From: Zbigniew Jędrzejewski-Szmek Date: Thu, 12 Sep 2024 11:25:12 +0000 (+0200) Subject: NEWS: the first big batch for v257 X-Git-Tag: v257-rc1~465 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dcc359010c0a0d8366ade913bad72acb98f4f0ef;p=thirdparty%2Fsystemd.git NEWS: the first big batch for v257 --- diff --git a/NEWS b/NEWS index b7c33113df8..ef3a5158cd2 100644 --- a/NEWS +++ b/NEWS 
@@ -44,18 +44,244 @@ CHANGES WITH 257 in spe: but it should make the inhibitor logic easier to use and understand, and also help avoiding accidental reboots and shutdowns. New 'delay-weak' and 'block-weak' inhibitor modes were added, if taken they will make - the inhibitor lock work as in the previous versions. + the inhibitor lock work as in the previous versions. Inhibitor locks + can also be taken by remote users (subject to polkit policy). * systemd-nspawn will now mount the unified cgroup hierarchy into a container if no systemd installation is found in a container's root filesystem. `$SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=0` can be used to override this behavior. + libsystemd: + + * New sd-json component is now available as part of libsystemd. The + goal of the library is to allow structures to be conveniently + created in C code and serialized to JSON, and for JSON to + conveniently deserialized into in-memory structures, using callbacks + to handle specific keys. Various data types like integers, floats, + booleans, strings, UUIDs, hex-encoded strings, and arrays are + supported natively. + + Service and system management: + + * Environment variable $REMOTE_ADDR is now set when using socket + activation for AF_UNIX sockets. + + * Multipath TCP (MPTCP) is now supported as a socket protocol. + + * New crypttab options fido2-pin=, fido2-up=, fido2-uv= can be used to + enable/disable the PIN query, User Presence check, and User + Verification. + + * New crypttab option password-cache=yes|no|read-only can be used to + customize password caching. + + * New fstab option x-systemd.wants= creates "Wants" dependencies. + (This is similar to the previously available x-systemd.requires=.) + + * The initialization of the system clock during boot and updates has + been simplified: either pid1 or systemd-timesyncd will pick the + latest time as indicated by the compiled-in epoch, + /usr/lib/clock-epoch, and /var/lib/systemd/timesync/clock. 
See + systemd(1) for an detailed updated description. + + * Ctrl-Alt-Delete is reenabled during late shutdown, so that the user + can still initiate a reboot if the system freezes. + + * Unit option PrivateUsers=identity can be used to request a user + namespace with an identity mapping for the first 65536 UIDs/GIDs. + This is analogous to the systemd-nspawn's --private-users=identity. + + * Unit option PrivateTmp=disconnected can be used to specify that a + separate tmpfs instance should be used for /tmp and /var/tmp for the + unit. + + * A new sleep.conf HibernateOnACPower= option can be used to enable + hibernation in suspend-then-hibernate mode even when connected to a + power source. + + * udev rules now set 'uaccess' for /dev/udmabuf, giving locally + logged-in users access to the hardware. This is necessary to support + IPMI cameras with libcamera. + + * New RELEASE_TYPE= and EXPERIMENT= fields are documented for the + os-release file. For example, "RELEASE_TYPE=development|stable|lts" + can be used to indicate various stages of the release life cycle, + and "RELEASE_TYPE=experimental" can indicate experimental builds, + with the EXPERIMENT= field providing a human-readable description of + the nature of the experiment. + + * The manager (and various other tools too) use pidfds in more places + to refer to processes. + + * A bunch of patches to ease building against musl have been merged. + + * A build option -D link-executor-shared=false can be used to build + the systemd-executor binary (added in the previous release) in a way + where it does not link to shared libsystemd-shared-….so library. + PID1 holds a reference to the executor binary that was on disk when + the manager was started or restarted, but the shared libraries it is + linked to are not loaded until the executor binary needs to be used. 
+ This partial static linking is a workaround for the issue where, + during upgrades, the old libsystemd-shared-….so may have already + been removed and the pinned executor binary will just fail to + execute. + + systemd-logind: + + * New DesignatedMaintenanceTime= configuration option allows + shutdowns to be automatically scheduled at the specified time. + + * logind now reacts to Ctrl-Alt-Shift-Esc being pressed. It will send + out a org.freedesktop.login1.SecureAttentionKey signal, indicating a + request by the user for the system to display a secure login dialog. + The handling of SAK can be suppressed in logind configuration. + + systemd-machined: + + * Unprivileged clients are now allowed to register VMs and containers. + Machines started via the systemd-vmspawn@.service unit will now be + registered with systemd-machined. + systemd-resolved: - * 'resolvconf' command now supports '-p' switch. If specified, the + * resolvconf command now supports '-p' switch. If specified, the interface will not be used as the default route. + * resolvectl now allows interactive polkit authorization. It gained a + --no-ask-password option to suppress it. + + systemd-networkd and networkctl: + + * IPv6 address labels can be configured in a new [IPv6AddressLabel] + section with Prefix= and Label= settings. + + * 'networkctl edit' can now read the new contents from standard input + with the new --stdin option. + + * networkctl gained a --no-ask-password option to suppress interactive + polkit authorization. + + systemd-boot, systemd-stub, and related tools: + + * The EFI stub now supports loading of .ucode sections with microcode + from addons. + + * A new .profile PE section type is now documented and supported in + systemd-measure, ukify, systemd-stub and systemd-boot. 
Those new + sections allow multiple "profiles" to be stored together in the UKI, + with .profile sections creating groupings the UKI, allowing some + sections to be shared and other sections like .cmdline or .initrd + unique to the profile. + + * ukify gained an --extend switch to import an existing UKI to + be extended, and a --measure-base= switch to support measurement + of multi-profile UKIs. + + The journal: + + * journalctl can now list invocations of a unit with the + --list-invocation options and show logs for a specific invocation + with the new --invocation/-I option. (This is analogous to the + --list-boots/--boot/-b options.) + + systemd-sysupdate and related tools: + + * systemd-sysupdate can be run as system service, allowing + unprivileged clients to update the system via D-Bus calls. + + A new updatectl command-line tool can be used to control the + service. + + * systemd-sysupdate gained a new --offline option to force it to + operate locally. This is useful when listing locally installed + versions. + + * systemd-sysupdate gained a new --transfer-source= option to set the + directory to which transfer sources cofigured with + PathRelativeTo=explicit will be interpreted. + + Miscellaneous: + + * systemctl now supports the --now option with the 'reenable' verb. + + * systemd-analyze will now show the SMBIOS #11 vendor strings set for + the machine with a new 'smbios11' verb. + + * systemd-analyze gained a new --instance= option that can be used to + provide an instance name to analyze multiple templates instantiated + with the same instance name. + + * The 'tpm2' verb which lists usable TPM2 devices has been moved from + systemd-creds to systemd-analyze. + + * varlinkctl gained a new verb 'list-methods' to show a list of + methods implemented by a service. + + * varlinkctl gained a --quiet/-q option to suppress method call + replies. + + * varlinkctl gained a --graceful= option to suppress specified Varlink + errors. 
+ + * varlinkctl gained a --timeout= option to limit how long the + invocation can take. + + * varlinkctl allows remote invocations over ssh, via the new + "ssh-exec:" address specification. It'll make an ssh connection, + start the specified executable on the remote, and communicate with + the remote process using the Varlink protocol. + + "ssh:" address specification has been renamed to "ssh-unix:". + (The old syntax is still supported for backwards compatibility.) + + * bootctl gained a --random-seed=yes|no option to control provisioning + of the random seed file in ESP. (This is useful when producing an + image that will be used multiple times.) + + * systemd-cryptenroll gained new options -fido2-salt-file= and + --fido2-parameters-in-header= to simplify manual enrollment of FIDO2 + tokens. + + * systemd-cryptenroll, systemd-repart, and systemd-storagetm gained a + new --list-devices option to list appropriate candidate block + devices. + + * systemd-repart's CopyBlocks= directive can now use a char device as + source (in addition to previously supported regular files and block + devices). + + * systemd-repart gained a new Compression= and CompressionLevel= + settings to enable internal compression in filesystems created + offline. + + * systemd-repart understands a new MakeSymlinks= option to create one + or more symlinks (each specified as a symlink name and target). + + * systemd-mount can now output JSON with a new --json= switch. + + * A new generator sytemd-import-generator has been added to + synthetisize image download jobs. This provides functionality + similar to importctl, but configured via the kernel command line and + system credentials. + + * systemd-inhibit now allows interactive polkit authorization. It + gained a --no-ask-password option to suppress it. + + * systemd-id128 gained a new 'var-partition-uuid' verb to calculate + the DPS UUID for /var/ keyed by the local machine-id. 
+ + * locatectl gained a -l/--full option to show output without + ellipsization. + + * 'busctl monitor' gained new options --num-matches= and --timeout= + to set the number of matches or limit the runtime of the command. + This is intended to be used in scripts. + + * systemd-run can output some data as JSON via the new --json= option. + + * timedatectl now supports interactive polkit authorization. + — , CHANGES WITH 256:
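Review bot: The systemd-machined entry ("Unprivileged clients are now allowed to register VMs and containers") and the systemd-sysupdate entry ("allowing unprivileged clients to update the system via D-Bus calls") do not say what authorizes those calls, whereas the inhibitor-lock entry at the top of the hunk adds "(subject to polkit policy)"; please state the gating mechanism in both entries so administrators know which policy to review. In the Miscellaneous section the systemd-cryptenroll entry spells its first option with a single dash, "-fido2-salt-file=", next to "--fido2-parameters-in-header="; readers copy option names from NEWS, so it should read "--fido2-salt-file=". Spelling and grammar in the added lines: "for JSON to conveniently deserialized" (missing "be"), "an detailed updated description", "creating groupings the UKI" (a preposition is missing), "cofigured", "sytemd-import-generator", "synthetisize", and "locatectl" in the -l/--full entry, which looks like a misspelling of localectl.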