X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=NEWS;h=1f187c895babef16f927b5a6147c5e1ba9ca02f8;hb=19632f6dbb6697182c95f719055a883df7fb8569;hp=ba69ec02b23acb99431a2ca3e8d638850f221253;hpb=95cde1ed2412d48ca8a685b9000155f148caec1b;p=thirdparty%2Fsystemd.git diff --git a/NEWS b/NEWS index ba69ec02b23..1f187c895ba 100644 --- a/NEWS +++ b/NEWS 
@@ -1,6 +1,136 @@ systemd System and Service Manager -CHANGES WITH 240 in spe: +CHANGES WITH 241 in spe: + + * The default locale can now be configured at compile time. Otherwise, + a suitable default will be selected automatically (one of C.UTF-8, + en_US.UTF-8, and C). + + * The version string shown by systemd and other tools now includes the + git commit hash when built from git. An override may be specified + during compilation, which is intended to be used by distributions to + include the package release information. + + * systemd-cat can now filter standard input and standard error streams + for different syslog priorities using the new --stderr-priority= + option. + + * systemd-journald and systemd-journal-remote reject entries which + contain too many fields (CVE-2018-16865) and set limits on the + process' command line length (CVE-2018-16864). + + * $DBUS_SESSION_BUS_ADDRESS environment variable is set by pam_systemd + again. + + * A new network device NamePolicy "keep" is implemented for link files, + and used by default in 99-default.link (the fallback configuration + provided by systemd). With this policy, if the network device name + was already set by userspace, the device will not be renamed again. + This matches the naming scheme that was implemented before + systemd-240. If naming-scheme < 240 is specified, the "keep" policy + is also enabled by default, even if not specified. Effectively, this + means that if naming-scheme >= 240 is specified, network devices will + be renamed according to the configuration, even if they have been + renamed already, if "keep" is not specified as the naming policy in + the .link file. The 99-default.link file provided by systemd includes + "keep" for backwards compatibility, but it is recommended for user + installed .link files to *not* include it. + + The "kernel" policy, which keeps kernel names declared to be + "persistent", now works again as documented. 
+ + * kernel-install script now optionally takes the paths to one or more + initrd files, and passes them to all plugins. + + * The mincore() system call has been dropped from the @system-service + system call filter group, as it is pretty exotic and may potentially + used for side-channel attacks. + + * -fPIE is dropped from compiler and linker options. Please specify + -Db_pie=true option to meson to build position-independent + executables. Note that the meson option is supported since meson-0.49. + + * The fs.protected_regular and fs.protected_fifos sysctls, which were + added in Linux 4.19 to make some data spoofing attacks harder, are + now enabled by default. While this will hopefully improve the + security of most installations, it is technically a backwards + incompatible change; to disable these sysctls again, place the + following lines in /etc/sysctl.d/60-protected.conf or a similar file: + + fs.protected_regular = 0 + fs.protected_fifos = 0 + + Note that the similar hardlink and symlink protection has been + enabled since v199, and may be disabled likewise. + + * The files read from the EnvironmentFile= setting in unit files now + parse backslashes inside quotes literally, matching the behaviour of + POSIX shells. + + * udevadm trigger, udevadm control, udevadm settle and udevadm monitor + now automatically become NOPs when run in a chroot() environment. + + * The tmpfiles.d/ "C" line type will now copy directory trees not only + when the destination is so far missing, but also if it already exists + as a directory and is empty. This is useful to cater for systems + where directory trees are put together from multiple separate mount + points but otherwise empty. + + * A new function sd_bus_close_unref() (and the associated + sd_bus_close_unrefp()) has been added to libsystemd, that combines + sd_bus_close() and sd_bus_unref() in one. 
+ + * udevadm control learnt a new option for --ping for testing whether a + systemd-udevd instance is running and reacting. + + Contributions from: Aaron Plattner, Alex Mayer, Ayman Bagabas, + Beniamino Galvani, bl33pbl0p, Burt P, Chris Down, Chris Lamb, Chris + Morin, Claudius Ellsel, dana, Daniel Axtens, Daniele Medri, Dave + Reisner, dcanuhe, Dimitri John Ledkov, Evgeny Vereshchagin, Fabrice + Fontaine, Filipe Brandenburger, Franck Bui, Frantisek Sumsal, howl, + ikelos, James Hilliard, Jani Uusitalo, Jan Janssen, Jonathan Roemer, + Jonathon Kowalski, Joost Heitbrink, Jörg Thalheim, Lennart Poettering, + Louis Taylor, Lucas Werkmeister, Marc-Antoine Perennou, marvelousblack, + Michael Biebl, Michael Sloan, Michal Sekletar, Mike Auty, Mike Gilbert, + Mikhail Kasimov, Niklas Hambüchen, Patrick Williams, Paul Seyfert, + Philip Withnall, rogerjames99, Ronnie P. Thomas, Ryan Gonzalez, Sam + Morris, Susant Sahani, Taro Yamada, Thomas Haller, Topi Miettinen, + YunQiang Su, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, zsergeant77 + + — Berlin, 2018-XX-XX + +CHANGES WITH 240: + + * NoNewPrivileges=yes has been set for all long-running services + implemented by systemd. Previously, this was problematic due to + SELinux (as this would also prohibit the transition from PID1's label + to the service's label). This restriction has since been lifted, but + an SELinux policy update is required. + (See e.g. https://github.com/fedora-selinux/selinux-policy/pull/234.) + + * DynamicUser=yes is dropped from systemd-networkd.service, + systemd-resolved.service and systemd-timesyncd.service, which was + enabled in v239 for systemd-networkd.service and systemd-resolved.service, + and since v236 for systemd-timesyncd.service. The users and groups + systemd-network, systemd-resolve and systemd-timesync are created + by systemd-sysusers again. 
Distributors or system administrators + may need to create these users and groups if they not exist (or need + to re-enable DynamicUser= for those units) while upgrading systemd. + Also, the clock file for systemd-timesyncd may need to move from + /var/lib/private/systemd/timesync/clock to /var/lib/systemd/timesync/clock. + + * When unit files are loaded from disk, previously systemd would + sometimes (depending on the unit loading order) load units from the + target path of symlinks in .wants/ or .requires/ directories of other + units. This meant that unit could be loaded from different paths + depending on whether the unit was requested explicitly or as a + dependency of another unit, not honouring the priority of directories + in search path. It also meant that it was possible to successfully + load and start units which are not found in the unit search path, as + long as they were requested as a dependency and linked to from + .wants/ or .requires/. The target paths of those symlinks are not + used for loading units anymore and the unit file must be found in + the search path. * A new service type has been added: Type=exec. It's very similar to Type=simple but ensures the service manager will wait for both fork() 
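Review bot: the CVE-2018-16865 / CVE-2018-16864 entry in the 241 section is phrased like an ordinary behaviour change; since it describes a security fix, say so explicitly and state which systemd versions are affected, so that a reader scanning NEWS can tell whether their installation needs the update. Smaller points in the same hunk: "may potentially used for side-channel attacks" is missing "be"; "if they not exist" should read "if they do not exist"; "udevadm control learnt a new option for --ping" reads better as "learnt a new option, --ping,"; and the release line "— Berlin, 2018-XX-XX" is a placeholder that must be filled in before the tag is made.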
@@ -98,15 +228,19 @@ CHANGES WITH 240 in spe: * Support for disabling a particular cgroup controller within a sub-tree has been added through the DisableControllers= directive. + * cgroup_no_v1=all on the kernel command line now also implies + using the unified cgroup hierarchy, unless one explicitly passes + systemd.unified_cgroup_hierarchy=0 on the kernel command line. + * The new "MemoryMin=" unit file property may now be used to set the memory usage protection limit of processes invoked by the unit. This - controls the cgroupsv2 memory.min attribute. Similarly, the new + controls the cgroup v2 memory.min attribute. Similarly, the new "IODeviceLatencyTargetSec=" property has been added, wrapping the new - cgroupsv2 io.latency cgroup property for configuring per-service I/O + cgroup v2 io.latency cgroup property for configuring per-service I/O latency. - * systemd now supports the cgroupsv2 devices BPF logic, as counterpart - to the cgroupsv1 "devices" cgroup controller. + * systemd now supports the cgroup v2 devices BPF logic, as counterpart + to the cgroup v1 "devices" cgroup controller. * systemd-escape now is able to combine --unescape with --template. It also learnt a new option --instance for extracting and unescaping the @@ -134,7 +268,7 @@ CHANGES WITH 240 in spe: * The signal to use as last step of killing of unit processes is now configurable. Previously it was hard-coded to SIGKILL, which may now be overridden with the new KillSignal= setting. Note that this is the - signal used when regular termination (i.e. SIGTERM) does suffice. + signal used when regular termination (i.e. SIGTERM) does not suffice. Similarly, the signal used when aborting a program in case of a watchdog timeout may now be configured too (WatchdogSignal=). 
@@ -146,9 +280,6 @@ CHANGES WITH 240 in spe: * Most configuration options that previously accepted percentage values now also accept permille values with the '‰' suffix (instead of '%'). - * systemd-logind will offer hibernation only if the currently used - kernel image is still available on disk. - * systemd-resolved may now optionally use OpenSSL instead of GnuTLS for DNS-over-TLS. @@ -325,7 +456,7 @@ CHANGES WITH 240 in spe: * The JoinControllers= option in system.conf is no longer supported, as it didn't work correctly, is hard to support properly, is legacy (as - the concept only exists on cgroupsv1) and apparently wasn't used. + the concept only exists on cgroup v1) and apparently wasn't used. * Journal messages that are generated whenever a unit enters the failed state are now tagged with a unique MESSAGE_ID. Similarly, messages 
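Review bot: the removed systemd-logind entry ("will offer hibernation only if the currently used kernel image is still available on disk") disappears without explanation; if that check was reverted before 240 shipped, a one-line note to that effect (here or in the commit message) would help anyone who read the draft NEWS and expects the behaviour, and if it was merely moved, the new location should be named.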
@@ -384,51 +515,108 @@ CHANGES WITH 240 in spe: SD_ID128_ALLF to test if a 128bit ID is set to all 0xFF bytes, and to initialize one to all 0xFF. + * After loading the SELinux policy systemd will now recursively relabel + all files and directories listed in + /run/systemd/relabel-extra.d/*.relabel (which should be simple + newline separated lists of paths) in addition to the ones it already + implicitly relabels in /run, /dev and /sys. After the relabelling is + completed the *.relabel files (and /run/systemd/relabel-extra.d/) are + removed. This is useful to permit initrds (i.e. code running before + the SELinux policy is in effect) to generate files in the host + filesystem safely and ensure that the correct label is applied during + the transition to the host OS. + + * KERNEL API BREAKAGE: Linux kernel 4.18 changed behaviour regarding + mknod() handling in user namespaces. Previously mknod() would always + fail with EPERM in user namespaces. Since 4.18 mknod() will succeed + but device nodes generated that way cannot be opened, and attempts to + open them result in EPERM. This breaks the "graceful fallback" logic + in systemd's PrivateDevices= sand-boxing option. This option is + implemented defensively, so that when systemd detects it runs in a + restricted environment (such as a user namespace, or an environment + where mknod() is blocked through seccomp or absence of CAP_SYS_MKNOD) + where device nodes cannot be created the effect of PrivateDevices= is + bypassed (following the logic that 2nd-level sand-boxing is not + essential if the system systemd runs in is itself already sand-boxed + as a whole). This logic breaks with 4.18 in container managers where + user namespacing is used: suddenly PrivateDevices= succeeds setting + up a private /dev/ file system containing devices nodes — but when + these are opened they don't work. 
+ + At this point is is recommended that container managers utilizing + user namespaces that intend to run systemd in the payload explicitly + block mknod() with seccomp or similar, so that the graceful fallback + logic works again. + + We are very sorry for the breakage and the requirement to change + container configurations for newer kernels. It's purely caused by an + incompatible kernel change. The relevant kernel developers have been + notified about this userspace breakage quickly, but they chose to + ignore it. + + * PermissionsStartOnly= setting is deprecated (but is still supported + for backwards compatibility). The same functionality is provided by + the more flexible "+", "!", and "!!" prefixes to ExecStart= and other + commands. + + * $DBUS_SESSION_BUS_ADDRESS environment variable is not set by + pam_systemd anymore. + + * The naming scheme for network devices was changed to always rename + devices, even if they were already renamed by userspace. The "kernel" + policy was changed to only apply as a fallback, if no other naming + policy took effect. + + * The requirements to build systemd is bumped to meson-0.46 and + python-3.5. 
+ Contributions from: afg, Alan Jenkins, Aleksei Timofeyev, Alexander Filippov, Alexander Kurtz, Alexey Bogdanenko, Andreas Henriksson, Andrew Jorgensen, Anita Zhang, apnix-uk, Arkan49, Arseny Maslennikov, asavah, Asbjørn Apeland, aszlig, Bastien Nocera, Ben Boeckel, Benedikt - Morbach, Benjamin Berg, Carlo Caione, Cedric Viou, Chen Qi, ChenQi1989, - Chris Chiu, Chris Down, Chris Morin, Christian Rebischke, Claudius - Ellsel, ColinGuthrie, dana, Daniel, Daniele Medri, Daniel Kahn Gillmor, - Daniel Rusek, Daniel van Vugt, Dariusz Gadomski, Dave Reisner, David - Anderson, Davide Cavalca, David Leeds, David Malcolm, David Strauss, - David Tardon, Dimitri John Ledkov, dj-kaktus, Dongsu Park, Elias - Probst, Emil Soleyman, Erik Kooistra, Ervin Peters, Evgeni Golov, - Evgeny Vereshchagin, Fabrice Fontaine, Faheel Ahmad, faizalluthfi, - Felix Yan, Filipe Brandenburger, Franck Bui, Frank Schaefer, Frantisek - Sumsal, Gianluca Boiano, Giuseppe Scrivano, glitsj16, Hans de Goede, - Harald Hoyer, Harry Mallon, Harshit Jain, hellcp, Helmut Grohne, Henry - Tung, Hui Yiqun, imayoda, Insun Pyo, INSUN PYO, Iwan Timmer, - jambonmcyeah, Jan Janssen, Jan Pokorný, Jan Synacek, Jason - A. 
Donenfeld, javitoom, Jérémy Nouhaud, Jiuyang liu, João Paulo Rechi + Morbach, Benjamin Berg, Bruce Zhang, Carlo Caione, Cedric Viou, Chen + Qi, Chris Chiu, Chris Down, Chris Morin, Christian Rebischke, Claudius + Ellsel, Colin Guthrie, dana, Daniel, Daniele Medri, Daniel Kahn + Gillmor, Daniel Rusek, Daniel van Vugt, Dariusz Gadomski, Dave Reisner, + David Anderson, Davide Cavalca, David Leeds, David Malcolm, David + Strauss, David Tardon, Dimitri John Ledkov, Dmitry Torokhov, dj-kaktus, + Dongsu Park, Elias Probst, Emil Soleyman, Erik Kooistra, Ervin Peters, + Evgeni Golov, Evgeny Vereshchagin, Fabrice Fontaine, Faheel Ahmad, + Faizal Luthfi, Felix Yan, Filipe Brandenburger, Franck Bui, Frank + Schaefer, Frantisek Sumsal, Gautier Husson, Gianluca Boiano, Giuseppe + Scrivano, glitsj16, Hans de Goede, Harald Hoyer, Harry Mallon, Harshit + Jain, Helmut Grohne, Henry Tung, Hui Yiqun, imayoda, Insun Pyo, Iwan + Timmer, Jan Janssen, Jan Pokorný, Jan Synacek, Jason A. Donenfeld, + javitoom, Jérémy Nouhaud, Jeremy Su, Jiuyang Liu, João Paulo Rechi Vita, Joe Hershberger, Joe Rayhawk, Joerg Behrmann, Joerg Steffens, - Jonas DOREL, Jon Ringle, Josh Soref, Julian Andres Klode, Jürg - Billeter, Keith Busch, killermoehre, Kirill Marinushkin, Lennart - Poettering, LennartPoettering, Liberasys, Lion Yang, Li Song, Lorenz + Jonas Dorel, Jon Ringle, Josh Soref, Julian Andres Klode, Jun Bo Bi, + Jürg Billeter, Keith Busch, Khem Raj, Kirill Marinushkin, Larry + Bernstone, Lennart Poettering, Lion Yang, Li Song, Lorenz Hübschle-Schneider, Lubomir Rintel, Lucas Werkmeister, Ludwin Janvier, Lukáš Nykrýn, Luke Shumaker, mal, Marc-Antoine Perennou, Marcin Skarbek, Marco Trevisan (Treviño), Marian Cepok, Mario Hros, Marko Myllynen, Markus Grimm, Martin Pitt, Martin Sobotka, Martin Wilck, Mathieu Trudel-Lapierre, Matthew Leeds, Michael Biebl, Michael Olbrich, - Michael 'pbone' Pobega, Michal Koutný, Michal Sekletar, Michal Soltys, - Mike Gilbert, Mike Palmer, Muhammet Kara, Neal Gompa, 
Network Silence, - nikolas, NOGISAKA Sadata, Oliver Smith, Patrik Flykt, Pavel Hrdina, - Paweł Szewczyk, Peter Hutterer, Piotr Drąg, Ray Strode, remueller, + Michael 'pbone' Pobega, Michael Scherer, Michal Koutný, Michal + Sekletar, Michal Soltys, Mike Gilbert, Mike Palmer, Muhammet Kara, Neal + Gompa, Neil Brown, Network Silence, Niklas Tibbling, Nikolas Nyby, + Nogisaka Sadata, Oliver Smith, Patrik Flykt, Pavel Hrdina, Paweł + Szewczyk, Peter Hutterer, Piotr Drąg, Ray Strode, Reinhold Mueller, Renaud Métrich, Roman Gushchin, Ronny Chevalier, Rubén Suárez Alvarez, - Ruixin Bao, RussianNeuroMancer, Ryutaroh Matsumoto, Saleem Rashid, - Samuel Morris, Sandy, scootergrisen, seb128, Sergey Ptashnick, Shawn - Landden, Shengyao Xue, Shih-Yuan Lee (FourDollars), Sjoerd Simons, - Stephen Gallagher, Steven Allen, Steve Ramage, Susant Sahani, Sven - Joachim, Sylvain Plantefève, TanuKaskinen, Tejun Heo, Thiago Macieira, - Thomas Blume, Thomas Haller, Thomas H. P. Andersen, Tim Ruffing, TJ, - Tobias Jungel, Todd Walton, Tommi Rantala, Tomsod M, Tony Novak, - Trevonn, Victor Laskurain, Victor Tapia, Violet Halo, Vojtech Trefny, - welaq, William A. Kennington III, William Douglas, Wyatt Ward, Xiang - Fan, Xi Ruoyao, Xuanwo, Yann E. MORIN, YmrDtnJu, Yu Watanabe, Zbigniew - Jędrzejewski-Szmek, Zhang Xianwei, Zsolt Dollenstein - - — Somewhere, 2018-xx-yy + Ruixin Bao, RussianNeuroMancer, Ryutaroh Matsumoto, Saleem Rashid, Sam + Morris, Samuel Morris, Sandy Carter, scootergrisen, Sébastien Bacher, + Sergey Ptashnick, Shawn Landden, Shengyao Xue, Shih-Yuan Lee + (FourDollars), Silvio Knizek, Sjoerd Simons, Stasiek Michalski, Stephen + Gallagher, Steven Allen, Steve Ramage, Susant Sahani, Sven Joachim, + Sylvain Plantefève, Tanu Kaskinen, Tejun Heo, Thiago Macieira, Thomas + Blume, Thomas Haller, Thomas H. P. 
Andersen, Tim Ruffing, TJ, Tobias + Jungel, Todd Walton, Tommi Rantala, Tomsod M, Tony Novak, Tore + Anderson, Trevonn, Victor Laskurain, Victor Tapia, Violet Halo, Vojtech + Trefny, welaq, William A. Kennington III, William Douglas, Wyatt Ward, + Xiang Fan, Xi Ruoyao, Xuanwo, Yann E. Morin, YmrDtnJu, Yu Watanabe, + Zbigniew Jędrzejewski-Szmek, Zhang Xianwei, Zsolt Dollenstein + + — Warsaw, 2018-12-21 CHANGES WITH 239: @@ -795,6 +983,8 @@ CHANGES WITH 239: allows ordering services before the service that executes the actual update process in a generic way. + * Systemd now emits warnings whenever .include syntax is used. + Contributions from: Adam Duskett, Alan Jenkins, Alessandro Casale, Alexander Kurtz, Alex Gartrell, Anssi Hannula, Arnaud Rebillout, Brian J. Murrell, Bruno Vernay, Chris Lamb, Chris Lesiak, Christian Brauner, @@ -921,7 +1111,7 @@ CHANGES WITH 238: instance to migrate processes if it itself gets the request to migrate processes and the kernel refuses this due to access restrictions. Thanks to this "systemd-run --scope --user …" works - again in pure cgroups v2 environments when invoked from the user + again in pure cgroup v2 environments when invoked from the user session scope. * A new TemporaryFileSystem= setting can be used to mask out part of @@ -2637,7 +2827,7 @@ CHANGES WITH 231: desired options. * systemd now supports the "memory" cgroup controller also on - cgroupsv2. + cgroup v2. * The systemd-cgtop tool now optionally takes a control group path as command line argument. If specified, the control group list shown is 
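Review bot: the KERNEL API BREAKAGE entry explains that PrivateDevices= is silently bypassed when device nodes cannot be created, and tells container managers to block mknod() with seccomp so the fallback engages again, but it gives an administrator no way to confirm whether PrivateDevices= is actually in effect inside a given container on a 4.18+ kernel; a sentence on how that can be verified (or whether systemd logs the fallback) would make the advice actionable. Typos in the same hunk: "At this point is is recommended" doubles "is"; "The requirements to build systemd is bumped" should be "The requirements ... are bumped" (or "The requirement ... has been bumped"); "sand-boxing"/"sand-boxed" are spelled "sandboxing"/"sandboxed" elsewhere in this file. The closing sentence of that entry ("but they chose to ignore it") is a personal remark rather than release information and would read better in neutral wording.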
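Review bot: in the line added to the 239 section, "Systemd now emits warnings whenever .include syntax is used." capitalises the project name, while every other entry in this file writes "systemd" in lower case; change it to "systemd now emits warnings ...".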
@@ -6164,6 +6354,9 @@ CHANGES WITH 210: IFUNC. Please make sure to use --enable-compat-libs only during a transitional period! + * The .include syntax has been deprecated and is not documented + anymore. Drop-in files in .d directories should be used instead. + Contributions from: Andreas Fuchs, Armin K., Colin Walters, Daniel Mack, Dave Reisner, David Herrmann, Djalal Harouni, Holger Schurig, Jason A. Donenfeld, Jason St. John, Jasper
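Review bot: the ".include syntax has been deprecated" entry is being inserted into the CHANGES WITH 210 section of a release that shipped long ago, so the NEWS file distributed with 210 and this one will disagree; either mark the entry as a note added retroactively or place it in the current release's section next to the new warning, and keep the 210 section as it was published.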