systemd system manager release 250

After five months of development, systemd 250 has been released. The new release adds the ability to store credentials in encrypted form, verifies automatically detected GPT partitions with digital signatures, improves the information shown about the causes of delays while services start, adds options that limit a service's access to certain file systems and network interfaces, provides partition integrity monitoring using the dm-integrity module, and lets sd-boot update itself automatically.

Major changes:

  • Added support for encrypted and authenticated credentials, which is useful for securely storing sensitive material such as TLS keys and access passwords. Credentials are decrypted only when needed, and decryption is bound to the local installation or hardware. Data is encrypted with a symmetric key that can be stored in the file system, sealed in a TPM2 chip, or derived from a combination of both. When the service starts, its credentials are decrypted automatically and made available to it in plaintext. The 'systemd-creds' utility has been added for working with encrypted credentials, and the LoadCredentialEncrypted and SetCredentialEncrypted settings have been added for services.
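    As an added example (not part of the release notes or of any systemd project file), the following drop-in shows how a hypothetical webapp.service would consume an encrypted credential. The path /etc/webapp/tls.key.cred and the service name are assumptions; the ciphertext file is assumed to have been produced beforehand with `systemd-creds encrypt --name=tls.key --with-key=host+tpm2 /root/tls.key.plain /etc/webapp/tls.key.cred`, after which the plaintext copy can be deleted. At runtime the decrypted key exists only in the per-service credentials directory that systemd exposes as $CREDENTIALS_DIRECTORY.

```ini
# /etc/systemd/system/webapp.service.d/credentials.conf  (added example, assumed paths)
[Service]
# Run the daemon under a transient, unprivileged user; the credentials
# directory is created readable only by that user.
DynamicUser=yes

# Decrypt /etc/webapp/tls.key.cred at start-up and expose the plaintext as
# $CREDENTIALS_DIRECTORY/tls.key. The ciphertext is bound to this host's
# credential secret and its TPM2, so copying the file elsewhere is useless.
LoadCredentialEncrypted=tls.key:/etc/webapp/tls.key.cred

# Inline form: the base64 blob that "systemd-creds encrypt -p" prints for a
# short secret. Placeholder below stands in for that output.
SetCredentialEncrypted=db-password: \
    <base64 ciphertext printed by systemd-creds encrypt -p>

# The service reads the key from the credentials directory; nothing sensitive
# appears on the command line or in the unit file itself.
ExecStart=/usr/bin/webapp --tls-key=${CREDENTIALS_DIRECTORY}/tls.key
```

    The point worth checking after deployment is that `systemd-creds cat`-style access fails for other users and that the plaintext never lands on persistent storage: the decrypted credential lives on a tmpfs that disappears with the service.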
  • sd-stub, the EFI executable that lets EFI firmware load the Linux kernel, now supports booting the kernel via the LINUX_EFI_INITRD_MEDIA_GUID EFI protocol. sd-stub can also package credentials and sysext files into a cpio archive and pass it to the kernel alongside the initrd (the additional files are placed in the /.extra/ directory). This makes it possible to use a verified, immutable initrd environment that is complemented by sysexts and encrypted credentials.
  • The Discoverable Partitions specification has been significantly expanded, providing tools for identifying, mounting and activating system partitions using GPT (GUID Partition Tables). Compared to previous releases, the specification now supports the root partition and /usr partition for most architectures, including platforms that do not use UEFI.

    Discoverable Partitions also gains support for partitions whose integrity is verified by the dm-verity module using PKCS#7 digital signatures, making it easier to create fully authenticated disk images. Verification support is integrated into the various utilities that handle disk images, including systemd-nspawn, systemd-sysext, systemd-dissect, services using RootImage=, systemd-tmpfiles, and systemd-sysusers.

  • For units that take a long time to start or stop, the animated progress bar is now complemented by status information that shows what exactly is happening with the unit at the moment and which unit the system manager is currently waiting on.
  • Added the DefaultOOMScoreAdjust parameter to /etc/systemd/system.conf and /etc/systemd/user.conf, which sets the default OOM-killer score adjustment for processes that systemd starts on behalf of the system and of users. By default, system services are weighted more favourably than user services, i.e. when memory runs short, user services are more likely to be terminated than system ones.
  • Added the RestrictFileSystems setting, which restricts a service's access to certain types of file systems. The available file system types can be listed with the “systemd-analyze filesystems” command. By analogy, the RestrictNetworkInterfaces option has been implemented, which restricts access to certain network interfaces. Both are implemented on top of the BPF LSM, which restricts a group of processes' access to kernel objects.
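    The following unit is an added example, not from the release notes, showing both new restrictions applied to a hypothetical metrics exporter that only needs its own files on ext4 plus the basic kernel pseudo-filesystems, and only needs to talk on the loopback and one internal interface. The service name, binary path and interface name eth1 are assumptions.

```ini
# /etc/systemd/system/metrics-exporter.service  (added example)
[Unit]
Description=Metrics exporter with file-system and interface sandboxing (example)

[Service]
ExecStart=/usr/local/bin/metrics-exporter
DynamicUser=yes

# Allow-list of file system types the process may open files on. @basic-api
# covers the kernel pseudo-filesystems a normal process needs (proc, sysfs,
# cgroup, ...); ext4 is where the exporter's data lives. Anything else, e.g.
# a mounted USB stick on vfat or an NFS share, is refused with EPERM.
RestrictFileSystems=@basic-api ext4

# Allow-list of interfaces the process may send or receive on; prefixing the
# list with "~" would turn it into a deny-list instead.
RestrictNetworkInterfaces=lo eth1

# The usual companions, so the BPF LSM rules are not the only barrier.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes
```

    Both directives require the BPF LSM to be active in the running kernel (for example via `lsm=bpf` on the kernel command line); otherwise they are ignored and logged as unsupported, so a practitioner should confirm the restriction actually bites by checking the unit's status after start-up rather than assuming it from the unit file alone.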
  • Added a new /etc/integritytab configuration file and a systemd-integritysetup utility that configure the dm-integrity module to check data integrity at the sector level, for example to provide authenticated encryption, i.e. to detect that an encrypted block has been modified by bypassing the encryption layer. The format of /etc/integritytab is similar to /etc/crypttab and /etc/veritytab, except that dm-integrity is used instead of dm-crypt and dm-verity.
  • A new unit, systemd-boot-update.service, has been added; when it is enabled and the sd-boot bootloader is installed, systemd automatically updates the installed sd-boot binary, keeping the bootloader code up to date. sd-boot itself is now built by default with support for the SBAT (UEFI Secure Boot Advanced Targeting) mechanism, which addresses the revocation problem for UEFI Secure Boot. In addition, sd-boot can parse Microsoft Windows boot settings so that it names Windows boot entries correctly and shows the Windows version.

    sd-boot also lets a color scheme be defined at build time. While the boot menu is displayed, pressing the “r” key now changes the screen resolution, and the “f” hotkey enters the firmware configuration interface. A mode has been added that automatically boots the menu entry selected during the last boot. EFI drivers placed in the /EFI/systemd/drivers/ directory of the ESP (EFI System Partition) are now loaded automatically.

  • A new unit, factory-reset.target, is included; systemd-logind handles it in the same way as the reboot, poweroff, suspend and hibernate operations, and it serves as the hook point for handlers that perform a factory reset.
  • systemd-resolved now listens on an additional socket at 127.0.0.54 in addition to 127.0.0.53. Queries arriving at 127.0.0.54 are always forwarded to an upstream DNS server and are never answered locally.
  • Provided the ability to build systemd-importd and systemd-resolved with the OpenSSL library instead of libgcrypt.
  • Added initial support for the LoongArch architecture used in Loongson processors.
  • systemd-gpt-auto-generator can now automatically set up automatically discovered swap partitions that are encrypted with LUKS2.
  • The GPT image parsing code used in systemd-nspawn, systemd-dissect and similar utilities can now parse images built for other architectures, so systemd-nspawn can run such images under an emulator for the foreign architecture.
  • When inspecting disk images, systemd-dissect now displays information about the purpose of the partition, such as suitability for booting via UEFI or running in a container.
  • The “SYSEXT_SCOPE” field has been added to the system-extension.d/ files, indicating the scope of the system extension image: “initrd”, “system” or “portable”.
  • A “PORTABLE_PREFIXES” field has been added to the os-release file, which can be used in portable images to determine supported unit file prefixes.
  • systemd-logind introduces the new settings HandlePowerKeyLongPress, HandleRebootKeyLongPress, HandleSuspendKeyLongPress and HandleHibernateKeyLongPress, which determine what happens when the corresponding key is held down for more than 5 seconds (for example, a short press of the suspend key can put the system to sleep while a long press hibernates it).
  • For units, the StartupAllowedCPUs and StartupAllowedMemoryNodes settings are implemented; they differ from the equivalent settings without the Startup prefix in that they apply only during boot and shutdown, which allows different resource restrictions to be set while the system is starting.
  • Added [Condition|Assert][Memory|CPU|IO]Pressure checks that skip or fail a unit's activation when the PSI (Pressure Stall Information) mechanism reports high pressure on memory, CPU or I/O.
  • The default maximum inode limit has been increased for the /dev partition from 64k to 1M, and for the /tmp partition from 400k to 1M.
  • An ExecSearchPath setting has been added for services, which sets the directories searched for relative executable names used in ExecStart= and similar settings.
  • Added the RuntimeRandomizedExtraSec setting, which allows you to introduce random deviations into the RuntimeMaxSec timeout, which limits the execution time of a unit.
  • The syntax of the RuntimeDirectory, StateDirectory, CacheDirectory and LogsDirectory settings has been extended: by appending a colon and a second path, a symbolic link pointing at the directory is created as well, so the directory can be reached under several paths.
  • For services, TTYRows and TTYColumns settings are offered to set the number of rows and columns in the TTY device.
  • Added the ExitType setting, which changes how systemd decides that a service has finished. By default, systemd only watches for the death of the main process, but with ExitType=cgroup the system manager waits until the last process in the service's cgroup has exited.
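    The unit below is an added example, not from the release notes, that combines several of the new per-unit settings described above (the pressure conditions, ExecSearchPath, RuntimeRandomizedExtraSec, the colon syntax of StateDirectory and ExitType) in a single batch job. The job name, the /opt/indexer/bin directory and the rebuild-index program are assumptions.

```ini
# /etc/systemd/system/index-rebuild.service  (added example)
[Unit]
Description=Nightly index rebuild (example)
# Skip the job (the unit is left inactive, not failed) if memory pressure
# averaged over the last 5 minutes exceeds 20 %. Using AssertMemoryPressure=
# instead would mark the unit as failed, which is more visible in monitoring.
ConditionMemoryPressure=20%/5min

[Service]
Type=exec
# Relative program names in ExecStart= are resolved against this directory
# instead of the compiled-in default search path.
ExecSearchPath=/opt/indexer/bin
ExecStart=rebuild-index --all

# The launcher forks worker processes and then exits. Keep the unit active
# until the last process in its cgroup is gone, not just the main PID.
ExitType=cgroup

# Hard runtime cap, jittered by up to 10 minutes so that a fleet of identical
# hosts does not hit the limit and restart at exactly the same moment.
RuntimeMaxSec=4h
RuntimeRandomizedExtraSec=10min

# /var/lib/indexer is created for the job; /var/lib/indexer-legacy becomes a
# symlink to it so tools that still use the old path keep working.
StateDirectory=indexer:indexer-legacy
DynamicUser=yes
```

    When testing, `systemctl status index-rebuild.service` after a start attempt tells you whether the condition check skipped the unit; `systemd-analyze verify` on the file catches syntax errors in the new directives before they reach a production host.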
  • systemd-cryptsetup's implementation of TPM2/FIDO2/PKCS11 support is now also built as a cryptsetup plugin, allowing the normal cryptsetup command to be used to unlock an encrypted partition.
  • The TPM2 handler in systemd-cryptsetup now supports RSA primary keys in addition to ECC keys, improving compatibility with TPM2 chips that lack ECC support.
  • The token-timeout option has been added to /etc/crypttab, which allows you to define the maximum time to wait for a PKCS#11/FIDO2 token connection, after which you will be prompted to enter a password or recovery key.
  • systemd-timesyncd implements the SaveIntervalSec setting, which allows you to periodically save the current system time to disk, for example, to implement a monotonic clock on systems without an RTC.
  • Options have been added to the systemd-analyze utility: “--image” and “--root” for checking unit files inside a given image or root directory, “--recursive-errors” for taking dependent units into account when an error is detected, “--offline” for checking unit files saved on disk without contacting the running manager, “--json” for output in JSON format, “--quiet” to suppress unimportant messages, and “--profile” to apply a portable profile. Also added is the inspect-elf command for parsing core files in ELF format, and the ability to check unit files under a given unit name regardless of whether that name matches the file name.
  • systemd-networkd has expanded support for the Controller Area Network (CAN) bus. Added settings to control CAN modes: Loopback, OneShot, PresumeAck and ClassicDataLengthCode. Added TimeQuantaNSec, PropagationSegment, PhaseBufferSegment1, PhaseBufferSegment2, SyncJumpWidth, DataTimeQuantaNSec, DataPropagationSegment, DataPhaseBufferSegment1, DataPhaseBufferSegment2 and DataSyncJumpWidth options to the [CAN] section of .network files to control bit synchronization of the CAN interface.
  • systemd-networkd has added a Label option for the DHCPv4 client, which sets the address label used when configuring IPv4 addresses.
  • systemd-udevd's ethtool support now accepts the special value "max", which sets a ring buffer size to the maximum value supported by the hardware.
  • .link files for systemd-udevd can now configure interrupt coalescing parameters and hardware offload features of network adapters.
  • systemd-networkd offers new .network files by default: 80-container-vb.network to define network bridges created when running systemd-nspawn with the “--network-bridge” or “--network-zone” options; 80-6rd-tunnel.network to define tunnels that are automatically created when receiving a DHCP response with the 6RD option.
  • systemd-networkd and systemd-udevd have added support for IP over InfiniBand (IPoIB) interfaces: an “[IPoIB]” section has been added to systemd.netdev files, and the Kind setting accepts the value “ipoib”.
  • systemd-networkd can automatically configure routes for the addresses listed in the AllowedIPs setting; this is controlled through the RouteTable and RouteMetric settings in the [WireGuard] and [WireGuardPeer] sections.
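    As an added example (not from the release notes), this .netdev file shows the per-tunnel and per-peer route settings together; the interface name, key placeholders, endpoint and table number are all assumptions. Routes for each peer's AllowedIPs are installed into the table named in RouteTable=, and a peer can override the tunnel-wide choice.

```ini
# /etc/systemd/network/50-wg0.netdev  (added example, placeholder keys)
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
# Keep the private key out of the unit itself; the file should be root-only.
PrivateKeyFile=/etc/systemd/network/wg0.key
ListenPort=51820
# Default for all peers: put the AllowedIPs routes into policy-routing table
# 1000 rather than the main table, so a misconfigured peer cannot silently
# hijack the host's default route. A "RouteTable=off" would disable
# automatic route creation entirely.
RouteTable=1000
RouteMetric=100

[WireGuardPeer]
PublicKey=<peer public key placeholder>
PresharedKeyFile=/etc/systemd/network/wg0-peer1.psk
Endpoint=peer1.example.invalid:51820
AllowedIPs=10.20.0.0/24
# This peer's routes go to the main table instead of the tunnel default.
RouteTable=main
RouteMetric=50

[WireGuardPeer]
PublicKey=<second peer public key placeholder>
Endpoint=peer2.example.invalid:51820
AllowedIPs=10.30.0.0/24
# No override here, so table 1000 / metric 100 from [WireGuard] applies.
```

    A matching .network file that gives wg0 an address is still required; the automatic routes only cover what AllowedIPs= lists, so traffic to anything else is not steered into the tunnel.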
  • systemd-networkd now generates stable MAC addresses for batadv and bridge interfaces. To disable this behavior, specify MACAddress=none in the .netdev file.
  • A WakeOnLanPassword setting has been added to .link files in the “[Link]” section to determine the password when WoL is running in “SecureOn” mode.
  • Added AutoRateIngress, CompensationMode, FlowIsolationMode, NAT, MPUBytes, PriorityQueueingPreset, FirewallMark, Wash, SplitGSO and UseRawPacketSize settings to the “[CAKE]” section of .network files to define the parameters of the CAKE (Common Applications Kept Enhanced) network queue management mechanism.
  • Added an IgnoreCarrierLoss setting to the "[Network]" section of .network files, allowing you to determine how long to wait before reacting to a loss of carrier signal.
  • systemd-nspawn, homectl, machinectl and systemd-run have extended the syntax of the "--setenv" parameter: if only a variable name is given (without "="), the value is taken from the caller's environment variable of the same name (for example, "--setenv=FOO" copies the value of $FOO into the variable FOO inside the container).
  • systemd-nspawn has added a "--suppress-sync" option that turns the sync()/fsync()/fdatasync() system calls into no-ops inside the container (useful when speed matters more than durability, for example for build artifacts that can be recreated at any time if the run fails).
  • A new hwdb database has been added, which includes various types of signal analyzers (multimeters, protocol analyzers, oscilloscopes, etc.). Information about cameras in hwdb has been expanded with a field with information about the type of camera (regular or infrared) and lens placement (front or rear).
  • Enabled generation of stable network interface names for netfront devices used under Xen.
  • The analysis of core files by the systemd-coredump utility based on the libdw/libelf libraries is now performed in a separate process, isolated in a sandbox environment.
  • systemd-importd has added support for the environment variables $SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA and $SYSTEMD_IMPORT_SYNC, which disable the creation of Btrfs subvolumes and control quotas and disk synchronization respectively.
  • In systemd-journald, on file systems that support copy-on-write mode, COW mode is re-enabled for archived journals, allowing them to be compressed using Btrfs.
  • systemd-journald implements deduplication of identical fields in a single message, which is performed at the stage before placing the message in the journal.
  • Added "--show" option to shutdown command to display scheduled shutdown.

Source: opennet.ru
