X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=NEWS;h=99194b02d0b068f3fd522eb9384925f510032881;hb=6457e88902a9e2cf0b7f184a8e50a7ef666bcc78;hp=3fea3d221e4ae6341b49e11da8109cb1afef2175;hpb=5553041a623f003ba978d3888c458651f525e647;p=thirdparty%2Fsystemd.git diff --git a/NEWS b/NEWS index 3fea3d221e4..99194b02d0b 100644 --- a/NEWS +++ b/NEWS 
@@ -1,5 +1,106 @@ systemd System and Service Manager +CHANGES WITH 247 in spe: + + * KERNEL API INCOMPATIBILTY: Linux 4.12 introduced two new uevents + "bind" and "unbind" to the Linux device model. When this kernel + change was made, systemd-udevd was only minimally updated to handle + and propagate these new event types. The introduction of these new + uevents (which are typically generated for USB devices and devices + needing a firmware upload before being functional) resulted in a + number of software issues, we so far didn't address (mostly because + there was hope the kernel maintainers would themeselves address these + issues in some form – which did not happen). To handle them properly, + many (if not most) udev rules files shipped in various packages need + updating, and so do many programs that monitor or enumerate devices + with libudev or sd-device, or otherwise process uevents. Please note + that this incompatibility is not fault of systemd or udev, but caused + by an incompatible kernel change that happened back in Linux 4.12. + + To minimize issues resulting from this kernel change (but not avoid + them entirely) starting with systemd-udevd 247 the udev "tags" + concept (which is a concept for marking and filtering devices during + enumeration and monitoring) has been reworked: udev tags are now + "sticky", meaning that once a tag is assigned to a device it will not + be removed from the device again until the device itself is removed + (i.e. unplugged). This makes sure that any application monitoring + devices that match a specific tag is guaranteed to both see uevents + where the device starts being relevant, and those where it stops + being relevant (the latter now regularly happening due to the new + "unbind" uevent type). 
The udev tags concept is hence now a concept + tied to a *device* instead of a device *event* — unlike for example + udev properties whose lifecycle (as before) is generally tied to a + device event, meaning that the previously determined properties are + forgotten whenever a new uevent is processed. + + With the newly redefined udev tags concept, sometimes it's necessary + to determine which tags are the ones applied by the most recent + uevent/database update, in order to discern them from those + originating from earlier uevents/database updates of the same + device. To accommodate for this a new automatic property CURRENT_TAGS + has been added that works similar to the existing TAGS property but + only lists tags set by the most recent uevent/database + update. Similar, the libudev/sd-device API has been updated with new + functions to enumerate these 'current' tags, in addition to the + existing APIs that now enumerate the 'sticky' ones. + + To properly handle "bind"/"unbind" on Linux 4.12 and newer it is + essential that all udev rules files and applications are updated to + handle the new events. Specifically: + + • All rule files that currently use a header guard similar to + ACTION!="add|change",GOTO="xyz_end" should be updated to use + ACTION=="remove",GOTO="xyz_end" instead, so that the + properties/tags they add are also applied whenever "bind" (or + "unbind") is seen. (This is most important for all physical device + types — as that's for which "bind" and "unbind" are currently + usually generated, for all other device types this change is still + recommended but not as important — but certainly prepares for + future kernel uevent type additions). + + • Similar, all code monitoring devices that contains an 'if' branch + discerning the "add" + "change" uevent actions from all other + uevents actions (i.e. 
considering devices only relevant after "add" + or "change", and irrelevant on all other events) should be reworked + to instead negatively check for "remove" only (i.e. considering + devices relevant after all event types, except for "remove", which + invalidates the device). Note that this also means that devices + should be considered relevant on "unbind", even though conceptually + this — in some form — invalidates the device. Since the precise + effect of "unbind" is not generically defined, devices should be + considered relevant even after "unbind", however I/O errors + accessing the device should then be handled gracefully. + + • Any code that uses device tags for deciding whether a device is + relevant or not most likely needs to be updated to use the new + udev_device_has_current_tag() API (or sd_device_has_current_tag() + in case sd-device is used), to check whether the tag is set + at the moment an uevent is seen (as opposed to the existing + udev_device_has_tag() API which checks if the tag ever existed on + the device, following the API concept redefinition explained + above). + + We are very sorry for this breakage and the requirement to update + packages using these interfaces. We'd again like to underline that + this is not caused by systemd/udev changes, but result of a kernel + behaviour change. + + * Since PAM 1.2.0 (2015) configuration snippets may be placed in + /usr/lib/pam.d/ in addition to /etc/pam.d/. If a file exists in the + latter it takes precedence over the former, similar to how most of + systemd's own configuration is handled. Given that PAM stack + definitions are primarily put together by OS vendors/distributions + (though possibly overridden by users), this systemd release moves its + own PAM stack configuration for the "systemd-user" PAM service (i.e. + for the PAM session invoked by the per-user user@.service instance) + from /etc/pam.d/ to /usr/lib/pam.d/. 
We recommend moving all + packages' vendor versions of their PAM stack definitions from + /etc/pam.d/ to /usr/lib/pam.d/, but if such OS-wide migration is not + desired the location to which systemd installs its PAM stack + configuration file may be changed via the "pamconfdir" meson variable + at build time, optionally undoing this change of default paths + introduced with systemd 247. + CHANGES WITH 246: * The service manager gained basic support for cgroup v2 freezer. Units @@ -74,6 +175,18 @@ CHANGES WITH 246: notation when the 0o prefix is used and binary notation if the 0b prefix is used. + * Various command line parameters and configuration file settings that + configure key or certificate files now optionally take paths to + AF_UNIX sockets in the file system. If configured that way a stream + connection is made to the socket and the required data read from + it. This is a simple and natural extension to the existing regular + file logic, and permits other software to provide keys or + certificates via simple IPC services, for example when unencrypted + storage on disk is not desired. Specifically, systemd-networkd's + Wireguard and MACSEC key file settings as well as + systemd-journal-gatewayd's and systemd-journal-remote's PEM + key/certificate parameters support this now. + * Unit files, tmpfiles.d/ snippets, sysusers.d/ snippets and other configuration files that support specifier expansion learnt six new specifiers: %a resolves to the current architecture, %o/%w/%B/%W 
@@ -100,6 +213,18 @@ CHANGES WITH 246: read and even write access to all these otherwise unmappable files, which is quite likely a major security problem. + * tmpfs mounts automatically created by systemd (/tmp, /run, /dev/shm, + and others) now have a size and inode limits applied (50% of RAM for + /tmp and /dev/shm, 10% of RAM for other mounts, etc.). Please note + that the implicit kernel default is 50% too, so there is no change + in the size limit for /tmp and /dev/shm. + + * nss-mymachines lost support for resolution of users and groups, and + now only does resolution of hostnames. This functionality is now + provided by nss-systemd. Thus, the 'mymachines' entry should be + removed from the 'passwd:' and 'group:' lines in /etc/nsswitch.conf + (and 'systemd' added if it is not already there). + * A new kernel command line option systemd.hostname= has been added that allows controlling the hostname that is initialized early during boot. 
@@ -134,12 +259,17 @@ CHANGES WITH 246: now automatically set to "Y" at boot, in order to enable pstore generation for collection with systemd-pstore. - * A new 'hwdb' file has been added that collects information about PCI - and USB devices that correctly support auto-suspend, on top of the - databases for this we import from the ChromiumOS project. If you have - a device that supports auto-suspend correctly and where it should be - enabled by default, please submit a patch that adds it to the - database (see /usr/lib/udev/hwdb.d/60-autosuspend.hwdb). + * We provide a set of udev rules to enable auto-suspend on PCI and USB + devices that were tested to correctly support it. Previously, this + was distributed as a set of udev rules, but has now been replaced by + by a set of hwdb entries (and a much shorter udev rule to take action + if the device modalias matches one of the new hwdb entries). + + As before, entries are periodically imported from the database + maintained by the ChromiumOS project. If you have a device that + supports auto-suspend correctly and where it should be enabled by + default, please submit a patch that adds it to the database (see + /usr/lib/udev/hwdb.d/60-autosuspend.hwdb). * systemd-udevd gained the new configuration option timeout_signal= as well as a corresponding kernel command line option udev.timeout_signal=. 
@@ -163,9 +293,15 @@ CHANGES WITH 246: new boolean setting Assign=. If enabled an address from the prefix is automatically assigned to the interface. - * systemd-networkd's [Network] section gained a new setting - IPv6PDSubnetId= that allows explicit configuration of the preferred - subnet that networkd's Prefix Delegation logic assigns to interfaces. + * systemd-networkd gained a new section [DHCPv6PrefixDelegation] which + controls delegated prefixes assigned by DHCPv6 client. The section + has three settings: SubnetID=, Assign=, and Token=. The setting + SubnetID= allows explicit configuration of the preferred subnet that + systemd-networkd's Prefix Delegation logic assigns to interfaces. If + Assign= is enabled (which is the default) an address from any acquired + delegated prefix is automatically chosen and assigned to the + interface. The setting Token= specifies an optional address generation + mode for Assign=. * systemd-networkd's [Network] section gained a new setting IPv4AcceptLocal=. If enabled the interface accepts packets with local @@ -238,11 +374,6 @@ CHANGES WITH 246: interface which is fully set up for host communication, simply by carefully picking an interface name to use. - * A new boolean option AssignAcquiredDelegatedPrefixAddress= has been - added to the [DHCPv6] section of .network files. If enabled (which is - the default) an address from any acquired delegated prefix is - automatically chosen and assigned to the interface. - * systemd-networkd's [DHCPv6] section gained a new setting RouteMetric= which sets the route priority for routes specified by the DHCP server. 
@@ -259,10 +390,11 @@ CHANGES WITH 246: interface. There are new "up" and "down" commands to bring specific interfaces up or down. - * systemd-resolved's DNS= configuration option now optionally accepts - DNS server addresses suffixed by "#" followed by a host name. If - used, the DNS-over-TLS certificate is validated to match the - specified hostname. + * systemd-resolved's DNS= configuration option now optionally accepts a + port number (after ":") and a host name (after "#"). When the host + name is specified, the DNS-over-TLS certificate is validated to match + the specified hostname. Additionally, in case of IPv6 addresses, an + interface may be specified (after "%"). * systemd-resolved may be configured to forward single-label DNS names. This is not standard-conformant, but may make sense in setups where @@ -329,6 +461,13 @@ CHANGES WITH 246: MESSAGE=. This is useful to retrieve a very specific set of fields without any decoration. + * The sd-journal.h API gained two new functions: + sd_journal_enumerate_available_unique() and + sd_journal_enumerate_available_data() that operate like their + counterparts that lack the _available_ in the name, but skip items + that cannot be read and processed by the local implementation + (i.e. are compressed in an unsupported format or such), + * coredumpctl gained a new --file= switch, matching the same one in journalctl: a specific journal file may be specified to read the coredump data from. 
@@ -438,10 +577,12 @@ CHANGES WITH 246: also gained a new switch --root-password-hashed= which is like --root-password= but accepts a pre-hashed UNIX password as argument. The new option --delete-root-password may be used to unset - any password for the root user (dangerous!). A new --force option may - be used to override any already set settings with the parameters - specified on the command line (by default, the tool will not override - what has already been set before, i.e. is purely incremental). + any password for the root user (dangerous!). The --root-shell= switch + may be used to control the shell to use for the root account. A new + --force option may be used to override any already set settings with + the parameters specified on the command line (by default, the tool + will not override what has already been set before, i.e. is purely + incremental). * systemd-firstboot gained support for a new --image= switch, which is similar to --root= but accepts the path to a disk image file, on @@ -518,7 +659,7 @@ CHANGES WITH 246: has been extended by a set of environment variables that expose select fields from the host's os-release file to the container payload. Similarly, host's os-release files can be mounted into the - container underneath /run/hosts. Together, those mechanisms provide a + container underneath /run/host. Together, those mechanisms provide a standardized way to expose information about the host to the container payload. Both interfaces are implemented in systemd-nspawn. 
@@ -526,44 +667,50 @@ CHANGES WITH 246: LogControl1 D-Bus API which allows clients to change log level + target of the service during runtime. + * Only relevant for developers: the mkosi.default symlink has been + dropped from version control. Please create a symlink to one of the + distribution-specific defaults in .mkosi/ based on your preference. + Contributions from: 24bisquitz, Adam Nielsen, Alan Perry, Alexander - Malafeev, Alin Popa, Amos Bird, Andreas Rammhold, AndreRH, Andrew - Doran, Anita Zhang, Ankit Jain, antznin, Arnaud Ferraris, Arthur Moraes - do Lago, Arusekk, Balaji Punnuru, Balint Reczey, Bastien Nocera, - bemarek, Benjamin Berg, Benjamin Dahlhoff, Benjamin Robin, Chris Down, - Chris Kerr, Christian Göttsche, Christian Hesse, Christian Oder, - Ciprian Hacman, codicodi, Corey Hinshaw, Daan De Meyer, Dana Olson, Dan - Callaghan, Daniel Fullmer, Daniel Rusek, Dan Streetman, Dave Reisner, - David Edmundson, David Wood, Denis Pronin, Diego Escalante Urrelo, - Dimitri John Ledkov, dolphrundgren, duguxy, Einsler Lee, Elisei Roca, - Emmanuel Garette, Eric Anderson, Eric DeVolder, Evgeny Vereshchagin, + Malafeev, Amitanand.Chikorde, Alin Popa, Alvin Šipraga, Amos Bird, + Andreas Rammhold, AndreRH, Andrew Doran, Anita Zhang, Ankit Jain, + antznin, Arnaud Ferraris, Arthur Moraes do Lago, Arusekk, Balaji + Punnuru, Balint Reczey, Bastien Nocera, bemarek, Benjamin Berg, + Benjamin Dahlhoff, Benjamin Robin, Chris Down, Chris Kerr, Christian + Göttsche, Christian Hesse, Christian Oder, Ciprian Hacman, Clinton Roy, + codicodi, Corey Hinshaw, Daan De Meyer, Dana Olson, Dan Callaghan, + Daniel Fullmer, Daniel Rusek, Dan Streetman, Dave Reisner, David + Edmundson, David Wood, Denis Pronin, Diego Escalante Urrelo, Dimitri + John Ledkov, dolphrundgren, duguxy, Einsler Lee, Elisei Roca, Emmanuel + Garette, Eric Anderson, Eric DeVolder, Evgeny Vereshchagin, ExtinctFire, fangxiuning, Ferran Pallarès Roca, Filipe Brandenburger, - Finn, Florian Klink, Franck Bui, 
Frantisek Sumsal, Gaoyi, gaurav, Georg - Müller, Gergely Polonkai, Giedrius Statkevičius, Gigadoc2, gogogogi, - gzjsgdsb, Hans de Goede, Haochen Tong, ianhi, ignapk, Jakov Smolic, - James T. Lee, Jan Janssen, Jan Klötzke, Jan Palus, Jay Burger, Jeremy - Cline, Jérémy Rosen, Jian-Hong Pan, Jiri Slaby, Joel Shapiro, Joerg - Behrmann, Jörg Thalheim, Jouke Witteveen, Kai-Heng Feng, Kenny - Levinsen, Kevin Kuehler, Kumar Kartikeya Dwivedi, layderv, laydervus, - Lénaïc Huard, Lennart Poettering, Lidong Zhong, Luca Boccassi, Luca - BRUNO, Lucas Werkmeister, Lukas Klingsbo, Lukáš Nykrýn, Łukasz - Stelmach, Maciej S. Szmigiero, MadMcCrow, Marc-André Lureau, Marcel - Holtmann, Marc Kleine-Budde, Martin Hundebøll, Matthew Leeds, Matt - Ranostay, Maxim Fomin, MaxVerevkin, Michael Biebl, Michael Chapman, - Michael Gubbels, Michael Marley, Michał Bartoszkiewicz, Michal Koutný, - Michal Sekletar, Michal Sekletár, Mike Gilbert, Mike Kazantsev, ml, - Motiejus Jakštys, nabijaczleweli, nerdopolis, Niccolò Maggioni, Niklas - Hambüchen, Norbert Lange, Paul Cercueil, pelzvieh, Peter Hutterer, - Piero La Terza, Pieter Lexis, Piotr Drąg, Rafael Fontenelle, Richard - Petri, Ronan Pigott, Ross Lagerwall, Rubens Figueiredo, satmandu, - Sean-StarLabs, Sebastian Jennen, sterlinghughes, Susant Sahani, Thomas + Filippo Falezza, Finn, Florian Klink, Florian Mayer, Franck Bui, + Frantisek Sumsal, gaurav, Georg Müller, Gergely Polonkai, Giedrius + Statkevičius, Gigadoc2, gogogogi, Gaurav Singh, gzjsgdsb, Hans de + Goede, Haochen Tong, ianhi, ignapk, Jakov Smolic, James T. Lee, Jan + Janssen, Jan Klötzke, Jan Palus, Jay Burger, Jeremy Cline, Jérémy + Rosen, Jian-Hong Pan, Jiri Slaby, Joel Shapiro, Joerg Behrmann, Jörg + Thalheim, Jouke Witteveen, Kai-Heng Feng, Kenny Levinsen, Kevin + Kuehler, Kumar Kartikeya Dwivedi, layderv, laydervus, Lénaïc Huard, + Lennart Poettering, Lidong Zhong, Luca Boccassi, Luca BRUNO, Lucas + Werkmeister, Lukas Klingsbo, Lukáš Nykrýn, Łukasz Stelmach, Maciej + S. 
Szmigiero, MadMcCrow, Marc-André Lureau, Marcel Holtmann, Marc + Kleine-Budde, Martin Hundebøll, Matthew Leeds, Matt Ranostay, Maxim + Fomin, MaxVerevkin, Michael Biebl, Michael Chapman, Michael Gubbels, + Michael Marley, Michał Bartoszkiewicz, Michal Koutný, Michal Sekletár, + Mike Gilbert, Mike Kazantsev, Mikhail Novosyolov, ml, Motiejus Jakštys, + nabijaczleweli, nerdopolis, Niccolò Maggioni, Niklas Hambüchen, Norbert + Lange, Paul Cercueil, pelzvieh, Peter Hutterer, Piero La Terza, Pieter + Lexis, Piotr Drąg, Rafael Fontenelle, Richard Petri, Ronan Pigott, Ross + Lagerwall, Rubens Figueiredo, satmandu, Sean-StarLabs, Sebastian + Jennen, sterlinghughes, Surhud More, Susant Sahani, szb512, Thomas Haller, Tobias Hunger, Tom, Tomáš Pospíšek, Tomer Shechner, Tom Hughes, Topi Miettinen, Tudor Roman, Uwe Kleine-König, Valery0xff, Vito Caputo, Vladimir Panteleev, Vladyslav Tronko, Wen Yang, Yegor Vialov, Yigal - Korman, YmrDtnJu, Yuri Chornoivan, Yu Watanabe, Zbigniew + Korman, Yi Gao, YmrDtnJu, Yuri Chornoivan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Zhu Li, Дамјан Георгиевски, наб - – Warsaw, 2020-07-09 + – Warsaw, 2020-07-30 CHANGES WITH 245:
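Review bot: in the first hunk (@@ -1,5 +1,106 @@), the PAM paragraph should spell out the upgrade consequence of the precedence rule it states: because a file in /etc/pam.d/ wins over /usr/lib/pam.d/, a stale /etc/pam.d/systemd-user left behind by an earlier package will silently keep overriding the new vendor copy, so packagers should be told to remove or migrate the old file. Same hunk, wording: "KERNEL API INCOMPATIBILTY" should read "INCOMPATIBILITY", "themeselves" should read "themselves", "is not fault of systemd or udev" needs "the fault", and the two sentences opening with "Similar," should open with "Similarly,".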
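Review bot: the AF_UNIX key/certificate hunk (@@ -74,6 +175,18 @@) does not say what authorizes the peer that answers on the socket; since the socket now stands in for a key file whose protection is its file permissions, the entry should state whether any check is applied to the connection and, if not, that the socket's ownership and mode (and the service behind it) must be kept at least as restrictive as the key file it replaces. Minor: the project spells these "WireGuard" and "MACsec".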
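Review bot: in the tmpfs hunk (@@ -100,6 +213,18 @@) the "etc." leaves the list of affected mounts and their limits open; since the point of the change is a bounded memory footprint, name the remaining mounts (or the mount units that carry the limits) so administrators can verify them. Grammar: "now have a size and inode limits applied" should read "now have size and inode limits applied". The nss-mymachines entry should also say what happens if 'mymachines' is left on the 'passwd:' and 'group:' lines (ignored or logged), as the removal is asked of the admin rather than done automatically.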
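Review bot: the replacement autosuspend entry (@@ -134,12 +259,17 @@) contradicts itself: its first sentence says "We provide a set of udev rules to enable auto-suspend", then the next says this "was distributed as a set of udev rules, but has now been replaced by by a set of hwdb entries". Reword the opening to "We provide a set of hwdb entries (plus a short udev rule) to enable auto-suspend ..." and drop the doubled "by by".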
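Review bot: in the [DHCPv6PrefixDelegation] hunk (@@ -163,9 +293,15 @@), "assigned by DHCPv6 client" should read "assigned by the DHCPv6 client". Since this entry replaces the earlier IPv6PDSubnetId= text, it would help readers of the pre-release NEWS to state that SubnetID= in the new section is the renamed form of that setting.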
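Review bot: the hunk that drops the AssignAcquiredDelegatedPrefixAddress= entry (@@ -238,11 +374,6 @@) removes text describing exactly the behaviour now attributed to Assign= in the new [DHCPv6PrefixDelegation] section (default enabled, address chosen from any acquired delegated prefix); if the old [DHCPv6] option name is no longer accepted, the NEWS should say so, because .network files written against earlier 246 snapshots may still carry it.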
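Review bot: the resolved DNS= hunk (@@ -259,10 +390,11 @@) does not say how a ":port" suffix is delimited from an IPv6 literal, which itself contains ':', nor in which order the ':', '%' and '#' suffixes are written; one worked example in the entry would settle both. It should also make clear that certificate validation against a name only happens when "#hostname" is given, as the text implies. Grammar: "in case of IPv6 addresses" should read "in the case of IPv6 addresses".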
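Review bot: the sd-journal hunk (@@ -329,6 +461,13 @@) ends its entry with a comma ("are compressed in an unsupported format or such),") where a period is needed, and "skip items that cannot be read" would be clearer as "silently skip items that cannot be read" if that is the behaviour, since callers need to know whether an error is reported for the skipped entries.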