X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=TODO;h=6751bd96aa70d863bbb77b54f8039737e54d88d0;hb=5c236388c39e7c2422e48d55961bba53b5feae71;hp=947274ea19358299f32e8b692fcc9897e9f9b29f;hpb=b3d15d90c0ea163ddea1de82cc8e6f2f1aaefa4b;p=thirdparty%2Fsystemd.git diff --git a/TODO b/TODO index 947274ea193..6751bd96aa7 100644 --- a/TODO +++ b/TODO @@ -4,15 +4,10 @@ Bugfixes: manager or system manager can be always set. It would be better to reject them when parsing config. -* busctl prints errors to stdout: - busctl tree org.freedesktop.systemd1 /org/freedesktop/systemd1 - External: * Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros. -* wiki: update journal format documentation for lz4 additions - Janitorial Clean-ups: * Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again @@ -22,11 +17,43 @@ Janitorial Clean-ups: Features: +* add --copy-from and --copy-to command to systemd-dissect which copies stuff + in and out of a disk image + +* Support ProtectProc= or so, using: https://patchwork.kernel.org/cover/11310197/ + +* if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it + +* add loud warning to the logs (with catalog entry) if systemd-udev-settle is + pulled into the boot process + +* build short web pages out of each catalog entry, build them along with man + pages, and include hyperlinks to them in the journal output + +* machined: add API to acquire UID range. add API to mount/dissect loopback + file. Both protected by PK. Then make nspawn use these APIs to run + unprivileged containers. i.e. push the truly privileged bits into machined, + so that the client side can remain entirely unprivileged, with SUID or + anything like that. + +* journald: do journal file writing out-of-process, with one writer process per + client UID, so that synthetic hash table collisions can slow down a specific + user's journal stream down but not the others. + +* add "throttling" to sd-event event sources: optionally, when we wake up too + often for one, let's turn it off entirely for a while. Use that for the + /proc/self/mountinfo logic. + * move our systemd-user PAM snippet to /usr/, which PAM appears to support these days * nspawn: support time namespaces +* add ConditionSecurity=tpm2 + +* Remove any support for booting without /usr pre-mounted in the initrd entirely. + Update INITRD_INTERFACE.md accordingly. + * pid1: Move to tracking of main pid/control pid of units per pidfd * pid1: support new clone3() fork-into-cgroup feature @@ -34,6 +61,34 @@ Features: * pid1: also remove PID files of a service when the service starts, not just when it exits +* make us use dynamically fewer deps for containers in general purpose distros: + o turn into dlopen() deps: + - pcre2 (always) — irrelevant on Fedora, since dep by + libselinux, but should benefit Debian + - libpwquality (always) - only relevant for homed, and maybe soon + firstboot + - elfutils (always) + - p11-kit-trust (always) + - kmod-libs (only when called from PID 1) + - cryptsetup-libs (only in RootImage= handling in PID 1, but not in systemd-cryptsetup) + - similar: libblkid + - libpam (only when called from PID 1) + - bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are, + since they are so basic and our defaults) + o move into separate libsystemd-shared-iptables.so .so + - iptables-libs (only used by nspawn + networkd) + +* seccomp: when SystemCallArchitectures=native is set then don't install any + other seccomp filters for any of the other archs, in order to reduce the + number of seccomp filters we install needlessly. + +* seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can. + Apparently kernel performance is much better with fewer larger seccomp + filters than with more smaller seccomp filters. + +* systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum, + mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such + * make "systemd-dissect" an official supported tool, i.e. move to /usr/bin/ and provide man page. Given that we now have a tool that can generate images like this, it's useful to have one that can dump contents of them, too. @@ -42,6 +97,13 @@ Features: operate on disk images directly. Specifically: bootctl, firstboot, tmpfiles, sysusers, systemctl, repart, journalctl, coredumpctl. +* seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out + +* seccomp: don't install filters for ABIs that are masked anyway for the + specific service + +* seccomp: maybe merge all filters we install into one with that libseccomp API that allows merging. + * per-service credential system. Specifically: add LoadCredential= (for loading cred from file), AcquireCredential= (for asking user for cred, via ask-password), PassCredential= (for passing on credential systemd itself @@ -71,7 +133,7 @@ Features: * homed: as an extension to the directory+subvolume backend: if located on especially marked fs, then sync down password into LUKS header of that fs, and always verify passwords against it too. Bootstrapping is a problem - though: if noone is logged in (or no other user even exists yet), how do you + though: if no one is logged in (or no other user even exists yet), how do you unlock the volume in order to create the first user and add the first pw. * homed: support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt @@ -104,6 +166,10 @@ Features: - teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host - make it operate on loopback files, dissecting enough to find ESP to operate on +* Maybe add a separate GPT partition type to the discoverable partition spec + for "hibernate" partitions, that are exactly like swap partitions but only + activated right before hibernation and thus never used for regular swapping. + * by default, in systemd --user service bump the OOMAdjust to 100, as privs allow so that systemd survives @@ -116,7 +182,8 @@ Features: * socket units: allow creating a udev monitor socket with ListenDevices= or so, with matches, then activate app through that passing socket over -* unify on openssl: +* unify on openssl (as soon as OpenSSL 3.0 is out, and the Debian license + confusion is gone) - port sd_id128_get_machine_app_specific() over from khash - port resolved over from libgcrypt (DNSSEC code) - port journald + fsprg over from libgcrypt @@ -142,13 +209,6 @@ Features: end), in order to maximize dd'ability. Requires libfdisk work, see https://github.com/karelzak/util-linux/issues/907 -* systemd-repart: optionally, allow specifying a path to initialize new - partitions from, i.e. an fs image file or a source device node. This would - then turn systemd-repart into a simple installer: with a few .repart files - you could replicate the host system on another device. a full installer would - then be: "systemd-repart /dev/sda && bootctl install /dev/sda && - systemd-firstboot --image= …" - * systemd-repart: MBR partition table support. Care needs to be taken regarding Type=, so that partition definitions can sanely apply to both the GPT and the MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types @@ -164,18 +224,29 @@ Features: * systemd-repart: allow managing the gpt read-only partition flag + auto-mount flag +* systemd-repart: allow boolean option that ensures that if existing partition + doesn't exist within the configured size bounds the whole command fails. This + is useful to implement ESP vs. XBOOTLDR schemes in installers: have one set + of repart files for the case where ESP is large enough and one where it isn't + and XBOOTLDR is added in instead. Then apply the former first, and if it + fails to apply use the latter. + +* systemd-repart: add per-partition option to never reuse existing partition + and always create anew even if matching partition already exists. + +* systemd-repart: add per-partition option to fail if partition already exist, + i.e. is not added new. Similar, add option to fail if partition does not exist yet. + +* systemd-repart: add --size=auto for generating/resizing images of minimal + size, i.e. where the image file is sized exactly as large as necessary taking + SizeMin= into account, but not a single byte larger. + * systemd-repart: allow disabling growing of specific partitions, or making them (think ESP: we don't ever want to grow it, since we cannot resize vfat) -* systemd-repart: add specifier expansion, add especifier that refers to root - device node of current system, /usr device node, and matching verity, so that - an installer can be made a "copy" installer of the booted OS - * systemd-repart: make it a static checker during early boot for existence and absence of other partitions for trusted boot environments -* systemd-repart: allow config of partition uuid - * userdb: allow username prefix searches in varlink API, allow realname and realname substr searches in varlink API @@ -242,14 +313,11 @@ Features: * systemd-firstboot: teach it dissector magic, so that you can point it to some disk image and it will just set everything in it all behind the scenes. -* systemd-firstboot: add --force mode that replaces existing configuration. - * We should probably replace /var/log/README, /etc/rc.d/README with symlinks that are linked to these places instead of copied. After all they are constant vendor data. -* maybe add kernel cmdline params: 1) to force first-boot mode + 2) to force - random seed crediting +* maybe add kernel cmdline params: to force random seed crediting * nspawn: on cgroupsv1 issue cgroup empty handler process based on host events, so that we make cgroup agent logic safe @@ -1200,17 +1268,14 @@ Features: * networkd: - add more keys to [Route] and [Address] sections - add support for more DHCPv4 options (and, longer term, other kinds of dynamic config) - - add proper initrd support (in particular generate .network/.link files based on /proc/cmdline) - add reduced [Link] support to .network files - - add Scope= parsing option for [Network] - properly handle routerless dhcp leases - work with non-Ethernet devices - - add support for more bond options - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from? - the DHCP lease data (such as NTP/DNS) is still made available when a carrier is lost on a link. It should be removed instantly. - expose in the API the following bits: - - option 15, domain name and/or option 119, search list + - option 15, domain name - option 12, hostname and/or option 81, fqdn - option 123, 144, geolocation - option 252, configure http proxy (PAC/wpad) @@ -1219,11 +1284,9 @@ Features: - allow Name= to be specified repeatedly in the [Match] section. Maybe also support Name=foo*|bar*|baz ? - duplicate address check for static IPs (like ARPCHECK in network-scripts) - - allow DUID/IAID to be customized, see issue #394. - whenever uplink info changes, make DHCP server send out FORCERENEW -* networkd-wait-online: - - make operstates to wait for configurable? +* Figure out how to do unittests of networkd's state serialization * dhcp: - figure out how much we can increase Maximum Message Size @@ -1248,20 +1311,14 @@ External: - natively watch for dbus-*.service symlinks (PENDING) - teach dbus to activate all services it finds in /etc/systemd/services/org-*.service -* fix alsa mixer restore to not print error when no config is stored - * make cryptsetup lower --iter-time -* patch kernel for xattr support in /dev, /proc/, /sys? - * kernel: add device_type = "fb", "fbcon" to class "graphics" * /usr/bin/service should actually show the new command line * fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus= -* fedora: F20: go timer units all the way, leave cron.daily for cron - * neither pkexec nor sudo initialize environ[] from the PAM environment? * fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it