X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=TODO;h=88fd20ad3eda0050e33e71bfc1060998c4541da3;hb=604b163a31712b7d3abd5b9627e07464adc31e38;hp=c4275b48e0852348d4b6fd4d3f0998ff3bcd007c;hpb=d3d0b763b4316e63fbf15926f8da45e6565b1a8b;p=thirdparty%2Fsystemd.git diff --git a/TODO b/TODO index c4275b48e08..88fd20ad3ed 100644 --- a/TODO +++ b/TODO @@ -8,8 +8,6 @@ External: * Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros. -* wiki: update journal format documentation for lz4 additions - Janitorial Clean-ups: * Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again @@ -19,11 +17,31 @@ Janitorial Clean-ups: Features: -* add systemd.random_seed= on the kernel cmdline, taking some hex or base64 - encoded data. During earliest boot, credit it to entropy. This is not useful - for general purpose systems, but certainly for testing environments in VMs - and such, as it allows us to boot up instantly with fully initialized entropy - pool even if RNG pass-thru is not available. +* make use of the new statx mountid and rootmount fields in path_get_mnt_id() + and fd_is_mount_point() + +* make use of new loopback setup ioctl to setup loopback devices in one atomic + ioctl + +* nspawn: move "incoming mount" directory to /run/host, move "inaccessible" + nodes to /run/host, move notify socket (for sd_notify() between payload and + container manager) + +* cryptsetup: if keyfile specified in crypttab is AF_UNIX socket, connect to it + and read from it (like we do elsewhere with READ_FULL_FILE_CONNECT_SOCKET) + +* repart: support setting up dm-integrity with HMAC + +* add /etc/integritytab, to support dm-integrity setups. In particular those + with HMAC as hash function, so that we can have a protected /home without + encryption (leaving encryption to the individual dirs/homed). + +* complement root=, rootflags=, rootfstype= with rootsubdir= which allows + mounting a subdir of the root fs as actual root. This can be used as + fstype-agnostic version of btrfs' rootflags=subvol=foobar. + +* add --copy-from and --copy-to command to systemd-dissect which copies stuff + in and out of a disk image * Support ProtectProc= or so, using: https://patchwork.kernel.org/cover/11310197/ @@ -38,6 +56,10 @@ Features: so that the client side can remain entirely unprivileged, with SUID or anything like that. +* journald: do journal file writing out-of-process, with one writer process per + client UID, so that synthetic hash table collisions can slow down a specific + user's journal stream down but not the others. + * add "throttling" to sd-event event sources: optionally, when we wake up too often for one, let's turn it off entirely for a while. Use that for the /proc/self/mountinfo logic. @@ -47,6 +69,9 @@ Features: * nspawn: support time namespaces +* systemd-firstboot: make sure to always use chase_symlinks() before + reading/writing files + * add ConditionSecurity=tpm2 * Remove any support for booting without /usr pre-mounted in the initrd entirely. @@ -59,6 +84,29 @@ Features: * pid1: also remove PID files of a service when the service starts, not just when it exits +* make us use dynamically fewer deps for containers in general purpose distros: + o turn into dlopen() deps: + - libpwquality (always) - only relevant for homed, and maybe soon + firstboot + - elfutils (always) + - p11-kit-trust (always) + - kmod-libs (only when called from PID 1) + - cryptsetup-libs (only in RootImage= handling in PID 1, but not in systemd-cryptsetup) + - similar: libblkid + - libpam (only when called from PID 1) + - bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are, + since they are so basic and our defaults) + o move into separate libsystemd-shared-iptables.so .so + - iptables-libs (only used by nspawn + networkd) + +* seccomp: when SystemCallArchitectures=native is set then don't install any + other seccomp filters for any of the other archs, in order to reduce the + number of seccomp filters we install needlessly. + +* seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can. + Apparently kernel performance is much better with fewer larger seccomp + filters than with more smaller seccomp filters. + * systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum, mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such @@ -67,8 +115,9 @@ Features: this, it's useful to have one that can dump contents of them, too. * All tools that support --root= should also learn --image= so that they can - operate on disk images directly. Specifically: bootctl, firstboot, tmpfiles, - sysusers, systemctl, repart, journalctl, coredumpctl. + operate on disk images directly. Specifically: bootctl, tmpfiles, sysusers, + systemctl, repart, journalctl, coredumpctl. (Already done: systemd-nspawn, + systemd-firstboot) * seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out @@ -111,20 +160,20 @@ Features: * homed: support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt -* busctl: maybe expose a verb "ping" for pinging a dbus service to see if it - exists and responds. - * homed: maybe pre-create ~/.cache as subvol so that it can have separate quota easily? +* busctl: maybe expose a verb "ping" for pinging a dbus service to see if it + exists and responds. + * when systemd-nspawn and suchlike dissect an OS image, and there are multiple root partitions, do an strverscmp() on the partition label and boot first. That is inspired how sd-boot figures out which kernel to boot, and thus allows defining OS images which can be A/B updated and we default to the newest version automatically, both in nspawn and in sd-boot -* cryptsetup/homed: also support FIDO2 HMAC password logic for unlocking - devices. (see: https://github.com/mjec/fido2-hmac-secret) +* cryptsetup: support FIDO2 tokens for deriving keys (i.e. do what homed can do + also in plain cryptsetup) * systemd-gpt-auto should probably set x-systemd.growfs on the mounts it creates @@ -139,6 +188,10 @@ Features: - teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host - make it operate on loopback files, dissecting enough to find ESP to operate on +* Maybe add a separate GPT partition type to the discoverable partition spec + for "hibernate" partitions, that are exactly like swap partitions but only + activated right before hibernation and thus never used for regular swapping. + * by default, in systemd --user service bump the OOMAdjust to 100, as privs allow so that systemd survives @@ -151,7 +204,8 @@ Features: * socket units: allow creating a udev monitor socket with ListenDevices= or so, with matches, then activate app through that passing socket over -* unify on openssl: +* unify on openssl (as soon as OpenSSL 3.0 is out, and the Debian license + confusion is gone) - port sd_id128_get_machine_app_specific() over from khash - port resolved over from libgcrypt (DNSSEC code) - port journald + fsprg over from libgcrypt @@ -177,13 +231,6 @@ Features: end), in order to maximize dd'ability. Requires libfdisk work, see https://github.com/karelzak/util-linux/issues/907 -* systemd-repart: optionally, allow specifying a path to initialize new - partitions from, i.e. an fs image file or a source device node. This would - then turn systemd-repart into a simple installer: with a few .repart files - you could replicate the host system on another device. a full installer would - then be: "systemd-repart /dev/sda && bootctl install /dev/sda && - systemd-firstboot --image= …" - * systemd-repart: MBR partition table support. Care needs to be taken regarding Type=, so that partition definitions can sanely apply to both the GPT and the MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types @@ -199,18 +246,29 @@ Features: * systemd-repart: allow managing the gpt read-only partition flag + auto-mount flag +* systemd-repart: allow boolean option that ensures that if existing partition + doesn't exist within the configured size bounds the whole command fails. This + is useful to implement ESP vs. XBOOTLDR schemes in installers: have one set + of repart files for the case where ESP is large enough and one where it isn't + and XBOOTLDR is added in instead. Then apply the former first, and if it + fails to apply use the latter. + +* systemd-repart: add per-partition option to never reuse existing partition + and always create anew even if matching partition already exists. + +* systemd-repart: add per-partition option to fail if partition already exist, + i.e. is not added new. Similar, add option to fail if partition does not exist yet. + +* systemd-repart: add --size=auto for generating/resizing images of minimal + size, i.e. where the image file is sized exactly as large as necessary taking + SizeMin= into account, but not a single byte larger. + * systemd-repart: allow disabling growing of specific partitions, or making them (think ESP: we don't ever want to grow it, since we cannot resize vfat) -* systemd-repart: add specifier expansion, add especifier that refers to root - device node of current system, /usr device node, and matching verity, so that - an installer can be made a "copy" installer of the booted OS - * systemd-repart: make it a static checker during early boot for existence and absence of other partitions for trusted boot environments -* systemd-repart: allow config of partition uuid - * userdb: allow username prefix searches in varlink API, allow realname and realname substr searches in varlink API @@ -295,7 +353,6 @@ Features: * homed: - when user tries to log into record signed by unrecognized key, automatically add key to our chain after polkit auth - - hook up machined/nspawn users with a varlink user query interface - rollback when resize fails mid-operation - GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid) - resize on login? @@ -307,7 +364,8 @@ Features: beefing up logind to make pam session close hook synchronous and wait until systemd --user is shut down. - logind: maybe keep a "busy fd" as long as there's a non-released session around or the user@.service - - maybe make automatic, read-only, time-based reflink-copies of LUKS disk images (think: time machine) + - maybe make automatic, read-only, time-based reflink-copies of LUKS disk + images (and btrfs snapshots of subvolumes) (think: time machine) - distinguish destroy / remove (i.e. currently we can unregister a user, unregister+remove their home directory, but not just remove their home directory) - in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl set-linger" mode work - fingerprint authentication, pattern authentication, … @@ -323,6 +381,9 @@ Features: - make slice for users configurable (requires logind rework) - logind: populate auto-login list bus property from PKCS#11 token - when determining state of a LUKS home directory, check DM suspended sysfs file + - introduce API for "making room", that grows/shrinks home directory + according to elastic parameters, discards blocks, and removes additional snapshots. Call it + either from UI when disk space gets low * introduce a new per-process uuid, similar to the boot id, the machine id, the invocation id, that is derived from process creds, specifically a hashed @@ -876,6 +937,10 @@ Features: - allow multiple signal handlers per signal? - document chaining of signal handler for SIGCHLD and child handlers - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ... + - maybe support iouring as backend, so that we allow hooking read and write + operations instead of IO ready events into event loops. See considerations + here: + http://blog.vmsplice.net/2020/07/rethinking-event-loop-integration-for.html * investigate endianness issues of UUID vs. GUID @@ -976,7 +1041,7 @@ Features: - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access - journactl: support negative filtering, i.e. FOOBAR!="waldo", and !FOOBAR for events without FOOBAR. - - journal: store timestamp of journal_file_set_offline() int he header, + - journal: store timestamp of journal_file_set_offline() in the header, so it is possible to display when the file was last synced. - journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again. - journal: find a way to allow dropping history early, based on priority, other rules @@ -1018,6 +1083,7 @@ Features: them via machined, and also watch containers coming and going. Benefit: nspawn --ephemeral would start working nicely with the journal. - assign MESSAGE_ID to log messages about failed services + - check if loop in decompress_blob_xz() is necessary * add a test if all entries in the catalog are properly formatted. (Adding dashes in a catalog entry currently results in the catalog entry @@ -1033,7 +1099,8 @@ Features: - document systemd-journal-flush.service properly - documentation: recommend to connect the timer units of a service to the service via Also= in [Install] - man: document the very specific env the shutdown drop-in tools live in - - man: add more examples to man pages + - man: add more examples to man pages, + - in particular an example how to do the equivalent of switching runlevels - man: maybe sort directives in man pages, and take sections from --help and apply them to man too - document root=gpt-auto properly