Features:
+* make use of the new statx mountid and rootmount fields in path_get_mnt_id()
+ and fd_is_mount_point()
+
+* make use of new loopback setup ioctl to setup loopback devices in one atomic
+ ioctl
+
+* nspawn: move "incoming mount" directory to /run/host, move "inaccessible"
+ nodes to /run/host, move notify socket (for sd_notify() between payload and
+ container manager)
+
+* cryptsetup: if keyfile specified in crypttab is AF_UNIX socket, connect to it
+ and read from it (like we do elsewhere with READ_FULL_FILE_CONNECT_SOCKET)
+
+* repart: support setting up dm-integrity with HMAC
+
+* add /etc/integritytab, to support dm-integrity setups. In particular those
+ with HMAC as hash function, so that we can have a protected /home without
+ encryption (leaving encryption to the individual dirs/homed).
+
+* complement root=, rootflags=, rootfstype= with rootsubdir= which allows
+ mounting a subdir of the root fs as actual root. This can be used as
+ fstype-agnostic version of btrfs' rootflags=subvol=foobar.
+
* add --copy-from and --copy-to command to systemd-dissect which copies stuff
in and out of a disk image
-* add systemd.random_seed= on the kernel cmdline, taking some hex or base64
- encoded data. During earliest boot, credit it to entropy. This is not useful
- for general purpose systems, but certainly for testing environments in VMs
- and such, as it allows us to boot up instantly with fully initialized entropy
- pool even if RNG pass-thru is not available.
-
* Support ProtectProc= or so, using: https://patchwork.kernel.org/cover/11310197/
* if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
-* warn if User=nobody is used in a unit file. It's the overflow UID after all,
- and the service might thus get access to files it really should not get
- access to on NFS and userns environments.
-
* build short web pages out of each catalog entry, build them along with man
pages, and include hyperlinks to them in the journal output
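Review bot: the new /etc/integritytab entry says HMAC is to be used so /home can be "protected" without encryption, but it does not say where the HMAC key comes from or how it is stored; the item should name the key source (a key column in integritytab analogous to the crypttab keyfile, the same AF_UNIX socket mechanism the cryptsetup entry above proposes, or similar), since without a secret key dm-integrity only detects accidental corruption, not tampering. It is also worth stating explicitly that this is integrity, not confidentiality, so "protected" is not read as encrypted. On the cryptsetup entry, connecting to an AF_UNIX socket named in crypttab and reading the key from it should say what happens if nobody is listening or the peer never closes the stream (a timeout, and whether unlocking then falls back to the password prompt), otherwise a missing key service hangs the unlock during boot. Finally, the systemd.random_seed= and User=nobody-warning items are deleted without saying whether they were implemented or dropped; the commit message should record which.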
anything like that.
* journald: do journal file writing out-of-process, with one writer process per
- client UID, so tht synthetic hash table collisions can slow down a specific
+ client UID, so that synthetic hash table collisions can slow down a specific
user's journal stream down but not the others.
* add "throttling" to sd-event event sources: optionally, when we wake up too
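Review bot: while fixing "tht" in this entry, also drop the duplicated "down" in the following, unchanged line, which still reads "can slow down a specific user's journal stream down but not the others"; the context line keeps the original wording error, and it is the same entry being touched.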
* nspawn: support time namespaces
+* systemd-firstboot: make sure to always use chase_symlinks() before
+ reading/writing files
+
* add ConditionSecurity=tpm2
* Remove any support for booting without /usr pre-mounted in the initrd entirely.
* make us use dynamically fewer deps for containers in general purpose distros:
o turn into dlopen() deps:
- - pcre2 (always) — irrelevant on Fedora, since dep by
- libselinux, but should benefit Debian
- libpwquality (always) - only relevant for homed, and maybe soon
firstboot
- elfutils (always)
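Review bot: the new systemd-firstboot chase_symlinks() item should say why it matters, so the reader knows which case to test: when firstboot operates on a --root= or --image= tree, any file it reads or writes may be a symlink whose target is an absolute path, and resolving it without chase_symlinks() would touch the host's file rather than the one inside the target tree. As written the entry reads like a general style rule rather than a path-escape fix. The removed pcre2 dlopen() sub-item is dropped without a note on whether it was done or rejected; say which in the commit message.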
this, it's useful to have one that can dump contents of them, too.
* All tools that support --root= should also learn --image= so that they can
- operate on disk images directly. Specifically: bootctl, firstboot, tmpfiles,
- sysusers, systemctl, repart, journalctl, coredumpctl.
+ operate on disk images directly. Specifically: bootctl, tmpfiles, sysusers,
+ systemctl, repart, journalctl, coredumpctl. (Already done: systemd-nspawn,
+ systemd-firstboot)
* seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out
* homed: support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
-* busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
- exists and responds.
-
* homed: maybe pre-create ~/.cache as subvol so that it can have separate quota
easily?
+* busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
+ exists and responds.
+
* when systemd-nspawn and suchlike dissect an OS image, and there are multiple
root partitions, do an strverscmp() on the partition label and boot
first. That is inspired how sd-boot figures out which kernel to boot, and
thus allows defining OS images which can be A/B updated and we default to the
newest version automatically, both in nspawn and in sd-boot
-* cryptsetup/homed: also support FIDO2 HMAC password logic for unlocking
- devices. (see: https://github.com/mjec/fido2-hmac-secret)
+* cryptsetup: support FIDO2 tokens for deriving keys (i.e. do what homed can do
+ also in plain cryptsetup)
* systemd-gpt-auto should probably set x-systemd.growfs on the mounts it
creates
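Review bot: the FIDO2 rewrite drops the only reference (https://github.com/mjec/fido2-hmac-secret) together with the "HMAC" wording, so the entry no longer records that the mechanism meant is the token's hmac-secret extension; "support FIDO2 tokens for deriving keys" on its own is ambiguous, so keep the link or name the mechanism. In the --image= item, systemd-nspawn is listed under "already done" although it was never in this list, which is explicitly about tools that support --root=; either drop nspawn from the parenthetical or reword it as "(systemd-nspawn and systemd-firstboot already support --image=)". The busctl "ping" entry is only moved below the homed ~/.cache item with no text change; a word in the commit message would keep the diff from being misread as a rewrite.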
end), in order to maximize dd'ability. Requires libfdisk work, see
https://github.com/karelzak/util-linux/issues/907
-* systemd-repart: optionally, allow specifying a path to initialize new
- partitions from, i.e. an fs image file or a source device node. This would
- then turn systemd-repart into a simple installer: with a few .repart files
- you could replicate the host system on another device. a full installer would
- then be: "systemd-repart /dev/sda && bootctl install /dev/sda &&
- systemd-firstboot --image= …"
-
* systemd-repart: MBR partition table support. Care needs to be taken regarding
Type=, so that partition definitions can sanely apply to both the GPT and the
MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types
* systemd-repart: allow disabling growing of specific partitions, or making
them (think ESP: we don't ever want to grow it, since we cannot resize vfat)
-* systemd-repart: add specifier expansion, add especifier that refers to root
- device node of current system, /usr device node, and matching verity, so that
- an installer can be made a "copy" installer of the booted OS
-
* systemd-repart: make it a static checker during early boot for existence and
absence of other partitions for trusted boot environments
-* systemd-repart: allow config of partition uuid
-
* userdb: allow username prefix searches in varlink API, allow realname and
realname substr searches in varlink API
* homed:
- when user tries to log into record signed by unrecognized key, automatically add key to our chain after polkit auth
- - hook up machined/nspawn users with a varlink user query interface
- rollback when resize fails mid-operation
- GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid)
- resize on login?
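Review bot: four items are removed in this region (systemd-repart initializing new partitions from an image or device node so it can act as a copy installer, repart specifier expansion for the root/usr/verity device nodes, configurable partition UUIDs in repart, and hooking machined/nspawn users up to a varlink user query interface) and nothing in the patch says whether they were implemented or abandoned; a TODO removal should name the implementing change. If the copy-installer entry was only partly done (say, filling a partition from a source but not the "systemd-repart /dev/sda && bootctl install /dev/sda && systemd-firstboot --image= …" flow), keep the unfinished remainder as an item rather than deleting the whole entry.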
beefing up logind to make pam session close hook synchronous and wait until
systemd --user is shut down.
- logind: maybe keep a "busy fd" as long as there's a non-released session around or the user@.service
- - maybe make automatic, read-only, time-based reflink-copies of LUKS disk images (think: time machine)
+ - maybe make automatic, read-only, time-based reflink-copies of LUKS disk
+ images (and btrfs snapshots of subvolumes) (think: time machine)
- distinguish destroy / remove (i.e. currently we can unregister a user, unregister+remove their home directory, but not just remove their home directory)
- in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl set-linger" mode work
- fingerprint authentication, pattern authentication, …
- make slice for users configurable (requires logind rework)
- logind: populate auto-login list bus property from PKCS#11 token
- when determining state of a LUKS home directory, check DM suspended sysfs file
+ - introduce API for "making room", that grows/shrinks home directory
+ according to elastic parameters, discards blocks, and removes additional snapshots. Call it
+ either from UI when disk space gets low
* introduce a new per-process uuid, similar to the boot id, the machine id, the
invocation id, that is derived from process creds, specifically a hashed
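Review bot: the new "making room" item ends mid-sentence: "Call it either from UI when disk space gets low" opens an "either ... or" with no second alternative, so the intended second trigger (and whether it runs automatically) is unknown; complete the sentence. Its second line is also far longer than the wrapping used elsewhere in this list, so rewrap it at the width of the surrounding items. The reflink-copy item now also covers btrfs snapshots of subvolumes, which is a sensible generalization; since these are meant as read-only, time-based copies, the entry should say the snapshots are to be created read-only, otherwise the "time machine" copies can be modified in place.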
- allow multiple signal handlers per signal?
- document chaining of signal handler for SIGCHLD and child handlers
- define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ...
+ - maybe support iouring as backend, so that we allow hooking read and write
+ operations instead of IO ready events into event loops. See considerations
+ here:
+ http://blog.vmsplice.net/2020/07/rethinking-event-loop-integration-for.html
* investigate endianness issues of UUID vs. GUID
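Review bot: the new sd-event item spells the kernel interface "iouring"; use "io_uring" as the kernel does, since this file gets grepped for such names. The item proposes hooking read and write operations rather than IO-readiness events into the loop, which would change the API for every sd-event consumer; the entry should say whether this is meant as an additional backend behind the existing readiness-based API (so current callers keep working) or as a new API surface.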
- journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access
- journactl: support negative filtering, i.e. FOOBAR!="waldo",
and !FOOBAR for events without FOOBAR.
- - journal: store timestamp of journal_file_set_offline() int he header,
+ - journal: store timestamp of journal_file_set_offline() in the header,
so it is possible to display when the file was last synced.
- journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again.
- journal: find a way to allow dropping history early, based on priority, other rules
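Review bot: while fixing "int he" here, also fix the neighbouring typo in the unchanged context line "journactl: support negative filtering" (should be journalctl); it is in the same hunk and the same kind of error.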
them via machined, and also watch containers coming and going.
Benefit: nspawn --ephemeral would start working nicely with the journal.
- assign MESSAGE_ID to log messages about failed services
+ - check if loop in decompress_blob_xz() is necessary
* add a test if all entries in the catalog are properly formatted.
(Adding dashes in a catalog entry currently results in the catalog entry
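Review bot: "check if loop in decompress_blob_xz() is necessary" is not actionable as written: say which loop is meant and what is suspected (for instance that the decoder already handles the condition the loop retries on), so the reader can verify the suspicion rather than rediscover it, and note whether the same question applies to the other compression backends alongside it.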
- document systemd-journal-flush.service properly
- documentation: recommend to connect the timer units of a service to the service via Also= in [Install]
- man: document the very specific env the shutdown drop-in tools live in
- - man: add more examples to man pages
+ - man: add more examples to man pages,
+ - in particular an example how to do the equivalent of switching runlevels
- man: maybe sort directives in man pages, and take sections from --help and apply them to man too
- document root=gpt-auto properly
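Review bot: the rewritten man-page item leaves a dangling comma after "add more examples to man pages," and turns its one concrete example into a nested sub-item while the surrounding entries stay flat; either fold it in as "add more examples to man pages, in particular one showing the equivalent of switching runlevels" or nest it consistently with the rest of the list. The runlevel example should also name the target-based equivalent it is meant to illustrate, so the item is not read as a request to reintroduce runlevel semantics.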