CHANGES WITH 258 in spe:
Incompatible changes:
* Support for cgroup v1 ('legacy' and 'hybrid' hierarchies) has been
removed. cgroup v2 ('unified' hierarchy) will always be mounted
during system bootup and systemd-nspawn container initialization.
* The minimum kernel baseline version has been bumped to v5.4 (released
in 2019), with the recommended version now going up to v5.7. Consult
the README file for a list of required kernel APIs.
* The default access mode of tty/pts device nodes has been changed to
0600, which was 0620 in the older releases, due to general security
concerns about terminals being written to by other users. To restore
the old default access mode, use the '-Dtty-mode=0620' meson build
option. (This effectively means "mesg n" is now the default, rather
than "mesg y", see mesg(1) man page for help.)
* systemd-run's --expand-environment= switch, which was disabled
by default when combined with --scope, has been changed to be
enabled by default. This brings cmdline expansion of transient
scopes on par with services.
* systemd-logind PAM sessions that previously were automatically
determined to be of class "background", and which are owned by root
or system accounts, will now automatically be set to class
"background-light" instead. PAM sessions that previously were
automatically determined to be of class "user", and which are owned
by non-root system users, will now automatically be set to class
"user-light" instead. This effectively means that cron jobs or FTP
sessions (i.e. all PAM sessions that have no TTY assigned and neither
are graphical) for system users no longer pull in a service manager
by default. This behaviour can be changed by explicitly setting the
session class (for example via the class= parameter to
pam_systemd.so, or by setting the XDG_SESSION_CLASS environment
variable as input for the service's PAM stack). This change does not
affect graphical sessions, nor does it affect regular users. This is
an incompatible change of sorts, since per-user services will
typically not be available for such PAM sessions of system users.
* systemd-udevd ignores OWNER=/GROUP= settings with a non-system
user/group specified in udev rules files, to avoid device nodes being
owned by a non-system user/group. It is recommended to check udev
rules files with 'udevadm verify' and/or 'udevadm test' commands if
the specified user/group in OWNER=/GROUP= are valid.
Similarly, systemd-networkd refuses User=/Group= settings with a
non-system user/group specified in .netdev files for Tun/Tap
interfaces.
* systemd-cryptenroll, systemd-repart and systemd-creds no longer
default to locking TPM2 enrollments to the current, literal value of
PCR 7, i.e. the PCR the SecureBoot policy is measured into by the
firmware. This change reflects the fact that nowadays SecureBoot
policies are updated (at least) as frequently as firmware code
(simply because SecureBoot policy updates are typically managed by
fwupd these days). The new default PCR mask for new TPM2 enrollments
is thus empty by default. It is recommended to use managed
systemd-pcrlock policies for binding to PCR 7 instead (as well as
combining such policies with signed policies for PCR 11). Or in other
words, it's recommended to make more use of the logic behind the
--tpm2-public-key=, --tpm2-public-key-pcrs= and --tpm2-pcrlock=
switches of the mentioned tools in place of --tpm2-pcrs=.
* Support for the SystemdOptions EFI variable has been removed.
* Meson options '-Dsplit-usr=', '-Drootlibdir=', '-Drootprefix='
(deprecated in v255), '-Ddefault-hierarchy=' (deprecated in v256),
and '-Dnscd=' (deprecated in v257) have been removed.
* OpenSSL is now the only supported cryptography backend for
systemd-resolved and systemd-importd, and support for gnutls and
gcrypt has been removed. Hence, 'gnutls' setting for the
'-Ddns-over-tls=' meson option has been deprecated. Also, the
'-Dcryptolib=' meson option has been deprecated. They will be removed
in a future release.
* systemd-logind's session tracking, which used to be performed via a
FIFO installed in the client, now uses PIDFDs. The file descriptor
returned by CreateSession() and related calls is therefore unused.
Moreover, the exit of the session leader process will immediately
cause the session to be stopped.
* To work around limitations of X11's keyboard handling systemd's
keyboard mapping hardware database (hwdb.d/60-keyboard.hwdb) so far
mapped the microphone mute and touchpad on/off/toggle keys to the
function keys F20, F21, F22, F23 instead of their correct key codes.
This key code mangling has been removed from udev.
To maintain compatibility with X11 applications that rely on the old
function key code mappings, this mangling has now been added to the
relevant X11 keyboard driver modules. In order to ensure these keys
continue to work, update to xf86-input-evdev >= 2.11.0 and
xf86-input-libinput >= 1.5.0 before updating to systemd >= 258.
* The D-Bus method org.freedesktop.systemd1.StartAuxiliaryScope() has
been removed, which was deprecated since v257.
* systemd-networkd previously emitted the machine ID as chassis ID
through LLDP protocol, but now emits a deterministic ID,
cryptographically derived from the machine ID as chassis ID. If you
want to use the previous behavior, please set
SYSTEMD_LLDP_SEND_MACHINE_ID=1 environment variable for
systemd-networkd.
* Support for the !! command line prefix on ExecStart= lines (and
related) has been removed, and if specified will be ignored. The
concept was supposed to provide compatibility with kernels that
predated the introduction of "ambient" process capabilities. However,
the kernel baseline of the systemd project is now far beyond any
kernels that lacked support for it, hence the prefix serves no
purpose anymore.
* The default keyring for systemd-importd and related tools, shipped
in /usr/lib/systemd/, has been renamed from import-pubring.gpg to
import-pubring.pgp, as it is supported by other PGP tools as well as
GPG. The local keyring /etc/systemd/import-pubring.gpg is still parsed
if present, to preserve backward compatibility.
* Normally, per-user encrypted credentials are decrypted via the the
systemd-creds.socket Varlink service, while the per-system ones are
directly encrypted within the execution context of the intended
service (which hence typically required access to /dev/tpmrm0). This
has been changed: units that enable either PrivateDevices= or use
DeviceAllow=/DevicePolicy= (and thus restrict access to device nodes)
will now also make use of the systemd-creds.socket Varlink
functionality, and will not attempt to decrypt the credentials
in-process (and attempt to try to talk to the TPM for that).
Previously, encrypted credentials for per-system services were
incompatible with PrivateDevices= and resulted in automatic extension
of the DeviceAllow= list. The latter behaviour has been removed.
* The command 'journalctl --follow' now exits with success on
SIGTERM/SIGINT and when the pipe it is writing to is disconnected.
* Support for System V style system state control has been removed:
- The /dev/initctl device node has been removed.
- The initctl, runlevel, and telinit commands have been removed.
- Support for system state control via the init command (e.g.
'init 3') has been removed.
- The units runlevel[0-6].target have been removed.
- The concept of runlevels has been removed, so runlevel transitions
are no longer recorded in the utmp/wtmp databases.
* Support for traditional /forcefsck and /fastboot files to control
execution mode of fsck on boot has been removed from systemd-fsck. To
control the mode, please use the fsck.mode= kernel command line option
or newly introduced fsck.mode credential.
* Support for traditional /forcequotacheck file to control execution
mode of quotacheck on boot has been removed from systemd-quotacheck.
To control the mode, please use the quotacheck.mode= kernel command
line option of newly introduced quotacheck.mode credential.
Announcements of Future Feature Removals:
* Support for System V service scripts is deprecated and will be
removed in v259. Please make sure to update your software *now* to
include a native systemd unit file instead of a legacy System V
script to retain compatibility with future systemd releases.
* Support for systemd-repart's FactoryReset EFI variable has been
deprecated and support for it will be removed in v260. Use the newer,
more generic FactoryResetRequest variable instead, which can be
managed by "systemd-factory-reset request" and "systemd-factory-reset
complete".
* The meson option '-Dintegration-tests=' has been deprecated, and will
be removed in a future release.
* The legacy iptables support through libiptc will be removed in v259.
Only nftables backend will be supported by systemd-networkd and
systemd-nspawn since v259.
* Required minimum versions of following components are planned to be
raised in the next release:
* Linux kernel >= 5.10 (recommended >= 5.14),
* glibc >= 2.34,
* libxcrypt >= 4.4.0 (libcrypt in glibc will be no longer supported),
* util-linux >= 2.37,
* elfutils >= 0.177,
* openssl >= 3.0.0,
* cryptsetup >= 2.4.0,
* libfido2 >= 1.5.0,
* libseccomp >= 2.4.0,
* python >= 3.9.0.
Please provide feedback on systemd-devel if this would cause problems.
Service manager/PID1:
* The PrivateUsers= unit setting now accepts a new value "full", which
is similar to "identity", but maps the whole 32bit UID range instead
of just the first 2¹⁶.
* The ProtectHostname= unit setting now accepts a new value "private",
which is similar to "yes", but allows the unit's processes to
modify the hostname. Since a UTC namespace is allocated for the unit
this hostname change remains local to the unit, and does not affect
the system as a whole. Optionally, the "private" string may be
suffixed by a colon and a literal hostname specification, which is
then used to initialize the hostname of the namespace to.
* .mount units now also support systemd credentials
(i.e. SetCredential=/LoadCredential=/ImportCredential= and related
settings). Previously this was available for service units only.
* A new unit file condition ConditionKernelModuleLoaded= has been added
that may be used to check if a certain kernel module is already
loaded (or built into the kernel). This is used to shortcut
modprobe@.service instances, reducing redundant explicit modprobe
invocations at boot to cover for kernels that have various subsystems
built-in, while still providing support for kernels that have those
subsystems built as loadable modules.
* Encrypted systemd service credentials are now available for user
services too, including if locked to TPM. Previously, they could only
be used for system services.
* Services instantiated for Accept=yes socket units will now include
the Linux socket cookie (SO_COOKIE) in the instance name, as well as
the PIDFD inode ID for the peer (the latter is only available for
AF_UNIX sockets). This should make it easier to match specific
service instances to the connections and peers they are associated
with.
* The security rules enforced by the per-unit AttachProcesses() bus API
call have been relaxed a bit: unprivileged clients may now use the
call on arbitrary processes which run in any user namespace owned by
the client's UID. Previously, a stricter rule applied that required
the UIDs of the process to move and of the client to match exactly.
* A new per-unit RemoveSubgroup() D-Bus API call has been added that
makes the service manager attempt to remove a sub-cgroup of units
with cgroup delegation enabled. This is useful for unprivileged user
namespace operation, where subgroups might be owned by user IDs that
do not match the user ID the unit was delegated to, as is typical in
user namespace scenarios. Per-user service managers will use this new
call provided by the per-system service manager to clean up user
units that contain cgroups owned by user namespace UIDs.
* .mount units gained support for a special x-systemd.graceful-option=
pseudo-mount option, which may be used to list additional mount
options that shall be used for the mount when it is established,
under the condition the local kernel supports them. If the local
kernel does not, they are automatically removed from the option
string. This only works for kernel-level mount options, not for those
implemented in userspace. This is useful for various purposes, for
example to include "usrquota" for tmpfs mount options where that's
supported.
* Per-user quota is now enabled on /dev/shm/ and /tmp/ (the latter only
if backed by tmpfs).
* If PAMName= is used for a service and the PAM session prompts for a
password, it will now be queried via the systemd-ask-password
logic. Previously the prompt would simply be denied, typically causing
the PAM session (and thus service activation) to fail. One effect of
this change is that when lingering is enabled for a systemd-homed
user the user's password will now be prompted at boot to unlock the
user's home directory in order to be able to start the per-user
service manager early, as requested.
* The $MAINPID and $MANAGERPID environment variables we pass to
processes executed for service units are now paired with new
environment variables $MAINPIDFDID and $MANAGERPIDFDID. These new
environment variables contain the numeric inode ID of the pidfd for
the relevant process. As these 64bit IDs are unique for all processes
of a specific Linux boot they can be used to race-freely reference a
process, unlike the PID which is subject to races by recycling.
* So far the ConditionHost= condition matched against the local host
name and machine UUID. It now also matches against the local product
ID of the system (as provided by SMBIOS/DMI) and the boot ID.
* A new setting DelegateNamespaces= for units has been added, which
controls which type of Linux namespaces to delegate to the invoked
unit processes. This primarily controls if the listed namespace types
shall be owned by the host user namespace, or by the private user
namespace of the unit. In the former case services cannot modify the
relevant namespaces since they don't own it, in the latter case they
can.
* If the service manager receives a RESTART_RESET=1 sd_notify() message
from a service, it will now reset the automatic restart counter it
maintains for the service. This is useful to give services control
over RestartMaxDelaySec=/RestartSteps= progress.
* The /etc/hostname file may now include question mark characters
("?"), which when read will be initialized by hexadecimal digits
hashed from the machine ID. This is useful when managing a fleet of
devices that each shall have a valid and distinct hostname, generated
in a predictable fashion. Example: if /etc/hostname contains
"foobar-????-????" each booted system will end up with a hostname
such as "foobar-7aaf-846c" or similar.
* ConditionKernelVersion= has been replaced by a more generic
ConditionVersion= setting, that can check the versions of more key
components of the OS, besides the kernel. Initially, that's systemd's
and glibc's versions. The older setting remains supported for
compatibility.
* Slice units gained new ConcurrencySoftMax= and ConcurrencyHardMax=
settings which control how many concurrent units may be active and
queued for the slice at the same time. If more services are queued
for a slice than the soft limit, they won't be dispatched until the
concurrency falls below the limit again, but they remain in the job
queue. If more services are queued than the hard limit the jobs will
fail. This introduces a powerful job execution mechanism to systemd,
with strong resource management, and support for hierarchial job
pools (by means of slices).
* ExecStart= lines (and the other ExecXYZ= lines) now support a new '|'
prefix that causes the command line to be invoked via a shell.
* A basic Varlink API is now implemented in the service manager that
can be used to determine its current state, and list units and their
states.
* Processes invoked via the .socket Accept=yes logic will now get an
environment variable $SO_COOKIE that contains the Linux socket
cookie (which otherwise can be acquired via getsockopt()) of the
connection socket, formatted in decimal.
* When a service's configuration is reloaded (via "systemctl reload" or
an equivalent operation), any confext images for the services are
also reloaded.
* A new RandomizedOffsetSec= setting has been added to .timer units
which allows configured of a randomized but stable time offset for
when the timer shall elapse.
* Whenever a TTY is initialized by the service manager, an attempt is
made to read the terminfo identifier from it via DCS sequences, as
part of the regular ANSI sequence initialization scheme. The
identifier is used to initialize $TERM. This is not done if $TERM is
already set from some other sources. Note that the DCS sequence for
this is widely supported, but not universal (at this point VTE-based
terminal emulators lack the necessary support). This functionality
should be particularly useful on serial TTYs as $TERM information
will likely be initialized to a useful value instead of a badly
guessed default of vt220.
* .socket units gained a new PassPIDFD= setting that controls the new
SO_PASSPIDFD socket option for AF_UNIX socket. There's also a new
setting AcceptFileDescriptors= that controls the new SO_PASSRIGHTS.
* A new job type "lenient" has been added, that is similar to the
existing "fail" job mode, and which will fail the submitted
transaction immediately if it would stop any currently running unit.
* .socket units gained a new pair of settings DeferTrigger= and
DeferTriggerMaxSec= which modify triggering behaviour of the
socket. When used this will cause the triggered unit to be enqueued
with the new "lenient" job mode, and if the submission of the
transaction fails it is later retried to be submitted (up to a
configurable timeout), whenever a unit is stopped.
* The "preset" logic has been extended so that there are now three
preset directories: one that declares the default enablement state
for per-system services run on the host, one for per-user services,
and – now new – one for per-system services that are run in the
initrd. This reflects the fact that in many cases services that shall
be enabled by default on the host should not be enabled by default in
the initrd, or vice versa. Note that while the regular per-system
preset policy defaults to enabled, the one for the initrd defaults to
disabled.
* There are now new per-service settings
StateDirectoryQuota=/StateDirectoryAccounting=,
CacheDirectoryQuota=/CacheDirectoryAccounting=,
LogsDirectoryQuota=/LogsDirectoryAccounting= which allow doing
per-unit quota of the indicated per-unit directories. This is
implemented via project quota, as supported by xfs and ext4. This
does not support btrfs, currently. If quota accounting is enabled
this information is shown in the usual "systemctl status" output.
* The service manager gained a new KillUnitSubgroup() syscall which may
be used to send a signal to a sub-control group of the unit's control
group. systemctl kill gained a new --kill-subgroup= switch to make
this available from the shell.
* A new PrivateBPF= switch has been added for unit files, which may be
used to mount a private bpffs instance for the unit's processes.
* Four new options added to mount the bpffs with the delegate options:
BPFDelegateCommands= BPFDelegateMaps=
BPFDelegatePrograms= BPFDelegateAttachments=
These allow an unprivileged container to use some BPF functionalities.
See also https://lwn.net/Articles/947173/
* New user manager services systemd-nspawn@.service and
systemd-vmspawn@.service and a machines.target unit to manage them
have been added.
systemd-journald & journal-remote:
* journalctl's --setup-keys command now supports JSON output.
* HTTP compression negotiation has been added to journal-upload and
journal-remote.
* journal-remote/journal-upload now support inserting additional HTTP
fields into their requests, via the Header= configuration file setting.
* journalctl gained a new --synchronize-on-exit=yes switch. If
specified in combination with --follow and the journalctl process
receives SIGINT (for example because the user hits Ctrl-C), a
synchronization request is enqueued to systemd-journald, and log
output continues until it completes. Or in other words, when this
option is used any log output submitted before the SIGINT is
guaranteed to be shown before journactl exits.
* systemd-journald's Synchronize() Varlink call has been reworked so
that it no longer returns only once the logging subsystem has become
completely idle, but already when all messages queued before the call
was initiated are definitely written to disk. Effectively this means
that the call is now guaranteed to complete in bounded time, even
though it's slightly weaker in effect.
* Many of systemd-journald's Varlink calls (such as the aforementioned
Synchronize()) are now available to unprivileged clients.
systemd-udevd & systemd-hwdb:
* A new udev property ID_NET_BRING_UP_BEFORE_JOINING_BRIDGE= is now
supported that may be set on network interface devices (via hwdb),
and tells systemd-networkd to bring the interface up before joining
it to a bridge device.
* A new udev property ID_NET_NAME_INCLUDE_DOMAIN= is now supported that
may be set on network interface devices (via hwdb), that indicates
that the automatic network device naming logic should suppress
inclusion of the PCI domain in the naming scheme. This is used for
Azure MANA devices.
* A new udev property ID_AV_LIGHTS= has been defined that may be set on
USB controlled A/V lights. Devices marked like this (via hwdb) will
have the uaccess logic enabled, i.e. they will be associated with a
seat and unprivileged users will get access to them.
* udevadm's trigger command gained a switch --include-parents. If
specified udevadm will not just trigger all devices matching whatever
is specified otherwise on the command line, but also all parent
devices of these devices.
* systemd-udevd now provides a Varlink interface with various runtime
and lifecycle operations. It mostly replaces the previous private,
undocumented "control" IPC API spoken between udevadm and
systemd-udevd.
* .link files gained two new knobs ReceiveFCS= (which controls whether
to pass the Frame Check Sequence value up the stack) and ReceiveAll=
(which controls whether to accept damaged Ethernet frames). It also
gained a knob PartialGenericSegmentationOffload= for controlling
Partial GSO support.
* 'udevadm info/trigger/test/test-builtin' commands now also take device
IDs to specify devices.
* udevadm test gained a new "--verbose" switch for generating
additional debug output for the test.
* The OPTIONS= udev expression now supports the new "dump" value, which
will result in the current event's status to be logged at the moment
the expression is processed. This is useful for debugging udev rules.
* A new kernel command line option udev.trace= has been added that
allows enabling udev's tracing logic while booting an OS. udevadm
control gained a new --trace= switch to change the same setting at
runtime.
* udevadm test gained a new --extra-rules-dir= switch which may be
used to look for udev rules in additional directories for testing
purposes.
* udevadm gained a new "cat" command for showing the contents of
installed rules files.
* udev will now create /dev/input/by-{id,path}/* style symlinks for
hidraw devices too. (Previously these would be created for other
input device types only.)
* *.link files gained support for configuring various Energy Efficient
Ethernet (EEE) settings in a new [EnergyEfficientEthernet] section.
* udevadm test gained a new --json= switch for generating JSON output.
* A new udev builtin "factory_reset" has been added that simply reports
if the system is currently booted in factory reset mode. This can be
used by udev rules that determine the location of the root file
system, in order to decide whether to expect that a root file already
exists or still needs to be created/formatted/encrypted.
* The "blkid" builtin of udev has been changed to determine the host
root file system by looking for the used ESP/XBOOTLDR only while
running in the initrd. When running after the initrd→host transition
it now just uses the root file system already mounted to /. Of
course, usually this should have the same results, but there are
situations thinkable where the ESP is on one disk and the root fs on
another, and we better not second guess this once we transitioned
onto the root file system.
* A new udev builtin "dissect_image" has been added that uses the usual
DDI image dissection code to identify partitions and their use and
relationships. This is used by new udev rules to generate a set of
symlinks in /dev/disk/by-designator/ that point to the various
discovered partitions by their designator.
* Android debug USB interfaces (ADB DbC, ADB, Fastboot) are now
automatically marked for unprivileged access, generically via a new
ID_DEBUG_APPLIANCE= udev property. Or in other words, running "adb"
again your Android phone connected via USB, set to debug mode should
just work without any additional rules.
* A new standard group "clock" has been introduced that is now used by
default for PTP and RTC device nodes in /dev/.
systemd-networkd:
* systemd-networkd now supports configuring the timeout for IPv4
Duplicate Address Detection via a new setting
IPv4DuplicateAddressDetectionTimeoutSec=. The default timeout value
has been changed from 7 seconds to 200 milliseconds.
* systemd-networkd gained support for IPv6 SIP, i.e. DHCPv6 options
SD_DHCP6_OPTION_SIP_SERVER_DOMAIN_NAME (21) and
SD_DHCP6_OPTION_SIP_SERVER_ADDRESS (22), controlled by a new UseSIP=
option in the [DHCPv6] section.
* A new MPLSRouting= setting in the [Network] section in .network files
can be used to control whether Multi-Protocol Label Switching is
enabled on an interface.
* A system-wide default for ClientIdentifier= may now be set in
networkd.conf. (Previously this had to be configured individually in
each .network file.)
* PersistLeases= setting in [DHCPServer] section now also accepts
"runtime", to make the DHCP server saves and loads bound leases on
the runtime storage.
* A new Preference= setting has been added to the [IPv6RoutePrefix]
section to configure the route preference field.
* New LinkLocalLearning=, Locked=, MACAuthenticationBypass=,
VLANTunnel= settings have been added the [Bridge] section of .network
files.
* .netdev files gained new External=/VNIFilter= settings in [VXLAN]
section.
* .netdev files can now configure HSR/SRP network devices too, via a
new [HSR] section.
* The LLDP client will now pick up the VLAN Id from LLDP data. The LLDP
sender will now send this field on VLAN devices.
* The DHCPv4 client in systemd-networkd now also supports BOOTP (via a
new BOOTP= setting).
* The Local= setting in [Tunnel] section gained a new "dhcp_pd" value
to allow setting the local address based on dhcp-pd addresses.
sd-varlink & sd-json:
* An API call sd_varlink_reset_fds() has been added that undoes the
effect of sd_varlink_push_fd() (the API for submitting file
descriptors to send along with a method call), without actually
sending a Varlink message.
* An API call sd_varlink_server_listen_name() has been added that is
just like sd_varlink_server_listen_auto() but takes one additional
parameter: the file descriptor name (in the sense of $LISTEN_FDNAMES)
to look for, instead of "varlink". This is useful for services that
implement multiple Varlink services on distinct sockets and shall be
activatable through either.
* A pair of API calls sd_json_variant_type_from_string() and
sd_json_variant_type_to_string() have been added that may be used to
convert the JSON variant type identifier into a string representation
and back.
* A pair of API calls sd_varlink_get_input_fd() and
sd_varlink_get_output_fd() have been added that allow querying the
connection file descriptors individually for each direction, in case
two distinct file descriptors are used (for example in stdin/stdout
scenarios).
* A new API call sd_varlink_get_current_method() has been added which
reports the method call name currently being processed.
* Two new flags SD_VARLINK_SERVER_ALLOW_FD_PASSING_INPUT and
SD_VARLINK_SERVER_ALLOW_FD_PASSING_OUTPUT have been defined, which
may be passed to sd_varlink_server_new(), and ensure that any
connections associated with the server instance are automatically
created with file descriptor passing enabled for input or output.
* The "io.systemd.System" fallback Varlink errors that sd-varlink
generates for Linux 'errno' style error numbers now carry both the
numeric value (as before) and the symbolic name (i.e. "ENOENT"),
ensuring that the error remains somewhat portable (as the numeric
values are Linux and possibly architecture-specific).
* The generic "io.systemd.service" Varlink service that various of our
long-running services implement, gained a new GetEnvironment() call
that returns the current environment block of the service's main
process. In addition, this service interface has been implemented in
many more long-running services.
* A new sd-varlink call sd_varlink_get_description() has been added
that returns the string previously set via
sd_varlink_set_description().
* A new sd-varlink API call sd_varlink_get_n_fds() has been added that
returns the number of pending incoming file descriptors on the
current message.
* A new flag SD_VARLINK_SERVER_MODE_MKDIR_0755 may now be ORed into the
mode parameter of sd_varlink_server_listen_address(). If specified
then any leading directories in the provided AF_UNIX socket path are
automatically created with an 0755 access mode, should they be
missing.
* sd_varlink_idl_parse() and sd_varlink_interface_free() have been
added to sd-varlink, which can be used to parse Varlink IDL data.
varlinkctl:
* varlinkctl gained a new --exec switch. When used a command line of a
command to execute once a Varlink method call reply has been received
may be specified. The command will receive the method call reply on
standard input in JSON format, and any passed file descriptors via
the $LISTEN_FDS protocol. This is useful for invoking method calls
that return file descriptors from shell scripts.
* varlinkctl gained a new --push-fd= switch which may be used to issue
a Varlink method call and send along one or more file descriptors on
transports that support it (i.e. AF_UNIX).
sd-device:
* A new API call sd_device_enumerator_add_all_parents() has been added
that may be used to include all parent devices of otherwise matching
devices in the enumeration.
* A new API call sd_device_get_sysattr_value_with_size() has been added
that returns a sysfs attribute file in binary form along with its
size.
systemd-logind:
* A new configuration knob WallMessages= has been added to logind.conf,
which may be used to control whether wall(1) style messages shall be
sent to all consoles when the system goes down.
* A new pseudo session class "none" has been defined. This may be used
with the class= parameter of pam_systemd.so (and some other places)
to disable allocation of a systemd-logind session for a specific
session. Note that this is not a recommended mode of operation, as
such "ghost" sessions will not be properly accounted for, and are
excluded from the per-user/per-session resource accounting.
* Two new session classes "user-light"/"user-early-light" have been
added, that are just like the regular "user"/"user-early" session
classes, but differ in one way: they do not cause activation of the
per-user service manager. These new session classes are now used for
logins of non-regular users which are used in a non-interactive way.
* The pidfd inode ID of a session's leader process is now exposed as
D-Bus property for session objects, in addition to the PID. The inode
ID is a 64bit unique identifier for a process that is not vulnerable
to recycling issues.
systemd-resolved:
* When issuing parallel A and AAAA lookups for the same domain name,
and one succeeds quickly, we'll now shorten the timeout for the
other. This should improve behaviour with DNS servers whose IPv6
support is flaky and reply to A quickly but not at all to AAAA.
* The "Monitor" Varlink IPC API of systemd-resolved now gained support
for a new SubscribeDNSConfiguration() call that enables subscription
to any DNS configuration changes, as they happen.
* systemd-networkd-wait-online gained a new --dns switch that ensures
that not only network connectivity is available, but also DNS
configuration is established in systemd-resolved, making use of the
new, aforementioned Varlink interface.
* resolved.conf gained a new setting RefuseRecordTypes= which takes a
list of RR types for which to refuse lookup attempts. This may be
used to for example block A or AAAA lookups on IPv4- or IPv6-only
hosts.
* A new DNS "delegate zone" concept has been introduced, which are
additional lookup scopes (on top of the existing per-interface and
the one global scope so far supported in resolved), which carry one
or more DNS server addresses and a DNS search/routing domain. It
allows routing requests to specific domains to specific servers.
Delegate zones can be configured via drop-ins below
/etc/systemd/dns-delegate.d/*.dns-delegate.
* "resolvectl query -t sshfp" will now decode the returned RR
information, and show the cryptographic algorithms by name instead of
number.
* The search domains hard cap has been bumped from 256 to 1024, in order
to accommodate complex network setups.
systemd-hostnamed:
* The system hardware's serial number may now be read from DeviceTree
too, in addition to the existing SMBIOS/DMI based logic.
* New properties for the Chassis Asset Tag, the hardware SKU, and the
hardware version are now provided (backed by SMBIOS/DMI).
* hostnamed also exposes properties now for the image ID and image
version (this is very useful on image-based systems).
systemd-stub, systemd-boot & bootctl:
* UEFI firmware images may now be embedded in UKIs (in an ".efifw" PE
section), for use in bring-your-own-firmware scenarios in
Confidential Computing. The firmware is matched via CHIDs to the
local invoking VM, in a fashion conceptually close to the DeviceTree
selection already available since v257. If a suitable firmware image
is found at boot, and the system's firmware version does not match it,
the update is applied and the system is rebooted. If the firmware
matches, boot proceeds as usual.
* When systemd-stub is invoked through a network boot provided UKI, it
will now query the source URL and write it to the LoaderDeviceURL EFI
variable. This may then be used by Linux userspace to look for
further resources (such as a root disk image) at the same location.
* systemd-boot now understands two new Boot Loader Specification Type #1
stanzas: "uki" and "uki-url", which is very similar to "efi" and
"linux", and references an UKI, the latter on a remote HTTP/HTTPS
server. The latter is particularly relevant for implementing a fully
UKI based boot process, but with network provided UKI images.
* systemd-boot now looks for the special SMBIOS Type #11 vendor strings
io.systemd.boot.entries-extra=, and synthesizes additional boot menu
entries from the provided data. This is useful with systemd-vmspawn's
--smbios11= switch, see below.
* systemd-stub now defaults to a minimum of 120 available PE sections,
instead of the previous default of 30. This reflects the fact that
multi-profile UKI typically require a lot more sections than
traditional single-profile UKIs. Note that this is just a
compile-time default, downstream distributions might choose to raise
this further – in particular on ARM systems where many Devicetree
blobs shall be embedded into an UKI.
* systemd-boot's loader.conf configuration file gained a new
"reboot-on-error" setting which controls what to do if booting a
selected entry fails, i.e. whether to reboot or just show the menu
again.
* bootctl's --no-variables switch has been replaced by
--variables=yes/no. By setting --variables=yes modification of EFI
variables can be forced now in environments where we'd previously
automatically turn this off (e.g. in choot() contexts).
* bootctl's --graceful is now implicitly enabled when running in a
chroot, to ease integration in packaging scriptlets.
* systemd-stub gained support for a couple of "extension" CHIDs, that
are not part of the Microsoft's original spec, and which include EDID
display identification information in the hash. This may be used to
match Devicetree blobs in UKIs. "systemd-analyze chid" has been
updated to support these extension CHIDs, too. (They are clearly
marked as extensions CHIDs, to emphasize they are systemd's own
invention, and not based on the Windows CHID spec.)
* systemd-boot's loader.conf configuration file gained a new
secure-boot-enroll-action setting which controls the action to take
once automatic Secure Boot keys have been enrolled, i.e. whether to
reboot or whether to shut down the system.
* Userspace may set a new LoaderSysFail EFI variable. It is used by
systemd-boot: when set and the system firmware reports some kind of
system failure (for now this is pretty much only about failed
firmware updates), systemd-boot will use the specified entry instead
of following the usual fallback entry selection logic. bootctl gained
a new "set-sysfail" verb to set this variable.
* systemd-boot will now set LoaderTpm2ActivePcrBanks EFI variable to
let the userspace know which TPM2 PCR banks are available. This is
more reliable then trying to figure this out through sysfs.
* systemd-stub will now also load global sysexts and confexts from
ESP/loader/extensions/*.{sysext,confext}.raw.
systemd-nsresourced & systemd-mountfsd:
* When a new user namespace is registered and a name for it must be
supplied, this name may now optionally be mangled automatically so
that it follows the naming rules for namespaces employed. This makes
it easier to provide suitable identifiers to the service, without any
client-side preparations or clean-ups, and thus ensures allocation of
a userns can ultimately "just work".
* A special, fixed UID/GID range has been defined called the "foreign"
UID/GID range. It's intended to be used to persistently own
bootable OS/container images on disk (i.e. OS trees that use a
UID/GID assignments not local to the host, but "foreign", i.e. they
have their own /etc/passwd + /etc/group table or similar database),
so that they can be mapped to other user namespace UID/GID ranges at
runtime through ID-mapped mounts.
* systemd-mountfsd gained a new IPC call accessible to unprivileged
clients for acquiring an ID-mapped mount for any OS/container
directory tree which is itself owned by the foreign UID/GID range,
and has a parent directory owned by the caller's UID. This means the
systemd-nsresourced/systemd-mountfsd combination is now suitable for
running unprivileged containers both from a disk image and from a
directory tree.
* When activating a DDI via mountfsd's MountImage() call the returned
data will now include the literal path to attach each returned path
to, to simplify implementation of clients.
* systemd-nsresourced gained an API for allocating a network TAP device
to associate with a user namespaces. This can be used by unprivileged
VMMs, to acquire IP networking. The network interface associated with
the TAP device comes with a matching .link and .network file, so that
systemd-networkd will set up IP routing (with masquerading) on it
automatically.
* systemd-nsresourced will now always ask polkit for authorization of
its operations, even if they are supposed to be accessible to
unprivileged clients, so that the PK policy has the last word.
* systemd-nsresourced gained a new API call MakeDirectory(), which
creates a new directory, owned by the foreign UID range. It's
supposed to be used in conjunction with MountDirectory() for creating
and populating new container trees within user/$HOME context.
systemd-nspawn:
* Support for unprivileged invocation of container images stored in
plain directories has been added, using the new IPC APIs provided by
"systemd-mountfsd", see above.
* systemd-nspawn's --private-users= switch now supports a new value
"managed", which will ensure allocation of a userns via
systemd-nsresourced, even if run privileged.
* If systemd-nspawn is used interactively, two new special key
sequences can be used to trigger an immediate clean shutdown or
reboot of the container with systemd running as PID 1: '^]^]p' for
shutdown and '^]^]r' for reboot. This is in addition to the
previously supported '^]^]^]' which triggers immediate shutdown
without going through the usual shutdown logic.
* systemd-nspawn will now invoke the TTY password agent if invoked
interactively and without privileges. This makes sure unprivileged
containers start to work even when no other polkit agent is currently
running for the user. The usual --no-ask-password switch is now also
available in systemd-nspawn to disable this.
* systemd-nspawn gained a new --bind-user-shell= switch which allows to
tweak the shell field of users bound into a container with
--bind-user=….
systemd-vmspawn:
* A new --smbios11= switch may be used to pass an SMBIOS Type #11
vendor string easily into the booted process. This has various uses,
one of them is to add additional menu entries to systemd-boot for a
specific invocation. Example:
--smbios11=io.systemd.boot.entries-extra:particleos-current.conf=$'title ParticleOS Current\nuki-url http://example.com/somedir/uki.efi'
* A new switch --grow-image= has been added taking a size in bytes. If
specified, the image booted into is grown to the specified size if
found to be smaller.
* systemd-vmspawn supports unprivileged networking now, using
systemd-nsresourced's new API to acquire a TAP network device
unprivileged.
* systemd-vmspawn now supports --slice and --property= settings,
matching systemd-nspawn.
* A new --tpm-state= setting allows precise control of TPM state
persistency.
* A new --notify-ready= setting can be used to specify whether to
expect a READY=1 notification from the guest.
systemd-machined:
* systemd-machined now provides a comprehensive Varlink IPC API.
* The pidfd inode ID of a machine's leader process is now exposed as
D-Bus property for machine objects, in addition to the PID. The inode
ID is a 64bit unique identifier for a process that is not vulnerable
to recycling issues.
* A new "org.freedesktop.machine1.register-machine" polkit action is
used when checking for privileges to register a machine. Previously,
"org.freedesktop.machine1.create-machine" was used for creation and
registration operations. The policy for the new action is more
permissive: active users are allowed to perform the action without
authentication.
* systemd-machined now also tracks the "supervisor" process of a
machine, i.e. the host process that manages the payload. This
information is exposed through the Supervisor/SupervisorPIDFDId D-Bus
properties and "supervisor"/supervisorProcessId" varlink properties.
systemd-measure, ukify, systemd-keyutil, systemd-sbsign:
* systemd-measure gained a new "policy-digest" verb. It's a lot like
"sign" but instead of calculating the right TPM policy digest for a
specific UKI to sign and then signing it, it leaves the latter step
out. This is useful to implement offline signing of the policy digest
of UKIS. ukify gained a --policy-digest option that exposes this
logic.
* ukify gained a new --sign-profile= switch for signing a specific UKI
profile (to support multi-profile UKIs).
* ukify gained a pair of --join-pcrsig= and --pcrsig= options which is
useful for offline signing TPM PCR policies, as it allows inserting
pre-prepared PCR signature blobs into a UKI.
* ukify gained a new --pcr-certificate= switch that takes the path to
an X.509 certificate to use in place of a PEM public key, as provided
via the existing --pcr-public=.
* systemd-keyutil gained a new verb "pkcs7" which can be used to
convert between PKCS#1 and PKCS#7 signatures. The --content= switch
may be used to generate inline signatures (as opposed to the default
of detached signatures). It also gained a new --hash-algorithm=
switch to select the hash algorithm for signatures.
* systemd-sbsign learnt support for offline SecureBoot signing via
--prepare-offline-signing, --signed-data=, --signed-data-signature=.
TPM2:
* A new PCR phase string is now measured into PCR 11 when storage
target mode is entered, ensuring that access to TPM key material can
be taken away, once storage target mode is activated.
* Similarly, a new string is measured when booting into factory reset
mode.
* A new service systemd-tpm2-clear.service has been introduced that can
be used to request clearing of the local TPM on next reboot. It comes
with a kernel command line option systemd.tpm2_allow_clear= that
controls its effect. The unit is hooked into the generic
factory-reset.target unit, so that it can do its thing when a factory
reset is requested.
* If systemd-pcrextend (i.e. the tool making the various userspace TPM
PCR measurements) fails to do its thing, an immediate reboot is now
triggered, ensuring that somehow making PCR extensions fails cannot
be used to gain access to TPM objects to which access should have
been blocked already via PCR measurements.
* systemd-pcrlock gained a new "is-supported" verb that determines
whether local TPM and system provide all necessary functionality for
systemd-pcrlock to work. It does a superset of the checks
"systemd-analyze has-tpm2" does, and additionally ensures that the
TPM supports PolicyAuthorizeNV and SHA-256.
systemd-userdbd & systemd-homed:
* User records now support a new field "aliases" that may list
additional names the user record shall be accessible under. Any
string listed in the "aliases" array may be used wherever and
whenever the primary name may be used too, for example when logging
in. systemd-homed and in particular homectl have been updated to
support configuration of such alias names.
* If a user record has an initialized "realm" field, then the record
may now be referenced via the primary user name or any alias name,
suffixed with "@" and the realm, too.
* User records gained new fields tmpLimit, tmpLimitScale, devShmLimit,
devShmLimitScale which enforce quota on /tmp/ and /dev/shm/ at login
time, either in absolute or in relative values. These values default
to 80% for regular users, ensuring that a single user cannot easily
DoS a local system by taking away all disk space in /tmp/. The
homectl tool has been updated to make these new fields configurable.
* The userdb Varlink interface has been extended to support server-side
filtering by UID/GID min/max, fuzzy name matching and user
disposition. Previously this was supported by the userdbctl
client-side only. With this, userdb providers may now optionally
implement this server-side too in order to optimize the lookups.
* User records now support a concept of home "areas",
i.e. subdirectories of the primary $HOME directory that a user can
log into. This is useful to maintain separate development
environments or configuration contexts, but within the ownership of
the same user. Support for this is implemented in systemd-homed, but
is conceptually open to other backends, too.
New home areas can be created via "mkdir -p ~/Areas/ && cp /etc/skel
~/Areas/foo", or removed by "rm -rf ~/Areas/foo". Whenever prompted
for login and a user name is requested, it is possible to enter a
username suffixed by "%" and the area name in order to log into the
specified area of the user. (e.g. "bar%foo"). Effectively this
ensures that $HOME and $XDG_RUNTIME_DIR include the area choice after
login. Note that at this moment it's not possible to log into a full
graphical session with this, since we'd have to start a per-area user
service manager for that, and we currently do not do this. But we
hope to provide this in one of the next releases. In order to
implement all this user records gained a new "defaultArea" field,
which is configurable with homectl's --default-area= switch.
* An explicit MIME type application/x.systemd-home is now used for all
LUKS *.home files managed by systemd.
* userdbctl gained a new switch --from-file=. If used the tool will not
look up a user or group record from the system's user database but
instead read it from the specified JSON file, and then present it in
the usual, human-readable fashion.
* systemd-homed gained D-Bus API calls for listing, adding, removing and
showing use record signing keys.
* homectl gained the verbs "list-signing-keys", "get-signing-key",
"add-signing-key", "remove-signing-key" and a switch
--key-name=. These may be used to easily make a single home directory
usable on multiple systems. A system credential
home.add-signing-key.* has been added that allows provisioning such
user record signing keys at boot.
* homectl gained a new switch "--dry-run" which can be used when
registering/creating users, and which will show the user record data
before it's submitted to systemd-homed. The tool will then terminate
before the submission.
* User/group records' perMachine section now support negative matches
too (i.e. for settings that apply to all systems but some selected
few).
* systemd-homed gained a bus API call AdoptHome() for "adopting" a
.home file or .homedir directory from a foreign system
locally. homectl added a verb "adopt" exposing the new call. Together
with the signing key management functionality described above it
makes it very easy to migrate homes between systems.
* systemd-homed gained two new bus API calls RegisterHome() and
UnregisterHome() for registering a home locally by providing just the
user record, without any logic to actually create the home directory.
homectl gained "register" and "unregister" verbs exposing this. This
is useful for registering network user accounts locally, i.e. where
some foreign user record and home directory already exists on some
server, and just need to be registered locally. This can be used to
make a local systemd-homed home directory securely accessible from
some other system:
$ homectl update lennart --ssh-authorized-keys=… -N \
--storage=cifs --cifs-service="//$HOSTNAME/lennart"
$ homectl get-signing-key |
ssh targetsystem homectl add-signing-key --key-name="$HOSTNAME".public
$ homectl inspect -E lennart |
ssh targetsystem homectl register -
$ ssh lennart@targetsystem
There's also a new system credential 'home.register.*' that causes
registration for the provided user record automatically at boot.
* homectl gained a new switch --seize= taking a boolean argument. If
true when used together with the "create" or "register" verbs any
cryptographic signature information is stripped from the user record,
taking over the user record for local ownership. This switch is
useful when migrating a home directory to a different host, without
retaining the relationship to the originating host.
* homectl gained a new --match= switch which allows to generate
accounts with perMachine matching sections.
* userdbctl gained a new verb "load-credentials", with a service unit
systemd-userdb-load-credentials.service which invokes it. When
invoked this command will look for any passed credentials named
userdb.user.* or userdb.group.*. These credentials may contain
user/group records in JSON format. They will be copied into
/run/userdb/ (where static userdb JSON records can be placed), with
the appropriate symlink from the UID/GID added in, as any membership
relationships between user/groups replicated as .membership files. Or
in other words: it's very easy to provision a complete user/group
record in an invoked system, by providing the user/group JSON record
as system credential. Note that these credentials are unrelated to
similar credentials supported by systemd-homed. "userdb
load-credentials" creates "static" user records via drop-in files in
/run/userdb/ (and thus covers system users and suchlike) while
systemd-homed creates only systemd-homed managed use (i.e. only
regular users).
* User/group records gained a new "uuid" field that may be used to
place an identifying UUID in the record.
systemd-run and run0:
* run0 gained a new --lightweight= switch which controls whether to
pull in a service manager for the target session (i.e. this
ultimately chooses between the "user"/"user-early" session class on
one hand or the "user-light"/"user-early-light" session class on the
other, see above).
* systemd-run gained a new --job-mode= switch for controlling the job
mode when enqueuing the start job for the transient unit. This is
similar to the switch of the same name of "systemctl start".
* run0 gained a new --area= switch for directly entering a specific
home area (see above).
* systemd-run/run0 gained a new --pty-late switch that is just like
--pty but sets up TTY forwarding only once the unit is fully
activated. This is relevant for avoiding TTY ownership collisions between
the TTY forwarding and potential password queries using the
systemd-ask-password infrastructure. run0 now defaults to this mode for
interactive operations.
* The --chdir= switch now accepts the special value '~' to force
changing into the target user's home directory.
* run0 gained a new --via-shell switch that ensures any specified
command is invoked via the target user's shell instead of directly.
DDI support & systemd-dissect:
* systemd-dissect gained a new --loop-ref-auto switch which initializes
the --look-ref= field from a suitable string derived from the DDI
filename.
* systemd-dissect's --attach command now supports a new --quiet switch
that suppressed output of the loopback device node path that is
usually shown.
* A generic service template systemd-loop@.service has been added that
wraps "systemd-dissect --attach", and attaches a disk image whose
path is encoded in the instance identifier of the unit to a new
loopback block device. This may be used to attach arbitrary disk
images to loopback devices at boot.
* There's now a per-user counterpart of /var/lib/machines/ defined as
~/.local/state/machines/. Various tools such as systemd-nspawn +
systemd-vmspawn now will search this directory when looking for a
disk image, when invoked in unprivileged user context.
systemd-dissect's --discover command may now be combined with --user
or --system to choose in which of the directory scopes to look for
images.
* systemd-dissect gained a new --all switch. If specified the tool will
not just discover DDIs (i.e. disk images) but also images stored in
regular directories.
* systemd-dissect gained a new "--shift" switch for recursively
re-chown()ing a directory tree from one set of UID/GIDs to another.
This may be used to shift a tree from the base-0-UID range to the
foreign UID range or back.
* systemd-dissect gained new --usr-hash= and --usr-hash-sig= options,
that are similar to the existing --root-hash=/--root-hash-sig=
options, but for the /usr/ partition. This allows the root hash of
the /usr/ Verity volume and its signature to be specified.
* When dissecting/mounting a DDI disk image, and no Verity root hash or
signature is provided, suitable values are now automatically
discovered from the image itself.
* systemd-gpt-auto-generator now understands root=dissect and
mount.usr=dissect as kernel command line options that explicitly
request the full blown DDI dissector to be used to discover the root
and /usr/ file system, including automatic Verity root hash and
signature discovery, automatic handling of versioning, image policy
enforcement and filtering and so on.
* The DDI dissection logic now understands a concept of partition
"filtering". A partition filter is simply a per-designator globbing
pattern to match the partition labels against. This may be used
support parallel installations of multiple operating systems on the
same disk, where each OS names its partitions with a specific prefix
or similar. systemd-dissect gained a new --image-filter= switch to
configure this filter. The new "dissect_image" udev plugin and
systemd-gpt-auto-generator now understand the new
systemd.image_filter= kernel command line switch configuring this
filter for the system.
systemd-importd & importctl:
* systemd-pull/importctl now supports ASCII armored (*.asc) GPG signatures.
* The systemd.pull= and rd.systemd.pull= kernel command line switches
(which may be used to automatically download a VM, container, confext,
or sysext at boot) now understand a new flag "blockdev". When
specified the downloaded image is attached to a loopback block device
after download. This may be used to boot directly into a disk image
downloaded via HTTP via a kernel command line like this:
rd.systemd.pull=raw,machine,verify=no,blockdev:image:https://192.168.100.1:8081/image.raw \
root=/dev/disk/by-loop-ref/image.raw-part2
* systemd.pull=/rd.systemd.pull= also gained support for a new flag
"bootorigin". If specified and if the system was network booted
through systemd-stub (which now sets the LoaderDeviceURL EFI
variable, see above), the URL to boot from is now automatically
formed from the UKI network boot URL with a new suffix. Example:
rd.systemd.pull=raw,machine,verify=no,blockdev,bootorigin:rootdisk:image.raw.xz \
root=/dev/disk/by-loop-ref/rootdisk.raw-part2
* The systemd.pull=/rd.systemd.pull= switches now also support a new
flag "runtime=", taking a boolean argument. If true the downloaded
image is placed below the /run/ hierarchy instead of /var/. It
defaults to true for rd.systemd.pull= (i.e. for downloads made in the
initrd), and false for systemd.pull= (i.e. for those made after the
initrd→host transition).
* New generic target units imports-pre.target and imports.target have
been introduced that are ordered before and after all downloads.
* systemd-importd gained support for downloading images compressed with
zstd now, too. (In addition to .xz, .gz and .bz2.)
Factory Reset:
* A new tool systemd-factory-reset has been added that may be used to
request or cancel a factory reset request for the next reboot. It is
also accessible via its own Varlink API.
* A new target unit factory-reset-now.target has been added that
executes an immediate factory reset. (Previously factory-reset.target
existed already that requested it for next reboot).
* A new kernel command line option systemd.factory_reset= has been
added for explicitly requesting a factory reset. (Implemented via a
new systemd-factory-reset-generator)
* A new document explaining the factory reset logic in detail has been
added. It is available online here:
https://systemd.io/FACTORY_RESET
systemd-repart:
* systemd-repart gained a new switch --join-signature= for supporting
offline Verity signing.
* systemd-repart gained a new switch --append-fstab= for controlling
how to write or append automatically generated /etc/fstab entries.
* CopyFiles= lines can now contain an "fsverity=copy" flag to preserve
the fs-verity status of the source files when populating the
filesystem.
* systemd-repart has been updated to automatically generate the
extended attributes systemd-validatefs@.service understands (see
below), for all partitions it recognizes. Controllable via the
AddValidateFS= partition setting (which defaults to true).
* repart.d/ drop-ins gained a new setting FileSystemSectorSize= which
allows configuring the sector size that file systems for newly
formatted file systems explicitly.
* systemd-repart will now enforce a minimum size for ESP/XBOOTLDR
partitions of 100M (on 512b sector drives) or 260M (on 4K sector
drives), in accordance to the requirements for these kind of
partitions.
* The Format= setting in repart.d/ files gained support for a special
value "empty". This is a shortcut to set up an empty partition and
set the partition label to "_empty", and set the "NoAuto" GPT
flag. The former is useful as systemd-sysupdate recognizes empty
partitions that way, the latter is useful to ensure that the
partition is not automatically made used of as is, on any OS that
supports GPT.
systemd-analyze:
* systemd-analyze gained a new "chid" verb, which shows the "Computer
Hardware IDs" (CHIDs) of the local system. This is useful for
preparing CHID-to-DeviceTree mappings when building UKIs.
* systemd-analyze gained a new "transient-settings" verb, which shows
all unit settings one can configure dynamically via the
"--property="/"-p" switch when invoking transient units.
* systemd-analyze gained a new "unit-shell" verb that invokes an
interactive shell inside the namespaces of the main process
of a specified unit. This is useful for debugging unit sandboxes, and
getting an idea how things look like from the "inside" of a service.
* systemd-analyze gained a new "unit-gdb" verb to attach a debugger
to a unit.
Other:
* systemd-ask-password now provides a small Varlink API to
interactively query the user for a password using the usual agent
logic. This makes it easier for external programs (for example
daemons) to query for boot-time passwords and similar, using
systemd's infrastructure.
* The logging logic in systemd's codebase now implements the
DEBUG_INVOCATION= interface added to service management in v257. Or
in other words: the RestartMode=debug setting may now be added for
any of systemd's own service and has the intended effect of enabling
debug logging if it gets automatically restarted.
* The "package note" specification ELF binaries has been extended to
cover PE binaries (i.e. UEFI binaries), too.
* New kernel command line parameters systemd.break= and
rd.systemd.break= have been introduced that insert interactive (as
in: shell prompt) "breakpoints" into the boot process at various
locations, in order to simplify debugging. For now four breakpoints
are defined: "pre-udev", "pre-basic", "pre-mount",
"pre-switch-root". Similar functionality has previously existed in
the Dracut initrd generator, but is generalized with this new
concept, and extended to the post-switch-root boot phases.
* The systemd-path tool now learnt new paths for the per-system and
per-user credential store.
* A new tool systemd-pty-forward has been added that allocates a pseudo
TTY ("PTY") and invokes a process on it, forwarding any output to the
TTY it is invoked on. It can optionally apply background coloring and
suchlike, and is mostly just a separate tool that makes the PTY
forwarding logic used in systemd-nspawn, systemd-vmspawn, run0
available separately.
* systemd-oomd can now reload its configuration at runtime, following
the usual protocols.
* systemd-detect & ConditionVirtualization= now recognize the "Arm
Confidential Compute Architecture" (cca) confidential virtualization.
* systemd-detect-virt now correctly distinguishes between bare-metal
and virtualized machines in Google Compute Engine, and will not
report the former as virtualized.
* systemd-sysusers now generates Linux audit records when it adds
system users.
* systemd-firstboot's interactive prompts for locale or keymaps now
support tab completion.
* systemd-mount gained support for a new --canonicalize= switch that
may be used to turn off client-side path canonicalization before
trying to unmount some path.
* systemd-notify gained a new --fork switch which inverts the role that
systemd-notify plays in the sd_notify() protocol: instead of sending
out notification messages, it will listen for them, forking off a
command that is expected to send them. Once READY=1 is received
systemd-notify will exit, leaving the child running. This is useful
for correctly forking off processes that implement the sd_notify()
protocol from shell scripts.
* systemd-fstab-generator now supports a root=bind:… syntax for
creating bind mounts for the root file system. This is useful for
booting into tarballs downloaded at boot. As an example, consider a
kernel command line like this:
rd.systemd.pull=tar,machine,verify=no:root:http://192.168.100.1:8081/image.tar root=bind:/run/machines/root ip=any
* libapparmor is now loaded via dlopen() instead of using direct shared
library linking. This allows downstream distributions to provide AA
support as a runtime option instead of making the AA userspace a
mandatory dependency.
* A new generic remote-integritysetup.target unit has been added that
matches remote-veritysetup.target and remote-cryptsetup.target's role
for remote block devices, but for dm-integrity devices.
* A new document about finding boot components and the root disk of the
OS has been added. It's available online here:
https://systemd.io/ROOTFS_DISCOVERY
* Whenever any systemd tool begins or ends a new TTY context (i.e. takes
over a TTY for some time) a new OSC sequence is now emitted, with
various details about the context. This new OSC sequence can be
interpreted by terminal emulators to visualize the context/source TTY
output originates from or to show various kinds of metadata for
it. The OSC sequence is specified in this document:
https://systemd.io/OSC_CONTEXT
Contexts are generated for systemd-nspawn/systemd-vmspawn boots, for
run0 or systemd-run sessions, whenever PAM TTY sessions start or end,
and when shell command executions start and end. Metadata sent along
contains hostname, machine ID, boot ID, exit status, unit information
and more.
* If PID 1 makes up a suitable $TERM for a TTY it activates a service
on (in case there are no other hints on how to choose it) it will now
also set $COLORTERM=truecolor. Moreover, if $COLORTERM or $NO_COLOR
are set on the kernel cmdline we'll now import them into PID1's
environment block, just like $TERM itself. Moreover, systemd-nspawn
and run0 will now propagate $COLORTERM and $NO_COLOR from the calling
to the target environment, if set, just like $TERM is already
handled. Or to say this with different words: the triplet of $TERM,
$COLORTERM, $NO_COLOR is now processed jointly and in similar ways,
wherever appropriate.
* systemd-update-done gained a new --root= switch to operate in
"offline" mode on a specific file system tree.
* A new template service systemd-validatefs@.service has been added
that can validate usage of file systems. Specifically, it will look
for certain extended attributes stored on the top-level directory
inode of the mount, which may encode various constraints on use of
the file system. For example, it may encode a directory path the file
system must be mounted to, a GPT type UUID that must be used for the
partition the file system is located in and more. This provides
protection in case GPT auto-discovery is used to discover the mounts,
but essential metadata outside of the file system itself has been
tampered with. This operates under the assumption that the extended
attributes on the root inode of the file system are protected by
dm-verity or dm-crypt/dm-integrity, even if the GPT metadata has no
equivalent cryptographic protection. If a file system carries these
extended attributes but they do not match the current use and
location of the file system an immediate reboot is triggered.
* systemd-gpt-auto-generator now understands a new mount option
x-systemd.validatefs for /etc/fstab entries. If specified an instance
of systemd-validatefs@.service is automatically pulled in by the
relevant mount.
* systemd-fstab-auto-generator and systemd-gpt-auto-generator now
understand root=off on the kernel command line which may be used to
turn off any automatic or non-automatic mounting of the root file
system. This is useful in scenarios where a boot process shall never
transition from initrd context into host context.
* systemd-ssh-proxy now supports an alternative syntax for connecting
to SSH-over-AF_VSOCK, in order to support scp and rsync better: "scp
foo.txt vsock%4711:" should work now. (The pre-existing syntax used
"/" instead of "%" as separator, which is ambiguous in scp/rsync
context even if not for ssh itself.)
* "systemctl start" and related verbs now support a new --verbose
mode. If specified the live log output of the units operated on is
shown as long as the operation lasts.
* sd-bus: a new API call sd_bus_message_dump_json() returns a JSON
representation of a D-Bus message.
* sd-daemon: a new call sd_pidfd_get_inode_id() has been added
for acquiring the unique inode ID of a pidfd, coupling the
$MAINPIDFDID/$MANAGERPIDFDID and session/machine leader pidfd IDs
exposed as described above.
* systemd-coredump will now attach a new COREDUMP_DUMPABLE= journal
field to all coredumps indicating the "dumpable" per-process flag (as
settable via PR_SET_DUMPABLE) at the moment the coredump took
place. It will also add a new journal field COREDUMP_BY_PIDFD= that
indicates whether the coredump was acquired via a stable pidfd to the
process.
* systemd-sysext (and portable services with sysexts applied) will now
take the os-release "ID_LIKE=" field into account when validating that
a sysext images is compatible with the underlying image. Previously
it would only check "ID=".
* A new UID range has been defined for "greeters", i.e. graphical login
prompt UIs that shall be security isolated from each other. This is
supposed to be used by graphical display managers (specifically:
gdm), to ensure that it is harder to exploit the UI sessions used to
prompt the user for login credentials, in order to gain access to the
prompts of other users.
* systemd-socket-activate gained a new --now switch which ensures the
specified binary is immediately invoked, and not delayed until a
connection comes in.
* systemd-ssh-generator will now generate the AF_VSOCK ssh listener
.socket unit, so that a tiny new helper "systemd-ssh-issue" is
invoked when the socket is bound, that generates a drop-in file
/run/issue.d/50-ssh-vsock.issue that is shown by "login" and other
subsystems at login time. The file reports the AF_VSOCK CID of the
system, along with very brief information how to connect to the
system via ssh-over-AF_VSOCK. Or in other words: if the system is
booted up in an AF_VSOCK capable VM the console login screen shown
once boot-up is complete will tell you how to connect to the system
via SSH, if that's available.
* systemd-fsck gained fsck.mode and fsck.repair credentials support to
control the execution mode of fsck.
* systemd-quotacheck gained quotacheck.mode credential support to
control the execution mode of quotacheck.
Contributors
Contributions from: 16mc1r, A. Wilcox, Aaron Rogers,
Abderrahim Kitouni, Adam Williamson, Adrian Vovk, Ahmad Fatoum,
Alberto Planas, Alex, Alex Xu (Hello71), Alexander Bruy,
Alexander Krabler, Alexander Kurtz, Alexander Shopov,
Alexander Stepchenko, Allison Karlitskaya, Aman Verma,
Américo Monteiro, Andika Triwidada, AndreFerreiraMsc,
Andreas Henriksson, Andreas Schneider, Andreas Stührk,
Andres Beltran, Andrew Sayers, Andrii Chubatiuk, André Monteiro,
Andy Shevchenko, Ani Sinha, Anthony Avina, Anthony Messina,
Anton Ryzhov, Antonio Alvarez Feijoo, Arian van Putten,
Arkadiusz Bokowy, Arnaudv6, AsciiWolf, Avram Dorfman,
Bastien Nocera, Beniamino Galvani, Brett Holman, Busayo Dada,
ButterflyOfFire, Carlo Teubner, Chris Grant, Chris Hofstaedtler,
Chris Mayo, Christian Glombek, Christian Hesse, Colin Foster,
Cosima Neidahl, Craig McLure, Daan De Meyer, DaanDeMeyer,
Dai MIKURUBE, Dan McGregor, Dan Streetman, Daniel Foster,
Daniel Rusek, Daniil, David C. Manuelda, David Härdeman,
David Rheinsberg, David Tardon, Debarshi Ray, Deli Zhang,
Devilish Spirits, Dimitri John Ledkov, Duncan Overbruck,
Dusty Mabe, Eaterminer, Eisuke Kawashima, Emilio Sepulveda,
Emir SARI, Emmanuel Ferdman, Enrico Tagliavini, Erik Larsson,
Erin Shepherd, Ettore Atalan, Fabian Möller, Fabian Vogt,
Fco. Javier F. Serrador, Federico Giovanardi, Fleuria,
Florian Schmaus, Franck Bui, Frantisek Sumsal, Frede Braendstrup,
Gabríel Arthúr Pétursson, Gavin Li, George Tsiamasiotis,
Graham Clinch, Grimmauld, H A, Hang Li, Harrison Vanderbyl,
Hendrik Wolff, Henri Aunin, Igor Opaniuk, Itxaka, Ivan Kruglov,
Ivan Trubach, Jacob McNamee, James Hilliard, Jan Engelhardt,
Jan Kalabza, Jan Macku, Jan Vaclav, Jan Čermák, Jared Baur,
Jaroslav Škarvada, Javier Francisco, Jelle van der Waa,
Jeremy Linton, Jesper Nilsson, Jesse Guo, Jim Spentzos,
Joaquim Monteiro, Joey Holtzman, John Rinehart, Jonas Gorski,
Jordan Petridis, Jose Ortuno, Jules Lamur, Justinas Kairys,
Jörg Behrmann, Katariina Lounento, Kevin P. Fleming, Khem Raj,
KidGrimes, Kurt Borja, Lennart Poettering, Li Tian, Lin Jian,
Linus Heckemann, Lorenzo Arena, Louis Sautier, LuK1337,
Luca Boccassi, Lucas Adriano Salles, Luke Yeager, Lukáš Nykrýn,
Luna Jernberg, Léane GRASSER, Marco Trevisan (Treviño),
Marcos Alano, Mario Limonciello, Markus Kurz, Martin Hundebøll,
Martin Srebotnjak, Martin Wilck, Mate Kukri, Matteo Croce,
Matthew Schwartz, Matthias Lisin, Matthieu Baerts (NGI0),
Matthieu LAURENT, MaxHearnden, Michael Catanzaro, Michael Ferrari,
Michael Limiero, Michael Olbrich, Michal Koutný,
Michal Sekletár, Michał Moczulski, Mike Yuan, Miroslav Lichvar,
Morten Hauke Solvang, Muhammad Nuzaihan Bin Kamal Luddin,
Myrrh Periwinkle, Nathan, NetSysFire, Nick Labich, Nick Owens,
Nick Rosbrook, Nils K, Noel Georgi, Nuno Sá, Oliver Schramm,
Paul Fertser, Pavithra Barithaya, Philip Freeman, Philip Withnall,
Piotr Drąg, Pontus Lundkvist, Ricky Tigg, RocketDev, Ronan Pigott,
Rostislav Lastochkin, Rudi Heitbaum, Ryan Blue, Ryan Thompson,
Ryan Wilson, Salim B, Salvatore Cocuzza, Sam James, Sam Leonard,
Samuel Dionne-Riel, Sea-Eun Lee, Septatrix, Shubhendra Kushwaha,
Silvio Knizek, Solar Designer, SoloSaravanan, Sonia Zorba,
Soumyadeep Ghosh, Stefan Hansson, Stefan Herbrechtsmeier,
Steve Ramage, Temuri Doghonadze, TheHillBright, Thomas Hebb,
Thorsten Kukuk, Tim Crawford, Tim Small, Tim Vangehugten,
Tobias Heider, Tobias Klauser, Todd C. Miller, Tommi Rantala,
Tommy Unger, Trollimpo, Ubuntu, Valentin David, Valentin Hăloiu,
Vasiliy Kovalev, Vishal Chillara Srinivas, Vishwanath Chandapur,
Vitaly Kuznetsov, Volodymyr Shkriabets, Vyacheslav Yurkov,
Werner Sembach, Y T, Yaping Li, Yu Watanabe, ZIHCO,
Zbigniew Jędrzejewski-Szmek, andrejpodzimek, anonymix007, cvlc12,
damnkiwi6120, davjav, fishears, hanjinpeng, haxibami, herbrechtsmeier,
honjow, hsu zangmen, igo95862, jane400, jinyaoguo, joo es,
kanitha chim, keentux, kmeaw, luc-salles, madroach, maia x.,
msizanoen, naly zzwd, nkraetzschmar, nl6720, novenary, peelz,
persmule, richfifeg, ssoss, tim tom, tuxmainy, tytan652, ver4a,
victor-ok, vlefebvre, wrvsrx, wtmpx, xinpeng wang, z z,
Дамјан Георгиевски, 铝箔
— Edinburgh, 2025/08/20
