X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fsystemd.git;a=blobdiff_plain;f=NEWS;h=95685ed7f71102d6bbe42f34349f008e174031d9;hp=e1754231c72fc025b2b303aa7b2361a34c5f32d3;hb=da012db02d85ea990efcc3dbea9cf5473de85fe8;hpb=63b7e7b4ba649e058be77fd9e8e565f39eda513e diff --git a/NEWS b/NEWS index e1754231c72..95685ed7f71 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,6 @@ systemd System and Service Manager -CHANGES WITH 246 in spe: +CHANGES WITH 246: * The service manager gained basic support for cgroup v2 freezer. Units can now be suspended or resumed either using new systemctl verbs, @@ -40,8 +40,8 @@ CHANGES WITH 246 in spe: * .socket units gained a new boolean setting PassPacketInfo=. If enabled, the kernel will attach additional per-packet metadata to all - packets read from the socket, as ancillary message. This controls the - IP_PKTINFO, IPV6_RECVPKTINFO, NETLINK_PKTINFO socket options, + packets read from the socket, as an ancillary message. This controls + the IP_PKTINFO, IPV6_RECVPKTINFO, NETLINK_PKTINFO socket options, depending on socket type. * .service units gained a new setting RootHash= which may be used to 
@@ -74,6 +74,18 @@ CHANGES WITH 246 in spe: notation when the 0o prefix is used and binary notation if the 0b prefix is used. + * Various command line parameters and configuration file settings that + configure key or certificate files now optionally take paths to + AF_UNIX sockets in the file system. If configured that way a stream + connection is made to the socket and the required data read from + it. This is a simple and natural extension to the existing regular + file logic, and permits other software to provide keys or + certificates via simple IPC services, for example when unencrypted + storage on disk is not desired. Specifically, systemd-networkd's + Wireguard and MACSEC key file settings as well as + systemd-journal-gatewayd's and systemd-journal-remote's PEM + key/certificate parameters support this now. + * Unit files, tmpfiles.d/ snippets, sysusers.d/ snippets and other configuration files that support specifier expansion learnt six new specifiers: %a resolves to the current architecture, %o/%w/%B/%W 
@@ -91,6 +103,25 @@ CHANGES WITH 246 in spe: from the documentation, but will now result in warnings when used, and be converted to "journal" and "journal+console" automatically. + * If the service setting User= is set to the "nobody" user, a warning + message is now written to the logs (but the value is nonetheless + accepted). Setting User=nobody is unsafe, since the primary purpose + of the "nobody" user is to own all files whose owner cannot be mapped + locally. It's in particular used by the NFS subsystem and in user + namespacing. By running a service under this user's UID it might get + read and even write access to all these otherwise unmappable files, + which is quite likely a major security problem. + + * tmpfs mounts automatically created by systemd (/tmp, /run, /dev/shm, + and others) now have a size and inode limits applied (50% of RAM for + /tmp and /dev/shm, 10% of RAM for other mounts, etc.) + + * nss-mymachines lost support for resolution of users and groups, and + now only does resolution of hostnames. This functionality is now + provided by nss-systemd. Thus, the 'mymachines' entry should be + removed from the 'passwd:' and 'group:' lines in /etc/nsswitch.conf + (and 'systemd' added if it is not already there). + * A new kernel command line option systemd.hostname= has been added that allows controlling the hostname that is initialized early during boot. 
@@ -132,8 +163,8 @@ CHANGES WITH 246 in spe: enabled by default, please submit a patch that adds it to the database (see /usr/lib/udev/hwdb.d/60-autosuspend.hwdb). - * systemd-udevd gained new configuration option timeout_signal= as well - as corresponding kernel command line option udev.timeout_signal=. + * systemd-udevd gained the new configuration option timeout_signal= as well + as a corresponding kernel command line option udev.timeout_signal=. The option can be used to configure the UNIX signal that the main daemon sends to the worker processes on timeout. Setting the signal to SIGABRT is useful for debugging. 
@@ -147,13 +178,22 @@ CHANGES WITH 246 in spe: * networkd.conf gained a new boolean setting ManageForeignRoutes=. If enabled systemd-networkd manages all routes configured by other tools. + * .network files managed by systemd-networkd gained a new section + [SR-IOV], in order to configure SR-IOV capable network devices. + * systemd-networkd's [IPv6Prefix] section in .network files gained a new boolean setting Assign=. If enabled an address from the prefix is automatically assigned to the interface. - * systemd-networkd's [Network] section gained a new setting - IPv6PDSubnetId= that allows explicit configuration of the preferred - subnet that networkd's Prefix Delegation logic assigns to interfaces. + * systemd-networkd gained a new section [DHCPv6PrefixDelegation] which + controls delegated prefixes assigned by DHCPv6 client. The section + has three settings: SubnetID=, Assign=, and Token=. The setting + SubnetID= allows explicit configuration of the preferred subnet that + systemd-networkd's Prefix Delegation logic assigns to interfaces. If + Assign= is enabled (which is the default) an address from any acquired + delegated prefix is automatically chosen and assigned to the + interface. The setting Token= specifies an optional address generation + mode for Assign=. * systemd-networkd's [Network] section gained a new setting IPv4AcceptLocal=. If enabled the interface accepts packets with local 
@@ -178,12 +218,12 @@ CHANGES WITH 246 in spe: traffic). DataBitRate=, DataSamplePoint=, FDMode=, FDNonISO= have been added to configure various CAN-FD aspects. - * systemd-networkd's [DHCPv6] section gained a new WithoutRA= setting. - If enabled, DHCPv6 will be attempted right-away without requiring an - Router Advertisement packet suggesting it first. Conversely, the - [IPv6AcceptRA] section gained a boolean option DHCPv6Client= that may - be used to turn off the DHCPv6 client even if the RA packets suggest - it. + * systemd-networkd's [DHCPv6] section gained a new option WithoutRA=. + When enabled, DHCPv6 will be attempted right-away without requiring an + Router Advertisement packet suggesting it first (i.e. without the 'M' + or 'O' flags set). The [IPv6AcceptRA] section gained a boolean option + DHCPv6Client= that may be used to turn off the DHCPv6 client even if + the RA packets suggest it. * systemd-networkd's [DHCPv4] section gained a new setting UseGateway= which may be used to turn off use of the gateway information provided @@ -205,6 +245,9 @@ CHANGES WITH 246 in spe: Description"). Support for "MUD" URLs was also added to the LLDP stack, configurable in the [LLDP] section in .network files. + * The Mode= settings in [MACVLAN] and [MACVTAP] now support 'source' + mode. Also, the sections now support a new setting SourceMACAddress=. + * systemd-networkd's .netdev files now support a new setting VLANProtocol= in the [Bridge] section that allows configuration of the VLAN protocol to use. 
@@ -223,11 +266,6 @@ CHANGES WITH 246 in spe: interface which is fully set up for host communication, simply by carefully picking an interface name to use. - * A new boolean option AssignAcquiredDelegatedPrefixAddress= has been - added to the [DHCPv6] section of .network files. If enabled (which is - the default) an address from any acquired delegated prefix is - automatically chosen and assigned to the interface. - * systemd-networkd's [DHCPv6] section gained a new setting RouteMetric= which sets the route priority for routes specified by the DHCP server. @@ -244,10 +282,11 @@ CHANGES WITH 246 in spe: interface. There are new "up" and "down" commands to bring specific interfaces up or down. - * systemd-resolved's DNS= configuration option now optionally accepts - DNS server addresses suffixed by "#" followed by a host name. If - used, the DNS-over-TLS certificate is validated to match the - specified hostname. + * systemd-resolved's DNS= configuration option now optionally accepts a + port number (after ":") and a host name (after "#"). When the host + name is specified, the DNS-over-TLS certificate is validated to match + the specified hostname. Additionally, in case of IPv6 addresses, an + interface may be specified (after "%"). * systemd-resolved may be configured to forward single-label DNS names. This is not standard-conformant, but may make sense in setups where 
@@ -314,6 +353,13 @@ CHANGES WITH 246 in spe: MESSAGE=. This is useful to retrieve a very specific set of fields without any decoration. + * The sd-journal.h API gained two new functions: + sd_journal_enumerate_available_unique() and + sd_journal_enumerate_available_data() that operate like their + counterparts that lack the _available_ in the name, but skip items + that cannot be read and processed by the local implementation + (i.e. are compressed in an unsupported format or such), + * coredumpctl gained a new --file= switch, matching the same one in journalctl: a specific journal file may be specified to read the coredump data from. @@ -367,6 +413,21 @@ CHANGES WITH 246 in spe: storage and file system may now be configured explicitly, too, via the new /etc/systemd/homed.conf configuration file. + * systemd-homed now supports unlocking home directories with FIDO2 + security tokens that support the 'hmac-secret' extension, in addition + to the existing support for PKCS#11 security token unlocking + support. Note that many recent hardware security tokens support both + interfaces. The FIDO2 support is accessible via homectl's + --fido2-device= option. + + * homectl's --pkcs11-uri= setting now accepts two special parameters: + if "auto" is specified and only one suitable PKCS#11 security token + is plugged in, its URL is automatically determined and enrolled for + unlocking the home directory. If "list" is specified a brief table of + suitable PKCS#11 security tokens is shown. Similar, the new + --fido2-device= option also supports these two special values, for + automatically selecting and listing suitable FIDO2 devices. + * The /etc/crypttab tmp option now optionally takes an argument selecting the file system to use. Moreover, the default is now changed from ext2 to ext4. 
@@ -395,15 +456,6 @@ CHANGES WITH 246 in spe: control the inode limit for the per-user $XDG_RUNTIME_DIR tmpfs instance. - * systemd-firstboot gained a new --root-password-hashed= parameter for - setting the root user's password as UNIX password hash. There's a new - --delete-root-password switch which instead of setting a password for - the root user, removes it so that log-in without a password is - permitted. There's now --force which if specified means any existing - configuration is overwritten by the specified settings. It also - gained a new --kernel-command-line= parameter which may be used to - set the /etc/kernel/cmdline file of an OS image. - * A new generator systemd-xdg-autostart-generator has been added. It generates systemd unit files from XDG autostart .desktop files, and may be used to let the systemd user instance manage services that are 
@@ -417,10 +469,16 @@ CHANGES WITH 246 in spe: also gained a new switch --root-password-hashed= which is like --root-password= but accepts a pre-hashed UNIX password as argument. The new option --delete-root-password may be used to unset - any password for the root user (dangerous!). A new --force option may - be used to override any already set settings with the parameters - specified on the command line (by default, the tool will not override - what has already been set before, i.e. is purely incremental). + any password for the root user (dangerous!). The --root-shell= switch + may be used to control the shell to use for the root account. A new + --force option may be used to override any already set settings with + the parameters specified on the command line (by default, the tool + will not override what has already been set before, i.e. is purely + incremental). + + * systemd-firstboot gained support for a new --image= switch, which is + similar to --root= but accepts the path to a disk image file, on + which it then operates. * A new sd-path.h API has been added to libsystemd. It provides a simple API for retrieving various search paths and primary @@ -475,10 +533,10 @@ CHANGES WITH 246 in spe: document the methods, signals and properties. * The expectations on user/group name syntax are now documented in - detail; documentation how classic home directories may be converted - into home directories managed by homed has been added; documentation - regarding integration of homed/userdb functionality in desktops has - been added: + detail; documentation on how classic home directories may be + converted into home directories managed by homed has been added; + documentation regarding integration of homed/userdb functionality in + desktops has been added: https://systemd.io/USER_NAMES https://systemd.io/CONVERTING_TO_HOMED 
@@ -489,10 +547,62 @@ CHANGES WITH 246 in spe: https://systemd.io/JOURNAL_FILE_FORMAT + * The interface for containers (https://systemd.io/CONTAINER_INTERFACE) + has been extended by a set of environment variables that expose + select fields from the host's os-release file to the container + payload. Similarly, host's os-release files can be mounted into the + container underneath /run/host. Together, those mechanisms provide a + standardized way to expose information about the host to the + container payload. Both interfaces are implemented in systemd-nspawn. + * All D-Bus services shipped in systemd now implement the generic LogControl1 D-Bus API which allows clients to change log level + target of the service during runtime. + * Only relevant for developers: the mkosi.default symlink has been + dropped from version control. Please create a symlink to one of the + distribution-specific defaults in .mkosi/ based on your preference. + + Contributions from: 24bisquitz, Adam Nielsen, Alan Perry, Alexander + Malafeev, Amitanand.Chikorde, Alin Popa, Alvin Šipraga, Amos Bird, + Andreas Rammhold, AndreRH, Andrew Doran, Anita Zhang, Ankit Jain, + antznin, Arnaud Ferraris, Arthur Moraes do Lago, Arusekk, Balaji + Punnuru, Balint Reczey, Bastien Nocera, bemarek, Benjamin Berg, + Benjamin Dahlhoff, Benjamin Robin, Chris Down, Chris Kerr, Christian + Göttsche, Christian Hesse, Christian Oder, Ciprian Hacman, Clinton Roy, + codicodi, Corey Hinshaw, Daan De Meyer, Dana Olson, Dan Callaghan, + Daniel Fullmer, Daniel Rusek, Dan Streetman, Dave Reisner, David + Edmundson, David Wood, Denis Pronin, Diego Escalante Urrelo, Dimitri + John Ledkov, dolphrundgren, duguxy, Einsler Lee, Elisei Roca, Emmanuel + Garette, Eric Anderson, Eric DeVolder, Evgeny Vereshchagin, + ExtinctFire, fangxiuning, Ferran Pallarès Roca, Filipe Brandenburger, + Filippo Falezza, Finn, Florian Klink, Florian Mayer, Franck Bui, + Frantisek Sumsal, gaurav, Georg Müller, Gergely Polonkai, Giedrius + Statkevičius, 
Gigadoc2, gogogogi, Gaurav Singh, gzjsgdsb, Hans de + Goede, Haochen Tong, ianhi, ignapk, Jakov Smolic, James T. Lee, Jan + Janssen, Jan Klötzke, Jan Palus, Jay Burger, Jeremy Cline, Jérémy + Rosen, Jian-Hong Pan, Jiri Slaby, Joel Shapiro, Joerg Behrmann, Jörg + Thalheim, Jouke Witteveen, Kai-Heng Feng, Kenny Levinsen, Kevin + Kuehler, Kumar Kartikeya Dwivedi, layderv, laydervus, Lénaïc Huard, + Lennart Poettering, Lidong Zhong, Luca Boccassi, Luca BRUNO, Lucas + Werkmeister, Lukas Klingsbo, Lukáš Nykrýn, Łukasz Stelmach, Maciej + S. Szmigiero, MadMcCrow, Marc-André Lureau, Marcel Holtmann, Marc + Kleine-Budde, Martin Hundebøll, Matthew Leeds, Matt Ranostay, Maxim + Fomin, MaxVerevkin, Michael Biebl, Michael Chapman, Michael Gubbels, + Michael Marley, Michał Bartoszkiewicz, Michal Koutný, Michal Sekletár, + Mike Gilbert, Mike Kazantsev, Mikhail Novosyolov, ml, Motiejus Jakštys, + nabijaczleweli, nerdopolis, Niccolò Maggioni, Niklas Hambüchen, Norbert + Lange, Paul Cercueil, pelzvieh, Peter Hutterer, Piero La Terza, Pieter + Lexis, Piotr Drąg, Rafael Fontenelle, Richard Petri, Ronan Pigott, Ross + Lagerwall, Rubens Figueiredo, satmandu, Sean-StarLabs, Sebastian + Jennen, sterlinghughes, Surhud More, Susant Sahani, szb512, Thomas + Haller, Tobias Hunger, Tom, Tomáš Pospíšek, Tomer Shechner, Tom Hughes, + Topi Miettinen, Tudor Roman, Uwe Kleine-König, Valery0xff, Vito Caputo, + Vladimir Panteleev, Vladyslav Tronko, Wen Yang, Yegor Vialov, Yigal + Korman, Yi Gao, YmrDtnJu, Yuri Chornoivan, Yu Watanabe, Zbigniew + Jędrzejewski-Szmek, Zhu Li, Дамјан Георгиевски, наб + + – Warsaw, 2020-07-30 CHANGES WITH 245:
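Review bot: the new AF_UNIX socket entry in the hunk at @@ -74,6 +74,18 @@ says a stream connection is made and "the required data read from it", but not who is trusted to answer on that socket; since the socket path now stands in for a key file, the entry should state that the ownership and permission expectations that applied to the key file apply to the socket node (or point to the man page section that spells them out), otherwise readers may assume the socket can be served by any local process. Minor: the upstream project names are spelled "WireGuard" and "MACsec", so "Wireguard" and "MACSEC" on the same lines should follow that.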
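Review bot: two grammar issues in the hunk at @@ -91,6 +103,25 @@: "now have a size and inode limits applied" should read "now have size and inode limits applied", and that bullet ends with ")" and no period; "It's in particular used by the NFS subsystem" reads better as "It is used in particular by the NFS subsystem". In the same hunk the nss-mymachines entry buries a required administrator action (editing the 'passwd:' and 'group:' lines in /etc/nsswitch.conf) in its third sentence; lead with the fact that a manual change is needed so upgraders do not miss it.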
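Review bot: the rewritten first line of the hunk at @@ -132,8 +163,8 @@ ("* systemd-udevd gained the new configuration option timeout_signal= as well") now runs to about 79 columns, past the wrap width used by the rest of the file; rewrap the entry so "as well" moves to the next line.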
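Review bot: in the hunk at @@ -147,13 +178,22 @@, "controls delegated prefixes assigned by DHCPv6 client" is missing an article ("by the DHCPv6 client"), and the sentence "The setting Token= specifies an optional address generation mode for Assign=" gives no hint what values Token= accepts; either list the accepted forms or refer to the man page so the entry is actionable. The replacement of the old [Network] IPv6PDSubnetId= text by [DHCPv6PrefixDelegation] SubnetID= is consistent with the removal of AssignAcquiredDelegatedPrefixAddress= in the hunk at @@ -223,11 +266,6 @@, whose "If enabled (which is the default)" wording is carried over to the new Assign= description.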
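Review bot: the hunk at @@ -178,12 +218,12 @@ keeps "without requiring an Router Advertisement packet" from the old text; that should be "a Router Advertisement packet", and "right-away" should be "right away". The added parenthetical "(i.e. without the 'M' or 'O' flags set)" is a useful clarification of which RA flags the WithoutRA= setting bypasses and should stay.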
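Review bot: the DNS= entry in the hunk at @@ -244,10 +282,11 @@ needs two clarifications. First, it says a port number may follow ":" and, for IPv6 addresses, an interface may follow "%", but ":" is also the separator inside an IPv6 address, so the entry should state how a port is combined with an IPv6 address. Second, "When the host name is specified, the DNS-over-TLS certificate is validated to match the specified hostname" can be read as implying that no certificate validation happens without "#"; say what is validated in that case so that administrators do not conclude the host name is optional for a verified DNS-over-TLS setup.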
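Review bot: the sd-journal.h entry in the hunk at @@ -314,6 +353,13 @@ ends with "(i.e. are compressed in an unsupported format or such)," followed by a blank line; the trailing comma should be a period.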
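Review bot: wording in the hunk at @@ -367,6 +413,21 @@: "in addition to the existing support for PKCS#11 security token unlocking support" repeats "support"; "its URL is automatically determined" should say "its URI" to match the --pkcs11-uri= option it describes; and "Similar, the new --fido2-device= option" should be "Similarly, the new --fido2-device= option".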
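Review bot: the entry removed in the hunk at @@ -395,15 +456,6 @@ documented a --kernel-command-line= parameter for systemd-firstboot, but the surviving systemd-firstboot entry visible in the hunk at @@ -417,10 +469,16 @@ lists only --root-password-hashed=, --delete-root-password, --root-shell=, --force and --image=; confirm that --kernel-command-line= appears in the unshown lines above that hunk, or carry it over, so the option is not silently dropped from the release notes.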
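Review bot: in the hunk at @@ -489,10 +547,62 @@, "Similarly, host's os-release files can be mounted into the container underneath /run/host" is missing an article ("the host's os-release files"). The rest of the hunk (mkosi.default note, contributor list, "– Warsaw, 2020-07-30" date line) is release-finalization text and reads fine.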