#4298: systemd-239
----------------------+-----------------------
Reporter: bdubbs@… | Owner: renodr
Type: task | Status: assigned
Priority: normal | Milestone: 8.3
Component: Book | Version: SVN
Severity: normal | Resolution:
Keywords: |
----------------------+-----------------------
Comment (by renodr):
{{{
CHANGES WITH 239:

* NETWORK INTERFACE DEVICE NAMING CHANGES: systemd-udevd's "net_id" builtin will name network interfaces differently than in previous versions for virtual network interfaces created with SR-IOV and NPAR and for devices where the PCI network controller device does not have a slot number associated.

SR-IOV virtual devices are now named based on the name of the parent interface, with a suffix of "v<N>", where <N> is the virtual device number. Previously those virtual devices were named as if completely independent.

The ninth and later NPAR virtual devices will be named following the scheme used for the first eight NPAR partitions. Previously those devices were not renamed and the kernel default (eth<n>) was used.

"net_id" will also generate names for PCI devices where the PCI network controller device does not have an associated slot number itself, but one of its parents does. Previously those devices were not renamed and the kernel default (eth<n>) was used.

* AF_INET and AF_INET6 are dropped from RestrictAddressFamilies= in systemd-logind.service. Since v235, IPAddressDeny=any has been set on the unit. So, it is expected that the default behavior of systemd-logind is not changed. However, if distribution packagers or administrators disabled or modified the IPAddressDeny= setting by a drop-in config file, then it may be necessary to update the file to re-enable AF_INET and AF_INET6 to support network user name services, e.g. NIS.

* When the RestrictNamespaces= unit property is specified multiple times, then the specified types are merged now. Previously, only the last assignment was used. So, if distribution packagers or administrators modified the setting by a drop-in config file, then it may be necessary to update the file.

* When OnFailure= is used in combination with Restart= on a service unit, then the specified units will no longer be triggered on failures that result in restarting. Previously, the specified units would be activated each time the unit failed, even when the unit was going to be restarted automatically. This behaviour contradicted the documentation. With this release the code is adjusted to match the documentation.

* systemd-tmpfiles will now print a notice whenever it encounters tmpfiles.d/ lines referencing the /var/run/ directory. It will recommend reworking them to use the /run/ directory instead (for which /var/run/ is simply a symlinked compatibility alias). This way systemd-tmpfiles can properly detect line conflicts and merge lines referencing the same file by two paths, without having to access them.

* systemctl disable/unmask/preset/preset-all cannot be used with --runtime. Previously this was allowed, but resulted in unintuitive behaviour that wasn't useful. systemctl disable/unmask will now undo both runtime and persistent enablement/masking, i.e. it will remove any relevant symlinks both in /run and /etc.

* Note that all long-running system services shipped with systemd will now default to a system call whitelist (rather than a blacklist, as before). In particular, systemd-udevd will now enforce one too. For most cases this should be safe, however downstream distributions which disabled sandboxing of systemd-udevd (specifically the MountFlags= setting), might want to disable this security feature too, as the default whitelisting will prohibit all mount, swap, reboot and clock changing operations from udev rules.

* sd-boot acquired new loader configuration settings to optionally turn off Windows and MacOS boot partition discovery as well as reboot-into-firmware menu items. It is also able to pick a better screen resolution for HiDPI systems, and now provides loader configuration settings to change the resolution explicitly.

* systemd-resolved now supports DNS-over-TLS. It's still turned off by default, use DNSOverTLS=opportunistic to turn it on in resolved.conf. We intend to make this the default as soon as a couple of additional techniques for optimizing the initial latency caused by establishing a TLS/TCP connection are implemented.

* systemd-resolved.service and systemd-networkd.service now set DynamicUser=yes. The users systemd-resolve and systemd-network are not created by systemd-sysusers.

* The systemd-resolve tool has been renamed to resolvectl (it also remains available under the old name, for compatibility), and its interface is now verb-based, similar in style to the other <xyz>ctl tools, such as systemctl or loginctl.

* The resolvectl/systemd-resolve tool also provides 'resolvconf' compatibility. It may be symlinked under the 'resolvconf' name, in which case it will take arguments and input compatible with the Debian and FreeBSD resolvconf tool.

* Support for suspend-then-hibernate has been added, i.e. a sleep mode where the system initially suspends, and after a time-out resumes and hibernates again.

* networkd's ClientIdentifier= now accepts a new option "duid-only". If set the client will only send a DUID as client identifier.

* The nss-systemd glibc NSS module will now enumerate dynamic users and groups in effect. Previously, it could resolve UIDs/GIDs to user names/groups and vice versa, but did not support enumeration.

* journald's Compress= configuration setting now optionally accepts a byte threshold value. All journal objects larger than this threshold will be compressed, smaller ones will not. Previously this threshold was not configurable and set to 512.

* A new system.conf setting NoNewPrivileges= is now available which may be used to turn off acquisition of new privileges system-wide (i.e. set Linux' PR_SET_NO_NEW_PRIVS for PID 1 itself, and thus also for all its children). Note that turning this option on means setuid binaries and file system capabilities lose their special powers. While turning on this option is a big step towards a more secure system, doing so is likely to break numerous pre-existing UNIX tools, in particular su and sudo.

* A new service systemd-time-sync-wait.service has been added. If enabled it will delay the time-sync.target unit at boot until time synchronization has been received from the network. This functionality is useful on systems lacking a local RTC or where it is acceptable that the boot process shall be delayed by external network services.

* When hibernating, systemd will now inform the kernel of the image write offset, on kernels new enough to support this. This means swap files should work for hibernation now.

* When loading unit files, systemd will now look for drop-in unit file extensions in additional places. Previously, for a unit file name "foo-bar-baz.service" it would look for dropin files in "foo-bar-baz.service.d/*.conf". Now, it will also look in "foo-bar-.service.d/*.conf" and "foo-.service.d/", i.e. at the service name truncated after all inner dashes. This scheme allows writing drop-ins easily that apply to a whole set of unit files at once. It's particularly useful for mount and slice units (as their naming is prefix based), but is also useful for service and other units, for packages that install multiple unit files at once, following a strict naming regime of beginning the unit file name with the package's name. Two new specifiers are now supported in unit files to match this: %j and %J are replaced by the part of the unit name following the last dash.

* Unit files and other configuration files that support specifier expansion now understand another three new specifiers: %T and %V will resolve to /tmp and /var/tmp respectively, or whatever temporary directory has been set for the calling user. %E will expand to either /etc (for system units) or $XDG_CONFIG_HOME (for user units).

* The ExecStart= lines of unit files are no longer required to reference absolute paths. If non-absolute paths are specified the specified binary name is searched within the service manager's built-in $PATH, which may be queried with 'systemd-path search-binaries-default'. It's generally recommended to continue to use absolute paths for all binaries specified in unit files.

* Units gained a new load state "bad-setting", which is used when a unit file was loaded, but contained fatal errors which prevent it from being started (for example, a service unit has been defined lacking both ExecStart= and ExecStop= lines).

* coredumpctl's "gdb" verb has been renamed to "debug", in order to support alternative debuggers, for example lldb. The old name continues to be available however, for compatibility reasons. Use the new --debugger= switch or the $SYSTEMD_DEBUGGER environment variable to pick an alternative debugger instead of the default gdb.

* systemctl and the other tools will now output escape sequences that generate proper clickable hyperlinks in various terminal emulators where useful (for example, in the "systemctl status" output you can now click on the unit file name to quickly open it in the editor/viewer of your choice). Note that not all terminal emulators support this functionality yet, but many do. Unfortunately, the "less" pager doesn't support this yet, hence this functionality is currently automatically turned off when a pager is started (which happens quite often due to auto-paging). We hope to remove this limitation as soon as "less" learns these escape sequences. This new behaviour may also be turned off explicitly with the $SYSTEMD_URLIFY environment variable. For details on these escape sequences see: https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3cb5feda

* networkd's .network files now support a new IPv6MTUBytes= option for setting the MTU used by IPv6 explicitly as well as a new MTUBytes= option in the [Route] section to configure the MTU to use for specific routes. It also gained support for configuration of the DHCP "UserClass" option through the new UserClass= setting. It gained three new options in the new [CAN] section for configuring CAN networks. The MULTICAST and ALLMULTI interface flags may now be controlled explicitly with the new Multicast= and AllMulticast= settings.

* networkd will now automatically make use of the kernel's route expiration feature, if it is available.

* udevd's .link files now support setting the number of receive and transmit channels, using the RxChannels=, TxChannels=, OtherChannels=, CombinedChannels= settings.

* Support for UDPSegmentationOffload= has been removed, given its limited support in hardware, and waning software support.

* networkd's .netdev files now support creating "netdevsim" interfaces.

* PID 1 learnt a new bus call GetUnitByControlGroup() which may be used to query the unit belonging to a specific kernel control group.

* systemd-analyze gained a new verb "cat-config", which may be used to dump the contents of any configuration file, with all its matching drop-in files added in, and honouring the usual search and masking logic applied to systemd configuration files. For example use "systemd-analyze cat-config systemd/system.conf" to get the complete system configuration file of systemd as it would be loaded by PID 1 itself. Similar to this, various tools such as systemd-tmpfiles or systemd-sysusers, gained a new option "--cat-config", which does the corresponding operation for their own configuration settings. For example, "systemd-tmpfiles --cat-config" will now output the full list of tmpfiles.d/ lines in place.

* timedatectl gained three new verbs: "show" shows bus properties of systemd-timedated, "timesync-status" shows the current NTP synchronization state of systemd-timesyncd, and "show-timesync" shows bus properties of systemd-timesyncd.

* systemd-timesyncd gained a bus interface on which it exposes details about its state.

* A new environment variable $SYSTEMD_TIMEDATED_NTP_SERVICES is now understood by systemd-timedated. It takes a colon-separated list of unit names of NTP client services. The list is used by "timedatectl set-ntp".

* systemd-nspawn gained a new --rlimit= switch for setting initial resource limits for the container payload. There's a new switch --hostname= to explicitly override the container's hostname. A new --no-new-privileges= switch may be used to control the PR_SET_NO_NEW_PRIVS flag for the container payload. A new --oom-score-adjust= switch controls the OOM scoring adjustment value for the payload. The new --cpu-affinity= switch controls the CPU affinity of the container payload. The new --resolv-conf= switch allows more detailed control of /etc/resolv.conf handling of the container. Similarly, the new --timezone= switch allows more detailed control of /etc/localtime handling of the container.

* systemd-detect-virt gained a new --list switch, which will print a list of all currently known VM and container environments.

* Support for "Portable Services" has been added, see doc/PORTABLE_SERVICES.md for details. Currently, the support is still experimental, but this is expected to change soon. Reflecting this experimental state, the "portablectl" binary is not installed into /usr/bin yet. The binary has to be called with the full path /usr/lib/systemd/portablectl instead.

* journalctl's and systemctl's -o switch now knows a new log output mode "with-unit". The output it generates is very similar to the regular "short" mode, but displays the unit name instead of the syslog tag for each log line. Also, the date is shown with timezone information. This mode is probably more useful than the classic "short" output mode for most purposes, except where pixel-perfect compatibility with classic /var/log/messages formatting is required.

* A new --dump-bus-properties switch has been added to the systemd binary, which may be used to dump all supported D-Bus properties. (Options which are still supported, but are deprecated, are *not* shown.)

* sd-bus gained a set of new calls: sd_bus_slot_set_floating()/sd_bus_slot_get_floating() may be used to enable/disable the "floating" state of a bus slot object, i.e. whether the slot object pins the bus it is allocated for into memory or if the bus slot object gets disconnected when the bus goes away. sd_bus_open_with_description(), sd_bus_open_user_with_description(), sd_bus_open_system_with_description() may be used to allocate bus objects and set their description string already during allocation.

* sd-event gained support for watching inotify events from the event loop, in an efficient way, sharing inotify handles between multiple users. For this a new function sd_event_add_inotify() has been added.

* sd-event and sd-bus gained support for calling special user-supplied destructor functions for userdata pointers associated with sd_event_source, sd_bus_slot, and sd_bus_track objects. For this the new functions sd_bus_slot_set_destroy_callback, sd_bus_slot_get_destroy_callback, sd_bus_track_set_destroy_callback, sd_bus_track_get_destroy_callback, sd_event_source_set_destroy_callback, sd_event_source_get_destroy_callback have been added.

* The "net.ipv4.tcp_ecn" sysctl will now be turned on by default.

* PID 1 will now automatically reschedule .timer units whenever the local timezone changes. (They previously got rescheduled automatically when the system clock changed.)

* New documentation has been added to document cgroups delegation, portable services and the various code quality tools we have set up:
https://github.com/systemd/systemd/blob/master/doc/CGROUP_DELEGATION.md
https://github.com/systemd/systemd/blob/master/doc/PORTABLE_SERVICES.md
https://github.com/systemd/systemd/blob/master/doc/CODE_QUALITY.md

* The Boot Loader Specification has been added to the source tree.
https://github.com/systemd/systemd/blob/master/doc/BOOT_LOADER_SPECIFICATION.md
While moving it into our source tree we have updated it and further changes are now accepted through the usual github PR workflow.

* pam_systemd will now look for PAM userdata fields systemd.memory_max, systemd.tasks_max, systemd.cpu_weight, systemd.io_weight set by earlier PAM modules. The data in these fields is used to initialize the session scope's resource properties. Thus external PAM modules may now configure per-session limits, for example sourced from external user databases.

* socket units with Accept=yes will now maintain a "refused" counter in addition to the existing "accepted" counter, counting connections refused due to the enforced limits.

* The "systemd-path search-binaries-default" command may now be used to query the default, built-in $PATH PID 1 will pass to the services it manages.

* A new unit file setting PrivateMounts= has been added. It's a boolean option. If enabled the unit's processes are invoked in their own file system namespace. Note that this behaviour is also implied if any other file system namespacing options (such as PrivateTmp=, PrivateDevices=, ProtectSystem=, …) are used. This option is hence primarily useful for services that do not use any of the other file system namespacing options. One such service is systemd-udevd.service where this is now used by default.

* ConditionSecurity= gained a new value "uefi-secureboot" that is true when the system is booted in UEFI "secure mode".

* A new unit "system-update-pre.target" is added, which defines an optional synchronization point for offline system updates, as implemented by the pre-existing "system-update.target" unit. It allows ordering services before the service that executes the actual update process in a generic way.

Contributions from: Adam Duskett, Alan Jenkins, Alessandro Casale, Alexander Kurtz, Alex Gartrell, Anssi Hannula, Arnaud Rebillout, Brian J. Murrell, Bruno Vernay, Chris Lamb, Chris Lesiak, Christian Brauner, Christian Hesse, Christian Rebischke, Colin Guthrie, Daniel Dao, Daniel Lin, Danylo Korostil, Davide Cavalca, David Tardon, Dimitri John Ledkov, Dmitriy Geels, Douglas Christman, Elia Geretto, emelenas, Emil Velikov, Evgeny Vereshchagin, Felipe Sateler, Feng Sun, Filipe Brandenburger, Franck Bui, futpib, Giuseppe Scrivano, Guillem Jover, guixxx, Hannes Reinecke, Hans de Goede, Harald Hoyer, Henrique Dante de Almeida, Hiram van Paassen, Ian Miell, Igor Gnatenko, Ivan Shapovalov, Iwan Timmer, James Cowgill, Jan Janssen, Jan Synacek, Jared Kazimir, Jérémy Rosen, João Paulo Rechi Vita, Joost Heitbrink, Jui-Chi Ricky Liang, Jürg Billeter, Kai-Heng Feng, Karol Augustin, Kay Sievers, Krzysztof Nowicki, Lauri Tirkkonen, Lennart Poettering, Leonard König, Long Li, Luca Boccassi, Lucas Werkmeister, Marcel Hoppe, Marc Kleine-Budde, Mario Limonciello, Martin Jansa, Martin Wilck, Mathieu Malaterre, Matteo F. Vescovi, Matthew McGinn, Matthias-Christian Ott, Michael Biebl, Michael Olbrich, Michael Prokop, Michal Koutný, Michal Sekletar, Mike Gilbert, Mikhail Kasimov, Milan Broz, Milan Pässler, Mladen Pejaković, Muhammet Kara, Nicolas Boichat, Omer Katz, Paride Legovini, Paul Menzel, Paul Milliken, Pavel Hrdina, Peter A. Bigot, Peter D'Hoye, Peter Hutterer, Peter Jones, Philip Sequeira, Philip Withnall, Piotr Drąg, Radostin Stoyanov, Ricardo Salveti de Araujo, Ronny Chevalier, Rosen Penev, Rubén Suárez Alvarez, Ryan Gonzalez, Salvo Tomaselli, Sebastian Reichel, Sergey Ptashnick, Sergio Lindo Mansilla, Stefan Schweter, Stephen Hemminger, Stuart Hayes, Susant Sahani, Sylvain Plantefève, Thomas H. P. Andersen, Tobias Jungel, Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van Mourik, Yu Watanabe, Zbigniew Jędrzejewski-Szmek
— Berlin, 2018-06-22
}}}
Almost ready to commit this. Then onto BLFS!
--
Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/4298#comment:2>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
--
http://lists.linuxfromscratch.org/listinfo/lfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
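The drop-in lookup change quoted above (full unit name, then the name truncated after every inner dash) and the new %j/%J specifiers decide where a single hardening drop-in has to live to cover every unit of a package. The following is an added illustration written for this page, not systemd's own code: it models that lookup for plain (non-template) unit names, expands %j/%J, and picks the most specific shared directory for a set of units. Template instances ("foo@bar.service") have additional rules that are deliberately not modelled, and the unit names used at the bottom are made up.

```python
"""Model of the systemd 239 drop-in directory lookup for dash-prefixed
unit names and of the new %j/%J specifiers.

Added illustration, not systemd's own code.  Plain (non-template) unit
names only; template instances ("foo@bar.service") are rejected because
their lookup has extra rules not modelled here.
"""
import re

UNIT_SUFFIXES = ("service", "socket", "target", "mount", "slice", "timer",
                 "path", "swap", "scope", "automount", "device")


def split_unit_name(unit):
    """'foo-bar-baz.service' -> ('foo-bar-baz', 'service')."""
    prefix, dot, suffix = unit.rpartition(".")
    if not dot or not prefix or suffix not in UNIT_SUFFIXES:
        raise ValueError(f"not a unit name: {unit!r}")
    if "@" in prefix:
        raise ValueError("template/instance units are not modelled here")
    return prefix, suffix


def dropin_dirs(unit):
    """Drop-in directories searched for `unit`, most specific first.

    Per the 239 NEWS: the full name ('foo-bar-baz.service.d'), then the
    name truncated after each inner dash ('foo-bar-.service.d',
    'foo-.service.d').  A leading or trailing dash is not an inner dash.
    """
    prefix, suffix = split_unit_name(unit)
    dirs = [f"{unit}.d"]
    cuts = [i + 1 for i in range(1, len(prefix) - 1) if prefix[i] == "-"]
    for cut in reversed(cuts):                      # longest prefix first
        dirs.append(f"{prefix[:cut]}.{suffix}.d")
    return dirs


def unit_name_unescape(s):
    """Undo unit-name escaping: '-' -> '/', '\\xNN' -> the byte NN."""
    s = s.replace("-", "/")
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), s)


def specifiers(unit):
    """%j: part of the prefix after the last dash; %J: same, unescaped."""
    prefix, _ = split_unit_name(unit)
    j = prefix.rsplit("-", 1)[-1]
    return {"%j": j, "%J": unit_name_unescape(j)}


def shared_dropin_dir(units):
    """Most specific drop-in directory that applies to all of `units`.

    This is where one hardening drop-in (a common SystemCallFilter=,
    ProtectSystem=, ... ) goes to reach every unit of a package whose
    units share a dash-separated name prefix.  None if no single
    directory covers them all (different suffixes or no common prefix).
    """
    common = None
    for unit in units:
        dirs = set(dropin_dirs(unit))
        common = dirs if common is None else common & dirs
    return max(common, key=len) if common else None


if __name__ == "__main__":
    # Constructed unit names; any resemblance to real packages is accidental.
    print(dropin_dirs("foo-bar-baz.service"))
    print(specifiers("mysvc-cache\\x2ddir.service"))
    print(shared_dropin_dir(["acme-api.service", "acme-worker.service",
                             "acme-db-sync.service"]))
```

A practical check after writing such a shared drop-in is `systemctl cat acme-api.service`, which lists every drop-in that PID 1 actually merged, so a prefix that was one dash off shows up immediately.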
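The system.conf NoNewPrivileges= item above says that setting PR_SET_NO_NEW_PRIVS on PID 1 sets it "for all its children"; the same flag is what the new systemd-nspawn --no-new-privileges= switch applies to a container payload. The reason the effect is system-wide is a kernel property: the flag is one-way and is inherited across fork() and execve(). The following is an added demonstration of that property, written for this page and not part of systemd; it is Linux-only, sets the flag on the running interpreter (which cannot be undone for that process), and then spawns a child to show that the child has it too.

```python
"""Why NoNewPrivileges= in system.conf reaches every service.

Added illustration, not systemd code; Linux only.  PR_SET_NO_NEW_PRIVS is
a one-way flag: once set it cannot be cleared, and it is inherited across
fork() and execve().  Set on PID 1 it therefore applies to everything PID 1
spawns, which is why setuid binaries and file capabilities (su, sudo, a
cap_net_raw ping, ...) no longer elevate.  Run as a script it prints the
flag of this process and of a freshly exec'd child, before and after.
"""
import ctypes
import subprocess
import sys

PR_SET_NO_NEW_PRIVS = 38          # constants from <linux/prctl.h>
PR_GET_NO_NEW_PRIVS = 39

_libc = ctypes.CDLL(None, use_errno=True)
_libc.prctl.restype = ctypes.c_int


def no_new_privs_of_self():
    """NoNewPrivs flag of this process as the kernel reports it (0 or 1)."""
    with open("/proc/self/status") as status:
        for line in status:
            if line.startswith("NoNewPrivs:"):
                return int(line.split()[1])
    raise RuntimeError("kernel does not report NoNewPrivs in /proc")


def set_no_new_privs():
    """Set PR_SET_NO_NEW_PRIVS on this process; returns the PR_GET value."""
    if _libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "prctl(PR_SET_NO_NEW_PRIVS) failed")
    return _libc.prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0)


# Child program: report its own flag.  A new interpreter means fork()+execve(),
# i.e. the same path a service or a container payload takes from PID 1.
_CHILD = ("print(next(l.split()[1] for l in open('/proc/self/status') "
          "if l.startswith('NoNewPrivs:')))")


def no_new_privs_of_child():
    """fork()+execve() a fresh interpreter and ask it for its own flag."""
    return int(subprocess.check_output([sys.executable, "-c", _CHILD]))


def demonstrate():
    """Return (parent_before, child_before, parent_after, child_after).

    Before: the child simply mirrors whatever the parent inherited.
    After set_no_new_privs(): parent and child both report 1, and no
    execve() of a setuid or file-capability binary will raise privileges
    for either of them.
    """
    before = (no_new_privs_of_self(), no_new_privs_of_child())
    set_no_new_privs()
    after = (no_new_privs_of_self(), no_new_privs_of_child())
    return before + after


if __name__ == "__main__":
    print("parent/child before, parent/child after:", demonstrate())
```

On a booted system the equivalent check for the NEWS item is `grep NoNewPrivs /proc/1/status` after setting NoNewPrivileges=yes in system.conf: once PID 1 reports 1, every service started afterwards does too, and the breakage of su and sudo that the NEWS warns about follows directly from the flag, not from anything systemd does to those binaries.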