systemd system manager release 242


After two months of development, release 242 of the systemd system manager has been published. New features include support for L2TP tunnels, the ability to control the behavior of systemd-logind on reboot via environment variables, support for extended XBOOTLDR boot partitions mounted at /boot, the ability to boot with the root partition in overlayfs, and a large number of new settings for different types of units.

Major changes:

  • systemd-networkd provides support for L2TP tunnels;
  • sd-boot and bootctl support XBOOTLDR (Extended Boot Loader) partitions mounted at /boot, in addition to ESP partitions mounted at /efi or /boot/efi. Kernels, settings, initrds and EFI images can now be loaded from both ESP and XBOOTLDR partitions. This change allows the sd-boot bootloader to be used in more conservative layouts, where the bootloader itself is placed in the ESP while the bootable kernels and their associated metadata are kept on a separate partition;
  • Added the ability to boot with the "systemd.volatile=overlay" option passed to the kernel, which places the root file system in an overlayfs: the system runs on top of a read-only image of the root directory, with changes written to a separate directory in tmpfs (changes made in this configuration are lost after a reboot). Analogously, the "--volatile=overlay" option has been added to systemd-nspawn to provide the same functionality in containers;
  • Added the "--oci-bundle" option to systemd-nspawn, which allows runtime bundles to be used for isolated execution of containers that comply with the Open Container Initiative (OCI) specification. Support for various options described in the OCI specification is offered both on the command line and in nspawn units; for example, the "--inaccessible" option and the "Inaccessible=" setting can be used to hide parts of the file system, and the "--console" and "--pipe" options have been added to configure the standard I/O streams;
  • Added the ability to control systemd-logind behavior via the environment variables $SYSTEMD_REBOOT_TO_FIRMWARE_SETUP, $SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU and $SYSTEMD_REBOOT_TO_BOOT_LOADER_ENTRY. Using these variables, you can hook in your own reboot handlers (/run/systemd/reboot-to-firmware-setup, /run/systemd/reboot-to-boot-loader-menu and /run/systemd/reboot-to-boot-loader-entry) or disable the functionality altogether (when set to false);
  • Added the "--boot-loader-menu=" and "--boot-loader-entry=" options to the "systemctl reboot" command, allowing you to select a specific boot menu item or boot mode to use after the reboot;
  • Added a new sandboxing setting "RestrictSUIDSGID=" that uses seccomp to prevent the service from creating files with the SUID/SGID bits set;
  • Implemented default restrictions "NoNewPrivileges" and "RestrictSUIDSGID" in services with enabled dynamic user ID generation ("DynamicUser");
  • The default MACAddressPolicy=persistent setting in .link files has been changed to cover more devices. Network bridges, tunnels (tun, tap) and aggregated links (bond) have no identifying information other than the interface name, so this name is now used as the seed for deriving persistent MAC and IPv4 addresses. In addition, the "MACAddressPolicy=random" setting has been added, which assigns random MAC and IPv4 addresses to devices;
  • ".device" units generated by systemd-fstab-generator no longer pull in the corresponding ".mount" units via "Wants=". Simply plugging in a device therefore no longer automatically starts a mount unit, but such units can still be started for other reasons, for example as part of local-fs.target or as a dependency of other units that depend on local-fs.target;
  • Support for wildcard patterns ("*", etc.) has been added to the "networkctl list/status/lldp" commands to select groups of network interfaces by part of their name;
  • The $PIDFILE environment variable is now set to the absolute path configured for the service via the "PIDFile=" setting;
  • Cloudflare's public servers (1.1.1.1) have been added to the list of fallback DNS servers used when no primary DNS server is explicitly configured. The "-Ddns-servers=" build option can be used to override the fallback list;
  • A new usb-gadget.target is started automatically when a USB Device Controller is detected (i.e. when the system is acting as a USB peripheral);
  • For unit files, the "CPUQuotaPeriodSec=" setting is implemented, which determines the time period relative to which the CPU time quota is measured, set through the "CPUQuota=" setting;
  • For unit files, the "ProtectHostname=" setting is implemented, which prohibits services from changing information about the host name, even if they have the appropriate permissions;
  • For unit files, the "NetworkNamespacePath=" setting is implemented, which allows a service or socket unit to be placed into an existing network namespace by specifying the path to the namespace file in the /proc pseudo-FS;
  • Added the ability to disable the substitution of environment variables for processes launched using the "ExecStart=" setting by adding the ":" character before the start command;
  • For timers (.timer units), the new flags "OnClockChange=" and "OnTimezoneChange=" have been added, which trigger the unit when the system time or time zone changes;
  • Added new settings "ConditionMemory=" and "ConditionCPUs=" that determine the conditions for calling a unit depending on the size of the memory and the number of CPU cores (for example, a resource-intensive service can only be started if the required amount of RAM is available);
  • A new time-set.target unit has been added that is reached once the local system time has been set, without waiting for synchronization with external time servers through time-sync.target. The new unit can be used by services for which the precision of an unsynchronized local clock is sufficient;
  • Added "--show-transaction" option to "systemctl start" and similar commands to display a summary of all jobs added to the queue due to the requested operation;
  • systemd-networkd has introduced a new state, 'enslaved', used instead of 'degraded' or 'carrier' for network interfaces that are members of aggregated links or network bridges. For the master interfaces, the 'degraded-carrier' state has been added to indicate problems with one of the member links;
  • Added "IgnoreCarrierLoss=" option to .network units to save network settings in case of connection failure;
  • Through the "RequiredForOnline=" setting in .network units, you can now set the minimum link state required for the network interface to be considered "online" and to satisfy the systemd-networkd-wait-online handler;
  • Added "--any" option to systemd-networkd-wait-online to wait for any of the specified network interfaces to be ready instead of all, and "--operational-state=" option to define the state of the link indicating that it is ready;
  • Added the "UseAutonomousPrefix=" and "UseOnLinkPrefix=" settings to .network units, which can be used to ignore prefixes received in IPv6 Router Advertisements (RA);
  • Added the "MulticastFlood=", "NeighborSuppression=" and "Learning=" settings to .network units to change network bridge port parameters, as well as the "TripleSampling=" setting to change the TRIPLE-SAMPLING mode of virtual CAN interfaces;
  • Added the "PrivateKeyFile=" and "PresharedKeyFile=" settings to .netdev units, with which the private key and pre-shared key (PSK) of WireGuard VPN interfaces can be read from files;
  • Added the same-cpu-crypt and submit-from-crypt-cpus options to /etc/crypttab to control scheduler behavior when migrating encryption-related work between CPU cores;
  • systemd-tmpfiles now honors a lock file before operating on directories with temporary files, which allows the cleanup of obsolete files to be suspended for the duration of certain actions (for example, when unpacking a tar archive into /tmp, files with very old timestamps may be created that must not be deleted until the operation completes);
  • The "systemd-analyze cat-config" command can display a configuration that is split across several files, for example user and system presets, the contents of tmpfiles.d and sysusers.d, udev rules, etc.;
  • Added "--cursor-file=" option to "journalctl" to specify file to load and save cursor position;
  • Added definition of ACRN hypervisor and WSL subsystem (Windows Subsystem for Linux) to systemd-detect-virt for subsequent branching using conditional operator "ConditionVirtualization";
  • Symbolic links in /etc are no longer created for systemd-networkd.service, systemd-networkd.socket, systemd-resolved.service, remote-cryptsetup.target, remote-fs.target, systemd-networkd-wait-online.service and systemd-timesyncd.service. To create them, you now need to run the "systemctl preset-all" command.
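As an added illustration (not from the article or the systemd project), a service unit that combines several of the hardening and resource settings listed above; the service name, binary path and network namespace path are assumptions:

```ini
# /etc/systemd/system/example-worker.service (hypothetical service)
[Unit]
Description=Worker demonstrating the settings added in systemd 242
# Only start on hosts with at least 1G of RAM and 2 CPUs
ConditionMemory=>=1G
ConditionCPUs=>=2
# Local clock is good enough; no need to wait for NTP via time-sync.target
After=time-set.target

[Service]
# Transient UID/GID; in 242 this implies NoNewPrivileges= and RestrictSUIDSGID=
DynamicUser=yes
# Spelled out anyway so the intent is visible when the unit is reviewed
NoNewPrivileges=yes
RestrictSUIDSGID=yes
# Deny sethostname()/setdomainname() even if the service holds the capability
ProtectHostname=yes
# Run in a pre-created network namespace (assumed path, e.g. created with ip netns)
NetworkNamespacePath=/run/netns/worker
# 20% of one CPU, accounted over 50ms windows instead of the default 100ms
CPUQuota=20%
CPUQuotaPeriodSec=50ms
# Leading ':' disables $VAR substitution: the literal string $NOT_EXPANDED is passed
ExecStart=:/usr/local/bin/worker --tag $NOT_EXPANDED

[Install]
WantedBy=multi-user.target
```

"systemd-analyze security example-worker.service" reports which of these restrictions are in effect for the loaded unit.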
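An added example (not part of the article) of a WireGuard interface defined with the new file-based key settings, paired with a .network file that uses the extended "RequiredForOnline=" syntax; the interface name, addresses, endpoint and key paths are assumptions, and the peer key is a placeholder:

```ini
# /etc/systemd/network/50-wg0.netdev (assumed file name)
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
# Keys are read from root-owned files that systemd-network can read (mode 0640),
# rather than being embedded in this unit, so copying the config does not leak them
PrivateKeyFile=/etc/systemd/network/wg0.key
ListenPort=51820

[WireGuardPeer]
PublicKey=PEER_PUBLIC_KEY_PLACEHOLDER
PresharedKeyFile=/etc/systemd/network/wg0-peer.psk
AllowedIPs=10.0.0.0/24
Endpoint=vpn.example.com:51820

# /etc/systemd/network/50-wg0.network (assumed file name)
[Match]
Name=wg0

[Network]
Address=10.0.0.2/24
# Only treat this link as "online" for systemd-networkd-wait-online once it is
# routable, not merely once it has a carrier
RequiredForOnline=routable
```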

Source: opennet.ru
