forked from systemd/systemd
-
Notifications
You must be signed in to change notification settings - Fork 0
/
NEWS
5044 lines (4049 loc) · 243 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
systemd System and Service Manager
CHANGES WITH 221:
* The sd-bus.h and sd-event.h APIs have now been declared
stable and have been added to the official interface of
libsystemd.so. sd-bus implements an alternative D-Bus client
library, that is relatively easy to use, very efficient and
supports both classic D-Bus as well as kdbus as transport
backend. sd-event is a generic event loop abstraction that
is built around Linux epoll, but adds features such as event
prioritization or efficient timer handling. Both APIs are good
choices for C programs looking for a bus and/or event loop
implementation that is minimal and does not have to be
portable to other kernels.
* kdbus support is no longer compile-time optional. It is now
always built-in. However, it can still be disabled at
runtime using the kdbus=0 kernel command line setting, and
that setting may be changed to default to off, by specifying
--disable-kdbus at build-time. Note though that the kernel
command line setting has no effect if the kdbus.ko kernel
module is not installed, in which case kdbus is (obviously)
also disabled. We encourage all downstream distributions to
begin testing kdbus by adding it to the kernel images in the
development distributions, and leaving kdbus support in
systemd enabled.
* The minimal required util-linux version has been bumped to
2.26.
* Support for chkconfig (--enable-chkconfig) was removed in
favor of calling an abstraction tool
/lib/systemd/systemd-sysv-install. This needs to be
implemented for your distribution. See "SYSV INIT.D SCRIPTS"
in README for details.
* If there's a systemd unit and a SysV init script for the
same service name, and the user executes "systemctl enable"
for it (or a related call), then this will now enable both
(or execute the related operation on both), not just the
unit.
* The libudev API documentation has been converted from gtkdoc
into man pages.
* gudev has been removed from the systemd tree, it is now an
external project.
* The systemd-cgtop tool learnt a new --raw switch to generate
"raw" (machine parsable) output.
* networkd's IPForwarding= .network file setting learnt the
new setting "kernel", which ensures that networkd does not
change the IP forwarding sysctl from the default kernel
state.
* The systemd-logind bus API now exposes a new boolean
property "Docked" that reports whether logind considers the
system "docked", i.e. connected to a docking station or not.
Contributions from: Alex Crawford, Andreas Pokorny, Andrei
Borzenkov, Charles Duffy, Colin Guthrie, Cristian Rodríguez,
Daniele Medri, Daniel Hahler, Daniel Mack, David Herrmann,
David Mohr, Dimitri John Ledkov, Djalal Harouni, dslul, Ed
Swierk, Eric Cook, Filipe Brandenburger, Gianpaolo Macario,
Harald Hoyer, Iago López Galeiras, Igor Vuk, Jan Synacek,
Jason Pleau, Jason S. McMullan, Jean Delvare, Jeff Huang,
Jonathan Boulle, Karel Zak, Kay Sievers, kloun, Lennart
Poettering, Marc-Antoine Perennou, Marcel Holtmann, Mario
Limonciello, Martin Pitt, Michael Biebl, Michael Olbrich,
Michal Schmidt, Mike Gilbert, Nick Owens, Pablo Lezaeta Reyes,
Patrick Donnelly, Pavel Odvody, Peter Hutterer, Philip
Withnall, Ronny Chevalier, Simon McVittie, Susant Sahani,
Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein
Husebø, Umut Tezduyar Lindskog, Viktar Vauchkevich, Werner
Fink, Zbigniew Jędrzejewski-Szmek
-- Berlin, 2015-06-19
CHANGES WITH 220:
* The gudev library has been extracted into a separate repository
available at: https://git.gnome.org/browse/libgudev/
It is now managed as part of the Gnome project. Distributions
are recommended to pass --disable-gudev to systemd and use
gudev from the Gnome project instead. gudev is still included
in systemd, for now. It will be removed soon, though. Please
also see the announcement-thread on systemd-devel:
http://lists.freedesktop.org/archives/systemd-devel/2015-May/032070.html
* systemd now exposes a CPUUsageNSec= property for each
service unit on the bus, that contains the overall consumed
CPU time of a service (the sum of what each process of the
service consumed). This value is only available if
CPUAccounting= is turned on for a service, and is then shown
in the "systemctl status" output.
* Support for configuring alternative mappings of the old SysV
runlevels to systemd targets has been removed. They are now
hardcoded in a way that runlevels 2, 3, 4 all map to
multi-user.target and 5 to graphical.target (which
previously was already the default behaviour).
* The auto-mounter logic gained support for mount point
expiry, using a new TimeoutIdleSec= setting in .automount
units. (Also available as x-systemd.idle-timeout= in /etc/fstab).
* The EFI System Partition (ESP) as mounted to /boot by
systemd-efi-boot-generator will now be unmounted
automatically after 2 minutes of not being used. This should
minimize the risk of ESP corruptions.
* New /etc/fstab options x-systemd.requires= and
x-systemd.requires-mounts-for= are now supported to express
additional dependencies for mounts. This is useful for
journalling file systems that support external journal
devices or overlay file systems that require underlying file
systems to be mounted.
* systemd does not support direct live-upgrades (via systemctl
daemon-reexec) from versions older than v44 anymore. As no
distribution we are aware of shipped such old versions in a
stable release this should not be problematic.
* When systemd forks off a new per-connection service instance
it will now set the $REMOTE_ADDR environment variable to the
remote IP address, and $REMOTE_PORT environment variable to
the remote IP port. This behaviour is similar to the
corresponding environment variables defined by CGI.
* systemd-networkd gained support for uplink failure
detection. The BindCarrier= option allows binding interface
configuration dynamically to the link sense of other
interfaces. This is useful to achieve behaviour like in
network switches.
* systemd-networkd gained support for configuring the DHCP
client identifier to use when requesting leases.
* systemd-networkd now has a per-network UseNTP= option to
configure whether NTP server information acquired via DHCP
is passed on to services like systemd-timesyncd.
* systemd-networkd gained support for vti6 tunnels.
* Note that systemd-networkd manages the sysctl variable
/proc/sys/net/ipv[46]/conf/*/forwarding for each interface
it is configured for since v219. The variable controls IP
forwarding, and is a per-interface alternative to the global
/proc/sys/net/ipv[46]/ip_forward. This setting is
configurable in the IPForward= option, which defaults to
"no". This means if networkd is used for an interface it is
no longer sufficient to set the global sysctl option to turn
on IP forwarding! Instead, the .network file option
IPForward= needs to be turned on! Note that the
implementation of this behaviour was broken in v219 and has
been fixed in v220.
* Many bonding and vxlan options are now configurable in
systemd-networkd.
* systemd-nspawn gained a new --property= setting to set unit
properties for the container scope. This is useful for
setting resource parameters (e.g "CPUShares=500") on
containers started from the command line.
* systemd-nspawn gained a new --private-users= switch to make
use of user namespacing available on recent Linux kernels.
* systemd-nspawn may now be called as part of a shell pipeline
in which case the pipes used for stdin and stdout are passed
directly to the process invoked in the container, without
indirection via a pseudo tty.
* systemd-nspawn gained a new switch to control the UNIX
signal to use when killing the init process of the container
when shutting down.
* systemd-nspawn gained a new --overlay= switch for mounting
overlay file systems into the container using the new kernel
overlayfs support.
* When a container image is imported via systemd-importd and
the host file system is not btrfs, a loopback block device
file is created in /var/lib/machines.raw with a btrfs file
system inside. It is then mounted to /var/lib/machines to
enable btrfs features for container management. The loopback
file and btrfs file system is grown as needed when container
images are imported via systemd-importd.
* systemd-machined/systemd-importd gained support for btrfs
quota, to enforce container disk space limits on disk. This
is exposed in "machinectl set-limit".
* systemd-importd now can import containers from local .tar,
.raw and .qcow2 images, and export them to .tar and .raw. It
can also import dkr v2 images now from the network (on top
of v1 as before).
* systemd-importd gained support for verifying downloaded
images with gpg2 (previously only gpg1 was supported).
* systemd-machined, systemd-logind, systemd: most bus calls
are now accessible to unprivileged processes via
PolicyKit. Also, systemd-logind will now allow users to kill
their own sessions without further privileges or
authorization.
* systemd-shutdownd has been removed. This service was
previously responsible for implementing scheduled shutdowns
as exposed in /usr/bin/shutdown's time parameter. This
functionality has now been moved into systemd-logind and is
accessible via a bus interface.
* "systemctl reboot" gained a new switch --firmware-setup that
can be used to reboot into the EFI firmware setup, if that
is available. systemd-logind now exposes an API on the bus
to trigger such reboots, in case graphical desktop UIs want
to cover this functionality.
* "systemctl enable", "systemctl disable" and "systemctl mask"
now support a new "--now" switch. If specified the units
that are enabled will also be started, and the ones
disabled/masked also stopped.
* The Gummiboot EFI boot loader tool has been merged into
systemd, and renamed to "systemd-boot". The bootctl tool has been
updated to support systemd-boot.
* An EFI kernel stub has been added that may be used to create
kernel EFI binaries that contain not only the actual kernel,
but also an initrd, boot splash, command line and OS release
information. This combined binary can then be signed as a
single image, so that the firmware can verify it all in one
step. systemd-boot has special support for EFI binaries created
like this and can extract OS release information from them
and show them in the boot menu. This functionality is useful
to implement cryptographically verified boot schemes.
* Optional support has been added to systemd-fsck to pass
fsck's progress report to an AF_UNIX socket in the file
system.
* udev will no longer create device symlinks for all block
devices by default. A blacklist for excluding special block
devices from this logic has been turned into a whitelist
that requires picking block devices explicitly that require
device symlinks.
* A new (currently still internal) API sd-device.h has been
added to libsystemd. This modernized API is supposed to
replace libudev eventually. In fact, already much of libudev
is now just a wrapper around sd-device.h.
* A new hwdb database for storing metadata about pointing
stick devices has been added.
* systemd-tmpfiles gained support for setting file attributes
similar to the "chattr" tool with new 'h' and 'H' lines.
* systemd-journald will no longer unconditionally set the
btrfs NOCOW flag on new journal files. This is instead done
with tmpfiles snippet using the new 'h' line type. This
allows easy disabling of this logic, by masking the
journal-nocow.conf tmpfiles file.
* systemd-journald will now translate audit message types to
human readable identifiers when writing them to the
journal. This should improve readability of audit messages.
* The LUKS logic gained support for the offset= and skip=
options in /etc/crypttab, as previously implemented by
Debian.
* /usr/lib/os-release gained a new optional field VARIANT= for
distributions that support multiple variants (such as a
desktop edition, a server edition, ...)
Contributions from: Aaro Koskinen, Adam Goode, Alban Crequy,
Alberto Fanjul Alonso, Alexander Sverdlin, Alex Puchades, Alin
Rauta, Alison Chaiken, Andrew Jones, Arend van Spriel,
Benedikt Morbach, Benjamin Franzke, Benjamin Tissoires, Blaž
Tomažič, Chris Morgan, Chris Morin, Colin Walters, Cristian
Rodríguez, Daniel Buch, Daniel Drake, Daniele Medri, Daniel
Mack, Daniel Mustieles, daurnimator, Davide Bettio, David
Herrmann, David Strauss, Didier Roche, Dimitri John Ledkov,
Eric Cook, Gavin Li, Goffredo Baroncelli, Hannes Reinecke,
Hans de Goede, Hans-Peter Deifel, Harald Hoyer, Iago López
Galeiras, Ivan Shapovalov, Jan Engelhardt, Jan Janssen, Jan
Pazdziora, Jan Synacek, Jasper St. Pierre, Jay Faulkner, John
Paul Adrian Glaubitz, Jonathon Gilbert, Karel Zak, Kay
Sievers, Koen Kooi, Lennart Poettering, Lubomir Rintel, Lucas
De Marchi, Lukas Nykryn, Lukas Rusak, Lukasz Skalski, Łukasz
Stelmach, Mantas Mikulėnas, Marc-Antoine Perennou, Marcel
Holtmann, Martin Pitt, Mathieu Chevrier, Matthew Garrett,
Michael Biebl, Michael Marineau, Michael Olbrich, Michal
Schmidt, Michal Sekletar, Mirco Tischler, Nir Soffer, Patrik
Flykt, Pavel Odvody, Peter Hutterer, Peter Lemenkov, Peter
Waller, Piotr Drąg, Raul Gutierrez S, Richard Maw, Ronny
Chevalier, Ross Burton, Sebastian Rasmussen, Sergey Ptashnick,
Seth Jennings, Shawn Landden, Simon Farnsworth, Stefan Junker,
Stephen Gallagher, Susant Sahani, Sylvain Plantefève, Thomas
Haller, Thomas Hindoe Paaboel Andersen, Tobias Hunger, Tom
Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Will
Woods, Zachary Cook, Zbigniew Jędrzejewski-Szmek
-- Berlin, 2015-05-22
CHANGES WITH 219:
* Introduce a new API "sd-hwdb.h" for querying the hardware
metadata database. With this minimal interface one can query
and enumerate the udev hwdb, decoupled from the old libudev
library. libudev's interface for this is now only a wrapper
around sd-hwdb. A new tool systemd-hwdb has been added to
interface with and update the database.
* When any of systemd's tools copies files (for example due to
tmpfiles' C lines) a btrfs reflink will attempted first,
before bytewise copying is done.
* systemd-nspawn gained a new --ephemeral switch. When
specified a btrfs snapshot is taken of the container's root
directory, and immediately removed when the container
terminates again. Thus, a container can be started whose
changes never alter the container's root directory, and are
lost on container termination. This switch can also be used
for starting a container off the root file system of the
host without affecting the host OS. This switch is only
available on btrfs file systems.
* systemd-nspawn gained a new --template= switch. It takes the
path to a container tree to use as template for the tree
specified via --directory=, should that directory be
missing. This allows instantiating containers dynamically,
on first run. This switch is only available on btrfs file
systems.
* When a .mount unit refers to a mount point on which multiple
mounts are stacked, and the .mount unit is stopped all of
the stacked mount points will now be unmounted until no
mount point remains.
* systemd now has an explicit notion of supported and
unsupported unit types. Jobs enqueued for unsupported unit
types will now fail with an "unsupported" error code. More
specifically .swap, .automount and .device units are not
supported in containers, .busname units are not supported on
non-kdbus systems. .swap and .automount are also not
supported if their respective kernel compile time options
are disabled.
* machinectl gained support for two new "copy-from" and
"copy-to" commands for copying files from a running
container to the host or vice versa.
* machinectl gained support for a new "bind" command to bind
mount host directories into local containers. This is
currently only supported for nspawn containers.
* networkd gained support for configuring bridge forwarding
database entries (fdb) from .network files.
* A new tiny daemon "systemd-importd" has been added that can
download container images in tar, raw, qcow2 or dkr formats,
and make them available locally in /var/lib/machines, so
that they can run as nspawn containers. The daemon can GPG
verify the downloads (not supported for dkr, since it has no
provisions for verifying downloads). It will transparently
decompress bz2, xz, gzip compressed downloads if necessary,
and restore sparse files on disk. The daemon uses privilege
separation to ensure the actual download logic runs with
fewer privileges than the deamon itself. machinectl has
gained new commands "pull-tar", "pull-raw" and "pull-dkr" to
make the functionality of importd available to the
user. With this in place the Fedora and Ubuntu "Cloud"
images can be downloaded and booted as containers unmodified
(the Fedora images lack the appropriate GPG signature files
currently, so they cannot be verified, but this will change
soon, hopefully). Note that downloading images is currently
only fully supported on btrfs.
* machinectl is now able to list container images found in
/var/lib/machines, along with some metadata about sizes of
disk and similar. If the directory is located on btrfs and
quota is enabled, this includes quota display. A new command
"image-status" has been added that shows additional
information about images.
* machinectl is now able to clone container images
efficiently, if the underlying file system (btrfs) supports
it, with the new "machinectl list-images" command. It also
gained commands for renaming and removing images, as well as
marking them read-only or read-write (supported also on
legacy file systems).
* networkd gained support for collecting LLDP network
announcements, from hardware that supports this. This is
shown in networkctl output.
* systemd-run gained support for a new -t (--pty) switch for
invoking a binary on a pty whose input and output is
connected to the invoking terminal. This allows executing
processes as system services while interactively
communicating with them via the terminal. Most interestingly
this is supported across container boundaries. Invoking
"systemd-run -t /bin/bash" is an alternative to running a
full login session, the difference being that the former
will not register a session, nor go through the PAM session
setup.
* tmpfiles gained support for a new "v" line type for creating
btrfs subvolumes. If the underlying file system is a legacy
file system, this automatically degrades to creating a
normal directory. Among others /var/lib/machines is now
created like this at boot, should it be missing.
* The directory /var/lib/containers/ has been deprecated and
been replaced by /var/lib/machines. The term "machines" has
been used in the systemd context as generic term for both
VMs and containers, and hence appears more appropriate for
this, as the directory can also contain raw images bootable
via qemu/kvm.
* systemd-nspawn when invoked with -M but without --directory=
or --image= is now capable of searching for the container
root directory, subvolume or disk image automatically, in
/var/lib/machines. [email protected] has been updated
to make use of this, thus allowing it to be used for raw
disk images, too.
* A new machines.target unit has been introduced that is
supposed to group all containers/VMs invoked as services on
the system. [email protected] has been updated to
integrate with that.
* machinectl gained a new "start" command, for invoking a
container as a service. "machinectl start foo" is mostly
equivalent to "systemctl start [email protected]",
but handles escaping in a nicer way.
* systemd-nspawn will now mount most of the cgroupfs tree
read-only into each container, with the exception of the
container's own subtree in the name=systemd hierarchy.
* journald now sets the special FS_NOCOW file flag for its
journal files. This should improve performance on btrfs, by
avoiding heavy fragmentation when journald's write-pattern
is used on COW file systems. It degrades btrfs' data
integrity guarantees for the files to the same levels as for
ext3/ext4 however. This should be OK though as journald does
its own data integrity checks and all its objects are
checksummed on disk. Also, journald should handle btrfs disk
full events a lot more gracefully now, by processing SIGBUS
errors, and not relying on fallocate() anymore.
* When journald detects that journal files it is writing to
have been deleted it will immediately start new journal
files.
* systemd now provides a way to store file descriptors
per-service in PID 1.This is useful for daemons to ensure
that fds they require are not lost during a daemon
restart. The fds are passed to the deamon on the next
invocation in the same way socket activation fds are
passed. This is now used by journald to ensure that the
various sockets connected to all the system's stdout/stderr
are not lost when journald is restarted. File descriptors
may be stored in PID 1 via the sd_pid_notify_with_fds() API,
an extension to sd_notify(). Note that a limit is enforced
on the number of fds a service can store in PID 1, and it
defaults to 0, so that no fds may be stored, unless this is
explicitly turned on.
* The default TERM variable to use for units connected to a
terminal, when no other value is explicitly is set is now
vt220 rather than vt102. This should be fairly safe still,
but allows PgUp/PgDn work.
* The /etc/crypttab option header= as known from Debian is now
supported.
* "loginctl user-status" and "loginctl session-status" will
now show the last 10 lines of log messages of the
user/session following the status output. Similar,
"machinectl status" will show the last 10 log lines
associated with a virtual machine or container
service. (Note that this is usually not the log messages
done in the VM/container itself, but simply what the
container manager logs. For nspawn this includes all console
output however.)
* "loginctl session-status" without further argument will now
show the status of the session of the caller. Similar,
"lock-session", "unlock-session", "activate",
"enable-linger", "disable-linger" may now be called without
session/user parameter in which case they apply to the
caller's session/user.
* An X11 session scriptlet is now shipped that uploads
$DISPLAY and $XAUTHORITY into the environment of the systemd
--user daemon if a session begins. This should improve
compatibility with X11 enabled applications run as systemd
user services.
* Generators are now subject to masking via /etc and /run, the
same way as unit files.
* networkd .network files gained support for configuring
per-link IPv4/IPv6 packet forwarding as well as IPv4
masquerading. This is by default turned on for veth links to
containers, as registered by systemd-nspawn. This means that
nspawn containers run with --network-veth will now get
automatic routed access to the host's networks without any
further configuration or setup, as long as networkd runs on
the host.
* systemd-nspawn gained the --port= (-p) switch to expose TCP
or UDP posts of a container on the host. With this in place
it is possible to run containers with private veth links
(--network-veth), and have their functionality exposed on
the host as if their services were running directly on the
host.
* systemd-nspawn's --network-veth switch now gained a short
version "-n", since with the changes above it is now truly
useful out-of-the-box. The [email protected] has been
updated to make use of it too by default.
* systemd-nspawn will now maintain a per-image R/W lock, to
ensure that the same image is not started more than once
writable. (It's OK to run an image multiple times
simultaneously in read-only mode.)
* systemd-nspawn's --image= option is now capable of
dissecting and booting MBR and GPT disk images that contain
only a single active Linux partition. Previously it
supported only GPT disk images with proper GPT type
IDs. This allows running cloud images from major
distributions directly with systemd-nspawn, without
modification.
* In addition to collecting mouse dpi data in the udev
hardware database, there's now support for collecting angle
information for mouse scroll wheels. The database is
supposed to guarantee similar scrolling behavior on mice
that it knows about. There's also support for collecting
information about Touchpad types.
* udev's input_id built-in will now also collect touch screen
dimension data and attach it to probed devices.
* /etc/os-release gained support for a Distribution Privacy
Policy link field.
* networkd gained support for creating "ipvlan", "gretap",
"ip6gre", "ip6gretap" and "ip6tnl" network devices.
* systemd-tmpfiles gained support for "a" lines for setting
ACLs on files.
* systemd-nspawn will now mount /tmp in the container to
tmpfs, automatically.
* systemd now exposes the memory.usage_in_bytes cgroup
attribute and shows it for each service in the "systemctl
status" output, if available.
* When the user presses Ctrl-Alt-Del more than 7x within 2s an
immediate reboot is triggered. This useful if shutdown is
hung and is unable to complete, to expedite the
operation. Note that this kind of reboot will still unmount
all file systems, and hence should not result in fsck being
run on next reboot.
* A .device unit for an optical block device will now be
considered active only when a medium is in the drive. Also,
mount units are now bound to their backing devices thus
triggering automatic unmounting when devices become
unavailable. With this in place systemd will now
automatically unmount left-over mounts when a CD-ROM is
ejected or an USB stick is yanked from the system.
* networkd-wait-online now has support for waiting for
specific interfaces only (with globbing), and for giving up
after a configurable timeout.
* networkd now exits when idle. It will be automatically
restarted as soon as interfaces show up, are removed or
change state. networkd will stay around as long as there is
at least one DHCP state machine or similar around, that keep
it non-idle.
* networkd may now configure IPv6 link-local addressing in
addition to IPv4 link-local addressing.
* The IPv6 "token" for use in SLAAC may now be configured for
each .network interface in networkd.
* Routes configured with networkd may now be assigned a scope
in .network files.
* networkd's [Match] sections now support globbing and lists
of multiple space-separated matches per item.
Contributions from: Alban Crequy, Alin Rauta, Andrey Chaser,
Bastien Nocera, Bruno Bottazzini, Carlos Garnacho, Carlos
Morata Castillo, Chris Atkinson, Chris J. Arges, Christian
Kirbach, Christian Seiler, Christoph Brill, Colin Guthrie,
Colin Walters, Cristian Rodríguez, Daniele Medri, Daniel Mack,
Dave Reisner, David Herrmann, Djalal Harouni, Erik Auerswald,
Filipe Brandenburger, Frank Theile, Gabor Kelemen, Gabriel de
Perthuis, Harald Hoyer, Hui Wang, Ivan Shapovalov, Jan
Engelhardt, Jan Synacek, Jay Faulkner, Johannes Hölzl, Jonas
Ådahl, Jonathan Boulle, Josef Andersson, Kay Sievers, Ken
Werner, Lennart Poettering, Lucas De Marchi, Lukas Märdian,
Lukas Nykryn, Lukasz Skalski, Luke Shumaker, Mantas Mikulėnas,
Manuel Mendez, Marcel Holtmann, Marc Schmitzer, Marko
Myllynen, Martin Pitt, Maxim Mikityanskiy, Michael Biebl,
Michael Marineau, Michael Olbrich, Michal Schmidt, Mindaugas
Baranauskas, Moez Bouhlel, Naveen Kumar, Patrik Flykt, Paul
Martin, Peter Hutterer, Peter Mattern, Philippe De Swert,
Piotr Drąg, Rafael Ferreira, Rami Rosen, Robert Milasan, Ronny
Chevalier, Sangjung Woo, Sebastien Bacher, Sergey Ptashnick,
Shawn Landden, Stéphane Graber, Susant Sahani, Sylvain
Plantefève, Thomas Hindoe Paaboel Andersen, Tim JP, Tom
Gundersen, Topi Miettinen, Torstein Husebø, Umut Tezduyar
Lindskog, Veres Lajos, Vincent Batts, WaLyong Cho, Wieland
Hoffmann, Zbigniew Jędrzejewski-Szmek
-- Berlin, 2015-02-16
CHANGES WITH 218:
* When querying unit file enablement status (for example via
"systemctl is-enabled"), a new state "indirect" is now known
which indicates that a unit might not be enabled itself, but
another unit listed in its Alias= setting might be.
* Similar to the various existing ConditionXYZ= settings for
units there are now matching AssertXYZ= settings. While
failing conditions cause a unit to be skipped, but its job
to succeed, failing assertions declared like this will cause
a unit start operation and its job to fail.
* hostnamed now knows a new chassis type "embedded".
* systemctl gained a new "edit" command. When used on a unit
file this allows extending unit files with .d/ drop-in
configuration snippets or editing the full file (after
copying it from /usr/lib to /etc). This will invoke the
user's editor (as configured with $EDITOR), and reload the
modified configuration after editing.
* "systemctl status" now shows the suggested enablement state
for a unit, as declared in the (usually vendor-supplied)
system preset files.
* nss-myhostname will now resolve the single-label host name
"gateway" to the locally configured default IP routing
gateways, ordered by their metrics. This assigns a stable
name to the used gateways, regardless which ones are
currently configured. Note that the name will only be
resolved after all other name sources (if nss-myhostname is
configured properly) and should hence not negatively impact
systems that use the single-label host name "gateway" in
other contexts.
* systemd-inhibit now allows filtering by mode when listing
inhibitors.
* Scope and service units gained a new "Delegate" boolean
property, which when set allows processes running inside the
unit to further partition resources. This is primarily
useful for systemd user instances as well as container
managers.
* journald will now pick up audit messages directly from
the kernel, and log them like any other log message. The
audit fields are split up and fully indexed. This means that
journalctl in many ways is now a (nicer!) alternative to
ausearch, the traditional audit client. Note that this
implements only a minimal audit client, if you want the
special audit modes like reboot-on-log-overflow, please use
the traditional auditd instead, which can be used in
parallel to journald.
* The ConditionSecurity= unit file option now understands the
special string "audit" to check whether auditing is
available.
* journalctl gained two new commands --vacuum-size= and
--vacuum-time= to delete old journal files until the
remaining ones take up no more the specified size on disk,
or are not older than the specified time.
* A new, native PPPoE library has been added to sd-network,
systemd's library of light-weight networking protocols. This
library will be used in a future version of networkd to
enable PPPoE communication without an external pppd daemon.
* The busctl tool now understands a new "capture" verb that
works similar to "monitor", but writes a packet capture
trace to STDOUT that can be redirected to a file which is
compatible with libcap's capture file format. This can then
be loaded in Wireshark and similar tools to inspect bus
communication.
* The busctl tool now understands a new "tree" verb that shows
the object trees of a specific service on the bus, or of all
services.
* The busctl tool now understands a new "introspect" verb that
shows all interfaces and members of objects on the bus,
including their signature and values. This is particularly
useful to get more information about bus objects shown by
the new "busctl tree" command.
* The busctl tool now understands new verbs "call",
"set-property" and "get-property" for invoking bus method
calls, setting and getting bus object properties in a
friendly way.
* busctl gained a new --augment-creds= argument that controls
whether the tool shall augment credential information it
gets from the bus with data from /proc, in a possibly
race-ful way.
* nspawn's --link-journal= switch gained two new values
"try-guest" and "try-host" that work like "guest" and
"host", but do not fail if the host has no persistent
journalling enabled. -j is now equivalent to
--link-journal=try-guest.
* macvlan network devices created by nspawn will now have
stable MAC addresses.
* A new SmackProcessLabel= unit setting has been added, which
controls the SMACK security label processes forked off by
the respective unit shall use.
* If compiled with --enable-xkbcommon, systemd-localed will
verify x11 keymap settings by compiling the given keymap. It
will spew out warnings if the compilation fails. This
requires libxkbcommon to be installed.
* When a coredump is collected a larger number of metadata
fields is now collected and included in the journal records
created for it. More specifically control group membership,
environment variables, memory maps, working directory,
chroot directory, /proc/$PID/status, and a list of open file
descriptors is now stored in the log entry.
* The udev hwdb now contains DPI information for mice. For
details see:
http://who-t.blogspot.de/2014/12/building-a-dpi-database-for-mice.html
* All systemd programs that read standalone configuration
files in /etc now also support a corresponding series of
.conf.d configuration directories in /etc/, /run/,
/usr/local/lib/, /usr/lib/, and (if configured with
--enable-split-usr) /lib/. In particular, the following
configuration files now have corresponding configuration
directories: system.conf user.conf, logind.conf,
journald.conf, sleep.conf, bootchart.conf, coredump.conf,
resolved.conf, timesyncd.conf, journal-remote.conf, and
journal-upload.conf. Note that distributions should use the
configuration directories in /usr/lib/; the directories in
/etc/ are reserved for the system administrator.
* systemd-rfkill will no longer take the rfkill device name
into account when storing rfkill state on disk, as the name
might be dynamically assigned and not stable. Instead, the
ID_PATH udev variable combined with the rfkill type (wlan,
bluetooth, ...) is used.
* A new service systemd-machine-id-commit.service has been
added. When used on systems where /etc is read-only during
boot, and /etc/machine-id is not initialized (but an empty
file), this service will copy the temporary machine ID
created as replacement into /etc after the system is fully
booted up. This is useful for systems that are freshly
installed with a non-initialized machine ID, but should get
a fixed machine ID for subsequent boots.
* networkd's .netdev files now provide a large set of
configuration parameters for VXLAN devices. Similar, the
bridge port cost parameter is now configurable in .network
files. There's also new support for configuring IP source
routing. networkd .link files gained support for a new
OriginalName= match that is useful to match against the
original interface name the kernel assigned. .network files
may include MTU= and MACAddress= fields for altering the MTU
and MAC address while being connected to a specific network
interface.
* The LUKS logic gained supported for configuring
UUID-specific key files. There's also new support for naming
LUKS device from the kernel command line, using the new
luks.name= argument.
* Timer units may now be transiently created via the bus API
(this was previously already available for scope and service
units). In addition it is now possible to create multiple
transient units at the same time with a single bus call. The
"systemd-run" tool has been updated to make use of this for
running commands on a specified time, in at(1)-style.
* tmpfiles gained support for "t" lines, for assigning
extended attributes to files. Among other uses this may be
used to assign SMACK labels to files.
Contributions from: Alin Rauta, Alison Chaiken, Andrej
Manduch, Bastien Nocera, Chris Atkinson, Chris Leech, Chris
Mayo, Colin Guthrie, Colin Walters, Cristian Rodríguez,
Daniele Medri, Daniel Mack, Dan Williams, Dan Winship, Dave
Reisner, David Herrmann, Didier Roche, Felipe Sateler, Gavin
Li, Hans de Goede, Harald Hoyer, Iago López Galeiras, Ivan
Shapovalov, Jakub Filak, Jan Janssen, Jan Synacek, Joe
Lawrence, Josh Triplett, Kay Sievers, Lennart Poettering,
Lukas Nykryn, Łukasz Stelmach, Maciej Wereski, Mantas
Mikulėnas, Marcel Holtmann, Martin Pitt, Maurizio Lombardi,
Michael Biebl, Michael Chapman, Michael Marineau, Michal
Schmidt, Michal Sekletar, Olivier Brunel, Patrik Flykt, Peter
Hutterer, Przemyslaw Kedzierski, Rami Rosen, Ray Strode,
Richard Schütz, Richard W.M. Jones, Ronny Chevalier, Ross
Lagerwall, Sean Young, Stanisław Pitucha, Susant Sahani,
Thomas Haller, Thomas Hindoe Paaboel Andersen, Tom Gundersen,
Torstein Husebø, Umut Tezduyar Lindskog, Vicente Olivert
Riera, WaLyong Cho, Wesley Dawson, Zbigniew Jędrzejewski-Szmek
-- Berlin, 2014-12-10
CHANGES WITH 217:
* journalctl gained the new options -t/--identifier= to match
on the syslog identifier (aka "tag"), as well as --utc to
show log timestamps in the UTC timezone. journalctl now also
accepts -n/--lines=all to disable line capping in a pager.
* journalctl gained a new switch, --flush, that synchronously
flushes logs from /run/log/journal to /var/log/journal if
persistent storage is enabled. systemd-journal-flush.service
now waits until the operation is complete.
* Services can notify the manager before they start a reload
(by sending RELOADING=1) or shutdown (by sending
STOPPING=1). This allows the manager to track and show the
internal state of daemons and closes a race condition when
the process is still running but has closed its D-Bus
connection.
* Services with Type=oneshot do not have to have any ExecStart
commands anymore.
* User units are now loaded also from
$XDG_RUNTIME_DIR/systemd/user/. This is similar to the
/run/systemd/user directory that was already previously
supported, but is under the control of the user.
* Job timeouts (i.e. time-outs on the time a job that is
queued stays in the run queue) can now optionally result in
immediate reboot or power-off actions (JobTimeoutAction= and
JobTimeoutRebootArgument=). This is useful on ".target"
units, to limit the maximum time a target remains
undispatched in the run queue, and to trigger an emergency
operation in such a case. This is now used by default to
turn off the system if boot-up (as defined by everything in
basic.target) hangs and does not complete for at least
15min. Also, if power-off or reboot hang for at least 30min
an immediate power-off/reboot operation is triggered. This
functionality is particularly useful to increase reliability
on embedded devices, but also on laptops which might
accidentally get powered on when carried in a backpack and
whose boot stays stuck in a hard disk encryption passphrase
question.
* systemd-logind can be configured to also handle lid switch
events even when the machine is docked or multiple displays
are attached (HandleLidSwitchDocked= option).
* A helper binary and a service have been added which can be
used to resume from hibernation in the initramfs. A
generator will parse the resume= option on the kernel
command line to trigger resume.
* A user console daemon systemd-consoled has been
added. Currently, it is a preview, and will so far open a
single terminal on each session of the user marked as
Desktop=systemd-console.
* Route metrics can be specified for DHCP routes added by
systemd-networkd.
* The SELinux context of socket-activated services can be set
from the information provided by the networking stack
(SELinuxContextFromNet= option).
* Userspace firmware loading support has been removed and
the minimum supported kernel version is thus bumped to 3.7.
* Timeout for udev workers has been increased from 1 to 3
minutes, but a warning will be printed after 1 minute to
help diagnose kernel modules that take a long time to load.
* Udev rules can now remove tags on devices with TAG-="foobar".
* systemd's readahead implementation has been removed. In many
circumstances it didn't give expected benefits even for
rotational disk drives and was becoming less relevant in the
age of SSDs. As none of the developers has been using
rotating media anymore, and nobody stepped up to actively
maintain this component of systemd it has now been removed.
* Swap units can use Options= to specify discard options.
Discard options specified for swaps in /etc/fstab are now
respected.
* Docker containers are now detected as a separate type of
virtualization.
* The Password Agent protocol gained support for queries where
the user input is shown, useful e.g. for user names.
systemd-ask-password gained a new --echo option to turn that
on.
* The default sysctl.d/ snippets will now set:
net.core.default_qdisc = fq_codel
This selects Fair Queuing Controlled Delay as the default
queuing discipline for network interfaces. fq_codel helps
fight the network bufferbloat problem. It is believed to be
a good default with no tuning required for most workloads.
Downstream distributions may override this choice. On 10Gbit
servers that do not do forwarding, "fq" may perform better.
Systems without a good clocksource should use "pfifo_fast".
* If kdbus is enabled during build a new option BusPolicy= is
available for service units, that allows locking all service
processes into a stricter bus policy, in order to limit
access to various bus services, or even hide most of them
from the service's view entirely.
* networkctl will now show the .network and .link file
networkd has applied to a specific interface.
* sd-login gained a new API call sd_session_get_desktop() to
query which desktop environment has been selected for a
session.
* UNIX utmp support is now compile-time optional to support
legacy-free systems.
* systemctl gained two new commands "add-wants" and
"add-requires" for pulling in units from specific targets
easily.
* If the word "rescue" is specified on the kernel command line
the system will now boot into rescue mode (aka
rescue.target), which was previously available only by
specifying "1" or "systemd.unit=rescue.target" on the kernel
command line. This new kernel command line option nicely
mirrors the already existing "emergency" kernel command line
option.
* New kernel command line options mount.usr=, mount.usrflags=,
mount.usrfstype= have been added that match root=, rootflags=,
rootfstype= but allow mounting a specific file system to
/usr.
* The $NOTIFY_SOCKET is now also passed to control processes of
services, not only the main process.
* This version reenables support for fsck's -l switch. This
means at least version v2.25 of util-linux is required for
operation, otherwise dead-locks on device nodes may
occur. Again: you need to update util-linux to at least
v2.25 when updating systemd to v217.
* The "multi-seat-x" tool has been removed from systemd, as
its functionality has been integrated into X servers 1.16,
and the tool is hence redundant. It is recommended to update
display managers invoking this tool to simply invoke X
directly from now on, again.
* Support for the new ALLOW_INTERACTIVE_AUTHORIZATION D-Bus
message flag has been added for all of systemd's PolicyKit
authenticated method calls has been added. In particular
this now allows optional interactive authorization via
PolicyKit for many of PID1's privileged operations such as
unit file enabling and disabling.
* "udevadm hwdb --update" learnt a new switch "--usr" for
placing the rebuilt hardware database in /usr instead of
/etc. When used only hardware database entries stored in
/usr will be used, and any user database entries in /etc are
ignored. This functionality is useful for vendors to ship a