systemd System and Service Manager
-CHANGES WITH 230 in spe:
+CHANGES WITH 231:
+
+ * When using systemd's default tmp.mount for /tmp, this will now be
+ mounted with the "nosuid" and "nodev" options. This avoids
+ privilege escalation attacks that put traps and exploits into /tmp.
+ However, this might cause some problems if you e. g. put container
+ images or overlays into /tmp; if you need this, override tmp.mount's
+ "Options=" with a drop-in, or mount /tmp from /etc/fstab with your
+ desired options.
+
+ * systemd-resolved gained a new "Cache=" option in resolved.conf.
+ Local caching makes DNS poisoning attacks slightly easier and allows
+ a local user to detect whether any other user on the same machine has
+ recently visited a given DNS name (privacy). If that is a concern,
+ you can disable local caching with this option at the cost of slower
+ DNS resolution (which is particularly expensive with DNSSEC). The
+ default continues to be "yes" (i. e. caching is enabled).
+
+ Contributions from: ...
+
+ — Somewhere, 2016-XX-XX
+
+CHANGES WITH 230:
* DNSSEC is now turned on by default in systemd-resolved (in
"allow-downgrade" mode), but may be turned off during compile time by
* systemd-resolve conveniently resolves DANE records with the --tlsa
option and OPENPGPKEY records with the --openpgp option. It also
- supports dumping raw DNS record data via the new --raw= switch now.
+ supports dumping raw DNS record data via the new --raw= switch.
* systemd-logind will now by default terminate user processes that are
part of the user session scope unit (session-XX.scope) when the user
Previous defaults can be restored at compile time by the
--without-kill-user-processes option to "configure".
+ * systemd-logind gained new configuration settings SessionsMax= and
+ InhibitorsMax=, both with a default of 8192. It will not register new
+ user sessions or inhibitors above this limit.
+
+ * systemd-logind will now reload configuration on SIGHUP.
+
* The unified cgroup hierarchy added in Linux 4.5 is now supported.
Use systemd.unified_cgroup_hierarchy=1 on the kernel command line to
enable. Also, support for the "io" cgroup controller in the unified
* The IAID and DUID unique identifier sent in DHCP requests may now be
configured for the system and each .network file managed by
- systemd-networkd.
+ systemd-networkd using the DUIDType=, DUIDRawData=, IAID= options.
+
+ * systemd-networkd gained support for configuring proxy ARP support for
+ each interface, via the ProxyArp= setting in .network files. It also
+ gained support for configuring the multicast querier feature of
+ bridge devices, via the new MulticastQuerier= setting in .netdev
+ files. Similarly, snooping on the IGMP traffic can be controlled
+ via the new setting MulticastSnooping=.
+
+ A new setting PreferredLifetime= has been added for addresses
+ configured in .network file to configure the lifetime intended for an
+ address.
+
+ The systemd-networkd DHCP server gained the option EmitRouter=, which
+ defaults to yes, to configure whether the DHCP Option 3 (Router)
+ should be emitted.
* The testing tool /usr/lib/systemd/systemd-activate is renamed to
systemd-socket-activate and installed into /usr/bin. It is now fully
when closing journal files, thus reducing impact of slow disk I/O on
logging performance.
+ * The sd-journal API gained two new calls
+ sd_journal_open_directory_fd() and sd_journal_open_files_fd() which
+ can be used to open journal files using file descriptors instead of
+ file or directory paths. sd_journal_open_container() has been
+ deprecated, sd_journal_open_directory_fd() should be used instead
+ with the flag SD_JOURNAL_OS_ROOT.
+
+ * journalctl learned a new output mode "-o short-unix" that outputs log
+ lines prefixed by their UNIX time (i.e. seconds since Jan 1st, 1970
+ UTC). It also gained support for a new --no-hostname setting to
+ suppress the hostname column in the family of "short" output modes.
+
* systemd-ask-password now optionally skips printing of the password to
stdout with --no-output which can be useful in scripts.
(devices tagged with ID_MAKER_TOOL) are now tagged with
"uaccess" and are available to logged in users.
- * systemd-bootchart has been split out to a separate repository:
- https://github.com/systemd/systemd-bootchart
-
- * The compatibility libraries libsystemd-daemon.so,
- libsystemd-journal.so, libsystemd-id128.so, and libsystemd-login.so
- which have been deprecated since systemd-209 have been removed along
- with the corresponding pkg-config files. All symbols provided by
- those libraries are provided by libsystemd.so.
-
- * The Capabilities= unit file setting has been removed (it is ignored
- for backwards compatibility). AmbientCapabilities= and
- CapabilityBoundingSet= should be used instead.
+ * The DeviceAllow= unit setting now supports specifiers (with "%").
* "systemctl show" gained a new --value switch, which allows print a
only the contents of a specific unit property, without also printing
the property's name. Similar support was added to "show*" verbs
of loginctl and machinectl that output "key=value" lists.
+ * A new unit type "generated" was added for files dynamically generated
+ by generator tools. Similarly, a new unit type "transient" is used
+ for unit files created using the runtime API. "systemctl enable" will
+ refuse to operate on such files.
+
* A new command "systemctl revert" has been added that may be used to
revert to the vendor version of a unit file, in case local changes
have been made by adding drop-ins or overriding the unit file.
* "machinectl clean" gained a new verb to automatically remove all or
just hidden container images.
- * systemd-bus-proxyd has been removed, as kdbus is unlikely to still be
- merged into the kernel in its current form.
-
- * systemd-networkd gained support for configuring proxy ARP support for
- each interface, via the ProxyArp= setting in .network files. It also
- gained support for configuring the multicast querier feature of
- bridge devices, via the new MulticastQuerier= setting in .netdev
- files. A new setting PreferredLifetime= has been added for addresses
- configured in .network file to configure the lifetime intended for an
- address.
-
* systemd-tmpfiles gained support for a new line type "e" for emptying
directories, if they exist, without creating them if they don't.
- * journalctl learned a new output mode "-o short-unix" that outputs log
- lines prefixed by their UNIX time (i.e. seconds since Jan 1st, 1970
- UTC). It also gained support for a new --no-hostname setting to
- suppress the hostname column in the family of "short" output modes.
-
* systemd-nspawn gained support for automatically patching the UID/GIDs
of the owners and the ACLs of all files and directories in a
container tree to match the UID/GID user namespacing range selected
container, via the new --private-users=pick setting (which implies
--private-user-chown). Together, these options for the first time
make user namespacing for nspawn containers fully automatic and thus
- deployable. The systemd-nspaw@.service template unit file has been
+ deployable. The systemd-nspawn@.service template unit file has been
changed to use this functionality by default.
* systemd-nspawn gained a new --network-zone= switch, that allows
* Note that the effect of the PrivateDevices= unit file setting changed
slightly with this release: the per-device /dev file system will be
mounted read-only from this version on, and will have "noexec"
- set. This (minor) change of behaviour might cause some (exceptional)
+ set. This (minor) change of behavior might cause some (exceptional)
legacy software to break, when PrivateDevices=yes is set for its
service. Please leave PrivateDevices= off if you run into problems
with this.
- Contributions from: Alban Crequy, Alexander Kuleshov, Alex Crawford,
- Andrew Eikum, Beniamino Galvani, Benjamin Robin, Benjamin ROBIN, Biao
- Lu, Bjørnar Ness, Calvin Owens, Christian Hesse, Colin Guthrie, Daniel
- J Walsh, Daniel Mack, Dan Nicholson, daurnimator, David Herrmann, David
+ * systemd-bootchart has been split out to a separate repository:
+ https://github.com/systemd/systemd-bootchart
+
+ * systemd-bus-proxyd has been removed, as kdbus is unlikely to still be
+ merged into the kernel in its current form.
+
+ * The compatibility libraries libsystemd-daemon.so,
+ libsystemd-journal.so, libsystemd-id128.so, and libsystemd-login.so
+ which have been deprecated since systemd-209 have been removed along
+ with the corresponding pkg-config files. All symbols provided by
+ those libraries are provided by libsystemd.so.
+
+ * The Capabilities= unit file setting has been removed (it is ignored
+ for backwards compatibility). AmbientCapabilities= and
+ CapabilityBoundingSet= should be used instead.
+
+ * A new special target has been added, initrd-root-device.target,
+ which creates a synchronization point for dependencies of the root
+ device in early userspace. Initramfs builders must ensure that this
+ target is now included in early userspace.
+
+ Contributions from: Alban Crequy, Alexander Kuleshov, Alexander Shopov,
+ Alex Crawford, Andre Klärner, Andrew Eikum, Beniamino Galvani, Benjamin
+ Robin, Biao Lu, Bjørnar Ness, Calvin Owens, Christian Hesse, Clemens
+ Gruber, Colin Guthrie, Daniel Drake, Daniele Medri, Daniel J Walsh,
+ Daniel Mack, Dan Nicholson, daurnimator, David Herrmann, David
R. Hedges, Elias Probst, Emmanuel Gil Peyrot, EMOziko, Evgeny
Vereshchagin, Federico, Felipe Sateler, Filipe Brandenburger, Franck
- Bui, frankheckenbach, Georgia Brikis, Harald Hoyer, Hendrik Brueckner,
- Hristo Venev, Iago López Galeiras, Ian Kelling, Ismo Puustinen, Jakub
- Wilk, Jaroslav Škarvada, Jeff Huang, Joel Holdsworth, kayrus, Klearchos
- Chaloulos, Lennart Poettering, Lubomir Rintel, Lukas Nykryn, Lukáš
- Nykrýn, Mantas Mikulėnas, Marcel Holtmann, Martin Pitt, Michael Biebl,
- michaelolbrich, Michał Bartoszkiewicz, Michal Koutný, Michal Sekletar,
- Mike Frysinger, Mike Gilbert, Mingcong Bai, Ming Lin, mulkieran,
- muzena, Nalin Dahyabhai, Naohiro Aota, Nathan McSween, Nicolas
- Braud-Santoni, Patrik Flykt, Peter Hutterer, Petr Lautrbach, Petros
- Angelatos, Piotr Drąg, Rabin Vincent, Robert Węcławski, Ronny
- Chevalier, Samuel Tardieu, Stefan Schallenberg, Steven Siloti, Susant
- Sahani, Sylvain Plantefève, Taylor Smock, tblume, Tejun Heo, Thomas
- Blume, Thomas Haller, Thomas Hindoe Paaboel Andersen, Thomas
- H. P. Andersen, Tobias Klauser, Tom Gundersen, Torstein Husebø, Umut
- Tezduyar Lindskog, Vinay Kulkarni, Vito Caputo, Vittorio G (VittGam),
- Vladimir Panteleev, Wieland Hoffmann, Wouter Verhelst, Yu Watanabe,
- Zbigniew Jędrzejewski-Szmek
+ Bui, frankheckenbach, gdamjan, Georgia Brikis, Harald Hoyer, Hendrik
+ Brueckner, Hristo Venev, Iago López Galeiras, Ian Kelling, Ismo
+ Puustinen, Jakub Wilk, Jaroslav Škarvada, Jeff Huang, Joel Holdsworth,
+ John Paul Adrian Glaubitz, Jonathan Boulle, kayrus, Klearchos
+ Chaloulos, Kyle Russell, Lars Uebernickel, Lennart Poettering, Lubomir
+ Rintel, Lukáš Nykrýn, Mantas Mikulėnas, Marcel Holtmann, Martin Pitt,
+ Michael Biebl, michaelolbrich, Michał Bartoszkiewicz, Michal Koutný,
+ Michal Sekletar, Mike Frysinger, Mike Gilbert, Mingcong Bai, Ming Lin,
+ mulkieran, muzena, Nalin Dahyabhai, Naohiro Aota, Nathan McSween,
+ Nicolas Braud-Santoni, Patrik Flykt, Peter Hutterer, Peter Mattern,
+ Petr Lautrbach, Petros Angelatos, Piotr Drąg, Rabin Vincent, Robert
+ Węcławski, Ronny Chevalier, Samuel Tardieu, Stefan Saraev, Stefan
+ Schallenberg aka nafets227, Steven Siloti, Susant Sahani, Sylvain
+ Plantefève, Taylor Smock, Tejun Heo, Thomas Blume, Thomas Haller,
+ Thomas H. P. Andersen, Tobias Klauser, Tom Gundersen, topimiettinen,
+ Torstein Husebø, Umut Tezduyar Lindskog, Uwe Kleine-König, Victor Toso,
+ Vinay Kulkarni, Vito Caputo, Vittorio G (VittGam), Vladimir Panteleev,
+ Wieland Hoffmann, Wouter Verhelst, Yu Watanabe, Zbigniew
+ Jędrzejewski-Szmek
- — Berlin, 2016-05-XX
+ — Fairfax, 2016-05-21
CHANGES WITH 229:
the service.
* Timer units gained support for a new RemainAfterElapse=
- setting which takes a boolean argument. It defaults on on,
+ setting which takes a boolean argument. It defaults to on,
exposing behaviour unchanged to previous releases. If set to
off, timer units are unloaded after they elapsed if they
cannot elapse again. This is particularly useful for
* Support for USB FunctionFS activation has been added. This
allows implementation of USB gadget services that are
activated as soon as they are requested, so that they don't
- have to run continously, similar to classic socket
+ have to run continuously, similar to classic socket
activation.
* The "systemctl exit" command now optionally takes an
* systemd-networkd gained support for:
- - Setting the IPv6 Router Advertisment settings via
+ - Setting the IPv6 Router Advertisement settings via
IPv6AcceptRouterAdvertisements= in .network files.
- Configuring the HelloTimeSec=, MaxAgeSec= and
files controlled by the number of files that shall remain,
in addition to the already existing control by size and by
date. This is useful as journal interleaving performance
- degrades with too many seperate journal files, and allows
+ degrades with too many separate journal files, and allows
putting an effective limit on them. The new setting defaults
to 100, but this may be changed by setting SystemMaxFiles=
and RuntimeMaxFiles= in journald.conf. Also, the
available, systemd will fall back to the legacy cgroup
hierarchy setup, as before. Host system and containers can
mix and match legacy and unified hierarchies as they
- wish. nspawn understands the $UNIFIED_CROUP_HIERARCHY
+ wish. nspawn understands the $UNIFIED_CGROUP_HIERARCHY
environment variable to individually select the hierarchy to
use for executed containers. By default, nspawn will use the
unified hierarchy for the containers if the host uses the
* We do not mount the "cpuset" controller anymore together with
"cpu" and "cpuacct", as "cpuset" groups generally cannot be
started if no parameters are assigned to it. "cpuset" hence
- broke code that assumed it it could create "cpu" groups and
+ broke code that assumed it could create "cpu" groups and
just start them.
* journalctl -f will now subscribe to terminal size changes,
projects / thirdparty / systemd.git / blobdiff