systemd System and Service Manager
+CHANGES WITH 232:
+
+ * The new RemoveIPC= option can be used to remove IPC objects owned by
+ the user or group of a service when that service exits.
+
+ * The new ProtectKernelModules= option can be used to disable explicit
+ load and unload operations of kernel modules by a service. In
+ addition access to /usr/lib/modules is removed if this option is set.
+
+ * ProtectSystem= option gained a new value "strict", which causes the
+ whole file system tree with the exception of /dev, /proc, and /sys,
+ to be remounted read-only for a service.
+
+ * The new ProtectKernelTunables= option can be used to disable
+ modification of configuration files in /sys and /proc by a service.
+ Various directories and files are remounted read-only, so access is
+ restricted even if the file permissions would allow it.
+
+ * The new ProtectControlGroups= option can be used to disable write
+ access by a service to /sys/fs/cgroup.
+
+ * Various systemd services have been hardened with
+ ProtectKernelTunables=yes, ProtectControlGroups=yes,
+ RestrictAddressFamilies=.
+
+ * Support for dynamically creating users for the lifetime of a service
+ has been added. If DynamicUser=yes is specified, user and group IDs
+ will be allocated from the range 61184..65519 for the lifetime of the
+ service. They can be resolved using the new nss-systemd.so NSS
+ module. The module must be enabled in /etc/nsswitch.conf. Services
+ started in this way have PrivateTmp= and RemoveIPC= enabled, so that
+ any resources allocated by the service will be cleaned up when the
+ service exits. They also have ProtectHome=read-only and
+ ProtectSystem=strict enabled, so they are not able to make any
+ permanent modifications to the system.
+
+ * The nss-systemd module also always resolves root and nobody, making
+ it possible to have no /etc/passwd or /etc/group files in minimal
+ container or chroot environments.
+
+ * Services may be started with their own user namespace using the new
+ boolean PrivateUsers= option. Only root, nobody, and the uid/gid
+ under which the service is running are mapped. All other users are
+ mapped to nobody.
+
+ * Support for the cgroup namespace has been added to systemd-nspawn. If
+ supported by kernel, the container system started by systemd-nspawn
+ will have its own view of the cgroup hierarchy. This new behaviour
+ can be disabled using $SYSTEMD_NSPAWN_USE_CGNS environment variable.
+
+ * The new MemorySwapMax= option can be used to limit the maximum swap
+ usage under the unified cgroup hierarchy.
+
+ * Support for the CPU controller in the unified cgroup hierarchy has
+ been added, via the CPUWeight=, CPUStartupWeight=, CPUAccounting=
+ options. This controller requires out-of-tree patches for the kernel
+ and the support is provisional.
+
+ * Mount and automount units may now be created transiently
+ (i.e. dynamically at runtime via the bus API, instead of requiring
+ unit files in the file system).
+
+ * systemd-mount is a new tool which may mount file systems – much like
+ mount(8), optionally pulling in additional dependencies through
+ transient .mount and .automount units. For example, this tool
+ automatically runs fsck on a backing block device before mounting,
+ and allows the automount logic to be used dynamically from the
+ command line for establishing mount points. This tool is particularly
+ useful when dealing with removable media, as it will ensure fsck is
+ run – if necessary – before the first access and that the file system
+ is quickly unmounted after each access by utilizing the automount
+ logic. This maximizes the chance that the file system on the
+ removable media stays in a clean state, and if it isn't in a clean
+ state is fixed automatically.
+
+ * LazyUnmount=yes option for mount units has been added to expose the
+ umount --lazy option. Similarly, ForceUnmount=yes exposes the --force
+ option.
+
+ * /efi will be used as the mount point of the EFI boot partition, if
+ the directory is present, and the mount point was not configured
+ through other means (e.g. fstab). If /efi directory does not exist,
+ /boot will be used as before. This makes it easier to automatically
+ mount the EFI partition on systems where /boot is used for something
+ else.
+
+ * When operating on GPT disk images for containers, systemd-nspawn will
+ now mount the ESP to /boot or /efi according to the same rules as PID
+ 1 running on a host. This allows tools like "bootctl" to operate
+ correctly within such containers, in order to make container images
+ bootable on physical systems.
+
+ * disk/by-id and disk/by-path symlinks are now created for NVMe drives.
+
+ * Two new user session targets have been added to support running
+ graphical sessions under the systemd --user instance:
+ graphical-session.target and graphical-session-pre.target. See
+ systemd.special(7) for a description of how those targets should be
+ used.
+
+ * The vconsole initialization code has been significantly reworked to
+ use KD_FONT_OP_GET/SET ioctls instead of KD_FONT_OP_COPY and better
+ support unicode keymaps. Font and keymap configuration will now be
+ copied to all allocated virtual consoles.
+
+ * FreeBSD's bhyve virtualization is now detected.
+
+ * Information recorded in the journal for core dumps now includes the
+ contents of /proc/mountinfo and the command line of the process at
+ the top of the process hierarchy (which is usually the init process
+ of the container).
+
+ * systemd-journal-gatewayd learned the --directory= option to serve
+ files from the specified location.
+
+ * journalctl --root=… can be used to peruse the journal in the
+ /var/log/ directories inside of a container tree. This is similar to
+ the existing --machine= option, but does not require the container to
+ be active.
+
+ * The hardware database has been extended to support
+ ID_INPUT_TRACKBALL, used in addition to ID_INPUT_MOUSE to identify
+ trackball devices.
+
+ MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL hwdb property has been added to
+ specify the click rate for mice which include a horizontal wheel with
+ a click rate that is different than the one for the vertical wheel.
+
+ * systemd-run gained a new --wait option that makes service execution
+ synchronous. (Specifically, the command will not return until the
+ specified service binary exited.)
+
+ * systemctl gained a new --wait option that causes the start command to
+ wait until the units being started have terminated again.
+
+ * A new journal output mode "short-full" has been added which displays
+ timestamps with abbreviated English day names and adds a timezone
+ suffix. Those timestamps include more information than the default
+ "short" output mode, and can be passed directly to journalctl's
+ --since= and --until= options.
+
+ * /etc/resolv.conf will be bind-mounted into containers started by
+ systemd-nspawn, if possible, so any changes to resolv.conf contents
+ are automatically propagated to the container.
+
+ * The number of instances for socket-activated services originating
+ from a single IP address can be limited with
+ MaxConnectionsPerSource=, extending the existing setting of
+ MaxConnections=.
+
+ * systemd-networkd gained support for vcan ("Virtual CAN") interface
+ configuration.
+
+ * .netdev and .network configuration can now be extended through
+ drop-ins.
+
+ * UDP Segmentation Offload, TCP Segmentation Offload, Generic
+ Segmentation Offload, Generic Receive Offload, Large Receive Offload
+ can be enabled and disabled using the new UDPSegmentationOffload=,
+ TCPSegmentationOffload=, GenericSegmentationOffload=,
+ GenericReceiveOffload=, LargeReceiveOffload= options in the
+ [Link] section of .link files.
+
+ * The Spanning Tree Protocol, Priority, Aging Time, and the Default
+ Port VLAN ID can be configured for bridge devices using the new STP=,
+ Priority=, AgeingTimeSec=, and DefaultPVID= settings in the [Bridge]
+ section of .netdev files.
+
+ * The route table to which routes received over DHCP or RA should be
+ added can be configured with the new RouteTable= option in the [DHCP]
+ and [IPv6AcceptRA] sections of .network files.
+
+ * The Address Resolution Protocol can be disabled on links managed by
+ systemd-networkd using the ARP=no setting in the [Link] section of
+ .network files.
+
+ * New environment variables $SERVICE_RESULT, $EXIT_CODE and
+ $EXIT_STATUS are set for ExecStop= and ExecStopPost= commands, and
+ encode information about the result and exit codes of the current
+ service runtime cycle.
+
+ * systemd-sysctl will now configure kernel parameters in the order
+ they occur in the configuration files. This matches what sysctl
+ has been traditionally doing.
+
+ * kernel-install "plugins" that are executed to perform various
+ tasks after a new kernel is added and before an old one is removed
+ can now return a special value to terminate the procedure and
+ prevent any later plugins from running.
+
+ * Journald's SplitMode=login setting has been deprecated. It has been
+ removed from documentation, and its use is discouraged. In a future
+ release it will be completely removed, and made equivalent to current
+ default of SplitMode=uid.
+
+ * Storage=both option setting in /etc/systemd/coredump.conf has been
+ removed. With fast LZ4 compression storing the core dump twice is not
+ useful.
+
+ * The --share-system systemd-nspawn option has been replaced with an
+ (undocumented) variable $SYSTEMD_NSPAWN_SHARE_SYSTEM, but the use of
+ this functionality is discouraged. In addition the variables
+ $SYSTEMD_NSPAWN_SHARE_NS_IPC, $SYSTEMD_NSPAWN_SHARE_NS_PID,
+ $SYSTEMD_NSPAWN_SHARE_NS_UTS may be used to control the unsharing of
+ individual namespaces.
+
+ * "machinectl list" now shows the IP address of running containers in
+ the output, as well as OS release information.
+
+ * "loginctl list" now shows the TTY of each session in the output.
+
+ * sd-bus gained new API calls sd_bus_track_set_recursive(),
+ sd_bus_track_get_recursive(), sd_bus_track_count_name(),
+ sd_bus_track_count_sender(). They permit usage of sd_bus_track peer
+ tracking objects in a "recursive" mode, where a single client can be
+ counted multiple times, if it takes multiple references.
+
+ * sd-bus gained new API calls sd_bus_set_exit_on_disconnect() and
+ sd_bus_get_exit_on_disconnect(). They may be used to to make a
+ process using sd-bus automatically exit if the bus connection is
+ severed.
+
+ * Bus clients of the service manager may now "pin" loaded units into
+ memory, by taking an explicit reference on them. This is useful to
+ ensure the client can retrieve runtime data about the service even
+ after the service completed execution. Taking such a reference is
+ available only for privileged clients and should be helpful to watch
+ running services in a race-free manner, and in particular collect
+ information about exit statuses and results.
+
+ * The nss-resolve module has been changed to strictly return UNAVAIL
+ when communication via D-Bus with resolved failed, and NOTFOUND when
+ a lookup completed but was negative. This means it is now possible to
+ neatly configure fallbacks using nsswitch.conf result checking
+ expressions. Taking benefit of this, the new recommended
+ configuration line for the "hosts" entry in /etc/nsswitch.conf is:
+
+ hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname
+
+ * A new setting CtrlAltDelBurstAction= has been added to
+ /etc/systemd/system.conf which may be used to configure the precise
+ behaviour if the user on the console presses Ctrl-Alt-Del more often
+ than 7 times in 2s. Previously this would unconditionally result in
+ an expedited, immediate reboot. With this new setting the precise
+ operation may be configured in more detail, and also turned off
+ entirely.
+
+ * In .netdev files two new settings RemoteChecksumTx= and
+ RemoteChecksumRx= are now understood that permit configuring the
+ remote checksumming logic for VXLAN networks.
+
+ * The service manager learnt a new "invocation ID" concept for invoked
+ services. Each runtime cycle of a service will get a new invocation
+ ID (a 128bit random UUID) assigned that identifies the current
+ run of the service uniquely and globally. A new invocation ID
+ is generated each time a service starts up. The journal will store
+ the invocation ID of a service along with any logged messages, thus
+ making the invocation ID useful for matching the online runtime of a
+ service with the offline log data it generated in a safe way without
+ relying on synchronized timestamps. In many ways this new service
+ invocation ID concept is similar to the kernel's boot ID concept that
+ uniquely and globally identifies the runtime of each boot. The
+ invocation ID of a service is passed to the service itself via an
+ environment variable ($INVOCATION_ID). A new bus call
+ GetUnitByInvocationID() has been added that is similar to GetUnit()
+ but instead of retrieving the bus path for a unit by its name
+ retrieves it by its invocation ID. The returned path is valid only as
+ long as the passed invocation ID is current.
+
+ * systemd-resolved gained a new "DNSStubListener" setting in
+ resolved.conf. It either takes a boolean value or the special values
+ "udp" and "tcp", and configures whether to enable the stub DNS
+ listener on 127.0.0.53:53.
+
+ * IP addresses configured via networkd may now carry additional
+ configuration settings supported by the kernel. New options include:
+ HomeAddress=, DuplicateAddressDetection=, ManageTemporaryAddress=,
+ PrefixRoute=, AutoJoin=.
+
+ * The PAM configuration fragment file for "user@.service" shipped with
+ systemd (i.e. the --user instance of systemd) has been stripped to
+ the minimum necessary to make the system boot. Previously, it
+ contained Fedora-specific stanzas that did not apply to other
+ distributions. It is expected that downstream distributions add
+ additional configuration lines, matching their needs to this file,
+ using it only as rough template of what systemd itself needs. Note
+ that this reduced fragment does not even include an invocation of
+ pam_limits which most distributions probably want to add, even though
+ systemd itself does not need it. (There's also the new build time
+ option --with-pamconfdir=no to disable installation of the PAM
+ fragment entirely.)
+
+ * If PrivateDevices=yes is set for a service the CAP_SYS_RAWIO
+ capability is now also dropped from its set (in addition to
+ CAP_SYS_MKNOD as before).
+
+ * In service unit files it is now possible to connect a specific named
+ file descriptor with stdin/stdout/stdout of an executed service. The
+ name may be specified in matching .socket units using the
+ FileDescriptorName= setting.
+
+ * A number of journal settings may now be configured on the kernel
+ command line. Specifically, the following options are now understood:
+ systemd.journald.max_level_console=,
+ systemd.journald.max_level_store=,
+ systemd.journald.max_level_syslog=, systemd.journald.max_level_kmsg=,
+ systemd.journald.max_level_wall=.
+
+ * "systemctl is-enabled --full" will now show by which symlinks a unit
+ file is enabled in the unit dependency tree.
+
+ * Support for VeraCrypt encrypted partitions has been added to the
+ "cryptsetup" logic and /etc/crypttab.
+
+ * systemd-detect-virt gained support for a new --private-users switch
+ that checks whether the invoking processes are running inside a user
+ namespace. Similar, a new special value "private-users" for the
+ existing ConditionVirtualization= setting has been added, permitting
+ skipping of specific units in user namespace environments.
+
+ Contributions from: Alban Crequy, Alexander Kuleshov, Alfie John,
+ Andreas Henriksson, Andrew Jeddeloh, Balázs Úr, Bart Rulon, Benjamin
+ Richter, Ben Gamari, Ben Harris, Brian J. Murrell, Christian Brauner,
+ Christian Rebischke, Clinton Roy, Colin Walters, Cristian Rodríguez,
+ Daniel Hahler, Daniel Mack, Daniel Maixner, Daniel Rusek, Dan Dedrick,
+ Davide Cavalca, David Herrmann, David Michael, Dennis Wassenberg,
+ Djalal Harouni, Dongsu Park, Douglas Christman, Elias Probst, Eric
+ Cook, Erik Karlsson, Evgeny Vereshchagin, Felipe Sateler, Felix Zhang,
+ Franck Bui, George Hilliard, Giuseppe Scrivano, HATAYAMA Daisuke,
+ Heikki Kemppainen, Hendrik Brueckner, hi117, Ismo Puustinen, Ivan
+ Shapovalov, Jakub Filak, Jakub Wilk, Jan Synacek, Jason Kölker,
+ Jean-Sébastien Bour, Jiří Pírko, Jonathan Boulle, Jorge Niedbalski,
+ Keith Busch, kristbaum, Kyle Russell, Lans Zhang, Lennart Poettering,
+ Leonardo Brondani Schenkel, Lucas Werkmeister, Luca Bruno, Lukáš
+ Nykrýn, Maciek Borzecki, Mantas Mikulėnas, Marc-Antoine Perennou,
+ Marcel Holtmann, Marcos Mello, Martin Ejdestig, Martin Pitt, Matej
+ Habrnal, Maxime de Roucy, Michael Biebl, Michael Chapman, Michael Hoy,
+ Michael Olbrich, Michael Pope, Michal Sekletar, Michal Soltys, Mike
+ Gilbert, Nick Owens, Patrik Flykt, Paweł Szewczyk, Peter Hutterer,
+ Piotr Drąg, Reid Price, Richard W.M. Jones, Roman Stingler, Ronny
+ Chevalier, Seraphime Kirkovski, Stefan Schweter, Steve Muir, Susant
+ Sahani, Tejun Heo, Thomas Blume, Thomas H. P. Andersen, Tiago Levit,
+ Tobias Jungel, Tomáš Janoušek, Topi Miettinen, Torstein Husebø, Umut
+ Tezduyar Lindskog, Vito Caputo, WaLyong Cho, Wilhelm Schuster, Yann
+ E. MORIN, Yi EungJun, Yuki Inoguchi, Yu Watanabe, Zbigniew
+ Jędrzejewski-Szmek, Zeal Jagannatha
+
+ — Santa Fe, 2016-11-03
+
+CHANGES WITH 231:
+
+ * In service units the various ExecXYZ= settings have been extended
+ with an additional special character as first argument of the
+ assigned value: if the character '+' is used the specified command
+ line it will be run with full privileges, regardless of User=,
+ Group=, CapabilityBoundingSet= and similar options. The effect is
+ similar to the existing PermissionsStartOnly= option, but allows
+ configuration of this concept for each executed command line
+ independently.
+
+ * Services may now alter the service watchdog timeout at runtime by
+ sending a WATCHDOG_USEC= message via sd_notify().
+
+ * MemoryLimit= and related unit settings now optionally take percentage
+ specifications. The percentage is taken relative to the amount of
+ physical memory in the system (or in case of containers, the assigned
+ amount of memory). This allows scaling service resources neatly with
+ the amount of RAM available on the system. Similarly, systemd-logind's
+ RuntimeDirectorySize= option now also optionally takes percentage
+ values.
+
+ * In similar fashion TasksMax= takes percentage values now, too. The
+ value is taken relative to the configured maximum number of processes
+ on the system. The per-service task maximum has been changed to 15%
+ using this functionality. (Effectively this is an increase of 512 →
+ 4915 for service units, given the kernel's default pid_max setting.)
+
+ * Calendar time specifications in .timer units now understand a ".."
+ syntax for time ranges. Example: "4..7:10" may now be used for
+ defining a timer that is triggered at 4:10am, 5:10am, 6:10am and
+ 7:10am every day.
+
+ * The InaccessableDirectories=, ReadOnlyDirectories= and
+ ReadWriteDirectories= unit file settings have been renamed to
+ InaccessablePaths=, ReadOnlyPaths= and ReadWritePaths= and may now be
+ applied to all kinds of file nodes, and not just directories, with
+ the exception of symlinks. Specifically these settings may now be
+ used on block and character device nodes, UNIX sockets and FIFOS as
+ well as regular files. The old names of these settings remain
+ available for compatibility.
+
+ * systemd will now log about all service processes it kills forcibly
+ (using SIGKILL) because they remained after the clean shutdown phase
+ of the service completed. This should help identifying services that
+ shut down uncleanly. Moreover if KillUserProcesses= is enabled in
+ systemd-logind's configuration a similar log message is generated for
+ processes killed at the end of each session due to this setting.
+
+ * systemd will now set the $JOURNAL_STREAM environment variable for all
+ services whose stdout/stderr are connected to the Journal (which
+ effectively means by default: all services). The variable contains
+ the device and inode number of the file descriptor used for
+ stdout/stderr. This may be used by invoked programs to detect whether
+ their stdout/stderr is connected to the Journal, in which case they
+ can switch over to direct Journal communication, thus being able to
+ pass extended, structured metadata along with their log messages. As
+ one example, this is now used by glib's logging primitives.
+
+ * When using systemd's default tmp.mount unit for /tmp, the mount point
+ will now be established with the "nosuid" and "nodev" options. This
+ avoids privilege escalation attacks that put traps and exploits into
+ /tmp. However, this might cause problems if you e. g. put container
+ images or overlays into /tmp; if you need this, override tmp.mount's
+ "Options=" with a drop-in, or mount /tmp from /etc/fstab with your
+ desired options.
+
+ * systemd now supports the "memory" cgroup controller also on
+ cgroupsv2.
+
+ * The systemd-cgtop tool now optionally takes a control group path as
+ command line argument. If specified, the control group list shown is
+ limited to subgroups of that group.
+
+ * The SystemCallFilter= unit file setting gained support for
+ pre-defined, named system call filter sets. For example
+ SystemCallFilter=@clock is now an effective way to make all clock
+ changing-related system calls unavailable to a service. A number of
+ similar pre-defined groups are defined. Writing system call filters
+ for system services is simplified substantially with this new
+ concept. Accordingly, all of systemd's own, long-running services now
+ enable system call filtering based on this, by default.
+
+ * A new service setting MemoryDenyWriteExecute= has been added, taking
+ a boolean value. If turned on, a service may no longer create memory
+ mappings that are writable and executable at the same time. This
+ enhances security for services where this is enabled as it becomes
+ harder to dynamically write and then execute memory in exploited
+ service processes. This option has been enabled for all of systemd's
+ own long-running services.
+
+ * A new RestrictRealtime= service setting has been added, taking a
+ boolean argument. If set the service's processes may no longer
+ acquire realtime scheduling. This improves security as realtime
+ scheduling may otherwise be used to easily freeze the system.
+
+ * systemd-nspawn gained a new switch --notify-ready= taking a boolean
+ value. This may be used for requesting that the system manager inside
+ of the container reports start-up completion to nspawn which then
+ propagates this notification further to the service manager
+ supervising nspawn itself. A related option NotifyReady= in .nspawn
+ files has been added too. This functionality allows ordering of the
+ start-up of multiple containers using the usual systemd ordering
+ primitives.
+
+ * machinectl gained a new command "stop" that is an alias for
+ "terminate".
+
+ * systemd-resolved gained support for contacting DNS servers on
+ link-local IPv6 addresses.
+
+ * If systemd-resolved receives the SIGUSR2 signal it will now flush all
+ its caches. A method call for requesting the same operation has been
+ added to the bus API too, and is made available via "systemd-resolve
+ --flush-caches".
+
+ * systemd-resolve gained a new --status switch. If passed a brief
+ summary of the used DNS configuration with per-interface information
+ is shown.
+
+ * resolved.conf gained a new Cache= boolean option, defaulting to
+ on. If turned off local DNS caching is disabled. This comes with a
+ performance penalty in particular when DNSSEC is enabled. Note that
+ resolved disables its internal caching implicitly anyway, when the
+ configured DNS server is on a host-local IP address such as ::1 or
+ 127.0.0.1, thus automatically avoiding double local caching.
+
+ * systemd-resolved now listens on the local IP address 127.0.0.53:53
+ for DNS requests. This improves compatibility with local programs
+ that do not use the libc NSS or systemd-resolved's bus APIs for name
+ resolution. This minimal DNS service is only available to local
+ programs and does not implement the full DNS protocol, but enough to
+ cover local DNS clients. A new, static resolv.conf file, listing just
+ this DNS server is now shipped in /usr/lib/systemd/resolv.conf. It is
+ now recommended to make /etc/resolv.conf a symlink to this file in
+ order to route all DNS lookups to systemd-resolved, regardless if
+ done via NSS, the bus API or raw DNS packets. Note that this local
+ DNS service is not as fully featured as the libc NSS or
+ systemd-resolved's bus APIs. For example, as unicast DNS cannot be
+ used to deliver link-local address information (as this implies
+ sending a local interface index along), LLMNR/mDNS support via this
+ interface is severely restricted. It is thus strongly recommended for
+ all applications to use the libc NSS API or native systemd-resolved
+ bus API instead.
+
+ * systemd-networkd's bridge support learned a new setting
+ VLANFiltering= for controlling VLAN filtering. Moreover a new section
+ in .network files has been added for configuring VLAN bridging in
+ more detail: VLAN=, EgressUntagged=, PVID= in [BridgeVLAN].
+
+ * systemd-networkd's IPv6 Router Advertisement code now makes use of
+ the DNSSL and RDNSS options. This means IPv6 DNS configuration may
+ now be acquired without relying on DHCPv6. Two new options
+ UseDomains= and UseDNS= have been added to configure this behaviour.
+
+ * systemd-networkd's IPv6AcceptRouterAdvertisements= option has been
+ renamed IPv6AcceptRA=, without altering its behaviour. The old
+ setting name remains available for compatibility reasons.
+
+ * The systemd-networkd VTI/VTI6 tunneling support gained new options
+ Key=, InputKey= and OutputKey=.
+
+ * systemd-networkd gained support for VRF ("Virtual Routing Function")
+ interface configuration.
+
+ * "systemctl edit" may now be used to create new unit files by
+ specifying the --force switch.
+
+ * sd-event gained a new function sd_event_get_iteration() for
+ requesting the current iteration counter of the event loop. It starts
+ at zero and is increased by one with each event loop iteration.
+
+ * A new rpm macro %systemd_ordering is provided by the macros.systemd
+ file. It can be used in lieu of %systemd_requires in packages which
+ don't use any systemd functionality and are intended to be installed
+ in minimal containers without systemd present. This macro provides
+ ordering dependencies to ensure that if the package is installed in
+ the same rpm transaction as systemd, systemd will be installed before
+ the scriptlets for the package are executed, allowing unit presets
+ to be handled.
+
+ New macros %_systemdgeneratordir and %_systemdusergeneratordir have
+ been added to simplify packaging of generators.
+
+ * The os-release file gained VERSION_CODENAME field for the
+ distribution nickname (e.g. VERSION_CODENAME=woody).
+
+ * New udev property UDEV_DISABLE_PERSISTENT_STORAGE_RULES_FLAG=1
+ can be set to disable parsing of metadata and the creation
+ of persistent symlinks for that device.
+
+ * The v230 change to tag framebuffer devices (/dev/fb*) with "uaccess"
+ to make them available to logged-in users has been reverted.
+
+ * Much of the common code of the various systemd components is now
+ built into an internal shared library libsystemd-shared-231.so
+ (incorporating the systemd version number in the name, to be updated
+ with future releases) that the components link to. This should
+ decrease systemd footprint both in memory during runtime and on
+ disk. Note that the shared library is not for public use, and is
+ neither API not ABI stable, but is likely to change with every new
+ released update. Packagers need to make sure that binaries
+ linking to libsystemd-shared.so are updated in step with the
+ library.
+
+ * Configuration for "mkosi" is now part of the systemd
+ repository. mkosi is a tool to easily build legacy-free OS images,
+ and is available on github: https://github.com/systemd/mkosi. If
+ "mkosi" is invoked in the build tree a new raw OS image is generated
+ incorporating the systemd sources currently being worked on and a
+ clean, fresh distribution installation. The generated OS image may be
+ booted up with "systemd-nspawn -b -i", qemu-kvm or on any physical
+ UEFI PC. This functionality is particularly useful to easily test
+ local changes made to systemd in a pristine, defined environment. See
+ HACKING for details.
+
+ * configure learned the --with-support-url= option to specify the
+ distribution's bugtracker.
+
+ Contributions from: Alban Crequy, Alessandro Puccetti, Alessio Igor
+ Bogani, Alexander Kuleshov, Alexander Kurtz, Alex Gaynor, Andika
+ Triwidada, Andreas Pokorny, Andreas Rammhold, Andrew Jeddeloh, Ansgar
+ Burchardt, Atrotors, Benjamin Drung, Brian Boylston, Christian Hesse,
+ Christian Rebischke, Daniele Medri, Daniel Mack, Dave Reisner, David
+ Herrmann, David Michael, Djalal Harouni, Douglas Christman, Elias
+ Probst, Evgeny Vereshchagin, Federico Mena Quintero, Felipe Sateler,
+ Franck Bui, Harald Hoyer, Ian Lee, Ivan Shapovalov, Jakub Wilk, Jan
+ Janssen, Jean-Sébastien Bour, John Paul Adrian Glaubitz, Jouke
+ Witteveen, Kai Ruhnau, kpengboy, Kyle Walker, Lénaïc Huard, Lennart
+ Poettering, Luca Bruno, Lukas Lösche, Lukáš Nykrýn, mahkoh, Marcel
+ Holtmann, Martin Pitt, Marty Plummer, Matthieu Codron, Max Prokhorov,
+ Michael Biebl, Michael Karcher, Michael Olbrich, Michał Bartoszkiewicz,
+ Michal Sekletar, Michal Soltys, Minkyung, Muhammet Kara, mulkieran,
+ Otto Wallenius, Pablo Lezaeta Reyes, Peter Hutterer, Ronny Chevalier,
+ Rusty Bird, Stef Walter, Susant Sahani, Tejun Heo, Thomas Blume, Thomas
+ Haller, Thomas H. P. Andersen, Tobias Jungel, Tom Gundersen, Tom Yan,
+ Topi Miettinen, Torstein Husebø, Valentin Vidić, Viktar Vaŭčkievič,
+ WaLyong Cho, Weng Xuetian, Werner Fink, Zbigniew Jędrzejewski-Szmek
+
+ — Berlin, 2016-07-25
+
+CHANGES WITH 230:
+
+ * DNSSEC is now turned on by default in systemd-resolved (in
+ "allow-downgrade" mode), but may be turned off during compile time by
+ passing "--with-default-dnssec=no" to "configure" (and of course,
+ during runtime with DNSSEC= in resolved.conf). We recommend
+ downstreams to leave this on at least during development cycles and
+ report any issues with the DNSSEC logic upstream. We are very
+ interested in collecting feedback about the DNSSEC validator and its
+ limitations in the wild. Note however, that DNSSEC support is
+ probably nothing downstreams should turn on in stable distros just
+ yet, as it might create incompatibilities with a few DNS servers and
+ networks. We tried hard to make sure we downgrade to non-DNSSEC mode
+ automatically whenever we detect such incompatible setups, but there
+ might be systems we do not cover yet. Hence: please help us testing
+ the DNSSEC code, leave this on where you can, report back, but then
+ again don't consider turning this on in your stable, LTS or
+ production release just yet. (Note that you have to enable
+ nss-resolve in /etc/nsswitch.conf, to actually use systemd-resolved
+ and its DNSSEC mode for host name resolution from local
+ applications.)
+
+ * systemd-resolve conveniently resolves DANE records with the --tlsa
+ option and OPENPGPKEY records with the --openpgp option. It also
+ supports dumping raw DNS record data via the new --raw= switch.
+
+ * systemd-logind will now by default terminate user processes that are
+ part of the user session scope unit (session-XX.scope) when the user
+ logs out. This behavior is controlled by the KillUserProcesses=
+ setting in logind.conf, and the previous default of "no" is now
+ changed to "yes". This means that user sessions will be properly
+ cleaned up after, but additional steps are necessary to allow
+ intentionally long-running processes to survive logout.
+
+ While the user is logged in at least once, user@.service is running,
+ and any service that should survive the end of any individual login
+ session can be started at a user service or scope using systemd-run.
+ systemd-run(1) man page has been extended with an example which shows
+ how to run screen in a scope unit underneath user@.service. The same
+ command works for tmux.
+
+ After the user logs out of all sessions, user@.service will be
+ terminated too, by default, unless the user has "lingering" enabled.
+ To effectively allow users to run long-term tasks even if they are
+ logged out, lingering must be enabled for them. See loginctl(1) for
+ details. The default polkit policy was modified to allow users to
+ set lingering for themselves without authentication.
+
+ Previous defaults can be restored at compile time by the
+ --without-kill-user-processes option to "configure".
+
+ * systemd-logind gained new configuration settings SessionsMax= and
+ InhibitorsMax=, both with a default of 8192. It will not register new
+ user sessions or inhibitors above this limit.
+
+ * systemd-logind will now reload configuration on SIGHUP.
+
+ * The unified cgroup hierarchy added in Linux 4.5 is now supported.
+ Use systemd.unified_cgroup_hierarchy=1 on the kernel command line to
+ enable. Also, support for the "io" cgroup controller in the unified
+ hierarchy has been added, so that the "memory", "pids" and "io" are
+ now the controllers that are supported on the unified hierarchy.
+
+ WARNING: it is not possible to use previous systemd versions with
+ systemd.unified_cgroup_hierarchy=1 and the new kernel. Therefore it
+ is necessary to also update systemd in the initramfs if using the
+ unified hierarchy. An updated SELinux policy is also required.
+
+ * LLDP support has been extended, and both passive (receive-only) and
+ active (sender) modes are supported. Passive mode ("routers-only") is
+ enabled by default in systemd-networkd. Active LLDP mode is enabled
+ by default for containers on the internal network. The "networkctl
+ lldp" command may be used to list information gathered. "networkctl
+ status" will also show basic LLDP information on connected peers now.
+
+ * The IAID and DUID unique identifier sent in DHCP requests may now be
+ configured for the system and each .network file managed by
+ systemd-networkd using the DUIDType=, DUIDRawData=, IAID= options.
+
+ * systemd-networkd gained support for configuring proxy ARP support for
+ each interface, via the ProxyArp= setting in .network files. It also
+ gained support for configuring the multicast querier feature of
+ bridge devices, via the new MulticastQuerier= setting in .netdev
+ files. Similarly, snooping on the IGMP traffic can be controlled
+ via the new setting MulticastSnooping=.
+
+ A new setting PreferredLifetime= has been added for addresses
+ configured in .network file to configure the lifetime intended for an
+ address.
+
+ The systemd-networkd DHCP server gained the option EmitRouter=, which
+ defaults to yes, to configure whether the DHCP Option 3 (Router)
+ should be emitted.
+
+ * The testing tool /usr/lib/systemd/systemd-activate is renamed to
+ systemd-socket-activate and installed into /usr/bin. It is now fully
+ supported.
+
+ * systemd-journald now uses separate threads to flush changes to disk
+ when closing journal files, thus reducing impact of slow disk I/O on
+ logging performance.
+
+ * The sd-journal API gained two new calls
+ sd_journal_open_directory_fd() and sd_journal_open_files_fd() which
+ can be used to open journal files using file descriptors instead of
+ file or directory paths. sd_journal_open_container() has been
+ deprecated, sd_journal_open_directory_fd() should be used instead
+ with the flag SD_JOURNAL_OS_ROOT.
+
+ * journalctl learned a new output mode "-o short-unix" that outputs log
+ lines prefixed by their UNIX time (i.e. seconds since Jan 1st, 1970
+ UTC). It also gained support for a new --no-hostname setting to
+ suppress the hostname column in the family of "short" output modes.
+
+ * systemd-ask-password now optionally skips printing of the password to
+ stdout with --no-output which can be useful in scripts.
+
+ * Framebuffer devices (/dev/fb*) and 3D printers and scanners
+ (devices tagged with ID_MAKER_TOOL) are now tagged with
+ "uaccess" and are available to logged in users.
+
+ * The DeviceAllow= unit setting now supports specifiers (with "%").
+
+ * "systemctl show" gained a new --value switch, which allows print a
+ only the contents of a specific unit property, without also printing
+ the property's name. Similar support was added to "show*" verbs
+ of loginctl and machinectl that output "key=value" lists.
+
+ * A new unit type "generated" was added for files dynamically generated
+ by generator tools. Similarly, a new unit type "transient" is used
+ for unit files created using the runtime API. "systemctl enable" will
+ refuse to operate on such files.
+
+ * A new command "systemctl revert" has been added that may be used to
+ revert to the vendor version of a unit file, in case local changes
+ have been made by adding drop-ins or overriding the unit file.
+
+ * "machinectl clean" gained a new verb to automatically remove all or
+ just hidden container images.
+
+ * systemd-tmpfiles gained support for a new line type "e" for emptying
+ directories, if they exist, without creating them if they don't.
+
+ * systemd-nspawn gained support for automatically patching the UID/GIDs
+ of the owners and the ACLs of all files and directories in a
+ container tree to match the UID/GID user namespacing range selected
+ for the container invocation. This mode is enabled via the new
+ --private-users-chown switch. It also gained support for
+ automatically choosing a free, previously unused UID/GID range when
+ starting a container, via the new --private-users=pick setting (which
+ implies --private-users-chown). Together, these options for the first
+ time make user namespacing for nspawn containers fully automatic and
+ thus deployable. The systemd-nspawn@.service template unit file has
+ been changed to use this functionality by default.
+
+ * systemd-nspawn gained a new --network-zone= switch, that allows
+ creating ad-hoc virtual Ethernet links between multiple containers,
+ that only exist as long as at least one container referencing them is
+ running. This allows easy connecting of multiple containers with a
+ common link that implements an Ethernet broadcast domain. Each of
+ these network "zones" may be named relatively freely by the user, and
+ may be referenced by any number of containers, but each container may
+ only reference one of these "zones". On the lower level, this is
+ implemented by an automatically managed bridge network interface for
+ each zone, that is created when the first container referencing its
+ zone is created and removed when the last one referencing its zone
+ terminates.
+
+ * The default start timeout may now be configured on the kernel command
+ line via systemd.default_timeout_start_sec=. It was already
+ configurable via the DefaultTimeoutStartSec= option in
+ /etc/systemd/system.conf.
+
+ * Socket units gained a new TriggerLimitIntervalSec= and
+ TriggerLimitBurst= setting to configure a limit on the activation
+ rate of the socket unit.
+
+ * The LimitNICE= setting now optionally takes normal UNIX nice values
+ in addition to the raw integer limit value. If the specified
+ parameter is prefixed with "+" or "-" and is in the range -20..19 the
+ value is understood as UNIX nice value. If not prefixed like this it
+ is understood as raw RLIMIT_NICE limit.
+
+ * Note that the effect of the PrivateDevices= unit file setting changed
+ slightly with this release: the per-device /dev file system will be
+ mounted read-only from this version on, and will have "noexec"
+ set. This (minor) change of behavior might cause some (exceptional)
+ legacy software to break, when PrivateDevices=yes is set for its
+ service. Please leave PrivateDevices= off if you run into problems
+ with this.
+
+ * systemd-bootchart has been split out to a separate repository:
+ https://github.com/systemd/systemd-bootchart
+
+ * systemd-bus-proxyd has been removed, as kdbus is unlikely to still be
+ merged into the kernel in its current form.
+
+ * The compatibility libraries libsystemd-daemon.so,
+ libsystemd-journal.so, libsystemd-id128.so, and libsystemd-login.so
+ which have been deprecated since systemd-209 have been removed along
+ with the corresponding pkg-config files. All symbols provided by
+ those libraries are provided by libsystemd.so.
+
+ * The Capabilities= unit file setting has been removed (it is ignored
+ for backwards compatibility). AmbientCapabilities= and
+ CapabilityBoundingSet= should be used instead.
+
+ * A new special target has been added, initrd-root-device.target,
+ which creates a synchronization point for dependencies of the root
+ device in early userspace. Initramfs builders must ensure that this
+ target is now included in early userspace.
+
+ Contributions from: Alban Crequy, Alexander Kuleshov, Alexander Shopov,
+ Alex Crawford, Andre Klärner, Andrew Eikum, Beniamino Galvani, Benjamin
+ Robin, Biao Lu, Bjørnar Ness, Calvin Owens, Christian Hesse, Clemens
+ Gruber, Colin Guthrie, Daniel Drake, Daniele Medri, Daniel J Walsh,
+ Daniel Mack, Dan Nicholson, daurnimator, David Herrmann, David
+ R. Hedges, Elias Probst, Emmanuel Gil Peyrot, EMOziko, Evgeny
+ Vereshchagin, Federico, Felipe Sateler, Filipe Brandenburger, Franck
+ Bui, frankheckenbach, gdamjan, Georgia Brikis, Harald Hoyer, Hendrik
+ Brueckner, Hristo Venev, Iago López Galeiras, Ian Kelling, Ismo
+ Puustinen, Jakub Wilk, Jaroslav Škarvada, Jeff Huang, Joel Holdsworth,
+ John Paul Adrian Glaubitz, Jonathan Boulle, kayrus, Klearchos
+ Chaloulos, Kyle Russell, Lars Uebernickel, Lennart Poettering, Lubomir
+ Rintel, Lukáš Nykrýn, Mantas Mikulėnas, Marcel Holtmann, Martin Pitt,
+ Michael Biebl, michaelolbrich, Michał Bartoszkiewicz, Michal Koutný,
+ Michal Sekletar, Mike Frysinger, Mike Gilbert, Mingcong Bai, Ming Lin,
+ mulkieran, muzena, Nalin Dahyabhai, Naohiro Aota, Nathan McSween,
+ Nicolas Braud-Santoni, Patrik Flykt, Peter Hutterer, Peter Mattern,
+ Petr Lautrbach, Petros Angelatos, Piotr Drąg, Rabin Vincent, Robert
+ Węcławski, Ronny Chevalier, Samuel Tardieu, Stefan Saraev, Stefan
+ Schallenberg aka nafets227, Steven Siloti, Susant Sahani, Sylvain
+ Plantefève, Taylor Smock, Tejun Heo, Thomas Blume, Thomas Haller,
+ Thomas H. P. Andersen, Tobias Klauser, Tom Gundersen, topimiettinen,
+ Torstein Husebø, Umut Tezduyar Lindskog, Uwe Kleine-König, Victor Toso,
+ Vinay Kulkarni, Vito Caputo, Vittorio G (VittGam), Vladimir Panteleev,
+ Wieland Hoffmann, Wouter Verhelst, Yu Watanabe, Zbigniew
+ Jędrzejewski-Szmek
+
+ — Fairfax, 2016-05-21
+
+CHANGES WITH 229:
+
+ * The systemd-resolved DNS resolver service has gained a substantial
+ set of new features, most prominently it may now act as a DNSSEC
+ validating stub resolver. DNSSEC mode is currently turned off by
+ default, but is expected to be turned on by default in one of the
+ next releases. For now, we invite everybody to test the DNSSEC logic
+ by setting DNSSEC=allow-downgrade in /etc/systemd/resolved.conf. The
+ service also gained a full set of D-Bus interfaces, including calls
+ to configure DNS and DNSSEC settings per link (for use by external
+ network management software). systemd-resolved and systemd-networkd
+ now distinguish between "search" and "routing" domains. The former
+ are used to qualify single-label names, the latter are used purely
+ for routing lookups within certain domains to specific links.
+ resolved now also synthesizes RRs for all entries from /etc/hosts.
+
+ * The systemd-resolve tool (which is a client utility for
+ systemd-resolved) has been improved considerably and is now fully
+ supported and documented. Hence it has moved from /usr/lib/systemd to
+ /usr/bin.
+
+ * /dev/disk/by-path/ symlink support has been (re-)added for virtio
+ devices.
+
+ * The coredump collection logic has been reworked: when a coredump is
+ collected it is now written to disk, compressed and processed
+ (including stacktrace extraction) from a new instantiated service
+ systemd-coredump@.service, instead of directly from the
+ /proc/sys/kernel/core_pattern hook we provide. This is beneficial as
+ processing large coredumps can take up a substantial amount of
+ resources and time, and this previously happened entirely outside of
+ systemd's service supervision. With the new logic the core_pattern
+ hook only does minimal metadata collection before passing off control
+ to the new instantiated service, which is configured with a time
+ limit, a nice level and other settings to minimize negative impact on
+ the rest of the system. Also note that the new logic will honour the
+ RLIMIT_CORE setting of the crashed process, which now allows users
+ and processes to turn off coredumping for their processes by setting
+ this limit.
+
+ * The RLIMIT_CORE resource limit now defaults to "unlimited" for PID 1
+ and all forked processes by default. Previously, PID 1 would leave
+ the setting at "0" for all processes, as set by the kernel. Note that
+ the resource limit traditionally has no effect on the generated
+ coredumps on the system if the /proc/sys/kernel/core_pattern hook
+ logic is used. Since the limit is now honoured (see above) its
+ default has been changed so that the coredumping logic is enabled by
+ default for all processes, while allowing specific opt-out.
+
+ * When the stacktrace is extracted from processes of system users, this
+ is now done as "systemd-coredump" user, in order to sandbox this
+ potentially security sensitive parsing operation. (Note that when
+ processing coredumps of normal users this is done under the user ID
+ of process that crashed, as before.) Packagers should take notice
+ that it is now necessary to create the "systemd-coredump" system user
+ and group at package installation time.
+
+ * The systemd-activate socket activation testing tool gained support
+ for SOCK_DGRAM and SOCK_SEQPACKET sockets using the new --datagram
+ and --seqpacket switches. It also has been extended to support both
+ new-style and inetd-style file descriptor passing. Use the new
+ --inetd switch to request inetd-style file descriptor passing.
+
+ * Most systemd tools now honor a new $SYSTEMD_COLORS environment
+ variable, which takes a boolean value. If set to false, ANSI color
+ output is disabled in the tools even when run on a terminal that
+ supports it.
+
+ * The VXLAN support in networkd now supports two new settings
+ DestinationPort= and PortRange=.
+
+ * A new systemd.machine_id= kernel command line switch has been added,
+ that may be used to set the machine ID in /etc/machine-id if it is
+ not initialized yet. This command line option has no effect if the
+ file is already initialized.
+
+ * systemd-nspawn gained a new --as-pid2 switch that invokes any
+ specified command line as PID 2 rather than PID 1 in the
+ container. In this mode PID 1 is a minimal stub init process that
+ implements the special POSIX and Linux semantics of PID 1 regarding
+ signal and child process management. Note that this stub init process
+ is implemented in nspawn itself and requires no support from the
+ container image. This new logic is useful to support running
+ arbitrary commands in the container, as normal processes are
+ generally not prepared to run as PID 1.
+
+ * systemd-nspawn gained a new --chdir= switch for setting the current
+ working directory for the process started in the container.
+
+ * "journalctl /dev/sda" will now output all kernel log messages for
+ specified device from the current boot, in addition to all devices
+ that are parents of it. This should make log output about devices
+ pretty useful, as long as kernel drivers attach enough metadata to
+ the log messages. (The usual SATA drivers do.)
+
+ * The sd-journal API gained two new calls
+ sd_journal_has_runtime_files() and sd_journal_has_persistent_files()
+ that report whether log data from /run or /var has been found.
+
+ * journalctl gained a new switch "--fields" that prints all journal
+ record field names currently in use in the journal. This is backed
+ by two new sd-journal API calls sd_journal_enumerate_fields() and
+ sd_journal_restart_fields().
+
+ * Most configurable timeouts in systemd now expect an argument of
+ "infinity" to turn them off, instead of "0" as before. The semantics
+ from now on is that a timeout of "0" means "now", and "infinity"
+ means "never". To maintain backwards compatibility, "0" continues to
+ turn off previously existing timeout settings.
+
+ * "systemctl reload-or-try-restart" has been renamed to "systemctl
+ try-reload-or-restart" to clarify what it actually does: the "try"
+ logic applies to both reloading and restarting, not just restarting.
+ The old name continues to be accepted for compatibility.
+
+ * On boot-up, when PID 1 detects that the system clock is behind the
+ release date of the systemd version in use, the clock is now set
+ to the latter. Previously, this was already done in timesyncd, in order
+ to avoid running with clocks set to the various clock epochs such as
+ 1902, 1938 or 1970. With this change the logic is now done in PID 1
+ in addition to timesyncd during early boot-up, so that it is enforced
+ before the first process is spawned by systemd. Note that the logic
+ in timesyncd remains, as it is more comprehensive and ensures
+ clock monotonicity by maintaining a persistent timestamp file in
+ /var. Since /var is generally not available in earliest boot or the
+ initrd, this part of the logic remains in timesyncd, and is not done
+ by PID 1.
+
+ * Support for tweaking details in net_cls.class_id through the
+ NetClass= configuration directive has been removed, as the kernel
+ people have decided to deprecate that controller in cgroup v2.
+ Userspace tools such as nftables are moving over to setting rules
+ that are specific to the full cgroup path of a task, which obsoletes
+ these controllers anyway. The NetClass= directive is kept around for
+ legacy compatibility reasons. For a more in-depth description of the
+ kernel change, please refer to the respective upstream commit:
+
+ https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bd1060a1d671
+
+ * A new service setting RuntimeMaxSec= has been added that may be used
+ to specify a maximum runtime for a service. If the timeout is hit, the
+ service is terminated and put into a failure state.
+
+ * A new service setting AmbientCapabilities= has been added. It allows
+ configuration of additional Linux process capabilities that are
+ passed to the activated processes. This is only available on very
+ recent kernels.
+
+ * The process resource limit settings in service units may now be used
+ to configure hard and soft limits individually.
+
+ * The various libsystemd APIs such as sd-bus or sd-event now publicly
+ expose support for gcc's __attribute__((cleanup())) C extension.
+ Specifically, for many object destructor functions alternative
+ versions have been added that have names suffixed with "p" and take a
+ pointer to a pointer to the object to destroy, instead of just a
+ pointer to the object itself. This is useful because these destructor
+ functions may be used directly as parameters to the cleanup
+ construct. Internally, systemd has been a heavy user of this GCC
+ extension for a long time, and with this change similar support is
+ now available to consumers of the library outside of systemd. Note
+ that by using this extension in your sources compatibility with old
+ and strictly ANSI compatible C compilers is lost. However, all gcc or
+ LLVM versions of recent years support this extension.
+
+ * Timer units gained support for a new setting RandomizedDelaySec= that
+ allows configuring some additional randomized delay to the configured
+ time. This is useful to spread out timer events to avoid load peaks in
+ clusters or larger setups.
+
+ * Calendar time specifications now support sub-second accuracy.
+
+ * Socket units now support listening on SCTP and UDP-lite protocol
+ sockets.
+
+ * The sd-event API now comes with a full set of man pages.
+
+ * Older versions of systemd contained experimental support for
+ compressing journal files and coredumps with the LZ4 compressor that
+ was not compatible with the lz4 binary (due to API limitations of the
+ lz4 library). This support has been removed; only support for files
+ compatible with the lz4 binary remains. This LZ4 logic is now
+ officially supported and no longer considered experimental.
+
+ * The dkr image import logic has been removed again from importd. dkr's
+ micro-services focus doesn't fit into the machine image focus of
+ importd, and quickly got out of date with the upstream dkr API.
+
+ * Creation of the /run/lock/lockdev/ directory was dropped from
+ tmpfiles.d/legacy.conf. Better locking mechanisms like flock() have
+ been available for many years. If you still need this, you need to
+ create your own tmpfiles.d config file with:
+
+ d /run/lock/lockdev 0775 root lock -
+
+ Contributions from: Abdo Roig-Maranges, Alban Crequy, Aleksander
+ Adamowski, Alexander Kuleshov, Andreas Pokorny, Andrei Borzenkov,
+ Andrew Wilcox, Arthur Clement, Beniamino Galvani, Casey Schaufler,
+ Chris Atkinson, Chris Mayo, Christian Hesse, Damjan Georgievski, Dan
+ Dedrick, Daniele Medri, Daniel J Walsh, Daniel Korostil, Daniel Mack,
+ David Herrmann, Dimitri John Ledkov, Dominik Hannen, Douglas Christman,
+ Evgeny Vereshchagin, Filipe Brandenburger, Franck Bui, Gabor Kelemen,
+ Harald Hoyer, Hayden Walles, Helmut Grohne, Henrik Kaare Poulsen,
+ Hristo Venev, Hui Wang, Indrajit Raychaudhuri, Ismo Puustinen, Jakub
+ Wilk, Jan Alexander Steffens (heftig), Jan Engelhardt, Jan Synacek,
+ Joost Bremmer, Jorgen Schaefer, Karel Zak, Klearchos Chaloulos,
+ lc85446, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas, Marcel
+ Holtmann, Martin Pitt, Michael Biebl, Michael Olbrich, Michael Scherer,
+ Michał Górny, Michal Sekletar, Nicolas Cornu, Nicolas Iooss, Nils
+ Carlson, nmartensen, nnz1024, Patrick Ohly, Peter Hutterer, Phillip Sz,
+ Ronny Chevalier, Samu Kallio, Shawn Landden, Stef Walter, Susant
+ Sahani, Sylvain Plantefève, Tadej Janež, Thomas Hindoe Paaboel
+ Andersen, Tom Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Vito
+ Caputo, WaLyong Cho, Yu Watanabe, Zbigniew Jędrzejewski-Szmek
+
+ — Berlin, 2016-02-11
+
CHANGES WITH 228:
* A number of properties previously only settable in unit
from PID1's environment block into the environment block of
the service.
+ * Timer units gained support for a new RemainAfterElapse=
+ setting which takes a boolean argument. It defaults to on,
+ exposing behaviour unchanged to previous releases. If set to
+ off, timer units are unloaded after they elapsed if they
+ cannot elapse again. This is particularly useful for
+ transient timer units, which shall not stay around longer
+ than until they first elapse.
+
* systemd will now bump the net.unix.max_dgram_qlen to 512 by
default now (the kernel default is 16). This is beneficial
for avoiding blocking on AF_UNIX/SOCK_DGRAM sockets since it
https://sourceware.org/bugzilla/show_bug.cgi?id=19108
+ Note that only util-linux versions built with
+ --enable-libmount-force-mountinfo are supported.
+
* Support for the ".snapshot" unit type has been removed. This
feature turned out to be little useful and little used, and
has now been removed from the core and from systemctl.
--user instance of systemd these specifiers where correctly
resolved, but hardly made any sense, since the user instance
lacks privileges to do user switches anyway, and User= is
- hence useless. Morever, even in the --user instance of
+ hence useless. Moreover, even in the --user instance of
systemd behaviour was awkward as it would only take settings
from User= assignment placed before the specifier into
account. In order to unify and simplify the logic around
Tom Gundersen, Torstein Husebø, Vito Caputo, Zbigniew
Jędrzejewski-Szmek
- -- Berlin, 2015-11-18
+ — Berlin, 2015-11-18
CHANGES WITH 227:
* Support for USB FunctionFS activation has been added. This
allows implementation of USB gadget services that are
activated as soon as they are requested, so that they don't
- have to run continously, similar to classic socket
+ have to run continuously, similar to classic socket
activation.
* The "systemctl exit" command now optionally takes an
* The RuntimeDirectory= setting now understands unit
specifiers like %i or %f.
- * A new (still internal) libary API sd-ipv4acd has been added,
+ * A new (still internal) library API sd-ipv4acd has been added,
that implements address conflict detection for IPv4. It's
based on code from sd-ipv4ll, and will be useful for
detecting DHCP address conflicts.
* systemd-networkd gained support for:
- - Setting the IPv6 Router Advertisment settings via
+ - Setting the IPv6 Router Advertisement settings via
IPv6AcceptRouterAdvertisements= in .network files.
- Configuring the HelloTimeSec=, MaxAgeSec= and
files controlled by the number of files that shall remain,
in addition to the already existing control by size and by
date. This is useful as journal interleaving performance
- degrades with too many seperate journal files, and allows
+ degrades with too many separate journal files, and allows
putting an effective limit on them. The new setting defaults
to 100, but this may be changed by setting SystemMaxFiles=
and RuntimeMaxFiles= in journald.conf. Also, the
Andersen, Tom Gundersen, Tom Lyon, Viktar Vauchkevich,
Zbigniew Jędrzejewski-Szmek, Марко М. Костић
- -- Berlin, 2015-10-07
+ — Berlin, 2015-10-07
CHANGES WITH 226:
available, systemd will fall back to the legacy cgroup
hierarchy setup, as before. Host system and containers can
mix and match legacy and unified hierarchies as they
- wish. nspawn understands the $UNIFIED_CROUP_HIERARCHY
+ wish. nspawn understands the $UNIFIED_CGROUP_HIERARCHY
environment variable to individually select the hierarchy to
use for executed containers. By default, nspawn will use the
unified hierarchy for the containers if the host uses the
Hack, Susant Sahani, Sylvain Pasche, Thomas Hindoe Paaboel
Andersen, Tom Gundersen, Torstein Husebø
- -- Berlin, 2015-09-08
+ — Berlin, 2015-09-08
CHANGES WITH 225:
Paaboel Andersen, Thomas Meyer, Tom Gundersen, Vincent Batts,
WaLyong Cho, Zbigniew Jędrzejewski-Szmek
- -- Berlin, 2015-08-27
+ — Berlin, 2015-08-27
CHANGES WITH 224:
Herrmann, Herman Fries, Johannes Nixdorf, Kay Sievers, Lennart
Poettering, Peter Hutterer, Susant Sahani, Tom Gundersen
- -- Berlin, 2015-07-31
+ — Berlin, 2015-07-31
CHANGES WITH 223:
Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Vito Caputo,
Vivenzio Pagliari, Zbigniew Jędrzejewski-Szmek
- -- Berlin, 2015-07-29
+ — Berlin, 2015-07-29
CHANGES WITH 222:
Susant Sahani, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein
Husebø, Vedran Miletić, WaLyong Cho, Zbigniew Jędrzejewski-Szmek
- -- Berlin, 2015-07-07
+ — Berlin, 2015-07-07
CHANGES WITH 221:
Husebø, Umut Tezduyar Lindskog, Viktar Vauchkevich, Werner
Fink, Zbigniew Jędrzejewski-Szmek
- -- Berlin, 2015-06-19
+ — Berlin, 2015-06-19
CHANGES WITH 220:
* systemd-nspawn gained a new --property= setting to set unit
properties for the container scope. This is useful for
- setting resource parameters (e.g "CPUShares=500") on
+ setting resource parameters (e.g. "CPUShares=500") on
containers started from the command line.
* systemd-nspawn gained a new --private-users= switch to make
Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Will
Woods, Zachary Cook, Zbigniew Jędrzejewski-Szmek
- -- Berlin, 2015-05-22
+ — Berlin, 2015-05-22
CHANGES WITH 219:
* machinectl is now able to clone container images
efficiently, if the underlying file system (btrfs) supports
- it, with the new "machinectl list-images" command. It also
+ it, with the new "machinectl clone" command. It also
gained commands for renaming and removing images, as well as
marking them read-only or read-write (supported also on
legacy file systems).
files.
* systemd now provides a way to store file descriptors
- per-service in PID 1.This is useful for daemons to ensure
+ per-service in PID 1. This is useful for daemons to ensure
that fds they require are not lost during a daemon
restart. The fds are passed to the daemon on the next
invocation in the same way socket activation fds are
Lindskog, Veres Lajos, Vincent Batts, WaLyong Cho, Wieland
Hoffmann, Zbigniew Jędrzejewski-Szmek
- -- Berlin, 2015-02-16
+ — Berlin, 2015-02-16
CHANGES WITH 218:
Torstein Husebø, Umut Tezduyar Lindskog, Vicente Olivert
Riera, WaLyong Cho, Wesley Dawson, Zbigniew Jędrzejewski-Szmek
- -- Berlin, 2014-12-10
+ — Berlin, 2014-12-10
CHANGES WITH 217:
Husebø, Umut Tezduyar Lindskog, WaLyong Cho, Zbigniew
Jędrzejewski-Szmek
- -- Berlin, 2014-10-28
+ — Berlin, 2014-10-28
CHANGES WITH 216:
Tobias Geerinckx-Rice, Tomasz Torcz, Tom Gundersen, Umut
Tezduyar Lindskog, Zbigniew Jędrzejewski-Szmek
- -- Berlin, 2014-08-19
+ — Berlin, 2014-08-19
CHANGES WITH 215:
Paaboel Andersen, Tom Gundersen, Tom Hirst, Umut Tezduyar
Lindskog, Uoti Urpala, Zbigniew Jędrzejewski-Szmek
- -- Berlin, 2014-07-03
+ — Berlin, 2014-07-03
CHANGES WITH 214:
time, the extended attribute calls have moved to glibc, and
libattr is thus unnecessary.
- * Virtualization detection works without priviliges now. This
+ * Virtualization detection works without privileges now. This
means the systemd-detect-virt binary no longer requires
CAP_SYS_PTRACE file capabilities, and our daemons can run
with fewer privileges.
Andersen, Tom Gundersen, Umut Tezduyar Lindskog, Zbigniew
Jędrzejewski-Szmek
- -- Berlin, 2014-06-11
+ — Berlin, 2014-06-11
CHANGES WITH 213:
Lindskog, WaLyong Cho, Will Woods, Zbigniew
Jędrzejewski-Szmek
- -- Beijing, 2014-05-28
+ — Beijing, 2014-05-28
CHANGES WITH 212:
Umut Tezduyar Lindskog, Wieland Hoffmann, Zbigniew
Jędrzejewski-Szmek
- -- Berlin, 2014-03-25
+ — Berlin, 2014-03-25
CHANGES WITH 211:
Gundersen, Umut Tezduyar Lindskog, Uoti Urpala, Zachary Cook,
Zbigniew Jędrzejewski-Szmek
- -- Berlin, 2014-03-12
+ — Berlin, 2014-03-12
CHANGES WITH 210:
Paaboel Andersen, Tom Gundersen, Umut Tezduyar Lindskog,
Zbigniew Jędrzejewski-Szmek
- -- Berlin, 2014-02-24
+ — Berlin, 2014-02-24
CHANGES WITH 209:
/usr/lib/net/links/99-default.link. Old
80-net-name-slot.rules udev configuration file has been
removed, so local configuration overriding this file should
- be adapated to override 99-default.link instead.
+ be adapted to override 99-default.link instead.
* When the User= switch is used in a unit file, also
initialize $SHELL= based on the user database entry.
Pavlín, Vincent Batts, WaLyong Cho, William Giokas, Yang
Zhiyong, Yin Kangkai, Yuxuan Shui, Zbigniew Jędrzejewski-Szmek
- -- Berlin, 2014-02-20
+ — Berlin, 2014-02-20
CHANGES WITH 208:
Michael Scherer, Michał Górny, Mike Gilbert, Patrick McCarty,
Sebastian Ott, Tom Gundersen, Zbigniew Jędrzejewski-Szmek
- -- Berlin, 2013-10-02
+ — Berlin, 2013-10-02
CHANGES WITH 207:
Paaboel Andersen, Tom Gundersen, Umut Tezduyar, WANG Chao,
William Giokas, Zbigniew Jędrzejewski-Szmek
- -- Berlin, 2013-09-13
+ — Berlin, 2013-09-13
CHANGES WITH 206:
* logind's device ACLs may now be applied to these "dead"
devices nodes too, thus finally allowing managed access to
- devices such as /dev/snd/sequencer whithout loading the
+ devices such as /dev/snd/sequencer without loading the
backing module right-away.
* A new RPM macro has been added that may be used to apply
Thomas H.P. Andersen, Tom Gundersen, Tomasz Torcz, William
Giokas, Zbigniew Jędrzejewski-Szmek
- -- Berlin, 2013-07-23
+ — Berlin, 2013-07-23
CHANGES WITH 205:
* Two new unit types have been introduced:
Scope units are very similar to service units, however, are
- created out of pre-existing processes -- instead of PID 1
+ created out of pre-existing processes — instead of PID 1
forking off the processes. By using scope units it is
possible for system services and applications to group their
own child processes (worker processes) in a powerful way
processes executed in parallel based on the number of available
CPUs instead of the amount of available RAM. This is supposed
to provide a more reliable default and limit a too aggressive
- paralellism for setups with 1000s of devices connected.
+ parallelism for setups with 1000s of devices connected.
Contributions from: Auke Kok, Colin Walters, Cristian
Rodríguez, Daniel Buch, Dave Reisner, Frederic Crozat, Hannes
presenting log data.
* systemctl will no longer show control group information for
- a unit if a the control group is empty anyway.
+ a unit if the control group is empty anyway.
* logind can now automatically suspend/hibernate/shutdown the
system on idle.
* We do not mount the "cpuset" controller anymore together with
"cpu" and "cpuacct", as "cpuset" groups generally cannot be
started if no parameters are assigned to it. "cpuset" hence
- broke code that assumed it it could create "cpu" groups and
+ broke code that assumed it could create "cpu" groups and
just start them.
* journalctl -f will now subscribe to terminal size changes,
* The SysV search path is no longer exported on the D-Bus
Manager object.
- * The Names= option is been removed from unit file parsing.
+ * The Names= option has been removed from unit file parsing.
* There's a new man page bootup(7) detailing the boot process.
about this in more detail.
* var-run.mount and var-lock.mount are no longer provided
- (which prevously bind mounted these directories to their new
+ (which previously bind mounted these directories to their new
places). Distributions which have not converted these
directories to symlinks should consider stealing these files
from git history and add them downstream.
* Many bugfixes for the journal, including endianness fixes and
ensuring that disk space enforcement works
- * sd-login.h is C++ comptaible again
+ * sd-login.h is C++ compatible again
* Extend the /etc/os-release format on request of the Debian
folks
* New man pages for all APIs from libsystemd-login.
- * The build tree got reorganized and a the build system is a
+ * The build tree got reorganized and the build system is a
lot more modular allowing embedded setups to specifically
select the components of systemd they are interested in.
~ianmdlvl / elogind.git / blobdiff