systemd System and Service Manager
+CHANGES WITH 243 in spe:
+
+ * The "kernel.pid_max" sysctl is now bumped to 4194304 by default,
+ i.e. the full 22bit range the kernel allows, up from the old 16bit
+ range. This should improve security and robustness a bit, as PID
+ collisions are made less likely (though certainly still
+ possible). There are rumours this might create compatibility
+ problems, though at this moment no practical ones are known to
+ us. Downstream distributions are hence advised to undo this change in
+ their builds if they are concerned about maximum compatibility, but
+ for everybody else we recommend leaving the value bumped. Besides
+ improving security and robustness this should also simplify things as
+ the maximum number of allowed concurrent tasks was previously bounded
+ by both "kernel.pid_max" and "kernel.threads-max" and now only a
+ single knob is left ("kernel.threads-max"). There have been concerns
+ that usability is affected by this change because larger PID numbers
+ are harder to type, but we believe the change from 5 digit PIDs to 7
+ digit PIDs is not too hampering for usability.
+
+ * MemoryLow and MemoryMin gained hierarchy-aware counterparts,
+ DefaultMemoryLow and DefaultMemoryMin, which can be used to
+ hierarchically set default memory protection values for a particular
+ subtree of the unit hierarchy.
+
+ * Memory protection directives can now take a value of zero, allowing
+ explicit opting out of a default value propagated by an ancestor.
+
+ …
+
CHANGES WITH 242:
* In .link files, MACAddressPolicy=persistent (the default) is changed
* Two new conditions for units have been added: ConditionMemory= may be
used to conditionalize a unit based on installed system
RAM. ConditionCPUs= may be used to conditionalize a unit based on
- install CPU cores.
+ installed CPU cores.
* The @default system call filter group understood by SystemCallFilter=
has been updated to include the new rseq() system call introduced in
a different layout of the bootloader partitions (for example grub2).
* During package installation (with `ninja install`), we would create
- symlinks for systemd-networkd.service, systemd-networkd.socket,
- systemd-resolved.service, remote-cryptsetup.target, remote-fs.target,
+ symlinks for getty@tty1.service, systemd-networkd.service,
+ systemd-networkd.socket, systemd-resolved.service,
+ remote-cryptsetup.target, remote-fs.target,
systemd-networkd-wait-online.service, and systemd-timesyncd.service
in /etc, as if `systemctl enable` was called for those units, to make
the system usable immediately after installation. Now this is not
* Journal messages that are generated whenever a unit enters the failed
state are now tagged with a unique MESSAGE_ID. Similarly, messages
generated whenever a service process exits are now made recognizable,
- too. A taged message is also emitted whenever a unit enters the
+ too. A tagged message is also emitted whenever a unit enters the
"dead" state on success.
* systemd-run gained a new switch --working-directory= for configuring
not created by systemd-sysusers anymore.
NOTE: This has a chance of breaking nss-ldap and similar NSS modules
- that embedd a network facing module into any process using getpwuid()
+ that embed a network facing module into any process using getpwuid()
or related call: the dynamic allocation of the user ID for
systemd-resolved.service means the service manager has to check NSS
if the user name is already taken when forking off the service. Since
PrivateDevices=, ProtectSystem=, …) are used. This option is hence
primarily useful for services that do not use any of the other file
system namespacing options. One such service is systemd-udevd.service
- wher this is now used by default.
+ where this is now used by default.
* ConditionSecurity= gained a new value "uefi-secureboot" that is true
when the system is booted in UEFI "secure mode".
/etc/machine-id. If the machine ID could not be determined,
$KERNEL_INSTALL_MACHINE_ID will be empty. Plugins should not put
anything in the entry directory (passed as the second argument) if
- $KERNEL_INSTALL_MACHINE_ID is empty. For backwards compatiblity, a
+ $KERNEL_INSTALL_MACHINE_ID is empty. For backwards compatibility, a
temporary directory is passed as the entry directory and removed
after all the plugins exit.
* We temporarily dropped the "-l" switch for fsck invocations,
since they collide with the flock() logic above. util-linux
upstream has been changed already to avoid this conflict,
- and we will readd "-l" as soon as util-linux with this
+ and we will re-add "-l" as soon as util-linux with this
change has been released.
* The dependency on libattr has been removed. Since a long
where the local administrator's configuration in /etc always
overrides any other settings.
- Contributions fron: Ali H. Caliskan, Alison Chaiken, Bas van
+ Contributions from: Ali H. Caliskan, Alison Chaiken, Bas van
den Berg, Brandon Philips, Cristian Rodríguez, Daniel Buch,
Dan Kilman, Dave Reisner, David Härdeman, David Herrmann,
David Strauss, Dimitris Spingos, Djalal Harouni, Eelco