forked from systemd/systemd
-
Notifications
You must be signed in to change notification settings - Fork 0
/
NEWS
5501 lines (4413 loc) · 265 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
systemd System and Service Manager
CHANGES WITH 227:
* systemd now depends on util-linux v2.27. More specifically,
the newly added mount monitor feature in libmount now
replaces systemd's former own implementation.
* libmount mandates /etc/mtab not to be regular file, and
systemd now enforces this condition at early boot.
/etc/mtab has been deprecated and warned about for a very
long time, so systems running systemd should already have
stopped having this file around as anything else than a
symlink to /proc/self/mounts.
* Support for the "pids" cgroup controller has been added.
It allows accounting the number of tasks in a cgroup and
enforcing limits on it. This adds two new setting
TasksAccounting= and TasksMax= to each unit, as well as a
global option DefaultTasksAccounting=.
* Support for the "net_cls" cgroup controller has been added.
It allows assigning a net class ID to each task in the
cgroup, which can then be used in firewall rules and traffic
shaping configurations. Note that the kernel netfilter net
class code does not currently work reliably for ingress
packets on unestablished sockets.
This adds a new config directive called NetClass= to CGroup
enabled units. Allowed values are positive numbers for fixed
assignments and "auto" for picking a free value
automatically.
* 'systemctl is-system-running' now returns 'offline' if the
system is not booted with systemd. This command can now be
used as a substitute for 'systemd-notify --booted'.
* Watchdog timeouts have been increased to 3 minutes for all
in-tree service files. Apparently, disk IO issues are more
frequent than we hoped, and user reported >1 minute waiting
for disk IO.
* 'machine-id-commit' functionality has been merged into
'machine-id-setup --commit'. The separate binary has been
removed.
* The WorkingDirectory= directive in unit files may now be
set to the special value '~'. In this case, the working
directory is set to the home directory of the user configured
in User=.
* "machinectl shell" will now open the shell in the home
directory of the selected user by default.
* A new systemd.crash_reboot=1 kernel command line option has
been added that triggers a reboot after crashing. This can
also be set through CrashReboot= in systemd.conf.
* The CrashChVT= configuration file setting is renamed to
CrashChangeVT=, following our usual logic of not abbreviating
unnecessarily. The old directive is still supported for compat
reasons. Also, this directive now takes an integer value
between 1 and 63, or a boolean value. The formerly supported
'-1' value for disabling stays around for compat reasons.
* The PrivateTmp=, PrivateDevices=, PrivateNetwork=,
NoNewPrivileges=, TTYPath=, WorkingDirectory= and
RootDirectory= properties can now be set for transient
units.
* The systemd-analyze tool gained a new "set-log-target" verb
to change the logging target the system manager logs to
dynamically during runtime. This is similar to how
"systemd-analyze set-log-level" already changes the log
level.
* In nspawn /sys is now mounted as tmpfs, with only a selected
set of subdirectories mounted in from the real sysfs. This
enhances security slightly, and is useful for ensuring user
namespaces work correctly.
* Support for USB FunctionFS activation has been added. This
allows implementation of USB gadget services that are
activated as soon as they are requested, so that they don't
have to run continously, similar to classic socket
activation.
* The "systemctl exit" command now optionally takes an
additional parameter that sets the exit code to return from
the systemd manager when exiting. This is only relevant when
running the systemd user instance, or when running the
system instance in a container.
* sd-bus gained the new API calls sd_bus_path_encode_many()
and sd_bus_path_decode_many() that allow easy encoding and
decoding of multiple identifier strings inside a D-Bus
object path. Another new call sd_bus_default_flush_close()
has been added to flush and close per-thread default
connections.
* systemd-cgtop gained support for a -M/--machine= switch to
show the control groups within a certain container only.
* "systemctl kill" gained support for an optional --fail
switch. If specified the requested operation will fail of no
processes have been killed, because the unit had no
processes attached, or similar.
* A new (still internal) libary API sd-ipv4acd has been added,
that implements address conflict detection for IPv4. It's
based on code from sd-ipv4ll, and will be useful for
detecting DHCP address conflicts.
* The RuntimeDirectory= setting now understands unit
specifiers like %i or %f.
* networkd gained support for setting the IPv6 Router
Advertisment settings via IPv6AcceptRouterAdvertisements= in
.network files.
* udev will now create /dev/disk/by-path links for ATA devices
on kernels where that is supported.
* When downloading tar or raw images using "machinectl
pull-tar" or "machinectl pull-raw", a matching ".nspawn"
file is now also downloaded, if it is available and stored
next to the image file.
* Units of type ".socket" gained a new boolean setting
Writable= which is only useful in conjunction with
ListenSpecial=. If true, enables opening the specified
special file in O_RDWR mode rather than O_RDONLY mode.
* systemd-rfkill has been reworked to become a singleton
service that is activated through /dev/rfkill on each rfkill
state change and saves the settings to disk. This way,
systemd-rfkill is now compatible with devices that exist
only intermittendly, and even restores state if the previous
system shutdown was abrupt rather than clean.
* Galician, Seriban, Turkish and Korean translations were added.
Contributions from:
-- Berlin, 2015-09-xx
CHANGES WITH 226:
* The DHCP implementation of systemd-networkd gained a set of
new features:
- The DHCP server now supports emitting DNS and NTP
information. It may be enabled and configured via
EmitDNS=, DNS=, EmitNTP=, and NTP=. If transmission of DNS
and NTP information is enabled, but no servers are
configured, the corresponding uplink information (if there
is any) is propagated.
- Server and client now support transmission and reception
of timezone information. It can be configured via the
newly introduced network options UseTimezone=,
EmitTimezone=, and Timezone=. Transmission of timezone
information is enabled between host and containers by
default now: the container will change its local timezone
to what the host has set.
- Lease timeouts can now be configured via
MaxLeaseTimeSec= and DefaultLeaseTimeSec=.
- The DHCP server improved on the stability of
leases. Clients are more likely to get the same lease
information back, even if the server loses state.
- The DHCP server supports two new configuration options to
control the lease address pool metrics, PoolOffset= and
PoolSize=.
* The encapsulation limit of tunnels in systemd-networkd may
now be configured via 'EncapsulationLimit='. It allows
modifying the maximum additional levels of encapsulation
that are permitted to be prepended to a packet.
* systemd now supports the concept of user buses replacing
session buses, if used with dbus-1.10 (and enabled via dbus
--enable-user-session). It previously only supported this on
kdbus-enabled systems, and this release expands this to
'dbus-daemon' systems.
* systemd-networkd now supports predictable interface names
for virtio devices.
* systemd now optionally supports the new Linux kernel
"unified" control group hierarchy. If enabled via the kernel
command-line option 'systemd.unified_cgroup_hierarchy=1',
systemd will try to mount the unified cgroup hierarchy
directly on /sys/fs/cgroup. If not enabled, or not
available, systemd will fall back to the legacy cgroup
hierarchy setup, as before. Host system and containers can
mix and match legacy and unified hierarchies as they
wish. nspawn understands the $UNIFIED_CROUP_HIERARCHY
environment variable to individually select the hierarchy to
use for executed containers. By default, nspawn will use the
unified hierarchy for the containers if the host uses the
unified hierarchy, and the legacy hierarchy otherwise.
Please note that at this point the unified hierarchy is an
experimental kernel feature and is likely to change in one
of the next kernel releases. Therefore, it should not be
enabled by default in downstream distributions yet. The
minimum required kernel version for the unified hierarchy to
work is 4.2. Note that when the unified hierarchy is used
for the first time delegated access to controllers is
safe. Because of this systemd-nspawn containers will get
access to controllers now, as will systemd user
sessions. This means containers and user sessions may now
manage their own resources, partitioning up what the system
grants them.
* A new special scope unit "init.scope" has been introduced
that encapsulates PID 1 of the system. It may be used to
determine resource usage and enforce resource limits on PID
1 itself. PID 1 hence moved out of the root of the control
group tree.
* The cgtop tool gained support for filtering out kernel
threads when counting tasks in a control group. Also, the
count of processes is now recursively summed up by
default. Two options -k and --recursive= have been added to
revert to old behaviour. The tool has also been updated to
work correctly in containers now.
* systemd-nspawn's --bind= and --bind-ro= options have been
extended to allow creation of non-recursive bind mounts.
* libsystemd gained two new calls sd_pid_get_cgroup() and
sd_peer_get_cgroup() which return the control group path of
a process or peer of a connected AF_UNIX socket. This
function call is particularly useful when implementing
delegated subtrees support in the control group hierarchy.
* The "sd-event" event loop API of libsystemd now supports
correct dequeuing of real-time signals, without losing
signal events.
* When systemd requests a PolicyKit decision when managing
units it will now add additional fields to the request,
including unit name and desired operation. This enables more
powerful PolicyKit policies, that make decisions depending
on these parameters.
* nspawn learnt support for .nspawn settings files, that may
accompany the image files or directories of containers, and
may contain additional settings for the container. This is
an alternative to configuring container parameters via the
nspawn command line.
Contributions from: Cristian Rodríguez, Daniel Mack, David
Herrmann, Eugene Yakubovich, Evgeny Vereshchagin, Filipe
Brandenburger, Hans de Goede, Jan Alexander Steffens, Jan
Synacek, Kay Sievers, Lennart Poettering, Mangix, Marcel
Holtmann, Martin Pitt, Michael Biebl, Michael Chapman, Michal
Sekletar, Peter Hutterer, Piotr Drąg, reverendhomer, Robin
Hack, Susant Sahani, Sylvain Pasche, Thomas Hindoe Paaboel
Andersen, Tom Gundersen, Torstein Husebø
-- Berlin, 2015-09-08
CHANGES WITH 225:
* machinectl gained a new verb 'shell' which opens a fresh
shell on the target container or the host. It is similar to
the existing 'login' command of machinectl, but spawns the
shell directly without prompting for username or
password. The pseudo machine '.host' now refers to the local
host and is used by default. Hence, 'machinectl shell' can
be used as replacement for 'su -' which spawns a session as
a fresh systemd unit in a way that is fully isolated from
the originating session.
* systemd-networkd learned to cope with private-zone DHCP
options and allows other programs to query the values.
* SELinux access control when enabling/disabling units is no
longer enforced with this release. The previous
implementation was incorrect, and a new corrected
implementation is not yet available. As unit file operations
are still protected via PolicyKit and D-Bus policy this is
not a security problem. Yet, distributions which care about
optimal SELinux support should probably not stabilize on
this release.
* sd-bus gained support for matches of type "arg0has=", that
test for membership of strings in string arrays sent in bus
messages.
* systemd-resolved now dumps the contents of its DNS and LLMNR
caches to the logs on reception of the SIGUSR1 signal. This
is useful to debug DNS behaviour.
* The coredumpctl tool gained a new --directory= option to
operate on journal files in a specific directory.
* "systemctl reboot" and related commands gained a new
"--message=" option which may be used to set a free-text
wall message when shutting down or rebooting the
system. This message is also logged, which is useful for
figuring out the reason for a reboot or shutdown a
posteriori.
* The "systemd-resolve-host" tool's -i switch now takes
network interface numbers as alternative to interface names.
* A new unit file setting for services has been introduced:
UtmpMode= allows configuration of how precisely systemd
handles utmp and wtmp entries for the service if this is
enabled. This allows writing services that appear similar to
user sessions in the output of the "w", "who", "last" and
"lastlog" tools.
* systemd-resolved will now locally synthesize DNS resource
records for the "localhost" and "gateway" domains as well as
the local hostname. This should ensure that clients querying
RRs via resolved will get similar results as those going via
NSS, if nss-myhostname is enabled.
Contributions from: Alastair Hughes, Alex Crawford, Daniel
Mack, David Herrmann, Dimitri John Ledkov, Eric Kostrowski,
Evgeny Vereshchagin, Felipe Sateler, HATAYAMA Daisuke, Jan
Pokorný, Jan Synacek, Johnny Robeson, Karel Zak, Kay Sievers,
Kefeng Wang, Lennart Poettering, Major Hayden, Marcel
Holtmann, Markus Elfring, Martin Mikkelsen, Martin Pitt, Matt
Turner, Maxim Mikityanskiy, Michael Biebl, Namhyung Kim,
Nicolas Cornu, Owen W. Taylor, Patrik Flykt, Peter Hutterer,
reverendhomer, Richard Maw, Ronny Chevalier, Seth Jennings,
Stef Walter, Susant Sahani, Thomas Blume, Thomas Hindoe
Paaboel Andersen, Thomas Meyer, Tom Gundersen, Vincent Batts,
WaLyong Cho, Zbigniew Jędrzejewski-Szmek
-- Berlin, 2015-08-27
CHANGES WITH 224:
* The systemd-efi-boot-generator functionality was merged into
systemd-gpt-auto-generator.
* systemd-networkd now supports Group Policy for vxlan
devices. It can be enabled via the new boolean configuration
option called 'GroupPolicyExtension='.
Contributions from: Andreas Kempf, Christian Hesse, Daniel Mack, David
Herrmann, Herman Fries, Johannes Nixdorf, Kay Sievers, Lennart
Poettering, Peter Hutterer, Susant Sahani, Tom Gundersen
-- Berlin, 2015-07-31
CHANGES WITH 223:
* The python-systemd code has been removed from the systemd repository.
A new repository has been created which accommodates the code from
now on, and we kindly ask distributions to create a separate package
for this: https://github.com/systemd/python-systemd
* The systemd daemon will now reload its main configuration
(/etc/systemd/system.conf) on daemon-reload.
* sd-dhcp now exposes vendor specific extensions via
sd_dhcp_lease_get_vendor_specific().
* systemd-networkd gained a number of new configuration options.
- A new boolean configuration option for TAP devices called
'VNetHeader='. If set, the IFF_VNET_HDR flag is set for the
device, thus allowing to send and receive GSO packets.
- A new tunnel configuration option called 'CopyDSCP='.
If enabled, the DSCP field of ip6 tunnels is copied into the
decapsulated packet.
- A set of boolean bridge configuration options were added.
'UseBPDU=', 'HairPin=', 'FastLeave=', 'AllowPortToBeRoot=',
and 'UnicastFlood=' are now parsed by networkd and applied to the
respective bridge link device via the respective IFLA_BRPORT_*
netlink attribute.
- A new string configuration option to override the hostname sent
to a DHCP server, called 'Hostname='. If set and 'SendHostname='
is true, networkd will use the configured hostname instead of the
system hostname when sending DHCP requests.
- A new tunnel configuration option called 'IPv6FlowLabel='. If set,
networkd will configure the IPv6 flow-label of the tunnel device
according to RFC2460.
- The 'macvtap' virtual network devices are now supported, similar to
the already supported 'macvlan' devices.
* systemd-resolved now implements RFC5452 to improve resilience against
cache poisoning. Additionally, source port randomization is enabled
by default to further protect against DNS spoofing attacks.
* nss-mymachines now supports translating UIDs and GIDs of running
containers with user-namespaces enabled. If a container 'foo'
translates a host uid 'UID' to the container uid 'TUID', then
nss-mymachines will also map uid 'UID' to/from username 'vu-foo-TUID'
(with 'foo' and 'TUID' replaced accordingly). Similarly, groups are
mapped as 'vg-foo-TGID'.
Contributions from: Beniamino Galvani, cee1, Christian Hesse, Daniel
Buch, Daniel Mack, daurnimator, David Herrmann, Dimitri John Ledkov,
HATAYAMA Daisuke, Ivan Shapovalov, Jan Alexander Steffens (heftig),
Johan Ouwerkerk, Jose Carlos Venegas Munoz, Karel Zak, Kay Sievers,
Lennart Poettering, Lidong Zhong, Martin Pitt, Michael Biebl, Michael
Olbrich, Michal Schmidt, Michal Sekletar, Mike Gilbert, Namhyung Kim,
Nick Owens, Peter Hutterer, Richard Maw, Steven Allen, Sungbae Yoo,
Susant Sahani, Thomas Blume, Thomas Hindoe Paaboel Andersen, Tom
Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Vito Caputo,
Vivenzio Pagliari, Zbigniew Jędrzejewski-Szmek
-- Berlin, 2015-07-29
CHANGES WITH 222:
* udev does not longer support the WAIT_FOR_SYSFS= key in udev rules.
There are no known issues with current sysfs, and udev does not need
or should be used to work around such bugs.
* udev does no longer enable USB HID power management. Several reports
indicate, that some devices cannot handle that setting.
* The udev accelerometer helper was removed. The functionality
is now fully included in iio-sensor-proxy. But this means,
older iio-sensor-proxy versions will no longer provide
accelerometer/orientation data with this systemd version.
Please upgrade iio-sensor-proxy to version 1.0.
* networkd gained a new configuration option IPv6PrivacyExtensions=
which enables IPv6 privacy extensions (RFC 4941, "Privacy Extensions
for Stateless Address") on selected networks.
* For the sake of fewer build-time dependencies and less code in the
main repository, the python bindings are about to be removed in the
next release. A new repository has been created which accommodates
the code from now on, and we kindly ask distributions to create a
separate package for this. The removal will take place in v223.
https://github.com/systemd/python-systemd
Contributions from: Abdo Roig-Maranges, Andrew Eikum, Bastien Nocera,
Cédric Delmas, Christian Hesse, Christos Trochalakis, Daniel Mack,
daurnimator, David Herrmann, Dimitri John Ledkov, Eric Biggers, Eric
Cook, Felipe Sateler, Geert Jansen, Gerd Hoffmann, Gianpaolo Macario,
Greg Kroah-Hartman, Iago López Galeiras, Jan Alexander Steffens
(heftig), Jan Engelhardt, Jay Strict, Kay Sievers, Lennart Poettering,
Markus Knetschke, Martin Pitt, Michael Biebl, Michael Marineau, Michal
Sekletar, Miguel Bernal Marin, Peter Hutterer, Richard Maw, rinrinne,
Susant Sahani, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein
Husebø, Vedran Miletić, WaLyong Cho, Zbigniew Jędrzejewski-Szmek
-- Berlin, 2015-07-07
CHANGES WITH 221:
* The sd-bus.h and sd-event.h APIs have now been declared
stable and have been added to the official interface of
libsystemd.so. sd-bus implements an alternative D-Bus client
library, that is relatively easy to use, very efficient and
supports both classic D-Bus as well as kdbus as transport
backend. sd-event is a generic event loop abstraction that
is built around Linux epoll, but adds features such as event
prioritization or efficient timer handling. Both APIs are good
choices for C programs looking for a bus and/or event loop
implementation that is minimal and does not have to be
portable to other kernels.
* kdbus support is no longer compile-time optional. It is now
always built-in. However, it can still be disabled at
runtime using the kdbus=0 kernel command line setting, and
that setting may be changed to default to off, by specifying
--disable-kdbus at build-time. Note though that the kernel
command line setting has no effect if the kdbus.ko kernel
module is not installed, in which case kdbus is (obviously)
also disabled. We encourage all downstream distributions to
begin testing kdbus by adding it to the kernel images in the
development distributions, and leaving kdbus support in
systemd enabled.
* The minimal required util-linux version has been bumped to
2.26.
* Support for chkconfig (--enable-chkconfig) was removed in
favor of calling an abstraction tool
/lib/systemd/systemd-sysv-install. This needs to be
implemented for your distribution. See "SYSV INIT.D SCRIPTS"
in README for details.
* If there's a systemd unit and a SysV init script for the
same service name, and the user executes "systemctl enable"
for it (or a related call), then this will now enable both
(or execute the related operation on both), not just the
unit.
* The libudev API documentation has been converted from gtkdoc
into man pages.
* gudev has been removed from the systemd tree, it is now an
external project.
* The systemd-cgtop tool learnt a new --raw switch to generate
"raw" (machine parsable) output.
* networkd's IPForwarding= .network file setting learnt the
new setting "kernel", which ensures that networkd does not
change the IP forwarding sysctl from the default kernel
state.
* The systemd-logind bus API now exposes a new boolean
property "Docked" that reports whether logind considers the
system "docked", i.e. connected to a docking station or not.
Contributions from: Alex Crawford, Andreas Pokorny, Andrei
Borzenkov, Charles Duffy, Colin Guthrie, Cristian Rodríguez,
Daniele Medri, Daniel Hahler, Daniel Mack, David Herrmann,
David Mohr, Dimitri John Ledkov, Djalal Harouni, dslul, Ed
Swierk, Eric Cook, Filipe Brandenburger, Gianpaolo Macario,
Harald Hoyer, Iago López Galeiras, Igor Vuk, Jan Synacek,
Jason Pleau, Jason S. McMullan, Jean Delvare, Jeff Huang,
Jonathan Boulle, Karel Zak, Kay Sievers, kloun, Lennart
Poettering, Marc-Antoine Perennou, Marcel Holtmann, Mario
Limonciello, Martin Pitt, Michael Biebl, Michael Olbrich,
Michal Schmidt, Mike Gilbert, Nick Owens, Pablo Lezaeta Reyes,
Patrick Donnelly, Pavel Odvody, Peter Hutterer, Philip
Withnall, Ronny Chevalier, Simon McVittie, Susant Sahani,
Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein
Husebø, Umut Tezduyar Lindskog, Viktar Vauchkevich, Werner
Fink, Zbigniew Jędrzejewski-Szmek
-- Berlin, 2015-06-19
CHANGES WITH 220:
* The gudev library has been extracted into a separate repository
available at: https://git.gnome.org/browse/libgudev/
It is now managed as part of the Gnome project. Distributions
are recommended to pass --disable-gudev to systemd and use
gudev from the Gnome project instead. gudev is still included
in systemd, for now. It will be removed soon, though. Please
also see the announcement-thread on systemd-devel:
http://lists.freedesktop.org/archives/systemd-devel/2015-May/032070.html
* systemd now exposes a CPUUsageNSec= property for each
service unit on the bus, that contains the overall consumed
CPU time of a service (the sum of what each process of the
service consumed). This value is only available if
CPUAccounting= is turned on for a service, and is then shown
in the "systemctl status" output.
* Support for configuring alternative mappings of the old SysV
runlevels to systemd targets has been removed. They are now
hardcoded in a way that runlevels 2, 3, 4 all map to
multi-user.target and 5 to graphical.target (which
previously was already the default behaviour).
* The auto-mounter logic gained support for mount point
expiry, using a new TimeoutIdleSec= setting in .automount
units. (Also available as x-systemd.idle-timeout= in /etc/fstab).
* The EFI System Partition (ESP) as mounted to /boot by
systemd-efi-boot-generator will now be unmounted
automatically after 2 minutes of not being used. This should
minimize the risk of ESP corruptions.
* New /etc/fstab options x-systemd.requires= and
x-systemd.requires-mounts-for= are now supported to express
additional dependencies for mounts. This is useful for
journalling file systems that support external journal
devices or overlay file systems that require underlying file
systems to be mounted.
* systemd does not support direct live-upgrades (via systemctl
daemon-reexec) from versions older than v44 anymore. As no
distribution we are aware of shipped such old versions in a
stable release this should not be problematic.
* When systemd forks off a new per-connection service instance
it will now set the $REMOTE_ADDR environment variable to the
remote IP address, and $REMOTE_PORT environment variable to
the remote IP port. This behaviour is similar to the
corresponding environment variables defined by CGI.
* systemd-networkd gained support for uplink failure
detection. The BindCarrier= option allows binding interface
configuration dynamically to the link sense of other
interfaces. This is useful to achieve behaviour like in
network switches.
* systemd-networkd gained support for configuring the DHCP
client identifier to use when requesting leases.
* systemd-networkd now has a per-network UseNTP= option to
configure whether NTP server information acquired via DHCP
is passed on to services like systemd-timesyncd.
* systemd-networkd gained support for vti6 tunnels.
* Note that systemd-networkd manages the sysctl variable
/proc/sys/net/ipv[46]/conf/*/forwarding for each interface
it is configured for since v219. The variable controls IP
forwarding, and is a per-interface alternative to the global
/proc/sys/net/ipv[46]/ip_forward. This setting is
configurable in the IPForward= option, which defaults to
"no". This means if networkd is used for an interface it is
no longer sufficient to set the global sysctl option to turn
on IP forwarding! Instead, the .network file option
IPForward= needs to be turned on! Note that the
implementation of this behaviour was broken in v219 and has
been fixed in v220.
* Many bonding and vxlan options are now configurable in
systemd-networkd.
* systemd-nspawn gained a new --property= setting to set unit
properties for the container scope. This is useful for
setting resource parameters (e.g "CPUShares=500") on
containers started from the command line.
* systemd-nspawn gained a new --private-users= switch to make
use of user namespacing available on recent Linux kernels.
* systemd-nspawn may now be called as part of a shell pipeline
in which case the pipes used for stdin and stdout are passed
directly to the process invoked in the container, without
indirection via a pseudo tty.
* systemd-nspawn gained a new switch to control the UNIX
signal to use when killing the init process of the container
when shutting down.
* systemd-nspawn gained a new --overlay= switch for mounting
overlay file systems into the container using the new kernel
overlayfs support.
* When a container image is imported via systemd-importd and
the host file system is not btrfs, a loopback block device
file is created in /var/lib/machines.raw with a btrfs file
system inside. It is then mounted to /var/lib/machines to
enable btrfs features for container management. The loopback
file and btrfs file system is grown as needed when container
images are imported via systemd-importd.
* systemd-machined/systemd-importd gained support for btrfs
quota, to enforce container disk space limits on disk. This
is exposed in "machinectl set-limit".
* systemd-importd now can import containers from local .tar,
.raw and .qcow2 images, and export them to .tar and .raw. It
can also import dkr v2 images now from the network (on top
of v1 as before).
* systemd-importd gained support for verifying downloaded
images with gpg2 (previously only gpg1 was supported).
* systemd-machined, systemd-logind, systemd: most bus calls
are now accessible to unprivileged processes via
PolicyKit. Also, systemd-logind will now allow users to kill
their own sessions without further privileges or
authorization.
* systemd-shutdownd has been removed. This service was
previously responsible for implementing scheduled shutdowns
as exposed in /usr/bin/shutdown's time parameter. This
functionality has now been moved into systemd-logind and is
accessible via a bus interface.
* "systemctl reboot" gained a new switch --firmware-setup that
can be used to reboot into the EFI firmware setup, if that
is available. systemd-logind now exposes an API on the bus
to trigger such reboots, in case graphical desktop UIs want
to cover this functionality.
* "systemctl enable", "systemctl disable" and "systemctl mask"
now support a new "--now" switch. If specified the units
that are enabled will also be started, and the ones
disabled/masked also stopped.
* The Gummiboot EFI boot loader tool has been merged into
systemd, and renamed to "systemd-boot". The bootctl tool has been
updated to support systemd-boot.
* An EFI kernel stub has been added that may be used to create
kernel EFI binaries that contain not only the actual kernel,
but also an initrd, boot splash, command line and OS release
information. This combined binary can then be signed as a
single image, so that the firmware can verify it all in one
step. systemd-boot has special support for EFI binaries created
like this and can extract OS release information from them
and show them in the boot menu. This functionality is useful
to implement cryptographically verified boot schemes.
* Optional support has been added to systemd-fsck to pass
fsck's progress report to an AF_UNIX socket in the file
system.
* udev will no longer create device symlinks for all block
devices by default. A blacklist for excluding special block
devices from this logic has been turned into a whitelist
that requires picking block devices explicitly that require
device symlinks.
* A new (currently still internal) API sd-device.h has been
added to libsystemd. This modernized API is supposed to
replace libudev eventually. In fact, already much of libudev
is now just a wrapper around sd-device.h.
* A new hwdb database for storing metadata about pointing
stick devices has been added.
* systemd-tmpfiles gained support for setting file attributes
similar to the "chattr" tool with new 'h' and 'H' lines.
* systemd-journald will no longer unconditionally set the
btrfs NOCOW flag on new journal files. This is instead done
with tmpfiles snippet using the new 'h' line type. This
allows easy disabling of this logic, by masking the
journal-nocow.conf tmpfiles file.
* systemd-journald will now translate audit message types to
human readable identifiers when writing them to the
journal. This should improve readability of audit messages.
* The LUKS logic gained support for the offset= and skip=
options in /etc/crypttab, as previously implemented by
Debian.
* /usr/lib/os-release gained a new optional field VARIANT= for
distributions that support multiple variants (such as a
desktop edition, a server edition, ...)
Contributions from: Aaro Koskinen, Adam Goode, Alban Crequy,
Alberto Fanjul Alonso, Alexander Sverdlin, Alex Puchades, Alin
Rauta, Alison Chaiken, Andrew Jones, Arend van Spriel,
Benedikt Morbach, Benjamin Franzke, Benjamin Tissoires, Blaž
Tomažič, Chris Morgan, Chris Morin, Colin Walters, Cristian
Rodríguez, Daniel Buch, Daniel Drake, Daniele Medri, Daniel
Mack, Daniel Mustieles, daurnimator, Davide Bettio, David
Herrmann, David Strauss, Didier Roche, Dimitri John Ledkov,
Eric Cook, Gavin Li, Goffredo Baroncelli, Hannes Reinecke,
Hans de Goede, Hans-Peter Deifel, Harald Hoyer, Iago López
Galeiras, Ivan Shapovalov, Jan Engelhardt, Jan Janssen, Jan
Pazdziora, Jan Synacek, Jasper St. Pierre, Jay Faulkner, John
Paul Adrian Glaubitz, Jonathon Gilbert, Karel Zak, Kay
Sievers, Koen Kooi, Lennart Poettering, Lubomir Rintel, Lucas
De Marchi, Lukas Nykryn, Lukas Rusak, Lukasz Skalski, Łukasz
Stelmach, Mantas Mikulėnas, Marc-Antoine Perennou, Marcel
Holtmann, Martin Pitt, Mathieu Chevrier, Matthew Garrett,
Michael Biebl, Michael Marineau, Michael Olbrich, Michal
Schmidt, Michal Sekletar, Mirco Tischler, Nir Soffer, Patrik
Flykt, Pavel Odvody, Peter Hutterer, Peter Lemenkov, Peter
Waller, Piotr Drąg, Raul Gutierrez S, Richard Maw, Ronny
Chevalier, Ross Burton, Sebastian Rasmussen, Sergey Ptashnick,
Seth Jennings, Shawn Landden, Simon Farnsworth, Stefan Junker,
Stephen Gallagher, Susant Sahani, Sylvain Plantefève, Thomas
Haller, Thomas Hindoe Paaboel Andersen, Tobias Hunger, Tom
Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Will
Woods, Zachary Cook, Zbigniew Jędrzejewski-Szmek
-- Berlin, 2015-05-22
CHANGES WITH 219:
* Introduce a new API "sd-hwdb.h" for querying the hardware
metadata database. With this minimal interface one can query
and enumerate the udev hwdb, decoupled from the old libudev
library. libudev's interface for this is now only a wrapper
around sd-hwdb. A new tool systemd-hwdb has been added to
interface with and update the database.
* When any of systemd's tools copies files (for example due to
tmpfiles' C lines) a btrfs reflink will attempted first,
before bytewise copying is done.
* systemd-nspawn gained a new --ephemeral switch. When
specified a btrfs snapshot is taken of the container's root
directory, and immediately removed when the container
terminates again. Thus, a container can be started whose
changes never alter the container's root directory, and are
lost on container termination. This switch can also be used
for starting a container off the root file system of the
host without affecting the host OS. This switch is only
available on btrfs file systems.
* systemd-nspawn gained a new --template= switch. It takes the
path to a container tree to use as template for the tree
specified via --directory=, should that directory be
missing. This allows instantiating containers dynamically,
on first run. This switch is only available on btrfs file
systems.
* When a .mount unit refers to a mount point on which multiple
mounts are stacked, and the .mount unit is stopped all of
the stacked mount points will now be unmounted until no
mount point remains.
* systemd now has an explicit notion of supported and
unsupported unit types. Jobs enqueued for unsupported unit
types will now fail with an "unsupported" error code. More
specifically .swap, .automount and .device units are not
supported in containers, .busname units are not supported on
non-kdbus systems. .swap and .automount are also not
supported if their respective kernel compile time options
are disabled.
* machinectl gained support for two new "copy-from" and
"copy-to" commands for copying files from a running
container to the host or vice versa.
* machinectl gained support for a new "bind" command to bind
mount host directories into local containers. This is
currently only supported for nspawn containers.
* networkd gained support for configuring bridge forwarding
database entries (fdb) from .network files.
* A new tiny daemon "systemd-importd" has been added that can
download container images in tar, raw, qcow2 or dkr formats,
and make them available locally in /var/lib/machines, so
that they can run as nspawn containers. The daemon can GPG
verify the downloads (not supported for dkr, since it has no
provisions for verifying downloads). It will transparently
decompress bz2, xz, gzip compressed downloads if necessary,
and restore sparse files on disk. The daemon uses privilege
separation to ensure the actual download logic runs with
fewer privileges than the daemon itself. machinectl has
gained new commands "pull-tar", "pull-raw" and "pull-dkr" to
make the functionality of importd available to the
user. With this in place the Fedora and Ubuntu "Cloud"
images can be downloaded and booted as containers unmodified
(the Fedora images lack the appropriate GPG signature files
currently, so they cannot be verified, but this will change
soon, hopefully). Note that downloading images is currently
only fully supported on btrfs.
* machinectl is now able to list container images found in
/var/lib/machines, along with some metadata about sizes of
disk and similar. If the directory is located on btrfs and
quota is enabled, this includes quota display. A new command
"image-status" has been added that shows additional
information about images.
* machinectl is now able to clone container images
efficiently, if the underlying file system (btrfs) supports
it, with the new "machinectl list-images" command. It also
gained commands for renaming and removing images, as well as
marking them read-only or read-write (supported also on
legacy file systems).
* networkd gained support for collecting LLDP network
announcements, from hardware that supports this. This is
shown in networkctl output.
* systemd-run gained support for a new -t (--pty) switch for
invoking a binary on a pty whose input and output is
connected to the invoking terminal. This allows executing
processes as system services while interactively
communicating with them via the terminal. Most interestingly
this is supported across container boundaries. Invoking
"systemd-run -t /bin/bash" is an alternative to running a
full login session, the difference being that the former
will not register a session, nor go through the PAM session
setup.
* tmpfiles gained support for a new "v" line type for creating
btrfs subvolumes. If the underlying file system is a legacy
file system, this automatically degrades to creating a
normal directory. Among others /var/lib/machines is now
created like this at boot, should it be missing.
* The directory /var/lib/containers/ has been deprecated and
been replaced by /var/lib/machines. The term "machines" has
been used in the systemd context as generic term for both
VMs and containers, and hence appears more appropriate for
this, as the directory can also contain raw images bootable
via qemu/kvm.
* systemd-nspawn when invoked with -M but without --directory=
or --image= is now capable of searching for the container
root directory, subvolume or disk image automatically, in
/var/lib/machines. [email protected] has been updated
to make use of this, thus allowing it to be used for raw
disk images, too.
* A new machines.target unit has been introduced that is
supposed to group all containers/VMs invoked as services on
the system. [email protected] has been updated to
integrate with that.
* machinectl gained a new "start" command, for invoking a
container as a service. "machinectl start foo" is mostly
equivalent to "systemctl start [email protected]",
but handles escaping in a nicer way.
* systemd-nspawn will now mount most of the cgroupfs tree
read-only into each container, with the exception of the
container's own subtree in the name=systemd hierarchy.
* journald now sets the special FS_NOCOW file flag for its
journal files. This should improve performance on btrfs, by
avoiding heavy fragmentation when journald's write-pattern
is used on COW file systems. It degrades btrfs' data
integrity guarantees for the files to the same levels as for
ext3/ext4 however. This should be OK though as journald does
its own data integrity checks and all its objects are
checksummed on disk. Also, journald should handle btrfs disk
full events a lot more gracefully now, by processing SIGBUS
errors, and not relying on fallocate() anymore.
* When journald detects that journal files it is writing to
have been deleted it will immediately start new journal
files.
* systemd now provides a way to store file descriptors
per-service in PID 1.This is useful for daemons to ensure
that fds they require are not lost during a daemon
restart. The fds are passed to the daemon on the next
invocation in the same way socket activation fds are
passed. This is now used by journald to ensure that the
various sockets connected to all the system's stdout/stderr
are not lost when journald is restarted. File descriptors
may be stored in PID 1 via the sd_pid_notify_with_fds() API,
an extension to sd_notify(). Note that a limit is enforced
on the number of fds a service can store in PID 1, and it
defaults to 0, so that no fds may be stored, unless this is
explicitly turned on.
* The default TERM variable to use for units connected to a
terminal, when no other value is explicitly is set is now
vt220 rather than vt102. This should be fairly safe still,
but allows PgUp/PgDn work.
* The /etc/crypttab option header= as known from Debian is now
supported.
* "loginctl user-status" and "loginctl session-status" will
now show the last 10 lines of log messages of the
user/session following the status output. Similar,
"machinectl status" will show the last 10 log lines
associated with a virtual machine or container
service. (Note that this is usually not the log messages
done in the VM/container itself, but simply what the
container manager logs. For nspawn this includes all console
output however.)
* "loginctl session-status" without further argument will now
show the status of the session of the caller. Similar,
"lock-session", "unlock-session", "activate",
"enable-linger", "disable-linger" may now be called without
session/user parameter in which case they apply to the
caller's session/user.
* An X11 session scriptlet is now shipped that uploads
$DISPLAY and $XAUTHORITY into the environment of the systemd
--user daemon if a session begins. This should improve
compatibility with X11 enabled applications run as systemd
user services.
* Generators are now subject to masking via /etc and /run, the
same way as unit files.
* networkd .network files gained support for configuring
per-link IPv4/IPv6 packet forwarding as well as IPv4
masquerading. This is by default turned on for veth links to
containers, as registered by systemd-nspawn. This means that
nspawn containers run with --network-veth will now get
automatic routed access to the host's networks without any
further configuration or setup, as long as networkd runs on
the host.
* systemd-nspawn gained the --port= (-p) switch to expose TCP
or UDP posts of a container on the host. With this in place
it is possible to run containers with private veth links
(--network-veth), and have their functionality exposed on
the host as if their services were running directly on the
host.
* systemd-nspawn's --network-veth switch now gained a short
version "-n", since with the changes above it is now truly
useful out-of-the-box. The [email protected] has been
updated to make use of it too by default.
* systemd-nspawn will now maintain a per-image R/W lock, to
ensure that the same image is not started more than once
writable. (It's OK to run an image multiple times
simultaneously in read-only mode.)
* systemd-nspawn's --image= option is now capable of
dissecting and booting MBR and GPT disk images that contain
only a single active Linux partition. Previously it
supported only GPT disk images with proper GPT type
IDs. This allows running cloud images from major
distributions directly with systemd-nspawn, without
modification.