release to be enabled by default.
* "systemctl switch-root" is now restricted to initrd transitions only.
- Transitions between real systems should be done with "systemctl soft-reboot"
- instead.
- * The ip=off and ip=none kernel command line options interpreted by
+ Transitions between real systems should be done with
+ "systemctl soft-reboot" instead.
+
+ * The "ip=off" and "ip=none" kernel command line options interpreted by
systemd-network-generator will now result in IPv6RA + link-local
- addressing to be disabled, too. Previously DHCP was turned off, but
+ addressing being disabled, too. Previously DHCP was turned off, but
IPv6RA and IPv6 link-local addressing was left enabled.
* The NAMING_BRIDGE_MULTIFUNCTION_SLOT naming scheme has been deprecated
* The way services are spawned has been overhauled. Previously, a
process was forked that shared all of the manager's memory (via
- copy-on-write) while doing all the required set ups (e.g.: mount
+ copy-on-write) while doing all the required setup (e.g.: mount
namespaces, CGroup configuration, etc.) before exec'ing the target
executable. This was problematic for various reasons: several glibc
APIs were called that are not supposed to be used after a fork but
before an exec, copy-on-write meant that if either process (the
manager or the child) touched a memory page a copy was triggered, and
also the memory footprint of the child process was that of the
- manager but with the memory limits of the service. From this version
+ manager, but with the memory limits of the service. From this version
onward, the new process is spawned using CLONE_VM and CLONE_VFORK
- semantics via posix_spawn(), and it immediately execs a new internal
+ semantics via posix_spawn(3), and it immediately execs a new internal
binary, systemd-executor, that receives the configuration to apply
via memfd, and sets up the process before exec'ing the target
executable.
instead of PIDs when the kernel supports it, to improve robustness
and reliability.
- * A new option SurviveFinalKillSignal= is now supported to configure a
- unit to skip units on the final SIGTERM/SIGKILL spree on shutdown. This
- is part of the required configuration to let a unit's processes survive
- a soft-reboot operation without being interrupted.
+ * A new option SurviveFinalKillSignal= can be used to configure the
+ unit to be skipped in the final SIGTERM/SIGKILL spree on shutdown.
+ This is part of the required configuration to let a unit's processes
+ survive a soft-reboot operation.
* System extension images (sysext) can now set
EXTENSION_RELOAD_MANAGER=1 in their extension-release files to
* The ExtensionImages= and ExtensionDirectories= options now support
confexts images/directories.
- * A new option NFTSet= provides a method for integrating dynamic cgroup IDs
- into firewall rules with NFT sets. The benefit of using this setting is to be
- able to use control group as a selector in firewall rules easily and this in
- turn allows more fine grained filtering. Also, NFT rules for cgroup matching
- use numeric cgroup IDs, which change every time a service is restarted, making
- them hard to use in a systemd environment.
+ * A new option NFTSet= provides a method for integrating dynamic cgroup
+ IDs into firewall rules with NFT sets. The benefit of using this
+ setting is to be able to use control group as a selector in firewall
+ rules easily and this in turn allows more fine grained filtering.
+ Also, NFT rules for cgroup matching use numeric cgroup IDs, which
+ change every time a service is restarted, making them hard to use in
+ systemd environment.
* A new option CoredumpReceive= can be set for service and scope units,
together with Delegate=yes, to make systemd-coredump on the host
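Review bot: the rewrapped NFTSet= paragraph drops the article in its last line ("hard to use in systemd environment"); the removed version read "in a systemd environment". Suggest restoring it: "change every time a service is restarted, making them hard to use in a systemd environment."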
- forward core files from processes crashed inside the delegated CGroup
- subtree to systemd-coredump running in the container. This new option
- is by default used by systemd-nspawn containers that use the "--boot"
- switch, i.e. are fully booted up.
+ forward core files from processes crashing inside the delegated
+ CGroup subtree to systemd-coredump running in the container. This new
+ option is by default used by systemd-nspawn containers that use the
+ "--boot" switch.
* A new ConditionSecurity=measured-uki option is now available, to ensure
a unit can only run when the system has been booted from a measured UKI.
* The $USER environment variable is now always set for services, while
previously it was only set if User= was specified. A new option
SetLoginEnvironment= is now supported to determine whether to also set
- $HOME, $LOGNAME and $SHELL.
+ $HOME, $LOGNAME, and $SHELL.
* Socket units now support a new pair of
PollLimitBurst=/PollLimitInterval= options to configure a limit on
how often polling events on the file descriptors backing this unit
will be considered within a time window.
- * Scope units can now be created passing PIDFDs instead of PIDs to select
+ * Scope units can now be created using PIDFDs instead of PIDs to select
the processes they should include.
* Sending SIGRTMIN+18 with 0x500 as sigqueue() value will now cause the
manager to dump the list of currently pending jobs.
- * If the kernel supports MOVE_MOUNT_BENEATH, the systemctl and machinectl
- bind and mount-image verbs will now cause the new mount to to replace
- the old mount (if any), instead of overmounting it.
+ * If the kernel supports MOVE_MOUNT_BENEATH, the systemctl and
+ machinectl bind and mount-image verbs will now cause the new mount to
+ replace the old mount (if any), instead of overmounting it.
TPM2 Support + Disk Encryption & Authentication:
systemd-boot, systemd-stub, ukify, bootctl, kernel-install:
- * The 90-loaderentry kernel-install hook now supports installing device
- trees.
-
- * ukify is no longer considered experimental, and now ships in /usr/bin/.
-
- * ukify gained a new verb, inspect, that describes the sections of a UKI
- and print the content of the well-known sections.
-
* bootctl will now show whether the system was booted from a UKI in its
status output.
passed from systemd-boot when running inside Confidential VMs with UEFI
SecureBoot enabled.
+ * ukify is no longer considered experimental, and now ships in /usr/bin/.
+
+ * ukify gained a new verb inspect to describe the sections of a UKI and
+ print the contents of the well-known sections.
+
+ * ukify gained a new verb genkey to generate a set of of key pairs for
+ signing UKIs and their PCR data.
+
+ * The 90-loaderentry kernel-install hook now supports installing device
+ trees.
+
systemd-repart:
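Review bot: the moved genkey bullet keeps the duplicated word from the original ("a set of of key pairs"). Since the line is being rewritten anyway, suggest "ukify gained a new verb genkey to generate a set of key pairs for signing UKIs and their PCR data."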
- * A new option --copy-from= that synthesizes partition definitions from
- the given image, which are then applied to the systemd-repart algorithm,
- has been added.
+ * A new option --copy-from= has been added that synthesizes partition
+ definitions from the given image, which are then applied by the
+ systemd-repart algorithm.
* A new option --copy-source= has been added, which can be used to specify
a directory to which CopyFiles= is considered relative to.
- * New --make-ddi=confext, --make-ddi=sysext and --make-ddi=portable options
- have been added to make it easier to generate these types of DDIs,
- without having to provide repart.d definitions for them.
+ * New --make-ddi=confext, --make-ddi=sysext, and --make-ddi=portable
+ options have been added to make it easier to generate these types of
+ DDIs, without having to provide repart.d definitions for them.
* The dm-verity salt and UUID will now be derived from the specified
seed value.
* udev will now create symlinks to loopback block devices in the
/dev/disk/by-loop-ref/ directory that are based on the .lo_file_name
string field selected during allocation. The systemd-dissect tool and
- the util-linux losetup command now supports a complementing new
- switch --loop-ref= for selecting the string. This means a loopback
- block device may now be allocated under a caller-chosen reference and
- can subsequently be referenced by that without first having to look
- up the block device name the caller ended up with.
+ the util-linux losetup command now supports a complementing new switch
+ --loop-ref= for selecting the string. This means a loopback block
+ device may now be allocated under a caller-chosen reference and can
+ subsequently be referenced without first having to look up the block
+ device name the caller ended up with.
* udev also creates symlinks to loopback block devices in the
/dev/disk/by-loop-inode/ directory based on the .st_dev/st_ino fields
is now dropped, as it never worked, hence it should not be used by
anyone.
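Review bot: subject-verb agreement in the rewrapped --loop-ref= bullet: the subject is plural ("The systemd-dissect tool and the util-linux losetup command"), so "now supports a complementing new switch" should read "now support a complementing new switch". The mismatch is inherited from the removed lines, but this hunk already rewrites the sentence and is the place to fix it.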
- * The 'prefixstable' ipv6 address generation mode now considers the
- SSID when generating stable addresses, so that a different stable
- address is used when roaming between wireless networks. If you
- already use 'prefixstable' addresses with wireless networks, the
- stable address chosen will be changed by the update.
+ * The 'prefixstable' ipv6 address generation mode now considers the SSID
+ when generating stable addresses, so that a different stable address
+ is used when roaming between wireless networks. If you already use
+ 'prefixstable' addresses with wireless networks, the stable address
+ will be changed by the update.
- * The DHCPv4 client gained a RapidCommit= option, default true, which
+ * The DHCPv4 client gained a RapidCommit option, true by default, which
enables RFC4039 Rapid Commit behavior to obtain a lease in a
simplified 2-message exchange instead of the typical 4-message
- exchange if also supported by the DHCP server.
+ exchange, if also supported by the DHCP server.
* The DHCPv4 client gained new InitialCongestionWindow= and
InitialAdvertisedReceiveWindow= options for route configurations.
(RFC8925).
* The SendHostname= and Hostname= options are now available for the
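Review bot: the RapidCommit= bullet loses the trailing "=" that this file uses consistently to mark setting names (compare NFTSet=, CoredumpReceive=, SurviveFinalKillSignal=, SendHostname= elsewhere in the same change); the removed line had "RapidCommit= option". Suggest "The DHCPv4 client gained a RapidCommit= option, true by default, which".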
- DHCPv6 client, independent of the DHCPv4 option, so that these
+ DHCPv6 client, independently of the DHCPv4= option, so that these
configuration values can be set independently for each client.
* The DHCPv4 and DHCPv6 client state can now be queried via D-Bus,
indirection of NFT set types.
* The [IPv6AcceptRA] section supports the following new options:
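Review bot: "independently of the DHCPv4= option" introduces a setting name that does not appear anywhere else on the page and reads as if DHCPv4= were itself an option; the removed line referred to "the DHCPv4 option", i.e. the corresponding SendHostname=/Hostname= settings of the DHCPv4 client. Suggest "independently of the corresponding options of the DHCPv4 client, so that these" to keep the meaning without naming a setting.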
- UsePREF64=, UseHopLimit=, UseICMP6RateLimit= and NFTSet=.
+ UsePREF64=, UseHopLimit=, UseICMP6RateLimit=, and NFTSet=.
* The [IPv6SendRA] section supports the following new options:
- RetransmitSec=, HopLimit=, HomeAgent=, HomeAgentLifetimeSec= and
+ RetransmitSec=, HopLimit=, HomeAgent=, HomeAgentLifetimeSec=, and
HomeAgentPreference=.
* A new [IPv6PREF64Prefix] set of options, containing Prefix= and
advertisements (RFC8781).
* The network generator now configures the interfaces with only
- link-local addressing if ip=link-local is specified on the kernel
+ link-local addressing if "ip=link-local" is specified on the kernel
command line.
* The prefix of the configuration files generated by the network
* systemctl is-failed now checks the system state if no unit is
specified.
- * systemctl will now automatically soft-reboot if a new root file
- system has been setup in /run/nextroot/ when a reboot operation
- is invoked.
+ * systemctl will now automatically soft-reboot if a new root file system
+ is found under /run/nextroot/ when a reboot operation is invoked.
Login management:
- * wall messages now work even when utmp support is disabled, using
+ * Wall messages now work even when utmp support is disabled, using
systemd-logind to query the necessary information.
* systemd-logind now sends a new PrepareForShutdownWithMetadata D-Bus
- signal before shutdown/reboot/soft-reboot, that includes additional
- information with respect to what PrepareForShutdown has. Currently
- the additional information is the type of operation that is about to
- be executed.
+ signal before shutdown/reboot/soft-reboot that includes additional
+ information compared to the PrepareForShutdown signal. Currently the
+ additional information is the type of operation that is about to be
+ executed.
Hibernation & Suspend:
transient unit.
* systemd-analyze, systemd-tmpfiles, systemd-sysusers, systemd-sysctl,
- and systemd-binfmt gained a new --tldr option that can be used in
- combination with --cat-config to suppress uninteresting configuration
- lines, such as comments.
+ and systemd-binfmt gained a new --tldr option that can be used instead
+ of --cat-config to suppress uninteresting configuration lines, such as
+ comments and whitespace.
* resolvectl gained a new "show-server-state" command that shows
current statistics of the resolver. This is backed by a new
* seccomp now supports the LoongArch64 architecture.
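Review bot: this hunk changes the meaning of the --tldr bullet, not just its wording: "in combination with --cat-config" becomes "instead of --cat-config", and "comments" becomes "comments and whitespace". If --tldr is a standalone alternative to --cat-config in all five tools listed, that is the better description, but the change is easy to miss inside a rewrap/typo commit; please confirm it is intended (and note that for systemd-analyze, cat-config is a verb rather than an option, so "instead of --cat-config" may not describe that tool accurately).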
- * systemd-id128 now supports a new -P option to show only values, and
- combining --app with the show verb.
+ * systemd-id128 now supports a new -P option to show only values. The
+ combination of -P and --app options is also supported.
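Review bot: the rewrite of the systemd-id128 bullet also changes what is claimed: the removed lines say the new feature is "combining --app with the show verb", while the added lines say "the combination of -P and --app options is also supported". Those are different capabilities; please confirm which one the release actually adds, or mention both if both apply.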
- * A new pam_systemd_loadkey.so PAM module is now available, which
- allows automatically fetching the passphrase used by cryptsetup to
- unlock the root file system and setting it as the PAM authtok. This
- enables, among other things, configuring auto-unlock of the GNOME
- Keyring / KDE Wallet when autologin is configured.
+ * A new pam_systemd_loadkey.so PAM module is now available, which will
+ automatically fetch the passphrase used by cryptsetup to unlock the
+ root file system and set it as the PAM authtok. This enables, among
+ other things, configuring auto-unlock of the GNOME Keyring / KDE
+ Wallet when autologin is configured.
* Many meson options now use the 'feature' type, which means they
take enabled/disabled/auto as values.
- * A new meson option configfiledir can be used to change where
+ * A new meson option -Dconfigfiledir= can be used to change where
configuration files with default values are installed to.
* Options and verbs in man pages are now tagged with the version they
* ukify has been updated to allow building these UEFI PE "add-on"
images, using the new 'addon<EFI-ARCH>.efi.stub'.
- * ukify gained a new "genkey" verb for generating a set of of key pairs
- to sign UKIs and their PCR data with.
-
* ukify now accepts SBAT information to place in the .sbat PE section
of UKIs and addons. If a UKI is built the SBAT information from the
inner kernel is merged with any SBAT information associated with