X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=NEWS;h=be4fc55a39ede43a91369c2c848e19e5b1b8c06e;hb=2bfdd6dc548fbe30d153278f63f43b9e466ff0ca;hp=03fe0eca83e4080a2ab6cbc8ace3c43757fc3f4c;hpb=e01d9e2193ad4699a0507fc631613b5666d4d897;p=thirdparty%2Fsystemd.git diff --git a/NEWS b/NEWS index 03fe0eca83e..be4fc55a39e 100644 --- a/NEWS +++ b/NEWS 
@@ -1,13 +1,525 @@ systemd System and Service Manager -CHANGES WITH 239 in spe: +CHANGES WITH 240 in spe: + + * NoNewPrivileges=yes has been set for all long-running services + implemented by systemd. Previously, this was problematic due to + SELinux (as this would also prohibit the transition from PID1's label + to the service's label). This restriction has since been lifted, but + an SELinux policy update is required. + (See e.g. https://github.com/fedora-selinux/selinux-policy/pull/234.) + + * DynamicUser=yes is dropped from systemd-networkd.service, + systemd-resolved.service and systemd-timesyncd.service, which was + enabled in v239 for systemd-networkd.service and systemd-resolved.service, + and since v236 for systemd-timesyncd.service. The users and groups + systemd-network, systemd-resolve and systemd-timesync are created + by systemd-sysusers again. Distributors or system administrators + may need to create these users and groups if they not exist (or need + to re-enable DynamicUser= for those units) while upgrading systemd. + + * When unit files are loaded from disk, previously systemd would + sometimes (depending on the unit loading order) load units from the + target path of symlinks in .wants/ or .requires/ directories of other + units. This meant that unit could be loaded from different paths + depending on whether the unit was requested explicitly or as a + dependency of another unit, not honouring the priority of directories + in search path. It also meant that it was possible to successfully + load and start units which are not found in the unit search path, as + long as they were requested as a dependency and linked to from + .wants/ or .requires/. The target paths of those symlinks are not + used for loading units anymore and the unit file must be found in + the search path. + + * A new service type has been added: Type=exec. 
It's very similar to + Type=simple but ensures the service manager will wait for both fork() + and execve() of the main service binary to complete before proceeding + with follow-up units. This is primarily useful so that the manager + propagates any errors in the preparation phase of service execution + back to the job that requested the unit to be started. For example, + consider a service that has ExecStart= set to a file system binary + that doesn't exist. With Type=simple starting the unit would be + considered instantly successful, as only fork() has to complete + successfully and the manager does not wait for execve(), and hence + its failure is seen "too late". With the new Type=exec service type + starting the unit will fail, as the manager will wait for the + execve() and notice its failure, which is then propagated back to the + start job. + + NOTE: with the next release 241 of systemd we intend to change the + systemd-run tool to default to Type=exec for transient services + started by it. This should be mostly safe, but in specific corner + cases might result in problems, as the systemd-run tool will then + block on NSS calls (such as user name look-ups due to User=) done + between the fork() and execve(), which under specific circumstances + might cause problems. It is recommended to specify "-p Type=simple" + explicitly in the few cases where this applies. For regular, + non-transient services (i.e. those defined with unit files on disk) + we will continue to default to Type=simple. + + * The Linux kernel's current default RLIMIT_NOFILE resource limit for + userspace processes is set to 1024 (soft) and 4096 + (hard). Previously, systemd passed this on unmodified to all + processes it forked off. With this systemd release the hard limit + systemd passes on is increased to 512K, overriding the kernel's + defaults and substantially increasing the number of simultaneous file + descriptors unprivileged userspace processes can allocate. 
Note that + the soft limit remains at 1024 for compatibility reasons: the + traditional UNIX select() call cannot deal with file descriptors >= + 1024 and increasing the soft limit globally might thus result in + programs unexpectedly allocating a high file descriptor and thus + failing abnormally when attempting to use it with select() (of + course, programs shouldn't use select() anymore, and prefer + poll()/epoll, but the call unfortunately remains undeservedly popular + at this time). This change reflects the fact that file descriptor + handling in the Linux kernel has been optimized in more recent + kernels and allocating large numbers of them should be much cheaper + both in memory and in performance than it used to be. Programs that + want to take benefit of the increased limit have to "opt-in" into + high file descriptors explicitly by raising their soft limit. Of + course, when they do that they must acknowledge that they cannot use + select() anymore (and neither can any shared library they use — or + any shared library used by any shared library they use and so on). + Which default hard limit is most appropriate is of course hard to + decide. However, given reports that ~300K file descriptors are used + in real-life applications we believe 512K is sufficiently high as new + default for now. Note that there are also reports that using very + high hard limits (e.g. 1G) is problematic: some software allocates + large arrays with one element for each potential file descriptor + (Java, …) — a high hard limit thus triggers excessively large memory + allocations in these applications. Hopefully, the new default of 512K + is a good middle ground: higher than what real-life applications + currently need, and low enough for avoid triggering excessively large + allocations in problematic software. (And yes, somebody should fix + Java.) 
+ + * The fs.nr_open and fs.file-max sysctls are now automatically bumped + to the highest possible values, as separate accounting of file + descriptors is no longer necessary, as memcg tracks them correctly as + part of the memory accounting anyway. Thus, from the four limits on + file descriptors currently enforced (fs.file-max, fs.nr_open, + RLIMIT_NOFILE hard, RLIMIT_NOFILE soft) we turn off the first two, + and keep only the latter two. A set of build-time options + (-Dbump-proc-sys-fs-file-max=no and -Dbump-proc-sys-fs-nr-open=no) + has been added to revert this change in behaviour, which might be + an option for systems that turn off memcg in the kernel. + + * When no /etc/locale.conf file exists (and hence no locale settings + are in place), systemd will now use the "C.UTF-8" locale by default, + and set LANG= to it. This locale is supported by various + distributions including Fedora, with clear indications that upstream + glibc is going to make it available too. This locale enables UTF-8 + mode by default, which appears appropriate for 2018. + + * The "net.ipv4.conf.all.rp_filter" sysctl will now be set to 2 by + default. This effectively switches the RFC3704 Reverse Path filtering + from Strict mode to Loose mode. This is more appropriate for hosts + that have multiple links with routes to the same networks (e.g. + a client with a Wi-Fi and Ethernet both connected to the internet). + + Consult the kernel documentation for details on this sysctl: + https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt + + * CPUAccounting=yes no longer enables the CPU controller when using + kernel 4.15+ and the unified cgroup hierarchy, as required accounting + statistics are now provided independently from the CPU controller. + + * Support for disabling a particular cgroup controller within a sub-tree + has been added through the DisableControllers= directive. 
+ + * The new "MemoryMin=" unit file property may now be used to set the + memory usage protection limit of processes invoked by the unit. This + controls the cgroupsv2 memory.min attribute. Similarly, the new + "IODeviceLatencyTargetSec=" property has been added, wrapping the new + cgroupsv2 io.latency cgroup property for configuring per-service I/O + latency. + + * systemd now supports the cgroupsv2 devices BPF logic, as counterpart + to the cgroupsv1 "devices" cgroup controller. + + * systemd-escape now is able to combine --unescape with --template. It + also learnt a new option --instance for extracting and unescaping the + instance part of a unit name. + + * sd-bus now provides the sd_bus_message_readv() which is similar to + sd_bus_message_read() but takes a va_list object. The pair + sd_bus_set_method_call_timeout() and sd_bus_get_method_call_timeout() + has been added for configuring the default method call timeout to + use. sd_bus_error_move() may be used to efficiently move the contents + from one sd_bus_error structure to another, invalidating the + source. sd_bus_set_close_on_exit() and sd_bus_get_close_on_exit() may + be used to control whether a bus connection object is automatically + flushed when an sd-event loop is exited. + + * When processing classic BSD syslog log messages, journald will now + save the original time-stamp string supplied in the new + SYSLOG_TIMESTAMP= journal field. This permits consumers to + reconstruct the original BSD syslog message more correctly. + + * StandardOutput=/StandardError= in service files gained support for + new "append:…" parameters, for connecting STDOUT/STDERR of a service + to a file, and appending to it. + + * The signal to use as last step of killing of unit processes is now + configurable. Previously it was hard-coded to SIGKILL, which may now + be overridden with the new KillSignal= setting. Note that this is the + signal used when regular termination (i.e. SIGTERM) does not suffice. 
+ Similarly, the signal used when aborting a program in case of a + watchdog timeout may now be configured too (WatchdogSignal=). + + * The XDG_SESSION_DESKTOP environment variable may now be configured in + the pam_systemd argument line, using the new desktop= switch. This is + useful to initialize it properly from a display manager without + having to touch C code. + + * Most configuration options that previously accepted percentage values + now also accept permille values with the '‰' suffix (instead of '%'). + + * systemd-logind will offer hibernation only if the currently used + kernel image is still available on disk. + + * systemd-resolved may now optionally use OpenSSL instead of GnuTLS for + DNS-over-TLS. + + * systemd-resolved's configuration file resolved.conf gained a new + option ReadEtcHosts= which may be used to turn off processing and + honoring /etc/hosts entries. + + * The "--wait" switch may now be passed to "systemctl + is-system-running", in which case the tool will synchronously wait + until the system finished start-up. + + * hostnamed gained a new bus call to determine the DMI product UUID. + + * On x86-64 systemd will now prefer using the RDRAND processor + instruction over /dev/urandom whenever it requires randomness that + neither has to be crypto-grade nor should be reproducible. This + should substantially reduce the amount of entropy systemd requests + from the kernel during initialization on such systems, though not + reduce it to zero. (Why not zero? systemd still needs to allocate + UUIDs and such uniquely, which require high-quality randomness.) + + * networkd gained support for Foo-Over-UDP, ERSPAN and ISATAP + tunnels. It also gained a new option ForceDHCPv6PDOtherInformation= + for forcing the "Other Information" bit in IPv6 RA messages. 
The + bonding logic gained four new options AdActorSystemPriority=, + AdUserPortKey=, AdActorSystem= for configuring various 802.3ad + aspects, and DynamicTransmitLoadBalancing= for enabling dynamic + shuffling of flows. The tunnel logic gained a new + IPv6RapidDeploymentPrefix= option for configuring IPv6 Rapid + Deployment. The policy rule logic gained four new options IPProtocol=, + SourcePort= and DestinationPort=, InvertRule=. The bridge logic gained + support for the MulticastToUnicast= option. networkd also gained + support for configuring static IPv4 ARP or IPv6 neighbor entries. + + * .preset files (as read by 'systemctl preset') may now be used to + instantiate services. + + * /etc/crypttab now understands the sector-size= option to configure + the sector size for an encrypted partition. + + * Key material for encrypted disks may now be placed on a formatted + medium, and referenced from /etc/crypttab by the UUID of the file + system, followed by "=" suffixed by the path to the key file. + + * The "collect" udev component has been removed without replacement, as + it is neither used nor maintained. + + * When the RuntimeDirectory=, StateDirectory=, CacheDirectory=, + LogsDirectory=, ConfigurationDirectory= settings are used in a + service the executed processes will now receive a set of environment + variables containing the full paths of these directories. + Specifically, RUNTIME_DIRECTORY=, STATE_DIRECTORY, CACHE_DIRECTORY, + LOGS_DIRECTORY, CONFIGURATION_DIRECTORY are now set if these options + are used. Note that these options may be used multiple times per + service in which case the resulting paths will be concatenated and + separated by colons. + + * Predictable interface naming has been extended to cover InfiniBand + NICs. They will be exposed with an "ib" prefix. + + * tmpfiles.d/ line types may now be suffixed with a '-' character, in + which case the respective line failing is ignored. 
+ + * .link files may now be used to configure the equivalent to the + "ethtool advertise" commands. + + * The sd-device.h and sd-hwdb.h APIs are now exported, as an + alternative to libudev.h. Previously, the latter was just an internal + wrapper around the former, but now these two APIs are exposed + directly. + + * sd-id128.h gained a new function sd_id128_get_boot_app_specific() + which calculates an app-specific boot ID similar to how + sd_id128_get_machine_app_specific() generates an app-specific machine + ID. + + * A new tool systemd-id128 has been added that can be used to determine + and generate various 128bit IDs. + + * /etc/os-release gained two new standardized fields DOCUMENTATION_URL= + and LOGO=. + + * systemd-hibernate-resume-generator will now honor the "noresume" + kernel command line option, in which case it will bypass resuming + from any hibernated image. + + * The systemd-sleep.conf configuration file gained new options + AllowSuspend=, AllowHibernation=, AllowSuspendThenHibernate=, + AllowHybridSleep= for prohibiting specific sleep modes even if the + kernel exports them. + + * portablectl is now officially supported and has thus moved to + /usr/bin/. + + * bootctl learnt the two new commands "set-default" and "set-oneshot" + for setting the default boot loader item to boot to (either + persistently or only for the next boot). This is currently only + compatible with sd-boot, but may be implemented on other boot loaders + too, that follow the boot loader interface. The updated interface is + now documented here: + + https://systemd.io/BOOT_LOADER_INTERFACE + + * A new kernel command line option systemd.early_core_pattern= is now + understood which may be used to influence the core_pattern PID 1 + installs during early boot. + + * busctl learnt two new options -j and --json= for outputting method + call replies, properties and monitoring output in JSON. 
+ + * journalctl's JSON output now supports simple ANSI coloring as well as + a new "json-seq" mode for generating RFC7464 output. + + * Unit files now support the %g/%G specifiers that resolve to the UNIX + group/GID of the service manager runs as, similar to the existing + %u/%U specifiers that resolve to the UNIX user/UID. + + * systemd-logind learnt a new global configuration option + UserStopDelaySec= that may be set in logind.conf. It specifies how + long the systemd --user instance shall remain started after a user + logs out. This is useful to speed up repetitive re-connections of the + same user, as it means the user's service manager doesn't have to be + stopped/restarted on each iteration, but can be reused between + subsequent options. This setting defaults to 10s. systemd-logind also + exports two new properties on its Manager D-Bus objects indicating + whether the system's lid is currently closed, and whether the system + is on AC power. + + * systemd gained support for a generic boot counting logic, which + generically permits automatic reverting to older boot loader entries + if newer updated ones don't work. The boot loader side is implemented + in sd-boot, but is kept open for other boot loaders too. For details + see: + + https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT + + * The SuccessAction=/FailureAction= unit file settings now learnt two + new parameters: "exit" and "exit-force", which result in immediate + exiting of the service manager, and are only useful in systemd --user + and container environments. + + * Unit files gained support for a pair of options + FailureActionExitStatus=/SuccessActionExitStatus= for configuring the + exit status to use as service manager exit status when + SuccessAction=/FailureAction= is set to exit or exit-force. + + * A pair of LogRateLimitIntervalSec=/LogRateLimitBurst= per-service + options may now be used to configure the log rate limiting applied by + journald per-service. 
+ + * systemd-analyze gained a new verb "timespan" for parsing and + normalizing time span values (i.e. strings like "5min 7s 8us"). + + * systemd-analyze also gained a new verb "security" for analyzing the + security and sand-boxing settings of services in order to determine an + "exposure level" for them, indicating whether a service would benefit + from more sand-boxing options turned on for them. + + * "systemd-analyze syscall-filter" will now also show system calls + supported by the local kernel but not included in any of the defined + groups. + + * .nspawn files now understand the Ephemeral= setting, matching the + --ephemeral command line switch. + + * sd-event gained the new APIs sd_event_source_get_floating() and + sd_event_source_set_floating() for controlling whether a specific + event source is "floating", i.e. destroyed along with the even loop + object itself. + + * Unit objects on D-Bus gained a new "Refs" property that lists all + clients that currently have a reference on the unit (to ensure it is + not unloaded). + + * The JoinControllers= option in system.conf is no longer supported, as + it didn't work correctly, is hard to support properly, is legacy (as + the concept only exists on cgroupsv1) and apparently wasn't used. + + * Journal messages that are generated whenever a unit enters the failed + state are now tagged with a unique MESSAGE_ID. Similarly, messages + generated whenever a service process exits are now made recognizable, + too. A taged message is also emitted whenever a unit enters the + "dead" state on success. + + * systemd-run gained a new switch --working-directory= for configuring + the working directory of the service to start. A shortcut -d is + equivalent, setting the working directory of the service to the + current working directory of the invoking program. 
The new --shell + (or just -S) option has been added for invoking the $SHELL of the + caller as a service, and implies --pty --same-dir --wait --collect + --service-type=exec. Or in other words, "systemd-run -S" is now the + quickest way to quickly get an interactive in a fully clean and + well-defined system service context. + + * machinectl gained a new verb "import-fs" for importing an OS tree + from a directory. Moreover, when a directory or tarball is imported + and single top-level directory found with the OS itself below the OS + tree is automatically mangled and moved one level up. + + * systemd-importd will no longer set up an implicit btrfs loop-back + file system on /var/lib/machines. If one is already set up, it will + continue to be used. + + * A new generator "systemd-run-generator" has been added. It will + synthesize a unit from one or more program command lines included in + the kernel command line. This is very useful in container managers + for example: + + # systemd-nspawn -i someimage.raw -b systemd.run='"some command line"' + + This will run "systemd-nspawn" on an image, invoke the specified + command line and immediately shut down the container again, returning + the command line's exit code. + + * The block device locking logic is now documented: + + https://systemd.io/BLOCK_DEVICE_LOCKING + + * loginctl and machinectl now optionally output the various tables in + JSON using the --output= switch. It is our intention to add similar + support to systemctl and all other commands. + + * udevadm's query and trigger verb now optionally take a .device unit + name as argument. + + * systemd-udevd's network naming logic now understands a new + net.naming-scheme= kernel command line switch, which may be used to + pick a specific version of the naming scheme. This helps stabilizing + interface names even as systemd/udev are updated and the naming logic + is improved. 
+ + * sd-id128.h learnt two new auxiliary helpers: sd_id128_is_allf() and + SD_ID128_ALLF to test if a 128bit ID is set to all 0xFF bytes, and to + initialize one to all 0xFF. + + * After loading the SELinux policy systemd will now recursively relabel + all files and directories listed in + /run/systemd/relabel-extra.d/*.relabel (which should be simple + newline separated lists of paths) in addition to the ones it already + implicitly relabels in /run, /dev and /sys. After the relabelling is + completed the *.relabel files (and /run/systemd/relabel-extra.d/) are + removed. This is useful to permit initrds (i.e. code running before + the SELinux policy is in effect) to generate files in the host + filesystem safely and ensure that the correct label is applied during + the transition to the host OS. + + * KERNEL API BREAKAGE: Linux kernel 4.18 changed behaviour regarding + mknod() handling in user namespaces. Previously mknod() would always + fail with EPERM in user namespaces. Since 4.18 mknod() will succeed + but device nodes generated that way cannot be opened, and attempts to + open them result in EPERM. This breaks the "graceful fallback" logic + in systemd's PrivateDevices= sand-boxing option. This option is + implemented defensively, so that when systemd detects it runs in a + restricted environment (such as a user namespace, or an environment + where mknod() is blocked through seccomp or absence of CAP_SYS_MKNOD) + where device nodes cannot be created the effect of PrivateDevices= is + bypassed (following the logic that 2nd-level sand-boxing is not + essential if the system systemd runs in is itself already sand-boxed + as a whole). This logic breaks with 4.18 in container managers where + user namespacing is used: suddenly PrivateDevices= succeeds setting + up a private /dev/ file system containing devices nodes — but when + these are opened they don't work. 
+ + At this point is is recommended that container managers utilizing + user namespaces that intend to run systemd in the payload explicitly + block mknod() with seccomp or similar, so that the graceful fallback + logic works again. + + We are very sorry for the breakage and the requirement to change + container configurations for newer kernels. It's purely caused by an + incompatible kernel change. The relevant kernel developers have been + notified about this userspace breakage quickly, but they chose to + ignore it. + + Contributions from: afg, Alan Jenkins, Aleksei Timofeyev, Alexander + Filippov, Alexander Kurtz, Alexey Bogdanenko, Andreas Henriksson, + Andrew Jorgensen, Anita Zhang, apnix-uk, Arkan49, Arseny Maslennikov, + asavah, Asbjørn Apeland, aszlig, Bastien Nocera, Ben Boeckel, Benedikt + Morbach, Benjamin Berg, Bruce Zhang, Carlo Caione, Cedric Viou, Chen + Qi, Chris Chiu, Chris Down, Chris Morin, Christian Rebischke, Claudius + Ellsel, Colin Guthrie, dana, Daniel, Daniele Medri, Daniel Kahn + Gillmor, Daniel Rusek, Daniel van Vugt, Dariusz Gadomski, Dave Reisner, + David Anderson, Davide Cavalca, David Leeds, David Malcolm, David + Strauss, David Tardon, Dimitri John Ledkov, dj-kaktus, Dongsu Park, + Elias Probst, Emil Soleyman, Erik Kooistra, Ervin Peters, Evgeni Golov, + Evgeny Vereshchagin, Fabrice Fontaine, Faheel Ahmad, Faizal Luthfi, + Felix Yan, Filipe Brandenburger, Franck Bui, Frank Schaefer, Frantisek + Sumsal, Gautier Husson, Gianluca Boiano, Giuseppe Scrivano, glitsj16, + Hans de Goede, Harald Hoyer, Harry Mallon, Harshit Jain, Helmut Grohne, + Henry Tung, Hui Yiqun, imayoda, Insun Pyo, Iwan Timmer, Jan Janssen, + Jan Pokorný, Jan Synacek, Jason A. 
Donenfeld, javitoom, Jérémy Nouhaud, + Jiuyang Liu, João Paulo Rechi Vita, Joe Hershberger, Joe Rayhawk, Joerg + Behrmann, Joerg Steffens, Jonas Dorel, Jon Ringle, Josh Soref, Julian + Andres Klode, Jun Bo Bi, Jürg Billeter, Keith Busch, Khem Raj, Kirill + Marinushkin, Larry Bernstone, Lennart Poettering, Lion Yang, Li Song, + Lorenz Hübschle-Schneider, Lubomir Rintel, Lucas Werkmeister, Ludwin + Janvier, Lukáš Nykrýn, Luke Shumaker, mal, Marc-Antoine Perennou, + Marcin Skarbek, Marco Trevisan (Treviño), Marian Cepok, Mario Hros, + Marko Myllynen, Markus Grimm, Martin Pitt, Martin Sobotka, Martin + Wilck, Mathieu Trudel-Lapierre, Matthew Leeds, Michael Biebl, Michael + Olbrich, Michael 'pbone' Pobega, Michael Scherer, Michal Koutný, Michal + Sekletar, Michal Soltys, Mike Gilbert, Mike Palmer, Muhammet Kara, Neal + Gompa, Neil Brown, Network Silence, Niklas Tibbling, Nikolas Nyby, + Nogisaka Sadata, Oliver Smith, Patrik Flykt, Pavel Hrdina, Paweł + Szewczyk, Peter Hutterer, Piotr Drąg, Ray Strode, Reinhold Mueller, + Renaud Métrich, Roman Gushchin, Ronny Chevalier, Rubén Suárez Alvarez, + Ruixin Bao, RussianNeuroMancer, Ryutaroh Matsumoto, Saleem Rashid, Sam + Morris, Samuel Morris, Sandy Carter, scootergrisen, Sébastien Bacher, + Sergey Ptashnick, Shawn Landden, Shengyao Xue, Shih-Yuan Lee + (FourDollars), Silvio Knizek, Sjoerd Simons, Stasiek Michalski, Stephen + Gallagher, Steven Allen, Steve Ramage, Susant Sahani, Sven Joachim, + Sylvain Plantefève, Tanu Kaskinen, Tejun Heo, Thiago Macieira, Thomas + Blume, Thomas Haller, Thomas H. P. Andersen, Tim Ruffing, TJ, Tobias + Jungel, Todd Walton, Tommi Rantala, Tomsod M, Tony Novak, Tore + Anderson, Trevonn, Victor Laskurain, Victor Tapia, Violet Halo, Vojtech + Trefny, welaq, William A. Kennington III, William Douglas, Wyatt Ward, + Xiang Fan, Xi Ruoyao, Xuanwo, Yann E. 
Morin, YmrDtnJu, Yu Watanabe, + Zbigniew Jędrzejewski-Szmek, Zhang Xianwei, Zsolt Dollenstein + + — Somewhere, 2018-12-yy + +CHANGES WITH 239: * NETWORK INTERFACE DEVICE NAMING CHANGES: systemd-udevd's "net_id" - builtin may name network interfaces differently than in previous - versions. SR-IOV virtual functions and NPAR partitions with PCI - function numbers of 8 and above will be named more predictably, and - udev may generate names based on the PCI slot number in some cases - where it previously did not. + builtin will name network interfaces differently than in previous + versions for virtual network interfaces created with SR-IOV and NPAR + and for devices where the PCI network controller device does not have + a slot number associated. + + SR-IOV virtual devices are now named based on the name of the parent + interface, with a suffix of "v", where is the virtual device + number. Previously those virtual devices were named as if completely + independent. + + The ninth and later NPAR virtual devices will be named following the + scheme used for the first eight NPAR partitions. Previously those + devices were not renamed and the kernel default (eth) was used. + + "net_id" will also generate names for PCI devices where the PCI + network controller device does not have an associated slot number + itself, but one of its parents does. Previously those devices were + not renamed and the kernel default (eth) was used. * AF_INET and AF_INET6 are dropped from RestrictAddressFamilies= in systemd-logind.service. Since v235, IPAddressDeny=any has been set to 
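Review bot: the rp_filter entry in this hunk ("The "net.ipv4.conf.all.rp_filter" sysctl will now be set to 2 by default") describes only the multi-homed-client benefit and leaves out the security trade-off. Loose mode (RFC 3704) only requires the source address to be reachable via some interface, so hosts that relied on strict mode as an anti-spoofing control (routers, firewalls, multi-homed servers) lose that check silently on upgrade; suggest one added sentence saying so and noting that an administrator-provided sysctl.d/ fragment setting the value back to 1 restores strict mode. The same hunk also ships several wording errors worth fixing before release: "if they not exist" (DynamicUser= entry), "the even loop" (sd-event entry), "A taged message" (journal MESSAGE_ID entry), "At this point is is recommended" (kernel mknod() paragraph), "quickest way to quickly get an interactive in" is missing the word "shell" (systemd-run -S entry), "can be reused between subsequent options" presumably means "subsequent logins" (UserStopDelaySec= entry), and the policy rule sentence announces "four new options" but lists them as "IPProtocol=, SourcePort= and DestinationPort=, InvertRule=". In the RuntimeDirectory= entry the environment variable names are written inconsistently ("RUNTIME_DIRECTORY=" with a trailing "=", "STATE_DIRECTORY" without).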
@@ -69,7 +581,28 @@ CHANGES WITH 239 in spe: * systemd-resolved.service and systemd-networkd.service now set DynamicUser=yes. The users systemd-resolve and systemd-network are - not created by systemd-sysusers. + not created by systemd-sysusers anymore. + + NOTE: This has a chance of breaking nss-ldap and similar NSS modules + that embedd a network facing module into any process using getpwuid() + or related call: the dynamic allocation of the user ID for + systemd-resolved.service means the service manager has to check NSS + if the user name is already taken when forking off the service. Since + the user in the common case won't be defined in /etc/passwd the + lookup is likely to trigger nss-ldap which in turn might use NSS to + ask systemd-resolved for hostname lookups. This will hence result in + a deadlock: a user name lookup in order to start + systemd-resolved.service will result in a host name lookup for which + systemd-resolved.service needs to be started already. There are + multiple ways to work around this problem: pre-allocate the + "systemd-resolve" user on such systems, so that nss-ldap won't be + triggered; or use a different NSS package that doesn't do networking + in-process but provides a local asynchronous name cache; or configure + the NSS package to avoid lookups for UIDs in the range `pkg-config + systemd --variable=dynamicuidmin` … `pkg-config systemd + --variable=dynamicuidmax`, so that it does not consider itself + authoritative for the same UID range systemd allocates dynamic users + from. * The systemd-resolve tool has been renamed to resolvectl (it also remains available under the old name, for compatibility), and its 
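Review bot: the NOTE added to the v239 section here documents three workarounds for the DynamicUser=/nss-ldap deadlock (pre-allocating the systemd-resolve user, a local caching NSS module, excluding the dynamic UID range from the NSS package), but the v240 section in this same patch states that DynamicUser=yes is dropped again from systemd-networkd.service and systemd-resolved.service and that the users are created by systemd-sysusers once more. Add a sentence pointing readers at the v240 entry so nobody applies the UID-range exclusion to a v240 system where it is no longer needed, or make clear these workarounds apply to v239 only. Also "embedd" should read "embed", and "getpwuid() or related call" should read "getpwuid() or a related call".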
@@ -82,7 +615,7 @@ CHANGES WITH 239 in spe: Debian and FreeBSD resolvconf tool. * Support for suspend-then-hibernate has been added, i.e. a sleep mode - where the system initially suspends, and after a time-out resumes and + where the system initially suspends, and after a timeout resumes and hibernates again. * networkd's ClientIdentifier= now accepts a new option "duid-only". If @@ -133,9 +666,10 @@ CHANGES WITH 239 in spe: name following the last dash. * Unit files and other configuration files that support specifier - expansion now understand another two new specifiers: %T and %V will + expansion now understand another three new specifiers: %T and %V will resolve to /tmp and /var/tmp respectively, or whatever temporary - directory has been set for the calling user. + directory has been set for the calling user. %E will expand to either + /etc (for system units) or $XDG_CONFIG_HOME (for user units). * The ExecStart= lines of unit files are no longer required to reference absolute paths. If non-absolute paths are specified the @@ -206,9 +740,10 @@ CHANGES WITH 239 in spe: example, "systemd-tmpfiles --cat-config" will now output the full list of tmpfiles.d/ lines in place. - * timedatectl gained two new verbs "timesync-status" (to show the - current NTP synchronization state of systemd-timesyncd) and - "show-timesync" (to show bus properties of systemd-timesyncd). + * timedatectl gained three new verbs: "show" shows bus properties of + systemd-timedated, "timesync-status" shows the current NTP + synchronization state of systemd-timesyncd, and "show-timesync" + shows bus properties of systemd-timesyncd. * systemd-timesyncd gained a bus interface on which it exposes details about its state. 
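Review bot: in the `@@ -133,9 +666,10 @@` hunk the new %E specifier is described as expanding to "$XDG_CONFIG_HOME (for user units)" without saying what it resolves to when that variable is unset; the neighbouring %T/%V text in the same entry spells out its fallback ("or whatever temporary directory has been set for the calling user"), so %E should state its default too (the XDG Base Directory default is $HOME/.config), otherwise unit authors cannot tell whether %E is safe to use in a non-login session.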
@@ -285,9 +820,16 @@ CHANGES WITH 239 in spe: * New documentation has been added to document cgroups delegation, portable services and the various code quality tools we have set up: - https://github.com/systemd/systemd/blob/master/doc/CGROUP_DELEGATION.md - https://github.com/systemd/systemd/blob/master/doc/PORTABLE_SERVICES.md - https://github.com/systemd/systemd/blob/master/doc/CODE_QUALITY.md + https://github.com/systemd/systemd/blob/master/docs/CGROUP_DELEGATION.md + https://github.com/systemd/systemd/blob/master/docs/PORTABLE_SERVICES.md + https://github.com/systemd/systemd/blob/master/docs/CODE_QUALITY.md + + * The Boot Loader Specification has been added to the source tree. + + https://github.com/systemd/systemd/blob/master/docs/BOOT_LOADER_SPECIFICATION.md + + While moving it into our source tree we have updated it and further + changes are now accepted through the usual github PR workflow. * pam_systemd will now look for PAM userdata fields systemd.memory_max, systemd.tasks_max, systemd.cpu_weight, systemd.io_weight set by 
@@ -313,34 +855,46 @@ CHANGES WITH 239 in spe: system namespacing options. One such service is systemd-udevd.service wher this is now used by default. + * ConditionSecurity= gained a new value "uefi-secureboot" that is true + when the system is booted in UEFI "secure mode". + + * A new unit "system-update-pre.target" is added, which defines an + optional synchronization point for offline system updates, as + implemented by the pre-existing "system-update.target" unit. It + allows ordering services before the service that executes the actual + update process in a generic way. + Contributions from: Adam Duskett, Alan Jenkins, Alessandro Casale, Alexander Kurtz, Alex Gartrell, Anssi Hannula, Arnaud Rebillout, Brian - J. Murrell, Bruno Vernay, Chris Lesiak, Christian Brauner, Christian - Hesse, Daniel Dao, Daniel Lin, Danylo Korostil, Davide Cavalca, David - Tardon, Dimitri John Ledkov, Dmitriy Geels, Douglas Christman, Elia - Geretto, emelenas, Evegeny Vereshchagin, Evgeny Vereshchagin, Felipe - Sateler, Feng Sun, Filipe Brandenburger, Franck Bui, futpib, Giuseppe - Scrivano, Guillem Jover, guixxx, Hans de Goede, Henrique Dante de + J. 
Murrell, Bruno Vernay, Chris Lamb, Chris Lesiak, Christian Brauner, + Christian Hesse, Christian Rebischke, Colin Guthrie, Daniel Dao, Daniel + Lin, Danylo Korostil, Davide Cavalca, David Tardon, Dimitri John + Ledkov, Dmitriy Geels, Douglas Christman, Elia Geretto, emelenas, Emil + Velikov, Evgeny Vereshchagin, Felipe Sateler, Feng Sun, Filipe + Brandenburger, Franck Bui, futpib, Giuseppe Scrivano, Guillem Jover, + guixxx, Hannes Reinecke, Hans de Goede, Harald Hoyer, Henrique Dante de Almeida, Hiram van Paassen, Ian Miell, Igor Gnatenko, Ivan Shapovalov, - James Cowgill, Jan Janssen, Jan Synacek, Jared Kazimir, João Paulo - Rechi Vita, Joost Heitbrink, Jui-Chi Ricky Liang, Jürg Billeter, - Kai-Heng Feng, Karol Augustin, Krzysztof Nowicki, Lauri Tirkkonen, - Lennart Poettering, Leonard König, Long Li, Luca Boccassi, Lucas - Werkmeister, Marcel Hoppe, Marc Kleine-Budde, Mario Limonciello, Martin - Jansa, Martin Wilck, Mathieu Malaterre, Matteo F. Vescovi, Matthew - McGinn, Michael Biebl, Michael Olbrich, Michael Prokop, Michal Koutný, - Michal Sekletar, Mike Gilbert, Mikhail Kasimov, Milan Broz, Milan - Pässler, Muhammet Kara, Nicolas Boichat, Omer Katz, Paride Legovini, - Paul Menzel, Paul Milliken, Pavel Hrdina, Peter A. Bigot, Peter - Hutterer, Peter Jones, Philip Sequeira, Philip Withnall, Piotr Drąg, - Radostin Stoyanov, Ricardo Salveti de Araujo, Rosen Penev, Rubén Suárez - Alvarez, Ryan Gonzalez, Salvo Tomaselli, Sebastian Reichel, Sergio - Lindo Mansilla, Stefan Schweter, Stephen Hemminger, Stuart Hayes, - Susant Sahani, Sylvain Plantefève, Thomas H. P. 
Andersen, Tobias - Jungel, Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van - Mourik, Yu Watanabe, Zbigniew Jędrzejewski-Szmek - - — Berlin, 2018-06-XX + Iwan Timmer, James Cowgill, Jan Janssen, Jan Synacek, Jared Kazimir, + Jérémy Rosen, João Paulo Rechi Vita, Joost Heitbrink, Jui-Chi Ricky + Liang, Jürg Billeter, Kai-Heng Feng, Karol Augustin, Kay Sievers, + Krzysztof Nowicki, Lauri Tirkkonen, Lennart Poettering, Leonard König, + Long Li, Luca Boccassi, Lucas Werkmeister, Marcel Hoppe, Marc + Kleine-Budde, Mario Limonciello, Martin Jansa, Martin Wilck, Mathieu + Malaterre, Matteo F. Vescovi, Matthew McGinn, Matthias-Christian Ott, + Michael Biebl, Michael Olbrich, Michael Prokop, Michal Koutný, Michal + Sekletar, Mike Gilbert, Mikhail Kasimov, Milan Broz, Milan Pässler, + Mladen Pejaković, Muhammet Kara, Nicolas Boichat, Omer Katz, Paride + Legovini, Paul Menzel, Paul Milliken, Pavel Hrdina, Peter A. Bigot, + Peter D'Hoye, Peter Hutterer, Peter Jones, Philip Sequeira, Philip + Withnall, Piotr Drąg, Radostin Stoyanov, Ricardo Salveti de Araujo, + Ronny Chevalier, Rosen Penev, Rubén Suárez Alvarez, Ryan Gonzalez, + Salvo Tomaselli, Sebastian Reichel, Sergey Ptashnick, Sergio Lindo + Mansilla, Stefan Schweter, Stephen Hemminger, Stuart Hayes, Susant + Sahani, Sylvain Plantefève, Thomas H. P. Andersen, Tobias Jungel, + Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van Mourik, + Yu Watanabe, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2018-06-22 CHANGES WITH 238: 
@@ -512,10 +1066,9 @@ CHANGES WITH 237: different from what the documentation said, and not particularly useful, as repeated systemd-tmpfiles invocations would not be idempotent and grow such files without bounds. With this release - behaviour has been altered slightly, to match what the documentation - says: lines of this type only have an effect if the indicated files - don't exist yet, and only then the argument string is written to the - file. + behaviour has been altered to match what the documentation says: + lines of this type only have an effect if the indicated files don't + exist yet, and only then the argument string is written to the file. * FUTURE INCOMPATIBILITY: In systemd v238 we intend to slightly change systemd-tmpfiles behaviour: previously, read-only files owned by root @@ -1588,7 +2141,7 @@ CHANGES WITH 233: * Documentation has been added that lists all of systemd's low-level environment variables: - https://github.com/systemd/systemd/blob/master/doc/ENVIRONMENT.md + https://github.com/systemd/systemd/blob/master/docs/ENVIRONMENT.md * sd-daemon gained a new API sd_is_socket_sockaddr() for determining whether a specific socket file descriptor matches a specified socket @@ -3293,11 +3846,10 @@ CHANGES WITH 226: correct dequeuing of real-time signals, without losing signal events. - * When systemd requests a PolicyKit decision when managing - units it will now add additional fields to the request, - including unit name and desired operation. This enables more - powerful PolicyKit policies, that make decisions depending - on these parameters. + * When systemd requests a polkit decision when managing units it + will now add additional fields to the request, including unit + name and desired operation. This enables more powerful polkit + policies, that make decisions depending on these parameters. * nspawn learnt support for .nspawn settings files, that may accompany the image files or directories of containers, and 
@@ -3332,13 +3884,12 @@ CHANGES WITH 225: options and allows other programs to query the values. * SELinux access control when enabling/disabling units is no - longer enforced with this release. The previous - implementation was incorrect, and a new corrected - implementation is not yet available. As unit file operations - are still protected via PolicyKit and D-Bus policy this is - not a security problem. Yet, distributions which care about - optimal SELinux support should probably not stabilize on - this release. + longer enforced with this release. The previous implementation + was incorrect, and a new corrected implementation is not yet + available. As unit file operations are still protected via + polkit and D-Bus policy this is not a security problem. Yet, + distributions which care about optimal SELinux support should + probably not stabilize on this release. * sd-bus gained support for matches of type "arg0has=", that test for membership of strings in string arrays sent in bus @@ -3710,11 +4261,10 @@ CHANGES WITH 220: * systemd-importd gained support for verifying downloaded images with gpg2 (previously only gpg1 was supported). - * systemd-machined, systemd-logind, systemd: most bus calls - are now accessible to unprivileged processes via - PolicyKit. Also, systemd-logind will now allow users to kill - their own sessions without further privileges or - authorization. + * systemd-machined, systemd-logind, systemd: most bus calls are + now accessible to unprivileged processes via polkit. Also, + systemd-logind will now allow users to kill their own sessions + without further privileges or authorization. * systemd-shutdownd has been removed. This service was previously responsible for implementing scheduled shutdowns 
@@ -4369,7 +4919,7 @@ CHANGES WITH 217: /run/systemd/user directory that was already previously supported, but is under the control of the user. - * Job timeouts (i.e. time-outs on the time a job that is + * Job timeouts (i.e. timeouts on the time a job that is queued stays in the run queue) can now optionally result in immediate reboot or power-off actions (JobTimeoutAction= and JobTimeoutRebootArgument=). This is useful on ".target" @@ -4496,11 +5046,11 @@ CHANGES WITH 217: directly from now on, again. * Support for the new ALLOW_INTERACTIVE_AUTHORIZATION D-Bus - message flag has been added for all of systemd's PolicyKit - authenticated method calls has been added. In particular - this now allows optional interactive authorization via - PolicyKit for many of PID1's privileged operations such as - unit file enabling and disabling. + message flag has been added for all of systemd's polkit + authenticated method calls has been added. In particular this + now allows optional interactive authorization via polkit for + many of PID1's privileged operations such as unit file + enabling and disabling. * "udevadm hwdb --update" learnt a new switch "--usr" for placing the rebuilt hardware database in /usr instead of 
@@ -4579,11 +5129,11 @@ CHANGES WITH 216: well as the user/group databases, which should enhance compatibility with certain tools like grpck. - * A number of bus APIs of PID 1 now optionally consult - PolicyKit to permit access for otherwise unprivileged - clients under certain conditions. Note that this currently - doesn't support interactive authentication yet, but this is - expected to be added eventually, too. + * A number of bus APIs of PID 1 now optionally consult polkit to + permit access for otherwise unprivileged clients under certain + conditions. Note that this currently doesn't support + interactive authentication yet, but this is expected to be + added eventually, too. * /etc/machine-info now has new fields for configuring the deployment environment of the machine, as well as the @@ -7056,8 +7606,8 @@ CHANGES WITH 198: the rest of the package. It also has been updated to work correctly in initrds. - * Policykit previously has been runtime optional, and is now - also compile time optional via a configure switch. + * polkit previously has been runtime optional, and is now also + compile time optional via a configure switch. * systemd-analyze has been reimplemented in C. Also "systemctl dot" has moved into systemd-analyze. @@ -7225,9 +7775,9 @@ CHANGES WITH 197: user/vendor or is automatically determined from ACPI and DMI information if possible. - * A number of PolicyKit actions are now bound together with - "imply" rules. This should simplify creating UIs because - many actions will now authenticate similar ones as well. + * A number of polkit actions are now bound together with "imply" + rules. This should simplify creating UIs because many actions + will now authenticate similar ones as well. * Unit files learnt a new condition ConditionACPower= which may be used to conditionalize a unit depending on whether an 
@@ -7366,14 +7916,13 @@ CHANGES WITH 196: to maintain the necessary patches downstream, or find a different solution. (Talk to us if you have questions!) - * Various systemd components will now bypass PolicyKit checks - for root and otherwise handle properly if PolicyKit is not - found to be around. This should fix most issues for - PolicyKit-less systems. Quite frankly this should have been - this way since day one. It is absolutely our intention to - make systemd work fine on PolicyKit-less systems, and we - consider it a bug if something does not work as it should if - PolicyKit is not around. + * Various systemd components will now bypass polkit checks for + root and otherwise handle properly if polkit is not found to + be around. This should fix most issues for polkit-less + systems. Quite frankly this should have been this way since + day one. It is absolutely our intention to make systemd work + fine on polkit-less systems, and we consider it a bug if + something does not work as it should if polkit is not around. * For embedded systems it is now possible to build udev and systemd without blkid and/or kmod support.
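Review bot: in the @@ -133,9 +666,10 @@ hunk the new %E entry says it expands to $XDG_CONFIG_HOME for user units but does not say what happens when that variable is unset, while the neighbouring %T/%V sentence does spell out its fallback ("or whatever temporary directory has been set for the calling user"); add the fallback (or an explicit "unset means no expansion") so unit authors can rely on the specifier in both cases.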
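Review bot: in the @@ -313,34 +855,46 @@ hunk the unchanged context line "wher this is now used by default" carries a typo ("wher" for "where"); since the hunk already rewraps the surrounding block, fix it in the same change. In the same hunk the new ConditionSecurity= entry describes the "uefi-secureboot" value as true when booted in UEFI "secure mode"; the firmware feature the value is named after is UEFI Secure Boot, so say "booted with UEFI Secure Boot enabled" rather than the vaguer "secure mode" so readers do not confuse it with another firmware setting.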
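Review bot: the @@ -285,9 +820,16 @@ hunk (together with @@ -1588,7 +2141,7 @@) rewrites doc/ links to docs/ for the CGROUP_DELEGATION, PORTABLE_SERVICES, CODE_QUALITY and ENVIRONMENT pages; worth grepping the rest of NEWS for any remaining github.com/systemd/systemd/blob/master/doc/ URL so none is left pointing at the old directory. Also, "github PR workflow" in the new Boot Loader Specification paragraph should read "GitHub".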
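Review bot: the @@ -3293,11 +3846,10 @@ hunk, and the following hunks for releases 225, 220, 217, 216, 198, 197 and 196, rewrap entire paragraphs of already-published release notes in order to rename PolicyKit to polkit; that widens the diff and makes git blame on those sections noisier than a word-level substitution would. Either keep the old line breaks and replace only the word, or note in the commit message that the rewrap is deliberate. While rewriting the 226 paragraph, also drop the comma splice in "more powerful polkit policies, that make decisions" (no comma before "that").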
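Review bot: in the @@ -4496,11 +5046,11 @@ hunk the rewrapped sentence still reads "message flag has been added for all of systemd's polkit authenticated method calls has been added", so the duplicated "has been added" survives the rewrite; since these lines are being changed anyway, end the sentence after "method calls", i.e. "Support for the new ALLOW_INTERACTIVE_AUTHORIZATION D-Bus message flag has been added for all of systemd's polkit authenticated method calls."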