systemd 248 system manager released

After four months of development, systemd 248 has been released. The new release brings system extension images for extending system directories at run time, the /etc/veritytab configuration file, the systemd-cryptenroll utility, unlocking of LUKS2 volumes with TPM2 chips and FIDO2 tokens, running units in a private IPC namespace, the B.A.T.M.A.N. mesh networking protocol in systemd-networkd, an nftables backend for systemd-nspawn, and a stabilized systemd-oomd.

Major changes:

  • Implemented the concept of System Extension images, which can be used to extend the /usr/ and /opt/ hierarchies and add files at run time, even when those directories are mounted read-only. When a system extension image is mounted, its contents are overlaid on top of /usr/ and /opt/ using OverlayFS.

    A new utility, systemd-sysext, has been added to mount (merge), unmount, list and refresh system extension images. The systemd-sysext.service unit mounts the installed images automatically at boot. A new SYSEXT_LEVEL= field in os-release declares which system extension level the host supports; an image is only merged if the extension-release file it carries matches the host.

  • Units gained the ExtensionImages= setting, which mounts system extension images into the file-system namespace of an individual, isolated service.
  • Added the /etc/veritytab configuration file for block-level integrity verification with dm-verity. Its format is similar to /etc/crypttab, one volume per line: volume name, data device, hash device, root hash and options. The systemd.verity.root_options= kernel command line option customizes dm-verity behaviour for the root device.
  • systemd-cryptsetup can now read the PKCS#11 token URI and the encrypted key from the LUKS2 JSON metadata header, so the information needed to open a volume is carried in the volume itself instead of in external files.
  • systemd-cryptsetup supports unlocking LUKS2 volumes with TPM2 chips and FIDO2 tokens, in addition to the previously supported PKCS#11 tokens. libfido2 is loaded via dlopen(), i.e. its presence is checked at run time rather than being a hard link-time dependency.
  • Added the no-write-workqueue and no-read-workqueue options to /etc/crypttab, which make systemd-cryptsetup bypass the dm-crypt work queues so that encryption and decryption I/O is processed synchronously.
  • systemd-repart can now set up LUKS2 encryption bound to a TPM2 chip on the partitions it creates, for example to create an encrypted /var partition on first boot.
  • The new systemd-cryptenroll utility enrolls TPM2 chips, FIDO2 tokens and PKCS#11 tokens into LUKS2 volumes; it can also list and wipe enrolled tokens, enroll recovery keys and enroll regular passwords.
  • The PrivateIPC= unit setting runs a service in its own IPC namespace, with private System V IPC identifiers and POSIX message queues. IPCNamespacePath= attaches a unit to an already existing IPC namespace.
  • Added the ExecPaths= and NoExecPaths= unit settings, which mark selected parts of the file system as executable or non-executable (the latter applies the noexec mount flag).
  • systemd-networkd supports the B.A.T.M.A.N. ("Better Approach To Mobile Adhoc Networking") mesh protocol, which builds decentralized networks in which every node reaches the others through its neighbours. It is configured with a [BatmanAdvanced] section in .netdev files, the BatmanAdvanced= setting in .network files, and the new netdev Kind "batadv".
  • The systemd-oomd early out-of-memory response daemon has been stabilized. A new DefaultMemoryPressureDurationSec= option sets how long a unit must stay above the pressure limit before action is taken. systemd-oomd relies on the kernel's PSI (Pressure Stall Information) interface to detect stalls caused by memory shortage and selectively kills resource-hungry cgroups while the system is still responsive, before it starts thrashing, i.e. aggressively dropping page cache and pushing data out to swap.
  • Added the root=tmpfs kernel command line parameter, which mounts the root file system from a tmpfs instance in RAM.
  • The key-file field in /etc/crypttab may now refer to an AF_UNIX/SOCK_STREAM socket. The key is read from a connection to that socket, which makes it possible to implement services that hand out keys dynamically.
  • The fallback hostname used by the system manager and systemd-hostnamed can now be set in two ways: via DEFAULT_HOSTNAME= in os-release and via the $SYSTEMD_DEFAULT_HOSTNAME environment variable. systemd-hostnamed also handles the hostname "localhost" specially and now exports the HardwareVendor and HardwareModel properties over D-Bus alongside the hostname.
  • The manager's environment block can now be configured with the new ManagerEnvironment= option in system.conf or user.conf, not only via the kernel command line and unit file settings.
  • systemd can now be built to spawn processes with fexecve() instead of execve(), which shrinks the window between checking a binary's security context and actually executing it.
  • Unit files gained the conditions ConditionSecurity=tpm2 and ConditionCPUFeature= to check for a TPM2 device and for individual CPU features; for example, ConditionCPUFeature=rdrand checks that the processor supports the RDRAND instruction.
  • The system call tables used by seccomp filters are now generated automatically from the kernel's system call definitions.
  • New bind mounts and images can now be inserted into the mount namespaces of running services without restarting them, using 'systemctl bind …' and 'systemctl mount-image …'.
  • StandardOutput= and StandardError= now accept paths prefixed with "truncate:", which truncates the target file before use (whereas "append:" keeps existing content).
  • sd-bus can now connect to the user session bus of a given user inside a local container, for example "systemctl --user -M lennart@ start quux".
  • The following settings were added to the [Link] section of systemd.link files:
    • Promiscuous= puts the device into promiscuous mode so that it processes all packets, including those not addressed to the local system;
    • TransmitQueues= and ReceiveQueues= set the number of TX and RX queues;
    • TransmitQueueLength= sets the TX queue length; GenericSegmentOffloadMaxBytes= and GenericSegmentOffloadMaxSegments= set limits for GSO (Generic Segmentation Offload).
  • New settings added to systemd.network files:
    • [Network] RouteTable= to select a routing table;
    • [RoutingPolicyRule] Type= to set the rule type ("blackhole", "unreachable", "prohibit");
    • [IPv6AcceptRA] RouteDenyList= and RouteAllowList= to deny or allow lists of advertised routes;
    • [DHCPv6] UseAddress= to ignore the address issued by DHCP;
    • [DHCPv6PrefixDelegation] ManageTemporaryAddress=;
    • [Link] ActivationPolicy= to define the interface's activation policy (always keep it UP or DOWN, or let the administrator change the state with "ip link set dev").
  • Added the [VLAN] Protocol=, IngressQOSMaps= and EgressQOSMaps= settings and the [MACVLAN] BroadcastMulticastQueueLength= setting to systemd.netdev files to configure how VLAN packets are handled.
  • /dev/ is no longer mounted with the noexec flag, because that flag conflicts with the executable mappings required for the /dev/sgx device files. Units that want the old behaviour can set NoExecPaths=/dev.
  • /dev/vsock is now created with mode 0666, and /dev/vhost-vsock and /dev/vhost-net are now owned by the kvm group.
  • The hardware database now lists USB fingerprint readers that correctly support being suspended.
  • systemd-resolved's stub resolver now answers DNSSEC queries: queries from local clients that request DNSSEC data are proxied unchanged to the upstream DNS server, so such clients can perform DNSSEC validation themselves.
  • A CacheFromLocalhost= option was added to resolved.conf; when enabled, systemd-resolved caches answers even from a DNS server at 127.0.0.1 (caching of such queries is off by default to avoid double caching).
  • systemd-resolved's stub resolver supports RFC 5001 NSID (Name Server Identifier), so clients can tell whether they are talking to the local stub or to another DNS server.
  • resolvectl now shows where an answer came from (local cache, network, synthesized locally, local zone, trust anchor) and whether it was obtained over a local or encrypted transport. The --cache=, --synthesize=, --network=, --zone=, --trust-anchor= and --validate= options control which of these sources and steps are used when resolving a name.
  • systemd-nspawn gained an nftables backend for its firewall configuration, in addition to the existing iptables support. The IPMasquerade= setting in systemd-networkd can likewise use an nftables-based backend.
  • Added support to systemd-localed to call locale-gen to generate missing locales.
  • Added --pager/ --no-pager/ --json= options to various utilities to enable/disable paging and JSON output. Added the ability to set the number of colors used in the terminal through the environment variable SYSTEMD_COLORS ("16" or "256").
  • Builds with split / and /usr (separate directory hierarchies) and support for cgroup v1 are now deprecated.
  • The master branch in Git has been renamed from 'master' to 'main'.
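As an added example of the system extension matching described above (not systemd's own code), the following lays out a minimal extension tree with the extension-release.<name> file that systemd-sysext looks for, and checks it against a host os-release the way systemd-sysext(8) describes: the extension's ID= must equal the host's, and its SYSEXT_LEVEL= must equal the host's SYSEXT_LEVEL= (if the extension carries no SYSEXT_LEVEL=, VERSION_ID= is compared instead). The distribution IDs, versions and file names are constructed placeholders, and the check is a reimplementation of the documented rule, not a call into systemd.

```python
"""Added example: build a sysext directory tree and apply the host/extension matching rule.
Not systemd's code; IDs, versions and paths below are constructed for the demo."""
import os
import tempfile


def parse_release(text):
    """Parse os-release / extension-release KEY=value lines, stripping quotes."""
    data = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        data[key.strip()] = value.strip().strip('"').strip("'")
    return data


def sysext_compatible(host, ext):
    """Return (ok, reason): ID= must match; then SYSEXT_LEVEL=, or VERSION_ID= if no level."""
    if ext.get("ID") is None or ext["ID"] != host.get("ID"):
        return False, "ID mismatch: host=%r ext=%r" % (host.get("ID"), ext.get("ID"))
    if "SYSEXT_LEVEL" in ext:
        if ext["SYSEXT_LEVEL"] != host.get("SYSEXT_LEVEL"):
            return False, "SYSEXT_LEVEL mismatch: host=%r ext=%r" % (
                host.get("SYSEXT_LEVEL"), ext["SYSEXT_LEVEL"])
        return True, "ID and SYSEXT_LEVEL match"
    if ext.get("VERSION_ID") != host.get("VERSION_ID"):
        return False, "VERSION_ID mismatch: host=%r ext=%r" % (
            host.get("VERSION_ID"), ext.get("VERSION_ID"))
    return True, "ID and VERSION_ID match"


def build_extension(root, name, release_text, files):
    """Lay out the tree: payload under usr/ plus usr/lib/extension-release.d/extension-release.<name>."""
    rel_dir = os.path.join(root, "usr", "lib", "extension-release.d")
    os.makedirs(rel_dir, exist_ok=True)
    with open(os.path.join(rel_dir, "extension-release." + name), "w") as fh:
        fh.write(release_text)
    for rel_path, content in files.items():
        path = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


def check_extension_dir(root, name, host_os_release):
    """Read the extension-release file of an unpacked extension and apply the rule."""
    rel = os.path.join(root, "usr", "lib", "extension-release.d", "extension-release." + name)
    if not os.path.exists(rel):
        return False, "extension-release file missing"
    with open(rel) as fh:
        return sysext_compatible(parse_release(host_os_release), parse_release(fh.read()))


# Constructed host os-release; "exampleos" is a placeholder, not a real distribution.
HOST_OS_RELEASE = 'ID=exampleos\nVERSION_ID="21.3"\nSYSEXT_LEVEL=2\n'


def demo():
    """Build four extensions and report which ones the constructed host would merge."""
    cases = {
        "tools": "ID=exampleos\nSYSEXT_LEVEL=2\n",          # level matches: merged
        "stale": "ID=exampleos\nSYSEXT_LEVEL=1\n",          # built for an older level: refused
        "foreign": "ID=otheros\nSYSEXT_LEVEL=2\n",          # other distribution: refused
        "byversion": 'ID=exampleos\nVERSION_ID="21.3"\n',   # no level, version matches: merged
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, release_text in cases.items():
            root = build_extension(os.path.join(tmp, name), name, release_text,
                                   {"usr/bin/extra-tool": "#!/bin/sh\necho extra\n"})
            results[name] = check_extension_dir(root, name, HOST_OS_RELEASE)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-10s %s %s" % (name, "MERGE " if ok else "REFUSE", why))
```

The point for an operator is the refusal cases: a stale or foreign image is not silently overlaid onto /usr/, which is why a host should carry an explicit SYSEXT_LEVEL= rather than relying on VERSION_ID= alone.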
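The crypttab key-socket feature above says only that the key is read from a connection to an AF_UNIX/SOCK_STREAM socket. As an added example (not systemd's code), here is a minimal key service of that shape, with the check a practitioner would want: it uses SO_PEERCRED to learn the uid of the connecting process and hands the key out only to an allowed uid, closing the connection with no data otherwise, so that an unauthorized reader gets an empty key and unlocking fails closed. The 32-byte key, the socket path and the allowed-uid set are constructed for the demo; a real deployment would run this under systemd (socket activation and a sandboxed unit are the natural fit) and obtain the key from a KMS or HSM-backed store rather than a constant. The client side mirrors what the page says systemd-cryptsetup does: connect, read until EOF.

```python
"""Added example: an AF_UNIX/SOCK_STREAM key service with peer-credential checking.
Not systemd's code. Linux-only (SO_PEERCRED). Key material and paths are constructed."""
import os
import socket
import struct
import tempfile
import threading

# Constructed 32-byte volume key; a real service would fetch it from a KMS/HSM, never embed it.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" "ffeeddccbbaa99887766554433221100")

# The matching crypttab line would name the socket in the key-file field, e.g.:
#   data  /dev/disk/by-uuid/<uuid>  /run/luks-key.sock  luks
# (illustrative; <uuid> is a placeholder)


def peer_credentials(conn):
    """(pid, uid, gid) of the connecting process, from the kernel's struct ucred."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def serve_one_request(sock_path, key, allowed_uids, ready):
    """Accept one connection; send the key only to an allowed peer uid, otherwise just close."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(sock_path)
        os.chmod(sock_path, 0o600)   # filesystem permissions limit who can connect at all
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
        with conn:
            pid, uid, gid = peer_credentials(conn)
            if uid in allowed_uids:
                conn.sendall(key)    # client reads until EOF, like systemd-cryptsetup
            # a disallowed peer gets an immediate EOF: an empty key, so unlocking fails closed
    finally:
        srv.close()


def fetch_key(sock_path):
    """Client side: connect and read the key until the server closes the connection."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(sock_path)
        chunks = []
        while True:
            data = cli.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def run_demo(allowed_uids):
    """Run the server in a thread, perform one fetch, and return what the client received."""
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "luks-key.sock")
        ready = threading.Event()
        server = threading.Thread(target=serve_one_request,
                                  args=(sock_path, DEMO_KEY, allowed_uids, ready))
        server.start()
        ready.wait(timeout=5)
        received = fetch_key(sock_path)
        server.join(timeout=5)
    return received


def demo_allowed():
    """Our own uid is on the allow list: the full key comes back."""
    return run_demo(frozenset({os.getuid()}))


def demo_denied():
    """Empty allow list: the connection is closed without any key bytes."""
    return run_demo(frozenset())


if __name__ == "__main__":
    print("allowed peer received", len(demo_allowed()), "bytes")
    print("denied peer received", len(demo_denied()), "bytes")
```

Note that the peer check is on the uid of the process that connected, so the socket should live in a directory only that service account and root can reach; the 0600 mode on the socket node is a second layer, not a replacement for the credential check.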
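The systemd-oomd item above mentions PSI and the new DefaultMemoryPressureDurationSec= setting without showing what the daemon actually looks at. As an added example (not systemd-oomd's code), here is a parser for the kernel's pressure file format (/proc/pressure/memory or a cgroup's memory.pressure) and a deliberately simplified model of the decision: act only once the "full" avg10 value has stayed at or above a limit for at least the configured duration, then pick the largest cgroup as the victim. The sample pressure lines, cgroup names and sizes are constructed; the 60% limit and 30 s duration are my assumed defaults, and the real daemon's candidate selection is more involved than "largest cgroup".

```python
"""Added example: parse PSI memory pressure and apply a limit-plus-duration rule.
Not systemd-oomd's code; samples, limits and cgroup names are constructed."""
import re

# One PSI line: "<some|full> avg10=<pct> avg60=<pct> avg300=<pct> total=<microseconds>"
PSI_LINE = re.compile(r"^(some|full) avg10=([\d.]+) avg60=([\d.]+) avg300=([\d.]+) total=(\d+)$")


def parse_pressure(text):
    """Return {"some": {...}, "full": {...}} from memory.pressure / /proc/pressure/memory content."""
    psi = {}
    for line in text.splitlines():
        m = PSI_LINE.match(line.strip())
        if m:
            psi[m.group(1)] = {
                "avg10": float(m.group(2)),
                "avg60": float(m.group(3)),
                "avg300": float(m.group(4)),
                "total_us": int(m.group(5)),
            }
    return psi


class PressureMonitor:
    """Fire only when 'full avg10' stays at or above limit_pct for duration_sec (assumed defaults)."""

    def __init__(self, limit_pct=60.0, duration_sec=30.0):
        self.limit_pct = limit_pct
        self.duration_sec = duration_sec
        self.above_since = None   # timestamp when pressure first crossed the limit

    def observe(self, now_sec, pressure_text):
        """Feed one sample; return True when the sustained-pressure condition is met."""
        full_avg10 = parse_pressure(pressure_text)["full"]["avg10"]
        if full_avg10 < self.limit_pct:
            self.above_since = None          # pressure dropped: reset the timer
            return False
        if self.above_since is None:
            self.above_since = now_sec
        return (now_sec - self.above_since) >= self.duration_sec


def pick_victim(candidates):
    """Simplified victim choice: the cgroup (path, memory_bytes) using the most memory."""
    return max(candidates, key=lambda c: c[1])[0]


# Constructed samples in the kernel's pressure file format.
PRESSURE_LOW = (
    "some avg10=0.15 avg60=0.10 avg300=0.05 total=123456\n"
    "full avg10=0.00 avg60=0.00 avg300=0.00 total=0\n"
)
PRESSURE_HIGH = (
    "some avg10=92.30 avg60=61.10 avg300=20.40 total=9876543\n"
    "full avg10=71.50 avg60=33.20 avg300=9.80 total=4321000\n"
)


def simulate():
    """Samples every 10 s: pressure rises at t=10, so the rule fires at t=40 (30 s sustained),
    resets when pressure drops at t=50, and does not fire again on a single high sample."""
    mon = PressureMonitor(limit_pct=60.0, duration_sec=30.0)
    timeline = [(0, PRESSURE_LOW), (10, PRESSURE_HIGH), (20, PRESSURE_HIGH),
                (30, PRESSURE_HIGH), (40, PRESSURE_HIGH), (50, PRESSURE_LOW), (60, PRESSURE_HIGH)]
    return [mon.observe(t, sample) for t, sample in timeline]


if __name__ == "__main__":
    print("decisions:", simulate())
    victim = pick_victim([("/user.slice/app-a.scope", 1 << 30), ("/user.slice/app-b.scope", 3 << 30)])
    print("would kill:", victim)
```

The duration is what keeps a brief spike (one compile job starting, a large file being read) from triggering a kill; lowering DefaultMemoryPressureDurationSec= trades that safety for faster reaction.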
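The two systemd-resolved items above (DNSSEC pass-through for the stub resolver and RFC 5001 NSID) both hinge on what a client puts in the EDNS0 OPT pseudo-record of its query: the DO ("DNSSEC OK") bit, and an NSID option requesting the server's identity. As an added example (not resolved's code), here is a minimal builder and inspector for such queries on the wire, plus a policy function that mirrors the behaviour described on the page: a query with DO set is proxied to the upstream server unchanged so the client can validate, everything else is answered by the local resolver. The query names and transaction id are constructed; the framing follows the DNS, EDNS0 (RFC 6891) and NSID (RFC 5001) wire formats.

```python
"""Added example: build/inspect DNS queries with EDNS0 DO and NSID, and apply the stub's
pass-through policy. Not systemd-resolved's code; names and ids are constructed."""
import struct

DO_FLAG = 0x8000      # "DNSSEC OK" bit in the OPT record's TTL field (RFC 6891)
OPT_TYPE = 41         # EDNS0 OPT pseudo-RR type
NSID_OPTION = 3       # EDNS option code for NSID (RFC 5001)


def _encode_name(name):
    """Encode "example.com" as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, do_bit=False, nsid=False, txid=0x1234):
    """Standard recursive query; adds an OPT record only if an EDNS feature is requested."""
    want_edns = do_bit or nsid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if want_edns else 0)
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)
    pkt = header + question
    if want_edns:
        options = struct.pack("!HH", NSID_OPTION, 0) if nsid else b""   # empty NSID = "tell me"
        ttl = DO_FLAG if do_bit else 0                                   # ext-rcode/version are 0
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, len(options)) + options
    return pkt


def _read_name(pkt, off):
    """Decode a name at offset; follows one compression pointer if present."""
    labels = []
    while True:
        length = pkt[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(pkt, ptr)
            return ".".join(labels + ([tail] if tail else [])), off + 2
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def inspect_query(pkt):
    """Return the first question name plus which EDNS features the client asked for."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    qname = None
    for _ in range(qd):
        name, off = _read_name(pkt, off)
        qname = qname or name
        off += 4                                  # qtype + qclass
    info = {"txid": txid, "qname": qname, "edns": False, "do": False, "nsid": False}
    for _ in range(an + ns + ar):
        _, off = _read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == OPT_TYPE:
            info["edns"] = True
            info["do"] = bool(ttl & DO_FLAG)
            o = 0
            while o + 4 <= len(rdata):            # walk the option list: code, length, data
                code, olen = struct.unpack("!HH", rdata[o:o + 4])
                if code == NSID_OPTION:
                    info["nsid"] = True
                o += 4 + olen
    return info


def stub_action(info):
    """Policy from the page: DO-bit queries go upstream unchanged so the client can validate."""
    return "proxy-upstream-unchanged" if info["do"] else "answer-locally"


if __name__ == "__main__":
    for kwargs in ({"do_bit": True, "nsid": True}, {"nsid": True}, {}):
        info = inspect_query(build_query("example.com", 1, **kwargs))
        print(kwargs, "->", info, stub_action(info))
```

An NSID-only query stays on the local path but lets the client see, from the NSID the stub puts in its answer, that it is talking to the local resolver rather than to whatever 127.0.0.53 happens to be on another host.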

Source: opennet.ru
