systemd System and Service Manager
+CHANGES WITH 236 in spe:
+
+ * The modprobe.d drop-in, introduced in v235 for the bonding module,
+ has been extended to also set the dummy module option numdummies=0,
+ resolving issues with the kernel creating dummy0.
+
+ * systemd-resolved now maintains a new dynamic
+ /run/systemd/resolve/stub-resolv.conf compatibility file. It is now
+ recommended to maintain /etc/resolv.conf as a symlink to this new
+ dynamic file. It points at the systemd-resolved stub DNS 127.0.0.53
+ resolver and it includes dynamically acquired search domains. This
+ achieves a more correct DNS resolution by software that bypasses
+ local DNS APIs (e.g. NSS).
+
+ * uaccess tag has been dropped from /dev/kvm and /dev/dri/renderD*.
+ These devices now have 0666 permsions by default. /dev/dri/renderD*
+ will now be owned by the render group along with /dev/kfd.
+
CHANGES WITH 235:
+ * INCOMPATIBILITY: systemd-logind.service and other long-running
+ services now run inside an IPv4/IPv6 sandbox, prohibiting them any IP
+ communication with the outside. This generally improves security of
+ the system, and is in almost all cases a safe and good choice, as
+ these services do not and should not provide any network-facing
+ functionality. However, systemd-logind uses the glibc NSS API to
+ query the user database. This creates problems on systems where NSS
+ is set up to directly consult network services for user database
+ lookups. In particular, this creates incompatibilities with the
+ "nss-nis" module, which attempts to directly contact the NIS/YP
+ network servers it is configured for, and will now consistently
+ fail. In such cases, it is possible to turn off IP sandboxing for
+ systemd-logind.service (set IPAddressDeny= in its [Service] section
+ to the empty string, via a .d/ unit file drop-in). Downstream
+ distributions might want to update their nss-nis packaging to include
+ such a drop-in snippet, accordingly, to hide this incompatibility
+ from the user. Another option is to make use of glibc's nscd service
+ to proxy such network requests through a privilege-separated, minimal
+ local caching daemon, or to switch to more modern technologies such
+ sssd, whose NSS hook-ups generally do not involve direct network
+ access. In general, we think it's definitely time to question the
+ implementation choices of nss-nis, i.e. whether it's a good idea
+ today to embed a network-facing loadable module into all local
+ processes that need to query the user database, including the most
+ trivial and benign ones, such as "ls". For more details about
+ IPAddressDeny= see below.
+
* A new modprobe.d drop-in is now shipped by default that sets the
bonding module option max_bonds=0. This overrides the kernel default,
to avoid conflicts and ambiguity as to whether or not bond0 should be
bond0 interface using systemd-networkd.
* systemd-analyze gained new verbs "get-log-level" and "get-log-target"
- which print the logging level and target of the system manager,
- respectively. They complement the existing "set-log-level" and
- "set-log-target" verbs, which can be used to change those values.
-
- * systemd-networkd .network DHCP setting UseMTU default has changed
- from false to true. Meaning, DHCP server advertised MTU setting is
- now applied by default. This resolves networking issues on low-mtu
- networks.
+ which print the logging level and target of the system manager. They
+ complement the existing "set-log-level" and "set-log-target" verbs
+ used to change those values.
* journald.conf gained a new boolean setting ReadKMsg= which defaults
to on. If turned off kernel log messages will not be read by
- systemd-journald and not be included in the logs. It also gained a
- new setting LineMax= for configuring the maximum line length to allow
- when converting STDOUT/STDERR log streams into individual log
- records. The new default for this value is 48K, up from the previous
- hardcoded 4K.
+ systemd-journald or included in the logs. It also gained a new
+ setting LineMax= for configuring the maximum line length in
+ STDOUT/STDERR log streams. The new default for this value is 48K, up
+ from the previous hardcoded 2048.
- * A new setting RuntimeDirectoryPreserve= for units has been added,
- which allows more detailed control of what to do with a runtime
- directory configured with RuntimeDirectory= (i.e. a directory below
- /run or $XDG_RUNTIME_DIR) after a unit is stopped.
+ * A new unit setting RuntimeDirectoryPreserve= has been added, which
+ allows more detailed control of what to do with a runtime directory
+ configured with RuntimeDirectory= (i.e. a directory below /run or
+ $XDG_RUNTIME_DIR) after a unit is stopped.
* The RuntimeDirectory= setting for units gained support for creating
deeper subdirectories below /run or $XDG_RUNTIME_DIR, instead of just
* Units gained new options StateDirectory=, CacheDirectory=,
LogsDirectory= and ConfigurationDirectory= which are closely related
to RuntimeDirectory= but manage per-service directories below
- /var/lib, /var/cache, /var/log and /etc. By making use of this it is
+ /var/lib, /var/cache, /var/log and /etc. By making use of them it is
possible to write unit files which when activated automatically gain
properly owned service specific directories in these locations, thus
making unit files self-contained and increasing compatibility with
unpopulated at boot. Matching these new settings there's also
StateDirectoryMode=, CacheDirectoryMode=, LogsDirectoryMode=,
ConfigurationDirectoryMode= for configuring the access mode of these
- directories.
+ directories. These settings are particularly useful in combination
+ with DynamicUser=yes as they provide secure, properly-owned,
+ writable, and stateful locations for storage, excluded from the
+ sandbox that such services live in otherwise.
* Automake support has been removed from this release. systemd is now
Meson-only.
configuring TCP/IPv6 hardware segmentation offload.
* The IPv6 RA sender implementation may now optionally send out RDNSS
- and RDNSSL records for supplying DNS configuration to peers.
+ and RDNSSL records to supply DNS configuration to peers.
* systemd-nspawn gained support for a new --system-call-filter= command
- line option for adding/removing entries in the default system call
- filter it applies. Moreover systemd-nspawn has been changed to
+ line option for adding and removing entries in the default system
+ call filter it applies. Moreover systemd-nspawn has been changed to
implement a system call whitelist instead of a blacklist.
* systemd-run gained support for a new --pipe command line option. If
used the STDIN/STDOUT/STDERR file descriptors passed to systemd-run
are directly passed on to the activated transient service
- binary. This allows invoking arbitrary processes as systemd services
- (for example to take benefit of dependency management, accounting
- management, resource management or log management that is done
- automatically for services) — while still allowing them to be
+ executable. This allows invoking arbitrary processes as systemd
+ services (for example to take benefit of dependency management,
+ accounting management, resource management or log management that is
+ done automatically for services) — while still allowing them to be
integrated in a classic UNIX shell pipeline.
* When a service sends RELOAD=1 via sd_notify() and reload propagation
each time the service is restarted due to Restart=, and may be
queried using "systemctl show -p NRestarts …".
- * New system call filter groups @setuid, @memlock, @signal and
- @timer have been added, for usage with SystemCallFilter=
+ * New system call filter groups @aio, @sync, @chown, @setuid, @memlock,
+ @signal and @timer have been added, for usage with SystemCallFilter=
in unit files and the new --system-call-filter= command line option
of systemd-nspawn (see above).
* A new special target "getty-pre.target" has been added, which is
ordered before all text logins, and may be used to order services
- before, that shall run before these textual logins acquire access to
- the console.
+ before textual logins acquire access to the console.
* systemd will now attempt to load the virtio-rng.ko kernel module very
early on if a VM environment supporting this is detected. This should
* A _netdev option is now supported in /etc/crypttab that operates in a
similar way as the same option in /etc/fstab: it permits configuring
- encrypted devices that need to be ordered after the network coming
- up. Following this logic, two new special targets
+ encrypted devices that need to be ordered after the network is up.
+ Following this logic, two new special targets
remote-cryptsetup-pre.target and remote-cryptsetup.target have been
- added that are to cryptsetup.target what
- remote-fs.target/remote-fs-pre.target are to local-fs.target.
+ added that are to cryptsetup.target what remote-fs.target and
+ remote-fs-pre.target are to local-fs.target.
* Service units gained a new UnsetEnvironment= setting which permits
- unsetting specific environment variables for specific services that
- are normally passed to it (for example in order to mask out locale
+ unsetting specific environment variables for services that are
+ normally passed to it (for example in order to mask out locale
settings for specific services that can't deal with it).
* Units acquired a new boolean option IPAccounting=. When turned on, IP
enforced on every single IPv4 and IPv6 socket created by any process
of the service unit, and apply to ingress as well as egress traffic.
- * If CPUAccounting= or IPAccounting= is turned on for a unit a new,
- recognizable log message is generated each time the unit is stopped,
+ * If CPUAccounting= or IPAccounting= is turned on for a unit a new
+ structured log message is generated each time the unit is stopped,
containing information about the consumed resources of this
invocation.
used to control how the kernel keyring is set up for executed
processes.
+ * "systemctl poweroff", "systemctl reboot", "systemctl halt",
+ "systemctl kexec" and "systemctl exit" are now always asynchronous in
+ behaviour (that is: these commands return immediately after the
+ operation was enqueued instead of waiting for the operation to
+ complete). Previously, "systemctl poweroff" and "systemctl reboot"
+ were asynchronous on systems using systemd-logind (i.e. almost
+ always, and like they were on sysvinit), and the other three commands
+ were unconditionally synchronous. With this release this is cleaned
+ up, and callers will see the same asynchronous behaviour on all
+ systems for all five operations.
+
+ * systemd-logind gained new Halt() and CanHalt() bus calls for halting
+ the system.
+
* .timer units now accept calendar specifications in other timezones
than UTC or the local timezone.
+ * The tmpfiles snippet var.conf has been changed to create
+ /var/log/btmp with access mode 0660 instead of 0600. It was owned by
+ the "utmp" group already, and it appears to be generally understood
+ that members of "utmp" can modify/flush the utmp/wtmp/lastlog/btmp
+ databases. Previously this was implemented correctly for all these
+ databases excepts btmp, which has been opened up like this now
+ too. Note that while the other databases are world-readable
+ (i.e. 0644), btmp is not and remains more restrictive.
+
+ * The systemd-resolve tool gained a new --reset-server-features
+ switch. When invoked like this systemd-resolved will forget
+ everything it learnt about the features supported by the configured
+ upstream DNS servers, and restarts the feature probing logic on the
+ next resolver look-up for them at the highest feature level
+ again.
+
+ * The status dump systemd-resolved sends to the logs upon receiving
+ SIGUSR1 now also includes information about all DNS servers it is
+ configured to use, and the features levels it probed for them.
+
Contributions from: Abdó Roig-Maranges, Alan Jenkins, Alexander
Kuleshov, Andreas Rammhold, Andrew Jeddeloh, Andrew Soutar, Ansgar
- Burchardt, b1tninja, bengal, Benjamin Berg, Benjamin Robin, Charles
- Huber, Christian Hesse, Daniel Berrange, Daniel Mack, Daniel Rusek,
- dasj19, Davide Cavalca, Dimitri John Ledkov, Diogo Pereira, Djalal
- Harouni, dkg, dmig, Dmitry Torokhov, ettavolt, Evgeny Vereshchagin,
- Fabio Kung, Felipe Sateler, Franck Bui, g0tar, Hans de Goede, Harald
- Hoyer, Insun Pyo, Ivan Kurnosov, Ivan Shapovalov, Jakub Wilk, Jan
- Synacek, Jason Gunthorpe, Jeremy Bicha, Jérémy Rosen, John Lin,
- jonasBoss, Jonathan Lebon, Jonathan Teh, Jon Ringle, Jörg Thalheim,
- Jouke Witteveen, juga0, Justin Michaud, Kai-Heng Feng, Lennart
- Poettering, Lion Yang, Luca Bruno, Lucas Werkmeister, Lukáš Nykrýn,
- Marcel Hollerbach, Marcus Lundblad, Martin Pitt, Michael Biebl, Michael
- Grzeschik, Michal Sekletar, Mike Gilbert, Neil Brown, Nicolas Iooss,
- Patrik Flykt, pEJipE, Russell Stuart, S. Fan, Shengyao Xue, Stefan
- Pietsch, Susant Sahani, Tejun Heo, Thomas Miller, Thomas Sailer, Tobias
- Hunger, Tom Gundersen, Tommi Rantala, Topi Miettinen, Torstein Husebø,
- userwithuid, Vito Caputo, vliaskov, WaLyong Cho, William Douglas, Xiang
+ Burchardt, Beniamino Galvani, Benjamin Berg, Benjamin Robin, Charles
+ Huber, Christian Hesse, Daniel Berrange, Daniel Kahn Gillmor, Daniel
+ Mack, Daniel Rusek, Daniel Șerbănescu, Davide Cavalca, Dimitri John
+ Ledkov, Diogo Pereira, Djalal Harouni, Dmitriy Geels, Dmitry Torokhov,
+ ettavolt, Evgeny Vereshchagin, Fabio Kung, Felipe Sateler, Franck Bui,
+ Hans de Goede, Harald Hoyer, Insun Pyo, Ivan Kurnosov, Ivan Shapovalov,
+ Jakub Wilk, Jan Synacek, Jason Gunthorpe, Jeremy Bicha, Jérémy Rosen,
+ John Lin, jonasBoss, Jonathan Lebon, Jonathan Teh, Jon Ringle, Jörg
+ Thalheim, Jouke Witteveen, juga0, Justin Capella, Justin Michaud,
+ Kai-Heng Feng, Lennart Poettering, Lion Yang, Luca Bruno, Lucas
+ Werkmeister, Lukáš Nykrýn, Marcel Hollerbach, Marcus Lundblad, Martin
+ Pitt, Michael Biebl, Michael Grzeschik, Michal Sekletar, Mike Gilbert,
+ Neil Brown, Nicolas Iooss, Patrik Flykt, pEJipE, Piotr Drąg, Russell
+ Stuart, S. Fan, Shengyao Xue, Stefan Pietsch, Susant Sahani, Tejun Heo,
+ Thomas Miller, Thomas Sailer, Tobias Hunger, Tomasz Pala, Tom
+ Gundersen, Tommi Rantala, Topi Miettinen, Torstein Husebø, userwithuid,
+ Vasilis Liaskovitis, Vito Caputo, WaLyong Cho, William Douglas, Xiang
Fan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek
- — Berlin, 2017-09-XX
+ — Berlin, 2017-10-06
CHANGES WITH 234: