After six months of development, systemd 257, the system and service manager, has been released. Key changes: the new systemd-sbsign and systemd-keyutil utilities, MPTCP support for socket-activated services, initial support for building against the musl C library, the updatectl utility for managing update installation via systemd-sysupdate, the ability to run services in separate PID namespaces, and protection against accidental file deletion with "systemd-tmpfiles --purge".
Among the changes in the new release:
- A new utility, systemd-sbsign, digitally signs executables in the PE (Portable Executable) format for booting under UEFI Secure Boot. Signatures can be produced with any OpenSSL engine or provider, so the signing key can be held in a hardware token or TPM exposed through a provider rather than in a file on disk. ukify can use systemd-sbsign as an alternative to sbsigntool and pesign when generating UKIs (Unified Kernel Images), which combine a UEFI boot stub, a Linux kernel image, and an initrd into a single PE file.
- A new utility, systemd-keyutil, implements various operations on private keys and X.509 certificates. For example, it can check that a private key or certificate loads correctly and extract the public key from either in PEM format.
- .socket units, which implement socket activation (starting a service when a connection arrives on a listening socket), now support MPTCP (Multipath TCP), a TCP extension that carries a single connection over several paths at once, through different network interfaces bound to different IP addresses.
- The package includes the initial changes required for building against the musl C library.
- The various systemd components that display progress indicators (e.g. systemd-repart, systemd-sysupdate/updatectl, and importctl) now emit ANSI escape sequences to animate progress. These sequences are currently only supported by Windows Terminal; the feature is expected to be ported to Linux terminal emulators eventually.
- The capabilities of systemd-sysupdate, which automatically discovers, downloads and installs updates, have been extended. It installs atomically by swapping partitions, files or directories: two independent partitions/files/directories are kept, one holding the currently running resource and the other receiving the next update, after which the two are swapped. In practice, systemd-sysupdate is already used in GNOME OS.
In addition to the systemd-sysupdate command, a D-Bus service, systemd-sysupdated, has been added so that unprivileged users can manage system updates (subject to Polkit authorization), together with a new utility, updatectl, for controlling it. A "--offline" flag has been added to systemd-sysupdate to prohibit fetching metadata over the network and use only versions already present on the local system. JSON output is now supported for all commands.
- A new PrivatePIDs= setting for services runs the service in its own PID namespace: the service process becomes PID 1 (the init process) of that namespace, and only processes inside the namespace are visible to it.
- udev rules now support case-insensitive matching (e.g. 'ATTR{foo}==i"abcd"'). udev now grants unprivileged local users access to the /dev/udmabuf device via the "uaccess" tag, which libcamera needs to drive Intel IPU6 cameras. udev also recognizes various USB hardware crypto wallets and sets the ID_HARDWARE_WALLET property on them, which allows them to be tagged "uaccess" for unprivileged users.
- New fields RELEASE_TYPE, EXPERIMENT, and EXPERIMENT_URL have been added to /etc/os-release. RELEASE_TYPE can be "experimental", "development", "stable", or "lts", distinguishing stable releases from development and experimental builds; EXPERIMENT and EXPERIMENT_URL describe the nature of an experimental build.
- The run0 utility, developed as a replacement for sudo, has gained a "--shell-prompt-prefix" option that sets a prefix string for the shell prompt. By default the prefix is the 🦸 emoji, so that a session with elevated privileges is visually distinct.
- To avoid accidentally deleting the wrong files, "systemd-tmpfiles --purge" now only acts on tmpfiles.d/ lines that carry the "$" flag explicitly, and it now requires at least one tmpfiles.d/ configuration file to be named on the command line. A '?' flag has been added for 'L' (symlink) lines, which creates the symlink only if its target exists.
- The service manager and related utilities continue to migrate their process-tracking code from numeric PIDs to pidfds (PID file descriptors). A pidfd refers to one specific process for its whole lifetime, whereas a PID can be reused for an unrelated process once the original has exited, which makes PID-based tracking susceptible to confusing the two.
- The "RestartMode=" service setting now accepts the value "debug": a failed service is then restarted with debugging enabled, i.e. the environment variable DEBUG_INVOCATION=1 is set and LogLevelMax= is temporarily raised to debug.
- PID 1 can now load policies for the IPE (Integrity Policy Enforcement) LSM, which define a system-wide integrity policy: which operations are allowed and how the authenticity of components is to be verified.
- A "DeferReactivation=" option has been added to .timer units; when enabled, the timer does not re-trigger its service on schedule while the previous activation is still running, and the next activation is deferred until it has finished.
- The PrivateUsers= unit setting now accepts the value "identity", which sets up a user namespace with an identity mapping of the first 65536 UIDs and GIDs (each ID maps to itself), so the service keeps its numeric identity but runs behind a user-namespace boundary.
- The PrivateTmp= unit setting now accepts the value "disconnected", which gives the service its own private tmpfs instances for /tmp/ and /var/tmp/, disconnected from the host's directories.
- The ProtectControlGroups= unit setting now supports the new modes "private" and "strict"; both create a new cgroup namespace for the service and mount a cgroupfs inside it, and "strict" mounts that cgroupfs read-only.
- The StateDirectory=, RuntimeDirectory=, CacheDirectory=, LogsDirectory= and ConfigurationDirectory= settings now accept a ":ro" flag that makes the corresponding directory read-only for the service.
- The kernel command-line parameter "systemd.machine_id=" now accepts the value "firmware", which derives the machine ID from the UUID in SMBIOS or the DeviceTree.
- Added support for the mseal(), listmount(), and statmount() system calls introduced in recent Linux kernel releases.
- The resolvectl, timedatectl, and systemd-inhibit utilities have been updated to support interactive authorization using Polkit.
- The systemctl utility has been updated to support the "--now" flag in the "reenable" command.
- The systemd-mount utility has a "--json" option for output in JSON format (for example, when specified together with "--list-devices" a list of devices will be output in JSON format).
- The "localectl" utility has been updated with "-l" and "--full" options to disable truncation of long lines in output.
- A HibernateOnACPower= option has been added to sleep.conf; when disabled, the transition to hibernation is postponed until the device is disconnected from mains power.
- In systemd-sysusers, "u" lines now support the "!" modifier, which creates fully locked user accounts (previously an invalid password hash was used to lock the user, which, for example, did not block key-based SSH logins).
- An "EnterNamespace=" option has been added to systemd-coredump, which lets it enter the mount namespace of a crashed process to locate the debug symbols there. In practice this is useful for producing backtraces from core dumps of applications running in isolated containers.
- systemd-logind now handles the Ctrl-Alt-Shift-Esc combination by sending the org.freedesktop.login1.SecureAttentionKey signal, asking desktop environment components to display the secure login dialog. A "DesignatedMaintenanceTime=" setting has been implemented to automatically schedule shutdown at a specified time. By analogy with the existing support for DRM and evdev devices, access for unprivileged users to hidraw devices (game controllers and joysticks) can now be configured.
- systemd-machined now allows unprivileged clients to register the virtual machines and containers they run. Its functionality is also exposed via a Varlink API, in addition to D-Bus.
- A new section "[IPv6AddressLabel]" has been added to the networkd.conf configuration file to configure labels and prefixes for IPv6 addresses.
- The 'networkctl edit' command now has a "--stdin" option to take the file contents from standard input. 'networkctl edit' and 'networkctl cat' can now edit and display .netdev files when given a network interface name. A "--no-ask-password" option has been added to disable interactive authentication.
- The ukify, bootctl, systemd-keyutil, systemd-measure, systemd-repart and systemd-sbsign utilities now have a "--certificate-source" option to load an X.509 certificate through an OpenSSL provider instead of directly from a file.
- systemd-boot now supports using the volume keys to move up and down in the boot menu, which is useful on devices such as smartphones. bootctl can now install the UEFI Secure Boot database (db/dbx/…) in ESL (EFI Signature List) format for systemd-boot.
- journalctl gained a "--list-invocations" option that lists the invocations of a unit and an "--invocation" ("-I") option that shows only the log entries of one specific invocation.
- systemd-nspawn now supports unprivileged use of FUSE (Filesystem in Userspace) inside containers. The "--bind-user" option now also forwards the user's SSH keys into the container, so the user can log in to it via SSH.
- libsystemd now exposes two new public APIs: "sd-json" for working with JSON and "sd-varlink" for Varlink IPC.
- The recommended minimum kernel version has been raised to 5.4, released in 2019. Support for older kernels is planned to be dropped next year, at which point 5.4 becomes the minimum supported kernel.
- Support for cgroups v1 has been deprecated and is disabled by default; to re-enable it, SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 must be specified on the kernel command line in addition to selecting the legacy hierarchy in systemd's own settings. The next release, systemd 258, is planned to remove the cgroups v1 code entirely, and also to drop support for System V service scripts.
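As an added illustration (constructed for this page, not taken from the systemd 257 release notes or from the systemd project's own documentation), the following service and timer fragments combine several of the new directives described above: PrivatePIDs=, PrivateUsers=identity, PrivateTmp=disconnected, ProtectControlGroups=strict, the ":ro" directory flag, RestartMode=debug and DeferReactivation=. The unit name report-gen, its binary and its paths are hypothetical; the directives themselves are the ones listed in the release.

```ini
# /etc/systemd/system/report-gen.service  (hypothetical unit; added example)
[Unit]
Description=Hourly report generator, sandboxed with systemd 257 directives

[Service]
Type=oneshot
# Hypothetical binary; writes its output into the service's state directory.
ExecStart=/usr/libexec/report-gen --out /var/lib/report-gen
# Own PID namespace: the service runs as PID 1 there and sees no host processes.
PrivatePIDs=yes
# User namespace with identity UID/GID mapping: same numeric IDs, extra boundary.
PrivateUsers=identity
# Private tmpfs instances for /tmp and /var/tmp, not tied to the host's directories.
PrivateTmp=disconnected
# Own cgroup namespace with cgroupfs mounted read-only.
ProtectControlGroups=strict
# Writable state and log directories, read-only configuration (":ro" flag).
StateDirectory=report-gen
LogsDirectory=report-gen
ConfigurationDirectory=report-gen:ro
# On failure, restart with DEBUG_INVOCATION=1 set and LogLevelMax= raised to debug.
Restart=on-failure
RestartMode=debug

# /etc/systemd/system/report-gen.timer  (hypothetical; added example)
[Unit]
Description=Run report-gen every hour

[Timer]
OnCalendar=hourly
# Do not trigger the service again while the previous run is still active;
# the next activation is deferred until it has finished.
DeferReactivation=yes

[Install]
WantedBy=timers.target
```

Validate the syntax with `systemd-analyze verify /etc/systemd/system/report-gen.service` and compare the exposure score before and after adding the sandboxing lines with `systemd-analyze security report-gen.service`. After a failure-triggered debug restart, `journalctl --list-invocations -u report-gen.service` shows the invocation IDs, and `journalctl -I <id>` isolates the log of the debug run.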
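Added example of the new "--purge" semantics (constructed here, not part of the release notes): a hypothetical tmpfiles.d fragment for the same hypothetical report-gen service. Only the lines flagged with "$" are removed by --purge; the unflagged line and the "L?" line are included for contrast.

```text
# /etc/tmpfiles.d/report-gen.conf  (hypothetical; added example)
# "$" marks the lines that "systemd-tmpfiles --purge" is allowed to remove.
d$ /var/lib/report-gen   0750 report-gen report-gen -
d$ /var/cache/report-gen 0750 report-gen report-gen -
# No "$": created by --create, never touched by --purge (logs survive a purge).
d  /var/log/report-gen   0750 report-gen report-gen -
# "?" on an L line: create the symlink only if its target exists.
L? /etc/report-gen/ca.pem - - - - /usr/share/report-gen/ca.pem
```

`systemd-tmpfiles --create /etc/tmpfiles.d/report-gen.conf` sets everything up; `systemd-tmpfiles --purge /etc/tmpfiles.d/report-gen.conf` removes only /var/lib/report-gen and /var/cache/report-gen, and a bare `systemd-tmpfiles --purge` with no configuration file named on the command line is now refused.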
Source: opennet.ru
