From: Luca Boccassi Date: Tue, 4 Oct 2022 10:33:50 +0000 (+0100) Subject: Update NEWS X-Git-Tag: v252-rc1~22 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f77c0840d505825f14ff30921752cb26778bf53e;p=thirdparty%2Fsystemd.git Update NEWS --- diff --git a/NEWS b/NEWS index 1281964b21a..5cdd3c66504 100644 --- a/NEWS +++ b/NEWS @@ -10,6 +10,11 @@ CHANGES WITH 252 in spe: sooner rather than later, if you haven't done so yet. Most of Linux userspace has been ported over already. + * Please note that we intend to remove support for split-usr and + unmerged-usr. This will happen in the second half of 2023, in the + first release that falls into that time window. For more details, see: + https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html + Compatibility Breaks: * ConditionKernelVersion= checks that use the = or != operator will now 
@@ -63,6 +68,33 @@ CHANGES WITH 252 in spe: conditionalize a unit so that it is only run when /sys/class/dmi/id/board_name contains "Custom Board" (without quotes). + * ConditionFirstBoot= now correctly evaluates as true only during the + boot phase of the first boot. A unit re-ran later, after booting has + completed, will no longer evaluate this condition as true. + + * Socket units will now create sockets in the SELinuxContext= of the + associated service unit, if any. + + * Boot phase transitions (start initrd -> exit initrd -> boot complete + -> shutdown) will be measured into PCR11, so that secrets can be bound + to specific runtime phases. E.g.: a LUKS encryption key can be + unsealed only in the initrd. + + * Credentials will now also be provided to ExecStartPre= processes. + + * Various units are now correctly ordered with initrd-switch-root.target + where previously some were just (indirectly) ordered only with + initrd-switch-root.service. + + * In order to fully support the IPMI watchdog driver, which has not yet + been ported to the new numbered device interface, /dev/watchdog0 will + be tried first and systemd will silently fallback to /dev/watchdog if + it is not found. + + * New watchdog-related D-Bus properties are now published by systemd: + WatchdogDevice, WatchdogLastPingTimestamp, + WatchdogLastPingTimestampMonotonic. + Changes in sd-boot, bootctl, and the Boot Loader Specification: * The Boot Loader Specification has been cleaned up and clarified. 
@@ -87,6 +119,13 @@ CHANGES WITH 252 in spe: * The sd-boot stub exports a StubFeatures flag, which is used by bootctl to show features supported by the stub that was used to boot. + * sd-boot will now try to detect and warn about overlapping PE sections. + + * sd-stub now accepts (and passes to the initrd and then to the full OS) + new PE sections '.pcrsig' and '.pcrkey' that can be used to embed + signatures of PCR policies, to allow sealing secrets via the TPM2 + against pre-calculated PCR measurements. + Changes in the hardware database: * 'systemd-hwdb query' now supports the '--root' option. 
@@ -111,24 +150,35 @@ CHANGES WITH 252 in spe: * The RapidCommit= is (re-)introduced to enable faster configuration via DHCPv6 (RFC 3315). + * networkd gained a new option TCPCongestionControlAlgorithm= that + allows setting a per-route TCP algorithm. + Changes in systemd-nspawn: * The --bind= and --overlay= options now support relative paths. - Changes in libsystemd and other libraries: + * The --bind= option nows supports a 'rootidmap' value, which will + use id-mapped mounts to map the root user inside the container to the + owner of the mounted directory on the host. - * libsystemd now exports the sd-netlink interface that provides - functions to send/receive/parse netlink and rtnl messages. + Changes in libsystemd and other libraries: * libsystemd now exports sd_bus_error_setfv (a convenience function for setting bus errors), sd_id128_string_equal (a convenience function for identifier comparisons), sd_bus_message_read_strv_extend (a function to incrementally read string arrays). + * libsystemd now exports sd_device_get_child_first/next as a high-level + interface for enumerating child devices. + * Private shared libraries (libsystemd-shared-nnn.so, libsystemd-core-nnn.so) are now installed into arch-specific directories to allow multi-arch installs. + * A new sd-gpt.h header is now published, listing GUIDs from the + Discoverable Partitions specification. For more details see: + https://systemd.io/DISCOVERABLE_PARTITIONS/ + Changes in other components: * sysusers and tmpfiles configuration can now be provided via the 
@@ -139,6 +189,15 @@ CHANGES WITH 252 in spe: This mechanism is used to automatically populate /etc/motd, /etc/issue, and /etc/hosts from credentials. + * tmpfiles will now avoid changing uid/gid/mode of an inode if the + specification is prefixed with ':' and the inode already exists. + + * tmpfiles will automatically use a 'ssh.authorized_keys.root' + credential if provided to set up the authorized_keys file for the root + user. + + * tmpfiles will now gracefully handle absent source of "C" copy lines. + * systemd-analyze gained a new verb 'compare-versions' that implements comparisons for versions strings (similarly to 'rpmdev-vercmp' and 'dpkg --compare-versions'). 
@@ -169,9 +228,91 @@ CHANGES WITH 252 in spe: "short-delta". It is similar to "short-monotonic" but also shows the time delta between two messages. + * journalctl now respects the '-quiet' flag when verifying journal files + consistency. + + * systemd-journald log messages gained a new implicit field + '_RUNTIME_SCOPE=' that will indicate whether a message was logged in + the 'initrd' phase or in the 'system' phase of the boot process. + + * systemd-run's '--working-directory' now works when used together with + '--scope'. + + * portablectl gained a '--force' flag (and a corresponding 0x2 flag is + now accepted by the *WithExtensions() D-Bus methods of portabled) to + skip certain sanity checks. For now, this means that on attach/detach + it will not be checked whether the unit(s) are already present and/or + running. Callers must be sure to do those checks themselves. + + * systemd-resolved now persists DNSOverTLS in its state file too. This + fixes a problem when used in combination with NetworkManager, which + sends the setting only once, causing it to be lost if resolved was + restarted at any point during runtime. + + * systemd-resolved now exposes a varlink socket, which requires root to + connect to, at /run/systemd/resolve/io.systemd.Resolve.Monitor + When a varlink client connects, processed DNS requests will be + published on this monitor socket in JSON format. + resolvectl gained a 'monitor' verb to use this socket. + + * systemd-resolved now treats unsupported DNSSEC algorithms are as + INSECURE instead of returning SERVFAIL, as per RFC: + https://datatracker.ietf.org/doc/html/rfc6840#section-5.2 + + * systemd-repart now supports creating squashfs partitions. Requires + squashfs-tools (mksquashfs). + + * systemd-repart gained a '--split' flag to make it also generated split + artifacts, ie, a separate file for each partition. This is useful in + conjuction with systemd-sysupdate or other tools, or to generate split + dm-verity artifacts. 
+ + * systemd-repart is now able to generate dm-verity partitions, including + signatures. + + * systemd-repart is now able to set a partition UUID to zero. This is + useful when we need to fill in the UUID later, such as when using + verity partitions. + + * Package metadata logged by systemd-coredump in the system journal is + now more compact. + + * xdg-autostart-service now expands 'tilde' characters in Exec lines. + + * systemd-oomd now automatically links against libatomic, if available. + + * systemd-pstore will now try to load only the efi_pstore kernel module, + instead of all possible modules that it supports. + + * systemd-logind will now schedule the next idle check from 'now' if the + atime timestamp cannot be found. + + * systemd-homed will now wait up to 30 seconds for workers to terminate, + rather than indefinitely. + + * systemd-sysusers will now respect the 'SOURCE_DATE_EPOCH' environment + variable when generating the 'sp_lstchg' field, to ensure an image + build can be reproducible. + + * udevadmn 'wait' will now listen to kernel uevents too when called with + '--initialized=no'. + + * All features and tools using the TPM2 will now communicate with it + using a bind key. Beforehand, the tpm2 support used encrypted sessions + by creating a primary key that was used to encrypt traffic. This + creates a problem as the key created for encrypting the traffic could + be faked by an active interposer on the bus. In cases when a pin is + used, a bind key will be used. The pin is used as the auth value for + the seal key, aka the disk encryption key, and that auth value will be + used in the session establishment. An attacker would need the pin + value to create the secure session and thus an active interposer + without the pin cannot interpose on TPM traffic. + + Experimental features: - * BPF programs can now be compiled with bpf-gcc. + * BPF programs can now be compiled with bpf-gcc (requires libbpf >= 1.0 + and bpftool >= 7.0). 
* sd-boot can automatically enroll SecureBoot keys from files found on the ESP. This enrollment can be either automatic ('force' mode) or
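Review bot: In the hunk at @@ -63,6 +68,33 @@, two grammar fixes: the ConditionFirstBoot= entry should read "A unit re-run later" rather than "re-ran", and the IPMI watchdog entry should use the verb form "silently fall back to /dev/watchdog" rather than "fallback". The PCR11 entry's example ("a LUKS encryption key can be unsealed only in the initrd") is the important security claim of this hunk; consider spelling out that this holds only for secrets sealed against the phase measurement, so readers do not assume existing LUKS setups are retroactively bound.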
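Review bot: The hunk at @@ -111,24 +150,35 @@ removes the existing entry "libsystemd now exports the sd-netlink interface ..." without any explanation, and the commit message ("Update NEWS") does not say whether the export was reverted or the line was deleted by mistake while reordering the nspawn section; please either keep the line or mention the reason in the commit message. Also fix the typo "nows supports" in the rootidmap entry, and "a per-route TCP algorithm" is clearer as "a per-route TCP congestion control algorithm" since that is what TCPCongestionControlAlgorithm= sets.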
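Review bot: In the hunk at @@ -139,6 +189,15 @@, the last tmpfiles entry reads awkwardly; "will now gracefully handle an absent source for "C" copy lines" is clearer. The ':' prefix entry would benefit from one sentence on what "avoid changing" means in practice (the line is still applied when the inode does not exist), as that is the behaviour an operator will want to rely on.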
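Review bot: In the hunk at @@ -169,9 +228,91 @@, the TPM2 bind-key entry contradicts itself: its first sentence says "All features and tools using the TPM2 will now communicate with it using a bind key", but a few lines later it says "In cases when a pin is used, a bind key will be used." Please state which is true and make explicit that, if the bind key depends on a PIN, the active-interposer protection described at the end of the paragraph is only obtained when a PIN is configured; also use consistent spelling (TPM2/PIN rather than tpm2/pin). Smaller fixes in the same hunk: "'-quiet' flag" should be "'--quiet'" (the short form is '-q'); "treats unsupported DNSSEC algorithms are as INSECURE" has a stray "are"; "make it also generated split artifacts, ie," should be "generate split artifacts, i.e.,"; "conjuction" should be "conjunction"; "udevadmn 'wait'" should be "udevadm 'wait'"; and the varlink entry is missing a period after the socket path before "When a varlink client connects".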