systemd System and Service Manager
+CHANGES WITH 236 in spe:
+
+ * The modprobe.d/ drop-in for the bonding.ko kernel module introduced
+ in v235 has been extended to also set the dummy.ko module option
+ numdummies=0, preventing the kernel from automatically creating
+ dummy0. All dummy interfaces must now be explicitly created.
+
+ * Unknown specifiers are now rejected. This applies to units and
+ tmpfiles.d configuration. Any percent characters that are followed by
+ a letter or digit that are not supposed to be interpreted as the
+ beginning of a specifier should be escaped by doubling ("%%").
+ (So "size=5%" is still accepted, as well as "size=5%,foo=bar", but
+ not "LABEL=x%y%z" since %y and %z are not valid specifiers today.)
+
+ * systemd-resolved now maintains a new dynamic
+ /run/systemd/resolve/stub-resolv.conf compatibility file. It is
+ recommended to make /etc/resolv.conf a symlink to it. This file
+ points at the systemd-resolved stub DNS 127.0.0.53 resolver and
+ includes dynamically acquired search domains, achieving more correct
+ DNS resolution by software that bypasses local DNS APIs such as NSS.
+
+ * The "uaccess" udev tag has been dropped from /dev/kvm and
+ /dev/dri/renderD*. These devices now have the 0666 permissions by
+ default (but this may be changed at build-time). /dev/dri/renderD*
+ will now be owned by the "render" group along with /dev/kfd.
+
+ * "DynamicUser=yes" has been enabled for systemd-timesyncd.service,
+ systemd-journal-gatewayd.service and
+ systemd-journal-upload.service. This means "nss-systemd" must be
+ enabled in /etc/nsswitch.conf to ensure the UIDs assigned to these
+ services are resolved properly.
+
+ * In systemd-networkd, the IPv6 RA logic now optionally may announce
+ DNS server and domain information.
+
+ * Support for the LUKS2 on-disk format for encrypted partitions has
+ been added. This requires libcryptsetup2 during compilation and
+ runtime.
+
+ * The systemd --user instance will now signal "readiness" when its
+ basic.target unit has been reached, instead of when the run queue ran
+ empty for the first time.
+
+ * Unit files learnt three new % specifiers that are expanded during
+ loading: %S resolves to the top-level state directory (/var/lib for
+ the system instance, $XDG_CONFIG_HOME for the user instance), %C
+ resolves to the top-level cache directory (/var/cache for the system
+ instance, $XDG_CACHE_HOME for the user instance), %L resolves to the
+ top-level logs directory (/var/log for the system instance,
+ $XDG_CONFIG_HOME/log/ for the user instance). This matches the
+ existing %t specifier, that resolves to the top-level runtime
+ directory (/run for the system instance, and $XDG_RUNTIME_DIR for the
+ user instance).
+
+ * journalctl learnt a new parameter --output-fields= for limiting the
+ set of journal fields to output in verbose and JSON output modes.
+
+ * systemd-timesyncd's configuration file gained a new option
+ RootDistanceMaxSec= for setting the maximum root distance of servers
+ it'll use, as well as the new options PollIntervalMinSec= and
+ PollIntervalMaxSec= to tweak the minimum and maximum poll interval.
+
+ * bootctl gained a new command "list" for listing all available boot
+ menu items on systems that follow the boot loader specification.
+
+ * systemctl gained a new --dry-run switch that shows what would be done
+ instead of doing it, and is currently supported by the shutdown and
+ sleep verbs.
+
+ * ConditionSecurity= can now detect the TOMOYO security module.
+
+ * Unit file [Install] sections are now also respected in unit drop-in
+ files. This is intended to be used by drop-ins under /usr/lib/.
+
+ * systemd-firstboot may now also set the initial keyboard mapping.
+
+ * Udev "changed" events for devices which are exposed as systemd
+ .device units are now propagated to units specified in
+ ReloadPropagatedFrom= as reload requests.
+
+ * If a udev device has a SYSTEMD_WANTS= property containing a systemd
+ unit template name (i.e. a name in the form of 'foobar@.service',
+ without the instance component between the '@' and - the '.'), then
+ the escaped sysfs path of the device is automatically used as the
+ instance.
+
+ * SystemCallFilter= in unit files has been extended so that an "errno"
+ can be specified individually for each system call. Example:
+ SystemCallFilter=~uname:EILSEQ.
+
+ * The cgroup delegation logic has been substantially updated. Delegate=
+ now optionally takes a list of controllers (instead of a boolean, as
+ before), which lists the controllers to delegate at least.
+
+ * The networkd DHCPv6 client now implements the FQDN option (RFC 4704).
+
+ * A new LogLevelMax= setting configures the maximum log level any
+ process of the service may log at (i.e. anything with a lesser
+ priority than what is specified is automatically dropped). A new
+ LogExtraFields= setting allows configuration of additional journal
+ fields to attach to all log records generated by any of the unit's
+ processes.
+
+ * New StandardInputData= and StandardInputText= settings along with the
+ new option StandardInput=data may be used to configure textual or
+ binary data that shall be passed to the executed service process via
+ standard input, encoded in-line in the unit file.
+
+ * StandardInput=, StandardOutput= and StandardError= may now be used to
+ connect stdin/stdout/stderr of executed processes directly with a
+ file or AF_UNIX socket in the file system, using the new "file:" option.
+
+ * A new unit file option CollectMode= has been added, that allows
+ tweaking the garbage collection logic for units. It may be used to
+ tell systemd to garbage collect units that have failed automatically
+ (normally it only GCs units that exited successfully). systemd-run
+ and systemd-mount expose this new functionality with a new -G option.
+
+ * "machinectl bind" may now be used to bind mount non-directories
+ (i.e. regularfiles, devices, fifos, sockets).
+
+ * systemd-analyze gained a new verb "calendar" for validating and
+ testing calendar time specifications to use for OnCalendar= in timer
+ units. Besides validating the expression it will calculate the next
+ time the specified expression would elapse.
+
+ * In addition to the pre-existing FailureAction= unit file setting
+ there's now SuccessAction=, for configuring a shutdown action to
+ execute when a unit completes successfully. This is useful in
+ particular inside containers that shall terminate after some workload
+ has been completed. Also, both options are now supported for all unit
+ types, not just services.
+
+ * networkds's IP rule support gained two new options
+ IncomingInterface= and OutgoingInterface= for configuring the incoming
+ and outgoing interfaces of configured rules. systemd-networkd also
+ gained support for "vxcan" network devices.
+
+ * networkd gained a new setting RequiredForOnline=, taking a
+ boolean. If set, systemd-wait-online will take it into consideration
+ when determining that the system is up, otherwise it will ignore the
+ interface for this purpose.
+
+ * The sd_notify() protocol gained support for a new operation: with
+ FDSTOREREMOVE=1 file descriptors may be removed from the per-service
+ store again, ahead of POLLHUP or POLLERR when they are removed
+ anyway.
+
+ Contributions from: aeywalee, Alan Jenkins, Alessandro Ghedini, Andrew
+ Jeddeloh, Antonio Rojas, Ari, bleep_blop, Carsten Strotmann, Christian
+ Brauner, Christian Hesse, Collin Eggert, Daniel Lockyer, Daniel Rusek,
+ Dimitri John Ledkov, Evgeny Vereshchagin, Florian Klink, Franck Bui,
+ gwendalcr, Hans de Goede, Jakub Wilk, Jérémy Rosen, jobol, John Lin,
+ juga0, Krzysztof Nowicki, Lars Karlitski, Lars Kellogg-Stedman, Lauri
+ Tirkkonen, Lennart Poettering, longersson, Lubomir Rintel, Lucas
+ Werkmeister, lukas, Lukáš Nykrýn, Lukasz Rubaszewski, Maciej
+ S. Szmigiero, macrothian, Mantas Mikulėnas, martingh, Mathieu
+ Trudel-Lapierre, Matija Skala, Michael Biebl, Michael Vogt, Michal
+ Sekletar, Mike Gilbert, Muhammet Kara, myrkr, Neil Brown, Ondrej
+ Kozina, Patrik Flykt, Peter Hutterer, Piotr Drąg, Razvan Cojocaru,
+ Robin McCorkell, Roland Hieber, Sergey Ptashnick, Shawn Landden, Shuang
+ Liu, Simon Arlott, Simon Peeters, Stefan Agner, Susant Sahani, Sylvain
+ Plantefève, Thomas Blume, Tom Stellard, Topi Miettinen, Vito Caputo,
+ Vladislav Vishnyakov, WaLyong Cho, Yu Watanabe, Zbigniew
+ Jędrzejewski-Szmek, Zeal Jagannatha
+
+ — Berlin, 2017-12-XX
+
CHANGES WITH 235:
+ * INCOMPATIBILITY: systemd-logind.service and other long-running
+ services now run inside an IPv4/IPv6 sandbox, prohibiting them any IP
+ communication with the outside. This generally improves security of
+ the system, and is in almost all cases a safe and good choice, as
+ these services do not and should not provide any network-facing
+ functionality. However, systemd-logind uses the glibc NSS API to
+ query the user database. This creates problems on systems where NSS
+ is set up to directly consult network services for user database
+ lookups. In particular, this creates incompatibilities with the
+ "nss-nis" module, which attempts to directly contact the NIS/YP
+ network servers it is configured for, and will now consistently
+ fail. In such cases, it is possible to turn off IP sandboxing for
+ systemd-logind.service (set IPAddressDeny= in its [Service] section
+ to the empty string, via a .d/ unit file drop-in). Downstream
+ distributions might want to update their nss-nis packaging to include
+ such a drop-in snippet, accordingly, to hide this incompatibility
+ from the user. Another option is to make use of glibc's nscd service
+ to proxy such network requests through a privilege-separated, minimal
+ local caching daemon, or to switch to more modern technologies such
+ sssd, whose NSS hook-ups generally do not involve direct network
+ access. In general, we think it's definitely time to question the
+ implementation choices of nss-nis, i.e. whether it's a good idea
+ today to embed a network-facing loadable module into all local
+ processes that need to query the user database, including the most
+ trivial and benign ones, such as "ls". For more details about
+ IPAddressDeny= see below.
+
* A new modprobe.d drop-in is now shipped by default that sets the
bonding module option max_bonds=0. This overrides the kernel default,
to avoid conflicts and ambiguity as to whether or not bond0 should be
bond0 interface using systemd-networkd.
* systemd-analyze gained new verbs "get-log-level" and "get-log-target"
- which print the logging level and target of the system manager,
- respectively. They complement the existing "set-log-level" and
- "set-log-target" verbs, which can be used to change those values.
+ which print the logging level and target of the system manager. They
+ complement the existing "set-log-level" and "set-log-target" verbs
+ used to change those values.
* journald.conf gained a new boolean setting ReadKMsg= which defaults
to on. If turned off kernel log messages will not be read by
- systemd-journald and not be included in the logs. It also gained a
- new setting LineMax= for configuring the maximum line length to allow
- when converting STDOUT/STDERR log streams into individual log
- records. The new default for this value is 48K, up from the previous
- hardcoded 4K.
+ systemd-journald or included in the logs. It also gained a new
+ setting LineMax= for configuring the maximum line length in
+ STDOUT/STDERR log streams. The new default for this value is 48K, up
+ from the previous hardcoded 2048.
- * A new setting RuntimeDirectoryPreserve= for units has been added,
- which allows more detailed control of what to do with a runtime
- directory configured with RuntimeDirectory= (i.e. a directory below
- /run or $XDG_RUNTIME_DIR) after a unit is stopped.
+ * A new unit setting RuntimeDirectoryPreserve= has been added, which
+ allows more detailed control of what to do with a runtime directory
+ configured with RuntimeDirectory= (i.e. a directory below /run or
+ $XDG_RUNTIME_DIR) after a unit is stopped.
* The RuntimeDirectory= setting for units gained support for creating
deeper subdirectories below /run or $XDG_RUNTIME_DIR, instead of just
* Units gained new options StateDirectory=, CacheDirectory=,
LogsDirectory= and ConfigurationDirectory= which are closely related
to RuntimeDirectory= but manage per-service directories below
- /var/lib, /var/cache, /var/log and /etc. By making use of this it is
+ /var/lib, /var/cache, /var/log and /etc. By making use of them it is
possible to write unit files which when activated automatically gain
properly owned service specific directories in these locations, thus
making unit files self-contained and increasing compatibility with
unpopulated at boot. Matching these new settings there's also
StateDirectoryMode=, CacheDirectoryMode=, LogsDirectoryMode=,
ConfigurationDirectoryMode= for configuring the access mode of these
- directories.
+ directories. These settings are particularly useful in combination
+ with DynamicUser=yes as they provide secure, properly-owned,
+ writable, and stateful locations for storage, excluded from the
+ sandbox that such services live in otherwise.
* Automake support has been removed from this release. systemd is now
Meson-only.
configuring TCP/IPv6 hardware segmentation offload.
* The IPv6 RA sender implementation may now optionally send out RDNSS
- and RDNSSL records for supplying DNS configuration to peers.
+ and RDNSSL records to supply DNS configuration to peers.
* systemd-nspawn gained support for a new --system-call-filter= command
- line option for adding/removing entries in the default system call
- filter it applies. Moreover systemd-nspawn has been changed to
+ line option for adding and removing entries in the default system
+ call filter it applies. Moreover systemd-nspawn has been changed to
implement a system call whitelist instead of a blacklist.
* systemd-run gained support for a new --pipe command line option. If
used the STDIN/STDOUT/STDERR file descriptors passed to systemd-run
are directly passed on to the activated transient service
- binary. This allows invoking arbitrary processes as systemd services
- (for example to take benefit of dependency management, accounting
- management, resource management or log management that is done
- automatically for services) — while still allowing them to be
+ executable. This allows invoking arbitrary processes as systemd
+ services (for example to take benefit of dependency management,
+ accounting management, resource management or log management that is
+ done automatically for services) — while still allowing them to be
integrated in a classic UNIX shell pipeline.
* When a service sends RELOAD=1 via sd_notify() and reload propagation
each time the service is restarted due to Restart=, and may be
queried using "systemctl show -p NRestarts …".
- * New system call filter groups @setuid, @memlock, @signal and
- @timer have been added, for usage with SystemCallFilter=
+ * New system call filter groups @aio, @sync, @chown, @setuid, @memlock,
+ @signal and @timer have been added, for usage with SystemCallFilter=
in unit files and the new --system-call-filter= command line option
of systemd-nspawn (see above).
* A new special target "getty-pre.target" has been added, which is
ordered before all text logins, and may be used to order services
- before, that shall run before these textual logins acquire access to
- the console.
+ before textual logins acquire access to the console.
* systemd will now attempt to load the virtio-rng.ko kernel module very
early on if a VM environment supporting this is detected. This should
* A _netdev option is now supported in /etc/crypttab that operates in a
similar way as the same option in /etc/fstab: it permits configuring
- encrypted devices that need to be ordered after the network coming
- up. Following this logic, two new special targets
+ encrypted devices that need to be ordered after the network is up.
+ Following this logic, two new special targets
remote-cryptsetup-pre.target and remote-cryptsetup.target have been
- added that are to cryptsetup.target what
- remote-fs.target/remote-fs-pre.target are to local-fs.target.
+ added that are to cryptsetup.target what remote-fs.target and
+ remote-fs-pre.target are to local-fs.target.
* Service units gained a new UnsetEnvironment= setting which permits
- unsetting specific environment variables for specific services that
- are normally passed to it (for example in order to mask out locale
+ unsetting specific environment variables for services that are
+ normally passed to it (for example in order to mask out locale
settings for specific services that can't deal with it).
* Units acquired a new boolean option IPAccounting=. When turned on, IP
enforced on every single IPv4 and IPv6 socket created by any process
of the service unit, and apply to ingress as well as egress traffic.
- * If CPUAccounting= or IPAccounting= is turned on for a unit a new,
- recognizable log message is generated each time the unit is stopped,
+ * If CPUAccounting= or IPAccounting= is turned on for a unit a new
+ structured log message is generated each time the unit is stopped,
containing information about the consumed resources of this
invocation.
* "systemctl poweroff", "systemctl reboot", "systemctl halt",
"systemctl kexec" and "systemctl exit" are now always asynchronous in
behaviour (that is: these commands return immediately after the
- operation was enqueued instead of waiting until the operation was
- completed). Previously, "systemctl poweroff" and "systemctl reboot"
+ operation was enqueued instead of waiting for the operation to
+ complete). Previously, "systemctl poweroff" and "systemctl reboot"
were asynchronous on systems using systemd-logind (i.e. almost
always, and like they were on sysvinit), and the other three commands
were unconditionally synchronous. With this release this is cleaned
than UTC or the local timezone.
* The tmpfiles snippet var.conf has been changed to create
- /var/log/btmp with access mode 0660 instead of 0600. It has been
- owned by the "utmp" group already, and it appears to be generally
- understood that members of "utmp" can modify/flush the
- utmp/wtmp/lastlog/btmp databases. Previously this was implemented
- correctly for all these database excepts btmp, which has been opened
- up like this now too. Note that while the other databases are
- world-readable (i.e. 0644), btmp is not and remains more restrictive.
+ /var/log/btmp with access mode 0660 instead of 0600. It was owned by
+ the "utmp" group already, and it appears to be generally understood
+ that members of "utmp" can modify/flush the utmp/wtmp/lastlog/btmp
+ databases. Previously this was implemented correctly for all these
+ databases excepts btmp, which has been opened up like this now
+ too. Note that while the other databases are world-readable
+ (i.e. 0644), btmp is not and remains more restrictive.
+
+ * The systemd-resolve tool gained a new --reset-server-features
+ switch. When invoked like this systemd-resolved will forget
+ everything it learnt about the features supported by the configured
+ upstream DNS servers, and restarts the feature probing logic on the
+ next resolver look-up for them at the highest feature level
+ again.
+
+ * The status dump systemd-resolved sends to the logs upon receiving
+ SIGUSR1 now also includes information about all DNS servers it is
+ configured to use, and the features levels it probed for them.
Contributions from: Abdó Roig-Maranges, Alan Jenkins, Alexander
Kuleshov, Andreas Rammhold, Andrew Jeddeloh, Andrew Soutar, Ansgar
- Burchardt, b1tninja, bengal, Benjamin Berg, Benjamin Robin, Charles
- Huber, Christian Hesse, Daniel Berrange, Daniel Mack, Daniel Rusek,
- dasj19, Davide Cavalca, Dimitri John Ledkov, Diogo Pereira, Djalal
- Harouni, dkg, dmig, Dmitry Torokhov, ettavolt, Evgeny Vereshchagin,
- Fabio Kung, Felipe Sateler, Franck Bui, g0tar, Hans de Goede, Harald
- Hoyer, Insun Pyo, Ivan Kurnosov, Ivan Shapovalov, Jakub Wilk, Jan
- Synacek, Jason Gunthorpe, Jeremy Bicha, Jérémy Rosen, John Lin,
- jonasBoss, Jonathan Lebon, Jonathan Teh, Jon Ringle, Jörg Thalheim,
- Jouke Witteveen, juga0, Justin Michaud, Kai-Heng Feng, Lennart
- Poettering, Lion Yang, Luca Bruno, Lucas Werkmeister, Lukáš Nykrýn,
- Marcel Hollerbach, Marcus Lundblad, Martin Pitt, Michael Biebl, Michael
- Grzeschik, Michal Sekletar, Mike Gilbert, Neil Brown, Nicolas Iooss,
- Patrik Flykt, pEJipE, Russell Stuart, S. Fan, Shengyao Xue, Stefan
- Pietsch, Susant Sahani, Tejun Heo, Thomas Miller, Thomas Sailer, Tobias
- Hunger, Tom Gundersen, Tommi Rantala, Topi Miettinen, Torstein Husebø,
- userwithuid, Vito Caputo, vliaskov, WaLyong Cho, William Douglas, Xiang
+ Burchardt, Beniamino Galvani, Benjamin Berg, Benjamin Robin, Charles
+ Huber, Christian Hesse, Daniel Berrange, Daniel Kahn Gillmor, Daniel
+ Mack, Daniel Rusek, Daniel Șerbănescu, Davide Cavalca, Dimitri John
+ Ledkov, Diogo Pereira, Djalal Harouni, Dmitriy Geels, Dmitry Torokhov,
+ ettavolt, Evgeny Vereshchagin, Fabio Kung, Felipe Sateler, Franck Bui,
+ Hans de Goede, Harald Hoyer, Insun Pyo, Ivan Kurnosov, Ivan Shapovalov,
+ Jakub Wilk, Jan Synacek, Jason Gunthorpe, Jeremy Bicha, Jérémy Rosen,
+ John Lin, jonasBoss, Jonathan Lebon, Jonathan Teh, Jon Ringle, Jörg
+ Thalheim, Jouke Witteveen, juga0, Justin Capella, Justin Michaud,
+ Kai-Heng Feng, Lennart Poettering, Lion Yang, Luca Bruno, Lucas
+ Werkmeister, Lukáš Nykrýn, Marcel Hollerbach, Marcus Lundblad, Martin
+ Pitt, Michael Biebl, Michael Grzeschik, Michal Sekletar, Mike Gilbert,
+ Neil Brown, Nicolas Iooss, Patrik Flykt, pEJipE, Piotr Drąg, Russell
+ Stuart, S. Fan, Shengyao Xue, Stefan Pietsch, Susant Sahani, Tejun Heo,
+ Thomas Miller, Thomas Sailer, Tobias Hunger, Tomasz Pala, Tom
+ Gundersen, Tommi Rantala, Topi Miettinen, Torstein Husebø, userwithuid,
+ Vasilis Liaskovitis, Vito Caputo, WaLyong Cho, William Douglas, Xiang
Fan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek
- — Berlin, 2017-10-XX
+ — Berlin, 2017-10-06
CHANGES WITH 234: