Service Manager:
- * The way services are spawned has been overhauled. Previously, a process
- was forked that shared all of the manager's memory (via copy-on-write)
- while doing all the required set ups (e.g.: mount namespaces, CGroup
- configuration, etc.) before exec'ing the target executable. This was
- problematic for various reasons: several glibc APIs were called that
- are not supposed to be used after a fork but before an exec, copy-on-write
- meant that if either process (the manager or the child) touched a memory
- page a copy was triggered, and also the memory footprint of the child
- process was that of the manager but with the memory limits of the service.
- From this version onward, the new process is spawned using CLONE_VM and
- CLONE_VFORK semantics via posix_spawn, and it immediately execs a new
- internal binary, systemd-executor, that receives the configuration to
- apply via memfd, and sets up the process before exec'ing the target
+ * The way services are spawned has been overhauled. Previously, a
+ process was forked that shared all of the manager's memory (via
+ copy-on-write) while doing all the required set ups (e.g.: mount
+ namespaces, CGroup configuration, etc.) before exec'ing the target
+ executable. This was problematic for various reasons: several glibc
+ APIs were called that are not supposed to be used after a fork but
+ before an exec, copy-on-write meant that if either process (the
+ manager or the child) touched a memory page a copy was triggered, and
+ also the memory footprint of the child process was that of the
+ manager but with the memory limits of the service. From this version
+ onward, the new process is spawned using CLONE_VM and CLONE_VFORK
+ semantics via posix_spawn(), and it immediately execs a new internal
+ binary, systemd-executor, that receives the configuration to apply
+ via memfd, and sets up the process before exec'ing the target
executable.
- * Internal process tracking is being changed to use PIDFDs instead of PIDs
- when the kernel supports it, to improve robustness and reliability.
+ * Most of the internal process tracking is being changed to use PIDFDs
+ instead of PIDs when the kernel supports it, to improve robustness
+ and reliability.
* A new option SurviveFinalKillSignal= is now supported to configure a
unit to skip units on the final SIGTERM/SIGKILL spree on shutdown. This
is part of the required configuration to let a unit's processes survive
a soft-reboot operation without being interrupted.
- * Sysext images can now set EXTENSION_RELOAD_MANAGER=1 in their
- extension-release files to automatically daemon-reload when
- merging/refreshing/unmerging on boot. This should be used only in
- exceptional circumstances, as it can cause very difficult to debug
- race conditions and lockups.
+ * System extension images (sysext) can now set
+ EXTENSION_RELOAD_MANAGER=1 in their extension-release files to
+ automatically reload the service manager (PID 1) when
+ merging/refreshing/unmerging on boot. Generally, while this can be
+ used to ship services in system extension images it's recommended to
+ do that via portable services instead.
* The ExtensionImages= and ExtensionDirectories= options now support
confexts images/directories.
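Review bot: the rewritten EXTENSION_RELOAD_MANAGER=1 entry drops the caveat the removed lines carried ("This should be used only in exceptional circumstances, as it can cause very difficult to debug race conditions and lockups"). Pointing at portable services is a good replacement recommendation, but a reader of the new text no longer learns why a manager reload triggered from an extension image is hazardous; keep one sentence naming the race/lockup risk next to the recommendation.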
use numeric cgroup IDs, which change every time a service is restarted, making
them hard to use in a systemd environment.
- * A new option CoredumpReceive= can be set, together with Delegate=yes, to
- make systemd-coredump on the host forward core files from processes crashed
- inside the delegated CGroup subtree to systemd-coredump running in the
- container.
+ * A new option CoredumpReceive= can be set for service and scope units,
+ together with Delegate=yes, to make systemd-coredump on the host
+ forward core files from processes crashed inside the delegated CGroup
+ subtree to systemd-coredump running in the container. This new option
+ is by default used by systemd-nspawn containers that use the "--boot"
+ switch, i.e. are fully booted up.
* A new ConditionSecurity=measured-uki option is now available, to ensure
a unit can only run when the system has been booted from a measured UKI.
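Review bot: the new last sentence of the CoredumpReceive= entry ("This new option is by default used by systemd-nspawn containers that use the "--boot" switch") sits next to a first sentence that makes the option conditional on Delegate=yes; state whether --boot also implies Delegate=yes, and what happens to core files of container processes when no systemd-coredump is running inside the container, so an administrator knows where crash dumps from a delegated subtree end up.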
SetLoginEnvironment= is now supported to determine whether to also set
$HOME, $LOGNAME and $SHELL.
- * Socket units now support a new PollLimit= option to configure a limit on
- how often polling events on the file descriptors backing this unit will
- be considered.
+ * Socket units now support a new pair of
+ PollLimitBurst=/PollLimitInterval= options to configure a limit on
+ how often polling events on the file descriptors backing this unit
+ will be considered within a time window.
* Scope units can now be created passing PIDFDs instead of PIDs to select
the processes they should include.
- * Sending SIGRTMIN+18 with 0x500 as value will now cause the manager to
- dump the list of currently pending jobs.
+ * Sending SIGRTMIN+18 with 0x500 as sigqueue() value will now cause the
+ manager to dump the list of currently pending jobs.
* If the kernel supports MOVE_MOUNT_BENEATH, the systemctl and machinectl
bind and mount-image verbs will now cause the new mount to to replace
TPM2 Support + Disk Encryption & Authentication:
- * systemd-cryptenroll now allows specifying a PCR bank and hash digest in
- the --tpm2-pcrs= option.
+ * systemd-cryptenroll now allows specifying a PCR bank and explicit hash
+ value in the --tpm2-pcrs= option.
* systemd-cryptenroll now allows specifying a TPM2 key handle to be used
instead of the default SRK via the new --tpm2-seal-key-handle= option.
* The TPM2 Storage Root Key will now be set up, if not already present,
by a new systemd-tpm2-setup.service early boot service.
- * The internal systemd-pcrphase executable has been renamed to systemd-pcrextend.
+ * The internal systemd-pcrphase executable has been renamed to
+ systemd-pcrextend.
+
+ * The systemd-pcrextend tool gained a new --pcr= switch to override
+ which PCR to measure into.
- * systemd-pcrextend now exposes a Varlink interface at io.systemd.PCRExtend
- that can be used to do measurements and event logging on demand.
+ * systemd-pcrextend now exposes a Varlink interface at
+ io.systemd.PCRExtend that can be used to do measurements and event
+ logging on demand.
* TPM measurements are now also written to an event log at
- /run/log/systemd/tpm2-measure.log, using the TCG Canonical Event Log
- format, together with the existing journald entries.
+ /run/log/systemd/tpm2-measure.log, using a derivative of the TCG
+ Canonical Event Log format. Previously we'd only log them to the
+ journal, where they however were subject to rotation and similar.
systemd-boot, systemd-stub, ukify, bootctl, kernel-install:
SecureBoot is enabled. For more details see:
https://github.com/systemd/systemd/security/advisories/GHSA-6m6p-rjcq-334c
- * systemd-boot gained new hotkeys to reboot and power off the system from
- the boot menu.
+ * systemd-boot gained new hotkeys to reboot and power off the system
+ from the boot menu ("B" and "O"). If the "auto-poweroff" and
+ "auto-reboot" options in loader.conf are set these entries are also
+ shown as menu items (which is useful on devices lacking a regular
+ keyboard).
- * systemd-boot will now show auto-generated reboot and poweroff entries in
- the boot menu.
-
- * systemd-boot gained a new configuration value menu-disabled for the
+ * systemd-boot gained a new configuration value "menu-disabled" for the
set-timeout option, to allow completely disabling the boot menu,
including the hotkey.
- * systemd-boot will now measure the content of loader.conf in PCR5.
+ * systemd-boot will now measure the content of loader.conf in TPM2 PCR
+ 5.
- * systemd-stub will now concatenate the content of all kernel command-line
- addons before measuring them in PCR12, in a single measurement, instead
- of measuring them individually.
+ * systemd-stub will now concatenate the content of all kernel
+ command-line addons before measuring them in TPM2 PCR 12, in a single
+ measurement, instead of measuring them individually.
- * systemd-stub will now measure and load Devicetree Blob addons, which are
- searched and loaded following the same model as the existing kernel
- command-line addons.
+ * systemd-stub will now measure and load Devicetree Blob addons, which
+ are searched and loaded following the same model as the existing
+ kernel command-line addons.
* systemd-stub will now ignore unauthenticated kernel command line options
passed from systemd-boot when running inside Confidential VMs with UEFI
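Review bot: the reflow of the loader.conf measurement entry splits the register name across lines ("in TPM2 PCR" / "5."), which defeats searching the NEWS file for "PCR 5"; keep "PCR 5" on one line as the following systemd-stub entry does with "TPM2 PCR 12". The remaining changes in this hunk (hotkeys "B"/"O", "menu-disabled", the Devicetree addons) read fine.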
have been added to make it easier to generate these types of DDIs,
without having to provide repart.d definitions for them.
- * The dm-verity salt and UUID will now be derived from the specified seed.
+ * The dm-verity salt and UUID will now be derived from the specified
+ seed value.
* New VerityDataBlockSizeBytes= and VerityHashBlockSizeBytes= can now be
- configured in repart.d configuration files.
+ configured in repart.d/ configuration files.
- * A new Subvolumes= setting is now supported in repart.d configuration
+ * A new Subvolumes= setting is now supported in repart.d/ configuration
files, to indicate which directories in the target partition should be
btrfs subvolumes.
attaching a file to a loopback device will implicitly make a handle
available to be found via that file's inode information.
- * udevadm info gained support for JSON output via a new --json flag, and
+ * udevadm info gained support for JSON output via a new --json= flag, and
for filtering output using the same mechanism that udevadm trigger
already implements.
It is now enabled by default and is part of the new "v255" naming
scheme.
+ * A new hwdb/rules file has been added that sets the
+ ID_NET_AUTO_LINK_LOCAL_ONLY=1 udev property on all network interfaces
+ that should usually only be configured with link-local addressing
+ (IPv4LL + IPv6LL), i.e. for PC-to-PC cables ("laplink") or
+ Thunderbolt networking. systemd-networkd and NetworkManager (soon)
+ will make use of this information to apply an appropriate network
+ configuration by default.
+
+ * The ID_NET_DRIVER property on network interfaces is now set
+ relatively early in the udev rule set so that other rules may rely on
+ its use. This is implemented in a new "net-driver" udev built-in.
+
Network Management:
* The "duid-only" option for DHCPv4 client's ClientIdentifier= setting
89-ethernet.network matches all Ethernet interfaces and enables both
DHCPv4 and DHCPv6 clients.
- Changes in systemd-analyze:
+ * If a ID_NET_MANAGED_BY= udev property is set on a network device and
+ it is any other string than "io.systemd.Network" then networkd will
+ not manage this device. This may be used to allow multiple network
+ management services to run in parallel and assign ownership of
+ specific devices explicitly. NetworkManager will soon implement a
+ similar logic.
- * "systemd-analyze plot" has gained tooltips on each unit name with
- related-unit information in its svg output, such as Before=,
- Requires=, and similar properties.
-
- Other:
-
- * A new varlinkctl tool has been added to allow interfacing with
- Varlink services, and introspection has been added to all such
- services.
+ systemctl:
* systemctl is-failed now checks the system state if no unit is
specified.
system has been setup in /run/nextroot/ when a reboot operation
is invoked.
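Review bot: article error in the new ID_NET_MANAGED_BY= entry: "If a ID_NET_MANAGED_BY= udev property is set" should be "If an ID_NET_MANAGED_BY= udev property is set". The removed systemd-analyze and varlinkctl entries and the removed "Changes in systemd-analyze:" heading are otherwise accounted for by the relocation later in the patch.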
- * systemd-sysext and systemd-confext now expose a Varlink service
- at io.systemd.sysext.
+ Login management:
* wall messages now work even when utmp support is disabled, using
systemd-logind to query the necessary information.
the additional information is the type of operation that is about to
be executed.
+ Hibernation & Suspend:
+
+ * The kernel and OS versions will no longer be checked on resume from
+ hibernation.
+
+ * Hibernation into swap files backed by btrfs are now
+ supported. (Previously this was supported only for other file
+ systems.)
+
+ Other:
+
+ * "systemd-analyze plot" has gained tooltips on each unit name with
+ related-unit information in its svg output, such as Before=,
+ Requires=, and similar properties.
+
+ * A new varlinkctl tool has been added to allow interfacing with
+ Varlink services, and introspection has been added to all such
+ services.
+
+ * systemd-sysext and systemd-confext now expose a Varlink service
+ at io.systemd.sysext.
+
* systemd-sysupdate now accepts directories in the MatchPattern= option.
* systemd-run will now output the invocation ID of the launched
combination with --cat-config to suppress uninteresting configuration
lines, such as comments.
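Review bot: subject/verb agreement in the new Hibernation & Suspend entry: "Hibernation into swap files backed by btrfs are now supported" should read "is now supported". The systemd-analyze, varlinkctl and sysext/confext entries moved under the new "Other:" heading match the removals earlier in the patch word for word, so nothing is lost in the move.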
- * systemd-resolved gained a new DumpStatistics() Varlink method, and
- resolvectl gained a new corresponding show-server-state verb that
- calls it.
+ * resolvectl gained a new "show-server-state" command that shows
+ current statistics of the resolver. This is backed by a new
+ DumpStatistics() Varlink method provided by systemd-resolved.
* systemd-timesyncd will now emit a D-Bus signal when the LinkNTPServers
property changes.
* vconsole now supports KEYMAP=@kernel for preserving the kernel keymap
as-is.
- * The kernel and OS versions will no longer be checked on resume from
- hibernation.
-
* seccomp now supports the LoongArch64 architecture.
* systemd-id128 now supports a new -P option to show only values, and
quickly get access to the local disk. It's inspired by MacOS "target
disk mode".
+ * A new component "systemd-bsod" has been added, which can show logged
+ error messages full screen, if they have a log level of LOG_EMERG log
+ level.
+
+ * The systemd-dissect tool's --with command will now set the
+ $SYSTEMD_DISSECT_DEVICE environment variable to the block device it
+ operates on for the invoked process.
+
+ * The systemd-mount tool gained a new --tmpfs switch for mounting a new
+ 'tmpfs' instance. This is useful since it does so via .mount units
+ and thus can be executed remotely or in containers.
+
+ * The various tools in systemd that take "verbs" (such as systemctl,
+ loginctl, machinectl, …) now will suggest a close verb name in case
+ the user specified an unrecognized one.
+
+ * libsystemd now exports a new function sd_id128_get_app_specific()
+ that generates "app-specific" 128bit IDs from any ID. It's similar to
+ sd_id128_get_machine_app_specific() and
+ sd_id128_get_boot_app_specific() but takes the ID to base calculation
+ on as input. This new functionality is also exposed in the
+ "systemd-id128" tool where you can now combine --app= with `show`.
+
+ * All tools that parse timestamps now can also parse RFC3339 style
+ timestamps that include the "T" and Z" characters.
+
+ * New documentation as been added:
+
+ https://systemd.io/FILE_DESCRIPTOR_STORE
+ https://systemd.io/TPM2_PCR_MEASUREMENTS
+ https://systemd.io/MOUNT_REQUIREMENTS.md
+
+ * The codebase now recognizes the suffix .confext.raw and .sysext.raw
+ as alternative to the .raw suffix generally accepted for DDIs. It is
+ recommended to name configuration extensions and system extensions
+ with such suffixes, to indicate their purpose in the name.
+
+ * The sd-device API gained a new function
+ sd_device_enumerator_add_match_property_required() which allows
+ configuring matches on properties that are strictly required. This is
+ different from the existing sd_device_enumerator_add_match_property()
+ matches of which one one needs to apply.
+
+ * The MAC adress the veth side of an nspawn container shall get
+ assigned may now be controlled via the $SYSTEMD_NSPAWN_NETWORK_MAC
+ environment variable.
+
+ * The libiptc dependency is not implemented via dlopen(), so that tools
+ such as networkd and nspawn no longer have a hard dependency on the
+ shared library when compiled with support for libiptc.
+
Contributions from: 김인수, Abderrahim Kitouni, Adam Williamson,
Alexandre Peixoto Ferreira, Alex Hudspith, Alvin Alvarado,
André Paiusco, Antonio Alvarez Feijoo, Anton Lundin,
Arseny Maslennikov, Arthur Shau, Balázs Úr, beh_10257,
Benjamin Peterson, Bertrand Jacquin, Brian Norris, Chris Patterson,
- Christian Hergert, Christian Hesse, Christian Kirbach,
- commondservice, Curtis Klein, cvlc12, Daan De Meyer,
- Daniel P. Berrangé, Daniel Rusek, Dan Streetman,
- David Rheinsberg, David Santamaría Rogado, David Tardon,
+ Christian Hergert, Christian Hesse, Christian Kirbach, commondservice,
+ Curtis Klein, cvlc12, Daan De Meyer, Daniel P. Berrangé, Daniel Rusek,
+ Dan Streetman, David Rheinsberg, David Santamaría Rogado, David Tardon,
dependabot[bot], Dmitry V. Levin, Emanuele Giuseppe Esposito,
Emil Renner Berthing, Emil Velikov, Etienne Dechamps, Fabian Vogt,
- felixdoerre, Franck Bui, Frantisek Sumsal, G2-Games,
- Gioele Barabucci, Hugo Carvalho, huyubiao, IllusionMan1212,
- Jade Lovelace, janana, Jan Janssen, Jan Kuparinen, Jan Macku,
- Jin Liu, Joerg Behrmann, Johannes Segitz, Jordan Rome,
- Jordan Williams, Julien Malka, Juno Computers, Khem Raj, khm,
- Kingbom Dou, Kiran Vemula, Laszlo Gombos, Lennart Poettering,
- Luca Boccassi, Lucas Adriano Salles, Lukas, Maanya Goenka, Maarten,
- Malte Poll, Marc Pervaz Boocha, Martin Beneš, Martin Wilck,
- Mathieu Tortuyaux, Matthias Schiffer, Maxim Mikityanskiy,
- Max Kellermann, Michael A Cassaniti, Michael Biebl, Michael Kuhn,
- Michael Vasseur, Michal Koutný, Michal Sekletár, Mike Yuan,
- Milton D. Miller II, mordner, msizanoen, NAHO, Nandakumar Raghavan,
- Nick Rosbrook, NRK, Oğuz Ersen, Omojola Joshua, pelaufer,
- Peter Hutterer, PhylLu, Pierre GRASSER, Piotr Drąg, Priit Laes,
- Rahil Bhimjiani, Raito Bezarius, Raul Cheleguini, Reto Schneider,
- Richard Maw, Robby Red, RoepLuke, Roland Hieber, Ronan Pigott,
- Sam James, Sergey A, Susant Sahani, Sven Joachim,
- Takashi Sakamoto, Thorsten Kukuk, Tj, Tomasz Świątek,
- Topi Miettinen, Valentin David, Valentin Lefebvre,
- Victor Westerhuis, Vincent Haupert, Vishal Chillara Srinivas,
- Warren, Xiaotian Wu, xinpeng wang, Yu Watanabe,
- Zbigniew Jędrzejewski-Szmek, наб
+ felixdoerre, Franck Bui, Frantisek Sumsal, G2-Games, Gioele Barabucci,
+ Hugo Carvalho, huyubiao, IllusionMan1212, Jade Lovelace, janana,
+ Jan Janssen, Jan Kuparinen, Jan Macku, Jin Liu, Joerg Behrmann,
+ Johannes Segitz, Jordan Rome, Jordan Williams, Julien Malka,
+ Juno Computers, Khem Raj, khm, Kingbom Dou, Kiran Vemula,
+ Laszlo Gombos, Lennart Poettering, Luca Boccassi, Lucas Adriano Salles,
+ Lukas, Maanya Goenka, Maarten, Malte Poll, Marc Pervaz Boocha,
+ Martin Beneš, Martin Wilck, Mathieu Tortuyaux, Matthias Schiffer,
+ Maxim Mikityanskiy, Max Kellermann, Michael A Cassaniti, Michael Biebl,
+ Michael Kuhn, Michael Vasseur, Michal Koutný, Michal Sekletár,
+ Mike Yuan, Milton D. Miller II, mordner, msizanoen, NAHO,
+ Nandakumar Raghavan, Nick Rosbrook, NRK, Oğuz Ersen, Omojola Joshua,
+ pelaufer, Peter Hutterer, PhylLu, Pierre GRASSER, Piotr Drąg,
+ Priit Laes, Rahil Bhimjiani, Raito Bezarius, Raul Cheleguini,
+ Reto Schneider, Richard Maw, Robby Red, RoepLuke, Roland Hieber,
+ Ronan Pigott, Sam James, Sergey A, Susant Sahani, Sven Joachim,
+ Takashi Sakamoto, Thorsten Kukuk, Tj, Tomasz Świątek, Topi Miettinen,
+ Valentin David, Valentin Lefebvre, Victor Westerhuis, Vincent Haupert,
+ Vishal Chillara Srinivas, Warren, Xiaotian Wu, xinpeng wang,
+ Yu Watanabe, Zbigniew Jędrzejewski-Szmek, наб
CHANGES WITH 254:
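Review bot: "The libiptc dependency is not implemented via dlopen()" inverts the intended meaning; the rest of the sentence ("no longer have a hard dependency on the shared library") only makes sense with "is now implemented via dlopen()". Smaller fixes in the same hunk: "MAC adress" should be "MAC address", "matches of which one one needs to apply" presumably "of which only one needs to apply", "New documentation as been added" should be "has been added", the quotes in "the "T" and Z" characters" are unbalanced, "a log level of LOG_EMERG log level" in the systemd-bsod entry repeats itself, and the MOUNT_REQUIREMENTS link carries a ".md" suffix that the two links above it lack.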