Compare commits

...

7 Commits

Author SHA1 Message Date
Adrian Vovk 80572c2cfc
Merge c2bd862838 into fed7857672 2024-11-07 02:41:03 +01:00
Yu Watanabe fed7857672 NEWS: fix typo
Follow-up for a6d7cc74d6.
2024-11-07 10:05:32 +09:00
Lennart Poettering c8d45ebfd6 update TODO 2024-11-06 22:19:01 +01:00
Lennart Poettering acc8bae0b3 NEWS: various cleanups 2024-11-06 22:18:55 +01:00
Lennart Poettering a6d7cc74d6 NEWS: various cleanups 2024-11-06 21:50:56 +01:00
Adrian Vovk c2bd862838
wip 2024-09-22 01:34:05 -04:00
Adrian Vovk e20db952e2
WIP repart varlink 2024-09-19 08:26:13 -04:00
6 changed files with 285 additions and 155 deletions

322
NEWS
View File

@ -103,37 +103,37 @@ CHANGES WITH 257 in spe:
libsystemd: libsystemd:
* systemd's JSON API is now available as public interface of libsystemd * systemd's JSON API is now available as public interface of
under the name "sd-json". The purpose of the library is to allow libsystemd, under the name "sd-json". The purpose of the library is
structures to be conveniently created in C code and serialized to to allow structures to be conveniently created in C code and
JSON, and for JSON to be conveniently deserialized into in-memory serialized to JSON, and for JSON to be conveniently deserialized into
structures, using callbacks to handle specific keys. Various data in-memory structures, using callbacks to handle specific
types like integers, floats, booleans, strings, UUIDs, base64-encoded keys. Various data types like integers, floats, booleans, strings,
and hex-encoded binary data, and arrays are supported natively. The UUIDs, base64-encoded and hex-encoded binary data, and arrays are
library has been part of systemd for a while as internal component, supported natively. The library has been part of systemd for a while
and now being made publicly available, too. On major user of sd-json as internal component, and is now made publicly available. One major
is the JSON interface sd-varlink (see below). Note that documentation user of sd-json is sd-varlink (see below). Note that the
on sd-json is very much incomplete for now, but the systemd codebase documentation of sd-json is very much incomplete for now, but the
should provide plenty code real-life code examples. systemd codebase provides plenty real-life code examples.
* libsystemd's Varlink IPC API is now available as part of libsystemd * systemd's Varlink IPC API is now available as part of libsystemd,
under the name "sd-varlink". This library is a C implementation of under the name "sd-varlink". This library is a C implementation of
the Varlink IPC system (https://varlink.org/) that has been adopted the Varlink IPC system (https://varlink.org/) that has been adopted
by systemd for various interfaces. It relies on the sd-json JSON by systemd for various interfaces. It relies on the sd-json JSON
component, see above. Note that documentation on sd-varlink is very component, see above. Note that the documentation of sd-varlink is
much incomplete for now, but the systemd codebase should provide very much incomplete for now, but the systemd codebase provides
plenty code real-life code examples. plenty real-life code examples.
* sd-bus gained a new call sd_bus_pending_method_calls() which returns * sd-bus gained a new call sd_bus_pending_method_calls() which returns
the number of currently open asynchronous method calls initiated on the number of currently open asynchronous method calls initiated on
this connection towards peers. this connection towards peers.
* sd-device gained a new call sd_device_monitor_is_running() that * sd-device gained a new call sd_device_monitor_is_running() that
returns whener the specified monitor object is already running. It returns whether the specified monitor object is already running. It
also gained sd_device_monitor_get_fd(), also gained sd_device_monitor_get_fd(),
sd_device_monitor_get_events(), sd_device_monitor_get_timeout() and sd_device_monitor_get_events(), sd_device_monitor_get_timeout() and
sd_device_monitor_receive() to permit sd-device to run on a foreign sd_device_monitor_receive() to permit sd-device to run on top of a
event loop implementation. It also gained foreign event loop implementation. It also gained
sd_device_get_driver_subsystem() which returns the subsystem of sd_device_get_driver_subsystem() which returns the subsystem of
driver objects. The new sd_device_get_device_id() call returns a driver objects. The new sd_device_get_device_id() call returns a
short string identifying the device record. short string identifying the device record.
@ -148,8 +148,9 @@ CHANGES WITH 257 in spe:
* Multipath TCP (MPTCP) is now supported as a socket protocol for * Multipath TCP (MPTCP) is now supported as a socket protocol for
.socket units. .socket units.
* New /etc/fstab option x-systemd.wants= creates "Wants" dependencies. * A new /etc/fstab option x-systemd.wants= creates "Wants="
(This is similar to the previously available x-systemd.requires=.) dependencies. (This is similar to the previously available
x-systemd.requires=.)
* The initialization of the system clock during boot and updates has * The initialization of the system clock during boot and updates has
been simplified: both PID 1 or systemd-timesyncd will pick the latest been simplified: both PID 1 or systemd-timesyncd will pick the latest
@ -161,17 +162,17 @@ CHANGES WITH 257 in spe:
shutdown, so that the user may use it to initiate a reboot if the shutdown, so that the user may use it to initiate a reboot if the
system freezes otherwise. system freezes otherwise.
* The new unit option PrivateUsers=identity can be used to request a * The new value "identity" for the unit setting PrivateUsers= may be
user namespace with an identity mapping for the first 65536 used to request a user namespace with an identity mapping for the
UIDs/GIDs. This is analogous to the systemd-nspawn's first 65536 UIDs/GIDs. This is analogous to the systemd-nspawn's
--private-users=identity. --private-users=identity.
* The new unit option PrivateTmp=disconnected can be used to specify * The new value "disconnected" for the unit setting PrivateTmp= may be
that a separate tmpfs instance should be used for /tmp/ and /var/tmp/ used to specify that a separate tmpfs instance should be used for
for the unit. /tmp/ and /var/tmp/ for the unit.
* The manager (and various other tools too) use pidfds in more places * The server manager (and various other tools too) use pidfds in more
to refer to processes. places to refer to processes.
* A build option -D link-executor-shared=false can be used to build * A build option -D link-executor-shared=false can be used to build
the systemd-executor binary (added in a previous release) in a way the systemd-executor binary (added in a previous release) in a way
@ -185,41 +186,41 @@ CHANGES WITH 257 in spe:
execute. execute.
* The systemd.machine_id= kernel command line parameter interpreted by * The systemd.machine_id= kernel command line parameter interpreted by
PID 1 now supports an additional special value: if "firmware" is PID 1 now supports an additional special value: if set to "firmware"
specified the machine ID is initialized from the SMBIOS/DeviceTree the machine ID is initialized from the SMBIOS/DeviceTree system
system UUID. (Previously this was already done in VM environments, UUID. (Previously this was already done automatically in VM
this extends the concept to any system, but only on explicit request environments, this extends the concept to any system, but only on
via this option.) explicit request via this option.)
* The ImportCredential= setting in service unit files now permits * The ImportCredential= setting in service unit files now permits
renaming credentials imported. renaming of credentials as they are imported.
* The RestartMode= gained a new "debug" setting. If specified and the * The RestartMode= setting gained a new "debug" value. If specified and
service fails so that it shall be restarted it is invoked in the service fails so that it shall be restarted it is invoked in
"debugging mode". Debugging mode means that the $DEBUG_INVOCATION "debugging mode". Debugging mode means that the $DEBUG_INVOCATION
environment variable will be set to "1" for the new environment variable will be set to "1" for the new
invocation. Moreover, any setting LogLevelMax= will be temporarily invocation. Moreover, any setting LogLevelMax= will be temporarily
changed to "debug" for the next invocation. This mode is useful to changed to "debug" for the next invocation. This mode is useful to
repeat invocation of tools if they fail but with additional logging automatically repeat invocation of tools in case they fail but with
or testing routines turned on. additional logging or testing routines enabled.
* A new service setting BindLogSockets= has been added that * A new service setting BindLogSockets= has been added that
controls whether the AF_UNIX sockets required for logging shall be controls whether the AF_UNIX sockets required for logging shall be
bind mounted to the mount sandbox allocated for the service. bind mounted to the mount sandbox allocated for the service.
* PID 1 will now optionally load a policy for the new Linux IPE LSM at * At early boot, PID 1 will now optionally load a policy for the new
boot. Linux IPE LSM.
* Transient services (StartTransientUnit() D-Bus method) may now * Transient services (as invoked by the StartTransientUnit() D-Bus
receive additional, arbitrary file descriptors to pass to executed method) may now receive additional, arbitrary file descriptors to
service processes on activation using the new ExtraFileDescriptor= pass to executed service processes during activation using the new
unit property. ExtraFileDescriptor= unit property.
* Calendar .timer units gained a new boolean DeferReactivation= * Calendar .timer units gained a new boolean DeferReactivation=
option. If enabled and the repetitive calendar timer elapses again option. If enabled and the repetitive calendar timer elapses again
while the service the timer activates is still running, immediate while the service the timer activates is still running, immediate
reactivation once it finishes is skipped, and the timer has to elapse reactivation of the service once it finishes is skipped, and the
again before the service is reactivated. timer has to elapse again before the service is reactivated.
* Generator processes invoked by the service manager will now receive a * Generator processes invoked by the service manager will now receive a
new environment variable $SYSTEMD_SOFT_REBOOTS_COUNT that indicates new environment variable $SYSTEMD_SOFT_REBOOTS_COUNT that indicates
@ -245,10 +246,10 @@ CHANGES WITH 257 in spe:
"strict" a new cgroup namespace is allocated for the service, and "strict" a new cgroup namespace is allocated for the service, and
cgroupfs is mounted read-only for the service. cgroupfs is mounted read-only for the service.
* The StateDirectory=, RuntimeDirectory=, CacheDirectory=, LogsDirectory=, * The StateDirectory=, RuntimeDirectory=, CacheDirectory=,
and ConfigurationDirectory= settings gained support for configuring the LogsDirectory=, and ConfigurationDirectory= settings gained support
respective directories as read-only, via a ':ro' flag that can be for configuring the respective directories as read-only, via a ':ro'
appended to each setting. flag that can be appended to each setting's value.
* When DynamicUser= is combined with * When DynamicUser= is combined with
StateDirectory=/RuntimeDirectory=/CacheDirectory=/LogsDirectory= and StateDirectory=/RuntimeDirectory=/CacheDirectory=/LogsDirectory= and
@ -258,15 +259,15 @@ CHANGES WITH 257 in spe:
chown()ing. chown()ing.
* A new service property PrivatePIDs= has been added that runs executed * A new service property PrivatePIDs= has been added that runs executed
processes as PID 1 - the init process - within their own PID namespace. processes as PID 1 - the init process - within their own PID
PrivatePIDs= also mounts /proc/ so only processes within the new PID namespace. PrivatePIDs= also mounts /proc/ so only processes within
namespace are visible. the new PID namespace are visible.
systemd-udevd: systemd-udevd:
* udev rules now set 'uaccess' for /dev/udmabuf, giving locally * udev rules now set 'uaccess' for /dev/udmabuf, giving locally
logged-in users access to the hardware. This is necessary to support logged-in users access to the hardware. This is useful in order to
IPMI cameras with libcamera. support IPMI cameras with libcamera.
* Serial port devices will no longer show up as systemd units, unless * Serial port devices will no longer show up as systemd units, unless
they have an IO port or memory assigned to them. This means that only they have an IO port or memory assigned to them. This means that only
@ -281,9 +282,9 @@ CHANGES WITH 257 in spe:
searched for both on the interface's parent device (as before) and searched for both on the interface's parent device (as before) and
the device itself (new). the device itself (new).
* Various USB hardware wallets have are now recognized by udev via a * Various USB hardware wallets are now recognized by udev via a .hwdb
.hwdb file, and get the ID_HARDWARE_WALLET= property set, which file, and get the ID_HARDWARE_WALLET= property set, which enables
enables "uaccess" for them, i.e. direct unprivileged access. "uaccess" for them, i.e. direct unprivileged access.
* udevadm info will now output the device ID string in lines prefixed * udevadm info will now output the device ID string in lines prefixed
with "J:", and the driver subsystem in lines prefixed with "B:". with "J:", and the driver subsystem in lines prefixed with "B:".
@ -293,8 +294,8 @@ CHANGES WITH 257 in spe:
systemd-logind: systemd-logind:
* New DesignatedMaintenanceTime= configuration option allows * New DesignatedMaintenanceTime= configuration option allows shutdowns
shutdowns to be automatically scheduled at the specified time. to be automatically scheduled at the specified time.
* logind now reacts to Ctrl-Alt-Shift-Esc being pressed. It will send * logind now reacts to Ctrl-Alt-Shift-Esc being pressed. It will send
out a org.freedesktop.login1.SecureAttentionKey signal, indicating a out a org.freedesktop.login1.SecureAttentionKey signal, indicating a
@ -308,8 +309,8 @@ CHANGES WITH 257 in spe:
session switches away. session switches away.
* systemd-logind now exposes two D-Bus properties CanLock and CanIdle * systemd-logind now exposes two D-Bus properties CanLock and CanIdle
for all sessions that indicate whether the session's class supports for all sessions. These properties indicate whether the session's
screen locking and idle detection. class supports screen locking and idleness detection.
* systemd-inhibit now allows interactive polkit authorization. It * systemd-inhibit now allows interactive polkit authorization. It
gained a --no-ask-password option to suppress it. gained a --no-ask-password option to suppress it.
@ -320,12 +321,13 @@ CHANGES WITH 257 in spe:
Machines started via the systemd-vmspawn@.service unit will now be Machines started via the systemd-vmspawn@.service unit will now be
registered with systemd-machined. registered with systemd-machined.
* systemd-machined gained a pretty complete set of Varlink interfaces * systemd-machined gained a pretty complete set of Varlink APIs
to its functionality as alternative to the existing D-Bus interface. exposing its functionality. This is an alternative to the
pre-existing D-Bus interface.
systemd-resolved: systemd-resolved:
* resolvconf command now supports '-p' switch. If specified, the * The resolvconf command now supports '-p' switch. If specified, the
interface will not be used as the default route for domain name interface will not be used as the default route for domain name
lookups. lookups.
@ -337,11 +339,11 @@ CHANGES WITH 257 in spe:
* IPv6 address labels can be configured in a new [IPv6AddressLabel] * IPv6 address labels can be configured in a new [IPv6AddressLabel]
section with Prefix= and Label= settings. section with Prefix= and Label= settings.
* 'networkctl edit' can now read the new contents from standard input * 'networkctl edit' can now read the new file contents from standard
with the new --stdin option. input with the new --stdin option.
* 'networkctl edit' and 'cat' now supports editing .netdev files by * 'networkctl edit' and 'cat' now support editing/showing .netdev files
link. 'networkctl cat' can also list all configuration files by link. 'networkctl cat' can also list all configuration files
associated with an interface at once with ':all'. associated with an interface at once with ':all'.
* networkctl gained a --no-ask-password option to suppress interactive * networkctl gained a --no-ask-password option to suppress interactive
@ -350,7 +352,7 @@ CHANGES WITH 257 in spe:
* "mac" has been added to the default AlternativeNamesPolicy= setting * "mac" has been added to the default AlternativeNamesPolicy= setting
for network links (via 99-default.link). This means "enx*" interface for network links (via 99-default.link). This means "enx*" interface
names will now be added to the list of alternative interface names by names will now be added to the list of alternative interface names by
default for all interfaces that have a MAC address assigned to them default, for all interfaces that have a MAC address assigned
by hardware. by hardware.
* networkd .netdev bridge devices gained a new setting FDBMaxLearned= * networkd .netdev bridge devices gained a new setting FDBMaxLearned=
@ -365,18 +367,18 @@ CHANGES WITH 257 in spe:
thus highlighting conflict of ownership/management of these knobs. thus highlighting conflict of ownership/management of these knobs.
* systemd-networkd will now make RFC9463 DNR fields available to * systemd-networkd will now make RFC9463 DNR fields available to
systemd-resolved, for automatic DoT configuration, and similar. systemd-resolved, for automatic DNS DoT configuration, and similar.
systemd-boot, systemd-stub, and related tools: systemd-boot, systemd-stub, and related tools:
* The EFI stub now supports loading of .ucode sections with microcode * The EFI stub now supports loading of .ucode sections with microcode
from PE add-on files. It now also supports loading .initrd sections from PE add-on files. It also now supports loading .initrd sections
from PE add-on files. from PE add-on files.
* A new .profile PE section type is now documented and supported in * A new .profile PE section type is now documented and supported in
systemd-measure, ukify, systemd-stub and systemd-boot. Those new systemd-measure, ukify, systemd-stub and systemd-boot. These new
sections allow multiple "profiles" to be stored together in the UKI, sections allow multiple "profiles" to be stored together in the UKI,
with .profile sections creating groupings of sections in the UKI, where each .profile section creates groupings of sections in the UKI,
allowing some sections to be shared and other sections like .cmdline allowing some sections to be shared and other sections like .cmdline
or .initrd unique to the profile. This may be used to provide a or .initrd unique to the profile. This may be used to provide a
single UKI that synthesizes multiple menu items in the boot menu (for single UKI that synthesizes multiple menu items in the boot menu (for
@ -389,10 +391,10 @@ CHANGES WITH 257 in spe:
can contain multiple .dtbauto sections, and the 'compatible' string can contain multiple .dtbauto sections, and the 'compatible' string
therein will be compared with the equivalent field in the DTB therein will be compared with the equivalent field in the DTB
provided by the firmware, if present. If absent, SMBIOS will be used provided by the firmware, if present. If absent, SMBIOS will be used
to calculate hardware IDs and compare them with the content of to calculate hardware IDs (CHIDs) and look them up in the content of
.hwids. This allows including multiple DTBs in a single UKI, with .hwids, hopefully revealing an fallback 'compatible' string. This
the bootloader automatically selecting the correct one for the allows including multiple DTBs in a single UKI, with systemd-stub
current hardware. automatically loading the correct one for the current hardware.
* ukify gained an --extend switch to import an existing UKI to * ukify gained an --extend switch to import an existing UKI to
be extended, and a --measure-base= switch to support measurement be extended, and a --measure-base= switch to support measurement
@ -405,25 +407,26 @@ CHANGES WITH 257 in spe:
* systemd-stub will report the partition UUID and image identifier its * systemd-stub will report the partition UUID and image identifier its
UKI executable is placed on separately from the data systemd-boot UKI executable is placed on separately from the data systemd-boot
provides about where to find its own executable. This is useful when provides about where to find its own executable, via EFI
systemd-boot and UKIs are placed on distinct partitions (i.e. ESP and variables. This is useful when systemd-boot and UKIs are placed on
XBOOTLDR). distinct partitions (i.e. ESP and XBOOTLDR).
* bootctl --print-loader-path and --print-stub-path that output the * bootctl gained new switches --print-loader-path and --print-stub-path
path to the boot loader or UKI used for the current boot. that output the path to the boot loader or UKI used for the current
boot.
* bootctl kernel-identify now supports identifying EFI add-ons. * bootctl kernel-identify now recognizes EFI add-ons.
* bootctl gained a --random-seed=yes|no option to control provisioning * bootctl gained a --random-seed=yes|no option to control provisioning
of the random seed file in ESP. (This is useful when producing an of the random seed file in the ESP. (This is useful when producing an
image that will be used multiple times.) image that will be used in multiple instances.)
* bootctl now optionally supports installing UEFI Secure Boot databases * bootctl now optionally supports installing UEFI Secure Boot databases
(ESLs) for systemd-boot to pick up and automatically enroll if the (i.e. db/dbx/… databases in ESL format) for systemd-boot to pick up
system is booted in Setup Mode. This is controlled via bootctl's new and automatically enroll if the system is booted in Setup Mode. This
--secure-boot-auto-enroll=yes switch (and some auxiliary ones). A is controlled via bootctl's new --secure-boot-auto-enroll=yes switch
certificate can be provided in DER format, and it is automatically (and some auxiliary ones). A certificate can be provided in DER
converted into an ESL, as needed. format, and is automatically converted into an ESL, as needed.
* bootctl, systemd-measure, systemd-repart when referencing signing * bootctl, systemd-measure, systemd-repart when referencing signing
keys on OpenSSL engines may now query for PINs and similar via keys on OpenSSL engines may now query for PINs and similar via
@ -431,9 +434,9 @@ CHANGES WITH 257 in spe:
caching and UI). caching and UI).
* A new systemd-sbsign tool has been added, that can be used to sign * A new systemd-sbsign tool has been added, that can be used to sign
EFI binaries (PE). This tool supports OpenSSL engines and providers, EFI binaries (PE) for Secure Boot. This tool supports OpenSSL engines
with pin caching support for PKCS11. ukify supports it as an and providers, with pin caching support for PKCS11. ukify supports it
alternative to sbsigntool and pesign. as an alternative to sbsigntool and pesign.
The journal: The journal:
@ -468,22 +471,22 @@ CHANGES WITH 257 in spe:
and AppStream metadata. and AppStream metadata.
* Transfer definitions for systemd-sysupdate are supposed to carry the * Transfer definitions for systemd-sysupdate are supposed to carry the
".transfer" suffix now, changing from ".conf". The latter is ".transfer" suffix now, changing from ".conf". The latter remains
supported for compatibility too, but it's recommended to rename all supported for compatibility, but it's recommended to rename all files
files reflecting this suffix change. reflecting this suffix change.
* systemd-sysupdate now supports a new ".feature" files that may be * systemd-sysupdate now supports new ".feature" files that may be
used in conjunction with ".transfer" files to group them together, and used in conjunction with ".transfer" files to group them together, and
allow them to be turned off or on, individually per group. allow them to be turned off or on, individually per group.
TPM & systemd-cryptsetup: TPM & systemd-cryptsetup:
* The 'tpm2' verb which lists usable TPM2 devices has been moved from * The 'has-tpm2' verb which reports whether TPM2 functionality is
systemd-creds to systemd-analyze. available has been moved from systemd-creds to systemd-analyze.
* systemd-tpm2-setup will gracefully handle TPMs that have a PIN set on * systemd-tpm2-setup will gracefully handle TPMs that have a PIN set on
the TPM, and not automatically set up a Storage Root Key (SRK) in the TPM, and not attempt to automatically set up a Storage Root Key
that case. (SRK) in that case.
* New crypttab option password-cache=yes|no|read-only can be used to * New crypttab option password-cache=yes|no|read-only can be used to
customize password caching. customize password caching.
@ -525,7 +528,7 @@ CHANGES WITH 257 in spe:
start the specified executable on the remote side, and communicate start the specified executable on the remote side, and communicate
with the remote process using the Varlink protocol. with the remote process using the Varlink protocol.
"ssh:" address specification has been renamed to "ssh-unix:" The "ssh:" address specification has been renamed to "ssh-unix:"
(reflecting the fact it is used to connect to a remote AF_UNIX socket (reflecting the fact it is used to connect to a remote AF_UNIX socket
via SSH). The old syntax is still supported for backwards via SSH). The old syntax is still supported for backwards
compatibility. compatibility.
@ -546,7 +549,8 @@ CHANGES WITH 257 in spe:
to enable internal compression in filesystems created offline. to enable internal compression in filesystems created offline.
* systemd-repart understands a new MakeSymlinks= option to create one * systemd-repart understands a new MakeSymlinks= option to create one
or more symlinks (each specified as a symlink name and target). or more symlinks (each specified as a symlink name and target) within
a newly formatted file system.
* systemd-repart gained a new SupplementFor= setting that allows * systemd-repart gained a new SupplementFor= setting that allows
allocating a partition only if some other existing partition cannot allocating a partition only if some other existing partition cannot
@ -559,15 +563,15 @@ CHANGES WITH 257 in spe:
systemd-ssh-proxy: systemd-ssh-proxy:
* systemd-ssh-proxy now also supports the "VSOCK MUX" protocol used by * systemd-ssh-proxy now also supports the AF_UNIX-based "VSOCK MUX"
CloudHypervisor/Firecracker to expose AF_VSOCK sockets of the VM on protocol used by CloudHypervisor/Firecracker to expose AF_VSOCK
the host. Or in other words: it's now possible to directly connect to sockets of the VM on the host. Or in other words: it's now possible
ssh via AF_VSOCK from hosts to VMs of these two hypervisors to directly connect to ssh via AF_VSOCK from hosts to VMs of these
(previously this was only supported for hypervisors which expose two hypervisors (previously this was only supported for hypervisors
AF_VSOCK on the host as AF_VSOCK, such as qemu). which expose AF_VSOCK on the host as AF_VSOCK, such as qemu).
* systemd-ssh-proxy can now reference local VMs by their name: connect * systemd-ssh-proxy can now reference local VMs by their name: connect
to any local VM "foobar" registered with machined via "ssh to any local VM "foobar" registered with systemd-machined via "ssh
machine/foobar" using the AF_VSOCK protocol. machine/foobar" using the AF_VSOCK protocol.
systemd-analyze: systemd-analyze:
@ -591,7 +595,6 @@ CHANGES WITH 257 in spe:
* 'busctl monitor' gained new options --limit-messages= and --timeout= * 'busctl monitor' gained new options --limit-messages= and --timeout=
to set the number of matches or limit the runtime of the command. to set the number of matches or limit the runtime of the command.
This is intended to be used in scripts.
* busctl now supports doing method calls with embedded unix file * busctl now supports doing method calls with embedded unix file
descriptors. descriptors.
@ -609,9 +612,9 @@ CHANGES WITH 257 in spe:
systemd-importd: systemd-importd:
* A new generator sytemd-import-generator has been added to * A new generator sytemd-import-generator has been added to synthesize
synthetisize image download jobs. This provides functionality similar image download jobs. This provides functionality similar to
to importctl, but configured via the kernel command line and system importctl, but is configured via the kernel command line and system
credentials. It may be used to automatically download sysext, credentials. It may be used to automatically download sysext,
confext, portable service, nspawn container or vmspawn VM images at confext, portable service, nspawn container or vmspawn VM images at
boot. boot.
@ -640,6 +643,32 @@ CHANGES WITH 257 in spe:
systemd-homed to allow users to change selected properties of their systemd-homed to allow users to change selected properties of their
own user records. own user records.
systemd-run & run0:
* run0 gained a new pair of settings --pty and --pipe that control
whether to invoke the specified binary on a freshly allocated pseudo
TTY, or whether to pass the client's STDIN/STDOUT/STDERR through
directly.
* run0 gained a new switch --shell-prompt-prefix= that permits passing
in a string to display on each shell prompt as prefix. If not
specified otherwise this will show a superhero emoji (🦸), in order
to visually communicate the temporarily elevated privileges a run0
session provides. This makes use of the $SHELL_PROMPT_PREFIX
environment variables mentioned below.
* systemd-run can output some of its runtime data in JSON format via
the new --json= option.
systemd-tmpfiles:
* systemd-tmpfiles --purge switch now requires specification of at
least one tmpfiles.d/ drop-in file.
* tmpfiles.d/ files gained a new '?' specifier for the 'L' line type to
create a symlink only if the source exists, and gracefully skip the
line otherwise.
Miscellaneous: Miscellaneous:
* systemctl now supports the --now option with the 'reenable' verb. * systemctl now supports the --now option with the 'reenable' verb.
@ -654,21 +683,13 @@ CHANGES WITH 257 in spe:
* localectl gained a -l/--full option to show output without * localectl gained a -l/--full option to show output without
ellipsization. ellipsization.
* systemd-run can output some data as JSON via the new --json= option.
* timedatectl now supports interactive polkit authorization. * timedatectl now supports interactive polkit authorization.
* systemd-tmpfiles --purge switch now requires specification of at
least one tmpfiles.d/ drop-in file.
* tmpfiles.d gained a new '?' specifier for the 'L' type to create a
symlink only if the source exists, and gracefully skip otherwise.
* The new Linux mseal(), listmount(), statmount() syscalls have been * The new Linux mseal(), listmount(), statmount() syscalls have been
added to relevant system call groups. added to relevant system call groups.
* The systemd-ask-password concept has been extended with a per-user * The systemd-ask-password logic has been extended with a per-user
concept, i.e. user programs may now ask for passwords via the same scope, i.e. user programs may now ask for passwords via the same
mechanism and the previously system-wide only mechanism. mechanism and the previously system-wide only mechanism.
* A new set of system/service credentials are added: * A new set of system/service credentials are added:
@ -681,17 +702,8 @@ CHANGES WITH 257 in spe:
useful to visually highlight the fact a specific shell prompt useful to visually highlight the fact a specific shell prompt
originates from a specific system, execution context or tool. These originates from a specific system, execution context or tool. These
credentials and environment variables are supposed to be generically credentials and environment variables are supposed to be generically
useful within and outside of the immediate systemd context. useful within and outside of the immediate systemd context. It is
also used by 'run0', see above.
* run0 gained a new pair of settings --pty and --pipe that control
whether to invoke the specified binary on a freshly allocated pseudo
TTY, or whether to pass the client's STDIN/STDOUT/STDERR through
directly. run0 also gained a new switch --shell-prompt-prefix= that
permits passing in a string to display on each shell prompt as
prefix. If not specified otherwise this will show a superman emoji
(🦸), in order to visually communicate the temporarily elevated
privileges a run0 session provides. This makes use of the
$SHELL_PROMPT_PREFIX environment variables mentioned above.
* New RELEASE_TYPE=, EXPERIMENT=, EXPERIMENT_URL= fields have been * New RELEASE_TYPE=, EXPERIMENT=, EXPERIMENT_URL= fields have been
defined for the /etc/os-release file. For example, defined for the /etc/os-release file. For example,
@ -718,28 +730,28 @@ CHANGES WITH 257 in spe:
https://github.com/microsoft/terminal/pull/8055 https://github.com/microsoft/terminal/pull/8055
https://conemu.github.io/en/AnsiEscapeCodes.html#ConEmu_specific_OSC https://conemu.github.io/en/AnsiEscapeCodes.html#ConEmu_specific_OSC
* systemd-sysusers is now able to create fully locked accounts. For * systemd-sysusers is now able to create fully locked user
compatibility it so far created accounts with a locked (i.e. invalid) accounts. For compatibility it so far created accounts with a locked
password, but not marked locked as a whole. With the new "!" modifier (i.e. invalid) password, but not marked locked as a whole. With the
for "u" lines, it is now possible to create fully locked new "!" modifier for "u" lines, it is now possible to create fully
accounts. The distinction between accounts with a locked password and locked accounts. The distinction between accounts with a locked
fully locked accounts is relevant when considering non-password forms password and fully locked accounts is relevant when considering
of authentication, i.e. SSH and such. It is strongly recommended to non-password forms of authentication, i.e. SSH and such. It is
make use of this new feature for almost all system accounts, since strongly recommended to make use of this new feature for almost all
they usually do not require (and should not permit) interactive system accounts, since they usually do not require (and should not
logins. All of systemd's own system users have been changed to be permit) interactive logins. All of systemd's own system users have
marked as fully locked. been changed to be marked as fully locked.
* systemd-coredump now supports a new EnterNamespace= option, which * systemd-coredump now supports a new EnterNamespace= option, which
defaults to off. If enabled systemd-coredump will access the mount defaults to off. If enabled systemd-coredump will access the mount
namespace of any crashed process to acquire debug symbol information, namespace of any crashed process to acquire debug symbol information,
in order to be able to symbolized backtraces. This option is useful in order to be able to symbolize backtraces. This option is useful to
to improve backtraces of processes of containerized improve backtraces of processes of containerized applications. (Note
applications. (Note that the host systemd-coredump preferably that the host systemd-coredump preferably dispatches coredump
dispatches coredump processing to the container itself, if it processing to the container itself, if it supports that. Only full-OS
supports that. Only full-OS containers which run systemd inside will containers which run systemd inside will support this however, in
support this however, in which case EnterNamespace= might be an other cases EnterNamespace= might be an suitable approach to acquire
alternative approach to acquire symbolized backtraces.) symbolized backtraces.)
Contributions from: A. Wilcox, Abderrahim Kitouni, Adrian Vovk, Contributions from: A. Wilcox, Abderrahim Kitouni, Adrian Vovk,
Alain Greppin, Allison Karlitskaya, Alyssa Ross, Anders Jonsson, Alain Greppin, Allison Karlitskaya, Alyssa Ross, Anders Jonsson,

6
TODO
View File

@ -129,6 +129,12 @@ Deprecations and removals:
Features: Features:
* machined: when registering a machine, also take a relative cgroup path,
relative to the machine's unit. This is useful when registering unpriv
machines, as they might sit down the cgroup tree, below a cgroup delegation
boundary. Then, install an inotify watch on that cgroup to track when the
machine's local cgroup goes down.
* resolved: report ttl in resolution replies if we know it. This data is useful * resolved: report ttl in resolution replies if we know it. This data is useful
for tools such as wireguard which want to periodically re-resolve DNS names, for tools such as wireguard which want to periodically re-resolve DNS names,
and might want to use the TTL has hint for that. and might want to use the TTL has hint for that.

View File

@ -79,6 +79,7 @@
#include "tpm2-util.h" #include "tpm2-util.h"
#include "user-util.h" #include "user-util.h"
#include "utf8.h" #include "utf8.h"
#include "varlink.h"
/* If not configured otherwise use a minimal partition size of 10M */ /* If not configured otherwise use a minimal partition size of 10M */
#define DEFAULT_MIN_SIZE (10ULL*1024ULL*1024ULL) #define DEFAULT_MIN_SIZE (10ULL*1024ULL*1024ULL)
@ -8882,6 +8883,9 @@ done:
} }
static int determine_auto_size(Context *c) { static int determine_auto_size(Context *c) {
// TODO: Add an argument to ignore any existing partitions, and ptables.
// To calculate how much bigger the disk would need to be to fit the image, or to determine how big
// the disk needs to be in the first place to fit the image
uint64_t sum; uint64_t sum;
assert(c); assert(c);

View File

@ -194,6 +194,7 @@ shared_sources = files(
'varlink-io.systemd.Resolve.Monitor.c', 'varlink-io.systemd.Resolve.Monitor.c',
'varlink-io.systemd.UserDatabase.c', 'varlink-io.systemd.UserDatabase.c',
'varlink-io.systemd.oom.c', 'varlink-io.systemd.oom.c',
'varlink-io.systemd.Repart.c',
'varlink-io.systemd.service.c', 'varlink-io.systemd.service.c',
'varlink-io.systemd.sysext.c', 'varlink-io.systemd.sysext.c',
'varlink-serialize.c', 'varlink-serialize.c',

View File

@ -0,0 +1,101 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "varlink-io.systemd.repart.h"
#include "sd-varlink-idl.h"
/* NOTE: This API was intentionally designed to be the minimum needed by known clients. With Varlink, you can
* always add more functionality, but removing functionality would be backwards incompatible. If
* something you need is missing, PRs implementing it will be welcome! */
static SD_VARLINK_DEFINE_ENUM_TYPE(
EmptyMode,
SD_VARLINK_FIELD_COMMENT("Refuse to operate on disks without an existing partition table"),
SD_VARLINK_DEFINE_ENUM_VALUE(refuse),
SD_VARLINK_FIELD_COMMENT("Create a new partition table if one doesn't already exist on disk"),
SD_VARLINK_DEFINE_ENUM_VALUE(allow),
SD_VARLINK_FIELD_COMMENT("Refuse to operate on disks with an existing partition table, and create a new table if none exists."),
SD_VARLINK_DEFINE_ENUM_VALUE(require),
SD_VARLINK_FIELD_COMMENT("Always create a new partition table, potentially overwriting an existing table. Use with great care, this has the effect of erasing the disk."),
SD_VARLINK_DEFINE_ENUM_VALUE(force),
SD_VARLINK_FIELD_COMMENT("Create a new loopback file of specified size at the specified device node path."),
SD_VARLINK_DEFINE_ENUM_VALUE(create));
static SD_VARLINK_DEFINE_METHOD(
Check,
SD_VARLINK_FIELD_COMMENT("The path to the target block device's node. The client should use the target's by-diskseq symlink if possible."),
SD_VARLINK_DEFINE_INPUT(node, SD_VARLINK_STRING, 0),
/* Known-missing: node isn't optional, since there's no reason for an OS installer to operate on its own host system */
SD_VARLINK_FIELD_COMMENT("Paths to folders containing static definition files to be used by the client. Note that this is NOT intended for dynamically-generated definitions created by code."),
SD_VARLINK_DEFINE_INPUT(definition_paths, SD_VARLINK_STRING, SD_VARLINK_ARRAY),
/* Known-missing: A field for code-generated definitions. This shouldn't be hard to impl,
* just tedious: you'd need to define a Varlink type for a Partition definition (following the
* format of the config file) and then implement the parsing for it. Also, then make definition_paths
* nullable. */
SD_VARLINK_FIELD_COMMENT("Controls how to handle disks that lack a partition table (i.e. are empty)."),
SD_VARLINK_DEFINE_INPUT_BY_TYPE(empty_mode, EmptyMode, 0),
/* Known-missing: Repart's copy_from functionality */
/* Known-missing: An output field describing what the partition layout would look like if the
* image were to be deployed. */);
static SD_VARLINK_DEFINE_ENUM_TYPE(
EmptyMode,
SD_VARLINK_FIELD_COMMENT("Refuse to operate on disks without an existing partition table"),
SD_VARLINK_DEFINE_ENUM_VALUE(refuse),
SD_VARLINK_FIELD_COMMENT("Create a new partition table if one doesn't already exist on disk"),
SD_VARLINK_DEFINE_ENUM_VALUE(allow),
SD_VARLINK_FIELD_COMMENT("Refuse to operate on disks with an existing partition table, and create a new table if none exists."),
SD_VARLINK_DEFINE_ENUM_VALUE(require),
SD_VARLINK_FIELD_COMMENT("Always create a new partition table, potentially overwriting an existing table. Use with great care, this has the effect of erasing the disk."),
SD_VARLINK_DEFINE_ENUM_VALUE(force),
SD_VARLINK_FIELD_COMMENT("Create a new loopback file of specified size at the specified device node path."),
SD_VARLINK_DEFINE_ENUM_VALUE(create));
static SD_VARLINK_DEFINE_STRUCT_TYPE(
PartitionProgress,
SD_VARLINK_FIELD_COMMENT("The current step being performed by the partitioner")
);
static SD_VARLINK_DEFINE_METHOD(
Partition,
/* Note: the inputs here are parsed through the same code paths as Check(), so make sure that
* the arguments that are shared would be parsed the same way. */
SD_VARLINK_FIELD_COMMENT("The path to the target block device's node. The client should use the target's by-diskseq symlink if possible."),
SD_VARLINK_DEFINE_INPUT(node, SD_VARLINK_STRING, 0),
SD_VARLINK_FIELD_COMMENT("Paths to folders containing static definition files to be used by the client. Note that this is NOT intended for dynamically-generated definitions created by code."),
SD_VARLINK_DEFINE_INPUT(definition_paths, SD_VARLINK_STRING, SD_VARLINK_ARRAY),
/* Knowwn-missing: dynamic code-generated definitions. */
SD_VARLINK_FIELD_COMMENT("Controls how to handle disks that lack a partition table (i.e. are empty)."),
SD_VARLINK_DEFINE_INPUT_BY_TYPE(empty_mode, EmptyMode, 0),
SD_VARLINK_FIELD_COMMENT("Used to report progress information back to the client."),
SD_VARLINK_DEFINE_OUTPUT_BY_TYPE(progress, PartitionProgress, SD_VARLINK_NULLABLE)
/* Known-missing: An output field describing the final layout of the disk */);
static SD_VARLINK_DEFINE_ERROR(
DiskTooSmall,
SD_VARLINK_FIELD_COMMENT("The minimum required size of the disk to fit the specified image",
SD_VARLINK_DEFINE_FIELD(min_size, SD_VARLINK_INT, 0));
static SD_VARLINK_DEFINE_ERROR(
InsufficientFreeSpace,
SD_VARLINK_FIELD_COMMENT("An estimate of the amount of usable free space on disk. It's actually the size of the largest contiguous free area."),
SD_VARLINK_DEFINE_FIELD(estimated_free, SD_VARLINK_INT, 0),
SD_VARLINK_FIELD_COMMENT("The minimum required amount of free space to fit the image.",
SD_VARLINK_DEFINE_FIELD(min_required, SD_VARLINK_INT, 0));
SD_VARLINK_DEFINE_INTERFACE(
io_systemd_Repart,
"io.systemd.Repart",
SD_VARLINK_INTERFACE_COMMENT("APIs for declaratively re-partitioning disks. Most useful for OS installers. This API is intentionally designed to be the minimum necessary for known clients, so if you need some functionality that's missing PRs are welcome!");
SD_VARLINK_SYMBOL_COMMENT("Behaviors for disks that are completely empty (i.e. don't have a partition table yet)"),
&vl_type_EmptyMode,
SD_VARLINK_SYMBOL_COMMENT("Checks if an image will fit on a given target disk."),
&vl_method_Check,
SD_VARLINK_SYMBOL_COMMENT("Deploy an image onto a given target disk."),
&vl_method_Partition,
SD_VARLINK_SYMBOL_COMMENT("The target disk is too small to fit the partition table!"),
&vl_error_DiskTooSmall,
SD_VARLINK_SYMBOL_COMMENT(""),
&vl_error_WontFit);

View File

@ -0,0 +1,6 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
#include "sd-varlink-idl.h"
extern const VarlinkInterface vl_interface_io_systemd_repart;