Features:
+* We should probably replace /var/log/README, /etc/rc.d/README with symlinks
+ that are linked to these places instead of copied. After all they are
+ constant vendor data.
+
+* seed: check if first-boot and then don't do anything
+
+* logind: rework pam_logind to also do a bus call in case of invocation from
+ user@.service, which returns the XDG_RUNTIME_DIR value, and make this
+ behaviour selectable via pam module option.
+
+* introduce a new per-process uuid, similar to the boot id, the machine id, the
+ invocation id, that is derived from process creds, specifically a hashed
+ combination of AT_RANDOM + getpid() + the starttime from
+ /proc/self/status. Then add these ids implicitly when logging. Deriving this
+ uuid from these three things has the benefit that it can be derived easily
+ from /proc/$PID/ in a stable, and unique way that changes on both fork() and
+ exec().
+
+* let's not GC a unit while its ratelimits are still pending
+
+* when killing due to service watchdog timeout maybe detect whether target
+ process is under ptracing and then log loudly and continue instead.
+
+* introduce a new group to own TPM devices
+
+* make rfkill uaccess controllable by default, i.e. steal rule from
+ gnome-bluetooth and friends
+
+* warn if udev rules files are marked executable (docker?)
+
* tweak journald context caching. In addition to caching per-process attributes
keyed by PID, cache per-cgroup attributes (i.e. the various xattrs we read)
keyed by cgroup path, and guarded by ctime changes. This should provide us
with a nice speed-up on services that have many processes running in the same
cgroup.
-* clean up sleep.c:
- - Use CLOCK_BOOTTIME_ALARM for waking up s2h instead of RTC ioctls
- - Parse sleep.conf only once, and parse its whole contents so that we don't
- have to parse it again and again in s2h
- - Make sure resume= and resume_offset= on the kernel cmdline always take
- precedence
-
-* maybe add a seccomp-based high-level filter that blocks creation of suid/sgid
- files.
-
* make MAINPID= message reception checks even stricter: if service uses User=,
then check sending UID and ignore message if it doesn't match the user or
root.
safe_fork() is to fork(). And then make revert the RLIMIT_NOFILE soft limit
to 1K implicitly, unless explicitly opted-out.
-* rework seccomp/nnp logic that that even if User= is used in combination with
+* rework seccomp/nnp logic that even if User= is used in combination with
a seccomp option we don't have to set NNP. For that, change uid first whil
keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap.
* bootctl,sd-boot: actually honour the "architecture" key
-* set memory.oom.group in cgroup v2 for all leaf cgroups (kernel v4.19+)
-
* add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and
usefaultd() and make systemd-analyze check for it.
* paranoia: whenever we process passwords, call mlock() on the memory
- first. i.e. look for all places we use string_erase()/string_free_erase() and
- augment them with mlock(). Also use MADV_DONTDUMP
-
-* whenever oom_kill memory.event event is triggered print a nice log message
+ first. i.e. look for all places we use free_and_erasep() and
+ augment them with mlock(). Also use MADV_DONTDUMP.
* Move RestrictAddressFamily= to the new cgroup create socket
sufficient to build a link by prefixing "http://" and suffixing the
CODE_FILE.
-* when outputting log data with journalctl and the log data includes references
- to configuration files (CONFIG_FILE=), create a clickable link for it.
-
* Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can
make clickable links from log messages carrying a MESSAGE_ID, that lead to
some explanatory text online.
selected user is resolvable in the service even if it ships its own /etc/passwd)
* Fix DECIMAL_STR_MAX or DECIMAL_STR_WIDTH. One includes a trailing NUL, the
- other doesn't. What a desaster. Probably to exclude it. Also
+ other doesn't. What a disaster. Probably to exclude it. Also
DECIMAL_STR_WIDTH should probably add an extra "-" into account for negative
numbers.
specific paths only like this.
* add CopyFile= or so as unit file setting that may be used to copy files or
- directory trees from the host to te services RootImage= and RootDirectory=
+ directory trees from the host to the services RootImage= and RootDirectory=
environment. Which we can use for /etc/machine-id and in particular
/etc/resolv.conf. Should be smart and do something useful on read-only
images, for example fallback to read-only bind mounting the file instead.
-* nspawn's console TTY should be allocated from within the container, not
- mounted in from the outside
-
* show invocation ID in systemd-run output
* bypass SIGTERM state in unit files if KillSignal is SIGKILL
* expose IO accounting data on the bus, show it in systemd-run --wait and log
about it in the resource log message
-* add "systemctl purge" for flushing out configuration, state, logs, ... of a
- unit when it is stopped
-
* show whether a service has out-of-date configuration in "systemctl status" by
using mtime data of ConfigurationDirectory=.
* PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn)
* there's probably something wrong with having user mounts below /sys,
- as we have for debugfs. for exmaple, src/core/mount.c handles mounts
+ as we have for debugfs. for example, src/core/mount.c handles mounts
prefixed with /sys generally special.
http://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html
* maybe add support for specifier expansion in user.conf, specifically DefaultEnvironment=
-* consider showing the unit names during boot up in the status output, not just the unit descriptions
-
* maybe allow timer units with an empty Units= setting, so that they
can be used for resuming the system but nothing else.
* systemctl: if some operation fails, show log output?
-* systemctl edit: use equvalent of cat() to insert existing config as a comment, prepended with #.
+* systemctl edit: use equivalent of cat() to insert existing config as a comment, prepended with #.
Upon editor exit, lines with one # are removed, lines with two # are left with one #, etc.
* exponential backoff in timesyncd when we cannot reach a server
* merge unit_kill_common() and unit_kill_context()
-* introduce ExecCondition= in services
-
* EFI:
- honor language efi variables for default language selection (if there are any?)
- honor timezone efi variables for default timezone selection (if there are any?)
- change bootctl to be backed by systemd-bootd to control temporary and persistent default boot goal plus efi variables
* bootctl
- - verify that the files boot entries point to exist
- recognize the case when not booted on EFI
- - specify paths for boot entries
* maybe do not install getty@tty1.service symlink in /etc but in /usr?
- sd-journal: speed up sd_journal_get_data() with transparent hash table in bg
- journald: when dropping msgs due to ratelimit make sure to write
"dropped %u messages" not only when we are about to print the next
- message that works, but alraedy after a short tiemout
+ message that works, but already after a short timeout
- check if we can make journalctl by default use --follow mode inside of less if called without args?
- maybe add API to send pairs of iovecs via sd_journal_send
- journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access
* support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting)
-* default to actual 32-bit PIDs, via /proc/sys/kernel/pid_max
-
* be able to specify a forced restart of service A where service B depends on, in case B
needs to be auto-respawned?