1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-01 09:21:26 +03:00

Merge pull request #6936 from poettering/news-235

News 235
This commit is contained in:
Lennart Poettering 2017-09-28 19:22:55 +02:00 committed by GitHub
commit e88fe88877
3 changed files with 217 additions and 10 deletions

212
NEWS
View File

@ -2,14 +2,14 @@ systemd System and Service Manager
CHANGES WITH 235:
* modprobe.d drop-in is now shipped by default that sets bonding module
option max_bonds=0. This overrides the kernel default, to avoid
conflicts and ambiguity as to whether or not bond0 should be managed
by networkd or not. This resolves multiple bugs of bond0 properties
not being applied, when bond0 is configured with
networkd. Distributors may choose to not package this, however in
that case users will be prevented from correctly managing bond0
interface using networkd.
* A new modprobe.d drop-in is now shipped by default that sets the
bonding module option max_bonds=0. This overrides the kernel default,
to avoid conflicts and ambiguity as to whether or not bond0 should be
managed by systemd-networkd or not. This resolves multiple issues
with bond0 properties not being applied, when bond0 is configured
with systemd-networkd. Distributors may choose to not package this,
however in that case users will be prevented from correctly managing
bond0 interface using systemd-networkd.
* systemd-analyze gained new verbs "get-log-level" and "get-log-target"
which print the logging level and target of the system manager,
@ -17,10 +17,204 @@ CHANGES WITH 235:
"set-log-target" verbs, which can be used to change those values.
* systemd-networkd .network DHCP setting UseMTU default has changed
from false to true. Meaning, DHCP server advertised mtu setting is
from false to true. Meaning, DHCP server advertised MTU setting is
now applied by default. This resolves networking issues on low-mtu
networks.
* journald.conf gained a new boolean setting ReadKMsg= which defaults
to on. If turned off kernel log messages will not be read by
systemd-journald and not be included in the logs. It also gained a
new setting LineMax= for configuring the maximum line length to allow
when converting STDOUT/STDERR log streams into individual log
records. The new default for this value is 48K, up from the previous
hardcoded 4K.
* A new setting RuntimeDirectoryPreserve= for units has been added,
which allows more detailed control of what to do with a runtime
directory configured with RuntimeDirectory= (i.e. a directory below
/run or $XDG_RUNTIME_DIR) after a unit is stopped.
* The RuntimeDirectory= setting for units gained support for creating
deeper subdirectories below /run or $XDG_RUNTIME_DIR, instead of just
one top-level directory.
* Units gained new options StateDirectory=, CacheDirectory=,
LogsDirectory= and ConfigurationDirectory= which are closely related
to RuntimeDirectory= but manage per-service directories below
/var/lib, /var/cache, /var/log and /etc. By making use of this it is
possible to write unit files which when activated automatically gain
properly owned service specific directories in these locations, thus
making unit files self-contained and increasing compatibility with
stateless systems and factory reset where /etc or /var are
unpopulated at boot. Matching these new settings there's also
StateDirectoryMode=, CacheDirectoryMode=, LogsDirectoryMode=,
ConfigurationDirectoryMode= for configuring the access mode of these
directories.
* Automake support has been removed from this release. systemd is now
Meson-only.
* systemd-journald will now aggressively cache client metadata during
runtime, speeding up log write performance under pressure. This comes
at a small price though: as much of the metadata is read
asynchronously from /proc/ (and isn't implicitly attached to log
datagrams by the kernel, like UID/GID/PID/SELinux are) this means the
metadata stored alongside a log entry might be slightly
out-of-date. Previously it could only be slightly newer than the log
message. The time window is small however, and given that the kernel
is unlikely to be improved anytime soon in this regard, this appears
acceptable to us.
* nss-myhostname/systemd-resolved will now by default synthesize an
A/AAAA resource record for the "_gateway" hostname, pointing to the
current default IP gateway. Previously it did that for the "gateway"
name, hampering adoption, as some distributions wanted to leave that
host name open for local use. The old behaviour may still be
requested at build time.
* systemd-networkd's [Address] section in .network files gained a new
Scope= setting for configuring the IP address scope. The [Network]
section gained a new boolean setting ConfigureWithoutCarrier= that
tells systemd-networkd to ignore link sensing when configuring the
device. The [DHCP] section gained a new Anonymize= boolean option for
turning on a number of options suggested in RFC 7844. A new
[RoutingPolicyRule] section has been added for configuring the IP
routing policy. The [Route] section has gained support for a new
Type= setting which permits configuring
blackhole/unreachable/prohibit routes.
* The [VRF] section in .netdev files gained a new Table= setting for
configuring the routing table to use. The [Tunnel] section gained a
new Independent= boolean field for configuring tunnels independent of
an underlying network interface. The [Bridge] section gained a new
GroupForwardMask= option for configuration of propagation of link
local frames between bridge ports.
* The WakeOnLan= setting in .link files gained support for a number of
new modes. A new TCP6SegmentationOffload= setting has been added for
configuring TCP/IPv6 hardware segmentation offload.
* The IPv6 RA sender implementation may now optionally send out RDNSS
and RDNSSL records for supplying DNS configuration to peers.
* systemd-nspawn gained support for a new --system-call-filter= command
line option for adding/removing entries in the default system call
filter it applies. Moreover systemd-nspawn has been changed to
implement a system call whitelist instead of a blacklist.
* systemd-run gained support for a new --pipe command line option. If
used the STDIN/STDOUT/STDERR file descriptors passed to systemd-run
are directly passed on to the activated transient service
binary. This allows invoking arbitrary processes as systemd services
(for example to take benefit of dependency management, accounting
management, resource management or log management that is done
automatically for services) — while still allowing them to be
integrated in a classic UNIX shell pipeline.
* When a service sends RELOAD=1 via sd_notify() and reload propagation
using ReloadPropagationTo= is configured, a reload is now propagated
to configured units. (Previously this was only done on explicitly
requested reloads, using "systemctl reload" or an equivalent
command.)
* For each service unit a restart counter is now kept: it is increased
each time the service is restarted due to Restart=, and may be
queried using "systemctl show -p NRestarts …".
* New system call filter groups @setuid, @credentials, @memlock,
@signal and @timer have been added, for usage with SystemCallFilter=
in unit files and the new --system-call-filter= command line option
of systemd-nspawn (see above).
* ExecStart= lines in unit files gained two new modifiers: when a
command line is prefixed with "!" the command will be executed as
configured, except for the credentials applied by
setuid()/setgid()/setgroups(). It is very similar to the pre-existing
"+", but does still apply namespacing options unlike "+". There's
also "!!" now, which is mostly identical, but becomes a NOP on
systems that support ambient capabilities. This is useful to write
unit files that work with ambient capabilities where possible but
automatically fall back to traditional privilege dropping mechanisms
on systems where this is not supported.
* ListenNetlink= settings in socket units now support RDMA netlink
sockets.
* A new unit file setting LockPersonality= has been added which permits
locking down the chosen execution domain ("personality") of a service
during runtime.
* A new special target "getty-pre.target" has been added, which is
ordered before all text logins, and may be used to order services
before, that shall run before these textual logins acquire access to
the console.
* systemd will now attempt to load the virtio-rng.ko kernel module very
early on if a VM environment supporting this is detected. This should
improve entropy during early boot in virtualized environments.
* A _netdev option is now supported in /etc/crypttab that operates in a
similar way as the same option in /etc/fstab: it permits configuring
encrypted devices that need to be ordered after the network coming
up. Following this logic, two new special targets
remote-cryptsetup-pre.target and remote-cryptsetup.target have been
added that are to cryptsetup.target what
remote-fs.target/remote-fs-pre.target are to local-fs.target.
* Service units gained a new UnsetEnvironment= setting which permits
unsetting specific environment variables for specific services that
are normally passed to it (for example in order to mask out locale
settings for specific services that can't deal with it).
* Units acquired a new boolean option IPAccounting=. When turned on, IP
traffic accounting (packet count as well as byte count) is done for
the service, and shown as part of "systemctl status" or "systemd-run
--wait".
* Service units acquired two new options IPAddressAllow= and
IPAddressDeny=, taking a list of IPv4 or IPv6 addresses and masks,
for configuring a simple IP access control list for all sockets of
the unit. These options are available also on .slice and .socket
units, permitting flexible access list configuration for individual
services as well as groups of services (as defined by a slice unit),
including system-wide. Note that IP ACLs configured this way are
enforced on every single IPv4 and IPv6 socket created by any process
of the service unit, and apply to ingress as well as egress traffic.
* If CPUAccounting= or IPAccounting= is turned on for a unit a new,
recognizable log message is generated each time the unit is stopped,
containing information about the consumed resources of this
invocation.
* A new setting KeyringMode= has been added to unit files, which may be
used to control how the kernel keyring is set up for executed
processes.
* .timer units now accept calendar specifications in other timezones
than UTC or the local timezone.
Contributions from: Abdó Roig-Maranges, Alan Jenkins, Alexander
Kuleshov, Andreas Rammhold, Andrew Jeddeloh, Andrew Soutar, Ansgar
Burchardt, b1tninja, bengal, Benjamin Berg, Benjamin Robin, Charles
Huber, Christian Hesse, Daniel Berrange, Daniel Mack, Daniel Rusek,
dasj19, Davide Cavalca, Dimitri John Ledkov, Diogo Pereira, Djalal
Harouni, dkg, dmig, Dmitry Torokhov, ettavolt, Evgeny Vereshchagin,
Fabio Kung, Felipe Sateler, Franck Bui, g0tar, Hans de Goede, Harald
Hoyer, Insun Pyo, Ivan Kurnosov, Ivan Shapovalov, Jakub Wilk, Jan
Synacek, Jason Gunthorpe, Jeremy Bicha, Jérémy Rosen, John Lin,
jonasBoss, Jonathan Lebon, Jonathan Teh, Jon Ringle, Jörg Thalheim,
Jouke Witteveen, juga0, Justin Michaud, Kai-Heng Feng, Lennart
Poettering, Lion Yang, Luca Bruno, Lucas Werkmeister, Lukáš Nykrýn,
Marcel Hollerbach, Marcus Lundblad, Martin Pitt, Michael Biebl, Michael
Grzeschik, Michal Sekletar, Mike Gilbert, Neil Brown, Nicolas Iooss,
Patrik Flykt, pEJipE, Russell Stuart, S. Fan, Shengyao Xue, Stefan
Pietsch, Susant Sahani, Tejun Heo, Thomas Miller, Thomas Sailer, Tobias
Hunger, Tom Gundersen, Tommi Rantala, Topi Miettinen, Torstein Husebø,
userwithuid, Vito Caputo, vliaskov, WaLyong Cho, William Douglas, Xiang
Fan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek
— Berlin, 2017-09-XX
CHANGES WITH 234:
* Meson is now supported as build system in addition to Automake. It is

13
TODO
View File

@ -24,6 +24,19 @@ Janitorial Clean-ups:
Features:
* expose IO accounting data on the bus, show it in systemd-run --wait and log
about it in the resource log message
* add "systemctl purge" for flushing out configuration, state, logs, ... of a
unit when it is stopped
* show whether a service has out-of-date configuration in "systemctl status" by
using mtime data of ConfigurationDirectory=.
* Properly chmod() RuntimeDirectory=, StateDirectory=, LogsDirectory= and
CacheDirectory= when we start up and the directory isn't properly owned. In
particular to make DynamicUser= work
* replace all uses of fgets() + LINE_MAX by read_line()
* set IPAddressDeny=any on all services that shouldn't do networking (possibly

View File

@ -1,5 +1,5 @@
project('systemd', 'c',
version : '234',
version : '235',
license : 'LGPLv2+',
default_options: [
'c_std=gnu99',