From: Lennart Poettering Date: Tue, 27 Jun 2023 16:44:57 +0000 (+0200) Subject: NEWS: more updates for future v254 X-Git-Tag: v254-rc1~99 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d7b3c52cb110b2c3b6e528577ae74b21e5250900;p=thirdparty%2Fsystemd.git NEWS: more updates for future v254 --- diff --git a/NEWS b/NEWS index 91deb34896e..6225a7409f8 100644 --- a/NEWS +++ b/NEWS @@ -11,15 +11,15 @@ CHANGES WITH 254 in spe: the "unified hierarchy") sooner rather than later. Most of Linux userspace has been ported over already. - * The next release (v255) will remove support for split-usr (/usr + * The next release (v255) will remove support for split-usr (/usr/ mounted separately during late boot, instead of being mounted by the initrd before switching to the rootfs) and unmerged-usr (parallel - directories /bin and /usr/bin, /lib and /usr/lib, …). - For more details, see: + directories /bin/ and /usr/bin/, /lib/ and /usr/lib/, …). For more + details, see: https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html - * EnvironmentFile now treats the line following a comment line trailing - with escape as a non comment line. For details, see: + * EnvironmentFile= now treats the line following a comment line + trailing with escape as a non comment line. For details, see: https://github.com/systemd/systemd/issues/27975 * Support for System V service scripts is now deprecated and will be @@ -27,7 +27,7 @@ CHANGES WITH 254 in spe: *now* to include a native systemd unit file instead of a legacy System V script to retain compatibility with future systemd releases. - Security relevant changes: + Security Relevant Changes: * pam_systemd will now by default pass the CAP_WAKE_ALARM ambient process capability to invoked session processes of regular users on 
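Review bot: the EnvironmentFile= entry in this hunk is still hard to parse after the rewrite; "now treats the line following a comment line trailing with escape as a non comment line" needs a hyphen in "non-comment" and would read more clearly as "EnvironmentFile= no longer treats a line that follows a comment line ending in a backslash as part of the comment" (the linked issue #27975 remains the reference for the behaviour). The other edits here, adding trailing "/" to /usr/, /bin/, /usr/bin/, /lib/, /usr/lib/ and capitalising "Security Relevant Changes:", match how paths and section headings are written elsewhere in the file.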
@@ -43,167 +43,532 @@ CHANGES WITH 254 in spe: permit more impactful operations such as system suspend to local users. - * The sd-journal API learnt a new call sd_journal_get_seqnum() for - retrieving the current log record's sequence number and sequence - number ID, which allows applications to order records the same way as - journal does internally already. The sequence number is now also - exported in the JSON and "export" output of the journal. - - * The default keymap to apply may now be chosen at build-time via the - new default-keymap meson option. - - * "Startup" memory settings are now supported. Previously IO and CPU - settings were already supported via StartupCPUWeight= and similar, - this adds the same logic for the various per-unit memory settings - StartupMemoryMax= and related. - - * The service manager gained support for enqueuing POSIX signals to - services that carry an additional integer value, exposing the - sigqueue() systemd call. This is exposed via new D-Bus calls - QueueSignalUnit() (and related), as well as in systemctl via the new - --kill-value= parameter. - - * systemd-notify gained a new --exec switch, which makes it execute the - specified command line after sending the requested messages. This is - useful for sending out READY=1 first, and then continuing invocation - without changing process ID, so that the tool can be nicely used - within an ExecStart= line of a unit file that uses Type=ready. - - * systemd-repart's drop-in files gained a new ExcludeFiles= option which - may be used to exclude certain files from the effect of CopyFiles=, - which allows populating newly created partitions automatically. - - * bootctl gained a new switch --print-root-device (or short: -R) that - prints the main block device the root file system is backed by. It's - useful for invocations such as "cfdisk $(bootctl -R)" to quickly have - a look at the partition table of the running OS. 
- - * systemctl gained a new "list-paths" verb, which shows all currently - active .path units, similar to how "systemctl list-timers" shows - active timers, and "systemctl list-sockets" shows active sockets. - - * The sd-event API gained new calls sd_event_add_memory_pressure(), - sd_event_source_set_memory_pressure_type(), - sd_event_source_set_memory_pressure_period() for creating and - configuring an event source that is called whenever the OS signals - memory pressure. Another call sd_event_trim_memory() is provided that - compacts the process' memory use by releasing allocated but unused - malloc() memory back to the kernel. This should improve system - behaviour under memory pressure, as on Linux traditionally provided no - mechanism to return process memory back to the kernel if the kernel - was under pressure to acquire some. This makes use of the kernel's PSI - interface. Most long-running services that systemd contains have been - hooked up with this, and in particular systems with low memory should - benefit from this. - - * Service units learnt the new MemoryPressureWatch=, - MemoryPressureThresholdSec= for configuring the PSI memory pressure - logic individually. If these options are used the - $MEMORY_PRESSURE_WATCH and $MEMORY_PRESSURE_WRITE environment - variables will be set for the invoked services processes to inform - them about the requested memory pressure behaviour. (This is used by - the aforementioned sd-events API additions, if set.) - - * systemd-analyze gained a new "malloc" verb that shows the output - generated by glibc's malloc_info() on services that support it. Right - now, only the service manager has been updated accordingly. - - * systemd-stub will now look for the SMBIOS Type 1 field - "io.systemd.stub.kernel-cmdline-extra" and append its value to the - kernel command line it invokes. This is useful for VMMs such as qemu - to pass additional kernel command lines into the system even when - booting via full UEFI. 
- - * The sd-login API gained a new call sd_session_get_username() for - returning the user name who owns a specific login session. It also - gained a new call sd_session_get_start_time() for retrieving the time - the login session started. A new call sd_uid_get_login_time() returns - the time the specified user the time since when they most recently - were logged in continously with at least one session. - - * JSON user records gained a new set of fields capabilityAmbientSet and - capabilityBoundingSet which contain a list of POSIX capabilities to - set for the logged in users in the ambient and bounding sets, - respectively. homectl gained the ability to configure these two sets - for users via --capability-bounding-set=/--capability-ambient-set=. - - * pam_systemd learnt two new module options - default-capability-bounding-set= + default-capability-ambient-set= to - configure the default bounding sets for users as they are logging in, - if the JSON user record doesn't specify this explicitly (see - above). The built-in default for the ambient set now contains the - CAP_WAKE_ALARM, thus allowing regular users who may log in locally to - resume from a system suspend via a timer. (see above) - - * Most of systemd's long-running services now have a generic handler of - the SIGRTMIN+18 signal handler which executes various operations - depending on the sigqueue() parameter sent along. For example, values - 0x100…0x107 allow changing the maximum log level of such - services. 0x200…0x203 allow changing the log target of such - services. 0x300 make the services trim their memory similar to the - automatic PSI triggered action, see above. 0x301 make the services - output their malloc_info() data to the logs. - - * systemd-dissect will now show the intended CPU architecture of an - inspected DDI. - - * networkd's GENEVE support as gained a new .network option - InheritInnerProtocol=. 
- - * systemd-dissect will now install itself as mount helper for the "ddi" - pseudo-file type. This means you may now mount DDIs directly via - /bin/mount or /etc/fstab, making full use of embedded Verity - information and all other DDI features. Example: mount -t ddi - myimage.raw /some/where - - * The KERNEL_INSTALL_LAYOUT= setting for kernel-install gained a new - value "auto". If used a kernel will be automatically analyzed, and if - it qualifies as UKI it will be installed as if the setting was to set - to "uki", otherwise via "bls". - - * udevadm gained the new "verify" verb for validating udev rules files - offline. - - * udev will now create symlinks to loopback block devices in the - /dev/loop/by-ref/ directory that are based on the .lo_file_name string - field selected during allocation. The systemd-dissect tool and the - util-linux losetup command now supports a complementing new switch - --loop-ref= for selecting the string. This means a loopback block - device may now be allocated under a caller chosen reference and can - subsequently be referenced by that without first having to look up the - block device name the caller ended up with. - - * udev also creates symlinks to loopback block devices in the - /dev/loop/by-ref/ directory based on the .st_dev/st_ino fields of the - inode attached to the loopback block device. This means that attaching - a file to a loopback device will implicitly make a handle available to - be found via that file's inode information. - - * The systemd-dissect tool gained the new switches --attach/--detach for - attaching a DDI to a loopback block device without mounting it. It - will automatically derive the right sector size from the image and set - up Verity and similar, but not mount the file systems in it. - - * When systemd-gpt-auto-generator or the DDI mounting logic mount an ESP - or XBOOTLDR partition the MS_NOSYMFOLLOW mount option is now - implied. 
Given that these file systems are typically untrusted - territory this should make mounting them automatically have less of a - security impact. - - * If MemoryDenyWriteExecute= is enabled for a service and the kernel - supports the new PR_SET_MDWE prctl() call it is used in preference - over seccomp() based system call filtering to achieve the same effect. - - * systemctl gained a new --when= switch which is honoured by the various - forms of shutdown (i.e. reboot, kexec, poweroff, halt) and allows - scheduling these operations by time, similar in fashion to how this - has been supported by SysV shutdown. - - * machinectl gained new "edit" and "cat" verbs for editing .nspawn - files, inspired by systemctl's verbs of the same which edit unit - files. - - Caught up to cafd2c0be404cb8879f91d15e05cc8b695b32629 + Service Manager: + + * "Startup" memory settings are now supported. Previously IO and CPU + settings were already supported via StartupCPUWeight= and similar, + this adds the same logic for the various per-unit memory settings + StartupMemoryMax= and related. + + * The service manager gained support for enqueuing POSIX signals to + services that carry an additional integer value, exposing the + sigqueue() systemd call. This is accessible via new D-Bus calls + QueueSignalUnit() (and related), as well as in systemctl via the new + --kill-value= parameter. + + * systemctl gained a new "list-paths" verb, which shows all currently + active .path units, similar to how "systemctl list-timers" shows + active timers, and "systemctl list-sockets" shows active sockets. + + * If MemoryDenyWriteExecute= is enabled for a service and the kernel + supports the new PR_SET_MDWE prctl() call it is used in preference + over seccomp() based system call filtering to achieve the same effect. + + * systemctl gained a new --when= switch which is honoured by the various + forms of shutdown (i.e. 
reboot, kexec, poweroff, halt) and allows + scheduling these operations by time, similar in fashion to how this + has been supported by SysV shutdown. + + * A new set of kernel command line options is now understood: + systemd.tty.term.=, systemd.tty.rows.=, + systemd.tty.columns.= allow configuring the TTY type and + dimensions for the tty specified via . When the service invokes + a service on a tty (via TTYName=) it will look for these and configure + the TTY accordingly. This is particularly useful in VM environments, + to propagate host terminal settings into the appropriate TTYs of the + guest. + + * A new RootEphemeral= setting is now understood in service units. It + takes a boolean argument. If enabled for services that use RootImage= + or RootDirectory= an ephemeral copy of the disk image or directory + tree is made when the service is started. It is removed automatically + when the service is stopped. + + * The service activation logic gained new settings RestartSteps= and + RestartMaxDelaySec= which allow exponentially growing restart + intervals for Restart=. + + * PID 1 will now automatically load the virtio_console kernel module + during early initialization if running in a suitable VM. This is done + so that early-boot logging can be written to the console if available. + + * Similar, virtio-vsock supported is loaded early too in suitable VM + environments. Since PID 1 sends sd_notify() notifications via + AF_VSOCK to the VMM these days (if requested), loading this early is + beneficial. + + * A new verb "fdstore" has been added to systemd-analyze to show the + current contents of the file descriptor store of a unit. This is + backed by a new D-Bus call DumpUnitFileDescriptorStore() provided by + the service manager. + + * The service manager will now set a new $FDSTORE environment variable + when invoking processes for services that have the file descriptor + store enabled. 
+ + * A new service option FileDescriptorStorePreserve= has been added that + allows tuning the life-cycle of the per-service file descriptor + store. If set to "yes" the entries in the fd store are retained even + after the service is fully stopped. + + * The "systemctl clean" command may now be used to clear the fdstore of + a service. + + * The PrivateUsers= setting is now implied for user services if certain + sandboxing options are enabled for them, that cannot be implemented + unprivileged unless a user namespace is allocated. (See comment about + this in the v253 NEWS below). + + * Unit *.preset files gained a new directive "ignore", in addition to + the existing "enable" and "disable". As the name suggests it leaves + units defined like this in its status quo, i.e. neither enables nor + disables them. + + * Service units gained a new setting DelegateSubgroup=. It takes the + name of a sub-cgroup to place any processes the service manager forks + off in. Previously, the service manager would place all service + processes directly in the top-level cgroup it creates for them, no + matter what. This usually meant that services with delegation enabled + would first have to move themselves down some level in order to not + conflict with the "no processes in inner cgroups" rule of + cgroupv2. With this option it is now possible to configure the name + of a subgroup to place all processes forked off by PID 1 in directly. + + * The service manager will now look for .upholds/ directories, similar + to the existing support for .wants/ and .requires/ directories, and + uses contained symlinked units for creating Upholds= + dependencies. The [Install] section of unit files gained support for + a new UpheldBy= directive to generate symlinks of this automatically + when a unit is enabled. + + * The service manager now supports a new kernel command line option + systemd.default_device_timeout_sec=, which may be used to override + the default timeout for .device units. 
+ + * A new "soft-reboot" mechanism has been added to the service + manager. A "soft reboot" is similar to a regular reboot, except that + it affects userspace only: the service manager shuts down the running + services and other units, then optionally switches into a new root + file system (mounted to /run/nextroot/), and then passes control to a + systemd instace in the new file system which then starts the system + up again. The kernel is not rebooted and neither is hardware, + firmware or boot loader. It is a fast, lightweight mechanism to + quickly reset or update userspace, without the latency that a full + system reset involves. Moreover, open file descriptors may be passed + across the soft reboot into the new system where they will be passed + back to the originating services. This allows pinning resources + across the reboot, thus minimizing grey-out time further. Moreover, + it is possible to allow specific crucial services to survive the + reboot process, if they run off a separate root file system (i.e. use + RootDirectory= or RootImage=, or are portable services). This new + reboot mechanism is accessible via the new "systemctl soft-reboot" + command. + + * A new service setting MemoryKSM= has been added, which may be used to + enable kernel same-page merging individually for services. + + * A new service setting ImportCredentials= has been added that + configures LoadCredential= and LoadCredentialEncrypted= and searches + for credentials to import from the system, and supports globbing. + + Journal: + + * The sd-journal API learnt a new call sd_journal_get_seqnum() for + retrieving the current log record's sequence number and sequence + number ID, which allows applications to order records the same way as + journal does internally already. The sequence number is now also + exported in the JSON and "export" output of the journal. + + * journalctl gained a new switch --truncate-newline. 
If specified + multi-line log records will be truncated at the first newline, + i.e. only the first line of each log message is shown. + + systemd-repart: + + * systemd-repart's drop-in files gained a new ExcludeFiles= option which + may be used to exclude certain files from the effect of CopyFiles=, + which allows populating newly created partitions automatically. + + * systemd-repart's Verity support now implements the Minimize= setting + to minimize the size of the resulting partition. + + * systemd-repart gained a new --offline= switch, which may be used to + control whether images shall be built "online" or "offline", + i.e. whether to make use of kernel facilities such as loopback block + devices and DM or not. + + * If systemd-repart is told to populate a newly created ESP or XBOOTLDR + partition with some files it will now default to VFAT rather than + ext4, unless specified otherwise. + + * systemd-repart gained a new --architecture= switch. If specified, the + per-architecture GPT partition types (i.e. the root and /usr/ + partitions) configured in the partition drop-in files are + automatically adjusted to match the selected architecture, in order + to simplify cross-architecture DDI building. + + systemd-boot, systemd-stub, ukify, bootctl, kernel-install: + + * bootctl gained a new switch --print-root-device (or short: -R) that + prints the main block device the root file system is backed by. It's + useful for invocations such as "cfdisk $(bootctl -R)" to quickly have + a look at the partition table of the running OS. + + * systemd-stub will now look for the SMBIOS Type 1 field + "io.systemd.stub.kernel-cmdline-extra" and append its value to the + kernel command line it invokes. This is useful for VMMs such as qemu + to pass additional kernel command lines into the system even when + booting via full UEFI. It's measured into TPM PCR 12. + + * The KERNEL_INSTALL_LAYOUT= setting for kernel-install gained a new + value "auto". 
If used a kernel will be automatically analyzed, and if + it qualifies as UKI it will be installed as if the setting was to set + to "uki", otherwise via "bls". + + * systemd-stub can now optionally load UEFI PE "add-on" images that may + contain additional kernel command line information. These "add-ons" + superficially look like a regular UEFI executable, and are expected + to be signed via SecureBoot/shim. However, they do not actually + contain code, but instead a subset of the PE sections that UKIs + support. They are supposed to provide a way to extend UKIs with + additional resources in a secure and authenticated way. Currently, + only the .cmdline PE section may be used in add-ons, in which case + any specified string is appended to the command line embedded into + the UKI itself. In future we expect other sections to be made + extensible like this as well, for example the .initrd section. + + * ukify has been updated to allow building these UEFI PE "add-on" + images. + + * ukify gained a new "genkey" verb for generating a set of of key pairs + to sign UKIs and their PCR data with. + + * The kernel-install script has been rewritten in C, and reuses much of + the infrastructure of existing tools such as bootctl. Moreover it + gained support for --root= and --image= switches, to operate relative + to some root file system or DDI. It also gained --esp-path= and + --boot-path= options to override the path to the ESP, and the $BOOT + partition. Options --make-entry-directory= and --entry-token= have + been added as well, similar to bootctl's options of the same name. + + * A new kernel-install plugin 60-ukify has been added which will + combine kernel/initrd locally into an UKI and sign them with a local + key. This may be used to switch to UKI mode even on systems where a + local kernel or initrd shall be supported. (Typically UKIs are built + and signed on OS vendor systems.) 
+ + * The ukify tool now supports "petool" in addition to the pre-existing + "sbsign" for signing UKIs. + + * systemd-measure and systemd-stub now look for a new .uname PE section + that should encode the kernel's "uname -r" string. + + * systemd-measure may now calculate expected PCR hashes for a UKI + "offline", i.e. requires no access to a TPM (neither physical nor + software emulated). + + Memory Pressure & Control: + + * The sd-event API gained new calls sd_event_add_memory_pressure(), + sd_event_source_set_memory_pressure_type(), + sd_event_source_set_memory_pressure_period() for creating and + configuring an event source that is called whenever the OS signals + memory pressure. Another call sd_event_trim_memory() is provided that + compacts the process' memory use by releasing allocated but unused + malloc() memory back to the kernel. This should improve system + behaviour under memory pressure, as on Linux traditionally provided no + mechanism to return process memory back to the kernel if the kernel + was under pressure to acquire some. This makes use of the kernel's PSI + interface. Most long-running services that systemd contains have been + hooked up with this, and in particular systems with low memory should + benefit from this. + + * Service units learnt the new MemoryPressureWatch=, + MemoryPressureThresholdSec= for configuring the PSI memory pressure + logic individually. If these options are used the + $MEMORY_PRESSURE_WATCH and $MEMORY_PRESSURE_WRITE environment + variables will be set for the invoked services processes to inform + them about the requested memory pressure behaviour. (This is used by + the aforementioned sd-events API additions, if set.) + + * systemd-analyze gained a new "malloc" verb that shows the output + generated by glibc's malloc_info() on services that support it. Right + now, only the service manager has been updated accordingly. 
+ + User & Session Management: + + * The sd-login API gained a new call sd_session_get_username() for + returning the user name who owns a specific login session. It also + gained a new call sd_session_get_start_time() for retrieving the time + the login session started. A new call sd_session_get_leader() has + been added to return the PID of the "leader" process of a session. A + new call sd_uid_get_login_time() returns the time the specified user + the time since when they most recently were logged in continously + with at least one session. + + * JSON user records gained a new set of fields capabilityAmbientSet and + capabilityBoundingSet which contain a list of POSIX capabilities to + set for the logged in users in the ambient and bounding sets, + respectively. homectl gained the ability to configure these two sets + for users via --capability-bounding-set=/--capability-ambient-set=. + + * pam_systemd learnt two new module options + default-capability-bounding-set= + default-capability-ambient-set= to + configure the default bounding sets for users as they are logging in, + if the JSON user record doesn't specify this explicitly (see + above). The built-in default for the ambient set now contains the + CAP_WAKE_ALARM, thus allowing regular users who may log in locally to + resume from a system suspend via a timer. (see above) + + * The Session D-Bus objects systemd-logind provides gained a new + SetTTY() method call for updating the TTY of a session after it has + been allocated already. This is useful for SSH sessions which are + typically allocated first, and for which a TTY is added in later. + + * The sd-login API gained a new call sd_pid_notifyf_with_fds() which + combines the various other sd_pid_notify() flavours into one: takes a + format string, an overriding PID, and a set of file descriptors to + send along. 
It also gained a new call sd_pid_notify_barrier() which + is equivalent to sd_notify_barrier() but allows specification of the + originating PID. + + * "loginctl list-users" and "loginctl list-sessions" will now show the + state of each logged in user/session in their tabular output. It will + also show the current idle state of sessions. + + DDIs: + + * systemd-dissect will now show the intended CPU architecture of an + inspected DDI. + + * systemd-dissect will now install itself as mount helper for the "ddi" + pseudo-file system type. This means you may now mount DDIs directly + via /bin/mount or /etc/fstab, making full use of embedded Verity + information and all other DDI features. Example: mount -t ddi + myimage.raw /some/where + + * The systemd-dissect tool gained the new switches --attach/--detach for + attaching a DDI to a loopback block device without mounting it. It + will automatically derive the right sector size from the image and set + up Verity and similar, but not mount the file systems in it. + + * When systemd-gpt-auto-generator or the DDI mounting logic mount an ESP + or XBOOTLDR partition the MS_NOSYMFOLLOW mount option is now + implied. Given that these file systems are typically untrusted + territory this should make mounting them automatically have less of a + security impact. + + * All tools that parse DDIs (such as systemd-nspawn, systemd-dissect, + systemd-tmpfiles, …) now understand a new switch --image-policy= which + takes a string encoding image dissection policy. With this mechanism + automatic discovery and use of specific partition types and the + cryptographic requirements on the partitions (Verity, LUKS, …) can be + restricted, permitting better control of the exposed attack surfaces + when mounting disk images. systemd-gpt-auto-generator will honour such + an image policy too, configurable via the systemd.image_policy= kernel + command line option. 
Unit files gained the RootImagePolicy=, + MountImagePolicy= and ExtensionImagePolicy= to configure the same for + disk images a service runs off. + + * systemd-analyze gained a new verb "image-policy" for validating and + parsing image policy strings. + + * systemd-dissect gained support for a new --validate switch for + superficially validating DDI structure, and checking whether a + specific image policy allows the DDI. + + Network Management: + + * networkd's GENEVE support as gained a new .network option + InheritInnerProtocol=. + + Device Management: + + * udevadm gained the new "verify" verb for validating udev rules files + offline. + + * udev will now create symlinks to loopback block devices in the + /dev/loop/by-ref/ directory that are based on the .lo_file_name string + field selected during allocation. The systemd-dissect tool and the + util-linux losetup command now supports a complementing new switch + --loop-ref= for selecting the string. This means a loopback block + device may now be allocated under a caller chosen reference and can + subsequently be referenced by that without first having to look up the + block device name the caller ended up with. + + * udev also creates symlinks to loopback block devices in the + /dev/loop/by-ref/ directory based on the .st_dev/st_ino fields of the + inode attached to the loopback block device. This means that attaching + a file to a loopback device will implicitly make a handle available to + be found via that file's inode information. + + * udev gained a new tool "iocost" that can be used to configure QoS IO + cost data based on hwdb information onto suitable block devices. Also + see https://github.com/iocost-benchmark/iocost-benchmarks. + + TPM2 Support + Disk Encryption & Authentication: + + * systemd-cryptenroll/systemd-cryptsetup will now install a TPM2 SRK + ("Storage Primary Key") as first step in the TPM2, and then use that + for binding FDE to, if TPM2 support is used. 
This matches + recommendations of TCG (see + https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf) + + * systemd-cryptenroll and other tools that take TPM2 PCR parameters now + understand textual identifiers for these PCRs. + + * systemd-veritysetup + /etc/veritytab gained support for a series of + new options: hash-offset=, superblock=, format=, data-block-size=, + hash-block-size=, data-blocks=, salt=, uuid=, hash=, fec-device=, + fec-offset=, fec-roots= to configure various aspects of a Verity + volume. + + * systemd-cryptsetup + /etc/crypttab gained support for a new + veracrypt-pim= option for setting the Personal Iteration Multiplier + of veracrypt volumes. + + * systemd-integritysetup + /etc/integritytab gained support for a new + mode= setting for controlling the dm-integrity mode (journal, bitmap, + direct) for the volume. + + systemd-tmpfiles: + + * The ACL support in tmpfiles.d/ has been updated: if an uppercase "X" + access right is specified this is equivalent to "x" but only if the + inode in question already has the executable bit set for at least + some user/group. Otherwise the "x" bit will be turned off. + + * tmpfiles.d/'s C line type now understands a new modifier "+": a line + with C+ will result in a "merge" copy, i.e. all files of the source + tree are copied into the target tree, even if that tree already + exists, resulting in a combined tree of files already present in the + target tree and those copied in. + + * systemd-tmpfiles gained a new --graceful switch. If specified lines + with unknown users/groups will silently be skipped. + + systemd-notify: + + * systemd-notify gained two new options --fd= and --fdname= for sending + arbitrary file descriptors to the service manager (while specifying an + explicit name for it). + + * systemd-notify gained a new --exec switch, which makes it execute the + specified command line after sending the requested messages. 
This is + useful for sending out READY=1 first, and then continuing invocation + without changing process ID, so that the tool can be nicely used + within an ExecStart= line of a unit file that uses Type=ready. + + sd-event + sd-bus APIs: + + * The sd-event API gained a new call sd_event_source_leave_ratelimit() + which may be used to explicitly end a rate-limit state an event + source might be in, resetting all rate limiting counters. + + * When the sd-bus library is used to make connections to AF_UNIX D-Bus + sockets, it will now encode the "description" one can set via + sd_bus_set_description into the source socket address. It will also + look for this information when accepting a connection. This is useful + to track individual D-Bus connections on a D-Bus broker for debug + purposes. + + systemd-resolved: + + * systemd-resolved gained a new resolved.conf setting + StateRetentionSec= which may be used to retain cached DNS records + even after their nominal TTL, and use them in case upstream DNS + servers cannot be reached. This should make name resolution more + resilient in case of network problems. + + * resolvectl gained a new verb "show-cache" for showing current cache + contents of systemd-resolved. + + Other: + + * The default keymap to apply may now be chosen at build-time via the + new default-keymap meson option. + + * Most of systemd's long-running services now have a generic handler of + the SIGRTMIN+18 signal handler which executes various operations + depending on the sigqueue() parameter sent along. For example, values + 0x100…0x107 allow changing the maximum log level of such + services. 0x200…0x203 allow changing the log target of such + services. 0x300 make the services trim their memory similar to the + automatic PSI triggered action, see above. 0x301 make the services + output their malloc_info() data to the logs. 
+ + * machinectl gained new "edit" and "cat" verbs for editing .nspawn + files, inspired by systemctl's verbs of the same which edit unit + files. Similar, networkctl gained the same verbs for editing + .network, .netdev, .link files. + + * A new syscall filter group "@sandbox" has been added that contains + syscalls for sandboxing system calls such as those for seccomp and + Landlock. + + * New documentation has been added: + + https://systemd.io/COREDUMP + https://systemd.io/MEMORY_PRESSURE + + * systemd-firstboot gained a new --reset option. If specified the + settings in /etc/ it normally initializes are reset instead. + + * systemd-sysext is now a multi-call binary and also installed under the + systemd-confext alias name (via a symlink). When invoked that way it + will operate on /etc/ instead of /usr/ + /opt/. It thus becomes a + powerful, atomic, secure configuration management of sorts, that + locally can merge configuration from multiple confext configuration + images into a single immutable tree. + + * The --network-macvlan=, --network-ipvlan=, --network-interface= + switches of systemd-nspawn may now optionally take the intended + network interface inside the container. + + * All our programs will now send an sd_notify() message with their exit + status in the EXIT_STATUS= field when exiting, using the usual + protocol, including PID 1. This is useful for VMMs and container + managers to collect an exit status from a system as it shuts down, as + set via "systemctl exit …". This is particularly useful in test cases + and similar, as invocations via a VM can now nicely propagate an exit + status to the host, similar to local processes. + + * systemd-run gained a new switch --expand-environment=no to disable + server-side enviornment variable expansion in specified command + lines. 
+ + * The systemd-system-update-generator has been update to also look for + the special flag file /etc/system-update in addition to the existing + support for /system-update to decide whether to enter system update + mode. + + * The /dev/hugepages file system is now mounted with nosuid + nodev + mount options by default. + + * systemd-fstab-generator now understands two new kernel command line + options systemd.mount-extra= and systemd.swap-extra= which may be + used to configure additional mounts or swaps via the kernel command + line, in a format similar to /etc/fstab lines. + + * systemd-sysupdate' sysupdate.d/ drop-ins gained a new setting + PathRelativeTo=, which can be set to "esp", "xbootldr", "boot", in + which case the Path= setting is taken relative to the ESP or XBOOTLDR + partitions, rather than the system's root directory /. The relevant + directories are automatically discovered. + + * The systemd-ac-power tool gained a new switch --low, which reports + whether the battery charge is considered "low", similar to how the + s2h suspend logic checks this state to decide whether to enter system + suspend or hibernation. + + * The /etc/os-release file now has two new optional fields VENDOR_NAME= + and VENDOR_URL= carrying information about the vendor of the OS. + + * When the system hibernates information about the used device and + offset is now written to a non-volatile EFI variable. On next boot + the system will attempt to resume from the location indicated in this + EFI variable. This should make hibernation a lot more robust, and + requiring no manual configuration of the resume location. CHANGES WITH 253:
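Review bot: the moved systemd-notify --exec entry still ends with "within an ExecStart= line of a unit file that uses Type=ready"; there is no Type=ready service type, the text means Type=notify (the type for which an early READY=1 followed by exec of the real payload matters), so fix it here instead of carrying the pre-existing typo over into the reorganised section. The rest of the added text has wording slips that should be cleaned up before the release notes are tagged: "server-side enviornment variable expansion" (environment), "systemd-sysupdate' sysupdate.d/" (systemd-sysupdate's), "has been update to also look for" (updated), "Similar, networkctl gained the same verbs" (Similarly), "systemctl's verbs of the same which edit unit files" (of the same name), "a generic handler of the SIGRTMIN+18 signal handler" (drop the second "handler"), "0x300 make the services" and "0x301 make the services" (makes), "If specified lines with unknown users/groups" (comma after "specified"), "may now optionally take the intended network interface inside the container" (interface name), and "and requiring no manual configuration of the resume location" (and requires). Two entries also need one more sentence each: the hibernation entry should say whether the non-volatile EFI variable holding device and offset is cleared once it has been consumed and how that location is validated before the kernel is asked to resume from it, because a stale or foreign value would otherwise be honoured on every subsequent boot; and the systemd-tmpfiles --graceful entry should state whether a skipped line is reported at all, since dropping an ownership, mode or ACL line without any message changes what ends up on disk with no signal to the operator.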
