Compare commits

No commits in common. "70e9d9a56c7a9387b445af1f887781bebdf75ae5" and "552cafaa86ad4aa48d8c01153211e80016a7fb55" have entirely different histories.

5 changed files with 7 additions and 97 deletions

80
NEWS

@ -2,53 +2,6 @@ systemd System and Service Manager
CHANGES WITH 245 in spe:
* A new tool "systemd-repart" has been added, that operates as an
idempotent, robust, incremental, elastic and declarative
repartitioner. It takes inspiration from
systemd-tmpfiles/systemd-sysusers but applies the algorithmic
concepts to GPT partition tables. Specifically, a set of partitions
that must or may exist can be configured via drop-in files, and
during every boot the partition table on disk is compared with these
files, creating missing partitions or growing existing ones based on
configurable relative and absolute size constraints. The tool is
strictly incremental, i.e. does not delete, shrink or move
partitions, but only adds and grows them. The primary use-case is OS
images that shall ship in minimized form, with only a minimal boot
and root partition, that on first boot is grown to the size of the
underlying block device or augmented with additional partitions. For
example, the root partition could be extended to cover the whole
disk, or a swap or /home partitions could be added implicitly on
first boot. It also has uses on systems that use an A/B update scheme
to allow shipping minimal images with just the A set of partition,
and with the B set added on first boot. The tool is primarily
intended to be run in the initrd, shortly before transitioning into
the host OS, but also can be run after the transition took place. It
automatically discovers the disk backing the root file system, and
should hence not require any additional configuration besides the
partition definition drop-ins.
* A new component "userdb" has been added, along with a small daemon
"systemd-userdb.service" and a client tool "userdbctl". The framework
allows defining rich user and group records in a JSON format,
extending on the classic "struct passwd" and "struct group"
structures. Various components in systemd have been updated to
process records in this format, including systemd-logind and
pam-systemd. The user records are intended to be extensible, and
allow setting various resource management, security and runtime
parameters that shall be applied to processes and sessions of the
user as they log in. This facility is intended to allow associating
such metadata directly with user/group records so that they can be
produced, extended and consumed in unified form. We hope that
eventually frameworks such as sssd will generate records this way, so
that for the first time resource management and various other
per-user settings can be configured in LDAP directories and then
provided to systemd (specifically to systemd-logind and pam-system)
to enforce on log-in. For further details see:
https://systemd.io/USER_RECORD
https://systemd.io/GROUP_RECORD
https://systemd.io/USER_GROUP_API
* When systemd-tmpfiles copies a file tree using the 'C' line type it
will now implicitly label every copied file matching the SELinux
database.
@ -137,11 +90,6 @@ CHANGES WITH 245 in spe:
encryption of volumes to YubiKeys.This is exposed in the new
pkcs11-uri= option in /etc/crypttab.
* The /etc/fstab support in systemd now supports two new mount options
x-systemd.{required,wanted}-by=, for explicitly configuring the units
that the specified mount shall be pulled in by, in place of
the usual local-fs.target/remote-fs.target.
* The https://systemd.io/ web site has been relaunched, directly
populated with most of the documentation included in the systemd
repository. In particular, systemd acquired a new logo, thanks to
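Review bot: the context line at the top of this hunk reads "YubiKeys.This is exposed", with no space after the full stop. Since the hunk already touches this part of NEWS (the x-systemd.{required,wanted}-by= entry), fix the neighbouring sentence to "YubiKeys. This is exposed" in the same change.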
@ -170,20 +118,8 @@ CHANGES WITH 245 in spe:
be requested by selecting a different naming scheme than the v245
one, via the net.naming-scheme= kernel command line option.
* PrivateUsers= in service files now works in services run by the
systemd --user per-user instance of the service manager.
* A new per-service sandboxing option ProtectClock= has been added that
locks down write access to the system clock. It takes away device
node access to /dev/rtc as well as the system calls that allow to set
the system clock. It also removes the CAP_SYS_TIME and CAP_WAKE_ALARM
capabilities. Note that this option does not affect access to
auxiliary services that allow changing the clock, for example access
to systemd-timedated.
* The systemd-id128 tool gained a new "show" verb for listing or
resolving a number of well-known UUIDs/128bit IDs, currently mostly
GPT partition table types.
* PrivateUsers= now works in services run by the systemd --user
per-user instance of the service manager.
* The Discoverable Partitions Specification has been updated to support
/var and /var/tmp partition discovery. Support for this has been
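Review bot: the ProtectClock= entry in this hunk goes away together with its caveat that the option "does not affect access to auxiliary services that allow changing the clock", while the PrivateUsers= entry survives only in reworded form. If ProtectClock= is still available on the resulting side, keep the entry: the note about systemd-timedated is what lets an administrator judge what the sandboxing option covers and what it leaves open. None of the other hunks in this compare touches the option, so the NEWS text and the code should be checked against each other before this lands.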
@ -195,10 +131,6 @@ CHANGES WITH 245 in spe:
with the suggested enablement state based on the vendor preset files
for the respective units.
* "systemctl" gained a new option "--with-dependencies". If specified
commands such as "systemctl status" or "systemctl cat" will now show
all specified units along with all units they depend on.
* networkctl gained support for showing per-interface logs in its
"status" output.
@ -207,14 +139,6 @@ CHANGES WITH 245 in spe:
permanent MAC address of a network device even if a randomized MAC
address is used.
* systemd-logind will now validate access to the operation for changing
virtual terminals via a PolicyKit action. By default only users with
at least one session on a local VT will get access to the method call.
* When systemd sets up PAM sessions that invoked service processes shall
run in, the pam_setcred() API is now invoked, thus permitting PAM
modules to set additional credentials for the processes.
CHANGES WITH 244:

6
TODO

@ -19,12 +19,6 @@ Janitorial Clean-ups:
Features:
* cryptsetup/homed: also support FIDO2 HMAC password logic for unlocking
devices. (see: https://github.com/mjec/fido2-hmac-secret)
* systemd-gpt-auto should probably set x-systemd.growfs on the mounts it
creates
* homed/userdb: distuingish passwords and recovery keys in the records, since
we probably want to use different PBKDF algorithms/settings for them:
passwords have low entropy but recovery keys should have good entropy key

@ -87,7 +87,7 @@ static int show_one(Table **table, const char *name, sd_id128_t uuid, bool first
} else {
if (!*table) {
*table = table_new("name", "id");
*table = table_new("name", "uuid");
if (!*table)
return log_oom();
table_set_width(*table, 0);
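Review bot: the header string passed to table_new() in show_one() is user-visible output, and this hunk switches it between "id" and "uuid" with no accompanying documentation change in the compare. Anything that reads the table header will see a different column name, so say which spelling is intended and keep it aligned with the `sd_id128_t uuid` parameter and with the NEWS wording ("UUIDs/128bit IDs") for the "show" verb.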

@ -11,7 +11,6 @@
#include <security/pam_modutil.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>
#include <unistd.h>
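Review bot: dropping `#include <sys/sysmacros.h>` is only safe if no major()/minor() call remains anywhere in this file. The later hunk in get_seat_from_display() removes the one use visible here; confirm there is no other caller before relying on a transitive include.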
@ -220,11 +219,10 @@ static int socket_from_display(const char *display, char **path) {
static int get_seat_from_display(const char *display, const char **seat, uint32_t *vtnr) {
union sockaddr_union sa = {};
_cleanup_free_ char *p = NULL, *sys_path = NULL, *tty = NULL;
_cleanup_free_ char *p = NULL, *tty = NULL;
_cleanup_close_ int fd = -1;
struct ucred ucred;
int v, r, salen;
dev_t display_ctty;
assert(display);
assert(vtnr);
@ -253,13 +251,7 @@ static int get_seat_from_display(const char *display, const char **seat, uint32_
if (r < 0)
return r;
r = get_ctty_devnr(ucred.pid, &display_ctty);
if (r < 0)
return r;
if (asprintf(&sys_path, "/sys/dev/char/%d:%d", major(display_ctty), minor(display_ctty)) < 0)
return -ENOMEM;
r = readlink_value(sys_path, &tty);
r = get_ctty(ucred.pid, NULL, &tty);
if (r < 0)
return r;
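Review bot: `get_ctty(ucred.pid, NULL, &tty)` looks up the controlling terminal by a PID taken from `ucred`, and nothing in this hunk (old or new path) re-checks that the PID still belongs to the display server when the lookup runs. A short comment on why that window is acceptable, or a check that closes it, would help. Also confirm that get_ctty() hands back `tty` in the same form the readlink_value() call on "/sys/dev/char/%d:%d" did, since the code after this hunk consumes that string to derive the seat and `vtnr`.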

@ -729,7 +729,7 @@ static void ipip_sit_init(NetDev *n) {
assert(t);
t->pmtudisc = true;
t->fou_encap_type = NETDEV_FOO_OVER_UDP_ENCAP_DIRECT;
t->fou_encap_type = FOU_ENCAP_DIRECT;
t->isatap = -1;
}
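Review bot: in ipip_sit_init(), `FOU_ENCAP_DIRECT` is also the name of a constant in the kernel's linux/fou.h, whereas `NETDEV_FOO_OVER_UDP_ENCAP_DIRECT` is clearly project-local. Make explicit which definition `t->fou_encap_type` is assigned from; if it is a project enum, a prefixed name avoids a clash or a silent type mix-up when both headers are included.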
@ -771,7 +771,7 @@ static void gre_erspan_init(NetDev *n) {
t->pmtudisc = true;
t->gre_erspan_sequence = -1;
t->fou_encap_type = NETDEV_FOO_OVER_UDP_ENCAP_DIRECT;
t->fou_encap_type = FOU_ENCAP_DIRECT;
}
static void ip6gre_init(NetDev *n) {
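Review bot: gre_erspan_init() gets the same constant swap as ipip_sit_init(), but ip6gre_init() starts on the last context line and its body is not part of the hunk. Check that every remaining initializer and the parser for the encapsulation setting use the same constant, so the file does not end up mixing `NETDEV_FOO_OVER_UDP_ENCAP_DIRECT` and `FOU_ENCAP_DIRECT`.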