systemd System and Service Manager
+CHANGES WITH 250 in spe:
+
+ * Support for encrypted and authenticated credentials has been
+ added. This extends the credentials logic introduced with v247 to
+ support non-interactive symmetric encryption and authentication,
+ based on a key that is stored on the /var/ file system or in the TPM2
+ chip (if available), or the combination of both (by default if a TPM2
+ chip exists the combination is used, otherwise the /var/ key
+ only). The credentials are automatically decrypted at the moment a
+ service is started, and are made accessible to the service itself in
+ unencrypted form. A new tool `systemd-creds` has been added to
+ encrypt credentials for this purpose, and two new service file
+ settings LoadCredentialEncrypted= and SetCredentialEncrypted= have
+ been added to configure encrypted credentials prepared that way. This
+ feature is useful for ensuring sensitive material such as SSL
+ certificates, passwords and similar are stored securely when at rest
+ and only decrypted when needed, and in a way that can be reproduced
+ only on the local OS installation and hardware.
+
+ * systemd-gpt-auto-generator can now automatically set up discoverable
+ LUKS2 encrypted swap partitions.
+
+ * The GPT Discoverable Partitions Specification has been updated
+ substantially to support Root and /usr/ partitions for the majority
+ of architectures systemd supports. This include platforms that do not
+ natively support UEFI. Even though GPT is specified under UEFI
+ umbrella its useful on other systems too. Specifically,
+ systemd-nspawn, systemd-sysext, systemd-gpt-auto-generator and
+ Portable Services make heavy use of the concept, none of which are
+ specific to UEFI.
+
+ * The GPT Discoverable Partitions Specifications has learnt a new set
+ of partitions that may carry PKCS#7 signatures for Verity partitions,
+ encoded in a simple JSON format. This implements a simple mechanism
+ for building disk images that are fully authenticated and can be
+ tested against a set of cryptographic certificates. This is now
+ implemented for the various systemd tools that can operate with disk
+ images, such as systemd-nspawn, systemd-sysext, systemd-dissect,
+ Portable services/RootImage=, systemd-tmpfiles, systemd-sysusers, and
+ so on. The PKCS#7 signatures are passed to the kernel (where they are
+ checked against certificates from the kernel keyring), or can be
+ verified against certificates provided in userspace (via a simple
+ drop-in file mechanism).
+
+ * systemd-dissect's inspection logic will now report for which uses a
+ disk image is intended. Specifically, it will display whether an
+ image is suitable for booting on UEFI or in a container (using
+ systemd-nspawn's --image= switch), whether it can be used as portable
+ service, or attached as system extension.
+
+ * The system-extension.d/ drop-in files now support a new field
+ SYSEXT_SCOPE= that may encode which purpose a system extension image
+ is for: one of "initrd", "system" or "portable". This is useful to
+ make images more self-descriptive, and to ensure system extensions
+ cannot be attached in the wrong contexts.
+
+ * The os-release file learnt a new PORTABLE_PREFIXES= field which may
+ be used in portable service images to indicate which unit prefixes
+ are supported.
+
+ * The GPT image dissection logic in systemd-nspawn/systemd-dissect/…
+ now is able to decode images for non-native architectures as well.
+
+ * systemd-logind gained a new settings HandlePowerKeyLongPress=,
+ HandleRebootKeyLongPress=, HandleSuspendKeyLongPress= and
+ HandleHibernateKeyLongPress= which may be used to configure actions
+ when the relevant keys are pressed for more than 5s. This is useful
+ on devices that only have hardware for a subset of these keys. By
+ default, if the reboot key is pressed long the poweroff operation is
+ now triggered, and when the suspend key is pressed long the hibernate
+ operation is triggered. Long pressing the other two keys currently
+ does not trigger any operation by default.
+
+ * When showing unit status updates on the console during boot and
+ shutdown, and a service is slow to start so that the KITT animation
+ is shown, the most recent sd_notify() STATUS= text is now shown as
+ well. Services may use this to make the boot/shutdown output easier
+ to understand, and to indicate what precisely a service that is slow
+ to start or stop is waiting for. Specifically, the per-user service
+ manager instance now reports what it is doing and which service it is
+ waiting for this way to the system service manager.
+
+ * The service manager will now re-execute on reception of the
+ SIGRTMIN+25 signal. It previously already did that on SIGTERM — but
+ only when running as PID 1. There was no signal to request this when
+ running as per-user service manager, i.e. as any other PID than
+ 1. SIGRTMIN+25 will work in any case, i.e. both as system and user
+ service manager.
+
+ * The hardware watchdog logic in PID 1 gained support for operating
+ with the default timeout configured in the hardware, instead of
+ insisting on re-configuring it. Set RuntimeWatchdogSec=default to
+ request this behavior.
+
+ * A new kernel command line option systemd.watchdog_sec= is now
+ understood which may be used to override the hardware watchdog
+ time-out for the boot.
+
+ * A new setting DefaultOOMScoreAdjust= is now supported in
+ /etc/systemd/system.conf + /etc/systemd/user.conf that may be used to
+ set the default process OOM score adjustment value for processes
+ forked off the service manager. For per-user service managers this
+ now defaults to 100, but for per-system service managers is left as
+ is. This means that by default now services forked off the user
+ service manager are more likely to be killed by the OOM killer than
+ system services or the managers themselves.
+
+ * A new per-service setting RestrictFileSystems= as been added that
+ restricts the file systems a service has access to by their
+ type. This is based on the new BPF LSM of the Linux kernel. This is
+ an effective way to make certain API file systems unavailable to
+ services (and thus minimizing attack surface). A new command
+ "systemd-analyze filesystems" has been added that lists all known
+ file system types (and how they are grouped together under useful
+ group handles).
+
+ * Services now support a new setting RestrictNetworkInterfaces= for
+ restricting access to specific network interfaces.
+
+ * New service unit files gained new settings StartupAllowedCPUs= and
+ StartupAllowedMemoryNodes=. These are similar to their counterparts
+ without the "Startup" prefix and apply during the boot process
+ only. This is useful to improve boot-time behavior of the system and
+ assign resources differently during boot than during regular
+ runtime. This is similar to the preexisting StartupCPUWeight=
+ vs. CPUWeight.
+
+ * Related to this: the various StartupXYZ= settings
+ (i.e. StartupCPUWeight=, StartupAllowedCPUs=, …) are now also applied
+ during shutdown. The settings not prefixed with "Startup" hence apply
+ during regular runtime, and those that are prefixed like that apply
+ during boot and shutdown.
+
+ * The per-user service manager learnt support for communicating with
+ systemd-oomd to acquire OOM kill information.
+
+ * A new service setting ExecSearchPath= has been added that allows
+ changing the search path for executables for services. It affects how
+ the binaries specified in ExecStart= and similar are searched and
+ also affects the $PATH environment variable passed to invoked
+ processes.
+
+ * A new setting RuntimeRandomizedExtraSec= has been added for service
+ and scope units that allows extending the runtime time-out as
+ configured by RuntimeMaxSec= with a randomized amount.
+
+ * The syntax of the service unit settings RuntimeDirectory=,
+ StateDirectory=, CacheDirectory=, LogsDirectory= has been extended:
+ if the specified string is now suffixed with a colon, followed by
+ another filename, the latter will be created as symbolic link to the
+ specified directory. This allows creating these service directories
+ together with alias symlinks to make them available under multiple
+ names.
+
+ * Service unit files gained two new settings TTYRows=/TTYColumns= for
+ configuring rows/columns of the TTY device passed to
+ stdin/stdout/stderr of the service. This is useful to propagate TTY
+ dimensions from another environment.
+
+ * A new service unit file setting ExitType= has been added, that allows
+ configuring when precisely to assume a service has exited. By default
+ systemd watches the main process of a service only to determine its
+ lifetime. By setting ExitType=cgroup it can be told to wait for the
+ last process in a cgroup instead.
+
+ * Automount unit files gained a new setting ExtraOptions= that can be
+ used to configure additional mount options to pass to the kernel when
+ mounting the autofs instance.
+
+ * "Urlification" (i.e. generation of ESC sequences that generate
+ clickable hyperlinks in modern terminals) may now be turned off
+ altogether during build-time.
+
+ * The tpm2/fido2/pkcs11 support in systemd-cryptsetup is now also built
+ as plug-in for upstream cryptsetup. This means plain cryptsetup may
+ now be used to unlock volumes set up this way.
+
+ * The TPM2 logic in cryptsetup will now automatically detect systems
+ where the TPM2 chip supports SHA256 PCR banks but the firmware only
+ updates the SHA1 banks. In such a case PCR policies will be
+ automatically bound to the latter, not the former. This makes the PCR
+ policies reliable, but of course do not provide the same level of
+ trust as SHA256 banks.
+
+ * The TPM2 logic in systemd-cryptsetup/systemd-cryptsetup now supports
+ RSA primary keys in addition to ECC, improving compatibility with
+ TPM2 chips that do not support ECC. RSA keys are much slower to use
+ than ECC, and hence are only used if ECC is not available.
+
+ * /etc/crypttab gained support for a new token-timeout= setting for
+ encrypted volumes that allow configuration of a maximum time to wait
+ for PKCS#11/FIDO2 tokens to be plugged in. If the time elapses the
+ logic will query the user for a regular passphrase/recovery key
+ instead.
+
+ * Support for activating dm-integrity volumes at boot via a new file
+ /etc/integritytab and a tool systemd-integritysetup has been
+ added. This behaves similar to the existing /etc/crypttab and
+ /etc/veritytab, but deals with dm-integrity instead of
+ dm-crypt/dm-verity.
+
+ * The systemd-veritysetup-generator now understands a new usrhash=
+ kernel command line option for specifying the Verity root hash for
+ the partition backing the /usr/ file system. A matching set of
+ systemd.verity_usr_* kernel command line options has been added as
+ well. These all work similar to the corresponding options for the
+ root partition.
+
+ * The sd-device API gained a new API call sd_device_get_diskseq() to
+ return the DISKSEQ property of a device structure. The "disk
+ sequence" concept is a new feature recently introduced to the Linux
+ kernel that allows detecting reuse cycles of block devices, i.e. can
+ be used to recognize when loopback block devices are reused for a
+ different purpose or CD-ROM drives get their media changed.
+
+ * A new unit systemd-boot-update.service has been added. If enabled
+ (the default) and the sd-boot loader is detected to be installed, it
+ is automatically updated to the newest version if it's out of
+ date. This is useful to ensure the boot loader remains up-to-date,
+ and updates automatically propagate from the OS tree in /usr/.
+
+ * A new generic target unit factory-reset.target has been added. It is
+ hooked into systemd-logind similar in fashion to
+ reboot/poweroff/suspend/hibernate, and is supposed to be used to
+ initiate a factory reset operation. What precisely this operation
+ entails is up for the implementer to decide, the primary goal of the
+ new unit is provide a framework where to plug in the implementation
+ and how to trigger it.
+
+ * A new meson build-time option 'clock-valid-range-usec-max' has been
+ added which takes a time in µs and defaults to 15 years. If the RTC
+ time is noticed to be more than the specified time ahead of the
+ built-in epoch of systemd (which by default is the release timestamp
+ of systemd) it is assumed that the RTC is not working correctly, and
+ the RTC is reset to the epoch. (It already is reset to the epoch when
+ noticed to be before it.) This should increase the chance that time
+ doesn't accidentally jump too far ahead due to faulty hardware or
+ batteries.
+
+ * .network files gained a new UplinkInterface in the [IPv6SendRA]
+ section, for automatically propagating DNS settings from other
+ interfaces.
+
+ * The static lease DHCP server logic in systemd-networkd may now serve
+ IP addresses outside of the configured IP pool range for the server.
+
+ * A new setting SaveIntervalSec= has been added to systemd-timesyncd,
+ which may be used to automatically save the current system time to
+ disk in regular intervals. This is useful to maintain a roughly
+ monotonic clock even without RTC hardware and with some robustness
+ against abnormal system shutdown.
+
+ * CAN support in systemd-networkd gained four new settings Loopback=,
+ OneShot=, PresumeAck=, ClassicDataLengthCode= for tweaking CAN
+ control modes. It gained a number of further settings for tweaking
+ CAN timing quanta.
+
+ * DHCPv4 client support in systemd-networkd learnt a new Label= option
+ for configuring the address label to apply to configure IPv4
+ addresses.
+
+ * The various systemd-networkd "ethtool" buffer settings now understand
+ the special value "max" to configure the buffers to the maximum the
+ hardware supports.
+
+ * systemd-networkd's .link files may now configure a large variety of
+ NIC coalescing settings, plus more hardware offload settings.
+
+ * systemd-analyze verify gained support for a pair of new --image= +
+ --root= switches for verifying units below a specific root
+ directory/image instead of on the host.
+
+ * systemd-analyze verify gained support for verifying unit files under
+ an explicitly specified unit name, independently of what the filename
+ actually is.
+
+ * The [IPv6AcceptRA] section of .network files gained support for a new
+ UseMTU= setting that may be used to control whether to apply the
+ announced MTU settings to the local interface.
+
+ * systemd-networkd now ships with another default .network file:
+ 80-container-vb.network. It matches host-side network bridge device
+ created by systemd-nspawn's --network-bridge or --network-zone
+ switch.
+
+ * .link files gained a new WakeOnLanPassword= setting in the [Link]
+ section that allows to specify a WoL "SecureOn" password on hardware
+ that supports this.
+
+ * DHCPv6 Prefix Delegation gained new settings UplinkInterface= and
+ UseDelegatedPrefix= for configuring how to propagate delegated
+ prefixes between uplink and downlink interfaces.
+
+ * The [IPv6AcceptRA] section of .network files now understands two new
+ settings UseGateway=/UseRoutePrefix= for explicitly configuring
+ whether to use the relevant fields from the IPv6 Router Advertisement
+ records.
+
+ * The [CAKE] section of .network files gained a new setting
+ AutoRateIngress= for controlling automatic capacity estimation for
+ CAKE.
+
+ * IPv6 tokens configured in .network files may now optionally take a
+ secret key (i.e. Token=prefixstable:…)
+
+ * A new SuppressInterfaceGroup= setting has been added to the
+ [RoutingPolicyRule] section of .network files.
+
+ * The IgnoreCarrierLoss= setting in the [Network] section of .network
+ files now accepts a duration to be specified, controlling how time to
+ wait before no longer ignoring carrier losses.
+
+ * systemd-analyze verify gained a new switch --recursive-errors= which
+ controls whether to only fail on errors found in the specified units
+ or recursively any dependent units.
+
+ * systemd-analyze security now supports a new --offline mode for
+ analyzing unit files stored on disk instead of loaded units. It may
+ be combined with --root=/--image to analyze unit files container in a
+ root directory or disk image. It also learnt a new --threshold=
+ parameter for specifying an exposure level threshold: if the exposure
+ level exceeds the specified value the call will fail. It also gained
+ a new --security-policy= switch for configuring security policies to
+ enforce on the units. A policy is a JSON file that lists which tests
+ shall be weighted how much to determine the overall exposure
+ level. It also gained a new --json= switch for generating JSON
+ output. Altogether these new features are useful for fully automatic
+ analysis and enforcement of security policies on unit files.
+
+ * systemd-analyze learnt a new --quiet switch for reducing
+ non-essential output. It's honored by the "dot", "syscall-filter",
+ "filesystems" commands.
+
+ * systemd-nspawn's --setenv= switch now supports an additional syntax:
+ if only a variable name is specified (i.e. without being suffixed by
+ a '=' character and a value) the current value of the environment
+ variable is propagated to the container. e.g. --setenv=FOO will
+ lookup the current value of $FOO in the environment, and pass it down
+ to the container. Similar behavior has been added to homectl's,
+ machinectl's and systemd-run's --setenv= switch.
+
+ * systemd-nspawn gained a new switch --suppress-sync= which may be used
+ to optionally suppress the effect of the sync()/fsync()/fdatasync()
+ system calls for the container payload. This is useful for build
+ system environments where safety against abnormal system shutdown is
+ not essential as all build artifacts can be regenerated any time, but
+ the performance win is beneficial.
+
+ * systemd-nspawn will now raise RLIMIT_NOFILE's hard limit to the same
+ value that PID 1 raises it for most forked off processes.
+
+ * systemd-nspawn's --bind=/--bind-ro= switches now optionally take
+ uidmap/nouidmap options as last parameter. If "uidmap" is used the
+ bind mounts are created with UID mapping taking place that ensures
+ the host's file ownerships are mapped 1:1 to container file
+ ownerships, even if user namespacing is used. This way
+ files/directories bound into containers will no longer show up as
+ owned by the nobody user as they typically do if no special care is
+ taken to shift them manually.
+
+ * When discovering Windows installations sd-boot will now attempt to
+ extract the Windows version found.
+
+ * The color scheme to use in sd-boot may now be configured at
+ build-time.
+
+ * systemd-boot will now paint the input cursor on its own instead of
+ relying on the firmware to do so, increasing compatibility with broken
+ firmware that doesn't make the cursor reasonably visible.
+
+ * sd-boot gained the ability to change screen resolution during
+ boot-time, by hitting the "r" key. This will cycle through available
+ resolutions and save them.
+
+ * sd-boot gained support for automatically loading all EFI drivers
+ placed in the /EFI/systemd/drivers/ subdirectory of the EFI System
+ Partition (ESP). These drivers are loaded before the menu entries are
+ searched and loaded. This is useful for easily loading additional
+ file system drivers for the XBOOTLDR partition or similar.
+
+ * sd-boot learnt a new hotkey "f". When pressed the system will enter
+ firmware setup. This is useful in environments where it is difficult
+ to hit the right keys early enough to enter the firmware, and works
+ on any firmware regardless which key it natively uses.
+
+ * sd-boot gained support for automatically booting into the menu item
+ selected on the last boot (using the "@saved" identifier for menu
+ items).
+
+ * sd-boot now embeds a .osrel PE section like we expect from Boot
+ Loader Specification Type #2 Unified Kernels. This means sd-boot
+ itself may be used in place of a Type #2 Unified Kernel. This is
+ useful for debugging purposes as it allows chain-loading one a
+ (development) sd-boot instance from another.
+
+ * sd-boot now supports a new "devicetree" field in Boot Loader
+ Specification Type #1 entries: if configured the specified device
+ tree file is installed before the kernel is invoked. This is useful
+ for installing/applying new devicetree files without updating the
+ kernel image.
+
+ * Similar, sd-stub now can read devicetree data from a PE section
+ ".dtb" and apply it before invoking the kernel.
+
+ * sd-stub (the EFI stub that can be glued in front of a Linux kernel)
+ gained the ability to pick up credentials and sysext files placed
+ next to the kernel image file during initialization, wrap them in a
+ cpio archive and pass them as additional initrd to the invoked Linux
+ kernel, placing them in the /.extra/ directory of the initrd
+ environment. This is useful to implement trusted initrd environments
+ which are fully authenticated but still can be extended (via sysexts)
+ and parameterized (via encrypted/authenticated credentials, see
+ above).
+
+ * sd-stub now comes with a full man page, that explains its feature set
+ and how to combine a kernel image, an initrd and the stub to build a
+ complete EFI unified kernel image, implementing Boot Loader
+ Specification Type #2.
+
+ * sd-stub may now provide the initrd to the execute kernel via the
+ LINUX_EFI_INITRD_MEDIA_GUID EFI protocol, adding compatibility for
+ non-x86 architectures.
+
+ * bootctl learnt the new set-timeout and set-timeout-oneshot that may
+ be used to set the boot menu time-out of the boot loader (for all or
+ just the subsequent boot).
+
+ * systemd-importd now honors new environment variables
+ $SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA,
+ $SYSTEMD_IMPORT_SYNC, which may be used disable btrfs subvolume
+ generation, btrfs quota setup and disk synchronization.
+
+ * systemd-sysext now optionally doesn't insist on extension-release.d/
+ files to be placed in the image under the image's right name. If the
+ file system xattr user.extension-release.strict is set on the
+ extension release file it is accepted regardless of its name. This
+ relaxes security restrictions a bit, as system extension may be
+ attached under a wrong name this way.
+
+ * udevadm's test-builtin command learnt a new --action= switch for
+ testing the built-in with the specified action (in place of the
+ default of 'add'.
+
+ * udevadm info gained new switches --property=/--value for showing only
+ specific udev properties/values instead of all.
+
+ * A new hwdb database has been added that contains matches for various
+ types of signal analyzers (protocol analyzers, logic analyzers,
+ oscilloscopes, multimeters, bench power supplies, etc.) that should
+ be accessible to regular users.
+
+ * A new hwdb database entry has been added that carries information
+ about what type of camera discovered cameras are (regular or
+ infrared), and in which direction they point (front or back).
+
+ * A new build-time meson option "extra-net-naming-schemes=" has been
+ added for defining additional naming schemes schemes definitions for
+ udev's network interface naming logic. This is useful for enterprise
+ distributions and similar which want to pin the schemes of certain
+ distribution releases under a specific name and previously had to
+ patched our sources to introduce new named schemes.
+
+ * The predictable naming logic for network interfaces has been extended
+ to generate stable names from Xen netfront device information.
+
+ * hostnamed's chassis property can now be sourced from chassis-type
+ field encoded in devicetree (in addition to the preexisting DMI
+ support).
+
+ * systemd-cgls now optionally display cgroup IDs and extended
+ attributes for each cgroup. (Controllable via the new --xattr= +
+ --cgroup-id= switches.)
+
+ * coredumpctl gained a new --all switch for operating on all
+ Journal files instead of just the local ones.
+
+ * systemd-homed will now try to unmount an activate home area in
+ regular intervals once the user logged out fully. Previously this was
+ attempted exactly once but if the home directory was busy for some
+ reason it was not tried again.
+
+ * systemd-homed's LUKS2 home area backend will now issue a BSD file
+ system lock on the image file while the home area is active
+ (i.e. mounted). If a home area is found to be locked logins are
+ politely refused. This should improve behavior when using home areas
+ images that are accessible via the network from multiple clients, and
+ reduce the chance of accidental file system corruption in that case.
+
+ * Optionally, systemd-homed will now drop the kernel buffer cache once
+ a user fully logged out, configurable via the new --drop-caches=
+ homectl switch.
+
+ * systemd-homed now makes use of UID mapped mounts for the home
+ areas. If the kernel and used file system support it, files are now
+ internally owned by the "nobody" user (i.e. the user typically used
+ for indicating "this ownership is not mapped"), and dynamically
+ mapped to the UID used locally on the system via the UID mapping
+ mount logic of recent kernels. This makes migrating home areas
+ between different systems cheap as recursively chown()ing file system
+ trees is no longer necessary.
+
+ * systemd-homed's CIFS backend now optionally supports CIFS service
+ names with a directory suffix, in order to place home directories in
+ a subdirectory of a CIFS share, instead of the top-level directory.
+
+ * systemd-homed's CIFS backend gained support for specifying additional
+ mount options in the JSON user record (cifsExtraMountOptions field,
+ and --cifs-extra-mount-options= homectl switch). This is for example
+ useful for configuring mount options such as "noserverino" that some
+ SMB3 services require (for example: use that to run a homed home
+ directory from a FritzBox SMB3 share this way).
+
+ * systemd-homed will now default to btrfs' zstd compression for home
+ areas. This is inspired by Fedora's recent decision to enable this by
+ default.
+
+ * Additional mount options to use when mounting the file system of
+ LUKS2 volumes in systemd-homed has been added. Via the
+ $SYSTEMD_HOME_MOUNT_OPTIONS_BTRFS, $SYSTEMD_HOME_MOUNT_OPTIONS_EXT4,
+ $SYSTEMD_HOME_MOUNT_OPTIONS_XFS environment variables to
+ systemd-homed or via the luksExtraMountOptions user record JSON
+ property. (Exposed via homectl --luks-extra-mount-options)
+
+ * homectl's resize command now takes the special size specifications
+ "min" and "max" to shrink/grow the home area to the minimum/maximum
+ size possible, taking disk usage/space constraints and file system
+ limitations into account. Resizing is now generally graceful: the
+ logic will try to get as close to the specified size as possible, but
+ not consider it a failure if the request couldn't be fulfilled
+ precisely.
+
+ * systemd-homed gained the ability to automatically shrink home areas
+ on logout to their minimal size and grow them again on next
+ login. This ensures that while inactive a home area only takes up the
+ minimal space necessary, but once activated provides sufficient space
+ for the user's needs. This behavior is only supported if btrfs is
+ used as file system inside the home area (because only for btrfs
+ online growing/shrinking is implemented in the kernel). This
+ behavior is now enabled by default, but may be controlled via the
+ new --auto-resize-mode= setting of homectl.
+
+ * systemd-homed gained support for automatically re-balancing free disk
+ space among active home areas, in case the LUKS2 backends are used,
+ and no explicit disk size was requested. This way disk space is
+ automatically managed and home areas resized in regular intervals and
+ manual resizing when disk space becomes scarce should not be
+ necessary anymore. This behavior is only supported if btrfs is used
+ within the home areas (as only then online shrinking and growing is
+ supported), and may be configured via the new rebalanceWeight JSON
+ user record field (as exposed via the new --rebalance-weight= homectl
+ setting). Re-balancing is mostly automatic, but can also be requested
+ explicitly via "homectl rebalance", which is synchronous, and thus
+ may be used to wait until a rebalance run is complete.
+
+ * userdbctl gained a --json= switch for configured the JSON formatting
+ to use when outputting user or group records.
+
+ * userdbctl gained a new --multiplexer= switch for explicitly
+ configuring whether to use the systemd-userdbd server side user
+ record resolution logic.
+
+ * userdbctl's ssh-authorized-keys command learnt a new --chain switch,
+ for chaining up another command to execute after completing the
+ look-up. Since the OpenSSH's AuthorizedKeysCommand only allows
+ configuration of a single command to invoke this maybe used to invoke
+ multiple: first userdbctl's own implementation, and then any other
+ also configured in the command line.
+
+ * The sd-event API gained a new function sd_event_add_inotify_fd() that
+ is similar to sd_event_add_inotify() but accepts a file descriptor
+ instead of a path in the file system for referencing the inode to
+ watch.
+
+ * The sd-event API gained a new function
+ sd_event_source_set_ratelimit_expire_callback() that may be used to
+ define a callback function that is called whenever an event source
+ leaves the rate limiting phase.
+
+ * New documentation has been added explaining which steps are necessary
+ to port systemd to a new architecture:
+
+ https://systemd.io/PORTING_TO_NEW_ARCHITECTURES
+
+ * The x-systemd.makefs option in /etc/fstab now explicitly supports
+ f2fs file systems.
+
+ * The systemd-getty-generator now honors a new kernel command line
+ argument systemd.getty_auto= and a new environment variable
+ $SYSTEMD_GETTY_AUTO that allows turning it off at boot. This is for
+ example useful for turning off gettys inside of containers or similar
+ environments.
+
+ * systemd-resolved now listens on a second DNS stub address: 127.0.0.54
+ (in addition to 127.0.0.53, as before). If DNS requests are sent to
+ this address they are propagated in "bypass" mode only, i.e. are
+ almost not processed locally, but mostly forwarded as-is to the
+ current upstream DNS servers. This provides a stable DNS server
+ address that proxies all requests dynamically to the right upstream
+ DNS servers even if these dynamically change. This stub does not do
+ mDNS/LLMNR resolution. However, it will translate look-ups to
+ DNS-over-TLS if necessary. This new stub is particularly useful in
+ container/VM environments, or for tethering setups: use DNAT to
+ redirect traffic to any IP address to this stub.
+
CHANGES WITH 249:
* When operating on disk images via the --image= switch of various
Consult the kernel documentation for details on this sysctl:
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
-
+
* The v239 change to turn on "net.ipv4.tcp_ecn" by default has been
reverted.
projects / thirdparty / systemd.git / commitdiff
