systemd system manager release 246

After five months of development, release 246 of the systemd system manager has been published. The new release adds support for freezing units, verification of the root disk image against a digital signature, ZSTD compression of journals and core dumps, unlocking of portable home directories with FIDO2 tokens and unlocking of Microsoft BitLocker partitions via /etc/crypttab; the BlackList settings have been renamed to DenyList.

All changes:

  • Added support for the cgroups v2 freezer controller, which can suspend the processes of a unit and temporarily free some resources (CPU, I/O, and potentially even memory) for other tasks. Freezing and thawing of units is controlled with the new “systemctl freeze” command or via D-Bus.
  • Added support for verifying the root disk image using a digital signature. Verification is performed using new settings in service units: RootHash (root hash for verifying the disk image specified through the RootImage option) and RootHashSignature (digital signature in PKCS#7 format for the root hash).
  • PID 1 can now automatically load precompiled AppArmor policies from /etc/apparmor/earlypolicy early in boot.
  • Added new unit file settings: ConditionPathIsEncrypted and AssertPathIsEncrypted, which check whether the specified path is located on a block device that uses encryption (dm-crypt/LUKS), and ConditionEnvironment and AssertEnvironment, which check environment variables (for example, those set by PAM or when setting up containers).
  • For *.mount units, the ReadWriteOnly setting has been implemented: when a read-write mount fails, the mount is not retried read-only but fails outright. In /etc/fstab this mode is enabled with the “x-systemd.rw-only” option.
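    The following mount unit is an added example, not code from the release notes or from the systemd project; the device label, mount point and file system type are constructed placeholders. It shows ReadWriteOnly= in context, with the equivalent /etc/fstab line in a comment, for a volume that a service must be able to write to (here, audit logs), where a silent fall-back to a read-only mount would only surface later as write errors in the consuming service.

    ```ini
    # /etc/systemd/system/var-lib-audit.mount  (constructed example)
    # Equivalent /etc/fstab line:
    #   LABEL=auditlog  /var/lib/audit  ext4  noexec,nosuid,nodev,x-systemd.rw-only  0 2
    [Unit]
    Description=Audit log volume (must be writable)

    [Mount]
    What=/dev/disk/by-label/auditlog
    Where=/var/lib/audit
    Type=ext4
    # Hardening options for a data-only volume.
    Options=noexec,nosuid,nodev
    # New in systemd 246: if the kernel refuses a read-write mount (write-protected
    # device, file system needing repair), fail the unit instead of retrying
    # read-only. Services ordered after this mount then stay down rather than
    # starting on a volume they cannot write to.
    ReadWriteOnly=yes

    [Install]
    WantedBy=multi-user.target
    ```

    Services that depend on the volume should declare RequiresMountsFor=/var/lib/audit, so that a failed read-write mount keeps them from starting.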
  • For *.socket units, a PassPacketInfo setting has been added, which enables the kernel to add additional metadata for each packet read from the socket (enables the IP_PKTINFO, IPV6_RECVPKTINFO and NETLINK_PKTINFO modes for the socket).
  • For services (*.service units), the CoredumpFilter setting (defines which memory sections are included in core dumps) and the TimeoutStartFailureMode/TimeoutStopFailureMode settings (define which signal, SIGTERM, SIGABRT or SIGKILL, is sent when a start or stop timeout occurs) have been added.
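    The following service unit is an added example, not code from the release notes or from the systemd project, combining the new RootHash=/RootHashSignature=, ConditionPathIsEncrypted=/ConditionEnvironment=, CoredumpFilter= and Timeout*FailureMode= settings in one file. The image path, the all-zero root hash, the signature file name, the environment variable and the service binary are placeholders; the example assumes the image carries its dm-verity hash data in a discoverable GPT partition, and that the kernel has dm-verity signature verification enabled with the signing certificate in its trusted keyring, which is where the PKCS#7 signature is checked.

    ```ini
    # /etc/systemd/system/verified-app.service  (constructed example)
    [Unit]
    Description=Service running from a signed dm-verity image
    # Skip the unit silently unless the state directory lives on an encrypted
    # (dm-crypt/LUKS) block device: secrets never land on plaintext storage.
    ConditionPathIsEncrypted=/var/lib/verified-app
    # Also require an environment variable set by the manager (e.g. via a
    # container setup); "!" would negate the check.
    ConditionEnvironment=DEPLOYMENT_TIER=production

    [Service]
    # Disk image used as the service's root file system.
    RootImage=/var/lib/images/verified-app.raw
    # Expected dm-verity root hash (hex string, or a path to a file holding it).
    # Placeholder value: replace with the hash produced when the image was built.
    RootHash=0000000000000000000000000000000000000000000000000000000000000000
    # PKCS#7 signature over the root hash. The kernel validates it against its
    # keyring before the image is trusted, so a tampered image or a hash that
    # was substituted together with the image is rejected.
    RootHashSignature=/var/lib/images/verified-app.roothash.p7s
    ExecStart=/usr/bin/verified-app
    StateDirectory=verified-app
    # Core dumps: include only the process's private anonymous memory; file-backed
    # and shared mappings are left out, keeping dumps small and free of mapped
    # shared segments.
    CoredumpFilter=private-anonymous
    # A hung stop gets SIGABRT so the resulting dump shows where shutdown stuck,
    # instead of the default SIGTERM followed by SIGKILL.
    TimeoutStopSec=30s
    TimeoutStopFailureMode=abort
    # A hung start is simply killed.
    TimeoutStartSec=60s
    TimeoutStartFailureMode=kill

    [Install]
    WantedBy=multi-user.target
    ```

    Use ConditionPathIsEncrypted= when a non-encrypted host should quietly skip the service and AssertPathIsEncrypted= when it should instead fail loudly; the assert variant logs an error and marks the unit failed.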

  • Most options now support hexadecimal values specified with the "0x" prefix.
  • Wherever a command line parameter or configuration file takes a key or certificate, the path to a unix socket (AF_UNIX) may be given instead; the key or certificate is then obtained from an IPC service, for cases where storing it on unencrypted disk is undesirable.
  • Added support for six new specifiers that can be used in units, tmpfiles.d/, sysusers.d/ and other configuration files: %a for substituting the current architecture, %o/%w/%B/%W for substituting fields with identifiers from /etc/os-release and %l for short hostname substitution.
  • Unit files no longer support the “.include” syntax, which was deprecated 6 years ago.
  • The StandardError and StandardOutput settings no longer support the values “syslog” and “syslog-console”; these are automatically converted to “journal” and “journal+console”.
  • Automatically created tmpfs-based mount points (/tmp, /run, /dev/shm, etc.) now get limits on size and inode count: 50% of RAM for /tmp and /dev/shm, and 10% of RAM for the others.
  • Added new kernel command line options: systemd.hostname to set the hostname at the initial boot stage, udev.blockdev_read_only to mark all block devices backed by physical drives read-only (individual devices can be made writable again with "blockdev --setrw"), systemd.swap to disable automatic activation of swap partitions, systemd.clock-usec to set the system clock in microseconds, and systemd.condition-needs-update and systemd.condition-first-boot to override the ConditionNeedsUpdate and ConditionFirstBoot checks.
  • By default, sysctl fs.suid_dumpable is set to 2 (“suidsafe”), which allows saving core dumps for processes with the suid flag.
  • The hardware database gained the file /usr/lib/udev/hwdb.d/60-autosuspend.hwdb, borrowed from ChromiumOS, which lists PCI and USB devices that support automatic suspend.
  • A ManageForeignRoutes setting has been added to networkd.conf; when enabled, systemd-networkd manages all routes, including those configured by other utilities.
  • A “[SR-IOV]” section has been added to .network files for configuring network devices that support SR-IOV (Single Root I/O Virtualization).
  • In systemd-networkd, the IPv4AcceptLocal setting has been added to the “[Network]” section to allow packets arriving with a local source address to be received on the network interface.
  • systemd-networkd can now configure the following traffic control disciplines: HTB prioritization via [HierarchyTokenBucket] and [HierarchyTokenBucketClass], "pfifo" via [PFIFO], "GRED" via [GenericRandomEarlyDetection], "SFB" via [StochasticFairBlue], "cake" via [CAKE], "PIE" via [PIE], "DRR" via [DeficitRoundRobinScheduler] and [DeficitRoundRobinSchedulerClass], "BFIFO" via [BFIFO], "PFIFOHeadDrop" via [PFIFOHeadDrop], "PFIFOFast" via [PFIFOFast], "HHF" via [HeavyHitterFilter], "ETS" via [EnhancedTransmissionSelection], and "QFQ" via [QuickFairQueueing] and [QuickFairQueueingClass].

  • In systemd-networkd, a UseGateway setting has been added to the [DHCPv4] section to disable the use of gateway information obtained via DHCP.
  • In systemd-networkd, in the [DHCPv4] and [DHCPServer] sections, a SendVendorOption setting has been added for installing and processing additional vendor options.
  • systemd-networkd implements a new set of EmitPOP3/POP3, EmitSMTP/SMTP and EmitLPR/LPR options in the [DHCPServer] section to advertise POP3, SMTP and LPR servers to DHCP clients.
  • In systemd-networkd, in the .netdev files in the [Bridge] section, a VLANProtocol setting has been added to select the VLAN protocol to use.
  • In systemd-networkd, in .network files in the [Link] section, the Group setting is implemented to manage a group of links.
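    The following .network file is an added example, not code from the release notes or from the systemd project; the interface name, group number, gateway address and bandwidth figures are constructed. It combines several of the systemd-networkd additions listed above in one file: the [Link] Group= setting, IPv4AcceptLocal= in [Network], UseGateway= in [DHCPv4], and an HTB qdisc with two classes via [HierarchyTokenBucket] and [HierarchyTokenBucketClass]. Key names and value formats are those of systemd.network(5) for this release; values are in hexadecimal where that manual requires it (Handle=, ClassId=, DefaultClass=).

    ```ini
    # /etc/systemd/network/20-uplink.network  (constructed example)
    [Match]
    Name=eth0

    [Link]
    # New in 246: assign the interface to link group 7, so that tools working on
    # link groups (e.g. "ip link set group 7 ...") can treat it together with
    # other members of the group.
    Group=7

    [Network]
    DHCP=ipv4
    # New in 246: whether packets with a source address local to this host may be
    # received on this interface. Kept off here, which is the safe default; it is
    # only needed in specific routing setups.
    IPv4AcceptLocal=no

    [DHCPv4]
    # New in 246: take the address from DHCP but ignore the offered router, so an
    # untrusted or misconfigured DHCP server cannot redirect the default route.
    # The default route is set statically below instead.
    UseGateway=no

    [Route]
    Gateway=192.0.2.1

    # New in 246: HTB root qdisc. Class minor 20 (hex) receives unclassified
    # traffic.
    [HierarchyTokenBucket]
    Parent=root
    Handle=1
    DefaultClass=20

    # Class 1:10: small guaranteed share for interactive/management traffic.
    [HierarchyTokenBucketClass]
    Parent=root
    ClassId=1:10
    Priority=1
    Rate=20M
    CeilRate=100M

    # Class 1:20: the bulk of the link, borrowing up to the full rate when idle.
    [HierarchyTokenBucketClass]
    Parent=root
    ClassId=1:20
    Priority=2
    Rate=80M
    CeilRate=100M
    ```

    After writing the file, "networkctl reload" applies it; the resulting qdisc and classes can be inspected with "tc qdisc show dev eth0" and "tc class show dev eth0". Classifying traffic into 1:10 still requires a filter, which is outside this file.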
  • BlackList settings have been renamed to DenyList (preserving old name handling for backwards compatibility).
  • systemd-networkd has gained a large set of settings related to IPv6 and DHCPv6.
  • Added a “forcerenew” command to networkctl to force renewal of all DHCP leases.
  • In systemd-resolved, a DNS server entry may now carry a port number and the host name to be used for DNS-over-TLS certificate verification. The DNS-over-TLS implementation now supports SNI.
  • systemd-resolved can now be configured for the forwarding of single-label DNS names (names consisting of a single label, without a domain part).
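    The following resolved.conf drop-in is an added example, not code from the release notes or from the systemd project. It shows the new per-server port and certificate host name syntax ("address[:port][#name]") together with strict DNS-over-TLS, using the public Cloudflare resolver addresses and certificate name as realistic values. The ResolveUnicastSingleLabel= key is assumed to be the setting behind the single-label name item above; verify the name against resolved.conf(5) on the installed version.

    ```ini
    # /etc/systemd/resolved.conf.d/dot.conf  (constructed example)
    [Resolve]
    # New in 246: optional ":port" after the address and "#name" giving the host
    # name the server's TLS certificate must match. The name is also sent as SNI.
    # IPv6 addresses must be bracketed when a port is given.
    DNS=1.1.1.1:853#cloudflare-dns.com [2606:4700:4700::1111]:853#cloudflare-dns.com
    # Strict mode: if a TLS session cannot be established, resolution fails
    # rather than falling back to plaintext on port 53.
    DNSOverTLS=yes
    # Validate DNSSEC; "allow-downgrade" would accept a stripped-signature answer.
    DNSSEC=yes
    # Assumed setting name: keep single-label names local instead of forwarding
    # them to the unicast DNS servers above, so hostnames typed without a domain
    # are not leaked to, or answered by, an upstream resolver.
    ResolveUnicastSingleLabel=no
    ```

    "resolvectl status" shows whether the configured servers are in use and whether the DNS-over-TLS and DNSSEC settings took effect; a certificate whose name does not match the part after "#" makes the server unusable in strict mode.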
  • systemd-journald provides support for using the zstd algorithm to compress large fields in journals. Work has been done to protect against collisions in hash tables used in journals.
  • Clickable URLs with links to documentation have been added to journalctl when displaying log messages.
  • Added an Audit setting to journald.conf to control whether auditing is enabled during systemd-journald initialization.
  • Systemd-coredump now has the ability to compress core dumps using the zstd algorithm.
  • Added UUID setting to systemd-repart to assign a UUID to the created partition.
  • The systemd-homed service, which manages portable home directories, can now unlock home directories using FIDO2 tokens. The LUKS encryption backend now automatically discards (trims) empty file system blocks when a session ends. Protection against double encryption was added for the case where the /home partition is already encrypted.
  • Added settings to /etc/crypttab: “keyfile-erase” to delete a key file after use, and “try-empty-password” to attempt to unlock a partition with an empty password before prompting the user (useful for installing encrypted images whose password is assigned after the first boot, not during installation).
  • systemd-cryptsetup adds support for unlocking Microsoft BitLocker partitions at boot time via /etc/crypttab. Keys for automatically unlocking partitions can now also be read from the files /etc/cryptsetup-keys.d/ .key and /run/cryptsetup-keys.d/ .key.
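    The following /etc/crypttab is an added example, not from the release notes or from the systemd project, illustrating the two preceding items: the keyfile-erase and try-empty-password options, the bitlk option for a BitLocker volume, and the automatic key file lookup. The volume names and all-zero UUIDs are constructed placeholders. The lookup behaviour assumed in the last entry is the one documented in crypttab(5): when no key file is given, a file named after the volume with a .key suffix is searched for in /etc/cryptsetup-keys.d/ and /run/cryptsetup-keys.d/ before the user is prompted.

    ```text
    # /etc/crypttab  (constructed example)
    # name     device                                      key file                options

    # Key delivered into the volatile /run by an early-boot step and erased once
    # the volume is open (or activation fails), so it does not linger on disk.
    secrets    UUID=00000000-0000-0000-0000-000000000001   /run/keys/secrets.key   luks,keyfile-erase

    # Image shipped with an empty passphrase that is replaced on first boot:
    # try the empty passphrase first, prompt only if it no longer works.
    data       UUID=00000000-0000-0000-0000-000000000002   none                    luks,try-empty-password

    # Microsoft BitLocker volume; the BitLocker password is prompted for at boot.
    windows    UUID=00000000-0000-0000-0000-000000000003   none                    bitlk

    # No key file named: systemd-cryptsetup looks for
    # /etc/cryptsetup-keys.d/backup.key and /run/cryptsetup-keys.d/backup.key
    # and falls back to a prompt if neither exists.
    backup     UUID=00000000-0000-0000-0000-000000000004   -                       luks
    ```

    Key files under /etc/cryptsetup-keys.d/ should be root-owned with mode 0600, and a key that unlocks the root file system only protects the data if the boot medium holding it is itself trusted; keyfile-erase covers the transient-key case, not a key stored permanently on the same unencrypted disk.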

  • Added systemd-xdg-autostart-generator to create unit files from .desktop autostart files.
  • Added "reboot-to-firmware" command to "bootctl".
  • Added options to systemd-firstboot: "--image" to specify a disk image to operate on, "--kernel-command-line" to initialize the /etc/kernel/cmdline file, "--root-password-hashed" to specify the root password hash, and "--delete-root-password" to delete the root password.

Source: opennet.ru