diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 13:00:47 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 13:00:47 +0000 |
commit | 2cb7e0aaedad73b076ea18c6900b0e86c5760d79 (patch) | |
tree | da68ca54bb79f4080079bf0828acda937593a4e1 /NEWS | |
parent | Initial commit. (diff) | |
download | systemd-2cb7e0aaedad73b076ea18c6900b0e86c5760d79.tar.xz systemd-2cb7e0aaedad73b076ea18c6900b0e86c5760d79.zip |
Adding upstream version 247.3.upstream/247.3upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 11836 |
1 files changed, 11836 insertions, 0 deletions
@@ -0,0 +1,11836 @@ +systemd System and Service Manager + +CHANGES WITH 247: + + * KERNEL API INCOMPATIBILITY: Linux 4.14 introduced two new uevents + "bind" and "unbind" to the Linux device model. When this kernel + change was made, systemd-udevd was only minimally updated to handle + and propagate these new event types. The introduction of these new + uevents (which are typically generated for USB devices and devices + needing a firmware upload before being functional) resulted in a + number of issues which we so far didn't address. We hoped the kernel + maintainers would themselves address these issues in some form, but + that did not happen. To handle them properly, many (if not most) udev + rules files shipped in various packages need updating, and so do many + programs that monitor or enumerate devices with libudev or sd-device, + or otherwise process uevents. Please note that this incompatibility + is not fault of systemd or udev, but caused by an incompatible kernel + change that happened back in Linux 4.14, but is becoming more and + more visible as the new uevents are generated by more kernel drivers. + + To minimize issues resulting from this kernel change (but not avoid + them entirely) starting with systemd-udevd 247 the udev "tags" + concept (which is a concept for marking and filtering devices during + enumeration and monitoring) has been reworked: udev tags are now + "sticky", meaning that once a tag is assigned to a device it will not + be removed from the device again until the device itself is removed + (i.e. unplugged). This makes sure that any application monitoring + devices that match a specific tag is guaranteed to both see uevents + where the device starts being relevant, and those where it stops + being relevant (the latter now regularly happening due to the new + "unbind" uevent type). The udev tags concept is hence now a concept + tied to a *device* instead of a device *event* — unlike for example + udev properties whose lifecycle (as before) is generally tied to a + device event, meaning that the previously determined properties are + forgotten whenever a new uevent is processed. + + With the newly redefined udev tags concept, sometimes it's necessary + to determine which tags are the ones applied by the most recent + uevent/database update, in order to discern them from those + originating from earlier uevents/database updates of the same + device. To accommodate for this a new automatic property CURRENT_TAGS + has been added that works similar to the existing TAGS property but + only lists tags set by the most recent uevent/database + update. Similarly, the libudev/sd-device API has been updated with + new functions to enumerate these 'current' tags, in addition to the + existing APIs that now enumerate the 'sticky' ones. + + To properly handle "bind"/"unbind" on Linux 4.14 and newer it is + essential that all udev rules files and applications are updated to + handle the new events. Specifically: + + • All rule files that currently use a header guard similar to + ACTION!="add|change",GOTO="xyz_end" should be updated to use + ACTION=="remove",GOTO="xyz_end" instead, so that the + properties/tags they add are also applied whenever "bind" (or + "unbind") is seen. (This is most important for all physical device + types — those for which "bind" and "unbind" are currently + generated, for all other device types this change is still + recommended but not as important — but certainly prepares for + future kernel uevent type additions). + + • Similarly, all code monitoring devices that contains an 'if' branch + discerning the "add" + "change" uevent actions from all other + uevents actions (i.e. considering devices only relevant after "add" + or "change", and irrelevant on all other events) should be reworked + to instead negatively check for "remove" only (i.e. considering + devices relevant after all event types, except for "remove", which + invalidates the device). Note that this also means that devices + should be considered relevant on "unbind", even though conceptually + this — in some form — invalidates the device. Since the precise + effect of "unbind" is not generically defined, devices should be + considered relevant even after "unbind", however I/O errors + accessing the device should then be handled gracefully. + + • Any code that uses device tags for deciding whether a device is + relevant or not most likely needs to be updated to use the new + udev_device_has_current_tag() API (or sd_device_has_current_tag() + in case sd-device is used), to check whether the tag is set at the + moment an uevent is seen (as opposed to the existing + udev_device_has_tag() API which checks if the tag ever existed on + the device, following the API concept redefinition explained + above). + + We are very sorry for this breakage and the requirement to update + packages using these interfaces. We'd again like to underline that + this is not caused by systemd/udev changes, but result of a kernel + behaviour change. + + * UPCOMING INCOMPATIBILITY: So far most downstream distribution + packages have not retriggered devices once the udev package (or any + auxiliary package installing additional udev rules) is updated. We + intend to work with major distributions to change this, so that + "udevadm trigger -a change" is issued on such upgrades, ensuring that + the updated ruleset is applied to the devices already discovered, so + that (asynchronously) after the upgrade completed the udev database + is consistent with the updated rule set. This means udev rules must + be ready to be retriggered with a "change" action any time, and + result in correct and complete udev database entries. While the + majority of udev rule files known to us currently get this right, + some don't. Specifically, there are udev rules files included in + various packages that only set udev properties on the "add" action, + but do not handle the "change" action. If a device matching those + rules is retriggered with the "change" action (as is intended here) + it would suddenly lose the relevant properties. This always has been + problematic, but as soon as all udev devices are triggered on relevant + package upgrades this will become particularly so. It is strongly + recommended to fix offending rules so that they can handle a "change" + action at any time, and acquire all necessary udev properties even + then. Or in other words: the header guard mentioned above + (ACTION=="remove",GOTO="xyz_end") is the correct approach to handle + this, as it makes sure rules are rerun on "change" correctly, and + accumulate the correct and complete set of udev properties. udev rule + definitions that cannot handle "change" events being triggered at + arbitrary times should be considered buggy. + + * The MountAPIVFS= service file setting now defaults to on if + RootImage= and RootDirectory= are used, which means that with those + two settings /proc/, /sys/ and /dev/ are automatically properly set + up for services. Previous behaviour may be restored by explicitly + setting MountAPIVFS=off. + + * Since PAM 1.2.0 (2015) configuration snippets may be placed in + /usr/lib/pam.d/ in addition to /etc/pam.d/. If a file exists in the + latter it takes precedence over the former, similar to how most of + systemd's own configuration is handled. Given that PAM stack + definitions are primarily put together by OS vendors/distributions + (though possibly overridden by users), this systemd release moves its + own PAM stack configuration for the "systemd-user" PAM service (i.e. + for the PAM session invoked by the per-user user@.service instance) + from /etc/pam.d/ to /usr/lib/pam.d/. We recommend moving all + packages' vendor versions of their PAM stack definitions from + /etc/pam.d/ to /usr/lib/pam.d/, but if such OS-wide migration is not + desired the location to which systemd installs its PAM stack + configuration may be changed via the -Dpamconfdir Meson option. + + * The runtime dependencies on libqrencode, libpcre2, libidn/libidn2, + libpwquality and libcryptsetup have been changed to be based on + dlopen(): instead of regular dynamic library dependencies declared in + the binary ELF headers, these libraries are now loaded on demand + only, if they are available. If the libraries cannot be found the + relevant operations will fail gracefully, or a suitable fallback + logic is chosen. This is supposed to be useful for general purpose + distributions, as it allows minimizing the list of dependencies the + systemd packages pull in, permitting building of more minimal OS + images, while still making use of these "weak" dependencies should + they be installed. Since many package managers automatically + synthesize package dependencies from ELF shared library dependencies, + some additional manual packaging work has to be done now to replace + those (slightly downgraded from "required" to "recommended" or + whatever is conceptually suitable for the package manager). Note that + this change does not alter build-time behaviour: as before the + build-time dependencies have to be installed during build, even if + they now are optional during runtime. + + * sd-event.h gained a new call sd_event_add_time_relative() for + installing timers relative to the current time. This is mostly a + convenience wrapper around the pre-existing sd_event_add_time() call + which installs absolute timers. + + * sd-event event sources may now be placed in a new "exit-on-failure" + mode, which may be controlled via the new + sd_event_source_get_exit_on_failure() and + sd_event_source_set_exit_on_failure() functions. If enabled, any + failure returned by the event source handler functions will result in + exiting the event loop (unlike the default behaviour of just + disabling the event source but continuing with the event loop). This + feature is useful to set for all event sources that define "primary" + program behaviour (where failure should be fatal) in contrast to + "auxiliary" behaviour (where failure should remain local). + + * Most event source types sd-event supports now accept a NULL handler + function, in which case the event loop is exited once the event + source is to be dispatched, using the userdata pointer — converted to + a signed integer — as exit code of the event loop. Previously this + was supported for IO and signal event sources already. Exit event + sources still do not support this (simply because it makes little + sense there, as the event loop is already exiting when they are + dispatched). + + * A new per-unit setting RootImageOptions= has been added which allows + tweaking the mount options for any file system mounted as effect of + the RootImage= setting. + + * Another new per-unit setting MountImages= has been added, that allows + mounting additional disk images into the file system tree accessible + to the service. + + * Timer units gained a new FixedRandomDelay= boolean setting. If + enabled, the random delay configured with RandomizedDelaySec= is + selected in a way that is stable on a given system (though still + different for different units). + + * Socket units gained a new setting Timestamping= that takes "us", "ns" + or "off". This controls the SO_TIMESTAMP/SO_TIMESTAMPNS socket + options. + + * systemd-repart now generates JSON output when requested with the new + --json= switch. + + * systemd-machined's OpenMachineShell() bus call will now pass + additional policy metadata data fields to the PolicyKit + authentication request. + + * systemd-tmpfiles gained a new -E switch, which is equivalent to + --exclude-prefix=/dev --exclude-prefix=/proc --exclude=/run + --exclude=/sys. It's particularly useful in combination with --root=, + when operating on OS trees that do not have any of these four runtime + directories mounted, as this means no files below these subtrees are + created or modified, since those mount points should probably remain + empty. + + * systemd-tmpfiles gained a new --image= switch which is like --root=, + but takes a disk image instead of a directory as argument. The + specified disk image is mounted inside a temporary mount namespace + and the tmpfiles.d/ drop-ins stored in the image are executed and + applied to the image. systemd-sysusers similarly gained a new + --image= switch, that allows the sysusers.d/ drop-ins stored in the + image to be applied onto the image. + + * Similarly, the journalctl command also gained an --image= switch, + which is a quick one-step solution to look at the log data included + in OS disk images. + + * journalctl's --output=cat option (which outputs the log content + without any metadata, just the pure text messages) will now make use + of terminal colors when run on a suitable terminal, similarly to the + other output modes. + + * JSON group records now support a "description" string that may be + used to add a human-readable textual description to such groups. This + is supposed to match the user's GECOS field which traditionally + didn't have a counterpart for group records. + + * The "systemd-dissect" tool that may be used to inspect OS disk images + and that was previously installed to /usr/lib/systemd/ has now been + moved to /usr/bin/, reflecting its updated status of an officially + supported tool with a stable interface. It gained support for a new + --mkdir switch which when combined with --mount has the effect of + creating the directory to mount the image to if it is missing + first. It also gained two new commands --copy-from and --copy-to for + copying files and directories in and out of an OS image without the + need to manually mount it. It also acquired support for a new option + --json= to generate JSON output when inspecting an OS image. + + * The cgroup2 file system is now mounted with the + "memory_recursiveprot" mount option, supported since kernel 5.7. This + means that the MemoryLow= and MemoryMin= unit file settings now apply + recursively to whole subtrees. + + * systemd-homed now defaults to using the btrfs file system — if + available — when creating home directories in LUKS volumes. This may + be changed with the DefaultFileSystemType= setting in homed.conf. + It's now the default file system in various major distributions and + has the major benefit for homed that it can be grown and shrunk while + mounted, unlike the other contenders ext4 and xfs, which can both be + grown online, but not shrunk (in fact xfs is the technically most + limited option here, as it cannot be shrunk at all). + + * JSON user records managed by systemd-homed gained support for + "recovery keys". These are basically secondary passphrases that can + unlock user accounts/home directories. They are computer-generated + rather than user-chosen, and typically have greater entropy. + homectl's --recovery-key= option may be used to add a recovery key to + a user account. The generated recovery key is displayed as a QR code, + so that it can be scanned to be kept in a safe place. This feature is + particularly useful in combination with systemd-homed's support for + FIDO2 or PKCS#11 authentication, as a secure fallback in case the + security tokens are lost. Recovery keys may be entered wherever the + system asks for a password. + + * systemd-homed now maintains a "dirty" flag for each LUKS encrypted + home directory which indicates that a home directory has not been + deactivated cleanly when offline. This flag is useful to identify + home directories for which the offline discard logic did not run when + offlining, and where it would be a good idea to log in again to catch + up. + + * systemctl gained a new parameter --timestamp= which may be used to + change the style in which timestamps are output, i.e. whether to show + them in local timezone or UTC, or whether to show µs granularity. + + * Alibaba's "pouch" container manager is now detected by + systemd-detect-virt, ConditionVirtualization= and similar + constructs. Similar, they now also recognize IBM PowerVM machine + virtualization. + + * systemd-nspawn has been reworked to use the /run/host/incoming/ as + place to use for propagating external mounts into the + container. Similarly /run/host/notify is now used as the socket path + for container payloads to communicate with the container manager + using sd_notify(). The container manager now uses the + /run/host/inaccessible/ directory to place "inaccessible" file nodes + of all relevant types which may be used by the container payload as + bind mount source to over-mount inodes to make them inaccessible. + /run/host/container-manager will now be initialized with the same + string as the $container environment variable passed to the + container's PID 1. /run/host/container-uuid will be initialized with + the same string as $container_uuid. This means the /run/host/ + hierarchy is now the primary way to make host resources available to + the container. The Container Interface documents these new files and + directories: + + https://systemd.io/CONTAINER_INTERFACE + + * Support for the "ConditionNull=" unit file condition has been + deprecated and undocumented for 6 years. systemd started to warn + about its use 1.5 years ago. It has now been removed entirely. + + * sd-bus.h gained a new API call sd_bus_error_has_names(), which takes + a sd_bus_error struct and a list of error names, and checks if the + error matches one of these names. It's a convenience wrapper that is + useful in cases where multiple errors shall be handled the same way. + + * A new system call filter list "@known" has been added, that contains + all system calls known at the time systemd was built. + + * Behaviour of system call filter allow lists has changed slightly: + system calls that are contained in @known will result in a EPERM by + default, while those not contained in it result in ENOSYS. This + should improve compatibility because known system calls will thus be + communicated as prohibited, while unknown (and thus newer ones) will + be communicated as not implemented, which hopefully has the greatest + chance of triggering the right fallback code paths in client + applications. + + * "systemd-analyze syscall-filter" will now show two separate sections + at the bottom of the output: system calls known during systemd build + time but not included in any of the filter groups shown above, and + system calls defined on the local kernel but known during systemd + build time. + + * If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for + systemd-nspawn all system call filter violations will be logged by + the kernel (audit). This is useful for tracking down system calls + invoked by container payloads that are prohibited by the container's + system call filter policy. + + * If the $SYSTEMD_SECCOMP=0 environment variable is set for + systemd-nspawn (and other programs that use seccomp) all seccomp + filtering is turned off. + + * Two new unit file settings ProtectProc= and ProcSubset= have been + added that expose the hidepid= and subset= mount options of procfs. + All processes of the unit will only see processes in /proc that are + are owned by the unit's user. This is an important new sandboxing + option that is recommended to be set on all system services. All + long-running system services that are included in systemd itself set + this option now. This option is only supported on kernel 5.8 and + above, since the hidepid= option supported on older kernels was not a + per-mount option but actually applied to the whole PID namespace. + + * Socket units gained a new boolean setting FlushPending=. If enabled + all pending socket data/connections are flushed whenever the socket + unit enters the "listening" state, i.e. after the associated service + exited. + + * The unit file setting NUMAMask= gained a new "all" value: when used, + all existing NUMA nodes are added to the NUMA mask. + + * A new "credentials" logic has been added to system services. This is + a simple mechanism to pass privileged data to services in a safe and + secure way. It's supposed to be used to pass per-service secret data + such as passwords or cryptographic keys but also associated less + private information such as user names, certificates, and similar to + system services. Each credential is identified by a short user-chosen + name and may contain arbitrary binary data. Two new unit file + settings have been added: SetCredential= and LoadCredential=. The + former allows setting a credential to a literal string, the latter + sets a credential to the contents of a file (or data read from a + user-chosen AF_UNIX stream socket). Credentials are passed to the + service via a special credentials directory, one file for each + credential. The path to the credentials directory is passed in a new + $CREDENTIALS_DIRECTORY environment variable. Since the credentials + are passed in the file system they may be easily referenced in + ExecStart= command lines too, thus no explicit support for the + credentials logic in daemons is required (though ideally daemons + would look for the bits they need in $CREDENTIALS_DIRECTORY + themselves automatically, if set). The $CREDENTIALS_DIRECTORY is + backed by unswappable memory if privileges allow it, immutable if + privileges allow it, is accessible only to the service's UID, and is + automatically destroyed when the service stops. + + * systemd-nspawn supports the same credentials logic. It can both + consume credentials passed to it via the aforementioned + $CREDENTIALS_DIRECTORY protocol as well as pass these credentials on + to its payload. The service manager/PID 1 has been updated to match + this: it can also accept credentials from the container manager that + invokes it (in fact: any process that invokes it), and passes them on + to its services. Thus, credentials can be propagated recursively down + the tree: from a system's service manager to a systemd-nspawn + service, to the service manager that runs as container payload and to + the service it runs below. Credentials may also be added on the + systemd-nspawn command line, using new --set-credential= and + --load-credential= command line switches that match the + aforementioned service settings. + + * systemd-repart gained new settings Format=, Encrypt=, CopyFiles= in + the partition drop-ins which may be used to format/LUKS + encrypt/populate any created partitions. The partitions are + encrypted/formatted/populated before they are registered in the + partition table, so that they appear atomically: either the + partitions do not exist yet or they exist fully encrypted, formatted, + and populated — there is no time window where they are + "half-initialized". Thus the system is robust to abrupt shutdown: if + the tool is terminated half-way during its operations on next boot it + will start from the beginning. + + * systemd-repart's --size= operation gained a new "auto" value. If + specified, and operating on a loopback file it is automatically sized + to the minimal size the size constraints permit. This is useful to + use "systemd-repart" as an image builder for minimally sized images. + + * systemd-resolved now gained a third IPC interface for requesting name + resolution: besides D-Bus and local DNS to 127.0.0.53 a Varlink + interface is now supported. The nss-resolve NSS module has been + modified to use this new interface instead of D-Bus. Using Varlink + has a major benefit over D-Bus: it works without a broker service, + and thus already during earliest boot, before the dbus daemon has + been started. This means name resolution via systemd-resolved now + works at the same time systemd-networkd operates: from earliest boot + on, including in the initrd. + + * systemd-resolved gained support for a new DNSStubListenerExtra= + configuration file setting which may be used to specify additional IP + addresses the built-in DNS stub shall listen on, in addition to the + main one on 127.0.0.53:53. + + * Name lookups issued via systemd-resolved's D-Bus and Varlink + interfaces (and thus also via glibc NSS if nss-resolve is used) will + now honour a trailing dot in the hostname: if specified the search + path logic is turned off. Thus "resolvectl query foo." is now + equivalent to "resolvectl query --search=off foo.". + + * systemd-resolved gained a new D-Bus property "ResolvConfMode" that + exposes how /etc/resolv.conf is currently managed: by resolved (and + in which mode if so) or another subsystem. "resolvctl" will display + this property in its status output. + + * The resolv.conf snippets systemd-resolved provides will now set "." + as the search domain if no other search domain is known. This turns + off the derivation of an implicit search domain by nss-dns for the + hostname, when the hostname is set to an FQDN. This change is done to + make nss-dns using resolv.conf provided by systemd-resolved behave + more similarly to nss-resolve. + + * systemd-tmpfiles' file "aging" logic (i.e. the automatic clean-up of + /tmp/ and /var/tmp/ based on file timestamps) now looks at the + "birth" time (btime) of a file in addition to the atime, mtime, and + ctime. + + * systemd-analyze gained a new verb "capability" that lists all known + capabilities by the systemd build and by the kernel. + + * If a file /usr/lib/clock-epoch exists, PID 1 will read its mtime and + advance the system clock to it at boot if it is noticed to be before + that time. Previously, PID 1 would only advance the time to an epoch + time that is set during build-time. With this new file OS builders + can change this epoch timestamp on individual OS images without + having to rebuild systemd. + + * systemd-logind will now listen to the KEY_RESTART key from the Linux + input layer and reboot the system if it is pressed, similarly to how + it already handles KEY_POWER, KEY_SUSPEND or KEY_SLEEP. KEY_RESTART + was originally defined in the Multimedia context (to restart playback + of a song or film), but is now primarily used in various embedded + devices for "Reboot" buttons. Accordingly, systemd-logind will now + honour it as such. This may configured in more detail via the new + HandleRebootKey= and RebootKeyIgnoreInhibited=. + + * systemd-nspawn/systemd-machined will now reconstruct hardlinks when + copying OS trees, for example in "systemd-nspawn --ephemeral", + "systemd-nspawn --template=", "machinectl clone" and similar. This is + useful when operating with OSTree images, which use hardlinks heavily + throughout, and where such copies previously resulting in "exploding" + hardlinks. + + * systemd-nspawn's --console= setting gained support for a new + "autopipe" value, which is identical to "interactive" when invoked on + a TTY, and "pipe" otherwise. + + * systemd-networkd's .network files gained support for explicitly + configuring the multicast membership entries of bridge devices in the + [BridgeMDB] section. It also gained support for the PIE queuing + discipline in the [FlowQueuePIE] sections. + + * systemd-networkd's .netdev files may now be used to create "BareUDP" + tunnels, configured in the new [BareUDP] setting. + + * systemd-networkd's Gateway= setting in .network files now accepts the + special values "_dhcp4" and "_ipv6ra" to configure additional, + locally defined, explicit routes to the gateway acquired via DHCP or + IPv6 Router Advertisements. The old setting "_dhcp" is deprecated, + but still accepted for backwards compatibility. + + * systemd-networkd's [IPv6PrefixDelegation] section and + IPv6PrefixDelegation= options have been renamed as [IPv6SendRA] and + IPv6SendRA= (the old names are still accepted for backwards + compatibility). + + * systemd-networkd's .network files gained the DHCPv6PrefixDelegation= + boolean setting in [Network] section. If enabled, the delegated prefix + gained by another link will be configured, and an address within the + prefix will be assigned. + + * systemd-networkd's .network files gained the Announce= boolean setting + in [DHCPv6PrefixDelegation] section. When enabled, the delegated + prefix will be announced through IPv6 router advertisement (IPv6 RA). + The setting is enabled by default. + + * VXLAN tunnels may now be marked as independent of any underlying + network interface via the new Independent= boolean setting. + + * systemctl gained support for two new verbs: "service-log-level" and + "service-log-target" may be used on services that implement the + generic org.freedesktop.LogControl1 D-Bus interface to dynamically + adjust the log level and target. All of systemd's long-running + services support this now, but ideally all system services would + implement this interface to make the system more uniformly + debuggable. + + * The SystemCallErrorNumber= unit file setting now accepts the new + "kill" and "log" actions, in addition to arbitrary error number + specifications as before. If "kill" the processes are killed on the + event, if "log" the offending system call is audit logged. + + * A new SystemCallLog= unit file setting has been added that accepts a + list of system calls that shall be logged about (audit). + + * The OS image dissection logic (as used by RootImage= in unit files or + systemd-nspawn's --image= switch) has gained support for identifying + and mounting explicit /usr/ partitions, which are now defined in the + discoverable partition specification. This should be useful for + environments where the root file system is + generated/formatted/populated dynamically on first boot and combined + with an immutable /usr/ tree that is supplied by the vendor. + + * In the final phase of shutdown, within the systemd-shutdown binary + we'll now try to detach MD devices (i.e software RAID) in addition to + loopback block devices and DM devices as before. This is supposed to + be a safety net only, in order to increase robustness if things go + wrong. Storage subsystems are expected to properly detach their + storage volumes during regular shutdown already (or in case of + storage backing the root file system: in the initrd hook we return to + later). + + * If the SYSTEMD_LOG_TID environment variable is set all systemd tools + will now log the thread ID in their log output. This is useful when + working with heavily threaded programs. + + * If the SYSTEMD_RDRAND environment variable is set to "0", systemd will + not use the RDRAND CPU instruction. This is useful in environments + such as replay debuggers where non-deterministic behaviour is not + desirable. + + * The autopaging logic in systemd's various tools (such as systemctl) + has been updated to turn on "secure" mode in "less" + (i.e. $LESSECURE=1) if execution in a "sudo" environment is + detected. This disables invoking external programs from the pager, + via the pipe logic. This behaviour may be overridden via the new + $SYSTEMD_PAGERSECURE environment variable. + + * Units which have resource limits (.service, .mount, .swap, .slice, + .socket, and .slice) gained new configuration settings + ManagedOOMSwap=, ManagedOOMMemoryPressure=, and + ManagedOOMMemoryPressureLimitPercent= that specify resource pressure + limits and optional action taken by systemd-oomd. + + * A new service systemd-oomd has been added. It monitors resource + contention for selected parts of the unit hierarchy using the PSI + information reported by the kernel, and kills processes when memory + or swap pressure is above configured limits. This service is only + enabled by default in developer mode (see below) and should be + considered a preview in this release. Behaviour details and option + names are subject to change without the usual backwards-compatibility + promises. + + * A new helper oomctl has been added to introspect systemd-oomd state. + It is only enabled by default in developer mode and should be + considered a preview without the usual backwards-compatibility + promises. + + * New meson option -Dcompat-mutable-uid-boundaries= has been added. If + enabled, systemd reads the system UID boundaries from /etc/login.defs + at runtime, instead of using the built-in values selected during + build. This is an option to improve compatibility for upgrades from + old systems. It's strongly recommended not to make use of this + functionality on new systems (or even enable it during build), as it + makes something runtime-configurable that is mostly an implementation + detail of the OS, and permits avoidable differences in deployments + that create all kinds of problems in the long run. + + * New meson option '-Dmode=developer|release' has been added. When + 'developer', additional checks and features are enabled that are + relevant during upstream development, e.g. verification that + semi-automatically-generated documentation has been properly updated + following API changes. Those checks are considered hints for + developers and are not actionable in downstream builds. In addition, + extra features that are not ready for general consumption may be + enabled in developer mode. It is thus recommended to set + '-Dmode=release' in end-user and distro builds. + + * systemd-cryptsetup gained support for processing detached LUKS + headers specified on the kernel command line via the header= + parameter of the luks.options= kernel command line option. The same + device/path syntax as for key files is supported for header files + like this. + + * The "net_id" built-in of udev has been updated to ignore ACPI _SUN + slot index data for devices that are connected through a PCI bridge + where the _SUN index is associated with the bridge instead of the + network device itself. Previously this would create ambiguous device + naming if multiple network interfaces were connected to the same PCI + bridge. Since this is a naming scheme incompatibility on systems that + possess hardware like this it has been introduced as new naming + scheme "v247". The previous scheme can be selected via the + "net.naming-scheme=v245" kernel command line parameter. + + * ConditionFirstBoot= semantics have been modified to be safe towards + abnormal system power-off during first boot. Specifically, the + "systemd-machine-id-commit.service" service now acts as boot + milestone indicating when the first boot process is sufficiently + complete in order to not consider the next following boot also a + first boot. If the system is reset before this unit is reached the + first time, the next boot will still be considered a first boot; once + it has been reached, no further boots will be considered a first + boot. The "first-boot-complete.target" unit now acts as official hook + point to order against this. If a service shall be run on every boot + until the first boot fully succeeds it may thus be ordered before + this target unit (and pull it in) and carry ConditionFirstBoot= + appropriately. + + * bootctl's set-default and set-oneshot commands now accept the three + special strings "@default", "@oneshot", "@current" in place of a boot + entry id. These strings are resolved to the current default and + oneshot boot loader entry, as well as the currently booted one. Thus + a command "bootctl set-default @current" may be used to make the + currently boot menu item the new default for all subsequent boots. + + * "systemctl edit" has been updated to show the original effective unit + contents in commented form in the text editor. + + * Units in user mode are now segregated into three new slices: + session.slice (units that form the core of graphical session), + app.slice ("normal" user applications), and background.slice + (low-priority tasks). Unless otherwise configured, user units are + placed in app.slice. The plan is to add resource limits and + protections for the different slices in the future. + + * New GPT partition types for RISCV32/64 for the root and /usr + partitions, and their associated Verity partitions have been defined, + and are now understood by systemd-gpt-auto-generator, and the OS + image dissection logic. + + Contributions from: Adolfo Jayme Barrientos, afg, Alec Moskvin, Alyssa + Ross, Amitanand Chikorde, Andrew Hangsleben, Anita Zhang, Ansgar + Burchardt, Arian van Putten, Aurelien Jarno, Axel Rasmussen, bauen1, + Beniamino Galvani, Benjamin Berg, Bjørn Mork, brainrom, Chandradeep + Dey, Charles Lee, Chris Down, Christian Göttsche, Christof Efkemann, + Christoph Ruegge, Clemens Gruber, Daan De Meyer, Daniele Medri, Daniel + Mack, Daniel Rusek, Dan Streetman, David Tardon, Dimitri John Ledkov, + Dmitry Borodaenko, Elias Probst, Elisei Roca, ErrantSpore, Etienne + Doms, Fabrice Fontaine, fangxiuning, Felix Riemann, Florian Klink, + Franck Bui, Frantisek Sumsal, fwSmit, George Rawlinson, germanztz, + Gibeom Gwon, Glen Whitney, Gogo Gogsi, Göran Uddeborg, Grant Mathews, + Hans de Goede, Hans Ulrich Niedermann, Haochen Tong, Harald Seiler, + huangyong, Hubert Kario, igo95862, Ikey Doherty, Insun Pyo, Jan Chren, + Jan Schlüter, Jérémy Nouhaud, Jian-Hong Pan, Joerg Behrmann, Jonathan + Lebon, Jörg Thalheim, Josh Brobst, Juergen Hoetzel, Julien Humbert, + Kai-Chuan Hsieh, Kairui Song, Kamil Dudka, Kir Kolyshkin, Kristijan + Gjoshev, Kyle Huey, Kyle Russell, Lee Whalen, Lennart Poettering, + lichangze, Luca Boccassi, Lucas Werkmeister, Luca Weiss, Marc + Kleine-Budde, Marco Wang, Martin Wilck, Marti Raudsepp, masmullin2000, + Máté Pozsgay, Matt Fenwick, Michael Biebl, Michael Scherer, Michal + Koutný, Michal Sekletár, Michal Suchanek, Mikael Szreder, Milo + Casagrande, mirabilos, Mitsuha_QuQ, mog422, Muhammet Kara, Nazar + Vinnichuk, Nicholas Narsing, Nicolas Fella, Njibhu, nl6720, Oğuz Ersen, + Olivier Le Moal, Ondrej Kozina, onlybugreports, Pass Automated Testing + Suite, Pat Coulthard, Pavel Sapezhko, Pedro Ruiz, perry_yuan, Peter + Hutterer, Phaedrus Leeds, PhoenixDiscord, Piotr Drąg, Plan C, + Purushottam choudhary, Rasmus Villemoes, Renaud Métrich, Robert Marko, + Roman Beranek, Ronan Pigott, Roy Chen (陳彥廷), RussianNeuroMancer, + Samanta Navarro, Samuel BF, scootergrisen, Sorin Ionescu, Steve Dodd, + Susant Sahani, Timo Rothenpieler, Tobias Hunger, Tobias Kaufmann, Topi + Miettinen, vanou, Vito Caputo, Weblate, Wen Yang, Whired Planck, + williamvds, Yu, Li-Yu, Yuri Chornoivan, Yu Watanabe, Zbigniew + Jędrzejewski-Szmek, Zmicer Turok, Дамјан Георгиевски + + – Warsaw, 2020-11-26 + +CHANGES WITH 246: + + * The service manager gained basic support for cgroup v2 freezer. Units + can now be suspended or resumed either using new systemctl verbs, + freeze and thaw respectively, or via D-Bus. + + * PID 1 may now automatically load pre-compiled AppArmor policies from + /etc/apparmor/earlypolicy during early boot. + + * The CPUAffinity= setting in service unit files now supports a new + special value "numa" that causes the CPU affinity masked to be set + based on the NUMA mask. + + * systemd will now log about all left-over processes remaining in a + unit when the unit is stopped. It will now warn about services using + KillMode=none, as this is generally an unsafe thing to make use of. + + * Two new unit file settings + ConditionPathIsEncrypted=/AssertPathIsEncrypted= have been + added. They may be used to check whether a specific file system path + resides on a block device that is encrypted on the block level + (i.e. using dm-crypt/LUKS). + + * Another pair of new settings ConditionEnvironment=/AssertEnvironment= + has been added that may be used for simple environment checks. This + is particularly useful when passing in environment variables from a + container manager (or from PAM in case of the systemd --user + instance). + + * .service unit files now accept a new setting CoredumpFilter= which + allows configuration of the memory sections coredumps of the + service's processes shall include. + + * .mount units gained a new ReadWriteOnly= boolean option. If set + it will not be attempted to mount a file system read-only if mounting + in read-write mode doesn't succeed. An option x-systemd.rw-only is + available in /etc/fstab to control the same. + + * .socket units gained a new boolean setting PassPacketInfo=. If + enabled, the kernel will attach additional per-packet metadata to all + packets read from the socket, as an ancillary message. This controls + the IP_PKTINFO, IPV6_RECVPKTINFO, NETLINK_PKTINFO socket options, + depending on socket type. + + * .service units gained a new setting RootHash= which may be used to + specify the root hash for verity enabled disk images which are + specified in RootImage=. RootVerity= may be used to specify a path to + the Verity data matching a RootImage= file system. (The latter is + only useful for images that do not contain the Verity data embedded + into the same image that carries a GPT partition table following the + Discoverable Partition Specification). Similarly, systemd-nspawn + gained a new switch --verity-data= that takes a path to a file with + the verity data of the disk image supplied in --image=, if the image + doesn't contain the verity data itself. + + * .service units gained a new setting RootHashSignature= which takes + either a base64 encoded PKCS#7 signature of the root hash specified + with RootHash=, or a path to a file to read the signature from. This + allows validation of the root hash against public keys available in + the kernel keyring, and is only supported on recent kernels + (>= 5.4)/libcryptsetup (>= 2.30). A similar switch has been added to + systemd-nspawn and systemd-dissect (--root-hash-sig=). Support for + this mechanism has also been added to systemd-veritysetup. + + * .service unit files gained two new options + TimeoutStartFailureMode=/TimeoutStopFailureMode= that may be used to + tune behaviour if a start or stop timeout is hit, i.e. whether to + terminate the service with SIGTERM, SIGABRT or SIGKILL. + + * Most options in systemd that accept hexadecimal values prefixed with + 0x in additional to the usual decimal notation now also support octal + notation when the 0o prefix is used and binary notation if the 0b + prefix is used. + + * Various command line parameters and configuration file settings that + configure key or certificate files now optionally take paths to + AF_UNIX sockets in the file system. If configured that way a stream + connection is made to the socket and the required data read from + it. This is a simple and natural extension to the existing regular + file logic, and permits other software to provide keys or + certificates via simple IPC services, for example when unencrypted + storage on disk is not desired. Specifically, systemd-networkd's + Wireguard and MACSEC key file settings as well as + systemd-journal-gatewayd's and systemd-journal-remote's PEM + key/certificate parameters support this now. + + * Unit files, tmpfiles.d/ snippets, sysusers.d/ snippets and other + configuration files that support specifier expansion learnt six new + specifiers: %a resolves to the current architecture, %o/%w/%B/%W + resolve to the various ID fields from /etc/os-release, %l resolves to + the "short" hostname of the system, i.e. the hostname configured in + the kernel truncated at the first dot. + + * Support for the .include syntax in unit files has been removed. The + concept has been obsolete for 6 years and we started warning about + its pending removal 2 years ago (also see NEWS file below). It's + finally gone now. + + * StandardError= and StandardOutput= in unit files no longer support + the "syslog" and "syslog-console" switches. They were long removed + from the documentation, but will now result in warnings when used, + and be converted to "journal" and "journal+console" automatically. + + * If the service setting User= is set to the "nobody" user, a warning + message is now written to the logs (but the value is nonetheless + accepted). Setting User=nobody is unsafe, since the primary purpose + of the "nobody" user is to own all files whose owner cannot be mapped + locally. It's in particular used by the NFS subsystem and in user + namespacing. By running a service under this user's UID it might get + read and even write access to all these otherwise unmappable files, + which is quite likely a major security problem. + + * tmpfs mounts automatically created by systemd (/tmp, /run, /dev/shm, + and others) now have a size and inode limits applied (50% of RAM for + /tmp and /dev/shm, 10% of RAM for other mounts, etc.). Please note + that the implicit kernel default is 50% too, so there is no change + in the size limit for /tmp and /dev/shm. + + * nss-mymachines lost support for resolution of users and groups, and + now only does resolution of hostnames. This functionality is now + provided by nss-systemd. Thus, the 'mymachines' entry should be + removed from the 'passwd:' and 'group:' lines in /etc/nsswitch.conf + (and 'systemd' added if it is not already there). + + * A new kernel command line option systemd.hostname= has been added + that allows controlling the hostname that is initialized early during + boot. + + * A kernel command line option "udev.blockdev_read_only" has been + added. If specified all hardware block devices that show up are + immediately marked as read-only by udev. This option is useful for + making sure that a specific boot under no circumstances modifies data + on disk. Use "blockdev --setrw" to undo the effect of this, per + device. + + * A new boolean kernel command line option systemd.swap= has been + added, which may be used to turn off automatic activation of swap + devices listed in /etc/fstab. + + * New kernel command line options systemd.condition-needs-update= and + systemd.condition-first-boot= have been added, which override the + result of the ConditionNeedsUpdate= and ConditionFirstBoot= + conditions. + + * A new kernel command line option systemd.clock-usec= has been added + that allows setting the system clock to the specified time in µs + since Jan 1st, 1970 early during boot. This is in particular useful + in order to make test cases more reliable. + + * The fs.suid_dumpable sysctl is set to 2 / "suidsafe". This allows + systemd-coredump to save core files for suid processes. When saving + the core file, systemd-coredump will use the effective uid and gid of + the process that faulted. + + * The /sys/module/kernel/parameters/crash_kexec_post_notifiers file is + now automatically set to "Y" at boot, in order to enable pstore + generation for collection with systemd-pstore. + + * We provide a set of udev rules to enable auto-suspend on PCI and USB + devices that were tested to correctly support it. Previously, this + was distributed as a set of udev rules, but has now been replaced by + by a set of hwdb entries (and a much shorter udev rule to take action + if the device modalias matches one of the new hwdb entries). + + As before, entries are periodically imported from the database + maintained by the ChromiumOS project. If you have a device that + supports auto-suspend correctly and where it should be enabled by + default, please submit a patch that adds it to the database (see + /usr/lib/udev/hwdb.d/60-autosuspend.hwdb). + + * systemd-udevd gained the new configuration option timeout_signal= as well + as a corresponding kernel command line option udev.timeout_signal=. + The option can be used to configure the UNIX signal that the main + daemon sends to the worker processes on timeout. Setting the signal + to SIGABRT is useful for debugging. + + * .link files managed by systemd-udevd gained options RxFlowControl=, + TxFlowControl=, AutoNegotiationFlowControl= in the [Link] section, in + order to configure various flow control parameters. They also gained + RxMiniBufferSize= and RxJumboBufferSize= in order to configure jumbo + frame ring buffer sizes. + + * networkd.conf gained a new boolean setting ManageForeignRoutes=. If + enabled systemd-networkd manages all routes configured by other tools. + + * .network files managed by systemd-networkd gained a new section + [SR-IOV], in order to configure SR-IOV capable network devices. + + * systemd-networkd's [IPv6Prefix] section in .network files gained a + new boolean setting Assign=. If enabled an address from the prefix is + automatically assigned to the interface. + + * systemd-networkd gained a new section [DHCPv6PrefixDelegation] which + controls delegated prefixes assigned by DHCPv6 client. The section + has three settings: SubnetID=, Assign=, and Token=. The setting + SubnetID= allows explicit configuration of the preferred subnet that + systemd-networkd's Prefix Delegation logic assigns to interfaces. If + Assign= is enabled (which is the default) an address from any acquired + delegated prefix is automatically chosen and assigned to the + interface. The setting Token= specifies an optional address generation + mode for Assign=. + + * systemd-networkd's [Network] section gained a new setting + IPv4AcceptLocal=. If enabled the interface accepts packets with local + source addresses. + + * systemd-networkd gained support for configuring the HTB queuing + discipline in the [HierarchyTokenBucket] and + [HierarchyTokenBucketClass] sections. Similar the "pfifo" qdisc may + be configured in the [PFIFO] section, "GRED" in + [GenericRandomEarlyDetection], "SFB" in [StochasticFairBlue], "cake" + in [CAKE], "PIE" in [PIE], "DRR" in [DeficitRoundRobinScheduler] and + [DeficitRoundRobinSchedulerClass], "BFIFO" in [BFIFO], + "PFIFOHeadDrop" in [PFIFOHeadDrop], "PFIFOFast" in [PFIFOFast], "HHF" + in [HeavyHitterFilter], "ETS" in [EnhancedTransmissionSelection] and + "QFQ" in [QuickFairQueueing] and [QuickFairQueueingClass]. + + * systemd-networkd gained support for a new Termination= setting in the + [CAN] section for configuring the termination resistor. It also + gained a new ListenOnly= setting for controlling whether to only + listen on CAN interfaces, without interfering with traffic otherwise + (which is useful for debugging/monitoring CAN network + traffic). DataBitRate=, DataSamplePoint=, FDMode=, FDNonISO= have + been added to configure various CAN-FD aspects. + + * systemd-networkd's [DHCPv6] section gained a new option WithoutRA=. + When enabled, DHCPv6 will be attempted right-away without requiring an + Router Advertisement packet suggesting it first (i.e. without the 'M' + or 'O' flags set). The [IPv6AcceptRA] section gained a boolean option + DHCPv6Client= that may be used to turn off the DHCPv6 client even if + the RA packets suggest it. + + * systemd-networkd's [DHCPv4] section gained a new setting UseGateway= + which may be used to turn off use of the gateway information provided + by the DHCP lease. A new FallbackLeaseLifetimeSec= setting may be + used to configure how to process leases that lack a lifetime option. + + * systemd-networkd's [DHCPv4] and [DHCPServer] sections gained a new + setting SendVendorOption= allowing configuration of additional vendor + options to send in the DHCP requests/responses. The [DHCPv6] section + gained a new SendOption= setting for sending arbitrary DHCP + options. RequestOptions= has been added to request arbitrary options + from the server. UserClass= has been added to set the DHCP user class + field. + + * systemd-networkd's [DHCPServer] section gained a new set of options + EmitPOP3=/POP3=, EmitSMTP=/SMTP=, EmitLPR=/LPR= for including server + information about these three protocols in the DHCP lease. It also + gained support for including "MUD" URLs ("Manufacturer Usage + Description"). Support for "MUD" URLs was also added to the LLDP + stack, configurable in the [LLDP] section in .network files. + + * The Mode= settings in [MACVLAN] and [MACVTAP] now support 'source' + mode. Also, the sections now support a new setting SourceMACAddress=. + + * systemd-networkd's .netdev files now support a new setting + VLANProtocol= in the [Bridge] section that allows configuration of + the VLAN protocol to use. + + * systemd-networkd supports a new Group= setting in the [Link] section + of the .network files, to control the link group. + + * systemd-networkd's [Network] section gained a new + IPv6LinkLocalAddressGenerationMode= setting, which specifies how IPv6 + link local address is generated. + + * A new default .network file is now shipped that matches TUN/TAP + devices that begin with "vt-" in their name. Such interfaces will + have IP routing onto the host links set up automatically. This is + supposed to be used by VM managers to trivially acquire a network + interface which is fully set up for host communication, simply by + carefully picking an interface name to use. + + * systemd-networkd's [DHCPv6] section gained a new setting RouteMetric= + which sets the route priority for routes specified by the DHCP server. + + * systemd-networkd's [DHCPv6] section gained a new setting VendorClass= + which configures the vendor class information sent to DHCP server. + + * The BlackList= settings in .network files' [DHCPv4] and + [IPv6AcceptRA] sections have been renamed DenyList=. The old names + are still understood to provide compatibility. + + * networkctl gained the new "forcerenew" command for forcing all DHCP + server clients to renew their lease. The interface "status" output + will now show numerous additional fields of information about an + interface. There are new "up" and "down" commands to bring specific + interfaces up or down. + + * systemd-resolved's DNS= configuration option now optionally accepts a + port number (after ":") and a host name (after "#"). When the host + name is specified, the DNS-over-TLS certificate is validated to match + the specified hostname. Additionally, in case of IPv6 addresses, an + interface may be specified (after "%"). + + * systemd-resolved may be configured to forward single-label DNS names. + This is not standard-conformant, but may make sense in setups where + public DNS servers are not used. + + * systemd-resolved's DNS-over-TLS support gained SNI validation. + + * systemd-nspawn's --resolv-conf= switch gained a number of new + supported values. Specifically, options starting with "replace-" are + like those prefixed "copy-" but replace any existing resolv.conf + file. And options ending in "-uplink" and "-stub" can now be used to + propagate other flavours of resolv.conf into the container (as + defined by systemd-resolved). + + * The various programs included in systemd can now optionally output + their log messages on stderr prefixed with a timestamp, controlled by + the $SYSTEMD_LOG_TIME environment variable. + + * systemctl gained a new "-P" switch that is a shortcut for "--value + --property=…". + + * "systemctl list-units" and "systemctl list-machines" no longer hide + their first output column with --no-legend. To hide the first column, + use --plain. + + * "systemctl reboot" takes the option "--reboot-argument=". + The optional positional argument to "systemctl reboot" is now + being deprecated in favor of this option. + + * systemd-run gained a new switch --slice-inherit. If specified the + unit it generates is placed in the same slice as the systemd-run + process itself. + + * systemd-journald gained support for zstd compression of large fields + in journal files. The hash tables in journal files have been hardened + against hash collisions. This is an incompatible change and means + that journal files created with new systemd versions are not readable + with old versions. If the $SYSTEMD_JOURNAL_KEYED_HASH boolean + environment variable for systemd-journald.service is set to 0 this + new hardening functionality may be turned off, so that generated + journal files remain compatible with older journalctl + implementations. + + * journalctl will now include a clickable link in the default output for + each log message for which an URL with further documentation is + known. This is only supported on terminal emulators that support + clickable hyperlinks, and is turned off if a pager is used (since + "less" still doesn't support hyperlinks, + unfortunately). Documentation URLs may be included in log messages + either by including a DOCUMENTATION= journal field in it, or by + associating a journal message catalog entry with the log message's + MESSAGE_ID, which then carries a "Documentation:" tag. + + * journald.conf gained a new boolean setting Audit= that may be used to + control whether systemd-journald will enable audit during + initialization. + + * when systemd-journald's log stream is broken up into multiple lines + because the PID of the sender changed this is indicated in the + generated log records via the _LINE_BREAK=pid-change field. + + * journalctl's "-o cat" output mode will now show one or more journal + fields specified with --output-fields= instead of unconditionally + MESSAGE=. This is useful to retrieve a very specific set of fields + without any decoration. + + * The sd-journal.h API gained two new functions: + sd_journal_enumerate_available_unique() and + sd_journal_enumerate_available_data() that operate like their + counterparts that lack the _available_ in the name, but skip items + that cannot be read and processed by the local implementation + (i.e. are compressed in an unsupported format or such), + + * coredumpctl gained a new --file= switch, matching the same one in + journalctl: a specific journal file may be specified to read the + coredump data from. + + * coredumps collected by systemd-coredump may now be compressed using + the zstd algorithm. + + * systemd-binfmt gained a new switch --unregister for unregistering all + registered entries at once. This is now invoked automatically at + shutdown, so that binary formats registered with the "F" flag will + not block clean file system unmounting. + + * systemd-notify's --pid= switch gained new values: "parent", "self", + "auto" for controlling which PID to send to the service manager: the + systemd-notify process' PID, or the one of the process invoking it. + + * systemd-logind's Session bus object learnt a new method call + SetType() for temporarily updating the session type of an already + allocated session. This is useful for upgrading tty sessions to + graphical ones once a compositor is invoked. + + * systemd-socket-proxy gained a new switch --exit-idle-time= for + configuring an exit-on-idle time. + + * systemd-repart's --empty= setting gained a new value "create". If + specified a new empty regular disk image file is created under the + specified name. Its size may be specified with the new --size= + option. The latter is also supported without the "create" mode, in + order to grow existing disk image files to the specified size. These + two new options are useful when creating or manipulating disk images + instead of operating on actual block devices. + + * systemd-repart drop-ins now support a new UUID= setting to control + the UUID to assign to a newly created partition. + + * systemd-repart's SizeMin= per-partition parameter now defaults to 10M + instead of 0. + + * systemd-repart's Label= setting now support the usual, simple + specifier expansion. + + * systemd-homed's LUKS backend gained the ability to discard empty file + system blocks automatically when the user logs out. This is enabled + by default to ensure that home directories take minimal space when + logged out but get full size guarantees when logged in. This may be + controlled with the new --luks-offline-discard= switch to homectl. + + * If systemd-homed detects that /home/ is encrypted as a whole it will + now default to the directory or subvolume backends instead of the + LUKS backend, in order to avoid double encryption. The default + storage and file system may now be configured explicitly, too, via + the new /etc/systemd/homed.conf configuration file. + + * systemd-homed now supports unlocking home directories with FIDO2 + security tokens that support the 'hmac-secret' extension, in addition + to the existing support for PKCS#11 security token unlocking + support. Note that many recent hardware security tokens support both + interfaces. The FIDO2 support is accessible via homectl's + --fido2-device= option. + + * homectl's --pkcs11-uri= setting now accepts two special parameters: + if "auto" is specified and only one suitable PKCS#11 security token + is plugged in, its URL is automatically determined and enrolled for + unlocking the home directory. If "list" is specified a brief table of + suitable PKCS#11 security tokens is shown. Similar, the new + --fido2-device= option also supports these two special values, for + automatically selecting and listing suitable FIDO2 devices. + + * The /etc/crypttab tmp option now optionally takes an argument + selecting the file system to use. Moreover, the default is now + changed from ext2 to ext4. + + * There's a new /etc/crypttab option "keyfile-erase". If specified the + key file listed in the same line is removed after use, regardless if + volume activation was successful or not. This is useful if the key + file is only acquired transiently at runtime and shall be erased + before the system continues to boot. + + * There's also a new /etc/crypttab option "try-empty-password". If + specified, before asking the user for a password it is attempted to + unlock the volume with an empty password. This is useful for + installing encrypted images whose password shall be set on first boot + instead of at installation time. + + * systemd-cryptsetup will now attempt to load the keys to unlock + volumes with automatically from files in + /etc/cryptsetup-keys.d/<volume>.key and + /run/cryptsetup-keys.d/<volume>.key, if any of these files exist. + + * systemd-cryptsetup may now activate Microsoft BitLocker volumes via + /etc/crypttab, during boot. + + * logind.conf gained a new RuntimeDirectoryInodesMax= setting to + control the inode limit for the per-user $XDG_RUNTIME_DIR tmpfs + instance. + + * A new generator systemd-xdg-autostart-generator has been added. It + generates systemd unit files from XDG autostart .desktop files, and + may be used to let the systemd user instance manage services that are + started automatically as part of the desktop session. + + * "bootctl" gained a new verb "reboot-to-firmware" that may be used + to query and change the firmware's 'reboot into firmware' setup flag. + + * systemd-firstboot gained a new switch --kernel-command-line= that may + be used to initialize the /etc/kernel/cmdline file of the image. It + also gained a new switch --root-password-hashed= which is like + --root-password= but accepts a pre-hashed UNIX password as + argument. The new option --delete-root-password may be used to unset + any password for the root user (dangerous!). The --root-shell= switch + may be used to control the shell to use for the root account. A new + --force option may be used to override any already set settings with + the parameters specified on the command line (by default, the tool + will not override what has already been set before, i.e. is purely + incremental). + + * systemd-firstboot gained support for a new --image= switch, which is + similar to --root= but accepts the path to a disk image file, on + which it then operates. + + * A new sd-path.h API has been added to libsystemd. It provides a + simple API for retrieving various search paths and primary + directories for various resources. + + * A new call sd_notify_barrier() has been added to the sd-daemon.h + API. The call will block until all previously sent sd_notify() + messages have been processed by the service manager. This is useful + to remove races caused by a process already having disappeared at the + time a notification message is processed by the service manager, + making correct attribution impossible. The systemd-notify tool will + now make use of this call implicitly, but this can be turned off again + via the new --no-block switch. + + * When sending a file descriptor (fd) to the service manager to keep + track of, using the sd_notify() mechanism, a new parameter FDPOLL=0 + may be specified. If passed the service manager will refrain from + poll()ing on the file descriptor. Traditionally (and when the + parameter is not specified), the service manager will poll it for + POLLHUP or POLLERR events, and immediately close the fds in that + case. + + * The service manager (PID1) gained a new D-Bus method call + SetShowStatus() which may be used to control whether it shall show + boot-time status output on the console. This method has a similar + effect to sending SIGRTMIN+20/SIGRTMIN+21 to PID 1. + + * The sd-bus API gained a number of convenience functions that take + va_list arguments rather than "...". For example, there's now + sd_bus_call_methodv() to match sd_bus_call_method(). Those calls make + it easier to build wrappers that accept variadic arguments and want + to pass a ready va_list structure to sd-bus. + + * sd-bus vtable entries can have a new SD_BUS_VTABLE_ABSOLUTE_OFFSET + flag which alters how the userdata pointer to pass to the callbacks + is determined. When the flag is set, the offset field is converted + as-is into a pointer, without adding it to the object pointer the + vtable is associated with. + + * sd-bus now exposes four new functions: + sd_bus_interface_name_is_valid() + sd_bus_service_name_is_valid() + + sd_bus_member_name_is_valid() + sd_bus_object_path_is_valid() will + validate strings to check if they qualify as various D-Bus concepts. + + * The sd-bus API gained the SD_BUS_METHOD_WITH_ARGS(), + SD_BUS_METHOD_WITH_ARGS_OFFSET() and SD_BUS_SIGNAL_WITH_ARGS() macros + that simplify adding argument names to D-Bus methods and signals. + + * The man pages for the sd-bus and sd-hwdb APIs have been completed. + + * Various D-Bus APIs of systemd daemons now have man pages that + document the methods, signals and properties. + + * The expectations on user/group name syntax are now documented in + detail; documentation on how classic home directories may be + converted into home directories managed by homed has been added; + documentation regarding integration of homed/userdb functionality in + desktops has been added: + + https://systemd.io/USER_NAMES + https://systemd.io/CONVERTING_TO_HOMED + https://systemd.io/USERDB_AND_DESKTOPS + + * Documentation for the on-disk Journal file format has been updated + and has now moved to: + + https://systemd.io/JOURNAL_FILE_FORMAT + + * The interface for containers (https://systemd.io/CONTAINER_INTERFACE) + has been extended by a set of environment variables that expose + select fields from the host's os-release file to the container + payload. Similarly, host's os-release files can be mounted into the + container underneath /run/host. Together, those mechanisms provide a + standardized way to expose information about the host to the + container payload. Both interfaces are implemented in systemd-nspawn. + + * All D-Bus services shipped in systemd now implement the generic + LogControl1 D-Bus API which allows clients to change log level + + target of the service during runtime. + + * Only relevant for developers: the mkosi.default symlink has been + dropped from version control. Please create a symlink to one of the + distribution-specific defaults in .mkosi/ based on your preference. + + Contributions from: 24bisquitz, Adam Nielsen, Alan Perry, Alexander + Malafeev, Amitanand.Chikorde, Alin Popa, Alvin Šipraga, Amos Bird, + Andreas Rammhold, AndreRH, Andrew Doran, Anita Zhang, Ankit Jain, + antznin, Arnaud Ferraris, Arthur Moraes do Lago, Arusekk, Balaji + Punnuru, Balint Reczey, Bastien Nocera, bemarek, Benjamin Berg, + Benjamin Dahlhoff, Benjamin Robin, Chris Down, Chris Kerr, Christian + Göttsche, Christian Hesse, Christian Oder, Ciprian Hacman, Clinton Roy, + codicodi, Corey Hinshaw, Daan De Meyer, Dana Olson, Dan Callaghan, + Daniel Fullmer, Daniel Rusek, Dan Streetman, Dave Reisner, David + Edmundson, David Wood, Denis Pronin, Diego Escalante Urrelo, Dimitri + John Ledkov, dolphrundgren, duguxy, Einsler Lee, Elisei Roca, Emmanuel + Garette, Eric Anderson, Eric DeVolder, Evgeny Vereshchagin, + ExtinctFire, fangxiuning, Ferran Pallarès Roca, Filipe Brandenburger, + Filippo Falezza, Finn, Florian Klink, Florian Mayer, Franck Bui, + Frantisek Sumsal, gaurav, Georg Müller, Gergely Polonkai, Giedrius + Statkevičius, Gigadoc2, gogogogi, Gaurav Singh, gzjsgdsb, Hans de + Goede, Haochen Tong, ianhi, ignapk, Jakov Smolic, James T. Lee, Jan + Janssen, Jan Klötzke, Jan Palus, Jay Burger, Jeremy Cline, Jérémy + Rosen, Jian-Hong Pan, Jiri Slaby, Joel Shapiro, Joerg Behrmann, Jörg + Thalheim, Jouke Witteveen, Kai-Heng Feng, Kenny Levinsen, Kevin + Kuehler, Kumar Kartikeya Dwivedi, layderv, laydervus, Lénaïc Huard, + Lennart Poettering, Lidong Zhong, Luca Boccassi, Luca BRUNO, Lucas + Werkmeister, Lukas Klingsbo, Lukáš Nykrýn, Łukasz Stelmach, Maciej + S. Szmigiero, MadMcCrow, Marc-André Lureau, Marcel Holtmann, Marc + Kleine-Budde, Martin Hundebøll, Matthew Leeds, Matt Ranostay, Maxim + Fomin, MaxVerevkin, Michael Biebl, Michael Chapman, Michael Gubbels, + Michael Marley, Michał Bartoszkiewicz, Michal Koutný, Michal Sekletár, + Mike Gilbert, Mike Kazantsev, Mikhail Novosyolov, ml, Motiejus Jakštys, + nabijaczleweli, nerdopolis, Niccolò Maggioni, Niklas Hambüchen, Norbert + Lange, Paul Cercueil, pelzvieh, Peter Hutterer, Piero La Terza, Pieter + Lexis, Piotr Drąg, Rafael Fontenelle, Richard Petri, Ronan Pigott, Ross + Lagerwall, Rubens Figueiredo, satmandu, Sean-StarLabs, Sebastian + Jennen, sterlinghughes, Surhud More, Susant Sahani, szb512, Thomas + Haller, Tobias Hunger, Tom, Tomáš Pospíšek, Tomer Shechner, Tom Hughes, + Topi Miettinen, Tudor Roman, Uwe Kleine-König, Valery0xff, Vito Caputo, + Vladimir Panteleev, Vladyslav Tronko, Wen Yang, Yegor Vialov, Yigal + Korman, Yi Gao, YmrDtnJu, Yuri Chornoivan, Yu Watanabe, Zbigniew + Jędrzejewski-Szmek, Zhu Li, Дамјан Георгиевски, наб + + – Warsaw, 2020-07-30 + +CHANGES WITH 245: + + * A new tool "systemd-repart" has been added, that operates as an + idempotent declarative repartitioner for GPT partition tables. + Specifically, a set of partitions that must or may exist can be + configured via drop-in files, and during every boot the partition + table on disk is compared with these files, creating missing + partitions or growing existing ones based on configurable relative + and absolute size constraints. The tool is strictly incremental, + i.e. does not delete, shrink or move partitions, but only adds and + grows them. The primary use-case is OS images that ship in minimized + form, that on first boot are grown to the size of the underlying + block device or augmented with additional partitions. For example, + the root partition could be extended to cover the whole disk, or a + swap or /home partitions could be added on first boot. It can also be + used for systems that use an A/B update scheme but ship images with + just the A partition, with B added on first boot. The tool is + primarily intended to be run in the initrd, shortly before + transitioning into the host OS, but can also be run after the + transition took place. It automatically discovers the disk backing + the root file system, and should hence not require any additional + configuration besides the partition definition drop-ins. If no + configuration drop-ins are present, no action is taken. + + * A new component "userdb" has been added, along with a small daemon + "systemd-userdbd.service" and a client tool "userdbctl". The framework + allows defining rich user and group records in a JSON format, + extending on the classic "struct passwd" and "struct group" + structures. Various components in systemd have been updated to + process records in this format, including systemd-logind and + pam-systemd. The user records are intended to be extensible, and + allow setting various resource management, security and runtime + parameters that shall be applied to processes and sessions of the + user as they log in. This facility is intended to allow associating + such metadata directly with user/group records so that they can be + produced, extended and consumed in unified form. We hope that + eventually frameworks such as sssd will generate records this way, so + that for the first time resource management and various other + per-user settings can be configured in LDAP directories and then + provided to systemd (specifically to systemd-logind and pam-system) + to apply on login. For further details see: + + https://systemd.io/USER_RECORD + https://systemd.io/GROUP_RECORD + https://systemd.io/USER_GROUP_API + + * A small new service systemd-homed.service has been added, that may be + used to securely manage home directories with built-in encryption. + The complete user record data is unified with the home directory, + thus making home directories naturally migratable. Its primary + back-end is based on LUKS volumes, but fscrypt, plain directories, + and other storage schemes are also supported. This solves a couple of + problems we saw with traditional ways to manage home directories, in + particular when it comes to encryption. For further discussion of + this, see the video of Lennart's talk at AllSystemsGo! 2019: + + https://media.ccc.de/v/ASG2019-164-reinventing-home-directories + + For further details about the format and expectations on home + directories this new daemon makes, see: + + https://systemd.io/HOME_DIRECTORY + + * systemd-journald is now multi-instantiable. In addition to the main + instance systemd-journald.service there's now a template unit + systemd-journald@.service, with each instance defining a new named + log 'namespace' (whose name is specified via the instance part of the + unit name). A new unit file setting LogNamespace= has been added, + taking such a namespace name, that assigns services to the specified + log namespaces. As each log namespace is serviced by its own + independent journal daemon, this functionality may be used to improve + performance and increase isolation of applications, at the price of + losing global message ordering. Each instance of journald has a + separate set of configuration files, with possibly different disk + usage limitations and other settings. + + journalctl now takes a new option --namespace= to show logs from a + specific log namespace. The sd-journal.h API gained + sd_journal_open_namespace() for opening the log stream of a specific + log namespace. systemd-journald also gained the ability to exit on + idle, which is useful in the context of log namespaces, as this means + log daemons for log namespaces can be activated automatically on + demand and will stop automatically when no longer used, minimizing + resource usage. + + * When systemd-tmpfiles copies a file tree using the 'C' line type it + will now label every copied file according to the SELinux database. + + * When systemd/PID 1 detects it is used in the initrd it will now boot + into initrd.target rather than default.target by default. This should + make it simpler to build initrds with systemd as for many cases the + only difference between a host OS image and an initrd image now is + the presence of the /etc/initrd-release file. + + * A new kernel command line option systemd.cpu_affinity= is now + understood. It's equivalent to the CPUAffinity= option in + /etc/systemd/system.conf and allows setting the CPU mask for PID 1 + itself and the default for all other processes. + + * When systemd/PID 1 is reloaded (with systemctl daemon-reload or + equivalent), the SELinux database is now reloaded, ensuring that + sockets and other file system objects are generated taking the new + database into account. + + * systemd/PID 1 accepts a new "systemd.show-status=error" setting, and + "quiet" has been changed to imply that instead of + "systemd.show-status=auto". In this mode, only messages about errors + and significant delays in boot are shown on the console. + + * The sd-event.h API gained native support for the new Linux "pidfd" + concept. This permits watching processes using file descriptors + instead of PID numbers, which fixes a number of races and makes + process supervision more robust and efficient. All of systemd's + components will now use pidfds if the kernel supports it for process + watching, with the exception of PID 1 itself, unfortunately. We hope + to move PID 1 to exclusively using pidfds too eventually, but this + requires some more kernel work first. (Background: PID 1 watches + processes using waitid() with the P_ALL flag, and that does not play + together nicely with pidfds yet.) + + * Closely related to this, the sd-event.h API gained two new calls + sd_event_source_send_child_signal() (for sending a signal to a + watched process) and sd_event_source_get_child_process_own() (for + marking a process so that it is killed automatically whenever the + event source watching it is freed). + + * systemd-networkd gained support for configuring Token Bucket Filter + (TBF) parameters in its qdisc configuration support. Similarly, + support for Stochastic Fairness Queuing (SFQ), Controlled-Delay + Active Queue Management (CoDel), and Fair Queue (FQ) has been added. + + * systemd-networkd gained support for Intermediate Functional Block + (IFB) network devices. + + * systemd-networkd gained support for configuring multi-path IP routes, + using the new MultiPathRoute= setting in the [Route] section. + + * systemd-networkd's DHCPv4 client has been updated to support a new + SendDecline= option. If enabled, duplicate address detection is done + after a DHCP offer is received from the server. If a conflict is + detected, the address is declined. The DHCPv4 client also gained + support for a new RouteMTUBytes= setting that allows to configure the + MTU size to be used for routes generated from DHCPv4 leases. + + * The PrefixRoute= setting in systemd-networkd's [Address] section of + .network files has been deprecated, and replaced by AddPrefixRoute=, + with its sense inverted. + + * The Gateway= setting of [Route] sections of .network files gained + support for a special new value "_dhcp". If set, the configured + static route uses the gateway host configured via DHCP. + + * New User= and SuppressPrefixLength= settings have been implemented + for the [RoutingPolicyRule] section of .network files to configure + source routing based on UID ranges and prefix length, respectively. + + * sd-bus gained a new API call sd_bus_message_sensitive() that marks a + D-Bus message object as "sensitive". Those objects are erased from + memory when they are freed. This concept is intended to be used for + messages that contain security sensitive data. A new flag + SD_BUS_VTABLE_SENSITIVE has been introduced as well to mark methods + in sd-bus vtables, causing any incoming and outgoing messages of + those methods to be implicitly marked as "sensitive". + + * sd-bus gained a new API call sd_bus_message_dump() for dumping the + contents of a message (or parts thereof) to standard output for + debugging purposes. + + * systemd-sysusers gained support for creating users with the primary + group named differently than the user. + + * systemd-growfs (i.e. the x-systemd.growfs mount option in /etc/fstab) + gained support for growing XFS partitions. Previously it supported + only ext4 and btrfs partitions. + + * The support for /etc/crypttab gained a new x-initrd.attach option. If + set, the specified encrypted volume is unlocked already in the + initrd. This concept corresponds to the x-initrd.mount option in + /etc/fstab. + + * systemd-cryptsetup gained native support for unlocking encrypted + volumes utilizing PKCS#11 smartcards, i.e. for example to bind + encryption of volumes to YubiKeys. This is exposed in the new + pkcs11-uri= option in /etc/crypttab. + + * The /etc/fstab support in systemd now supports two new mount options + x-systemd.{required,wanted}-by=, for explicitly configuring the units + that the specified mount shall be pulled in by, in place of + the usual local-fs.target/remote-fs.target. + + * The https://systemd.io/ web site has been relaunched, directly + populated with most of the documentation included in the systemd + repository. systemd also acquired a new logo, thanks to Tobias + Bernard. + + * systemd-udevd gained support for managing "alternative" network + interface names, as supported by new Linux kernels. For the first + time this permits assigning multiple (and longer!) names to a network + interface. systemd-udevd will now by default assign the names + generated via all supported naming schemes to each interface. This + may be further tweaked with .link files and the AlternativeName= and + AlternativeNamesPolicy= settings. Other components of systemd have + been updated to support the new alternative names wherever + appropriate. For example, systemd-nspawn will now generate + alternative interface names for the host-facing side of container + veth links based on the full container name without truncation. + + * systemd-nspawn interface naming logic has been updated in another way + too: if the main interface name (i.e. as opposed to new-style + "alternative" names) based on the container name is truncated, a + simple hashing scheme is used to give different interface names to + multiple containers whose names all begin with the same prefix. Since + this changes the primary interface names pointing to containers if + truncation happens, the old scheme may still be requested by + selecting an older naming scheme, via the net.naming-scheme= kernel + command line option. + + * PrivateUsers= in service files now works in services run by the + systemd --user per-user instance of the service manager. + + * A new per-service sandboxing option ProtectClock= has been added that + locks down write access to the system clock. It takes away device + node access to /dev/rtc as well as the system calls that set the + system clock and the CAP_SYS_TIME and CAP_WAKE_ALARM capabilities. + Note that this option does not affect access to auxiliary services + that allow changing the clock, for example access to + systemd-timedated. + + * The systemd-id128 tool gained a new "show" verb for listing or + resolving a number of well-known UUIDs/128bit IDs, currently mostly + GPT partition table types. + + * The Discoverable Partitions Specification has been updated to support + /var and /var/tmp partition discovery. Support for this has been + added to systemd-gpt-auto-generator. For details see: + + https://systemd.io/DISCOVERABLE_PARTITIONS + + * "systemctl list-unit-files" has been updated to show a new column + with the suggested enablement state based on the vendor preset files + for the respective units. + + * "systemctl" gained a new option "--with-dependencies". If specified + commands such as "systemctl status" or "systemctl cat" will now show + all specified units along with all units they depend on. + + * networkctl gained support for showing per-interface logs in its + "status" output. + + * systemd-networkd-wait-online gained support for specifying the maximum + operational state to wait for, and to wait for interfaces to + disappear. + + * The [Match] section of .link and .network files now supports a new + option PermanentMACAddress= which may be used to check against the + permanent MAC address of a network device even if a randomized MAC + address is used. + + * The [TrafficControlQueueingDiscipline] section in .network files has + been renamed to [NetworkEmulator] with the "NetworkEmulator" prefix + dropped from the individual setting names. + + * Any .link and .network files that have an empty [Match] section (this + also includes empty and commented-out files) will now be + rejected. systemd-udev and systemd-networkd started warning about + such files in version 243. + + * systemd-logind will now validate access to the operation of changing + the virtual terminal via a polkit action. By default, only users + with at least one session on a local VT are granted permission. + + * When systemd sets up PAM sessions that invoked service processes + shall run in, the pam_setcred() API is now invoked, thus permitting + PAM modules to set additional credentials for the processes. + + * portablectl attach/detach verbs now accept --now and --enable options + to combine attachment with enablement and invocation, or detachment + with stopping and disablement. + + * UPGRADE ISSUE: a bug where some jobs were trimmed as redundant was + fixed, which in turn exposed bugs in unit configuration of services + which have Type=oneshot and should only run once, but do not have + RemainAfterExit=yes set. Without RemainAfterExit=yes, a one-shot + service may be started again after exiting successfully, for example + as a dependency in another transaction. Affected services included + some internal systemd services (most notably + systemd-vconsole-setup.service, which was updated to have + RemainAfterExit=yes), and plymouth-start.service. Please ensure that + plymouth has been suitably updated or patched before upgrading to + this systemd release. See + https://bugzilla.redhat.com/show_bug.cgi?id=1807771 for some + additional discussion. + + Contributions from: AJ Bagwell, Alin Popa, Andreas Rammhold, Anita + Zhang, Ansgar Burchardt, Antonio Russo, Arian van Putten, Ashley Davis, + Balint Reczey, Bart Willems, Bastien Nocera, Benjamin Dahlhoff, Charles + (Chas) Williams, cheese1, Chris Down, Chris Murphy, Christian Ehrhardt, + Christian Göttsche, cvoinf, Daan De Meyer, Daniele Medri, Daniel Rusek, + Daniel Shahaf, Dann Frazier, Dan Streetman, Dariusz Gadomski, David + Michael, Dimitri John Ledkov, Emmanuel Bourg, Evgeny Vereshchagin, + ezst036, Felipe Sateler, Filipe Brandenburger, Florian Klink, Franck + Bui, Fran Dieguez, Frantisek Sumsal, Greg "GothAck" Miell, Guilhem + Lettron, Guillaume Douézan-Grard, Hans de Goede, HATAYAMA Daisuke, Iain + Lane, James Buren, Jan Alexander Steffens (heftig), Jérémy Rosen, Jin + Park, Jun'ichi Nomura, Kai Krakow, Kevin Kuehler, Kevin P. Fleming, + Lennart Poettering, Leonid Bloch, Leonid Evdokimov, lothrond, Luca + Boccassi, Lukas K, Lynn Kirby, Mario Limonciello, Mark Deneen, Matthew + Leeds, Michael Biebl, Michal Koutný, Michal Sekletár, Mike Auty, Mike + Gilbert, mtron, nabijaczleweli, Naïm Favier, Nate Jones, Norbert Lange, + Oliver Giles, Paul Davey, Paul Menzel, Peter Hutterer, Piotr Drąg, Rafa + Couto, Raphael, rhn, Robert Scheck, Rocka, Romain Naour, Ryan Attard, + Sascha Dewald, Shengjing Zhu, Slava Kardakov, Spencer Michaels, Sylvain + Plantefeve, Stanislav Angelovič, Susant Sahani, Thomas Haller, Thomas + Schmitt, Timo Schlüßler, Timo Wilken, Tobias Bernard, Tobias Klauser, + Tobias Stoeckmann, Topi Miettinen, tsia, WataruMatsuoka, Wieland + Hoffmann, Wilhelm Schuster, Will Fleming, xduugu, Yong Cong Sin, Yuri + Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zeyu + DONG + + – Warsaw, 2020-03-06 + +CHANGES WITH 244: + + * Support for the cpuset cgroups v2 controller has been added. + Processes may be restricted to specific CPUs using the new + AllowedCPUs= setting, and to specific memory NUMA nodes using the new + AllowedMemoryNodes= setting. + + * The signal used in restart jobs (as opposed to e.g. stop jobs) may + now be configured using a new RestartKillSignal= setting. This + allows units which signals to request termination to implement + different behaviour when stopping in preparation for a restart. + + * "systemctl clean" may now be used also for socket, mount, and swap + units. + + * systemd will also read configuration options from the EFI variable + SystemdOptions. This may be used to configure systemd behaviour when + modifying the kernel command line is inconvenient, but configuration + on disk is read too late, for example for the options related to + cgroup hierarchy setup. 'bootctl systemd-efi-options' may be used to + set the EFI variable. + + * systemd will now disable printk ratelimits in early boot. This should + allow us to capture more logs from the early boot phase where normal + storage is not available and the kernel ring buffer is used for + logging. Configuration on the kernel command line has higher priority + and overrides the systemd setting. + + systemd programs which log to /dev/kmsg directly use internal + ratelimits to prevent runaway logging. (Normally this is only used + during early boot, so in practice this change has very little + effect.) + + * Unit files now support top level dropin directories of the form + <unit_type>.d/ (e.g. service.d/) that may be used to add configuration + that affects all corresponding unit files. + + * systemctl gained support for 'stop --job-mode=triggering' which will + stop the specified unit and any units which could trigger it. + + * Unit status display now includes units triggering and triggered by + the unit being shown. + + * The RuntimeMaxSec= setting is now supported by scopes, not just + .service units. This is particularly useful for PAM sessions which + create a scope unit for the user login. systemd.runtime_max_sec= + setting may used with the pam_systemd module to limit the duration + of the PAM session, for example for time-limited logins. + + * A new @pkey system call group is now defined to make it easier to + allow-list memory protection syscalls for containers and services + which need to use them. + + * systemd-udevd: removed the 30s timeout for killing stale workers on + exit. systemd-udevd now waits for workers to finish. The hard-coded + exit timeout of 30s was too short for some large installations, where + driver initialization could be prematurely interrupted during initrd + processing if the root file system had been mounted and init was + preparing to switch root. If udevd is run without systemd and workers + are hanging while udevd receives an exit signal, udevd will now exit + when udev.event_timeout is reached for the last hanging worker. With + systemd, the exit timeout can additionally be configured using + TimeoutStopSec= in systemd-udevd.service. + + * udev now provides a program (fido_id) that identifies FIDO CTAP1 + ("U2F")/CTAP2 security tokens based on the usage declared in their + report and descriptor and outputs suitable environment variables. + This replaces the externally maintained allow lists of all known + security tokens that were used previously. + + * Automatically generated autosuspend udev rules for allow-listed + devices have been imported from the Chromium OS project. This should + improve power saving with many more devices. + + * udev gained a new "CONST{key}=value" setting that allows matching + against system-wide constants without forking a helper binary. + Currently "arch" and "virt" keys are supported. + + * udev now opens CDROMs in non-exclusive mode when querying their + capabilities. This should fix issues where other programs trying to + use the CDROM cannot gain access to it, but carries a risk of + interfering with programs writing to the disk, if they did not open + the device in exclusive mode as they should. + + * systemd-networkd does not create a default route for IPv4 link local + addressing anymore. The creation of the route was unexpected and was + breaking routing in various cases, but people who rely on it being + created implicitly will need to adjust. Such a route may be requested + with DefaultRouteOnDevice=yes. + + Similarly, systemd-networkd will not assign a link-local IPv6 address + when IPv6 link-local routing is not enabled. + + * Receive and transmit buffers may now be configured on links with + the new RxBufferSize= and TxBufferSize= settings. + + * systemd-networkd may now advertise additional IPv6 routes. A new + [IPv6RoutePrefix] section with Route= and LifetimeSec= options is + now supported. + + * systemd-networkd may now configure "next hop" routes using the + [NextHop] section and Gateway= and Id= settings. + + * systemd-networkd will now retain DHCP config on restarts by default + (but this may be overridden using the KeepConfiguration= setting). + The default for SendRelease= has been changed to true. + + * The DHCPv4 client now uses the OPTION_INFORMATION_REFRESH_TIME option + received from the server. + + The client will use the received SIP server list if UseSIP=yes is + set. + + The client may be configured to request specific options from the + server using a new RequestOptions= setting. + + The client may be configured to send arbitrary options to the server + using a new SendOption= setting. + + A new IPServiceType= setting has been added to configure the "IP + service type" value used by the client. + + * The DHCPv6 client learnt a new PrefixDelegationHint= option to + request prefix hints in the DHCPv6 solicitation. + + * The DHCPv4 server may be configured to send arbitrary options using + a new SendOption= setting. + + * The DHCPv4 server may now be configured to emit SIP server list using + the new EmitSIP= and SIP= settings. + + * systemd-networkd and networkctl may now renew DHCP leases on demand. + networkctl has a new 'networkctl renew' verb. + + * systemd-networkd may now reconfigure links on demand. networkctl + gained two new verbs: "reload" will reload the configuration, and + "reconfigure DEVICE…" will reconfigure one or more devices. + + * .network files may now match on SSID and BSSID of a wireless network, + i.e. the access point name and hardware address using the new SSID= + and BSSID= options. networkctl will display the current SSID and + BSSID for wireless links. + + .network files may also match on the wireless network type using the + new WLANInterfaceType= option. + + * systemd-networkd now includes default configuration that enables + link-local addressing when connected to an ad-hoc wireless network. + + * systemd-networkd may configure the Traffic Control queueing + disciplines in the kernel using the new + [TrafficControlQueueingDiscipline] section and Parent=, + NetworkEmulatorDelaySec=, NetworkEmulatorDelayJitterSec=, + NetworkEmulatorPacketLimit=, NetworkEmulatorLossRate=, + NetworkEmulatorDuplicateRate= settings. + + * systemd-tmpfiles gained a new w+ setting to append to files. + + * systemd-analyze dump will now report when the memory configuration in + the kernel does not match what systemd has configured (usually, + because some external program has modified the kernel configuration + on its own). + + * systemd-analyze gained a new --base-time= switch instructs the + 'calendar' verb to resolve times relative to that timestamp instead + of the present time. + + * journalctl --update-catalog now produces deterministic output (making + reproducible image builds easier). + + * A new devicetree-overlay setting is now documented in the Boot Loader + Specification. + + * The default value of the WatchdogSec= setting used in systemd + services (the ones bundled with the project itself) may be set at + configuration time using the -Dservice-watchdog= setting. If set to + empty, the watchdogs will be disabled. + + * systemd-resolved validates IP addresses in certificates now when GnuTLS + is being used. + + * libcryptsetup >= 2.0.1 is now required. + + * A configuration option -Duser-path= may be used to override the $PATH + used by the user service manager. The default is again to use the same + path as the system manager. + + * The systemd-id128 tool gained a new switch "-u" (or "--uuid") for + outputting the 128bit IDs in UUID format (i.e. in the "canonical + representation"). + + * Service units gained a new sandboxing option ProtectKernelLogs= which + makes sure the program cannot get direct access to the kernel log + buffer anymore, i.e. the syslog() system call (not to be confused + with the API of the same name in libc, which is not affected), the + /proc/kmsg and /dev/kmsg nodes and the CAP_SYSLOG capability are made + inaccessible to the service. It's recommended to enable this setting + for all services that should not be able to read from or write to the + kernel log buffer, which are probably almost all. + + Contributions from: Aaron Plattner, Alcaro, Anita Zhang, Balint Reczey, + Bastien Nocera, Baybal Ni, Benjamin Bouvier, Benjamin Gilbert, Carlo + Teubner, cbzxt, Chen Qi, Chris Down, Christian Rebischke, Claudio + Zumbo, ClydeByrdIII, crashfistfight, Cyprien Laplace, Daniel Edgecumbe, + Daniel Gorbea, Daniel Rusek, Daniel Stuart, Dan Streetman, David + Pedersen, David Tardon, Dimitri John Ledkov, Dominique Martinet, Donald + A. Cupp Jr, Evgeny Vereshchagin, Fabian Henneke, Filipe Brandenburger, + Franck Bui, Frantisek Sumsal, Georg Müller, Hans de Goede, Haochen + Tong, HATAYAMA Daisuke, Iwan Timmer, Jan Janssen, Jan Kundrát, Jan + Synacek, Jan Tojnar, Jay Strict, Jérémy Rosen, Jóhann B. Guðmundsson, + Jonas Jelten, Jonas Thelemann, Justin Trudell, J. Xing, Kai-Heng Feng, + Kenneth D'souza, Kevin Becker, Kevin Kuehler, Lennart Poettering, + Léonard Gérard, Lorenz Bauer, Luca Boccassi, Maciej Stanczew, Mario + Limonciello, Marko Myllynen, Mark Stosberg, Martin Wilck, matthiasroos, + Michael Biebl, Michael Olbrich, Michael Tretter, Michal Sekletar, + Michal Sekletár, Michal Suchanek, Mike Gilbert, Mike Kazantsev, Nicolas + Douma, nikolas, Norbert Lange, pan93412, Pascal de Bruijn, Paul Menzel, + Pavel Hrdina, Peter Wu, Philip Withnall, Piotr Drąg, Rafael Fontenelle, + Renaud Métrich, Riccardo Schirone, RoadrunnerWMC, Ronan Pigott, Ryan + Attard, Sebastian Wick, Serge, Siddharth Chandrasekara, Steve Ramage, + Steve Traylen, Susant Sahani, Thibault Nélis, Tim Teichmann, Tom + Fitzhenry, Tommy J, Torsten Hilbrich, Vito Caputo, ypf791, Yu Watanabe, + Zach Smith, Zbigniew Jędrzejewski-Szmek + + – Warsaw, 2019-11-29 + +CHANGES WITH 243: + + * This release enables unprivileged programs (i.e. requiring neither + setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests + by turning on the "net.ipv4.ping_group_range" sysctl of the Linux + kernel for the whole UNIX group range, i.e. all processes. This + change should be reasonably safe, as the kernel support for it was + specifically implemented to allow safe access to ICMP Echo for + processes lacking any privileges. If this is not desirable, it can be + disabled again by setting the parameter to "1 0". + + * Previously, filters defined with SystemCallFilter= would have the + effect that any calling of an offending system call would terminate + the calling thread. This behaviour never made much sense, since + killing individual threads of unsuspecting processes is likely to + create more problems than it solves. With this release the default + action changed from killing the thread to killing the whole + process. For this to work correctly both a kernel version (>= 4.14) + and a libseccomp version (>= 2.4.0) supporting this new seccomp + action is required. If an older kernel or libseccomp is used the old + behaviour continues to be used. This change does not affect any + services that have no system call filters defined, or that use + SystemCallErrorNumber= (and thus see EPERM or another error instead + of being killed when calling an offending system call). Note that + systemd documentation always claimed that the whole process is + killed. With this change behaviour is thus adjusted to match the + documentation. + + * On 64 bit systems, the "kernel.pid_max" sysctl is now bumped to + 4194304 by default, i.e. the full 22bit range the kernel allows, up + from the old 16bit range. This should improve security and + robustness, as PID collisions are made less likely (though certainly + still possible). There are rumours this might create compatibility + problems, though at this moment no practical ones are known to + us. Downstream distributions are hence advised to undo this change in + their builds if they are concerned about maximum compatibility, but + for everybody else we recommend leaving the value bumped. Besides + improving security and robustness this should also simplify things as + the maximum number of allowed concurrent tasks was previously bounded + by both "kernel.pid_max" and "kernel.threads-max" and now effectively + only a single knob is left ("kernel.threads-max"). There have been + concerns that usability is affected by this change because larger PID + numbers are harder to type, but we believe the change from 5 digits + to 7 digits doesn't hamper usability. + + * MemoryLow= and MemoryMin= gained hierarchy-aware counterparts, + DefaultMemoryLow= and DefaultMemoryMin=, which can be used to + hierarchically set default memory protection values for a particular + subtree of the unit hierarchy. + + * Memory protection directives can now take a value of zero, allowing + explicit opting out of a default value propagated by an ancestor. + + * systemd now defaults to the "unified" cgroup hierarchy setup during + build-time, i.e. -Ddefault-hierarchy=unified is now the build-time + default. Previously, -Ddefault-hierarchy=hybrid was the default. This + change reflects the fact that cgroupsv2 support has matured + substantially in both systemd and in the kernel, and is clearly the + way forward. Downstream production distributions might want to + continue to use -Ddefault-hierarchy=hybrid (or even =legacy) for + their builds as unfortunately the popular container managers have not + caught up with the kernel API changes. + + * Man pages are not built by default anymore (html pages were already + disabled by default), to make development builds quicker. When + building systemd for a full installation with documentation, meson + should be called with -Dman=true and/or -Dhtml=true as appropriate. + The default was changed based on the assumption that quick one-off or + repeated development builds are much more common than full optimized + builds for installation, and people need to pass various other + options to when doing "proper" builds anyway, so the gain from making + development builds quicker is bigger than the one time disruption for + packagers. + + Two scripts are created in the *build* directory to generate and + preview man and html pages on demand, e.g.: + + build/man/man systemctl + build/man/html systemd.index + + * libidn2 is used by default if both libidn2 and libidn are installed. + Please use -Dlibidn=true if libidn is preferred. + + * The D-Bus "wire format" of the CPUAffinity= attribute is changed on + big-endian machines. Before, bytes were written and read in native + machine order as exposed by the native libc __cpu_mask interface. + Now, little-endian order is always used (CPUs 0–7 are described by + bits 0–7 in byte 0, CPUs 8–15 are described by byte 1, and so on). + This change fixes D-Bus calls that cross endianness boundary. + + The presentation format used for CPUAffinity= by "systemctl show" and + "systemd-analyze dump" is changed to present CPU indices instead of + the raw __cpu_mask bitmask. For example, CPUAffinity=0-1 would be + shown as CPUAffinity=03000000000000000000000000000… (on + little-endian) or CPUAffinity=00000000000000300000000000000… (on + 64-bit big-endian), and is now shown as CPUAffinity=0-1, matching the + input format. The maximum integer that will be printed in the new + format is 8191 (four digits), while the old format always used a very + long number (with the length varying by architecture), so they can be + unambiguously distinguished. + + * /usr/sbin/halt.local is no longer supported. Implementation in + distributions was inconsistent and it seems this functionality was + very rarely used. + + To replace this functionality, users should: + - either define a new unit and make it a dependency of final.target + (systemctl add-wants final.target my-halt-local.service) + - or move the shutdown script to /usr/lib/systemd/system-shutdown/ + and ensure that it accepts "halt", "poweroff", "reboot", and + "kexec" as an argument, see the description in systemd-shutdown(8). + + * When a [Match] section in .link or .network file is empty (contains + no match patterns), a warning will be emitted. Please add any "match + all" pattern instead, e.g. OriginalName=* or Name=* in case all + interfaces should really be matched. + + * A new setting NUMAPolicy= may be used to set process memory + allocation policy. This setting can be specified in + /etc/systemd/system.conf and hence will set the default policy for + PID1. The default policy can be overridden on a per-service + basis. The related setting NUMAMask= is used to specify NUMA node + mask that should be associated with the selected policy. + + * PID 1 will now listen to Out-Of-Memory (OOM) events the kernel + generates when processes it manages are reaching their memory limits, + and will place their units in a special state, and optionally kill or + stop the whole unit. + + * The service manager will now expose bus properties for the IO + resources used by units. This information is also shown in "systemctl + status" now (for services that have IOAccounting=yes set). Moreover, + the IO accounting data is included in the resource log message + generated whenever a unit stops. + + * Units may now configure an explicit timeout to wait for when killed + with SIGABRT, for example when a service watchdog is hit. Previously, + the regular TimeoutStopSec= timeout was applied in this case too — + now a separate timeout may be set using TimeoutAbortSec=. + + * Services may now send a special WATCHDOG=trigger message with + sd_notify() to trigger an immediate "watchdog missed" event, and thus + trigger service termination. This is useful both for testing watchdog + handling, but also for defining error paths in services, that shall + be handled the same way as watchdog events. + + * There are two new per-unit settings IPIngressFilterPath= and + IPEgressFilterPath= which allow configuration of a BPF program + (usually by specifying a path to a program uploaded to /sys/fs/bpf/) + to apply to the IP packet ingress/egress path of all processes of a + unit. This is useful to allow running systemd services with BPF + programs set up externally. + + * systemctl gained a new "clean" verb for removing the state, cache, + runtime or logs directories of a service while it is terminated. The + new verb may also be used to remove the state maintained on disk for + timer units that have Persistent= configured. + + * During the last phase of shutdown systemd will now automatically + increase the log level configured in the "kernel.printk" sysctl so + that any relevant loggable events happening during late shutdown are + made visible. Previously, loggable events happening so late during + shutdown were generally lost if the "kernel.printk" sysctl was set to + high thresholds, as regular logging daemons are terminated at that + time and thus nothing is written to disk. + + * If processes terminated during the last phase of shutdown do not exit + quickly systemd will now show their names after a short time, to make + debugging easier. After a longer timeout they are forcibly killed, + as before. + + * journalctl (and the other tools that display logs) will now highlight + warnings in yellow (previously, both LOG_NOTICE and LOG_WARNING where + shown in bright bold, now only LOG_NOTICE is). Moreover, audit logs + are now shown in blue color, to separate them visually from regular + logs. References to configuration files are now turned into clickable + links on terminals that support that. + + * systemd-journald will now stop logging to /var/log/journal during + shutdown when /var/ is on a separate mount, so that it can be + unmounted safely during shutdown. + + * systemd-resolved gained support for a new 'strict' DNS-over-TLS mode. + + * systemd-resolved "Cache=" configuration option in resolved.conf has + been extended to also accept the 'no-negative' value. Previously, + only a boolean option was allowed (yes/no), having yes as the + default. If this option is set to 'no-negative', negative answers are + not cached while the old cache heuristics are used positive answers. + The default remains unchanged. + + * The predictable naming scheme for network devices now supports + generating predictable names for "netdevsim" devices. + + Moreover, the "en" prefix was dropped from the ID_NET_NAME_ONBOARD + udev property. + + Those two changes form a new net.naming-policy-scheme= entry. + Distributions which want to preserve naming stability may want to set + the -Ddefault-net-naming-scheme= configuration option. + + * systemd-networkd now supports MACsec, nlmon, IPVTAP and Xfrm + interfaces natively. + + * systemd-networkd's bridge FDB support now allows configuration of a + destination address for each entry (Destination=), as well as the + VXLAN VNI (VNI=), as well as an option to declare what an entry is + associated with (AssociatedWith=). + + * systemd-networkd's DHCPv4 support now understands a new MaxAttempts= + option for configuring the maximum number of DHCP lease requests. It + also learnt a new BlackList= option for deny-listing DHCP servers (a + similar setting has also been added to the IPv6 RA client), as well + as a SendRelease= option for configuring whether to send a DHCP + RELEASE message when terminating. + + * systemd-networkd's DHCPv4 and DHCPv6 stacks can now be configured + separately in the [DHCPv4] and [DHCPv6] sections. + + * systemd-networkd's DHCP support will now optionally create an + implicit host route to the DNS server specified in the DHCP lease, in + addition to the routes listed explicitly in the lease. This should + ensure that in multi-homed systems DNS traffic leaves the systems on + the interface that acquired the DNS server information even if other + routes such as default routes exist. This behaviour may be turned on + with the new RoutesToDNS= option. + + * systemd-networkd's VXLAN support gained a new option + GenericProtocolExtension= for enabling VXLAN Generic Protocol + Extension support, as well as IPDoNotFragment= for setting the IP + "Don't fragment" bit on outgoing packets. A similar option has been + added to the GENEVE support. + + * In systemd-networkd's [Route] section you may now configure + FastOpenNoCookie= for configuring per-route TCP fast-open support, as + well as TTLPropagate= for configuring Label Switched Path (LSP) TTL + propagation. The Type= setting now supports local, broadcast, + anycast, multicast, any, xresolve routes, too. + + * systemd-networkd's [Network] section learnt a new option + DefaultRouteOnDevice= for automatically configuring a default route + onto the network device. + + * systemd-networkd's bridging support gained two new options ProxyARP= + and ProxyARPWifi= for configuring proxy ARP behaviour as well as + MulticastRouter= for configuring multicast routing behaviour. A new + option MulticastIGMPVersion= may be used to change bridge's multicast + Internet Group Management Protocol (IGMP) version. + + * systemd-networkd's FooOverUDP support gained the ability to configure + local and peer IP addresses via Local= and Peer=. A new option + PeerPort= may be used to configure the peer's IP port. + + * systemd-networkd's TUN support gained a new setting VnetHeader= for + tweaking Generic Segment Offload support. + + * The address family for policy rules may be specified using the new + Family= option in the [RoutingPolicyRule] section. + + * networkctl gained a new "delete" command for removing virtual network + devices, as well as a new "--stats" switch for showing device + statistics. + + * networkd.conf gained a new setting SpeedMeter= and + SpeedMeterIntervalSec=, to measure bitrate of network interfaces. The + measured speed may be shown by 'networkctl status'. + + * "networkctl status" now displays MTU and queue lengths, and more + detailed information about VXLAN and bridge devices. + + * systemd-networkd's .network and .link files gained a new Property= + setting in the [Match] section, to match against devices with + specific udev properties. + + * systemd-networkd's tunnel support gained a new option + AssignToLoopback= for selecting whether to use the loopback device + "lo" as underlying device. + + * systemd-networkd's MACAddress= setting in the [Neighbor] section has + been renamed to LinkLayerAddress=, and it now allows configuration of + IP addresses, too. + + * systemd-networkd's handling of the kernel's disable_ipv6 sysctl is + simplified: systemd-networkd will disable the sysctl (enable IPv6) if + IPv6 configuration (static or DHCPv6) was found for a given + interface. It will not touch the sysctl otherwise. + + * The order of entries is $PATH used by the user manager instance was + changed to put bin/ entries before the corresponding sbin/ entries. + It is recommended to not rely on this order, and only ever have one + binary with a given name in the system paths under /usr. + + * A new tool systemd-network-generator has been added that may generate + .network, .netdev and .link files from IP configuration specified on + the kernel command line in the format used by Dracut. + + * The CriticalConnection= setting in .network files is now deprecated, + and replaced by a new KeepConfiguration= setting which allows more + detailed configuration of the IP configuration to keep in place. + + * systemd-analyze gained a few new verbs: + + - "systemd-analyze timestamp" parses and converts timestamps. This is + similar to the existing "systemd-analyze calendar" command which + does the same for recurring calendar events. + + - "systemd-analyze timespan" parses and converts timespans (i.e. + durations as opposed to points in time). + + - "systemd-analyze condition" will parse and test ConditionXYZ= + expressions. + + - "systemd-analyze exit-status" will parse and convert exit status + codes to their names and back. + + - "systemd-analyze unit-files" will print a list of all unit + file paths and unit aliases. + + * SuccessExitStatus=, RestartPreventExitStatus=, and + RestartForceExitStatus= now accept exit status names (e.g. "DATAERR" + is equivalent to "65"). Those exit status name mappings may be + displayed with the systemd-analyze exit-status verb describe above. + + * systemd-logind now exposes a per-session SetBrightness() bus call, + which may be used to securely change the brightness of a kernel + brightness device, if it belongs to the session's seat. By using this + call unprivileged clients can make changes to "backlight" and "leds" + devices securely with strict requirements on session membership. + Desktop environments may use this to generically make brightness + changes to such devices without shipping private SUID binaries or + udev rules for that purpose. + + * "udevadm info" gained a --wait-for-initialization switch to wait for + a device to be initialized. + + * systemd-hibernate-resume-generator will now look for resumeflags= on + the kernel command line, which is similar to rootflags= and may be + used to configure device timeout for the hibernation device. + + * sd-event learnt a new API call sd_event_source_disable_unref() for + disabling and unref'ing an event source in a single function. A + related call sd_event_source_disable_unrefp() has been added for use + with gcc's cleanup extension. + + * The sd-id128.h public API gained a new definition + SD_ID128_UUID_FORMAT_STR for formatting a 128bit ID in UUID format + with printf(). + + * "busctl introspect" gained a new switch --xml-interface for dumping + XML introspection data unmodified. + + * PID 1 may now show the unit name instead of the unit description + string in its status output during boot. This may be configured in + the StatusUnitFormat= setting in /etc/systemd/system.conf or the + kernel command line option systemd.status_unit_format=. + + * PID 1 now understands a new option KExecWatchdogSec= in + /etc/systemd/system.conf to set a watchdog timeout for kexec reboots. + Previously watchdog functionality was only available for regular + reboots. The new setting defaults to off, because we don't know in + the general case if the watchdog will be reset after kexec (some + drivers do reset it, but not all), and the new userspace might not be + configured to handle the watchdog. + + Moreover, the old ShutdownWatchdogSec= setting has been renamed to + RebootWatchdogSec= to more clearly communicate what it is about. The + old name is still accepted for compatibility. + + * The systemd.debug_shell kernel command line option now optionally + takes a tty name to spawn the debug shell on, which allows a + different tty to be selected than the built-in default. + + * Service units gained a new ExecCondition= setting which will run + before ExecStartPre= and either continue execution of the unit (for + clean exit codes), stop execution without marking the unit failed + (for exit codes 1 through 254), or stop execution and fail the unit + (for exit code 255 or abnormal termination). + + * A new service systemd-pstore.service has been added that pulls data + from /sys/fs/pstore/ and saves it to /var/lib/pstore for later + review. + + * timedatectl gained new verbs for configuring per-interface NTP + service configuration for systemd-timesyncd. + + * "localectl list-locales" won't list non-UTF-8 locales anymore. It's + 2019. (You can set non-UTF-8 locales though, if you know their name.) + + * If variable assignments in sysctl.d/ files are prefixed with "-" any + failures to apply them are now ignored. + + * systemd-random-seed.service now optionally credits entropy when + applying the seed to the system. Set $SYSTEMD_RANDOM_SEED_CREDIT to + true for the service to enable this behaviour, but please consult the + documentation first, since this comes with a couple of caveats. + + * systemd-random-seed.service is now a synchronization point for full + initialization of the kernel's entropy pool. Services that require + /dev/urandom to be correctly initialized should be ordered after this + service. + + * The systemd-boot boot loader has been updated to optionally maintain + a random seed file in the EFI System Partition (ESP). During the boot + phase, this random seed is read and updated with a new seed + cryptographically derived from it. Another derived seed is passed to + the OS. The latter seed is then credited to the kernel's entropy pool + very early during userspace initialization (from PID 1). This allows + systems to boot up with a fully initialized kernel entropy pool from + earliest boot on, and thus entirely removes all entropy pool + initialization delays from systems using systemd-boot. Special care + is taken to ensure different seeds are derived on system images + replicated to multiple systems. "bootctl status" will show whether + a seed was received from the boot loader. + + * bootctl gained two new verbs: + + - "bootctl random-seed" will generate the file in ESP and an EFI + variable to allow a random seed to be passed to the OS as described + above. + + - "bootctl is-installed" checks whether systemd-boot is currently + installed. + + * bootctl will warn if it detects that boot entries are misconfigured + (for example if the kernel image was removed without purging the + bootloader entry). + + * A new document has been added describing systemd's use and support + for the kernel's entropy pool subsystem: + + https://systemd.io/RANDOM_SEEDS + + * When the system is hibernated the swap device to write the + hibernation image to is now automatically picked from all available + swap devices, preferring the swap device with the highest configured + priority over all others, and picking the device with the most free + space if there are multiple devices with the highest priority. + + * /etc/crypttab support has learnt a new keyfile-timeout= per-device + option that permits selecting the timeout how long to wait for a + device with an encryption key before asking for the password. + + * IOWeight= has learnt to properly set the IO weight when using the + BFQ scheduler officially found in kernels 5.0+. + + * A new mailing list has been created for reporting of security issues: + systemd-security@redhat.com. For mode details, see + https://systemd.io/CONTRIBUTING#security-vulnerability-reports. + + Contributions from: Aaron Barany, Adrian Bunk, Alan Jenkins, Albrecht + Lohofener, Andrej Valek, Anita Zhang, Arian van Putten, Balint Reczey, + Bastien Nocera, Ben Boeckel, Benjamin Robin, camoz, Chen Qi, Chris + Chiu, Chris Down, Christian Göttsche, Christian Kellner, Clinton Roy, + Connor Reeder, Daniel Black, Daniel Lublin, Daniele Medri, Dan + Streetman, Dave Reisner, Dave Ross, David Art, David Tardon, Debarshi + Ray, Dimitri John Ledkov, Dominick Grift, Donald Buczek, Douglas + Christman, Eric DeVolder, EtherGraf, Evgeny Vereshchagin, Feldwor, + Felix Riemann, Florian Dollinger, Francesco Pennica, Franck Bui, + Frantisek Sumsal, Franz Pletz, frederik, Hans de Goede, Iago López + Galeiras, Insun Pyo, Ivan Shapovalov, Iwan Timmer, Jack, Jakob + Unterwurzacher, Jan Chren, Jan Klötzke, Jan Losinski, Jan Pokorný, Jan + Synacek, Jan-Michael Brummer, Jeka Pats, Jeremy Soller, Jérémy Rosen, + Jiri Pirko, Joe Lin, Joerg Behrmann, Joe Richey, Jóhann B. Guðmundsson, + Johannes Christ, Johannes Schmitz, Jonathan Rouleau, Jorge Niedbalski, + Jörg Thalheim, Kai Krakow, Kai Lüke, Karel Zak, Kashyap Chamarthy, + Krayushkin Konstantin, Lennart Poettering, Lubomir Rintel, Luca + Boccassi, Luís Ferreira, Marc-André Lureau, Markus Felten, Martin Pitt, + Matthew Leeds, Mattias Jernberg, Michael Biebl, Michael Olbrich, + Michael Prokop, Michael Stapelberg, Michael Zhivich, Michal Koutný, + Michal Sekletar, Mike Gilbert, Milan Broz, Miroslav Lichvar, mpe85, + Mr-Foo, Network Silence, Oliver Harley, pan93412, Paul Menzel, pEJipE, + Peter A. Bigot, Philip Withnall, Piotr Drąg, Rafael Fontenelle, Robert + Scheck, Roberto Santalla, Ronan Pigott, root, RussianNeuroMancer, + Sebastian Jennen, shinygold, Shreyas Behera, Simon Schricker, Susant + Sahani, Thadeu Lima de Souza Cascardo, Theo Ouzhinski, Thiebaud + Weksteen, Thomas Haller, Thomas Weißschuh, Tomas Mraz, Tommi Rantala, + Topi Miettinen, VD-Lycos, ven, Vladimir Yerilov, Wieland Hoffmann, + William A. Kennington III, William Wold, Xi Ruoyao, Yuri Chornoivan, + Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zhang Xianwei + + – Camerino, 2019-09-03 + +CHANGES WITH 242: + + * In .link files, MACAddressPolicy=persistent (the default) is changed + to cover more devices. For devices like bridges, tun, tap, bond, and + similar interfaces that do not have other identifying information, + the interface name is used as the basis for persistent seed for MAC + and IPv4LL addresses. The way that devices that were handled + previously is not changed, and this change is about covering more + devices then previously by the "persistent" policy. + + MACAddressPolicy=random may be used to force randomized MACs and + IPv4LL addresses for a device if desired. + + Hint: the log output from udev (at debug level) was enhanced to + clarify what policy is followed and which attributes are used. + `SYSTEMD_LOG_LEVEL=debug udevadm test-builtin net_setup_link /sys/class/net/<name>` + may be used to view this. + + Hint: if a bridge interface is created without any slaves, and gains + a slave later, then now the bridge does not inherit slave's MAC. + To inherit slave's MAC, for example, create the following file: + ``` + # /etc/systemd/network/98-bridge-inherit-mac.link + [Match] + Type=bridge + + [Link] + MACAddressPolicy=none + ``` + + * The .device units generated by systemd-fstab-generator and other + generators do not automatically pull in the corresponding .mount unit + as a Wants= dependency. This means that simply plugging in the device + will not cause the mount unit to be started automatically. But please + note that the mount unit may be started for other reasons, in + particular if it is part of local-fs.target, and any unit which + (transitively) depends on local-fs.target is started. + + * networkctl list/status/lldp now accept globbing wildcards for network + interface names to match against all existing interfaces. + + * The $PIDFILE environment variable is set to point the absolute path + configured with PIDFile= for processes of that service. + + * The fallback DNS server list was augmented with Cloudflare public DNS + servers. Use `-Ddns-servers=` to set a different fallback. + + * A new special target usb-gadget.target will be started automatically + when a USB Device Controller is detected (which means that the system + is a USB peripheral). + + * A new unit setting CPUQuotaPeriodSec= assigns the time period + relatively to which the CPU time quota specified by CPUQuota= is + measured. + + * A new unit setting ProtectHostname= may be used to prevent services + from modifying hostname information (even if they otherwise would + have privileges to do so). + + * A new unit setting NetworkNamespacePath= may be used to specify a + namespace for service or socket units through a path referring to a + Linux network namespace pseudo-file. + + * The PrivateNetwork= setting and JoinsNamespaceOf= dependencies now + have an effect on .socket units: when used the listening socket is + created within the configured network namespace instead of the host + namespace. + + * ExecStart= command lines in unit files may now be prefixed with ':' + in which case environment variable substitution is + disabled. (Supported for the other ExecXYZ= settings, too.) + + * .timer units gained two new boolean settings OnClockChange= and + OnTimezoneChange= which may be used to also trigger a unit when the + system clock is changed or the local timezone is + modified. systemd-run has been updated to make these options easily + accessible from the command line for transient timers. + + * Two new conditions for units have been added: ConditionMemory= may be + used to conditionalize a unit based on installed system + RAM. ConditionCPUs= may be used to conditionalize a unit based on + installed CPU cores. + + * The @default system call filter group understood by SystemCallFilter= + has been updated to include the new rseq() system call introduced in + kernel 4.15. + + * A new time-set.target has been added that indicates that the system + time has been set from a local source (possibly imprecise). The + existing time-sync.target is stronger and indicates that the time has + been synchronized with a precise external source. Services where + approximate time is sufficient should use the new target. + + * "systemctl start" (and related commands) learnt a new + --show-transaction option. If specified brief information about all + jobs queued because of the requested operation is shown. + + * systemd-networkd recognizes a new operation state 'enslaved', used + (instead of 'degraded' or 'carrier') for interfaces which form a + bridge, bond, or similar, and an new 'degraded-carrier' operational + state used for the bond or bridge master interface when one of the + enslaved devices is not operational. + + * .network files learnt the new IgnoreCarrierLoss= option for leaving + networks configured even if the carrier is lost. + + * The RequiredForOnline= setting in .network files may now specify a + minimum operational state required for the interface to be considered + "online" by systemd-networkd-wait-online. Related to this + systemd-networkd-wait-online gained a new option --operational-state= + to configure the same, and its --interface= option was updated to + optionally also take an operational state specific for an interface. + + * systemd-networkd-wait-online gained a new setting --any for waiting + for only one of the requested interfaces instead of all of them. + + * systemd-networkd now implements L2TP tunnels. + + * Two new .network settings UseAutonomousPrefix= and UseOnLinkPrefix= + may be used to cause autonomous and onlink prefixes received in IPv6 + Router Advertisements to be ignored. + + * New MulticastFlood=, NeighborSuppression=, and Learning= .network + file settings may be used to tweak bridge behaviour. + + * The new TripleSampling= option in .network files may be used to + configure CAN triple sampling. + + * A new .netdev settings PrivateKeyFile= and PresharedKeyFile= may be + used to point to private or preshared key for a WireGuard interface. + + * /etc/crypttab now supports the same-cpu-crypt and + submit-from-crypt-cpus options to tweak encryption work scheduling + details. + + * systemd-tmpfiles will now take a BSD file lock before operating on a + contents of directory. This may be used to temporarily exclude + directories from aging by taking the same lock (useful for example + when extracting a tarball into /tmp or /var/tmp as a privileged user, + which might create files with really old timestamps, which + nevertheless should not be deleted). For further details, see: + + https://systemd.io/TEMPORARY_DIRECTORIES + + * systemd-tmpfiles' h line type gained support for the + FS_PROJINHERIT_FL ('P') file attribute (introduced in kernel 4.5), + controlling project quota inheritance. + + * sd-boot and bootctl now implement support for an Extended Boot Loader + (XBOOTLDR) partition, that is intended to be mounted to /boot, in + addition to the ESP partition mounted to /efi or /boot/efi. + Configuration file fragments, kernels, initrds and other EFI images + to boot will be loaded from both the ESP and XBOOTLDR partitions. + The XBOOTLDR partition was previously described by the Boot Loader + Specification, but implementation was missing in sd-boot. Support for + this concept allows using the sd-boot boot loader in more + conservative scenarios where the boot loader itself is placed in the + ESP but the kernels to boot (and their metadata) in a separate + partition. + + * A system may now be booted with systemd.volatile=overlay on the + kernel command line, which causes the root file system to be set up + an overlayfs mount combining the root-only root directory with a + writable tmpfs. In this setup, the underlying root device is not + modified, and any changes are lost at reboot. + + * Similar, systemd-nspawn can now boot containers with a volatile + overlayfs root with the new --volatile=overlay switch. + + * systemd-nspawn can now consume OCI runtime bundles using a new + --oci-bundle= option. This implementation is fully usable, with most + features in the specification implemented, but since this a lot of + new code and functionality, this feature should most likely not + be used in production yet. + + * systemd-nspawn now supports various options described by the OCI + runtime specification on the command-line and in .nspawn files: + --inaccessible=/Inaccessible= may be used to mask parts of the file + system tree, --console=/--pipe may be used to configure how standard + input, output, and error are set up. + + * busctl learned the `emit` verb to generate D-Bus signals. + + * systemd-analyze cat-config may be used to gather and display + configuration spread over multiple files, for example system and user + presets, tmpfiles.d, sysusers.d, udev rules, etc. + + * systemd-analyze calendar now takes an optional new parameter + --iterations= which may be used to show a maximum number of iterations + the specified expression will elapse next. + + * The sd-bus C API gained support for naming method parameters in the + introspection data. + + * systemd-logind gained D-Bus APIs to specify the "reboot parameter" + the reboot() system call expects. + + * journalctl learnt a new --cursor-file= option that points to a file + from which a cursor should be loaded in the beginning and to which + the updated cursor should be stored at the end. + + * ACRN hypervisor and Windows Subsystem for Linux (WSL) are now + detected by systemd-detect-virt (and may also be used in + ConditionVirtualization=). + + * The behaviour of systemd-logind may now be modified with environment + variables $SYSTEMD_REBOOT_TO_FIRMWARE_SETUP, + $SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU, and + $SYSTEMD_REBOOT_TO_BOOT_LOADER_ENTRY. They cause logind to either + skip the relevant operation completely (when set to false), or to + create a flag file in /run/systemd (when set to true), instead of + actually commencing the real operation when requested. The presence + of /run/systemd/reboot-to-firmware-setup, + /run/systemd/reboot-to-boot-loader-menu, and + /run/systemd/reboot-to-boot-loader-entry, may be used by alternative + boot loader implementations to replace some steps logind performs + during reboot with their own operations. + + * systemctl can be used to request a reboot into the boot loader menu + or a specific boot loader entry with the new --boot-load-menu= and + --boot-loader-entry= options to a reboot command. (This requires a + boot loader that supports this, for example sd-boot.) + + * kernel-install will no longer unconditionally create the output + directory (e.g. /efi/<machine-id>/<kernel-version>) for boot loader + snippets, but will do only if the machine-specific parent directory + (i.e. /efi/<machine-id>/) already exists. bootctl has been modified + to create this parent directory during sd-boot installation. + + This makes it easier to use kernel-install with plugins which support + a different layout of the bootloader partitions (for example grub2). + + * During package installation (with `ninja install`), we would create + symlinks for getty@tty1.service, systemd-networkd.service, + systemd-networkd.socket, systemd-resolved.service, + remote-cryptsetup.target, remote-fs.target, + systemd-networkd-wait-online.service, and systemd-timesyncd.service + in /etc, as if `systemctl enable` was called for those units, to make + the system usable immediately after installation. Now this is not + done anymore, and instead calling `systemctl preset-all` is + recommended after the first installation of systemd. + + * A new boolean sandboxing option RestrictSUIDSGID= has been added that + is built on seccomp. When turned on creation of SUID/SGID files is + prohibited. + + * The NoNewPrivileges= and the new RestrictSUIDSGID= options are now + implied if DynamicUser= is turned on for a service. This hardens + these services, so that they neither can benefit from nor create + SUID/SGID executables. This is a minor compatibility breakage, given + that when DynamicUser= was first introduced SUID/SGID behaviour was + unaffected. However, the security benefit of these two options is + substantial, and the setting is still relatively new, hence we opted + to make it mandatory for services with dynamic users. + + Contributions from: Adam Jackson, Alexander Tsoy, Andrey Yashkin, + Andrzej Pietrasiewicz, Anita Zhang, Balint Reczey, Beniamino Galvani, + Ben Iofel, Benjamin Berg, Benjamin Dahlhoff, Chris, Chris Morin, + Christopher Wong, Claudius Ellsel, Clemens Gruber, dana, Daniel Black, + Davide Cavalca, David Michael, David Rheinsberg, emersion, Evgeny + Vereshchagin, Filipe Brandenburger, Franck Bui, Frantisek Sumsal, + Giacinto Cifelli, Hans de Goede, Hugo Kindel, Ignat Korchagin, Insun + Pyo, Jan Engelhardt, Jonas Dorel, Jonathan Lebon, Jonathon Kowalski, + Jörg Sommer, Jörg Thalheim, Jussi Pakkanen, Kai-Heng Feng, Lennart + Poettering, Lubomir Rintel, Luís Ferreira, Martin Pitt, Matthias + Klumpp, Michael Biebl, Michael Niewöhner, Michael Olbrich, Michal + Sekletar, Mike Lothian, Paul Menzel, Piotr Drąg, Riccardo Schirone, + Robin Elvedi, Roman Kulikov, Ronald Tschalär, Ross Burton, Ryan + Gonzalez, Sebastian Krzyszkowiak, Stephane Chazelas, StKob, Susant + Sahani, Sylvain Plantefève, Szabolcs Fruhwald, Taro Yamada, Theo + Ouzhinski, Thomas Haller, Tobias Jungel, Tom Yan, Tony Asleson, Topi + Miettinen, unixsysadmin, Van Laser, Vesa Jääskeläinen, Yu, Li-Yu, + Yu Watanabe, Zbigniew Jędrzejewski-Szmek + + — Warsaw, 2019-04-11 + +CHANGES WITH 241: + + * The default locale can now be configured at compile time. Otherwise, + a suitable default will be selected automatically (one of C.UTF-8, + en_US.UTF-8, and C). + + * The version string shown by systemd and other tools now includes the + git commit hash when built from git. An override may be specified + during compilation, which is intended to be used by distributions to + include the package release information. + + * systemd-cat can now filter standard input and standard error streams + for different syslog priorities using the new --stderr-priority= + option. + + * systemd-journald and systemd-journal-remote reject entries which + contain too many fields (CVE-2018-16865) and set limits on the + process' command line length (CVE-2018-16864). + + * $DBUS_SESSION_BUS_ADDRESS environment variable is set by pam_systemd + again. + + * A new network device NamePolicy "keep" is implemented for link files, + and used by default in 99-default.link (the fallback configuration + provided by systemd). With this policy, if the network device name + was already set by userspace, the device will not be renamed again. + This matches the naming scheme that was implemented before + systemd-240. If naming-scheme < 240 is specified, the "keep" policy + is also enabled by default, even if not specified. Effectively, this + means that if naming-scheme >= 240 is specified, network devices will + be renamed according to the configuration, even if they have been + renamed already, if "keep" is not specified as the naming policy in + the .link file. The 99-default.link file provided by systemd includes + "keep" for backwards compatibility, but it is recommended for user + installed .link files to *not* include it. + + The "kernel" policy, which keeps kernel names declared to be + "persistent", now works again as documented. + + * kernel-install script now optionally takes the paths to one or more + initrd files, and passes them to all plugins. + + * The mincore() system call has been dropped from the @system-service + system call filter group, as it is pretty exotic and may potentially + used for side-channel attacks. + + * -fPIE is dropped from compiler and linker options. Please specify + -Db_pie=true option to meson to build position-independent + executables. Note that the meson option is supported since meson-0.49. + + * The fs.protected_regular and fs.protected_fifos sysctls, which were + added in Linux 4.19 to make some data spoofing attacks harder, are + now enabled by default. While this will hopefully improve the + security of most installations, it is technically a backwards + incompatible change; to disable these sysctls again, place the + following lines in /etc/sysctl.d/60-protected.conf or a similar file: + + fs.protected_regular = 0 + fs.protected_fifos = 0 + + Note that the similar hardlink and symlink protection has been + enabled since v199, and may be disabled likewise. + + * The files read from the EnvironmentFile= setting in unit files now + parse backslashes inside quotes literally, matching the behaviour of + POSIX shells. + + * udevadm trigger, udevadm control, udevadm settle and udevadm monitor + now automatically become NOPs when run in a chroot() environment. + + * The tmpfiles.d/ "C" line type will now copy directory trees not only + when the destination is so far missing, but also if it already exists + as a directory and is empty. This is useful to cater for systems + where directory trees are put together from multiple separate mount + points but otherwise empty. + + * A new function sd_bus_close_unref() (and the associated + sd_bus_close_unrefp()) has been added to libsystemd, that combines + sd_bus_close() and sd_bus_unref() in one. + + * udevadm control learnt a new option for --ping for testing whether a + systemd-udevd instance is running and reacting. + + * udevadm trigger learnt a new option for --wait-daemon for waiting + systemd-udevd daemon to be initialized. + + Contributions from: Aaron Plattner, Alberts Muktupāvels, Alex Mayer, + Ayman Bagabas, Beniamino Galvani, Burt P, Chris Down, Chris Lamb, Chris + Morin, Christian Hesse, Claudius Ellsel, dana, Daniel Axtens, Daniele + Medri, Dave Reisner, David Santamaría Rogado, Diego Canuhe, Dimitri + John Ledkov, Evgeny Vereshchagin, Fabrice Fontaine, Filipe + Brandenburger, Franck Bui, Frantisek Sumsal, govwin, Hans de Goede, + James Hilliard, Jan Engelhardt, Jani Uusitalo, Jan Janssen, Jan + Synacek, Jonathan McDowell, Jonathan Roemer, Jonathon Kowalski, Joost + Heitbrink, Jörg Thalheim, Lance, Lennart Poettering, Louis Taylor, + Lucas Werkmeister, Mantas Mikulėnas, Marc-Antoine Perennou, + marvelousblack, Michael Biebl, Michael Sloan, Michal Sekletar, Mike + Auty, Mike Gilbert, Mikhail Kasimov, Neil Brown, Niklas Hambüchen, + Patrick Williams, Paul Seyfert, Peter Hutterer, Philip Withnall, Roger + James, Ronnie P. Thomas, Ryan Gonzalez, Sam Morris, Stephan Edel, + Stephan Gerhold, Susant Sahani, Taro Yamada, Thomas Haller, Topi + Miettinen, YiFei Zhu, YmrDtnJu, YunQiang Su, Yu Watanabe, Zbigniew + Jędrzejewski-Szmek, zsergeant77, Дамјан Георгиевски + + — Berlin, 2019-02-14 + +CHANGES WITH 240: + + * NoNewPrivileges=yes has been set for all long-running services + implemented by systemd. Previously, this was problematic due to + SELinux (as this would also prohibit the transition from PID1's label + to the service's label). This restriction has since been lifted, but + an SELinux policy update is required. + (See e.g. https://github.com/fedora-selinux/selinux-policy/pull/234.) + + * DynamicUser=yes is dropped from systemd-networkd.service, + systemd-resolved.service and systemd-timesyncd.service, which was + enabled in v239 for systemd-networkd.service and systemd-resolved.service, + and since v236 for systemd-timesyncd.service. The users and groups + systemd-network, systemd-resolve and systemd-timesync are created + by systemd-sysusers again. Distributors or system administrators + may need to create these users and groups if they not exist (or need + to re-enable DynamicUser= for those units) while upgrading systemd. + Also, the clock file for systemd-timesyncd may need to move from + /var/lib/private/systemd/timesync/clock to /var/lib/systemd/timesync/clock. + + * When unit files are loaded from disk, previously systemd would + sometimes (depending on the unit loading order) load units from the + target path of symlinks in .wants/ or .requires/ directories of other + units. This meant that unit could be loaded from different paths + depending on whether the unit was requested explicitly or as a + dependency of another unit, not honouring the priority of directories + in search path. It also meant that it was possible to successfully + load and start units which are not found in the unit search path, as + long as they were requested as a dependency and linked to from + .wants/ or .requires/. The target paths of those symlinks are not + used for loading units anymore and the unit file must be found in + the search path. + + * A new service type has been added: Type=exec. It's very similar to + Type=simple but ensures the service manager will wait for both fork() + and execve() of the main service binary to complete before proceeding + with follow-up units. This is primarily useful so that the manager + propagates any errors in the preparation phase of service execution + back to the job that requested the unit to be started. For example, + consider a service that has ExecStart= set to a file system binary + that doesn't exist. With Type=simple starting the unit would be + considered instantly successful, as only fork() has to complete + successfully and the manager does not wait for execve(), and hence + its failure is seen "too late". With the new Type=exec service type + starting the unit will fail, as the manager will wait for the + execve() and notice its failure, which is then propagated back to the + start job. + + NOTE: with the next release 241 of systemd we intend to change the + systemd-run tool to default to Type=exec for transient services + started by it. This should be mostly safe, but in specific corner + cases might result in problems, as the systemd-run tool will then + block on NSS calls (such as user name look-ups due to User=) done + between the fork() and execve(), which under specific circumstances + might cause problems. It is recommended to specify "-p Type=simple" + explicitly in the few cases where this applies. For regular, + non-transient services (i.e. those defined with unit files on disk) + we will continue to default to Type=simple. + + * The Linux kernel's current default RLIMIT_NOFILE resource limit for + userspace processes is set to 1024 (soft) and 4096 + (hard). Previously, systemd passed this on unmodified to all + processes it forked off. With this systemd release the hard limit + systemd passes on is increased to 512K, overriding the kernel's + defaults and substantially increasing the number of simultaneous file + descriptors unprivileged userspace processes can allocate. Note that + the soft limit remains at 1024 for compatibility reasons: the + traditional UNIX select() call cannot deal with file descriptors >= + 1024 and increasing the soft limit globally might thus result in + programs unexpectedly allocating a high file descriptor and thus + failing abnormally when attempting to use it with select() (of + course, programs shouldn't use select() anymore, and prefer + poll()/epoll, but the call unfortunately remains undeservedly popular + at this time). This change reflects the fact that file descriptor + handling in the Linux kernel has been optimized in more recent + kernels and allocating large numbers of them should be much cheaper + both in memory and in performance than it used to be. Programs that + want to take benefit of the increased limit have to "opt-in" into + high file descriptors explicitly by raising their soft limit. Of + course, when they do that they must acknowledge that they cannot use + select() anymore (and neither can any shared library they use — or + any shared library used by any shared library they use and so on). + Which default hard limit is most appropriate is of course hard to + decide. However, given reports that ~300K file descriptors are used + in real-life applications we believe 512K is sufficiently high as new + default for now. Note that there are also reports that using very + high hard limits (e.g. 1G) is problematic: some software allocates + large arrays with one element for each potential file descriptor + (Java, …) — a high hard limit thus triggers excessively large memory + allocations in these applications. Hopefully, the new default of 512K + is a good middle ground: higher than what real-life applications + currently need, and low enough for avoid triggering excessively large + allocations in problematic software. (And yes, somebody should fix + Java.) + + * The fs.nr_open and fs.file-max sysctls are now automatically bumped + to the highest possible values, as separate accounting of file + descriptors is no longer necessary, as memcg tracks them correctly as + part of the memory accounting anyway. Thus, from the four limits on + file descriptors currently enforced (fs.file-max, fs.nr_open, + RLIMIT_NOFILE hard, RLIMIT_NOFILE soft) we turn off the first two, + and keep only the latter two. A set of build-time options + (-Dbump-proc-sys-fs-file-max=false and -Dbump-proc-sys-fs-nr-open=false) + has been added to revert this change in behaviour, which might be + an option for systems that turn off memcg in the kernel. + + * When no /etc/locale.conf file exists (and hence no locale settings + are in place), systemd will now use the "C.UTF-8" locale by default, + and set LANG= to it. This locale is supported by various + distributions including Fedora, with clear indications that upstream + glibc is going to make it available too. This locale enables UTF-8 + mode by default, which appears appropriate for 2018. + + * The "net.ipv4.conf.all.rp_filter" sysctl will now be set to 2 by + default. This effectively switches the RFC3704 Reverse Path filtering + from Strict mode to Loose mode. This is more appropriate for hosts + that have multiple links with routes to the same networks (e.g. + a client with a Wi-Fi and Ethernet both connected to the internet). + + Consult the kernel documentation for details on this sysctl: + https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt + + * CPUAccounting=yes no longer enables the CPU controller when using + kernel 4.15+ and the unified cgroup hierarchy, as required accounting + statistics are now provided independently from the CPU controller. + + * Support for disabling a particular cgroup controller within a sub-tree + has been added through the DisableControllers= directive. + + * cgroup_no_v1=all on the kernel command line now also implies + using the unified cgroup hierarchy, unless one explicitly passes + systemd.unified_cgroup_hierarchy=0 on the kernel command line. + + * The new "MemoryMin=" unit file property may now be used to set the + memory usage protection limit of processes invoked by the unit. This + controls the cgroup v2 memory.min attribute. Similarly, the new + "IODeviceLatencyTargetSec=" property has been added, wrapping the new + cgroup v2 io.latency cgroup property for configuring per-service I/O + latency. + + * systemd now supports the cgroup v2 devices BPF logic, as counterpart + to the cgroup v1 "devices" cgroup controller. + + * systemd-escape now is able to combine --unescape with --template. It + also learnt a new option --instance for extracting and unescaping the + instance part of a unit name. + + * sd-bus now provides the sd_bus_message_readv() which is similar to + sd_bus_message_read() but takes a va_list object. The pair + sd_bus_set_method_call_timeout() and sd_bus_get_method_call_timeout() + has been added for configuring the default method call timeout to + use. sd_bus_error_move() may be used to efficiently move the contents + from one sd_bus_error structure to another, invalidating the + source. sd_bus_set_close_on_exit() and sd_bus_get_close_on_exit() may + be used to control whether a bus connection object is automatically + flushed when an sd-event loop is exited. + + * When processing classic BSD syslog log messages, journald will now + save the original time-stamp string supplied in the new + SYSLOG_TIMESTAMP= journal field. This permits consumers to + reconstruct the original BSD syslog message more correctly. + + * StandardOutput=/StandardError= in service files gained support for + new "append:…" parameters, for connecting STDOUT/STDERR of a service + to a file, and appending to it. + + * The signal to use as last step of killing of unit processes is now + configurable. Previously it was hard-coded to SIGKILL, which may now + be overridden with the new KillSignal= setting. Note that this is the + signal used when regular termination (i.e. SIGTERM) does not suffice. + Similarly, the signal used when aborting a program in case of a + watchdog timeout may now be configured too (WatchdogSignal=). + + * The XDG_SESSION_DESKTOP environment variable may now be configured in + the pam_systemd argument line, using the new desktop= switch. This is + useful to initialize it properly from a display manager without + having to touch C code. + + * Most configuration options that previously accepted percentage values + now also accept permille values with the '‰' suffix (instead of '%'). + + * systemd-resolved may now optionally use OpenSSL instead of GnuTLS for + DNS-over-TLS. + + * systemd-resolved's configuration file resolved.conf gained a new + option ReadEtcHosts= which may be used to turn off processing and + honoring /etc/hosts entries. + + * The "--wait" switch may now be passed to "systemctl + is-system-running", in which case the tool will synchronously wait + until the system finished start-up. + + * hostnamed gained a new bus call to determine the DMI product UUID. + + * On x86-64 systemd will now prefer using the RDRAND processor + instruction over /dev/urandom whenever it requires randomness that + neither has to be crypto-grade nor should be reproducible. This + should substantially reduce the amount of entropy systemd requests + from the kernel during initialization on such systems, though not + reduce it to zero. (Why not zero? systemd still needs to allocate + UUIDs and such uniquely, which require high-quality randomness.) + + * networkd gained support for Foo-Over-UDP, ERSPAN and ISATAP + tunnels. It also gained a new option ForceDHCPv6PDOtherInformation= + for forcing the "Other Information" bit in IPv6 RA messages. The + bonding logic gained four new options AdActorSystemPriority=, + AdUserPortKey=, AdActorSystem= for configuring various 802.3ad + aspects, and DynamicTransmitLoadBalancing= for enabling dynamic + shuffling of flows. The tunnel logic gained a new + IPv6RapidDeploymentPrefix= option for configuring IPv6 Rapid + Deployment. The policy rule logic gained four new options IPProtocol=, + SourcePort= and DestinationPort=, InvertRule=. The bridge logic gained + support for the MulticastToUnicast= option. networkd also gained + support for configuring static IPv4 ARP or IPv6 neighbor entries. + + * .preset files (as read by 'systemctl preset') may now be used to + instantiate services. + + * /etc/crypttab now understands the sector-size= option to configure + the sector size for an encrypted partition. + + * Key material for encrypted disks may now be placed on a formatted + medium, and referenced from /etc/crypttab by the UUID of the file + system, followed by "=" suffixed by the path to the key file. + + * The "collect" udev component has been removed without replacement, as + it is neither used nor maintained. + + * When the RuntimeDirectory=, StateDirectory=, CacheDirectory=, + LogsDirectory=, ConfigurationDirectory= settings are used in a + service the executed processes will now receive a set of environment + variables containing the full paths of these directories. + Specifically, RUNTIME_DIRECTORY=, STATE_DIRECTORY, CACHE_DIRECTORY, + LOGS_DIRECTORY, CONFIGURATION_DIRECTORY are now set if these options + are used. Note that these options may be used multiple times per + service in which case the resulting paths will be concatenated and + separated by colons. + + * Predictable interface naming has been extended to cover InfiniBand + NICs. They will be exposed with an "ib" prefix. + + * tmpfiles.d/ line types may now be suffixed with a '-' character, in + which case the respective line failing is ignored. + + * .link files may now be used to configure the equivalent to the + "ethtool advertise" commands. + + * The sd-device.h and sd-hwdb.h APIs are now exported, as an + alternative to libudev.h. Previously, the latter was just an internal + wrapper around the former, but now these two APIs are exposed + directly. + + * sd-id128.h gained a new function sd_id128_get_boot_app_specific() + which calculates an app-specific boot ID similar to how + sd_id128_get_machine_app_specific() generates an app-specific machine + ID. + + * A new tool systemd-id128 has been added that can be used to determine + and generate various 128bit IDs. + + * /etc/os-release gained two new standardized fields DOCUMENTATION_URL= + and LOGO=. + + * systemd-hibernate-resume-generator will now honor the "noresume" + kernel command line option, in which case it will bypass resuming + from any hibernated image. + + * The systemd-sleep.conf configuration file gained new options + AllowSuspend=, AllowHibernation=, AllowSuspendThenHibernate=, + AllowHybridSleep= for prohibiting specific sleep modes even if the + kernel exports them. + + * portablectl is now officially supported and has thus moved to + /usr/bin/. + + * bootctl learnt the two new commands "set-default" and "set-oneshot" + for setting the default boot loader item to boot to (either + persistently or only for the next boot). This is currently only + compatible with sd-boot, but may be implemented on other boot loaders + too, that follow the boot loader interface. The updated interface is + now documented here: + + https://systemd.io/BOOT_LOADER_INTERFACE + + * A new kernel command line option systemd.early_core_pattern= is now + understood which may be used to influence the core_pattern PID 1 + installs during early boot. + + * busctl learnt two new options -j and --json= for outputting method + call replies, properties and monitoring output in JSON. + + * journalctl's JSON output now supports simple ANSI coloring as well as + a new "json-seq" mode for generating RFC7464 output. + + * Unit files now support the %g/%G specifiers that resolve to the UNIX + group/GID of the service manager runs as, similar to the existing + %u/%U specifiers that resolve to the UNIX user/UID. + + * systemd-logind learnt a new global configuration option + UserStopDelaySec= that may be set in logind.conf. It specifies how + long the systemd --user instance shall remain started after a user + logs out. This is useful to speed up repetitive re-connections of the + same user, as it means the user's service manager doesn't have to be + stopped/restarted on each iteration, but can be reused between + subsequent options. This setting defaults to 10s. systemd-logind also + exports two new properties on its Manager D-Bus objects indicating + whether the system's lid is currently closed, and whether the system + is on AC power. + + * systemd gained support for a generic boot counting logic, which + generically permits automatic reverting to older boot loader entries + if newer updated ones don't work. The boot loader side is implemented + in sd-boot, but is kept open for other boot loaders too. For details + see: + + https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT + + * The SuccessAction=/FailureAction= unit file settings now learnt two + new parameters: "exit" and "exit-force", which result in immediate + exiting of the service manager, and are only useful in systemd --user + and container environments. + + * Unit files gained support for a pair of options + FailureActionExitStatus=/SuccessActionExitStatus= for configuring the + exit status to use as service manager exit status when + SuccessAction=/FailureAction= is set to exit or exit-force. + + * A pair of LogRateLimitIntervalSec=/LogRateLimitBurst= per-service + options may now be used to configure the log rate limiting applied by + journald per-service. + + * systemd-analyze gained a new verb "timespan" for parsing and + normalizing time span values (i.e. strings like "5min 7s 8us"). + + * systemd-analyze also gained a new verb "security" for analyzing the + security and sand-boxing settings of services in order to determine an + "exposure level" for them, indicating whether a service would benefit + from more sand-boxing options turned on for them. + + * "systemd-analyze syscall-filter" will now also show system calls + supported by the local kernel but not included in any of the defined + groups. + + * .nspawn files now understand the Ephemeral= setting, matching the + --ephemeral command line switch. + + * sd-event gained the new APIs sd_event_source_get_floating() and + sd_event_source_set_floating() for controlling whether a specific + event source is "floating", i.e. destroyed along with the even loop + object itself. + + * Unit objects on D-Bus gained a new "Refs" property that lists all + clients that currently have a reference on the unit (to ensure it is + not unloaded). + + * The JoinControllers= option in system.conf is no longer supported, as + it didn't work correctly, is hard to support properly, is legacy (as + the concept only exists on cgroup v1) and apparently wasn't used. + + * Journal messages that are generated whenever a unit enters the failed + state are now tagged with a unique MESSAGE_ID. Similarly, messages + generated whenever a service process exits are now made recognizable, + too. A tagged message is also emitted whenever a unit enters the + "dead" state on success. + + * systemd-run gained a new switch --working-directory= for configuring + the working directory of the service to start. A shortcut -d is + equivalent, setting the working directory of the service to the + current working directory of the invoking program. The new --shell + (or just -S) option has been added for invoking the $SHELL of the + caller as a service, and implies --pty --same-dir --wait --collect + --service-type=exec. Or in other words, "systemd-run -S" is now the + quickest way to quickly get an interactive in a fully clean and + well-defined system service context. + + * machinectl gained a new verb "import-fs" for importing an OS tree + from a directory. Moreover, when a directory or tarball is imported + and single top-level directory found with the OS itself below the OS + tree is automatically mangled and moved one level up. + + * systemd-importd will no longer set up an implicit btrfs loop-back + file system on /var/lib/machines. If one is already set up, it will + continue to be used. + + * A new generator "systemd-run-generator" has been added. It will + synthesize a unit from one or more program command lines included in + the kernel command line. This is very useful in container managers + for example: + + # systemd-nspawn -i someimage.raw -b systemd.run='"some command line"' + + This will run "systemd-nspawn" on an image, invoke the specified + command line and immediately shut down the container again, returning + the command line's exit code. + + * The block device locking logic is now documented: + + https://systemd.io/BLOCK_DEVICE_LOCKING + + * loginctl and machinectl now optionally output the various tables in + JSON using the --output= switch. It is our intention to add similar + support to systemctl and all other commands. + + * udevadm's query and trigger verb now optionally take a .device unit + name as argument. + + * systemd-udevd's network naming logic now understands a new + net.naming-scheme= kernel command line switch, which may be used to + pick a specific version of the naming scheme. This helps stabilizing + interface names even as systemd/udev are updated and the naming logic + is improved. + + * sd-id128.h learnt two new auxiliary helpers: sd_id128_is_allf() and + SD_ID128_ALLF to test if a 128bit ID is set to all 0xFF bytes, and to + initialize one to all 0xFF. + + * After loading the SELinux policy systemd will now recursively relabel + all files and directories listed in + /run/systemd/relabel-extra.d/*.relabel (which should be simple + newline separated lists of paths) in addition to the ones it already + implicitly relabels in /run, /dev and /sys. After the relabelling is + completed the *.relabel files (and /run/systemd/relabel-extra.d/) are + removed. This is useful to permit initrds (i.e. code running before + the SELinux policy is in effect) to generate files in the host + filesystem safely and ensure that the correct label is applied during + the transition to the host OS. + + * KERNEL API BREAKAGE: Linux kernel 4.18 changed behaviour regarding + mknod() handling in user namespaces. Previously mknod() would always + fail with EPERM in user namespaces. Since 4.18 mknod() will succeed + but device nodes generated that way cannot be opened, and attempts to + open them result in EPERM. This breaks the "graceful fallback" logic + in systemd's PrivateDevices= sand-boxing option. This option is + implemented defensively, so that when systemd detects it runs in a + restricted environment (such as a user namespace, or an environment + where mknod() is blocked through seccomp or absence of CAP_SYS_MKNOD) + where device nodes cannot be created the effect of PrivateDevices= is + bypassed (following the logic that 2nd-level sand-boxing is not + essential if the system systemd runs in is itself already sand-boxed + as a whole). This logic breaks with 4.18 in container managers where + user namespacing is used: suddenly PrivateDevices= succeeds setting + up a private /dev/ file system containing devices nodes — but when + these are opened they don't work. + + At this point it is recommended that container managers utilizing + user namespaces that intend to run systemd in the payload explicitly + block mknod() with seccomp or similar, so that the graceful fallback + logic works again. + + We are very sorry for the breakage and the requirement to change + container configurations for newer kernels. It's purely caused by an + incompatible kernel change. The relevant kernel developers have been + notified about this userspace breakage quickly, but they chose to + ignore it. + + * PermissionsStartOnly= setting is deprecated (but is still supported + for backwards compatibility). The same functionality is provided by + the more flexible "+", "!", and "!!" prefixes to ExecStart= and other + commands. + + * $DBUS_SESSION_BUS_ADDRESS environment variable is not set by + pam_systemd anymore. + + * The naming scheme for network devices was changed to always rename + devices, even if they were already renamed by userspace. The "kernel" + policy was changed to only apply as a fallback, if no other naming + policy took effect. + + * The requirements to build systemd is bumped to meson-0.46 and + python-3.5. + + Contributions from: afg, Alan Jenkins, Aleksei Timofeyev, Alexander + Filippov, Alexander Kurtz, Alexey Bogdanenko, Andreas Henriksson, + Andrew Jorgensen, Anita Zhang, apnix-uk, Arkan49, Arseny Maslennikov, + asavah, Asbjørn Apeland, aszlig, Bastien Nocera, Ben Boeckel, Benedikt + Morbach, Benjamin Berg, Bruce Zhang, Carlo Caione, Cedric Viou, Chen + Qi, Chris Chiu, Chris Down, Chris Morin, Christian Rebischke, Claudius + Ellsel, Colin Guthrie, dana, Daniel, Daniele Medri, Daniel Kahn + Gillmor, Daniel Rusek, Daniel van Vugt, Dariusz Gadomski, Dave Reisner, + David Anderson, Davide Cavalca, David Leeds, David Malcolm, David + Strauss, David Tardon, Dimitri John Ledkov, Dmitry Torokhov, dj-kaktus, + Dongsu Park, Elias Probst, Emil Soleyman, Erik Kooistra, Ervin Peters, + Evgeni Golov, Evgeny Vereshchagin, Fabrice Fontaine, Faheel Ahmad, + Faizal Luthfi, Felix Yan, Filipe Brandenburger, Franck Bui, Frank + Schaefer, Frantisek Sumsal, Gautier Husson, Gianluca Boiano, Giuseppe + Scrivano, glitsj16, Hans de Goede, Harald Hoyer, Harry Mallon, Harshit + Jain, Helmut Grohne, Henry Tung, Hui Yiqun, imayoda, Insun Pyo, Iwan + Timmer, Jan Janssen, Jan Pokorný, Jan Synacek, Jason A. Donenfeld, + javitoom, Jérémy Nouhaud, Jeremy Su, Jiuyang Liu, João Paulo Rechi + Vita, Joe Hershberger, Joe Rayhawk, Joerg Behrmann, Joerg Steffens, + Jonas Dorel, Jon Ringle, Josh Soref, Julian Andres Klode, Jun Bo Bi, + Jürg Billeter, Keith Busch, Khem Raj, Kirill Marinushkin, Larry + Bernstone, Lennart Poettering, Lion Yang, Li Song, Lorenz + Hübschle-Schneider, Lubomir Rintel, Lucas Werkmeister, Ludwin Janvier, + Lukáš Nykrýn, Luke Shumaker, mal, Marc-Antoine Perennou, Marcin + Skarbek, Marco Trevisan (Treviño), Marian Cepok, Mario Hros, Marko + Myllynen, Markus Grimm, Martin Pitt, Martin Sobotka, Martin Wilck, + Mathieu Trudel-Lapierre, Matthew Leeds, Michael Biebl, Michael Olbrich, + Michael 'pbone' Pobega, Michael Scherer, Michal Koutný, Michal + Sekletar, Michal Soltys, Mike Gilbert, Mike Palmer, Muhammet Kara, Neal + Gompa, Neil Brown, Network Silence, Niklas Tibbling, Nikolas Nyby, + Nogisaka Sadata, Oliver Smith, Patrik Flykt, Pavel Hrdina, Paweł + Szewczyk, Peter Hutterer, Piotr Drąg, Ray Strode, Reinhold Mueller, + Renaud Métrich, Roman Gushchin, Ronny Chevalier, Rubén Suárez Alvarez, + Ruixin Bao, RussianNeuroMancer, Ryutaroh Matsumoto, Saleem Rashid, Sam + Morris, Samuel Morris, Sandy Carter, scootergrisen, Sébastien Bacher, + Sergey Ptashnick, Shawn Landden, Shengyao Xue, Shih-Yuan Lee + (FourDollars), Silvio Knizek, Sjoerd Simons, Stasiek Michalski, Stephen + Gallagher, Steven Allen, Steve Ramage, Susant Sahani, Sven Joachim, + Sylvain Plantefève, Tanu Kaskinen, Tejun Heo, Thiago Macieira, Thomas + Blume, Thomas Haller, Thomas H. P. Andersen, Tim Ruffing, TJ, Tobias + Jungel, Todd Walton, Tommi Rantala, Tomsod M, Tony Novak, Tore + Anderson, Trevonn, Victor Laskurain, Victor Tapia, Violet Halo, Vojtech + Trefny, welaq, William A. Kennington III, William Douglas, Wyatt Ward, + Xiang Fan, Xi Ruoyao, Xuanwo, Yann E. Morin, YmrDtnJu, Yu Watanabe, + Zbigniew Jędrzejewski-Szmek, Zhang Xianwei, Zsolt Dollenstein + + — Warsaw, 2018-12-21 + +CHANGES WITH 239: + + * NETWORK INTERFACE DEVICE NAMING CHANGES: systemd-udevd's "net_id" + builtin will name network interfaces differently than in previous + versions for virtual network interfaces created with SR-IOV and NPAR + and for devices where the PCI network controller device does not have + a slot number associated. + + SR-IOV virtual devices are now named based on the name of the parent + interface, with a suffix of "v<N>", where <N> is the virtual device + number. Previously those virtual devices were named as if completely + independent. + + The ninth and later NPAR virtual devices will be named following the + scheme used for the first eight NPAR partitions. Previously those + devices were not renamed and the kernel default (eth<n>) was used. + + "net_id" will also generate names for PCI devices where the PCI + network controller device does not have an associated slot number + itself, but one of its parents does. Previously those devices were + not renamed and the kernel default (eth<n>) was used. + + * AF_INET and AF_INET6 are dropped from RestrictAddressFamilies= in + systemd-logind.service. Since v235, IPAddressDeny=any has been set to + the unit. So, it is expected that the default behavior of + systemd-logind is not changed. However, if distribution packagers or + administrators disabled or modified IPAddressDeny= setting by a + drop-in config file, then it may be necessary to update the file to + re-enable AF_INET and AF_INET6 to support network user name services, + e.g. NIS. + + * When the RestrictNamespaces= unit property is specified multiple + times, then the specified types are merged now. Previously, only the + last assignment was used. So, if distribution packagers or + administrators modified the setting by a drop-in config file, then it + may be necessary to update the file. + + * When OnFailure= is used in combination with Restart= on a service + unit, then the specified units will no longer be triggered on + failures that result in restarting. Previously, the specified units + would be activated each time the unit failed, even when the unit was + going to be restarted automatically. This behaviour contradicted the + documentation. With this release the code is adjusted to match the + documentation. + + * systemd-tmpfiles will now print a notice whenever it encounters + tmpfiles.d/ lines referencing the /var/run/ directory. It will + recommend reworking them to use the /run/ directory instead (for + which /var/run/ is simply a symlinked compatibility alias). This way + systemd-tmpfiles can properly detect line conflicts and merge lines + referencing the same file by two paths, without having to access + them. + + * systemctl disable/unmask/preset/preset-all cannot be used with + --runtime. Previously this was allowed, but resulted in unintuitive + behaviour that wasn't useful. systemctl disable/unmask will now undo + both runtime and persistent enablement/masking, i.e. it will remove + any relevant symlinks both in /run and /etc. + + * Note that all long-running system services shipped with systemd will + now default to a system call allow list (rather than a deny list, as + before). In particular, systemd-udevd will now enforce one too. For + most cases this should be safe, however downstream distributions + which disabled sandboxing of systemd-udevd (specifically the + MountFlags= setting), might want to disable this security feature + too, as the default allow-listing will prohibit all mount, swap, + reboot and clock changing operations from udev rules. + + * sd-boot acquired new loader configuration settings to optionally turn + off Windows and MacOS boot partition discovery as well as + reboot-into-firmware menu items. It is also able to pick a better + screen resolution for HiDPI systems, and now provides loader + configuration settings to change the resolution explicitly. + + * systemd-resolved now supports DNS-over-TLS. It's still + turned off by default, use DNSOverTLS=opportunistic to turn it on in + resolved.conf. We intend to make this the default as soon as couple + of additional techniques for optimizing the initial latency caused by + establishing a TLS/TCP connection are implemented. + + * systemd-resolved.service and systemd-networkd.service now set + DynamicUser=yes. The users systemd-resolve and systemd-network are + not created by systemd-sysusers anymore. + + NOTE: This has a chance of breaking nss-ldap and similar NSS modules + that embed a network facing module into any process using getpwuid() + or related call: the dynamic allocation of the user ID for + systemd-resolved.service means the service manager has to check NSS + if the user name is already taken when forking off the service. Since + the user in the common case won't be defined in /etc/passwd the + lookup is likely to trigger nss-ldap which in turn might use NSS to + ask systemd-resolved for hostname lookups. This will hence result in + a deadlock: a user name lookup in order to start + systemd-resolved.service will result in a hostname lookup for which + systemd-resolved.service needs to be started already. There are + multiple ways to work around this problem: pre-allocate the + "systemd-resolve" user on such systems, so that nss-ldap won't be + triggered; or use a different NSS package that doesn't do networking + in-process but provides a local asynchronous name cache; or configure + the NSS package to avoid lookups for UIDs in the range `pkg-config + systemd --variable=dynamicuidmin` … `pkg-config systemd + --variable=dynamicuidmax`, so that it does not consider itself + authoritative for the same UID range systemd allocates dynamic users + from. + + * The systemd-resolve tool has been renamed to resolvectl (it also + remains available under the old name, for compatibility), and its + interface is now verb-based, similar in style to the other <xyz>ctl + tools, such as systemctl or loginctl. + + * The resolvectl/systemd-resolve tool also provides 'resolvconf' + compatibility. It may be symlinked under the 'resolvconf' name, in + which case it will take arguments and input compatible with the + Debian and FreeBSD resolvconf tool. + + * Support for suspend-then-hibernate has been added, i.e. a sleep mode + where the system initially suspends, and after a timeout resumes and + hibernates again. + + * networkd's ClientIdentifier= now accepts a new option "duid-only". If + set the client will only send a DUID as client identifier. + + * The nss-systemd glibc NSS module will now enumerate dynamic users and + groups in effect. Previously, it could resolve UIDs/GIDs to user + names/groups and vice versa, but did not support enumeration. + + * journald's Compress= configuration setting now optionally accepts a + byte threshold value. All journal objects larger than this threshold + will be compressed, smaller ones will not. Previously this threshold + was not configurable and set to 512. + + * A new system.conf setting NoNewPrivileges= is now available which may + be used to turn off acquisition of new privileges system-wide + (i.e. set Linux' PR_SET_NO_NEW_PRIVS for PID 1 itself, and thus also + for all its children). Note that turning this option on means setuid + binaries and file system capabilities lose their special powers. + While turning on this option is a big step towards a more secure + system, doing so is likely to break numerous pre-existing UNIX tools, + in particular su and sudo. + + * A new service systemd-time-sync-wait.service has been added. If + enabled it will delay the time-sync.target unit at boot until time + synchronization has been received from the network. This + functionality is useful on systems lacking a local RTC or where it is + acceptable that the boot process shall be delayed by external network + services. + + * When hibernating, systemd will now inform the kernel of the image + write offset, on kernels new enough to support this. This means swap + files should work for hibernation now. + + * When loading unit files, systemd will now look for drop-in unit files + extensions in additional places. Previously, for a unit file name + "foo-bar-baz.service" it would look for dropin files in + "foo-bar-baz.service.d/*.conf". Now, it will also look in + "foo-bar-.service.d/*.conf" and "foo-.service.d/", i.e. at the + service name truncated after all inner dashes. This scheme allows + writing drop-ins easily that apply to a whole set of unit files at + once. It's particularly useful for mount and slice units (as their + naming is prefix based), but is also useful for service and other + units, for packages that install multiple unit files at once, + following a strict naming regime of beginning the unit file name with + the package's name. Two new specifiers are now supported in unit + files to match this: %j and %J are replaced by the part of the unit + name following the last dash. + + * Unit files and other configuration files that support specifier + expansion now understand another three new specifiers: %T and %V will + resolve to /tmp and /var/tmp respectively, or whatever temporary + directory has been set for the calling user. %E will expand to either + /etc (for system units) or $XDG_CONFIG_HOME (for user units). + + * The ExecStart= lines of unit files are no longer required to + reference absolute paths. If non-absolute paths are specified the + specified binary name is searched within the service manager's + built-in $PATH, which may be queried with 'systemd-path + search-binaries-default'. It's generally recommended to continue to + use absolute paths for all binaries specified in unit files. + + * Units gained a new load state "bad-setting", which is used when a + unit file was loaded, but contained fatal errors which prevent it + from being started (for example, a service unit has been defined + lacking both ExecStart= and ExecStop= lines). + + * coredumpctl's "gdb" verb has been renamed to "debug", in order to + support alternative debuggers, for example lldb. The old name + continues to be available however, for compatibility reasons. Use the + new --debugger= switch or the $SYSTEMD_DEBUGGER environment variable + to pick an alternative debugger instead of the default gdb. + + * systemctl and the other tools will now output escape sequences that + generate proper clickable hyperlinks in various terminal emulators + where useful (for example, in the "systemctl status" output you can + now click on the unit file name to quickly open it in the + editor/viewer of your choice). Note that not all terminal emulators + support this functionality yet, but many do. Unfortunately, the + "less" pager doesn't support this yet, hence this functionality is + currently automatically turned off when a pager is started (which + happens quite often due to auto-paging). We hope to remove this + limitation as soon as "less" learns these escape sequences. This new + behaviour may also be turned off explicitly with the $SYSTEMD_URLIFY + environment variable. For details on these escape sequences see: + https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3cb5feda + + * networkd's .network files now support a new IPv6MTUBytes= option for + setting the MTU used by IPv6 explicitly as well as a new MTUBytes= + option in the [Route] section to configure the MTU to use for + specific routes. It also gained support for configuration of the DHCP + "UserClass" option through the new UserClass= setting. It gained + three new options in the new [CAN] section for configuring CAN + networks. The MULTICAST and ALLMULTI interface flags may now be + controlled explicitly with the new Multicast= and AllMulticast= + settings. + + * networkd will now automatically make use of the kernel's route + expiration feature, if it is available. + + * udevd's .link files now support setting the number of receive and + transmit channels, using the RxChannels=, TxChannels=, + OtherChannels=, CombinedChannels= settings. + + * Support for UDPSegmentationOffload= has been removed, given its + limited support in hardware, and waning software support. + + * networkd's .netdev files now support creating "netdevsim" interfaces. + + * PID 1 learnt a new bus call GetUnitByControlGroup() which may be used + to query the unit belonging to a specific kernel control group. + + * systemd-analyze gained a new verb "cat-config", which may be used to + dump the contents of any configuration file, with all its matching + drop-in files added in, and honouring the usual search and masking + logic applied to systemd configuration files. For example use + "systemd-analyze cat-config systemd/system.conf" to get the complete + system configuration file of systemd how it would be loaded by PID 1 + itself. Similar to this, various tools such as systemd-tmpfiles or + systemd-sysusers, gained a new option "--cat-config", which does the + corresponding operation for their own configuration settings. For + example, "systemd-tmpfiles --cat-config" will now output the full + list of tmpfiles.d/ lines in place. + + * timedatectl gained three new verbs: "show" shows bus properties of + systemd-timedated, "timesync-status" shows the current NTP + synchronization state of systemd-timesyncd, and "show-timesync" + shows bus properties of systemd-timesyncd. + + * systemd-timesyncd gained a bus interface on which it exposes details + about its state. + + * A new environment variable $SYSTEMD_TIMEDATED_NTP_SERVICES is now + understood by systemd-timedated. It takes a colon-separated list of + unit names of NTP client services. The list is used by + "timedatectl set-ntp". + + * systemd-nspawn gained a new --rlimit= switch for setting initial + resource limits for the container payload. There's a new switch + --hostname= to explicitly override the container's hostname. A new + --no-new-privileges= switch may be used to control the + PR_SET_NO_NEW_PRIVS flag for the container payload. A new + --oom-score-adjust= switch controls the OOM scoring adjustment value + for the payload. The new --cpu-affinity= switch controls the CPU + affinity of the container payload. The new --resolv-conf= switch + allows more detailed control of /etc/resolv.conf handling of the + container. Similarly, the new --timezone= switch allows more detailed + control of /etc/localtime handling of the container. + + * systemd-detect-virt gained a new --list switch, which will print a + list of all currently known VM and container environments. + + * Support for "Portable Services" has been added, see + doc/PORTABLE_SERVICES.md for details. Currently, the support is still + experimental, but this is expected to change soon. Reflecting this + experimental state, the "portablectl" binary is not installed into + /usr/bin yet. The binary has to be called with the full path + /usr/lib/systemd/portablectl instead. + + * journalctl's and systemctl's -o switch now knows a new log output + mode "with-unit". The output it generates is very similar to the + regular "short" mode, but displays the unit name instead of the + syslog tag for each log line. Also, the date is shown with timezone + information. This mode is probably more useful than the classic + "short" output mode for most purposes, except where pixel-perfect + compatibility with classic /var/log/messages formatting is required. + + * A new --dump-bus-properties switch has been added to the systemd + binary, which may be used to dump all supported D-Bus properties. + (Options which are still supported, but are deprecated, are *not* + shown.) + + * sd-bus gained a set of new calls: + sd_bus_slot_set_floating()/sd_bus_slot_get_floating() may be used to + enable/disable the "floating" state of a bus slot object, + i.e. whether the slot object pins the bus it is allocated for into + memory or if the bus slot object gets disconnected when the bus goes + away. sd_bus_open_with_description(), + sd_bus_open_user_with_description(), + sd_bus_open_system_with_description() may be used to allocate bus + objects and set their description string already during allocation. + + * sd-event gained support for watching inotify events from the event + loop, in an efficient way, sharing inotify handles between multiple + users. For this a new function sd_event_add_inotify() has been added. + + * sd-event and sd-bus gained support for calling special user-supplied + destructor functions for userdata pointers associated with + sd_event_source, sd_bus_slot, and sd_bus_track objects. For this new + functions sd_bus_slot_set_destroy_callback, + sd_bus_slot_get_destroy_callback, sd_bus_track_set_destroy_callback, + sd_bus_track_get_destroy_callback, + sd_event_source_set_destroy_callback, + sd_event_source_get_destroy_callback have been added. + + * The "net.ipv4.tcp_ecn" sysctl will now be turned on by default. + + * PID 1 will now automatically reschedule .timer units whenever the + local timezone changes. (They previously got rescheduled + automatically when the system clock changed.) + + * New documentation has been added to document cgroups delegation, + portable services and the various code quality tools we have set up: + + https://github.com/systemd/systemd/blob/master/docs/CGROUP_DELEGATION.md + https://github.com/systemd/systemd/blob/master/docs/PORTABLE_SERVICES.md + https://github.com/systemd/systemd/blob/master/docs/CODE_QUALITY.md + + * The Boot Loader Specification has been added to the source tree. + + https://github.com/systemd/systemd/blob/master/docs/BOOT_LOADER_SPECIFICATION.md + + While moving it into our source tree we have updated it and further + changes are now accepted through the usual github PR workflow. + + * pam_systemd will now look for PAM userdata fields systemd.memory_max, + systemd.tasks_max, systemd.cpu_weight, systemd.io_weight set by + earlier PAM modules. The data in these fields is used to initialize + the session scope's resource properties. Thus external PAM modules + may now configure per-session limits, for example sourced from + external user databases. + + * socket units with Accept=yes will now maintain a "refused" counter in + addition to the existing "accepted" counter, counting connections + refused due to the enforced limits. + + * The "systemd-path search-binaries-default" command may now be use to + query the default, built-in $PATH PID 1 will pass to the services it + manages. + + * A new unit file setting PrivateMounts= has been added. It's a boolean + option. If enabled the unit's processes are invoked in their own file + system namespace. Note that this behaviour is also implied if any + other file system namespacing options (such as PrivateTmp=, + PrivateDevices=, ProtectSystem=, …) are used. This option is hence + primarily useful for services that do not use any of the other file + system namespacing options. One such service is systemd-udevd.service + where this is now used by default. + + * ConditionSecurity= gained a new value "uefi-secureboot" that is true + when the system is booted in UEFI "secure mode". + + * A new unit "system-update-pre.target" is added, which defines an + optional synchronization point for offline system updates, as + implemented by the pre-existing "system-update.target" unit. It + allows ordering services before the service that executes the actual + update process in a generic way. + + * Systemd now emits warnings whenever .include syntax is used. + + Contributions from: Adam Duskett, Alan Jenkins, Alessandro Casale, + Alexander Kurtz, Alex Gartrell, Anssi Hannula, Arnaud Rebillout, Brian + J. Murrell, Bruno Vernay, Chris Lamb, Chris Lesiak, Christian Brauner, + Christian Hesse, Christian Rebischke, Colin Guthrie, Daniel Dao, Daniel + Lin, Danylo Korostil, Davide Cavalca, David Tardon, Dimitri John + Ledkov, Dmitriy Geels, Douglas Christman, Elia Geretto, emelenas, Emil + Velikov, Evgeny Vereshchagin, Felipe Sateler, Feng Sun, Filipe + Brandenburger, Franck Bui, futpib, Giuseppe Scrivano, Guillem Jover, + guixxx, Hannes Reinecke, Hans de Goede, Harald Hoyer, Henrique Dante de + Almeida, Hiram van Paassen, Ian Miell, Igor Gnatenko, Ivan Shapovalov, + Iwan Timmer, James Cowgill, Jan Janssen, Jan Synacek, Jared Kazimir, + Jérémy Rosen, João Paulo Rechi Vita, Joost Heitbrink, Jui-Chi Ricky + Liang, Jürg Billeter, Kai-Heng Feng, Karol Augustin, Kay Sievers, + Krzysztof Nowicki, Lauri Tirkkonen, Lennart Poettering, Leonard König, + Long Li, Luca Boccassi, Lucas Werkmeister, Marcel Hoppe, Marc + Kleine-Budde, Mario Limonciello, Martin Jansa, Martin Wilck, Mathieu + Malaterre, Matteo F. Vescovi, Matthew McGinn, Matthias-Christian Ott, + Michael Biebl, Michael Olbrich, Michael Prokop, Michal Koutný, Michal + Sekletar, Mike Gilbert, Mikhail Kasimov, Milan Broz, Milan Pässler, + Mladen Pejaković, Muhammet Kara, Nicolas Boichat, Omer Katz, Paride + Legovini, Paul Menzel, Paul Milliken, Pavel Hrdina, Peter A. Bigot, + Peter D'Hoye, Peter Hutterer, Peter Jones, Philip Sequeira, Philip + Withnall, Piotr Drąg, Radostin Stoyanov, Ricardo Salveti de Araujo, + Ronny Chevalier, Rosen Penev, Rubén Suárez Alvarez, Ryan Gonzalez, + Salvo Tomaselli, Sebastian Reichel, Sergey Ptashnick, Sergio Lindo + Mansilla, Stefan Schweter, Stephen Hemminger, Stuart Hayes, Susant + Sahani, Sylvain Plantefève, Thomas H. P. Andersen, Tobias Jungel, + Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van Mourik, + Yu Watanabe, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2018-06-22 + +CHANGES WITH 238: + + * The MemoryAccounting= unit property now defaults to on. After + discussions with the upstream control group maintainers we learnt + that the negative impact of cgroup memory accounting on current + kernels is finally relatively minimal, so that it should be safe to + enable this by default without affecting system performance. Besides + memory accounting only task accounting is turned on by default, all + other forms of resource accounting (CPU, IO, IP) remain off for now, + because it's not clear yet that their impact is small enough to move + from opt-in to opt-out. We recommend downstreams to leave memory + accounting on by default if kernel 4.14 or higher is primarily + used. On very resource constrained systems or when support for old + kernels is a necessity, -Dmemory-accounting-default=false can be used + to revert this change. + + * rpm scriptlets to update the udev hwdb and rules (%udev_hwdb_update, + %udev_rules_update) and the journal catalog (%journal_catalog_update) + from the upgrade scriptlets of individual packages now do nothing. + Transfiletriggers have been added which will perform those updates + once at the end of the transaction. + + Similar transfiletriggers have been added to execute any sysctl.d + and binfmt.d rules. Thus, it should be unnecessary to provide any + scriptlets to execute this configuration from package installation + scripts. + + * systemd-sysusers gained a mode where the configuration to execute is + specified on the command line, but this configuration is not executed + directly, but instead it is merged with the configuration on disk, + and the result is executed. This is useful for package installation + scripts which want to create the user before installing any files on + disk (in case some of those files are owned by that user), while + still allowing local admin overrides. + + This functionality is exposed to rpm scriptlets through a new + %sysusers_create_package macro. Old %sysusers_create and + %sysusers_create_inline macros are deprecated. + + A transfiletrigger for sysusers.d configuration is now installed, + which means that it should be unnecessary to call systemd-sysusers from + package installation scripts, unless the package installs any files + owned by those newly-created users, in which case + %sysusers_create_package should be used. + + * Analogous change has been done for systemd-tmpfiles: it gained a mode + where the command-line configuration is merged with the configuration + on disk. This is exposed as the new %tmpfiles_create_package macro, + and %tmpfiles_create is deprecated. A transfiletrigger is installed + for tmpfiles.d, hence it should be unnecessary to call systemd-tmpfiles + from package installation scripts. + + * sysusers.d configuration for a user may now also specify the group + number, in addition to the user number ("u username 123:456"), or + without the user number ("u username -:456"). + + * Configution items for systemd-sysusers can now be specified as + positional arguments when the new --inline switch is used. + + * The login shell of users created through sysusers.d may now be + specified (previously, it was always /bin/sh for root and + /sbin/nologin for other users). + + * systemd-analyze gained a new --global switch to look at global user + configuration. It also gained a unit-paths verb to list the unit load + paths that are compiled into systemd (which can be used with + --systemd, --user, or --global). + + * udevadm trigger gained a new --settle/-w option to wait for any + triggered events to finish (but just those, and not any other events + which are triggered meanwhile). + + * The action that systemd-logind takes when the lid is closed and the + machine is connected to external power can now be configured using + HandleLidSwitchExternalPower= in logind.conf. Previously, this action + was determined by HandleLidSwitch=, and, for backwards compatibility, + is still is, if HandleLidSwitchExternalPower= is not explicitly set. + + * journalctl will periodically call sd_journal_process() to make it + resilient against inotify queue overruns when journal files are + rotated very quickly. + + * Two new functions in libsystemd — sd_bus_get_n_queued_read and + sd_bus_get_n_queued_write — may be used to check the number of + pending bus messages. + + * systemd gained a new + org.freedesktop.systemd1.Manager.AttachProcessesToUnit dbus call + which can be used to migrate foreign processes to scope and service + units. The primary user for this new API is systemd itself: the + systemd --user instance uses this call of the systemd --system + instance to migrate processes if it itself gets the request to + migrate processes and the kernel refuses this due to access + restrictions. Thanks to this "systemd-run --scope --user …" works + again in pure cgroup v2 environments when invoked from the user + session scope. + + * A new TemporaryFileSystem= setting can be used to mask out part of + the real file system tree with tmpfs mounts. This may be combined + with BindPaths= and BindReadOnlyPaths= to hide files or directories + not relevant to the unit, while still allowing some paths lower in + the tree to be accessed. + + ProtectHome=tmpfs may now be used to hide user home and runtime + directories from units, in a way that is mostly equivalent to + "TemporaryFileSystem=/home /run/user /root". + + * Non-service units are now started with KeyringMode=shared by default. + This means that mount and swapon and other mount tools have access + to keys in the main keyring. + + * /sys/fs/bpf is now mounted automatically. + + * QNX virtualization is now detected by systemd-detect-virt and may + be used in ConditionVirtualization=. + + * IPAccounting= may now be enabled also for slice units. + + * A new -Dsplit-bin= build configuration switch may be used to specify + whether bin and sbin directories are merged, or if they should be + included separately in $PATH and various listings of executable + directories. The build configuration scripts will try to autodetect + the proper values of -Dsplit-usr= and -Dsplit-bin= based on build + system, but distributions are encouraged to configure this + explicitly. + + * A new -Dok-color= build configuration switch may be used to change + the colour of "OK" status messages. + + * UPGRADE ISSUE: serialization of units using JoinsNamespaceOf= with + PrivateNetwork=yes was buggy in previous versions of systemd. This + means that after the upgrade and daemon-reexec, any such units must + be restarted. + + * INCOMPATIBILITY: as announced in the NEWS for 237, systemd-tmpfiles + will not exclude read-only files owned by root from cleanup. + + Contributions from: Alan Jenkins, Alexander F Rødseth, Alexis Jeandet, + Andika Triwidada, Andrei Gherzan, Ansgar Burchardt, antizealot1337, + Batuhan Osman Taşkaya, Beniamino Galvani, Bill Yodlowsky, Caio Marcelo + de Oliveira Filho, CuBiC, Daniele Medri, Daniel Mouritzen, Daniel + Rusek, Davide Cavalca, Dimitri John Ledkov, Douglas Christman, Evgeny + Vereshchagin, Faalagorn, Filipe Brandenburger, Franck Bui, futpib, + Giacomo Longo, Gunnar Hjalmarsson, Hans de Goede, Hermann Gausterer, + Iago López Galeiras, Jakub Filak, Jan Synacek, Jason A. Donenfeld, + Javier Martinez Canillas, Jérémy Rosen, Lennart Poettering, Lucas + Werkmeister, Mao Huang, Marco Gulino, Michael Biebl, Michael Vogt, + MilhouseVH, Neal Gompa (ニール・ゴンパ), Oleander Reis, Olof Mogren, + Patrick Uiterwijk, Peter Hutterer, Peter Portante, Piotr Drąg, Robert + Antoni Buj Gelonch, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon + Fowler, SjonHortensius, snorreflorre, Susant Sahani, Sylvain + Plantefève, Thomas Blume, Thomas Haller, Vito Caputo, Yu Watanabe, + Zbigniew Jędrzejewski-Szmek, Марко М. Костић (Marko M. Kostić) + + — Warsaw, 2018-03-05 + +CHANGES WITH 237: + + * Some keyboards come with a zoom see-saw or rocker which until now got + mapped to the Linux "zoomin/out" keys in hwdb. However, these + keycodes are not recognized by any major desktop. They now produce + Up/Down key events so that they can be used for scrolling. + + * INCOMPATIBILITY: systemd-tmpfiles' "f" lines changed behaviour + slightly: previously, if an argument was specified for lines of this + type (i.e. the right-most column was set) this string was appended to + existing files each time systemd-tmpfiles was run. This behaviour was + different from what the documentation said, and not particularly + useful, as repeated systemd-tmpfiles invocations would not be + idempotent and grow such files without bounds. With this release + behaviour has been altered to match what the documentation says: + lines of this type only have an effect if the indicated files don't + exist yet, and only then the argument string is written to the file. + + * FUTURE INCOMPATIBILITY: In systemd v238 we intend to slightly change + systemd-tmpfiles behaviour: previously, read-only files owned by root + were always excluded from the file "aging" algorithm (i.e. the + automatic clean-up of directories like /tmp based on + atime/mtime/ctime). We intend to drop this restriction, and age files + by default even when owned by root and read-only. This behaviour was + inherited from older tools, but there have been requests to remove + it, and it's not obvious why this restriction was made in the first + place. Please speak up now, if you are aware of software that reqires + this behaviour, otherwise we'll remove the restriction in v238. + + * A new environment variable $SYSTEMD_OFFLINE is now understood by + systemctl. It takes a boolean argument. If on, systemctl assumes it + operates on an "offline" OS tree, and will not attempt to talk to the + service manager. Previously, this mode was implicitly enabled if a + chroot() environment was detected, and this new environment variable + now provides explicit control. + + * .path and .socket units may now be created transiently, too. + Previously only service, mount, automount and timer units were + supported as transient units. The systemd-run tool has been updated + to expose this new functionality, you may hence use it now to bind + arbitrary commands to path or socket activation on-the-fly from the + command line. Moreover, almost all properties are now exposed for the + unit types that already supported transient operation. + + * The systemd-mount command gained support for a new --owner= parameter + which takes a user name, which is then resolved and included in uid= + and gid= mount options string of the file system to mount. + + * A new unit condition ConditionControlGroupController= has been added + that checks whether a specific cgroup controller is available. + + * Unit files, udev's .link files, and systemd-networkd's .netdev and + .network files all gained support for a new condition + ConditionKernelVersion= for checking against specific kernel + versions. + + * In systemd-networkd, the [IPVLAN] section in .netdev files gained + support for configuring device flags in the Flags= setting. In the + same files, the [Tunnel] section gained support for configuring + AllowLocalRemote=. The [Route] section in .network files gained + support for configuring InitialCongestionWindow=, + InitialAdvertisedReceiveWindow= and QuickAck=. The [DHCP] section now + understands RapidCommit=. + + * systemd-networkd's DHCPv6 support gained support for Prefix + Delegation. + + * sd-bus gained support for a new "watch-bind" feature. When this + feature is enabled, an sd_bus connection may be set up to connect to + an AF_UNIX socket in the file system as soon as it is created. This + functionality is useful for writing early-boot services that + automatically connect to the system bus as soon as it is started, + without ugly time-based polling. systemd-networkd and + systemd-resolved have been updated to make use of this + functionality. busctl exposes this functionality in a new + --watch-bind= command line switch. + + * sd-bus will now optionally synthesize a local "Connected" signal as + soon as a D-Bus connection is set up fully. This message mirrors the + already existing "Disconnected" signal which is synthesized when the + connection is terminated. This signal is generally useful but + particularly handy in combination with the "watch-bind" feature + described above. Synthesizing of this message has to be requested + explicitly through the new API call sd_bus_set_connected_signal(). In + addition a new call sd_bus_is_ready() has been added that checks + whether a connection is fully set up (i.e. between the "Connected" and + "Disconnected" signals). + + * sd-bus gained two new calls sd_bus_request_name_async() and + sd_bus_release_name_async() for asynchronously registering bus + names. Similar, there is now sd_bus_add_match_async() for installing + a signal match asynchronously. All of systemd's own services have + been updated to make use of these calls. Doing these operations + asynchronously has two benefits: it reduces the risk of deadlocks in + case of cyclic dependencies between bus services, and it speeds up + service initialization since synchronization points for bus + round-trips are removed. + + * sd-bus gained two new calls sd_bus_match_signal() and + sd_bus_match_signal_async(), which are similar to sd_bus_add_match() + and sd_bus_add_match_async() but instead of taking a D-Bus match + string take match fields as normal function parameters. + + * sd-bus gained two new calls sd_bus_set_sender() and + sd_bus_message_set_sender() for setting the sender name of outgoing + messages (either for all outgoing messages or for just one specific + one). These calls are only useful in direct connections as on + brokered connections the broker fills in the sender anyway, + overwriting whatever the client filled in. + + * sd-event gained a new pseudo-handle that may be specified on all API + calls where an "sd_event*" object is expected: SD_EVENT_DEFAULT. When + used this refers to the default event loop object of the calling + thread. Note however that this does not implicitly allocate one — + which has to be done prior by using sd_event_default(). Similarly + sd-bus gained three new pseudo-handles SD_BUS_DEFAULT, + SD_BUS_DEFAULT_USER, SD_BUS_DEFAULT_SYSTEM that may be used to refer + to the default bus of the specified type of the calling thread. Here + too this does not implicitly allocate bus connection objects, this + has to be done prior with sd_bus_default() and friends. + + * sd-event gained a new call pair + sd_event_source_{get|set}_io_fd_own(). This may be used to request + automatic closure of the file descriptor an IO event source watches + when the event source is destroyed. + + * systemd-networkd gained support for natively configuring WireGuard + connections. + + * In previous versions systemd synthesized user records both for the + "nobody" (UID 65534) and "root" (UID 0) users in nss-systemd and + internally. In order to simplify distribution-wide renames of the + "nobody" user (like it is planned in Fedora: nfsnobody → nobody), a + new transitional flag file has been added: if + /etc/systemd/dont-synthesize-nobody exists synthesizing of the 65534 + user and group record within the systemd codebase is disabled. + + * systemd-notify gained a new --uid= option for selecting the source + user/UID to use for notification messages sent to the service + manager. + + * journalctl gained a new --grep= option to list only entries in which + the message matches a certain pattern. By default matching is case + insensitive if the pattern is lowercase, and case sensitive + otherwise. Option --case-sensitive=yes|no can be used to override + this an specify case sensitivity or case insensitivity. + + * There's now a "systemd-analyze service-watchdogs" command for printing + the current state of the service runtime watchdog, and optionally + enabling or disabling the per-service watchdogs system-wide if given a + boolean argument (i.e. the concept you configure in WatchdogSec=), for + debugging purposes. There's also a kernel command line option + systemd.service_watchdogs= for controlling the same. + + * Two new "log-level" and "log-target" options for systemd-analyze were + added that merge the now deprecated get-log-level, set-log-level and + get-log-target, set-log-target pairs. The deprecated options are still + understood for backwards compatibility. The two new options print the + current value when no arguments are given, and set them when a + level/target is given as an argument. + + * sysusers.d's "u" lines now optionally accept both a UID and a GID + specification, separated by a ":" character, in order to create users + where UID and GID do not match. + + Contributions from: Adam Duskett, Alan Jenkins, Alexander Kuleshov, + Alexis Deruelle, Andrew Jeddeloh, Armin Widegreen, Batuhan Osman + Taşkaya, Björn Esser, bleep_blop, Bruce A. Johnson, Chris Down, Clinton + Roy, Colin Walters, Daniel Rusek, Dimitri John Ledkov, Dmitry Rozhkov, + Evgeny Vereshchagin, Ewout van Mansom, Felipe Sateler, Franck Bui, + Frantisek Sumsal, George Gaydarov, Gianluca Boiano, Hans-Christian + Noren Egtvedt, Hans de Goede, Henrik Grindal Bakken, Jan Alexander + Steffens, Jan Klötzke, Jason A. Donenfeld, jdkbx, Jérémy Rosen, + Jerónimo Borque, John Lin, John Paul Herold, Jonathan Rudenberg, Jörg + Thalheim, Ken (Bitsko) MacLeod, Larry Bernstone, Lennart Poettering, + Lucas Werkmeister, Maciej S. Szmigiero, Marek Čermák, Martin Pitt, + Mathieu Malaterre, Matthew Thode, Matthias-Christian Ott, Max Harmathy, + Michael Biebl, Michael Vogt, Michal Koutný, Michal Sekletar, Michał + Szczepański, Mike Gilbert, Nathaniel McCallum, Nicolas Chauvet, Olaf + Hering, Olivier Schwander, Patrik Flykt, Paul Cercueil, Peter Hutterer, + Piotr Drąg, Raphael Vogelgsang, Reverend Homer, Robert Kolchmeyer, + Samuel Dionne-Riel, Sergey Ptashnick, Shawn Landden, Susant Sahani, + Sylvain Plantefève, Thomas H. P. Andersen, Thomas Huth, Tomasz + Bachorski, Vladislav Vishnyakov, Wieland Hoffmann, Yu Watanabe, Zachary + Winnerman, Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски, Дилян + Палаузов + + — Brno, 2018-01-28 + +CHANGES WITH 236: + + * The modprobe.d/ drop-in for the bonding.ko kernel module introduced + in v235 has been extended to also set the dummy.ko module option + numdummies=0, preventing the kernel from automatically creating + dummy0. All dummy interfaces must now be explicitly created. + + * Unknown '%' specifiers in configuration files are now rejected. This + applies to units and tmpfiles.d configuration. Any percent characters + that are followed by a letter or digit that are not supposed to be + interpreted as the beginning of a specifier should be escaped by + doubling ("%%"). (So "size=5%" is still accepted, as well as + "size=5%,foo=bar", but not "LABEL=x%y%z" since %y and %z are not + valid specifiers today.) + + * systemd-resolved now maintains a new dynamic + /run/systemd/resolve/stub-resolv.conf compatibility file. It is + recommended to make /etc/resolv.conf a symlink to it. This file + points at the systemd-resolved stub DNS 127.0.0.53 resolver and + includes dynamically acquired search domains, achieving more correct + DNS resolution by software that bypasses local DNS APIs such as NSS. + + * The "uaccess" udev tag has been dropped from /dev/kvm and + /dev/dri/renderD*. These devices now have the 0666 permissions by + default (but this may be changed at build-time). /dev/dri/renderD* + will now be owned by the "render" group along with /dev/kfd. + + * "DynamicUser=yes" has been enabled for systemd-timesyncd.service, + systemd-journal-gatewayd.service and + systemd-journal-upload.service. This means "nss-systemd" must be + enabled in /etc/nsswitch.conf to ensure the UIDs assigned to these + services are resolved properly. + + * In /etc/fstab two new mount options are now understood: + x-systemd.makefs and x-systemd.growfs. The former has the effect that + the configured file system is formatted before it is mounted, the + latter that the file system is resized to the full block device size + after it is mounted (i.e. if the file system is smaller than the + partition it resides on, it's grown). This is similar to the fsck + logic in /etc/fstab, and pulls in systemd-makefs@.service and + systemd-growfs@.service as necessary, similar to + systemd-fsck@.service. Resizing is currently only supported on ext4 + and btrfs. + + * In systemd-networkd, the IPv6 RA logic now optionally may announce + DNS server and domain information. + + * Support for the LUKS2 on-disk format for encrypted partitions has + been added. This requires libcryptsetup2 during compilation and + runtime. + + * The systemd --user instance will now signal "readiness" when its + basic.target unit has been reached, instead of when the run queue ran + empty for the first time. + + * Tmpfiles.d with user configuration are now also supported. + systemd-tmpfiles gained a new --user switch, and snippets placed in + ~/.config/user-tmpfiles.d/ and corresponding directories will be + executed by systemd-tmpfiles --user running in the new + systemd-tmpfiles-setup.service and systemd-tmpfiles-clean.service + running in the user session. + + * Unit files and tmpfiles.d snippets learnt three new % specifiers: + %S resolves to the top-level state directory (/var/lib for the system + instance, $XDG_CONFIG_HOME for the user instance), %C resolves to the + top-level cache directory (/var/cache for the system instance, + $XDG_CACHE_HOME for the user instance), %L resolves to the top-level + logs directory (/var/log for the system instance, + $XDG_CONFIG_HOME/log/ for the user instance). This matches the + existing %t specifier, that resolves to the top-level runtime + directory (/run for the system instance, and $XDG_RUNTIME_DIR for the + user instance). + + * journalctl learnt a new parameter --output-fields= for limiting the + set of journal fields to output in verbose and JSON output modes. + + * systemd-timesyncd's configuration file gained a new option + RootDistanceMaxSec= for setting the maximum root distance of servers + it'll use, as well as the new options PollIntervalMinSec= and + PollIntervalMaxSec= to tweak the minimum and maximum poll interval. + + * bootctl gained a new command "list" for listing all available boot + menu items on systems that follow the boot loader specification. + + * systemctl gained a new --dry-run switch that shows what would be done + instead of doing it, and is currently supported by the shutdown and + sleep verbs. + + * ConditionSecurity= can now detect the TOMOYO security module. + + * Unit file [Install] sections are now also respected in unit drop-in + files. This is intended to be used by drop-ins under /usr/lib/. + + * systemd-firstboot may now also set the initial keyboard mapping. + + * Udev "changed" events for devices which are exposed as systemd + .device units are now propagated to units specified in + ReloadPropagatedFrom= as reload requests. + + * If a udev device has a SYSTEMD_WANTS= property containing a systemd + unit template name (i.e. a name in the form of 'foobar@.service', + without the instance component between the '@' and - the '.'), then + the escaped sysfs path of the device is automatically used as the + instance. + + * SystemCallFilter= in unit files has been extended so that an "errno" + can be specified individually for each system call. Example: + SystemCallFilter=~uname:EILSEQ. + + * The cgroup delegation logic has been substantially updated. Delegate= + now optionally takes a list of controllers (instead of a boolean, as + before), which lists the controllers to delegate at least. + + * The networkd DHCPv6 client now implements the FQDN option (RFC 4704). + + * A new LogLevelMax= setting configures the maximum log level any + process of the service may log at (i.e. anything with a lesser + priority than what is specified is automatically dropped). A new + LogExtraFields= setting allows configuration of additional journal + fields to attach to all log records generated by any of the unit's + processes. + + * New StandardInputData= and StandardInputText= settings along with the + new option StandardInput=data may be used to configure textual or + binary data that shall be passed to the executed service process via + standard input, encoded in-line in the unit file. + + * StandardInput=, StandardOutput= and StandardError= may now be used to + connect stdin/stdout/stderr of executed processes directly with a + file or AF_UNIX socket in the file system, using the new "file:" option. + + * A new unit file option CollectMode= has been added, that allows + tweaking the garbage collection logic for units. It may be used to + tell systemd to garbage collect units that have failed automatically + (normally it only GCs units that exited successfully). systemd-run + and systemd-mount expose this new functionality with a new -G option. + + * "machinectl bind" may now be used to bind mount non-directories + (i.e. regularfiles, devices, fifos, sockets). + + * systemd-analyze gained a new verb "calendar" for validating and + testing calendar time specifications to use for OnCalendar= in timer + units. Besides validating the expression it will calculate the next + time the specified expression would elapse. + + * In addition to the pre-existing FailureAction= unit file setting + there's now SuccessAction=, for configuring a shutdown action to + execute when a unit completes successfully. This is useful in + particular inside containers that shall terminate after some workload + has been completed. Also, both options are now supported for all unit + types, not just services. + + * networkds's IP rule support gained two new options + IncomingInterface= and OutgoingInterface= for configuring the incoming + and outgoing interfaces of configured rules. systemd-networkd also + gained support for "vxcan" network devices. + + * networkd gained a new setting RequiredForOnline=, taking a + boolean. If set, systemd-wait-online will take it into consideration + when determining that the system is up, otherwise it will ignore the + interface for this purpose. + + * The sd_notify() protocol gained support for a new operation: with + FDSTOREREMOVE=1 file descriptors may be removed from the per-service + store again, ahead of POLLHUP or POLLERR when they are removed + anyway. + + * A new document doc/UIDS-GIDS.md has been added to the source tree, + that documents the UID/GID range and assignment assumptions and + requirements of systemd. + + * The watchdog device PID 1 will ping may now be configured through the + WatchdogDevice= configuration file setting, or by setting the + systemd.watchdog_service= kernel commandline option. + + * systemd-resolved's gained support for registering DNS-SD services on + the local network using MulticastDNS. Services may either be + registered by dropping in a .dnssd file in /etc/systemd/dnssd/ (or + the same dir below /run, /usr/lib), or through its D-Bus API. + + * The sd_notify() protocol can now with EXTEND_TIMEOUT_USEC=microsecond + extend the effective start, runtime, and stop time. The service must + continue to send EXTEND_TIMEOUT_USEC within the period specified to + prevent the service manager from making the service as timedout. + + * systemd-resolved's DNSSEC support gained support for RFC 8080 + (Ed25519 keys and signatures). + + * The systemd-resolve command line tool gained a new set of options + --set-dns=, --set-domain=, --set-llmnr=, --set-mdns=, --set-dnssec=, + --set-nta= and --revert to configure per-interface DNS configuration + dynamically during runtime. It's useful for pushing DNS information + into systemd-resolved from DNS hook scripts that various interface + managing software supports (such as pppd). + + * systemd-nspawn gained a new --network-namespace-path= command line + option, which may be used to make a container join an existing + network namespace, by specifying a path to a "netns" file. + + Contributions from: Alan Jenkins, Alan Robertson, Alessandro Ghedini, + Andrew Jeddeloh, Antonio Rojas, Ari, asavah, bleep_blop, Carsten + Strotmann, Christian Brauner, Christian Hesse, Clinton Roy, Collin + Eggert, Cong Wang, Daniel Black, Daniel Lockyer, Daniel Rusek, Dimitri + John Ledkov, Dmitry Rozhkov, Dongsu Park, Edward A. James, Evgeny + Vereshchagin, Florian Klink, Franck Bui, Gwendal Grignou, Hans de + Goede, Harald Hoyer, Hristo Venev, Iago López Galeiras, Ikey Doherty, + Jakub Wilk, Jérémy Rosen, Jiahui Xie, John Lin, José Bollo, Josef + Andersson, juga0, Krzysztof Nowicki, Kyle Walker, Lars Karlitski, Lars + Kellogg-Stedman, Lauri Tirkkonen, Lennart Poettering, Lubomir Rintel, + Luca Bruno, Lucas Werkmeister, Lukáš Nykrýn, Lukáš Říha, Lukasz + Rubaszewski, Maciej S. Szmigiero, Mantas Mikulėnas, Marcus Folkesson, + Martin Steuer, Mathieu Trudel-Lapierre, Matija Skala, + Matthias-Christian Ott, Max Resch, Michael Biebl, Michael Vogt, Michal + Koutný, Michal Sekletar, Mike Gilbert, Muhammet Kara, Neil Brown, Olaf + Hering, Ondrej Kozina, Patrik Flykt, Patryk Kocielnik, Peter Hutterer, + Piotr Drąg, Razvan Cojocaru, Robin McCorkell, Roland Hieber, Saran + Tunyasuvunakool, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon + Arlott, Simon Peeters, Stanislav Angelovič, Stefan Agner, Susant + Sahani, Sylvain Plantefève, Thomas Blume, Thomas Haller, Tiago Salem + Herrmann, Tinu Weber, Tom Stellard, Topi Miettinen, Torsten Hilbrich, + Vito Caputo, Vladislav Vishnyakov, WaLyong Cho, Yu Watanabe, Zbigniew + Jędrzejewski-Szmek, Zeal Jagannatha + + — Berlin, 2017-12-14 + +CHANGES WITH 235: + + * INCOMPATIBILITY: systemd-logind.service and other long-running + services now run inside an IPv4/IPv6 sandbox, prohibiting them any IP + communication with the outside. This generally improves security of + the system, and is in almost all cases a safe and good choice, as + these services do not and should not provide any network-facing + functionality. However, systemd-logind uses the glibc NSS API to + query the user database. This creates problems on systems where NSS + is set up to directly consult network services for user database + lookups. In particular, this creates incompatibilities with the + "nss-nis" module, which attempts to directly contact the NIS/YP + network servers it is configured for, and will now consistently + fail. In such cases, it is possible to turn off IP sandboxing for + systemd-logind.service (set IPAddressDeny= in its [Service] section + to the empty string, via a .d/ unit file drop-in). Downstream + distributions might want to update their nss-nis packaging to include + such a drop-in snippet, accordingly, to hide this incompatibility + from the user. Another option is to make use of glibc's nscd service + to proxy such network requests through a privilege-separated, minimal + local caching daemon, or to switch to more modern technologies such + sssd, whose NSS hook-ups generally do not involve direct network + access. In general, we think it's definitely time to question the + implementation choices of nss-nis, i.e. whether it's a good idea + today to embed a network-facing loadable module into all local + processes that need to query the user database, including the most + trivial and benign ones, such as "ls". For more details about + IPAddressDeny= see below. + + * A new modprobe.d drop-in is now shipped by default that sets the + bonding module option max_bonds=0. This overrides the kernel default, + to avoid conflicts and ambiguity as to whether or not bond0 should be + managed by systemd-networkd or not. This resolves multiple issues + with bond0 properties not being applied, when bond0 is configured + with systemd-networkd. Distributors may choose to not package this, + however in that case users will be prevented from correctly managing + bond0 interface using systemd-networkd. + + * systemd-analyze gained new verbs "get-log-level" and "get-log-target" + which print the logging level and target of the system manager. They + complement the existing "set-log-level" and "set-log-target" verbs + used to change those values. + + * journald.conf gained a new boolean setting ReadKMsg= which defaults + to on. If turned off kernel log messages will not be read by + systemd-journald or included in the logs. It also gained a new + setting LineMax= for configuring the maximum line length in + STDOUT/STDERR log streams. The new default for this value is 48K, up + from the previous hardcoded 2048. + + * A new unit setting RuntimeDirectoryPreserve= has been added, which + allows more detailed control of what to do with a runtime directory + configured with RuntimeDirectory= (i.e. a directory below /run or + $XDG_RUNTIME_DIR) after a unit is stopped. + + * The RuntimeDirectory= setting for units gained support for creating + deeper subdirectories below /run or $XDG_RUNTIME_DIR, instead of just + one top-level directory. + + * Units gained new options StateDirectory=, CacheDirectory=, + LogsDirectory= and ConfigurationDirectory= which are closely related + to RuntimeDirectory= but manage per-service directories below + /var/lib, /var/cache, /var/log and /etc. By making use of them it is + possible to write unit files which when activated automatically gain + properly owned service specific directories in these locations, thus + making unit files self-contained and increasing compatibility with + stateless systems and factory reset where /etc or /var are + unpopulated at boot. Matching these new settings there's also + StateDirectoryMode=, CacheDirectoryMode=, LogsDirectoryMode=, + ConfigurationDirectoryMode= for configuring the access mode of these + directories. These settings are particularly useful in combination + with DynamicUser=yes as they provide secure, properly-owned, + writable, and stateful locations for storage, excluded from the + sandbox that such services live in otherwise. + + * Automake support has been removed from this release. systemd is now + Meson-only. + + * systemd-journald will now aggressively cache client metadata during + runtime, speeding up log write performance under pressure. This comes + at a small price though: as much of the metadata is read + asynchronously from /proc/ (and isn't implicitly attached to log + datagrams by the kernel, like UID/GID/PID/SELinux are) this means the + metadata stored alongside a log entry might be slightly + out-of-date. Previously it could only be slightly newer than the log + message. The time window is small however, and given that the kernel + is unlikely to be improved anytime soon in this regard, this appears + acceptable to us. + + * nss-myhostname/systemd-resolved will now by default synthesize an + A/AAAA resource record for the "_gateway" hostname, pointing to the + current default IP gateway. Previously it did that for the "gateway" + name, hampering adoption, as some distributions wanted to leave that + hostname open for local use. The old behaviour may still be + requested at build time. + + * systemd-networkd's [Address] section in .network files gained a new + Scope= setting for configuring the IP address scope. The [Network] + section gained a new boolean setting ConfigureWithoutCarrier= that + tells systemd-networkd to ignore link sensing when configuring the + device. The [DHCP] section gained a new Anonymize= boolean option for + turning on a number of options suggested in RFC 7844. A new + [RoutingPolicyRule] section has been added for configuring the IP + routing policy. The [Route] section has gained support for a new + Type= setting which permits configuring + blackhole/unreachable/prohibit routes. + + * The [VRF] section in .netdev files gained a new Table= setting for + configuring the routing table to use. The [Tunnel] section gained a + new Independent= boolean field for configuring tunnels independent of + an underlying network interface. The [Bridge] section gained a new + GroupForwardMask= option for configuration of propagation of link + local frames between bridge ports. + + * The WakeOnLan= setting in .link files gained support for a number of + new modes. A new TCP6SegmentationOffload= setting has been added for + configuring TCP/IPv6 hardware segmentation offload. + + * The IPv6 RA sender implementation may now optionally send out RDNSS + and RDNSSL records to supply DNS configuration to peers. + + * systemd-nspawn gained support for a new --system-call-filter= command + line option for adding and removing entries in the default system + call filter it applies. Moreover systemd-nspawn has been changed to + implement a system call allow list instead of a deny list. + + * systemd-run gained support for a new --pipe command line option. If + used the STDIN/STDOUT/STDERR file descriptors passed to systemd-run + are directly passed on to the activated transient service + executable. This allows invoking arbitrary processes as systemd + services (for example to take benefit of dependency management, + accounting management, resource management or log management that is + done automatically for services) — while still allowing them to be + integrated in a classic UNIX shell pipeline. + + * When a service sends RELOAD=1 via sd_notify() and reload propagation + using ReloadPropagationTo= is configured, a reload is now propagated + to configured units. (Previously this was only done on explicitly + requested reloads, using "systemctl reload" or an equivalent + command.) + + * For each service unit a restart counter is now kept: it is increased + each time the service is restarted due to Restart=, and may be + queried using "systemctl show -p NRestarts …". + + * New system call filter groups @aio, @sync, @chown, @setuid, @memlock, + @signal and @timer have been added, for usage with SystemCallFilter= + in unit files and the new --system-call-filter= command line option + of systemd-nspawn (see above). + + * ExecStart= lines in unit files gained two new modifiers: when a + command line is prefixed with "!" the command will be executed as + configured, except for the credentials applied by + setuid()/setgid()/setgroups(). It is very similar to the pre-existing + "+", but does still apply namespacing options unlike "+". There's + also "!!" now, which is mostly identical, but becomes a NOP on + systems that support ambient capabilities. This is useful to write + unit files that work with ambient capabilities where possible but + automatically fall back to traditional privilege dropping mechanisms + on systems where this is not supported. + + * ListenNetlink= settings in socket units now support RDMA netlink + sockets. + + * A new unit file setting LockPersonality= has been added which permits + locking down the chosen execution domain ("personality") of a service + during runtime. + + * A new special target "getty-pre.target" has been added, which is + ordered before all text logins, and may be used to order services + before textual logins acquire access to the console. + + * systemd will now attempt to load the virtio-rng.ko kernel module very + early on if a VM environment supporting this is detected. This should + improve entropy during early boot in virtualized environments. + + * A _netdev option is now supported in /etc/crypttab that operates in a + similar way as the same option in /etc/fstab: it permits configuring + encrypted devices that need to be ordered after the network is up. + Following this logic, two new special targets + remote-cryptsetup-pre.target and remote-cryptsetup.target have been + added that are to cryptsetup.target what remote-fs.target and + remote-fs-pre.target are to local-fs.target. + + * Service units gained a new UnsetEnvironment= setting which permits + unsetting specific environment variables for services that are + normally passed to it (for example in order to mask out locale + settings for specific services that can't deal with it). + + * Units acquired a new boolean option IPAccounting=. When turned on, IP + traffic accounting (packet count as well as byte count) is done for + the service, and shown as part of "systemctl status" or "systemd-run + --wait". + + * Service units acquired two new options IPAddressAllow= and + IPAddressDeny=, taking a list of IPv4 or IPv6 addresses and masks, + for configuring a simple IP access control list for all sockets of + the unit. These options are available also on .slice and .socket + units, permitting flexible access list configuration for individual + services as well as groups of services (as defined by a slice unit), + including system-wide. Note that IP ACLs configured this way are + enforced on every single IPv4 and IPv6 socket created by any process + of the service unit, and apply to ingress as well as egress traffic. + + * If CPUAccounting= or IPAccounting= is turned on for a unit a new + structured log message is generated each time the unit is stopped, + containing information about the consumed resources of this + invocation. + + * A new setting KeyringMode= has been added to unit files, which may be + used to control how the kernel keyring is set up for executed + processes. + + * "systemctl poweroff", "systemctl reboot", "systemctl halt", + "systemctl kexec" and "systemctl exit" are now always asynchronous in + behaviour (that is: these commands return immediately after the + operation was enqueued instead of waiting for the operation to + complete). Previously, "systemctl poweroff" and "systemctl reboot" + were asynchronous on systems using systemd-logind (i.e. almost + always, and like they were on sysvinit), and the other three commands + were unconditionally synchronous. With this release this is cleaned + up, and callers will see the same asynchronous behaviour on all + systems for all five operations. + + * systemd-logind gained new Halt() and CanHalt() bus calls for halting + the system. + + * .timer units now accept calendar specifications in other timezones + than UTC or the local timezone. + + * The tmpfiles snippet var.conf has been changed to create + /var/log/btmp with access mode 0660 instead of 0600. It was owned by + the "utmp" group already, and it appears to be generally understood + that members of "utmp" can modify/flush the utmp/wtmp/lastlog/btmp + databases. Previously this was implemented correctly for all these + databases excepts btmp, which has been opened up like this now + too. Note that while the other databases are world-readable + (i.e. 0644), btmp is not and remains more restrictive. + + * The systemd-resolve tool gained a new --reset-server-features + switch. When invoked like this systemd-resolved will forget + everything it learnt about the features supported by the configured + upstream DNS servers, and restarts the feature probing logic on the + next resolver look-up for them at the highest feature level + again. + + * The status dump systemd-resolved sends to the logs upon receiving + SIGUSR1 now also includes information about all DNS servers it is + configured to use, and the features levels it probed for them. + + Contributions from: Abdó Roig-Maranges, Alan Jenkins, Alexander + Kuleshov, Andreas Rammhold, Andrew Jeddeloh, Andrew Soutar, Ansgar + Burchardt, Beniamino Galvani, Benjamin Berg, Benjamin Robin, Charles + Huber, Christian Hesse, Daniel Berrange, Daniel Kahn Gillmor, Daniel + Mack, Daniel Rusek, Daniel Șerbănescu, Davide Cavalca, Dimitri John + Ledkov, Diogo Pereira, Djalal Harouni, Dmitriy Geels, Dmitry Torokhov, + ettavolt, Evgeny Vereshchagin, Fabio Kung, Felipe Sateler, Franck Bui, + Hans de Goede, Harald Hoyer, Insun Pyo, Ivan Kurnosov, Ivan Shapovalov, + Jakub Wilk, Jan Synacek, Jason Gunthorpe, Jeremy Bicha, Jérémy Rosen, + John Lin, jonasBoss, Jonathan Lebon, Jonathan Teh, Jon Ringle, Jörg + Thalheim, Jouke Witteveen, juga0, Justin Capella, Justin Michaud, + Kai-Heng Feng, Lennart Poettering, Lion Yang, Luca Bruno, Lucas + Werkmeister, Lukáš Nykrýn, Marcel Hollerbach, Marcus Lundblad, Martin + Pitt, Michael Biebl, Michael Grzeschik, Michal Sekletar, Mike Gilbert, + Neil Brown, Nicolas Iooss, Patrik Flykt, pEJipE, Piotr Drąg, Russell + Stuart, S. Fan, Shengyao Xue, Stefan Pietsch, Susant Sahani, Tejun Heo, + Thomas Miller, Thomas Sailer, Tobias Hunger, Tomasz Pala, Tom + Gundersen, Tommi Rantala, Topi Miettinen, Torstein Husebø, userwithuid, + Vasilis Liaskovitis, Vito Caputo, WaLyong Cho, William Douglas, Xiang + Fan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2017-10-06 + +CHANGES WITH 234: + + * Meson is now supported as build system in addition to Automake. It is + our plan to remove Automake in one of our next releases, so that + Meson becomes our exclusive build system. Hence, please start using + the Meson build system in your downstream packaging. There's plenty + of documentation around how to use Meson, the extremely brief + summary: + + ./autogen.sh && ./configure && make && sudo make install + + becomes: + + meson build && ninja -C build && sudo ninja -C build install + + * Unit files gained support for a new JobRunningTimeoutUSec= setting, + which permits configuring a timeout on the time a job is + running. This is particularly useful for setting timeouts on jobs for + .device units. + + * Unit files gained two new options ConditionUser= and ConditionGroup= + for conditionalizing units based on the identity of the user/group + running a systemd user instance. + + * systemd-networkd now understands a new FlowLabel= setting in the + [VXLAN] section of .network files, as well as a Priority= in + [Bridge], GVRP= + MVRP= + LooseBinding= + ReorderHeader= in [VLAN] + and GatewayOnlink= + IPv6Preference= + Protocol= in [Route]. It also + gained support for configuration of GENEVE links, and IPv6 address + labels. The [Network] section gained the new IPv6ProxyNDP= setting. + + * .link files now understand a new Port= setting. + + * systemd-networkd's DHCP support gained support for DHCP option 119 + (domain search list). + + * systemd-networkd gained support for serving IPv6 address ranges using + the Router Advertisement protocol. The new .network configuration + section [IPv6Prefix] may be used to configure the ranges to + serve. This is implemented based on a new, minimal, native server + implementation of RA. + + * journalctl's --output= switch gained support for a new parameter + "short-iso-precise" for a mode where timestamps are shown as precise + ISO date values. + + * systemd-udevd's "net_id" builtin may now generate stable network + interface names from IBM PowerVM VIO devices as well as ACPI platform + devices. + + * MulticastDNS support in systemd-resolved may now be explicitly + enabled/disabled using the new MulticastDNS= configuration file + option. + + * systemd-resolved may now optionally use libidn2 instead of the libidn + for processing internationalized domain names. Support for libidn2 + should be considered experimental and should not be enabled by + default yet. + + * "machinectl pull-tar" and related call may now do verification of + downloaded images using SUSE-style .sha256 checksum files in addition + to the already existing support for validating using Ubuntu-style + SHA256SUMS files. + + * sd-bus gained support for a new sd_bus_message_appendv() call which + is va_list equivalent of sd_bus_message_append(). + + * sd-boot gained support for validating images using SHIM/MOK. + + * The SMACK code learnt support for "onlycap". + + * systemd-mount --umount is now much smarter in figuring out how to + properly unmount a device given its mount or device path. + + * The code to call libnss_dns as a fallback from libnss_resolve when + the communication with systemd-resolved fails was removed. This + fallback was redundant and interfered with the [!UNAVAIL=return] + suffix. See nss-resolve(8) for the recommended configuration. + + * systemd-logind may now be restarted without losing state. It stores + the file descriptors for devices it manages in the system manager + using the FDSTORE= mechanism. Please note that further changes in + other components may be required to make use of this (for example + Xorg has code to listen for stops of systemd-logind and terminate + itself when logind is stopped or restarted, in order to avoid using + stale file descriptors for graphical devices, which is now + counterproductive and must be reverted in order for restarts of + systemd-logind to be safe. See + https://cgit.freedesktop.org/xorg/xserver/commit/?id=dc48bd653c7e101.) + + * All kernel-install plugins are called with the environment variable + KERNEL_INSTALL_MACHINE_ID which is set to the machine ID given by + /etc/machine-id. If the machine ID could not be determined, + $KERNEL_INSTALL_MACHINE_ID will be empty. Plugins should not put + anything in the entry directory (passed as the second argument) if + $KERNEL_INSTALL_MACHINE_ID is empty. For backwards compatibility, a + temporary directory is passed as the entry directory and removed + after all the plugins exit. + + Contributions from: Adrian Heine né Lang, Aggelos Avgerinos, Alexander + Kurtz, Alexandros Frantzis, Alexey Brodkin, Alex Lu, Amir Pakdel, Amir + Yalon, Anchor Cat, Anthony Parsons, Bastien Nocera, Benjamin Gilbert, + Benjamin Robin, Boucman, Charles Plessy, Chris Chiu, Chris Lamb, + Christian Brauner, Christian Hesse, Colin Walters, Daniel Drake, + Danielle Church, Daniel Molkentin, Daniel Rusek, Daniel Wang, Davide + Cavalca, David Herrmann, David Michael, Dax Kelson, Dimitri John + Ledkov, Djalal Harouni, Dušan Kazik, Elias Probst, Evgeny Vereshchagin, + Federico Di Pierro, Felipe Sateler, Felix Zhang, Franck Bui, Gary + Tierney, George McCollister, Giedrius Statkevičius, Hans de Goede, + hecke, Hendrik Westerberg, Hristo Venev, Ian Wienand, Insun Pyo, Ivan + Shapovalov, James Cowgill, James Hemsing, Janne Heß, Jan Synacek, Jason + Reeder, João Paulo Rechi Vita, John Paul Adrian Glaubitz, Jörg + Thalheim, Josef Andersson, Josef Gajdusek, Julian Mehne, Kai Krakow, + Krzysztof Jackiewicz, Lars Karlitski, Lennart Poettering, Lluís Gili, + Lucas Werkmeister, Lukáš Nykrýn, Łukasz Stelmach, Mantas Mikulėnas, + Marcin Bachry, Marcus Cooper, Mark Stosberg, Martin Pitt, Matija Skala, + Matt Clarkson, Matthew Garrett, Matthias Greiner, Matthijs van Duin, + Max Resch, Michael Biebl, Michal Koutný, Michal Sekletar, Michal + Soltys, Michal Suchanek, Mike Gilbert, Nate Clark, Nathaniel R. Lewis, + Neil Brown, Nikolai Kondrashov, Pascal S. de Kloe, Pat Riehecky, Patrik + Flykt, Paul Kocialkowski, Peter Hutterer, Philip Withnall, Piotr + Szydełko, Rafael Fontenelle, Ray Strode, Richard Maw, Roelf Wichertjes, + Ronny Chevalier, Sarang S. Dalal, Sjoerd Simons, slodki, Stefan + Schweter, Susant Sahani, Ted Wood, Thomas Blume, Thomas Haller, Thomas + H. P. Andersen, Timothée Ravier, Tobias Jungel, Tobias Stoeckmann, Tom + Gundersen, Tom Yan, Torstein Husebø, Umut Tezduyar Lindskog, + userwithuid, Vito Caputo, Waldemar Brodkorb, WaLyong Cho, Yu, Li-Yu, + Yusuke Nojima, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Дамјан + Георгиевски + + — Berlin, 2017-07-12 + +CHANGES WITH 233: + + * The "hybrid" control group mode has been modified to improve + compatibility with "legacy" cgroups-v1 setups. Specifically, the + "hybrid" setup of /sys/fs/cgroup is now pretty much identical to + "legacy" (including /sys/fs/cgroup/systemd as "name=systemd" named + cgroups-v1 hierarchy), the only externally visible change being that + the cgroups-v2 hierarchy is also mounted, to + /sys/fs/cgroup/unified. This should provide a large degree of + compatibility with "legacy" cgroups-v1, while taking benefit of the + better management capabilities of cgroups-v2. + + * The default control group setup mode may be selected both a boot-time + via a set of kernel command line parameters (specifically: + systemd.unified_cgroup_hierarchy= and + systemd.legacy_systemd_cgroup_controller=), as well as a compile-time + default selected on the configure command line + (--with-default-hierarchy=). The upstream default is "hybrid" + (i.e. the cgroups-v1 + cgroups-v2 mixture discussed above) now, but + this will change in a future systemd version to be "unified" (pure + cgroups-v2 mode). The third option for the compile time option is + "legacy", to enter pure cgroups-v1 mode. We recommend downstream + distributions to default to "hybrid" mode for release distributions, + starting with v233. We recommend "unified" for development + distributions (specifically: distributions such as Fedora's rawhide) + as that's where things are headed in the long run. Use "legacy" for + greatest stability and compatibility only. + + * Note one current limitation of "unified" and "hybrid" control group + setup modes: the kernel currently does not permit the systemd --user + instance (i.e. unprivileged code) to migrate processes between two + disconnected cgroup subtrees, even if both are managed and owned by + the user. This effectively means "systemd-run --user --scope" doesn't + work when invoked from outside of any "systemd --user" service or + scope. Specifically, it is not supported from session scopes. We are + working on fixing this in a future systemd version. (See #3388 for + further details about this.) + + * DBus policy files are now installed into /usr rather than /etc. Make + sure your system has dbus >= 1.9.18 running before upgrading to this + version, or override the install path with --with-dbuspolicydir= . + + * All python scripts shipped with systemd (specifically: the various + tests written in Python) now require Python 3. + + * systemd unit tests can now run standalone (without the source or + build directories), and can be installed into /usr/lib/systemd/tests/ + with 'make install-tests'. + + * Note that from this version on, CONFIG_CRYPTO_USER_API_HASH, + CONFIG_CRYPTO_HMAC and CONFIG_CRYPTO_SHA256 need to be enabled in the + kernel. + + * Support for the %c, %r, %R specifiers in unit files has been + removed. Specifiers are not supposed to be dependent on configuration + in the unit file itself (so that they resolve the same regardless + where used in the unit files), but these specifiers were influenced + by the Slice= option. + + * The shell invoked by debug-shell.service now defaults to /bin/sh in + all cases. If distributions want to use a different shell for this + purpose (for example Fedora's /sbin/sushell) they need to specify + this explicitly at configure time using --with-debug-shell=. + + * The confirmation spawn prompt has been reworked to offer the + following choices: + + (c)ontinue, proceed without asking anymore + (D)ump, show the state of the unit + (f)ail, don't execute the command and pretend it failed + (h)elp + (i)nfo, show a short summary of the unit + (j)obs, show jobs that are in progress + (s)kip, don't execute the command and pretend it succeeded + (y)es, execute the command + + The 'n' choice for the confirmation spawn prompt has been removed, + because its meaning was confusing. + + The prompt may now also be redirected to an alternative console by + specifying the console as parameter to systemd.confirm_spawn=. + + * Services of Type=notify require a READY=1 notification to be sent + during startup. If no such message is sent, the service now fails, + even if the main process exited with a successful exit code. + + * Services that fail to start up correctly now always have their + ExecStopPost= commands executed. Previously, they'd enter "failed" + state directly, without executing these commands. + + * The option MulticastDNS= of network configuration files has acquired + an actual implementation. With MulticastDNS=yes a host can resolve + names of remote hosts and reply to mDNS A and AAAA requests. + + * When units are about to be started an additional check is now done to + ensure that all dependencies of type BindsTo= (when used in + combination with After=) have been started. + + * systemd-analyze gained a new verb "syscall-filter" which shows which + system call groups are defined for the SystemCallFilter= unit file + setting, and which system calls they contain. + + * A new system call filter group "@filesystem" has been added, + consisting of various file system related system calls. Group + "@reboot" has been added, covering reboot, kexec and shutdown related + calls. Finally, group "@swap" has been added covering swap + configuration related calls. + + * A new unit file option RestrictNamespaces= has been added that may be + used to restrict access to the various process namespace types the + Linux kernel provides. Specifically, it may be used to take away the + right for a service unit to create additional file system, network, + user, and other namespaces. This sandboxing option is particularly + relevant due to the high amount of recently discovered namespacing + related vulnerabilities in the kernel. + + * systemd-udev's .link files gained support for a new AutoNegotiation= + setting for configuring Ethernet auto-negotiation. + + * systemd-networkd's .network files gained support for a new + ListenPort= setting in the [DHCP] section to explicitly configure the + UDP client port the DHCP client shall listen on. + + * .network files gained a new Unmanaged= boolean setting for explicitly + excluding one or more interfaces from management by systemd-networkd. + + * The systemd-networkd ProxyARP= option has been renamed to + IPV4ProxyARP=. Similarly, VXLAN-specific option ARPProxy= has been + renamed to ReduceARPProxy=. The old names continue to be available + for compatibility. + + * systemd-networkd gained support for configuring IPv6 Proxy NDP + addresses via the new IPv6ProxyNDPAddress= .network file setting. + + * systemd-networkd's bonding device support gained support for two new + configuration options ActiveSlave= and PrimarySlave=. + + * The various options in the [Match] section of .network files gained + support for negative matching. + + * New systemd-specific mount options are now understood in /etc/fstab: + + x-systemd.mount-timeout= may be used to configure the maximum + permitted runtime of the mount command. + + x-systemd.device-bound may be set to bind a mount point to its + backing device unit, in order to automatically remove a mount point + if its backing device is unplugged. This option may also be + configured through the new SYSTEMD_MOUNT_DEVICE_BOUND udev property + on the block device, which is now automatically set for all CDROM + drives, so that mounted CDs are automatically unmounted when they are + removed from the drive. + + x-systemd.after= and x-systemd.before= may be used to explicitly + order a mount after or before another unit or mount point. + + * Enqueued start jobs for device units are now automatically garbage + collected if there are no jobs waiting for them anymore. + + * systemctl list-jobs gained two new switches: with --after, for every + queued job the jobs it's waiting for are shown; with --before the + jobs which it's blocking are shown. + + * systemd-nspawn gained support for ephemeral boots from disk images + (or in other words: --ephemeral and --image= may now be + combined). Moreover, ephemeral boots are now supported for normal + directories, even if the backing file system is not btrfs. Of course, + if the file system does not support file system snapshots or + reflinks, the initial copy operation will be relatively expensive, but + this should still be suitable for many use cases. + + * Calendar time specifications in .timer units now support + specifications relative to the end of a month by using "~" instead of + "-" as separator between month and day. For example, "*-02~03" means + "the third last day in February". In addition a new syntax for + repeated events has been added using the "/" character. For example, + "9..17/2:00" means "every two hours from 9am to 5pm". + + * systemd-socket-proxyd gained a new parameter --connections-max= for + configuring the maximum number of concurrent connections. + + * sd-id128 gained a new API for generating unique IDs for the host in a + way that does not leak the machine ID. Specifically, + sd_id128_get_machine_app_specific() derives an ID based on the + machine ID a in well-defined, non-reversible, stable way. This is + useful whenever an identifier for the host is needed but where the + identifier shall not be useful to identify the system beyond the + scope of the application itself. (Internally this uses HMAC-SHA256 as + keyed hash function using the machine ID as input.) + + * NotifyAccess= gained a new supported value "exec". When set + notifications are accepted from all processes systemd itself invoked, + including all control processes. + + * .nspawn files gained support for defining overlay mounts using the + Overlay= and OverlayReadOnly= options. Previously this functionality + was only available on the systemd-nspawn command line. + + * systemd-nspawn's --bind= and --overlay= options gained support for + bind/overlay mounts whose source lies within the container tree by + prefixing the source path with "+". + + * systemd-nspawn's --bind= and --overlay= options gained support for + automatically allocating a temporary source directory in /var/tmp + that is removed when the container dies. Specifically, if the source + directory is specified as empty string this mechanism is selected. An + example usage is --overlay=+/var::/var, which creates an overlay + mount based on the original /var contained in the image, overlaid + with a temporary directory in the host's /var/tmp. This way changes + to /var are automatically flushed when the container shuts down. + + * systemd-nspawn --image= option does now permit raw file system block + devices (in addition to images containing partition tables, as + before). + + * The disk image dissection logic in systemd-nspawn gained support for + automatically setting up LUKS encrypted as well as Verity protected + partitions. When a container is booted from an encrypted image the + passphrase is queried at start-up time. When a container with Verity + data is started, the root hash is search in a ".roothash" file + accompanying the disk image (alternatively, pass the root hash via + the new --root-hash= command line option). + + * A new tool /usr/lib/systemd/systemd-dissect has been added that may + be used to dissect disk images the same way as systemd-nspawn does + it, following the Bootable Partition Specification. It may even be + used to mount disk images with complex partition setups (including + LUKS and Verity partitions) to a local host directory, in order to + inspect them. This tool is not considered public API (yet), and is + thus not installed into /usr/bin. Please do not rely on its + existence, since it might go away or be changed in later systemd + versions. + + * A new generator "systemd-verity-generator" has been added, similar in + style to "systemd-cryptsetup-generator", permitting automatic setup of + Verity root partitions when systemd boots up. In order to make use of + this your partition setup should follow the Discoverable Partitions + Specification, and the GPT partition ID of the root file system + partition should be identical to the upper 128bit of the Verity root + hash. The GPT partition ID of the Verity partition protecting it + should be the lower 128bit of the Verity root hash. If the partition + image follows this model it is sufficient to specify a single + "roothash=" kernel command line argument to both configure which root + image and verity partition to use as well as the root hash for + it. Note that systemd-nspawn's Verity support follows the same + semantics, meaning that disk images with proper Verity data in place + may be booted in containers with systemd-nspawn as well as on + physical systems via the verity generator. Also note that the "mkosi" + tool available at https://github.com/systemd/mkosi has been updated + to generate Verity protected disk images following this scheme. In + fact, it has been updated to generate disk images that optionally + implement a complete UEFI SecureBoot trust chain, involving a signed + kernel and initrd image that incorporates such a root hash as well as + a Verity-enabled root partition. + + * The hardware database (hwdb) udev supports has been updated to carry + accelerometer quirks. + + * All system services are now run with a fresh kernel keyring set up + for them. The invocation ID is stored by default in it, thus + providing a safe, non-overridable way to determine the invocation + ID of each service. + + * Service unit files gained new BindPaths= and BindReadOnlyPaths= + options for bind mounting arbitrary paths in a service-specific + way. When these options are used, arbitrary host or service files and + directories may be mounted to arbitrary locations in the service's + view. + + * Documentation has been added that lists all of systemd's low-level + environment variables: + + https://github.com/systemd/systemd/blob/master/docs/ENVIRONMENT.md + + * sd-daemon gained a new API sd_is_socket_sockaddr() for determining + whether a specific socket file descriptor matches a specified socket + address. + + * systemd-firstboot has been updated to check for the + systemd.firstboot= kernel command line option. It accepts a boolean + and when set to false the first boot questions are skipped. + + * systemd-fstab-generator has been updated to check for the + systemd.volatile= kernel command line option, which either takes an + optional boolean parameter or the special value "state". If used the + system may be booted in a "volatile" boot mode. Specifically, + "systemd.volatile" is used, the root directory will be mounted as + tmpfs, and only /usr is mounted from the actual root file system. If + "systemd.volatile=state" is used, the root directory will be mounted + as usual, but /var is mounted as tmpfs. This concept provides similar + functionality as systemd-nspawn's --volatile= option, but provides it + on physical boots. Use this option for implementing stateless + systems, or testing systems with all state and/or configuration reset + to the defaults. (Note though that many distributions are not + prepared to boot up without a populated /etc or /var, though.) + + * systemd-gpt-auto-generator gained support for LUKS encrypted root + partitions. Previously it only supported LUKS encrypted partitions + for all other uses, except for the root partition itself. + + * Socket units gained support for listening on AF_VSOCK sockets for + communication in virtualized QEMU environments. + + * The "configure" script gained a new option --with-fallback-hostname= + for specifying the fallback hostname to use if none is configured in + /etc/hostname. For example, by specifying + --with-fallback-hostname=fedora it is possible to default to a + hostname of "fedora" on pristine installations. + + * systemd-cgls gained support for a new --unit= switch for listing only + the control groups of a specific unit. Similar --user-unit= has been + added for listing only the control groups of a specific user unit. + + * systemd-mount gained a new --umount switch for unmounting a mount or + automount point (and all mount/automount points below it). + + * systemd will now refuse full configuration reloads (via systemctl + daemon-reload and related calls) unless at least 16MiB of free space + are available in /run. This is a safety precaution in order to ensure + that generators can safely operate after the reload completed. + + * A new unit file option RootImage= has been added, which has a similar + effect as RootDirectory= but mounts the service's root directory from + a disk image instead of plain directory. This logic reuses the same + image dissection and mount logic that systemd-nspawn already uses, + and hence supports any disk images systemd-nspawn supports, including + those following the Discoverable Partition Specification, as well as + Verity enabled images. This option enables systemd to run system + services directly off disk images acting as resource bundles, + possibly even including full integrity data. + + * A new MountAPIVFS= unit file option has been added, taking a boolean + argument. If enabled /proc, /sys and /dev (collectively called the + "API VFS") will be mounted for the service. This is only relevant if + RootDirectory= or RootImage= is used for the service, as these mounts + are of course in place in the host mount namespace anyway. + + * systemd-nspawn gained support for a new --pivot-root= switch. If + specified the root directory within the container image is pivoted to + the specified mount point, while the original root disk is moved to a + different place. This option enables booting of ostree images + directly with systemd-nspawn. + + * The systemd build scripts will no longer complain if the NTP server + addresses are not changed from the defaults. Google now supports + these NTP servers officially. We still recommend downstreams to + properly register an NTP pool with the NTP pool project though. + + * coredumpctl gained a new "--reverse" option for printing the list + of coredumps in reverse order. + + * coredumpctl will now show additional information about truncated and + inaccessible coredumps, as well as coredumps that are still being + processed. It also gained a new --quiet switch for suppressing + additional informational message in its output. + + * coredumpctl gained support for only showing coredumps newer and/or + older than specific timestamps, using the new --since= and --until= + options, reminiscent of journalctl's options by the same name. + + * The systemd-coredump logic has been improved so that it may be reused + to collect backtraces in non-compiled languages, for example in + scripting languages such as Python. + + * machinectl will now show the UID shift of local containers, if user + namespacing is enabled for them. + + * systemd will now optionally run "environment generator" binaries at + configuration load time. They may be used to add environment + variables to the environment block passed to services invoked. One + user environment generator is shipped by default that sets up + environment variables based on files dropped into /etc/environment.d + and ~/.config/environment.d/. + + * systemd-resolved now includes the new, recently published 2017 DNSSEC + root key (KSK). + + * hostnamed has been updated to report a new chassis type of + "convertible" to cover "foldable" laptops that can both act as a + tablet and as a laptop, such as various Lenovo Yoga devices. + + Contributions from: Adrián López, Alexander Galanin, Alexander + Kochetkov, Alexandros Frantzis, Andrey Ulanov, Antoine Eiche, Baruch + Siach, Bastien Nocera, Benjamin Robin, Björn, Brandon Philips, Cédric + Schieli, Charles (Chas) Williams, Christian Hesse, Daniele Medri, + Daniel Drake, Daniel Rusek, Daniel Wagner, Dan Streetman, Dave Reisner, + David Glasser, David Herrmann, David Michael, Djalal Harouni, Dmitry + Khlebnikov, Dmitry Rozhkov, Dongsu Park, Douglas Christman, Earnestly, + Emil Soleyman, Eric Cook, Evgeny Vereshchagin, Felipe Sateler, Fionn + Cleary, Florian Klink, Francesco Brozzu, Franck Bui, Gabriel Rauter, + Gianluca Boiano, Giedrius Statkevičius, Graeme Lawes, Hans de Goede, + Harald Hoyer, Ian Kelling, Ivan Shapovalov, Jakub Wilk, Janne Heß, Jan + Synacek, Jason Reeder, Jonathan Boulle, Jörg Thalheim, Jouke Witteveen, + Karl Kraus, Kees Cook, Keith Busch, Kieran Colford, kilian-k, Lennart + Poettering, Lubomir Rintel, Lucas Werkmeister, Lukas Rusak, Maarten de + Vries, Maks Naumov, Mantas Mikulėnas, Marc-Andre Lureau, Marcin Bachry, + Mark Stosberg, Martin Ejdestig, Martin Pitt, Mauricio Faria de + Oliveira, micah, Michael Biebl, Michael Shields, Michal Schmidt, Michal + Sekletar, Michel Kraus, Mike Gilbert, Mikko Ylinen, Mirza Krak, + Namhyung Kim, nikolaof, peoronoob, Peter Hutterer, Peter Körner, Philip + Withnall, Piotr Drąg, Ray Strode, Reverend Homer, Rike-Benjamin + Schuppner, Robert Kreuzer, Ronny Chevalier, Ruslan Bilovol, sammynx, + Sergey Ptashnick, Sergiusz Urbaniak, Stefan Berger, Stefan Hajnoczi, + Stefan Schweter, Stuart McLaren, Susant Sahani, Sylvain Plantefève, + Taylor Smock, Tejun Heo, Thomas Blume, Thomas H. P. Andersen, Tibor + Nagy, Tobias Stoeckmann, Tom Gundersen, Torstein Husebø, Viktar + Vaŭčkievič, Viktor Mihajlovski, Vitaly Sulimov, Waldemar Brodkorb, + Walter Garcia-Fontes, Wim de With, Yassine Imounachen, Yi EungJun, + YunQiang Su, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Александр + Тихонов + + — Berlin, 2017-03-01 + +CHANGES WITH 232: + + * udev now runs with MemoryDenyWriteExecute=, RestrictRealtime= and + RestrictAddressFamilies= enabled. These sandboxing options should + generally be compatible with the various external udev call-out + binaries we are aware of, however there may be exceptions, in + particular when exotic languages for these call-outs are used. In + this case, consider turning off these settings locally. + + * The new RemoveIPC= option can be used to remove IPC objects owned by + the user or group of a service when that service exits. + + * The new ProtectKernelModules= option can be used to disable explicit + load and unload operations of kernel modules by a service. In + addition access to /usr/lib/modules is removed if this option is set. + + * ProtectSystem= option gained a new value "strict", which causes the + whole file system tree with the exception of /dev, /proc, and /sys, + to be remounted read-only for a service. + + * The new ProtectKernelTunables= option can be used to disable + modification of configuration files in /sys and /proc by a service. + Various directories and files are remounted read-only, so access is + restricted even if the file permissions would allow it. + + * The new ProtectControlGroups= option can be used to disable write + access by a service to /sys/fs/cgroup. + + * Various systemd services have been hardened with + ProtectKernelTunables=yes, ProtectControlGroups=yes, + RestrictAddressFamilies=. + + * Support for dynamically creating users for the lifetime of a service + has been added. If DynamicUser=yes is specified, user and group IDs + will be allocated from the range 61184..65519 for the lifetime of the + service. They can be resolved using the new nss-systemd.so NSS + module. The module must be enabled in /etc/nsswitch.conf. Services + started in this way have PrivateTmp= and RemoveIPC= enabled, so that + any resources allocated by the service will be cleaned up when the + service exits. They also have ProtectHome=read-only and + ProtectSystem=strict enabled, so they are not able to make any + permanent modifications to the system. + + * The nss-systemd module also always resolves root and nobody, making + it possible to have no /etc/passwd or /etc/group files in minimal + container or chroot environments. + + * Services may be started with their own user namespace using the new + boolean PrivateUsers= option. Only root, nobody, and the uid/gid + under which the service is running are mapped. All other users are + mapped to nobody. + + * Support for the cgroup namespace has been added to systemd-nspawn. If + supported by kernel, the container system started by systemd-nspawn + will have its own view of the cgroup hierarchy. This new behaviour + can be disabled using $SYSTEMD_NSPAWN_USE_CGNS environment variable. + + * The new MemorySwapMax= option can be used to limit the maximum swap + usage under the unified cgroup hierarchy. + + * Support for the CPU controller in the unified cgroup hierarchy has + been added, via the CPUWeight=, CPUStartupWeight=, CPUAccounting= + options. This controller requires out-of-tree patches for the kernel + and the support is provisional. + + * Mount and automount units may now be created transiently + (i.e. dynamically at runtime via the bus API, instead of requiring + unit files in the file system). + + * systemd-mount is a new tool which may mount file systems – much like + mount(8), optionally pulling in additional dependencies through + transient .mount and .automount units. For example, this tool + automatically runs fsck on a backing block device before mounting, + and allows the automount logic to be used dynamically from the + command line for establishing mount points. This tool is particularly + useful when dealing with removable media, as it will ensure fsck is + run – if necessary – before the first access and that the file system + is quickly unmounted after each access by utilizing the automount + logic. This maximizes the chance that the file system on the + removable media stays in a clean state, and if it isn't in a clean + state is fixed automatically. + + * LazyUnmount=yes option for mount units has been added to expose the + umount --lazy option. Similarly, ForceUnmount=yes exposes the --force + option. + + * /efi will be used as the mount point of the EFI boot partition, if + the directory is present, and the mount point was not configured + through other means (e.g. fstab). If /efi directory does not exist, + /boot will be used as before. This makes it easier to automatically + mount the EFI partition on systems where /boot is used for something + else. + + * When operating on GPT disk images for containers, systemd-nspawn will + now mount the ESP to /boot or /efi according to the same rules as PID + 1 running on a host. This allows tools like "bootctl" to operate + correctly within such containers, in order to make container images + bootable on physical systems. + + * disk/by-id and disk/by-path symlinks are now created for NVMe drives. + + * Two new user session targets have been added to support running + graphical sessions under the systemd --user instance: + graphical-session.target and graphical-session-pre.target. See + systemd.special(7) for a description of how those targets should be + used. + + * The vconsole initialization code has been significantly reworked to + use KD_FONT_OP_GET/SET ioctls instead of KD_FONT_OP_COPY and better + support unicode keymaps. Font and keymap configuration will now be + copied to all allocated virtual consoles. + + * FreeBSD's bhyve virtualization is now detected. + + * Information recorded in the journal for core dumps now includes the + contents of /proc/mountinfo and the command line of the process at + the top of the process hierarchy (which is usually the init process + of the container). + + * systemd-journal-gatewayd learned the --directory= option to serve + files from the specified location. + + * journalctl --root=… can be used to peruse the journal in the + /var/log/ directories inside of a container tree. This is similar to + the existing --machine= option, but does not require the container to + be active. + + * The hardware database has been extended to support + ID_INPUT_TRACKBALL, used in addition to ID_INPUT_MOUSE to identify + trackball devices. + + MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL hwdb property has been added to + specify the click rate for mice which include a horizontal wheel with + a click rate that is different than the one for the vertical wheel. + + * systemd-run gained a new --wait option that makes service execution + synchronous. (Specifically, the command will not return until the + specified service binary exited.) + + * systemctl gained a new --wait option that causes the start command to + wait until the units being started have terminated again. + + * A new journal output mode "short-full" has been added which displays + timestamps with abbreviated English day names and adds a timezone + suffix. Those timestamps include more information than the default + "short" output mode, and can be passed directly to journalctl's + --since= and --until= options. + + * /etc/resolv.conf will be bind-mounted into containers started by + systemd-nspawn, if possible, so any changes to resolv.conf contents + are automatically propagated to the container. + + * The number of instances for socket-activated services originating + from a single IP address can be limited with + MaxConnectionsPerSource=, extending the existing setting of + MaxConnections=. + + * systemd-networkd gained support for vcan ("Virtual CAN") interface + configuration. + + * .netdev and .network configuration can now be extended through + drop-ins. + + * UDP Segmentation Offload, TCP Segmentation Offload, Generic + Segmentation Offload, Generic Receive Offload, Large Receive Offload + can be enabled and disabled using the new UDPSegmentationOffload=, + TCPSegmentationOffload=, GenericSegmentationOffload=, + GenericReceiveOffload=, LargeReceiveOffload= options in the + [Link] section of .link files. + + * The Spanning Tree Protocol, Priority, Aging Time, and the Default + Port VLAN ID can be configured for bridge devices using the new STP=, + Priority=, AgeingTimeSec=, and DefaultPVID= settings in the [Bridge] + section of .netdev files. + + * The route table to which routes received over DHCP or RA should be + added can be configured with the new RouteTable= option in the [DHCP] + and [IPv6AcceptRA] sections of .network files. + + * The Address Resolution Protocol can be disabled on links managed by + systemd-networkd using the ARP=no setting in the [Link] section of + .network files. + + * New environment variables $SERVICE_RESULT, $EXIT_CODE and + $EXIT_STATUS are set for ExecStop= and ExecStopPost= commands, and + encode information about the result and exit codes of the current + service runtime cycle. + + * systemd-sysctl will now configure kernel parameters in the order + they occur in the configuration files. This matches what sysctl + has been traditionally doing. + + * kernel-install "plugins" that are executed to perform various + tasks after a new kernel is added and before an old one is removed + can now return a special value to terminate the procedure and + prevent any later plugins from running. + + * Journald's SplitMode=login setting has been deprecated. It has been + removed from documentation, and its use is discouraged. In a future + release it will be completely removed, and made equivalent to current + default of SplitMode=uid. + + * Storage=both option setting in /etc/systemd/coredump.conf has been + removed. With fast LZ4 compression storing the core dump twice is not + useful. + + * The --share-system systemd-nspawn option has been replaced with an + (undocumented) variable $SYSTEMD_NSPAWN_SHARE_SYSTEM, but the use of + this functionality is discouraged. In addition the variables + $SYSTEMD_NSPAWN_SHARE_NS_IPC, $SYSTEMD_NSPAWN_SHARE_NS_PID, + $SYSTEMD_NSPAWN_SHARE_NS_UTS may be used to control the unsharing of + individual namespaces. + + * "machinectl list" now shows the IP address of running containers in + the output, as well as OS release information. + + * "loginctl list" now shows the TTY of each session in the output. + + * sd-bus gained new API calls sd_bus_track_set_recursive(), + sd_bus_track_get_recursive(), sd_bus_track_count_name(), + sd_bus_track_count_sender(). They permit usage of sd_bus_track peer + tracking objects in a "recursive" mode, where a single client can be + counted multiple times, if it takes multiple references. + + * sd-bus gained new API calls sd_bus_set_exit_on_disconnect() and + sd_bus_get_exit_on_disconnect(). They may be used to make a + process using sd-bus automatically exit if the bus connection is + severed. + + * Bus clients of the service manager may now "pin" loaded units into + memory, by taking an explicit reference on them. This is useful to + ensure the client can retrieve runtime data about the service even + after the service completed execution. Taking such a reference is + available only for privileged clients and should be helpful to watch + running services in a race-free manner, and in particular collect + information about exit statuses and results. + + * The nss-resolve module has been changed to strictly return UNAVAIL + when communication via D-Bus with resolved failed, and NOTFOUND when + a lookup completed but was negative. This means it is now possible to + neatly configure fallbacks using nsswitch.conf result checking + expressions. Taking benefit of this, the new recommended + configuration line for the "hosts" entry in /etc/nsswitch.conf is: + + hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname + + * A new setting CtrlAltDelBurstAction= has been added to + /etc/systemd/system.conf which may be used to configure the precise + behaviour if the user on the console presses Ctrl-Alt-Del more often + than 7 times in 2s. Previously this would unconditionally result in + an expedited, immediate reboot. With this new setting the precise + operation may be configured in more detail, and also turned off + entirely. + + * In .netdev files two new settings RemoteChecksumTx= and + RemoteChecksumRx= are now understood that permit configuring the + remote checksumming logic for VXLAN networks. + + * The service manager learnt a new "invocation ID" concept for invoked + services. Each runtime cycle of a service will get a new invocation + ID (a 128bit random UUID) assigned that identifies the current + run of the service uniquely and globally. A new invocation ID + is generated each time a service starts up. The journal will store + the invocation ID of a service along with any logged messages, thus + making the invocation ID useful for matching the online runtime of a + service with the offline log data it generated in a safe way without + relying on synchronized timestamps. In many ways this new service + invocation ID concept is similar to the kernel's boot ID concept that + uniquely and globally identifies the runtime of each boot. The + invocation ID of a service is passed to the service itself via an + environment variable ($INVOCATION_ID). A new bus call + GetUnitByInvocationID() has been added that is similar to GetUnit() + but instead of retrieving the bus path for a unit by its name + retrieves it by its invocation ID. The returned path is valid only as + long as the passed invocation ID is current. + + * systemd-resolved gained a new "DNSStubListener" setting in + resolved.conf. It either takes a boolean value or the special values + "udp" and "tcp", and configures whether to enable the stub DNS + listener on 127.0.0.53:53. + + * IP addresses configured via networkd may now carry additional + configuration settings supported by the kernel. New options include: + HomeAddress=, DuplicateAddressDetection=, ManageTemporaryAddress=, + PrefixRoute=, AutoJoin=. + + * The PAM configuration fragment file for "user@.service" shipped with + systemd (i.e. the --user instance of systemd) has been stripped to + the minimum necessary to make the system boot. Previously, it + contained Fedora-specific stanzas that did not apply to other + distributions. It is expected that downstream distributions add + additional configuration lines, matching their needs to this file, + using it only as rough template of what systemd itself needs. Note + that this reduced fragment does not even include an invocation of + pam_limits which most distributions probably want to add, even though + systemd itself does not need it. (There's also the new build time + option --with-pamconfdir=no to disable installation of the PAM + fragment entirely.) + + * If PrivateDevices=yes is set for a service the CAP_SYS_RAWIO + capability is now also dropped from its set (in addition to + CAP_SYS_MKNOD as before). + + * In service unit files it is now possible to connect a specific named + file descriptor with stdin/stdout/stdout of an executed service. The + name may be specified in matching .socket units using the + FileDescriptorName= setting. + + * A number of journal settings may now be configured on the kernel + command line. Specifically, the following options are now understood: + systemd.journald.max_level_console=, + systemd.journald.max_level_store=, + systemd.journald.max_level_syslog=, systemd.journald.max_level_kmsg=, + systemd.journald.max_level_wall=. + + * "systemctl is-enabled --full" will now show by which symlinks a unit + file is enabled in the unit dependency tree. + + * Support for VeraCrypt encrypted partitions has been added to the + "cryptsetup" logic and /etc/crypttab. + + * systemd-detect-virt gained support for a new --private-users switch + that checks whether the invoking processes are running inside a user + namespace. Similar, a new special value "private-users" for the + existing ConditionVirtualization= setting has been added, permitting + skipping of specific units in user namespace environments. + + Contributions from: Alban Crequy, Alexander Kuleshov, Alfie John, + Andreas Henriksson, Andrew Jeddeloh, Balázs Úr, Bart Rulon, Benjamin + Richter, Ben Gamari, Ben Harris, Brian J. Murrell, Christian Brauner, + Christian Rebischke, Clinton Roy, Colin Walters, Cristian Rodríguez, + Daniel Hahler, Daniel Mack, Daniel Maixner, Daniel Rusek, Dan Dedrick, + Davide Cavalca, David Herrmann, David Michael, Dennis Wassenberg, + Djalal Harouni, Dongsu Park, Douglas Christman, Elias Probst, Eric + Cook, Erik Karlsson, Evgeny Vereshchagin, Felipe Sateler, Felix Zhang, + Franck Bui, George Hilliard, Giuseppe Scrivano, HATAYAMA Daisuke, + Heikki Kemppainen, Hendrik Brueckner, hi117, Ismo Puustinen, Ivan + Shapovalov, Jakub Filak, Jakub Wilk, Jan Synacek, Jason Kölker, + Jean-Sébastien Bour, Jiří Pírko, Jonathan Boulle, Jorge Niedbalski, + Keith Busch, kristbaum, Kyle Russell, Lans Zhang, Lennart Poettering, + Leonardo Brondani Schenkel, Lucas Werkmeister, Luca Bruno, Lukáš + Nykrýn, Maciek Borzecki, Mantas Mikulėnas, Marc-Antoine Perennou, + Marcel Holtmann, Marcos Mello, Martin Ejdestig, Martin Pitt, Matej + Habrnal, Maxime de Roucy, Michael Biebl, Michael Chapman, Michael Hoy, + Michael Olbrich, Michael Pope, Michal Sekletar, Michal Soltys, Mike + Gilbert, Nick Owens, Patrik Flykt, Paweł Szewczyk, Peter Hutterer, + Piotr Drąg, Reid Price, Richard W.M. Jones, Roman Stingler, Ronny + Chevalier, Seraphime Kirkovski, Stefan Schweter, Steve Muir, Susant + Sahani, Tejun Heo, Thomas Blume, Thomas H. P. Andersen, Tiago Levit, + Tobias Jungel, Tomáš Janoušek, Topi Miettinen, Torstein Husebø, Umut + Tezduyar Lindskog, Vito Caputo, WaLyong Cho, Wilhelm Schuster, Yann + E. MORIN, Yi EungJun, Yuki Inoguchi, Yu Watanabe, Zbigniew + Jędrzejewski-Szmek, Zeal Jagannatha + + — Santa Fe, 2016-11-03 + +CHANGES WITH 231: + + * In service units the various ExecXYZ= settings have been extended + with an additional special character as first argument of the + assigned value: if the character '+' is used the specified command + line it will be run with full privileges, regardless of User=, + Group=, CapabilityBoundingSet= and similar options. The effect is + similar to the existing PermissionsStartOnly= option, but allows + configuration of this concept for each executed command line + independently. + + * Services may now alter the service watchdog timeout at runtime by + sending a WATCHDOG_USEC= message via sd_notify(). + + * MemoryLimit= and related unit settings now optionally take percentage + specifications. The percentage is taken relative to the amount of + physical memory in the system (or in case of containers, the assigned + amount of memory). This allows scaling service resources neatly with + the amount of RAM available on the system. Similarly, systemd-logind's + RuntimeDirectorySize= option now also optionally takes percentage + values. + + * In similar fashion TasksMax= takes percentage values now, too. The + value is taken relative to the configured maximum number of processes + on the system. The per-service task maximum has been changed to 15% + using this functionality. (Effectively this is an increase of 512 → + 4915 for service units, given the kernel's default pid_max setting.) + + * Calendar time specifications in .timer units now understand a ".." + syntax for time ranges. Example: "4..7:10" may now be used for + defining a timer that is triggered at 4:10am, 5:10am, 6:10am and + 7:10am every day. + + * The InaccessableDirectories=, ReadOnlyDirectories= and + ReadWriteDirectories= unit file settings have been renamed to + InaccessablePaths=, ReadOnlyPaths= and ReadWritePaths= and may now be + applied to all kinds of file nodes, and not just directories, with + the exception of symlinks. Specifically these settings may now be + used on block and character device nodes, UNIX sockets and FIFOS as + well as regular files. The old names of these settings remain + available for compatibility. + + * systemd will now log about all service processes it kills forcibly + (using SIGKILL) because they remained after the clean shutdown phase + of the service completed. This should help identifying services that + shut down uncleanly. Moreover if KillUserProcesses= is enabled in + systemd-logind's configuration a similar log message is generated for + processes killed at the end of each session due to this setting. + + * systemd will now set the $JOURNAL_STREAM environment variable for all + services whose stdout/stderr are connected to the Journal (which + effectively means by default: all services). The variable contains + the device and inode number of the file descriptor used for + stdout/stderr. This may be used by invoked programs to detect whether + their stdout/stderr is connected to the Journal, in which case they + can switch over to direct Journal communication, thus being able to + pass extended, structured metadata along with their log messages. As + one example, this is now used by glib's logging primitives. + + * When using systemd's default tmp.mount unit for /tmp, the mount point + will now be established with the "nosuid" and "nodev" options. This + avoids privilege escalation attacks that put traps and exploits into + /tmp. However, this might cause problems if you e. g. put container + images or overlays into /tmp; if you need this, override tmp.mount's + "Options=" with a drop-in, or mount /tmp from /etc/fstab with your + desired options. + + * systemd now supports the "memory" cgroup controller also on + cgroup v2. + + * The systemd-cgtop tool now optionally takes a control group path as + command line argument. If specified, the control group list shown is + limited to subgroups of that group. + + * The SystemCallFilter= unit file setting gained support for + pre-defined, named system call filter sets. For example + SystemCallFilter=@clock is now an effective way to make all clock + changing-related system calls unavailable to a service. A number of + similar pre-defined groups are defined. Writing system call filters + for system services is simplified substantially with this new + concept. Accordingly, all of systemd's own, long-running services now + enable system call filtering based on this, by default. + + * A new service setting MemoryDenyWriteExecute= has been added, taking + a boolean value. If turned on, a service may no longer create memory + mappings that are writable and executable at the same time. This + enhances security for services where this is enabled as it becomes + harder to dynamically write and then execute memory in exploited + service processes. This option has been enabled for all of systemd's + own long-running services. + + * A new RestrictRealtime= service setting has been added, taking a + boolean argument. If set the service's processes may no longer + acquire realtime scheduling. This improves security as realtime + scheduling may otherwise be used to easily freeze the system. + + * systemd-nspawn gained a new switch --notify-ready= taking a boolean + value. This may be used for requesting that the system manager inside + of the container reports start-up completion to nspawn which then + propagates this notification further to the service manager + supervising nspawn itself. A related option NotifyReady= in .nspawn + files has been added too. This functionality allows ordering of the + start-up of multiple containers using the usual systemd ordering + primitives. + + * machinectl gained a new command "stop" that is an alias for + "terminate". + + * systemd-resolved gained support for contacting DNS servers on + link-local IPv6 addresses. + + * If systemd-resolved receives the SIGUSR2 signal it will now flush all + its caches. A method call for requesting the same operation has been + added to the bus API too, and is made available via "systemd-resolve + --flush-caches". + + * systemd-resolve gained a new --status switch. If passed a brief + summary of the used DNS configuration with per-interface information + is shown. + + * resolved.conf gained a new Cache= boolean option, defaulting to + on. If turned off local DNS caching is disabled. This comes with a + performance penalty in particular when DNSSEC is enabled. Note that + resolved disables its internal caching implicitly anyway, when the + configured DNS server is on a host-local IP address such as ::1 or + 127.0.0.1, thus automatically avoiding double local caching. + + * systemd-resolved now listens on the local IP address 127.0.0.53:53 + for DNS requests. This improves compatibility with local programs + that do not use the libc NSS or systemd-resolved's bus APIs for name + resolution. This minimal DNS service is only available to local + programs and does not implement the full DNS protocol, but enough to + cover local DNS clients. A new, static resolv.conf file, listing just + this DNS server is now shipped in /usr/lib/systemd/resolv.conf. It is + now recommended to make /etc/resolv.conf a symlink to this file in + order to route all DNS lookups to systemd-resolved, regardless if + done via NSS, the bus API or raw DNS packets. Note that this local + DNS service is not as fully featured as the libc NSS or + systemd-resolved's bus APIs. For example, as unicast DNS cannot be + used to deliver link-local address information (as this implies + sending a local interface index along), LLMNR/mDNS support via this + interface is severely restricted. It is thus strongly recommended for + all applications to use the libc NSS API or native systemd-resolved + bus API instead. + + * systemd-networkd's bridge support learned a new setting + VLANFiltering= for controlling VLAN filtering. Moreover a new section + in .network files has been added for configuring VLAN bridging in + more detail: VLAN=, EgressUntagged=, PVID= in [BridgeVLAN]. + + * systemd-networkd's IPv6 Router Advertisement code now makes use of + the DNSSL and RDNSS options. This means IPv6 DNS configuration may + now be acquired without relying on DHCPv6. Two new options + UseDomains= and UseDNS= have been added to configure this behaviour. + + * systemd-networkd's IPv6AcceptRouterAdvertisements= option has been + renamed IPv6AcceptRA=, without altering its behaviour. The old + setting name remains available for compatibility reasons. + + * The systemd-networkd VTI/VTI6 tunneling support gained new options + Key=, InputKey= and OutputKey=. + + * systemd-networkd gained support for VRF ("Virtual Routing Function") + interface configuration. + + * "systemctl edit" may now be used to create new unit files by + specifying the --force switch. + + * sd-event gained a new function sd_event_get_iteration() for + requesting the current iteration counter of the event loop. It starts + at zero and is increased by one with each event loop iteration. + + * A new rpm macro %systemd_ordering is provided by the macros.systemd + file. It can be used in lieu of %systemd_requires in packages which + don't use any systemd functionality and are intended to be installed + in minimal containers without systemd present. This macro provides + ordering dependencies to ensure that if the package is installed in + the same rpm transaction as systemd, systemd will be installed before + the scriptlets for the package are executed, allowing unit presets + to be handled. + + New macros %_systemdgeneratordir and %_systemdusergeneratordir have + been added to simplify packaging of generators. + + * The os-release file gained VERSION_CODENAME field for the + distribution nickname (e.g. VERSION_CODENAME=woody). + + * New udev property UDEV_DISABLE_PERSISTENT_STORAGE_RULES_FLAG=1 + can be set to disable parsing of metadata and the creation + of persistent symlinks for that device. + + * The v230 change to tag framebuffer devices (/dev/fb*) with "uaccess" + to make them available to logged-in users has been reverted. + + * Much of the common code of the various systemd components is now + built into an internal shared library libsystemd-shared-231.so + (incorporating the systemd version number in the name, to be updated + with future releases) that the components link to. This should + decrease systemd footprint both in memory during runtime and on + disk. Note that the shared library is not for public use, and is + neither API nor ABI stable, but is likely to change with every new + released update. Packagers need to make sure that binaries + linking to libsystemd-shared.so are updated in step with the + library. + + * Configuration for "mkosi" is now part of the systemd + repository. mkosi is a tool to easily build legacy-free OS images, + and is available on github: https://github.com/systemd/mkosi. If + "mkosi" is invoked in the build tree a new raw OS image is generated + incorporating the systemd sources currently being worked on and a + clean, fresh distribution installation. The generated OS image may be + booted up with "systemd-nspawn -b -i", qemu-kvm or on any physical + UEFI PC. This functionality is particularly useful to easily test + local changes made to systemd in a pristine, defined environment. See + doc/HACKING for details. + + * configure learned the --with-support-url= option to specify the + distribution's bugtracker. + + Contributions from: Alban Crequy, Alessandro Puccetti, Alessio Igor + Bogani, Alexander Kuleshov, Alexander Kurtz, Alex Gaynor, Andika + Triwidada, Andreas Pokorny, Andreas Rammhold, Andrew Jeddeloh, Ansgar + Burchardt, Atrotors, Benjamin Drung, Brian Boylston, Christian Hesse, + Christian Rebischke, Daniele Medri, Daniel Mack, Dave Reisner, David + Herrmann, David Michael, Djalal Harouni, Douglas Christman, Elias + Probst, Evgeny Vereshchagin, Federico Mena Quintero, Felipe Sateler, + Franck Bui, Harald Hoyer, Ian Lee, Ivan Shapovalov, Jakub Wilk, Jan + Janssen, Jean-Sébastien Bour, John Paul Adrian Glaubitz, Jouke + Witteveen, Kai Ruhnau, kpengboy, Kyle Walker, Lénaïc Huard, Lennart + Poettering, Luca Bruno, Lukas Lösche, Lukáš Nykrýn, mahkoh, Marcel + Holtmann, Martin Pitt, Marty Plummer, Matthieu Codron, Max Prokhorov, + Michael Biebl, Michael Karcher, Michael Olbrich, Michał Bartoszkiewicz, + Michal Sekletar, Michal Soltys, Minkyung, Muhammet Kara, mulkieran, + Otto Wallenius, Pablo Lezaeta Reyes, Peter Hutterer, Ronny Chevalier, + Rusty Bird, Stef Walter, Susant Sahani, Tejun Heo, Thomas Blume, Thomas + Haller, Thomas H. P. Andersen, Tobias Jungel, Tom Gundersen, Tom Yan, + Topi Miettinen, Torstein Husebø, Valentin Vidić, Viktar Vaŭčkievič, + WaLyong Cho, Weng Xuetian, Werner Fink, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2016-07-25 + +CHANGES WITH 230: + + * DNSSEC is now turned on by default in systemd-resolved (in + "allow-downgrade" mode), but may be turned off during compile time by + passing "--with-default-dnssec=no" to "configure" (and of course, + during runtime with DNSSEC= in resolved.conf). We recommend + downstreams to leave this on at least during development cycles and + report any issues with the DNSSEC logic upstream. We are very + interested in collecting feedback about the DNSSEC validator and its + limitations in the wild. Note however, that DNSSEC support is + probably nothing downstreams should turn on in stable distros just + yet, as it might create incompatibilities with a few DNS servers and + networks. We tried hard to make sure we downgrade to non-DNSSEC mode + automatically whenever we detect such incompatible setups, but there + might be systems we do not cover yet. Hence: please help us testing + the DNSSEC code, leave this on where you can, report back, but then + again don't consider turning this on in your stable, LTS or + production release just yet. (Note that you have to enable + nss-resolve in /etc/nsswitch.conf, to actually use systemd-resolved + and its DNSSEC mode for hostname resolution from local + applications.) + + * systemd-resolve conveniently resolves DANE records with the --tlsa + option and OPENPGPKEY records with the --openpgp option. It also + supports dumping raw DNS record data via the new --raw= switch. + + * systemd-logind will now by default terminate user processes that are + part of the user session scope unit (session-XX.scope) when the user + logs out. This behavior is controlled by the KillUserProcesses= + setting in logind.conf, and the previous default of "no" is now + changed to "yes". This means that user sessions will be properly + cleaned up after, but additional steps are necessary to allow + intentionally long-running processes to survive logout. + + While the user is logged in at least once, user@.service is running, + and any service that should survive the end of any individual login + session can be started at a user service or scope using systemd-run. + systemd-run(1) man page has been extended with an example which shows + how to run screen in a scope unit underneath user@.service. The same + command works for tmux. + + After the user logs out of all sessions, user@.service will be + terminated too, by default, unless the user has "lingering" enabled. + To effectively allow users to run long-term tasks even if they are + logged out, lingering must be enabled for them. See loginctl(1) for + details. The default polkit policy was modified to allow users to + set lingering for themselves without authentication. + + Previous defaults can be restored at compile time by the + --without-kill-user-processes option to "configure". + + * systemd-logind gained new configuration settings SessionsMax= and + InhibitorsMax=, both with a default of 8192. It will not register new + user sessions or inhibitors above this limit. + + * systemd-logind will now reload configuration on SIGHUP. + + * The unified cgroup hierarchy added in Linux 4.5 is now supported. + Use systemd.unified_cgroup_hierarchy=1 on the kernel command line to + enable. Also, support for the "io" cgroup controller in the unified + hierarchy has been added, so that the "memory", "pids" and "io" are + now the controllers that are supported on the unified hierarchy. + + WARNING: it is not possible to use previous systemd versions with + systemd.unified_cgroup_hierarchy=1 and the new kernel. Therefore it + is necessary to also update systemd in the initramfs if using the + unified hierarchy. An updated SELinux policy is also required. + + * LLDP support has been extended, and both passive (receive-only) and + active (sender) modes are supported. Passive mode ("routers-only") is + enabled by default in systemd-networkd. Active LLDP mode is enabled + by default for containers on the internal network. The "networkctl + lldp" command may be used to list information gathered. "networkctl + status" will also show basic LLDP information on connected peers now. + + * The IAID and DUID unique identifier sent in DHCP requests may now be + configured for the system and each .network file managed by + systemd-networkd using the DUIDType=, DUIDRawData=, IAID= options. + + * systemd-networkd gained support for configuring proxy ARP support for + each interface, via the ProxyArp= setting in .network files. It also + gained support for configuring the multicast querier feature of + bridge devices, via the new MulticastQuerier= setting in .netdev + files. Similarly, snooping on the IGMP traffic can be controlled + via the new setting MulticastSnooping=. + + A new setting PreferredLifetime= has been added for addresses + configured in .network file to configure the lifetime intended for an + address. + + The systemd-networkd DHCP server gained the option EmitRouter=, which + defaults to yes, to configure whether the DHCP Option 3 (Router) + should be emitted. + + * The testing tool /usr/lib/systemd/systemd-activate is renamed to + systemd-socket-activate and installed into /usr/bin. It is now fully + supported. + + * systemd-journald now uses separate threads to flush changes to disk + when closing journal files, thus reducing impact of slow disk I/O on + logging performance. + + * The sd-journal API gained two new calls + sd_journal_open_directory_fd() and sd_journal_open_files_fd() which + can be used to open journal files using file descriptors instead of + file or directory paths. sd_journal_open_container() has been + deprecated, sd_journal_open_directory_fd() should be used instead + with the flag SD_JOURNAL_OS_ROOT. + + * journalctl learned a new output mode "-o short-unix" that outputs log + lines prefixed by their UNIX time (i.e. seconds since Jan 1st, 1970 + UTC). It also gained support for a new --no-hostname setting to + suppress the hostname column in the family of "short" output modes. + + * systemd-ask-password now optionally skips printing of the password to + stdout with --no-output which can be useful in scripts. + + * Framebuffer devices (/dev/fb*) and 3D printers and scanners + (devices tagged with ID_MAKER_TOOL) are now tagged with + "uaccess" and are available to logged in users. + + * The DeviceAllow= unit setting now supports specifiers (with "%"). + + * "systemctl show" gained a new --value switch, which allows print a + only the contents of a specific unit property, without also printing + the property's name. Similar support was added to "show*" verbs + of loginctl and machinectl that output "key=value" lists. + + * A new unit type "generated" was added for files dynamically generated + by generator tools. Similarly, a new unit type "transient" is used + for unit files created using the runtime API. "systemctl enable" will + refuse to operate on such files. + + * A new command "systemctl revert" has been added that may be used to + revert to the vendor version of a unit file, in case local changes + have been made by adding drop-ins or overriding the unit file. + + * "machinectl clean" gained a new verb to automatically remove all or + just hidden container images. + + * systemd-tmpfiles gained support for a new line type "e" for emptying + directories, if they exist, without creating them if they don't. + + * systemd-nspawn gained support for automatically patching the UID/GIDs + of the owners and the ACLs of all files and directories in a + container tree to match the UID/GID user namespacing range selected + for the container invocation. This mode is enabled via the new + --private-users-chown switch. It also gained support for + automatically choosing a free, previously unused UID/GID range when + starting a container, via the new --private-users=pick setting (which + implies --private-users-chown). Together, these options for the first + time make user namespacing for nspawn containers fully automatic and + thus deployable. The systemd-nspawn@.service template unit file has + been changed to use this functionality by default. + + * systemd-nspawn gained a new --network-zone= switch, that allows + creating ad-hoc virtual Ethernet links between multiple containers, + that only exist as long as at least one container referencing them is + running. This allows easy connecting of multiple containers with a + common link that implements an Ethernet broadcast domain. Each of + these network "zones" may be named relatively freely by the user, and + may be referenced by any number of containers, but each container may + only reference one of these "zones". On the lower level, this is + implemented by an automatically managed bridge network interface for + each zone, that is created when the first container referencing its + zone is created and removed when the last one referencing its zone + terminates. + + * The default start timeout may now be configured on the kernel command + line via systemd.default_timeout_start_sec=. It was already + configurable via the DefaultTimeoutStartSec= option in + /etc/systemd/system.conf. + + * Socket units gained a new TriggerLimitIntervalSec= and + TriggerLimitBurst= setting to configure a limit on the activation + rate of the socket unit. + + * The LimitNICE= setting now optionally takes normal UNIX nice values + in addition to the raw integer limit value. If the specified + parameter is prefixed with "+" or "-" and is in the range -20..19 the + value is understood as UNIX nice value. If not prefixed like this it + is understood as raw RLIMIT_NICE limit. + + * Note that the effect of the PrivateDevices= unit file setting changed + slightly with this release: the per-device /dev file system will be + mounted read-only from this version on, and will have "noexec" + set. This (minor) change of behavior might cause some (exceptional) + legacy software to break, when PrivateDevices=yes is set for its + service. Please leave PrivateDevices= off if you run into problems + with this. + + * systemd-bootchart has been split out to a separate repository: + https://github.com/systemd/systemd-bootchart + + * systemd-bus-proxyd has been removed, as kdbus is unlikely to still be + merged into the kernel in its current form. + + * The compatibility libraries libsystemd-daemon.so, + libsystemd-journal.so, libsystemd-id128.so, and libsystemd-login.so + which have been deprecated since systemd-209 have been removed along + with the corresponding pkg-config files. All symbols provided by + those libraries are provided by libsystemd.so. + + * The Capabilities= unit file setting has been removed (it is ignored + for backwards compatibility). AmbientCapabilities= and + CapabilityBoundingSet= should be used instead. + + * A new special target has been added, initrd-root-device.target, + which creates a synchronization point for dependencies of the root + device in early userspace. Initramfs builders must ensure that this + target is now included in early userspace. + + Contributions from: Alban Crequy, Alexander Kuleshov, Alexander Shopov, + Alex Crawford, Andre Klärner, Andrew Eikum, Beniamino Galvani, Benjamin + Robin, Biao Lu, Bjørnar Ness, Calvin Owens, Christian Hesse, Clemens + Gruber, Colin Guthrie, Daniel Drake, Daniele Medri, Daniel J Walsh, + Daniel Mack, Dan Nicholson, daurnimator, David Herrmann, David + R. Hedges, Elias Probst, Emmanuel Gil Peyrot, EMOziko, Evgeny + Vereshchagin, Federico, Felipe Sateler, Filipe Brandenburger, Franck + Bui, frankheckenbach, gdamjan, Georgia Brikis, Harald Hoyer, Hendrik + Brueckner, Hristo Venev, Iago López Galeiras, Ian Kelling, Ismo + Puustinen, Jakub Wilk, Jaroslav Škarvada, Jeff Huang, Joel Holdsworth, + John Paul Adrian Glaubitz, Jonathan Boulle, kayrus, Klearchos + Chaloulos, Kyle Russell, Lars Uebernickel, Lennart Poettering, Lubomir + Rintel, Lukáš Nykrýn, Mantas Mikulėnas, Marcel Holtmann, Martin Pitt, + Michael Biebl, michaelolbrich, Michał Bartoszkiewicz, Michal Koutný, + Michal Sekletar, Mike Frysinger, Mike Gilbert, Mingcong Bai, Ming Lin, + mulkieran, muzena, Nalin Dahyabhai, Naohiro Aota, Nathan McSween, + Nicolas Braud-Santoni, Patrik Flykt, Peter Hutterer, Peter Mattern, + Petr Lautrbach, Petros Angelatos, Piotr Drąg, Rabin Vincent, Robert + Węcławski, Ronny Chevalier, Samuel Tardieu, Stefan Saraev, Stefan + Schallenberg aka nafets227, Steven Siloti, Susant Sahani, Sylvain + Plantefève, Taylor Smock, Tejun Heo, Thomas Blume, Thomas Haller, + Thomas H. P. Andersen, Tobias Klauser, Tom Gundersen, topimiettinen, + Torstein Husebø, Umut Tezduyar Lindskog, Uwe Kleine-König, Victor Toso, + Vinay Kulkarni, Vito Caputo, Vittorio G (VittGam), Vladimir Panteleev, + Wieland Hoffmann, Wouter Verhelst, Yu Watanabe, Zbigniew + Jędrzejewski-Szmek + + — Fairfax, 2016-05-21 + +CHANGES WITH 229: + + * The systemd-resolved DNS resolver service has gained a substantial + set of new features, most prominently it may now act as a DNSSEC + validating stub resolver. DNSSEC mode is currently turned off by + default, but is expected to be turned on by default in one of the + next releases. For now, we invite everybody to test the DNSSEC logic + by setting DNSSEC=allow-downgrade in /etc/systemd/resolved.conf. The + service also gained a full set of D-Bus interfaces, including calls + to configure DNS and DNSSEC settings per link (for use by external + network management software). systemd-resolved and systemd-networkd + now distinguish between "search" and "routing" domains. The former + are used to qualify single-label names, the latter are used purely + for routing lookups within certain domains to specific links. + resolved now also synthesizes RRs for all entries from /etc/hosts. + + * The systemd-resolve tool (which is a client utility for + systemd-resolved) has been improved considerably and is now fully + supported and documented. Hence it has moved from /usr/lib/systemd to + /usr/bin. + + * /dev/disk/by-path/ symlink support has been (re-)added for virtio + devices. + + * The coredump collection logic has been reworked: when a coredump is + collected it is now written to disk, compressed and processed + (including stacktrace extraction) from a new instantiated service + systemd-coredump@.service, instead of directly from the + /proc/sys/kernel/core_pattern hook we provide. This is beneficial as + processing large coredumps can take up a substantial amount of + resources and time, and this previously happened entirely outside of + systemd's service supervision. With the new logic the core_pattern + hook only does minimal metadata collection before passing off control + to the new instantiated service, which is configured with a time + limit, a nice level and other settings to minimize negative impact on + the rest of the system. Also note that the new logic will honour the + RLIMIT_CORE setting of the crashed process, which now allows users + and processes to turn off coredumping for their processes by setting + this limit. + + * The RLIMIT_CORE resource limit now defaults to "unlimited" for PID 1 + and all forked processes by default. Previously, PID 1 would leave + the setting at "0" for all processes, as set by the kernel. Note that + the resource limit traditionally has no effect on the generated + coredumps on the system if the /proc/sys/kernel/core_pattern hook + logic is used. Since the limit is now honoured (see above) its + default has been changed so that the coredumping logic is enabled by + default for all processes, while allowing specific opt-out. + + * When the stacktrace is extracted from processes of system users, this + is now done as "systemd-coredump" user, in order to sandbox this + potentially security sensitive parsing operation. (Note that when + processing coredumps of normal users this is done under the user ID + of process that crashed, as before.) Packagers should take notice + that it is now necessary to create the "systemd-coredump" system user + and group at package installation time. + + * The systemd-activate socket activation testing tool gained support + for SOCK_DGRAM and SOCK_SEQPACKET sockets using the new --datagram + and --seqpacket switches. It also has been extended to support both + new-style and inetd-style file descriptor passing. Use the new + --inetd switch to request inetd-style file descriptor passing. + + * Most systemd tools now honor a new $SYSTEMD_COLORS environment + variable, which takes a boolean value. If set to false, ANSI color + output is disabled in the tools even when run on a terminal that + supports it. + + * The VXLAN support in networkd now supports two new settings + DestinationPort= and PortRange=. + + * A new systemd.machine_id= kernel command line switch has been added, + that may be used to set the machine ID in /etc/machine-id if it is + not initialized yet. This command line option has no effect if the + file is already initialized. + + * systemd-nspawn gained a new --as-pid2 switch that invokes any + specified command line as PID 2 rather than PID 1 in the + container. In this mode PID 1 is a minimal stub init process that + implements the special POSIX and Linux semantics of PID 1 regarding + signal and child process management. Note that this stub init process + is implemented in nspawn itself and requires no support from the + container image. This new logic is useful to support running + arbitrary commands in the container, as normal processes are + generally not prepared to run as PID 1. + + * systemd-nspawn gained a new --chdir= switch for setting the current + working directory for the process started in the container. + + * "journalctl /dev/sda" will now output all kernel log messages for + specified device from the current boot, in addition to all devices + that are parents of it. This should make log output about devices + pretty useful, as long as kernel drivers attach enough metadata to + the log messages. (The usual SATA drivers do.) + + * The sd-journal API gained two new calls + sd_journal_has_runtime_files() and sd_journal_has_persistent_files() + that report whether log data from /run or /var has been found. + + * journalctl gained a new switch "--fields" that prints all journal + record field names currently in use in the journal. This is backed + by two new sd-journal API calls sd_journal_enumerate_fields() and + sd_journal_restart_fields(). + + * Most configurable timeouts in systemd now expect an argument of + "infinity" to turn them off, instead of "0" as before. The semantics + from now on is that a timeout of "0" means "now", and "infinity" + means "never". To maintain backwards compatibility, "0" continues to + turn off previously existing timeout settings. + + * "systemctl reload-or-try-restart" has been renamed to "systemctl + try-reload-or-restart" to clarify what it actually does: the "try" + logic applies to both reloading and restarting, not just restarting. + The old name continues to be accepted for compatibility. + + * On boot-up, when PID 1 detects that the system clock is behind the + release date of the systemd version in use, the clock is now set + to the latter. Previously, this was already done in timesyncd, in order + to avoid running with clocks set to the various clock epochs such as + 1902, 1938 or 1970. With this change the logic is now done in PID 1 + in addition to timesyncd during early boot-up, so that it is enforced + before the first process is spawned by systemd. Note that the logic + in timesyncd remains, as it is more comprehensive and ensures + clock monotonicity by maintaining a persistent timestamp file in + /var. Since /var is generally not available in earliest boot or the + initrd, this part of the logic remains in timesyncd, and is not done + by PID 1. + + * Support for tweaking details in net_cls.class_id through the + NetClass= configuration directive has been removed, as the kernel + people have decided to deprecate that controller in cgroup v2. + Userspace tools such as nftables are moving over to setting rules + that are specific to the full cgroup path of a task, which obsoletes + these controllers anyway. The NetClass= directive is kept around for + legacy compatibility reasons. For a more in-depth description of the + kernel change, please refer to the respective upstream commit: + + https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bd1060a1d671 + + * A new service setting RuntimeMaxSec= has been added that may be used + to specify a maximum runtime for a service. If the timeout is hit, the + service is terminated and put into a failure state. + + * A new service setting AmbientCapabilities= has been added. It allows + configuration of additional Linux process capabilities that are + passed to the activated processes. This is only available on very + recent kernels. + + * The process resource limit settings in service units may now be used + to configure hard and soft limits individually. + + * The various libsystemd APIs such as sd-bus or sd-event now publicly + expose support for gcc's __attribute__((cleanup())) C extension. + Specifically, for many object destructor functions alternative + versions have been added that have names suffixed with "p" and take a + pointer to a pointer to the object to destroy, instead of just a + pointer to the object itself. This is useful because these destructor + functions may be used directly as parameters to the cleanup + construct. Internally, systemd has been a heavy user of this GCC + extension for a long time, and with this change similar support is + now available to consumers of the library outside of systemd. Note + that by using this extension in your sources compatibility with old + and strictly ANSI compatible C compilers is lost. However, all gcc or + LLVM versions of recent years support this extension. + + * Timer units gained support for a new setting RandomizedDelaySec= that + allows configuring some additional randomized delay to the configured + time. This is useful to spread out timer events to avoid load peaks in + clusters or larger setups. + + * Calendar time specifications now support sub-second accuracy. + + * Socket units now support listening on SCTP and UDP-lite protocol + sockets. + + * The sd-event API now comes with a full set of man pages. + + * Older versions of systemd contained experimental support for + compressing journal files and coredumps with the LZ4 compressor that + was not compatible with the lz4 binary (due to API limitations of the + lz4 library). This support has been removed; only support for files + compatible with the lz4 binary remains. This LZ4 logic is now + officially supported and no longer considered experimental. + + * The dkr image import logic has been removed again from importd. dkr's + micro-services focus doesn't fit into the machine image focus of + importd, and quickly got out of date with the upstream dkr API. + + * Creation of the /run/lock/lockdev/ directory was dropped from + tmpfiles.d/legacy.conf. Better locking mechanisms like flock() have + been available for many years. If you still need this, you need to + create your own tmpfiles.d config file with: + + d /run/lock/lockdev 0775 root lock - + + * The settings StartLimitBurst=, StartLimitInterval=, StartLimitAction= + and RebootArgument= have been moved from the [Service] section of + unit files to [Unit], and they are now supported on all unit types, + not just service units. Of course, systemd will continue to + understand these settings also at the old location, in order to + maintain compatibility. + + Contributions from: Abdo Roig-Maranges, Alban Crequy, Aleksander + Adamowski, Alexander Kuleshov, Andreas Pokorny, Andrei Borzenkov, + Andrew Wilcox, Arthur Clement, Beniamino Galvani, Casey Schaufler, + Chris Atkinson, Chris Mayo, Christian Hesse, Damjan Georgievski, Dan + Dedrick, Daniele Medri, Daniel J Walsh, Daniel Korostil, Daniel Mack, + David Herrmann, Dimitri John Ledkov, Dominik Hannen, Douglas Christman, + Evgeny Vereshchagin, Filipe Brandenburger, Franck Bui, Gabor Kelemen, + Harald Hoyer, Hayden Walles, Helmut Grohne, Henrik Kaare Poulsen, + Hristo Venev, Hui Wang, Indrajit Raychaudhuri, Ismo Puustinen, Jakub + Wilk, Jan Alexander Steffens (heftig), Jan Engelhardt, Jan Synacek, + Joost Bremmer, Jorgen Schaefer, Karel Zak, Klearchos Chaloulos, + lc85446, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas, Marcel + Holtmann, Martin Pitt, Michael Biebl, Michael Olbrich, Michael Scherer, + Michał Górny, Michal Sekletar, Nicolas Cornu, Nicolas Iooss, Nils + Carlson, nmartensen, nnz1024, Patrick Ohly, Peter Hutterer, Phillip Sz, + Ronny Chevalier, Samu Kallio, Shawn Landden, Stef Walter, Susant + Sahani, Sylvain Plantefève, Tadej Janež, Thomas Hindoe Paaboel + Andersen, Tom Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Vito + Caputo, WaLyong Cho, Yu Watanabe, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2016-02-11 + +CHANGES WITH 228: + + * A number of properties previously only settable in unit + files are now also available as properties to set when + creating transient units programmatically via the bus, as it + is exposed with systemd-run's --property= + setting. Specifically, these are: SyslogIdentifier=, + SyslogLevelPrefix=, TimerSlackNSec=, OOMScoreAdjust=, + EnvironmentFile=, ReadWriteDirectories=, + ReadOnlyDirectories=, InaccessibleDirectories=, + ProtectSystem=, ProtectHome=, RuntimeDirectory=. + + * When creating transient services via the bus API it is now + possible to pass in a set of file descriptors to use as + STDIN/STDOUT/STDERR for the invoked process. + + * Slice units may now be created transiently via the bus APIs, + similar to the way service and scope units may already be + created transiently. + + * Wherever systemd expects a calendar timestamp specification + (like in journalctl's --since= and --until= switches) UTC + timestamps are now supported. Timestamps suffixed with "UTC" + are now considered to be in Universal Time Coordinated + instead of the local timezone. Also, timestamps may now + optionally be specified with sub-second accuracy. Both of + these additions also apply to recurring calendar event + specification, such as OnCalendar= in timer units. + + * journalctl gained a new "--sync" switch that asks the + journal daemon to write all so far unwritten log messages to + disk and sync the files, before returning. + + * systemd-tmpfiles learned two new line types "q" and "Q" that + operate like "v", but also set up a basic btrfs quota + hierarchy when used on a btrfs file system with quota + enabled. + + * tmpfiles' "v", "q" and "Q" will now create a plain directory + instead of a subvolume (even on a btrfs file system) if the + root directory is a plain directory, and not a + subvolume. This should simplify things with certain chroot() + environments which are not aware of the concept of btrfs + subvolumes. + + * systemd-detect-virt gained a new --chroot switch to detect + whether execution takes place in a chroot() environment. + + * CPUAffinity= now takes CPU index ranges in addition to + individual indexes. + + * The various memory-related resource limit settings (such as + LimitAS=) now understand the usual K, M, G, ... suffixes to + the base of 1024 (IEC). Similar, the time-related resource + limit settings understand the usual min, h, day, ... + suffixes now. + + * There's a new system.conf setting DefaultTasksMax= to + control the default TasksMax= setting for services and + scopes running on the system. (TasksMax= is the primary + setting that exposes the "pids" cgroup controller on systemd + and was introduced in the previous systemd release.) The + setting now defaults to 512, which means services that are + not explicitly configured otherwise will only be able to + create 512 processes or threads at maximum, from this + version on. Note that this means that thread- or + process-heavy services might need to be reconfigured to set + TasksMax= to a higher value. It is sufficient to set + TasksMax= in these specific unit files to a higher value, or + even "infinity". Similar, there's now a logind.conf setting + UserTasksMax= that defaults to 4096 and limits the total + number of processes or tasks each user may own + concurrently. nspawn containers also have the TasksMax= + value set by default now, to 8192. Note that all of this + only has an effect if the "pids" cgroup controller is + enabled in the kernel. The general benefit of these changes + should be a more robust and safer system, that provides a + certain amount of per-service fork() bomb protection. + + * systemd-nspawn gained the new --network-veth-extra= switch + to define additional and arbitrarily-named virtual Ethernet + links between the host and the container. + + * A new service execution setting PassEnvironment= has been + added that allows importing select environment variables + from PID1's environment block into the environment block of + the service. + + * Timer units gained support for a new RemainAfterElapse= + setting which takes a boolean argument. It defaults to on, + exposing behaviour unchanged to previous releases. If set to + off, timer units are unloaded after they elapsed if they + cannot elapse again. This is particularly useful for + transient timer units, which shall not stay around longer + than until they first elapse. + + * systemd will now bump the net.unix.max_dgram_qlen to 512 by + default now (the kernel default is 16). This is beneficial + for avoiding blocking on AF_UNIX/SOCK_DGRAM sockets since it + allows substantially larger numbers of queued + datagrams. This should increase the capability of systemd to + parallelize boot-up, as logging and sd_notify() are unlikely + to stall execution anymore. If you need to change the value + from the new defaults, use the usual sysctl.d/ snippets. + + * The compression framing format used by the journal or + coredump processing has changed to be in line with what the + official LZ4 tools generate. LZ4 compression support in + systemd was considered unsupported previously, as the format + was not compatible with the normal tools. With this release + this has changed now, and it is hence safe for downstream + distributions to turn it on. While not compressing as well + as the XZ, LZ4 is substantially faster, which makes + it a good default choice for the compression logic in the + journal and in coredump handling. + + * Any reference to /etc/mtab has been dropped from + systemd. The file has been obsolete since a while, but + systemd refused to work on systems where it was incorrectly + set up (it should be a symlink or non-existent). Please make + sure to update to util-linux 2.27.1 or newer in conjunction + with this systemd release, which also drops any reference to + /etc/mtab. If you maintain a distribution make sure that no + software you package still references it, as this is a + likely source of bugs. There's also a glibc bug pending, + asking for removal of any reference to this obsolete file: + + https://sourceware.org/bugzilla/show_bug.cgi?id=19108 + + Note that only util-linux versions built with + --enable-libmount-force-mountinfo are supported. + + * Support for the ".snapshot" unit type has been removed. This + feature turned out to be little useful and little used, and + has now been removed from the core and from systemctl. + + * The dependency types RequiresOverridable= and + RequisiteOverridable= have been removed from systemd. They + have been used only very sparingly to our knowledge and + other options that provide a similar effect (such as + systemctl --mode=ignore-dependencies) are much more useful + and commonly used. Moreover, they were only half-way + implemented as the option to control behaviour regarding + these dependencies was never added to systemctl. By removing + these dependency types the execution engine becomes a bit + simpler. Unit files that use these dependencies should be + changed to use the non-Overridable dependency types + instead. In fact, when parsing unit files with these + options, that's what systemd will automatically convert them + too, but it will also warn, asking users to fix the unit + files accordingly. Removal of these dependency types should + only affect a negligible number of unit files in the wild. + + * Behaviour of networkd's IPForward= option changed + (again). It will no longer maintain a per-interface setting, + but propagate one way from interfaces where this is enabled + to the global kernel setting. The global setting will be + enabled when requested by a network that is set up, but + never be disabled again. This change was made to make sure + IPv4 and IPv6 behaviour regarding packet forwarding is + similar (as the Linux IPv6 stack does not support + per-interface control of this setting) and to minimize + surprises. + + * In unit files the behaviour of %u, %U, %h, %s has + changed. These specifiers will now unconditionally resolve + to the various user database fields of the user that the + systemd instance is running as, instead of the user + configured in the specific unit via User=. Note that this + effectively doesn't change much, as resolving of these + specifiers was already turned off in the --system instance + of systemd, as we cannot do NSS lookups from PID 1. In the + --user instance of systemd these specifiers where correctly + resolved, but hardly made any sense, since the user instance + lacks privileges to do user switches anyway, and User= is + hence useless. Moreover, even in the --user instance of + systemd behaviour was awkward as it would only take settings + from User= assignment placed before the specifier into + account. In order to unify and simplify the logic around + this the specifiers will now always resolve to the + credentials of the user invoking the manager (which in case + of PID 1 is the root user). + + Contributions from: Andrew Jones, Beniamino Galvani, Boyuan + Yang, Daniel Machon, Daniel Mack, David Herrmann, David + Reynolds, David Strauss, Dongsu Park, Evgeny Vereshchagin, + Felipe Sateler, Filipe Brandenburger, Franck Bui, Hristo + Venev, Iago López Galeiras, Jan Engelhardt, Jan Janssen, Jan + Synacek, Jesus Ornelas Aguayo, Karel Zak, kayrus, Kay Sievers, + Lennart Poettering, Liu Yuan Yuan, Mantas Mikulėnas, Marcel + Holtmann, Marcin Bachry, Marcos Alano, Marcos Mello, Mark + Theunissen, Martin Pitt, Michael Marineau, Michael Olbrich, + Michal Schmidt, Michal Sekletar, Mirco Tischler, Nick Owens, + Nicolas Cornu, Patrik Flykt, Peter Hutterer, reverendhomer, + Ronny Chevalier, Sangjung Woo, Seong-ho Cho, Shawn Landden, + Susant Sahani, Thomas Haller, Thomas Hindoe Paaboel Andersen, + Tom Gundersen, Torstein Husebø, Vito Caputo, Zbigniew + Jędrzejewski-Szmek + + — Berlin, 2015-11-18 + +CHANGES WITH 227: + + * systemd now depends on util-linux v2.27. More specifically, + the newly added mount monitor feature in libmount now + replaces systemd's former own implementation. + + * libmount mandates /etc/mtab not to be regular file, and + systemd now enforces this condition at early boot. + /etc/mtab has been deprecated and warned about for a very + long time, so systems running systemd should already have + stopped having this file around as anything else than a + symlink to /proc/self/mounts. + + * Support for the "pids" cgroup controller has been added. It + allows accounting the number of tasks in a cgroup and + enforcing limits on it. This adds two new setting + TasksAccounting= and TasksMax= to each unit, as well as a + global option DefaultTasksAccounting=. + + * Support for the "net_cls" cgroup controller has been added. + It allows assigning a net class ID to each task in the + cgroup, which can then be used in firewall rules and traffic + shaping configurations. Note that the kernel netfilter net + class code does not currently work reliably for ingress + packets on unestablished sockets. + + This adds a new config directive called NetClass= to CGroup + enabled units. Allowed values are positive numbers for fixed + assignments and "auto" for picking a free value + automatically. + + * 'systemctl is-system-running' now returns 'offline' if the + system is not booted with systemd. This command can now be + used as a substitute for 'systemd-notify --booted'. + + * Watchdog timeouts have been increased to 3 minutes for all + in-tree service files. Apparently, disk IO issues are more + frequent than we hoped, and user reported >1 minute waiting + for disk IO. + + * 'machine-id-commit' functionality has been merged into + 'machine-id-setup --commit'. The separate binary has been + removed. + + * The WorkingDirectory= directive in unit files may now be set + to the special value '~'. In this case, the working + directory is set to the home directory of the user + configured in User=. + + * "machinectl shell" will now open the shell in the home + directory of the selected user by default. + + * The CrashChVT= configuration file setting is renamed to + CrashChangeVT=, following our usual logic of not + abbreviating unnecessarily. The old directive is still + supported for compat reasons. Also, this directive now takes + an integer value between 1 and 63, or a boolean value. The + formerly supported '-1' value for disabling stays around for + compat reasons. + + * The PrivateTmp=, PrivateDevices=, PrivateNetwork=, + NoNewPrivileges=, TTYPath=, WorkingDirectory= and + RootDirectory= properties can now be set for transient + units. + + * The systemd-analyze tool gained a new "set-log-target" verb + to change the logging target the system manager logs to + dynamically during runtime. This is similar to how + "systemd-analyze set-log-level" already changes the log + level. + + * In nspawn /sys is now mounted as tmpfs, with only a selected + set of subdirectories mounted in from the real sysfs. This + enhances security slightly, and is useful for ensuring user + namespaces work correctly. + + * Support for USB FunctionFS activation has been added. This + allows implementation of USB gadget services that are + activated as soon as they are requested, so that they don't + have to run continuously, similar to classic socket + activation. + + * The "systemctl exit" command now optionally takes an + additional parameter that sets the exit code to return from + the systemd manager when exiting. This is only relevant when + running the systemd user instance, or when running the + system instance in a container. + + * sd-bus gained the new API calls sd_bus_path_encode_many() + and sd_bus_path_decode_many() that allow easy encoding and + decoding of multiple identifier strings inside a D-Bus + object path. Another new call sd_bus_default_flush_close() + has been added to flush and close per-thread default + connections. + + * systemd-cgtop gained support for a -M/--machine= switch to + show the control groups within a certain container only. + + * "systemctl kill" gained support for an optional --fail + switch. If specified the requested operation will fail of no + processes have been killed, because the unit had no + processes attached, or similar. + + * A new systemd.crash_reboot=1 kernel command line option has + been added that triggers a reboot after crashing. This can + also be set through CrashReboot= in systemd.conf. + + * The RuntimeDirectory= setting now understands unit + specifiers like %i or %f. + + * A new (still internal) library API sd-ipv4acd has been added, + that implements address conflict detection for IPv4. It's + based on code from sd-ipv4ll, and will be useful for + detecting DHCP address conflicts. + + * File descriptors passed during socket activation may now be + named. A new API sd_listen_fds_with_names() is added to + access the names. The default names may be overridden, + either in the .socket file using the FileDescriptorName= + parameter, or by passing FDNAME= when storing the file + descriptors using sd_notify(). + + * systemd-networkd gained support for: + + - Setting the IPv6 Router Advertisement settings via + IPv6AcceptRouterAdvertisements= in .network files. + + - Configuring the HelloTimeSec=, MaxAgeSec= and + ForwardDelaySec= bridge parameters in .netdev files. + + - Configuring PreferredSource= for static routes in + .network files. + + * The "ask-password" framework used to query for LUKS harddisk + passwords or SSL passwords during boot gained support for + caching passwords in the kernel keyring, if it is + available. This makes sure that the user only has to type in + a passphrase once if there are multiple objects to unlock + with the same one. Previously, such password caching was + available only when Plymouth was used; this moves the + caching logic into the systemd codebase itself. The + "systemd-ask-password" utility gained a new --keyname= + switch to control which kernel keyring key to use for + caching a password in. This functionality is also useful for + enabling display managers such as gdm to automatically + unlock the user's GNOME keyring if its passphrase, the + user's password and the harddisk password are the same, if + gdm-autologin is used. + + * When downloading tar or raw images using "machinectl + pull-tar" or "machinectl pull-raw", a matching ".nspawn" + file is now also downloaded, if it is available and stored + next to the image file. + + * Units of type ".socket" gained a new boolean setting + Writable= which is only useful in conjunction with + ListenSpecial=. If true, enables opening the specified + special file in O_RDWR mode rather than O_RDONLY mode. + + * systemd-rfkill has been reworked to become a singleton + service that is activated through /dev/rfkill on each rfkill + state change and saves the settings to disk. This way, + systemd-rfkill is now compatible with devices that exist + only intermittendly, and even restores state if the previous + system shutdown was abrupt rather than clean. + + * The journal daemon gained support for vacuuming old journal + files controlled by the number of files that shall remain, + in addition to the already existing control by size and by + date. This is useful as journal interleaving performance + degrades with too many separate journal files, and allows + putting an effective limit on them. The new setting defaults + to 100, but this may be changed by setting SystemMaxFiles= + and RuntimeMaxFiles= in journald.conf. Also, the + "journalctl" tool gained the new --vacuum-files= switch to + manually vacuum journal files to leave only the specified + number of files in place. + + * udev will now create /dev/disk/by-path links for ATA devices + on kernels where that is supported. + + * Galician, Serbian, Turkish and Korean translations were added. + + Contributions from: Aaro Koskinen, Alban Crequy, Beniamino + Galvani, Benjamin Robin, Branislav Blaskovic, Chen-Han Hsiao + (Stanley), Daniel Buch, Daniel Machon, Daniel Mack, David + Herrmann, David Milburn, doubleodoug, Evgeny Vereshchagin, + Felipe Franciosi, Filipe Brandenburger, Fran Dieguez, Gabriel + de Perthuis, Georg Müller, Hans de Goede, Hendrik Brueckner, + Ivan Shapovalov, Jacob Keller, Jan Engelhardt, Jan Janssen, + Jan Synacek, Jens Kuske, Karel Zak, Kay Sievers, Krzesimir + Nowak, Krzysztof Kotlenga, Lars Uebernickel, Lennart + Poettering, Lukas Nykryn, Łukasz Stelmach, Maciej Wereski, + Marcel Holtmann, Marius Thesing, Martin Pitt, Michael Biebl, + Michael Gebetsroither, Michal Schmidt, Michal Sekletar, Mike + Gilbert, Muhammet Kara, nazgul77, Nicolas Cornu, NoXPhasma, + Olof Johansson, Patrik Flykt, Pawel Szewczyk, reverendhomer, + Ronny Chevalier, Sangjung Woo, Seong-ho Cho, Susant Sahani, + Sylvain Plantefève, Thomas Haller, Thomas Hindoe Paaboel + Andersen, Tom Gundersen, Tom Lyon, Viktar Vauchkevich, + Zbigniew Jędrzejewski-Szmek, Марко М. Костић + + — Berlin, 2015-10-07 + +CHANGES WITH 226: + + * The DHCP implementation of systemd-networkd gained a set of + new features: + + - The DHCP server now supports emitting DNS and NTP + information. It may be enabled and configured via + EmitDNS=, DNS=, EmitNTP=, and NTP=. If transmission of DNS + and NTP information is enabled, but no servers are + configured, the corresponding uplink information (if there + is any) is propagated. + + - Server and client now support transmission and reception + of timezone information. It can be configured via the + newly introduced network options UseTimezone=, + EmitTimezone=, and Timezone=. Transmission of timezone + information is enabled between host and containers by + default now: the container will change its local timezone + to what the host has set. + + - Lease timeouts can now be configured via + MaxLeaseTimeSec= and DefaultLeaseTimeSec=. + + - The DHCP server improved on the stability of + leases. Clients are more likely to get the same lease + information back, even if the server loses state. + + - The DHCP server supports two new configuration options to + control the lease address pool metrics, PoolOffset= and + PoolSize=. + + * The encapsulation limit of tunnels in systemd-networkd may + now be configured via 'EncapsulationLimit='. It allows + modifying the maximum additional levels of encapsulation + that are permitted to be prepended to a packet. + + * systemd now supports the concept of user buses replacing + session buses, if used with dbus-1.10 (and enabled via dbus + --enable-user-session). It previously only supported this on + kdbus-enabled systems, and this release expands this to + 'dbus-daemon' systems. + + * systemd-networkd now supports predictable interface names + for virtio devices. + + * systemd now optionally supports the new Linux kernel + "unified" control group hierarchy. If enabled via the kernel + command-line option 'systemd.unified_cgroup_hierarchy=1', + systemd will try to mount the unified cgroup hierarchy + directly on /sys/fs/cgroup. If not enabled, or not + available, systemd will fall back to the legacy cgroup + hierarchy setup, as before. Host system and containers can + mix and match legacy and unified hierarchies as they + wish. nspawn understands the $UNIFIED_CGROUP_HIERARCHY + environment variable to individually select the hierarchy to + use for executed containers. By default, nspawn will use the + unified hierarchy for the containers if the host uses the + unified hierarchy, and the legacy hierarchy otherwise. + Please note that at this point the unified hierarchy is an + experimental kernel feature and is likely to change in one + of the next kernel releases. Therefore, it should not be + enabled by default in downstream distributions yet. The + minimum required kernel version for the unified hierarchy to + work is 4.2. Note that when the unified hierarchy is used + for the first time delegated access to controllers is + safe. Because of this systemd-nspawn containers will get + access to controllers now, as will systemd user + sessions. This means containers and user sessions may now + manage their own resources, partitioning up what the system + grants them. + + * A new special scope unit "init.scope" has been introduced + that encapsulates PID 1 of the system. It may be used to + determine resource usage and enforce resource limits on PID + 1 itself. PID 1 hence moved out of the root of the control + group tree. + + * The cgtop tool gained support for filtering out kernel + threads when counting tasks in a control group. Also, the + count of processes is now recursively summed up by + default. Two options -k and --recursive= have been added to + revert to old behaviour. The tool has also been updated to + work correctly in containers now. + + * systemd-nspawn's --bind= and --bind-ro= options have been + extended to allow creation of non-recursive bind mounts. + + * libsystemd gained two new calls sd_pid_get_cgroup() and + sd_peer_get_cgroup() which return the control group path of + a process or peer of a connected AF_UNIX socket. This + function call is particularly useful when implementing + delegated subtrees support in the control group hierarchy. + + * The "sd-event" event loop API of libsystemd now supports + correct dequeuing of real-time signals, without losing + signal events. + + * When systemd requests a polkit decision when managing units it + will now add additional fields to the request, including unit + name and desired operation. This enables more powerful polkit + policies, that make decisions depending on these parameters. + + * nspawn learnt support for .nspawn settings files, that may + accompany the image files or directories of containers, and + may contain additional settings for the container. This is + an alternative to configuring container parameters via the + nspawn command line. + + Contributions from: Cristian Rodríguez, Daniel Mack, David + Herrmann, Eugene Yakubovich, Evgeny Vereshchagin, Filipe + Brandenburger, Hans de Goede, Jan Alexander Steffens, Jan + Synacek, Kay Sievers, Lennart Poettering, Mangix, Marcel + Holtmann, Martin Pitt, Michael Biebl, Michael Chapman, Michal + Sekletar, Peter Hutterer, Piotr Drąg, reverendhomer, Robin + Hack, Susant Sahani, Sylvain Pasche, Thomas Hindoe Paaboel + Andersen, Tom Gundersen, Torstein Husebø + + — Berlin, 2015-09-08 + +CHANGES WITH 225: + + * machinectl gained a new verb 'shell' which opens a fresh + shell on the target container or the host. It is similar to + the existing 'login' command of machinectl, but spawns the + shell directly without prompting for username or + password. The pseudo machine '.host' now refers to the local + host and is used by default. Hence, 'machinectl shell' can + be used as replacement for 'su -' which spawns a session as + a fresh systemd unit in a way that is fully isolated from + the originating session. + + * systemd-networkd learned to cope with private-zone DHCP + options and allows other programs to query the values. + + * SELinux access control when enabling/disabling units is no + longer enforced with this release. The previous implementation + was incorrect, and a new corrected implementation is not yet + available. As unit file operations are still protected via + polkit and D-Bus policy this is not a security problem. Yet, + distributions which care about optimal SELinux support should + probably not stabilize on this release. + + * sd-bus gained support for matches of type "arg0has=", that + test for membership of strings in string arrays sent in bus + messages. + + * systemd-resolved now dumps the contents of its DNS and LLMNR + caches to the logs on reception of the SIGUSR1 signal. This + is useful to debug DNS behaviour. + + * The coredumpctl tool gained a new --directory= option to + operate on journal files in a specific directory. + + * "systemctl reboot" and related commands gained a new + "--message=" option which may be used to set a free-text + wall message when shutting down or rebooting the + system. This message is also logged, which is useful for + figuring out the reason for a reboot or shutdown a + posteriori. + + * The "systemd-resolve-host" tool's -i switch now takes + network interface numbers as alternative to interface names. + + * A new unit file setting for services has been introduced: + UtmpMode= allows configuration of how precisely systemd + handles utmp and wtmp entries for the service if this is + enabled. This allows writing services that appear similar to + user sessions in the output of the "w", "who", "last" and + "lastlog" tools. + + * systemd-resolved will now locally synthesize DNS resource + records for the "localhost" and "gateway" domains as well as + the local hostname. This should ensure that clients querying + RRs via resolved will get similar results as those going via + NSS, if nss-myhostname is enabled. + + Contributions from: Alastair Hughes, Alex Crawford, Daniel + Mack, David Herrmann, Dimitri John Ledkov, Eric Kostrowski, + Evgeny Vereshchagin, Felipe Sateler, HATAYAMA Daisuke, Jan + Pokorný, Jan Synacek, Johnny Robeson, Karel Zak, Kay Sievers, + Kefeng Wang, Lennart Poettering, Major Hayden, Marcel + Holtmann, Markus Elfring, Martin Mikkelsen, Martin Pitt, Matt + Turner, Maxim Mikityanskiy, Michael Biebl, Namhyung Kim, + Nicolas Cornu, Owen W. Taylor, Patrik Flykt, Peter Hutterer, + reverendhomer, Richard Maw, Ronny Chevalier, Seth Jennings, + Stef Walter, Susant Sahani, Thomas Blume, Thomas Hindoe + Paaboel Andersen, Thomas Meyer, Tom Gundersen, Vincent Batts, + WaLyong Cho, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2015-08-27 + +CHANGES WITH 224: + + * The systemd-efi-boot-generator functionality was merged into + systemd-gpt-auto-generator. + + * systemd-networkd now supports Group Policy for vxlan + devices. It can be enabled via the new boolean configuration + option called 'GroupPolicyExtension='. + + Contributions from: Andreas Kempf, Christian Hesse, Daniel Mack, David + Herrmann, Herman Fries, Johannes Nixdorf, Kay Sievers, Lennart + Poettering, Peter Hutterer, Susant Sahani, Tom Gundersen + + — Berlin, 2015-07-31 + +CHANGES WITH 223: + + * The python-systemd code has been removed from the systemd repository. + A new repository has been created which accommodates the code from + now on, and we kindly ask distributions to create a separate package + for this: https://github.com/systemd/python-systemd + + * The systemd daemon will now reload its main configuration + (/etc/systemd/system.conf) on daemon-reload. + + * sd-dhcp now exposes vendor specific extensions via + sd_dhcp_lease_get_vendor_specific(). + + * systemd-networkd gained a number of new configuration options. + + - A new boolean configuration option for TAP devices called + 'VNetHeader='. If set, the IFF_VNET_HDR flag is set for the + device, thus allowing to send and receive GSO packets. + + - A new tunnel configuration option called 'CopyDSCP='. + If enabled, the DSCP field of ip6 tunnels is copied into the + decapsulated packet. + + - A set of boolean bridge configuration options were added. + 'UseBPDU=', 'HairPin=', 'FastLeave=', 'AllowPortToBeRoot=', + and 'UnicastFlood=' are now parsed by networkd and applied to the + respective bridge link device via the respective IFLA_BRPORT_* + netlink attribute. + + - A new string configuration option to override the hostname sent + to a DHCP server, called 'Hostname='. If set and 'SendHostname=' + is true, networkd will use the configured hostname instead of the + system hostname when sending DHCP requests. + + - A new tunnel configuration option called 'IPv6FlowLabel='. If set, + networkd will configure the IPv6 flow-label of the tunnel device + according to RFC2460. + + - The 'macvtap' virtual network devices are now supported, similar to + the already supported 'macvlan' devices. + + * systemd-resolved now implements RFC5452 to improve resilience against + cache poisoning. Additionally, source port randomization is enabled + by default to further protect against DNS spoofing attacks. + + * nss-mymachines now supports translating UIDs and GIDs of running + containers with user-namespaces enabled. If a container 'foo' + translates a host uid 'UID' to the container uid 'TUID', then + nss-mymachines will also map uid 'UID' to/from username 'vu-foo-TUID' + (with 'foo' and 'TUID' replaced accordingly). Similarly, groups are + mapped as 'vg-foo-TGID'. + + Contributions from: Beniamino Galvani, cee1, Christian Hesse, Daniel + Buch, Daniel Mack, daurnimator, David Herrmann, Dimitri John Ledkov, + HATAYAMA Daisuke, Ivan Shapovalov, Jan Alexander Steffens (heftig), + Johan Ouwerkerk, Jose Carlos Venegas Munoz, Karel Zak, Kay Sievers, + Lennart Poettering, Lidong Zhong, Martin Pitt, Michael Biebl, Michael + Olbrich, Michal Schmidt, Michal Sekletar, Mike Gilbert, Namhyung Kim, + Nick Owens, Peter Hutterer, Richard Maw, Steven Allen, Sungbae Yoo, + Susant Sahani, Thomas Blume, Thomas Hindoe Paaboel Andersen, Tom + Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Vito Caputo, + Vivenzio Pagliari, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2015-07-29 + +CHANGES WITH 222: + + * udev does not longer support the WAIT_FOR_SYSFS= key in udev rules. + There are no known issues with current sysfs, and udev does not need + or should be used to work around such bugs. + + * udev does no longer enable USB HID power management. Several reports + indicate, that some devices cannot handle that setting. + + * The udev accelerometer helper was removed. The functionality + is now fully included in iio-sensor-proxy. But this means, + older iio-sensor-proxy versions will no longer provide + accelerometer/orientation data with this systemd version. + Please upgrade iio-sensor-proxy to version 1.0. + + * networkd gained a new configuration option IPv6PrivacyExtensions= + which enables IPv6 privacy extensions (RFC 4941, "Privacy Extensions + for Stateless Address") on selected networks. + + * For the sake of fewer build-time dependencies and less code in the + main repository, the python bindings are about to be removed in the + next release. A new repository has been created which accommodates + the code from now on, and we kindly ask distributions to create a + separate package for this. The removal will take place in v223. + + https://github.com/systemd/python-systemd + + Contributions from: Abdo Roig-Maranges, Andrew Eikum, Bastien Nocera, + Cédric Delmas, Christian Hesse, Christos Trochalakis, Daniel Mack, + daurnimator, David Herrmann, Dimitri John Ledkov, Eric Biggers, Eric + Cook, Felipe Sateler, Geert Jansen, Gerd Hoffmann, Gianpaolo Macario, + Greg Kroah-Hartman, Iago López Galeiras, Jan Alexander Steffens + (heftig), Jan Engelhardt, Jay Strict, Kay Sievers, Lennart Poettering, + Markus Knetschke, Martin Pitt, Michael Biebl, Michael Marineau, Michal + Sekletar, Miguel Bernal Marin, Peter Hutterer, Richard Maw, rinrinne, + Susant Sahani, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein + Husebø, Vedran Miletić, WaLyong Cho, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2015-07-07 + +CHANGES WITH 221: + + * The sd-bus.h and sd-event.h APIs have now been declared + stable and have been added to the official interface of + libsystemd.so. sd-bus implements an alternative D-Bus client + library, that is relatively easy to use, very efficient and + supports both classic D-Bus as well as kdbus as transport + backend. sd-event is a generic event loop abstraction that + is built around Linux epoll, but adds features such as event + prioritization or efficient timer handling. Both APIs are good + choices for C programs looking for a bus and/or event loop + implementation that is minimal and does not have to be + portable to other kernels. + + * kdbus support is no longer compile-time optional. It is now + always built-in. However, it can still be disabled at + runtime using the kdbus=0 kernel command line setting, and + that setting may be changed to default to off, by specifying + --disable-kdbus at build-time. Note though that the kernel + command line setting has no effect if the kdbus.ko kernel + module is not installed, in which case kdbus is (obviously) + also disabled. We encourage all downstream distributions to + begin testing kdbus by adding it to the kernel images in the + development distributions, and leaving kdbus support in + systemd enabled. + + * The minimal required util-linux version has been bumped to + 2.26. + + * Support for chkconfig (--enable-chkconfig) was removed in + favor of calling an abstraction tool + /lib/systemd/systemd-sysv-install. This needs to be + implemented for your distribution. See "SYSV INIT.D SCRIPTS" + in README for details. + + * If there's a systemd unit and a SysV init script for the + same service name, and the user executes "systemctl enable" + for it (or a related call), then this will now enable both + (or execute the related operation on both), not just the + unit. + + * The libudev API documentation has been converted from gtkdoc + into man pages. + + * gudev has been removed from the systemd tree, it is now an + external project. + + * The systemd-cgtop tool learnt a new --raw switch to generate + "raw" (machine parsable) output. + + * networkd's IPForwarding= .network file setting learnt the + new setting "kernel", which ensures that networkd does not + change the IP forwarding sysctl from the default kernel + state. + + * The systemd-logind bus API now exposes a new boolean + property "Docked" that reports whether logind considers the + system "docked", i.e. connected to a docking station or not. + + Contributions from: Alex Crawford, Andreas Pokorny, Andrei + Borzenkov, Charles Duffy, Colin Guthrie, Cristian Rodríguez, + Daniele Medri, Daniel Hahler, Daniel Mack, David Herrmann, + David Mohr, Dimitri John Ledkov, Djalal Harouni, dslul, Ed + Swierk, Eric Cook, Filipe Brandenburger, Gianpaolo Macario, + Harald Hoyer, Iago López Galeiras, Igor Vuk, Jan Synacek, + Jason Pleau, Jason S. McMullan, Jean Delvare, Jeff Huang, + Jonathan Boulle, Karel Zak, Kay Sievers, kloun, Lennart + Poettering, Marc-Antoine Perennou, Marcel Holtmann, Mario + Limonciello, Martin Pitt, Michael Biebl, Michael Olbrich, + Michal Schmidt, Mike Gilbert, Nick Owens, Pablo Lezaeta Reyes, + Patrick Donnelly, Pavel Odvody, Peter Hutterer, Philip + Withnall, Ronny Chevalier, Simon McVittie, Susant Sahani, + Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein + Husebø, Umut Tezduyar Lindskog, Viktar Vauchkevich, Werner + Fink, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2015-06-19 + +CHANGES WITH 220: + + * The gudev library has been extracted into a separate repository + available at: https://git.gnome.org/browse/libgudev/ + It is now managed as part of the Gnome project. Distributions + are recommended to pass --disable-gudev to systemd and use + gudev from the Gnome project instead. gudev is still included + in systemd, for now. It will be removed soon, though. Please + also see the announcement-thread on systemd-devel: + https://lists.freedesktop.org/archives/systemd-devel/2015-May/032070.html + + * systemd now exposes a CPUUsageNSec= property for each + service unit on the bus, that contains the overall consumed + CPU time of a service (the sum of what each process of the + service consumed). This value is only available if + CPUAccounting= is turned on for a service, and is then shown + in the "systemctl status" output. + + * Support for configuring alternative mappings of the old SysV + runlevels to systemd targets has been removed. They are now + hardcoded in a way that runlevels 2, 3, 4 all map to + multi-user.target and 5 to graphical.target (which + previously was already the default behaviour). + + * The auto-mounter logic gained support for mount point + expiry, using a new TimeoutIdleSec= setting in .automount + units. (Also available as x-systemd.idle-timeout= in /etc/fstab). + + * The EFI System Partition (ESP) as mounted to /boot by + systemd-efi-boot-generator will now be unmounted + automatically after 2 minutes of not being used. This should + minimize the risk of ESP corruptions. + + * New /etc/fstab options x-systemd.requires= and + x-systemd.requires-mounts-for= are now supported to express + additional dependencies for mounts. This is useful for + journalling file systems that support external journal + devices or overlay file systems that require underlying file + systems to be mounted. + + * systemd does not support direct live-upgrades (via systemctl + daemon-reexec) from versions older than v44 anymore. As no + distribution we are aware of shipped such old versions in a + stable release this should not be problematic. + + * When systemd forks off a new per-connection service instance + it will now set the $REMOTE_ADDR environment variable to the + remote IP address, and $REMOTE_PORT environment variable to + the remote IP port. This behaviour is similar to the + corresponding environment variables defined by CGI. + + * systemd-networkd gained support for uplink failure + detection. The BindCarrier= option allows binding interface + configuration dynamically to the link sense of other + interfaces. This is useful to achieve behaviour like in + network switches. + + * systemd-networkd gained support for configuring the DHCP + client identifier to use when requesting leases. + + * systemd-networkd now has a per-network UseNTP= option to + configure whether NTP server information acquired via DHCP + is passed on to services like systemd-timesyncd. + + * systemd-networkd gained support for vti6 tunnels. + + * Note that systemd-networkd manages the sysctl variable + /proc/sys/net/ipv[46]/conf/*/forwarding for each interface + it is configured for since v219. The variable controls IP + forwarding, and is a per-interface alternative to the global + /proc/sys/net/ipv[46]/ip_forward. This setting is + configurable in the IPForward= option, which defaults to + "no". This means if networkd is used for an interface it is + no longer sufficient to set the global sysctl option to turn + on IP forwarding! Instead, the .network file option + IPForward= needs to be turned on! Note that the + implementation of this behaviour was broken in v219 and has + been fixed in v220. + + * Many bonding and vxlan options are now configurable in + systemd-networkd. + + * systemd-nspawn gained a new --property= setting to set unit + properties for the container scope. This is useful for + setting resource parameters (e.g. "CPUShares=500") on + containers started from the command line. + + * systemd-nspawn gained a new --private-users= switch to make + use of user namespacing available on recent Linux kernels. + + * systemd-nspawn may now be called as part of a shell pipeline + in which case the pipes used for stdin and stdout are passed + directly to the process invoked in the container, without + indirection via a pseudo tty. + + * systemd-nspawn gained a new switch to control the UNIX + signal to use when killing the init process of the container + when shutting down. + + * systemd-nspawn gained a new --overlay= switch for mounting + overlay file systems into the container using the new kernel + overlayfs support. + + * When a container image is imported via systemd-importd and + the host file system is not btrfs, a loopback block device + file is created in /var/lib/machines.raw with a btrfs file + system inside. It is then mounted to /var/lib/machines to + enable btrfs features for container management. The loopback + file and btrfs file system is grown as needed when container + images are imported via systemd-importd. + + * systemd-machined/systemd-importd gained support for btrfs + quota, to enforce container disk space limits on disk. This + is exposed in "machinectl set-limit". + + * systemd-importd now can import containers from local .tar, + .raw and .qcow2 images, and export them to .tar and .raw. It + can also import dkr v2 images now from the network (on top + of v1 as before). + + * systemd-importd gained support for verifying downloaded + images with gpg2 (previously only gpg1 was supported). + + * systemd-machined, systemd-logind, systemd: most bus calls are + now accessible to unprivileged processes via polkit. Also, + systemd-logind will now allow users to kill their own sessions + without further privileges or authorization. + + * systemd-shutdownd has been removed. This service was + previously responsible for implementing scheduled shutdowns + as exposed in /usr/bin/shutdown's time parameter. This + functionality has now been moved into systemd-logind and is + accessible via a bus interface. + + * "systemctl reboot" gained a new switch --firmware-setup that + can be used to reboot into the EFI firmware setup, if that + is available. systemd-logind now exposes an API on the bus + to trigger such reboots, in case graphical desktop UIs want + to cover this functionality. + + * "systemctl enable", "systemctl disable" and "systemctl mask" + now support a new "--now" switch. If specified the units + that are enabled will also be started, and the ones + disabled/masked also stopped. + + * The Gummiboot EFI boot loader tool has been merged into + systemd, and renamed to "systemd-boot". The bootctl tool has been + updated to support systemd-boot. + + * An EFI kernel stub has been added that may be used to create + kernel EFI binaries that contain not only the actual kernel, + but also an initrd, boot splash, command line and OS release + information. This combined binary can then be signed as a + single image, so that the firmware can verify it all in one + step. systemd-boot has special support for EFI binaries created + like this and can extract OS release information from them + and show them in the boot menu. This functionality is useful + to implement cryptographically verified boot schemes. + + * Optional support has been added to systemd-fsck to pass + fsck's progress report to an AF_UNIX socket in the file + system. + + * udev will no longer create device symlinks for all block devices by + default. A deny list for excluding special block devices from this + logic has been turned into a allow list that requires picking block + devices explicitly that require device symlinks. + + * A new (currently still internal) API sd-device.h has been + added to libsystemd. This modernized API is supposed to + replace libudev eventually. In fact, already much of libudev + is now just a wrapper around sd-device.h. + + * A new hwdb database for storing metadata about pointing + stick devices has been added. + + * systemd-tmpfiles gained support for setting file attributes + similar to the "chattr" tool with new 'h' and 'H' lines. + + * systemd-journald will no longer unconditionally set the + btrfs NOCOW flag on new journal files. This is instead done + with tmpfiles snippet using the new 'h' line type. This + allows easy disabling of this logic, by masking the + journal-nocow.conf tmpfiles file. + + * systemd-journald will now translate audit message types to + human readable identifiers when writing them to the + journal. This should improve readability of audit messages. + + * The LUKS logic gained support for the offset= and skip= + options in /etc/crypttab, as previously implemented by + Debian. + + * /usr/lib/os-release gained a new optional field VARIANT= for + distributions that support multiple variants (such as a + desktop edition, a server edition, ...) + + Contributions from: Aaro Koskinen, Adam Goode, Alban Crequy, + Alberto Fanjul Alonso, Alexander Sverdlin, Alex Puchades, Alin + Rauta, Alison Chaiken, Andrew Jones, Arend van Spriel, + Benedikt Morbach, Benjamin Franzke, Benjamin Tissoires, Blaž + Tomažič, Chris Morgan, Chris Morin, Colin Walters, Cristian + Rodríguez, Daniel Buch, Daniel Drake, Daniele Medri, Daniel + Mack, Daniel Mustieles, daurnimator, Davide Bettio, David + Herrmann, David Strauss, Didier Roche, Dimitri John Ledkov, + Eric Cook, Gavin Li, Goffredo Baroncelli, Hannes Reinecke, + Hans de Goede, Hans-Peter Deifel, Harald Hoyer, Iago López + Galeiras, Ivan Shapovalov, Jan Engelhardt, Jan Janssen, Jan + Pazdziora, Jan Synacek, Jasper St. Pierre, Jay Faulkner, John + Paul Adrian Glaubitz, Jonathon Gilbert, Karel Zak, Kay + Sievers, Koen Kooi, Lennart Poettering, Lubomir Rintel, Lucas + De Marchi, Lukas Nykryn, Lukas Rusak, Lukasz Skalski, Łukasz + Stelmach, Mantas Mikulėnas, Marc-Antoine Perennou, Marcel + Holtmann, Martin Pitt, Mathieu Chevrier, Matthew Garrett, + Michael Biebl, Michael Marineau, Michael Olbrich, Michal + Schmidt, Michal Sekletar, Mirco Tischler, Nir Soffer, Patrik + Flykt, Pavel Odvody, Peter Hutterer, Peter Lemenkov, Peter + Waller, Piotr Drąg, Raul Gutierrez S, Richard Maw, Ronny + Chevalier, Ross Burton, Sebastian Rasmussen, Sergey Ptashnick, + Seth Jennings, Shawn Landden, Simon Farnsworth, Stefan Junker, + Stephen Gallagher, Susant Sahani, Sylvain Plantefève, Thomas + Haller, Thomas Hindoe Paaboel Andersen, Tobias Hunger, Tom + Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Will + Woods, Zachary Cook, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2015-05-22 + +CHANGES WITH 219: + + * Introduce a new API "sd-hwdb.h" for querying the hardware + metadata database. With this minimal interface one can query + and enumerate the udev hwdb, decoupled from the old libudev + library. libudev's interface for this is now only a wrapper + around sd-hwdb. A new tool systemd-hwdb has been added to + interface with and update the database. + + * When any of systemd's tools copies files (for example due to + tmpfiles' C lines) a btrfs reflink will attempted first, + before bytewise copying is done. + + * systemd-nspawn gained a new --ephemeral switch. When + specified a btrfs snapshot is taken of the container's root + directory, and immediately removed when the container + terminates again. Thus, a container can be started whose + changes never alter the container's root directory, and are + lost on container termination. This switch can also be used + for starting a container off the root file system of the + host without affecting the host OS. This switch is only + available on btrfs file systems. + + * systemd-nspawn gained a new --template= switch. It takes the + path to a container tree to use as template for the tree + specified via --directory=, should that directory be + missing. This allows instantiating containers dynamically, + on first run. This switch is only available on btrfs file + systems. + + * When a .mount unit refers to a mount point on which multiple + mounts are stacked, and the .mount unit is stopped all of + the stacked mount points will now be unmounted until no + mount point remains. + + * systemd now has an explicit notion of supported and + unsupported unit types. Jobs enqueued for unsupported unit + types will now fail with an "unsupported" error code. More + specifically .swap, .automount and .device units are not + supported in containers, .busname units are not supported on + non-kdbus systems. .swap and .automount are also not + supported if their respective kernel compile time options + are disabled. + + * machinectl gained support for two new "copy-from" and + "copy-to" commands for copying files from a running + container to the host or vice versa. + + * machinectl gained support for a new "bind" command to bind + mount host directories into local containers. This is + currently only supported for nspawn containers. + + * networkd gained support for configuring bridge forwarding + database entries (fdb) from .network files. + + * A new tiny daemon "systemd-importd" has been added that can + download container images in tar, raw, qcow2 or dkr formats, + and make them available locally in /var/lib/machines, so + that they can run as nspawn containers. The daemon can GPG + verify the downloads (not supported for dkr, since it has no + provisions for verifying downloads). It will transparently + decompress bz2, xz, gzip compressed downloads if necessary, + and restore sparse files on disk. The daemon uses privilege + separation to ensure the actual download logic runs with + fewer privileges than the daemon itself. machinectl has + gained new commands "pull-tar", "pull-raw" and "pull-dkr" to + make the functionality of importd available to the + user. With this in place the Fedora and Ubuntu "Cloud" + images can be downloaded and booted as containers unmodified + (the Fedora images lack the appropriate GPG signature files + currently, so they cannot be verified, but this will change + soon, hopefully). Note that downloading images is currently + only fully supported on btrfs. + + * machinectl is now able to list container images found in + /var/lib/machines, along with some metadata about sizes of + disk and similar. If the directory is located on btrfs and + quota is enabled, this includes quota display. A new command + "image-status" has been added that shows additional + information about images. + + * machinectl is now able to clone container images + efficiently, if the underlying file system (btrfs) supports + it, with the new "machinectl clone" command. It also + gained commands for renaming and removing images, as well as + marking them read-only or read-write (supported also on + legacy file systems). + + * networkd gained support for collecting LLDP network + announcements, from hardware that supports this. This is + shown in networkctl output. + + * systemd-run gained support for a new -t (--pty) switch for + invoking a binary on a pty whose input and output is + connected to the invoking terminal. This allows executing + processes as system services while interactively + communicating with them via the terminal. Most interestingly + this is supported across container boundaries. Invoking + "systemd-run -t /bin/bash" is an alternative to running a + full login session, the difference being that the former + will not register a session, nor go through the PAM session + setup. + + * tmpfiles gained support for a new "v" line type for creating + btrfs subvolumes. If the underlying file system is a legacy + file system, this automatically degrades to creating a + normal directory. Among others /var/lib/machines is now + created like this at boot, should it be missing. + + * The directory /var/lib/containers/ has been deprecated and + been replaced by /var/lib/machines. The term "machines" has + been used in the systemd context as generic term for both + VMs and containers, and hence appears more appropriate for + this, as the directory can also contain raw images bootable + via qemu/kvm. + + * systemd-nspawn when invoked with -M but without --directory= + or --image= is now capable of searching for the container + root directory, subvolume or disk image automatically, in + /var/lib/machines. systemd-nspawn@.service has been updated + to make use of this, thus allowing it to be used for raw + disk images, too. + + * A new machines.target unit has been introduced that is + supposed to group all containers/VMs invoked as services on + the system. systemd-nspawn@.service has been updated to + integrate with that. + + * machinectl gained a new "start" command, for invoking a + container as a service. "machinectl start foo" is mostly + equivalent to "systemctl start systemd-nspawn@foo.service", + but handles escaping in a nicer way. + + * systemd-nspawn will now mount most of the cgroupfs tree + read-only into each container, with the exception of the + container's own subtree in the name=systemd hierarchy. + + * journald now sets the special FS_NOCOW file flag for its + journal files. This should improve performance on btrfs, by + avoiding heavy fragmentation when journald's write-pattern + is used on COW file systems. It degrades btrfs' data + integrity guarantees for the files to the same levels as for + ext3/ext4 however. This should be OK though as journald does + its own data integrity checks and all its objects are + checksummed on disk. Also, journald should handle btrfs disk + full events a lot more gracefully now, by processing SIGBUS + errors, and not relying on fallocate() anymore. + + * When journald detects that journal files it is writing to + have been deleted it will immediately start new journal + files. + + * systemd now provides a way to store file descriptors + per-service in PID 1. This is useful for daemons to ensure + that fds they require are not lost during a daemon + restart. The fds are passed to the daemon on the next + invocation in the same way socket activation fds are + passed. This is now used by journald to ensure that the + various sockets connected to all the system's stdout/stderr + are not lost when journald is restarted. File descriptors + may be stored in PID 1 via the sd_pid_notify_with_fds() API, + an extension to sd_notify(). Note that a limit is enforced + on the number of fds a service can store in PID 1, and it + defaults to 0, so that no fds may be stored, unless this is + explicitly turned on. + + * The default TERM variable to use for units connected to a + terminal, when no other value is explicitly is set is now + vt220 rather than vt102. This should be fairly safe still, + but allows PgUp/PgDn work. + + * The /etc/crypttab option header= as known from Debian is now + supported. + + * "loginctl user-status" and "loginctl session-status" will + now show the last 10 lines of log messages of the + user/session following the status output. Similar, + "machinectl status" will show the last 10 log lines + associated with a virtual machine or container + service. (Note that this is usually not the log messages + done in the VM/container itself, but simply what the + container manager logs. For nspawn this includes all console + output however.) + + * "loginctl session-status" without further argument will now + show the status of the session of the caller. Similar, + "lock-session", "unlock-session", "activate", + "enable-linger", "disable-linger" may now be called without + session/user parameter in which case they apply to the + caller's session/user. + + * An X11 session scriptlet is now shipped that uploads + $DISPLAY and $XAUTHORITY into the environment of the systemd + --user daemon if a session begins. This should improve + compatibility with X11 enabled applications run as systemd + user services. + + * Generators are now subject to masking via /etc and /run, the + same way as unit files. + + * networkd .network files gained support for configuring + per-link IPv4/IPv6 packet forwarding as well as IPv4 + masquerading. This is by default turned on for veth links to + containers, as registered by systemd-nspawn. This means that + nspawn containers run with --network-veth will now get + automatic routed access to the host's networks without any + further configuration or setup, as long as networkd runs on + the host. + + * systemd-nspawn gained the --port= (-p) switch to expose TCP + or UDP posts of a container on the host. With this in place + it is possible to run containers with private veth links + (--network-veth), and have their functionality exposed on + the host as if their services were running directly on the + host. + + * systemd-nspawn's --network-veth switch now gained a short + version "-n", since with the changes above it is now truly + useful out-of-the-box. The systemd-nspawn@.service has been + updated to make use of it too by default. + + * systemd-nspawn will now maintain a per-image R/W lock, to + ensure that the same image is not started more than once + writable. (It's OK to run an image multiple times + simultaneously in read-only mode.) + + * systemd-nspawn's --image= option is now capable of + dissecting and booting MBR and GPT disk images that contain + only a single active Linux partition. Previously it + supported only GPT disk images with proper GPT type + IDs. This allows running cloud images from major + distributions directly with systemd-nspawn, without + modification. + + * In addition to collecting mouse dpi data in the udev + hardware database, there's now support for collecting angle + information for mouse scroll wheels. The database is + supposed to guarantee similar scrolling behavior on mice + that it knows about. There's also support for collecting + information about Touchpad types. + + * udev's input_id built-in will now also collect touch screen + dimension data and attach it to probed devices. + + * /etc/os-release gained support for a Distribution Privacy + Policy link field. + + * networkd gained support for creating "ipvlan", "gretap", + "ip6gre", "ip6gretap" and "ip6tnl" network devices. + + * systemd-tmpfiles gained support for "a" lines for setting + ACLs on files. + + * systemd-nspawn will now mount /tmp in the container to + tmpfs, automatically. + + * systemd now exposes the memory.usage_in_bytes cgroup + attribute and shows it for each service in the "systemctl + status" output, if available. + + * When the user presses Ctrl-Alt-Del more than 7x within 2s an + immediate reboot is triggered. This useful if shutdown is + hung and is unable to complete, to expedite the + operation. Note that this kind of reboot will still unmount + all file systems, and hence should not result in fsck being + run on next reboot. + + * A .device unit for an optical block device will now be + considered active only when a medium is in the drive. Also, + mount units are now bound to their backing devices thus + triggering automatic unmounting when devices become + unavailable. With this in place systemd will now + automatically unmount left-over mounts when a CD-ROM is + ejected or an USB stick is yanked from the system. + + * networkd-wait-online now has support for waiting for + specific interfaces only (with globbing), and for giving up + after a configurable timeout. + + * networkd now exits when idle. It will be automatically + restarted as soon as interfaces show up, are removed or + change state. networkd will stay around as long as there is + at least one DHCP state machine or similar around, that keep + it non-idle. + + * networkd may now configure IPv6 link-local addressing in + addition to IPv4 link-local addressing. + + * The IPv6 "token" for use in SLAAC may now be configured for + each .network interface in networkd. + + * Routes configured with networkd may now be assigned a scope + in .network files. + + * networkd's [Match] sections now support globbing and lists + of multiple space-separated matches per item. + + Contributions from: Alban Crequy, Alin Rauta, Andrey Chaser, + Bastien Nocera, Bruno Bottazzini, Carlos Garnacho, Carlos + Morata Castillo, Chris Atkinson, Chris J. Arges, Christian + Kirbach, Christian Seiler, Christoph Brill, Colin Guthrie, + Colin Walters, Cristian Rodríguez, Daniele Medri, Daniel Mack, + Dave Reisner, David Herrmann, Djalal Harouni, Erik Auerswald, + Filipe Brandenburger, Frank Theile, Gabor Kelemen, Gabriel de + Perthuis, Harald Hoyer, Hui Wang, Ivan Shapovalov, Jan + Engelhardt, Jan Synacek, Jay Faulkner, Johannes Hölzl, Jonas + Ådahl, Jonathan Boulle, Josef Andersson, Kay Sievers, Ken + Werner, Lennart Poettering, Lucas De Marchi, Lukas Märdian, + Lukas Nykryn, Lukasz Skalski, Luke Shumaker, Mantas Mikulėnas, + Manuel Mendez, Marcel Holtmann, Marc Schmitzer, Marko + Myllynen, Martin Pitt, Maxim Mikityanskiy, Michael Biebl, + Michael Marineau, Michael Olbrich, Michal Schmidt, Mindaugas + Baranauskas, Moez Bouhlel, Naveen Kumar, Patrik Flykt, Paul + Martin, Peter Hutterer, Peter Mattern, Philippe De Swert, + Piotr Drąg, Rafael Ferreira, Rami Rosen, Robert Milasan, Ronny + Chevalier, Sangjung Woo, Sebastien Bacher, Sergey Ptashnick, + Shawn Landden, Stéphane Graber, Susant Sahani, Sylvain + Plantefève, Thomas Hindoe Paaboel Andersen, Tim JP, Tom + Gundersen, Topi Miettinen, Torstein Husebø, Umut Tezduyar + Lindskog, Veres Lajos, Vincent Batts, WaLyong Cho, Wieland + Hoffmann, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2015-02-16 + +CHANGES WITH 218: + + * When querying unit file enablement status (for example via + "systemctl is-enabled"), a new state "indirect" is now known + which indicates that a unit might not be enabled itself, but + another unit listed in its Also= setting might be. + + * Similar to the various existing ConditionXYZ= settings for + units, there are now matching AssertXYZ= settings. While + failing conditions cause a unit to be skipped, but its job + to succeed, failing assertions declared like this will cause + a unit start operation and its job to fail. + + * hostnamed now knows a new chassis type "embedded". + + * systemctl gained a new "edit" command. When used on a unit + file, this allows extending unit files with .d/ drop-in + configuration snippets or editing the full file (after + copying it from /usr/lib to /etc). This will invoke the + user's editor (as configured with $EDITOR), and reload the + modified configuration after editing. + + * "systemctl status" now shows the suggested enablement state + for a unit, as declared in the (usually vendor-supplied) + system preset files. + + * nss-myhostname will now resolve the single-label hostname + "gateway" to the locally configured default IP routing + gateways, ordered by their metrics. This assigns a stable + name to the used gateways, regardless which ones are + currently configured. Note that the name will only be + resolved after all other name sources (if nss-myhostname is + configured properly) and should hence not negatively impact + systems that use the single-label hostname "gateway" in + other contexts. + + * systemd-inhibit now allows filtering by mode when listing + inhibitors. + + * Scope and service units gained a new "Delegate" boolean + property, which, when set, allows processes running inside the + unit to further partition resources. This is primarily + useful for systemd user instances as well as container + managers. + + * journald will now pick up audit messages directly from + the kernel, and log them like any other log message. The + audit fields are split up and fully indexed. This means that + journalctl in many ways is now a (nicer!) alternative to + ausearch, the traditional audit client. Note that this + implements only a minimal audit client. If you want the + special audit modes like reboot-on-log-overflow, please use + the traditional auditd instead, which can be used in + parallel to journald. + + * The ConditionSecurity= unit file option now understands the + special string "audit" to check whether auditing is + available. + + * journalctl gained two new commands --vacuum-size= and + --vacuum-time= to delete old journal files until the + remaining ones take up no more than the specified size on disk, + or are not older than the specified time. + + * A new, native PPPoE library has been added to sd-network, + systemd's library of light-weight networking protocols. This + library will be used in a future version of networkd to + enable PPPoE communication without an external pppd daemon. + + * The busctl tool now understands a new "capture" verb that + works similar to "monitor", but writes a packet capture + trace to STDOUT that can be redirected to a file which is + compatible with libcap's capture file format. This can then + be loaded in Wireshark and similar tools to inspect bus + communication. + + * The busctl tool now understands a new "tree" verb that shows + the object trees of a specific service on the bus, or of all + services. + + * The busctl tool now understands a new "introspect" verb that + shows all interfaces and members of objects on the bus, + including their signature and values. This is particularly + useful to get more information about bus objects shown by + the new "busctl tree" command. + + * The busctl tool now understands new verbs "call", + "set-property" and "get-property" for invoking bus method + calls, setting and getting bus object properties in a + friendly way. + + * busctl gained a new --augment-creds= argument that controls + whether the tool shall augment credential information it + gets from the bus with data from /proc, in a possibly + race-ful way. + + * nspawn's --link-journal= switch gained two new values + "try-guest" and "try-host" that work like "guest" and + "host", but do not fail if the host has no persistent + journalling enabled. -j is now equivalent to + --link-journal=try-guest. + + * macvlan network devices created by nspawn will now have + stable MAC addresses. + + * A new SmackProcessLabel= unit setting has been added, which + controls the SMACK security label processes forked off by + the respective unit shall use. + + * If compiled with --enable-xkbcommon, systemd-localed will + verify x11 keymap settings by compiling the given keymap. It + will spew out warnings if the compilation fails. This + requires libxkbcommon to be installed. + + * When a coredump is collected, a larger number of metadata + fields is now collected and included in the journal records + created for it. More specifically, control group membership, + environment variables, memory maps, working directory, + chroot directory, /proc/$PID/status, and a list of open file + descriptors is now stored in the log entry. + + * The udev hwdb now contains DPI information for mice. For + details see: + + http://who-t.blogspot.de/2014/12/building-a-dpi-database-for-mice.html + + * All systemd programs that read standalone configuration + files in /etc now also support a corresponding series of + .conf.d configuration directories in /etc/, /run/, + /usr/local/lib/, /usr/lib/, and (if configured with + --enable-split-usr) /lib/. In particular, the following + configuration files now have corresponding configuration + directories: system.conf user.conf, logind.conf, + journald.conf, sleep.conf, bootchart.conf, coredump.conf, + resolved.conf, timesyncd.conf, journal-remote.conf, and + journal-upload.conf. Note that distributions should use the + configuration directories in /usr/lib/; the directories in + /etc/ are reserved for the system administrator. + + * systemd-rfkill will no longer take the rfkill device name + into account when storing rfkill state on disk, as the name + might be dynamically assigned and not stable. Instead, the + ID_PATH udev variable combined with the rfkill type (wlan, + bluetooth, ...) is used. + + * A new service systemd-machine-id-commit.service has been + added. When used on systems where /etc is read-only during + boot, and /etc/machine-id is not initialized (but an empty + file), this service will copy the temporary machine ID + created as replacement into /etc after the system is fully + booted up. This is useful for systems that are freshly + installed with a non-initialized machine ID, but should get + a fixed machine ID for subsequent boots. + + * networkd's .netdev files now provide a large set of + configuration parameters for VXLAN devices. Similarly, the + bridge port cost parameter is now configurable in .network + files. There's also new support for configuring IP source + routing. networkd .link files gained support for a new + OriginalName= match that is useful to match against the + original interface name the kernel assigned. .network files + may include MTU= and MACAddress= fields for altering the MTU + and MAC address while being connected to a specific network + interface. + + * The LUKS logic gained supported for configuring + UUID-specific key files. There's also new support for naming + LUKS device from the kernel command line, using the new + luks.name= argument. + + * Timer units may now be transiently created via the bus API + (this was previously already available for scope and service + units). In addition it is now possible to create multiple + transient units at the same time with a single bus call. The + "systemd-run" tool has been updated to make use of this for + running commands on a specified time, in at(1)-style. + + * tmpfiles gained support for "t" lines, for assigning + extended attributes to files. Among other uses this may be + used to assign SMACK labels to files. + + Contributions from: Alin Rauta, Alison Chaiken, Andrej + Manduch, Bastien Nocera, Chris Atkinson, Chris Leech, Chris + Mayo, Colin Guthrie, Colin Walters, Cristian Rodríguez, + Daniele Medri, Daniel Mack, Dan Williams, Dan Winship, Dave + Reisner, David Herrmann, Didier Roche, Felipe Sateler, Gavin + Li, Hans de Goede, Harald Hoyer, Iago López Galeiras, Ivan + Shapovalov, Jakub Filak, Jan Janssen, Jan Synacek, Joe + Lawrence, Josh Triplett, Kay Sievers, Lennart Poettering, + Lukas Nykryn, Łukasz Stelmach, Maciej Wereski, Mantas + Mikulėnas, Marcel Holtmann, Martin Pitt, Maurizio Lombardi, + Michael Biebl, Michael Chapman, Michael Marineau, Michal + Schmidt, Michal Sekletar, Olivier Brunel, Patrik Flykt, Peter + Hutterer, Przemyslaw Kedzierski, Rami Rosen, Ray Strode, + Richard Schütz, Richard W.M. Jones, Ronny Chevalier, Ross + Lagerwall, Sean Young, Stanisław Pitucha, Susant Sahani, + Thomas Haller, Thomas Hindoe Paaboel Andersen, Tom Gundersen, + Torstein Husebø, Umut Tezduyar Lindskog, Vicente Olivert + Riera, WaLyong Cho, Wesley Dawson, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2014-12-10 + +CHANGES WITH 217: + + * journalctl gained the new options -t/--identifier= to match + on the syslog identifier (aka "tag"), as well as --utc to + show log timestamps in the UTC timezone. journalctl now also + accepts -n/--lines=all to disable line capping in a pager. + + * journalctl gained a new switch, --flush, that synchronously + flushes logs from /run/log/journal to /var/log/journal if + persistent storage is enabled. systemd-journal-flush.service + now waits until the operation is complete. + + * Services can notify the manager before they start a reload + (by sending RELOADING=1) or shutdown (by sending + STOPPING=1). This allows the manager to track and show the + internal state of daemons and closes a race condition when + the process is still running but has closed its D-Bus + connection. + + * Services with Type=oneshot do not have to have any ExecStart + commands anymore. + + * User units are now loaded also from + $XDG_RUNTIME_DIR/systemd/user/. This is similar to the + /run/systemd/user directory that was already previously + supported, but is under the control of the user. + + * Job timeouts (i.e. timeouts on the time a job that is + queued stays in the run queue) can now optionally result in + immediate reboot or power-off actions (JobTimeoutAction= and + JobTimeoutRebootArgument=). This is useful on ".target" + units, to limit the maximum time a target remains + undispatched in the run queue, and to trigger an emergency + operation in such a case. This is now used by default to + turn off the system if boot-up (as defined by everything in + basic.target) hangs and does not complete for at least + 15min. Also, if power-off or reboot hang for at least 30min + an immediate power-off/reboot operation is triggered. This + functionality is particularly useful to increase reliability + on embedded devices, but also on laptops which might + accidentally get powered on when carried in a backpack and + whose boot stays stuck in a hard disk encryption passphrase + question. + + * systemd-logind can be configured to also handle lid switch + events even when the machine is docked or multiple displays + are attached (HandleLidSwitchDocked= option). + + * A helper binary and a service have been added which can be + used to resume from hibernation in the initramfs. A + generator will parse the resume= option on the kernel + command line to trigger resume. + + * A user console daemon systemd-consoled has been + added. Currently, it is a preview, and will so far open a + single terminal on each session of the user marked as + Desktop=systemd-console. + + * Route metrics can be specified for DHCP routes added by + systemd-networkd. + + * The SELinux context of socket-activated services can be set + from the information provided by the networking stack + (SELinuxContextFromNet= option). + + * Userspace firmware loading support has been removed and + the minimum supported kernel version is thus bumped to 3.7. + + * Timeout for udev workers has been increased from 1 to 3 + minutes, but a warning will be printed after 1 minute to + help diagnose kernel modules that take a long time to load. + + * Udev rules can now remove tags on devices with TAG-="foobar". + + * systemd's readahead implementation has been removed. In many + circumstances it didn't give expected benefits even for + rotational disk drives and was becoming less relevant in the + age of SSDs. As none of the developers has been using + rotating media anymore, and nobody stepped up to actively + maintain this component of systemd it has now been removed. + + * Swap units can use Options= to specify discard options. + Discard options specified for swaps in /etc/fstab are now + respected. + + * Docker containers are now detected as a separate type of + virtualization. + + * The Password Agent protocol gained support for queries where + the user input is shown, useful e.g. for user names. + systemd-ask-password gained a new --echo option to turn that + on. + + * The default sysctl.d/ snippets will now set: + + net.core.default_qdisc = fq_codel + + This selects Fair Queuing Controlled Delay as the default + queuing discipline for network interfaces. fq_codel helps + fight the network bufferbloat problem. It is believed to be + a good default with no tuning required for most workloads. + Downstream distributions may override this choice. On 10Gbit + servers that do not do forwarding, "fq" may perform better. + Systems without a good clocksource should use "pfifo_fast". + + * If kdbus is enabled during build a new option BusPolicy= is + available for service units, that allows locking all service + processes into a stricter bus policy, in order to limit + access to various bus services, or even hide most of them + from the service's view entirely. + + * networkctl will now show the .network and .link file + networkd has applied to a specific interface. + + * sd-login gained a new API call sd_session_get_desktop() to + query which desktop environment has been selected for a + session. + + * UNIX utmp support is now compile-time optional to support + legacy-free systems. + + * systemctl gained two new commands "add-wants" and + "add-requires" for pulling in units from specific targets + easily. + + * If the word "rescue" is specified on the kernel command line + the system will now boot into rescue mode (aka + rescue.target), which was previously available only by + specifying "1" or "systemd.unit=rescue.target" on the kernel + command line. This new kernel command line option nicely + mirrors the already existing "emergency" kernel command line + option. + + * New kernel command line options mount.usr=, mount.usrflags=, + mount.usrfstype= have been added that match root=, rootflags=, + rootfstype= but allow mounting a specific file system to + /usr. + + * The $NOTIFY_SOCKET is now also passed to control processes of + services, not only the main process. + + * This version reenables support for fsck's -l switch. This + means at least version v2.25 of util-linux is required for + operation, otherwise dead-locks on device nodes may + occur. Again: you need to update util-linux to at least + v2.25 when updating systemd to v217. + + * The "multi-seat-x" tool has been removed from systemd, as + its functionality has been integrated into X servers 1.16, + and the tool is hence redundant. It is recommended to update + display managers invoking this tool to simply invoke X + directly from now on, again. + + * Support for the new ALLOW_INTERACTIVE_AUTHORIZATION D-Bus + message flag has been added for all of systemd's polkit + authenticated method calls has been added. In particular this + now allows optional interactive authorization via polkit for + many of PID1's privileged operations such as unit file + enabling and disabling. + + * "udevadm hwdb --update" learnt a new switch "--usr" for + placing the rebuilt hardware database in /usr instead of + /etc. When used only hardware database entries stored in + /usr will be used, and any user database entries in /etc are + ignored. This functionality is useful for vendors to ship a + pre-built database on systems where local configuration is + unnecessary or unlikely. + + * Calendar time specifications in .timer units now also + understand the strings "semi-annually", "quarterly" and + "minutely" as shortcuts (in addition to the preexisting + "annually", "hourly", ...). + + * systemd-tmpfiles will now correctly create files in /dev + at boot which are marked for creation only at boot. It is + recommended to always create static device nodes with 'c!' + and 'b!', so that they are created only at boot and not + overwritten at runtime. + + * When the watchdog logic is used for a service (WatchdogSec=) + and the watchdog timeout is hit the service will now be + terminated with SIGABRT (instead of just SIGTERM), in order + to make sure a proper coredump and backtrace is + generated. This ensures that hanging services will result in + similar coredump/backtrace behaviour as services that hit a + segmentation fault. + + Contributions from: Andreas Henriksson, Andrei Borzenkov, + Angus Gibson, Ansgar Burchardt, Ben Wolsieffer, Brandon L. + Black, Christian Hesse, Cristian Rodríguez, Daniel Buch, + Daniele Medri, Daniel Mack, Dan Williams, Dave Reisner, David + Herrmann, David Sommerseth, David Strauss, Emil Renner + Berthing, Eric Cook, Evangelos Foutras, Filipe Brandenburger, + Gustavo Sverzut Barbieri, Hans de Goede, Harald Hoyer, Hristo + Venev, Hugo Grostabussiat, Ivan Shapovalov, Jan Janssen, Jan + Synacek, Jonathan Liu, Juho Son, Karel Zak, Kay Sievers, Klaus + Purer, Koen Kooi, Lennart Poettering, Lukas Nykryn, Lukasz + Skalski, Łukasz Stelmach, Mantas Mikulėnas, Marcel Holtmann, + Marius Tessmann, Marko Myllynen, Martin Pitt, Michael Biebl, + Michael Marineau, Michael Olbrich, Michael Scherer, Michal + Schmidt, Michal Sekletar, Miroslav Lichvar, Patrik Flykt, + Philippe De Swert, Piotr Drąg, Rahul Sundaram, Richard + Weinberger, Robert Milasan, Ronny Chevalier, Ruben Kerkhof, + Santiago Vila, Sergey Ptashnick, Simon McVittie, Sjoerd + Simons, Stefan Brüns, Steven Allen, Steven Noonan, Susant + Sahani, Sylvain Plantefève, Thomas Hindoe Paaboel Andersen, + Timofey Titovets, Tobias Hunger, Tom Gundersen, Torstein + Husebø, Umut Tezduyar Lindskog, WaLyong Cho, Zbigniew + Jędrzejewski-Szmek + + — Berlin, 2014-10-28 + +CHANGES WITH 216: + + * timedated no longer reads NTP implementation unit names from + /usr/lib/systemd/ntp-units.d/*.list. Alternative NTP + implementations should add a + + Conflicts=systemd-timesyncd.service + + to their unit files to take over and replace systemd's NTP + default functionality. + + * systemd-sysusers gained a new line type "r" for configuring + which UID/GID ranges to allocate system users/groups + from. Lines of type "u" may now add an additional column + that specifies the home directory for the system user to be + created. Also, systemd-sysusers may now optionally read user + information from STDIN instead of a file. This is useful for + invoking it from RPM preinst scriptlets that need to create + users before the first RPM file is installed since these + files might need to be owned by them. A new + %sysusers_create_inline RPM macro has been introduced to do + just that. systemd-sysusers now updates the shadow files as + well as the user/group databases, which should enhance + compatibility with certain tools like grpck. + + * A number of bus APIs of PID 1 now optionally consult polkit to + permit access for otherwise unprivileged clients under certain + conditions. Note that this currently doesn't support + interactive authentication yet, but this is expected to be + added eventually, too. + + * /etc/machine-info now has new fields for configuring the + deployment environment of the machine, as well as the + location of the machine. hostnamectl has been updated with + new command to update these fields. + + * systemd-timesyncd has been updated to automatically acquire + NTP server information from systemd-networkd, which might + have been discovered via DHCP. + + * systemd-resolved now includes a caching DNS stub resolver + and a complete LLMNR name resolution implementation. A new + NSS module "nss-resolve" has been added which can be used + instead of glibc's own "nss-dns" to resolve hostnames via + systemd-resolved. Hostnames, addresses and arbitrary RRs may + be resolved via systemd-resolved D-Bus APIs. In contrast to + the glibc internal resolver systemd-resolved is aware of + multi-homed system, and keeps DNS server and caches separate + and per-interface. Queries are sent simultaneously on all + interfaces that have DNS servers configured, in order to + properly handle VPNs and local LANs which might resolve + separate sets of domain names. systemd-resolved may acquire + DNS server information from systemd-networkd automatically, + which in turn might have discovered them via DHCP. A tool + "systemd-resolve-host" has been added that may be used to + query the DNS logic in resolved. systemd-resolved implements + IDNA and automatically uses IDNA or UTF-8 encoding depending + on whether classic DNS or LLMNR is used as transport. In the + next releases we intend to add a DNSSEC and mDNS/DNS-SD + implementation to systemd-resolved. + + * A new NSS module nss-mymachines has been added, that + automatically resolves the names of all local registered + containers to their respective IP addresses. + + * A new client tool "networkctl" for systemd-networkd has been + added. It currently is entirely passive and will query + networking configuration from udev, rtnetlink and networkd, + and present it to the user in a very friendly + way. Eventually, we hope to extend it to become a full + control utility for networkd. + + * .socket units gained a new DeferAcceptSec= setting that + controls the kernels' TCP_DEFER_ACCEPT sockopt for + TCP. Similarly, support for controlling TCP keep-alive + settings has been added (KeepAliveTimeSec=, + KeepAliveIntervalSec=, KeepAliveProbes=). Also, support for + turning off Nagle's algorithm on TCP has been added + (NoDelay=). + + * logind learned a new session type "web", for use in projects + like Cockpit which register web clients as PAM sessions. + + * timer units with at least one OnCalendar= setting will now + be started only after time-sync.target has been + reached. This way they will not elapse before the system + clock has been corrected by a local NTP client or + similar. This is particular useful on RTC-less embedded + machines, that come up with an invalid system clock. + + * systemd-nspawn's --network-veth= switch should now result in + stable MAC addresses for both the outer and the inner side + of the link. + + * systemd-nspawn gained a new --volatile= switch for running + container instances with /etc or /var unpopulated. + + * The kdbus client code has been updated to use the new Linux + 3.17 memfd subsystem instead of the old kdbus-specific one. + + * systemd-networkd's DHCP client and server now support + FORCERENEW. There are also new configuration options to + configure the vendor client identifier and broadcast mode + for DHCP. + + * systemd will no longer inform the kernel about the current + timezone, as this is necessarily incorrect and racy as the + kernel has no understanding of DST and similar + concepts. This hence means FAT timestamps will be always + considered UTC, similar to what Android is already + doing. Also, when the RTC is configured to the local time + (rather than UTC) systemd will never synchronize back to it, + as this might confuse Windows at a later boot. + + * systemd-analyze gained a new command "verify" for offline + validation of unit files. + + * systemd-networkd gained support for a couple of additional + settings for bonding networking setups. Also, the metric for + statically configured routes may now be configured. For + network interfaces where this is appropriate the peer IP + address may now be configured. + + * systemd-networkd's DHCP client will no longer request + broadcasting by default, as this tripped up some networks. + For hardware where broadcast is required the feature should + be switched back on using RequestBroadcast=yes. + + * systemd-networkd will now set up IPv4LL addresses (when + enabled) even if DHCP is configured successfully. + + * udev will now default to respect network device names given + by the kernel when the kernel indicates that these are + predictable. This behavior can be tweaked by changing + NamePolicy= in the relevant .link file. + + * A new library systemd-terminal has been added that + implements full TTY stream parsing and rendering. This + library is supposed to be used later on for implementing a + full userspace VT subsystem, replacing the current kernel + implementation. + + * A new tool systemd-journal-upload has been added to push + journal data to a remote system running + systemd-journal-remote. + + * journald will no longer forward all local data to another + running syslog daemon. This change has been made because + rsyslog (which appears to be the most commonly used syslog + implementation these days) no longer makes use of this, and + instead pulls the data out of the journal on its own. Since + forwarding the messages to a non-existent syslog server is + more expensive than we assumed we have now turned this + off. If you run a syslog server that is not a recent rsyslog + version, you have to turn this option on again + (ForwardToSyslog= in journald.conf). + + * journald now optionally supports the LZ4 compressor for + larger journal fields. This compressor should perform much + better than XZ which was the previous default. + + * machinectl now shows the IP addresses of local containers, + if it knows them, plus the interface name of the container. + + * A new tool "systemd-escape" has been added that makes it + easy to escape strings to build unit names and similar. + + * sd_notify() messages may now include a new ERRNO= field + which is parsed and collected by systemd and shown among the + "systemctl status" output for a service. + + * A new component "systemd-firstboot" has been added that + queries the most basic systemd information (timezone, + hostname, root password) interactively on first + boot. Alternatively it may also be used to provision these + things offline on OS images installed into directories. + + * The default sysctl.d/ snippets will now set + + net.ipv4.conf.default.promote_secondaries=1 + + This has the benefit of no flushing secondary IP addresses + when primary addresses are removed. + + Contributions from: Ansgar Burchardt, Bastien Nocera, Colin + Walters, Dan Dedrick, Daniel Buch, Daniel Korostil, Daniel + Mack, Dan Williams, Dave Reisner, David Herrmann, Denis + Kenzior, Eelco Dolstra, Eric Cook, Hannes Reinecke, Harald + Hoyer, Hong Shick Pak, Hui Wang, Jean-André Santoni, Jóhann + B. Guðmundsson, Jon Severinsson, Karel Zak, Kay Sievers, Kevin + Wells, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas, + Marc-Antoine Perennou, Martin Pitt, Michael Biebl, Michael + Marineau, Michael Olbrich, Michal Schmidt, Michal Sekletar, + Miguel Angel Ajo, Mike Gilbert, Olivier Brunel, Robert + Schiele, Ronny Chevalier, Simon McVittie, Sjoerd Simons, Stef + Walter, Steven Noonan, Susant Sahani, Tanu Kaskinen, Thomas + Blume, Thomas Hindoe Paaboel Andersen, Timofey Titovets, + Tobias Geerinckx-Rice, Tomasz Torcz, Tom Gundersen, Umut + Tezduyar Lindskog, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2014-08-19 + +CHANGES WITH 215: + + * A new tool systemd-sysusers has been added. This tool + creates system users and groups in /etc/passwd and + /etc/group, based on static declarative system user/group + definitions in /usr/lib/sysusers.d/. This is useful to + enable factory resets and volatile systems that boot up with + an empty /etc directory, and thus need system users and + groups created during early boot. systemd now also ships + with two default sysusers.d/ files for the most basic + users and groups systemd and the core operating system + require. + + * A new tmpfiles snippet has been added that rebuilds the + essential files in /etc on boot, should they be missing. + + * A directive for ensuring automatic clean-up of + /var/cache/man/ has been removed from the default + configuration. This line should now be shipped by the man + implementation. The necessary change has been made to the + man-db implementation. Note that you need to update your man + implementation to one that ships this line, otherwise no + automatic clean-up of /var/cache/man will take place. + + * A new condition ConditionNeedsUpdate= has been added that + may conditionalize services to only run when /etc or /var + are "older" than the vendor operating system resources in + /usr. This is useful for reconstructing or updating /etc + after an offline update of /usr or a factory reset, on the + next reboot. Services that want to run once after such an + update or reset should use this condition and order + themselves before the new systemd-update-done.service, which + will mark the two directories as fully updated. A number of + service files have been added making use of this, to rebuild + the udev hardware database, the journald message catalog and + dynamic loader cache (ldconfig). The systemd-sysusers tool + described above also makes use of this now. With this in + place it is now possible to start up a minimal operating + system with /etc empty cleanly. For more information on the + concepts involved see this recent blog story: + + http://0pointer.de/blog/projects/stateless.html + + * A new system group "input" has been introduced, and all + input device nodes get this group assigned. This is useful + for system-level software to get access to input devices. It + complements what is already done for "audio" and "video". + + * systemd-networkd learnt minimal DHCPv4 server support in + addition to the existing DHCPv4 client support. It also + learnt DHCPv6 client and IPv6 Router Solicitation client + support. The DHCPv4 client gained support for static routes + passed in from the server. Note that the [DHCPv4] section + known in older systemd-networkd versions has been renamed to + [DHCP] and is now also used by the DHCPv6 client. Existing + .network files using settings of this section should be + updated, though compatibility is maintained. Optionally, the + client hostname may now be sent to the DHCP server. + + * networkd gained support for vxlan virtual networks as well + as tun/tap and dummy devices. + + * networkd gained support for automatic allocation of address + ranges for interfaces from a system-wide pool of + addresses. This is useful for dynamically managing a large + number of interfaces with a single network configuration + file. In particular this is useful to easily assign + appropriate IP addresses to the veth links of a large number + of nspawn instances. + + * RPM macros for processing sysusers, sysctl and binfmt + drop-in snippets at package installation time have been + added. + + * The /etc/os-release file should now be placed in + /usr/lib/os-release. The old location is automatically + created as symlink. /usr/lib is the more appropriate + location of this file, since it shall actually describe the + vendor operating system shipped in /usr, and not the + configuration stored in /etc. + + * .mount units gained a new boolean SloppyOptions= setting + that maps to mount(8)'s -s option which enables permissive + parsing of unknown mount options. + + * tmpfiles learnt a new "L+" directive which creates a symlink + but (unlike "L") deletes a pre-existing file first, should + it already exist and not already be the correct + symlink. Similarly, "b+", "c+" and "p+" directives have been + added as well, which create block and character devices, as + well as fifos in the filesystem, possibly removing any + pre-existing files of different types. + + * For tmpfiles' "L", "L+", "C" and "C+" directives the final + 'argument' field (which so far specified the source to + symlink/copy the files from) is now optional. If omitted the + same file os copied from /usr/share/factory/ suffixed by the + full destination path. This is useful for populating /etc + with essential files, by copying them from vendor defaults + shipped in /usr/share/factory/etc. + + * A new command "systemctl preset-all" has been added that + applies the service preset settings to all installed unit + files. A new switch --preset-mode= has been added that + controls whether only enable or only disable operations + shall be executed. + + * A new command "systemctl is-system-running" has been added + that allows checking the overall state of the system, for + example whether it is fully up and running. + + * When the system boots up with an empty /etc, the equivalent + to "systemctl preset-all" is executed during early boot, to + make sure all default services are enabled after a factory + reset. + + * systemd now contains a minimal preset file that enables the + most basic services systemd ships by default. + + * Unit files' [Install] section gained a new DefaultInstance= + field for defining the default instance to create if a + template unit is enabled with no instance specified. + + * A new passive target cryptsetup-pre.target has been added + that may be used by services that need to make they run and + finish before the first LUKS cryptographic device is set up. + + * The /dev/loop-control and /dev/btrfs-control device nodes + are now owned by the "disk" group by default, opening up + access to this group. + + * systemd-coredump will now automatically generate a + stack trace of all core dumps taking place on the system, + based on elfutils' libdw library. This stack trace is logged + to the journal. + + * systemd-coredump may now optionally store coredumps directly + on disk (in /var/lib/systemd/coredump, possibly compressed), + instead of storing them unconditionally in the journal. This + mode is the new default. A new configuration file + /etc/systemd/coredump.conf has been added to configure this + and other parameters of systemd-coredump. + + * coredumpctl gained a new "info" verb to show details about a + specific coredump. A new switch "-1" has also been added + that makes sure to only show information about the most + recent entry instead of all entries. Also, as the tool is + generally useful now the "systemd-" prefix of the binary + name has been removed. Distributions that want to maintain + compatibility with the old name should add a symlink from + the old name to the new name. + + * journald's SplitMode= now defaults to "uid". This makes sure + that unprivileged users can access their own coredumps with + coredumpctl without restrictions. + + * New kernel command line options "systemd.wants=" (for + pulling an additional unit during boot), "systemd.mask=" + (for masking a specific unit for the boot), and + "systemd.debug-shell" (for enabling the debug shell on tty9) + have been added. This is implemented in the new generator + "systemd-debug-generator". + + * systemd-nspawn will now by default filter a couple of + syscalls for containers, among them those required for + kernel module loading, direct x86 IO port access, swap + management, and kexec. Most importantly though + open_by_handle_at() is now prohibited for containers, + closing a hole similar to a recently discussed vulnerability + in docker regarding access to files on file hierarchies the + container should normally not have access to. Note that, for + nspawn, we generally make no security claims anyway (and + this is explicitly documented in the man page), so this is + just a fix for one of the most obvious problems. + + * A new man page file-hierarchy(7) has been added that + contains a minimized, modernized version of the file system + layout systemd expects, similar in style to the FHS + specification or hier(5). A new tool systemd-path(1) has + been added to query many of these paths for the local + machine and user. + + * Automatic time-based clean-up of $XDG_RUNTIME_DIR is no + longer done. Since the directory now has a per-user size + limit, and is cleaned on logout this appears unnecessary, + in particular since this now brings the lifecycle of this + directory closer in line with how IPC objects are handled. + + * systemd.pc now exports a number of additional directories, + including $libdir (which is useful to identify the library + path for the primary architecture of the system), and a + couple of drop-in directories. + + * udev's predictable network interface names now use the dev_port + sysfs attribute, introduced in linux 3.15 instead of dev_id to + distinguish between ports of the same PCI function. dev_id should + only be used for ports using the same HW address, hence the need + for dev_port. + + * machined has been updated to export the OS version of a + container (read from /etc/os-release and + /usr/lib/os-release) on the bus. This is now shown in + "machinectl status" for a machine. + + * A new service setting RestartForceExitStatus= has been + added. If configured to a set of exit signals or process + return values, the service will be restarted when the main + daemon process exits with any of them, regardless of the + Restart= setting. + + * systemctl's -H switch for connecting to remote systemd + machines has been extended so that it may be used to + directly connect to a specific container on the + host. "systemctl -H root@foobar:waldi" will now connect as + user "root" to host "foobar", and then proceed directly to + the container named "waldi". Note that currently you have to + authenticate as user "root" for this to work, as entering + containers is a privileged operation. + + Contributions from: Andreas Henriksson, Benjamin Steinwender, + Carl Schaefer, Christian Hesse, Colin Ian King, Cristian + Rodríguez, Daniel Mack, Dave Reisner, David Herrmann, Eugene + Yakubovich, Filipe Brandenburger, Frederic Crozat, Hristo + Venev, Jan Engelhardt, Jonathan Boulle, Kay Sievers, Lennart + Poettering, Luke Shumaker, Mantas Mikulėnas, Marc-Antoine + Perennou, Marcel Holtmann, Michael Marineau, Michael Olbrich, + Michał Bartoszkiewicz, Michal Sekletar, Patrik Flykt, Ronan Le + Martret, Ronny Chevalier, Ruediger Oertel, Steven Noonan, + Susant Sahani, Thadeu Lima de Souza Cascardo, Thomas Hindoe + Paaboel Andersen, Tom Gundersen, Tom Hirst, Umut Tezduyar + Lindskog, Uoti Urpala, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2014-07-03 + +CHANGES WITH 214: + + * As an experimental feature, udev now tries to lock the + disk device node (flock(LOCK_SH|LOCK_NB)) while it + executes events for the disk or any of its partitions. + Applications like partitioning programs can lock the + disk device node (flock(LOCK_EX)) and claim temporary + device ownership that way; udev will entirely skip all event + handling for this disk and its partitions. If the disk + was opened for writing, the close will trigger a partition + table rescan in udev's "watch" facility, and if needed + synthesize "change" events for the disk and all its partitions. + This is now unconditionally enabled, and if it turns out to + cause major problems, we might turn it on only for specific + devices, or might need to disable it entirely. Device Mapper + devices are excluded from this logic. + + * We temporarily dropped the "-l" switch for fsck invocations, + since they collide with the flock() logic above. util-linux + upstream has been changed already to avoid this conflict, + and we will re-add "-l" as soon as util-linux with this + change has been released. + + * The dependency on libattr has been removed. Since a long + time, the extended attribute calls have moved to glibc, and + libattr is thus unnecessary. + + * Virtualization detection works without privileges now. This + means the systemd-detect-virt binary no longer requires + CAP_SYS_PTRACE file capabilities, and our daemons can run + with fewer privileges. + + * systemd-networkd now runs under its own "systemd-network" + user. It retains the CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, + CAP_NET_BROADCAST, CAP_NET_RAW capabilities though, but + loses the ability to write to files owned by root this way. + + * Similarly, systemd-resolved now runs under its own + "systemd-resolve" user with no capabilities remaining. + + * Similarly, systemd-bus-proxyd now runs under its own + "systemd-bus-proxy" user with only CAP_IPC_OWNER remaining. + + * systemd-networkd gained support for setting up "veth" + virtual Ethernet devices for container connectivity, as well + as GRE and VTI tunnels. + + * systemd-networkd will no longer automatically attempt to + manually load kernel modules necessary for certain tunnel + transports. Instead, it is assumed the kernel loads them + automatically when required. This only works correctly on + very new kernels. On older kernels, please consider adding + the kernel modules to /etc/modules-load.d/ as a work-around. + + * The resolv.conf file systemd-resolved generates has been + moved to /run/systemd/resolve/. If you have a symlink from + /etc/resolv.conf, it might be necessary to correct it. + + * Two new service settings, ProtectHome= and ProtectSystem=, + have been added. When enabled, they will make the user data + (such as /home) inaccessible or read-only and the system + (such as /usr) read-only, for specific services. This allows + very light-weight per-service sandboxing to avoid + modifications of user data or system files from + services. These two new switches have been enabled for all + of systemd's long-running services, where appropriate. + + * Socket units gained new SocketUser= and SocketGroup= + settings to set the owner user and group of AF_UNIX sockets + and FIFOs in the file system. + + * Socket units gained a new RemoveOnStop= setting. If enabled, + all FIFOS and sockets in the file system will be removed + when the specific socket unit is stopped. + + * Socket units gained a new Symlinks= setting. It takes a list + of symlinks to create to file system sockets or FIFOs + created by the specific Unix sockets. This is useful to + manage symlinks to socket nodes with the same lifecycle as + the socket itself. + + * The /dev/log socket and /dev/initctl FIFO have been moved to + /run, and have been replaced by symlinks. This allows + connecting to these facilities even if PrivateDevices=yes is + used for a service (which makes /dev/log itself unavailable, + but /run is left). This also has the benefit of ensuring + that /dev only contains device nodes, directories and + symlinks, and nothing else. + + * sd-daemon gained two new calls sd_pid_notify() and + sd_pid_notifyf(). They are similar to sd_notify() and + sd_notifyf(), but allow overriding of the source PID of + notification messages if permissions permit this. This is + useful to send notify messages on behalf of a different + process (for example, the parent process). The + systemd-notify tool has been updated to make use of this + when sending messages (so that notification messages now + originate from the shell script invoking systemd-notify and + not the systemd-notify process itself. This should minimize + a race where systemd fails to associate notification + messages to services when the originating process already + vanished. + + * A new "on-abnormal" setting for Restart= has been added. If + set, it will result in automatic restarts on all "abnormal" + reasons for a process to exit, which includes unclean + signals, core dumps, timeouts and watchdog timeouts, but + does not include clean and unclean exit codes or clean + signals. Restart=on-abnormal is an alternative for + Restart=on-failure for services that shall be able to + terminate and avoid restarts on certain errors, by + indicating so with an unclean exit code. Restart=on-failure + or Restart=on-abnormal is now the recommended setting for + all long-running services. + + * If the InaccessibleDirectories= service setting points to a + mount point (or if there are any submounts contained within + it), it is now attempted to completely unmount it, to make + the file systems truly unavailable for the respective + service. + + * The ReadOnlyDirectories= service setting and + systemd-nspawn's --read-only parameter are now recursively + applied to all submounts, too. + + * Mount units may now be created transiently via the bus APIs. + + * The support for SysV and LSB init scripts has been removed + from the systemd daemon itself. Instead, it is now + implemented as a generator that creates native systemd units + from these scripts when needed. This enables us to remove a + substantial amount of legacy code from PID 1, following the + fact that many distributions only ship a very small number + of LSB/SysV init scripts nowadays. + + * Privileged Xen (dom0) domains are not considered + virtualization anymore by the virtualization detection + logic. After all, they generally have unrestricted access to + the hardware and usually are used to manage the unprivileged + (domU) domains. + + * systemd-tmpfiles gained a new "C" line type, for copying + files or entire directories. + + * systemd-tmpfiles "m" lines are now fully equivalent to "z" + lines. So far, they have been non-globbing versions of the + latter, and have thus been redundant. In future, it is + recommended to only use "z". "m" has hence been removed + from the documentation, even though it stays supported. + + * A tmpfiles snippet to recreate the most basic structure in + /var has been added. This is enough to create the /var/run → + /run symlink and create a couple of structural + directories. This allows systems to boot up with an empty or + volatile /var. Of course, while with this change, the core OS + now is capable with dealing with a volatile /var, not all + user services are ready for it. However, we hope that sooner + or later, many service daemons will be changed upstream so + that they are able to automatically create their necessary + directories in /var at boot, should they be missing. This is + the first step to allow state-less systems that only require + the vendor image for /usr to boot. + + * systemd-nspawn has gained a new --tmpfs= switch to mount an + empty tmpfs instance to a specific directory. This is + particularly useful for making use of the automatic + reconstruction of /var (see above), by passing --tmpfs=/var. + + * Access modes specified in tmpfiles snippets may now be + prefixed with "~", which indicates that they shall be masked + by whether the existing file or directory is currently + writable, readable or executable at all. Also, if specified, + the sgid/suid/sticky bits will be masked for all + non-directories. + + * A new passive target unit "network-pre.target" has been + added which is useful for services that shall run before any + network is configured, for example firewall scripts. + + * The "floppy" group that previously owned the /dev/fd* + devices is no longer used. The "disk" group is now used + instead. Distributions should probably deprecate usage of + this group. + + Contributions from: Camilo Aguilar, Christian Hesse, Colin Ian + King, Cristian Rodríguez, Daniel Buch, Dave Reisner, David + Strauss, Denis Tikhomirov, John, Jonathan Liu, Kay Sievers, + Lennart Poettering, Mantas Mikulėnas, Mark Eichin, Ronny + Chevalier, Susant Sahani, Thomas Blume, Thomas Hindoe Paaboel + Andersen, Tom Gundersen, Umut Tezduyar Lindskog, Zbigniew + Jędrzejewski-Szmek + + — Berlin, 2014-06-11 + +CHANGES WITH 213: + + * A new "systemd-timesyncd" daemon has been added for + synchronizing the system clock across the network. It + implements an SNTP client. In contrast to NTP + implementations such as chrony or the NTP reference server, + this only implements a client side, and does not bother with + the full NTP complexity, focusing only on querying time from + one remote server and synchronizing the local clock to + it. Unless you intend to serve NTP to networked clients or + want to connect to local hardware clocks, this simple NTP + client should be more than appropriate for most + installations. The daemon runs with minimal privileges, and + has been hooked up with networkd to only operate when + network connectivity is available. The daemon saves the + current clock to disk every time a new NTP sync has been + acquired, and uses this to possibly correct the system clock + early at bootup, in order to accommodate for systems that + lack an RTC such as the Raspberry Pi and embedded devices, + and to make sure that time monotonically progresses on these + systems, even if it is not always correct. To make use of + this daemon, a new system user and group "systemd-timesync" + needs to be created on installation of systemd. + + * The queue "seqnum" interface of libudev has been disabled, as + it was generally incompatible with device namespacing as + sequence numbers of devices go "missing" if the devices are + part of a different namespace. + + * "systemctl list-timers" and "systemctl list-sockets" gained + a --recursive switch for showing units of these types also + for all local containers, similar in style to the already + supported --recursive switch for "systemctl list-units". + + * A new RebootArgument= setting has been added for service + units, which may be used to specify a kernel reboot argument + to use when triggering reboots with StartLimitAction=. + + * A new FailureAction= setting has been added for service + units which may be used to specify an operation to trigger + when a service fails. This works similarly to + StartLimitAction=, but unlike it, controls what is done + immediately rather than only after several attempts to + restart the service in question. + + * hostnamed got updated to also expose the kernel name, + release, and version on the bus. This is useful for + executing commands like hostnamectl with the -H switch. + systemd-analyze makes use of this to properly display + details when running non-locally. + + * The bootchart tool can now show cgroup information in the + graphs it generates. + + * The CFS CPU quota cgroup attribute is now exposed for + services. The new CPUQuota= switch has been added for this + which takes a percentage value. Setting this will have the + result that a service may never get more CPU time than the + specified percentage, even if the machine is otherwise idle. + + * systemd-networkd learned IPIP and SIT tunnel support. + + * LSB init scripts exposing a dependency on $network will now + get a dependency on network-online.target rather than simply + network.target. This should bring LSB handling closer to + what it was on SysV systems. + + * A new fsck.repair= kernel option has been added to control + how fsck shall deal with unclean file systems at boot. + + * The (.ini) configuration file parser will now silently ignore + sections whose names begin with "X-". This may be used to maintain + application-specific extension sections in unit files. + + * machined gained a new API to query the IP addresses of + registered containers. "machinectl status" has been updated + to show these addresses in its output. + + * A new call sd_uid_get_display() has been added to the + sd-login APIs for querying the "primary" session of a + user. The "primary" session of the user is elected from the + user's sessions and generally a graphical session is + preferred over a text one. + + * A minimal systemd-resolved daemon has been added. It + currently simply acts as a companion to systemd-networkd and + manages resolv.conf based on per-interface DNS + configuration, possibly supplied via DHCP. In the long run + we hope to extend this into a local DNSSEC enabled DNS and + mDNS cache. + + * The systemd-networkd-wait-online tool is now enabled by + default. It will delay network-online.target until a network + connection has been configured. The tool primarily integrates + with networkd, but will also make a best effort to make sense + of network configuration performed in some other way. + + * Two new service options StartupCPUShares= and + StartupBlockIOWeight= have been added that work similarly to + CPUShares= and BlockIOWeight= however only apply during + system startup. This is useful to prioritize certain services + differently during bootup than during normal runtime. + + * hostnamed has been changed to prefer the statically + configured hostname in /etc/hostname (unless set to + 'localhost' or empty) over any dynamic one supplied by + dhcp. With this change, the rules for picking the hostname + match more closely the rules of other configuration settings + where the local administrator's configuration in /etc always + overrides any other settings. + + Contributions from: Ali H. Caliskan, Alison Chaiken, Bas van + den Berg, Brandon Philips, Cristian Rodríguez, Daniel Buch, + Dan Kilman, Dave Reisner, David Härdeman, David Herrmann, + David Strauss, Dimitris Spingos, Djalal Harouni, Eelco + Dolstra, Evan Nemerson, Florian Albrechtskirchinger, Greg + Kroah-Hartman, Harald Hoyer, Holger Hans Peter Freyther, Jan + Engelhardt, Jani Nikula, Jason St. John, Jeffrey Clark, + Jonathan Boulle, Kay Sievers, Lennart Poettering, Lukas + Nykryn, Lukasz Skalski, Łukasz Stelmach, Mantas Mikulėnas, + Marcel Holtmann, Martin Pitt, Matthew Monaco, Michael + Marineau, Michael Olbrich, Michal Sekletar, Mike Gilbert, Nis + Martensen, Patrik Flykt, Philip Lorenz, poma, Ray Strode, + Reyad Attiyat, Robert Milasan, Scott Thrasher, Stef Walter, + Steven Siloti, Susant Sahani, Tanu Kaskinen, Thomas Bächler, + Thomas Hindoe Paaboel Andersen, Tom Gundersen, Umut Tezduyar + Lindskog, WaLyong Cho, Will Woods, Zbigniew + Jędrzejewski-Szmek + + — Beijing, 2014-05-28 + +CHANGES WITH 212: + + * When restoring the screen brightness at boot, stay away from + the darkest setting or from the lowest 5% of the available + range, depending on which is the larger value of both. This + should effectively protect the user from rebooting into a + black screen, should the brightness have been set to minimum + by accident. + + * sd-login gained a new sd_machine_get_class() call to + determine the class ("vm" or "container") of a machine + registered with machined. + + * sd-login gained new calls + sd_peer_get_{session,owner_uid,unit,user_unit,slice,machine_name}(), + to query the identity of the peer of a local AF_UNIX + connection. They operate similarly to their sd_pid_get_xyz() + counterparts. + + * PID 1 will now maintain a system-wide system state engine + with the states "starting", "running", "degraded", + "maintenance", "stopping". These states are bound to system + startup, normal runtime, runtime with at least one failed + service, rescue/emergency mode and system shutdown. This + state is shown in the "systemctl status" output when no unit + name is passed. It is useful to determine system state, in + particularly when doing so for many systems or containers at + once. + + * A new command "list-machines" has been added to "systemctl" + that lists all local OS containers and shows their system + state (see above), if systemd runs inside of them. + + * systemctl gained a new "-r" switch to recursively enumerate + units on all local containers, when used with the + "list-unit" command (which is the default one that is + executed when no parameters are specified). + + * The GPT automatic partition discovery logic will now honour + two GPT partition flags: one may be set on a partition to + cause it to be mounted read-only, and the other may be set + on a partition to ignore it during automatic discovery. + + * Two new GPT type UUIDs have been added for automatic root + partition discovery, for 32-bit and 64-bit ARM. This is not + particularly useful for discovering the root directory on + these architectures during bare-metal boots (since UEFI is + not common there), but still very useful to allow booting of + ARM disk images in nspawn with the -i option. + + * MAC addresses of interfaces created with nspawn's + --network-interface= switch will now be generated from the + machine name, and thus be stable between multiple invocations + of the container. + + * logind will now automatically remove all IPC objects owned + by a user if she or he fully logs out. This makes sure that + users who are logged out cannot continue to consume IPC + resources. This covers SysV memory, semaphores and message + queues as well as POSIX shared memory and message + queues. Traditionally, SysV and POSIX IPC had no lifecycle + limits. With this functionality, that is corrected. This may + be turned off by using the RemoveIPC= switch of logind.conf. + + * The systemd-machine-id-setup and tmpfiles tools gained a + --root= switch to operate on a specific root directory, + instead of /. + + * journald can now forward logged messages to the TTYs of all + logged in users ("wall"). This is the default for all + emergency messages now. + + * A new tool systemd-journal-remote has been added to stream + journal log messages across the network. + + * /sys/fs/cgroup/ is now mounted read-only after all cgroup + controller trees are mounted into it. Note that the + directories mounted beneath it are not read-only. This is a + security measure and is particularly useful because glibc + actually includes a search logic to pick any tmpfs it can + find to implement shm_open() if /dev/shm is not available + (which it might very well be in namespaced setups). + + * machinectl gained a new "poweroff" command to cleanly power + down a local OS container. + + * The PrivateDevices= unit file setting will now also drop the + CAP_MKNOD capability from the capability bound set, and + imply DevicePolicy=closed. + + * PrivateDevices=, PrivateNetwork= and PrivateTmp= is now used + comprehensively on all long-running systemd services where + this is appropriate. + + * systemd-udevd will now run in a disassociated mount + namespace. To mount directories from udev rules, make sure to + pull in mount units via SYSTEMD_WANTS properties. + + * The kdbus support gained support for uploading policy into + the kernel. sd-bus gained support for creating "monitoring" + connections that can eavesdrop into all bus communication + for debugging purposes. + + * Timestamps may now be specified in seconds since the UNIX + epoch Jan 1st, 1970 by specifying "@" followed by the value + in seconds. + + * Native tcpwrap support in systemd has been removed. tcpwrap + is old code, not really maintained anymore and has serious + shortcomings, and better options such as firewalls + exist. For setups that require tcpwrap usage, please + consider invoking your socket-activated service via tcpd, + like on traditional inetd. + + * A new system.conf configuration option + DefaultTimerAccuracySec= has been added that controls the + default AccuracySec= setting of .timer units. + + * Timer units gained a new WakeSystem= switch. If enabled, + timers configured this way will cause the system to resume + from system suspend (if the system supports that, which most + do these days). + + * Timer units gained a new Persistent= switch. If enabled, + timers configured this way will save to disk when they have + been last triggered. This information is then used on next + reboot to possible execute overdue timer events, that + could not take place because the system was powered off. + This enables simple anacron-like behaviour for timer units. + + * systemctl's "list-timers" will now also list the time a + timer unit was last triggered in addition to the next time + it will be triggered. + + * systemd-networkd will now assign predictable IPv4LL + addresses to its local interfaces. + + Contributions from: Brandon Philips, Daniel Buch, Daniel Mack, + Dave Reisner, David Herrmann, Gerd Hoffmann, Greg + Kroah-Hartman, Hendrik Brueckner, Jason St. John, Josh + Triplett, Kay Sievers, Lennart Poettering, Marc-Antoine + Perennou, Michael Marineau, Michael Olbrich, Miklos Vajna, + Patrik Flykt, poma, Sebastian Thorarensen, Thomas Bächler, + Thomas Hindoe Paaboel Andersen, Tomasz Torcz, Tom Gundersen, + Umut Tezduyar Lindskog, Wieland Hoffmann, Zbigniew + Jędrzejewski-Szmek + + — Berlin, 2014-03-25 + +CHANGES WITH 211: + + * A new unit file setting RestrictAddressFamilies= has been + added to restrict which socket address families unit + processes gain access to. This takes address family names + like "AF_INET" or "AF_UNIX", and is useful to minimize the + attack surface of services via exotic protocol stacks. This + is built on seccomp system call filters. + + * Two new unit file settings RuntimeDirectory= and + RuntimeDirectoryMode= have been added that may be used to + manage a per-daemon runtime directories below /run. This is + an alternative for setting up directory permissions with + tmpfiles snippets, and has the advantage that the runtime + directory's lifetime is bound to the daemon runtime and that + the daemon starts up with an empty directory each time. This + is particularly useful when writing services that drop + privileges using the User= or Group= setting. + + * The DeviceAllow= unit setting now supports globbing for + matching against device group names. + + * The systemd configuration file system.conf gained new + settings DefaultCPUAccounting=, DefaultBlockIOAccounting=, + DefaultMemoryAccounting= to globally turn on/off accounting + for specific resources (cgroups) for all units. These + settings may still be overridden individually in each unit + though. + + * systemd-gpt-auto-generator is now able to discover /srv and + root partitions in addition to /home and swap partitions. It + also supports LUKS-encrypted partitions now. With this in + place, automatic discovery of partitions to mount following + the Discoverable Partitions Specification + (https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec) + is now a lot more complete. This allows booting without + /etc/fstab and without root= on the kernel command line on + systems prepared appropriately. + + * systemd-nspawn gained a new --image= switch which allows + booting up disk images and Linux installations on any block + device that follow the Discoverable Partitions Specification + (see above). This means that installations made with + appropriately updated installers may now be started and + deployed using container managers, completely + unmodified. (We hope that libvirt-lxc will add support for + this feature soon, too.) + + * systemd-nspawn gained a new --network-macvlan= setting to + set up a private macvlan interface for the + container. Similarly, systemd-networkd gained a new + Kind=macvlan setting in .netdev files. + + * systemd-networkd now supports configuring local addresses + using IPv4LL. + + * A new tool systemd-network-wait-online has been added to + synchronously wait for network connectivity using + systemd-networkd. + + * The sd-bus.h bus API gained a new sd_bus_track object for + tracking the lifecycle of bus peers. Note that sd-bus.h is + still not a public API though (unless you specify + --enable-kdbus on the configure command line, which however + voids your warranty and you get no API stability guarantee). + + * The $XDG_RUNTIME_DIR runtime directories for each user are + now individual tmpfs instances, which has the benefit of + introducing separate pools for each user, with individual + size limits, and thus making sure that unprivileged clients + can no longer negatively impact the system or other users by + filling up their $XDG_RUNTIME_DIR. A new logind.conf setting + RuntimeDirectorySize= has been introduced that allows + controlling the default size limit for all users. It + defaults to 10% of the available physical memory. This is no + replacement for quotas on tmpfs though (which the kernel + still does not support), as /dev/shm and /tmp are still + shared resources used by both the system and unprivileged + users. + + * logind will now automatically turn off automatic suspending + on laptop lid close when more than one display is + connected. This was previously expected to be implemented + individually in desktop environments (such as GNOME), + however has been added to logind now, in order to fix a + boot-time race where a desktop environment might not have + been started yet and thus not been able to take an inhibitor + lock at the time where logind already suspends the system + due to a closed lid. + + * logind will now wait at least 30s after each system + suspend/resume cycle, and 3min after system boot before + suspending the system due to a closed laptop lid. This + should give USB docking stations and similar enough time to + be probed and configured after system resume and boot in + order to then act as suspend blocker. + + * systemd-run gained a new --property= setting which allows + initialization of resource control properties (and others) + for the created scope or service unit. Example: "systemd-run + --property=BlockIOWeight=10 updatedb" may be used to run + updatedb at a low block IO scheduling weight. + + * systemd-run's --uid=, --gid=, --setenv=, --setenv= switches + now also work in --scope mode. + + * When systemd is compiled with kdbus support, basic support + for enforced policies is now in place. (Note that enabling + kdbus still voids your warranty and no API compatibility + promises are made.) + + Contributions from: Andrey Borzenkov, Ansgar Burchardt, Armin + K., Daniel Mack, Dave Reisner, David Herrmann, Djalal Harouni, + Harald Hoyer, Henrik Grindal Bakken, Jasper St. Pierre, Kay + Sievers, Kieran Clancy, Lennart Poettering, Lukas Nykryn, + Mantas Mikulėnas, Marcel Holtmann, Mark Oteiza, Martin Pitt, + Mike Gilbert, Peter Rajnoha, poma, Samuli Suominen, Stef + Walter, Susant Sahani, Tero Roponen, Thomas Andersen, Thomas + Bächler, Thomas Hindoe Paaboel Andersen, Tomasz Torcz, Tom + Gundersen, Umut Tezduyar Lindskog, Uoti Urpala, Zachary Cook, + Zbigniew Jędrzejewski-Szmek + + — Berlin, 2014-03-12 + +CHANGES WITH 210: + + * systemd will now relabel /dev after loading the SMACK policy + according to SMACK rules. + + * A new unit file option AppArmorProfile= has been added to + set the AppArmor profile for the processes of a unit. + + * A new condition check ConditionArchitecture= has been added + to conditionalize units based on the system architecture, as + reported by uname()'s "machine" field. + + * systemd-networkd now supports matching on the system + virtualization, architecture, kernel command line, hostname + and machine ID. + + * logind is now a lot more aggressive when suspending the + machine due to a closed laptop lid. Instead of acting only + on the lid close action, it will continuously watch the lid + status and act on it. This is useful for laptops where the + power button is on the outside of the chassis so that it can + be reached without opening the lid (such as the Lenovo + Yoga). On those machines, logind will now immediately + re-suspend the machine if the power button has been + accidentally pressed while the laptop was suspended and in a + backpack or similar. + + * logind will now watch SW_DOCK switches and inhibit reaction + to the lid switch if it is pressed. This means that logind + will not suspend the machine anymore if the lid is closed + and the system is docked, if the laptop supports SW_DOCK + notifications via the input layer. Note that ACPI docking + stations do not generate this currently. Also note that this + logic is usually not fully sufficient and Desktop + Environments should take a lid switch inhibitor lock when an + external display is connected, as systemd will not watch + this on its own. + + * nspawn will now make use of the devices cgroup controller by + default, and only permit creation of and access to the usual + API device nodes like /dev/null or /dev/random, as well as + access to (but not creation of) the pty devices. + + * We will now ship a default .network file for + systemd-networkd that automatically configures DHCP for + network interfaces created by nspawn's --network-veth or + --network-bridge= switches. + + * systemd will now understand the usual M, K, G, T suffixes + according to SI conventions (i.e. to the base 1000) when + referring to throughput and hardware metrics. It will stay + with IEC conventions (i.e. to the base 1024) for software + metrics, according to what is customary according to + Wikipedia. We explicitly document which base applies for + each configuration option. + + * The DeviceAllow= setting in unit files now supports a syntax to + allow-list an entire group of devices node majors at once, based on + the /proc/devices listing. For example, with the string "char-pts", + it is now possible to allow-list all current and future pseudo-TTYs + at once. + + * sd-event learned a new "post" event source. Event sources of + this type are triggered by the dispatching of any event + source of a type that is not "post". This is useful for + implementing clean-up and check event sources that are + triggered by other work being done in the program. + + * systemd-networkd is no longer statically enabled, but uses + the usual [Install] sections so that it can be + enabled/disabled using systemctl. It still is enabled by + default however. + + * When creating a veth interface pair with systemd-nspawn, the + host side will now be prefixed with "vb-" if + --network-bridge= is used, and with "ve-" if --network-veth + is used. This way, it is easy to distinguish these cases on + the host, for example to apply different configuration to + them with systemd-networkd. + + * The compatibility libraries for libsystemd-journal.so, + libsystem-id128.so, libsystemd-login.so and + libsystemd-daemon.so do not make use of IFUNC + anymore. Instead, we now build libsystemd.so multiple times + under these alternative names. This means that the footprint + is drastically increased, but given that these are + transitional compatibility libraries, this should not matter + much. This change has been made necessary to support the ARM + platform for these compatibility libraries, as the ARM + toolchain is not really at the same level as the toolchain + for other architectures like x86 and does not support + IFUNC. Please make sure to use --enable-compat-libs only + during a transitional period! + + * The .include syntax has been deprecated and is not documented + anymore. Drop-in files in .d directories should be used instead. + + Contributions from: Andreas Fuchs, Armin K., Colin Walters, + Daniel Mack, Dave Reisner, David Herrmann, Djalal Harouni, + Holger Schurig, Jason A. Donenfeld, Jason St. John, Jasper + St. Pierre, Kay Sievers, Lennart Poettering, Łukasz Stelmach, + Marcel Holtmann, Michael Scherer, Michal Sekletar, Mike + Gilbert, Samuli Suominen, Thomas Bächler, Thomas Hindoe + Paaboel Andersen, Tom Gundersen, Umut Tezduyar Lindskog, + Zbigniew Jędrzejewski-Szmek + + — Berlin, 2014-02-24 + +CHANGES WITH 209: + + * A new component "systemd-networkd" has been added that can + be used to configure local network interfaces statically or + via DHCP. It is capable of bringing up bridges, VLANs, and + bonding. Currently, no hook-ups for interactive network + configuration are provided. Use this for your initrd, + container, embedded, or server setup if you need a simple, + yet powerful, network configuration solution. This + configuration subsystem is quite nifty, as it allows wildcard + hotplug matching in interfaces. For example, with a single + configuration snippet, you can configure that all Ethernet + interfaces showing up are automatically added to a bridge, + or similar. It supports link-sensing and more. + + * A new tool "systemd-socket-proxyd" has been added which can + act as a bidirectional proxy for TCP sockets. This is + useful for adding socket activation support to services that + do not actually support socket activation, including virtual + machines and the like. + + * Add a new tool to save/restore rfkill state on + shutdown/boot. + + * Save/restore state of keyboard backlights in addition to + display backlights on shutdown/boot. + + * udev learned a new SECLABEL{} construct to label device + nodes with a specific security label when they appear. For + now, only SECLABEL{selinux} is supported, but the syntax is + prepared for additional security frameworks. + + * udev gained a new scheme to configure link-level attributes + from files in /etc/systemd/network/*.link. These files can + match against MAC address, device path, driver name and type, + and will apply attributes like the naming policy, link speed, + MTU, duplex settings, Wake-on-LAN settings, MAC address, MAC + address assignment policy (randomized, ...). + + * The configuration of network interface naming rules for + "permanent interface names" has changed: a new NamePolicy= + setting in the [Link] section of .link files determines the + priority of possible naming schemes (onboard, slot, MAC, + path). The default value of this setting is determined by + /usr/lib/net/links/99-default.link. Old + 80-net-name-slot.rules udev configuration file has been + removed, so local configuration overriding this file should + be adapted to override 99-default.link instead. + + * When the User= switch is used in a unit file, also + initialize $SHELL= based on the user database entry. + + * systemd no longer depends on libdbus. All communication is + now done with sd-bus, systemd's low-level bus library + implementation. + + * kdbus support has been added to PID 1 itself. When kdbus is + enabled, this causes PID 1 to set up the system bus and + enable support for a new ".busname" unit type that + encapsulates bus name activation on kdbus. It works a little + bit like ".socket" units, except for bus names. A new + generator has been added that converts classic dbus1 service + activation files automatically into native systemd .busname + and .service units. + + * sd-bus: add a light-weight vtable implementation that allows + defining objects on the bus with a simple static const + vtable array of its methods, signals and properties. + + * systemd will not generate or install static dbus + introspection data anymore to /usr/share/dbus-1/interfaces, + as the precise format of these files is unclear, and + nothing makes use of it. + + * A proxy daemon is now provided to proxy clients connecting + via classic D-Bus AF_UNIX sockets to kdbus, to provide full + compatibility with classic D-Bus. + + * A bus driver implementation has been added that supports the + classic D-Bus bus driver calls on kdbus, also for + compatibility purposes. + + * A new API "sd-event.h" has been added that implements a + minimal event loop API built around epoll. It provides a + couple of features that direct epoll usage is lacking: + prioritization of events, scales to large numbers of timer + events, per-event timer slack (accuracy), system-wide + coalescing of timer events, exit handlers, watchdog + supervision support using systemd's sd_notify() API, child + process handling. + + * A new API "sd-rntl.h" has been added that provides an API + around the route netlink interface of the kernel, similar in + style to "sd-bus.h". + + * A new API "sd-dhcp-client.h" has been added that provides a + small DHCPv4 client-side implementation. This is used by + "systemd-networkd". + + * There is a new kernel command line option + "systemd.restore_state=0|1". When set to "0", none of the + systemd tools will restore saved runtime state to hardware + devices. More specifically, the rfkill and backlight states + are not restored. + + * The FsckPassNo= compatibility option in mount/service units + has been removed. The fstab generator will now add the + necessary dependencies automatically, and does not require + PID1's support for that anymore. + + * journalctl gained a new switch, --list-boots, that lists + recent boots with their times and boot IDs. + + * The various tools like systemctl, loginctl, timedatectl, + busctl, systemd-run, ... have gained a new switch "-M" to + connect to a specific, local OS container (as direct + connection, without requiring SSH). This works on any + container that is registered with machined, such as those + created by libvirt-lxc or nspawn. + + * systemd-run and systemd-analyze also gained support for "-H" + to connect to remote hosts via SSH. This is particularly + useful for systemd-run because it enables queuing of jobs + onto remote systems. + + * machinectl gained a new command "login" to open a getty + login in any local container. This works with any container + that is registered with machined (such as those created by + libvirt-lxc or nspawn), and which runs systemd inside. + + * machinectl gained a new "reboot" command that may be used to + trigger a reboot on a specific container that is registered + with machined. This works on any container that runs an init + system of some kind. + + * systemctl gained a new "list-timers" command to print a nice + listing of installed timer units with the times they elapse + next. + + * Alternative reboot() parameters may now be specified on the + "systemctl reboot" command line and are passed to the + reboot() system call. + + * systemctl gained a new --job-mode= switch to configure the + mode to queue a job with. This is a more generic version of + --fail, --irreversible, and --ignore-dependencies, which are + still available but not advertised anymore. + + * /etc/systemd/system.conf gained new settings to configure + various default timeouts of units, as well as the default + start limit interval and burst. These may still be overridden + within each Unit. + + * PID1 will now export on the bus profile data of the security + policy upload process (such as the SELinux policy upload to + the kernel). + + * journald: when forwarding logs to the console, include + timestamps (following the setting in + /sys/module/printk/parameters/time). + + * OnCalendar= in timer units now understands the special + strings "yearly" and "annually". (Both are equivalent) + + * The accuracy of timer units is now configurable with the new + AccuracySec= setting. It defaults to 1min. + + * A new dependency type JoinsNamespaceOf= has been added that + allows running two services within the same /tmp and network + namespace, if PrivateNetwork= or PrivateTmp= are used. + + * A new command "cat" has been added to systemctl. It outputs + the original unit file of a unit, and concatenates the + contents of additional "drop-in" unit file snippets, so that + the full configuration is shown. + + * systemctl now supports globbing on the various "list-xyz" + commands, like "list-units" or "list-sockets", as well as on + those commands which take multiple unit names. + + * journalctl's --unit= switch gained support for globbing. + + * All systemd daemons now make use of the watchdog logic so + that systemd automatically notices when they hang. + + * If the $container_ttys environment variable is set, + getty-generator will automatically spawn a getty for each + listed tty. This is useful for container managers to request + login gettys to be spawned on as many ttys as needed. + + * %h, %s, %U specifier support is not available anymore when + used in unit files for PID 1. This is because NSS calls are + not safe from PID 1. They stay available for --user + instances of systemd, and as special case for the root user. + + * loginctl gained a new "--no-legend" switch to turn off output + of the legend text. + + * The "sd-login.h" API gained three new calls: + sd_session_is_remote(), sd_session_get_remote_user(), + sd_session_get_remote_host() to query information about + remote sessions. + + * The udev hardware database now also carries vendor/product + information of SDIO devices. + + * The "sd-daemon.h" API gained a new sd_watchdog_enabled() to + determine whether watchdog notifications are requested by + the system manager. + + * Socket-activated per-connection services now include a + short description of the connection parameters in the + description. + + * tmpfiles gained a new "--boot" option. When this is not used, + only lines where the command character is not suffixed with + "!" are executed. When this option is specified, those + options are executed too. This partitions tmpfiles + directives into those that can be safely executed at any + time, and those which should be run only at boot (for + example, a line that creates /run/nologin). + + * A new API "sd-resolve.h" has been added which provides a simple + asynchronous wrapper around glibc NSS hostname resolution + calls, such as getaddrinfo(). In contrast to glibc's + getaddrinfo_a(), it does not use signals. In contrast to most + other asynchronous name resolution libraries, this one does + not reimplement DNS, but reuses NSS, so that alternate + hostname resolution systems continue to work, such as mDNS, + LDAP, etc. This API is based on libasyncns, but it has been + cleaned up for inclusion in systemd. + + * The APIs "sd-journal.h", "sd-login.h", "sd-id128.h", + "sd-daemon.h" are no longer found in individual libraries + libsystemd-journal.so, libsystemd-login.so, + libsystemd-id128.so, libsystemd-daemon.so. Instead, we have + merged them into a single library, libsystemd.so, which + provides all symbols. The reason for this is cyclic + dependencies, as these libraries tend to use each other's + symbols. So far, we have managed to workaround that by linking + a copy of a good part of our code into each of these + libraries again and again, which, however, makes certain + things hard to do, like sharing static variables. Also, it + substantially increases footprint. With this change, there + is only one library for the basic APIs systemd + provides. Also, "sd-bus.h", "sd-memfd.h", "sd-event.h", + "sd-rtnl.h", "sd-resolve.h", "sd-utf8.h" are found in this + library as well, however are subject to the --enable-kdbus + switch (see below). Note that "sd-dhcp-client.h" is not part + of this library (this is because it only consumes, never + provides, services of/to other APIs). To make the transition + easy from the separate libraries to the unified one, we + provide the --enable-compat-libs compile-time switch which + will generate stub libraries that are compatible with the + old ones but redirect all calls to the new one. + + * All of the kdbus logic and the new APIs "sd-bus.h", + "sd-memfd.h", "sd-event.h", "sd-rtnl.h", "sd-resolve.h", + and "sd-utf8.h" are compile-time optional via the + "--enable-kdbus" switch, and they are not compiled in by + default. To make use of kdbus, you have to explicitly enable + the switch. Note however, that neither the kernel nor the + userspace API for all of this is considered stable yet. We + want to maintain the freedom to still change the APIs for + now. By specifying this build-time switch, you acknowledge + that you are aware of the instability of the current + APIs. + + * Also, note that while kdbus is pretty much complete, + it lacks one thing: proper policy support. This means you + can build a fully working system with all features; however, + it will be highly insecure. Policy support will be added in + one of the next releases, at the same time that we will + declare the APIs stable. + + * When the kernel command line argument "kdbus" is specified, + systemd will automatically load the kdbus.ko kernel module. At + this stage of development, it is only useful for testing kdbus + and should not be used in production. Note: if "--enable-kdbus" + is specified, and the kdbus.ko kernel module is available, and + "kdbus" is added to the kernel command line, the entire system + runs with kdbus instead of dbus-daemon, with the above mentioned + problem of missing the system policy enforcement. Also a future + version of kdbus.ko or a newer systemd will not be compatible with + each other, and will unlikely be able to boot the machine if only + one of them is updated. + + * systemctl gained a new "import-environment" command which + uploads the caller's environment (or parts thereof) into the + service manager so that it is inherited by services started + by the manager. This is useful to upload variables like + $DISPLAY into the user service manager. + + * A new PrivateDevices= switch has been added to service units + which allows running a service with a namespaced /dev + directory that does not contain any device nodes for + physical devices. More specifically, it only includes devices + such as /dev/null, /dev/urandom, and /dev/zero which are API + entry points. + + * logind has been extended to support behaviour like VT + switching on seats that do not support a VT. This makes + multi-session available on seats that are not the first seat + (seat0), and on systems where kernel support for VTs has + been disabled at compile-time. + + * If a process holds a delay lock for system sleep or shutdown + and fails to release it in time, we will now log its + identity. This makes it easier to identify processes that + cause slow suspends or power-offs. + + * When parsing /etc/crypttab, support for a new key-slot= + option as supported by Debian is added. It allows indicating + which LUKS slot to use on disk, speeding up key loading. + + * The sd_journal_sendv() API call has been checked and + officially declared to be async-signal-safe so that it may + be invoked from signal handlers for logging purposes. + + * Boot-time status output is now enabled automatically after a + short timeout if boot does not progress, in order to give + the user an indication what she or he is waiting for. + + * The boot-time output has been improved to show how much time + remains until jobs expire. + + * The KillMode= switch in service units gained a new possible + value "mixed". If set, and the unit is shut down, then the + initial SIGTERM signal is sent only to the main daemon + process, while the following SIGKILL signal is sent to + all remaining processes of the service. + + * When a scope unit is registered, a new property "Controller" + may be set. If set to a valid bus name, systemd will send a + RequestStop() signal to this name when it would like to shut + down the scope. This may be used to hook manager logic into + the shutdown logic of scope units. Also, scope units may now + be put in a special "abandoned" state, in which case the + manager process which created them takes no further + responsibilities for it. + + * When reading unit files, systemd will now verify + the access mode of these files, and warn about certain + suspicious combinations. This has been added to make it + easier to track down packaging bugs where unit files are + marked executable or world-writable. + + * systemd-nspawn gained a new "--setenv=" switch to set + container-wide environment variables. The similar option in + systemd-activate was renamed from "--environment=" to + "--setenv=" for consistency. + + * systemd-nspawn has been updated to create a new kdbus domain + for each container that is invoked, thus allowing each + container to have its own set of system and user buses, + independent of the host. + + * systemd-nspawn gained a new --drop-capability= switch to run + the container with less capabilities than the default. Both + --drop-capability= and --capability= now take the special + string "all" for dropping or keeping all capabilities. + + * systemd-nspawn gained new switches for executing containers + with specific SELinux labels set. + + * systemd-nspawn gained a new --quiet switch to not generate + any additional output but the container's own console + output. + + * systemd-nspawn gained a new --share-system switch to run a + container without PID namespacing enabled. + + * systemd-nspawn gained a new --register= switch to control + whether the container is registered with systemd-machined or + not. This is useful for containers that do not run full + OS images, but only specific apps. + + * systemd-nspawn gained a new --keep-unit which may be used + when invoked as the only program from a service unit, and + results in registration of the unit service itself in + systemd-machined, instead of a newly opened scope unit. + + * systemd-nspawn gained a new --network-interface= switch for + moving arbitrary interfaces to the container. The new + --network-veth switch creates a virtual Ethernet connection + between host and container. The new --network-bridge= + switch then allows assigning the host side of this virtual + Ethernet connection to a bridge device. + + * systemd-nspawn gained a new --personality= switch for + setting the kernel personality for the container. This is + useful when running a 32-bit container on a 64-bit host. A + similar option Personality= is now also available for service + units to use. + + * logind will now also track a "Desktop" identifier for each + session which encodes the desktop environment of it. This is + useful for desktop environments that want to identify + multiple running sessions of itself easily. + + * A new SELinuxContext= setting for service units has been + added that allows setting a specific SELinux execution + context for a service. + + * Most systemd client tools will now honour $SYSTEMD_LESS for + settings of the "less" pager. By default, these tools will + override $LESS to allow certain operations to work, such as + jump-to-the-end. With $SYSTEMD_LESS, it is possible to + influence this logic. + + * systemd's "seccomp" hook-up has been changed to make use of + the libseccomp library instead of using its own + implementation. This has benefits for portability among + other things. + + * For usage together with SystemCallFilter=, a new + SystemCallErrorNumber= setting has been introduced that + allows configuration of a system error number to be returned + on filtered system calls, instead of immediately killing the + process. Also, SystemCallArchitectures= has been added to + limit access to system calls of a particular architecture + (in order to turn off support for unused secondary + architectures). There is also a global + SystemCallArchitectures= setting in system.conf now to turn + off support for non-native system calls system-wide. + + * systemd requires a kernel with a working name_to_handle_at(), + please see the kernel config requirements in the README file. + + Contributions from: Adam Williamson, Alex Jia, Anatol Pomozov, + Ansgar Burchardt, AppleBloom, Auke Kok, Bastien Nocera, + Chengwei Yang, Christian Seiler, Colin Guthrie, Colin Walters, + Cristian Rodríguez, Daniel Buch, Daniele Medri, Daniel J + Walsh, Daniel Mack, Dan McGee, Dave Reisner, David Coppa, + David Herrmann, David Strauss, Djalal Harouni, Dmitry Pisklov, + Elia Pinto, Florian Weimer, George McCollister, Goffredo + Baroncelli, Greg Kroah-Hartman, Hendrik Brueckner, Igor + Zhbanov, Jan Engelhardt, Jan Janssen, Jason A. Donenfeld, + Jason St. John, Jasper St. Pierre, Jóhann B. Guðmundsson, Jose + Ignacio Naranjo, Karel Zak, Kay Sievers, Kristian Høgsberg, + Lennart Poettering, Lubomir Rintel, Lukas Nykryn, Lukasz + Skalski, Łukasz Stelmach, Luke Shumaker, Mantas Mikulėnas, + Marc-Antoine Perennou, Marcel Holtmann, Marcos Felipe Rasia de + Mello, Marko Myllynen, Martin Pitt, Matthew Monaco, Michael + Marineau, Michael Scherer, Michał Górny, Michal Sekletar, + Michele Curti, Oleksii Shevchuk, Olivier Brunel, Patrik Flykt, + Pavel Holica, Raudi, Richard Marko, Ronny Chevalier, Sébastien + Luttringer, Sergey Ptashnick, Shawn Landden, Simon Peeters, + Stefan Beller, Susant Sahani, Sylvain Plantefeve, Sylvia Else, + Tero Roponen, Thomas Bächler, Thomas Hindoe Paaboel Andersen, + Tom Gundersen, Umut Tezduyar Lindskog, Unai Uribarri, Václav + Pavlín, Vincent Batts, WaLyong Cho, William Giokas, Yang + Zhiyong, Yin Kangkai, Yuxuan Shui, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2014-02-20 + +CHANGES WITH 208: + + * logind has gained support for facilitating privileged input + and drm device access for unprivileged clients. This work is + useful to allow Wayland display servers (and similar + programs, such as kmscon) to run under the user's ID and + access input and drm devices which are normally + protected. When this is used (and the kernel is new enough) + logind will "mute" IO on the file descriptors passed to + Wayland as long as it is in the background and "unmute" it + if it returns into the foreground. This allows secure + session switching without allowing background sessions to + eavesdrop on input and display data. This also introduces + session switching support if VT support is turned off in the + kernel, and on seats that are not seat0. + + * A new kernel command line option luks.options= is understood + now which allows specifying LUKS options for usage for LUKS + encrypted partitions specified with luks.uuid=. + + * tmpfiles.d(5) snippets may now use specifier expansion in + path names. More specifically %m, %b, %H, %v, are now + replaced by the local machine id, boot id, hostname, and + kernel version number. + + * A new tmpfiles.d(5) command "m" has been introduced which + may be used to change the owner/group/access mode of a file + or directory if it exists, but do nothing if it does not. + + * This release removes high-level support for the + MemorySoftLimit= cgroup setting. The underlying kernel + cgroup attribute memory.soft_limit= is currently badly + designed and likely to be removed from the kernel API in its + current form, hence we should not expose it for now. + + * The memory.use_hierarchy cgroup attribute is now enabled for + all cgroups systemd creates in the memory cgroup + hierarchy. This option is likely to be come the built-in + default in the kernel anyway, and the non-hierarchical mode + never made much sense in the intrinsically hierarchical + cgroup system. + + * A new field _SYSTEMD_SLICE= is logged along with all journal + messages containing the slice a message was generated + from. This is useful to allow easy per-customer filtering of + logs among other things. + + * systemd-journald will no longer adjust the group of journal + files it creates to the "systemd-journal" group. Instead we + rely on the journal directory to be owned by the + "systemd-journal" group, and its setgid bit set, so that the + kernel file system layer will automatically enforce that + journal files inherit this group assignment. The reason for + this change is that we cannot allow NSS look-ups from + journald which would be necessary to resolve + "systemd-journal" to a numeric GID, because this might + create deadlocks if NSS involves synchronous queries to + other daemons (such as nscd, or sssd) which in turn are + logging clients of journald and might block on it, which + would then dead lock. A tmpfiles.d(5) snippet included in + systemd will make sure the setgid bit and group are + properly set on the journal directory if it exists on every + boot. However, we recommend adjusting it manually after + upgrades too (or from RPM scriptlets), so that the change is + not delayed until next reboot. + + * Backlight and random seed files in /var/lib/ have moved into + the /var/lib/systemd/ directory, in order to centralize all + systemd generated files in one directory. + + * Boot time performance measurements (as displayed by + "systemd-analyze" for example) will now read ACPI 5.0 FPDT + performance information if that's available to determine how + much time BIOS and boot loader initialization required. With + a sufficiently new BIOS you hence no longer need to boot + with Gummiboot to get access to such information. + + Contributions from: Andrey Borzenkov, Chen Jie, Colin Walters, + Cristian Rodríguez, Dave Reisner, David Herrmann, David + Mackey, David Strauss, Eelco Dolstra, Evan Callicoat, Gao + feng, Harald Hoyer, Jimmie Tauriainen, Kay Sievers, Lennart + Poettering, Lukas Nykryn, Mantas Mikulėnas, Martin Pitt, + Michael Scherer, Michał Górny, Mike Gilbert, Patrick McCarty, + Sebastian Ott, Tom Gundersen, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2013-10-02 + +CHANGES WITH 207: + + * The Restart= option for services now understands a new + on-watchdog setting, which will restart the service + automatically if the service stops sending out watchdog keep + alive messages (as configured with WatchdogSec=). + + * The getty generator (which is responsible for bringing up a + getty on configured serial consoles) will no longer only + start a getty on the primary kernel console but on all + others, too. This makes the order in which console= is + specified on the kernel command line less important. + + * libsystemd-logind gained a new sd_session_get_vt() call to + retrieve the VT number of a session. + + * If the option "tries=0" is set for an entry of /etc/crypttab + its passphrase is queried indefinitely instead of any + maximum number of tries. + + * If a service with a configure PID file terminates its PID + file will now be removed automatically if it still exists + afterwards. This should put an end to stale PID files. + + * systemd-run will now also take relative binary path names + for execution and no longer insists on absolute paths. + + * InaccessibleDirectories= and ReadOnlyDirectories= now take + paths that are optionally prefixed with "-" to indicate that + it should not be considered a failure if they do not exist. + + * journalctl -o (and similar commands) now understands a new + output mode "short-precise", it is similar to "short" but + shows timestamps with usec accuracy. + + * The option "discard" (as known from Debian) is now + synonymous to "allow-discards" in /etc/crypttab. In fact, + "discard" is preferred now (since it is easier to remember + and type). + + * Some licensing clean-ups were made, so that more code is now + LGPL-2.1 licensed than before. + + * A minimal tool to save/restore the display backlight + brightness across reboots has been added. It will store the + backlight setting as late as possible at shutdown, and + restore it as early as possible during reboot. + + * A logic to automatically discover and enable home and swap + partitions on GPT disks has been added. With this in place + /etc/fstab becomes optional for many setups as systemd can + discover certain partitions located on the root disk + automatically. Home partitions are recognized under their + GPT type ID 933ac7e12eb44f13b8440e14e2aef915. Swap + partitions are recognized under their GPT type ID + 0657fd6da4ab43c484e50933c84b4f4f. + + * systemd will no longer pass any environment from the kernel + or initrd to system services. If you want to set an + environment for all services, do so via the kernel command + line systemd.setenv= assignment. + + * The systemd-sysctl tool no longer natively reads the file + /etc/sysctl.conf. If desired, the file should be symlinked + from /etc/sysctl.d/99-sysctl.conf. Apart from providing + legacy support by a symlink rather than built-in code, it + also makes the otherwise hidden order of application of the + different files visible. (Note that this partly reverts to a + pre-198 application order of sysctl knobs!) + + * The "systemctl set-log-level" and "systemctl dump" commands + have been moved to systemd-analyze. + + * systemd-run learned the new --remain-after-exit switch, + which causes the scope unit not to be cleaned up + automatically after the process terminated. + + * tmpfiles learned a new --exclude-prefix= switch to exclude + certain paths from operation. + + * journald will now automatically flush all messages to disk + as soon as a message at the log level CRIT, ALERT or EMERG + is received. + + Contributions from: Andrew Cook, Brandon Philips, Christian + Hesse, Christoph Junghans, Colin Walters, Daniel Schaal, + Daniel Wallace, Dave Reisner, David Herrmann, Gao feng, George + McCollister, Giovanni Campagna, Hannes Reinecke, Harald Hoyer, + Herczeg Zsolt, Holger Hans Peter Freyther, Jan Engelhardt, + Jesper Larsen, Kay Sievers, Khem Raj, Lennart Poettering, + Lukas Nykryn, Maciej Wereski, Mantas Mikulėnas, Marcel + Holtmann, Martin Pitt, Michael Biebl, Michael Marineau, + Michael Scherer, Michael Stapelberg, Michal Sekletar, Michał + Górny, Olivier Brunel, Ondrej Balaz, Ronny Chevalier, Shawn + Landden, Steven Hiscocks, Thomas Bächler, Thomas Hindoe + Paaboel Andersen, Tom Gundersen, Umut Tezduyar, WANG Chao, + William Giokas, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2013-09-13 + +CHANGES WITH 206: + + * The documentation has been updated to cover the various new + concepts introduced with 205. + + * Unit files now understand the new %v specifier which + resolves to the kernel version string as returned by "uname + -r". + + * systemctl now supports filtering the unit list output by + load state, active state and sub state, using the new + --state= parameter. + + * "systemctl status" will now show the results of the + condition checks (like ConditionPathExists= and similar) of + the last start attempts of the unit. They are also logged to + the journal. + + * "journalctl -b" may now be used to look for boot output of a + specific boot. Try "journalctl -b -1" for the previous boot, + but the syntax is substantially more powerful. + + * "journalctl --show-cursor" has been added which prints the + cursor string the last shown log line. This may then be used + with the new "journalctl --after-cursor=" switch to continue + browsing logs from that point on. + + * "journalctl --force" may now be used to force regeneration + of an FSS key. + + * Creation of "dead" device nodes has been moved from udev + into kmod and tmpfiles. Previously, udev would read the kmod + databases to pre-generate dead device nodes based on meta + information contained in kernel modules, so that these would + be auto-loaded on access rather then at boot. As this + does not really have much to do with the exposing actual + kernel devices to userspace this has always been slightly + alien in the udev codebase. Following the new scheme kmod + will now generate a runtime snippet for tmpfiles from the + module meta information and it now is tmpfiles' job to the + create the nodes. This also allows overriding access and + other parameters for the nodes using the usual tmpfiles + facilities. As side effect this allows us to remove the + CAP_SYS_MKNOD capability bit from udevd entirely. + + * logind's device ACLs may now be applied to these "dead" + devices nodes too, thus finally allowing managed access to + devices such as /dev/snd/sequencer without loading the + backing module right-away. + + * A new RPM macro has been added that may be used to apply + tmpfiles configuration during package installation. + + * systemd-detect-virt and ConditionVirtualization= now can + detect User-Mode-Linux machines (UML). + + * journald will now implicitly log the effective capabilities + set of processes in the message metadata. + + * systemd-cryptsetup has gained support for TrueCrypt volumes. + + * The initrd interface has been simplified (more specifically, + support for passing performance data via environment + variables and fsck results via files in /run has been + removed). These features were non-essential, and are + nowadays available in a much nicer way by having systemd in + the initrd serialize its state and have the hosts systemd + deserialize it again. + + * The udev "keymap" data files and tools to apply keyboard + specific mappings of scan to key codes, and force-release + scan code lists have been entirely replaced by a udev + "keyboard" builtin and a hwdb data file. + + * systemd will now honour the kernel's "quiet" command line + argument also during late shutdown, resulting in a + completely silent shutdown when used. + + * There's now an option to control the SO_REUSEPORT socket + option in .socket units. + + * Instance units will now automatically get a per-template + subslice of system.slice unless something else is explicitly + configured. For example, instances of sshd@.service will now + implicitly be placed in system-sshd.slice rather than + system.slice as before. + + * Test coverage support may now be enabled at build time. + + Contributions from: Dave Reisner, Frederic Crozat, Harald + Hoyer, Holger Hans Peter Freyther, Jan Engelhardt, Jan + Janssen, Jason St. John, Jesper Larsen, Kay Sievers, Lennart + Poettering, Lukas Nykryn, Maciej Wereski, Martin Pitt, Michael + Olbrich, Ramkumar Ramachandra, Ross Lagerwall, Shawn Landden, + Thomas H.P. Andersen, Tom Gundersen, Tomasz Torcz, William + Giokas, Zbigniew Jędrzejewski-Szmek + + — Berlin, 2013-07-23 + +CHANGES WITH 205: + + * Two new unit types have been introduced: + + Scope units are very similar to service units, however, are + created out of pre-existing processes — instead of PID 1 + forking off the processes. By using scope units it is + possible for system services and applications to group their + own child processes (worker processes) in a powerful way + which then maybe used to organize them, or kill them + together, or apply resource limits on them. + + Slice units may be used to partition system resources in an + hierarchical fashion and then assign other units to them. By + default there are now three slices: system.slice (for all + system services), user.slice (for all user sessions), + machine.slice (for VMs and containers). + + Slices and scopes have been introduced primarily in + context of the work to move cgroup handling to a + single-writer scheme, where only PID 1 + creates/removes/manages cgroups. + + * There's a new concept of "transient" units. In contrast to + normal units these units are created via an API at runtime, + not from configuration from disk. More specifically this + means it is now possible to run arbitrary programs as + independent services, with all execution parameters passed + in via bus APIs rather than read from disk. Transient units + make systemd substantially more dynamic then it ever was, + and useful as a general batch manager. + + * logind has been updated to make use of scope and slice units + for managing user sessions. As a user logs in he will get + his own private slice unit, to which all sessions are added + as scope units. We also added support for automatically + adding an instance of user@.service for the user into the + slice. Effectively logind will no longer create cgroup + hierarchies on its own now, it will defer entirely to PID 1 + for this by means of scope, service and slice units. Since + user sessions this way become entities managed by PID 1 + the output of "systemctl" is now a lot more comprehensive. + + * A new mini-daemon "systemd-machined" has been added which + may be used by virtualization managers to register local + VMs/containers. nspawn has been updated accordingly, and + libvirt will be updated shortly. machined will collect a bit + of meta information about the VMs/containers, and assign + them their own scope unit (see above). The collected + meta-data is then made available via the "machinectl" tool, + and exposed in "ps" and similar tools. machined/machinectl + is compile-time optional. + + * As discussed earlier, the low-level cgroup configuration + options ControlGroup=, ControlGroupModify=, + ControlGroupPersistent=, ControlGroupAttribute= have been + removed. Please use high-level attribute settings instead as + well as slice units. + + * A new bus call SetUnitProperties() has been added to alter + various runtime parameters of a unit. This is primarily + useful to alter cgroup parameters dynamically in a nice way, + but will be extended later on to make more properties + modifiable at runtime. systemctl gained a new set-properties + command that wraps this call. + + * A new tool "systemd-run" has been added which can be used to + run arbitrary command lines as transient services or scopes, + while configuring a number of settings via the command + line. This tool is currently very basic, however already + very useful. We plan to extend this tool to even allow + queuing of execution jobs with time triggers from the + command line, similar in fashion to "at". + + * nspawn will now inform the user explicitly that kernels with + audit enabled break containers, and suggest the user to turn + off audit. + + * Support for detecting the IMA and AppArmor security + frameworks with ConditionSecurity= has been added. + + * journalctl gained a new "-k" switch for showing only kernel + messages, mimicking dmesg output; in addition to "--user" + and "--system" switches for showing only user's own logs + and system logs. + + * systemd-delta can now show information about drop-in + snippets extending unit files. + + * libsystemd-bus has been substantially updated but is still + not available as public API. + + * systemd will now look for the "debug" argument on the kernel + command line and enable debug logging, similar to what + "systemd.log_level=debug" already did before. + + * "systemctl set-default", "systemctl get-default" has been + added to configure the default.target symlink, which + controls what to boot into by default. + + * "systemctl set-log-level" has been added as a convenient + way to raise and lower systemd logging threshold. + + * "systemd-analyze plot" will now show the time the various + generators needed for execution, as well as information + about the unit file loading. + + * libsystemd-journal gained a new sd_journal_open_files() call + for opening specific journal files. journactl also gained a + new switch to expose this new functionality. Previously we + only supported opening all files from a directory, or all + files from the system, as opening individual files only is + racy due to journal file rotation. + + * systemd gained the new DefaultEnvironment= setting in + /etc/systemd/system.conf to set environment variables for + all services. + + * If a privileged process logs a journal message with the + OBJECT_PID= field set, then journald will automatically + augment this with additional OBJECT_UID=, OBJECT_GID=, + OBJECT_COMM=, OBJECT_EXE=, ... fields. This is useful if + system services want to log events about specific client + processes. journactl/systemctl has been updated to make use + of this information if all log messages regarding a specific + unit is requested. + + Contributions from: Auke Kok, Chengwei Yang, Colin Walters, + Cristian Rodríguez, Daniel Albers, Daniel Wallace, Dave + Reisner, David Coppa, David King, David Strauss, Eelco + Dolstra, Gabriel de Perthuis, Harald Hoyer, Jan Alexander + Steffens, Jan Engelhardt, Jan Janssen, Jason St. John, Johan + Heikkilä, Karel Zak, Karol Lewandowski, Kay Sievers, Lennart + Poettering, Lukas Nykryn, Mantas Mikulėnas, Marius Vollmer, + Martin Pitt, Michael Biebl, Michael Olbrich, Michael Tremer, + Michal Schmidt, Michał Bartoszkiewicz, Nirbheek Chauhan, + Pierre Neidhardt, Ross Burton, Ross Lagerwall, Sean McGovern, + Thomas Hindoe Paaboel Andersen, Tom Gundersen, Umut Tezduyar, + Václav Pavlín, Zachary Cook, Zbigniew Jędrzejewski-Szmek, + Łukasz Stelmach, 장동준 + +CHANGES WITH 204: + + * The Python bindings gained some minimal support for the APIs + exposed by libsystemd-logind. + + * ConditionSecurity= gained support for detecting SMACK. Since + this condition already supports SELinux and AppArmor we only + miss IMA for this. Patches welcome! + + Contributions from: Karol Lewandowski, Lennart Poettering, + Zbigniew Jędrzejewski-Szmek + +CHANGES WITH 203: + + * systemd-nspawn will now create /etc/resolv.conf if + necessary, before bind-mounting the host's file onto it. + + * systemd-nspawn will now store meta information about a + container on the container's cgroup as extended attribute + fields, including the root directory. + + * The cgroup hierarchy has been reworked in many ways. All + objects any of the components systemd creates in the cgroup + tree are now suffixed. More specifically, user sessions are + now placed in cgroups suffixed with ".session", users in + cgroups suffixed with ".user", and nspawn containers in + cgroups suffixed with ".nspawn". Furthermore, all cgroup + names are now escaped in a simple scheme to avoid collision + of userspace object names with kernel filenames. This work + is preparation for making these objects relocatable in the + cgroup tree, in order to allow easy resource partitioning of + these objects without causing naming conflicts. + + * systemctl list-dependencies gained the new switches + --plain, --reverse, --after and --before. + + * systemd-inhibit now shows the process name of processes that + have taken an inhibitor lock. + + * nss-myhostname will now also resolve "localhost" + implicitly. This makes /etc/hosts an optional file and + nicely handles that on IPv6 ::1 maps to both "localhost" and + the local hostname. + + * libsystemd-logind.so gained a new call + sd_get_machine_names() to enumerate running containers and + VMs (currently only supported by very new libvirt and + nspawn). sd_login_monitor can now be used to watch + VMs/containers coming and going. + + * .include is not allowed recursively anymore, and only in + unit files. Usually it is better to use drop-in snippets in + .d/*.conf anyway, as introduced with systemd 198. + + * systemd-analyze gained a new "critical-chain" command that + determines the slowest chain of units run during system + boot-up. It is very useful for tracking down where + optimizing boot time is the most beneficial. + + * systemd will no longer allow manipulating service paths in + the name=systemd:/system cgroup tree using ControlGroup= in + units. (But is still fine with it in all other dirs.) + + * There's a new systemd-nspawn@.service service file that may + be used to easily run nspawn containers as system + services. With the container's root directory in + /var/lib/container/foobar it is now sufficient to run + "systemctl start systemd-nspawn@foobar.service" to boot it. + + * systemd-cgls gained a new parameter "--machine" to list only + the processes within a certain container. + + * ConditionSecurity= now can check for "apparmor". We still + are lacking checks for SMACK and IMA for this condition + check though. Patches welcome! + + * A new configuration file /etc/systemd/sleep.conf has been + added that may be used to configure which kernel operation + systemd is supposed to execute when "suspend", "hibernate" + or "hybrid-sleep" is requested. This makes the new kernel + "freeze" state accessible to the user. + + * ENV{SYSTEMD_WANTS} in udev rules will now implicitly escape + the passed argument if applicable. + + Contributions from: Auke Kok, Colin Guthrie, Colin Walters, + Cristian Rodríguez, Daniel Buch, Daniel Wallace, Dave Reisner, + Evangelos Foutras, Greg Kroah-Hartman, Harald Hoyer, Josh + Triplett, Kay Sievers, Lennart Poettering, Lukas Nykryn, + MUNEDA Takahiro, Mantas Mikulėnas, Mirco Tischler, Nathaniel + Chen, Nirbheek Chauhan, Ronny Chevalier, Ross Lagerwall, Tom + Gundersen, Umut Tezduyar, Ville Skyttä, Zbigniew + Jędrzejewski-Szmek + +CHANGES WITH 202: + + * The output of 'systemctl list-jobs' got some polishing. The + '--type=' argument may now be passed more than once. A new + command 'systemctl list-sockets' has been added which shows + a list of kernel sockets systemd is listening on with the + socket units they belong to, plus the units these socket + units activate. + + * The experimental libsystemd-bus library got substantial + updates to work in conjunction with the (also experimental) + kdbus kernel project. It works well enough to exchange + messages with some sophistication. Note that kdbus is not + ready yet, and the library is mostly an elaborate test case + for now, and not installable. + + * systemd gained a new unit 'systemd-static-nodes.service' + that generates static device nodes earlier during boot, and + can run in conjunction with udev. + + * libsystemd-login gained a new call sd_pid_get_user_unit() + to retrieve the user systemd unit a process is running + in. This is useful for systems where systemd is used as + session manager. + + * systemd-nspawn now places all containers in the new /machine + top-level cgroup directory in the name=systemd + hierarchy. libvirt will soon do the same, so that we get a + uniform separation of /system, /user and /machine for system + services, user processes and containers/virtual + machines. This new cgroup hierarchy is also useful to stick + stable names to specific container instances, which can be + recognized later this way (this name may be controlled + via systemd-nspawn's new -M switch). libsystemd-login also + gained a new call sd_pid_get_machine_name() to retrieve the + name of the container/VM a specific process belongs to. + + * bootchart can now store its data in the journal. + + * libsystemd-journal gained a new call + sd_journal_add_conjunction() for AND expressions to the + matching logic. This can be used to express more complex + logical expressions. + + * journactl can now take multiple --unit= and --user-unit= + switches. + + * The cryptsetup logic now understands the "luks.key=" kernel + command line switch for specifying a file to read the + decryption key from. Also, if a configured key file is not + found the tool will now automatically fall back to prompting + the user. + + * Python systemd.journal module was updated to wrap recently + added functions from libsystemd-journal. The interface was + changed to bring the low level interface in s.j._Reader + closer to the C API, and the high level interface in + s.j.Reader was updated to wrap and convert all data about + an entry. + + Contributions from: Anatol Pomozov, Auke Kok, Harald Hoyer, + Henrik Grindal Bakken, Josh Triplett, Kay Sievers, Lennart + Poettering, Lukas Nykryn, Mantas Mikulėnas Marius Vollmer, + Martin Jansa, Martin Pitt, Michael Biebl, Michal Schmidt, + Mirco Tischler, Pali Rohar, Simon Peeters, Steven Hiscocks, + Tom Gundersen, Zbigniew Jędrzejewski-Szmek + +CHANGES WITH 201: + + * journalctl --update-catalog now understands a new --root= + option to operate on catalogs found in a different root + directory. + + * During shutdown after systemd has terminated all running + services a final killing loop kills all remaining left-over + processes. We will now print the name of these processes + when we send SIGKILL to them, since this usually indicates a + problem. + + * If /etc/crypttab refers to password files stored on + configured mount points automatic dependencies will now be + generated to ensure the specific mount is established first + before the key file is attempted to be read. + + * 'systemctl status' will now show information about the + network sockets a socket unit is listening on. + + * 'systemctl status' will also shown information about any + drop-in configuration file for units. (Drop-In configuration + files in this context are files such as + /etc/systemd/systemd/foobar.service.d/*.conf) + + * systemd-cgtop now optionally shows summed up CPU times of + cgroups. Press '%' while running cgtop to switch between + percentage and absolute mode. This is useful to determine + which cgroups use up the most CPU time over the entire + runtime of the system. systemd-cgtop has also been updated + to be 'pipeable' for processing with further shell tools. + + * 'hostnamectl set-hostname' will now allow setting of FQDN + hostnames. + + * The formatting and parsing of time span values has been + changed. The parser now understands fractional expressions + such as "5.5h". The formatter will now output fractional + expressions for all time spans under 1min, i.e. "5.123456s" + rather than "5s 123ms 456us". For time spans under 1s + millisecond values are shown, for those under 1ms + microsecond values are shown. This should greatly improve + all time-related output of systemd. + + * libsystemd-login and libsystemd-journal gained new + functions for querying the poll() events mask and poll() + timeout value for integration into arbitrary event + loops. + + * localectl gained the ability to list available X11 keymaps + (models, layouts, variants, options). + + * 'systemd-analyze dot' gained the ability to filter for + specific units via shell-style globs, to create smaller, + more useful graphs. I.e. it is now possible to create simple + graphs of all the dependencies between only target units, or + of all units that Avahi has dependencies with. + + Contributions from: Cristian Rodríguez, Dr. Tilmann Bubeck, + Harald Hoyer, Holger Hans Peter Freyther, Kay Sievers, Kelly + Anderson, Koen Kooi, Lennart Poettering, Maksim Melnikau, + Marc-Antoine Perennou, Marius Vollmer, Martin Pitt, Michal + Schmidt, Oleksii Shevchuk, Ronny Chevalier, Simon McVittie, + Steven Hiscocks, Thomas Weißschuh, Umut Tezduyar, Václav + Pavlín, Zbigniew Jędrzejewski-Szmek, Łukasz Stelmach + +CHANGES WITH 200: + + * The boot-time readahead implementation for rotating media + will now read the read-ahead data in multiple passes which + consist of all read requests made in equidistant time + intervals. This means instead of strictly reading read-ahead + data in its physical order on disk we now try to find a + middle ground between physical and access time order. + + * /etc/os-release files gained a new BUILD_ID= field for usage + on operating systems that provide continuous builds of OS + images. + + Contributions from: Auke Kok, Eelco Dolstra, Kay Sievers, + Lennart Poettering, Lukas Nykryn, Martin Pitt, Václav Pavlín + William Douglas, Zbigniew Jędrzejewski-Szmek + +CHANGES WITH 199: + + * systemd-python gained an API exposing libsystemd-daemon. + + * The SMACK setup logic gained support for uploading CIPSO + security policy. + + * Behaviour of PrivateTmp=, ReadWriteDirectories=, + ReadOnlyDirectories= and InaccessibleDirectories= has + changed. The private /tmp and /var/tmp directories are now + shared by all processes of a service (which means + ExecStartPre= may now leave data in /tmp that ExecStart= of + the same service can still access). When a service is + stopped its temporary directories are immediately deleted + (normal clean-up with tmpfiles is still done in addition to + this though). + + * By default, systemd will now set a couple of sysctl + variables in the kernel: the safe sysrq options are turned + on, IP route verification is turned on, and source routing + disabled. The recently added hardlink and softlink + protection of the kernel is turned on. These settings should + be reasonably safe, and good defaults for all new systems. + + * The predictable network naming logic may now be turned off + with a new kernel command line switch: net.ifnames=0. + + * A new libsystemd-bus module has been added that implements a + pretty complete D-Bus client library. For details see: + + https://lists.freedesktop.org/archives/systemd-devel/2013-March/009797.html + + * journald will now explicitly flush the journal files to disk + at the latest 5min after each write. The file will then also + be marked offline until the next write. This should increase + reliability in case of a crash. The synchronization delay + can be configured via SyncIntervalSec= in journald.conf. + + * There's a new remote-fs-setup.target unit that can be used + to pull in specific services when at least one remote file + system is to be mounted. + + * There are new targets timers.target and paths.target as + canonical targets to pull user timer and path units in + from. This complements sockets.target with a similar + purpose for socket units. + + * libudev gained a new call udev_device_set_attribute_value() + to set sysfs attributes of a device. + + * The udev daemon now sets the default number of worker + processes executed in parallel based on the number of available + CPUs instead of the amount of available RAM. This is supposed + to provide a more reliable default and limit a too aggressive + parallelism for setups with 1000s of devices connected. + + Contributions from: Auke Kok, Colin Walters, Cristian + Rodríguez, Daniel Buch, Dave Reisner, Frederic Crozat, Hannes + Reinecke, Harald Hoyer, Jan Alexander Steffens, Jan + Engelhardt, Josh Triplett, Kay Sievers, Lennart Poettering, + Mantas Mikulėnas, Martin Pitt, Mathieu Bridon, Michael Biebl, + Michal Schmidt, Michal Sekletar, Miklos Vajna, Nathaniel Chen, + Oleksii Shevchuk, Ozan Çağlayan, Thomas Hindoe Paaboel + Andersen, Tollef Fog Heen, Tom Gundersen, Umut Tezduyar, + Zbigniew Jędrzejewski-Szmek + +CHANGES WITH 198: + + * Configuration of unit files may now be extended via drop-in + files without having to edit/override the unit files + themselves. More specifically, if the administrator wants to + change one value for a service file foobar.service he can + now do so by dropping in a configuration snippet into + /etc/systemd/system/foobar.service.d/*.conf. The unit logic + will load all these snippets and apply them on top of the + main unit configuration file, possibly extending or + overriding its settings. Using these drop-in snippets is + generally nicer than the two earlier options for changing + unit files locally: copying the files from + /usr/lib/systemd/system/ to /etc/systemd/system/ and editing + them there; or creating a new file in /etc/systemd/system/ + that incorporates the original one via ".include". Drop-in + snippets into these .d/ directories can be placed in any + directory systemd looks for units in, and the usual + overriding semantics between /usr/lib, /etc and /run apply + for them too. + + * Most unit file settings which take lists of items can now be + reset by assigning the empty string to them. For example, + normally, settings such as Environment=FOO=BAR append a new + environment variable assignment to the environment block, + each time they are used. By assigning Environment= the empty + string the environment block can be reset to empty. This is + particularly useful with the .d/*.conf drop-in snippets + mentioned above, since this adds the ability to reset list + settings from vendor unit files via these drop-ins. + + * systemctl gained a new "list-dependencies" command for + listing the dependencies of a unit recursively. + + * Inhibitors are now honored and listed by "systemctl + suspend", "systemctl poweroff" (and similar) too, not only + GNOME. These commands will also list active sessions by + other users. + + * Resource limits (as exposed by the various control group + controllers) can now be controlled dynamically at runtime + for all units. More specifically, you can now use a command + like "systemctl set-cgroup-attr foobar.service cpu.shares + 2000" to alter the CPU shares a specific service gets. These + settings are stored persistently on disk, and thus allow the + administrator to easily adjust the resource usage of + services with a few simple commands. This dynamic resource + management logic is also available to other programs via the + bus. Almost any kernel cgroup attribute and controller is + supported. + + * systemd-vconsole-setup will now copy all font settings to + all allocated VTs, where it previously applied them only to + the foreground VT. + + * libsystemd-login gained the new sd_session_get_tty() API + call. + + * This release drops support for a few legacy or + distribution-specific LSB facility names when parsing init + scripts: $x-display-manager, $mail-transfer-agent, + $mail-transport-agent, $mail-transfer-agent, $smtp, + $null. Also, the mail-transfer-agent.target unit backing + this has been removed. Distributions which want to retain + compatibility with this should carry the burden for + supporting this themselves and patch support for these back + in, if they really need to. Also, the facilities $syslog and + $local_fs are now ignored, since systemd does not support + early-boot LSB init scripts anymore, and these facilities + are implied anyway for normal services. syslog.target has + also been removed. + + * There are new bus calls on PID1's Manager object for + cancelling jobs, and removing snapshot units. Previously, + both calls were only available on the Job and Snapshot + objects themselves. + + * systemd-journal-gatewayd gained SSL support. + + * The various "environment" files, such as /etc/locale.conf + now support continuation lines with a backslash ("\") as + last character in the line, similarly in style (but different) + to how this is supported in shells. + + * For normal user processes the _SYSTEMD_USER_UNIT= field is + now implicitly appended to every log entry logged. systemctl + has been updated to filter by this field when operating on a + user systemd instance. + + * nspawn will now implicitly add the CAP_AUDIT_WRITE and + CAP_AUDIT_CONTROL capabilities to the capabilities set for + the container. This makes it easier to boot unmodified + Fedora systems in a container, which however still requires + audit=0 to be passed on the kernel command line. Auditing in + kernel and userspace is unfortunately still too broken in + context of containers, hence we recommend compiling it out + of the kernel or using audit=0. Hopefully this will be fixed + one day for good in the kernel. + + * nspawn gained the new --bind= and --bind-ro= parameters to + bind mount specific directories from the host into the + container. + + * nspawn will now mount its own devpts file system instance + into the container, in order not to leak pty devices from + the host into the container. + + * systemd will now read the firmware boot time performance + information from the EFI variables, if the used boot loader + supports this, and takes it into account for boot performance + analysis via "systemd-analyze". This is currently supported + only in conjunction with Gummiboot, but could be supported + by other boot loaders too. For details see: + + https://www.freedesktop.org/wiki/Software/systemd/BootLoaderInterface + + * A new generator has been added that automatically mounts the + EFI System Partition (ESP) to /boot, if that directory + exists, is empty, and no other file system has been + configured to be mounted there. + + * logind will now send out PrepareForSleep(false) out + unconditionally, after coming back from suspend. This may be + used by applications as asynchronous notification for + system resume events. + + * "systemctl unlock-sessions" has been added, that allows + unlocking the screens of all user sessions at once, similar + to how "systemctl lock-sessions" already locked all users + sessions. This is backed by a new D-Bus call UnlockSessions(). + + * "loginctl seat-status" will now show the master device of a + seat. (i.e. the device of a seat that needs to be around for + the seat to be considered available, usually the graphics + card). + + * tmpfiles gained a new "X" line type, that allows + configuration of files and directories (with wildcards) that + shall be excluded from automatic cleanup ("aging"). + + * udev default rules set the device node permissions now only + at "add" events, and do not change them any longer with a + later "change" event. + + * The log messages for lid events and power/sleep keypresses + now carry a message ID. + + * We now have a substantially larger unit test suite, but this + continues to be work in progress. + + * udevadm hwdb gained a new --root= parameter to change the + root directory to operate relative to. + + * logind will now issue a background sync() request to the kernel + early at shutdown, so that dirty buffers are flushed to disk early + instead of at the last moment, in order to optimize shutdown + times a little. + + * A new bootctl tool has been added that is an interface for + certain boot loader operations. This is currently a preview + and is likely to be extended into a small mechanism daemon + like timedated, localed, hostnamed, and can be used by + graphical UIs to enumerate available boot options, and + request boot into firmware operations. + + * systemd-bootchart has been relicensed to LGPLv2.1+ to match + the rest of the package. It also has been updated to work + correctly in initrds. + + * polkit previously has been runtime optional, and is now also + compile time optional via a configure switch. + + * systemd-analyze has been reimplemented in C. Also "systemctl + dot" has moved into systemd-analyze. + + * "systemctl status" with no further parameters will now print + the status of all active or failed units. + + * Operations such as "systemctl start" can now be executed + with a new mode "--irreversible" which may be used to queue + operations that cannot accidentally be reversed by a later + job queuing. This is by default used to make shutdown + requests more robust. + + * The Python API of systemd now gained a new module for + reading journal files. + + * A new tool kernel-install has been added that can install + kernel images according to the Boot Loader Specification: + + https://www.freedesktop.org/wiki/Specifications/BootLoaderSpec + + * Boot time console output has been improved to provide + animated boot time output for hanging jobs. + + * A new tool systemd-activate has been added which can be used + to test socket activation with, directly from the command + line. This should make it much easier to test and debug + socket activation in daemons. + + * journalctl gained a new "--reverse" (or -r) option to show + journal output in reverse order (i.e. newest line first). + + * journalctl gained a new "--pager-end" (or -e) option to jump + to immediately jump to the end of the journal in the + pager. This is only supported in conjunction with "less". + + * journalctl gained a new "--user-unit=" option, that works + similarly to "--unit=" but filters for user units rather than + system units. + + * A number of unit files to ease adoption of systemd in + initrds has been added. This moves some minimal logic from + the various initrd implementations into systemd proper. + + * The journal files are now owned by a new group + "systemd-journal", which exists specifically to allow access + to the journal, and nothing else. Previously, we used the + "adm" group for that, which however possibly covers more + than just journal/log file access. This new group is now + already used by systemd-journal-gatewayd to ensure this + daemon gets access to the journal files and as little else + as possible. Note that "make install" will also set FS ACLs + up for /var/log/journal to give "adm" and "wheel" read + access to it, in addition to "systemd-journal" which owns + the journal files. We recommend that packaging scripts also + add read access to "adm" + "wheel" to /var/log/journal, and + all existing/future journal files. To normal users and + administrators little changes, however packagers need to + ensure to create the "systemd-journal" system group at + package installation time. + + * The systemd-journal-gatewayd now runs as unprivileged user + systemd-journal-gateway:systemd-journal-gateway. Packaging + scripts need to create these system user/group at + installation time. + + * timedated now exposes a new boolean property CanNTP that + indicates whether a local NTP service is available or not. + + * systemd-detect-virt will now also detect xen PVs + + * The pstore file system is now mounted by default, if it is + available. + + * In addition to the SELinux and IMA policies we will now also + load SMACK policies at early boot. + + Contributions from: Adel Gadllah, Aleksander Morgado, Auke + Kok, Ayan George, Bastien Nocera, Colin Walters, Daniel Buch, + Daniel Wallace, Dave Reisner, David Herrmann, David Strauss, + Eelco Dolstra, Enrico Scholz, Frederic Crozat, Harald Hoyer, + Jan Janssen, Jonathan Callen, Kay Sievers, Lennart Poettering, + Lukas Nykryn, Mantas Mikulėnas, Marc-Antoine Perennou, Martin + Pitt, Mauro Dreissig, Max F. Albrecht, Michael Biebl, Michael + Olbrich, Michal Schmidt, Michal Sekletar, Michal Vyskocil, + Michał Bartoszkiewicz, Mirco Tischler, Nathaniel Chen, Nestor + Ovroy, Oleksii Shevchuk, Paul W. Frields, Piotr Drąg, Rob + Clark, Ryan Lortie, Simon McVittie, Simon Peeters, Steven + Hiscocks, Thomas Hindoe Paaboel Andersen, Tollef Fog Heen, Tom + Gundersen, Umut Tezduyar, William Giokas, Zbigniew + Jędrzejewski-Szmek, Zeeshan Ali (Khattak) + +CHANGES WITH 197: + + * Timer units now support calendar time events in addition to + monotonic time events. That means you can now trigger a unit + based on a calendar time specification such as "Thu,Fri + 2013-*-1,5 11:12:13" which refers to 11:12:13 of the first + or fifth day of any month of the year 2013, given that it is + a thursday or friday. This brings timer event support + considerably closer to cron's capabilities. For details on + the supported calendar time specification language see + systemd.time(7). + + * udev now supports a number of different naming policies for + network interfaces for predictable names, and a combination + of these policies is now the default. Please see this wiki + document for details: + + https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames + + * Auke Kok's bootchart implementation has been added to the + systemd tree. It is an optional component that can graph the + boot in quite some detail. It is one of the best bootchart + implementations around and minimal in its code and + dependencies. + + * nss-myhostname has been integrated into the systemd source + tree. nss-myhostname guarantees that the local hostname + always stays resolvable via NSS. It has been a weak + requirement of systemd-hostnamed since a long time, and + since its code is actually trivial we decided to just + include it in systemd's source tree. It can be turned off + with a configure switch. + + * The read-ahead logic is now capable of properly detecting + whether a btrfs file system is on SSD or rotating media, in + order to optimize the read-ahead scheme. Previously, it was + only capable of detecting this on traditional file systems + such as ext4. + + * In udev, additional device properties are now read from the + IAB in addition to the OUI database. Also, Bluetooth company + identities are attached to the devices as well. + + * In service files %U may be used as specifier that is + replaced by the configured user name of the service. + + * nspawn may now be invoked without a controlling TTY. This + makes it suitable for invocation as its own service. This + may be used to set up a simple containerized server system + using only core OS tools. + + * systemd and nspawn can now accept socket file descriptors + when they are started for socket activation. This enables + implementation of socket activated nspawn + containers. i.e. think about autospawning an entire OS image + when the first SSH or HTTP connection is received. We expect + that similar functionality will also be added to libvirt-lxc + eventually. + + * journalctl will now suppress ANSI color codes when + presenting log data. + + * systemctl will no longer show control group information for + a unit if the control group is empty anyway. + + * logind can now automatically suspend/hibernate/shutdown the + system on idle. + + * /etc/machine-info and hostnamed now also expose the chassis + type of the system. This can be used to determine whether + the local system is a laptop, desktop, handset or + tablet. This information may either be configured by the + user/vendor or is automatically determined from ACPI and DMI + information if possible. + + * A number of polkit actions are now bound together with "imply" + rules. This should simplify creating UIs because many actions + will now authenticate similar ones as well. + + * Unit files learnt a new condition ConditionACPower= which + may be used to conditionalize a unit depending on whether an + AC power source is connected or not, of whether the system + is running on battery power. + + * systemctl gained a new "is-failed" verb that may be used in + shell scripts and suchlike to check whether a specific unit + is in the "failed" state. + + * The EnvironmentFile= setting in unit files now supports file + globbing, and can hence be used to easily read a number of + environment files at once. + + * systemd will no longer detect and recognize specific + distributions. All distribution-specific #ifdeffery has been + removed, systemd is now fully generic and + distribution-agnostic. Effectively, not too much is lost as + a lot of the code is still accessible via explicit configure + switches. However, support for some distribution specific + legacy configuration file formats has been dropped. We + recommend distributions to simply adopt the configuration + files everybody else uses now and convert the old + configuration from packaging scripts. Most distributions + already did that. If that's not possible or desirable, + distributions are welcome to forward port the specific + pieces of code locally from the git history. + + * When logging a message about a unit systemd will now always + log the unit name in the message meta data. + + * localectl will now also discover system locale data that is + not stored in locale archives, but directly unpacked. + + * logind will no longer unconditionally use framebuffer + devices as seat masters, i.e. as devices that are required + to be existing before a seat is considered preset. Instead, + it will now look for all devices that are tagged as + "seat-master" in udev. By default, framebuffer devices will + be marked as such, but depending on local systems, other + devices might be marked as well. This may be used to + integrate graphics cards using closed source drivers (such + as NVidia ones) more nicely into logind. Note however, that + we recommend using the open source NVidia drivers instead, + and no udev rules for the closed-source drivers will be + shipped from us upstream. + + Contributions from: Adam Williamson, Alessandro Crismani, Auke + Kok, Colin Walters, Daniel Wallace, Dave Reisner, David + Herrmann, David Strauss, Dimitrios Apostolou, Eelco Dolstra, + Eric Benoit, Giovanni Campagna, Hannes Reinecke, Henrik + Grindal Bakken, Hermann Gausterer, Kay Sievers, Lennart + Poettering, Lukas Nykryn, Mantas Mikulėnas, Marcel Holtmann, + Martin Pitt, Matthew Monaco, Michael Biebl, Michael Terry, + Michal Schmidt, Michal Sekletar, Michał Bartoszkiewicz, Oleg + Samarin, Pekka Lundstrom, Philip Nilsson, Ramkumar + Ramachandra, Richard Yao, Robert Millan, Sami Kerola, Shawn + Landden, Thomas Hindoe Paaboel Andersen, Thomas Jarosch, + Tollef Fog Heen, Tom Gundersen, Umut Tezduyar, Zbigniew + Jędrzejewski-Szmek + +CHANGES WITH 196: + + * udev gained support for loading additional device properties + from an indexed database that is keyed by vendor/product IDs + and similar device identifiers. For the beginning this + "hwdb" is populated with data from the well-known PCI and + USB database, but also includes PNP, ACPI and OID data. In + the longer run this indexed database shall grow into + becoming the one central database for non-essential + userspace device metadata. Previously, data from the PCI/USB + database was only attached to select devices, since the + lookup was a relatively expensive operation due to O(n) time + complexity (with n being the number of entries in the + database). Since this is now O(1), we decided to add in this + data for all devices where this is available, by + default. Note that the indexed database needs to be rebuilt + when new data files are installed. To achieve this you need + to update your packaging scripts to invoke "udevadm hwdb + --update" after installation of hwdb data files. For + RPM-based distributions we introduced the new + %udev_hwdb_update macro for this purpose. + + * The Journal gained support for the "Message Catalog", an + indexed database to link up additional information with + journal entries. For further details please check: + + https://www.freedesktop.org/wiki/Software/systemd/catalog + + The indexed message catalog database also needs to be + rebuilt after installation of message catalog files. Use + "journalctl --update-catalog" for this. For RPM-based + distributions we introduced the %journal_catalog_update + macro for this purpose. + + * The Python Journal bindings gained support for the standard + Python logging framework. + + * The Journal API gained new functions for checking whether + the underlying file system of a journal file is capable of + properly reporting file change notifications, or whether + applications that want to reflect journal changes "live" + need to recheck journal files continuously in appropriate + time intervals. + + * It is now possible to set the "age" field for tmpfiles + entries to 0, indicating that files matching this entry + shall always be removed when the directories are cleaned up. + + * coredumpctl gained a new "gdb" verb which invokes gdb + right-away on the selected coredump. + + * There's now support for "hybrid sleep" on kernels that + support this, in addition to "suspend" and "hibernate". Use + "systemctl hybrid-sleep" to make use of this. + + * logind's HandleSuspendKey= setting (and related settings) + now gained support for a new "lock" setting to simply + request the screen lock on all local sessions, instead of + actually executing a suspend or hibernation. + + * systemd will now mount the EFI variables file system by + default. + + * Socket units now gained support for configuration of the + SMACK security label. + + * timedatectl will now output the time of the last and next + daylight saving change. + + * We dropped support for various legacy and distro-specific + concepts, such as insserv, early-boot SysV services + (i.e. those for non-standard runlevels such as 'b' or 'S') + or ArchLinux /etc/rc.conf support. We recommend the + distributions who still need support this to either continue + to maintain the necessary patches downstream, or find a + different solution. (Talk to us if you have questions!) + + * Various systemd components will now bypass polkit checks for + root and otherwise handle properly if polkit is not found to + be around. This should fix most issues for polkit-less + systems. Quite frankly this should have been this way since + day one. It is absolutely our intention to make systemd work + fine on polkit-less systems, and we consider it a bug if + something does not work as it should if polkit is not around. + + * For embedded systems it is now possible to build udev and + systemd without blkid and/or kmod support. + + * "systemctl switch-root" is now capable of switching root + more than once. I.e. in addition to transitions from the + initrd to the host OS it is now possible to transition to + further OS images from the host. This is useful to implement + offline updating tools. + + * Various other additions have been made to the RPM macros + shipped with systemd. Use %udev_rules_update() after + installing new udev rules files. %_udevhwdbdir, + %_udevrulesdir, %_journalcatalogdir, %_tmpfilesdir, + %_sysctldir are now available which resolve to the right + directories for packages to place various data files in. + + * journalctl gained the new --full switch (in addition to + --all, to disable ellipsation for long messages. + + Contributions from: Anders Olofsson, Auke Kok, Ben Boeckel, + Colin Walters, Cosimo Cecchi, Daniel Wallace, Dave Reisner, + Eelco Dolstra, Holger Hans Peter Freyther, Kay Sievers, + Chun-Yi Lee, Lekensteyn, Lennart Poettering, Mantas Mikulėnas, + Marti Raudsepp, Martin Pitt, Mauro Dreissig, Michael Biebl, + Michal Schmidt, Michal Sekletar, Miklos Vajna, Nis Martensen, + Oleksii Shevchuk, Olivier Brunel, Ramkumar Ramachandra, Thomas + Bächler, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Tony + Camuso, Umut Tezduyar, Zbigniew Jędrzejewski-Szmek + +CHANGES WITH 195: + + * journalctl gained new --since= and --until= switches to + filter by time. It also now supports nice filtering for + units via --unit=/-u. + + * Type=oneshot services may use ExecReload= and do the + right thing. + + * The journal daemon now supports time-based rotation and + vacuuming, in addition to the usual disk-space based + rotation. + + * The journal will now index the available field values for + each field name. This enables clients to show pretty drop + downs of available match values when filtering. The bash + completion of journalctl has been updated + accordingly. journalctl gained a new switch -F to list all + values a certain field takes in the journal database. + + * More service events are now written as structured messages + to the journal, and made recognizable via message IDs. + + * The timedated, localed and hostnamed mini-services which + previously only provided support for changing time, locale + and hostname settings from graphical DEs such as GNOME now + also have a minimal (but very useful) text-based client + utility each. This is probably the nicest way to changing + these settings from the command line now, especially since + it lists available options and is fully integrated with bash + completion. + + * There's now a new tool "systemd-coredumpctl" to list and + extract coredumps from the journal. + + * We now install a README each in /var/log/ and + /etc/rc.d/init.d explaining where the system logs and init + scripts went. This hopefully should help folks who go to + that dirs and look into the otherwise now empty void and + scratch their heads. + + * When user-services are invoked (by systemd --user) the + $MANAGERPID env var is set to the PID of systemd. + + * SIGRTMIN+24 when sent to a --user instance will now result + in immediate termination of systemd. + + * gatewayd received numerous feature additions such as a + "follow" mode, for live syncing and filtering. + + * browse.html now allows filtering and showing detailed + information on specific entries. Keyboard navigation and + mouse screen support has been added. + + * gatewayd/journalctl now supports HTML5/JSON + Server-Sent-Events as output. + + * The SysV init script compatibility logic will now + heuristically determine whether a script supports the + "reload" verb, and only then make this available as + "systemctl reload". + + * "systemctl status --follow" has been removed, use "journalctl + -u" instead. + + * journald.conf's RuntimeMinSize=, PersistentMinSize= settings + have been removed since they are hardly useful to be + configured. + + * And I'd like to take the opportunity to specifically mention + Zbigniew for his great contributions. Zbigniew, you rock! + + Contributions from: Andrew Eikum, Christian Hesse, Colin + Guthrie, Daniel J Walsh, Dave Reisner, Eelco Dolstra, Ferenc + Wágner, Kay Sievers, Lennart Poettering, Lukas Nykryn, Mantas + Mikulėnas, Martin Mikkelsen, Martin Pitt, Michael Olbrich, + Michael Stapelberg, Michal Schmidt, Sebastian Ott, Thomas + Bächler, Umut Tezduyar, Will Woods, Wulf C. Krueger, Zbigniew + Jędrzejewski-Szmek, Сковорода Никита Андреевич + +CHANGES WITH 194: + + * If /etc/vconsole.conf is non-existent or empty we will no + longer load any console font or key map at boot by + default. Instead the kernel defaults will be left + intact. This is definitely the right thing to do, as no + configuration should mean no configuration, and hard-coding + font names that are different on all archs is probably a bad + idea. Also, the kernel default key map and font should be + good enough for most cases anyway, and mostly identical to + the userspace fonts/key maps we previously overloaded them + with. If distributions want to continue to default to a + non-kernel font or key map they should ship a default + /etc/vconsole.conf with the appropriate contents. + + Contributions from: Colin Walters, Daniel J Walsh, Dave + Reisner, Kay Sievers, Lennart Poettering, Lukas Nykryn, Tollef + Fog Heen, Tom Gundersen, Zbigniew Jędrzejewski-Szmek + +CHANGES WITH 193: + + * journalctl gained a new --cursor= switch to show entries + starting from the specified location in the journal. + + * We now enforce a size limit on journal entry fields exported + with "-o json" in journalctl. Fields larger than 4K will be + assigned null. This can be turned off with --all. + + * An (optional) journal gateway daemon is now available as + "systemd-journal-gatewayd.service". This service provides + access to the journal via HTTP and JSON. This functionality + will be used to implement live log synchronization in both + pull and push modes, but has various other users too, such + as easy log access for debugging of embedded devices. Right + now it is already useful to retrieve the journal via HTTP: + + # systemctl start systemd-journal-gatewayd.service + # wget http://localhost:19531/entries + + This will download the journal contents in a + /var/log/messages compatible format. The same as JSON: + + # curl -H"Accept: application/json" http://localhost:19531/entries + + This service is also accessible via a web browser where a + single static HTML5 app is served that uses the JSON logic + to enable the user to do some basic browsing of the + journal. This will be extended later on. Here's an example + screenshot of this app in its current state: + + http://0pointer.de/public/journal-gatewayd + + Contributions from: Kay Sievers, Lennart Poettering, Robert + Milasan, Tom Gundersen + +CHANGES WITH 192: + + * The bash completion logic is now available for journalctl + too. + + * We do not mount the "cpuset" controller anymore together with + "cpu" and "cpuacct", as "cpuset" groups generally cannot be + started if no parameters are assigned to it. "cpuset" hence + broke code that assumed it could create "cpu" groups and + just start them. + + * journalctl -f will now subscribe to terminal size changes, + and line break accordingly. + + Contributions from: Dave Reisner, Kay Sievers, Lennart + Poettering, Lukas Nykrynm, Mirco Tischler, Václav Pavlín + +CHANGES WITH 191: + + * nspawn will now create a symlink /etc/localtime in the + container environment, copying the host's timezone + setting. Previously this has been done via a bind mount, but + since symlinks cannot be bind mounted this has now been + changed to create/update the appropriate symlink. + + * journalctl -n's line number argument is now optional, and + will default to 10 if omitted. + + * journald will now log the maximum size the journal files may + take up on disk. This is particularly useful if the default + built-in logic of determining this parameter from the file + system size is used. Use "systemctl status + systemd-journald.service" to see this information. + + * The multi-seat X wrapper tool has been stripped down. As X + is now capable of enumerating graphics devices via udev in a + seat-aware way the wrapper is not strictly necessary + anymore. A stripped down temporary stop-gap is still shipped + until the upstream display managers have been updated to + fully support the new X logic. Expect this wrapper to be + removed entirely in one of the next releases. + + * HandleSleepKey= in logind.conf has been split up into + HandleSuspendKey= and HandleHibernateKey=. The old setting + is not available anymore. X11 and the kernel are + distinguishing between these keys and we should too. This + also means the inhibition lock for these keys has been split + into two. + + Contributions from: Dave Airlie, Eelco Dolstra, Lennart + Poettering, Lukas Nykryn, Václav Pavlín + +CHANGES WITH 190: + + * Whenever a unit changes state we will now log this to the + journal and show along the unit's own log output in + "systemctl status". + + * ConditionPathIsMountPoint= can now properly detect bind + mount points too. (Previously, a bind mount of one file + system to another place in the same file system could not be + detected as mount, since they shared struct stat's st_dev + field.) + + * We will now mount the cgroup controllers cpu, cpuacct, + cpuset and the controllers net_cls, net_prio together by + default. + + * nspawn containers will now have a virtualized boot + ID. (i.e. /proc/sys/kernel/random/boot_id is now mounted + over with a randomized ID at container initialization). This + has the effect of making "journalctl -b" do the right thing + in a container. + + * The JSON output journal serialization has been updated not + to generate "endless" list objects anymore, but rather one + JSON object per line. This is more in line how most JSON + parsers expect JSON objects. The new output mode + "json-pretty" has been added to provide similar output, but + neatly aligned for readability by humans. + + * We dropped all explicit sync() invocations in the shutdown + code. The kernel does this implicitly anyway in the kernel + reboot() syscall. halt(8)'s -n option is now a compatibility + no-op. + + * We now support virtualized reboot() in containers, as + supported by newer kernels. We will fall back to exit() if + CAP_SYS_REBOOT is not available to the container. Also, + nspawn makes use of this now and will actually reboot the + container if the containerized OS asks for that. + + * journalctl will only show local log output by default + now. Use --merge (-m) to show remote log output, too. + + * libsystemd-journal gained the new sd_journal_get_usage() + call to determine the current disk usage of all journal + files. This is exposed in the new "journalctl --disk-usage" + command. + + * journald gained a new configuration setting SplitMode= in + journald.conf which may be used to control how user journals + are split off. See journald.conf(5) for details. + + * A new condition type ConditionFileNotEmpty= has been added. + + * tmpfiles' "w" lines now support file globbing, to write + multiple files at once. + + * We added Python bindings for the journal submission + APIs. More Python APIs for a number of selected APIs will + likely follow. Note that we intend to add native bindings + only for the Python language, as we consider it common + enough to deserve bindings shipped within systemd. There are + various projects outside of systemd that provide bindings + for languages such as PHP or Lua. + + * Many conditions will now resolve specifiers such as %i. In + addition, PathChanged= and related directives of .path units + now support specifiers as well. + + * There's now a new RPM macro definition for the system preset + dir: %_presetdir. + + * journald will now warn if it ca not forward a message to the + syslog daemon because its socket is full. + + * timedated will no longer write or process /etc/timezone, + except on Debian. As we do not support late mounted /usr + anymore /etc/localtime always being a symlink is now safe, + and hence the information in /etc/timezone is not necessary + anymore. + + * logind will now always reserve one VT for a text getty (VT6 + by default). Previously if more than 6 X sessions where + started they took up all the VTs with auto-spawned gettys, + so that no text gettys were available anymore. + + * udev will now automatically inform the btrfs kernel logic + about btrfs RAID components showing up. This should make + simple hotplug based btrfs RAID assembly work. + + * PID 1 will now increase its RLIMIT_NOFILE to 64K by default + (but not for its children which will stay at the kernel + default). This should allow setups with a lot more listening + sockets. + + * systemd will now always pass the configured timezone to the + kernel at boot. timedated will do the same when the timezone + is changed. + + * logind's inhibition logic has been updated. By default, + logind will now handle the lid switch, the power and sleep + keys all the time, even in graphical sessions. If DEs want + to handle these events on their own they should take the new + handle-power-key, handle-sleep-key and handle-lid-switch + inhibitors during their runtime. A simple way to achieve + that is to invoke the DE wrapped in an invocation of: + + systemd-inhibit --what=handle-power-key:handle-sleep-key:handle-lid-switch ... + + * Access to unit operations is now checked via SELinux taking + the unit file label and client process label into account. + + * systemd will now notify the administrator in the journal + when he over-mounts a non-empty directory. + + * There are new specifiers that are resolved in unit files, + for the hostname (%H), the machine ID (%m) and the boot ID + (%b). + + Contributions from: Allin Cottrell, Auke Kok, Brandon Philips, + Colin Guthrie, Colin Walters, Daniel J Walsh, Dave Reisner, + Eelco Dolstra, Jan Engelhardt, Kay Sievers, Lennart + Poettering, Lucas De Marchi, Lukas Nykryn, Mantas Mikulėnas, + Martin Pitt, Matthias Clasen, Michael Olbrich, Pierre Schmitz, + Shawn Landden, Thomas Hindoe Paaboel Andersen, Tom Gundersen, + Václav Pavlín, Yin Kangkai, Zbigniew Jędrzejewski-Szmek + +CHANGES WITH 189: + + * Support for reading structured kernel messages from + /dev/kmsg has now been added and is enabled by default. + + * Support for reading kernel messages from /proc/kmsg has now + been removed. If you want kernel messages in the journal + make sure to run a recent kernel (>= 3.5) that supports + reading structured messages from /dev/kmsg (see + above). /proc/kmsg is now exclusive property of classic + syslog daemons again. + + * The libudev API gained the new + udev_device_new_from_device_id() call. + + * The logic for file system namespace (ReadOnlyDirectory=, + ReadWriteDirectoy=, PrivateTmp=) has been reworked not to + require pivot_root() anymore. This means fewer temporary + directories are created below /tmp for this feature. + + * nspawn containers will now see and receive all submounts + made on the host OS below the root file system of the + container. + + * Forward Secure Sealing is now supported for Journal files, + which provide cryptographical sealing of journal files so + that attackers cannot alter log history anymore without this + being detectable. Lennart will soon post a blog story about + this explaining it in more detail. + + * There are two new service settings RestartPreventExitStatus= + and SuccessExitStatus= which allow configuration of exit + status (exit code or signal) which will be excepted from the + restart logic, resp. consider successful. + + * journalctl gained the new --verify switch that can be used + to check the integrity of the structure of journal files and + (if Forward Secure Sealing is enabled) the contents of + journal files. + + * nspawn containers will now be run with /dev/stdin, /dev/fd/ + and similar symlinks pre-created. This makes running shells + as container init process a lot more fun. + + * The fstab support can now handle PARTUUID= and PARTLABEL= + entries. + + * A new ConditionHost= condition has been added to match + against the hostname (with globs) and machine ID. This is + useful for clusters where a single OS image is used to + provision a large number of hosts which shall run slightly + different sets of services. + + * Services which hit the restart limit will now be placed in a + failure state. + + Contributions from: Bertram Poettering, Dave Reisner, Huang + Hang, Kay Sievers, Lennart Poettering, Lukas Nykryn, Martin + Pitt, Simon Peeters, Zbigniew Jędrzejewski-Szmek + +CHANGES WITH 188: + + * When running in --user mode systemd will now become a + subreaper (PR_SET_CHILD_SUBREAPER). This should make the ps + tree a lot more organized. + + * A new PartOf= unit dependency type has been introduced that + may be used to group services in a natural way. + + * "systemctl enable" may now be used to enable instances of + services. + + * journalctl now prints error log levels in red, and + warning/notice log levels in bright white. It also supports + filtering by log level now. + + * cgtop gained a new -n switch (similar to top), to configure + the maximum number of iterations to run for. It also gained + -b, to run in batch mode (accepting no input). + + * The suffix ".service" may now be omitted on most systemctl + command lines involving service unit names. + + * There's a new bus call in logind to lock all sessions, as + well as a loginctl verb for it "lock-sessions". + + * libsystemd-logind.so gained a new call sd_journal_perror() + that works similar to libc perror() but logs to the journal + and encodes structured information about the error number. + + * /etc/crypttab entries now understand the new keyfile-size= + option. + + * shutdown(8) now can send a (configurable) wall message when + a shutdown is cancelled. + + * The mount propagation mode for the root file system will now + default to "shared", which is useful to make containers work + nicely out-of-the-box so that they receive new mounts from + the host. This can be undone locally by running "mount + --make-rprivate /" if needed. + + * The prefdm.service file has been removed. Distributions + should maintain this unit downstream if they intend to keep + it around. However, we recommend writing normal unit files + for display managers instead. + + * Since systemd is a crucial part of the OS we will now + default to a number of compiler switches that improve + security (hardening) such as read-only relocations, stack + protection, and suchlike. + + * The TimeoutSec= setting for services is now split into + TimeoutStartSec= and TimeoutStopSec= to allow configuration + of individual time outs for the start and the stop phase of + the service. + + Contributions from: Artur Zaprzala, Arvydas Sidorenko, Auke + Kok, Bryan Kadzban, Dave Reisner, David Strauss, Harald Hoyer, + Jim Meyering, Kay Sievers, Lennart Poettering, Mantas + Mikulėnas, Martin Pitt, Michal Schmidt, Michal Sekletar, Peter + Alfredsen, Shawn Landden, Simon Peeters, Terence Honles, Tom + Gundersen, Zbigniew Jędrzejewski-Szmek + +CHANGES WITH 187: + + * The journal and id128 C APIs are now fully documented as man + pages. + + * Extra safety checks have been added when transitioning from + the initial RAM disk to the main system to avoid accidental + data loss. + + * /etc/crypttab entries now understand the new keyfile-offset= + option. + + * systemctl -t can now be used to filter by unit load state. + + * The journal C API gained the new sd_journal_wait() call to + make writing synchronous journal clients easier. + + * journalctl gained the new -D switch to show journals from a + specific directory. + + * journalctl now displays a special marker between log + messages of two different boots. + + * The journal is now explicitly flushed to /var via a service + systemd-journal-flush.service, rather than implicitly simply + by seeing /var/log/journal to be writable. + + * journalctl (and the journal C APIs) can now match for much + more complex expressions, with alternatives and + disjunctions. + + * When transitioning from the initial RAM disk to the main + system we will now kill all processes in a killing spree to + ensure no processes stay around by accident. + + * Three new specifiers may be used in unit files: %u, %h, %s + resolve to the user name, user home directory resp. user + shell. This is useful for running systemd user instances. + + * We now automatically rotate journal files if their data + object hash table gets a fill level > 75%. We also size the + hash table based on the configured maximum file size. This + together should lower hash collisions drastically and thus + speed things up a bit. + + * journalctl gained the new "--header" switch to introspect + header data of journal files. + + * A new setting SystemCallFilters= has been added to services which may + be used to apply deny lists or allow lists to system calls. This is + based on SECCOMP Mode 2 of Linux 3.5. + + * nspawn gained a new --link-journal= switch (and quicker: -j) + to link the container journal with the host. This makes it + very easy to centralize log viewing on the host for all + guests while still keeping the journal files separated. + + * Many bugfixes and optimizations + + Contributions from: Auke Kok, Eelco Dolstra, Harald Hoyer, Kay + Sievers, Lennart Poettering, Malte Starostik, Paul Menzel, Rex + Tsai, Shawn Landden, Tom Gundersen, Ville Skyttä, Zbigniew + Jędrzejewski-Szmek + +CHANGES WITH 186: + + * Several tools now understand kernel command line arguments, + which are only read when run in an initial RAM disk. They + usually follow closely their normal counterparts, but are + prefixed with rd. + + * There's a new tool to analyze the readahead files that are + automatically generated at boot. Use: + + /usr/lib/systemd/systemd-readahead analyze /.readahead + + * We now provide an early debug shell on tty9 if this enabled. Use: + + systemctl enable debug-shell.service + + * All plymouth related units have been moved into the Plymouth + package. Please make sure to upgrade your Plymouth version + as well. + + * systemd-tmpfiles now supports getting passed the basename of + a configuration file only, in which case it will look for it + in all appropriate directories automatically. + + * udevadm info now takes a /dev or /sys path as argument, and + does the right thing. Example: + + udevadm info /dev/sda + udevadm info /sys/class/block/sda + + * systemctl now prints a warning if a unit is stopped but a + unit that might trigger it continues to run. Example: a + service is stopped but the socket that activates it is left + running. + + * "systemctl status" will now mention if the log output was + shortened due to rotation since a service has been started. + + * The journal API now exposes functions to determine the + "cutoff" times due to rotation. + + * journald now understands SIGUSR1 and SIGUSR2 for triggering + immediately flushing of runtime logs to /var if possible, + resp. for triggering immediate rotation of the journal + files. + + * It is now considered an error if a service is attempted to + be stopped that is not loaded. + + * XDG_RUNTIME_DIR now uses numeric UIDs instead of usernames. + + * systemd-analyze now supports Python 3 + + * tmpfiles now supports cleaning up directories via aging + where the first level dirs are always kept around but + directories beneath it automatically aged. This is enabled + by prefixing the age field with '~'. + + * Seat objects now expose CanGraphical, CanTTY properties + which is required to deal with very fast bootups where the + display manager might be running before the graphics drivers + completed initialization. + + * Seat objects now expose a State property. + + * We now include RPM macros for service enabling/disabling + based on the preset logic. We recommend RPM based + distributions to make use of these macros if possible. This + makes it simpler to reuse RPM spec files across + distributions. + + * We now make sure that the collected systemd unit name is + always valid when services log to the journal via + STDOUT/STDERR. + + * There's a new man page kernel-command-line(7) detailing all + command line options we understand. + + * The fstab generator may now be disabled at boot by passing + fstab=0 on the kernel command line. + + * A new kernel command line option modules-load= is now understood + to load a specific kernel module statically, early at boot. + + * Unit names specified on the systemctl command line are now + automatically escaped as needed. Also, if file system or + device paths are specified they are automatically turned + into the appropriate mount or device unit names. Example: + + systemctl status /home + systemctl status /dev/sda + + * The SysVConsole= configuration option has been removed from + system.conf parsing. + + * The SysV search path is no longer exported on the D-Bus + Manager object. + + * The Names= option has been removed from unit file parsing. + + * There's a new man page bootup(7) detailing the boot process. + + * Every unit and every generator we ship with systemd now + comes with full documentation. The self-explanatory boot is + complete. + + * A couple of services gained "systemd-" prefixes in their + name if they wrap systemd code, rather than only external + code. Among them fsck@.service which is now + systemd-fsck@.service. + + * The HaveWatchdog property has been removed from the D-Bus + Manager object. + + * systemd.confirm_spawn= on the kernel command line should now + work sensibly. + + * There's a new man page crypttab(5) which details all options + we actually understand. + + * systemd-nspawn gained a new --capability= switch to pass + additional capabilities to the container. + + * timedated will now read known NTP implementation unit names + from /usr/lib/systemd/ntp-units.d/*.list, + systemd-timedated-ntp.target has been removed. + + * journalctl gained a new switch "-b" that lists log data of + the current boot only. + + * The notify socket is in the abstract namespace again, in + order to support daemons which chroot() at start-up. + + * There is a new Storage= configuration option for journald + which allows configuration of where log data should go. This + also provides a way to disable journal logging entirely, so + that data collected is only forwarded to the console, the + kernel log buffer or another syslog implementation. + + * Many bugfixes and optimizations + + Contributions from: Auke Kok, Colin Guthrie, Dave Reisner, + David Strauss, Eelco Dolstra, Kay Sievers, Lennart Poettering, + Lukas Nykryn, Michal Schmidt, Michal Sekletar, Paul Menzel, + Shawn Landden, Tom Gundersen + +CHANGES WITH 185: + + * "systemctl help <unit>" now shows the man page if one is + available. + + * Several new man pages have been added. + + * MaxLevelStore=, MaxLevelSyslog=, MaxLevelKMsg=, + MaxLevelConsole= can now be specified in + journald.conf. These options allow reducing the amount of + data stored on disk or forwarded by the log level. + + * TimerSlackNSec= can now be specified in system.conf for + PID1. This allows system-wide power savings. + + Contributions from: Dave Reisner, Kay Sievers, Lauri Kasanen, + Lennart Poettering, Malte Starostik, Marc-Antoine Perennou, + Matthias Clasen + +CHANGES WITH 184: + + * logind is now capable of (optionally) handling power and + sleep keys as well as the lid switch. + + * journalctl now understands the syntax "journalctl + /usr/bin/avahi-daemon" to get all log output of a specific + daemon. + + * CapabilityBoundingSet= in system.conf now also influences + the capability bound set of usermode helpers of the kernel. + + Contributions from: Daniel Drake, Daniel J. Walsh, Gert + Michael Kulyk, Harald Hoyer, Jean Delvare, Kay Sievers, + Lennart Poettering, Matthew Garrett, Matthias Clasen, Paul + Menzel, Shawn Landden, Tero Roponen, Tom Gundersen + +CHANGES WITH 183: + + * Note that we skipped 139 releases here in order to set the + new version to something that is greater than both udev's + and systemd's most recent version number. + + * udev: all udev sources are merged into the systemd source tree now. + All future udev development will happen in the systemd tree. It + is still fully supported to use the udev daemon and tools without + systemd running, like in initramfs or other init systems. Building + udev though, will require the *build* of the systemd tree, but + udev can be properly *run* without systemd. + + * udev: /lib/udev/devices/ are not read anymore; systemd-tmpfiles + should be used to create dead device nodes as workarounds for broken + subsystems. + + * udev: RUN+="socket:..." and udev_monitor_new_from_socket() is + no longer supported. udev_monitor_new_from_netlink() needs to be + used to subscribe to events. + + * udev: when udevd is started by systemd, processes which are left + behind by forking them off of udev rules, are unconditionally cleaned + up and killed now after the event handling has finished. Services or + daemons must be started as systemd services. Services can be + pulled-in by udev to get started, but they can no longer be directly + forked by udev rules. + + * udev: the daemon binary is called systemd-udevd now and installed + in /usr/lib/systemd/. Standalone builds or non-systemd systems need + to adapt to that, create symlink, or rename the binary after building + it. + + * libudev no longer provides these symbols: + udev_monitor_from_socket() + udev_queue_get_failed_list_entry() + udev_get_{dev,sys,run}_path() + The versions number was bumped and symbol versioning introduced. + + * systemd-loginctl and systemd-journalctl have been renamed + to loginctl and journalctl to match systemctl. + + * The config files: /etc/systemd/systemd-logind.conf and + /etc/systemd/systemd-journald.conf have been renamed to + logind.conf and journald.conf. Package updates should rename + the files to the new names on upgrade. + + * For almost all files the license is now LGPL2.1+, changed + from the previous GPL2.0+. Exceptions are some minor stuff + of udev (which will be changed to LGPL2.1 eventually, too), + and the MIT licensed sd-daemon.[ch] library that is suitable + to be used as drop-in files. + + * systemd and logind now handle system sleep states, in + particular suspending and hibernating. + + * logind now implements a sleep/shutdown/idle inhibiting logic + suitable for a variety of uses. Soonishly Lennart will blog + about this in more detail. + + * var-run.mount and var-lock.mount are no longer provided + (which previously bind mounted these directories to their new + places). Distributions which have not converted these + directories to symlinks should consider stealing these files + from git history and add them downstream. + + * We introduced the Documentation= field for units and added + this to all our shipped units. This is useful to make it + easier to explore the boot and the purpose of the various + units. + + * All smaller setup units (such as + systemd-vconsole-setup.service) now detect properly if they + are run in a container and are skipped when + appropriate. This guarantees an entirely noise-free boot in + Linux container environments such as systemd-nspawn. + + * A framework for implementing offline system updates is now + integrated, for details see: + https://www.freedesktop.org/wiki/Software/systemd/SystemUpdates + + * A new service type Type=idle is available now which helps us + avoiding ugly interleaving of getty output and boot status + messages. + + * There's now a system-wide CapabilityBoundingSet= option to + globally reduce the set of capabilities for the + system. This is useful to drop CAP_SYS_MKNOD, CAP_SYS_RAWIO, + CAP_NET_RAW, CAP_SYS_MODULE, CAP_SYS_TIME, CAP_SYS_PTRACE or + even CAP_NET_ADMIN system-wide for secure systems. + + * There are now system-wide DefaultLimitXXX= options to + globally change the defaults of the various resource limits + for all units started by PID 1. + + * Harald Hoyer's systemd test suite has been integrated into + systemd which allows easy testing of systemd builds in qemu + and nspawn. (This is really awesome! Ask us for details!) + + * The fstab parser is now implemented as generator, not inside + of PID 1 anymore. + + * systemctl will now warn you if .mount units generated from + /etc/fstab are out of date due to changes in fstab that + have not been read by systemd yet. + + * systemd is now suitable for usage in initrds. Dracut has + already been updated to make use of this. With this in place + initrds get a slight bit faster but primarily are much + easier to introspect and debug since "systemctl status" in + the host system can be used to introspect initrd services, + and the journal from the initrd is kept around too. + + * systemd-delta has been added, a tool to explore differences + between user/admin configuration and vendor defaults. + + * PrivateTmp= now affects both /tmp and /var/tmp. + + * Boot time status messages are now much prettier and feature + proper english language. Booting up systemd has never been + so sexy. + + * Read-ahead pack files now include the inode number of all + files to pre-cache. When the inode changes the pre-caching + is not attempted. This should be nicer to deal with updated + packages which might result in changes of read-ahead + patterns. + + * We now temporaritly lower the kernel's read_ahead_kb variable + when collecting read-ahead data to ensure the kernel's + built-in read-ahead does not add noise to our measurements + of necessary blocks to pre-cache. + + * There's now RequiresMountsFor= to add automatic dependencies + for all mounts necessary for a specific file system path. + + * MountAuto= and SwapAuto= have been removed from + system.conf. Mounting file systems at boot has to take place + in systemd now. + + * nspawn now learned a new switch --uuid= to set the machine + ID on the command line. + + * nspawn now learned the -b switch to automatically search + for an init system. + + * vt102 is now the default TERM for serial TTYs, upgraded from + vt100. + + * systemd-logind now works on VT-less systems. + + * The build tree has been reorganized. The individual + components now have directories of their own. + + * A new condition type ConditionPathIsReadWrite= is now available. + + * nspawn learned the new -C switch to create cgroups for the + container in other hierarchies. + + * We now have support for hardware watchdogs, configurable in + system.conf. + + * The scheduled shutdown logic now has a public API. + + * We now mount /tmp as tmpfs by default, but this can be + masked and /etc/fstab can override it. + + * Since udisks does not make use of /media anymore we are not + mounting a tmpfs on it anymore. + + * journalctl gained a new --local switch to only interleave + locally generated journal files. + + * We can now load the IMA policy at boot automatically. + + * The GTK tools have been split off into a systemd-ui. + + Contributions from: Andreas Schwab, Auke Kok, Ayan George, + Colin Guthrie, Daniel Mack, Dave Reisner, David Ward, Elan + Ruusamäe, Frederic Crozat, Gergely Nagy, Guillermo Vidal, + Hannes Reinecke, Harald Hoyer, Javier Jardón, Kay Sievers, + Lennart Poettering, Lucas De Marchi, Léo Gillot-Lamure, + Marc-Antoine Perennou, Martin Pitt, Matthew Monaco, Maxim + A. Mikityanskiy, Michael Biebl, Michael Olbrich, Michal + Schmidt, Nis Martensen, Patrick McCarty, Roberto Sassu, Shawn + Landden, Sjoerd Simons, Sven Anders, Tollef Fog Heen, Tom + Gundersen + +CHANGES WITH 44: + + * This is mostly a bugfix release + + * Support optional initialization of the machine ID from the + KVM or container configured UUID. + + * Support immediate reboots with "systemctl reboot -ff" + + * Show /etc/os-release data in systemd-analyze output + + * Many bugfixes for the journal, including endianness fixes and + ensuring that disk space enforcement works + + * sd-login.h is C++ compatible again + + * Extend the /etc/os-release format on request of the Debian + folks + + * We now refuse non-UTF8 strings used in various configuration + and unit files. This is done to ensure we do not pass invalid + data over D-Bus or expose it elsewhere. + + * Register Mimo USB Screens as suitable for automatic seat + configuration + + * Read SELinux client context from journal clients in a race + free fashion + + * Reorder configuration file lookup order. /etc now always + overrides /run in order to allow the administrator to always + and unconditionally override vendor-supplied or + automatically generated data. + + * The various user visible bits of the journal now have man + pages. We still lack man pages for the journal API calls + however. + + * We now ship all man pages in HTML format again in the + tarball. + + Contributions from: Dave Reisner, Dirk Eibach, Frederic + Crozat, Harald Hoyer, Kay Sievers, Lennart Poettering, Marti + Raudsepp, Michal Schmidt, Shawn Landden, Tero Roponen, Thierry + Reding + +CHANGES WITH 43: + + * This is mostly a bugfix release + + * systems lacking /etc/os-release are no longer supported. + + * Various functionality updates to libsystemd-login.so + + * Track class of PAM logins to distinguish greeters from + normal user logins. + + Contributions from: Kay Sievers, Lennart Poettering, Michael + Biebl + +CHANGES WITH 42: + + * This is an important bugfix release for v41. + + * Building man pages is now optional which should be useful + for those building systemd from git but unwilling to install + xsltproc. + + * Watchdog support for supervising services is now usable. In + a future release support for hardware watchdogs + (i.e. /dev/watchdog) will be added building on this. + + * Service start rate limiting is now configurable and can be + turned off per service. When a start rate limit is hit a + reboot can automatically be triggered. + + * New CanReboot(), CanPowerOff() bus calls in systemd-logind. + + Contributions from: Benjamin Franzke, Bill Nottingham, + Frederic Crozat, Lennart Poettering, Michael Olbrich, Michal + Schmidt, Michał Górny, Piotr Drąg + +CHANGES WITH 41: + + * The systemd binary is installed /usr/lib/systemd/systemd now; + An existing /sbin/init symlink needs to be adapted with the + package update. + + * The code that loads kernel modules has been ported to invoke + libkmod directly, instead of modprobe. This means we do not + support systems with module-init-tools anymore. + + * Watchdog support is now already useful, but still not + complete. + + * A new kernel command line option systemd.setenv= is + understood to set system wide environment variables + dynamically at boot. + + * We now limit the set of capabilities of systemd-journald. + + * We now set SIGPIPE to ignore by default, since it only is + useful in shell pipelines, and has little use in general + code. This can be disabled with IgnoreSIPIPE=no in unit + files. + + Contributions from: Benjamin Franzke, Kay Sievers, Lennart + Poettering, Michael Olbrich, Michal Schmidt, Tom Gundersen, + William Douglas + +CHANGES WITH 40: + + * This is mostly a bugfix release + + * We now expose the reason why a service failed in the + "Result" D-Bus property. + + * Rudimentary service watchdog support (will be completed over + the next few releases.) + + * When systemd forks off in order execute some service we will + now immediately changes its argv[0] to reflect which process + it will execute. This is useful to minimize the time window + with a generic argv[0], which makes bootcharts more useful + + Contributions from: Alvaro Soliverez, Chris Paulson-Ellis, Kay + Sievers, Lennart Poettering, Michael Olbrich, Michal Schmidt, + Mike Kazantsev, Ray Strode + +CHANGES WITH 39: + + * This is mostly a test release, but incorporates many + bugfixes. + + * New systemd-cgtop tool to show control groups by their + resource usage. + + * Linking against libacl for ACLs is optional again. If + disabled, support tracking device access for active logins + goes becomes unavailable, and so does access to the user + journals by the respective users. + + * If a group "adm" exists, journal files are automatically + owned by them, thus allow members of this group full access + to the system journal as well as all user journals. + + * The journal now stores the SELinux context of the logging + client for all entries. + + * Add C++ inclusion guards to all public headers + + * New output mode "cat" in the journal to print only text + messages, without any meta data like date or time. + + * Include tiny X server wrapper as a temporary stop-gap to + teach XOrg udev display enumeration. This is used by display + managers such as gdm, and will go away as soon as XOrg + learned native udev hotplugging for display devices. + + * Add new systemd-cat tool for executing arbitrary programs + with STDERR/STDOUT connected to the journal. Can also act as + BSD logger replacement, and does so by default. + + * Optionally store all locally generated coredumps in the + journal along with meta data. + + * systemd-tmpfiles learnt four new commands: n, L, c, b, for + writing short strings to files (for usage for /sys), and for + creating symlinks, character and block device nodes. + + * New unit file option ControlGroupPersistent= to make cgroups + persistent, following the mechanisms outlined in + https://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups + + * Support multiple local RTCs in a sane way + + * No longer monopolize IO when replaying readahead data on + rotating disks, since we might starve non-file-system IO to + death, since fanotify() will not see accesses done by blkid, + or fsck. + + * Do not show kernel threads in systemd-cgls anymore, unless + requested with new -k switch. + + Contributions from: Dan Horák, Kay Sievers, Lennart + Poettering, Michal Schmidt + +CHANGES WITH 38: + + * This is mostly a test release, but incorporates many + bugfixes. + + * The git repository moved to: + git://anongit.freedesktop.org/systemd/systemd + ssh://git.freedesktop.org/git/systemd/systemd + + * First release with the journal + http://0pointer.de/blog/projects/the-journal.html + + * The journal replaces both systemd-kmsg-syslogd and + systemd-stdout-bridge. + + * New sd_pid_get_unit() API call in libsystemd-logind + + * Many systemadm clean-ups + + * Introduce remote-fs-pre.target which is ordered before all + remote mounts and may be used to start services before all + remote mounts. + + * Added Mageia support + + * Add bash completion for systemd-loginctl + + * Actively monitor PID file creation for daemons which exit in + the parent process before having finished writing the PID + file in the daemon process. Daemons which do this need to be + fixed (i.e. PID file creation must have finished before the + parent exits), but we now react a bit more gracefully to them. + + * Add colourful boot output, mimicking the well-known output + of existing distributions. + + * New option PassCredentials= for socket units, for + compatibility with a recent kernel ABI breakage. + + * /etc/rc.local is now hooked in via a generator binary, and + thus will no longer act as synchronization point during + boot. + + * systemctl list-unit-files now supports --root=. + + * systemd-tmpfiles now understands two new commands: z, Z for + relabelling files according to the SELinux database. This is + useful to apply SELinux labels to specific files in /sys, + among other things. + + * Output of SysV services is now forwarded to both the console + and the journal by default, not only just the console. + + * New man pages for all APIs from libsystemd-login. + + * The build tree got reorganized and the build system is a + lot more modular allowing embedded setups to specifically + select the components of systemd they are interested in. + + * Support for Linux systems lacking the kernel VT subsystem is + restored. + + * configure's --with-rootdir= got renamed to + --with-rootprefix= to follow the naming used by udev and + kmod + + * Unless specified otherwise we will now install to /usr instead + of /usr/local by default. + + * Processes with '@' in argv[0][0] are now excluded from the + final shut-down killing spree, following the logic explained + in: + https://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons + + * All processes remaining in a service cgroup when we enter + the START or START_PRE states are now killed with + SIGKILL. That means it is no longer possible to spawn + background processes from ExecStart= lines (which was never + supported anyway, and bad style). + + * New PropagateReloadTo=/PropagateReloadFrom= options to bind + reloading of units together. + + Contributions from: Bill Nottingham, Daniel J. Walsh, Dave + Reisner, Dexter Morgan, Gregs Gregs, Jonathan Nieder, Kay + Sievers, Lennart Poettering, Michael Biebl, Michal Schmidt, + Michał Górny, Ran Benita, Thomas Jarosch, Tim Waugh, Tollef + Fog Heen, Tom Gundersen, Zbigniew Jędrzejewski-Szmek |