mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-18 06:03:42 +03:00

Merge pull request #21704 from keszybz/news-250-2

Adjust news and version numbers for v250-rc1
Zbigniew Jędrzejewski-Szmek 2021-12-09 15:10:24 +01:00 committed by GitHub
commit 408ad9e4ba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 244 additions and 195 deletions

NEWS

@ -2,44 +2,43 @@ systemd System and Service Manager
CHANGES WITH 250 in spe: CHANGES WITH 250 in spe:
* Support for encrypted and authenticated credentials has been * Support for encrypted and authenticated credentials has been added.
added. This extends the credentials logic introduced with v247 to This extends the credential logic introduced with v247 to support
support non-interactive symmetric encryption and authentication, non-interactive symmetric encryption and authentication, based on a
based on a key that is stored on the /var/ file system or in the TPM2 key that is stored on the /var/ file system or in the TPM2 chip (if
chip (if available), or the combination of both (by default if a TPM2 available), or the combination of both (by default if a TPM2 chip
chip exists the combination is used, otherwise the /var/ key exists the combination is used, otherwise the /var/ key only). The
only). The credentials are automatically decrypted at the moment a credentials are automatically decrypted at the moment a service is
service is started, and are made accessible to the service itself in started, and are made accessible to the service itself in unencrypted
unencrypted form. A new tool `systemd-creds` has been added to form. A new tool 'systemd-creds' encrypts credentials for this
encrypt credentials for this purpose, and two new service file purpose, and two new service file settings LoadCredentialEncrypted=
settings LoadCredentialEncrypted= and SetCredentialEncrypted= have and SetCredentialEncrypted= configure such credentials.
been added to configure encrypted credentials prepared that way. This
feature is useful for ensuring sensitive material such as SSL This feature is useful to store sensitive material such as SSL
certificates, passwords and similar are stored securely when at rest certificates, passwords and similar securely at rest and only decrypt
and only decrypted when needed, and in a way that can be reproduced them when needed, and in a way that is tied to the local OS
only on the local OS installation and hardware. installation or hardware.
* systemd-gpt-auto-generator can now automatically set up discoverable * systemd-gpt-auto-generator can now automatically set up discoverable
LUKS2 encrypted swap partitions. LUKS2 encrypted swap partitions.
* The GPT Discoverable Partitions Specification has been updated * The GPT Discoverable Partitions Specification has been substantially
substantially to support Root and /usr/ partitions for the majority extended with support for root and /usr/ partitions for the majority
of architectures systemd supports. This include platforms that do not of architectures systemd supports. This includes platforms that do
natively support UEFI. Even though GPT is specified under UEFI not natively support UEFI, because even though GPT is specified under
umbrella its useful on other systems too. Specifically, UEFI umbrella, it is useful on other systems too. Specifically,
systemd-nspawn, systemd-sysext, systemd-gpt-auto-generator and systemd-nspawn, systemd-sysext, systemd-gpt-auto-generator and
Portable Services make heavy use of the concept, none of which are Portable Services use the concept without requiring UEFI.
specific to UEFI.
* The GPT Discoverable Partitions Specifications has learnt a new set * The GPT Discoverable Partitions Specifications has been extended with
of partitions that may carry PKCS#7 signatures for Verity partitions, a new set of partitions that may carry PKCS#7 signatures for Verity
encoded in a simple JSON format. This implements a simple mechanism partitions, encoded in a simple JSON format. This implements a simple
for building disk images that are fully authenticated and can be mechanism for building disk images that are fully authenticated and
tested against a set of cryptographic certificates. This is now can be tested against a set of cryptographic certificates. This is
implemented for the various systemd tools that can operate with disk now implemented for the various systemd tools that can operate with
images, such as systemd-nspawn, systemd-sysext, systemd-dissect, disk images, such as systemd-nspawn, systemd-sysext, systemd-dissect,
Portable services/RootImage=, systemd-tmpfiles, systemd-sysusers, and Portable services/RootImage=, systemd-tmpfiles, and systemd-sysusers.
so on. The PKCS#7 signatures are passed to the kernel (where they are The PKCS#7 signatures are passed to the kernel (where they are
checked against certificates from the kernel keyring), or can be checked against certificates from the kernel keyring), or can be
verified against certificates provided in userspace (via a simple verified against certificates provided in userspace (via a simple
drop-in file mechanism). drop-in file mechanism).
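Review bot: "The GPT Discoverable Partitions Specifications has been extended" in the Verity-signature entry keeps a number mismatch that the preceding entry avoids ("Specification has been substantially extended"); suggest "Specification has". Two smaller points in the credentials entry: the tool name is now quoted as 'systemd-creds' with single quotes while the rest of NEWS uses double quotes (e.g. "systemd-analyze filesystems"), and the closing sentence says the material is "tied to the local OS installation or hardware" although the default described a few lines earlier binds to both the /var/ key and the TPM2 chip, so "and/or hardware" would cover the default case as well.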
@ -62,11 +61,11 @@ CHANGES WITH 250 in spe:
* The GPT image dissection logic in systemd-nspawn/systemd-dissect/… * The GPT image dissection logic in systemd-nspawn/systemd-dissect/…
now is able to decode images for non-native architectures as well. now is able to decode images for non-native architectures as well.
This enables systemd-nspawn to boot images of non-native This allows systemd-nspawn to boot images of non-native architectures
architectures if the corresponding user mode emulator is installed if the corresponding user mode emulator is installed and
and systemd-binfmtd is running. systemd-binfmtd is running.
* systemd-logind gained a new settings HandlePowerKeyLongPress=, * systemd-logind gained new settings HandlePowerKeyLongPress=,
HandleRebootKeyLongPress=, HandleSuspendKeyLongPress= and HandleRebootKeyLongPress=, HandleSuspendKeyLongPress= and
HandleHibernateKeyLongPress= which may be used to configure actions HandleHibernateKeyLongPress= which may be used to configure actions
when the relevant keys are pressed for more than 5s. This is useful when the relevant keys are pressed for more than 5s. This is useful
@ -77,20 +76,19 @@ CHANGES WITH 250 in spe:
does not trigger any operation by default. does not trigger any operation by default.
* When showing unit status updates on the console during boot and * When showing unit status updates on the console during boot and
shutdown, and a service is slow to start so that the KITT animation shutdown, and a service is slow to start so that the cylon animation
is shown, the most recent sd_notify() STATUS= text is now shown as is shown, the most recent sd_notify() STATUS= text is now shown as
well. Services may use this to make the boot/shutdown output easier well. Services may use this to make the boot/shutdown output easier
to understand, and to indicate what precisely a service that is slow to understand, and to indicate what precisely a service that is slow
to start or stop is waiting for. Specifically, the per-user service to start or stop is waiting for. In particular, the per-user service
manager instance now reports what it is doing and which service it is manager instance now reports what it is doing and which service it is
waiting for this way to the system service manager. waiting for this way to the system service manager.
* The service manager will now re-execute on reception of the * The service manager will now re-execute on reception of the
SIGRTMIN+25 signal. It previously already did that on SIGTERM — but SIGRTMIN+25 signal. It previously already did that on SIGTERM — but
only when running as PID 1. There was no signal to request this when only when running as PID 1. There was no signal to request this when
running as per-user service manager, i.e. as any other PID than running as per-user service manager, i.e. as any other PID than 1.
1. SIGRTMIN+25 will work in any case, i.e. both as system and user SIGRTMIN+25 works for both system and user managers.
service manager.
* The hardware watchdog logic in PID 1 gained support for operating * The hardware watchdog logic in PID 1 gained support for operating
with the default timeout configured in the hardware, instead of with the default timeout configured in the hardware, instead of
@ -111,9 +109,9 @@ CHANGES WITH 250 in spe:
system services or the managers themselves. system services or the managers themselves.
* A new per-service setting RestrictFileSystems= as been added that * A new per-service setting RestrictFileSystems= as been added that
restricts the file systems a service has access to by their restricts the file systems a service has access to by their type.
type. This is based on the new BPF LSM of the Linux kernel. This is This is based on the new BPF LSM of the Linux kernel. It provides an
an effective way to make certain API file systems unavailable to effective way to make certain API file systems unavailable to
services (and thus minimizing attack surface). A new command services (and thus minimizing attack surface). A new command
"systemd-analyze filesystems" has been added that lists all known "systemd-analyze filesystems" has been added that lists all known
file system types (and how they are grouped together under useful file system types (and how they are grouped together under useful
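Review bot: the untouched context line "A new per-service setting RestrictFileSystems= as been added" still carries the typo "as" for "has"; since this paragraph is being reflowed in this hunk anyway, change it to "has been added" here.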
@ -122,7 +120,7 @@ CHANGES WITH 250 in spe:
* Services now support a new setting RestrictNetworkInterfaces= for * Services now support a new setting RestrictNetworkInterfaces= for
restricting access to specific network interfaces. restricting access to specific network interfaces.
* New service unit files gained new settings StartupAllowedCPUs= and * Service unit files gained new settings StartupAllowedCPUs= and
StartupAllowedMemoryNodes=. These are similar to their counterparts StartupAllowedMemoryNodes=. These are similar to their counterparts
without the "Startup" prefix and apply during the boot process without the "Startup" prefix and apply during the boot process
only. This is useful to improve boot-time behavior of the system and only. This is useful to improve boot-time behavior of the system and
@ -140,23 +138,23 @@ CHANGES WITH 250 in spe:
[Condition|Assert][Memory|CPU|IO]Pressure= have been added to make a [Condition|Assert][Memory|CPU|IO]Pressure= have been added to make a
unit skip/fail activation if the system's (or a slice's) memory/cpu/io unit skip/fail activation if the system's (or a slice's) memory/cpu/io
pressure is above the configured threshold, using the kernel PSI pressure is above the configured threshold, using the kernel PSI
feature. Fore more details see systemd.unit.5 and feature. For more details see systemd.unit(5) and
https://www.kernel.org/doc/html/latest/accounting/psi.html https://www.kernel.org/doc/html/latest/accounting/psi.html
* The combination of ProcSubset=pid and ProtectKernelTunables=yes and/or * The combination of ProcSubset=pid and ProtectKernelTunables=yes and/or
ProtectKernelLogs=yes can now be used. ProtectKernelLogs=yes can now be used.
* The default maximum number of inodes for /dev has been doubled, from * The default maximum numbers of inodes have been raised from 64k to 1m
64k to 128k. for /dev, and from 400k to 1m for /tmp.
* The per-user service manager learnt support for communicating with * The per-user service manager learnt support for communicating with
systemd-oomd to acquire OOM kill information. systemd-oomd to acquire OOM kill information.
* A new service setting ExecSearchPath= has been added that allows * A new service setting ExecSearchPath= has been added that allows
changing the search path for executables for services. It affects how changing the search path for executables for services. It affects
the binaries specified in ExecStart= and similar are searched and where we look for the binaries specified in ExecStart= and similar,
also affects the $PATH environment variable passed to invoked and the specified directories are also added the $PATH environment
processes. variable passed to invoked processes.
* A new setting RuntimeRandomizedExtraSec= has been added for service * A new setting RuntimeRandomizedExtraSec= has been added for service
and scope units that allows extending the runtime time-out as and scope units that allows extending the runtime time-out as
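Review bot: the ExecSearchPath= rewrite drops a preposition: "the specified directories are also added the $PATH environment variable" should read "also added to the $PATH environment variable". Separately, the inode-limit entry changes the stated numbers, not just the wording (old: /dev "doubled, from 64k to 128k"; new: /dev 64k to 1m and /tmp 400k to 1m), so that line is worth a second check against the change that actually landed before the release notes are tagged.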
@ -164,7 +162,7 @@ CHANGES WITH 250 in spe:
* The syntax of the service unit settings RuntimeDirectory=, * The syntax of the service unit settings RuntimeDirectory=,
StateDirectory=, CacheDirectory=, LogsDirectory= has been extended: StateDirectory=, CacheDirectory=, LogsDirectory= has been extended:
if the specified string is now suffixed with a colon, followed by if the specified value is now suffixed with a colon, followed by
another filename, the latter will be created as symbolic link to the another filename, the latter will be created as symbolic link to the
specified directory. This allows creating these service directories specified directory. This allows creating these service directories
together with alias symlinks to make them available under multiple together with alias symlinks to make them available under multiple
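Review bot: "the latter will be created as symbolic link to the specified directory" is missing an article; "as a symbolic link" reads better and the line is already being edited.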
@ -173,28 +171,28 @@ CHANGES WITH 250 in spe:
* Service unit files gained two new settings TTYRows=/TTYColumns= for * Service unit files gained two new settings TTYRows=/TTYColumns= for
configuring rows/columns of the TTY device passed to configuring rows/columns of the TTY device passed to
stdin/stdout/stderr of the service. This is useful to propagate TTY stdin/stdout/stderr of the service. This is useful to propagate TTY
dimensions from another environment. dimensions to a virtual machine.
* A new service unit file setting ExitType= has been added, that allows * A new service unit file setting ExitType= has been added that
configuring when precisely to assume a service has exited. By default specifies when to assume a service has exited. By default systemd
systemd watches the main process of a service only to determine its only watches the main process of a service. By setting
lifetime. By setting ExitType=cgroup it can be told to wait for the ExitType=cgroup it can be told to wait for the last process in a
last process in a cgroup instead. cgroup instead.
* Automount unit files gained a new setting ExtraOptions= that can be * Automount unit files gained a new setting ExtraOptions= that can be
used to configure additional mount options to pass to the kernel when used to configure additional mount options to pass to the kernel when
mounting the autofs instance. mounting the autofs instance.
* "Urlification" (i.e. generation of ESC sequences that generate * "Urlification" (generation of ESC sequences that generate clickable
clickable hyperlinks in modern terminals) may now be turned off hyperlinks in modern terminals) may now be turned off altogether
altogether during build-time. during build-time.
* The tpm2/fido2/pkcs11 support in systemd-cryptsetup is now also built * The TPM2/FIDO2/PKCS11 support in systemd-cryptsetup is now also built
as plug-in for upstream cryptsetup. This means plain cryptsetup may as a plug-in for cryptsetup. This means the plain cryptsetup command
now be used to unlock volumes set up this way. may now be used to unlock volumes set up this way.
* The TPM2 logic in cryptsetup will now automatically detect systems * The TPM2 logic in cryptsetup will now automatically detect systems
where the TPM2 chip supports SHA256 PCR banks but the firmware only where the TPM2 chip advertises SHA256 PCR banks but the firmware only
updates the SHA1 banks. In such a case PCR policies will be updates the SHA1 banks. In such a case PCR policies will be
automatically bound to the latter, not the former. This makes the PCR automatically bound to the latter, not the former. This makes the PCR
policies reliable, but of course do not provide the same level of policies reliable, but of course do not provide the same level of
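Review bot: "TPM2/FIDO2/PKCS11" in the cryptsetup plug-in entry spells the standard without the hash while the crypttab entry a few paragraphs down uses "PKCS#11"; use one spelling (PKCS#11 matches the rest of the file). Also, the TTYRows=/TTYColumns= entry narrows "propagate TTY dimensions from another environment" to "to a virtual machine"; the setting is not VM-specific, so "e.g. to a virtual machine" would keep the general meaning while still giving the motivating use case.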
@ -206,16 +204,15 @@ CHANGES WITH 250 in spe:
than ECC, and hence are only used if ECC is not available. than ECC, and hence are only used if ECC is not available.
* /etc/crypttab gained support for a new token-timeout= setting for * /etc/crypttab gained support for a new token-timeout= setting for
encrypted volumes that allow configuration of a maximum time to wait encrypted volumes that allows configuration of the maximum time to
for PKCS#11/FIDO2 tokens to be plugged in. If the time elapses the wait for PKCS#11/FIDO2 tokens to be plugged in. If the time elapses
logic will query the user for a regular passphrase/recovery key the logic will query the user for a regular passphrase/recovery key
instead. instead.
* Support for activating dm-integrity volumes at boot via a new file * Support for activating dm-integrity volumes at boot via a new file
/etc/integritytab and a tool systemd-integritysetup has been /etc/integritytab and the tool systemd-integritysetup have been
added. This behaves similar to the existing /etc/crypttab and added. This is similar to /etc/crypttab and /etc/veritytab, but deals
/etc/veritytab, but deals with dm-integrity instead of with dm-integrity instead of dm-crypt/dm-verity.
dm-crypt/dm-verity.
* The systemd-veritysetup-generator now understands a new usrhash= * The systemd-veritysetup-generator now understands a new usrhash=
kernel command line option for specifying the Verity root hash for kernel command line option for specifying the Verity root hash for
@ -233,9 +230,9 @@ CHANGES WITH 250 in spe:
* A new unit systemd-boot-update.service has been added. If enabled * A new unit systemd-boot-update.service has been added. If enabled
(the default) and the sd-boot loader is detected to be installed, it (the default) and the sd-boot loader is detected to be installed, it
is automatically updated to the newest version if it's out of is automatically updated to the newest version when out of date. This
date. This is useful to ensure the boot loader remains up-to-date, is useful to ensure the boot loader remains up-to-date, and updates
and updates automatically propagate from the OS tree in /usr/. automatically propagate from the OS tree in /usr/.
* sd-boot will now build with SBAT by default in order to facilitate * sd-boot will now build with SBAT by default in order to facilitate
working with recent versions of Shim that require it to be present. working with recent versions of Shim that require it to be present.
@ -302,6 +299,38 @@ CHANGES WITH 250 in spe:
an explicitly specified unit name, independently of what the filename an explicitly specified unit name, independently of what the filename
actually is. actually is.
* systemd-analyze verify gained a new switch --recursive-errors= which
controls whether to only fail on errors found in the specified units
or recursively any dependent units.
* systemd-analyze security now supports a new --offline mode for
analyzing unit files stored on disk instead of loaded units. It may
be combined with --root=/--image to analyze unit files under a root
directory or disk image. It also learnt a new --threshold= parameter
for specifying an exposure level threshold: if the exposure level
exceeds the specified value the call will fail. It also gained a new
--security-policy= switch for configuring security policies to
enforce on the units. A policy is a JSON file that lists which tests
shall be weighted how much to determine the overall exposure
level. Altogether these new features are useful for fully automatic
analysis and enforcement of security policies on unit files.
* systemd-analyze security gain a new --json= switch for JSON output.
* systemd-analyze learnt a new --quiet switch for reducing
non-essential output. It's honored by the "dot", "syscall-filter",
"filesystems" commands.
* systemd-analyze security gained a --profile option that can be used
to take into account a portable profile when analyzing portable
services, since a lot of the security-related settings are enabled
through them.
* systemd-analyze learnt a new inspect-elf verb that parses ELF core
files, binaries and executables and prints metadata information,
including the build-id and other info described on:
https://systemd.io/COREDUMP_PACKAGE_METADATA/
* The [IPv6AcceptRA] section of .network files gained support for a new * The [IPv6AcceptRA] section of .network files gained support for a new
UseMTU= setting that may be used to control whether to apply the UseMTU= setting that may be used to control whether to apply the
announced MTU settings to the local interface. announced MTU settings to the local interface.
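Review bot: in the moved systemd-analyze block, "systemd-analyze security gain a new --json= switch" should be "gained". The move does fix the earlier "unit files container in a root directory" wording and splitting --json= into its own entry is fine, but the order now interleaves the generic "--quiet" entry between two "systemd-analyze security" entries (--json= and --profile); keeping the security entries adjacent, as in the removed copy, would read more naturally.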
@ -374,42 +403,11 @@ CHANGES WITH 250 in spe:
SuppressInterfaceGroup= setting. SuppressInterfaceGroup= setting.
* The IgnoreCarrierLoss= setting in the [Network] section of .network * The IgnoreCarrierLoss= setting in the [Network] section of .network
files now accepts a duration to be specified, controlling how time to files now allows a duration to be specified, controlling how long to
wait before no longer ignoring carrier losses. wait before reacting to carrier loss.
* The [DHCPServer] section of .network file gained a new Router= setting * The [DHCPServer] section of .network file gained a new Router=
to specify the router address. setting to specify the router address.
* systemd-analyze verify gained a new switch --recursive-errors= which
controls whether to only fail on errors found in the specified units
or recursively any dependent units.
* systemd-analyze security now supports a new --offline mode for
analyzing unit files stored on disk instead of loaded units. It may
be combined with --root=/--image to analyze unit files container in a
root directory or disk image. It also learnt a new --threshold=
parameter for specifying an exposure level threshold: if the exposure
level exceeds the specified value the call will fail. It also gained
a new --security-policy= switch for configuring security policies to
enforce on the units. A policy is a JSON file that lists which tests
shall be weighted how much to determine the overall exposure
level. It also gained a new --json= switch for generating JSON
output. Altogether these new features are useful for fully automatic
analysis and enforcement of security policies on unit files.
* systemd-analyze security gained a --profile option that can be used
to take into account a portable profile when analyzing portable
services, since a lot of the security-related settings are enabled
through them.
* systemd-analyze learnt a new --quiet switch for reducing
non-essential output. It's honored by the "dot", "syscall-filter",
"filesystems" commands.
* systemd-analyze learnt a new inspect-elf verb that parses ELF core
files, binaries and executables and prints metadata information,
including the build-id and other info described on:
https://systemd.io/COREDUMP_PACKAGE_METADATA/
* systemd-nspawn's --setenv= switch now supports an additional syntax: * systemd-nspawn's --setenv= switch now supports an additional syntax:
if only a variable name is specified (i.e. without being suffixed by if only a variable name is specified (i.e. without being suffixed by
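Review bot: "The [DHCPServer] section of .network file gained a new Router= setting" should be ".network files", matching "The [IPv6AcceptRA] section of .network files" in the hunk above; the line is touched by the reflow here anyway.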
@ -426,8 +424,8 @@ CHANGES WITH 250 in spe:
not essential as all build artifacts can be regenerated any time, but not essential as all build artifacts can be regenerated any time, but
the performance win is beneficial. the performance win is beneficial.
* systemd-nspawn will now raise RLIMIT_NOFILE's hard limit to the same * systemd-nspawn will now raise the RLIMIT_NOFILE hard limit to the
value that PID 1 raises it for most forked off processes. same value that PID 1 uses for most forked off processes.
* systemd-nspawn's --bind=/--bind-ro= switches now optionally take * systemd-nspawn's --bind=/--bind-ro= switches now optionally take
uidmap/nouidmap options as last parameter. If "uidmap" is used the uidmap/nouidmap options as last parameter. If "uidmap" is used the
@ -435,28 +433,18 @@ CHANGES WITH 250 in spe:
the host's file ownerships are mapped 1:1 to container file the host's file ownerships are mapped 1:1 to container file
ownerships, even if user namespacing is used. This way ownerships, even if user namespacing is used. This way
files/directories bound into containers will no longer show up as files/directories bound into containers will no longer show up as
owned by the nobody user as they typically do if no special care is owned by the nobody user as they typically did if no special care was
taken to shift them manually. taken to shift them manually.
* When discovering Windows installations sd-boot will now attempt to * When discovering Windows installations sd-boot will now attempt to
extract the Windows version found. show the Windows version.
* The color scheme to use in sd-boot may now be configured at * The color scheme to use in sd-boot may now be configured at
build-time. build-time.
* systemd-boot will now paint the input cursor on its own instead of
relying on the firmware to do so, increasing compatibility with broken
firmware that doesn't make the cursor reasonably visible.
* sd-boot gained the ability to change screen resolution during * sd-boot gained the ability to change screen resolution during
boot-time, by hitting the "r" key. This will cycle through available boot-time, by hitting the "r" key. This will cycle through available
resolutions and save them. resolutions and save the last selection.
* sd-boot gained support for automatically loading all EFI drivers
placed in the /EFI/systemd/drivers/ subdirectory of the EFI System
Partition (ESP). These drivers are loaded before the menu entries are
searched and loaded. This is useful for easily loading additional
file system drivers for the XBOOTLDR partition or similar.
* sd-boot learnt a new hotkey "f". When pressed the system will enter * sd-boot learnt a new hotkey "f". When pressed the system will enter
firmware setup. This is useful in environments where it is difficult firmware setup. This is useful in environments where it is difficult
@ -467,6 +455,16 @@ CHANGES WITH 250 in spe:
selected on the last boot (using the "@saved" identifier for menu selected on the last boot (using the "@saved" identifier for menu
items). items).
* sd-boot gained support for automatically loading all EFI drivers
placed in the /EFI/systemd/drivers/ subdirectory of the EFI System
Partition (ESP). These drivers are loaded before the menu entries are
loaded. This is useful e.g. to load additional file system drivers
for the XBOOTLDR partition.
* systemd-boot will now paint the input cursor on its own instead of
relying on the firmware to do so, increasing compatibility with broken
firmware that doesn't make the cursor reasonably visible.
* sd-boot now embeds a .osrel PE section like we expect from Boot * sd-boot now embeds a .osrel PE section like we expect from Boot
Loader Specification Type #2 Unified Kernels. This means sd-boot Loader Specification Type #2 Unified Kernels. This means sd-boot
itself may be used in place of a Type #2 Unified Kernel. This is itself may be used in place of a Type #2 Unified Kernel. This is
@ -479,14 +477,14 @@ CHANGES WITH 250 in spe:
for installing/applying new devicetree files without updating the for installing/applying new devicetree files without updating the
kernel image. kernel image.
* Similar, sd-stub now can read devicetree data from a PE section * Similarly, sd-stub now can read devicetree data from a PE section
".dtb" and apply it before invoking the kernel. ".dtb" and apply it before invoking the kernel.
* sd-stub (the EFI stub that can be glued in front of a Linux kernel) * sd-stub (the EFI stub that can be glued in front of a Linux kernel)
gained the ability to pick up credentials and sysext files placed gained the ability to pick up credentials and sysext files placed
next to the kernel image file during initialization, wrap them in a next to the kernel image file, wrap them in a cpio archive and pass
cpio archive and pass them as additional initrd to the invoked Linux as an additional initrd to the invoked Linux kernel, in effect
kernel, placing them in the /.extra/ directory of the initrd placing those files in the /.extra/ directory of the initrd
environment. This is useful to implement trusted initrd environments environment. This is useful to implement trusted initrd environments
which are fully authenticated but still can be extended (via sysexts) which are fully authenticated but still can be extended (via sysexts)
and parameterized (via encrypted/authenticated credentials, see and parameterized (via encrypted/authenticated credentials, see
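Review bot: the sd-stub credentials entry loses its object in the rewrite: "wrap them in a cpio archive and pass as an additional initrd" should be "pass them as an additional initrd".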
@ -497,24 +495,24 @@ CHANGES WITH 250 in spe:
complete EFI unified kernel image, implementing Boot Loader complete EFI unified kernel image, implementing Boot Loader
Specification Type #2. Specification Type #2.
* sd-stub may now provide the initrd to the execute kernel via the * sd-stub may now provide the initrd to the executed kernel via the
LINUX_EFI_INITRD_MEDIA_GUID EFI protocol, adding compatibility for LINUX_EFI_INITRD_MEDIA_GUID EFI protocol, adding compatibility for
non-x86 architectures. non-x86 architectures.
* bootctl learnt the new set-timeout and set-timeout-oneshot that may * bootctl learnt new set-timeout and set-timeout-oneshot commands that
be used to set the boot menu time-out of the boot loader (for all or may be used to set the boot menu time-out of the boot loader (for all
just the subsequent boot). or just the subsequent boot).
* systemd-sysext now optionally doesn't insist on extension-release.d/ * systemd-sysext now optionally doesn't insist on extension-release.d/
files to be placed in the image under the image's right name. If the files being placed in the image under the image's file name. If the
file system xattr user.extension-release.strict is set on the file system xattr user.extension-release.strict is set on the
extension release file it is accepted regardless of its name. This extension release file, it is accepted regardless of its name. This
relaxes security restrictions a bit, as system extension may be relaxes security restrictions a bit, as system extension may be
attached under a wrong name this way. attached under a wrong name this way.
* udevadm's test-builtin command learnt a new --action= switch for * udevadm's test-builtin command learnt a new --action= switch for
testing the built-in with the specified action (in place of the testing the built-in with the specified action (in place of the
default of 'add'. default 'add').
* udevadm info gained new switches --property=/--value for showing only * udevadm info gained new switches --property=/--value for showing only
specific udev properties/values instead of all. specific udev properties/values instead of all.
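Review bot: the systemd-sysext entry's context line "as system extension may be attached under a wrong name this way" needs either "a system extension" or "system extensions"; the sentence before it is being edited, so adjust it in the same hunk. Since this relaxation is security-relevant, it would also help to state plainly that the check is only relaxed for images whose extension-release file carries the user.extension-release.strict xattr, i.e. the image has to opt in; the current wording leaves that implicit.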
@ -525,27 +523,27 @@ CHANGES WITH 250 in spe:
be accessible to regular users. be accessible to regular users.
* A new hwdb database entry has been added that carries information * A new hwdb database entry has been added that carries information
about what type of camera discovered cameras are (regular or about types of cameras (regular or infrared), and in which direction
infrared), and in which direction they point (front or back). they point (front or back).
* A new rule to allow console users access to rfkill by default has been * A new rule to allow console users access to rfkill by default has been
added to hwdb. added to hwdb.
* A new build-time meson option "extra-net-naming-schemes=" has been * A new build-time meson option "extra-net-naming-schemes=" has been
added for defining additional naming schemes schemes definitions for added to define additional naming schemes schemes for udev's network
udev's network interface naming logic. This is useful for enterprise interface naming logic. This is useful for enterprise distributions
distributions and similar which want to pin the schemes of certain and similar which want to pin the schemes of certain distribution
distribution releases under a specific name and previously had to releases under a specific name and previously had to patch the
patched our sources to introduce new named schemes. sources to introduce new named schemes.
* The predictable naming logic for network interfaces has been extended * The predictable naming logic for network interfaces has been extended
to generate stable names from Xen netfront device information. to generate stable names from Xen netfront device information.
* hostnamed's chassis property can now be sourced from chassis-type * hostnamed's chassis property can now be sourced from chassis-type
field encoded in devicetree (in addition to the preexisting DMI field encoded in devicetree (in addition to the existing DMI
support). support).
* systemd-cgls now optionally display cgroup IDs and extended * systemd-cgls now optionally displays cgroup IDs and extended
attributes for each cgroup. (Controllable via the new --xattr= + attributes for each cgroup. (Controllable via the new --xattr= +
--cgroup-id= switches.) --cgroup-id= switches.)
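Review bot: the doubled word survives the rewrap in the meson option paragraph, "additional naming schemes schemes for udev's network interface naming logic"; suggest "additional naming schemes for udev's network interface naming logic". In the same hunk, "sourced from chassis-type field" wants an article: "from the chassis-type field".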
@ -564,25 +562,25 @@ CHANGES WITH 250 in spe:
attempted exactly once but if the home directory was busy for some attempted exactly once but if the home directory was busy for some
reason it was not tried again. reason it was not tried again.
* systemd-homed's LUKS2 home area backend will now issue a BSD file * systemd-homed's LUKS2 home area backend will now create a BSD file
system lock on the image file while the home area is active system lock on the image file while the home area is active
(i.e. mounted). If a home area is found to be locked logins are (i.e. mounted). If a home area is found to be locked, logins are
politely refused. This should improve behavior when using home areas politely refused. This should improve behavior when using home areas
images that are accessible via the network from multiple clients, and images that are accessible via the network from multiple clients, and
reduce the chance of accidental file system corruption in that case. reduce the chance of accidental file system corruption in that case.
* Optionally, systemd-homed will now drop the kernel buffer cache once * Optionally, systemd-homed will now drop the kernel buffer cache once
a user fully logged out, configurable via the new --drop-caches= a user has fully logged out, configurable via the new --drop-caches=
homectl switch. homectl switch.
* systemd-homed now makes use of UID mapped mounts for the home * systemd-homed now makes use of UID mapped mounts for the home areas.
areas. If the kernel and used file system support it, files are now If the kernel and used file system support it, files are now
internally owned by the "nobody" user (i.e. the user typically used internally owned by the "nobody" user (i.e. the user typically used
for indicating "this ownership is not mapped"), and dynamically for indicating "this ownership is not mapped"), and dynamically
mapped to the UID used locally on the system via the UID mapping mapped to the UID used locally on the system via the UID mapping
mount logic of recent kernels. This makes migrating home areas mount logic of recent kernels. This makes migrating home areas
between different systems cheap as recursively chown()ing file system between different systems cheaper because recursively chown()ing file
trees is no longer necessary. system trees is no longer necessary.
* systemd-homed's CIFS backend now optionally supports CIFS service * systemd-homed's CIFS backend now optionally supports CIFS service
names with a directory suffix, in order to place home directories in names with a directory suffix, in order to place home directories in
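Review bot: "when using home areas images" in the LUKS2 lock paragraph should read "home area images". The paragraph could also say that the BSD lock is advisory, so readers do not assume it protects an image against a second client that does not take the lock; the "should improve behavior" wording already hints at this, but stating it avoids over-reliance on the lock for corruption protection.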
@ -592,12 +590,12 @@ CHANGES WITH 250 in spe:
mount options in the JSON user record (cifsExtraMountOptions field, mount options in the JSON user record (cifsExtraMountOptions field,
and --cifs-extra-mount-options= homectl switch). This is for example and --cifs-extra-mount-options= homectl switch). This is for example
useful for configuring mount options such as "noserverino" that some useful for configuring mount options such as "noserverino" that some
SMB3 services require (for example: use that to run a homed home SMB3 services require (use that to run a homed home directory from a
directory from a FritzBox SMB3 share this way). FritzBox SMB3 share this way).
* systemd-homed will now default to btrfs' zstd compression for home * systemd-homed will now default to btrfs' zstd compression for home
areas. This is inspired by Fedora's recent decision to enable this by areas. This is inspired by Fedora's recent decision to switch to zstd
default. by default.
* Additional mount options to use when mounting the file system of * Additional mount options to use when mounting the file system of
LUKS2 volumes in systemd-homed has been added. Via the LUKS2 volumes in systemd-homed has been added. Via the
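Review bot: the unchanged context line "Additional mount options to use when mounting the file system of LUKS2 volumes in systemd-homed has been added" has a number agreement error; suggest "have been added" while this paragraph is being touched. In the CIFS paragraph, "(use that to run a homed home directory from a FritzBox SMB3 share this way)" is redundant; drop "this way".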
@ -616,13 +614,13 @@ CHANGES WITH 250 in spe:
* systemd-homed gained the ability to automatically shrink home areas * systemd-homed gained the ability to automatically shrink home areas
on logout to their minimal size and grow them again on next on logout to their minimal size and grow them again on next
login. This ensures that while inactive a home area only takes up the login. This ensures that while inactive, a home area only takes up
minimal space necessary, but once activated provides sufficient space the minimal space necessary, but once activated, it provides
for the user's needs. This behavior is only supported if btrfs is sufficient space for the user's needs. This behavior is only
used as file system inside the home area (because only for btrfs supported if btrfs is used as file system inside the home area
online growing/shrinking is implemented in the kernel). This (because only for btrfs online growing/shrinking is implemented in
behavior is now enabled by default, but may be controlled via the the kernel). This behavior is now enabled by default, but may be
new --auto-resize-mode= setting of homectl. controlled via the new --auto-resize-mode= setting of homectl.
* systemd-homed gained support for automatically re-balancing free disk * systemd-homed gained support for automatically re-balancing free disk
space among active home areas, in case the LUKS2 backends are used, space among active home areas, in case the LUKS2 backends are used,
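Review bot: "(because only for btrfs online growing/shrinking is implemented in the kernel)" reads awkwardly after the rewrap; suggest "(because the kernel implements online growing and shrinking only for btrfs)".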
@ -635,7 +633,7 @@ CHANGES WITH 250 in spe:
user record field (as exposed via the new --rebalance-weight= homectl user record field (as exposed via the new --rebalance-weight= homectl
setting). Re-balancing is mostly automatic, but can also be requested setting). Re-balancing is mostly automatic, but can also be requested
explicitly via "homectl rebalance", which is synchronous, and thus explicitly via "homectl rebalance", which is synchronous, and thus
may be used to wait until a rebalance run is complete. may be used to wait until the rebalance run is complete.
* userdbctl gained a --json= switch for configured the JSON formatting * userdbctl gained a --json= switch for configured the JSON formatting
to use when outputting user or group records. to use when outputting user or group records.
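Review bot: the context line just below the changed one, "userdbctl gained a --json= switch for configured the JSON formatting", should read "for configuring the JSON formatting"; worth fixing in the same pass since the paragraph is already in the hunk.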
@ -647,9 +645,9 @@ CHANGES WITH 250 in spe:
* userdbctl's ssh-authorized-keys command learnt a new --chain switch, * userdbctl's ssh-authorized-keys command learnt a new --chain switch,
for chaining up another command to execute after completing the for chaining up another command to execute after completing the
look-up. Since the OpenSSH's AuthorizedKeysCommand only allows look-up. Since the OpenSSH's AuthorizedKeysCommand only allows
configuration of a single command to invoke this maybe used to invoke configuration of a single command to invoke, this maybe used to
multiple: first userdbctl's own implementation, and then any other invoke multiple: first userdbctl's own implementation, and then any
also configured in the command line. other also configured in the command line.
* The sd-event API gained a new function sd_event_add_inotify_fd() that * The sd-event API gained a new function sd_event_add_inotify_fd() that
is similar to sd_event_add_inotify() but accepts a file descriptor is similar to sd_event_add_inotify() but accepts a file descriptor
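Review bot: "this maybe used to invoke multiple" in the --chain paragraph should be "this may be used to invoke multiple", and "Since the OpenSSH's AuthorizedKeysCommand" should drop the article: "Since OpenSSH's AuthorizedKeysCommand".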
@ -667,12 +665,12 @@ CHANGES WITH 250 in spe:
https://systemd.io/PORTING_TO_NEW_ARCHITECTURES https://systemd.io/PORTING_TO_NEW_ARCHITECTURES
* The x-systemd.makefs option in /etc/fstab now explicitly supports * The x-systemd.makefs option in /etc/fstab now explicitly supports
f2fs file systems. ext2, ext3, and f2fs file systems.
* The systemd-getty-generator now honors a new kernel command line * The systemd-getty-generator now honors a new kernel command line
argument systemd.getty_auto= and a new environment variable argument systemd.getty_auto= and a new environment variable
$SYSTEMD_GETTY_AUTO that allows turning it off at boot. This is for $SYSTEMD_GETTY_AUTO that allows turning it off at boot. This is for
example useful for turning off gettys inside of containers or similar example useful to turn off gettys inside of containers or similar
environments. environments.
* systemd-resolved now listens on a second DNS stub address: 127.0.0.54 * systemd-resolved now listens on a second DNS stub address: 127.0.0.54
@ -697,42 +695,93 @@ CHANGES WITH 250 in spe:
* systemd-repart no longer requires OpenSSL. * systemd-repart no longer requires OpenSSL.
* systemd-sysusers will no longer create the redundant 'nobody' group by default, * systemd-sysusers will no longer create the redundant 'nobody' group
as the 'nobody' user is already created with an appropriate primary group. by default, as the 'nobody' user is already created with an
appropriate primary group.
* If a unit uses RuntimeMaxSec, systemctl show will now display it. * If a unit uses RuntimeMaxSec, systemctl show will now display it.
* systemctl show-environment gained support for --output=json. * systemctl show-environment gained support for --output=json.
* pam_systemd will now first try to use the X11 abstract socket, and * pam_systemd will now first try to use the X11 abstract socket, and
fallback to the socket file in /tmp/.X11-unix/ only if that does not work. fallback to the socket file in /tmp/.X11-unix/ only if that does not
work.
* systemd-journald will no longer go back to volatile storage regardless of * systemd-journald will no longer go back to volatile storage
configuration when its unit is restarted. regardless of configuration when its unit is restarted.
* Initial support for the LoongArch architecture has been added * Initial support for the LoongArch architecture has been added (system
(system calls, defines, etc). call lists, GPT partition table UUIDs, etc).
* A LICENSES/ directory is now included in the git tree. It contains a README.md * systemd-journald's own logging messages are now also logged to the
file that explains the licenses used by source files in this repository. journal itself when systemd-journald logs to /dev/kmsg.
It also contains the text of all applicable licenses as they appear on spdx.org.
* systemd-journald now re-enables COW for archived journal files on filesystems * systemd-journald now re-enables COW for archived journal files on
that support COW. One benefit of this change is that archived journal files will filesystems that support COW. One benefit of this change is that
now get compressed on btrfs filesystems that have compression enabled. archived journal files will now get compressed on btrfs filesystems
that have compression enabled.
* systemd-journald now truncates archived journal files and punches holes in unused * systemd-journald now deduplicates fields in a single log message
parts of archived journal files, leading to some minor reductions in disk usage. before adding it to the journal. In archived journal files, it will
also punch holes for unused parts and truncate the file as
appropriate, leading to reductions in disk usage.
* systemd-journald now deduplicates fields in a single log message before adding * journalctl --verify was extended with more informative error
it to the journal. messages.
* journalctl --verify was extended with more informative error messages. * More of sd-journal's functions are now resistant against journal file
corruption.
* More of sd-journal's functions are now resistant against journal file corruption. * A LICENSES/ directory is now included in the git tree. It contains a
README.md file that explains the licenses used by source files in
this repository. It also contains the text of all applicable
licenses as they appear on spdx.org.
* systemd-journald's own logging messages are now also logged to the journal itself Contributions from: Aakash Singh, Adolfo Jayme Barrientos, Albert Brox,
when systemd-journald logs to /dev/kmsg. Alberto Mardegan, Alexander Kanavin, alexlzhu, Alfonso Sánchez-Beato,
Alvin Šipraga, Alyssa Ross, Amir Omidi, Anatol Pomozov,
Andika Triwidada, Andreas Rammhold, Andreas Valder, Andrej Lajovic,
Andrew Soutar, Andrew Stone, Andy Chi, Anita Zhang, Anssi Hannula,
Antonio Alvarez Feijoo, Antony Deepak Thomas, Arnaud Ferraris,
Arvid E. Picciani, Bastien Nocera, Benjamin Berg,
Benjamin Herrenschmidt, Ben Stockett, Bogdan Seniuc, Boqun Feng,
Carl Lei, chlorophyll-zz, Chris Packham, Christian Brauner,
Christian Göttsche, Christian Wehrli, Christoph Anton Mitterer,
Cristian Rodríguez, Daan De Meyer, Daniel Maixner, Dann Frazier,
Dan Streetman, David Seifert, David Tardon, dependabot[bot],
Dimitri John Ledkov, Dimitri Papadopoulos, Dimitry Ishenko,
Dmitry Khlebnikov, Dominique Martinet, duament, Egor, Egor Ignatov,
Emil Renner Berthing, Emily Gonyer, Ettore Atalan, Evgeny Vereshchagin,
Florian Klink, Franck Bui, Frantisek Sumsal, Geass-LL, Gibeom Gwon,
GnunuX, Gogo Gogsi, gregzuro, Greg Zuro, Gustavo Costa, Hans de Goede,
Hela Basa, Henri Chain, hikigaya58, Hugo Carvalho,
Hugo Osvaldo Barrera, Iago Lopez Galeiras, Iago López Galeiras,
I-dont-need-name, Jack Dähn, James Hilliard, Jan Janssen,
Jan Kuparinen, Jan Macku, Jan Palus, jiangchuangang, jlempen,
John Lindgren, Jonas Dreßler, Jonas Witschel, Joris Hartog,
José Expósito, Julia Kartseva, Kai-Heng Feng, Kai Wohlfahrt,
Kay Siver Bø, KennthStailey, Kevin Kuehler, Kevin Orr, Khem Raj,
Kristian Klausen, Kyle Laker, lainahai, Lennart Poettering,
Lia Lenckowski, longpanda, Luca Boccassi, Luca BRUNO, Lukas Senionis,
Maanya Goenka, Maciek Borzecki, Marcel Menzel, Marco Scardovi,
Marcus Harrison, Mark Boudreau, Matthijs van Duin, Mauricio Vásquez,
Maxime de Roucy, Max Resch, MertsA, Michael Biebl, Michael Catanzaro,
Michal Koutný, Michal Sekletár, Miika Karanki, Mike Gilbert,
Milo Turner, ml, monosans, Nacho Barrientos, nassir90, nl6720,
Ondrej Kozina, Paulo Neves, Pavel Březina, pedro martelletto,
Peter Hutterer, Peter Morrow, Piotr Drąg, Rasmus Villemoes, ratijas,
Raul Tambre, rene, Riccardo Schirone, Robert-L-Turner, Ross Jennings,
saikat0511, Scott Lamb, Sergei Trofimovich, Sho Iizuka,
Slava Bacherikov, Slimane Selyan Amiri, StefanBruens, Steven Siloti,
svonohr, Taiki Sugawara, Takashi Sakamoto, Takuro Onoue, Thomas Blume,
Thomas Haller, Thomas Mühlbacher, Tianlu Shao, Toke Høiland-Jørgensen,
Tom Yan, Tony Asleson, Topi Miettinen, Ulrich Ölmann, Urs Ritzmann,
Vincent Bernat, Vito Caputo, Vladimir Panteleev, WANG Xuerui, Wind/owZ,
Wu Xiaotian, xdavidwu, Xiaotian Wu, xujing, yangmingtai, Yao Wei,
Yao Wei (魏銘廷), Yegor Alexeyev, Yu Watanabe,
Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски, наб
— Warsaw, 2021-12---
CHANGES WITH 249: CHANGES WITH 249:
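Review bot: the date line at the end of the new text reads "— Warsaw, 2021-12---"; the day is still a placeholder and needs to be filled in before the tag is cut. In the pam_systemd paragraph, "fallback to the socket file" uses the noun where the verb "fall back to" is meant. The contributor list appears to carry the same people under two spellings (Iago Lopez Galeiras / Iago López Galeiras, gregzuro / Greg Zuro, Wu Xiaotian / Xiaotian Wu, Yao Wei / Yao Wei (魏銘廷)); if they are the same contributors, keep one entry each.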


@ -13,5 +13,5 @@
<!ENTITY DEBUGTTY "{{DEBUGTTY}}"> <!ENTITY DEBUGTTY "{{DEBUGTTY}}">
<!ENTITY RC_LOCAL_PATH "{{RC_LOCAL_PATH}}"> <!ENTITY RC_LOCAL_PATH "{{RC_LOCAL_PATH}}">
<!ENTITY HIGH_RLIMIT_NOFILE "{{HIGH_RLIMIT_NOFILE}}"> <!ENTITY HIGH_RLIMIT_NOFILE "{{HIGH_RLIMIT_NOFILE}}">
<!ENTITY fedora_latest_version "34"> <!ENTITY fedora_latest_version "35">
<!ENTITY fedora_cloud_release "1.2"> <!ENTITY fedora_cloud_release "1.2">


@ -1,7 +1,7 @@
# SPDX-License-Identifier: LGPL-2.1-or-later # SPDX-License-Identifier: LGPL-2.1-or-later
project('systemd', 'c', project('systemd', 'c',
version : '249', version : '250',
license : 'LGPLv2+', license : 'LGPLv2+',
default_options: [ default_options: [
'c_std=gnu99', 'c_std=gnu99',
@ -13,8 +13,8 @@ project('systemd', 'c',
meson_version : '>= 0.53.2', meson_version : '>= 0.53.2',
) )
libsystemd_version = '0.32.0' libsystemd_version = '0.33.0'
libudev_version = '1.7.2' libudev_version = '1.7.3'
conf = configuration_data() conf = configuration_data()
conf.set_quoted('PROJECT_URL', 'https://www.freedesktop.org/wiki/Software/systemd') conf.set_quoted('PROJECT_URL', 'https://www.freedesktop.org/wiki/Software/systemd')
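Review bot: the libsystemd_version bump from 0.32.0 to 0.33.0 is the right kind of bump given that NEWS in this same PR announces a new public symbol, sd_event_add_inotify_fd(); please confirm the library's symbol version script exports it under a correspondingly new version node, otherwise the minor bump advertises API that is not actually exposed. The libudev bump 1.7.2 to 1.7.3 is patch-level only, which matches the absence of any new libudev API in NEWS.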