systemd System and Service Manager
+CHANGES WITH 236 in spe:
+
+ * The modprobe.d drop-in, introduced in v235 for the bonding module,
+ has been extended to also set the dummy module option numdummies=0,
+ resolving issues with the kernel creating dummy0.
+
+ * systemd-resolved now maintains a new dynamic
+ /run/systemd/resolve/stub-resolv.conf compatibility file. It is now
+ recommended to maintain /etc/resolv.conf as a symlink to this new
+ dynamic file. It points at the systemd-resolved stub DNS 127.0.0.53
+ resolver and it includes dynamically acquired search domains. This
+ achieves a more correct DNS resolution by software that bypasses
+ local DNS APIs (e.g. NSS).
+
+ * uaccess tag has been dropped from /dev/kvm and /dev/dri/renderD*.
+ These devices now have 0666 permsions by default. /dev/dri/renderD*
+ will now be owned by the render group along with /dev/kfd.
+
CHANGES WITH 235:
+ * INCOMPATIBILITY: systemd-logind.service and other long-running
+ services now run inside an IPv4/IPv6 sandbox, prohibiting them any IP
+ communication with the outside. This generally improves security of
+ the system, and is in almost all cases a safe and good choice, as
+ these services do not and should not provide any network-facing
+ functionality. However, systemd-logind uses the glibc NSS API to
+ query the user database. This creates problems on systems where NSS
+ is set up to directly consult network services for user database
+ lookups. In particular, this creates incompatibilities with the
+ "nss-nis" module, which attempts to directly contact the NIS/YP
+ network servers it is configured for, and will now consistently
+ fail. In such cases, it is possible to turn off IP sandboxing for
+ systemd-logind.service (set IPAddressDeny= in its [Service] section
+ to the empty string, via a .d/ unit file drop-in). Downstream
+ distributions might want to update their nss-nis packaging to include
+ such a drop-in snippet, accordingly, to hide this incompatibility
+ from the user. Another option is to make use of glibc's nscd service
+ to proxy such network requests through a privilege-separated, minimal
+ local caching daemon, or to switch to more modern technologies such
+ sssd, whose NSS hook-ups generally do not involve direct network
+ access. In general, we think it's definitely time to question the
+ implementation choices of nss-nis, i.e. whether it's a good idea
+ today to embed a network-facing loadable module into all local
+ processes that need to query the user database, including the most
+ trivial and benign ones, such as "ls". For more details about
+ IPAddressDeny= see below.
+
* A new modprobe.d drop-in is now shipped by default that sets the
bonding module option max_bonds=0. This overrides the kernel default,
to avoid conflicts and ambiguity as to whether or not bond0 should be
each time the service is restarted due to Restart=, and may be
queried using "systemctl show -p NRestarts …".
- * New system call filter groups @setuid, @memlock, @signal and
- @timer have been added, for usage with SystemCallFilter=
+ * New system call filter groups @aio, @sync, @chown, @setuid, @memlock,
+ @signal and @timer have been added, for usage with SystemCallFilter=
in unit files and the new --system-call-filter= command line option
of systemd-nspawn (see above).
too. Note that while the other databases are world-readable
(i.e. 0644), btmp is not and remains more restrictive.
+ * The systemd-resolve tool gained a new --reset-server-features
+ switch. When invoked like this systemd-resolved will forget
+ everything it learnt about the features supported by the configured
+ upstream DNS servers, and restarts the feature probing logic on the
+ next resolver look-up for them at the highest feature level
+ again.
+
+ * The status dump systemd-resolved sends to the logs upon receiving
+ SIGUSR1 now also includes information about all DNS servers it is
+ configured to use, and the features levels it probed for them.
+
Contributions from: Abdó Roig-Maranges, Alan Jenkins, Alexander
Kuleshov, Andreas Rammhold, Andrew Jeddeloh, Andrew Soutar, Ansgar
- Burchardt, b1tninja, bengal, Benjamin Berg, Benjamin Robin, Charles
- Huber, Christian Hesse, Daniel Berrange, Daniel Mack, Daniel Rusek,
- dasj19, Davide Cavalca, Dimitri John Ledkov, Diogo Pereira, Djalal
- Harouni, dkg, dmig, Dmitry Torokhov, ettavolt, Evgeny Vereshchagin,
- Fabio Kung, Felipe Sateler, Franck Bui, g0tar, Hans de Goede, Harald
- Hoyer, Insun Pyo, Ivan Kurnosov, Ivan Shapovalov, Jakub Wilk, Jan
- Synacek, Jason Gunthorpe, Jeremy Bicha, Jérémy Rosen, John Lin,
- jonasBoss, Jonathan Lebon, Jonathan Teh, Jon Ringle, Jörg Thalheim,
- Jouke Witteveen, juga0, Justin Michaud, Kai-Heng Feng, Lennart
- Poettering, Lion Yang, Luca Bruno, Lucas Werkmeister, Lukáš Nykrýn,
- Marcel Hollerbach, Marcus Lundblad, Martin Pitt, Michael Biebl, Michael
- Grzeschik, Michal Sekletar, Mike Gilbert, Neil Brown, Nicolas Iooss,
- Patrik Flykt, pEJipE, Piotr Drąg, Russell Stuart, S. Fan, Shengyao Xue,
- Stefan Pietsch, Susant Sahani, Tejun Heo, Thomas Miller, Thomas Sailer,
- Tobias Hunger, Tom Gundersen, Tommi Rantala, Topi Miettinen, Torstein
- Husebø, userwithuid, Vasilis Liaskovitis, Vito Caputo, WaLyong Cho,
- William Douglas, Xiang Fan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek
-
- — Berlin, 2017-10-XX
+ Burchardt, Beniamino Galvani, Benjamin Berg, Benjamin Robin, Charles
+ Huber, Christian Hesse, Daniel Berrange, Daniel Kahn Gillmor, Daniel
+ Mack, Daniel Rusek, Daniel Șerbănescu, Davide Cavalca, Dimitri John
+ Ledkov, Diogo Pereira, Djalal Harouni, Dmitriy Geels, Dmitry Torokhov,
+ ettavolt, Evgeny Vereshchagin, Fabio Kung, Felipe Sateler, Franck Bui,
+ Hans de Goede, Harald Hoyer, Insun Pyo, Ivan Kurnosov, Ivan Shapovalov,
+ Jakub Wilk, Jan Synacek, Jason Gunthorpe, Jeremy Bicha, Jérémy Rosen,
+ John Lin, jonasBoss, Jonathan Lebon, Jonathan Teh, Jon Ringle, Jörg
+ Thalheim, Jouke Witteveen, juga0, Justin Capella, Justin Michaud,
+ Kai-Heng Feng, Lennart Poettering, Lion Yang, Luca Bruno, Lucas
+ Werkmeister, Lukáš Nykrýn, Marcel Hollerbach, Marcus Lundblad, Martin
+ Pitt, Michael Biebl, Michael Grzeschik, Michal Sekletar, Mike Gilbert,
+ Neil Brown, Nicolas Iooss, Patrik Flykt, pEJipE, Piotr Drąg, Russell
+ Stuart, S. Fan, Shengyao Xue, Stefan Pietsch, Susant Sahani, Tejun Heo,
+ Thomas Miller, Thomas Sailer, Tobias Hunger, Tomasz Pala, Tom
+ Gundersen, Tommi Rantala, Topi Miettinen, Torstein Husebø, userwithuid,
+ Vasilis Liaskovitis, Vito Caputo, WaLyong Cho, William Douglas, Xiang
+ Fan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek
+
+ — Berlin, 2017-10-06
CHANGES WITH 234: