CHANGES WITH 242:
- In .link files, MACAddressPolicy=persistent (the default) is changed to cover more devices. For devices like bridges, tun, tap, bond, and similar interfaces that do not have other identifying information, the interface name is used as the basis for persistent seed for MAC and IPv4LL addresses. The way that devices that were handled previously is not changed, and this change is about covering more devices then previously by the "persistent" policy.
MACAddressPolicy=random may be used to force randomized MACs and IPv4LL addresses for a device if desired.
Hint: the log output from udev (at debug level) was enhanced to clarify what policy is followed and which attributes are used. `SYSTEMD_LOG_LEVEL=debug udevadm test-builtin net_setup_link /sys/class/net/
- The .device units generated by systemd-fstab-generator and other generators do not automatically pull in the corresponding .mount unit as a Wants= dependency. This means that simply plugging in the device will not cause the mount unit to be started automatically. But please note that the mount unit may be started for other reasons, in particular if it is part of local-fs.target, and any unit which (transitively) depends on local-fs.target is started.
- networkctl list/status/lldp now accept globbing wildcards for network interface names to match against all existing interfaces.
- The $PIDFILE environment variable is set to point the absolute path configured with PIDFile= for processes of that service.
- The fallback DNS server list was augmented with Cloudflare public DNS servers. Use `-Ddns-servers=` to set a different fallback.
- A new special target usb-gadget.target will be started automatically when a USB Device Controller is detected (which means that the system is a USB peripheral).
- A new unit setting CPUQuotaPeriodSec= assigns the time period relatively to which the CPU time quota specified by CPUQuota= is measured.
- A new unit setting ProtectHostname= may be used to prevent services from modifying hostname information (even if they otherwise would have privileges to do so).
- A new unit setting NetworkNamespacePath= may be used to specify a namespace for service or socket units through a path referring to a Linux network namespace pseudo-file.
- The PrivateNetwork= setting and JoinsNamespaceOf= dependencies now have an effect on .socket units: when used the listening socket is created within the configured network namespace instead of the host namespace.
- ExecStart= command lines in unit files may now be prefixed with ':' in which case environment variable substitution is disabled. (Supported for the other ExecXYZ= settings, too.)
- .timer units gained two new boolean settings OnClockChange= and OnTimezoneChange= which may be used to also trigger a unit when the system clock is changed or the local timezone is modified. systemd-run has been updated to make these options easily accessible from the command line for transient timers.
- Two new conditions for units have been added: ConditionMemory= may be used to conditionalize a unit based on installed system RAM. ConditionCPUs= may be used to conditionalize a unit based on install CPU cores.
- The @default system call filter group understood by SystemCallFilter= has been updated to include the new rseq() system call introduced in kernel 4.15.
- A new time-set.target has been added that indicates that the system time has been set from a local source (possibly imprecise). The existing time-sync.target is stronger and indicates that the time has been synchronized with a precise external source. Services where approximate time is sufficient should use the new target.
- "systemctl start" (and related commands) learnt a new--show-transaction option. If specified brief information about all jobs queued because of the requested operation is shown.
- systemd-networkd recognizes a new operation state 'enslaved', used (instead of 'degraded' or 'carrier') for interfaces which form a bridge, bond, or similar, and an new 'degraded-carrier' operational state used for the bond or bridge master interface when one of the enslaved devices is not operational.
- .network files learnt the new IgnoreCarrierLoss= option for leaving networks configured even if the carrier is lost.
- The RequiredForOnline= setting in .network files may now specify a minimum operational state required for the interface to be considered "online" by systemd-networkd-wait-online. Related to this systemd-networkd-wait-online gained a new option --operational-state= to configure the same, and its --interface= option was updated to optionally also take an operational state specific for an interface.
- systemd-networkd-wait-online gained a new setting --any for waiting for only one of the requested interfaces instead of all of them.
- systemd-networkd now implements L2TP tunnels.
- Two new .network settings UseAutonomousPrefix= and UseOnLinkPrefix= may be used to cause autonomous and onlink prefixes received in IPv6 Router Advertisements to be ignored.
- New MulticastFlood=, NeighborSuppression=, and Learning= .network file settings may be used to tweak bridge behaviour.
- The new TripleSampling= option in .network files may be used to configure CAN triple sampling.
- A new .netdev settings PrivateKeyFile= and PresharedKeyFile= may be used to point to private or preshared key for a WireGuard interface.
- /etc/crypttab now supports the same-cpu-crypt and submit-from-crypt-cpus options to tweak encryption work scheduling details.
- systemd-tmpfiles will now take a BSD file lock before operating on a contents of directory. This may be used to temporarily exclude directories from aging by taking the same lock (useful for example when extracting a tarball into /tmp or /var/tmp as a privileged user, which might create files with really old timestamps, which nevertheless should not be deleted). For further details, see:
- systemd-tmpfiles' h line type gained support for the FS_PROJINHERIT_FL ('P') file attribute (introduced in kernel 4.5), controlling project quota inheritance.
- sd-boot and bootctl now implement support for an Extended Boot Loader (XBOOTLDR) partition, that is intended to be mounted to /boot, in addition to the ESP partition mounted to /efi or /boot/efi. Configuration file fragments, kernels, initrds and other EFI images to boot will be loaded from both the ESP and XBOOTLDR partitions. The XBOOTLDR partition was previously described by the Boot Loader Specification, but implementation was missing in sd-boot. Support for this concept allows using the sd-boot boot loader in more conservative scenarios where the boot loader itself is placed in the ESP but the kernels to boot (and their metadata) in a separate partition.
- A system may now be booted with systemd.volatile=overlay on the kernel command line, which causes the root file system to be set up an overlayfs mount combining the root-only root directory with a writable tmpfs. In this setup, the underlying root device is not modified, and any changes are lost at reboot.
- Similar, systemd-nspawn can now boot containers with a volatile overlayfs root with the new --volatile=overlay switch.
- systemd-nspawn can now consume OCI runtime bundles using a new--oci-bundle= option. This implementation is fully usable, with most features in the specification implemented, but since this a lot of new code and functionality, this feature should most likely not be used in production yet.
- systemd-nspawn now supports various options described by the OCI runtime specification on the command-line and in .nspawn files:--inaccessible=/Inaccessible= may be used to mask parts of the file system tree, --console=/--pipe may be used to configure how standard input, output, and error are set up.
- busctl learned the `emit` verb to generate D-Bus signals.
- systemd-analyze cat-config may be used to gather and display configuration spread over multiple files, for example system and user presets, tmpfiles.d, sysusers.d, udev rules, etc.
- systemd-analyze calendar now takes an optional new parameter--iterations= which may be used to show a maximum number of iterations the specified expression will elapse next.
- The sd-bus C API gained support for naming method parameters in the introspection data.
- systemd-logind gained D-Bus APIs to specify the "reboot parameter" the reboot() system call expects.
- journalctl learnt a new --cursor-file= option that points to a file from which a cursor should be loaded in the beginning and to which the updated cursor should be stored at the end.
- ACRN hypervisor and Windows Subsystem for Linux (WSL) are now detected by systemd-detect-virt (and may also be used in ConditionVirtualization=).
- The behaviour of systemd-logind may now be modified with environment
variables $SYSTEMD_REBOOT_TO_FIRMWARE_SETUP, $SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU, and $SYSTEMD_REBOOT_TO_BOOT_LOADER_ENTRY. They cause logind to either skip the relevant operation completely (when set to false), or to create a flag file in /run/systemd (when set to true), instead of actually commencing the real operation when requested. The presence of /run/systemd/reboot-to-firmware-setup, /run/systemd/reboot-to-boot-loader-menu, and /run/systemd/reboot-to-boot-loader-entry, may be used by alternative boot loader implementations to replace some steps logind performs during reboot with their own operations.
- systemctl can be used to request a reboot into the boot loader menu or a specific boot loader entry with the new --boot-load-menu= and--boot-loader-entry= options to a reboot command. (This requires a boot loader that supports this, for example sd-boot.)
- kernel-install will no longer unconditionally create the output directory (e.g. /efi/
This makes it easier to use kernel-install with plugins which support a different layout of the bootloader partitions (for example grub2).
- During package installation (with `ninja install`), we would create symlinks for systemd-networkd.service, systemd-networkd.socket, systemd-resolved.service, remote-cryptsetup.target, remote-fs.target, systemd-networkd-wait-online.service, and systemd-timesyncd.service in /etc, as if `systemctl enable` was called for those units, to make the system usable immediately after installation. Now this is not done anymore, and instead calling `systemctl preset-all` is recommended after the first installation of systemd.
- A new boolean sandboxing option RestrictSUIDSGID= has been added that is built on seccomp. When turned on creation of SUID/SGID files is prohibited.
- The NoNewPrivileges= and the new RestrictSUIDSGID= options are now implied if DynamicUser= is turned on for a service. This hardens these services, so that they neither can benefit from nor create SUID/SGID executables. This is a minor compatibility breakage, given that when DynamicUser= was first introduced SUID/SGID behaviour was unaffected. However, the security benefit of these two options is substantial, and the setting is still relatively new, hence we opted to make it mandatory for services with dynamic users.
1e5d2d6564 NEWS: update contributors and date
NEWS | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)