systemd 245 available with portable home directory implementation

After three months of development, the systemd 245 system manager release has been published. The new release adds the systemd-homed and systemd-repart components, includes support for portable user profiles in JSON format, lets systemd-journald run with separate namespaces, and adds support for the “pidfd” mechanism. The project website has been completely redesigned; it now gathers most of the available documentation and introduces a new logo.

All changes:

  • Added the systemd-homed service, which manages portable home directories delivered as a mountable image file whose contents are encrypted. systemd-homed allows you to create self-contained environments for user data that can be transferred between systems without worrying about identifier synchronization or confidentiality. User credentials are tied to the home directory rather than to system settings: a JSON-format profile is used instead of /etc/passwd, /etc/group and /etc/shadow. For more details, see the earlier systemd-homed announcement.
  • Added the systemd-homed companion component “userdb” (“systemd-userdb”), which translates UNIX/glibc NSS accounts into JSON records and provides a unified Varlink API for querying and iterating over records. The JSON profile associated with the home directory specifies the parameters required for the user's work, including the username, password hash, encryption keys, quotas and provisioned resources. The profile can be certified with a digital signature stored on an external Yubikey token. The “userdbctl” utility is proposed for managing profiles. Support for JSON profiles has been added to various systemd components, including systemd-logind and pam-systemd, allowing users of portable directories to authenticate, log in, set environment variables, create a session, set limits, etc. In the future, the sssd framework is expected to be able to generate JSON profiles from user settings stored in LDAP.
  • A new utility, “systemd-repart”, has been added for repartitioning disks with GPT partition tables. The partition structure is defined declaratively through files that describe which partitions must or may exist. At each boot, the actual partition table is compared with these files, after which missing partitions are added or, if the relative or absolute size defined in the settings is not met, existing ones are grown. Only incremental changes are allowed, i.e. deleting or shrinking is not possible; partitions can only be added and enlarged.
    The utility is designed to be launched from the initrd and automatically detects the disk on which the root partition is located, so no additional configuration is required beyond the files defining the changes.

    In practice, systemd-repart can be useful for operating system images that are initially shipped in a minimal form and, after the first boot, are expanded to the size of the underlying block device or supplemented with additional partitions (for example, the root partition can be grown to cover the entire disk, or a swap partition or /home can be created on first boot). Another use would be configurations with two rotating partitions - only the first partition might be supplied initially, and the second one would be created on first boot.
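    As an added illustration of the declarative model described above (constructed for this article, not taken from the systemd release or its documentation), three definition files for the "grow root, add swap and /home on first boot" scenario might look like this. The file names, the /etc/repart.d/ directory and the exact key names are assumptions based on the repart.d format; verify them against the systemd-repart documentation of the release you run:

```ini
# /etc/repart.d/10-root.conf (constructed example)
# Matches the existing root partition by its GPT type and lets it grow into
# the free space left after the image was written to a larger disk.
[Partition]
Type=root
Weight=1000

# /etc/repart.d/20-swap.conf (constructed example)
# Created on first boot if no swap partition exists; bounded to 1G..4G so
# that it never consumes all of the remaining space.
[Partition]
Type=swap
SizeMinBytes=1G
SizeMaxBytes=4G

# /etc/repart.d/30-home.conf (constructed example)
# A separate /home, created only when absent. With Weight=500 it receives half
# as much of the leftover space as the root partition (Weight=1000).
[Partition]
Type=home
Weight=500
SizeMinBytes=2G
```

    Because only additions and growth are permitted, none of these files can shrink or remove a partition that already exists on the disk. Running systemd-repart in dry-run mode against the target device prints the planned changes without applying them, which is the check to do before enabling it in an image.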

  • It is now possible to run multiple instances of systemd-journald, each keeping its logs in its own namespace. In addition to the main systemd-journald.service, a systemd-journald@.service template is provided for creating additional instances; units are bound to a namespace using the “LogNamespace” directive. Each log namespace is served by a separate background process with its own set of settings and limits. The feature may be useful for load balancing with a large volume of logs or for strengthening application isolation. A "--namespace" option has been added to journalctl to restrict a query to the specified namespace.
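    An added example of how a unit is attached to a log namespace and how that namespace gets its own limits (constructed for this article, not from the release or the systemd project; the service name, binary path and the chosen limits are assumptions, the per-namespace configuration file path follows the journald.conf naming for namespaces):

```ini
# /etc/systemd/system/webapp.service (constructed example)
[Unit]
Description=Web application logging into its own journal namespace

[Service]
ExecStart=/usr/local/bin/webapp
# Send this unit's stdout/stderr and native journal output to the "webapp"
# namespace, which is served by the systemd-journald@webapp.service instance
# that systemd pulls in for it.
LogNamespace=webapp

[Install]
WantedBy=multi-user.target

# /etc/systemd/journald@webapp.conf (constructed example)
# Settings and limits for the "webapp" namespace only: a noisy or compromised
# application cannot exhaust the disk budget or rate limits of the main journal.
[Journal]
SystemMaxUse=500M
RateLimitIntervalSec=30s
RateLimitBurst=1000
```

    The isolation works in both directions: a plain `journalctl` shows only the default namespace, so the application's logs are read with `journalctl --namespace=webapp -u webapp.service`, and `--namespace='*'` merges all namespaces when a whole-host view is needed during an investigation.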
  • Systemd-udevd and other systemd components have added support for a mechanism for assigning alternative names to network interfaces, allowing multiple names to be used simultaneously for one interface. The name can be up to 128 characters (previously, the network interface name was limited to 16 characters). By default, systemd-udevd now assigns each network interface all variant names generated by supported naming schemes. This behavior can be changed through the new AlternativeName and AlternativeNamesPolicy settings in .link files. systemd-nspawn implements the generation of alternative names with the full container name for veth links created on the host side.
  • Added support for the Linux kernel "pidfd" mechanism to the sd-event.h API to handle PID reuse (a pidfd refers to one specific process and never changes, whereas a PID can be handed to another process once the process that held it exits). All systemd components except PID 1 have been converted to use pidfds when the running kernel supports them.
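    The PID-reuse problem described above, as an added C example written for this article (it is not systemd code and does not show sd-event's own implementation). It invokes the pidfd_open() and pidfd_send_signal() system calls through syscall(2) so that it builds with C libraries that lack wrappers; the fallback syscall numbers are those of x86-64 and the generic table, and the check reports PIDFD_UNSUPPORTED on kernels or sandboxes that do not offer pidfds:

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallback numbers (x86-64 / asm-generic) for headers that predate Linux 5.3. */
#ifndef __NR_pidfd_send_signal
#define __NR_pidfd_send_signal 424
#endif
#ifndef __NR_pidfd_open
#define __NR_pidfd_open 434
#endif

static int pidfd_open_raw(pid_t pid)
{
    return (int)syscall(__NR_pidfd_open, pid, 0U);
}

static int pidfd_send_signal_raw(int pidfd, int sig)
{
    return (int)syscall(__NR_pidfd_send_signal, pidfd, sig, (void *)0, 0U);
}

enum pidfd_result {
    PIDFD_ERROR = -1,        /* unexpected failure (fork, poll, wait, ...) */
    PIDFD_UNSUPPORTED = 1,   /* kernel or sandbox does not provide pidfd_open() */
    PIDFD_STALE_DETECTED = 2 /* the pidfd reported the exited process as gone */
};

/* Returns 1 when the running kernel lets this process open a pidfd to itself. */
int pidfd_supported(void)
{
    int fd = pidfd_open_raw(getpid());
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/*
 * Fork a child, hold a pidfd to it, terminate it through the pidfd, reap it,
 * then show that the pidfd (unlike a bare PID) cannot be confused with a later
 * process that the kernel may hand the same number: probing the exited child
 * through its pidfd fails with ESRCH.
 */
int pidfd_stale_check(void)
{
    struct pollfd pfd;
    pid_t child, reaped;
    int pidfd;

    if (!pidfd_supported())
        return PIDFD_UNSUPPORTED;

    child = fork();
    if (child < 0)
        return PIDFD_ERROR;
    if (child == 0) {
        /* Child: idle until terminated by the parent. */
        signal(SIGTERM, SIG_DFL);
        for (;;)
            pause();
    }

    pidfd = pidfd_open_raw(child);
    if (pidfd < 0) {
        kill(child, SIGKILL); /* PID is still ours: not yet reaped, no reuse possible */
        waitpid(child, NULL, 0);
        return PIDFD_ERROR;
    }

    /* Signal 0 probes liveness without delivering anything: the child is alive. */
    if (pidfd_send_signal_raw(pidfd, 0) != 0)
        goto fail_alive;

    /* Terminate through the pidfd: this can never hit an unrelated process. */
    if (pidfd_send_signal_raw(pidfd, SIGTERM) != 0)
        goto fail_alive;

    /* A pidfd becomes readable once the process exits; event loops poll on this. */
    pfd.fd = pidfd;
    pfd.events = POLLIN;
    pfd.revents = 0;
    if (poll(&pfd, 1, 5000) != 1)
        goto fail_alive;

    /* Reap the child: from here on the kernel may give its PID to a new process. */
    do {
        reaped = waitpid(child, NULL, 0);
    } while (reaped < 0 && errno == EINTR);
    if (reaped != child)
        goto fail_alive;

    /* A bare PID would now be ambiguous; the pidfd unambiguously says "gone". */
    if (pidfd_send_signal_raw(pidfd, 0) == 0 || errno != ESRCH) {
        close(pidfd);
        return PIDFD_ERROR;
    }
    close(pidfd);
    return PIDFD_STALE_DETECTED;

fail_alive:
    /* Clean up via the pidfd only, never via the PID, for the same reason. */
    pidfd_send_signal_raw(pidfd, SIGKILL);
    waitpid(child, NULL, 0);
    close(pidfd);
    return PIDFD_ERROR;
}

int main(void)
{
    int r = pidfd_stale_check();
    if (r == PIDFD_STALE_DETECTED)
        puts("pidfd reports ESRCH for the exited child: no PID-reuse ambiguity");
    else if (r == PIDFD_UNSUPPORTED)
        puts("pidfd_open() is unavailable on this kernel or in this sandbox");
    else
        puts("unexpected failure");
    return r == PIDFD_ERROR;
}
```

    The defensive point is in the cleanup paths: once a child has been reaped, a kill(2) on its old PID can land on whatever process the kernel assigned that number to next, which is exactly the race systemd removes by keeping a pidfd per watched process.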
  • systemd-logind provides access checks for the virtual terminal change operation via PolicyKit. By default, permissions to change the active terminal are granted only to users who have initiated a session on the local virtual terminal at least once.
  • To make it easier to create initrd images with systemd, the PID 1 handler now detects whether the initrd is being used and in this case automatically loads initrd.target instead of default.target. With this approach, the initrd and main system images can differ only in the presence of the /etc/initrd-release file.
  • Added a new kernel command line parameter - "systemd.cpu_affinity", equivalent to the CPUAffinity option in /etc/systemd/system.conf and allowing you to configure the CPU affinity mask for PID 1 and other processes.
  • Enabled reloading of SELinux database along with restarting PID 1 via commands like "systemctl daemon-reload".
  • The “systemd.show-status=error” setting has been added to the PID 1 handler; when set, only error messages and significant loading delays are displayed on the console.
  • systemd-sysusers added support for creating users with a primary group name that is different from the user name.
  • systemd-growfs introduces support for XFS partition expansion via the x-systemd.growfs mount option in /etc/fstab, in addition to previously supported partition expansion with Ext4 and Btrfs.
  • Added x-initrd.attach option to /etc/crypttab to define an encrypted partition already unlocked at the initrd stage.
  • systemd-cryptsetup has added support (option pkcs11-uri in /etc/crypttab) for unlocking encrypted partitions using PKCS#11 smartcards, for example for attaching partition encryption to YubiKeys.
  • New mount options "x-systemd.required-by" and "x-systemd.wanted-by" have been added to /etc/fstab to explicitly specify the units that should pull in a mount, instead of local-fs.target and remote-fs.target.
  • A new service sandboxing option has been added - ProtectClock, which denies writing to the system clock (access is blocked at the level of /dev/rtc, system calls and the CAP_SYS_TIME/CAP_WAKE_ALARM capabilities).
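    An added example (constructed for this article, not from the release or the systemd project; the service name and binary path are assumptions) of a unit that applies the new option together with sandboxing directives that already existed in earlier releases:

```ini
# /etc/systemd/system/metrics-exporter.service (constructed example)
[Unit]
Description=Metrics exporter that never needs to change the system clock

[Service]
ExecStart=/usr/local/bin/metrics-exporter
# New in systemd 245: deny changes to the system clock. As the release notes
# describe, access is blocked at the level of /dev/rtc, the clock-setting system
# calls and the CAP_SYS_TIME/CAP_WAKE_ALARM capabilities, so a compromised
# service cannot skew timestamps that logs, certificate checks and tokens rely on.
ProtectClock=yes
# Pre-existing directives commonly combined with it for a service like this
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ProtectKernelTunables=yes
# The exporter needs no capabilities at all; drop the whole bounding set
CapabilityBoundingSet=

[Install]
WantedBy=multi-user.target
```

    `systemd-analyze security metrics-exporter.service` reports the exposure level of the unit and lists the sandboxing settings it takes into account, which is a quick way to confirm the option took effect after `systemctl daemon-reload`.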
  • The Discoverable Partitions specification and systemd-gpt-auto-generator gained detection of /var and /var/tmp partitions.
  • In “systemctl list-unit-files”, the list of units gained a new column showing the enable state offered by the vendor presets for that unit.
  • A “--with-dependencies” option has been added to “systemctl”; when specified, commands such as “systemctl status” and “systemctl cat” display not only the matching units but also the units they depend on.
  • In systemd-networkd, the qdisc configuration has added the ability to configure the TBF (Token Bucket Filter), SFQ (Stochastic Fairness Queuing), CoDel (Controlled-Delay Active Queue Management) and FQ (Fair Queue) parameters.
  • systemd-networkd added support for IFB network devices (Intermediate Functional Block).
  • Systemd-networkd implements the MultiPathRoute parameter in the [Route] section to configure multi-path routes.
  • In the systemd-networkd DHCPv4 client, the SendDecline option has been added; when specified, a duplicate address check is performed after a DHCP response with an address is received and, if a conflict is detected, the offered address is declined. The RouteMTUBytes option has also been added to the DHCPv4 client, allowing you to set the MTU for routes generated from leases.
  • The PrefixRoute setting in the [Address] section of .network files has been deprecated. It was replaced by the “AddPrefixRoute” setting, which has the opposite meaning.
  • In .network files, the Gateway setting in the “[Route]” section accepts the new value “_dhcp”; when set, the static route uses the gateway obtained via DHCP.
  • The “[RoutingPolicyRule]” section of .network files gained the User and SuppressPrefixLength settings for defining policy routing rules based on UID ranges and prefix length.
  • In networkctl, the “status” command can now display the log entries related to each network interface.
  • systemd-networkd-wait-online gained settings for the maximum time to wait for an interface to become operational and for waiting for an interface to go down.
  • Stopped processing .link and .network files with an empty or commented out “[Match]” section.
  • In the .link and .network files, in the “[Match]” section, a “PermanentMACAddress” setting has been added to check the permanent MAC address of devices in the case of using a generated random MAC.
  • The “[TrafficControlQueueingDiscipline]” section in .network files has been renamed to “[NetworkEmulator]”, and the “NetworkEmulator” prefix has been removed from the names of associated settings.
  • systemd-resolved for DNS-over-TLS adds support for SNI checking.

Source: opennet.ru