manager or system manager can be always set. It would be better to reject
them when parsing config.
+* userdbctl: "Password OK: yes" is shown even when there are no passwords
+ or the password is locked.
+
External:
* Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
Features:
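Review bot: the new userdbctl item above states the symptom but not the intended behaviour; suggest spelling out what the field should show when no password is set and when the password is locked (for example "Password OK: no" plus a separate locked indicator), since a field that reads "yes" for a locked account invites callers to treat the account as authenticatable.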
-* nss-systemd: also synthesize shadow records for users/groups
+* export action of device object on sd-device, so that monitor becomes useful
+
+* add root=tmpfs that mounts a tmpfs to /sysroot (to be used in combination
+ with usr=…, for a similar effect as systemd.volatile=yes but without the
+ "hide-out" effect). Also, add root=gpt-auto-late support or so, that is like
+ root=gpt-auto but initially mounts a tmpfs to /sysroot, and then revisits
+ later after systemd-repart ran. Usecase: let's ship images with only /usr
+ partition, then on first boot create the root partition. In this case we want
+ to read the repart data from /usr before the root partition exists. Add
+ usr=gpt-auto that automatically finds a /usr partition.
-* make use of the new statx mountid and rootmount fields in path_get_mnt_id()
- and fd_is_mount_point()
+* change SwitchRoot() implementation in PID 1 to use pivot_root(".", "."), as
+ documented in the pivot_root(2) man page, so that we can drop the /oldroot
+ temporary dir.
-* nspawn: move "incoming mount" directory to /run/host, move "inaccessible"
- nodes to /run/host, move notify socket (for sd_notify() between payload and
- container manager)
+* special case some calls of chase_symlinks() to use openat2() internally, so
+ that the kernel does what we otherwise do.
+
+* homed: keep an fd to the homedir open at all times, to keep the fs pinned
+ (autofs and such) while user is loged in.
+
+* nss-systemd: also synthesize shadow records for users/groups
* make use of new glibc 2.32 APIs sigabbrev_np() and strerrorname_np().
mounting a subdir of the root fs as actual root. This can be used as
fstype-agnostic version of btrfs' rootflags=subvol=foobar.
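Review bot: typo in the homed item, "loged" should be "logged". The chase_symlinks()/openat2() item would also be clearer if it named the resolve flags the kernel is expected to enforce (RESOLVE_IN_ROOT, RESOLVE_BENEATH, RESOLVE_NO_MAGICLINKS), since those are what replace the userspace symlink containment; and note that the nss-systemd shadow-records line is only moved within the list, not changed.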
-* Support ProtectProc= or so, using: https://patchwork.kernel.org/cover/11310197/
-
* if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
* build short web pages out of each catalog entry, build them along with man
often for one, let's turn it off entirely for a while. Use that for the
/proc/self/mountinfo logic.
-* move our systemd-user PAM snippet to /usr/, which PAM appears to support
- these days
-
* nspawn: support time namespaces
* systemd-firstboot: make sure to always use chase_symlinks() before
* make us use dynamically fewer deps for containers in general purpose distros:
o turn into dlopen() deps:
- - libpwquality (always) - only relevant for homed, and maybe soon
- firstboot
+ - libidn2 (always)
- elfutils (always)
- p11-kit-trust (always)
- kmod-libs (only when called from PID 1)
- - cryptsetup-libs (only in RootImage= handling in PID 1, but not in systemd-cryptsetup)
- - similar: libblkid
+ - libblkid (only in RootImage= handling in PID 1, but not elsewhere)
- libpam (only when called from PID 1)
- bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are,
since they are so basic and our defaults)
* seccomp: maybe merge all filters we install into one with that libseccomp API that allows merging.
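Review bot: turning libraries into dlopen() deps removes them from DT_NEEDED, so ELF-based dependency generators, ldd and SBOM tooling no longer see them; the item should note that such dependencies have to be declared manually in packaging. The removed libpwquality and cryptsetup-libs entries should also say whether they were converted or deliberately dropped, since the list is the only record of the plan.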
-* per-service credential system. Specifically: add LoadCredential= (for loading
- cred from file), AcquireCredential= (for asking user for cred, via
- ask-password), PassCredential= (for passing on credential systemd itself
- got). Then, place credentials in a per-service, immutable ramfs instance (so
- that it cannot be swapped out), destroy after use. Also pass via keyring
- (with graceful fallback to cover for containers). Define CredentialPath= for
- defining subdir of /run/credentials/ where to place it. Set $CREDENTIAL_PATH
- env var for services to the result. Also pass via fd passing (optionally).
-
-* homed: add native recovery key support. use 48 lowercase modhex characters
- (192bit), show qr code of it, include pattern expression in user record.
-
-* homed: introduce "degraded" state for home directories that weren't cleanly
- unmounted (use xattr we add and remove on the loop back file)
+* credentials system:
+ - maybe add AcquireCredential= for querying a cred via ask-password
+ - maybe try to acquire creds via keyring?
+ - maybe try to pass creds via keyring?
+ - maybe optionally pass creds via memfd
+ - maybe add support for decrypting creds via TPM
+ - maybe add support for decrypting/importing creds via pkcs11
+ - make systemd-cryptsetup acquire pw via creds logic
+ - make PAMName= acquire pw via creds logic
+ - make macsec/wireguard code in networkd read key via creds logic
+ - make gatwayd/remote read key via creds logic
+ - add sd_notify() command for flushing out creds not needed anymore
* homed: during login resize fs automatically towards size goal. Specifically,
resize to diskSize if possible, but leave a certain amount (configured by a
* systemd-gpt-auto should probably set x-systemd.growfs on the mounts it
creates
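Review bot: typo in the credentials list, "gatwayd" should be "gatewayd". The rewrite also drops the properties the old text stated (per-service immutable ramfs so credentials cannot be swapped out, destroyed after use); if that part landed, a one-line pointer would keep the list self-explanatory. For the "pass creds via memfd" item, consider noting that the memfd should be sealed (F_SEAL_WRITE, F_SEAL_GROW, F_SEAL_SHRINK, F_SEAL_SEAL) before it is handed over so the content cannot change after the service receives it.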
-* homed/userdb: distinguish passwords and recovery keys in the records, since
- we probably want to use different PBKDF algorithms/settings for them:
- passwords have low entropy but recovery keys should have good entropy key
- hence we can make them quicker to work.
-
* bootctl:
- teach it to prepare an ESP wholesale, i.e. with mkfs.vfat invocation
- teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host
- when that's done: kill khash.c
- when that's done: kill gnutls support in resolved
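Review bot: the removed homed/userdb item was the only place recording why passwords and recovery keys need different PBKDF settings (low-entropy versus high-entropy input); if it is dropped because it was implemented, say so, otherwise keep the rationale. The last removed line also reads oddly ("good entropy key hence we can make them quicker to work"), presumably meaning that key derivation for recovery keys can use cheaper parameters.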
-* kill zenata, all hail weblate?
-
* when we resize disks (homed?) always round up to 4K sectors, not 512K
* add growvol and makevol options for /etc/crypttab, similar to
* systemd-repart: allow sizing partitions as factor of available RAM, so that
we can reasonably size swap partitions for hibernation.
-* systemd-repart: allow running mkfs before making partitions pop up +
- encryption via LUKS to allow booting into an empty root with only /usr mounted in
-
* systemd-repart: allow managing the gpt read-only partition flag + auto-mount flag
* systemd-repart: allow boolean option that ensures that if existing partition
* systemd-repart: add per-partition option to fail if partition already exist,
i.e. is not added new. Similar, add option to fail if partition does not exist yet.
-* systemd-repart: add --size=auto for generating/resizing images of minimal
- size, i.e. where the image file is sized exactly as large as necessary taking
- SizeMin= into account, but not a single byte larger.
-
* systemd-repart: allow disabling growing of specific partitions, or making
them (think ESP: we don't ever want to grow it, since we cannot resize vfat)
- fingerprint authentication, pattern authentication, …
- make sure "classic" user records can also be managed by homed
- make size of $XDG_RUNTIME_DIR configurable in user record
- - reuse pwquality magic in firstboot
- query password from kernel keyring first
- update even if record is "absent"
- add a "access mode" + "fstype" field to the "status" section of json identity records reflecting the actually used access mode and fstype, even on non-luks backends
directory trees from the host to the services RootImage= and RootDirectory=
environment. Which we can use for /etc/machine-id and in particular
/etc/resolv.conf. Should be smart and do something useful on read-only
- images, for example fallback to read-only bind mounting the file instead.
+ images, for example fall back to read-only bind mounting the file instead.
* show invocation ID in systemd-run output
* sd-bus: add vtable flag, that may be used to request client creds implicitly
and asynchronously before dispatching the operation
+* sd-bus: parse addresses given in sd_bus_set_addresses immediately and not
+ only when used. Add unit tests.
+
* make use of ethtool veth peer info in machined, for automatically finding out
host-side interface pointing to the container.
yogas can be recognized as "convertible" too, even if they predate the DMI
"convertible" form factor
-* Maybe add PrivatePIDs= as new unit setting, and do minimal PID namespacing
- after all. Be strict however, only support the equivalent of nspawn's
- --as-pid2 switch, and sanely proxy sd_notify() messages dropping stuff such
- as MAINPID.
-
* Add ExecMonitor= setting. May be used multiple times. Forks off a process in
the service cgroup, which is supposed to monitor the service, and when it
exits the service is considered failed by its monitor.
* add new gpt type for btrfs volumes
-* support empty /etc boots nicely:
- - nspawn/gpt-generator: introduce new gpt partition type for /usr
-
* generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them.
* a way for container managers to turn off getty starting via $container_headless= or so...
service instances processing the listening socket, and open this up
for ReusePort=
-* introduce bus call FreezeUnit(s, b), as well as "systemctl freeze
- $UNIT" and "systemctl thaw $UNIT" as wrappers around this. The calls
- should SIGSTOP all unit processes in a loop until all processes of
- it are fully stopped. This can later be used for app management by
- desktop UIs such as gnome-shell to freeze apps that are not visible
- on screen, not unlike how job control works on the shell
-
* cgroups:
- implement per-slice CPUFairScheduling=1 switch
- introduce high-level settings for RT budget, swappiness
- journald: also get thread ID from client, plus thread name
- journal: when waiting for journal additions in the client always sleep at least 1s or so, in order to minimize wakeups
- add API to close/reopen/get fd for journal client fd in libsystemd-journal.
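Review bot: the removed FreezeUnit design relied on a SIGSTOP loop, which is racy (processes can fork between iterations and anything with permission can SIGCONT them); on cgroup v2 the cgroup.freeze attribute freezes the whole cgroup atomically, so if the item was dropped in favour of that, a short note would help, and if not, the SIGSTOP approach should not be reintroduced.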
- - fallback to /dev/log based logging in libsystemd-journal, if we cannot log natively?
+ - fall back to /dev/log based logging in libsystemd-journal, if we cannot log natively?
- declare the local journal protocol stable in the wiki interface chart
- sd-journal: speed up sd_journal_get_data() with transparent hash table in bg
- journald: when dropping msgs due to ratelimit make sure to write