X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=NEWS;h=3fea3d221e4ae6341b49e11da8109cb1afef2175;hb=2e3e2750bb85239aad2a02b5f6afa26f1588f5f7;hp=e1754231c72fc025b2b303aa7b2361a34c5f32d3;hpb=cc832f977208a020cdef133b8f44d00040802b81;p=thirdparty%2Fsystemd.git diff --git a/NEWS b/NEWS index e1754231c72..3fea3d221e4 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,6 @@ systemd System and Service Manager -CHANGES WITH 246 in spe: +CHANGES WITH 246: * The service manager gained basic support for cgroup v2 freezer. Units can now be suspended or resumed either using new systemctl verbs, @@ -40,8 +40,8 @@ CHANGES WITH 246 in spe: * .socket units gained a new boolean setting PassPacketInfo=. If enabled, the kernel will attach additional per-packet metadata to all - packets read from the socket, as ancillary message. This controls the - IP_PKTINFO, IPV6_RECVPKTINFO, NETLINK_PKTINFO socket options, + packets read from the socket, as an ancillary message. This controls + the IP_PKTINFO, IPV6_RECVPKTINFO, NETLINK_PKTINFO socket options, depending on socket type. * .service units gained a new setting RootHash= which may be used to @@ -91,6 +91,15 @@ CHANGES WITH 246 in spe: from the documentation, but will now result in warnings when used, and be converted to "journal" and "journal+console" automatically. + * If the service setting User= is set to the "nobody" user, a warning + message is now written to the logs (but the value is nonetheless + accepted). Setting User=nobody is unsafe, since the primary purpose + of the "nobody" user is to own all files whose owner cannot be mapped + locally. It's in particular used by the NFS subsystem and in user + namespacing. By running a service under this user's UID it might get + read and even write access to all these otherwise unmappable files, + which is quite likely a major security problem. + * A new kernel command line option systemd.hostname= has been added that allows controlling the hostname that is initialized early during boot. 
@@ -132,8 +141,8 @@ CHANGES WITH 246 in spe: enabled by default, please submit a patch that adds it to the database (see /usr/lib/udev/hwdb.d/60-autosuspend.hwdb). - * systemd-udevd gained new configuration option timeout_signal= as well - as corresponding kernel command line option udev.timeout_signal=. + * systemd-udevd gained the new configuration option timeout_signal= as well + as a corresponding kernel command line option udev.timeout_signal=. The option can be used to configure the UNIX signal that the main daemon sends to the worker processes on timeout. Setting the signal to SIGABRT is useful for debugging. @@ -147,6 +156,9 @@ CHANGES WITH 246 in spe: * networkd.conf gained a new boolean setting ManageForeignRoutes=. If enabled systemd-networkd manages all routes configured by other tools. + * .network files managed by systemd-networkd gained a new section + [SR-IOV], in order to configure SR-IOV capable network devices. + * systemd-networkd's [IPv6Prefix] section in .network files gained a new boolean setting Assign=. If enabled an address from the prefix is automatically assigned to the interface. 
@@ -178,12 +190,12 @@ CHANGES WITH 246 in spe: traffic). DataBitRate=, DataSamplePoint=, FDMode=, FDNonISO= have been added to configure various CAN-FD aspects. - * systemd-networkd's [DHCPv6] section gained a new WithoutRA= setting. - If enabled, DHCPv6 will be attempted right-away without requiring an - Router Advertisement packet suggesting it first. Conversely, the - [IPv6AcceptRA] section gained a boolean option DHCPv6Client= that may - be used to turn off the DHCPv6 client even if the RA packets suggest - it. + * systemd-networkd's [DHCPv6] section gained a new option WithoutRA=. + When enabled, DHCPv6 will be attempted right-away without requiring an + Router Advertisement packet suggesting it first (i.e. without the 'M' + or 'O' flags set). The [IPv6AcceptRA] section gained a boolean option + DHCPv6Client= that may be used to turn off the DHCPv6 client even if + the RA packets suggest it. * systemd-networkd's [DHCPv4] section gained a new setting UseGateway= which may be used to turn off use of the gateway information provided @@ -205,6 +217,9 @@ CHANGES WITH 246 in spe: Description"). Support for "MUD" URLs was also added to the LLDP stack, configurable in the [LLDP] section in .network files. + * The Mode= settings in [MACVLAN] and [MACVTAP] now support 'source' + mode. Also, the sections now support a new setting SourceMACAddress=. + * systemd-networkd's .netdev files now support a new setting VLANProtocol= in the [Bridge] section that allows configuration of the VLAN protocol to use. 
@@ -367,6 +382,21 @@ CHANGES WITH 246 in spe: storage and file system may now be configured explicitly, too, via the new /etc/systemd/homed.conf configuration file. + * systemd-homed now supports unlocking home directories with FIDO2 + security tokens that support the 'hmac-secret' extension, in addition + to the existing support for PKCS#11 security token unlocking + support. Note that many recent hardware security tokens support both + interfaces. The FIDO2 support is accessible via homectl's + --fido2-device= option. + + * homectl's --pkcs11-uri= setting now accepts two special parameters: + if "auto" is specified and only one suitable PKCS#11 security token + is plugged in, its URL is automatically determined and enrolled for + unlocking the home directory. If "list" is specified a brief table of + suitable PKCS#11 security tokens is shown. Similar, the new + --fido2-device= option also supports these two special values, for + automatically selecting and listing suitable FIDO2 devices. + * The /etc/crypttab tmp option now optionally takes an argument selecting the file system to use. Moreover, the default is now changed from ext2 to ext4. 
@@ -395,15 +425,6 @@ CHANGES WITH 246 in spe: control the inode limit for the per-user $XDG_RUNTIME_DIR tmpfs instance. - * systemd-firstboot gained a new --root-password-hashed= parameter for - setting the root user's password as UNIX password hash. There's a new - --delete-root-password switch which instead of setting a password for - the root user, removes it so that log-in without a password is - permitted. There's now --force which if specified means any existing - configuration is overwritten by the specified settings. It also - gained a new --kernel-command-line= parameter which may be used to - set the /etc/kernel/cmdline file of an OS image. - * A new generator systemd-xdg-autostart-generator has been added. It generates systemd unit files from XDG autostart .desktop files, and may be used to let the systemd user instance manage services that are @@ -422,6 +443,10 @@ CHANGES WITH 246 in spe: specified on the command line (by default, the tool will not override what has already been set before, i.e. is purely incremental). + * systemd-firstboot gained support for a new --image= switch, which is + similar to --root= but accepts the path to a disk image file, on + which it then operates. + * A new sd-path.h API has been added to libsystemd. It provides a simple API for retrieving various search paths and primary directories for various resources. 
@@ -475,10 +500,10 @@ CHANGES WITH 246 in spe: document the methods, signals and properties. * The expectations on user/group name syntax are now documented in - detail; documentation how classic home directories may be converted - into home directories managed by homed has been added; documentation - regarding integration of homed/userdb functionality in desktops has - been added: + detail; documentation on how classic home directories may be + converted into home directories managed by homed has been added; + documentation regarding integration of homed/userdb functionality in + desktops has been added: https://systemd.io/USER_NAMES https://systemd.io/CONVERTING_TO_HOMED 
@@ -489,10 +514,56 @@ CHANGES WITH 246 in spe: https://systemd.io/JOURNAL_FILE_FORMAT + * The interface for containers (https://systemd.io/CONTAINER_INTERFACE) + has been extended by a set of environment variables that expose + select fields from the host's os-release file to the container + payload. Similarly, host's os-release files can be mounted into the + container underneath /run/hosts. Together, those mechanisms provide a + standardized way to expose information about the host to the + container payload. Both interfaces are implemented in systemd-nspawn. + * All D-Bus services shipped in systemd now implement the generic LogControl1 D-Bus API which allows clients to change log level + target of the service during runtime. + Contributions from: 24bisquitz, Adam Nielsen, Alan Perry, Alexander + Malafeev, Alin Popa, Amos Bird, Andreas Rammhold, AndreRH, Andrew + Doran, Anita Zhang, Ankit Jain, antznin, Arnaud Ferraris, Arthur Moraes + do Lago, Arusekk, Balaji Punnuru, Balint Reczey, Bastien Nocera, + bemarek, Benjamin Berg, Benjamin Dahlhoff, Benjamin Robin, Chris Down, + Chris Kerr, Christian Göttsche, Christian Hesse, Christian Oder, + Ciprian Hacman, codicodi, Corey Hinshaw, Daan De Meyer, Dana Olson, Dan + Callaghan, Daniel Fullmer, Daniel Rusek, Dan Streetman, Dave Reisner, + David Edmundson, David Wood, Denis Pronin, Diego Escalante Urrelo, + Dimitri John Ledkov, dolphrundgren, duguxy, Einsler Lee, Elisei Roca, + Emmanuel Garette, Eric Anderson, Eric DeVolder, Evgeny Vereshchagin, + ExtinctFire, fangxiuning, Ferran Pallarès Roca, Filipe Brandenburger, + Finn, Florian Klink, Franck Bui, Frantisek Sumsal, Gaoyi, gaurav, Georg + Müller, Gergely Polonkai, Giedrius Statkevičius, Gigadoc2, gogogogi, + gzjsgdsb, Hans de Goede, Haochen Tong, ianhi, ignapk, Jakov Smolic, + James T. 
Lee, Jan Janssen, Jan Klötzke, Jan Palus, Jay Burger, Jeremy + Cline, Jérémy Rosen, Jian-Hong Pan, Jiri Slaby, Joel Shapiro, Joerg + Behrmann, Jörg Thalheim, Jouke Witteveen, Kai-Heng Feng, Kenny + Levinsen, Kevin Kuehler, Kumar Kartikeya Dwivedi, layderv, laydervus, + Lénaïc Huard, Lennart Poettering, Lidong Zhong, Luca Boccassi, Luca + BRUNO, Lucas Werkmeister, Lukas Klingsbo, Lukáš Nykrýn, Łukasz + Stelmach, Maciej S. Szmigiero, MadMcCrow, Marc-André Lureau, Marcel + Holtmann, Marc Kleine-Budde, Martin Hundebøll, Matthew Leeds, Matt + Ranostay, Maxim Fomin, MaxVerevkin, Michael Biebl, Michael Chapman, + Michael Gubbels, Michael Marley, Michał Bartoszkiewicz, Michal Koutný, + Michal Sekletar, Michal Sekletár, Mike Gilbert, Mike Kazantsev, ml, + Motiejus Jakštys, nabijaczleweli, nerdopolis, Niccolò Maggioni, Niklas + Hambüchen, Norbert Lange, Paul Cercueil, pelzvieh, Peter Hutterer, + Piero La Terza, Pieter Lexis, Piotr Drąg, Rafael Fontenelle, Richard + Petri, Ronan Pigott, Ross Lagerwall, Rubens Figueiredo, satmandu, + Sean-StarLabs, Sebastian Jennen, sterlinghughes, Susant Sahani, Thomas + Haller, Tobias Hunger, Tom, Tomáš Pospíšek, Tomer Shechner, Tom Hughes, + Topi Miettinen, Tudor Roman, Uwe Kleine-König, Valery0xff, Vito Caputo, + Vladimir Panteleev, Vladyslav Tronko, Wen Yang, Yegor Vialov, Yigal + Korman, YmrDtnJu, Yuri Chornoivan, Yu Watanabe, Zbigniew + Jędrzejewski-Szmek, Zhu Li, Дамјан Георгиевски, наб + + – Warsaw, 2020-07-09 CHANGES WITH 245:
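Review bot: in the User=nobody paragraph added in the @@ -91,6 +91,15 @@ hunk, "It's in particular used by the NFS subsystem and in user namespacing" reads awkwardly; "It is used in particular by the NFS subsystem and by user namespacing" is cleaner. The paragraph also says a warning is written to the logs but not when it fires (at unit load or at service start); stating that would tell administrators where to look for it when auditing units that still set User=nobody.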
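Review bot: the rewritten WithoutRA= paragraph in the @@ -178,12 +190,12 @@ hunk keeps the grammar slip from the old text, "without requiring an Router Advertisement packet", which should read "a Router Advertisement packet"; "right-away" should also be written "right away" since it is used adverbially. The new parenthetical about the 'M' and 'O' flags is a useful addition; spelling them out once as the RA "Managed address configuration" and "Other configuration" flags would help readers who do not know the RFC 4861 shorthand.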
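Review bot: in the first added paragraph of the @@ -367,6 +382,21 @@ hunk, "in addition to the existing support for PKCS#11 security token unlocking support" repeats "support"; drop the trailing one. In the second paragraph, "Similar, the new --fido2-device= option" should be "Similarly, ...", and "its URL is automatically determined" should say "URI", matching the --pkcs11-uri= option name the paragraph documents.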
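Review bot: the @@ -395,15 +425,6 @@ hunk deletes the whole systemd-firstboot paragraph covering --root-password-hashed=, --delete-root-password, --force and --kernel-command-line=, and no other hunk in this patch re-adds that text; the only new firstboot entry (--image= in the @@ -422,6 +443,10 @@ hunk) does not mention these switches. If the paragraph was merged into an existing systemd-firstboot entry elsewhere in the file, that should be visible in the diff or explained in the commit message; otherwise the release notes silently lose four documented options, one of which (--delete-root-password) changes whether root can log in without a password and is exactly the kind of change administrators read NEWS for.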
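Review bot: in the container-interface paragraph added in the @@ -489,10 +514,56 @@ hunk, "host's os-release files can be mounted into the container" is missing its article ("the host's os-release file can be mounted ..."), and "expose select fields" reads better as "expose selected fields". Since the paragraph says the file appears "underneath /run/hosts" but names neither the mount path nor the environment variables, pointing at the relevant section of https://systemd.io/CONTAINER_INTERFACE would let a payload author find the exact names.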