systemd system manager release 253

After three and a half months of development, the release of the systemd system manager 253 is presented.

Among the changes in the new release:

  • The 'ukify' utility is included to assemble, verify and sign unified kernel images (UKI, Unified Kernel Image), which combine a UEFI boot stub (the loader that starts the kernel from UEFI), a Linux kernel image and an in-memory system environment (initrd) used for initialization before the root FS is mounted. The utility replaces the functionality previously provided by the 'dracut --uefi' command and extends it with automatic calculation of offsets in PE files, merging of initrds, signing of the embedded kernel, creation of combined images with sbsign, heuristics for determining the kernel uname, image verification with a splash screen, and the addition of signed PCR policies generated by the systemd-measure utility.
  • Added support for non-memory initrd environments that use overlayfs instead of tmpfs. For such environments, systemd does not delete all files in the initrd after a root file system switchover.
  • The "OpenFile" parameter has been added to services to open arbitrary files in the FS (or connect to Unix sockets) and pass the associated file descriptors to the started process (for example, when an unprivileged service needs access to a file without changing the file's access rights).
  • In systemd-cryptenroll, when enrolling new keys, an encrypted partition can now be unlocked with a FIDO2 token (--unlock-fido2-device) instead of entering a password. A user-specified PIN is stored together with a salt to make brute-force guessing more difficult.
  • Added ReloadLimitIntervalSec and ReloadLimitBurst settings, as well as kernel command line options (systemd.reload_limit_interval_sec and systemd.reload_limit_burst) to limit the background process restart rate.
  • For units, the "MemoryZSwapMax" option is implemented to set the memory.zswap.max property, which determines the maximum zswap size.
  • For units, the "LogFilterPatterns" option is implemented, which allows you to set regular expressions to filter information output to the log (can be used to exclude certain output or save only certain data).
  • Scope units now support the "OOMPolicy" setting, which sets how the unit is treated when the kernel OOM killer kills one of its processes (login sessions are set to OOMPolicy=continue so that the OOM killer does not force them to end).
  • A new service type is defined, "Type=notify-reload", which extends the "Type=notify" type with the ability to wait for the handling of the reload signal (SIGHUP) to complete. The systemd-networkd.service, systemd-udevd.service and systemd-logind services have been moved to the new type.
  • udev uses a new network device naming scheme, which differs in that ID_NET_NAME_PATH is now also set for USB devices not bound to a PCI bus, to provide more predictable naming. The '-=' operator has been implemented for SYMLINK variables, which removes a symbolic link that an earlier rule had added.
  • systemd-boot reworked seeding of the kernel pseudo-random number generator and of the disk backend. Added support for loading the kernel not only from the ESP (EFI System Partition), for example, from the firmware or directly for QEMU. SMBIOS parameters are now parsed to detect whether the system is running in a virtualization environment. A new 'if-safe' mode has been implemented, in which the certificate for UEFI Secure Boot is loaded from the ESP only if this is considered safe (running in a virtual machine).
  • The bootctl utility now generates a system token on all EFI systems except virtualization environments. Added the 'kernel-identify' and 'kernel-inspect' commands to display the kernel image type and information about command line options and the kernel version, 'unlink' to remove the files associated with a type #1 boot entry, and 'cleanup' to remove all files from the "entry-token" directory in the ESP and XBOOTLDR that are not associated with a type #1 boot entry. The KERNEL_INSTALL_CONF_ROOT variable is now processed.
  • The 'systemctl list-dependencies' command now handles the '--type' and '--state' options, and the 'systemctl kexec' command adds support for environments based on the Xen hypervisor.
  • The [DHCPv4] section of .network files now supports the SocketPriority and QuickAck options and the values high|medium|low for RouteMetric.
  • systemd-repart added the "--include-partitions", "--exclude-partitions" and "--defer-partitions" options to filter partitions by type UUID, which, for example, allows building images in which one partition is built from the contents of another partition. Also added the "--sector-size" option to specify the sector size used when creating partitions. Added support for generating erofs file systems. The Minimize setting now accepts the value "best" to select the smallest possible image size.
  • systemd-journal-remote allows the MaxUse, KeepFree, MaxFileSize and MaxFiles settings to limit disk space consumption.
  • Added support to systemd-cryptsetup to send proactive requests to FIDO2 tokens to determine their presence before authentication.
  • Added new parameters tpm2-measure-bank and tpm2-measure-pcr to crypttab.
  • The systemd-gpt-auto-generator now mounts the ESP and XBOOTLDR partitions with the noexec, nosuid and nodev options, and also honors the rootfstype and rootflags parameters passed via the kernel command line.
  • systemd-resolved provides the ability to configure resolver options by specifying the nameserver, domain, network.dns, and network.search_domains options on the kernel command line.
  • The "systemd-analyze plot" command added the ability to output in JSON format when specifying the "--json" flag. New options "--table" and "--no-legend" have also been added to control the output.
  • In 2023, it is planned to stop supporting cgroups v1 and separate directory hierarchies (when /usr is mounted separately from the root, or /bin and /usr/bin, /lib and /usr/lib directories are separated).
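The "OpenFile" item above describes descriptors being handed to the started process. They arrive the same way socket-activation descriptors do: starting at fd 3, with LISTEN_FDS giving the count, LISTEN_FDNAMES the colon-separated names and LISTEN_PID the intended recipient. The following is an added example, not systemd's own code, of the service side reading such descriptors; it assumes a hypothetical unit containing `User=app` and `OpenFile=/etc/app/secret.conf:config:read-only`, and the temporary file, environment dictionary and `first_fd` argument in `demo()` are constructed stand-ins for what systemd would provide.

```python
import os
import tempfile

# Added example (not from the systemd project): service-side reader for the
# descriptors that OpenFile= passes to a process via the sd_listen_fds protocol.
SD_LISTEN_FDS_START = 3


def inherited_fds(environ, first_fd=SD_LISTEN_FDS_START, pid=None):
    """Return {name: fd} for the descriptors passed by the service manager.

    Returns an empty dict (rather than raising) when the variables are absent,
    malformed or addressed to another pid, so the program can fall back to
    opening files itself. With duplicate names the last descriptor wins.
    """
    pid = os.getpid() if pid is None else pid
    try:
        if int(environ.get("LISTEN_PID", "0")) != pid:
            return {}
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return {}
    if count <= 0:
        return {}
    raw_names = environ.get("LISTEN_FDNAMES", "")
    names = raw_names.split(":") if raw_names else []
    result = {}
    for i in range(count):
        fd = first_fd + i
        name = names[i] if i < len(names) and names[i] else "unknown"
        # Mark close-on-exec so the descriptor does not leak into children.
        os.set_inheritable(fd, False)
        result[name] = fd
    return result


def demo():
    """Constructed stand-in for 'OpenFile=/etc/app/secret.conf:config:read-only'.

    In production the file would be root-owned and unreadable by the service
    user; here a temporary file opened in this process plays the part of the
    descriptor systemd would have opened and passed at fd 3.
    """
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write("token=example\n")
        path = f.name
    fd = os.open(path, os.O_RDONLY)
    env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1",
           "LISTEN_FDNAMES": "config"}
    fds = inherited_fds(env, first_fd=fd)
    with os.fdopen(fds["config"], "r") as cfg:
        content = cfg.read()
    os.unlink(path)
    return content


if __name__ == "__main__":
    print(demo())
```

In a real service the call is `inherited_fds(os.environ)` with the default `first_fd`; the pid check matters because the variables are inherited by any child the service forks without clearing them.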
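The "Type=notify-reload" item above says the manager waits for SIGHUP handling to complete; that works because the service reports RELOADING=1 together with a MONOTONIC_USEC= timestamp over the sd_notify socket and then READY=1 once the new configuration is in effect. The following is an added example, not systemd's own code, showing both sides of that exchange: the "manager" is a constructed stand-in that binds a socket where systemd would export $NOTIFY_SOCKET, and the `reread_config` callback and the monotonic-timestamp check are the example's own choices.

```python
import os
import socket
import tempfile
import time

# Added example (not from the systemd project): the sd_notify exchange of a
# Type=notify-reload service on SIGHUP, with a stand-in manager on the other end.


def monotonic_usec():
    """CLOCK_MONOTONIC in microseconds, the clock MONOTONIC_USEC= refers to."""
    return time.clock_gettime_ns(time.CLOCK_MONOTONIC) // 1000


def sd_notify(sock_path, **fields):
    """Send one notification datagram: newline-separated KEY=VALUE pairs."""
    payload = "".join(f"{k}={v}\n" for k, v in fields.items()).encode()
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(payload, sock_path)


def on_sighup(sock_path, reread_config):
    """Service side: announce the reload with a timestamp (so the manager can
    discard stale messages), apply the new configuration, then report ready."""
    sd_notify(sock_path, RELOADING=1, MONOTONIC_USEC=monotonic_usec())
    config = reread_config()
    sd_notify(sock_path, READY=1)
    return config


def parse_notify(payload):
    """Split a notification datagram into a {key: value} dict."""
    fields = {}
    for line in payload.decode().splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def simulate_reload():
    """Manager side: bind the socket, trigger the handler as SIGHUP would, and
    return the unit states observed, ignoring RELOADING= older than the signal."""
    tmpdir = tempfile.mkdtemp()
    sock_path = os.path.join(tmpdir, "notify")
    states = []
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as manager:
        manager.bind(sock_path)
        manager.settimeout(2.0)
        sent_at = monotonic_usec()  # when the manager would deliver SIGHUP
        on_sighup(sock_path, lambda: {"log_level": "debug"})  # constructed config
        while True:
            fields = parse_notify(manager.recv(4096))
            if fields.get("RELOADING") == "1":
                stamp = int(fields.get("MONOTONIC_USEC", "0"))
                if stamp < sent_at:
                    continue  # stale message from before the signal
                states.append("reloading")
            elif fields.get("READY") == "1":
                states.append("running")
                break
    os.unlink(sock_path)
    os.rmdir(tmpdir)
    return states


if __name__ == "__main__":
    print(simulate_reload())
```

A real service sends to the path in `os.environ["NOTIFY_SOCKET"]` from its SIGHUP handler; the timestamp is what lets the manager tell a reload it requested apart from one the service reported for an earlier signal.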

Source: opennet.ru
