From efeb864cb547a2cbf96dc0053a8bdb4d9190b364 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 12 Jun 2024 05:50:45 +0200 Subject: Merging upstream version 256. Signed-off-by: Daniel Baumann --- TODO | 408 +++++++++++++++++++++++++++++++++++++------------------------------ 1 file changed, 223 insertions(+), 185 deletions(-) (limited to 'TODO') diff --git a/TODO b/TODO index e8b62bf..b375327 100644 --- a/TODO +++ b/TODO 
@@ -128,21 +128,209 @@ Deprecations and removals: * Once baseline is 4.13, remove support for INTERFACE_OLD= checks in "udevadm trigger"'s waiting logic, since we can then rely on uuid-tagged uevents -* remove remaining tpm1.2 support from sd-stub - Features: +* consider reworking json_build() to imply a top-level JSON_BUILD_OBJECT(), + since that's what we want in 99% of cases. Then provide json_build_any() or + so that can build other variant types top-level too. + +* rework tpm2_parse_pcr_argument_to_mask() to refuse literal hash value + specifications. They are currently parsed but ignored. We should refuse them + however, to not confuse people. + +* use name_to_handle_at() with AT_HANDLE_FID instead of .st_ino (inode + number) for identifying inodes, for example in copy.c when finding hard + links, or loop-util.c for tracking backing files, and other places. + +* cryptenroll/cryptsetup/homed: add unlock mechanism that combines tpm2 and + fido2, as well as tpm2 + ssh-agent, inspired by ChromeOS' logic: encrypt the + volume key with the TPM, with a policy that insists that a nonce is signed by + the fido2 device's key or ssh-agent key. Thus, add unlock/login time the TPM + generates a nonce, which is sent as a challenge to the fido2/ssh-agent, which + returns a signature which is handed to the tpm, which then reveals the volume + key to the PC. + +* cryptenroll/cryptsetup/homed: similar to this, implement TOTP backed by TPM. + +* expose the handoff timestamp fully via the D-Bus properties that contain + ExecStatus information + +* properly serialize the ExecStatus data from all ExecCommand objects + associated with services, sockets, mounts and swaps. Currently, the data is + flushed out on reload, which is quite a limitation. + +* Clean up "reboot argument" handling, i.e. set it through some IPC service + instead of directly via /run/, so that it can be sensible set remotely. 
+ +* userdb: add concept for user "aliases", to cover for cases where you can log + in under the name lennart@somenetworkfsserver, and it would automatically + generate a local user, and from the one both names can be used to allow + logins into the same account. + +* systemd-tpm2-support: add a some logic that detects if system is in DA + lockout mode, and queries the user for TPM recovery PIN then. + +* systemd-repart should probably enable btrfs' "temp_fsid" feature for all file + systems it creates, as we have no interest in RAID for repart, and it should + make sure that we can mount them trivially everywhere. + +* systemd-nspawn should get the same SSH key support that vmspawn now has. + +* insert the new pidfs inode number as a third field into PidRef, so that + PidRef are reasonably serializable without having to pass around fds. + +* systemd-analyze smbios11 to dump smbios type 11 vendor strings + +* move documentation about our common env vars (SYSTEMD_LOG_LEVEL, + SYSTEMD_PAGER, …) into a man page of its own, and just link it from our + various man pages that so far embed the whole list again and again, in an + attempt to reduce clutter and noise a bid. + +* vmspawn switch default swtpm PCR bank to SHA384-only (away from SHA256), at + least on 64bit archs, simply because SHA384 is typically double the hashing + speed than SHA256 on 64bit archs (since based on 64bit words unlike SHA256 + which uses 32bit words). + +* In vmspawn/nspawn/machined wait for X_SYSTEMD_UNIT_ACTIVE=ssh-active.target + and X_SYSTEMD_SIGNAL_LEVEL=2 as indication whether/when SSH and the POSIX + signals are available. Similar for D-Bus (but just use sockets.target for + that). Report as property for the machine. + +* teach nspawn/machined a new bus call/verb that gets you a + shell in containers that have no sensible pid1, via joining the container, + and invoking a shell directly. 
Then provide another new bus call/vern that is + somewhat automatic: if we detect that pid1 is running and fully booted up we + provide a proper login shell, otherwise just a joined shell. Then expose that + as primary way into the container. + +* make vmspawn/nspawn/importd/machined a bit more usable in a WSL-like + fashion. i.e. teach unpriv systemd-vmspawn/systemd-nspawn a reasonable + --bind-user= behaviour that mounts the calling user through into the + machine. Then, ship importd with a small database of well known distro images + along with their pinned signature keys. Then add some minimal glue that binds + this together: downloads a suitable image if not done so yet, starts it in + the bg via vmspawn/nspawn if not done so yet and then requests a shell inside + it for the invoking user. + +* make varlink.h a public API, i.e. give all symbols an sd_ prefix, and rename + header file to sd-varlink.h. This of course also means we have to make json.h + public the same way. Convert the function param checks from assert() to + assert_ret(). Only export the stuff we are sure about, and keep some symbols + internally where things are not clear whether we want other projects to use. + +* machined: allow running in a per-user instance too, to allow unpriv + systemd-nspawn and systemd-vmspawn do something useful. (Alternatively: open + up system machined to unpriv client's registering their machines, and enforce + they come with some prefix or suffix that clarifies they are the + user's. i.e. when a user registers a machine it must be called + foobar. or so.). + +* importd/…: define per-user dirs for container/VM images too. + +* add a new specifier to unit files that figures out the DDI the unit file is + from, tracing through overlayfs, DM, loopback block device. 
+ +* importd/importctl + - import generator + - port tar handling to libarchive + - add varlink interface + - download images into .v/ dirs + +* in os-release define a field that can be initialized at build time from + SOURCE_DATE_EPOCH (maybe even under that name?). Would then be used to + initialize the timestamp logic of ConditionNeedsUpdate=. + +* nspawn/vmspawn/pid1: add ability to easily insert fully booted VMs/FOSC into + shell pipelines, i.e. add easy to use switch that turns off console status + output, and generates the right credentials for systemd-run-generator so that + a program is invoked, and its output captured, with correct EOF handling and + exit code propagation + +* new systemd-analyze "join" verb or so, for debugging services. Would be + nsenter on steroids, i.e invoke a shell or command line in an environment as + close as we can make it for the MainPID of a service. Should be built around + pidfd, so that we can reasonably robustly do this. Would only cover the + execution environment like namespaces, but not the privilege settings. + +* varlink: extend varlink IDL macros to include documentation strings + +* Introduce a CGroupRef structure, inspired by PidRef. Should contain cgroup + path, cgroup id, and cgroup fd. Use it to continuously pin all v2 cgroups via + a cgroup_ref field in the CGroupRuntime structure. Eventually switch things + over to do all cgroupfs access only via that structure's fd. + +* Get rid of the symlinks in /run/systemd/units/* and exclusively use cgroupfs + xattrs to convey info about invocation ids, logging settings and so on. + support for cgroupfs xattrs in the "trusted." namespace was added in linux + 3.7, i.e. which we don't pretend to support anymore. 
+ +* rewrite bpf-devices in libbpf/C code, rather than home-grown BPF assembly, to + match bpf-restrict-fs, bpf-restrict-ifaces, bpf-socket-bind + +* ditto: rewrite bpf-firewall in libbpf/C code + +* credentials: if we ever acquire a secure way to derive cgroup id of socket + peers (i.e. SO_PEERCGROUPID), then extend the "scoped" credential logic to + allow cgroup-scoped (i.e. app or service scoped) credentials. Then, as next + step use this to implement per-app/per-service encrypted directories, where + we set up fscrypt on the StateDirectory= with a randomized key which is + stored as xattr on the directory, encrypted as a credential. + +* credentials: optionally include a per-user secret in scoped user-credential + encryption keys. should come from homed in some way, derived from the luks + volume key or fscrypt directory key. + +* credentials: add a flag to the scoped credentials that if set require PK + reauthentication when unlocking a secret. + +* teach systemd --user to properly load credentials off disk, with + /etc/credstore equivalent and similar. Make sure that $CREDENTIALS_DIRECTORY= + actually works too when run with user privs. + +* extend the smbios11 logic for passing credentials so that instead of passing + the credential data literally it can also just reference an AF_VSOCK CID/port + to read them from. This way the data doesn't remain in the SMBIOS blob during + runtime, but only in the credentials fs. + +* machined: make machine registration available via varlink to simplify + nspawn/vmspawn, and to have an extensible way to register VM/machine metadata + +* ssh-proxy: add support for "ssh machine/foobar" to automatically connect to + machined registered machine "foobar". Requires updating machined to track CID + and unix-export dir of containers. + +* add a new ExecStart= flag that inserts the configured user's shell as first + word in the command line. (maybe use character '.'). 
Usecase: tool such as + run0 can use that to spawn the target user's default shell. + +* varlink: figure out how to do docs for our varlink interfaces. Idea: install + interface files augmented with docs in /usr/share/ somewhere. And have + functionality in varlinkctl to merge interface info extracted from binaries + with interface info on disk. And store the doc strings only in the latter. + +* introduce mntid_t, and make it 64bit, as apparently the kernel switched to + 64bit mount ids + +* use udev rule networkd ownership property to take ownership of network + interfaces nspawn creates + +* mountfsd/nsresourced + - userdb: maybe allow callers to map one uid to their own uid + - bpflsm: allow writes if resulting UID on disk would be userns' owner UID + - make encrypted DDIs work (password…) + - add API for creating a new file system from scratch (together with some + dm-integrity/HMAC key). Should probably work using systemd-repart (access + via varlink). + - add api to make an existing file "trusted" via dm-integry/HMAC key + - port: portabled + - port: tmpfiles, sysusers and similar + - lets see if we can make runtime bind mounts into unpriv nspawn work + * add a kernel cmdline switch (and cred?) for marking a system to be "headless", in which case we never open /dev/console for reading, only for writing. This would then mean: systemd-firstboot would process creds but not ask interactively, getty would not be started and so on. -* extend mime database with mime types for: - - journal files - - credential files - - hwdb files - - catalog files - * cryptsetup: new crypttab option to auto-grow a luks device to its backing partition size. new crypttab option to reencrypt a luks device with a new volume key. 
@@ -181,10 +369,7 @@ Features: PCRs. * vmspawn: - - enable hyperv extension by default (https://www.qemu.org/docs/master/system/i386/hyperv.html) - - register with machined - run in scope unit when invoked from command line, and machined registration is off - - support --directory= via virtiofs - sd_notify support - --ephemeral support - --read-only support @@ -192,7 +377,6 @@ Features: suspend inhibitor to implement this. request clean suspend by generating suspend key presses. - support for "real" networking via "-n" and --network-bridge= - - automatically run service "at the side" for swtpm - translate SIGTERM to clean ACPI shutdown event * systemd-pcrmachine should probably also measure the SMBIOS system UUID. @@ -227,19 +411,6 @@ Features: policy from currently booted kernel/event log, to close gap for first boot for pre-built images -* add a new systemd-project@.service that is very similar to user@.service but - uses DynamicUser=1 and no PAMName= to invoke an unprivileged somewhat - light-weight service manager. Use HOME=/var/lib/systemd/projects/%i as home - dir. Similar for $XDG_RUNTIME_DIR. Start project@%i.target. Use LogField= to - add a field identifying the project. - -* logind: add a new dbus call Sleep() which automatically redirects to one of - Suspend(), Hibernate(), SuspendThenHibernate() depending on what is - available, and also subject to some local configuration in - logind.conf. Should default to SuspendThenHibernate() if available, and then - fallback to Suspend() and finally Hibernate() if not. Then expose this as - "systemctl sleep", and tell DEs to default to this. - * in sd-boot and sd-stub measure the SMBIOS vendor strings to some PCR (at least some subset of them that look like systemd stuff), because apparently some firmware does not, but systemd honours it. avoid duplicate measurement 
@@ -276,21 +447,6 @@ Features: /var/lib/sysexts/ which can be used to place only DDIs that shall be used as sysext -* in pid1: move out all cgroup state settings from Unit into a new object - CGroupState or so which is allocated when we realize the unit into a cgroup, - and then remains referenced by it. The new object should also carry an fd to - the realized cgroup, to pin it (and later execute all cgroup operations over, - once we drop cgroupv1 compat). - -* add new "systemd-ssh-generator", which allows basic ssh config via - credentials (host key). It generates sshd.socket for IP, but also - sshd-vsock.socket for listening on AF_VSOCK when running in a VM, and - sshd-unix.socket on AF_UNIX when running in a container. It also generates a - matching sshd.service file with a host key passed in on the cmdline via - credentials. Then, add a ssh_config drop-in that matches some suitable - hostname pattern and has a ProxyCommand set that allows connecting to any - local VM/container that way without any networking configured. - * Varlinkification of the following command line tools, to open them up to other programs via IPC: - bootctl @@ -298,16 +454,12 @@ Features: - coredumpcl - systemd-bless-boot - systemd-measure - - systemd-creds (allowing clients to encrypt credentials locally) - systemd-cryptenroll (to allow UIs to enroll FIDO2 keys and such) - systemd-dissect - systemd-sysupdate - systemd-analyze - - systemd-pcrlock (to allow fwupd to relax policy) - kernel-install - -* Varlink: add glue code to allow varlink clients to be authenticated via - Polkit by passing client pidfd over. + - systemd-mount (with PK so that desktop environments could use it to mount disks) * in the service manager, pick up ERRNO= + BUSERROR= + VARLINKERROR= error identifiers, and store them along with the exit status of a server and report 
@@ -332,7 +484,7 @@ Features: * systemd-tpm2-setup should probably have a factory reset logic, i.e. when some kernel command line option is set we reset the TPM (equivalent of tpm2_clear - -c owner?). + -c owner? or rather echo 5 >/sys/class/tpm/tpm0/ppi/request?). * systemd-tpm2-setup should support a mode where we refuse booting if the SRK changed. (Must be opt-in, to not break systems which are supposed to be @@ -354,12 +506,9 @@ Features: - get_ctty_devnr() - pid1: sd_notify() receiver should use SCM_PIDFD to authenticate client - actually wait for POLLIN on pidref's pidfd in service logic - - exec_spawn() + safe_fork() - openpt_allocate_in_namespace() - - sd_bus_creds - unit_attach_pid_to_cgroup_via_bus() - cg_attach() – requires new kernel feature - - varlink_get_peer_pid() * ddi must be listed as block device fstype @@ -414,12 +563,6 @@ Features: fd00:5353:5353:5353:5353:5353:5353:5353), and listen on port 53 on it for the local stubs, so that we can make the stub available via ipv6 too. -* introduce a .microcode PE section for sd-stub which we'll pass as first initrd - to the kernel which will then upload it to the CPU. This should be distinct - from .initrd to guarantee right ordering. also, and maybe more importantly - support .microcode in PE add-ons, so that a microcode update can be shipped - independently of any kernel. - * Maybe add SwitchRootEx() as new bus call that takes env vars to set for new PID 1 as argument. When adding SwitchRootEx() we should maybe also add a flags param that allows disabling and enabling whether serialization is 
@@ -465,6 +608,17 @@ Features: line, and then generate a mount unit for it using a udev generated symlink based on lo_file_name. +* teach systemd-nspawn the boot assessment logic: hook up vpick's try counters + with success notifications from nspawn payloads. When this is enabled, + automatically support reverting back to older OS version images if newer ones + fail to boot. + +* implement new "systemd-fsrebind" tool that works like gpt-auto-generator but + looks at a root dir and then applies vpick on various dirs/images to pick a + root tree, a /usr/ tree, a /home/, a /srv/, a /var/ tree and so on. Dirs + could also be btrfs subvols (combine with btrfs auto-snapshort approach for + creating versions like these automatically). + * remove tomoyo support, it's obsolete and unmaintained apparently * In .socket units, add ConnectStream=, ConnectDatagram=, @@ -516,9 +670,6 @@ Features: grow exponentially in size to ensure O(log(n)) time for finding them on access. -* Use CLONE_INTO_CGROUP to spawn systemd-executor, once glibc supports it in - posix_spawn(). - * Make nspawn to a frontend for systemd-executor, so that we have to ways into the executor: via unit files/dbus/varlink through PID1 and via cmdline/OCI through nspawn. @@ -657,10 +808,6 @@ Features: - If run on every boot, should it use the sysupdate config from the host on subsequent boots? -* provide an API (probably IPC) to apps to encrypt/decrypt - credentials. use case: allow bluez bluetooth daemon to pass pairings to initrd - that way, without shelling out to our tools. - * revisit default PCR bindings in cryptenroll and systemd-creds. Currently they use PCR 7 which should contain secureboot state db/dbx. Which sounded like a safe bet, given that it should change only on policy changes, and not 
@@ -696,17 +843,6 @@ Features: * automatic boot assessment: add one more default success check that just waits for a bit after boot, and blesses the boot if the system stayed up that long. -* implement concept of "versioned" resources inside a dir, and write a spec for - it. Make all tools in systemd, in particular - RootImage=/RootDirectory=/--image=/--directory= implement this. Idea: - directories ending in ".v/" indicate a directory with versioned resources in - them. Versioned resources inside a .v dir are always named in the pattern - _[+[-]]. - -* add support for using this .v/ logic on the root fs itself: in the initrd, - after mounting the rootfs, look for root-.v/ in the root fs, and then - apply the logic, moving the switch root logic there. - * systemd-repart: add support for generating ISO9660 images * systemd-repart: in addition to the existing "factory reset" mode (which 
@@ -806,19 +942,10 @@ Features: early. i.e. stuff ending in "/", "/." and "/.." definitely refers to a directory, and paths ending that way can be refused early in many contexts. -* systemd-measure: allow operating with PEM certificates in addition to PEM - public keys when signing PCR values. SecureBoot and our Verity signatures - operate with certificates already, hence I guess we should also just deal for - convenience with certificates for the PCR stuff too. - * systemd-measure: add --pcrpkey-auto as an alternative to --pcrpkey=, where it would just use the same public key specified with --public-key= (or the one automatically derived from --private-key=). -* push people to use ".sysext.raw" as suffix for sysext DDIs (DDI = - discoverable disk images, i.e. the new name for gpt disk images following the - discoverable disk spec). [Also: just ".sysext/" for directory-based sysext] - * Add "purpose" flag to partition flags in discoverable partition spec that indicate if partition is intended for sysext, for portable service, for booting and so on. Then, when dissecting DDI allow specifying a purpose to @@ -830,15 +957,13 @@ Features: keyring, so that the kernel does this validation for us for verity and kernel modules -* for systemd-confext: add a tool that can generate suitable DDIs with verity + - sig using squashfs-tools-ng's library. Maybe just systemd-repart called under - a new name with a built-in config? - * lock down acceptable encrypted credentials at boot, via simple allowlist, maybe on kernel command line: systemd.import_encrypted_creds=foobar.waldo,tmpfiles.extra to protect locked down kernels from credentials generated on the host with a weak kernel +* Merge systemd-creds options --uid= (which accepts user names) and --user. + * Add support for extra verity configuration options to systemd-repart (FEC, hash type, etc) 
@@ -912,8 +1037,6 @@ Features: should probably also one you can use to get a remote attestation quote. * Process credentials in: - • networkd/udevd: add a way to define additional .link, .network, .netdev files - via the credentials logic. • crypttab-generator: allow defining additional crypttab-like volumes via credentials (similar: verity-generator, integrity-generator). Use fstab-generator logic as inspiration. @@ -927,10 +1050,6 @@ Features: file system paths to enable on start. • make systemd-fstab-generator look for a system credential encoding root= or usr= - • systemd-homed: when initializing, look for a credential - systemd.homed.register or so with JSON user records to automatically - register if not registered yet. Use case: deploy a system, and add an - account one can directly log into. • in gpt-auto-generator: check partition uuids against such uuids supplied via sd-stub credentials. That way, we can support parallel OS installations with pre-built kernels. @@ -1004,9 +1123,6 @@ Features: file to move there, since it is managed by privileged code (i.e. homed) and not unprivileged code. -* given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that - that hooks up userdbctl ssh-key stuff. - * maybe add support for binding and connecting AF_UNIX sockets in the file system outside of the 108ch limit. When connecting, open O_PATH fd to socket inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink @@ -1118,8 +1234,6 @@ Features: images as OS payloads. i.e. have a generic OS image you can point to any payload you like, which is then downloaded, securely verified and run. -* deprecate cgroupsv1 further (print log message at boot) - * systemd-dissect: add --cat switch for dumping files such as /etc/os-release * per-service sandboxing option: ProtectIds=. If used, will overmount 
@@ -1169,36 +1283,8 @@ Features: passwords, not just the first. i.e. if there are multiple defined, prefer unlocked over locked and prefer non-empty over empty. -* maybe add a tool inspired by the GPT auto discovery spec that runs in the - initrd and rearranges the rootfs hierarchy via bind mounts, if - enabled. Specifically in some top-level dir /@auto/ it will look for - dirs/symlinks/subvolumes that are named after their purpose, and optionally - encode a version as well as assessment counters, and then mount them into the - file system tree to boot into, similar to how we do that for the gpt auto - logic. Maybe then bind mount the original root into /.superior or something - like that (so that update tools can look there). Further discussion in this - thread: - https://lists.freedesktop.org/archives/systemd-devel/2021-November/047059.html - The GPT dissection logic should automatically enable this tool whenever we - detect a specially marked root fs (i.e introduce a new generic root gpt type - for this, that is arch independent). The also implement this in the image - dissection logic, so that nspawn/RootImage= and so on grok it. Maybe make - generic enough so that it can also work for ostrees arrangements. - -* if a path ending in ".auto.d/" is set for RootDirectory=/RootImage= then do a - strverscmp() of everything inside that dir and use that. i.e. implement very - simple version control. Also use this in systemd-nspawn --image= and so on. - -* homed: while a home dir is not activated generate slightly different NSS - records for it, that reports the home dir as "/" and the shell as some binary - provided by us. Then, when an SSH login happens and SSH permits it our binary - is invoked. This binary can then talk to homed and activate the homedir if - it's not around yet, prompting the user for a password. Once that succeeded - we'll switch to the real user record, i.e. home dir and shell, and our tool - exec()s the latter. 
Net effect: ssh'ing into a homed account will just work: - we'll neatly prompt for the homedir's password if its needed. –– Building on - this we could take this even further: since this tool will potentially have - access to the client's ssh-agent (if ssh-agent forwarding is enabled) we +* homed: if the homed shell fallback thing has access to an SSH agent, try to + use it to unlock home dir (if ssh-agent forwarding is enabled). We could implement SSH unlocking of a homedir with that: when enrolling a new ssh pubkey in a user record we'd ask the ssh-agent to sign some random value with the privkey, then use that as luks key to unlock the home dir. Will not @@ -1232,14 +1318,6 @@ Features: .p7s is available in the image, use it to protect the system.attached copy with fs-verity, so that it cannot be tampered with -* logind introduce two types of sessions: "heavy" and "light". The former would - be our current sessions. But the latter would be a new type of session that - is mostly the same but does not pull in user@.service or wait for it. Then, - allow configuration which type of session is desired via pam_systemd - parameters, and then make user@.service's session one of these "light" ones. - People could then choose to make FTP sessions and suchlike "light" if they - don't want the service manager to be started for that. - * /etc/veritytab: allow that the roothash column can be specified as fs path including a path to an AF_UNIX path, similar to how we do things with the keys of /etc/crypttab. That way people can store/provide the roothash 
@@ -1337,16 +1415,11 @@ Features: - pass creds via keyring? - pass creds via memfd? - acquire + decrypt creds from pkcs11? - - make systemd-cryptsetup acquire pw via creds logic - make PAMName= acquire pw via creds logic - - make macsec/wireguard code in networkd read key via creds logic - - make gatwayd/remote read key via creds logic + - make macsec code in networkd read key via creds logic (copy logic from + wireguard) + - make gatewayd/remote read key via creds logic - add sd_notify() command for flushing out creds not needed anymore - - make user manager instances create and use a user-specific key (the one in - /var/lib is root-only) and add --user switch to systemd-creds to use it - -* add tpm.target or so which is delayed until TPM2 device showed up in case - firmware indicates there is one. * TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades and such @@ -1375,6 +1448,9 @@ Features: * systemd-analyze netif that explains predictable interface (or networkctl) +* Figure out naming of verbs in systemd-analyze: we have (singular) capability, + exit-status, but (plural) filesystems, architectures. + * Add service setting to run a service within the specified VRF. i.e. do the equivalent of "ip vrf exec". 
@@ -1388,25 +1464,20 @@ Features: * if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it -* pid1: support new clone3() fork-into-cgroup feature - * pid1: also remove PID files of a service when the service starts, not just when it exits * make us use dynamically fewer deps for containers in general purpose distros: o turn into dlopen() deps: - - kmod-libs (only when called from PID 1) - libblkid (only in RootImage= handling in PID 1, but not elsewhere) - libpam (only when called from PID 1) - - bzip2, xz, lz4 (always — gzip and zstd should probably stay static deps the way they are, - since they are so basic and our defaults) * seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can. Apparently kernel performance is much better with fewer larger seccomp filters than with more smaller seccomp filters. -* systemd-path: add ESP and XBOOTLDR path. Add "private" runtime/state/cache dir enum, - mapping to $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such +* systemd-path: Add "private" runtime/state/cache dir enum, mapping to + $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such * seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out @@ -1547,8 +1618,6 @@ Features: that our log messages could contain clickable links for example for unit files and suchlike we operate on. -* importd: add ability download images for portabled + sysext - * add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration) * sync dynamic uids/gids between host+portable srvice (i.e. if DynamicUser=1 is set for a service, make sure that the 
@@ -1740,7 +1809,7 @@ Features: * fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline -* docs: bring https://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date +* docs: bring https://systemd.io/MY_SERVICE_CANT_GET_REATLIME up to date * add a job mode that will fail if a transaction would mean stopping running units. Use this in timedated to manage the NTP service @@ -1834,8 +1903,6 @@ Features: * transient units: - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt -* when we detect low battery and no AC on boot, show pretty splash and refuse boot - * libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops * be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1 @@ -1850,8 +1917,6 @@ Features: * man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted. -* load .d/*.conf dropins for device units - * There's currently no way to cancel fsck (used to be possible via C-c or c on the console) * add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/ @@ -1880,10 +1945,7 @@ Features: - generate better errors when people try to set transient properties that are not supported... https://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html - - maybe introduce WantsMountsFor=? Use case: - https://lists.freedesktop.org/archives/systemd-devel/2015-January/027729.html - recreate systemd's D-Bus private socket file on SIGUSR2 - - move PAM code into its own binary - when we automatically restart a service, ensure we restart its rdeps, too. - hide PAM options in fragment parser when compile time disabled - Support --test based on current system state 
@@ -1928,8 +1990,6 @@ Features: * currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not -* add a pam module that passes the hdd passphrase into the PAM stack and then expires it, for usage by gdm auto-login. - * add a pam module that on password changes updates any LUKS slot where the password matches * test/: @@ -2236,8 +2296,6 @@ Features: - fingerprint authentication, pattern authentication, … - make sure "classic" user records can also be managed by homed - make size of $XDG_RUNTIME_DIR configurable in user record - - query password from kernel keyring first - - update even if record is "absent" - move acct mgmt stuff from pam_systemd_home to pam_systemd? - when "homectl --pkcs11-token-uri=" is used, synthesize ssh-authorized-keys records for all keys we have private keys on the stick for - make slice for users configurable (requires logind rework) 
@@ -2260,21 +2318,12 @@ Features: - support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt - maybe pre-create ~/.cache as subvol so that it can have separate quota easily? - - add a switch to homectl (maybe called --first-boot) where it will check if - any non-system users exist, and if not prompts interactively for basic user - info, mimicking systemd-firstboot. Then, place this in a service that runs - after systemd-homed, but before gdm and friends, as a simple, barebones - fallback logic to get a regular user created on uninitialized systems. - store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with systemd-cryptsetup, so that it can unlock homed volumes - maybe make all *.home files owned by `systemd-home` user or so, so that we can easily set overall quota for all users - on login, if we can't fallocate initially, but rebalance is on, then allow login in discard mode, then immediately rebalance, then turn off discard - - extend user records with optional "bulk" data. Specifically, a user - avatar/photo or so. This data should be stored along with the user record, - but probably shouldn't be part of the record itself, since it might be - large. - add "homectl unbind" command to remove local user record of an inactive home dir 
@@ -2353,14 +2402,10 @@ Features: * systemctl: - add systemctl switch to dump transaction without executing it - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done - - "systemctl disable" on a static unit prints no message and does - nothing. "systemctl enable" does nothing, and gives a bad message - about it. Should fix both to print nice actionable messages. - print nice message from systemctl --failed if there are no entries shown, and hook that into ExecStartPre of rescue.service/emergency.service - add new command to systemctl: "systemctl system-reexec" which reexecs as many daemons as virtually possible - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards? - systemctl: "Journal has been rotated since unit was started." message is misleading - - systemctl status output should include list of triggering units and their status * introduce an option (or replacement) for "systemctl show" that outputs all properties as JSON, similar to busctl's new JSON output. In contrast to that @@ -2446,12 +2491,6 @@ Features: or two sockets. - Support running nspawn as an unprivileged user. -* machined: add API to acquire UID range. add API to mount/dissect loopback - file. Both protected by PK. Then make nspawn use these APIs to run - unprivileged containers. i.e. push the truly privileged bits into machined, - so that the client side can remain entirely unprivileged, with SUID or - anything like that. - * machined: - add an API so that libvirt-lxc can inform us about network interfaces being removed or added to an existing machine 
@@ -2482,18 +2521,17 @@ Features: * support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting) * tmpfiles: - - apply "x" on "D" too (see patch from William Douglas) - allow time-based cleanup in r and R too - instead of ignoring unknown fields, reject them. - creating new directories/subvolumes/fifos/device nodes should not follow symlinks. None of the other adjustment or creation calls follow symlinks. - - add --test mode - teach tmpfiles.d q/Q logic something sensible in the context of XFS/ext4 project quota - teach tmpfiles.d m/M to move / atomic move + symlink old -> new - add new line type for setting btrfs subvolume attributes (i.e. rw/ro) - tmpfiles: add new line type for setting fcaps + - add -n as shortcut for --dry-run in tmpfiles & sysusers & possibly other places * udev-link-config: - Make sure ID_PATH is always exported and complete for -- cgit v1.2.3
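Review bot: The replacement URL in the @@ -1740 hunk, https://systemd.io/MY_SERVICE_CANT_GET_REATLIME, looks misspelled: the line it replaces reads MyServiceCantGetRealtime, so the new slug is presumably MY_SERVICE_CANT_GET_REALTIME. Check that the link actually resolves before the TODO entry is left pointing at it, otherwise the item is harder to act on than the one it replaced.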
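Review bot: In the @@ -1928 hunk the item "add a pam module that passes the hdd passphrase into the PAM stack and then expires it, for usage by gdm auto-login" is dropped with no replacement, while the closely related "add a pam module that on password changes updates any LUKS slot where the password matches" stays. Both hand a disk passphrase to PAM, so a one-line pointer to where the first one landed, or why it was rejected, would keep the surviving item from being read as covering both.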
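Review bot: The @@ -2260 hunk removes both the homectl --first-boot sketch and the "bulk" user-record data item (avatar/photo) without a trace, while every neighbouring item is untouched. The removed text itself notes that bulk data "probably shouldn't be part of the record itself, since it might be large"; if that design was implemented elsewhere, a reference to it would preserve that reasoning, and if it was dropped, the item should say so rather than silently vanish.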
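Review bot: The @@ -2446 hunk deletes the whole machined item about moving UID-range allocation and loopback mount/dissect behind polkit-protected APIs so nspawn's client side can stay unprivileged, but leaves "Support running nspawn as an unprivileged user" in place directly above it. The two describe the same goal, so either the surviving item should absorb the design sketch (which is the part with the privilege-separation detail) or the removal should state why that approach is obsolete.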
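Review bot: In the @@ -2482 tmpfiles hunk the new line "add -n as shortcut for --dry-run in tmpfiles & sysusers & possibly other places" lands in the same hunk that removes "add --test mode". If --dry-run already provides what --test was meant to be, the removal is fine, but the new item should make clear that -n is only an alias for the existing option and not a further mode, so nobody re-adds a separate test switch.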