notation when the 0o prefix is used and binary notation if the 0b
prefix is used.
+ * Various command line parameters and configuration file settings that
+ configure key or certificate files now optionally take paths to
+ AF_UNIX sockets in the file system. If configured that way a stream
+ connection is made to the socket and the required data read from
+ it. This is a simple and natural extension to the existing regular
+ file logic, and permits other software to provide keys or
+ certificates via simple IPC services, for example when unencrypted
+ storage on disk is not desired. Specifically, systemd-networkd's
+ Wireguard and MACSEC key file settings as well as
+ systemd-journal-gatewayd's and systemd-journal-remote's PEM
+ key/certificate parameters support this now.
+
* Unit files, tmpfiles.d/ snippets, sysusers.d/ snippets and other
configuration files that support specifier expansion learnt six new
specifiers: %a resolves to the current architecture, %o/%w/%B/%W
read and even write access to all these otherwise unmappable files,
which is quite likely a major security problem.
+ * tmpfs mounts automatically created by systemd (/tmp, /run, /dev/shm,
+ and others) now have a size and inode limits applied (50% of RAM for
+ /tmp and /dev/shm, 10% of RAM for other mounts, etc.)
+
+ * nss-mymachines lost support for resolution of users and groups, and
+ now only does resolution of hostnames. This functionality is now
+ provided by nss-systemd. Thus, the 'mymachines' entry should be
+ removed from the 'passwd:' and 'group:' lines in /etc/nsswitch.conf
+ (and 'systemd' added if it is not already there).
+
* A new kernel command line option systemd.hostname= has been added
that allows controlling the hostname that is initialized early during
boot.
new boolean setting Assign=. If enabled an address from the prefix is
automatically assigned to the interface.
- * systemd-networkd's [Network] section gained a new setting
- IPv6PDSubnetId= that allows explicit configuration of the preferred
- subnet that networkd's Prefix Delegation logic assigns to interfaces.
+ * systemd-networkd gained a new section [DHCPv6PrefixDelegation] which
+ controls delegated prefixes assigned by DHCPv6 client. The section
+ has three settings: SubnetID=, Assign=, and Token=. The setting
+ SubnetID= allows explicit configuration of the preferred subnet that
+ systemd-networkd's Prefix Delegation logic assigns to interfaces. If
+ Assign= is enabled (which is the default) an address from any acquired
+ delegated prefix is automatically chosen and assigned to the
+ interface. The setting Token= specifies an optional address generation
+ mode for Assign=.
* systemd-networkd's [Network] section gained a new setting
IPv4AcceptLocal=. If enabled the interface accepts packets with local
interface which is fully set up for host communication, simply by
carefully picking an interface name to use.
- * A new boolean option AssignAcquiredDelegatedPrefixAddress= has been
- added to the [DHCPv6] section of .network files. If enabled (which is
- the default) an address from any acquired delegated prefix is
- automatically chosen and assigned to the interface.
-
* systemd-networkd's [DHCPv6] section gained a new setting RouteMetric=
which sets the route priority for routes specified by the DHCP server.
interface. There are new "up" and "down" commands to bring specific
interfaces up or down.
- * systemd-resolved's DNS= configuration option now optionally accepts
- DNS server addresses suffixed by "#" followed by a host name. If
- used, the DNS-over-TLS certificate is validated to match the
- specified hostname.
+ * systemd-resolved's DNS= configuration option now optionally accepts a
+ port number (after ":") and a host name (after "#"). When the host
+ name is specified, the DNS-over-TLS certificate is validated to match
+ the specified hostname. Additionally, in case of IPv6 addresses, an
+ interface may be specified (after "%").
* systemd-resolved may be configured to forward single-label DNS names.
This is not standard-conformant, but may make sense in setups where
MESSAGE=. This is useful to retrieve a very specific set of fields
without any decoration.
+ * The sd-journal.h API gained two new functions:
+ sd_journal_enumerate_available_unique() and
+ sd_journal_enumerate_available_data() that operate like their
+ counterparts that lack the _available_ in the name, but skip items
+ that cannot be read and processed by the local implementation
+ (i.e. are compressed in an unsupported format or such),
+
* coredumpctl gained a new --file= switch, matching the same one in
journalctl: a specific journal file may be specified to read the
coredump data from.
also gained a new switch --root-password-hashed= which is like
--root-password= but accepts a pre-hashed UNIX password as
argument. The new option --delete-root-password may be used to unset
- any password for the root user (dangerous!). A new --force option may
- be used to override any already set settings with the parameters
- specified on the command line (by default, the tool will not override
- what has already been set before, i.e. is purely incremental).
+ any password for the root user (dangerous!). The --root-shell= switch
+ may be used to control the shell to use for the root account. A new
+ --force option may be used to override any already set settings with
+ the parameters specified on the command line (by default, the tool
+ will not override what has already been set before, i.e. is purely
+ incremental).
* systemd-firstboot gained support for a new --image= switch, which is
similar to --root= but accepts the path to a disk image file, on
has been extended by a set of environment variables that expose
select fields from the host's os-release file to the container
payload. Similarly, host's os-release files can be mounted into the
- container underneath /run/hosts. Together, those mechanisms provide a
+ container underneath /run/host. Together, those mechanisms provide a
standardized way to expose information about the host to the
container payload. Both interfaces are implemented in systemd-nspawn.
LogControl1 D-Bus API which allows clients to change log level +
target of the service during runtime.
- * Various command line parameters and configuration file settings that
- configure key or certificate files now optionally take paths to
- AF_UNIX sockets in the file system. If configured that way a stream
- connection is made to the socket and the required data read from
- it. This is a simple and natural extension to the existing regular
- file logic, and permits other software to provide keys or
- certificates via simple IPC services, for example when unencrypted
- storage on disk is not desired. Specifically, systemd-networkd's
- Wireguard and MACSEC key file settings as well as
- systemd-journal-gatewayd's and systemd-journal-remote's PEM
- key/certificate parameters support this now.
+ * Only relevant for developers: the mkosi.default symlink has been
+ dropped from version control. Please create a symlink to one of the
+ distribution-specific defaults in .mkosi/ based on your preference.
Contributions from: 24bisquitz, Adam Nielsen, Alan Perry, Alexander
- Malafeev, Alin Popa, Amos Bird, Andreas Rammhold, AndreRH, Andrew
- Doran, Anita Zhang, Ankit Jain, antznin, Arnaud Ferraris, Arthur Moraes
- do Lago, Arusekk, Balaji Punnuru, Balint Reczey, Bastien Nocera,
- bemarek, Benjamin Berg, Benjamin Dahlhoff, Benjamin Robin, Chris Down,
- Chris Kerr, Christian Göttsche, Christian Hesse, Christian Oder,
- Ciprian Hacman, codicodi, Corey Hinshaw, Daan De Meyer, Dana Olson, Dan
- Callaghan, Daniel Fullmer, Daniel Rusek, Dan Streetman, Dave Reisner,
- David Edmundson, David Wood, Denis Pronin, Diego Escalante Urrelo,
- Dimitri John Ledkov, dolphrundgren, duguxy, Einsler Lee, Elisei Roca,
- Emmanuel Garette, Eric Anderson, Eric DeVolder, Evgeny Vereshchagin,
+ Malafeev, Amitanand.Chikorde, Alin Popa, Alvin Šipraga, Amos Bird,
+ Andreas Rammhold, AndreRH, Andrew Doran, Anita Zhang, Ankit Jain,
+ antznin, Arnaud Ferraris, Arthur Moraes do Lago, Arusekk, Balaji
+ Punnuru, Balint Reczey, Bastien Nocera, bemarek, Benjamin Berg,
+ Benjamin Dahlhoff, Benjamin Robin, Chris Down, Chris Kerr, Christian
+ Göttsche, Christian Hesse, Christian Oder, Ciprian Hacman, Clinton Roy,
+ codicodi, Corey Hinshaw, Daan De Meyer, Dana Olson, Dan Callaghan,
+ Daniel Fullmer, Daniel Rusek, Dan Streetman, Dave Reisner, David
+ Edmundson, David Wood, Denis Pronin, Diego Escalante Urrelo, Dimitri
+ John Ledkov, dolphrundgren, duguxy, Einsler Lee, Elisei Roca, Emmanuel
+ Garette, Eric Anderson, Eric DeVolder, Evgeny Vereshchagin,
ExtinctFire, fangxiuning, Ferran Pallarès Roca, Filipe Brandenburger,
- Finn, Florian Klink, Franck Bui, Frantisek Sumsal, Gaoyi, gaurav, Georg
- Müller, Gergely Polonkai, Giedrius Statkevičius, Gigadoc2, gogogogi,
- gzjsgdsb, Hans de Goede, Haochen Tong, ianhi, ignapk, Jakov Smolic,
- James T. Lee, Jan Janssen, Jan Klötzke, Jan Palus, Jay Burger, Jeremy
- Cline, Jérémy Rosen, Jian-Hong Pan, Jiri Slaby, Joel Shapiro, Joerg
- Behrmann, Jörg Thalheim, Jouke Witteveen, Kai-Heng Feng, Kenny
- Levinsen, Kevin Kuehler, Kumar Kartikeya Dwivedi, layderv, laydervus,
- Lénaïc Huard, Lennart Poettering, Lidong Zhong, Luca Boccassi, Luca
- BRUNO, Lucas Werkmeister, Lukas Klingsbo, Lukáš Nykrýn, Łukasz
- Stelmach, Maciej S. Szmigiero, MadMcCrow, Marc-André Lureau, Marcel
- Holtmann, Marc Kleine-Budde, Martin Hundebøll, Matthew Leeds, Matt
- Ranostay, Maxim Fomin, MaxVerevkin, Michael Biebl, Michael Chapman,
- Michael Gubbels, Michael Marley, Michał Bartoszkiewicz, Michal Koutný,
- Michal Sekletar, Michal Sekletár, Mike Gilbert, Mike Kazantsev, ml,
- Motiejus Jakštys, nabijaczleweli, nerdopolis, Niccolò Maggioni, Niklas
- Hambüchen, Norbert Lange, Paul Cercueil, pelzvieh, Peter Hutterer,
- Piero La Terza, Pieter Lexis, Piotr Drąg, Rafael Fontenelle, Richard
- Petri, Ronan Pigott, Ross Lagerwall, Rubens Figueiredo, satmandu,
- Sean-StarLabs, Sebastian Jennen, sterlinghughes, Susant Sahani, Thomas
+ Filippo Falezza, Finn, Florian Klink, Florian Mayer, Franck Bui,
+ Frantisek Sumsal, gaurav, Georg Müller, Gergely Polonkai, Giedrius
+ Statkevičius, Gigadoc2, gogogogi, Gaurav Singh, gzjsgdsb, Hans de
+ Goede, Haochen Tong, ianhi, ignapk, Jakov Smolic, James T. Lee, Jan
+ Janssen, Jan Klötzke, Jan Palus, Jay Burger, Jeremy Cline, Jérémy
+ Rosen, Jian-Hong Pan, Jiri Slaby, Joel Shapiro, Joerg Behrmann, Jörg
+ Thalheim, Jouke Witteveen, Kai-Heng Feng, Kenny Levinsen, Kevin
+ Kuehler, Kumar Kartikeya Dwivedi, layderv, laydervus, Lénaïc Huard,
+ Lennart Poettering, Lidong Zhong, Luca Boccassi, Luca BRUNO, Lucas
+ Werkmeister, Lukas Klingsbo, Lukáš Nykrýn, Łukasz Stelmach, Maciej
+ S. Szmigiero, MadMcCrow, Marc-André Lureau, Marcel Holtmann, Marc
+ Kleine-Budde, Martin Hundebøll, Matthew Leeds, Matt Ranostay, Maxim
+ Fomin, MaxVerevkin, Michael Biebl, Michael Chapman, Michael Gubbels,
+ Michael Marley, Michał Bartoszkiewicz, Michal Koutný, Michal Sekletár,
+ Mike Gilbert, Mike Kazantsev, Mikhail Novosyolov, ml, Motiejus Jakštys,
+ nabijaczleweli, nerdopolis, Niccolò Maggioni, Niklas Hambüchen, Norbert
+ Lange, Paul Cercueil, pelzvieh, Peter Hutterer, Piero La Terza, Pieter
+ Lexis, Piotr Drąg, Rafael Fontenelle, Richard Petri, Ronan Pigott, Ross
+ Lagerwall, Rubens Figueiredo, satmandu, Sean-StarLabs, Sebastian
+ Jennen, sterlinghughes, Surhud More, Susant Sahani, szb512, Thomas
Haller, Tobias Hunger, Tom, Tomáš Pospíšek, Tomer Shechner, Tom Hughes,
Topi Miettinen, Tudor Roman, Uwe Kleine-König, Valery0xff, Vito Caputo,
Vladimir Panteleev, Vladyslav Tronko, Wen Yang, Yegor Vialov, Yigal
- Korman, YmrDtnJu, Yuri Chornoivan, Yu Watanabe, Zbigniew
+ Korman, Yi Gao, YmrDtnJu, Yuri Chornoivan, Yu Watanabe, Zbigniew
Jędrzejewski-Szmek, Zhu Li, Дамјан Георгиевски, наб
- – Warsaw, 2020-07-09
+ – Warsaw, 2020-07-30
CHANGES WITH 245: