Opened 2 years ago

Closed 2 years ago

#4841 closed task (fixed)


Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: normal Milestone: 11.0
Component: Book Version: SVN
Severity: normal Keywords:


New version.

Change History (5)

comment:1 by Bruce Dubbs, 2 years ago

Milestone: 10.2 → 11.0

Milestone renamed

comment:2 by Douglas R. Reno, 2 years ago

Owner: changed from lfs-book to Douglas R. Reno
Status: new → assigned

comment:3 by Douglas R. Reno, 2 years ago


        * A concept of system extension images is introduced. Such images may
          be used to extend the /usr/ and /opt/ directory hierarchies at
          runtime with additional files (even if the file system is read-only).
          When a system extension image is activated, its /usr/ and /opt/
          hierarchies and os-release information are combined via overlayfs
          with the file system hierarchy of the host OS.

          A new systemd-sysext tool can be used to merge, unmerge, list, and
          refresh system extension hierarchies. See

          The systemd-sysext.service automatically merges installed system
          extensions during boot (before, but not in very early
          boot, since various file systems have to be mounted first).

          The SYSEXT_LEVEL= field in os-release(5) may be used to specify the
          supported system extension level.

        * A new ExtensionImages= unit setting can be used to apply the same
          system extension image concept from systemd-sysext to the namespaced
          file hierarchy of specific services, following the same rules and

        * Support for a new special "root=tmpfs" kernel command-line option has
          been added. When specified, a tmpfs is mounted on /, and mount.usr=
          should be used to point to the operating system implementation.

        * A new configuration file /etc/veritytab may be used to configure
          dm-verity integrity protection for block devices. Each line is in the
          format "volume-name data-device hash-device roothash options",
          similar to /etc/crypttab.

        * A new kernel command-line option systemd.verity.root_options= may be
          used to configure dm-verity behaviour for the root device.

        * The key file specified in /etc/crypttab (the third field) may now
          refer to an AF_UNIX/SOCK_STREAM socket in the file system. The key is
          acquired by connecting to that socket and reading from it. This
          allows the implementation of a service to provide key information
          dynamically, at the moment when it is needed.

        * When the hostname is set explicitly to "localhost", systemd-hostnamed
          will respect this. Previously such a setting would be mostly silently
          ignored. The goal is to honour configuration as specified by the

        * The fallback hostname that will be used by the system manager and
          systemd-hostnamed can now be configured in two new ways: by setting
          DEFAULT_HOSTNAME= in os-release(5), or by setting
          $SYSTEMD_DEFAULT_HOSTNAME in the environment block. As before, it can
          also be configured during compilation. The environment variable is
          intended for testing and local overrides, the os-release(5) field is
          intended to allow customization by different variants of a
          distribution that share the same compiled packages.

        * The environment block of the manager itself may be configured through
          a new ManagerEnvironment= setting in system.conf or user.conf. This
          complements existing ways to set the environment block (the kernel
          command line for the system manager, the inherited environment and
          user@.service unit file settings for the user manager).

        * systemd-hostnamed now exports the default hostname and the source of
          the configured hostname ("static", "transient", or "default") as
          D-Bus properties.

        * systemd-hostnamed now exports the "HardwareVendor" and
          "HardwareModel" D-Bus properties, which are supposed to contain a
          pair of cleaned up, human readable strings describing the system's
          vendor and model. It's typically sourced from the firmware's DMI
          tables, but may be augmented from a new hwdb database. hostnamectl
          shows this in the status output.

        * Support has been added to systemd-cryptsetup for extracting the
          PKCS#11 token URI and encrypted key from the LUKS2 JSON embedded
          metadata header. This allows the information on how to open the
          encrypted device to be embedded directly in the device and obviates
          the need for configuration in an external file.

        * systemd-cryptsetup gained support for unlocking LUKS2 volumes using
          TPM2 hardware, as well as FIDO2 security tokens (in addition to the
          pre-existing support for PKCS#11 security tokens).

        * systemd-repart may enroll encrypted partitions using TPM2
          hardware. This may be useful for example to create an encrypted /var
          partition bound to the machine on first boot.

        * A new systemd-cryptenroll tool has been added to enroll TPM2, FIDO2
          and PKCS#11 security tokens to LUKS volumes, list and destroy
          them. See:

          It also supports enrolling "recovery keys" and regular passphrases.

        * The libfido2 dependency is now based on dlopen(), so that the library
          is used at runtime when installed, but is not a hard runtime

        * systemd-cryptsetup gained support for two new options in
          /etc/crypttab: "no-write-workqueue" and "no-read-workqueue" which
          request synchronous processing of encryption/decryption IO.

        * The manager may be configured at compile time to use the fexecve()
          instead of the execve() system call when spawning processes. Using
          fexecve() closes a window between checking the security context of an
          executable and spawning it, but unfortunately the kernel displays
          stale information in the process' "comm" field, which impacts ps
          output and such.

        * The configuration option -Dcompat-gateway-hostname has been dropped.
          "_gateway" is now the only supported name.

        * The ConditionSecurity=tpm2 unit file setting may be used to check if
          the system has at least one TPM2 (tpmrm class) device.

        * A new ConditionCPUFeature= has been added that may be used to
          conditionalize units based on CPU features. For example,
          ConditionCPUFeature=rdrand will condition a unit so that it is only
          run when the system CPU supports the RDRAND opcode.

        * The existing ConditionControlGroupController= setting has been
          extended with two new values "v1" and "v2". "v2" means that the
          unified v2 cgroup hierarchy is used, and "v1" means that legacy v1
          hierarchy or the hybrid hierarchy are used.

        * A new PrivateIPC= setting on a unit file allows executed processes to
          be moved into a private IPC namespace, with separate System V IPC
          identifiers and POSIX message queues.

          A new IPCNamespacePath= allows the unit to be joined to an existing
          IPC namespace.

        * The tables of system calls in seccomp filters are now automatically
          generated from kernel lists exported on

          The following architectures should now have complete lists:
          alpha, arc, arm64, arm, i386, ia64, m68k, mips64n32, mips64, mipso32,
          powerpc, powerpc64, s390, s390x, tilegx, sparc, x86_64, x32.

        * The MountAPIVFS= service file setting now additionally mounts a tmpfs
          on /run/ if it is not already a mount point. A writable /run/ has
          always been a requirement for a functioning system, but this was not
          guaranteed when using a read-only image.

          Users can always specify BindPaths= or InaccessiblePaths= as
          overrides, and they will take precedence. If the host's root mount
          point is used, there is no change in behaviour.

        * New bind mounts and file system image mounts may be injected into the
          mount namespace of a service (without restarting it). This is exposed
          respectively as 'systemctl bind <unit> <path>…' and
          'systemctl mount-image <unit> <image>…'.

        * The StandardOutput= and StandardError= settings can now specify files
          to be truncated for output (as "truncate:<path>").

        * The ExecPaths= and NoExecPaths= settings may be used to specify
          noexec for parts of the file system.

        * sd-bus has a new function sd_bus_open_user_machine() to open a
          connection to the session bus of a specific user in a local container
          or on the local host. This is exposed in the existing -M switch to
          systemctl and similar tools:

              systemctl --user -M lennart@foobar start foo

          This will connect to the user bus of a user "lennart" in container
          "foobar". If no container name is specified, the specified user on
          the host itself is connected to:

              systemctl --user -M lennart@ start quux

        * sd-bus also gained a convenience function sd_bus_message_send() to
          simplify invocations of sd_bus_send(), taking only a single
          parameter: the message to send.

        * sd-event allows rate limits to be set on event sources, for dealing
          with high-priority event sources that might starve out others. See
          the new man page sd_event_source_set_ratelimit(3) for details.

        * files gained a [Link] Promiscuous= switch, which allows
          the device to be raised in promiscuous mode.

          New [Link] TransmitQueues= and ReceiveQueues= settings allow the
          number of TX and RX queues to be configured.

          New [Link] TransmitQueueLength= setting allows the size of the TX
          queue to be configured.

          New [Link] GenericSegmentOffloadMaxBytes= and
          GenericSegmentOffloadMaxSegments= allow capping the packet size and
          the number of segments accepted in Generic Segment Offload.

        * systemd-networkd gained support for the "B.A.T.M.A.N. advanced"
          wireless routing protocol that operates on ISO/OSI Layer 2 only and
          uses ethernet frames to route/bridge packets. This encompasses a new
          "batadv" netdev Type=, a new [BatmanAdvanced] section with a bunch of
          new settings in .netdev files, and a new BatmanAdvanced= setting in
          .network files.

        * files gained a [Network] RouteTable= configuration
          switch to select the routing policy table.

        * files gained a [RoutingPolicyRule] Type=
          configuration switch (one of "blackhole", "unreachable", "prohibit").

        * files gained a [IPv6AcceptRA] RouteDenyList= and
          RouteAllowList= settings to ignore/accept route advertisements from
          routers matching specified prefixes. The DenyList= setting has been
          renamed to PrefixDenyList= and a new PrefixAllowList= option has been

        * files gained a [DHCPv6] UseAddress= setting to
          optionally ignore the address provided in the lease.

        * files gained a [DHCPv6PrefixDelegation]
          ManageTemporaryAddress= switch.

        * files gained a new ActivationPolicy= setting which
          allows configuring how the UP state of an interface shall be managed,
          i.e. whether the interface is always upped, always downed, or may be
          upped/downed by the user using "ip link set dev".

        * The default for the Broadcast= setting in .network files has slightly
          changed: the broadcast address will not be configured for wireguard

        * systemd.netdev files gained a [VLAN] Protocol=, IngressQOSMaps=,
          EgressQOSMaps=, and [MACVLAN] BroadcastMulticastQueueLength=
          configuration options for VLAN packet handling.

        * udev rules may now set log_level= option. This allows debug logs to
          be enabled for select events, e.g. just for a specific subsystem or
          even a single device.

        * udev now exports the VOLUME_ID, LOGICAL_VOLUME_ID, VOLUME_SET_ID, and
          DATA_PREPARED_ID properties for block devices with ISO9660 file

        * udev now exports decoded DMI information about installed memory slots
          as device properties under the /sys/class/dmi/id/ pseudo device.

        * /dev/ is not mounted noexec anymore. This didn't provide any
          significant security benefits and would conflict with the executable
          mappings used with /dev/sgx device nodes. The previous behaviour can
          be restored for individual services with NoExecPaths=/dev (or by allow-
          listing and excluding /dev from ExecPaths=).

        * Permissions for /dev/vsock are now set to 0o666, and /dev/vhost-vsock
          and /dev/vhost-net are owned by the kvm group.

        * The hardware database has been extended with a list of fingerprint
          readers that correctly support USB auto-suspend using data from

        * systemd-resolved can now answer DNSSEC questions through the stub
          resolver interface in a way that allows local clients to do DNSSEC
          validation themselves. For a question with DO+CD set, it'll proxy the
          DNS query and respond with a mostly unmodified packet received from
          the upstream server.

        * systemd-resolved learnt a new boolean option CacheFromLocalhost= in
          resolved.conf. If true the service will provide caching even for DNS
          lookups made to an upstream DNS server on the
          addresses. By default (and when the option is false) systemd-resolved
          will not cache such lookups, in order to avoid duplicate local
          caching, under the assumption the local upstream server caches

        * systemd-resolved now implements RFC5001 NSID in its local DNS
          stub. This may be used by local clients to determine whether they are
          talking to the DNS resolver stub or a different DNS server.

        * When resolving host names and other records resolvectl will now
          report where the data was acquired from (i.e. the local cache, the
          network, locally synthesized, …) and whether the network traffic it
          effected was encrypted or not. Moreover the tool acquired a number of
          new options --cache=, --synthesize=, --network=, --zone=,
          --trust-anchor=, --validate= that take booleans and may be used to
          tweak a lookup, i.e. whether it may be answered from cached
          information, locally synthesized information, information acquired
          through the network, the local mDNS/LLMNR zone, the DNSSEC trust
          anchor, and whether DNSSEC validation shall be executed for the

        * systemd-nspawn gained a new --ambient-capability= setting
          (AmbientCapability= in .nspawn files) to configure ambient
          capabilities passed to the container payload.

        * systemd-nspawn gained the ability to configure the firewall using the
          nftables subsystem (in addition to the existing iptables
          support). Similarly, systemd-networkd's IPMasquerade= option now
          supports nftables as back-end, too. In both cases NAT on IPv6 is now
          supported too, in addition to IPv4 (the iptables back-end still is

          "IPMasquerade=yes", which was the same as "IPMasquerade=ipv4" before,
          retains its meaning, but has been deprecated. Please switch to either
          "ipv4" or "both" (if covering IPv6 is desired).

        * systemd-importd will now download .verity and .roothash.p7s files
          along with the machine image (as exposed via machinectl pull-raw).

        * systemd-oomd now gained a new DefaultMemoryPressureDurationSec=
          setting to configure the time a unit's cgroup needs to exceed memory
          pressure limits before action will be taken, and a new
          ManagedOOMPreference=none|avoid|omit setting to avoid killing certain

          systemd-oomd is now considered fully supported (the usual
          backwards-compatibility promises apply). Swap is not required for
          operation, but it is still recommended.

        * systemd-timesyncd gained a new ConnectionRetrySec= setting which
          configures the retry delay when trying to contact servers.

        * systemd-stdio-bridge gained --system/--user options to connect to the
          system bus (previous default) or the user session bus.

        * systemd-localed may now call locale-gen to generate missing locales
          on-demand (UTF-8-only). This improves integration with Debian-based
          distributions (Debian/Ubuntu/PureOS/Tanglu/...) and Arch Linux.

        * systemctl --check-inhibitors=true may now be used to obey inhibitors
          even when invoked non-interactively. The old --ignore-inhibitors
          switch is now deprecated and replaced by --check-inhibitors=false.

        * systemctl import-environment will now emit a warning when called
          without any arguments (i.e. to import the full environment block of
          the called program). This command will usually be invoked from a
          shell, which means that it'll inherit a bunch of variables which are
          specific to that shell, and usually to the TTY the shell is connected
          to, and don't have any meaning in the global context of the system or
          user service manager. Instead, only specific variables should be
          imported into the manager environment block.

          Similarly, programs which update the manager environment block by
          directly calling the D-Bus API of the manager, should also push
          specific variables, and not the full inherited environment.

        * systemctl's status output now shows unit state with a more careful
          choice of Unicode characters: units in maintenance show a "○" symbol
          instead of the usual "●", failed units show "×", and services being
          reloaded "↻".

        * coredumpctl gained a --debugger-arguments= switch to pass arguments
          to the debugger. It also gained support for showing coredump info in
          a simple JSON format.

        * systemctl/loginctl/machinectl's --signal= option now accepts a special
          value "list", which may be used to show a brief table with known
          process signals and their numbers.

        * networkctl now shows the link activation policy in status.

        * Various tools gained --pager/--no-pager/--json= switches to
          enable/disable the pager and provide JSON output.

        * Various tools now accept two new values for the SYSTEMD_COLORS
          environment variable: "16" and "256", to configure how many terminal
          colors are used in output.

        * less 568 or newer is now required for the auto-paging logic of the
          various tools. Hyperlink ANSI sequences in terminal output are now
          used even if a pager is used, and older versions of less are not able
          to display these sequences correctly. SYSTEMD_URLIFY=0 may be used to
          disable this output again.

        * Builds with support for separate / and /usr/ hierarchies ("split-usr"
          builds, non-merged-usr builds) are now officially deprecated. A
          warning is emitted during build. Support is slated to be removed in
          about a year (when the Debian Bookworm release development starts).

        * Systems with the legacy cgroup v1 hierarchy are now marked as
          "tainted", to make it clearer that using the legacy hierarchy is not

        * systemd-localed will now refuse to configure a keymap which is not
          installed in the file system. This is intended as a bug fix, but
          could break cases where systemd-localed was used to configure the
          keymap in advance of it being installed. It is necessary to install
          the keymap file first.

        * The main git development branch has been renamed to 'main'.

        * mmcblk[0-9]boot[0-9] devices will no longer be probed automatically
          for partitions, as in the vast majority of cases they contain none
          and are used internally by the bootloader (eg: uboot).

        * systemd will now set the $SYSTEMD_EXEC_PID environment variable for
          spawned processes to the PID of the process itself. This may be used
          by programs for detecting whether they were forked off by the service
          manager itself or are a process forked off further down the tree.

        * The sd-device API gained four new calls: sd_device_get_action() to
          determine the uevent add/remove/change/… action the device object has
          been seen for, sd_device_get_seqno() to determine the uevent sequence
          number, sd_device_new_from_stat_rdev() to allocate a new sd_device
          object from stat(2) data of a device node, and sd_device_trigger() to
          write to the 'uevent' attribute of a device.

        * For most tools the --no-legend= switch has been replaced by
          --legend=no and --legend=yes, to force whether tables are shown with

        * Units acquired a new property "Markers" that takes a list of zero,
          one or two of the following strings: "needs-reload" and
          "needs-restart". These markers may be set via "systemctl
          set-property". Once a marker is set, "systemctl reload-or-restart
          --marked" may be invoked to execute the operation the units are
          marked for. This is useful for package managers that want to mark
          units for restart/reload while updating, but effect the actual
          operations at a later step at once.

        * The sd_bus_message_read_strv() API call of sd-bus may now also be
          used to parse arrays of D-Bus signatures and D-Bus paths, in addition
          to regular strings.

        * bootctl will now report whether the UEFI firmware used a TPM2 device
          and measured the boot process into it.

        * systemd-tmpfiles learnt support for a new environment variable
          $SYSTEMD_TMPFILES_FORCE_SUBVOL which takes a boolean value. If true
          the v/q/Q lines in tmpfiles.d/ snippets will create btrfs subvolumes
          even if the root fs of the system is not itself a btrfs volume.

        * systemd-detect-virt/ConditionVirtualization= will now explicitly
          detect Docker/Podman environments where possible. Moreover, they
          should be able to generically detect any container manager as long as
          it assigns the container a cgroup.

        * portablectl gained a new "reattach" verb for detaching/reattaching a
          portable service image, useful for updating images on-the-fly.

        * Intel SGX enclave device nodes (which expose a security feature of
          newer Intel CPUs) will now be owned by a new system group "sgx".
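The crypttab change quoted above (the third field may name an AF_UNIX/SOCK_STREAM socket; the key is obtained by connecting and reading until EOF) is easiest to understand from both ends. The following is an added example, not systemd code and not part of the ticket: a minimal key-provider service and a client that reads the key the way systemd-cryptsetup would. The SO_PEERCRED uid check, the 0600 socket mode and the names `serve_key_once`/`fetch_key`/`demo` are this example's own choices, not anything the NEWS entry specifies; it assumes Linux, since SO_PEERCRED is Linux-specific.

```python
"""Key-provider socket for a crypttab entry (added example; not systemd code).

A crypttab line such as  data /dev/sdb2 /run/keyprovider/luks-key.sock luks
(constructed example path) makes systemd-cryptsetup connect to the socket and
read the key until EOF.  The provider below answers exactly that protocol, and
only hands the key to a peer whose uid is in an allow-list.
"""
import os
import socket
import struct
import tempfile
import threading

# Constructed sample key; a real provider would fetch or derive it on demand.
SAMPLE_KEY = bytes(range(32))


def _peer_uid(conn: socket.socket) -> int:
    """Return the uid of the connecting process via SO_PEERCRED (Linux only).

    struct ucred is three ints: pid, uid, gid.
    """
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                            struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid


def serve_key_once(sock_path: str, key: bytes,
                   allowed_uids: frozenset) -> threading.Thread:
    """Listen on an AF_UNIX/SOCK_STREAM socket and serve `key` to one client.

    The socket node is created 0600 (via umask) and the peer uid is checked
    with SO_PEERCRED.  An unauthorised peer gets an immediate EOF, i.e. it
    reads zero bytes, which the client side treats as "no key".
    """
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)          # resulting socket mode: 0600
    try:
        srv.bind(sock_path)
    finally:
        os.umask(old_umask)
    srv.listen(1)

    def _serve() -> None:
        try:
            conn, _ = srv.accept()
            with conn:
                if _peer_uid(conn) in allowed_uids:
                    conn.sendall(key)    # key bytes, then EOF on close()
        finally:
            srv.close()
            try:
                os.unlink(sock_path)
            except FileNotFoundError:
                pass

    thread = threading.Thread(target=_serve, daemon=True)
    thread.start()
    return thread


def fetch_key(sock_path: str) -> bytes:
    """Client side, as the NEWS entry describes it: connect, read until EOF."""
    chunks = []
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.connect(sock_path)
        while True:
            data = client.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo(allowed_uids=None) -> bytes:
    """Run provider and client in-process; return the key the client obtained.

    With the default allow-list (our own uid) the sample key comes back; with
    an empty allow-list the client reads EOF at once and gets b"".
    """
    if allowed_uids is None:
        allowed_uids = frozenset({os.getuid()})
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "luks-key.sock")   # constructed path
        thread = serve_key_once(path, SAMPLE_KEY, allowed_uids)
        key = fetch_key(path)
        thread.join(timeout=5)
    return key


if __name__ == "__main__":
    print("authorised client got", len(demo()), "key bytes")
    print("unauthorised client got", len(demo(frozenset())), "key bytes")
```

The provider never writes the key to disk and decides per connection whether to release it, which is the point of the socket variant over a key file: the material exists only for the moment it is requested, and the provider can log or refuse each request.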

comment:4 by Douglas R. Reno, 2 years ago

The patch for systemd-248's FTBFS with meson-0.57.2 and Linux-5.11 is already in the repo as "systemd-248-upstream_fixes-1.patch" - thank you Xi!

systemd-oomd will be UID/GID 81.

Xi already made a man-pages tarball for me. I've uploaded it to both anduin and gimli, and put it in the proper spots

comment:5 by Douglas R. Reno, 2 years ago

Resolution: fixed
Status: assigned → closed