systemd System and Service Manager
-CHANGES WITH 239 in spe:
+CHANGES WITH 240 in spe:
+
+ * A new service type has been added: Type=exec. It's very similar to
+ Type=simple and ensures the service manager will wait for both fork()
+ and execve() of the main service binary to complete before proceeding
+ with follow-up units. This is primarily useful so that the manager
+ propagates any errors in the preparation phase of service execution
+ back to the job that requested the unit to be started. For example,
+ consider a service that has ExecStart= set to a file system binary
+ that doesn't exist. With Type=simple starting the unit would
+ typically succeed instantly, as only fork() has to complete
+ successfully and execve() is not waited for, and hence its failure is
+ seen "too late". With the new Type=exec service type starting the
+ unit will fail, as the execve() will be waited for and will fail,
+ which is then propagated back to the start job.
+
+ NOTE: with the next release 241 of systemd we intend to change the
+ systemd-run tool to default to Type=exec for transient services
+ started by it. This should be mostly safe, but in specific corner
+ cases might result in problems, as the systemd-run tool will then
+ block on NSS calls (such as user name lookups due to User=) done
+ between the fork() and execve(), which under specific circumstances
+ might cause problems. It is recommended to specify "-p Type=simple"
+ explicitly in the few cases where this applies. For regular,
+ non-transient services (i.e. those defined with unit files on disk)
+ we will continue to default to Type=simple.
+
+ * The Linux kernel's current default RLIMIT_NOFILE resource limit for
+ userspace processes is set to 1024 (soft) and 4096
+ (hard). Previously, systemd passed this on unmodified to all
+ processes it forked off. With this systemd release the hard limit
+ systemd passes on is increased to 256K, overriding the kernel's
+ defaults and substantially increasing the number of simultaneous file
+ descriptors unprivileged userspace processes can allocate. Note that
+ the soft limit remains at 1024 for compatibility reasons: the
+ traditional UNIX select() call cannot deal with file descriptors >=
+ 1024 and increasing the soft limit globally might thus result in
+ programs unexpectedly allocating a high file descriptor and thus
+ failing abnormally when attempting to use it with select() (of
+ course, programs shouldn't use select() anymore, and prefer
+ poll()/epoll, but the call unfortunately remains undeservedly popular
+ at this time). This change reflects the fact that file descriptor
+ handling in the Linux kernel has been optimized in more recent
+ kernels and allocating large numbers of them should be much cheaper
+ both in memory and in performance than it used to be. Programs that
+ want to take benefit of the increased limit have to "opt-in" into
+ high file descriptors explicitly by setting their soft limit to the
+ hard limit during initialization. Of course, when doing that they
+ must do this acknowledging the fact that they cannot use select()
+ anymore (and neither can any shared library they use — or any shared
+ library used by any shared library they use and so on).
+
+ * The fs.nr_open and fs.file-max sysctls are now automatically bumped
+ to the highest possible values, as separate accounting of file
+ descriptors is no longer necessary, as memcg tracks them correctly as
+ part of the memory accounting anyway. Thus, from the four limits on
+ file descriptors currently enforced (fs.file-max, fs.nr_open,
+ RLIMIT_NOFILE hard, RLIMIT_NOFILE soft) we turn off the first two,
+ and keep only the latter two. A set of build-time options
+ (-Dbump-proc-sys-fs-file-max=no and -Dbump-proc-sys-fs-nr-open=no)
+ has been added to revert this change in behaviour, which might be
+ an option for systems that turn off memcg in the kernel.
+
+ * When no /etc/locale.conf file exists (and hence no locale settings
+ are in place), systemd will now use the "C.UTF-8" locale by default,
+ and set LANG= to it. This locale is supported by various
+ distributions including Fedora, with clear indications that upstream
+ glibc is going to make it available too. This locale enables UTF-8
+ mode by default, which appears appropriate for 2018.
+
+CHANGES WITH 239:
* NETWORK INTERFACE DEVICE NAMING CHANGES: systemd-udevd's "net_id"
- builtin may name network interfaces differently than in previous
- versions. SR-IOV virtual functions and NPAR partitions with PCI
- function numbers of 8 and above will be named more predictably, and
- udev may generate names based on the PCI slot number in some cases
- where it previously did not.
+ builtin will name network interfaces differently than in previous
+ versions for virtual network interfaces created with SR-IOV and NPAR
+ and for devices where the PCI network controller device does not have
+ a slot number associated.
+
+ SR-IOV virtual devices are now named based on the name of the parent
+ interface, with a suffix of "v<N>", where <N> is the virtual device
+ number. Previously those virtual devices were named as if completely
+ independent.
+
+ The ninth and later NPAR virtual devices will be named following the
+ scheme used for the first eight NPAR partitions. Previously those
+ devices were not renamed and the kernel default (eth<n>) was used.
+
+ "net_id" will also generate names for PCI devices where the PCI
+ network controller device does not have an associated slot number
+ itself, but one of its parents does. Previously those devices were
+ not renamed and the kernel default (eth<n>) was used.
* AF_INET and AF_INET6 are dropped from RestrictAddressFamilies= in
systemd-logind.service. Since v235, IPAddressDeny=any has been set to
both runtime and persistent enablement/masking, i.e. it will remove
any relevant symlinks both in /run and /etc.
+ * Note that all long-running system services shipped with systemd will
+ now default to a system call whitelist (rather than a blacklist, as
+ before). In particular, systemd-udevd will now enforce one too. For
+ most cases this should be safe, however downstream distributions
+ which disabled sandboxing of systemd-udevd (specifically the
+ MountFlags= setting), might want to disable this security feature
+ too, as the default whitelisting will prohibit all mount, swap,
+ reboot and clock changing operations from udev rules.
+
* sd-boot acquired new loader configuration settings to optionally turn
off Windows and MacOS boot partition discovery as well as
reboot-into-firmware menu items. It is also able to pick a better
* systemd-resolved.service and systemd-networkd.service now set
DynamicUser=yes. The users systemd-resolve and systemd-network are
- not created by systemd-sysusers.
+ not created by systemd-sysusers anymore.
+
+ NOTE: This has a chance of breaking nss-ldap and similar NSS modules
+ that embedd a network facing module into any process using getpwuid()
+ or related call: the dynamic allocation of the user ID for
+ systemd-resolved.service means the service manager has to check NSS
+ if the user name is already taken when forking off the service. Since
+ the user in the common case won't be defined in /etc/passwd the
+ lookup is likely to trigger nss-ldap which in turn might use NSS to
+ ask systemd-resolved for hostname lookups. This will hence result in
+ a deadlock: a user name lookup in order to start
+ systemd-resolved.service will result in a host name lookup for which
+ systemd-resolved.service needs to be started already. There are
+ multiple ways to work around this problem: pre-allocate the
+ "systemd-resolve" user on such systems, so that nss-ldap won't be
+ triggered; or use a different NSS package that doesn't do networking
+ in-process but provides a local asynchronous name cache; or configure
+ the NSS package to avoid lookups for UIDs in the range `pkg-config
+ systemd --variable=dynamicuidmin` … `pkg-config systemd
+ --variable=dynamicuidmax`, so that it does not consider itself
+ authoritative for the same UID range systemd allocates dynamic users
+ from.
* The systemd-resolve tool has been renamed to resolvectl (it also
remains available under the old name, for compatibility), and its
name following the last dash.
* Unit files and other configuration files that support specifier
- expansion now understand another two new specifiers: %T and %V will
+ expansion now understand another three new specifiers: %T and %V will
resolve to /tmp and /var/tmp respectively, or whatever temporary
- directory has been set for the calling user.
+ directory has been set for the calling user. %E will expand to either
+ /etc (for system units) or $XDG_CONFIG_HOME (for user units).
* The ExecStart= lines of unit files are no longer required to
reference absolute paths. If non-absolute paths are specified the
example, "systemd-tmpfiles --cat-config" will now output the full
list of tmpfiles.d/ lines in place.
- * timedatectl gained two new verbs "timesync-status" (to show the
- current NTP synchronization state of systemd-timesyncd) and
- "show-timesync" (to show bus properties of systemd-timesyncd).
+ * timedatectl gained three new verbs: "show" shows bus properties of
+ systemd-timedated, "timesync-status" shows the current NTP
+ synchronization state of systemd-timesyncd, and "show-timesync"
+ shows bus properties of systemd-timesyncd.
* systemd-timesyncd gained a bus interface on which it exposes details
about its state.
* New documentation has been added to document cgroups delegation,
portable services and the various code quality tools we have set up:
- https://github.com/systemd/systemd/blob/master/doc/CGROUP_DELEGATION.md
- https://github.com/systemd/systemd/blob/master/doc/PORTABLE_SERVICES.md
- https://github.com/systemd/systemd/blob/master/doc/CODE_QUALITY.md
+ https://github.com/systemd/systemd/blob/master/docs/CGROUP_DELEGATION.md
+ https://github.com/systemd/systemd/blob/master/docs/PORTABLE_SERVICES.md
+ https://github.com/systemd/systemd/blob/master/docs/CODE_QUALITY.md
+
+ * The Boot Loader Specification has been added to the source tree.
+
+ https://github.com/systemd/systemd/blob/master/docs/BOOT_LOADER_SPECIFICATION.md
+
+ While moving it into our source tree we have updated it and further
+ changes are now accepted through the usual github PR workflow.
* pam_systemd will now look for PAM userdata fields systemd.memory_max,
systemd.tasks_max, systemd.cpu_weight, systemd.io_weight set by
system namespacing options. One such service is systemd-udevd.service
wher this is now used by default.
+ * ConditionSecurity= gained a new value "uefi-secureboot" that is true
+ when the system is booted in UEFI "secure mode".
+
+ * A new unit "system-update-pre.target" is added, which defines an
+ optional synchronization point for offline system updates, as
+ implemented by the pre-existing "system-update.target" unit. It
+ allows ordering services before the service that executes the actual
+ update process in a generic way.
+
Contributions from: Adam Duskett, Alan Jenkins, Alessandro Casale,
Alexander Kurtz, Alex Gartrell, Anssi Hannula, Arnaud Rebillout, Brian
- J. Murrell, Bruno Vernay, Chris Lesiak, Christian Brauner, Christian
- Hesse, Daniel Dao, Daniel Lin, Danylo Korostil, Davide Cavalca, David
- Tardon, Dimitri John Ledkov, Dmitriy Geels, Douglas Christman, Elia
- Geretto, emelenas, Evegeny Vereshchagin, Evgeny Vereshchagin, Felipe
- Sateler, Feng Sun, Filipe Brandenburger, Franck Bui, futpib, Giuseppe
- Scrivano, Guillem Jover, guixxx, Hans de Goede, Henrique Dante de
+ J. Murrell, Bruno Vernay, Chris Lamb, Chris Lesiak, Christian Brauner,
+ Christian Hesse, Christian Rebischke, Colin Guthrie, Daniel Dao, Daniel
+ Lin, Danylo Korostil, Davide Cavalca, David Tardon, Dimitri John
+ Ledkov, Dmitriy Geels, Douglas Christman, Elia Geretto, emelenas, Emil
+ Velikov, Evgeny Vereshchagin, Felipe Sateler, Feng Sun, Filipe
+ Brandenburger, Franck Bui, futpib, Giuseppe Scrivano, Guillem Jover,
+ guixxx, Hannes Reinecke, Hans de Goede, Harald Hoyer, Henrique Dante de
Almeida, Hiram van Paassen, Ian Miell, Igor Gnatenko, Ivan Shapovalov,
- James Cowgill, Jan Janssen, Jan Synacek, Jared Kazimir, João Paulo
- Rechi Vita, Joost Heitbrink, Jui-Chi Ricky Liang, Jürg Billeter,
- Kai-Heng Feng, Karol Augustin, Krzysztof Nowicki, Lauri Tirkkonen,
- Lennart Poettering, Leonard König, Long Li, Luca Boccassi, Lucas
- Werkmeister, Marcel Hoppe, Marc Kleine-Budde, Mario Limonciello, Martin
- Jansa, Martin Wilck, Mathieu Malaterre, Matteo F. Vescovi, Matthew
- McGinn, Michael Biebl, Michael Olbrich, Michael Prokop, Michal Koutný,
- Michal Sekletar, Mike Gilbert, Mikhail Kasimov, Milan Broz, Milan
- Pässler, Muhammet Kara, Nicolas Boichat, Omer Katz, Paride Legovini,
- Paul Menzel, Paul Milliken, Pavel Hrdina, Peter A. Bigot, Peter
- Hutterer, Peter Jones, Philip Sequeira, Philip Withnall, Piotr Drąg,
- Radostin Stoyanov, Ricardo Salveti de Araujo, Rosen Penev, Rubén Suárez
- Alvarez, Ryan Gonzalez, Salvo Tomaselli, Sebastian Reichel, Sergio
- Lindo Mansilla, Stefan Schweter, Stephen Hemminger, Stuart Hayes,
- Susant Sahani, Sylvain Plantefève, Thomas H. P. Andersen, Tobias
- Jungel, Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van
- Mourik, Yu Watanabe, Zbigniew Jędrzejewski-Szmek
-
- — Berlin, 2018-06-XX
+ Iwan Timmer, James Cowgill, Jan Janssen, Jan Synacek, Jared Kazimir,
+ Jérémy Rosen, João Paulo Rechi Vita, Joost Heitbrink, Jui-Chi Ricky
+ Liang, Jürg Billeter, Kai-Heng Feng, Karol Augustin, Kay Sievers,
+ Krzysztof Nowicki, Lauri Tirkkonen, Lennart Poettering, Leonard König,
+ Long Li, Luca Boccassi, Lucas Werkmeister, Marcel Hoppe, Marc
+ Kleine-Budde, Mario Limonciello, Martin Jansa, Martin Wilck, Mathieu
+ Malaterre, Matteo F. Vescovi, Matthew McGinn, Matthias-Christian Ott,
+ Michael Biebl, Michael Olbrich, Michael Prokop, Michal Koutný, Michal
+ Sekletar, Mike Gilbert, Mikhail Kasimov, Milan Broz, Milan Pässler,
+ Mladen Pejaković, Muhammet Kara, Nicolas Boichat, Omer Katz, Paride
+ Legovini, Paul Menzel, Paul Milliken, Pavel Hrdina, Peter A. Bigot,
+ Peter D'Hoye, Peter Hutterer, Peter Jones, Philip Sequeira, Philip
+ Withnall, Piotr Drąg, Radostin Stoyanov, Ricardo Salveti de Araujo,
+ Ronny Chevalier, Rosen Penev, Rubén Suárez Alvarez, Ryan Gonzalez,
+ Salvo Tomaselli, Sebastian Reichel, Sergey Ptashnick, Sergio Lindo
+ Mansilla, Stefan Schweter, Stephen Hemminger, Stuart Hayes, Susant
+ Sahani, Sylvain Plantefève, Thomas H. P. Andersen, Tobias Jungel,
+ Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van Mourik,
+ Yu Watanabe, Zbigniew Jędrzejewski-Szmek
+
+ — Berlin, 2018-06-22
CHANGES WITH 238:
different from what the documentation said, and not particularly
useful, as repeated systemd-tmpfiles invocations would not be
idempotent and grow such files without bounds. With this release
- behaviour has been altered slightly, to match what the documentation
- says: lines of this type only have an effect if the indicated files
- don't exist yet, and only then the argument string is written to the
- file.
+ behaviour has been altered to match what the documentation says:
+ lines of this type only have an effect if the indicated files don't
+ exist yet, and only then the argument string is written to the file.
* FUTURE INCOMPATIBILITY: In systemd v238 we intend to slightly change
systemd-tmpfiles behaviour: previously, read-only files owned by root
* Documentation has been added that lists all of systemd's low-level
environment variables:
- https://github.com/systemd/systemd/blob/master/doc/ENVIRONMENT.md
+ https://github.com/systemd/systemd/blob/master/docs/ENVIRONMENT.md
* sd-daemon gained a new API sd_is_socket_sockaddr() for determining
whether a specific socket file descriptor matches a specified socket
correct dequeuing of real-time signals, without losing
signal events.
- * When systemd requests a PolicyKit decision when managing
- units it will now add additional fields to the request,
- including unit name and desired operation. This enables more
- powerful PolicyKit policies, that make decisions depending
- on these parameters.
+ * When systemd requests a polkit decision when managing units it
+ will now add additional fields to the request, including unit
+ name and desired operation. This enables more powerful polkit
+ policies, that make decisions depending on these parameters.
* nspawn learnt support for .nspawn settings files, that may
accompany the image files or directories of containers, and
options and allows other programs to query the values.
* SELinux access control when enabling/disabling units is no
- longer enforced with this release. The previous
- implementation was incorrect, and a new corrected
- implementation is not yet available. As unit file operations
- are still protected via PolicyKit and D-Bus policy this is
- not a security problem. Yet, distributions which care about
- optimal SELinux support should probably not stabilize on
- this release.
+ longer enforced with this release. The previous implementation
+ was incorrect, and a new corrected implementation is not yet
+ available. As unit file operations are still protected via
+ polkit and D-Bus policy this is not a security problem. Yet,
+ distributions which care about optimal SELinux support should
+ probably not stabilize on this release.
* sd-bus gained support for matches of type "arg0has=", that
test for membership of strings in string arrays sent in bus
* systemd-importd gained support for verifying downloaded
images with gpg2 (previously only gpg1 was supported).
- * systemd-machined, systemd-logind, systemd: most bus calls
- are now accessible to unprivileged processes via
- PolicyKit. Also, systemd-logind will now allow users to kill
- their own sessions without further privileges or
- authorization.
+ * systemd-machined, systemd-logind, systemd: most bus calls are
+ now accessible to unprivileged processes via polkit. Also,
+ systemd-logind will now allow users to kill their own sessions
+ without further privileges or authorization.
* systemd-shutdownd has been removed. This service was
previously responsible for implementing scheduled shutdowns
directly from now on, again.
* Support for the new ALLOW_INTERACTIVE_AUTHORIZATION D-Bus
- message flag has been added for all of systemd's PolicyKit
- authenticated method calls has been added. In particular
- this now allows optional interactive authorization via
- PolicyKit for many of PID1's privileged operations such as
- unit file enabling and disabling.
+ message flag has been added for all of systemd's polkit
+ authenticated method calls has been added. In particular this
+ now allows optional interactive authorization via polkit for
+ many of PID1's privileged operations such as unit file
+ enabling and disabling.
* "udevadm hwdb --update" learnt a new switch "--usr" for
placing the rebuilt hardware database in /usr instead of
well as the user/group databases, which should enhance
compatibility with certain tools like grpck.
- * A number of bus APIs of PID 1 now optionally consult
- PolicyKit to permit access for otherwise unprivileged
- clients under certain conditions. Note that this currently
- doesn't support interactive authentication yet, but this is
- expected to be added eventually, too.
+ * A number of bus APIs of PID 1 now optionally consult polkit to
+ permit access for otherwise unprivileged clients under certain
+ conditions. Note that this currently doesn't support
+ interactive authentication yet, but this is expected to be
+ added eventually, too.
* /etc/machine-info now has new fields for configuring the
deployment environment of the machine, as well as the
the rest of the package. It also has been updated to work
correctly in initrds.
- * Policykit previously has been runtime optional, and is now
- also compile time optional via a configure switch.
+ * polkit previously has been runtime optional, and is now also
+ compile time optional via a configure switch.
* systemd-analyze has been reimplemented in C. Also "systemctl
dot" has moved into systemd-analyze.
user/vendor or is automatically determined from ACPI and DMI
information if possible.
- * A number of PolicyKit actions are now bound together with
- "imply" rules. This should simplify creating UIs because
- many actions will now authenticate similar ones as well.
+ * A number of polkit actions are now bound together with "imply"
+ rules. This should simplify creating UIs because many actions
+ will now authenticate similar ones as well.
* Unit files learnt a new condition ConditionACPower= which
may be used to conditionalize a unit depending on whether an
to maintain the necessary patches downstream, or find a
different solution. (Talk to us if you have questions!)
- * Various systemd components will now bypass PolicyKit checks
- for root and otherwise handle properly if PolicyKit is not
- found to be around. This should fix most issues for
- PolicyKit-less systems. Quite frankly this should have been
- this way since day one. It is absolutely our intention to
- make systemd work fine on PolicyKit-less systems, and we
- consider it a bug if something does not work as it should if
- PolicyKit is not around.
+ * Various systemd components will now bypass polkit checks for
+ root and otherwise handle properly if polkit is not found to
+ be around. This should fix most issues for polkit-less
+ systems. Quite frankly this should have been this way since
+ day one. It is absolutely our intention to make systemd work
+ fine on polkit-less systems, and we consider it a bug if
+ something does not work as it should if polkit is not around.
* For embedded systems it is now possible to build udev and
systemd without blkid and/or kmod support.