1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00

Merge pull request #3784 from poettering/NEWS-v231

This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2016-07-22 21:28:31 -04:00
commit 2880b01d8f
3 changed files with 208 additions and 24 deletions

View File

@ -64,3 +64,9 @@ Tom Rini <trini@kernel.crashing.org>
Paul Mundt <lethal@linux-sh.org>
Atul Sabharwal <atul.sabharwal@intel.com>
Daniel Machon <Danielmachon@live.dk>
Thomas Blume <Thomas.Blume@suse.com>
Pablo Lezaeta Reyes <prflr88@gmail.com>
Otto Wallenius <otto_026@hotmail.com>
Tom Yan <tom.ty89@gmail.com>
Marty Plummer <ntzrmtthihu777@gmail.com>
Brian Boylston <brian.boylston@hpe.com>

208
NEWS
View File

@ -2,23 +2,207 @@ systemd System and Service Manager
CHANGES WITH 231:
* When using systemd's default tmp.mount for /tmp, this will now be
mounted with the "nosuid" and "nodev" options. This avoids
privilege escalation attacks that put traps and exploits into /tmp.
However, this might cause some problems if you e. g. put container
* In service units the various ExecXYZ= settings have been extended
with an additional special character as first argument of the
assigned value: if the character '!' is used the specified command
line it will be run with full privileges, regardless of User=,
Group=, CapabilityBoundingSet= and similar options. The effect is
similar to the existing PermissionsStartOnly= option, but allows
configuration of this concept for each executed command line
independently.
* Services may now alter the service watchdog timeout at runtime by
sending a WATCHDOG_USEC= message via sd_notify().
* MemoryLimit= and related unit settings now optionally take percentage
specifications. The percentage is taken relative to the amount of
physical memory in the system (or in case of containers, the assigned
amount of memory). This allows scaling service resources neatly with
the amount of RAM available on the system. Similar, systemd-logind's
RuntimeDirectorySize= option now also optionally takes percentage
values.
* In similar fashion TasksMax= takes percentage values now, too. The
value is taken relative to the configured maximum number of processes
on the system. The per-service task maximum has been changed to 15%
using this functionality. (Effectively this is an increase of 512 →
4915 for service units, given the kernel's default pid_max setting.)
* Calendar time specifications in .timer units now understand a ".."
syntax for time ranges. Example: "4..7:10" may now be used for
defining a timer that is triggered at 4:10am, 5:10am, 6:10am and
7:10am every day.
* The InaccessableDirectories=, ReadOnlyDirectories= and
ReadWriteDirectories= unit file settings have been renamed to
InaccessablePaths=, ReadOnlyPaths= and ReadWritePaths= and may now be
applied to all kinds of file nodes, and not just directories, with
the exception of symlinks. Specifically these settings may now be
used on block and character device nodes, UNIX sockets and FIFOS as
well as regular files. The old names of these settings remain
available for compatibility.
* systemd will now log about all service processes it kills forcibly
(using SIGKILL) because they remained after the clean shutdown phase
of the service completed. This should help identifying services that
shut down uncleanly. Moreover if KillUserProcesses= is enabled in
systemd-logind's configuration a similar log message is generated for
processes killed at the end of each session due to this setting.
* systemd will now set the $JOURNAL_STREAM environment variable for all
services whose stdout/stderr are connected to the Journal (which
effectively means by default: all services). The variable contains
the device and inode number of the file descriptor used for
stdout/stderr. This may be used by invoked programs to detect whether
their stdout/stderr is connected to the Journal, in which case they
can switch over to direct Journal communication, thus being able to
pass extended, structured metadata along with their log messages. As
one example, this is now used by glib's logging primitives.
* When using systemd's default tmp.mount unit for /tmp, the mount point
will now be established with the "nosuid" and "nodev" options. This
avoids privilege escalation attacks that put traps and exploits into
/tmp. However, this might cause problems if you e. g. put container
images or overlays into /tmp; if you need this, override tmp.mount's
"Options=" with a drop-in, or mount /tmp from /etc/fstab with your
desired options.
* systemd-resolved gained a new "Cache=" option in resolved.conf.
Local caching makes DNS poisoning attacks slightly easier and allows
a local user to detect whether any other user on the same machine has
recently visited a given DNS name (privacy). If that is a concern,
you can disable local caching with this option at the cost of slower
DNS resolution (which is particularly expensive with DNSSEC). The
default continues to be "yes" (i. e. caching is enabled).
* systemd now supports the "memory" cgroup controller also on
cgroupsv2.
Contributions from: ...
* The systemd-cgtop tool now optionally takes a control group path as
command line argument. If specified, the control group list shown is
limited to subgroups of that group.
* The SystemCallFilter= unit file setting gained support for
pre-defined, named system call filter sets. For example
SystemCallFilter=@clock is now an effective way to make all clock
changing-related system calls unavailanle to a service. A number of
similar pre-defined groups are defined. Writing system call filters
for system services is simplified substantially with this new
concept. Accordingly, all of systemd's own, long-running services now
enable system call filtering based on this, by default.
* A new service setting MemoryDenyWriteExecute= has been added, taking
a boolean value. If turned on, a service may no longer create memory
mappings that are writable and executable at the same time. This
enhances security for services where this is enabled as it becomes
harder to dynamically write and then execute memory in exploited
service processes. This option has been enabled for all of systemd's
own long-running services.
* A new RestrictRealtime= service setting has been added, taking a
boolean argument. If set the service's processes may no longer
acquire realtime scheduling. This improves security as realtime
scheduling may otherwise be used to easily freeze the system.
* systemd-nspawn gained a new switch --notify-ready= taking a boolean
value. This may be used for requesting that the system manager inside
of the container reports start-up completion to nspawn which then
propagates this notification further to the service manager
supervising nspawn itself. A related option NotifyReady= in .nspawn
files has been added too. This functionality allows ordering of the
start-up of multiple containers using the usual systemd ordering
primitives.
* machinectl gained a new command "stop" that is an alias for
"terminate".
* systemd-resolved gained support for contacting DNS servers on
link-local IPv6 addresses.
* If systemd-resolved receives the SIGUSR2 signal it will now flush all
its caches. A method call for requesting the same operation has been
added to the bus API too, and is made available via "systemd-resolve
--flush-caches".
* systemd-resolved gained a new --status switch. If passed a brief
summary of the used DNS configuration with per-interface information
is shown.
* resolved.conf gained a new Cache= boolean option, defaulting to
on. If turned off local DNS caching is disabled. This comes with a
performance penalty in particular when DNSSEC is enabled. Note that
resolved disables its internaly caching implicitly anyway, when the
configured DNS server is on a host-local IP address such as ::1 or
127.0.0.1, thus automatically avoiding double local caching.
* systemd-resolved now listens on the local IP address 127.0.0.53:53
for DNS requests. This improves compatibility with local programs
that do not use the libc NSS or systemd-resolved's bus APIs for name
resolution. This minimal DNS service is only available to local
programs and does not implement the full DNS protocol, but enough to
cover local DNS clients. A new, static resolv.conf file, listing just
this DNS server is now shipped in /usr/lib/systemd/resolv.conf. It is
now recommended to make /etc/resolv.conf a symlink to this file in
order to route all DNS lookups to systemd-resolved, regardless if
done via NSS, the bus API or raw DNS packets. Note that this local
DNS service is not as fully featured as the libc NSS or
systemd-resolved's bus APIs. For example, as unicast DNS cannot be
used to deliver link-local address information (as this implies
sending a local interface index along), LLMNR/mDNS support via this
interface is severely restricted. It is thus strongly recommended for
all applications to use the libc NSS API or native systemd-resolved
bus API instead.
* systemd-networkd's bridge support learned a new setting
VLANFiltering= for controlling VLAN filtering. Moreover a new section
in .network files has been added for configuring VLAN bridging in
more detail: VLAN=, EgressUntagged=, PVID= in [BridgeVLAN].
* systemd-networkd's IPv6 Router Advertisement code now makes use of
the DNSSL and RDNSS options. This means IPv6 DNS configuration may
now be acquired without relying on DHCPv6. Two new options
UseDomains= and UseDNS= have been added to configure this behaviour.
* systemd-networkd's IPv6AcceptRouterAdvertisements= option has been
renamed IPv6AcceptRA=, without altering its behaviour. The old
setting name remains available for compatibility reasons.
* The systemd-networkd VTI/VTI6 tunneling support gained new options
Key=, InputKey= and OutputKey=.
* systemd-networkd gained support for VRF ("Virtual Routing Function")
interface configuration.
* "systemctl edit" may now be used to create new unit files by
specifying the --force switch.
* sd-event gained a new function sd_event_get_iteration() for
requesting the current iteration counter of the event loop. It starts
at zero and is increased by one with each event loop iteration.
* Configuration for "mkosi" is now part of the systemd
repository. mkosi is a tool to easily build legacy-free OS images,
and is available on github: https://github.com/systemd/mkosi. If
"mkosi" is invoked in the build tree a new raw OS image is generated
incorporating the systemd sources currently being worked on and a
clean, fresh distribution installation. The generated OS image may be
booted up with "systemd-nspawn -b -i", qemu-kvm or on any physcial
UEFI PC. This functionality is particularly useful to easily test
local changes made to systemd in a pristine, defined environment. See
HACKING for details.
Contributions from: 0xAX, Alessandro Puccetti, Alessio Igor Bogani,
Alexander Kuleshov, Alexander Kurtz, Alex Gaynor, Andika Triwidada,
Andreas Pokorny, Andreas Rammhold, Andrew Jeddeloh, Ansgar Burchardt,
Atrotors, Benjamin Drung, Brian Boylston, Christian Hesse, Christian
Rebischke, Daniele Medri, Daniel Mack, Dave Reisner, David Herrmann,
David Michael, Djalal Harouni, Doug Christman, Douglas Christman, Elias
Probst, Evgeny Vereshchagin, Federico Mena Quintero, Felipe Sateler,
Franck Bui, Harald Hoyer, Ian Lee, Ivan Shapovalov, Jakub Wilk, Jan
Janssen, Jean-Sébastien Bour, John Paul Adrian Glaubitz, Jouke
Witteveen, Kai Ruhnau, kpengboy, Kyle Walker, Lénaïc Huard, Lennart
Poettering, Luca Bruno, Lukas Lösche, Lukáš Nykrýn, mahkoh, Marcel
Holtmann, Martin Pitt, Marty Plummer, Matthieu Codron, Max Prokhorov,
Michael Biebl, Michael Karcher, michaelolbrich, Michał Bartoszkiewicz,
Michal Sekletar, Michal Soltys, Minkyung, Muhammet Kara, mulkieran,
Otto Wallenius, Pablo Lezaeta Reyes, Peter Hutterer, Ronny Chevalier,
Rusty Bird, Stef Walter, Susant Sahani, Tejun Heo, Thomas Blume, Thomas
Haller, Thomas Hindoe Paaboel Andersen, Thomas H. P. Andersen, Tobias
Jungel, Tom Gundersen, Tom Yan, Topi Miettinen, Torstein Husebø,
Valentin Vidić, Viktar Vaŭčkievič, Weng Xuetian, Werner Fink, Zbigniew
Jędrzejewski-Szmek
— Somewhere, 2016-XX-XX

View File

@ -204,19 +204,13 @@
<varlistentry>
<term><varname>Cache=</varname></term>
<listitem><para>Takes a boolean argument. If "yes" (the default),
resolving a domain name which already got queried earlier will re-use
the previous result as long as that is still valid, and thus does not
need to do an actual network request.</para>
<listitem><para>Takes a boolean argument. If "yes" (the default), resolving a domain name which already got
queried earlier will return the previous result as long as it is still valid, and thus does not result in a new
network request. Be aware that that turning off caching comes at a performance penalty, which is particularly
high when DNSSEC is used.</para>
<para>However, local caching slightly increases the chance of a
successful DNS poisoning attack, and might also be a privacy problem in
some environments: By measuring the time it takes to resolve a
particular network name, a user can determine whether any other user on
the same machine recently visited that name. If either of these is a
concern, you may disable the local caching. Be aware that this comes at
a performance cost, which is <emphasis>very</emphasis> high with DNSSEC.
</para></listitem>
<para>Note that caching is turned off implicitly if the configured DNS server is on a host-local IP address
(such as 127.0.0.1 or ::1), in order to avoid duplicate local caching.</para></listitem>
</varlistentry>
</variablelist>