systemd system manager release 249

After three months of development, systemd 249 has been released. The new release adds the ability to define users and groups in JSON format, stabilizes the Journal protocol, simplifies A/B updates based on alternating disk partitions, allows BPF programs to be attached to services, implements user ID mapping for mounted partitions, and offers a large number of new network settings and container-launching options.

Major changes:

  • The Journal protocol is now documented and can be used by clients in place of the syslog protocol for local delivery of log records. The protocol has been implemented for a long time and is already used by some client libraries; only now, however, has it been declared officially supported.
  • Userdb and nss-systemd can read additional user definitions in JSON format from the /etc/userdb/, /run/userdb/, /run/host/userdb/ and /usr/lib/userdb/ directories. This gives the system an additional mechanism for creating users, fully integrated with NSS and /etc/shadow. JSON user/group records also make it possible to attach resource-management and other settings to users, which pam_systemd and systemd-logind recognize.
  • nss-systemd provides synthesis of user/group entries in /etc/shadow using hashed passwords from systemd-homed.
  • A mechanism has been implemented that simplifies updates using disk partitions that alternate (one partition is active and the second is a spare; the update is copied to the spare partition, which then becomes active). If a disk image contains two root or /usr partitions, and either udev has not detected a 'root=' parameter or the image was specified via the "--image" option of systemd-nspawn or systemd-dissect, the partition to boot from can be chosen by comparing GPT labels: the label is assumed to contain the version number of the partition contents, and systemd selects the partition with the newer version.
  • A BPFProgram setting has been added to service unit files; it loads BPF programs into the kernel and attaches them to specific systemd services.
  • Systemd-fstab-generator and systemd-repart add the ability to boot from disks that only have a /usr partition and no root partition (the root partition will be generated by systemd-repart during the first boot).
  • In systemd-nspawn, the "--private-user-chown" option has been replaced by the more generic "--private-user-ownership" option, which accepts the values "chown" (equivalent to the old "--private-user-chown"), "off" (disable the old behaviour), "map" (map user IDs on mounted file systems) and "auto" (use "map" if the kernel supports it, 5.12+, otherwise fall back to a recursive "chown"). With mapping, files owned by one user on a mounted foreign partition can be presented as owned by another user on the current system, which simplifies sharing files between users. In the systemd-homed portable home directory mechanism, mapping allows users to move their home directories to external media and use them on different computers that do not share the same user ID layout.
  • In systemd-nspawn, the "--private-user" option now accepts the value "identity", which sets up a user namespace with an identity mapping of user IDs, i.e. UID 0 and UID 1 in the container map to UID 0 and UID 1 on the host. This reduces the attack surface, because the container only receives process capabilities within its own namespace.
  • The “--bind-user” option has been added to systemd-nspawn to forward a user account existing in the host environment to the container (the home directory is mounted into the container, a user/group entry is added, and UID mapping is performed between the container and the host environment).
  • systemd-ask-password and systemd-sysusers now support obtaining passwords through credentials (passwd.hashed-password. and passwd.plaintext-password.) using the mechanism introduced in systemd 247 for securely passing sensitive data via files in a separate directory. By default, credentials are accepted from PID 1, which in turn receives them, for example, from the container manager; this makes it possible to set a user's password on first boot.
  • systemd-firstboot can now use the secure credential-passing mechanism to obtain various system parameters, which can be used to initialize settings on the first boot of a container image whose /etc directory lacks them.
  • PID 1 can now display both the unit name and its description during boot. The output is controlled via the "StatusUnitFormat=combined" setting in system.conf or the kernel command line option "systemd.status-unit-format=combined".
  • The "--image" option has been added to systemd-machine-id-setup and systemd-repart, to write a machine ID into a disk image or to grow a disk image, respectively.
  • A MakeDirectories parameter has been added to the partition definition files used by systemd-repart; it creates arbitrary directories in the newly created file system before the partition is registered in the partition table (for example, to create mount-point directories in the root partition so that it can be mounted read-only right away). To control GPT flags on created partitions, the Flags, ReadOnly and NoAuto parameters have been added. The CopyBlocks parameter accepts the value "auto" to automatically select the partition the system booted from as the source when copying blocks (for example, to transfer the current root partition to new media).
  • A "grow-file-system" GPT partition flag has been implemented, similar to the x-systemd.growfs mount option: it automatically extends the file system to the boundaries of the block device if the file system is smaller than the partition. The flag applies to Ext3, XFS and Btrfs file systems and is honoured for automatically discovered partitions. It is enabled by default for writable partitions created by systemd-repart, where the GrowFileSystem option configures it.
  • /etc/os-release supports the new IMAGE_VERSION and IMAGE_ID variables, which identify the version and ID of atomically updated images. The %M and %A specifiers substitute these values into various commands.
  • The “--extension” parameter has been added to the portablectl utility to activate portable system extension images (for example, through them you can distribute images with additional services integrated into the root partition).
  • The systemd-coredump utility provides the extraction of ELF build-id information when generating a core dump of a process, which can be useful for determining which package a failing process belongs to if information about the name and version of deb or rpm packages was built into the ELF files.
  • New hardware database (hwdb) entries for FireWire (IEEE 1394) devices have been added to udev.
  • In udev, three changes have been made to the "net_id" network interface naming scheme that break backward compatibility: invalid characters in interface names are now replaced with "_"; PCI hotplug slot names on s390 systems are parsed as hexadecimal; up to 65535 built-in PCI devices are allowed (previously numbers above 16383 were rejected).
  • systemd-resolved adds the "home.arpa" domain to the NTA (Negative Trust Anchors) list; this domain is recommended for local home networks and is not validated with DNSSEC.
  • The CPUAffinity parameter now supports "%" specifiers.
  • A ManageForeignRoutingPolicyRules parameter has been added to .network files; it can be used to prevent systemd-networkd from managing routing policy rules installed by third parties.
  • The RequiredFamilyForOnline parameter has been added to the “.network” files to determine the presence of an IPv4 or IPv6 address as a sign that the network interface is in the “online” state. Networkctl provides a display of the “online” status for each link.
  • Added OutgoingInterface parameter to .network files to define outgoing interfaces when configuring network bridges.
  • A Group parameter has been added to “.network” files, allowing you to configure a Multipath group for entries in the “[NextHop]” section.
  • Added options "-4" and "-6" to systemd-network-wait-online to limit connection waits to IPv4 or IPv6 only.
  • A RelayTarget parameter has been added to the DHCP server settings, which switches the server to DHCP relay mode. For additional configuration of the DHCP relay, the RelayAgentCircuitId and RelayAgentRemoteId options are offered.
  • The ServerAddress parameter has been added to the DHCP server, allowing you to explicitly set the server IP address (otherwise the address is selected automatically).
  • The DHCP server implements the [DHCPServerStaticLease] section, which allows you to configure static address bindings (DHCP leases), specifying fixed IP bindings to MAC addresses and vice versa.
  • The RestrictAddressFamilies setting supports the “none” value, which means that the service will not have access to sockets of any address family.
  • In the “.network” files in the [Address], [DHCPv6PrefixDelegation] and [IPv6Prefix] sections, support for the RouteMetric setting is implemented, which allows you to specify the metric for the route prefix created for the specified address.
  • nss-myhostname and systemd-resolved provide synthesis of DNS records with addresses for hosts with a special name “_outbound”, for which a local IP is always issued, chosen in accordance with the default routes used for outgoing connections.
  • In .network files, a RoutesToNTP setting (enabled by default) has been added to the "[DHCPv4]" section. It adds a separate route through the current network interface to the NTP server address obtained for that interface via DHCP; like the equivalent DNS setting, it guarantees that traffic to the NTP server is routed through the interface on which the address was received.
  • Added SocketBindAllow and SocketBindDeny settings to control which address families and ports the sockets of the current service may be bound to.
  • For unit files, a ConditionFirmware condition has been implemented, which allows checks on firmware properties, such as whether the system booted via UEFI or uses a device tree, as well as compatibility with particular device-tree capabilities.
  • A ConditionOSRelease option has been implemented to check fields in the /etc/os-release file. The operators "=", "!=", "<", "<=", ">=" and ">" may be used when comparing field values.
  • In the hostnamectl utility, the "get-xyz" and "set-xyz" commands have lost their "get" and "set" prefixes: for example, instead of "hostnamectl get-hostname" and "hostnamectl set-hostname" you can use "hostnamectl hostname", which assigns a value when an additional argument is given ("hostnamectl hostname value"). The old commands remain supported for compatibility.
  • The systemd-detect-virt utility and the ConditionVirtualization setting ensure correct identification of Amazon EC2 environments.
  • The LogLevelMax setting in unit files now applies not only to log messages generated by the service, but also to PID 1 process messages that mention the service.
  • Provided the ability to include SBAT (UEFI Secure Boot Advanced Targeting) data in systemd-boot EFI PE files.
  • /etc/crypttab implements new options “headless” and “password-echo” - the first allows you to skip all operations associated with interactively prompting for passwords and PINs from the user, and the second allows you to configure the method for displaying password input (show nothing, show character by character and display asterisks). The “--echo” option has been added to systemd-ask-password for similar purposes.
  • systemd-cryptenroll, systemd-cryptsetup and systemd-homed have expanded support for unlocking encrypted LUKS2 partitions using FIDO2 tokens. New options "--fido2-with-user-presence", "--fido2-with-user-verification" and "--fido2-with-client-pin" control the user-presence check, user verification and whether a PIN must be entered.
  • Added “--user”, “--system”, “--merge” and “--file” options to systemd-journal-gatewayd, similar to the journalctl options.
  • In addition to the direct dependencies between units expressed through the OnFailure and Slice parameters, the implicit inverse dependencies OnFailureOf and SliceOf are now supported, which is useful, for example, for listing all units belonging to a slice.
  • New dependency types between units have been added: OnSuccess and OnSuccessOf (the counterpart of OnFailure, triggered on successful completion); PropagatesStopTo and StopPropagatedFrom (propagate a unit's stop event to another unit); Upholds and UpheldBy (an alternative to Restart).
  • The systemd-ask-password utility now has a “--emoji” option to control the appearance of the padlock symbol (🔐) in the password input line.
  • Added documentation on systemd source tree structure.
  • For units, a MemoryAvailable property has been added, showing how much memory the unit has left before reaching the limit set through the MemoryMax, MemoryHigh or MemoryAvailable parameters.
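As an added illustration (not part of the release notes or of this article), the following service unit combines several of the unit-file settings listed above: ConditionOSRelease and ConditionFirmware, the new OnSuccess and Upholds dependencies, RestrictAddressFamilies, the SocketBindAllow/SocketBindDeny pair, BPFProgram and LogLevelMax. The service name, the binary path, the port and the path of the pinned BPF program are assumptions chosen for the example; the BPF program itself is not shown.

```ini
# /etc/systemd/system/api-gateway.service  (constructed example)
[Unit]
Description=Example API gateway sandboxed with systemd 249 settings
# Only start on images whose /etc/os-release matches; "=", "!=", "<", "<=", ">=", ">" are allowed
ConditionOSRelease=ID=exampleos
ConditionOSRelease=VERSION_ID>=3
# Only on machines booted via UEFI firmware
ConditionFirmware=uefi
# New dependency types: keep a helper unit running as long as this one runs,
# and start a reporting unit when this one exits successfully
Upholds=api-gateway-cache.service
OnSuccess=api-gateway-report.service
OnFailure=api-gateway-alert.service

[Service]
# Hypothetical daemon listening on TCP port 8443
ExecStart=/usr/bin/api-gateway --listen [::]:8443
DynamicUser=yes
# Only IPv4/IPv6 sockets; "none" (new in 249) would remove socket access entirely
RestrictAddressFamilies=AF_INET AF_INET6
# New in 249: every bind() except to port 8443 is refused for this service.
# An allow rule takes precedence over a matching deny rule.
SocketBindDeny=any
SocketBindAllow=8443
# New in 249: attach a cgroup BPF program (pinned in bpffs, hypothetical path)
# to this service's cgroup; format is <attach-type>:<path>
BPFProgram=egress:/sys/fs/bpf/api-gateway-egress
# Drop log messages above this level, including PID 1 messages about this unit
LogLevelMax=notice

[Install]
WantedBy=multi-user.target
```

The bind restriction and BPFProgram= both rely on cgroup v2 and BPF support in the kernel; where they are unavailable, `systemctl status` shows the unit as having started without the restriction rather than failing, so check the journal for the corresponding warning when auditing a deployment.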
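An added example (not from the release or the article) of the new systemd-networkd settings listed above: a LAN interface running the DHCP server with an explicit ServerAddress and fixed leases in [DHCPServerStaticLease] sections, plus an uplink interface using RequiredFamilyForOnline and RoutesToNTP. Interface names, addresses and MAC addresses are constructed for the example.

```ini
# /etc/systemd/network/10-lan.network  (constructed example)
[Match]
Name=lan0

[Network]
Address=10.0.0.1/24
DHCPServer=yes
# New in 249: leave routing policy rules installed by other tools alone
ManageForeignRoutingPolicyRules=no

[DHCPServer]
# New in 249: set the server address explicitly instead of auto-selecting it
ServerAddress=10.0.0.1/24
PoolOffset=100
PoolSize=50
EmitDNS=yes
DNS=10.0.0.1

# New in 249: one section per fixed MAC-to-IP binding
[DHCPServerStaticLease]
MACAddress=02:00:00:00:00:10
Address=10.0.0.10

[DHCPServerStaticLease]
MACAddress=02:00:00:00:00:11
Address=10.0.0.11

# /etc/systemd/network/20-uplink.network  (constructed example)
[Match]
Name=wan0

[Link]
# New in 249: the link counts as "online" only once it holds an IPv4 address
RequiredFamilyForOnline=ipv4

[Network]
DHCP=ipv4

[DHCPv4]
UseNTP=yes
# New in 249 (default yes): route to the DHCP-supplied NTP server via this link
RoutesToNTP=yes
```

Static leases are the counterpart of MAC-based allow lists: they pin addresses to known devices, but because MAC addresses are trivially spoofable they are a convenience for address planning, not an access control. The relay settings (RelayTarget and the RelayAgent options) switch the same section into relay mode and therefore are not combined with a lease pool in one file.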
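An added example (not part of the release or the article) of systemd-repart definitions that use the new MakeDirectories, GrowFileSystem, ReadOnly, NoAuto and CopyBlocks=auto features listed above. The assumed scenario is an image shipped with only an ESP and a /usr partition: on first boot, systemd-repart creates a root partition with pre-made mount points and an empty spare root slot for A/B updates. File names, labels and sizes are chosen for the example.

```ini
# /etc/repart.d/10-esp.conf  (constructed example)
[Partition]
Type=esp
Format=vfat
SizeMinBytes=256M
SizeMaxBytes=256M
# Never extend a FAT ESP, even if the device is larger than the table
GrowFileSystem=no

# /etc/repart.d/20-root-a.conf  (constructed example)
# Created on first boot of an image that ships only ESP + /usr (no root partition)
[Partition]
Type=root
Format=ext4
# The version-bearing label: gpt-auto picks the root partition with the newest label
Label=root_v1
Weight=1000
# New in 249: create mount points up front so the partition could be mounted read-only
MakeDirectories=/home /srv /var /usr /efi
# New in 249: set the "grow-file-system" GPT flag (default for writable partitions)
GrowFileSystem=yes

# /etc/repart.d/30-root-b.conf  (constructed example)
# Spare A/B slot; left unformatted and flagged so it is not auto-mounted.
# An update tool writing a new root image here is expected to relabel it
# (e.g. root_v2) so that the newer version wins at the next boot.
[Partition]
Type=root
Label=root_spare
Weight=1000
NoAuto=yes
ReadOnly=yes
# To clone the currently booted root into this slot instead (e.g. when
# preparing new media), replace the flags above with:
# CopyBlocks=auto
```

Marking the spare slot read-only and no-auto means a stale or half-written image in it cannot be picked up by auto-discovery; only a deliberate relabel by the update process makes it bootable.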

Source: opennet.ru
