manager or system manager can be always set. It would be better to reject
them when parsing config.
+* userdbctl: "Password OK: yes" is shown even when there are no passwords
+ or the password is locked.
+
External:
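Review bot: the added userdbctl bug entry (the two lines after "reject them when parsing config") describes what is wrong but not what the correct output is: showing "Password OK: yes" for an account with no password or a locked password tells an auditor the account is usable when it is not. Suggest the entry state that the field should report "no" (or a distinct "locked" / "none" value) in those cases so the fix has a definite target.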
* Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
Features:
-* add --copy-from and --copy-to command to systemd-dissect which copies stuff
- in and out of a disk image
+* nss-systemd: also synthesize shadow records for users/groups
+
+* nspawn: move "incoming mount" directory to /run/host, move "inaccessible"
+ nodes to /run/host, move notify socket (for sd_notify() between payload and
+ container manager)
+
+* make use of new glibc 2.32 APIs sigabbrev_np() and strerrorname_np().
+
+* cryptsetup: if keyfile specified in crypttab is AF_UNIX socket, connect to it
+ and read from it (like we do elsewhere with READ_FULL_FILE_CONNECT_SOCKET)
+
+* when main nspawn supervisor process gets suspended due to SIGSTOP/SIGTTOU or
+ so, freeze the payload too.
+
+* repart: support setting up dm-integrity with HMAC
+
+* add /etc/integritytab, to support dm-integrity setups. In particular those
+ with HMAC as hash function, so that we can have a protected /home without
+ encryption (leaving encryption to the individual dirs/homed).
+
+* complement root=, rootflags=, rootfstype= with rootsubdir= which allows
+ mounting a subdir of the root fs as actual root. This can be used as
+ fstype-agnostic version of btrfs' rootflags=subvol=foobar.
* Support ProtectProc= or so, using: https://patchwork.kernel.org/cover/11310197/
* if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
-* add loud warning to the logs (with catalog entry) if systemd-udev-settle is
- pulled into the boot process
-
* build short web pages out of each catalog entry, build them along with man
pages, and include hyperlinks to them in the journal output
* make us use dynamically fewer deps for containers in general purpose distros:
o turn into dlopen() deps:
- - pcre2 (always) — irrelevant on Fedora, since dep by
- libselinux, but should benefit Debian
- - libpwquality (always) - only relevant for homed, and maybe soon
- firstboot
+ - libidn2 (always)
- elfutils (always)
- p11-kit-trust (always)
- kmod-libs (only when called from PID 1)
- - cryptsetup-libs (only in RootImage= handling in PID 1, but not in systemd-cryptsetup)
- - similar: libblkid
+ - libblkid (only in RootImage= handling in PID 1, but not elsewhere)
- libpam (only when called from PID 1)
- bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are,
since they are so basic and our defaults)
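Review bot: the added cryptsetup item ("if keyfile specified in crypttab is AF_UNIX socket, connect to it and read from it") says nothing about which ownership or permission checks apply to the socket path, and a key read from a socket is only as trustworthy as whoever may bind that path; suggest the entry record that the socket must meet the same owner/mode expectations as a regular keyfile before it is connected to. The /etc/integritytab item has a similar gap: it names HMAC as the hash function but not where the HMAC key is kept, and dm-integrity with HMAC only detects tampering when the key lives off the medium it protects, so that constraint belongs in the entry.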
* systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum,
mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such
-* make "systemd-dissect" an official supported tool, i.e. move to /usr/bin/ and
- provide man page. Given that we now have a tool that can generate images like
- this, it's useful to have one that can dump contents of them, too.
-
* All tools that support --root= should also learn --image= so that they can
- operate on disk images directly. Specifically: bootctl, tmpfiles, sysusers,
- systemctl, repart, journalctl, coredumpctl. (Already done: systemd-nspawn,
- systemd-firstboot)
+ operate on disk images directly. Specifically: bootctl, systemctl,
+ coredumpctl. (Already done: systemd-nspawn, systemd-firstboot,
+ systemd-repart, systemd-tmpfiles, systemd-sysusers, journalctl)
* seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out
* seccomp: maybe merge all filters we install into one with that libseccomp API that allows merging.
-* per-service credential system. Specifically: add LoadCredential= (for loading
- cred from file), AcquireCredential= (for asking user for cred, via
- ask-password), PassCredential= (for passing on credential systemd itself
- got). Then, place credentials in a per-service, immutable ramfs instance (so
- that it cannot be swapped out), destroy after use. Also pass via keyring
- (with graceful fallback to cover for containers). Define CredentialPath= for
- defining subdir of /run/credentials/ where to place it. Set $CREDENTIAL_PATH
- env var for services to the result. Also pass via fd passing (optionally).
-
-* homed: add native recovery key support. use 48 lowercase modhex characters
- (192bit), show qr code of it, include pattern expression in user record.
-
-* homed: introduce "degraded" state for home directories that weren't cleanly
- unmounted (use xattr we add and remove on the loop back file)
+* credentials system:
+ - maybe add AcquireCredential= for querying a cred via ask-password
+ - maybe try to acquire creds via keyring?
+ - maybe try to pass creds via keyring?
+ - maybe optionally pass creds via memfd
+ - maybe add support for decrypting creds via TPM
+ - maybe add support for decrypting/importing creds via pkcs11
+ - make systemd-cryptsetup acquire pw via creds logic
+ - make PAMName= acquire pw via creds logic
+ - make macsec/wireguard code in networkd read key via creds logic
+ - make gatwayd/remote read key via creds logic
+ - add sd_notify() command for flushing out creds not needed anymore
* homed: during login resize fs automatically towards size goal. Specifically,
resize to diskSize if possible, but leave a certain amount (configured by a
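Review bot: the rewritten credentials entry drops the storage properties the removed text pinned down (credentials placed in a per-service, immutable ramfs instance so they cannot be swapped out, destroyed after use, exposed through $CREDENTIAL_PATH) without saying which of them were implemented; the new "maybe optionally pass creds via memfd" item in particular should state whether such a memfd is sealed and whether it keeps the non-swappable guarantee, otherwise the list reads as if those guarantees were abandoned. Minor: "gatwayd" in the remote/gatewayd item is misspelled.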
* systemd-gpt-auto should probably set x-systemd.growfs on the mounts it
creates
-* homed/userdb: distinguish passwords and recovery keys in the records, since
- we probably want to use different PBKDF algorithms/settings for them:
- passwords have low entropy but recovery keys should have good entropy key
- hence we can make them quicker to work.
-
* bootctl:
- teach it to prepare an ESP wholesale, i.e. with mkfs.vfat invocation
- teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host
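Review bot: the removed homed/userdb item on using cheaper PBKDF settings for recovery keys is dropped without a replacement, while the removed homed item earlier in this diff fixed recovery keys at 48 modhex characters (192 bit); if the distinction was implemented, the commit message should say so, because a reduced KDF cost is only safe under that entropy assumption and anyone reading the TODO later needs to know the choice was deliberate rather than forgotten.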
* systemd-repart: allow sizing partitions as factor of available RAM, so that
we can reasonably size swap partitions for hibernation.
-* systemd-repart: allow running mkfs before making partitions pop up +
- encryption via LUKS to allow booting into an empty root with only /usr mounted in
-
* systemd-repart: allow managing the gpt read-only partition flag + auto-mount flag
* systemd-repart: allow boolean option that ensures that if existing partition
* systemd-repart: add per-partition option to fail if partition already exist,
i.e. is not added new. Similar, add option to fail if partition does not exist yet.
-* systemd-repart: add --size=auto for generating/resizing images of minimal
- size, i.e. where the image file is sized exactly as large as necessary taking
- SizeMin= into account, but not a single byte larger.
-
* systemd-repart: allow disabling growing of specific partitions, or making
them (think ESP: we don't ever want to grow it, since we cannot resize vfat)
right) become genuine first class citizens, and we gain automatic, sane JSON
output for them.
-* systemd-firstboot: teach it dissector magic, so that you can point it to some
- disk image and it will just set everything in it all behind the scenes.
-
* We should probably replace /var/log/README, /etc/rc.d/README with symlinks
that are linked to these places instead of copied. After all they are
constant vendor data.
* homed:
- when user tries to log into record signed by unrecognized key, automatically add key to our chain after polkit auth
- - hook up machined/nspawn users with a varlink user query interface
- rollback when resize fails mid-operation
- GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid)
- resize on login?
- in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl set-linger" mode work
- fingerprint authentication, pattern authentication, …
- make sure "classic" user records can also be managed by homed
- - description field for groups
- make size of $XDG_RUNTIME_DIR configurable in user record
- - reuse pwquality magic in firstboot
- query password from kernel keyring first
- update even if record is "absent"
- add a "access mode" + "fstype" field to the "status" section of json identity records reflecting the actually used access mode and fstype, even on non-luks backends
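Review bot: this hunk removes "reuse pwquality magic in firstboot" from the homed list while the dlopen hunk above removes the note that libpwquality is "only relevant for homed, and maybe soon firstboot"; together they imply firstboot now uses libpwquality, which should be stated in the commit message since it changes which binaries load that library at runtime. The removal of "hook up machined/nspawn users with a varlink user query interface" likewise gives no pointer to where it was done.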
directory trees from the host to the services RootImage= and RootDirectory=
environment. Which we can use for /etc/machine-id and in particular
/etc/resolv.conf. Should be smart and do something useful on read-only
- images, for example fallback to read-only bind mounting the file instead.
+ images, for example fall back to read-only bind mounting the file instead.
* show invocation ID in systemd-run output
- allow multiple signal handlers per signal?
- document chaining of signal handler for SIGCHLD and child handlers
- define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ...
+ - maybe support iouring as backend, so that we allow hooking read and write
+ operations instead of IO ready events into event loops. See considerations
+ here:
+ http://blog.vmsplice.net/2020/07/rethinking-event-loop-integration-for.html
* investigate endianness issues of UUID vs. GUID
- journald: also get thread ID from client, plus thread name
- journal: when waiting for journal additions in the client always sleep at least 1s or so, in order to minimize wakeups
- add API to close/reopen/get fd for journal client fd in libsystemd-journal.
- - fallback to /dev/log based logging in libsystemd-journal, if we cannot log natively?
+ - fall back to /dev/log based logging in libsystemd-journal, if we cannot log natively?
- declare the local journal protocol stable in the wiki interface chart
- sd-journal: speed up sd_journal_get_data() with transparent hash table in bg
- journald: when dropping msgs due to ratelimit make sure to write
- journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access
- journactl: support negative filtering, i.e. FOOBAR!="waldo",
and !FOOBAR for events without FOOBAR.
- - journal: store timestamp of journal_file_set_offline() int he header,
+ - journal: store timestamp of journal_file_set_offline() in the header,
so it is possible to display when the file was last synced.
- journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again.
- journal: find a way to allow dropping history early, based on priority, other rules
them via machined, and also watch containers coming and going.
Benefit: nspawn --ephemeral would start working nicely with the journal.
- assign MESSAGE_ID to log messages about failed services
+ - check if loop in decompress_blob_xz() is necessary
* add a test if all entries in the catalog are properly formatted.
(Adding dashes in a catalog entry currently results in the catalog entry
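Review bot: the added "check if loop in decompress_blob_xz() is necessary" item should also cover the output bound: compressed journal blobs are untrusted input whenever a foreign journal file is read, so whatever the loop turns out to do, decompression must stay capped at the maximum output size the caller allows; suggest wording the item as a check of both the loop and the size cap.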
- document systemd-journal-flush.service properly
- documentation: recommend to connect the timer units of a service to the service via Also= in [Install]
- man: document the very specific env the shutdown drop-in tools live in
- - man: add more examples to man pages
+ - man: add more examples to man pages,
+ - in particular an example how to do the equivalent of switching runlevels
- man: maybe sort directives in man pages, and take sections from --help and apply them to man too
- document root=gpt-auto properly
- optionally automatically add FORWARD rules to iptables whenever nspawn is
running, remove them when shut down.
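Review bot: the added sub-item "in particular an example how to do the equivalent of switching runlevels" sits at the same dash level as "man: add more examples to man pages," so it reads as a separate entry rather than a refinement; suggest indenting it one level deeper and dropping the trailing comma on the parent line, which the rest of the file does not use.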
-* dissect
- - refuse mounting over a mount point
- - automatically discover .roothash files in dissect, similarly to nspawn
-
* machined:
- add an API so that libvirt-lxc can inform us about network interfaces being
removed or added to an existing machine
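Review bot: the removed dissect items include "refuse mounting over a mount point", which is a safety check rather than a feature, and "automatically discover .roothash files in dissect, similarly to nspawn", which is what lets a dissected image be verified the way nspawn verifies it; the diff gives no indication whether either was implemented or dropped. Suggest the commit message name the commits that closed these two items so the TODO history shows the checks exist.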