or /efi/ hierarchies in /etc/fstab. This is to prevent the generator
from interfering with systems where the ESP is explicitly configured
to be mounted at some path, for example /boot/efi/ (this type of
- setup is obsolete but still commonly found).
+ setup is obsolete, but still commonly found).
* The behavior of systemd-sleep and systemd-homed has been updated to
freeze user sessions when entering the various sleep modes or when
embedded in the file name. The files are ordered by version and
the newest one is selected.
- systemd-nspawn --image=/--directory=, systemd-dissect, and the
- RootDirectory=, RootImage=, ExtensionImages=, and
+ systemd-nspawn --image=/--directory=, systemd-dissect, systemd-portabled,
+ and the RootDirectory=, RootImage=, ExtensionImages=, and
ExtensionDirectories= settings for units now support the vpick
protocol and allow the latest version to be selected automatically if
a "*.v/" directory is specified as the source.
- * Encrypted service credentials may now be made accessible to
+ * Encrypted service credentials can now be made accessible to
unprivileged users. systemd-creds gained new options --user/--uid=
for encrypting/decrypting a credential for a specific user.
* New command-line tool 'importctl' to download, import, and export
disk images via systemd-importd is added with the following verbs:
pull-tar, pull-raw, import-tar, import-raw, import-fs, export-tar,
- export-raw, list-transfers, cancel-transfer. This functionality was
- previously available in "machinectl", where it was exclusively for
- machine image. The new "importctl" generalizes this for sysext,
- confext, portable service images, too.
+ export-raw, list-transfers, and cancel-transfer. This functionality
+ was previously available in "machinectl", where it was used
+ exclusively for machine images. The new "importctl" generalizes this
+ for sysext, confext, and portable service images.
Service Management:
enabled by default in the initrd.
* New unit setting WantsMountsFor= has been added. It is analogous to
- RequiresMountsFor=, but with a Wants= dependency instead of
- Requires=. This new logic is used in various places where mounts were
- added as dependencies for other settings (WorkingDirectory=-…,
+ RequiresMountsFor=, but creates a Wants= dependency instead of
+ Requires=. This new logic is now used in various places where mounts
+ were added as dependencies for other settings (WorkingDirectory=-…,
PrivateTmp=yes, cryptsetup lines with 'nofail').
* New unit setting MemoryZSwapWriteback= can be used to control the new
* The manager gained a org.freedesktop.systemd1.StartAuxiliaryScope()
D-Bus method to devolve some processes from a service into a new
- scope. This new scope will remain even if the original service unit
- is restarted. Control group properties of the new scope are copied
- from the originating unit, so various limits are retained.
+ scope. This new scope will remain running, even when the original
+ service unit is restarted or stopped. This allows a service unit to
+ split out some worker processes which need to continue running.
+ Control group properties of the new scope are copied from the
+ originating unit, so various limits are retained.
* Units now expose properties EffectiveMemoryMax=,
EffectiveMemoryHigh=, and EffectiveTasksMax=, which report the
system credential.
* The systemd binary will no longer chainload sysvinit's "telinit"
- binary when called under the init/telinit name on a system that
- isn't booted with systemd. This previously has been supported to make
- sure a distribution that has both init systems installed can be
- reasonably switched from one to the other via a simple
- reboot. Distributions apparently have lost interest in this, and the
- functionality has not been supported on the primary distribution this
- was still intended for for a longer time, and hence has been removed
- now.
-
- * A new concept called "capsules" has been introduced. "Capsules"
- encapsulate additional per-user service managers, whose users are
- transient and are only defined as long as the service manager
- is running (implemented via DynamicUser=1). These service managers run
- off home directories defined in /var/lib/capsules/<name>, where
- <name> is a the capsule's name. These home directories can contain
- regular per-user services and other units. A capsule is started via a
- simple "systemctl start capsule@<name>.service". See the
- capsule@.service(5) man page for further details. Various systemd
- tools (including, and most importantly, systemctl and systemd-run)
- have been updated to interact with capsules via the new
+ binary when called under the init/telinit name on a system that isn't
+ booted with systemd. This previously has been supported to make sure
+ a distribution that has both init systems installed can reasonably
+ switch from one to the other via a simple reboot. Distributions
+ apparently have lost interest in this, and the functionality has not
+ been supported on the primary distribution this was still intended
+ for for a long time, and hence has been removed now.
+
+ * A new concept called "capsules" has been introduced. "Capsules" wrap
+ additional per-user service managers, whose users are transient and
+ are only defined as long as the service manager is running. (This is
+ implemented via DynamicUser=1), allowing a user manager to be used to
+ manager a group of processes without needing to create an actual user
+ account. These service managers run with home directories of
+ /var/lib/capsules/<capsule-name> and can contain regular services and
+ other units. A capsule is started via a simple "systemctl start
+ capsule@<name>.service". See the capsule@.service(5) man page for
+ further details.
+
+ Various systemd tools (including, and most importantly, systemctl and
+ systemd-run) have been updated to interact with capsules via the new
"--capsule="/"-C" switch.
* .socket units gained a new setting PassFileDescriptorsToExec=, taking
encapsulates are passed to the ExecStartPost=, ExecStopPre=,
ExecStopPost= using the usual $LISTEN_FDS interface. This may be used
for doing additional initializations on the sockets once they are
- allocated (for example, install an additional eBPF program on them).
+ allocated. (For example, to install an additional eBPF program on
+ them).
* The .socket setting MaxConnectionsPerSource= (which so far put a
limit on concurrent connections per IP in Accept=yes socket units),
services in a simple Accept=yes mode.
* The service manager will now maintain a counter of soft reboot cycles
- the system went through so far. It may be queried via the D-Bus APIs.
+ the system went through. It may be queried via the D-Bus APIs.
* systemd's execution logic now supports the new pidfd_spawn() API
introduced by glibc 2.39, which allows us to invoke a subprocess in a
target cgroup and get a pidfd back in a single operation.
- * systemd/PID 1 will now send an additional sd_notify() message to its
+ * systemd/PID 1 will now send an additional sd_notify() message to its
supervising VMM or container manager reporting the selected hostname
("X_SYSTEMD_HOSTNAME=") and machine ID ("X_SYSTEMD_MACHINE_ID=") at
boot. Moreover, the service manager will send additional sd_notify()
reports "ssh-access.target" being reached a VMM/container manager
knows it can now connect to the system via SSH. Finally, a new
sd_notify() message ("X_SYSTEMD_SIGNALS_LEVEL=2") is sent the moment
- PID 1 successfully completed installation of its various UNIX process
- signal handlers (i.e. the moment where SIGRTMIN+4 sent to PID 1 will
- start to have the effect of shutting down the system cleanly).
+ PID 1 has successfully completed installation of its various UNIX
+ process signal handlers (i.e. the moment where SIGRTMIN+4 sent to
+ PID 1 will start to have the effect of shutting down the system
+ cleanly).
+
+ * New D-Bus properties ExecMainHandoverTimestamp and
+ ExecMainHandoverTimestampMonotonic are now published by services of
+ type exec, dbus, notify, and notify-reload.
+ This timestamp is taken as the very last operation before executing
+ a service's binary, which allows users to accurately track when
+ execution control of the process is handed over from systemd to the
+ payload.
Journal:
* confexts are loaded by systemd-stub from the ESP as well.
- * The pcrlock policy is saved in an unencrypted credential file
- "pcrlock.<entry-token>.cred" under XBOOTLDR/ESP in the
- /loader/credentials/ directory. It will be picked up at boot by
- systemd-stub and passed to the initrd, where it can be used to unlock
- the root file system.
-
* kernel-install gained support for --root= for the 'list' verb.
- * systemd-pcrlock gained an --entry-token= option to configure the
- entry-token.
-
- * systemd-pcrlock now provides a basic Varlink interface and can be run
- as a daemon via a template unit.
-
* bootctl now provides a basic Varlink interface and can be run as a
daemon via a template unit.
for enrolling "dbx" too (Previously, only db/KEK/PK enrollment was
supported). It also now supports UEFI "Custom" mode.
+ * The pcrlock policy is saved in an unencrypted credential file
+ "pcrlock.<entry-token>.cred" under XBOOTLDR/ESP in the
+ /loader/credentials/ directory. It will be picked up at boot by
+ systemd-stub and passed to the initrd, where it can be used to unlock
+ the root file system.
+
+ * systemd-pcrlock gained an --entry-token= option to configure the
+ entry-token.
+
+ * systemd-pcrlock now provides a basic Varlink interface and can be run
+ as a daemon via a template unit.
+
+ * systemd-pcrlock's TPM nvindex access policy has been modified, this
+ means that previous pcrlock policies stored in nvindexes are
+ invalidated. They must be removed (systemd-pcrlock remove-policy) and
+ recreated (systemd-pcrlock make-policy). For the time being
+ systemd-pcrlock remains an experimental feature, but it is expected
+ to become stable in the next release, i.e. v257.
+
+ * systemd-pcrlock's --recovery-pin= switch now takes three values:
+ "hide", "show", "query". If "show" is selected the automatically
+ generated recovery PIN is shown to the user. If "query" is selected
+ then the PIN is queried from the user.
+
systemd-run/run0:
* systemd-run is now a multi-call binary. When invoked as 'run0', it
--ssh-key-type= to optionally set up transient SSH keys to pass to the
invoked VMs in order to be able to SSH into them once booted.
+ * systemd-vmspawn will now enable various "HyperV enlightenments" and
+ the "VM Generation ID" on the VMs.
+
+ * A new environment variable $SYSTEMD_VMSPAWN_QEMU_EXTRA may carry
+ additional qemu command line options to pass to qemu.
+
systemd-repart:
* systemd-repart gained new options --generate-fstab= and
sd_journal_stream_fd() but creates a log stream targeted at a
specific log namespace.
+ * The sd-id128 API gained a new API call
+ sd_id128_get_invocation_app_specific() for acquiring an app-specific
+ ID that is derived from the service invocation ID.
+
systemd-cryptsetup/systemd-cryptenroll:
+ * The device node argument to systemd-cryptenroll is now optional. If
+ omitted it will be derived automatically from the backing block
+ device of /var/ (which quite likely is the same as the root file
+ system, hence effectively means if you don't specify things otherwise
+ the tool will now default to enrolling a key into the root file
+ system's LUKS device).
+
* systemd-cryptenroll can now enroll directly with a PKCS11 public key
(instead of a certificate).
used to specify the TTY for the debug shell, independently of
enabling or disabling it.
- Contributions from: A S Alam, AKHIL KUMAR, Abraham Samuel Adekunle,
- Adrian Vovk, Adrian Wannenmacher, Alan Liang, Alberto Planas,
- Alexander Zavyalov, Anders Jonsson, Andika Triwidada, Andres Beltran,
- Andrew Sayers, Antonio Alvarez Feijoo, Arthur Zamarin, Artur Pak,
- AtariDreams, Benjamin Franzke, Bernhard M. Wiedemann, Black-Hole1,
- Bryan Jacobs, Burak Gerz, Carlos Garnacho, Chandra Pratap,
- Chris Simons, Christian Wesselhoeft, Clayton Craft, Colin Geniet,
- Colin Walters, Costa Tsaousis, Cristian Rodríguez, Daan De Meyer,
+ Contributions from: A S Alam, AKHIL KUMAR,
+ Abraham Samuel Adekunle, Adrian Vovk, Adrian Wannenmacher,
+ Alan Liang, Alberto Planas, Alexander Zavyalov, Anders Jonsson,
+ Andika Triwidada, Andres Beltran, Andrew Sayers,
+ Antonio Alvarez Feijoo, Arthur Zamarin, Artur Pak, AtariDreams,
+ Benjamin Franzke, Bernhard M. Wiedemann, Black-Hole1, Bryan Jacobs,
+ Burak Gerz, Carlos Garnacho, Chandra Pratap, Chris Simons,
+ Christian Wesselhoeft, Clayton Craft, Colin Geniet, Colin Walters,
+ Costa Tsaousis, Cristian Rodríguez, Daan De Meyer,
Damien Challet, Dan Streetman, David Tardon, David Venhoek,
Diego Viola, Dionna Amalie Glaze, Dmitry Konishchev,
Edson Juliano Drosdeck, Eisuke Kawashima, Eli Schwartz,
Emanuele Giuseppe Esposito, Eric Daigle, Evgeny Vereshchagin,
- Felix Riemann, Fernando Fernandez Mancera, Florian Schmaus, Franck Bui,
- Frantisek Sumsal, Friedrich Altheide, Gabríel Arthúr Pétursson,
- Gaël Donval, Georges Basile Stavracas Neto, Gerd Hoffmann, GNOME
- Foundation, Guilhem Lettron, Göran Uddeborg, Hans de Goede, Harald
- Brinkmann, Heinrich Schuchardt, Henry Li, Holger Assmann, Ivan Kruglov,
- Ivan Shapovalov, Jakub Sitnicki, James Muir, Jan Engelhardt, Jan Macku,
- Jeff King, JmbFountain, Joakim Nohlgård, Julius Alexandre,
- Jörg Behrmann, Keian, Kirk, Kristian Klausen, Krzesimir Nowak,
- Lars Ellenberg, Lennart Poettering, Luca Boccassi, Ludwig Nussel,
- Lukáš Nykrýn, Luxiter, Maanya Goenka, Mariano Giménez,
- Markus Merklinger, Martin Ivicic, Martin Trigaux, Martin Wilck,
+ Felix Riemann, Fernando Fernandez Mancera, Florian Schmaus,
+ Franck Bui, Frantisek Sumsal, Friedrich Altheide,
+ Gabríel Arthúr Pétursson, Gaël Donval, Georges Basile Stavracas
+ Neto, Gerd Hoffmann, GNOME Foundation, Guilhem Lettron,
+ Göran Uddeborg, Hans de Goede, Harald Brinkmann,
+ Heinrich Schuchardt, Henry Li, Holger Assmann, Ivan Kruglov,
+ Ivan Shapovalov, Jakub Sitnicki, James Muir, Jan Engelhardt,
+ Jan Macku, Jeff King, JmbFountain, Joakim Nohlgård,
+ Jonathan Conder, Julius Alexandre, Jörg Behrmann, Keian, Kirk,
+ Kristian Klausen, Krzesimir Nowak, Lars Ellenberg,
+ Lennart Poettering, Luca Boccassi, Ludwig Nussel, Lukáš Nykrýn,
+ Luxiter, Maanya Goenka, Mariano Giménez, Markus Merklinger,
+ Martin Ivicic, Martin Srebotnjak, Martin Trigaux, Martin Wilck,
Matt Layher, Matt Muggeridge, Matteo Croce, Matthias Lisin,
- Max Gautier, Max Staudt, Michael Biebl, Michal Koutný, Michal Sekletár,
- Mike Gilbert, Mike Yuan, Mikko Ylinen, MkfsSion, MrSmör,
- Nandakumar Raghavan, Nick Cao, Nick Rosbrook, Ole Peder Brandtzæg,
- Ondrej Kozina, Oğuz Ersen, Pablo Méndez Hernández, Pierre GRASSER,
+ Max Gautier, Max Staudt, MaxHearnden, Michael Biebl,
+ Michal Koutný, Michal Sekletár, Mike Gilbert, Mike Yuan,
+ Mikko Ylinen, MkfsSion, MrSmör, Nandakumar Raghavan, Nick Cao,
+ Nick Rosbrook, Norbert Lange, Ole Peder Brandtzæg, Ondrej Kozina,
+ Oğuz Ersen, Pablo Méndez Hernández, Pierre GRASSER,
Piotr Drąg, QuonXF, Rafaël Kooi, Raito Bezarius, Reid Wahl,
- Renjaya Raga Zenta, Richard Maw, Roland Hieber, Ronan Pigott, Rose,
- Ross Burton, Sam Leonard, Samuel BF, Sergei Zhmylev, Sergey A, Shulhan,
- SidhuRupinder, Sludge, Stuart Hayhurst, Susant Sahani,
- Takashi Sakamoto, Temuri Doghonadze, Thilo Fromm, Thomas Blume,
- TobiPeterG, Tomáš Pecka, Topi Miettinen, Tycho Andersen, Unique-Usman,
- Usman Akinyemi, Vasiliy Kovalev, Vasiliy Stelmachenok,
+ Renjaya Raga Zenta, Richard Maw, Roland Hieber, Ronan Pigott,
+ Rose, Ross Burton, Sam Leonard, Samuel BF, Sarvajith Adyanthaya,
+ Sergei Zhmylev, Sergey A, Shulhan, SidhuRupinder, Sludge,
+ Stuart Hayhurst, Susant Sahani, Takashi Sakamoto,
+ Temuri Doghonadze, Thilo Fromm, Thomas Blume, TobiPeterG,
+ Tobias Fleig, Tomáš Pecka, Topi Miettinen, Tycho Andersen,
+ Unique-Usman, Usman Akinyemi, Vasiliy Kovalev, Vasiliy Stelmachenok,
Vishal Chillara Srinivas, Vitaly Kuznetsov, Vito Caputo,
Vladimir Stoiakin, Werner Sembach, Will Springer, Winterhuman,
- Xiaotian Wu, Yu Watanabe, Yuri Chornoivan, Zbigniew Jędrzejewski-Szmek,
- Zmyeir, aslepykh, chenjiayi, cpackham-atlnz, cunshunxia, djantti,
- hfavisado, hulkoba, ksaleem, medusalix, mille-feuille, mkubiak, mooo,
- msizanoen, networkException, nl6720, r-vdp, runiq, samuelvw01,
- sharad3001, sushmbha, wangyuhang, zzywysm, İ. Ensar Gülşen,
- Štěpán Němec, 我超厉害, 김인수
+ Xiaotian Wu, Yu Watanabe, Yuri Chornoivan,
+ Zbigniew Jędrzejewski-Szmek, Zmyeir, aslepykh, chenjiayi,
+ cpackham-atlnz, cunshunxia, djantti, hfavisado, hulkoba, ksaleem,
+ medusalix, mille-feuille, mkubiak, mooo, msizanoen, networkException,
+ nl6720, r-vdp, runiq, samuelvw01, sharad3001, sushmbha, wangyuhang,
+ zzywysm, İ. Ensar Gülşen, Štěpán Němec, 我超厉害,
+ 김인수
— Happy Place, 2024-04-XX
projects / thirdparty / systemd.git / blobdiff