Merge pull request #10757 from Antique/cgroupv2

[thirdparty/systemd.git] / TODO

Bugfixes:

* copy.c: set the right chattrs before copying files and others after

* Many manager configuration settings that are only applicable to user
  manager or system manager can be always set. It would be better to reject
  them when parsing config.

External:

* Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.

* wiki: update journal format documentation for lz4 additions

Janitorial Clean-ups:

* Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again

* rework mount.c and swap.c to follow proper state enumeration/deserialization
  semantics, like we do for device.c now

Features:

* systemd-gpt-auto: if we find the root dir mounted read-only and the gpt flag
  doesn't say so generate job that remounts it writable

* When logind.conf contains HandleLidSwitch=suspend-then-hibernate and we can't
  hibernate because the swap partition isn't large enough, still suspend

* Now that C.UTF-8 is standardized in glibc, default to it if locale.conf
  doesn't set anything otherwise

* bootctl: implement Type #2 boot loader entry discovery

* bootctl,sd-boot: actually honour the "architecture" key

* consider splitting out all temporary file creation APIs (we have so many in
  fileio.h and elsewhere!) into a new util file of its own.

* set memory.oom.group in cgroupsv2 for all leaf cgroups

* drop umask() calls and suchlike from our generators, pid1 should set things up correctly anyway

* paranoia: whenever we process passwords, call mlock() on the memory
  first. i.e. look for all places we use string_erase()/string_free_erase() and
  augment them with mlock()

* whenever oom_kill memory.event event is triggered print a nice log message

* Move RestrictAddressFamily= to the new cgroup create socket

* support the bind/connect/sendmsg cgroup stuff for sandboxing, and possibly
  patching around

* maybe implicitly attach monotonic+realtime timestamps to outgoing messages in
  log.c and sd-journal-send

* chown() tty a service is attached to after the service goes down

* optionally: turn on cgroup delegation for per-session scope units

* introduce per-unit (i.e. per-slice, per-service) journal log size limits.

* optionally, if a per-partition GPT flag is set for the root/home/… partitions
  format the partition on next boot and unset the flag, in order to implement
  factory reset. also, add a second flag that simply indicates whether such a
  scheme is supported. then, add a tool (or maybe beef up systemd-dissect) to
  show state of these flags, and optionally trigger such a factory reset on
  next boot by setting the flag.

* sd-boot: search drop-ins in $BOOT, too

* sd-boot: add "oneshot boot timeout" variable support

* sd-boot: automatically load EFI modules from some drop-in dir, so that people
  can add in file system drivers and such

* esp generator: also mount $BOOT if found

* sd-boot: optionally, show boot menu when previous default boot item has
  non-zero "tries done" count

* logind: add "boot into bootmenu" API, and possibly even "boot into windows"
  and "boot into macos".

* bootspec.c: also enumerate EFI unified kernel images.

* maybe extend .path units to expose fanotify() per-mount change events

* Add a "systemctl list-units --by-slice" mode or so, which rearranges the
  output of "systemctl list-units" slightly by showing the tree structure of
  the slices, and the units attached to them.

* the a-posteriori stopping of units bound to units that disappeared logic
  should be reworked: there should be a queue of units, and we should only
  enqeue stop jobs from a defer event that processes queue instead of
  right-away when we find a unit that is bound to one that doesn't exist
  anymore. (similar to how the stop-unneeded queue has been reworked the same
  way)

* nspawn: make nspawn suitable for shell pipelines: instead of triggering a
  hangup when input is finished, send ^D, which synthesizes an EOF. Then wait
  for hangup or ^D before passing on the EOF.

* When reloading configuration PID 1 should reset all its properties to the
  original defaults before calling parse_config()

* Add OnTimezoneChange= and OnTimeChange= stanzas to .timer units in order to
  schedule events based on time and timezone changes.

* nspawn: greater control over selinux label?

* cgroups: figure out if we can somehow communicate in a cleaner way whether a
  systemd instance not running in the cgroup root shall or shall not manage the
  attributes of its top-level cgroup. Currently it assumes it manages all, but
  then might get EPERM due to permission porblems/userns, which is OK, but this
  should be revisited to make clearer and also work if the payload systemd runs
  with full privs and without userns.

* hibernate/s2h: make this robust and safe to enable in Fedora by default.
  Specifically:

  1. add resume_offset support to the resume code (i.e. support swap files
     properly)
  2. check if swap is on weird storage and refuse if so
  3. add autodetection of hibernation images

* cgroups: use inotify to get notified when somebody else modifies cgroups
  owned by us, then log a friendly warning.

* beef up log.c with support for stripping ANSI sequences from strings, so that
  it is OK to include them in log strings. This would be particularly useful so
  that our log messages could contain clickable links for example for unit
  files and suchlike we operate on.

* add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration)

* add attach --enable and attach --now (for attach+enable+start)

* sync dynamic uids/gids between host+portable srvice (i.e. if DynamicUser=1 is set for a service, make sure that the
  selected user is resolvable in the service even if it ships its own /etc/passwd)

* Fix DECIMAL_STR_MAX or DECIMAL_STR_WIDTH. One includes a trailing NUL, the
  other doesn't. What a desaster. Probably to exclude it. Also
  DECIMAL_STR_WIDTH should probably add an extra "-" into account for negative
  numbers.

* Check that users of inotify's IN_DELETE_SELF flag are using it properly, as
  usually IN_ATTRIB is the right way to watch deleted files, as the former only
  fires when a file is actually removed from disk, i.e. the link count drops to
  zero and is not open anymore, while the latter happens when a file is
  unlinked from any dir.

* port systemctl, busctl, … over to format-table.[ch]'s table formatters

* pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up

* add --vacuum-xyz options to coredumpctl, matching those journalctl already has.

* SuccessExitStatus= and friends should probably also accept symbolic exit
  codes names, i.e. error codes from the list maintained in exit-codes.[ch]

* introduce Ephemeral= unit file switch, that creates an ephemeral copy of all
  files and directories that are left writable for a unit, and which are
  removed after the unit goes down again. A bit like --ephemeral for
  systemd-nspawn but for system services. If used together with RootImage= this
  should reflink the image file itself.

  Related: add Ephemeral=<path1> <path2> … which would allow marking
  specific paths only like this.

* add CopyFile= or so as unit file setting that may be used to copy files or
  directory trees from the host to te services RootImage= and RootDirectory=
  environment. Which we can use for /etc/machine-id and in particular
  /etc/resolv.conf. Should be smart and do something useful on read-only
  images, for example fallback to read-only bind mounting the file instead.

* nspawn's console TTY should be allocated from within the container, not
  mounted in from the outside

* show invocation ID in systemd-run output

* bypass SIGTERM state in unit files if KillSignal is SIGKILL

* tree-wide: ensure we always block the signals we hook into with
  sd_event_add_signal() first

* add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1
  and so on, which would mean we could report errors and such.

* teach tmpfiles.d q/Q logic something sensible in the context of XFS/ext4
  project quota

* introduce DefaultSlice= or so in system.conf that allows changing where we
  place our units by default, i.e. change system.slice to something
  else. Similar, ManagerSlice= should exist so that PID1's own scope unit could
  be moved somewhere else too. Finally machined and logind should get similar
  options so that it is possible to move user session scopes and machines to a
  different slice too by default. Usecase: people who want to put resources on
  the entire system, with the exception of one specific service. See:
  https://lists.freedesktop.org/archives/systemd-devel/2018-February/040369.html

* maybe rework get_user_creds() to query the user database if $SHELL is used
  for root, but only then.

* be stricter with fds we receive for the fdstore: close them asynchronously

* calenderspec: add support for week numbers and day numbers within a
  year. This would allow us to define "bi-weekly" triggers safely.

* sd-bus: add vtable flag, that may be used to request client creds implicitly
  and asynchronously before dispatching the operation

* make use of ethtool veth peer info in machined, for automatically finding out
  host-side interface pointing to the container.

* add some special mode to LogsDirectory=/StateDirectory=… that allows
  declaring these directories without necessarily pulling in deps for them, or
  creating them when starting up. That way, we could declare that
  systemd-journald writes to /var/log/journal, which could be useful when we
  doing disk usage calculations and so on.

* taint systemd if there are fewer than 65536 users assigned (userns) to the system.

* deprecate PermissionsStartOnly= and RootDirectoryStartOnly= in favour of the ExecStart= prefix chars

* add a new RuntimeDirectoryPreserve= mode that defines a similar lifecycle for
  the runtime dir as we maintain for the fdstore: i.e. keep it around as long
  as the unit is running or has a job queued.

* support projid-based quota in machinectl for containers, and then drop
  implicit btrfs loopback magic in machined

* Add NetworkNamespacePath= to specify a path to a network namespace

* maybe use SOURCE_DATE_EPOCH (i.e. the env var the reproducible builds folks
  introduced) as the RTC epoch, instead of the mtime of NEWS.

* add a way to lock down cgroup migration: a boolean, which when set for a unit
  makes sure the processes in it can never migrate out of it

* blog about fd store and restartable services

* document Environment=SYSTEMD_LOG_LEVEL=debug drop-in in debugging document

* rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its
  magic meaning and is no longer upgraded to something else if set explicitly.

* in the long run: permit a system with /etc/machine-id linked to /dev/null, to
  make it lose its identity, i.e. be anonymous. For this we'd have to patch
  through the whole tree to make all code deal with the case where no machine
  ID is available.

* optionally, collect cgroup resource data, and store it in per-unit RRD files,
  suitable for processing with rrdtool. Add bus API to access this data, and
  possibly implement a CPULoad property based on it.

* beef up pam_systemd to take unit file settings such as cgroups properties as
  parameters

* a new "systemd-analyze security" tool outputting a checklist of security
  features a service does and does not implement

* maybe hook of xfs/ext4 quotactl() with services? i.e. automatically manage
  the quota of a the user indicated in User= via unit file settings, like the
  other resource management concepts. Would mix nicely with DynamicUser=1. Or
  alternatively, do this with projids, so that we can also cover services
  running as root. Quota should probably cover all the special dirs such as
  StateDirectory=, LogsDirectory=, CacheDirectory=, as well as RootDirectory= if it
  is set, plus the whole disk space any image configured with RootImage=.

* Introduce "exit" as an EmergencyAction value, and allow to configure a
  per-unit success/failure exit code to configure. This would be useful for
  running commands inside of services inside of containers, which could then
  propagate their failure state all the way up.

* In DynamicUser= mode: before selecting a UID, use disk quota APIs on relevant
  disks to see if the UID is already in use.

* add "systemctl wait" or so, which does what "systemd-run --wait" does, but
  for all units. It should be both a way to pin units into memory as well as a
  wait to retrieve their exit data.

* expose IO accounting data on the bus, show it in systemd-run --wait and log
  about it in the resource log message

* add "systemctl purge" for flushing out configuration, state, logs, ... of a
  unit when it is stopped

* show whether a service has out-of-date configuration in "systemctl status" by
  using mtime data of ConfigurationDirectory=.

* replace all uses of fgets() + LINE_MAX by read_line()

* Add AddUser= setting to unit files, similar to DynamicUser=1 which however
  creates a static, persistent user rather than a dynamic, transient user. We
  can leverage code from sysusers.d for this.

* add some optional flag to ReadWritePaths= and friends, that has the effect
  that we create the dir in question when the service is started. Example:

  ReadWritePaths=:/var/lib/foobar

* maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for
  the sd-journal logging socket, and, if the timeout is set to 0, sets
  O_NONBLOCK on it. That way people can control if and when to block for
  logging.

* hostnamed: populate form factor data from a new hwdb database, so that old
  yogas can be recognized as "convertible" too, even if they predate the DMI
  "convertible" form factor

* Maybe add a small tool invoked early at boot, that adds in or resizes
  partitions automatically, to be used when the media used is actually larger
  than the image written onto it is.

* Maybe add PrivatePIDs= as new unit setting, and do minimal PID namespacing
  after all. Be strict however, only support the equivalent of nspawn's
  --as-pid2 switch, and sanely proxy sd_notify() messages dropping stuff such
  as MAINPID.

* Add ExecMonitor= setting. May be used multiple times. Forks off a process in
  the service cgroup, which is supposed to monitor the service, and when it
  exits the service is considered failed by its monitor.

* track the per-service PAM process properly (i.e. as an additional control
  process), so that it may be queried on the bus and everything.

* add a new "debug" job mode, that is propagated to unit_start() and for
  services results in two things: we raise SIGSTOP right before invoking
  execve() and turn off watchdog support. Then, use that to implement
  "systemd-gdb" for attaching to the start-up of any system service in its
  natural habitat.

* maybe introduce gpt auto discovery for /var/tmp?

* maybe add gpt-partition-based user management: each user gets his own
  LUKS-encrypted GPT partition with a new GPT type. A small nss module
  enumerates users via udev partition enumeration. UIDs are assigned in a fixed
  way: the partition index is added as offset to some fixed base uid. User name
  is stored in GPT partition name. A PAM module authenticates the user via the
  LUKS partition password. Benefits: strong per-user security, compatibility
  with stateless/read-only/verity-enabled root. (other idea: do this based on
  loopback files in /home, without GPT involvement)

* gpt-auto logic: introduce support for discovering /var matching an image. For
  that, use a partition type UUID that is hashed from the OS name (as encoded
  in /etc/os-release), the architecture, and 4 new bits from the gpt flags
  field of the root partition. This way can easily support multiple OS
  installations on the same GPT partition table, without problems with
  unmatched /var partitions.

* gpt-auto logic: related to the above, maybe support a "secondary" root
  partition, that is mounted to / and is writable, and where the actual root's
  /usr is mounted into.

* gpt-auto logic: support encrypted swap, add kernel cmdline option to force it, and honour a gpt bit about it, plus maybe a configuration file

* drop nss-myhostname in favour of nss-resolve?

* add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and
  then use that for the setting used in user@.service. It should be understood
  relative to the configured default value.

* in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us

* enable LockMLOCK to take a percentage value relative to physical memory

* Permit masking specific netlink APIs with RestrictAddressFamily=

* nspawn: support that /proc, /sys/, /dev are pre-mounted

* define gpt header bits to select volatility mode

* ProtectKernelLogs= (drops CAP_SYSLOG, add seccomp for syslog() syscall, and DeviceAllow to /dev/kmsg) in service files

* ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc

* ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)

* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)

* ProtectKeyRing= to take keyring calls away

* RemoveKeyRing= to remove all keyring entries of the specified user

* ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill
  on PID 1 with the relevant signals, and makes relevant files in /sys and
  /proc (such as the sysrq stuff) unavailable

* make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things

* journalctl: make sure -f ends when the container indicated by -M terminates

* mount: automatically search for "main" partition of an image has multiple
  partitions

* expose the "privileged" flag of ExecCommand on the bus, and open it up to
  transient units

* in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set,
  find a way to map the User=/Group= of the service to the right name. This way
  a user/group for a service only has to exist on the host for the right
  mapping to work.

* add bus API for creating unit files in /etc, reusing the code for transient units

* add bus API to remove unit files from /etc

* add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only)

* rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the
  kernel doesn't support linkat() that replaces existing files, currently)

* transient units: don't bother with actually setting unit properties, we
  reload the unit file anyway

* journald: sigbus API via a signal-handler safe function that people may call
  from the SIGBUS handler

* optionally, also require WATCHDOG=1 notifications during service start-up and shutdown

* resolved: when routing queries, make sure only look for the *longest* suffix...

* delay activation of logind until somebody logs in, or when /dev/tty0 pulls it
  in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle

* cache sd_event_now() result from before the first iteration...

* add systemctl stop --job-mode=triggering that follows TRIGGERED_BY deps and adds them to the same transaction

* PID1: find a way how we can reload unit file configuration for
  specific units only, without reloading the whole of systemd

* add an explicit parser for LimitRTPRIO= that verifies
  the specified range and generates sane error messages for incorrect
  specifications.

* when we detect that there are waiting jobs but no running jobs, do something

* push CPUAffinity= also into the "cpuset" cgroup controller (only after the cpuset controller got ported to the unified hierarchy)

* PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn)

* there's probably something wrong with having user mounts below /sys,
  as we have for debugfs. for exmaple, src/core/mount.c handles mounts
  prefixed with /sys generally special.
  http://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html

* fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline

* docs: bring http://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date

* add a job mode that will fail if a transaction would mean stopping
  running units. Use this in timedated to manage the NTP service
  state.
  http://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html

* Maybe add support for the equivalent of "ethtool advertise" to .link files?
  http://lists.freedesktop.org/archives/systemd-devel/2015-April/030112.html

* The udev blkid built-in should expose a property that reflects
  whether media was sensed in USB CF/SD card readers. This should then
  be used to control SYSTEMD_READY=1/0 so that USB card readers aren't
  picked up by systemd unless they contain a medium. This would mirror
  the behaviour we already have for CD drives.

* networkd/udev: implement SR_IOV configuration in .link files:
  http://lists.freedesktop.org/archives/systemd-devel/2015-January/027451.html

* hostnamectl: show root image uuid

* Find a solution for SMACK capabilities stuff:
  http://lists.freedesktop.org/archives/systemd-devel/2014-December/026188.html

* "systemctl preset-all" should probably order the unit files it
  operates on lexicographically before starting to work, in order to
  ensure deterministic behaviour if two unit files conflict (like DMs
  do, for example)

* synchronize console access with BSD locks:
  http://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html

* as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads:
  http://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html

* in systemctl list-unit-files: show the install value the presets would suggest for a service in a third column

* figure out when we can use the coarse timers

* add "systemctl start -v foobar.service" that shows logs of a service
  while the start command runs. This is non-trivial to do without
  races though, since we should flush out all journal messages before
  returning from the "systemctl stop".

* firstboot: make it useful to be run immediately after yum --installroot to set up a machine. (most specifically, make --copy-root-password work even if /etc/passwd already exists

* maybe add support for specifier expansion in user.conf, specifically DefaultEnvironment=

* consider showing the unit names during boot up in the status output, not just the unit descriptions

* maybe allow timer units with an empty Units= setting, so that they
  can be used for resuming the system but nothing else.

* what to do about udev db binary stability for apps? (raw access is not an option)

* man: maybe use the word "inspect" rather than "introspect"?

* systemctl: if some operation fails, show log output?

* systemctl edit: use equvalent of cat() to insert existing config as a comment, prepended with #.
  Upon editor exit, lines with one # are removed, lines with two # are left with one #, etc.

* exponential backoff in timesyncd when we cannot reach a server

* timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM

* merge ~/.local/share and ~/.local/lib into one similar /usr/lib and /usr/share....

* systemd.show_status= should probably have a mode where only failed
  units are shown.

* add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL
  (throughout the codebase, not only PID1)

* resolved:
  - mDNS/DNS-SD
        - service registration
        - service/domain/types browsing
        - avahi compat
  - DNS-SD service registration from socket units
  - resolved should optionally register additional per-interface LLMNR
    names, so that for the container case we can establish the same name
    (maybe "host") for referencing the server, everywhere.
  - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?)
  - hook up resolved with machined-based address resolution

* refcounting in sd-resolve is borked

* Add a new verb "systemctl top"

* add new gpt type for btrfs volumes

* support empty /etc boots nicely:
  - nspawn/gpt-generator: introduce new gpt partition type for /usr

* generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them.

* a way for container managers to turn off getty starting via $container_headless= or so...

* figure out a nice way how we can let the admin know what child/sibling unit causes cgroup membership for a specific unit

* For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services
  they run added to the initial transaction and thus confuse Type=idle.

* add bus api to query unit file's X fields.

* gpt-auto-generator:
  - Define new partition type for encrypted swap? Support probed LUKS for encrypted swap?
  - Make /home automount rather than mount?

* add generator that pulls in systemd-network from containers when
  CAP_NET_ADMIN is set, more than the loopback device is defined, even
  when it is otherwise off

* MessageQueueMessageSize= (and suchlike) should use parse_iec_size().

* implement Distribute= in socket units to allow running multiple
  service instances processing the listening socket, and open this up
  for ReusePort=

* socket units: support creating sockets in different namespace,
  opening it up for JoinsNamespaceOf=. This would require to fork off
  a tiny process that joins the namespace and creates/binds the socket
  and passes this back to PID1 via SCM_RIGHTS. This also could be used
  to allow Chown/chgrp on sockets without requiring NSS in PID 1.

* introduce bus call FreezeUnit(s, b), as well as "systemctl freeze
  $UNIT" and "systemctl thaw $UNIT" as wrappers around this. The calls
  should SIGSTOP all unit processes in a loop until all processes of
  it are fully stopped. This can later be used for app management by
  desktop UIs such as gnome-shell to freeze apps that are not visible
  on screen, not unlike how job control works on the shell

* cgroups:
  - implement per-slice CPUFairScheduling=1 switch
  - handle jointly mounted controllers correctly
  - introduce high-level settings for RT budget, swappiness
  - how to reset dynamically changed unit cgroup attributes sanely?
  - when reloading configuration, apply new cgroup configuration
  - when recursively showing the cgroup hierarchy, optionally also show
    the hierarchies of child processes

* transient units:
  - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt

* Automatically configure swap partition to use for hibernation by looking for largest swap partition on the root disk?

* when we detect low battery and no AC on boot, show pretty splash and refuse boot

* libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops

* be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1

* rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it

* After coming back from hibernation reset hibernation swap partition using the /dev/snapshot ioctl APIs

* If we try to find a unit via a dangling symlink, generate a clean
  error. Currently, we just ignore it and read the unit from the search
  path anyway.

* refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up

* man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted.

* load .d/*.conf dropins for device units

* allow implementation of InaccessibleDirectories=/ plus
  ReadOnlyDirectories=... for whitelisting files for a service.

* sd-bus:
  - EBADSLT handling
  - GetAllProperties() on a non-existing object does not result in a failure currently
  - port to sd-resolve for connecting to TCP dbus servers
  - see if we can introduce a new sd_bus_get_owner_machine_id() call to retrieve the machine ID of the machine of the bus itself
  - see if we can drop more message validation on the sending side
  - add API to clone sd_bus_message objects
  - longer term: priority inheritance
  - dbus spec updates:
       - NameLost/NameAcquired obsolete
       - GVariant
       - path escaping
  - update systemd.special(7) to mention that dbus.socket is only about the compatibility socket now

* sd-event
  - allow multiple signal handlers per signal?
  - document chaining of signal handler for SIGCHLD and child handlers
  - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ...
  - generate a failure of a default event loop is executed out-of-thread

* investigate endianness issues of UUID vs. GUID

* dbus: when a unit failed to load (i.e. is in UNIT_ERROR state), we
  should be able to safely try another attempt when the bus call LoadUnit() is invoked.

* add a pam module that passes the hdd passphrase into the PAM stack and then expires it, for usage by gdm auto-login.

* add a pam module that on password changes updates any LUKS slot where the password matches

* maybe add a generator that looks for "systemd.run=" on the kernel cmdline for container usercases...

* test/:
  - add unit tests for config_parse_device_allow()

* seems that when we follow symlinks to units we prefer the symlink
  destination path over /etc and /usr. We should not do that. Instead
  /etc should always override /run+/usr and also any symlink
  destination.

* when isolating, try to figure out a way how we implicitly can order
  all units we stop before the isolating unit...

* teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off})

* BootLoaderSpec: Clarify that the kernel has to be in $BOOT. Clarify
  that the boot loader should be installed to the ESP. Define a way
  how an installer can figure out whether a BLS compliant boot loader
  is installed.

* think about requeuing jobs when daemon-reload is issued? usecase:
  the initrd issues a reload after fstab from the host is accessible
  and we might want to requeue the mounts local-fs acquired through
  that automatically.

* systemd-inhibit: make taking delay locks useful: support sending SIGINT or SIGTERM on PrepareForSleep()

* remove any syslog support from log.c — we probably cannot do this before split-off udev is gone for good

* shutdown logging: store to EFI var, and store to USB stick?

* merge unit_kill_common() and unit_kill_context()

* introduce ExecCondition= in services

* EFI:
  - honor language efi variables for default language selection (if there are any?)
  - honor timezone efi variables for default timezone selection (if there are any?)
  - change bootctl to be backed by systemd-bootd to control temporary and persistent default boot goal plus efi variables

* maybe do not install getty@tty1.service symlink in /etc but in /usr?

* print a nicer explanation if people use variable/specifier expansion in ExecStart= for the first word

* mount: turn dependency information from /proc/self/mountinfo into dependency information between systemd units.

* logind:
  - logind: optionally, ignore idle-hint logic for autosuspend, block suspend as long as a session is around
  - logind: wakelock/opportunistic suspend support
  - Add pretty name for seats in logind
  - logind: allow showing logout dialog from system?
  - add Suspend() bus calls which take timestamps to fix double suspend issues when somebody hits suspend and closes laptop quickly.
  - if pam_systemd is invoked by su from a process that is outside of a
    any session we should probably just become a NOP, since that's
    usually not a real user session but just some system code that just
    needs setuid().
  - logind: make the Suspend()/Hibernate() bus calls wait for the for
    the job to be completed. before returning, so that clients can wait
    for "systemctl suspend" to finish to know when the suspending is
    complete.
  - logind: when the power button is pressed short, just popup a
    logout dialog. If it is pressed for 1s, do the usual
    shutdown. Inspiration are Macs here.
  - expose "Locked" property on logind sesison objects
  - maybe allow configuration of the StopTimeout for session scopes
  - rename session scope so that it includes the UID. THat way
    the session scope can be arranged freely in slices and we don't have
    make assumptions about their slice anymore.
  - follow PropertiesChanged state more closely, to deal with quick logouts and
    relogins

* exec: when deinitializating a tty device fix the perms and group, too, not only when initializing. Set access mode/gid to 0620/tty.

* journal:
  - consider introducing implicit _TTY= + _PPID= + _EUID= + _EGID= + _FSUID= + _FSGID= fields
  - import and delete pstore filesystem content at startup
  - journald: also get thread ID from client, plus thread name
  - journal: when waiting for journal additions in the client always sleep at least 1s or so, in order to minimize wakeups
  - add API to close/reopen/get fd for journal client fd in libsystemd-journal.
  - fallback to /dev/log based logging in libsystemd-journal, if we cannot log natively?
  - declare the local journal protocol stable in the wiki interface chart
  - sd-journal: speed up sd_journal_get_data() with transparent hash table in bg
  - journald: when dropping msgs due to ratelimit make sure to write
    "dropped %u messages" not only when we are about to print the next
    message that works, but alraedy after a short tiemout
  - check if we can make journalctl by default use --follow mode inside of less if called without args?
  - maybe add API to send pairs of iovecs via sd_journal_send
  - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access
  - journactl: support negative filtering, i.e. FOOBAR!="waldo",
    and !FOOBAR for events without FOOBAR.
  - journal: store timestamp of journal_file_set_offline() int he header,
    so it is possible to display when the file was last synced.
  - journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again.
  - journal: find a way to allow dropping history early, based on priority, other rules
  - journal: When used on NFS, check payload hashes
  - journald: add kernel cmdline option to disable ratelimiting for debug purposes
  - refuse taking lower-case variable names in sd_journal_send() and friends.
  - journald: we currently rotate only after MaxUse+MaxFilesize has been reached.
  - journal: deal nicely with byte-by-byte copied files, especially regards header
  - journal: sanely deal with entries which are larger than the individual file size, but where the components would fit
  - Replace utmp, wtmp, btmp, and lastlog completely with journal
  - journalctl: instead --after-cursor= maybe have a --cursor=XYZ+1 syntax?
  - when a kernel driver logs in a tight loop, we should ratelimit that too.
  - journald: optionally, log debug messages to /run but everything else to /var
  - journald: when we drop syslog messages because the syslog socket is
    full, make sure to write how many messages are lost as first thing
    to syslog when it works again.
  - change systemd-journal-flush into a service that stays around during
    boot, and causes the journal to be moved back to /run on shutdown,
    so that we do not keep /var busy. This needs to happen synchronously,
    hence doing this via signals is not going to work.
  - optionally support running journald from the command line for testing purposes in external projects
  - journald: allow per-priority and per-service retention times when rotating/vacuuming
  - journald: make use of uid-range.h to managed uid ranges to split
    journals in.
  - journalctl: add the ability to look for the most recent process of a binary. journalctl /usr/bin/X11 --pid=-1 or so...
  - improve journalctl performance by loading journal files
    lazily. Encode just enough information in the file name, so that we
    do not have to open it to know that it is not interesting for us, for
    the most common operations.
  - man: document that corrupted journal files is nothing to act on
  - rework journald sigbus stuff to use mutex
  - Set RLIMIT_NPROC for systemd-journal-xyz, and all other of our
    services that run under their own user ids, and use User= (but only
    in a world where userns is ubiquitous since otherwise we cannot
    invoke those daemons on the host AND in a container anymore). Also,
    if LimitNPROC= is used without User= we should warn and refuse
    operation.
  - journalctl --verify: don't show files that are currently being
    written to as FAIL, but instead show that their are being written to.
  - add journalctl -H that talks via ssh to a remote peer and passes through
    binary logs data
  - add a version of --merge which also merges /var/log/journal/remote
  - journalctl: -m should access container journals directly by enumerating
    them via machined, and also watch containers coming and going.
    Benefit: nspawn --ephemeral would start working nicely with the journal.
  - assign MESSAGE_ID to log messages about failed services

* add a test if all entries in the catalog are properly formatted.
    (Adding dashes in a catalog entry currently results in the catalog entry
     being silently skipped. journalctl --update-catalog must warn about this,
     and we should also have a unit test to check that all our message are OK.)

* document:
  - document that deps in [Unit] sections ignore Alias= fields in
    [Install] units of other units, unless those units are disabled
  - man: clarify that time-sync.target is not only sysv compat but also useful otherwise. Same for similar targets
  - document that service reload may be implemented as service reexec
  - add a man page containing packaging guidelines and recommending usage of things like Documentation=, PrivateTmp=, PrivateNetwork= and ReadOnlyDirectories=/etc /usr.
  - document systemd-journal-flush.service properly
  - documentation: recommend to connect the timer units of a service to the service via Also= in [Install]
  - man: document the very specific env the shutdown drop-in tools live in
  - man: add more examples to man pages
  - man: maybe sort directives in man pages, and take sections from --help and apply them to man too

* systemctl:
  - add systemctl switch to dump transaction without executing it
  - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done
  - "systemctl disable" on a static unit prints no message and does
    nothing. "systemctl enable" does nothing, and gives a bad message
    about it. Should fix both to print nice actionable messages.
  - print nice message from systemctl --failed if there are no entries shown, and hook that into ExecStartPre of rescue.service/emergency.service
  - add new command to systemctl: "systemctl system-reexec" which reexecs as many daemons as virtually possible
  - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards?
  - systemctl: "Journal has been rotated since unit was started." message is misleading
  - systemctl status output should include list of triggering units and their status

* unit install:
  - "systemctl mask" should find all names by which a unit is accessible
    (i.e. by scanning for symlinks to it) and link them all to /dev/null

* timer units:
  - timer units should get the ability to trigger when:
    o CLOCK_REALTIME makes jumps (TFD_TIMER_CANCEL_ON_SET)
    o DST changes
    o timezone changes
  - Modulate timer frequency based on battery state

* add libsystemd-password or so to query passwords during boot using the password agent logic

* clean up date formatting and parsing so that all absolute/relative timestamps we format can also be parsed

* on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?), get rid of systemd-update-utmp-runlevel

* make repeated alt-ctrl-del presses printing a dump

* hostnamed: before returning information from /etc/machine-info.conf check the modification data and reread. Similar for localed, ...

* currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not

* nspawn:
  - emulate /dev/kmsg using CUSE and turn off the syslog syscall
    with seccomp. That should provide us with a useful log buffer that
    systemd can log to during early boot, and disconnect container logs
    from the kernel's logs.
  - as soon as networkd has a bus interface, hook up --network-interface=,
    --network-bridge= with networkd, to trigger netdev creation should an
    interface be missing
  - a nice way to boot up without machine id set, so that it is set at boot
    automatically for supporting --ephemeral. Maybe hash the host machine id
    together with the machine name to generate the machine id for the container
  - fix logic always print a final newline on output.
    https://github.com/systemd/systemd/pull/272#issuecomment-113153176
  - should optionally support receiving WATCHDOG=1 messages from its payload
    PID 1...
  - optionally automatically add FORWARD rules to iptables whenever nspawn is
    running, remove them when shut down.
  - maybe make copying of /etc/resolv.conf optional, and skip it if --read-only
    is used

* dissect
  - refuse mounting over a mount point
  - automatically discover .roothash files in dissect, similarly to nspawn

* machined:
  - add an API so that libvirt-lxc can inform us about network interfaces being
    removed or added to an existing machine
  - "machinectl migrate" or similar to copy a container from or to a
    difference host, via ssh
  - introduce systemd-nspawn-ephemeral@.service, and hook it into
    "machinectl start" with a new --ephemeral switch
  - "machinectl status" should also show internal logs of the container in
    question
  - "machinectl history"
  - "machinectl diff"
  - "machinectl commit" that takes a writable snapshot of a tree, invokes a
    shell in it, and marks it read-only after use

* importd:
  - generate a nice warning if mkfs.btrfs is missing

* cryptsetup:
  - cryptsetup-generator: allow specification of passwords in crypttab itself
  - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator

* hw watchdog: optionally try to use the preset watchdog timeout instead of always overriding it
  https://bugs.freedesktop.org/show_bug.cgi?id=54712

* add a dependency on standard-conf.xml and other included files to man pages

* MountFlags=shared acts as MountFlags=slave right now.

* properly handle loop back mounts via fstab, especially regards to fsck/passno

* initialize the hostname from the fs label of /, if /etc/hostname does not exist?

* udev:
  - move to LGPL
  - kill scsi_id
  - add trigger --subsystem-match=usb/usb_device device
  - reimport udev db after MOVE events for devices without dev_t

* There's currently no way to cancel fsck (used to be possible via C-c or c on the console)

* add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/

* coredump:
  - save coredump in Windows/Mozilla minidump format
  - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps

* support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting)

* default to actual 32-bit PIDs, via /proc/sys/kernel/pid_max

* be able to specify a forced restart of service A where service B depends on, in case B
  needs to be auto-respawned?

* tmpfiles:
  - apply "x" on "D" too (see patch from William Douglas)
  - replace F with f+.
  - instead of ignoring unknown fields, reject them.
  - creating new directories/subvolumes/fifos/device nodes
    should not follow symlinks. None of the other adjustment or creation
    calls follow symlinks.

* make sure systemd-ask-password-wall does not shutdown systemd-ask-password-console too early

* verify that the AF_UNIX sockets of a service in the fs still exist
  when we start a service in order to avoid confusion when a user
  assumes starting a service is enough to make it accessible

* Make it possible to set the keymap independently from the font on
  the kernel cmdline. Right now setting one resets also the other.

* and a dbus call to generate target from current state

* write blog stories about:
  - hwdb: what belongs into it, lsusb
  - enabling dbus services
  - how to make changes to sysctl and sysfs attributes
  - remote access
  - how to pass throw-away units to systemd, or dynamically change properties of existing units
  - testing with Harald's awesome test kit
  - auto-restart
  - how to develop against journal browsing APIs
  - the journal HTTP iface
  - non-cgroup resource management
  - dynamic resource management with cgroups
  - refreshed, longer missions statement
  - calendar time events
  - init=/bin/sh vs. "emergency" mode, vs. "rescue" mode, vs. "multi-user" mode, vs. "graphical" mode, and the debug shell
  - how to create your own target
  - instantiated apache, dovecot and so on
  - hooking a script into various stages of shutdown/rearly booot

* investigate whether the gnome pty helper should be moved into systemd, to provide cgroup support.

* dot output for --test showing the 'initial transaction'

* pid1:
  - When logging about multiple units (stopping BoundTo units, conflicts, etc.),
    log both units as UNIT=, so that journalctl -u triggers on both.
  - generate better errors when people try to set transient properties
    that are not supported...
    http://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html
  - maybe introduce WantsMountsFor=? Usecase:
    http://lists.freedesktop.org/archives/systemd-devel/2015-January/027729.html
  - recreate systemd's D-Bus private socket file on SIGUSR2
  - move PAM code into its own binary
  - when we automatically restart a service, ensure we restart its rdeps, too.
  - hide PAM options in fragment parser when compile time disabled
  - Support --test based on current system state
  - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle().
  - after deserializing sockets in socket.c we should reapply sockopts and things
  - drop PID 1 reloading, only do reexecing (difficult: Reload()
    currently is properly synchronous, Reexec() is weird, because we
    cannot delay the response properly until we are back, so instead of
    being properly synchronous we just keep open the fd and close it
    when done. That means clients do not get a successful method reply,
    but much rather a disconnect on success.
  - when breaking cycles drop sysv services first, then services from /run, then from /etc, then from /usr
  - when a bus name of a service disappears from the bus make sure to queue further activation requests

* unit files:
  - allow port=0 in .socket units
  - maybe introduce ExecRestartPre=
  - add ReloadSignal= for configuring a reload signal to use
  - implement Register= switch in .socket units to enable registration
    in Avahi, RPC and other socket registration services.
  - allow Type=simple with PIDFile=
    https://bugzilla.redhat.com/show_bug.cgi?id=723942
  - allow writing multiple conditions in unit files on one line
  - load-fragment: when loading a unit file via a chain of symlinks
    verify that it is not masked via any of the names traversed.
  - introduce Type=pid-file
  - introduce mix of BindTo and Requisite
  - add a concept of RemainAfterExit= to scope units
  - Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely

* udev-link-config:
   - Make sure ID_PATH is always exported and complete for
     network devices where possible, so we can safely rely
     on Path= matching
   - check MTUBytes parsing (expecting size_t but we are using unsigned)

* sd-rtnl:
   - add support for more attribute types
   - inbuilt piping support (essentially degenerate async)? see loopback-setup.c and other places

* networkd:
   - add more keys to [Route] and [Address] sections
   - add support for more DHCPv4 options (and, longer term, other kinds of dynamic config)
   - add proper initrd support (in particular generate .network/.link files based on /proc/cmdline)
   - add reduced [Link] support to .network files
   - add Scope= parsing option for [Network]
   - properly handle routerless dhcp leases
   - work with non-Ethernet devices
   - add support for more bond options
   - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from?
   - the DHCP lease data (such as NTP/DNS) is still made available when
     a carrier is lost on a link. It should be removed instantly.
   - expose in the API the following bits:
         - option 15, domain name and/or option 119, search list
         - option 12, host name and/or option 81, fqdn
         - option 123, 144, geolocation
         - option 252, configure http proxy (PAC/wpad)
   - provide a way to define a per-network interface default metric value
     for all routes to it. possibly a second default for DHCP routes.
   - allow Name= to be specified repeatedly in the [Match] section. Maybe also
     support Name=foo*|bar*|baz ?
   - duplicate address check for static IPs (like ARPCHECK in network-scripts)
   - allow DUID/IAID to be customized, see issue #394.
   - whenever uplink info changes, make DHCP server send out FORCERENEW

* networkd-wait-online:
   - make operstates to wait for configurable?

* dhcp:
   - figure out how much we can increase Maximum Message Size

* dhcp6:
   - add functions to set previously stored IPv6 addresses on startup and get
     them at shutdown; store them in client->ia_na
   - write more test cases
   - implement reconfigure support, see 5.3., 15.11. and 22.20.
   - implement support for temporary adressess (IA_TA)
   - implement dhcpv6 authentication
   - investigate the usefulness of Confirm messages; i.e. are there any
     situations where the link changes without any loss in carrier detection
     or interface down
   - some servers don't do rapid commit without a filled in IA_NA, verify
     this behavior
   - RouteTable= ?

External:

* dbus:
   - natively watch for dbus-*.service symlinks (PENDING)
   - teach dbus to activate all services it finds in /etc/systemd/services/org-*.service

* fix alsa mixer restore to not print error when no config is stored

* make cryptsetup lower --iter-time

* patch kernel for xattr support in /dev, /proc/, /sys?

* kernel: add device_type = "fb", "fbcon" to class "graphics"

* /usr/bin/service should actually show the new command line

* fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus=

* fedora: F20: go timer units all the way, leave cron.daily for cron

* neither pkexec nor sudo initialize environ[] from the PAM environment?

* fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it

* register catalog database signature as file magic

* zsh shell completion:
  - <command> <verb> -<TAB> should complete options, but currently does not
  - systemctl add-wants,add-requires


Regularly:

* look for close() vs. close_nointr() vs. close_nointr_nofail()

* check for strerror(r) instead of strerror(-r)

* pahole

* set_put(), hashmap_put() return values check. i.e. == 0 does not free()!

* use secure_getenv() instead of getenv() where appropriate

* link up selected blog stories from man pages and unit files Documentation= fields