Features:
+* expose IO accounting data on the bus, show it in systemd-run --wait and log
+ about it in the resource log message
+
+* add "systemctl purge" for flushing out configuration, state, logs, ... of a
+ unit when it is stopped
+
+* show whether a service has out-of-date configuration in "systemctl status" by
+ using mtime data of ConfigurationDirectory=.
+
+* Properly chmod() RuntimeDirectory=, StateDirectory=, LogsDirectory= and
+ CacheDirectory= when we start up and the directory isn't properly owned. In
+ particular to make DynamicUser= work
+
+* replace all uses of fgets() + LINE_MAX by read_line()
+
+* set IPAddressDeny=any on all services that shouldn't do networking (possibly
+ combined with IPAddressAllow=localhost).
+
* dissect: when we discover squashfs, don't claim we had a "writable" partition
in systemd-dissect
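Review bot: the "Properly chmod() RuntimeDirectory=, StateDirectory=, LogsDirectory= and CacheDirectory=" item mixes up mode and ownership: chmod() cannot fix a directory that "isn't properly owned", and the DynamicUser= case it cites is exactly an ownership problem (the transient UID differs from one start to the next), so the item should say the directory is chown()ed to the unit's user and group as well as chmod()ed, and that this happens at start-up before the service process is forked. Three more points on the same hunk. The "out-of-date configuration" item wants to use the mtime of ConfigurationDirectory=, but a directory's mtime only changes when entries are created, removed or renamed; editing a file in place does not touch it, so the check would have to compare the mtimes of the files inside the directory against the unit's start time to be meaningful. "systemctl purge" flushes configuration, state and logs of a stopped unit; please spell out that it is limited to the directories systemd itself created for the unit (the RuntimeDirectory=/StateDirectory=/LogsDirectory=/CacheDirectory= named in this hunk), that it does not follow symlinks out of them, and that it refuses to run while the unit is still active. Finally, "set IPAddressDeny=any on all services that shouldn't do networking" filters AF_INET/AF_INET6 traffic only, so a service that must not touch the network at all still needs RestrictAddressFamilies= to cover AF_NETLINK and friends; and the read_line() replacement for fgets() + LINE_MAX should take an explicit length bound so a hostile or corrupt input file cannot make it grow its buffer without limit.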
-* set LockPersonality= on all our services
-
* Add AddUser= setting to unit files, similar to DynamicUser=1 which however
creates a static, persistent user rather than a dynamic, transient user. We
can leverage code from sysusers.d for this.
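Review bot: the removed item "set LockPersonality= on all our services" leaves no record of whether this was completed or abandoned; the commit message should say which, and if it landed, name the units that received it. Worth remembering that LockPersonality= is enforced with seccomp, so on a build or kernel without seccomp support the setting is accepted but has no effect, which is a reason to keep a per-service audit rather than rely on the TODO entry being gone.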
diffs remain minimal (in particular: the OUI databases we import are not
sorted, and not stable)
-* set SystemCallArchitectures=native on all our services
-
* maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for
the sd-journal logging socket, and, if the timeout is set to 0, sets
O_NONBLOCK on it. That way people can control if and when to block for
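Review bot: same question for the removed "set SystemCallArchitectures=native on all our services" item: record in the commit message whether it was applied or dropped. If applied, double-check the units that spawn helpers: "native" rejects the non-native syscall ABIs (on x86-64 that means i386 and x32 binaries are terminated on their first syscall), which is the right hardening for daemons that only execute their own code but breaks any service that shells out to a 32-bit program.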
* maybe introduce gpt auto discovery for /var/tmp?
-* set ProtectSystem=strict for all our usual services.
-
* fix PrivateNetwork= so that we fall back gracefully on kernels lacking
namespacing support (similar for the other namespacing options)
* enable LockMLOCK to take a percentage value relative to physical memory
-* switch to ProtectSystem=strict for all our long-running services where that's possible
-
* Permit masking specific netlink APIs with RestrictAddressFamily=
* nspawn: start UID allocation loop from hash of container name
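Review bot: the two removed ProtectSystem=strict items ("for all our usual services" and "for all our long-running services where that's possible") were duplicates, so dropping both is right, but again the commit message should say whether strict mode actually landed or the item was abandoned. If it landed, ProtectSystem=strict mounts the whole file system hierarchy read-only apart from the API file systems (/dev, /proc, /sys), so every service that got it must declare its writable locations via StateDirectory=, LogsDirectory=, CacheDirectory=, RuntimeDirectory= or ReadWritePaths=, which ties in with the chmod()/ownership item added earlier in this patch. Unrelated nit on the unchanged context line "Permit masking specific netlink APIs": the directive is spelled RestrictAddressFamilies=, not RestrictAddressFamily=.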