systemd System and Service Manager
builtin will name network interfaces differently than in previous
versions for virtual network interfaces created with SR-IOV and NPAR
and for devices where the PCI network controller device does not have
a slot number associated.
SR-IOV virtual devices are now named based on the name of the parent
interface, with a suffix of "v<N>", where <N> is the virtual device
number. Previously those virtual devices were named as if completely
The ninth and later NPAR virtual devices will be named following the
scheme used for the first eight NPAR partitions. Previously those
devices were not renamed and the kernel default (eth<n>) was used.
"net_id" will also generate names for PCI devices where the PCI
network controller device does not have an associated slot number
itself, but one of its parents does. Previously those devices were
not renamed and the kernel default (eth<n>) was used.
* AF_INET and AF_INET6 are dropped from RestrictAddressFamilies= in
elogind.service. Since v235, IPAddressDeny=any has been set for
the unit. So, it is expected that the default behavior of
elogind is not changed. However, if distribution packagers or
administrators disabled or modified IPAddressDeny= setting by a
drop-in config file, then it may be necessary to update the file to
re-enable AF_INET and AF_INET6 to support network user name services,
e.g. NIS.
* When the RestrictNamespaces= unit property is specified multiple
times, then the specified types are merged now. Previously, only the
last assignment was used. So, if distribution packagers or
administrators modified the setting by a drop-in config file, then it
may be necessary to update the file.
* When OnFailure= is used in combination with Restart= on a service
unit, then the specified units will no longer be triggered on
failures that result in restarting. Previously, the specified units
would be activated each time the unit failed, even when the unit was
going to be restarted automatically. This behaviour contradicted the
documentation. With this release the code is adjusted to match the
* elogind-tmpfiles will now print a notice whenever it encounters
tmpfiles.d/ lines referencing the /var/run/ directory. It will
recommend reworking them to use the /run/ directory instead (for
which /var/run/ is simply a symlinked compatibility alias). This way
elogind-tmpfiles can properly detect line conflicts and merge lines
referencing the same file by two paths, without having to access
* systemctl disable/unmask/preset/preset-all cannot be used with
--runtime. Previously this was allowed, but resulted in unintuitive
behaviour that wasn't useful. systemctl disable/unmask will now undo
both runtime and persistent enablement/masking, i.e. it will remove
any relevant symlinks both in /run and /etc.
* Note that all long-running system services shipped with elogind will
now default to a system call whitelist (rather than a blacklist, as
before). In particular, elogind-udevd will now enforce one too. For
most cases this should be safe, however downstream distributions
which disabled sandboxing of elogind-udevd (specifically the
MountFlags= setting), might want to disable this security feature
too, as the default whitelisting will prohibit all mount, swap,
reboot and clock changing operations from udev rules.
* sd-boot acquired new loader configuration settings to optionally turn
off Windows and MacOS boot partition discovery as well as
reboot-into-firmware menu items. It is also able to pick a better
screen resolution for HiDPI systems, and now provides loader
configuration settings to change the resolution explicitly.
* The elogind-resolve tool has been renamed to resolvectl (it also
remains available under the old name, for compatibility), and its
interface is now verb-based, similar in style to the other <xyz>ctl
tools, such as systemctl or loginctl.
* elogind-resolved now supports DNS-over-TLS. It's still
turned off by default, use DNSOverTLS=opportunistic to turn it on in
resolved.conf. We intend to make this the default as soon as a couple
of additional techniques for optimizing the initial latency caused by
establishing a TLS/TCP connection are implemented.
* elogind-resolved.service and elogind-networkd.service now set
DynamicUser=yes. The users elogind-resolve and elogind-network are
not created by elogind-sysusers.
* The resolvectl/elogind-resolve tool also provides 'resolvconf'
compatibility. It may be symlinked under the 'resolvconf' name, in
which case it will take arguments and input compatible with the
Debian and FreeBSD resolvconf tool.
* Support for suspend-then-hibernate has been added, i.e. a sleep mode
where the system initially suspends, and after a time-out resumes and
hibernates again.
* networkd's ClientIdentifier= now accepts a new option "duid-only". If
set the client will only send a DUID as client identifier.
* The nss-elogind glibc NSS module will now enumerate dynamic users and
groups in effect. Previously, it could resolve UIDs/GIDs to user
names/groups and vice versa, but did not support enumeration.
* journald's Compress= configuration setting now optionally accepts a
byte threshold value. All journal objects larger than this threshold
will be compressed, smaller ones will not. Previously this threshold
was not configurable and set to 512.
* A new system.conf setting NoNewPrivileges= is now available which may
be used to turn off acquisition of new privileges system-wide
(i.e. set Linux' PR_SET_NO_NEW_PRIVS for PID 1 itself, and thus also
for all its children). Note that turning this option on means setuid
binaries and file system capabilities lose their special powers.
While turning on this option is a big step towards a more secure
system, doing so is likely to break numerous pre-existing UNIX tools,
in particular su and sudo.
* A new service elogind-time-sync-wait.service has been added. If
enabled it will delay the unit at boot until time
synchronization has been received from the network. This
functionality is useful on systems lacking a local RTC or where it is
acceptable that the boot process shall be delayed by external network
* When hibernating, elogind will now inform the kernel of the image
write offset, on kernels new enough to support this. This means swap
files should work for hibernation now.
* When loading unit files, elogind will now look for drop-in unit files
extensions in additional places. Previously, for a unit file name
"foo-bar-baz.service" it would look for dropin files in
"foo-bar-baz.service.d/*.conf". Now, it will also look in
"foo-bar-.service.d/*.conf" and "foo-.service.d/", i.e. at the
service name truncated after all inner dashes. This scheme allows
writing drop-ins easily that apply to a whole set of unit files at
once. It's particularly useful for mount and slice units (as their
naming is prefix based), but is also useful for service and other
units, for packages that install multiple unit files at once,
following a strict naming regime of beginning the unit file name with
the package's name. Two new specifiers are now supported in unit
files to match this: %j and %J are replaced by the part of the unit
name following the last dash.
* Unit files and other configuration files that support specifier
expansion now understand another three new specifiers: %T and %V will
resolve to /tmp and /var/tmp respectively, or whatever temporary
directory has been set for the calling user. %E will expand to either
/etc (for system units) or $XDG_CONFIG_HOME (for user units).
* The ExecStart= lines of unit files are no longer required to
reference absolute paths. If non-absolute paths are specified the
specified binary name is searched within the service manager's
built-in $PATH, which may be queried with 'elogind-path
search-binaries-default'. It's generally recommended to continue to
use absolute paths for all binaries specified in unit files.
* Units gained a new load state "bad-setting", which is used when a
unit file was loaded, but contained fatal errors which prevent it
from being started (for example, a service unit has been defined
lacking both ExecStart= and ExecStop= lines).
* coredumpctl's "gdb" verb has been renamed to "debug", in order to
support alternative debuggers, for example lldb. The old name
continues to be available however, for compatibility reasons. Use the
new --debugger= switch or the $SYSTEMD_DEBUGGER environment variable
to pick an alternative debugger instead of the default gdb.
* systemctl and the other tools will now output escape sequences that
generate proper clickable hyperlinks in various terminal emulators
where useful (for example, in the "systemctl status" output you can
now click on the unit file name to quickly open it in the
editor/viewer of your choice). Note that not all terminal emulators
support this functionality yet, but many do. Unfortunately, the
"less" pager doesn't support this yet, hence this functionality is
currently automatically turned off when a pager is started (which
happens quite often due to auto-paging). We hope to remove this
limitation as soon as "less" learns these escape sequences. This new
behaviour may also be turned off explicitly with the $SYSTEMD_URLIFY
environment variable. For details on these escape sequences see:
* networkd's .network files now support a new IPv6MTUBytes= option for
setting the MTU used by IPv6 explicitly as well as a new MTUBytes=
option in the [Route] section to configure the MTU to use for
specific routes. It also gained support for configuration of the DHCP
"UserClass" option through the new UserClass= setting. It gained
three new options in the new [CAN] section for configuring CAN
networks. The MULTICAST and ALLMULTI interface flags may now be
controlled explicitly with the new Multicast= and AllMulticast=
* networkd will now automatically make use of the kernel's route
expiration feature, if it is available.
* udevd's .link files now support setting the number of receive and
transmit channels, using the RxChannels=, TxChannels=,
OtherChannels=, CombinedChannels= settings.
* Support for UDPSegmentationOffload= has been removed, given its
limited support in hardware, and waning software support.
* networkd's .netdev files now support creating "netdevsim" interfaces.
* PID 1 learnt a new bus call GetUnitByControlGroup() which may be used
to query the unit belonging to a specific kernel control group.
* elogind-analyze gained a new verb "cat-config", which may be used to
dump the contents of any configuration file, with all its matching
drop-in files added in, and honouring the usual search and masking
logic applied to elogind configuration files. For example use
"elogind-analyze cat-config elogind/system.conf" to get the complete
system configuration file of elogind how it would be loaded by PID 1
itself. Similar to this, various tools such as elogind-tmpfiles or
elogind-sysusers, gained a new option "--cat-config", which does the
corresponding operation for their own configuration settings. For
example, "elogind-tmpfiles --cat-config" will now output the full
list of tmpfiles.d/ lines in place.
* timedatectl gained three new verbs: "show" shows bus properties of
elogind-timedated, "timesync-status" shows the current NTP
synchronization state of elogind-timesyncd, and "show-timesync"
shows bus properties of elogind-timesyncd.
* elogind-timesyncd gained a bus interface on which it exposes details
about its state.
* elogind-nspawn gained a new --rlimit= switch for setting initial
resource limits for the container payload. There's a new switch
--hostname= to explicitly override the container's hostname. A new
--no-new-privileges= switch may be used to control the
PR_SET_NO_NEW_PRIVS flag for the container payload. A new
--oom-score-adjust= switch controls the OOM scoring adjustment value
for the payload. The new --cpu-affinity= switch controls the CPU
affinity of the container payload. The new --resolv-conf= switch
allows more detailed control of /etc/resolv.conf handling of the
container. Similarly, the new --timezone= switch allows more detailed
control of /etc/localtime handling of the container.
* A new environment variable $SYSTEMD_TIMEDATED_NTP_SERVICES is now
understood by elogind-timedated. It takes a colon-separated list of
unit names of NTP client services. The list is used by
"timedatectl set-ntp".
* elogind-detect-virt gained a new --list switch, which will print a
list of all currently known VM and container environments.
* Support for "Portable Services" has been added, see
doc/ for details. Currently, the support is still
experimental, but this is expected to change soon. Reflecting this
experimental state, the "portablectl" binary is not installed into
/usr/bin yet. The binary has to be called with the full path
/usr/lib/elogind/portablectl instead.
* journalctl's and systemctl's -o switch now knows a new log output
mode "with-unit". The output it generates is very similar to the
regular "short" mode, but displays the unit name instead of the
syslog tag for each log line. Also, the date is shown with timezone
information. This mode is probably more useful than the classic
"short" output mode for most purposes, except where pixel-perfect
compatibility with classic /var/log/messages formatting is required.
* A new --dump-bus-properties switch has been added to the elogind
binary, which may be used to dump all supported D-Bus properties.
(Options which are still supported, but are deprecated, are *not*
* sd-bus gained a set of new calls:
sd_bus_slot_set_floating()/sd_bus_slot_get_floating() may be used to
enable/disable the "floating" state of a bus slot object,
i.e. whether the slot object pins the bus it is allocated for into
memory or if the bus slot object gets disconnected when the bus goes
away. sd_bus_open_with_description(),
sd_bus_open_system_with_description() may be used to allocate bus
objects and set their description string already during allocation.
* sd-event gained support for watching inotify events from the event
loop, in an efficient way, sharing inotify handles between multiple
users. For this a new function sd_event_add_inotify() has been added.
* sd-event and sd-bus gained support for calling special user-supplied
destructor functions for userdata pointers associated with
sd_event_source, sd_bus_slot, and sd_bus_track objects. For this new
functions sd_bus_slot_set_destroy_callback,
sd_bus_slot_get_destroy_callback, sd_bus_track_set_destroy_callback,
sd_event_source_get_destroy_callback have been added.
* The "net.ipv4.tcp_ecn" sysctl will now be turned on by default.
* PID 1 will now automatically reschedule .timer units whenever the
local timezone changes. (They previously got rescheduled
automatically when the system clock changed.)
* New documentation has been added to document cgroups delegation,
portable services and the various code quality tools we have set up:
* The Boot Loader Specification has been added to the source tree.
While moving it into our source tree we have updated it and further
changes are now accepted through the usual github PR workflow.
* pam_elogind will now look for PAM userdata fields elogind.memory_max,
elogind.tasks_max, elogind.cpu_weight, elogind.io_weight set by
earlier PAM modules. The data in these fields is used to initialize
the session scope's resource properties. Thus external PAM modules
may now configure per-session limits, for example sourced from
external user databases.
* socket units with Accept=yes will now maintain a "refused" counter in
addition to the existing "accepted" counter, counting connections
refused due to the enforced limits.
* The "elogind-path search-binaries-default" command may now be used to
query the default, built-in $PATH PID 1 will pass to the services it
* A new unit file setting PrivateMounts= has been added. It's a boolean
option. If enabled the unit's processes are invoked in their own file
system namespace. Note that this behaviour is also implied if any
other file system namespacing options (such as PrivateTmp=,
PrivateDevices=, ProtectSystem=, …) are used. This option is hence
primarily useful for services that do not use any of the other file
system namespacing options. One such service is elogind-udevd.service
where this is now used by default.
* ConditionSecurity= gained a new value "uefi-secureboot" that is true
when the system is booted in UEFI "secure mode".
* A new unit "" is added, which defines an
optional synchronization point for offline system updates, as
implemented by the pre-existing "" unit. It
allows ordering services before the service that executes the actual
update process in a generic way.
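For the RestrictNamespaces= entry above: the setting is an allow-list of namespace types, so merging repeated assignments can leave a unit with more types allowed than a drop-in written for the old last-assignment-wins behaviour intended. The check below is an added example, not code from elogind; the unit text is constructed, and only plain type lists are modelled (boolean values, the "~" prefix and empty assignments are reported for manual review).

```python
"""Compare RestrictNamespaces= under last-assignment-wins and merged semantics."""

# Namespace type identifiers accepted by RestrictNamespaces=.
KNOWN_TYPES = {"cgroup", "ipc", "mnt", "net", "pid", "user", "uts"}

# Constructed sample: a main unit file and a drop-in that was written when
# only the last assignment counted, intending to replace the list above it.
MAIN_UNIT = """[Service]
ExecStart=/usr/bin/exampled
RestrictNamespaces=ipc net uts
"""
DROPIN = """[Service]
# Meant to narrow the allow-list to ipc only.
RestrictNamespaces=ipc
"""


def namespace_assignments(*fragments):
    """Return the token list of every RestrictNamespaces= line, in load order.

    `fragments` are the texts of the main unit file followed by its drop-ins.
    """
    found = []
    for text in fragments:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;[":
                continue  # blank line, comment or section header
            key, sep, value = line.partition("=")
            if sep and key.strip() == "RestrictNamespaces":
                found.append(value.split())
    return found


def compare_semantics(*fragments):
    """Describe the effective allow-list before and after the change.

    Returns a dict with 'last_wins' and 'merged' (sets of allowed types),
    'widened' (types allowed only under merging) and 'unmodelled' (values
    this sketch does not interpret and that need a manual look).
    """
    plain, unmodelled = [], []
    for tokens in namespace_assignments(*fragments):
        if not tokens or any(t not in KNOWN_TYPES for t in tokens):
            unmodelled.append(" ".join(tokens))
        else:
            plain.append(set(tokens))
    last_wins = plain[-1] if plain else set()
    merged = set().union(*plain)
    return {
        "last_wins": last_wins,
        "merged": merged,
        "widened": merged - last_wins,
        "unmodelled": unmodelled,
    }


if __name__ == "__main__":
    report = compare_semantics(MAIN_UNIT, DROPIN)
    print("old (last assignment):", sorted(report["last_wins"]))
    print("new (merged):         ", sorted(report["merged"]))
    print("newly allowed:        ", sorted(report["widened"]))
```

A non-empty "widened" set marks a unit whose drop-in needs updating after the upgrade.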
Contributions from: Adam Duskett, Alan Jenkins, Alessandro Casale,
Alexander Kurtz, Alex Gartrell, Anssi Hannula, Arnaud Rebillout, Brian
J. Murrell, Bruno Vernay, Chris Lamb, Chris Lesiak, Christian Brauner,
Christian Hesse, Christian Rebischke, Colin Guthrie, Daniel Dao, Daniel
Lin, Danylo Korostil, Davide Cavalca, David Tardon, Dimitri John
Ledkov, Dmitriy Geels, Douglas Christman, Elia Geretto, emelenas, Emil
Velikov, Evgeny Vereshchagin, Felipe Sateler, Feng Sun, Filipe
Brandenburger, Franck Bui, futpib, Giuseppe Scrivano, Guillem Jover,
guixxx, Hannes Reinecke, Hans de Goede, Harald Hoyer, Henrique Dante de
Almeida, Hiram van Paassen, Ian Miell, Igor Gnatenko, Ivan Shapovalov,
Iwan Timmer, James Cowgill, Jan Janssen, Jan Synacek, Jared Kazimir,
Jérémy Rosen, João Paulo Rechi Vita, Joost Heitbrink, Jui-Chi Ricky
Liang, Jürg Billeter, Kai-Heng Feng, Karol Augustin, Kay Sievers,
Krzysztof Nowicki, Lauri Tirkkonen, Lennart Poettering, Leonard König,
Long Li, Luca Boccassi, Lucas Werkmeister, Marcel Hoppe, Marc
Kleine-Budde, Mario Limonciello, Martin Jansa, Martin Wilck, Mathieu
Malaterre, Matteo F. Vescovi, Matthew McGinn, Matthias-Christian Ott,
Michael Biebl, Michael Olbrich, Michael Prokop, Michal Koutný, Michal
Sekletar, Mike Gilbert, Mikhail Kasimov, Milan Broz, Milan Pässler,
Mladen Pejaković, Muhammet Kara, Nicolas Boichat, Omer Katz, Paride
Legovini, Paul Menzel, Paul Milliken, Pavel Hrdina, Peter A. Bigot,
Peter D'Hoye, Peter Hutterer, Peter Jones, Philip Sequeira, Philip
Withnall, Piotr Drąg, Radostin Stoyanov, Ricardo Salveti de Araujo,
Ronny Chevalier, Rosen Penev, Rubén Suárez Alvarez, Ryan Gonzalez,
Salvo Tomaselli, Sebastian Reichel, Sergey Ptashnick, Sergio Lindo
Mansilla, Stefan Schweter, Stephen Hemminger, Stuart Hayes, Susant
Sahani, Sylvain Plantefève, Thomas H. P. Andersen, Tobias Jungel,
Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van Mourik,
Yu Watanabe, Zbigniew Jędrzejewski-Szmek
— Berlin, 2018-06-22
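For the prefix drop-in entry above ("foo-bar-.service.d/", "foo-.service.d/"): a drop-in in a prefix directory changes every unit whose name starts with that prefix, so a review of one unit's effective settings has to include those directories. The listing below is an added example, not code from elogind; it applies the truncation rule as the entry describes it, does not handle template units, and the directory tree and file names are constructed.

```python
"""List the drop-in directories and *.conf files that apply to a unit name."""
import os
import tempfile


def dropin_dir_names(unit_name):
    """Return drop-in directory names for a unit, most specific first.

    The full name comes first, then the name truncated after each inner
    dash, e.g. foo-bar-baz.service -> foo-bar-.service.d -> foo-.service.d.
    """
    prefix, dot, suffix = unit_name.rpartition(".")
    if not dot or not prefix or not suffix or "@" in prefix:
        raise ValueError("expected a plain unit name such as foo-bar.service")
    names = [unit_name + ".d"]
    for i in range(len(prefix) - 1, -1, -1):
        if prefix[i] == "-":
            candidate = "%s.%s.d" % (prefix[: i + 1], suffix)
            if candidate not in names:  # a name ending in "-" repeats itself
                names.append(candidate)
    return names


def last_dash_component(unit_name):
    """Return what %j stands for: the part of the name after the last dash.

    For a name without a dash this is the whole name before the type suffix.
    """
    prefix = unit_name.rpartition(".")[0]
    return prefix.rpartition("-")[2]


def applicable_dropins(search_roots, unit_name):
    """Return (directory name, file path) pairs for every *.conf that applies."""
    hits = []
    for root in search_roots:
        for dirname in dropin_dir_names(unit_name):
            path = os.path.join(root, dirname)
            if not os.path.isdir(path):
                continue
            for entry in sorted(os.listdir(path)):
                if entry.endswith(".conf"):
                    hits.append((dirname, os.path.join(path, entry)))
    return hits


def demo():
    """Build a constructed tree; return the drop-ins for foo-bar-baz.service."""
    layout = {
        "foo-bar-baz.service.d/override.conf": "[Service]\nPrivateTmp=yes\n",
        "foo-.service.d/10-all-foo.conf": "[Service]\nNoNewPrivileges=yes\n",
        "foo-.service.d/README": "not a drop-in\n",
        "foo-other.service.d/local.conf": "[Service]\nPrivateTmp=no\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)
        hits = applicable_dropins([root], "foo-bar-baz.service")
        return [(d, os.path.relpath(p, root)) for d, p in hits]


if __name__ == "__main__":
    for dirname, path in demo():
        print("%-24s %s" % (dirname, path))
```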
* The MemoryAccounting= unit property now defaults to on. After
discussions with the upstream control group maintainers we learnt
that the negative impact of cgroup memory accounting on current
kernels is finally relatively minimal, so that it should be safe to
enable this by default without affecting system performance. Besides
memory accounting only task accounting is turned on by default, all
other forms of resource accounting (CPU, IO, IP) remain off for now,
because it's not clear yet that their impact is small enough to move
from opt-in to opt-out. We recommend that downstreams leave memory
accounting on by default if kernel 4.14 or higher is primarily
used. On very resource constrained systems or when support for old
kernels is a necessity, -Dmemory-accounting-default=false can be used
to revert this change.
* rpm scriptlets to update the udev hwdb and rules (%udev_hwdb_update,
%udev_rules_update) and the journal catalog (%journal_catalog_update)
from the upgrade scriptlets of individual packages now do nothing.
Transfiletriggers have been added which will perform those updates
once at the end of the transaction.
Similar transfiletriggers have been added to execute any sysctl.d
and binfmt.d rules. Thus, it should be unnecessary to provide any
scriptlets to execute this configuration from package installation
* elogind-sysusers gained a mode where the configuration to execute is
specified on the command line, but this configuration is not executed
directly, but instead it is merged with the configuration on disk,
and the result is executed. This is useful for package installation
scripts which want to create the user before installing any files on
disk (in case some of those files are owned by that user), while
still allowing local admin overrides.
This functionality is exposed to rpm scriptlets through a new
%sysusers_create_package macro. Old %sysusers_create and
%sysusers_create_inline macros are deprecated.
A transfiletrigger for sysusers.d configuration is now installed,
which means that it should be unnecessary to call elogind-sysusers from
package installation scripts, unless the package installs any files
owned by those newly-created users, in which case
%sysusers_create_package should be used.
* An analogous change has been made for elogind-tmpfiles: it gained a mode
where the command-line configuration is merged with the configuration
on disk. This is exposed as the new %tmpfiles_create_package macro,
and %tmpfiles_create is deprecated. A transfiletrigger is installed
for tmpfiles.d, hence it should be unnecessary to call elogind-tmpfiles
from package installation scripts.
* sysusers.d configuration for a user may now also specify the group
number, in addition to the user number ("u username 123:456"), or
without the user number ("u username -:456").
* Configuration items for elogind-sysusers can now be specified as
positional arguments when the new --inline switch is used.
* The login shell of users created through sysusers.d may now be
specified (previously, it was always /bin/sh for root and
/sbin/nologin for other users).
* elogind-analyze gained a new --global switch to look at global user
configuration. It also gained a unit-paths verb to list the unit load
paths that are compiled into elogind (which can be used with
--elogind, --user, or --global).
* udevadm trigger gained a new --settle/-w option to wait for any
triggered events to finish (but just those, and not any other events
which are triggered meanwhile).
* The action that elogind takes when the lid is closed and the
machine is connected to external power can now be configured using
HandleLidSwitchExternalPower= in logind.conf. Previously, this action
was determined by HandleLidSwitch=, and, for backwards compatibility,
still is, if HandleLidSwitchExternalPower= is not explicitly set.
* journalctl will periodically call sd_journal_process() to make it
resilient against inotify queue overruns when journal files are
rotated very quickly.
* Two new functions in libelogind — sd_bus_get_n_queued_read and
sd_bus_get_n_queued_write — may be used to check the number of
pending bus messages.
* elogind gained a new
org.freedesktop.elogind1.Manager.AttachProcessesToUnit dbus call
which can be used to migrate foreign processes to scope and service
units. The primary user for this new API is elogind itself: the
elogind --user instance uses this call of the elogind --system
instance to migrate processes if it itself gets the request to
migrate processes and the kernel refuses this due to access
restrictions. Thanks to this "elogind-run --scope --user …" works
again in pure cgroups v2 environments when invoked from the user
session scope.
* A new TemporaryFileSystem= setting can be used to mask out part of
the real file system tree with tmpfs mounts. This may be combined
with BindPaths= and BindReadOnlyPaths= to hide files or directories
not relevant to the unit, while still allowing some paths lower in
the tree to be accessed.
ProtectHome=tmpfs may now be used to hide user home and runtime
directories from units, in a way that is mostly equivalent to
"TemporaryFileSystem=/home /run/user /root".
* Non-service units are now started with KeyringMode=shared by default.
This means that mount and swapon and other mount tools have access
to keys in the main keyring.
* /sys/fs/bpf is now mounted automatically.
* QNX virtualization is now detected by elogind-detect-virt and may
be used in ConditionVirtualization=.
* IPAccounting= may now be enabled also for slice units.
* A new -Dsplit-bin= build configuration switch may be used to specify
whether bin and sbin directories are merged, or if they should be
included separately in $PATH and various listings of executable
directories. The build configuration scripts will try to autodetect
the proper values of -Dsplit-usr= and -Dsplit-bin= based on build
system, but distributions are encouraged to configure this
* A new -Dok-color= build configuration switch may be used to change
the colour of "OK" status messages.
* UPGRADE ISSUE: serialization of units using JoinsNamespaceOf= with
PrivateNetwork=yes was buggy in previous versions of elogind. This
means that after the upgrade and daemon-reexec, any such units must
be restarted.
* INCOMPATIBILITY: as announced in the NEWS for 237, elogind-tmpfiles
will not exclude read-only files owned by root from cleanup.
Contributions from: Alan Jenkins, Alexander F Rødseth, Alexis Jeandet,
Andika Triwidada, Andrei Gherzan, Ansgar Burchardt, antizealot1337,
Batuhan Osman Taşkaya, Beniamino Galvani, Bill Yodlowsky, Caio Marcelo
de Oliveira Filho, CuBiC, Daniele Medri, Daniel Mouritzen, Daniel
Rusek, Davide Cavalca, Dimitri John Ledkov, Douglas Christman, Evgeny
Vereshchagin, Faalagorn, Filipe Brandenburger, Franck Bui, futpib,
Giacomo Longo, Gunnar Hjalmarsson, Hans de Goede, Hermann Gausterer,
Iago López Galeiras, Jakub Filak, Jan Synacek, Jason A. Donenfeld,
Javier Martinez Canillas, Jérémy Rosen, Lennart Poettering, Lucas
Werkmeister, Mao Huang, Marco Gulino, Michael Biebl, Michael Vogt,
MilhouseVH, Neal Gompa (ニール・ゴンパ), Oleander Reis, Olof Mogren,
Patrick Uiterwijk, Peter Hutterer, Peter Portante, Piotr Drąg, Robert
Antoni Buj Gelonch, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon
Fowler, SjonHortensius, snorreflorre, Susant Sahani, Sylvain
Plantefève, Thomas Blume, Thomas Haller, Vito Caputo, Yu Watanabe,
Zbigniew Jędrzejewski-Szmek, Марко М. Костић (Marko M. Kostić)
— Warsaw, 2018-03-05
* Some keyboards come with a zoom see-saw or rocker which until now got
mapped to the Linux "zoomin/out" keys in hwdb. However, these
keycodes are not recognized by any major desktop. They now produce
Up/Down key events so that they can be used for scrolling.
* INCOMPATIBILITY: elogind-tmpfiles' "f" lines changed behaviour
slightly: previously, if an argument was specified for lines of this
type (i.e. the right-most column was set) this string was appended to
existing files each time elogind-tmpfiles was run. This behaviour was
different from what the documentation said, and not particularly
useful, as repeated elogind-tmpfiles invocations would not be
idempotent and grow such files without bounds. With this release
behaviour has been altered slightly, to match what the documentation
says: lines of this type only have an effect if the indicated files
don't exist yet, and only then the argument string is written to the
* FUTURE INCOMPATIBILITY: In elogind v238 we intend to slightly change
elogind-tmpfiles behaviour: previously, read-only files owned by root
were always excluded from the file "aging" algorithm (i.e. the
automatic clean-up of directories like /tmp based on
atime/mtime/ctime). We intend to drop this restriction, and age files
by default even when owned by root and read-only. This behaviour was
inherited from older tools, but there have been requests to remove
it, and it's not obvious why this restriction was made in the first
place. Please speak up now, if you are aware of software that requires
this behaviour, otherwise we'll remove the restriction in v238.
* A new environment variable $SYSTEMD_OFFLINE is now understood by
systemctl. It takes a boolean argument. If on, systemctl assumes it
operates on an "offline" OS tree, and will not attempt to talk to the
service manager. Previously, this mode was implicitly enabled if a
chroot() environment was detected, and this new environment variable
now provides explicit control.
* .path and .socket units may now be created transiently, too.
Previously only service, mount, automount and timer units were
supported as transient units. The elogind-run tool has been updated
to expose this new functionality, you may hence use it now to bind
arbitrary commands to path or socket activation on-the-fly from the
command line. Moreover, almost all properties are now exposed for the
unit types that already supported transient operation.
* The elogind-mount command gained support for a new --owner= parameter
which takes a user name, which is then resolved and included in uid=
and gid= mount options string of the file system to mount.
* A new unit condition ConditionControlGroupController= has been added
that checks whether a specific cgroup controller is available.
* Unit files, udev's .link files, and elogind-networkd's .netdev and
.network files all gained support for a new condition
ConditionKernelVersion= for checking against specific kernel
* In elogind-networkd, the [IPVLAN] section in .netdev files gained
support for configuring device flags in the Flags= setting. In the
same files, the [Tunnel] section gained support for configuring
AllowLocalRemote=. The [Route] section in .network files gained
support for configuring InitialCongestionWindow=,
InitialAdvertisedReceiveWindow= and QuickAck=. The [DHCP] section now
understands RapidCommit=.
* elogind-networkd's DHCPv6 support gained support for Prefix
* sd-bus gained support for a new "watch-bind" feature. When this
feature is enabled, an sd_bus connection may be set up to connect to
an AF_UNIX socket in the file system as soon as it is created. This
functionality is useful for writing early-boot services that
automatically connect to the system bus as soon as it is started,
without ugly time-based polling. elogind-networkd and
elogind-resolved have been updated to make use of this
functionality. busctl exposes this functionality in a new
--watch-bind= command line switch.
* sd-bus will now optionally synthesize a local "Connected" signal as
soon as a D-Bus connection is set up fully. This message mirrors the
already existing "Disconnected" signal which is synthesized when the
connection is terminated. This signal is generally useful but
particularly handy in combination with the "watch-bind" feature
described above. Synthesizing of this message has to be requested
explicitly through the new API call sd_bus_set_connected_signal(). In
addition a new call sd_bus_is_ready() has been added that checks
whether a connection is fully set up (i.e. between the "Connected" and
"Disconnected" signals).
* sd-bus gained two new calls sd_bus_request_name_async() and
sd_bus_release_name_async() for asynchronously registering bus
names. Similarly, there is now sd_bus_add_match_async() for installing
a signal match asynchronously. All of elogind's own services have
been updated to make use of these calls. Doing these operations
asynchronously has two benefits: it reduces the risk of deadlocks in
case of cyclic dependencies between bus services, and it speeds up
service initialization since synchronization points for bus
round-trips are removed.
* sd-bus gained two new calls sd_bus_match_signal() and
sd_bus_match_signal_async(), which are similar to sd_bus_add_match()
and sd_bus_add_match_async() but instead of taking a D-Bus match
string take match fields as normal function parameters.
* sd-bus gained two new calls sd_bus_set_sender() and
sd_bus_message_set_sender() for setting the sender name of outgoing
messages (either for all outgoing messages or for just one specific
one). These calls are only useful in direct connections as on
brokered connections the broker fills in the sender anyway,
overwriting whatever the client filled in.
* sd-event gained a new pseudo-handle that may be specified on all API
calls where an "sd_event*" object is expected: SD_EVENT_DEFAULT. When
used this refers to the default event loop object of the calling
thread. Note however that this does not implicitly allocate one —
which has to be done prior by using sd_event_default(). Similarly
sd-bus gained three new pseudo-handles SD_BUS_DEFAULT,
SD_BUS_DEFAULT_USER, SD_BUS_DEFAULT_SYSTEM that may be used to refer
to the default bus of the specified type of the calling thread. Here
too this does not implicitly allocate bus connection objects, this
has to be done prior with sd_bus_default() and friends.
* sd-event gained a new call pair
sd_event_source_{get|set}_io_fd_own(). This may be used to request
automatic closure of the file descriptor an IO event source watches
when the event source is destroyed.
* elogind-networkd gained support for natively configuring WireGuard
* In previous versions elogind synthesized user records both for the
"nobody" (UID 65534) and "root" (UID 0) users in nss-elogind and
internally. In order to simplify distribution-wide renames of the
"nobody" user (like it is planned in Fedora: nfsnobody → nobody), a
new transitional flag file has been added: if
/etc/elogind/dont-synthesize-nobody exists synthesizing of the 65534
user and group record within the elogind codebase is disabled.
* elogind-notify gained a new --uid= option for selecting the source
user/UID to use for notification messages sent to the service
* journalctl gained a new --grep= option to list only entries in which
the message matches a certain pattern. By default matching is case
insensitive if the pattern is lowercase, and case sensitive
otherwise. Option --case-sensitive=yes|no can be used to override
this and specify case sensitivity or case insensitivity.
* There's now an "elogind-analyze service-watchdogs" command for printing
the current state of the service runtime watchdog, and optionally
enabling or disabling the per-service watchdogs system-wide if given a
boolean argument (i.e. the concept you configure in WatchdogSec=), for
debugging purposes. There's also a kernel command line option
elogind.service_watchdogs= for controlling the same.
* Two new "log-level" and "log-target" options for elogind-analyze were
added that merge the now deprecated get-log-level, set-log-level and
get-log-target, set-log-target pairs. The deprecated options are still
understood for backwards compatibility. The two new options print the
current value when no arguments are given, and set them when a
level/target is given as an argument.
* sysusers.d's "u" lines now optionally accept both a UID and a GID
specification, separated by a ":" character, in order to create users
where UID and GID do not match.
Contributions from: Adam Duskett, Alan Jenkins, Alexander Kuleshov,
Alexis Deruelle, Andrew Jeddeloh, Armin Widegreen, Batuhan Osman
Taşkaya, Björn Esser, bleep_blop, Bruce A. Johnson, Chris Down, Clinton
Roy, Colin Walters, Daniel Rusek, Dimitri John Ledkov, Dmitry Rozhkov,
Evgeny Vereshchagin, Ewout van Mansom, Felipe Sateler, Franck Bui,
Frantisek Sumsal, George Gaydarov, Gianluca Boiano, Hans-Christian
Noren Egtvedt, Hans de Goede, Henrik Grindal Bakken, Jan Alexander
Steffens, Jan Klötzke, Jason A. Donenfeld, jdkbx, Jérémy Rosen,
Jerónimo Borque, John Lin, John Paul Herold, Jonathan Rudenberg, Jörg
Thalheim, Ken (Bitsko) MacLeod, Larry Bernstone, Lennart Poettering,
Lucas Werkmeister, Maciej S. Szmigiero, Marek Čermák, Martin Pitt,
Mathieu Malaterre, Matthew Thode, Matthias-Christian Ott, Max Harmathy,
Michael Biebl, Michael Vogt, Michal Koutný, Michal Sekletar, Michał
Szczepański, Mike Gilbert, Nathaniel McCallum, Nicolas Chauvet, Olaf
Hering, Olivier Schwander, Patrik Flykt, Paul Cercueil, Peter Hutterer,
Piotr Drąg, Raphael Vogelgsang, Reverend Homer, Robert Kolchmeyer,
Samuel Dionne-Riel, Sergey Ptashnick, Shawn Landden, Susant Sahani,
Sylvain Plantefève, Thomas H. P. Andersen, Thomas Huth, Tomasz
Bachorski, Vladislav Vishnyakov, Wieland Hoffmann, Yu Watanabe, Zachary
Winnerman, Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски, Дилян
— Brno, 2018-01-28
* The modprobe.d/ drop-in for the bonding.ko kernel module introduced
in v235 has been extended to also set the dummy.ko module option
numdummies=0, preventing the kernel from automatically creating
dummy0. All dummy interfaces must now be explicitly created.
* Unknown '%' specifiers in configuration files are now rejected. This
applies to units and tmpfiles.d configuration. Any percent characters
that are followed by a letter or digit that are not supposed to be
interpreted as the beginning of a specifier should be escaped by
doubling ("%%"). (So "size=5%" is still accepted, as well as
"size=5%,foo=bar", but not "LABEL=x%y%z" since %y and %z are not
valid specifiers today.)
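A pre-upgrade lint for the rule above, as an added example (not code from systemd or elogind). The set of accepted specifier letters is an assumption based on systemd.unit(5) around this release, and the sample text is constructed from the values quoted in the entry.

```python
import re

# Assumption: specifier letters as listed in systemd.unit(5) around this
# release, including the %S, %C and %L additions. tmpfiles.d accepts a
# smaller set; pass your own `known` for it or for other versions.
UNIT_SPECIFIERS = frozenset("nNpPiIfcrRtSCLuUhsmbHv")

_PERCENT = re.compile(r"%(.?)", re.S)


def _is_unknown(ch, known):
    # Only '%' followed by an ASCII letter or digit counts as a specifier;
    # "5%," or a trailing "%" stays a literal, and "%%" is an escape.
    return ch != "%" and ch.isascii() and ch.isalnum() and ch not in known


def unknown_specifiers(text, known=UNIT_SPECIFIERS):
    """Return the '%x' sequences in `text` that would now be rejected."""
    return ["%" + m.group(1) for m in _PERCENT.finditer(text)
            if _is_unknown(m.group(1), known)]


def escape_unknown(text, known=UNIT_SPECIFIERS):
    """Double the '%' of every unknown specifier, leaving valid ones intact."""
    return _PERCENT.sub(
        lambda m: "%" + m.group(0) if _is_unknown(m.group(1), known) else m.group(0),
        text)


def lint(config_text, known=UNIT_SPECIFIERS):
    """Return (line number, offending sequences) for each affected line."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith(("#", ";")):
            continue  # comment lines are never expanded
        bad = unknown_specifiers(line, known)
        if bad:
            findings.append((lineno, bad))
    return findings


# Constructed sample, using the values quoted in the entry above.
SAMPLE = """\
[Mount]
# 100%y in a comment is ignored
Options=size=5%,foo=bar
What=LABEL=x%y%z
Where=%t/scratch
"""
```

Running lint() over every unit and tmpfiles.d snippet before the upgrade lists the lines that would stop loading; escape_unknown() produces the doubled form for each.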
* systemd-resolved now maintains a new dynamic
/run/systemd/resolve/stub-resolv.conf compatibility file. It is
recommended to make /etc/resolv.conf a symlink to it. This file
points at the systemd-resolved stub DNS resolver and
includes dynamically acquired search domains, achieving more correct
DNS resolution by software that bypasses local DNS APIs such as NSS.
* The "uaccess" udev tag has been dropped from /dev/kvm and
/dev/dri/renderD*. These devices now have the 0666 permissions by
default (but this may be changed at build-time). /dev/dri/renderD*
will now be owned by the "render" group along with /dev/kfd.
* "DynamicUser=yes" has been enabled for systemd-timesyncd.service,
systemd-journal-gatewayd.service and
systemd-journal-upload.service. This means "nss-systemd" must be
enabled in /etc/nsswitch.conf to ensure the UIDs assigned to these
services are resolved properly.
* In /etc/fstab two new mount options are now understood:
x-systemd.makefs and x-systemd.growfs. The former has the effect that
the configured file system is formatted before it is mounted, the
latter that the file system is resized to the full block device size
after it is mounted (i.e. if the file system is smaller than the
partition it resides on, it's grown). This is similar to the fsck
logic in /etc/fstab, and pulls in systemd-makefs@.service and
systemd-growfs@.service as necessary, similar to
systemd-fsck@.service. Resizing is currently only supported on ext4
and btrfs.
* In systemd-networkd, the IPv6 RA logic now optionally may announce
DNS server and domain information.
* Support for the LUKS2 on-disk format for encrypted partitions has
been added. This requires libcryptsetup2 during compilation and
* The systemd --user instance will now signal "readiness" when its unit
has been reached, instead of when the run queue ran empty for the
first time.
* Tmpfiles.d with user configuration are now also supported.
systemd-tmpfiles gained a new --user switch, and snippets placed in
~/.config/user-tmpfiles.d/ and corresponding directories will be
executed by systemd-tmpfiles --user running in the new
systemd-tmpfiles-setup.service and systemd-tmpfiles-clean.service
running in the user session.
* Unit files and tmpfiles.d snippets learnt three new % specifiers:
%S resolves to the top-level state directory (/var/lib for the system
instance, $XDG_CONFIG_HOME for the user instance), %C resolves to the
top-level cache directory (/var/cache for the system instance,
$XDG_CACHE_HOME for the user instance), %L resolves to the top-level
logs directory (/var/log for the system instance,
$XDG_CONFIG_HOME/log/ for the user instance). This matches the
existing %t specifier, that resolves to the top-level runtime
directory (/run for the system instance, and $XDG_RUNTIME_DIR for the
user instance).
* journalctl learnt a new parameter --output-fields= for limiting the
set of journal fields to output in verbose and JSON output modes.
* systemd-timesyncd's configuration file gained a new option
RootDistanceMaxSec= for setting the maximum root distance of servers
it'll use, as well as the new options PollIntervalMinSec= and
PollIntervalMaxSec= to tweak the minimum and maximum poll interval.
* bootctl gained a new command "list" for listing all available boot
menu items on systems that follow the boot loader specification.
* systemctl gained a new --dry-run switch that shows what would be done
instead of doing it, and is currently supported by the shutdown and
sleep verbs.
* ConditionSecurity= can now detect the TOMOYO security module.
* Unit file [Install] sections are now also respected in unit drop-in
files. This is intended to be used by drop-ins under /usr/lib/.
* systemd-firstboot may now also set the initial keyboard mapping.
* Udev "changed" events for devices which are exposed as systemd
.device units are now propagated to units specified in
ReloadPropagatedFrom= as reload requests.
* If a udev device has a SYSTEMD_WANTS= property containing a systemd
unit template name (i.e. a name in the form of 'foobar@.service',
without the instance component between the '@' and the '.'), then
the escaped sysfs path of the device is automatically used as the
* SystemCallFilter= in unit files has been extended so that an "errno"
can be specified individually for each system call. Example:
* The cgroup delegation logic has been substantially updated. Delegate=
now optionally takes a list of controllers (instead of a boolean, as
before), which lists the controllers to delegate at least.
* The networkd DHCPv6 client now implements the FQDN option (RFC 4704).
* A new LogLevelMax= setting configures the maximum log level any
process of the service may log at (i.e. anything with a lesser
priority than what is specified is automatically dropped). A new
LogExtraFields= setting allows configuration of additional journal
fields to attach to all log records generated by any of the unit's
* New StandardInputData= and StandardInputText= settings along with the
new option StandardInput=data may be used to configure textual or
binary data that shall be passed to the executed service process via
standard input, encoded in-line in the unit file.
* StandardInput=, StandardOutput= and StandardError= may now be used to
connect stdin/stdout/stderr of executed processes directly with a
file or AF_UNIX socket in the file system, using the new "file:" option.
* A new unit file option CollectMode= has been added, that allows
tweaking the garbage collection logic for units. It may be used to
tell systemd to garbage collect units that have failed automatically
(normally it only GCs units that exited successfully). systemd-run
and systemd-mount expose this new functionality with a new -G option.
* "machinectl bind" may now be used to bind mount non-directories
(i.e. regular files, devices, fifos, sockets).
* systemd-analyze gained a new verb "calendar" for validating and
testing calendar time specifications to use for OnCalendar= in timer
units. Besides validating the expression it will calculate the next
time the specified expression would elapse.
* In addition to the pre-existing FailureAction= unit file setting
there's now SuccessAction=, for configuring a shutdown action to
execute when a unit completes successfully. This is useful in
particular inside containers that shall terminate after some workload
has been completed. Also, both options are now supported for all unit
types, not just services.
* networkd's IP rule support gained two new options
IncomingInterface= and OutgoingInterface= for configuring the incoming
and outgoing interfaces of configured rules. systemd-networkd also
gained support for "vxcan" network devices.
* networkd gained a new setting RequiredForOnline=, taking a
boolean. If set, systemd-wait-online will take it into consideration
when determining that the system is up, otherwise it will ignore the
interface for this purpose.
* The sd_notify() protocol gained support for a new operation: with
FDSTOREREMOVE=1 file descriptors may be removed from the per-service
store again, ahead of POLLHUP or POLLERR when they are removed
* A new document doc/ has been added to the source tree,
that documents the UID/GID range and assignment assumptions and
requirements of systemd.
* The watchdog device PID 1 will ping may now be configured through the
WatchdogDevice= configuration file setting, or by setting the
systemd.watchdog_service= kernel commandline option.
* systemd-resolved gained support for registering DNS-SD services on
the local network using MulticastDNS. Services may either be
registered by dropping in a .dnssd file in /etc/systemd/dnssd/ (or
the same dir below /run, /usr/lib), or through its D-Bus API.
* The sd_notify() protocol can now extend the effective start, runtime,
and stop time with EXTEND_TIMEOUT_USEC=microsecond. The service must
continue to send EXTEND_TIMEOUT_USEC within the period specified to
prevent the service manager from marking the service as timed out.
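The two sd_notify() additions in this release (FDSTOREREMOVE=1 and EXTEND_TIMEOUT_USEC=) written out at the datagram level, as an added example that is not code from systemd or elogind. It assumes the documented NOTIFY_SOCKET convention and that FDSTOREREMOVE=1 is paired with FDNAME=, as sd_notify(3) describes; the function names are hypothetical.

```python
import os
import socket


def notify_address(path):
    """Translate a NOTIFY_SOCKET value into an AF_UNIX address."""
    if not path or path[0] not in "/@":
        raise ValueError("NOTIFY_SOCKET must be absolute or start with '@'")
    # A leading '@' names a Linux abstract socket, addressed with a NUL byte.
    return "\0" + path[1:] if path[0] == "@" else path


def extend_timeout(usec):
    """Payload asking the service manager for `usec` more microseconds."""
    if usec <= 0:
        raise ValueError("timeout extension must be positive")
    return f"EXTEND_TIMEOUT_USEC={usec}\n".encode()


def fdstore_remove(fd_name):
    """Payload removing the stored file descriptors named `fd_name`."""
    # Rejecting control characters keeps a caller-supplied name from
    # smuggling a second assignment (e.g. "x\nREADY=1") into the datagram.
    if (not fd_name or ":" in fd_name or len(fd_name) > 255
            or not (fd_name.isascii() and fd_name.isprintable())):
        raise ValueError("invalid FDNAME")
    return f"FDSTOREREMOVE=1\nFDNAME={fd_name}\n".encode()


def sd_notify(payload, env=os.environ):
    """Send one datagram to the manager; False when not supervised."""
    path = env.get("NOTIFY_SOCKET")
    if not path:
        return False
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, notify_address(path))
    return True


def run_long_job(steps, per_step_usec, env=os.environ):
    """Run callables in order, requesting a fresh extension before each."""
    sent = 0
    for step in steps:
        # Every message opens a new window; the next one has to arrive
        # inside it or the manager falls back to its normal timeout.
        if sd_notify(extend_timeout(per_step_usec), env):
            sent += 1
        step()
    return sent
```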
* elogind-resolved's DNSSEC support gained support for RFC 8080
(Ed25519 keys and signatures).
* The elogind-resolve command line tool gained a new set of options
--set-dns=, --set-domain=, --set-llmnr=, --set-mdns=, --set-dnssec=,
--set-nta= and --revert to configure per-interface DNS configuration
dynamically during runtime. It's useful for pushing DNS information
into elogind-resolved from DNS hook scripts that various interface
managing software supports (such as pppd).
* elogind-nspawn gained a new --network-namespace-path= command line
option, which may be used to make a container join an existing
network namespace, by specifying a path to a "netns" file.
Contributions from: Alan Jenkins, Alan Robertson, Alessandro Ghedini,
Andrew Jeddeloh, Antonio Rojas, Ari, asavah, bleep_blop, Carsten
Strotmann, Christian Brauner, Christian Hesse, Clinton Roy, Collin
Eggert, Cong Wang, Daniel Black, Daniel Lockyer, Daniel Rusek, Dimitri
John Ledkov, Dmitry Rozhkov, Dongsu Park, Edward A. James, Evgeny
Vereshchagin, Florian Klink, Franck Bui, Gwendal Grignou, Hans de
Goede, Harald Hoyer, Hristo Venev, Iago López Galeiras, Ikey Doherty,
Jakub Wilk, Jérémy Rosen, Jiahui Xie, John Lin, José Bollo, Josef
Andersson, juga0, Krzysztof Nowicki, Kyle Walker, Lars Karlitski, Lars
Kellogg-Stedman, Lauri Tirkkonen, Lennart Poettering, Lubomir Rintel,
Luca Bruno, Lucas Werkmeister, Lukáš Nykrýn, Lukáš Říha, Lukasz
Rubaszewski, Maciej S. Szmigiero, Mantas Mikulėnas, Marcus Folkesson,
Martin Steuer, Mathieu Trudel-Lapierre, Matija Skala,
Matthias-Christian Ott, Max Resch, Michael Biebl, Michael Vogt, Michal
Koutný, Michal Sekletar, Mike Gilbert, Muhammet Kara, Neil Brown, Olaf
Hering, Ondrej Kozina, Patrik Flykt, Patryk Kocielnik, Peter Hutterer,
Piotr Drąg, Razvan Cojocaru, Robin McCorkell, Roland Hieber, Saran
Tunyasuvunakool, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon
Arlott, Simon Peeters, Stanislav Angelovič, Stefan Agner, Susant
Sahani, Sylvain Plantefève, Thomas Blume, Thomas Haller, Tiago Salem
Herrmann, Tinu Weber, Tom Stellard, Topi Miettinen, Torsten Hilbrich,
Vito Caputo, Vladislav Vishnyakov, WaLyong Cho, Yu Watanabe, Zbigniew
Jędrzejewski-Szmek, Zeal Jagannatha
— Berlin, 2017-12-14
* INCOMPATIBILITY: systemd-logind.service and other long-running
services now run inside an IPv4/IPv6 sandbox, prohibiting them from any IP
communication with the outside. This generally improves security of
the system, and is in almost all cases a safe and good choice, as
these services do not and should not provide any network-facing
functionality. However, systemd-logind uses the glibc NSS API to
query the user database. This creates problems on systems where NSS
is set up to directly consult network services for user database
lookups. In particular, this creates incompatibilities with the
"nss-nis" module, which attempts to directly contact the NIS/YP
network servers it is configured for, and will now consistently
fail. In such cases, it is possible to turn off IP sandboxing for
systemd-logind.service (set IPAddressDeny= in its [Service] section
to the empty string, via a .d/ unit file drop-in). Downstream
distributions might want to update their nss-nis packaging to include
such a drop-in snippet, accordingly, to hide this incompatibility
from the user. Another option is to make use of glibc's nscd service
to proxy such network requests through a privilege-separated, minimal
local caching daemon, or to switch to more modern technologies such as
sssd, whose NSS hook-ups generally do not involve direct network
access. In general, we think it's definitely time to question the
implementation choices of nss-nis, i.e. whether it's a good idea
today to embed a network-facing loadable module into all local
processes that need to query the user database, including the most
trivial and benign ones, such as "ls". For more details about
IPAddressDeny= see below.
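An audit check for the drop-in described above, as an added example (not code from systemd or elogind): it folds IPAddressDeny= over a unit and its drop-ins and reports which file, if any, cleared the list. The unit text and file names are constructed, the drop-in ordering is a stated assumption, and IPAddressAllow= is not modelled.

```python
def effective_ip_deny(fragments):
    """Fold IPAddressDeny= over (name, text) fragments given in load order.

    Returns (entries, reset_by): the resulting access list and the name of
    the last fragment that cleared it with an empty assignment, if any.
    """
    entries, reset_by = [], None
    for name, text in fragments:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, sep, value = line.partition("=")
            if section != "Service" or not sep or key.strip() != "IPAddressDeny":
                continue
            value = value.strip()
            if value:
                entries.extend(value.split())  # list setting: entries accumulate
            else:
                entries, reset_by = [], name   # empty string resets the list
    return entries, reset_by


def audit(unit_text, dropins):
    """Classify one unit's IP sandbox; `dropins` maps file name to text."""
    # Assumption: drop-ins apply after the main file, sorted by file name.
    order = [("unit", unit_text)] + sorted(dropins.items())
    entries, reset_by = effective_ip_deny(order)
    if "any" in entries:
        return "sealed", reset_by
    return ("partial" if entries else "open"), reset_by


# Constructed sample: a logind-like unit and the override the entry describes.
UNIT = "[Unit]\nDescription=Login Service\n\n[Service]\nIPAddressDeny=any\n"
NIS_DROPIN = {"10-nss-nis.conf": "[Service]\n# allow nss-nis lookups\nIPAddressDeny=\n"}
```

A result of "open" together with a drop-in name identifies hosts where the sandbox was lifted for NSS lookups and where nscd or sssd could be used instead.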
* A new modprobe.d drop-in is now shipped by default that sets the
bonding module option max_bonds=0. This overrides the kernel default,
to avoid conflicts and ambiguity as to whether bond0 should be
managed by systemd-networkd. This resolves multiple issues
with bond0 properties not being applied, when bond0 is configured
with systemd-networkd. Distributors may choose to not package this,
however in that case users will be prevented from correctly managing
the bond0 interface using systemd-networkd.
* systemd-analyze gained new verbs "get-log-level" and "get-log-target"
which print the logging level and target of the system manager. They
complement the existing "set-log-level" and "set-log-target" verbs
used to change those values.
* journald.conf gained a new boolean setting ReadKMsg= which defaults
to on. If turned off kernel log messages will not be read by
systemd-journald or included in the logs. It also gained a new
setting LineMax= for configuring the maximum line length in
STDOUT/STDERR log streams. The new default for this value is 48K, up
from the previous hardcoded 2048.
* A new unit setting RuntimeDirectoryPreserve= has been added, which
allows more detailed control of what to do with a runtime directory
configured with RuntimeDirectory= (i.e. a directory below /run or
$XDG_RUNTIME_DIR) after a unit is stopped.