systemd System and Service Manager
-CHANGES WITH 239 in spe:
+CHANGES WITH 240 in spe:
+
+ * A new service type has been added: Type=exec. It's very similar to
+ Type=simple and ensures the service manager will wait for both fork()
+ and execve() of the main service binary to complete before proceeding
+ with follow-up units. This is primarily useful so that the manager
+ propagates any errors in the preparation phase of service execution
+ back to the job that requested the unit to be started. For example,
+ consider a service that has ExecStart= set to a file system binary
+ that doesn't exist. With Type=simple starting the unit would
+ typically succeed instantly, as only fork() has to complete
+ successfully and execve() is not waited for, and hence its failure is
+ seen "too late". With the new Type=exec service type starting the
+ unit will fail, as the execve() will be waited for and will fail,
+ which is then propagated back to the start job.
+
+ NOTE: with the next release 241 of systemd we intend to change the
+ systemd-run tool to default to Type=exec for transient services
+ started by it. This should be mostly safe, but in specific corner
+ cases might result in problems, as the systemd-run tool will then
+ block on NSS calls (such as user name lookups due to User=) done
+ between the fork() and execve(), which under specific circumstances
+ might cause problems. It is recommended to specify "-p Type=simple"
+ explicitly in the few cases where this applies. For regular,
+ non-transient services (i.e. those defined with unit files on disk)
+ we will continue to default to Type=simple.
+
+CHANGES WITH 239:
* NETWORK INTERFACE DEVICE NAMING CHANGES: systemd-udevd's "net_id"
- builtin may name network interfaces differently than in previous
- versions. SR-IOV virtual functions and NPAR partitions with PCI
- function numbers of 8 and above will be named more predictably, and
- udev may generate names based on the PCI slot number in some cases
- where it previously did not.
+ builtin will name network interfaces differently than in previous
+ versions for virtual network interfaces created with SR-IOV and NPAR
+ and for devices where the PCI network controller device does not have
+ a slot number associated.
+
+ SR-IOV virtual devices are now named based on the name of the parent
+ interface, with a suffix of "v<N>", where <N> is the virtual device
+ number. Previously those virtual devices were named as if completely
+ independent.
+
+ The ninth and later NPAR virtual devices will be named following the
+ scheme used for the first eight NPAR partitions. Previously those
+ devices were not renamed and the kernel default (eth<n>) was used.
+
+ "net_id" will also generate names for PCI devices where the PCI
+ network controller device does not have an associated slot number
+ itself, but one of its parents does. Previously those devices were
+ not renamed and the kernel default (eth<n>) was used.
* AF_INET and AF_INET6 are dropped from RestrictAddressFamilies= in
systemd-logind.service. Since v235, IPAddressDeny=any has been set to
- the unit. So, it is expected that the default behavior of systemd-logind
- is not changed. However, if distribution packagers or administrators
- disabled or modified IPAddressDeny= setting by a drop-in config file,
- then it may be necessary to update the file to re-enable AF_INET and
- AF_INET6 to support network user name services, e.g. NIS.
-
- * When the RestrictNamespaces= unit property is specified multiple times,
- then the specified types are merged now. Previously, only the last
- assignment was used. So, if distribution packagers or administrators
- modified the setting by a drop-in config file, then it may be necessary
- to update the file.
+ the unit. So, it is expected that the default behavior of
+ systemd-logind is not changed. However, if distribution packagers or
+ administrators disabled or modified IPAddressDeny= setting by a
+ drop-in config file, then it may be necessary to update the file to
+ re-enable AF_INET and AF_INET6 to support network user name services,
+ e.g. NIS.
+
+ * When the RestrictNamespaces= unit property is specified multiple
+ times, then the specified types are merged now. Previously, only the
+ last assignment was used. So, if distribution packagers or
+ administrators modified the setting by a drop-in config file, then it
+ may be necessary to update the file.
* When OnFailure= is used in combination with Restart= on a service
unit, then the specified units will no longer be triggered on
* systemctl disable/unmask/preset/preset-all cannot be used with
--runtime. Previously this was allowed, but resulted in unintuitive
- behaviour that wasn't useful. systemctl disable/unmask will now
- undo both runtime and persistent enablement/masking, i.e. it will
- remove any relevant symlinks both in /run and /etc.
+ behaviour that wasn't useful. systemctl disable/unmask will now undo
+ both runtime and persistent enablement/masking, i.e. it will remove
+ any relevant symlinks both in /run and /etc.
+
+ * Note that all long-running system services shipped with systemd will
+ now default to a system call whitelist (rather than a blacklist, as
+ before). In particular, systemd-udevd will now enforce one too. For
+ most cases this should be safe, however downstream distributions
+ which disabled sandboxing of systemd-udevd (specifically the
+ MountFlags= setting), might want to disable this security feature
+ too, as the default whitelisting will prohibit all mount, swap,
+ reboot and clock changing operations from udev rules.
* sd-boot acquired new loader configuration settings to optionally turn
off Windows and MacOS boot partition discovery as well as
screen resolution for HiDPI systems, and now provides loader
configuration settings to change the resolution explicitly.
+ * systemd-resolved now supports DNS-over-TLS. It's still
+ turned off by default, use DNSOverTLS=opportunistic to turn it on in
+ resolved.conf. We intend to make this the default as soon as couple
+ of additional techniques for optimizing the initial latency caused by
+ establishing a TLS/TCP connection are implemented.
+
+ * systemd-resolved.service and systemd-networkd.service now set
+ DynamicUser=yes. The users systemd-resolve and systemd-network are
+ not created by systemd-sysusers anymore.
+
+ NOTE: This has a chance of breaking nss-ldap and similar NSS modules
+ that embedd a network facing module into any process using getpwuid()
+ or related call: the dynamic allocation of the user ID for
+ systemd-resolved.service means the service manager has to check NSS
+ if the user name is already taken when forking off the service. Since
+ the user in the common case won't be defined in /etc/passwd the
+ lookup is likely to trigger nss-ldap which in turn might use NSS to
+ ask systemd-resolved for hostname lookups. This will hence result in
+ a deadlock: a user name lookup in order to start
+ systemd-resolved.service will result in a host name lookup for which
+ systemd-resolved.service needs to be started already. There are
+ multiple ways to work around this problem: pre-allocate the
+ "systemd-resolve" user on such systems, so that nss-ldap won't be
+ triggered; or use a different NSS package that doesn't do networking
+ in-process but provides a local asynchronous name cache; or configure
+ the NSS package to avoid lookups for UIDs in the range `pkg-config
+ systemd --variable=dynamicuidmin` … `pkg-config systemd
+ --variable=dynamicuidmax`, so that it does not consider itself
+ authoritative for the same UID range systemd allocates dynamic users
+ from.
+
* The systemd-resolve tool has been renamed to resolvectl (it also
remains available under the old name, for compatibility), and its
interface is now verb-based, similar in style to the other <xyz>ctl
tools, such as systemctl or loginctl.
- * The resolvectl/systemd-resolve tool also provides 'resolveconf'
- compatibility. It may be symlinked under the 'resolveconf' name, in
+ * The resolvectl/systemd-resolve tool also provides 'resolvconf'
+ compatibility. It may be symlinked under the 'resolvconf' name, in
which case it will take arguments and input compatible with the
Debian and FreeBSD resolvconf tool.
name following the last dash.
* Unit files and other configuration files that support specifier
- expansion now understand another two new specifiers: %T and %V will
+ expansion now understand another three new specifiers: %T and %V will
resolve to /tmp and /var/tmp respectively, or whatever temporary
- directory has been set for the calling user.
+ directory has been set for the calling user. %E will expand to either
+ /etc (for system units) or $XDG_CONFIG_HOME (for user units).
* The ExecStart= lines of unit files are no longer required to
reference absolute paths. If non-absolute paths are specified the
* Units gained a new load state "bad-setting", which is used when a
unit file was loaded, but contained fatal errors which prevent it
- from being started (for example, an ExecStart= path which references
- a non-existent executable).
+ from being started (for example, a service unit has been defined
+ lacking both ExecStart= and ExecStop= lines).
* coredumpctl's "gdb" verb has been renamed to "debug", in order to
support alternative debuggers, for example lldb. The old name
example, "systemd-tmpfiles --cat-config" will now output the full
list of tmpfiles.d/ lines in place.
- * timedatectl gained two new verbs "timesync-status" (to show the
- current NTP synchronization state of systemd-timesyncd) and
- "show-timesync" (to show bus properties of systemd-timesyncd).
+ * timedatectl gained three new verbs: "show" shows bus properties of
+ systemd-timedated, "timesync-status" shows the current NTP
+ synchronization state of systemd-timesyncd, and "show-timesync"
+ shows bus properties of systemd-timesyncd.
* systemd-timesyncd gained a bus interface on which it exposes details
about its state.
+ * A new environment variable $SYSTEMD_TIMEDATED_NTP_SERVICES is now
+ understood by systemd-timedated. It takes a colon-separated list of
+ unit names of NTP client services. The list is used by
+ "timedatectl set-ntp".
+
* systemd-nspawn gained a new --rlimit= switch for setting initial
resource limits for the container payload. There's a new switch
--hostname= to explicitly override the container's hostname. A new
https://github.com/systemd/systemd/blob/master/doc/PORTABLE_SERVICES.md
https://github.com/systemd/systemd/blob/master/doc/CODE_QUALITY.md
+ * The Boot Loader Specification has been added to the source tree.
+
+ https://github.com/systemd/systemd/blob/master/doc/BOOT_LOADER_SPECIFICATION.md
+
+ While moving it into our source tree we have updated it and further
+ changes are now accepted through the usual github PR workflow.
+
* pam_systemd will now look for PAM userdata fields systemd.memory_max,
systemd.tasks_max, systemd.cpu_weight, systemd.io_weight set by
earlier PAM modules. The data in these fields is used to initialize
query the default, built-in $PATH PID 1 will pass to the services it
manages.
+ * A new unit file setting PrivateMounts= has been added. It's a boolean
+ option. If enabled the unit's processes are invoked in their own file
+ system namespace. Note that this behaviour is also implied if any
+ other file system namespacing options (such as PrivateTmp=,
+ PrivateDevices=, ProtectSystem=, …) are used. This option is hence
+ primarily useful for services that do not use any of the other file
+ system namespacing options. One such service is systemd-udevd.service
+ wher this is now used by default.
+
+ * ConditionSecurity= gained a new value "uefi-secureboot" that is true
+ when the system is booted in UEFI "secure mode".
+
+ * A new unit "system-update-pre.target" is added, which defines an
+ optional synchronization point for offline system updates, as
+ implemented by the pre-existing "system-update.target" unit. It
+ allows ordering services before the service that executes the actual
+ update process in a generic way.
+
Contributions from: Adam Duskett, Alan Jenkins, Alessandro Casale,
- Alexander Kurtz, Alex Gartrell, Anssi Hannula, Antique, Arnaud
- Rebillout, Brian J. Murrell, Bruno Vernay, Chris Lesiak, Christian
- Brauner, Christian Hesse, Daniel Dao, Daniel Lin, Danylo Korostil,
- Davide Cavalca, David Tardon, Dimitri John Ledkov, Dmitriy Geels,
- Douglas Christman, Elia Geretto, emelenas, Evegeny Vereshchagin, Evgeny
- Vereshchagin, Felipe Sateler, Feng Sun, Filipe Brandenburger, Franck
- Bui, futpib, Giuseppe Scrivano, Guillem Jover, guixxx, Hans de Goede,
- Henrique Dante de Almeida, Hiram van Paassen, Ian Miell, Igor Gnatenko,
- Ivan Shapovalov, James Cowgill, Jan Janssen, Jan Synacek, Jared
- Kazimir, João Paulo Rechi Vita, Joost Heitbrink, juergbi, Jui-Chi Ricky
- Liang, Kai-Heng Feng, Karol Augustin, Krzysztof Nowicki, Lauri
- Tirkkonen, Lennart Poettering, Leonard, Long Li, Luca Boccassi, Lucas
- Werkmeister, Marcel Hoppe, Marc Kleine-Budde, Mario Limonciello, Martin
- Jansa, Martin Wilck, Mathieu Malaterre, Matteo F. Vescovi, Michael
- Biebl, Michael Olbrich, Michael Prokop, Michal Koutný, Michal Sekletar,
- Mike Gilbert, Mikhail Kasimov, Milan, Milan Broz, mourikwa, Muhammet
- Kara, Nicolas Boichat, Omer Katz, Paride Legovini, Paul Menzel, Paul
- Milliken, Peter A. Bigot, Peter Hutterer, Peter Jones, Philip Sequeira,
- Philip Withnall, Piotr Drąg, Radostin Stoyanov, Ricardo Salveti de
- Araujo, Rosen Penev, rubensa, Ryan Gonzalez, Salvo 'LtWorf' Tomaselli,
- Sebastian Reichel, Sergio Lindo Mansilla, Stefan Schweter, Stephen
- Hemminger, Stuart Hayes, Susant Sahani, Sylvain Plantefève, Thomas
- H. P. Andersen, Tobias Jungel, Tomasz Torcz, Vito Caputo, Will Dietz,
- Will Thompson, xginn8, Yu Watanabe, Zbigniew Jędrzejewski-Szmek
-
- — Berlin, 2018-06-XX
+ Alexander Kurtz, Alex Gartrell, Anssi Hannula, Arnaud Rebillout, Brian
+ J. Murrell, Bruno Vernay, Chris Lamb, Chris Lesiak, Christian Brauner,
+ Christian Hesse, Christian Rebischke, Colin Guthrie, Daniel Dao, Daniel
+ Lin, Danylo Korostil, Davide Cavalca, David Tardon, Dimitri John
+ Ledkov, Dmitriy Geels, Douglas Christman, Elia Geretto, emelenas, Emil
+ Velikov, Evgeny Vereshchagin, Felipe Sateler, Feng Sun, Filipe
+ Brandenburger, Franck Bui, futpib, Giuseppe Scrivano, Guillem Jover,
+ guixxx, Hannes Reinecke, Hans de Goede, Harald Hoyer, Henrique Dante de
+ Almeida, Hiram van Paassen, Ian Miell, Igor Gnatenko, Ivan Shapovalov,
+ Iwan Timmer, James Cowgill, Jan Janssen, Jan Synacek, Jared Kazimir,
+ Jérémy Rosen, João Paulo Rechi Vita, Joost Heitbrink, Jui-Chi Ricky
+ Liang, Jürg Billeter, Kai-Heng Feng, Karol Augustin, Kay Sievers,
+ Krzysztof Nowicki, Lauri Tirkkonen, Lennart Poettering, Leonard König,
+ Long Li, Luca Boccassi, Lucas Werkmeister, Marcel Hoppe, Marc
+ Kleine-Budde, Mario Limonciello, Martin Jansa, Martin Wilck, Mathieu
+ Malaterre, Matteo F. Vescovi, Matthew McGinn, Matthias-Christian Ott,
+ Michael Biebl, Michael Olbrich, Michael Prokop, Michal Koutný, Michal
+ Sekletar, Mike Gilbert, Mikhail Kasimov, Milan Broz, Milan Pässler,
+ Mladen Pejaković, Muhammet Kara, Nicolas Boichat, Omer Katz, Paride
+ Legovini, Paul Menzel, Paul Milliken, Pavel Hrdina, Peter A. Bigot,
+ Peter D'Hoye, Peter Hutterer, Peter Jones, Philip Sequeira, Philip
+ Withnall, Piotr Drąg, Radostin Stoyanov, Ricardo Salveti de Araujo,
+ Ronny Chevalier, Rosen Penev, Rubén Suárez Alvarez, Ryan Gonzalez,
+ Salvo Tomaselli, Sebastian Reichel, Sergey Ptashnick, Sergio Lindo
+ Mansilla, Stefan Schweter, Stephen Hemminger, Stuart Hayes, Susant
+ Sahani, Sylvain Plantefève, Thomas H. P. Andersen, Tobias Jungel,
+ Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van Mourik,
+ Yu Watanabe, Zbigniew Jędrzejewski-Szmek
+
+ — Berlin, 2018-06-22
CHANGES WITH 238:
correct dequeuing of real-time signals, without losing
signal events.
- * When systemd requests a PolicyKit decision when managing
- units it will now add additional fields to the request,
- including unit name and desired operation. This enables more
- powerful PolicyKit policies, that make decisions depending
- on these parameters.
+ * When systemd requests a polkit decision when managing units it
+ will now add additional fields to the request, including unit
+ name and desired operation. This enables more powerful polkit
+ policies, that make decisions depending on these parameters.
* nspawn learnt support for .nspawn settings files, that may
accompany the image files or directories of containers, and
options and allows other programs to query the values.
* SELinux access control when enabling/disabling units is no
- longer enforced with this release. The previous
- implementation was incorrect, and a new corrected
- implementation is not yet available. As unit file operations
- are still protected via PolicyKit and D-Bus policy this is
- not a security problem. Yet, distributions which care about
- optimal SELinux support should probably not stabilize on
- this release.
+ longer enforced with this release. The previous implementation
+ was incorrect, and a new corrected implementation is not yet
+ available. As unit file operations are still protected via
+ polkit and D-Bus policy this is not a security problem. Yet,
+ distributions which care about optimal SELinux support should
+ probably not stabilize on this release.
* sd-bus gained support for matches of type "arg0has=", that
test for membership of strings in string arrays sent in bus
* systemd-importd gained support for verifying downloaded
images with gpg2 (previously only gpg1 was supported).
- * systemd-machined, systemd-logind, systemd: most bus calls
- are now accessible to unprivileged processes via
- PolicyKit. Also, systemd-logind will now allow users to kill
- their own sessions without further privileges or
- authorization.
+ * systemd-machined, systemd-logind, systemd: most bus calls are
+ now accessible to unprivileged processes via polkit. Also,
+ systemd-logind will now allow users to kill their own sessions
+ without further privileges or authorization.
* systemd-shutdownd has been removed. This service was
previously responsible for implementing scheduled shutdowns
directly from now on, again.
* Support for the new ALLOW_INTERACTIVE_AUTHORIZATION D-Bus
- message flag has been added for all of systemd's PolicyKit
- authenticated method calls has been added. In particular
- this now allows optional interactive authorization via
- PolicyKit for many of PID1's privileged operations such as
- unit file enabling and disabling.
+ message flag has been added for all of systemd's polkit
+ authenticated method calls has been added. In particular this
+ now allows optional interactive authorization via polkit for
+ many of PID1's privileged operations such as unit file
+ enabling and disabling.
* "udevadm hwdb --update" learnt a new switch "--usr" for
placing the rebuilt hardware database in /usr instead of
well as the user/group databases, which should enhance
compatibility with certain tools like grpck.
- * A number of bus APIs of PID 1 now optionally consult
- PolicyKit to permit access for otherwise unprivileged
- clients under certain conditions. Note that this currently
- doesn't support interactive authentication yet, but this is
- expected to be added eventually, too.
+ * A number of bus APIs of PID 1 now optionally consult polkit to
+ permit access for otherwise unprivileged clients under certain
+ conditions. Note that this currently doesn't support
+ interactive authentication yet, but this is expected to be
+ added eventually, too.
* /etc/machine-info now has new fields for configuring the
deployment environment of the machine, as well as the
the rest of the package. It also has been updated to work
correctly in initrds.
- * Policykit previously has been runtime optional, and is now
- also compile time optional via a configure switch.
+ * polkit previously has been runtime optional, and is now also
+ compile time optional via a configure switch.
* systemd-analyze has been reimplemented in C. Also "systemctl
dot" has moved into systemd-analyze.
user/vendor or is automatically determined from ACPI and DMI
information if possible.
- * A number of PolicyKit actions are now bound together with
- "imply" rules. This should simplify creating UIs because
- many actions will now authenticate similar ones as well.
+ * A number of polkit actions are now bound together with "imply"
+ rules. This should simplify creating UIs because many actions
+ will now authenticate similar ones as well.
* Unit files learnt a new condition ConditionACPower= which
may be used to conditionalize a unit depending on whether an
to maintain the necessary patches downstream, or find a
different solution. (Talk to us if you have questions!)
- * Various systemd components will now bypass PolicyKit checks
- for root and otherwise handle properly if PolicyKit is not
- found to be around. This should fix most issues for
- PolicyKit-less systems. Quite frankly this should have been
- this way since day one. It is absolutely our intention to
- make systemd work fine on PolicyKit-less systems, and we
- consider it a bug if something does not work as it should if
- PolicyKit is not around.
+ * Various systemd components will now bypass polkit checks for
+ root and otherwise handle properly if polkit is not found to
+ be around. This should fix most issues for polkit-less
+ systems. Quite frankly this should have been this way since
+ day one. It is absolutely our intention to make systemd work
+ fine on polkit-less systems, and we consider it a bug if
+ something does not work as it should if polkit is not around.
* For embedded systems it is now possible to build udev and
systemd without blkid and/or kmod support.
projects / thirdparty / systemd.git / blobdiff