the core of graphical session),
          app.slice ("normal" user applications), and background.slice
          (low-priority tasks). Unless otherwise configured, user units are
          placed in app.slice. The plan is to add resource limits and
          protections for the different slices in the future.

        * New GPT partition types for RISCV32/64 for the root and /usr
          partitions, and their associated Verity partitions have been defined,
          and are now understood by systemd-gpt-auto-generator, and the OS
          image dissection logic.

        Contributions from: Adolfo Jayme Barrientos, afg, Alec Moskvin, Alyssa
        Ross, Amitanand Chikorde, Andrew Hangsleben, Anita Zhang, Ansgar
        Burchardt, Arian van Putten, Aurelien Jarno, Axel Rasmussen, bauen1,
        Beniamino Galvani, Benjamin Berg, Bjørn Mork, brainrom, Chandradeep
        Dey, Charles Lee, Chris Down, Christian Göttsche, Christof Efkemann,
        Christoph Ruegge, Clemens Gruber, Daan De Meyer, Daniele Medri, Daniel
        Mack, Daniel Rusek, Dan Streetman, David Tardon, Dimitri John Ledkov,
        Dmitry Borodaenko, Elias Probst, Elisei Roca, ErrantSpore, Etienne
        Doms, Fabrice Fontaine, fangxiuning, Felix Riemann, Florian Klink,
        Franck Bui, Frantisek Sumsal, fwSmit, George Rawlinson, germanztz,
        Gibeom Gwon, Glen Whitney, Gogo Gogsi, Göran Uddeborg, Grant Mathews,
        Hans de Goede, Hans Ulrich Niedermann, Haochen Tong, Harald Seiler,
        huangyong, Hubert Kario, igo95862, Ikey Doherty, Insun Pyo, Jan Chren,
        Jan Schlüter, Jérémy Nouhaud, Jian-Hong Pan, Joerg Behrmann, Jonathan
        Lebon, Jörg Thalheim, Josh Brobst, Juergen Hoetzel, Julien Humbert,
        Kai-Chuan Hsieh, Kairui Song, Kamil Dudka, Kir Kolyshkin, Kristijan
        Gjoshev, Kyle Huey, Kyle Russell, Lee Whalen, Lennart Poettering,
        lichangze, Luca Boccassi, Lucas Werkmeister, Luca Weiss, Marc
        Kleine-Budde, Marco Wang, Martin Wilck, Marti Raudsepp, masmullin2000,
        Máté Pozsgay, Matt Fenwick, Michael Biebl, Michael Scherer, Michal
        Koutný, Michal Sekletár, Michal Suchanek, Mikael Szreder, Milo
        Casagrande, mirabilos, Mitsuha_QuQ, mog422, Muhammet Kara, Nazar
        Vinnichuk, Nicholas Narsing, Nicolas Fella, Njibhu, nl6720, Oğuz Ersen,
        Olivier Le Moal, Ondrej Kozina, onlybugreports, Pass Automated Testing
        Suite, Pat Coulthard, Pavel Sapezhko, Pedro Ruiz, perry_yuan, Peter
        Hutterer, Phaedrus Leeds, PhoenixDiscord, Piotr Drąg, Plan C,
        Purushottam choudhary, Rasmus Villemoes, Renaud Métrich, Robert Marko,
        Roman Beranek, Ronan Pigott, Roy Chen (陳彥廷), RussianNeuroMancer,
        Samanta Navarro, Samuel BF, scootergrisen, Sorin Ionescu, Steve Dodd,
        Susant Sahani, Timo Rothenpieler, Tobias Hunger, Tobias Kaufmann, Topi
        Miettinen, vanou, Vito Caputo, Weblate, Wen Yang, Whired Planck,
        williamvds, Yu, Li-Yu, Yuri Chornoivan, Yu Watanabe, Zbigniew
        Jędrzejewski-Szmek, Zmicer Turok, Дамјан Георгиевски

        – Warsaw, 2020-11-26

CHANGES WITH 246:

        * The service manager gained basic support for cgroup v2 freezer. Units
          can now be suspended or resumed either using new systemctl verbs,
          freeze and thaw respectively, or via D-Bus.

        * PID 1 may now automatically load pre-compiled AppArmor policies from
          /etc/apparmor/earlypolicy during early boot.

        * The CPUAffinity= setting in service unit files now supports a new
          special value "numa" that causes the CPU affinity masked to be set
          based on the NUMA mask.

        * systemd will now log about all left-over processes remaining in a
          unit when the unit is stopped. It will now warn about services using
          KillMode=none, as this is generally an unsafe thing to make use of.

        * Two new unit file settings
          ConditionPathIsEncrypted=/AssertPathIsEncrypted= have been
          added. They may be used to check whether a specific file system path
          resides on a block device that is encrypted on the block level
          (i.e. using dm-crypt/LUKS).

        * Another pair of new settings ConditionEnvironment=/AssertEnvironment=
          has been added that may be used for simple environment checks. This
          is particularly useful when passing in environment variables from a
          container manager (or from PAM in case of the systemd --user
          instance).

        * .service unit files now accept a new setting CoredumpFilter= which
          allows configuration of the memory sections coredumps of the
          service's processes shall include.

        * .mount units gained a new ReadWriteOnly= boolean option. If set
          it will not be attempted to mount a file system read-only if mounting
          in read-write mode doesn't succeed. An option x-systemd.rw-only is
          available in /etc/fstab to control the same.

        * .socket units gained a new boolean setting PassPacketInfo=. If
          enabled, the kernel will attach additional per-packet metadata to all
          packets read from the socket, as an ancillary message. This controls
          the IP_PKTINFO, IPV6_RECVPKTINFO, NETLINK_PKTINFO socket options,
          depending on socket type.

        * .service units gained a new setting RootHash= which may be used to
          specify the root hash for verity enabled disk images which are
          specified in RootImage=. RootVerity= may be used to specify a path to
          the Verity data matching a RootImage= file system. (The latter is
          only useful for images that do not contain the Verity data embedded
          into the same image that carries a GPT partition table following the
          Discoverable Partition Specification). Similarly, systemd-nspawn
          gained a new switch --verity-data= that takes a path to a file with
          the verity data of the disk image supplied in --image=, if the image
          doesn't contain the verity data itself.

        * .service units gained a new setting RootHashSignature= which takes
          either a base64 encoded PKCS#7 signature of the root hash specified
          with RootHash=, or a path to a file to read the signature from. This
          allows validation of the root hash against public keys available in
          the kernel keyring, and is only supported on recent kernels
          (>= 5.4)/libcryptsetup (>= 2.30). A similar switch has been added to
          systemd-nspawn and systemd-dissect (--root-hash-sig=). Support for
          this mechanism has also been added to systemd-veritysetup.

        * .service unit files gained two new options
          TimeoutStartFailureMode=/TimeoutStopFailureMode= that may be used to
          tune behaviour if a start or stop timeout is hit, i.e. whether to
          terminate the service with SIGTERM, SIGABRT or SIGKILL.

        * Most options in systemd that accept hexadecimal values prefixed with
          0x in additional to the usual decimal notation now also support octal
          notation when the 0o prefix is used and binary notation if the 0b
          prefix is used.

        * Various command line parameters and configuration file settings that
          configure key or certificate files now optionally take paths to
          AF_UNIX sockets in the file system. If configured that way a stream
          connection is made to the socket and the required data read from
          it. This is a simple and natural extension to the existing regular
          file logic, and permits other software to provide keys or
          certificates via simple IPC services, for example when unencrypted
          storage on disk is not desired. Specifically, systemd-networkd's
          Wireguard and MACSEC key file settings as well as
          systemd-journal-gatewayd's and systemd-journal-remote's PEM
          key/certificate parameters support this now.

        * Unit files, tmpfiles.d/ snippets, sysusers.d/ snippets and other
          configuration files that support specifier expansion learnt six new
          specifiers: %a resolves to the current architecture, %o/%w/%B/%W
          resolve to the various ID fields from /etc/os-release, %l resolves to
          the "short" hostname of the system, i.e. the hostname configured in
          the kernel truncated at the first dot.

        * Support for the .include syntax in unit files has been removed. The
          concept has been obsolete for 6 years and we started warning about
          its pending removal 2 years ago (also see NEWS file below). It's
          finally gone now.

        * StandardError= and StandardOutput= in unit files no longer support
          the "syslog" and "syslog-console" switches. They were long removed
          from the documentation, but will now result in warnings when used,
          and be converted to "journal" and "journal+console" automatically.

        * If the service setting User= is set to the "nobody" user, a warning
          message is now written to the logs (but the value is nonetheless
          accepted). Setting User=nobody is unsafe, since the primary purpose
          of the "nobody" user is to own all files whose owner cannot be mapped
          locally. It's in particular used by the NFS subsystem and in user
          namespacing. By running a service under this user's UID it might get
          read and even write access to all these otherwise unmappable files,
          which is quite likely a major security problem.

        * tmpfs mounts automatically created by systemd (/tmp, /run, /dev/shm,
          and others) now have a size and inode limits applied (50% of RAM for
          /tmp and /dev/shm, 10% of RAM for other mounts, etc.). Please note
          that the implicit kernel default is 50% too, so there is no change
          in the size limit for /tmp and /dev/shm.

        * nss-mymachines lost support for resolution of users and groups, and
          now only does resolution of hostnames. This functionality is now
          provided by nss-systemd. Thus, the 'mymachines' entry should be
          removed from the 'passwd:' and 'group:' lines in /etc/nsswitch.conf
          (and 'systemd' added if it is not already there).

        * A new kernel command line option systemd.hostname= has been added
          that allows controlling the hostname that is initialized early during
          boot.

        * A kernel command line option "udev.blockdev_read_only" has been
          added. If specified all hardware block devices that show up are
          immediately marked as read-only by udev. This option is useful for
          making sure that a specific boot under no circumstances modifies data
          on disk. Use "blockdev --setrw" to undo the effect of this, per
          device.

        * A new boolean kernel command line option systemd.swap= has been
          added, which may be used to turn off automatic activation of swap
          devices listed in /etc/fstab.

        * New kernel command line options systemd.condition-needs-update= and
          systemd.condition-first-boot= have been added, which override the
          result of the ConditionNeedsUpdate= and ConditionFirstBoot=
          conditions.

        * A new kernel command line option systemd.clock-usec= has been added
          that allows setting the system clock to the specified time in µs
          since Jan 1st, 1970 early during boot. This is in particular useful
          in order to make test cases more reliable.

        * The fs.suid_dumpable sysctl is set to 2 / "suidsafe". This allows
          systemd-coredump to save core files for suid processes. When saving
          the core file, systemd-coredump will use the effective uid and gid of
          the process that faulted.

        * The /sys/module/kernel/parameters/crash_kexec_post_notifiers file is
          now automatically set to "Y" at boot, in order to enable pstore
          generation for collection with systemd-pstore.

        * We provide a set of udev rules to enable auto-suspend on PCI and USB
          devices that were tested to correctly support it. Previously, this
          was distributed as a set of udev rules, but has now been replaced by
          by a set of hwdb entries (and a much shorter udev rule to take action
          if the device modalias matches one of the new hwdb entries).

          As before, entries are periodically imported from the database
          maintained by the ChromiumOS project. If you have a device that
          supports auto-suspend correctly and where it should be enabled by
          default, please submit a patch that adds it to the database (see
          /usr/lib/udev/hwdb.d/60-autosuspend.hwdb).

        * systemd-udevd gained the new configuration option timeout_signal= as well
          as a corresponding kernel command line option udev.timeout_signal=.
          The option can be used to configure the UNIX signal that the main
          daemon sends to the worker processes on timeout. Setting the signal
          to SIGABRT is useful for debugging.

        * .link files managed by systemd-udevd gained options RxFlowControl=,
          TxFlowControl=, AutoNegotiationFlowControl= in the [Link] section, in
          order to configure various flow control parameters. They also gained
          RxMiniBufferSize= and RxJumboBufferSize= in order to configure jumbo
          frame ring buffer sizes.

        * networkd.conf gained a new boolean setting ManageForeignRoutes=. If
          enabled systemd-networkd manages all routes configured by other tools.

        * .network files managed by systemd-networkd gained a new section
          [SR-IOV], in order to configure SR-IOV capable network devices.

        * systemd-networkd's [IPv6Prefix] section in .network files gained a
          new boolean setting Assign=. If enabled an address from the prefix is
          automatically assigned to the interface.

        * systemd-networkd gained a new section [DHCPv6PrefixDelegation] which
          controls delegated prefixes assigned by DHCPv6 client. The section
          has three settings: SubnetID=, Assign=, and Token=. The setting
          SubnetID= allows explicit configuration of the preferred subnet that
          systemd-networkd's Prefix Delegation logic assigns to interfaces. If
          Assign= is enabled (which is the default) an address from any acquired
          delegated prefix is automatically chosen and assigned to the
          interface. The setting Token= specifies an optional address generation
          mode for Assign=.

        * systemd-networkd's [Network] section gained a new setting
          IPv4AcceptLocal=. If enabled the interface accepts packets with local
          source addresses.

        * systemd-networkd gained support for configuring the HTB queuing
          discipline in the [HierarchyTokenBucket] and
          [HierarchyTokenBucketClass] sections. Similar the "pfifo" qdisc may
          be configured in the [PFIFO] section, "GRED" in
          [GenericRandomEarlyDetection], "SFB" in [StochasticFairBlue], "cake"
          in [CAKE], "PIE" in [PIE], "DRR" in [DeficitRoundRobinScheduler] and
          [DeficitRoundRobinSchedulerClass], "BFIFO" in [BFIFO],
          "PFIFOHeadDrop" in [PFIFOHeadDrop], "PFIFOFast" in [PFIFOFast], "HHF"
          in [HeavyHitterFilter], "ETS" in [EnhancedTransmissionSelection] and
          "QFQ" in [QuickFairQueueing] and [QuickFairQueueingClass].

        * systemd-networkd gained support for a new Termination= setting in the
          [CAN] section for configuring the termination resistor. It also
          gained a new ListenOnly= setting for controlling whether to only
          listen on CAN interfaces, without interfering with traffic otherwise
          (which is useful for debugging/monitoring CAN network
          traffic). DataBitRate=, DataSamplePoint=, FDMode=, FDNonISO= have
          been added to configure various CAN-FD aspects.

        * systemd-networkd's [DHCPv6] section gained a new option WithoutRA=.
          When enabled, DHCPv6 will be attempted right-away without requiring an
          Router Advertisement packet suggesting it first (i.e. without the 'M'
          or 'O' flags set). The [IPv6AcceptRA] section gained a boolean option
          DHCPv6Client= that may be used to turn off the DHCPv6 client even if
          the RA packets suggest it.

        * systemd-networkd's [DHCPv4] section gained a new setting UseGateway=
          which may be used to turn off use of the gateway information provided
          by the DHCP lease. A new FallbackLeaseLifetimeSec= setting may be
          used to configure how to process leases that lack a lifetime option.

        * systemd-networkd's [DHCPv4] and [DHCPServer] sections gained a new
          setting SendVendorOption= allowing configuration of additional vendor
          options to send in the DHCP requests/responses. The [DHCPv6] section
          gained a new SendOption= setting for sending arbitrary DHCP
          options. RequestOptions= has been added to request arbitrary options
          from the server. UserClass= has been added to set the DHCP user class
          field.

        * systemd-networkd's [DHCPServer] section gained a new set of options
          EmitPOP3=/POP3=, EmitSMTP=/SMTP=, EmitLPR=/LPR= for including server
          information about these three protocols in the DHCP lease. It also
          gained support for including "MUD" URLs ("Manufacturer Usage
          Description"). Support for "MUD" URLs was also added to the LLDP
          stack, configurable in the [LLDP] section in .network files.

        * The Mode= settings in [MACVLAN] and [MACVTAP] now support 'source'
          mode. Also, the sections now support a new setting SourceMACAddress=.

        * systemd-networkd's .netdev files now support a new setting
          VLANProtocol= in the [Bridge] section that allows configuration of
          the VLAN protocol to use.

        * systemd-networkd supports a new Group= setting in the [Link] section
          of the .network files, to control the link group.

        * systemd-networkd's [Network] section gained a new
          IPv6LinkLocalAddressGenerationMode= setting, which specifies how IPv6
          link local address is generated.

        * A new default .network file is now shipped that matches TUN/TAP
          devices that begin with "vt-" in their name. Such interfaces will
          have IP routing onto the host links set up automatically. This is
          supposed to be used by VM managers to trivially acquire a network
          interface which is fully set up for host communication, simply by
          carefully picking an interface name to use.

        * systemd-networkd's [DHCPv6] section gained a new setting RouteMetric=
          which sets the route priority for routes specified by the DHCP server.

        * systemd-networkd's [DHCPv6] section gained a new setting VendorClass=
          which configures the vendor class information sent to DHCP server.

        * The BlackList= settings in .network files' [DHCPv4] and
          [IPv6AcceptRA] sections have been renamed DenyList=. The old names
          are still understood to provide compatibility.

        * networkctl gained the new "forcerenew" command for forcing all DHCP
          server clients to renew their lease. The interface "status" output
          will now show numerous additional fields of information about an
          interface. There are new "up" and "down" commands to bring specific
          interfaces up or down.

        * systemd-resolved's DNS= configuration option now optionally accepts a
          port number (after ":") and a host name (after "#"). When the host
          name is specified, the DNS-over-TLS certificate is validated to match
          the specified hostname. Additionally, in case of IPv6 addresses, an
          interface may be specified (after "%").

        * systemd-resolved may be configured to forward single-label DNS names.
          This is not standard-conformant, but may make sense in setups where
          public DNS servers are not used.

        * systemd-resolved's DNS-over-TLS support gained SNI validation.

        * systemd-nspawn's --resolv-conf= switch gained a number of new
          supported values. Specifically, options starting with "replace-" are
          like those prefixed "copy-" but replace any existing resolv.conf
          file. And options ending in "-uplink" and "-stub" can now be used to
          propagate other flavours of resolv.conf into the container (as
          defined by systemd-resolved).

        * The various programs included in systemd can now optionally output
          their log messages on stderr prefixed with a timestamp, controlled by
          the $SYSTEMD_LOG_TIME environment variable.

        * systemctl gained a new "-P" switch that is a shortcut for "--value
          --property=…".

        * "systemctl list-units" and "systemctl list-machines" no longer hide
          their first output column with --no-legend. To hide the first column,
          use --plain.

        * "systemctl reboot" takes the option "--reboot-argument=".
          The optional positional argument to "systemctl reboot" is now
          being deprecated in favor of this option.

        * systemd-run gained a new switch --slice-inherit. If specified the
          unit it generates is placed in the same slice as the systemd-run
          process itself.

        * systemd-journald gained support for zstd compression of large fields
          in journal files. The hash tables in journal files have been hardened
          against hash collisions. This is an incompatible change and means
          that journal files created with new systemd versions are not readable
          with old versions. If the $SYSTEMD_JOURNAL_KEYED_HASH boolean
          environment variable for systemd-journald.service is set to 0 this
          new hardening functionality may be turned off, so that generated
          journal files remain compatible with older journalctl
          implementations.

        * journalctl will now include a clickable link in the default output for
          each log message for which an URL with further documentation is
          known. This is only supported on terminal emulators that support
          clickable hyperlinks, and is turned off if a pager is used (since
          "less" still doesn't support hyperlinks,
          unfortunately). Documentation URLs may be included in log messages
          either by including a DOCUMENTATION= journal field in it, or by
          associating a journal message catalog entry with the log message's
          MESSAGE_ID, which then carries a "Documentation:" tag.

        * journald.conf gained a new boolean setting Audit= that may be used to
          control whether systemd-journald will enable audit during
          initialization.

        * when systemd-journald's log stream is broken up into multiple lines
          because the PID of the sender changed this is indicated in the
          generated log records via the _LINE_BREAK=pid-change field.

        * journalctl's "-o cat" output mode will now show one or more journal
          fields specified with --output-fields= instead of unconditionally
          MESSAGE=. This is useful to retrieve a very specific set of fields
          without any decoration.

        * The sd-journal.h API gained two new functions:
          sd_journal_enumerate_available_unique() and
          sd_journal_enumerate_available_data() that operate like their
          counterparts that lack the _available_ in the name, but skip items
          that cannot be read and processed by the local implementation
          (i.e. are compressed in an unsupported format or such),

        * coredumpctl gained a new --file= switch, matching the same one in
          journalctl: a specific journal file may be specified to read the
          coredump data from.

        * coredumps collected by systemd-coredump may now be compressed using
          the zstd algorithm.

        * systemd-binfmt gained a new switch --unregister for unregistering all
          registered entries at once. This is now invoked automatically at
          shutdown, so that binary formats registered with the "F" flag will
          not block clean file system unmounting.

        * systemd-notify's --pid= switch gained new values: "parent", "self",
          "auto" for controlling which PID to send to the service manager: the
          systemd-notify process' PID, or the one of the process invoking it.

        * systemd-logind's Session bus object learnt a new method call
          SetType() for temporarily updating the session type of an already
          allocated session. This is useful for upgrading tty sessions to
          graphical ones once a compositor is invoked.

        * systemd-socket-proxy gained a new switch --exit-idle-time= for
          configuring an exit-on-idle time.

        * systemd-repart's --empty= setting gained a new value "create". If
          specified a new empty regular disk image file is created under the
          specified name. Its size may be specified with the new --size=
          option. The latter is also supported without the "create" mode, in
          order to grow existing disk image files to the specified size. These
          two new options are useful when creating or manipulating disk images
          instead of operating on actual block devices.

        * systemd-repart drop-ins now support a new UUID= setting to control
          the UUID to assign to a newly created partition.

        * systemd-repart's SizeMin= per-partition parameter now defaults to 10M
          instead of 0.

        * systemd-repart's Label= setting now support the usual, simple
          specifier expansion.

        * systemd-homed's LUKS backend gained the ability to discard empty file
          system blocks automatically when the user logs out. This is enabled
          by default to ensure that home directories take minimal space when
          logged out but get full size guarantees when logged in. This may be
          controlled with the new --luks-offline-discard= switch to homectl.

        * If systemd-homed detects that /home/ is encrypted as a whole it will
          now default to the directory or subvolume backends instead of the
          LUKS backend, in order to avoid double encryption. The default
          storage and file system may now be configured explicitly, too, via
          the new /etc/systemd/homed.conf configuration file.

        * systemd-homed now supports unlocking home directories with FIDO2
          security tokens that support the 'hmac-secret' extension, in addition
          to the existing support for PKCS#11 security token unlocking
          support. Note that many recent hardware security tokens support both
          interfaces. The FIDO2 support is accessible via homectl's
          --fido2-device= option.

        * homectl's --pkcs11-uri= setting now accepts two special parameters:
          if "auto" is specified and only one suitable PKCS#11 security token
          is plugged in, its URL is automatically determined and enrolled for
          unlocking the home directory. If "list" is specified a brief table of
          suitable PKCS#11 security tokens is shown. Similar, the new
          --fido2-device= option also supports these two special values, for
          automatically selecting and listing suitable FIDO2 devices.

        * The /etc/crypttab tmp option now optionally takes an argument
          selecting the file system to use. Moreover, the default is now
          changed from ext2 to ext4.

        * There's a new /etc/crypttab option "keyfile-erase". If specified the
          key file listed in the same line is removed after use, regardless if
          volume activation was successful or not. This is useful if the key
          file is only acquired transiently at runtime and shall be erased
          before the system continues to boot.

        * There's also a new /etc/crypttab option "try-empty-password". If
          specified, before asking the user for a password it is attempted to
          unlock the volume with an empty password. This is useful for
          installing encrypted images whose password shall be set on first boot
          instead of at installation time.

        * systemd-cryptsetup will now attempt to load the keys to unlock
          volumes with automatically from files in
          /etc/cryptsetup-keys.d/<volume>.key and
          /run/cryptsetup-keys.d/<volume>.key, if any of these files exist.

        * systemd-cryptsetup may now activate Microsoft BitLocker volumes via
          /etc/crypttab, during boot.

        * logind.conf gained a new RuntimeDirectoryInodesMax= setting to
          control the inode limit for the per-user $XDG_RUNTIME_DIR tmpfs
          instance.

        * A new generator systemd-xdg-autostart-generator has been added. It
          generates systemd unit files from XDG autostart .desktop files, and
          may be used to let the systemd user instance manage services that are
          started automatically as part of the desktop session.

        * "bootctl" gained a new verb "reboot-to-firmware" that may be used
          to query and change the firmware's 'reboot into firmware' setup flag.

        * systemd-firstboot gained a new switch --kernel-command-line= that may
          be used to initialize the /etc/kernel/cmdline file of the image. It
          also gained a new switch --root-password-hashed= which is like
          --root-password= but accepts a pre-hashed UNIX password as
          argument. The new option --delete-root-password may be used to unset
          any password for the root user (dangerous!). The --root-shell= switch
          may be used to control the shell to use for the root account. A new
          --force option may be used to override any already set settings with
          the parameters specified on the command line (by default, the tool
          will not override what has already been set before, i.e. is purely
          incremental).

        * systemd-firstboot gained support for a new --image= switch, which is
          similar to --root= but accepts the path to a disk image file, on
          which it then operates.

        * A new sd-path.h API has been added to libsystemd. It provides a
          simple API for retrieving various search paths and primary
          directories for various resources.

        * A new call sd_notify_barrier() has been added to the sd-daemon.h
          API. The call will block until all previously sent sd_notify()
          messages have been processed by the service manager. This is useful
          to remove races caused by a process already having disappeared at the
          time a notification message is processed by the service manager,
          making correct attribution impossible. The systemd-notify tool will
          now make use of this call implicitly, but this can be turned off again
          via the new --no-block switch.

        * When sending a file descriptor (fd) to the service manager to keep
          track of, using the sd_notify() mechanism, a new parameter FDPOLL=0
          may be specified. If passed the service manager will refrain from
          poll()ing on the file descriptor. Traditionally (and when the
          parameter is not specified), the service manager will poll it for
          POLLHUP or POLLERR events, and immediately close the fds in that
          case.

        * The service manager (PID1) gained a new D-Bus method call
          SetShowStatus() which may be used to control whether it shall show
          boot-time status output on the console. This method has a similar
          effect to sending SIGRTMIN+20/SIGRTMIN+21 to PID 1.

        * The sd-bus API gained a number of convenience functions that take
          va_list arguments rather than "...". For example, there's now
          sd_bus_call_methodv() to match sd_bus_call_method(). Those calls make
          it easier to build wrappers that accept variadic arguments and want
          to pass a ready va_list structure to sd-bus.

        * sd-bus vtable entries can have a new SD_BUS_VTABLE_ABSOLUTE_OFFSET
          flag which alters how the userdata pointer to pass to the callbacks
          is determined. When the flag is set, the offset field is converted
          as-is into a pointer, without adding it to the object pointer the
          vtable is associated with.

        * sd-bus now exposes four new functions:
          sd_bus_interface_name_is_valid() + sd_bus_service_name_is_valid() +
          sd_bus_member_name_is_valid() + sd_bus_object_path_is_valid() will
          validate strings to check if they qualify as various D-Bus concepts.

        * The sd-bus API gained the SD_BUS_METHOD_WITH_ARGS(),
          SD_BUS_METHOD_WITH_ARGS_OFFSET() and SD_BUS_SIGNAL_WITH_ARGS() macros
          that simplify adding argument names to D-Bus methods and signals.

        * The man pages for the sd-bus and sd-hwdb APIs have been completed.

        * Various D-Bus APIs of systemd daemons now have man pages that
          document the methods, signals and properties.

        * The expectations on user/group name syntax are now documented in
          detail; documentation on how classic home directories may be
          converted into home directories managed by homed has been added;
          documentation regarding integration of homed/userdb functionality in
          desktops has been added:

              https://systemd.io/USER_NAMES
              https://systemd.io/CONVERTING_TO_HOMED
              https://systemd.io/USERDB_AND_DESKTOPS

        * Documentation for the on-disk Journal file format has been updated
          and has now moved to:

              https://systemd.io/JOURNAL_FILE_FORMAT

        * The interface for containers (https://systemd.io/CONTAINER_INTERFACE)
          has been extended by a set of environment variables that expose
          select fields from the host's os-release file to the container
          payload. Similarly, host's os-release files can be mounted into the
          container underneath /run/host. Together, those mechanisms provide a
          standardized way to expose information about the host to the
          container payload. Both interfaces are implemented in systemd-nspawn.

        * All D-Bus services shipped in systemd now implement the generic
          LogControl1 D-Bus API which allows clients to change log level +
          target of the service during runtime.

        * Only relevant for developers: the mkosi.default symlink has been
          dropped from version control. Please create a symlink to one of the
          distribution-specific defaults in .mkosi/ based on your preference.

        Contributions from: 24bisquitz, Adam Nielsen, Alan Perry, Alexander
        Malafeev, Amitanand.Chikorde, Alin Popa, Alvin Šipraga, Amos Bird,
        Andreas Rammhold, AndreRH, Andrew Doran, Anita Zhang, Ankit Jain,
        antznin, Arnaud Ferraris, Arthur Moraes do Lago, Arusekk, Balaji
        Punnuru, Balint Reczey, Bastien Nocera, bemarek, Benjamin Berg,
        Benjamin Dahlhoff, Benjamin Robin, Chris Down, Chris Kerr, Christian
        Göttsche, Christian Hesse, Christian Oder, Ciprian Hacman, Clinton Roy,
        codicodi, Corey Hinshaw, Daan De Meyer, Dana Olson, Dan Callaghan,
        Daniel Fullmer, Daniel Rusek, Dan Streetman, Dave Reisner, David
        Edmundson, David Wood, Denis Pronin, Diego Escalante Urrelo, Dimitri
        John Ledkov, dolphrundgren, duguxy, Einsler Lee, Elisei Roca, Emmanuel
        Garette, Eric Anderson, Eric DeVolder, Evgeny Vereshchagin,
        ExtinctFire, fangxiuning, Ferran Pallarès Roca, Filipe Brandenburger,
        Filippo Falezza, Finn, Florian Klink, Florian Mayer, Franck Bui,
        Frantisek Sumsal, gaurav, Georg Müller, Gergely Polonkai, Giedrius
        Statkevičius, Gigadoc2, gogogogi, Gaurav Singh, gzjsgdsb, Hans de
        Goede, Haochen Tong, ianhi, ignapk, Jakov Smolic, James T. Lee, Jan
        Janssen, Jan Klötzke, Jan Palus, Jay Burger, Jeremy Cline, Jérémy
        Rosen, Jian-Hong Pan, Jiri Slaby, Joel Shapiro, Joerg Behrmann, Jörg
        Thalheim, Jouke Witteveen, Kai-Heng Feng, Kenny Levinsen, Kevin
        Kuehler, Kumar Kartikeya Dwivedi, layderv, laydervus, Lénaïc Huard,
        Lennart Poettering, Lidong Zhong, Luca Boccassi, Luca BRUNO, Lucas
        Werkmeister, Lukas Klingsbo, Lukáš Nykrýn, Łukasz Stelmach, Maciej
        S. Szmigiero, MadMcCrow, Marc-André Lureau, Marcel Holtmann, Marc
        Kleine-Budde, Martin Hundebøll, Matthew Leeds, Matt Ranostay, Maxim
        Fomin, MaxVerevkin, Michael Biebl, Michael Chapman, Michael Gubbels,
        Michael Marley, Michał Bartoszkiewicz, Michal Koutný, Michal Sekletár,
        Mike Gilbert, Mike Kazantsev, Mikhail Novosyolov, ml, Motiejus Jakštys,
        nabijaczleweli, nerdopolis, Niccolò Maggioni, Niklas Hambüchen, Norbert
        Lange, Paul Cercueil, pelzvieh, Peter Hutterer, Piero La Terza, Pieter
        Lexis, Piotr Drąg, Rafael Fontenelle, Richard Petri, Ronan Pigott, Ross
        Lagerwall, Rubens Figueiredo, satmandu, Sean-StarLabs, Sebastian
        Jennen, sterlinghughes, Surhud More, Susant Sahani, szb512, Thomas
        Haller, Tobias Hunger, Tom, Tomáš Pospíšek, Tomer Shechner, Tom Hughes,
        Topi Miettinen, Tudor Roman, Uwe Kleine-König, Valery0xff, Vito Caputo,
        Vladimir Panteleev, Vladyslav Tronko, Wen Yang, Yegor Vialov, Yigal
        Korman, Yi Gao, YmrDtnJu, Yuri Chornoivan, Yu Watanabe, Zbigniew
        Jędrzejewski-Szmek, Zhu Li, Дамјан Георгиевски, наб

        – Warsaw, 2020-07-30

CHANGES WITH 245:

        * A new tool "systemd-repart" has been added, that operates as an
          idempotent declarative repartitioner for GPT partition tables.
          Specifically, a set of partitions that must or may exist can be
          configured via drop-in files, and during every boot the partition
          table on disk is compared with these files, creating missing
          partitions or growing existing ones based on configurable relative
          and absolute size constraints. The tool is strictly incremental,
          i.e. does not delete, shrink or move partitions, but only adds and
          grows them. The primary use-case is OS images that ship in minimized
          form, that on first boot are grown to the size of the underlying
          block device or augmented with additional partitions. For example,
          the root partition could be extended to cover the whole disk, or a
          swap or /home partitions could be added on first boot. It can also be
          used for systems that use an A/B update scheme but ship images with
          just the A partition, with B added on first boot. The tool is
          primarily intended to be run in the initrd, shortly before
          transitioning into the host OS, but can also be run after the
          transition took place. It automatically discovers the disk backing
          the root file system, and should hence not require any additional
          configuration besides the partition definition drop-ins. If no
          configuration drop-ins are present, no action is taken.

        * A new component "userdb" has been added, along with a small daemon
          "systemd-userdbd.service" and a client tool "userdbctl". The framework
          allows defining rich user and group records in a JSON format,
          extending on the classic "struct passwd" and "struct group"
          structures. Various components in systemd have been updated to
          process records in this format, including systemd-logind and
          pam-systemd. The user records are intended to be extensible, and
          allow setting various resource management, security and runtime
          parameters that shall be applied to processes and sessions of the
          user as they log in. This facility is intended to allow associating
          such metadata directly with user/group records so that they can be
          produced, extended and consumed in unified form. We hope that
          eventually frameworks such as sssd will generate records this way, so
          that for the first time resource management and various other
          per-user settings can be configured in LDAP directories and then
          provided to systemd (specifically to systemd-logind and pam-system)
          to apply on login. For further details see:

          https://systemd.io/USER_RECORD
          https://systemd.io/GROUP_RECORD
          https://systemd.io/USER_GROUP_API

        * A small new service systemd-homed.service has been added, that may be
          used to securely manage home directories with built-in encryption.
          The complete user record data is unified with the home directory,
          thus making home directories naturally migratable. Its primary
          back-end is based on LUKS volumes, but fscrypt, plain directories,
          and other storage schemes are also supported. This solves a couple of
          problems we saw with traditional ways to manage home directories, in
          particular when it comes to encryption. For further discussion of
          this, see the video of Lennart's talk at AllSystemsGo! 2019:

          https://media.ccc.de/v/ASG2019-164-reinventing-home-directories

          For further details about the format and expectations on home
          directories this new daemon makes, see:

          https://systemd.io/HOME_DIRECTORY

        * systemd-journald is now multi-instantiable. In addition to the main
          instance systemd-journald.service there's now a template unit
          systemd-journald@.service, with each instance defining a new named
          log 'namespace' (whose name is specified via the instance part of the
          unit name). A new unit file setting LogNamespace= has been added,
          taking such a namespace name, that assigns services to the specified
          log namespaces. As each log namespace is serviced by its own
          independent journal daemon, this functionality may be used to improve
          performance and increase isolation of applications, at the price of
          losing global message ordering. Each instance of journald has a
          separate set of configuration files, with possibly different disk
          usage limitations and other settings.

          journalctl now takes a new option --namespace= to show logs from a
          specific log namespace. The sd-journal.h API gained
          sd_journal_open_namespace() for opening the log stream of a specific
          log namespace. systemd-journald also gained the ability to exit on
          idle, which is useful in the context of log namespaces, as this means
          log daemons for log namespaces can be activated automatically on
          demand and will stop automatically when no longer used, minimizing
          resource usage.

        * When systemd-tmpfiles copies a file tree using the 'C' line type it
          will now label every copied file according to the SELinux database.

        * When systemd/PID 1 detects it is used in the initrd it will now boot
          into initrd.target rather than default.target by default. This should
          make it simpler to build initrds with systemd as for many cases the
          only difference between a host OS image and an initrd image now is
          the presence of the /etc/initrd-release file.

        * A new kernel command line option systemd.cpu_affinity= is now
          understood. It's equivalent to the CPUAffinity= option in
          /etc/systemd/system.conf and allows setting the CPU mask for PID 1
          itself and the default for all other processes.

        * When systemd/PID 1 is reloaded (with systemctl daemon-reload or
          equivalent), the SELinux database is now reloaded, ensuring that
          sockets and other file system objects are generated taking the new
          database into account.

        * systemd/PID 1 accepts a new "systemd.show-status=error" setting, and
          "quiet" has been changed to imply that instead of
          "systemd.show-status=auto". In this mode, only messages about errors
          and significant delays in boot are shown on the console.

        * The sd-event.h API gained native support for the new Linux "pidfd"
          concept. This permits watching processes using file descriptors
          instead of PID numbers, which fixes a number of races and makes
          process supervision more robust and efficient. All of systemd's
          components will now use pidfds if the kernel supports it for process
          watching, with the exception of PID 1 itself, unfortunately. We hope
          to move PID 1 to exclusively using pidfds too eventually, but this
          requires some more kernel work first. (Background: PID 1 watches
          processes using waitid() with the P_ALL flag, and that does not play
          together nicely with pidfds yet.)

        * Closely related to this, the sd-event.h API gained two new calls
          sd_event_source_send_child_signal() (for sending a signal to a
          watched process) and sd_event_source_get_child_process_own() (for
          marking a process so that it is killed automatically whenever the
          event source watching it is freed).

        * systemd-networkd gained support for configuring Token Bucket Filter
          (TBF) parameters in its qdisc configuration support. Similarly,
          support for Stochastic Fairness Queuing (SFQ), Controlled-Delay
          Active Queue Management (CoDel), and Fair Queue (FQ) has been added.

        * systemd-networkd gained support for Intermediate Functional Block
          (IFB) network devices.

        * systemd-networkd gained support for configuring multi-path IP routes,
          using the new MultiPathRoute= setting in the [Route] section.

        * systemd-networkd's DHCPv4 client has been updated to support a new
          SendDecline= option. If enabled, duplicate address detection is done
          after a DHCP offer is received from the server. If a conflict is
          detected, the address is declined. The DHCPv4 client also gained
          support for a new RouteMTUBytes= setting that allows to configure the
          MTU size to be used for routes generated from DHCPv4 leases.

        * The PrefixRoute= setting in systemd-networkd's [Address] section of
          .network files has been deprecated, and replaced by AddPrefixRoute=,
          with its sense inverted.

        * The Gateway= setting of [Route] sections of .network files gained
          support for a special new value "_dhcp". If set, the configured
          static route uses the gateway host configured via DHCP.

        * New User= and SuppressPrefixLength= settings have been implemented
          for the [RoutingPolicyRule] section of .network files to configure
          source routing based on UID ranges and prefix length, respectively.

        * The Type= match property of .link files has been generalized to
          always match the device type shown by 'networkctl status', even for
          devices where udev does not set DEVTYPE=. This allows e.g. Type=ether
          to be used.

        * sd-bus gained a new API call sd_bus_message_sensitive() that marks a
          D-Bus message object as "sensitive". Those objects are erased from
          memory when they are freed. This concept is intended to be used for
          messages that contain security sensitive data. A new flag
          SD_BUS_VTABLE_SENSITIVE has been introduced as well to mark methods
          in sd-bus vtables, causing any incoming and outgoing messages of
          those methods to be implicitly marked as "sensitive".

        * sd-bus gained a new API call sd_bus_message_dump() for dumping the
          contents of a message (or parts thereof) to standard output for
          debugging purposes.

        * systemd-sysusers gained support for creating users with the primary
          group named differently than the user.

        * systemd-growfs (i.e. the x-systemd.growfs mount option in /etc/fstab)
          gained support for growing XFS partitions. Previously it supported
          only ext4 and btrfs partitions.

        * The support for /etc/crypttab gained a new x-initrd.attach option. If
          set, the specified encrypted volume is unlocked already in the
          initrd. This concept corresponds to the x-initrd.mount option in
          /etc/fstab.

        * systemd-cryptsetup gained native support for unlocking encrypted
          volumes utilizing PKCS#11 smartcards, i.e. for example to bind
          encryption of volumes to YubiKeys. This is exposed in the new
          pkcs11-uri= option in /etc/crypttab.

        * The /etc/fstab support in systemd now supports two new mount options
          x-systemd.{required,wanted}-by=, for explicitly configuring the units
          that the specified mount shall be pulled in by, in place of
          the usual local-fs.target/remote-fs.target.

        * The https://systemd.io/ web site has been relaunched, directly
          populated with most of the documentation included in the systemd
          repository. systemd also acquired a new logo, thanks to Tobias
          Bernard.

        * systemd-udevd gained support for managing "alternative" network
          interface names, as supported by new Linux kernels. For the first
          time this permits assigning multiple (and longer!) names to a network
          interface. systemd-udevd will now by default assign the names
          generated via all supported naming schemes to each interface. This
          may be further tweaked with .link files and the AlternativeName= and
          AlternativeNamesPolicy= settings. Other components of systemd have
          been updated to support the new alternative names wherever
          appropriate. For example, systemd-nspawn will now generate
          alternative interface names for the host-facing side of container
          veth links based on the full container name without truncation.

        * systemd-nspawn interface naming logic has been updated in another way
          too: if the main interface name (i.e. as opposed to new-style
          "alternative" names) based on the container name is truncated, a
          simple hashing scheme is used to give different interface names to
          multiple containers whose names all begin with the same prefix. Since
          this changes the primary interface names pointing to containers if
          truncation happens, the old scheme may still be requested by
          selecting an older naming scheme, via the net.naming-scheme= kernel
          command line option.

        * PrivateUsers= in service files now works in services run by the
          systemd --user per-user instance of the service manager.

        * A new per-service sandboxing option ProtectClock= has been added that
          locks down write access to the system clock. It takes away device
          node access to /dev/rtc as well as the system calls that set the
          system clock and the CAP_SYS_TIME and CAP_WAKE_ALARM capabilities.
          Note that this option does not affect access to auxiliary services
          that allow changing the clock, for example access to
          systemd-timedated.

        * The systemd-id128 tool gained a new "show" verb for listing or
          resolving a number of well-known UUIDs/128bit IDs, currently mostly
          GPT partition table types.

        * The Discoverable Partitions Specification has been updated to support
          /var and /var/tmp partition discovery. Support for this has been
          added to systemd-gpt-auto-generator. For details see:

          https://systemd.io/DISCOVERABLE_PARTITIONS

        * "systemctl list-unit-files" has been updated to show a new column
          with the suggested enablement state based on the vendor preset files
          for the respective units.

        * "systemctl" gained a new option "--with-dependencies". If specified
          commands such as "systemctl status" or "systemctl cat" will now show
          all specified units along with all units they depend on.

        * networkctl gained support for showing per-interface logs in its
          "status" output.

        * systemd-networkd-wait-online gained support for specifying the maximum
          operational state to wait for, and to wait for interfaces to
          disappear.

        * The [Match] section of .link and .network files now supports a new
          option PermanentMACAddress= which may be used to check against the
          permanent MAC address of a network device even if a randomized MAC
          address is used.

        * The [TrafficControlQueueingDiscipline] section in .network files has
          been renamed to [NetworkEmulator] with the "NetworkEmulator" prefix
          dropped from the individual setting names.

        * Any .link and .network files that have an empty [Match] section (this
          also includes empty and commented-out files) will now be
          rejected. systemd-udev and systemd-networkd started warning about
          such files in version 243.

        * systemd-logind will now validate access to the operation of changing
          the virtual terminal via a polkit action. By default, only users
          with at least one session on a local VT are granted permission.

        * When systemd sets up PAM sessions that invoked service processes
          shall run in, the pam_setcred() API is now invoked, thus permitting
          PAM modules to set additional credentials for the processes.

        * portablectl attach/detach verbs now accept --now and --enable options
          to combine attachment with enablement and invocation, or detachment
          with stopping and disablement.

        * UPGRADE ISSUE: a bug where some jobs were trimmed as redundant was
          fixed, which in turn exposed bugs in unit configuration of services
          which have Type=oneshot and should only run once, but do not have
          RemainAfterExit=yes set. Without RemainAfterExit=yes, a one-shot
          service may be started again after exiting successfully, for example
          as a dependency in another transaction. Affected services included
          some internal systemd services (most notably
          systemd-vconsole-setup.service, which was updated to have
          RemainAfterExit=yes), and plymouth-start.service. Please ensure that
          plymouth has been suitably updated or patched before upgrading to
          this systemd release. See
          https://bugzilla.redhat.com/show_bug.cgi?id=1807771 for some
          additional discussion.

        Contributions from: AJ Bagwell, Alin Popa, Andreas Rammhold, Anita
        Zhang, Ansgar Burchardt, Antonio Russo, Arian van Putten, Ashley Davis,
        Balint Reczey, Bart Willems, Bastien Nocera, Benjamin Dahlhoff, Charles
        (Chas) Williams, cheese1, Chris Down, Chris Murphy, Christian Ehrhardt,
        Christian Göttsche, cvoinf, Daan De Meyer, Daniele Medri, Daniel Rusek,
        Daniel Shahaf, Dann Frazier, Dan Streetman, Dariusz Gadomski, David
        Michael, Dimitri John Ledkov, Emmanuel Bourg, Evgeny Vereshchagin,
        ezst036, Felipe Sateler, Filipe Brandenburger, Florian Klink, Franck
        Bui, Fran Dieguez, Frantisek Sumsal, Greg "GothAck" Miell, Guilhem
        Lettron, Guillaume Douézan-Grard, Hans de Goede, HATAYAMA Daisuke, Iain
        Lane, James Buren, Jan Alexander Steffens (heftig), Jérémy Rosen, Jin
        Park, Jun'ichi Nomura, Kai Krakow, Kevin Kuehler, Kevin P. Fleming,
        Lennart Poettering, Leonid Bloch, Leonid Evdokimov, lothrond, Luca
        Boccassi, Lukas K, Lynn Kirby, Mario Limonciello, Mark Deneen, Matthew
        Leeds, Michael Biebl, Michal Koutný, Michal Sekletár, Mike Auty, Mike
        Gilbert, mtron, nabijaczleweli, Naïm Favier, Nate Jones, Norbert Lange,
        Oliver Giles, Paul Davey, Paul Menzel, Peter Hutterer, Piotr Drąg, Rafa
        Couto, Raphael, rhn, Robert Scheck, Rocka, Romain Naour, Ryan Attard,
        Sascha Dewald, Shengjing Zhu, Slava Kardakov, Spencer Michaels, Sylvain
        Plantefeve, Stanislav Angelovič, Susant Sahani, Thomas Haller, Thomas
        Schmitt, Timo Schlüßler, Timo Wilken, Tobias Bernard, Tobias Klauser,
        Tobias Stoeckmann, Topi Miettinen, tsia, WataruMatsuoka, Wieland
        Hoffmann, Wilhelm Schuster, Will Fleming, xduugu, Yong Cong Sin, Yuri
        Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zeyu
        DONG

        – Warsaw, 2020-03-06

CHANGES WITH 244:

        * Support for the cpuset cgroups v2 controller has been added.
          Processes may be restricted to specific CPUs using the new
          AllowedCPUs= setting, and to specific memory NUMA nodes using the new
          AllowedMemoryNodes= setting.

        * The signal used in restart jobs (as opposed to e.g. stop jobs) may
          now be configured using a new RestartKillSignal= setting. This
          allows units which signals to request termination to implement
          different behaviour when stopping in preparation for a restart.

        * "systemctl clean" may now be used also for socket, mount, and swap
          units.

        * systemd will also read configuration options from the EFI variable
          SystemdOptions. This may be used to configure systemd behaviour when
          modifying the kernel command line is inconvenient, but configuration
          on disk is read too late, for example for the options related to
          cgroup hierarchy setup. 'bootctl systemd-efi-options' may be used to
          set the EFI variable.

        * systemd will now disable printk ratelimits in early boot. This should
          allow us to capture more logs from the early boot phase where normal
          storage is not available and the kernel ring buffer is used for
          logging. Configuration on the kernel command line has higher priority
          and overrides the systemd setting.

          systemd programs which log to /dev/kmsg directly use internal
          ratelimits to prevent runaway logging. (Normally this is only used
          during early boot, so in practice this change has very little
          effect.)

        * Unit files now support top level dropin directories of the form
          <unit_type>.d/ (e.g. service.d/) that may be used to add configuration
          that affects all corresponding unit files.

        * systemctl gained support for 'stop --job-mode=triggering' which will
          stop the specified unit and any units which could trigger it.

        * Unit status display now includes units triggering and triggered by
          the unit being shown.

        * The RuntimeMaxSec= setting is now supported by scopes, not just
          .service units. This is particularly useful for PAM sessions which
          create a scope unit for the user login. systemd.runtime_max_sec=
          setting may used with the pam_systemd module to limit the duration
          of the PAM session, for example for time-limited logins.

        * A new @pkey system call group is now defined to make it easier to
          allow-list memory protection syscalls for containers and services
          which need to use them.

        * systemd-udevd: removed the 30s timeout for killing stale workers on
          exit. systemd-udevd now waits for workers to finish. The hard-coded
          exit timeout of 30s was too short for some large installations, where
          driver initialization could be prematurely interrupted during initrd
          processing if the root file system had been mounted and init was
          preparing to switch root. If udevd is run without systemd and workers
          are hanging while udevd receives an exit signal, udevd will now exit
          when udev.event_timeout is reached for the last hanging worker. With
          systemd, the exit timeout can additionally be configured using
          TimeoutStopSec= in systemd-udevd.service.

        * udev now provides a program (fido_id) that identifies FIDO CTAP1
          ("U2F")/CTAP2 security tokens based on the usage declared in their
          report and descriptor and outputs suitable environment variables.
          This replaces the externally maintained allow lists of all known
          security tokens that were used previously.

        * Automatically generated autosuspend udev rules for allow-listed
          devices have been imported from the Chromium OS project. This should
          improve power saving with many more devices.

        * udev gained a new "CONST{key}=value" setting that allows matching
          against system-wide constants without forking a helper binary.
          Currently "arch" and "virt" keys are supported.

        * udev now opens CDROMs in non-exclusive mode when querying their
          capabilities. This should fix issues where other programs trying to
          use the CDROM cannot gain access to it, but carries a risk of
          interfering with programs writing to the disk, if they did not open
          the device in exclusive mode as they should.

        * systemd-networkd does not create a default route for IPv4 link local
          addressing anymore. The creation of the route was unexpected and was
          breaking routing in various cases, but people who rely on it being
          created implicitly will need to adjust. Such a route may be requested
          with DefaultRouteOnDevice=yes.

          Similarly, systemd-networkd will not assign a link-local IPv6 address
          when IPv6 link-local routing is not enabled.

        * Receive and transmit buffers may now be configured on links with
          the new RxBufferSize= and TxBufferSize= settings.

        * systemd-networkd may now advertise additional IPv6 routes. A new
          [IPv6RoutePrefix] section with Route= and LifetimeSec= options is
          now supported.

        * systemd-networkd may now configure "next hop" routes using the
          [NextHop] section and Gateway= and Id= settings.

        * systemd-networkd will now retain DHCP config on restarts by default
          (but this may be overridden using the KeepConfiguration= setting).
          The default for SendRelease= has been changed to true.

        * The DHCPv4 client now uses the OPTION_INFORMATION_REFRESH_TIME option
          received from the server.

          The client will use the received SIP server list if UseSIP=yes is
          set.

          The client may be configured to request specific options from the
          server using a new RequestOptions= setting.

          The client may be configured to send arbitrary options to the server
          using a new SendOption= setting.

          A new IPServiceType= setting has been added to configure the "IP
          service type" value used by the client.

        * The DHCPv6 client learnt a new PrefixDelegationHint= option to
          request prefix hints in the DHCPv6 solicitation.

        * The DHCPv4 server may be configured to send arbitrary options using
          a new SendOption= setting.

        * The DHCPv4 server may now be configured to emit SIP server list using
          the new EmitSIP= and SIP= settings.

        * systemd-networkd and networkctl may now renew DHCP leases on demand.
          networkctl has a new 'networkctl renew' verb.

        * systemd-networkd may now reconfigure links on demand. networkctl
          gained two new verbs: "reload" will reload the configuration, and
          "reconfigure DEVICE…" will reconfigure one or more devices.

        * .network files may now match on SSID and BSSID of a wireless network,
          i.e. the access point name and hardware address using the new SSID=
          and BSSID= options. networkctl will display the current SSID and
          BSSID for wireless links.

          .network files may also match on the wireless network type using the
          new WLANInterfaceType= option.

        * systemd-networkd now includes default configuration that enables
          link-local addressing when connected to an ad-hoc wireless network.

        * systemd-networkd may configure the Traffic Control queueing
          disciplines in the kernel using the new
          [TrafficControlQueueingDiscipline] section and Parent=,
          NetworkEmulatorDelaySec=, NetworkEmulatorDelayJitterSec=,
          NetworkEmulatorPacketLimit=, NetworkEmulatorLossRate=,
          NetworkEmulatorDuplicateRate= settings.

        * systemd-tmpfiles gained a new w+ setting to append to files.

        * systemd-analyze dump will now report when the memory configuration in
          the kernel does not match what systemd has configured (usually,
          because some external program has modified the kernel configuration
          on its own).

        * systemd-analyze gained a new --base-time= switch instructs the
          'calendar' verb to resolve times relative to that timestamp instead
          of the present time.

        * journalctl --update-catalog now produces deterministic output (making
          reproducible image builds easier).

        * A new devicetree-overlay setting is now documented in the Boot Loader
          Specification.

        * The default value of the WatchdogSec= setting used in systemd
          services (the ones bundled with the project itself) may be set at
          configuration time using the -Dservice-watchdog= setting. If set to
          empty, the watchdogs will be disabled.

        * systemd-resolved validates IP addresses in certificates now when GnuTLS
          is being used.

        * libcryptsetup >= 2.0.1 is now required.

        * A configuration option -Duser-path= may be used to override the $PATH
          used by the user service manager. The default is again to use the same
          path as the system manager.

        * The systemd-id128 tool gained a new switch "-u" (or "--uuid") for
          outputting the 128bit IDs in UUID format (i.e. in the "canonical
          representation").

        * Service units gained a new sandboxing option ProtectKernelLogs= which
          makes sure the program cannot get direct access to the kernel log
          buffer anymore, i.e. the syslog() system call (not to be confused
          with the API of the same name in libc, which is not affected), the
          /proc/kmsg and /dev/kmsg nodes and the CAP_SYSLOG capability are made
          inaccessible to the service. It's recommended to enable this setting
          for all services that should not be able to read from or write to the
          kernel log buffer, which are probably almost all.

        Contributions from: Aaron Plattner, Alcaro, Anita Zhang, Balint Reczey,
        Bastien Nocera, Baybal Ni, Benjamin Bouvier, Benjamin Gilbert, Carlo
        Teubner, cbzxt, Chen Qi, Chris Down, Christian Rebischke, Claudio
        Zumbo, ClydeByrdIII, crashfistfight, Cyprien Laplace, Daniel Edgecumbe,
        Daniel Gorbea, Daniel Rusek, Daniel Stuart, Dan Streetman, David
        Pedersen, David Tardon, Dimitri John Ledkov, Dominique Martinet, Donald
        A. Cupp Jr, Evgeny Vereshchagin, Fabian Henneke, Filipe Brandenburger,
        Franck Bui, Frantisek Sumsal, Georg Müller, Hans de Goede, Haochen
        Tong, HATAYAMA Daisuke, Iwan Timmer, Jan Janssen, Jan Kundrát, Jan
        Synacek, Jan Tojnar, Jay Strict, Jérémy Rosen, Jóhann B. Guðmundsson,
        Jonas Jelten, Jonas Thelemann, Justin Trudell, J. Xing, Kai-Heng Feng,
        Kenneth D'souza, Kevin Becker, Kevin Kuehler, Lennart Poettering,
        Léonard Gérard, Lorenz Bauer, Luca Boccassi, Maciej Stanczew, Mario
        Limonciello, Marko Myllynen, Mark Stosberg, Martin Wilck, matthiasroos,
        Michael Biebl, Michael Olbrich, Michael Tretter, Michal Sekletar,
        Michal Sekletár, Michal Suchanek, Mike Gilbert, Mike Kazantsev, Nicolas
        Douma, nikolas, Norbert Lange, pan93412, Pascal de Bruijn, Paul Menzel,
        Pavel Hrdina, Peter Wu, Philip Withnall, Piotr Drąg, Rafael Fontenelle,
        Renaud Métrich, Riccardo Schirone, RoadrunnerWMC, Ronan Pigott, Ryan
        Attard, Sebastian Wick, Serge, Siddharth Chandrasekara, Steve Ramage,
        Steve Traylen, Susant Sahani, Thibault Nélis, Tim Teichmann, Tom
        Fitzhenry, Tommy J, Torsten Hilbrich, Vito Caputo, ypf791, Yu Watanabe,
        Zach Smith, Zbigniew Jędrzejewski-Szmek

        – Warsaw, 2019-11-29

CHANGES WITH 243:

        * This release enables unprivileged programs (i.e. requiring neither
          setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests
          by turning on the "net.ipv4.ping_group_range" sysctl of the Linux
          kernel for the whole UNIX group range, i.e. all processes. This
          change should be reasonably safe, as the kernel support for it was
          specifically implemented to allow safe access to ICMP Echo for
          processes lacking any privileges. If this is not desirable, it can be
          disabled again by setting the parameter to "1 0".

        * Previously, filters defined with SystemCallFilter= would have the
          effect that any calling of an offending system call would terminate
          the calling thread. This behaviour never made much sense, since
          killing individual threads of unsuspecting processes is likely to
          create more problems than it solves. With this release the default
          action changed from killing the thread to killing the whole
          process. For this to work correctly both a kernel version (>= 4.14)
          and a libseccomp version (>= 2.4.0) supporting this new seccomp
          action is required. If an older kernel or libseccomp is used the old
          behaviour continues to be used. This change does not affect any
          services that have no system call filters defined, or that use
          SystemCallErrorNumber= (and thus see EPERM or another error instead
          of being killed when calling an offending system call). Note that
          systemd documentation always claimed that the whole process is
          killed. With this change behaviour is thus adjusted to match the
          documentation.

        * On 64 bit systems, the "kernel.pid_max" sysctl is now bumped to
          4194304 by default, i.e. the full 22bit range the kernel allows, up
          from the old 16bit range. This should improve security and
          robustness, as PID collisions are made less likely (though certainly
          still possible). There are rumours this might create compatibility
          problems, though at this moment no practical ones are known to
          us. Downstream distributions are hence advised to undo this change in
          their builds if they are concerned about maximum compatibility, but
          for everybody else we recommend leaving the value bumped. Besides
          improving security and robustness this should also simplify things as
          the maximum number of allowed concurrent tasks was previously bounded
          by both "kernel.pid_max" and "kernel.threads-max" and now effectively
          only a single knob is left ("kernel.threads-max"). There have been
          concerns that usability is affected by this change because larger PID
          numbers are harder to type, but we believe the change from 5 digits
          to 7 digits doesn't hamper usability.

        * MemoryLow= and MemoryMin= gained hierarchy-aware counterparts,
          DefaultMemoryLow= and DefaultMemoryMin=, which can be used to
          hierarchically set default memory protection values for a particular
          subtree of the unit hierarchy.

        * Memory protection directives can now take a value of zero, allowing
          explicit opting out of a default value propagated by an ancestor.

        * systemd now defaults to the "unified" cgroup hierarchy setup during
          build-time, i.e. -Ddefault-hierarchy=unified is now the build-time
          default. Previously, -Ddefault-hierarchy=hybrid was the default. This
          change reflects the fact that cgroupsv2 support has matured
          substantially in both systemd and in the kernel, and is clearly the
          way forward. Downstream production distributions might want to
          continue to use -Ddefault-hierarchy=hybrid (or even =legacy) for
          their builds as unfortunately the popular container managers have not
          caught up with the kernel API changes.

        * Man pages are not built by default anymore (html pages were already
          disabled by default), to make development builds quicker. When
          building systemd for a full installation with documentation, meson
          should be called with -Dman=true and/or -Dhtml=true as appropriate.
          The default was changed based on the assumption that quick one-off or
          repeated development builds are much more common than full optimized
          builds for installation, and people need to pass various other
          options to when doing "proper" builds anyway, so the gain from making
          development builds quicker is bigger than the one time disruption for
          packagers.

          Two scripts are created in the *build* directory to generate and
          preview man and html pages on demand, e.g.:

          build/man/man systemctl
          build/man/html systemd.index

        * libidn2 is used by default if both libidn2 and libidn are installed.
          Please use -Dlibidn=true if libidn is preferred.

        * The D-Bus "wire format" of the CPUAffinity= attribute is changed on
          big-endian machines. Before, bytes were written and read in native
          machine order as exposed by the native libc __cpu_mask interface.
          Now, little-endian order is always used (CPUs 0–7 are described by
          bits 0–7 in byte 0, CPUs 8–15 are described by byte 1, and so on).
          This change fixes D-Bus calls that cross endianness boundary.

          The presentation format used for CPUAffinity= by "systemctl show" and
          "systemd-analyze dump" is changed to present CPU indices instead of
          the raw __cpu_mask bitmask. For example, CPUAffinity=0-1 would be
          shown as CPUAffinity=03000000000000000000000000000… (on
          little-endian) or CPUAffinity=00000000000000300000000000000… (on
          64-bit big-endian), and is now shown as CPUAffinity=0-1, matching the
          input format. The maximum integer that will be printed in the new
          format is 8191 (four digits), while the old format always used a very
          long number (with the length varying by architecture), so they can be
          unambiguously distinguished.

        * /usr/sbin/halt.local is no longer supported. Implementation in
          distributions was inconsistent and it seems this functionality was
          very rarely used.

          To replace this functionality, users should:
          - either define a new unit and make it a dependency of final.target
            (systemctl add-wants final.target my-halt-local.service)
          - or move the shutdown script to /usr/lib/systemd/system-shutdown/
            and ensure that it accepts "halt", "poweroff", "reboot", and
            "kexec" as an argument, see the description in systemd-shutdown(8).

        * When a [Match] section in .link or .network file is empty (contains
          no match patterns), a warning will be emitted. Please add any "match
          all" pattern instead, e.g. OriginalName=* or Name=* in case all
          interfaces should really be matched.

        * A new setting NUMAPolicy= may be used to set process memory
          allocation policy. This setting can be specified in
          /etc/systemd/system.conf and hence will set the default policy for
          PID1. The default policy can be overridden on a per-service
          basis. The related setting NUMAMask= is used to specify NUMA node
          mask that should be associated with the selected policy.

        * PID 1 will now listen to Out-Of-Memory (OOM) events the kernel
          generates when processes it manages are reaching their memory limits,
          and will place their units in a special state, and optionally kill or
          stop the whole unit.

        * The service manager will now expose bus properties for the IO
          resources used by units. This information is also shown in "systemctl
          status" now (for services that have IOAccounting=yes set). Moreover,
          the IO accounting data is included in the resource log message
          generated whenever a unit stops.

        * Units may now configure an explicit timeout to wait for when killed
          with SIGABRT, for example when a service watchdog is hit. Previously,
          the regular TimeoutStopSec= timeout was applied in this case too —
          now a separate timeout may be set using TimeoutAbortSec=.

        * Services may now send a special WATCHDOG=trigger message with
          sd_notify() to trigger an immediate "watchdog missed" event, and thus
          trigger service termination. This is useful both for testing watchdog
          handling, but also for defining error paths in services, that shall
          be handled the same way as watchdog events.

        * There are two new per-unit settings IPIngressFilterPath= and
          IPEgressFilterPath= which allow configuration of a BPF program
          (usually by specifying a path to a program uploaded to /sys/fs/bpf/)
          to apply to the IP packet ingress/egress path of all processes of a
          unit. This is useful to allow running systemd services with BPF
          programs set up externally.

        * systemctl gained a new "clean" verb for removing the state, cache,
          runtime or logs directories of a service while it is terminated. The
          new verb may also be used to remove the state maintained on disk for
          timer units that have Persistent= configured.

        * During the last phase of shutdown systemd will now automatically
          increase the log level configured in the "kernel.printk" sysctl so
          that any relevant loggable events happening during late shutdown are
          made visible. Previously, loggable events happening so late during
          shutdown were generally lost if the "kernel.printk" sysctl was set to
          high thresholds, as regular logging daemons are terminated at that
          time and thus nothing is written to disk.

        * If processes terminated during the last phase of shutdown do not exit
          quickly systemd will now show their names after a short time, to make
          debugging easier. After a longer timeout they are forcibly killed,
          as before.

        * journalctl (and the other tools that display logs) will now highlight
          warnings in yellow (previously, both LOG_NOTICE and LOG_WARNING where
          shown in bright bold, now only LOG_NOTICE is). Moreover, audit logs
          are now shown in blue color, to separate them visually from regular
          logs. References to configuration files are now turned into clickable
          links on terminals that support that.

        * systemd-journald will now stop logging to /var/log/journal during
          shutdown when /var/ is on a separate mount, so that it can be
          unmounted safely during shutdown.

        * systemd-resolved gained support for a new 'strict' DNS-over-TLS mode.

        * systemd-resolved "Cache=" configuration option in resolved.conf has
          been extended to also accept the 'no-negative' value. Previously,
          only a boolean option was allowed (yes/no), having yes as the
          default. If this option is set to 'no-negative', negative answers are
          not cached while the old cache heuristics are used positive answers.
          The default remains unchanged.

        * The predictable naming scheme for network devices now supports
          generating predictable names for "netdevsim" devices.

          Moreover, the "en" prefix was dropped from the ID_NET_NAME_ONBOARD
          udev property.

          Those two changes form a new net.naming-policy-scheme= entry.
          Distributions which want to preserve naming stability may want to set
          the -Ddefault-net-naming-scheme= configuration option.

        * systemd-networkd now supports MACsec, nlmon, IPVTAP and Xfrm
          interfaces natively.

        * systemd-networkd's bridge FDB support now allows configuration of a
          destination address for each entry (Destination=), as well as the
          VXLAN VNI (VNI=), as well as an option to declare what an entry is
          associated with (AssociatedWith=).

        * systemd-networkd's DHCPv4 support now understands a new MaxAttempts=
          option for configuring the maximum number of DHCP lease requests.  It
          also learnt a new BlackList= option for deny-listing DHCP servers (a
          similar setting has also been added to the IPv6 RA client), as well
          as a SendRelease= option for configuring whether to send a DHCP
          RELEASE message when terminating.

        * systemd-networkd's DHCPv4 and DHCPv6 stacks can now be configured
          separately in the [DHCPv4] and [DHCPv6] sections.

        * systemd-networkd's DHCP support will now optionally create an
          implicit host route to the DNS server specified in the DHCP lease, in
          addition to the routes listed explicitly in the lease. This should
          ensure that in multi-homed systems DNS traffic leaves the systems on
          the interface that acquired the DNS server information even if other
          routes such as default routes exist. This behaviour may be turned on
          with the new RoutesToDNS= option.

        * systemd-networkd's VXLAN support gained a new option
          GenericProtocolExtension= for enabling VXLAN Generic Protocol
          Extension support, as well as IPDoNotFragment= for setting the IP
          "Don't fragment" bit on outgoing packets. A similar option has been
          added to the GENEVE support.

        * In systemd-networkd's [Route] section you may now configure
          FastOpenNoCookie= for configuring per-route TCP fast-open support, as
          well as TTLPropagate= for configuring Label Switched Path (LSP) TTL
          propagation. The Type= setting now supports local, broadcast,
          anycast, multicast, any, xresolve routes, too.

        * systemd-networkd's [Network] section learnt a new option
          DefaultRouteOnDevice= for automatically configuring a default route
          onto the network device.

        * systemd-networkd's bridging support gained two new options ProxyARP=
          and ProxyARPWifi= for configuring proxy ARP behaviour as well as
          MulticastRouter= for configuring multicast routing behaviour. A new
          option MulticastIGMPVersion= may be used to change bridge's multicast
          Internet Group Management Protocol (IGMP) version.

        * systemd-networkd's FooOverUDP support gained the ability to configure
          local and peer IP addresses via Local= and Peer=. A new option
          PeerPort= may be used to configure the peer's IP port.

        * systemd-networkd's TUN support gained a new setting VnetHeader= for
          tweaking Generic Segment Offload support.

        * The address family for policy rules may be specified using the new
          Family= option in the [RoutingPolicyRule] section.

        * networkctl gained a new "delete" command for removing virtual network
          devices, as well as a new "--stats" switch for showing device
          statistics.

        * networkd.conf gained a new setting SpeedMeter= and
          SpeedMeterIntervalSec=, to measure bitrate of network interfaces. The
          measured speed may be shown by 'networkctl status'.

        * "networkctl status" now displays MTU and queue lengths, and more
          detailed information about VXLAN and bridge devices.

        * systemd-networkd's .network and .link files gained a new Property=
          setting in the [Match] section, to match against devices with
          specific udev properties.

        * systemd-networkd's tunnel support gained a new option
          AssignToLoopback= for selecting whether to use the loopback device
          "lo" as underlying device.

        * systemd-networkd's MACAddress= setting in the [Neighbor] section has
          been renamed to LinkLayerAddress=, and it now allows configuration of
          IP addresses, too.

        * systemd-networkd's handling of the kernel's disable_ipv6 sysctl is
          simplified: systemd-networkd will disable the sysctl (enable IPv6) if
          IPv6 configuration (static or DHCPv6) was found for a given
          interface. It will not touch the sysctl otherwise.

        * The order of entries is $PATH used by the user manager instance was
          changed to put bin/ entries before the corresponding sbin/ entries.
          It is recommended to not rely on this order, and only ever have one
          binary with a given name in the system paths under /usr.

        * A new tool systemd-network-generator has been added that may generate
          .network, .netdev and .link files from IP configuration specified on
          the kernel command line in the format used by Dracut.

        * The CriticalConnection= setting in .network files is now deprecated,
          and replaced by a new KeepConfiguration= setting which allows more
          detailed configuration of the IP configuration to keep in place.

        * systemd-analyze gained a few new verbs:

          - "systemd-analyze timestamp" parses and converts timestamps. This is
            similar to the existing "systemd-analyze calendar" command which
            does the same for recurring calendar events.

          - "systemd-analyze timespan" parses and converts timespans (i.e.
            durations as opposed to points in time).

          - "systemd-analyze condition" will parse and test ConditionXYZ=
            expressions.

          - "systemd-analyze exit-status" will parse and convert exit status
            codes to their names and back.

          - "systemd-analyze unit-files" will print a list of all unit
            file paths and unit aliases.

        * SuccessExitStatus=, RestartPreventExitStatus=, and
          RestartForceExitStatus= now accept exit status names (e.g. "DATAERR"
          is equivalent to "65"). Those exit status name mappings may be
          displayed with the systemd-analyze exit-status verb describe above.

        * systemd-logind now exposes a per-session SetBrightness() bus call,
          which may be used to securely change the brightness of a kernel
          brightness device, if it belongs to the session's seat. By using this
          call unprivileged clients can make changes to "backlight" and "leds"
          devices securely with strict requirements on session membership.
          Desktop environments may use this to generically make brightness
          changes to such devices without shipping private SUID binaries or
          udev rules for that purpose.

        * "udevadm info" gained a --wait-for-initialization switch to wait for
          a device to be initialized.

        * systemd-hibernate-resume-generator will now look for resumeflags= on
          the kernel command line, which is similar to rootflags= and may be
          used to configure device timeout for the hibernation device.

        * sd-event learnt a new API call sd_event_source_disable_unref() for
          disabling and unref'ing an event source in a single function. A
          related call sd_event_source_disable_unrefp() has been added for use
          with gcc's cleanup extension.

        * The sd-id128.h public API gained a new definition
          SD_ID128_UUID_FORMAT_STR for formatting a 128bit ID in UUID format
          with printf().

        * "busctl introspect" gained a new switch --xml-interface for dumping
          XML introspection data unmodified.

        * PID 1 may now show the unit name instead of the unit description
          string in its status output during boot. This may be configured in
          the StatusUnitFormat= setting in /etc/systemd/system.conf or the
          kernel command line option systemd.status_unit_format=.

        * PID 1 now understands a new option KExecWatchdogSec= in
          /etc/systemd/system.conf to set a watchdog timeout for kexec reboots.
          Previously watchdog functionality was only available for regular
          reboots. The new setting defaults to off, because we don't know in
          the general case if the watchdog will be reset after kexec (some
          drivers do reset it, but not all), and the new userspace might not be
          configured to handle the watchdog.

          Moreover, the old ShutdownWatchdogSec= setting has been renamed to
          RebootWatchdogSec= to more clearly communicate what it is about. The
          old name is still accepted for compatibility.

        * The systemd.debug_shell kernel command line option now optionally
          takes a tty name to spawn the debug shell on, which allows a
          different tty to be selected than the built-in default.

        * Service units gained a new ExecCondition= setting which will run
          before ExecStartPre= and either continue execution of the unit (for
          clean exit codes), stop execution without marking the unit failed
          (for exit codes 1 through 254), or stop execution and fail the unit
          (for exit code 255 or abnormal termination).

        * A new service systemd-pstore.service has been added that pulls data
          from /sys/fs/pstore/ and saves it to /var/lib/pstore for later
          review.

        * timedatectl gained new verbs for configuring per-interface NTP
          service configuration for systemd-timesyncd.

        * "localectl list-locales" won't list non-UTF-8 locales anymore. It's
          2019. (You can set non-UTF-8 locales though, if you know their name.)

        * If variable assignments in sysctl.d/ files are prefixed with "-" any
          failures to apply them are now ignored.

        * systemd-random-seed.service now optionally credits entropy when
          applying the seed to the system. Set $SYSTEMD_RANDOM_SEED_CREDIT to
          true for the service to enable this behaviour, but please consult the
          documentation first, since this comes with a couple of caveats.

        * systemd-random-seed.service is now a synchronization point for full
          initialization of the kernel's entropy pool. Services that require
          /dev/urandom to be correctly initialized should be ordered after this
          service.

        * The systemd-boot boot loader has been updated to optionally maintain
          a random seed file in the EFI System Partition (ESP). During the boot
          phase, this random seed is read and updated with a new seed
          cryptographically derived from it. Another derived seed is passed to
          the OS. The latter seed is then credited to the kernel's entropy pool
          very early during userspace initialization (from PID 1). This allows
          systems to boot up with a fully initialized kernel entropy pool from
          earliest boot on, and thus entirely removes all entropy pool
          initialization delays from systems using systemd-boot. Special care
          is taken to ensure different seeds are derived on system images
          replicated to multiple systems. "bootctl status" will show whether
          a seed was received from the boot loader.

        * bootctl gained two new verbs:

          - "bootctl random-seed" will generate the file in ESP and an EFI
            variable to allow a random seed to be passed to the OS as described
            above.

          - "bootctl is-installed" checks whether systemd-boot is currently
            installed.

        * bootctl will warn if it detects that boot entries are misconfigured
          (for example if the kernel image was removed without purging the
          bootloader entry).

        * A new document has been added describing systemd's use and support
          for the kernel's entropy pool subsystem:

          https://systemd.io/RANDOM_SEEDS

        * When the system is hibernated the swap device to write the
          hibernation image to is now automatically picked from all available
          swap devices, preferring the swap device with the highest configured
          priority over all others, and picking the device with the most free
          space if there are multiple devices with the highest priority.

        * /etc/crypttab support has learnt a new keyfile-timeout= per-device
          option that permits selecting the timeout how long to wait for a
          device with an encryption key before asking for the password.

        * IOWeight= has learnt to properly set the IO weight when using the
          BFQ scheduler officially found in kernels 5.0+.

        * A new mailing list has been created for reporting of security issues:
          systemd-security@redhat.com. For mode details, see
          https://systemd.io/CONTRIBUTING#security-vulnerability-reports.

        Contributions from: Aaron Barany, Adrian Bunk, Alan Jenkins, Albrecht
        Lohofener, Andrej Valek, Anita Zhang, Arian van Putten, Balint Reczey,
        Bastien Nocera, Ben Boeckel, Benjamin Robin, camoz, Chen Qi, Chris
        Chiu, Chris Down, Christian Göttsche, Christian Kellner, Clinton Roy,
        Connor Reeder, Daniel Black, Daniel Lublin, Daniele Medri, Dan
        Streetman, Dave Reisner, Dave Ross, David Art, David Tardon, Debarshi
        Ray, Dimitri John Ledkov, Dominick Grift, Donald Buczek, Douglas
        Christman, Eric DeVolder, EtherGraf, Evgeny Vereshchagin, Feldwor,
        Felix Riemann, Florian Dollinger, Francesco Pennica, Franck Bui,
        Frantisek Sumsal, Franz Pletz, frederik, Hans de Goede, Iago López
        Galeiras, Insun Pyo, Ivan Shapovalov, Iwan Timmer, Jack, Jakob
        Unterwurzacher, Jan Chren, Jan Klötzke, Jan Losinski, Jan Pokorný, Jan
        Synacek, Jan-Michael Brummer, Jeka Pats, Jeremy Soller, Jérémy Rosen,
        Jiri Pirko, Joe Lin, Joerg Behrmann, Joe Richey, Jóhann B. Guðmundsson,
        Johannes Christ, Johannes Schmitz, Jonathan Rouleau, Jorge Niedbalski,
        Jörg Thalheim, Kai Krakow, Kai Lüke, Karel Zak, Kashyap Chamarthy,
        Krayushkin Konstantin, Lennart Poettering, Lubomir Rintel, Luca
        Boccassi, Luís Ferreira, Marc-André Lureau, Markus Felten, Martin Pitt,
        Matthew Leeds, Mattias Jernberg, Michael Biebl, Michael Olbrich,
        Michael Prokop, Michael Stapelberg, Michael Zhivich, Michal Koutný,
        Michal Sekletar, Mike Gilbert, Milan Broz, Miroslav Lichvar, mpe85,
        Mr-Foo, Network Silence, Oliver Harley, pan93412, Paul Menzel, pEJipE,
        Peter A. Bigot, Philip Withnall, Piotr Drąg, Rafael Fontenelle, Robert
        Scheck, Roberto Santalla, Ronan Pigott, root, RussianNeuroMancer,
        Sebastian Jennen, shinygold, Shreyas Behera, Simon Schricker, Susant
        Sahani, Thadeu Lima de Souza Cascardo, Theo Ouzhinski, Thiebaud
        Weksteen, Thomas Haller, Thomas Weißschuh, Tomas Mraz, Tommi Rantala,
        Topi Miettinen, VD-Lycos, ven, Vladimir Yerilov, Wieland Hoffmann,
        William A. Kennington III, William Wold, Xi Ruoyao, Yuri Chornoivan,
        Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zhang Xianwei

        – Camerino, 2019-09-03

CHANGES WITH 242:

        * In .link files, MACAddressPolicy=persistent (the default) is changed
          to cover more devices. For devices like bridges, tun, tap, bond, and
          similar interfaces that do not have other identifying information,
          the interface name is used as the basis for persistent seed for MAC
          and IPv4LL addresses. The way that devices that were handled
          previously is not changed, and this change is about covering more
          devices then previously by the "persistent" policy.

          MACAddressPolicy=random may be used to force randomized MACs and
          IPv4LL addresses for a device if desired.

          Hint: the log output from udev (at debug level) was enhanced to
          clarify what policy is followed and which attributes are used.
          `SYSTEMD_LOG_LEVEL=debug udevadm test-builtin net_setup_link /sys/class/net/<name>`
          may be used to view this.

          Hint: if a bridge interface is created without any slaves, and gains
          a slave later, then now the bridge does not inherit slave's MAC.
          To inherit slave's MAC, for example, create the following file:
          ```
          # /etc/systemd/network/98-bridge-inherit-mac.link
          [Match]
          Type=bridge

          [Link]
          MACAddressPolicy=none
          ```

        * The .device units generated by systemd-fstab-generator and other
          generators do not automatically pull in the corresponding .mount unit
          as a Wants= dependency. This means that simply plugging in the device
          will not cause the mount unit to be started automatically. But please
          note that the mount unit may be started for other reasons, in
          particular if it is part of local-fs.target, and any unit which
          (transitively) depends on local-fs.target is started.

        * networkctl list/status/lldp now accept globbing wildcards for network
          interface names to match against all existing interfaces.

        * The $PIDFILE environment variable is set to point the absolute path
          configured with PIDFile= for processes of that service.

        * The fallback DNS server list was augmented with Cloudflare public DNS
          servers. Use `-Ddns-servers=` to set a different fallback.

        * A new special target usb-gadget.target will be started automatically
          when a USB Device Controller is detected (which means that the system
          is a USB peripheral).

        * A new unit setting CPUQuotaPeriodSec= assigns the time period
          relatively to which the CPU time quota specified by CPUQuota= is
          measured.

        * A new unit setting ProtectHostname= may be used to prevent services
          from modifying hostname information (even if they otherwise would
          have privileges to do so).

        * A new unit setting NetworkNamespacePath= may be used to specify a
          namespace for service or socket units through a path referring to a
          Linux network namespace pseudo-file.

        * The PrivateNetwork= setting and JoinsNamespaceOf= dependencies now
          have an effect on .socket units: when used the listening socket is
          created within the configured network namespace instead of the host
          namespace.

        * ExecStart= command lines in unit files may now be prefixed with ':'
          in which case environment variable substitution is
          disabled. (Supported for the other ExecXYZ= settings, too.)

        * .timer units gained two new boolean settings OnClockChange= and
          OnTimezoneChange= which may be used to also trigger a unit when the
          system clock is changed or the local timezone is
          modified. systemd-run has been updated to make these options easily
          accessible from the command line for transient timers.

        * Two new conditions for units have been added: ConditionMemory= may be
          used to conditionalize a unit based on installed system
          RAM. ConditionCPUs= may be used to conditionalize a unit based on
          installed CPU cores.

        * The @default system call filter group understood by SystemCallFilter=
          has been updated to include the new rseq() system call introduced in
          kernel 4.15.

        * A new time-set.target has been added that indicates that the system
          time has been set from a local source (possibly imprecise). The
          existing time-sync.target is stronger and indicates that the time has
          been synchronized with a precise external source. Services where
          approximate time is sufficient should use the new target.

        * "systemctl start" (and related commands) learnt a new
          --show-transaction option. If specified brief information about all
          jobs queued because of the requested operation is shown.

        * systemd-networkd recognizes a new operation state 'enslaved', used
          (instead of 'degraded' or 'carrier') for interfaces which form a
          bridge, bond, or similar, and an new 'degraded-carrier' operational
          state used for the bond or bridge master interface when one of the
          enslaved devices is not operational.

        * .network files learnt the new IgnoreCarrierLoss= option for leaving
          networks configured even if the carrier is lost.

        * The RequiredForOnline= setting in .network files may now specify a
          minimum operational state required for the interface to be considered
          "online" by systemd-networkd-wait-online. Related to this
          systemd-networkd-wait-online gained a new option --operational-state=
          to configure the same, and its --interface= option was updated to
          optionally also take an operational state specific for an interface.

        * systemd-networkd-wait-online gained a new setting --any for waiting
          for only one of the requested interfaces instead of all of them.

        * systemd-networkd now implements L2TP tunnels.

        * Two new .network settings UseAutonomousPrefix= and UseOnLinkPrefix=
          may be used to cause autonomous and onlink prefixes received in IPv6
          Router Advertisements to be ignored.

        * New MulticastFlood=, NeighborSuppression=, and Learning= .network
          file settings may be used to tweak bridge behaviour.

        * The new TripleSampling= option in .network files may be used to
          configure CAN triple sampling.

        * A new .netdev settings PrivateKeyFile= and PresharedKeyFile= may be
          used to point to private or preshared key for a WireGuard interface.

        * /etc/crypttab now supports the same-cpu-crypt and
          submit-from-crypt-cpus options to tweak encryption work scheduling
          details.

        * systemd-tmpfiles will now take a BSD file lock before operating on a
          contents of directory. This may be used to temporarily exclude
          directories from aging by taking the same lock (useful for example
          when extracting a tarball into /tmp or /var/tmp as a privileged user,
          which might create files with really old timestamps, which
          nevertheless should not be deleted). For further details, see:

          https://systemd.io/TEMPORARY_DIRECTORIES

        * systemd-tmpfiles' h line type gained support for the
          FS_PROJINHERIT_FL ('P') file attribute (introduced in kernel 4.5),
          controlling project quota inheritance.

        * sd-boot and bootctl now implement support for an Extended Boot Loader
          (XBOOTLDR) partition, that is intended to be mounted to /boot, in
          addition to the ESP partition mounted to /efi or /boot/efi.
          Configuration file fragments, kernels, initrds and other EFI images
          to boot will be loaded from both the ESP and XBOOTLDR partitions.
          The XBOOTLDR partition was previously described by the Boot Loader
          Specification, but implementation was missing in sd-boot. Support for
          this concept allows using the sd-boot boot loader in more
          conservative scenarios where the boot loader itself is placed in the
          ESP but the kernels to boot (and their metadata) in a separate
          partition.

        * A system may now be booted with systemd.volatile=overlay on the
          kernel command line, which causes the root file system to be set up
          an overlayfs mount combining the root-only root directory with a
          writable tmpfs. In this setup, the underlying root device is not
          modified, and any changes are lost at reboot.

        * Similar, systemd-nspawn can now boot containers with a volatile
          overlayfs root with the new --volatile=overlay switch.

        * systemd-nspawn can now consume OCI runtime bundles using a new
          --oci-bundle= option. This implementation is fully usable, with most
          features in the specification implemented, but since this a lot of
          new code and functionality, this feature should most likely not
          be used in production yet.

        * systemd-nspawn now supports various options described by the OCI
          runtime specification on the command-line and in .nspawn files:
          --inaccessible=/Inaccessible= may be used to mask parts of the file
          system tree, --console=/--pipe may be used to configure how standard
          input, output, and error are set up.

        * busctl learned the `emit` verb to generate D-Bus signals.

        * systemd-analyze cat-config may be used to gather and display
          configuration spread over multiple files, for example system and user
          presets, tmpfiles.d, sysusers.d, udev rules, etc.

        * systemd-analyze calendar now takes an optional new parameter
          --iterations= which may be used to show a maximum number of iterations
          the specified expression will elapse next.

        * The sd-bus C API gained support for naming method parameters in the
          introspection data.

        * systemd-logind gained D-Bus APIs to specify the "reboot parameter"
          the reboot() system call expects.

        * journalctl learnt a new --cursor-file= option that points to a file
          from which a cursor should be loaded in the beginning and to which
          the updated cursor should be stored at the end.

        * ACRN hypervisor and Windows Subsystem for Linux (WSL) are now
          detected by systemd-detect-virt (and may also be used in
          ConditionVirtualization=).

        * The behaviour of systemd-logind may now be modified with environment
          variables $SYSTEMD_REBOOT_TO_FIRMWARE_SETUP,
          $SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU, and
          $SYSTEMD_REBOOT_TO_BOOT_LOADER_ENTRY. They cause logind to either
          skip the relevant operation completely (when set to false), or to
          create a flag file in /run/systemd (when set to true), instead of
          actually commencing the real operation when requested. The presence
          of /run/systemd/reboot-to-firmware-setup,
          /run/systemd/reboot-to-boot-loader-menu, and
          /run/systemd/reboot-to-boot-loader-entry, may be used by alternative
          boot loader implementations to replace some steps logind performs
          during reboot with their own operations.

        * systemctl can be used to request a reboot into the boot loader menu
          or a specific boot loader entry with the new --boot-load-menu= and
          --boot-loader-entry= options to a reboot command. (This requires a
          boot loader that supports this, for example sd-boot.)

        * kernel-install will no longer unconditionally create the output
          directory (e.g. /efi/<machine-id>/<kernel-version>) for boot loader
          snippets, but will do only if the machine-specific parent directory
          (i.e. /efi/<machine-id>/) already exists. bootctl has been modified
          to create this parent directory during sd-boot installation.

          This makes it easier to use kernel-install with plugins which support
          a different layout of the bootloader partitions (for example grub2).

        * During package installation (with `ninja install`), we would create
          symlinks for getty@tty1.service, systemd-networkd.service,
          systemd-networkd.socket, systemd-resolved.service,
          remote-cryptsetup.target, remote-fs.target,
          systemd-networkd-wait-online.service, and systemd-timesyncd.service
          in /etc, as if `systemctl enable` was called for those units, to make
          the system usable immediately after installation. Now this is not
          done anymore, and instead calling `systemctl preset-all` is
          recommended after the first installation of systemd.

        * A new boolean sandboxing option RestrictSUIDSGID= has been added that
          is built on seccomp. When turned on creation of SUID/SGID files is
          prohibited.

        * The NoNewPrivileges= and the new RestrictSUIDSGID= options are now
          implied if DynamicUser= is turned on for a service. This hardens
          these services, so that they neither can benefit from nor create
          SUID/SGID executables. This is a minor compatibility breakage, given
          that when DynamicUser= was first introduced SUID/SGID behaviour was
          unaffected. However, the security benefit of these two options is
          substantial, and the setting is still relatively new, hence we opted
          to make it mandatory for services with dynamic users.

        Contributions from: Adam Jackson, Alexander Tsoy, Andrey Yashkin,
        Andrzej Pietrasiewicz, Anita Zhang, Balint Reczey, Beniamino Galvani,
        Ben Iofel, Benjamin Berg, Benjamin Dahlhoff, Chris, Chris Morin,
        Christopher Wong, Claudius Ellsel, Clemens Gruber, dana, Daniel Black,
        Davide Cavalca, David Michael, David Rheinsberg, emersion, Evgeny
        Vereshchagin, Filipe Brandenburger, Franck Bui, Frantisek Sumsal,
        Giacinto Cifelli, Hans de Goede, Hugo Kindel, Ignat Korchagin, Insun
        Pyo, Jan Engelhardt, Jonas Dorel, Jonathan Lebon, Jonathon Kowalski,
        Jörg Sommer, Jörg Thalheim, Jussi Pakkanen, Kai-Heng Feng, Lennart
        Poettering, Lubomir Rintel, Luís Ferreira, Martin Pitt, Matthias
        Klumpp, Michael Biebl, Michael Niewöhner, Michael Olbrich, Michal
        Sekletar, Mike Lothian, Paul Menzel, Piotr Drąg, Riccardo Schirone,
        Robin Elvedi, Roman Kulikov, Ronald Tschalär, Ross Burton, Ryan
        Gonzalez, Sebastian Krzyszkowiak, Stephane Chazelas, StKob, Susant
        Sahani, Sylvain Plantefève, Szabolcs Fruhwald, Taro Yamada, Theo
        Ouzhinski, Thomas Haller, Tobias Jungel, Tom Yan, Tony Asleson, Topi
        Miettinen, unixsysadmin, Van Laser, Vesa Jääskeläinen, Yu, Li-Yu,
        Yu Watanabe, Zbigniew Jędrzejewski-Szmek

        — Warsaw, 2019-04-11

CHANGES WITH 241:

        * The default locale can now be configured at compile time. Otherwise,
          a suitable default will be selected automatically (one of C.UTF-8,
          en_US.UTF-8, and C).

        * The version string shown by systemd and other tools now includes the
          git commit hash when built from git. An override may be specified
          during compilation, which is intended to be used by distributions to
          include the package release information.

        * systemd-cat can now filter standard input and standard error streams
          for different syslog priorities using the new --stderr-priority=
          option.

        * systemd-journald and systemd-journal-remote reject entries which
          contain too many fields (CVE-2018-16865) and set limits on the
          process' command line length (CVE-2018-16864).

        * $DBUS_SESSION_BUS_ADDRESS environment variable is set by pam_systemd
          again.

        * A new network device NamePolicy "keep" is implemented for link files,
          and used by default in 99-default.link (the fallback configuration
          provided by systemd). With this policy, if the network device name
          was already set by userspace, the device will not be renamed again.
          This matches the naming scheme that was implemented before
          systemd-240. If naming-scheme < 240 is specified, the "keep" policy
          is also enabled by default, even if not specified. Effectively, this
          means that if naming-scheme >= 240 is specified, network devices will
          be renamed according to the configuration, even if they have been
          renamed already, if "keep" is not specified as the naming policy in
          the .link file. The 99-default.link file provided by systemd includes
          "keep" for backwards compatibility, but it is recommended for user
          installed .link files to *not* include it.

          The "kernel" policy, which keeps kernel names declared to be
          "persistent", now works again as documented.

        * kernel-install script now optionally takes the paths to one or more
          initrd files, and passes them to all plugins.

        * The mincore() system call has been dropped from the @system-service
          system call filter group, as it is pretty exotic and may potentially
          used for side-channel attacks.

        * -fPIE is dropped from compiler and linker options. Please specify
          -Db_pie=true option to meson to build position-independent
          executables. Note that the meson option is supported since meson-0.49.

        * The fs.protected_regular and fs.protected_fifos sysctls, which were
          added in Linux 4.19 to make some data spoofing attacks harder, are
          now enabled by default. While this will hopefully improve the
          security of most installations, it is technically a backwards
          incompatible change; to disable these sysctls again, place the
          following lines in /etc/sysctl.d/60-protected.conf or a similar file:

              fs.protected_regular = 0
              fs.protected_fifos = 0

          Note that the similar hardlink and symlink protection has been
          enabled since v199, and may be disabled likewise.

        * The files read from the EnvironmentFile= setting in unit files now
          parse backslashes inside quotes literally, matching the behaviour of
          POSIX shells.

        * udevadm trigger, udevadm control, udevadm settle and udevadm monitor
          now automatically become NOPs when run in a chroot() environment.

        * The tmpfiles.d/ "C" line type will now copy directory trees not only
          when the destination is so far missing, but also if it already exists
          as a directory and is empty. This is useful to cater for systems
          where directory trees are put together from multiple separate mount
          points but otherwise empty.

        * A new function sd_bus_close_unref() (and the associated
          sd_bus_close_unrefp()) has been added to libsystemd, that combines
          sd_bus_close() and sd_bus_unref() in one.

        * udevadm control learnt a new option for --ping for testing whether a
          systemd-udevd instance is running and reacting.

        * udevadm trigger learnt a new option for --wait-daemon for waiting
          systemd-udevd daemon to be initialized.

        Contributions from: Aaron Plattner, Alberts Muktupāvels, Alex Mayer,
        Ayman Bagabas, Beniamino Galvani, Burt P, Chris Down, Chris Lamb, Chris
        Morin, Christian Hesse, Claudius Ellsel, dana, Daniel Axtens, Daniele
        Medri, Dave Reisner, David Santamaría Rogado, Diego Canuhe, Dimitri
        John Ledkov, Evgeny Vereshchagin, Fabrice Fontaine, Filipe
        Brandenburger, Franck Bui, Frantisek Sumsal, govwin, Hans de Goede,
        James Hilliard, Jan Engelhardt, Jani Uusitalo, Jan Janssen, Jan
        Synacek, Jonathan McDowell, Jonathan Roemer, Jonathon Kowalski, Joost
        Heitbrink, Jörg Thalheim, Lance, Lennart Poettering, Louis Taylor,
        Lucas Werkmeister, Mantas Mikulėnas, Marc-Antoine Perennou,
        marvelousblack, Michael Biebl, Michael Sloan, Michal Sekletar, Mike
        Auty, Mike Gilbert, Mikhail Kasimov, Neil Brown, Niklas Hambüchen,
        Patrick Williams, Paul Seyfert, Peter Hutterer, Philip Withnall, Roger
        James, Ronnie P. Thomas, Ryan Gonzalez, Sam Morris, Stephan Edel,
        Stephan Gerhold, Susant Sahani, Taro Yamada, Thomas Haller, Topi
        Miettinen, YiFei Zhu, YmrDtnJu, YunQiang Su, Yu Watanabe, Zbigniew
        Jędrzejewski-Szmek, zsergeant77, Дамјан Георгиевски

        — Berlin, 2019-02-14

CHANGES WITH 240:

        * NoNewPrivileges=yes has been set for all long-running services
          implemented by systemd. Previously, this was problematic due to
          SELinux (as this would also prohibit the transition from PID1's label
          to the service's label). This restriction has since been lifted, but
          an SELinux policy update is required.
          (See e.g. https://github.com/fedora-selinux/selinux-policy/pull/234.)

        * DynamicUser=yes is dropped from systemd-networkd.service,
          systemd-resolved.service and systemd-timesyncd.service, which was
          enabled in v239 for systemd-networkd.service and systemd-resolved.service,
          and since v236 for systemd-timesyncd.service. The users and groups
          systemd-network, systemd-resolve and systemd-timesync are created
          by systemd-sysusers again. Distributors or system administrators
          may need to create these users and groups if they not exist (or need
          to re-enable DynamicUser= for those units) while upgrading systemd.
          Also, the clock file for systemd-timesyncd may need to move from
          /var/lib/private/systemd/timesync/clock to /var/lib/systemd/timesync/clock.

        * When unit files are loaded from disk, previously systemd would
          sometimes (depending on the unit loading order) load units from the
          target path of symlinks in .wants/ or .requires/ directories of other
          units. This meant that unit could be loaded from different paths
          depending on whether the unit was requested explicitly or as a
          dependency of another unit, not honouring the priority of directories
          in search path. It also meant that it was possible to successfully
          load and start units which are not found in the unit search path, as
          long as they were requested as a dependency and linked to from
          .wants/ or .requires/. The target paths of those symlinks are not
          used for loading units anymore and the unit file must be found in
          the search path.

        * A new service type has been added: Type=exec. It's very similar to
          Type=simple but ensures the service manager will wait for both fork()
          and execve() of the main service binary to complete before proceeding
          with follow-up units. This is primarily useful so that the manager
          propagates any errors in the preparation phase of service execution
          back to the job that requested the unit to be started. For example,
          consider a service that has ExecStart= set to a file system binary
          that doesn't exist. With Type=simple starting the unit would be
          considered instantly successful, as only fork() has to complete
          successfully and the manager does not wait for execve(), and hence
          its failure is seen "too late". With the new Type=exec service type
          starting the unit will fail, as the manager will wait for the
          execve() and notice its failure, which is then propagated back to the
          start job.

          NOTE: with the next release 241 of systemd we intend to change the
          systemd-run tool to default to Type=exec for transient services
          started by it. This should be mostly safe, but in specific corner
          cases might result in problems, as the systemd-run tool will then
          block on NSS calls (such as user name look-ups due to User=) done
          between the fork() and execve(), which under specific circumstances
          might cause problems. It is recommended to specify "-p Type=simple"
          explicitly in the few cases where this applies. For regular,
          non-transient services (i.e. those defined with unit files on disk)
          we will continue to default to Type=simple.

        * The Linux kernel's current default RLIMIT_NOFILE resource limit for
          userspace processes is set to 1024 (soft) and 4096
          (hard). Previously, systemd passed this on unmodified to all
          processes it forked off. With this systemd release the hard limit
          systemd passes on is increased to 512K, overriding the kernel's
          defaults and substantially increasing the number of simultaneous file
          descriptors unprivileged userspace processes can allocate. Note that
          the soft limit remains at 1024 for compatibility reasons: the
          traditional UNIX select() call cannot deal with file descriptors >=
          1024 and increasing the soft limit globally might thus result in
          programs unexpectedly allocating a high file descriptor and thus
          failing abnormally when attempting to use it with select() (of
          course, programs shouldn't use select() anymore, and prefer
          poll()/epoll, but the call unfortunately remains undeservedly popular
          at this time). This change reflects the fact that file descriptor
          handling in the Linux kernel has been optimized in more recent
          kernels and allocating large numbers of them should be much cheaper
          both in memory and in performance than it used to be. Programs that
          want to take benefit of the increased limit have to "opt-in" into
          high file descriptors explicitly by raising their soft limit. Of
          course, when they do that they must acknowledge that they cannot use
          select() anymore (and neither can any shared library they use — or
          any shared library used by any shared library they use and so on).
          Which default hard limit is most appropriate is of course hard to
          decide. However, given reports that ~300K file descriptors are used
          in real-life applications we believe 512K is sufficiently high as new
          default for now. Note that there are also reports that using very
          high hard limits (e.g. 1G) is problematic: some software allocates
          large arrays with one element for each potential file descriptor
          (Java, …) — a high hard limit thus triggers excessively large memory
          allocations in these applications. Hopefully, the new default of 512K
          is a good middle ground: higher than what real-life applications
          currently need, and low enough for avoid triggering excessively large
          allocations in problematic software. (And yes, somebody should fix
          Java.)

        * The fs.nr_open and fs.file-max sysctls are now automatically bumped
          to the highest possible values, as separate accounting of file
          descriptors is no longer necessary, as memcg tracks them correctly as
          part of the memory accounting anyway. Thus, from the four limits on
          file descriptors currently enforced (fs.file-max, fs.nr_open,
          RLIMIT_NOFILE hard, RLIMIT_NOFILE soft) we turn off the first two,
          and keep only the latter two. A set of build-time options
          (-Dbump-proc-sys-fs-file-max=false and -Dbump-proc-sys-fs-nr-open=false)
          has been added to revert this change in behaviour, which might be
          an option for systems that turn off memcg in the kernel.

        * When no /etc/locale.conf file exists (and hence no locale settings
          are in place), systemd will now use the "C.UTF-8" locale by default,
          and set LANG= to it. This locale is supported by various
          distributions including Fedora, with clear indications that upstream
          glibc is going to make it available too. This locale enables UTF-8
          mode by default, which appears appropriate for 2018.

        * The "net.ipv4.conf.all.rp_filter" sysctl will now be set to 2 by
          default. This effectively switches the RFC3704 Reverse Path filtering
          from Strict mode to Loose mode. This is more appropriate for hosts
          that have multiple links with routes to the same networks (e.g.
          a client with a Wi-Fi and Ethernet both connected to the internet).

          Consult the kernel documentation for details on this sysctl:
          https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

        * The v239 change to turn on "net.ipv4.tcp_ecn" by default has been
          reverted.

        * CPUAccounting=yes no longer enables the CPU controller when using
          kernel 4.15+ and the unified cgroup hierarchy, as required accounting
          statistics are now provided independently from the CPU controller.

        * Support for disabling a particular cgroup controller within a sub-tree
          has been added through the DisableControllers= directive.

        * cgroup_no_v1=all on the kernel command line now also implies
          using the unified cgroup hierarchy, unless one explicitly passes
          systemd.unified_cgroup_hierarchy=0 on the kernel command line.

        * The new "MemoryMin=" unit file property may now be used to set the
          memory usage protection limit of processes invoked by the unit. This
          controls the cgroup v2 memory.min attribute. Similarly, the new
          "IODeviceLatencyTargetSec=" property has been added, wrapping the new
          cgroup v2 io.latency cgroup property for configuring per-service I/O
          latency.

        * systemd now supports the cgroup v2 devices BPF logic, as counterpart
          to the cgroup v1 "devices" cgroup controller.

        * systemd-escape now is able to combine --unescape with --template. It
          also learnt a new option --instance for extracting and unescaping the
          instance part of a unit name.

        * sd-bus now provides the sd_bus_message_readv() which is similar to
          sd_bus_message_read() but takes a va_list object. The pair
          sd_bus_set_method_call_timeout() and sd_bus_get_method_call_timeout()
          has been added for configuring the default method call timeout to
          use. sd_bus_error_move() may be used to efficiently move the contents
          from one sd_bus_error structure to another, invalidating the
          source. sd_bus_set_close_on_exit() and sd_bus_get_close_on_exit() may
          be used to control whether a bus connection object is automatically
          flushed when an sd-event loop is exited.

        * When processing classic BSD syslog log messages, journald will now
          save the original time-stamp string supplied in the new
          SYSLOG_TIMESTAMP= journal field. This permits consumers to
          reconstruct the original BSD syslog message more correctly.

        * StandardOutput=/StandardError= in service files gained support for
          new "append:…" parameters, for connecting STDOUT/STDERR of a service
          to a file, and appending to it.

        * The signal to use as last step of killing of unit processes is now
          configurable. Previously it was hard-coded to SIGKILL, which may now
          be overridden with the new KillSignal= setting. Note that this is the
          signal used when regular termination (i.e. SIGTERM) does not suffice.
          Similarly, the signal used when aborting a program in case of a
          watchdog timeout may now be configured too (WatchdogSignal=).

        * The XDG_SESSION_DESKTOP environment variable may now be configured in
          the pam_systemd argument line, using the new desktop= switch. This is
          useful to initialize it properly from a display manager without
          having to touch C code.

        * Most configuration options that previously accepted percentage values
          now also accept permille values with the '‰' suffix (instead of '%').

        * systemd-resolved may now optionally use OpenSSL instead of GnuTLS for
          DNS-over-TLS.

        * systemd-resolved's configuration file resolved.conf gained a new
          option ReadEtcHosts= which may be used to turn off processing and
          honoring /etc/hosts entries.

        * The "--wait" switch may now be passed to "systemctl
          is-system-running", in which case the tool will synchronously wait
          until the system finished start-up.

        * hostnamed gained a new bus call to determine the DMI product UUID.

        * On x86-64 systemd will now prefer using the RDRAND processor
          instruction over /dev/urandom whenever it requires randomness that
          neither has to be crypto-grade nor should be reproducible. This
          should substantially reduce the amount of entropy systemd requests
          from the kernel during initialization on such systems, though not
          reduce it to zero. (Why not zero? systemd still needs to allocate
          UUIDs and such uniquely, which require high-quality randomness.)

        * networkd gained support for Foo-Over-UDP, ERSPAN and ISATAP
          tunnels. It also gained a new option ForceDHCPv6PDOtherInformation=
          for forcing the "Other Information" bit in IPv6 RA messages. The
          bonding logic gained four new options AdActorSystemPriority=,
          AdUserPortKey=, AdActorSystem= for configuring various 802.3ad
          aspects, and DynamicTransmitLoadBalancing= for enabling dynamic
          shuffling of flows. The tunnel logic gained a new
          IPv6RapidDeploymentPrefix= option for configuring IPv6 Rapid
          Deployment. The policy rule logic gained four new options IPProtocol=,
          SourcePort= and DestinationPort=, InvertRule=. The bridge logic gained
          support for the MulticastToUnicast= option. networkd also gained
          support for configuring static IPv4 ARP or IPv6 neighbor entries.

        * .preset files (as read by 'systemctl preset') may now be used to
          instantiate services.

        * /etc/crypttab now understands the sector-size= option to configure
          the sector size for an encrypted partition.

        * Key material for encrypted disks may now be placed on a formatted
          medium, and referenced from /etc/crypttab by the UUID of the file
          system, followed by "=" suffixed by the path to the key file.

        * The "collect" udev component has been removed without replacement, as
          it is neither used nor maintained.

        * When the RuntimeDirectory=, StateDirectory=, CacheDirectory=,
          LogsDirectory=, ConfigurationDirectory= settings are used in a
          service the executed processes will now receive a set of environment
          variables containing the full paths of these directories.
          Specifically, RUNTIME_DIRECTORY=, STATE_DIRECTORY, CACHE_DIRECTORY,
          LOGS_DIRECTORY, CONFIGURATION_DIRECTORY are now set if these options
          are used. Note that these options may be used multiple times per
          service in which case the resulting paths will be concatenated and
          separated by colons.

        * Predictable interface naming has been extended to cover InfiniBand
          NICs. They will be exposed with an "ib" prefix.

        * tmpfiles.d/ line types may now be suffixed with a '-' character, in
          which case the respective line failing is ignored.

        * .link files may now be used to configure the equivalent to the
          "ethtool advertise" commands.

        * The sd-device.h and sd-hwdb.h APIs are now exported, as an
          alternative to libudev.h. Previously, the latter was just an internal
          wrapper around the former, but now these two APIs are exposed
          directly.

        * sd-id128.h gained a new function sd_id128_get_boot_app_specific()
          which calculates an app-specific boot ID similar to how
          sd_id128_get_machine_app_specific() generates an app-specific machine
          ID.

        * A new tool systemd-id128 has been added that can be used to determine
          and generate various 128bit IDs.

        * /etc/os-release gained two new standardized fields DOCUMENTATION_URL=
          and LOGO=.

        * systemd-hibernate-resume-generator will now honor the "noresume"
          kernel command line option, in which case it will bypass resuming
          from any hibernated image.

        * The systemd-sleep.conf configuration file gained new options
          AllowSuspend=, AllowHibernation=, AllowSuspendThenHibernate=,
          AllowHybridSleep= for prohibiting specific sleep modes even if the
          kernel exports them.

        * portablectl is now officially supported and has thus moved to
          /usr/bin/.

        * bootctl learnt the two new commands "set-default" and "set-oneshot"
          for setting the default boot loader item to boot to (either
          persistently or only for the next boot). This is currently only
          compatible with sd-boot, but may be implemented on other boot loaders
          too, that follow the boot loader interface. The updated interface is
          now documented here:

          https://systemd.io/BOOT_LOADER_INTERFACE

        * A new kernel command line option systemd.early_core_pattern= is now
          understood which may be used to influence the core_pattern PID 1
          installs during early boot.

        * busctl learnt two new options -j and --json= for outputting method
          call replies, properties and monitoring output in JSON.

        * journalctl's JSON output now supports simple ANSI coloring as well as
          a new "json-seq" mode for generating RFC7464 output.

        * Unit files now support the %g/%G specifiers that resolve to the UNIX
          group/GID of the service manager runs as, similar to the existing
          %u/%U specifiers that resolve to the UNIX user/UID.

        * systemd-logind learnt a new global configuration option
          UserStopDelaySec= that may be set in logind.conf. It specifies how
          long the systemd --user instance shall remain started after a user
          logs out. This is useful to speed up repetitive re-connections of the
          same user, as it means the user's service manager doesn't have to be
          stopped/restarted on each iteration, but can be reused between
          subsequent options. This setting defaults to 10s. systemd-logind also
          exports two new properties on its Manager D-Bus objects indicating
          whether the system's lid is currently closed, and whether the system
          is on AC power.

        * systemd gained support for a generic boot counting logic, which
          generically permits automatic reverting to older boot loader entries
          if newer updated ones don't work. The boot loader side is implemented
          in sd-boot, but is kept open for other boot loaders too. For details
          see:

          https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT

        * The SuccessAction=/FailureAction= unit file settings now learnt two
          new parameters: "exit" and "exit-force", which result in immediate
          exiting of the service manager, and are only useful in systemd --user
          and container environments.

        * Unit files gained support for a pair of options
          FailureActionExitStatus=/SuccessActionExitStatus= for configuring the
          exit status to use as service manager exit status when
          SuccessAction=/FailureAction= is set to exit or exit-force.

        * A pair of LogRateLimitIntervalSec=/LogRateLimitBurst= per-service
          options may now be used to configure the log rate limiting applied by
          journald per-service.

        * systemd-analyze gained a new verb "timespan" for parsing and
          normalizing time span values (i.e. strings like "5min 7s 8us").

        * systemd-analyze also gained a new verb "security" for analyzing the
          security and sand-boxing settings of services in order to determine an
          "exposure level" for them, indicating whether a service would benefit
          from more sand-boxing options turned on for them.

        * "systemd-analyze syscall-filter" will now also show system calls
          supported by the local kernel but not included in any of the defined
          groups.

        * .nspawn files now understand the Ephemeral= setting, matching the
          --ephemeral command line switch.

        * sd-event gained the new APIs sd_event_source_get_floating() and
          sd_event_source_set_floating() for controlling whether a specific
          event source is "floating", i.e. destroyed along with the even loop
          object itself.

        * Unit objects on D-Bus gained a new "Refs" property that lists all
          clients that currently have a reference on the unit (to ensure it is
          not unloaded).

        * The JoinControllers= option in system.conf is no longer supported, as
          it didn't work correctly, is hard to support properly, is legacy (as
          the concept only exists on cgroup v1) and apparently wasn't used.

        * Journal messages that are generated whenever a unit enters the failed
          state are now tagged with a unique MESSAGE_ID. Similarly, messages
          generated whenever a service process exits are now made recognizable,
          too. A tagged message is also emitted whenever a unit enters the
          "dead" state on success.

        * systemd-run gained a new switch --working-directory= for configuring
          the working directory of the service to start. A shortcut -d is
          equivalent, setting the working directory of the service to the
          current working directory of the invoking program. The new --shell
          (or just -S) option has been added for invoking the $SHELL of the
          caller as a service, and implies --pty --same-dir --wait --collect
          --service-type=exec. Or in other words, "systemd-run -S" is now the
          quickest way to quickly get an interactive in a fully clean and
          well-defined system service context.

        * machinectl gained a new verb "import-fs" for importing an OS tree
          from a directory. Moreover, when a directory or tarball is imported
          and single top-level directory found with the OS itself below the OS
          tree is automatically mangled and moved one level up.

        * systemd-importd will no longer set up an implicit btrfs loop-back
          file system on /var/lib/machines. If one is already set up, it will
          continue to be used.

        * A new generator "systemd-run-generator" has been added. It will
          synthesize a unit from one or more program command lines included in
          the kernel command line. This is very useful in container managers
          for example:

          # systemd-nspawn -i someimage.raw -b systemd.run='"some command line"'

          This will run "systemd-nspawn" on an image, invoke the specified
          command line and immediately shut down the container again, returning
          the command line's exit code.

        * The block device locking logic is now documented:

          https://systemd.io/BLOCK_DEVICE_LOCKING

        * loginctl and machinectl now optionally output the various tables in
          JSON using the --output= switch. It is our intention to add similar
          support to systemctl and all other commands.

        * udevadm's query and trigger verb now optionally take a .device unit
          name as argument.

        * systemd-udevd's network naming logic now understands a new
          net.naming-scheme= kernel command line switch, which may be used to
          pick a specific version of the naming scheme. This helps stabilizing
          interface names even as systemd/udev are updated and the naming logic
          is improved.

        * sd-id128.h learnt two new auxiliary helpers: sd_id128_is_allf() and
          SD_ID128_ALLF to test if a 128bit ID is set to all 0xFF bytes, and to
          initialize one to all 0xFF.

        * After loading the SELinux policy systemd will now recursively relabel
          all files and directories listed in
          /run/systemd/relabel-extra.d/*.relabel (which should be simple
          newline separated lists of paths) in addition to the ones it already
          implicitly relabels in /run, /dev and /sys. After the relabelling is
          completed the *.relabel files (and /run/systemd/relabel-extra.d/) are
          removed. This is useful to permit initrds (i.e. code running before
          the SELinux policy is in effect) to generate files in the host
          filesystem safely and ensure that the correct label is applied during
          the transition to the host OS.

        * KERNEL API BREAKAGE: Linux kernel 4.18 changed behaviour regarding
          mknod() handling in user namespaces. Previously mknod() would always
          fail with EPERM in user namespaces. Since 4.18 mknod() will succeed
          but device nodes generated that way cannot be opened, and attempts to
          open them result in EPERM. This breaks the "graceful fallback" logic
          in systemd's PrivateDevices= sand-boxing option. This option is
          implemented defensively, so that when systemd detects it runs in a
          restricted environment (such as a user namespace, or an environment
          where mknod() is blocked through seccomp or absence of CAP_SYS_MKNOD)
          where device nodes cannot be created the effect of PrivateDevices= is
          bypassed (following the logic that 2nd-level sand-boxing is not
          essential if the system systemd runs in is itself already sand-boxed
          as a whole). This logic breaks with 4.18 in container managers where
          user namespacing is used: suddenly PrivateDevices= succeeds setting
          up a private /dev/ file system containing devices nodes — but when
          these are opened they don't work.

          At this point it is recommended that container managers utilizing
          user namespaces that intend to run systemd in the payload explicitly
          block mknod() with seccomp or similar, so that the graceful fallback
          logic works again.

          We are very sorry for the breakage and the requirement to change
          container configurations for newer kernels. It's purely caused by an
          incompatible kernel change. The relevant kernel developers have been
          notified about this userspace breakage quickly, but they chose to
          ignore it.

        * PermissionsStartOnly= setting is deprecated (but is still supported
          for backwards compatibility). The same functionality is provided by
          the more flexible "+", "!", and "!!" prefixes to ExecStart= and other
          commands.

        * $DBUS_SESSION_BUS_ADDRESS environment variable is not set by
          pam_systemd anymore.

        * The naming scheme for network devices was changed to always rename
          devices, even if they were already renamed by userspace. The "kernel"
          policy was changed to only apply as a fallback, if no other naming
          policy took effect.

        * The requirements to build systemd is bumped to meson-0.46 and
          python-3.5.

        Contributions from: afg, Alan Jenkins, Aleksei Timofeyev, Alexander
        Filippov, Alexander Kurtz, Alexey Bogdanenko, Andreas Henriksson,
        Andrew Jorgensen, Anita Zhang, apnix-uk, Arkan49, Arseny Maslennikov,
        asavah, Asbjørn Apeland, aszlig, Bastien Nocera, Ben Boeckel, Benedikt
        Morbach, Benjamin Berg, Bruce Zhang, Carlo Caione, Cedric Viou, Chen
        Qi, Chris Chiu, Chris Down, Chris Morin, Christian Rebischke, Claudius
        Ellsel, Colin Guthrie, dana, Daniel, Daniele Medri, Daniel Kahn
        Gillmor, Daniel Rusek, Daniel van Vugt, Dariusz Gadomski, Dave Reisner,
        David Anderson, Davide Cavalca, David Leeds, David Malcolm, David
        Strauss, David Tardon, Dimitri John Ledkov, Dmitry Torokhov, dj-kaktus,
        Dongsu Park, Elias Probst, Emil Soleyman, Erik Kooistra, Ervin Peters,
        Evgeni Golov, Evgeny Vereshchagin, Fabrice Fontaine, Faheel Ahmad,
        Faizal Luthfi, Felix Yan, Filipe Brandenburger, Franck Bui, Frank
        Schaefer, Frantisek Sumsal, Gautier Husson, Gianluca Boiano, Giuseppe
        Scrivano, glitsj16, Hans de Goede, Harald Hoyer, Harry Mallon, Harshit
        Jain, Helmut Grohne, Henry Tung, Hui Yiqun, imayoda, Insun Pyo, Iwan
        Timmer, Jan Janssen, Jan Pokorný, Jan Synacek, Jason A. Donenfeld,
        javitoom, Jérémy Nouhaud, Jeremy Su, Jiuyang Liu, João Paulo Rechi
        Vita, Joe Hershberger, Joe Rayhawk, Joerg Behrmann, Joerg Steffens,
        Jonas Dorel, Jon Ringle, Josh Soref, Julian Andres Klode, Jun Bo Bi,
        Jürg Billeter, Keith Busch, Khem Raj, Kirill Marinushkin, Larry
        Bernstone, Lennart Poettering, Lion Yang, Li Song, Lorenz
        Hübschle-Schneider, Lubomir Rintel, Lucas Werkmeister, Ludwin Janvier,
        Lukáš Nykrýn, Luke Shumaker, mal, Marc-Antoine Perennou, Marcin
        Skarbek, Marco Trevisan (Treviño), Marian Cepok, Mario Hros, Marko
        Myllynen, Markus Grimm, Martin Pitt, Martin Sobotka, Martin Wilck,
        Mathieu Trudel-Lapierre, Matthew Leeds, Michael Biebl, Michael Olbrich,
        Michael 'pbone' Pobega, Michael Scherer, Michal Koutný, Michal
        Sekletar, Michal Soltys, Mike Gilbert, Mike Palmer, Muhammet Kara, Neal
        Gompa, Neil Brown, Network Silence, Niklas Tibbling, Nikolas Nyby,
        Nogisaka Sadata, Oliver Smith, Patrik Flykt, Pavel Hrdina, Paweł
        Szewczyk, Peter Hutterer, Piotr Drąg, Ray Strode, Reinhold Mueller,
        Renaud Métrich, Roman Gushchin, Ronny Chevalier, Rubén Suárez Alvarez,
        Ruixin Bao, RussianNeuroMancer, Ryutaroh Matsumoto, Saleem Rashid, Sam
        Morris, Samuel Morris, Sandy Carter, scootergrisen, Sébastien Bacher,
        Sergey Ptashnick, Shawn Landden, Shengyao Xue, Shih-Yuan Lee
        (FourDollars), Silvio Knizek, Sjoerd Simons, Stasiek Michalski, Stephen
        Gallagher, Steven Allen, Steve Ramage, Susant Sahani, Sven Joachim,
        Sylvain Plantefève, Tanu Kaskinen, Tejun Heo, Thiago Macieira, Thomas
        Blume, Thomas Haller, Thomas H. P. Andersen, Tim Ruffing, TJ, Tobias
        Jungel, Todd Walton, Tommi Rantala, Tomsod M, Tony Novak, Tore
        Anderson, Trevonn, Victor Laskurain, Victor Tapia, Violet Halo, Vojtech
        Trefny, welaq, William A. Kennington III, William Douglas, Wyatt Ward,
        Xiang Fan, Xi Ruoyao, Xuanwo, Yann E. Morin, YmrDtnJu, Yu Watanabe,
        Zbigniew Jędrzejewski-Szmek, Zhang Xianwei, Zsolt Dollenstein

        — Warsaw, 2018-12-21

CHANGES WITH 239:

        * NETWORK INTERFACE DEVICE NAMING CHANGES: systemd-udevd's "net_id"
          builtin will name network interfaces differently than in previous
          versions for virtual network interfaces created with SR-IOV and NPAR
          and for devices where the PCI network controller device does not have
          a slot number associated.

          SR-IOV virtual devices are now named based on the name of the parent
          interface, with a suffix of "v<N>", where <N> is the virtual device
          number. Previously those virtual devices were named as if completely
          independent.

          The ninth and later NPAR virtual devices will be named following the
          scheme used for the first eight NPAR partitions. Previously those
          devices were not renamed and the kernel default (eth<n>) was used.

          "net_id" will also generate names for PCI devices where the PCI
          network controller device does not have an associated slot number
          itself, but one of its parents does. Previously those devices were
          not renamed and the kernel default (eth<n>) was used.

        * AF_INET and AF_INET6 are dropped from RestrictAddressFamilies= in
          systemd-logind.service. Since v235, IPAddressDeny=any has been set to
          the unit. So, it is expected that the default behavior of
          systemd-logind is not changed. However, if distribution packagers or
          administrators disabled or modified IPAddressDeny= setting by a
          drop-in config file, then it may be necessary to update the file to
          re-enable AF_INET and AF_INET6 to support network user name services,
          e.g. NIS.

        * When the RestrictNamespaces= unit property is specified multiple
          times, then the specified types are merged now. Previously, only the
          last assignment was used. So, if distribution packagers or
          administrators modified the setting by a drop-in config file, then it
          may be necessary to update the file.

        * When OnFailure= is used in combination with Restart= on a service
          unit, then the specified units will no longer be triggered on
          failures that result in restarting. Previously, the specified units
          would be activated each time the unit failed, even when the unit was
          going to be restarted automatically. This behaviour contradicted the
          documentation. With this release the code is adjusted to match the
          documentation.

        * systemd-tmpfiles will now print a notice whenever it encounters
          tmpfiles.d/ lines referencing the /var/run/ directory. It will
          recommend reworking them to use the /run/ directory instead (for
          which /var/run/ is simply a symlinked compatibility alias). This way
          systemd-tmpfiles can properly detect line conflicts and merge lines
          referencing the same file by two paths, without having to access
          them.

        * systemctl disable/unmask/preset/preset-all cannot be used with
          --runtime. Previously this was allowed, but resulted in unintuitive
          behaviour that wasn't useful. systemctl disable/unmask will now undo
          both runtime and persistent enablement/masking, i.e. it will remove
          any relevant symlinks both in /run and /etc.

        * Note that all long-running system services shipped with systemd will
          now default to a system call allow list (rather than a deny list, as
          before). In particular, systemd-udevd will now enforce one too. For
          most cases this should be safe, however downstream distributions
          which disabled sandboxing of systemd-udevd (specifically the
          MountFlags= setting), might want to disable this security feature
          too, as the default allow-listing will prohibit all mount, swap,
          reboot and clock changing operations from udev rules.

        * sd-boot acquired new loader configuration settings to optionally turn
          off Windows and MacOS boot partition discovery as well as
          reboot-into-firmware menu items. It is also able to pick a better
          screen resolution for HiDPI systems, and now provides loader
          configuration settings to change the resolution explicitly.

        * systemd-resolved now supports DNS-over-TLS. It's still
          turned off by default, use DNSOverTLS=opportunistic to turn it on in
          resolved.conf. We intend to make this the default as soon as couple
          of additional techniques for optimizing the initial latency caused by
          establishing a TLS/TCP connection are implemented.

        * systemd-resolved.service and systemd-networkd.service now set
          DynamicUser=yes. The users systemd-resolve and systemd-network are
          not created by systemd-sysusers anymore.

          NOTE: This has a chance of breaking nss-ldap and similar NSS modules
          that embed a network facing module into any process using getpwuid()
          or related call: the dynamic allocation of the user ID for
          systemd-resolved.service means the service manager has to check NSS
          if the user name is already taken when forking off the service. Since
          the user in the common case won't be defined in /etc/passwd the
          lookup is likely to trigger nss-ldap which in turn might use NSS to
          ask systemd-resolved for hostname lookups. This will hence result in
          a deadlock: a user name lookup in order to start
          systemd-resolved.service will result in a hostname lookup for which
          systemd-resolved.service needs to be started already. There are
          multiple ways to work around this problem: pre-allocate the
          "systemd-resolve" user on such systems, so that nss-ldap won't be
          triggered; or use a different NSS package that doesn't do networking
          in-process but provides a local asynchronous name cache; or configure
          the NSS package to avoid lookups for UIDs in the range `pkg-config
          systemd --variable=dynamicuidmin` … `pkg-config systemd
          --variable=dynamicuidmax`, so that it does not consider itself
          authoritative for the same UID range systemd allocates dynamic users
          from.

        * The systemd-resolve tool has been renamed to resolvectl (it also
          remains available under the old name, for compatibility), and its
          interface is now verb-based, similar in style to the other <xyz>ctl
          tools, such as systemctl or loginctl.

        * The resolvectl/systemd-resolve tool also provides 'resolvconf'
          compatibility. It may be symlinked under the 'resolvconf' name, in
          which case it will take arguments and input compatible with the
          Debian and FreeBSD resolvconf tool.

        * Support for suspend-then-hibernate has been added, i.e. a sleep mode
          where the system initially suspends, and after a timeout resumes and
          hibernates again.

        * networkd's ClientIdentifier= now accepts a new option "duid-only". If
          set the client will only send a DUID as client identifier.

        * The nss-systemd glibc NSS module will now enumerate dynamic users and
          groups in effect. Previously, it could resolve UIDs/GIDs to user
          names/groups and vice versa, but did not support enumeration.

        * journald's Compress= configuration setting now optionally accepts a
          byte threshold value. All journal objects larger than this threshold
          will be compressed, smaller ones will not. Previously this threshold
          was not configurable and set to 512.

        * A new system.conf setting NoNewPrivileges= is now available which may
          be used to turn off acquisition of new privileges system-wide
          (i.e. set Linux' PR_SET_NO_NEW_PRIVS for PID 1 itself, and thus also
          for all its children). Note that turning this option on means setuid
          binaries and file system capabilities lose their special powers.
          While turning on this option is a big step towards a more secure
          system, doing so is likely to break numerous pre-existing UNIX tools,
          in particular su and sudo.

        * A new service systemd-time-sync-wait.service has been added. If
          enabled it will delay the time-sync.target unit at boot until time
          synchronization has been received from the network. This
          functionality is useful on systems lacking a local RTC or where it is
          acceptable that the boot process shall be delayed by external network
          services.

        * When hibernating, systemd will now inform the kernel of the image
          write offset, on kernels new enough to support this. This means swap
          files should work for hibernation now.

        * When loading unit files, systemd will now look for drop-in unit files
          extensions in additional places. Previously, for a unit file name
          "foo-bar-baz.service" it would look for dropin files in
          "foo-bar-baz.service.d/*.conf". Now, it will also look in
          "foo-bar-.service.d/*.conf" and "foo-.service.d/", i.e. at the
          service name truncated after all inner dashes. This scheme allows
          writing drop-ins easily that apply to a whole set of unit files at
          once. It's particularly useful for mount and slice units (as their
          naming is prefix based), but is also useful for service and other
          units, for packages that install multiple unit files at once,
          following a strict naming regime of beginning the unit file name with
          the package's name. Two new specifiers are now supported in unit
          files to match this: %j and %J are replaced by the part of the unit
          name following the last dash.

        * Unit files and other configuration files that support specifier
          expansion now understand another three new specifiers: %T and %V will
          resolve to /tmp and /var/tmp respectively, or whatever temporary
          directory has been set for the calling user. %E will expand to either
          /etc (for system units) or $XDG_CONFIG_HOME (for user units).

        * The ExecStart= lines of unit files are no longer required to
          reference absolute paths. If non-absolute paths are specified the
          specified binary name is searched within the service manager's
          built-in $PATH, which may be queried with 'systemd-path
          search-binaries-default'. It's generally recommended to continue to
          use absolute paths for all binaries specified in unit files.

        * Units gained a new load state "bad-setting", which is used when a
          unit file was loaded, but contained fatal errors which prevent it
          from being started (for example, a service unit has been defined
          lacking both ExecStart= and ExecStop= lines).

        * coredumpctl's "gdb" verb has been renamed to "debug", in order to
          support alternative debuggers, for example lldb. The old name
          continues to be available however, for compatibility reasons. Use the
          new --debugger= switch or the $SYSTEMD_DEBUGGER environment variable
          to pick an alternative debugger instead of the default gdb.

        * systemctl and the other tools will now output escape sequences that
          generate proper clickable hyperlinks in various terminal emulators
          where useful (for example, in the "systemctl status" output you can
          now click on the unit file name to quickly open it in the
          editor/viewer of your choice). Note that not all terminal emulators
          support this functionality yet, but many do. Unfortunately, the
          "less" pager doesn't support this yet, hence this functionality is
          currently automatically turned off when a pager is started (which
          happens quite often due to auto-paging). We hope to remove this
          limitation as soon as "less" learns these escape sequences. This new
          behaviour may also be turned off explicitly with the $SYSTEMD_URLIFY
          environment variable. For details on these escape sequences see:
          https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3cb5feda

        * networkd's .network files now support a new IPv6MTUBytes= option for
          setting the MTU used by IPv6 explicitly as well as a new MTUBytes=
          option in the [Route] section to configure the MTU to use for
          specific routes. It also gained support for configuration of the DHCP
          "UserClass" option through the new UserClass= setting. It gained
          three new options in the new [CAN] section for configuring CAN
          networks. The MULTICAST and ALLMULTI interface flags may now be
          controlled explicitly with the new Multicast= and AllMulticast=
          settings.

        * networkd will now automatically make use of the kernel's route
          expiration feature, if it is available.

        * udevd's .link files now support setting the number of receive and
          transmit channels, using the RxChannels=, TxChannels=,
          OtherChannels=, CombinedChannels= settings.

        * Support for UDPSegmentationOffload= has been removed, given its
          limited support in hardware, and waning software support.

        * networkd's .netdev files now support creating "netdevsim" interfaces.

        * PID 1 learnt a new bus call GetUnitByControlGroup() which may be used
          to query the unit belonging to a specific kernel control group.

        * systemd-analyze gained a new verb "cat-config", which may be used to
          dump the contents of any configuration file, with all its matching
          drop-in files added in, and honouring the usual search and masking
          logic applied to systemd configuration files. For example use
          "systemd-analyze cat-config systemd/system.conf" to get the complete
          system configuration file of systemd how it would be loaded by PID 1
          itself. Similar to this, various tools such as systemd-tmpfiles or
          systemd-sysusers, gained a new option "--cat-config", which does the
          corresponding operation for their own configuration settings. For
          example, "systemd-tmpfiles --cat-config" will now output the full
          list of tmpfiles.d/ lines in place.

        * timedatectl gained three new verbs: "show" shows bus properties of
          systemd-timedated, "timesync-status" shows the current NTP
          synchronization state of systemd-timesyncd, and "show-timesync"
          shows bus properties of systemd-timesyncd.

        * systemd-timesyncd gained a bus interface on which it exposes details
          about its state.

        * A new environment variable $SYSTEMD_TIMEDATED_NTP_SERVICES is now
          understood by systemd-timedated. It takes a colon-separated list of
          unit names of NTP client services. The list is used by
          "timedatectl set-ntp".

        * systemd-nspawn gained a new --rlimit= switch for setting initial
          resource limits for the container payload. There's a new switch
          --hostname= to explicitly override the container's hostname. A new
          --no-new-privileges= switch may be used to control the
          PR_SET_NO_NEW_PRIVS flag for the container payload. A new
          --oom-score-adjust= switch controls the OOM scoring adjustment value
          for the payload. The new --cpu-affinity= switch controls the CPU
          affinity of the container payload. The new --resolv-conf= switch
          allows more detailed control of /etc/resolv.conf handling of the
          container. Similarly, the new --timezone= switch allows more detailed
          control of /etc/localtime handling of the container.

        * systemd-detect-virt gained a new --list switch, which will print a
          list of all currently known VM and container environments.

        * Support for "Portable Services" has been added, see
          doc/PORTABLE_SERVICES.md for details. Currently, the support is still
          experimental, but this is expected to change soon. Reflecting this
          experimental state, the "portablectl" binary is not installed into
          /usr/bin yet. The binary has to be called with the full path
          /usr/lib/systemd/portablectl instead.

        * journalctl's and systemctl's -o switch now knows a new log output
          mode "with-unit". The output it generates is very similar to the
          regular "short" mode, but displays the unit name instead of the
          syslog tag for each log line. Also, the date is shown with timezone
          information. This mode is probably more useful than the classic
          "short" output mode for most purposes, except where pixel-perfect
          compatibility with classic /var/log/messages formatting is required.

        * A new --dump-bus-properties switch has been added to the systemd
          binary, which may be used to dump all supported D-Bus properties.
          (Options which are still supported, but are deprecated, are *not*
          shown.)

        * sd-bus gained a set of new calls:
          sd_bus_slot_set_floating()/sd_bus_slot_get_floating() may be used to
          enable/disable the "floating" state of a bus slot object,
          i.e. whether the slot object pins the bus it is allocated for into
          memory or if the bus slot object gets disconnected when the bus goes
          away. sd_bus_open_with_description(),
          sd_bus_open_user_with_description(),
          sd_bus_open_system_with_description() may be used to allocate bus
          objects and set their description string already during allocation.

        * sd-event gained support for watching inotify events from the event
          loop, in an efficient way, sharing inotify handles between multiple
          users. For this a new function sd_event_add_inotify() has been added.

        * sd-event and sd-bus gained support for calling special user-supplied
          destructor functions for userdata pointers associated with
          sd_event_source, sd_bus_slot, and sd_bus_track objects. For this new
          functions sd_bus_slot_set_destroy_callback,
          sd_bus_slot_get_destroy_callback, sd_bus_track_set_destroy_callback,
          sd_bus_track_get_destroy_callback,
          sd_event_source_set_destroy_callback,
          sd_event_source_get_destroy_callback have been added.

        * The "net.ipv4.tcp_ecn" sysctl will now be turned on by default.

        * PID 1 will now automatically reschedule .timer units whenever the
          local timezone changes. (They previously got rescheduled
          automatically when the system clock changed.)

        * New documentation has been added to document cgroups delegation,
          portable services and the various code quality tools we have set up:

          https://github.com/systemd/systemd/blob/master/docs/CGROUP_DELEGATION.md
          https://github.com/systemd/systemd/blob/master/docs/PORTABLE_SERVICES.md
          https://github.com/systemd/systemd/blob/master/docs/CODE_QUALITY.md

        * The Boot Loader Specification has been added to the source tree.

          https://github.com/systemd/systemd/blob/master/docs/BOOT_LOADER_SPECIFICATION.md

          While moving it into our source tree we have updated it and further
          changes are now accepted through the usual github PR workflow.

        * pam_systemd will now look for PAM userdata fields systemd.memory_max,
          systemd.tasks_max, systemd.cpu_weight, systemd.io_weight set by
          earlier PAM modules. The data in these fields is used to initialize
          the session scope's resource properties. Thus external PAM modules
          may now configure per-session limits, for example sourced from
          external user databases.

        * socket units with Accept=yes will now maintain a "refused" counter in
          addition to the existing "accepted" counter, counting connections
          refused due to the enforced limits.

        * The "systemd-path search-binaries-default" command may now be use to
          query the default, built-in $PATH PID 1 will pass to the services it
          manages.

        * A new unit file setting PrivateMounts= has been added. It's a boolean
          option. If enabled the unit's processes are invoked in their own file
          system namespace. Note that this behaviour is also implied if any
          other file system namespacing options (such as PrivateTmp=,
          PrivateDevices=, ProtectSystem=, …) are used. This option is hence
          primarily useful for services that do not use any of the other file
          system namespacing options. One such service is systemd-udevd.service
          where this is now used by default.

        * ConditionSecurity= gained a new value "uefi-secureboot" that is true
          when the system is booted in UEFI "secure mode".

        * A new unit "system-update-pre.target" is added, which defines an
          optional synchronization point for offline system updates, as
          implemented by the pre-existing "system-update.target" unit. It
          allows ordering services before the service that executes the actual
          update process in a generic way.

        * Systemd now emits warnings whenever .include syntax is used.

        Contributions from: Adam Duskett, Alan Jenkins, Alessandro Casale,
        Alexander Kurtz, Alex Gartrell, Anssi Hannula, Arnaud Rebillout, Brian
        J. Murrell, Bruno Vernay, Chris Lamb, Chris Lesiak, Christian Brauner,
        Christian Hesse, Christian Rebischke, Colin Guthrie, Daniel Dao, Daniel
        Lin, Danylo Korostil, Davide Cavalca, David Tardon, Dimitri John
        Ledkov, Dmitriy Geels, Douglas Christman, Elia Geretto, emelenas, Emil
        Velikov, Evgeny Vereshchagin, Felipe Sateler, Feng Sun, Filipe
        Brandenburger, Franck Bui, futpib, Giuseppe Scrivano, Guillem Jover,
        guixxx, Hannes Reinecke, Hans de Goede, Harald Hoyer, Henrique Dante de
        Almeida, Hiram van Paassen, Ian Miell, Igor Gnatenko, Ivan Shapovalov,
        Iwan Timmer, James Cowgill, Jan Janssen, Jan Synacek, Jared Kazimir,
        Jérémy Rosen, João Paulo Rechi Vita, Joost Heitbrink, Jui-Chi Ricky
        Liang, Jürg Billeter, Kai-Heng Feng, Karol Augustin, Kay Sievers,
        Krzysztof Nowicki, Lauri Tirkkonen, Lennart Poettering, Leonard König,
        Long Li, Luca Boccassi, Lucas Werkmeister, Marcel Hoppe, Marc
        Kleine-Budde, Mario Limonciello, Martin Jansa, Martin Wilck, Mathieu
        Malaterre, Matteo F. Vescovi, Matthew McGinn, Matthias-Christian Ott,
        Michael Biebl, Michael Olbrich, Michael Prokop, Michal Koutný, Michal
        Sekletar, Mike Gilbert, Mikhail Kasimov, Milan Broz, Milan Pässler,
        Mladen Pejaković, Muhammet Kara, Nicolas Boichat, Omer Katz, Paride
        Legovini, Paul Menzel, Paul Milliken, Pavel Hrdina, Peter A. Bigot,
        Peter D'Hoye, Peter Hutterer, Peter Jones, Philip Sequeira, Philip
        Withnall, Piotr Drąg, Radostin Stoyanov, Ricardo Salveti de Araujo,
        Ronny Chevalier, Rosen Penev, Rubén Suárez Alvarez, Ryan Gonzalez,
        Salvo Tomaselli, Sebastian Reichel, Sergey Ptashnick, Sergio Lindo
        Mansilla, Stefan Schweter, Stephen Hemminger, Stuart Hayes, Susant
        Sahani, Sylvain Plantefève, Thomas H. P. Andersen, Tobias Jungel,
        Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van Mourik,
        Yu Watanabe, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2018-06-22

CHANGES WITH 238:

        * The MemoryAccounting= unit property now defaults to on. After
          discussions with the upstream control group maintainers we learnt
          that the negative impact of cgroup memory accounting on current
          kernels is finally relatively minimal, so that it should be safe to
          enable this by default without affecting system performance. Besides
          memory accounting only task accounting is turned on by default, all
          other forms of resource accounting (CPU, IO, IP) remain off for now,
          because it's not clear yet that their impact is small enough to move
          from opt-in to opt-out. We recommend downstreams to leave memory
          accounting on by default if kernel 4.14 or higher is primarily
          used. On very resource constrained systems or when support for old
          kernels is a necessity, -Dmemory-accounting-default=false can be used
          to revert this change.

        * rpm scriptlets to update the udev hwdb and rules (%udev_hwdb_update,
          %udev_rules_update) and the journal catalog (%journal_catalog_update)
          from the upgrade scriptlets of individual packages now do nothing.
          Transfiletriggers have been added which will perform those updates
          once at the end of the transaction.

          Similar transfiletriggers have been added to execute any sysctl.d
          and binfmt.d rules. Thus, it should be unnecessary to provide any
          scriptlets to execute this configuration from package installation
          scripts.

        * systemd-sysusers gained a mode where the configuration to execute is
          specified on the command line, but this configuration is not executed
          directly, but instead it is merged with the configuration on disk,
          and the result is executed. This is useful for package installation
          scripts which want to create the user before installing any files on
          disk (in case some of those files are owned by that user), while
          still allowing local admin overrides.

          This functionality is exposed to rpm scriptlets through a new
          %sysusers_create_package macro. Old %sysusers_create and
          %sysusers_create_inline macros are deprecated.

          A transfiletrigger for sysusers.d configuration is now installed,
          which means that it should be unnecessary to call systemd-sysusers from
          package installation scripts, unless the package installs any files
          owned by those newly-created users, in which case
          %sysusers_create_package should be used.

        * Analogous change has been done for systemd-tmpfiles: it gained a mode
          where the command-line configuration is merged with the configuration
          on disk. This is exposed as the new %tmpfiles_create_package macro,
          and %tmpfiles_create is deprecated. A transfiletrigger is installed
          for tmpfiles.d, hence it should be unnecessary to call systemd-tmpfiles
          from package installation scripts.

        * sysusers.d configuration for a user may now also specify the group
          number, in addition to the user number ("u username 123:456"), or
          without the user number ("u username -:456").

        * Configution items for systemd-sysusers can now be specified as
          positional arguments when the new --inline switch is used.

        * The login shell of users created through sysusers.d may now be
          specified (previously, it was always /bin/sh for root and
          /sbin/nologin for other users).

        * systemd-analyze gained a new --global switch to look at global user
          configuration. It also gained a unit-paths verb to list the unit load
          paths that are compiled into systemd (which can be used with
          --systemd, --user, or --global).

        * udevadm trigger gained a new --settle/-w option to wait for any
          triggered events to finish (but just those, and not any other events
          which are triggered meanwhile).

        * The action that systemd-logind takes when the lid is closed and the
          machine is connected to external power can now be configured using
          HandleLidSwitchExternalPower= in logind.conf. Previously, this action
          was determined by HandleLidSwitch=, and, for backwards compatibility,
          is still is, if HandleLidSwitchExternalPower= is not explicitly set.

        * journalctl will periodically call sd_journal_process() to make it
          resilient against inotify queue overruns when journal files are
          rotated very quickly.

        * Two new functions in libsystemd — sd_bus_get_n_queued_read and
          sd_bus_get_n_queued_write — may be used to check the number of
          pending bus messages.

        * systemd gained a new
          org.freedesktop.systemd1.Manager.AttachProcessesToUnit dbus call
          which can be used to migrate foreign processes to scope and service
          units. The primary user for this new API is systemd itself: the
          systemd --user instance uses this call of the systemd --system
          instance to migrate processes if it itself gets the request to
          migrate processes and the kernel refuses this due to access
          restrictions.  Thanks to this "systemd-run --scope --user …" works
          again in pure cgroup v2 environments when invoked from the user
          session scope.

        * A new TemporaryFileSystem= setting can be used to mask out part of
          the real file system tree with tmpfs mounts. This may be combined
          with BindPaths= and BindReadOnlyPaths= to hide files or directories
          not relevant to the unit, while still allowing some paths lower in
          the tree to be accessed.

          ProtectHome=tmpfs may now be used to hide user home and runtime
          directories from units, in a way that is mostly equivalent to
          "TemporaryFileSystem=/home /run/user /root".

        * Non-service units are now started with KeyringMode=shared by default.
          This means that mount and swapon and other mount tools have access
          to keys in the main keyring.

        * /sys/fs/bpf is now mounted automatically.

        * QNX virtualization is now detected by systemd-detect-virt and may
          be used in ConditionVirtualization=.

        * IPAccounting= may now be enabled also for slice units.

        * A new -Dsplit-bin= build configuration switch may be used to specify
          whether bin and sbin directories are merged, or if they should be
          included separately in $PATH and various listings of executable
          directories. The build configuration scripts will try to autodetect
          the proper values of -Dsplit-usr= and -Dsplit-bin= based on build
          system, but distributions are encouraged to configure this
          explicitly.

        * A new -Dok-color= build configuration switch may be used to change
          the colour of "OK" status messages.

        * UPGRADE ISSUE: serialization of units using JoinsNamespaceOf= with
          PrivateNetwork=yes was buggy in previous versions of systemd. This
          means that after the upgrade and daemon-reexec, any such units must
          be restarted.

        * INCOMPATIBILITY: as announced in the NEWS for 237, systemd-tmpfiles
          will not exclude read-only files owned by root from cleanup.

        Contributions from: Alan Jenkins, Alexander F Rødseth, Alexis Jeandet,
        Andika Triwidada, Andrei Gherzan, Ansgar Burchardt, antizealot1337,
        Batuhan Osman Taşkaya, Beniamino Galvani, Bill Yodlowsky, Caio Marcelo
        de Oliveira Filho, CuBiC, Daniele Medri, Daniel Mouritzen, Daniel
        Rusek, Davide Cavalca, Dimitri John Ledkov, Douglas Christman, Evgeny
        Vereshchagin, Faalagorn, Filipe Brandenburger, Franck Bui, futpib,
        Giacomo Longo, Gunnar Hjalmarsson, Hans de Goede, Hermann Gausterer,
        Iago López Galeiras, Jakub Filak, Jan Synacek, Jason A. Donenfeld,
        Javier Martinez Canillas, Jérémy Rosen, Lennart Poettering, Lucas
        Werkmeister, Mao Huang, Marco Gulino, Michael Biebl, Michael Vogt,
        MilhouseVH, Neal Gompa (ニール・ゴンパ), Oleander Reis, Olof Mogren,
        Patrick Uiterwijk, Peter Hutterer, Peter Portante, Piotr Drąg, Robert
        Antoni Buj Gelonch, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon
        Fowler, SjonHortensius, snorreflorre, Susant Sahani, Sylvain
        Plantefève, Thomas Blume, Thomas Haller, Vito Caputo, Yu Watanabe,
        Zbigniew Jędrzejewski-Szmek, Марко М. Костић (Marko M. Kostić)

        — Warsaw, 2018-03-05

CHANGES WITH 237:

        * Some keyboards come with a zoom see-saw or rocker which until now got
          mapped to the Linux "zoomin/out" keys in hwdb. However, these
          keycodes are not recognized by any major desktop. They now produce
          Up/Down key events so that they can be used for scrolling.

        * INCOMPATIBILITY: systemd-tmpfiles' "f" lines changed behaviour
          slightly: previously, if an argument was specified for lines of this
          type (i.e. the right-most column was set) this string was appended to
          existing files each time systemd-tmpfiles was run. This behaviour was
          different from what the documentation said, and not particularly
          useful, as repeated systemd-tmpfiles invocations would not be
          idempotent and grow such files without bounds. With this release
          behaviour has been altered to match what the documentation says:
          lines of this type only have an effect if the indicated files don't
          exist yet, and only then the argument string is written to the file.

        * FUTURE INCOMPATIBILITY: In systemd v238 we intend to slightly change
          systemd-tmpfiles behaviour: previously, read-only files owned by root
          were always excluded from the file "aging" algorithm (i.e. the
          automatic clean-up of directories like /tmp based on
          atime/mtime/ctime). We intend to drop this restriction, and age files
          by default even when owned by root and read-only. This behaviour was
          inherited from older tools, but there have been requests to remove
          it, and it's not obvious why this restriction was made in the first
          place. Please speak up now, if you are aware of software that requires
          this behaviour, otherwise we'll remove the restriction in v238.

        * A new environment variable $SYSTEMD_OFFLINE is now understood by
          systemctl. It takes a boolean argument. If on, systemctl assumes it
          operates on an "offline" OS tree, and will not attempt to talk to the
          service manager. Previously, this mode was implicitly enabled if a
          chroot() environment was detected, and this new environment variable
          now provides explicit control.

        * .path and .socket units may now be created transiently, too.
          Previously only service, mount, automount and timer units were
          supported as transient units. The systemd-run tool has been updated
          to expose this new functionality, you may hence use it now to bind
          arbitrary commands to path or socket activation on-the-fly from the
          command line. Moreover, almost all properties are now exposed for the
          unit types that already supported transient operation.

        * The systemd-mount command gained support for a new --owner= parameter
          which takes a user name, which is then resolved and included in uid=
          and gid= mount options string of the file system to mount.

        * A new unit condition ConditionControlGroupController= has been added
          that checks whether a specific cgroup controller is available.

        * Unit files, udev's .link files, and systemd-networkd's .netdev and
          .network files all gained support for a new condition
          ConditionKernelVersion= for checking against specific kernel
          versions.

        * In systemd-networkd, the [IPVLAN] section in .netdev files gained
          support for configuring device flags in the Flags= setting. In the
          same files, the [Tunnel] section gained support for configuring
          AllowLocalRemote=.  The [Route] section in .network files gained
          support for configuring InitialCongestionWindow=,
          InitialAdvertisedReceiveWindow= and QuickAck=. The [DHCP] section now
          understands RapidCommit=.

        * systemd-networkd's DHCPv6 support gained support for Prefix
          Delegation.

        * sd-bus gained support for a new "watch-bind" feature. When this
          feature is enabled, an sd_bus connection may be set up to connect to
          an AF_UNIX socket in the file system as soon as it is created. This
          functionality is useful for writing early-boot services that
          automatically connect to the system bus as soon as it is started,
          without ugly time-based polling. systemd-networkd and
          systemd-resolved have been updated to make use of this
          functionality. busctl exposes this functionality in a new
          --watch-bind= command line switch.

        * sd-bus will now optionally synthesize a local "Connected" signal as
          soon as a D-Bus connection is set up fully. This message mirrors the
          already existing "Disconnected" signal which is synthesized when the
          connection is terminated. This signal is generally useful but
          particularly handy in combination with the "watch-bind" feature
          described above. Synthesizing of this message has to be requested
          explicitly through the new API call sd_bus_set_connected_signal(). In
          addition a new call sd_bus_is_ready() has been added that checks
          whether a connection is fully set up (i.e. between the "Connected" and
          "Disconnected" signals).

        * sd-bus gained two new calls sd_bus_request_name_async() and
          sd_bus_release_name_async() for asynchronously registering bus
          names. Similar, there is now sd_bus_add_match_async() for installing
          a signal match asynchronously. All of systemd's own services have
          been updated to make use of these calls. Doing these operations
          asynchronously has two benefits: it reduces the risk of deadlocks in
          case of cyclic dependencies between bus services, and it speeds up
          service initialization since synchronization points for bus
          round-trips are removed.

        * sd-bus gained two new calls sd_bus_match_signal() and
          sd_bus_match_signal_async(), which are similar to sd_bus_add_match()
          and sd_bus_add_match_async() but instead of taking a D-Bus match
          string take match fields as normal function parameters.

        * sd-bus gained two new calls sd_bus_set_sender() and
          sd_bus_message_set_sender() for setting the sender name of outgoing
          messages (either for all outgoing messages or for just one specific
          one). These calls are only useful in direct connections as on
          brokered connections the broker fills in the sender anyway,
          overwriting whatever the client filled in.

        * sd-event gained a new pseudo-handle that may be specified on all API
          calls where an "sd_event*" object is expected: SD_EVENT_DEFAULT. When
          used this refers to the default event loop object of the calling
          thread. Note however that this does not implicitly allocate one —
          which has to be done prior by using sd_event_default(). Similarly
          sd-bus gained three new pseudo-handles SD_BUS_DEFAULT,
          SD_BUS_DEFAULT_USER, SD_BUS_DEFAULT_SYSTEM that may be used to refer
          to the default bus of the specified type of the calling thread. Here
          too this does not implicitly allocate bus connection objects, this
          has to be done prior with sd_bus_default() and friends.

        * sd-event gained a new call pair
          sd_event_source_{get|set}_io_fd_own(). This may be used to request
          automatic closure of the file descriptor an IO event source watches
          when the event source is destroyed.

        * systemd-networkd gained support for natively configuring WireGuard
          connections.

        * In previous versions systemd synthesized user records both for the
          "nobody" (UID 65534) and "root" (UID 0) users in nss-systemd and
          internally. In order to simplify distribution-wide renames of the
          "nobody" user (like it is planned in Fedora: nfsnobody → nobody), a
          new transitional flag file has been added: if
          /etc/systemd/dont-synthesize-nobody exists synthesizing of the 65534
          user and group record within the systemd codebase is disabled.

        * systemd-notify gained a new --uid= option for selecting the source
          user/UID to use for notification messages sent to the service
          manager.

        * journalctl gained a new --grep= option to list only entries in which
          the message matches a certain pattern. By default matching is case
          insensitive if the pattern is lowercase, and case sensitive
          otherwise. Option --case-sensitive=yes|no can be used to override
          this an specify case sensitivity or case insensitivity.

        * There's now a "systemd-analyze service-watchdogs" command for printing
          the current state of the service runtime watchdog, and optionally
          enabling or disabling the per-service watchdogs system-wide if given a
          boolean argument (i.e. the concept you configure in WatchdogSec=), for
          debugging purposes. There's also a kernel command line option
          systemd.service_watchdogs= for controlling the same.

        * Two new "log-level" and "log-target" options for systemd-analyze were
          added that merge the now deprecated get-log-level, set-log-level and
          get-log-target, set-log-target pairs. The deprecated options are still
          understood for backwards compatibility. The two new options print the
          current value when no arguments are given, and set them when a
          level/target is given as an argument.

        * sysusers.d's "u" lines now optionally accept both a UID and a GID
          specification, separated by a ":" character, in order to create users
          where UID and GID do not match.

        Contributions from: Adam Duskett, Alan Jenkins, Alexander Kuleshov,
        Alexis Deruelle, Andrew Jeddeloh, Armin Widegreen, Batuhan Osman
        Taşkaya, Björn Esser, bleep_blop, Bruce A. Johnson, Chris Down, Clinton
        Roy, Colin Walters, Daniel Rusek, Dimitri John Ledkov, Dmitry Rozhkov,
        Evgeny Vereshchagin, Ewout van Mansom, Felipe Sateler, Franck Bui,
        Frantisek Sumsal, George Gaydarov, Gianluca Boiano, Hans-Christian
        Noren Egtvedt, Hans de Goede, Henrik Grindal Bakken, Jan Alexander
        Steffens, Jan Klötzke, Jason A. Donenfeld, jdkbx, Jérémy Rosen,
        Jerónimo Borque, John Lin, John Paul Herold, Jonathan Rudenberg, Jörg
        Thalheim, Ken (Bitsko) MacLeod, Larry Bernstone, Lennart Poettering,
        Lucas Werkmeister, Maciej S. Szmigiero, Marek Čermák, Martin Pitt,
        Mathieu Malaterre, Matthew Thode, Matthias-Christian Ott, Max Harmathy,
        Michael Biebl, Michael Vogt, Michal Koutný, Michal Sekletar, Michał
        Szczepański, Mike Gilbert, Nathaniel McCallum, Nicolas Chauvet, Olaf
        Hering, Olivier Schwander, Patrik Flykt, Paul Cercueil, Peter Hutterer,
        Piotr Drąg, Raphael Vogelgsang, Reverend Homer, Robert Kolchmeyer,
        Samuel Dionne-Riel, Sergey Ptashnick, Shawn Landden, Susant Sahani,
        Sylvain Plantefève, Thomas H. P. Andersen, Thomas Huth, Tomasz
        Bachorski, Vladislav Vishnyakov, Wieland Hoffmann, Yu Watanabe, Zachary
        Winnerman, Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски, Дилян
        Палаузов

        — Brno, 2018-01-28

CHANGES WITH 236:

        * The modprobe.d/ drop-in for the bonding.ko kernel module introduced
          in v235 has been extended to also set the dummy.ko module option
          numdummies=0, preventing the kernel from automatically creating
          dummy0. All dummy interfaces must now be explicitly created.

        * Unknown '%' specifiers in configuration files are now rejected. This
          applies to units and tmpfiles.d configuration. Any percent characters
          that are followed by a letter or digit that are not supposed to be
          interpreted as the beginning of a specifier should be escaped by
          doubling ("%%").  (So "size=5%" is still accepted, as well as
          "size=5%,foo=bar", but not "LABEL=x%y%z" since %y and %z are not
          valid specifiers today.)

        * systemd-resolved now maintains a new dynamic
          /run/systemd/resolve/stub-resolv.conf compatibility file. It is
          recommended to make /etc/resolv.conf a symlink to it. This file
          points at the systemd-resolved stub DNS 127.0.0.53 resolver and
          includes dynamically acquired search domains, achieving more correct
          DNS resolution by software that bypasses local DNS APIs such as NSS.

        * The "uaccess" udev tag has been dropped from /dev/kvm and
          /dev/dri/renderD*.  These devices now have the 0666 permissions by
          default (but this may be changed at build-time). /dev/dri/renderD*
          will now be owned by the "render" group along with /dev/kfd.

        * "DynamicUser=yes" has been enabled for systemd-timesyncd.service,
          systemd-journal-gatewayd.service and
          systemd-journal-upload.service. This means "nss-systemd" must be
          enabled in /etc/nsswitch.conf to ensure the UIDs assigned to these
          services are resolved properly.

        * In /etc/fstab two new mount options are now understood:
          x-systemd.makefs and x-systemd.growfs. The former has the effect that
          the configured file system is formatted before it is mounted, the
          latter that the file system is resized to the full block device size
          after it is mounted (i.e. if the file system is smaller than the
          partition it resides on, it's grown). This is similar to the fsck
          logic in /etc/fstab, and pulls in systemd-makefs@.service and
          systemd-growfs@.service as necessary, similar to
          systemd-fsck@.service. Resizing is currently only supported on ext4
          and btrfs.

        * In systemd-networkd, the IPv6 RA logic now optionally may announce
          DNS server and domain information.

        * Support for the LUKS2 on-disk format for encrypted partitions has
          been added. This requires libcryptsetup2 during compilation and
          runtime.

        * The systemd --user instance will now signal "readiness" when its
          basic.target unit has been reached, instead of when the run queue ran
          empty for the first time.

        * Tmpfiles.d with user configuration are now also supported.
          systemd-tmpfiles gained a new --user switch, and snippets placed in
          ~/.config/user-tmpfiles.d/ and corresponding directories will be
          executed by systemd-tmpfiles --user running in the new
          systemd-tmpfiles-setup.service and systemd-tmpfiles-clean.service
          running in the user session.

        * Unit files and tmpfiles.d snippets learnt three new % specifiers:
          %S resolves to the top-level state directory (/var/lib for the system
          instance, $XDG_CONFIG_HOME for the user instance), %C resolves to the
          top-level cache directory (/var/cache for the system instance,
          $XDG_CACHE_HOME for the user instance), %L resolves to the top-level
          logs directory (/var/log for the system instance,
          $XDG_CONFIG_HOME/log/ for the user instance). This matches the
          existing %t specifier, that resolves to the top-level runtime
          directory (/run for the system instance, and $XDG_RUNTIME_DIR for the
          user instance).

        * journalctl learnt a new parameter --output-fields= for limiting the
          set of journal fields to output in verbose and JSON output modes.

        * systemd-timesyncd's configuration file gained a new option
          RootDistanceMaxSec= for setting the maximum root distance of servers
          it'll use, as well as the new options PollIntervalMinSec= and
          PollIntervalMaxSec= to tweak the minimum and maximum poll interval.

        * bootctl gained a new command "list" for listing all available boot
          menu items on systems that follow the boot loader specification.

        * systemctl gained a new --dry-run switch that shows what would be done
          instead of doing it, and is currently supported by the shutdown and
          sleep verbs.

        * ConditionSecurity= can now detect the TOMOYO security module.

        * Unit file [Install] sections are now also respected in unit drop-in
          files. This is intended to be used by drop-ins under /usr/lib/.

        * systemd-firstboot may now also set the initial keyboard mapping.

        * Udev "changed" events for devices which are exposed as systemd
          .device units are now propagated to units specified in
          ReloadPropagatedFrom= as reload requests.

        * If a udev device has a SYSTEMD_WANTS= property containing a systemd
          unit template name (i.e. a name in the form of 'foobar@.service',
          without the instance component between the '@' and - the '.'), then
          the escaped sysfs path of the device is automatically used as the
          instance.

        * SystemCallFilter= in unit files has been extended so that an "errno"
          can be specified individually for each system call. Example:
          SystemCallFilter=~uname:EILSEQ.

        * The cgroup delegation logic has been substantially updated. Delegate=
          now optionally takes a list of controllers (instead of a boolean, as
          before), which lists the controllers to delegate at least.

        * The networkd DHCPv6 client now implements the FQDN option (RFC 4704).

        * A new LogLevelMax= setting configures the maximum log level any
          process of the service may log at (i.e. anything with a lesser
          priority than what is specified is automatically dropped). A new
          LogExtraFields= setting allows configuration of additional journal
          fields to attach to all log records generated by any of the unit's
          processes.

        * New StandardInputData= and StandardInputText= settings along with the
          new option StandardInput=data may be used to configure textual or
          binary data that shall be passed to the executed service process via
          standard input, encoded in-line in the unit file.

        * StandardInput=, StandardOutput= and StandardError= may now be used to
          connect stdin/stdout/stderr of executed processes directly with a
          file or AF_UNIX socket in the file system, using the new "file:" option.

        * A new unit file option CollectMode= has been added, that allows
          tweaking the garbage collection logic for units. It may be used to
          tell systemd to garbage collect units that have failed automatically
          (normally it only GCs units that exited successfully). systemd-run
          and systemd-mount expose this new functionality with a new -G option.

        * "machinectl bind" may now be used to bind mount non-directories
          (i.e. regularfiles, devices, fifos, sockets).

        * systemd-analyze gained a new verb "calendar" for validating and
          testing calendar time specifications to use for OnCalendar= in timer
          units. Besides validating the expression it will calculate the next
          time the specified expression would elapse.

        * In addition to the pre-existing FailureAction= unit file setting
          there's now SuccessAction=, for configuring a shutdown action to
          execute when a unit completes successfully. This is useful in
          particular inside containers that shall terminate after some workload
          has been completed. Also, both options are now supported for all unit
          types, not just services.

        * networkds's IP rule support gained two new options
          IncomingInterface= and OutgoingInterface= for configuring the incoming
          and outgoing interfaces of configured rules. systemd-networkd also
          gained support for "vxcan" network devices.

        * networkd gained a new setting RequiredForOnline=, taking a
          boolean. If set, systemd-wait-online will take it into consideration
          when determining that the system is up, otherwise it will ignore the
          interface for this purpose.

        * The sd_notify() protocol gained support for a new operation: with
          FDSTOREREMOVE=1 file descriptors may be removed from the per-service
          store again, ahead of POLLHUP or POLLERR when they are removed
          anyway.

        * A new document doc/UIDS-GIDS.md has been added to the source tree,
          that documents the UID/GID range and assignment assumptions and
          requirements of systemd.

        * The watchdog device PID 1 will ping may now be configured through the
          WatchdogDevice= configuration file setting, or by setting the
          systemd.watchdog_service= kernel commandline option.

        * systemd-resolved's gained support for registering DNS-SD services on
          the local network using MulticastDNS. Services may either be
          registered by dropping in a .dnssd file in /etc/systemd/dnssd/ (or
          the same dir below /run, /usr/lib), or through its D-Bus API.

        * The sd_notify() protocol can now with EXTEND_TIMEOUT_USEC=microsecond
          extend the effective start, runtime, and stop time. The service must
          continue to send EXTEND_TIMEOUT_USEC within the period specified to
          prevent the service manager from making the service as timedout.

        * systemd-resolved's DNSSEC support gained support for RFC 8080
          (Ed25519 keys and signatures).

        * The systemd-resolve command line tool gained a new set of options
          --set-dns=, --set-domain=, --set-llmnr=, --set-mdns=, --set-dnssec=,
          --set-nta= and --revert to configure per-interface DNS configuration
          dynamically during runtime. It's useful for pushing DNS information
          into systemd-resolved from DNS hook scripts that various interface
          managing software supports (such as pppd).

        * systemd-nspawn gained a new --network-namespace-path= command line
          option, which may be used to make a container join an existing
          network namespace, by specifying a path to a "netns" file.

        Contributions from: Alan Jenkins, Alan Robertson, Alessandro Ghedini,
        Andrew Jeddeloh, Antonio Rojas, Ari, asavah, bleep_blop, Carsten
        Strotmann, Christian Brauner, Christian Hesse, Clinton Roy, Collin
        Eggert, Cong Wang, Daniel Black, Daniel Lockyer, Daniel Rusek, Dimitri
        John Ledkov, Dmitry Rozhkov, Dongsu Park, Edward A. James, Evgeny
        Vereshchagin, Florian Klink, Franck Bui, Gwendal Grignou, Hans de
        Goede, Harald Hoyer, Hristo Venev, Iago López Galeiras, Ikey Doherty,
        Jakub Wilk, Jérémy Rosen, Jiahui Xie, John Lin, José Bollo, Josef
        Andersson, juga0, Krzysztof Nowicki, Kyle Walker, Lars Karlitski, Lars
        Kellogg-Stedman, Lauri Tirkkonen, Lennart Poettering, Lubomir Rintel,
        Luca Bruno, Lucas Werkmeister, Lukáš Nykrýn, Lukáš Říha, Lukasz
        Rubaszewski, Maciej S. Szmigiero, Mantas Mikulėnas, Marcus Folkesson,
        Martin Steuer, Mathieu Trudel-Lapierre, Matija Skala,
        Matthias-Christian Ott, Max Resch, Michael Biebl, Michael Vogt, Michal
        Koutný, Michal Sekletar, Mike Gilbert, Muhammet Kara, Neil Brown, Olaf
        Hering, Ondrej Kozina, Patrik Flykt, Patryk Kocielnik, Peter Hutterer,
        Piotr Drąg, Razvan Cojocaru, Robin McCorkell, Roland Hieber, Saran
        Tunyasuvunakool, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon
        Arlott, Simon Peeters, Stanislav Angelovič, Stefan Agner, Susant
        Sahani, Sylvain Plantefève, Thomas Blume, Thomas Haller, Tiago Salem
        Herrmann, Tinu Weber, Tom Stellard, Topi Miettinen, Torsten Hilbrich,
        Vito Caputo, Vladislav Vishnyakov, WaLyong Cho, Yu Watanabe, Zbigniew
        Jędrzejewski-Szmek, Zeal Jagannatha

        — Berlin, 2017-12-14

CHANGES WITH 235:

        * INCOMPATIBILITY: systemd-logind.service and other long-running
          services now run inside an IPv4/IPv6 sandbox, prohibiting them any IP
          communication with the outside. This generally improves security of
          the system, and is in almost all cases a safe and good choice, as
          these services do not and should not provide any network-facing
          functionality. However, systemd-logind uses the glibc NSS API to
          query the user database. This creates problems on systems where NSS
          is set up to directly consult network services for user database
          lookups. In particular, this creates incompatibilities with the
          "nss-nis" module, which attempts to directly contact the NIS/YP
          network servers it is configured for, and will now consistently
          fail. In such cases, it is possible to turn off IP sandboxing for
          systemd-logind.service (set IPAddressDeny= in its [Service] section
          to the empty string, via a .d/ unit file drop-in). Downstream
          distributions might want to update their nss-nis packaging to include
          such a drop-in snippet, accordingly, to hide this incompatibility
          from the user. Another option is to make use of glibc's nscd service
          to proxy such network requests through a privilege-separated, minimal
          local caching daemon, or to switch to more modern technologies such
          sssd, whose NSS hook-ups generally do not involve direct network
          access. In general, we think it's definitely time to question the
          implementation choices of nss-nis, i.e. whether it's a good idea
          today to embed a network-facing loadable module into all local
          processes that need to query the user database, including the most
          trivial and benign ones, such as "ls". For more details about
          IPAddressDeny= see below.

        * A new modprobe.d drop-in is now shipped by default that sets the
          bonding module option max_bonds=0. This overrides the kernel default,
          to avoid conflicts and ambiguity as to whether or not bond0 should be
          managed by systemd-networkd or not. This resolves multiple issues
          with bond0 properties not being applied, when bond0 is configured
          with systemd-networkd. Distributors may choose to not package this,
          however in that case users will be prevented from correctly managing
          bond0 interface using systemd-networkd.

        * systemd-analyze gained new verbs "get-log-level" and "get-log-target"
          which print the logging level and target of the system manager. They
          complement the existing "set-log-level" and "set-log-target" verbs
          used to change those values.

        * journald.conf gained a new boolean setting ReadKMsg= which defaults
          to on. If turned off kernel log messages will not be read by
          systemd-journald or included in the logs. It also gained a new
          setting LineMax= for configuring the maximum line length in
          STDOUT/STDERR log streams. The new default for this value is 48K, up
          from the previous hardcoded 2048.

        * A new unit setting RuntimeDirectoryPreserve= has been added, which
          allows more detailed control of what to do with a runtime directory
          configured with RuntimeDirectory= (i.e. a directory below /run or
          $XDG_RUNTIME_DIR) after a unit is stopped.

        * The RuntimeDirectory= setting for units gained support for creating
          deeper subdirectories below /run or $XDG_RUNTIME_DIR, instead of just
          one top-level directory.

        * Units gained new options StateDirectory=, CacheDirectory=,
          LogsDirectory= and ConfigurationDirectory= which are closely related
          to RuntimeDirectory= but manage per-service directories below
          /var/lib, /var/cache, /var/log and /etc. By making use of them it is
          possible to write unit files which when activated automatically gain
          properly owned service specific directories in these locations, thus
          making unit files self-contained and increasing compatibility with
          stateless systems and factory reset where /etc or /var are
          unpopulated at boot. Matching these new settings there's also
          StateDirectoryMode=, CacheDirectoryMode=, LogsDirectoryMode=,
          ConfigurationDirectoryMode= for configuring the access mode of these
          directories. These settings are particularly useful in combination
          with DynamicUser=yes as they provide secure, properly-owned,
          writable, and stateful locations for storage, excluded from the
          sandbox that such services live in otherwise.

        * Automake support has been removed from this release. systemd is now
          Meson-only.

        * systemd-journald will now aggressively cache client metadata during
          runtime, speeding up log write performance under pressure. This comes
          at a small price though: as much of the metadata is read
          asynchronously from /proc/ (and isn't implicitly attached to log
          datagrams by the kernel, like UID/GID/PID/SELinux are) this means the
          metadata stored alongside a log entry might be slightly
          out-of-date. Previously it could only be slightly newer than the log
          message. The time window is small however, and given that the kernel
          is unlikely to be improved anytime soon in this regard, this appears
          acceptable to us.

        * nss-myhostname/systemd-resolved will now by default synthesize an
          A/AAAA resource record for the "_gateway" hostname, pointing to the
          current default IP gateway. Previously it did that for the "gateway"
          name, hampering adoption, as some distributions wanted to leave that
          hostname open for local use. The old behaviour may still be
          requested at build time.

        * systemd-networkd's [Address] section in .network files gained a new
          Scope= setting for configuring the IP address scope. The [Network]
          section gained a new boolean setting ConfigureWithoutCarrier= that
          tells systemd-networkd to ignore link sensing when configuring the
          device. The [DHCP] section gained a new Anonymize= boolean option for
          turning on a number of options suggested in RFC 7844. A new
          [RoutingPolicyRule] section has been added for configuring the IP
          routing policy. The [Route] section has gained support for a new
          Type= setting which permits configuring
          blackhole/unreachable/prohibit routes.

        * The [VRF] section in .netdev files gained a new Table= setting for
          configuring the routing table to use. The [Tunnel] section gained a
          new Independent= boolean field for configuring tunnels independent of
          an underlying network interface. The [Bridge] section gained a new
          GroupForwardMask= option for configuration of propagation of link
          local frames between bridge ports.

        * The WakeOnLan= setting in .link files gained support for a number of
          new modes. A new TCP6SegmentationOffload= setting has been added for
          configuring TCP/IPv6 hardware segmentation offload.

        * The IPv6 RA sender implementation may now optionally send out RDNSS
          and RDNSSL records to supply DNS configuration to peers.

        * systemd-nspawn gained support for a new --system-call-filter= command
          line option for adding and removing entries in the default system
          call filter it applies. Moreover systemd-nspawn has been changed to
          implement a system call allow list instead of a deny list.

        * systemd-run gained support for a new --pipe command line option. If
          used the STDIN/STDOUT/STDERR file descriptors passed to systemd-run
          are directly passed on to the activated transient service
          executable. This allows invoking arbitrary processes as systemd
          services (for example to take benefit of dependency management,
          accounting management, resource management or log management that is
          done automatically for services) — while still allowing them to be
          integrated in a classic UNIX shell pipeline.

        * When a service sends RELOAD=1 via sd_notify() and reload propagation
          using ReloadPropagationTo= is configured, a reload is now propagated
          to configured units. (Previously this was only done on explicitly
          requested reloads, using "systemctl reload" or an equivalent
          command.)

        * For each service unit a restart counter is now kept: it is increased
          each time the service is restarted due to Restart=, and may be
          queried using "systemctl show -p NRestarts …".

        * New system call filter groups @aio, @sync, @chown, @setuid, @memlock,
          @signal and @timer have been added, for usage with SystemCallFilter=
          in unit files and the new --system-call-filter= command line option
          of systemd-nspawn (see above).

        * ExecStart= lines in unit files gained two new modifiers: when a
          command line is prefixed with "!" the command will be executed as
          configured, except for the credentials applied by
          setuid()/setgid()/setgroups(). It is very similar to the pre-existing
          "+", but does still apply namespacing options unlike "+". There's
          also "!!" now, which is mostly identical, but becomes a NOP on
          systems that support ambient capabilities. This is useful to write
          unit files that work with ambient capabilities where possible but
          automatically fall back to traditional privilege dropping mechanisms
          on systems where this is not supported.

        * ListenNetlink= settings in socket units now support RDMA netlink
          sockets.

        * A new unit file setting LockPersonality= has been added which permits
          locking down the chosen execution domain ("personality") of a service
          during runtime.

        * A new special target "getty-pre.target" has been added, which is
          ordered before all text logins, and may be used to order services
          before textual logins acquire access to the console.

        * systemd will now attempt to load the virtio-rng.ko kernel module very
          early on if a VM environment supporting this is detected. This should
          improve entropy during early boot in virtualized environments.

        * A _netdev option is now supported in /etc/crypttab that operates in a
          similar way as the same option in /etc/fstab: it permits configuring
          encrypted devices that need to be ordered after the network is up.
          Following this logic, two new special targets
          remote-cryptsetup-pre.target and remote-cryptsetup.target have been
          added that are to cryptsetup.target what remote-fs.target and
          remote-fs-pre.target are to local-fs.target.

        * Service units gained a new UnsetEnvironment= setting which permits
          unsetting specific environment variables for services that are
          normally passed to it (for example in order to mask out locale
          settings for specific services that can't deal with it).

        * Units acquired a new boolean option IPAccounting=. When turned on, IP
          traffic accounting (packet count as well as byte count) is done for
          the service, and shown as part of "systemctl status" or "systemd-run
          --wait".

        * Service units acquired two new options IPAddressAllow= and
          IPAddressDeny=, taking a list of IPv4 or IPv6 addresses and masks,
          for configuring a simple IP access control list for all sockets of
          the unit. These options are available also on .slice and .socket
          units, permitting flexible access list configuration for individual
          services as well as groups of services (as defined by a slice unit),
          including system-wide. Note that IP ACLs configured this way are
          enforced on every single IPv4 and IPv6 socket created by any process
          of the service unit, and apply to ingress as well as egress traffic.

        * If CPUAccounting= or IPAccounting= is turned on for a unit a new
          structured log message is generated each time the unit is stopped,
          containing information about the consumed resources of this
          invocation.

        * A new setting KeyringMode= has been added to unit files, which may be
          used to control how the kernel keyring is set up for executed
          processes.

        * "systemctl poweroff", "systemctl reboot", "systemctl halt",
          "systemctl kexec" and "systemctl exit" are now always asynchronous in
          behaviour (that is: these commands return immediately after the
          operation was enqueued instead of waiting for the operation to
          complete). Previously, "systemctl poweroff" and "systemctl reboot"
          were asynchronous on systems using systemd-logind (i.e. almost
          always, and like they were on sysvinit), and the other three commands
          were unconditionally synchronous. With this release this is cleaned
          up, and callers will see the same asynchronous behaviour on all
          systems for all five operations.

        * systemd-logind gained new Halt() and CanHalt() bus calls for halting
          the system.

        * .timer units now accept calendar specifications in other timezones
          than UTC or the local timezone.

        * The tmpfiles snippet var.conf has been changed to create
          /var/log/btmp with access mode 0660 instead of 0600. It was owned by
          the "utmp" group already, and it appears to be generally understood
          that members of "utmp" can modify/flush the utmp/wtmp/lastlog/btmp
          databases. Previously this was implemented correctly for all these
          databases excepts btmp, which has been opened up like this now
          too. Note that while the other databases are world-readable
          (i.e. 0644), btmp is not and remains more restrictive.

        * The systemd-resolve tool gained a new --reset-server-features
          switch. When invoked like this systemd-resolved will forget
          everything it learnt about the features supported by the configured
          upstream DNS servers, and restarts the feature probing logic on the
          next resolver look-up for them at the highest feature level
          again.

        * The status dump systemd-resolved sends to the logs upon receiving
          SIGUSR1 now also includes information about all DNS servers it is
          configured to use, and the features levels it probed for them.

        Contributions from: Abdó Roig-Maranges, Alan Jenkins, Alexander
        Kuleshov, Andreas Rammhold, Andrew Jeddeloh, Andrew Soutar, Ansgar
        Burchardt, Beniamino Galvani, Benjamin Berg, Benjamin Robin, Charles
        Huber, Christian Hesse, Daniel Berrange, Daniel Kahn Gillmor, Daniel
        Mack, Daniel Rusek, Daniel Șerbănescu, Davide Cavalca, Dimitri John
        Ledkov, Diogo Pereira, Djalal Harouni, Dmitriy Geels, Dmitry Torokhov,
        ettavolt, Evgeny Vereshchagin, Fabio Kung, Felipe Sateler, Franck Bui,
        Hans de Goede, Harald Hoyer, Insun Pyo, Ivan Kurnosov, Ivan Shapovalov,
        Jakub Wilk, Jan Synacek, Jason Gunthorpe, Jeremy Bicha, Jérémy Rosen,
        John Lin, jonasBoss, Jonathan Lebon, Jonathan Teh, Jon Ringle, Jörg
        Thalheim, Jouke Witteveen, juga0, Justin Capella, Justin Michaud,
        Kai-Heng Feng, Lennart Poettering, Lion Yang, Luca Bruno, Lucas
        Werkmeister, Lukáš Nykrýn, Marcel Hollerbach, Marcus Lundblad, Martin
        Pitt, Michael Biebl, Michael Grzeschik, Michal Sekletar, Mike Gilbert,
        Neil Brown, Nicolas Iooss, Patrik Flykt, pEJipE, Piotr Drąg, Russell
        Stuart, S. Fan, Shengyao Xue, Stefan Pietsch, Susant Sahani, Tejun Heo,
        Thomas Miller, Thomas Sailer, Tobias Hunger, Tomasz Pala, Tom
        Gundersen, Tommi Rantala, Topi Miettinen, Torstein Husebø, userwithuid,
        Vasilis Liaskovitis, Vito Caputo, WaLyong Cho, William Douglas, Xiang
        Fan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2017-10-06

CHANGES WITH 234:

        * Meson is now supported as build system in addition to Automake. It is
          our plan to remove Automake in one of our next releases, so that
          Meson becomes our exclusive build system. Hence, please start using
          the Meson build system in your downstream packaging. There's plenty
          of documentation around how to use Meson, the extremely brief
          summary:

              ./autogen.sh && ./configure && make && sudo make install

          becomes:

              meson build && ninja -C build && sudo ninja -C build install

        * Unit files gained support for a new JobRunningTimeoutUSec= setting,
          which permits configuring a timeout on the time a job is
          running. This is particularly useful for setting timeouts on jobs for
          .device units.

        * Unit files gained two new options ConditionUser= and ConditionGroup=
          for conditionalizing units based on the identity of the user/group
          running a systemd user instance.

        * systemd-networkd now understands a new FlowLabel= setting in the
          [VXLAN] section of .network files, as well as a Priority= in
          [Bridge], GVRP= + MVRP= + LooseBinding= + ReorderHeader= in [VLAN]
          and GatewayOnlink= + IPv6Preference= + Protocol= in [Route]. It also
          gained support for configuration of GENEVE links, and IPv6 address
          labels. The [Network] section gained the new IPv6ProxyNDP= setting.

        * .link files now understand a new Port= setting.

        * systemd-networkd's DHCP support gained support for DHCP option 119
          (domain search list).

        * systemd-networkd gained support for serving IPv6 address ranges using
          the Router Advertisement protocol. The new .network configuration
          section [IPv6Prefix] may be used to configure the ranges to
          serve. This is implemented based on a new, minimal, native server
          implementation of RA.

        * journalctl's --output= switch gained support for a new parameter
          "short-iso-precise" for a mode where timestamps are shown as precise
          ISO date values.

        * systemd-udevd's "net_id" builtin may now generate stable network
          interface names from IBM PowerVM VIO devices as well as ACPI platform
          devices.

        * MulticastDNS support in systemd-resolved may now be explicitly
          enabled/disabled using the new MulticastDNS= configuration file
          option.

        * systemd-resolved may now optionally use libidn2 instead of the libidn
          for processing internationalized domain names. Support for libidn2
          should be considered experimental and should not be enabled by
          default yet.

        * "machinectl pull-tar" and related call may now do verification of
          downloaded images using SUSE-style .sha256 checksum files in addition
          to the already existing support for validating using Ubuntu-style
          SHA256SUMS files.

        * sd-bus gained support for a new sd_bus_message_appendv() call which
          is va_list equivalent of sd_bus_message_append().

        * sd-boot gained support for validating images using SHIM/MOK.

        * The SMACK code learnt support for "onlycap".

        * systemd-mount --umount is now much smarter in figuring out how to
          properly unmount a device given its mount or device path.

        * The code to call libnss_dns as a fallback from libnss_resolve when
          the communication with systemd-resolved fails was removed. This
          fallback was redundant and interfered with the [!UNAVAIL=return]
          suffix. See nss-resolve(8) for the recommended configuration.

        * systemd-logind may now be restarted without losing state. It stores
          the file descriptors for devices it manages in the system manager
          using the FDSTORE= mechanism. Please note that further changes in
          other components may be required to make use of this (for example
          Xorg has code to listen for stops of systemd-logind and terminate
          itself when logind is stopped or restarted, in order to avoid using
          stale file descriptors for graphical devices, which is now
          counterproductive and must be reverted in order for restarts of
          systemd-logind to be safe. See
          https://cgit.freedesktop.org/xorg/xserver/commit/?id=dc48bd653c7e101.)

        * All kernel-install plugins are called with the environment variable
          KERNEL_INSTALL_MACHINE_ID which is set to the machine ID given by
          /etc/machine-id. If the machine ID could not be determined,
          $KERNEL_INSTALL_MACHINE_ID will be empty. Plugins should not put
          anything in the entry directory (passed as the second argument) if
          $KERNEL_INSTALL_MACHINE_ID is empty. For backwards compatibility, a
          temporary directory is passed as the entry directory and removed
          after all the plugins exit.

        * If KERNEL_INSTALL_MACHINE_ID is set in /etc/machine-info, kernel-install
          will now use its value as the machine ID instead of the machine ID
          from /etc/machine-id. If KERNEL_INSTALL_MACHINE_ID isn't set in
          /etc/machine-info and no machine ID is set in /etc/machine-id,
          kernel-install will try to store the current machine ID there as
          KERNEL_INSTALL_MACHINE_ID. If there is no machine ID, kernel-install
          will generate a new UUID, store it in /etc/machine-info as
          KERNEL_INSTALL_MACHINE_ID and use it as the machine ID.

        Contributions from: Adrian Heine né Lang, Aggelos Avgerinos, Alexander
        Kurtz, Alexandros Frantzis, Alexey Brodkin, Alex Lu, Amir Pakdel, Amir
        Yalon, Anchor Cat, Anthony Parsons, Bastien Nocera, Benjamin Gilbert,
        Benjamin Robin, Boucman, Charles Plessy, Chris Chiu, Chris Lamb,
        Christian Brauner, Christian Hesse, Colin Walters, Daniel Drake,
        Danielle Church, Daniel Molkentin, Daniel Rusek, Daniel Wang, Davide
        Cavalca, David Herrmann, David Michael, Dax Kelson, Dimitri John
        Ledkov, Djalal Harouni, Dušan Kazik, Elias Probst, Evgeny Vereshchagin,
        Federico Di Pierro, Felipe Sateler, Felix Zhang, Franck Bui, Gary
        Tierney, George McCollister, Giedrius Statkevičius, Hans de Goede,
        hecke, Hendrik Westerberg, Hristo Venev, Ian Wienand, Insun Pyo, Ivan
        Shapovalov, James Cowgill, James Hemsing, Janne Heß, Jan Synacek, Jason
        Reeder, João Paulo Rechi Vita, John Paul Adrian Glaubitz, Jörg
        Thalheim, Josef Andersson, Josef Gajdusek, Julian Mehne, Kai Krakow,
        Krzysztof Jackiewicz, Lars Karlitski, Lennart Poettering, Lluís Gili,
        Lucas Werkmeister, Lukáš Nykrýn, Łukasz Stelmach, Mantas Mikulėnas,
        Marcin Bachry, Marcus Cooper, Mark Stosberg, Martin Pitt, Matija Skala,
        Matt Clarkson, Matthew Garrett, Matthias Greiner, Matthijs van Duin,
        Max Resch, Michael Biebl, Michal Koutný, Michal Sekletar, Michal
        Soltys, Michal Suchanek, Mike Gilbert, Nate Clark, Nathaniel R. Lewis,
        Neil Brown, Nikolai Kondrashov, Pascal S. de Kloe, Pat Riehecky, Patrik
        Flykt, Paul Kocialkowski, Peter Hutterer, Philip Withnall, Piotr
        Szydełko, Rafael Fontenelle, Ray Strode, Richard Maw, Roelf Wichertjes,
        Ronny Chevalier, Sarang S. Dalal, Sjoerd Simons, slodki, Stefan
        Schweter, Susant Sahani, Ted Wood, Thomas Blume, Thomas Haller, Thomas
        H. P. Andersen, Timothée Ravier, Tobias Jungel, Tobias Stoeckmann, Tom
        Gundersen, Tom Yan, Torstein Husebø, Umut Tezduyar Lindskog,
        userwithuid, Vito Caputo, Waldemar Brodkorb, WaLyong Cho, Yu, Li-Yu,
        Yusuke Nojima, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Дамјан
        Георгиевски

        — Berlin, 2017-07-12

CHANGES WITH 233:

        * The "hybrid" control group mode has been modified to improve
          compatibility with "legacy" cgroups-v1 setups. Specifically, the
          "hybrid" setup of /sys/fs/cgroup is now pretty much identical to
          "legacy" (including /sys/fs/cgroup/systemd as "name=systemd" named
          cgroups-v1 hierarchy), the only externally visible change being that
          the cgroups-v2 hierarchy is also mounted, to
          /sys/fs/cgroup/unified. This should provide a large degree of
          compatibility with "legacy" cgroups-v1, while taking benefit of the
          better management capabilities of cgroups-v2.

        * The default control group setup mode may be selected both a boot-time
          via a set of kernel command line parameters (specifically:
          systemd.unified_cgroup_hierarchy= and
          systemd.legacy_systemd_cgroup_controller=), as well as a compile-time
          default selected on the configure command line
          (--with-default-hierarchy=). The upstream default is "hybrid"
          (i.e. the cgroups-v1 + cgroups-v2 mixture discussed above) now, but
          this will change in a future systemd version to be "unified" (pure
          cgroups-v2 mode). The third option for the compile time option is
          "legacy", to enter pure cgroups-v1 mode. We recommend downstream
          distributions to default to "hybrid" mode for release distributions,
          starting with v233. We recommend "unified" for development
          distributions (specifically: distributions such as Fedora's rawhide)
          as that's where things are headed in the long run. Use "legacy" for
          greatest stability and compatibility only.

        * Note one current limitation of "unified" and "hybrid" control group
          setup modes: the kernel currently does not permit the systemd --user
          instance (i.e. unprivileged code) to migrate processes between two
          disconnected cgroup subtrees, even if both are managed and owned by
          the user. This effectively means "systemd-run --user --scope" doesn't
          work when invoked from outside of any "systemd --user" service or
          scope. Specifically, it is not supported from session scopes. We are
          working on fixing this in a future systemd version. (See #3388 for
          further details about this.)

        * DBus policy files are now installed into /usr rather than /etc. Make
          sure your system has dbus >= 1.9.18 running before upgrading to this
          version, or override the install path with --with-dbuspolicydir= .

        * All python scripts shipped with systemd (specifically: the various
          tests written in Python) now require Python 3.

        * systemd unit tests can now run standalone (without the source or
          build directories), and can be installed into /usr/lib/systemd/tests/
          with 'make install-tests'.

        * Note that from this version on, CONFIG_CRYPTO_USER_API_HASH,
          CONFIG_CRYPTO_HMAC and CONFIG_CRYPTO_SHA256 need to be enabled in the
          kernel.

        * Support for the %c, %r, %R specifiers in unit files has been
          removed. Specifiers are not supposed to be dependent on configuration
          in the unit file itself (so that they resolve the same regardless
          where used in the unit files), but these specifiers were influenced
          by the Slice= option.

        * The shell invoked by debug-shell.service now defaults to /bin/sh in
          all cases. If distributions want to use a different shell for this
          purpose (for example Fedora's /sbin/sushell) they need to specify
          this explicitly at configure time using --with-debug-shell=.

        * The confirmation spawn prompt has been reworked to offer the
          following choices:

           (c)ontinue, proceed without asking anymore
           (D)ump, show the state of the unit
           (f)ail, don't execute the command and pretend it failed
           (h)elp
           (i)nfo, show a short summary of the unit
           (j)obs, show jobs that are in progress
           (s)kip, don't execute the command and pretend it succeeded
           (y)es, execute the command

          The 'n' choice for the confirmation spawn prompt has been removed,
          because its meaning was confusing.

          The prompt may now also be redirected to an alternative console by
          specifying the console as parameter to systemd.confirm_spawn=.

        * Services of Type=notify require a READY=1 notification to be sent
          during startup. If no such message is sent, the service now fails,
          even if the main process exited with a successful exit code.

        * Services that fail to start up correctly now always have their
          ExecStopPost= commands executed. Previously, they'd enter "failed"
          state directly, without executing these commands.

        * The option MulticastDNS= of network configuration files has acquired
          an actual implementation. With MulticastDNS=yes a host can resolve
          names of remote hosts and reply to mDNS A and AAAA requests.

        * When units are about to be started an additional check is now done to
          ensure that all dependencies of type BindsTo= (when used in
          combination with After=) have been started.

        * systemd-analyze gained a new verb "syscall-filter" which shows which
          system call groups are defined for the SystemCallFilter= unit file
          setting, and which system calls they contain.

        * A new system call filter group "@filesystem" has been added,
          consisting of various file system related system calls. Group
          "@reboot" has been added, covering reboot, kexec and shutdown related
          calls. Finally, group "@swap" has been added covering swap
          configuration related calls.

        * A new unit file option RestrictNamespaces= has been added that may be
          used to restrict access to the various process namespace types the
          Linux kernel provides. Specifically, it may be used to take away the
          right for a service unit to create additional file system, network,
          user, and other namespaces. This sandboxing option is particularly
          relevant due to the high amount of recently discovered namespacing
          related vulnerabilities in the kernel.

        * systemd-udev's .link files gained support for a new AutoNegotiation=
          setting for configuring Ethernet auto-negotiation.

        * systemd-networkd's .network files gained support for a new
          ListenPort= setting in the [DHCP] section to explicitly configure the
          UDP client port the DHCP client shall listen on.

        * .network files gained a new Unmanaged= boolean setting for explicitly
          excluding one or more interfaces from management by systemd-networkd.

        * The systemd-networkd ProxyARP= option has been renamed to
          IPV4ProxyARP=. Similarly, VXLAN-specific option ARPProxy= has been
          renamed to ReduceARPProxy=. The old names continue to be available
          for compatibility.

        * systemd-networkd gained support for configuring IPv6 Proxy NDP
          addresses via the new IPv6ProxyNDPAddress= .network file setting.

        * systemd-networkd's bonding device support gained support for two new
          configuration options ActiveSlave= and PrimarySlave=.

        * The various options in the [Match] section of .network files gained
          support for negative matching.

        * New systemd-specific mount options are now understood in /etc/fstab:

          x-systemd.mount-timeout= may be used to configure the maximum
          permitted runtime of the mount command.

          x-systemd.device-bound may be set to bind a mount point to its
          backing device unit, in order to automatically remove a mount point
          if its backing device is unplugged. This option may also be
          configured through the new SYSTEMD_MOUNT_DEVICE_BOUND udev property
          on the block device, which is now automatically set for all CDROM
          drives, so that mounted CDs are automatically unmounted when they are
          removed from the drive.

          x-systemd.after= and x-systemd.before= may be used to explicitly
          order a mount after or before another unit or mount point.

        * Enqueued start jobs for device units are now automatically garbage
          collected if there are no jobs waiting for them anymore.

        * systemctl list-jobs gained two new switches: with --after, for every
          queued job the jobs it's waiting for are shown; with --before the
          jobs which it's blocking are shown.

        * systemd-nspawn gained support for ephemeral boots from disk images
          (or in other words: --ephemeral and --image= may now be
          combined). Moreover, ephemeral boots are now supported for normal
          directories, even if the backing file system is not btrfs. Of course,
          if the file system does not support file system snapshots or
          reflinks, the initial copy operation will be relatively expensive, but
          this should still be suitable for many use cases.

        * Calendar time specifications in .timer units now support
          specifications relative to the end of a month by using "~" instead of
          "-" as separator between month and day. For example, "*-02~03" means
          "the third last day in February". In addition a new syntax for
          repeated events has been added using the "/" character. For example,
          "9..17/2:00" means "every two hours from 9am to 5pm".

        * systemd-socket-proxyd gained a new parameter --connections-max= for
          configuring the maximum number of concurrent connections.

        * sd-id128 gained a new API for generating unique IDs for the host in a
          way that does not leak the machine ID. Specifically,
          sd_id128_get_machine_app_specific() derives an ID based on the
          machine ID in a well-defined, non-reversible, stable way. This is
          useful whenever an identifier for the host is needed but where the
          identifier shall not be useful to identify the system beyond the
          scope of the application itself. (Internally this uses HMAC-SHA256 as
          keyed hash function using the machine ID as input.)

        * NotifyAccess= gained a new supported value "exec". When set
          notifications are accepted from all processes systemd itself invoked,
          including all control processes.

        * .nspawn files gained support for defining overlay mounts using the
          Overlay= and OverlayReadOnly= options. Previously this functionality
          was only available on the systemd-nspawn command line.

        * systemd-nspawn's --bind= and --overlay= options gained support for
          bind/overlay mounts whose source lies within the container tree by
          prefixing the source path with "+".

        * systemd-nspawn's --bind= and --overlay= options gained support for
          automatically allocating a temporary source directory in /var/tmp
          that is removed when the container dies. Specifically, if the source
          directory is specified as empty string this mechanism is selected. An
          example usage is --overlay=+/var::/var, which creates an overlay
          mount based on the original /var contained in the image, overlaid
          with a temporary directory in the host's /var/tmp. This way changes
          to /var are automatically flushed when the container shuts down.

        * systemd-nspawn --image= option does now permit raw file system block
          devices (in addition to images containing partition tables, as
          before).

        * The disk image dissection logic in systemd-nspawn gained support for
          automatically setting up LUKS encrypted as well as Verity protected
          partitions. When a container is booted from an encrypted image the
          passphrase is queried at start-up time. When a container with Verity
          data is started, the root hash is search in a ".roothash" file
          accompanying the disk image (alternatively, pass the root hash via
          the new --root-hash= command line option).

        * A new tool /usr/lib/systemd/systemd-dissect has been added that may
          be used to dissect disk images the same way as systemd-nspawn does
          it, following the Bootable Partition Specification. It may even be
          used to mount disk images with complex partition setups (including
          LUKS and Verity partitions) to a local host directory, in order to
          inspect them. This tool is not considered public API (yet), and is
          thus not installed into /usr/bin. Please do not rely on its
          existence, since it might go away or be changed in later systemd
          versions.

        * A new generator "systemd-verity-generator" has been added, similar in
          style to "systemd-cryptsetup-generator", permitting automatic setup of
          Verity root partitions when systemd boots up. In order to make use of
          this your partition setup should follow the Discoverable Partitions
          Specification, and the GPT partition ID of the root file system
          partition should be identical to the upper 128bit of the Verity root
          hash. The GPT partition ID of the Verity partition protecting it
          should be the lower 128bit of the Verity root hash. If the partition
          image follows this model it is sufficient to specify a single
          "roothash=" kernel command line argument to both configure which root
          image and verity partition to use as well as the root hash for
          it. Note that systemd-nspawn's Verity support follows the same
          semantics, meaning that disk images with proper Verity data in place
          may be booted in containers with systemd-nspawn as well as on
          physical systems via the verity generator. Also note that the "mkosi"
          tool available at https://github.com/systemd/mkosi has been updated
          to generate Verity protected disk images following this scheme. In
          fact, it has been updated to generate disk images that optionally
          implement a complete UEFI SecureBoot trust chain, involving a signed
          kernel and initrd image that incorporates such a root hash as well as
          a Verity-enabled root partition.

        * The hardware database (hwdb) udev supports has been updated to carry
          accelerometer quirks.

        * All system services are now run with a fresh kernel keyring set up
          for them. The invocation ID is stored by default in it, thus
          providing a safe, non-overridable way to determine the invocation
          ID of each service.

        * Service unit files gained new BindPaths= and BindReadOnlyPaths=
          options for bind mounting arbitrary paths in a service-specific
          way. When these options are used, arbitrary host or service files and
          directories may be mounted to arbitrary locations in the service's
          view.

        * Documentation has been added that lists all of systemd's low-level
          environment variables:

          https://github.com/systemd/systemd/blob/master/docs/ENVIRONMENT.md

        * sd-daemon gained a new API sd_is_socket_sockaddr() for determining
          whether a specific socket file descriptor matches a specified socket
          address.

        * systemd-firstboot has been updated to check for the
          systemd.firstboot= kernel command line option. It accepts a boolean
          and when set to false the first boot questions are skipped.

        * systemd-fstab-generator has been updated to check for the
          systemd.volatile= kernel command line option, which either takes an
          optional boolean parameter or the special value "state". If used the
          system may be booted in a "volatile" boot mode. Specifically,
          "systemd.volatile" is used, the root directory will be mounted as
          tmpfs, and only /usr is mounted from the actual root file system. If
          "systemd.volatile=state" is used, the root directory will be mounted
          as usual, but /var is mounted as tmpfs. This concept provides similar
          functionality as systemd-nspawn's --volatile= option, but provides it
          on physical boots. Use this option for implementing stateless
          systems, or testing systems with all state and/or configuration reset
          to the defaults. (Note though that many distributions are not
          prepared to boot up without a populated /etc or /var, though.)

        * systemd-gpt-auto-generator gained support for LUKS encrypted root
          partitions. Previously it only supported LUKS encrypted partitions
          for all other uses, except for the root partition itself.

        * Socket units gained support for listening on AF_VSOCK sockets for
          communication in virtualized QEMU environments.

        * The "configure" script gained a new option --with-fallback-hostname=
          for specifying the fallback hostname to use if none is configured in
          /etc/hostname. For example, by specifying
          --with-fallback-hostname=fedora it is possible to default to a
          hostname of "fedora" on pristine installations.

        * systemd-cgls gained support for a new --unit= switch for listing only
          the control groups of a specific unit. Similar --user-unit= has been
          added for listing only the control groups of a specific user unit.

        * systemd-mount gained a new --umount switch for unmounting a mount or
          automount point (and all mount/automount points below it).

        * systemd will now refuse full configuration reloads (via systemctl
          daemon-reload and related calls) unless at least 16MiB of free space
          are available in /run. This is a safety precaution in order to ensure
          that generators can safely operate after the reload completed.

        * A new unit file option RootImage= has been added, which has a similar
          effect as RootDirectory= but mounts the service's root directory from
          a disk image instead of plain directory. This logic reuses the same
          image dissection and mount logic that systemd-nspawn already uses,
          and hence supports any disk images systemd-nspawn supports, including
          those following the Discoverable Partition Specification, as well as
          Verity enabled images. This option enables systemd to run system
          services directly off disk images acting as resource bundles,
          possibly even including full integrity data.

        * A new MountAPIVFS= unit file option has been added, taking a boolean
          argument. If enabled /proc, /sys and /dev (collectively called the
          "API VFS") will be mounted for the service. This is only relevant if
          RootDirectory= or RootImage= is used for the service, as these mounts
          are of course in place in the host mount namespace anyway.

        * systemd-nspawn gained support for a new --pivot-root= switch. If
          specified the root directory within the container image is pivoted to
          the specified mount point, while the original root disk is moved to a
          different place. This option enables booting of ostree images
          directly with systemd-nspawn.

        * The systemd build scripts will no longer complain if the NTP server
          addresses are not changed from the defaults. Google now supports
          these NTP servers officially. We still recommend downstreams to
          properly register an NTP pool with the NTP pool project though.

        * coredumpctl gained a new "--reverse" option for printing the list
          of coredumps in reverse order.

        * coredumpctl will now show additional information about truncated and
          inaccessible coredumps, as well as coredumps that are still being
          processed. It also gained a new --quiet switch for suppressing
          additional informational message in its output.

        * coredumpctl gained support for only showing coredumps newer and/or
          older than specific timestamps, using the new --since= and --until=
          options, reminiscent of journalctl's options by the same name.

        * The systemd-coredump logic has been improved so that it may be reused
          to collect backtraces in non-compiled languages, for example in
          scripting languages such as Python.

        * machinectl will now show the UID shift of local containers, if user
          namespacing is enabled for them.

        * systemd will now optionally run "environment generator" binaries at
          configuration load time. They may be used to add environment
          variables to the environment block passed to services invoked. One
          user environment generator is shipped by default that sets up
          environment variables based on files dropped into /etc/environment.d
          and ~/.config/environment.d/.

        * systemd-resolved now includes the new, recently published 2017 DNSSEC
          root key (KSK).

        * hostnamed has been updated to report a new chassis type of
          "convertible" to cover "foldable" laptops that can both act as a
          tablet and as a laptop, such as various Lenovo Yoga devices.

        Contributions from: Adrián López, Alexander Galanin, Alexander
        Kochetkov, Alexandros Frantzis, Andrey Ulanov, Antoine Eiche, Baruch
        Siach, Bastien Nocera, Benjamin Robin, Björn, Brandon Philips, Cédric
        Schieli, Charles (Chas) Williams, Christian Hesse, Daniele Medri,
        Daniel Drake, Daniel Rusek, Daniel Wagner, Dan Streetman, Dave Reisner,
        David Glasser, David Herrmann, David Michael, Djalal Harouni, Dmitry
        Khlebnikov, Dmitry Rozhkov, Dongsu Park, Douglas Christman, Earnestly,
        Emil Soleyman, Eric Cook, Evgeny Vereshchagin, Felipe Sateler, Fionn
        Cleary, Florian Klink, Francesco Brozzu, Franck Bui, Gabriel Rauter,
        Gianluca Boiano, Giedrius Statkevičius, Graeme Lawes, Hans de Goede,
        Harald Hoyer, Ian Kelling, Ivan Shapovalov, Jakub Wilk, Janne Heß, Jan
        Synacek, Jason Reeder, Jonathan Boulle, Jörg Thalheim, Jouke Witteveen,
        Karl Kraus, Kees Cook, Keith Busch, Kieran Colford, kilian-k, Lennart
        Poettering, Lubomir Rintel, Lucas Werkmeister, Lukas Rusak, Maarten de
        Vries, Maks Naumov, Mantas Mikulėnas, Marc-Andre Lureau, Marcin Bachry,
        Mark Stosberg, Martin Ejdestig, Martin Pitt, Mauricio Faria de
        Oliveira, micah, Michael Biebl, Michael Shields, Michal Schmidt, Michal
        Sekletar, Michel Kraus, Mike Gilbert, Mikko Ylinen, Mirza Krak,
        Namhyung Kim, nikolaof, peoronoob, Peter Hutterer, Peter Körner, Philip
        Withnall, Piotr Drąg, Ray Strode, Reverend Homer, Rike-Benjamin
        Schuppner, Robert Kreuzer, Ronny Chevalier, Ruslan Bilovol, sammynx,
        Sergey Ptashnick, Sergiusz Urbaniak, Stefan Berger, Stefan Hajnoczi,
        Stefan Schweter, Stuart McLaren, Susant Sahani, Sylvain Plantefève,
        Taylor Smock, Tejun Heo, Thomas Blume, Thomas H. P. Andersen, Tibor
        Nagy, Tobias Stoeckmann, Tom Gundersen, Torstein Husebø, Viktar
        Vaŭčkievič, Viktor Mihajlovski, Vitaly Sulimov, Waldemar Brodkorb,
        Walter Garcia-Fontes, Wim de With, Yassine Imounachen, Yi EungJun,
        YunQiang Su, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Александр
        Тихонов

        — Berlin, 2017-03-01

CHANGES WITH 232:

        * udev now runs with MemoryDenyWriteExecute=, RestrictRealtime= and
          RestrictAddressFamilies= enabled. These sandboxing options should
          generally be compatible with the various external udev call-out
          binaries we are aware of, however there may be exceptions, in
          particular when exotic languages for these call-outs are used. In
          this case, consider turning off these settings locally.

        * The new RemoveIPC= option can be used to remove IPC objects owned by
          the user or group of a service when that service exits.

        * The new ProtectKernelModules= option can be used to disable explicit
          load and unload operations of kernel modules by a service. In
          addition access to /usr/lib/modules is removed if this option is set.

        * ProtectSystem= option gained a new value "strict", which causes the
          whole file system tree with the exception of /dev, /proc, and /sys,
          to be remounted read-only for a service.

        * The new ProtectKernelTunables= option can be used to disable
          modification of configuration files in /sys and /proc by a service.
          Various directories and files are remounted read-only, so access is
          restricted even if the file permissions would allow it.

        * The new ProtectControlGroups= option can be used to disable write
          access by a service to /sys/fs/cgroup.

        * Various systemd services have been hardened with
          ProtectKernelTunables=yes, ProtectControlGroups=yes,
          RestrictAddressFamilies=.

        * Support for dynamically creating users for the lifetime of a service
          has been added. If DynamicUser=yes is specified, user and group IDs
          will be allocated from the range 61184…65519 for the lifetime of the
          service. They can be resolved using the new nss-systemd.so NSS
          module. The module must be enabled in /etc/nsswitch.conf. Services
          started in this way have PrivateTmp= and RemoveIPC= enabled, so that
          any resources allocated by the service will be cleaned up when the
          service exits. They also have ProtectHome=read-only and
          ProtectSystem=strict enabled, so they are not able to make any
          permanent modifications to the system.

        * The nss-systemd module also always resolves root and nobody, making
          it possible to have no /etc/passwd or /etc/group files in minimal
          container or chroot environments.

        * Services may be started with their own user namespace using the new
          boolean PrivateUsers= option. Only root, nobody, and the uid/gid
          under which the service is running are mapped. All other users are
          mapped to nobody.

        * Support for the cgroup namespace has been added to systemd-nspawn. If
          supported by kernel, the container system started by systemd-nspawn
          will have its own view of the cgroup hierarchy. This new behaviour
          can be disabled using $SYSTEMD_NSPAWN_USE_CGNS environment variable.

        * The new MemorySwapMax= option can be used to limit the maximum swap
          usage under the unified cgroup hierarchy.

        * Support for the CPU controller in the unified cgroup hierarchy has
          been added, via the CPUWeight=, CPUStartupWeight=, CPUAccounting=
          options. This controller requires out-of-tree patches for the kernel
          and the support is provisional.

        * Mount and automount units may now be created transiently
          (i.e. dynamically at runtime via the bus API, instead of requiring
          unit files in the file system).

        * systemd-mount is a new tool which may mount file systems – much like
          mount(8), optionally pulling in additional dependencies through
          transient .mount and .automount units. For example, this tool
          automatically runs fsck on a backing block device before mounting,
          and allows the automount logic to be used dynamically from the
          command line for establishing mount points. This tool is particularly
          useful when dealing with removable media, as it will ensure fsck is
          run – if necessary – before the first access and that the file system
          is quickly unmounted after each access by utilizing the automount
          logic. This maximizes the chance that the file system on the
          removable media stays in a clean state, and if it isn't in a clean
          state is fixed automatically.

        * LazyUnmount=yes option for mount units has been added to expose the
          umount --lazy option. Similarly, ForceUnmount=yes exposes the --force
          option.

        * /efi will be used as the mount point of the EFI boot partition, if
          the directory is present, and the mount point was not configured
          through other means (e.g. fstab). If /efi directory does not exist,
          /boot will be used as before. This makes it easier to automatically
          mount the EFI partition on systems where /boot is used for something
          else.

        * When operating on GPT disk images for containers, systemd-nspawn will
          now mount the ESP to /boot or /efi according to the same rules as PID
          1 running on a host. This allows tools like "bootctl" to operate
          correctly within such containers, in order to make container images
          bootable on physical systems.

        * disk/by-id and disk/by-path symlinks are now created for NVMe drives.

        * Two new user session targets have been added to support running
          graphical sessions under the systemd --user instance:
          graphical-session.target and graphical-session-pre.target. See
          systemd.special(7) for a description of how those targets should be
          used.

        * The vconsole initialization code has been significantly reworked to
          use KD_FONT_OP_GET/SET ioctls instead of KD_FONT_OP_COPY and better
          support unicode keymaps. Font and keymap configuration will now be
          copied to all allocated virtual consoles.

        * FreeBSD's bhyve virtualization is now detected.

        * Information recorded in the journal for core dumps now includes the
          contents of /proc/mountinfo and the command line of the process at
          the top of the process hierarchy (which is usually the init process
          of the container).

        * systemd-journal-gatewayd learned the --directory= option to serve
          files from the specified location.

        * journalctl --root=… can be used to peruse the journal in the
          /var/log/ directories inside of a container tree. This is similar to
          the existing --machine= option, but does not require the container to
          be active.

        * The hardware database has been extended to support
          ID_INPUT_TRACKBALL, used in addition to ID_INPUT_MOUSE to identify
          trackball devices.

          MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL hwdb property has been added to
          specify the click rate for mice which include a horizontal wheel with
          a click rate that is different than the one for the vertical wheel.

        * systemd-run gained a new --wait option that makes service execution
          synchronous. (Specifically, the command will not return until the
          specified service binary exited.)

        * systemctl gained a new --wait option that causes the start command to
          wait until the units being started have terminated again.

        * A new journal output mode "short-full" has been added which displays
          timestamps with abbreviated English day names and adds a timezone
          suffix. Those timestamps include more information than the default
          "short" output mode, and can be passed directly to journalctl's
          --since= and --until= options.

        * /etc/resolv.conf will be bind-mounted into containers started by
          systemd-nspawn, if possible, so any changes to resolv.conf contents
          are automatically propagated to the container.

        * The number of instances for socket-activated services originating
          from a single IP address can be limited with
          MaxConnectionsPerSource=, extending the existing setting of
          MaxConnections=.

        * systemd-networkd gained support for vcan ("Virtual CAN") interface
          configuration.

        * .netdev and .network configuration can now be extended through
          drop-ins.

        * UDP Segmentation Offload, TCP Segmentation Offload, Generic
          Segmentation Offload, Generic Receive Offload, Large Receive Offload
          can be enabled and disabled using the new UDPSegmentationOffload=,
          TCPSegmentationOffload=, GenericSegmentationOffload=,
          GenericReceiveOffload=, LargeReceiveOffload= options in the
          [Link] section of .link files.

        * The Spanning Tree Protocol, Priority, Aging Time, and the Default
          Port VLAN ID can be configured for bridge devices using the new STP=,
          Priority=, AgeingTimeSec=, and DefaultPVID= settings in the [Bridge]
          section of .netdev files.

        * The route table to which routes received over DHCP or RA should be
          added can be configured with the new RouteTable= option in the [DHCP]
          and [IPv6AcceptRA] sections of .network files.

        * The Address Resolution Protocol can be disabled on links managed by
          systemd-networkd using the ARP=no setting in the [Link] section of
          .network files.

        * New environment variables $SERVICE_RESULT, $EXIT_CODE and
          $EXIT_STATUS are set for ExecStop= and ExecStopPost= commands, and
          encode information about the result and exit codes of the current
          service runtime cycle.

        * systemd-sysctl will now configure kernel parameters in the order
          they occur in the configuration files. This matches what sysctl
          has been traditionally doing.

        * kernel-install "plugins" that are executed to perform various
          tasks after a new kernel is added and before an old one is removed
          can now return a special value to terminate the procedure and
          prevent any later plugins from running.

        * Journald's SplitMode=login setting has been deprecated. It has been
          removed from documentation, and its use is discouraged. In a future
          release it will be completely removed, and made equivalent to current
          default of SplitMode=uid.

        * Storage=both option setting in /etc/systemd/coredump.conf has been
          removed. With fast LZ4 compression storing the core dump twice is not
          useful.

        * The --share-system systemd-nspawn option has been replaced with an
          (undocumented) variable $SYSTEMD_NSPAWN_SHARE_SYSTEM, but the use of
          this functionality is discouraged. In addition the variables
          $SYSTEMD_NSPAWN_SHARE_NS_IPC, $SYSTEMD_NSPAWN_SHARE_NS_PID,
          $SYSTEMD_NSPAWN_SHARE_NS_UTS may be used to control the unsharing of
          individual namespaces.

        * "machinectl list" now shows the IP address of running containers in
          the output, as well as OS release information.

        * "loginctl list" now shows the TTY of each session in the output.

        * sd-bus gained new API calls sd_bus_track_set_recursive(),
          sd_bus_track_get_recursive(), sd_bus_track_count_name(),
          sd_bus_track_count_sender(). They permit usage of sd_bus_track peer
          tracking objects in a "recursive" mode, where a single client can be
          counted multiple times, if it takes multiple references.

        * sd-bus gained new API calls sd_bus_set_exit_on_disconnect() and
          sd_bus_get_exit_on_disconnect(). They may be used to make a
          process using sd-bus automatically exit if the bus connection is
          severed.

        * Bus clients of the service manager may now "pin" loaded units into
          memory, by taking an explicit reference on them. This is useful to
          ensure the client can retrieve runtime data about the service even
          after the service completed execution. Taking such a reference is
          available only for privileged clients and should be helpful to watch
          running services in a race-free manner, and in particular collect
          information about exit statuses and results.

        * The nss-resolve module has been changed to strictly return UNAVAIL
          when communication via D-Bus with resolved failed, and NOTFOUND when
          a lookup completed but was negative. This means it is now possible to
          neatly configure fallbacks using nsswitch.conf result checking
          expressions. Taking benefit of this, the new recommended
          configuration line for the "hosts" entry in /etc/nsswitch.conf is:

              hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname

        * A new setting CtrlAltDelBurstAction= has been added to
          /etc/systemd/system.conf which may be used to configure the precise
          behaviour if the user on the console presses Ctrl-Alt-Del more often
          than 7 times in 2s. Previously this would unconditionally result in
          an expedited, immediate reboot. With this new setting the precise
          operation may be configured in more detail, and also turned off
          entirely.

        * In .netdev files two new settings RemoteChecksumTx= and
          RemoteChecksumRx= are now understood that permit configuring the
          remote checksumming logic for VXLAN networks.

        * The service manager learnt a new "invocation ID" concept for invoked
          services. Each runtime cycle of a service will get a new invocation
          ID (a 128bit random UUID) assigned that identifies the current
          run of the service uniquely and globally. A new invocation ID
          is generated each time a service starts up. The journal will store
          the invocation ID of a service along with any logged messages, thus
          making the invocation ID useful for matching the online runtime of a
          service with the offline log data it generated in a safe way without
          relying on synchronized timestamps. In many ways this new service
          invocation ID concept is similar to the kernel's boot ID concept that
          uniquely and globally identifies the runtime of each boot. The
          invocation ID of a service is passed to the service itself via an
          environment variable ($INVOCATION_ID). A new bus call
          GetUnitByInvocationID() has been added that is similar to GetUnit()
          but instead of retrieving the bus path for a unit by its name
          retrieves it by its invocation ID. The returned path is valid only as
          long as the passed invocation ID is current.

        * systemd-resolved gained a new "DNSStubListener" setting in
          resolved.conf. It either takes a boolean value or the special values
          "udp" and "tcp", and configures whether to enable the stub DNS
          listener on 127.0.0.53:53.

        * IP addresses configured via networkd may now carry additional
          configuration settings supported by the kernel. New options include:
          HomeAddress=, DuplicateAddressDetection=, ManageTemporaryAddress=,
          PrefixRoute=, AutoJoin=.

        * The PAM configuration fragment file for "user@.service" shipped with
          systemd (i.e. the --user instance of systemd) has been stripped to
          the minimum necessary to make the system boot. Previously, it
          contained Fedora-specific stanzas that did not apply to other
          distributions. It is expected that downstream distributions add
          additional configuration lines, matching their needs to this file,
          using it only as rough template of what systemd itself needs. Note
          that this reduced fragment does not even include an invocation of
          pam_limits which most distributions probably want to add, even though
          systemd itself does not need it. (There's also the new build time
          option --with-pamconfdir=no to disable installation of the PAM
          fragment entirely.)

        * If PrivateDevices=yes is set for a service the CAP_SYS_RAWIO
          capability is now also dropped from its set (in addition to
          CAP_SYS_MKNOD as before).

        * In service unit files it is now possible to connect a specific named
          file descriptor with stdin/stdout/stdout of an executed service. The
          name may be specified in matching .socket units using the
          FileDescriptorName= setting.

        * A number of journal settings may now be configured on the kernel
          command line. Specifically, the following options are now understood:
          systemd.journald.max_level_console=,
          systemd.journald.max_level_store=,
          systemd.journald.max_level_syslog=, systemd.journald.max_level_kmsg=,
          systemd.journald.max_level_wall=.

        * "systemctl is-enabled --full" will now show by which symlinks a unit
          file is enabled in the unit dependency tree.

        * Support for VeraCrypt encrypted partitions has been added to the
          "cryptsetup" logic and /etc/crypttab.

        * systemd-detect-virt gained support for a new --private-users switch
          that checks whether the invoking processes are running inside a user
          namespace. Similar, a new special value "private-users" for the
          existing ConditionVirtualization= setting has been added, permitting
          skipping of specific units in user namespace environments.

        Contributions from: Alban Crequy, Alexander Kuleshov, Alfie John,
        Andreas Henriksson, Andrew Jeddeloh, Balázs Úr, Bart Rulon, Benjamin
        Richter, Ben Gamari, Ben Harris, Brian J. Murrell, Christian Brauner,
        Christian Rebischke, Clinton Roy, Colin Walters, Cristian Rodríguez,
        Daniel Hahler, Daniel Mack, Daniel Maixner, Daniel Rusek, Dan Dedrick,
        Davide Cavalca, David Herrmann, David Michael, Dennis Wassenberg,
        Djalal Harouni, Dongsu Park, Douglas Christman, Elias Probst, Eric
        Cook, Erik Karlsson, Evgeny Vereshchagin, Felipe Sateler, Felix Zhang,
        Franck Bui, George Hilliard, Giuseppe Scrivano, HATAYAMA Daisuke,
        Heikki Kemppainen, Hendrik Brueckner, hi117, Ismo Puustinen, Ivan
        Shapovalov, Jakub Filak, Jakub Wilk, Jan Synacek, Jason Kölker,
        Jean-Sébastien Bour, Jiří Pírko, Jonathan Boulle, Jorge Niedbalski,
        Keith Busch, kristbaum, Kyle Russell, Lans Zhang, Lennart Poettering,
        Leonardo Brondani Schenkel, Lucas Werkmeister, Luca Bruno, Lukáš
        Nykrýn, Maciek Borzecki, Mantas Mikulėnas, Marc-Antoine Perennou,
        Marcel Holtmann, Marcos Mello, Martin Ejdestig, Martin Pitt, Matej
        Habrnal, Maxime de Roucy, Michael Biebl, Michael Chapman, Michael Hoy,
        Michael Olbrich, Michael Pope, Michal Sekletar, Michal Soltys, Mike
        Gilbert, Nick Owens, Patrik Flykt, Paweł Szewczyk, Peter Hutterer,
        Piotr Drąg, Reid Price, Richard W.M. Jones, Roman Stingler, Ronny
        Chevalier, Seraphime Kirkovski, Stefan Schweter, Steve Muir, Susant
        Sahani, Tejun Heo, Thomas Blume, Thomas H. P. Andersen, Tiago Levit,
        Tobias Jungel, Tomáš Janoušek, Topi Miettinen, Torstein Husebø, Umut
        Tezduyar Lindskog, Vito Caputo, WaLyong Cho, Wilhelm Schuster, Yann
        E. MORIN, Yi EungJun, Yuki Inoguchi, Yu Watanabe, Zbigniew
        Jędrzejewski-Szmek, Zeal Jagannatha

        — Santa Fe, 2016-11-03

CHANGES WITH 231:

        * In service units the various ExecXYZ= settings have been extended
          with an additional special character as first argument of the
          assigned value: if the character '+' is used the specified command
          line it will be run with full privileges, regardless of User=,
          Group=, CapabilityBoundingSet= and similar options. The effect is
          similar to the existing PermissionsStartOnly= option, but allows
          configuration of this concept for each executed command line
          independently.

        * Services may now alter the service watchdog timeout at runtime by
          sending a WATCHDOG_USEC= message via sd_notify().

        * MemoryLimit= and related unit settings now optionally take percentage
          specifications. The percentage is taken relative to the amount of
          physical memory in the system (or in case of containers, the assigned
          amount of memory). This allows scaling service resources neatly with
          the amount of RAM available on the system. Similarly, systemd-logind's
          RuntimeDirectorySize= option now also optionally takes percentage
          values.

        * In similar fashion TasksMax= takes percentage values now, too. The
          value is taken relative to the configured maximum number of processes
          on the system. The per-service task maximum has been changed to 15%
          using this functionality. (Effectively this is an increase of 512 →
          4915 for service units, given the kernel's default pid_max setting.)

        * Calendar time specifications in .timer units now understand a ".."
          syntax for time ranges. Example: "4..7:10" may now be used for
          defining a timer that is triggered at 4:10am, 5:10am, 6:10am and
          7:10am every day.

        * The InaccessableDirectories=, ReadOnlyDirectories= and
          ReadWriteDirectories= unit file settings have been renamed to
          InaccessablePaths=, ReadOnlyPaths= and ReadWritePaths= and may now be
          applied to all kinds of file nodes, and not just directories, with
          the exception of symlinks. Specifically these settings may now be
          used on block and character device nodes, UNIX sockets and FIFOS as
          well as regular files. The old names of these settings remain
          available for compatibility.

        * systemd will now log about all service processes it kills forcibly
          (using SIGKILL) because they remained after the clean shutdown phase
          of the service completed. This should help identifying services that
          shut down uncleanly. Moreover if KillUserProcesses= is enabled in
          systemd-logind's configuration a similar log message is generated for
          processes killed at the end of each session due to this setting.

        * systemd will now set the $JOURNAL_STREAM environment variable for all
          services whose stdout/stderr are connected to the Journal (which
          effectively means by default: all services). The variable contains
          the device and inode number of the file descriptor used for
          stdout/stderr. This may be used by invoked programs to detect whether
          their stdout/stderr is connected to the Journal, in which case they
          can switch over to direct Journal communication, thus being able to
          pass extended, structured metadata along with their log messages. As
          one example, this is now used by glib's logging primitives.

        * When using systemd's default tmp.mount unit for /tmp, the mount point
          will now be established with the "nosuid" and "nodev" options. This
          avoids privilege escalation attacks that put traps and exploits into
          /tmp.  However, this might cause problems if you e. g. put container
          images or overlays into /tmp; if you need this, override tmp.mount's
          "Options=" with a drop-in, or mount /tmp from /etc/fstab with your
          desired options.

        * systemd now supports the "memory" cgroup controller also on
          cgroup v2.

        * The systemd-cgtop tool now optionally takes a control group path as
          command line argument. If specified, the control group list shown is
          limited to subgroups of that group.

        * The SystemCallFilter= unit file setting gained support for
          pre-defined, named system call filter sets. For example
          SystemCallFilter=@clock is now an effective way to make all clock
          changing-related system calls unavailable to a service. A number of
          similar pre-defined groups are defined. Writing system call filters
          for system services is simplified substantially with this new
          concept. Accordingly, all of systemd's own, long-running services now
          enable system call filtering based on this, by default.

        * A new service setting MemoryDenyWriteExecute= has been added, taking
          a boolean value. If turned on, a service may no longer create memory
          mappings that are writable and executable at the same time. This
          enhances security for services where this is enabled as it becomes
          harder to dynamically write and then execute memory in exploited
          service processes. This option has been enabled for all of systemd's
          own long-running services.

        * A new RestrictRealtime= service setting has been added, taking a
          boolean argument. If set the service's processes may no longer
          acquire realtime scheduling. This improves security as realtime
          scheduling may otherwise be used to easily freeze the system.

        * systemd-nspawn gained a new switch --notify-ready= taking a boolean
          value. This may be used for requesting that the system manager inside
          of the container reports start-up completion to nspawn which then
          propagates this notification further to the service manager
          supervising nspawn itself. A related option NotifyReady= in .nspawn
          files has been added too. This functionality allows ordering of the
          start-up of multiple containers using the usual systemd ordering
          primitives.

        * machinectl gained a new command "stop" that is an alias for
          "terminate".

        * systemd-resolved gained support for contacting DNS servers on
          link-local IPv6 addresses.

        * If systemd-resolved receives the SIGUSR2 signal it will now flush all
          its caches. A method call for requesting the same operation has been
          added to the bus API too, and is made available via "systemd-resolve
          --flush-caches".

        * systemd-resolve gained a new --status switch. If passed a brief
          summary of the used DNS configuration with per-interface information
          is shown.

        * resolved.conf gained a new Cache= boolean option, defaulting to
          on. If turned off local DNS caching is disabled. This comes with a
          performance penalty in particular when DNSSEC is enabled. Note that
          resolved disables its internal caching implicitly anyway, when the
          configured DNS server is on a host-local IP address such as ::1 or
          127.0.0.1, thus automatically avoiding double local caching.

        * systemd-resolved now listens on the local IP address 127.0.0.53:53
          for DNS requests. This improves compatibility with local programs
          that do not use the libc NSS or systemd-resolved's bus APIs for name
          resolution. This minimal DNS service is only available to local
          programs and does not implement the full DNS protocol, but enough to
          cover local DNS clients. A new, static resolv.conf file, listing just
          this DNS server is now shipped in /usr/lib/systemd/resolv.conf. It is
          now recommended to make /etc/resolv.conf a symlink to this file in
          order to route all DNS lookups to systemd-resolved, regardless if
          done via NSS, the bus API or raw DNS packets. Note that this local
          DNS service is not as fully featured as the libc NSS or
          systemd-resolved's bus APIs. For example, as unicast DNS cannot be
          used to deliver link-local address information (as this implies
          sending a local interface index along), LLMNR/mDNS support via this
          interface is severely restricted. It is thus strongly recommended for
          all applications to use the libc NSS API or native systemd-resolved
          bus API instead.

        * systemd-networkd's bridge support learned a new setting
          VLANFiltering= for controlling VLAN filtering. Moreover a new section
          in .network files has been added for configuring VLAN bridging in
          more detail: VLAN=, EgressUntagged=, PVID= in [BridgeVLAN].

        * systemd-networkd's IPv6 Router Advertisement code now makes use of
          the DNSSL and RDNSS options. This means IPv6 DNS configuration may
          now be acquired without relying on DHCPv6. Two new options
          UseDomains= and UseDNS= have been added to configure this behaviour.

        * systemd-networkd's IPv6AcceptRouterAdvertisements= option has been
          renamed IPv6AcceptRA=, without altering its behaviour. The old
          setting name remains available for compatibility reasons.

        * The systemd-networkd VTI/VTI6 tunneling support gained new options
          Key=, InputKey= and OutputKey=.

        * systemd-networkd gained support for VRF ("Virtual Routing Function")
          interface configuration.

        * "systemctl edit" may now be used to create new unit files by
          specifying the --force switch.

        * sd-event gained a new function sd_event_get_iteration() for
          requesting the current iteration counter of the event loop. It starts
          at zero and is increased by one with each event loop iteration.

        * A new rpm macro %systemd_ordering is provided by the macros.systemd
          file. It can be used in lieu of %systemd_requires in packages which
          don't use any systemd functionality and are intended to be installed
          in minimal containers without systemd present. This macro provides
          ordering dependencies to ensure that if the package is installed in
          the same rpm transaction as systemd, systemd will be installed before
          the scriptlets for the package are executed, allowing unit presets
          to be handled.

          New macros %_systemdgeneratordir and %_systemdusergeneratordir have
          been added to simplify packaging of generators.

        * The os-release file gained VERSION_CODENAME field for the
          distribution nickname (e.g. VERSION_CODENAME=woody).

        * New udev property UDEV_DISABLE_PERSISTENT_STORAGE_RULES_FLAG=1
          can be set to disable parsing of metadata and the creation
          of persistent symlinks for that device.

        * The v230 change to tag framebuffer devices (/dev/fb*) with "uaccess"
          to make them available to logged-in users has been reverted.

        * Much of the common code of the various systemd components is now
          built into an internal shared library libsystemd-shared-231.so
          (incorporating the systemd version number in the name, to be updated
          with future releases) that the components link to. This should
          decrease systemd footprint both in memory during runtime and on
          disk. Note that the shared library is not for public use, and is
          neither API nor ABI stable, but is likely to change with every new
          released update. Packagers need to make sure that binaries
          linking to libsystemd-shared.so are updated in step with the
          library.

        * Configuration for "mkosi" is now part of the systemd
          repository. mkosi is a tool to easily build legacy-free OS images,
          and is available on github: https://github.com/systemd/mkosi. If
          "mkosi" is invoked in the build tree a new raw OS image is generated
          incorporating the systemd sources currently being worked on and a
          clean, fresh distribution installation. The generated OS image may be
          booted up with "systemd-nspawn -b -i", qemu-kvm or on any physical
          UEFI PC. This functionality is particularly useful to easily test
          local changes made to systemd in a pristine, defined environment. See
          doc/HACKING for details.

        * configure learned the --with-support-url= option to specify the
          distribution's bugtracker.

        Contributions from: Alban Crequy, Alessandro Puccetti, Alessio Igor
        Bogani, Alexander Kuleshov, Alexander Kurtz, Alex Gaynor, Andika
        Triwidada, Andreas Pokorny, Andreas Rammhold, Andrew Jeddeloh, Ansgar
        Burchardt, Atrotors, Benjamin Drung, Brian Boylston, Christian Hesse,
        Christian Rebischke, Daniele Medri, Daniel Mack, Dave Reisner, David
        Herrmann, David Michael, Djalal Harouni, Douglas Christman, Elias
        Probst, Evgeny Vereshchagin, Federico Mena Quintero, Felipe Sateler,
        Franck Bui, Harald Hoyer, Ian Lee, Ivan Shapovalov, Jakub Wilk, Jan
        Janssen, Jean-Sébastien Bour, John Paul Adrian Glaubitz, Jouke
        Witteveen, Kai Ruhnau, kpengboy, Kyle Walker, Lénaïc Huard, Lennart
        Poettering, Luca Bruno, Lukas Lösche, Lukáš Nykrýn, mahkoh, Marcel
        Holtmann, Martin Pitt, Marty Plummer, Matthieu Codron, Max Prokhorov,
        Michael Biebl, Michael Karcher, Michael Olbrich, Michał Bartoszkiewicz,
        Michal Sekletar, Michal Soltys, Minkyung, Muhammet Kara, mulkieran,
        Otto Wallenius, Pablo Lezaeta Reyes, Peter Hutterer, Ronny Chevalier,
        Rusty Bird, Stef Walter, Susant Sahani, Tejun Heo, Thomas Blume, Thomas
        Haller, Thomas H. P. Andersen, Tobias Jungel, Tom Gundersen, Tom Yan,
        Topi Miettinen, Torstein Husebø, Valentin Vidić, Viktar Vaŭčkievič,
        WaLyong Cho, Weng Xuetian, Werner Fink, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2016-07-25

CHANGES WITH 230:

        * DNSSEC is now turned on by default in systemd-resolved (in
          "allow-downgrade" mode), but may be turned off during compile time by
          passing "--with-default-dnssec=no" to "configure" (and of course,
          during runtime with DNSSEC= in resolved.conf). We recommend
          downstreams to leave this on at least during development cycles and
          report any issues with the DNSSEC logic upstream. We are very
          interested in collecting feedback about the DNSSEC validator and its
          limitations in the wild. Note however, that DNSSEC support is
          probably nothing downstreams should turn on in stable distros just
          yet, as it might create incompatibilities with a few DNS servers and
          networks. We tried hard to make sure we downgrade to non-DNSSEC mode
          automatically whenever we detect such incompatible setups, but there
          might be systems we do not cover yet. Hence: please help us testing
          the DNSSEC code, leave this on where you can, report back, but then
          again don't consider turning this on in your stable, LTS or
          production release just yet. (Note that you have to enable
          nss-resolve in /etc/nsswitch.conf, to actually use systemd-resolved
          and its DNSSEC mode for hostname resolution from local
          applications.)

        * systemd-resolve conveniently resolves DANE records with the --tlsa
          option and OPENPGPKEY records with the --openpgp option. It also
          supports dumping raw DNS record data via the new --raw= switch.

        * systemd-logind will now by default terminate user processes that are
          part of the user session scope unit (session-XX.scope) when the user
          logs out. This behavior is controlled by the KillUserProcesses=
          setting in logind.conf, and the previous default of "no" is now
          changed to "yes". This means that user sessions will be properly
          cleaned up after, but additional steps are necessary to allow
          intentionally long-running processes to survive logout.

          While the user is logged in at least once, user@.service is running,
          and any service that should survive the end of any individual login
          session can be started at a user service or scope using systemd-run.
          systemd-run(1) man page has been extended with an example which shows
          how to run screen in a scope unit underneath user@.service. The same
          command works for tmux.

          After the user logs out of all sessions, user@.service will be
          terminated too, by default, unless the user has "lingering" enabled.
          To effectively allow users to run long-term tasks even if they are
          logged out, lingering must be enabled for them. See loginctl(1) for
          details. The default polkit policy was modified to allow users to
          set lingering for themselves without authentication.

          Previous defaults can be restored at compile time by the
          --without-kill-user-processes option to "configure".

        * systemd-logind gained new configuration settings SessionsMax= and
          InhibitorsMax=, both with a default of 8192. It will not register new
          user sessions or inhibitors above this limit.

        * systemd-logind will now reload configuration on SIGHUP.

        * The unified cgroup hierarchy added in Linux 4.5 is now supported.
          Use systemd.unified_cgroup_hierarchy=1 on the kernel command line to
          enable. Also, support for the "io" cgroup controller in the unified
          hierarchy has been added, so that the "memory", "pids" and "io" are
          now the controllers that are supported on the unified hierarchy.

          WARNING: it is not possible to use previous systemd versions with
          systemd.unified_cgroup_hierarchy=1 and the new kernel. Therefore it
          is necessary to also update systemd in the initramfs if using the
          unified hierarchy. An updated SELinux policy is also required.

        * LLDP support has been extended, and both passive (receive-only) and
          active (sender) modes are supported. Passive mode ("routers-only") is
          enabled by default in systemd-networkd. Active LLDP mode is enabled
          by default for containers on the internal network. The "networkctl
          lldp" command may be used to list information gathered. "networkctl
          status" will also show basic LLDP information on connected peers now.

        * The IAID and DUID unique identifier sent in DHCP requests may now be
          configured for the system and each .network file managed by
          systemd-networkd using the DUIDType=, DUIDRawData=, IAID= options.

        * systemd-networkd gained support for configuring proxy ARP support for
          each interface, via the ProxyArp= setting in .network files. It also
          gained support for configuring the multicast querier feature of
          bridge devices, via the new MulticastQuerier= setting in .netdev
          files. Similarly, snooping on the IGMP traffic can be controlled
          via the new setting MulticastSnooping=.

          A new setting PreferredLifetime= has been added for addresses
          configured in .network file to configure the lifetime intended for an
          address.

          The systemd-networkd DHCP server gained the option EmitRouter=, which
          defaults to yes, to configure whether the DHCP Option 3 (Router)
          should be emitted.

        * The testing tool /usr/lib/systemd/systemd-activate is renamed to
          systemd-socket-activate and installed into /usr/bin. It is now fully
          supported.

        * systemd-journald now uses separate threads to flush changes to disk
          when closing journal files, thus reducing impact of slow disk I/O on
          logging performance.

        * The sd-journal API gained two new calls
          sd_journal_open_directory_fd() and sd_journal_open_files_fd() which
          can be used to open journal files using file descriptors instead of
          file or directory paths. sd_journal_open_container() has been
          deprecated, sd_journal_open_directory_fd() should be used instead
          with the flag SD_JOURNAL_OS_ROOT.

        * journalctl learned a new output mode "-o short-unix" that outputs log
          lines prefixed by their UNIX time (i.e. seconds since Jan 1st, 1970
          UTC). It also gained support for a new --no-hostname setting to
          suppress the hostname column in the family of "short" output modes.

        * systemd-ask-password now optionally skips printing of the password to
          stdout with --no-output which can be useful in scripts.

        * Framebuffer devices (/dev/fb*) and 3D printers and scanners
          (devices tagged with ID_MAKER_TOOL) are now tagged with
          "uaccess" and are available to logged in users.

        * The DeviceAllow= unit setting now supports specifiers (with "%").

        * "systemctl show" gained a new --value switch, which allows print a
          only the contents of a specific unit property, without also printing
          the property's name. Similar support was added to "show*" verbs
          of loginctl and machinectl that output "key=value" lists.

        * A new unit type "generated" was added for files dynamically generated
          by generator tools. Similarly, a new unit type "transient" is used
          for unit files created using the runtime API. "systemctl enable" will
          refuse to operate on such files.

        * A new command "systemctl revert" has been added that may be used to
          revert to the vendor version of a unit file, in case local changes
          have been made by adding drop-ins or overriding the unit file.

        * "machinectl clean" gained a new verb to automatically remove all or
          just hidden container images.

        * systemd-tmpfiles gained support for a new line type "e" for emptying
          directories, if they exist, without creating them if they don't.

        * systemd-nspawn gained support for automatically patching the UID/GIDs
          of the owners and the ACLs of all files and directories in a
          container tree to match the UID/GID user namespacing range selected
          for the container invocation. This mode is enabled via the new
          --private-users-chown switch. It also gained support for
          automatically choosing a free, previously unused UID/GID range when
          starting a container, via the new --private-users=pick setting (which
          implies --private-users-chown). Together, these options for the first
          time make user namespacing for nspawn containers fully automatic and
          thus deployable. The systemd-nspawn@.service template unit file has
          been changed to use this functionality by default.

        * systemd-nspawn gained a new --network-zone= switch, that allows
          creating ad-hoc virtual Ethernet links between multiple containers,
          that only exist as long as at least one container referencing them is
          running. This allows easy connecting of multiple containers with a
          common link that implements an Ethernet broadcast domain. Each of
          these network "zones" may be named relatively freely by the user, and
          may be referenced by any number of containers, but each container may
          only reference one of these "zones". On the lower level, this is
          implemented by an automatically managed bridge network interface for
          each zone, that is created when the first container referencing its
          zone is created and removed when the last one referencing its zone
          terminates.

        * The default start timeout may now be configured on the kernel command
          line via systemd.default_timeout_start_sec=. It was already
          configurable via the DefaultTimeoutStartSec= option in
          /etc/systemd/system.conf.

        * Socket units gained a new TriggerLimitIntervalSec= and
          TriggerLimitBurst= setting to configure a limit on the activation
          rate of the socket unit.

        * The LimitNICE= setting now optionally takes normal UNIX nice values
          in addition to the raw integer limit value. If the specified
          parameter is prefixed with "+" or "-" and is in the range -20…19 the
          value is understood as UNIX nice value. If not prefixed like this it
          is understood as raw RLIMIT_NICE limit.

        * Note that the effect of the PrivateDevices= unit file setting changed
          slightly with this release: the per-device /dev file system will be
          mounted read-only from this version on, and will have "noexec"
          set. This (minor) change of behavior might cause some (exceptional)
          legacy software to break, when PrivateDevices=yes is set for its
          service. Please leave PrivateDevices= off if you run into problems
          with this.

        * systemd-bootchart has been split out to a separate repository:
          https://github.com/systemd/systemd-bootchart

        * systemd-bus-proxyd has been removed, as kdbus is unlikely to still be
          merged into the kernel in its current form.

        * The compatibility libraries libsystemd-daemon.so,
          libsystemd-journal.so, libsystemd-id128.so, and libsystemd-login.so
          which have been deprecated since systemd-209 have been removed along
          with the corresponding pkg-config files. All symbols provided by
          those libraries are provided by libsystemd.so.

        * The Capabilities= unit file setting has been removed (it is ignored
          for backwards compatibility). AmbientCapabilities= and
          CapabilityBoundingSet= should be used instead.

        * A new special target has been added, initrd-root-device.target,
          which creates a synchronization point for dependencies of the root
          device in early userspace. Initramfs builders must ensure that this
          target is now included in early userspace.

        Contributions from: Alban Crequy, Alexander Kuleshov, Alexander Shopov,
        Alex Crawford, Andre Klärner, Andrew Eikum, Beniamino Galvani, Benjamin
        Robin, Biao Lu, Bjørnar Ness, Calvin Owens, Christian Hesse, Clemens
        Gruber, Colin Guthrie, Daniel Drake, Daniele Medri, Daniel J Walsh,
        Daniel Mack, Dan Nicholson, daurnimator, David Herrmann, David
        R. Hedges, Elias Probst, Emmanuel Gil Peyrot, EMOziko, Evgeny
        Vereshchagin, Federico, Felipe Sateler, Filipe Brandenburger, Franck
        Bui, frankheckenbach, gdamjan, Georgia Brikis, Harald Hoyer, Hendrik
        Brueckner, Hristo Venev, Iago López Galeiras, Ian Kelling, Ismo
        Puustinen, Jakub Wilk, Jaroslav Škarvada, Jeff Huang, Joel Holdsworth,
        John Paul Adrian Glaubitz, Jonathan Boulle, kayrus, Klearchos
        Chaloulos, Kyle Russell, Lars Uebernickel, Lennart Poettering, Lubomir
        Rintel, Lukáš Nykrýn, Mantas Mikulėnas, Marcel Holtmann, Martin Pitt,
        Michael Biebl, michaelolbrich, Michał Bartoszkiewicz, Michal Koutný,
        Michal Sekletar, Mike Frysinger, Mike Gilbert, Mingcong Bai, Ming Lin,
        mulkieran, muzena, Nalin Dahyabhai, Naohiro Aota, Nathan McSween,
        Nicolas Braud-Santoni, Patrik Flykt, Peter Hutterer, Peter Mattern,
        Petr Lautrbach, Petros Angelatos, Piotr Drąg, Rabin Vincent, Robert
        Węcławski, Ronny Chevalier, Samuel Tardieu, Stefan Saraev, Stefan
        Schallenberg aka nafets227, Steven Siloti, Susant Sahani, Sylvain
        Plantefève, Taylor Smock, Tejun Heo, Thomas Blume, Thomas Haller,
        Thomas H. P. Andersen, Tobias Klauser, Tom Gundersen, topimiettinen,
        Torstein Husebø, Umut Tezduyar Lindskog, Uwe Kleine-König, Victor Toso,
        Vinay Kulkarni, Vito Caputo, Vittorio G (VittGam), Vladimir Panteleev,
        Wieland Hoffmann, Wouter Verhelst, Yu Watanabe, Zbigniew
        Jędrzejewski-Szmek

        — Fairfax, 2016-05-21

CHANGES WITH 229:

        * The systemd-resolved DNS resolver service has gained a substantial
          set of new features, most prominently it may now act as a DNSSEC
          validating stub resolver. DNSSEC mode is currently turned off by
          default, but is expected to be turned on by default in one of the
          next releases. For now, we invite everybody to test the DNSSEC logic
          by setting DNSSEC=allow-downgrade in /etc/systemd/resolved.conf. The
          service also gained a full set of D-Bus interfaces, including calls
          to configure DNS and DNSSEC settings per link (for use by external
          network management software). systemd-resolved and systemd-networkd
          now distinguish between "search" and "routing" domains. The former
          are used to qualify single-label names, the latter are used purely
          for routing lookups within certain domains to specific links.
          resolved now also synthesizes RRs for all entries from /etc/hosts.

        * The systemd-resolve tool (which is a client utility for
          systemd-resolved) has been improved considerably and is now fully
          supported and documented. Hence it has moved from /usr/lib/systemd to
          /usr/bin.

        * /dev/disk/by-path/ symlink support has been (re-)added for virtio
          devices.

        * The coredump collection logic has been reworked: when a coredump is
          collected it is now written to disk, compressed and processed
          (including stacktrace extraction) from a new instantiated service
          systemd-coredump@.service, instead of directly from the
          /proc/sys/kernel/core_pattern hook we provide. This is beneficial as
          processing large coredumps can take up a substantial amount of
          resources and time, and this previously happened entirely outside of
          systemd's service supervision. With the new logic the core_pattern
          hook only does minimal metadata collection before passing off control
          to the new instantiated service, which is configured with a time
          limit, a nice level and other settings to minimize negative impact on
          the rest of the system. Also note that the new logic will honour the
          RLIMIT_CORE setting of the crashed process, which now allows users
          and processes to turn off coredumping for their processes by setting
          this limit.

        * The RLIMIT_CORE resource limit now defaults to "unlimited" for PID 1
          and all forked processes by default. Previously, PID 1 would leave
          the setting at "0" for all processes, as set by the kernel. Note that
          the resource limit traditionally has no effect on the generated
          coredumps on the system if the /proc/sys/kernel/core_pattern hook
          logic is used. Since the limit is now honoured (see above) its
          default has been changed so that the coredumping logic is enabled by
          default for all processes, while allowing specific opt-out.

        * When the stacktrace is extracted from processes of system users, this
          is now done as "systemd-coredump" user, in order to sandbox this
          potentially security sensitive parsing operation. (Note that when
          processing coredumps of normal users this is done under the user ID
          of process that crashed, as before.) Packagers should take notice
          that it is now necessary to create the "systemd-coredump" system user
          and group at package installation time.

        * The systemd-activate socket activation testing tool gained support
          for SOCK_DGRAM and SOCK_SEQPACKET sockets using the new --datagram
          and --seqpacket switches. It also has been extended to support both
          new-style and inetd-style file descriptor passing. Use the new
          --inetd switch to request inetd-style file descriptor passing.

        * Most systemd tools now honor a new $SYSTEMD_COLORS environment
          variable, which takes a boolean value. If set to false, ANSI color
          output is disabled in the tools even when run on a terminal that
          supports it.

        * The VXLAN support in networkd now supports two new settings
          DestinationPort= and PortRange=.

        * A new systemd.machine_id= kernel command line switch has been added,
          that may be used to set the machine ID in /etc/machine-id if it is
          not initialized yet. This command line option has no effect if the
          file is already initialized.

        * systemd-nspawn gained a new --as-pid2 switch that invokes any
          specified command line as PID 2 rather than PID 1 in the
          container. In this mode PID 1 is a minimal stub init process that
          implements the special POSIX and Linux semantics of PID 1 regarding
          signal and child process management. Note that this stub init process
          is implemented in nspawn itself and requires no support from the
          container image. This new logic is useful to support running
          arbitrary commands in the container, as normal processes are
          generally not prepared to run as PID 1.

        * systemd-nspawn gained a new --chdir= switch for setting the current
          working directory for the process started in the container.

        * "journalctl /dev/sda" will now output all kernel log messages for
          specified device from the current boot, in addition to all devices
          that are parents of it. This should make log output about devices
          pretty useful, as long as kernel drivers attach enough metadata to
          the log messages. (The usual SATA drivers do.)

        * The sd-journal API gained two new calls
          sd_journal_has_runtime_files() and sd_journal_has_persistent_files()
          that report whether log data from /run or /var has been found.

        * journalctl gained a new switch "--fields" that prints all journal
          record field names currently in use in the journal.  This is backed
          by two new sd-journal API calls sd_journal_enumerate_fields() and
          sd_journal_restart_fields().

        * Most configurable timeouts in systemd now expect an argument of
          "infinity" to turn them off, instead of "0" as before. The semantics
          from now on is that a timeout of "0" means "now", and "infinity"
          means "never". To maintain backwards compatibility, "0" continues to
          turn off previously existing timeout settings.

        * "systemctl reload-or-try-restart" has been renamed to "systemctl
          try-reload-or-restart" to clarify what it actually does: the "try"
          logic applies to both reloading and restarting, not just restarting.
          The old name continues to be accepted for compatibility.

        * On boot-up, when PID 1 detects that the system clock is behind the
          release date of the systemd version in use, the clock is now set
          to the latter. Previously, this was already done in timesyncd, in order
          to avoid running with clocks set to the various clock epochs such as
          1902, 1938 or 1970. With this change the logic is now done in PID 1
          in addition to timesyncd during early boot-up, so that it is enforced
          before the first process is spawned by systemd. Note that the logic
          in timesyncd remains, as it is more comprehensive and ensures
          clock monotonicity by maintaining a persistent timestamp file in
          /var. Since /var is generally not available in earliest boot or the
          initrd, this part of the logic remains in timesyncd, and is not done
          by PID 1.

        * Support for tweaking details in net_cls.class_id through the
          NetClass= configuration directive has been removed, as the kernel
          people have decided to deprecate that controller in cgroup v2.
          Userspace tools such as nftables are moving over to setting rules
          that are specific to the full cgroup path of a task, which obsoletes
          these controllers anyway. The NetClass= directive is kept around for
          legacy compatibility reasons. For a more in-depth description of the
          kernel change, please refer to the respective upstream commit:

            https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bd1060a1d671

        * A new service setting RuntimeMaxSec= has been added that may be used
          to specify a maximum runtime for a service. If the timeout is hit, the
          service is terminated and put into a failure state.

        * A new service setting AmbientCapabilities= has been added. It allows
          configuration of additional Linux process capabilities that are
          passed to the activated processes. This is only available on very
          recent kernels.

        * The process resource limit settings in service units may now be used
          to configure hard and soft limits individually.

        * The various libsystemd APIs such as sd-bus or sd-event now publicly
          expose support for gcc's __attribute__((cleanup())) C extension.
          Specifically, for many object destructor functions alternative
          versions have been added that have names suffixed with "p" and take a
          pointer to a pointer to the object to destroy, instead of just a
          pointer to the object itself. This is useful because these destructor
          functions may be used directly as parameters to the cleanup
          construct. Internally, systemd has been a heavy user of this GCC
          extension for a long time, and with this change similar support is
          now available to consumers of the library outside of systemd. Note
          that by using this extension in your sources compatibility with old
          and strictly ANSI compatible C compilers is lost. However, all gcc or
          LLVM versions of recent years support this extension.

        * Timer units gained support for a new setting RandomizedDelaySec= that
          allows configuring some additional randomized delay to the configured
          time. This is useful to spread out timer events to avoid load peaks in
          clusters or larger setups.

        * Calendar time specifications now support sub-second accuracy.

        * Socket units now support listening on SCTP and UDP-lite protocol
          sockets.

        * The sd-event API now comes with a full set of man pages.

        * Older versions of systemd contained experimental support for
          compressing journal files and coredumps with the LZ4 compressor that
          was not compatible with the lz4 binary (due to API limitations of the
          lz4 library). This support has been removed; only support for files
          compatible with the lz4 binary remains. This LZ4 logic is now
          officially supported and no longer considered experimental.

        * The dkr image import logic has been removed again from importd. dkr's
          micro-services focus doesn't fit into the machine image focus of
          importd, and quickly got out of date with the upstream dkr API.

        * Creation of the /run/lock/lockdev/ directory was dropped from
          tmpfiles.d/legacy.conf. Better locking mechanisms like flock() have
          been available for many years. If you still need this, you need to
          create your own tmpfiles.d config file with:

                  d /run/lock/lockdev 0775 root lock -

        * The settings StartLimitBurst=, StartLimitInterval=, StartLimitAction=
          and RebootArgument= have been moved from the [Service] section of
          unit files to [Unit], and they are now supported on all unit types,
          not just service units. Of course, systemd will continue to
          understand these settings also at the old location, in order to
          maintain compatibility.

        Contributions from: Abdo Roig-Maranges, Alban Crequy, Aleksander
        Adamowski, Alexander Kuleshov, Andreas Pokorny, Andrei Borzenkov,
        Andrew Wilcox, Arthur Clement, Beniamino Galvani, Casey Schaufler,
        Chris Atkinson, Chris Mayo, Christian Hesse, Damjan Georgievski, Dan
        Dedrick, Daniele Medri, Daniel J Walsh, Daniel Korostil, Daniel Mack,
        David Herrmann, Dimitri John Ledkov, Dominik Hannen, Douglas Christman,
        Evgeny Vereshchagin, Filipe Brandenburger, Franck Bui, Gabor Kelemen,
        Harald Hoyer, Hayden Walles, Helmut Grohne, Henrik Kaare Poulsen,
        Hristo Venev, Hui Wang, Indrajit Raychaudhuri, Ismo Puustinen, Jakub
        Wilk, Jan Alexander Steffens (heftig), Jan Engelhardt, Jan Synacek,
        Joost Bremmer, Jorgen Schaefer, Karel Zak, Klearchos Chaloulos,
        lc85446, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas, Marcel
        Holtmann, Martin Pitt, Michael Biebl, Michael Olbrich, Michael Scherer,
        Michał Górny, Michal Sekletar, Nicolas Cornu, Nicolas Iooss, Nils
        Carlson, nmartensen, nnz1024, Patrick Ohly, Peter Hutterer, Phillip Sz,
        Ronny Chevalier, Samu Kallio, Shawn Landden, Stef Walter, Susant
        Sahani, Sylvain Plantefève, Tadej Janež, Thomas Hindoe Paaboel
        Andersen, Tom Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Vito
        Caputo, WaLyong Cho, Yu Watanabe, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2016-02-11

CHANGES WITH 228:

        * A number of properties previously only settable in unit
          files are now also available as properties to set when
          creating transient units programmatically via the bus, as it
          is exposed with systemd-run's --property=
          setting. Specifically, these are: SyslogIdentifier=,
          SyslogLevelPrefix=, TimerSlackNSec=, OOMScoreAdjust=,
          EnvironmentFile=, ReadWriteDirectories=,
          ReadOnlyDirectories=, InaccessibleDirectories=,
          ProtectSystem=, ProtectHome=, RuntimeDirectory=.

        * When creating transient services via the bus API it is now
          possible to pass in a set of file descriptors to use as
          STDIN/STDOUT/STDERR for the invoked process.

        * Slice units may now be created transiently via the bus APIs,
          similar to the way service and scope units may already be
          created transiently.

        * Wherever systemd expects a calendar timestamp specification
          (like in journalctl's --since= and --until= switches) UTC
          timestamps are now supported. Timestamps suffixed with "UTC"
          are now considered to be in Universal Time Coordinated
          instead of the local timezone. Also, timestamps may now
          optionally be specified with sub-second accuracy. Both of
          these additions also apply to recurring calendar event
          specification, such as OnCalendar= in timer units.

        * journalctl gained a new "--sync" switch that asks the
          journal daemon to write all so far unwritten log messages to
          disk and sync the files, before returning.

        * systemd-tmpfiles learned two new line types "q" and "Q" that
          operate like "v", but also set up a basic btrfs quota
          hierarchy when used on a btrfs file system with quota
          enabled.

        * tmpfiles' "v", "q" and "Q" will now create a plain directory
          instead of a subvolume (even on a btrfs file system) if the
          root directory is a plain directory, and not a
          subvolume. This should simplify things with certain chroot()
          environments which are not aware of the concept of btrfs
          subvolumes.

        * systemd-detect-virt gained a new --chroot switch to detect
          whether execution takes place in a chroot() environment.

        * CPUAffinity= now takes CPU index ranges in addition to
          individual indexes.

        * The various memory-related resource limit settings (such as
          LimitAS=) now understand the usual K, M, G, … suffixes to
          the base of 1024 (IEC). Similar, the time-related resource
          limit settings understand the usual min, h, day, … suffixes
          now.

        * There's a new system.conf setting DefaultTasksMax= to
          control the default TasksMax= setting for services and
          scopes running on the system. (TasksMax= is the primary
          setting that exposes the "pids" cgroup controller on systemd
          and was introduced in the previous systemd release.) The
          setting now defaults to 512, which means services that are
          not explicitly configured otherwise will only be able to
          create 512 processes or threads at maximum, from this
          version on. Note that this means that thread- or
          process-heavy services might need to be reconfigured to set
          TasksMax= to a higher value. It is sufficient to set
          TasksMax= in these specific unit files to a higher value, or
          even "infinity". Similar, there's now a logind.conf setting
          UserTasksMax= that defaults to 4096 and limits the total
          number of processes or tasks each user may own
          concurrently. nspawn containers also have the TasksMax=
          value set by default now, to 8192. Note that all of this
          only has an effect if the "pids" cgroup controller is
          enabled in the kernel. The general benefit of these changes
          should be a more robust and safer system, that provides a
          certain amount of per-service fork() bomb protection.

        * systemd-nspawn gained the new --network-veth-extra= switch
          to define additional and arbitrarily-named virtual Ethernet
          links between the host and the container.

        * A new service execution setting PassEnvironment= has been
          added that allows importing select environment variables
          from PID1's environment block into the environment block of
          the service.

        * Timer units gained support for a new RemainAfterElapse=
          setting which takes a boolean argument. It defaults to on,
          exposing behaviour unchanged to previous releases. If set to
          off, timer units are unloaded after they elapsed if they
          cannot elapse again. This is particularly useful for
          transient timer units, which shall not stay around longer
          than until they first elapse.

        * systemd will now bump the net.unix.max_dgram_qlen to 512 by
          default now (the kernel default is 16). This is beneficial
          for avoiding blocking on AF_UNIX/SOCK_DGRAM sockets since it
          allows substantially larger numbers of queued
          datagrams. This should increase the capability of systemd to
          parallelize boot-up, as logging and sd_notify() are unlikely
          to stall execution anymore. If you need to change the value
          from the new defaults, use the usual sysctl.d/ snippets.

        * The compression framing format used by the journal or
          coredump processing has changed to be in line with what the
          official LZ4 tools generate. LZ4 compression support in
          systemd was considered unsupported previously, as the format
          was not compatible with the normal tools. With this release
          this has changed now, and it is hence safe for downstream
          distributions to turn it on. While not compressing as well
          as the XZ, LZ4 is substantially faster, which makes
          it a good default choice for the compression logic in the
          journal and in coredump handling.

        * Any reference to /etc/mtab has been dropped from
          systemd. The file has been obsolete since a while, but
          systemd refused to work on systems where it was incorrectly
          set up (it should be a symlink or non-existent). Please make
          sure to update to util-linux 2.27.1 or newer in conjunction
          with this systemd release, which also drops any reference to
          /etc/mtab. If you maintain a distribution make sure that no
          software you package still references it, as this is a
          likely source of bugs. There's also a glibc bug pending,
          asking for removal of any reference to this obsolete file:

          https://sourceware.org/bugzilla/show_bug.cgi?id=19108

          Note that only util-linux versions built with
          --enable-libmount-force-mountinfo are supported.

        * Support for the ".snapshot" unit type has been removed. This
          feature turned out to be little useful and little used, and
          has now been removed from the core and from systemctl.

        * The dependency types RequiresOverridable= and
          RequisiteOverridable= have been removed from systemd. They
          have been used only very sparingly to our knowledge and
          other options that provide a similar effect (such as
          systemctl --mode=ignore-dependencies) are much more useful
          and commonly used. Moreover, they were only half-way
          implemented as the option to control behaviour regarding
          these dependencies was never added to systemctl. By removing
          these dependency types the execution engine becomes a bit
          simpler. Unit files that use these dependencies should be
          changed to use the non-Overridable dependency types
          instead. In fact, when parsing unit files with these
          options, that's what systemd will automatically convert them
          too, but it will also warn, asking users to fix the unit
          files accordingly. Removal of these dependency types should
          only affect a negligible number of unit files in the wild.

        * Behaviour of networkd's IPForward= option changed
          (again). It will no longer maintain a per-interface setting,
          but propagate one way from interfaces where this is enabled
          to the global kernel setting. The global setting will be
          enabled when requested by a network that is set up, but
          never be disabled again. This change was made to make sure
          IPv4 and IPv6 behaviour regarding packet forwarding is
          similar (as the Linux IPv6 stack does not support
          per-interface control of this setting) and to minimize
          surprises.

        * In unit files the behaviour of %u, %U, %h, %s has
          changed. These specifiers will now unconditionally resolve
          to the various user database fields of the user that the
          systemd instance is running as, instead of the user
          configured in the specific unit via User=. Note that this
          effectively doesn't change much, as resolving of these
          specifiers was already turned off in the --system instance
          of systemd, as we cannot do NSS lookups from PID 1. In the
          --user instance of systemd these specifiers where correctly
          resolved, but hardly made any sense, since the user instance
          lacks privileges to do user switches anyway, and User= is
          hence useless. Moreover, even in the --user instance of
          systemd behaviour was awkward as it would only take settings
          from User= assignment placed before the specifier into
          account. In order to unify and simplify the logic around
          this the specifiers will now always resolve to the
          credentials of the user invoking the manager (which in case
          of PID 1 is the root user).

        Contributions from: Andrew Jones, Beniamino Galvani, Boyuan
        Yang, Daniel Machon, Daniel Mack, David Herrmann, David
        Reynolds, David Strauss, Dongsu Park, Evgeny Vereshchagin,
        Felipe Sateler, Filipe Brandenburger, Franck Bui, Hristo
        Venev, Iago López Galeiras, Jan Engelhardt, Jan Janssen, Jan
        Synacek, Jesus Ornelas Aguayo, Karel Zak, kayrus, Kay Sievers,
        Lennart Poettering, Liu Yuan Yuan, Mantas Mikulėnas, Marcel
        Holtmann, Marcin Bachry, Marcos Alano, Marcos Mello, Mark
        Theunissen, Martin Pitt, Michael Marineau, Michael Olbrich,
        Michal Schmidt, Michal Sekletar, Mirco Tischler, Nick Owens,
        Nicolas Cornu, Patrik Flykt, Peter Hutterer, reverendhomer,
        Ronny Chevalier, Sangjung Woo, Seong-ho Cho, Shawn Landden,
        Susant Sahani, Thomas Haller, Thomas Hindoe Paaboel Andersen,
        Tom Gundersen, Torstein Husebø, Vito Caputo, Zbigniew
        Jędrzejewski-Szmek

        — Berlin, 2015-11-18

CHANGES WITH 227:

        * systemd now depends on util-linux v2.27. More specifically,
          the newly added mount monitor feature in libmount now
          replaces systemd's former own implementation.

        * libmount mandates /etc/mtab not to be regular file, and
          systemd now enforces this condition at early boot.
          /etc/mtab has been deprecated and warned about for a very
          long time, so systems running systemd should already have
          stopped having this file around as anything else than a
          symlink to /proc/self/mounts.

        * Support for the "pids" cgroup controller has been added.  It
          allows accounting the number of tasks in a cgroup and
          enforcing limits on it. This adds two new setting
          TasksAccounting= and TasksMax= to each unit, as well as a
          global option DefaultTasksAccounting=.

        * Support for the "net_cls" cgroup controller has been added.
          It allows assigning a net class ID to each task in the
          cgroup, which can then be used in firewall rules and traffic
          shaping configurations. Note that the kernel netfilter net
          class code does not currently work reliably for ingress
          packets on unestablished sockets.

          This adds a new config directive called NetClass= to CGroup
          enabled units. Allowed values are positive numbers for fixed
          assignments and "auto" for picking a free value
          automatically.

        * 'systemctl is-system-running' now returns 'offline' if the
          system is not booted with systemd. This command can now be
          used as a substitute for 'systemd-notify --booted'.

        * Watchdog timeouts have been increased to 3 minutes for all
          in-tree service files. Apparently, disk IO issues are more
          frequent than we hoped, and user reported >1 minute waiting
          for disk IO.

        * 'machine-id-commit' functionality has been merged into
          'machine-id-setup --commit'. The separate binary has been
          removed.

        * The WorkingDirectory= directive in unit files may now be set
          to the special value '~'. In this case, the working
          directory is set to the home directory of the user
          configured in User=.

        * "machinectl shell" will now open the shell in the home
          directory of the selected user by default.

        * The CrashChVT= configuration file setting is renamed to
          CrashChangeVT=, following our usual logic of not
          abbreviating unnecessarily. The old directive is still
          supported for compat reasons. Also, this directive now takes
          an integer value between 1 and 63, or a boolean value. The
          formerly supported '-1' value for disabling stays around for
          compat reasons.

        * The PrivateTmp=, PrivateDevices=, PrivateNetwork=,
          NoNewPrivileges=, TTYPath=, WorkingDirectory= and
          RootDirectory= properties can now be set for transient
          units.

        * The systemd-analyze tool gained a new "set-log-target" verb
          to change the logging target the system manager logs to
          dynamically during runtime. This is similar to how
          "systemd-analyze set-log-level" already changes the log
          level.

        * In nspawn /sys is now mounted as tmpfs, with only a selected
          set of subdirectories mounted in from the real sysfs. This
          enhances security slightly, and is useful for ensuring user
          namespaces work correctly.

        * Support for USB FunctionFS activation has been added. This
          allows implementation of USB gadget services that are
          activated as soon as they are requested, so that they don't
          have to run continuously, similar to classic socket
          activation.

        * The "systemctl exit" command now optionally takes an
          additional parameter that sets the exit code to return from
          the systemd manager when exiting. This is only relevant when
          running the systemd user instance, or when running the
          system instance in a container.

        * sd-bus gained the new API calls sd_bus_path_encode_many()
          and sd_bus_path_decode_many() that allow easy encoding and
          decoding of multiple identifier strings inside a D-Bus
          object path. Another new call sd_bus_default_flush_close()
          has been added to flush and close per-thread default
          connections.

        * systemd-cgtop gained support for a -M/--machine= switch to
          show the control groups within a certain container only.

        * "systemctl kill" gained support for an optional --fail
          switch. If specified the requested operation will fail of no
          processes have been killed, because the unit had no
          processes attached, or similar.

        * A new systemd.crash_reboot=1 kernel command line option has
          been added that triggers a reboot after crashing. This can
          also be set through CrashReboot= in systemd.conf.

        * The RuntimeDirectory= setting now understands unit
          specifiers like %i or %f.

        * A new (still internal) library API sd-ipv4acd has been added,
          that implements address conflict detection for IPv4. It's
          based on code from sd-ipv4ll, and will be useful for
          detecting DHCP address conflicts.

        * File descriptors passed during socket activation may now be
          named. A new API sd_listen_fds_with_names() is added to
          access the names.  The default names may be overridden,
          either in the .socket file using the FileDescriptorName=
          parameter, or by passing FDNAME= when storing the file
          descriptors using sd_notify().

        * systemd-networkd gained support for:

            - Setting the IPv6 Router Advertisement settings via
              IPv6AcceptRouterAdvertisements= in .network files.

            - Configuring the HelloTimeSec=, MaxAgeSec= and
              ForwardDelaySec= bridge parameters in .netdev files.

            - Configuring PreferredSource= for static routes in
              .network files.

        * The "ask-password" framework used to query for LUKS harddisk
          passwords or SSL passwords during boot gained support for
          caching passwords in the kernel keyring, if it is
          available. This makes sure that the user only has to type in
          a passphrase once if there are multiple objects to unlock
          with the same one. Previously, such password caching was
          available only when Plymouth was used; this moves the
          caching logic into the systemd codebase itself. The
          "systemd-ask-password" utility gained a new --keyname=
          switch to control which kernel keyring key to use for
          caching a password in. This functionality is also useful for
          enabling display managers such as gdm to automatically
          unlock the user's GNOME keyring if its passphrase, the
          user's password and the harddisk password are the same, if
          gdm-autologin is used.

        * When downloading tar or raw images using "machinectl
          pull-tar" or "machinectl pull-raw", a matching ".nspawn"
          file is now also downloaded, if it is available and stored
          next to the image file.

        * Units of type ".socket" gained a new boolean setting
          Writable= which is only useful in conjunction with
          ListenSpecial=. If true, enables opening the specified
          special file in O_RDWR mode rather than O_RDONLY mode.

        * systemd-rfkill has been reworked to become a singleton
          service that is activated through /dev/rfkill on each rfkill
          state change and saves the settings to disk. This way,
          systemd-rfkill is now compatible with devices that exist
          only intermittendly, and even restores state if the previous
          system shutdown was abrupt rather than clean.

        * The journal daemon gained support for vacuuming old journal
          files controlled by the number of files that shall remain,
          in addition to the already existing control by size and by
          date. This is useful as journal interleaving performance
          degrades with too many separate journal files, and allows
          putting an effective limit on them. The new setting defaults
          to 100, but this may be changed by setting SystemMaxFiles=
          and RuntimeMaxFiles= in journald.conf. Also, the
          "journalctl" tool gained the new --vacuum-files= switch to
          manually vacuum journal files to leave only the specified
          number of files in place.

        * udev will now create /dev/disk/by-path links for ATA devices
          on kernels where that is supported.

        * Galician, Serbian, Turkish and Korean translations were added.

        Contributions from: Aaro Koskinen, Alban Crequy, Beniamino
        Galvani, Benjamin Robin, Branislav Blaskovic, Chen-Han Hsiao
        (Stanley), Daniel Buch, Daniel Machon, Daniel Mack, David
        Herrmann, David Milburn, doubleodoug, Evgeny Vereshchagin,
        Felipe Franciosi, Filipe Brandenburger, Fran Dieguez, Gabriel
        de Perthuis, Georg Müller, Hans de Goede, Hendrik Brueckner,
        Ivan Shapovalov, Jacob Keller, Jan Engelhardt, Jan Janssen,
        Jan Synacek, Jens Kuske, Karel Zak, Kay Sievers, Krzesimir
        Nowak, Krzysztof Kotlenga, Lars Uebernickel, Lennart
        Poettering, Lukas Nykryn, Łukasz Stelmach, Maciej Wereski,
        Marcel Holtmann, Marius Thesing, Martin Pitt, Michael Biebl,
        Michael Gebetsroither, Michal Schmidt, Michal Sekletar, Mike
        Gilbert, Muhammet Kara, nazgul77, Nicolas Cornu, NoXPhasma,
        Olof Johansson, Patrik Flykt, Pawel Szewczyk, reverendhomer,
        Ronny Chevalier, Sangjung Woo, Seong-ho Cho, Susant Sahani,
        Sylvain Plantefève, Thomas Haller, Thomas Hindoe Paaboel
        Andersen, Tom Gundersen, Tom Lyon, Viktar Vauchkevich,
        Zbigniew Jędrzejewski-Szmek, Марко М. Костић

        — Berlin, 2015-10-07

CHANGES WITH 226:

        * The DHCP implementation of systemd-networkd gained a set of
          new features:

          - The DHCP server now supports emitting DNS and NTP
            information. It may be enabled and configured via
            EmitDNS=, DNS=, EmitNTP=, and NTP=. If transmission of DNS
            and NTP information is enabled, but no servers are
            configured, the corresponding uplink information (if there
            is any) is propagated.

          - Server and client now support transmission and reception
            of timezone information. It can be configured via the
            newly introduced network options UseTimezone=,
            EmitTimezone=, and Timezone=.  Transmission of timezone
            information is enabled between host and containers by
            default now: the container will change its local timezone
            to what the host has set.

          - Lease timeouts can now be configured via
            MaxLeaseTimeSec= and DefaultLeaseTimeSec=.

          - The DHCP server improved on the stability of
            leases. Clients are more likely to get the same lease
            information back, even if the server loses state.

          - The DHCP server supports two new configuration options to
            control the lease address pool metrics, PoolOffset= and
            PoolSize=.

        * The encapsulation limit of tunnels in systemd-networkd may
          now be configured via 'EncapsulationLimit='. It allows
          modifying the maximum additional levels of encapsulation
          that are permitted to be prepended to a packet.

        * systemd now supports the concept of user buses replacing
          session buses, if used with dbus-1.10 (and enabled via dbus
          --enable-user-session). It previously only supported this on
          kdbus-enabled systems, and this release expands this to
          'dbus-daemon' systems.

        * systemd-networkd now supports predictable interface names
          for virtio devices.

        * systemd now optionally supports the new Linux kernel
          "unified" control group hierarchy. If enabled via the kernel
          command-line option 'systemd.unified_cgroup_hierarchy=1',
          systemd will try to mount the unified cgroup hierarchy
          directly on /sys/fs/cgroup. If not enabled, or not
          available, systemd will fall back to the legacy cgroup
          hierarchy setup, as before. Host system and containers can
          mix and match legacy and unified hierarchies as they
          wish. nspawn understands the $UNIFIED_CGROUP_HIERARCHY
          environment variable to individually select the hierarchy to
          use for executed containers. By default, nspawn will use the
          unified hierarchy for the containers if the host uses the
          unified hierarchy, and the legacy hierarchy otherwise.
          Please note that at this point the unified hierarchy is an
          experimental kernel feature and is likely to change in one
          of the next kernel releases.  Therefore, it should not be
          enabled by default in downstream distributions yet. The
          minimum required kernel version for the unified hierarchy to
          work is 4.2. Note that when the unified hierarchy is used
          for the first time delegated access to controllers is
          safe. Because of this systemd-nspawn containers will get
          access to controllers now, as will systemd user
          sessions. This means containers and user sessions may now
          manage their own resources, partitioning up what the system
          grants them.

        * A new special scope unit "init.scope" has been introduced
          that encapsulates PID 1 of the system. It may be used to
          determine resource usage and enforce resource limits on PID
          1 itself. PID 1 hence moved out of the root of the control
          group tree.

        * The cgtop tool gained support for filtering out kernel
          threads when counting tasks in a control group. Also, the
          count of processes is now recursively summed up by
          default. Two options -k and --recursive= have been added to
          revert to old behaviour. The tool has also been updated to
          work correctly in containers now.

        * systemd-nspawn's --bind= and --bind-ro= options have been
          extended to allow creation of non-recursive bind mounts.

        * libsystemd gained two new calls sd_pid_get_cgroup() and
          sd_peer_get_cgroup() which return the control group path of
          a process or peer of a connected AF_UNIX socket. This
          function call is particularly useful when implementing
          delegated subtrees support in the control group hierarchy.

        * The "sd-event" event loop API of libsystemd now supports
          correct dequeuing of real-time signals, without losing
          signal events.

        * When systemd requests a polkit decision when managing units it
          will now add additional fields to the request, including unit
          name and desired operation. This enables more powerful polkit
          policies, that make decisions depending on these parameters.

        * nspawn learnt support for .nspawn settings files, that may
          accompany the image files or directories of containers, and
          may contain additional settings for the container. This is
          an alternative to configuring container parameters via the
          nspawn command line.

        Contributions from: Cristian Rodríguez, Daniel Mack, David
        Herrmann, Eugene Yakubovich, Evgeny Vereshchagin, Filipe
        Brandenburger, Hans de Goede, Jan Alexander Steffens, Jan
        Synacek, Kay Sievers, Lennart Poettering, Mangix, Marcel
        Holtmann, Martin Pitt, Michael Biebl, Michael Chapman, Michal
        Sekletar, Peter Hutterer, Piotr Drąg, reverendhomer, Robin
        Hack, Susant Sahani, Sylvain Pasche, Thomas Hindoe Paaboel
        Andersen, Tom Gundersen, Torstein Husebø

        — Berlin, 2015-09-08

CHANGES WITH 225:

        * machinectl gained a new verb 'shell' which opens a fresh
          shell on the target container or the host. It is similar to
          the existing 'login' command of machinectl, but spawns the
          shell directly without prompting for username or
          password. The pseudo machine '.host' now refers to the local
          host and is used by default. Hence, 'machinectl shell' can
          be used as replacement for 'su -' which spawns a session as
          a fresh systemd unit in a way that is fully isolated from
          the originating session.

        * systemd-networkd learned to cope with private-zone DHCP
          options and allows other programs to query the values.

        * SELinux access control when enabling/disabling units is no
          longer enforced with this release. The previous implementation
          was incorrect, and a new corrected implementation is not yet
          available. As unit file operations are still protected via
          polkit and D-Bus policy this is not a security problem. Yet,
          distributions which care about optimal SELinux support should
          probably not stabilize on this release.

        * sd-bus gained support for matches of type "arg0has=", that
          test for membership of strings in string arrays sent in bus
          messages.

        * systemd-resolved now dumps the contents of its DNS and LLMNR
          caches to the logs on reception of the SIGUSR1 signal. This
          is useful to debug DNS behaviour.

        * The coredumpctl tool gained a new --directory= option to
          operate on journal files in a specific directory.

        * "systemctl reboot" and related commands gained a new
          "--message=" option which may be used to set a free-text
          wall message when shutting down or rebooting the
          system. This message is also logged, which is useful for
          figuring out the reason for a reboot or shutdown a
          posteriori.

        * The "systemd-resolve-host" tool's -i switch now takes
          network interface numbers as alternative to interface names.

        * A new unit file setting for services has been introduced:
          UtmpMode= allows configuration of how precisely systemd
          handles utmp and wtmp entries for the service if this is
          enabled. This allows writing services that appear similar to
          user sessions in the output of the "w", "who", "last" and
          "lastlog" tools.

        * systemd-resolved will now locally synthesize DNS resource
          records for the "localhost" and "gateway" domains as well as
          the local hostname. This should ensure that clients querying
          RRs via resolved will get similar results as those going via
          NSS, if nss-myhostname is enabled.

        Contributions from: Alastair Hughes, Alex Crawford, Daniel
        Mack, David Herrmann, Dimitri John Ledkov, Eric Kostrowski,
        Evgeny Vereshchagin, Felipe Sateler, HATAYAMA Daisuke, Jan
        Pokorný, Jan Synacek, Johnny Robeson, Karel Zak, Kay Sievers,
        Kefeng Wang, Lennart Poettering, Major Hayden, Marcel
        Holtmann, Markus Elfring, Martin Mikkelsen, Martin Pitt, Matt
        Turner, Maxim Mikityanskiy, Michael Biebl, Namhyung Kim,
        Nicolas Cornu, Owen W. Taylor, Patrik Flykt, Peter Hutterer,
        reverendhomer, Richard Maw, Ronny Chevalier, Seth Jennings,
        Stef Walter, Susant Sahani, Thomas Blume, Thomas Hindoe
        Paaboel Andersen, Thomas Meyer, Tom Gundersen, Vincent Batts,
        WaLyong Cho, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2015-08-27

CHANGES WITH 224:

        * The systemd-efi-boot-generator functionality was merged into
          systemd-gpt-auto-generator.

        * systemd-networkd now supports Group Policy for vxlan
          devices. It can be enabled via the new boolean configuration
          option called 'GroupPolicyExtension='.

        Contributions from: Andreas Kempf, Christian Hesse, Daniel Mack, David
        Herrmann, Herman Fries, Johannes Nixdorf, Kay Sievers, Lennart
        Poettering, Peter Hutterer, Susant Sahani, Tom Gundersen

        — Berlin, 2015-07-31

CHANGES WITH 223:

        * The python-systemd code has been removed from the systemd repository.
          A new repository has been created which accommodates the code from
          now on, and we kindly ask distributions to create a separate package
          for this: https://github.com/systemd/python-systemd

        * The systemd daemon will now reload its main configuration
          (/etc/systemd/system.conf) on daemon-reload.

        * sd-dhcp now exposes vendor specific extensions via
          sd_dhcp_lease_get_vendor_specific().

        * systemd-networkd gained a number of new configuration options.

          - A new boolean configuration option for TAP devices called
            'VNetHeader='. If set, the IFF_VNET_HDR flag is set for the
            device, thus allowing to send and receive GSO packets.

          - A new tunnel configuration option called 'CopyDSCP='.
            If enabled, the DSCP field of ip6 tunnels is copied into the
            decapsulated packet.

          - A set of boolean bridge configuration options were added.
            'UseBPDU=', 'HairPin=', 'FastLeave=', 'AllowPortToBeRoot=',
            and 'UnicastFlood=' are now parsed by networkd and applied to the
            respective bridge link device via the respective IFLA_BRPORT_*
            netlink attribute.

          - A new string configuration option to override the hostname sent
            to a DHCP server, called 'Hostname='. If set and 'SendHostname='
            is true, networkd will use the configured hostname instead of the
            system hostname when sending DHCP requests.

          - A new tunnel configuration option called 'IPv6FlowLabel='. If set,
            networkd will configure the IPv6 flow-label of the tunnel device
            according to RFC2460.

          - The 'macvtap' virtual network devices are now supported, similar to
            the already supported 'macvlan' devices.

        * systemd-resolved now implements RFC5452 to improve resilience against
          cache poisoning. Additionally, source port randomization is enabled
          by default to further protect against DNS spoofing attacks.

        * nss-mymachines now supports translating UIDs and GIDs of running
          containers with user-namespaces enabled. If a container 'foo'
          translates a host uid 'UID' to the container uid 'TUID', then
          nss-mymachines will also map uid 'UID' to/from username 'vu-foo-TUID'
          (with 'foo' and 'TUID' replaced accordingly). Similarly, groups are
          mapped as 'vg-foo-TGID'.

        Contributions from: Beniamino Galvani, cee1, Christian Hesse, Daniel
        Buch, Daniel Mack, daurnimator, David Herrmann, Dimitri John Ledkov,
        HATAYAMA Daisuke, Ivan Shapovalov, Jan Alexander Steffens (heftig),
        Johan Ouwerkerk, Jose Carlos Venegas Munoz, Karel Zak, Kay Sievers,
        Lennart Poettering, Lidong Zhong, Martin Pitt, Michael Biebl, Michael
        Olbrich, Michal Schmidt, Michal Sekletar, Mike Gilbert, Namhyung Kim,
        Nick Owens, Peter Hutterer, Richard Maw, Steven Allen, Sungbae Yoo,
        Susant Sahani, Thomas Blume, Thomas Hindoe Paaboel Andersen, Tom
        Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Vito Caputo,
        Vivenzio Pagliari, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2015-07-29

CHANGES WITH 222:

        * udev does not longer support the WAIT_FOR_SYSFS= key in udev rules.
          There are no known issues with current sysfs, and udev does not need
          or should be used to work around such bugs.

        * udev does no longer enable USB HID power management. Several reports
          indicate, that some devices cannot handle that setting.

        * The udev accelerometer helper was removed. The functionality
          is now fully included in iio-sensor-proxy. But this means,
          older iio-sensor-proxy versions will no longer provide
          accelerometer/orientation data with this systemd version.
          Please upgrade iio-sensor-proxy to version 1.0.

        * networkd gained a new configuration option IPv6PrivacyExtensions=
          which enables IPv6 privacy extensions (RFC 4941, "Privacy Extensions
          for Stateless Address") on selected networks.

        * For the sake of fewer build-time dependencies and less code in the
          main repository, the python bindings are about to be removed in the
          next release. A new repository has been created which accommodates
          the code from now on, and we kindly ask distributions to create a
          separate package for this. The removal will take place in v223.

            https://github.com/systemd/python-systemd

        Contributions from: Abdo Roig-Maranges, Andrew Eikum, Bastien Nocera,
        Cédric Delmas, Christian Hesse, Christos Trochalakis, Daniel Mack,
        daurnimator, David Herrmann, Dimitri John Ledkov, Eric Biggers, Eric
        Cook, Felipe Sateler, Geert Jansen, Gerd Hoffmann, Gianpaolo Macario,
        Greg Kroah-Hartman, Iago López Galeiras, Jan Alexander Steffens
        (heftig), Jan Engelhardt, Jay Strict, Kay Sievers, Lennart Poettering,
        Markus Knetschke, Martin Pitt, Michael Biebl, Michael Marineau, Michal
        Sekletar, Miguel Bernal Marin, Peter Hutterer, Richard Maw, rinrinne,
        Susant Sahani, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein
        Husebø, Vedran Miletić, WaLyong Cho, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2015-07-07

CHANGES WITH 221:

        * The sd-bus.h and sd-event.h APIs have now been declared
          stable and have been added to the official interface of
          libsystemd.so. sd-bus implements an alternative D-Bus client
          library, that is relatively easy to use, very efficient and
          supports both classic D-Bus as well as kdbus as transport
          backend. sd-event is a generic event loop abstraction that
          is built around Linux epoll, but adds features such as event
          prioritization or efficient timer handling. Both APIs are good
          choices for C programs looking for a bus and/or event loop
          implementation that is minimal and does not have to be
          portable to other kernels.

        * kdbus support is no longer compile-time optional. It is now
          always built-in. However, it can still be disabled at
          runtime using the kdbus=0 kernel command line setting, and
          that setting may be changed to default to off, by specifying
          --disable-kdbus at build-time. Note though that the kernel
          command line setting has no effect if the kdbus.ko kernel
          module is not installed, in which case kdbus is (obviously)
          also disabled. We encourage all downstream distributions to
          begin testing kdbus by adding it to the kernel images in the
          development distributions, and leaving kdbus support in
          systemd enabled.

        * The minimal required util-linux version has been bumped to
          2.26.

        * Support for chkconfig (--enable-chkconfig) was removed in
          favor of calling an abstraction tool
          /lib/systemd/systemd-sysv-install. This needs to be
          implemented for your distribution. See "SYSV INIT.D SCRIPTS"
          in README for details.

        * If there's a systemd unit and a SysV init script for the
          same service name, and the user executes "systemctl enable"
          for it (or a related call), then this will now enable both
          (or execute the related operation on both), not just the
          unit.

        * The libudev API documentation has been converted from gtkdoc
          into man pages.

        * gudev has been removed from the systemd tree, it is now an
          external project.

        * The systemd-cgtop tool learnt a new --raw switch to generate
          "raw" (machine parsable) output.

        * networkd's IPForwarding= .network file setting learnt the
          new setting "kernel", which ensures that networkd does not
          change the IP forwarding sysctl from the default kernel
          state.

        * The systemd-logind bus API now exposes a new boolean
          property "Docked" that reports whether logind considers the
          system "docked", i.e. connected to a docking station or not.

        Contributions from: Alex Crawford, Andreas Pokorny, Andrei
        Borzenkov, Charles Duffy, Colin Guthrie, Cristian Rodríguez,
        Daniele Medri, Daniel Hahler, Daniel Mack, David Herrmann,
        David Mohr, Dimitri John Ledkov, Djalal Harouni, dslul, Ed
        Swierk, Eric Cook, Filipe Brandenburger, Gianpaolo Macario,
        Harald Hoyer, Iago López Galeiras, Igor Vuk, Jan Synacek,
        Jason Pleau, Jason S. McMullan, Jean Delvare, Jeff Huang,
        Jonathan Boulle, Karel Zak, Kay Sievers, kloun, Lennart
        Poettering, Marc-Antoine Perennou, Marcel Holtmann, Mario
        Limonciello, Martin Pitt, Michael Biebl, Michael Olbrich,
        Michal Schmidt, Mike Gilbert, Nick Owens, Pablo Lezaeta Reyes,
        Patrick Donnelly, Pavel Odvody, Peter Hutterer, Philip
        Withnall, Ronny Chevalier, Simon McVittie, Susant Sahani,
        Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein
        Husebø, Umut Tezduyar Lindskog, Viktar Vauchkevich, Werner
        Fink, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2015-06-19

CHANGES WITH 220:

        * The gudev library has been extracted into a separate repository
          available at: https://git.gnome.org/browse/libgudev/
          It is now managed as part of the Gnome project. Distributions
          are recommended to pass --disable-gudev to systemd and use
          gudev from the Gnome project instead. gudev is still included
          in systemd, for now. It will be removed soon, though. Please
          also see the announcement-thread on systemd-devel:
          https://lists.freedesktop.org/archives/systemd-devel/2015-May/032070.html

        * systemd now exposes a CPUUsageNSec= property for each
          service unit on the bus, that contains the overall consumed
          CPU time of a service (the sum of what each process of the
          service consumed). This value is only available if
          CPUAccounting= is turned on for a service, and is then shown
          in the "systemctl status" output.

        * Support for configuring alternative mappings of the old SysV
          runlevels to systemd targets has been removed. They are now
          hardcoded in a way that runlevels 2, 3, 4 all map to
          multi-user.target and 5 to graphical.target (which
          previously was already the default behaviour).

        * The auto-mounter logic gained support for mount point
          expiry, using a new TimeoutIdleSec= setting in .automount
          units. (Also available as x-systemd.idle-timeout= in /etc/fstab).

        * The EFI System Partition (ESP) as mounted to /boot by
          systemd-efi-boot-generator will now be unmounted
          automatically after 2 minutes of not being used. This should
          minimize the risk of ESP corruptions.

        * New /etc/fstab options x-systemd.requires= and
          x-systemd.requires-mounts-for= are now supported to express
          additional dependencies for mounts. This is useful for
          journaling file systems that support external journal
          devices or overlay file systems that require underlying file
          systems to be mounted.

        * systemd does not support direct live-upgrades (via systemctl
          daemon-reexec) from versions older than v44 anymore. As no
          distribution we are aware of shipped such old versions in a
          stable release this should not be problematic.

        * When systemd forks off a new per-connection service instance
          it will now set the $REMOTE_ADDR environment variable to the
          remote IP address, and $REMOTE_PORT environment variable to
          the remote IP port. This behaviour is similar to the
          corresponding environment variables defined by CGI.

        * systemd-networkd gained support for uplink failure
          detection. The BindCarrier= option allows binding interface
          configuration dynamically to the link sense of other
          interfaces. This is useful to achieve behaviour like in
          network switches.

        * systemd-networkd gained support for configuring the DHCP
          client identifier to use when requesting leases.

        * systemd-networkd now has a per-network UseNTP= option to
          configure whether NTP server information acquired via DHCP
          is passed on to services like systemd-timesyncd.

        * systemd-networkd gained support for vti6 tunnels.

        * Note that systemd-networkd manages the sysctl variable
          /proc/sys/net/ipv[46]/conf/*/forwarding for each interface
          it is configured for since v219. The variable controls IP
          forwarding, and is a per-interface alternative to the global
          /proc/sys/net/ipv[46]/ip_forward. This setting is
          configurable in the IPForward= option, which defaults to
          "no". This means if networkd is used for an interface it is
          no longer sufficient to set the global sysctl option to turn
          on IP forwarding! Instead, the .network file option
          IPForward= needs to be turned on! Note that the
          implementation of this behaviour was broken in v219 and has
          been fixed in v220.

        * Many bonding and vxlan options are now configurable in
          systemd-networkd.

        * systemd-nspawn gained a new --property= setting to set unit
          properties for the container scope. This is useful for
          setting resource parameters (e.g. "CPUShares=500") on
          containers started from the command line.

        * systemd-nspawn gained a new --private-users= switch to make
          use of user namespacing available on recent Linux kernels.

        * systemd-nspawn may now be called as part of a shell pipeline
          in which case the pipes used for stdin and stdout are passed
          directly to the process invoked in the container, without
          indirection via a pseudo tty.

        * systemd-nspawn gained a new switch to control the UNIX
          signal to use when killing the init process of the container
          when shutting down.

        * systemd-nspawn gained a new --overlay= switch for mounting
          overlay file systems into the container using the new kernel
          overlayfs support.

        * When a container image is imported via systemd-importd and
          the host file system is not btrfs, a loopback block device
          file is created in /var/lib/machines.raw with a btrfs file
          system inside. It is then mounted to /var/lib/machines to
          enable btrfs features for container management. The loopback
          file and btrfs file system is grown as needed when container
          images are imported via systemd-importd.

        * systemd-machined/systemd-importd gained support for btrfs
          quota, to enforce container disk space limits on disk. This
          is exposed in "machinectl set-limit".

        * systemd-importd now can import containers from local .tar,
          .raw and .qcow2 images, and export them to .tar and .raw. It
          can also import dkr v2 images now from the network (on top
          of v1 as before).

        * systemd-importd gained support for verifying downloaded
          images with gpg2 (previously only gpg1 was supported).

        * systemd-machined, systemd-logind, systemd: most bus calls are
          now accessible to unprivileged processes via polkit. Also,
          systemd-logind will now allow users to kill their own sessions
          without further privileges or authorization.

        * systemd-shutdownd has been removed. This service was
          previously responsible for implementing scheduled shutdowns
          as exposed in /usr/bin/shutdown's time parameter. This
          functionality has now been moved into systemd-logind and is
          accessible via a bus interface.

        * "systemctl reboot" gained a new switch --firmware-setup that
          can be used to reboot into the EFI firmware setup, if that
          is available. systemd-logind now exposes an API on the bus
          to trigger such reboots, in case graphical desktop UIs want
          to cover this functionality.

        * "systemctl enable", "systemctl disable" and "systemctl mask"
          now support a new "--now" switch. If specified the units
          that are enabled will also be started, and the ones
          disabled/masked also stopped.

        * The Gummiboot EFI boot loader tool has been merged into
          systemd, and renamed to "systemd-boot". The bootctl tool has been
          updated to support systemd-boot.

        * An EFI kernel stub has been added that may be used to create
          kernel EFI binaries that contain not only the actual kernel,
          but also an initrd, boot splash, command line and OS release
          information. This combined binary can then be signed as a
          single image, so that the firmware can verify it all in one
          step. systemd-boot has special support for EFI binaries created
          like this and can extract OS release information from them
          and show them in the boot menu. This functionality is useful
          to implement cryptographically verified boot schemes.

        * Optional support has been added to systemd-fsck to pass
          fsck's progress report to an AF_UNIX socket in the file
          system.

        * udev will no longer create device symlinks for all block devices by
          default. A deny list for excluding special block devices from this
          logic has been turned into an allow list that requires picking block
          devices explicitly that require device symlinks.

        * A new (currently still internal) API sd-device.h has been
          added to libsystemd. This modernized API is supposed to
          replace libudev eventually. In fact, already much of libudev
          is now just a wrapper around sd-device.h.

        * A new hwdb database for storing metadata about pointing
          stick devices has been added.

        * systemd-tmpfiles gained support for setting file attributes
          similar to the "chattr" tool with new 'h' and 'H' lines.

        * systemd-journald will no longer unconditionally set the
          btrfs NOCOW flag on new journal files. This is instead done
          with tmpfiles snippet using the new 'h' line type. This
          allows easy disabling of this logic, by masking the
          journal-nocow.conf tmpfiles file.

        * systemd-journald will now translate audit message types to
          human readable identifiers when writing them to the
          journal. This should improve readability of audit messages.

        * The LUKS logic gained support for the offset= and skip=
          options in /etc/crypttab, as previously implemented by
          Debian.

        * /usr/lib/os-release gained a new optional field VARIANT= for
          distributions that support multiple variants (such as a
          desktop edition, a server edition, …)

        Contributions from: Aaro Koskinen, Adam Goode, Alban Crequy,
        Alberto Fanjul Alonso, Alexander Sverdlin, Alex Puchades, Alin
        Rauta, Alison Chaiken, Andrew Jones, Arend van Spriel,
        Benedikt Morbach, Benjamin Franzke, Benjamin Tissoires, Blaž
        Tomažič, Chris Morgan, Chris Morin, Colin Walters, Cristian
        Rodríguez, Daniel Buch, Daniel Drake, Daniele Medri, Daniel
        Mack, Daniel Mustieles, daurnimator, Davide Bettio, David
        Herrmann, David Strauss, Didier Roche, Dimitri John Ledkov,
        Eric Cook, Gavin Li, Goffredo Baroncelli, Hannes Reinecke,
        Hans de Goede, Hans-Peter Deifel, Harald Hoyer, Iago López
        Galeiras, Ivan Shapovalov, Jan Engelhardt, Jan Janssen, Jan
        Pazdziora, Jan Synacek, Jasper St. Pierre, Jay Faulkner, John
        Paul Adrian Glaubitz, Jonathon Gilbert, Karel Zak, Kay
        Sievers, Koen Kooi, Lennart Poettering, Lubomir Rintel, Lucas
        De Marchi, Lukas Nykryn, Lukas Rusak, Lukasz Skalski, Łukasz
        Stelmach, Mantas Mikulėnas, Marc-Antoine Perennou, Marcel
        Holtmann, Martin Pitt, Mathieu Chevrier, Matthew Garrett,
        Michael Biebl, Michael Marineau, Michael Olbrich, Michal
        Schmidt, Michal Sekletar, Mirco Tischler, Nir Soffer, Patrik
        Flykt, Pavel Odvody, Peter Hutterer, Peter Lemenkov, Peter
        Waller, Piotr Drąg, Raul Gutierrez S, Richard Maw, Ronny
        Chevalier, Ross Burton, Sebastian Rasmussen, Sergey Ptashnick,
        Seth Jennings, Shawn Landden, Simon Farnsworth, Stefan Junker,
        Stephen Gallagher, Susant Sahani, Sylvain Plantefève, Thomas
        Haller, Thomas Hindoe Paaboel Andersen, Tobias Hunger, Tom
        Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Will
        Woods, Zachary Cook, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2015-05-22

CHANGES WITH 219:

        * Introduce a new API "sd-hwdb.h" for querying the hardware
          metadata database. With this minimal interface one can query
          and enumerate the udev hwdb, decoupled from the old libudev
          library. libudev's interface for this is now only a wrapper
          around sd-hwdb. A new tool systemd-hwdb has been added to
          interface with and update the database.

        * When any of systemd's tools copies files (for example due to
          tmpfiles' C lines) a btrfs reflink will attempted first,
          before bytewise copying is done.

        * systemd-nspawn gained a new --ephemeral switch. When
          specified a btrfs snapshot is taken of the container's root
          directory, and immediately removed when the container
          terminates again. Thus, a container can be started whose
          changes never alter the container's root directory, and are
          lost on container termination. This switch can also be used
          for starting a container off the root file system of the
          host without affecting the host OS. This switch is only
          available on btrfs file systems.

        * systemd-nspawn gained a new --template= switch. It takes the
          path to a container tree to use as template for the tree
          specified via --directory=, should that directory be
          missing. This allows instantiating containers dynamically,
          on first run. This switch is only available on btrfs file
          systems.

        * When a .mount unit refers to a mount point on which multiple
          mounts are stacked, and the .mount unit is stopped all of
          the stacked mount points will now be unmounted until no
          mount point remains.

        * systemd now has an explicit notion of supported and
          unsupported unit types. Jobs enqueued for unsupported unit
          types will now fail with an "unsupported" error code. More
          specifically .swap, .automount and .device units are not
          supported in containers, .busname units are not supported on
          non-kdbus systems. .swap and .automount are also not
          supported if their respective kernel compile time options
          are disabled.

        * machinectl gained support for two new "copy-from" and
          "copy-to" commands for copying files from a running
          container to the host or vice versa.

        * machinectl gained support for a new "bind" command to bind
          mount host directories into local containers. This is
          currently only supported for nspawn containers.

        * networkd gained support for configuring bridge forwarding
          database entries (fdb) from .network files.

        * A new tiny daemon "systemd-importd" has been added that can
          download container images in tar, raw, qcow2 or dkr formats,
          and make them available locally in /var/lib/machines, so
          that they can run as nspawn containers. The daemon can GPG
          verify the downloads (not supported for dkr, since it has no
          provisions for verifying downloads). It will transparently
          decompress bz2, xz, gzip compressed downloads if necessary,
          and restore sparse files on disk. The daemon uses privilege
          separation to ensure the actual download logic runs with
          fewer privileges than the daemon itself. machinectl has
          gained new commands "pull-tar", "pull-raw" and "pull-dkr" to
          make the functionality of importd available to the
          user. With this in place the Fedora and Ubuntu "Cloud"
          images can be downloaded and booted as containers unmodified
          (the Fedora images lack the appropriate GPG signature files
          currently, so they cannot be verified, but this will change
          soon, hopefully). Note that downloading images is currently
          only fully supported on btrfs.

        * machinectl is now able to list container images found in
          /var/lib/machines, along with some metadata about sizes of
          disk and similar. If the directory is located on btrfs and
          quota is enabled, this includes quota display. A new command
          "image-status" has been added that shows additional
          information about images.

        * machinectl is now able to clone container images
          efficiently, if the underlying file system (btrfs) supports
          it, with the new "machinectl clone" command. It also
          gained commands for renaming and removing images, as well as
          marking them read-only or read-write (supported also on
          legacy file systems).

        * networkd gained support for collecting LLDP network
          announcements, from hardware that supports this. This is
          shown in networkctl output.

        * systemd-run gained support for a new -t (--pty) switch for
          invoking a binary on a pty whose input and output is
          connected to the invoking terminal. This allows executing
          processes as system services while interactively
          communicating with them via the terminal. Most interestingly
          this is supported across container boundaries. Invoking
          "systemd-run -t /bin/bash" is an alternative to running a
          full login session, the difference being that the former
          will not register a session, nor go through the PAM session
          setup.

        * tmpfiles gained support for a new "v" line type for creating
          btrfs subvolumes. If the underlying file system is a legacy
          file system, this automatically degrades to creating a
          normal directory. Among others /var/lib/machines is now
          created like this at boot, should it be missing.

        * The directory /var/lib/containers/ has been deprecated and
          been replaced by /var/lib/machines. The term "machines" has
          been used in the systemd context as generic term for both
          VMs and containers, and hence appears more appropriate for
          this, as the directory can also contain raw images bootable
          via qemu/kvm.

        * systemd-nspawn when invoked with -M but without --directory=
          or --image= is now capable of searching for the container
          root directory, subvolume or disk image automatically, in
          /var/lib/machines. systemd-nspawn@.service has been updated
          to make use of this, thus allowing it to be used for raw
          disk images, too.

        * A new machines.target unit has been introduced that is
          supposed to group all containers/VMs invoked as services on
          the system. systemd-nspawn@.service has been updated to
          integrate with that.

        * machinectl gained a new "start" command, for invoking a
          container as a service. "machinectl start foo" is mostly
          equivalent to "systemctl start systemd-nspawn@foo.service",
          but handles escaping in a nicer way.

        * systemd-nspawn will now mount most of the cgroupfs tree
          read-only into each container, with the exception of the
          container's own subtree in the name=systemd hierarchy.

        * journald now sets the special FS_NOCOW file flag for its
          journal files. This should improve performance on btrfs, by
          avoiding heavy fragmentation when journald's write-pattern
          is used on COW file systems. It degrades btrfs' data
          integrity guarantees for the files to the same levels as for
          ext3/ext4 however. This should be OK though as journald does
          its own data integrity checks and all its objects are
          checksummed on disk. Also, journald should handle btrfs disk
          full events a lot more gracefully now, by processing SIGBUS
          errors, and not relying on fallocate() anymore.

        * When journald detects that journal files it is writing to
          have been deleted it will immediately start new journal
          files.

        * systemd now provides a way to store file descriptors
          per-service in PID 1. This is useful for daemons to ensure
          that fds they require are not lost during a daemon
          restart. The fds are passed to the daemon on the next
          invocation in the same way socket activation fds are
          passed. This is now used by journald to ensure that the
          various sockets connected to all the system's stdout/stderr
          are not lost when journald is restarted. File descriptors
          may be stored in PID 1 via the sd_pid_notify_with_fds() API,
          an extension to sd_notify(). Note that a limit is enforced
          on the number of fds a service can store in PID 1, and it
          defaults to 0, so that no fds may be stored, unless this is
          explicitly turned on.

        * The default TERM variable to use for units connected to a
          terminal, when no other value is explicitly is set is now
          vt220 rather than vt102. This should be fairly safe still,
          but allows PgUp/PgDn work.

        * The /etc/crypttab option header= as known from Debian is now
          supported.

        * "loginctl user-status" and "loginctl session-status" will
          now show the last 10 lines of log messages of the
          user/session following the status output. Similar,
          "machinectl status" will show the last 10 log lines
          associated with a virtual machine or container
          service. (Note that this is usually not the log messages
          done in the VM/container itself, but simply what the
          container manager logs. For nspawn this includes all console
          output however.)

        * "loginctl session-status" without further argument will now
          show the status of the session of the caller. Similar,
          "lock-session", "unlock-session", "activate",
          "enable-linger", "disable-linger" may now be called without
          session/user parameter in which case they apply to the
          caller's session/user.

        * An X11 session scriptlet is now shipped that uploads
          $DISPLAY and $XAUTHORITY into the environment of the systemd
          --user daemon if a session begins. This should improve
          compatibility with X11 enabled applications run as systemd
          user services.

        * Generators are now subject to masking via /etc and /run, the
          same way as unit files.

        * networkd .network files gained support for configuring
          per-link IPv4/IPv6 packet forwarding as well as IPv4
          masquerading. This is by default turned on for veth links to
          containers, as registered by systemd-nspawn. This means that
          nspawn containers run with --network-veth will now get
          automatic routed access to the host's networks without any
          further configuration or setup, as long as networkd runs on
          the host.

        * systemd-nspawn gained the --port= (-p) switch to expose TCP
          or UDP posts of a container on the host. With this in place
          it is possible to run containers with private veth links
          (--network-veth), and have their functionality exposed on
          the host as if their services were running directly on the
          host.

        * systemd-nspawn's --network-veth switch now gained a short
          version "-n", since with the changes above it is now truly
          useful out-of-the-box. The systemd-nspawn@.service has been
          updated to make use of it too by default.

        * systemd-nspawn will now maintain a per-image R/W lock, to
          ensure that the same image is not started more than once
          writable. (It's OK to run an image multiple times
          simultaneously in read-only mode.)

        * systemd-nspawn's --image= option is now capable of
          dissecting and booting MBR and GPT disk images that contain
          only a single active Linux partition. Previously it
          supported only GPT disk images with proper GPT type
          IDs. This allows running cloud images from major
          distributions directly with systemd-nspawn, without
          modification.

        * In addition to collecting mouse dpi data in the udev
          hardware database, there's now support for collecting angle
          information for mouse scroll wheels. The database is
          supposed to guarantee similar scrolling behavior on mice
          that it knows about. There's also support for collecting
          information about Touchpad types.

        * udev's input_id built-in will now also collect touch screen
          dimension data and attach it to probed devices.

        * /etc/os-release gained support for a Distribution Privacy
          Policy link field.

        * networkd gained support for creating "ipvlan", "gretap",
          "ip6gre", "ip6gretap" and "ip6tnl" network devices.

        * systemd-tmpfiles gained support for "a" lines for setting
          ACLs on files.

        * systemd-nspawn will now mount /tmp in the container to
          tmpfs, automatically.

        * systemd now exposes the memory.usage_in_bytes cgroup
          attribute and shows it for each service in the "systemctl
          status" output, if available.

        * When the user presses Ctrl-Alt-Del more than 7x within 2s an
          immediate reboot is triggered. This useful if shutdown is
          hung and is unable to complete, to expedite the
          operation. Note that this kind of reboot will still unmount
          all file systems, and hence should not result in fsck being
          run on next reboot.

        * A .device unit for an optical block device will now be
          considered active only when a medium is in the drive. Also,
          mount units are now bound to their backing devices thus
          triggering automatic unmounting when devices become
          unavailable. With this in place systemd will now
          automatically unmount left-over mounts when a CD-ROM is
          ejected or an USB stick is yanked from the system.

        * networkd-wait-online now has support for waiting for
          specific interfaces only (with globbing), and for giving up
          after a configurable timeout.

        * networkd now exits when idle. It will be automatically
          restarted as soon as interfaces show up, are removed or
          change state. networkd will stay around as long as there is
          at least one DHCP state machine or similar around, that keep
          it non-idle.

        * networkd may now configure IPv6 link-local addressing in
          addition to IPv4 link-local addressing.

        * The IPv6 "token" for use in SLAAC may now be configured for
          each .network interface in networkd.

        * Routes configured with networkd may now be assigned a scope
          in .network files.

        * networkd's [Match] sections now support globbing and lists
          of multiple space-separated matches per item.

        Contributions from: Alban Crequy, Alin Rauta, Andrey Chaser,
        Bastien Nocera, Bruno Bottazzini, Carlos Garnacho, Carlos
        Morata Castillo, Chris Atkinson, Chris J. Arges, Christian
        Kirbach, Christian Seiler, Christoph Brill, Colin Guthrie,
        Colin Walters, Cristian Rodríguez, Daniele Medri, Daniel Mack,
        Dave Reisner, David Herrmann, Djalal Harouni, Erik Auerswald,
        Filipe Brandenburger, Frank Theile, Gabor Kelemen, Gabriel de
        Perthuis, Harald Hoyer, Hui Wang, Ivan Shapovalov, Jan
        Engelhardt, Jan Synacek, Jay Faulkner, Johannes Hölzl, Jonas
        Ådahl, Jonathan Boulle, Josef Andersson, Kay Sievers, Ken
        Werner, Lennart Poettering, Lucas De Marchi, Lukas Märdian,
        Lukas Nykryn, Lukasz Skalski, Luke Shumaker, Mantas Mikulėnas,
        Manuel Mendez, Marcel Holtmann, Marc Schmitzer, Marko
        Myllynen, Martin Pitt, Maxim Mikityanskiy, Michael Biebl,
        Michael Marineau, Michael Olbrich, Michal Schmidt, Mindaugas
        Baranauskas, Moez Bouhlel, Naveen Kumar, Patrik Flykt, Paul
        Martin, Peter Hutterer, Peter Mattern, Philippe De Swert,
        Piotr Drąg, Rafael Ferreira, Rami Rosen, Robert Milasan, Ronny
        Chevalier, Sangjung Woo, Sebastien Bacher, Sergey Ptashnick,
        Shawn Landden, Stéphane Graber, Susant Sahani, Sylvain
        Plantefève, Thomas Hindoe Paaboel Andersen, Tim JP, Tom
        Gundersen, Topi Miettinen, Torstein Husebø, Umut Tezduyar
        Lindskog, Veres Lajos, Vincent Batts, WaLyong Cho, Wieland
        Hoffmann, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2015-02-16

CHANGES WITH 218:

        * When querying unit file enablement status (for example via
          "systemctl is-enabled"), a new state "indirect" is now known
          which indicates that a unit might not be enabled itself, but
          another unit listed in its Also= setting might be.

        * Similar to the various existing ConditionXYZ= settings for
          units, there are now matching AssertXYZ= settings. While
          failing conditions cause a unit to be skipped, but its job
          to succeed, failing assertions declared like this will cause
          a unit start operation and its job to fail.

        * hostnamed now knows a new chassis type "embedded".

        * systemctl gained a new "edit" command. When used on a unit
          file, this allows extending unit files with .d/ drop-in
          configuration snippets or editing the full file (after
          copying it from /usr/lib to /etc). This will invoke the
          user's editor (as configured with $EDITOR), and reload the
          modified configuration after editing.

        * "systemctl status" now shows the suggested enablement state
          for a unit, as declared in the (usually vendor-supplied)
          system preset files.

        * nss-myhostname will now resolve the single-label hostname
          "gateway" to the locally configured default IP routing
          gateways, ordered by their metrics. This assigns a stable
          name to the used gateways, regardless which ones are
          currently configured. Note that the name will only be
          resolved after all other name sources (if nss-myhostname is
          configured properly) and should hence not negatively impact
          systems that use the single-label hostname "gateway" in
          other contexts.

        * systemd-inhibit now allows filtering by mode when listing
          inhibitors.

        * Scope and service units gained a new "Delegate" boolean
          property, which, when set, allows processes running inside the
          unit to further partition resources. This is primarily
          useful for systemd user instances as well as container
          managers.

        * journald will now pick up audit messages directly from
          the kernel, and log them like any other log message. The
          audit fields are split up and fully indexed. This means that
          journalctl in many ways is now a (nicer!) alternative to
          ausearch, the traditional audit client. Note that this
          implements only a minimal audit client. If you want the
          special audit modes like reboot-on-log-overflow, please use
          the traditional auditd instead, which can be used in
          parallel to journald.

        * The ConditionSecurity= unit file option now understands the
          special string "audit" to check whether auditing is
          available.

        * journalctl gained two new commands --vacuum-size= and
          --vacuum-time= to delete old journal files until the
          remaining ones take up no more than the specified size on disk,
          or are not older than the specified time.

        * A new, native PPPoE library has been added to sd-network,
          systemd's library of light-weight networking protocols. This
          library will be used in a future version of networkd to
          enable PPPoE communication without an external pppd daemon.

        * The busctl tool now understands a new "capture" verb that
          works similar to "monitor", but writes a packet capture
          trace to STDOUT that can be redirected to a file which is
          compatible with libcap's capture file format. This can then
          be loaded in Wireshark and similar tools to inspect bus
          communication.

        * The busctl tool now understands a new "tree" verb that shows
          the object trees of a specific service on the bus, or of all
          services.

        * The busctl tool now understands a new "introspect" verb that
          shows all interfaces and members of objects on the bus,
          including their signature and values. This is particularly
          useful to get more information about bus objects shown by
          the new "busctl tree" command.

        * The busctl tool now understands new verbs "call",
          "set-property" and "get-property" for invoking bus method
          calls, setting and getting bus object properties in a
          friendly way.

        * busctl gained a new --augment-creds= argument that controls
          whether the tool shall augment credential information it
          gets from the bus with data from /proc, in a possibly
          race-ful way.

        * nspawn's --link-journal= switch gained two new values
          "try-guest" and "try-host" that work like "guest" and
          "host", but do not fail if the host has no persistent
          journaling enabled. -j is now equivalent to
          --link-journal=try-guest.

        * macvlan network devices created by nspawn will now have
          stable MAC addresses.

        * A new SmackProcessLabel= unit setting has been added, which
          controls the SMACK security label processes forked off by
          the respective unit shall use.

        * If compiled with --enable-xkbcommon, systemd-localed will
          verify x11 keymap settings by compiling the given keymap. It
          will spew out warnings if the compilation fails. This
          requires libxkbcommon to be installed.

        * When a coredump is collected, a larger number of metadata
          fields is now collected and included in the journal records
          created for it. More specifically, control group membership,
          environment variables, memory maps, working directory,
          chroot directory, /proc/$PID/status, and a list of open file
          descriptors is now stored in the log entry.

        * The udev hwdb now contains DPI information for mice. For
          details see:

          http://who-t.blogspot.de/2014/12/building-a-dpi-database-for-mice.html

        * All systemd programs that read standalone configuration
          files in /etc now also support a corresponding series of
          .conf.d configuration directories in /etc/, /run/,
          /usr/local/lib/, /usr/lib/, and (if configured with
          --enable-split-usr) /lib/.  In particular, the following
          configuration files now have corresponding configuration
          directories: system.conf user.conf, logind.conf,
          journald.conf, sleep.conf, bootchart.conf, coredump.conf,
          resolved.conf, timesyncd.conf, journal-remote.conf, and
          journal-upload.conf.  Note that distributions should use the
          configuration directories in /usr/lib/; the directories in
          /etc/ are reserved for the system administrator.

        * systemd-rfkill will no longer take the rfkill device name
          into account when storing rfkill state on disk, as the name
          might be dynamically assigned and not stable. Instead, the
          ID_PATH udev variable combined with the rfkill type (wlan,
          bluetooth, …) is used.

        * A new service systemd-machine-id-commit.service has been
          added. When used on systems where /etc is read-only during
          boot, and /etc/machine-id is not initialized (but an empty
          file), this service will copy the temporary machine ID
          created as replacement into /etc after the system is fully
          booted up. This is useful for systems that are freshly
          installed with a non-initialized machine ID, but should get
          a fixed machine ID for subsequent boots.

        * networkd's .netdev files now provide a large set of
          configuration parameters for VXLAN devices. Similarly, the
          bridge port cost parameter is now configurable in .network
          files. There's also new support for configuring IP source
          routing. networkd .link files gained support for a new
          OriginalName= match that is useful to match against the
          original interface name the kernel assigned. .network files
          may include MTU= and MACAddress= fields for altering the MTU
          and MAC address while being connected to a specific network
          interface.

        * The LUKS logic gained supported for configuring
          UUID-specific key files. There's also new support for naming
          LUKS device from the kernel command line, using the new
          luks.name= argument.

        * Timer units may now be transiently created via the bus API
          (this was previously already available for scope and service
          units). In addition it is now possible to create multiple
          transient units at the same time with a single bus call. The
          "systemd-run" tool has been updated to make use of this for
          running commands on a specified time, in at(1)-style.

        * tmpfiles gained support for "t" lines, for assigning
          extended attributes to files. Among other uses this may be
          used to assign SMACK labels to files.

        Contributions from: Alin Rauta, Alison Chaiken, Andrej
        Manduch, Bastien Nocera, Chris Atkinson, Chris Leech, Chris
        Mayo, Colin Guthrie, Colin Walters, Cristian Rodríguez,
        Daniele Medri, Daniel Mack, Dan Williams, Dan Winship, Dave
        Reisner, David Herrmann, Didier Roche, Felipe Sateler, Gavin
        Li, Hans de Goede, Harald Hoyer, Iago López Galeiras, Ivan
        Shapovalov, Jakub Filak, Jan Janssen, Jan Synacek, Joe
        Lawrence, Josh Triplett, Kay Sievers, Lennart Poettering,
        Lukas Nykryn, Łukasz Stelmach, Maciej Wereski, Mantas
        Mikulėnas, Marcel Holtmann, Martin Pitt, Maurizio Lombardi,
        Michael Biebl, Michael Chapman, Michael Marineau, Michal
        Schmidt, Michal Sekletar, Olivier Brunel, Patrik Flykt, Peter
        Hutterer, Przemyslaw Kedzierski, Rami Rosen, Ray Strode,
        Richard Schütz, Richard W.M. Jones, Ronny Chevalier, Ross
        Lagerwall, Sean Young, Stanisław Pitucha, Susant Sahani,
        Thomas Haller, Thomas Hindoe Paaboel Andersen, Tom Gundersen,
        Torstein Husebø, Umut Tezduyar Lindskog, Vicente Olivert
        Riera, WaLyong Cho, Wesley Dawson, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2014-12-10

CHANGES WITH 217:

        * journalctl gained the new options -t/--identifier= to match
          on the syslog identifier (aka "tag"), as well as --utc to
          show log timestamps in the UTC timezone. journalctl now also
          accepts -n/--lines=all to disable line capping in a pager.

        * journalctl gained a new switch, --flush, that synchronously
          flushes logs from /run/log/journal to /var/log/journal if
          persistent storage is enabled. systemd-journal-flush.service
          now waits until the operation is complete.

        * Services can notify the manager before they start a reload
          (by sending RELOADING=1) or shutdown (by sending
          STOPPING=1). This allows the manager to track and show the
          internal state of daemons and closes a race condition when
          the process is still running but has closed its D-Bus
          connection.

        * Services with Type=oneshot do not have to have any ExecStart
          commands anymore.

        * User units are now loaded also from
          $XDG_RUNTIME_DIR/systemd/user/. This is similar to the
          /run/systemd/user directory that was already previously
          supported, but is under the control of the user.

        * Job timeouts (i.e. timeouts on the time a job that is
          queued stays in the run queue) can now optionally result in
          immediate reboot or power-off actions (JobTimeoutAction= and
          JobTimeoutRebootArgument=). This is useful on ".target"
          units, to limit the maximum time a target remains
          undispatched in the run queue, and to trigger an emergency
          operation in such a case. This is now used by default to
          turn off the system if boot-up (as defined by everything in
          basic.target) hangs and does not complete for at least
          15min. Also, if power-off or reboot hang for at least 30min
          an immediate power-off/reboot operation is triggered. This
          functionality is particularly useful to increase reliability
          on embedded devices, but also on laptops which might
          accidentally get powered on when carried in a backpack and
          whose boot stays stuck in a hard disk encryption passphrase
          question.

        * systemd-logind can be configured to also handle lid switch
          events even when the machine is docked or multiple displays
          are attached (HandleLidSwitchDocked= option).

        * A helper binary and a service have been added which can be
          used to resume from hibernation in the initramfs. A
          generator will parse the resume= option on the kernel
          command line to trigger resume.

        * A user console daemon systemd-consoled has been
          added. Currently, it is a preview, and will so far open a
          single terminal on each session of the user marked as
          Desktop=systemd-console.

        * Route metrics can be specified for DHCP routes added by
          systemd-networkd.

        * The SELinux context of socket-activated services can be set
          from the information provided by the networking stack
          (SELinuxContextFromNet= option).

        * Userspace firmware loading support has been removed and
          the minimum supported kernel version is thus bumped to 3.7.

        * Timeout for udev workers has been increased from 1 to 3
          minutes, but a warning will be printed after 1 minute to
          help diagnose kernel modules that take a long time to load.

        * Udev rules can now remove tags on devices with TAG-="foobar".

        * systemd's readahead implementation has been removed. In many
          circumstances it didn't give expected benefits even for
          rotational disk drives and was becoming less relevant in the
          age of SSDs. As none of the developers has been using
          rotating media anymore, and nobody stepped up to actively
          maintain this component of systemd it has now been removed.

        * Swap units can use Options= to specify discard options.
          Discard options specified for swaps in /etc/fstab are now
          respected.

        * Docker containers are now detected as a separate type of
          virtualization.

        * The Password Agent protocol gained support for queries where
          the user input is shown, useful e.g. for user names.
          systemd-ask-password gained a new --echo option to turn that
          on.

        * The default sysctl.d/ snippets will now set:

                net.core.default_qdisc = fq_codel

          This selects Fair Queuing Controlled Delay as the default
          queuing discipline for network interfaces. fq_codel helps
          fight the network bufferbloat problem. It is believed to be
          a good default with no tuning required for most workloads.
          Downstream distributions may override this choice. On 10Gbit
          servers that do not do forwarding, "fq" may perform better.
          Systems without a good clocksource should use "pfifo_fast".

        * If kdbus is enabled during build a new option BusPolicy= is
          available for service units, that allows locking all service
          processes into a stricter bus policy, in order to limit
          access to various bus services, or even hide most of them
          from the service's view entirely.

        * networkctl will now show the .network and .link file
          networkd has applied to a specific interface.

        * sd-login gained a new API call sd_session_get_desktop() to
          query which desktop environment has been selected for a
          session.

        * UNIX utmp support is now compile-time optional to support
          legacy-free systems.

        * systemctl gained two new commands "add-wants" and
          "add-requires" for pulling in units from specific targets
          easily.

        * If the word "rescue" is specified on the kernel command line
          the system will now boot into rescue mode (aka
          rescue.target), which was previously available only by
          specifying "1" or "systemd.unit=rescue.target" on the kernel
          command line. This new kernel command line option nicely
          mirrors the already existing "emergency" kernel command line
          option.

        * New kernel command line options mount.usr=, mount.usrflags=,
          mount.usrfstype= have been added that match root=, rootflags=,
          rootfstype= but allow mounting a specific file system to
          /usr.

        * The $NOTIFY_SOCKET is now also passed to control processes of
          services, not only the main process.

        * This version reenables support for fsck's -l switch. This
          means at least version v2.25 of util-linux is required for
          operation, otherwise dead-locks on device nodes may
          occur. Again: you need to update util-linux to at least
          v2.25 when updating systemd to v217.

        * The "multi-seat-x" tool has been removed from systemd, as
          its functionality has been integrated into X servers 1.16,
          and the tool is hence redundant. It is recommended to update
          display managers invoking this tool to simply invoke X
          directly from now on, again.

        * Support for the new ALLOW_INTERACTIVE_AUTHORIZATION D-Bus
          message flag has been added for all of systemd's polkit
          authenticated method calls has been added. In particular this
          now allows optional interactive authorization via polkit for
          many of PID1's privileged operations such as unit file
          enabling and disabling.

        * "udevadm hwdb --update" learnt a new switch "--usr" for
          placing the rebuilt hardware database in /usr instead of
          /etc. When used only hardware database entries stored in
          /usr will be used, and any user database entries in /etc are
          ignored. This functionality is useful for vendors to ship a
          pre-built database on systems where local configuration is
          unnecessary or unlikely.

        * Calendar time specifications in .timer units now also
          understand the strings "semi-annually", "quarterly" and
          "minutely" as shortcuts (in addition to the preexisting
          "annually", "hourly", …).

        * systemd-tmpfiles will now correctly create files in /dev
          at boot which are marked for creation only at boot. It is
          recommended to always create static device nodes with 'c!'
          and 'b!', so that they are created only at boot and not
          overwritten at runtime.

        * When the watchdog logic is used for a service (WatchdogSec=)
          and the watchdog timeout is hit the service will now be
          terminated with SIGABRT (instead of just SIGTERM), in order
          to make sure a proper coredump and backtrace is
          generated. This ensures that hanging services will result in
          similar coredump/backtrace behaviour as services that hit a
          segmentation fault.

        Contributions from: Andreas Henriksson, Andrei Borzenkov,
        Angus Gibson, Ansgar Burchardt, Ben Wolsieffer, Brandon L.
        Black, Christian Hesse, Cristian Rodríguez, Daniel Buch,
        Daniele Medri, Daniel Mack, Dan Williams, Dave Reisner, David
        Herrmann, David Sommerseth, David Strauss, Emil Renner
        Berthing, Eric Cook, Evangelos Foutras, Filipe Brandenburger,
        Gustavo Sverzut Barbieri, Hans de Goede, Harald Hoyer, Hristo
        Venev, Hugo Grostabussiat, Ivan Shapovalov, Jan Janssen, Jan
        Synacek, Jonathan Liu, Juho Son, Karel Zak, Kay Sievers, Klaus
        Purer, Koen Kooi, Lennart Poettering, Lukas Nykryn, Lukasz
        Skalski, Łukasz Stelmach, Mantas Mikulėnas, Marcel Holtmann,
        Marius Tessmann, Marko Myllynen, Martin Pitt, Michael Biebl,
        Michael Marineau, Michael Olbrich, Michael Scherer, Michal
        Schmidt, Michal Sekletar, Miroslav Lichvar, Patrik Flykt,
        Philippe De Swert, Piotr Drąg, Rahul Sundaram, Richard
        Weinberger, Robert Milasan, Ronny Chevalier, Ruben Kerkhof,
        Santiago Vila, Sergey Ptashnick, Simon McVittie, Sjoerd
        Simons, Stefan Brüns, Steven Allen, Steven Noonan, Susant
        Sahani, Sylvain Plantefève, Thomas Hindoe Paaboel Andersen,
        Timofey Titovets, Tobias Hunger, Tom Gundersen, Torstein
        Husebø, Umut Tezduyar Lindskog, WaLyong Cho, Zbigniew
        Jędrzejewski-Szmek

        — Berlin, 2014-10-28

CHANGES WITH 216:

        * timedated no longer reads NTP implementation unit names from
          /usr/lib/systemd/ntp-units.d/*.list. Alternative NTP
          implementations should add a

            Conflicts=systemd-timesyncd.service

          to their unit files to take over and replace systemd's NTP
          default functionality.

        * systemd-sysusers gained a new line type "r" for configuring
          which UID/GID ranges to allocate system users/groups
          from. Lines of type "u" may now add an additional column
          that specifies the home directory for the system user to be
          created. Also, systemd-sysusers may now optionally read user
          information from STDIN instead of a file. This is useful for
          invoking it from RPM preinst scriptlets that need to create
          users before the first RPM file is installed since these
          files might need to be owned by them. A new
          %sysusers_create_inline RPM macro has been introduced to do
          just that. systemd-sysusers now updates the shadow files as
          well as the user/group databases, which should enhance
          compatibility with certain tools like grpck.

        * A number of bus APIs of PID 1 now optionally consult polkit to
          permit access for otherwise unprivileged clients under certain
          conditions. Note that this currently doesn't support
          interactive authentication yet, but this is expected to be
          added eventually, too.

        * /etc/machine-info now has new fields for configuring the
          deployment environment of the machine, as well as the
          location of the machine. hostnamectl has been updated with
          new command to update these fields.

        * systemd-timesyncd has been updated to automatically acquire
          NTP server information from systemd-networkd, which might
          have been discovered via DHCP.

        * systemd-resolved now includes a caching DNS stub resolver
          and a complete LLMNR name resolution implementation. A new
          NSS module "nss-resolve" has been added which can be used
          instead of glibc's own "nss-dns" to resolve hostnames via
          systemd-resolved. Hostnames, addresses and arbitrary RRs may
          be resolved via systemd-resolved D-Bus APIs. In contrast to
          the glibc internal resolver systemd-resolved is aware of
          multi-homed system, and keeps DNS server and caches separate
          and per-interface. Queries are sent simultaneously on all
          interfaces that have DNS servers configured, in order to
          properly handle VPNs and local LANs which might resolve
          separate sets of domain names. systemd-resolved may acquire
          DNS server information from systemd-networkd automatically,
          which in turn might have discovered them via DHCP. A tool
          "systemd-resolve-host" has been added that may be used to
          query the DNS logic in resolved. systemd-resolved implements
          IDNA and automatically uses IDNA or UTF-8 encoding depending
          on whether classic DNS or LLMNR is used as transport. In the
          next releases we intend to add a DNSSEC and mDNS/DNS-SD
          implementation to systemd-resolved.

        * A new NSS module nss-mymachines has been added, that
          automatically resolves the names of all local registered
          containers to their respective IP addresses.

        * A new client tool "networkctl" for systemd-networkd has been
          added. It currently is entirely passive and will query
          networking configuration from udev, rtnetlink and networkd,
          and present it to the user in a very friendly
          way. Eventually, we hope to extend it to become a full
          control utility for networkd.

        * .socket units gained a new DeferAcceptSec= setting that
          controls the kernels' TCP_DEFER_ACCEPT sockopt for
          TCP. Similarly, support for controlling TCP keep-alive
          settings has been added (KeepAliveTimeSec=,
          KeepAliveIntervalSec=, KeepAliveProbes=). Also, support for
          turning off Nagle's algorithm on TCP has been added
          (NoDelay=).

        * logind learned a new session type "web", for use in projects
          like Cockpit which register web clients as PAM sessions.

        * timer units with at least one OnCalendar= setting will now
          be started only after time-sync.target has been
          reached. This way they will not elapse before the system
          clock has been corrected by a local NTP client or
          similar. This is particular useful on RTC-less embedded
          machines, that come up with an invalid system clock.

        * systemd-nspawn's --network-veth= switch should now result in
          stable MAC addresses for both the outer and the inner side
          of the link.

        * systemd-nspawn gained a new --volatile= switch for running
          container instances with /etc or /var unpopulated.

        * The kdbus client code has been updated to use the new Linux
          3.17 memfd subsystem instead of the old kdbus-specific one.

        * systemd-networkd's DHCP client and server now support
          FORCERENEW. There are also new configuration options to
          configure the vendor client identifier and broadcast mode
          for DHCP.

        * systemd will no longer inform the kernel about the current
          timezone, as this is necessarily incorrect and racy as the
          kernel has no understanding of DST and similar
          concepts. This hence means FAT timestamps will be always
          considered UTC, similar to what Android is already
          doing. Also, when the RTC is configured to the local time
          (rather than UTC) systemd will never synchronize back to it,
          as this might confuse Windows at a later boot.

        * systemd-analyze gained a new command "verify" for offline
          validation of unit files.

        * systemd-networkd gained support for a couple of additional
          settings for bonding networking setups. Also, the metric for
          statically configured routes may now be configured. For
          network interfaces where this is appropriate the peer IP
          address may now be configured.

        * systemd-networkd's DHCP client will no longer request
          broadcasting by default, as this tripped up some networks.
          For hardware where broadcast is required the feature should
          be switched back on using RequestBroadcast=yes.

        * systemd-networkd will now set up IPv4LL addresses (when
          enabled) even if DHCP is configured successfully.

        * udev will now default to respect network device names given
          by the kernel when the kernel indicates that these are
          predictable. This behavior can be tweaked by changing
          NamePolicy= in the relevant .link file.

        * A new library systemd-terminal has been added that
          implements full TTY stream parsing and rendering. This
          library is supposed to be used later on for implementing a
          full userspace VT subsystem, replacing the current kernel
          implementation.

        * A new tool systemd-journal-upload has been added to push
          journal data to a remote system running
          systemd-journal-remote.

        * journald will no longer forward all local data to another
          running syslog daemon. This change has been made because
          rsyslog (which appears to be the most commonly used syslog
          implementation these days) no longer makes use of this, and
          instead pulls the data out of the journal on its own. Since
          forwarding the messages to a non-existent syslog server is
          more expensive than we assumed we have now turned this
          off. If you run a syslog server that is not a recent rsyslog
          version, you have to turn this option on again
          (ForwardToSyslog= in journald.conf).

        * journald now optionally supports the LZ4 compressor for
          larger journal fields. This compressor should perform much
          better than XZ which was the previous default.

        * machinectl now shows the IP addresses of local containers,
          if it knows them, plus the interface name of the container.

        * A new tool "systemd-escape" has been added that makes it
          easy to escape strings to build unit names and similar.

        * sd_notify() messages may now include a new ERRNO= field
          which is parsed and collected by systemd and shown among the
          "systemctl status" output for a service.

        * A new component "systemd-firstboot" has been added that
          queries the most basic systemd information (timezone,
          hostname, root password) interactively on first
          boot. Alternatively it may also be used to provision these
          things offline on OS images installed into directories.

        * The default sysctl.d/ snippets will now set

                net.ipv4.conf.default.promote_secondaries=1

          This has the benefit of no flushing secondary IP addresses
          when primary addresses are removed.

        Contributions from: Ansgar Burchardt, Bastien Nocera, Colin
        Walters, Dan Dedrick, Daniel Buch, Daniel Korostil, Daniel
        Mack, Dan Williams, Dave Reisner, David Herrmann, Denis
        Kenzior, Eelco Dolstra, Eric Cook, Hannes Reinecke, Harald
        Hoyer, Hong Shick Pak, Hui Wang, Jean-André Santoni, Jóhann
        B. Guðmundsson, Jon Severinsson, Karel Zak, Kay Sievers, Kevin
        Wells, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas,
        Marc-Antoine Perennou, Martin Pitt, Michael Biebl, Michael
        Marineau, Michael Olbrich, Michal Schmidt, Michal Sekletar,
        Miguel Angel Ajo, Mike Gilbert, Olivier Brunel, Robert
        Schiele, Ronny Chevalier, Simon McVittie, Sjoerd Simons, Stef
        Walter, Steven Noonan, Susant Sahani, Tanu Kaskinen, Thomas
        Blume, Thomas Hindoe Paaboel Andersen, Timofey Titovets,
        Tobias Geerinckx-Rice, Tomasz Torcz, Tom Gundersen, Umut
        Tezduyar Lindskog, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2014-08-19

CHANGES WITH 215:

        * A new tool systemd-sysusers has been added. This tool
          creates system users and groups in /etc/passwd and
          /etc/group, based on static declarative system user/group
          definitions in /usr/lib/sysusers.d/. This is useful to
          enable factory resets and volatile systems that boot up with
          an empty /etc directory, and thus need system users and
          groups created during early boot. systemd now also ships
          with two default sysusers.d/ files for the most basic
          users and groups systemd and the core operating system
          require.

        * A new tmpfiles snippet has been added that rebuilds the
          essential files in /etc on boot, should they be missing.

        * A directive for ensuring automatic clean-up of
          /var/cache/man/ has been removed from the default
          configuration. This line should now be shipped by the man
          implementation. The necessary change has been made to the
          man-db implementation. Note that you need to update your man
          implementation to one that ships this line, otherwise no
          automatic clean-up of /var/cache/man will take place.

        * A new condition ConditionNeedsUpdate= has been added that
          may conditionalize services to only run when /etc or /var
          are "older" than the vendor operating system resources in
          /usr. This is useful for reconstructing or updating /etc
          after an offline update of /usr or a factory reset, on the
          next reboot. Services that want to run once after such an
          update or reset should use this condition and order
          themselves before the new systemd-update-done.service, which
          will mark the two directories as fully updated. A number of
          service files have been added making use of this, to rebuild
          the udev hardware database, the journald message catalog and
          dynamic loader cache (ldconfig). The systemd-sysusers tool
          described above also makes use of this now. With this in
          place it is now possible to start up a minimal operating
          system with /etc empty cleanly. For more information on the
          concepts involved see this recent blog story:

          http://0pointer.de/blog/projects/stateless.html

        * A new system group "input" has been introduced, and all
          input device nodes get this group assigned. This is useful
          for system-level software to get access to input devices. It
          complements what is already done for "audio" and "video".

        * systemd-networkd learnt minimal DHCPv4 server support in
          addition to the existing DHCPv4 client support. It also
          learnt DHCPv6 client and IPv6 Router Solicitation client
          support. The DHCPv4 client gained support for static routes
          passed in from the server. Note that the [DHCPv4] section
          known in older systemd-networkd versions has been renamed to
          [DHCP] and is now also used by the DHCPv6 client. Existing
          .network files using settings of this section should be
          updated, though compatibility is maintained. Optionally, the
          client hostname may now be sent to the DHCP server.

        * networkd gained support for vxlan virtual networks as well
          as tun/tap and dummy devices.

        * networkd gained support for automatic allocation of address
          ranges for interfaces from a system-wide pool of
          addresses. This is useful for dynamically managing a large
          number of interfaces with a single network configuration
          file. In particular this is useful to easily assign
          appropriate IP addresses to the veth links of a large number
          of nspawn instances.

        * RPM macros for processing sysusers, sysctl and binfmt
          drop-in snippets at package installation time have been
          added.

        * The /etc/os-release file should now be placed in
          /usr/lib/os-release. The old location is automatically
          created as symlink. /usr/lib is the more appropriate
          location of this file, since it shall actually describe the
          vendor operating system shipped in /usr, and not the
          configuration stored in /etc.

        * .mount units gained a new boolean SloppyOptions= setting
          that maps to mount(8)'s -s option which enables permissive
          parsing of unknown mount options.

        * tmpfiles learnt a new "L+" directive which creates a symlink
          but (unlike "L") deletes a pre-existing file first, should
          it already exist and not already be the correct
          symlink. Similarly, "b+", "c+" and "p+" directives have been
          added as well, which create block and character devices, as
          well as fifos in the filesystem, possibly removing any
          pre-existing files of different types.

        * For tmpfiles' "L", "L+", "C" and "C+" directives the final
          'argument' field (which so far specified the source to
          symlink/copy the files from) is now optional. If omitted the
          same file os copied from /usr/share/factory/ suffixed by the
          full destination path. This is useful for populating /etc
          with essential files, by copying them from vendor defaults
          shipped in /usr/share/factory/etc.

        * A new command "systemctl preset-all" has been added that
          applies the service preset settings to all installed unit
          files. A new switch --preset-mode= has been added that
          controls whether only enable or only disable operations
          shall be executed.

        * A new command "systemctl is-system-running" has been added
          that allows checking the overall state of the system, for
          example whether it is fully up and running.

        * When the system boots up with an empty /etc, the equivalent
          to "systemctl preset-all" is executed during early boot, to
          make sure all default services are enabled after a factory
          reset.

        * systemd now contains a minimal preset file that enables the
          most basic services systemd ships by default.

        * Unit files' [Install] section gained a new DefaultInstance=
          field for defining the default instance to create if a
          template unit is enabled with no instance specified.

        * A new passive target cryptsetup-pre.target has been added
          that may be used by services that need to make they run and
          finish before the first LUKS cryptographic device is set up.

        * The /dev/loop-control and /dev/btrfs-control device nodes
          are now owned by the "disk" group by default, opening up
          access to this group.

        * systemd-coredump will now automatically generate a
          stack trace of all core dumps taking place on the system,
          based on elfutils' libdw library. This stack trace is logged
          to the journal.

        * systemd-coredump may now optionally store coredumps directly
          on disk (in /var/lib/systemd/coredump, possibly compressed),
          instead of storing them unconditionally in the journal. This
          mode is the new default. A new configuration file
          /etc/systemd/coredump.conf has been added to configure this
          and other parameters of systemd-coredump.

        * coredumpctl gained a new "info" verb to show details about a
          specific coredump. A new switch "-1" has also been added
          that makes sure to only show information about the most
          recent entry instead of all entries. Also, as the tool is
          generally useful now the "systemd-" prefix of the binary
          name has been removed. Distributions that want to maintain
          compatibility with the old name should add a symlink from
          the old name to the new name.

        * journald's SplitMode= now defaults to "uid". This makes sure
          that unprivileged users can access their own coredumps with
          coredumpctl without restrictions.

        * New kernel command line options "systemd.wants=" (for
          pulling an additional unit during boot), "systemd.mask="
          (for masking a specific unit for the boot), and
          "systemd.debug-shell" (for enabling the debug shell on tty9)
          have been added. This is implemented in the new generator
          "systemd-debug-generator".

        * systemd-nspawn will now by default filter a couple of
          syscalls for containers, among them those required for
          kernel module loading, direct x86 IO port access, swap
          management, and kexec. Most importantly though
          open_by_handle_at() is now prohibited for containers,
          closing a hole similar to a recently discussed vulnerability
          in docker regarding access to files on file hierarchies the
          container should normally not have access to. Note that, for
          nspawn, we generally make no security claims anyway (and
          this is explicitly documented in the man page), so this is
          just a fix for one of the most obvious problems.

        * A new man page file-hierarchy(7) has been added that
          contains a minimized, modernized version of the file system
          layout systemd expects, similar in style to the FHS
          specification or hier(5). A new tool systemd-path(1) has
          been added to query many of these paths for the local
          machine and user.

        * Automatic time-based clean-up of $XDG_RUNTIME_DIR is no
          longer done. Since the directory now has a per-user size
          limit, and is cleaned on logout this appears unnecessary,
          in particular since this now brings the lifecycle of this
          directory closer in line with how IPC objects are handled.

        * systemd.pc now exports a number of additional directories,
          including $libdir (which is useful to identify the library
          path for the primary architecture of the system), and a
          couple of drop-in directories.

        * udev's predictable network interface names now use the dev_port
          sysfs attribute, introduced in linux 3.15 instead of dev_id to
          distinguish between ports of the same PCI function. dev_id should
          only be used for ports using the same HW address, hence the need
          for dev_port.

        * machined has been updated to export the OS version of a
          container (read from /etc/os-release and
          /usr/lib/os-release) on the bus. This is now shown in
          "machinectl status" for a machine.

        * A new service setting RestartForceExitStatus= has been
          added. If configured to a set of exit signals or process
          return values, the service will be restarted when the main
          daemon process exits with any of them, regardless of the
          Restart= setting.

        * systemctl's -H switch for connecting to remote systemd
          machines has been extended so that it may be used to
          directly connect to a specific container on the
          host. "systemctl -H root@foobar:waldi" will now connect as
          user "root" to host "foobar", and then proceed directly to
          the container named "waldi". Note that currently you have to
          authenticate as user "root" for this to work, as entering
          containers is a privileged operation.

        Contributions from: Andreas Henriksson, Benjamin Steinwender,
        Carl Schaefer, Christian Hesse, Colin Ian King, Cristian
        Rodríguez, Daniel Mack, Dave Reisner, David Herrmann, Eugene
        Yakubovich, Filipe Brandenburger, Frederic Crozat, Hristo
        Venev, Jan Engelhardt, Jonathan Boulle, Kay Sievers, Lennart
        Poettering, Luke Shumaker, Mantas Mikulėnas, Marc-Antoine
        Perennou, Marcel Holtmann, Michael Marineau, Michael Olbrich,
        Michał Bartoszkiewicz, Michal Sekletar, Patrik Flykt, Ronan Le
        Martret, Ronny Chevalier, Ruediger Oertel, Steven Noonan,
        Susant Sahani, Thadeu Lima de Souza Cascardo, Thomas Hindoe
        Paaboel Andersen, Tom Gundersen, Tom Hirst, Umut Tezduyar
        Lindskog, Uoti Urpala, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2014-07-03

CHANGES WITH 214:

        * As an experimental feature, udev now tries to lock the
          disk device node (flock(LOCK_SH|LOCK_NB)) while it
          executes events for the disk or any of its partitions.
          Applications like partitioning programs can lock the
          disk device node (flock(LOCK_EX)) and claim temporary
          device ownership that way; udev will entirely skip all event
          handling for this disk and its partitions. If the disk
          was opened for writing, the close will trigger a partition
          table rescan in udev's "watch" facility, and if needed
          synthesize "change" events for the disk and all its partitions.
          This is now unconditionally enabled, and if it turns out to
          cause major problems, we might turn it on only for specific
          devices, or might need to disable it entirely. Device Mapper
          devices are excluded from this logic.

        * We temporarily dropped the "-l" switch for fsck invocations,
          since they collide with the flock() logic above. util-linux
          upstream has been changed already to avoid this conflict,
          and we will re-add "-l" as soon as util-linux with this
          change has been released.

        * The dependency on libattr has been removed. Since a long
          time, the extended attribute calls have moved to glibc, and
          libattr is thus unnecessary.

        * Virtualization detection works without privileges now. This
          means the systemd-detect-virt binary no longer requires
          CAP_SYS_PTRACE file capabilities, and our daemons can run
          with fewer privileges.

        * systemd-networkd now runs under its own "systemd-network"
          user. It retains the CAP_NET_ADMIN, CAP_NET_BIND_SERVICE,
          CAP_NET_BROADCAST, CAP_NET_RAW capabilities though, but
          loses the ability to write to files owned by root this way.

        * Similarly, systemd-resolved now runs under its own
          "systemd-resolve" user with no capabilities remaining.

        * Similarly, systemd-bus-proxyd now runs under its own
          "systemd-bus-proxy" user with only CAP_IPC_OWNER remaining.

        * systemd-networkd gained support for setting up "veth"
          virtual Ethernet devices for container connectivity, as well
          as GRE and VTI tunnels.

        * systemd-networkd will no longer automatically attempt to
          manually load kernel modules necessary for certain tunnel
          transports. Instead, it is assumed the kernel loads them
          automatically when required. This only works correctly on
          very new kernels. On older kernels, please consider adding
          the kernel modules to /etc/modules-load.d/ as a work-around.

        * The resolv.conf file systemd-resolved generates has been
          moved to /run/systemd/resolve/. If you have a symlink from
          /etc/resolv.conf, it might be necessary to correct it.

        * Two new service settings, ProtectHome= and ProtectSystem=,
          have been added. When enabled, they will make the user data
          (such as /home) inaccessible or read-only and the system
          (such as /usr) read-only, for specific services. This allows
          very light-weight per-service sandboxing to avoid
          modifications of user data or system files from
          services. These two new switches have been enabled for all
          of systemd's long-running services, where appropriate.

        * Socket units gained new SocketUser= and SocketGroup=
          settings to set the owner user and group of AF_UNIX sockets
          and FIFOs in the file system.

        * Socket units gained a new RemoveOnStop= setting. If enabled,
          all FIFOS and sockets in the file system will be removed
          when the specific socket unit is stopped.

        * Socket units gained a new Symlinks= setting. It takes a list
          of symlinks to create to file system sockets or FIFOs
          created by the specific Unix sockets. This is useful to
          manage symlinks to socket nodes with the same lifecycle as
          the socket itself.

        * The /dev/log socket and /dev/initctl FIFO have been moved to
          /run, and have been replaced by symlinks. This allows
          connecting to these facilities even if PrivateDevices=yes is
          used for a service (which makes /dev/log itself unavailable,
          but /run is left). This also has the benefit of ensuring
          that /dev only contains device nodes, directories and
          symlinks, and nothing else.

        * sd-daemon gained two new calls sd_pid_notify() and
          sd_pid_notifyf(). They are similar to sd_notify() and
          sd_notifyf(), but allow overriding of the source PID of
          notification messages if permissions permit this. This is
          useful to send notify messages on behalf of a different
          process (for example, the parent process). The
          systemd-notify tool has been updated to make use of this
          when sending messages (so that notification messages now
          originate from the shell script invoking systemd-notify and
          not the systemd-notify process itself. This should minimize
          a race where systemd fails to associate notification
          messages to services when the originating process already
          vanished.

        * A new "on-abnormal" setting for Restart= has been added. If
          set, it will result in automatic restarts on all "abnormal"
          reasons for a process to exit, which includes unclean
          signals, core dumps, timeouts and watchdog timeouts, but
          does not include clean and unclean exit codes or clean
          signals. Restart=on-abnormal is an alternative for
          Restart=on-failure for services that shall be able to
          terminate and avoid restarts on certain errors, by
          indicating so with an unclean exit code. Restart=on-failure
          or Restart=on-abnormal is now the recommended setting for
          all long-running services.

        * If the InaccessibleDirectories= service setting points to a
          mount point (or if there are any submounts contained within
          it), it is now attempted to completely unmount it, to make
          the file systems truly unavailable for the respective
          service.

        * The ReadOnlyDirectories= service setting and
          systemd-nspawn's --read-only parameter are now recursively
          applied to all submounts, too.

        * Mount units may now be created transiently via the bus APIs.

        * The support for SysV and LSB init scripts has been removed
          from the systemd daemon itself. Instead, it is now
          implemented as a generator that creates native systemd units
          from these scripts when needed. This enables us to remove a
          substantial amount of legacy code from PID 1, following the
          fact that many distributions only ship a very small number
          of LSB/SysV init scripts nowadays.

        * Privileged Xen (dom0) domains are not considered
          virtualization anymore by the virtualization detection
          logic. After all, they generally have unrestricted access to
          the hardware and usually are used to manage the unprivileged
          (domU) domains.

        * systemd-tmpfiles gained a new "C" line type, for copying
          files or entire directories.

        * systemd-tmpfiles "m" lines are now fully equivalent to "z"
          lines. So far, they have been non-globbing versions of the
          latter, and have thus been redundant. In future, it is
          recommended to only use "z". "m" has hence been removed
          from the documentation, even though it stays supported.

        * A tmpfiles snippet to recreate the most basic structure in
          /var has been added. This is enough to create the /var/run →
          /run symlink and create a couple of structural
          directories. This allows systems to boot up with an empty or
          volatile /var. Of course, while with this change, the core OS
          now is capable with dealing with a volatile /var, not all
          user services are ready for it. However, we hope that sooner
          or later, many service daemons will be changed upstream so
          that they are able to automatically create their necessary
          directories in /var at boot, should they be missing. This is
          the first step to allow state-less systems that only require
          the vendor image for /usr to boot.

        * systemd-nspawn has gained a new --tmpfs= switch to mount an
          empty tmpfs instance to a specific directory. This is
          particularly useful for making use of the automatic
          reconstruction of /var (see above), by passing --tmpfs=/var.

        * Access modes specified in tmpfiles snippets may now be
          prefixed with "~", which indicates that they shall be masked
          by whether the existing file or directory is currently
          writable, readable or executable at all. Also, if specified,
          the sgid/suid/sticky bits will be masked for all
          non-directories.

        * A new passive target unit "network-pre.target" has been
          added which is useful for services that shall run before any
          network is configured, for example firewall scripts.

        * The "floppy" group that previously owned the /dev/fd*
          devices is no longer used. The "disk" group is now used
          instead. Distributions should probably deprecate usage of
          this group.

        Contributions from: Camilo Aguilar, Christian Hesse, Colin Ian
        King, Cristian Rodríguez, Daniel Buch, Dave Reisner, David
        Strauss, Denis Tikhomirov, John, Jonathan Liu, Kay Sievers,
        Lennart Poettering, Mantas Mikulėnas, Mark Eichin, Ronny
        Chevalier, Susant Sahani, Thomas Blume, Thomas Hindoe Paaboel
        Andersen, Tom Gundersen, Umut Tezduyar Lindskog, Zbigniew
        Jędrzejewski-Szmek

        — Berlin, 2014-06-11

CHANGES WITH 213:

        * A new "systemd-timesyncd" daemon has been added for
          synchronizing the system clock across the network. It
          implements an SNTP client. In contrast to NTP
          implementations such as chrony or the NTP reference server,
          this only implements a client side, and does not bother with
          the full NTP complexity, focusing only on querying time from
          one remote server and synchronizing the local clock to
          it. Unless you intend to serve NTP to networked clients or
          want to connect to local hardware clocks, this simple NTP
          client should be more than appropriate for most
          installations. The daemon runs with minimal privileges, and
          has been hooked up with networkd to only operate when
          network connectivity is available. The daemon saves the
          current clock to disk every time a new NTP sync has been
          acquired, and uses this to possibly correct the system clock
          early at bootup, in order to accommodate for systems that
          lack an RTC such as the Raspberry Pi and embedded devices,
          and to make sure that time monotonically progresses on these
          systems, even if it is not always correct. To make use of
          this daemon, a new system user and group "systemd-timesync"
          needs to be created on installation of systemd.

        * The queue "seqnum" interface of libudev has been disabled, as
          it was generally incompatible with device namespacing as
          sequence numbers of devices go "missing" if the devices are
          part of a different namespace.

        * "systemctl list-timers" and "systemctl list-sockets" gained
          a --recursive switch for showing units of these types also
          for all local containers, similar in style to the already
          supported --recursive switch for "systemctl list-units".

        * A new RebootArgument= setting has been added for service
          units, which may be used to specify a kernel reboot argument
          to use when triggering reboots with StartLimitAction=.

        * A new FailureAction= setting has been added for service
          units which may be used to specify an operation to trigger
          when a service fails. This works similarly to
          StartLimitAction=, but unlike it, controls what is done
          immediately rather than only after several attempts to
          restart the service in question.

        * hostnamed got updated to also expose the kernel name,
          release, and version on the bus. This is useful for
          executing commands like hostnamectl with the -H switch.
          systemd-analyze makes use of this to properly display
          details when running non-locally.

        * The bootchart tool can now show cgroup information in the
          graphs it generates.

        * The CFS CPU quota cgroup attribute is now exposed for
          services. The new CPUQuota= switch has been added for this
          which takes a percentage value. Setting this will have the
          result that a service may never get more CPU time than the
          specified percentage, even if the machine is otherwise idle.

        * systemd-networkd learned IPIP and SIT tunnel support.

        * LSB init scripts exposing a dependency on $network will now
          get a dependency on network-online.target rather than simply
          network.target. This should bring LSB handling closer to
          what it was on SysV systems.

        * A new fsck.repair= kernel option has been added to control
          how fsck shall deal with unclean file systems at boot.

        * The (.ini) configuration file parser will now silently ignore
          sections whose names begin with "X-". This may be used to maintain
          application-specific extension sections in unit files.

        * machined gained a new API to query the IP addresses of
          registered containers. "machinectl status" has been updated
          to show these addresses in its output.

        * A new call sd_uid_get_display() has been added to the
          sd-login APIs for querying the "primary" session of a
          user. The "primary" session of the user is elected from the
          user's sessions and generally a graphical session is
          preferred over a text one.

        * A minimal systemd-resolved daemon has been added. It
          currently simply acts as a companion to systemd-networkd and
          manages resolv.conf based on per-interface DNS
          configuration, possibly supplied via DHCP. In the long run
          we hope to extend this into a local DNSSEC enabled DNS and
          mDNS cache.

        * The systemd-networkd-wait-online tool is now enabled by
          default. It will delay network-online.target until a network
          connection has been configured. The tool primarily integrates
          with networkd, but will also make a best effort to make sense
          of network configuration performed in some other way.

        * Two new service options StartupCPUShares= and
          StartupBlockIOWeight= have been added that work similarly to
          CPUShares= and BlockIOWeight= however only apply during
          system startup. This is useful to prioritize certain services
          differently during bootup than during normal runtime.

        * hostnamed has been changed to prefer the statically
          configured hostname in /etc/hostname (unless set to
          'localhost' or empty) over any dynamic one supplied by
          dhcp. With this change, the rules for picking the hostname
          match more closely the rules of other configuration settings
          where the local administrator's configuration in /etc always
          overrides any other settings.

        Contributions from: Ali H. Caliskan, Alison Chaiken, Bas van
        den Berg, Brandon Philips, Cristian Rodríguez, Daniel Buch,
        Dan Kilman, Dave Reisner, David Härdeman, David Herrmann,
        David Strauss, Dimitris Spingos, Djalal Harouni, Eelco
        Dolstra, Evan Nemerson, Florian Albrechtskirchinger, Greg
        Kroah-Hartman, Harald Hoyer, Holger Hans Peter Freyther, Jan
        Engelhardt, Jani Nikula, Jason St. John, Jeffrey Clark,
        Jonathan Boulle, Kay Sievers, Lennart Poettering, Lukas
        Nykryn, Lukasz Skalski, Łukasz Stelmach, Mantas Mikulėnas,
        Marcel Holtmann, Martin Pitt, Matthew Monaco, Michael
        Marineau, Michael Olbrich, Michal Sekletar, Mike Gilbert, Nis
        Martensen, Patrik Flykt, Philip Lorenz, poma, Ray Strode,
        Reyad Attiyat, Robert Milasan, Scott Thrasher, Stef Walter,
        Steven Siloti, Susant Sahani, Tanu Kaskinen, Thomas Bächler,
        Thomas Hindoe Paaboel Andersen, Tom Gundersen, Umut Tezduyar
        Lindskog, WaLyong Cho, Will Woods, Zbigniew
        Jędrzejewski-Szmek

        — Beijing, 2014-05-28

CHANGES WITH 212:

        * When restoring the screen brightness at boot, stay away from
          the darkest setting or from the lowest 5% of the available
          range, depending on which is the larger value of both. This
          should effectively protect the user from rebooting into a
          black screen, should the brightness have been set to minimum
          by accident.

        * sd-login gained a new sd_machine_get_class() call to
          determine the class ("vm" or "container") of a machine
          registered with machined.

        * sd-login gained new calls
          sd_peer_get_{session,owner_uid,unit,user_unit,slice,machine_name}(),
          to query the identity of the peer of a local AF_UNIX
          connection. They operate similarly to their sd_pid_get_xyz()
          counterparts.

        * PID 1 will now maintain a system-wide system state engine
          with the states "starting", "running", "degraded",
          "maintenance", "stopping". These states are bound to system
          startup, normal runtime, runtime with at least one failed
          service, rescue/emergency mode and system shutdown. This
          state is shown in the "systemctl status" output when no unit
          name is passed. It is useful to determine system state, in
          particularly when doing so for many systems or containers at
          once.

        * A new command "list-machines" has been added to "systemctl"
          that lists all local OS containers and shows their system
          state (see above), if systemd runs inside of them.

        * systemctl gained a new "-r" switch to recursively enumerate
          units on all local containers, when used with the
          "list-unit" command (which is the default one that is
          executed when no parameters are specified).

        * The GPT automatic partition discovery logic will now honour
          two GPT partition flags: one may be set on a partition to
          cause it to be mounted read-only, and the other may be set
          on a partition to ignore it during automatic discovery.

        * Two new GPT type UUIDs have been added for automatic root
          partition discovery, for 32-bit and 64-bit ARM. This is not
          particularly useful for discovering the root directory on
          these architectures during bare-metal boots (since UEFI is
          not common there), but still very useful to allow booting of
          ARM disk images in nspawn with the -i option.

        * MAC addresses of interfaces created with nspawn's
          --network-interface= switch will now be generated from the
          machine name, and thus be stable between multiple invocations
          of the container.

        * logind will now automatically remove all IPC objects owned
          by a user if she or he fully logs out. This makes sure that
          users who are logged out cannot continue to consume IPC
          resources. This covers SysV memory, semaphores and message
          queues as well as POSIX shared memory and message
          queues. Traditionally, SysV and POSIX IPC had no lifecycle
          limits. With this functionality, that is corrected. This may
          be turned off by using the RemoveIPC= switch of logind.conf.

        * The systemd-machine-id-setup and tmpfiles tools gained a
          --root= switch to operate on a specific root directory,
          instead of /.

        * journald can now forward logged messages to the TTYs of all
          logged in users ("wall"). This is the default for all
          emergency messages now.

        * A new tool systemd-journal-remote has been added to stream
          journal log messages across the network.

        * /sys/fs/cgroup/ is now mounted read-only after all cgroup
          controller trees are mounted into it. Note that the
          directories mounted beneath it are not read-only. This is a
          security measure and is particularly useful because glibc
          actually includes a search logic to pick any tmpfs it can
          find to implement shm_open() if /dev/shm is not available
          (which it might very well be in namespaced setups).

        * machinectl gained a new "poweroff" command to cleanly power
          down a local OS container.

        * The PrivateDevices= unit file setting will now also drop the
          CAP_MKNOD capability from the capability bound set, and
          imply DevicePolicy=closed.

        * PrivateDevices=, PrivateNetwork= and PrivateTmp= is now used
          comprehensively on all long-running systemd services where
          this is appropriate.

        * systemd-udevd will now run in a disassociated mount
          namespace. To mount directories from udev rules, make sure to
          pull in mount units via SYSTEMD_WANTS properties.

        * The kdbus support gained support for uploading policy into
          the kernel. sd-bus gained support for creating "monitoring"
          connections that can eavesdrop into all bus communication
          for debugging purposes.

        * Timestamps may now be specified in seconds since the UNIX
          epoch Jan 1st, 1970 by specifying "@" followed by the value
          in seconds.

        * Native tcpwrap support in systemd has been removed. tcpwrap
          is old code, not really maintained anymore and has serious
          shortcomings, and better options such as firewalls
          exist. For setups that require tcpwrap usage, please
          consider invoking your socket-activated service via tcpd,
          like on traditional inetd.

        * A new system.conf configuration option
          DefaultTimerAccuracySec= has been added that controls the
          default AccuracySec= setting of .timer units.

        * Timer units gained a new WakeSystem= switch. If enabled,
          timers configured this way will cause the system to resume
          from system suspend (if the system supports that, which most
          do these days).

        * Timer units gained a new Persistent= switch. If enabled,
          timers configured this way will save to disk when they have
          been last triggered. This information is then used on next
          reboot to possible execute overdue timer events, that
          could not take place because the system was powered off.
          This enables simple anacron-like behaviour for timer units.

        * systemctl's "list-timers" will now also list the time a
          timer unit was last triggered in addition to the next time
          it will be triggered.

        * systemd-networkd will now assign predictable IPv4LL
          addresses to its local interfaces.

        Contributions from: Brandon Philips, Daniel Buch, Daniel Mack,
        Dave Reisner, David Herrmann, Gerd Hoffmann, Greg
        Kroah-Hartman, Hendrik Brueckner, Jason St. John, Josh
        Triplett, Kay Sievers, Lennart Poettering, Marc-Antoine
        Perennou, Michael Marineau, Michael Olbrich, Miklos Vajna,
        Patrik Flykt, poma, Sebastian Thorarensen, Thomas Bächler,
        Thomas Hindoe Paaboel Andersen, Tomasz Torcz, Tom Gundersen,
        Umut Tezduyar Lindskog, Wieland Hoffmann, Zbigniew
        Jędrzejewski-Szmek

        — Berlin, 2014-03-25

CHANGES WITH 211:

        * A new unit file setting RestrictAddressFamilies= has been
          added to restrict which socket address families unit
          processes gain access to. This takes address family names
          like "AF_INET" or "AF_UNIX", and is useful to minimize the
          attack surface of services via exotic protocol stacks. This
          is built on seccomp system call filters.

        * Two new unit file settings RuntimeDirectory= and
          RuntimeDirectoryMode= have been added that may be used to
          manage a per-daemon runtime directories below /run. This is
          an alternative for setting up directory permissions with
          tmpfiles snippets, and has the advantage that the runtime
          directory's lifetime is bound to the daemon runtime and that
          the daemon starts up with an empty directory each time. This
          is particularly useful when writing services that drop
          privileges using the User= or Group= setting.

        * The DeviceAllow= unit setting now supports globbing for
          matching against device group names.

        * The systemd configuration file system.conf gained new
          settings DefaultCPUAccounting=, DefaultBlockIOAccounting=,
          DefaultMemoryAccounting= to globally turn on/off accounting
          for specific resources (cgroups) for all units. These
          settings may still be overridden individually in each unit
          though.

        * systemd-gpt-auto-generator is now able to discover /srv and
          root partitions in addition to /home and swap partitions. It
          also supports LUKS-encrypted partitions now. With this in
          place, automatic discovery of partitions to mount following
          the Discoverable Partitions Specification
          (https://systemd.io/DISCOVERABLE_PARTITIONS/)
          is now a lot more complete. This allows booting without
          /etc/fstab and without root= on the kernel command line on
          systems prepared appropriately.

        * systemd-nspawn gained a new --image= switch which allows
          booting up disk images and Linux installations on any block
          device that follow the Discoverable Partitions Specification
          (see above). This means that installations made with
          appropriately updated installers may now be started and
          deployed using container managers, completely
          unmodified. (We hope that libvirt-lxc will add support for
          this feature soon, too.)

        * systemd-nspawn gained a new --network-macvlan= setting to
          set up a private macvlan interface for the
          container. Similarly, systemd-networkd gained a new
          Kind=macvlan setting in .netdev files.

        * systemd-networkd now supports configuring local addresses
          using IPv4LL.

        * A new tool systemd-network-wait-online has been added to
          synchronously wait for network connectivity using
          systemd-networkd.

        * The sd-bus.h bus API gained a new sd_bus_track object for
          tracking the lifecycle of bus peers. Note that sd-bus.h is
          still not a public API though (unless you specify
          --enable-kdbus on the configure command line, which however
          voids your warranty and you get no API stability guarantee).

        * The $XDG_RUNTIME_DIR runtime directories for each user are
          now individual tmpfs instances, which has the benefit of
          introducing separate pools for each user, with individual
          size limits, and thus making sure that unprivileged clients
          can no longer negatively impact the system or other users by
          filling up their $XDG_RUNTIME_DIR. A new logind.conf setting
          RuntimeDirectorySize= has been introduced that allows
          controlling the default size limit for all users. It
          defaults to 10% of the available physical memory. This is no
          replacement for quotas on tmpfs though (which the kernel
          still does not support), as /dev/shm and /tmp are still
          shared resources used by both the system and unprivileged
          users.

        * logind will now automatically turn off automatic suspending
          on laptop lid close when more than one display is
          connected. This was previously expected to be implemented
          individually in desktop environments (such as GNOME),
          however has been added to logind now, in order to fix a
          boot-time race where a desktop environment might not have
          been started yet and thus not been able to take an inhibitor
          lock at the time where logind already suspends the system
          due to a closed lid.

        * logind will now wait at least 30s after each system
          suspend/resume cycle, and 3min after system boot before
          suspending the system due to a closed laptop lid. This
          should give USB docking stations and similar enough time to
          be probed and configured after system resume and boot in
          order to then act as suspend blocker.

        * systemd-run gained a new --property= setting which allows
          initialization of resource control properties (and others)
          for the created scope or service unit. Example: "systemd-run
          --property=BlockIOWeight=10 updatedb" may be used to run
          updatedb at a low block IO scheduling weight.

        * systemd-run's --uid=, --gid=, --setenv=, --setenv= switches
          now also work in --scope mode.

        * When systemd is compiled with kdbus support, basic support
          for enforced policies is now in place. (Note that enabling
          kdbus still voids your warranty and no API compatibility
          promises are made.)

        Contributions from: Andrey Borzenkov, Ansgar Burchardt, Armin
        K., Daniel Mack, Dave Reisner, David Herrmann, Djalal Harouni,
        Harald Hoyer, Henrik Grindal Bakken, Jasper St. Pierre, Kay
        Sievers, Kieran Clancy, Lennart Poettering, Lukas Nykryn,
        Mantas Mikulėnas, Marcel Holtmann, Mark Oteiza, Martin Pitt,
        Mike Gilbert, Peter Rajnoha, poma, Samuli Suominen, Stef
        Walter, Susant Sahani, Tero Roponen, Thomas Andersen, Thomas
        Bächler, Thomas Hindoe Paaboel Andersen, Tomasz Torcz, Tom
        Gundersen, Umut Tezduyar Lindskog, Uoti Urpala, Zachary Cook,
        Zbigniew Jędrzejewski-Szmek

        — Berlin, 2014-03-12

CHANGES WITH 210:

        * systemd will now relabel /dev after loading the SMACK policy
          according to SMACK rules.

        * A new unit file option AppArmorProfile= has been added to
          set the AppArmor profile for the processes of a unit.

        * A new condition check ConditionArchitecture= has been added
          to conditionalize units based on the system architecture, as
          reported by uname()'s "machine" field.

        * systemd-networkd now supports matching on the system
          virtualization, architecture, kernel command line, hostname
          and machine ID.

        * logind is now a lot more aggressive when suspending the
          machine due to a closed laptop lid. Instead of acting only
          on the lid close action, it will continuously watch the lid
          status and act on it. This is useful for laptops where the
          power button is on the outside of the chassis so that it can
          be reached without opening the lid (such as the Lenovo
          Yoga). On those machines, logind will now immediately
          re-suspend the machine if the power button has been
          accidentally pressed while the laptop was suspended and in a
          backpack or similar.

        * logind will now watch SW_DOCK switches and inhibit reaction
          to the lid switch if it is pressed. This means that logind
          will not suspend the machine anymore if the lid is closed
          and the system is docked, if the laptop supports SW_DOCK
          notifications via the input layer. Note that ACPI docking
          stations do not generate this currently. Also note that this
          logic is usually not fully sufficient and Desktop
          Environments should take a lid switch inhibitor lock when an
          external display is connected, as systemd will not watch
          this on its own.

        * nspawn will now make use of the devices cgroup controller by
          default, and only permit creation of and access to the usual
          API device nodes like /dev/null or /dev/random, as well as
          access to (but not creation of) the pty devices.

        * We will now ship a default .network file for
          systemd-networkd that automatically configures DHCP for
          network interfaces created by nspawn's --network-veth or
          --network-bridge= switches.

        * systemd will now understand the usual M, K, G, T suffixes
          according to SI conventions (i.e. to the base 1000) when
          referring to throughput and hardware metrics. It will stay
          with IEC conventions (i.e. to the base 1024) for software
          metrics, according to what is customary according to
          Wikipedia. We explicitly document which base applies for
          each configuration option.

        * The DeviceAllow= setting in unit files now supports a syntax to
          allow-list an entire group of devices node majors at once, based on
          the /proc/devices listing. For example, with the string "char-pts",
          it is now possible to allow-list all current and future pseudo-TTYs
          at once.

        * sd-event learned a new "post" event source. Event sources of
          this type are triggered by the dispatching of any event
          source of a type that is not "post". This is useful for
          implementing clean-up and check event sources that are
          triggered by other work being done in the program.

        * systemd-networkd is no longer statically enabled, but uses
          the usual [Install] sections so that it can be
          enabled/disabled using systemctl. It still is enabled by
          default however.

        * When creating a veth interface pair with systemd-nspawn, the
          host side will now be prefixed with "vb-" if
          --network-bridge= is used, and with "ve-" if --network-veth
          is used. This way, it is easy to distinguish these cases on
          the host, for example to apply different configuration to
          them with systemd-networkd.

        * The compatibility libraries for libsystemd-journal.so,
          libsystem-id128.so, libsystemd-login.so and
          libsystemd-daemon.so do not make use of IFUNC
          anymore. Instead, we now build libsystemd.so multiple times
          under these alternative names. This means that the footprint
          is drastically increased, but given that these are
          transitional compatibility libraries, this should not matter
          much. This change has been made necessary to support the ARM
          platform for these compatibility libraries, as the ARM
          toolchain is not really at the same level as the toolchain
          for other architectures like x86 and does not support
          IFUNC. Please make sure to use --enable-compat-libs only
          during a transitional period!

        * The .include syntax has been deprecated and is not documented
          anymore. Drop-in files in .d directories should be used instead.

        Contributions from: Andreas Fuchs, Armin K., Colin Walters,
        Daniel Mack, Dave Reisner, David Herrmann, Djalal Harouni,
        Holger Schurig, Jason A. Donenfeld, Jason St. John, Jasper
        St. Pierre, Kay Sievers, Lennart Poettering, Łukasz Stelmach,
        Marcel Holtmann, Michael Scherer, Michal Sekletar, Mike
        Gilbert, Samuli Suominen, Thomas Bächler, Thomas Hindoe
        Paaboel Andersen, Tom Gundersen, Umut Tezduyar Lindskog,
        Zbigniew Jędrzejewski-Szmek

        — Berlin, 2014-02-24

CHANGES WITH 209:

        * A new component "systemd-networkd" has been added that can
          be used to configure local network interfaces statically or
          via DHCP. It is capable of bringing up bridges, VLANs, and
          bonding. Currently, no hook-ups for interactive network
          configuration are provided. Use this for your initrd,
          container, embedded, or server setup if you need a simple,
          yet powerful, network configuration solution. This
          configuration subsystem is quite nifty, as it allows wildcard
          hotplug matching in interfaces. For example, with a single
          configuration snippet, you can configure that all Ethernet
          interfaces showing up are automatically added to a bridge,
          or similar. It supports link-sensing and more.

        * A new tool "systemd-socket-proxyd" has been added which can
          act as a bidirectional proxy for TCP sockets. This is
          useful for adding socket activation support to services that
          do not actually support socket activation, including virtual
          machines and the like.

        * Add a new tool to save/restore rfkill state on
          shutdown/boot.

        * Save/restore state of keyboard backlights in addition to
          display backlights on shutdown/boot.

        * udev learned a new SECLABEL{} construct to label device
          nodes with a specific security label when they appear. For
          now, only SECLABEL{selinux} is supported, but the syntax is
          prepared for additional security frameworks.

        * udev gained a new scheme to configure link-level attributes
          from files in /etc/systemd/network/*.link. These files can
          match against MAC address, device path, driver name and type,
          and will apply attributes like the naming policy, link speed,
          MTU, duplex settings, Wake-on-LAN settings, MAC address, MAC
          address assignment policy (randomized, …).

        * The configuration of network interface naming rules for
          "permanent interface names" has changed: a new NamePolicy=
          setting in the [Link] section of .link files determines the
          priority of possible naming schemes (onboard, slot, MAC,
          path). The default value of this setting is determined by
          /usr/lib/net/links/99-default.link. Old
          80-net-name-slot.rules udev configuration file has been
          removed, so local configuration overriding this file should
          be adapted to override 99-default.link instead.

        * When the User= switch is used in a unit file, also
          initialize $SHELL= based on the user database entry.

        * systemd no longer depends on libdbus. All communication is
          now done with sd-bus, systemd's low-level bus library
          implementation.

        * kdbus support has been added to PID 1 itself. When kdbus is
          enabled, this causes PID 1 to set up the system bus and
          enable support for a new ".busname" unit type that
          encapsulates bus name activation on kdbus. It works a little
          bit like ".socket" units, except for bus names. A new
          generator has been added that converts classic dbus1 service
          activation files automatically into native systemd .busname
          and .service units.

        * sd-bus: add a light-weight vtable implementation that allows
          defining objects on the bus with a simple static const
          vtable array of its methods, signals and properties.

        * systemd will not generate or install static dbus
          introspection data anymore to /usr/share/dbus-1/interfaces,
          as the precise format of these files is unclear, and
          nothing makes use of it.

        * A proxy daemon is now provided to proxy clients connecting
          via classic D-Bus AF_UNIX sockets to kdbus, to provide full
          compatibility with classic D-Bus.

        * A bus driver implementation has been added that supports the
          classic D-Bus bus driver calls on kdbus, also for
          compatibility purposes.

        * A new API "sd-event.h" has been added that implements a
          minimal event loop API built around epoll. It provides a
          couple of features that direct epoll usage is lacking:
          prioritization of events, scales to large numbers of timer
          events, per-event timer slack (accuracy), system-wide
          coalescing of timer events, exit handlers, watchdog
          supervision support using systemd's sd_notify() API, child
          process handling.

        * A new API "sd-rntl.h" has been added that provides an API
          around the route netlink interface of the kernel, similar in
          style to "sd-bus.h".

        * A new API "sd-dhcp-client.h" has been added that provides a
          small DHCPv4 client-side implementation. This is used by
          "systemd-networkd".

        * There is a new kernel command line option
          "systemd.restore_state=0|1". When set to "0", none of the
          systemd tools will restore saved runtime state to hardware
          devices. More specifically, the rfkill and backlight states
          are not restored.

        * The FsckPassNo= compatibility option in mount/service units
          has been removed. The fstab generator will now add the
          necessary dependencies automatically, and does not require
          PID1's support for that anymore.

        * journalctl gained a new switch, --list-boots, that lists
          recent boots with their times and boot IDs.

        * The various tools like systemctl, loginctl, timedatectl,
          busctl, systemd-run, … have gained a new switch "-M" to
          connect to a specific, local OS container (as direct
          connection, without requiring SSH). This works on any
          container that is registered with machined, such as those
          created by libvirt-lxc or nspawn.

        * systemd-run and systemd-analyze also gained support for "-H"
          to connect to remote hosts via SSH. This is particularly
          useful for systemd-run because it enables queuing of jobs
          onto remote systems.

        * machinectl gained a new command "login" to open a getty
          login in any local container. This works with any container
          that is registered with machined (such as those created by
          libvirt-lxc or nspawn), and which runs systemd inside.

        * machinectl gained a new "reboot" command that may be used to
          trigger a reboot on a specific container that is registered
          with machined. This works on any container that runs an init
          system of some kind.

        * systemctl gained a new "list-timers" command to print a nice
          listing of installed timer units with the times they elapse
          next.

        * Alternative reboot() parameters may now be specified on the
          "systemctl reboot" command line and are passed to the
          reboot() system call.

        * systemctl gained a new --job-mode= switch to configure the
          mode to queue a job with. This is a more generic version of
          --fail, --irreversible, and --ignore-dependencies, which are
          still available but not advertised anymore.

        * /etc/systemd/system.conf gained new settings to configure
          various default timeouts of units, as well as the default
          start limit interval and burst. These may still be overridden
          within each Unit.

        * PID1 will now export on the bus profile data of the security
          policy upload process (such as the SELinux policy upload to
          the kernel).

        * journald: when forwarding logs to the console, include
          timestamps (following the setting in
          /sys/module/printk/parameters/time).

        * OnCalendar= in timer units now understands the special
          strings "yearly" and "annually". (Both are equivalent)

        * The accuracy of timer units is now configurable with the new
          AccuracySec= setting. It defaults to 1min.

        * A new dependency type JoinsNamespaceOf= has been added that
          allows running two services within the same /tmp and network
          namespace, if PrivateNetwork= or PrivateTmp= are used.

        * A new command "cat" has been added to systemctl. It outputs
          the original unit file of a unit, and concatenates the
          contents of additional "drop-in" unit file snippets, so that
          the full configuration is shown.

        * systemctl now supports globbing on the various "list-xyz"
          commands, like "list-units" or "list-sockets", as well as on
          those commands which take multiple unit names.

        * journalctl's --unit= switch gained support for globbing.

        * All systemd daemons now make use of the watchdog logic so
          that systemd automatically notices when they hang.

        * If the $container_ttys environment variable is set,
          getty-generator will automatically spawn a getty for each
          listed tty. This is useful for container managers to request
          login gettys to be spawned on as many ttys as needed.

        * %h, %s, %U specifier support is not available anymore when
          used in unit files for PID 1. This is because NSS calls are
          not safe from PID 1. They stay available for --user
          instances of systemd, and as special case for the root user.

        * loginctl gained a new "--no-legend" switch to turn off output
          of the legend text.

        * The "sd-login.h" API gained three new calls:
          sd_session_is_remote(), sd_session_get_remote_user(),
          sd_session_get_remote_host() to query information about
          remote sessions.

        * The udev hardware database now also carries vendor/product
          information of SDIO devices.

        * The "sd-daemon.h" API gained a new sd_watchdog_enabled() to
          determine whether watchdog notifications are requested by
          the system manager.

        * Socket-activated per-connection services now include a
          short description of the connection parameters in the
          description.

        * tmpfiles gained a new "--boot" option. When this is not used,
          only lines where the command character is not suffixed with
          "!" are executed. When this option is specified, those
          options are executed too. This partitions tmpfiles
          directives into those that can be safely executed at any
          time, and those which should be run only at boot (for
          example, a line that creates /run/nologin).

        * A new API "sd-resolve.h" has been added which provides a simple
          asynchronous wrapper around glibc NSS hostname resolution
          calls, such as getaddrinfo(). In contrast to glibc's
          getaddrinfo_a(), it does not use signals. In contrast to most
          other asynchronous name resolution libraries, this one does
          not reimplement DNS, but reuses NSS, so that alternate
          hostname resolution systems continue to work, such as mDNS,
          LDAP, etc. This API is based on libasyncns, but it has been
          cleaned up for inclusion in systemd.

        * The APIs "sd-journal.h", "sd-login.h", "sd-id128.h",
          "sd-daemon.h" are no longer found in individual libraries
          libsystemd-journal.so, libsystemd-login.so,
          libsystemd-id128.so, libsystemd-daemon.so. Instead, we have
          merged them into a single library, libsystemd.so, which
          provides all symbols. The reason for this is cyclic
          dependencies, as these libraries tend to use each other's
          symbols. So far, we have managed to workaround that by linking
          a copy of a good part of our code into each of these
          libraries again and again, which, however, makes certain
          things hard to do, like sharing static variables. Also, it
          substantially increases footprint. With this change, there
          is only one library for the basic APIs systemd
          provides. Also, "sd-bus.h", "sd-memfd.h", "sd-event.h",
          "sd-rtnl.h", "sd-resolve.h", "sd-utf8.h" are found in this
          library as well, however are subject to the --enable-kdbus
          switch (see below). Note that "sd-dhcp-client.h" is not part
          of this library (this is because it only consumes, never
          provides, services of/to other APIs). To make the transition
          easy from the separate libraries to the unified one, we
          provide the --enable-compat-libs compile-time switch which
          will generate stub libraries that are compatible with the
          old ones but redirect all calls to the new one.

        * All of the kdbus logic and the new APIs "sd-bus.h",
          "sd-memfd.h", "sd-event.h", "sd-rtnl.h", "sd-resolve.h",
          and "sd-utf8.h" are compile-time optional via the
          "--enable-kdbus" switch, and they are not compiled in by
          default. To make use of kdbus, you have to explicitly enable
          the switch. Note however, that neither the kernel nor the
          userspace API for all of this is considered stable yet. We
          want to maintain the freedom to still change the APIs for
          now. By specifying this build-time switch, you acknowledge
          that you are aware of the instability of the current
          APIs.

        * Also, note that while kdbus is pretty much complete,
          it lacks one thing: proper policy support. This means you
          can build a fully working system with all features; however,
          it will be highly insecure. Policy support will be added in
          one of the next releases, at the same time that we will
          declare the APIs stable.

        * When the kernel command line argument "kdbus" is specified,
          systemd will automatically load the kdbus.ko kernel module. At
          this stage of development, it is only useful for testing kdbus
          and should not be used in production. Note: if "--enable-kdbus"
          is specified, and the kdbus.ko kernel module is available, and
          "kdbus" is added to the kernel command line, the entire system
          runs with kdbus instead of dbus-daemon, with the above mentioned
          problem of missing the system policy enforcement. Also a future
          version of kdbus.ko or a newer systemd will not be compatible with
          each other, and will unlikely be able to boot the machine if only
          one of them is updated.

        * systemctl gained a new "import-environment" command which
          uploads the caller's environment (or parts thereof) into the
          service manager so that it is inherited by services started
          by the manager. This is useful to upload variables like
          $DISPLAY into the user service manager.

        * A new PrivateDevices= switch has been added to service units
          which allows running a service with a namespaced /dev
          directory that does not contain any device nodes for
          physical devices. More specifically, it only includes devices
          such as /dev/null, /dev/urandom, and /dev/zero which are API
          entry points.

        * logind has been extended to support behaviour like VT
          switching on seats that do not support a VT. This makes
          multi-session available on seats that are not the first seat
          (seat0), and on systems where kernel support for VTs has
          been disabled at compile-time.

        * If a process holds a delay lock for system sleep or shutdown
          and fails to release it in time, we will now log its
          identity. This makes it easier to identify processes that
          cause slow suspends or power-offs.

        * When parsing /etc/crypttab, support for a new key-slot=
          option as supported by Debian is added. It allows indicating
          which LUKS slot to use on disk, speeding up key loading.

        * The sd_journal_sendv() API call has been checked and
          officially declared to be async-signal-safe so that it may
          be invoked from signal handlers for logging purposes.

        * Boot-time status output is now enabled automatically after a
          short timeout if boot does not progress, in order to give
          the user an indication what she or he is waiting for.

        * The boot-time output has been improved to show how much time
          remains until jobs expire.

        * The KillMode= switch in service units gained a new possible
          value "mixed". If set, and the unit is shut down, then the
          initial SIGTERM signal is sent only to the main daemon
          process, while the following SIGKILL signal is sent to
          all remaining processes of the service.

        * When a scope unit is registered, a new property "Controller"
          may be set. If set to a valid bus name, systemd will send a
          RequestStop() signal to this name when it would like to shut
          down the scope. This may be used to hook manager logic into
          the shutdown logic of scope units. Also, scope units may now
          be put in a special "abandoned" state, in which case the
          manager process which created them takes no further
          responsibilities for it.

        * When reading unit files, systemd will now verify
          the access mode of these files, and warn about certain
          suspicious combinations. This has been added to make it
          easier to track down packaging bugs where unit files are
          marked executable or world-writable.

        * systemd-nspawn gained a new "--setenv=" switch to set
          container-wide environment variables. The similar option in
          systemd-activate was renamed from "--environment=" to
          "--setenv=" for consistency.

        * systemd-nspawn has been updated to create a new kdbus domain
          for each container that is invoked, thus allowing each
          container to have its own set of system and user buses,
          independent of the host.

        * systemd-nspawn gained a new --drop-capability= switch to run
          the container with less capabilities than the default. Both
          --drop-capability= and --capability= now take the special
          string "all" for dropping or keeping all capabilities.

        * systemd-nspawn gained new switches for executing containers
          with specific SELinux labels set.

        * systemd-nspawn gained a new --quiet switch to not generate
          any additional output but the container's own console
          output.

        * systemd-nspawn gained a new --share-system switch to run a
          container without PID namespacing enabled.

        * systemd-nspawn gained a new --register= switch to control
          whether the container is registered with systemd-machined or
          not. This is useful for containers that do not run full
          OS images, but only specific apps.

        * systemd-nspawn gained a new --keep-unit which may be used
          when invoked as the only program from a service unit, and
          results in registration of the unit service itself in
          systemd-machined, instead of a newly opened scope unit.

        * systemd-nspawn gained a new --network-interface= switch for
          moving arbitrary interfaces to the container. The new
          --network-veth switch creates a virtual Ethernet connection
          between host and container. The new --network-bridge=
          switch then allows assigning the host side of this virtual
          Ethernet connection to a bridge device.

        * systemd-nspawn gained a new --personality= switch for
          setting the kernel personality for the container. This is
          useful when running a 32-bit container on a 64-bit host. A
          similar option Personality= is now also available for service
          units to use.

        * logind will now also track a "Desktop" identifier for each
          session which encodes the desktop environment of it. This is
          useful for desktop environments that want to identify
          multiple running sessions of itself easily.

        * A new SELinuxContext= setting for service units has been
          added that allows setting a specific SELinux execution
          context for a service.

        * Most systemd client tools will now honour $SYSTEMD_LESS for
          settings of the "less" pager. By default, these tools will
          override $LESS to allow certain operations to work, such as
          jump-to-the-end. With $SYSTEMD_LESS, it is possible to
          influence this logic.

        * systemd's "seccomp" hook-up has been changed to make use of
          the libseccomp library instead of using its own
          implementation. This has benefits for portability among
          other things.

        * For usage together with SystemCallFilter=, a new
          SystemCallErrorNumber= setting has been introduced that
          allows configuration of a system error number to be returned
          on filtered system calls, instead of immediately killing the
          process. Also, SystemCallArchitectures= has been added to
          limit access to system calls of a particular architecture
          (in order to turn off support for unused secondary
          architectures). There is also a global
          SystemCallArchitectures= setting in system.conf now to turn
          off support for non-native system calls system-wide.

        * systemd requires a kernel with a working name_to_handle_at(),
          please see the kernel config requirements in the README file.

        Contributions from: Adam Williamson, Alex Jia, Anatol Pomozov,
        Ansgar Burchardt, AppleBloom, Auke Kok, Bastien Nocera,
        Chengwei Yang, Christian Seiler, Colin Guthrie, Colin Walters,
        Cristian Rodríguez, Daniel Buch, Daniele Medri, Daniel J
        Walsh, Daniel Mack, Dan McGee, Dave Reisner, David Coppa,
        David Herrmann, David Strauss, Djalal Harouni, Dmitry Pisklov,
        Elia Pinto, Florian Weimer, George McCollister, Goffredo
        Baroncelli, Greg Kroah-Hartman, Hendrik Brueckner, Igor
        Zhbanov, Jan Engelhardt, Jan Janssen, Jason A. Donenfeld,
        Jason St. John, Jasper St. Pierre, Jóhann B. Guðmundsson, Jose
        Ignacio Naranjo, Karel Zak, Kay Sievers, Kristian Høgsberg,
        Lennart Poettering, Lubomir Rintel, Lukas Nykryn, Lukasz
        Skalski, Łukasz Stelmach, Luke Shumaker, Mantas Mikulėnas,
        Marc-Antoine Perennou, Marcel Holtmann, Marcos Felipe Rasia de
        Mello, Marko Myllynen, Martin Pitt, Matthew Monaco, Michael
        Marineau, Michael Scherer, Michał Górny, Michal Sekletar,
        Michele Curti, Oleksii Shevchuk, Olivier Brunel, Patrik Flykt,
        Pavel Holica, Raudi, Richard Marko, Ronny Chevalier, Sébastien
        Luttringer, Sergey Ptashnick, Shawn Landden, Simon Peeters,
        Stefan Beller, Susant Sahani, Sylvain Plantefeve, Sylvia Else,
        Tero Roponen, Thomas Bächler, Thomas Hindoe Paaboel Andersen,
        Tom Gundersen, Umut Tezduyar Lindskog, Unai Uribarri, Václav
        Pavlín, Vincent Batts, WaLyong Cho, William Giokas, Yang
        Zhiyong, Yin Kangkai, Yuxuan Shui, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2014-02-20

CHANGES WITH 208:

        * logind has gained support for facilitating privileged input
          and drm device access for unprivileged clients. This work is
          useful to allow Wayland display servers (and similar
          programs, such as kmscon) to run under the user's ID and
          access input and drm devices which are normally
          protected. When this is used (and the kernel is new enough)
          logind will "mute" IO on the file descriptors passed to
          Wayland as long as it is in the background and "unmute" it
          if it returns into the foreground. This allows secure
          session switching without allowing background sessions to
          eavesdrop on input and display data. This also introduces
          session switching support if VT support is turned off in the
          kernel, and on seats that are not seat0.

        * A new kernel command line option luks.options= is understood
          now which allows specifying LUKS options for usage for LUKS
          encrypted partitions specified with luks.uuid=.

        * tmpfiles.d(5) snippets may now use specifier expansion in
          path names. More specifically %m, %b, %H, %v, are now
          replaced by the local machine id, boot id, hostname, and
          kernel version number.

        * A new tmpfiles.d(5) command "m" has been introduced which
          may be used to change the owner/group/access mode of a file
          or directory if it exists, but do nothing if it does not.

        * This release removes high-level support for the
          MemorySoftLimit= cgroup setting. The underlying kernel
          cgroup attribute memory.soft_limit= is currently badly
          designed and likely to be removed from the kernel API in its
          current form, hence we should not expose it for now.

        * The memory.use_hierarchy cgroup attribute is now enabled for
          all cgroups systemd creates in the memory cgroup
          hierarchy. This option is likely to be come the built-in
          default in the kernel anyway, and the non-hierarchical mode
          never made much sense in the intrinsically hierarchical
          cgroup system.

        * A new field _SYSTEMD_SLICE= is logged along with all journal
          messages containing the slice a message was generated
          from. This is useful to allow easy per-customer filtering of
          logs among other things.

        * systemd-journald will no longer adjust the group of journal
          files it creates to the "systemd-journal" group. Instead we
          rely on the journal directory to be owned by the
          "systemd-journal" group, and its setgid bit set, so that the
          kernel file system layer will automatically enforce that
          journal files inherit this group assignment. The reason for
          this change is that we cannot allow NSS look-ups from
          journald which would be necessary to resolve
          "systemd-journal" to a numeric GID, because this might
          create deadlocks if NSS involves synchronous queries to
          other daemons (such as nscd, or sssd) which in turn are
          logging clients of journald and might block on it, which
          would then dead lock. A tmpfiles.d(5) snippet included in
          systemd will make sure the setgid bit and group are
          properly set on the journal directory if it exists on every
          boot. However, we recommend adjusting it manually after
          upgrades too (or from RPM scriptlets), so that the change is
          not delayed until next reboot.

        * Backlight and random seed files in /var/lib/ have moved into
          the /var/lib/systemd/ directory, in order to centralize all
          systemd generated files in one directory.

        * Boot time performance measurements (as displayed by
          "systemd-analyze" for example) will now read ACPI 5.0 FPDT
          performance information if that's available to determine how
          much time BIOS and boot loader initialization required. With
          a sufficiently new BIOS you hence no longer need to boot
          with Gummiboot to get access to such information.

        Contributions from: Andrey Borzenkov, Chen Jie, Colin Walters,
        Cristian Rodríguez, Dave Reisner, David Herrmann, David
        Mackey, David Strauss, Eelco Dolstra, Evan Callicoat, Gao
        feng, Harald Hoyer, Jimmie Tauriainen, Kay Sievers, Lennart
        Poettering, Lukas Nykryn, Mantas Mikulėnas, Martin Pitt,
        Michael Scherer, Michał Górny, Mike Gilbert, Patrick McCarty,
        Sebastian Ott, Tom Gundersen, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2013-10-02

CHANGES WITH 207:

        * The Restart= option for services now understands a new
          on-watchdog setting, which will restart the service
          automatically if the service stops sending out watchdog keep
          alive messages (as configured with WatchdogSec=).

        * The getty generator (which is responsible for bringing up a
          getty on configured serial consoles) will no longer only
          start a getty on the primary kernel console but on all
          others, too. This makes the order in which console= is
          specified on the kernel command line less important.

        * libsystemd-logind gained a new sd_session_get_vt() call to
          retrieve the VT number of a session.

        * If the option "tries=0" is set for an entry of /etc/crypttab
          its passphrase is queried indefinitely instead of any
          maximum number of tries.

        * If a service with a configure PID file terminates its PID
          file will now be removed automatically if it still exists
          afterwards. This should put an end to stale PID files.

        * systemd-run will now also take relative binary path names
          for execution and no longer insists on absolute paths.

        * InaccessibleDirectories= and ReadOnlyDirectories= now take
          paths that are optionally prefixed with "-" to indicate that
          it should not be considered a failure if they do not exist.

        * journalctl -o (and similar commands) now understands a new
          output mode "short-precise", it is similar to "short" but
          shows timestamps with usec accuracy.

        * The option "discard" (as known from Debian) is now
          synonymous to "allow-discards" in /etc/crypttab. In fact,
          "discard" is preferred now (since it is easier to remember
          and type).

        * Some licensing clean-ups were made, so that more code is now
          LGPL-2.1 licensed than before.

        * A minimal tool to save/restore the display backlight
          brightness across reboots has been added. It will store the
          backlight setting as late as possible at shutdown, and
          restore it as early as possible during reboot.

        * A logic to automatically discover and enable home and swap
          partitions on GPT disks has been added. With this in place
          /etc/fstab becomes optional for many setups as systemd can
          discover certain partitions located on the root disk
          automatically. Home partitions are recognized under their
          GPT type ID 933ac7e12eb44f13b8440e14e2aef915. Swap
          partitions are recognized under their GPT type ID
          0657fd6da4ab43c484e50933c84b4f4f.

        * systemd will no longer pass any environment from the kernel
          or initrd to system services. If you want to set an
          environment for all services, do so via the kernel command
          line systemd.setenv= assignment.

        * The systemd-sysctl tool no longer natively reads the file
          /etc/sysctl.conf. If desired, the file should be symlinked
          from /etc/sysctl.d/99-sysctl.conf. Apart from providing
          legacy support by a symlink rather than built-in code, it
          also makes the otherwise hidden order of application of the
          different files visible. (Note that this partly reverts to a
          pre-198 application order of sysctl knobs!)

        * The "systemctl set-log-level" and "systemctl dump" commands
          have been moved to systemd-analyze.

        * systemd-run learned the new --remain-after-exit switch,
          which causes the scope unit not to be cleaned up
          automatically after the process terminated.

        * tmpfiles learned a new --exclude-prefix= switch to exclude
          certain paths from operation.

        * journald will now automatically flush all messages to disk
          as soon as a message at the log level CRIT, ALERT or EMERG
          is received.

        Contributions from: Andrew Cook, Brandon Philips, Christian
        Hesse, Christoph Junghans, Colin Walters, Daniel Schaal,
        Daniel Wallace, Dave Reisner, David Herrmann, Gao feng, George
        McCollister, Giovanni Campagna, Hannes Reinecke, Harald Hoyer,
        Herczeg Zsolt, Holger Hans Peter Freyther, Jan Engelhardt,
        Jesper Larsen, Kay Sievers, Khem Raj, Lennart Poettering,
        Lukas Nykryn, Maciej Wereski, Mantas Mikulėnas, Marcel
        Holtmann, Martin Pitt, Michael Biebl, Michael Marineau,
        Michael Scherer, Michael Stapelberg, Michal Sekletar, Michał
        Górny, Olivier Brunel, Ondrej Balaz, Ronny Chevalier, Shawn
        Landden, Steven Hiscocks, Thomas Bächler, Thomas Hindoe
        Paaboel Andersen, Tom Gundersen, Umut Tezduyar, WANG Chao,
        William Giokas, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2013-09-13

CHANGES WITH 206:

        * The documentation has been updated to cover the various new
          concepts introduced with 205.

        * Unit files now understand the new %v specifier which
          resolves to the kernel version string as returned by "uname
          -r".

        * systemctl now supports filtering the unit list output by
          load state, active state and sub state, using the new
          --state= parameter.

        * "systemctl status" will now show the results of the
          condition checks (like ConditionPathExists= and similar) of
          the last start attempts of the unit. They are also logged to
          the journal.

        * "journalctl -b" may now be used to look for boot output of a
          specific boot. Try "journalctl -b -1" for the previous boot,
          but the syntax is substantially more powerful.

        * "journalctl --show-cursor" has been added which prints the
          cursor string the last shown log line. This may then be used
          with the new "journalctl --after-cursor=" switch to continue
          browsing logs from that point on.

        * "journalctl --force" may now be used to force regeneration
          of an FSS key.

        * Creation of "dead" device nodes has been moved from udev
          into kmod and tmpfiles. Previously, udev would read the kmod
          databases to pre-generate dead device nodes based on meta
          information contained in kernel modules, so that these would
          be auto-loaded on access rather then at boot. As this
          does not really have much to do with the exposing actual
          kernel devices to userspace this has always been slightly
          alien in the udev codebase. Following the new scheme kmod
          will now generate a runtime snippet for tmpfiles from the
          module meta information and it now is tmpfiles' job to the
          create the nodes. This also allows overriding access and
          other parameters for the nodes using the usual tmpfiles
          facilities. As side effect this allows us to remove the
          CAP_SYS_MKNOD capability bit from udevd entirely.

        * logind's device ACLs may now be applied to these "dead"
          devices nodes too, thus finally allowing managed access to
          devices such as /dev/snd/sequencer without loading the
          backing module right-away.

        * A new RPM macro has been added that may be used to apply
          tmpfiles configuration during package installation.

        * systemd-detect-virt and ConditionVirtualization= now can
          detect User-Mode-Linux machines (UML).

        * journald will now implicitly log the effective capabilities
          set of processes in the message metadata.

        * systemd-cryptsetup has gained support for TrueCrypt volumes.

        * The initrd interface has been simplified (more specifically,
          support for passing performance data via environment
          variables and fsck results via files in /run has been
          removed). These features were non-essential, and are
          nowadays available in a much nicer way by having systemd in
          the initrd serialize its state and have the hosts systemd
          deserialize it again.

        * The udev "keymap" data files and tools to apply keyboard
          specific mappings of scan to key codes, and force-release
          scan code lists have been entirely replaced by a udev
          "keyboard" builtin and a hwdb data file.

        * systemd will now honour the kernel's "quiet" command line
          argument also during late shutdown, resulting in a
          completely silent shutdown when used.

        * There's now an option to control the SO_REUSEPORT socket
          option in .socket units.

        * Instance units will now automatically get a per-template
          subslice of system.slice unless something else is explicitly
          configured. For example, instances of sshd@.service will now
          implicitly be placed in system-sshd.slice rather than
          system.slice as before.

        * Test coverage support may now be enabled at build time.

        Contributions from: Dave Reisner, Frederic Crozat, Harald
        Hoyer, Holger Hans Peter Freyther, Jan Engelhardt, Jan
        Janssen, Jason St. John, Jesper Larsen, Kay Sievers, Lennart
        Poettering, Lukas Nykryn, Maciej Wereski, Martin Pitt, Michael
        Olbrich, Ramkumar Ramachandra, Ross Lagerwall, Shawn Landden,
        Thomas H.P. Andersen, Tom Gundersen, Tomasz Torcz, William
        Giokas, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2013-07-23

CHANGES WITH 205:

        * Two new unit types have been introduced:

          Scope units are very similar to service units, however, are
          created out of pre-existing processes — instead of PID 1
          forking off the processes. By using scope units it is
          possible for system services and applications to group their
          own child processes (worker processes) in a powerful way
          which then maybe used to organize them, or kill them
          together, or apply resource limits on them.

          Slice units may be used to partition system resources in an
          hierarchical fashion and then assign other units to them. By
          default there are now three slices: system.slice (for all
          system services), user.slice (for all user sessions),
          machine.slice (for VMs and containers).

          Slices and scopes have been introduced primarily in
          context of the work to move cgroup handling to a
          single-writer scheme, where only PID 1
          creates/removes/manages cgroups.

        * There's a new concept of "transient" units. In contrast to
          normal units these units are created via an API at runtime,
          not from configuration from disk. More specifically this
          means it is now possible to run arbitrary programs as
          independent services, with all execution parameters passed
          in via bus APIs rather than read from disk. Transient units
          make systemd substantially more dynamic then it ever was,
          and useful as a general batch manager.

        * logind has been updated to make use of scope and slice units
          for managing user sessions. As a user logs in he will get
          his own private slice unit, to which all sessions are added
          as scope units. We also added support for automatically
          adding an instance of user@.service for the user into the
          slice. Effectively logind will no longer create cgroup
          hierarchies on its own now, it will defer entirely to PID 1
          for this by means of scope, service and slice units. Since
          user sessions this way become entities managed by PID 1
          the output of "systemctl" is now a lot more comprehensive.

        * A new mini-daemon "systemd-machined" has been added which
          may be used by virtualization managers to register local
          VMs/containers. nspawn has been updated accordingly, and
          libvirt will be updated shortly. machined will collect a bit
          of meta information about the VMs/containers, and assign
          them their own scope unit (see above). The collected
          meta-data is then made available via the "machinectl" tool,
          and exposed in "ps" and similar tools. machined/machinectl
          is compile-time optional.

        * As discussed earlier, the low-level cgroup configuration
          options ControlGroup=, ControlGroupModify=,
          ControlGroupPersistent=, ControlGroupAttribute= have been
          removed. Please use high-level attribute settings instead as
          well as slice units.

        * A new bus call SetUnitProperties() has been added to alter
          various runtime parameters of a unit. This is primarily
          useful to alter cgroup parameters dynamically in a nice way,
          but will be extended later on to make more properties
          modifiable at runtime. systemctl gained a new set-properties
          command that wraps this call.

        * A new tool "systemd-run" has been added which can be used to
          run arbitrary command lines as transient services or scopes,
          while configuring a number of settings via the command
          line. This tool is currently very basic, however already
          very useful. We plan to extend this tool to even allow
          queuing of execution jobs with time triggers from the
          command line, similar in fashion to "at".

        * nspawn will now inform the user explicitly that kernels with
          audit enabled break containers, and suggest the user to turn
          off audit.

        * Support for detecting the IMA and AppArmor security
          frameworks with ConditionSecurity= has been added.

        * journalctl gained a new "-k" switch for showing only kernel
          messages, mimicking dmesg output; in addition to "--user"
          and "--system" switches for showing only user's own logs
          and system logs.

        * systemd-delta can now show information about drop-in
          snippets extending unit files.

        * libsystemd-bus has been substantially updated but is still
          not available as public API.

        * systemd will now look for the "debug" argument on the kernel
          command line and enable debug logging, similar to what
          "systemd.log_level=debug" already did before.

        * "systemctl set-default", "systemctl get-default" has been
          added to configure the default.target symlink, which
          controls what to boot into by default.

        * "systemctl set-log-level" has been added as a convenient
          way to raise and lower systemd logging threshold.

        * "systemd-analyze plot" will now show the time the various
          generators needed for execution, as well as information
          about the unit file loading.

        * libsystemd-journal gained a new sd_journal_open_files() call
          for opening specific journal files. journactl also gained a
          new switch to expose this new functionality. Previously we
          only supported opening all files from a directory, or all
          files from the system, as opening individual files only is
          racy due to journal file rotation.

        * systemd gained the new DefaultEnvironment= setting in
          /etc/systemd/system.conf to set environment variables for
          all services.

        * If a privileged process logs a journal message with the
          OBJECT_PID= field set, then journald will automatically
          augment this with additional OBJECT_UID=, OBJECT_GID=,
          OBJECT_COMM=, OBJECT_EXE=, … fields. This is useful if
          system services want to log events about specific client
          processes. journactl/systemctl has been updated to make use
          of this information if all log messages regarding a specific
          unit is requested.

        Contributions from: Auke Kok, Chengwei Yang, Colin Walters,
        Cristian Rodríguez, Daniel Albers, Daniel Wallace, Dave
        Reisner, David Coppa, David King, David Strauss, Eelco
        Dolstra, Gabriel de Perthuis, Harald Hoyer, Jan Alexander
        Steffens, Jan Engelhardt, Jan Janssen, Jason St. John, Johan
        Heikkilä, Karel Zak, Karol Lewandowski, Kay Sievers, Lennart
        Poettering, Lukas Nykryn, Mantas Mikulėnas, Marius Vollmer,
        Martin Pitt, Michael Biebl, Michael Olbrich, Michael Tremer,
        Michal Schmidt, Michał Bartoszkiewicz, Nirbheek Chauhan,
        Pierre Neidhardt, Ross Burton, Ross Lagerwall, Sean McGovern,
        Thomas Hindoe Paaboel Andersen, Tom Gundersen, Umut Tezduyar,
        Václav Pavlín, Zachary Cook, Zbigniew Jędrzejewski-Szmek,
        Łukasz Stelmach, 장동준

CHANGES WITH 204:

        * The Python bindings gained some minimal support for the APIs
          exposed by libsystemd-logind.

        * ConditionSecurity= gained support for detecting SMACK. Since
          this condition already supports SELinux and AppArmor we only
          miss IMA for this. Patches welcome!

        Contributions from: Karol Lewandowski, Lennart Poettering,
        Zbigniew Jędrzejewski-Szmek

CHANGES WITH 203:

        * systemd-nspawn will now create /etc/resolv.conf if
          necessary, before bind-mounting the host's file onto it.

        * systemd-nspawn will now store meta information about a
          container on the container's cgroup as extended attribute
          fields, including the root directory.

        * The cgroup hierarchy has been reworked in many ways. All
          objects any of the components systemd creates in the cgroup
          tree are now suffixed. More specifically, user sessions are
          now placed in cgroups suffixed with ".session", users in
          cgroups suffixed with ".user", and nspawn containers in
          cgroups suffixed with ".nspawn". Furthermore, all cgroup
          names are now escaped in a simple scheme to avoid collision
          of userspace object names with kernel filenames. This work
          is preparation for making these objects relocatable in the
          cgroup tree, in order to allow easy resource partitioning of
          these objects without causing naming conflicts.

        * systemctl list-dependencies gained the new switches
          --plain, --reverse, --after and --before.

        * systemd-inhibit now shows the process name of processes that
          have taken an inhibitor lock.

        * nss-myhostname will now also resolve "localhost"
          implicitly. This makes /etc/hosts an optional file and
          nicely handles that on IPv6 ::1 maps to both "localhost" and
          the local hostname.

        * libsystemd-logind.so gained a new call
          sd_get_machine_names() to enumerate running containers and
          VMs (currently only supported by very new libvirt and
          nspawn). sd_login_monitor can now be used to watch
          VMs/containers coming and going.

        * .include is not allowed recursively anymore, and only in
          unit files. Usually it is better to use drop-in snippets in
          .d/*.conf anyway, as introduced with systemd 198.

        * systemd-analyze gained a new "critical-chain" command that
          determines the slowest chain of units run during system
          boot-up. It is very useful for tracking down where
          optimizing boot time is the most beneficial.

        * systemd will no longer allow manipulating service paths in
          the name=systemd:/system cgroup tree using ControlGroup= in
          units. (But is still fine with it in all other dirs.)

        * There's a new systemd-nspawn@.service service file that may
          be used to easily run nspawn containers as system
          services. With the container's root directory in
          /var/lib/container/foobar it is now sufficient to run
          "systemctl start systemd-nspawn@foobar.service" to boot it.

        * systemd-cgls gained a new parameter "--machine" to list only
          the processes within a certain container.

        * ConditionSecurity= now can check for "apparmor". We still
          are lacking checks for SMACK and IMA for this condition
          check though. Patches welcome!

        * A new configuration file /etc/systemd/sleep.conf has been
          added that may be used to configure which kernel operation
          systemd is supposed to execute when "suspend", "hibernate"
          or "hybrid-sleep" is requested. This makes the new kernel
          "freeze" state accessible to the user.

        * ENV{SYSTEMD_WANTS} in udev rules will now implicitly escape
          the passed argument if applicable.

        Contributions from: Auke Kok, Colin Guthrie, Colin Walters,
        Cristian Rodríguez, Daniel Buch, Daniel Wallace, Dave Reisner,
        Evangelos Foutras, Greg Kroah-Hartman, Harald Hoyer, Josh
        Triplett, Kay Sievers, Lennart Poettering, Lukas Nykryn,
        MUNEDA Takahiro, Mantas Mikulėnas, Mirco Tischler, Nathaniel
        Chen, Nirbheek Chauhan, Ronny Chevalier, Ross Lagerwall, Tom
        Gundersen, Umut Tezduyar, Ville Skyttä, Zbigniew
        Jędrzejewski-Szmek

CHANGES WITH 202:

        * The output of 'systemctl list-jobs' got some polishing. The
          '--type=' argument may now be passed more than once. A new
          command 'systemctl list-sockets' has been added which shows
          a list of kernel sockets systemd is listening on with the
          socket units they belong to, plus the units these socket
          units activate.

        * The experimental libsystemd-bus library got substantial
          updates to work in conjunction with the (also experimental)
          kdbus kernel project. It works well enough to exchange
          messages with some sophistication. Note that kdbus is not
          ready yet, and the library is mostly an elaborate test case
          for now, and not installable.

        * systemd gained a new unit 'systemd-static-nodes.service'
          that generates static device nodes earlier during boot, and
          can run in conjunction with udev.

        * libsystemd-login gained a new call sd_pid_get_user_unit()
          to retrieve the user systemd unit a process is running
          in. This is useful for systems where systemd is used as
          session manager.

        * systemd-nspawn now places all containers in the new /machine
          top-level cgroup directory in the name=systemd
          hierarchy. libvirt will soon do the same, so that we get a
          uniform separation of /system, /user and /machine for system
          services, user processes and containers/virtual
          machines. This new cgroup hierarchy is also useful to stick
          stable names to specific container instances, which can be
          recognized later this way (this name may be controlled
          via systemd-nspawn's new -M switch). libsystemd-login also
          gained a new call sd_pid_get_machine_name() to retrieve the
          name of the container/VM a specific process belongs to.

        * bootchart can now store its data in the journal.

        * libsystemd-journal gained a new call
          sd_journal_add_conjunction() for AND expressions to the
          matching logic. This can be used to express more complex
          logical expressions.

        * journactl can now take multiple --unit= and --user-unit=
          switches.

        * The cryptsetup logic now understands the "luks.key=" kernel
          command line switch for specifying a file to read the
          decryption key from. Also, if a configured key file is not
          found the tool will now automatically fall back to prompting
          the user.

        * Python systemd.journal module was updated to wrap recently
          added functions from libsystemd-journal. The interface was
          changed to bring the low level interface in s.j._Reader
          closer to the C API, and the high level interface in
          s.j.Reader was updated to wrap and convert all data about
          an entry.

        Contributions from: Anatol Pomozov, Auke Kok, Harald Hoyer,
        Henrik Grindal Bakken, Josh Triplett, Kay Sievers, Lennart
        Poettering, Lukas Nykryn, Mantas Mikulėnas Marius Vollmer,
        Martin Jansa, Martin Pitt, Michael Biebl, Michal Schmidt,
        Mirco Tischler, Pali Rohar, Simon Peeters, Steven Hiscocks,
        Tom Gundersen, Zbigniew Jędrzejewski-Szmek

CHANGES WITH 201:

        * journalctl --update-catalog now understands a new --root=
          option to operate on catalogs found in a different root
          directory.

        * During shutdown after systemd has terminated all running
          services a final killing loop kills all remaining left-over
          processes. We will now print the name of these processes
          when we send SIGKILL to them, since this usually indicates a
          problem.

        * If /etc/crypttab refers to password files stored on
          configured mount points automatic dependencies will now be
          generated to ensure the specific mount is established first
          before the key file is attempted to be read.

        * 'systemctl status' will now show information about the
          network sockets a socket unit is listening on.

        * 'systemctl status' will also shown information about any
          drop-in configuration file for units. (Drop-In configuration
          files in this context are files such as
          /etc/systemd/system/foobar.service.d/*.conf)

        * systemd-cgtop now optionally shows summed up CPU times of
          cgroups. Press '%' while running cgtop to switch between
          percentage and absolute mode. This is useful to determine
          which cgroups use up the most CPU time over the entire
          runtime of the system. systemd-cgtop has also been updated
          to be 'pipeable' for processing with further shell tools.

        * 'hostnamectl set-hostname' will now allow setting of FQDN
          hostnames.

        * The formatting and parsing of time span values has been
          changed. The parser now understands fractional expressions
          such as "5.5h". The formatter will now output fractional
          expressions for all time spans under 1min, i.e. "5.123456s"
          rather than "5s 123ms 456us". For time spans under 1s
          millisecond values are shown, for those under 1ms
          microsecond values are shown. This should greatly improve
          all time-related output of systemd.

        * libsystemd-login and libsystemd-journal gained new
          functions for querying the poll() events mask and poll()
          timeout value for integration into arbitrary event
          loops.

        * localectl gained the ability to list available X11 keymaps
          (models, layouts, variants, options).

        * 'systemd-analyze dot' gained the ability to filter for
          specific units via shell-style globs, to create smaller,
          more useful graphs. I.e. it is now possible to create simple
          graphs of all the dependencies between only target units, or
          of all units that Avahi has dependencies with.

        Contributions from: Cristian Rodríguez, Dr. Tilmann Bubeck,
        Harald Hoyer, Holger Hans Peter Freyther, Kay Sievers, Kelly
        Anderson, Koen Kooi, Lennart Poettering, Maksim Melnikau,
        Marc-Antoine Perennou, Marius Vollmer, Martin Pitt, Michal
        Schmidt, Oleksii Shevchuk, Ronny Chevalier, Simon McVittie,
        Steven Hiscocks, Thomas Weißschuh, Umut Tezduyar, Václav
        Pavlín, Zbigniew Jędrzejewski-Szmek, Łukasz Stelmach

CHANGES WITH 200:

        * The boot-time readahead implementation for rotating media
          will now read the read-ahead data in multiple passes which
          consist of all read requests made in equidistant time
          intervals. This means instead of strictly reading read-ahead
          data in its physical order on disk we now try to find a
          middle ground between physical and access time order.

        * /etc/os-release files gained a new BUILD_ID= field for usage
          on operating systems that provide continuous builds of OS
          images.

        Contributions from: Auke Kok, Eelco Dolstra, Kay Sievers,
        Lennart Poettering, Lukas Nykryn, Martin Pitt, Václav Pavlín
        William Douglas, Zbigniew Jędrzejewski-Szmek

CHANGES WITH 199:

        * systemd-python gained an API exposing libsystemd-daemon.

        * The SMACK setup logic gained support for uploading CIPSO
          security policy.

        * Behaviour of PrivateTmp=, ReadWriteDirectories=,
          ReadOnlyDirectories= and InaccessibleDirectories= has
          changed. The private /tmp and /var/tmp directories are now
          shared by all processes of a service (which means
          ExecStartPre= may now leave data in /tmp that ExecStart= of
          the same service can still access). When a service is
          stopped its temporary directories are immediately deleted
          (normal clean-up with tmpfiles is still done in addition to
          this though).

        * By default, systemd will now set a couple of sysctl
          variables in the kernel: the safe sysrq options are turned
          on, IP route verification is turned on, and source routing
          disabled. The recently added hardlink and softlink
          protection of the kernel is turned on. These settings should
          be reasonably safe, and good defaults for all new systems.

        * The predictable network naming logic may now be turned off
          with a new kernel command line switch: net.ifnames=0.

        * A new libsystemd-bus module has been added that implements a
          pretty complete D-Bus client library. For details see:

          https://lists.freedesktop.org/archives/systemd-devel/2013-March/009797.html

        * journald will now explicitly flush the journal files to disk
          at the latest 5min after each write. The file will then also
          be marked offline until the next write. This should increase
          reliability in case of a crash. The synchronization delay
          can be configured via SyncIntervalSec= in journald.conf.

        * There's a new remote-fs-setup.target unit that can be used
          to pull in specific services when at least one remote file
          system is to be mounted.

        * There are new targets timers.target and paths.target as
          canonical targets to pull user timer and path units in
          from. This complements sockets.target with a similar
          purpose for socket units.

        * libudev gained a new call udev_device_set_attribute_value()
          to set sysfs attributes of a device.

        * The udev daemon now sets the default number of worker
          processes executed in parallel based on the number of available
          CPUs instead of the amount of available RAM. This is supposed
          to provide a more reliable default and limit a too aggressive
          parallelism for setups with 1000s of devices connected.

        Contributions from: Auke Kok, Colin Walters, Cristian
        Rodríguez, Daniel Buch, Dave Reisner, Frederic Crozat, Hannes
        Reinecke, Harald Hoyer, Jan Alexander Steffens, Jan
        Engelhardt, Josh Triplett, Kay Sievers, Lennart Poettering,
        Mantas Mikulėnas, Martin Pitt, Mathieu Bridon, Michael Biebl,
        Michal Schmidt, Michal Sekletar, Miklos Vajna, Nathaniel Chen,
        Oleksii Shevchuk, Ozan Çağlayan, Thomas Hindoe Paaboel
        Andersen, Tollef Fog Heen, Tom Gundersen, Umut Tezduyar,
        Zbigniew Jędrzejewski-Szmek

CHANGES WITH 198:

        * Configuration of unit files may now be extended via drop-in
          files without having to edit/override the unit files
          themselves. More specifically, if the administrator wants to
          change one value for a service file foobar.service he can
          now do so by dropping in a configuration snippet into
          /etc/systemd/system/foobar.service.d/*.conf. The unit logic
          will load all these snippets and apply them on top of the
          main unit configuration file, possibly extending or
          overriding its settings. Using these drop-in snippets is
          generally nicer than the two earlier options for changing
          unit files locally: copying the files from
          /usr/lib/systemd/system/ to /etc/systemd/system/ and editing
          them there; or creating a new file in /etc/systemd/system/
          that incorporates the original one via ".include". Drop-in
          snippets into these .d/ directories can be placed in any
          directory systemd looks for units in, and the usual
          overriding semantics between /usr/lib, /etc and /run apply
          for them too.

        * Most unit file settings which take lists of items can now be
          reset by assigning the empty string to them. For example,
          normally, settings such as Environment=FOO=BAR append a new
          environment variable assignment to the environment block,
          each time they are used. By assigning Environment= the empty
          string the environment block can be reset to empty. This is
          particularly useful with the .d/*.conf drop-in snippets
          mentioned above, since this adds the ability to reset list
          settings from vendor unit files via these drop-ins.

        * systemctl gained a new "list-dependencies" command for
          listing the dependencies of a unit recursively.

        * Inhibitors are now honored and listed by "systemctl
          suspend", "systemctl poweroff" (and similar) too, not only
          GNOME. These commands will also list active sessions by
          other users.

        * Resource limits (as exposed by the various control group
          controllers) can now be controlled dynamically at runtime
          for all units. More specifically, you can now use a command
          like "systemctl set-cgroup-attr foobar.service cpu.shares
          2000" to alter the CPU shares a specific service gets. These
          settings are stored persistently on disk, and thus allow the
          administrator to easily adjust the resource usage of
          services with a few simple commands. This dynamic resource
          management logic is also available to other programs via the
          bus. Almost any kernel cgroup attribute and controller is
          supported.

        * systemd-vconsole-setup will now copy all font settings to
          all allocated VTs, where it previously applied them only to
          the foreground VT.

        * libsystemd-login gained the new sd_session_get_tty() API
          call.

        * This release drops support for a few legacy or
          distribution-specific LSB facility names when parsing init
          scripts: $x-display-manager, $mail-transfer-agent,
          $mail-transport-agent, $mail-transfer-agent, $smtp,
          $null. Also, the mail-transfer-agent.target unit backing
          this has been removed. Distributions which want to retain
          compatibility with this should carry the burden for
          supporting this themselves and patch support for these back
          in, if they really need to. Also, the facilities $syslog and
          $local_fs are now ignored, since systemd does not support
          early-boot LSB init scripts anymore, and these facilities
          are implied anyway for normal services. syslog.target has
          also been removed.

        * There are new bus calls on PID1's Manager object for
          cancelling jobs, and removing snapshot units. Previously,
          both calls were only available on the Job and Snapshot
          objects themselves.

        * systemd-journal-gatewayd gained SSL support.

        * The various "environment" files, such as /etc/locale.conf
          now support continuation lines with a backslash ("\") as
          last character in the line, similarly in style (but different)
          to how this is supported in shells.

        * For normal user processes the _SYSTEMD_USER_UNIT= field is
          now implicitly appended to every log entry logged. systemctl
          has been updated to filter by this field when operating on a
          user systemd instance.

        * nspawn will now implicitly add the CAP_AUDIT_WRITE and
          CAP_AUDIT_CONTROL capabilities to the capabilities set for
          the container. This makes it easier to boot unmodified
          Fedora systems in a container, which however still requires
          audit=0 to be passed on the kernel command line. Auditing in
          kernel and userspace is unfortunately still too broken in
          context of containers, hence we recommend compiling it out
          of the kernel or using audit=0. Hopefully this will be fixed
          one day for good in the kernel.

        * nspawn gained the new --bind= and --bind-ro= parameters to
          bind mount specific directories from the host into the
          container.

        * nspawn will now mount its own devpts file system instance
          into the container, in order not to leak pty devices from
          the host into the container.

        * systemd will now read the firmware boot time performance
          information from the EFI variables, if the used boot loader
          supports this, and takes it into account for boot performance
          analysis via "systemd-analyze". This is currently supported
          only in conjunction with Gummiboot, but could be supported
          by other boot loaders too. For details see:

          https://systemd.io/BOOT_LOADER_INTERFACE

        * A new generator has been added that automatically mounts the
          EFI System Partition (ESP) to /boot, if that directory
          exists, is empty, and no other file system has been
          configured to be mounted there.

        * logind will now send out PrepareForSleep(false) out
          unconditionally, after coming back from suspend. This may be
          used by applications as asynchronous notification for
          system resume events.

        * "systemctl unlock-sessions" has been added, that allows
          unlocking the screens of all user sessions at once, similar
          to how "systemctl lock-sessions" already locked all users
          sessions. This is backed by a new D-Bus call UnlockSessions().

        * "loginctl seat-status" will now show the master device of a
          seat. (i.e. the device of a seat that needs to be around for
          the seat to be considered available, usually the graphics
          card).

        * tmpfiles gained a new "X" line type, that allows
          configuration of files and directories (with wildcards) that
          shall be excluded from automatic cleanup ("aging").

        * udev default rules set the device node permissions now only
          at "add" events, and do not change them any longer with a
          later "change" event.

        * The log messages for lid events and power/sleep keypresses
          now carry a message ID.

        * We now have a substantially larger unit test suite, but this
          continues to be work in progress.

        * udevadm hwdb gained a new --root= parameter to change the
          root directory to operate relative to.

        * logind will now issue a background sync() request to the kernel
          early at shutdown, so that dirty buffers are flushed to disk early
          instead of at the last moment, in order to optimize shutdown
          times a little.

        * A new bootctl tool has been added that is an interface for
          certain boot loader operations. This is currently a preview
          and is likely to be extended into a small mechanism daemon
          like timedated, localed, hostnamed, and can be used by
          graphical UIs to enumerate available boot options, and
          request boot into firmware operations.

        * systemd-bootchart has been relicensed to LGPLv2.1+ to match
          the rest of the package. It also has been updated to work
          correctly in initrds.

        * polkit previously has been runtime optional, and is now also
          compile time optional via a configure switch.

        * systemd-analyze has been reimplemented in C. Also "systemctl
          dot" has moved into systemd-analyze.

        * "systemctl status" with no further parameters will now print
          the status of all active or failed units.

        * Operations such as "systemctl start" can now be executed
          with a new mode "--irreversible" which may be used to queue
          operations that cannot accidentally be reversed by a later
          job queuing. This is by default used to make shutdown
          requests more robust.

        * The Python API of systemd now gained a new module for
          reading journal files.

        * A new tool kernel-install has been added that can install
          kernel images according to the Boot Loader Specification:

          https://systemd.io/BOOT_LOADER_SPECIFICATION

        * Boot time console output has been improved to provide
          animated boot time output for hanging jobs.

        * A new tool systemd-activate has been added which can be used
          to test socket activation with, directly from the command
          line. This should make it much easier to test and debug
          socket activation in daemons.

        * journalctl gained a new "--reverse" (or -r) option to show
          journal output in reverse order (i.e. newest line first).

        * journalctl gained a new "--pager-end" (or -e) option to jump
          to immediately jump to the end of the journal in the
          pager. This is only supported in conjunction with "less".

        * journalctl gained a new "--user-unit=" option, that works
          similarly to "--unit=" but filters for user units rather than
          system units.

        * A number of unit files to ease adoption of systemd in
          initrds has been added. This moves some minimal logic from
          the various initrd implementations into systemd proper.

        * The journal files are now owned by a new group
          "systemd-journal", which exists specifically to allow access
          to the journal, and nothing else. Previously, we used the
          "adm" group for that, which however possibly covers more
          than just journal/log file access. This new group is now
          already used by systemd-journal-gatewayd to ensure this
          daemon gets access to the journal files and as little else
          as possible. Note that "make install" will also set FS ACLs
          up for /var/log/journal to give "adm" and "wheel" read
          access to it, in addition to "systemd-journal" which owns
          the journal files. We recommend that packaging scripts also
          add read access to "adm" + "wheel" to /var/log/journal, and
          all existing/future journal files. To normal users and
          administrators little changes, however packagers need to
          ensure to create the "systemd-journal" system group at
          package installation time.

        * The systemd-journal-gatewayd now runs as unprivileged user
          systemd-journal-gateway:systemd-journal-gateway. Packaging
          scripts need to create these system user/group at
          installation time.

        * timedated now exposes a new boolean property CanNTP that
          indicates whether a local NTP service is available or not.

        * systemd-detect-virt will now also detect xen PVs

        * The pstore file system is now mounted by default, if it is
          available.

        * In addition to the SELinux and IMA policies we will now also
          load SMACK policies at early boot.

        Contributions from: Adel Gadllah, Aleksander Morgado, Auke
        Kok, Ayan George, Bastien Nocera, Colin Walters, Daniel Buch,
        Daniel Wallace, Dave Reisner, David Herrmann, David Strauss,
        Eelco Dolstra, Enrico Scholz, Frederic Crozat, Harald Hoyer,
        Jan Janssen, Jonathan Callen, Kay Sievers, Lennart Poettering,
        Lukas Nykryn, Mantas Mikulėnas, Marc-Antoine Perennou, Martin
        Pitt, Mauro Dreissig, Max F. Albrecht, Michael Biebl, Michael
        Olbrich, Michal Schmidt, Michal Sekletar, Michal Vyskocil,
        Michał Bartoszkiewicz, Mirco Tischler, Nathaniel Chen, Nestor
        Ovroy, Oleksii Shevchuk, Paul W. Frields, Piotr Drąg, Rob
        Clark, Ryan Lortie, Simon McVittie, Simon Peeters, Steven
        Hiscocks, Thomas Hindoe Paaboel Andersen, Tollef Fog Heen, Tom
        Gundersen, Umut Tezduyar, William Giokas, Zbigniew
        Jędrzejewski-Szmek, Zeeshan Ali (Khattak)

CHANGES WITH 197:

        * Timer units now support calendar time events in addition to
          monotonic time events. That means you can now trigger a unit
          based on a calendar time specification such as "Thu,Fri
          2013-*-1,5 11:12:13" which refers to 11:12:13 of the first
          or fifth day of any month of the year 2013, given that it is
          a thursday or friday. This brings timer event support
          considerably closer to cron's capabilities. For details on
          the supported calendar time specification language see
          systemd.time(7).

        * udev now supports a number of different naming policies for
          network interfaces for predictable names, and a combination
          of these policies is now the default. Please see this wiki
          document for details:

          https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html

        * Auke Kok's bootchart implementation has been added to the
          systemd tree. It is an optional component that can graph the
          boot in quite some detail. It is one of the best bootchart
          implementations around and minimal in its code and
          dependencies.

        * nss-myhostname has been integrated into the systemd source
          tree. nss-myhostname guarantees that the local hostname
          always stays resolvable via NSS. It has been a weak
          requirement of systemd-hostnamed since a long time, and
          since its code is actually trivial we decided to just
          include it in systemd's source tree. It can be turned off
          with a configure switch.

        * The read-ahead logic is now capable of properly detecting
          whether a btrfs file system is on SSD or rotating media, in
          order to optimize the read-ahead scheme. Previously, it was
          only capable of detecting this on traditional file systems
          such as ext4.

        * In udev, additional device properties are now read from the
          IAB in addition to the OUI database. Also, Bluetooth company
          identities are attached to the devices as well.

        * In service files %U may be used as specifier that is
          replaced by the configured user name of the service.

        * nspawn may now be invoked without a controlling TTY. This
          makes it suitable for invocation as its own service. This
          may be used to set up a simple containerized server system
          using only core OS tools.

        * systemd and nspawn can now accept socket file descriptors
          when they are started for socket activation. This enables
          implementation of socket activated nspawn
          containers. i.e. think about autospawning an entire OS image
          when the first SSH or HTTP connection is received. We expect
          that similar functionality will also be added to libvirt-lxc
          eventually.

        * journalctl will now suppress ANSI color codes when
          presenting log data.

        * systemctl will no longer show control group information for
          a unit if the control group is empty anyway.

        * logind can now automatically suspend/hibernate/shutdown the
          system on idle.

        * /etc/machine-info and hostnamed now also expose the chassis
          type of the system. This can be used to determine whether
          the local system is a laptop, desktop, handset or
          tablet. This information may either be configured by the
          user/vendor or is automatically determined from ACPI and DMI
          information if possible.

        * A number of polkit actions are now bound together with "imply"
          rules. This should simplify creating UIs because many actions
          will now authenticate similar ones as well.

        * Unit files learnt a new condition ConditionACPower= which
          may be used to conditionalize a unit depending on whether an
          AC power source is connected or not, of whether the system
          is running on battery power.

        * systemctl gained a new "is-failed" verb that may be used in
          shell scripts and suchlike to check whether a specific unit
          is in the "failed" state.

        * The EnvironmentFile= setting in unit files now supports file
          globbing, and can hence be used to easily read a number of
          environment files at once.

        * systemd will no longer detect and recognize specific
          distributions. All distribution-specific #ifdeffery has been
          removed, systemd is now fully generic and
          distribution-agnostic. Effectively, not too much is lost as
          a lot of the code is still accessible via explicit configure
          switches. However, support for some distribution specific
          legacy configuration file formats has been dropped. We
          recommend distributions to simply adopt the configuration
          files everybody else uses now and convert the old
          configuration from packaging scripts. Most distributions
          already did that. If that's not possible or desirable,
          distributions are welcome to forward port the specific
          pieces of code locally from the git history.

        * When logging a message about a unit systemd will now always
          log the unit name in the message meta data.

        * localectl will now also discover system locale data that is
          not stored in locale archives, but directly unpacked.

        * logind will no longer unconditionally use framebuffer
          devices as seat masters, i.e. as devices that are required
          to be existing before a seat is considered preset. Instead,
          it will now look for all devices that are tagged as
          "seat-master" in udev. By default, framebuffer devices will
          be marked as such, but depending on local systems, other
          devices might be marked as well. This may be used to
          integrate graphics cards using closed source drivers (such
          as NVidia ones) more nicely into logind. Note however, that
          we recommend using the open source NVidia drivers instead,
          and no udev rules for the closed-source drivers will be
          shipped from us upstream.

        Contributions from: Adam Williamson, Alessandro Crismani, Auke
        Kok, Colin Walters, Daniel Wallace, Dave Reisner, David
        Herrmann, David Strauss, Dimitrios Apostolou, Eelco Dolstra,
        Eric Benoit, Giovanni Campagna, Hannes Reinecke, Henrik
        Grindal Bakken, Hermann Gausterer, Kay Sievers, Lennart
        Poettering, Lukas Nykryn, Mantas Mikulėnas, Marcel Holtmann,
        Martin Pitt, Matthew Monaco, Michael Biebl, Michael Terry,
        Michal Schmidt, Michal Sekletar, Michał Bartoszkiewicz, Oleg
        Samarin, Pekka Lundstrom, Philip Nilsson, Ramkumar
        Ramachandra, Richard Yao, Robert Millan, Sami Kerola, Shawn
        Landden, Thomas Hindoe Paaboel Andersen, Thomas Jarosch,
        Tollef Fog Heen, Tom Gundersen, Umut Tezduyar, Zbigniew
        Jędrzejewski-Szmek

CHANGES WITH 196:

        * udev gained support for loading additional device properties
          from an indexed database that is keyed by vendor/product IDs
          and similar device identifiers. For the beginning this
          "hwdb" is populated with data from the well-known PCI and
          USB database, but also includes PNP, ACPI and OID data. In
          the longer run this indexed database shall grow into
          becoming the one central database for non-essential
          userspace device metadata. Previously, data from the PCI/USB
          database was only attached to select devices, since the
          lookup was a relatively expensive operation due to O(n) time
          complexity (with n being the number of entries in the
          database). Since this is now O(1), we decided to add in this
          data for all devices where this is available, by
          default. Note that the indexed database needs to be rebuilt
          when new data files are installed. To achieve this you need
          to update your packaging scripts to invoke "udevadm hwdb
          --update" after installation of hwdb data files. For
          RPM-based distributions we introduced the new
          %udev_hwdb_update macro for this purpose.

        * The Journal gained support for the "Message Catalog", an
          indexed database to link up additional information with
          journal entries. For further details please check:

          https://www.freedesktop.org/wiki/Software/systemd/catalog

          The indexed message catalog database also needs to be
          rebuilt after installation of message catalog files. Use
          "journalctl --update-catalog" for this. For RPM-based
          distributions we introduced the %journal_catalog_update
          macro for this purpose.

        * The Python Journal bindings gained support for the standard
          Python logging framework.

        * The Journal API gained new functions for checking whether
          the underlying file system of a journal file is capable of
          properly reporting file change notifications, or whether
          applications that want to reflect journal changes "live"
          need to recheck journal files continuously in appropriate
          time intervals.

        * It is now possible to set the "age" field for tmpfiles
          entries to 0, indicating that files matching this entry
          shall always be removed when the directories are cleaned up.

        * coredumpctl gained a new "gdb" verb which invokes gdb
          right-away on the selected coredump.

        * There's now support for "hybrid sleep" on kernels that
          support this, in addition to "suspend" and "hibernate". Use
          "systemctl hybrid-sleep" to make use of this.

        * logind's HandleSuspendKey= setting (and related settings)
          now gained support for a new "lock" setting to simply
          request the screen lock on all local sessions, instead of
          actually executing a suspend or hibernation.

        * systemd will now mount the EFI variables file system by
          default.

        * Socket units now gained support for configuration of the
          SMACK security label.

        * timedatectl will now output the time of the last and next
          daylight saving change.

        * We dropped support for various legacy and distro-specific
          concepts, such as insserv, early-boot SysV services
          (i.e. those for non-standard runlevels such as 'b' or 'S')
          or ArchLinux /etc/rc.conf support. We recommend the
          distributions who still need support this to either continue
          to maintain the necessary patches downstream, or find a
          different solution. (Talk to us if you have questions!)

        * Various systemd components will now bypass polkit checks for
          root and otherwise handle properly if polkit is not found to
          be around. This should fix most issues for polkit-less
          systems. Quite frankly this should have been this way since
          day one. It is absolutely our intention to make systemd work
          fine on polkit-less systems, and we consider it a bug if
          something does not work as it should if polkit is not around.

        * For embedded systems it is now possible to build udev and
          systemd without blkid and/or kmod support.

        * "systemctl switch-root" is now capable of switching root
          more than once. I.e. in addition to transitions from the
          initrd to the host OS it is now possible to transition to
          further OS images from the host. This is useful to implement
          offline updating tools.

        * Various other additions have been made to the RPM macros
          shipped with systemd. Use %udev_rules_update() after
          installing new udev rules files. %_udevhwdbdir,
          %_udevrulesdir, %_journalcatalogdir, %_tmpfilesdir,
          %_sysctldir are now available which resolve to the right
          directories for packages to place various data files in.

        * journalctl gained the new --full switch (in addition to
          --all, to disable ellipsation for long messages.

        Contributions from: Anders Olofsson, Auke Kok, Ben Boeckel,
        Colin Walters, Cosimo Cecchi, Daniel Wallace, Dave Reisner,
        Eelco Dolstra, Holger Hans Peter Freyther, Kay Sievers,
        Chun-Yi Lee, Lekensteyn, Lennart Poettering, Mantas Mikulėnas,
        Marti Raudsepp, Martin Pitt, Mauro Dreissig, Michael Biebl,
        Michal Schmidt, Michal Sekletar, Miklos Vajna, Nis Martensen,
        Oleksii Shevchuk, Olivier Brunel, Ramkumar Ramachandra, Thomas
        Bächler, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Tony
        Camuso, Umut Tezduyar, Zbigniew Jędrzejewski-Szmek

CHANGES WITH 195:

        * journalctl gained new --since= and --until= switches to
          filter by time. It also now supports nice filtering for
          units via --unit=/-u.

        * Type=oneshot services may use ExecReload= and do the
          right thing.

        * The journal daemon now supports time-based rotation and
          vacuuming, in addition to the usual disk-space based
          rotation.

        * The journal will now index the available field values for
          each field name. This enables clients to show pretty drop
          downs of available match values when filtering. The bash
          completion of journalctl has been updated
          accordingly. journalctl gained a new switch -F to list all
          values a certain field takes in the journal database.

        * More service events are now written as structured messages
          to the journal, and made recognizable via message IDs.

        * The timedated, localed and hostnamed mini-services which
          previously only provided support for changing time, locale
          and hostname settings from graphical DEs such as GNOME now
          also have a minimal (but very useful) text-based client
          utility each. This is probably the nicest way to changing
          these settings from the command line now, especially since
          it lists available options and is fully integrated with bash
          completion.

        * There's now a new tool "systemd-coredumpctl" to list and
          extract coredumps from the journal.

        * We now install a README each in /var/log/ and
          /etc/rc.d/init.d explaining where the system logs and init
          scripts went. This hopefully should help folks who go to
          that dirs and look into the otherwise now empty void and
          scratch their heads.

        * When user-services are invoked (by systemd --user) the
          $MANAGERPID env var is set to the PID of systemd.

        * SIGRTMIN+24 when sent to a --user instance will now result
          in immediate termination of systemd.

        * gatewayd received numerous feature additions such as a
          "follow" mode, for live syncing and filtering.

        * browse.html now allows filtering and showing detailed
          information on specific entries. Keyboard navigation and
          mouse screen support has been added.

        * gatewayd/journalctl now supports HTML5/JSON
          Server-Sent-Events as output.

        * The SysV init script compatibility logic will now
          heuristically determine whether a script supports the
          "reload" verb, and only then make this available as
          "systemctl reload".

        * "systemctl status --follow" has been removed, use "journalctl
          -u" instead.

        * journald.conf's RuntimeMinSize=, PersistentMinSize= settings
          have been removed since they are hardly useful to be
          configured.

        * And I'd like to take the opportunity to specifically mention
          Zbigniew for his great contributions. Zbigniew, you rock!

        Contributions from: Andrew Eikum, Christian Hesse, Colin
        Guthrie, Daniel J Walsh, Dave Reisner, Eelco Dolstra, Ferenc
        Wágner, Kay Sievers, Lennart Poettering, Lukas Nykryn, Mantas
        Mikulėnas, Martin Mikkelsen, Martin Pitt, Michael Olbrich,
        Michael Stapelberg, Michal Schmidt, Sebastian Ott, Thomas
        Bächler, Umut Tezduyar, Will Woods, Wulf C. Krueger, Zbigniew
        Jędrzejewski-Szmek, Сковорода Никита Андреевич

CHANGES WITH 194:

        * If /etc/vconsole.conf is non-existent or empty we will no
          longer load any console font or key map at boot by
          default. Instead the kernel defaults will be left
          intact. This is definitely the right thing to do, as no
          configuration should mean no configuration, and hard-coding
          font names that are different on all archs is probably a bad
          idea. Also, the kernel default key map and font should be
          good enough for most cases anyway, and mostly identical to
          the userspace fonts/key maps we previously overloaded them
          with. If distributions want to continue to default to a
          non-kernel font or key map they should ship a default
          /etc/vconsole.conf with the appropriate contents.

        Contributions from: Colin Walters, Daniel J Walsh, Dave
        Reisner, Kay Sievers, Lennart Poettering, Lukas Nykryn, Tollef
        Fog Heen, Tom Gundersen, Zbigniew Jędrzejewski-Szmek

CHANGES WITH 193:

        * journalctl gained a new --cursor= switch to show entries
          starting from the specified location in the journal.

        * We now enforce a size limit on journal entry fields exported
          with "-o json" in journalctl. Fields larger than 4K will be
          assigned null. This can be turned off with --all.

        * An (optional) journal gateway daemon is now available as
          "systemd-journal-gatewayd.service". This service provides
          access to the journal via HTTP and JSON. This functionality
          will be used to implement live log synchronization in both
          pull and push modes, but has various other users too, such
          as easy log access for debugging of embedded devices. Right
          now it is already useful to retrieve the journal via HTTP:

          # systemctl start systemd-journal-gatewayd.service
          # wget http://localhost:19531/entries

          This will download the journal contents in a
          /var/log/messages compatible format. The same as JSON:

          # curl -H"Accept: application/json" http://localhost:19531/entries

          This service is also accessible via a web browser where a
          single static HTML5 app is served that uses the JSON logic
          to enable the user to do some basic browsing of the
          journal. This will be extended later on. Here's an example
          screenshot of this app in its current state:

          http://0pointer.de/public/journal-gatewayd

        Contributions from: Kay Sievers, Lennart Poettering, Robert
        Milasan, Tom Gundersen

CHANGES WITH 192:

        * The bash completion logic is now available for journalctl
          too.

        * We do not mount the "cpuset" controller anymore together with
          "cpu" and "cpuacct", as "cpuset" groups generally cannot be
          started if no parameters are assigned to it. "cpuset" hence
          broke code that assumed it could create "cpu" groups and
          just start them.

        * journalctl -f will now subscribe to terminal size changes,
          and line break accordingly.

        Contributions from: Dave Reisner, Kay Sievers, Lennart
        Poettering, Lukas Nykrynm, Mirco Tischler, Václav Pavlín

CHANGES WITH 191:

        * nspawn will now create a symlink /etc/localtime in the
          container environment, copying the host's timezone
          setting. Previously this has been done via a bind mount, but
          since symlinks cannot be bind mounted this has now been
          changed to create/update the appropriate symlink.

        * journalctl -n's line number argument is now optional, and
          will default to 10 if omitted.

        * journald will now log the maximum size the journal files may
          take up on disk. This is particularly useful if the default
          built-in logic of determining this parameter from the file
          system size is used. Use "systemctl status
          systemd-journald.service" to see this information.

        * The multi-seat X wrapper tool has been stripped down. As X
          is now capable of enumerating graphics devices via udev in a
          seat-aware way the wrapper is not strictly necessary
          anymore. A stripped down temporary stop-gap is still shipped
          until the upstream display managers have been updated to
          fully support the new X logic. Expect this wrapper to be
          removed entirely in one of the next releases.

        * HandleSleepKey= in logind.conf has been split up into
          HandleSuspendKey= and HandleHibernateKey=. The old setting
          is not available anymore. X11 and the kernel are
          distinguishing between these keys and we should too. This
          also means the inhibition lock for these keys has been split
          into two.

        Contributions from: Dave Airlie, Eelco Dolstra, Lennart
        Poettering, Lukas Nykryn, Václav Pavlín

CHANGES WITH 190:

        * Whenever a unit changes state we will now log this to the
          journal and show along the unit's own log output in
          "systemctl status".

        * ConditionPathIsMountPoint= can now properly detect bind
          mount points too. (Previously, a bind mount of one file
          system to another place in the same file system could not be
          detected as mount, since they shared struct stat's st_dev
          field.)

        * We will now mount the cgroup controllers cpu, cpuacct,
          cpuset and the controllers net_cls, net_prio together by
          default.

        * nspawn containers will now have a virtualized boot
          ID. (i.e. /proc/sys/kernel/random/boot_id is now mounted
          over with a randomized ID at container initialization). This
          has the effect of making "journalctl -b" do the right thing
          in a container.

        * The JSON output journal serialization has been updated not
          to generate "endless" list objects anymore, but rather one
          JSON object per line. This is more in line how most JSON
          parsers expect JSON objects. The new output mode
          "json-pretty" has been added to provide similar output, but
          neatly aligned for readability by humans.

        * We dropped all explicit sync() invocations in the shutdown
          code. The kernel does this implicitly anyway in the kernel
          reboot() syscall. halt(8)'s -n option is now a compatibility
          no-op.

        * We now support virtualized reboot() in containers, as
          supported by newer kernels. We will fall back to exit() if
          CAP_SYS_REBOOT is not available to the container. Also,
          nspawn makes use of this now and will actually reboot the
          container if the containerized OS asks for that.

        * journalctl will only show local log output by default
          now. Use --merge (-m) to show remote log output, too.

        * libsystemd-journal gained the new sd_journal_get_usage()
          call to determine the current disk usage of all journal
          files. This is exposed in the new "journalctl --disk-usage"
          command.

        * journald gained a new configuration setting SplitMode= in
          journald.conf which may be used to control how user journals
          are split off. See journald.conf(5) for details.

        * A new condition type ConditionFileNotEmpty= has been added.

        * tmpfiles' "w" lines now support file globbing, to write
          multiple files at once.

        * We added Python bindings for the journal submission
          APIs. More Python APIs for a number of selected APIs will
          likely follow. Note that we intend to add native bindings
          only for the Python language, as we consider it common
          enough to deserve bindings shipped within systemd. There are
          various projects outside of systemd that provide bindings
          for languages such as PHP or Lua.

        * Many conditions will now resolve specifiers such as %i. In
          addition, PathChanged= and related directives of .path units
          now support specifiers as well.

        * There's now a new RPM macro definition for the system preset
          dir: %_presetdir.

        * journald will now warn if it ca not forward a message to the
          syslog daemon because its socket is full.

        * timedated will no longer write or process /etc/timezone,
          except on Debian. As we do not support late mounted /usr
          anymore /etc/localtime always being a symlink is now safe,
          and hence the information in /etc/timezone is not necessary
          anymore.

        * logind will now always reserve one VT for a text getty (VT6
          by default). Previously if more than 6 X sessions where
          started they took up all the VTs with auto-spawned gettys,
          so that no text gettys were available anymore.

        * udev will now automatically inform the btrfs kernel logic
          about btrfs RAID components showing up. This should make
          simple hotplug based btrfs RAID assembly work.

        * PID 1 will now increase its RLIMIT_NOFILE to 64K by default
          (but not for its children which will stay at the kernel
          default). This should allow setups with a lot more listening
          sockets.

        * systemd will now always pass the configured timezone to the
          kernel at boot. timedated will do the same when the timezone
          is changed.

        * logind's inhibition logic has been updated. By default,
          logind will now handle the lid switch, the power and sleep
          keys all the time, even in graphical sessions. If DEs want
          to handle these events on their own they should take the new
          handle-power-key, handle-sleep-key and handle-lid-switch
          inhibitors during their runtime. A simple way to achieve
          that is to invoke the DE wrapped in an invocation of:

          systemd-inhibit --what=handle-power-key:handle-sleep-key:handle-lid-switch …

        * Access to unit operations is now checked via SELinux taking
          the unit file label and client process label into account.

        * systemd will now notify the administrator in the journal
          when he over-mounts a non-empty directory.

        * There are new specifiers that are resolved in unit files,
          for the hostname (%H), the machine ID (%m) and the boot ID
          (%b).

        Contributions from: Allin Cottrell, Auke Kok, Brandon Philips,
        Colin Guthrie, Colin Walters, Daniel J Walsh, Dave Reisner,
        Eelco Dolstra, Jan Engelhardt, Kay Sievers, Lennart
        Poettering, Lucas De Marchi, Lukas Nykryn, Mantas Mikulėnas,
        Martin Pitt, Matthias Clasen, Michael Olbrich, Pierre Schmitz,
        Shawn Landden, Thomas Hindoe Paaboel Andersen, Tom Gundersen,
        Václav Pavlín, Yin Kangkai, Zbigniew Jędrzejewski-Szmek

CHANGES WITH 189:

        * Support for reading structured kernel messages from
          /dev/kmsg has now been added and is enabled by default.

        * Support for reading kernel messages from /proc/kmsg has now
          been removed. If you want kernel messages in the journal
          make sure to run a recent kernel (>= 3.5) that supports
          reading structured messages from /dev/kmsg (see
          above). /proc/kmsg is now exclusive property of classic
          syslog daemons again.

        * The libudev API gained the new
          udev_device_new_from_device_id() call.

        * The logic for file system namespace (ReadOnlyDirectory=,
          ReadWriteDirectoy=, PrivateTmp=) has been reworked not to
          require pivot_root() anymore. This means fewer temporary
          directories are created below /tmp for this feature.

        * nspawn containers will now see and receive all submounts
          made on the host OS below the root file system of the
          container.

        * Forward Secure Sealing is now supported for Journal files,
          which provide cryptographical sealing of journal files so
          that attackers cannot alter log history anymore without this
          being detectable. Lennart will soon post a blog story about
          this explaining it in more detail.

        * There are two new service settings RestartPreventExitStatus=
          and SuccessExitStatus= which allow configuration of exit
          status (exit code or signal) which will be excepted from the
          restart logic, resp. consider successful.

        * journalctl gained the new --verify switch that can be used
          to check the integrity of the structure of journal files and
          (if Forward Secure Sealing is enabled) the contents of
          journal files.

        * nspawn containers will now be run with /dev/stdin, /dev/fd/
          and similar symlinks pre-created. This makes running shells
          as container init process a lot more fun.

        * The fstab support can now handle PARTUUID= and PARTLABEL=
          entries.

        * A new ConditionHost= condition has been added to match
          against the hostname (with globs) and machine ID. This is
          useful for clusters where a single OS image is used to
          provision a large number of hosts which shall run slightly
          different sets of services.

        * Services which hit the restart limit will now be placed in a
          failure state.

        Contributions from: Bertram Poettering, Dave Reisner, Huang
        Hang, Kay Sievers, Lennart Poettering, Lukas Nykryn, Martin
        Pitt, Simon Peeters, Zbigniew Jędrzejewski-Szmek

CHANGES WITH 188:

        * When running in --user mode systemd will now become a
          subreaper (PR_SET_CHILD_SUBREAPER). This should make the ps
          tree a lot more organized.

        * A new PartOf= unit dependency type has been introduced that
          may be used to group services in a natural way.

        * "systemctl enable" may now be used to enable instances of
          services.

        * journalctl now prints error log levels in red, and
          warning/notice log levels in bright white. It also supports
          filtering by log level now.

        * cgtop gained a new -n switch (similar to top), to configure
          the maximum number of iterations to run for. It also gained
          -b, to run in batch mode (accepting no input).

        * The suffix ".service" may now be omitted on most systemctl
          command lines involving service unit names.

        * There's a new bus call in logind to lock all sessions, as
          well as a loginctl verb for it "lock-sessions".

        * libsystemd-logind.so gained a new call sd_journal_perror()
          that works similar to libc perror() but logs to the journal
          and encodes structured information about the error number.

        * /etc/crypttab entries now understand the new keyfile-size=
          option.

        * shutdown(8) now can send a (configurable) wall message when
          a shutdown is cancelled.

        * The mount propagation mode for the root file system will now
          default to "shared", which is useful to make containers work
          nicely out-of-the-box so that they receive new mounts from
          the host. This can be undone locally by running "mount
          --make-rprivate /" if needed.

        * The prefdm.service file has been removed. Distributions
          should maintain this unit downstream if they intend to keep
          it around. However, we recommend writing normal unit files
          for display managers instead.

        * Since systemd is a crucial part of the OS we will now
          default to a number of compiler switches that improve
          security (hardening) such as read-only relocations, stack
          protection, and suchlike.

        * The TimeoutSec= setting for services is now split into
          TimeoutStartSec= and TimeoutStopSec= to allow configuration
          of individual time outs for the start and the stop phase of
          the service.

        Contributions from: Artur Zaprzala, Arvydas Sidorenko, Auke
        Kok, Bryan Kadzban, Dave Reisner, David Strauss, Harald Hoyer,
        Jim Meyering, Kay Sievers, Lennart Poettering, Mantas
        Mikulėnas, Martin Pitt, Michal Schmidt, Michal Sekletar, Peter
        Alfredsen, Shawn Landden, Simon Peeters, Terence Honles, Tom
        Gundersen, Zbigniew Jędrzejewski-Szmek

CHANGES WITH 187:

        * The journal and id128 C APIs are now fully documented as man
          pages.

        * Extra safety checks have been added when transitioning from
          the initial RAM disk to the main system to avoid accidental
          data loss.

        * /etc/crypttab entries now understand the new keyfile-offset=
          option.

        * systemctl -t can now be used to filter by unit load state.

        * The journal C API gained the new sd_journal_wait() call to
          make writing synchronous journal clients easier.

        * journalctl gained the new -D switch to show journals from a
          specific directory.

        * journalctl now displays a special marker between log
          messages of two different boots.

        * The journal is now explicitly flushed to /var via a service
          systemd-journal-flush.service, rather than implicitly simply
          by seeing /var/log/journal to be writable.

        * journalctl (and the journal C APIs) can now match for much
          more complex expressions, with alternatives and
          disjunctions.

        * When transitioning from the initial RAM disk to the main
          system we will now kill all processes in a killing spree to
          ensure no processes stay around by accident.

        * Three new specifiers may be used in unit files: %u, %h, %s
          resolve to the user name, user home directory resp. user
          shell. This is useful for running systemd user instances.

        * We now automatically rotate journal files if their data
          object hash table gets a fill level > 75%. We also size the
          hash table based on the configured maximum file size. This
          together should lower hash collisions drastically and thus
          speed things up a bit.

        * journalctl gained the new "--header" switch to introspect
          header data of journal files.

        * A new setting SystemCallFilters= has been added to services which may
          be used to apply deny lists or allow lists to system calls. This is
          based on SECCOMP Mode 2 of Linux 3.5.

        * nspawn gained a new --link-journal= switch (and quicker: -j)
          to link the container journal with the host. This makes it
          very easy to centralize log viewing on the host for all
          guests while still keeping the journal files separated.

        * Many bugfixes and optimizations

        Contributions from: Auke Kok, Eelco Dolstra, Harald Hoyer, Kay
        Sievers, Lennart Poettering, Malte Starostik, Paul Menzel, Rex
        Tsai, Shawn Landden, Tom Gundersen, Ville Skyttä, Zbigniew
        Jędrzejewski-Szmek

CHANGES WITH 186:

        * Several tools now understand kernel command line arguments,
          which are only read when run in an initial RAM disk. They
          usually follow closely their normal counterparts, but are
          prefixed with rd.

        * There's a new tool to analyze the readahead files that are
          automatically generated at boot. Use:

          /usr/lib/systemd/systemd-readahead analyze /.readahead

        * We now provide an early debug shell on tty9 if this enabled. Use:

          systemctl enable debug-shell.service

        * All plymouth related units have been moved into the Plymouth
          package. Please make sure to upgrade your Plymouth version
          as well.

        * systemd-tmpfiles now supports getting passed the basename of
          a configuration file only, in which case it will look for it
          in all appropriate directories automatically.

        * udevadm info now takes a /dev or /sys path as argument, and
          does the right thing. Example:

          udevadm info /dev/sda
          udevadm info /sys/class/block/sda

        * systemctl now prints a warning if a unit is stopped but a
          unit that might trigger it continues to run. Example: a
          service is stopped but the socket that activates it is left
          running.

        * "systemctl status" will now mention if the log output was
          shortened due to rotation since a service has been started.

        * The journal API now exposes functions to determine the
          "cutoff" times due to rotation.

        * journald now understands SIGUSR1 and SIGUSR2 for triggering
          immediately flushing of runtime logs to /var if possible,
          resp. for triggering immediate rotation of the journal
          files.

        * It is now considered an error if a service is attempted to
          be stopped that is not loaded.

        * XDG_RUNTIME_DIR now uses numeric UIDs instead of usernames.

        * systemd-analyze now supports Python 3

        * tmpfiles now supports cleaning up directories via aging
          where the first level dirs are always kept around but
          directories beneath it automatically aged. This is enabled
          by prefixing the age field with '~'.

        * Seat objects now expose CanGraphical, CanTTY properties
          which is required to deal with very fast bootups where the
          display manager might be running before the graphics drivers
          completed initialization.

        * Seat objects now expose a State property.

        * We now include RPM macros for service enabling/disabling
          based on the preset logic. We recommend RPM based
          distributions to make use of these macros if possible. This
          makes it simpler to reuse RPM spec files across
          distributions.

        * We now make sure that the collected systemd unit name is
          always valid when services log to the journal via
          STDOUT/STDERR.

        * There's a new man page kernel-command-line(7) detailing all
          command line options we understand.

        * The fstab generator may now be disabled at boot by passing
          fstab=0 on the kernel command line.

        * A new kernel command line option modules-load= is now understood
          to load a specific kernel module statically, early at boot.

        * Unit names specified on the systemctl command line are now
          automatically escaped as needed. Also, if file system or
          device paths are specified they are automatically turned
          into the appropriate mount or device unit names. Example:

          systemctl status /home
          systemctl status /dev/sda

        * The SysVConsole= configuration option has been removed from
          system.conf parsing.

        * The SysV search path is no longer exported on the D-Bus
          Manager object.

        * The Names= option has been removed from unit file parsing.

        * There's a new man page bootup(7) detailing the boot process.

        * Every unit and every generator we ship with systemd now
          comes with full documentation. The self-explanatory boot is
          complete.

        * A couple of services gained "systemd-" prefixes in their
          name if they wrap systemd code, rather than only external
          code. Among them fsck@.service which is now
          systemd-fsck@.service.

        * The HaveWatchdog property has been removed from the D-Bus
          Manager object.

        * systemd.confirm_spawn= on the kernel command line should now
          work sensibly.

        * There's a new man page crypttab(5) which details all options
          we actually understand.

        * systemd-nspawn gained a new --capability= switch to pass
          additional capabilities to the container.

        * timedated will now read known NTP implementation unit names
          from /usr/lib/systemd/ntp-units.d/*.list,
          systemd-timedated-ntp.target has been removed.

        * journalctl gained a new switch "-b" that lists log data of
          the current boot only.

        * The notify socket is in the abstract namespace again, in
          order to support daemons which chroot() at start-up.

        * There is a new Storage= configuration option for journald
          which allows configuration of where log data should go. This
          also provides a way to disable journal logging entirely, so
          that data collected is only forwarded to the console, the
          kernel log buffer or another syslog implementation.

        * Many bugfixes and optimizations

        Contributions from: Auke Kok, Colin Guthrie, Dave Reisner,
        David Strauss, Eelco Dolstra, Kay Sievers, Lennart Poettering,
        Lukas Nykryn, Michal Schmidt, Michal Sekletar, Paul Menzel,
        Shawn Landden, Tom Gundersen

CHANGES WITH 185:

        * "systemctl help <unit>" now shows the man page if one is
          available.

        * Several new man pages have been added.

        * MaxLevelStore=, MaxLevelSyslog=, MaxLevelKMsg=,
          MaxLevelConsole= can now be specified in
          journald.conf. These options allow reducing the amount of
          data stored on disk or forwarded by the log level.

        * TimerSlackNSec= can now be specified in system.conf for
          PID1. This allows system-wide power savings.

        Contributions from: Dave Reisner, Kay Sievers, Lauri Kasanen,
        Lennart Poettering, Malte Starostik, Marc-Antoine Perennou,
        Matthias Clasen

CHANGES WITH 184:

        * logind is now capable of (optionally) handling power and
          sleep keys as well as the lid switch.

        * journalctl now understands the syntax "journalctl
          /usr/bin/avahi-daemon" to get all log output of a specific
          daemon.

        * CapabilityBoundingSet= in system.conf now also influences
          the capability bound set of usermode helpers of the kernel.

        Contributions from: Daniel Drake, Daniel J. Walsh, Gert
        Michael Kulyk, Harald Hoyer, Jean Delvare, Kay Sievers,
        Lennart Poettering, Matthew Garrett, Matthias Clasen, Paul
        Menzel, Shawn Landden, Tero Roponen, Tom Gundersen

CHANGES WITH 183:

        * Note that we skipped 139 releases here in order to set the
          new version to something that is greater than both udev's
          and systemd's most recent version number.

        * udev: all udev sources are merged into the systemd source tree now.
          All future udev development will happen in the systemd tree. It
          is still fully supported to use the udev daemon and tools without
          systemd running, like in initramfs or other init systems. Building
          udev though, will require the *build* of the systemd tree, but
          udev can be properly *run* without systemd.

        * udev: /lib/udev/devices/ are not read anymore; systemd-tmpfiles
          should be used to create dead device nodes as workarounds for broken
          subsystems.

        * udev: RUN+="socket:…"  and udev_monitor_new_from_socket() is
          no longer supported. udev_monitor_new_from_netlink() needs to be
          used to subscribe to events.

        * udev: when udevd is started by systemd, processes which are left
          behind by forking them off of udev rules, are unconditionally cleaned
          up and killed now after the event handling has finished. Services or
          daemons must be started as systemd services. Services can be
          pulled-in by udev to get started, but they can no longer be directly
          forked by udev rules.

        * udev: the daemon binary is called systemd-udevd now and installed
          in /usr/lib/systemd/. Standalone builds or non-systemd systems need
          to adapt to that, create symlink, or rename the binary after building
          it.

        * libudev no longer provides these symbols:
            udev_monitor_from_socket()
            udev_queue_get_failed_list_entry()
            udev_get_{dev,sys,run}_path()
          The versions number was bumped and symbol versioning introduced.

        * systemd-loginctl and systemd-journalctl have been renamed
          to loginctl and journalctl to match systemctl.

        * The config files: /etc/systemd/systemd-logind.conf and
          /etc/systemd/systemd-journald.conf have been renamed to
          logind.conf and journald.conf. Package updates should rename
          the files to the new names on upgrade.

        * For almost all files the license is now LGPL2.1+, changed
          from the previous GPL2.0+. Exceptions are some minor stuff
          of udev (which will be changed to LGPL2.1 eventually, too),
          and the MIT licensed sd-daemon.[ch] library that is suitable
          to be used as drop-in files.

        * systemd and logind now handle system sleep states, in
          particular suspending and hibernating.

        * logind now implements a sleep/shutdown/idle inhibiting logic
          suitable for a variety of uses. Soonishly Lennart will blog
          about this in more detail.

        * var-run.mount and var-lock.mount are no longer provided
          (which previously bind mounted these directories to their new
          places). Distributions which have not converted these
          directories to symlinks should consider stealing these files
          from git history and add them downstream.

        * We introduced the Documentation= field for units and added
          this to all our shipped units. This is useful to make it
          easier to explore the boot and the purpose of the various
          units.

        * All smaller setup units (such as
          systemd-vconsole-setup.service) now detect properly if they
          are run in a container and are skipped when
          appropriate. This guarantees an entirely noise-free boot in
          Linux container environments such as systemd-nspawn.

        * A framework for implementing offline system updates is now
          integrated, for details see:
          https://www.freedesktop.org/software/systemd/man/systemd.offline-updates.html

        * A new service type Type=idle is available now which helps us
          avoiding ugly interleaving of getty output and boot status
          messages.

        * There's now a system-wide CapabilityBoundingSet= option to
          globally reduce the set of capabilities for the
          system. This is useful to drop CAP_SYS_MKNOD, CAP_SYS_RAWIO,
          CAP_NET_RAW, CAP_SYS_MODULE, CAP_SYS_TIME, CAP_SYS_PTRACE or
          even CAP_NET_ADMIN system-wide for secure systems.

        * There are now system-wide DefaultLimitXXX= options to
          globally change the defaults of the various resource limits
          for all units started by PID 1.

        * Harald Hoyer's systemd test suite has been integrated into
          systemd which allows easy testing of systemd builds in qemu
          and nspawn. (This is really awesome! Ask us for details!)

        * The fstab parser is now implemented as generator, not inside
          of PID 1 anymore.

        * systemctl will now warn you if .mount units generated from
          /etc/fstab are out of date due to changes in fstab that
          have not been read by systemd yet.

        * systemd is now suitable for usage in initrds. Dracut has
          already been updated to make use of this. With this in place
          initrds get a slight bit faster but primarily are much
          easier to introspect and debug since "systemctl status" in
          the host system can be used to introspect initrd services,
          and the journal from the initrd is kept around too.

        * systemd-delta has been added, a tool to explore differences
          between user/admin configuration and vendor defaults.

        * PrivateTmp= now affects both /tmp and /var/tmp.

        * Boot time status messages are now much prettier and feature
          proper english language. Booting up systemd has never been
          so sexy.

        * Read-ahead pack files now include the inode number of all
          files to pre-cache. When the inode changes the pre-caching
          is not attempted. This should be nicer to deal with updated
          packages which might result in changes of read-ahead
          patterns.

        * We now temporaritly lower the kernel's read_ahead_kb variable
          when collecting read-ahead data to ensure the kernel's
          built-in read-ahead does not add noise to our measurements
          of necessary blocks to pre-cache.

        * There's now RequiresMountsFor= to add automatic dependencies
          for all mounts necessary for a specific file system path.

        * MountAuto= and SwapAuto= have been removed from
          system.conf. Mounting file systems at boot has to take place
          in systemd now.

        * nspawn now learned a new switch --uuid= to set the machine
          ID on the command line.

        * nspawn now learned the -b switch to automatically search
          for an init system.

        * vt102 is now the default TERM for serial TTYs, upgraded from
          vt100.

        * systemd-logind now works on VT-less systems.

        * The build tree has been reorganized. The individual
          components now have directories of their own.

        * A new condition type ConditionPathIsReadWrite= is now available.

        * nspawn learned the new -C switch to create cgroups for the
          container in other hierarchies.

        * We now have support for hardware watchdogs, configurable in
          system.conf.

        * The scheduled shutdown logic now has a public API.

        * We now mount /tmp as tmpfs by default, but this can be
          masked and /etc/fstab can override it.

        * Since udisks does not make use of /media anymore we are not
          mounting a tmpfs on it anymore.

        * journalctl gained a new --local switch to only interleave
          locally generated journal files.

        * We can now load the IMA policy at boot automatically.

        * The GTK tools have been split off into a systemd-ui.

        Contributions from: Andreas Schwab, Auke Kok, Ayan George,
        Colin Guthrie, Daniel Mack, Dave Reisner, David Ward, Elan
        Ruusamäe, Frederic Crozat, Gergely Nagy, Guillermo Vidal,
        Hannes Reinecke, Harald Hoyer, Javier Jardón, Kay Sievers,
        Lennart Poettering, Lucas De Marchi, Léo Gillot-Lamure,
        Marc-Antoine Perennou, Martin Pitt, Matthew Monaco, Maxim
        A. Mikityanskiy, Michael Biebl, Michael Olbrich, Michal
        Schmidt, Nis Martensen, Patrick McCarty, Roberto Sassu, Shawn
        Landden, Sjoerd Simons, Sven Anders, Tollef Fog Heen, Tom
        Gundersen

CHANGES WITH 44:

        * This is mostly a bugfix release

        * Support optional initialization of the machine ID from the
          KVM or container configured UUID.

        * Support immediate reboots with "systemctl reboot -ff"

        * Show /etc/os-release data in systemd-analyze output

        * Many bugfixes for the journal, including endianness fixes and
          ensuring that disk space enforcement works

        * sd-login.h is C++ compatible again

        * Extend the /etc/os-release format on request of the Debian
          folks

        * We now refuse non-UTF8 strings used in various configuration
          and unit files. This is done to ensure we do not pass invalid
          data over D-Bus or expose it elsewhere.

        * Register Mimo USB Screens as suitable for automatic seat
          configuration

        * Read SELinux client context from journal clients in a race
          free fashion

        * Reorder configuration file lookup order. /etc now always
          overrides /run in order to allow the administrator to always
          and unconditionally override vendor-supplied or
          automatically generated data.

        * The various user visible bits of the journal now have man
          pages. We still lack man pages for the journal API calls
          however.

        * We now ship all man pages in HTML format again in the
          tarball.

        Contributions from: Dave Reisner, Dirk Eibach, Frederic
        Crozat, Harald Hoyer, Kay Sievers, Lennart Poettering, Marti
        Raudsepp, Michal Schmidt, Shawn Landden, Tero Roponen, Thierry
        Reding

CHANGES WITH 43:

        * This is mostly a bugfix release

        * systems lacking /etc/os-release  are no longer supported.

        * Various functionality updates to libsystemd-login.so

        * Track class of PAM logins to distinguish greeters from
          normal user logins.

        Contributions from: Kay Sievers, Lennart Poettering, Michael
        Biebl

CHANGES WITH 42:

        * This is an important bugfix release for v41.

        * Building man pages is now optional which should be useful
          for those building systemd from git but unwilling to install
          xsltproc.

        * Watchdog support for supervising services is now usable. In
          a future release support for hardware watchdogs
          (i.e. /dev/watchdog) will be added building on this.

        * Service start rate limiting is now configurable and can be
          turned off per service. When a start rate limit is hit a
          reboot can automatically be triggered.

        * New CanReboot(), CanPowerOff() bus calls in systemd-logind.

        Contributions from: Benjamin Franzke, Bill Nottingham,
        Frederic Crozat, Lennart Poettering, Michael Olbrich, Michal
        Schmidt, Michał Górny, Piotr Drąg

CHANGES WITH 41:

        * The systemd binary is installed /usr/lib/systemd/systemd now;
          An existing /sbin/init symlink needs to be adapted with the
          package update.

        * The code that loads kernel modules has been ported to invoke
          libkmod directly, instead of modprobe. This means we do not
          support systems with module-init-tools anymore.

        * Watchdog support is now already useful, but still not
          complete.

        * A new kernel command line option systemd.setenv= is
          understood to set system wide environment variables
          dynamically at boot.

        * We now limit the set of capabilities of systemd-journald.

        * We now set SIGPIPE to ignore by default, since it only is
          useful in shell pipelines, and has little use in general
          code. This can be disabled with IgnoreSIPIPE=no in unit
          files.

        Contributions from: Benjamin Franzke, Kay Sievers, Lennart
        Poettering, Michael Olbrich, Michal Schmidt, Tom Gundersen,
        William Douglas

CHANGES WITH 40:

        * This is mostly a bugfix release

        * We now expose the reason why a service failed in the
          "Result" D-Bus property.

        * Rudimentary service watchdog support (will be completed over
          the next few releases.)

        * When systemd forks off in order execute some service we will
          now immediately changes its argv[0] to reflect which process
          it will execute. This is useful to minimize the time window
          with a generic argv[0], which makes bootcharts more useful

        Contributions from: Alvaro Soliverez, Chris Paulson-Ellis, Kay
        Sievers, Lennart Poettering, Michael Olbrich, Michal Schmidt,
        Mike Kazantsev, Ray Strode

CHANGES WITH 39:

        * This is mostly a test release, but incorporates many
          bugfixes.

        * New systemd-cgtop tool to show control groups by their
          resource usage.

        * Linking against libacl for ACLs is optional again. If
          disabled, support tracking device access for active logins
          goes becomes unavailable, and so does access to the user
          journals by the respective users.

        * If a group "adm" exists, journal files are automatically
          owned by them, thus allow members of this group full access
          to the system journal as well as all user journals.

        * The journal now stores the SELinux context of the logging
          client for all entries.

        * Add C++ inclusion guards to all public headers

        * New output mode "cat" in the journal to print only text
          messages, without any meta data like date or time.

        * Include tiny X server wrapper as a temporary stop-gap to
          teach XOrg udev display enumeration. This is used by display
          managers such as gdm, and will go away as soon as XOrg
          learned native udev hotplugging for display devices.

        * Add new systemd-cat tool for executing arbitrary programs
          with STDERR/STDOUT connected to the journal. Can also act as
          BSD logger replacement, and does so by default.

        * Optionally store all locally generated coredumps in the
          journal along with meta data.

        * systemd-tmpfiles learnt four new commands: n, L, c, b, for
          writing short strings to files (for usage for /sys), and for
          creating symlinks, character and block device nodes.

        * New unit file option ControlGroupPersistent= to make cgroups
          persistent, following the mechanisms outlined in
          https://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups

        * Support multiple local RTCs in a sane way

        * No longer monopolize IO when replaying readahead data on
          rotating disks, since we might starve non-file-system IO to
          death, since fanotify() will not see accesses done by blkid,
          or fsck.

        * Do not show kernel threads in systemd-cgls anymore, unless
          requested with new -k switch.

        Contributions from: Dan Horák, Kay Sievers, Lennart
        Poettering, Michal Schmidt

CHANGES WITH 38:

        * This is mostly a test release, but incorporates many
          bugfixes.

        * The git repository moved to:
          git://anongit.freedesktop.org/systemd/systemd
          ssh://git.freedesktop.org/git/systemd/systemd

        * First release with the journal
          http://0pointer.de/blog/projects/the-journal.html

        * The journal replaces both systemd-kmsg-syslogd and
          systemd-stdout-bridge.

        * New sd_pid_get_unit() API call in libsystemd-logind

        * Many systemadm clean-ups

        * Introduce remote-fs-pre.target which is ordered before all
          remote mounts and may be used to start services before all
          remote mounts.

        * Added Mageia support

        * Add bash completion for systemd-loginctl

        * Actively monitor PID file creation for daemons which exit in
          the parent process before having finished writing the PID
          file in the daemon process. Daemons which do this need to be
          fixed (i.e. PID file creation must have finished before the
          parent exits), but we now react a bit more gracefully to them.

        * Add colourful boot output, mimicking the well-known output
          of existing distributions.

        * New option PassCredentials= for socket units, for
          compatibility with a recent kernel ABI breakage.

        * /etc/rc.local is now hooked in via a generator binary, and
          thus will no longer act as synchronization point during
          boot.

        * systemctl list-unit-files now supports --root=.

        * systemd-tmpfiles now understands two new commands: z, Z for
          relabelling files according to the SELinux database. This is
          useful to apply SELinux labels to specific files in /sys,
          among other things.

        * Output of SysV services is now forwarded to both the console
          and the journal by default, not only just the console.

        * New man pages for all APIs from libsystemd-login.

        * The build tree got reorganized and the build system is a
          lot more modular allowing embedded setups to specifically
          select the components of systemd they are interested in.

        * Support for Linux systems lacking the kernel VT subsystem is
          restored.

        * configure's --with-rootdir= got renamed to
          --with-rootprefix= to follow the naming used by udev and
          kmod

        * Unless specified otherwise we will now install to /usr instead
          of /usr/local by default.

        * Processes with '@' in argv[0][0] are now excluded from the
          final shut-down killing spree, following the logic explained
          in:
          https://systemd.io/ROOT_STORAGE_DAEMONS/

        * All processes remaining in a service cgroup when we enter
          the START or START_PRE states are now killed with
          SIGKILL. That means it is no longer possible to spawn
          background processes from ExecStart= lines (which was never
          supported anyway, and bad style).

        * New PropagateReloadTo=/PropagateReloadFrom= options to bind
          reloading of units together.

        Contributions from: Bill Nottingham, Daniel J. Walsh, Dave
        Reisner, Dexter Morgan, Gregs Gregs, Jonathan Nieder, Kay
        Sievers, Lennart Poettering, Michael Biebl, Michal Schmidt,
        Michał Górny, Ran Benita, Thomas Jarosch, Tim Waugh, Tollef
        Fog Heen, Tom Gundersen, Zbigniew Jędrzejewski-Szmek