Compare commits
7 Commits
552cafaa86
...
70e9d9a56c
Author | SHA1 | Date |
---|---|---|
Lennart Poettering | 70e9d9a56c | |
Yu Watanabe | a44956c94a | |
Lennart Poettering | 97cd52c1b5 | |
Lennart Poettering | d200253ba5 | |
Topi Miettinen | e21d90606a | |
Lennart Poettering | 72d43d09cc | |
Lennart Poettering | 6841019567 |
80
NEWS
80
NEWS
|
@ -2,6 +2,53 @@ systemd System and Service Manager
|
||||||
|
|
||||||
CHANGES WITH 245 in spe:
|
CHANGES WITH 245 in spe:
|
||||||
|
|
||||||
|
* A new tool "systemd-repart" has been added, that operates as an
|
||||||
|
idempotent, robust, incremental, elastic and declarative
|
||||||
|
repartitioner. It takes inspiration from
|
||||||
|
systemd-tmpfiles/systemd-sysusers but applies the algorithmic
|
||||||
|
concepts to GPT partition tables. Specifically, a set of partitions
|
||||||
|
that must or may exist can be configured via drop-in files, and
|
||||||
|
during every boot the partition table on disk is compared with these
|
||||||
|
files, creating missing partitions or growing existing ones based on
|
||||||
|
configurable relative and absolute size constraints. The tool is
|
||||||
|
strictly incremental, i.e. does not delete, shrink or move
|
||||||
|
partitions, but only adds and grows them. The primary use-case is OS
|
||||||
|
images that shall ship in minimized form, with only a minimal boot
|
||||||
|
and root partition, that on first boot is grown to the size of the
|
||||||
|
underlying block device or augmented with additional partitions. For
|
||||||
|
example, the root partition could be extended to cover the whole
|
||||||
|
disk, or a swap or /home partitions could be added implicitly on
|
||||||
|
first boot. It also has uses on systems that use an A/B update scheme
|
||||||
|
to allow shipping minimal images with just the A set of partition,
|
||||||
|
and with the B set added on first boot. The tool is primarily
|
||||||
|
intended to be run in the initrd, shortly before transitioning into
|
||||||
|
the host OS, but also can be run after the transition took place. It
|
||||||
|
automatically discovers the disk backing the root file system, and
|
||||||
|
should hence not require any additional configuration besides the
|
||||||
|
partition definition drop-ins.
|
||||||
|
|
||||||
|
* A new component "userdb" has been added, along with a small daemon
|
||||||
|
"systemd-userdb.service" and a client tool "userdbctl". The framework
|
||||||
|
allows defining rich user and group records in a JSON format,
|
||||||
|
extending on the classic "struct passwd" and "struct group"
|
||||||
|
structures. Various components in systemd have been updated to
|
||||||
|
process records in this format, including systemd-logind and
|
||||||
|
pam-systemd. The user records are intended to be extensible, and
|
||||||
|
allow setting various resource management, security and runtime
|
||||||
|
parameters that shall be applied to processes and sessions of the
|
||||||
|
user as they log in. This facility is intended to allow associating
|
||||||
|
such metadata directly with user/group records so that they can be
|
||||||
|
produced, extended and consumed in unified form. We hope that
|
||||||
|
eventually frameworks such as sssd will generate records this way, so
|
||||||
|
that for the first time resource management and various other
|
||||||
|
per-user settings can be configured in LDAP directories and then
|
||||||
|
provided to systemd (specifically to systemd-logind and pam-system)
|
||||||
|
to enforce on log-in. For further details see:
|
||||||
|
|
||||||
|
https://systemd.io/USER_RECORD
|
||||||
|
https://systemd.io/GROUP_RECORD
|
||||||
|
https://systemd.io/USER_GROUP_API
|
||||||
|
|
||||||
* When systemd-tmpfiles copies a file tree using the 'C' line type it
|
* When systemd-tmpfiles copies a file tree using the 'C' line type it
|
||||||
will now implicitly label every copied file matching the SELinux
|
will now implicitly label every copied file matching the SELinux
|
||||||
database.
|
database.
|
||||||
|
@ -90,6 +137,11 @@ CHANGES WITH 245 in spe:
|
||||||
encryption of volumes to YubiKeys.This is exposed in the new
|
encryption of volumes to YubiKeys.This is exposed in the new
|
||||||
pkcs11-uri= option in /etc/crypttab.
|
pkcs11-uri= option in /etc/crypttab.
|
||||||
|
|
||||||
|
* The /etc/fstab support in systemd now supports two new mount options
|
||||||
|
x-systemd.{required,wanted}-by=, for explicitly configuring the units
|
||||||
|
that the specified mount shall be pulled in by, in place of
|
||||||
|
the usual local-fs.target/remote-fs.target.
|
||||||
|
|
||||||
* The https://systemd.io/ web site has been relaunched, directly
|
* The https://systemd.io/ web site has been relaunched, directly
|
||||||
populated with most of the documentation included in the systemd
|
populated with most of the documentation included in the systemd
|
||||||
repository. In particular, systemd acquired a new logo, thanks to
|
repository. In particular, systemd acquired a new logo, thanks to
|
||||||
|
@ -118,8 +170,20 @@ CHANGES WITH 245 in spe:
|
||||||
be requested by selecting a different naming scheme than the v245
|
be requested by selecting a different naming scheme than the v245
|
||||||
one, via the net.naming-scheme= kernel command line option.
|
one, via the net.naming-scheme= kernel command line option.
|
||||||
|
|
||||||
* PrivateUsers= now works in services run by the systemd --user
|
* PrivateUsers= in service files now works in services run by the
|
||||||
per-user instance of the service manager.
|
systemd --user per-user instance of the service manager.
|
||||||
|
|
||||||
|
* A new per-service sandboxing option ProtectClock= has been added that
|
||||||
|
locks down write access to the system clock. It takes away device
|
||||||
|
node access to /dev/rtc as well as the system calls that allow to set
|
||||||
|
the system clock. It also removes the CAP_SYS_TIME and CAP_WAKE_ALARM
|
||||||
|
capabilities. Note that this option does not affect access to
|
||||||
|
auxiliary services that allow changing the clock, for example access
|
||||||
|
to systemd-timedated.
|
||||||
|
|
||||||
|
* The systemd-id128 tool gained a new "show" verb for listing or
|
||||||
|
resolving a number of well-known UUIDs/128bit IDs, currently mostly
|
||||||
|
GPT partition table types.
|
||||||
|
|
||||||
* The Discoverable Partitions Specification has been updated to support
|
* The Discoverable Partitions Specification has been updated to support
|
||||||
/var and /var/tmp partition discovery. Support for this has been
|
/var and /var/tmp partition discovery. Support for this has been
|
||||||
|
@ -131,6 +195,10 @@ CHANGES WITH 245 in spe:
|
||||||
with the suggested enablement state based on the vendor preset files
|
with the suggested enablement state based on the vendor preset files
|
||||||
for the respective units.
|
for the respective units.
|
||||||
|
|
||||||
|
* "systemctl" gained a new option "--with-dependencies". If specified
|
||||||
|
commands such as "systemctl status" or "systemctl cat" will now show
|
||||||
|
all specified units along with all units they depend on.
|
||||||
|
|
||||||
* networkctl gained support for showing per-interface logs in its
|
* networkctl gained support for showing per-interface logs in its
|
||||||
"status" output.
|
"status" output.
|
||||||
|
|
||||||
|
@ -139,6 +207,14 @@ CHANGES WITH 245 in spe:
|
||||||
permanent MAC address of a network device even if a randomized MAC
|
permanent MAC address of a network device even if a randomized MAC
|
||||||
address is used.
|
address is used.
|
||||||
|
|
||||||
|
* systemd-logind will now validate access to the operation for changing
|
||||||
|
virtual terminals via a PolicyKit action. By default only users with
|
||||||
|
at least one session on a local VT will get access to the method call.
|
||||||
|
|
||||||
|
* When systemd sets up PAM sessions that invoked service processes shall
|
||||||
|
run in, the pam_setcred() API is now invoked, thus permitting PAM
|
||||||
|
modules to set additional credentials for the processes.
|
||||||
|
|
||||||
…
|
…
|
||||||
|
|
||||||
CHANGES WITH 244:
|
CHANGES WITH 244:
|
||||||
|
|
6
TODO
6
TODO
|
@ -19,6 +19,12 @@ Janitorial Clean-ups:
|
||||||
|
|
||||||
Features:
|
Features:
|
||||||
|
|
||||||
|
* cryptsetup/homed: also support FIDO2 HMAC password logic for unlocking
|
||||||
|
devices. (see: https://github.com/mjec/fido2-hmac-secret)
|
||||||
|
|
||||||
|
* systemd-gpt-auto should probably set x-systemd.growfs on the mounts it
|
||||||
|
creates
|
||||||
|
|
||||||
* homed/userdb: distuingish passwords and recovery keys in the records, since
|
* homed/userdb: distuingish passwords and recovery keys in the records, since
|
||||||
we probably want to use different PBKDF algorithms/settings for them:
|
we probably want to use different PBKDF algorithms/settings for them:
|
||||||
passwords have low entropy but recovery keys should have good entropy key
|
passwords have low entropy but recovery keys should have good entropy key
|
||||||
|
|
|
@ -87,7 +87,7 @@ static int show_one(Table **table, const char *name, sd_id128_t uuid, bool first
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
if (!*table) {
|
if (!*table) {
|
||||||
*table = table_new("name", "uuid");
|
*table = table_new("name", "id");
|
||||||
if (!*table)
|
if (!*table)
|
||||||
return log_oom();
|
return log_oom();
|
||||||
table_set_width(*table, 0);
|
table_set_width(*table, 0);
|
||||||
|
|
|
@ -11,6 +11,7 @@
|
||||||
#include <security/pam_modutil.h>
|
#include <security/pam_modutil.h>
|
||||||
#include <sys/file.h>
|
#include <sys/file.h>
|
||||||
#include <sys/stat.h>
|
#include <sys/stat.h>
|
||||||
|
#include <sys/sysmacros.h>
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
|
@ -219,10 +220,11 @@ static int socket_from_display(const char *display, char **path) {
|
||||||
|
|
||||||
static int get_seat_from_display(const char *display, const char **seat, uint32_t *vtnr) {
|
static int get_seat_from_display(const char *display, const char **seat, uint32_t *vtnr) {
|
||||||
union sockaddr_union sa = {};
|
union sockaddr_union sa = {};
|
||||||
_cleanup_free_ char *p = NULL, *tty = NULL;
|
_cleanup_free_ char *p = NULL, *sys_path = NULL, *tty = NULL;
|
||||||
_cleanup_close_ int fd = -1;
|
_cleanup_close_ int fd = -1;
|
||||||
struct ucred ucred;
|
struct ucred ucred;
|
||||||
int v, r, salen;
|
int v, r, salen;
|
||||||
|
dev_t display_ctty;
|
||||||
|
|
||||||
assert(display);
|
assert(display);
|
||||||
assert(vtnr);
|
assert(vtnr);
|
||||||
|
@ -251,7 +253,13 @@ static int get_seat_from_display(const char *display, const char **seat, uint32_
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = get_ctty(ucred.pid, NULL, &tty);
|
r = get_ctty_devnr(ucred.pid, &display_ctty);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
if (asprintf(&sys_path, "/sys/dev/char/%d:%d", major(display_ctty), minor(display_ctty)) < 0)
|
||||||
|
return -ENOMEM;
|
||||||
|
r = readlink_value(sys_path, &tty);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
|
|
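Review bot: The new `asprintf(&sys_path, "/sys/dev/char/%d:%d", major(display_ctty), minor(display_ctty))` passes the results of major()/minor() — `unsigned int` in glibc's `<sys/sysmacros.h>`, which the hunk newly includes — to `%d`; change the format to `"/sys/dev/char/%u:%u"` so -Wformat stays clean and a large device number is not printed with a sign. Note also that readlink on that sysfs link resolves to the device's kernel object name (presumably something like `tty7`) rather than the string the replaced get_ctty() call used to return, so the code after the hunk that turns `tty` into a VT number should be re-checked against the new form. The pid in `ucred` is looked up in /proc only after the peer credentials were obtained, so a display process that exits and whose pid is reused in between would be resolved to the wrong controlling tty; that race predates this change, but a short comment such as `/* pid may have been reused since SO_PEERCRED; best effort only */` would document it. get_seat_from_display()'s body continues past the end of the hunk.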
@ -729,7 +729,7 @@ static void ipip_sit_init(NetDev *n) {
|
||||||
assert(t);
|
assert(t);
|
||||||
|
|
||||||
t->pmtudisc = true;
|
t->pmtudisc = true;
|
||||||
t->fou_encap_type = FOU_ENCAP_DIRECT;
|
t->fou_encap_type = NETDEV_FOO_OVER_UDP_ENCAP_DIRECT;
|
||||||
t->isatap = -1;
|
t->isatap = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -771,7 +771,7 @@ static void gre_erspan_init(NetDev *n) {
|
||||||
|
|
||||||
t->pmtudisc = true;
|
t->pmtudisc = true;
|
||||||
t->gre_erspan_sequence = -1;
|
t->gre_erspan_sequence = -1;
|
||||||
t->fou_encap_type = FOU_ENCAP_DIRECT;
|
t->fou_encap_type = NETDEV_FOO_OVER_UDP_ENCAP_DIRECT;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void ip6gre_init(NetDev *n) {
|
static void ip6gre_init(NetDev *n) {
|
||||||
|
|