systemd-254 (and udev from it)

[Xi Ruoyao]

New release.

[Xi Ruoyao]

Announcements of Future Feature Removals and Incompatible Changes:

• The next release (v255) will remove support for split-usr (/usr/ mounted separately during late boot, instead of being mounted by the initrd before switching to the rootfs) and unmerged-usr (parallel directories /bin/ and /usr/bin/, /lib/ and /usr/lib/, …). For more details, see: ​https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

• We intend to remove cgroup v1 support from a systemd release after the end of 2023. If you run services that make explicit use of cgroup v1 features (i.e. the "legacy hierarchy" with separate hierarchies for each controller), please implement compatibility with cgroup v2 (i.e. the "unified hierarchy") sooner rather than later. Most of Linux userspace has been ported over already.

• Support for System V service scripts is now deprecated and will be removed in a future release. Please make sure to update your software *now* to include a native systemd unit file instead of a legacy System V script to retain compatibility with future systemd releases.

• Support for the SystemdOptions EFI variable is deprecated. 'bootctl systemd-efi-options' will emit a warning when used. It seems that this feature is little-used and it is better to use alternative approaches like credentials and confexts. The plan is to drop support altogether at a later point, but this might be revisited based on user feedback.

• EnvironmentFile= now treats the line following a comment line trailing with escape as a non comment line. For details, see: ​https://github.com/systemd/systemd/issues/27975

• Behaviour of sandboxing options for the per-user service manager units has changed. They now imply PrivateUsers=yes, which means user namespaces will be implicitly enabled when a sandboxing option is enabled in a user unit. Enabling user namespaces has the drawback that system users will no longer be visible (and processes/files will appear as owned by 'nobody') in the user unit.

By definition a sandboxed user unit should run with reduced privileges, so impact should be small. This will remove a great source of confusion that has been reported by users over the years, due to how these options require an extra setting to be manually enabled when used in the per-user service manager, which is not needed in the system service manager. For more details, see: ​https://lists.freedesktop.org/archives/systemd-devel/2022-December/048682.html

• systemd-run's switch --expand-environment= which currently is disabled by default when combined with --scope, will be changed in a future release to be enabled by default.

Security Relevant Changes:

• pam_systemd will now by default pass the CAP_WAKE_ALARM ambient process capability to invoked session processes of regular users on local seats (as well as to systemd --user), unless configured otherwise via data from JSON user records, or via the PAM module's parameter list. This is useful in order allow desktop tools such as GNOME's Alarm Clock application to set a timer for CLOCK_REALTIME_ALARM that wakes up the system when it elapses. A per-user service unit file may thus use AmbientCapability= to pass the capability to invoked processes. Note that this capability is relatively narrow in focus (in particular compared to other process capabilities such as CAP_SYS_ADMIN) and we already — by default — permit more impactful operations such as system suspend to local users.

Service Manager:

• "Startup" memory settings are now supported. Previously IO and CPU settings were already supported via StartupCPUWeight= and similar. The same logic has been added for the various per-unit memory settings StartupMemoryMax= and related.

• The service manager gained support for enqueuing POSIX signals to services that carry an additional integer value, exposing the sigqueue() system call. This is accessible via new D-Bus calls org.freedesktop.systemd1.Manager.QueueSignalUnit() and org.freedesktop.systemd1.Unit.QueueSignal(), as well as in systemctl via the new --kill-value= option.

• systemctl gained a new "list-paths" verb, which shows all currently active .path units, similarly to how "systemctl list-timers" shows active timers, and "systemctl list-sockets" shows active sockets.

• systemctl gained a new --when= switch which is honoured by the various forms of shutdown (i.e. reboot, kexec, poweroff, halt) and allows scheduling these operations by time, similar in fashion to how this has been supported by SysV shutdown.

• If MemoryDenyWriteExecute= is enabled for a service and the kernel supports the new PR_SET_MDWE prctl() call, it is used instead of the seccomp()-based system call filter to achieve the same effect.

• A new set of kernel command line options is now understood: systemd.tty.term.<name>=, systemd.tty.rows.<name>=, systemd.tty.columns.<name>= allow configuring the TTY type and dimensions for the tty specified via <name>. When systemd invokes a service on a tty (via TTYName=) it will look for these and configure the TTY accordingly. This is particularly useful in VM environments to propagate host terminal settings into the appropriate TTYs of the guest.

• A new RootEphemeral= setting is now understood in service units. It takes a boolean argument. If enabled for services that use RootImage= or RootDirectory= an ephemeral copy of the disk image or directory tree is made when the service is started. It is removed automatically when the service is stopped. That ephemeral copy is made using btrfs/xfs reflinks or btrfs snapshots, if available.

• The service activation logic gained new settings RestartSteps= and RestartMaxDelaySec= which allow exponentially-growing restart intervals for Restart=.

• The service activation logic gained a new setting RestartMode= which can be set to 'direct' to skip the inactive/failed states when restarting, so that dependent units are not notified until the service converges to a final (successful or failed) state. For example, this means that OnSuccess=/OnFailure= units will not be triggered until the service state has converged.

• PID 1 will now automatically load the virtio_console kernel module during early initialization if running in a suitable VM. This is done so that early-boot logging can be written to the console if available.

• Similarly, virtio-vsock support is loaded early in suitable VM environments. PID 1 will send sd_notify() notifications via AF_VSOCK to the VMM if configured, thus loading this early is beneficial.

• A new verb "fdstore" has been added to systemd-analyze to show the current contents of the file descriptor store of a unit. This is backed by a new D-Bus call DumpUnitFileDescriptorStore() provided by the service manager.

• The service manager will now set a new $FDSTORE environment variable when invoking processes for services that have the file descriptor store enabled.

• A new service option FileDescriptorStorePreserve= has been added that allows tuning the life-cycle of the per-service file descriptor store. If set to "yes", the entries in the fd store are retained even after the service has been fully stopped.

• The "systemctl clean" command may now be used to clear the fdstore of a service.

• Unit *.preset files gained a new directive "ignore", in addition to the existing "enable" and "disable". As the name suggests, matching units are left unchanged, i.e. neither enabled nor disabled.

• Service units gained a new setting DelegateSubgroup=. It takes the name of a sub-cgroup to place any processes the service manager forks off in. Previously, the service manager would place all service processes directly in the top-level cgroup it created for the service. This usually meant that main process in a service with delegation enabled would first have to create a subgroup and move itself down into it, in order to not conflict with the "no processes in inner cgroups" rule of cgroup v2. With this option, this step is now handled by PID 1.

• The service manager will now look for .upholds/ directories, similarly to the existing support for .wants/ and .requires/ directories. Symlinks in this directory result in Upholds= dependencies.

The [Install] section of unit files gained support for a new UpheldBy= directive to generate .upholds/ symlinks automatically when a unit is enabled.

• The service manager now supports a new kernel command line option systemd.default_device_timeout_sec=, which may be used to override the default timeout for .device units.

• A new "soft-reboot" mechanism has been added to the service manager. A "soft reboot" is similar to a regular reboot, except that it affects userspace only: the service manager shuts down any running services and other units, then optionally switches into a new root file system (mounted to /run/nextroot/), and then passes control to a systemd instance in the new file system which then starts the system up again. The kernel is not rebooted and neither is the hardware, firmware or boot loader. This provides a fast, lightweight mechanism to quickly reset or update userspace, without the latency that a full system reset involves. Moreover, open file descriptors may be passed across the soft reboot into the new system where they will be passed back to the originating services. This allows pinning resources across the reboot, thus minimizing grey-out time further. This new reboot mechanism is accessible via the new "systemctl soft-reboot" command.

• Services using RootDirectory= or RootImage= will now have read-only access to a copy of the host's os-release file under /run/host/os-release, which will be kept up-to-date on 'soft-reboot'. This was already the case for Portable Services, and the feature has now been extended to all services that do not run off the host's root filesystem.

• A new service setting MemoryKSM= has been added to enable kernel same-page merging individually for services.

• A new service setting ImportCredentials= has been added that augments LoadCredential= and LoadCredentialEncrypted= and searches for credentials to import from the system, and supports globbing.

• A new job mode "restart-dependencies" has been added to the service manager (exposed via systemctl --job-mode=). It is only valid when used with "start" jobs, and has the effect that the "start" job will be propagated as "restart" jobs to currently running units that have a BindsTo= or Requires= dependency on the started unit.

• A new verb "whoami" has been added to "systemctl" which determines as part of which unit the command is being invoked. It writes the unit name to standard output. If one or more PIDs are specified reports the unit names the processes referenced by the PIDs belong to.

• The system and service credential logic has been improved: there's now a clearly defined place where system provisioning tools running in the initrd can place credentials that will be imported into the system's set of credentials during the initrd → host transition: the /run/credentials/@initrd/ directory. Once the credentials placed there are imported into the system credential set they are deleted from this directory, and the directory itself is deleted afterwards too.

• A new kernel command line option systemd.set_credential_binary= has been added, that is similar to the pre-existing systemd.set_credential= but accepts arbitrary binary credential data, encoded in Base64. Note that the kernel command line is not a recommend way to transfer credentials into a system, since it is world-readable from userspace.

• The default machine ID to use may now be configured via the system.machine_id system credential. It will only be used if no machine ID was set yet on the host.

• On Linux kernel 6.4 and newer system and service credentials will now be placed in a tmpfs instance that has the "noswap" mount option set. Previously, a "ramfs" instance was used. By switching to tmpfs ACL support and overall size limits can now be enforced, without compromising on security, as the memory is never paged out either way.

• The service manager now can detect when it is running in a 'Confidential Virtual Machine', and a corresponding 'cvm' value is now accepted by ConditionSecurity= for units that want to conditionalize themselves on this. systemd-detect-virt gained new 'cvm' and '--list-cvm' switches to respectively perform the detection or list all known flavours of confidential VM, depending on the vendor. The manager will publish a 'ConfidentialVirtualization' D-Bus property, and will also set a SYSTEMD_CONFIDENTIAL_VIRTUALIZATION= environment variable for unit generators. Finally, udev rules can match on a new 'cvm' key that will be set when in a confidential VM. Additionally, when running in a 'Confidential Virtual Machine', SMBIOS strings and QEMU's fw_cfg protocol will not be used to import credentials and kernel command line parameters by the system manager, systemd-boot and systemd-stub, because the hypervisor is considered untrusted in this particular setting.

Journal:

• The sd-journal API gained a new call sd_journal_get_seqnum() to retrieve the current log record's sequence number and sequence number ID, which allows applications to order records the same way as journal does internally. The sequence number is now also exported in the JSON and "export" output of the journal.

• journalctl gained a new switch --truncate-newline. If specified multi-line log records will be truncated at the first newline, i.e. only the first line of each log message will be shown.

• systemd-journal-upload gained support for --namespace=, similar to the switch of the same name of journalctl.

systemd-repart:

• systemd-repart's drop-in files gained a new ExcludeFiles= option which may be used to exclude certain files from the effect of CopyFiles=.

• systemd-repart's Verity support now implements the Minimize= setting to minimize the size of the resulting partition.

• systemd-repart gained a new --offline= switch, which may be used to control whether images shall be built "online" or "offline", i.e. whether to make use of kernel facilities such as loopback block devices and device mapper or not.

• If systemd-repart is told to populate a newly created ESP or XBOOTLDR partition with some files, it will now default to VFAT rather than ext4.

• systemd-repart gained a new --architecture= switch. If specified, the per-architecture GPT partition types (i.e. the root and /usr/ partitions) configured in the partition drop-in files are automatically adjusted to match the specified CPU architecture, in order to simplify cross-architecture DDI building.

• systemd-repart will now default to a minimum size of 300MB for XFS filesystems if no size parameter is specified. This matches what the XFS tools (xfsprogs) can support.

systemd-boot, systemd-stub, ukify, bootctl, kernel-install:

• gnu-efi is no longer required to build systemd-boot and systemd-stub. Instead, pyelftools is now needed, and it will be used to perform the ELF -> PE relocations at build time.

• bootctl gained a new switch --print-root-device/-R that prints the block device the root file system is backed by. If specified twice, it returns the whole disk block device (as opposed to partition block device) the root file system is on. It's useful for invocations such as "cfdisk $(bootctl -RR)" to quickly show the partition table of the running OS.

• systemd-stub will now look for the SMBIOS Type 1 field "io.systemd.stub.kernel-cmdline-extra" and append its value to the kernel command line it invokes. This is useful for VMMs such as qemu to pass additional kernel command lines into the system even when booting via full UEFI. The contents of the field are measured into TPM PCR 12.

• The KERNEL_INSTALL_LAYOUT= setting for kernel-install gained a new value "auto". With this value, a kernel will be automatically analyzed, and if it qualifies as UKI, it will be installed as if the setting was to set to "uki", otherwise as "bls".

• systemd-stub can now optionally load UEFI PE "add-on" images that may contain additional kernel command line information. These "add-ons" superficially look like a regular UEFI executable, and are expected to be signed via SecureBoot/shim. However, they do not actually contain code, but instead a subset of the PE sections that UKIs support. They are supposed to provide a way to extend UKIs with additional resources in a secure and authenticated way. Currently, only the .cmdline PE section may be used in add-ons, in which case any specified string is appended to the command line embedded into the UKI itself. A new 'addon<EFI-ARCH>.efi.stub' is now provided that can be used to trivially create addons, via 'ukify' or 'objcopy'. In the future we expect other sections to be made extensible like this as well.

• ukify has been updated to allow building these UEFI PE "add-on" images, using the new 'addon<EFI-ARCH>.efi.stub'.

• ukify gained a new "genkey" verb for generating a set of of key pairs to sign UKIs and their PCR data with.

• ukify now accepts SBAT information to place in the .sbat PE section of UKIs and addons. If a UKI is built the SBAT information from the inner kernel is merged with any SBAT information associated with systemd-stub and the SBAT data specified on the ukify command line.

• The kernel-install script has been rewritten in C, and reuses much of the infrastructure of existing tools such as bootctl. It also gained --esp-path= and --boot-path= options to override the path to the ESP, and the $BOOT partition. Options --make-entry-directory= and --entry-token= have been added as well, similar to bootctl's options of the same name.

• A new kernel-install plugin 60-ukify has been added which will combine kernel/initrd locally into a UKI and optionally sign them with a local key. This may be used to switch to UKI mode even on systems where a local kernel or initrd is used. (Typically UKIs are built and signed by the vendor.)

• The ukify tool now supports "pesign" in addition to the pre-existing "sbsign" for signing UKIs.

• systemd-measure and systemd-stub now look for the .uname PE section that should contain the kernel's "uname -r" string.

• systemd-measure and ukify now calculate expected PCR hashes for a UKI "offline", i.e. without access to a TPM (physical or software-emulated).

Memory Pressure & Control:

• The sd-event API gained new calls sd_event_add_memory_pressure(), sd_event_source_set_memory_pressure_type(), sd_event_source_set_memory_pressure_period() to create and configure an event source that is called whenever the OS signals memory pressure. Another call sd_event_trim_memory() is provided that compacts the process' memory use by releasing allocated but unused malloc() memory back to the kernel. Services can also provide their own custom callback to do memory trimming. This should improve system behaviour under memory pressure, as on Linux traditionally provided no mechanism to return process memory back to the kernel if the kernel was under memory pressure. This makes use of the kernel's PSI interface. Most long-running services in systemd have been hooked up with this, and in particular systems with low memory should benefit from this.

• Service units gained new settings MemoryPressureWatch= and MemoryPressureThresholdSec= to configure the PSI memory pressure logic individually. If these options are used, the $MEMORY_PRESSURE_WATCH and $MEMORY_PRESSURE_WRITE environment variables will be set for the invoked processes to inform them about the requested memory pressure behaviour. (This is used by the aforementioned sd-events API additions, if set.)

• systemd-analyze gained a new "malloc" verb that shows the output generated by glibc's malloc_info() on services that support it. Right now, only the service manager has been updated accordingly. This call requires privileges.

User & Session Management:

• The sd-login API gained a new call sd_session_get_username() to return the user name of the owner of a login session. It also gained a new call sd_session_get_start_time() to retrieve the time the login session started. A new call sd_session_get_leader() has been added to return the PID of the "leader" process of a session. A new call sd_uid_get_login_time() returns the time since the specified user has most recently been continuously logged in with at least one session.

• JSON user records gained a new set of fields capabilityAmbientSet and capabilityBoundingSet which contain a list of POSIX capabilities to set for the logged in users in the ambient and bounding sets, respectively. homectl gained the ability to configure these two sets for users via --capability-bounding-set=/--capability-ambient-set=.

• pam_systemd learnt two new module options default-capability-bounding-set= and default-capability-ambient-set=, which configure the default bounding sets for users as they are logging in, if the JSON user record doesn't specify this explicitly (see above). The built-in default for the ambient set now contains the CAP_WAKE_ALARM, thus allowing regular users who may log in locally to resume from a system suspend via a timer.

• The Session D-Bus objects systemd-logind gained a new SetTTY() method call to update the TTY of a session after it has been allocated. This is useful for SSH sessions which are typically allocated first, and for which a TTY is added later.

• The sd-login API gained a new call sd_pid_notifyf_with_fds() which combines the various other sd_pid_notify() flavours into one: takes a format string, an overriding PID, and a set of file descriptors to send. It also gained a new call sd_pid_notify_barrier() call which is equivalent to sd_notify_barrier() but allows the originating PID to be specified.

• "loginctl list-users" and "loginctl list-sessions" will now show the state of each logged in user/session in their tabular output. It will also show the current idle state of sessions.

DDIs:

• systemd-dissect will now show the intended CPU architecture of an inspected DDI.

• systemd-dissect will now install itself as mount helper for the "ddi" pseudo-file system type. This means you may now mount DDIs directly via /bin/mount or /etc/fstab, making full use of embedded Verity information and all other DDI features.

Example: mount -t ddi myimage.raw /some/where

• The systemd-dissect tool gained the new switches --attach/--detach to attach/detach a DDI to a loopback block device without mounting it. It will automatically derive the right sector size from the image and set up Verity and similar, but not mount the file systems in it.

• When systemd-gpt-auto-generator or the DDI mounting logic mount an ESP or XBOOTLDR partition the MS_NOSYMFOLLOW mount option is now implied. Given that these file systems are typically untrusted, this should make mounting them automatically have less of a security impact.

• All tools that parse DDIs (such as systemd-nspawn, systemd-dissect, systemd-tmpfiles, …) now understand a new switch --image-policy= which takes a string encoding image dissection policy. With this mechanism automatic discovery and use of specific partition types and the cryptographic requirements on the partitions (Verity, LUKS, …) can be restricted, permitting better control of the exposed attack surfaces when mounting disk images. systemd-gpt-auto-generator will honour such an image policy too, configurable via the systemd.image_policy= kernel command line option. Unit files gained the RootImagePolicy=, MountImagePolicy= and ExtensionImagePolicy= to configure the same for disk images a service runs off.

• systemd-analyze gained a new verb "image-policy" to validate and parse image policy strings.

• systemd-dissect gained support for a new --validate switch to superficially validate DDI structure, and check whether a specific image policy allows the DDI.

• systemd-dissect gained support for a new --mtree-hash switch to optionally disable calculating mtree hashes, which can be slow on large images.

• systemd-dissect --copy-to, --copy-from, --list and --mtree switches are now able to operate on directories too, other than images.

Network Management:

• networkd's GENEVE support as gained a new .network option InheritInnerProtocol=.

• The [Tunnel] section in .netdev files has gained a new setting IgnoreDontFragment for controlling the IPv4 "DF" flag of datagrams.

• A new global IPv6PrivacyExtensions= setting has been added that selects the default value of the per-network setting of the same name.

• The predictable network interface naming logic will now include SR-IOV-R "representor" information in network interface names.

• The DHCPv4 + DHCPv6 + IPv6 RA logic in networkd gained support for the RFC8910 captive portal option.

Device Management:

• udevadm gained the new "verify" verb for validating udev rules files offline.

• udev gained a new tool "iocost" that can be used to configure QoS IO cost data based on hwdb information onto suitable block devices. Also see ​https://github.com/iocost-benchmark/iocost-benchmarks.

TPM2 Support + Disk Encryption & Authentication:

• systemd-cryptenroll/systemd-cryptsetup will now install a TPM2 SRK ("Storage Root Key") as first step in the TPM2, and then use that for binding FDE to, if TPM2 support is used. This matches recommendations of TCG (see ​https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf)

• systemd-cryptenroll and other tools that take TPM2 PCR parameters now understand textual identifiers for these PCRs.

• systemd-veritysetup + /etc/veritytab gained support for a series of new options: hash-offset=, superblock=, format=, data-block-size=, hash-block-size=, data-blocks=, salt=, uuid=, hash=, fec-device=, fec-offset=, fec-roots= to configure various aspects of a Verity volume.

• systemd-cryptsetup + /etc/crypttab gained support for a new veracrypt-pim= option for setting the Personal Iteration Multiplier of veracrypt volumes.

• systemd-integritysetup + /etc/integritytab gained support for a new mode= setting for controlling the dm-integrity mode (journal, bitmap, direct) for the volume.

• systemd-analyze gained a new verb "pcrs" that shows the known TPM PCR registers, their symbolic names and current values.

systemd-tmpfiles:

• The ACL support in tmpfiles.d/ has been updated: if an uppercase "X" access right is specified this is equivalent to "x" but only if the inode in question already has the executable bit set for at least some user/group. Otherwise the "x" bit will be turned off.

• tmpfiles.d/'s C line type now understands a new modifier "+": a line with C+ will result in a "merge" copy, i.e. all files of the source tree are copied into the target tree, even if that tree already exists, resulting in a combined tree of files already present in the target tree and those copied in.

• systemd-tmpfiles gained a new --graceful switch. If specified lines with unknown users/groups will silently be skipped.

systemd-notify:

• systemd-notify gained two new options --fd= and --fdname= for sending arbitrary file descriptors to the service manager (while specifying an explicit name for it).

• systemd-notify gained a new --exec switch, which makes it execute the specified command line after sending the requested messages. This is useful for sending out READY=1 first, and then continuing invocation without changing process ID, so that the tool can be nicely used within an ExecStart= line of a unit file that uses Type=ready.

sd-event + sd-bus APIs:

• The sd-event API gained a new call sd_event_source_leave_ratelimit() which may be used to explicitly end a rate-limit state an event source might be in, resetting all rate limiting counters.

• When the sd-bus library is used to make connections to AF_UNIX D-Bus sockets, it will now encode the "description" set via sd_bus_set_description() into the source socket address. It will also look for this information when accepting a connection. This is useful to track individual D-Bus connections on a D-Bus broker for debug purposes.

systemd-resolved:

• systemd-resolved gained a new resolved.conf setting StateRetentionSec= which may be used to retain cached DNS records even after their nominal TTL, and use them in case upstream DNS servers cannot be reached. This can be sued to make name resolution more resilient in case of network problems.

• resolvectl gained a new verb "show-cache" to show the current cache contents of systemd-resolved. This verb communicates with the systemd-resolved daemon and requires privileges.

Other:

• Meson >= 0.60.0 is now required to build systemd.

• The default keymap to apply may now be chosen at build-time via the new -Ddefault-keymap= meson option.

• Most of systemd's long-running services now have a generic handler of the SIGRTMIN+18 signal handler which executes various operations depending on the sigqueue() parameter sent along. For example, values 0x100…0x107 allow changing the maximum log level of such services. 0x200…0x203 allow changing the log target of such services. 0x300 make the services trim their memory similarly to the automatic PSI-triggered action, see above. 0x301 make the services output their malloc_info() data to the logs.

• machinectl gained new "edit" and "cat" verbs for editing .nspawn files, inspired by systemctl's verbs of the same name which edit unit files. Similarly, networkctl gained the same verbs for editing .network, .netdev, .link files.

• A new syscall filter group "@sandbox" has been added that contains syscalls for sandboxing system calls such as those for seccomp and Landlock.

• New documentation has been added:

​https://systemd.io/COREDUMP ​https://systemd.io/MEMORY_PRESSURE smbios-type-11(7)

• systemd-firstboot gained a new --reset option. If specified, the settings in /etc/ it knows how to initialize are reset.

• systemd-sysext is now a multi-call binary and is also installed under the systemd-confext alias name (via a symlink). When invoked that way it will operate on /etc/ instead of /usr/ + /opt/. It thus becomes a powerful, atomic, secure configuration management of sorts, that locally can merge configuration from multiple confext configuration images into a single immutable tree.

• The --network-macvlan=, --network-ipvlan=, --network-interface= switches of systemd-nspawn may now optionally take the intended network interface inside the container.

• All our programs will now send an sd_notify() message with their exit status in the EXIT_STATUS= field when exiting, using the usual protocol, including PID 1. This is useful for VMMs and container managers to collect an exit status from a system as it shuts down, as set via "systemctl exit …". This is particularly useful in test cases and similar, as invocations via a VM can now nicely propagate an exit status to the host, similar to local processes.

• systemd-run gained a new switch --expand-environment=no to disable server-side environment variable expansion in specified command lines. Expansion defaults to enabled for all execution types except --scope, where it defaults to off (and prints a warning) for backward compatibility reasons. --scope will be flipped to default enabled too in a future release, so if you are using --scope and passing a '$' character in the payload you should start explicitly using --expand-environment=yes/no according to the use case.

• The systemd-system-update-generator has been updated to also look for the special flag file /etc/system-update in addition to the existing support for /system-update to decide whether to enter system update mode.

• The /dev/hugepages/ file system is now mounted with nosuid + nodev mount options by default.

• systemd-fstab-generator now understands two new kernel command line options systemd.mount-extra= and systemd.swap-extra=, which configure additional mounts or swaps in a format similar to /etc/fstab. 'fsck' will be ran on these block devices, like it already happens for 'root='. It also now supports the new fstab.extra and fstab.extra.initrd credentials that may contain additional /etc/fstab lines to apply at boot.

• systemd-getty-generator now understands two new credentials getty.ttys.container and getty.ttys.serial. These credentials may contain a list of TTY devices – one per line – to instantiate container-getty@.service and serial-getty@.service on.

• The getty/serial-getty/container-getty units now import the 'agetty.*' and 'login.*' credentials, which are consumed by the 'login' and 'agetty' programs starting from util-linux v2.40.

• systemd-sysupdate's sysupdate.d/ drop-ins gained a new setting PathRelativeTo=, which can be set to "esp", "xbootldr", "boot", in which case the Path= setting is taken relative to the ESP or XBOOTLDR partitions, rather than the system's root directory /. The relevant directories are automatically discovered.

• The systemd-ac-power tool gained a new switch --low, which reports whether the battery charge is considered "low", similar to how the s2h suspend logic checks this state to decide whether to enter system suspend or hibernation.

• The /etc/os-release file can now have two new optional fields VENDOR_NAME= and VENDOR_URL= to carry information about the vendor of the OS.

• When the system hibernates, information about the device and offset used is now written to a non-volatile EFI variable. On next boot the system will attempt to resume from the location indicated in this EFI variable. This should make hibernation a lot more robust, while requiring no manual configuration of the resume location.

• The $XDG_STATE_HOME environment variable (added in more recent versions of the XDG basedir specification) is now honoured to implement the StateDirectory= setting in user services.

• A new component "systemd-battery-check" has been added. It may run during early boot (usually in the initrd), and checks the battery charge level of the system. In case the charge level is very low the user is notified (graphically via Plymouth – if available – as well as in text form on the console), and the system is turned off after a 10s delay. The feature can be disabled by passing systemd.battery-check=0 through the kernel command line.

• The 'passwdqc' library is now supported as an alternative to the 'pwquality' library and it can be selected at build time.

[Xi Ruoyao]

I've updated my system to systemd-254 and it's working fine.

I'll try updating udev in the VM.

[Xi Ruoyao]

For udev, we'll need CONFIG_PSI in the kernel configuration and set MEMORY_PRESSURE_WATCH=/proc/pressure/memory in the udev bootscript. Or udevd will produce a warning "Failed to allocate memory pressure watch".

[Xi Ruoyao]

Replying to Xi Ruoyao:

For udev, we'll need CONFIG_PSI in the kernel configuration and set MEMORY_PRESSURE_WATCH=/proc/pressure/memory in the udev bootscript. Or udevd will produce a warning "Failed to allocate memory pressure watch".

Nope. This causes the boot process to hang.

The correct solution is setting CONFIG_PSI=y, CONFIG_MEMCG=y and mount cgroup2 file system in mountvirtfs script.

[Xi Ruoyao]

man pages at ​https://anduin.linuxfromscratch.org/LFS/systemd-man-pages-254.tar.xz.

[Marty Jack]

I've also updated to systemd-254 and it's working with no issues observed to date.

The gnu-efi dependency is replaced by pyelftools.

I have /boot that has the EFI partition mounted as always. There is a new directory /efi that has mounted

systemd-1 on /efi type autofs (rw,relatime,fd=38,pgrp=1,timeout=120,minproto=5,maxproto=5,direct,pipe_ino=1084)

[Bruce Dubbs]

Fixed at commit 6de383a26215753a2b0a6d2dba6956ecfd786a90

Update udev-lfs tarball to remove obsolete
           cdrom rules and references to ISDN devices.
    Update to wheel-0.41.0 (Python Module).
    Update to tar-1.35.
    Update to systemd-254.
    Update to meson-1.2.0.
    Update to linux-6.4.7.
    Update to gcc-13.2.0.
    Update to file-5.45.

[Bruce Dubbs]

Milestone renamed