or otherwise process uevents. Please note that this incompatibility
is not fault of systemd or udev, but caused by an incompatible kernel
change that happened back in Linux 4.12, but is becoming more and
- more visible as the new uvents are generated by more kernel drivers.
+ more visible as the new uevents are generated by more kernel drivers.
To minimize issues resulting from this kernel change (but not avoid
them entirely) starting with systemd-udevd 247 the udev "tags"
desired the location to which systemd installs its PAM stack
configuration may be changed via the -Dpamconfdir Meson option.
- * The runtime dependencies on libqrencode, libpcre2, libpwquality and
- libcryptsetup have been changed to be based on dlopen(): instead of
- regular dynamic library dependencies declared in the binary ELF
- headers, these libraries are now loaded on demand only, if they are
- available. If the libraries cannot be found the relevant operations
- will fail gracefully, or a suitable fallback logic is chosen. This is
- supposed to be useful for general purpose distributions, as it allows
- minimizing the list of dependencies the systemd packages pull in,
- permitting building of more minimal OS images, while still making use
- of these "weak" dependencies should they be installed. Since many
- package managers automatically synthesize package dependencies from
- ELF shared library dependencies, some additional manual packaging
- work has to be done now to replace those (slightly downgraded from
- "required" to "recommended" or whatever is conceptually suitable for
- the package manager). Note that this change does not alter build-time
- behaviour: as before the build-time dependencies have to be installed
- during build, even if they now are optional during runtime.
+ * The runtime dependencies on libqrencode, libpcre2, libidn/libidn2,
+ libpwquality and libcryptsetup have been changed to be based on
+ dlopen(): instead of regular dynamic library dependencies declared in
+ the binary ELF headers, these libraries are now loaded on demand
+ only, if they are available. If the libraries cannot be found the
+ relevant operations will fail gracefully, or a suitable fallback
+ logic is chosen. This is supposed to be useful for general purpose
+ distributions, as it allows minimizing the list of dependencies the
+ systemd packages pull in, permitting building of more minimal OS
+ images, while still making use of these "weak" dependencies should
+ they be installed. Since many package managers automatically
+ synthesize package dependencies from ELF shared library dependencies,
+ some additional manual packaging work has to be done now to replace
+ those (slightly downgraded from "required" to "recommended" or
+ whatever is conceptually suitable for the package manager). Note that
+ this change does not alter build-time behaviour: as before the
+ build-time dependencies have to be installed during build, even if
+ they now are optional during runtime.
* sd-event.h gained a new call sd_event_add_time_relative() for
installing timers relative to the current time. This is mostly a
convenience wrapper around the pre-existing sd_event_add_time() call
which installs absolute timers.
+ * sd-event event sources may now be placed in a new "exit-on-failure"
+ mode, which may be controlled via the new
+ sd_event_source_get_exit_on_failure() and
+ sd_event_source_set_exit_on_failure() functions. If enabled, any
+ failure returned by the event source handler functions will result in
+ exiting the event loop (unlike the default behaviour of just
+ disabling the event source but continuing with the event loop). This
+ feature is useful to set for all event sources that define "primary"
+ program behaviour (where failure should be fatal) in contrast to
+ "auxiliary" behaviour (where failure should remain local).
+
+ * Most event source types sd-event supports now accept a NULL handler
+ function, in which case the event loop is exited once the event
+ source is to be dispatched, using the userdata pointer — converted to
+ a signed integer — as exit code of the event loop. Previously this
+ was supported for IO and signal event sources already. Exit event
+ sources still do not support this (simply because it makes little
+ sense there, as the event loop is already exiting when they are
+ dispatched).
+
* A new per-unit setting RootImageOptions= has been added which allows
tweaking the mount options for any file system mounted as effect of
the RootImage= setting.
them in local timezone or UTC, or whether to show µs granularity.
* Alibaba's "pouch" container manager is now detected by
- systemd-detect-virt, ConditionVirtualization= and similar constructs.
+ systemd-detect-virt, ConditionVirtualization= and similar
+ constructs. Similar, they now also recognize IBM PowerVM machine
+ virtualization.
* systemd-nspawn has been reworked to use the /run/host/incoming/ as
place to use for propagating external mounts into the
deprecated and undocumented for 6 years. systemd started to warn
about its use 1.5 years ago. It has now been removed entirely.
- * If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for
- systemd-nspawn all system call filter violations will be logged by
- the kernel (audit). This is useful for tracking down system calls
- invoked by container payloads that are prohibited by the container's
- system call filter policy.
-
* sd-bus.h gained a new API call sd_bus_error_has_names(), which takes
a sd_bus_error struct and a list of error names, and checks if the
error matches one of these names. It's a convenience wrapper that is
* Behaviour of system call filter allow lists has changed slightly:
system calls that are contained in @known will result in a EPERM by
default, while those not contained in it result in ENOSYS. This
- should improve compatibility because known syscalls will thus be
+ should improve compatibility because known system calls will thus be
communicated as prohibited, while unknown (and thus newer ones) will
be communicated as not implemented, which hopefully has the greatest
chance of triggering the right fallback code paths in client
applications.
+ * "systemd-analyze syscall-filter" will now show two separate sections
+ at the bottom of the output: system calls known during systemd build
+ time but not included in any of the filter groups shown above, and
+ system calls defined on the local kernel but known during systemd
+ build time.
+
+ * If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for
+ systemd-nspawn all system call filter violations will be logged by
+ the kernel (audit). This is useful for tracking down system calls
+ invoked by container payloads that are prohibited by the container's
+ system call filter policy.
+
* Two new unit file settings ProtectProc= and ProcSubset= have been
added that expose the hidepid= and subset= mount options of procfs.
All processes of the unit will only see processes in /proc that are
now be marked to be independent of any underlying network interface
via the new Independent= boolean setting.
+ * systemd-networkd's Gateway= setting in .network files now accepts the
+ special values _dhcp4 and _ipv6ra to configure additional, locally
+ defined, explicit routes to the gateway acquired via DHCP or IPv6
+ Router Advertisements.
+
* systemctl gained support for two new verbs: "service-log-level" and
"service-log-target" may be used on services that implement the
generic org.freedesktop.LogControl1 D-Bus interface to dynamically
* The SystemCallErrorNumber= unit file setting now accepts the new
"kill" and "log" actions, in addition to arbitrary error number
specifications as before. If "kill" the the processes are killed on
- the event, if "log" the offending syscall is audit logged.
+ the event, if "log" the offending system call is audit logged.
* A new SystemCallLog= unit file setting has been added that accepts a
- list of syscalls that shall be logged about (audit).
+ list of system calls that shall be logged about (audit).
* The OS image dissection logic (as used by RootImage= in unit files or
systemd-nspawn's --image= switch) has gained support for identifying
will now log the thread ID in their log output. This is useful when
working with heavily threaded programs.
- * If the SYSTEMD_RDRAND enviroment variable is set to "0", systemd will
+ * If the SYSTEMD_RDRAND environment variable is set to "0", systemd will
not use the RDRAND CPU instruction. This is useful in environments
such as replay debuggers where non-deterministic behaviour is not
desirable.
- * When building systemd the Meson option
- -Dcompat-mutable-uid-boundaries may now be specified. If enabled,
- systemd reads the system UID boundaries from /etc/login.defs, instead
- of using the built-in values selected during build-time. This is an
- option to improve compatibility for upgrades from old systems. It's
- strongly recommended not to make use of this functionality on new
- systems (or even enable it during build), as it makes something
- runtime-configurable that is mostly an implementation detail of the
- OS, and permits avoidable differences in deployments that create all
- kinds of problems in the long run.
+ * The autopaging logic in systemd's various tools (such as systemctl)
+ has been updated to turn on "secure" mode in "less"
+ (i.e. $LESSECURE=1) if execution in a "sudo" environment is
+ detected. This disables invoking external programs from the pager,
+ via the pipe logic. This behaviour may be overridden via the new
+ $SYSTEMD_PAGERSECURE environment variable.
+
+ * Units which have resource limits (.service, .mount, .swap, .slice,
+ .socket, and .slice) gained new configuration settings
+ ManagedOOMSwap=, ManagedOOMMemoryPressure=, and
+ ManagedOOMMemoryPressureLimitPercent= that specify resource pressure
+ limits and optional action taken by systemd-oomd.
+
+ * A new service systemd-oomd has been added. It monitors resource
+ contention for selected parts of the unit hierarchy using the PSI
+ information reported by the kernel, and kills processes when memory
+ or swap pressure is above configured limits. This service is only
+ enabled in developer mode (see below) and should be considered a
+ preview in this release. Behaviour details and option names are
+ subject to change without the usual backwards-compatibility promises.
+
+ * A new helper oomctl has been added to introspect systemd-oomd state.
+ If also is only available in developer mode and should be considered
+ a preview without the usual backwards-compatibility promises.
+
+ * New meson option -Dcompat-mutable-uid-boundaries= has been added. If
+ enabled, systemd reads the system UID boundaries from /etc/login.defs
+ at runtime, instead of using the built-in values selected during
+ build. This is an option to improve compatibility for upgrades from
+ old systems. It's strongly recommended not to make use of this
+ functionality on new systems (or even enable it during build), as it
+ makes something runtime-configurable that is mostly an implementation
+ detail of the OS, and permits avoidable differences in deployments
+ that create all kinds of problems in the long run.
+
+ * New meson option '-Dmode=developer|release' has been added. When
+ 'developer', additional checks and features are enabled that are
+ relevant during upstream development, e.g. verification that
+ semi-automatically-generated documentation has been properly updated
+ following API changes. Those checks are considered hints for
+ developers and are not actionable in downstream builds. In addition,
+ extra features that are not ready for general consumption may be
+ enabled in developer mode. It is thus recommended to set
+ '-Dmode=release' in end-user and distro builds.
+
+ * systemd-cryptsetup gained support for processing detached LUKS
+ headers specified on the kernel command line via the header=
+ parameter of the luks.options= kernel command line option. The same
+ device/path syntax as for key files is supported for header files
+ like this.
+
+ * The "net_id" built-in of udev has been updated to ignore ACPI _SUN
+ slot index data for devices that are connected through a PCI bridge
+ where the _SUN index is associated with the bridge instead of the
+ network device itself. Previously this would create ambiguous device
+ naming if multiple network interfaces were connected to the same PCI
+ bridge. Since this is a naming scheme incompatibility on systems that
+ possess hardware like this it has been introduced as new naming
+ scheme "v247". The previous scheme can be selected via the
+ "net.naming-scheme=v245" kernel command line parameter.
+
+ * ConditionFirstBoot= semantics have been modified to be safe towards
+ abnormal system power-off during first boot. Specifically, the
+ "systemd-machine-id-commit.service" service now acts as boot
+ milestone indicating when the first boot process is sufficiently
+ complete in order to not consider the next following boot also a
+ first boot. If the system is reset before this unit is reached the
+ first time, the next boot will still be considered a first boot; once
+ it has been reached, no further boots will be considered a first
+ boot. The "first-boot-complete.target" unit now acts as official hook
+ point to order against this. If a service shall be run on every boot
+ until the first boot fully succeeds it may thus be ordered before
+ this target unit (and pull it in) and carry ConditionFirstBoot=
+ appropriately.
+
+ * bootctl's set-default and set-oneshot commands now accept the three
+ special strings "@default", "@oneshot", "@current" in place of a boot
+ entry id. These strings are resolved to the current default and
+ oneshot boot loader entry, as well as the currently booted one. Thus
+ a command "bootctl set-default @current" may be used to make the
+ currently boot menu item the new default for all subsequent boots.
+
+ * A new generic target unit "initrd-cryptsetup.target" has been added
+ that is supposed to pull in all encrypted volumes that shall be set
+ up during the initrd phase. It takes the place of "cryptsetup.target"
+ and "remote-cryptsetup.target" that exist during the host boot
+ phase. In other words, the new "initrd-cryptsetup.target" is supposed
+ to take the role for "initrd-fs.target", but for encrypted volumes.
+
+ * "systemctl edit" has been updated to show the original effective unit
+ contents in commented form in the text editor.
+
+ Contributions from: Adolfo Jayme Barrientos, afg, Alec Moskvin, Alyssa
+ Ross, Amitanand.Chikorde, Andrew Hangsleben, Anita Zhang, Ansgar
+ Burchardt, Arian van Putten, Aurelien Jarno, Axel Rasmussen, bauen1,
+ Beniamino Galvani, Benjamin Berg, Bjørn Mork, brainrom, Chandradeep
+ Dey, Charles Lee, Chris Down, Christian Göttsche, Clemens Gruber, Daan
+ De Meyer, Daniele Medri, Daniel Mack, Dan Streetman, David Tardon,
+ Dimitri John Ledkov, Dmitry Borodaenko, Elisei Roca, ErrantSpore,
+ Etienne Doms, Fabrice Fontaine, fangxiuning, Felix Riemann, Florian
+ Klink, Franck Bui, Frantisek Sumsal, George Rawlinson, germanztz,
+ Gibeom Gwon, Glen Whitney, Gogo Gogsi, Göran Uddeborg, Grant Mathews,
+ Hans de Goede, Hans Ulrich Niedermann, Haochen Tong, Harald Seiler,
+ huangyong, Hubert Kario, Ikey Doherty, Jan Chren, Jan Schlüter, Jérémy
+ Nouhaud, Joerg Behrmann, Jonathan Lebon, Juergen Hoetzel, Julien
+ Humbert, Kai-Chuan Hsieh, Kairui Song, Kamil Dudka, Kir Kolyshkin, Kyle
+ Huey, Kyle Russell, Lennart Poettering, lichangze, Luca Boccassi, Lucas
+ Werkmeister, Marc Kleine-Budde, Marco Wang, Marti Raudsepp,
+ masmullin2000, Máté Pozsgay, Matt Fenwick, Michael Biebl, Michael
+ Scherer, Michal Koutný, Michal Sekletár, Michal Suchanek, Mikael
+ Szreder, Milo Casagrande, mirabilos, Mitsuha_QuQ, mog422, Nazar
+ Vinnichuk, Nicholas Narsing, Nicolas Fella, Njibhu, nl6720, Oğuz Ersen,
+ Olivier Le Moal, Ondrej Kozina, Pass Automated Testing Suite, Pedro
+ Ruiz, Peter Hutterer, Phaedrus Leeds, PhoenixDiscord, Piotr Drąg, Plan
+ C, Renaud Métrich, Robert Marko, Ronan Pigott, Roy Chen (陳彥廷),
+ RussianNeuroMancer, Samanta Navarro, Samuel BF, scootergrisen, Steve
+ Dodd, Susant Sahani, Tobias Hunger, Tobias Kaufmann, Topi Miettinen,
+ Vito Caputo, Weblate, Wen Yang, williamvds, Yuri Chornoivan, Yu
+ Watanabe, Zbigniew Jędrzejewski-Szmek, Zmicer Turok, Дамјан
+ Георгиевски
+ – ???, 2020-10-XX
CHANGES WITH 246:
projects / thirdparty / systemd.git / blobdiff