X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=NEWS;h=d9f4e2be94c6d855a304fda66f8c3c0839f3cdb5;hb=52d86690d68779b120a4380f7cc740825827fb0d;hp=07ad6875b0a75cc60b04607c3cd6a9029edd30be;hpb=704ae536595a045fe6c396f55e81c43751cb8e98;p=thirdparty%2Fsystemd.git diff --git a/NEWS b/NEWS index 07ad6875b0a..d9f4e2be94c 100644 --- a/NEWS +++ b/NEWS 
@@ -1,6 +1,76 @@ systemd System and Service Manager -CHANGES WITH 239 in spe: +CHANGES WITH 240 in spe: + + * A new service type has been added: Type=exec. It's very similar to + Type=simple and ensures the service manager will wait for both fork() + and execve() of the main service binary to complete before proceeding + with follow-up units. This is primarily useful so that the manager + propagates any errors in the preparation phase of service execution + back to the job that requested the unit to be started. For example, + consider a service that has ExecStart= set to a file system binary + that doesn't exist. With Type=simple starting the unit would + typically succeed instantly, as only fork() has to complete + successfully and execve() is not waited for, and hence its failure is + seen "too late". With the new Type=exec service type starting the + unit will fail, as the execve() will be waited for and will fail, + which is then propagated back to the start job. + + NOTE: with the next release 241 of systemd we intend to change the + systemd-run tool to default to Type=exec for transient services + started by it. This should be mostly safe, but in specific corner + cases might result in problems, as the systemd-run tool will then + block on NSS calls (such as user name lookups due to User=) done + between the fork() and execve(), which under specific circumstances + might cause problems. It is recommended to specify "-p Type=simple" + explicitly in the few cases where this applies. For regular, + non-transient services (i.e. those defined with unit files on disk) + we will continue to default to Type=simple. + + * The Linux kernel's current default RLIMIT_NOFILE resource limit for + userspace processes is set to 1024 (soft) and 4096 + (hard). Previously, systemd passed this on unmodified to all + processes it forked off. 
With this systemd release the hard limit + systemd passes on is increased to 256K, overriding the kernel's + defaults and substantially increasing the number of simultaneous file + descriptors unprivileged userspace processes can allocate. Note that + the soft limit remains at 1024 for compatibility reasons: the + traditional UNIX select() call cannot deal with file descriptors >= + 1024 and increasing the soft limit globally might thus result in + programs unexpectedly allocating a high file descriptor and thus + failing abnormally when attempting to use it with select() (of + course, programs shouldn't use select() anymore, and prefer + poll()/epoll, but the call unfortunately remains undeservedly popular + at this time). This change reflects the fact that file descriptor + handling in the Linux kernel has been optimized in more recent + kernels and allocating large numbers of them should be much cheaper + both in memory and in performance than it used to be. Programs that + want to take benefit of the increased limit have to "opt-in" into + high file descriptors explicitly by setting their soft limit to the + hard limit during initialization. Of course, when doing that they + must do this acknowledging the fact that they cannot use select() + anymore (and neither can any shared library they use — or any shared + library used by any shared library they use and so on). + + * The fs.nr_open and fs.file-max sysctls are now automatically bumped + to the highest possible values, as separate accounting of file + descriptors is no longer necessary, as memcg tracks them correctly as + part of the memory accounting anyway. Thus, from the four limits on + file descriptors currently enforced (fs.file-max, fs.nr_open, + RLIMIT_NOFILE hard, RLIMIT_NOFILE soft) we turn off the first two, + and keep only the latter two. 
A set of build-time options + (-Dbump-proc-sys-fs-file-max=no and -Dbump-proc-sys-fs-nr-open=no) + has been added to revert this change in behaviour, which might be + an option for systems that turn off memcg in the kernel. + + * When no /etc/locale.conf file exists (and hence no locale settings + are in place), systemd will now use the "C.UTF-8" locale by default, + and set LANG= to it. This locale is supported by various + distributions including Fedora, with clear indications that upstream + glibc is going to make it available too. This locale enables UTF-8 + mode by default, which appears appropriate for 2018. + +CHANGES WITH 239: * NETWORK INTERFACE DEVICE NAMING CHANGES: systemd-udevd's "net_id" builtin will name network interfaces differently than in previous 
@@ -82,7 +152,28 @@ CHANGES WITH 239 in spe: * systemd-resolved.service and systemd-networkd.service now set DynamicUser=yes. The users systemd-resolve and systemd-network are - not created by systemd-sysusers. + not created by systemd-sysusers anymore. + + NOTE: This has a chance of breaking nss-ldap and similar NSS modules + that embedd a network facing module into any process using getpwuid() + or related call: the dynamic allocation of the user ID for + systemd-resolved.service means the service manager has to check NSS + if the user name is already taken when forking off the service. Since + the user in the common case won't be defined in /etc/passwd the + lookup is likely to trigger nss-ldap which in turn might use NSS to + ask systemd-resolved for hostname lookups. This will hence result in + a deadlock: a user name lookup in order to start + systemd-resolved.service will result in a host name lookup for which + systemd-resolved.service needs to be started already. There are + multiple ways to work around this problem: pre-allocate the + "systemd-resolve" user on such systems, so that nss-ldap won't be + triggered; or use a different NSS package that doesn't do networking + in-process but provides a local asynchronous name cache; or configure + the NSS package to avoid lookups for UIDs in the range `pkg-config + systemd --variable=dynamicuidmin` … `pkg-config systemd + --variable=dynamicuidmax`, so that it does not consider itself + authoritative for the same UID range systemd allocates dynamic users + from. * The systemd-resolve tool has been renamed to resolvectl (it also remains available under the old name, for compatibility), and its 
@@ -300,13 +391,13 @@ CHANGES WITH 239 in spe: * New documentation has been added to document cgroups delegation, portable services and the various code quality tools we have set up: - https://github.com/systemd/systemd/blob/master/doc/CGROUP_DELEGATION.md - https://github.com/systemd/systemd/blob/master/doc/PORTABLE_SERVICES.md - https://github.com/systemd/systemd/blob/master/doc/CODE_QUALITY.md + https://github.com/systemd/systemd/blob/master/docs/CGROUP_DELEGATION.md + https://github.com/systemd/systemd/blob/master/docs/PORTABLE_SERVICES.md + https://github.com/systemd/systemd/blob/master/docs/CODE_QUALITY.md * The Boot Loader Specification has been added to the source tree. - https://github.com/systemd/systemd/blob/master/doc/BOOT_LOADER_SPECIFICATION.md + https://github.com/systemd/systemd/blob/master/docs/BOOT_LOADER_SPECIFICATION.md While moving it into our source tree we have updated it and further changes are now accepted through the usual github PR workflow. @@ -374,7 +465,7 @@ CHANGES WITH 239 in spe: Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van Mourik, Yu Watanabe, Zbigniew Jędrzejewski-Szmek - — Berlin, 2018-06-XX + — Berlin, 2018-06-22 CHANGES WITH 238: 
@@ -546,10 +637,9 @@ CHANGES WITH 237: different from what the documentation said, and not particularly useful, as repeated systemd-tmpfiles invocations would not be idempotent and grow such files without bounds. With this release - behaviour has been altered slightly, to match what the documentation - says: lines of this type only have an effect if the indicated files - don't exist yet, and only then the argument string is written to the - file. + behaviour has been altered to match what the documentation says: + lines of this type only have an effect if the indicated files don't + exist yet, and only then the argument string is written to the file. * FUTURE INCOMPATIBILITY: In systemd v238 we intend to slightly change systemd-tmpfiles behaviour: previously, read-only files owned by root @@ -1622,7 +1712,7 @@ CHANGES WITH 233: * Documentation has been added that lists all of systemd's low-level environment variables: - https://github.com/systemd/systemd/blob/master/doc/ENVIRONMENT.md + https://github.com/systemd/systemd/blob/master/docs/ENVIRONMENT.md * sd-daemon gained a new API sd_is_socket_sockaddr() for determining whether a specific socket file descriptor matches a specified socket @@ -3327,11 +3417,10 @@ CHANGES WITH 226: correct dequeuing of real-time signals, without losing signal events. - * When systemd requests a PolicyKit decision when managing - units it will now add additional fields to the request, - including unit name and desired operation. This enables more - powerful PolicyKit policies, that make decisions depending - on these parameters. + * When systemd requests a polkit decision when managing units it + will now add additional fields to the request, including unit + name and desired operation. This enables more powerful polkit + policies, that make decisions depending on these parameters. * nspawn learnt support for .nspawn settings files, that may accompany the image files or directories of containers, and 
@@ -3366,13 +3455,12 @@ CHANGES WITH 225: options and allows other programs to query the values. * SELinux access control when enabling/disabling units is no - longer enforced with this release. The previous - implementation was incorrect, and a new corrected - implementation is not yet available. As unit file operations - are still protected via PolicyKit and D-Bus policy this is - not a security problem. Yet, distributions which care about - optimal SELinux support should probably not stabilize on - this release. + longer enforced with this release. The previous implementation + was incorrect, and a new corrected implementation is not yet + available. As unit file operations are still protected via + polkit and D-Bus policy this is not a security problem. Yet, + distributions which care about optimal SELinux support should + probably not stabilize on this release. * sd-bus gained support for matches of type "arg0has=", that test for membership of strings in string arrays sent in bus @@ -3744,11 +3832,10 @@ CHANGES WITH 220: * systemd-importd gained support for verifying downloaded images with gpg2 (previously only gpg1 was supported). - * systemd-machined, systemd-logind, systemd: most bus calls - are now accessible to unprivileged processes via - PolicyKit. Also, systemd-logind will now allow users to kill - their own sessions without further privileges or - authorization. + * systemd-machined, systemd-logind, systemd: most bus calls are + now accessible to unprivileged processes via polkit. Also, + systemd-logind will now allow users to kill their own sessions + without further privileges or authorization. * systemd-shutdownd has been removed. This service was previously responsible for implementing scheduled shutdowns 
@@ -4530,11 +4617,11 @@ CHANGES WITH 217: directly from now on, again. * Support for the new ALLOW_INTERACTIVE_AUTHORIZATION D-Bus - message flag has been added for all of systemd's PolicyKit - authenticated method calls has been added. In particular - this now allows optional interactive authorization via - PolicyKit for many of PID1's privileged operations such as - unit file enabling and disabling. + message flag has been added for all of systemd's polkit + authenticated method calls has been added. In particular this + now allows optional interactive authorization via polkit for + many of PID1's privileged operations such as unit file + enabling and disabling. * "udevadm hwdb --update" learnt a new switch "--usr" for placing the rebuilt hardware database in /usr instead of @@ -4613,11 +4700,11 @@ CHANGES WITH 216: well as the user/group databases, which should enhance compatibility with certain tools like grpck. - * A number of bus APIs of PID 1 now optionally consult - PolicyKit to permit access for otherwise unprivileged - clients under certain conditions. Note that this currently - doesn't support interactive authentication yet, but this is - expected to be added eventually, too. + * A number of bus APIs of PID 1 now optionally consult polkit to + permit access for otherwise unprivileged clients under certain + conditions. Note that this currently doesn't support + interactive authentication yet, but this is expected to be + added eventually, too. * /etc/machine-info now has new fields for configuring the deployment environment of the machine, as well as the 
@@ -7090,8 +7177,8 @@ CHANGES WITH 198: the rest of the package. It also has been updated to work correctly in initrds. - * Policykit previously has been runtime optional, and is now - also compile time optional via a configure switch. + * polkit previously has been runtime optional, and is now also + compile time optional via a configure switch. * systemd-analyze has been reimplemented in C. Also "systemctl dot" has moved into systemd-analyze. @@ -7259,9 +7346,9 @@ CHANGES WITH 197: user/vendor or is automatically determined from ACPI and DMI information if possible. - * A number of PolicyKit actions are now bound together with - "imply" rules. This should simplify creating UIs because - many actions will now authenticate similar ones as well. + * A number of polkit actions are now bound together with "imply" + rules. This should simplify creating UIs because many actions + will now authenticate similar ones as well. * Unit files learnt a new condition ConditionACPower= which may be used to conditionalize a unit depending on whether an 
@@ -7400,14 +7487,13 @@ CHANGES WITH 196: to maintain the necessary patches downstream, or find a different solution. (Talk to us if you have questions!) - * Various systemd components will now bypass PolicyKit checks - for root and otherwise handle properly if PolicyKit is not - found to be around. This should fix most issues for - PolicyKit-less systems. Quite frankly this should have been - this way since day one. It is absolutely our intention to - make systemd work fine on PolicyKit-less systems, and we - consider it a bug if something does not work as it should if - PolicyKit is not around. + * Various systemd components will now bypass polkit checks for + root and otherwise handle properly if polkit is not found to + be around. This should fix most issues for polkit-less + systems. Quite frankly this should have been this way since + day one. It is absolutely our intention to make systemd work + fine on polkit-less systems, and we consider it a bug if + something does not work as it should if polkit is not around. * For embedded systems it is now possible to build udev and systemd without blkid and/or kmod support.
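Review bot: In the @@ -1,6 +1,76 @@ hunk, the NOTE under the new Type=exec entry says the planned systemd-run default "might result in problems" and then closes the same sentence with "might cause problems", without naming the failure. The only concrete effect the text gives is that systemd-run will block on NSS calls made between fork() and execve(), so say that once, for example "in specific corner cases systemd-run may then block on NSS calls (such as user name lookups due to User=) done between the fork() and execve()". In the RLIMIT_NOFILE entry of the same hunk, "take benefit of" should read "take advantage of" and "opt-in into" should read "opt in to".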
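Review bot: Typo in the added NOTE of the @@ -82,7 +152,28 @@ hunk: "that embedd a network facing module" should be "that embed a network-facing module", and "getpwuid() or related call" should be "or related calls". The last workaround gives the UID range as two backquoted pkg-config invocations joined by "…", and both are wrapped across lines, so it is hard to see where each command starts and ends. Suggest putting each command on a line of its own so that an administrator configuring the NSS package can copy it as is.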
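Review bot: The reflowed sentence in the @@ -4530,11 +4617,11 @@ hunk still says "has been added" twice: "message flag has been added for all of systemd's polkit authenticated method calls has been added." Since these lines are being rewritten for the PolicyKit to polkit rename anyway, drop the trailing "has been added" so the sentence ends at "method calls."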