systemd System and Service Manager
-CHANGES WITH 242 in spe:
+CHANGES WITH 243 in spe:
+
+ * Previously, filters defined with SystemCallFilter= would have the
+ effect that an calling an offending system call would terminate the
+ calling thread. This behaviour never made much sense, since killing
+ individual threads of unexpecting processes is likely to create more
+ problems than it solves. With this release the default action changed
+ from killing the thread to killing the whole process. For this to
+ work correctly both a kernel version (>= 4.14) and a libseccomp
+ version (>= 2.4.0) supporting this new seccomp action is required. If
+ an older kernel or libseccomp is used the old behaviour continues to
+ be used. This change does not affect any services that have no system
+ call filters defined, or that use SystemCallErrorNumber= (and thus
+ see EPERM or another error instead of being killed when calling an
+ offending system call). Note that systemd documentation always
+ claimed that the whole process is killed. With this change behaviour
+ is thus adjusted to match the documentation.
+
+ * The "kernel.pid_max" sysctl is now bumped to 4194304 by default,
+ i.e. the full 22bit range the kernel allows, up from the old 16bit
+ range. This should improve security and robustness a bit, as PID
+ collisions are made less likely (though certainly still
+ possible). There are rumours this might create compatibility
+ problems, though at this moment no practical ones are known to
+ us. Downstream distributions are hence advised to undo this change in
+ their builds if they are concerned about maximum compatibility, but
+ for everybody else we recommend leaving the value bumped. Besides
+ improving security and robustness this should also simplify things as
+ the maximum number of allowed concurrent tasks was previously bounded
+ by both "kernel.pid_max" and "kernel.threads-max" and now only a
+ single knob is left ("kernel.threads-max"). There have been concerns
+ that usability is affected by this change because larger PID numbers
+ are harder to type, but we believe the change from 5 digit PIDs to 7
+ digit PIDs is not too hampering for usability.
+
+ * MemoryLow and MemoryMin gained hierarchy-aware counterparts,
+ DefaultMemoryLow and DefaultMemoryMin, which can be used to
+ hierarchically set default memory protection values for a particular
+ subtree of the unit hierarchy.
+
+ * Memory protection directives can now take a value of zero, allowing
+ explicit opting out of a default value propagated by an ancestor.
+
+ * systemd now defaults to the "unified" cgroup hierarchy setup during
+ build-time, i.e. -Ddefault-hierarchy=unified is now the build-time
+ default. Previously, -Ddefault-hierarchy=hybrid was the default. This
+ change reflects the fact that cgroupsv2 support has matured
+ substantially in both systemd and in the kernel, and is clearly the
+ way forward. Downstream production distributions might want to
+ continue to use -Ddefault-hierarchy=hybrid (or even =legacy) for
+ their builds as unfortunately the popular container managers have not
+ caught up with the kernel API changes.
+
+ * Man pages are not built by default anymore (html pages were already
+ disabled by default), to make development builds quicker. When
+ building systemd for a full installation with documentation, meson
+ should be called -Dman=true and/or -Dhtml=true as appropriate. The
+ default was changed based on the assumption that quick one-off or
+ repeated development builds are much more common than full optimized
+ builds for installation, and people need to pass various other
+ options to when doing "proper" builds anyway, so the gain from making
+ development builds quicker is bigger than the one time disruption for
+ packagers.
+
+ Two scripts are created in the *build* directory to generate and
+ preview man and html pages on demand, e.g.:
+
+ build/man/man systemctl
+ build/man/html systemd.index
+
+ * The D-Bus "wire format" for CPUAffinity attribute is changed on
+ big-endian machines. Before, bytes were written and read in native
+ machine order as exposed by the native libc __cpu_mask interface.
+ Now, little-endian order is always used (CPUs 0–7 are described by
+ bits 0–7 in byte 0, CPUs 8–15 are described by byte 1, and so on).
+ This change fixes D-Bus calls that cross endianness boundary.
+
+ The presentation format used for CPUAffinity by systemctl show and
+ systemd-analyze dump is changed to present CPU indices instead of the
+ raw __cpu_mask bitmask. For example, CPUAffinity=0-1 would be shown
+ as CPUAffinity=03000000000000000000000000000… (on little-endian) or
+ CPUAffinity=00000000000000300000000000000… (on 64-bit big-endian),
+ and is now shown as CPUAffinity=0-1, matching the input format. The
+ maximum integer that will be printed in new format is 8191 (four
+ digits), while the old format always used a very long number (with
+ the length varying by architecture), so they can be unambiguously
+ distinguished.
+
+ * /usr/sbin/halt.local is no longer supported. Implementation in
+ distributions was inconsistent and it seems this functionality was
+ very rarely used.
+
+ To replace this functionality, users should:
+ - either define a new unit and make it a dependency of final.target
+ (systemctl add-wants final.target my-halt-local.service)
+ - or move the shutdown script to /usr/lib/systemd/system-shutdown/
+ and ensure that it accepts "halt", "poweroff", "reboot", and
+ "kexec" as an argument, see the description in systemd-shutdown(8).
+
+ * When a [Match] section in .link or .network file is empty (contains
+ no match patterns), a warning will be emitted. Please add any "match
+ all" pattern instead, e.g. OriginalName=* or Name=* in case all
+ interfaces should really be matched.
+
+ …
+
+CHANGES WITH 242:
* In .link files, MACAddressPolicy=persistent (the default) is changed
to cover more devices. For devices like bridges, tun, tap, bond, and
generators do not automatically pull in the corresponding .mount unit
as a Wants= dependency. This means that simply plugging in the device
will not cause the mount unit to be started automatically. But please
- note that the mount unit may be started for other reasons, in particular
- if it is part of local-fs.target, and any unit which (transitively)
- depends on local-fs.target is started.
+ note that the mount unit may be started for other reasons, in
+ particular if it is part of local-fs.target, and any unit which
+ (transitively) depends on local-fs.target is started.
- * $PIDFILE is set to point the absolute path configured with PIDFile=
- for processes of that service.
+ * networkctl list/status/lldp now accept globbing wildcards for network
+ interface names to match against all existing interfaces.
+
+ * The $PIDFILE environment variable is set to point the absolute path
+ configured with PIDFile= for processes of that service.
* The fallback DNS server list was augmented with Cloudflare public DNS
servers. Use `-Ddns-servers=` to set a different fallback.
when a USB Device Controller is detected (which means that the system
is a USB peripheral).
- * A new unit setting CPUQuotaPeriodSec= assigns the CPU time quota
- specified by CPUQuota= is measured.
+ * A new unit setting CPUQuotaPeriodSec= assigns the time period
+ relatively to which the CPU time quota specified by CPUQuota= is
+ measured.
- A new unit setting ProtectHostname= may be used to prevent services
+ * A new unit setting ProtectHostname= may be used to prevent services
from modifying hostname information (even if they otherwise would
have privileges to do so).
- A new unit setting NetworkNamespacePath= may be used to specify a
+ * A new unit setting NetworkNamespacePath= may be used to specify a
namespace for service or socket units through a path referring to a
Linux network namespace pseudo-file.
- * systemd-networkd recognizes a new operation state 'enslaved',
- used (instead of 'degraded' or 'carrier') for interfaces which form
- a bridge, bond, or similar, and an new 'degraded-carrier'
- operational state used for the bond or bridge master interface
- when one of the enslaved devices is not operational.
-
- The RequiredForOnline= setting in .network files may now specify a
+ * The PrivateNetwork= setting and JoinsNamespaceOf= dependencies now
+ have an effect on .socket units: when used the listening socket is
+ created within the configured network namespace instead of the host
+ namespace.
+
+ * ExecStart= command lines in unit files may now be prefixed with ':'
+ in which case environment variable substitution is
+ disabled. (Supported for the other ExecXYZ= settings, too.)
+
+ * .timer units gained two new boolean settings OnClockChange= and
+ OnTimezoneChange= which may be used to also trigger a unit when the
+ system clock is changed or the local timezone is
+ modified. systemd-run has been updated to make these options easily
+ accessible from the command line for transient timers.
+
+ * Two new conditions for units have been added: ConditionMemory= may be
+ used to conditionalize a unit based on installed system
+ RAM. ConditionCPUs= may be used to conditionalize a unit based on
+ installed CPU cores.
+
+ * The @default system call filter group understood by SystemCallFilter=
+ has been updated to include the new rseq() system call introduced in
+ kernel 4.15.
+
+ * A new time-set.target has been added that indicates that the system
+ time has been set from a local source (possibly imprecise). The
+ existing time-sync.target is stronger and indicates that the time has
+ been synchronized with a precise external source. Services where
+ approximate time is sufficient should use the new target.
+
+ * "systemctl start" (and related commands) learnt a new
+ --show-transaction option. If specified brief information about all
+ jobs queued because of the requested operation is shown.
+
+ * systemd-networkd recognizes a new operation state 'enslaved', used
+ (instead of 'degraded' or 'carrier') for interfaces which form a
+ bridge, bond, or similar, and an new 'degraded-carrier' operational
+ state used for the bond or bridge master interface when one of the
+ enslaved devices is not operational.
+
+ * .network files learnt the new IgnoreCarrierLoss= option for leaving
+ networks configured even if the carrier is lost.
+
+ * The RequiredForOnline= setting in .network files may now specify a
minimum operational state required for the interface to be considered
- "online" by systemd-networkd-wait-online.
+ "online" by systemd-networkd-wait-online. Related to this
+ systemd-networkd-wait-online gained a new option --operational-state=
+ to configure the same, and its --interface= option was updated to
+ optionally also take an operational state specific for an interface.
+
+ * systemd-networkd-wait-online gained a new setting --any for waiting
+ for only one of the requested interfaces instead of all of them.
* systemd-networkd now implements L2TP tunnels.
- * Two new .network settings UseAutonomousPrefix= and UseOnLinkPrefix= may
- be used to cause autonomous and onlink prefixes received in IPv6
+ * Two new .network settings UseAutonomousPrefix= and UseOnLinkPrefix=
+ may be used to cause autonomous and onlink prefixes received in IPv6
Router Advertisements to be ignored.
- New MulticastFlood=, NeighborSuppression=, and Learning= settings
- may be used to tweak bridge behaviour.
+ * New MulticastFlood=, NeighborSuppression=, and Learning= .network
+ file settings may be used to tweak bridge behaviour.
- * A new .netdev setting PrivateKeyFile= may be used to point to private
- key for a WireGuard interface.
+ * The new TripleSampling= option in .network files may be used to
+ configure CAN triple sampling.
- * crypttab now supports the same-cpu-crypt and submit-from-crypt-cpus
- to tweak encryption work scheduling details.
+ * A new .netdev settings PrivateKeyFile= and PresharedKeyFile= may be
+ used to point to private or preshared key for a WireGuard interface.
+
+ * /etc/crypttab now supports the same-cpu-crypt and
+ submit-from-crypt-cpus options to tweak encryption work scheduling
+ details.
* systemd-tmpfiles will now take a BSD file lock before operating on a
contents of directory. This may be used to temporarily exclude
directories from aging by taking the same lock (useful for example
when extracting a tarball into /tmp or /var/tmp as a privileged user,
which might create files with really old timestamps, which
- nevertheless should not be deleted).
+ nevertheless should not be deleted). For further details, see:
+
+ https://systemd.io/TEMPORARY_DIRECTORIES
+
+ * systemd-tmpfiles' h line type gained support for the
+ FS_PROJINHERIT_FL ('P') file attribute (introduced in kernel 4.5),
+ controlling project quota inheritance.
* sd-boot and bootctl now implement support for an Extended Boot Loader
(XBOOTLDR) partition, that is intended to be mounted to /boot, in
Configuration file fragments, kernels, initrds and other EFI images
to boot will be loaded from both the ESP and XBOOTLDR partitions.
The XBOOTLDR partition was previously described by the Boot Loader
- Specification, but implementation was missing in sd-boot.
+ Specification, but implementation was missing in sd-boot. Support for
+ this concept allows using the sd-boot boot loader in more
+ conservative scenarios where the boot loader itself is placed in the
+ ESP but the kernels to boot (and their metadata) in a separate
+ partition.
- * A system may now be booted with systemd.volatile=overlay, which
- causes the root file system to be set up an overlayfs mount combining
- the root-only root directory with a writable tmpfs. In this setup,
- the underlying root device is not modified, and any changes are lost
- at reboot.
+ * A system may now be booted with systemd.volatile=overlay on the
+ kernel command line, which causes the root file system to be set up
+ an overlayfs mount combining the root-only root directory with a
+ writable tmpfs. In this setup, the underlying root device is not
+ modified, and any changes are lost at reboot.
- * systemd-nspawn can now create volatile overlays with overlayfs.
+ * Similar, systemd-nspawn can now boot containers with a volatile
+ overlayfs root with the new --volatile=overlay switch.
* systemd-nspawn can now consume OCI runtime bundles using a new
--oci-bundle= option. This implementation is fully usable, with most
new code and functionality, this feature should most likely not
be used in production yet.
- systmed-nspawn now supports various options described by the
- OCI runtime specification on the command-line and in .nspawn files:
+ * systemd-nspawn now supports various options described by the OCI
+ runtime specification on the command-line and in .nspawn files:
--inaccessible=/Inaccessible= may be used to mask parts of the file
- system tree, --console/--pipe may be used to configure how standard
+ system tree, --console=/--pipe may be used to configure how standard
input, output, and error are set up.
* busctl learned the `emit` verb to generate D-Bus signals.
configuration spread over multiple files, for example system and user
presets, tmpfiles.d, sysusers.d, udev rules, etc.
- * journalctl learnt a new --cursor-file option that points to a file
+ * systemd-analyze calendar now takes an optional new parameter
+ --iterations= which may be used to show a maximum number of iterations
+ the specified expression will elapse next.
+
+ * The sd-bus C API gained support for naming method parameters in the
+ introspection data.
+
+ * systemd-logind gained D-Bus APIs to specify the "reboot parameter"
+ the reboot() system call expects.
+
+ * journalctl learnt a new --cursor-file= option that points to a file
from which a cursor should be loaded in the beginning and to which
the updated cursor should be stored at the end.
during reboot with their own operations.
* systemctl can be used to request a reboot into the boot loader menu
- or a specific boot loader entry with the new --boot-load-menu=
- and --boot-loader-entry= options to a reboot command.
+ or a specific boot loader entry with the new --boot-load-menu= and
+ --boot-loader-entry= options to a reboot command. (This requires a
+ boot loader that supports this, for example sd-boot.)
* kernel-install will no longer unconditionally create the output
directory (e.g. /efi/<machine-id>/<kernel-version>) for boot loader
This makes it easier to use kernel-install with plugins which support
a different layout of the bootloader partitions (for example grub2).
+ * During package installation (with `ninja install`), we would create
+ symlinks for getty@tty1.service, systemd-networkd.service,
+ systemd-networkd.socket, systemd-resolved.service,
+ remote-cryptsetup.target, remote-fs.target,
+ systemd-networkd-wait-online.service, and systemd-timesyncd.service
+ in /etc, as if `systemctl enable` was called for those units, to make
+ the system usable immediately after installation. Now this is not
+ done anymore, and instead calling `systemctl preset-all` is
+ recommended after the first installation of systemd.
+
+ * A new boolean sandboxing option RestrictSUIDSGID= has been added that
+ is built on seccomp. When turned on creation of SUID/SGID files is
+ prohibited.
+
+ * The NoNewPrivileges= and the new RestrictSUIDSGID= options are now
+ implied if DynamicUser= is turned on for a service. This hardens
+ these services, so that they neither can benefit from nor create
+ SUID/SGID executables. This is a minor compatibility breakage, given
+ that when DynamicUser= was first introduced SUID/SGID behaviour was
+ unaffected. However, the security benefit of these two options is
+ substantial, and the setting is still relatively new, hence we opted
+ to make it mandatory for services with dynamic users.
+
+ Contributions from: Adam Jackson, Alexander Tsoy, Andrey Yashkin,
+ Andrzej Pietrasiewicz, Anita Zhang, Balint Reczey, Beniamino Galvani,
+ Ben Iofel, Benjamin Berg, Benjamin Dahlhoff, Chris, Chris Morin,
+ Christopher Wong, Claudius Ellsel, Clemens Gruber, dana, Daniel Black,
+ Davide Cavalca, David Michael, David Rheinsberg, emersion, Evgeny
+ Vereshchagin, Filipe Brandenburger, Franck Bui, Frantisek Sumsal,
+ Giacinto Cifelli, Hans de Goede, Hugo Kindel, Ignat Korchagin, Insun
+ Pyo, Jan Engelhardt, Jonas Dorel, Jonathan Lebon, Jonathon Kowalski,
+ Jörg Sommer, Jörg Thalheim, Jussi Pakkanen, Kai-Heng Feng, Lennart
+ Poettering, Lubomir Rintel, Luís Ferreira, Martin Pitt, Matthias
+ Klumpp, Michael Biebl, Michael Niewöhner, Michael Olbrich, Michal
+ Sekletar, Mike Lothian, Paul Menzel, Piotr Drąg, Riccardo Schirone,
+ Robin Elvedi, Roman Kulikov, Ronald Tschalär, Ross Burton, Ryan
+ Gonzalez, Sebastian Krzyszkowiak, Stephane Chazelas, StKob, Susant
+ Sahani, Sylvain Plantefève, Szabolcs Fruhwald, Taro Yamada, Theo
+ Ouzhinski, Thomas Haller, Tobias Jungel, Tom Yan, Tony Asleson, Topi
+ Miettinen, unixsysadmin, Van Laser, Vesa Jääskeläinen, Yu, Li-Yu,
+ Yu Watanabe, Zbigniew Jędrzejewski-Szmek
+
+ — Warsaw, 2019-04-11
+
CHANGES WITH 241:
* The default locale can now be configured at compile time. Otherwise,
* Journal messages that are generated whenever a unit enters the failed
state are now tagged with a unique MESSAGE_ID. Similarly, messages
generated whenever a service process exits are now made recognizable,
- too. A taged message is also emitted whenever a unit enters the
+ too. A tagged message is also emitted whenever a unit enters the
"dead" state on success.
* systemd-run gained a new switch --working-directory= for configuring
not created by systemd-sysusers anymore.
NOTE: This has a chance of breaking nss-ldap and similar NSS modules
- that embedd a network facing module into any process using getpwuid()
+ that embed a network facing module into any process using getpwuid()
or related call: the dynamic allocation of the user ID for
systemd-resolved.service means the service manager has to check NSS
if the user name is already taken when forking off the service. Since
PrivateDevices=, ProtectSystem=, …) are used. This option is hence
primarily useful for services that do not use any of the other file
system namespacing options. One such service is systemd-udevd.service
- wher this is now used by default.
+ where this is now used by default.
* ConditionSecurity= gained a new value "uefi-secureboot" that is true
when the system is booted in UEFI "secure mode".
/etc/machine-id. If the machine ID could not be determined,
$KERNEL_INSTALL_MACHINE_ID will be empty. Plugins should not put
anything in the entry directory (passed as the second argument) if
- $KERNEL_INSTALL_MACHINE_ID is empty. For backwards compatiblity, a
+ $KERNEL_INSTALL_MACHINE_ID is empty. For backwards compatibility, a
temporary directory is passed as the entry directory and removed
after all the plugins exit.
* We temporarily dropped the "-l" switch for fsck invocations,
since they collide with the flock() logic above. util-linux
upstream has been changed already to avoid this conflict,
- and we will readd "-l" as soon as util-linux with this
+ and we will re-add "-l" as soon as util-linux with this
change has been released.
* The dependency on libattr has been removed. Since a long
where the local administrator's configuration in /etc always
overrides any other settings.
- Contributions fron: Ali H. Caliskan, Alison Chaiken, Bas van
+ Contributions from: Ali H. Caliskan, Alison Chaiken, Bas van
den Berg, Brandon Philips, Cristian Rodríguez, Daniel Buch,
Dan Kilman, Dave Reisner, David Härdeman, David Herrmann,
David Strauss, Dimitris Spingos, Djalal Harouni, Eelco
projects / thirdparty / systemd.git / blobdiff