systemd System and Service Manager
-CHANGES WITH 238 in spe:
+CHANGES WITH 240 in spe:
+
+ * NoNewPrivileges=yes has been set for all long-running services
+ implemented by systemd. Previously, this was problematic due to
+ SELinux (as this would also prohibit the transition from PID1's label
+ to the service's label). This restriction has since been lifted, but
+ an SELinux policy update is required.
+ (See e.g. https://github.com/fedora-selinux/selinux-policy/pull/234.)
+
+ * DynamicUser=yes is dropped from systemd-networkd.service,
+ systemd-resolved.service and systemd-timesyncd.service, which was
+ enabled in v239 for systemd-networkd.service and systemd-resolved.service,
+ and since v236 for systemd-timesyncd.service. The users and groups
+ systemd-network, systemd-resolve and systemd-timesync are created
+ by systemd-sysusers again. Distributors or system administrators
+ may need to create these users and groups if they not exist (or need
+ to re-enable DynamicUser= for those units) while upgrading systemd.
+
+ * When unit files are loaded from disk, previously systemd would
+ sometimes (depending on the unit loading order) load units from the
+ target path of symlinks in .wants/ or .requires/ directories of other
+ units. This meant that unit could be loaded from different paths
+ depending on whether the unit was requested explicitly or as a
+ dependency of another unit, not honouring the priority of directories
+ in search path. It also meant that it was possible to successfully
+ load and start units which are not found in the unit search path, as
+ long as they were requested as a dependency and linked to from
+ .wants/ or .requires/. The target paths of those symlinks are not
+ used for loading units anymore and the unit file must be found in
+ the search path.
+
+ * A new service type has been added: Type=exec. It's very similar to
+ Type=simple but ensures the service manager will wait for both fork()
+ and execve() of the main service binary to complete before proceeding
+ with follow-up units. This is primarily useful so that the manager
+ propagates any errors in the preparation phase of service execution
+ back to the job that requested the unit to be started. For example,
+ consider a service that has ExecStart= set to a file system binary
+ that doesn't exist. With Type=simple starting the unit would be
+ considered instantly successful, as only fork() has to complete
+ successfully and the manager does not wait for execve(), and hence
+ its failure is seen "too late". With the new Type=exec service type
+ starting the unit will fail, as the manager will wait for the
+ execve() and notice its failure, which is then propagated back to the
+ start job.
+
+ NOTE: with the next release 241 of systemd we intend to change the
+ systemd-run tool to default to Type=exec for transient services
+ started by it. This should be mostly safe, but in specific corner
+ cases might result in problems, as the systemd-run tool will then
+ block on NSS calls (such as user name look-ups due to User=) done
+ between the fork() and execve(), which under specific circumstances
+ might cause problems. It is recommended to specify "-p Type=simple"
+ explicitly in the few cases where this applies. For regular,
+ non-transient services (i.e. those defined with unit files on disk)
+ we will continue to default to Type=simple.
+
+ * The Linux kernel's current default RLIMIT_NOFILE resource limit for
+ userspace processes is set to 1024 (soft) and 4096
+ (hard). Previously, systemd passed this on unmodified to all
+ processes it forked off. With this systemd release the hard limit
+ systemd passes on is increased to 512K, overriding the kernel's
+ defaults and substantially increasing the number of simultaneous file
+ descriptors unprivileged userspace processes can allocate. Note that
+ the soft limit remains at 1024 for compatibility reasons: the
+ traditional UNIX select() call cannot deal with file descriptors >=
+ 1024 and increasing the soft limit globally might thus result in
+ programs unexpectedly allocating a high file descriptor and thus
+ failing abnormally when attempting to use it with select() (of
+ course, programs shouldn't use select() anymore, and prefer
+ poll()/epoll, but the call unfortunately remains undeservedly popular
+ at this time). This change reflects the fact that file descriptor
+ handling in the Linux kernel has been optimized in more recent
+ kernels and allocating large numbers of them should be much cheaper
+ both in memory and in performance than it used to be. Programs that
+ want to take benefit of the increased limit have to "opt-in" into
+ high file descriptors explicitly by raising their soft limit. Of
+ course, when they do that they must acknowledge that they cannot use
+ select() anymore (and neither can any shared library they use — or
+ any shared library used by any shared library they use and so on).
+ Which default hard limit is most appropriate is of course hard to
+ decide. However, given reports that ~300K file descriptors are used
+ in real-life applications we believe 512K is sufficiently high as new
+ default for now. Note that there are also reports that using very
+ high hard limits (e.g. 1G) is problematic: some software allocates
+ large arrays with one element for each potential file descriptor
+ (Java, …) — a high hard limit thus triggers excessively large memory
+ allocations in these applications. Hopefully, the new default of 512K
+ is a good middle ground: higher than what real-life applications
+ currently need, and low enough for avoid triggering excessively large
+ allocations in problematic software. (And yes, somebody should fix
+ Java.)
+
+ * The fs.nr_open and fs.file-max sysctls are now automatically bumped
+ to the highest possible values, as separate accounting of file
+ descriptors is no longer necessary, as memcg tracks them correctly as
+ part of the memory accounting anyway. Thus, from the four limits on
+ file descriptors currently enforced (fs.file-max, fs.nr_open,
+ RLIMIT_NOFILE hard, RLIMIT_NOFILE soft) we turn off the first two,
+ and keep only the latter two. A set of build-time options
+ (-Dbump-proc-sys-fs-file-max=no and -Dbump-proc-sys-fs-nr-open=no)
+ has been added to revert this change in behaviour, which might be
+ an option for systems that turn off memcg in the kernel.
+
+ * When no /etc/locale.conf file exists (and hence no locale settings
+ are in place), systemd will now use the "C.UTF-8" locale by default,
+ and set LANG= to it. This locale is supported by various
+ distributions including Fedora, with clear indications that upstream
+ glibc is going to make it available too. This locale enables UTF-8
+ mode by default, which appears appropriate for 2018.
+
+ * The "net.ipv4.conf.all.rp_filter" sysctl will now be set to 2 by
+ default. This effectively switches the RFC3704 Reverse Path filtering
+ from Strict mode to Loose mode. This is more appropriate for hosts
+ that have multiple links with routes to the same networks (e.g.
+ a client with a Wi-Fi and Ethernet both connected to the internet).
+
+ Consult the kernel documentation for details on this sysctl:
+ https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
+
+ * CPUAccounting=yes no longer enables the CPU controller when using
+ kernel 4.15+ and the unified cgroup hierarchy, as required accounting
+ statistics are now provided independently from the CPU controller.
+
+ * Support for disabling a particular cgroup controller within a sub-tree
+ has been added through the DisableControllers= directive.
+
+ * The new "MemoryMin=" unit file property may now be used to set the
+ memory usage protection limit of processes invoked by the unit. This
+ controls the cgroupsv2 memory.min attribute. Similarly, the new
+ "IODeviceLatencyTargetSec=" property has been added, wrapping the new
+ cgroupsv2 io.latency cgroup property for configuring per-service I/O
+ latency.
+
+ * systemd now supports the cgroupsv2 devices BPF logic, as counterpart
+ to the cgroupsv1 "devices" cgroup controller.
+
+ * systemd-escape now is able to combine --unescape with --template. It
+ also learnt a new option --instance for extracting and unescaping the
+ instance part of a unit name.
+
+ * sd-bus now provides the sd_bus_message_readv() which is similar to
+ sd_bus_message_read() but takes a va_list object. The pair
+ sd_bus_set_method_call_timeout() and sd_bus_get_method_call_timeout()
+ has been added for configuring the default method call timeout to
+ use. sd_bus_error_move() may be used to efficiently move the contents
+ from one sd_bus_error structure to another, invalidating the
+ source. sd_bus_set_close_on_exit() and sd_bus_get_close_on_exit() may
+ be used to control whether a bus connection object is automatically
+ flushed when an sd-event loop is exited.
+
+ * When processing classic BSD syslog log messages, journald will now
+ save the original time-stamp string supplied in the new
+ SYSLOG_TIMESTAMP= journal field. This permits consumers to
+ reconstruct the original BSD syslog message more correctly.
+
+ * StandardOutput=/StandardError= in service files gained support for
+ new "append:…" parameters, for connecting STDOUT/STDERR of a service
+ to a file, and appending to it.
+
+ * The signal to use as last step of killing of unit processes is now
+ configurable. Previously it was hard-coded to SIGKILL, which may now
+ be overridden with the new KillSignal= setting. Note that this is the
+ signal used when regular termination (i.e. SIGTERM) does not suffice.
+ Similarly, the signal used when aborting a program in case of a
+ watchdog timeout may now be configured too (WatchdogSignal=).
+
+ * The XDG_SESSION_DESKTOP environment variable may now be configured in
+ the pam_systemd argument line, using the new desktop= switch. This is
+ useful to initialize it properly from a display manager without
+ having to touch C code.
+
+ * Most configuration options that previously accepted percentage values
+ now also accept permille values with the '‰' suffix (instead of '%').
+
+ * systemd-logind will offer hibernation only if the currently used
+ kernel image is still available on disk.
+
+ * systemd-resolved may now optionally use OpenSSL instead of GnuTLS for
+ DNS-over-TLS.
+
+ * systemd-resolved's configuration file resolved.conf gained a new
+ option ReadEtcHosts= which may be used to turn off processing and
+ honoring /etc/hosts entries.
+
+ * The "--wait" switch may now be passed to "systemctl
+ is-system-running", in which case the tool will synchronously wait
+ until the system finished start-up.
+
+ * hostnamed gained a new bus call to determine the DMI product UUID.
+
+ * On x86-64 systemd will now prefer using the RDRAND processor
+ instruction over /dev/urandom whenever it requires randomness that
+ neither has to be crypto-grade nor should be reproducible. This
+ should substantially reduce the amount of entropy systemd requests
+ from the kernel during initialization on such systems, though not
+ reduce it to zero. (Why not zero? systemd still needs to allocate
+ UUIDs and such uniquely, which require high-quality randomness.)
+
+ * networkd gained support for Foo-Over-UDP, ERSPAN and ISATAP
+ tunnels. It also gained a new option ForceDHCPv6PDOtherInformation=
+ for forcing the "Other Information" bit in IPv6 RA messages. The
+ bonding logic gained four new options AdActorSystemPriority=,
+ AdUserPortKey=, AdActorSystem= for configuring various 802.3ad
+ aspects, and DynamicTransmitLoadBalancing= for enabling dynamic
+ shuffling of flows. The tunnel logic gained a new
+ IPv6RapidDeploymentPrefix= option for configuring IPv6 Rapid
+ Deployment. The policy rule logic gained four new options IPProtocol=,
+ SourcePort= and DestinationPort=, InvertRule=. The bridge logic gained
+ support for the MulticastToUnicast= option. networkd also gained
+ support for configuring static IPv4 ARP or IPv6 neighbor entries.
+
+ * .preset files (as read by 'systemctl preset') may now be used to
+ instantiate services.
+
+ * /etc/crypttab now understands the sector-size= option to configure
+ the sector size for an encrypted partition.
+
+ * Key material for encrypted disks may now be placed on a formatted
+ medium, and referenced from /etc/crypttab by the UUID of the file
+ system, followed by "=" suffixed by the path to the key file.
+
+ * The "collect" udev component has been removed without replacement, as
+ it is neither used nor maintained.
+
+ * When the RuntimeDirectory=, StateDirectory=, CacheDirectory=,
+ LogsDirectory=, ConfigurationDirectory= settings are used in a
+ service the executed processes will now receive a set of environment
+ variables containing the full paths of these directories.
+ Specifically, RUNTIME_DIRECTORY=, STATE_DIRECTORY, CACHE_DIRECTORY,
+ LOGS_DIRECTORY, CONFIGURATION_DIRECTORY are now set if these options
+ are used. Note that these options may be used multiple times per
+ service in which case the resulting paths will be concatenated and
+ separated by colons.
+
+ * Predictable interface naming has been extended to cover InfiniBand
+ NICs. They will be exposed with an "ib" prefix.
+
+ * tmpfiles.d/ line types may now be suffixed with a '-' character, in
+ which case the respective line failing is ignored.
+
+ * .link files may now be used to configure the equivalent to the
+ "ethtool advertise" commands.
+
+ * The sd-device.h and sd-hwdb.h APIs are now exported, as an
+ alternative to libudev.h. Previously, the latter was just an internal
+ wrapper around the former, but now these two APIs are exposed
+ directly.
+
+ * sd-id128.h gained a new function sd_id128_get_boot_app_specific()
+ which calculates an app-specific boot ID similar to how
+ sd_id128_get_machine_app_specific() generates an app-specific machine
+ ID.
+
+ * A new tool systemd-id128 has been added that can be used to determine
+ and generate various 128bit IDs.
+
+ * /etc/os-release gained two new standardized fields DOCUMENTATION_URL=
+ and LOGO=.
+
+ * systemd-hibernate-resume-generator will now honor the "noresume"
+ kernel command line option, in which case it will bypass resuming
+ from any hibernated image.
+
+ * The systemd-sleep.conf configuration file gained new options
+ AllowSuspend=, AllowHibernation=, AllowSuspendThenHibernate=,
+ AllowHybridSleep= for prohibiting specific sleep modes even if the
+ kernel exports them.
+
+ * portablectl is now officially supported and has thus moved to
+ /usr/bin/.
+
+ * bootctl learnt the two new commands "set-default" and "set-oneshot"
+ for setting the default boot loader item to boot to (either
+ persistently or only for the next boot). This is currently only
+ compatible with sd-boot, but may be implemented on other boot loaders
+ too, that follow the boot loader interface. The updated interface is
+ now documented here:
+
+ https://systemd.io/BOOT_LOADER_INTERFACE
+
+ * A new kernel command line option systemd.early_core_pattern= is now
+ understood which may be used to influence the core_pattern PID 1
+ installs during early boot.
+
+ * busctl learnt two new options -j and --json= for outputting method
+ call replies, properties and monitoring output in JSON.
+
+ * journalctl's JSON output now supports simple ANSI coloring as well as
+ a new "json-seq" mode for generating RFC7464 output.
+
+ * Unit files now support the %g/%G specifiers that resolve to the UNIX
+ group/GID of the service manager runs as, similar to the existing
+ %u/%U specifiers that resolve to the UNIX user/UID.
+
+ * systemd-logind learnt a new global configuration option
+ UserStopDelaySec= that may be set in logind.conf. It specifies how
+ long the systemd --user instance shall remain started after a user
+ logs out. This is useful to speed up repetitive re-connections of the
+ same user, as it means the user's service manager doesn't have to be
+ stopped/restarted on each iteration, but can be reused between
+ subsequent options. This setting defaults to 10s. systemd-logind also
+ exports two new properties on its Manager D-Bus objects indicating
+ whether the system's lid is currently closed, and whether the system
+ is on AC power.
+
+ * systemd gained support for a generic boot counting logic, which
+ generically permits automatic reverting to older boot loader entries
+ if newer updated ones don't work. The boot loader side is implemented
+ in sd-boot, but is kept open for other boot loaders too. For details
+ see:
+
+ https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT
+
+ * The SuccessAction=/FailureAction= unit file settings now learnt two
+ new parameters: "exit" and "exit-force", which result in immediate
+ exiting of the service manager, and are only useful in systemd --user
+ and container environments.
+
+ * Unit files gained support for a pair of options
+ FailureActionExitStatus=/SuccessActionExitStatus= for configuring the
+ exit status to use as service manager exit status when
+ SuccessAction=/FailureAction= is set to exit or exit-force.
+
+ * A pair of LogRateLimitIntervalSec=/LogRateLimitBurst= per-service
+ options may now be used to configure the log rate limiting applied by
+ journald per-service.
+
+ * systemd-analyze gained a new verb "timespan" for parsing and
+ normalizing time span values (i.e. strings like "5min 7s 8us").
+
+ * systemd-analyze also gained a new verb "security" for analyzing the
+ security and sand-boxing settings of services in order to determine an
+ "exposure level" for them, indicating whether a service would benefit
+ from more sand-boxing options turned on for them.
+
+ * "systemd-analyze syscall-filter" will now also show system calls
+ supported by the local kernel but not included in any of the defined
+ groups.
+
+ * .nspawn files now understand the Ephemeral= setting, matching the
+ --ephemeral command line switch.
+
+ * sd-event gained the new APIs sd_event_source_get_floating() and
+ sd_event_source_set_floating() for controlling whether a specific
+ event source is "floating", i.e. destroyed along with the even loop
+ object itself.
+
+ * Unit objects on D-Bus gained a new "Refs" property that lists all
+ clients that currently have a reference on the unit (to ensure it is
+ not unloaded).
+
+ * The JoinControllers= option in system.conf is no longer supported, as
+ it didn't work correctly, is hard to support properly, is legacy (as
+ the concept only exists on cgroupsv1) and apparently wasn't used.
+
+ * Journal messages that are generated whenever a unit enters the failed
+ state are now tagged with a unique MESSAGE_ID. Similarly, messages
+ generated whenever a service process exits are now made recognizable,
+ too. A taged message is also emitted whenever a unit enters the
+ "dead" state on success.
+
+ * systemd-run gained a new switch --working-directory= for configuring
+ the working directory of the service to start. A shortcut -d is
+ equivalent, setting the working directory of the service to the
+ current working directory of the invoking program. The new --shell
+ (or just -S) option has been added for invoking the $SHELL of the
+ caller as a service, and implies --pty --same-dir --wait --collect
+ --service-type=exec. Or in other words, "systemd-run -S" is now the
+ quickest way to quickly get an interactive in a fully clean and
+ well-defined system service context.
+
+ * machinectl gained a new verb "import-fs" for importing an OS tree
+ from a directory. Moreover, when a directory or tarball is imported
+ and single top-level directory found with the OS itself below the OS
+ tree is automatically mangled and moved one level up.
+
+ * systemd-importd will no longer set up an implicit btrfs loop-back
+ file system on /var/lib/machines. If one is already set up, it will
+ continue to be used.
+
+ * A new generator "systemd-run-generator" has been added. It will
+ synthesize a unit from one or more program command lines included in
+ the kernel command line. This is very useful in container managers
+ for example:
+
+ # systemd-nspawn -i someimage.raw -b systemd.run='"some command line"'
+
+ This will run "systemd-nspawn" on an image, invoke the specified
+ command line and immediately shut down the container again, returning
+ the command line's exit code.
+
+ * The block device locking logic is now documented:
+
+ https://systemd.io/BLOCK_DEVICE_LOCKING
+
+ * loginctl and machinectl now optionally output the various tables in
+ JSON using the --output= switch. It is our intention to add similar
+ support to systemctl and all other commands.
+
+ * udevadm's query and trigger verb now optionally take a .device unit
+ name as argument.
+
+ * systemd-udevd's network naming logic now understands a new
+ net.naming-scheme= kernel command line switch, which may be used to
+ pick a specific version of the naming scheme. This helps stabilizing
+ interface names even as systemd/udev are updated and the naming logic
+ is improved.
+
+ * sd-id128.h learnt two new auxiliary helpers: sd_id128_is_allf() and
+ SD_ID128_ALLF to test if a 128bit ID is set to all 0xFF bytes, and to
+ initialize one to all 0xFF.
+
+ * After loading the SELinux policy systemd will now recursively relabel
+ all files and directories listed in
+ /run/systemd/relabel-extra.d/*.relabel (which should be simple
+ newline separated lists of paths) in addition to the ones it already
+ implicitly relabels in /run, /dev and /sys. After the relabelling is
+ completed the *.relabel files (and /run/systemd/relabel-extra.d/) are
+ removed. This is useful to permit initrds (i.e. code running before
+ the SELinux policy is in effect) to generate files in the host
+ filesystem safely and ensure that the correct label is applied during
+ the transition to the host OS.
+
+ * KERNEL API BREAKAGE: Linux kernel 4.18 changed behaviour regarding
+ mknod() handling in user namespaces. Previously mknod() would always
+ fail with EPERM in user namespaces. Since 4.18 mknod() will succeed
+ but device nodes generated that way cannot be opened, and attempts to
+ open them result in EPERM. This breaks the "graceful fallback" logic
+ in systemd's PrivateDevices= sand-boxing option. This option is
+ implemented defensively, so that when systemd detects it runs in a
+ restricted environment (such as a user namespace, or an environment
+ where mknod() is blocked through seccomp or absence of CAP_SYS_MKNOD)
+ where device nodes cannot be created the effect of PrivateDevices= is
+ bypassed (following the logic that 2nd-level sand-boxing is not
+ essential if the system systemd runs in is itself already sand-boxed
+ as a whole). This logic breaks with 4.18 in container managers where
+ user namespacing is used: suddenly PrivateDevices= succeeds setting
+ up a private /dev/ file system containing devices nodes — but when
+ these are opened they don't work.
+
+ At this point is is recommended that container managers utilizing
+ user namespaces that intend to run systemd in the payload explicitly
+ block mknod() with seccomp or similar, so that the graceful fallback
+ logic works again.
+
+ We are very sorry for the breakage and the requirement to change
+ container configurations for newer kernels. It's purely caused by an
+ incompatible kernel change. The relevant kernel developers have been
+ notified about this userspace breakage quickly, but they chose to
+ ignore it.
+
+ Contributions from: afg, Alan Jenkins, Aleksei Timofeyev, Alexander
+ Filippov, Alexander Kurtz, Alexey Bogdanenko, Andreas Henriksson,
+ Andrew Jorgensen, Anita Zhang, apnix-uk, Arkan49, Arseny Maslennikov,
+ asavah, Asbjørn Apeland, aszlig, Bastien Nocera, Ben Boeckel, Benedikt
+ Morbach, Benjamin Berg, Bruce Zhang, Carlo Caione, Cedric Viou, Chen
+ Qi, Chris Chiu, Chris Down, Chris Morin, Christian Rebischke, Claudius
+ Ellsel, Colin Guthrie, dana, Daniel, Daniele Medri, Daniel Kahn
+ Gillmor, Daniel Rusek, Daniel van Vugt, Dariusz Gadomski, Dave Reisner,
+ David Anderson, Davide Cavalca, David Leeds, David Malcolm, David
+ Strauss, David Tardon, Dimitri John Ledkov, dj-kaktus, Dongsu Park,
+ Elias Probst, Emil Soleyman, Erik Kooistra, Ervin Peters, Evgeni Golov,
+ Evgeny Vereshchagin, Fabrice Fontaine, Faheel Ahmad, Faizal Luthfi,
+ Felix Yan, Filipe Brandenburger, Franck Bui, Frank Schaefer, Frantisek
+ Sumsal, Gautier Husson, Gianluca Boiano, Giuseppe Scrivano, glitsj16,
+ Hans de Goede, Harald Hoyer, Harry Mallon, Harshit Jain, Helmut Grohne,
+ Henry Tung, Hui Yiqun, imayoda, Insun Pyo, Iwan Timmer, Jan Janssen,
+ Jan Pokorný, Jan Synacek, Jason A. Donenfeld, javitoom, Jérémy Nouhaud,
+ Jiuyang Liu, João Paulo Rechi Vita, Joe Hershberger, Joe Rayhawk, Joerg
+ Behrmann, Joerg Steffens, Jonas Dorel, Jon Ringle, Josh Soref, Julian
+ Andres Klode, Jun Bo Bi, Jürg Billeter, Keith Busch, Khem Raj, Kirill
+ Marinushkin, Larry Bernstone, Lennart Poettering, Lion Yang, Li Song,
+ Lorenz Hübschle-Schneider, Lubomir Rintel, Lucas Werkmeister, Ludwin
+ Janvier, Lukáš Nykrýn, Luke Shumaker, mal, Marc-Antoine Perennou,
+ Marcin Skarbek, Marco Trevisan (Treviño), Marian Cepok, Mario Hros,
+ Marko Myllynen, Markus Grimm, Martin Pitt, Martin Sobotka, Martin
+ Wilck, Mathieu Trudel-Lapierre, Matthew Leeds, Michael Biebl, Michael
+ Olbrich, Michael 'pbone' Pobega, Michael Scherer, Michal Koutný, Michal
+ Sekletar, Michal Soltys, Mike Gilbert, Mike Palmer, Muhammet Kara, Neal
+ Gompa, Neil Brown, Network Silence, Niklas Tibbling, Nikolas Nyby,
+ Nogisaka Sadata, Oliver Smith, Patrik Flykt, Pavel Hrdina, Paweł
+ Szewczyk, Peter Hutterer, Piotr Drąg, Ray Strode, Reinhold Mueller,
+ Renaud Métrich, Roman Gushchin, Ronny Chevalier, Rubén Suárez Alvarez,
+ Ruixin Bao, RussianNeuroMancer, Ryutaroh Matsumoto, Saleem Rashid, Sam
+ Morris, Samuel Morris, Sandy Carter, scootergrisen, Sébastien Bacher,
+ Sergey Ptashnick, Shawn Landden, Shengyao Xue, Shih-Yuan Lee
+ (FourDollars), Silvio Knizek, Sjoerd Simons, Stasiek Michalski, Stephen
+ Gallagher, Steven Allen, Steve Ramage, Susant Sahani, Sven Joachim,
+ Sylvain Plantefève, Tanu Kaskinen, Tejun Heo, Thiago Macieira, Thomas
+ Blume, Thomas Haller, Thomas H. P. Andersen, Tim Ruffing, TJ, Tobias
+ Jungel, Todd Walton, Tommi Rantala, Tomsod M, Tony Novak, Tore
+ Anderson, Trevonn, Victor Laskurain, Victor Tapia, Violet Halo, Vojtech
+ Trefny, welaq, William A. Kennington III, William Douglas, Wyatt Ward,
+ Xiang Fan, Xi Ruoyao, Xuanwo, Yann E. Morin, YmrDtnJu, Yu Watanabe,
+ Zbigniew Jędrzejewski-Szmek, Zhang Xianwei, Zsolt Dollenstein
+
+ — Somewhere, 2018-12-yy
+
+CHANGES WITH 239:
+
+ * NETWORK INTERFACE DEVICE NAMING CHANGES: systemd-udevd's "net_id"
+ builtin will name network interfaces differently than in previous
+ versions for virtual network interfaces created with SR-IOV and NPAR
+ and for devices where the PCI network controller device does not have
+ a slot number associated.
+
+ SR-IOV virtual devices are now named based on the name of the parent
+ interface, with a suffix of "v<N>", where <N> is the virtual device
+ number. Previously those virtual devices were named as if completely
+ independent.
+
+ The ninth and later NPAR virtual devices will be named following the
+ scheme used for the first eight NPAR partitions. Previously those
+ devices were not renamed and the kernel default (eth<n>) was used.
+
+ "net_id" will also generate names for PCI devices where the PCI
+ network controller device does not have an associated slot number
+ itself, but one of its parents does. Previously those devices were
+ not renamed and the kernel default (eth<n>) was used.
+
+ * AF_INET and AF_INET6 are dropped from RestrictAddressFamilies= in
+ systemd-logind.service. Since v235, IPAddressDeny=any has been set to
+ the unit. So, it is expected that the default behavior of
+ systemd-logind is not changed. However, if distribution packagers or
+ administrators disabled or modified IPAddressDeny= setting by a
+ drop-in config file, then it may be necessary to update the file to
+ re-enable AF_INET and AF_INET6 to support network user name services,
+ e.g. NIS.
+
+ * When the RestrictNamespaces= unit property is specified multiple
+ times, then the specified types are merged now. Previously, only the
+ last assignment was used. So, if distribution packagers or
+ administrators modified the setting by a drop-in config file, then it
+ may be necessary to update the file.
+
+ * When OnFailure= is used in combination with Restart= on a service
+ unit, then the specified units will no longer be triggered on
+ failures that result in restarting. Previously, the specified units
+ would be activated each time the unit failed, even when the unit was
+ going to be restarted automatically. This behaviour contradicted the
+ documentation. With this release the code is adjusted to match the
+ documentation.
+
+ * systemd-tmpfiles will now print a notice whenever it encounters
+ tmpfiles.d/ lines referencing the /var/run/ directory. It will
+ recommend reworking them to use the /run/ directory instead (for
+ which /var/run/ is simply a symlinked compatibility alias). This way
+ systemd-tmpfiles can properly detect line conflicts and merge lines
+ referencing the same file by two paths, without having to access
+ them.
+
+ * systemctl disable/unmask/preset/preset-all cannot be used with
+ --runtime. Previously this was allowed, but resulted in unintuitive
+ behaviour that wasn't useful. systemctl disable/unmask will now undo
+ both runtime and persistent enablement/masking, i.e. it will remove
+ any relevant symlinks both in /run and /etc.
+
+ * Note that all long-running system services shipped with systemd will
+ now default to a system call whitelist (rather than a blacklist, as
+ before). In particular, systemd-udevd will now enforce one too. For
+ most cases this should be safe, however downstream distributions
+ which disabled sandboxing of systemd-udevd (specifically the
+ MountFlags= setting), might want to disable this security feature
+ too, as the default whitelisting will prohibit all mount, swap,
+ reboot and clock changing operations from udev rules.
+
+ * sd-boot acquired new loader configuration settings to optionally turn
+ off Windows and MacOS boot partition discovery as well as
+ reboot-into-firmware menu items. It is also able to pick a better
+ screen resolution for HiDPI systems, and now provides loader
+ configuration settings to change the resolution explicitly.
+
+ * systemd-resolved now supports DNS-over-TLS. It's still
+ turned off by default, use DNSOverTLS=opportunistic to turn it on in
+ resolved.conf. We intend to make this the default as soon as couple
+ of additional techniques for optimizing the initial latency caused by
+ establishing a TLS/TCP connection are implemented.
+
+ * systemd-resolved.service and systemd-networkd.service now set
+ DynamicUser=yes. The users systemd-resolve and systemd-network are
+ not created by systemd-sysusers anymore.
+
+ NOTE: This has a chance of breaking nss-ldap and similar NSS modules
+ that embedd a network facing module into any process using getpwuid()
+ or related call: the dynamic allocation of the user ID for
+ systemd-resolved.service means the service manager has to check NSS
+ if the user name is already taken when forking off the service. Since
+ the user in the common case won't be defined in /etc/passwd the
+ lookup is likely to trigger nss-ldap which in turn might use NSS to
+ ask systemd-resolved for hostname lookups. This will hence result in
+ a deadlock: a user name lookup in order to start
+ systemd-resolved.service will result in a host name lookup for which
+ systemd-resolved.service needs to be started already. There are
+ multiple ways to work around this problem: pre-allocate the
+ "systemd-resolve" user on such systems, so that nss-ldap won't be
+ triggered; or use a different NSS package that doesn't do networking
+ in-process but provides a local asynchronous name cache; or configure
+ the NSS package to avoid lookups for UIDs in the range `pkg-config
+ systemd --variable=dynamicuidmin` … `pkg-config systemd
+ --variable=dynamicuidmax`, so that it does not consider itself
+ authoritative for the same UID range systemd allocates dynamic users
+ from.
+
+ * The systemd-resolve tool has been renamed to resolvectl (it also
+ remains available under the old name, for compatibility), and its
+ interface is now verb-based, similar in style to the other <xyz>ctl
+ tools, such as systemctl or loginctl.
+
+ * The resolvectl/systemd-resolve tool also provides 'resolvconf'
+ compatibility. It may be symlinked under the 'resolvconf' name, in
+ which case it will take arguments and input compatible with the
+ Debian and FreeBSD resolvconf tool.
+
+ * Support for suspend-then-hibernate has been added, i.e. a sleep mode
+ where the system initially suspends, and after a timeout resumes and
+ hibernates again.
+
+ * networkd's ClientIdentifier= now accepts a new option "duid-only". If
+ set the client will only send a DUID as client identifier.
+
+ * The nss-systemd glibc NSS module will now enumerate dynamic users and
+ groups in effect. Previously, it could resolve UIDs/GIDs to user
+ names/groups and vice versa, but did not support enumeration.
+
+ * journald's Compress= configuration setting now optionally accepts a
+ byte threshold value. All journal objects larger than this threshold
+ will be compressed, smaller ones will not. Previously this threshold
+ was not configurable and set to 512.
+
+ * A new system.conf setting NoNewPrivileges= is now available which may
+ be used to turn off acquisition of new privileges system-wide
+ (i.e. set Linux' PR_SET_NO_NEW_PRIVS for PID 1 itself, and thus also
+ for all its children). Note that turning this option on means setuid
+ binaries and file system capabilities lose their special powers.
+ While turning on this option is a big step towards a more secure
+ system, doing so is likely to break numerous pre-existing UNIX tools,
+ in particular su and sudo.
+
+ * A new service systemd-time-sync-wait.service has been added. If
+ enabled it will delay the time-sync.target unit at boot until time
+ synchronization has been received from the network. This
+ functionality is useful on systems lacking a local RTC or where it is
+ acceptable that the boot process shall be delayed by external network
+ services.
+
+ * When hibernating, systemd will now inform the kernel of the image
+ write offset, on kernels new enough to support this. This means swap
+ files should work for hibernation now.
+
+ * When loading unit files, systemd will now look for drop-in unit files
+ extensions in additional places. Previously, for a unit file name
+ "foo-bar-baz.service" it would look for dropin files in
+ "foo-bar-baz.service.d/*.conf". Now, it will also look in
+ "foo-bar-.service.d/*.conf" and "foo-.service.d/", i.e. at the
+ service name truncated after all inner dashes. This scheme allows
+ writing drop-ins easily that apply to a whole set of unit files at
+ once. It's particularly useful for mount and slice units (as their
+ naming is prefix based), but is also useful for service and other
+ units, for packages that install multiple unit files at once,
+ following a strict naming regime of beginning the unit file name with
+ the package's name. Two new specifiers are now supported in unit
+ files to match this: %j and %J are replaced by the part of the unit
+ name following the last dash.
+
+ * Unit files and other configuration files that support specifier
+ expansion now understand another three new specifiers: %T and %V will
+ resolve to /tmp and /var/tmp respectively, or whatever temporary
+ directory has been set for the calling user. %E will expand to either
+ /etc (for system units) or $XDG_CONFIG_HOME (for user units).
+
+ * The ExecStart= lines of unit files are no longer required to
+ reference absolute paths. If non-absolute paths are specified the
+ specified binary name is searched within the service manager's
+ built-in $PATH, which may be queried with 'systemd-path
+ search-binaries-default'. It's generally recommended to continue to
+ use absolute paths for all binaries specified in unit files.
+
+ * Units gained a new load state "bad-setting", which is used when a
+ unit file was loaded, but contained fatal errors which prevent it
+ from being started (for example, a service unit has been defined
+ lacking both ExecStart= and ExecStop= lines).
+
+ * coredumpctl's "gdb" verb has been renamed to "debug", in order to
+ support alternative debuggers, for example lldb. The old name
+ continues to be available however, for compatibility reasons. Use the
+ new --debugger= switch or the $SYSTEMD_DEBUGGER environment variable
+ to pick an alternative debugger instead of the default gdb.
+
+ * systemctl and the other tools will now output escape sequences that
+ generate proper clickable hyperlinks in various terminal emulators
+ where useful (for example, in the "systemctl status" output you can
+ now click on the unit file name to quickly open it in the
+ editor/viewer of your choice). Note that not all terminal emulators
+ support this functionality yet, but many do. Unfortunately, the
+ "less" pager doesn't support this yet, hence this functionality is
+ currently automatically turned off when a pager is started (which
+ happens quite often due to auto-paging). We hope to remove this
+ limitation as soon as "less" learns these escape sequences. This new
+ behaviour may also be turned off explicitly with the $SYSTEMD_URLIFY
+ environment variable. For details on these escape sequences see:
+ https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3cb5feda
+
+ * networkd's .network files now support a new IPv6MTUBytes= option for
+ setting the MTU used by IPv6 explicitly as well as a new MTUBytes=
+ option in the [Route] section to configure the MTU to use for
+ specific routes. It also gained support for configuration of the DHCP
+ "UserClass" option through the new UserClass= setting. It gained
+ three new options in the new [CAN] section for configuring CAN
+ networks. The MULTICAST and ALLMULTI interface flags may now be
+ controlled explicitly with the new Multicast= and AllMulticast=
+ settings.
+
+ * networkd will now automatically make use of the kernel's route
+ expiration feature, if it is available.
+
+ * udevd's .link files now support setting the number of receive and
+ transmit channels, using the RxChannels=, TxChannels=,
+ OtherChannels=, CombinedChannels= settings.
+
+ * Support for UDPSegmentationOffload= has been removed, given its
+ limited support in hardware, and waning software support.
+
+ * networkd's .netdev files now support creating "netdevsim" interfaces.
+
+ * PID 1 learnt a new bus call GetUnitByControlGroup() which may be used
+ to query the unit belonging to a specific kernel control group.
+
+ * systemd-analyze gained a new verb "cat-config", which may be used to
+ dump the contents of any configuration file, with all its matching
+ drop-in files added in, and honouring the usual search and masking
+ logic applied to systemd configuration files. For example use
+ "systemd-analyze cat-config systemd/system.conf" to get the complete
+ system configuration file of systemd how it would be loaded by PID 1
+ itself. Similar to this, various tools such as systemd-tmpfiles or
+ systemd-sysusers, gained a new option "--cat-config", which does the
+ corresponding operation for their own configuration settings. For
+ example, "systemd-tmpfiles --cat-config" will now output the full
+ list of tmpfiles.d/ lines in place.
+
+ * timedatectl gained three new verbs: "show" shows bus properties of
+ systemd-timedated, "timesync-status" shows the current NTP
+ synchronization state of systemd-timesyncd, and "show-timesync"
+ shows bus properties of systemd-timesyncd.
+
+ * systemd-timesyncd gained a bus interface on which it exposes details
+ about its state.
+
+ * A new environment variable $SYSTEMD_TIMEDATED_NTP_SERVICES is now
+ understood by systemd-timedated. It takes a colon-separated list of
+ unit names of NTP client services. The list is used by
+ "timedatectl set-ntp".
+
+ * systemd-nspawn gained a new --rlimit= switch for setting initial
+ resource limits for the container payload. There's a new switch
+ --hostname= to explicitly override the container's hostname. A new
+ --no-new-privileges= switch may be used to control the
+ PR_SET_NO_NEW_PRIVS flag for the container payload. A new
+ --oom-score-adjust= switch controls the OOM scoring adjustment value
+ for the payload. The new --cpu-affinity= switch controls the CPU
+ affinity of the container payload. The new --resolv-conf= switch
+ allows more detailed control of /etc/resolv.conf handling of the
+ container. Similarly, the new --timezone= switch allows more detailed
+ control of /etc/localtime handling of the container.
+
+ * systemd-detect-virt gained a new --list switch, which will print a
+ list of all currently known VM and container environments.
+
+ * Support for "Portable Services" has been added, see
+ doc/PORTABLE_SERVICES.md for details. Currently, the support is still
+ experimental, but this is expected to change soon. Reflecting this
+ experimental state, the "portablectl" binary is not installed into
+ /usr/bin yet. The binary has to be called with the full path
+ /usr/lib/systemd/portablectl instead.
+
+ * journalctl's and systemctl's -o switch now knows a new log output
+ mode "with-unit". The output it generates is very similar to the
+ regular "short" mode, but displays the unit name instead of the
+ syslog tag for each log line. Also, the date is shown with timezone
+ information. This mode is probably more useful than the classic
+ "short" output mode for most purposes, except where pixel-perfect
+ compatibility with classic /var/log/messages formatting is required.
+
+ * A new --dump-bus-properties switch has been added to the systemd
+ binary, which may be used to dump all supported D-Bus properties.
+ (Options which are still supported, but are deprecated, are *not*
+ shown.)
+
+ * sd-bus gained a set of new calls:
+ sd_bus_slot_set_floating()/sd_bus_slot_get_floating() may be used to
+ enable/disable the "floating" state of a bus slot object,
+ i.e. whether the slot object pins the bus it is allocated for into
+ memory or if the bus slot object gets disconnected when the bus goes
+ away. sd_bus_open_with_description(),
+ sd_bus_open_user_with_description(),
+ sd_bus_open_system_with_description() may be used to allocate bus
+ objects and set their description string already during allocation.
+
+ * sd-event gained support for watching inotify events from the event
+ loop, in an efficient way, sharing inotify handles between multiple
+ users. For this a new function sd_event_add_inotify() has been added.
+
+ * sd-event and sd-bus gained support for calling special user-supplied
+ destructor functions for userdata pointers associated with
+ sd_event_source, sd_bus_slot, and sd_bus_track objects. For this new
+ functions sd_bus_slot_set_destroy_callback,
+ sd_bus_slot_get_destroy_callback, sd_bus_track_set_destroy_callback,
+ sd_bus_track_get_destroy_callback,
+ sd_event_source_set_destroy_callback,
+ sd_event_source_get_destroy_callback have been added.
+
+ * The "net.ipv4.tcp_ecn" sysctl will now be turned on by default.
+
+ * PID 1 will now automatically reschedule .timer units whenever the
+ local timezone changes. (They previously got rescheduled
+ automatically when the system clock changed.)
+
+ * New documentation has been added to document cgroups delegation,
+ portable services and the various code quality tools we have set up:
+
+ https://github.com/systemd/systemd/blob/master/docs/CGROUP_DELEGATION.md
+ https://github.com/systemd/systemd/blob/master/docs/PORTABLE_SERVICES.md
+ https://github.com/systemd/systemd/blob/master/docs/CODE_QUALITY.md
+
+ * The Boot Loader Specification has been added to the source tree.
+
+ https://github.com/systemd/systemd/blob/master/docs/BOOT_LOADER_SPECIFICATION.md
+
+ While moving it into our source tree we have updated it and further
+ changes are now accepted through the usual github PR workflow.
+
+ * pam_systemd will now look for PAM userdata fields systemd.memory_max,
+ systemd.tasks_max, systemd.cpu_weight, systemd.io_weight set by
+ earlier PAM modules. The data in these fields is used to initialize
+ the session scope's resource properties. Thus external PAM modules
+ may now configure per-session limits, for example sourced from
+ external user databases.
+
+ * socket units with Accept=yes will now maintain a "refused" counter in
+ addition to the existing "accepted" counter, counting connections
+ refused due to the enforced limits.
+
+ * The "systemd-path search-binaries-default" command may now be use to
+ query the default, built-in $PATH PID 1 will pass to the services it
+ manages.
+
+ * A new unit file setting PrivateMounts= has been added. It's a boolean
+ option. If enabled the unit's processes are invoked in their own file
+ system namespace. Note that this behaviour is also implied if any
+ other file system namespacing options (such as PrivateTmp=,
+ PrivateDevices=, ProtectSystem=, …) are used. This option is hence
+ primarily useful for services that do not use any of the other file
+ system namespacing options. One such service is systemd-udevd.service
+ wher this is now used by default.
+
+ * ConditionSecurity= gained a new value "uefi-secureboot" that is true
+ when the system is booted in UEFI "secure mode".
+
+ * A new unit "system-update-pre.target" is added, which defines an
+ optional synchronization point for offline system updates, as
+ implemented by the pre-existing "system-update.target" unit. It
+ allows ordering services before the service that executes the actual
+ update process in a generic way.
+
+ Contributions from: Adam Duskett, Alan Jenkins, Alessandro Casale,
+ Alexander Kurtz, Alex Gartrell, Anssi Hannula, Arnaud Rebillout, Brian
+ J. Murrell, Bruno Vernay, Chris Lamb, Chris Lesiak, Christian Brauner,
+ Christian Hesse, Christian Rebischke, Colin Guthrie, Daniel Dao, Daniel
+ Lin, Danylo Korostil, Davide Cavalca, David Tardon, Dimitri John
+ Ledkov, Dmitriy Geels, Douglas Christman, Elia Geretto, emelenas, Emil
+ Velikov, Evgeny Vereshchagin, Felipe Sateler, Feng Sun, Filipe
+ Brandenburger, Franck Bui, futpib, Giuseppe Scrivano, Guillem Jover,
+ guixxx, Hannes Reinecke, Hans de Goede, Harald Hoyer, Henrique Dante de
+ Almeida, Hiram van Paassen, Ian Miell, Igor Gnatenko, Ivan Shapovalov,
+ Iwan Timmer, James Cowgill, Jan Janssen, Jan Synacek, Jared Kazimir,
+ Jérémy Rosen, João Paulo Rechi Vita, Joost Heitbrink, Jui-Chi Ricky
+ Liang, Jürg Billeter, Kai-Heng Feng, Karol Augustin, Kay Sievers,
+ Krzysztof Nowicki, Lauri Tirkkonen, Lennart Poettering, Leonard König,
+ Long Li, Luca Boccassi, Lucas Werkmeister, Marcel Hoppe, Marc
+ Kleine-Budde, Mario Limonciello, Martin Jansa, Martin Wilck, Mathieu
+ Malaterre, Matteo F. Vescovi, Matthew McGinn, Matthias-Christian Ott,
+ Michael Biebl, Michael Olbrich, Michael Prokop, Michal Koutný, Michal
+ Sekletar, Mike Gilbert, Mikhail Kasimov, Milan Broz, Milan Pässler,
+ Mladen Pejaković, Muhammet Kara, Nicolas Boichat, Omer Katz, Paride
+ Legovini, Paul Menzel, Paul Milliken, Pavel Hrdina, Peter A. Bigot,
+ Peter D'Hoye, Peter Hutterer, Peter Jones, Philip Sequeira, Philip
+ Withnall, Piotr Drąg, Radostin Stoyanov, Ricardo Salveti de Araujo,
+ Ronny Chevalier, Rosen Penev, Rubén Suárez Alvarez, Ryan Gonzalez,
+ Salvo Tomaselli, Sebastian Reichel, Sergey Ptashnick, Sergio Lindo
+ Mansilla, Stefan Schweter, Stephen Hemminger, Stuart Hayes, Susant
+ Sahani, Sylvain Plantefève, Thomas H. P. Andersen, Tobias Jungel,
+ Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van Mourik,
+ Yu Watanabe, Zbigniew Jędrzejewski-Szmek
+
+ — Berlin, 2018-06-22
+
+CHANGES WITH 238:
* The MemoryAccounting= unit property now defaults to on. After
discussions with the upstream control group maintainers we learnt
other forms of resource accounting (CPU, IO, IP) remain off for now,
because it's not clear yet that their impact is small enough to move
from opt-in to opt-out. We recommend downstreams to leave memory
- accounting on by default if kernel 4.14 or higher is are primarily
+ accounting on by default if kernel 4.14 or higher is primarily
used. On very resource constrained systems or when support for old
kernels is a necessity, -Dmemory-accounting-default=false can be used
to revert this change.
+ * rpm scriptlets to update the udev hwdb and rules (%udev_hwdb_update,
+ %udev_rules_update) and the journal catalog (%journal_catalog_update)
+ from the upgrade scriptlets of individual packages now do nothing.
+ Transfiletriggers have been added which will perform those updates
+ once at the end of the transaction.
+
+ Similar transfiletriggers have been added to execute any sysctl.d
+ and binfmt.d rules. Thus, it should be unnecessary to provide any
+ scriptlets to execute this configuration from package installation
+ scripts.
+
+ * systemd-sysusers gained a mode where the configuration to execute is
+ specified on the command line, but this configuration is not executed
+ directly, but instead it is merged with the configuration on disk,
+ and the result is executed. This is useful for package installation
+ scripts which want to create the user before installing any files on
+ disk (in case some of those files are owned by that user), while
+ still allowing local admin overrides.
+
+ This functionality is exposed to rpm scriptlets through a new
+ %sysusers_create_package macro. Old %sysusers_create and
+ %sysusers_create_inline macros are deprecated.
+
+ A transfiletrigger for sysusers.d configuration is now installed,
+ which means that it should be unnecessary to call systemd-sysusers from
+ package installation scripts, unless the package installs any files
+ owned by those newly-created users, in which case
+ %sysusers_create_package should be used.
+
+ * Analogous change has been done for systemd-tmpfiles: it gained a mode
+ where the command-line configuration is merged with the configuration
+ on disk. This is exposed as the new %tmpfiles_create_package macro,
+ and %tmpfiles_create is deprecated. A transfiletrigger is installed
+ for tmpfiles.d, hence it should be unnecessary to call systemd-tmpfiles
+ from package installation scripts.
+
+ * sysusers.d configuration for a user may now also specify the group
+ number, in addition to the user number ("u username 123:456"), or
+ without the user number ("u username -:456").
+
+ * Configution items for systemd-sysusers can now be specified as
+ positional arguments when the new --inline switch is used.
+
+ * The login shell of users created through sysusers.d may now be
+ specified (previously, it was always /bin/sh for root and
+ /sbin/nologin for other users).
+
+ * systemd-analyze gained a new --global switch to look at global user
+ configuration. It also gained a unit-paths verb to list the unit load
+ paths that are compiled into systemd (which can be used with
+ --systemd, --user, or --global).
+
+ * udevadm trigger gained a new --settle/-w option to wait for any
+ triggered events to finish (but just those, and not any other events
+ which are triggered meanwhile).
+
+ * The action that systemd-logind takes when the lid is closed and the
+ machine is connected to external power can now be configured using
+ HandleLidSwitchExternalPower= in logind.conf. Previously, this action
+ was determined by HandleLidSwitch=, and, for backwards compatibility,
+ is still is, if HandleLidSwitchExternalPower= is not explicitly set.
+
+ * journalctl will periodically call sd_journal_process() to make it
+ resilient against inotify queue overruns when journal files are
+ rotated very quickly.
+
+ * Two new functions in libsystemd — sd_bus_get_n_queued_read and
+ sd_bus_get_n_queued_write — may be used to check the number of
+ pending bus messages.
+
+ * systemd gained a new
+ org.freedesktop.systemd1.Manager.AttachProcessesToUnit dbus call
+ which can be used to migrate foreign processes to scope and service
+ units. The primary user for this new API is systemd itself: the
+ systemd --user instance uses this call of the systemd --system
+ instance to migrate processes if it itself gets the request to
+ migrate processes and the kernel refuses this due to access
+ restrictions. Thanks to this "systemd-run --scope --user …" works
+ again in pure cgroups v2 environments when invoked from the user
+ session scope.
+
+ * A new TemporaryFileSystem= setting can be used to mask out part of
+ the real file system tree with tmpfs mounts. This may be combined
+ with BindPaths= and BindReadOnlyPaths= to hide files or directories
+ not relevant to the unit, while still allowing some paths lower in
+ the tree to be accessed.
+
+ ProtectHome=tmpfs may now be used to hide user home and runtime
+ directories from units, in a way that is mostly equivalent to
+ "TemporaryFileSystem=/home /run/user /root".
+
+ * Non-service units are now started with KeyringMode=shared by default.
+ This means that mount and swapon and other mount tools have access
+ to keys in the main keyring.
+
+ * /sys/fs/bpf is now mounted automatically.
+
+ * QNX virtualization is now detected by systemd-detect-virt and may
+ be used in ConditionVirtualization=.
+
+ * IPAccounting= may now be enabled also for slice units.
+
+ * A new -Dsplit-bin= build configuration switch may be used to specify
+ whether bin and sbin directories are merged, or if they should be
+ included separately in $PATH and various listings of executable
+ directories. The build configuration scripts will try to autodetect
+ the proper values of -Dsplit-usr= and -Dsplit-bin= based on build
+ system, but distributions are encouraged to configure this
+ explicitly.
+
+ * A new -Dok-color= build configuration switch may be used to change
+ the colour of "OK" status messages.
+
+ * UPGRADE ISSUE: serialization of units using JoinsNamespaceOf= with
+ PrivateNetwork=yes was buggy in previous versions of systemd. This
+ means that after the upgrade and daemon-reexec, any such units must
+ be restarted.
+
+ * INCOMPATIBILITY: as announced in the NEWS for 237, systemd-tmpfiles
+ will not exclude read-only files owned by root from cleanup.
+
+ Contributions from: Alan Jenkins, Alexander F Rødseth, Alexis Jeandet,
+ Andika Triwidada, Andrei Gherzan, Ansgar Burchardt, antizealot1337,
+ Batuhan Osman Taşkaya, Beniamino Galvani, Bill Yodlowsky, Caio Marcelo
+ de Oliveira Filho, CuBiC, Daniele Medri, Daniel Mouritzen, Daniel
+ Rusek, Davide Cavalca, Dimitri John Ledkov, Douglas Christman, Evgeny
+ Vereshchagin, Faalagorn, Filipe Brandenburger, Franck Bui, futpib,
+ Giacomo Longo, Gunnar Hjalmarsson, Hans de Goede, Hermann Gausterer,
+ Iago López Galeiras, Jakub Filak, Jan Synacek, Jason A. Donenfeld,
+ Javier Martinez Canillas, Jérémy Rosen, Lennart Poettering, Lucas
+ Werkmeister, Mao Huang, Marco Gulino, Michael Biebl, Michael Vogt,
+ MilhouseVH, Neal Gompa (ニール・ゴンパ), Oleander Reis, Olof Mogren,
+ Patrick Uiterwijk, Peter Hutterer, Peter Portante, Piotr Drąg, Robert
+ Antoni Buj Gelonch, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon
+ Fowler, SjonHortensius, snorreflorre, Susant Sahani, Sylvain
+ Plantefève, Thomas Blume, Thomas Haller, Vito Caputo, Yu Watanabe,
+ Zbigniew Jędrzejewski-Szmek, Марко М. Костић (Marko M. Kostić)
+
+ — Warsaw, 2018-03-05
+
CHANGES WITH 237:
* Some keyboards come with a zoom see-saw or rocker which until now got
different from what the documentation said, and not particularly
useful, as repeated systemd-tmpfiles invocations would not be
idempotent and grow such files without bounds. With this release
- behaviour has been altered slightly, to match what the documentation
- says: lines of this type only have an effect if the indicated files
- don't exist yet, and only then the argument string is written to the
- file.
+ behaviour has been altered to match what the documentation says:
+ lines of this type only have an effect if the indicated files don't
+ exist yet, and only then the argument string is written to the file.
* FUTURE INCOMPATIBILITY: In systemd v238 we intend to slightly change
systemd-tmpfiles behaviour: previously, read-only files owned by root
systemd.service_watchdogs= for controlling the same.
* Two new "log-level" and "log-target" options for systemd-analyze were
- addded that merge the now deprecated get-log-level, set-log-level and
+ added that merge the now deprecated get-log-level, set-log-level and
get-log-target, set-log-target pairs. The deprecated options are still
understood for backwards compatibility. The two new options print the
current value when no arguments are given, and set them when a
store again, ahead of POLLHUP or POLLERR when they are removed
anyway.
- * A new document UIDS-GIDS.md has been added to the source tree, that
- documents the UID/GID range and assignment assumptions and
+ * A new document doc/UIDS-GIDS.md has been added to the source tree,
+ that documents the UID/GID range and assignment assumptions and
requirements of systemd.
* The watchdog device PID 1 will ping may now be configured through the
(domain search list).
* systemd-networkd gained support for serving IPv6 address ranges using
- the Router Advertisment protocol. The new .network configuration
+ the Router Advertisement protocol. The new .network configuration
section [IPv6Prefix] may be used to configure the ranges to
serve. This is implemented based on a new, minimal, native server
implementation of RA.
* Documentation has been added that lists all of systemd's low-level
environment variables:
- https://github.com/systemd/systemd/blob/master/ENVIRONMENT.md
+ https://github.com/systemd/systemd/blob/master/docs/ENVIRONMENT.md
* sd-daemon gained a new API sd_is_socket_sockaddr() for determining
whether a specific socket file descriptor matches a specified socket
counted multiple times, if it takes multiple references.
* sd-bus gained new API calls sd_bus_set_exit_on_disconnect() and
- sd_bus_get_exit_on_disconnect(). They may be used to to make a
+ sd_bus_get_exit_on_disconnect(). They may be used to make a
process using sd-bus automatically exit if the bus connection is
severed.
with future releases) that the components link to. This should
decrease systemd footprint both in memory during runtime and on
disk. Note that the shared library is not for public use, and is
- neither API not ABI stable, but is likely to change with every new
+ neither API nor ABI stable, but is likely to change with every new
released update. Packagers need to make sure that binaries
linking to libsystemd-shared.so are updated in step with the
library.
booted up with "systemd-nspawn -b -i", qemu-kvm or on any physical
UEFI PC. This functionality is particularly useful to easily test
local changes made to systemd in a pristine, defined environment. See
- HACKING for details.
+ doc/HACKING for details.
* configure learned the --with-support-url= option to specify the
distribution's bugtracker.
correct dequeuing of real-time signals, without losing
signal events.
- * When systemd requests a PolicyKit decision when managing
- units it will now add additional fields to the request,
- including unit name and desired operation. This enables more
- powerful PolicyKit policies, that make decisions depending
- on these parameters.
+ * When systemd requests a polkit decision when managing units it
+ will now add additional fields to the request, including unit
+ name and desired operation. This enables more powerful polkit
+ policies, that make decisions depending on these parameters.
* nspawn learnt support for .nspawn settings files, that may
accompany the image files or directories of containers, and
options and allows other programs to query the values.
* SELinux access control when enabling/disabling units is no
- longer enforced with this release. The previous
- implementation was incorrect, and a new corrected
- implementation is not yet available. As unit file operations
- are still protected via PolicyKit and D-Bus policy this is
- not a security problem. Yet, distributions which care about
- optimal SELinux support should probably not stabilize on
- this release.
+ longer enforced with this release. The previous implementation
+ was incorrect, and a new corrected implementation is not yet
+ available. As unit file operations are still protected via
+ polkit and D-Bus policy this is not a security problem. Yet,
+ distributions which care about optimal SELinux support should
+ probably not stabilize on this release.
* sd-bus gained support for matches of type "arg0has=", that
test for membership of strings in string arrays sent in bus
* systemd-importd gained support for verifying downloaded
images with gpg2 (previously only gpg1 was supported).
- * systemd-machined, systemd-logind, systemd: most bus calls
- are now accessible to unprivileged processes via
- PolicyKit. Also, systemd-logind will now allow users to kill
- their own sessions without further privileges or
- authorization.
+ * systemd-machined, systemd-logind, systemd: most bus calls are
+ now accessible to unprivileged processes via polkit. Also,
+ systemd-logind will now allow users to kill their own sessions
+ without further privileges or authorization.
* systemd-shutdownd has been removed. This service was
previously responsible for implementing scheduled shutdowns
/run/systemd/user directory that was already previously
supported, but is under the control of the user.
- * Job timeouts (i.e. time-outs on the time a job that is
+ * Job timeouts (i.e. timeouts on the time a job that is
queued stays in the run queue) can now optionally result in
immediate reboot or power-off actions (JobTimeoutAction= and
JobTimeoutRebootArgument=). This is useful on ".target"
directly from now on, again.
* Support for the new ALLOW_INTERACTIVE_AUTHORIZATION D-Bus
- message flag has been added for all of systemd's PolicyKit
- authenticated method calls has been added. In particular
- this now allows optional interactive authorization via
- PolicyKit for many of PID1's privileged operations such as
- unit file enabling and disabling.
+ message flag has been added for all of systemd's polkit
+ authenticated method calls has been added. In particular this
+ now allows optional interactive authorization via polkit for
+ many of PID1's privileged operations such as unit file
+ enabling and disabling.
* "udevadm hwdb --update" learnt a new switch "--usr" for
placing the rebuilt hardware database in /usr instead of
well as the user/group databases, which should enhance
compatibility with certain tools like grpck.
- * A number of bus APIs of PID 1 now optionally consult
- PolicyKit to permit access for otherwise unprivileged
- clients under certain conditions. Note that this currently
- doesn't support interactive authentication yet, but this is
- expected to be added eventually, too.
+ * A number of bus APIs of PID 1 now optionally consult polkit to
+ permit access for otherwise unprivileged clients under certain
+ conditions. Note that this currently doesn't support
+ interactive authentication yet, but this is expected to be
+ added eventually, too.
* /etc/machine-info now has new fields for configuring the
deployment environment of the machine, as well as the
the rest of the package. It also has been updated to work
correctly in initrds.
- * Policykit previously has been runtime optional, and is now
- also compile time optional via a configure switch.
+ * polkit previously has been runtime optional, and is now also
+ compile time optional via a configure switch.
* systemd-analyze has been reimplemented in C. Also "systemctl
dot" has moved into systemd-analyze.
user/vendor or is automatically determined from ACPI and DMI
information if possible.
- * A number of PolicyKit actions are now bound together with
- "imply" rules. This should simplify creating UIs because
- many actions will now authenticate similar ones as well.
+ * A number of polkit actions are now bound together with "imply"
+ rules. This should simplify creating UIs because many actions
+ will now authenticate similar ones as well.
* Unit files learnt a new condition ConditionACPower= which
may be used to conditionalize a unit depending on whether an
to maintain the necessary patches downstream, or find a
different solution. (Talk to us if you have questions!)
- * Various systemd components will now bypass PolicyKit checks
- for root and otherwise handle properly if PolicyKit is not
- found to be around. This should fix most issues for
- PolicyKit-less systems. Quite frankly this should have been
- this way since day one. It is absolutely our intention to
- make systemd work fine on PolicyKit-less systems, and we
- consider it a bug if something does not work as it should if
- PolicyKit is not around.
+ * Various systemd components will now bypass polkit checks for
+ root and otherwise handle properly if polkit is not found to
+ be around. This should fix most issues for polkit-less
+ systems. Quite frankly this should have been this way since
+ day one. It is absolutely our intention to make systemd work
+ fine on polkit-less systems, and we consider it a bug if
+ something does not work as it should if polkit is not around.
* For embedded systems it is now possible to build udev and
systemd without blkid and/or kmod support.
projects / thirdparty / systemd.git / blobdiff