* Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
-* wiki: update journal format documentation for lz4 additions
-
Janitorial Clean-ups:
* Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again
Features:
+* add --copy-from and --copy-to command to systemd-dissect which copies stuff
+ in and out of a disk image
+
+* add systemd.random_seed= on the kernel cmdline, taking some hex or base64
+ encoded data. During earliest boot, credit it to entropy. This is not useful
+ for general purpose systems, but certainly for testing environments in VMs
+ and such, as it allows us to boot up instantly with fully initialized entropy
+ pool even if RNG pass-thru is not available.
+
+* Support ProtectProc= or so, using: https://patchwork.kernel.org/cover/11310197/
+
* if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
* build short web pages out of each catalog entry, build them along with man
so that the client side can remain entirely unprivileged, with SUID or
anything like that.
+* journald: do journal file writing out-of-process, with one writer process per
+ client UID, so tht synthetic hash table collisions can slow down a specific
+ user's journal stream down but not the others.
+
* add "throttling" to sd-event event sources: optionally, when we wake up too
often for one, let's turn it off entirely for a while. Use that for the
/proc/self/mountinfo logic.
* add ConditionSecurity=tpm2
+* Remove any support for booting without /usr pre-mounted in the initrd entirely.
+ Update INITRD_INTERFACE.md accordingly.
+
* pid1: Move to tracking of main pid/control pid of units per pidfd
* pid1: support new clone3() fork-into-cgroup feature
* pid1: also remove PID files of a service when the service starts, not just
when it exits
+* make us use dynamically fewer deps for containers in general purpose distros:
+ o turn into dlopen() deps:
+ - pcre2 (always) — irrelevant on Fedora, since dep by
+ libselinux, but should benefit Debian
+ - libpwquality (always) - only relevant for homed, and maybe soon
+ firstboot
+ - elfutils (always)
+ - p11-kit-trust (always)
+ - kmod-libs (only when called from PID 1)
+ - cryptsetup-libs (only in RootImage= handling in PID 1, but not in systemd-cryptsetup)
+ - similar: libblkid
+ - libpam (only when called from PID 1)
+ - bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are,
+ since they are so basic and our defaults)
+ o move into separate libsystemd-shared-iptables.so .so
+ - iptables-libs (only used by nspawn + networkd)
+
+* seccomp: when SystemCallArchitectures=native is set then don't install any
+ other seccomp filters for any of the other archs, in order to reduce the
+ number of seccomp filters we install needlessly.
+
+* seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can.
+ Apparently kernel performance is much better with fewer larger seccomp
+ filters than with more smaller seccomp filters.
+
+* systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum,
+ mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such
+
* make "systemd-dissect" an official supported tool, i.e. move to /usr/bin/ and
provide man page. Given that we now have a tool that can generate images like
this, it's useful to have one that can dump contents of them, too.
operate on disk images directly. Specifically: bootctl, firstboot, tmpfiles,
sysusers, systemctl, repart, journalctl, coredumpctl.
+* seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out
+
+* seccomp: don't install filters for ABIs that are masked anyway for the
+ specific service
+
+* seccomp: maybe merge all filters we install into one with that libseccomp API that allows merging.
+
* per-service credential system. Specifically: add LoadCredential= (for loading
cred from file), AcquireCredential= (for asking user for cred, via
ask-password), PassCredential= (for passing on credential systemd itself
* socket units: allow creating a udev monitor socket with ListenDevices= or so,
with matches, then activate app through that passing socket over
-* unify on openssl:
+* unify on openssl (as soon as OpenSSL 3.0 is out, and the Debian license
+ confusion is gone)
- port sd_id128_get_machine_app_specific() over from khash
- port resolved over from libgcrypt (DNSSEC code)
- port journald + fsprg over from libgcrypt
projects / thirdparty / systemd.git / blobdiff