X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fsystemd.git;a=blobdiff_plain;f=NEWS;h=e5a66126479b3213d978462dd9fc24ed7c0edba4;hp=f61262fd570c6c2777663b0f412a0afee2c5ee91;hb=1a31d050f26834efdd6bfc5bdd233a2ec11cf294;hpb=9fa326b18aef0c1e5c80e23a5b41de02155e6f7e diff --git a/NEWS b/NEWS index f61262fd570..e5a66126479 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,387 @@ systemd System and Service Manager +CHANGES WITH 243 in spe: + + * Previously, filters defined with SystemCallFilter= would have the + effect that an calling an offending system call would terminate the + calling thread. This behaviour never made much sense, since killing + individual threads of unexpecting processes is likely to create more + problems than it solves. With this release the default action changed + from killing the thread to killing the whole process. For this to + work correctly both a kernel version (>= 4.14) and a libseccomp + version (>= 2.4.0) supporting this new seccomp action is required. If + an older kernel or libseccomp is used the old behaviour continues to + be used. This change does not affect any services that have no system + call filters defined, or that use SystemCallErrorNumber= (and thus + see EPERM or another error instead of being killed when calling an + offending system call). Note that systemd documentation always + claimed that the whole process is killed. With this change behaviour + is thus adjusted to match the documentation. + + * The "kernel.pid_max" sysctl is now bumped to 4194304 by default, + i.e. the full 22bit range the kernel allows, up from the old 16bit + range. This should improve security and robustness a bit, as PID + collisions are made less likely (though certainly still + possible). There are rumours this might create compatibility + problems, though at this moment no practical ones are known to + us. Downstream distributions are hence advised to undo this change in + their builds if they are concerned about maximum compatibility, but + for everybody else we recommend leaving the value bumped. Besides + improving security and robustness this should also simplify things as + the maximum number of allowed concurrent tasks was previously bounded + by both "kernel.pid_max" and "kernel.threads-max" and now only a + single knob is left ("kernel.threads-max"). There have been concerns + that usability is affected by this change because larger PID numbers + are harder to type, but we believe the change from 5 digit PIDs to 7 + digit PIDs is not too hampering for usability. + + * MemoryLow and MemoryMin gained hierarchy-aware counterparts, + DefaultMemoryLow and DefaultMemoryMin, which can be used to + hierarchically set default memory protection values for a particular + subtree of the unit hierarchy. + + * Memory protection directives can now take a value of zero, allowing + explicit opting out of a default value propagated by an ancestor. + + * systemd now defaults to the "unified" cgroup hierarchy setup during + build-time, i.e. -Ddefault-hierarchy=unified is now the build-time + default. Previously, -Ddefault-hierarchy=hybrid was the default. This + change reflects the fact that cgroupsv2 support has matured + substantially in both systemd and in the kernel, and is clearly the + way forward. Downstream production distributions might want to + continue to use -Ddefault-hierarchy=hybrid (or even =legacy) for + their builds as unfortunately the popular container managers have not + caught up with the kernel API changes. + + * Man pages are not built by default anymore (html pages were already + disabled by default), to make development builds quicker. When + building systemd for a full installation with documentation, meson + should be called -Dman=true and/or -Dhtml=true as appropriate. The + default was changed based on the assumption that quick one-off or + repeated development builds are much more common than full optimized + builds for installation, and people need to pass various other + options to when doing "proper" builds anyway, so the gain from making + development builds quicker is bigger than the one time disruption for + packagers. + + Two scripts are created in the *build* directory to generate and + preview man and html pages on demand, e.g.: + + build/man/man systemctl + build/man/html systemd.index + + * The D-Bus "wire format" for CPUAffinity attribute is changed on + big-endian machines. Before, bytes were written and read in native + machine order as exposed by the native libc __cpu_mask interface. + Now, little-endian order is always used (CPUs 0–7 are described by + bits 0–7 in byte 0, CPUs 8–15 are described by byte 1, and so on). + This change fixes D-Bus calls that cross endianness boundary. + + The presentation format used for CPUAffinity by systemctl show and + systemd-analyze dump is changed to present CPU indices instead of the + raw __cpu_mask bitmask. For example, CPUAffinity=0-1 would be shown + as CPUAffinity=03000000000000000000000000000… (on little-endian) or + CPUAffinity=00000000000000300000000000000… (on 64-bit big-endian), + and is now shown as CPUAffinity=0-1, matching the input format. The + maximum integer that will be printed in new format is 8191 (four + digits), while the old format always used a very long number (with + the length varying by architecture), so they can be unambiguously + distinguished. + + * /usr/sbin/halt.local is no longer supported. Implementation in + distributions was inconsistent and it seems this functionality was + very rarely used. + + To replace this functionality, users should: + - either define a new unit and make it a dependency of final.target + (systemctl add-wants final.target my-halt-local.service) + - or move the shutdown script to /usr/lib/systemd/system-shutdown/ + and ensure that it accepts "halt", "poweroff", "reboot", and + "kexec" as an argument, see the description in systemd-shutdown(8). + + * When a [Match] section in .link or .network file is empty (contains + no match patterns), a warning will be emitted. Please add any "match + all" pattern instead, e.g. OriginalName=* or Name=* in case all + interfaces should really be matched. + + … + +CHANGES WITH 242: + + * In .link files, MACAddressPolicy=persistent (the default) is changed + to cover more devices. For devices like bridges, tun, tap, bond, and + similar interfaces that do not have other identifying information, + the interface name is used as the basis for persistent seed for MAC + and IPv4LL addresses. The way that devices that were handled + previously is not changed, and this change is about covering more + devices then previously by the "persistent" policy. + + MACAddressPolicy=random may be used to force randomized MACs and + IPv4LL addresses for a device if desired. + + Hint: the log output from udev (at debug level) was enhanced to + clarify what policy is followed and which attributes are used. + `SYSTEMD_LOG_LEVEL=debug udevadm test-builtin net_setup_link /sys/class/net/` + may be used to view this. + + Hint: if a bridge interface is created without any slaves, and gains + a slave later, then now the bridge does not inherit slave's MAC. + To inherit slave's MAC, for example, create the following file: + ``` + # /etc/systemd/network/98-bridge-inherit-mac.link + [Match] + Type=bridge + + [Link] + MACAddressPolicy=none + ``` + + * The .device units generated by systemd-fstab-generator and other + generators do not automatically pull in the corresponding .mount unit + as a Wants= dependency. This means that simply plugging in the device + will not cause the mount unit to be started automatically. But please + note that the mount unit may be started for other reasons, in + particular if it is part of local-fs.target, and any unit which + (transitively) depends on local-fs.target is started. + + * networkctl list/status/lldp now accept globbing wildcards for network + interface names to match against all existing interfaces. + + * The $PIDFILE environment variable is set to point the absolute path + configured with PIDFile= for processes of that service. + + * The fallback DNS server list was augmented with Cloudflare public DNS + servers. Use `-Ddns-servers=` to set a different fallback. + + * A new special target usb-gadget.target will be started automatically + when a USB Device Controller is detected (which means that the system + is a USB peripheral). + + * A new unit setting CPUQuotaPeriodSec= assigns the time period + relatively to which the CPU time quota specified by CPUQuota= is + measured. + + * A new unit setting ProtectHostname= may be used to prevent services + from modifying hostname information (even if they otherwise would + have privileges to do so). + + * A new unit setting NetworkNamespacePath= may be used to specify a + namespace for service or socket units through a path referring to a + Linux network namespace pseudo-file. + + * The PrivateNetwork= setting and JoinsNamespaceOf= dependencies now + have an effect on .socket units: when used the listening socket is + created within the configured network namespace instead of the host + namespace. + + * ExecStart= command lines in unit files may now be prefixed with ':' + in which case environment variable substitution is + disabled. (Supported for the other ExecXYZ= settings, too.) + + * .timer units gained two new boolean settings OnClockChange= and + OnTimezoneChange= which may be used to also trigger a unit when the + system clock is changed or the local timezone is + modified. systemd-run has been updated to make these options easily + accessible from the command line for transient timers. + + * Two new conditions for units have been added: ConditionMemory= may be + used to conditionalize a unit based on installed system + RAM. ConditionCPUs= may be used to conditionalize a unit based on + installed CPU cores. + + * The @default system call filter group understood by SystemCallFilter= + has been updated to include the new rseq() system call introduced in + kernel 4.15. + + * A new time-set.target has been added that indicates that the system + time has been set from a local source (possibly imprecise). The + existing time-sync.target is stronger and indicates that the time has + been synchronized with a precise external source. Services where + approximate time is sufficient should use the new target. + + * "systemctl start" (and related commands) learnt a new + --show-transaction option. If specified brief information about all + jobs queued because of the requested operation is shown. + + * systemd-networkd recognizes a new operation state 'enslaved', used + (instead of 'degraded' or 'carrier') for interfaces which form a + bridge, bond, or similar, and an new 'degraded-carrier' operational + state used for the bond or bridge master interface when one of the + enslaved devices is not operational. + + * .network files learnt the new IgnoreCarrierLoss= option for leaving + networks configured even if the carrier is lost. + + * The RequiredForOnline= setting in .network files may now specify a + minimum operational state required for the interface to be considered + "online" by systemd-networkd-wait-online. Related to this + systemd-networkd-wait-online gained a new option --operational-state= + to configure the same, and its --interface= option was updated to + optionally also take an operational state specific for an interface. + + * systemd-networkd-wait-online gained a new setting --any for waiting + for only one of the requested interfaces instead of all of them. + + * systemd-networkd now implements L2TP tunnels. + + * Two new .network settings UseAutonomousPrefix= and UseOnLinkPrefix= + may be used to cause autonomous and onlink prefixes received in IPv6 + Router Advertisements to be ignored. + + * New MulticastFlood=, NeighborSuppression=, and Learning= .network + file settings may be used to tweak bridge behaviour. + + * The new TripleSampling= option in .network files may be used to + configure CAN triple sampling. + + * A new .netdev settings PrivateKeyFile= and PresharedKeyFile= may be + used to point to private or preshared key for a WireGuard interface. + + * /etc/crypttab now supports the same-cpu-crypt and + submit-from-crypt-cpus options to tweak encryption work scheduling + details. + + * systemd-tmpfiles will now take a BSD file lock before operating on a + contents of directory. This may be used to temporarily exclude + directories from aging by taking the same lock (useful for example + when extracting a tarball into /tmp or /var/tmp as a privileged user, + which might create files with really old timestamps, which + nevertheless should not be deleted). For further details, see: + + https://systemd.io/TEMPORARY_DIRECTORIES + + * systemd-tmpfiles' h line type gained support for the + FS_PROJINHERIT_FL ('P') file attribute (introduced in kernel 4.5), + controlling project quota inheritance. + + * sd-boot and bootctl now implement support for an Extended Boot Loader + (XBOOTLDR) partition, that is intended to be mounted to /boot, in + addition to the ESP partition mounted to /efi or /boot/efi. + Configuration file fragments, kernels, initrds and other EFI images + to boot will be loaded from both the ESP and XBOOTLDR partitions. + The XBOOTLDR partition was previously described by the Boot Loader + Specification, but implementation was missing in sd-boot. Support for + this concept allows using the sd-boot boot loader in more + conservative scenarios where the boot loader itself is placed in the + ESP but the kernels to boot (and their metadata) in a separate + partition. + + * A system may now be booted with systemd.volatile=overlay on the + kernel command line, which causes the root file system to be set up + an overlayfs mount combining the root-only root directory with a + writable tmpfs. In this setup, the underlying root device is not + modified, and any changes are lost at reboot. + + * Similar, systemd-nspawn can now boot containers with a volatile + overlayfs root with the new --volatile=overlay switch. + + * systemd-nspawn can now consume OCI runtime bundles using a new + --oci-bundle= option. This implementation is fully usable, with most + features in the specification implemented, but since this a lot of + new code and functionality, this feature should most likely not + be used in production yet. + + * systemd-nspawn now supports various options described by the OCI + runtime specification on the command-line and in .nspawn files: + --inaccessible=/Inaccessible= may be used to mask parts of the file + system tree, --console=/--pipe may be used to configure how standard + input, output, and error are set up. + + * busctl learned the `emit` verb to generate D-Bus signals. + + * systemd-analyze cat-config may be used to gather and display + configuration spread over multiple files, for example system and user + presets, tmpfiles.d, sysusers.d, udev rules, etc. + + * systemd-analyze calendar now takes an optional new parameter + --iterations= which may be used to show a maximum number of iterations + the specified expression will elapse next. + + * The sd-bus C API gained support for naming method parameters in the + introspection data. + + * systemd-logind gained D-Bus APIs to specify the "reboot parameter" + the reboot() system call expects. + + * journalctl learnt a new --cursor-file= option that points to a file + from which a cursor should be loaded in the beginning and to which + the updated cursor should be stored at the end. + + * ACRN hypervisor and Windows Subsystem for Linux (WSL) are now + detected by systemd-detect-virt (and may also be used in + ConditionVirtualization=). + + * The behaviour of systemd-logind may now be modified with environment + variables $SYSTEMD_REBOOT_TO_FIRMWARE_SETUP, + $SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU, and + $SYSTEMD_REBOOT_TO_BOOT_LOADER_ENTRY. They cause logind to either + skip the relevant operation completely (when set to false), or to + create a flag file in /run/systemd (when set to true), instead of + actually commencing the real operation when requested. The presence + of /run/systemd/reboot-to-firmware-setup, + /run/systemd/reboot-to-boot-loader-menu, and + /run/systemd/reboot-to-boot-loader-entry, may be used by alternative + boot loader implementations to replace some steps logind performs + during reboot with their own operations. + + * systemctl can be used to request a reboot into the boot loader menu + or a specific boot loader entry with the new --boot-load-menu= and + --boot-loader-entry= options to a reboot command. (This requires a + boot loader that supports this, for example sd-boot.) + + * kernel-install will no longer unconditionally create the output + directory (e.g. /efi//) for boot loader + snippets, but will do only if the machine-specific parent directory + (i.e. /efi//) already exists. bootctl has been modified + to create this parent directory during sd-boot installation. + + This makes it easier to use kernel-install with plugins which support + a different layout of the bootloader partitions (for example grub2). + + * During package installation (with `ninja install`), we would create + symlinks for getty@tty1.service, systemd-networkd.service, + systemd-networkd.socket, systemd-resolved.service, + remote-cryptsetup.target, remote-fs.target, + systemd-networkd-wait-online.service, and systemd-timesyncd.service + in /etc, as if `systemctl enable` was called for those units, to make + the system usable immediately after installation. Now this is not + done anymore, and instead calling `systemctl preset-all` is + recommended after the first installation of systemd. + + * A new boolean sandboxing option RestrictSUIDSGID= has been added that + is built on seccomp. When turned on creation of SUID/SGID files is + prohibited. + + * The NoNewPrivileges= and the new RestrictSUIDSGID= options are now + implied if DynamicUser= is turned on for a service. This hardens + these services, so that they neither can benefit from nor create + SUID/SGID executables. This is a minor compatibility breakage, given + that when DynamicUser= was first introduced SUID/SGID behaviour was + unaffected. However, the security benefit of these two options is + substantial, and the setting is still relatively new, hence we opted + to make it mandatory for services with dynamic users. + + Contributions from: Adam Jackson, Alexander Tsoy, Andrey Yashkin, + Andrzej Pietrasiewicz, Anita Zhang, Balint Reczey, Beniamino Galvani, + Ben Iofel, Benjamin Berg, Benjamin Dahlhoff, Chris, Chris Morin, + Christopher Wong, Claudius Ellsel, Clemens Gruber, dana, Daniel Black, + Davide Cavalca, David Michael, David Rheinsberg, emersion, Evgeny + Vereshchagin, Filipe Brandenburger, Franck Bui, Frantisek Sumsal, + Giacinto Cifelli, Hans de Goede, Hugo Kindel, Ignat Korchagin, Insun + Pyo, Jan Engelhardt, Jonas Dorel, Jonathan Lebon, Jonathon Kowalski, + Jörg Sommer, Jörg Thalheim, Jussi Pakkanen, Kai-Heng Feng, Lennart + Poettering, Lubomir Rintel, Luís Ferreira, Martin Pitt, Matthias + Klumpp, Michael Biebl, Michael Niewöhner, Michael Olbrich, Michal + Sekletar, Mike Lothian, Paul Menzel, Piotr Drąg, Riccardo Schirone, + Robin Elvedi, Roman Kulikov, Ronald Tschalär, Ross Burton, Ryan + Gonzalez, Sebastian Krzyszkowiak, Stephane Chazelas, StKob, Susant + Sahani, Sylvain Plantefève, Szabolcs Fruhwald, Taro Yamada, Theo + Ouzhinski, Thomas Haller, Tobias Jungel, Tom Yan, Tony Asleson, Topi + Miettinen, unixsysadmin, Van Laser, Vesa Jääskeläinen, Yu, Li-Yu, + Yu Watanabe, Zbigniew Jędrzejewski-Szmek + + — Warsaw, 2019-04-11 + CHANGES WITH 241: * The default locale can now be configured at compile time. Otherwise, @@ -468,7 +850,7 @@ CHANGES WITH 240: * Journal messages that are generated whenever a unit enters the failed state are now tagged with a unique MESSAGE_ID. Similarly, messages generated whenever a service process exits are now made recognizable, - too. A taged message is also emitted whenever a unit enters the + too. A tagged message is also emitted whenever a unit enters the "dead" state on success. * systemd-run gained a new switch --working-directory= for configuring @@ -710,7 +1092,7 @@ CHANGES WITH 239: not created by systemd-sysusers anymore. NOTE: This has a chance of breaking nss-ldap and similar NSS modules - that embedd a network facing module into any process using getpwuid() + that embed a network facing module into any process using getpwuid() or related call: the dynamic allocation of the user ID for systemd-resolved.service means the service manager has to check NSS if the user name is already taken when forking off the service. Since @@ -979,7 +1361,7 @@ CHANGES WITH 239: PrivateDevices=, ProtectSystem=, …) are used. This option is hence primarily useful for services that do not use any of the other file system namespacing options. One such service is systemd-udevd.service - wher this is now used by default. + where this is now used by default. * ConditionSecurity= gained a new value "uefi-secureboot" that is true when the system is booted in UEFI "secure mode". @@ -1957,12 +2339,14 @@ CHANGES WITH 234: systemd-logind to be safe. See https://cgit.freedesktop.org/xorg/xserver/commit/?id=dc48bd653c7e101.) - * All kernel install plugins are called with the environment variable + * All kernel-install plugins are called with the environment variable KERNEL_INSTALL_MACHINE_ID which is set to the machine ID given by - /etc/machine-id. If the file is missing or empty, the variable is - empty and BOOT_DIR_ABS is the path of a temporary directory which is - removed after all the plugins exit. So, if KERNEL_INSTALL_MACHINE_ID - is empty, all plugins should not put anything in BOOT_DIR_ABS. + /etc/machine-id. If the machine ID could not be determined, + $KERNEL_INSTALL_MACHINE_ID will be empty. Plugins should not put + anything in the entry directory (passed as the second argument) if + $KERNEL_INSTALL_MACHINE_ID is empty. For backwards compatibility, a + temporary directory is passed as the entry directory and removed + after all the plugins exit. Contributions from: Adrian Heine né Lang, Aggelos Avgerinos, Alexander Kurtz, Alexandros Frantzis, Alexey Brodkin, Alex Lu, Amir Pakdel, Amir @@ -5688,7 +6072,7 @@ CHANGES WITH 214: * We temporarily dropped the "-l" switch for fsck invocations, since they collide with the flock() logic above. util-linux upstream has been changed already to avoid this conflict, - and we will readd "-l" as soon as util-linux with this + and we will re-add "-l" as soon as util-linux with this change has been released. * The dependency on libattr has been removed. Since a long @@ -5746,7 +6130,7 @@ CHANGES WITH 214: * Socket units gained a new Symlinks= setting. It takes a list of symlinks to create to file system sockets or FIFOs created by the specific Unix sockets. This is useful to - manage symlinks to socket nodes with the same life-cycle as + manage symlinks to socket nodes with the same lifecycle as the socket itself. * The /dev/log socket and /dev/initctl FIFO have been moved to @@ -5974,7 +6358,7 @@ CHANGES WITH 213: where the local administrator's configuration in /etc always overrides any other settings. - Contributions fron: Ali H. Caliskan, Alison Chaiken, Bas van + Contributions from: Ali H. Caliskan, Alison Chaiken, Bas van den Berg, Brandon Philips, Cristian Rodríguez, Daniel Buch, Dan Kilman, Dave Reisner, David Härdeman, David Herrmann, David Strauss, Dimitris Spingos, Djalal Harouni, Eelco @@ -6054,7 +6438,7 @@ CHANGES WITH 212: users who are logged out cannot continue to consume IPC resources. This covers SysV memory, semaphores and message queues as well as POSIX shared memory and message - queues. Traditionally, SysV and POSIX IPC had no life-cycle + queues. Traditionally, SysV and POSIX IPC had no lifecycle limits. With this functionality, that is corrected. This may be turned off by using the RemoveIPC= switch of logind.conf. @@ -6204,7 +6588,7 @@ CHANGES WITH 211: systemd-networkd. * The sd-bus.h bus API gained a new sd_bus_track object for - tracking the life-cycle of bus peers. Note that sd-bus.h is + tracking the lifecycle of bus peers. Note that sd-bus.h is still not a public API though (unless you specify --enable-kdbus on the configure command line, which however voids your warranty and you get no API stability guarantee).