3 * Many manager configuration settings that are only applicable to user
4 manager or system manager can be always set. It would be better to reject
5 them when parsing config.
9 * Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
13 * Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again
15 * rework mount.c and swap.c to follow proper state enumeration/deserialization
16 semantics, like we do for device.c now
20 * add --copy-from and --copy-to command to systemd-dissect which copies stuff
21 in and out of a disk image
23 * add systemd.random_seed= on the kernel cmdline, taking some hex or base64
24 encoded data. During earliest boot, credit it to entropy. This is not useful
25 for general purpose systems, but certainly for testing environments in VMs
26 and such, as it allows us to boot up instantly with fully initialized entropy
27 pool even if RNG pass-thru is not available.
29 * Support ProtectProc= or so, using: https://patchwork.kernel.org/cover/11310197/
31 * if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
33 * warn if User=nobody is used in a unit file. It's the overflow UID after all,
34 and the service might thus get access to files it really should not get
35 access to on NFS and userns environments.
37 * build short web pages out of each catalog entry, build them along with man
38 pages, and include hyperlinks to them in the journal output
40 * machined: add API to acquire UID range. add API to mount/dissect loopback
41 file. Both protected by PK. Then make nspawn use these APIs to run
42 unprivileged containers. i.e. push the truly privileged bits into machined,
43 so that the client side can remain entirely unprivileged, with SUID or
46 * journald: do journal file writing out-of-process, with one writer process per
47 client UID, so that synthetic hash table collisions can slow down a specific
48 user's journal stream down but not the others.
50 * add "throttling" to sd-event event sources: optionally, when we wake up too
51 often for one, let's turn it off entirely for a while. Use that for the
52 /proc/self/mountinfo logic.
54 * move our systemd-user PAM snippet to /usr/, which PAM appears to support
57 * nspawn: support time namespaces
59 * add ConditionSecurity=tpm2
61 * Remove any support for booting without /usr pre-mounted in the initrd entirely.
62 Update INITRD_INTERFACE.md accordingly.
64 * pid1: Move to tracking of main pid/control pid of units per pidfd
66 * pid1: support new clone3() fork-into-cgroup feature
68 * pid1: also remove PID files of a service when the service starts, not just
71 * make us use dynamically fewer deps for containers in general purpose distros:
72 o turn into dlopen() deps:
73 - pcre2 (always) — irrelevant on Fedora, since dep by
74 libselinux, but should benefit Debian
75 - libpwquality (always) - only relevant for homed, and maybe soon
78 - p11-kit-trust (always)
79 - kmod-libs (only when called from PID 1)
80 - cryptsetup-libs (only in RootImage= handling in PID 1, but not in systemd-cryptsetup)
82 - libpam (only when called from PID 1)
83 - bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are,
84 since they are so basic and our defaults)
85 o move into separate libsystemd-shared-iptables.so .so
86 - iptables-libs (only used by nspawn + networkd)
88 * seccomp: when SystemCallArchitectures=native is set then don't install any
89 other seccomp filters for any of the other archs, in order to reduce the
90 number of seccomp filters we install needlessly.
92 * seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can.
93 Apparently kernel performance is much better with fewer larger seccomp
94 filters than with more smaller seccomp filters.
96 * systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum,
97 mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such
99 * make "systemd-dissect" an official supported tool, i.e. move to /usr/bin/ and
100 provide man page. Given that we now have a tool that can generate images like
101 this, it's useful to have one that can dump contents of them, too.
103 * All tools that support --root= should also learn --image= so that they can
104 operate on disk images directly. Specifically: bootctl, firstboot, tmpfiles,
105 sysusers, systemctl, repart, journalctl, coredumpctl.
107 * seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out
109 * seccomp: don't install filters for ABIs that are masked anyway for the
112 * seccomp: maybe merge all filters we install into one with that libseccomp API that allows merging.
114 * per-service credential system. Specifically: add LoadCredential= (for loading
115 cred from file), AcquireCredential= (for asking user for cred, via
116 ask-password), PassCredential= (for passing on credential systemd itself
117 got). Then, place credentials in a per-service, immutable ramfs instance (so
118 that it cannot be swapped out), destroy after use. Also pass via keyring
119 (with graceful fallback to cover for containers). Define CredentialPath= for
120 defining subdir of /run/credentials/ where to place it. Set $CREDENTIAL_PATH
121 env var for services to the result. Also pass via fd passing (optionally).
123 * homed: add native recovery key support. use 48 lowercase modhex characters
124 (192bit), show qr code of it, include pattern expression in user record.
126 * homed: introduce "degraded" state for home directories that weren't cleanly
127 unmounted (use xattr we add and remove on the loop back file)
129 * homed: during login resize fs automatically towards size goal. Specifically,
130 resize to diskSize if possible, but leave a certain amount (configured by a
131 new value diskLeaveFreeSize) of space free on the backing fs.
133 * homed: permit multiple user record signing keys to be used locally, and pick
134 the right one for signing records automatically depending on a pre-existing
137 * homed: add a way to "adopt" a home directory, i.e. strip foreign signatures
138 and insert a local signature instead.
140 * homed: as an extension to the directory+subvolume backend: if located on
141 especially marked fs, then sync down password into LUKS header of that fs,
142 and always verify passwords against it too. Bootstrapping is a problem
143 though: if no one is logged in (or no other user even exists yet), how do you
144 unlock the volume in order to create the first user and add the first pw.
146 * homed: support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
148 * busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
151 * homed: maybe pre-create ~/.cache as subvol so that it can have separate quota
154 * when systemd-nspawn and suchlike dissect an OS image, and there are multiple
155 root partitions, do an strverscmp() on the partition label and boot
156 first. That is inspired how sd-boot figures out which kernel to boot, and
157 thus allows defining OS images which can be A/B updated and we default to the
158 newest version automatically, both in nspawn and in sd-boot
160 * cryptsetup/homed: also support FIDO2 HMAC password logic for unlocking
161 devices. (see: https://github.com/mjec/fido2-hmac-secret)
163 * systemd-gpt-auto should probably set x-systemd.growfs on the mounts it
166 * homed/userdb: distinguish passwords and recovery keys in the records, since
167 we probably want to use different PBKDF algorithms/settings for them:
168 passwords have low entropy but recovery keys should have good entropy key
169 hence we can make them quicker to work.
172 - teach it to prepare an ESP wholesale, i.e. with mkfs.vfat invocation
173 - teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host
174 - make it operate on loopback files, dissecting enough to find ESP to operate on
176 * Maybe add a separate GPT partition type to the discoverable partition spec
177 for "hibernate" partitions, that are exactly like swap partitions but only
178 activated right before hibernation and thus never used for regular swapping.
180 * by default, in systemd --user service bump the OOMAdjust to 100, as privs
181 allow so that systemd survives
183 * cryptsetup: allow encoding key directly in /etc/crypttab, maybe with a
184 "base64:" prefix. Useful in particular for pkcs11 mode.
186 * cryptsetup: reimplement the mkswap/mke2fs in cryptsetup-generator to use
187 systemd-makefs.service instead.
189 * socket units: allow creating a udev monitor socket with ListenDevices= or so,
190 with matches, then activate app through that passing socket over
192 * unify on openssl (as soon as OpenSSL 3.0 is out, and the Debian license
194 - port sd_id128_get_machine_app_specific() over from khash
195 - port resolved over from libgcrypt (DNSSEC code)
196 - port journald + fsprg over from libgcrypt
197 - port importd over from libgcrypt
198 - when that's done: kill khash.c
199 - when that's done: kill gnutls support in resolved
201 * kill zenata, all hail weblate?
203 * when we resize disks (homed?) always round up to 4K sectors, not 512K
205 * add growvol and makevol options for /etc/crypttab, similar to
206 x-systemd.growfs and x-systemd-makefs.
208 * hook up the TPM to /etc/crypttab, with a new option that is similar to the
209 new PKCS#11 option in crypttab, and allows unlocking a LUKS volume via a key
210 unsealed from the TPM. Optionally, if TPM is not available fall back to
211 TPM-less mode, and set up linear DM mapping instead (inspired by kpartx), so
212 that the device paths stay the same, regardless if crypto is used or not.
214 * systemd-repart: by default generate minimized partition tables (i.e. tables
215 that only cover the space actually used, excluding any free space at the
216 end), in order to maximize dd'ability. Requires libfdisk work, see
217 https://github.com/karelzak/util-linux/issues/907
219 * systemd-repart: optionally, allow specifying a path to initialize new
220 partitions from, i.e. an fs image file or a source device node. This would
221 then turn systemd-repart into a simple installer: with a few .repart files
222 you could replicate the host system on another device. a full installer would
223 then be: "systemd-repart /dev/sda && bootctl install /dev/sda &&
224 systemd-firstboot --image= …"
226 * systemd-repart: MBR partition table support. Care needs to be taken regarding
227 Type=, so that partition definitions can sanely apply to both the GPT and the
228 MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types
229 for the two partition types explicitly. And provide an internal mapping so
230 that "Type=linux-generic" maps to the right types for both partition tables
233 * systemd-repart: allow sizing partitions as factor of available RAM, so that
234 we can reasonably size swap partitions for hibernation.
236 * systemd-repart: allow running mkfs before making partitions pop up +
237 encryption via LUKS to allow booting into an empty root with only /usr mounted in
239 * systemd-repart: allow managing the gpt read-only partition flag + auto-mount flag
241 * systemd-repart: allow boolean option that ensures that if existing partition
242 doesn't exist within the configured size bounds the whole command fails. This
243 is useful to implement ESP vs. XBOOTLDR schemes in installers: have one set
244 of repart files for the case where ESP is large enough and one where it isn't
245 and XBOOTLDR is added in instead. Then apply the former first, and if it
246 fails to apply use the latter.
248 * systemd-repart: add per-partition option to never reuse existing partition
249 and always create anew even if matching partition already exists.
251 * systemd-repart: add per-partition option to fail if partition already exist,
252 i.e. is not added new. Similar, add option to fail if partition does not exist yet.
254 * systemd-repart: add --size=auto for generating/resizing images of minimal
255 size, i.e. where the image file is sized exactly as large as necessary taking
256 SizeMin= into account, but not a single byte larger.
258 * systemd-repart: allow disabling growing of specific partitions, or making
259 them (think ESP: we don't ever want to grow it, since we cannot resize vfat)
261 * systemd-repart: add specifier expansion, add especifier that refers to root
262 device node of current system, /usr device node, and matching verity, so that
263 an installer can be made a "copy" installer of the booted OS
265 * systemd-repart: make it a static checker during early boot for existence and
266 absence of other partitions for trusted boot environments
268 * systemd-repart: allow config of partition uuid
270 * userdb: allow username prefix searches in varlink API, allow realname and
271 realname substr searches in varlink API
273 * userdb: allow uid/gid range checks
275 * userdb: allow existence checks
277 * pid1: activation by journal search expression
279 * when switching root from initrd to host, set the machine_id env var so that
280 if the host has no machine ID set yet we continue to use the random one the
283 * sd-event: add native support for P_ALL waitid() watching, then move PID 1 to
284 it fo reaping assigned but unknown children. This needs to some special care
285 to operate somewhat sensibly in light of priorities: P_ALL will return
286 arbitrary processes, regardless of the priority we want to watch them with,
287 hence on each event loop iteration check all processes which we shall watch
288 with higher prio explicitly, and then watch the entire rest with P_ALL.
290 * tweak sd-event's child watching: keep a prioq of children to watch and use
291 waitid() only on the children with the highest priority until one is waitable
292 and ignore all lower-prio ones from that point on
294 * maybe introduce xattrs that can be set on the root dir of the root fs
295 partition that declare the volatility mode to use the image in. Previously I
296 thought marking this via GPT partition flags but that's not ideal since
297 that's outside of the LUKS encryption/verity verification, and we probably
298 shouldn't operate in a volatile mode unless we got told so from a trusted
301 * figure out automatic partition discovery when combining writable root dir
304 * coredump: maybe when coredumping read a new xattr from /proc/$PID/exe that
305 may be used to mark a whole binary as non-coredumpable. Would fix:
306 https://bugs.freedesktop.org/show_bug.cgi?id=69447
308 * teach parse_timestamp() timezones like the calendar spec already knows it
310 * beef up hibernation to optionally do swapon/swapoff immediately before/after
313 * beef up s2h to implement a battery watch loop: instead of entering
314 hibernation unconditionally after coming back from resume make a decision
315 based on the battery load level: if battery level is above a specific
316 threshold, go to suspend again, only hibernate if below it. This means we'd
317 stick to suspend usually, but fall back to hibernation only when battery runs
318 empty (well, subject to our sampling interval). Related to this, check if we
319 can make ACPI _BTP (i.e. /sys/class/power_supply/*/alarm) work for us too,
320 i.e. see if it can wake up machines from suspend, so that we could resume
321 automatically when the system is low on power and move automatically to
322 hibernation mode. (see
323 https://uefi.org/sites/default/files/resources/ACPI%206_2_A_Sept29.pdf
325 https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby-wake-sources
328 * add an explicit "vertical" mode to format-table, so that "systemctl
329 status"-like outputs (i.e. with a series of field names left and values
330 right) become genuine first class citizens, and we gain automatic, sane JSON
333 * systemd-firstboot: teach it dissector magic, so that you can point it to some
334 disk image and it will just set everything in it all behind the scenes.
336 * We should probably replace /var/log/README, /etc/rc.d/README with symlinks
337 that are linked to these places instead of copied. After all they are
338 constant vendor data.
340 * maybe add kernel cmdline params: to force random seed crediting
342 * nspawn: on cgroupsv1 issue cgroup empty handler process based on host events,
343 so that we make cgroup agent logic safe
345 * nspawn/machined: add API to invoke binary in container, then use that as
346 fallback in "machinectl shell"
348 * logind: rework pam_logind to also do a bus call in case of invocation from
349 user@.service, which returns the XDG_RUNTIME_DIR value, and make this
350 behaviour selectable via pam module option.
353 - when user tries to log into record signed by unrecognized key, automatically add key to our chain after polkit auth
354 - hook up machined/nspawn users with a varlink user query interface
355 - rollback when resize fails mid-operation
356 - GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid)
358 - shrink fs on logout?
359 - update LUKS password on login if we find there's a password that unlocks the JSON record but not the LUKS device.
360 - create on activate?
361 - properties: icon url?, preferred session type?, administrator bool (which translates to 'wheel' membership)?, address?, telephone?, vcard?, samba stuff?, parental controls?
362 - communicate clearly when usb stick is safe to remove. probably involves
363 beefing up logind to make pam session close hook synchronous and wait until
364 systemd --user is shut down.
365 - logind: maybe keep a "busy fd" as long as there's a non-released session around or the user@.service
366 - maybe make automatic, read-only, time-based reflink-copies of LUKS disk images (think: time machine)
367 - distinguish destroy / remove (i.e. currently we can unregister a user, unregister+remove their home directory, but not just remove their home directory)
368 - in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl set-linger" mode work
369 - fingerprint authentication, pattern authentication, …
370 - make sure "classic" user records can also be managed by homed
371 - description field for groups
372 - make size of $XDG_RUNTIME_DIR configurable in user record
373 - reuse pwquality magic in firstboot
374 - query password from kernel keyring first
375 - update even if record is "absent"
376 - add a "access mode" + "fstype" field to the "status" section of json identity records reflecting the actually used access mode and fstype, even on non-luks backends
377 - move acct mgmt stuff from pam_systemd_home to pam_systemd?
378 - when "homectl --pkcs11-token-uri=" is used, synthesize ssh-authorized-keys records for all keys we have private keys on the stick for
379 - make slice for users configurable (requires logind rework)
380 - logind: populate auto-login list bus property from PKCS#11 token
381 - when determining state of a LUKS home directory, check DM suspended sysfs file
383 * introduce a new per-process uuid, similar to the boot id, the machine id, the
384 invocation id, that is derived from process creds, specifically a hashed
385 combination of AT_RANDOM + getpid() + the starttime from
386 /proc/self/status. Then add these ids implicitly when logging. Deriving this
387 uuid from these three things has the benefit that it can be derived easily
388 from /proc/$PID/ in a stable, and unique way that changes on both fork() and
391 * let's not GC a unit while its ratelimits are still pending
393 * when killing due to service watchdog timeout maybe detect whether target
394 process is under ptracing and then log loudly and continue instead.
396 * introduce a new group to own TPM devices
398 * make rfkill uaccess controllable by default, i.e. steal rule from
399 gnome-bluetooth and friends
401 * tweak journald context caching. In addition to caching per-process attributes
402 keyed by PID, cache per-cgroup attributes (i.e. the various xattrs we read)
403 keyed by cgroup path, and guarded by ctime changes. This should provide us
404 with a nice speed-up on services that have many processes running in the same
407 * make MAINPID= message reception checks even stricter: if service uses User=,
408 then check sending UID and ignore message if it doesn't match the user or
411 * maybe trigger a uevent "change" on a device if "systemctl reload xyz.device"
414 * when importing an fs tree with machined, optionally apply userns-rec-chown
416 * when importing an fs tree with machined, complain if image is not an OS
418 * Maybe introduce a helper safe_exec() or so, which is to execve() which
419 safe_fork() is to fork(). And then make revert the RLIMIT_NOFILE soft limit
420 to 1K implicitly, unless explicitly opted-out.
422 * rework seccomp/nnp logic that even if User= is used in combination with
423 a seccomp option we don't have to set NNP. For that, change uid first whil
424 keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap.
426 * add a concept for automatically loading per-unit secrets off disk and
427 inserting them into the kernel keyring. Maybe SecretsDirectory= similar to
428 ConfigurationDirectory=.
430 * when no locale is configured, default to UEFI's PlatformLang variable
432 * bootctl,sd-boot: actually honour the "architecture" key
434 * add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and
435 usefaultd() and make systemd-analyze check for it.
437 * paranoia: whenever we process passwords, call mlock() on the memory
438 first. i.e. look for all places we use free_and_erasep() and
439 augment them with mlock(). Also use MADV_DONTDUMP.
441 * Move RestrictAddressFamily= to the new cgroup create socket
443 * support the bind/connect/sendmsg cgroup stuff for sandboxing, and possibly
446 * maybe implicitly attach monotonic+realtime timestamps to outgoing messages in
447 log.c and sd-journal-send
449 * optionally: turn on cgroup delegation for per-session scope units
451 * introduce per-unit (i.e. per-slice, per-service) journal log size limits.
453 * sd-boot: automatically load EFI modules from some drop-in dir, so that people
454 can add in file system drivers and such
456 * sd-boot: optionally, show boot menu when previous default boot item has
457 non-zero "tries done" count
459 * introduce an option (or replacement) for "systemctl show" that outputs all
460 properties as JSON, similar to busctl's new JSON output. In contrast to that
461 it should skip the variant type string though.
463 * augment CODE_FILE=, CODE_LINE= with something like CODE_BASE= or so which
464 contains some identifier for the project, which allows us to include
465 clickable links to source files generating these log messages. The identifier
466 could be some abberviated URL prefix or so (taking inspiration from Go
467 imports). For example, for systemd we could use
468 CODE_BASE=github.com/systemd/systemd/blob/98b0b1123cc or so which is
469 sufficient to build a link by prefixing "http://" and suffixing the
472 * Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can
473 make clickable links from log messages carrying a MESSAGE_ID, that lead to
474 some explanatory text online.
476 * maybe extend .path units to expose fanotify() per-mount change events
478 * Add a "systemctl list-units --by-slice" mode or so, which rearranges the
479 output of "systemctl list-units" slightly by showing the tree structure of
480 the slices, and the units attached to them.
482 * the a-posteriori stopping of units bound to units that disappeared logic
483 should be reworked: there should be a queue of units, and we should only
484 enqueue stop jobs from a defer event that processes queue instead of
485 right-away when we find a unit that is bound to one that doesn't exist
486 anymore. (similar to how the stop-unneeded queue has been reworked the same
489 * nspawn: make nspawn suitable for shell pipelines: instead of triggering a
490 hangup when input is finished, send ^D, which synthesizes an EOF. Then wait
491 for hangup or ^D before passing on the EOF.
493 * When reloading configuration PID 1 should reset all its properties to the
494 original defaults before calling parse_config()
496 * nspawn: greater control over selinux label?
498 * hibernate/s2h: make this robust and safe to enable in Fedora by default.
501 1. add resume_offset support to the resume code (i.e. support swap files
503 2. check if swap is on weird storage and refuse if so
504 3. add auto-detection of hibernation images
506 * cgroups: use inotify to get notified when somebody else modifies cgroups
507 owned by us, then log a friendly warning.
509 * beef up log.c with support for stripping ANSI sequences from strings, so that
510 it is OK to include them in log strings. This would be particularly useful so
511 that our log messages could contain clickable links for example for unit
512 files and suchlike we operate on.
514 * add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration)
516 * add attach --enable and attach --now (for attach+enable+start)
518 * sync dynamic uids/gids between host+portable srvice (i.e. if DynamicUser=1 is set for a service, make sure that the
519 selected user is resolvable in the service even if it ships its own /etc/passwd)
521 * Fix DECIMAL_STR_MAX or DECIMAL_STR_WIDTH. One includes a trailing NUL, the
522 other doesn't. What a disaster. Probably to exclude it. Also
523 DECIMAL_STR_WIDTH should probably add an extra "-" into account for negative
526 * Check that users of inotify's IN_DELETE_SELF flag are using it properly, as
527 usually IN_ATTRIB is the right way to watch deleted files, as the former only
528 fires when a file is actually removed from disk, i.e. the link count drops to
529 zero and is not open anymore, while the latter happens when a file is
530 unlinked from any dir.
532 * port systemctl, busctl, … over to format-table.[ch]'s table formatters
534 * pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up
536 * add --vacuum-xyz options to coredumpctl, matching those journalctl already has.
538 * introduce Ephemeral= unit file switch, that creates an ephemeral copy of all
539 files and directories that are left writable for a unit, and which are
540 removed after the unit goes down again. A bit like --ephemeral for
541 systemd-nspawn but for system services. If used together with RootImage= this
542 should reflink the image file itself.
544 Related: add Ephemeral=<path1> <path2> … which would allow marking
545 specific paths only like this.
547 * add CopyFile= or so as unit file setting that may be used to copy files or
548 directory trees from the host to the services RootImage= and RootDirectory=
549 environment. Which we can use for /etc/machine-id and in particular
550 /etc/resolv.conf. Should be smart and do something useful on read-only
551 images, for example fallback to read-only bind mounting the file instead.
553 * show invocation ID in systemd-run output
555 * bypass SIGTERM state in unit files if KillSignal is SIGKILL
557 * add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1
558 and so on, which would mean we could report errors and such.
560 * teach tmpfiles.d q/Q logic something sensible in the context of XFS/ext4
563 * introduce DefaultSlice= or so in system.conf that allows changing where we
564 place our units by default, i.e. change system.slice to something
565 else. Similar, ManagerSlice= should exist so that PID1's own scope unit could
566 be moved somewhere else too. Finally machined and logind should get similar
567 options so that it is possible to move user session scopes and machines to a
568 different slice too by default. Usecase: people who want to put resources on
569 the entire system, with the exception of one specific service. See:
570 https://lists.freedesktop.org/archives/systemd-devel/2018-February/040369.html
572 * maybe rework get_user_creds() to query the user database if $SHELL is used
573 for root, but only then.
575 * be stricter with fds we receive for the fdstore: close them asynchronously
577 * calenderspec: add support for week numbers and day numbers within a
578 year. This would allow us to define "bi-weekly" triggers safely.
580 * sd-bus: add vtable flag, that may be used to request client creds implicitly
581 and asynchronously before dispatching the operation
583 * make use of ethtool veth peer info in machined, for automatically finding out
584 host-side interface pointing to the container.
586 * add some special mode to LogsDirectory=/StateDirectory=… that allows
587 declaring these directories without necessarily pulling in deps for them, or
588 creating them when starting up. That way, we could declare that
589 systemd-journald writes to /var/log/journal, which could be useful when we
590 doing disk usage calculations and so on.
592 * taint systemd if there are fewer than 65536 users assigned (userns) to the system.
594 * deprecate RootDirectoryStartOnly= in favour of a new ExecStart= prefix char
596 * add a new RuntimeDirectoryPreserve= mode that defines a similar lifecycle for
597 the runtime dir as we maintain for the fdstore: i.e. keep it around as long
598 as the unit is running or has a job queued.
600 * support projid-based quota in machinectl for containers
602 * add a way to lock down cgroup migration: a boolean, which when set for a unit
603 makes sure the processes in it can never migrate out of it
605 * blog about fd store and restartable services
607 * document Environment=SYSTEMD_LOG_LEVEL=debug drop-in in debugging document
609 * rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its
610 magic meaning and is no longer upgraded to something else if set explicitly.
612 * in the long run: permit a system with /etc/machine-id linked to /dev/null, to
613 make it lose its identity, i.e. be anonymous. For this we'd have to patch
614 through the whole tree to make all code deal with the case where no machine
617 * optionally, collect cgroup resource data, and store it in per-unit RRD files,
618 suitable for processing with rrdtool. Add bus API to access this data, and
619 possibly implement a CPULoad property based on it.
621 * beef up pam_systemd to take unit file settings such as cgroups properties as
624 * maybe hook of xfs/ext4 quotactl() with services? i.e. automatically manage
625 the quota of a the user indicated in User= via unit file settings, like the
626 other resource management concepts. Would mix nicely with DynamicUser=1. Or
627 alternatively, do this with projids, so that we can also cover services
628 running as root. Quota should probably cover all the special dirs such as
629 StateDirectory=, LogsDirectory=, CacheDirectory=, as well as RootDirectory= if it
630 is set, plus the whole disk space any image configured with RootImage=.
632 * In DynamicUser= mode: before selecting a UID, use disk quota APIs on relevant
633 disks to see if the UID is already in use.
635 * add "systemctl wait" or so, which does what "systemd-run --wait" does, but
636 for all units. It should be both a way to pin units into memory as well as a
637 wait to retrieve their exit data.
639 * expose IO accounting data on the bus, show it in systemd-run --wait and log
640 about it in the resource log message
642 * show whether a service has out-of-date configuration in "systemctl status" by
643 using mtime data of ConfigurationDirectory=.
645 * Add AddUser= setting to unit files, similar to DynamicUser=1 which however
646 creates a static, persistent user rather than a dynamic, transient user. We
647 can leverage code from sysusers.d for this.
649 * add some optional flag to ReadWritePaths= and friends, that has the effect
650 that we create the dir in question when the service is started. Example:
652 ReadWritePaths=:/var/lib/foobar
654 * maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for
655 the sd-journal logging socket, and, if the timeout is set to 0, sets
656 O_NONBLOCK on it. That way people can control if and when to block for
659 * hostnamed: populate form factor data from a new hwdb database, so that old
660 yogas can be recognized as "convertible" too, even if they predate the DMI
661 "convertible" form factor
663 * Maybe add PrivatePIDs= as new unit setting, and do minimal PID namespacing
664 after all. Be strict however, only support the equivalent of nspawn's
665 --as-pid2 switch, and sanely proxy sd_notify() messages dropping stuff such
668 * Add ExecMonitor= setting. May be used multiple times. Forks off a process in
669 the service cgroup, which is supposed to monitor the service, and when it
670 exits the service is considered failed by its monitor.
672 * track the per-service PAM process properly (i.e. as an additional control
673 process), so that it may be queried on the bus and everything.
675 * add a new "debug" job mode, that is propagated to unit_start() and for
676 services results in two things: we raise SIGSTOP right before invoking
677 execve() and turn off watchdog support. Then, use that to implement
678 "systemd-gdb" for attaching to the start-up of any system service in its
681 * gpt-auto logic: related to the above, maybe support a "secondary" root
682 partition, that is mounted to / and is writable, and where the actual root's
683 /usr is mounted into.
685 * gpt-auto logic: support encrypted swap, add kernel cmdline option to force it, and honour a gpt bit about it, plus maybe a configuration file
687 * drop nss-myhostname in favour of nss-resolve?
689 * add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and
690 then use that for the setting used in user@.service. It should be understood
691 relative to the configured default value.
693 * in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us
695 * enable LockMLOCK to take a percentage value relative to physical memory
697 * Permit masking specific netlink APIs with RestrictAddressFamily=
699 * nspawn: support that /proc, /sys/, /dev are pre-mounted
701 * define gpt header bits to select volatility mode
703 * ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
705 * ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
707 * ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
709 * ProtectKeyRing= to take keyring calls away
711 * RemoveKeyRing= to remove all keyring entries of the specified user
713 * ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill
714 on PID 1 with the relevant signals, and makes relevant files in /sys and
715 /proc (such as the sysrq stuff) unavailable
717 * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
719 * journalctl: make sure -f ends when the container indicated by -M terminates
721 * mount: automatically search for "main" partition of an image has multiple
724 * in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set,
725 find a way to map the User=/Group= of the service to the right name. This way
726 a user/group for a service only has to exist on the host for the right
729 * add bus API for creating unit files in /etc, reusing the code for transient units
731 * add bus API to remove unit files from /etc
733 * add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only)
735 * rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the
736 kernel doesn't support linkat() that replaces existing files, currently)
738 * transient units: don't bother with actually setting unit properties, we
739 reload the unit file anyway
741 * journald: sigbus API via a signal-handler safe function that people may call
742 from the SIGBUS handler
744 * optionally, also require WATCHDOG=1 notifications during service start-up and shutdown
746 * delay activation of logind until somebody logs in, or when /dev/tty0 pulls it
747 in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle
749 * cache sd_event_now() result from before the first iteration...
751 * PID1: find a way how we can reload unit file configuration for
752 specific units only, without reloading the whole of systemd
754 * add an explicit parser for LimitRTPRIO= that verifies
755 the specified range and generates sane error messages for incorrect
758 * when we detect that there are waiting jobs but no running jobs, do something
760 * push CPUAffinity= also into the "cpuset" cgroup controller
762 * PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn)
764 * there's probably something wrong with having user mounts below /sys,
765 as we have for debugfs. for example, src/core/mount.c handles mounts
766 prefixed with /sys generally special.
767 http://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html
769 * fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline
771 * docs: bring http://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date
773 * add a job mode that will fail if a transaction would mean stopping
774 running units. Use this in timedated to manage the NTP service
776 http://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html
778 * The udev blkid built-in should expose a property that reflects
779 whether media was sensed in USB CF/SD card readers. This should then
780 be used to control SYSTEMD_READY=1/0 so that USB card readers aren't
781 picked up by systemd unless they contain a medium. This would mirror
782 the behaviour we already have for CD drives.
784 * networkd/udev: implement SR_IOV configuration in .link files:
785 http://lists.freedesktop.org/archives/systemd-devel/2015-January/027451.html
787 * hostnamectl: show root image uuid
789 * Find a solution for SMACK capabilities stuff:
790 http://lists.freedesktop.org/archives/systemd-devel/2014-December/026188.html
792 * "systemctl preset-all" should probably order the unit files it
793 operates on lexicographically before starting to work, in order to
794 ensure deterministic behaviour if two unit files conflict (like DMs
797 * synchronize console access with BSD locks:
798 http://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html
800 * as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads:
801 http://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html
803 * figure out when we can use the coarse timers
805 * add "systemctl start -v foobar.service" that shows logs of a service
806 while the start command runs. This is non-trivial to do without
807 races though, since we should flush out all journal messages before
808 returning from the "systemctl stop".
810 * firstboot: make it useful to be run immediately after yum --installroot to set up a machine. (most specifically, make --copy-root-password work even if /etc/passwd already exists
812 * maybe add support for specifier expansion in user.conf, specifically DefaultEnvironment=
814 * maybe allow timer units with an empty Units= setting, so that they
815 can be used for resuming the system but nothing else.
817 * what to do about udev db binary stability for apps? (raw access is not an option)
819 * systemctl: if some operation fails, show log output?
821 * systemctl edit: use equivalent of cat() to insert existing config as a comment, prepended with #.
822 Upon editor exit, lines with one # are removed, lines with two # are left with one #, etc.
824 * exponential backoff in timesyncd when we cannot reach a server
826 * timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM
828 * merge ~/.local/share and ~/.local/lib into one similar /usr/lib and /usr/share....
830 * add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL
831 (throughout the codebase, not only PID1)
835 - service registration
836 - service/domain/types browsing
838 - DNS-SD service registration from socket units
839 - resolved should optionally register additional per-interface LLMNR
840 names, so that for the container case we can establish the same name
841 (maybe "host") for referencing the server, everywhere.
842 - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?)
843 - hook up resolved with machined-based address resolution
845 * refcounting in sd-resolve is borked
847 * Add a new verb "systemctl top"
849 * add new gpt type for btrfs volumes
851 * support empty /etc boots nicely:
852 - nspawn/gpt-generator: introduce new gpt partition type for /usr
854 * generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them.
856 * a way for container managers to turn off getty starting via $container_headless= or so...
858 * figure out a nice way how we can let the admin know what child/sibling unit causes cgroup membership for a specific unit
860 * For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services
861 they run added to the initial transaction and thus confuse Type=idle.
863 * add bus api to query unit file's X fields.
865 * gpt-auto-generator:
866 - Define new partition type for encrypted swap? Support probed LUKS for encrypted swap?
867 - Make /home automount rather than mount?
869 * add generator that pulls in systemd-network from containers when
870 CAP_NET_ADMIN is set, more than the loopback device is defined, even
871 when it is otherwise off
873 * MessageQueueMessageSize= (and suchlike) should use parse_iec_size().
875 * implement Distribute= in socket units to allow running multiple
876 service instances processing the listening socket, and open this up
879 * introduce bus call FreezeUnit(s, b), as well as "systemctl freeze
880 $UNIT" and "systemctl thaw $UNIT" as wrappers around this. The calls
881 should SIGSTOP all unit processes in a loop until all processes of
882 it are fully stopped. This can later be used for app management by
883 desktop UIs such as gnome-shell to freeze apps that are not visible
884 on screen, not unlike how job control works on the shell
887 - implement per-slice CPUFairScheduling=1 switch
888 - introduce high-level settings for RT budget, swappiness
889 - how to reset dynamically changed unit cgroup attributes sanely?
890 - when reloading configuration, apply new cgroup configuration
891 - when recursively showing the cgroup hierarchy, optionally also show
892 the hierarchies of child processes
895 - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt
897 * when we detect low battery and no AC on boot, show pretty splash and refuse boot
899 * libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops
901 * be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1
903 * rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it
905 * After coming back from hibernation reset hibernation swap partition using the /dev/snapshot ioctl APIs
907 * If we try to find a unit via a dangling symlink, generate a clean
908 error. Currently, we just ignore it and read the unit from the search
911 * refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up
913 * man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted.
915 * load .d/*.conf dropins for device units
919 - GetAllProperties() on a non-existing object does not result in a failure currently
920 - port to sd-resolve for connecting to TCP dbus servers
921 - see if we can introduce a new sd_bus_get_owner_machine_id() call to retrieve the machine ID of the machine of the bus itself
922 - see if we can drop more message validation on the sending side
923 - add API to clone sd_bus_message objects
924 - longer term: priority inheritance
926 - NameLost/NameAcquired obsolete
929 - update systemd.special(7) to mention that dbus.socket is only about the compatibility socket now
932 - allow multiple signal handlers per signal?
933 - document chaining of signal handler for SIGCHLD and child handlers
934 - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ...
936 * investigate endianness issues of UUID vs. GUID
938 * dbus: when a unit failed to load (i.e. is in UNIT_ERROR state), we
939 should be able to safely try another attempt when the bus call LoadUnit() is invoked.
941 * add a pam module that passes the hdd passphrase into the PAM stack and then expires it, for usage by gdm auto-login.
943 * add a pam module that on password changes updates any LUKS slot where the password matches
946 - add unit tests for config_parse_device_allow()
948 * seems that when we follow symlinks to units we prefer the symlink
949 destination path over /etc and /usr. We should not do that. Instead
950 /etc should always override /run+/usr and also any symlink
953 * when isolating, try to figure out a way how we implicitly can order
954 all units we stop before the isolating unit...
956 * teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off})
958 * Add ConditionDirectoryNotEmpty= handle non-absoute paths as a search path or add
959 ConditionConfigSearchPathNotEmpty= or different syntax? See the discussion starting at
960 https://github.com/systemd/systemd/pull/15109#issuecomment-607740136.
962 * BootLoaderSpec: Clarify that the kernel has to be in $BOOT. Clarify
963 that the boot loader should be installed to the ESP. Define a way
964 how an installer can figure out whether a BLS compliant boot loader
967 * think about requeuing jobs when daemon-reload is issued? usecase:
968 the initrd issues a reload after fstab from the host is accessible
969 and we might want to requeue the mounts local-fs acquired through
972 * systemd-inhibit: make taking delay locks useful: support sending SIGINT or SIGTERM on PrepareForSleep()
974 * remove any syslog support from log.c — we probably cannot do this before split-off udev is gone for good
976 * shutdown logging: store to EFI var, and store to USB stick?
978 * merge unit_kill_common() and unit_kill_context()
981 - honor language efi variables for default language selection (if there are any?)
982 - honor timezone efi variables for default timezone selection (if there are any?)
983 - change bootctl to be backed by systemd-bootd to control temporary and persistent default boot goal plus efi variables
985 - recognize the case when not booted on EFI
987 * maybe do not install getty@tty1.service symlink in /etc but in /usr?
989 * print a nicer explanation if people use variable/specifier expansion in ExecStart= for the first word
991 * mount: turn dependency information from /proc/self/mountinfo into dependency information between systemd units.
994 - logind: optionally, ignore idle-hint logic for autosuspend, block suspend as long as a session is around
995 - logind: wakelock/opportunistic suspend support
996 - Add pretty name for seats in logind
997 - logind: allow showing logout dialog from system?
998 - add Suspend() bus calls which take timestamps to fix double suspend issues when somebody hits suspend and closes laptop quickly.
999 - if pam_systemd is invoked by su from a process that is outside of a
1000 any session we should probably just become a NOP, since that's
1001 usually not a real user session but just some system code that just
1003 - logind: make the Suspend()/Hibernate() bus calls wait for the for
1004 the job to be completed. before returning, so that clients can wait
1005 for "systemctl suspend" to finish to know when the suspending is
1007 - logind: when the power button is pressed short, just popup a
1008 logout dialog. If it is pressed for 1s, do the usual
1009 shutdown. Inspiration are Macs here.
1010 - expose "Locked" property on logind sesison objects
1011 - maybe allow configuration of the StopTimeout for session scopes
1012 - rename session scope so that it includes the UID. THat way
1013 the session scope can be arranged freely in slices and we don't have
1014 make assumptions about their slice anymore.
1015 - follow PropertiesChanged state more closely, to deal with quick logouts and
1017 - (optionally?) spawn seat-manager@$SEAT.service whenever a seat shows up that as CanGraphical set
1020 - consider introducing implicit _TTY= + _PPID= + _EUID= + _EGID= + _FSUID= + _FSGID= fields
1021 - journald: also get thread ID from client, plus thread name
1022 - journal: when waiting for journal additions in the client always sleep at least 1s or so, in order to minimize wakeups
1023 - add API to close/reopen/get fd for journal client fd in libsystemd-journal.
1024 - fallback to /dev/log based logging in libsystemd-journal, if we cannot log natively?
1025 - declare the local journal protocol stable in the wiki interface chart
1026 - sd-journal: speed up sd_journal_get_data() with transparent hash table in bg
1027 - journald: when dropping msgs due to ratelimit make sure to write
1028 "dropped %u messages" not only when we are about to print the next
1029 message that works, but already after a short timeout
1030 - check if we can make journalctl by default use --follow mode inside of less if called without args?
1031 - maybe add API to send pairs of iovecs via sd_journal_send
1032 - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access
1033 - journactl: support negative filtering, i.e. FOOBAR!="waldo",
1034 and !FOOBAR for events without FOOBAR.
1035 - journal: store timestamp of journal_file_set_offline() int he header,
1036 so it is possible to display when the file was last synced.
1037 - journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again.
1038 - journal: find a way to allow dropping history early, based on priority, other rules
1039 - journal: When used on NFS, check payload hashes
1040 - journald: add kernel cmdline option to disable ratelimiting for debug purposes
1041 - refuse taking lower-case variable names in sd_journal_send() and friends.
1042 - journald: we currently rotate only after MaxUse+MaxFilesize has been reached.
1043 - journal: deal nicely with byte-by-byte copied files, especially regards header
1044 - journal: sanely deal with entries which are larger than the individual file size, but where the components would fit
1045 - Replace utmp, wtmp, btmp, and lastlog completely with journal
1046 - journalctl: instead --after-cursor= maybe have a --cursor=XYZ+1 syntax?
1047 - when a kernel driver logs in a tight loop, we should ratelimit that too.
1048 - journald: optionally, log debug messages to /run but everything else to /var
1049 - journald: when we drop syslog messages because the syslog socket is
1050 full, make sure to write how many messages are lost as first thing
1051 to syslog when it works again.
1052 - journald: allow per-priority and per-service retention times when rotating/vacuuming
1053 - journald: make use of uid-range.h to managed uid ranges to split
1055 - journalctl: add the ability to look for the most recent process of a binary. journalctl /usr/bin/X11 --pid=-1 or so...
1056 - improve journalctl performance by loading journal files
1057 lazily. Encode just enough information in the file name, so that we
1058 do not have to open it to know that it is not interesting for us, for
1059 the most common operations.
1060 - man: document that corrupted journal files is nothing to act on
1061 - rework journald sigbus stuff to use mutex
1062 - Set RLIMIT_NPROC for systemd-journal-xyz, and all other of our
1063 services that run under their own user ids, and use User= (but only
1064 in a world where userns is ubiquitous since otherwise we cannot
1065 invoke those daemons on the host AND in a container anymore). Also,
1066 if LimitNPROC= is used without User= we should warn and refuse
1068 - journalctl --verify: don't show files that are currently being
1069 written to as FAIL, but instead show that their are being written to.
1070 - add journalctl -H that talks via ssh to a remote peer and passes through
1072 - add a version of --merge which also merges /var/log/journal/remote
1073 - journalctl: -m should access container journals directly by enumerating
1074 them via machined, and also watch containers coming and going.
1075 Benefit: nspawn --ephemeral would start working nicely with the journal.
1076 - assign MESSAGE_ID to log messages about failed services
1078 * add a test if all entries in the catalog are properly formatted.
1079 (Adding dashes in a catalog entry currently results in the catalog entry
1080 being silently skipped. journalctl --update-catalog must warn about this,
1081 and we should also have a unit test to check that all our message are OK.)
1084 - document that deps in [Unit] sections ignore Alias= fields in
1085 [Install] units of other units, unless those units are disabled
1086 - man: clarify that time-sync.target is not only sysv compat but also useful otherwise. Same for similar targets
1087 - document that service reload may be implemented as service reexec
1088 - add a man page containing packaging guidelines and recommending usage of things like Documentation=, PrivateTmp=, PrivateNetwork= and ReadOnlyDirectories=/etc /usr.
1089 - document systemd-journal-flush.service properly
1090 - documentation: recommend to connect the timer units of a service to the service via Also= in [Install]
1091 - man: document the very specific env the shutdown drop-in tools live in
1092 - man: add more examples to man pages
1093 - man: maybe sort directives in man pages, and take sections from --help and apply them to man too
1094 - document root=gpt-auto properly
1097 - add systemctl switch to dump transaction without executing it
1098 - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done
1099 - "systemctl disable" on a static unit prints no message and does
1100 nothing. "systemctl enable" does nothing, and gives a bad message
1101 about it. Should fix both to print nice actionable messages.
1102 - print nice message from systemctl --failed if there are no entries shown, and hook that into ExecStartPre of rescue.service/emergency.service
1103 - add new command to systemctl: "systemctl system-reexec" which reexecs as many daemons as virtually possible
1104 - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards?
1105 - systemctl: "Journal has been rotated since unit was started." message is misleading
1106 - systemctl status output should include list of triggering units and their status
1109 - "systemctl mask" should find all names by which a unit is accessible
1110 (i.e. by scanning for symlinks to it) and link them all to /dev/null
1113 - timer units should get the ability to trigger when:
1115 - Modulate timer frequency based on battery state
1117 * add libsystemd-password or so to query passwords during boot using the password agent logic
1119 * clean up date formatting and parsing so that all absolute/relative timestamps we format can also be parsed
1121 * on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?), get rid of systemd-update-utmp-runlevel
1123 * make repeated alt-ctrl-del presses printing a dump
1125 * hostnamed: before returning information from /etc/machine-info.conf check the modification data and reread. Similar for localed, ...
1127 * currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not
1130 - emulate /dev/kmsg using CUSE and turn off the syslog syscall
1131 with seccomp. That should provide us with a useful log buffer that
1132 systemd can log to during early boot, and disconnect container logs
1133 from the kernel's logs.
1134 - as soon as networkd has a bus interface, hook up --network-interface=,
1135 --network-bridge= with networkd, to trigger netdev creation should an
1136 interface be missing
1137 - a nice way to boot up without machine id set, so that it is set at boot
1138 automatically for supporting --ephemeral. Maybe hash the host machine id
1139 together with the machine name to generate the machine id for the container
1140 - fix logic always print a final newline on output.
1141 https://github.com/systemd/systemd/pull/272#issuecomment-113153176
1142 - should optionally support receiving WATCHDOG=1 messages from its payload
1144 - optionally automatically add FORWARD rules to iptables whenever nspawn is
1145 running, remove them when shut down.
1148 - refuse mounting over a mount point
1149 - automatically discover .roothash files in dissect, similarly to nspawn
1152 - add an API so that libvirt-lxc can inform us about network interfaces being
1153 removed or added to an existing machine
1154 - "machinectl migrate" or similar to copy a container from or to a
1155 difference host, via ssh
1156 - introduce systemd-nspawn-ephemeral@.service, and hook it into
1157 "machinectl start" with a new --ephemeral switch
1158 - "machinectl status" should also show internal logs of the container in
1160 - "machinectl history"
1162 - "machinectl commit" that takes a writable snapshot of a tree, invokes a
1163 shell in it, and marks it read-only after use
1166 - cryptsetup-generator: allow specification of passwords in crypttab itself
1167 - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator
1169 * hw watchdog: optionally try to use the preset watchdog timeout instead of always overriding it
1170 https://bugs.freedesktop.org/show_bug.cgi?id=54712
1172 * add a dependency on standard-conf.xml and other included files to man pages
1174 * MountFlags=shared acts as MountFlags=slave right now.
1176 * properly handle loop back mounts via fstab, especially regards to fsck/passno
1178 * initialize the hostname from the fs label of /, if /etc/hostname does not exist?
1183 - add trigger --subsystem-match=usb/usb_device device
1184 - reimport udev db after MOVE events for devices without dev_t
1186 * There's currently no way to cancel fsck (used to be possible via C-c or c on the console)
1188 * add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/
1191 - save coredump in Windows/Mozilla minidump format
1192 - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps
1194 * support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting)
1196 * be able to specify a forced restart of service A where service B depends on, in case B
1197 needs to be auto-respawned?
1200 - apply "x" on "D" too (see patch from William Douglas)
1201 - instead of ignoring unknown fields, reject them.
1202 - creating new directories/subvolumes/fifos/device nodes
1203 should not follow symlinks. None of the other adjustment or creation
1204 calls follow symlinks.
1206 * make sure systemd-ask-password-wall does not shutdown systemd-ask-password-console too early
1208 * verify that the AF_UNIX sockets of a service in the fs still exist
1209 when we start a service in order to avoid confusion when a user
1210 assumes starting a service is enough to make it accessible
1212 * Make it possible to set the keymap independently from the font on
1213 the kernel cmdline. Right now setting one resets also the other.
1215 * and a dbus call to generate target from current state
1217 * write blog stories about:
1218 - hwdb: what belongs into it, lsusb
1219 - enabling dbus services
1220 - how to make changes to sysctl and sysfs attributes
1222 - how to pass throw-away units to systemd, or dynamically change properties of existing units
1223 - testing with Harald's awesome test kit
1225 - how to develop against journal browsing APIs
1226 - the journal HTTP iface
1227 - non-cgroup resource management
1228 - dynamic resource management with cgroups
1229 - refreshed, longer missions statement
1230 - calendar time events
1231 - init=/bin/sh vs. "emergency" mode, vs. "rescue" mode, vs. "multi-user" mode, vs. "graphical" mode, and the debug shell
1232 - how to create your own target
1233 - instantiated apache, dovecot and so on
1234 - hooking a script into various stages of shutdown/rearly booot
1236 * investigate whether the gnome pty helper should be moved into systemd, to provide cgroup support.
1238 * dot output for --test showing the 'initial transaction'
1241 - When logging about multiple units (stopping BoundTo units, conflicts, etc.),
1242 log both units as UNIT=, so that journalctl -u triggers on both.
1243 - generate better errors when people try to set transient properties
1244 that are not supported...
1245 http://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html
1246 - maybe introduce WantsMountsFor=? Usecase:
1247 http://lists.freedesktop.org/archives/systemd-devel/2015-January/027729.html
1248 - recreate systemd's D-Bus private socket file on SIGUSR2
1249 - move PAM code into its own binary
1250 - when we automatically restart a service, ensure we restart its rdeps, too.
1251 - hide PAM options in fragment parser when compile time disabled
1252 - Support --test based on current system state
1253 - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle().
1254 - after deserializing sockets in socket.c we should reapply sockopts and things
1255 - drop PID 1 reloading, only do reexecing (difficult: Reload()
1256 currently is properly synchronous, Reexec() is weird, because we
1257 cannot delay the response properly until we are back, so instead of
1258 being properly synchronous we just keep open the fd and close it
1259 when done. That means clients do not get a successful method reply,
1260 but much rather a disconnect on success.
1261 - when breaking cycles drop sysv services first, then services from /run, then from /etc, then from /usr
1262 - when a bus name of a service disappears from the bus make sure to queue further activation requests
1265 - allow port=0 in .socket units
1266 - maybe introduce ExecRestartPre=
1267 - add ReloadSignal= for configuring a reload signal to use
1268 - implement Register= switch in .socket units to enable registration
1269 in Avahi, RPC and other socket registration services.
1270 - allow Type=simple with PIDFile=
1271 https://bugzilla.redhat.com/show_bug.cgi?id=723942
1272 - allow writing multiple conditions in unit files on one line
1273 - introduce Type=pid-file
1274 - introduce mix of BindTo and Requisite
1275 - add a concept of RemainAfterExit= to scope units
1276 - Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely
1277 - add verification of [Install] section to systemd-analyze verify
1280 - Make sure ID_PATH is always exported and complete for
1281 network devices where possible, so we can safely rely
1285 - add support for more attribute types
1286 - inbuilt piping support (essentially degenerate async)? see loopback-setup.c and other places
1289 - add more keys to [Route] and [Address] sections
1290 - add support for more DHCPv4 options (and, longer term, other kinds of dynamic config)
1291 - add reduced [Link] support to .network files
1292 - properly handle routerless dhcp leases
1293 - work with non-Ethernet devices
1294 - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from?
1295 - the DHCP lease data (such as NTP/DNS) is still made available when
1296 a carrier is lost on a link. It should be removed instantly.
1297 - expose in the API the following bits:
1298 - option 15, domain name
1299 - option 12, hostname and/or option 81, fqdn
1300 - option 123, 144, geolocation
1301 - option 252, configure http proxy (PAC/wpad)
1302 - provide a way to define a per-network interface default metric value
1303 for all routes to it. possibly a second default for DHCP routes.
1304 - allow Name= to be specified repeatedly in the [Match] section. Maybe also
1305 support Name=foo*|bar*|baz ?
1306 - duplicate address check for static IPs (like ARPCHECK in network-scripts)
1307 - whenever uplink info changes, make DHCP server send out FORCERENEW
1309 * Figure out how to do unittests of networkd's state serialization
1312 - figure out how much we can increase Maximum Message Size
1315 - add functions to set previously stored IPv6 addresses on startup and get
1316 them at shutdown; store them in client->ia_na
1317 - write more test cases
1318 - implement reconfigure support, see 5.3., 15.11. and 22.20.
1319 - implement support for temporary adressess (IA_TA)
1320 - implement dhcpv6 authentication
1321 - investigate the usefulness of Confirm messages; i.e. are there any
1322 situations where the link changes without any loss in carrier detection
1324 - some servers don't do rapid commit without a filled in IA_NA, verify
1331 - natively watch for dbus-*.service symlinks (PENDING)
1332 - teach dbus to activate all services it finds in /etc/systemd/services/org-*.service
1334 * make cryptsetup lower --iter-time
1336 * kernel: add device_type = "fb", "fbcon" to class "graphics"
1338 * /usr/bin/service should actually show the new command line
1340 * fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus=
1342 * neither pkexec nor sudo initialize environ[] from the PAM environment?
1344 * fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it
1346 * register catalog database signature as file magic
1348 * zsh shell completion:
1349 - <command> <verb> -<TAB> should complete options, but currently does not
1350 - systemctl add-wants,add-requires
1352 * systemctl status should know about 'systemd-analyze calendar ... --iterations='
1353 * If timer has just OnInactiveSec=..., it should fire after a specified time
1354 after being started.
1358 * look for close() vs. close_nointr() vs. close_nointr_nofail()
1360 * check for strerror(r) instead of strerror(-r)
1364 * set_put(), hashmap_put() return values check. i.e. == 0 does not free()!
1366 * use secure_getenv() instead of getenv() where appropriate
1368 * link up selected blog stories from man pages and unit files Documentation= fields
1369 String is not UTF-8 clean, ignoring assignment