+CHANGES WITH 218:
+
+ * If compiled with --enable-xkbcommon, systemd-localed will
+ verify x11 keymap settings by compiling the given keymap. It
+ will spew out warnings if the compilation fails. This
+ requires libxkbcommon to be installed.
+
+CHANGES WITH 217:
+
+ * journalctl gained the new options -t/--identifier= to match
+ on the syslog identifier (aka "tag"), as well as --utc to
+ show log timestamps in the UTC timezone. journalctl now also
+ accepts -n/--lines=all to disable line capping in a pager.
+
+ * journalctl gained a new switch, --flush, that synchronously
+ flushes logs from /run/log/journal to /var/log/journal if
+ persistent storage is enabled. systemd-journal-flush.service
+ now waits until the operation is complete.
+
+ * Services can notify the manager before they start a reload
+ (by sending RELOADING=1) or shutdown (by sending
+ STOPPING=1). This allows the manager to track and show the
+ internal state of daemons and closes a race condition when
+ the process is still running but has closed its D-Bus
+ connection.
+
+ * Services with Type=oneshot do not have to have any ExecStart
+ commands anymore.
+
+ * User units are now loaded also from
+ $XDG_RUNTIME_DIR/systemd/user/. This is similar to the
+ /run/systemd/user directory that was already previously
+ supported, but is under the control of the user.
+
+ * Job timeouts (i.e. time-outs on the time a job that is
+ queued stays in the run queue) can now optionally result in
+ immediate reboot or power-off actions (JobTimeoutAction= and
+ JobTimeoutRebootArgument=). This is useful on ".target"
+ units, to limit the maximum time a target remains
+ undispatched in the run queue, and to trigger an emergency
+ operation in such a case. This is now used by default to
+ turn off the system if boot-up (as defined by everything in
+ basic.target) hangs and does not complete for at least
+ 15min. Also, if power-off or reboot hang for at least 30min
+ an immediate power-off/reboot operation is triggered. This
+ functionality is particularly useful to increase reliability
+ on embedded devices, but also on laptops which might
+ accidentally get powered on when carried in a backpack and
+ whose boot stays stuck in a hard disk encryption passphrase
+ question.
+
+ * systemd-logind can be configured to also handle lid switch
+ events even when the machine is docked or multiple displays
+ are attached (HandleLidSwitchDocked= option).
+
+ * A helper binary and a service have been added which can be
+ used to resume from hibernation in the initramfs. A
+ generator will parse the resume= option on the kernel
+ command line to trigger resume.
+
+ * A user console daemon systemd-consoled has been
+ added. Currently, it is a preview, and will so far open a
+ single terminal on each session of the user marked as
+ Desktop=systemd-console.
+
+ * Route metrics can be specified for DHCP routes added by
+ systemd-networkd.
+
+ * The SELinux context of socket-activated services can be set
+ from the information provided by the networking stack
+ (SELinuxContextFromNet= option).
+
+ * Userspace firmware loading support has been removed and
+ the minimum supported kernel version is thus bumped to 3.7.
+
+ * Timeout for udev workers has been increased from 1 to 3
+ minutes, but a warning will be printed after 1 minute to
+ help diagnose kernel modules that take a long time to load.
+
+ * Udev rules can now remove tags on devices with TAG-="foobar".
+
+ * systemd's readahead implementation has been removed. In many
+ circumstances it didn't give expected benefits even for
+ rotational disk drives and was becoming less relevant in the
+ age of SSDs. As none of the developers has been using
+ rotating media anymore, and nobody stepped up to actively
+ maintain this component of systemd it has now been removed.
+
+ * Swap units can use Options= to specify discard options.
+ Discard options specified for swaps in /etc/fstab are now
+ respected.
+
+ * Docker containers are now detected as a separate type of
+ virtualization.
+
+ * The Password Agent protocol gained support for queries where
+ the user input is shown, useful e.g. for user names.
+ systemd-ask-password gained a new --echo option to turn that
+ on.
+
+ * The default sysctl.d/ snippets will now set:
+
+ net.core.default_qdisc = fq_codel
+
+ This selects Fair Queuing Controlled Delay as the default
+ queuing discipline for network interfaces. fq_codel helps
+ fight the network bufferbloat problem. It is believed to be
+ a good default with no tuning required for most workloads.
+ Downstream distributions may override this choice. On 10Gbit
+ servers that do not do forwarding, "fq" may perform better.
+ Systems without a good clocksource should use "pfifo_fast".
+
+ * If kdbus is enabled during build a new option BusPolicy= is
+ available for service units, that allows locking all service
+ processes into a stricter bus policy, in order to limit
+ access to various bus services, or even hide most of them
+ from the service's view entirely.
+
+ * networkctl will now show the .network and .link file
+ networkd has applied to a specific interface.
+
+ * sd-login gained a new API call sd_session_get_desktop() to
+ query which desktop environment has been selected for a
+ session.
+
+ * UNIX utmp support is now compile-time optional to support
+ legacy-free systems.
+
+ * systemctl gained two new commands "add-wants" and
+ "add-requires" for pulling in units from specific targets
+ easily.
+
+ * If the word "rescue" is specified on the kernel command line
+ the system will now boot into rescue mode (aka
+ rescue.target), which was previously available only by
+ specifying "1" or "systemd.unit=rescue.target" on the kernel
+ command line. This new kernel command line option nicely
+ mirrors the already existing "emergency" kernel command line
+ option.
+
+ * New kernel command line options mount.usr=, mount.usrflags=,
+ mount.usrfstype= have been added that match root=, rootflags=,
+ rootfstype= but allow mounting a specific file system to
+ /usr.
+
+ * The $NOTIFY_SOCKET is now also passed to control processes of
+ services, not only the main process.
+
+ * This version reenables support for fsck's -l switch. This
+ means at least version v2.25 of util-linux is required for
+ operation, otherwise dead-locks on device nodes may
+ occur. Again: you need to update util-linux to at least
+ v2.25 when updating systemd to v217.
+
+ * The "multi-seat-x" tool has been removed from systemd, as
+ its functionality has been integrated into X servers 1.16,
+ and the tool is hence redundant. It is recommended to update
+ display managers invoking this tool to simply invoke X
+ directly from now on, again.
+
+ * Support for the new ALLOW_INTERACTIVE_AUTHORIZATION D-Bus
+ message flag has been added for all of systemd's PolicyKit
+ authenticated method calls has been added. In particular
+ this now allows optional interactive authorization via
+ PolicyKit for many of PID1's privileged operations such as
+ unit file enabling and disabling.
+
+ * "udevadm hwdb --update" learnt a new switch "--usr" for
+ placing the rebuilt hardware database in /usr instead of
+ /etc. When used only hardware database entries stored in
+ /usr will be used, and any user database entries in /etc are
+ ignored. This functionality is useful for vendors to ship a
+ pre-built database on systems where local configuration is
+ unnecessary or unlikely.
+
+ * Calendar time specifications in .timer units now also
+ understand the strings "semi-annually", "quarterly" and
+ "minutely" as shortcuts (in addition to the preexisting
+ "anually", "hourly", ...).
+
+ * systemd-tmpfiles will now correctly create files in /dev
+ at boot which are marked for creation only at boot. It is
+ recommended to always create static device nodes with 'c!'
+ and 'b!', so that they are created only at boot and not
+ overwritten at runtime.
+
+ * When the watchdog logic is used for a service (WatchdogSec=)
+ and the watchdog timeout is hit the service will now be
+ terminated with SIGABRT (instead of just SIGTERM), in order
+ to make sure a proper coredump and backtrace is
+ generated. This ensures that hanging services will result in
+ similar coredump/backtrace behaviour as services that hit a
+ segmentation fault.
+
+ Contributions from: Andreas Henriksson, Andrei Borzenkov,
+ Angus Gibson, Ansgar Burchardt, Ben Wolsieffer, Brandon L.
+ Black, Christian Hesse, Cristian Rodríguez, Daniel Buch,
+ Daniele Medri, Daniel Mack, Dan Williams, Dave Reisner, David
+ Herrmann, David Sommerseth, David Strauss, Emil Renner
+ Berthing, Eric Cook, Evangelos Foutras, Filipe Brandenburger,
+ Gustavo Sverzut Barbieri, Hans de Goede, Harald Hoyer, Hristo
+ Venev, Hugo Grostabussiat, Ivan Shapovalov, Jan Janssen, Jan
+ Synacek, Jonathan Liu, Juho Son, Karel Zak, Kay Sievers, Klaus
+ Purer, Koen Kooi, Lennart Poettering, Lukas Nykryn, Lukasz
+ Skalski, Łukasz Stelmach, Mantas Mikulėnas, Marcel Holtmann,
+ Marius Tessmann, Marko Myllynen, Martin Pitt, Michael Biebl,
+ Michael Marineau, Michael Olbrich, Michael Scherer, Michal
+ Schmidt, Michal Sekletar, Miroslav Lichvar, Patrik Flykt,
+ Philippe De Swert, Piotr Drąg, Rahul Sundaram, Richard
+ Weinberger, Robert Milasan, Ronny Chevalier, Ruben Kerkhof,
+ Santiago Vila, Sergey Ptashnick, Simon McVittie, Sjoerd
+ Simons, Stefan Brüns, Steven Allen, Steven Noonan, Susant
+ Sahani, Sylvain Plantefève, Thomas Hindoe Paaboel Andersen,
+ Timofey Titovets, Tobias Hunger, Tom Gundersen, Torstein
+ Husebø, Umut Tezduyar Lindskog, WaLyong Cho, Zbigniew
+ Jędrzejewski-Szmek.
+
+ -- Berlin, 2014-10-28
+
+CHANGES WITH 216:
+
+ * timedated no longer reads NTP implementation unit names from
+ /usr/lib/systemd/ntp-units.d/*.list. Alternative NTP
+ implementations should add a
+
+ Conflicts=systemd-timesyncd.service
+
+ to their unit files to take over and replace systemd's NTP
+ default functionality.
+
+ * systemd-sysusers gained a new line type "r" for configuring
+ which UID/GID ranges to allocate system users/groups
+ from. Lines of type "u" may now add an additional column
+ that specifies the home directory for the system user to be
+ created. Also, systemd-sysusers may now optionally read user
+ information from STDIN instead of a file. This is useful for
+ invoking it from RPM preinst scriptlets that need to create
+ users before the first RPM file is installed since these
+ files might need to be owned by them. A new
+ %sysusers_create_inline RPM macro has been introduced to do
+ just that. systemd-sysusers now updates the shadow files as
+ well as the user/group databases, which should enhance
+ compatibility with certain tools like grpck.
+
+ * A number of bus APIs of PID 1 now optionally consult
+ PolicyKit to permit access for otherwise unprivileged
+ clients under certain conditions. Note that this currently
+ doesn't support interactive authentication yet, but this is
+ expected to be added eventually, too.
+
+ * /etc/machine-info now has new fields for configuring the
+ deployment environment of the machine, as well as the
+ location of the machine. hostnamectl has been updated with
+ new command to update these fields.
+
+ * systemd-timesyncd has been updated to automatically acquire
+ NTP server information from systemd-networkd, which might
+ have been discovered via DHCP.
+
+ * systemd-resolved now includes a caching DNS stub resolver
+ and a complete LLMNR name resolution implementation. A new
+ NSS module "nss-resolve" has been added which can be used
+ instead of glibc's own "nss-dns" to resolve hostnames via
+ systemd-resolved. Hostnames, addresses and arbitrary RRs may
+ be resolved via systemd-resolved D-Bus APIs. In contrast to
+ the glibc internal resolver systemd-resolved is aware of
+ multi-homed system, and keeps DNS server and caches separate
+ and per-interface. Queries are sent simultaneously on all
+ interfaces that have DNS servers configured, in order to
+ properly handle VPNs and local LANs which might resolve
+ separate sets of domain names. systemd-resolved may acquire
+ DNS server information from systemd-networkd automatically,
+ which in turn might have discovered them via DHCP. A tool
+ "systemd-resolve-host" has been added that may be used to
+ query the DNS logic in resolved. systemd-resolved implements
+ IDNA and automatically uses IDNA or UTF-8 encoding depending
+ on whether classic DNS or LLMNR is used as transport. In the
+ next releases we intend to add a DNSSEC and mDNS/DNS-SD
+ implementation to systemd-resolved.
+
+ * A new NSS module nss-mymachines has been added, that
+ automatically resolves the names of all local registered
+ containers to their respective IP addresses.
+
+ * A new client tool "networkctl" for systemd-networkd has been
+ added. It currently is entirely passive and will query
+ networking configuration from udev, rtnetlink and networkd,
+ and present it to the user in a very friendly
+ way. Eventually, we hope to extend it to become a full
+ control utility for networkd.
+
+ * .socket units gained a new DeferAcceptSec= setting that
+ controls the kernels' TCP_DEFER_ACCEPT sockopt for
+ TCP. Similar, support for controlling TCP keep-alive
+ settings has been added (KeepAliveTimeSec=,
+ KeepAliveIntervalSec=, KeepAliveProbes=). Also, support for
+ turning off Nagle's algorithm on TCP has been added
+ (NoDelay=).
+
+ * logind learned a new session type "web", for use in projects
+ like Cockpit which register web clients as PAM sessions.
+
+ * timer units with at least one OnCalendar= setting will now
+ be started only after timer-sync.target has been
+ reached. This way they will not elapse before the system
+ clock has been corrected by a local NTP client or
+ similar. This is particular useful on RTC-less embedded
+ machines, that come up with an invalid system clock.
+
+ * systemd-nspawn's --network-veth= switch should now result in
+ stable MAC addresses for both the outer and the inner side
+ of the link.
+
+ * systemd-nspawn gained a new --volatile= switch for running
+ container instances with /etc or /var unpopulated.
+
+ * The kdbus client code has been updated to use the new Linux
+ 3.17 memfd subsystem instead of the old kdbus-specific one.
+
+ * systemd-networkd's DHCP client and server now support
+ FORCERENEW. There are also new configuration options to
+ configure the vendor client identifier and broadcast mode
+ for DHCP.
+
+ * systemd will no longer inform the kernel about the current
+ timezone, as this is necessarily incorrect and racy as the
+ kernel has no understanding of DST and similar
+ concepts. This hence means FAT timestamps will be always
+ considered UTC, similar to what Android is already
+ doing. Also, when the RTC is configured to the local time
+ (rather than UTC) systemd will never synchronize back to it,
+ as this might confuse Windows at a later boot.
+
+ * systemd-analyze gained a new command "verify" for offline
+ validation of unit files.
+
+ * systemd-networkd gained support for a couple of additional
+ settings for bonding networking setups. Also, the metric for
+ statically configured routes may now be configured. For
+ network interfaces where this is appropriate the peer IP
+ address may now be configured.
+
+ * systemd-networkd's DHCP client will no longer request
+ broadcasting by default, as this tripped up some networks.
+ For hardware where broadcast is required the feature should
+ be switched back on using RequestBroadcast=yes.
+
+ * systemd-networkd will now set up IPv4LL addresses (when
+ enabled) even if DHCP is configured successfully.
+
+ * udev will now default to respect network device names given
+ by the kernel when the kernel indicates that these are
+ predictable. This behavior can be tweaked by changing
+ NamePolicy= in the relevant .link file.
+
+ * A new library systemd-terminal has been added that
+ implements full TTY stream parsing and rendering. This
+ library is supposed to be used later on for implementing a
+ full userspace VT subsystem, replacing the current kernel
+ implementation.
+
+ * A new tool systemd-journal-upload has been added to push
+ journal data to a remote system running
+ systemd-journal-remote.
+
+ * journald will no longer forward all local data to another
+ running syslog daemon. This change has been made because
+ rsyslog (which appears to be the most commonly used syslog
+ implementation these days) no longer makes use of this, and
+ instead pulls the data out of the journal on its own. Since
+ forwarding the messages to a non-existent syslog server is
+ more expensive than we assumed we have now turned this
+ off. If you run a syslog server that is not a recent rsyslog
+ version, you have to turn this option on again
+ (ForwardToSyslog= in journald.conf).
+
+ * journald now optionally supports the LZ4 compressor for
+ larger journal fields. This compressor should perform much
+ better than XZ which was the previous default.
+
+ * machinectl now shows the IP addresses of local containers,
+ if it knows them, plus the interface name of the container.
+
+ * A new tool "systemd-escape" has been added that makes it
+ easy to escape strings to build unit names and similar.
+
+ * sd_notify() messages may now include a new ERRNO= field
+ which is parsed and collected by systemd and shown among the
+ "systemctl status" output for a service.
+
+ * A new component "systemd-firstboot" has been added that
+ queries the most basic systemd information (timezone,
+ hostname, root password) interactively on first
+ boot. Alternatively it may also be used to provision these
+ things offline on OS images installed into directories.
+
+ * The default sysctl.d/ snippets will now set
+
+ net.ipv4.conf.default.promote_secondaries=1
+
+ This has the benefit of no flushing secondary IP addresses
+ when primary addresses are removed.
+
+ Contributions from: Ansgar Burchardt, Bastien Nocera, Colin
+ Walters, Dan Dedrick, Daniel Buch, Daniel Korostil, Daniel
+ Mack, Dan Williams, Dave Reisner, David Herrmann, Denis
+ Kenzior, Eelco Dolstra, Eric Cook, Hannes Reinecke, Harald
+ Hoyer, Hong Shick Pak, Hui Wang, Jean-André Santoni, Jóhann
+ B. Guðmundsson, Jon Severinsson, Karel Zak, Kay Sievers, Kevin
+ Wells, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas,
+ Marc-Antoine Perennou, Martin Pitt, Michael Biebl, Michael
+ Marineau, Michael Olbrich, Michal Schmidt, Michal Sekletar,
+ Miguel Angel Ajo, Mike Gilbert, Olivier Brunel, Robert
+ Schiele, Ronny Chevalier, Simon McVittie, Sjoerd Simons, Stef
+ Walter, Steven Noonan, Susant Sahani, Tanu Kaskinen, Thomas
+ Blume, Thomas Hindoe Paaboel Andersen, Timofey Titovets,
+ Tobias Geerinckx-Rice, Tomasz Torcz, Tom Gundersen, Umut
+ Tezduyar Lindskog, Zbigniew Jędrzejewski-Szmek
+
+ -- Berlin, 2014-08-19
+
+CHANGES WITH 215:
+
+ * A new tool systemd-sysusers has been added. This tool
+ creates system users and groups in /etc/passwd and
+ /etc/group, based on static declarative system user/group
+ definitions in /usr/lib/sysusers.d/. This is useful to
+ enable factory resets and volatile systems that boot up with
+ an empty /etc directory, and thus need system users and
+ groups created during early boot. systemd now also ships
+ with two default sysusers.d/ files for the most basic
+ users and groups systemd and the core operating system
+ require.
+
+ * A new tmpfiles snippet has been added that rebuilds the
+ essential files in /etc on boot, should they be missing.
+
+ * A directive for ensuring automatic clean-up of
+ /var/cache/man/ has been removed from the default
+ configuration. This line should now be shipped by the man
+ implementation. The necessary change has been made to the
+ man-db implementation. Note that you need to update your man
+ implementation to one that ships this line, otherwise no
+ automatic clean-up of /var/cache/man will take place.
+
+ * A new condition ConditionNeedsUpdate= has been added that
+ may conditionalize services to only run when /etc or /var
+ are "older" than the vendor operating system resources in
+ /usr. This is useful for reconstructing or updating /etc
+ after an offline update of /usr or a factory reset, on the
+ next reboot. Services that want to run once after such an
+ update or reset should use this condition and order
+ themselves before the new systemd-update-done.service, which
+ will mark the two directories as fully updated. A number of
+ service files have been added making use of this, to rebuild
+ the udev hardware database, the journald message catalog and
+ dynamic loader cache (ldconfig). The systemd-sysusers tool
+ described above also makes use of this now. With this in
+ place it is now possible to start up a minimal operating
+ system with /etc empty cleanly. For more information on the
+ concepts involved see this recent blog story:
+
+ http://0pointer.de/blog/projects/stateless.html
+
+ * A new system group "input" has been introduced, and all
+ input device nodes get this group assigned. This is useful
+ for system-level software to get access to input devices. It
+ complements what is already done for "audio" and "video".
+
+ * systemd-networkd learnt minimal DHCPv4 server support in
+ addition to the existing DHCPv4 client support. It also
+ learnt DHCPv6 client and IPv6 Router Solicitation client
+ support. The DHCPv4 client gained support for static routes
+ passed in from the server. Note that the [DHCPv4] section
+ known in older systemd-networkd versions has been renamed to
+ [DHCP] and is now also used by the DHCPv6 client. Existing
+ .network files using settings of this section should be
+ updated, though compatibility is maintained. Optionally, the
+ client hostname may now be sent to the DHCP server.
+
+ * networkd gained support for vxlan virtual networks as well
+ as tun/tap and dummy devices.
+
+ * networkd gained support for automatic allocation of address
+ ranges for interfaces from a system-wide pool of
+ addresses. This is useful for dynamically managing a large
+ number of interfaces with a single network configuration
+ file. In particular this is useful to easily assign
+ appropriate IP addresses to the veth links of a large number
+ of nspawn instances.
+
+ * RPM macros for processing sysusers, sysctl and binfmt
+ drop-in snippets at package installation time have been
+ added.
+
+ * The /etc/os-release file should now be placed in
+ /usr/lib/os-release. The old location is automatically
+ created as symlink. /usr/lib is the more appropriate
+ location of this file, since it shall actually describe the
+ vendor operating system shipped in /usr, and not the
+ configuration stored in /etc.
+
+ * .mount units gained a new boolean SloppyOptions= setting
+ that maps to mount(8)'s -s option which enables permissive
+ parsing of unknown mount options.
+
+ * tmpfiles learnt a new "L+" directive which creates a symlink
+ but (unlike "L") deletes a pre-existing file first, should
+ it already exist and not already be the correct
+ symlink. Similar, "b+", "c+" and "p+" directives have been
+ added as well, which create block and character devices, as
+ well as fifos in the filesystem, possibly removing any
+ pre-existing files of different types.
+
+ * For tmpfiles' "L", "L+", "C" and "C+" directives the final
+ 'argument' field (which so far specified the source to
+ symlink/copy the files from) is now optional. If omitted the
+ same file os copied from /usr/share/factory/ suffixed by the
+ full destination path. This is useful for populating /etc
+ with essential files, by copying them from vendor defaults
+ shipped in /usr/share/factory/etc.
+
+ * A new command "systemctl preset-all" has been added that
+ applies the service preset settings to all installed unit
+ files. A new switch --preset-mode= has been added that
+ controls whether only enable or only disable operations
+ shall be executed.
+
+ * A new command "systemctl is-system-running" has been added
+ that allows checking the overall state of the system, for
+ example whether it is fully up and running.
+
+ * When the system boots up with an empty /etc, the equivalent
+ to "systemctl preset-all" is executed during early boot, to
+ make sure all default services are enabled after a factory
+ reset.
+
+ * systemd now contains a minimal preset file that enables the
+ most basic services systemd ships by default.
+
+ * Unit files' [Install] section gained a new DefaultInstance=
+ field for defining the default instance to create if a
+ template unit is enabled with no instance specified.
+
+ * A new passive target cryptsetup-pre.target has been added
+ that may be used by services that need to make they run and
+ finish before the first LUKS cryptographic device is set up.
+
+ * The /dev/loop-control and /dev/btrfs-control device nodes
+ are now owned by the "disk" group by default, opening up
+ access to this group.
+
+ * systemd-coredump will now automatically generate a
+ stack trace of all core dumps taking place on the system,
+ based on elfutils' libdw library. This stack trace is logged
+ to the journal.
+
+ * systemd-coredump may now optionally store coredumps directly
+ on disk (in /var/lib/systemd/coredump, possibly compressed),
+ instead of storing them unconditionally in the journal. This
+ mode is the new default. A new configuration file
+ /etc/systemd/coredump.conf has been added to configure this
+ and other parameters of systemd-coredump.
+
+ * coredumpctl gained a new "info" verb to show details about a
+ specific coredump. A new switch "-1" has also been added
+ that makes sure to only show information about the most
+ recent entry instead of all entries. Also, as the tool is
+ generally useful now the "systemd-" prefix of the binary
+ name has been removed. Distributions that want to maintain
+ compatibility with the old name should add a symlink from
+ the old name to the new name.
+
+ * journald's SplitMode= now defaults to "uid". This makes sure
+ that unprivileged users can access their own coredumps with
+ coredumpctl without restrictions.
+
+ * New kernel command line options "systemd.wants=" (for
+ pulling an additional unit during boot), "systemd.mask="
+ (for masking a specific unit for the boot), and
+ "systemd.debug-shell" (for enabling the debug shell on tty9)
+ have been added. This is implemented in the new generator
+ "systemd-debug-generator".
+
+ * systemd-nspawn will now by default filter a couple of
+ syscalls for containers, among them those required for
+ kernel module loading, direct x86 IO port access, swap
+ management, and kexec. Most importantly though
+ open_by_handle_at() is now prohibited for containers,
+ closing a hole similar to a recently discussed vulnerability
+ in docker regarding access to files on file hierarchies the
+ container should normally not have access to. Note that for
+ nspawn we generally make no security claims anyway (and
+ this is explicitly documented in the man page), so this is
+ just a fix for one of the most obvious problems.
+
+ * A new man page file-hierarchy(7) has been added that
+ contains a minimized, modernized version of the file system
+ layout systemd expects, similar in style to the FHS
+ specification or hier(5). A new tool systemd-path(1) has
+ been added to query many of these paths for the local
+ machine and user.
+
+ * Automatic time-based clean-up of $XDG_RUNTIME_DIR is no
+ longer done. Since the directory now has a per-user size
+ limit, and is cleaned on logout this appears unnecessary,
+ in particular since this now brings the lifecycle of this
+ directory closer in line with how IPC objects are handled.
+
+ * systemd.pc now exports a number of additional directories,
+ including $libdir (which is useful to identify the library
+ path for the primary architecture of the system), and a
+ couple of drop-in directories.
+
+ * udev's predictable network interface names now use the dev_port
+ sysfs attribute, introduced in linux 3.15 instead of dev_id to
+ distinguish between ports of the same PCI function. dev_id should
+ only be used for ports using the same HW address, hence the need
+ for dev_port.
+
+ * machined has been updated to export the OS version of a
+ container (read from /etc/os-release and
+ /usr/lib/os-release) on the bus. This is now shown in
+ "machinectl status" for a machine.
+
+ * A new service setting RestartForceExitStatus= has been
+ added. If configured to a set of exit signals or process
+ return values, the service will be restarted when the main
+ daemon process exits with any of them, regardless of the
+ Restart= setting.
+
+ * systemctl's -H switch for connecting to remote systemd
+ machines has been extended so that it may be used to
+ directly connect to a specific container on the
+ host. "systemctl -H root@foobar:waldi" will now connect as
+ user "root" to host "foobar", and then proceed directly to
+ the container named "waldi". Note that currently you have to
+ authenticate as user "root" for this to work, as entering
+ containers is a privileged operation.
+
+ Contributions from: Andreas Henriksson, Benjamin Steinwender,
+ Carl Schaefer, Christian Hesse, Colin Ian King, Cristian
+ Rodríguez, Daniel Mack, Dave Reisner, David Herrmann, Eugene
+ Yakubovich, Filipe Brandenburger, Frederic Crozat, Hristo
+ Venev, Jan Engelhardt, Jonathan Boulle, Kay Sievers, Lennart
+ Poettering, Luke Shumaker, Mantas Mikulėnas, Marc-Antoine
+ Perennou, Marcel Holtmann, Michael Marineau, Michael Olbrich,
+ Michał Bartoszkiewicz, Michal Sekletar, Patrik Flykt, Ronan Le
+ Martret, Ronny Chevalier, Ruediger Oertel, Steven Noonan,
+ Susant Sahani, Thadeu Lima de Souza Cascardo, Thomas Hindoe
+ Paaboel Andersen, Tom Gundersen, Tom Hirst, Umut Tezduyar
+ Lindskog, Uoti Urpala, Zbigniew Jędrzejewski-Szmek
+
+ -- Berlin, 2014-07-03
+