systemd System and Service Manager
+CHANGES WITH 243 in spe:
+
+ * Previously, filters defined with SystemCallFilter= would have the
+ effect that an calling an offending system call would terminate the
+ calling thread. This behaviour never made much sense, since killing
+ individual threads of unexpecting processes is likely to create more
+ problems than it solves. With this release the default action changed
+ from killing the thread to killing the whole process. For this to
+ work correctly both a kernel version (>= 4.14) and a libseccomp
+ version (>= 2.4.0) supporting this new seccomp action is required. If
+ an older kernel or libseccomp is used the old behaviour continues to
+ be used. This change does not affect any services that have no system
+ call filters defined, or that use SystemCallErrorNumber= (and thus
+ see EPERM or another error instead of being killed when calling an
+ offending system call). Note that systemd documentation always
+ claimed that the whole process is killed. With this change behaviour
+ is thus adjusted to match the documentation.
+
+ * The "kernel.pid_max" sysctl is now bumped to 4194304 by default,
+ i.e. the full 22bit range the kernel allows, up from the old 16bit
+ range. This should improve security and robustness a bit, as PID
+ collisions are made less likely (though certainly still
+ possible). There are rumours this might create compatibility
+ problems, though at this moment no practical ones are known to
+ us. Downstream distributions are hence advised to undo this change in
+ their builds if they are concerned about maximum compatibility, but
+ for everybody else we recommend leaving the value bumped. Besides
+ improving security and robustness this should also simplify things as
+ the maximum number of allowed concurrent tasks was previously bounded
+ by both "kernel.pid_max" and "kernel.threads-max" and now only a
+ single knob is left ("kernel.threads-max"). There have been concerns
+ that usability is affected by this change because larger PID numbers
+ are harder to type, but we believe the change from 5 digit PIDs to 7
+ digit PIDs is not too hampering for usability.
+
+ * MemoryLow and MemoryMin gained hierarchy-aware counterparts,
+ DefaultMemoryLow and DefaultMemoryMin, which can be used to
+ hierarchically set default memory protection values for a particular
+ subtree of the unit hierarchy.
+
+ * Memory protection directives can now take a value of zero, allowing
+ explicit opting out of a default value propagated by an ancestor.
+
+ * systemd now defaults to the "unified" cgroup hierarchy setup during
+ build-time, i.e. -Ddefault-hierarchy=unified is now the build-time
+ default. Previously, -Ddefault-hierarchy=hybrid was the default. This
+ change reflects the fact that cgroupsv2 support has matured
+ substantially in both systemd and in the kernel, and is clearly the
+ way forward. Downstream production distributions might want to
+ continue to use -Ddefault-hierarchy=hybrid (or even =legacy) for
+ their builds as unfortunately the popular container managers have not
+ caught up with the kernel API changes.
+
+ * Man pages are not built by default anymore (html pages were already
+ disabled by default), to make development builds quicker. When
+ building systemd for a full installation with documentation, meson
+ should be called -Dman=true and/or -Dhtml=true as appropriate. The
+ default was changed based on the assumption that quick one-off or
+ repeated development builds are much more common than full optimized
+ builds for installation, and people need to pass various other
+ options to when doing "proper" builds anyway, so the gain from making
+ development builds quicker is bigger than the one time disruption for
+ packagers.
+
+ Two scripts are created in the *build* directory to generate and
+ preview man and html pages on demand, e.g.:
+
+ build/man/man systemctl
+ build/man/html systemd.index
+
+ * The D-Bus "wire format" for CPUAffinity attribute is changed on
+ big-endian machines. Before, bytes were written and read in native
+ machine order as exposed by the native libc __cpu_mask interface.
+ Now, little-endian order is always used (CPUs 0–7 are described by
+ bits 0–7 in byte 0, CPUs 8–15 are described by byte 1, and so on).
+ This change fixes D-Bus calls that cross endianness boundary.
+
+ The presentation format used for CPUAffinity by systemctl show and
+ systemd-analyze dump is changed to present CPU indices instead of the
+ raw __cpu_mask bitmask. For example, CPUAffinity=0-1 would be shown
+ as CPUAffinity=03000000000000000000000000000… (on little-endian) or
+ CPUAffinity=00000000000000300000000000000… (on 64-bit big-endian),
+ and is now shown as CPUAffinity=0-1, matching the input format. The
+ maximum integer that will be printed in new format is 8191 (four
+ digits), while the old format always used a very long number (with
+ the length varying by architecture), so they can be unambiguously
+ distinguished.
+
+ * /usr/sbin/halt.local is no longer supported. Implementation in
+ distributions was inconsistent and it seems this functionality was
+ very rarely used.
+
+ To replace this functionality, users should:
+ - either define a new unit and make it a dependency of final.target
+ (systemctl add-wants final.target my-halt-local.service)
+ - or move the shutdown script to /usr/lib/systemd/system-shutdown/
+ and ensure that it accepts "halt", "poweroff", "reboot", and
+ "kexec" as an argument, see the description in systemd-shutdown(8).
+
+ * When a [Match] section in .link or .network file is empty (contains
+ no match patterns), a warning will be emitted. Please add any "match
+ all" pattern instead, e.g. OriginalName=* or Name=* in case all
+ interfaces should really be matched.
+
+ …
+
+CHANGES WITH 242:
+
+ * In .link files, MACAddressPolicy=persistent (the default) is changed
+ to cover more devices. For devices like bridges, tun, tap, bond, and
+ similar interfaces that do not have other identifying information,
+ the interface name is used as the basis for persistent seed for MAC
+ and IPv4LL addresses. The way that devices that were handled
+ previously is not changed, and this change is about covering more
+ devices then previously by the "persistent" policy.
+
+ MACAddressPolicy=random may be used to force randomized MACs and
+ IPv4LL addresses for a device if desired.
+
+ Hint: the log output from udev (at debug level) was enhanced to
+ clarify what policy is followed and which attributes are used.
+ `SYSTEMD_LOG_LEVEL=debug udevadm test-builtin net_setup_link /sys/class/net/<name>`
+ may be used to view this.
+
+ * The .device units generated by systemd-fstab-generator and other
+ generators do not automatically pull in the corresponding .mount unit
+ as a Wants= dependency. This means that simply plugging in the device
+ will not cause the mount unit to be started automatically. But please
+ note that the mount unit may be started for other reasons, in
+ particular if it is part of local-fs.target, and any unit which
+ (transitively) depends on local-fs.target is started.
+
+ * networkctl list/status/lldp now accept globbing wildcards for network
+ interface names to match against all existing interfaces.
+
+ * The $PIDFILE environment variable is set to point the absolute path
+ configured with PIDFile= for processes of that service.
+
+ * The fallback DNS server list was augmented with Cloudflare public DNS
+ servers. Use `-Ddns-servers=` to set a different fallback.
+
+ * A new special target usb-gadget.target will be started automatically
+ when a USB Device Controller is detected (which means that the system
+ is a USB peripheral).
+
+ * A new unit setting CPUQuotaPeriodSec= assigns the time period
+ relatively to which the CPU time quota specified by CPUQuota= is
+ measured.
+
+ * A new unit setting ProtectHostname= may be used to prevent services
+ from modifying hostname information (even if they otherwise would
+ have privileges to do so).
+
+ * A new unit setting NetworkNamespacePath= may be used to specify a
+ namespace for service or socket units through a path referring to a
+ Linux network namespace pseudo-file.
+
+ * The PrivateNetwork= setting and JoinsNamespaceOf= dependencies now
+ have an effect on .socket units: when used the listening socket is
+ created within the configured network namespace instead of the host
+ namespace.
+
+ * ExecStart= command lines in unit files may now be prefixed with ':'
+ in which case environment variable substitution is
+ disabled. (Supported for the other ExecXYZ= settings, too.)
+
+ * .timer units gained two new boolean settings OnClockChange= and
+ OnTimezoneChange= which may be used to also trigger a unit when the
+ system clock is changed or the local timezone is
+ modified. systemd-run has been updated to make these options easily
+ accessible from the command line for transient timers.
+
+ * Two new conditions for units have been added: ConditionMemory= may be
+ used to conditionalize a unit based on installed system
+ RAM. ConditionCPUs= may be used to conditionalize a unit based on
+ installed CPU cores.
+
+ * The @default system call filter group understood by SystemCallFilter=
+ has been updated to include the new rseq() system call introduced in
+ kernel 4.15.
+
+ * A new time-set.target has been added that indicates that the system
+ time has been set from a local source (possibly imprecise). The
+ existing time-sync.target is stronger and indicates that the time has
+ been synchronized with a precise external source. Services where
+ approximate time is sufficient should use the new target.
+
+ * "systemctl start" (and related commands) learnt a new
+ --show-transaction option. If specified brief information about all
+ jobs queued because of the requested operation is shown.
+
+ * systemd-networkd recognizes a new operation state 'enslaved', used
+ (instead of 'degraded' or 'carrier') for interfaces which form a
+ bridge, bond, or similar, and an new 'degraded-carrier' operational
+ state used for the bond or bridge master interface when one of the
+ enslaved devices is not operational.
+
+ * .network files learnt the new IgnoreCarrierLoss= option for leaving
+ networks configured even if the carrier is lost.
+
+ * The RequiredForOnline= setting in .network files may now specify a
+ minimum operational state required for the interface to be considered
+ "online" by systemd-networkd-wait-online. Related to this
+ systemd-networkd-wait-online gained a new option --operational-state=
+ to configure the same, and its --interface= option was updated to
+ optionally also take an operational state specific for an interface.
+
+ * systemd-networkd-wait-online gained a new setting --any for waiting
+ for only one of the requested interfaces instead of all of them.
+
+ * systemd-networkd now implements L2TP tunnels.
+
+ * Two new .network settings UseAutonomousPrefix= and UseOnLinkPrefix=
+ may be used to cause autonomous and onlink prefixes received in IPv6
+ Router Advertisements to be ignored.
+
+ * New MulticastFlood=, NeighborSuppression=, and Learning= .network
+ file settings may be used to tweak bridge behaviour.
+
+ * The new TripleSampling= option in .network files may be used to
+ configure CAN triple sampling.
+
+ * A new .netdev settings PrivateKeyFile= and PresharedKeyFile= may be
+ used to point to private or preshared key for a WireGuard interface.
+
+ * /etc/crypttab now supports the same-cpu-crypt and
+ submit-from-crypt-cpus options to tweak encryption work scheduling
+ details.
+
+ * systemd-tmpfiles will now take a BSD file lock before operating on a
+ contents of directory. This may be used to temporarily exclude
+ directories from aging by taking the same lock (useful for example
+ when extracting a tarball into /tmp or /var/tmp as a privileged user,
+ which might create files with really old timestamps, which
+ nevertheless should not be deleted). For further details, see:
+
+ https://systemd.io/TEMPORARY_DIRECTORIES
+
+ * systemd-tmpfiles' h line type gained support for the
+ FS_PROJINHERIT_FL ('P') file attribute (introduced in kernel 4.5),
+ controlling project quota inheritance.
+
+ * sd-boot and bootctl now implement support for an Extended Boot Loader
+ (XBOOTLDR) partition, that is intended to be mounted to /boot, in
+ addition to the ESP partition mounted to /efi or /boot/efi.
+ Configuration file fragments, kernels, initrds and other EFI images
+ to boot will be loaded from both the ESP and XBOOTLDR partitions.
+ The XBOOTLDR partition was previously described by the Boot Loader
+ Specification, but implementation was missing in sd-boot. Support for
+ this concept allows using the sd-boot boot loader in more
+ conservative scenarios where the boot loader itself is placed in the
+ ESP but the kernels to boot (and their metadata) in a separate
+ partition.
+
+ * A system may now be booted with systemd.volatile=overlay on the
+ kernel command line, which causes the root file system to be set up
+ an overlayfs mount combining the root-only root directory with a
+ writable tmpfs. In this setup, the underlying root device is not
+ modified, and any changes are lost at reboot.
+
+ * Similar, systemd-nspawn can now boot containers with a volatile
+ overlayfs root with the new --volatile=overlay switch.
+
+ * systemd-nspawn can now consume OCI runtime bundles using a new
+ --oci-bundle= option. This implementation is fully usable, with most
+ features in the specification implemented, but since this a lot of
+ new code and functionality, this feature should most likely not
+ be used in production yet.
+
+ * systemd-nspawn now supports various options described by the OCI
+ runtime specification on the command-line and in .nspawn files:
+ --inaccessible=/Inaccessible= may be used to mask parts of the file
+ system tree, --console=/--pipe may be used to configure how standard
+ input, output, and error are set up.
+
+ * busctl learned the `emit` verb to generate D-Bus signals.
+
+ * systemd-analyze cat-config may be used to gather and display
+ configuration spread over multiple files, for example system and user
+ presets, tmpfiles.d, sysusers.d, udev rules, etc.
+
+ * systemd-analyze calendar now takes an optional new parameter
+ --iterations= which may be used to show a maximum number of iterations
+ the specified expression will elapse next.
+
+ * The sd-bus C API gained support for naming method parameters in the
+ introspection data.
+
+ * systemd-logind gained D-Bus APIs to specify the "reboot parameter"
+ the reboot() system call expects.
+
+ * journalctl learnt a new --cursor-file= option that points to a file
+ from which a cursor should be loaded in the beginning and to which
+ the updated cursor should be stored at the end.
+
+ * ACRN hypervisor and Windows Subsystem for Linux (WSL) are now
+ detected by systemd-detect-virt (and may also be used in
+ ConditionVirtualization=).
+
+ * The behaviour of systemd-logind may now be modified with environment
+ variables $SYSTEMD_REBOOT_TO_FIRMWARE_SETUP,
+ $SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU, and
+ $SYSTEMD_REBOOT_TO_BOOT_LOADER_ENTRY. They cause logind to either
+ skip the relevant operation completely (when set to false), or to
+ create a flag file in /run/systemd (when set to true), instead of
+ actually commencing the real operation when requested. The presence
+ of /run/systemd/reboot-to-firmware-setup,
+ /run/systemd/reboot-to-boot-loader-menu, and
+ /run/systemd/reboot-to-boot-loader-entry, may be used by alternative
+ boot loader implementations to replace some steps logind performs
+ during reboot with their own operations.
+
+ * systemctl can be used to request a reboot into the boot loader menu
+ or a specific boot loader entry with the new --boot-load-menu= and
+ --boot-loader-entry= options to a reboot command. (This requires a
+ boot loader that supports this, for example sd-boot.)
+
+ * kernel-install will no longer unconditionally create the output
+ directory (e.g. /efi/<machine-id>/<kernel-version>) for boot loader
+ snippets, but will do only if the machine-specific parent directory
+ (i.e. /efi/<machine-id>/) already exists. bootctl has been modified
+ to create this parent directory during sd-boot installation.
+
+ This makes it easier to use kernel-install with plugins which support
+ a different layout of the bootloader partitions (for example grub2).
+
+ * During package installation (with `ninja install`), we would create
+ symlinks for getty@tty1.service, systemd-networkd.service,
+ systemd-networkd.socket, systemd-resolved.service,
+ remote-cryptsetup.target, remote-fs.target,
+ systemd-networkd-wait-online.service, and systemd-timesyncd.service
+ in /etc, as if `systemctl enable` was called for those units, to make
+ the system usable immediately after installation. Now this is not
+ done anymore, and instead calling `systemctl preset-all` is
+ recommended after the first installation of systemd.
+
+ * A new boolean sandboxing option RestrictSUIDSGID= has been added that
+ is built on seccomp. When turned on creation of SUID/SGID files is
+ prohibited.
+
+ * The NoNewPrivileges= and the new RestrictSUIDSGID= options are now
+ implied if DynamicUser= is turned on for a service. This hardens
+ these services, so that they neither can benefit from nor create
+ SUID/SGID executables. This is a minor compatibility breakage, given
+ that when DynamicUser= was first introduced SUID/SGID behaviour was
+ unaffected. However, the security benefit of these two options is
+ substantial, and the setting is still relatively new, hence we opted
+ to make it mandatory for services with dynamic users.
+
+ Contributions from: Adam Jackson, Alexander Tsoy, Andrey Yashkin,
+ Andrzej Pietrasiewicz, Anita Zhang, Balint Reczey, Beniamino Galvani,
+ Ben Iofel, Benjamin Berg, Benjamin Dahlhoff, Chris, Chris Morin,
+ Christopher Wong, Claudius Ellsel, Clemens Gruber, dana, Daniel Black,
+ Davide Cavalca, David Michael, David Rheinsberg, emersion, Evgeny
+ Vereshchagin, Filipe Brandenburger, Franck Bui, Frantisek Sumsal,
+ Giacinto Cifelli, Hans de Goede, Hugo Kindel, Ignat Korchagin, Insun
+ Pyo, Jan Engelhardt, Jonas Dorel, Jonathan Lebon, Jonathon Kowalski,
+ Jörg Sommer, Jörg Thalheim, Jussi Pakkanen, Kai-Heng Feng, Lennart
+ Poettering, Lubomir Rintel, Luís Ferreira, Martin Pitt, Matthias
+ Klumpp, Michael Biebl, Michael Niewöhner, Michael Olbrich, Michal
+ Sekletar, Mike Lothian, Paul Menzel, Piotr Drąg, Riccardo Schirone,
+ Robin Elvedi, Roman Kulikov, Ronald Tschalär, Ross Burton, Ryan
+ Gonzalez, Sebastian Krzyszkowiak, Stephane Chazelas, StKob, Susant
+ Sahani, Sylvain Plantefève, Szabolcs Fruhwald, Taro Yamada, Theo
+ Ouzhinski, Thomas Haller, Tobias Jungel, Tom Yan, Tony Asleson, Topi
+ Miettinen, unixsysadmin, Van Laser, Vesa Jääskeläinen, Yu, Li-Yu,
+ Yu Watanabe, Zbigniew Jędrzejewski-Szmek
+
+ — Warsaw, 2019-04-11
+
CHANGES WITH 241:
* The default locale can now be configured at compile time. Otherwise,
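Review bot: In the 242 entry about requesting a reboot into the boot loader menu, the option is written `--boot-load-menu=`, which matches neither the `--boot-loader-entry=` named beside it nor the `$SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU` variable and `/run/systemd/reboot-to-boot-loader-menu` flag file in the logind entry just above it. Please check the spelling against systemctl and, most likely, change it to `--boot-loader-menu=`. Since the rest of this patch consists of spelling fixes, the added text could get the same pass: "an calling an offending system call" in the SystemCallFilter= entry, "more devices then previously" in the MACAddressPolicy= entry, and "an new 'degraded-carrier'" in the systemd-networkd entry.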
* Journal messages that are generated whenever a unit enters the failed
state are now tagged with a unique MESSAGE_ID. Similarly, messages
generated whenever a service process exits are now made recognizable,
- too. A taged message is also emitted whenever a unit enters the
+ too. A tagged message is also emitted whenever a unit enters the
"dead" state on success.
* systemd-run gained a new switch --working-directory= for configuring
not created by systemd-sysusers anymore.
NOTE: This has a chance of breaking nss-ldap and similar NSS modules
- that embedd a network facing module into any process using getpwuid()
+ that embed a network facing module into any process using getpwuid()
or related call: the dynamic allocation of the user ID for
systemd-resolved.service means the service manager has to check NSS
if the user name is already taken when forking off the service. Since
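Review bot: Style point on the corrected line: "network facing module" is a compound modifier and reads more clearly as "network-facing module". As the line is already being changed for "embedd", the hyphen could go in with the same fix.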
PrivateDevices=, ProtectSystem=, …) are used. This option is hence
primarily useful for services that do not use any of the other file
system namespacing options. One such service is systemd-udevd.service
- wher this is now used by default.
+ where this is now used by default.
* ConditionSecurity= gained a new value "uefi-secureboot" that is true
when the system is booted in UEFI "secure mode".
/etc/machine-id. If the machine ID could not be determined,
$KERNEL_INSTALL_MACHINE_ID will be empty. Plugins should not put
anything in the entry directory (passed as the second argument) if
- $KERNEL_INSTALL_MACHINE_ID is empty. For backwards compatiblity, a
+ $KERNEL_INSTALL_MACHINE_ID is empty. For backwards compatibility, a
temporary directory is passed as the entry directory and removed
after all the plugins exit.
* We temporarily dropped the "-l" switch for fsck invocations,
since they collide with the flock() logic above. util-linux
upstream has been changed already to avoid this conflict,
- and we will readd "-l" as soon as util-linux with this
+ and we will re-add "-l" as soon as util-linux with this
change has been released.
* The dependency on libattr has been removed. Since a long
where the local administrator's configuration in /etc always
overrides any other settings.
- Contributions fron: Ali H. Caliskan, Alison Chaiken, Bas van
+ Contributions from: Ali H. Caliskan, Alison Chaiken, Bas van
den Berg, Brandon Philips, Cristian Rodríguez, Daniel Buch,
Dan Kilman, Dave Reisner, David Härdeman, David Herrmann,
David Strauss, Dimitris Spingos, Djalal Harouni, Eelco