mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
update TODO
This commit is contained in:
parent
9d43e0335f
commit
00244c49df
44
TODO
44
TODO
@ -130,6 +130,14 @@ Deprecations and removals:
|
||||
|
||||
Features:
|
||||
|
||||
* userdb: add concept for user "aliases", to cover for cases where you can log
|
||||
in under the name lennart@somenetworkfsserver, and it would automatically
|
||||
generate a local user, and from the one both names can be used to allow
|
||||
logins into the same account.
|
||||
|
||||
* systemd-tpm2-support: add a some logic that detects if system is in DA
|
||||
lockout mode, and queries the user for TPM recovery PIN then.
|
||||
|
||||
* systemd-repart should probably enable btrfs' "temp_fsid" feature for all file
|
||||
systems it creates, as we have no interest in RAID for repart, and it should
|
||||
make sure that we can mount them trivially everywhere.
|
||||
@ -524,12 +532,6 @@ Features:
|
||||
fd00:5353:5353:5353:5353:5353:5353:5353), and listen on port 53 on it for the
|
||||
local stubs, so that we can make the stub available via ipv6 too.
|
||||
|
||||
* introduce a .microcode PE section for sd-stub which we'll pass as first initrd
|
||||
to the kernel which will then upload it to the CPU. This should be distinct
|
||||
from .initrd to guarantee right ordering. also, and maybe more importantly
|
||||
support .microcode in PE add-ons, so that a microcode update can be shipped
|
||||
independently of any kernel.
|
||||
|
||||
* Maybe add SwitchRootEx() as new bus call that takes env vars to set for new
|
||||
PID 1 as argument. When adding SwitchRootEx() we should maybe also add a
|
||||
flags param that allows disabling and enabling whether serialization is
|
||||
@ -637,9 +639,6 @@ Features:
|
||||
grow exponentially in size to ensure O(log(n)) time for finding them on
|
||||
access.
|
||||
|
||||
* Use CLONE_INTO_CGROUP to spawn systemd-executor, once glibc supports it in
|
||||
posix_spawn().
|
||||
|
||||
* Make nspawn to a frontend for systemd-executor, so that we have to ways into
|
||||
the executor: via unit files/dbus/varlink through PID1 and via cmdline/OCI
|
||||
through nspawn.
|
||||
@ -912,11 +911,6 @@ Features:
|
||||
early. i.e. stuff ending in "/", "/." and "/.." definitely refers to a
|
||||
directory, and paths ending that way can be refused early in many contexts.
|
||||
|
||||
* systemd-measure: allow operating with PEM certificates in addition to PEM
|
||||
public keys when signing PCR values. SecureBoot and our Verity signatures
|
||||
operate with certificates already, hence I guess we should also just deal for
|
||||
convenience with certificates for the PCR stuff too.
|
||||
|
||||
* systemd-measure: add --pcrpkey-auto as an alternative to --pcrpkey=, where it
|
||||
would just use the same public key specified with --public-key= (or the one
|
||||
automatically derived from --private-key=).
|
||||
@ -932,10 +926,6 @@ Features:
|
||||
keyring, so that the kernel does this validation for us for verity and kernel
|
||||
modules
|
||||
|
||||
* for systemd-confext: add a tool that can generate suitable DDIs with verity +
|
||||
sig using squashfs-tools-ng's library. Maybe just systemd-repart called under
|
||||
a new name with a built-in config?
|
||||
|
||||
* lock down acceptable encrypted credentials at boot, via simple allowlist,
|
||||
maybe on kernel command line:
|
||||
systemd.import_encrypted_creds=foobar.waldo,tmpfiles.extra to protect locked
|
||||
@ -1213,8 +1203,6 @@ Features:
|
||||
images as OS payloads. i.e. have a generic OS image you can point to any
|
||||
payload you like, which is then downloaded, securely verified and run.
|
||||
|
||||
* deprecate cgroupsv1 further (print log message at boot)
|
||||
|
||||
* systemd-dissect: add --cat switch for dumping files such as /etc/os-release
|
||||
|
||||
* per-service sandboxing option: ProtectIds=. If used, will overmount
|
||||
@ -1396,7 +1384,6 @@ Features:
|
||||
- pass creds via keyring?
|
||||
- pass creds via memfd?
|
||||
- acquire + decrypt creds from pkcs11?
|
||||
- make systemd-cryptsetup acquire pw via creds logic
|
||||
- make PAMName= acquire pw via creds logic
|
||||
- make macsec code in networkd read key via creds logic (copy logic from
|
||||
wireguard)
|
||||
@ -1458,8 +1445,8 @@ Features:
|
||||
Apparently kernel performance is much better with fewer larger seccomp
|
||||
filters than with more smaller seccomp filters.
|
||||
|
||||
* systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum,
|
||||
mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such
|
||||
* systemd-path: Add "private" runtime/state/cache dir enum, mapping to
|
||||
$RUNTIME_DIRECTORY, $STATE_DIRECTORY and such
|
||||
|
||||
* seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out
|
||||
|
||||
@ -1885,8 +1872,6 @@ Features:
|
||||
* transient units:
|
||||
- add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt
|
||||
|
||||
* when we detect low battery and no AC on boot, show pretty splash and refuse boot
|
||||
|
||||
* libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops
|
||||
|
||||
* be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1
|
||||
@ -1930,7 +1915,6 @@ Features:
|
||||
that are not supported...
|
||||
https://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html
|
||||
- recreate systemd's D-Bus private socket file on SIGUSR2
|
||||
- move PAM code into its own binary
|
||||
- when we automatically restart a service, ensure we restart its rdeps, too.
|
||||
- hide PAM options in fragment parser when compile time disabled
|
||||
- Support --test based on current system state
|
||||
@ -1975,8 +1959,6 @@ Features:
|
||||
|
||||
* currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not
|
||||
|
||||
* add a pam module that passes the hdd passphrase into the PAM stack and then expires it, for usage by gdm auto-login.
|
||||
|
||||
* add a pam module that on password changes updates any LUKS slot where the password matches
|
||||
|
||||
* test/:
|
||||
@ -2478,12 +2460,6 @@ Features:
|
||||
or two sockets.
|
||||
- Support running nspawn as an unprivileged user.
|
||||
|
||||
* machined: add API to acquire UID range. add API to mount/dissect loopback
|
||||
file. Both protected by PK. Then make nspawn use these APIs to run
|
||||
unprivileged containers. i.e. push the truly privileged bits into machined,
|
||||
so that the client side can remain entirely unprivileged, with SUID or
|
||||
anything like that.
|
||||
|
||||
* machined:
|
||||
- add an API so that libvirt-lxc can inform us about network interfaces being
|
||||
removed or added to an existing machine
|
||||
|
Loading…
Reference in New Issue
Block a user