Features:
-* dissect: when we discover squashfs, don't claim we had a "writable" partition
- in systemd-dissect
+* add a new RuntimeDirectoryPreserve= mode that defines a similar lifecycle for
+ the runtime dir as we maintain for the fdstore: i.e. keep it around as long
+ as the unit is running or has a job queued.
-* systemd-run should have a way how to connect a pair of pipes to
- stdout/stderr/stdin of the invoked service
+* hook up sd-bus' creds stuff with SO_PEERGROUPS
-* set LockPersonality= on all our services
+* add async version of sd_bus_add_match and make use of that
+
+* let's log the "tainted" string at boot
+
+* Add NetworkNamespacePath= to specify a path to a network namespace
+
+* maybe use SOURCE_DATE_EPOCH (i.e. the env var the reproducible builds folks
+ introduced) as the RTC epoch, instead of the mtime of NEWS.
+
+* add a way to lock down cgroup migration: a boolean, which when set for a unit
+ makes sure the processes in it can never migrate out of it
+
+* complain if a unit starts up and there are already processes in its cgroup
+
+* blog about fd store and restartable services
+
+* document Environment=SYSTEMD_LOG_LEVEL=debug drop-in in debugging document
+
+* rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its
+ magic meaning and is no longer upgraded to something else if set explicitly.
+
+* add a way to remove fds from the fdstore by name, and make logind use it
+
+* in the long run: permit a system with /etc/machine-id linked to /dev/null, to
+ make it lose its identity, i.e. be anonymous. For this we'd have to patch
+ through the whole tree to make all code deal with the case where no machine
+ ID is available.
+
+* optionally, collect cgroup resource data, and store it in per-unit RRD files,
+ suitable for processing with rrdtool. Add bus API to access this data, and
+ possibly implement a CPULoad property based on it.
+
+* In journalctl add a way how "-o verbose" and suchlike can be tweaked to show
+ only a specific set of properties
+
+* beef up pam_systemd to take unit file settings such as cgroups properties as
+ parameters
+
+* export UID ranges nspawns's --private-user and DynamicUser= uses in
+ the systemd.pc pkg-config file, the same way we already expose the system
+ user boundary there
+
+* a new "systemd-analyze security" tool outputting a checklist of security
+ features a service does and does not implement
+
+* Whenever we check a UID against the system UID range, also check for the
+ dynamic UID range
+
+* maybe hook of xfs/ext4 quotactl() with services? i.e. automatically manage
+ the quota of a the user indicated in User= via unit file settings, like the
+ other resource management concepts. Would mix nicely with DynamicUser=1
+
+* add dissect_image_warn() as a wrapper around dissect_image() that prints
+ friendly log messages for the returned errors, so that we don't have to
+ duplicate that in nspawn, systemd-dissect and PID 1.
+
+* add "systemctl wait" or so, which does what "systemd-run --wait" does, but
+ for all units. It should be both a way to pin units into memory as well as a
+ wait to retrieve their exit data.
+
+* maybe set a new set of env vars for services, based on RuntimeDirectory=,
+ StateDirectory=, LogsDirectory=, CacheDirectory= and ConfigurationDirectory=
+ automatically. For example, there could be $RUNTIME_DIRECTORY,
+ $STATE_DIRECTORY, $LOGS_DIRECTORY=, $CACHE_DIRECTORY and
+ $CONFIGURATION_DIRECTORY or so. This could be useful to write services that
+ can adapt to varying directories for these purposes. Special care has to be
+ taken if multiple dirs are configured. Maybe avoid setting the env vars in
+ that case?
+
+* introduce SuccessAction= that permits shutting down the system when a service
+ succeeds. This is useful to replace "ExecPost=/usr/bin/systemctl poweroff" and
+ similar constructs, which are frequently used. This is particularly nice for
+ implementation of a systemd.run= kernel command line option that runs some
+ command and immediately shuts down.
+
+* expose IO accounting data on the bus, show it in systemd-run --wait and log
+ about it in the resource log message
+
+* rework unbase64 code to drop whitespace automatically, so that we don't have
+ to drop it first.
+
+* add "systemctl purge" for flushing out configuration, state, logs, ... of a
+ unit when it is stopped
+
+* show whether a service has out-of-date configuration in "systemctl status" by
+ using mtime data of ConfigurationDirectory=.
+
+* replace all uses of fgets() + LINE_MAX by read_line()
* Add AddUser= setting to unit files, similar to DynamicUser=1 which however
creates a static, persistent user rather than a dynamic, transient user. We
diffs remain minimal (in particular: the OUI databases we import are not
sorted, and not stable)
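Review bot: the SuccessAction= item in this hunk gives `"ExecPost=/usr/bin/systemctl poweroff"` as the construct it replaces, but ExecPost= is not a unit file setting; the existing directive is ExecStopPost=, so the example should read `ExecStopPost=/usr/bin/systemctl poweroff`. Also in this hunk: the removed `set LockPersonality= on all our services` has no replacement and nothing in the diff shows it was carried out, so either keep the item or state in the commit message that the shipped units already set it; `$LOGS_DIRECTORY=` carries a stray `=` that its sibling variable names do not; and "maybe hook of xfs/ext4 quotactl()", "the quota of a the user", "a wait to retrieve their exit data" and "add a way how" should read "hook up", "the quota of the user", "a way to retrieve" and "add a way to".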
-* set SystemCallArchitectures=native on all our services
-
* maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for
the sd-journal logging socket, and, if the timeout is set to 0, sets
O_NONBLOCK on it. That way people can control if and when to block for
* tighten sd_notify() MAINPID= checks a bit: don't accept foreign PIDs (i.e.
PIDs not managed by the service manager)
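Review bot: removing `set SystemCallArchitectures=native on all our services` drops a second hardening TODO (after LockPersonality= above) with no evidence in the diff that the units now carry the setting; if this is a "done" cleanup, say so in the commit message, otherwise the line should stay, since a missing SystemCallArchitectures= leaves non-native ABIs reachable from every service that does not set it.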
-* journald: when we recv a log datagram via the native or syslog transports,
- search for the PID in the active stream connections, and let's make sure to
- always process the datagrams before the streams. Then, cache client metadata
- per stream in the stream object. This way we can somewhat fix the race with
- quickly exiting processes which log as long as they had their own stream
- connection...
-
* hostnamed: populate form factor data from a new hwdb database, so that old
yogas can be recognized as "convertible" too, even if they predate the DMI
"convertible" form factor
--as-pid2 switch, and sanely proxy sd_notify() messages dropping stuff such
as MAINPID.
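Review bot: dropping the journald item about looking up datagram senders in the active stream connections also drops the only record of the attribution race it describes (metadata of clients that exit before the datagram is processed); if that race has been fixed, reference the fix, and if not, keep the item, because records attributed to the wrong or an unknown unit weaken the log as an audit trail.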
-* change the dependency Set* objects in Unit structures to become Hashmap*, and
- then store a bit mask who created a specific dependency: the source unit via
- fragment configuration, the destination unit via fragment configuration, or
- the source unit via udev rules (in case of .device units), or any combination
- thereof. This information can then be used to flush out old udev-created
- dependencies when the udev properties change, and eventually to implement a
- "systemctl refresh" operation for reloading the configuration of individual
- units without reloading the whole set.
-
* Add ExecMonitor= setting. May be used multiple times. Forks off a process in
the service cgroup, which is supposed to monitor the service, and when it
exits the service is considered failed by its monitor.
* maybe introduce gpt auto discovery for /var/tmp?
-* set ProtectSystem=strict for all our usual services.
-
-* fix PrivateNetwork= so that we fall back gracefully on kernels lacking
- namespacing support (similar for the other namespacing options)
-
* maybe add gpt-partition-based user management: each user gets his own
LUKS-encrypted GPT partition with a new GPT type. A small nss module
enumerates users via udev partition enumeration. UIDs are assigned in a fixed
then use that for the setting used in user@.service. It should be understood
relative to the configured default value.
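Review bot: `set ProtectSystem=strict for all our usual services.` is removed here and its near-duplicate `switch to ProtectSystem=strict for all our long-running services where that's possible` is removed a few hunks further down, which is a fine cleanup only if the setting has actually landed in the unit files; the other removed item, the graceful fallback for PrivateNetwork= (and the remaining namespacing options) on kernels without namespace support, is a start-failure concern the diff does not show as resolved, so keep it unless the commit message points at the fix.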
-* on cgroupsv2 add DelegateControllers=, to pick the precise cgroup controllers to delegate
-
* in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us
* enable LockMLOCK to take a percentage value relative to physical memory
-* switch to ProtectSystem=strict for all our long-running services where that's possible
-
* Permit masking specific netlink APIs with RestrictAddressFamily=
* nspawn: start UID allocation loop from hash of container name
* DeviceAllow= should also generate seccomp filters for mknod()
-* Add DataDirectory=, CacheDirectory= and LogDirectory= to match
- RuntimeDirectory=, and create it as necessary when starting a service, owned by the right user.
-
* make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
* journalctl: make sure -f ends when the container indicated by -M terminates
prefixed with /sys generally special.
http://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html
-* man: document that unless you use StandardError=null the shell >/dev/stderr won't work in shell scripts in services
-
* fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline
* docs: bring http://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date
* Rework systemctl's GetAll property parsing to use the generic bus_map_all_properties() API
-* implement a per-service firewall based on net_cls
-
* Port various tools to make use of verbs.[ch], where applicable: busctl,
coredumpctl, hostnamectl, localectl, systemd-analyze, timedatectl
* introduce systemd-timesync-wait.service or so to sync on an NTP fix?
-* systemd --user should issue sd_notify() upon reaching basic.target, not on becoming idle
-
* consider showing the unit names during boot up in the status output, not just the unit descriptions
* maybe allow timer units with an empty Units= setting, so that they
* maybe add a generator that looks for "systemd.run=" on the kernel cmdline for container usercases...
-* cgtop: make cgtop useful in a container
-
* test/:
- add 'set -e' to scripts in test/
- make stuff in test/ work with separate output dir
- document that deps in [Unit] sections ignore Alias= fields in
[Install] units of other units, unless those units are disabled
- man: clarify that time-sync.target is not only sysv compat but also useful otherwise. Same for similar targets
- - document the exit codes when services fail before they are exec()ed
- document that service reload may be implemented as service reexec
- document in wiki how to map ical recurrence events to systemd timer unit calendar specifications
- add a man page containing packaging guidelines and recommending usage of things like Documentation=, PrivateTmp=, PrivateNetwork= and ReadOnlyDirectories=/etc /usr.
* cryptsetup:
- cryptsetup-generator: allow specification of passwords in crypttab itself
- - move cryptsetup key caching into kernel keyctl?
- https://bugs.freedesktop.org/show_bug.cgi?id=54982
- support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator
* hw watchdog: optionally try to use the preset watchdog timeout instead of always overriding it
* create /sbin/init symlinks from the build system
+* add a dependency on standard-conf.xml and other included files to man pages
+
* MountFlags=shared acts as MountFlags=slave right now.
* properly handle loop back mounts via fstab, especially regards to fsck/passno
- add trigger --subsystem-match=usb/usb_device device
- reimport udev db after MOVE events for devices without dev_t
-* when a service has the same env var set twice we actually store it twice and return that in systemctl show -p... We should only show the last setting
-
* There's currently no way to cancel fsck (used to be possible via C-c or c on the console)
* add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/
* dot output for --test showing the 'initial transaction'
-* fingerprint.target, wireless.target, gps.target, netdevice.target
-
* pid1:
- - .timer units should optionally support CLOCK_BOOTTIME in addition to CLOCK_MONOTONIC
- When logging about multiple units (stopping BoundTo units, conflicts, etc.),
log both units as UNIT=, so that journalctl -u triggers on both.
- generate better errors when people try to set transient properties
- load-fragment: when loading a unit file via a chain of symlinks
verify that it is not masked via any of the names traversed.
- introduce Type=pid-file
- - ExecOnFailure=/usr/bin/foo
- introduce mix of BindTo and Requisite
- add a concept of RemainAfterExit= to scope units
- - Set NoNewPrivileges= on all of our own services, where that makes sense
- Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely
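Review bot: the removed `Set NoNewPrivileges= on all of our own services, where that makes sense` is the fourth hardening setting dropped from this file in one diff; a one-line summary in the commit message of which of LockPersonality=, SystemCallArchitectures=native, ProtectSystem=strict and NoNewPrivileges= were applied to which units would let a reviewer confirm these items were finished rather than abandoned.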
- - consider adding RuntimeDirectoryUser= + RuntimeDirectoryGroup=
* udev-link-config:
- Make sure ID_PATH is always exported and complete for
* dhcp:
- figure out how much we can increase Maximum Message Size
- - support RFC4702 (pass FQDN)
* dhcp6:
- add functions to set previously stored IPv6 addresses on startup and get
* drop accountsservice's StandardOutput=syslog and Type=dbus fields
-* dbus: in fedora, make /var/lib/dbus/machine-id a symlink to /etc/machine-id
-
* /usr/bin/service should actually show the new command line
* fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus=