From 19f4f86bfed21c5326ed2acebe1163f3a83e832b Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 6 May 2024 04:25:50 +0200 Subject: Adding upstream version 241. Signed-off-by: Daniel Baumann --- TODO | 1118 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1118 insertions(+) create mode 100644 TODO (limited to 'TODO') diff --git a/TODO b/TODO new file mode 100644 index 0000000..462db57 --- /dev/null +++ b/TODO @@ -0,0 +1,1118 @@ +Bugfixes: + +* copy.c: set the right chattrs before copying files and others after + +* Many manager configuration settings that are only applicable to user + manager or system manager can be always set. It would be better to reject + them when parsing config. + +* Clarify what IPAddress* matches (source, destination, both?) + +External: + +* Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros. + +* wiki: update journal format documentation for lz4 additions + +Janitorial Clean-ups: + +* Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again + +* rework mount.c and swap.c to follow proper state enumeration/deserialization + semantics, like we do for device.c now + +Features: + +* make MAINPID= message reception checks even stricter: if service uses User=, + then check sending UID and ignore message if it doesn't match the user or + root. + +* maybe trigger a uevent "change" on a device if "systemctl reload xyz.device" + is issued. + +* when importing an fs tree with machined, optionally apply userns-rec-chown + +* when importing an fs tree with machined, complain if image is not an OS + +* Maybe introduce a helper safe_exec() or so, which is to execve() which + safe_fork() is to fork(). And then make revert the RLIMIT_NOFILE soft limit + to 1K implicitly, unless explicitly opted-out. + +* rework seccomp/nnp logic that that even if User= is used in combination with + a seccomp option we don't have to set NNP. For that, change uid first whil + keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap. + +* add a concept for automatically loading per-unit secrets off disk and + inserting them into the kernel keyring. Maybe SecretsDirectory= similar to + ConfigurationDirectory=. + +* when no locale is configured, default to UEFI's PlatformLang variable + +* When logind.conf contains HandleLidSwitch=suspend-then-hibernate and we can't + hibernate because the swap partition isn't large enough, still suspend + +* bootctl: implement Type #2 boot loader entry discovery + +* bootctl,sd-boot: actually honour the "architecture" key + +* when a socket unit is spawned with an AF_UNIX path in /var/run, complain and + patch it to use /run instead + +* set memory.oom.group in cgroup v2 for all leaf cgroups (kernel v4.19+) + +* add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and + usefaultd() and make systemd-analyze check for it. + +* paranoia: whenever we process passwords, call mlock() on the memory + first. i.e. look for all places we use string_erase()/string_free_erase() and + augment them with mlock() + +* whenever oom_kill memory.event event is triggered print a nice log message + +* Move RestrictAddressFamily= to the new cgroup create socket + +* support the bind/connect/sendmsg cgroup stuff for sandboxing, and possibly + patching around + +* maybe implicitly attach monotonic+realtime timestamps to outgoing messages in + log.c and sd-journal-send + +* chown() tty a service is attached to after the service goes down + +* optionally: turn on cgroup delegation for per-session scope units + +* introduce per-unit (i.e. per-slice, per-service) journal log size limits. + +* optionally, if a per-partition GPT flag is set for the root/home/… partitions + format the partition on next boot and unset the flag, in order to implement + factory reset. also, add a second flag that simply indicates whether such a + scheme is supported. then, add a tool (or maybe beef up systemd-dissect) to + show state of these flags, and optionally trigger such a factory reset on + next boot by setting the flag. + +* sd-boot: search drop-ins in $BOOT, too + +* sd-boot: add "oneshot boot timeout" variable support + +* sd-boot: automatically load EFI modules from some drop-in dir, so that people + can add in file system drivers and such + +* esp generator: also mount $BOOT if found + +* sd-boot: optionally, show boot menu when previous default boot item has + non-zero "tries done" count + +* logind: add "boot into bootmenu" API, and possibly even "boot into windows" + and "boot into macos". + +* bootspec.c: also enumerate EFI unified kernel images. + +* maybe set a special xattr on cgroups that have delegate=yes set, to make it + easy to mark cut points + +* introduce an option (or replacement) for "systemctl show" that outputs all + properties as JSON, similar to busctl's new JSON output. In contrast to that + it should skip the variant type string though. + +* augment CODE_FILE=, CODE_LINE= with something like CODE_BASE= or so which + contains some identifier for the project, which allows us to include + clickable links to source files generating these log messages. The identifier + could be some abberviated URL prefix or so (taking inspiration from Go + imports). For example, for systemd we could use + CODE_BASE=github.com/systemd/systemd/blob/98b0b1123cc or so which is + sufficient to build a link by prefixing "http://" and suffixing the + CODE_FILE. + +* when outputting log data with journalctl and the log data includes references + to configuration files (CONFIG_FILE=), create a clickable link for it. + +* Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can + make clickable links from log messages carrying a MESSAGE_ID, that lead to + some explanatory text online. + +* maybe extend .path units to expose fanotify() per-mount change events + +* Add a "systemctl list-units --by-slice" mode or so, which rearranges the + output of "systemctl list-units" slightly by showing the tree structure of + the slices, and the units attached to them. + +* the a-posteriori stopping of units bound to units that disappeared logic + should be reworked: there should be a queue of units, and we should only + enqeue stop jobs from a defer event that processes queue instead of + right-away when we find a unit that is bound to one that doesn't exist + anymore. (similar to how the stop-unneeded queue has been reworked the same + way) + +* nspawn: make nspawn suitable for shell pipelines: instead of triggering a + hangup when input is finished, send ^D, which synthesizes an EOF. Then wait + for hangup or ^D before passing on the EOF. + +* When reloading configuration PID 1 should reset all its properties to the + original defaults before calling parse_config() + +* Add OnTimezoneChange= and OnTimeChange= stanzas to .timer units in order to + schedule events based on time and timezone changes. + +* nspawn: greater control over selinux label? + +* hibernate/s2h: make this robust and safe to enable in Fedora by default. + Specifically: + + 1. add resume_offset support to the resume code (i.e. support swap files + properly) + 2. check if swap is on weird storage and refuse if so + 3. add autodetection of hibernation images + +* cgroups: use inotify to get notified when somebody else modifies cgroups + owned by us, then log a friendly warning. + +* beef up log.c with support for stripping ANSI sequences from strings, so that + it is OK to include them in log strings. This would be particularly useful so + that our log messages could contain clickable links for example for unit + files and suchlike we operate on. + +* add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration) + +* add attach --enable and attach --now (for attach+enable+start) + +* sync dynamic uids/gids between host+portable srvice (i.e. if DynamicUser=1 is set for a service, make sure that the + selected user is resolvable in the service even if it ships its own /etc/passwd) + +* Fix DECIMAL_STR_MAX or DECIMAL_STR_WIDTH. One includes a trailing NUL, the + other doesn't. What a desaster. Probably to exclude it. Also + DECIMAL_STR_WIDTH should probably add an extra "-" into account for negative + numbers. + +* Check that users of inotify's IN_DELETE_SELF flag are using it properly, as + usually IN_ATTRIB is the right way to watch deleted files, as the former only + fires when a file is actually removed from disk, i.e. the link count drops to + zero and is not open anymore, while the latter happens when a file is + unlinked from any dir. + +* port systemctl, busctl, … over to format-table.[ch]'s table formatters + +* pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up + +* add --vacuum-xyz options to coredumpctl, matching those journalctl already has. + +* SuccessExitStatus= and friends should probably also accept symbolic exit + codes names, i.e. error codes from the list maintained in exit-codes.[ch] + +* introduce Ephemeral= unit file switch, that creates an ephemeral copy of all + files and directories that are left writable for a unit, and which are + removed after the unit goes down again. A bit like --ephemeral for + systemd-nspawn but for system services. If used together with RootImage= this + should reflink the image file itself. + + Related: add Ephemeral= … which would allow marking + specific paths only like this. + +* add CopyFile= or so as unit file setting that may be used to copy files or + directory trees from the host to te services RootImage= and RootDirectory= + environment. Which we can use for /etc/machine-id and in particular + /etc/resolv.conf. Should be smart and do something useful on read-only + images, for example fallback to read-only bind mounting the file instead. + +* nspawn's console TTY should be allocated from within the container, not + mounted in from the outside + +* show invocation ID in systemd-run output + +* bypass SIGTERM state in unit files if KillSignal is SIGKILL + +* tree-wide: ensure we always block the signals we hook into with + sd_event_add_signal() first + +* add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1 + and so on, which would mean we could report errors and such. + +* teach tmpfiles.d q/Q logic something sensible in the context of XFS/ext4 + project quota + +* introduce DefaultSlice= or so in system.conf that allows changing where we + place our units by default, i.e. change system.slice to something + else. Similar, ManagerSlice= should exist so that PID1's own scope unit could + be moved somewhere else too. Finally machined and logind should get similar + options so that it is possible to move user session scopes and machines to a + different slice too by default. Usecase: people who want to put resources on + the entire system, with the exception of one specific service. See: + https://lists.freedesktop.org/archives/systemd-devel/2018-February/040369.html + +* maybe rework get_user_creds() to query the user database if $SHELL is used + for root, but only then. + +* be stricter with fds we receive for the fdstore: close them asynchronously + +* calenderspec: add support for week numbers and day numbers within a + year. This would allow us to define "bi-weekly" triggers safely. + +* sd-bus: add vtable flag, that may be used to request client creds implicitly + and asynchronously before dispatching the operation + +* make use of ethtool veth peer info in machined, for automatically finding out + host-side interface pointing to the container. + +* add some special mode to LogsDirectory=/StateDirectory=… that allows + declaring these directories without necessarily pulling in deps for them, or + creating them when starting up. That way, we could declare that + systemd-journald writes to /var/log/journal, which could be useful when we + doing disk usage calculations and so on. + +* taint systemd if there are fewer than 65536 users assigned (userns) to the system. + +* deprecate RootDirectoryStartOnly= in favour of a new ExecStart= prefix char + +* add a new RuntimeDirectoryPreserve= mode that defines a similar lifecycle for + the runtime dir as we maintain for the fdstore: i.e. keep it around as long + as the unit is running or has a job queued. + +* support projid-based quota in machinectl for containers + +* Add NetworkNamespacePath= to specify a path to a network namespace + +* maybe use SOURCE_DATE_EPOCH (i.e. the env var the reproducible builds folks + introduced) as the RTC epoch, instead of the mtime of NEWS. + +* add a way to lock down cgroup migration: a boolean, which when set for a unit + makes sure the processes in it can never migrate out of it + +* blog about fd store and restartable services + +* document Environment=SYSTEMD_LOG_LEVEL=debug drop-in in debugging document + +* rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its + magic meaning and is no longer upgraded to something else if set explicitly. + +* in the long run: permit a system with /etc/machine-id linked to /dev/null, to + make it lose its identity, i.e. be anonymous. For this we'd have to patch + through the whole tree to make all code deal with the case where no machine + ID is available. + +* optionally, collect cgroup resource data, and store it in per-unit RRD files, + suitable for processing with rrdtool. Add bus API to access this data, and + possibly implement a CPULoad property based on it. + +* beef up pam_systemd to take unit file settings such as cgroups properties as + parameters + +* maybe hook of xfs/ext4 quotactl() with services? i.e. automatically manage + the quota of a the user indicated in User= via unit file settings, like the + other resource management concepts. Would mix nicely with DynamicUser=1. Or + alternatively, do this with projids, so that we can also cover services + running as root. Quota should probably cover all the special dirs such as + StateDirectory=, LogsDirectory=, CacheDirectory=, as well as RootDirectory= if it + is set, plus the whole disk space any image configured with RootImage=. + +* In DynamicUser= mode: before selecting a UID, use disk quota APIs on relevant + disks to see if the UID is already in use. + +* add "systemctl wait" or so, which does what "systemd-run --wait" does, but + for all units. It should be both a way to pin units into memory as well as a + wait to retrieve their exit data. + +* expose IO accounting data on the bus, show it in systemd-run --wait and log + about it in the resource log message + +* add "systemctl purge" for flushing out configuration, state, logs, ... of a + unit when it is stopped + +* show whether a service has out-of-date configuration in "systemctl status" by + using mtime data of ConfigurationDirectory=. + +* replace all remaining uses of fgets() + LINE_MAX by read_line() + +* Add AddUser= setting to unit files, similar to DynamicUser=1 which however + creates a static, persistent user rather than a dynamic, transient user. We + can leverage code from sysusers.d for this. + +* add some optional flag to ReadWritePaths= and friends, that has the effect + that we create the dir in question when the service is started. Example: + + ReadWritePaths=:/var/lib/foobar + +* maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for + the sd-journal logging socket, and, if the timeout is set to 0, sets + O_NONBLOCK on it. That way people can control if and when to block for + logging. + +* hostnamed: populate form factor data from a new hwdb database, so that old + yogas can be recognized as "convertible" too, even if they predate the DMI + "convertible" form factor + +* Maybe add a small tool invoked early at boot, that adds in or resizes + partitions automatically, to be used when the media used is actually larger + than the image written onto it is. + +* Maybe add PrivatePIDs= as new unit setting, and do minimal PID namespacing + after all. Be strict however, only support the equivalent of nspawn's + --as-pid2 switch, and sanely proxy sd_notify() messages dropping stuff such + as MAINPID. + +* Add ExecMonitor= setting. May be used multiple times. Forks off a process in + the service cgroup, which is supposed to monitor the service, and when it + exits the service is considered failed by its monitor. + +* track the per-service PAM process properly (i.e. as an additional control + process), so that it may be queried on the bus and everything. + +* add a new "debug" job mode, that is propagated to unit_start() and for + services results in two things: we raise SIGSTOP right before invoking + execve() and turn off watchdog support. Then, use that to implement + "systemd-gdb" for attaching to the start-up of any system service in its + natural habitat. + +* maybe introduce gpt auto discovery for /var/tmp? + +* maybe add gpt-partition-based user management: each user gets his own + LUKS-encrypted GPT partition with a new GPT type. A small nss module + enumerates users via udev partition enumeration. UIDs are assigned in a fixed + way: the partition index is added as offset to some fixed base uid. User name + is stored in GPT partition name. A PAM module authenticates the user via the + LUKS partition password. Benefits: strong per-user security, compatibility + with stateless/read-only/verity-enabled root. (other idea: do this based on + loopback files in /home, without GPT involvement) + +* gpt-auto logic: introduce support for discovering /var matching an image. For + that, use a partition type UUID that is hashed from the OS name (as encoded + in /etc/os-release), the architecture, and 4 new bits from the gpt flags + field of the root partition. This way can easily support multiple OS + installations on the same GPT partition table, without problems with + unmatched /var partitions. + +* gpt-auto logic: related to the above, maybe support a "secondary" root + partition, that is mounted to / and is writable, and where the actual root's + /usr is mounted into. + +* gpt-auto logic: support encrypted swap, add kernel cmdline option to force it, and honour a gpt bit about it, plus maybe a configuration file + +* drop nss-myhostname in favour of nss-resolve? + +* add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and + then use that for the setting used in user@.service. It should be understood + relative to the configured default value. + +* in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us + +* enable LockMLOCK to take a percentage value relative to physical memory + +* Permit masking specific netlink APIs with RestrictAddressFamily= + +* nspawn: support that /proc, /sys/, /dev are pre-mounted + +* define gpt header bits to select volatility mode + +* ProtectKernelLogs= (drops CAP_SYSLOG, add seccomp for syslog() syscall, and DeviceAllow to /dev/kmsg) in service files + +* ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc + +* ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away) + +* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave) + +* ProtectKeyRing= to take keyring calls away + +* RemoveKeyRing= to remove all keyring entries of the specified user + +* ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill + on PID 1 with the relevant signals, and makes relevant files in /sys and + /proc (such as the sysrq stuff) unavailable + +* make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things + +* journalctl: make sure -f ends when the container indicated by -M terminates + +* mount: automatically search for "main" partition of an image has multiple + partitions + +* expose the "privileged" flag of ExecCommand on the bus, and open it up to + transient units + +* in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set, + find a way to map the User=/Group= of the service to the right name. This way + a user/group for a service only has to exist on the host for the right + mapping to work. + +* add bus API for creating unit files in /etc, reusing the code for transient units + +* add bus API to remove unit files from /etc + +* add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only) + +* rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the + kernel doesn't support linkat() that replaces existing files, currently) + +* transient units: don't bother with actually setting unit properties, we + reload the unit file anyway + +* journald: sigbus API via a signal-handler safe function that people may call + from the SIGBUS handler + +* optionally, also require WATCHDOG=1 notifications during service start-up and shutdown + +* resolved: when routing queries, make sure only look for the *longest* suffix... + +* delay activation of logind until somebody logs in, or when /dev/tty0 pulls it + in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle + +* cache sd_event_now() result from before the first iteration... + +* add systemctl stop --job-mode=triggering that follows TRIGGERED_BY deps and adds them to the same transaction + +* PID1: find a way how we can reload unit file configuration for + specific units only, without reloading the whole of systemd + +* add an explicit parser for LimitRTPRIO= that verifies + the specified range and generates sane error messages for incorrect + specifications. + +* when we detect that there are waiting jobs but no running jobs, do something + +* push CPUAffinity= also into the "cpuset" cgroup controller (only after the cpuset controller got ported to the unified hierarchy) + +* PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn) + +* there's probably something wrong with having user mounts below /sys, + as we have for debugfs. for exmaple, src/core/mount.c handles mounts + prefixed with /sys generally special. + http://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html + +* fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline + +* docs: bring http://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date + +* add a job mode that will fail if a transaction would mean stopping + running units. Use this in timedated to manage the NTP service + state. + http://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html + +* The udev blkid built-in should expose a property that reflects + whether media was sensed in USB CF/SD card readers. This should then + be used to control SYSTEMD_READY=1/0 so that USB card readers aren't + picked up by systemd unless they contain a medium. This would mirror + the behaviour we already have for CD drives. + +* networkd/udev: implement SR_IOV configuration in .link files: + http://lists.freedesktop.org/archives/systemd-devel/2015-January/027451.html + +* hostnamectl: show root image uuid + +* Find a solution for SMACK capabilities stuff: + http://lists.freedesktop.org/archives/systemd-devel/2014-December/026188.html + +* "systemctl preset-all" should probably order the unit files it + operates on lexicographically before starting to work, in order to + ensure deterministic behaviour if two unit files conflict (like DMs + do, for example) + +* synchronize console access with BSD locks: + http://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html + +* as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads: + http://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html + +* in systemctl list-unit-files: show the install value the presets would suggest for a service in a third column + +* figure out when we can use the coarse timers + +* add "systemctl start -v foobar.service" that shows logs of a service + while the start command runs. This is non-trivial to do without + races though, since we should flush out all journal messages before + returning from the "systemctl stop". + +* firstboot: make it useful to be run immediately after yum --installroot to set up a machine. (most specifically, make --copy-root-password work even if /etc/passwd already exists + +* maybe add support for specifier expansion in user.conf, specifically DefaultEnvironment= + +* consider showing the unit names during boot up in the status output, not just the unit descriptions + +* maybe allow timer units with an empty Units= setting, so that they + can be used for resuming the system but nothing else. + +* what to do about udev db binary stability for apps? (raw access is not an option) + +* man: maybe use the word "inspect" rather than "introspect"? + +* systemctl: if some operation fails, show log output? + +* systemctl edit: use equvalent of cat() to insert existing config as a comment, prepended with #. + Upon editor exit, lines with one # are removed, lines with two # are left with one #, etc. + +* exponential backoff in timesyncd when we cannot reach a server + +* timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM + +* merge ~/.local/share and ~/.local/lib into one similar /usr/lib and /usr/share.... + +* systemd.show_status= should probably have a mode where only failed + units are shown. + +* add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL + (throughout the codebase, not only PID1) + +* resolved: + - mDNS/DNS-SD + - service registration + - service/domain/types browsing + - avahi compat + - DNS-SD service registration from socket units + - resolved should optionally register additional per-interface LLMNR + names, so that for the container case we can establish the same name + (maybe "host") for referencing the server, everywhere. + - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?) + - hook up resolved with machined-based address resolution + +* refcounting in sd-resolve is borked + +* Add a new verb "systemctl top" + +* add new gpt type for btrfs volumes + +* support empty /etc boots nicely: + - nspawn/gpt-generator: introduce new gpt partition type for /usr + +* generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them. + +* a way for container managers to turn off getty starting via $container_headless= or so... + +* figure out a nice way how we can let the admin know what child/sibling unit causes cgroup membership for a specific unit + +* For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services + they run added to the initial transaction and thus confuse Type=idle. + +* add bus api to query unit file's X fields. + +* gpt-auto-generator: + - Define new partition type for encrypted swap? Support probed LUKS for encrypted swap? + - Make /home automount rather than mount? + +* add generator that pulls in systemd-network from containers when + CAP_NET_ADMIN is set, more than the loopback device is defined, even + when it is otherwise off + +* MessageQueueMessageSize= (and suchlike) should use parse_iec_size(). + +* implement Distribute= in socket units to allow running multiple + service instances processing the listening socket, and open this up + for ReusePort= + +* socket units: support creating sockets in different namespace, + opening it up for JoinsNamespaceOf=. This would require to fork off + a tiny process that joins the namespace and creates/binds the socket + and passes this back to PID1 via SCM_RIGHTS. This also could be used + to allow Chown/chgrp on sockets without requiring NSS in PID 1. + +* introduce bus call FreezeUnit(s, b), as well as "systemctl freeze + $UNIT" and "systemctl thaw $UNIT" as wrappers around this. The calls + should SIGSTOP all unit processes in a loop until all processes of + it are fully stopped. This can later be used for app management by + desktop UIs such as gnome-shell to freeze apps that are not visible + on screen, not unlike how job control works on the shell + +* cgroups: + - implement per-slice CPUFairScheduling=1 switch + - introduce high-level settings for RT budget, swappiness + - how to reset dynamically changed unit cgroup attributes sanely? + - when reloading configuration, apply new cgroup configuration + - when recursively showing the cgroup hierarchy, optionally also show + the hierarchies of child processes + +* transient units: + - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt + +* Automatically configure swap partition to use for hibernation by looking for largest swap partition on the root disk? + +* when we detect low battery and no AC on boot, show pretty splash and refuse boot + +* libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops + +* be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1 + +* rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it + +* After coming back from hibernation reset hibernation swap partition using the /dev/snapshot ioctl APIs + +* If we try to find a unit via a dangling symlink, generate a clean + error. Currently, we just ignore it and read the unit from the search + path anyway. + +* refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up + +* man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted. + +* load .d/*.conf dropins for device units + +* allow implementation of InaccessibleDirectories=/ plus + ReadOnlyDirectories=... for whitelisting files for a service. + +* sd-bus: + - EBADSLT handling + - GetAllProperties() on a non-existing object does not result in a failure currently + - port to sd-resolve for connecting to TCP dbus servers + - see if we can introduce a new sd_bus_get_owner_machine_id() call to retrieve the machine ID of the machine of the bus itself + - see if we can drop more message validation on the sending side + - add API to clone sd_bus_message objects + - longer term: priority inheritance + - dbus spec updates: + - NameLost/NameAcquired obsolete + - GVariant + - path escaping + - update systemd.special(7) to mention that dbus.socket is only about the compatibility socket now + +* sd-event + - allow multiple signal handlers per signal? + - document chaining of signal handler for SIGCHLD and child handlers + - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ... + - generate a failure of a default event loop is executed out-of-thread + +* investigate endianness issues of UUID vs. GUID + +* dbus: when a unit failed to load (i.e. is in UNIT_ERROR state), we + should be able to safely try another attempt when the bus call LoadUnit() is invoked. + +* add a pam module that passes the hdd passphrase into the PAM stack and then expires it, for usage by gdm auto-login. + +* add a pam module that on password changes updates any LUKS slot where the password matches + +* test/: + - add unit tests for config_parse_device_allow() + +* seems that when we follow symlinks to units we prefer the symlink + destination path over /etc and /usr. We should not do that. Instead + /etc should always override /run+/usr and also any symlink + destination. + +* when isolating, try to figure out a way how we implicitly can order + all units we stop before the isolating unit... + +* teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off}) + +* BootLoaderSpec: Clarify that the kernel has to be in $BOOT. Clarify + that the boot loader should be installed to the ESP. Define a way + how an installer can figure out whether a BLS compliant boot loader + is installed. + +* think about requeuing jobs when daemon-reload is issued? usecase: + the initrd issues a reload after fstab from the host is accessible + and we might want to requeue the mounts local-fs acquired through + that automatically. + +* systemd-inhibit: make taking delay locks useful: support sending SIGINT or SIGTERM on PrepareForSleep() + +* remove any syslog support from log.c — we probably cannot do this before split-off udev is gone for good + +* shutdown logging: store to EFI var, and store to USB stick? + +* merge unit_kill_common() and unit_kill_context() + +* introduce ExecCondition= in services + +* EFI: + - honor language efi variables for default language selection (if there are any?) + - honor timezone efi variables for default timezone selection (if there are any?) + - change bootctl to be backed by systemd-bootd to control temporary and persistent default boot goal plus efi variables + +* maybe do not install getty@tty1.service symlink in /etc but in /usr? + +* print a nicer explanation if people use variable/specifier expansion in ExecStart= for the first word + +* mount: turn dependency information from /proc/self/mountinfo into dependency information between systemd units. + +* logind: + - logind: optionally, ignore idle-hint logic for autosuspend, block suspend as long as a session is around + - logind: wakelock/opportunistic suspend support + - Add pretty name for seats in logind + - logind: allow showing logout dialog from system? + - add Suspend() bus calls which take timestamps to fix double suspend issues when somebody hits suspend and closes laptop quickly. + - if pam_systemd is invoked by su from a process that is outside of a + any session we should probably just become a NOP, since that's + usually not a real user session but just some system code that just + needs setuid(). + - logind: make the Suspend()/Hibernate() bus calls wait for the for + the job to be completed. before returning, so that clients can wait + for "systemctl suspend" to finish to know when the suspending is + complete. + - logind: when the power button is pressed short, just popup a + logout dialog. If it is pressed for 1s, do the usual + shutdown. Inspiration are Macs here. + - expose "Locked" property on logind sesison objects + - maybe allow configuration of the StopTimeout for session scopes + - rename session scope so that it includes the UID. THat way + the session scope can be arranged freely in slices and we don't have + make assumptions about their slice anymore. + - follow PropertiesChanged state more closely, to deal with quick logouts and + relogins + +* exec: when deinitializating a tty device fix the perms and group, too, not only when initializing. Set access mode/gid to 0620/tty. + +* journal: + - consider introducing implicit _TTY= + _PPID= + _EUID= + _EGID= + _FSUID= + _FSGID= fields + - import and delete pstore filesystem content at startup + - journald: also get thread ID from client, plus thread name + - journal: when waiting for journal additions in the client always sleep at least 1s or so, in order to minimize wakeups + - add API to close/reopen/get fd for journal client fd in libsystemd-journal. + - fallback to /dev/log based logging in libsystemd-journal, if we cannot log natively? + - declare the local journal protocol stable in the wiki interface chart + - sd-journal: speed up sd_journal_get_data() with transparent hash table in bg + - journald: when dropping msgs due to ratelimit make sure to write + "dropped %u messages" not only when we are about to print the next + message that works, but alraedy after a short tiemout + - check if we can make journalctl by default use --follow mode inside of less if called without args? + - maybe add API to send pairs of iovecs via sd_journal_send + - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access + - journactl: support negative filtering, i.e. FOOBAR!="waldo", + and !FOOBAR for events without FOOBAR. + - journal: store timestamp of journal_file_set_offline() int he header, + so it is possible to display when the file was last synced. + - journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again. + - journal: find a way to allow dropping history early, based on priority, other rules + - journal: When used on NFS, check payload hashes + - journald: add kernel cmdline option to disable ratelimiting for debug purposes + - refuse taking lower-case variable names in sd_journal_send() and friends. + - journald: we currently rotate only after MaxUse+MaxFilesize has been reached. + - journal: deal nicely with byte-by-byte copied files, especially regards header + - journal: sanely deal with entries which are larger than the individual file size, but where the components would fit + - Replace utmp, wtmp, btmp, and lastlog completely with journal + - journalctl: instead --after-cursor= maybe have a --cursor=XYZ+1 syntax? + - when a kernel driver logs in a tight loop, we should ratelimit that too. + - journald: optionally, log debug messages to /run but everything else to /var + - journald: when we drop syslog messages because the syslog socket is + full, make sure to write how many messages are lost as first thing + to syslog when it works again. + - change systemd-journal-flush into a service that stays around during + boot, and causes the journal to be moved back to /run on shutdown, + so that we do not keep /var busy. This needs to happen synchronously, + hence doing this via signals is not going to work. + - optionally support running journald from the command line for testing purposes in external projects + - journald: allow per-priority and per-service retention times when rotating/vacuuming + - journald: make use of uid-range.h to managed uid ranges to split + journals in. + - journalctl: add the ability to look for the most recent process of a binary. journalctl /usr/bin/X11 --pid=-1 or so... + - improve journalctl performance by loading journal files + lazily. Encode just enough information in the file name, so that we + do not have to open it to know that it is not interesting for us, for + the most common operations. + - man: document that corrupted journal files is nothing to act on + - rework journald sigbus stuff to use mutex + - Set RLIMIT_NPROC for systemd-journal-xyz, and all other of our + services that run under their own user ids, and use User= (but only + in a world where userns is ubiquitous since otherwise we cannot + invoke those daemons on the host AND in a container anymore). Also, + if LimitNPROC= is used without User= we should warn and refuse + operation. + - journalctl --verify: don't show files that are currently being + written to as FAIL, but instead show that their are being written to. + - add journalctl -H that talks via ssh to a remote peer and passes through + binary logs data + - add a version of --merge which also merges /var/log/journal/remote + - journalctl: -m should access container journals directly by enumerating + them via machined, and also watch containers coming and going. + Benefit: nspawn --ephemeral would start working nicely with the journal. + - assign MESSAGE_ID to log messages about failed services + +* add a test if all entries in the catalog are properly formatted. + (Adding dashes in a catalog entry currently results in the catalog entry + being silently skipped. journalctl --update-catalog must warn about this, + and we should also have a unit test to check that all our message are OK.) + +* document: + - document that deps in [Unit] sections ignore Alias= fields in + [Install] units of other units, unless those units are disabled + - man: clarify that time-sync.target is not only sysv compat but also useful otherwise. Same for similar targets + - document that service reload may be implemented as service reexec + - add a man page containing packaging guidelines and recommending usage of things like Documentation=, PrivateTmp=, PrivateNetwork= and ReadOnlyDirectories=/etc /usr. + - document systemd-journal-flush.service properly + - documentation: recommend to connect the timer units of a service to the service via Also= in [Install] + - man: document the very specific env the shutdown drop-in tools live in + - man: add more examples to man pages + - man: maybe sort directives in man pages, and take sections from --help and apply them to man too + +* systemctl: + - add systemctl switch to dump transaction without executing it + - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done + - "systemctl disable" on a static unit prints no message and does + nothing. "systemctl enable" does nothing, and gives a bad message + about it. Should fix both to print nice actionable messages. + - print nice message from systemctl --failed if there are no entries shown, and hook that into ExecStartPre of rescue.service/emergency.service + - add new command to systemctl: "systemctl system-reexec" which reexecs as many daemons as virtually possible + - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards? + - systemctl: "Journal has been rotated since unit was started." message is misleading + - systemctl status output should include list of triggering units and their status + +* unit install: + - "systemctl mask" should find all names by which a unit is accessible + (i.e. by scanning for symlinks to it) and link them all to /dev/null + +* timer units: + - timer units should get the ability to trigger when: + o CLOCK_REALTIME makes jumps (TFD_TIMER_CANCEL_ON_SET) + o DST changes + o timezone changes + - Modulate timer frequency based on battery state + +* add libsystemd-password or so to query passwords during boot using the password agent logic + +* clean up date formatting and parsing so that all absolute/relative timestamps we format can also be parsed + +* on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?), get rid of systemd-update-utmp-runlevel + +* make repeated alt-ctrl-del presses printing a dump + +* hostnamed: before returning information from /etc/machine-info.conf check the modification data and reread. Similar for localed, ... + +* currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not + +* nspawn: + - emulate /dev/kmsg using CUSE and turn off the syslog syscall + with seccomp. That should provide us with a useful log buffer that + systemd can log to during early boot, and disconnect container logs + from the kernel's logs. + - as soon as networkd has a bus interface, hook up --network-interface=, + --network-bridge= with networkd, to trigger netdev creation should an + interface be missing + - a nice way to boot up without machine id set, so that it is set at boot + automatically for supporting --ephemeral. Maybe hash the host machine id + together with the machine name to generate the machine id for the container + - fix logic always print a final newline on output. + https://github.com/systemd/systemd/pull/272#issuecomment-113153176 + - should optionally support receiving WATCHDOG=1 messages from its payload + PID 1... + - optionally automatically add FORWARD rules to iptables whenever nspawn is + running, remove them when shut down. + +* dissect + - refuse mounting over a mount point + - automatically discover .roothash files in dissect, similarly to nspawn + +* machined: + - add an API so that libvirt-lxc can inform us about network interfaces being + removed or added to an existing machine + - "machinectl migrate" or similar to copy a container from or to a + difference host, via ssh + - introduce systemd-nspawn-ephemeral@.service, and hook it into + "machinectl start" with a new --ephemeral switch + - "machinectl status" should also show internal logs of the container in + question + - "machinectl history" + - "machinectl diff" + - "machinectl commit" that takes a writable snapshot of a tree, invokes a + shell in it, and marks it read-only after use + +* cryptsetup: + - cryptsetup-generator: allow specification of passwords in crypttab itself + - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator + +* hw watchdog: optionally try to use the preset watchdog timeout instead of always overriding it + https://bugs.freedesktop.org/show_bug.cgi?id=54712 + +* add a dependency on standard-conf.xml and other included files to man pages + +* MountFlags=shared acts as MountFlags=slave right now. + +* properly handle loop back mounts via fstab, especially regards to fsck/passno + +* initialize the hostname from the fs label of /, if /etc/hostname does not exist? + +* udev: + - move to LGPL + - kill scsi_id + - add trigger --subsystem-match=usb/usb_device device + - reimport udev db after MOVE events for devices without dev_t + +* There's currently no way to cancel fsck (used to be possible via C-c or c on the console) + +* add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/ + +* coredump: + - save coredump in Windows/Mozilla minidump format + - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps + +* support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting) + +* default to actual 32-bit PIDs, via /proc/sys/kernel/pid_max + +* be able to specify a forced restart of service A where service B depends on, in case B + needs to be auto-respawned? + +* tmpfiles: + - apply "x" on "D" too (see patch from William Douglas) + - replace F with f+. + - instead of ignoring unknown fields, reject them. + - creating new directories/subvolumes/fifos/device nodes + should not follow symlinks. None of the other adjustment or creation + calls follow symlinks. + +* make sure systemd-ask-password-wall does not shutdown systemd-ask-password-console too early + +* verify that the AF_UNIX sockets of a service in the fs still exist + when we start a service in order to avoid confusion when a user + assumes starting a service is enough to make it accessible + +* Make it possible to set the keymap independently from the font on + the kernel cmdline. Right now setting one resets also the other. + +* and a dbus call to generate target from current state + +* write blog stories about: + - hwdb: what belongs into it, lsusb + - enabling dbus services + - how to make changes to sysctl and sysfs attributes + - remote access + - how to pass throw-away units to systemd, or dynamically change properties of existing units + - testing with Harald's awesome test kit + - auto-restart + - how to develop against journal browsing APIs + - the journal HTTP iface + - non-cgroup resource management + - dynamic resource management with cgroups + - refreshed, longer missions statement + - calendar time events + - init=/bin/sh vs. "emergency" mode, vs. "rescue" mode, vs. "multi-user" mode, vs. "graphical" mode, and the debug shell + - how to create your own target + - instantiated apache, dovecot and so on + - hooking a script into various stages of shutdown/rearly booot + +* investigate whether the gnome pty helper should be moved into systemd, to provide cgroup support. + +* dot output for --test showing the 'initial transaction' + +* pid1: + - When logging about multiple units (stopping BoundTo units, conflicts, etc.), + log both units as UNIT=, so that journalctl -u triggers on both. + - generate better errors when people try to set transient properties + that are not supported... + http://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html + - maybe introduce WantsMountsFor=? Usecase: + http://lists.freedesktop.org/archives/systemd-devel/2015-January/027729.html + - recreate systemd's D-Bus private socket file on SIGUSR2 + - move PAM code into its own binary + - when we automatically restart a service, ensure we restart its rdeps, too. + - hide PAM options in fragment parser when compile time disabled + - Support --test based on current system state + - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle(). + - after deserializing sockets in socket.c we should reapply sockopts and things + - drop PID 1 reloading, only do reexecing (difficult: Reload() + currently is properly synchronous, Reexec() is weird, because we + cannot delay the response properly until we are back, so instead of + being properly synchronous we just keep open the fd and close it + when done. That means clients do not get a successful method reply, + but much rather a disconnect on success. + - when breaking cycles drop sysv services first, then services from /run, then from /etc, then from /usr + - when a bus name of a service disappears from the bus make sure to queue further activation requests + +* unit files: + - allow port=0 in .socket units + - maybe introduce ExecRestartPre= + - add ReloadSignal= for configuring a reload signal to use + - implement Register= switch in .socket units to enable registration + in Avahi, RPC and other socket registration services. + - allow Type=simple with PIDFile= + https://bugzilla.redhat.com/show_bug.cgi?id=723942 + - allow writing multiple conditions in unit files on one line + - load-fragment: when loading a unit file via a chain of symlinks + verify that it is not masked via any of the names traversed. + - introduce Type=pid-file + - introduce mix of BindTo and Requisite + - add a concept of RemainAfterExit= to scope units + - Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely + +* udev-link-config: + - Make sure ID_PATH is always exported and complete for + network devices where possible, so we can safely rely + on Path= matching + - check MTUBytes parsing (expecting size_t but we are using unsigned) + +* sd-rtnl: + - add support for more attribute types + - inbuilt piping support (essentially degenerate async)? see loopback-setup.c and other places + +* networkd: + - add more keys to [Route] and [Address] sections + - add support for more DHCPv4 options (and, longer term, other kinds of dynamic config) + - add proper initrd support (in particular generate .network/.link files based on /proc/cmdline) + - add reduced [Link] support to .network files + - add Scope= parsing option for [Network] + - properly handle routerless dhcp leases + - work with non-Ethernet devices + - add support for more bond options + - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from? + - the DHCP lease data (such as NTP/DNS) is still made available when + a carrier is lost on a link. It should be removed instantly. + - expose in the API the following bits: + - option 15, domain name and/or option 119, search list + - option 12, host name and/or option 81, fqdn + - option 123, 144, geolocation + - option 252, configure http proxy (PAC/wpad) + - provide a way to define a per-network interface default metric value + for all routes to it. possibly a second default for DHCP routes. + - allow Name= to be specified repeatedly in the [Match] section. Maybe also + support Name=foo*|bar*|baz ? + - duplicate address check for static IPs (like ARPCHECK in network-scripts) + - allow DUID/IAID to be customized, see issue #394. + - whenever uplink info changes, make DHCP server send out FORCERENEW + +* networkd-wait-online: + - make operstates to wait for configurable? + +* dhcp: + - figure out how much we can increase Maximum Message Size + +* dhcp6: + - add functions to set previously stored IPv6 addresses on startup and get + them at shutdown; store them in client->ia_na + - write more test cases + - implement reconfigure support, see 5.3., 15.11. and 22.20. + - implement support for temporary adressess (IA_TA) + - implement dhcpv6 authentication + - investigate the usefulness of Confirm messages; i.e. are there any + situations where the link changes without any loss in carrier detection + or interface down + - some servers don't do rapid commit without a filled in IA_NA, verify + this behavior + - RouteTable= ? + +External: + +* dbus: + - natively watch for dbus-*.service symlinks (PENDING) + - teach dbus to activate all services it finds in /etc/systemd/services/org-*.service + +* fix alsa mixer restore to not print error when no config is stored + +* make cryptsetup lower --iter-time + +* patch kernel for xattr support in /dev, /proc/, /sys? + +* kernel: add device_type = "fb", "fbcon" to class "graphics" + +* /usr/bin/service should actually show the new command line + +* fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus= + +* fedora: F20: go timer units all the way, leave cron.daily for cron + +* neither pkexec nor sudo initialize environ[] from the PAM environment? + +* fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it + +* register catalog database signature as file magic + +* zsh shell completion: + - - should complete options, but currently does not + - systemctl add-wants,add-requires + + +Regularly: + +* look for close() vs. close_nointr() vs. close_nointr_nofail() + +* check for strerror(r) instead of strerror(-r) + +* pahole + +* set_put(), hashmap_put() return values check. i.e. == 0 does not free()! + +* use secure_getenv() instead of getenv() where appropriate + +* link up selected blog stories from man pages and unit files Documentation= fields +String is not UTF-8 clean, ignoring assignment + timedatex.service: Consumed 26ms CPU time. -- cgit v1.2.3