That requires distros to enable CONFIG_ACPI_FPDT, and have kernels v5.12 for
x86 and v6.2 for arm.
- * In v260: remove support for deprecated FactoryReset EFI variable in
- systemd-repart, replaced by FactoryResetRequest.
+ - Remove support for deprecated FactoryReset EFI variable in
+ systemd-repart, replaced by FactoryResetRequest (was planned for v260).
- * Consider removing root=gpt-auto, and push people to use root=dissect instead.
+ - Consider removing root=gpt-auto, and push people to use root=dissect instead.
- * remove any trace of "cpuacct" cgroup controller, it's a cgroupv1 thing.
+ - remove any trace of "cpuacct" cgroup controller, it's a cgroupv1 thing.
similar "devices"
- Features:
- * sysext: make systemd-{sys,conf}ext-sysroot.service work in the split '/var'
- configuration.
+ ## Features
- * introduce a concept of /etc/machine-info "TAGS=" field that allows tagging
- machines with zero, one or more roles, states or other forms of
- categorization. Then, add a way of using this in sysupdate to automatically
- enable certain transfers, one for each role.
+ - a small tool that can do basic btrfs raid policy mgmt. i.e. gets started as
+ part of the initial transaction for some btrfs raid fs, waits for some time,
+ then puts message on screen (plymouth, console) that some devices apparently
+ are not showing up, then counts down, eventually set a flag somewhere, and
+ retriggers the fs is was invoked for, which causes the udev rules to rerun
+ that assemble the btrfs raid, but this time force degraded assembly.
- * sd-varlink: add fully async modes of the protocol upgrade stuff
+ - a way for container managers to turn off getty starting via $container_headless= or so...
- * repart: maybe remove iso9660/eltorito superblock from disk when booting via
- gpt, if there is one.
+ - add "conditions" for bls type 1 and type 2 profiles that allow suppressing
+ them under various conditions: 1. if tpm2 is available or not available;
+ 2. if sb is on or off; 3. if we are netbooted or not; …
- * crypttab/gpt-auto-generator: allow explicit control over which unlock mechs
- to permit, and maybe have a global headless kernel cmdline option
+ - add "homectl export" and "homectl import" that gets you an "atomic" snapshot
+ of your homedir, i.e. either a tarball or a snapshot of the underlying disk
+ (use FREEZE/THAW to make it consistent, btrfs snapshots)
- * start making use of the new --graceful switch to util-linux' umount command
+ - Add "purpose" flag to partition flags in discoverable partition spec that
+ indicate if partition is intended for sysext, for portable service, for
+ booting and so on. Then, when dissecting DDI allow specifying a purpose to
+ use as additional search condition. Use case: images that combined a sysext
+ partition with a portable service partition in one.
- * sysusers: allow specifying a path to an inode *and* a literal UID in the UID
- column, so that if the inode exists it is used, and if not the literal UID is
- used. Use this for services such as the imds one, which run under their own
- UID in the initrd, and whose data should survive to the host, properly owned.
+ - add "systemctl wait" or so, which does what "systemd-run --wait" does, but
+ for all units. It should be both a way to pin units into memory as well as a
+ wait to retrieve their exit data.
- * add service file setting to force the fwmark (a la SO_MARK) to some value, so
- that we can allowlist certain services for imds this way.
+ - add "systemd-analyze debug" + AttachDebugger= in unit files: The former
+ specifies a command to execute; the latter specifies that an already running
+ "systemd-analyze debug" instance shall be contacted and execution paused
+ until it gives an OK. That way, tools like gdb or strace can be safely be
+ invoked on processes forked off PID 1.
- * lock down swtpm a bit to make it harder to extract keys from it as it is
- running. i.e. make ptracing + termination hard from the outside. also run
- swtpm as unpriv user (not trivial, probably requires patch swtpm, as it needs
- to allocate vtpm device), to lock it down from the inside.
+ - add "systemd-sysext identify" verb, that you can point on any file in /usr/
+ and that determines from which overlayfs layer it originates, which image, and with
+ what it was signed.
- * once swtpm's sd_notify() support has landed in the distributions, remove the
- invocation in tpm2-swtpm.c and let swtpm handle it.
+ - add --vacuum-xyz options to coredumpctl, matching those journalctl already has.
- * make systemd work nicely without /bin/sh, logins and associated shell tools around
- - make sure debug shell service (sushell) has a nice failure mode, prints a message and reboots
- - varlink interface for "systemctl start" and friends
- - https://github.com/util-linux/util-linux/issues/4117
+ - Add a "systemctl list-units --by-slice" mode or so, which rearranges the
+ output of "systemctl list-units" slightly by showing the tree structure of
+ the slices, and the units attached to them.
- * imds: maybe do smarter api version handling
+ - Add a concept of ListenStream=anonymous to socket units: listen on a socket
+ that is deleted in the fs. Use case would be with ConnectSocket= above.
- * drop NV_ORDERLY flag from the product uuid nvpcr. Effect of the flag is that
- it pushes the thing into TPM RAM, but a TPM usually has very little of that,
- less than NVRAM. hence setting the flag amplifies space issues. Unsetting the
- flag increases wear issues on the NVRAM, however, but this should be limited
- for the product uuid nvpcr, since its only changed once per boot. this needs
- to be configurable by nvpcr however, as other nvpcrs are different,
- i.e. verity one receives many writes during system uptime quite
- possibly. (also, NV_ORDERLY makes stuff faster, and dropping it costs
- possibly up to 100ms supposedly)
+ - add a ConnectSocket= setting to service unit files, that may reference a
+ socket unit, and which will connect to the socket defined therein, and pass
+ the resulting fd to the service program via socket activation proto.
- * instead of going directly for DefineSpace when initializing nvpcrs, check if
- they exist first. apparently DEfineSpace is broken on some tpms, and also
- creates log spam if the nvindex already exists.
+ - add a dbus call to generate target from current state
- * on first login of a user, measure its identity to some nvpcr
+ - add a dependency on standard-conf.xml and other included files to man pages
- * sd-lldp: pick up 802.3 maximum frame size/mtu, to be able to detect jumbo
- frame capable networks
+ - add a job mode that will fail if a transaction would mean stopping
+ running units. Use this in timedated to manage the NTP service
+ state.
+ https://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html
- * networkd: maintain a file in /run/ that can be symlinked into /run/issue.d/
- that always shows the current primary IP address
+ - add a kernel cmdline switch (and cred?) for marking a system to be
+ "headless", in which case we never open /dev/console for reading, only for
+ writing. This would then mean: systemd-firstboot would process creds but not
+ ask interactively, getty would not be started and so on.
- * oci: add support for blake hashes for layers
+ - add a Load= setting which takes literal data in text or base64 format, and
+ puts it into a memfd, and passes that. This enables some fun stuff, such as
+ embedding bash scripts in unit files, by combining Load= with
+ ExecStart=/bin/bash /proc/self/fd/3
- * oci: add support for "importctl import-oci" which implements the "OCI layout"
- spec (i.e. acquiring via local fs access), as opposed to the current
- "importctl pull-oci" which focusses on the "OCI image spec", i.e. downloads
- from the web (i.e. acquiring via URLs).
+ - add a mechanism we can drop capabilities from pid1 *before* transitioning
+ from initrd to host. i.e. before we transition into the slightly lower trust
+ domain that is the host systems we might want to get rid of some caps.
+ Example: CAP_SYS_BPF in the signed bpf loading logic above. (We already have
+ CapabilityBoundingSet= in system.conf, but that is enforced when pid 1
+ initializes, rather then when it transitions to the next.)
- * oci: support "data" in any OCI descriptor, not just manifest config.
+ - add a new "debug" job mode, that is propagated to unit_start() and for
+ services results in two things: we raise SIGSTOP right before invoking
+ execve() and turn off watchdog support. Then, use that to implement
+ "systemd-gdb" for attaching to the start-up of any system service in its
+ natural habitat.
- * report:
- - plug "facts" into systemd-report too, i.e. stuff that is more static, such as hostnames, ssh keys and so on.
- - pass filtering hints to services, so that they can also be applied server-side, not just client side
- - metrics from pid1: suppress metrics form units that are inactive and have nothing to report
- - add "hint-suppress-zero" flag (which suppresses all metrics which are zero)
- - add "hint-object" parameter (which only queries info about certain object)
- - make systemd-report a varlink service
+ - add a new flag to chase() that stops chasing once the first missing
+ component is found and then allows the caller to create the rest.
- * implement a varlink registry service, similar to the one of the reference
- implementation, backed by /run/varlink/registry/. Then, also implement
- connect-via-registry-resolution in sd-varlink and varlinkctl. Care needs to
- be taken to do the resolution asynchronousy. Also, note that the Varlink
- reference implementation uses a different address syntax, which needs to be
- taken into account.
+ - add a new PE binary section ".mokkeys" or so which sd-stub will insert into
+ Mok keyring, by overriding/extending whatever shim sets in the EFI
+ var. Benefit: we can extend the kernel module keyring at ukify time,
+ i.e. without recompiling the kernel, taking an upstream OS' kernel and adding
+ a local key to it.
- * have a signal that reloads every unit that supports reloading
+ - add a new specifier to unit files that figures out the DDI the unit file is
+ from, tracing through overlayfs, DM, loopback block device.
- * systemd: add storage API via varlink, where everyone can drop a socket in a
- dir, similar, do the same thing for networking
+ - add a new switch --auto-definitions=yes/no or so to systemd-repart. If
+ specified, synthesize a definition automatically if we can: enlarge last
+ partition on disk, but only if it is marked for growing and not read-only.
- * do a console daemon that takes stdio fds for services and allows to reconnect
- to them later
+ - add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and
+ usefaultd() and make systemd-analyze check for it.
- * report: have something that requests cloud workload identity bearer tokens
- and includes it in the report
+ - Add a new verb "systemctl top"
- * sysupdate: download multiple arbitrary patterns from same source
+ - add a pam module that on password changes updates any LUKS slot where the password matches
- * sysupdate: SHA256SUMS format with bearer tokens for each resource to download
+ - add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and
+ then use that for the setting used in user@.service. It should be understood
+ relative to the configured default value.
- * sysupdate: decrypt SHA256SUMS with key from tpm
+ - add a plugin for factory reset logic that erases certain parts of the ESP,
+ but leaves others in place.
- * sysupdate: clean up stuff on disk that disappears from SHA256SUMS
+ - add a proper concept of a "developer" mode, i.e. where cryptographic
+ protections of the root OS are weakened after interactive confirmation, to
+ allow hackers to allow their own stuff. idea: allow entering developer mode
+ only via explicit choice in boot menu: i.e. add explicit boot menu item for
+ it. When developer mode is entered, generate a key pair in the TPM2, and add
+ the public part of it automatically to keychain of valid code signature keys
+ on subsequent boots. Then provide a tool to sign code with the key in the
+ TPM2. Ensure that boot menu item is the only way to enter developer mode, by
+ binding it to locality/PCRs so that keys cannot be generated otherwise.
- * sysupdate: turn http backend stuff int plugin via varlink
+ - add a system-wide seccomp filter list for syscalls, kill "acct()" "@obsolete"
+ and a few other legacy syscalls that way.
- * add new tool that can be used in debug mode runs in very early boot,
- generates a random password, passes it as credential to sysusers for the root
- user, then displays it on screen. people can use this to remotely log in.
+ - add a test if all entries in the catalog are properly formatted.
+ (Adding dashes in a catalog entry currently results in the catalog entry
+ being silently skipped. journalctl --update-catalog must warn about this,
+ and we should also have a unit test to check that all our message are OK.)
- * Maybe introduce an InodeRef structure inspired by PidRef, which references a
- specific inode, and combines: a path, an O_PATH fd, and possibly a FID into
- one. Why? We often pass around path and fd separately in chaseat() and similar
- calls. Because passing around both separately is cumbersome we sometimes only
- one pass one, once the other and sometimes both. It would make the code a lot
- simpler if we could path both around at the same time in a simple way, via an
- InodeRef which *both* pins the inode via an fd, *and* gives us a friendly
- name for it.
+ - add a utility that can be used with the kernel's
+ CONFIG_STATIC_USERMODEHELPER_PATH and then handles them within pid1 so that
+ security, resource management and cgroup settings can be enforced properly
+ for all umh processes.
- * systemd-sysupdate: for each transfer support looking at multiple sources,
- pick source with newest entry. If multiple sources have the same entry, use
- first configured source. Usecase: "sideload" components from local dirs,
- without disabling remote sources.
+ - add a way to lock down cgroup migration: a boolean, which when set for a unit
+ makes sure the processes in it can never migrate out of it
- * systemd-sysupdate: support "revoked" items, which cause the client to
- downgrade/upgrade
+ - add ability to path_is_valid() to classify paths that refer to a dir from
+ those which may refer to anything, and use that in various places to filter
+ early. i.e. stuff ending in "/", "/." and "/.." definitely refers to a
+ directory, and paths ending that way can be refused early in many contexts.
- * portable services: attach not only unit files to host, but also simple
- binaries to a tmpfs path in $PATH.
+ - Add ACL-based access management to .socket units. i.e. add AllowPeerUser= +
+ AllowPeerGroup= that installs additional user/group ACL entries on AF_UNIX
+ sockets.
- * systemd-sysext: add "exec" command or so that is a bit like "refresh" but
- runs it in a new namespace and then just executes the selected binary within
- it. Could be useful to run one-off binaries inside a sysext as a CLI tool.
+ - Add AddUser= setting to unit files, similar to DynamicUser=1 which however
+ creates a static, persistent user rather than a dynamic, transient user. We
+ can leverage code from sysusers.d for this.
- * systemd-repart: implement Integrity=data/meta and Integrity=inline for non-LUKS
- case. Currently, only Integrity=inline combined with Encrypt= is implemented
- and uses libcryptsetup features. Add support for plain dm-integrity setups when
- integrity tags are stored by the device (inline), interleaved with data (data),
- and on a separate device (meta).
+ - add an explicit parser for LimitRTPRIO= that verifies
+ the specified range and generates sane error messages for incorrect
+ specifications.
- * homed/pam_systemd: allow authentication by ssh-agent, so that run0/polkit can
- be allowed if caller comes with the right ssh-agent keys.
+ - Add and pickup tpm2 metadata for creds structure.
+
+ - add another PE section ".fname" or so that encodes the intended filename for
+ PE file, and validate that when loading add-ons and similar before using
+ it. This is particularly relevant when we load multiple add-ons and want to
+ sort them to apply them in a define order. The order should not be under
+ control of the attacker.
- * machined: gc for OCI layers that are not referenced anymore by any .mstack/ links.
+ - add bus API for creating unit files in /etc, reusing the code for transient units
- * pull-oci: progress notification
+ - add bus api to query unit file's X fields.
- * networkd/machined: implement reverse name lookups in the resolved hook
+ - add bus API to remove unit files from /etc
- * networkd's resolved hook: optionally map all lease IP addresses handed out to
- the same hostname which is configured on the .network file. Optionally, even
- derive this single name from the network interface name (i.e. probably
- altname or so). This way, when spawning a VM the host could pick the hostname
- for it and the client gets no say.
+ - add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only)
- * systemd-repart: add --ghost, that creates file systems, updates the kernel's
- partition table but does *not* update partition table on disk. This way, we
- have disk backed file systems that go effectively disappear on reboot. This
- is useful when booting from a "live" usb stick that is writable, as it means
- we do not have to place everything in memory. Moreover, we could then migrate
- the file systems to disk later (using btrfs device replacement), if needed as
- part of an installer logic.
+ - Add ConditionDirectoryNotEmpty= handle non-absoute paths as a search path or add
+ ConditionConfigSearchPathNotEmpty= or different syntax? See the discussion starting at
+ https://github.com/systemd/systemd/pull/15109#issuecomment-607740136.
- * journald: log pidfid as another field, i.e. _PIDFDID=
+ - add CopyFile= or so as unit file setting that may be used to copy files or
+ directory trees from the host to the services RootImage= and RootDirectory=
+ environment. Which we can use for /etc/machine-id and in particular
+ /etc/resolv.conf. Should be smart and do something useful on read-only
+ images, for example fall back to read-only bind mounting the file instead.
- * measure all log-in attempts into a new nvpcr
+ - Add ELF section to make systemd main binary recognizable cleanly, the same
+ way as we make sd-boot recognizable via PE section.
- * maybe rework systemd-modules-load to be a generator that just instantiates
- modprobe@.service a bunch of times
+ - Add ExecMonitor= setting. May be used multiple times. Forks off a process in
+ the service cgroup, which is supposed to monitor the service, and when it
+ exits the service is considered failed by its monitor.
- * Split vconsole-setup in two, of which the second is started via udev (instead
- of the "restart" job it currently fires). That way, boot becomes purely
- positive again, and we can nicely order the two against each other.
+ - add field to bls type 1 and type 2 profiles that ensures an item is never
+ considered for automatic selection
- * Add ELF section to make systemd main binary recognizable cleanly, the same
- way as we make sd-boot recognizable via PE section.
+ - add generator that pulls in systemd-network from containers when
+ CAP_NET_ADMIN is set, more than the loopback device is defined, even
+ when it is otherwise off
- * Add knob to cryptsetup, to trigger automatic reboot on failure to unlock
+ - add growvol and makevol options for /etc/crypttab, similar to
+ x-systemd.growfs and x-systemd-makefs.
+
+ - Add knob to cryptsetup, to trigger automatic reboot on failure to unlock
disk. Enable this by default for rootfs, also in gpt-auto-generator
- * replace bootctl's PE version check to actually use APIs from pe-binary.[ch]
- to find binary version.
+ - add linker script that implicitly adds symbol for build ID and new coredump
+ json package metadata, and use that when logging
- * replace symlink_label(), mknodat_label(), btrfs_subvol_make_label(),
- mkdir_label() and related calls by flags-based calls that use
- label_ops_pre()/label_ops_post().
+ - add new gpt type for btrfs volumes
- * maybe reconsider whether virtualization consoles (hvc1) are considered local
- or remote. i.e. are they more like an ssh login, or more like a /dev/tty1
- login? Lennart used to believe the former, but maybe the latter is more
- appropriate? This has effect on polkit interactivity, since it would mean
- questions via hvc0 would suddenly use the local polkit property. But this
- also raises the question whether such sessions shall be considered active or
- not
+ - add new tool that can be used in debug mode runs in very early boot,
+ generates a random password, passes it as credential to sysusers for the root
+ user, then displays it on screen. people can use this to remotely log in.
- * automatically reset specific EFI vars on factory reset (make this generic
- enough so that infrac can be used to erase shim's mok vars?)
+ - add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/
- * similar: add a plugin for factory reset logic that erases certain parts of
- the ESP, but leaves others in place.
+ - add PR_SET_DUMPABLE service setting
- * flush_fd() should probably try to be smart and stop reading once we know that
- all further queued data was enqueued after flush_fd() was originally
- called. For that, try SIOCINQ if fd refers to stream socket, and look at
- timestamps for datagram sockets.
+ - add proper .osrel matching for PE addons. i.e. refuse applying an addon
+ intended for a different OS. Take inspiration from how confext/sysext are
+ matched against OS.
- * Similar flush_accept() should look at sockdiag queued sockets count and exit
- once we flushed out the specified number of connections.
+ - add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1
+ and so on, which would mean we could report errors and such.
- * maybe introduce a new per-unit drop-in directory .confext.d/ that may contain
- symlinks to confext images to enable for the unit.
-- Add RebootUptimeMinSec= knob to PID 1, that makes systemd-shutdown sleep
- until the specified uptime has passed, to lengthen tight boot loops.
-
+ - add service file setting to force the fwmark (a la SO_MARK) to some value, so
+ that we can allowlist certain services for imds this way.
- * nspawn: map foreign UID range through 1:1
+ - Add service unit setting ConnectStream= which takes IP addresses and connects to them.
- * a small tool that can do basic btrfs raid policy mgmt. i.e. gets started as
- part of the initial transaction for some btrfs raid fs, waits for some time,
- then puts message on screen (plymouth, console) that some devices apparently
- are not showing up, then counts down, eventually set a flag somewhere, and
- retriggers the fs is was invoked for, which causes the udev rules to rerun
- that assemble the btrfs raid, but this time force degraded assembly.
+ - add some optional flag to ReadWritePaths= and friends, that has the effect
+ that we create the dir in question when the service is started. Example:
- * systemd-repart: make useful to duplicate current OS onto a second disk, so
- that we can sanely copy ESP contents, /usr/ images, and then set up btrfs
- raid for the root fs to extend/mirror the existing install. This would be
- very similar to the concept of live-install-through-btrfs-migration.
+ ReadWritePaths=:/var/lib/foobar
- * introduce /etc/boottab or so which lists block devices that bootctl +
- kernel-install shall update the ESPs on (and register in EFI BootXYZ
- variables), in addition to whatever is currently the booted /usr/.
- systemd-sysupdate should also take it into consideration and update the
- /usr/ images on all listed devices.
+ - add some service that makes an atomic snapshot of PCR state and event log up
+ to that point available, possibly even with quote by the TPM.
- * replace all uses of fopen_temporary() by fopen_tmpfile_linkable() +
- flink_tmpfile() and then get rid of fopen_temporary(). Benefit: use O_TMPFILE
- pervasively, and avoid rename() wherever we can.
+ - add some special mode to LogsDirectory=/StateDirectory=… that allows
+ declaring these directories without necessarily pulling in deps for them, or
+ creating them when starting up. That way, we could declare that
+ systemd-journald writes to /var/log/journal, which could be useful when we
+ doing disk usage calculations and so on.
- * loginctl: show argv[] of "leader" process in tabular list-sessions output
+ - add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration)
- * loginctl: show "service identifier" in tabular list-sessions output, to make
- run0 sessions easily visible.
+ - add support for activating nvme-oF devices at boot automatically via kernel
+ cmdline, and maybe even support a syntax such as
+ root=nvme:\<trtype>:\<traddr>:\<trsvcid>:\<nqn>:\<partition> to boot directly from
+ nvme-oF
- * run0: maybe enable utmp for run0 sessions, so that they are easily visible.
+ - add support for asymmetric LUKS2 TPM based encryption. i.e. allow preparing
+ an encrypted image on some host given a public key belonging to a specific
+ other host, so that only hosts possessing the private key in the TPM2 chip
+ can decrypt the volume key and activate the volume. Use case: systemd-confext
+ for a central orchestrator to generate confext images securely that can only
+ be activated on one specific host (which can be used for installing a bunch
+ of creds in /etc/credstore/ for example). Extending on this: allow binding
+ LUKS2 TPM based encryption also to the TPM2 internal clock. Net result:
+ prepare a confext image that can only be activated on a specific host that
+ runs a specific software in a specific time window. confext would be
+ automatically invalidated outside of it.
- * maybe beef up sd-event: optionally, allow sd-event to query the timestamp of
- next pending datagram inside a SOCK_DGRAM IO fd, and order event source
- dispatching by that. Enable this on the native + syslog sockets in journald,
- so that we add correct ordering between the two. Use MSG_PEEK + SCM_TIMESTAMP
- for this.
+ - Add support for extra verity configuration options to systemd-repart (FEC,
+ hash type, etc)
- * bsod: add target "bsod.target" or so, which invokes systemd-bsod.target and
- waits and then reboots. Then use OnFailure=bsod.target from various jobs that
- should result in system reboots, such as TPM tamper detection cases.
+ - Add SUPPORT_END_URL= field to os-release with more *actionable* information
+ what to do if support ended
- * honour validatefs xattrs in dissect-image.c too
+ - Add systemd-analyze security checks for RestrictFileSystems= and
+ RestrictNetworkInterfaces=
- * pcrextend: maybe add option to disable measurements entirely via kernel cmdline
+ - Add systemd-mount@.service which is instantiated for a block device and
+ invokes systemd-mount and exits. This is then useful to use in
+ ENV{SYSTEMD_WANTS} in udev rules, and a bit prettier than using RUN+=
- * tpm2-setup: reboot if we detect SRK changed
+ - Add systemd-sysupdate-initrd.service or so that runs systemd-sysupdate in the
+ initrd to bootstrap the initrd to populate the initial partitions. Some things
+ to figure out:
+ - Should it run on firstboot or on every boot?
+ - If run on every boot, should it use the sysupdate config from the host on
+ subsequent boots?
- * validatefs: validate more things: check if image id + os id of initrd match
- target mount, so that we refuse early any attempts to boot into different
- images with the wrong kernels. check min/max kernel version too. all encoded
- via xattrs in the target fs.
+ - add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL
+ (throughout the codebase, not only PID1)
- * pcrextend: when we fail to measure, reboot the system (at least optionally).
- important because certain measurements are supposed to "destroy" tpm object
- access.
+ - Add UKI profile conditioning so that profiles are only available if secure
+ boot is turned off, or only on. similar, add conditions on TPM availability,
+ network boot, and other conditions.
- * pcrextend: after measuring get an immediate quote from the TPM, and validate
- it. if it doesn't check out, i.e. the measurement we made doesn't appear in
- the PCR then also reboot.
+ - Allocate UIDs/GIDs automatically in userdbctl load-credentials if none are
+ included in the user/group record credentials
- * cryptsetup: add boolean for disabling use of any password/recovery key slots.
- (i.e. that we can operate in a tpm-only mode, and thus protect us from rogue
- root disks)
+ - allow dynamic modifications of ConcurrencyHardMax= and ConcurrencySoftMax=
+ via DBus (and with that also by daemon-reload). Similar for portabled.
- * complete varlink introspection comments:
- - io.systemd.Hostname
- - io.systemd.ManagedOOM
- - io.systemd.Network
- - io.systemd.PCRLock
- - io.systemd.Resolve.Monitor
- - io.systemd.Resolve
- - io.systemd.oom
- - io.systemd.sysext
+ - also include packaging metadata (á la
+ https://systemd.io/PACKAGE_METADATA_FOR_EXECUTABLE_FILES/) in our UEFI PE
+ binaries, using the same JSON format.
- * maybe define a /etc/machine-info field for the ANSI color to associate with a
- hostname. Then use it for the shell prompt to highlight the hostname. If no
- color is explicitly set, hash a color automatically from the hostname as a
- fallback, in a reasonable way. Take inspiration from the ANSI_COLOR= field
- that already exists in /etc/os-release, i.e. use the same field name and
- syntax. When hashing the color, use the hsv_to_rgb() helper we already have,
- fixate S and V to something reasonable and constant, and derive the H from
- the hostname. Ultimate goal with this: give people a visual hint about the
- system they are on if the have many to deal with, by giving each a color
- identity. This code should be placed in hostnamed, so that clients can query
- the color via varlink or dbus.
-
- * unify how blockdev_get_root() and sysupdate find the default root block device
-
- * Maybe rename pkcs7 and public verbs of systemd-keyutil to be more verb like.
-
- * maybe extend the capsule concept to the per-user instance too: invokes a
- systemd --user instance with a subdir of $HOME as $HOME, and a subdir of
- $XDG_RUNTIME_DIR as $XDG_RUNTIME_DIR.
-
- * add "homectl export" and "homectl import" that gets you an "atomic" snapshot
- of your homedir, i.e. either a tarball or a snapshot of the underlying disk
- (use FREEZE/THAW to make it consistent, btrfs snapshots)
-
- * maybe introduce a new partition that we can store debug logs and similar at
- the very last moment of shutdown. idea would be to store reference to block
- device (major + minor + partition id + diskeq?) in /run somewhere, than use
- that from systemd-shutdown, just write a raw JSON blob into the partition.
- Include timestamp, boot id and such, plus kmsg. on next boot immediately
- import into journal. maybe use timestamp for making clock more monotonic.
- also use this to detect unclean shutdowns, boot into special target if
- detected
-
- * fix homed/homectl confusion around terminology, i.e. "home directory"
- vs. "home" vs. "home area". Stick to one term for the concept, and it
- probably shouldn't contain "area".
-
- * sd-boot: do something useful if we find exactly zero entries (ignoring items
- such as reboot/poweroff/factory reset). Show a help text or so.
-
- * sd-boot: optionally ask for confirmation before executing certain operations
- (e.g. factory resets, storagetm with world access, and so on)
-
- * add field to bls type 1 and type 2 profiles that ensures an item is never
- considered for automatic selection
-
- * add "conditions" for bls type 1 and type 2 profiles that allow suppressing
- them under various conditions: 1. if tpm2 is available or not available;
- 2. if sb is on or off; 3. if we are netbooted or not; …
-
- * logind: invoke a service manager for "area" logins too. i.e. instantiate
- user@.service also for logins where XDG_AREA is set, in per-area fashion, and
- ref count it properly. Benefit: graphical logins should start working with
- the area logic.
-
- * repart: introduce concept of "ghost" partitions, that we setup in almost all
- ways like other partitions, but do not actually register in the actual gpt
- table, but only tell the kernel about via BLKPG ioctl. These partitions are
- disk backed (hence can be large), but not persistent (as they are invisible
- on next boot). Could be used by live media and similar, to boot up as usual
- but automatically start at zero on each boot. There should also be a way to
- make ghost partitions properly persistent on request.
+ - also parse out primary GPT disk label uuid from gpt partition device path at
+ boot and pass it as efi var to OS.
- * repart: introduce MigrateFileSystem= or so which is a bit like
- CopyFiles=/CopyBlocks= but operates via btrfs device logic: adds target as
- new device then removes source from btrfs. Usecase: a live medium which uses
- "ghost" partitions as suggested above, which can become persistent on request
- on another device.
+ - as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads:
+ https://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html
- * make nspawn containers, portable services and vmspawn VMs optionally survive
- soft reboot wholesale.
+ - augment CODE_FILE=, CODE_LINE= with something like CODE_BASE= or so which
+ contains some identifier for the project, which allows us to include
+ clickable links to source files generating these log messages. The identifier
+ could be some abbreviated URL prefix or so (taking inspiration from Go
+ imports). For example, for systemd we could use
+ CODE_BASE=github.com/systemd/systemd/blob/98b0b1123cc or so which is
+ sufficient to build a link by prefixing "http://" and suffixing the
+ CODE_FILE.
- * Turn systemd-networkd-wait-online into a small varlink service that people
- can talk to and specify exactly what to wait for via a method call, and get a
- response back once that level of "online" is reached.
+ - Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can
+ make clickable links from log messages carrying a MESSAGE_ID, that lead to
+ some explanatory text online.
- * introduce a small "systemd-installer" tool or so, that glues
- systemd-repart-as-installer and bootctl-install into one. Would just
- interactively ask user for target disk (with completion and so on), and then do
- two varlink calls to the the two tools with the right parameters. To support
- "offline" operation, optionally invoke the two tools directly as child
- processes with varlink communication over socketpair(). This all should be
- useful as blueprint for graphical installers which should do the same.
+ - automatic boot assessment: add one more default success check that just waits
+ for a bit after boot, and blesses the boot if the system stayed up that long.
- * Make run0 forward various signals to the forked process so that sending
- signals to a child process works roughly the same regardless of whether the
- child process is spawned via run0 or not.
+ - automatically ignore threaded cgroups in cg_xyz().
- * write a document explaining how to write correct udev rules. Mention things
- such as:
- 1. do not do lists of vid/pid matches, use hwdb for that
- 2. add|change action matches are typically wrong, should be != remove
- 3. use GOTO, make rules short
- 4. people shouldn't try to make rules file non-world-readable
+ - automatically mount one virtiofs during early boot phase to /run/host/,
+ similar to how we do that for nspawn, based on some clear tag.
- * make killing more debuggable: when we kill a service do so setting the
- .si_code field with a little bit of info. Specifically, we can set a
- recognizable value to first of all indicate that it's systemd that did the
- killing. Secondly, we can give a reason for the killing, i.e. OOM or so, and
- also the phase we are in, and which process we think we are killing (i.e.
- main vs control process, useful in case of sd_notify() MAINPID= debugging).
- Net result: people who try to debug why their process gets killed should have
- some minimal, nice metadata directly on the signal event.
+ - automatically propagate LUKS password credential into cryptsetup from host
+ (i.e. SMBIOS type #11, …), so that one can unlock LUKS via VM hypervisor
+ supplied password.
- * sd-boot/sd-stub: install a uefi "handle" to a sidecar dir of bls type #1
- entries with an "uki" or "uki-url" stanza, and make sd-stub look for
- that. That way we can parameterize type #1 entries nicely.
+ - automatically reset specific EFI vars on factory reset (make this generic
+ enough so that infra can be used to erase shim's mok vars?)
- * add a system-wide seccomp filter list for syscalls, kill "acct()" "@obsolete"
- and a few other legacy syscalls that way.
+ - be able to specify a forced restart of service A where service B depends on, in case B
+ needs to be auto-respawned?
- * maybe introduce "@icky" as a seccomp filter group, which contains acct() and
- certain other syscalls that aren't quite obsolete, but certainly icky.
+ - be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1
- * revisit how we pass fs images and initrd to the kernel. take uefi http boot
- ramdisks as inspiration: for any confext/sysext/initrd erofs/DDI image simply
- generate a fake pmem region in the UEFI memory tables, that Linux then turns
- into /dev/pmemX. Then turn of cpio-based initrd logic in linux kernel,
- instead let kernel boot directly into /dev/pmem0. In order to allow our usual
- cpio-based parameterization, teach PID 1 to just uncompress cpio ourselves
- early on, from another pmem device. (Related to this, maybe introduce a new
- PE section .ramdisk that just synthesizes pmem devices from arbitrary
- blobs. Could be particularly useful in add-ons)
+ - beef up log.c with support for stripping ANSI sequences from strings, so that
+ it is OK to include them in log strings. This would be particularly useful so
+ that our log messages could contain clickable links for example for unit
+ files and suchlike we operate on.
- * also parse out primary GPT disk label uuid from gpt partition device path at
- boot and pass it as efi var to OS.
+ - beef up pam_systemd to take unit file settings such as cgroups properties as
+ parameters
- * storagetm: maybe also serve the specified disk via HTTP? we have glue for
- microhttpd anyway already. Idea would also be serve currently booted UKI as
- separate HTTP resource, so that EFI http boot on another system could
- directly boot from our system, with full access to the hdd.
+ - blog about fd store and restartable services
- * support specifying download hash sum in systemd-import-generator expression
- to pin image/tarball.
+ - **bootctl:**
+ - recognize the case when not booted on EFI
+ - add tool for registering BootXXX entry that boots from some http
+ server of your choice (i.e. like kernel-bootcfg --add-uri=)
+ - add reboot-to-disk which takes a block device name, and
+ automatically sets things up so that system reboots into that device next.
+ - show whether UEFI audit mode is available
+ - teach it to prepare an ESP wholesale, i.e. with mkfs.vfat invocation
+ - teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host
- * support boot into nvme-over-tcp: add generator that allows specifying nvme
- devices on kernel cmdline + credentials. Also maybe add interactive mode
- (where the user is prompted for nvme info), in order to boot from other
- system's HDD.
+ - BootLoaderSpec: define a way how an installer can figure out whether a BLS
+ compliant boot loader is installed.
- * ptyfwd: use osc context information in vmspawn/nspawn/… to optionally only
- listen to ^]]] key when no further vmspawn/nspawn context is allocated
+ - BootLoaderSpec: document @saved pseudo-entry, update mention in BLI
- * ptyfwd: usec osc context information to propagate status messages from
- vmspawn/nspawn to service manager's "status" string, reporting what is
- currently in the fg
+ - bootspec: permit graceful "update" from type #2 to type #1. If both a type #1
+ and a type #2 entry exist under otherwise the exact same name, then use the
+ type #1 entry, and ignore the type #2 entry. This way, people can "upgrade"
+ from the UKI with all parameters baked in to a Type #1 .conf file with manual
+ parametrization, if needed. This matches our usual rule that admin config
+ should win over vendor defaults.
- * nspawn/vmspawn: define hotkey that one can hit on the primary interface to
- ask for a friendly, acpi style shutdown.
+ - bpf: see if we can address opportunistic inode sharing of immutable fs images
+ with BPF. i.e. if bpf gives us power to hook into openat() and return a
+ different inode than is requested for which we however it has same contents
+ then we can use that to implement opportunistic inode sharing among DDIs:
+ make all DDIs ship xattr on all reg files with a SHA256 hash. Then, also
+ dictate that DDIs should come with a top-level subdir where all reg files are
+ linked into by their SHA256 sum. Then, whenever an inode is opened with the
+ xattr set, check bpf table to find dirs with hashes for other prior DDIs and
+ try to use inode from there.
- * for better compat with major clouds: implement simple PTP device support in
- timesyncd
+ - bpf: see if we can use BPF to solve the syslog message cgroup source problem:
+ one idea would be to patch source sockaddr of all AF_UNIX/SOCK_DGRAM to
+ implicitly contain the source cgroup id. Another idea would be to patch
+ sendto()/connect()/sendmsg() sockaddr on-the-fly to use a different target
+ sockaddr.
- * for better compat with major clouds: recognize clouds via hwdb on DMI device,
- and add udev properties to it that help with handling IMDS, i.e. entrypoint
- URL, which fields to find ip hostname, ssh key, …
+ - bsod: add target "bsod.target" or so, which invokes systemd-bsod.target and
+ waits and then reboots. Then use OnFailure=bsod.target from various jobs that
+ should result in system reboots, such as TPM tamper detection cases.
- * for better compat with major clouds: introduce imds mini client service that
- sets up primary netif in a private netns (ipvlan?) to query imds without
- affecting rest of the host. pick up literal credentials from there plus the
- fields the hwdb reports for the other fields and turn them into credentials.
- then write generator that used detected virtualization info and plugs this
- service into the early boot, waiting for the DMI and network device to show
- up.
+ - bsod: maybe use graphical mode. Use DRM APIs directly, see
+ https://github.com/dvdhrm/docs/blob/master/drm-howto/modeset.c for an example
+ for doing that.
- * Add UKI profile conditioning so that profiles are only available if secure
- boot is turned off, or only on. similar, add conditions on TPM availability,
- network boot, and other conditions.
+ - build short web pages out of each catalog entry, build them along with man
+ pages, and include hyperlinks to them in the journal output
- * fix bug around run0 background color on ls in fresh terminal
+ - busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
+ exists and responds.
- * Reset TPM2 DA bit on each successful boot
+ - bypass SIGTERM state in unit files if KillSignal is SIGKILL
- * systemd-repart: add --installer or so, that will intractively ask for a
- target disk, maybe ask for confirmation, and install something on disk. Then,
- hook that into installer.target or so, so that it can be used to
- install/replicate installs
+ - cache sd_event_now() result from before the first iteration...
- * systemd-cryptenroll: add --firstboot or so, that will interactively ask user
- whether recovery key shall be enrolled and do so
+ - calenderspec: add support for week numbers and day numbers within a
+ year. This would allow us to define "bi-weekly" triggers safely.
- * bootctl: add tool for registering BootXXX entry that boots from some http
- server of your choice (i.e. like kernel-bootcfg --add-uri=)
+ - cgroups: use inotify to get notified when somebody else modifies cgroups
+ owned by us, then log a friendly warning.
- * maybe introduce container-shell@.service or so, to match
- container-getty.service but skips authentication, so you get a shell prompt
- directly. Usecase: wsl-like stuff (they have something pretty much like
- that). Question: how to pick user for this. Instance parameter? somehow from
- credential (would probably require some binary that converts credential to
- User= parameter?
+ - **cgroups:**
+ - implement per-slice CPUFairScheduling=1 switch
+ - introduce high-level settings for RT budget, swappiness
+ - how to reset dynamically changed unit cgroup attributes sanely?
+ - when reloading configuration, apply new cgroup configuration
+ - when recursively showing the cgroup hierarchy, optionally also show
+ the hierarchies of child processes
+ - add settings for cgroup.max.descendants and cgroup.max.depth,
+ maybe use them for user@.service
- * systemd-firstboot: optionally install an ssh key for root for offline use.
+ - chase(): take inspiration from path_extract_filename() and return
+ O_DIRECTORY if input path contains trailing slash.
- * Allocate UIDs/GIDs automatically in userdbctl load-credentials if none are
- included in the user/group record credentials
+ - Check that users of inotify's IN_DELETE_SELF flag are using it properly, as
+ usually IN_ATTRIB is the right way to watch deleted files, as the former only
+ fires when a file is actually removed from disk, i.e. the link count drops to
+ zero and is not open anymore, while the latter happens when a file is
+ unlinked from any dir.
- * introduce new ANSI sequence for communicating log level and structured error
- metadata to terminals.
+ - Clean up "reboot argument" handling, i.e. set it through some IPC service
+ instead of directly via /run/, so that it can be sensible set remotely.
- * in pid1: include ExecStart= cmdlines (and other Exec*= cmdlines) in polkit
- request, so that policies can match against command lines.
+ - clean up date formatting and parsing so that all absolute/relative timestamps we format can also be parsed
- * allow dynamic modifications of ConcurrencyHardMax= and ConcurrencySoftMax=
- via DBus (and with that also by daemon-reload)
+ - **complete varlink introspection comments:**
+ - io.systemd.Hostname
+ - io.systemd.ManagedOOM
+ - io.systemd.Network
+ - io.systemd.PCRLock
+ - io.systemd.Resolve.Monitor
+ - io.systemd.Resolve
+ - io.systemd.oom
+ - io.systemd.sysext
- * sysupdated: introduce per-user version that can update per-user installed dDIs
+ - confext/sysext: instead of mounting the overlayfs directly on /etc/ + /usr/,
+ insert an intermediary bind mount on itself there. This has the benefit that
+ services where mount propagation from the root fs is off, an still have
+ confext/sysext propagated in.
- * portabled: similar
+ - consider adding a new partition type, just for /opt/ for usage in system
+ extensions
- * resolved: make resolved process DNR DHCP info
+ - coredump: maybe when coredumping read a new xattr from /proc/$PID/exe that
+ may be used to mark a whole binary as non-coredumpable. Would fix:
+ https://bugs.freedesktop.org/show_bug.cgi?id=69447
- * maybe introduce an OSC sequence that signals when we ask for a password, so
- that terminal emulators can maybe connect a password manager or so, and
- highlight things specially.
+ - **coredump:**
+ - save coredump in Windows/Mozilla minidump format
+ - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps
+ - add examples for other distros in PACKAGE_METADATA_FOR_EXECUTABLE_FILES
- * start using STATX_SUBVOL in btrfs_is_subvol(). Also, make use of it
- generically, so that image discovery recognizes bcachefs subvols too.
+ - **credentials system:**
+ - acquire from EFI variable?
+ - acquire via ask-password?
+ - acquire creds via keyring?
+ - pass creds via keyring?
+ - pass creds via memfd?
+ - acquire + decrypt creds from pkcs11?
+ - make macsec code in networkd read key via creds logic (copy logic from
+ wireguard)
+ - make gatewayd/remote read key via creds logic
+ - add sd_notify() command for flushing out creds not needed anymore
+ - if we ever acquire a secure way to derive cgroup id of socket
+ peers (i.e. SO_PEERCGROUPID), then extend the "scoped" credential logic to
+ allow cgroup-scoped (i.e. app or service scoped) credentials. Then, as next
+ step use this to implement per-app/per-service encrypted directories, where
+ we set up fscrypt on the StateDirectory= with a randomized key which is
+ stored as xattr on the directory, encrypted as a credential.
+ - optionally include a per-user secret in scoped user-credential
+ encryption keys. should come from homed in some way, derived from the luks
+ volume key or fscrypt directory key.
+ - add a flag to the scoped credentials that if set require PK
+ reauthentication when unlocking a secret.
+ - rework docs. The list in
+ https://systemd.io/CREDENTIALS/#well-known-credentials is very stale.
+ Document credentials in individual man pages, generate list as in
+ systemd.directives.
+
+ - creds: add a new cred format that reused the JSON structures we use in the
+ LUKS header, so that we get the various newer policies for free.
- * foreign uid:
- - add support to export-fs, import-fs
- - systemd-dissect should learn mappings, too, when doing mtree and such
+ - cryptenroll/cryptsetup/homed: add unlock mechanism that combines tpm2 and
+ fido2, as well as tpm2 + ssh-agent, inspired by ChromeOS' logic: encrypt the
+ volume key with the TPM, with a policy that insists that a nonce is signed by
+ the fido2 device's key or ssh-agent key. Thus, add unlock/login time the TPM
+ generates a nonce, which is sent as a challenge to the fido2/ssh-agent, which
+ returns a signature which is handed to the tpm, which then reveals the volume
+ key to the PC.
- * resolved: report ttl in resolution replies if we know it. This data is useful
- for tools such as wireguard which want to periodically re-resolve DNS names,
- and might want to use the TTL has hint for that.
+ - cryptenroll/cryptsetup/homed: similar to this, implement TOTP backed by TPM.
- * journald: beef up ClientContext logic to store pidfd_id of peer, to validate
- we really use the right cache entry
+ - cryptsetup/homed: implement TOTP authentication backed by TPM2 and its
+ internal clock.
- * journald: log client's pidfd id as a new automatic field _PIDFDID= or so.
+ - **cryptsetup:**
+ - cryptsetup-generator: allow specification of passwords in crypttab itself
+ - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator
+ - add boolean for disabling use of any password/recovery key slots.
+ (i.e. that we can operate in a tpm-only mode, and thus protect us from rogue
+ root disks)
+ - new crypttab option to auto-grow a luks device to its backing
+ partition size. new crypttab option to reencrypt a luks device with a new
+ volume key.
+ - a mechanism that allows signing a volume key with some key that
+ has to be present in the kernel keyring, or similar, to ensure that confext
+ DDIs can be encrypted against the local SRK but signed with the admin's key
+ and thus can authenticated locally before they are decrypted.
+ - add option for automatically removing empty password slot on boot
+ - optionally, when run during boot-up and password is never
+ entered, and we are on battery power (or so), power off machine again
+ - when waiting for FIDO2/PKCS#11 token, tell plymouth that, and
+ allow plymouth to abort the waiting and enter pw instead
+ - allow encoding key directly in /etc/crypttab, maybe with a
+ "base64:" prefix. Useful in particular for pkcs11 mode.
+ - reimplement the mkswap/mke2fs in cryptsetup-generator to use
+ systemd-makefs.service instead.
+
++- sysext: make systemd-{sys,conf}ext-sysroot.service work in the split `/var`
++ configuration.
+
- * journald: split up ClientContext cache in two: one cache keyed by pid/pidfdid
- with process information, and another one keyed by cgroup path/cgroupid with
- cgroup information. This way if a service consisting of many logging
- processes can take benefit of the cgroup caching.
++- introduce a concept of /etc/machine-info "TAGS=" field that allows tagging
++ machines with zero, one or more roles, states or other forms of
++ categorization. Then, add a way of using this in sysupdate to automatically
++ enable certain transfers, one for each role.
+
- * system lsmbpf policy that prohibits creating files owned by "nobody"
- system-wide
++- sd-varlink: add fully async modes of the protocol upgrade stuff
+
- * system lsmpbf policy that prohibits creating or opening device nodes outside
- of devtmpfs/tmpfs, except if they are the pseudo-devices /dev/null,
- /dev/zero, /dev/urandom and so on.
++- repart: maybe remove iso9660/eltorito superblock from disk when booting via
++ gpt, if there is one.
+
- * system lsmbpf policy that enforces that block device backed mounts may only
- be established on top of dm-crypt or dm-verity devices, or an allowlist of
- file systems (which should probably include vfat, for compat with the ESP)
+ - crypttab/gpt-auto-generator: allow explicit control over which unlock mechs
+ to permit, and maybe have a global headless kernel cmdline option
- * $SYSTEMD_EXECPID that the service manager sets should
- be augmented with $SYSTEMD_EXECPIDFD (and similar for
- other env vars we might send).
+ - currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not
- * port copy.c over to use LabelOps for all labelling.
+ - dbus: when a unit failed to load (i.e. is in UNIT_ERROR state), we
+ should be able to safely try another attempt when the bus call LoadUnit() is invoked.
- * get rid of compat with libbpf.so.0 (retainly only for libbpf.so.1)
+ - ddi must be listed as block device fstype
- * define a generic "report" varlink interface, which services can implement to
+ - define a generic "report" varlink interface, which services can implement to
provide health/statistics data about themselves. then define a dir somewhere
in /run/ where components can bind such sockets. Then make journald, logind,
and pid1 itself implement this and expose various stats on things there. Then
portabled/… up to udev to watch block devices coming up with the flags set, and
use it.
- * sd-boot should look for information what to boot in SMBIOS, too, so that VM
- managers can tell sd-boot what to boot into and suchlike
+ - maybe add support for binding and connecting AF_UNIX sockets in the file
+ system outside of the 108ch limit. When connecting, open O_PATH fd to socket
+ inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink
+ to target dir in /tmp, and bind through it.
- * add "systemd-sysext identify" verb, that you can point on any file in /usr/
- and that determines from which overlayfs layer it originates, which image, and with
- what it was signed.
+ - Maybe add SwitchRootEx() as new bus call that takes env vars to set for new
+ PID 1 as argument. When adding SwitchRootEx() we should maybe also add a
+ flags param that allows disabling and enabling whether serialization is
+ requested during switch root.
- * systemd-creds: extend encryption logic to support asymmetric
- encryption/authentication. Idea: add new verb "systemd-creds public-key"
- which generates a priv/pub key pair on the TPM2 and stores the priv key
- locally in /var. It then outputs a certificate for the pub part to stdout.
- This can then be copied/taken elsewhere, and can be used for encrypting creds
- that only the host on its specific hw can decrypt. Then, support a drop-in
- dir with certificates that can be used to authenticate credentials. Flow of
- operations is then this: build image with owner certificate, then after
- boot up issue "systemd-creds public-key" to acquire pubkey of the machine.
- Then, when passing data to the machine, sign with privkey belonging to one of
- the dropped in certs and encrypted with machine pubkey, and pass to machine.
- Machine is then able to authenticate you, and confidentiality is guaranteed.
+ - maybe allow timer units with an empty Units= setting, so that they
+ can be used for resuming the system but nothing else.
- * building on top of the above, the pub/priv key pair generated on the TPM2
- should probably also one you can use to get a remote attestation quote.
+ - maybe beef up sd-event: optionally, allow sd-event to query the timestamp of
+ next pending datagram inside a SOCK_DGRAM IO fd, and order event source
+ dispatching by that. Enable this on the native + syslog sockets in journald,
+ so that we add correct ordering between the two. Use MSG_PEEK + SCM_TIMESTAMP
+ for this.
- * Process credentials in:
- • crypttab-generator: allow defining additional crypttab-like volumes via
- credentials (similar: verity-generator, integrity-generator). Use
- fstab-generator logic as inspiration.
- • run-generator: allow defining additional commands to run via a credential
- • resolved: allow defining additional /etc/hosts entries via a credential (it
- might make sense to then synthesize a new combined /etc/hosts file in /run
- and bind mount it on /etc/hosts for other clients that want to read it.
- • repart: allow defining additional partitions via credential
- • timesyncd: pick NTP server info from credential
- • portabled: read a credential "portable.extra" or so, that takes a list of
- file system paths to enable on start.
- • make systemd-fstab-generator look for a system credential encoding root= or
- usr=
- • in gpt-auto-generator: check partition uuids against such uuids supplied via
- sd-stub credentials. That way, we can support parallel OS installations with
- pre-built kernels.
+ - maybe define a /etc/machine-info field for the ANSI color to associate with a
+ hostname. Then use it for the shell prompt to highlight the hostname. If no
+ color is explicitly set, hash a color automatically from the hostname as a
+ fallback, in a reasonable way. Take inspiration from the ANSI_COLOR= field
+ that already exists in /etc/os-release, i.e. use the same field name and
+ syntax. When hashing the color, use the hsv_to_rgb() helper we already have,
+ fixate S and V to something reasonable and constant, and derive the H from
+ the hostname. Ultimate goal with this: give people a visual hint about the
+ system they are on if the have many to deal with, by giving each a color
+ identity. This code should be placed in hostnamed, so that clients can query
+ the color via varlink or dbus.
- * define a JSON format for units, separating out unit definitions from unit
- runtime state. Then, expose it:
+ - maybe do not install getty@tty1.service symlink in /etc but in /usr?
- 1. Add Describe() method to Unit D-Bus object that returns a JSON object
- about the unit.
- 2. Expose this natively via Varlink, in similar style
- 3. Use it when invoking binaries (i.e. make PID 1 fork off systemd-executor
- binary which reads the JSON definition and runs it), to address the cow
- trap issue and the fact that NSS is actually forbidden in
- forked-but-not-exec'ed children
- 4. Add varlink API to run transient units based on provided JSON definitions
+ - maybe extend .path units to expose fanotify() per-mount change events
- * Add SUPPORT_END_URL= field to os-release with more *actionable* information
- what to do if support ended
+ - maybe extend the capsule concept to the per-user instance too: invokes a
+ systemd --user instance with a subdir of $HOME as $HOME, and a subdir of
+ $XDG_RUNTIME_DIR as $XDG_RUNTIME_DIR.
- * pam_systemd: on interactive logins, maybe show SUPPORT_END information at
- login time, à la motd
+ - Maybe extend the service protocol to support handling of some specific SIGRT
+ signal for setting service log level, that carries the level via the
+ sigqueue() data parameter. Enable this via unit file setting.
- * sd-boot: instead of unconditionally deriving the ESP to search boot loader
- spec entries in from the paths of sd-boot binary, let's optionally allow it
- to be configured on sd-boot cmdline + efi var. Use case: embed sd-boot in the
- UEFI firmware (for example, ovmf supports that via qemu cmdline option), and
- use it to load stuff from the ESP.
+ - maybe implicitly attach monotonic+realtime timestamps to outgoing messages in
+ log.c and sd-journal-send
- * mount /var/ from initrd, so that we can apply sysext and stuff before the
- initrd transition. Specifically:
- 1. There should be a var= kernel cmdline option, matching root= and usr=
- 2. systemd-gpt-auto-generator should auto-mount /var if it finds it on disk
- 3. mount.x-initrd mount option in fstab should be implied for /var
+ - maybe introduce "@icky" as a seccomp filter group, which contains acct() and
+ certain other syscalls that aren't quite obsolete, but certainly icky.
- * make persistent restarts easier by adding a new setting OpenPersistentFile=
- or so, which allows opening one or more files that is "persistent" across
- service restarts, hot reboot, cold reboots (depending on configuration): the
- files are created empty on first invocation, and on subsequent invocations
- the files are reboot. The files would be backed by tmpfs, pmem or /var
- depending on desired level of persistency.
+ - Maybe introduce a helper safe_exec() or so, which is to execve() which
+ safe_fork() is to fork(). And then make revert the RLIMIT_NOFILE soft limit
+ to 1K implicitly, unless explicitly opted-out.
- * sd-event: add ability to "chain" event sources. Specifically, add a call
- sd_event_source_chain(x, y), which will automatically enable event source y
- in oneshot mode once x is triggered. Use case: in src/core/mount.c implement
- the /proc/self/mountinfo rescan on SIGCHLD with this: whenever a SIGCHLD is
- seen, trigger the rescan defer event source automatically, and allow it to be
- dispatched *before* the SIGCHLD is handled (based on priorities). Benefit:
- dispatch order is strictly controlled by priorities again. (next step: chain
- event sources to the ratelimit being over)
+ - maybe introduce a new partition that we can store debug logs and similar at
+ the very last moment of shutdown. idea would be to store reference to block
+ device (major + minor + partition id + diskseq?) in /run somewhere, than use
+ that from systemd-shutdown, just write a raw JSON blob into the partition.
+ Include timestamp, boot id and such, plus kmsg. on next boot immediately
+ import into journal. maybe use timestamp for making clock more monotonic.
+ also use this to detect unclean shutdowns, boot into special target if
+ detected
- * if we fork of a service with StandardOutput=journal, and it forks off a
- subprocess that quickly dies, we might not be able to identify the cgroup it
- comes from, but we can still derive that from the stdin socket its output
- came from. We apparently don't do that right now.
+ - maybe introduce a new per-unit drop-in directory .confext.d/ that may contain
+ symlinks to confext images to enable for the unit.
- * add PR_SET_DUMPABLE service setting
+ - Maybe introduce an InodeRef structure inspired by PidRef, which references a
+ specific inode, and combines: a path, an O_PATH fd, and possibly a FID into
+ one. Why? We often pass around path and fd separately in chaseat() and similar
+ calls. Because passing around both separately is cumbersome we sometimes only
+ one pass one, once the other and sometimes both. It would make the code a lot
+ simpler if we could path both around at the same time in a simple way, via an
+ InodeRef which *both* pins the inode via an fd, *and* gives us a friendly
+ name for it.
- * homed/userdb: maybe define a "companion" dir for home directories where apps
- can safely put privileged stuff in. Would not be writable by the user, but
- still conceptually belong to the user. Would be included in user's quota if
- possible, even if files are not owned by UID of user. Use case: container
- images that owned by arbitrary UIDs, and are owned/managed by the users, but
- are not directly belonging to the user's UID. Goal: we shouldn't place more
- privileged dirs inside of unprivileged dirs, and thus containers really
- should not be placed inside of traditional UNIX home dirs (which are owned by
- users themselves) but somewhere else, that is separate, but still close
- by. Inform user code about path to this companion dir via env var, so that
- container managers find it. the ~/.identity file is also a candidate for a
- file to move there, since it is managed by privileged code (i.e. homed) and
- not unprivileged code.
+ - maybe introduce an OSC sequence that signals when we ask for a password, so
+ that terminal emulators can maybe connect a password manager or so, and
+ highlight things specially.
- * maybe add support for binding and connecting AF_UNIX sockets in the file
- system outside of the 108ch limit. When connecting, open O_PATH fd to socket
- inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink
- to target dir in /tmp, and bind through it.
+ - maybe introduce container-shell@.service or so, to match
+ container-getty.service but skips authentication, so you get a shell prompt
+ directly. Usecase: wsl-like stuff (they have something pretty much like
+ that). Question: how to pick user for this. Instance parameter? somehow from
+ credential (would probably require some binary that converts credential to
+ User= parameter?
- * add a proper concept of a "developer" mode, i.e. where cryptographic
- protections of the root OS are weakened after interactive confirmation, to
- allow hackers to allow their own stuff. idea: allow entering developer mode
- only via explicit choice in boot menu: i.e. add explicit boot menu item for
- it. When developer mode is entered, generate a key pair in the TPM2, and add
- the public part of it automatically to keychain of valid code signature keys
- on subsequent boots. Then provide a tool to sign code with the key in the
- TPM2. Ensure that boot menu item is the only way to enter developer mode, by
- binding it to locality/PCRs so that keys cannot be generated otherwise.
+ - maybe introduce xattrs that can be set on the root dir of the root fs
+ partition that declare the volatility mode to use the image in. Previously I
+ thought marking this via GPT partition flags but that's not ideal since
+ that's outside of the LUKS encryption/verity verification, and we probably
+ shouldn't operate in a volatile mode unless we got told so from a trusted
+ source.
- * services: add support for cryptographically unlocking per-service directories
- via TPM2. Specifically, for StateDirectory= (and related dirs) use fscrypt to
- set up the directory so that it can only be accessed if host and app are in
- order.
+ - maybe prohibit setuid() to the nobody user, to lock things down, via seccomp.
+ the nobody is not a user any code should run under, ever, as that user would
+ possibly get a lot of access to resources it really shouldn't be getting
+ access to due to the userns + nfs semantics of the user. Alternatively: use
+ the seccomp log action, and allow it.
- * update HACKING.md to suggest developing systemd with the ideas from:
- https://0pointer.net/blog/testing-my-system-code-in-usr-without-modifying-usr.html
- https://0pointer.net/blog/running-an-container-off-the-host-usr.html
+ - maybe reconsider whether virtualization consoles (hvc1) are considered local
+ or remote. i.e. are they more like an ssh login, or more like a /dev/tty1
+ login? Lennart used to believe the former, but maybe the latter is more
+ appropriate? This has effect on polkit interactivity, since it would mean
+ questions via hvc0 would suddenly use the local polkit property. But this
+ also raises the question whether such sessions shall be considered active or
+ not
- * sd-event: compat wd reuse in inotify code: keep a set of removed watch
- descriptors, and clear this set piecemeal when we see the IN_IGNORED event
- for it, or when read() returns EAGAIN or on IN_Q_OVERFLOW. Then, whenever we
- see an inotify wd event check against this set, and if it is contained ignore
- the event. (to be fully correct this would have to count the occurrences, in
- case the same wd is reused multiple times before we start processing
- IN_IGNORED again)
+ - Maybe rename pkcs7 and public verbs of systemd-keyutil to be more verb like.
- * for vendor-built signed initrds:
- - kernel-install should be able to install encrypted creds automatically for
- machine id, root pw, rootfs uuid, resume partition uuid, and place next to
- EFI kernel, for sd-stub to pick them up. These creds should be locked to
- the TPM, and bind to the right PCR the kernel is measured to.
- - kernel-install should be able to pick up initrd sysexts automatically and
- place them next to EFI kernel, for sd-stub to pick them up.
- - systemd-fstab-generator should look for rootfs device to mount in creds
- - systemd-resume-generator should look for resume partition uuid in creds
+ - maybe rework systemd-modules-load to be a generator that just instantiates
+ modprobe@.service a bunch of times
- * Maybe extend the service protocol to support handling of some specific SIGRT
- signal for setting service log level, that carries the level via the
- sigqueue() data parameter. Enable this via unit file setting.
+ - maybe teach repart.d/ dropins a new setting MakeMountNodes= or so, which is
+ just like MakeDirectories=, but uses an access mode of 0000 and sets the +i
+ chattr bit. This is useful as protection against early uses of /var/ or /tmp/
+ before their contents is mounted.
- * sd_notify/vsock: maybe support binding to AF_VSOCK in Type=notify services,
- then passing $NOTIFY_SOCKET and $NOTIFY_GUESTCID with PID1's cid (typically
- fixed to "2", i.e. the official host cid) and the expected guest cid, for the
- two sides of the channel. The latter env var could then be used in an
- appropriate qemu cmdline. That way qemu payloads could talk sd_notify()
- directly to host service manager.
+ - maybe trigger a uevent "change" on a device if "systemctl reload xyz.device"
+ is issued.
- * sd-device should return the devnum type (i.e. 'b' or 'c') via some API for an
- sd_device object, so that data passed into sd_device_new_from_devnum() can
- also be queried.
+ - maybe: in PID1, when we detect we run in an initrd, make superblock read-only
+ early on, but provide opt-out via kernel cmdline.
- * sd-event: optionally, if per-event source rate limit is hit, downgrade
- priority, but leave enabled, and once ratelimit window is over, upgrade
- priority again. That way we can combat event source starvation without
- stopping processing events from one source entirely.
+ - measure all log-in attempts into a new nvpcr
- * sd-event: similar to existing inotify support add fanotify support (given
- that apparently new features in this area are only going to be added to the
- latter).
+ - measure credentials picked up from SMBIOS to some suitable PCR
- * sd-event: add 1st class event source for clock changes
+ - measure GPT and LUKS headers somewhere when we use them (i.e. in
+ systemd-gpt-auto-generator/systemd-repart and in systemd-cryptsetup?)
- * sd-event: add 1st class event source for timezone changes
+ - measure some string via pcrphase whenever we end up booting into emergency
+ mode.
- * sysext: measure all activated sysext into a TPM PCR
+ - measure some string via pcrphase whenever we resume from hibernate
- * systemd-dissect: show available versions inside of a disk image, i.e. if
- multiple versions are around of the same resource, show which ones. (in other
- words: show partition labels).
+ - Merge systemd-creds options --uid= (which accepts user names) and --user.
- * systemd-dissect: add --cat switch for dumping files such as /etc/os-release
+ - merge unit_kill_common() and unit_kill_context()
- * per-service sandboxing option: ProtectIds=. If used, will overmount
- /etc/machine-id and /proc/sys/kernel/random/boot_id with synthetic files, to
- make it harder for the service to identify the host. Depending on the user
- setting it should be fully randomized at invocation time, or a hash of the
- real thing, keyed by the unit name or so. Of course, there are other ways to
- get these IDs (e.g. journal) or similar ids (e.g. MAC addresses, DMI ids, CPU
- ids), so this knob would only be useful in combination with other lockdown
- options. Particularly useful for portable services, and anything else that
- uses RootDirectory= or RootImage=. (Might also over-mount
- /sys/class/dmi/id/*{uuid,serial} with /dev/null).
+ - MessageQueueMessageSize= (and suchlike) should use parse_iec_size().
- * doc: prep a document explaining resolved's internal objects, i.e. Query
- vs. Question vs. Transaction vs. Stream and so on.
+ - mount /tmp/ and /var/tmp with a uidmap applied that blocks out "nobody" user
+ among other things such as dynamic uid ranges for containers and so on. That
+ way no one can create files there with these uids and we enforce they are only
+ used transiently, never persistently.
- * doc: prep a document explaining PID 1's internal logic, i.e. transactions,
- jobs, units
+ - mount /var/ from initrd, so that we can apply sysext and stuff before the
+ initrd transition. Specifically:
+ 1. There should be a var= kernel cmdline option, matching root= and usr=
+ 2. systemd-gpt-auto-generator should auto-mount /var if it finds it on disk
+ 3. mount.x-initrd mount option in fstab should be implied for /var
- * automatically ignore threaded cgroups in cg_xyz().
+ - mount most file systems with a restrictive uidmap. e.g. mount /usr/ with a
+ uidmap that blocks out anything outside 0…1000 (i.e. system users) and similar.
- * add linker script that implicitly adds symbol for build ID and new coredump
- json package metadata, and use that when logging
+ - mount the root fs with MS_NOSUID by default, and then mount /usr/ without
+ both so that suid executables can only be placed there. Do this already in
+ the initrd. If /usr/ is not split out create a bind mount automatically.
- * Enable RestrictFileSystems= for all our long-running services (similar:
- RestrictNetworkInterfaces=)
+ - mount: turn dependency information from /proc/self/mountinfo into dependency information between systemd units.
- * Add systemd-analyze security checks for RestrictFileSystems= and
- RestrictNetworkInterfaces=
+ - MountFlags=shared acts as MountFlags=slave right now.
- * cryptsetup/homed: implement TOTP authentication backed by TPM2 and its
- internal clock.
+ - **mountfsd/nsresourced:**
+ - userdb: maybe allow callers to map one uid to their own uid
+ - bpflsm: allow writes if resulting UID on disk would be userns' owner UID
+ - make encrypted DDIs work (password…)
+ - add API for creating a new file system from scratch (together with some
+ dm-integrity/HMAC key). Should probably work using systemd-repart (access
+ via varlink).
+ - add api to make an existing file "trusted" via dm-integry/HMAC key
+ - port: portabled
+ - port: tmpfiles, sysusers and similar
+ - lets see if we can make runtime bind mounts into unpriv nspawn work
- * man: rework os-release(5), and clearly separate our extension-release.d/ and
- initrd-release parts, i.e. list explicitly which fields are about what.
+ - move documentation about our common env vars (SYSTEMD_LOG_LEVEL,
+ SYSTEMD_PAGER, …) into a man page of its own, and just link it from our
+ various man pages that so far embed the whole list again and again, in an
+ attempt to reduce clutter and noise a bid.
- * sysext: before applying a sysext, do a superficial validation run so that
- things are not rearranged to wildy. I.e. protect against accidental fuckups,
- such as masking out /usr/lib/ or so. We should probably refuse if existing
- inodes are replaced by other types of inodes or so.
+ - move multiseat vid/pid matches from logind udev rule to hwdb
- * userdb: when synthesizing NSS records, pick "best" password from defined
- passwords, not just the first. i.e. if there are multiple defined, prefer
- unlocked over locked and prefer non-empty over empty.
+ - Move RestrictAddressFamily= to the new cgroup create socket
- * homed: if the homed shell fallback thing has access to an SSH agent, try to
- use it to unlock home dir (if ssh-agent forwarding is enabled). We
- could implement SSH unlocking of a homedir with that: when enrolling a new
- ssh pubkey in a user record we'd ask the ssh-agent to sign some random value
- with the privkey, then use that as luks key to unlock the home dir. Will not
- work for ECDSA keys since their signatures contain a random component, but
- will work for RSA and Ed25519 keys.
+ - networkd's resolved hook: optionally map all lease IP addresses handed out to
+ the same hostname which is configured on the .network file. Optionally, even
+ derive this single name from the network interface name (i.e. probably
+ altname or so). This way, when spawning a VM the host could pick the hostname
+ for it and the client gets no say.
- * userdbd: implement an additional varlink service socket that provides the
- host user db in restricted form, then allow this to be bind mounted into
- sandboxed environments that want the host database in minimal form. All
- records would be stripped of all meta info, except the basic UID/name
- info. Then use this in portabled environments that do not use PrivateUsers=1.
+ - networkd/machined: implement reverse name lookups in the resolved hook
- * portabled: when extracting unit files and copying to system.attached, if a
- .p7s is available in the image, use it to protect the system.attached copy
- with fs-verity, so that it cannot be tampered with
-
- * /etc/veritytab: allow that the roothash column can be specified as fs path
- including a path to an AF_UNIX path, similar to how we do things with the
- keys of /etc/crypttab. That way people can store/provide the roothash
- externally and provide to us on demand only.
+ - networkd: maintain a file in /run/ that can be symlinked into /run/issue.d/
+ that always shows the current primary IP address
- * rework recursive read-only remount to use new mount API
+ - **networkd:**
+ - add more keys to [Route] and [Address] sections
+ - add support for more DHCPv4 options (and, longer term, other kinds of dynamic config)
+ - add reduced [Link] support to .network files
+ - properly handle routerless dhcp leases
+ - work with non-Ethernet devices
+ - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from?
+ - the DHCP lease data (such as NTP/DNS) is still made available when
+ a carrier is lost on a link. It should be removed instantly.
+ - expose in the API the following bits:
+ - option 15, domain name
+ - option 12, hostname and/or option 81, fqdn
+ - option 123, 144, geolocation
+ - option 252, configure http proxy (PAC/wpad)
+ - provide a way to define a per-network interface default metric value
+ for all routes to it. possibly a second default for DHCP routes.
+ - allow Name= to be specified repeatedly in the [Match] section. Maybe also
+ support Name=foo*|bar*|baz ?
+ - whenever uplink info changes, make DHCP server send out FORCERENEW
+
+ - nspawn/vmspawn/pid1: add ability to easily insert fully booted VMs/FOSC into
+ shell pipelines, i.e. add easy to use switch that turns off console status
+ output, and generates the right credentials for systemd-run-generator so that
+ a program is invoked, and its output captured, with correct EOF handling and
+ exit code propagation
- * when mounting disk images: if IMAGE_ID/IMAGE_VERSION is set in os-release
- data in the image, make sure the image filename actually matches this, so
- that images cannot be misused.
+ - nspawn/vmspawn: define hotkey that one can hit on the primary interface to
+ ask for a friendly, acpi style shutdown.
- * sysupdate:
- - add fuzzing to the pattern parser
- - support casync as download mechanism
- - "systemd-sysupdate update --all" support, that iterates through all components
- defined on the host, plus all images installed into /var/lib/machines/,
- /var/lib/portable/ and so on.
- - Allow invocation with a single transfer definition, i.e. with
- --definitions= pointing to a file rather than a dir.
- - add ability to disable implicit decompression of downloaded artifacts,
- i.e. a Compress=no option in the transfer definitions
+ - **nspawn:**
+ - emulate /dev/kmsg using CUSE and turn off the syslog syscall
+ with seccomp. That should provide us with a useful log buffer that
+ systemd can log to during early boot, and disconnect container logs
+ from the kernel's logs.
+ - as soon as networkd has a bus interface, hook up --network-interface=,
+ --network-bridge= with networkd, to trigger netdev creation should an
+ interface be missing
+ - a nice way to boot up without machine id set, so that it is set at boot
+ automatically for supporting --ephemeral. Maybe hash the host machine id
+ together with the machine name to generate the machine id for the container
+ - fix logic always print a final newline on output.
+ https://github.com/systemd/systemd/pull/272#issuecomment-113153176
+ - should optionally support receiving WATCHDOG=1 messages from its payload
+ PID 1...
+ - optionally automatically add FORWARD rules to iptables whenever nspawn is
+ running, remove them when shut down.
+ - add support for sysext extensions, too. i.e. a new --extension= switch that
+ takes one or more arguments, and applies the extensions already during
+ startup.
+ - when main nspawn supervisor process gets suspended due to SIGSTOP/SIGTTOU
+ or so, freeze the payload too.
+ - support time namespaces
+ - on cgroupsv1 issue cgroup empty handler process based on host events, so
+ that we make cgroup agent logic safe
+ - add API to invoke binary in container, then use that as fallback in
+ "machinectl shell"
+ - make nspawn suitable for shell pipelines: instead of triggering a hangup
+ when input is finished, send ^D, which synthesizes an EOF. Then wait for
+ hangup or ^D before passing on the EOF.
+ - greater control over selinux label?
+ - support that /proc, /sys/, /dev are pre-mounted
+ - maybe allow TPM passthrough, backed by swtpm, and measure --image= hash
+ into its PCR 11, so that nspawn instances can be TPM enabled, and partake
+ in measurements/remote attestation and such. swtpm would run outside of
+ control of container, and ideally would itself bind its encryption keys to
+ host TPM.
+ - make boot assessment do something sensible in a container. i.e send an
+ sd_notify() from payload to container manager once boot-up is completed
+ successfully, and use that in nspawn for dealing with boot counting,
+ implemented in the partition table labels and directory names.
+ - optionally set up nftables/iptables routes that forward UDP/TCP traffic on
+ port 53 to resolved stub 127.0.0.54
+ - maybe optionally insert .nspawn file as GPT partition into images, so that
+ such container images are entirely stand-alone and can be updated as one.
+ - The subreaper logic we currently have seems overly complex. We should
+ investigate whether creating the inner child with CLONE_PARENT isn't better.
+ - Reduce the number of sockets that are currently in use and just rely on one
+ or two sockets.
+ - map foreign UID range through 1:1
+ - systemd-nspawn should get the same SSH key support that vmspawn now has.
- * in sd-id128: also parse UUIDs in RFC4122 URN syntax (i.e. chop off urn:uuid: prefix)
+ - oci: add support for "importctl import-oci" which implements the "OCI layout"
+ spec (i.e. acquiring via local fs access), as opposed to the current
+ "importctl pull-oci" which focusses on the "OCI image spec", i.e. downloads
+ from the web (i.e. acquiring via URLs).
- * whenever we receive fds via SCM_RIGHTS make sure none got dropped due to the
- reception limit the kernel silently enforces.
+ - oci: add support for blake hashes for layers
- * Add service unit setting ConnectStream= which takes IP addresses and connects to them.
+ - oci: support "data" in any OCI descriptor, not just manifest config.
- * Similar, Load= which takes literal data in text or base64 format, and puts it
- into a memfd, and passes that. This enables some fun stuff, such as embedding
- bash scripts in unit files, by combining Load= with ExecStart=/bin/bash
- /proc/self/fd/3
+ - On boot, auto-generate an asymmetric key pair from the TPM,
+ and use it for validating DDIs and credentials. Maybe upload it to the kernel
+ keyring, so that the kernel does this validation for us for verity and kernel
+ modules
- * add a ConnectSocket= setting to service unit files, that may reference a
- socket unit, and which will connect to the socket defined therein, and pass
- the resulting fd to the service program via socket activation proto.
+ - on first login of a user, measure its identity to some nvpcr
- * Add a concept of ListenStream=anonymous to socket units: listen on a socket
- that is deleted in the fs. Use case would be with ConnectSocket= above.
+ - on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?)
- * importd: support image signature verification with PKCS#7 + OpenBSD signify
- logic, as alternative to crummy gpg
+ - once swtpm's sd_notify() support has landed in the distributions, remove the
+ invocation in tpm2-swtpm.c and let swtpm handle it.
- * add "systemd-analyze debug" + AttachDebugger= in unit files: The former
- specifies a command to execute; the latter specifies that an already running
- "systemd-analyze debug" instance shall be contacted and execution paused
- until it gives an OK. That way, tools like gdb or strace can be safely be
- invoked on processes forked off PID 1.
+ - Once the root fs LUKS volume key is measured into PCR 15, default to binding
+ credentials to PCR 15 in "systemd-creds"
- * expose MS_NOSYMFOLLOW in various places
+ - optionally, also require WATCHDOG=1 notifications during service start-up and shutdown
- * credentials system:
- - acquire from EFI variable?
- - acquire via ask-password?
- - acquire creds via keyring?
- - pass creds via keyring?
- - pass creds via memfd?
- - acquire + decrypt creds from pkcs11?
- - make macsec code in networkd read key via creds logic (copy logic from
- wireguard)
- - make gatewayd/remote read key via creds logic
- - add sd_notify() command for flushing out creds not needed anymore
+ - optionally, collect cgroup resource data, and store it in per-unit RRD files,
+ suitable for processing with rrdtool. Add bus API to access this data, and
+ possibly implement a CPULoad property based on it.
- * TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades
- and such
+ - optionally: turn on cgroup delegation for per-session scope units
- * introduce a new group to own TPM devices
+ - pam_systemd: on interactive logins, maybe show SUPPORT_END information at
+ login time, à la motd
- * cryptsetup: add option for automatically removing empty password slot on boot
+ - pam_systemd_home: add module parameter to control whether to only accept
+ only password or only pcks11/fido2 auth, and then use this to hook nicely
+ into two of the three PAM stacks gdm provides.
+ See discussion at https://github.com/authselect/authselect/pull/311
- * cryptsetup: optionally, when run during boot-up and password is never
- entered, and we are on battery power (or so), power off machine again
+ - paranoia: whenever we process passwords, call mlock() on the memory
+ first. i.e. look for all places we use free_and_erasep() and
+ augment them with mlock(). Also use MADV_DONTDUMP.
+ Alternatively (preferably?) use memfd_secret().
- * cryptsetup: when waiting for FIDO2/PKCS#11 token, tell plymouth that, and
- allow plymouth to abort the waiting and enter pw instead
+ - pcrextend/tpm2-util: add a concept of "rotation" to event log. i.e. allow
+ trailing parts of the logs if time or disk space limit is hit. Protect the
+ boot-time measurements however (i.e. up to some point where things are
+ settled), since we need those for pcrlock measurements and similar. When
+ deleting entries for rotation, place an event that declares how many items
+ have been dropped, and what the hash before and after that.
- * make cryptsetup lower --iter-time
+ - pcrextend: after measuring get an immediate quote from the TPM, and validate
+ it. if it doesn't check out, i.e. the measurement we made doesn't appear in
+ the PCR then also reboot.
- * cryptsetup: allow encoding key directly in /etc/crypttab, maybe with a
- "base64:" prefix. Useful in particular for pkcs11 mode.
+ - pcrextend: maybe add option to disable measurements entirely via kernel cmdline
- * cryptsetup: reimplement the mkswap/mke2fs in cryptsetup-generator to use
- systemd-makefs.service instead.
+ - pcrextend: when we fail to measure, reboot the system (at least optionally).
+ important because certain measurements are supposed to "destroy" tpm object
+ access.
- * cryptsetup:
- - cryptsetup-generator: allow specification of passwords in crypttab itself
- - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator
+ - pcrlock: add support for multi-profile UKIs
- * systemd-analyze netif that explains predictable interface (or networkctl)
+ - **pcrlock:**
+ - add kernel-install plugin that automatically creates UKI .pcrlock file when
+ UKI is installed, and removes it when it is removed again
+ - automatically install PE measurement of sd-boot on "bootctl install"
+ - pre-calc sysext + kernel cmdline measurements
+ - pre-calc cryptsetup root key measurement
+ - maybe make systemd-repart generate .pcrlock for old and new GPT header in
+ /run?
+ - Add support for more than 8 branches per PCR OR
+ - add "systemd-pcrlock lock-kernel-current" or so which synthesizes .pcrlock
+ policy from currently booted kernel/event log, to close gap for first boot
+ for pre-built images
- * systemd-analyze inspect-elf should show other notes too, at least build-id.
+ - per-service sandboxing option: ProtectIds=. If used, will overmount
+ /etc/machine-id and /proc/sys/kernel/random/boot_id with synthetic files, to
+ make it harder for the service to identify the host. Depending on the user
+ setting it should be fully randomized at invocation time, or a hash of the
+ real thing, keyed by the unit name or so. Of course, there are other ways to
+ get these IDs (e.g. journal) or similar ids (e.g. MAC addresses, DMI ids, CPU
+ ids), so this knob would only be useful in combination with other lockdown
+ options. Particularly useful for portable services, and anything else that
+ uses RootDirectory= or RootImage=. (Might also over-mount
+ /sys/class/dmi/id/*{uuid,serial} with /dev/null).
- * Figure out naming of verbs in systemd-analyze: we have (singular) capability,
- exit-status, but (plural) filesystems, architectures.
+ - Permit masking specific netlink APIs with RestrictAddressFamily=
- * special case some calls of chase() to use openat2() internally, so
- that the kernel does what we otherwise do.
+ - pick up creds from EFI vars
- * add a new flag to chase() that stops chasing once the first missing
- component is found and then allows the caller to create the rest.
+ - PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn)
- * make use of new glibc 2.32 APIs sigabbrev_np().
+ - **pid1:**
+ - When logging about multiple units (stopping BoundTo units, conflicts, etc.),
+ log both units as UNIT=, so that journalctl -u triggers on both.
+ - generate better errors when people try to set transient properties
+ that are not supported...
+ https://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html
+ - recreate systemd's D-Bus private socket file on SIGUSR2
+ - when we automatically restart a service, ensure we restart its rdeps, too.
+ - hide PAM options in fragment parser when compile time disabled
+ - Support --test based on current system state
+ - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle().
+ - after deserializing sockets in socket.c we should reapply sockopts and things
+ - drop PID 1 reloading, only do reexecing (difficult: Reload()
+ currently is properly synchronous, Reexec() is weird, because we
+ cannot delay the response properly until we are back, so instead of
+ being properly synchronous we just keep open the fd and close it
+ when done. That means clients do not get a successful method reply,
+ but much rather a disconnect on success.
+ - when breaking cycles drop services from /run first, then from /etc, then from /usr
+ - when a bus name of a service disappears from the bus make sure to queue further activation requests
+ - maybe introduce CoreScheduling=yes/no to optionally set a PR_SCHED_CORE cookie, so that all
+ processes in a service's cgroup share the same cookie and are guaranteed not to share SMT cores
+ with other units https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/hw-vuln/core-scheduling.rst
+ - ExtensionImages= deduplication for services is currently only applied to disk images without GPT envelope.
+ This should be extended to work with proper DDIs too, as well as directory confext/sysext. Moreover,
+ system-wide confext/sysext should support this too.
+ - Pin the mount namespace via FD by sending it back from sd-exec to the manager, and use it
+ for live mounting, instead of doing it via PID
+ - also remove PID files of a service when the service starts, not just
+ when it exits
+ - activation by journal search expression
+ - lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up
+ - find a way how we can reload unit file configuration for
+ specific units only, without reloading the whole of systemd
+
+ - **PidRef conversion work:**
+ - cg_pid_get_xyz()
+ - pid_from_same_root_fs()
+ - get_ctty_devnr()
+ - actually wait for POLLIN on pidref's pidfd in service logic
+ - openpt_allocate_in_namespace()
+ - unit_attach_pid_to_cgroup_via_bus()
+ - cg_attach() – requires new kernel feature
+ - journald's process cache
- * if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
+ - port copy.c over to use LabelOps for all labelling.
- * pid1: also remove PID files of a service when the service starts, not just
- when it exits
+ - portable services: attach not only unit files to host, but also simple
+ binaries to a tmpfs path in $PATH.
- * seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can.
- Apparently kernel performance is much better with fewer larger seccomp
- filters than with more smaller seccomp filters.
+ - portabled: when extracting unit files and copying to system.attached, if a
+ .p7s is available in the image, use it to protect the system.attached copy
+ with fs-verity, so that it cannot be tampered with
- * systemd-path: Add "private" runtime/state/cache dir enum, mapping to
- $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such
+ - print a nicer explanation if people use variable/specifier expansion in ExecStart= for the first word
- * seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out
+ - **Process credentials in:**
+ - crypttab-generator: allow defining additional crypttab-like volumes via
+ credentials (similar: verity-generator, integrity-generator). Use
+ fstab-generator logic as inspiration.
+ - run-generator: allow defining additional commands to run via a credential
+ - resolved: allow defining additional /etc/hosts entries via a credential (it
+ might make sense to then synthesize a new combined /etc/hosts file in /run
+ and bind mount it on /etc/hosts for other clients that want to read it.
+ - repart: allow defining additional partitions via credential
+ - timesyncd: pick NTP server info from credential
+ - portabled: read a credential "portable.extra" or so, that takes a list of
+ file system paths to enable on start.
+ - make systemd-fstab-generator look for a system credential encoding root= or
+ usr=
+ - in gpt-auto-generator: check partition uuids against such uuids supplied via
+ sd-stub credentials. That way, we can support parallel OS installations with
+ pre-built kernels.
- * seccomp: don't install filters for ABIs that are masked anyway for the
- specific service
+ - properly handle loop back mounts via fstab, especially regards to fsck/passno
- * busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
- exists and responds.
+ - properly serialize the ExecStatus data from all ExecCommand objects
+ associated with services, sockets, mounts and swaps. Currently, the data is
+ flushed out on reload, which is quite a limitation.
- * socket units: allow creating a udev monitor socket with ListenDevices= or so,
- with matches, then activate app through that passing socket over
+ - ProtectClock= (drops CAP_SYS_TIMES, adds seccomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
- * unify on openssl:
- - figure out what to do about libmicrohttpd:
- - 1.x is stable and has a hard dependency on gnutls
- - 2.x is in development and has openssl support
- - Worth testing against 2.x in our CI?
- - port fsprg over to openssl
+ - ProtectKeyRing= to take keyring calls away
- * add growvol and makevol options for /etc/crypttab, similar to
- x-systemd.growfs and x-systemd-makefs.
+ - ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
- * userdb: allow existence checks
+ - ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill
+ on PID 1 with the relevant signals, and makes relevant files in /sys and
+ /proc (such as the sysrq stuff) unavailable
- * pid1: activation by journal search expression
+ - ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
- * when switching root from initrd to host, set the machine_id env var so that
- if the host has no machine ID set yet we continue to use the random one the
- initrd had set.
+ - ptyfwd: use osc context information in vmspawn/nspawn/… to optionally only
+ listen to ^]]] key when no further vmspawn/nspawn context is allocated
- * sd-event: add native support for P_ALL waitid() watching, then move PID 1 to
- it for reaping assigned but unknown children. This needs to some special care
- to operate somewhat sensibly in light of priorities: P_ALL will return
- arbitrary processes, regardless of the priority we want to watch them with,
- hence on each event loop iteration check all processes which we shall watch
- with higher prio explicitly, and then watch the entire rest with P_ALL.
+ - ptyfwd: usec osc context information to propagate status messages from
+ vmspawn/nspawn to service manager's "status" string, reporting what is
+ currently in the fg
- * tweak sd-event's child watching: keep a prioq of children to watch and use
- waitid() only on the children with the highest priority until one is waitable
- and ignore all lower-prio ones from that point on
+ - pull-oci: progress notification
- * maybe introduce xattrs that can be set on the root dir of the root fs
- partition that declare the volatility mode to use the image in. Previously I
- thought marking this via GPT partition flags but that's not ideal since
- that's outside of the LUKS encryption/verity verification, and we probably
- shouldn't operate in a volatile mode unless we got told so from a trusted
- source.
+ - redefine /var/lib/extensions/ as the dir one can place all three of sysext,
+ confext as well is multi-modal DDIs that qualify as both. Then introduce
+ /var/lib/sysexts/ which can be used to place only DDIs that shall be used as
+ sysext
- * coredump: maybe when coredumping read a new xattr from /proc/$PID/exe that
- may be used to mark a whole binary as non-coredumpable. Would fix:
- https://bugs.freedesktop.org/show_bug.cgi?id=69447
+ - refcounting in sd-resolve is borked
- * teach parse_timestamp() timezones like the calendar spec already knows it
+ - refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up
- * We should probably replace /etc/rc.d/README with a symlink to doc
- content. After all it is constant vendor data.
+ - remove any syslog support from log.c — we probably cannot do this before split-off udev is gone for good
- * maybe add kernel cmdline params: to force random seed crediting
+ - remove tomoyo support, it's obsolete and unmaintained apparently
- * let's not GC a unit while its ratelimits are still pending
+ - RemoveKeyRing= to remove all keyring entries of the specified user
- * when killing due to service watchdog timeout maybe detect whether target
- process is under ptracing and then log loudly and continue instead.
+ - repart + cryptsetup: support file systems that are encrypted and use verity
+ on top. Usecase: confexts that shall be signed by the admin but also be
+ confidential. Then, add a new --make-ddi=confext-encrypted for this.
- * make rfkill uaccess controllable by default, i.e. steal rule from
- gnome-bluetooth and friends
+ - repart/gpt-auto/DDIs: maybe introduce a concept of "extension" partitions,
+ that have a new type uuid and can "extend" earlier partitions, to work around
+ the fact that systemd-repart can only grow the last partition defined. During
+ activation we'd simply set up a dm-linear mapping to merge them again. A
+ partition that is to be extended would just set a bit in the partition flags
+ field to indicate that there's another extension partition to look for. The
+ identifying UUID of the extension partition would be hashed in counter mode
+ from the uuid of the original partition it extends. Inspiration for this is
+ the "dynamic partitions" concept of new Android. This would be a minimalistic
+ concept of a volume manager, with the extents it manages being exposes as GPT
+ partitions. I a partition is extended multiple times they should probably
+ grow exponentially in size to ensure O(log(n)) time for finding them on
+ access.
- * make MAINPID= message reception checks even stricter: if service uses User=,
- then check sending UID and ignore message if it doesn't match the user or
- root.
+ - repart: introduce concept of "ghost" partitions, that we setup in almost all
+ ways like other partitions, but do not actually register in the actual gpt
+ table, but only tell the kernel about via BLKPG ioctl. These partitions are
+ disk backed (hence can be large), but not persistent (as they are invisible
+ on next boot). Could be used by live media and similar, to boot up as usual
+ but automatically start at zero on each boot. There should also be a way to
+ make ghost partitions properly persistent on request.
- * maybe trigger a uevent "change" on a device if "systemctl reload xyz.device"
- is issued.
+ - repart: introduce MigrateFileSystem= or so which is a bit like
+ CopyFiles=/CopyBlocks= but operates via btrfs device logic: adds target as
+ new device then removes source from btrfs. Usecase: a live medium which uses
+ "ghost" partitions as suggested above, which can become persistent on request
+ on another device.
- * when importing an fs tree with machined, optionally apply userns-rec-chown
+ - replace all \x1b, \x1B, \033 C string escape sequences in our codebase with a
+ more readable \e. It's a GNU extension, but a ton more readable than the
+ others, and most importantly it doesn't result in confusing errors if you
+ suffix the escape sequence with one more decimal digit, because compilers
+ think you might actually specify a value outside the 8bit range with that.
- * when importing an fs tree with machined, complain if image is not an OS
-
- * Maybe introduce a helper safe_exec() or so, which is to execve() which
- safe_fork() is to fork(). And then make revert the RLIMIT_NOFILE soft limit
- to 1K implicitly, unless explicitly opted-out.
+ - replace all uses of fopen_temporary() by fopen_tmpfile_linkable() +
+ flink_tmpfile() and then get rid of fopen_temporary(). Benefit: use O_TMPFILE
+ pervasively, and avoid rename() wherever we can.
- * rework seccomp/nnp logic that even if User= is used in combination with
- a seccomp option we don't have to set NNP. For that, change uid first while
- keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap.
+ - replace bootctl's PE version check to actually use APIs from pe-binary.[ch]
+ to find binary version.
- * when no locale is configured, default to UEFI's PlatformLang variable
+ - replace symlink_label(), mknodat_label(), btrfs_subvol_make_label(),
+ mkdir_label() and related calls by flags-based calls that use
+ label_ops_pre()/label_ops_post().
- * add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and
- usefaultd() and make systemd-analyze check for it.
+ - report: have something that requests cloud workload identity bearer tokens
+ and includes it in the report
- * paranoia: whenever we process passwords, call mlock() on the memory
- first. i.e. look for all places we use free_and_erasep() and
- augment them with mlock(). Also use MADV_DONTDUMP.
- Alternatively (preferably?) use memfd_secret().
+ - **report:**
+ - plug "facts" into systemd-report too, i.e. stuff that is more static, such as hostnames, ssh keys and so on.
+ - pass filtering hints to services, so that they can also be applied server-side, not just client side
+ - metrics from pid1: suppress metrics form units that are inactive and have nothing to report
+ - add "hint-suppress-zero" flag (which suppresses all metrics which are zero)
+ - add "hint-object" parameter (which only queries info about certain object)
+ - make systemd-report a varlink service
- * Move RestrictAddressFamily= to the new cgroup create socket
+ - Reset TPM2 DA bit on each successful boot
- * optionally: turn on cgroup delegation for per-session scope units
+ - **resolved:**
+ - mDNS/DNS-SD
+ - service registration
+ - service/domain/types browsing
+ - avahi compat
+ - DNS-SD service registration from socket units
+ - resolved should optionally register additional per-interface LLMNR
+ names, so that for the container case we can establish the same name
+ (maybe "host") for referencing the server, everywhere.
+ - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?)
+ - make resolved process DNR DHCP info
+ - report ttl in resolution replies if we know it. This data is useful
+ for tools such as wireguard which want to periodically re-resolve DNS names,
+ and might want to use the TTL has hint for that.
+ - take possession of some IPv6 ULA address (let's say
+ fd00:5353:5353:5353:5353:5353:5353:5353), and listen on port 53 on it for the
+ local stubs, so that we can make the stub available via ipv6 too.
+
+ - revisit how we pass fs images and initrd to the kernel. take uefi http boot
+ ramdisks as inspiration: for any confext/sysext/initrd erofs/DDI image simply
+ generate a fake pmem region in the UEFI memory tables, that Linux then turns
+ into /dev/pmemX. Then turn of cpio-based initrd logic in linux kernel,
+ instead let kernel boot directly into /dev/pmem0. In order to allow our usual
+ cpio-based parameterization, teach PID 1 to just uncompress cpio ourselves
+ early on, from another pmem device. (Related to this, maybe introduce a new
+ PE section .ramdisk that just synthesizes pmem devices from arbitrary
+ blobs. Could be particularly useful in add-ons)
- * sd-boot: optionally, show boot menu when previous default boot item has
- non-zero "tries done" count
+ - rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its
+ magic meaning and is no longer upgraded to something else if set explicitly.
- * augment CODE_FILE=, CODE_LINE= with something like CODE_BASE= or so which
- contains some identifier for the project, which allows us to include
- clickable links to source files generating these log messages. The identifier
- could be some abberviated URL prefix or so (taking inspiration from Go
- imports). For example, for systemd we could use
- CODE_BASE=github.com/systemd/systemd/blob/98b0b1123cc or so which is
- sufficient to build a link by prefixing "http://" and suffixing the
- CODE_FILE.
+ - rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the
+ kernel doesn't support linkat() that replaces existing files, currently)
- * Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can
- make clickable links from log messages carrying a MESSAGE_ID, that lead to
- some explanatory text online.
+ - rework journalctl -M to be based on a machined method that generates a mount
+ fd of the relevant journal dirs in the container with uidmapping applied to
+ allow the host to read it, while making everything read-only.
- * maybe extend .path units to expose fanotify() per-mount change events
+ - rework loopback support in fstab: when "loop" option is used, then
+ instantiate a new systemd-loop@.service for the source path, set the
+ lo_file_name field for it to something recognizable derived from the fstab
+ line, and then generate a mount unit for it using a udev generated symlink
+ based on lo_file_name.
- * hibernate/s2h: if swap is on weird storage and refuse if so
+ - rework recursive read-only remount to use new mount API
- * cgroups: use inotify to get notified when somebody else modifies cgroups
- owned by us, then log a friendly warning.
+ - rework seccomp/nnp logic that even if User= is used in combination with
+ a seccomp option we don't have to set NNP. For that, change uid first while
+ keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap.
- * beef up log.c with support for stripping ANSI sequences from strings, so that
- it is OK to include them in log strings. This would be particularly useful so
- that our log messages could contain clickable links for example for unit
- files and suchlike we operate on.
+ - rewrite bpf-devices in libbpf/C code, rather than home-grown BPF assembly, to
+ match bpf-restrict-fs, bpf-restrict-ifaces, bpf-socket-bind
- * add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration)
+ - rewrite bpf-firewall in libbpf/C code
- * sync dynamic uids/gids between host+portable service (i.e. if DynamicUser=1 is set for a service, make sure that the
- selected user is resolvable in the service even if it ships its own /etc/passwd)
+ - rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it
- * Fix DECIMAL_STR_MAX or DECIMAL_STR_WIDTH. One includes a trailing NUL, the
- other doesn't. What a disaster. Probably to exclude it.
+ - rough proposed implementation design for remote attestation infra: add a tool
+ that generates a quote of local PCRs and NvPCRs, along with synchronous log
+ snapshot. use "audit session" logic for that, so that we get read-outs and
+ signature in one step. Then turn this into a JSON object. Use the "TCG TSS 2.0
+ JSON Data Types and Policy Language" format to encode the signature. And CEL
+ for the measurement log.
- * Check that users of inotify's IN_DELETE_SELF flag are using it properly, as
- usually IN_ATTRIB is the right way to watch deleted files, as the former only
- fires when a file is actually removed from disk, i.e. the link count drops to
- zero and is not open anymore, while the latter happens when a file is
- unlinked from any dir.
+ - run0: maybe enable utmp for run0 sessions, so that they are easily visible.
- * systemctl, machinectl, loginctl: port "status" commands over to
- format-table.c's vertical output logic.
+ - sd-boot/sd-stub: install a uefi "handle" to a sidecar dir of bls type #1
+ entries with an "uki" or "uki-url" stanza, and make sd-stub look for
+ that. That way we can parameterize type #1 entries nicely.
- * pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up
+ - **sd-boot:**
+ - do something useful if we find exactly zero entries (ignoring items
+ such as reboot/poweroff/factory reset). Show a help text or so.
+ - optionally ask for confirmation before executing certain operations
+ (e.g. factory resets, storagetm with world access, and so on)
+ - for each installed OS, grey out older entries (i.e. all but the
+ newest), to indicate they are obsolete
+ - we probably should include all BootXY EFI variable defined boot
+ entries in our menu, and then suppress ourselves. Benefit: instant
+ compatibility with all other OSes which register things there, in particular
+ on other disks. Always boot into them via NextBoot EFI variable, to not
+ affect PCR values.
+ - should look for information what to boot in SMBIOS, too, so that VM
+ managers can tell sd-boot what to boot into and suchlike
+ - instead of unconditionally deriving the ESP to search boot loader
+ spec entries in from the paths of sd-boot binary, let's optionally allow it
+ to be configured on sd-boot cmdline + efi var. Use case: embed sd-boot in the
+ UEFI firmware (for example, ovmf supports that via qemu cmdline option), and
+ use it to load stuff from the ESP.
+ - optionally, show boot menu when previous default boot item has
+ non-zero "tries done" count
+
+ - **sd-bus:**
+ - EBADSLT handling
+ - GetAllProperties() on a non-existing object does not result in a failure currently
+ - port to sd-resolve for connecting to TCP dbus servers
+ - see if we can introduce a new sd_bus_get_owner_machine_id() call to retrieve the machine ID of the machine of the bus itself
+ - see if we can drop more message validation on the sending side
+ - add API to clone sd_bus_message objects
+ - longer term: priority inheritance
+ - dbus spec updates:
+ - NameLost/NameAcquired obsolete
+ - path escaping
+ - update systemd.special(7) to mention that dbus.socket is only about the compatibility socket now
+ - add vtable flag, that may be used to request client creds implicitly
+ and asynchronously before dispatching the operation
+ - parse addresses given in sd_bus_set_addresses immediately and not
+ only when used. Add unit tests.
+
+ - **sd-device:**
+ - add an API for acquiring list of child devices, given a device
+ objects (i.e. all child dirents that dirs or symlinks to dirs)
+ - maybe pin the sysfs dir with an fd, during the entire runtime of
+ an sd_device, then always work based on that.
+ - should return the devnum type (i.e. 'b' or 'c') via some API for an
+ sd_device object, so that data passed into sd_device_new_from_devnum() can
+ also be queried.
+
+ - **sd-event:**
+ - allow multiple signal handlers per signal?
+ - document chaining of signal handler for SIGCHLD and child handlers
+ - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ...
+ - maybe support iouring as backend, so that we allow hooking read and write
+ operations instead of IO ready events into event loops. See considerations
+ here:
+ http://blog.vmsplice.net/2020/07/rethinking-event-loop-integration-for.html
+ - add ability to "chain" event sources. Specifically, add a call
+ sd_event_source_chain(x, y), which will automatically enable event source y
+ in oneshot mode once x is triggered. Use case: in src/core/mount.c implement
+ the /proc/self/mountinfo rescan on SIGCHLD with this: whenever a SIGCHLD is
+ seen, trigger the rescan defer event source automatically, and allow it to be
+ dispatched *before* the SIGCHLD is handled (based on priorities). Benefit:
+ dispatch order is strictly controlled by priorities again. (next step: chain
+ event sources to the ratelimit being over)
+ - compat wd reuse in inotify code: keep a set of removed watch
+ descriptors, and clear this set piecemeal when we see the IN_IGNORED event
+ for it, or when read() returns EAGAIN or on IN_Q_OVERFLOW. Then, whenever we
+ see an inotify wd event check against this set, and if it is contained ignore
+ the event. (to be fully correct this would have to count the occurrences, in
+ case the same wd is reused multiple times before we start processing
+ IN_IGNORED again)
+ - optionally, if per-event source rate limit is hit, downgrade
+ priority, but leave enabled, and once ratelimit window is over, upgrade
+ priority again. That way we can combat event source starvation without
+ stopping processing events from one source entirely.
+ - similar to existing inotify support add fanotify support (given
+ that apparently new features in this area are only going to be added to the
+ latter).
+ - add 1st class event source for clock changes
+ - add 1st class event source for timezone changes
+ - add native support for P_ALL waitid() watching, then move PID 1 to
+ it for reaping assigned but unknown children. This needs to some special care
+ to operate somewhat sensibly in light of priorities: P_ALL will return
+ arbitrary processes, regardless of the priority we want to watch them with,
+ hence on each event loop iteration check all processes which we shall watch
+ with higher prio explicitly, and then watch the entire rest with P_ALL.
+
+ - sd-journal puts a limit on parallel journal files to view at once. journald
+ should probably honour that same limit (JOURNAL_FILES_MAX) when vacuuming to
+ ensure we never generate more files than we can actually view.
- * add --vacuum-xyz options to coredumpctl, matching those journalctl already has.
+ - sd-lldp: pick up 802.3 maximum frame size/mtu, to be able to detect jumbo
+ frame capable networks
- * add CopyFile= or so as unit file setting that may be used to copy files or
- directory trees from the host to the services RootImage= and RootDirectory=
- environment. Which we can use for /etc/machine-id and in particular
- /etc/resolv.conf. Should be smart and do something useful on read-only
- images, for example fall back to read-only bind mounting the file instead.
+ - **sd-rtnl:**
+ - add support for more attribute types
+ - inbuilt piping support (essentially degenerate async)? see loopback-setup.c and other places
- * bypass SIGTERM state in unit files if KillSignal is SIGKILL
+ - **sd-stub:**
+ - detect if we are running with uefi console output on serial, and if so
+ automatically add console= to kernel cmdline matching the same port.
+ - add ".bootcfg" section for kernel bootconfig data (as per
+ https://docs.kernel.org/admin-guide/bootconfig.html)
- * add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1
- and so on, which would mean we could report errors and such.
+ - sd_notify/vsock: maybe support binding to AF_VSOCK in Type=notify services,
+ then passing $NOTIFY_SOCKET and $NOTIFY_GUESTCID with PID1's cid (typically
+ fixed to "2", i.e. the official host cid) and the expected guest cid, for the
+ two sides of the channel. The latter env var could then be used in an
+ appropriate qemu cmdline. That way qemu payloads could talk sd_notify()
+ directly to host service manager.
- * introduce DefaultSlice= or so in system.conf that allows changing where we
- place our units by default, i.e. change system.slice to something
- else. Similar, ManagerSlice= should exist so that PID1's own scope unit could
- be moved somewhere else too. Finally machined and logind should get similar
- options so that it is possible to move user session scopes and machines to a
- different slice too by default. Use case: people who want to put resources on
- the entire system, with the exception of one specific service. See:
- https://lists.freedesktop.org/archives/systemd-devel/2018-February/040369.html
+ - **seccomp:**
+ - maybe use seccomp_merge() to merge our filters per-arch if we can.
+ Apparently kernel performance is much better with fewer larger seccomp
+ filters than with more smaller seccomp filters.
+ - by default mask x32 ABI system wide on x86-64. it's on its way out
+ - don't install filters for ABIs that are masked anyway for the
+ specific service
- * calenderspec: add support for week numbers and day numbers within a
- year. This would allow us to define "bi-weekly" triggers safely.
+ - seems that when we follow symlinks to units we prefer the symlink
+ destination path over /etc and /usr. We should not do that. Instead
+ /etc should always override /run+/usr and also any symlink
+ destination.
- * sd-bus: add vtable flag, that may be used to request client creds implicitly
- and asynchronously before dispatching the operation
+ - .service with invalid Sockets= starts successfully.
- * sd-bus: parse addresses given in sd_bus_set_addresses immediately and not
- only when used. Add unit tests.
+ - services: add support for cryptographically unlocking per-service directories
+ via TPM2. Specifically, for StateDirectory= (and related dirs) use fscrypt to
+ set up the directory so that it can only be accessed if host and app are in
+ order.
- * make use of ethtool veth peer info in machined, for automatically finding out
- host-side interface pointing to the container.
+ - shared/wall: Once more programs are taught to prefer sd-login over utmp,
+ switch the default wall implementation to wall_logind
+ (https://github.com/systemd/systemd/pull/29051#issuecomment-1704917074)
- * add some special mode to LogsDirectory=/StateDirectory=… that allows
- declaring these directories without necessarily pulling in deps for them, or
- creating them when starting up. That way, we could declare that
- systemd-journald writes to /var/log/journal, which could be useful when we
- doing disk usage calculations and so on.
+ - show whether a service has out-of-date configuration in "systemctl status" by
+ using mtime data of ConfigurationDirectory=.
- * deprecate RootDirectoryStartOnly= in favour of a new ExecStart= prefix char
+ - shutdown logging: store to EFI var, and store to USB stick?
- * support projid-based quota in machinectl for containers
+ - signed bpf loading: to address need for signature verification for bpf
+ programs when they are loaded, and given the bpf folks don't think this is
+ realistic in kernel space, maybe add small daemon that facilitates this
+ loading on request of clients, validates signatures and then loads the
+ programs. This daemon should be the only daemon with privs to do load BPF on
+ the system. It might be a good idea to run this daemon already in the initrd,
+ and leave it around during the initrd transition, to continue serve requests.
+ Should then live in its own fs namespace that inherits from the initrd's
+ fs tree, not from the host, to isolate it properly. Should set
+ PR_SET_DUMPABLE so that it cannot be ptraced from the host. Should have
+ CAP_SYS_BPF as only service around.
- * add a way to lock down cgroup migration: a boolean, which when set for a unit
- makes sure the processes in it can never migrate out of it
+ - SIGRTMIN+18 and memory pressure handling should still be added to: hostnamed,
+ localed, oomd, timedated.
- * blog about fd store and restartable services
+ - socket units: allow creating a udev monitor socket with ListenDevices= or so,
+ with matches, then activate app through that passing socket over
- * document Environment=SYSTEMD_LOG_LEVEL=debug drop-in in debugging document
+ - special case some calls of chase() to use openat2() internally, so
+ that the kernel does what we otherwise do.
- * rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its
- magic meaning and is no longer upgraded to something else if set explicitly.
+ - Split vconsole-setup in two, of which the second is started via udev (instead
+ of the "restart" job it currently fires). That way, boot becomes purely
+ positive again, and we can nicely order the two against each other.
- * in the long run: permit a system with /etc/machine-id linked to /dev/null, to
- make it lose its identity, i.e. be anonymous. For this we'd have to patch
- through the whole tree to make all code deal with the case where no machine
- ID is available.
+ - start making use of the new --graceful switch to util-linux' umount command
- * optionally, collect cgroup resource data, and store it in per-unit RRD files,
- suitable for processing with rrdtool. Add bus API to access this data, and
- possibly implement a CPULoad property based on it.
+ - start using STATX_SUBVOL in btrfs_is_subvol(). Also, make use of it
+ generically, so that image discovery recognizes bcachefs subvols too.
- * beef up pam_systemd to take unit file settings such as cgroups properties as
- parameters
+ - storagetm: maybe also serve the specified disk via HTTP? we have glue for
+ microhttpd anyway already. Idea would also be serve currently booted UKI as
+ separate HTTP resource, so that EFI http boot on another system could
+ directly boot from our system, with full access to the hdd.
- * In DynamicUser= mode: before selecting a UID, use disk quota APIs on relevant
- disks to see if the UID is already in use.
+ - **storagetm:**
+ - add USB mass storage device logic, so that all local disks are also exposed
+ as mass storage devices on systems that have a USB controller that can
+ operate in device mode
+ - add NVMe authentication
- * Add AddUser= setting to unit files, similar to DynamicUser=1 which however
- creates a static, persistent user rather than a dynamic, transient user. We
- can leverage code from sysusers.d for this.
+ - support boot into nvme-over-tcp: add generator that allows specifying nvme
+ devices on kernel cmdline + credentials. Also maybe add interactive mode
+ (where the user is prompted for nvme info), in order to boot from other
+ system's HDD.
- * add some optional flag to ReadWritePaths= and friends, that has the effect
- that we create the dir in question when the service is started. Example:
+ - support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting)
- ReadWritePaths=:/var/lib/foobar
+ - support projid-based quota in machinectl for containers
- * Add ExecMonitor= setting. May be used multiple times. Forks off a process in
- the service cgroup, which is supposed to monitor the service, and when it
- exits the service is considered failed by its monitor.
+ - Support ReadWritePaths/ReadOnlyPaths/InaccessiblePaths in systemd --user instances
+ via the new unprivileged Landlock LSM (https://landlock.io)
- * track the per-service PAM process properly (i.e. as an additional control
- process), so that it may be queried on the bus and everything.
+ - support specifying download hash sum in systemd-import-generator expression
+ to pin image/tarball.
- * add a new "debug" job mode, that is propagated to unit_start() and for
- services results in two things: we raise SIGSTOP right before invoking
- execve() and turn off watchdog support. Then, use that to implement
- "systemd-gdb" for attaching to the start-up of any system service in its
- natural habitat.
+ - sync dynamic uids/gids between host+portable service (i.e. if DynamicUser=1 is set for a service, make sure that the
+ selected user is resolvable in the service even if it ships its own /etc/passwd)
- * add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and
- then use that for the setting used in user@.service. It should be understood
- relative to the configured default value.
+ - synchronize console access with BSD locks:
+ https://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html
- * enable LockMLOCK to take a percentage value relative to physical memory
+ - sysext: before applying a sysext, do a superficial validation run so that
+ things are not rearranged to wildy. I.e. protect against accidental fuckups,
+ such as masking out /usr/lib/ or so. We should probably refuse if existing
+ inodes are replaced by other types of inodes or so.
- * Permit masking specific netlink APIs with RestrictAddressFamily=
+ - sysext: measure all activated sysext into a TPM PCR
- * define gpt header bits to select volatility mode
+ - system BPF LSM policy that enforces that block device backed mounts may only
+ be established on top of dm-crypt or dm-verity devices, or an allowlist of
+ file systems (which should probably include vfat, for compat with the ESP)
- * ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
+ - system BPF LSM policy that prohibits creating files owned by "nobody"
+ system-wide
- * ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
+ - system BPF LSM policy that prohibits creating or opening device nodes outside
+ of devtmpfs/tmpfs, except if they are the pseudo-devices /dev/null,
+ /dev/zero, /dev/urandom and so on.
- * ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
+ - "systemctl preset-all" should probably order the unit files it
+ operates on lexicographically before starting to work, in order to
+ ensure deterministic behaviour if two unit files conflict (like DMs
+ do, for example)
- * ProtectKeyRing= to take keyring calls away
+ - systemctl, machinectl, loginctl: port "status" commands over to
+ format-table.c's vertical output logic.
- * RemoveKeyRing= to remove all keyring entries of the specified user
+ - **systemctl:**
+ - add systemctl switch to dump transaction without executing it
+ - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done
+ - print nice message from systemctl --failed if there are no entries shown, and hook that into ExecStartPre of rescue.service/emergency.service
+ - add new command to systemctl: "systemctl system-reexec" which reexecs as many daemons as virtually possible
+ - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards?
+ - systemctl: "Journal has been rotated since unit was started." message is misleading
+ - if some operation fails, show log output?
- * ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill
- on PID 1 with the relevant signals, and makes relevant files in /sys and
- /proc (such as the sysrq stuff) unavailable
+ - systemd-analyze inspect-elf should show other notes too, at least build-id.
- * Support ReadWritePaths/ReadOnlyPaths/InaccessiblePaths in systemd --user instances
- via the new unprivileged Landlock LSM (https://landlock.io)
+ - systemd-analyze netif that explains predictable interface (or networkctl)
- * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
+ - systemd-analyze: port "pcrs" verb to talk directly to TPM device, instead of
+ using sysfs interface (well, or maybe not, as that would require privileges?)
- * in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set,
- find a way to map the User=/Group= of the service to the right name. This way
- a user/group for a service only has to exist on the host for the right
- mapping to work.
+ - systemd-boot: maybe add support for collapsing menu entries of the same OS
+ into one item that can be opened (like in a "tree view" UI element) or
+ collapsed. If only a single OS is installed, disable this mode, but if
+ multiple OSes are installed might make sense to default to it, so that user
+ is not immediately bombarded with a multitude of Linux kernel versions but
+ only one for each OS.
- * add bus API for creating unit files in /etc, reusing the code for transient units
+ - systemd-creds: extend encryption logic to support asymmetric
+ encryption/authentication. Idea: add new verb "systemd-creds public-key"
+ which generates a priv/pub key pair on the TPM2 and stores the priv key
+ locally in /var. It then outputs a certificate for the pub part to stdout.
+ This can then be copied/taken elsewhere, and can be used for encrypting creds
+ that only the host on its specific hw can decrypt. Then, support a drop-in
+ dir with certificates that can be used to authenticate credentials. Flow of
+ operations is then this: build image with owner certificate, then after
+ boot up issue "systemd-creds public-key" to acquire pubkey of the machine.
+ Then, when passing data to the machine, sign with privkey belonging to one of
+ the dropped in certs and encrypted with machine pubkey, and pass to machine.
+ Machine is then able to authenticate you, and confidentiality is guaranteed.
- * add bus API to remove unit files from /etc
+ - systemd-cryptenroll: add --firstboot or so, that will interactively ask user
+ whether recovery key shall be enrolled and do so
- * add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only)
+ - systemd-dissect: add --cat switch for dumping files such as /etc/os-release
- * rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the
- kernel doesn't support linkat() that replaces existing files, currently)
+ - systemd-dissect: show available versions inside of a disk image, i.e. if
+ multiple versions are around of the same resource, show which ones. (in other
+ words: show partition labels).
- * transient units: don't bother with actually setting unit properties, we
- reload the unit file anyway
+ - systemd-firstboot: optionally install an ssh key for root for offline use.
- * optionally, also require WATCHDOG=1 notifications during service start-up and shutdown
+ - systemd-gpt-auto-generator: add kernel cmdline option to override block
+ device to dissect. also support dissecting a regular file. useccase: include
+ encrypted/verity root fs in UKI.
- * cache sd_event_now() result from before the first iteration...
+ - systemd-inhibit: make taking delay locks useful: support sending SIGINT or SIGTERM on PrepareForSleep()
- * PID1: find a way how we can reload unit file configuration for
- specific units only, without reloading the whole of systemd
+ - **systemd-measure tool:**
+ - pre-calculate PCR 12 (command line) + PCR 13 (sysext) the same way we can precalculate PCR 11
- * add an explicit parser for LimitRTPRIO= that verifies
- the specified range and generates sane error messages for incorrect
- specifications.
+ - systemd-measure: add --pcrpkey-auto as an alternative to --pcrpkey=, where it
+ would just use the same public key specified with --public-key= (or the one
+ automatically derived from --private-key=).
- * when we detect that there are waiting jobs but no running jobs, do something
+ - systemd-mount should only consider modern file systems when mounting, similar
+ to systemd-dissect
- * PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn)
+ - systemd-path: Add "private" runtime/state/cache dir enum, mapping to
+ $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such
- * there's probably something wrong with having user mounts below /sys,
- as we have for debugfs. for example, src/core/mount.c handles mounts
- prefixed with /sys generally special.
- https://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html
+ - **systemd-pcrextend:**
+ - once we have that start measuring every sysext we apply, every confext,
+ every RootImage= we apply, every nspawn and so on. All in separate fake
+ PCRs.
- * fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline
+ - **systemd-repart:**
+ - implement Integrity=data/meta and Integrity=inline for non-LUKS
+ case. Currently, only Integrity=inline combined with Encrypt= is implemented
+ and uses libcryptsetup features. Add support for plain dm-integrity setups when
+ integrity tags are stored by the device (inline), interleaved with data (data),
+ and on a separate device (meta).
+ - add --ghost, that creates file systems, updates the kernel's
+ partition table but does *not* update partition table on disk. This way, we
+ have disk backed file systems that go effectively disappear on reboot. This
+ is useful when booting from a "live" usb stick that is writable, as it means
+ we do not have to place everything in memory. Moreover, we could then migrate
+ the file systems to disk later (using btrfs device replacement), if needed as
+ part of an installer logic.
+ - make useful to duplicate current OS onto a second disk, so
+ that we can sanely copy ESP contents, /usr/ images, and then set up btrfs
+ raid for the root fs to extend/mirror the existing install. This would be
+ very similar to the concept of live-install-through-btrfs-migration.
+ - add --installer or so, that will interactively ask for a
+ target disk, maybe ask for confirmation, and install something on disk. Then,
+ hook that into installer.target or so, so that it can be used to
+ install/replicate installs
+ - should probably enable btrfs' "temp_fsid" feature for all file
+ systems it creates, as we have no interest in RAID for repart, and it should
+ make sure that we can mount them trivially everywhere.
+ - add support for formatting dm-crypt + dm-integrity file
+ systems.
+ - also derive the volume key from the seed value, for the
+ aforementioned purpose.
- - add support for generating ISO9660 images
+ - in addition to the existing "factory reset" mode (which
+ simply empties existing partitions marked for that). add a mode where
+ partitions marked for it are entirely removed. Use case: remove secondary OS
+ copy, and redundant partitions entirely, and recreate them anew.
+ - if the GPT *disk* UUID (i.e. the one global for the entire
+ disk) is set to all FFFFF then use this as trigger for factory reset, in
+ addition to the existing mechanisms via EFI variables and kernel command
+ line. Benefit: works also on non-EFI systems, and can be requested on one
+ boot, for the next.
+ - read LUKS encryption key from $CREDENTIALS_DIRECTORY
+ - support setting up dm-integrity with HMAC
+ - maybe remove half-initialized image on failure. It fails
+ if the output file exists, so a repeated invocation will usually fail if
+ something goes wrong on the way.
+ - by default generate minimized partition tables (i.e. tables
+ that only cover the space actually used, excluding any free space at the
+ end), in order to maximize dd'ability. Requires libfdisk work, see
+ https://github.com/karelzak/util-linux/issues/907
+ - MBR partition table support. Care needs to be taken regarding
+ Type=, so that partition definitions can sanely apply to both the GPT and the
+ MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types
+ for the two partition types explicitly. And provide an internal mapping so
+ that "Type=linux-generic" maps to the right types for both partition tables
+ automatically.
+ - allow sizing partitions as factor of available RAM, so that
+ we can reasonably size swap partitions for hibernation.
+ - allow boolean option that ensures that if existing partition
+ doesn't exist within the configured size bounds the whole command fails. This
+ is useful to implement ESP vs. XBOOTLDR schemes in installers: have one set
+ of repart files for the case where ESP is large enough and one where it isn't
+ and XBOOTLDR is added in instead. Then apply the former first, and if it
+ fails to apply use the latter.
+ - add per-partition option to never reuse existing partition
+ and always create anew even if matching partition already exists.
+ - add per-partition option to fail if partition already exist,
+ i.e. is not added new. Similar, add option to fail if partition does not exist yet.
+ - allow disabling growing of specific partitions, or making
+ them (think ESP: we don't ever want to grow it, since we cannot resize vfat)
+ Also add option to disable operation via kernel command line.
+ - make it a static checker during early boot for existence and
+ absence of other partitions for trusted boot environments
+ - add support for SD_GPT_FLAG_GROWFS also on real systems, i.e.
+ generate some unit to actually enlarge the fs after growing the partition
+ during boot.
+ - do not print "Successfully resized …" when no change was done.
+
+ - systemd-stub: maybe store a "boot counter" in the ESP, and pass it down to
+ userspace to allow ordering boots (for example in journalctl). The counter
+ would be monotonically increased on every boot.
- * docs: bring https://systemd.io/MY_SERVICE_CANT_GET_REALTIME up to date
+ - systemd-sysext: add "exec" command or so that is a bit like "refresh" but
+ runs it in a new namespace and then just executes the selected binary within
+ it. Could be useful to run one-off binaries inside a sysext as a CLI tool.
- * add a job mode that will fail if a transaction would mean stopping
- running units. Use this in timedated to manage the NTP service
- state.
- https://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html
-- systemd-sysext: optionally, run it in initrd already, before transitioning
- into host, to open up possibility for services shipped like that.
-
+ - systemd-tmpfiles: add concept for conditionalizing lines on factory reset
+ boot, or on first boot.
- * The udev blkid built-in should expose a property that reflects
- whether media was sensed in USB CF/SD card readers. This should then
- be used to control SYSTEMD_READY=1/0 so that USB card readers aren't
- picked up by systemd unless they contain a medium. This would mirror
- the behaviour we already have for CD drives.
+ - systemd-tpm2-setup should support a mode where we refuse booting if the SRK
+ changed. (Must be opt-in, to not break systems which are supposed to be
+ migratable between PCs)
- * hostnamectl: show root image uuid
+ - systemd-tpm2-support: add a some logic that detects if system is in DA
+ lockout mode, and queries the user for TPM recovery PIN then.
- * Find a solution for SMACK capabilities stuff:
- https://lists.freedesktop.org/archives/systemd-devel/2014-December/026188.html
+ - systemd: add storage API via varlink, where everyone can drop a socket in a
+ dir, similar, do the same thing for networking
- * synchronize console access with BSD locks:
- https://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html
-
- * as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads:
- https://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html
-
- * figure out when we can use the coarse timers
-
- * maybe allow timer units with an empty Units= setting, so that they
- can be used for resuming the system but nothing else.
-
- * what to do about udev db binary stability for apps? (raw access is not an option)
-
- * exponential backoff in timesyncd when we cannot reach a server
+ - $SYSTEMD_EXECPID that the service manager sets should
+ be augmented with $SYSTEMD_EXECPIDFD (and similar for
+ other env vars we might send).
- * timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM
+ - **sysupdate:**
+ - add fuzzing to the pattern parser
+ - support casync as download mechanism
+ - "systemd-sysupdate update --all" support, that iterates through all components
+ defined on the host, plus all images installed into /var/lib/machines/,
+ /var/lib/portable/ and so on.
+ - Allow invocation with a single transfer definition, i.e. with
+ --definitions= pointing to a file rather than a dir.
+ - add ability to disable implicit decompression of downloaded artifacts,
+ i.e. a Compress=no option in the transfer definitions
+ - download multiple arbitrary patterns from same source
+ - SHA256SUMS format with bearer tokens for each resource to download
+ - decrypt SHA256SUMS with key from tpm
+ - clean up stuff on disk that disappears from SHA256SUMS
+ - turn http backend stuff int plugin via varlink
+ - for each transfer support looking at multiple sources,
+ pick source with newest entry. If multiple sources have the same entry, use
+ first configured source. Usecase: "sideload" components from local dirs,
+ without disabling remote sources.
+ - support "revoked" items, which cause the client to
+ downgrade/upgrade
+ - introduce per-user version that can update per-user installed dDIs
+ - make transport pluggable, so people can plug casync or
+ similar behind it, instead of http.
+
+ - sysusers: allow specifying a path to an inode *and* a literal UID in the UID
+ column, so that if the inode exists it is used, and if not the literal UID is
+ used. Use this for services such as the imds one, which run under their own
+ UID in the initrd, and whose data should survive to the host, properly owned.
- * add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL
- (throughout the codebase, not only PID1)
+ - teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off})
- * drop nss-myhostname in favour of nss-resolve?
+ - teach nspawn/machined a new bus call/verb that gets you a
+ shell in containers that have no sensible pid1, via joining the container,
+ and invoking a shell directly. Then provide another new bus call/vern that is
+ somewhat automatic: if we detect that pid1 is running and fully booted up we
+ provide a proper login shell, otherwise just a joined shell. Then expose that
+ as primary way into the container.
- * resolved:
- - mDNS/DNS-SD
- - service registration
- - service/domain/types browsing
- - avahi compat
- - DNS-SD service registration from socket units
- - resolved should optionally register additional per-interface LLMNR
- names, so that for the container case we can establish the same name
- (maybe "host") for referencing the server, everywhere.
- - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?)
+ - teach parse_timestamp() timezones like the calendar spec already knows it
- * refcounting in sd-resolve is borked
+ - teach systemd-nspawn the boot assessment logic: hook up vpick's try counters
+ with success notifications from nspawn payloads. When this is enabled,
+ automatically support reverting back to older OS version images if newer ones
+ fail to boot.
- * add new gpt type for btrfs volumes
+ - **test/:**
+ - add unit tests for config_parse_device_allow()
- * generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them.
+ - The bind(AF_UNSPEC) construct (for resetting sockets to their initial state)
+ should be blocked in many cases because it punches holes in many sandboxes.
- * a way for container managers to turn off getty starting via $container_headless= or so...
+ - the pub/priv key pair generated on the TPM2 should probably also be one you
+ can use to get a remote attestation quote.
- * figure out a nice way how we can let the admin know what child/sibling unit causes cgroup membership for a specific unit
+ - The udev blkid built-in should expose a property that reflects
+ whether media was sensed in USB CF/SD card readers. This should then
+ be used to control SYSTEMD_READY=1/0 so that USB card readers aren't
+ picked up by systemd unless they contain a medium. This would mirror
+ the behaviour we already have for CD drives.
- * For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services
- they run added to the initial transaction and thus confuse Type=idle.
+ - There's currently no way to cancel fsck (used to be possible via C-c or c on the console)
- * add bus api to query unit file's X fields.
+ - there's probably something wrong with having user mounts below /sys,
+ as we have for debugfs. for example, src/core/mount.c handles mounts
+ prefixed with /sys generally special.
+ https://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html
- * gpt-auto-generator:
- - Make /home automount rather than mount?
+ - think about requeuing jobs when daemon-reload is issued? use case:
+ the initrd issues a reload after fstab from the host is accessible
+ and we might want to requeue the mounts local-fs acquired through
+ that automatically.
- * add generator that pulls in systemd-network from containers when
- CAP_NET_ADMIN is set, more than the loopback device is defined, even
- when it is otherwise off
+ - **timer units:**
+ - timer units should get the ability to trigger when DST changes
+ - Modulate timer frequency based on battery state
- * MessageQueueMessageSize= (and suchlike) should use parse_iec_size().
+ - timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM
- * implement Distribute= in socket units to allow running multiple
- service instances processing the listening socket, and open this up
- for ReusePort=
+ - timesyncd: when saving/restoring clock try to take boot time into account.
+ Specifically, along with the saved clock, store the current boot ID. When
+ starting, check if the boot id matches. If so, don't do anything (we are on
+ the same boot and clock just kept running anyway). If not, then read
+ CLOCK_BOOTTIME (which started at boot), and add it to the saved clock
+ timestamp, to compensate for the time we spent booting. If EFI timestamps are
+ available, also include that in the calculation. With this we'll then only
+ miss the time spent during shutdown after timesync stopped and before the
+ system actually reset.
- * cgroups:
- - implement per-slice CPUFairScheduling=1 switch
- - introduce high-level settings for RT budget, swappiness
- - how to reset dynamically changed unit cgroup attributes sanely?
- - when reloading configuration, apply new cgroup configuration
- - when recursively showing the cgroup hierarchy, optionally also show
- the hierarchies of child processes
- - add settings for cgroup.max.descendants and cgroup.max.depth,
- maybe use them for user@.service
+ - tiny varlink service that takes a fd passed in and serves it via http. Then
+ make use of that in networkd, and expose some EFI binary of choice for
+ DHCP/HTTP base EFI boot.
- * transient units:
- - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt
+ - **tmpfiles:**
+ - allow time-based cleanup in r and R too
+ - instead of ignoring unknown fields, reject them.
+ - creating new directories/subvolumes/fifos/device nodes
+ should not follow symlinks. None of the other adjustment or creation
+ calls follow symlinks.
+ - teach tmpfiles.d q/Q logic something sensible in the context of XFS/ext4
+ project quota
+ - teach tmpfiles.d m/M to move / atomic move + symlink old -> new
+ - add new line type for setting btrfs subvolume attributes (i.e. rw/ro)
+ - tmpfiles: add new line type for setting fcaps
+ - add -n as shortcut for --dry-run in tmpfiles & sysusers & possibly other places
+ - add new line type for moving files from some source dir to some
+ target dir. then use that to move sysexts/confexts and stuff from initrd
+ tmpfs to /run/, so that host can pick things up.
- * libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops
+ - To mimic the new tpm2-measure-pcr= crypttab option and tpm2-measure-nvpcr=
+ veritytab option, add the same to integritytab (measuring the HMAC key if one
+ is used)
- * be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1
+ - tpm2-setup: reboot if we detect SRK changed
- * rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it
+ - tpm2: add (optional) support for generating a local signing key from PCR 15
+ state. use private key part to sign PCR 7+14 policies. stash signatures for
+ expected PCR7+14 policies in EFI var. use public key part in disk encryption.
+ generate new sigs whenever db/dbx/mok/mokx gets updated. that way we can
+ securely bind against SecureBoot/shim state, without having to renroll
+ everything on each update (but we still have to generate one sig on each
+ update, but that should be robust/idempotent). needs rollback protection, as
+ usual.
- * If we try to find a unit via a dangling symlink, generate a clean
- error. Currently, we just ignore it and read the unit from the search
- path anyway.
+ - TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades
+ and such
- * refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up
+ - track the per-service PAM process properly (i.e. as an additional control
+ process), so that it may be queried on the bus and everything.
- * man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted.
+ - transient units: don't bother with actually setting unit properties, we
+ reload the unit file anyway
- * There's currently no way to cancel fsck (used to be possible via C-c or c on the console)
+ - **transient units:**
+ - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt
- * add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/
+ - Turn systemd-networkd-wait-online into a small varlink service that people
+ can talk to and specify exactly what to wait for via a method call, and get a
+ response back once that level of "online" is reached.
- * make sure systemd-ask-password-wall does not shutdown systemd-ask-password-console too early
+ - tweak journald context caching. In addition to caching per-process attributes
+ keyed by PID, cache per-cgroup attributes (i.e. the various xattrs we read)
+ keyed by cgroup path, and guarded by ctime changes. This should provide us
+ with a nice speed-up on services that have many processes running in the same
+ cgroup.
- * verify that the AF_UNIX sockets of a service in the fs still exist
- when we start a service in order to avoid confusion when a user
- assumes starting a service is enough to make it accessible
+ - tweak sd-event's child watching: keep a prioq of children to watch and use
+ waitid() only on the children with the highest priority until one is waitable
+ and ignore all lower-prio ones from that point on
- * Make it possible to set the keymap independently from the font on
- the kernel cmdline. Right now setting one resets also the other.
+ - **udev-link-config:**
+ - Make sure ID_PATH is always exported and complete for
+ network devices where possible, so we can safely rely
+ on Path= matching
- * and a dbus call to generate target from current state
+ - **udev:**
+ - move to LGPL
+ - kill scsi_id
+ - add trigger --subsystem-match=usb/usb_device device
+ - reimport udev db after MOVE events for devices without dev_t
+ - re-enable ProtectClock= once only cgroupsv2 is supported.
+ See f562abe2963bad241d34e0b308e48cf114672c84.
- * investigate whether the gnome pty helper should be moved into systemd, to provide cgroup support.
+ - **udevadm: to make symlink querying with udevadm nicer:**
+ - do not enable the pager for queries like 'udevadm info -q symlink -r'
+ - add mode with newlines instead of spaces (for grep)?
- * dot output for --test showing the 'initial transaction'
+ - udevd: extend memory pressure logic: also kill any idle worker processes
- * be able to specify a forced restart of service A where service B depends on, in case B
- needs to be auto-respawned?
+ - unify how blockdev_get_root() and sysupdate find the default root block device
- * pid1:
- - When logging about multiple units (stopping BoundTo units, conflicts, etc.),
- log both units as UNIT=, so that journalctl -u triggers on both.
- - generate better errors when people try to set transient properties
- that are not supported...
- https://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html
- - recreate systemd's D-Bus private socket file on SIGUSR2
- - when we automatically restart a service, ensure we restart its rdeps, too.
- - hide PAM options in fragment parser when compile time disabled
- - Support --test based on current system state
- - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle().
- - after deserializing sockets in socket.c we should reapply sockopts and things
- - drop PID 1 reloading, only do reexecing (difficult: Reload()
- currently is properly synchronous, Reexec() is weird, because we
- cannot delay the response properly until we are back, so instead of
- being properly synchronous we just keep open the fd and close it
- when done. That means clients do not get a successful method reply,
- but much rather a disconnect on success.
- - when breaking cycles drop services from /run first, then from /etc, then from /usr
- - when a bus name of a service disappears from the bus make sure to queue further activation requests
- - maybe introduce CoreScheduling=yes/no to optionally set a PR_SCHED_CORE cookie, so that all
- processes in a service's cgroup share the same cookie and are guaranteed not to share SMT cores
- with other units https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/hw-vuln/core-scheduling.rst
- - ExtensionImages= deduplication for services is currently only applied to disk images without GPT envelope.
- This should be extended to work with proper DDIs too, as well as directory confext/sysext. Moreover,
- system-wide confext/sysext should support this too.
- - Pin the mount namespace via FD by sending it back from sd-exec to the manager, and use it
- for live mounting, instead of doing it via PID
+ - **unify on openssl:**
+ - figure out what to do about libmicrohttpd:
+ - 1.x is stable and has a hard dependency on gnutls
+ - 2.x is in development and has openssl support
+ - Worth testing against 2.x in our CI?
+ - port fsprg over to openssl
- * unit files:
+ - **unit files:**
- allow port=0 in .socket units
- maybe introduce ExecRestartPre=
- implement Register= switch in .socket units to enable registration
projects / thirdparty / systemd.git / commitdiff
