Features:
-* homed: permit multiple private keys to be used locally, and pick the right
- one for signing records automatically depending on a pre-existing signature
+* machined: add API to acquire UID range. add API to mount/dissect loopback
+ file. Both protected by PK. Then make nspawn use these APIs to run
+ unprivileged containers. i.e. push the truly privileged bits into machined,
+ so that the client side can remain entirely unprivileged, with SUID or
+ anything like that.
+
+* add "throttling" to sd-event event sources: optionally, when we wake up too
+ often for one, let's turn it off entirely for a while. Use that for the
+ /proc/self/mountinfo logic.
+
+* move our systemd-user PAM snippet to /usr/, which PAM appears to support
+ these days
+
+* nspawn: support time namespaces
+
+* pid1: Move to tracking of main pid/control pid of units per pidfd
+
+* pid1: support new clone3() fork-into-cgroup feature
+
+* pid1: also remove PID files of a service when the service starts, not just
+ when it exits
+
+* make "systemd-dissect" an official supported tool, i.e. move to /usr/bin/ and
+ provide man page. Given that we now have a tool that can generate images like
+ this, it's useful to have one that can dump contents of them, too.
+
+* All tools that support --root= should also learn --image= so that they can
+ operate on disk images directly. Specifically: bootctl, firstboot, tmpfiles,
+ sysusers, systemctl, repart, journalctl, coredumpctl.
+
+* per-service credential system. Specifically: add LoadCredential= (for loading
+ cred from file), AcquireCredential= (for asking user for cred, via
+ ask-password), PassCredential= (for passing on credential systemd itself
+ got). Then, place credentials in a per-service, immutable ramfs instance (so
+ that it cannot be swapped out), destroy after use. Also pass via keyring
+ (with graceful fallback to cover for containers). Define CredentialPath= for
+ defining subdir of /run/credentials/ where to place it. Set $CREDENTIAL_PATH
+ env var for services to the result. Also pass via fd passing (optionally).
+
+* homed: add native recovery key support. use 48 lowercase modhex characters
+ (192bit), show qr code of it, include pattern expression in user record.
+
+* homed: introduce "degraded" state for home directories that weren't cleanly
+ unmounted (use xattr we add and remove on the loop back file)
+
+* homed: during login resize fs automatically towards size goal. Specifically,
+ resize to diskSize if possible, but leave a certain amount (configured by a
+ new value diskLeaveFreeSize) of space free on the backing fs.
+
+* homed: permit multiple user record signing keys to be used locally, and pick
+ the right one for signing records automatically depending on a pre-existing
+ signature
* homed: add a way to "adopt" a home directory, i.e. strip foreign signatures
and insert a local signature instead.
+* homed: as an extension to the directory+subvolume backend: if located on
+ especially marked fs, then sync down password into LUKS header of that fs,
+ and always verify passwords against it too. Bootstrapping is a problem
+ though: if noone is logged in (or no other user even exists yet), how do you
+ unlock the volume in order to create the first user and add the first pw.
+
+* homed: support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
+
* busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
exists and responds.
-* homed: add homed.conf setting DefaultStorage= or so
-
* homed: maybe pre-create ~/.cache as subvol so that it can have separate quota
easily?
-* journalctl --image= which is like --root= but operates on disk images
-
* when systemd-nspawn and suchlike dissect an OS image, and there are multiple
root partitions, do an strverscmp() on the partition label and boot
first. That is inspired how sd-boot figures out which kernel to boot, and
* systemd-repart: make it a static checker during early boot for existence and
absence of other partitions for trusted boot environments
-* systemd-repart: when no configuration is found, exit early do not check
- partition table, so that it is safe to run in the initrd on any system
-
* systemd-repart: allow config of partition uuid
* userdb: allow username prefix searches in varlink API, allow realname and
* userdb: allow existence checks
-* pid: activation by journal search expression
+* pid1: activation by journal search expression
* when switching root from initrd to host, set the machine_id env var so that
if the host has no machine ID set yet we continue to use the random one the
that are linked to these places instead of copied. After all they are
constant vendor data.
-* maybe add kernel cmdline params: 1) to force first-boot mode + 2) to force
- random seed crediting
+* maybe add kernel cmdline params: to force random seed crediting
* nspawn: on cgroupsv1 issue cgroup empty handler process based on host events,
so that we make cgroup agent logic safe
* support projid-based quota in machinectl for containers
-* maybe use SOURCE_DATE_EPOCH (i.e. the env var the reproducible builds folks
- introduced) as the RTC epoch, instead of the mtime of NEWS.
-
* add a way to lock down cgroup migration: a boolean, which when set for a unit
makes sure the processes in it can never migrate out of it
* networkd:
- add more keys to [Route] and [Address] sections
- add support for more DHCPv4 options (and, longer term, other kinds of dynamic config)
- - add proper initrd support (in particular generate .network/.link files based on /proc/cmdline)
- add reduced [Link] support to .network files
- - add Scope= parsing option for [Network]
- properly handle routerless dhcp leases
- work with non-Ethernet devices
- - add support for more bond options
- dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from?
- the DHCP lease data (such as NTP/DNS) is still made available when
a carrier is lost on a link. It should be removed instantly.
- expose in the API the following bits:
- - option 15, domain name and/or option 119, search list
+ - option 15, domain name
- option 12, hostname and/or option 81, fqdn
- option 123, 144, geolocation
- option 252, configure http proxy (PAC/wpad)
- allow Name= to be specified repeatedly in the [Match] section. Maybe also
support Name=foo*|bar*|baz ?
- duplicate address check for static IPs (like ARPCHECK in network-scripts)
- - allow DUID/IAID to be customized, see issue #394.
- whenever uplink info changes, make DHCP server send out FORCERENEW
-* networkd-wait-online:
- - make operstates to wait for configurable?
-
* dhcp:
- figure out how much we can increase Maximum Message Size
- natively watch for dbus-*.service symlinks (PENDING)
- teach dbus to activate all services it finds in /etc/systemd/services/org-*.service
-* fix alsa mixer restore to not print error when no config is stored
-
* make cryptsetup lower --iter-time
-* patch kernel for xattr support in /dev, /proc/, /sys?
-
* kernel: add device_type = "fb", "fbcon" to class "graphics"
* /usr/bin/service should actually show the new command line
* fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus=
-* fedora: F20: go timer units all the way, leave cron.daily for cron
-
* neither pkexec nor sudo initialize environ[] from the PAM environment?
* fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it