systemd system manager release 243

After five months of development, the systemd 243 system manager release has been published. Among the innovations are the integration of an out-of-memory handler into PID 1, support for attaching custom BPF programs to filter the traffic of units, numerous new options for systemd-networkd, a mode for monitoring the bandwidth of network interfaces, enabling 22-bit PIDs instead of 16-bit ones by default on 64-bit systems, a move to the unified cgroups hierarchy, and the inclusion of the systemd-network-generator utility.

Major changes:

  • Added recognition of out-of-memory (OOM) events reported by the kernel to the PID 1 handler, so that units that have exceeded their memory consumption limit are put into a special state, with the option of forcibly terminating or stopping them;
  • New parameters IPIngressFilterPath and IPEgressFilterPath, which allow you to attach BPF programs with arbitrary handlers to filter incoming and outgoing IP packets generated by processes associated with the unit. The proposed features allow you to create a kind of firewall for individual systemd services. An example of writing a simple network filter based on BPF is provided;
  • Added "clean" command to systemctl utility to remove cache, runtime files, status information and log directories;
  • Added support for MACsec, nlmon, IPVTAP, and Xfrm network interfaces to systemd-networkd;
  • systemd-networkd implements a separate configuration of the DHCPv4 and DHCPv6 stacks through the "[DHCPv4]" and "[DHCPv6]" sections in the configuration file. Added option RoutesToDNS to add a separate route to the DNS server specified in the parameters received from the DHCP server (so that traffic to DNS is sent through the same link as the main route received from DHCP). New options added for DHCPv4: MaxAttempts - maximum number of requests to obtain an address, BlackList - black list of DHCP servers, SendRelease - enable sending DHCP RELEASE messages when a session ends;
  • New commands have been added to the systemd-analyze utility:
    • "systemd-analyze timestamp" - parsing and converting time;
    • "systemd-analyze timespan" - parsing and converting time spans;
    • "systemd-analyze condition" - parsing and testing ConditionXYZ expressions;
    • "systemd-analyze exit-status" - parsing and converting exit codes from numbers to names and vice versa;
    • "systemd-analyze unit-files" - lists all file paths for units and unit aliases.
  • The options SuccessExitStatus, RestartPreventExitStatus and RestartForceExitStatus now accept not only numeric exit codes, but also their textual identifiers (e.g. "DATAERR"). The mapping of codes to identifiers can be viewed with the "systemd-analyze exit-status" command;
  • The "delete" command has been added to the networkctl utility to remove virtual network devices, as well as the "--stats" option to display device statistics;
  • Added SpeedMeter and SpeedMeterIntervalSec settings to networkd.conf to periodically measure the throughput of network interfaces. The statistics obtained from the measurement results can be viewed in the output of the 'networkctl status' command;
  • Added the new systemd-network-generator utility to generate .network, .netdev and .link files from the IP settings passed at boot via the Linux kernel command line in the Dracut settings format;
  • The value of sysctl "kernel.pid_max" on 64-bit systems is now set by default to 4194304 (22-bit PIDs instead of 16-bits), which reduces the likelihood of collisions when assigning PIDs, increases the limit on the number of simultaneously running processes, and has a positive effect on security. Potentially, the change could lead to compatibility issues, but in practice, such problems have not yet been reported;
  • By default, at the build stage, the transition to the unified cgroups-v2 hierarchy ("-Ddefault-hierarchy=unified") was made. Previously, the hybrid mode was set by default ("-Ddefault-hierarchy=hybrid");
  • The behavior of the system call filter (SystemCallFilter) has been changed: when a forbidden system call is made, the entire process is now terminated rather than only the offending thread, since terminating individual threads could lead to unpredictable problems. This change only takes effect with Linux kernel 4.14+ and libseccomp 2.4.0+;
  • Unprivileged programs are given the ability to send ICMP Echo (ping) packets by setting sysctl "net.ipv4.ping_group_range" for the entire range of groups (for all processes);
  • To speed up the build process, generation of man manuals is stopped by default (to build full documentation, you need to use the "-Dman=true" or "-Dhtml=true" option for manuals in html format). To make browsing the documentation easier, two scripts are included, build/man/man and build/man/html, to generate and preview the manuals of interest;
  • To process domain names with characters of national alphabets, the libidn2 library is used by default (to return to libidn, use the "-Dlibidn=true" option);
  • Support for the /usr/sbin/halt.local executable file, which provided functionality that was not widely distributed in distributions, has been discontinued. To organize the launch of commands at shutdown, it is recommended to use scripts in /usr/lib/systemd/system-shutdown/ or define a new unit dependent on final.target;
  • At the last stage of shutdown, systemd now automatically increases the logging level in sysctl "kernel.printk", which solves the problem with displaying events in the log that occurred in the late stages of shutdown, when the regular logging daemons have already been completed;
  • In journalctl and other utilities that display logs, warnings are highlighted in yellow and audit records in blue, to make them stand out visually from the rest of the output;
  • In the $PATH environment variable, the path to bin/ now comes before the path to sbin/, i.e. if there are identical names of executable files in both directories, the file from bin/ will be executed;
  • systemd-logind provides a SetBrightness() call to safely change screen brightness on a per-session basis;
  • Added "--wait-for-initialization" flag to "udevadm info" command to wait for device initialization to complete;
  • During system boot, the PID 1 handler now displays the names of the units, instead of a line with their description. To return past behavior, you can use the StatusUnitFormat option in /etc/systemd/system.conf or the systemd.status_unit_format kernel option;
  • Added the KExecWatchdogSec option to /etc/systemd/system.conf for the PID 1 watchdog, specifying the timeout for a restart via kexec. The old ShutdownWatchdogSec setting has been renamed to RebootWatchdogSec and defines the timeout for jobs during shutdown or a normal restart;
  • A new ExecCondition option has been added for services, which allows you to specify commands that are executed before ExecStartPre. The exit code returned by the command decides whether the unit proceeds: if code 0 is returned, the start of the unit continues; if a code from 1 to 254 is returned, the unit is silently skipped without recording a failure; if 255 is returned, the unit is stopped and a failure is recorded;
  • Added a new service, systemd-pstore.service, to retrieve data from /sys/fs/pstore/ and save it to /var/lib/pstore for further analysis;
  • New commands have been added to the timedatectl utility to configure NTP settings for systemd-timesyncd in relation to network interfaces;
  • Stop showing non-UTF-8 locales in "localectl list-locales" command;
  • Implemented ignoring of variable assignment errors in sysctl.d/ files if the variable name begins with the "-" character;
  • Service systemd-random-seed.service is now fully responsible for initializing the entropy pool of the Linux kernel pseudo-random number generator. Services that require a properly initialized /dev/urandom should start after systemd-random-seed.service;
  • The systemd-boot bootloader has the option of maintaining seed file with a random sequence in the EFI System Partition (ESP);
  • New commands "bootctl random-seed" have been added to the bootctl utility to generate a seed file in ESP and "bootctl is-installed" to check the installation of the systemd-boot bootloader. Bootctl also provides warnings about incorrectly configured boot entries (for example, when the kernel image is deleted, but the entry for booting it is left);
  • Provided automatic selection of the swap partition when the system enters sleep mode. A partition is selected depending on the priority configured for it, and in the case of identical priorities, the amount of free space;
  • Added the keyfile-timeout option to /etc/crypttab to set how long to wait for the device containing the key file before falling back to prompting for a password to unlock the encrypted partition;
  • Added IOWeight option to set I/O weight for BFQ scheduler;
  • systemd-resolved gained a 'strict' mode of operation for DNS-over-TLS and the ability to cache only positive DNS responses ("Cache=no-negative" in resolved.conf);
  • For VXLAN, a GenericProtocolExtension option has been added to systemd-networkd to enable VXLAN protocol extensions. For VXLAN and GENEVE, the IPDoNotFragment option has been added to set the no fragmentation flag for outgoing packets;
  • In systemd-networkd, in the "[Route]" section, the FastOpenNoCookie option has appeared to enable the TCP Fast Open (TFO, RFC 7413) fast connection mechanism for individual routes, as well as the TTLPropagate option to configure TTL propagation for LSP (Label Switched Path). The "Type" option provides support for the local, broadcast, anycast, multicast, any and xresolve routing modes;
  • systemd-networkd provides a DefaultRouteOnDevice option in the "[Network]" section to automatically configure a default route for a given network device;
  • Added the ProxyARP and ProxyARPWifi options to systemd-networkd for network bridges to configure proxy ARP behavior, MulticastRouter to set routing parameters in multicast mode, and MulticastIGMPVersion to change the IGMP (Internet Group Management Protocol) version for multicast;
  • Systemd-networkd added Local, Peer and PeerPort options for FooOverUDP tunnels to configure local and remote IP addresses and network port number. Added VnetHeader option for TUN tunnels to configure GSO (Generic Segment Offload) support;
  • In systemd-networkd, in the .network and .link files, in the [Match] section, a Property option has appeared, which allows you to determine devices by properties specific to them in udev;
  • Added an AssignToLoopback option to systemd-networkd for tunnels to control whether the end of the tunnel is bound to the "lo" loopback device;
  • systemd-networkd automatically activates the IPv6 stack if it is blocked via sysctl disable_ipv6 - IPv6 is activated if IPv6 settings (static or DHCPv6) are defined for the network interface, otherwise the already set sysctl value does not change;
  • In .network files, the CriticalConnection setting has been replaced with the KeepConfiguration option, which provides more ways to define the situations ("yes", "static", "dhcp-on-stop", "dhcp") in which systemd-networkd should not touch existing connections at startup;
  • Fixed vulnerability CVE-2019-15718, caused by the lack of access control on the systemd-resolved D-Bus interface. The issue allowed an unprivileged user to perform operations reserved for administrators, such as changing DNS settings and redirecting DNS queries to a rogue server;
  • Fixed vulnerability CVE-2019-9619, related to pam_systemd not being enabled for non-interactive sessions, which allowed active session spoofing.
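The service unit below is an added illustration, not code from the systemd project or from the original article. It ties together three of the items listed above: the ExecCondition exit-code contract (0 continues, 1 to 254 skips silently, 255 records a failure), the symbolic exit-status names accepted by SuccessExitStatus, and the per-unit BPF traffic filters attached via IPIngressFilterPath and IPEgressFilterPath. The service name, the executables under /usr/local/lib/example/ and the pinned program paths under /sys/fs/bpf/ are placeholders; the BPF programs themselves have to be loaded and pinned separately.

```ini
# /etc/systemd/system/example-exporter.service
# Illustrative unit: every path below is a placeholder.
[Unit]
Description=Example service showing systemd 243 service options

[Service]
Type=simple
# Runs before ExecStartPre=. Its exit code decides what happens next:
#   0        -> continue with ExecStartPre= and ExecStart=
#   1..254   -> skip the unit silently, no failure is recorded
#   255      -> abort and mark the unit as failed
ExecCondition=/usr/local/lib/example/check-prerequisites
ExecStartPre=/usr/local/lib/example/prepare-state
ExecStart=/usr/local/lib/example/exporter --config /etc/example/exporter.conf

# Exit statuses may be given by name as well as by number;
# "systemd-analyze exit-status DATAERR" shows the corresponding number (65).
SuccessExitStatus=DATAERR 75

# BPF programs pinned in the BPF filesystem filter the IP traffic of this
# unit's processes; packets rejected by the programs are dropped.
IPIngressFilterPath=/sys/fs/bpf/example/ingress-filter
IPEgressFilterPath=/sys/fs/bpf/example/egress-filter

# With kernel 4.14+ and libseccomp 2.4.0+ a forbidden system call now
# terminates the whole process, not just the calling thread.
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
```

Run "systemd-analyze verify" on the file before enabling the unit; it reports unknown keys and missing executables, which is the quickest way to catch a mistyped option name in a drop-in.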
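The resolved.conf drop-in below is an added example, not taken from systemd or the article, showing the new 'strict' DNS-over-TLS mode next to the Cache=no-negative setting mentioned in the systemd-resolved item. The resolver addresses are documentation-range placeholders.

```ini
# /etc/systemd/resolved.conf.d/10-dot-strict.conf
# Illustrative drop-in; the resolver addresses are placeholders.
[Resolve]
# Upstream resolvers that are expected to offer DNS-over-TLS.
DNS=192.0.2.53 2001:db8::53
# "opportunistic" (the only TLS mode before 243) falls back to plaintext DNS
# when TLS cannot be negotiated, so a downgrade on the path goes unnoticed.
# "strict" makes the lookup fail instead of sending the query in the clear.
DNSOverTLS=strict
# Cache positive answers only; negative answers such as NXDOMAIN are not
# retained.
Cache=no-negative
```

After "systemctl restart systemd-resolved", "resolvectl status" shows the effective DNSOverTLS setting per link, which is the check worth adding to a hardening baseline.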
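The .network file below is an added example (not from the systemd project or the article) combining the networkd items listed above: the separate [DHCPv4] and [DHCPv6] sections with RoutesToDNS, MaxAttempts, BlackList and SendRelease, and the KeepConfiguration option that replaces CriticalConnection in the [Network] section. The interface name pattern and the blacklisted server address are placeholders.

```ini
# /etc/systemd/network/20-wired.network
# Illustrative file; the match pattern and addresses are placeholders.
[Match]
Name=en*

[Network]
DHCP=yes
# Replaces CriticalConnection=. "dhcp-on-stop" keeps DHCP-assigned addresses
# and routes when networkd stops (for instance across a daemon restart)
# instead of flushing them; "static" would preserve only statically
# configured ones, "yes" both, and "no" none.
KeepConfiguration=dhcp-on-stop

[DHCPv4]
# Add a dedicated route to the DNS servers handed out by DHCP, so DNS traffic
# follows the same link as the DHCP-supplied default route.
RoutesToDNS=yes
# Give up after ten attempts instead of retrying indefinitely.
MaxAttempts=10
# Ignore offers from this (placeholder) DHCP server address.
BlackList=192.0.2.250
# Send a DHCP RELEASE when the lease is dropped.
SendRelease=yes

[DHCPv6]
UseDNS=yes
```

"networkctl status <interface>" shows which DHCP server the lease came from and, with SpeedMeter enabled in networkd.conf, the measured throughput, so the effect of the BlackList entry can be confirmed without a packet capture.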

Source: opennet.ru
