systemd System and Service Manager
+CHANGES WITH 236 in spe:
+
+ * The modprobe.d/ drop-in for the bonding.ko kernel module introduced
+ in v235, has been extended to also set the dummy.ko module option
+ numdummies=0, resolving issues with the kernel creating the dummy0
+ network interface implicitly.
+
+ * systemd-resolved now maintains a new dynamic
+ /run/systemd/resolve/stub-resolv.conf compatibility file. It is now
+ recommended to maintain /etc/resolv.conf as a symlink to this new
+ dynamic file. It points at the systemd-resolved stub DNS 127.0.0.53
+ resolver and it includes dynamically acquired search domains. This
+ achieves a more correct DNS resolution by software that bypasses
+ local DNS APIs (e.g. NSS).
+
+ * The "uaccess" udev tag has been dropped from /dev/kvm and
+ /dev/dri/renderD*. These devices now have the 0666 permissions by
+ default (but this may be changed at build-time). /dev/dri/renderD*
+ will now be owned by the "render" group along with /dev/kfd.
+
+ * This enables "DynamicUser=yes" by default for
+ systemd-timesyncd.service, systemd-journal-gatewayd.service and
+ systemd-journal-upload.service. This means "nss-systemd" really
+ should be enabled in /etc/nsswitch.conf to ensure the UIDs assigned
+ to these services show up properly in the user database.
+
+ * In systemd-networkd, the IPv6 RA logic now optionally may announce
+ DNS server and domain information.
+
+ * Support for the LUKS2 on-disk format for encrypted partitions has
+ been added. This requires libcryptsetup2 during compilation and
+ runtime.
+
+ * The systemd --user instance will not signal "readiness" when its
+ basic.target unit has been reached, instead of when the run queue ran
+ empty for the first time.
+
+ * Unit files learnt three new % specifiers that are expanded during
+ loading: %S resolves to the top-level state directory (/var/lib for
+ the system instance, $XDG_CONFIG_HOME for the user instance), %C
+ resolves to the top-level cache directory (/var/cache for the system
+ instance, $XDG_CACHE_HOME for the user instance), %L resolves to the
+ top-level logs directory (/var/log for the system instance,
+ $XDG_CONFIG_HOME/log/ for the user instance). This matches the
+ existing %t specifier, that resolves to the top-level runtime
+ directory (/run for the system instance, and $XDG_RUNTIME_DIR for the
+ user instance).
+
+ * journalctl learnt a new parameter --output-fields= for limiting the
+ set of journal fields to output in verbose and JSON output modes.
+
+ * systemd-timesyncd's configuration file gained a new option
+ RootDistanceMaxSec= for setting the maximum root distance, as well as
+ the new options PollIntervalMinSec= and PollIntervalMaxSec= to tweak
+ the minimum and maximum poll interval.
+
+ * bootctl gained a new command "list" for listing all available boot
+ menu items on systems that follor the boot loader specification.
+
+ * systemctl gained a new --dry-run switch that shows what would be done
+ instead of doing it, and is currently supported by the shutdown and
+ sleep verbs.
+
+ * ConditionSecurity= can now detect the TOMOYO security module.
+
+ * Unit file [Install] sections are now also respected in unit drop-in
+ files.
+
+ * systemd-firstboot may now also set up the initial keyboard mapping.
+
+ * When udev devices that are exposed as systemd .device units see a
+ "changed" events, this is propagated as reload from the units, in
+ respect to ReloadPropagatedFrom=.
+
+ * When a udev device with a SYSTEMD_WANTS= property containing a
+ systemd unit template name (i.e. a name in the form of
+ 'foobar@.service', without the instance component between the '@' and
+ the '.'), then the escaped sysfs path of the device is automatically
+ inserted when the unit is added as dependency.
+
+ * SystemCallFilter= in unit files has been extended so that an "errno"
+ can be specified individually for each system call. Example:
+ SystemCallFilter=~uname:EILSEQ.
+
+ * The cgroup delegation logic has been substantially updated. Delegate=
+ now optionally takes a list of controllers (instead of a boolean, as
+ before), which lists the controllers to delegate at least.
+
+ * The networkd DHCPv6 client now implements the FQDN option (RFC 4704)
+
+ * Two new unit file options have been added: LogLevelMax= configures
+ the maximum log level any process of the unit may log at
+ (i.e. anything with a lesser priority than what is specified is
+ automatically dropped). LogExtraFields= allows configuration of
+ additional journal fields to attach to all log records generated by
+ any of the unit's processes.
+
+ * A new unit file option CollectMode= has been added, that allows
+ tweaking the garbage collection logic for units. It may be used to
+ tell systemd to garbage collect units that have failed automatically
+ (normally it only GCs units that exited successfully). systemd-run
+ exposes this new functionality wiht a new -G option.
+
+ * Services gained a two new settings StandardInputData= and
+ StadardInputText=, along with a new option StandardInput=data. They
+ may be used to configure textual or binary data that shall be passed
+ to the executed service process via STDIN, encoded in-line in the
+ unit file.
+
+ * StandardInput=, StandardOutput= and StandardError= may now be used to
+ connect stdin/stdout/stderr of executed processes directly with a
+ file or AF_UNIX socket in the file system, using the new "file:" option.
+
+ * "machinectl bind" may now be used to bind mount non-directories
+ (i.e. regularfiles, devices, fifos, sockets).
+
+ * systemd-analyze gained a new verb "calendar" for validating and
+ testing calendar time specifications to use for OnCalendar= in timer
+ units. Besides validating the expression it will calculate the next
+ time the specified expression would elapse.
+
+ * In addition to the pre-existing FailureAction= unit file setting
+ there's now SuccessAction=, for configuring an shutdown action to
+ execute when a unit completed successfully. This is useful in
+ particular inside of containers that shall terminate after some
+ workload has been completed. Also, both options are now supported for
+ all unit types, not just services.
+
+ * networkds's IP rule support gained two new options
+ IncomingInterface=and OutgoingInterface= for configuring the incoming
+ and outgoing interfaces of configured rules. systemd-networkd also
+ gained support for "vxcan" network devices.
+
+ * networkd gained a new setting RequiredForOnline=, taking a
+ boolean. If set, systemd-wait-online will take it into consideration
+ when determining that the system is up, otherwise it will ignore the
+ interface for this purpose.
+
+ * The sd_notify() protocol gained support for a new operation: with
+ FDSTOREREMOVE=1 file descriptors may be removed from the per-service
+ store again, ahead of POLLHUP or POLLERR when they are removed
+ anyway.
+
+ Contributions from: aeywalee, Alan Jenkins, Alessandro Ghedini, Andrew
+ Jeddeloh, Antonio Rojas, Ari, bleep_blop, Carsten Strotmann, Christian
+ Brauner, Christian Hesse, Collin Eggert, Daniel Lockyer, Daniel Rusek,
+ Dimitri John Ledkov, Evgeny Vereshchagin, Florian Klink, Franck Bui,
+ gwendalcr, Hans de Goede, Jakub Wilk, Jérémy Rosen, jobol, John Lin,
+ juga0, Krzysztof Nowicki, Lars Karlitski, Lars Kellogg-Stedman, Lauri
+ Tirkkonen, Lennart Poettering, longersson, Lubomir Rintel, Lucas
+ Werkmeister, lukas, Lukáš Nykrýn, Lukasz Rubaszewski, Maciej
+ S. Szmigiero, macrothian, Mantas Mikulėnas, martingh, Mathieu
+ Trudel-Lapierre, Matija Skala, Michael Biebl, Michael Vogt, Michal
+ Sekletar, Mike Gilbert, Muhammet Kara, myrkr, Neil Brown, Ondrej
+ Kozina, Patrik Flykt, Peter Hutterer, Piotr Drąg, Razvan Cojocaru,
+ Robin McCorkell, Roland Hieber, Sergey Ptashnick, Shawn Landden, Shuang
+ Liu, Simon Arlott, Simon Peeters, Stefan Agner, Susant Sahani, Sylvain
+ Plantefève, Thomas Blume, Tom Stellard, Topi Miettinen, Vito Caputo,
+ Vladislav Vishnyakov, WaLyong Cho, Yu Watanabe, Zbigniew
+ Jędrzejewski-Szmek, Zeal Jagannatha
+
+ — Berlin, 2017-12-XX
+
CHANGES WITH 235:
+ * INCOMPATIBILITY: systemd-logind.service and other long-running
+ services now run inside an IPv4/IPv6 sandbox, prohibiting them any IP
+ communication with the outside. This generally improves security of
+ the system, and is in almost all cases a safe and good choice, as
+ these services do not and should not provide any network-facing
+ functionality. However, systemd-logind uses the glibc NSS API to
+ query the user database. This creates problems on systems where NSS
+ is set up to directly consult network services for user database
+ lookups. In particular, this creates incompatibilities with the
+ "nss-nis" module, which attempts to directly contact the NIS/YP
+ network servers it is configured for, and will now consistently
+ fail. In such cases, it is possible to turn off IP sandboxing for
+ systemd-logind.service (set IPAddressDeny= in its [Service] section
+ to the empty string, via a .d/ unit file drop-in). Downstream
+ distributions might want to update their nss-nis packaging to include
+ such a drop-in snippet, accordingly, to hide this incompatibility
+ from the user. Another option is to make use of glibc's nscd service
+ to proxy such network requests through a privilege-separated, minimal
+ local caching daemon, or to switch to more modern technologies such
+ sssd, whose NSS hook-ups generally do not involve direct network
+ access. In general, we think it's definitely time to question the
+ implementation choices of nss-nis, i.e. whether it's a good idea
+ today to embed a network-facing loadable module into all local
+ processes that need to query the user database, including the most
+ trivial and benign ones, such as "ls". For more details about
+ IPAddressDeny= see below.
+
* A new modprobe.d drop-in is now shipped by default that sets the
bonding module option max_bonds=0. This overrides the kernel default,
to avoid conflicts and ambiguity as to whether or not bond0 should be
each time the service is restarted due to Restart=, and may be
queried using "systemctl show -p NRestarts …".
- * New system call filter groups @setuid, @memlock, @signal and
- @timer have been added, for usage with SystemCallFilter=
+ * New system call filter groups @aio, @sync, @chown, @setuid, @memlock,
+ @signal and @timer have been added, for usage with SystemCallFilter=
in unit files and the new --system-call-filter= command line option
of systemd-nspawn (see above).
Vasilis Liaskovitis, Vito Caputo, WaLyong Cho, William Douglas, Xiang
Fan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek
- — Berlin, 2017-10-XX
+ — Berlin, 2017-10-06
CHANGES WITH 234:
projects / thirdparty / systemd.git / blobdiff