3 * Many manager configuration settings that are only applicable to user
4 manager or system manager can be always set. It would be better to reject
5 them when parsing config.
7 * Jun 01 09:43:02 krowka systemd[1]: Unit user@1000.service has alias user@.service.
8 Jun 01 09:43:02 krowka systemd[1]: Unit user@6.service has alias user@.service.
9 Jun 01 09:43:02 krowka systemd[1]: Unit user-runtime-dir@6.service has alias user-runtime-dir@.service.
13 * Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
16 - natively watch for dbus-*.service symlinks (PENDING)
17 - teach dbus to activate all services it finds in /etc/systemd/services/org-*.service
19 * kernel: add device_type = "fb", "fbcon" to class "graphics"
21 * /usr/bin/service should actually show the new command line
23 * fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus=
25 * neither pkexec nor sudo initialize environ[] from the PAM environment?
27 * fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it
29 * register catalog database signature as file magic
31 * zsh shell completion:
32 - <command> <verb> -<TAB> should complete options, but currently does not
33 - systemctl add-wants,add-requires
34 - systemctl reboot --boot-loader-entry=
36 * systemctl status should know about 'systemd-analyze calendar ... --iterations='
37 * If timer has just OnInactiveSec=..., it should fire after a specified time
40 * write blog stories about:
41 - hwdb: what belongs into it, lsusb
42 - enabling dbus services
43 - how to make changes to sysctl and sysfs attributes
45 - how to pass throw-away units to systemd, or dynamically change properties of existing units
46 - testing with Harald's awesome test kit
48 - how to develop against journal browsing APIs
49 - the journal HTTP iface
50 - non-cgroup resource management
51 - dynamic resource management with cgroups
52 - refreshed, longer missions statement
53 - calendar time events
54 - init=/bin/sh vs. "emergency" mode, vs. "rescue" mode, vs. "multi-user" mode, vs. "graphical" mode, and the debug shell
55 - how to create your own target
56 - instantiated apache, dovecot and so on
57 - hooking a script into various stages of shutdown/rearly booot
61 * look for close() vs. close_nointr() vs. close_nointr_nofail()
63 * check for strerror(r) instead of strerror(-r)
67 * set_put(), hashmap_put() return values check. i.e. == 0 does not free()!
69 * use secure_getenv() instead of getenv() where appropriate
71 * link up selected blog stories from man pages and unit files Documentation= fields
75 * Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again
77 * rework mount.c and swap.c to follow proper state enumeration/deserialization
78 semantics, like we do for device.c now
82 * add small wrapper around qemu that implements sd_notify/AF_VSOCK + machined and
83 maybe some other stuff and boots it
85 * mybe add new flags to gpt partition tables for rootfs and usrfs indicating
86 purpose, i.e. whether something is supposed to be bootable in a VM, on
87 baremetal, on an nspawn-style container, if it is a portable service image,
88 or a sysext for initrd, for host os, or for portable container. Then hook
89 portabled/… up to udev to watch block devices coming up with the flags set, and
92 * portabled: read a credential "portable.extra" or so, that takes a list of
93 file system paths to enable on start.
95 * sd-boot should look for information what to boot in SMBIOS, too, so that VM
96 managers can tell sd-boot what to boot into and suchlike
98 * PID 1 should look for an SMBIOS variable that encodes an AF_VSOCK address it
99 should send sd_notify() ready notifications to. That way a VMM can boot up a
100 system, and generically know when it finished booting.
102 * add "systemd-sysext identify" verb, that you can point on any file in /usr/
103 and that determines from which overlayfs layer it originates, which image, and with
106 * journald: generate recognizable log events whenever we shutdown journald
107 cleanly, and when we migrate run → var. This way tools can verify that a
108 previous boot terminated cleanly, because either of these two messages must
109 be safely written to disk, then.
111 * systemd-creds: extend encryption logic to support asymmetric
112 encryption/authentication. Idea: add new verb "systemd-creds public-key"
113 which generates a priv/pub key pair on the TPM2 and stores the priv key
114 locally in /var. It then outputs a certificate for the pub part to stdout.
115 This can then be copied/taken elsewhere, and can be used for encrypting creds
116 that only the host on its specific hw can decrypt. Then, support a drop-in
117 dir with certificates that can be used to authenticate credentials. Flow of
118 operations is then this: build image with owner certificate, then after
119 boot up issue "systemd-creds public-key" to acquire pubkey of the machine.
120 Then, when passing data to the machine, sign with privkey belonging to one of
121 the dropped in certs and encrypted with machine pubkey, and pass to machine.
122 Machine is then able to authenticate you, and confidentiality is guaranteed.
124 * building on top of the above, the pub/priv key pair generated on the TPM2
125 should probably also one you can use to get a remote attestation quote.
127 * bootctl: add "gc" verb that loads all type #1 .conf files, and then removes
128 all files from the set of files from the ESP/XBOOTLDR matching the entry
129 token that are not referenced by any. Then, change kernel-install to use only
130 this to remove auxiliary files, and never remove them explicitly. Benefit:
131 resources such as initrds/kernels/dtb can be shared between entries.
133 * networkd/udevd: add a way to define additional .link, .network, .netdev files
134 via the credentials logic.
136 * fstab-generator: allow definining additional fstab-like mounts via
137 credentials (similar: crypttab-generator, verity-generator,
140 * getty-generator: allow defining additional getty instances via a credential
142 * run-generator: allow defining additional commands to run via a credential
144 * resolved: allow defining additional /etc/hosts entries via a credential (it
145 might make sense to then synthesize a new combined /etc/hosts file in /run
146 and bind mount it on /etc/hosts for other clients that want to read it.
147 Similar, allow picking up DNS server IP addresses from credential.
149 * repart: allow defining additional partitions via credential
151 * tmpfiles: add snippet that provisions /etc/hosts, /etc/motd,
152 /root/.ssh/authorized_keys from credential
154 * timesyncd: pick NTP server info from credential
156 * define a JSON format for units, separating out unit definitions from unit
157 runtime state. Then, expose it:
159 1. Add Describe() method to Unit D-Bus object that returns a JSON object
161 2. Expose this natively via Varlink, in similar style
162 3. Use it when invoking binaries (i.e. make PID 1 fork off systemd-executor
163 binary which reads the JSON definition and runs it), to address the cow
164 trap issue and the fact that NSS is actually forbidden in
165 forked-but-not-exec'ed children
166 4. Add varlink API to run transient units based on provided JSON definitions
168 * show SUPPORT_END= data in "hostnamectl" output (and thus also expose a prop
171 * Add SUPPORT_END_URL= field to os-release with more *actionable* information
172 what to do if support ended
174 * pam_systemd: on interactive logins, maybe show SUPPORT_END information at
175 login time, á la motd
177 * sd-boot: instead of uncondtionally deriving the ESP to search boot loader
178 spec entries in from the paths of sd-boot binary, let's optionally allow it
179 to be configured on sd-boot cmdline + efi var. Usecase: embedd sd-boot in the
180 UEFI firmware (for example, ovmf supports that via qemu cmdline option), and
181 use it to load stuff from the ESP).
183 * make tmpfiles read lines from creds, so that we can provision SSH host keys
184 via creds. Similar: sysusers, sysctl, homed
186 * mount /var/ from initrd, so that we can apply sysext and stuff before the
187 initrd transition. Specifically:
188 1. There should be a var= kernel cmdline option, matching root= and usr=
189 2. systemd-gpt-auto-generator should auto-mount /var if it finds it on disk
190 3. mount.x-initrd mount option in fstab should be implied for /var
192 * implement varlink introspection
194 * we should probably drop all use of prefix_roota() and friends, and use
195 chase_symlinks() instead
197 * make persistent restarts easier by adding a new setting OpenPersistentFile=
198 or so, which allows opening one or more files that is "persistent" across
199 service restarts, hot reboot, cold reboots (depending on configuration): the
200 files are created empty on first invocation, and on subsequent invocations
201 the files are reboot. The files would be backed by tmpfs, pmem or /var
202 depending on desired level of persistency.
204 * sd-event: add ability to "chain" event sources. Specifically, add a call
205 sd_event_source_chain(x, y), which will automatically enable event source y
206 in oneshit mode once x is triggered. Use case: in src/core/mount.c implement
207 the /proc/self/mountinfo rescan on SIGCHLD with this: whenever a SIGCHLD is
208 seen, trigger the rescan defer event source automatically, and allow it to be
209 dispatched *before* the SIGCHLD is handled (based on priorities). Benefit:
210 dispatch order is strictly controlled by priorities again. (next step: chain
211 event sources to the ratelimit being over)
213 * if we fork of a service with StandardOutput=journal, and it forks off a
214 subprocess that quickly dies, we might not be able to identify the cgroup it
215 comes from, but we can still derive that from the stdin socket its output
216 came from. We apparently don't do that right now.
218 * make systemd-fstab-generator look for a system credential encoding root= or
221 * add ability to set hostname with suffix derived from machine id at boot
223 * ask dracut to generate usr= on the kernel cmdline so that we don't need to
224 read /etc/fstab from the root fs from the initrd and do daemon-reload
226 * add PR_SET_DUMPABLE service setting
228 * homed/userdb: maybe define a "companion" dir for home directories where apps
229 can safely put privileged stuff in. Would not be writable by the user, but
230 still conceptually belong to the user. Would be included in user's quota if
231 possible, even if files are not owned by UID of user. Usecase: container
232 images that owned by arbitrary UIDs, and are owned/managed by the users, but
233 are not directly belonging to the user's UID. Goal: we shouldn't place more
234 privileged dirs inside of unprivileged dirs, and thus containers really
235 should not be placed inside of traditional UNIX home dirs (which are owned by
236 users themselves) but somewhere else, that is separate, but still close
237 by. Inform user code about path to this companion dir via env var, so that
238 container managers find it. the ~/.identity file is also a candidate for a
239 file to move there, since it is managed by privileged code (i.e. homed) and
240 not unprivileged code.
242 * given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that
243 that hooks up userbdctl ssh-key stuff.
245 * allow embedding a signature blob for PCR hashes into separate section in
246 unified kernel binaries. This section should be picked up by sd-stub, and
247 passed in a file to the booted kernel (via initrd cpio, as usual). Usecase:
248 this way we can implement disk encryption policies that bind to specific
249 kernel PCR state, without breaking things on every kernel update. As long as
250 the kernel includes the PCR signature blob we should be good, as disk
251 encryption can then pass the signature to the TPM to unlock their secrets.
252 Why do this via a separate PE section? That's because the PCR state depends
253 on the measured kernel/initrd of course, thus we cannot put the signature
254 into the kernel/initrd itself, because that would require a time machine.
255 Hence we have to find a separate place. A simple solution is a PE section
256 of its own, because then it is next to the kernel and initrd which after all
257 are stored in PE sections of their own too. Building a unified kernel would
258 thus mean, calculating PCR values for the raw kernel image, and raw initrd
259 image, then signing those PCR values with a vendor key, and then combining
260 sd-stub, raw kernel image, raw initrd, and PCR signature into a unified
263 * a new tool "systemd-trust" or so, that can calculate PCR hashes offline, and
264 optionally sign them. for that we should extend our syntax for specifying pcr
265 policies (e.g. the string like "4+7+9") so that it can also include explicit
267 4=sha256:0ef149998289474e4bb31813edda6ad7f3c991b2d8dec6e8fe4db7a1f039f2d1+7=sha256:87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7+9=sha256:0263829989b6fd954f72baaf2fc64bc2e2f01d692d4de72986ea808f6e99813f
268 and file names to calculate hashes from, i.e.
269 4=file:/boot/vmlinuz+7=file:/boot/initrd/+9=file:/etc/fstab"
270 The systemd-trust tool should then be able to resolve any "underspecifed"
271 form into the form with explicit hash values.
273 * maybe add support for binding and connecting AF_UNIX sockets in the file
274 system outside of the 108ch limit. When connecting, open O_PATH fd to socket
275 inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink
276 to target dir in /tmp, and bind through it.
278 * tmpfiles: for f/F/w lines, if the argument columns is left unspecified, look
279 for a service credential named after the file path to write to, and load
280 contents to write from there. Usecase: provision arbitrary files from
281 credentials. Example use: with a line like "f /root/.ssh/authorized-keys
282 0644 root root" in a tmpfiles.d/ snippet add
283 LoadCredential=root.ssh.authorized-keys via drop-in to
284 systemd-tmpfiles.service, and then provision an SSH access key through
285 nspawn's --load-credential=, through qemu's fw_cfg, or via systemd-stub's
286 credntial pick-up. The latter is particularly interesting to implement SSH
289 * systemd-homed: when initializing, look for a credential sysemd.homed.register
290 or so with JSON user records to automatically register if not registered yet.
291 Usecase: deploy a system, and add an account one can directly log into.
293 * add a proper concept of a "developer" mode, i.e. where cryptographic
294 protections of the root OS are weakened after interactive confirmation, to
295 allow hackers to allow their own stuff. idea: allow entering developer mode
296 only via explicit choice in boot menu: i.e. add explicit boot menu item for
297 it. when developer mode is entered generate a key pair in the TPM2, and add
298 the public part of it automatically to keychain of valid code signature keys
299 on subsequent boots. Then provide a tool to sign code with the key in the
300 TPM2. Ensure that boot menu item is only way to enter developer mode, by
301 binding it to locality/PCRs so that that keys cannot be generated otherwise.
303 * services: add support for cryptographically unlocking per-service directories
304 via TPM2. Specifically, for StateDirectory= (and related dirs) use fscrypt to
305 set up the directory so that it can only be accessed if host and app are in
308 * TPM2: add auth policy for signed PCR values to make updates easy. i.e. do
309 what tpm2_policyauthorize tool does. To be truly useful scheme needs to be a
310 bit more elaborate though: policy probably must take some nvram based
311 generation counter into account that can only monotonically increase and can
312 be used to invalidate old PCR signatures. Otherwise people could downgrade to
313 old signed PCR sets whenever they want. Usecase: encrypt the rootfs with LUKS
314 with a key that can only be unlocked via a pristine pre-built Fedora
317 * update HACKING.md to suggest developing systemd with the ideas from:
318 https://0pointer.net/blog/testing-my-system-code-in-usr-without-modifying-usr.html
319 https://0pointer.net/blog/running-an-container-off-the-host-usr.html
321 * add a clear concept how the initrd can make up credentials on their own to
322 pass to the system when transitioning into the host OS. usecase: things like
323 cloud-init/ignitation and similar can parameterize the host with data they
326 * drop support for kernels that lack ambient capabilities support (i.e. make
327 4.3 new baseline). Then drop support for "!!" modifier for ExecStart= which
328 is only supported for such old kernels
330 * sd-event: compat wd reuse in inotify code: keep a set of removed watch
331 descriptors, and clear this set piecemeal when we see the IN_IGNORED event
332 for it, or when read() returns EAGAIN or on IN_Q_OVERFLOW. Then, whenever we
333 see an inotify wd event check against this set, and if it is contained ignore
334 the event. (to be fully correct this would have to count the occurrences, in
335 case the same wd is reused multiple times before we start processing
338 * sd-stub: set efi var indicating stub features, i.e. whether they pick up
339 creds, sysexts and so on. similar to existing variable of sd-boot
341 * sd-stub: set efi vars declaring TPM PCRs we measured creds/cmdline + sysext
342 into (even if we hardcode them)
344 * systemd-fstab-generator: support addition mount specifications via kernel
345 cmdline. Usecase: invoke a VM, and mount a host homedir into it via
348 * for vendor-built signed initrds:
349 - make sysext run in the initrd
350 - sysext should pick up sysext images from /.extra/ in the initrd, and insist
351 on verification if in secureboot mode
352 - kernel-install should be able to install pre-built unified kernel images in
353 type #2 drop-in dir in the ESP.
354 - kernel-install should be able install encrypted creds automatically for
355 machine id, root pw, rootfs uuid, resume partition uuid, and place next to
356 EFI kernel, for sd-stub to pick them up. These creds should be locked to
357 the TPM, and bind to the right PCR the kernel is measured to.
358 - kernel-install should be able to pick up initrd sysexts automatically and
359 place them next to EFI kernel, for sd-stub to pick them up.
360 - systemd-fstab-generator should look for rootfs device to mount in creds
361 - pid 1 should look for machine ID in creds
362 - systemd-resume-generator should look for resume partition uuid in creds
363 - sd-stub: automatically pick up microcode from ESP (/loader/microcode/*)
364 and synthesize initrd from it, and measure it. Signing is not necessary, as
365 microcode does that on its own. Pass as first initrd to kernel.
366 - sd-stub should measure the kernel/initrd/… into a separate PCR, so that we
367 have one PCR we can bind the encrypted creds to that is not effected by
368 anything else but what we drop in via kernel-install, i.e. by earlier EFI
369 code running (i.e. like PCR 4)
371 * Add a new service type very similar to Type=notify, that goes one step
372 further and extends the protocol to cover reloads. Specifically, SIGHUP will
373 become the official way to reload, and daemon has to respond with sd_notify()
374 to report when it starts reloading, and when it is complete reloading. Care
375 must be taken to remove races from this model. I.e. PID 1 needs to take
376 CLOCK_MONOTONIC, then send SIGHUP, then wait for at least one RELOADING=1
377 message that comes with a newer timestamp, then wait for a READY=1 message.
378 while we are at it, also maybe extend the logic to require handling of some
379 specific SIGRT signal for setting debug log level, that carries the level via
380 the sigqueue() data parameter. With that we extended with minimal logic the
381 service runtime logic quite substantially.
383 * firstboot: maybe just default to C.UTF-8 locale if nothing is set, so that we
384 don't query this unnecessarily in entirely uninitialized
385 containers. (i.e. containers with empty /etc).
387 * beef up sd_notify() to support AV_VSOCK in $NOTIFY_SOCKET, so that VM
388 managers can get ready notifications from VMs, just like container managers
389 from their payload. Also pick up address from qemu/fw_cfg if set there.
390 (which has benefits, given SecureBoot and kernel cmdline are not necessarily
393 * mirroring this: maybe support binding to AV_VSOCK in Type=notify services,
394 then passing $NOTIFY_SOCKET and $NOTIFY_GUESTCID with PID1's cid (typically
395 fixed to "2", i.e. the official host cid) and the expected guest cid, for the
396 two sides of the channel. The latter env var could then be used in an
397 appropriate qemu cmdline. That way qemu payloads could talk sd_notify()
398 directly to host service manager.
400 * maybe write a tool that binds an AF_VFSOCK socket, then invokes qemu,
401 extending the command line to enable vsock on the VM, and using fw_cfg to
402 configure socket address.
404 * sd-boot: rework random seed handling following recent kernel changes: always
405 pass seed to kernel, but credit only if secure boot is used
407 * sd-boot: also include the hyperv "vm generation id" in the random seed hash,
408 to cover nicely for machine clones. It's found in the ACPI tables, which
409 should be easily accessible from UEFI.
411 * sd-boot: add menu item for shutdown? or hotkey?
413 * sd-device has an API to create an sd_device object from a device id, but has
414 no api to query the device id
416 * sd-device should return the devnum type (i.e. 'b' or 'c') via some API for an
417 sd_device object, so that data passed into sd_device_new_from_devnum() can
420 * sd-event: optionally, if per-event source rate limit is hit, downgrade
421 priority, but leave enabled, and once ratelimit window is over, upgrade
422 priority again. That way we can combat event source starvation without
423 stopping processing events from one source entirely.
425 * sd-event: similar to existing inotify support add fanotify support (given
426 that apparently new features in this area are only going to be added to the
429 * sd-event: add 1st class event source for clock changes
431 * sd-event: add 1st class event source for timezone changes
433 * support uefi/http boots with sd-boot: instead of looking for dropin files in
434 /loader/entries/ dir, look for a file /loader/entries/SHA256SUMS and use that
435 as directory manifest. The file would be a standard directory listing as
436 generated by GNU sha256sums.
438 * sd-boot: maybe add support for embedding the various auxiliary resources we
439 look for right in the sd-boot binary. i.e. take inspiration from sd-stub
440 logic: allow combining sd-boot via objcopy with kernels to enumerate, .conf
441 files, drivers, keys to enroll and so on. Then, add whatever we find that way
442 to the menu. Usecase: allow building a single PE image you can boot into via
445 * maybe add a new UEFI stub binary "sd-http". It works similar to sd-stub, but
446 all it does is download a file from a http server, and execute it, after
447 optionally checking its hash sum. idea would be: combine this "sd-http" stub
448 binary with some minimal info about an URL + hash sum, plus .osrel data, and
449 drop it into the unified kernel dir in the ESP. And bam you have something
450 that is tiny, feels a lot like a unified kernel, but all it does is chainload
451 the real kernel. benefit: downloading these stubs would be tiny and quick,
452 hence cheap for enumeration.
454 * initialize machine ID from systemd credential picked up from the ESP via
455 sd-stub, so that machine ID is stable even on systems where unified kernels
456 are used, and hence kernel cmdline cannot be modified locally
458 * in gpt-auto-generator: check partition uuids against such uuids supplied via
459 sd-stub credentials. That way, we can support parallel OS installations with
462 * sysext: measure all activated sysext into a TPM PCR
464 * maybe add a "syscfg" concept, that is almost entirely identical to "sysext",
465 but operates on /etc/ instead of /usr/ and /opt/. Use case would be: trusted,
466 authenticated, atomic, additive configuration management primitive: drop in a
467 configuration bundle, and activate it, so that it is instantly visible,
470 * systemd-dissect: show available versions inside of a disk image, i.e. if
471 multiple versions are around of the same resource, show which ones. (in other
472 words: show partition labels).
474 * systemd-nspawn: make boot assessment do something sensible in a
475 container. i.e send an sd_notify() from payload to container manager once
476 boot-up is completed successfully, and use that in nspawn for dealing with
477 boot counting, implemented in the partition table labels and directory names.
479 * maybe add a generator that reads /proc/cmdline, looks for
480 systemd.pull-raw-portable=, systemd-pull-raw-sysext= and similar switches
481 that take an URL as parameter. It then generates service units for
482 systemd-pull calls that download these URLs if not installed yet. usecase:
483 invoke a VM or nspawn container in a way it automatically deploys/runs these
484 images as OS payloads. i.e. have a generic OS image you can point to any
485 payload you like, which is then downloaded, securely verified and run.
487 * improve scope units to support creation by pidfd instead of by PID
489 * deprecate cgroupsv1 further (print log message at boot)
491 * systemd-dissect: add --cat switch for dumping files such as /etc/os-release
493 * per-service sandboxing option: ProtectIds=. If used, will overmount
494 /etc/machine-id and /proc/sys/kernel/random/boot_id with synthetic files, to
495 make it harder for the service to identify the host. Depending on the user
496 setting it should be fully randomized at invocation time, or a hash of the
497 real thing, keyed by the unit name or so. Of course, there are other ways to
498 get these IDs (e.g. journal) or similar ids (e.g. MAC addresses, DMI ids, CPU
499 ids), so this knob would only be useful in combination with other lockdown
500 options. Particularly useful for portable services, and anything else that
501 uses RootDirectory= or RootImage=. (Might also over-mount
502 /sys/class/dmi/id/*{uuid,serial} with /dev/null).
504 * journalctl/timesyncd: whenever timesyncd acquires a synchronization from NTP,
505 create a structured log entry that contains boot ID, monotonic clock and
506 realtime clock (I mean, this requires no special work, as these three fields
507 are implicit). Then in journalctl when attempting to display the realtime
508 timestamp of a log entry, first search for the closest later log entry
509 of this kinda that has a matching boot id, and convert the monotonic clock
510 timestamp of the entry to the realtime clock using this info. This way we can
511 retroactively correct the wallclock timestamps, in particular for systems
512 without RTC, i.e. where initially wallclock timestamps carry rubbish, until
513 an NTP sync is acquired.
516 - add --all switch for rerunning kernel-install for all installed kernels
517 - maybe add env var that shortcuts kernel-install for installers that want to
518 call it at the end only
520 * doc: prep a document explaining resolved's internal objects, i.e. Query
521 vs. Question vs. Transaction vs. Stream and so on.
523 * doc: prep a document explaining PID 1's internal logic, i.e. transactions,
526 * bootspec: remove tries counter from boot entry ids
528 * bootspec: bring UEFI and userspace enumeration of bootspec entries back into
529 sync, i.e. parse out tries in both
531 * automatically ignore threaded cgroups in cg_xyz().
533 * add linker script that implicitly adds symbol for build ID and new coredump
534 json package metadata, and use that when logging
536 * systemd-dissect: show GPT disk UUID in output
538 * Enable RestricFileSystems= for all our long-running services (similar:
539 RestrictNetworkInterfaces=)
541 * Add systemd-analyze security checks for RestrictFileSystems= and
542 RestrictNetworkInterfaces=
544 * cryptsetup/homed: implement TOTP authentication backed by TPM2 and its
547 * nspawn: optionally set up nftables/iptables routes that forward UDP/TCP
548 traffic on port 53 to resolved stub 127.0.0.54
550 * man: rework os-release(5), and clearly separate our extension-release.d/ and
551 initrd-release parts, i.e. list explicitly which fields are about what.
553 * sysext: before applying a sysext, do a superficial validation run so that
554 things are not rearranged to wildy. I.e. protect against accidental fuckups,
555 such as masking out /usr/lib/ or so. We should probably refuse if existing
556 inodes are replaced by other types of inodes or so.
558 * sysext: ensure one can build a sysext that can safely apply to *any* system
559 (because it contains only static go binaries in /opt/ or so)
561 * userdb: when synthesizing NSS records, pick "best" password from defined
562 passwords, not just the first. i.e. if there are multiple defined, prefer
563 unlocked over locked and prefer non-empty over empty.
565 * maybe add a tool inspired by the GPT auto discovery spec that runs in the
566 initrd and rearranges the rootfs hierarchy via bind mounts, if
567 enabled. Specifically in some top-level dir /@auto/ it will look for
568 dirs/symlinks/subvolumes that are named after their purpose, and optionally
569 encode a version as well as assessment counters, and then mount them into the
570 file system tree to boot into, similar to how we do that for the gpt auto
571 logic. Maybe then bind mount the original root into /.superior or something
572 like that (so that update tools can look there). Further discussion in this
574 https://lists.freedesktop.org/archives/systemd-devel/2021-November/047059.html
575 The GPT dissection logic should automatically enable this tool whenever we
576 detect a specially marked root fs (i.e introduce a new generic root gpt type
577 for this, that is arch independent). The also implement this in the image
578 dissection logic, so that nspawn/RootImage= and so on grok it. Maybe make
579 generic enough so that it can also work for ostrees arrangements.
581 * if a path ending in ".auto.d/" is set for RootDirectory=/RootImage= then do a
582 strverscmp() of everything inside that dir and use that. i.e. implement very
583 simple version control. Also use this in systemd-nspawn --image= and so on.
585 * homed: while a home dir is not activated generate slightly different NSS
586 records for it, that reports the home dir as "/" and the shell as some binary
587 provided by us. Then, when an SSH login happens and SSH permits it our binary
588 is invoked. This binary can then talk to homed and activate the homedir if
589 it's not around yet, prompting the user for a password. Once that succeeded
590 we'll switch to the real user record, i.e. home dir and shell, and our tool
591 exec()s the latter. Net effect: ssh'ing into a homed account will just work:
592 we'll neatly prompt for the homedir's password if its needed. –– Building on
593 this we could take this even further: since this tool will potentially have
594 access to the client's ssh-agent (if ssh-agent forwarding is enabled) we
595 could implement SSH unlocking of a homedir with that: when enrolling a new
596 ssh pubkey in a user record we'd ask the ssh-agent to sign some random value
597 with the privkey, then use that as luks key to unlock the home dir. Will not
598 work for ECDSA keys since their signatures contain a random component, but
599 will work for RSA and Ed25519 keys.
601 * add tiny service that decrypts encrypted user records passed via initrd
602 credential logic and drops them into /run where nss-systemd can pick them up,
603 similar to /run/host/userdb/. Usecase: drop a root user JSON record there,
604 and use it in the initrd to log in as root with locally selected password,
605 for debugging purposes. Other usecase: boot into qemu with regular user
606 mounted from host. maybe put this in systemd-user-sessions.service?
608 * drop dependency on libcap, replace by direct syscalls based on
609 CapabilityQuintet we already have. (This likely allows us drop drop libcap
610 dep in the base OS image)
612 * sysext: automatically activate sysext images dropped in via new sd-stub
615 * add concept for "exitrd" as inverse of "initrd", that we can transition to at
616 shutdown, and has similar security semantics. This should then take the place
617 of dracut's shutdown logic. Should probably support sysexts too. Care needs
618 to be taken that the resulting logic ends up in RAM, i.e. is copied out of
621 * userdbd: implement an additional varlink service socket that provides the
622 host user db in restricted form, then allow this to be bind mounted into
623 sandboxed environments that want the host database in minimal form. All
624 records would be stripped of all meta info, except the basic UID/name
625 info. Then use this in portabled environments that do not use PrivateUsers=1.
627 * logind introduce two types of sessions: "heavy" and "light". The former would
628 be our current sessions. But the latter would be a new type of session that
629 is mostly the same but does not pull in user@.service or wait for it. Then,
630 allow configuration which type of session is desired via pam_systemd
631 parameters, and then make user@.service's session one of these "light" ones.
632 People could then choose to make FTP sessions and suchlike "light" if they
633 don't want the service manager to be started for that.
635 * /etc/veritytab: allow that the roothash column can be specified as fs path
636 including a path to an AF_UNIX path, similar to how we do things with the
637 keys of /etc/crypttab. That way people can store/provide the roothash
638 externally and provide to us on demand only.
640 * add high-level lockdown level for GPT dissection logic: e.g. an enum that can
641 be ANY (to mount anything), TRUSTED (to require that /usr is on signed
642 verity, but rest doesn't matter), LOCKEDDOWN (to require that everything is
643 on signed verity, except for ESP), SUPERLOCKDOWN (like LOCKEDDOWN but ESP not
644 allowed). And then maybe some flavours of that that declare what is expected
645 from home/srv/var… Then, add a new cmdline flag to all tools that parse such
646 images, to configure this. Also, add a kernel cmdline option for this, to be
647 honoured by the gpt auto generator.
649 * nspawn: maybe optionally insert .nspawn file as GPT partition into images, so
650 that such container images are entirely stand-alone and can be updated as
653 * we probably should extend the root verity hash of the root fs into some PCR
654 on boot. (i.e. maybe add a crypttab option tpm2-measure=8 or so to measure it
657 * add a "policy" to the dissection logic. i.e. a bit mask what is OK to mount,
658 what must be read-only, what requires encryption, and what requires
661 * in uefi stub: query firmware regarding which PCRs are being used, store that
662 in EFI var. then use this when enrolling TPM2 in cryptsetup to verify that
663 the selected PCRs actually are used by firmware.
665 * rework recursive read-only remount to use new mount API
667 * PAM: pick up authentication token from credentials
669 * when mounting disk images: if IMAGE_ID/IMAGE_VERSION is set in os-release
670 data in the image, make sure the image filename actually matches this, so
671 that images cannot be misused.
673 * New udev block device symlink names:
674 /dev/disk/by-parttypelabel/<pttype>-<ptlabel>. Use case: if pt label is used
675 as partition image version string, this is a safe way to reference a specific
676 version of a specific partition type, in particular where related partitions
677 are processed (e.g. verity + rootfs both named "LennartOS_0.7").
680 - add fuzzing to the pattern parser
681 - support casync as download mechanism
682 - direct TPM2 PCR change handling, possible renrolling LUKS2 media if needed.
683 - "systemd-sysupdate update --all" support, that iterates through all components
684 defined on the host, plus all images installed into /var/lib/machines/,
685 /var/lib/portable/ and so on.
686 - figure out what to do about system extensions (i.e. they need to imply an
687 update component, since otherwise system extenion' sysupdate.d/ files would
688 override the host's update files.)
689 - Allow invocation with a single transfer definition, i.e. with
690 --definitions= pointing to a file rather than a dir.
691 - add ability to disable implicit decompression of downloaded artifacts,
692 i.e. a Compress=no option in the transfer definitions
694 * in sd-id128: also parse UUIDs in RFC4122 URN syntax (i.e. chop off urn:uuid: prefix)
696 * DynamicUser= + StateDirectory= → use uid mapping mounts, too, in order to
697 make dirs appear under right UID.
699 * systemd-sysext: optionally, run it in initrd already, before transitioning
700 into host, to open up possibility for services shipped like that.
702 * maybe add a tool that displays most recent journal logs as QR code to scan
703 off screen and run it automatically on boot failures, emergency logs and
704 such. Use DRM APIs directly, see
705 https://github.com/dvdhrm/docs/blob/master/drm-howto/modeset.c for an example
708 * introduce /dev/disk/root/* symlinks that allow referencing partitions on the
709 disk the rootfs is on in a reasonably secure way. (or maybe: add
710 /dev/gpt-auto-{home,srv,boot,…} similar in style to /dev/gpt-auto-root as we
713 * whenever we receive fds via SCM_RIGHTS make sure none got dropped due to the
714 reception limit the kernel silently enforces.
716 * add an Open= setting to service unit files that can open arbitrary file
717 system paths at service startup time and pass them to the service process via
718 our usual socket activation protocol. If passed path refers to AF_UNIX
719 socket: connect() to it.
721 * Similar, ConnectStream= which takes IP addresses and connects to them.
723 * Similar, Load= which takes literal data in text or base64 format, and puts it
724 into a memfd, and passes that. This enables some fun stuff, such as embedding
725 bash scripts in unit files, by combining Load= with ExecStart=/bin/bash
728 * add a ConnectSocket= setting to service unit files, that may reference a
729 socket unit, and which will connect to the socket defined therein, and pass
730 the resulting fd to the service program via socket activation proto.
732 * Add a concept of ListenStream=anonymous to socket units: listen on a socket
733 that is deleted in the fs. Usecase would be with ConnectSocket= above.
735 * importd: support image signature verification with PKCS#7 + OpenBSD signify
736 logic, as alternative to crummy gpg
738 * add "systemd-analyze debug" + AttachDebugger= in unit files: The former
739 specifies a command to execute; the latter specifies that an already running
740 "systemd-analyze debug" instance shall be contacted and execution paused
741 until it gives an OK. That way, tools like gdb or strace can be safely be
742 invoked on processes forked off PID 1.
744 * expose MS_NOSYMFOLLOW in various places
746 * credentials system:
747 - acquire from EFI variable?
748 - acquire via via ask-password?
749 - acquire creds via keyring?
750 - pass creds via keyring?
751 - pass creds via memfd?
752 - acquire + decrypt creds from pkcs11?
753 - make systemd-cryptsetup acquire pw via creds logic
754 - make PAMName= acquire pw via creds logic
755 - make macsec/wireguard code in networkd read key via creds logic
756 - make gatwayd/remote read key via creds logic
757 - add sd_notify() command for flushing out creds not needed anymore
758 - make user manager instances create and use a user-specific key (the one in
759 /var/lib is root-only) and add --user switch to systemd-creds to use it
761 * add tpm.target or so which is delayed until TPM2 device showed up in case
762 firmware indicates there is one.
764 * Add concept for upgrading TPM2 enrollments, maybe a new switch
765 --pcrs=4:<hash> or so, i.e. select a PCR to include in the hash, and then
768 * TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades
771 * introduce a new group to own TPM devices
773 * cryptsetup: if only recovery keys are registered and no regular passphrases,
774 ask user for "recovery key", not "passphrase"
776 * cyptsetup: add option for automatically removing empty password slot on boot
778 * cryptsetup: optionally, when run during boot-up and password is never
779 entered, and we are on battery power (or so), power off machine again
781 * cryptsetup: when waiting for FIDO2/PKCS#11 token, tell plymouth that, and
782 allow plymouth to abort the waiting and enter pw instead
784 * make cryptsetup lower --iter-time
786 * cryptsetup: allow encoding key directly in /etc/crypttab, maybe with a
787 "base64:" prefix. Useful in particular for pkcs11 mode.
789 * cryptsetup: reimplement the mkswap/mke2fs in cryptsetup-generator to use
790 systemd-makefs.service instead.
793 - cryptsetup-generator: allow specification of passwords in crypttab itself
794 - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator
796 * when configuring loopback netif, and it fails due to EPERM, eat up error if
797 it happens to be set up alright already.
799 * at boot: check if battery above some threshold, if not power off again after explanation
801 * userdb: add field for ambient caps, so that a user can have CAP_WAKE_ALARM
802 for example. And add code that resets ambient caps for all services by
805 * sd-bus: when connecting to some dbus server socker, set originating AF_UNIX
806 socket name in abstract namespace to include "description" string, and pick
807 it up from there in sd_bus_creds logic. i.e. we can use the socket peer
808 address as conduit for some minimal connection metainfo, and use it to
809 restore the "description" logic that kdbus used to have.
811 * systemd-analyze netif that explains predictable interface (or networkctl)
813 * Add service setting to run a service within the specified VRF. i.e. do the
814 equivalent of "ip vrf exec".
816 * change SwitchRoot() implementation in PID 1 to use pivot_root(".", "."), as
817 documented in the pivot_root(2) man page, so that we can drop the /oldroot
820 * special case some calls of chase_symlinks() to use openat2() internally, so
821 that the kernel does what we otherwise do.
823 * add a new flag to chase_symlinks() that stops chasing once the first missing
824 component is found and then allows the caller to create the rest.
826 * make use of new glibc 2.32 APIs sigabbrev_np() and strerrorname_np().
828 * if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
830 * Remove any support for booting without /usr pre-mounted in the initrd entirely.
831 Update INITRD_INTERFACE.md accordingly.
833 * pid1: Move to tracking of main pid/control pid of units per pidfd
835 * pid1: support new clone3() fork-into-cgroup feature
837 * pid1: also remove PID files of a service when the service starts, not just
840 * make us use dynamically fewer deps for containers in general purpose distros:
841 o turn into dlopen() deps:
842 - p11-kit-trust (always)
843 - kmod-libs (only when called from PID 1)
844 - libblkid (only in RootImage= handling in PID 1, but not elsewhere)
845 - libpam (only when called from PID 1)
846 - bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are,
847 since they are so basic and our defaults)
848 o move into separate libsystemd-shared-iptables.so .so
849 - iptables-libs (only used by nspawn + networkd)
851 * seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can.
852 Apparently kernel performance is much better with fewer larger seccomp
853 filters than with more smaller seccomp filters.
855 * systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum,
856 mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such
858 * All tools that support --root= should also learn --image= so that they can
859 operate on disk images directly. Specifically: systemctl, coredumpctl.
860 (Already done: bootctl, systemd-nspawn, systemd-firstboot,
861 systemd-repart, systemd-tmpfiles, systemd-sysusers, journalctl)
863 * seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out
865 * seccomp: don't install filters for ABIs that are masked anyway for the
868 * busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
871 * Maybe add a separate GPT partition type to the discoverable partition spec
872 for "hibernate" partitions, that are exactly like swap partitions but only
873 activated right before hibernation and thus never used for regular swapping.
875 * socket units: allow creating a udev monitor socket with ListenDevices= or so,
876 with matches, then activate app through that passing socket over
879 - kill gnutls support in resolved
880 - figure out what to do about libmicrohttpd, which has a hard dependency on
882 - port fsprg over to a dlopen lib, then switch it to openssl
884 * add growvol and makevol options for /etc/crypttab, similar to
885 x-systemd.growfs and x-systemd-makefs.
887 * userdb: allow username prefix searches in varlink API, allow realname and
888 realname substr searches in varlink API
890 * userdb: allow uid/gid range checks
892 * userdb: allow existence checks
894 * pid1: activation by journal search expression
896 * when switching root from initrd to host, set the machine_id env var so that
897 if the host has no machine ID set yet we continue to use the random one the
900 * sd-event: add native support for P_ALL waitid() watching, then move PID 1 to
901 it for reaping assigned but unknown children. This needs to some special care
902 to operate somewhat sensibly in light of priorities: P_ALL will return
903 arbitrary processes, regardless of the priority we want to watch them with,
904 hence on each event loop iteration check all processes which we shall watch
905 with higher prio explicitly, and then watch the entire rest with P_ALL.
907 * tweak sd-event's child watching: keep a prioq of children to watch and use
908 waitid() only on the children with the highest priority until one is waitable
909 and ignore all lower-prio ones from that point on
911 * maybe introduce xattrs that can be set on the root dir of the root fs
912 partition that declare the volatility mode to use the image in. Previously I
913 thought marking this via GPT partition flags but that's not ideal since
914 that's outside of the LUKS encryption/verity verification, and we probably
915 shouldn't operate in a volatile mode unless we got told so from a trusted
918 * coredump: maybe when coredumping read a new xattr from /proc/$PID/exe that
919 may be used to mark a whole binary as non-coredumpable. Would fix:
920 https://bugs.freedesktop.org/show_bug.cgi?id=69447
922 * teach parse_timestamp() timezones like the calendar spec already knows it
924 * beef up hibernation to optionally do swapon/swapoff immediately before/after
927 * beef up s2h to implement a battery watch loop: instead of entering
928 hibernation unconditionally after coming back from resume make a decision
929 based on the battery load level: if battery level is above a specific
930 threshold, go to suspend again, only hibernate if below it. This means we'd
931 stick to suspend usually, but fall back to hibernation only when battery runs
932 empty (well, subject to our sampling interval). Related to this, check if we
933 can make ACPI _BTP (i.e. /sys/class/power_supply/*/alarm) work for us too,
934 i.e. see if it can wake up machines from suspend, so that we could resume
935 automatically when the system is low on power and move automatically to
936 hibernation mode. (see
937 https://uefi.org/sites/default/files/resources/ACPI%206_2_A_Sept29.pdf
939 https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby-wake-sources
942 * We should probably replace /etc/rc.d/README with a symlink to doc
943 content. After all it is constant vendor data.
945 * maybe add kernel cmdline params: to force random seed crediting
947 * introduce a new per-process uuid, similar to the boot id, the machine id, the
948 invocation id, that is derived from process creds, specifically a hashed
949 combination of AT_RANDOM + getpid() + the starttime from
950 /proc/self/status. Then add these ids implicitly when logging. Deriving this
951 uuid from these three things has the benefit that it can be derived easily
952 from /proc/$PID/ in a stable, and unique way that changes on both fork() and
955 * let's not GC a unit while its ratelimits are still pending
957 * when killing due to service watchdog timeout maybe detect whether target
958 process is under ptracing and then log loudly and continue instead.
960 * make rfkill uaccess controllable by default, i.e. steal rule from
961 gnome-bluetooth and friends
963 * make MAINPID= message reception checks even stricter: if service uses User=,
964 then check sending UID and ignore message if it doesn't match the user or
967 * maybe trigger a uevent "change" on a device if "systemctl reload xyz.device"
970 * when importing an fs tree with machined, optionally apply userns-rec-chown
972 * when importing an fs tree with machined, complain if image is not an OS
974 * Maybe introduce a helper safe_exec() or so, which is to execve() which
975 safe_fork() is to fork(). And then make revert the RLIMIT_NOFILE soft limit
976 to 1K implicitly, unless explicitly opted-out.
978 * rework seccomp/nnp logic that even if User= is used in combination with
979 a seccomp option we don't have to set NNP. For that, change uid first whil
980 keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap.
982 * when no locale is configured, default to UEFI's PlatformLang variable
984 * add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and
985 usefaultd() and make systemd-analyze check for it.
987 * paranoia: whenever we process passwords, call mlock() on the memory
988 first. i.e. look for all places we use free_and_erasep() and
989 augment them with mlock(). Also use MADV_DONTDUMP.
990 Alternatively (preferably?) use memfd_secret().
992 * Move RestrictAddressFamily= to the new cgroup create socket
994 * maybe implicitly attach monotonic+realtime timestamps to outgoing messages in
995 log.c and sd-journal-send
997 * optionally: turn on cgroup delegation for per-session scope units
999 * introduce per-unit (i.e. per-slice, per-service) journal log size limits.
1001 * sd-boot: optionally, show boot menu when previous default boot item has
1002 non-zero "tries done" count
1004 * augment CODE_FILE=, CODE_LINE= with something like CODE_BASE= or so which
1005 contains some identifier for the project, which allows us to include
1006 clickable links to source files generating these log messages. The identifier
1007 could be some abberviated URL prefix or so (taking inspiration from Go
1008 imports). For example, for systemd we could use
1009 CODE_BASE=github.com/systemd/systemd/blob/98b0b1123cc or so which is
1010 sufficient to build a link by prefixing "http://" and suffixing the
1013 * Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can
1014 make clickable links from log messages carrying a MESSAGE_ID, that lead to
1015 some explanatory text online.
1017 * maybe extend .path units to expose fanotify() per-mount change events
1019 * When reloading configuration PID 1 should reset all its properties to the
1020 original defaults before calling parse_config()
1022 * hibernate/s2h: make this robust and safe to enable in Fedora by default.
1025 1. add resume_offset support to the resume code (i.e. support swap files
1027 2. check if swap is on weird storage and refuse if so
1028 3. add auto-detection of hibernation images
1030 * cgroups: use inotify to get notified when somebody else modifies cgroups
1031 owned by us, then log a friendly warning.
1033 * beef up log.c with support for stripping ANSI sequences from strings, so that
1034 it is OK to include them in log strings. This would be particularly useful so
1035 that our log messages could contain clickable links for example for unit
1036 files and suchlike we operate on.
1038 * importd: add ability download images for portabled + sysext
1040 * add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration)
1042 * sync dynamic uids/gids between host+portable srvice (i.e. if DynamicUser=1 is set for a service, make sure that the
1043 selected user is resolvable in the service even if it ships its own /etc/passwd)
1045 * Fix DECIMAL_STR_MAX or DECIMAL_STR_WIDTH. One includes a trailing NUL, the
1046 other doesn't. What a disaster. Probably to exclude it.
1048 * Check that users of inotify's IN_DELETE_SELF flag are using it properly, as
1049 usually IN_ATTRIB is the right way to watch deleted files, as the former only
1050 fires when a file is actually removed from disk, i.e. the link count drops to
1051 zero and is not open anymore, while the latter happens when a file is
1052 unlinked from any dir.
1054 * port systemctl, busctl, … over to format-table.[ch]'s table formatters
1056 * pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up
1058 * add --vacuum-xyz options to coredumpctl, matching those journalctl already has.
1060 * introduce Ephemeral= unit file switch, that creates an ephemeral copy of all
1061 files and directories that are left writable for a unit, and which are
1062 removed after the unit goes down again. A bit like --ephemeral for
1063 systemd-nspawn but for system services. If used together with RootImage= this
1064 should reflink the image file itself.
1066 Related: add Ephemeral=<path1> <path2> … which would allow marking
1067 specific paths only like this.
1069 * add CopyFile= or so as unit file setting that may be used to copy files or
1070 directory trees from the host to the services RootImage= and RootDirectory=
1071 environment. Which we can use for /etc/machine-id and in particular
1072 /etc/resolv.conf. Should be smart and do something useful on read-only
1073 images, for example fall back to read-only bind mounting the file instead.
1075 * show invocation ID in systemd-run output
1077 * bypass SIGTERM state in unit files if KillSignal is SIGKILL
1079 * add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1
1080 and so on, which would mean we could report errors and such.
1082 * introduce DefaultSlice= or so in system.conf that allows changing where we
1083 place our units by default, i.e. change system.slice to something
1084 else. Similar, ManagerSlice= should exist so that PID1's own scope unit could
1085 be moved somewhere else too. Finally machined and logind should get similar
1086 options so that it is possible to move user session scopes and machines to a
1087 different slice too by default. Usecase: people who want to put resources on
1088 the entire system, with the exception of one specific service. See:
1089 https://lists.freedesktop.org/archives/systemd-devel/2018-February/040369.html
1091 * maybe rework get_user_creds() to query the user database if $SHELL is used
1092 for root, but only then.
1094 * be stricter with fds we receive for the fdstore: close them asynchronously
1096 * calenderspec: add support for week numbers and day numbers within a
1097 year. This would allow us to define "bi-weekly" triggers safely.
1099 * sd-bus: add vtable flag, that may be used to request client creds implicitly
1100 and asynchronously before dispatching the operation
1102 * sd-bus: parse addresses given in sd_bus_set_addresses immediately and not
1103 only when used. Add unit tests.
1105 * make use of ethtool veth peer info in machined, for automatically finding out
1106 host-side interface pointing to the container.
1108 * add some special mode to LogsDirectory=/StateDirectory=… that allows
1109 declaring these directories without necessarily pulling in deps for them, or
1110 creating them when starting up. That way, we could declare that
1111 systemd-journald writes to /var/log/journal, which could be useful when we
1112 doing disk usage calculations and so on.
1114 * deprecate RootDirectoryStartOnly= in favour of a new ExecStart= prefix char
1116 * add a new RuntimeDirectoryPreserve= mode that defines a similar lifecycle for
1117 the runtime dir as we maintain for the fdstore: i.e. keep it around as long
1118 as the unit is running or has a job queued.
1120 * support projid-based quota in machinectl for containers
1122 * add a way to lock down cgroup migration: a boolean, which when set for a unit
1123 makes sure the processes in it can never migrate out of it
1125 * blog about fd store and restartable services
1127 * document Environment=SYSTEMD_LOG_LEVEL=debug drop-in in debugging document
1129 * rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its
1130 magic meaning and is no longer upgraded to something else if set explicitly.
1132 * in the long run: permit a system with /etc/machine-id linked to /dev/null, to
1133 make it lose its identity, i.e. be anonymous. For this we'd have to patch
1134 through the whole tree to make all code deal with the case where no machine
1137 * optionally, collect cgroup resource data, and store it in per-unit RRD files,
1138 suitable for processing with rrdtool. Add bus API to access this data, and
1139 possibly implement a CPULoad property based on it.
1141 * beef up pam_systemd to take unit file settings such as cgroups properties as
1144 * maybe hook up xfs/ext4 quotactl() with services? i.e. automatically manage
1145 the quota of the user indicated in User= via unit file settings, like the
1146 other resource management concepts. Would mix nicely with DynamicUser=1. Or
1147 alternatively, do this with projids, so that we can also cover services
1148 running as root. Quota should probably cover all the special dirs such as
1149 StateDirectory=, LogsDirectory=, CacheDirectory=, as well as RootDirectory= if it
1150 is set, plus the whole disk space any image configured with RootImage=.
1152 * In DynamicUser= mode: before selecting a UID, use disk quota APIs on relevant
1153 disks to see if the UID is already in use.
1155 * expose IO accounting data on the bus, show it in systemd-run --wait and log
1156 about it in the resource log message
1158 * Add AddUser= setting to unit files, similar to DynamicUser=1 which however
1159 creates a static, persistent user rather than a dynamic, transient user. We
1160 can leverage code from sysusers.d for this.
1162 * add some optional flag to ReadWritePaths= and friends, that has the effect
1163 that we create the dir in question when the service is started. Example:
1165 ReadWritePaths=:/var/lib/foobar
1167 * Add ExecMonitor= setting. May be used multiple times. Forks off a process in
1168 the service cgroup, which is supposed to monitor the service, and when it
1169 exits the service is considered failed by its monitor.
1171 * track the per-service PAM process properly (i.e. as an additional control
1172 process), so that it may be queried on the bus and everything.
1174 * add a new "debug" job mode, that is propagated to unit_start() and for
1175 services results in two things: we raise SIGSTOP right before invoking
1176 execve() and turn off watchdog support. Then, use that to implement
1177 "systemd-gdb" for attaching to the start-up of any system service in its
1180 * gpt-auto logic: support encrypted swap, add kernel cmdline option to force it, and honour a gpt bit about it, plus maybe a configuration file
1182 * add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and
1183 then use that for the setting used in user@.service. It should be understood
1184 relative to the configured default value.
1186 * enable LockMLOCK to take a percentage value relative to physical memory
1188 * Permit masking specific netlink APIs with RestrictAddressFamily=
1190 * define gpt header bits to select volatility mode
1192 * ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
1194 * ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
1196 * ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
1198 * ProtectKeyRing= to take keyring calls away
1200 * RemoveKeyRing= to remove all keyring entries of the specified user
1202 * ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill
1203 on PID 1 with the relevant signals, and makes relevant files in /sys and
1204 /proc (such as the sysrq stuff) unavailable
1206 * Support ReadWritePaths/ReadOnlyPaths/InaccessiblePaths in systemd --user instances
1207 via the new unprivileged Landlock LSM (https://landlock.io)
1209 * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
1211 * in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set,
1212 find a way to map the User=/Group= of the service to the right name. This way
1213 a user/group for a service only has to exist on the host for the right
1216 * add bus API for creating unit files in /etc, reusing the code for transient units
1218 * add bus API to remove unit files from /etc
1220 * add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only)
1222 * rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the
1223 kernel doesn't support linkat() that replaces existing files, currently)
1225 * transient units: don't bother with actually setting unit properties, we
1226 reload the unit file anyway
1228 * optionally, also require WATCHDOG=1 notifications during service start-up and shutdown
1230 * cache sd_event_now() result from before the first iteration...
1232 * PID1: find a way how we can reload unit file configuration for
1233 specific units only, without reloading the whole of systemd
1235 * add an explicit parser for LimitRTPRIO= that verifies
1236 the specified range and generates sane error messages for incorrect
1239 * when we detect that there are waiting jobs but no running jobs, do something
1241 * PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn)
1243 * there's probably something wrong with having user mounts below /sys,
1244 as we have for debugfs. for example, src/core/mount.c handles mounts
1245 prefixed with /sys generally special.
1246 https://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html
1248 * fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline
1250 * initrd-parse-etc.service: can we skip daemon-reload if /sysroot/etc/fstab is missing?
1251 Note that we start initrd-fs.target and initrd-cleanup.target there, so a straightforward
1252 ConditionPathExists= is not enough.
1254 * docs: bring https://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date
1256 * add a job mode that will fail if a transaction would mean stopping
1257 running units. Use this in timedated to manage the NTP service
1259 https://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html
1261 * The udev blkid built-in should expose a property that reflects
1262 whether media was sensed in USB CF/SD card readers. This should then
1263 be used to control SYSTEMD_READY=1/0 so that USB card readers aren't
1264 picked up by systemd unless they contain a medium. This would mirror
1265 the behaviour we already have for CD drives.
1267 * hostnamectl: show root image uuid
1269 * Find a solution for SMACK capabilities stuff:
1270 https://lists.freedesktop.org/archives/systemd-devel/2014-December/026188.html
1272 * synchronize console access with BSD locks:
1273 https://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html
1275 * as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads:
1276 https://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html
1278 * figure out when we can use the coarse timers
1280 * maybe allow timer units with an empty Units= setting, so that they
1281 can be used for resuming the system but nothing else.
1283 * what to do about udev db binary stability for apps? (raw access is not an option)
1285 * exponential backoff in timesyncd when we cannot reach a server
1287 * timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM
1289 * merge ~/.local/share and ~/.local/lib into one similar /usr/lib and /usr/share....
1291 * add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL
1292 (throughout the codebase, not only PID1)
1294 * drop nss-myhostname in favour of nss-resolve?
1298 - service registration
1299 - service/domain/types browsing
1301 - DNS-SD service registration from socket units
1302 - resolved should optionally register additional per-interface LLMNR
1303 names, so that for the container case we can establish the same name
1304 (maybe "host") for referencing the server, everywhere.
1305 - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?)
1306 - hook up resolved with machined-based address resolution
1308 * refcounting in sd-resolve is borked
1310 * add new gpt type for btrfs volumes
1312 * generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them.
1314 * a way for container managers to turn off getty starting via $container_headless= or so...
1316 * figure out a nice way how we can let the admin know what child/sibling unit causes cgroup membership for a specific unit
1318 * For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services
1319 they run added to the initial transaction and thus confuse Type=idle.
1321 * add bus api to query unit file's X fields.
1323 * gpt-auto-generator:
1324 - Define new partition type for encrypted swap? Support probed LUKS for encrypted swap?
1325 - Make /home automount rather than mount?
1327 * add generator that pulls in systemd-network from containers when
1328 CAP_NET_ADMIN is set, more than the loopback device is defined, even
1329 when it is otherwise off
1331 * MessageQueueMessageSize= (and suchlike) should use parse_iec_size().
1333 * implement Distribute= in socket units to allow running multiple
1334 service instances processing the listening socket, and open this up
1338 - implement per-slice CPUFairScheduling=1 switch
1339 - introduce high-level settings for RT budget, swappiness
1340 - how to reset dynamically changed unit cgroup attributes sanely?
1341 - when reloading configuration, apply new cgroup configuration
1342 - when recursively showing the cgroup hierarchy, optionally also show
1343 the hierarchies of child processes
1344 - add settings for cgroup.max.descendants and cgroup.max.depth,
1345 maybe use them for user@.service
1348 - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt
1350 * when we detect low battery and no AC on boot, show pretty splash and refuse boot
1352 * libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops
1354 * be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1
1356 * rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it
1358 * After coming back from hibernation reset hibernation swap partition using the /dev/snapshot ioctl APIs
1360 * If we try to find a unit via a dangling symlink, generate a clean
1361 error. Currently, we just ignore it and read the unit from the search
1364 * refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up
1366 * man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted.
1368 * load .d/*.conf dropins for device units
1370 * There's currently no way to cancel fsck (used to be possible via C-c or c on the console)
1372 * add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/
1374 * make sure systemd-ask-password-wall does not shutdown systemd-ask-password-console too early
1376 * verify that the AF_UNIX sockets of a service in the fs still exist
1377 when we start a service in order to avoid confusion when a user
1378 assumes starting a service is enough to make it accessible
1380 * Make it possible to set the keymap independently from the font on
1381 the kernel cmdline. Right now setting one resets also the other.
1383 * and a dbus call to generate target from current state
1385 * investigate whether the gnome pty helper should be moved into systemd, to provide cgroup support.
1387 * dot output for --test showing the 'initial transaction'
1389 * be able to specify a forced restart of service A where service B depends on, in case B
1390 needs to be auto-respawned?
1393 - When logging about multiple units (stopping BoundTo units, conflicts, etc.),
1394 log both units as UNIT=, so that journalctl -u triggers on both.
1395 - generate better errors when people try to set transient properties
1396 that are not supported...
1397 https://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html
1398 - maybe introduce WantsMountsFor=? Usecase:
1399 https://lists.freedesktop.org/archives/systemd-devel/2015-January/027729.html
1400 - recreate systemd's D-Bus private socket file on SIGUSR2
1401 - move PAM code into its own binary
1402 - when we automatically restart a service, ensure we restart its rdeps, too.
1403 - hide PAM options in fragment parser when compile time disabled
1404 - Support --test based on current system state
1405 - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle().
1406 - after deserializing sockets in socket.c we should reapply sockopts and things
1407 - drop PID 1 reloading, only do reexecing (difficult: Reload()
1408 currently is properly synchronous, Reexec() is weird, because we
1409 cannot delay the response properly until we are back, so instead of
1410 being properly synchronous we just keep open the fd and close it
1411 when done. That means clients do not get a successful method reply,
1412 but much rather a disconnect on success.
1413 - when breaking cycles drop sysv services first, then services from /run, then from /etc, then from /usr
1414 - when a bus name of a service disappears from the bus make sure to queue further activation requests
1415 - maybe introduce CoreScheduling=yes/no to optionally set a PR_SCHED_CORE cookie, so that all
1416 processes in a service's cgroup share the same cookie and are guaranteed not to share SMT cores
1417 with other units https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/hw-vuln/core-scheduling.rst
1420 - allow port=0 in .socket units
1421 - maybe introduce ExecRestartPre=
1422 - add ReloadSignal= for configuring a reload signal to use
1423 - implement Register= switch in .socket units to enable registration
1424 in Avahi, RPC and other socket registration services.
1425 - allow Type=simple with PIDFile=
1426 https://bugzilla.redhat.com/show_bug.cgi?id=723942
1427 - allow writing multiple conditions in unit files on one line
1428 - introduce Type=pid-file
1429 - add a concept of RemainAfterExit= to scope units
1430 - Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely
1431 - add verification of [Install] section to systemd-analyze verify
1434 - timer units should get the ability to trigger when DST changes
1435 - Modulate timer frequency based on battery state
1437 * add libsystemd-password or so to query passwords during boot using the password agent logic
1439 * clean up date formatting and parsing so that all absolute/relative timestamps we format can also be parsed
1441 * on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?), get rid of systemd-update-utmp-runlevel
1443 * make repeated alt-ctrl-del presses printing a dump
1445 * currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not
1447 * add a pam module that passes the hdd passphrase into the PAM stack and then expires it, for usage by gdm auto-login.
1449 * add a pam module that on password changes updates any LUKS slot where the password matches
1452 - add unit tests for config_parse_device_allow()
1454 * seems that when we follow symlinks to units we prefer the symlink
1455 destination path over /etc and /usr. We should not do that. Instead
1456 /etc should always override /run+/usr and also any symlink
1459 * when isolating, try to figure out a way how we implicitly can order
1460 all units we stop before the isolating unit...
1462 * teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off})
1464 * Add ConditionDirectoryNotEmpty= handle non-absoute paths as a search path or add
1465 ConditionConfigSearchPathNotEmpty= or different syntax? See the discussion starting at
1466 https://github.com/systemd/systemd/pull/15109#issuecomment-607740136.
1468 * BootLoaderSpec: Define a way how an installer can figure out whether a BLS
1469 compliant boot loader is installed.
1471 * think about requeuing jobs when daemon-reload is issued? usecase:
1472 the initrd issues a reload after fstab from the host is accessible
1473 and we might want to requeue the mounts local-fs acquired through
1476 * systemd-inhibit: make taking delay locks useful: support sending SIGINT or SIGTERM on PrepareForSleep()
1478 * remove any syslog support from log.c — we probably cannot do this before split-off udev is gone for good
1480 * shutdown logging: store to EFI var, and store to USB stick?
1482 * merge unit_kill_common() and unit_kill_context()
1484 * add a dependency on standard-conf.xml and other included files to man pages
1486 * MountFlags=shared acts as MountFlags=slave right now.
1488 * properly handle loop back mounts via fstab, especially regards to fsck/passno
1490 * initialize the hostname from the fs label of /, if /etc/hostname does not exist?
1494 - GetAllProperties() on a non-existing object does not result in a failure currently
1495 - port to sd-resolve for connecting to TCP dbus servers
1496 - see if we can introduce a new sd_bus_get_owner_machine_id() call to retrieve the machine ID of the machine of the bus itself
1497 - see if we can drop more message validation on the sending side
1498 - add API to clone sd_bus_message objects
1499 - longer term: priority inheritance
1500 - dbus spec updates:
1501 - NameLost/NameAcquired obsolete
1503 - update systemd.special(7) to mention that dbus.socket is only about the compatibility socket now
1506 - allow multiple signal handlers per signal?
1507 - document chaining of signal handler for SIGCHLD and child handlers
1508 - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ...
1509 - maybe support iouring as backend, so that we allow hooking read and write
1510 operations instead of IO ready events into event loops. See considerations
1512 http://blog.vmsplice.net/2020/07/rethinking-event-loop-integration-for.html
1514 * dbus: when a unit failed to load (i.e. is in UNIT_ERROR state), we
1515 should be able to safely try another attempt when the bus call LoadUnit() is invoked.
1517 * maybe do not install getty@tty1.service symlink in /etc but in /usr?
1519 * print a nicer explanation if people use variable/specifier expansion in ExecStart= for the first word
1521 * mount: turn dependency information from /proc/self/mountinfo into dependency information between systemd units.
1523 * firstboot: allow provisioning of /etc/hosts entries, so that we can via the
1524 credentials logic insert host name to resolve into containers/hosts. Usecase:
1525 fork a container, and make it ping some specific address which is defined by
1526 the host on invocation
1528 * systemd-firstboot: make sure to always use chase_symlinks() before
1529 reading/writing files
1531 * firstboot: make it useful to be run immediately after yum --installroot to set up a machine. (most specifically, make --copy-root-password work even if /etc/passwd already exists
1533 * sd-boot: define a drop-in dir in the ESP that may contain X.509
1534 certificates. If the firmware is detected to be in setup mode, automatically
1535 enroll them as PK/KEK/db, turn off setup mode and proceed. Optionally,
1536 instead of auto-enrolling them add them to the sd-boot menu, giving the user
1537 the option to manually enroll them, after selecting the menu entry. This way,
1538 installer images can just drop the certfiicates in the ESP, and on first boot
1539 can easily enroll the keys without ever booting up.
1541 * efi stub: optionally, load initrd from disk as a separate file, HMAC check it
1542 with key from TPM, bound to PCR, refusing if failing. This would then allow
1543 traditional distros that generate initrds locally to secure them with TPM:
1544 after generating the initrd, do the HMAC calculation, put result in initrd
1545 filename, done. This would then bind the validity of the initrd to the local
1546 host, and used kernel, and means people cannot change initrd or kernel
1547 without booting the kernel + initrd.
1550 - honor language efi variables for default language selection (if there are any?)
1551 - honor timezone efi variables for default timezone selection (if there are any?)
1552 - change bootctl to be backed by systemd-bootd to control temporary and persistent default boot goal plus efi variables
1554 - recognize the case when not booted on EFI
1556 * bootctl,sd-boot: actually honour the "architecture" key
1559 - show whether UEFI audit mode is available
1560 - teach it to prepare an ESP wholesale, i.e. with mkfs.vfat invocation
1561 - teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host
1562 - make it operate on loopback files, dissecting enough to find ESP to operate on
1563 - bootspec: properly support boot attempt counters when parsing entry file names
1566 - optionally, support generating type #2 entries instead of type #1, including signing them
1569 - logind: optionally, ignore idle-hint logic for autosuspend, block suspend as long as a session is around
1570 - logind: wakelock/opportunistic suspend support
1571 - Add pretty name for seats in logind
1572 - logind: allow showing logout dialog from system?
1573 - add Suspend() bus calls which take timestamps to fix double suspend issues when somebody hits suspend and closes laptop quickly.
1574 - if pam_systemd is invoked by su from a process that is outside of a
1575 any session we should probably just become a NOP, since that's
1576 usually not a real user session but just some system code that just
1578 - logind: make the Suspend()/Hibernate() bus calls wait for the for
1579 the job to be completed. before returning, so that clients can wait
1580 for "systemctl suspend" to finish to know when the suspending is
1582 - logind: when the power button is pressed short, just popup a
1583 logout dialog. If it is pressed for 1s, do the usual
1584 shutdown. Inspiration are Macs here.
1585 - expose "Locked" property on logind session objects
1586 - maybe allow configuration of the StopTimeout for session scopes
1587 - rename session scope so that it includes the UID. THat way
1588 the session scope can be arranged freely in slices and we don't have
1589 make assumptions about their slice anymore.
1590 - follow PropertiesChanged state more closely, to deal with quick logouts and
1592 - (optionally?) spawn seat-manager@$SEAT.service whenever a seat shows up that as CanGraphical set
1593 - expose details of boot entries on the bus. In particular, it should be possible
1594 to query the list of boot entry titles that bootctl / sd-boot would show.
1595 Currently we only expose their identifiers.
1597 * move multiseat vid/pid matches from logind udev rule to hwdb
1599 * logind: rework pam_logind to also do a bus call in case of invocation from
1600 user@.service, which returns the XDG_RUNTIME_DIR value, and make this
1601 behaviour selectable via pam module option.
1603 * delay activation of logind until somebody logs in, or when /dev/tty0 pulls it
1604 in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle
1607 - consider introducing implicit _TTY= + _PPID= + _EUID= + _EGID= + _FSUID= + _FSGID= fields
1608 - journald: also get thread ID from client, plus thread name
1609 - journal: when waiting for journal additions in the client always sleep at least 1s or so, in order to minimize wakeups
1610 - add API to close/reopen/get fd for journal client fd in libsystemd-journal.
1611 - fall back to /dev/log based logging in libsystemd-journal, if we cannot log natively?
1612 - declare the local journal protocol stable in the wiki interface chart
1613 - sd-journal: speed up sd_journal_get_data() with transparent hash table in bg
1614 - journald: when dropping msgs due to ratelimit make sure to write
1615 "dropped %u messages" not only when we are about to print the next
1616 message that works, but already after a short timeout
1617 - check if we can make journalctl by default use --follow mode inside of less if called without args?
1618 - maybe add API to send pairs of iovecs via sd_journal_send
1619 - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access
1620 - journactl: support negative filtering, i.e. FOOBAR!="waldo",
1621 and !FOOBAR for events without FOOBAR.
1622 - journal: store timestamp of journal_file_set_offline() in the header,
1623 so it is possible to display when the file was last synced.
1624 - journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again.
1625 - journal: find a way to allow dropping history early, based on priority, other rules
1626 - journal: When used on NFS, check payload hashes
1627 - journald: add kernel cmdline option to disable ratelimiting for debug purposes
1628 - refuse taking lower-case variable names in sd_journal_send() and friends.
1629 - journald: we currently rotate only after MaxUse+MaxFilesize has been reached.
1630 - journal: deal nicely with byte-by-byte copied files, especially regards header
1631 - journal: sanely deal with entries which are larger than the individual file size, but where the components would fit
1632 - Replace utmp, wtmp, btmp, and lastlog completely with journal
1633 - journalctl: instead --after-cursor= maybe have a --cursor=XYZ+1 syntax?
1634 - when a kernel driver logs in a tight loop, we should ratelimit that too.
1635 - journald: optionally, log debug messages to /run but everything else to /var
1636 - journald: when we drop syslog messages because the syslog socket is
1637 full, make sure to write how many messages are lost as first thing
1638 to syslog when it works again.
1639 - journald: allow per-priority and per-service retention times when rotating/vacuuming
1640 - journald: make use of uid-range.h to managed uid ranges to split
1642 - journalctl: add the ability to look for the most recent process of a binary. journalctl /usr/bin/X11 --pid=-1 or so...
1643 - improve journalctl performance by loading journal files
1644 lazily. Encode just enough information in the file name, so that we
1645 do not have to open it to know that it is not interesting for us, for
1646 the most common operations.
1647 - man: document that corrupted journal files is nothing to act on
1648 - rework journald sigbus stuff to use mutex
1649 - Set RLIMIT_NPROC for systemd-journal-xyz, and all other of our
1650 services that run under their own user ids, and use User= (but only
1651 in a world where userns is ubiquitous since otherwise we cannot
1652 invoke those daemons on the host AND in a container anymore). Also,
1653 if LimitNPROC= is used without User= we should warn and refuse
1655 - journalctl --verify: don't show files that are currently being
1656 written to as FAIL, but instead show that their are being written to.
1657 - add journalctl -H that talks via ssh to a remote peer and passes through
1659 - add a version of --merge which also merges /var/log/journal/remote
1660 - journalctl: -m should access container journals directly by enumerating
1661 them via machined, and also watch containers coming and going.
1662 Benefit: nspawn --ephemeral would start working nicely with the journal.
1663 - assign MESSAGE_ID to log messages about failed services
1664 - check if loop in decompress_blob_xz() is necessary
1666 * journald: support RFC3164 fully for the incoming syslog transport, see
1667 https://github.com/systemd/systemd/issues/19251#issuecomment-816601955
1669 * Hook up journald's FSS logic with TPM2: seal the verification disk by
1670 time-based policy, so that the verification key can remain on host and ve
1673 * build short web pages out of each catalog entry, build them along with man
1674 pages, and include hyperlinks to them in the journal output
1676 * journald: do journal file writing out-of-process, with one writer process per
1677 client UID, so that synthetic hash table collisions can slow down a specific
1678 user's journal stream down but not the others.
1680 * tweak journald context caching. In addition to caching per-process attributes
1681 keyed by PID, cache per-cgroup attributes (i.e. the various xattrs we read)
1682 keyed by cgroup path, and guarded by ctime changes. This should provide us
1683 with a nice speed-up on services that have many processes running in the same
1686 * maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for
1687 the sd-journal logging socket, and, if the timeout is set to 0, sets
1688 O_NONBLOCK on it. That way people can control if and when to block for
1691 * journalctl: make sure -f ends when the container indicated by -M terminates
1693 * journald: sigbus API via a signal-handler safe function that people may call
1694 from the SIGBUS handler
1696 * add a test if all entries in the catalog are properly formatted.
1697 (Adding dashes in a catalog entry currently results in the catalog entry
1698 being silently skipped. journalctl --update-catalog must warn about this,
1699 and we should also have a unit test to check that all our message are OK.)
1702 - when user tries to log into record signed by unrecognized key, automatically add key to our chain after polkit auth
1703 - rollback when resize fails mid-operation
1704 - GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid)
1705 - update LUKS password on login if we find there's a password that unlocks the JSON record but not the LUKS device.
1706 - create on activate?
1707 - properties: icon url?, preferred session type?, administrator bool (which translates to 'wheel' membership)?, address?, telephone?, vcard?, samba stuff?, parental controls?
1708 - communicate clearly when usb stick is safe to remove. probably involves
1709 beefing up logind to make pam session close hook synchronous and wait until
1710 systemd --user is shut down.
1711 - logind: maybe keep a "busy fd" as long as there's a non-released session around or the user@.service
1712 - maybe make automatic, read-only, time-based reflink-copies of LUKS disk
1713 images (and btrfs snapshots of subvolumes) (think: time machine)
1714 - distinguish destroy / remove (i.e. currently we can unregister a user, unregister+remove their home directory, but not just remove their home directory)
1715 - in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl set-linger" mode work
1716 - fingerprint authentication, pattern authentication, …
1717 - make sure "classic" user records can also be managed by homed
1718 - make size of $XDG_RUNTIME_DIR configurable in user record
1719 - query password from kernel keyring first
1720 - update even if record is "absent"
1721 - move acct mgmt stuff from pam_systemd_home to pam_systemd?
1722 - when "homectl --pkcs11-token-uri=" is used, synthesize ssh-authorized-keys records for all keys we have private keys on the stick for
1723 - make slice for users configurable (requires logind rework)
1724 - logind: populate auto-login list bus property from PKCS#11 token
1725 - when determining state of a LUKS home directory, check DM suspended sysfs file
1726 - when homed is in use, maybe start the user session manager in a mount namespace with MS_SLAVE,
1727 so that mounts propagate down but not up - eg, user A setting up a backup volume
1728 doesn't mean user B sees it
1729 - use credentials logic/TPM2 logic to store homed signing key
1730 - permit multiple user record signing keys to be used locally, and pick
1731 the right one for signing records automatically depending on a pre-existing
1733 - add a way to "adopt" a home directory, i.e. strip foreign signatures
1734 and insert a local signature instead.
1735 - as an extension to the directory+subvolume backend: if located on
1736 especially marked fs, then sync down password into LUKS header of that fs,
1737 and always verify passwords against it too. Bootstrapping is a problem
1738 though: if no one is logged in (or no other user even exists yet), how do you
1739 unlock the volume in order to create the first user and add the first pw.
1740 - support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
1741 - maybe pre-create ~/.cache as subvol so that it can have separate quota
1743 - add a switch to homectl (maybe called --first-boot) where it will check if
1744 any non-system users exist, and if not prompts interactively for basic user
1745 info, mimicking systemd-firstboot. Then, place this in a service that runs
1746 after systemd-homed, but before gdm and friends, as a simple, barebones
1747 fallback logic to get a regular user created on uninitialized systems.
1748 - store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with
1749 systemd-cryptsetup, so that it can unlock homed volumes
1750 - maybe make all *.home files owned by `systemd-home` user or so, so that we
1751 can easily set overall quota for all users
1752 - on login, if we can't fallocate initially, but rebalance is on, then allow
1753 login in discard mode, then immediately rebalance, then turn off discard
1754 - extend user records with optional "bulk" data. Specifically, a user
1755 avatar/photo or so. This data should be stored along with the user record,
1756 but probably shouldn't be part of the record itself, since it might be
1759 * add a new switch --auto-definitions=yes/no or so to systemd-repart. If
1760 specified, synthesize a definition automatically if we can: enlarge last
1761 partition on disk, but only if it is marked for growing and not read-only.
1763 * systemd-repart: read LUKS encryption key from $CREDENTIALS_DIRECTORY
1765 * systemd-repart: add a switch to factory reset the partition table without
1766 immediately applying the new configuration again. i.e. --factory-reset=leave
1767 or so. (this is useful to factory reset an image, then putting it into
1768 another machine, ensuring that luks key is generated on new machine, not old)
1770 * systemd-repart: support setting up dm-integrity with HMAC
1772 * systemd-repart: maybe remove half-initialized image on failure. It fails
1773 if the output file exists, so a repeated invocation will usually fail if
1774 something goes wrong on the way.
1776 * systemd-repart: drop pager mode on normal operation?
1778 * systemd-repart: by default generate minimized partition tables (i.e. tables
1779 that only cover the space actually used, excluding any free space at the
1780 end), in order to maximize dd'ability. Requires libfdisk work, see
1781 https://github.com/karelzak/util-linux/issues/907
1783 * systemd-repart: MBR partition table support. Care needs to be taken regarding
1784 Type=, so that partition definitions can sanely apply to both the GPT and the
1785 MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types
1786 for the two partition types explicitly. And provide an internal mapping so
1787 that "Type=linux-generic" maps to the right types for both partition tables
1790 * systemd-repart: allow sizing partitions as factor of available RAM, so that
1791 we can reasonably size swap partitions for hibernation.
1793 * systemd-repart: allow boolean option that ensures that if existing partition
1794 doesn't exist within the configured size bounds the whole command fails. This
1795 is useful to implement ESP vs. XBOOTLDR schemes in installers: have one set
1796 of repart files for the case where ESP is large enough and one where it isn't
1797 and XBOOTLDR is added in instead. Then apply the former first, and if it
1798 fails to apply use the latter.
1800 * systemd-repart: add per-partition option to never reuse existing partition
1801 and always create anew even if matching partition already exists.
1803 * systemd-repart: add per-partition option to fail if partition already exist,
1804 i.e. is not added new. Similar, add option to fail if partition does not exist yet.
1806 * systemd-repart: allow disabling growing of specific partitions, or making
1807 them (think ESP: we don't ever want to grow it, since we cannot resize vfat)
1809 * systemd-repart: make it a static checker during early boot for existence and
1810 absence of other partitions for trusted boot environments
1813 - document that deps in [Unit] sections ignore Alias= fields in
1814 [Install] units of other units, unless those units are disabled
1815 - man: clarify that time-sync.target is not only sysv compat but also useful otherwise. Same for similar targets
1816 - document that service reload may be implemented as service reexec
1817 - add a man page containing packaging guidelines and recommending usage of things like Documentation=, PrivateTmp=, PrivateNetwork= and ReadOnlyDirectories=/etc /usr.
1818 - document systemd-journal-flush.service properly
1819 - documentation: recommend to connect the timer units of a service to the service via Also= in [Install]
1820 - man: document the very specific env the shutdown drop-in tools live in
1821 - man: add more examples to man pages,
1822 - in particular an example how to do the equivalent of switching runlevels
1823 - man: maybe sort directives in man pages, and take sections from --help and apply them to man too
1824 - document root=gpt-auto properly
1827 - add systemctl switch to dump transaction without executing it
1828 - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done
1829 - "systemctl disable" on a static unit prints no message and does
1830 nothing. "systemctl enable" does nothing, and gives a bad message
1831 about it. Should fix both to print nice actionable messages.
1832 - print nice message from systemctl --failed if there are no entries shown, and hook that into ExecStartPre of rescue.service/emergency.service
1833 - add new command to systemctl: "systemctl system-reexec" which reexecs as many daemons as virtually possible
1834 - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards?
1835 - systemctl: "Journal has been rotated since unit was started." message is misleading
1836 - systemctl status output should include list of triggering units and their status
1838 * introduce an option (or replacement) for "systemctl show" that outputs all
1839 properties as JSON, similar to busctl's new JSON output. In contrast to that
1840 it should skip the variant type string though.
1842 * add an explicit "vertical" mode to format-table, so that "systemctl
1843 status"-like outputs (i.e. with a series of field names left and values
1844 right) become genuine first class citizens, and we gain automatic, sane JSON
1847 * Add a "systemctl list-units --by-slice" mode or so, which rearranges the
1848 output of "systemctl list-units" slightly by showing the tree structure of
1849 the slices, and the units attached to them.
1851 * add "systemctl wait" or so, which does what "systemd-run --wait" does, but
1852 for all units. It should be both a way to pin units into memory as well as a
1853 wait to retrieve their exit data.
1855 * show whether a service has out-of-date configuration in "systemctl status" by
1856 using mtime data of ConfigurationDirectory=.
1858 * "systemctl preset-all" should probably order the unit files it
1859 operates on lexicographically before starting to work, in order to
1860 ensure deterministic behaviour if two unit files conflict (like DMs
1863 * add "systemctl start -v foobar.service" that shows logs of a service
1864 while the start command runs. This is non-trivial to do without
1865 races though, since we should flush out all journal messages before
1866 returning from the "systemctl stop".
1868 * systemctl: if some operation fails, show log output?
1870 * Add a new verb "systemctl top"
1873 - "systemctl mask" should find all names by which a unit is accessible
1874 (i.e. by scanning for symlinks to it) and link them all to /dev/null
1877 - emulate /dev/kmsg using CUSE and turn off the syslog syscall
1878 with seccomp. That should provide us with a useful log buffer that
1879 systemd can log to during early boot, and disconnect container logs
1880 from the kernel's logs.
1881 - as soon as networkd has a bus interface, hook up --network-interface=,
1882 --network-bridge= with networkd, to trigger netdev creation should an
1883 interface be missing
1884 - a nice way to boot up without machine id set, so that it is set at boot
1885 automatically for supporting --ephemeral. Maybe hash the host machine id
1886 together with the machine name to generate the machine id for the container
1887 - fix logic always print a final newline on output.
1888 https://github.com/systemd/systemd/pull/272#issuecomment-113153176
1889 - should optionally support receiving WATCHDOG=1 messages from its payload
1891 - optionally automatically add FORWARD rules to iptables whenever nspawn is
1892 running, remove them when shut down.
1894 * nspawn: add support for sysext extensions, too. i.e. a new --extension=
1895 switch that takes one or more arguments, and applies the extensions already
1898 * when main nspawn supervisor process gets suspended due to SIGSTOP/SIGTTOU or
1899 so, freeze the payload too.
1901 * machined: add API to acquire UID range. add API to mount/dissect loopback
1902 file. Both protected by PK. Then make nspawn use these APIs to run
1903 unprivileged containers. i.e. push the truly privileged bits into machined,
1904 so that the client side can remain entirely unprivileged, with SUID or
1907 * nspawn: support time namespaces
1909 * nspawn: on cgroupsv1 issue cgroup empty handler process based on host events,
1910 so that we make cgroup agent logic safe
1912 * nspawn/machined: add API to invoke binary in container, then use that as
1913 fallback in "machinectl shell"
1915 * nspawn: make nspawn suitable for shell pipelines: instead of triggering a
1916 hangup when input is finished, send ^D, which synthesizes an EOF. Then wait
1917 for hangup or ^D before passing on the EOF.
1919 * nspawn: greater control over selinux label?
1921 * nspawn: support that /proc, /sys/, /dev are pre-mounted
1924 - add an API so that libvirt-lxc can inform us about network interfaces being
1925 removed or added to an existing machine
1926 - "machinectl migrate" or similar to copy a container from or to a
1927 difference host, via ssh
1928 - introduce systemd-nspawn-ephemeral@.service, and hook it into
1929 "machinectl start" with a new --ephemeral switch
1930 - "machinectl status" should also show internal logs of the container in
1932 - "machinectl history"
1934 - "machinectl commit" that takes a writable snapshot of a tree, invokes a
1935 shell in it, and marks it read-only after use
1940 - add trigger --subsystem-match=usb/usb_device device
1941 - reimport udev db after MOVE events for devices without dev_t
1944 - save coredump in Windows/Mozilla minidump format
1945 - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps
1947 * support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting)
1950 - apply "x" on "D" too (see patch from William Douglas)
1951 - instead of ignoring unknown fields, reject them.
1952 - creating new directories/subvolumes/fifos/device nodes
1953 should not follow symlinks. None of the other adjustment or creation
1954 calls follow symlinks.
1956 - teach tmpfiles.d q/Q logic something sensible in the context of XFS/ext4
1960 - Make sure ID_PATH is always exported and complete for
1961 network devices where possible, so we can safely rely
1965 - add support for more attribute types
1966 - inbuilt piping support (essentially degenerate async)? see loopback-setup.c and other places
1969 - add more keys to [Route] and [Address] sections
1970 - add support for more DHCPv4 options (and, longer term, other kinds of dynamic config)
1971 - add reduced [Link] support to .network files
1972 - properly handle routerless dhcp leases
1973 - work with non-Ethernet devices
1974 - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from?
1975 - the DHCP lease data (such as NTP/DNS) is still made available when
1976 a carrier is lost on a link. It should be removed instantly.
1977 - expose in the API the following bits:
1978 - option 15, domain name
1979 - option 12, hostname and/or option 81, fqdn
1980 - option 123, 144, geolocation
1981 - option 252, configure http proxy (PAC/wpad)
1982 - provide a way to define a per-network interface default metric value
1983 for all routes to it. possibly a second default for DHCP routes.
1984 - allow Name= to be specified repeatedly in the [Match] section. Maybe also
1985 support Name=foo*|bar*|baz ?
1986 - whenever uplink info changes, make DHCP server send out FORCERENEW
1988 * in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us
1990 * Figure out how to do unittests of networkd's state serialization
1993 - figure out how much we can increase Maximum Message Size
1996 - add functions to set previously stored IPv6 addresses on startup and get
1997 them at shutdown; store them in client->ia_na
1998 - write more test cases
1999 - implement reconfigure support, see 5.3., 15.11. and 22.20.
2000 - implement support for temporary adressess (IA_TA)
2001 - implement dhcpv6 authentication
2002 - investigate the usefulness of Confirm messages; i.e. are there any
2003 situations where the link changes without any loss in carrier detection
2005 - some servers don't do rapid commit without a filled in IA_NA, verify