manager or system manager can be always set. It would be better to reject
them when parsing config.
-* busctl prints errors to stdout:
- busctl tree org.freedesktop.systemd1 /org/freedesktop/systemd1
-
External:
* Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
-* wiki: update journal format documentation for lz4 additions
-
Janitorial Clean-ups:
* Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again
Features:
-* homed: add homed.conf setting DefaultStorage= or so
+* add --copy-from and --copy-to command to systemd-dissect which copies stuff
+ in and out of a disk image
+
+* Support ProtectProc= or so, using: https://patchwork.kernel.org/cover/11310197/
+
+* if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
+
+* add loud warning to the logs (with catalog entry) if systemd-udev-settle is
+ pulled into the boot process
+
+* build short web pages out of each catalog entry, build them along with man
+ pages, and include hyperlinks to them in the journal output
+
+* machined: add API to acquire UID range. add API to mount/dissect loopback
+ file. Both protected by PK. Then make nspawn use these APIs to run
+ unprivileged containers. i.e. push the truly privileged bits into machined,
+ so that the client side can remain entirely unprivileged, with SUID or
+ anything like that.
+
+* journald: do journal file writing out-of-process, with one writer process per
+ client UID, so that synthetic hash table collisions can slow down a specific
+ user's journal stream down but not the others.
+
+* add "throttling" to sd-event event sources: optionally, when we wake up too
+ often for one, let's turn it off entirely for a while. Use that for the
+ /proc/self/mountinfo logic.
+
+* move our systemd-user PAM snippet to /usr/, which PAM appears to support
+ these days
+
+* nspawn: support time namespaces
+
+* systemd-firstboot: make sure to always use chase_symlinks() before
+ reading/writing files
+
+* add ConditionSecurity=tpm2
+
+* Remove any support for booting without /usr pre-mounted in the initrd entirely.
+ Update INITRD_INTERFACE.md accordingly.
+
+* pid1: Move to tracking of main pid/control pid of units per pidfd
+
+* pid1: support new clone3() fork-into-cgroup feature
+
+* pid1: also remove PID files of a service when the service starts, not just
+ when it exits
+
+* make us use dynamically fewer deps for containers in general purpose distros:
+ o turn into dlopen() deps:
+ - pcre2 (always) — irrelevant on Fedora, since dep by
+ libselinux, but should benefit Debian
+ - libpwquality (always) - only relevant for homed, and maybe soon
+ firstboot
+ - elfutils (always)
+ - p11-kit-trust (always)
+ - kmod-libs (only when called from PID 1)
+ - cryptsetup-libs (only in RootImage= handling in PID 1, but not in systemd-cryptsetup)
+ - similar: libblkid
+ - libpam (only when called from PID 1)
+ - bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are,
+ since they are so basic and our defaults)
+ o move into separate libsystemd-shared-iptables.so .so
+ - iptables-libs (only used by nspawn + networkd)
+
+* seccomp: when SystemCallArchitectures=native is set then don't install any
+ other seccomp filters for any of the other archs, in order to reduce the
+ number of seccomp filters we install needlessly.
+
+* seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can.
+ Apparently kernel performance is much better with fewer larger seccomp
+ filters than with more smaller seccomp filters.
+
+* systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum,
+ mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such
+
+* make "systemd-dissect" an official supported tool, i.e. move to /usr/bin/ and
+ provide man page. Given that we now have a tool that can generate images like
+ this, it's useful to have one that can dump contents of them, too.
+
+* All tools that support --root= should also learn --image= so that they can
+ operate on disk images directly. Specifically: bootctl, tmpfiles, sysusers,
+ systemctl, repart, journalctl, coredumpctl. (Already done: systemd-nspawn,
+ systemd-firstboot)
+
+* seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out
+
+* seccomp: don't install filters for ABIs that are masked anyway for the
+ specific service
+
+* seccomp: maybe merge all filters we install into one with that libseccomp API that allows merging.
+
+* per-service credential system. Specifically: add LoadCredential= (for loading
+ cred from file), AcquireCredential= (for asking user for cred, via
+ ask-password), PassCredential= (for passing on credential systemd itself
+ got). Then, place credentials in a per-service, immutable ramfs instance (so
+ that it cannot be swapped out), destroy after use. Also pass via keyring
+ (with graceful fallback to cover for containers). Define CredentialPath= for
+ defining subdir of /run/credentials/ where to place it. Set $CREDENTIAL_PATH
+ env var for services to the result. Also pass via fd passing (optionally).
+
+* homed: add native recovery key support. use 48 lowercase modhex characters
+ (192bit), show qr code of it, include pattern expression in user record.
+
+* homed: introduce "degraded" state for home directories that weren't cleanly
+ unmounted (use xattr we add and remove on the loop back file)
+
+* homed: during login resize fs automatically towards size goal. Specifically,
+ resize to diskSize if possible, but leave a certain amount (configured by a
+ new value diskLeaveFreeSize) of space free on the backing fs.
+
+* homed: permit multiple user record signing keys to be used locally, and pick
+ the right one for signing records automatically depending on a pre-existing
+ signature
+
+* homed: add a way to "adopt" a home directory, i.e. strip foreign signatures
+ and insert a local signature instead.
+
+* homed: as an extension to the directory+subvolume backend: if located on
+ especially marked fs, then sync down password into LUKS header of that fs,
+ and always verify passwords against it too. Bootstrapping is a problem
+ though: if no one is logged in (or no other user even exists yet), how do you
+ unlock the volume in order to create the first user and add the first pw.
+
+* homed: support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
* homed: maybe pre-create ~/.cache as subvol so that it can have separate quota
easily?
-* journalctl --image= which is like --root= but operates on disk images
+* busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
+ exists and responds.
* when systemd-nspawn and suchlike dissect an OS image, and there are multiple
root partitions, do an strverscmp() on the partition label and boot
thus allows defining OS images which can be A/B updated and we default to the
newest version automatically, both in nspawn and in sd-boot
-* drop sd_bus_message_set_priority() from sd-bus API and documentation as much
- as we can, it's a kdbus left-over and unlikely to come back on AF_UNIX, since
- it's not really implementable there.
-
-* cryptsetup/homed: also support FIDO2 HMAC password logic for unlocking
- devices. (see: https://github.com/mjec/fido2-hmac-secret)
+* cryptsetup: support FIDO2 tokens for deriving keys (i.e. do what homed can do
+ also in plain cryptsetup)
* systemd-gpt-auto should probably set x-systemd.growfs on the mounts it
creates
- teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host
- make it operate on loopback files, dissecting enough to find ESP to operate on
+* Maybe add a separate GPT partition type to the discoverable partition spec
+ for "hibernate" partitions, that are exactly like swap partitions but only
+ activated right before hibernation and thus never used for regular swapping.
+
* by default, in systemd --user service bump the OOMAdjust to 100, as privs
allow so that systemd survives
-* honour specifiers in unit files that resolve to some very basic
- /etc/os-release data, such as ID, VERSION_ID, BUILD_ID, VARIANT_ID.
-
* cryptsetup: allow encoding key directly in /etc/crypttab, maybe with a
"base64:" prefix. Useful in particular for pkcs11 mode.
* socket units: allow creating a udev monitor socket with ListenDevices= or so,
with matches, then activate app through that passing socket over
-* unify on openssl:
+* unify on openssl (as soon as OpenSSL 3.0 is out, and the Debian license
+ confusion is gone)
- port sd_id128_get_machine_app_specific() over from khash
- port resolved over from libgcrypt (DNSSEC code)
- port journald + fsprg over from libgcrypt
end), in order to maximize dd'ability. Requires libfdisk work, see
https://github.com/karelzak/util-linux/issues/907
-* systemd-repart: optionally, allow specifying a path to initialize new
- partitions from, i.e. an fs image file or a source device node. This would
- then turn systemd-repart into a simple installer: with a few .repart files
- you could replicate the host system on another device. a full installer would
- then be: "systemd-repart /dev/sda && bootctl install /dev/sda &&
- systemd-firstboot --image= …"
-
* systemd-repart: MBR partition table support. Care needs to be taken regarding
Type=, so that partition definitions can sanely apply to both the GPT and the
MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types
* systemd-repart: allow managing the gpt read-only partition flag + auto-mount flag
+* systemd-repart: allow boolean option that ensures that if existing partition
+ doesn't exist within the configured size bounds the whole command fails. This
+ is useful to implement ESP vs. XBOOTLDR schemes in installers: have one set
+ of repart files for the case where ESP is large enough and one where it isn't
+ and XBOOTLDR is added in instead. Then apply the former first, and if it
+ fails to apply use the latter.
+
+* systemd-repart: add per-partition option to never reuse existing partition
+ and always create anew even if matching partition already exists.
+
+* systemd-repart: add per-partition option to fail if partition already exist,
+ i.e. is not added new. Similar, add option to fail if partition does not exist yet.
+
+* systemd-repart: add --size=auto for generating/resizing images of minimal
+ size, i.e. where the image file is sized exactly as large as necessary taking
+ SizeMin= into account, but not a single byte larger.
+
* systemd-repart: allow disabling growing of specific partitions, or making
them (think ESP: we don't ever want to grow it, since we cannot resize vfat)
-* systemd-repart: add specifier expansion, add especifier that refers to root
- device node of current system, /usr device node, and matching verity, so that
- an installer can be made a "copy" installer of the booted OS
-
* systemd-repart: make it a static checker during early boot for existence and
absence of other partitions for trusted boot environments
-* systemd-repart: when no configuration is found, exit early do not check
- partition table, so that it is safe to run in the initrd on any system
-
-* systemd-repart: allow config of partition uuid
-
* userdb: allow username prefix searches in varlink API, allow realname and
realname substr searches in varlink API
+* userdb: allow uid/gid range checks
+
* userdb: allow existence checks
-* pid: activation by journal search expression
+* pid1: activation by journal search expression
* when switching root from initrd to host, set the machine_id env var so that
if the host has no machine ID set yet we continue to use the random one the
* systemd-firstboot: teach it dissector magic, so that you can point it to some
disk image and it will just set everything in it all behind the scenes.
-* systemd-firstboot: add --force mode that replaces existing configuration.
-
* We should probably replace /var/log/README, /etc/rc.d/README with symlinks
that are linked to these places instead of copied. After all they are
constant vendor data.
-* maybe add kernel cmdline params: 1) to force first-boot mode + 2) to force
- random seed crediting
+* maybe add kernel cmdline params: to force random seed crediting
* nspawn: on cgroupsv1 issue cgroup empty handler process based on host events,
so that we make cgroup agent logic safe
- rollback when resize fails mid-operation
- GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid)
- resize on login?
- - fstrim on logout?
- shrink fs on logout?
- update LUKS password on login if we find there's a password that unlocks the JSON record but not the LUKS device.
- create on activate?
beefing up logind to make pam session close hook synchronous and wait until
systemd --user is shut down.
- logind: maybe keep a "busy fd" as long as there's a non-released session around or the user@.service
- - maybe make automatic, read-only, time-based reflink-copies of LUKS disk images (think: time machine)
+ - maybe make automatic, read-only, time-based reflink-copies of LUKS disk
+ images (and btrfs snapshots of subvolumes) (think: time machine)
- distinguish destroy / remove (i.e. currently we can unregister a user, unregister+remove their home directory, but not just remove their home directory)
- in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl set-linger" mode work
- fingerprint authentication, pattern authentication, …
- make slice for users configurable (requires logind rework)
- logind: populate auto-login list bus property from PKCS#11 token
- when determining state of a LUKS home directory, check DM suspended sysfs file
+ - introduce API for "making room", that grows/shrinks home directory
+ according to elastic parameters, discards blocks, and removes additional snapshots. Call it
+ either from UI when disk space gets low
* introduce a new per-process uuid, similar to the boot id, the machine id, the
invocation id, that is derived from process creds, specifically a hashed
* support projid-based quota in machinectl for containers
-* maybe use SOURCE_DATE_EPOCH (i.e. the env var the reproducible builds folks
- introduced) as the RTC epoch, instead of the mtime of NEWS.
-
* add a way to lock down cgroup migration: a boolean, which when set for a unit
makes sure the processes in it can never migrate out of it
* networkd:
- add more keys to [Route] and [Address] sections
- add support for more DHCPv4 options (and, longer term, other kinds of dynamic config)
- - add proper initrd support (in particular generate .network/.link files based on /proc/cmdline)
- add reduced [Link] support to .network files
- - add Scope= parsing option for [Network]
- properly handle routerless dhcp leases
- work with non-Ethernet devices
- - add support for more bond options
- dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from?
- the DHCP lease data (such as NTP/DNS) is still made available when
a carrier is lost on a link. It should be removed instantly.
- expose in the API the following bits:
- - option 15, domain name and/or option 119, search list
+ - option 15, domain name
- option 12, hostname and/or option 81, fqdn
- option 123, 144, geolocation
- option 252, configure http proxy (PAC/wpad)
- allow Name= to be specified repeatedly in the [Match] section. Maybe also
support Name=foo*|bar*|baz ?
- duplicate address check for static IPs (like ARPCHECK in network-scripts)
- - allow DUID/IAID to be customized, see issue #394.
- whenever uplink info changes, make DHCP server send out FORCERENEW
-* networkd-wait-online:
- - make operstates to wait for configurable?
+* Figure out how to do unittests of networkd's state serialization
* dhcp:
- figure out how much we can increase Maximum Message Size
- natively watch for dbus-*.service symlinks (PENDING)
- teach dbus to activate all services it finds in /etc/systemd/services/org-*.service
-* fix alsa mixer restore to not print error when no config is stored
-
* make cryptsetup lower --iter-time
-* patch kernel for xattr support in /dev, /proc/, /sys?
-
* kernel: add device_type = "fb", "fbcon" to class "graphics"
* /usr/bin/service should actually show the new command line
* fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus=
-* fedora: F20: go timer units all the way, leave cron.daily for cron
-
* neither pkexec nor sudo initialize environ[] from the PAM environment?
* fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it