mirror of
https://github.com/systemd/systemd-stable.git
synced 2025-02-02 09:47:03 +03:00
NEWS: fix typos and reword things
In particular, 'system/service credentials' are now described as simply 'credentials'. The selling point of credentials is that they are transparently propagated from the system to services, so distinguishing between system and service credentials is not important. The description of ordering against initrd-switch-root.target is completely rewritten. The old description was confused. I think the description of systemd-measure should be reworked to clearly describe what new functionality is provided and what policy changes are built on top. But I don't grok the details, so I left this part unchanged.
parent
01f516314f
commit
02380e1946
244
NEWS
@ -2,38 +2,40 @@ systemd System and Service Manager
|
|||||||
|
|
||||||
CHANGES WITH 252 in spe:
|
CHANGES WITH 252 in spe:
|
||||||
|
|
||||||
Announcement of Future Feature Removal:
|
Announcements of Future Feature Removals:
|
||||||
|
|
||||||
* Please note that we intend to remove cgroupsv1 support from systemd
|
* We intend to remove cgroup v1 support from systemd release after the
|
||||||
release after EOY 2023. If you run services that make explicit use of
|
end of 2023. If you run services that make explicit use of cgroup v1
|
||||||
cgroupsv1 features, please implement compatibility with cgroupsv2
|
features (i.e. the "legacy hierarchy" with separate hierarchies for
|
||||||
sooner rather than later, if you haven't done so yet. Most of Linux
|
each controller), please implement compatibility with cgroup v2 (i.e.
|
||||||
|
the "unified hierarchy") sooner rather than later. Most of Linux
|
||||||
userspace has been ported over already.
|
userspace has been ported over already.
|
||||||
|
|
||||||
* Please note that we intend to remove support for split-usr and
|
* We intend to remove support for split-usr (/usr mounted separately
|
||||||
unmerged-usr. This will happen in the second half of 2023, in the
|
during boot) and unmerged-usr (parallel directories /bin and
|
||||||
first release that falls into that time window. For more details,
|
/usr/bin, /lib and /usr/lib, etc). This will happen in the second
|
||||||
see:
|
half of 2023, in the first release that falls into that time window.
|
||||||
|
For more details, see:
|
||||||
https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html
|
https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html
|
||||||
|
|
||||||
Compatibility Breaks:
|
Compatibility Breaks:
|
||||||
|
|
||||||
* ConditionKernelVersion= checks that use the = or != operator will now
|
* ConditionKernelVersion= checks that use the '=' or '!=' operators
|
||||||
do simple string compares (as opposed to version compare – á la
|
will now do simple string comparisons (instead of version comparisons
|
||||||
stverscmp() — as before, which is still done for the ordering
|
á la stverscmp()). Version comparisons are still done for the
|
||||||
operators <, >, <=, >=). Moreover, if no operator is specified a
|
ordering operators '<', '>', '<=', '>='. Moreover, if no operator is
|
||||||
shell-style glob match is now done. This creates a minor
|
specified, a shell-style glob match is now done. This creates a minor
|
||||||
incompatibility compared to older systemd versions, in case the *, ?,
|
incompatibility compared to older systemd versions when the '*', '?',
|
||||||
[, ], characters have been used in such condition expressions before,
|
'[', ']' characters are used, as these will now match as shell globs
|
||||||
as these will now match per shell glob rules instead of
|
instead of literally. Given that kernel version strings typically do
|
||||||
literally. Given that kernel version strings typically do not include
|
not include these characters we expect little breakage through this
|
||||||
these characters we expect little breakage through this change.
|
change.
|
||||||
|
|
||||||
* The service manager will now read the SELinux label off unit files at
|
* The service manager will now read the SELinux label used for SELinux
|
||||||
the time it loads them, and then solely base SELinux access checks on
|
access checks from the unit file at the time it loads the file.
|
||||||
that. Previously it would read the SELinux label unit files at the
|
Previously, the label would be read at the moment of the access
|
||||||
moment of the access check, which would be problematic since at that
|
check, which was problematic since at that time the unit file might
|
||||||
time the unit file might already have been updated or removed.
|
already have been updated or removed.
|
||||||
|
|
||||||
New Features:
|
New Features:
|
||||||
|
|
||||||
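Review bot: 'á la stverscmp()' in the rewritten ConditionKernelVersion= entry uses the wrong accent; the phrase is 'à la'. The old line had the same mistake, so this rewrite is the place to fix it. In the cgroup v1 entry, 'remove cgroup v1 support from systemd release after the end of 2023' drops the article; suggest 'from the systemd release after the end of 2023'.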
@ -56,11 +58,11 @@ CHANGES WITH 252 in spe:
|
|||||||
* systemd-pcrphase is a new tool that is invoked at 4 places during
|
* systemd-pcrphase is a new tool that is invoked at 4 places during
|
||||||
system runtime, and measures additional words into TPM2 PCR 11, to
|
system runtime, and measures additional words into TPM2 PCR 11, to
|
||||||
mark milestones of the boot process. This allows binding access to
|
mark milestones of the boot process. This allows binding access to
|
||||||
specific TPM2-bound secrets to specific phases of the boot
|
specific TPM2-encrypted secrets to specific phases of the boot
|
||||||
process. (think: LUKS2 disk encryption key only accessible in the
|
process. (Think: LUKS2 disk encryption key only accessible in the
|
||||||
initrd, but not later)
|
initrd, but not later.)
|
||||||
|
|
||||||
Changes in systemd itself, i.e. the manager, and units
|
Changes in systemd itself, i.e. the manager and units
|
||||||
|
|
||||||
* The cpu controller is delegated to user manager units by default, and
|
* The cpu controller is delegated to user manager units by default, and
|
||||||
CPUWeight= settings are applied to the top-level user slice units
|
CPUWeight= settings are applied to the top-level user slice units
|
||||||
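Review bot: 'TPM2-encrypted secrets' is less precise than the wording used elsewhere in this file. The same feature is described further down as secrets that are 'bound to a specific runtime phase' and 'unsealed only in the initrd', and the '.pcrsig'/'.pcrkey' entry talks about 'sealing secrets via the TPM2 against pre-calculated PCR measurements'. Suggest 'TPM2-sealed secrets' here so the terminology matches.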
@ -70,54 +72,60 @@ CHANGES WITH 252 in spe:
|
|||||||
|
|
||||||
* Systemd can optionally do a full preset in the "first boot" condition
|
* Systemd can optionally do a full preset in the "first boot" condition
|
||||||
(instead of just enable-only). This behaviour is controlled by the
|
(instead of just enable-only). This behaviour is controlled by the
|
||||||
compile-time option -Dfirst-boot-full-preset=. Right now it defaults
|
compile-time option -Dfirst-boot-full-preset. Right now it defaults
|
||||||
to 'false', but the plan is to switch it to 'true' for the subsequent
|
to 'false', but the plan is to switch it to 'true' for the subsequent
|
||||||
release.
|
release.
|
||||||
|
|
||||||
* Systemd will set the taint flag 'support-ended' if it detects that
|
* Systemd will set the taint flag 'support-ended' if it detects that
|
||||||
the OS image is past its end-of-support date. (As declared in a new
|
the OS image is past its end-of-support date. This date is declared
|
||||||
/etc/os-release field.)
|
in a new /etc/os-release field SUPPORT_END= described below.
|
||||||
|
|
||||||
* Two new settings ConditionCredential= and AssertCredential= can be
|
* Two new settings ConditionCredential= and AssertCredential= can be
|
||||||
used to skip or fail units if a certain system credential is not
|
used to skip or fail units if a certain credential is not provided.
|
||||||
provided.
|
|
||||||
|
|
||||||
* ConditionMemory= accepts size suffixes (i.e. K, M, G, T).
|
* ConditionMemory= accepts size suffixes (K, M, G, T, …).
|
||||||
|
|
||||||
* DefaultSmackProcessLabel= can be used in system.conf and user.conf to
|
* DefaultSmackProcessLabel= can be used in system.conf and user.conf to
|
||||||
specify the SMACK security label to use when not specified in a unit
|
specify the SMACK security label to use when not specified in a unit
|
||||||
file.
|
file.
|
||||||
|
|
||||||
* DefaultDeviceTimeoutSec= can be used system.conf and user.conf to
|
* DefaultDeviceTimeoutSec= can be used in system.conf and user.conf to
|
||||||
specify the default timeout when waiting for device units to activate.
|
specify the default timeout when waiting for device units to
|
||||||
|
activate.
|
||||||
|
|
||||||
* C.UTF-8 is used as the default locale if nothing else has been
|
* C.UTF-8 is used as the default locale if nothing else has been
|
||||||
configured.
|
configured.
|
||||||
|
|
||||||
* Extend [Condition|Assert]Firmware= to conditionalize on certain
|
* [Condition|Assert]Firmware= have been extended to support certain
|
||||||
SMBIOS fields. For example ConditionFirmware=smbios-field(board_name
|
SMBIOS fields. For example
|
||||||
= "Custom Board") will conditionalize a unit so that it is only run
|
|
||||||
when /sys/class/dmi/id/board_name contains "Custom Board" (without
|
ConditionFirmware=smbios-field(board_name = "Custom Board")
|
||||||
|
|
||||||
|
conditionalizes the unit to run only when
|
||||||
|
/sys/class/dmi/id/board_name contains "Custom Board" (without the
|
||||||
quotes).
|
quotes).
|
||||||
|
|
||||||
* ConditionFirstBoot= now correctly evaluates as true only during the
|
* ConditionFirstBoot= now correctly evaluates as true only during the
|
||||||
boot phase of the first boot. A unit re-ran later, after booting has
|
boot phase of the first boot. A unit executed later, after booting
|
||||||
completed, will no longer evaluate this condition as true.
|
has completed, will no longer evaluate this condition as true.
|
||||||
|
|
||||||
* Socket units will now create sockets in the SELinuxContext= of the
|
* Socket units will now create sockets in the SELinuxContext= of the
|
||||||
associated service unit, if any.
|
associated service unit, if any.
|
||||||
|
|
||||||
* Boot phase transitions (start initrd → exit initrd → boot complete →
|
* Boot phase transitions (start initrd → exit initrd → boot complete →
|
||||||
shutdown) will be measured into TPM2 PCR 11, so that secrets can be
|
shutdown) will be measured into TPM2 PCR 11, so that secrets can be
|
||||||
bound to specific runtime phases. E.g.: a LUKS encryption key can be
|
bound to a specific runtime phase. E.g.: a LUKS encryption key can be
|
||||||
unsealed only in the initrd.
|
unsealed only in the initrd.
|
||||||
|
|
||||||
* Service credentials (i.e. SetCredential=/LoadCredential=/…) will now
|
* Service credentials (i.e. SetCredential=/LoadCredential=/…) will now
|
||||||
also be provided to ExecStartPre= processes.
|
also be provided to ExecStartPre= processes.
|
||||||
|
|
||||||
* Various units are now correctly ordered with
|
* Various units are now correctly ordered against
|
||||||
initrd-switch-root.target where previously some were just
|
initrd-switch-root.target where previously a conflict without
|
||||||
(indirectly) ordered only with initrd-switch-root.service.
|
ordering was configured. A stop job for those units would be queued,
|
||||||
|
but without the ordering it could be executed only after
|
||||||
|
initrd-switch-root.service, leading to units not being restarted in
|
||||||
|
the host system as expected.
|
||||||
|
|
||||||
* In order to fully support the IPMI watchdog driver, which has not yet
|
* In order to fully support the IPMI watchdog driver, which has not yet
|
||||||
been ported to the new common watchdog device interface,
|
been ported to the new common watchdog device interface,
|
||||||
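Review bot: the entry 'Service credentials (i.e. SetCredential=/LoadCredential=/…) will now also be provided to ExecStartPre= processes' is left untouched, but the commit message says the system/service distinction is being dropped in favour of plain 'credentials'; suggest 'Credentials (i.e. SetCredential=/LoadCredential=/…)'. Separately, the 'Boot phase transitions (start initrd → exit initrd → boot complete → shutdown) will be measured into TPM2 PCR 11' bullet repeats the systemd-pcrphase entry from the New Features section (same PCR 11, same LUKS-key-only-in-the-initrd example); consider merging the two or making this one refer to systemd-pcrphase by name. In the initrd-switch-root.target rewrite, 'could be executed only after initrd-switch-root.service' reads as if the stop job was always deferred; if the problem is that it might run after the switch-root, 'could end up being executed after initrd-switch-root.service' says that more clearly.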
@ -128,10 +136,11 @@ CHANGES WITH 252 in spe:
|
|||||||
WatchdogDevice, WatchdogLastPingTimestamp,
|
WatchdogDevice, WatchdogLastPingTimestamp,
|
||||||
WatchdogLastPingTimestampMonotonic.
|
WatchdogLastPingTimestampMonotonic.
|
||||||
|
|
||||||
* At shutdown, API VFS (proc, sys, etc.) will be unmounted lazily.
|
* At shutdown, API virtual files systems (proc, sys, etc.) will be
|
||||||
|
unmounted lazily.
|
||||||
|
|
||||||
* At shutdown, we'll now try to log about processes blocking unmounting
|
* At shutdown, systemd will now log about processes blocking unmounting
|
||||||
of mounted file systems.
|
of file systems.
|
||||||
|
|
||||||
* A new meson build option 'clock-valid-range-usec-max' was added to
|
* A new meson build option 'clock-valid-range-usec-max' was added to
|
||||||
allow disabling system time correction if RTC returns a timestamp far
|
allow disabling system time correction if RTC returns a timestamp far
|
||||||
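Review bot: 'API virtual files systems (proc, sys, etc.)' in the new text should be 'API virtual file systems'.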
@ -142,19 +151,18 @@ CHANGES WITH 252 in spe:
|
|||||||
|
|
||||||
* PID 1 will now import system credentials from SMBIOS Type 11 fields
|
* PID 1 will now import system credentials from SMBIOS Type 11 fields
|
||||||
("OEM vendor strings"), in addition to qemu_fwcfg. This provides a
|
("OEM vendor strings"), in addition to qemu_fwcfg. This provides a
|
||||||
simple, fast and generic path for supplying credentials from a VM
|
simple, fast and generic path for supplying credentials to a VM,
|
||||||
manager into a VM for further propagation into system services,
|
without involving external tools such as cloud-init/ignition.
|
||||||
entirely without external packages such as cloud-init/ignition.
|
|
||||||
|
|
||||||
* The CPUWeight= setting of unit files now accepts a new special value
|
* The CPUWeight= setting of unit files now accepts a new special value
|
||||||
"idle", which configures "idle" level scheduling for the unit.
|
"idle", which configures "idle" level scheduling for the unit.
|
||||||
|
|
||||||
* Service processes that are activated due to a .timer or .path unit
|
* Service processes that are activated due to a .timer or .path unit
|
||||||
triggering will now receive information about this via environment
|
triggering will now receive information about this via environment
|
||||||
variables. Do not that this is lossy information, as activation might
|
variables. Note that this is information is lossy, as activation
|
||||||
be coalesced and only one of the activation triggers will be
|
might be coalesced and only one of the activating triggers will be
|
||||||
reported. This is hence more useful for debugging/tracing activation,
|
reported. This is hence more suited for debugging or tracing rather
|
||||||
then for binding codeflow to.
|
than for behaviour decisions.
|
||||||
|
|
||||||
Changes in sd-boot, bootctl, and the Boot Loader Specification:
|
Changes in sd-boot, bootctl, and the Boot Loader Specification:
|
||||||
|
|
||||||
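Review bot: 'Note that this is information is lossy' has a stray 'is'; it should read 'Note that this information is lossy'. In the same hunk, the SMBIOS Type 11 entry still says 'import system credentials' although the commit message says the system/service distinction is being dropped in favour of plain 'credentials'.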
@ -163,13 +171,13 @@ CHANGES WITH 252 in spe:
|
|||||||
(e.g. comparisons for empty strings). Boot counting is now part of
|
(e.g. comparisons for empty strings). Boot counting is now part of
|
||||||
the main specification.
|
the main specification.
|
||||||
|
|
||||||
* New PCRs measurements are set during boot: PCR 11 for the the
|
* New PCRs measurements are performed during boot: PCR 11 for the the
|
||||||
kernel+initrd combo, PCR 13 for any sysext images. If a measurement
|
kernel+initrd combo, PCR 13 for any sysext images. If a measurement
|
||||||
took place this is now reported to userspace via the new
|
took place this is now reported to userspace via the new
|
||||||
StubPcrKernelImage and StubPcrInitRDSysExts EFI variables.
|
StubPcrKernelImage and StubPcrInitRDSysExts EFI variables.
|
||||||
|
|
||||||
* As before, systemd-stub will measure kernel parameters and picked up
|
* As before, systemd-stub will measure kernel parameters and system
|
||||||
system credentials into PCR 12. It will now report this fact via the
|
credentials into PCR 12. It will now report this fact via the
|
||||||
StubPcrKernelParameters EFI variable to userspace.
|
StubPcrKernelParameters EFI variable to userspace.
|
||||||
|
|
||||||
* The UEFI monotonic boot counter is now included in the updated random
|
* The UEFI monotonic boot counter is now included in the updated random
|
||||||
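Review bot: 'PCR 11 for the the kernel+initrd combo' carries a doubled 'the' that survives from the old line into the new one, and 'New PCRs measurements' should be 'New PCR measurements'.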
@ -192,8 +200,8 @@ CHANGES WITH 252 in spe:
|
|||||||
|
|
||||||
* sd-stub now accepts (and passes to the initrd and then to the full
|
* sd-stub now accepts (and passes to the initrd and then to the full
|
||||||
OS) new PE sections '.pcrsig' and '.pcrkey' that can be used to embed
|
OS) new PE sections '.pcrsig' and '.pcrkey' that can be used to embed
|
||||||
signatures of expected PCR values after boot, to allow sealing
|
signatures of expected PCR values, to allow sealing secrets via the
|
||||||
secrets via the TPM2 against pre-calculated PCR measurements.
|
TPM2 against pre-calculated PCR measurements.
|
||||||
|
|
||||||
Changes in the hardware database:
|
Changes in the hardware database:
|
||||||
|
|
||||||
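Review bot: this entry calls the stub 'sd-stub' while the entries in the previous hunk call it 'systemd-stub'; pick one name for the section.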
@ -239,7 +247,7 @@ CHANGES WITH 252 in spe:
|
|||||||
|
|
||||||
* libsystemd now exports sd_bus_error_setfv() (a convenience function
|
* libsystemd now exports sd_bus_error_setfv() (a convenience function
|
||||||
for setting bus errors), sd_id128_string_equal (a convenience
|
for setting bus errors), sd_id128_string_equal (a convenience
|
||||||
function for 128bit ID string comparisons),
|
function for 128bit ID string comparisons), and
|
||||||
sd_bus_message_read_strv_extend() (a function to incrementally read
|
sd_bus_message_read_strv_extend() (a function to incrementally read
|
||||||
string arrays).
|
string arrays).
|
||||||
|
|
||||||
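Review bot: sd_id128_string_equal is listed without the '()' that the two neighbouring function names carry, and '128bit' should be '128-bit'.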
@ -264,56 +272,55 @@ CHANGES WITH 252 in spe:
|
|||||||
database given an explicit path to the file.
|
database given an explicit path to the file.
|
||||||
|
|
||||||
* The signal number argument to sd_event_add_signal() now can now be
|
* The signal number argument to sd_event_add_signal() now can now be
|
||||||
ORed with the SD_EVENT_SIGNAL_PROCMASK flag. if done this will
|
ORed with the SD_EVENT_SIGNAL_PROCMASK flag, causing sigprocmask() to
|
||||||
automatically invoke sigprocmask() to block the specified
|
be automatically invoked to block the specified signal. This is
|
||||||
signal. This is useful to simplify invocations as the caller doesn't
|
useful to simplify invocations as the caller doesn't have to do this
|
||||||
have to do this manually first anymore.
|
manually.
|
||||||
|
|
||||||
* A new convenience call sd_event_set_signal_exit() has been added to
|
* A new convenience call sd_event_set_signal_exit() has been added to
|
||||||
sd-event, that sets up signal handling so that the event loop
|
sd-event to set up signal handling so that the event loop
|
||||||
automatically terminates cleanly on SIGTERM/SIGINT.
|
automatically terminates cleanly on SIGTERM/SIGINT.
|
||||||
|
|
||||||
Changes in other components:
|
Changes in other components:
|
||||||
|
|
||||||
* systemd-sysusers, systemd-tmpfiles and systemd-sysctl configuration
|
* systemd-sysusers, systemd-tmpfiles, and systemd-sysctl configuration
|
||||||
can now be provided via the system/service credential mechanism.
|
can now be provided via the credential mechanism.
|
||||||
|
|
||||||
* tmpfiles.d/ lines can read file contents to write from a credential
|
* tmpfiles.d/ lines can read file contents to write from a credential.
|
||||||
(and a new modifier char '^' to specify that the argument is a
|
The new modifier char '^' is used to specify that the argument is a
|
||||||
credential name). This mechanism is used to automatically populate
|
credential name. This mechanism is used to automatically populate
|
||||||
/etc/motd, /etc/issue, and /etc/hosts from credentials.
|
/etc/motd, /etc/issue, and /etc/hosts from credentials.
|
||||||
|
|
||||||
* tmpfiles.d/ may now be configured to avoid changing uid/gid/mode of
|
* tmpfiles.d/ may now be configured to avoid changing uid/gid/mode of
|
||||||
an inode if the specification is prefixed with ':' and the inode
|
an inode if the specification is prefixed with ':' and the inode
|
||||||
already exists.
|
already exists.
|
||||||
|
|
||||||
* tmpfiles.d/ now carries a line to automatically use an
|
* Default tmpfiles.d/ configuration now carries a line to automatically
|
||||||
'ssh.authorized_keys.root' system credential if provided to set up
|
use an 'ssh.authorized_keys.root' credential if provided to set up
|
||||||
the SSH authorized_keys file for the root user.
|
the SSH authorized_keys file for the root user.
|
||||||
|
|
||||||
* systemd-tmpfiles will now gracefully handle absent source of "C" copy
|
* systemd-tmpfiles will now gracefully handle absent source of "C" copy
|
||||||
lines.
|
lines.
|
||||||
|
|
||||||
* tmpfiles.d/ F/w lines now optionally permit encoding of the data to
|
* tmpfiles.d/ F/w lines now optionally permit encoding of the payload
|
||||||
write in base64. This is useful to write arbitrary binary data into
|
in base64. This is useful to write arbitrary binary data into files.
|
||||||
arbitrary files at boot.
|
|
||||||
|
|
||||||
* systemd-analyze gained a new verb 'compare-versions' that implements
|
* systemd-analyze gained a new verb 'compare-versions' that implements
|
||||||
comparisons for versions strings (similarly to 'rpmdev-vercmp' and
|
comparisons for versions strings (similarly to 'rpmdev-vercmp' and
|
||||||
'dpkg --compare-versions').
|
'dpkg --compare-versions').
|
||||||
|
|
||||||
* The pkgconfig and rpm macros files now export the directory for user
|
* The pkgconfig and rpm macros files now export the directory for user
|
||||||
units as 'user_tmpfiles_dir' and '_user_tmpfilesdir'.
|
units as 'user_tmpfiles_dir' and '%_user_tmpfilesdir'.
|
||||||
|
|
||||||
* Detection of Parallels and KubeVirt virtualization has been added on
|
* Detection of Apple Virtualization and detection of Parallels and
|
||||||
non-x86 archs. Detection of Apple Virtualization has been added.
|
KubeVirt virtualization on non-x86 archs have been added.
|
||||||
|
|
||||||
* os-release gained a new field SUPPORT_END=YYYY-MM-DD to inform the
|
* os-release gained a new field SUPPORT_END=YYYY-MM-DD to inform the
|
||||||
user when their system will become unsupported.
|
user when their system will become unsupported.
|
||||||
|
|
||||||
* When performing suspend-then-hibernate, the system will estimate the
|
* When performing suspend-then-hibernate, the system will estimate the
|
||||||
discharge rate and use that to set the delay until hibernation, and
|
discharge rate and use that to set the delay until hibernation and
|
||||||
will hibernate immediately instead of suspending when running from a
|
hibernate immediately instead of suspending when running from a
|
||||||
battery and the capacity is below 5%.
|
battery and the capacity is below 5%.
|
||||||
|
|
||||||
* systemd-sysctl gained a --strict option to fail when a sysctl
|
* systemd-sysctl gained a --strict option to fail when a sysctl
|
||||||
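Review bot: 'now can now be ORed' in the sd_event_add_signal() entry has a doubled 'now' that the rewrite keeps; and 'comparisons for versions strings' in the systemd-analyze 'compare-versions' entry should be 'version strings'.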
@ -325,33 +332,34 @@ CHANGES WITH 252 in spe:
|
|||||||
* OpenSSL is the default crypto backend for systemd-resolved. (gnutls
|
* OpenSSL is the default crypto backend for systemd-resolved. (gnutls
|
||||||
is still supported.)
|
is still supported.)
|
||||||
|
|
||||||
* journalctl -o (and similar commands) now understands a new output mode
|
* 'journalctl -o' and similar commands now implement a new output mode
|
||||||
"short-delta". It is similar to "short-monotonic" but also shows the
|
"short-delta". It is similar to "short-monotonic", but also shows the
|
||||||
time delta between two messages.
|
time delta between subsequent messages.
|
||||||
|
|
||||||
* journalctl now respects the --quiet flag when verifying journal files
|
* journalctl now respects the --quiet flag when verifying consistency
|
||||||
consistency.
|
of journal files.
|
||||||
|
|
||||||
* systemd-journald log messages gained a new implicit field
|
* Journal log messages gained a new implicit field _RUNTIME_SCOPE= that
|
||||||
_RUNTIME_SCOPE= that will indicate whether a message was logged in
|
will indicate whether a message was logged in the 'initrd' phase or
|
||||||
the 'initrd' phase or in the 'system' phase of the boot process.
|
in the 'system' phase of the boot process.
|
||||||
|
|
||||||
* systemd-journald gained a new compatibility flag
|
* Journal files gained a new compatibility flag
|
||||||
'HEADER_INCOMPATIBLE_COMPACT'. Journal files with this flag implement
|
'HEADER_INCOMPATIBLE_COMPACT'. Files with this flag implement changes
|
||||||
changes to the storage format that allow reducing journal files size on
|
to the storage format that allow reducing size on disk. As with other
|
||||||
disk. As with other compatibility flags, older journalctl versions will
|
compatibility flags, older journalctl versions will not be able to
|
||||||
not be able to read journal files using this new format. The environment
|
read journal files using this new format. The environment variable
|
||||||
variable 'SYSTEMD_JOURNAL_COMPACT=0' can be passed to systemd-journald
|
'SYSTEMD_JOURNAL_COMPACT=0' can be passed to systemd-journald to
|
||||||
to disable it. It is enabled by default.
|
disable this functionality. It is enabled by default.
|
||||||
|
|
||||||
* systemd-run's --working-directory= switch now works when used in
|
* systemd-run's --working-directory= switch now works when used in
|
||||||
combination with --scope.
|
combination with --scope.
|
||||||
|
|
||||||
* portablectl gained a --force flag (and a corresponding 0x2 flag is
|
* portablectl gained a --force flag to skip certain sanity checks. The
|
||||||
now accepted by the *WithExtensions() D-Bus methods of portabled) to
|
corresponding 0x2 flag is now accepted by the *WithExtensions() D-Bus
|
||||||
skip certain sanity checks. For now, this means that on attach/detach
|
methods of systemd-portabled. For now, this flag means that on
|
||||||
it will not be checked whether the unit(s) are already present and/or
|
attach/detach the checks whether the units are already present and
|
||||||
running. Callers must be sure to do those checks themselves.
|
running will be skipped. Callers must be sure to do those checks
|
||||||
|
themselves.
|
||||||
|
|
||||||
* systemd-portabled will now use the original filename to check
|
* systemd-portabled will now use the original filename to check
|
||||||
extension-release.NAME for correctness, in case it is passed a
|
extension-release.NAME for correctness, in case it is passed a
|
||||||
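Review bot: in the portablectl entry, 'this flag means that on attach/detach the checks whether the units are already present and running will be skipped' is hard to parse; suggest 'on attach/detach, the checks that the units are not already present or running are skipped', keeping the following sentence that callers must do those checks themselves.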
@ -369,23 +377,22 @@ CHANGES WITH 252 in spe:
|
|||||||
* systemd-resolved now persists DNSOverTLS in its state file too. This
|
* systemd-resolved now persists DNSOverTLS in its state file too. This
|
||||||
fixes a problem when used in combination with NetworkManager, which
|
fixes a problem when used in combination with NetworkManager, which
|
||||||
sends the setting only once, causing it to be lost if resolved was
|
sends the setting only once, causing it to be lost if resolved was
|
||||||
restarted at any point during runtime.
|
restarted at any point.
|
||||||
|
|
||||||
* systemd-resolved now exposes a varlink socket at
|
* systemd-resolved now exposes a varlink socket at
|
||||||
/run/systemd/resolve/io.systemd.Resolve.Monitor, which requires root
|
/run/systemd/resolve/io.systemd.Resolve.Monitor, accessible only for
|
||||||
privileges to connect to.
|
root. Processed DNS requests in a JSON format will be published to
|
||||||
When a varlink client connects, processed DNS requests will be
|
any clients connected to this socket. resolvectl gained a 'monitor'
|
||||||
published on this monitor socket in JSON format.
|
verb to make use of this.
|
||||||
resolvectl gained a 'monitor' verb to use this socket.
|
|
||||||
|
|
||||||
* systemd-resolved now treats unsupported DNSSEC algorithms as INSECURE
|
* systemd-resolved now treats unsupported DNSSEC algorithms as INSECURE
|
||||||
instead of returning SERVFAIL, as per RFC:
|
instead of returning SERVFAIL, as per RFC:
|
||||||
https://datatracker.ietf.org/doc/html/rfc6840#section-5.2
|
https://datatracker.ietf.org/doc/html/rfc6840#section-5.2
|
||||||
|
|
||||||
* systemd-repart now supports creating squashfs partitions. Requires
|
* systemd-repart now supports creating squashfs partitions. This
|
||||||
squashfs-tools (mksquashfs).
|
requires mksquashfs from squashfs-tools.
|
||||||
|
|
||||||
* systemd-repart gained a --split flag to make it also generate split
|
* systemd-repart gained a --split flag to also generate split
|
||||||
artifacts, i.e. a separate file for each partition. This is useful in
|
artifacts, i.e. a separate file for each partition. This is useful in
|
||||||
conjunction with systemd-sysupdate or other tools, or to generate
|
conjunction with systemd-sysupdate or other tools, or to generate
|
||||||
split dm-verity artifacts.
|
split dm-verity artifacts.
|
||||||
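Review bot: 'accessible only for root' should be 'accessible only to root', and 'in a JSON format' should be 'in JSON format'. In the DNSSEC entry, 'as per RFC:' followed by a bare URL would read better as 'as per RFC 6840, section 5.2:' since the number is already in the link.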
@ -393,13 +400,12 @@ CHANGES WITH 252 in spe:
|
|||||||
* systemd-repart is now able to generate dm-verity partitions, including
|
* systemd-repart is now able to generate dm-verity partitions, including
|
||||||
signatures.
|
signatures.
|
||||||
|
|
||||||
* systemd-repart is now able to set a partition UUID to zero. This is
|
* systemd-repart can now set a partition UUID to zero, allowing it to
|
||||||
useful when we need to fill in the UUID later, such as when using
|
be filled in later, such as when using verity partitions.
|
||||||
verity partitions.
|
|
||||||
|
|
||||||
* systemd-repart now supports drop-ins for its configuration files.
|
* systemd-repart now supports drop-ins for its configuration files.
|
||||||
|
|
||||||
* Package metadata logged by systemd-coredump in the system journal are
|
* Package metadata logged by systemd-coredump in the system journal is
|
||||||
now more compact.
|
now more compact.
|
||||||
|
|
||||||
* xdg-autostart-service now expands 'tilde' characters in Exec lines.
|
* xdg-autostart-service now expands 'tilde' characters in Exec lines.
|
||||||
@ -428,7 +434,7 @@ CHANGES WITH 252 in spe:
|
|||||||
variable when generating the 'sp_lstchg' field, to ensure an image
|
variable when generating the 'sp_lstchg' field, to ensure an image
|
||||||
build can be reproducible.
|
build can be reproducible.
|
||||||
|
|
||||||
* udevadmn 'wait' will now listen to kernel uevents too when called with
|
* 'udevadm wait' will now listen to kernel uevents too when called with
|
||||||
--initialized=no.
|
--initialized=no.
|
||||||
|
|
||||||
* When naming network devices udev will now consult the Devicetree
|
* When naming network devices udev will now consult the Devicetree
|
||||||
@ -446,7 +452,7 @@ CHANGES WITH 252 in spe:
|
|||||||
the seal key, aka the disk encryption key, and that auth value will be
|
the seal key, aka the disk encryption key, and that auth value will be
|
||||||
used in the session establishment. An attacker would need the pin
|
used in the session establishment. An attacker would need the pin
|
||||||
value to create the secure session and thus an active interposer
|
value to create the secure session and thus an active interposer
|
||||||
without the pin cannot interpose on TPM traffic.
|
without the pin cannot interpose on TPM2 traffic.
|
||||||
|
|
||||||
* systemd-growfs no longer requires udev to run.
|
* systemd-growfs no longer requires udev to run.
|
||||||
|
|
||||||
@ -463,10 +469,10 @@ CHANGES WITH 252 in spe:
|
|||||||
|
|
||||||
* systemd-dissect gained a new --umount switch that will safely and
|
* systemd-dissect gained a new --umount switch that will safely and
|
||||||
synchronously unmount all partitions of an image previously mounted
|
synchronously unmount all partitions of an image previously mounted
|
||||||
with `systemd-dissect --mount'.
|
with 'systemd-dissect --mount'.
|
||||||
|
|
||||||
* When using gcrypt, all systemd tools and services will now configure
|
* When using gcrypt, all systemd tools and services will now configure
|
||||||
it to prefer the OS RNG if there is one.
|
it to prefer the OS random number generator if present.
|
||||||
|
|
||||||
Experimental features:
|
Experimental features:
|
||||||
|
|
||||||