systemd System and Service Manager
-CHANGES WITH 246 in spe:
+CHANGES WITH 246:
- * The various programs included in systemd can now optionally output
- their log messages on stderr prefixed with a timestamp, controlled by
- the $SYSTEMD_LOG_TIME environment variable.
+ * The service manager gained basic support for cgroup v2 freezer. Units
+ can now be suspended or resumed either using new systemctl verbs,
+ freeze and thaw respectively, or via D-Bus.
+
+ * PID 1 may now automatically load pre-compiled AppArmor policies from
+ /etc/apparmor/earlypolicy during early boot.
+
+ * The CPUAffinity= setting in service unit files now supports a new
+ special value "numa" that causes the CPU affinity masked to be set
+ based on the NUMA mask.
+
+ * systemd will now log about all left-over processes remaining in a
+ unit when the unit is stopped. It will now warn about services using
+ KillMode=none, as this is generally an unsafe thing to make use of.
+
+ * Two new unit file settings
+ ConditionPathIsEncrypted=/AssertPathIsEncrypted= have been
+ added. They may be used to check whether a specific file system path
+ resides on a block device that is encrypted on the block level
+ (i.e. using dm-crypt/LUKS).
+
+ * Another pair of new settings ConditionEnvironment=/AssertEnvironment=
+ has been added that may be used for simple environment checks. This
+ is particularly useful when passing in environment variables from a
+ container manager (or from PAM in case of the systemd --user
+ instance).
+
+ * .service unit files now accept a new setting CoredumpFilter= which
+ allows configuration of the memory sections coredumps of the
+ service's processes shall include.
+
+ * .mount units gained a new ReadWriteOnly= boolean option. If set
+ it will not be attempted to mount a file system read-only if mounting
+ in read-write mode doesn't succeed. An option x-systemd.rw-only is
+ available in /etc/fstab to control the same.
+
+ * .socket units gained a new boolean setting PassPacketInfo=. If
+ enabled, the kernel will attach additional per-packet metadata to all
+ packets read from the socket, as an ancillary message. This controls
+ the IP_PKTINFO, IPV6_RECVPKTINFO, NETLINK_PKTINFO socket options,
+ depending on socket type.
+
+ * .service units gained a new setting RootHash= which may be used to
+ specify the root hash for verity enabled disk images which are
+ specified in RootImage=. RootVerity= may be used to specify a path to
+ the Verity data matching a RootImage= file system. (The latter is
+ only useful for images that do not contain the Verity data embedded
+ into the same image that carries a GPT partition table following the
+ Discoverable Partition Specification). Similarly, systemd-nspawn
+ gained a new switch --verity-data= that takes a path to a file with
+ the verity data of the disk image supplied in --image=, if the image
+ doesn't contain the verity data itself.
+
+ * .service units gained a new setting RootHashSignature= which takes
+ either a base64 encoded PKCS#7 signature of the root hash specified
+ with RootHash=, or a path to a file to read the signature from. This
+ allows validation of the root hash against public keys available in
+ the kernel keyring, and is only supported on recent kernels
+ (>= 5.4)/libcryptsetup (>= 2.30). A similar switch has been added to
+ systemd-nspawn and systemd-dissect (--root-hash-sig=). Support for
+ this mechanism has also been added to systemd-veritysetup.
+
+ * .service unit files gained two new options
+ TimeoutStartFailureMode=/TimeoutStopFailureMode= that may be used to
+ tune behaviour if a start or stop timeout is hit, i.e. whether to
+ terminate the service with SIGTERM, SIGABRT or SIGKILL.
+
+ * Most options in systemd that accept hexadecimal values prefixed with
+ 0x in additional to the usual decimal notation now also support octal
+ notation when the 0o prefix is used and binary notation if the 0b
+ prefix is used.
+
+ * Various command line parameters and configuration file settings that
+ configure key or certificate files now optionally take paths to
+ AF_UNIX sockets in the file system. If configured that way a stream
+ connection is made to the socket and the required data read from
+ it. This is a simple and natural extension to the existing regular
+ file logic, and permits other software to provide keys or
+ certificates via simple IPC services, for example when unencrypted
+ storage on disk is not desired. Specifically, systemd-networkd's
+ Wireguard and MACSEC key file settings as well as
+ systemd-journal-gatewayd's and systemd-journal-remote's PEM
+ key/certificate parameters support this now.
+
+ * Unit files, tmpfiles.d/ snippets, sysusers.d/ snippets and other
+ configuration files that support specifier expansion learnt six new
+ specifiers: %a resolves to the current architecture, %o/%w/%B/%W
+ resolve to the various ID fields from /etc/os-release, %l resolves to
+ the "short" hostname of the system, i.e. the hostname configured in
+ the kernel truncated at the first dot.
+
+ * Support for the .include syntax in unit files has been removed. The
+ concept has been obsolete for 6 years and we started warning about
+ its pending removal 2 years ago (also see NEWS file below). It's
+ finally gone now.
+
+ * StandardError= and StandardOutput= in unit files no longer support
+ the "syslog" and "syslog-console" switches. They were long removed
+ from the documentation, but will now result in warnings when used,
+ and be converted to "journal" and "journal+console" automatically.
+
+ * If the service setting User= is set to the "nobody" user, a warning
+ message is now written to the logs (but the value is nonetheless
+ accepted). Setting User=nobody is unsafe, since the primary purpose
+ of the "nobody" user is to own all files whose owner cannot be mapped
+ locally. It's in particular used by the NFS subsystem and in user
+ namespacing. By running a service under this user's UID it might get
+ read and even write access to all these otherwise unmappable files,
+ which is quite likely a major security problem.
+
+ * tmpfs mounts automatically created by systemd (/tmp, /run, /dev/shm,
+ and others) now have a size and inode limits applied (50% of RAM for
+ /tmp, 10% of RAM for /dev/shm, etc.)
+
+ * nss-mymachines lost support for resolution of users and groups, and
+ now only does resolution of hostnames. This functionality is now
+ provided by nss-systemd. Thus, the 'mymachines' entry should be
+ removed from the 'passwd:' and 'group:' lines in /etc/nsswitch.conf
+ (and 'systemd' added if it is not already there).
+
+ * A new kernel command line option systemd.hostname= has been added
+ that allows controlling the hostname that is initialized early during
+ boot.
+
+ * A kernel command line option "udev.blockdev_read_only" has been
+ added. If specified all hardware block devices that show up are
+ immediately marked as read-only by udev. This option is useful for
+ making sure that a specific boot under no circumstances modifies data
+ on disk. Use "blockdev --setrw" to undo the effect of this, per
+ device.
* A new boolean kernel command line option systemd.swap= has been
added, which may be used to turn off automatic activation of swap
- devices, as listed in /etc/fstab.
+ devices listed in /etc/fstab.
- * The CPUAffinity= setting in service unit files now supports a new
- special value "numa". If used, the NUMA mask is copied into the CPU
- affinity mask.
+ * New kernel command line options systemd.condition-needs-update= and
+ systemd.condition-first-boot= have been added, which override the
+ result of the ConditionNeedsUpdate= and ConditionFirstBoot=
+ conditions.
- * The man pages for the sd-bus and sd-hwdb APIs have been completed.
+ * A new kernel command line option systemd.clock-usec= has been added
+ that allows setting the system clock to the specified time in µs
+ since Jan 1st, 1970 early during boot. This is in particular useful
+ in order to make test cases more reliable.
- * networkctl gained the new "forcerenew" command for forcing all DHCP
- server clients to renew their lease. The interface "status" output
- will now show numerous additional fields of information about an
- interface. There are new "up" and "down" commands to bring specific
- interfaces up or down.
+ * The fs.suid_dumpable sysctl is set to 2 / "suidsafe". This allows
+ systemd-coredump to save core files for suid processes. When saving
+ the core file, systemd-coredump will use the effective uid and gid of
+ the process that faulted.
+
+ * The /sys/module/kernel/parameters/crash_kexec_post_notifiers file is
+ now automatically set to "Y" at boot, in order to enable pstore
+ generation for collection with systemd-pstore.
+
+ * A new 'hwdb' file has been added that collects information about PCI
+ and USB devices that correctly support auto-suspend, on top of the
+ databases for this we import from the ChromiumOS project. If you have
+ a device that supports auto-suspend correctly and where it should be
+ enabled by default, please submit a patch that adds it to the
+ database (see /usr/lib/udev/hwdb.d/60-autosuspend.hwdb).
+
+ * systemd-udevd gained the new configuration option timeout_signal= as well
+ as a corresponding kernel command line option udev.timeout_signal=.
+ The option can be used to configure the UNIX signal that the main
+ daemon sends to the worker processes on timeout. Setting the signal
+ to SIGABRT is useful for debugging.
+
+ * .link files managed by systemd-udevd gained options RxFlowControl=,
+ TxFlowControl=, AutoNegotiationFlowControl= in the [Link] section, in
+ order to configure various flow control parameters. They also gained
+ RxMiniBufferSize= and RxJumboBufferSize= in order to configure jumbo
+ frame ring buffer sizes.
+
+ * networkd.conf gained a new boolean setting ManageForeignRoutes=. If
+ enabled systemd-networkd manages all routes configured by other tools.
+
+ * .network files managed by systemd-networkd gained a new section
+ [SR-IOV], in order to configure SR-IOV capable network devices.
* systemd-networkd's [IPv6Prefix] section in .network files gained a
new boolean setting Assign=. If enabled an address from the prefix is
automatically assigned to the interface.
+ * systemd-networkd gained a new section [DHCPv6PrefixDelegation] which
+ controls delegated prefixes assigned by DHCPv6 client. The section
+ has three settings: SubnetID=, Assign=, and Token=. The setting
+ SubnetID= allows explicit configuration of the preferred subnet that
+ systemd-networkd's Prefix Delegation logic assigns to interfaces. If
+ Assign= is enabled (which is the default) an address from any acquired
+ delegated prefix is automatically chosen and assigned to the
+ interface. The setting Token= specifies an optional address generation
+ mode for Assign=.
+
* systemd-networkd's [Network] section gained a new setting
- IPv6PDSubnetId= that allows explicit configuration of the preferred
- subnet that networkd's Prefix Delegation logic assigns to an
- interfaces.
+ IPv4AcceptLocal=. If enabled the interface accepts packets with local
+ source addresses.
* systemd-networkd gained support for configuring the HTB queuing
discipline in the [HierarchyTokenBucket] and
[GenericRandomEarlyDetection], "SFB" in [StochasticFairBlue], "cake"
in [CAKE], "PIE" in [PIE], "DRR" in [DeficitRoundRobinScheduler] and
[DeficitRoundRobinSchedulerClass], "BFIFO" in [BFIFO],
- "PFIFOHeadDrop" in [PFIFOHeadDrop], "PFIFOFast" in [PFIFOFast] and
- "HHF" in [HeavyHitterFilter].
+ "PFIFOHeadDrop" in [PFIFOHeadDrop], "PFIFOFast" in [PFIFOFast], "HHF"
+ in [HeavyHitterFilter], "ETS" in [EnhancedTransmissionSelection] and
+ "QFQ" in [QuickFairQueueing] and [QuickFairQueueingClass].
* systemd-networkd gained support for a new Termination= setting in the
[CAN] section for configuring the termination resistor. It also
traffic). DataBitRate=, DataSamplePoint=, FDMode=, FDNonISO= have
been added to configure various CAN-FD aspects.
- * .link files managed by systemd-udevd gained options RxFlowControl=,
- TxFlowControl=, AutoNegotiationFlowControl= in the [Link] section, in
- order to configure various flow control parameters. They also gained
- RxMiniBufferSize= and RxJumboBufferSize= in order to configure jumbo
- frame ring buffer sizes.
-
- * systemd-networkd's [DHCPv6] section gained a new WithoutRA= boolean
- setting. If enabled, DHCPv6 will be attempted right-away without
- requiring an Router Advertisement packet suggesting it
- first. Conversely, the [IPv6AcceptRA] gained a boolean option
+ * systemd-networkd's [DHCPv6] section gained a new option WithoutRA=.
+ When enabled, DHCPv6 will be attempted right-away without requiring an
+ Router Advertisement packet suggesting it first (i.e. without the 'M'
+ or 'O' flags set). The [IPv6AcceptRA] section gained a boolean option
DHCPv6Client= that may be used to turn off the DHCPv6 client even if
the RA packets suggest it.
Description"). Support for "MUD" URLs was also added to the LLDP
stack, configurable in the [LLDP] section in .network files.
- * systemd-resolved's DNS= configuration option now optionally accepts
- DNS server addresses suffixed by "#" followed by a host name. If
- used, the DNS-over-TLS certificate is validated to match the
- specified hostname.
+ * The Mode= settings in [MACVLAN] and [MACVTAP] now support 'source'
+ mode. Also, the sections now support a new setting SourceMACAddress=.
- * systemd-resolved may be configured to forward single-label DNS names.
- This is not standard-conformant, but may make sense in setups where
- public DNS servers are not used.
+ * systemd-networkd's .netdev files now support a new setting
+ VLANProtocol= in the [Bridge] section that allows configuration of
+ the VLAN protocol to use.
- * systemd-resolved's DNS-over-TLS support gained SNI validation.
+ * systemd-networkd supports a new Group= setting in the [Link] section
+ of the .network files, to control the link group.
- * The fs.suid_dumpable sysctl is set to 2 / "suidsafe". This allows
- systemd-coredump to save core files for suid processes. When saving
- the core file, systemd-coredump will use the effective uid and gid of
- the process that faulted.
+ * systemd-networkd's [Network] section gained a new
+ IPv6LinkLocalAddressGenerationMode= setting, which specifies how IPv6
+ link local address is generated.
- * "systemctl list-units" and "systemctl list-machines" no longer hide
- their first output column with --no-legend. To hide the first column,
- use --plain.
+ * A new default .network file is now shipped that matches TUN/TAP
+ devices that begin with "vt-" in their name. Such interfaces will
+ have IP routing onto the host links set up automatically. This is
+ supposed to be used by VM managers to trivially acquire a network
+ interface which is fully set up for host communication, simply by
+ carefully picking an interface name to use.
- * The service manager gained basic support for cgroup v2 freezer. Units
- can now be suspended or resumed either using new systemctl verbs,
- freeze and thaw respectively, or via D-Bus.
+ * systemd-networkd's [DHCPv6] section gained a new setting RouteMetric=
+ which sets the route priority for routes specified by the DHCP server.
- * systemd-udevd gained new configuration option timeout_signal= as well
- as coresponding kernel command line option udev.timeout_signal.
- The option can be used to configure the UNIX signal that the main
- daemon sends to the worker processes on timeout.
+ * systemd-networkd's [DHCPv6] section gained a new setting VendorClass=
+ which configures the vendor class information sent to DHCP server.
- * A new sd-path.h API has been added to libsystemd. It provides a
- simple API for retrieving various search paths and primary
- directories for various resources.
+ * The BlackList= settings in .network files' [DHCPv4] and
+ [IPv6AcceptRA] sections have been renamed DenyList=. The old names
+ are still understood to provide compatibility.
- * The sd-bus API gained a number of convenience functions that take
- va_list arguments rather than "...". For example, there's now
- sd_bus_call_methodv() to match sd_bus_call_method(). Previously,
- these were missing since the calls are convenience calls only and
- could be put together from the more low-level functions they build
- on.
+ * networkctl gained the new "forcerenew" command for forcing all DHCP
+ server clients to renew their lease. The interface "status" output
+ will now show numerous additional fields of information about an
+ interface. There are new "up" and "down" commands to bring specific
+ interfaces up or down.
- * sd-bus vtable entries learnt a new flag SD_BUS_VTABLE_ABSOLUTE_OFFSET
- which alters how the userdata pointer to pass to the callbacks is
- determined. If the flag is set the offset field is converted as-is
- into a pointer, without adding it to the object pointer the vtable is
- associated with.
+ * systemd-resolved's DNS= configuration option now optionally accepts a
+ port number (after ":") and a host name (after "#"). When the host
+ name is specified, the DNS-over-TLS certificate is validated to match
+ the specified hostname. Additionally, in case of IPv6 addresses, an
+ interface may be specified (after "%").
- * sd-bus now exposes four new functions:
- sd_bus_interface_name_is_valid() + sd_bus_service_name_is_valid() +
- sd_bus_member_name_is_valid() + sd_bus_object_path_is_valid() will
- validate strings to check if they qualify as various D-Bus concepts.
+ * systemd-resolved may be configured to forward single-label DNS names.
+ This is not standard-conformant, but may make sense in setups where
+ public DNS servers are not used.
- * The sd-bus API gained the SD_BUS_METHOD_WITH_ARGS(),
- SD_BUS_METHOD_WITH_ARGS_OFFSET() and SD_BUS_SIGNAL_WITH_ARGS() macros
- that simplify adding argument names to D-Bus methods and signals.
+ * systemd-resolved's DNS-over-TLS support gained SNI validation.
+
+ * systemd-nspawn's --resolv-conf= switch gained a number of new
+ supported values. Specifically, options starting with "replace-" are
+ like those prefixed "copy-" but replace any existing resolv.conf
+ file. And options ending in "-uplink" and "-stub" can now be used to
+ propagate other flavours of resolv.conf into the container (as
+ defined by systemd-resolved).
+
+ * The various programs included in systemd can now optionally output
+ their log messages on stderr prefixed with a timestamp, controlled by
+ the $SYSTEMD_LOG_TIME environment variable.
* systemctl gained a new "-P" switch that is a shortcut for "--value
--property=…".
- * The expectations on user/group name syntax are now documented in
- detail; documentation how classic home directories may be converted
- into home directories managed by homed has been added; documentation
- regarding integration of homed/userdb functionality in desktops has
- been added:
+ * "systemctl list-units" and "systemctl list-machines" no longer hide
+ their first output column with --no-legend. To hide the first column,
+ use --plain.
- https://systemd.io/USER_NAMES
- https://systemd.io/CONVERTING_TO_HOMED
- https://systemd.io/USERDB_AND_DESKTOPS
+ * "systemctl reboot" takes the option "--reboot-argument=".
+ The optional positional argument to "systemctl reboot" is now
+ being deprecated in favor of this option.
* systemd-run gained a new switch --slice-inherit. If specified the
unit it generates is placed in the same slice as the systemd-run
process itself.
- * service unit files now accept a new setting CoredumpFilter= which
- allows configuration of the memory sections coredumps of the
- service's processes shall include.
-
- * coredumpctl gained a new --file= switch, matching the same one in
- journalctl: a specific journal file may be specified to read the
- coredump data from.
-
- * Various D-Bus APIs of systemd daemons now have man pages that
- document the methods, signals and properties.
+ * systemd-journald gained support for zstd compression of large fields
+ in journal files. The hash tables in journal files have been hardened
+ against hash collisions. This is an incompatible change and means
+ that journal files created with new systemd versions are not readable
+ with old versions. If the $SYSTEMD_JOURNAL_KEYED_HASH boolean
+ environment variable for systemd-journald.service is set to 0 this
+ new hardening functionality may be turned off, so that generated
+ journal files remain compatible with older journalctl
+ implementations.
+
+ * journalctl will now include a clickable link in the default output for
+ each log message for which an URL with further documentation is
+ known. This is only supported on terminal emulators that support
+ clickable hyperlinks, and is turned off if a pager is used (since
+ "less" still doesn't support hyperlinks,
+ unfortunately). Documentation URLs may be included in log messages
+ either by including a DOCUMENTATION= journal field in it, or by
+ associating a journal message catalog entry with the log message's
+ MESSAGE_ID, which then carries a "Documentation:" tag.
* journald.conf gained a new boolean setting Audit= that may be used to
control whether systemd-journald will enable audit during
initialization.
- * A new default .network file is now shipped that matches TUN/TAP
- devices that begin with "vt-" in their name. Such interfaces will
- have IP routing onto the host links set up automatically. This is
- supposed to be used by VM managers to trivially acquire a network
- interface which is fully set up for host communication, simply by
- carefully picking an interface name to use.
+ * when systemd-journald's log stream is broken up into multiple lines
+ because the PID of the sender changed this is indicated in the
+ generated log records via the _LINE_BREAK=pid-change field.
- * All D-Bus services shipped in systemd now implement the generic
- LogControl1 D-Bus API which allows clients to change log level +
- target of the service during runtime.
+ * journalctl's "-o cat" output mode will now show one or more journal
+ fields specified with --output-fields= instead of unconditionally
+ MESSAGE=. This is useful to retrieve a very specific set of fields
+ without any decoration.
- * systemd-nspawn's --resolv-conf= switch gained a number of new
- supported values. Specifically, options starting with "replace-" are
- like those prefixed "copy-" but replace any existing resolv.conf
- file. And options ending in "-uplink" and "-stub" can now be used to
- propagate other flavours of resolv.conf into the container (as
- defined by systemd-resolved).
+ * The sd-journal.h API gained two new functions:
+ sd_journal_enumerate_available_unique() and
+ sd_journal_enumerate_available_data() that operate like their
+ counterparts that lack the _available_ in the name, but skip items
+ that cannot be read and processed by the local implementation
+ (i.e. are compressed in an unsupported format or such),
+
+ * coredumpctl gained a new --file= switch, matching the same one in
+ journalctl: a specific journal file may be specified to read the
+ coredump data from.
+
+ * coredumps collected by systemd-coredump may now be compressed using
+ the zstd algorithm.
* systemd-binfmt gained a new switch --unregister for unregistering all
registered entries at once. This is now invoked automatically at
shutdown, so that binary formats registered with the "F" flag will
not block clean file system unmounting.
- * Unit files, tmpfiles.d/ snippets, sysusers.d/ snippets and other
- configuration files that support specifier expansion learnt six new
- specifiers: %a resolves to the current architecture, %o/%w/%B/%W
- resolve to the various ID fields from /etc/os-release, %l resolves to
- the "short" hostname of the system, i.e. the kernel configured
- hostname, truncated at the first dot.
-
* systemd-notify's --pid= switch gained new values: "parent", "self",
"auto" for controlling which PID to send to the service manager: the
systemd-notify process' PID, or the one of the process invoking it.
- * When sending a file descriptor (fd) to the service manager to keep
- track of, using the sd_notify() mechanism, a new parameter FDPOLL=0
- may be specified. If passed the service manager will refrain from
- poll()ing on the file descriptor. Traditionally (and when the
- parameter is not specified), the service manager will poll it for
- POLLHUP or POLLERR events, and immediately close the fds in that
- case.
-
- * A new call sd_notify_barrier() has been added to the sd-daemon.h
- API. The call will block until all previously sent sd_notify()
- messages have been processed by the service manager. This is useful
- to remove races caused by a process already having disappeared at the
- time a notification message is processed by the service manager,
- making correct attribution impossible. The systemd-notify tool will
- now make use of this call implicitly, but this can be turned off again
- via the new --no-block switch.
-
* systemd-logind's Session bus object learnt a new method call
SetType() for temporarily updating the session type of an already
allocated session. This is useful for upgrading tty sessions to
graphical ones once a compositor is invoked.
- * .mount units gained a new ReadWriteOnly= boolean option. If set
- it will not be attempted to mount a file system read-only if mounting
- in read-write mode doesn't succeed. An option x-systemd.rw-only is
- available in /etc/fstab to control the same.
-
- * coredumps collected by systemd-coredump may now be compressed using
- the zstd algorithm.
-
- * journalctl's "-o cat" output mode will now show one or more journal
- fields specified with --output-fields= instead of unconditionally
- MESSAGE=. This is useful to retrieve a very specific set of fields
- without any decoration.
-
* systemd-socket-proxy gained a new switch --exit-idle-time= for
configuring an exit-on-idle time.
- * systemd-homed's LUKS backend gained the ability to discard empty file
- system blocks automatically when the user logs out. This is enabled
- by default to ensure that home directories take minimal space when
- logged out but get full size guarantees when logged in. This may be
- controlled with the new --luks-offline-discard= switch to homectl.
-
- * If systemd-homed detects that /home/ is encrypted as a whole it will
- now default to the directory or subvolume backends instead of the
- LUKS backend, in order to avoid double encryption. The default
- storage and file system may now be configured explicitly, too, via
- the new /etc/systemd/homed.conf configuration file.
-
- * when systemd-journald's log stream is broken up into multiple lines
- because the PID of the sender changed this is indicated in the
- generated log records via the _LINE_BREAK=pid-change field.
-
- * systemd-networkd's .netdev files now support a new setting
- VLANProtocol= in the [Bridge] section that allows configuration of
- the VLAN protocol to use.
-
* systemd-repart's --empty= setting gained a new value "create". If
specified a new empty regular disk image file is created under the
specified name. Its size may be specified with the new --size=
* systemd-repart drop-ins now support a new UUID= setting to control
the UUID to assign to a newly created partition.
- * StandardError= and StandardOutput= in unit files no longer support
- the "syslog" and "syslog-console" switches. They were long removed
- from the documentation, but will now result in warnings when used,
- and be converted to "journal" and "journal+console" automatically.
+ * systemd-repart's SizeMin= per-partition parameter now defaults to 10M
+ instead of 0.
- * systemd-networkd supports a new Group= setting in the [Link] section
- of the .network files, to control the link group.
+ * systemd-repart's Label= setting now support the usual, simple
+ specifier expansion.
- * Two new unit file settings
- ConditionPathIsEncrypted=/AssertPathIsEncrypted= have been
- added. They may be used to check whether a specific file system path
- resides on a block device that is encrypted on the block level
- (i.e. using dm-crypt/LUKS).
-
- * Another pair of new settings ConditionEnvironment=/AssertEnvironment=
- has been added that may be used for simple environment checks. This
- is particularly useful when passing in environment variables from a
- container manager (or from PAM in case of the systemd --user
- instance).
-
- * The /sys/module/kernel/parameters/crash_kexec_post_notifiers file is
- now automatically set to "Y" at boot, in order to enable pstore
- generation for collection with systemd-pstore.
+ * systemd-homed's LUKS backend gained the ability to discard empty file
+ system blocks automatically when the user logs out. This is enabled
+ by default to ensure that home directories take minimal space when
+ logged out but get full size guarantees when logged in. This may be
+ controlled with the new --luks-offline-discard= switch to homectl.
- * New kernel command line options systemd.condition-needs-update= and
- systemd.condition-first-boot= have been added, which override the
- result of the ConditionNeedsUpdate= and ConditionFirstBoot=
- conditions.
+ * If systemd-homed detects that /home/ is encrypted as a whole it will
+ now default to the directory or subvolume backends instead of the
+ LUKS backend, in order to avoid double encryption. The default
+ storage and file system may now be configured explicitly, too, via
+ the new /etc/systemd/homed.conf configuration file.
- * A new kernel command line option systemd.clock-usec= has been added
- that allows setting the system clock to the specified time in µs
- since Jan 1st, 1970 early during boot. This is in particular useful
- in order to make test cases more reliable.
-
- * A new kernel command line option systemd.hostname= has been added
- that allows controlling the hostname that is initialized early during
- boot.
+ * systemd-homed now supports unlocking home directories with FIDO2
+ security tokens that support the 'hmac-secret' extension, in addition
+ to the existing support for PKCS#11 security token unlocking
+ support. Note that many recent hardware security tokens support both
+ interfaces. The FIDO2 support is accessible via homectl's
+ --fido2-device= option.
+
+ * homectl's --pkcs11-uri= setting now accepts two special parameters:
+ if "auto" is specified and only one suitable PKCS#11 security token
+ is plugged in, its URL is automatically determined and enrolled for
+ unlocking the home directory. If "list" is specified a brief table of
+ suitable PKCS#11 security tokens is shown. Similar, the new
+ --fido2-device= option also supports these two special values, for
+ automatically selecting and listing suitable FIDO2 devices.
* The /etc/crypttab tmp option now optionally takes an argument
selecting the file system to use. Moreover, the default is now
/etc/cryptsetup-keys.d/<volume>.key and
/run/cryptsetup-keys.d/<volume>.key, if any of these files exist.
+ * systemd-cryptsetup may now activate Microsoft BitLocker volumes via
+ /etc/crypttab, during boot.
+
* logind.conf gained a new RuntimeDirectoryInodesMax= setting to
control the inode limit for the per-user $XDG_RUNTIME_DIR tmpfs
instance.
- * systemd-firstboot gained a new --root-password-hashed= parameter for
- setting the root user's password as UNIX password hash. There's a new
- --delete-root-password switch which instead of setting a password for
- the root user, removes it so that log-in without a password is
- permitted. There's now --force which if specified means any existing
- configuration is overwritten by the specified settings. It also
- gained a new --kernel-command-line= parameter which may be used to
- set the /etc/kernel/cmdline file of an OS image.
-
* A new generator systemd-xdg-autostart-generator has been added. It
- automatically generates systemd unit files from XDG autostart
- .desktop files, and is useful for allowing systemd to manage services
- defined that way safely and automatically.
+ generates systemd unit files from XDG autostart .desktop files, and
+ may be used to let the systemd user instance manage services that are
+ started automatically as part of the desktop session.
+
+ * "bootctl" gained a new verb "reboot-to-firmware" that may be used
+ to query and change the firmware's 'reboot into firmware' setup flag.
+
+ * systemd-firstboot gained a new switch --kernel-command-line= that may
+ be used to initialize the /etc/kernel/cmdline file of the image. It
+ also gained a new switch --root-password-hashed= which is like
+ --root-password= but accepts a pre-hashed UNIX password as
+ argument. The new option --delete-root-password may be used to unset
+ any password for the root user (dangerous!). The --root-shell= switch
+ may be used to control the shell to use for the root account. A new
+ --force option may be used to override any already set settings with
+ the parameters specified on the command line (by default, the tool
+ will not override what has already been set before, i.e. is purely
+ incremental).
+
+ * systemd-firstboot gained support for a new --image= switch, which is
+ similar to --root= but accepts the path to a disk image file, on
+ which it then operates.
- * systemd will now log about all left-over processes remaining in a
- unit when the unit is stopped. It will now warn about services using
- KillMode=none, as this is generally an unsafe thing to make use of.
+ * A new sd-path.h API has been added to libsystemd. It provides a
+ simple API for retrieving various search paths and primary
+ directories for various resources.
- * .socket units gained a new boolean setting PassPacketInfo=. If
- enabled, the kernel will attach additional per-packet metadata to all
- packets read from the socket, as ancillary message. This controls the
- IP_PKTINFO, IPV6_RECVPKTINFO, NETLINK_PKTINFO socket options,
- depending on socket type.
+ * A new call sd_notify_barrier() has been added to the sd-daemon.h
+ API. The call will block until all previously sent sd_notify()
+ messages have been processed by the service manager. This is useful
+ to remove races caused by a process already having disappeared at the
+ time a notification message is processed by the service manager,
+ making correct attribution impossible. The systemd-notify tool will
+ now make use of this call implicitly, but this can be turned off again
+ via the new --no-block switch.
- * A new boolean option AssignAcquiredDelegatedPrefixAddress= has been
- added to the [DHCPv6] section of .network files. If enabled (which is
- the default) an address from any acquired delegated prefix is
- automatically chosen and assigned to the interface.
+ * When sending a file descriptor (fd) to the service manager to keep
+ track of, using the sd_notify() mechanism, a new parameter FDPOLL=0
+ may be specified. If passed the service manager will refrain from
+ poll()ing on the file descriptor. Traditionally (and when the
+ parameter is not specified), the service manager will poll it for
+ POLLHUP or POLLERR events, and immediately close the fds in that
+ case.
- * "systemctl reboot" takes the option "--reboot-argument=".
- The optional positional argument to "systemctl reboot" is now
- being deprecated in favor of this option.
+ * The service manager (PID1) gained a new D-Bus method call
+ SetShowStatus() which may be used to control whether it shall show
+ boot-time status output on the console. This method has a similar
+ effect to sending SIGRTMIN+20/SIGRTMIN+21 to PID 1.
- * Support for the .include syntax in unit files has been removed. The
- concept has been obsolete for 6 years and we started warning about
- its pending removal 2 years ago (also see NEWS file below). It's
- finally gone now.
+ * The sd-bus API gained a number of convenience functions that take
+ va_list arguments rather than "...". For example, there's now
+ sd_bus_call_methodv() to match sd_bus_call_method(). Those calls make
+ it easier to build wrappers that accept variadic arguments and want
+ to pass a ready va_list structure to sd-bus.
- * The BlackList= settings in .network files' [DHCPv4] and
- [IPv6AcceptRA] sections have been renamed DenyList=. The old names
- are still understood to provide compatibility.
+ * sd-bus vtable entries can have a new SD_BUS_VTABLE_ABSOLUTE_OFFSET
+ flag which alters how the userdata pointer to pass to the callbacks
+ is determined. When the flag is set, the offset field is converted
+ as-is into a pointer, without adding it to the object pointer the
+ vtable is associated with.
+
+ * sd-bus now exposes four new functions:
+ sd_bus_interface_name_is_valid() + sd_bus_service_name_is_valid() +
+ sd_bus_member_name_is_valid() + sd_bus_object_path_is_valid() will
+ validate strings to check if they qualify as various D-Bus concepts.
+
+ * The sd-bus API gained the SD_BUS_METHOD_WITH_ARGS(),
+ SD_BUS_METHOD_WITH_ARGS_OFFSET() and SD_BUS_SIGNAL_WITH_ARGS() macros
+ that simplify adding argument names to D-Bus methods and signals.
+
+ * The man pages for the sd-bus and sd-hwdb APIs have been completed.
+
+ * Various D-Bus APIs of systemd daemons now have man pages that
+ document the methods, signals and properties.
+
+ * The expectations on user/group name syntax are now documented in
+ detail; documentation on how classic home directories may be
+ converted into home directories managed by homed has been added;
+ documentation regarding integration of homed/userdb functionality in
+ desktops has been added:
+
+ https://systemd.io/USER_NAMES
+ https://systemd.io/CONVERTING_TO_HOMED
+ https://systemd.io/USERDB_AND_DESKTOPS
+
+ * Documentation for the on-disk Journal file format has been updated
+ and has now moved to:
+
+ https://systemd.io/JOURNAL_FILE_FORMAT
+
+ * The interface for containers (https://systemd.io/CONTAINER_INTERFACE)
+ has been extended by a set of environment variables that expose
+ select fields from the host's os-release file to the container
+ payload. Similarly, host's os-release files can be mounted into the
+ container underneath /run/host. Together, those mechanisms provide a
+ standardized way to expose information about the host to the
+ container payload. Both interfaces are implemented in systemd-nspawn.
+
+ * All D-Bus services shipped in systemd now implement the generic
+ LogControl1 D-Bus API which allows clients to change log level +
+ target of the service during runtime.
+
+ * Only relevant for developers: the mkosi.default symlink has been
+ dropped from version control. Please create a symlink to one of the
+ distribution-specific defaults in .mkosi/ based on your preference.
+
+ Contributions from: 24bisquitz, Adam Nielsen, Alan Perry, Alexander
+ Malafeev, Alin Popa, Alvin Šipraga, Amos Bird, Andreas Rammhold,
+ AndreRH, Andrew Doran, Anita Zhang, Ankit Jain, antznin, Arnaud
+ Ferraris, Arthur Moraes do Lago, Arusekk, Balaji Punnuru, Balint
+ Reczey, Bastien Nocera, bemarek, Benjamin Berg, Benjamin Dahlhoff,
+ Benjamin Robin, Chris Down, Chris Kerr, Christian Göttsche, Christian
+ Hesse, Christian Oder, Ciprian Hacman, Clinton Roy, codicodi, Corey
+ Hinshaw, Daan De Meyer, Dana Olson, Dan Callaghan, Daniel Fullmer,
+ Daniel Rusek, Dan Streetman, Dave Reisner, David Edmundson, David Wood,
+ Denis Pronin, Diego Escalante Urrelo, Dimitri John Ledkov,
+ dolphrundgren, duguxy, Einsler Lee, Elisei Roca, Emmanuel Garette, Eric
+ Anderson, Eric DeVolder, Evgeny Vereshchagin, ExtinctFire, fangxiuning,
+ Ferran Pallarès Roca, Filipe Brandenburger, Filippo Falezza, Finn,
+ Florian Klink, Florian Mayer, Franck Bui, Frantisek Sumsal, gaurav,
+ Georg Müller, Gergely Polonkai, Giedrius Statkevičius, Gigadoc2,
+ gogogogi, gzjsgdsb, Hans de Goede, Haochen Tong, ianhi, ignapk, Jakov
+ Smolic, James T. Lee, Jan Janssen, Jan Klötzke, Jan Palus, Jay Burger,
+ Jeremy Cline, Jérémy Rosen, Jian-Hong Pan, Jiri Slaby, Joel Shapiro,
+ Joerg Behrmann, Jörg Thalheim, Jouke Witteveen, Kai-Heng Feng, Kenny
+ Levinsen, Kevin Kuehler, Kumar Kartikeya Dwivedi, layderv, laydervus,
+ Lénaïc Huard, Lennart Poettering, Lidong Zhong, Luca Boccassi, Luca
+ BRUNO, Lucas Werkmeister, Lukas Klingsbo, Lukáš Nykrýn, Łukasz
+ Stelmach, Maciej S. Szmigiero, MadMcCrow, Marc-André Lureau, Marcel
+ Holtmann, Marc Kleine-Budde, Martin Hundebøll, Matthew Leeds, Matt
+ Ranostay, Maxim Fomin, MaxVerevkin, Michael Biebl, Michael Chapman,
+ Michael Gubbels, Michael Marley, Michał Bartoszkiewicz, Michal Koutný,
+ Michal Sekletár, Mike Gilbert, Mike Kazantsev, Mikhail Novosyolov, ml,
+ Motiejus Jakštys, nabijaczleweli, nerdopolis, Niccolò Maggioni, Niklas
+ Hambüchen, Norbert Lange, Paul Cercueil, pelzvieh, Peter Hutterer,
+ Piero La Terza, Pieter Lexis, Piotr Drąg, Rafael Fontenelle, Richard
+ Petri, Ronan Pigott, Ross Lagerwall, Rubens Figueiredo, satmandu,
+ Sean-StarLabs, Sebastian Jennen, sterlinghughes, Surhud More, Susant
+ Sahani, szb512, Thomas Haller, Tobias Hunger, Tom, Tomáš Pospíšek,
+ Tomer Shechner, Tom Hughes, Topi Miettinen, Tudor Roman, Uwe
+ Kleine-König, Valery0xff, Vito Caputo, Vladimir Panteleev, Vladyslav
+ Tronko, Wen Yang, Yegor Vialov, Yigal Korman, Yi Gao, YmrDtnJu, Yuri
+ Chornoivan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Zhu Li, Дамјан
+ Георгиевски, наб
+
+ – Warsaw, 2020-07-24
CHANGES WITH 245:
projects / thirdparty / systemd.git / blobdiff