Janitorial Clean-ups:
-* code cleanup: retire FOREACH_WORD_QUOTED, port to extract_first_word() loops instead
-
* replace manual readdir() loops with FOREACH_DIRENT or FOREACH_DIRENT_ALL
-* Get rid of the last strerror() invocations in favour of %m and strerror_r()
-
* Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again
Features:
-* introduce an "invocation ID" for units, that is randomly generated, and
- identifies each runtime-cycle of a unit. It should be set freshly each time
- we traverse inactive → activating/active, and should be the primary key to
- map offline data (stored in the journal) with online bus objects. Let's pass
- this as $SYSTEMD_INVOCATION_ID to services, as well as set this as xattr on
- the cgroup of a services. The former is accessible without privileges, the
- latter ensures the ID cannot be faked.
+* replace all canonicalize_file_name() invocations by chase_symlinks(), in
+ particulr those where a rootdir is relevant.
+
+* add parse_ip_port() or so, that is like safe_atou16() but checks for != 0
+
+* drop nss-myhostname in favour of nss-resolve?
+
+* drop internal dlopen() based nss-dns fallback in nss-resolve, and rely on the
+ external nsswitch.conf based one
+
+* add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and
+ then use that for the setting used in user@.service. It should be understood
+ relative to the configured default value.
-* Introduce ProtectSystem=strict for making the entire OS hierarchy read-only
- except for a select few
+* on cgroupsv2 add DelegateControllers=, to pick the precise cgroup controllers to delegate
+
+* in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us
+
+* enable LockMLOCK to take a percentage value relative to physical memory
+
+* switch to ProtectSystem=strict for all our long-running services where that's possible
+
+* If RootDirectory= is used, mount /proc, /sys, /dev into it, if not mounted yet
+
+* Permit masking specific netlink APIs with RestrictAddressFamily=
* nspawn: start UID allocation loop from hash of container name
* define gpt header bits to select volatility mode
-* nspawn: mount loopback filesystems with "discard"
-
* ProtectKernelLogs= (drops CAP_SYSLOG, add seccomp for syslog() syscall, and DeviceAllow to /dev/kmsg) in service files
* ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
-* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
+* ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
-* ProtectDevices= should also take iopl/ioperm/pciaccess away
+* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
* ProtectKeyRing= to take keyring calls away
-* ProtectControlGroups= which mounts all of /sys/fs/cgroup read-only
+* RemoveKeyRing= to remove all keyring entries of the specified user
-* ProtectKernelTunables= which mounts /sys and /proc/sys read-only
+* ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill
+ on PID 1 with the relevant signals, and makes relevant files in /sys and
+ /proc (such as the sysrq stuff) unavailable
-* RemoveKeyRing= to remove all keyring entries of the specified user
+* DeviceAllow= should also generate seccomp filters for mknod()
* Add DataDirectory=, CacheDirectory= and LogDirectory= to match
RuntimeDirectory=, and create it as necessary when starting a service, owned by the right user.
* Add BindDirectory= for allowing arbitrary, private bind mounts for services
-* Beef up RootDirectory= to use namespacing/bind mounts as soon as fs
- namespaces are enabled by the service
-
* Add RootImage= for mounting a disk image or file as root directory
-* RestrictNamespaces= or so in services (taking away the ability to create namespaces, with setns, unshare, clone)
-
* make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
* journalctl: make sure -f ends when the container indicated by -M terminates
* journald: sigbus API via a signal-handler safe function that people may call
from the SIGBUS handler
-* when using UTF8, ellipsize with "…" rather than "...", so that we can show more contents before truncating
-
* move specifier expansion from service_spawn() into load-fragment.c
* optionally, also require WATCHDOG=1 notifications during service start-up and shutdown
* PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn)
-* consider throwing a warning if a service declares it wants to be "Before=" a .device unit.
-
* there's probably something wrong with having user mounts below /sys,
as we have for debugfs. for exmaple, src/core/mount.c handles mounts
prefixed with /sys generally special.
* implement a per-service firewall based on net_cls
* Port various tools to make use of verbs.[ch], where applicable: busctl,
- bootctl, coredumpctl, hostnamectl, localectl, systemd-analyze, timedatectl
+ coredumpctl, hostnamectl, localectl, systemd-analyze, timedatectl
* hostnamectl: show root image uuid
* synchronize console access with BSD locks:
http://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html
-* as soon as we have kdbus, and sender timestamps, revisit coalescing multiple parallel daemon reloads:
+* as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads:
http://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html
* in systemctl list-unit-files: show the install value the presets would suggest for a service in a third column
* timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM
-* extract_many_words() should probably be used by a lot of code that
- currently uses FOREACH_WORD and friends. For example, most conf
- parsing callbacks should use it.
-
* merge ~/.local/share and ~/.local/lib into one similar /usr/lib and /usr/share....
* systemd.show_status= should probably have a mode where only failed
* MessageQueueMessageSize= (and suchlike) should use parse_iec_size().
-* "busctl status" works only as root on dbus1, since we cannot read
- /proc/$PID/exe
-
* implement Distribute= in socket units to allow running multiple
service instances processing the listening socket, and open this up
for ReusePort=
and passes this back to PID1 via SCM_RIGHTS. This also could be used
to allow Chown/chgrp on sockets without requiring NSS in PID 1.
-* New service property: maximum CPU runtime for a service
-
* introduce bus call FreezeUnit(s, b), as well as "systemctl freeze
$UNIT" and "systemctl thaw $UNIT" as wrappers around this. The calls
should SIGSTOP all unit processes in a loop until all processes of
error. Currently, we just ignore it and read the unit from the search
path anyway.
-* refuse boot if /etc/os-release is missing or /etc/machine-id cannot be set up
+* refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up
* btrfs raid assembly: some .device jobs stay stuck in the queue
-* make sure gdm does not use multi-user-x but the new default X configuration file, and then remove multi-user-x from systemd
-
* man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted.
* load .d/*.conf dropins for device units
message that works, but alraedy after a short tiemout
- check if we can make journalctl by default use --follow mode inside of less if called without args?
- maybe add API to send pairs of iovecs via sd_journal_send
- - journal: when writing journal auto-rotate if time jumps backwards
- journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access
- journactl: support negative filtering, i.e. FOOBAR!="waldo",
and !FOOBAR for events without FOOBAR.
- man: maybe sort directives in man pages, and take sections from --help and apply them to man too
* systemctl:
- - systemctl list-jobs - show dependencies
- add systemctl switch to dump transaction without executing it
- Add a verbose mode to "systemctl start" and friends that explains what is being done or not done
- "systemctl disable" on a static unit prints no message and does
- timer units should get the ability to trigger when:
o CLOCK_REALTIME makes jumps (TFD_TIMER_CANCEL_ON_SET)
o DST changes
- - Support 2012-02~4 as syntax for specifying the fourth to last day of the month.
- Modulate timer frequency based on battery state
* add libsystemd-password or so to query passwords during boot using the password agent logic
* currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not
* nspawn:
- - to allow "linking" of nspawn containers, extend --network-bridge= so
- that it can dynamically create bridge interfaces that are refcounted
- by the containers on them. For each group of containers to link together
- nspawn -x should support ephemeral instances of gpt images
- emulate /dev/kmsg using CUSE and turn off the syslog syscall
with seccomp. That should provide us with a useful log buffer that
- as soon as networkd has a bus interface, hook up --network-interface=,
--network-bridge= with networkd, to trigger netdev creation should an
interface be missing
- - don't copy /etc/resolv.conf from host into container unless we are in
- shared-network mode
- a nice way to boot up without machine id set, so that it is set at boot
automatically for supporting --ephemeral. Maybe hash the host machine id
together with the machine name to generate the machine id for the container
is used
* machined:
- - "machinectl list" should probably show columns for OS version and IP
- addresses
- add an API so that libvirt-lxc can inform us about network interfaces being
removed or added to an existing machine
- "machinectl migrate" or similar to copy a container from or to a
* coredump:
- save coredump in Windows/Mozilla minidump format
- - move PID 1 segfaults to /var/lib/systemd/coredump?
+ - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps
* support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting)
- maybe introduce WantsMountsFor=? Usecase:
http://lists.freedesktop.org/archives/systemd-devel/2015-January/027729.html
- recreate systemd's D-Bus private socket file on SIGUSR2
- - GC unreferenced jobs (such as .device jobs)
- move PAM code into its own binary
- when we automatically restart a service, ensure we restart its rdeps, too.
- - for services: do not set $HOME in services unless requested
- hide PAM options in fragment parser when compile time disabled
- Support --test based on current system state
- If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle().
- add reduced [Link] support to .network files
- add Scope= parsing option for [Network]
- properly handle routerless dhcp leases
- - add more attribute support for SIT tunnel
- work with non-Ethernet devices
- add support for more bond options
- dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from?
support Name=foo*|bar*|baz ?
- duplicate address check for static IPs (like ARPCHECK in network-scripts)
- allow DUID/IAID to be customized, see issue #394.
- - support configuration option for TSO (tcp segmentation offload)
- whenever uplink info changes, make DHCP server send out FORCERENEW
* networkd-wait-online:
or interface down
- some servers don't do rapid commit without a filled in IA_NA, verify
this behavior
+ - RouteTable= ?
External: