You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

8575 lines
440 KiB

systemd System and Service Manager
CHANGES WITH 239 in spe:
builtin will name network interfaces differently than in previous
versions for virtual network interfaces created with SR-IOV and NPAR
and for devices where the PCI network controller device does not have
a slot number associated.
SR-IOV virtual devices are now named based on the name of the parent
interface, with a suffix of "v<N>", where <N> is the virtual device
number. Previously those virtual devices were named as if completely
The ninth and later NPAR virtual devices will be named following the
scheme used for the first eight NPAR partitions. Previously those
devices were not renamed and the kernel default (eth<n>) was used.
"net_id" will also generate names for PCI devices where the PCI
network controller device does not have an associated slot number
itself, but one of its parents does. Previously those devices were
not renamed and the kernel default (eth<n>) was used.
* AF_INET and AF_INET6 are dropped from RestrictAddressFamilies= in
elogind.service. Since v235, IPAddressDeny=any has been set to
the unit. So, it is expected that the default behavior of
elogind is not changed. However, if distribution packagers or
administrators disabled or modified IPAddressDeny= setting by a
drop-in config file, then it may be necessary to update the file to
re-enable AF_INET and AF_INET6 to support network user name services,
e.g. NIS.
* When the RestrictNamespaces= unit property is specified multiple
times, then the specified types are merged now. Previously, only the
last assignment was used. So, if distribution packagers or
administrators modified the setting by a drop-in config file, then it
may be necessary to update the file.
* When OnFailure= is used in combination with Restart= on a service
unit, then the specified units will no longer be triggered on
failures that result in restarting. Previously, the specified units
would be activated each time the unit failed, even when the unit was
going to be restarted automatically. This behaviour contradicted the
documentation. With this release the code is adjusted to match the
* elogind-tmpfiles will now print a notice whenever it encounters
tmpfiles.d/ lines referencing the /var/run/ directory. It will
recommend reworking them to use the /run/ directory instead (for
which /var/run/ is simply a symlinked compatibility alias). This way
elogind-tmpfiles can properly detect line conflicts and merge lines
referencing the same file by two paths, without having to access
* systemctl disable/unmask/preset/preset-all cannot be used with
--runtime. Previously this was allowed, but resulted in unintuitive
behaviour that wasn't useful. systemctl disable/unmask will now undo
both runtime and persistent enablement/masking, i.e. it will remove
any relevant symlinks both in /run and /etc.
* Note that all long-running system services shipped with elogind will
now default to a system call whitelist (rather than a blacklist, as
before). In particular, elogind-udevd will now enforce one too. For
most cases this should be safe, however downstream distributions
which disabled sandboxing of elogind-udevd (specifically the
MountFlags= setting), might want to disable this security feature
too, as the default whitelisting will prohibit all mount, swap,
reboot and clock changing operations from udev rules.
* sd-boot acquired new loader configuration settings to optionally turn
off Windows and MacOS boot partition discovery as well as
reboot-into-firmware menu items. It is also able to pick a better
screen resolution for HiDPI systems, and now provides loader
configuration settings to change the resolution explicitly.
* The elogind-resolve tool has been renamed to resolvectl (it also
* elogind-resolved now supports DNS-over-TLS. It's still
turned off by default, use DNSOverTLS=opportunistic to turn it on in
resolved.conf. We intend to make this the default as soon as couple
of additional techniques for optimizing the initial latency caused by
establishing a TLS/TCP connection are implemented.
* elogind-resolved.service and elogind-networkd.service now set
DynamicUser=yes. The users elogind-resolve and elogind-network are
not created by elogind-sysusers.
remains available under the old name, for compatibility), and its
interface is now verb-based, similar in style to the other <xyz>ctl
tools, such as systemctl or loginctl.
* The resolvectl/elogind-resolve tool also provides 'resolvconf'
compatibility. It may be symlinked under the 'resolvconf' name, in
which case it will take arguments and input compatible with the
Debian and FreeBSD resolvconf tool.
* Support for suspend-then-hibernate has been added, i.e. a sleep mode
where the system initially suspends, and after a time-out resumes and
hibernates again.
* networkd's ClientIdentifier= now accepts a new option "duid-only". If
set the client will only send a DUID as client identifier.
* The nss-elogind glibc NSS module will now enumerate dynamic users and
groups in effect. Previously, it could resolve UIDs/GIDs to user
names/groups and vice versa, but did not support enumeration.
* journald's Compress= configuration setting now optionally accepts a
byte threshold value. All journal objects larger than this threshold
will be compressed, smaller ones will not. Previously this threshold
was not configurable and set to 512.
* A new system.conf setting NoNewPrivileges= is now available which may
be used to turn off acquisition of new privileges system-wide
(i.e. set Linux' PR_SET_NO_NEW_PRIVS for PID 1 itself, and thus also
for all its children). Note that turning this option on means setuid
binaries and file system capabilities lose their special powers.
While turning on this option is a big step towards a more secure
system, doing so is likely to break numerous pre-existing UNIX tools,
in particular su and sudo.
* A new service elogind-time-sync-wait.service has been added. If
enabled it will delay the unit at boot until time
synchronization has been received from the network. This
functionality is useful on systems lacking a local RTC or where it is
acceptable that the boot process shall be delayed by external network
* When hibernating, elogind will now inform the kernel of the image
write offset, on kernels new enough to support this. This means swap
files should work for hibernation now.
* When loading unit files, elogind will now look for drop-in unit files
extensions in additional places. Previously, for a unit file name
"foo-bar-baz.service" it would look for dropin files in
"foo-bar-baz.service.d/*.conf". Now, it will also look in
"foo-bar-.service.d/*.conf" and "foo-.service.d/", i.e. at the
service name truncated after all inner dashes. This scheme allows
writing drop-ins easily that apply to a whole set of unit files at
once. It's particularly useful for mount and slice units (as their
naming is prefix based), but is also useful for service and other
units, for packages that install multiple unit files at once,
following a strict naming regime of beginning the unit file name with
the package's name. Two new specifiers are now supported in unit
files to match this: %j and %J are replaced by the part of the unit
name following the last dash.
* Unit files and other configuration files that support specifier
expansion now understand another two new specifiers: %T and %V will
resolve to /tmp and /var/tmp respectively, or whatever temporary
directory has been set for the calling user.
* The ExecStart= lines of unit files are no longer required to
reference absolute paths. If non-absolute paths are specified the
specified binary name is searched within the service manager's
built-in $PATH, which may be queried with 'elogind-path
search-binaries-default'. It's generally recommended to continue to
use absolute paths for all binaries specified in unit files.
* Units gained a new load state "bad-setting", which is used when a
unit file was loaded, but contained fatal errors which prevent it
from being started (for example, a service unit has been defined
lacking both ExecStart= and ExecStop= lines).
* coredumpctl's "gdb" verb has been renamed to "debug", in order to
support alternative debuggers, for example lldb. The old name
continues to be available however, for compatibility reasons. Use the
new --debugger= switch or the $SYSTEMD_DEBUGGER environment variable
to pick an alternative debugger instead of the default gdb.
* systemctl and the other tools will now output escape sequences that
generate proper clickable hyperlinks in various terminal emulators
where useful (for example, in the "systemctl status" output you can
now click on the unit file name to quickly open it in the
editor/viewer of your choice). Note that not all terminal emulators
support this functionality yet, but many do. Unfortunately, the
"less" pager doesn't support this yet, hence this functionality is
currently automatically turned off when a pager is started (which
happens quite often due to auto-paging). We hope to remove this
limitation as soon as "less" learns these escape sequences. This new
behaviour may also be turned off explicitly with the $SYSTEMD_URLIFY
environment variable. For details on these escape sequences see:
* networkd's .network files now support a new IPv6MTUBytes= option for
setting the MTU used by IPv6 explicitly as well as a new MTUBytes=
option in the [Route] section to configure the MTU to use for
specific routes. It also gained support for configuration of the DHCP
"UserClass" option through the new UserClass= setting. It gained
three new options in the new [CAN] section for configuring CAN
networks. The MULTICAST and ALLMULTI interface flags may now be
controlled explicitly with the new Multicast= and AllMulticast=
* networkd will now automatically make use of the kernel's route
expiration feature, if it is available.
* udevd's .link files now support setting the number of receive and
transmit channels, using the RxChannels=, TxChannels=,
OtherChannels=, CombinedChannels= settings.
* Support for UDPSegmentationOffload= has been removed, given its
limited support in hardware, and waning software support.
* networkd's .netdev files now support creating "netdevsim" interfaces.
* PID 1 learnt a new bus call GetUnitByControlGroup() which may be used
to query the unit belonging to a specific kernel control group.
* elogind-analyze gained a new verb "cat-config", which may be used to
dump the contents of any configuration file, with all its matching
drop-in files added in, and honouring the usual search and masking
logic applied to elogind configuration files. For example use
"elogind-analyze cat-config elogind/system.conf" to get the complete
system configuration file of elogind how it would be loaded by PID 1
itself. Similar to this, various tools such as elogind-tmpfiles or
elogind-sysusers, gained a new option "--cat-config", which does the
corresponding operation for their own configuration settings. For
example, "elogind-tmpfiles --cat-config" will now output the full
list of tmpfiles.d/ lines in place.
* timedatectl gained two new verbs "timesync-status" (to show the
current NTP synchronization state of elogind-timesyncd) and
"show-timesync" (to show bus properties of elogind-timesyncd).
* elogind-timesyncd gained a bus interface on which it exposes details
about its state.
* elogind-nspawn gained a new --rlimit= switch for setting initial
* A new environment variable $SYSTEMD_TIMEDATED_NTP_SERVICES is now
understood by elogind-timedated. It takes a colon-separated list of
unit names of NTP client services. The list is used by
"timedatectl set-ntp".
resource limits for the container payload. There's a new switch
--hostname= to explicitly override the container's hostname. A new
--no-new-privileges= switch may be used to control the
PR_SET_NO_NEW_PRIVS flag for the container payload. A new
--oom-score-adjust= switch controls the OOM scoring adjustment value
for the payload. The new --cpu-affinity= switch controls the CPU
affinity of the container payload. The new --resolv-conf= switch
allows more detailed control of /etc/resolv.conf handling of the
container. Similarly, the new --timezone= switch allows more detailed
control of /etc/localtime handling of the container.
* elogind-detect-virt gained a new --list switch, which will print a
list of all currently known VM and container environments.
* Support for "Portable Services" has been added, see
doc/ for details. Currently, the support is still
experimental, but this is expected to change soon. Reflecting this
experimental state, the "portablectl" binary is not installed into
/usr/bin yet. The binary has to be called with the full path
/usr/lib/elogind/portablectl instead.
* journalctl's and systemctl's -o switch now knows a new log output
mode "with-unit". The output it generates is very similar to the
regular "short" mode, but displays the unit name instead of the
syslog tag for each log line. Also, the date is shown with timezone
information. This mode is probably more useful than the classic
"short" output mode for most purposes, except where pixel-perfect
compatibility with classic /var/log/messages formatting is required.
* A new --dump-bus-properties switch has been added to the elogind
binary, which may be used to dump all supported D-Bus properties.
(Options which are still supported, but are deprecated, are *not*
* sd-bus gained a set of new calls:
sd_bus_slot_set_floating()/sd_bus_slot_get_floating() may be used to
enable/disable the "floating" state of a bus slot object,
i.e. whether the slot object pins the bus it is allocated for into
memory or if the bus slot object gets disconnected when the bus goes
away. sd_bus_open_with_description(),
sd_bus_open_system_with_description() may be used to allocate bus
objects and set their description string already during allocation.
* sd-event gained support for watching inotify events from the event
loop, in an efficient way, sharing inotify handles between multiple
users. For this a new function sd_event_add_inotify() has been added.
* sd-event and sd-bus gained support for calling special user-supplied
destructor functions for userdata pointers associated with
sd_event_source, sd_bus_slot, and sd_bus_track objects. For this new
functions sd_bus_slot_set_destroy_callback,
sd_bus_slot_get_destroy_callback, sd_bus_track_set_destroy_callback,
sd_event_source_get_destroy_callback have been added.
* The "net.ipv4.tcp_ecn" sysctl will now be turned on by default.
* PID 1 will now automatically reschedule .timer units whenever the
local timezone changes. (They previously got rescheduled
automatically when the system clock changed.)
* New documentation has been added to document cgroups delegation,
portable services and the various code quality tools we have set up:
* pam_elogind will now look for PAM userdata fields elogind.memory_max,
elogind.tasks_max, elogind.cpu_weight, elogind.io_weight set by
earlier PAM modules. The data in these fields is used to initialize
the session scope's resource properties. Thus external PAM modules
may now configure per-session limits, for example sourced from
external user databases.
* socket units with Accept=yes will now maintain a "refused" counter in
addition to the existing "accepted" counter, counting connections
refused due to the enforced limits.
* The "elogind-path search-binaries-default" command may now be use to
query the default, built-in $PATH PID 1 will pass to the services it
* A new unit file setting PrivateMounts= has been added. It's a boolean
option. If enabled the unit's processes are invoked in their own file
system namespace. Note that this behaviour is also implied if any
other file system namespacing options (such as PrivateTmp=,
PrivateDevices=, ProtectSystem=, …) are used. This option is hence
primarily useful for services that do not use any of the other file
system namespacing options. One such service is elogind-udevd.service
wher this is now used by default.
* A new unit "" is added, which defines an
optional synchronization point for offline system updates, as
implemented by the pre-existing "" unit. It
allows ordering services before the service that executes the actual
update process in a generic way.
Contributions from: Adam Duskett, Alan Jenkins, Alessandro Casale,
Alexander Kurtz, Alex Gartrell, Anssi Hannula, Arnaud Rebillout, Brian
J. Murrell, Bruno Vernay, Chris Lamb, Chris Lesiak, Christian Brauner,
Christian Hesse, Christian Rebischke, Colin Guthrie, Daniel Dao, Daniel
Lin, Danylo Korostil, Davide Cavalca, David Tardon, Dimitri John
Ledkov, Dmitriy Geels, Douglas Christman, Elia Geretto, emelenas, Emil
Velikov, Evgeny Vereshchagin, Felipe Sateler, Feng Sun, Filipe
Brandenburger, Franck Bui, futpib, Giuseppe Scrivano, Guillem Jover,
guixxx, Hannes Reinecke, Hans de Goede, Harald Hoyer, Henrique Dante de
Almeida, Hiram van Paassen, Ian Miell, Igor Gnatenko, Ivan Shapovalov,
Iwan Timmer, James Cowgill, Jan Janssen, Jan Synacek, Jared Kazimir,
Jérémy Rosen, João Paulo Rechi Vita, Joost Heitbrink, Jui-Chi Ricky
Liang, Jürg Billeter, Kai-Heng Feng, Karol Augustin, Kay Sievers,
Krzysztof Nowicki, Lauri Tirkkonen, Lennart Poettering, Leonard König,
Long Li, Luca Boccassi, Lucas Werkmeister, Marcel Hoppe, Marc
Kleine-Budde, Mario Limonciello, Martin Jansa, Martin Wilck, Mathieu
Malaterre, Matteo F. Vescovi, Matthew McGinn, Matthias-Christian Ott,
Michael Biebl, Michael Olbrich, Michael Prokop, Michal Koutný, Michal
Sekletar, Mike Gilbert, Mikhail Kasimov, Milan Broz, Milan Pässler,
Mladen Pejaković, Muhammet Kara, Nicolas Boichat, Omer Katz, Paride
Legovini, Paul Menzel, Paul Milliken, Pavel Hrdina, Peter A. Bigot,
Peter D'Hoye, Peter Hutterer, Peter Jones, Philip Sequeira, Philip
Withnall, Piotr Drąg, Radostin Stoyanov, Ricardo Salveti de Araujo,
Ronny Chevalier, Rosen Penev, Rubén Suárez Alvarez, Ryan Gonzalez,
Salvo Tomaselli, Sebastian Reichel, Sergey Ptashnick, Sergio Lindo
Mansilla, Stefan Schweter, Stephen Hemminger, Stuart Hayes, Susant
Sahani, Sylvain Plantefève, Thomas H. P. Andersen, Tobias Jungel,
Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van Mourik,
Yu Watanabe, Zbigniew Jędrzejewski-Szmek
— Berlin, 2018-06-XX
* The MemoryAccounting= unit property now defaults to on. After
discussions with the upstream control group maintainers we learnt
that the negative impact of cgroup memory accounting on current
kernels is finally relatively minimal, so that it should be safe to
enable this by default without affecting system performance. Besides
memory accounting only task accounting is turned on by default, all
other forms of resource accounting (CPU, IO, IP) remain off for now,
because it's not clear yet that their impact is small enough to move
from opt-in to opt-out. We recommend downstreams to leave memory
accounting on by default if kernel 4.14 or higher is primarily
used. On very resource constrained systems or when support for old
kernels is a necessity, -Dmemory-accounting-default=false can be used
to revert this change.
* rpm scriptlets to update the udev hwdb and rules (%udev_hwdb_update,
%udev_rules_update) and the journal catalog (%journal_catalog_update)
from the upgrade scriptlets of individual packages now do nothing.
Transfiletriggers have been added which will perform those updates
once at the end of the transaction.
Similar transfiletriggers have been added to execute any sysctl.d
and binfmt.d rules. Thus, it should be unnecessary to provide any
scriptlets to execute this configuration from package installation
* elogind-sysusers gained a mode where the configuration to execute is
specified on the command line, but this configuration is not executed
directly, but instead it is merged with the configuration on disk,
and the result is executed. This is useful for package installation
scripts which want to create the user before installing any files on
disk (in case some of those files are owned by that user), while
still allowing local admin overrides.
This functionality is exposed to rpm scriptlets through a new
%sysusers_create_package macro. Old %sysusers_create and
%sysusers_create_inline macros are deprecated.
A transfiletrigger for sysusers.d configuration is now installed,
which means that it should be unnecessary to call elogind-sysusers from
package installation scripts, unless the package installs any files
owned by those newly-created users, in which case
%sysusers_create_package should be used.
* Analogous change has been done for elogind-tmpfiles: it gained a mode
where the command-line configuration is merged with the configuration
on disk. This is exposed as the new %tmpfiles_create_package macro,
and %tmpfiles_create is deprecated. A transfiletrigger is installed
for tmpfiles.d, hence it should be unnecessary to call elogind-tmpfiles
from package installation scripts.
* sysusers.d configuration for a user may now also specify the group
number, in addition to the user number ("u username 123:456"), or
without the user number ("u username -:456").
* Configution items for elogind-sysusers can now be specified as
positional arguments when the new --inline switch is used.
* The login shell of users created through sysusers.d may now be
specified (previously, it was always /bin/sh for root and
/sbin/nologin for other users).
* elogind-analyze gained a new --global switch to look at global user
configuration. It also gained a unit-paths verb to list the unit load
paths that are compiled into elogind (which can be used with
--elogind, --user, or --global).
* udevadm trigger gained a new --settle/-w option to wait for any
triggered events to finish (but just those, and not any other events
which are triggered meanwhile).
* The action that elogind takes when the lid is closed and the
machine is connected to external power can now be configured using
HandleLidSwitchExternalPower= in logind.conf. Previously, this action
was determined by HandleLidSwitch=, and, for backwards compatibility,
is still is, if HandleLidSwitchExternalPower= is not explicitly set.
* journalctl will periodically call sd_journal_process() to make it
resilient against inotify queue overruns when journal files are
rotated very quickly.
* Two new functions in libelogind — sd_bus_get_n_queued_read and
sd_bus_get_n_queued_write — may be used to check the number of
pending bus messages.
* elogind gained a new
org.freedesktop.elogind1.Manager.AttachProcessesToUnit dbus call
which can be used to migrate foreign processes to scope and service
units. The primary user for this new API is elogind itself: the
elogind --user instance uses this call of the elogind --system
instance to migrate processes if it itself gets the request to
migrate processes and the kernel refuses this due to access
restrictions. Thanks to this "elogind-run --scope --user …" works
again in pure cgroups v2 environments when invoked from the user
session scope.
* A new TemporaryFileSystem= setting can be used to mask out part of
the real file system tree with tmpfs mounts. This may be combined
with BindPaths= and BindReadOnlyPaths= to hide files or directories
not relevant to the unit, while still allowing some paths lower in
the tree to be accessed.
ProtectHome=tmpfs may now be used to hide user home and runtime
directories from units, in a way that is mostly equivalent to
"TemporaryFileSystem=/home /run/user /root".
* Non-service units are now started with KeyringMode=shared by default.
This means that mount and swapon and other mount tools have access
to keys in the main keyring.
* /sys/fs/bpf is now mounted automatically.
* QNX virtualization is now detected by elogind-detect-virt and may
be used in ConditionVirtualization=.
* IPAccounting= may now be enabled also for slice units.
* A new -Dsplit-bin= build configuration switch may be used to specify
whether bin and sbin directories are merged, or if they should be
included separately in $PATH and various listings of executable
directories. The build configuration scripts will try to autodetect
the proper values of -Dsplit-usr= and -Dsplit-bin= based on build
system, but distributions are encouraged to configure this
* A new -Dok-color= build configuration switch may be used to change
the colour of "OK" status messages.
* UPGRADE ISSUE: serialization of units using JoinsNamespaceOf= with
PrivateNetwork=yes was buggy in previous versions of elogind. This
means that after the upgrade and daemon-reexec, any such units must
be restarted.
* INCOMPATIBILITY: as announced in the NEWS for 237, elogind-tmpfiles
will not exclude read-only files owned by root from cleanup.
Contributions from: Alan Jenkins, Alexander F Rødseth, Alexis Jeandet,
Andika Triwidada, Andrei Gherzan, Ansgar Burchardt, antizealot1337,
Batuhan Osman Taşkaya, Beniamino Galvani, Bill Yodlowsky, Caio Marcelo
de Oliveira Filho, CuBiC, Daniele Medri, Daniel Mouritzen, Daniel
Rusek, Davide Cavalca, Dimitri John Ledkov, Douglas Christman, Evgeny
Vereshchagin, Faalagorn, Filipe Brandenburger, Franck Bui, futpib,
Giacomo Longo, Gunnar Hjalmarsson, Hans de Goede, Hermann Gausterer,
Iago López Galeiras, Jakub Filak, Jan Synacek, Jason A. Donenfeld,
Javier Martinez Canillas, Jérémy Rosen, Lennart Poettering, Lucas
Werkmeister, Mao Huang, Marco Gulino, Michael Biebl, Michael Vogt,
MilhouseVH, Neal Gompa (ニール・ゴンパ), Oleander Reis, Olof Mogren,
Patrick Uiterwijk, Peter Hutterer, Peter Portante, Piotr Drąg, Robert
Antoni Buj Gelonch, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon
Fowler, SjonHortensius, snorreflorre, Susant Sahani, Sylvain
Plantefève, Thomas Blume, Thomas Haller, Vito Caputo, Yu Watanabe,
Zbigniew Jędrzejewski-Szmek, Марко М. Костић (Marko M. Kostić)
— Warsaw, 2018-03-05
* Some keyboards come with a zoom see-saw or rocker which until now got
mapped to the Linux "zoomin/out" keys in hwdb. However, these
keycodes are not recognized by any major desktop. They now produce
Up/Down key events so that they can be used for scrolling.
* INCOMPATIBILITY: elogind-tmpfiles' "f" lines changed behaviour
slightly: previously, if an argument was specified for lines of this
type (i.e. the right-most column was set) this string was appended to
existing files each time elogind-tmpfiles was run. This behaviour was
different from what the documentation said, and not particularly
useful, as repeated elogind-tmpfiles invocations would not be
idempotent and grow such files without bounds. With this release
behaviour has been altered slightly, to match what the documentation
says: lines of this type only have an effect if the indicated files
don't exist yet, and only then the argument string is written to the
* FUTURE INCOMPATIBILITY: In elogind v238 we intend to slightly change
elogind-tmpfiles behaviour: previously, read-only files owned by root
were always excluded from the file "aging" algorithm (i.e. the
automatic clean-up of directories like /tmp based on
atime/mtime/ctime). We intend to drop this restriction, and age files
by default even when owned by root and read-only. This behaviour was
inherited from older tools, but there have been requests to remove
it, and it's not obvious why this restriction was made in the first
place. Please speak up now, if you are aware of software that reqires
this behaviour, otherwise we'll remove the restriction in v238.
* A new environment variable $SYSTEMD_OFFLINE is now understood by
systemctl. It takes a boolean argument. If on, systemctl assumes it
operates on an "offline" OS tree, and will not attempt to talk to the
service manager. Previously, this mode was implicitly enabled if a
chroot() environment was detected, and this new environment variable
now provides explicit control.
* .path and .socket units may now be created transiently, too.
Previously only service, mount, automount and timer units were
supported as transient units. The elogind-run tool has been updated
to expose this new functionality, you may hence use it now to bind
arbitrary commands to path or socket activation on-the-fly from the
command line. Moreover, almost all properties are now exposed for the
unit types that already supported transient operation.
* The elogind-mount command gained support for a new --owner= parameter
which takes a user name, which is then resolved and included in uid=
and gid= mount options string of the file system to mount.
* A new unit condition ConditionControlGroupController= has been added
that checks whether a specific cgroup controller is available.
* Unit files, udev's .link files, and elogind-networkd's .netdev and
.network files all gained support for a new condition
ConditionKernelVersion= for checking against specific kernel
* In elogind-networkd, the [IPVLAN] section in .netdev files gained
support for configuring device flags in the Flags= setting. In the
same files, the [Tunnel] section gained support for configuring
AllowLocalRemote=. The [Route] section in .network files gained
support for configuring InitialCongestionWindow=,
InitialAdvertisedReceiveWindow= and QuickAck=. The [DHCP] section now
understands RapidCommit=.
* elogind-networkd's DHCPv6 support gained support for Prefix
* sd-bus gained support for a new "watch-bind" feature. When this
feature is enabled, an sd_bus connection may be set up to connect to
an AF_UNIX socket in the file system as soon as it is created. This
functionality is useful for writing early-boot services that
automatically connect to the system bus as soon as it is started,
without ugly time-based polling. elogind-networkd and
elogind-resolved have been updated to make use of this
functionality. busctl exposes this functionality in a new
--watch-bind= command line switch.
* sd-bus will now optionally synthesize a local "Connected" signal as
soon as a D-Bus connection is set up fully. This message mirrors the
already existing "Disconnected" signal which is synthesized when the
connection is terminated. This signal is generally useful but
particularly handy in combination with the "watch-bind" feature
described above. Synthesizing of this message has to be requested
explicitly through the new API call sd_bus_set_connected_signal(). In
addition a new call sd_bus_is_ready() has been added that checks
whether a connection is fully set up (i.e. between the "Connected" and
"Disconnected" signals).
* sd-bus gained two new calls sd_bus_request_name_async() and
sd_bus_release_name_async() for asynchronously registering bus
names. Similar, there is now sd_bus_add_match_async() for installing
a signal match asynchronously. All of elogind's own services have
been updated to make use of these calls. Doing these operations
asynchronously has two benefits: it reduces the risk of deadlocks in
case of cyclic dependencies between bus services, and it speeds up
service initialization since synchronization points for bus
round-trips are removed.
* sd-bus gained two new calls sd_bus_match_signal() and
sd_bus_match_signal_async(), which are similar to sd_bus_add_match()
and sd_bus_add_match_async() but instead of taking a D-Bus match
string take match fields as normal function parameters.
* sd-bus gained two new calls sd_bus_set_sender() and
sd_bus_message_set_sender() for setting the sender name of outgoing
messages (either for all outgoing messages or for just one specific
one). These calls are only useful in direct connections as on
brokered connections the broker fills in the sender anyway,
overwriting whatever the client filled in.
* sd-event gained a new pseudo-handle that may be specified on all API
calls where an "sd_event*" object is expected: SD_EVENT_DEFAULT. When
used this refers to the default event loop object of the calling
thread. Note however that this does not implicitly allocate one —
which has to be done prior by using sd_event_default(). Similarly
sd-bus gained three new pseudo-handles SD_BUS_DEFAULT,
SD_BUS_DEFAULT_USER, SD_BUS_DEFAULT_SYSTEM that may be used to refer
to the default bus of the specified type of the calling thread. Here
too this does not implicitly allocate bus connection objects, this
has to be done prior with sd_bus_default() and friends.
* sd-event gained a new call pair
sd_event_source_{get|set}_io_fd_own(). This may be used to request
automatic closure of the file descriptor an IO event source watches
when the event source is destroyed.
* elogind-networkd gained support for natively configuring WireGuard
* In previous versions elogind synthesized user records both for the
"nobody" (UID 65534) and "root" (UID 0) users in nss-elogind and
internally. In order to simplify distribution-wide renames of the
"nobody" user (like it is planned in Fedora: nfsnobody → nobody), a
new transitional flag file has been added: if
/etc/elogind/dont-synthesize-nobody exists synthesizing of the 65534
user and group record within the elogind codebase is disabled.
* elogind-notify gained a new --uid= option for selecting the source
user/UID to use for notification messages sent to the service
* journalctl gained a new --grep= option to list only entries in which
the message matches a certain pattern. By default matching is case
insensitive if the pattern is lowercase, and case sensitive
otherwise. Option --case-sensitive=yes|no can be used to override
this an specify case sensitivity or case insensitivity.
* There's now a "elogind-analyze service-watchdogs" command for printing
the current state of the service runtime watchdog, and optionally
enabling or disabling the per-service watchdogs system-wide if given a
boolean argument (i.e. the concept you configure in WatchdogSec=), for
debugging purposes. There's also a kernel command line option
elogind.service_watchdogs= for controlling the same.
* Two new "log-level" and "log-target" options for elogind-analyze were
added that merge the now deprecated get-log-level, set-log-level and
get-log-target, set-log-target pairs. The deprecated options are still
understood for backwards compatibility. The two new options print the
current value when no arguments are given, and set them when a
level/target is given as an argument.
* sysusers.d's "u" lines now optionally accept both a UID and a GID
specification, separated by a ":" character, in order to create users
where UID and GID do not match.
Contributions from: Adam Duskett, Alan Jenkins, Alexander Kuleshov,
Alexis Deruelle, Andrew Jeddeloh, Armin Widegreen, Batuhan Osman
Taşkaya, Björn Esser, bleep_blop, Bruce A. Johnson, Chris Down, Clinton
Roy, Colin Walters, Daniel Rusek, Dimitri John Ledkov, Dmitry Rozhkov,
Evgeny Vereshchagin, Ewout van Mansom, Felipe Sateler, Franck Bui,
Frantisek Sumsal, George Gaydarov, Gianluca Boiano, Hans-Christian
Noren Egtvedt, Hans de Goede, Henrik Grindal Bakken, Jan Alexander
Steffens, Jan Klötzke, Jason A. Donenfeld, jdkbx, Jérémy Rosen,
Jerónimo Borque, John Lin, John Paul Herold, Jonathan Rudenberg, Jörg
Thalheim, Ken (Bitsko) MacLeod, Larry Bernstone, Lennart Poettering,
Lucas Werkmeister, Maciej S. Szmigiero, Marek Čermák, Martin Pitt,
Mathieu Malaterre, Matthew Thode, Matthias-Christian Ott, Max Harmathy,
Michael Biebl, Michael Vogt, Michal Koutný, Michal Sekletar, Michał
Szczepański, Mike Gilbert, Nathaniel McCallum, Nicolas Chauvet, Olaf
Hering, Olivier Schwander, Patrik Flykt, Paul Cercueil, Peter Hutterer,
Piotr Drąg, Raphael Vogelgsang, Reverend Homer, Robert Kolchmeyer,
Samuel Dionne-Riel, Sergey Ptashnick, Shawn Landden, Susant Sahani,
Sylvain Plantefève, Thomas H. P. Andersen, Thomas Huth, Tomasz
Bachorski, Vladislav Vishnyakov, Wieland Hoffmann, Yu Watanabe, Zachary
Winnerman, Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски, Дилян
— Brno, 2018-01-28
* The modprobe.d/ drop-in for the bonding.ko kernel module introduced
in v235 has been extended to also set the dummy.ko module option
numdummies=0, preventing the kernel from automatically creating
dummy0. All dummy interfaces must now be explicitly created.
* Unknown '%' specifiers in configuration files are now rejected. This
applies to units and tmpfiles.d configuration. Any percent characters
that are followed by a letter or digit that are not supposed to be
interpreted as the beginning of a specifier should be escaped by
doubling ("%%"). (So "size=5%" is still accepted, as well as
"size=5%,foo=bar", but not "LABEL=x%y%z" since %y and %z are not
valid specifiers today.)
* systemd-resolved now maintains a new dynamic
/run/systemd/resolve/stub-resolv.conf compatibility file. It is
recommended to make /etc/resolv.conf a symlink to it. This file
points at the systemd-resolved stub DNS resolver and
includes dynamically acquired search domains, achieving more correct
DNS resolution by software that bypasses local DNS APIs such as NSS.
* The "uaccess" udev tag has been dropped from /dev/kvm and
/dev/dri/renderD*. These devices now have the 0666 permissions by
default (but this may be changed at build-time). /dev/dri/renderD*
will now be owned by the "render" group along with /dev/kfd.
* "DynamicUser=yes" has been enabled for systemd-timesyncd.service,
systemd-journal-gatewayd.service and
systemd-journal-upload.service. This means "nss-systemd" must be
enabled in /etc/nsswitch.conf to ensure the UIDs assigned to these
services are resolved properly.
* In /etc/fstab two new mount options are now understood:
x-systemd.makefs and x-systemd.growfs. The former has the effect that
the configured file system is formatted before it is mounted, the
latter that the file system is resized to the full block device size
after it is mounted (i.e. if the file system is smaller than the
partition it resides on, it's grown). This is similar to the fsck
logic in /etc/fstab, and pulls in systemd-makefs@.service and
systemd-growfs@.service as necessary, similar to
systemd-fsck@.service. Resizing is currently only supported on ext4
and btrfs.
* In systemd-networkd, the IPv6 RA logic now optionally may announce
DNS server and domain information.
* Support for the LUKS2 on-disk format for encrypted partitions has
been added. This requires libcryptsetup2 during compilation and
* The systemd --user instance will now signal "readiness" when its unit has been reached, instead of when the run queue ran
empty for the first time.
* Tmpfiles.d with user configuration are now also supported.
systemd-tmpfiles gained a new --user switch, and snippets placed in
~/.config/user-tmpfiles.d/ and corresponding directories will be
executed by systemd-tmpfiles --user running in the new
systemd-tmpfiles-setup.service and systemd-tmpfiles-clean.service
running in the user session.
* Unit files and tmpfiles.d snippets learnt three new % specifiers:
%S resolves to the top-level state directory (/var/lib for the system
instance, $XDG_CONFIG_HOME for the user instance), %C resolves to the
top-level cache directory (/var/cache for the system instance,
$XDG_CACHE_HOME for the user instance), %L resolves to the top-level
logs directory (/var/log for the system instance,
$XDG_CONFIG_HOME/log/ for the user instance). This matches the
existing %t specifier, that resolves to the top-level runtime
directory (/run for the system instance, and $XDG_RUNTIME_DIR for the
user instance).
* journalctl learnt a new parameter --output-fields= for limiting the
set of journal fields to output in verbose and JSON output modes.
* systemd-timesyncd's configuration file gained a new option
RootDistanceMaxSec= for setting the maximum root distance of servers
it'll use, as well as the new options PollIntervalMinSec= and
PollIntervalMaxSec= to tweak the minimum and maximum poll interval.
* bootctl gained a new command "list" for listing all available boot
menu items on systems that follow the boot loader specification.
* systemctl gained a new --dry-run switch that shows what would be done
instead of doing it, and is currently supported by the shutdown and
sleep verbs.
* ConditionSecurity= can now detect the TOMOYO security module.
* Unit file [Install] sections are now also respected in unit drop-in
files. This is intended to be used by drop-ins under /usr/lib/.
* systemd-firstboot may now also set the initial keyboard mapping.
* Udev "changed" events for devices which are exposed as systemd
.device units are now propagated to units specified in
ReloadPropagatedFrom= as reload requests.
* If a udev device has a SYSTEMD_WANTS= property containing a systemd
unit template name (i.e. a name in the form of 'foobar@.service',
without the instance component between the '@' and - the '.'), then
the escaped sysfs path of the device is automatically used as the
* SystemCallFilter= in unit files has been extended so that an "errno"
can be specified individually for each system call. Example:
* The cgroup delegation logic has been substantially updated. Delegate=
now optionally takes a list of controllers (instead of a boolean, as
before), which lists the controllers to delegate at least.
* The networkd DHCPv6 client now implements the FQDN option (RFC 4704).
* A new LogLevelMax= setting configures the maximum log level any
process of the service may log at (i.e. anything with a lesser
priority than what is specified is automatically dropped). A new
LogExtraFields= setting allows configuration of additional journal
fields to attach to all log records generated by any of the unit's
* New StandardInputData= and StandardInputText= settings along with the
new option StandardInput=data may be used to configure textual or
binary data that shall be passed to the executed service process via
standard input, encoded in-line in the unit file.
* StandardInput=, StandardOutput= and StandardError= may now be used to
connect stdin/stdout/stderr of executed processes directly with a
file or AF_UNIX socket in the file system, using the new "file:" option.
* A new unit file option CollectMode= has been added, that allows
tweaking the garbage collection logic for units. It may be used to
tell systemd to garbage collect units that have failed automatically
(normally it only GCs units that exited successfully). systemd-run
and systemd-mount expose this new functionality with a new -G option.
* "machinectl bind" may now be used to bind mount non-directories
(i.e. regularfiles, devices, fifos, sockets).
* systemd-analyze gained a new verb "calendar" for validating and
testing calendar time specifications to use for OnCalendar= in timer
units. Besides validating the expression it will calculate the next
time the specified expression would elapse.
* In addition to the pre-existing FailureAction= unit file setting
there's now SuccessAction=, for configuring a shutdown action to
execute when a unit completes successfully. This is useful in
particular inside containers that shall terminate after some workload
has been completed. Also, both options are now supported for all unit
types, not just services.
* networkds's IP rule support gained two new options
IncomingInterface= and OutgoingInterface= for configuring the incoming
and outgoing interfaces of configured rules. systemd-networkd also
gained support for "vxcan" network devices.
* networkd gained a new setting RequiredForOnline=, taking a
boolean. If set, systemd-wait-online will take it into consideration
when determining that the system is up, otherwise it will ignore the
interface for this purpose.
* The sd_notify() protocol gained support for a new operation: with
FDSTOREREMOVE=1 file descriptors may be removed from the per-service
store again, ahead of POLLHUP or POLLERR when they are removed
* A new document doc/ has been added to the source tree,
that documents the UID/GID range and assignment assumptions and
requirements of systemd.
* The watchdog device PID 1 will ping may now be configured through the
WatchdogDevice= configuration file setting, or by setting the
systemd.watchdog_service= kernel commandline option.
* systemd-resolved's gained support for registering DNS-SD services on
the local network using MulticastDNS. Services may either be
registered by dropping in a .dnssd file in /etc/systemd/dnssd/ (or
the same dir below /run, /usr/lib), or through its D-Bus API.
* The sd_notify() protocol can now with EXTEND_TIMEOUT_USEC=microsecond
extend the effective start, runtime, and stop time. The service must
continue to send EXTEND_TIMEOUT_USEC within the period specified to
prevent the service manager from making the service as timedout.
* elogind-resolved's DNSSEC support gained support for RFC 8080
(Ed25519 keys and signatures).
* The elogind-resolve command line tool gained a new set of options
--set-dns=, --set-domain=, --set-llmnr=, --set-mdns=, --set-dnssec=,
--set-nta= and --revert to configure per-interface DNS configuration
dynamically during runtime. It's useful for pushing DNS information
into elogind-resolved from DNS hook scripts that various interface
managing software supports (such as pppd).
* elogind-nspawn gained a new --network-namespace-path= command line
option, which may be used to make a container join an existing
network namespace, by specifying a path to a "netns" file.
Contributions from: Alan Jenkins, Alan Robertson, Alessandro Ghedini,
Andrew Jeddeloh, Antonio Rojas, Ari, asavah, bleep_blop, Carsten
Strotmann, Christian Brauner, Christian Hesse, Clinton Roy, Collin
Eggert, Cong Wang, Daniel Black, Daniel Lockyer, Daniel Rusek, Dimitri
John Ledkov, Dmitry Rozhkov, Dongsu Park, Edward A. James, Evgeny
Vereshchagin, Florian Klink, Franck Bui, Gwendal Grignou, Hans de
Goede, Harald Hoyer, Hristo Venev, Iago López Galeiras, Ikey Doherty,
Jakub Wilk, Jérémy Rosen, Jiahui Xie, John Lin, José Bollo, Josef
Andersson, juga0, Krzysztof Nowicki, Kyle Walker, Lars Karlitski, Lars
Kellogg-Stedman, Lauri Tirkkonen, Lennart Poettering, Lubomir Rintel,
Luca Bruno, Lucas Werkmeister, Lukáš Nykrýn, Lukáš Říha, Lukasz
Rubaszewski, Maciej S. Szmigiero, Mantas Mikulėnas, Marcus Folkesson,
Martin Steuer, Mathieu Trudel-Lapierre, Matija Skala,
Matthias-Christian Ott, Max Resch, Michael Biebl, Michael Vogt, Michal
Koutný, Michal Sekletar, Mike Gilbert, Muhammet Kara, Neil Brown, Olaf
Hering, Ondrej Kozina, Patrik Flykt, Patryk Kocielnik, Peter Hutterer,
Piotr Drąg, Razvan Cojocaru, Robin McCorkell, Roland Hieber, Saran
Tunyasuvunakool, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon
Arlott, Simon Peeters, Stanislav Angelovič, Stefan Agner, Susant
Sahani, Sylvain Plantefève, Thomas Blume, Thomas Haller, Tiago Salem
Herrmann, Tinu Weber, Tom Stellard, Topi Miettinen, Torsten Hilbrich,
Vito Caputo, Vladislav Vishnyakov, WaLyong Cho, Yu Watanabe, Zbigniew
Jędrzejewski-Szmek, Zeal Jagannatha
— Berlin, 2017-12-14
* INCOMPATIBILITY: systemd-logind.service and other long-running
services now run inside an IPv4/IPv6 sandbox, prohibiting them any IP
communication with the outside. This generally improves security of
the system, and is in almost all cases a safe and good choice, as
these services do not and should not provide any network-facing
functionality. However, systemd-logind uses the glibc NSS API to
query the user database. This creates problems on systems where NSS
is set up to directly consult network services for user database
lookups. In particular, this creates incompatibilities with the
"nss-nis" module, which attempts to directly contact the NIS/YP
network servers it is configured for, and will now consistently
fail. In such cases, it is possible to turn off IP sandboxing for
systemd-logind.service (set IPAddressDeny= in its [Service] section
to the empty string, via a .d/ unit file drop-in). Downstream
distributions might want to update their nss-nis packaging to include
such a drop-in snippet, accordingly, to hide this incompatibility
from the user. Another option is to make use of glibc's nscd service
to proxy such network requests through a privilege-separated, minimal
local caching daemon, or to switch to more modern technologies such
sssd, whose NSS hook-ups generally do not involve direct network
access. In general, we think it's definitely time to question the
implementation choices of nss-nis, i.e. whether it's a good idea
today to embed a network-facing loadable module into all local
processes that need to query the user database, including the most
trivial and benign ones, such as "ls". For more details about
IPAddressDeny= see below.
* A new modprobe.d drop-in is now shipped by default that sets the
bonding module option max_bonds=0. This overrides the kernel default,
to avoid conflicts and ambiguity as to whether or not bond0 should be
managed by systemd-networkd or not. This resolves multiple issues
with bond0 properties not being applied, when bond0 is configured
with systemd-networkd. Distributors may choose to not package this,
however in that case users will be prevented from correctly managing
bond0 interface using systemd-networkd.
* systemd-analyze gained new verbs "get-log-level" and "get-log-target"
which print the logging level and target of the system manager. They
complement the existing "set-log-level" and "set-log-target" verbs
used to change those values.
* journald.conf gained a new boolean setting ReadKMsg= which defaults
to on. If turned off kernel log messages will not be read by
systemd-journald or included in the logs. It also gained a new
setting LineMax= for configuring the maximum line length in
STDOUT/STDERR log streams. The new default for this value is 48K, up
from the previous hardcoded 2048.
* A new unit setting RuntimeDirectoryPreserve= has been added, which
allows more detailed control of what to do with a runtime directory
configured with RuntimeDirectory= (i.e. a directory below /run or
$XDG_RUNTIME_DIR) after a unit is stopped.
* The RuntimeDirectory= setting for units gained support for creating
deeper subdirectories below /run or $XDG_RUNTIME_DIR, instead of just
one top-level directory.
* Units gained new options StateDirectory=, CacheDirectory=,
LogsDirectory= and ConfigurationDirectory= which are closely related
to RuntimeDirectory= but manage per-service directories below
/var/lib, /var/cache, /var/log and /etc. By making use of them it is
possible to write unit files which when activated automatically gain
properly owned service specific directories in these locations, thus
making unit files self-contained and increasing compatibility with
stateless systems and factory reset where /etc or /var are
unpopulated at boot. Matching these new settings there's also
StateDirectoryMode=, CacheDirectoryMode=, LogsDirectoryMode=,
ConfigurationDirectoryMode= for configuring the access mode of these
directories. These settings are particularly useful in combination
with DynamicUser=yes as they provide secure, properly-owned,
writable, and stateful locations for storage, excluded from the
sandbox that such services live in otherwise.
* Automake support has been removed from this release. systemd is now
* systemd-journald will now aggressively cache client metadata during
runtime, speeding up log write performance under pressure. This comes
at a small price though: as much of the metadata is read
asynchronously from /proc/ (and isn't implicitly attached to log
datagrams by the kernel, like UID/GID/PID/SELinux are) this means the
metadata stored alongside a log entry might be slightly
out-of-date. Previously it could only be slightly newer than the log
message. The time window is small however, and given that the kernel
is unlikely to be improved anytime soon in this regard, this appears
acceptable to us.
* nss-myhostname/systemd-resolved will now by default synthesize an
A/AAAA resource record for the "_gateway" hostname, pointing to the
current default IP gateway. Previously it did that for the "gateway"
name, hampering adoption, as some distributions wanted to leave that
host name open for local use. The old behaviour may still be
requested at build time.
* systemd-networkd's [Address] section in .network files gained a new
Scope= setting for configuring the IP address scope. The [Network]
section gained a new boolean setting ConfigureWithoutCarrier= that
tells systemd-networkd to ignore link sensing when configuring the
device. The [DHCP] section gained a new Anonymize= boolean option for
turning on a number of options suggested in RFC 7844. A new
[RoutingPolicyRule] section has been added for configuring the IP
routing policy. The [Route] section has gained support for a new
Type= setting which permits configuring
blackhole/unreachable/prohibit routes.
* The [VRF] section in .netdev files gained a new Table= setting for
configuring the routing table to use. The [Tunnel] section gained a
new Independent= boolean field for configuring tunnels independent of
an underlying network interface. The [Bridge] section gained a new
GroupForwardMask= option for configuration of propagation of link
local frames between bridge ports.
* The WakeOnLan= setting in .link files gained support for a number of
new modes. A new TCP6SegmentationOffload= setting has been added for
configuring TCP/IPv6 hardware segmentation offload.
* The IPv6 RA sender implementation may now optionally send out RDNSS
and RDNSSL records to supply DNS configuration to peers.
* systemd-nspawn gained support for a new --system-call-filter= command
line option for adding and removing entries in the default system
call filter it applies. Moreover systemd-nspawn has been changed to
implement a system call whitelist instead of a blacklist.
* systemd-run gained support for a new --pipe command line option. If
used the STDIN/STDOUT/STDERR file descriptors passed to systemd-run
are directly passed on to the activated transient service
executable. This allows invoking arbitrary processes as systemd
services (for example to take benefit of dependency management,
accounting management, resource management or log management that is
done automatically for services) — while still allowing them to be
integrated in a classic UNIX shell pipeline.
* When a service sends RELOAD=1 via sd_notify() and reload propagation
using ReloadPropagationTo= is configured, a reload is now propagated
to configured units. (Previously this was only done on explicitly
requested reloads, using "systemctl reload" or an equivalent
* For each service unit a restart counter is now kept: it is increased
each time the service is restarted due to Restart=, and may be
queried using "systemctl show -p NRestarts …".
* New system call filter groups @aio, @sync, @chown, @setuid, @memlock,
@signal and @timer have been added, for usage with SystemCallFilter=
in unit files and the new --system-call-filter= command line option
of systemd-nspawn (see above).
* ExecStart= lines in unit files gained two new modifiers: when a
command line is prefixed with "!" the command will be executed as
configured, except for the credentials applied by
setuid()/setgid()/setgroups(). It is very similar to the pre-existing
"+", but does still apply namespacing options unlike "+". There's
also "!!" now, which is mostly identical, but becomes a NOP on
systems that support ambient capabilities. This is useful to write
unit files that work with ambient capabilities where possible but
automatically fall back to traditional privilege dropping mechanisms
on systems where this is not supported.
* ListenNetlink= settings in socket units now support RDMA netlink
* A new unit file setting LockPersonality= has been added which permits
locking down the chosen execution domain ("personality") of a service
during runtime.
* A new special target "" has been added, which is
ordered before all text logins, and may be used to order services
before textual logins acquire access to the console.
* systemd will now attempt to load the virtio-rng.ko kernel module very
early on if a VM environment supporting this is detected. This should
improve entropy during early boot in virtualized environments.
* A _netdev option is now supported in /etc/crypttab that operates in a
similar way as the same option in /etc/fstab: it permits configuring
encrypted devices that need to be ordered after the network is up.
Following this logic, two new special targets and have been
added that are to what and are to
* Service units gained a new UnsetEnvironment= setting which permits
unsetting specific environment variables for services that are
normally passed to it (for example in order to mask out locale
settings for specific services that can't deal with it).
* Units acquired a new boolean option IPAccounting=. When turned on, IP
traffic accounting (packet count as well as byte count) is done for
the service, and shown as part of "systemctl status" or "systemd-run
* Service units acquired two new options IPAddressAllow= and
IPAddressDeny=, taking a list of IPv4 or IPv6 addresses and masks,
for configuring a simple IP access control list for all sockets of
the unit. These options are available also on .slice and .socket
units, permitting flexible access list configuration for individual
services as well as groups of services (as defined by a slice unit),
including system-wide. Note that IP ACLs configured this way are
enforced on every single IPv4 and IPv6 socket created by any process
of the service unit, and apply to ingress as well as egress traffic.
* If CPUAccounting= or IPAccounting= is turned on for a unit a new
structured log message is generated each time the unit is stopped,
containing information about the consumed resources of this
* A new setting KeyringMode= has been added to unit files, which may be
used to control how the kernel keyring is set up for executed
* "systemctl poweroff", "systemctl reboot", "systemctl halt",
"systemctl kexec" and "systemctl exit" are now always asynchronous in
behaviour (that is: these commands return immediately after the
operation was enqueued instead of waiting for the operation to
complete). Previously, "systemctl poweroff" and "systemctl reboot"
were asynchronous on systems using systemd-logind (i.e. almost
always, and like they were on sysvinit), and the other three commands
were unconditionally synchronous. With this release this is cleaned
up, and callers will see the same asynchronous behaviour on all
systems for all five operations.
* systemd-logind gained new Halt() and CanHalt() bus calls for halting
the system.
* .timer units now accept calendar specifications in other timezones
than UTC or the local timezone.
* The tmpfiles snippet var.conf has been changed to create
/var/log/btmp with access mode 0660 instead of 0600. It was owned by
the "utmp" group already, and it appears to be generally understood
that members of "utmp" can modify/flush the utmp/wtmp/lastlog/btmp
databases. Previously this was implemented correctly for all these
databases excepts btmp, which has been opened up like this now
too. Note that while the other databases are world-readable
(i.e. 0644), btmp is not and remains more restrictive.
* The systemd-resolve tool gained a new --reset-server-features
switch. When invoked like this systemd-resolved will forget
everything it learnt about the features supported by the configured
upstream DNS servers, and restarts the feature probing logic on the
next resolver look-up for them at the highest feature level
* The status dump systemd-resolved sends to the logs upon receiving
SIGUSR1 now also includes information about all DNS servers it is
configured to use, and the features levels it probed for them.
Contributions from: Abdó Roig-Maranges, Alan Jenkins, Alexander
Kuleshov, Andreas Rammhold, Andrew Jeddeloh, Andrew Soutar, Ansgar
Burchardt, Beniamino Galvani, Benjamin Berg, Benjamin Robin, Charles
Huber, Christian Hesse, Daniel Berrange, Daniel Kahn Gillmor, Daniel
Mack, Daniel Rusek, Daniel Șerbănescu, Davide Cavalca, Dimitri John
Ledkov, Diogo Pereira, Djalal Harouni, Dmitriy Geels, Dmitry Torokhov,
ettavolt, Evgeny Vereshchagin, Fabio Kung, Felipe Sateler, Franck Bui,
Hans de Goede, Harald Hoyer, Insun Pyo, Ivan Kurnosov, Ivan Shapovalov,
Jakub Wilk, Jan Synacek, Jason Gunthorpe, Jeremy Bicha, Jérémy Rosen,
John Lin, jonasBoss, Jonathan Lebon, Jonathan Teh, Jon Ringle, Jörg
Thalheim, Jouke Witteveen, juga0, Justin Capella, Justin Michaud,
Kai-Heng Feng, Lennart Poettering, Lion Yang, Luca Bruno, Lucas
Werkmeister, Lukáš Nykrýn, Marcel Hollerbach, Marcus Lundblad, Martin
Pitt, Michael Biebl, Michael Grzeschik, Michal Sekletar, Mike Gilbert,
Neil Brown, Nicolas Iooss, Patrik Flykt, pEJipE, Piotr Drąg, Russell
Stuart, S. Fan, Shengyao Xue, Stefan Pietsch, Susant Sahani, Tejun Heo,
Thomas Miller, Thomas Sailer, Tobias Hunger, Tomasz Pala, Tom
Gundersen, Tommi Rantala, Topi Miettinen, Torstein Husebø, userwithuid,
Vasilis Liaskovitis, Vito Caputo, WaLyong Cho, William Douglas, Xiang
Fan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek
— Berlin, 2017-10-06
* Meson is now supported as build system in addition to Automake. It is
our plan to remove Automake in one of our next releases, so that
Meson becomes our exclusive build system. Hence, please start using
the Meson build system in your downstream packaging. There's plenty
of documentation around how to use Meson, the extremely brief
./ && ./configure && make && sudo make install
meson build && ninja -C build && sudo ninja -C build install
* Unit files gained support for a new JobRunningTimeoutUSec= setting,
which permits configuring a timeout on the time a job is
running. This is particularly useful for setting timeouts on jobs for
.device units.
* Unit files gained two new options ConditionUser= and ConditionGroup=
for conditionalizing units based on the identity of the user/group
running a systemd user instance.
* systemd-networkd now understands a new FlowLabel= setting in the
[VXLAN] section of .network files, as well as a Priority= in
[Bridge], GVRP= + MVRP= + LooseBinding= + ReorderHeader= in [VLAN]
and GatewayOnlink= + IPv6Preference= + Protocol= in [Route]. It also
gained support for configuration of GENEVE links, and IPv6 address
labels. The [Network] section gained the new IPv6ProxyNDP= setting.
* .link files now understand a new Port= setting.
* systemd-networkd's DHCP support gained support for DHCP option 119
(domain search list).
* systemd-networkd gained support for serving IPv6 address ranges using
the Router Advertisement protocol. The new .network configuration
section [IPv6Prefix] may be used to configure the ranges to
serve. This is implemented based on a new, minimal, native server
implementation of RA.
* journalctl's --output= switch gained support for a new parameter
"short-iso-precise" for a mode where timestamps are shown as precise
ISO date values.
* systemd-udevd's "net_id" builtin may now generate stable network
interface names from IBM PowerVM VIO devices as well as ACPI platform
* MulticastDNS support in systemd-resolved may now be explicitly
enabled/disabled using the new MulticastDNS= configuration file
* systemd-resolved may now optionally use libidn2 instead of the libidn
for processing internationalized domain names. Support for libidn2
should be considered experimental and should not be enabled by
default yet.
* "machinectl pull-tar" and related call may now do verification of
downloaded images using SUSE-style .sha256 checksum files in addition
to the already existing support for validating using Ubuntu-style
SHA256SUMS files.
* sd-bus gained support for a new sd_bus_message_appendv() call which
is va_list equivalent of sd_bus_message_append().
* sd-boot gained support for validating images using SHIM/MOK.
* The SMACK code learnt support for "onlycap".
* systemd-mount --umount is now much smarter in figuring out how to
properly unmount a device given its mount or device path.
* The code to call libnss_dns as a fallback from libnss_resolve when
the communication with systemd-resolved fails was removed. This
fallback was redundant and interfered with the [!UNAVAIL=return]
suffix. See nss-resolve(8) for the recommended configuration.
* systemd-logind may now be restarted without losing state. It stores
the file descriptors for devices it manages in the system manager
using the FDSTORE= mechanism. Please note that further changes in
other components may be required to make use of this (for example
Xorg has code to listen for stops of systemd-logind and terminate
itself when logind is stopped or restarted, in order to avoid using
stale file descriptors for graphical devices, which is now
counterproductive and must be reverted in order for restarts of
systemd-logind to be safe. See
* All kernel install plugins are called with the environment variable
KERNEL_INSTALL_MACHINE_ID which is set to the machine ID given by
/etc/machine-id. If the file is missing or empty, the variable is
empty and BOOT_DIR_ABS is the path of a temporary directory which is
removed after all the plugins exit. So, if KERNEL_INSTALL_MACHINE_ID
is empty, all plugins should not put anything in BOOT_DIR_ABS.
Contributions from: Adrian Heine né Lang, Aggelos Avgerinos, Alexander
Kurtz, Alexandros Frantzis, Alexey Brodkin, Alex Lu, Amir Pakdel, Amir
Yalon, Anchor Cat, Anthony Parsons, Bastien Nocera, Benjamin Gilbert,
Benjamin Robin, Boucman, Charles Plessy, Chris Chiu, Chris Lamb,
Christian Brauner, Christian Hesse, Colin Walters, Daniel Drake,
Danielle Church, Daniel Molkentin, Daniel Rusek, Daniel Wang, Davide
Cavalca, David Herrmann, David Michael, Dax Kelson, Dimitri John
Ledkov, Djalal Harouni, Dušan Kazik, Elias Probst, Evgeny Vereshchagin,
Federico Di Pierro, Felipe Sateler, Felix Zhang, Franck Bui, Gary
Tierney, George McCollister, Giedrius Statkevičius, Hans de Goede,
hecke, Hendrik Westerberg, Hristo Venev, Ian Wienand, Insun Pyo, Ivan
Shapovalov, James Cowgill, James Hemsing, Janne Heß, Jan Synacek, Jason
Reeder, João Paulo Rechi Vita, John Paul Adrian Glaubitz, Jörg
Thalheim, Josef Andersson, Josef Gajdusek, Julian Mehne, Kai Krakow,
Krzysztof Jackiewicz, Lars Karlitski, Lennart Poettering, Lluís Gili,
Lucas Werkmeister, Lukáš Nykrýn, Łukasz Stelmach, Mantas Mikulėnas,
Marcin Bachry, Marcus Cooper, Mark Stosberg, Martin Pitt, Matija Skala,
Matt Clarkson, Matthew Garrett, Matthias Greiner, Matthijs van Duin,
Max Resch, Michael Biebl, Michal Koutný, Michal Sekletar, Michal
Soltys, Michal Suchanek, Mike Gilbert, Nate Clark, Nathaniel R. Lewis,
Neil Brown, Nikolai Kondrashov, Pascal S. de Kloe, Pat Riehecky, Patrik
Flykt, Paul Kocialkowski, Peter Hutterer, Philip Withnall, Piotr
Szydełko, Rafael Fontenelle, Ray Strode, Richard Maw, Roelf Wichertjes,
Ronny Chevalier, Sarang S. Dalal, Sjoerd Simons, slodki, Stefan
Schweter, Susant Sahani, Ted Wood, Thomas Blume, Thomas Haller, Thomas
H. P. Andersen, Timothée Ravier, Tobias Jungel, Tobias Stoeckmann, Tom
Gundersen, Tom Yan, Torstein Husebø, Umut Tezduyar Lindskog,
userwithuid, Vito Caputo, Waldemar Brodkorb, WaLyong Cho, Yu, Li-Yu,
Yusuke Nojima, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Дамјан
— Berlin, 2017-07-12
* The "hybrid" control group mode has been modified to improve
compatibility with "legacy" cgroups-v1 setups. Specifically, the
"hybrid" setup of /sys/fs/cgroup is now pretty much identical to
"legacy" (including /sys/fs/cgroup/systemd as "name=systemd" named
cgroups-v1 hierarchy), the only externally visible change being that
the cgroups-v2 hierarchy is also mounted, to
/sys/fs/cgroup/unified. This should provide a large degree of
compatibility with "legacy" cgroups-v1, while taking benefit of the
better management capabilities of cgroups-v2.
* The default control group setup mode may be selected both a boot-time
via a set of kernel command line parameters (specifically:
systemd.unified_cgroup_hierarchy= and
systemd.legacy_systemd_cgroup_controller=), as well as a compile-time
default selected on the configure command line
(--with-default-hierarchy=). The upstream default is "hybrid"
(i.e. the cgroups-v1 + cgroups-v2 mixture discussed above) now, but
this will change in a future systemd version to be "unified" (pure
cgroups-v2 mode). The third option for the compile time option is
"legacy", to enter pure cgroups-v1 mode. We recommend downstream
distributions to default to "hybrid" mode for release distributions,
starting with v233. We recommend "unified" for development
distributions (specifically: distributions such as Fedora's rawhide)
as that's where things are headed in the long run. Use "legacy" for
greatest stability and compatibility only.
* Note one current limitation of "unified" and "hybrid" control group
setup modes: the kernel currently does not permit the systemd --user
instance (i.e. unprivileged code) to migrate processes between two
disconnected cgroup subtrees, even if both are managed and owned by
the user. This effectively means "systemd-run --user --scope" doesn't
work when invoked from outside of any "systemd --user" service or
scope. Specifically, it is not supported from session scopes. We are
working on fixing this in a future systemd version. (See #3388 for
further details about this.)
* DBus policy files are now installed into /usr rather than /etc. Make
sure your system has dbus >= 1.9.18 running before upgrading to this
version, or override the install path with --with-dbuspolicydir= .
* All python scripts shipped with systemd (specifically: the various
tests written in Python) now require Python 3.
* systemd unit tests can now run standalone (without the source or
build directories), and can be installed into /usr/lib/systemd/tests/
with 'make install-tests'.
* Note that from this version on, CONFIG_CRYPTO_USER_API_HASH,
CONFIG_CRYPTO_HMAC and CONFIG_CRYPTO_SHA256 need to be enabled in the
* Support for the %c, %r, %R specifiers in unit files has been
removed. Specifiers are not supposed to be dependent on configuration
in the unit file itself (so that they resolve the same regardless
where used in the unit files), but these specifiers were influenced
by the Slice= option.
* The shell invoked by debug-shell.service now defaults to /bin/sh in
all cases. If distributions want to use a different shell for this
purpose (for example Fedora's /sbin/sushell) they need to specify
this explicitly at configure time using --with-debug-shell=.
* The confirmation spawn prompt has been reworked to offer the
following choices:
(c)ontinue, proceed without asking anymore
(D)ump, show the state of the unit
(f)ail, don't execute the command and pretend it failed
(i)nfo, show a short summary of the unit
(j)obs, show jobs that are in progress
(s)kip, don't execute the command and pretend it succeeded
(y)es, execute the command
The 'n' choice for the confirmation spawn prompt has been removed,
because its meaning was confusing.
The prompt may now also be redirected to an alternative console by
specifying the console as parameter to systemd.confirm_spawn=.
* Services of Type=notify require a READY=1 notification to be sent
during startup. If no such message is sent, the service now fails,
even if the main process exited with a successful exit code.
* Services that fail to start up correctly now always have their
ExecStopPost= commands executed. Previously, they'd enter "failed"
state directly, without executing these commands.
* The option MulticastDNS= of network configuration files has acquired
an actual implementation. With MulticastDNS=yes a host can resolve
names of remote hosts and reply to mDNS A and AAAA requests.
* When units are about to be started an additional check is now done to
ensure that all dependencies of type BindsTo= (when used in
combination with After=) have been started.
* systemd-analyze gained a new verb "syscall-filter" which shows which
system call groups are defined for the SystemCallFilter= unit file
setting, and which system calls they contain.
* A new system call filter group "@filesystem" has been added,
consisting of various file system related system calls. Group
"@reboot" has been added, covering reboot, kexec and shutdown related
calls. Finally, group "@swap" has been added covering swap
configuration related calls.
* A new unit file option RestrictNamespaces= has been added that may be
used to restrict access to the various process namespace types the
Linux kernel provides. Specifically, it may be used to take away the
right for a service unit to create additional file system, network,
user, and other namespaces. This sandboxing option is particularly
relevant due to the high amount of recently discovered namespacing
related vulnerabilities in the kernel.
* systemd-udev's .link files gained support for a new AutoNegotiation=
setting for configuring Ethernet auto-negotiation.
* systemd-networkd's .network files gained support for a new
ListenPort= setting in the [DHCP] section to explicitly configure the
UDP client port the DHCP client shall listen on.
* .network files gained a new Unmanaged= boolean setting for explicitly
excluding one or more interfaces from management by systemd-networkd.
* The systemd-networkd ProxyARP= option has been renamed to
IPV4ProxyARP=. Similarly, VXLAN-specific option ARPProxy= has been
renamed to ReduceARPProxy=. The old names continue to be available
for compatibility.
* systemd-networkd gained support for configuring IPv6 Proxy NDP
addresses via the new IPv6ProxyNDPAddress= .network file setting.
* systemd-networkd's bonding device support gained support for two new
configuration options ActiveSlave= and PrimarySlave=.
* The various options in the [Match] section of .network files gained
support for negative matching.
* New systemd-specific mount options are now understood in /etc/fstab:
x-systemd.mount-timeout= may be used to configure the maximum
permitted runtime of the mount command.
x-systemd.device-bound may be set to bind a mount point to its
backing device unit, in order to automatically remove a mount point
if its backing device is unplugged. This option may also be
configured through the new SYSTEMD_MOUNT_DEVICE_BOUND udev property
on the block device, which is now automatically set for all CDROM
drives, so that mounted CDs are automatically unmounted when they are
removed from the drive.
x-systemd.after= and x-systemd.before= may be used to explicitly
order a mount after or before another unit or mount point.
* Enqueued start jobs for device units are now automatically garbage
collected if there are no jobs waiting for them anymore.
* systemctl list-jobs gained two new switches: with --after, for every
queued job the jobs it's waiting for are shown; with --before the
jobs which it's blocking are shown.
* systemd-nspawn gained support for ephemeral boots from disk images
(or in other words: --ephemeral and --image= may now be
combined). Moreover, ephemeral boots are now supported for normal
directories, even if the backing file system is not btrfs. Of course,
if the file system does not support file system snapshots or
reflinks, the initial copy operation will be relatively expensive, but
this should still be suitable for many use cases.
* Calendar time specifications in .timer units now support
specifications relative to the end of a month by using "~" instead of
"-" as separator between month and day. For example, "*-02~03" means
"the third last day in February". In addition a new syntax for
repeated events has been added using the "/" character. For example,
"9..17/2:00" means "every two hours from 9am to 5pm".
* systemd-socket-proxyd gained a new parameter --connections-max= for
configuring the maximum number of concurrent connections.
* sd-id128 gained a new API for generating unique IDs for the host in a
way that does not leak the machine ID. Specifically,
sd_id128_get_machine_app_specific() derives an ID based on the
machine ID a in well-defined, non-reversible, stable way. This is
useful whenever an identifier for the host is needed but where the
identifier shall not be useful to identify the system beyond the
scope of the application itself. (Internally this uses HMAC-SHA256 as
keyed hash function using the machine ID as input.)
* NotifyAccess= gained a new supported value "exec". When set
notifications are accepted from all processes systemd itself invoked,
including all control processes.
* .nspawn files gained support for defining overlay mounts using the
Overlay= and OverlayReadOnly= options. Previously this functionality
was only available on the systemd-nspawn command line.
* systemd-nspawn's --bind= and --overlay= options gained support for
bind/overlay mounts whose source lies within the container tree by
prefixing the source path with "+".
* systemd-nspawn's --bind= and --overlay= options gained support for
automatically allocating a temporary source directory in /var/tmp
that is removed when the container dies. Specifically, if the source
directory is specified as empty string this mechanism is selected. An
example usage is --overlay=+/var::/var, which creates an overlay
mount based on the original /var contained in the image, overlayed
with a temporary directory in the host's /var/tmp. This way changes
to /var are automatically flushed when the container shuts down.
* systemd-nspawn --image= option does now permit raw file system block
devices (in addition to images containing partition tables, as
* The disk image dissection logic in systemd-nspawn gained support for
automatically setting up LUKS encrypted as well as Verity protected
partitions. When a container is booted from an encrypted image the
passphrase is queried at start-up time. When a container with Verity
data is started, the root hash is search in a ".roothash" file
accompanying the disk image (alternatively, pass the root hash via
the new --root-hash= command line option).
* A new tool /usr/lib/systemd/systemd-dissect has been added that may
be used to dissect disk images the same way as systemd-nspawn does
it, following the Bootable Partition Specification. It may even be
used to mount disk images with complex partition setups (including
LUKS and Verity partitions) to a local host directory, in order to
inspect them. This tool is not considered public API (yet), and is
thus not installed into /usr/bin. Please do not rely on its
existence, since it might go away or be changed in later systemd
* A new generator "systemd-verity-generator" has been added, similar in
style to "systemd-cryptsetup-generator", permitting automatic setup of
Verity root partitions when systemd boots up. In order to make use of
this your partition setup should follow the Discoverable Partitions
Specification, and the GPT partition ID of the root file system
partition should be identical to the upper 128bit of the Verity root
hash. The GPT partition ID of the Verity partition protecting it
should be the lower 128bit of the Verity root hash. If the partition
image follows this model it is sufficient to specify a single
"roothash=" kernel command line argument to both configure which root
image and verity partition to use as well as the root hash for
it. Note that systemd-nspawn's Verity support follows the same
semantics, meaning that disk images with proper Verity data in place
may be booted in containers with systemd-nspawn as well as on
physical systems via the verity generator. Also note that the "mkosi"
tool available at has been updated
to generate Verity protected disk images following this scheme. In
fact, it has been updated to generate disk images that optionally
implement a complete UEFI SecureBoot trust chain, involving a signed
kernel and initrd image that incorporates such a root hash as well as
a Verity-enabled root partition.
* The hardware database (hwdb) udev supports has been updated to carry
accelerometer quirks.
* All system services are now run with a fresh kernel keyring set up
for them. The invocation ID is stored by default in it, thus
providing a safe, non-overridable way to determine the invocation
ID of each service.
* Service unit files gained new BindPaths= and BindReadOnlyPaths=
options for bind mounting arbitrary paths in a service-specific
way. When these options are used, arbitrary host or service files and
directories may be mounted to arbitrary locations in the service's
* Documentation has been added that lists all of systemd's low-level
environment variables:
* sd-daemon gained a new API sd_is_socket_sockaddr() for determining
whether a specific socket file descriptor matches a specified socket
* systemd-firstboot has been updated to check for the
systemd.firstboot= kernel command line option. It accepts a boolean
and when set to false the first boot questions are skipped.
* systemd-fstab-generator has been updated to check for the
systemd.volatile= kernel command line option, which either takes an
optional boolean parameter or the special value "state". If used the
system may be booted in a "volatile" boot mode. Specifically,
"systemd.volatile" is used, the root directory will be mounted as
tmpfs, and only /usr is mounted from the actual root file system. If
"systemd.volatile=state" is used, the root directory will be mounted
as usual, but /var is mounted as tmpfs. This concept provides similar
functionality as systemd-nspawn's --volatile= option, but provides it
on physical boots. Use this option for implementing stateless
systems, or testing systems with all state and/or configuration reset
to the defaults. (Note though that many distributions are not
prepared to boot up without a populated /etc or /var, though.)
* systemd-gpt-auto-generator gained support for LUKS encrypted root
partitions. Previously it only supported LUKS encrypted partitions
for all other uses, except for the root partition itself.
* Socket units gained support for listening on AF_VSOCK sockets for
communication in virtualized QEMU environments.
* The "configure" script gained a new option --with-fallback-hostname=
for specifying the fallback hostname to use if none is configured in
/etc/hostname. For example, by specifying
--with-fallback-hostname=fedora it is possible to default to a
hostname of "fedora" on pristine installations.
* systemd-cgls gained support for a new --unit= switch for listing only
the control groups of a specific unit. Similar --user-unit= has been
added for listing only the control groups of a specific user unit.
* systemd-mount gained a new --umount switch for unmounting a mount or
automount point (and all mount/automount points below it).
* systemd will now refuse full configuration reloads (via systemctl
daemon-reload and related calls) unless at least 16MiB of free space
are available in /run. This is a safety precaution in order to ensure
that generators can safely operate after the reload completed.
* A new unit file option RootImage= has been added, which has a similar
effect as RootDirectory= but mounts the service's root directory from
a disk image instead of plain directory. This logic reuses the same
image dissection and mount logic that systemd-nspawn already uses,
and hence supports any disk images systemd-nspawn supports, including
those following the Discoverable Partition Specification, as well as
Verity enabled images. This option enables systemd to run system
services directly off disk images acting as resource bundles,
possibly even including full integrity data.
* A new MountAPIVFS= unit file option has been added, taking a boolean
argument. If enabled /proc, /sys and /dev (collectively called the
"API VFS") will be mounted for the service. This is only relevant if
RootDirectory= or RootImage= is used for the service, as these mounts
are of course in place in the host mount namespace anyway.
* systemd-nspawn gained support for a new --pivot-root= switch. If
specified the root directory within the container image is pivoted to
the specified mount point, while the original root disk is moved to a
different place. This option enables booting of ostree images
directly with systemd-nspawn.
* The systemd build scripts will no longer complain if the NTP server
addresses are not changed from the defaults. Google now supports
these NTP servers officially. We still recommend downstreams to
properly register an NTP pool with the NTP pool project though.
* coredumpctl gained a new "--reverse" option for printing the list
of coredumps in reverse order.
* coredumpctl will now show additional information about truncated and
inaccessible coredumps, as well as coredumps that are still being
processed. It also gained a new --quiet switch for suppressing
additional informational message in its output.
* coredumpctl gained support for only showing coredumps newer and/or
older than specific timestamps, using the new --since= and --until=
options, reminiscent of journalctl's options by the same name.
* The systemd-coredump logic has been improved so that it may be reused
to collect backtraces in non-compiled languages, for example in
scripting languages such as Python.
* machinectl will now show the UID shift of local containers, if user
namespacing is enabled for them.
* systemd will now optionally run "environment generator" binaries at
configuration load time. They may be used to add environment
variables to the environment block passed to services invoked. One
user environment generator is shipped by default that sets up
environment variables based on files dropped into /etc/environment.d
and ~/.config/environment.d/.
* systemd-resolved now includes the new, recently published 2017 DNSSEC
root key (KSK).
* hostnamed has been updated to report a new chassis type of
"convertible" to cover "foldable" laptops that can both act as a
tablet and as a laptop, such as various Lenovo Yoga devices.
Contributions from: Adrián López, Alexander Galanin, Alexander
Kochetkov, Alexandros Frantzis, Andrey Ulanov, Antoine Eiche, Baruch
Siach, Bastien Nocera, Benjamin Robin, Björn, Brandon Philips, Cédric
Schieli, Charles (Chas) Williams, Christian Hesse, Daniele Medri,
Daniel Drake, Daniel Rusek, Daniel Wagner, Dan Streetman, Dave Reisner,
David Glasser, David Herrmann, David Michael, Djalal Harouni, Dmitry
Khlebnikov, Dmitry Rozhkov, Dongsu Park, Douglas Christman, Earnestly,
Emil Soleyman, Eric Cook, Evgeny Vereshchagin, Felipe Sateler, Fionn
Cleary, Florian Klink, Francesco Brozzu, Franck Bui, Gabriel Rauter,
Gianluca Boiano, Giedrius Statkevičius, Graeme Lawes, Hans de Goede,
Harald Hoyer, Ian Kelling, Ivan Shapovalov, Jakub Wilk, Janne Heß, Jan
Synacek, Jason Reeder, Jonathan Boulle, Jörg Thalheim, Jouke Witteveen,
Karl Kraus, Kees Cook, Keith Busch, Kieran Colford, kilian-k, Lennart
Poettering, Lubomir Rintel, Lucas Werkmeister, Lukas Rusak, Maarten de
Vries, Maks Naumov, Mantas Mikulėnas, Marc-Andre Lureau, Marcin Bachry,
Mark Stosberg, Martin Ejdestig, Martin Pitt, Mauricio Faria de
Oliveira, micah, Michael Biebl, Michael Shields, Michal Schmidt, Michal
Sekletar, Michel Kraus, Mike Gilbert, Mikko Ylinen, Mirza Krak,
Namhyung Kim, nikolaof, peoronoob, Peter Hutterer, Peter Körner, Philip
Withnall, Piotr Drąg, Ray Strode, Reverend Homer, Rike-Benjamin
Schuppner, Robert Kreuzer, Ronny Chevalier, Ruslan Bilovol, sammynx,
Sergey Ptashnick, Sergiusz Urbaniak, Stefan Berger, Stefan Hajnoczi,
Stefan Schweter, Stuart McLaren, Susant Sahani, Sylvain Plantefève,
Taylor Smock, Tejun Heo, Thomas Blume, Thomas H. P. Andersen, Tibor
Nagy, Tobias Stoeckmann, Tom Gundersen, Torstein Husebø, Viktar
Vaŭčkievič, Viktor Mihajlovski, Vitaly Sulimov, Waldemar Brodkorb,
Walter Garcia-Fontes, Wim de With, Yassine Imounachen, Yi EungJun,
YunQiang Su, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Александр
— Berlin, 2017-03-01
* udev now runs with MemoryDenyWriteExecute=, RestrictRealtime= and
RestrictAddressFamilies= enabled. These sandboxing options should
generally be compatible with the various external udev call-out
binaries we are aware of, however there may be exceptions, in
particular when exotic languages for these call-outs are used. In
this case, consider turning off these settings locally.
* The new RemoveIPC= option can be used to remove IPC objects owned by
the user or group of a service when that service exits.
* The new ProtectKernelModules= option can be used to disable explicit
load and unload operations of kernel modules by a service. In
addition access to /usr/lib/modules is removed if this option is set.
* ProtectSystem= option gained a new value "strict", which causes the
whole file system tree with the exception of /dev, /proc, and /sys,
to be remounted read-only for a service.
* The new ProtectKernelTunables= option can be used to disable
modification of configuration files in /sys and /proc by a service.
Various directories and files are remounted read-only, so access is
restricted even if the file permissions would allow it.
* The new ProtectControlGroups= option can be used to disable write
access by a service to /sys/fs/cgroup.
* Various systemd services have been hardened with
ProtectKernelTunables=yes, ProtectControlGroups=yes,
* Support for dynamically creating users for the lifetime of a service
has been added. If DynamicUser=yes is specified, user and group IDs
will be allocated from the range 61184..65519 for the lifetime of the
service. They can be resolved using the new NSS
module. The module must be enabled in /etc/nsswitch.conf. Services
started in this way have PrivateTmp= and RemoveIPC= enabled, so that
any resources allocated by the service will be cleaned up when the
service exits. They also have ProtectHome=read-only and
ProtectSystem=strict enabled, so they are not able to make any
permanent modifications to the system.
* The nss-systemd module also always resolves root and nobody, making
it possible to have no /etc/passwd or /etc/group files in minimal
container or chroot environments.
* Services may be started with their own user namespace using the new
boolean PrivateUsers= option. Only root, nobody, and the uid/gid
under which the service is running are mapped. All other users are
mapped to nobody.
* Support for the cgroup namespace has been added to systemd-nspawn. If
supported by kernel, the container system started by systemd-nspawn
will have its own view of the cgroup hierarchy. This new behaviour
can be disabled using $SYSTEMD_NSPAWN_USE_CGNS environment variable.
* The new MemorySwapMax= option can be used to limit the maximum swap
usage under the unified cgroup hierarchy.
* Support for the CPU controller in the unified cgroup hierarchy has
been added, via the CPUWeight=, CPUStartupWeight=, CPUAccounting=
options. This controller requires out-of-tree patches for the kernel
and the support is provisional.
* Mount and automount units may now be created transiently
(i.e. dynamically at runtime via the bus API, instead of requiring
unit files in the file system).
* systemd-mount is a new tool which may mount file systems – much like
mount(8), optionally pulling in additional dependencies through
transient .mount and .automount units. For example, this tool
automatically runs fsck on a backing block device before mounting,
and allows the automount logic to be used dynamically from the
command line for establishing mount points. This tool is particularly
useful when dealing with removable media, as it will ensure fsck is
run – if necessary – before the first access and that the file system
is quickly unmounted after each access by utilizing the automount
logic. This maximizes the chance that the file system on the
removable media stays in a clean state, and if it isn't in a clean
state is fixed automatically.
* LazyUnmount=yes option for mount units has been added to expose the
umount --lazy option. Similarly, ForceUnmount=yes exposes the --force
* /efi will be used as the mount point of the EFI boot partition, if
the directory is present, and the mount point was not configured
through other means (e.g. fstab). If /efi directory does not exist,
/boot will be used as before. This makes it easier to automatically
mount the EFI partition on systems where /boot is used for something
* When operating on GPT disk images for containers, systemd-nspawn will
now mount the ESP to /boot or /efi according to the same rules as PID
1 running on a host. This allows tools like "bootctl" to operate
correctly within such containers, in order to make container images
bootable on physical systems.
* disk/by-id and disk/by-path symlinks are now created for NVMe drives.
* Two new user session targets have been added to support running
graphical sessions under the systemd --user instance: and See
systemd.special(7) for a description of how those targets should be
* The vconsole initialization code has been significantly reworked to
use KD_FONT_OP_GET/SET ioctls instead of KD_FONT_OP_COPY and better
support unicode keymaps. Font and keymap configuration will now be
copied to all allocated virtual consoles.
* FreeBSD's bhyve virtualization is now detected.
* Information recorded in the journal for core dumps now includes the
contents of /proc/mountinfo and the command line of the process at
the top of the process hierarchy (which is usually the init process
of the container).
* systemd-journal-gatewayd learned the --directory= option to serve
files from the specified location.
* journalctl --root=… can be used to peruse the journal in the
/var/log/ directories inside of a container tree. This is similar to
the existing --machine= option, but does not require the container to
be active.
* The hardware database has been extended to support
ID_INPUT_TRACKBALL, used in addition to ID_INPUT_MOUSE to identify
trackball devices.
MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL hwdb property has been added to
specify the click rate for mice which include a horizontal wheel with
a click rate that is different than the one for the vertical wheel.
* systemd-run gained a new --wait option that makes service execution
synchronous. (Specifically, the command will not return until the
specified service binary exited.)
* systemctl gained a new --wait option that causes the start command to
wait until the units being started have terminated again.
* A new journal output mode "short-full" has been added which displays
timestamps with abbreviated English day names and adds a timezone
suffix. Those timestamps include more information than the default
"short" output mode, and can be passed directly to journalctl's
--since= and --until= options.
* /etc/resolv.conf will be bind-mounted into containers started by
systemd-nspawn, if possible, so any changes to resolv.conf contents
are automatically propagated to the container.
* The number of instances for socket-activated services originating
from a single IP address can be limited with
MaxConnectionsPerSource=, extending the existing setting of
* systemd-networkd gained support for vcan ("Virtual CAN") interface
* .netdev and .network configuration can now be extended through
* UDP Segmentation Offload, TCP Segmentation Offload, Generic
Segmentation Offload, Generic Receive Offload, Large Receive Offload
can be enabled and disabled using the new UDPSegmentationOffload=,
TCPSegmentationOffload=, GenericSegmentationOffload=,
GenericReceiveOffload=, LargeReceiveOffload= options in the
[Link] section of .link files.
* The Spanning Tree Protocol, Priority, Aging Time, and the Default
Port VLAN ID can be configured for bridge devices using the new STP=,
Priority=, AgeingTimeSec=, and DefaultPVID= settings in the [Bridge]
section of .netdev files.
* The route table to which routes received over DHCP or RA should be
added can be configured with the new RouteTable= option in the [DHCP]
and [IPv6AcceptRA] sections of .network files.
* The Address Resolution Protocol can be disabled on links managed by
systemd-networkd using the ARP=no setting in the [Link] section of
.network files.
* New environment variables $SERVICE_RESULT, $EXIT_CODE and
$EXIT_STATUS are set for ExecStop= and ExecStopPost= commands, and
encode information about the result and exit codes of the current
service runtime cycle.
* systemd-sysctl will now configure kernel parameters in the order
they occur in the configuration files. This matches what sysctl
has been traditionally doing.
* kernel-install "plugins" that are executed to perform various
tasks after a new kernel is added and before an old one is removed
can now return a special value to terminate the procedure and
prevent any later plugins from running.
* Journald's SplitMode=login setting has been deprecated. It has been
removed from documentation, and its use is discouraged. In a future
release it will be completely removed, and made equivalent to current
default of SplitMode=uid.
* Storage=both option setting in /etc/systemd/coredump.conf has been
removed. With fast LZ4 compression storing the core dump twice is not
* The --share-system systemd-nspawn option has been replaced with an
(undocumented) variable $SYSTEMD_NSPAWN_SHARE_SYSTEM, but the use of
this functionality is discouraged. In addition the variables
$SYSTEMD_NSPAWN_SHARE_NS_UTS may be used to control the unsharing of
individual namespaces.
* "machinectl list" now shows the IP address of running containers in
the output, as well as OS release information.
* "loginctl list" now shows the TTY of each session in the output.
* sd-bus gained new API calls sd_bus_track_set_recursive(),
sd_bus_track_get_recursive(), sd_bus_track_count_name(),
sd_bus_track_count_sender(). They permit usage of sd_bus_track peer
tracking objects in a "recursive" mode, where a single client can be
counted multiple times, if it takes multiple references.
* sd-bus gained new API calls sd_bus_set_exit_on_disconnect() and
sd_bus_get_exit_on_disconnect(). They may be used to make a
process using sd-bus automatically exit if the bus connection is
* Bus clients of the service manager may now "pin" loaded units into
memory, by taking an explicit reference on them. This is useful to
ensure the client can retrieve runtime data about the service even
after the service completed execution. Taking such a reference is
available only for privileged clients and should be helpful to watch
running services in a race-free manner, and in particular collect
information about exit statuses and results.
* The nss-resolve module has been changed to strictly return UNAVAIL
when communication via D-Bus with resolved failed, and NOTFOUND when
a lookup completed but was negative. This means it is now possible to
neatly configure fallbacks using nsswitch.conf result checking
expressions. Taking benefit of this, the new recommended
configuration line for the "hosts" entry in /etc/nsswitch.conf is:
hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
* A new setting CtrlAltDelBurstAction= has been added to
/etc/systemd/system.conf which may be used to configure the precise
behaviour if the user on the console presses Ctrl-Alt-Del more often
than 7 times in 2s. Previously this would unconditionally result in
an expedited, immediate reboot. With this new setting the precise
operation may be configured in more detail, and also turned off
* In .netdev files two new settings RemoteChecksumTx= and
RemoteChecksumRx= are now understood that permit configuring the
remote checksumming logic for VXLAN networks.
* The service manager learnt a new "invocation ID" concept for invoked
services. Each runtime cycle of a service will get a new invocation
ID (a 128bit random UUID) assigned that identifies the current
run of the service uniquely and globally. A new invocation ID
is generated each time a service starts up. The journal will store
the invocation ID of a service along with any logged messages, thus
making the invocation ID useful for matching the online runtime of a
service with the offline log data it generated in a safe way without
relying on synchronized timestamps. In many ways this new service
invocation ID concept is similar to the kernel's boot ID concept that
uniquely and globally identifies the runtime of each boot. The
invocation ID of a service is passed to the service itself via an
environment variable ($INVOCATION_ID). A new bus call
GetUnitByInvocationID() has been added that is similar to GetUnit()
but instead of retrieving the bus path for a unit by its name
retrieves it by its invocation ID. The returned path is valid only as
long as the passed invocation ID is current.
* systemd-resolved gained a new "DNSStubListener" setting in
resolved.conf. It either takes a boolean value or the special values
"udp" and "tcp", and configures whether to enable the stub DNS
listener on
* IP addresses configured via networkd may now carry additional
configuration settings supported by the kernel. New options include:
HomeAddress=, DuplicateAddressDetection=, ManageTemporaryAddress=,
PrefixRoute=, AutoJoin=.
* The PAM configuration fragment file for "user@.service" shipped with
systemd (i.e. the --user instance of systemd) has been stripped to
the minimum necessary to make the system boot. Previously, it
contained Fedora-specific stanzas that did not apply to other
distributions. It is expected that downstream distributions add
additional configuration lines, matching their needs to this file,
using it only as rough template of what systemd itself needs. Note
that this reduced fragment does not even include an invocation of
pam_limits which most distributions probably want to add, even though
systemd itself does not need it. (There's also the new build time
option --with-pamconfdir=no to disable installation of the PAM
fragment entirely.)
* If PrivateDevices=yes is set for a service the CAP_SYS_RAWIO
capability is now also dropped from its set (in addition to
CAP_SYS_MKNOD as before).
* In service unit files it is now possible to connect a specific named
file descriptor with stdin/stdout/stdout of an executed service. The
name may be specified in matching .socket units using the
FileDescriptorName= setting.
* A number of journal settings may now be configured on the kernel
command line. Specifically, the following options are now understood:
systemd.journald.max_level_syslog=, systemd.journald.max_level_kmsg=,
* "systemctl is-enabled --full" will now show by which symlinks a unit
file is enabled in the unit dependency tree.
* Support for VeraCrypt encrypted partitions has been added to the
"cryptsetup" logic and /etc/crypttab.
* systemd-detect-virt gained support for a new --private-users switch
that checks whether the invoking processes are running inside a user
namespace. Similar, a new special value "private-users" for the
existing ConditionVirtualization= setting has been added, permitting
skipping of specific units in user namespace environments.
Contributions from: Alban Crequy, Alexander Kuleshov, Alfie John,
Andreas Henriksson, Andrew Jeddeloh, Balázs Úr, Bart Rulon, Benjamin
Richter, Ben Gamari, Ben Harris, Brian J. Murrell, Christian Brauner,
Christian Rebischke, Clinton Roy, Colin Walters, Cristian Rodríguez,
Daniel Hahler, Daniel Mack, Daniel Maixner, Daniel Rusek, Dan Dedrick,
Davide Cavalca, David Herrmann, David Michael, Dennis Wassenberg,
Djalal Harouni, Dongsu Park, Douglas Christman, Elias Probst, Eric
Cook, Erik Karlsson, Evgeny Vereshchagin, Felipe Sateler, Felix Zhang,
Franck Bui, George Hilliard, Giuseppe Scrivano, HATAYAMA Daisuke,
Heikki Kemppainen, Hendrik Brueckner, hi117, Ismo Puustinen, Ivan
Shapovalov, Jakub Filak, Jakub Wilk, Jan Synacek, Jason Kölker,
Jean-Sébastien Bour, Jiří Pírko, Jonathan Boulle, Jorge Niedbalski,
Keith Busch, kristbaum, Kyle Russell, Lans Zhang, Lennart Poettering,
Leonardo Brondani Schenkel, Lucas Werkmeister, Luca Bruno, Lukáš
Nykrýn, Maciek Borzecki, Mantas Mikulėnas, Marc-Antoine Perennou,
Marcel Holtmann, Marcos Mello, Martin Ejdestig, Martin Pitt, Matej
Habrnal, Maxime de Roucy, Michael Biebl, Michael Chapman, Michael Hoy,
Michael Olbrich, Michael Pope, Michal Sekletar, Michal Soltys, Mike
Gilbert, Nick Owens, Patrik Flykt, Paweł Szewczyk, Peter Hutterer,
Piotr Drąg, Reid Price, Richard W.M. Jones, Roman Stingler, Ronny
Chevalier, Seraphime Kirkovski, Stefan Schweter, Steve Muir, Susant
Sahani, Tejun Heo, Thomas Blume, Thomas H. P. Andersen, Tiago Levit,
Tobias Jungel, Tomáš Janoušek, Topi Miettinen, Torstein Husebø, Umut
Tezduyar Lindskog, Vito Caputo, WaLyong Cho, Wilhelm Schuster, Yann
E. MORIN, Yi EungJun, Yuki Inoguchi, Yu Watanabe, Zbigniew
Jędrzejewski-Szmek, Zeal Jagannatha
— Santa Fe, 2016-11-03
* In service units the various ExecXYZ= settings have been extended
with an additional special character as first argument of the
assigned value: if the character '+' is used the specified command
line it will be run with full privileges, regardless of User=,
Group=, CapabilityBoundingSet= and similar options. The effect is
similar to the existing PermissionsStartOnly= option, but allows
configuration of this concept for each executed command line
* Services may now alter the service watchdog timeout at runtime by
sending a WATCHDOG_USEC= message via sd_notify().
* MemoryLimit= and related unit settings now optionally take percentage
specifications. The percentage is taken relative to the amount of
physical memory in the system (or in case of containers, the assigned
amount of memory). This allows scaling service resources neatly with
the amount of RAM available on the system. Similarly, systemd-logind's
RuntimeDirectorySize= option now also optionally takes percentage
* In similar fashion TasksMax= takes percentage values now, too. The
value is taken relative to the configured maximum number of processes
on the system. The per-service task maximum has been changed to 15%
using this functionality. (Effectively this is an increase of 512 →
4915 for service units, given the kernel's default pid_max setting.)
* Calendar time specifications in .timer units now understand a ".."
syntax for time ranges. Example: "4..7:10" may now be used for
defining a timer that is triggered at 4:10am, 5:10am, 6:10am and
7:10am every day.
* The InaccessableDirectories=, ReadOnlyDirectories= and
ReadWriteDirectories= unit file settings have been renamed to
InaccessablePaths=, ReadOnlyPaths= and ReadWritePaths= and may now be
applied to all kinds of file nodes, and not just directories, with
the exception of symlinks. Specifically these settings may now be
used on block and character device nodes, UNIX sockets and FIFOS as
well as regular files. The old names of these settings remain
available for compatibility.
* systemd will now log about all service processes it kills forcibly
(using SIGKILL) because they remained after the clean shutdown phase
of the service completed. This should help identifying services that
shut down uncleanly. Moreover if KillUserProcesses= is enabled in
systemd-logind's configuration a similar log message is generated for
processes killed at the end of each session due to this setting.
* systemd will now set the $JOURNAL_STREAM environment variable for all
services whose stdout/stderr are connected to the Journal (which
effectively means by default: all services). The variable contains
the device and inode number of the file descriptor used for
stdout/stderr. This may be used by invoked programs to detect whether
their stdout/stderr is connected to the Journal, in which case they
can switch over to direct Journal communication, thus being able to
pass extended, structured metadata along with their log messages. As
one example, this is now used by glib's logging primitives.
* When using systemd's default tmp.mount unit for /tmp, the mount point
will now be established with the "nosuid" and "nodev" options. This
avoids privilege escalation attacks that put traps and exploits into
/tmp. However, this might cause problems if you e. g. put container
images or overlays into /tmp; if you need this, override tmp.mount's
"Options=" with a drop-in, or mount /tmp from /etc/fstab with your
desired options.
* systemd now supports the "memory" cgroup controller also on
* The systemd-cgtop tool now optionally takes a control group path as
command line argument. If specified, the control group list shown is
limited to subgroups of that group.
* The SystemCallFilter= unit file setting gained support for
pre-defined, named system call filter sets. For example
SystemCallFilter=@clock is now an effective way to make all clock
changing-related system calls unavailable to a service. A number of
similar pre-defined groups are defined. Writing system call filters
for system services is simplified substantially with this new
concept. Accordingly, all of systemd's own, long-running services now
enable system call filtering based on this, by default.
* A new service setting MemoryDenyWriteExecute= has been added, taking
a boolean value. If turned on, a service may no longer create memory
mappings that are writable and executable at the same time. This
enhances security for services where this is enabled as it becomes
harder to dynamically write and then execute memory in exploited
service processes. This option has been enabled for all of systemd's
own long-running services.
* A new RestrictRealtime= service setting has been added, taking a
boolean argument. If set the service's processes may no longer
acquire realtime scheduling. This improves security as realtime
scheduling may otherwise be used to easily freeze the system.
* systemd-nspawn gained a new switch --notify-ready= taking a boolean
value. This may be used for requesting that the system manager inside
of the container reports start-up completion to nspawn which then
propagates this notification further to the service manager
supervising nspawn itself. A related option NotifyReady= in .nspawn
files has been added too. This functionality allows ordering of the
start-up of multiple containers using the usual systemd ordering
* machinectl gained a new command "stop" that is an alias for
* systemd-resolved gained support for contacting DNS servers on
link-local IPv6 addresses.
* If systemd-resolved receives the SIGUSR2 signal it will now flush all
its caches. A method call for requesting the same operation has been
added to the bus API too, and is made available via "systemd-resolve
* systemd-resolve gained a new --status switch. If passed a brief
summary of the used DNS configuration with per-interface information
is shown.
* resolved.conf gained a new Cache= boolean option, defaulting to
on. If turned off local DNS caching is disabled. This comes with a
performance penalty in particular when DNSSEC is enabled. Note that
resolved disables its internal caching implicitly anyway, when the
configured DNS server is on a host-local IP address such as ::1 or, thus automatically avoiding double local caching.
* systemd-resolved now listens on the local IP address
for DNS requests. This improves compatibility with local programs
that do not use the libc NSS or systemd-resolved's bus APIs for name
resolution. This minimal DNS service is only available to local
programs and does not implement the full DNS protocol, but enough to
cover local DNS clients. A new, static resolv.conf file, listing just
this DNS server is now shipped in /usr/lib/systemd/resolv.conf. It is
now recommended to make /etc/resolv.conf a symlink to this file in
order to route all DNS lookups to systemd-resolved, regardless if
done via NSS, the bus API or raw DNS packets. Note that this local
DNS service is not as fully featured as the libc NSS or
systemd-resolved's bus APIs. For example, as unicast DNS cannot be
used to deliver link-local address information (as this implies
sending a local interface index along), LLMNR/mDNS support via this
interface is severely restricted. It is thus strongly recommended for
all applications to use the libc NSS API or native systemd-resolved
bus API instead.
* systemd-networkd's bridge support learned a new setting
VLANFiltering= for controlling VLAN filtering. Moreover a new section
in .network files has been added for configuring VLAN bridging in
more detail: VLAN=, EgressUntagged=, PVID= in [BridgeVLAN].
* systemd-networkd's IPv6 Router Advertisement code now makes use of
the DNSSL and RDNSS options. This means IPv6 DNS configuration may
now be acquired without relying on DHCPv6. Two new options
UseDomains= and UseDNS= have been added to configure this behaviour.
* systemd-networkd's IPv6AcceptRouterAdvertisements= option has been
renamed IPv6AcceptRA=, without altering its behaviour. The old
setting name remains available for compatibility reasons.
* The systemd-networkd VTI/VTI6 tunneling support gained new options
Key=, InputKey= and OutputKey=.
* systemd-networkd gained support for VRF ("Virtual Routing Function")
interface configuration.
* "systemctl edit" may now be used to create new unit files by
specifying the --force switch.
* sd-event gained a new function sd_event_get_iteration() for
requesting the current iteration counter of the event loop. It starts
at zero and is increased by one with each event loop iteration.
* A new rpm macro %systemd_ordering is provided by the macros.systemd
file. It can be used in lieu of %systemd_requires in packages which
don't use any systemd functionality and are intended to be installed
in minimal containers without systemd present. This macro provides
ordering dependencies to ensure that if the package is installed in
the same rpm transaction as systemd, systemd will be installed before
the scriptlets for the package are executed, allowing unit presets
to be handled.
New macros %_systemdgeneratordir and %_systemdusergeneratordir have
been added to simplify packaging of generators.
* The os-release file gained VERSION_CODENAME field for the
distribution nickname (e.g. VERSION_CODENAME=woody).
can be set to disable parsing of metadata and the creation
of persistent symlinks for that device.
* The v230 change to tag framebuffer devices (/dev/fb*) with "uaccess"
to make them available to logged-in users has been reverted.
* Much of the common code of the various systemd components is now
built into an internal shared library
(incorporating the systemd version number in the name, to be updated
with future releases) that the components link to. This should
decrease systemd footprint both in memory during runtime and on
disk. Note that the shared library is not for public use, and is
neither API nor ABI stable, but is likely to change with every new
released update. Packagers need to make sure that binaries
linking to are updated in step with the
* Configuration for "mkosi" is now part of the systemd
repository. mkosi is a tool to easily build legacy-free OS images,
and is available on github: If
"mkosi" is invoked in the build tree a new raw OS image is generated
incorporating the systemd sources currently being worked on and a
clean, fresh distribution installation. The generated OS image may be
booted up with "systemd-nspawn -b -i", qemu-kvm or on any physical
UEFI PC. This functionality is particularly useful to easily test
local changes made to systemd in a pristine, defined environment. See
doc/HACKING for details.
* configure learned the --with-support-url= option to specify the
distribution's bugtracker.
Contributions from: Alban Crequy, Alessandro Puccetti, Alessio Igor
Bogani, Alexander Kuleshov, Alexander Kurtz, Alex Gaynor, Andika
Triwidada, Andreas Pokorny, Andreas Rammhold, Andrew Jeddeloh, Ansgar
Burchardt, Atrotors, Benjamin Drung, Brian Boylston, Christian Hesse,
Christian Rebischke, Daniele Medri, Daniel Mack, Dave Reisner, David
Herrmann, David Michael, Djalal Harouni, Douglas Christman, Elias
Probst, Evgeny Vereshchagin, Federico Mena Quintero, Felipe Sateler,
Franck Bui, Harald Hoyer, Ian Lee, Ivan Shapovalov, Jakub Wilk, Jan
Janssen, Jean-Sébastien Bour, John Paul Adrian Glaubitz, Jouke
Witteveen, Kai Ruhnau, kpengboy, Kyle Walker, Lénaïc Huard, Lennart
Poettering, Luca Bruno, Lukas Lösche, Lukáš Nykrýn, mahkoh, Marcel
Holtmann, Martin Pitt, Marty Plummer, Matthieu Codron, Max Prokhorov,
Michael Biebl, Michael Karcher, Michael Olbrich, Michał Bartoszkiewicz,
Michal Sekletar, Michal Soltys, Minkyung, Muhammet Kara, mulkieran,
Otto Wallenius, Pablo Lezaeta Reyes, Peter Hutterer, Ronny Chevalier,
Rusty Bird, Stef Walter, Susant Sahani, Tejun Heo, Thomas Blume, Thomas
Haller, Thomas H. P. Andersen, Tobias Jungel, Tom Gundersen, Tom Yan,
Topi Miettinen, Torstein Husebø, Valentin Vidić, Viktar Vaŭčkievič,
WaLyong Cho, Weng Xuetian, Werner Fink, Zbigniew Jędrzejewski-Szmek
— Berlin, 2016-07-25
* DNSSEC is now turned on by default in systemd-resolved (in
"allow-downgrade" mode), but may be turned off during compile time by
passing "--with-default-dnssec=no" to "configure" (and of course,
during runtime with DNSSEC= in resolved.conf). We recommend
downstreams to leave this on at least during development cycles and
report any issues with the DNSSEC logic upstream. We are very
interested in collecting feedback about the DNSSEC validator and its
limitations in the wild. Note however, that DNSSEC support is
probably nothing downstreams should turn on in stable distros just
yet, as it might create incompatibilities with a few DNS servers and
networks. We tried hard to make sure we downgrade to non-DNSSEC mode
automatically whenever we detect such incompatible setups, but there
might be systems we do not cover yet. Hence: please help us testing
the DNSSEC code, leave this on where you can, report back, but then
again don't consider turning this on in your stable, LTS or
production release just yet. (Note that you have to enable
nss-resolve in /etc/nsswitch.conf, to actually use systemd-resolved
and its DNSSEC mode for host name resolution from local
* systemd-resolve conveniently resolves DANE records with the --tlsa
option and OPENPGPKEY records with the --openpgp option. It also
supports dumping raw DNS record data via the new --raw= switch.
* systemd-logind will now by default terminate user processes that are
part of the user session scope unit (session-XX.scope) when the user
logs out. This behavior is controlled by the KillUserProcesses=
setting in logind.conf, and the previous default of "no" is now
changed to "yes". This means that user sessions will be properly
cleaned up after, but additional steps are necessary to allow
intentionally long-running processes to survive logout.
While the user is logged in at least once, user@.service is running,
and any service that should survive the end of any individual login
session can be started at a user service or scope using systemd-run.
systemd-run(1) man page has been extended with an example which shows
how to run screen in a scope unit underneath user@.service. The same
command works for tmux.
After the user logs out of all sessions, user@.service will be
terminated too, by default, unless the user has "lingering" enabled.
To effectively allow users to run long-term tasks even if they are
logged out, lingering must be enabled for them. See loginctl(1) for
details. The default polkit policy was modified to allow users to
set lingering for themselves without authentication.
Previous defaults can be restored at compile time by the
--without-kill-user-processes option to "configure".
* systemd-logind gained new configuration settings SessionsMax= and
InhibitorsMax=, both with a default of 8192. It will not register new
user sessions or inhibitors above this limit.
* systemd-logind will now reload configuration on SIGHUP.
* The unified cgroup hierarchy added in Linux 4.5 is now supported.
Use systemd.unified_cgroup_hierarchy=1 on the kernel command line to
enable. Also, support for the "io" cgroup controller in the unified
hierarchy has been added, so that the "memory", "pids" and "io" are
now the controllers that are supported on the unified hierarchy.
WARNING: it is not possible to use previous systemd versions with
systemd.unified_cgroup_hierarchy=1 and the new kernel. Therefore it
is necessary to also update systemd in the initramfs if using the
unified hierarchy. An updated SELinux policy is also required.
* LLDP support has been extended, and both passive (receive-only) and
active (sender) modes are supported. Passive mode ("routers-only") is
enabled by default in systemd-networkd. Active LLDP mode is enabled
by default for containers on the internal network. The "networkctl
lldp" command may be used to list information gathered. "networkctl
status" will also show basic LLDP information on connected peers now.
* The IAID and DUID unique identifier sent in DHCP requests may now be
configured for the system and each .network file managed by
systemd-networkd using the DUIDType=, DUIDRawData=, IAID= options.
* systemd-networkd gained support for configuring proxy ARP support for
each interface, via the ProxyArp= setting in .network files. It also
gained support for configuring the multicast querier feature of
bridge devices, via the new MulticastQuerier= setting in .netdev
files. Similarly, snooping on the IGMP traffic can be controlled
via the new setting MulticastSnooping=.
A new setting PreferredLifetime= has been added for addresses
configured in .network file to configure the lifetime intended for an
The systemd-networkd DHCP server gained the option EmitRouter=, which
defaults to yes, to configure whether the DHCP Option 3 (Router)
should be emitted.
* The testing tool /usr/lib/systemd/systemd-activate is renamed to
systemd-socket-activate and installed into /usr/bin. It is now fully
* systemd-journald now uses separate threads to flush changes to disk
when closing journal files, thus reducing impact of slow disk I/O on
logging performance.
* The sd-journal API gained two new calls
sd_journal_open_directory_fd() and sd_journal_open_files_fd() which
can be used to open journal files using file descriptors instead of
file or directory paths. sd_journal_open_container() has been
deprecated, sd_journal_open_directory_fd() should be used instead
with the flag SD_JOURNAL_OS_ROOT.
* journalctl learned a new output mode "-o short-unix" that outputs log
lines prefixed by their UNIX time (i.e. seconds since Jan 1st, 1970
UTC). It also gained support for a new --no-hostname setting to
suppress the hostname column in the family of "short" output modes.
* systemd-ask-password now optionally skips printing of the password to
stdout with --no-output which can be useful in scripts.
* Framebuffer devices (/dev/fb*) and 3D printers and scanners
(devices tagged with ID_MAKER_TOOL) are now tagged with
"uaccess" and are available to logged in users.
* The DeviceAllow= unit setting now supports specifiers (with "%").
* "systemctl show" gained a new --value switch, which allows print a
only the contents of a specific unit property, without also printing
the property's name. Similar support was added to "show*" verbs
of loginctl and machinectl that output "key=value" lists.
* A new unit type "generated" was added for files dynamically generated
by generator tools. Similarly, a new unit type "transient" is used
for unit files created using the runtime API. "systemctl enable" will
refuse to operate on such files.
* A new command "systemctl revert" has been added that may be used to
revert to the vendor version of a unit file, in case local changes
have been made by adding drop-ins or overriding the unit file.
* "machinectl clean" gained a new verb to automatically remove all or
just hidden container images.
* systemd-tmpfiles gained support for a new line type "e" for emptying
directories, if they exist, without creating them if they don't.
* systemd-nspawn gained support for automatically patching the UID/GIDs
of the owners and the ACLs of all files and directories in a
container tree to match the UID/GID user namespacing range selected
for the container invocation. This mode is enabled via the new
--private-users-chown switch. It also gained support for
automatically choosing a free, previously unused UID/GID range when
starting a container, via the new --private-users=pick setting (which
implies --private-users-chown). Together, these options for the first
time make user namespacing for nspawn containers fully automatic and
thus deployable. The systemd-nspawn@.service template unit file has
been changed to use this functionality by default.
* systemd-nspawn gained a new --network-zone= switch, that allows
creating ad-hoc virtual Ethernet links between multiple containers,
that only exist as long as at least one container referencing them is
running. This allows easy connecting of multiple containers with a
common link that implements an Ethernet broadcast domain. Each of
these network "zones" may be named relatively freely by the user, and
may be referenced by any number of containers, but each container may
only reference one of these "zones". On the lower level, this is
implemented by an automatically managed bridge network interface for
each zone, that is created when the first container referencing its
zone is created and removed when the last one referencing its zone
* The default start timeout may now be configured on the kernel command
line via systemd.default_timeout_start_sec=. It was already
configurable via the DefaultTimeoutStartSec= option in
* Socket units gained a new TriggerLimitIntervalSec= and
TriggerLimitBurst= setting to configure a limit on the activation
rate of the socket unit.
* The LimitNICE= setting now optionally takes normal UNIX nice values
in addition to the raw integer limit value. If the specified
parameter is prefixed with "+" or "-" and is in the range -20..19 the
value is understood as UNIX nice value. If not prefixed like this it
is understood as raw RLIMIT_NICE limit.
* Note that the effect of the PrivateDevices= unit file setting changed
slightly with this release: the per-device /dev file system will be
mounted read-only from this version on, and will have "noexec"
set. This (minor) change of behavior might cause some (exceptional)
legacy software to break, when PrivateDevices=yes is set for its
service. Please leave PrivateDevices= off if you run into problems
with this.
* systemd-bootchart has been split out to a separate repository:
* systemd-bus-proxyd has been removed, as kdbus is unlikely to still be
merged into the kernel in its current form.
* The compatibility libraries,,, and
which have been deprecated since systemd-209 have been removed along
with the corresponding pkg-config files. All symbols provided by
those libraries are provided by
* The Capabilities= unit file setting has been removed (it is ignored
for backwards compatibility). AmbientCapabilities= and
CapabilityBoundingSet= should be used instead.
* A new special target has been added,,
which creates a synchronization point for dependencies of the root
device in early userspace. Initramfs builders must ensure that this
target is now included in early userspace.
Contributions from: Alban Crequy, Alexander Kuleshov, Alexander Shopov,
Alex Crawford, Andre Klärner, Andrew Eikum, Beniamino Galvani, Benjamin
Robin, Biao Lu, Bjørnar Ness, Calvin Owens, Christian Hesse, Clemens
Gruber, Colin Guthrie, Daniel Drake, Daniele Medri, Daniel J Walsh,
Daniel Mack, Dan Nicholson, daurnimator, David Herrmann, David
R. Hedges, Elias Probst, Emmanuel Gil Peyrot, EMOziko, Evgeny
Vereshchagin, Federico, Felipe Sateler, Filipe Brandenburger, Franck
Bui, frankheckenbach, gdamjan, Georgia Brikis, Harald Hoyer, Hendrik
Brueckner, Hristo Venev, Iago López Galeiras, Ian Kelling, Ismo
Puustinen, Jakub Wilk, Jaroslav Škarvada, Jeff Huang, Joel Holdsworth,
John Paul Adrian Glaubitz, Jonathan Boulle, kayrus, Klearchos
Chaloulos, Kyle Russell, Lars Uebernickel, Lennart Poettering, Lubomir
Rintel, Lukáš Nykrýn, Mantas Mikulėnas, Marcel Holtmann, Martin Pitt,
Michael Biebl, michaelolbrich, Michał Bartoszkiewicz, Michal Koutný,
Michal Sekletar, Mike Frysinger, Mike Gilbert, Mingcong Bai, Ming Lin,
mulkieran, muzena, Nalin Dahyabhai, Naohiro Aota, Nathan McSween,
Nicolas Braud-Santoni, Patrik Flykt, Peter Hutterer, Peter Mattern,
Petr Lautrbach, Petros Angelatos, Piotr Drąg, Rabin Vincent, Robert
Węcławski, Ronny Chevalier, Samuel Tardieu, Stefan Saraev, Stefan
Schallenberg aka nafets227, Steven Siloti, Susant Sahani, Sylvain
Plantefève, Taylor Smock, Tejun Heo, Thomas Blume, Thomas Haller,
Thomas H. P. Andersen, Tobias Klauser, Tom Gundersen, topimiettinen,
Torstein Husebø, Umut Tezduyar Lindskog, Uwe Kleine-König, Victor Toso,
Vinay Kulkarni, Vito Caputo, Vittorio G (VittGam), Vladimir Panteleev,
Wieland Hoffmann, Wouter Verhelst, Yu Watanabe, Zbigniew
— Fairfax, 2016-05-21
* The systemd-resolved DNS resolver service has gained a substantial
set of new features, most prominently it may now act as a DNSSEC
validating stub resolver. DNSSEC mode is currently turned off by
default, but is expected to be turned on by default in one of the
next releases. For now, we invite everybody to test the DNSSEC logic
by setting DNSSEC=allow-downgrade in /etc/systemd/resolved.conf. The
service also gained a full set of D-Bus interfaces, including calls
to configure DNS and DNSSEC settings per link (for use by external
network management software). systemd-resolved and systemd-networkd
now distinguish between "search" and "routing" domains. The former
are used to qualify single-label names, the latter are used purely
for routing lookups within certain domains to specific links.
resolved now also synthesizes RRs for all entries from /etc/hosts.
* The systemd-resolve tool (which is a client utility for
systemd-resolved) has been improved considerably and is now fully
supported and documented. Hence it has moved from /usr/lib/systemd to
* /dev/disk/by-path/ symlink support has been (re-)added for virtio
* The coredump collection logic has been reworked: when a coredump is
collected it is now written to disk, compressed and processed
(including stacktrace extraction) from a new instantiated service
systemd-coredump@.service, instead of directly from the
/proc/sys/kernel/core_pattern hook we provide. This is beneficial as
processing large coredumps can take up a substantial amount of
resources and time, and this previously happened entirely outside of
systemd's service supervision. With the new logic the core_pattern
hook only does minimal metadata collection before passing off control
to the new instantiated service, which is configured with a time
limit, a nice level and other settings to minimize negative impact on
the rest of the system. Also note that the new logic will honour the
RLIMIT_CORE setting of the crashed process, which now allows users
and processes to turn off coredumping for their processes by setting
this limit.
* The RLIMIT_CORE resource limit now defaults to "unlimited" for PID 1
and all forked processes by default. Previously, PID 1 would leave
the setting at "0" for all processes, as set by the kernel. Note that
the resource limit traditionally has no effect on the generated
coredumps on the system if the /proc/sys/kernel/core_pattern hook
logic is used. Since the limit is now honoured (see above) its
default has been changed so that the coredumping logic is enabled by
default for all processes, while allowing specific opt-out.
* When the stacktrace is extracted from processes of system users, this
is now done as "systemd-coredump" user, in order to sandbox this
potentially security sensitive parsing operation. (Note that when
processing coredumps of normal users this is done under the user ID
of process that crashed, as before.) Packagers should take notice
that it is now necessary to create the "systemd-coredump" system user
and group at package installation time.
* The systemd-activate socket activation testing tool gained support
for SOCK_DGRAM and SOCK_SEQPACKET sockets using the new --datagram
and --seqpacket switches. It also has been extended to support both
new-style and inetd-style file descriptor passing. Use the new
--inetd switch to request inetd-style file descriptor passing.
* Most systemd tools now honor a new $SYSTEMD_COLORS environment
variable, which takes a boolean value. If set to false, ANSI color
output is disabled in the tools even when run on a terminal that
supports it.
* The VXLAN support in networkd now supports two new settings
DestinationPort= and PortRange=.
* A new systemd.machine_id= kernel command line switch has been added,
that may be used to set the machine ID in /etc/machine-id if it is
not initialized yet. This command line option has no effect if the
file is already initialized.
* systemd-nspawn gained a new --as-pid2 switch that invokes any
specified command line as PID 2 rather than PID 1 in the
container. In this mode PID 1 is a minimal stub init process that
implements the special POSIX and Linux semantics of PID 1 regarding
signal and child process management. Note that this stub init process
is implemented in nspawn itself and requires no support from the
container image. This new logic is useful to support running
arbitrary commands in the container, as normal processes are
generally not prepared to run as PID 1.
* systemd-nspawn gained a new --chdir= switch for setting the current
working directory for the process started in the container.
* "journalctl /dev/sda" will now output all kernel log messages for
specified device from the current boot, in addition to all devices
that are parents of it. This should make log output about devices
pretty useful, as long as kernel drivers attach enough metadata to
the log messages. (The usual SATA drivers do.)
* The sd-journal API gained two new calls
sd_journal_has_runtime_files() and sd_journal_has_persistent_files()
that report whether log data from /run or /var has been found.
* journalctl gained a new switch "--fields" that prints all journal
record field names currently in use in the journal. This is backed
by two new sd-journal API calls sd_journal_enumerate_fields() and
* Most configurable timeouts in systemd now expect an argument of
"infinity" to turn them off, instead of "0" as before. The semantics
from now on is that a timeout of "0" means "now", and "infinity"
means "never". To maintain backwards compatibility, "0" continues to
turn off previously existing timeout settings.
* "systemctl reload-or-try-restart" has been renamed to "systemctl
try-reload-or-restart" to clarify what it actually does: the "try"
logic applies to both reloading and restarting, not just restarting.
The old name continues to be accepted for compatibility.
* On boot-up, when PID 1 detects that the system clock is behind the
release date of the systemd version in use, the clock is now set
to the latter. Previously, this was already done in timesyncd, in order
to avoid running with clocks set to the various clock epochs such as
1902, 1938 or 1970. With this change the logic is now done in PID 1
in addition to timesyncd during early boot-up, so that it is enforced
before the first process is spawned by systemd. Note that the logic
in timesyncd remains, as it is more comprehensive and ensures
clock monotonicity by maintaining a persistent timestamp file in
/var. Since /var is generally not available in earliest boot or the
initrd, this part of the logic remains in timesyncd, and is not done
by PID 1.
* Support for tweaking details in net_cls.class_id through the
NetClass= configuration directive has been removed, as the kernel
people have decided to deprecate that controller in cgroup v2.
Userspace tools such as nftables are moving over to setting rules
that are specific to the full cgroup path of a task, which obsoletes
these controllers anyway. The NetClass= directive is kept around for
legacy compatibility reasons. For a more in-depth description of the
kernel change, please refer to the respective upstream commit:
* A new service setting RuntimeMaxSec= has been added that may be used
to specify a maximum runtime for a service. If the timeout is hit, the
service is terminated and put into a failure state.
* A new service setting AmbientCapabilities= has been added. It allows
configuration of additional Linux process capabilities that are
passed to the activated processes. This is only available on very
recent kernels.
* The process resource limit settings in service units may now be used
to configure hard and soft limits individually.
* The various libsystemd APIs such as sd-bus or sd-event now publicly
expose support for gcc's __attribute__((cleanup())) C extension.
Specifically, for many object destructor functions alternative
versions have been added that have names suffixed with "p" and take a
pointer to a pointer to the object to destroy, instead of just a
pointer to the object itself. This is useful because these destructor
functions may be used directly as parameters to the cleanup
construct. Internally, systemd has been a heavy user of this GCC
extension for a long time, and with this change similar support is
now available to consumers of the library outside of systemd. Note
that by using this extension in your sources compatibility with old
and strictly ANSI compatible C compilers is lost. However, all gcc or
LLVM versions of recent years support this extension.
* Timer units gained support for a new setting RandomizedDelaySec= that
allows configuring some additional randomized delay to the configured
time. This is useful to spread out timer events to avoid load peaks in
clusters or larger setups.
* Calendar time specifications now support sub-second accuracy.
* Socket units now support listening on SCTP and UDP-lite protocol
* The sd-event API now comes with a full set of man pages.
* Older versions of systemd contained experimental support for
compressing journal files and coredumps with the LZ4 compressor that
was not compatible with the lz4 binary (due to API limitations of the
lz4 library). This support has been removed; only support for files
compatible with the lz4 binary remains. This LZ4 logic is now
officially supported and no longer considered experimental.
* The dkr image import logic has been removed again from importd. dkr's
micro-services focus doesn't fit into the machine image focus of
importd, and quickly got out of date with the upstream dkr API.
* Creation of the /run/lock/lockdev/ directory was dropped from
tmpfiles.d/legacy.conf. Better locking mechanisms like flock() have
been available for many years. If you still need this, you need to
create your own tmpfiles.d config file with:
d /run/lock/lockdev 0775 root lock -
* The settings StartLimitBurst=, StartLimitInterval=, StartLimitAction=
and RebootArgument= have been moved from the [Service] section of
unit files to [Unit], and they are now supported on all unit types,
not just service units. Of course, elogind will continue to
understand these settings also at the old location, in order to
maintain compatibility.
Contributions from: Abdo Roig-Maranges, Alban Crequy, Aleksander
Adamowski, Alexander Kuleshov, Andreas Pokorny, Andrei Borzenkov,
Andrew Wilcox, Arthur Clement, Beniamino Galvani, Casey Schaufler,
Chris Atkinson, Chris Mayo, Christian Hesse, Damjan Georgievski, Dan
Dedrick, Daniele Medri, Daniel J Walsh, Daniel Korostil, Daniel Mack,
David Herrmann, Dimitri John Ledkov, Dominik Hannen, Douglas Christman,
Evgeny Vereshchagin, Filipe Brandenburger, Franck Bui, Gabor Kelemen,
Harald Hoyer, Hayden Walles, Helmut Grohne, Henrik Kaare Poulsen,
Hristo Venev, Hui Wang, Indrajit Raychaudhuri, Ismo Puustinen, Jakub
Wilk, Jan Alexander Steffens (heftig), Jan Engelhardt, Jan Synacek,
Joost Bremmer, Jorgen Schaefer, Karel Zak, Klearchos Chaloulos,
lc85446, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas, Marcel
Holtmann, Martin Pitt, Michael Biebl, Michael Olbrich, Michael Scherer,
Michał Górny, Michal Sekletar, Nicolas Cornu, Nicolas Iooss, Nils
Carlson, nmartensen, nnz1024, Patrick Ohly, Peter Hutterer, Phillip Sz,
Ronny Chevalier, Samu Kallio, Shawn Landden, Stef Walter, Susant
Sahani, Sylvain Plantefève, Tadej Janež, Thomas Hindoe Paaboel
Andersen, Tom Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Vito
Caputo, WaLyong Cho, Yu Watanabe, Zbigniew Jędrzejewski-Szmek
— Berlin, 2016-02-11
* A number of properties previously only settable in unit
files are now also available as properties to set when
creating transient units programmatically via the bus, as it
is exposed with systemd-run's --property=
setting. Specifically, these are: SyslogIdentifier=,
SyslogLevelPrefix=, TimerSlackNSec=, OOMScoreAdjust=,
EnvironmentFile=, ReadWriteDirectories=,
ReadOnlyDirectories=, InaccessibleDirectories=,
ProtectSystem=, ProtectHome=, RuntimeDirectory=.
* When creating transient services via the bus API it is now
possible to pass in a set of file descriptors to use as
STDIN/STDOUT/STDERR for the invoked process.
* Slice units may now be created transiently via the bus APIs,
similar to the way service and scope units may already be
created transiently.
* Wherever systemd expects a calendar timestamp specification
(like in journalctl's --since= and --until= switches) UTC
timestamps are now supported. Timestamps suffixed with "UTC"
are now considered to be in Universal Time Coordinated
instead of the local timezone. Also, timestamps may now
optionally be specified with sub-second accuracy. Both of
these additions also apply to recurring calendar event
specification, such as OnCalendar= in timer units.
* journalctl gained a new "--sync" switch that asks the
journal daemon to write all so far unwritten log messages to
disk and sync the files, before returning.
* systemd-tmpfiles learned two new line types "q" and "Q" that
operate like "v", but also set up a basic btrfs quota
hierarchy when used on a btrfs file system with quota
* tmpfiles' "v", "q" and "Q" will now create a plain directory
instead of a subvolume (even on a btrfs file system) if the
root directory is a plain directory, and not a
subvolume. This should simplify things with certain chroot()
environments which are not aware of the concept of btrfs
* systemd-detect-virt gained a new --chroot switch to detect
whether execution takes place in a chroot() environment.
* CPUAffinity= now takes CPU index ranges in addition to
individual indexes.
* The various memory-related resource limit settings (such as
LimitAS=) now understand the usual K, M, G, ... suffixes to
the base of 1024 (IEC). Similar, the time-related resource
limit settings understand the usual min, h, day, ...
suffixes now.
* There's a new system.conf setting DefaultTasksMax= to
control the default TasksMax= setting for services and
scopes running on the system. (TasksMax= is the primary
setting that exposes the "pids" cgroup controller on systemd
and was introduced in the previous systemd release.) The
setting now defaults to 512, which means services that are
not explicitly configured otherwise will only be able to
create 512 processes or threads at maximum, from this
version on. Note that this means that thread- or
process-heavy services might need to be reconfigured to set
TasksMax= to a higher value. It is sufficient to set
TasksMax= in these specific unit files to a higher value, or
even "infinity". Similar, there's now a logind.conf setting
UserTasksMax= that defaults to 4096 and limits the total
number of processes or tasks each user may own
concurrently. nspawn containers also have the TasksMax=
value set by default now, to 8192. Note that all of this
only has an effect if the "pids" cgroup controller is
enabled in the kernel. The general benefit of these changes
should be a more robust and safer system, that provides a
certain amount of per-service fork() bomb protection.
* systemd-nspawn gained the new --network-veth-extra= switch
to define additional and arbitrarily-named virtual Ethernet
links between the host and the container.
* A new service execution setting PassEnvironment= has been
added that allows importing select environment variables
from PID1's environment block into the environment block of
the service.
* Timer units gained support for a new RemainAfterElapse=
setting which takes a boolean argument. It defaults to on,
exposing behaviour unchanged to previous releases. If set to
off, timer units are unloaded after they elapsed if they
cannot elapse again. This is particularly useful for
transient timer units, which shall not stay around longer
than until they first elapse.
* systemd will now bump the net.unix.max_dgram_qlen to 512 by
default now (the kernel default is 16). This is beneficial
for avoiding blocking on AF_UNIX/SOCK_DGRAM sockets since it
allows substantially larger numbers of queued
datagrams. This should increase the capability of systemd to
parallelize boot-up, as logging and sd_notify() are unlikely
to stall execution anymore. If you need to change the value
from the new defaults, use the usual sysctl.d/ snippets.
* The compression framing format used by the journal or
coredump processing has changed to be in line with what the
official LZ4 tools generate. LZ4 compression support in
systemd was considered unsupported previously, as the format
was not compatible with the normal tools. With this release
this has changed now, and it is hence safe for downstream
distributions to turn it on. While not compressing as well
as the XZ, LZ4 is substantially faster, which makes
it a good default choice for the compression logic in the
journal and in coredump handling.
* Any reference to /etc/mtab has been dropped from
systemd. The file has been obsolete since a while, but
systemd refused to work on systems where it was incorrectly
set up (it should be a symlink or non-existent). Please make
sure to update to util-linux 2.27.1 or newer in conjunction
with this systemd release, which also drops any reference to
/etc/mtab. If you maintain a distribution make sure that no
software you package still references it, as this is a
likely source of bugs. There's also a glibc bug pending,
asking for removal of any reference to this obsolete file:
Note that only util-linux versions built with
--enable-libmount-force-mountinfo are supported.
* Support for the ".snapshot" unit type has been removed. This
feature turned out to be little useful and little used, and
has now been removed from the core and from systemctl.
* The dependency types RequiresOverridable= and
RequisiteOverridable= have been removed from systemd. They
have been used only very sparingly to our knowledge and
other options that provide a similar effect (such as
systemctl --mode=ignore-dependencies) are much more useful
and commonly used. Moreover, they were only half-way
implemented as the option to control behaviour regarding
these dependencies was never added to systemctl. By removing
these dependency types the execution engine becomes a bit
simpler. Unit files that use these dependencies should be
changed to use the non-Overridable dependency types
instead. In fact, when parsing unit files with these
options, that's what systemd will automatically convert them
too, but it will also warn, asking users to fix the unit
files accordingly. Removal of these dependency types should
only affect a negligible number of unit files in the wild.
* Behaviour of networkd's IPForward= option changed
(again). It will no longer maintain a per-interface setting,
but propagate one way from interfaces where this is enabled
to the global kernel setting. The global setting will be
enabled when requested by a network that is set up, but
never be disabled again. This change was made to make sure
IPv4 and IPv6 behaviour regarding packet forwarding is
similar (as the Linux IPv6 stack does not support
per-interface control of this setting) and to minimize
* In unit files the behaviour of %u, %U, %h, %s has
changed. These specifiers will now unconditionally resolve
to the various user database fields of the user that the
systemd instance is running as, instead of the user
configured in the specific unit via User=. Note that this
effectively doesn't change much, as resolving of these
specifiers was already turned off in the --system instance
of systemd, as we cannot do NSS lookups from PID 1. In the
--user instance of systemd these specifiers where correctly
resolved, but hardly made any sense, since the user instance
lacks privileges to do user switches anyway, and User= is
hence useless. Moreover, even in the --user instance of
systemd behaviour was awkward as it would only take settings
from User= assignment placed before the specifier into
account. In order to unify and simplify the logic around
this the specifiers will now always resolve to the
credentials of the user invoking the manager (which in case
of PID 1 is the root user).
Contributions from: Andrew Jones, Beniamino Galvani, Boyuan
Yang, Daniel Machon, Daniel Mack, David Herrmann, David
Reynolds, David Strauss, Dongsu Park, Evgeny Vereshchagin,
Felipe Sateler, Filipe Brandenburger, Franck Bui, Hristo
Venev, Iago López Galeiras, Jan Engelhardt, Jan Janssen, Jan
Synacek, Jesus Ornelas Aguayo, Karel Zak, kayrus, Kay Sievers,
Lennart Poettering, Liu Yuan Yuan, Mantas Mikulėnas, Marcel
Holtmann, Marcin Bachry, Marcos Alano, Marcos Mello, Mark
Theunissen, Martin Pitt, Michael Marineau, Michael Olbrich,
Michal Schmidt, Michal Sekletar, Mirco Tischler, Nick Owens,
Nicolas Cornu, Patrik Flykt, Peter Hutterer, reverendhomer,
Ronny Chevalier, Sangjung Woo, Seong-ho Cho, Shawn Landden,
Susant Sahani, Thomas Haller, Thomas Hindoe Paaboel Andersen,
Tom Gundersen, Torstein Husebø, Vito Caputo, Zbigniew
— Berlin, 2015-11-18
* systemd now depends on util-linux v2.27. More specifically,
the newly added mount monitor feature in libmount now
replaces systemd's former own implementation.
* libmount mandates /etc/mtab not to be regular file, and
systemd now enforces this condition at early boot.
/etc/mtab has been deprecated and warned about for a very
long time, so systems running systemd should already have
stopped having this file around as anything else than a
symlink to /proc/self/mounts.
* Support for the "pids" cgroup controller has been added. It
allows accounting the number of tasks in a cgroup and
enforcing limits on it. This adds two new setting
TasksAccounting= and TasksMax= to each unit, as well as a
global option DefaultTasksAccounting=.
* Support for the "net_cls" cgroup controller has been added.
It allows assigning a net class ID to each task in the
cgroup, which can then be used in firewall rules and traffic
shaping configurations. Note that the kernel netfilter net
class code does not currently work reliably for ingress
packets on unestablished sockets.
This adds a new config directive called NetClass= to CGroup
enabled units. Allowed values are positive numbers for fixed
assignments and "auto" for picking a free value
* 'systemctl is-system-running' now returns 'offline' if the
system is not booted with systemd. This command can now be
used as a substitute for 'systemd-notify --booted'.
* Watchdog timeouts have been increased to 3 minutes for all
in-tree service files. Apparently, disk IO issues are more
frequent than we hoped, and user reported >1 minute waiting
for disk IO.
* 'machine-id-commit' functionality has been merged into
'machine-id-setup --commit'. The separate binary has been
* The WorkingDirectory= directive in unit files may now be set
to the special value '~'. In this case, the working
directory is set to the home directory of the user
configured in User=.
* "machinectl shell" will now open the shell in the home
directory of the selected user by default.
* The CrashChVT= configuration file setting is renamed to
CrashChangeVT=, following our usual logic of not
abbreviating unnecessarily. The old directive is still
supported for compat reasons. Also, this directive now takes
an integer value between 1 and 63, or a boolean value. The
formerly supported '-1' value for disabling stays around for
compat reasons.
* The PrivateTmp=, PrivateDevices=, PrivateNetwork=,
NoNewPrivileges=, TTYPath=, WorkingDirectory= and
RootDirectory= properties can now be set for transient
* The systemd-analyze tool gained a new "set-log-target" verb
to change the logging target the system manager logs to
dynamically during runtime. This is similar to how
"systemd-analyze set-log-level" already changes the log
* In nspawn /sys is now mounted as tmpfs, with only a selected
set of subdirectories mounted in from the real sysfs. This
enhances security slightly, and is useful for ensuring user
namespaces work correctly.
* Support for USB FunctionFS activation has been added. This
allows implementation of USB gadget services that are
activated as soon as they are requested, so that they don't
have to run continuously, similar to classic socket
* The "systemctl exit" command now optionally takes an
additional parameter that sets the exit code to return from
the systemd manager when exiting. This is only relevant when
running the systemd user instance, or when running the
system instance in a container.
* sd-bus gained the new API calls sd_bus_path_encode_many()
and sd_bus_path_decode_many() that allow easy encoding and
decoding of multiple identifier strings inside a D-Bus
object path. Another new call sd_bus_default_flush_close()
has been added to flush and close per-thread default
* systemd-cgtop gained support for a -M/--machine= switch to
show the control groups within a certain container only.
* "systemctl kill" gained support for an optional --fail
switch. If specified the requested operation will fail of no
processes have been killed, because the unit had no
processes attached, or similar.
* A new systemd.crash_reboot=1 kernel command line option has
been added that triggers a reboot after crashing. This can
also be set through CrashReboot= in systemd.conf.
* The RuntimeDirectory= setting now understands unit
specifiers like %i or %f.
* A new (still internal) library API sd-ipv4acd has been added,
that implements address conflict detection for IPv4. It's
based on code from sd-ipv4ll, and will be useful for
detecting DHCP address conflicts.
* File descriptors passed during socket activation may now be
named. A new API sd_listen_fds_with_names() is added to
access the names. The default names may be overridden,
either in the .socket file using the FileDescriptorName=
parameter, or by passing FDNAME= when storing the file
descriptors using sd_notify().
* systemd-networkd gained support for:
- Setting the IPv6 Router Advertisement settings via
IPv6AcceptRouterAdvertisements= in .network files.
- Configuring the HelloTimeSec=, MaxAgeSec= and
ForwardDelaySec= bridge parameters in .netdev files.
- Configuring PreferredSource= for static routes in
.network files.
* The "ask-password" framework used to query for LUKS harddisk
passwords or SSL passwords during boot gained support for
caching passwords in the kernel keyring, if it is
available. This makes sure that the user only has to type in
a passphrase once if there are multiple objects to unlock
with the same one. Previously, such password caching was
available only when Plymouth was used; this moves the
caching logic into the systemd codebase itself. The
"systemd-ask-password" utility gained a new --keyname=
switch to control which kernel keyring key to use for
caching a password in. This functionality is also useful for
enabling display managers such as gdm to automatically
unlock the user's GNOME keyring if its passphrase, the
user's password and the harddisk password are the same, if
gdm-autologin is used.
* When downloading tar or raw images using "machinectl
pull-tar" or "machinectl pull-raw", a matching ".nspawn"
file is now also downloaded, if it is available and stored
next to the image file.
* Units of type ".socket" gained a new boolean setting
Writable= which is only useful in conjunction with
ListenSpecial=. If true, enables opening the specified
special file in O_RDWR mode rather than O_RDONLY mode.
* systemd-rfkill has been reworked to become a singleton
service that is activated through /dev/rfkill on each rfkill
state change and saves the settings to disk. This way,
systemd-rfkill is now compatible with devices that exist
only intermittendly, and even restores state if the previous
system shutdown was abrupt rather than clean.
* The journal daemon gained support for vacuuming old journal
files controlled by the number of files that shall remain,
in addition to the already existing control by size and by
date. This is useful as journal interleaving performance
degrades with too many separate journal files, and allows
putting an effective limit on them. The new setting defaults
to 100, but this may be changed by setting SystemMaxFiles=
and RuntimeMaxFiles= in journald.conf. Also, the
"journalctl" tool gained the new --vacuum-files= switch to
manually vacuum journal files to leave only the specified
number of files in place.
* udev will now create /dev/disk/by-path links for ATA devices
on kernels where that is supported.
* Galician, Serbian, Turkish and Korean translations were added.
Contributions from: Aaro Koskinen, Alban Crequy, Beniamino
Galvani, Benjamin Robin, Branislav Blaskovic, Chen-Han Hsiao
(Stanley), Daniel Buch, Daniel Machon, Daniel Mack, David
Herrmann, David Milburn, doubleodoug, Evgeny Vereshchagin,
Felipe Franciosi, Filipe Brandenburger, Fran Dieguez, Gabriel
de Perthuis, Georg Müller, Hans de Goede, Hendrik Brueckner,
Ivan Shapovalov, Jacob Keller, Jan Engelhardt, Jan Janssen,
Jan Synacek, Jens Kuske, Karel Zak, Kay Sievers, Krzesimir
Nowak, Krzysztof Kotlenga, Lars Uebernickel, Lennart
Poettering, Lukas Nykryn, Łukasz Stelmach, Maciej Wereski,
Marcel Holtmann, Marius Thesing, Martin Pitt, Michael Biebl,
Michael Gebetsroither, Michal Schmidt, Michal Sekletar, Mike
Gilbert, Muhammet Kara, nazgul77, Nicolas Cornu, NoXPhasma,
Olof Johansson, Patrik Flykt, Pawel Szewczyk, reverendhomer,
Ronny Chevalier, Sangjung Woo, Seong-ho Cho, Susant Sahani,
Sylvain Plantefève, Thomas Haller, Thomas Hindoe Paaboel
Andersen, Tom Gundersen, Tom Lyon, Viktar Vauchkevich,
Zbigniew Jędrzejewski-Szmek, Марко М. Костић
— Berlin, 2015-10-07
* The DHCP implementation of systemd-networkd gained a set of
new features:
- The DHCP server now supports emitting DNS and NTP
information. It may be enabled and configured via
EmitDNS=, DNS=, EmitNTP=, and NTP=. If transmission of DNS
and NTP information is enabled, but no servers are
configured, the corresponding uplink information (if there
is any) is propagated.
- Server and client now support transmission and reception
of timezone information. It can be configured via the
newly introduced network options UseTimezone=,
EmitTimezone=, and Timezone=. Transmission of timezone
information is enabled between host and containers by
default now: the container will change its local timezone
to what the host has set.
- Lease timeouts can now be configured via
MaxLeaseTimeSec= and DefaultLeaseTimeSec=.
- The DHCP server improved on the stability of
leases. Clients are more likely to get the same lease
information back, even if the server loses state.
- The DHCP server supports two new configuration options to
control the lease address pool metrics, PoolOffset= and
* The encapsulation limit of tunnels in systemd-networkd may
now be configured via 'EncapsulationLimit='. It allows
modifying the maximum additional levels of encapsulation
that are permitted to be prepended to a packet.
* systemd now supports the concept of user buses replacing
session buses, if used with dbus-1.10 (and enabled via dbus
--enable-user-session). It previously only supported this on
kdbus-enabled systems, and this release expands this to
'dbus-daemon' systems.
* systemd-networkd now supports predictable interface names
for virtio devices.
* systemd now optionally supports the new Linux kernel
"unified" control group hierarchy. If enabled via the kernel
command-line option 'systemd.unified_cgroup_hierarchy=1',
systemd will try to mount the unified cgroup hierarchy
directly on /sys/fs/cgroup. If not enabled, or not
available, systemd will fall back to the legacy cgroup
hierarchy setup, as before. Host system and containers can
mix and match legacy and unified hierarchies as they
wish. nspawn understands the $UNIFIED_CGROUP_HIERARCHY
environment variable to individually select the hierarchy to
use for executed containers. By default, nspawn will use the
unified hierarchy for the containers if the host uses the
unified hierarchy, and the legacy hierarchy otherwise.
Please note that at this point the unified hierarchy is an
experimental kernel feature and is likely to change in one
of the next kernel releases. Therefore, it should not be
enabled by default in downstream distributions yet. The
minimum required kernel version for the unified hierarchy to
work is 4.2. Note that when the unified hierarchy is used
for the first time delegated access to controllers is
safe. Because of this systemd-nspawn containers will get
access to controllers now, as will systemd user
sessions. This means containers and user sessions may now