X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=TODO;h=88fd20ad3eda0050e33e71bfc1060998c4541da3;hb=ddd8e23dc9d6ab33b3b3c243369042a325ba618d;hp=f2309228c88a80dd32a45a035bd1a83f0fc766b0;hpb=3d9237d666e1ac5450132e26ed3a2ed508dbfea7;p=thirdparty%2Fsystemd.git diff --git a/TODO b/TODO index f2309228c88..88fd20ad3ed 100644 --- a/TODO +++ b/TODO @@ -4,15 +4,10 @@ Bugfixes: manager or system manager can be always set. It would be better to reject them when parsing config. -* busctl prints errors to stdout: - busctl tree org.freedesktop.systemd1 /org/freedesktop/systemd1 - External: * Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros. -* wiki: update journal format documentation for lz4 additions - Janitorial Clean-ups: * Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again @@ -22,18 +17,114 @@ Janitorial Clean-ups: Features: +* make use of the new statx mountid and rootmount fields in path_get_mnt_id() + and fd_is_mount_point() + +* make use of new loopback setup ioctl to setup loopback devices in one atomic + ioctl + +* nspawn: move "incoming mount" directory to /run/host, move "inaccessible" + nodes to /run/host, move notify socket (for sd_notify() between payload and + container manager) + +* cryptsetup: if keyfile specified in crypttab is AF_UNIX socket, connect to it + and read from it (like we do elsewhere with READ_FULL_FILE_CONNECT_SOCKET) + +* repart: support setting up dm-integrity with HMAC + +* add /etc/integritytab, to support dm-integrity setups. In particular those + with HMAC as hash function, so that we can have a protected /home without + encryption (leaving encryption to the individual dirs/homed). + +* complement root=, rootflags=, rootfstype= with rootsubdir= which allows + mounting a subdir of the root fs as actual root. This can be used as + fstype-agnostic version of btrfs' rootflags=subvol=foobar. + +* add --copy-from and --copy-to command to systemd-dissect which copies stuff + in and out of a disk image + +* Support ProtectProc= or so, using: https://patchwork.kernel.org/cover/11310197/ + +* if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it + +* build short web pages out of each catalog entry, build them along with man + pages, and include hyperlinks to them in the journal output + +* machined: add API to acquire UID range. add API to mount/dissect loopback + file. Both protected by PK. Then make nspawn use these APIs to run + unprivileged containers. i.e. push the truly privileged bits into machined, + so that the client side can remain entirely unprivileged, with SUID or + anything like that. + +* journald: do journal file writing out-of-process, with one writer process per + client UID, so that synthetic hash table collisions can slow down a specific + user's journal stream down but not the others. + +* add "throttling" to sd-event event sources: optionally, when we wake up too + often for one, let's turn it off entirely for a while. Use that for the + /proc/self/mountinfo logic. + * move our systemd-user PAM snippet to /usr/, which PAM appears to support these days * nspawn: support time namespaces +* systemd-firstboot: make sure to always use chase_symlinks() before + reading/writing files + +* add ConditionSecurity=tpm2 + +* Remove any support for booting without /usr pre-mounted in the initrd entirely. + Update INITRD_INTERFACE.md accordingly. + * pid1: Move to tracking of main pid/control pid of units per pidfd * pid1: support new clone3() fork-into-cgroup feature +* pid1: also remove PID files of a service when the service starts, not just + when it exits + +* make us use dynamically fewer deps for containers in general purpose distros: + o turn into dlopen() deps: + - libpwquality (always) - only relevant for homed, and maybe soon + firstboot + - elfutils (always) + - p11-kit-trust (always) + - kmod-libs (only when called from PID 1) + - cryptsetup-libs (only in RootImage= handling in PID 1, but not in systemd-cryptsetup) + - similar: libblkid + - libpam (only when called from PID 1) + - bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are, + since they are so basic and our defaults) + o move into separate libsystemd-shared-iptables.so .so + - iptables-libs (only used by nspawn + networkd) + +* seccomp: when SystemCallArchitectures=native is set then don't install any + other seccomp filters for any of the other archs, in order to reduce the + number of seccomp filters we install needlessly. + +* seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can. + Apparently kernel performance is much better with fewer larger seccomp + filters than with more smaller seccomp filters. + +* systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum, + mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such + +* make "systemd-dissect" an official supported tool, i.e. move to /usr/bin/ and + provide man page. Given that we now have a tool that can generate images like + this, it's useful to have one that can dump contents of them, too. + * All tools that support --root= should also learn --image= so that they can - operate on disk images directly. Specifically: bootctl, firstboot, tmpfiles, - sysusers, systemctl, repart, journalctl, coredumpctl. + operate on disk images directly. Specifically: bootctl, tmpfiles, sysusers, + systemctl, repart, journalctl, coredumpctl. (Already done: systemd-nspawn, + systemd-firstboot) + +* seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out + +* seccomp: don't install filters for ABIs that are masked anyway for the + specific service + +* seccomp: maybe merge all filters we install into one with that libseccomp API that allows merging. * per-service credential system. Specifically: add LoadCredential= (for loading cred from file), AcquireCredential= (for asking user for cred, via @@ -61,30 +152,28 @@ Features: * homed: add a way to "adopt" a home directory, i.e. strip foreign signatures and insert a local signature instead. -* Maybe expose path_is_encrypted() as a new ConditionPathIsEncrypted=? - * homed: as an extension to the directory+subvolume backend: if located on especially marked fs, then sync down password into LUKS header of that fs, and always verify passwords against it too. Bootstrapping is a problem - though: if noone is logged in (or no other user even exists yet), how do you + though: if no one is logged in (or no other user even exists yet), how do you unlock the volume in order to create the first user and add the first pw. * homed: support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt -* busctl: maybe expose a verb "ping" for pinging a dbus service to see if it - exists and responds. - * homed: maybe pre-create ~/.cache as subvol so that it can have separate quota easily? +* busctl: maybe expose a verb "ping" for pinging a dbus service to see if it + exists and responds. + * when systemd-nspawn and suchlike dissect an OS image, and there are multiple root partitions, do an strverscmp() on the partition label and boot first. That is inspired how sd-boot figures out which kernel to boot, and thus allows defining OS images which can be A/B updated and we default to the newest version automatically, both in nspawn and in sd-boot -* cryptsetup/homed: also support FIDO2 HMAC password logic for unlocking - devices. (see: https://github.com/mjec/fido2-hmac-secret) +* cryptsetup: support FIDO2 tokens for deriving keys (i.e. do what homed can do + also in plain cryptsetup) * systemd-gpt-auto should probably set x-systemd.growfs on the mounts it creates @@ -99,6 +188,10 @@ Features: - teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host - make it operate on loopback files, dissecting enough to find ESP to operate on +* Maybe add a separate GPT partition type to the discoverable partition spec + for "hibernate" partitions, that are exactly like swap partitions but only + activated right before hibernation and thus never used for regular swapping. + * by default, in systemd --user service bump the OOMAdjust to 100, as privs allow so that systemd survives @@ -111,7 +204,8 @@ Features: * socket units: allow creating a udev monitor socket with ListenDevices= or so, with matches, then activate app through that passing socket over -* unify on openssl: +* unify on openssl (as soon as OpenSSL 3.0 is out, and the Debian license + confusion is gone) - port sd_id128_get_machine_app_specific() over from khash - port resolved over from libgcrypt (DNSSEC code) - port journald + fsprg over from libgcrypt @@ -137,13 +231,6 @@ Features: end), in order to maximize dd'ability. Requires libfdisk work, see https://github.com/karelzak/util-linux/issues/907 -* systemd-repart: optionally, allow specifying a path to initialize new - partitions from, i.e. an fs image file or a source device node. This would - then turn systemd-repart into a simple installer: with a few .repart files - you could replicate the host system on another device. a full installer would - then be: "systemd-repart /dev/sda && bootctl install /dev/sda && - systemd-firstboot --image= …" - * systemd-repart: MBR partition table support. Care needs to be taken regarding Type=, so that partition definitions can sanely apply to both the GPT and the MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types @@ -159,21 +246,29 @@ Features: * systemd-repart: allow managing the gpt read-only partition flag + auto-mount flag +* systemd-repart: allow boolean option that ensures that if existing partition + doesn't exist within the configured size bounds the whole command fails. This + is useful to implement ESP vs. XBOOTLDR schemes in installers: have one set + of repart files for the case where ESP is large enough and one where it isn't + and XBOOTLDR is added in instead. Then apply the former first, and if it + fails to apply use the latter. + +* systemd-repart: add per-partition option to never reuse existing partition + and always create anew even if matching partition already exists. + +* systemd-repart: add per-partition option to fail if partition already exist, + i.e. is not added new. Similar, add option to fail if partition does not exist yet. + +* systemd-repart: add --size=auto for generating/resizing images of minimal + size, i.e. where the image file is sized exactly as large as necessary taking + SizeMin= into account, but not a single byte larger. + * systemd-repart: allow disabling growing of specific partitions, or making them (think ESP: we don't ever want to grow it, since we cannot resize vfat) -* systemd-repart: add specifier expansion, add especifier that refers to root - device node of current system, /usr device node, and matching verity, so that - an installer can be made a "copy" installer of the booted OS - * systemd-repart: make it a static checker during early boot for existence and absence of other partitions for trusted boot environments -* systemd-repart: allow config of partition uuid - -* systemd-repart: add --make= switch for fallocating a new file of the - specified size first. - * userdb: allow username prefix searches in varlink API, allow realname and realname substr searches in varlink API @@ -240,14 +335,11 @@ Features: * systemd-firstboot: teach it dissector magic, so that you can point it to some disk image and it will just set everything in it all behind the scenes. -* systemd-firstboot: add --force mode that replaces existing configuration. - * We should probably replace /var/log/README, /etc/rc.d/README with symlinks that are linked to these places instead of copied. After all they are constant vendor data. -* maybe add kernel cmdline params: 1) to force first-boot mode + 2) to force - random seed crediting +* maybe add kernel cmdline params: to force random seed crediting * nspawn: on cgroupsv1 issue cgroup empty handler process based on host events, so that we make cgroup agent logic safe @@ -261,7 +353,6 @@ Features: * homed: - when user tries to log into record signed by unrecognized key, automatically add key to our chain after polkit auth - - hook up machined/nspawn users with a varlink user query interface - rollback when resize fails mid-operation - GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid) - resize on login? @@ -273,7 +364,8 @@ Features: beefing up logind to make pam session close hook synchronous and wait until systemd --user is shut down. - logind: maybe keep a "busy fd" as long as there's a non-released session around or the user@.service - - maybe make automatic, read-only, time-based reflink-copies of LUKS disk images (think: time machine) + - maybe make automatic, read-only, time-based reflink-copies of LUKS disk + images (and btrfs snapshots of subvolumes) (think: time machine) - distinguish destroy / remove (i.e. currently we can unregister a user, unregister+remove their home directory, but not just remove their home directory) - in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl set-linger" mode work - fingerprint authentication, pattern authentication, … @@ -289,6 +381,9 @@ Features: - make slice for users configurable (requires logind rework) - logind: populate auto-login list bus property from PKCS#11 token - when determining state of a LUKS home directory, check DM suspended sysfs file + - introduce API for "making room", that grows/shrinks home directory + according to elastic parameters, discards blocks, and removes additional snapshots. Call it + either from UI when disk space gets low * introduce a new per-process uuid, similar to the boot id, the machine id, the invocation id, that is derived from process creds, specifically a hashed @@ -509,9 +604,6 @@ Features: * support projid-based quota in machinectl for containers -* maybe use SOURCE_DATE_EPOCH (i.e. the env var the reproducible builds folks - introduced) as the RTC epoch, instead of the mtime of NEWS. - * add a way to lock down cgroup migration: a boolean, which when set for a unit makes sure the processes in it can never migrate out of it @@ -845,6 +937,10 @@ Features: - allow multiple signal handlers per signal? - document chaining of signal handler for SIGCHLD and child handlers - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ... + - maybe support iouring as backend, so that we allow hooking read and write + operations instead of IO ready events into event loops. See considerations + here: + http://blog.vmsplice.net/2020/07/rethinking-event-loop-integration-for.html * investigate endianness issues of UUID vs. GUID @@ -945,7 +1041,7 @@ Features: - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access - journactl: support negative filtering, i.e. FOOBAR!="waldo", and !FOOBAR for events without FOOBAR. - - journal: store timestamp of journal_file_set_offline() int he header, + - journal: store timestamp of journal_file_set_offline() in the header, so it is possible to display when the file was last synced. - journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again. - journal: find a way to allow dropping history early, based on priority, other rules @@ -987,6 +1083,7 @@ Features: them via machined, and also watch containers coming and going. Benefit: nspawn --ephemeral would start working nicely with the journal. - assign MESSAGE_ID to log messages about failed services + - check if loop in decompress_blob_xz() is necessary * add a test if all entries in the catalog are properly formatted. (Adding dashes in a catalog entry currently results in the catalog entry @@ -1002,7 +1099,8 @@ Features: - document systemd-journal-flush.service properly - documentation: recommend to connect the timer units of a service to the service via Also= in [Install] - man: document the very specific env the shutdown drop-in tools live in - - man: add more examples to man pages + - man: add more examples to man pages, + - in particular an example how to do the equivalent of switching runlevels - man: maybe sort directives in man pages, and take sections from --help and apply them to man too - document root=gpt-auto properly @@ -1201,17 +1299,14 @@ Features: * networkd: - add more keys to [Route] and [Address] sections - add support for more DHCPv4 options (and, longer term, other kinds of dynamic config) - - add proper initrd support (in particular generate .network/.link files based on /proc/cmdline) - add reduced [Link] support to .network files - - add Scope= parsing option for [Network] - properly handle routerless dhcp leases - work with non-Ethernet devices - - add support for more bond options - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from? - the DHCP lease data (such as NTP/DNS) is still made available when a carrier is lost on a link. It should be removed instantly. - expose in the API the following bits: - - option 15, domain name and/or option 119, search list + - option 15, domain name - option 12, hostname and/or option 81, fqdn - option 123, 144, geolocation - option 252, configure http proxy (PAC/wpad) @@ -1220,11 +1315,9 @@ Features: - allow Name= to be specified repeatedly in the [Match] section. Maybe also support Name=foo*|bar*|baz ? - duplicate address check for static IPs (like ARPCHECK in network-scripts) - - allow DUID/IAID to be customized, see issue #394. - whenever uplink info changes, make DHCP server send out FORCERENEW -* networkd-wait-online: - - make operstates to wait for configurable? +* Figure out how to do unittests of networkd's state serialization * dhcp: - figure out how much we can increase Maximum Message Size @@ -1249,20 +1342,14 @@ External: - natively watch for dbus-*.service symlinks (PENDING) - teach dbus to activate all services it finds in /etc/systemd/services/org-*.service -* fix alsa mixer restore to not print error when no config is stored - * make cryptsetup lower --iter-time -* patch kernel for xattr support in /dev, /proc/, /sys? - * kernel: add device_type = "fb", "fbcon" to class "graphics" * /usr/bin/service should actually show the new command line * fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus= -* fedora: F20: go timer units all the way, leave cron.daily for cron - * neither pkexec nor sudo initialize environ[] from the PAM environment? * fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it