* copy.c: set the right chattrs before copying files and others after
+* Many manager configuration settings that are only applicable to user
+ manager or system manager can be always set. It would be better to reject
+ them when parsing config.
+
+* Clarify what IPAddress* matches (source, destination, both?)
+
External:
* Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
Features:
+* when we fork off generators and such, lower LIMIT_NOFILE soft limit to 1K
+
+* rework seccomp/nnp logic that that even if User= is used in combination with
+ a seccomp option we don't have to set NNP. For that, change uid first whil
+ keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap.
+
+* add a concept for automatically loading per-unit secrets off disk and
+ inserting them into the kernel keyring. Maybe SecretsDirectory= similar to
+ ConfigurationDirectory=.
+
+* systemd-gpt-auto: if we find the root dir mounted read-only and the gpt flag
+ doesn't say so generate job that remounts it writable
+
+* when no locale is configured, default to UEFI's PlatformLang variable
+
+* When logind.conf contains HandleLidSwitch=suspend-then-hibernate and we can't
+ hibernate because the swap partition isn't large enough, still suspend
+
+* bootctl: implement Type #2 boot loader entry discovery
+
+* bootctl,sd-boot: actually honour the "architecture" key
+
+* when a socket unit is spawned with an AF_UNIX path in /var/run, complain and
+ patch it to use /run instead
+
* consider splitting out all temporary file creation APIs (we have so many in
fileio.h and elsewhere!) into a new util file of its own.
-* set memory.oom.group in cgroupsv2 for all leaf cgroups
+* set memory.oom.group in cgroupsv2 for all leaf cgroups (kernel v4.19+)
+
+* add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and
+ usefaultd() and make systemd-analyze check for it.
+
+* drop umask() calls and suchlike from our generators, pid1 should set things up correctly anyway
+
+* paranoia: whenever we process passwords, call mlock() on the memory
+ first. i.e. look for all places we use string_erase()/string_free_erase() and
+ augment them with mlock()
* whenever oom_kill memory.event event is triggered print a nice log message
* support the bind/connect/sendmsg cgroup stuff for sandboxing, and possibly
patching around
+* maybe implicitly attach monotonic+realtime timestamps to outgoing messages in
+ log.c and sd-journal-send
+
* chown() tty a service is attached to after the service goes down
+* optionally: turn on cgroup delegation for per-session scope units
+
+* introduce per-unit (i.e. per-slice, per-service) journal log size limits.
+
* optionally, if a per-partition GPT flag is set for the root/home/… partitions
format the partition on next boot and unset the flag, in order to implement
factory reset. also, add a second flag that simply indicates whether such a
show state of these flags, and optionally trigger such a factory reset on
next boot by setting the flag.
-* logind: maybe watch utmp asynchronously using inotify, and populate our own
- tracked session metadata from the fields available therein. Why bother? Right
- now, all "ssh" sessions will be tracked without their TTY by logind (which is
- not just unfriendly to users as this means "loginctl session-status" shows
- less information than "who" in many cases, but also breaks the IdleAction
- logic, as we never can detect such sessions as idle, as we have no TTY to
- watch). ssh sets the PAM_TTY field on its PAM sessions to "ssh" rather than
- the actual pty, because the PAM session is opened early on for new
- connections, but the PTY only registered much later (if at all). ssh writes
- the utmp record only after a TTY is actually registered, hence we could use
- this data then, and use it if it is available. Using utmp for this is ugly of
- course, and watching things asynchronously even more so, but it should be
- good enough for the idle detection logic at least.
+* sd-boot: search drop-ins in $BOOT, too
+
+* sd-boot: add "oneshot boot timeout" variable support
+
+* sd-boot: automatically load EFI modules from some drop-in dir, so that people
+ can add in file system drivers and such
+
+* esp generator: also mount $BOOT if found
+
+* sd-boot: optionally, show boot menu when previous default boot item has
+ non-zero "tries done" count
+
+* logind: add "boot into bootmenu" API, and possibly even "boot into windows"
+ and "boot into macos".
+
+* bootspec.c: also enumerate EFI unified kernel images.
+
+* maybe set a special xattr on cgroups that have delegate=yes set, to make it
+ easy to mark cut points
+
+* introduce an option (or replacement) for "systemctl show" that outputs all
+ properties as JSON, similar to busctl's new JSON output. In contrast to that
+ it should skip the variant type string though.
+
+* augment CODE_FILE=, CODE_LINE= with something like CODE_BASE= or so which
+ contains some identifier for the project, which allows us to include
+ clickable links to source files generating these log messages. The identifier
+ could be some abberviated URL prefix or so (taking inspiration from Go
+ imports). For example, for systemd we could use
+ CODE_BASE=github.com/systemd/systemd/blob/98b0b1123cc or so which is
+ sufficient to build a link by prefixing "http://" and suffixing the
+ CODE_FILE.
+
+* when outputting log data with journalctl and the log data includes references
+ to configuration files (CONFIG_FILE=), create a clickable link for it.
+
+* Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can
+ make clickable links from log messages carrying a MESSAGE_ID, that lead to
+ some explanatory text online.
* maybe extend .path units to expose fanotify() per-mount change events
* calenderspec: add support for week numbers and day numbers within a
year. This would allow us to define "bi-weekly" triggers safely.
-* add bpf-based implementation of devices cgroup controller logic for compat
- with cgroupsv2 as supported by newest kernel
-
* sd-bus: add vtable flag, that may be used to request client creds implicitly
and asynchronously before dispatching the operation
* taint systemd if there are fewer than 65536 users assigned (userns) to the system.
-* deprecate PermissionsStartOnly= and RootDirectoryStartOnly= in favour of the ExecStart= prefix chars
+* deprecate RootDirectoryStartOnly= in favour of a new ExecStart= prefix char
* add a new RuntimeDirectoryPreserve= mode that defines a similar lifecycle for
the runtime dir as we maintain for the fdstore: i.e. keep it around as long
as the unit is running or has a job queued.
-* support projid-based quota in machinectl for containers, and then drop
- implicit btrfs loopback magic in machined
+* support projid-based quota in machinectl for containers
* Add NetworkNamespacePath= to specify a path to a network namespace
* beef up pam_systemd to take unit file settings such as cgroups properties as
parameters
-* a new "systemd-analyze security" tool outputting a checklist of security
- features a service does and does not implement
-
* maybe hook of xfs/ext4 quotactl() with services? i.e. automatically manage
the quota of a the user indicated in User= via unit file settings, like the
other resource management concepts. Would mix nicely with DynamicUser=1. Or
on PID 1 with the relevant signals, and makes relevant files in /sys and
/proc (such as the sysrq stuff) unavailable
-* DeviceAllow= should also generate seccomp filters for mknod()
-
* make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
* journalctl: make sure -f ends when the container indicated by -M terminates
* maybe add support for specifier expansion in user.conf, specifically DefaultEnvironment=
-* introduce systemd-timesync-wait.service or so to sync on an NTP fix?
-
* consider showing the unit names during boot up in the status output, not just the unit descriptions
* maybe allow timer units with an empty Units= setting, so that they
- document chaining of signal handler for SIGCHLD and child handlers
- define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ...
- generate a failure of a default event loop is executed out-of-thread
- - maybe add support for inotify events (which we can do safely now, with O_PATH)
* investigate endianness issues of UUID vs. GUID
* add a pam module that on password changes updates any LUKS slot where the password matches
-* maybe add a generator that looks for "systemd.run=" on the kernel cmdline for container usercases...
-
* test/:
- add unit tests for config_parse_device_allow()
* logind:
- logind: optionally, ignore idle-hint logic for autosuspend, block suspend as long as a session is around
- - When we update the kernel all kind of hibernation should be prohibited until shutdown/reboot
- logind: wakelock/opportunistic suspend support
- Add pretty name for seats in logind
- logind: allow showing logout dialog from system?
- - session scopes/user unit: add RequiresMountsFor for the home directory of the user
- add Suspend() bus calls which take timestamps to fix double suspend issues when somebody hits suspend and closes laptop quickly.
- if pam_systemd is invoked by su from a process that is outside of a
any session we should probably just become a NOP, since that's
"machinectl start" with a new --ephemeral switch
- "machinectl status" should also show internal logs of the container in
question
- - "machinectl list-images" should show os-release data, as well as
- machine-info data (including deployment level)
- "machinectl history"
- "machinectl diff"
- "machinectl commit" that takes a writable snapshot of a tree, invokes a
shell in it, and marks it read-only after use
-* importd:
- - generate a nice warning if mkfs.btrfs is missing
-
* cryptsetup:
- cryptsetup-generator: allow specification of passwords in crypttab itself
- support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator
* kernel: add device_type = "fb", "fbcon" to class "graphics"
-* drop accountsservice's StandardOutput=syslog and Type=dbus fields
-
* /usr/bin/service should actually show the new command line
* fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus=