field.
* systemd-networkd's [DHCPServer] section gained a new set of options
- POP3Servers=, SMTPServers=, LPRServers= for including server
+ EmitPOP3=/POP3=, EmitSMTP=/SMTP=, EmitLPR=/LPR= for including server
information about these three protocols in the DHCP lease. It also
gained support for including "MUD" URLs ("Manufacturer Usage
Description"). Support for "MUD" URLs was also added to the LLDP
used, the DNS-over-TLS certificate is validated to match the
specified hostname.
+ * systemd-resolved may be configured to forward single-label DNS names.
+ This is not standard-conformant, but may make sense in setups where
+ public DNS servers are not used.
+
+ * systemd-resolved's DNS-over-TLS support gained SNI validation.
+
* The fs.suid_dumpable sysctl is set to 2 / "suidsafe". This allows
systemd-coredump to save core files for suid processes. When saving
the core file, systemd-coredump will use the effective uid and gid of
can now be suspended or resumed either using new systemctl verbs,
freeze and thaw respectively, or via D-Bus.
+ * systemd-udevd gained new configuration option timeout_signal= as well
+ as coresponding kernel command line option udev.timeout_signal.
+ The option can be used to configure the UNIX signal that the main
+ daemon sends to the worker processes on timeout.
+
* A new sd-path.h API has been added to libsystemd. It provides a
simple API for retrieving various search paths and primary
directories for various resources.
into a pointer, without adding it to the object pointer the vtable is
associated with.
- * sd-bus now exposed four new functions:
+ * sd-bus now exposes four new functions:
sd_bus_interface_name_is_valid() + sd_bus_service_name_is_valid() +
sd_bus_member_name_is_valid() + sd_bus_object_path_is_valid() will
validate strings to check if they qualify as various D-Bus concepts.
+ * The sd-bus API gained the SD_BUS_METHOD_WITH_ARGS(),
+ SD_BUS_METHOD_WITH_ARGS_OFFSET() and SD_BUS_SIGNAL_WITH_ARGS() macros
+ that simplify adding argument names to D-Bus methods and signals.
+
* systemctl gained a new "-P" switch that is a shortcut for "--value
--property=…".
hostname, truncated at the first dot.
* systemd-notify's --pid= switch gained new values: "parent", "self",
- "auto" for controlling which PID to send to the service managing: the
+ "auto" for controlling which PID to send to the service manager: the
systemd-notify process' PID, or the one of the process invoking it.
* When sending a file descriptor (fd) to the service manager to keep
allocated session. This is useful for upgrading tty sessions to
graphical ones once a compositor is invoked.
- * .mount units gained a new ReadWriteOnly= boolean option. If set the
+ * .mount units gained a new ReadWriteOnly= boolean option. If set
it will not be attempted to mount a file system read-only if mounting
- it read-write mode doesn't succeed. An option x-systemd.rw-only is
+ in read-write mode doesn't succeed. An option x-systemd.rw-only is
available in /etc/fstab to control the same.
* coredumps collected by systemd-coredump may now be compressed using
* systemd-repart's --empty= setting gained a new value "create". If
specified a new empty regular disk image file is created under the
- specified name. It's size may be specified with the new --size=
+ specified name. Its size may be specified with the new --size=
option. The latter is also supported without the "create" mode, in
order to grow existing disk image files to the specified size. These
- two new options make are useful when creating or manipulating
- disk images instead of operating on actual block devices.
+ two new options are useful when creating or manipulating disk images
+ instead of operating on actual block devices.
* systemd-repart drop-ins now support a new UUID= setting to control
the UUID to assign to a newly created partition.
instance).
* The /sys/module/kernel/parameters/crash_kexec_post_notifiers file is
- not automatically set to "Y" at boot, in order to enable pstore
+ now automatically set to "Y" at boot, in order to enable pstore
generation for collection with systemd-pstore.
* New kernel command line options systemd.condition-needs-update= and
unit when the unit is stopped. It will now warn about services using
KillMode=none, as this is generally an unsafe thing to make use of.
+ * .socket units gained a new boolean setting PassPacketInfo=. If
+ enabled, the kernel will attach additional per-packet metadata to all
+ packets read from the socket, as ancillary message. This controls the
+ IP_PKTINFO, IPV6_RECVPKTINFO, NETLINK_PKTINFO socket options,
+ depending on socket type.
+
+ * A new boolean option AssignAcquiredDelegatedPrefixAddress= has been
+ added to the [DHCPv6] section of .network files. If enabled (which is
+ the default) an address from any acquired delegated prefix is
+ automatically chosen and assigned to the interface.
+
+ * "systemctl reboot" takes the option "--reboot-argument=".
+ The optional positional argument to "systemctl reboot" is now
+ being deprecated in favor of this option.
+
+ * Support for the .include syntax in unit files has been removed. The
+ concept has been obsolete for 6 years and we started warning about
+ its pending removal 2 years ago (also see NEWS file below). It's
+ finally gone now.
+
+ * The BlackList= settings in .network files' [DHCPv4] and
+ [IPv6AcceptRA] sections have been renamed DenyList=. The old names
+ are still understood to provide compatibility.
+
CHANGES WITH 245:
* A new tool "systemd-repart" has been added, that operates as an
* systemd-sysusers gained support for creating users with the primary
group named differently than the user.
- * systemd-resolved's DNS-over-TLS support gained SNI validation.
-
* systemd-growfs (i.e. the x-systemd.growfs mount option in /etc/fstab)
gained support for growing XFS partitions. Previously it supported
only ext4 and btrfs partitions.
of the PAM session, for example for time-limited logins.
* A new @pkey system call group is now defined to make it easier to
- whitelist memory protection syscalls for containers and services
+ allow-list memory protection syscalls for containers and services
which need to use them.
* systemd-udevd: removed the 30s timeout for killing stale workers on
* udev now provides a program (fido_id) that identifies FIDO CTAP1
("U2F")/CTAP2 security tokens based on the usage declared in their
report and descriptor and outputs suitable environment variables.
- This replaces the externally maintained whitelists of all known
+ This replaces the externally maintained allow lists of all known
security tokens that were used previously.
- * Automatically generated autosuspend udev rules for whitelisted
+ * Automatically generated autosuspend udev rules for allow-listed
devices have been imported from the Chromium OS project. This should
improve power saving with many more devices.
* systemd-networkd's DHCPv4 support now understands a new MaxAttempts=
option for configuring the maximum number of DHCP lease requests. It
- also learnt a new BlackList= option for blacklisting DHCP servers (a
+ also learnt a new BlackList= option for deny-listing DHCP servers (a
similar setting has also been added to the IPv6 RA client), as well
as a SendRelease= option for configuring whether to send a DHCP
RELEASE message when terminating.
any relevant symlinks both in /run and /etc.
* Note that all long-running system services shipped with systemd will
- now default to a system call whitelist (rather than a blacklist, as
+ now default to a system call allow list (rather than a deny list, as
before). In particular, systemd-udevd will now enforce one too. For
most cases this should be safe, however downstream distributions
which disabled sandboxing of systemd-udevd (specifically the
MountFlags= setting), might want to disable this security feature
- too, as the default whitelisting will prohibit all mount, swap,
+ too, as the default allow-listing will prohibit all mount, swap,
reboot and clock changing operations from udev rules.
* sd-boot acquired new loader configuration settings to optionally turn
* systemd-nspawn gained support for a new --system-call-filter= command
line option for adding and removing entries in the default system
call filter it applies. Moreover systemd-nspawn has been changed to
- implement a system call whitelist instead of a blacklist.
+ implement a system call allow list instead of a deny list.
* systemd-run gained support for a new --pipe command line option. If
used the STDIN/STDOUT/STDERR file descriptors passed to systemd-run
fsck's progress report to an AF_UNIX socket in the file
system.
- * udev will no longer create device symlinks for all block
- devices by default. A blacklist for excluding special block
- devices from this logic has been turned into a whitelist
- that requires picking block devices explicitly that require
- device symlinks.
+ * udev will no longer create device symlinks for all block devices by
+ default. A deny list for excluding special block devices from this
+ logic has been turned into a allow list that requires picking block
+ devices explicitly that require device symlinks.
* A new (currently still internal) API sd-device.h has been
added to libsystemd. This modernized API is supposed to
Wikipedia. We explicitly document which base applies for
each configuration option.
- * The DeviceAllow= setting in unit files now supports a syntax
- to whitelist an entire group of devices node majors at once,
- based on the /proc/devices listing. For example, with the
- string "char-pts", it is now possible to whitelist all
- current and future pseudo-TTYs at once.
+ * The DeviceAllow= setting in unit files now supports a syntax to
+ allow-list an entire group of devices node majors at once, based on
+ the /proc/devices listing. For example, with the string "char-pts",
+ it is now possible to allow-list all current and future pseudo-TTYs
+ at once.
* sd-event learned a new "post" event source. Event sources of
this type are triggered by the dispatching of any event
* journalctl gained the new "--header" switch to introspect
header data of journal files.
- * A new setting SystemCallFilters= has been added to services
- which may be used to apply blacklists or whitelists to
- system calls. This is based on SECCOMP Mode 2 of Linux 3.5.
+ * A new setting SystemCallFilters= has been added to services which may
+ be used to apply deny lists or allow lists to system calls. This is
+ based on SECCOMP Mode 2 of Linux 3.5.
* nspawn gained a new --link-journal= switch (and quicker: -j)
to link the container journal with the host. This makes it