Environment=ONE='one' "TWO='two two' too" THREE=
ExecStart=/bin/python3 -c 'import sys;print(sys.argv)' $ONE $TWO $THREE
-* When systemctl --host is used, underlying ssh connection can remain open.
- bus_close does not kill children?
-
External:
* Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
Janitorial Clean-ups:
-* code cleanup: retire FOREACH_WORD_QUOTED, port to extract_first_word() loops instead.
- For example, most conf parsing callbacks should use it.
-
-* replace manual readdir() loops with FOREACH_DIRENT or FOREACH_DIRENT_ALL
-
* Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again
Features:
+* sort generated hwdb files alphabetically when we import them, so that git
+ diffs remain minimal (in particular: the OUI databases we import are not
+ sorted, and not stable)
+
+* set SystemCallArchitectures=native on all our services
+
+* maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for
+ the sd-journal logging socket, and, if the timeout is set to 0, sets
+ O_NONBLOCK on it. That way people can control if and when to block for
+ logging.
+
+* tighten sd_notify() MAINPID= checks a bit: don't accept foreign PIDs (i.e.
+ PIDs not managed by the service manager)
+
+* journald: when we recv a log datagram via the native or syslog transports,
+ search for the PID in the active stream connections, and let's make sure to
+ always process the datagrams before the streams. Then, cache client metadata
+ per stream in the stream object. This way we can somewhat fix the race with
+ quickly exiting processes which log as long as they had their own stream
+ connection...
+
+* hostnamed: populate form factor data from a new hwdb database, so that old
+ yogas can be recognized as "convertible" too, even if they predate the DMI
+ "convertible" form factor
+
+* Maybe add a small tool invoked early at boot, that adds in or resizes
+ partitions automatically, to be used when the media used is actually larger
+ than the image written onto it is.
+
+* Maybe add PrivatePIDs= as new unit setting, and do minimal PID namespacing
+ after all. Be strict however, only support the equivalent of nspawn's
+ --as-pid2 switch, and sanely proxy sd_notify() messages dropping stuff such
+ as MAINPID.
+
+* change the dependency Set* objects in Unit structures to become Hashmap*, and
+ then store a bit mask who created a specific dependency: the source unit via
+ fragment configuration, the destination unit via fragment configuration, or
+ the source unit via udev rules (in case of .device units), or any combination
+ thereof. This information can then be used to flush out old udev-created
+ dependencies when the udev properties change, and eventually to implement a
+ "systemctl refresh" operation for reloading the configuration of individual
+ units without reloading the whole set.
+
+* Add ExecMonitor= setting. May be used multiple times. Forks off a process in
+ the service cgroup, which is supposed to monitor the service, and when it
+ exits the service is considered failed by its monitor.
+
+* track the per-service PAM process properly (i.e. as an additional control
+ process), so that it may be queried on the bus and everything.
+
+* add a new "debug" job mode, that is propagated to unit_start() and for
+ services results in two things: we raise SIGSTOP right before invoking
+ execve() and turn off watchdog support. Then, use that to implement
+ "systemd-gdb" for attaching to the start-up of any system service in its
+ natural habitat.
+
+* replace all canonicalize_file_name() invocations by chase_symlinks(), in
+ particulr those where a rootdir is relevant.
+
+* maybe introduce gpt auto discovery for /var/tmp?
+
+* set ProtectSystem=strict for all our usual services.
+
+* fix PrivateNetwork= so that we fall back gracefully on kernels lacking
+ namespacing support (similar for the other namespacing options)
+
+* maybe add gpt-partition-based user management: each user gets his own
+ LUKS-encrypted GPT partition with a new GPT type. A small nss module
+ enumerates users via udev partition enumeration. UIDs are assigned in a fixed
+ way: the partition index is added as offset to some fixed base uid. User name
+ is stored in GPT partition name. A PAM module authenticates the user via the
+ LUKS partition password. Benefits: strong per-user security, compatibility
+ with stateless/read-only/verity-enabled root. (other idea: do this based on
+ loopback files in /home, without GPT involvement)
+
+* gpt-auto logic: introduce support for discovering /var matching an image. For
+ that, use a partition type UUID that is hashed from the OS name (as encoded
+ in /etc/os-release), the architecture, and 4 new bits from the gpt flags
+ field of the root partition. This way can easily support multiple OS
+ installations on the same GPT partition table, without problems with
+ unmatched /var partitions.
+
+* gpt-auto logic: related to the above, maybe support a "secondary" root
+ partition, that is mounted to / and is writable, and where the actual root's
+ /usr is mounted into.
+
+* machined: add apis to query /etc/machine-info data of a container
+
+* .mount and .swap units: add Format=yes|no option that formats the partition before mounting/enabling it, implicitly
+
+* gpt-auto logic: support encrypted swap, add kernel cmdline option to force it, and honour a gpt bit about it, plus maybe a configuration file
+
* drop nss-myhostname in favour of nss-resolve?
* drop internal dlopen() based nss-dns fallback in nss-resolve, and rely on the
* switch to ProtectSystem=strict for all our long-running services where that's possible
-* If RootDirectory= is used, mount /proc, /sys, /dev into it, if not mounted yet
-
* Permit masking specific netlink APIs with RestrictAddressFamily=
* nspawn: start UID allocation loop from hash of container name
* define gpt header bits to select volatility mode
-* nspawn: mount loopback filesystems with "discard"
-
* ProtectKernelLogs= (drops CAP_SYSLOG, add seccomp for syslog() syscall, and DeviceAllow to /dev/kmsg) in service files
* ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
-* ProtectKernelModules= (drops CAP_SYS_MODULE and filters the kmod syscalls)
-
* ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
* Add DataDirectory=, CacheDirectory= and LogDirectory= to match
RuntimeDirectory=, and create it as necessary when starting a service, owned by the right user.
-* Add BindDirectory= for allowing arbitrary, private bind mounts for services
-
-* Add RootImage= for mounting a disk image or file as root directory
-
-* RestrictNamespaces= or so in services (taking away the ability to create namespaces, with setns, unshare, clone)
-
* make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
* journalctl: make sure -f ends when the container indicated by -M terminates
* journald: sigbus API via a signal-handler safe function that people may call
from the SIGBUS handler
-* move specifier expansion from service_spawn() into load-fragment.c
-
* optionally, also require WATCHDOG=1 notifications during service start-up and shutdown
* resolved: when routing queries, make sure only look for the *longest* suffix...
* support empty /etc boots nicely:
- nspawn/gpt-generator: introduce new gpt partition type for /usr
- - fstab-generator: support systemd.volatile=yes|no|state on the kernel cmdline, too, similar to nspawn's --volatile=
* generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them.
* For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services
they run added to the initial transaction and thus confuse Type=idle.
-* Run most system services with cgroupfs read-only and procfs with a more secure mode (doesn't work, since the hidepid= option is per-pid-namespace, not per-mount)
-
* add bus api to query unit file's X fields.
* gpt-auto-generator:
- - Support LUKS for root devices
- Define new partition type for encrypted swap? Support probed LUKS for encrypted swap?
- Make /home automount rather than mount?
* refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up
-* btrfs raid assembly: some .device jobs stay stuck in the queue
-
* man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted.
* load .d/*.conf dropins for device units
- man: maybe sort directives in man pages, and take sections from --help and apply them to man too
* systemctl:
- - systemctl list-jobs - show dependencies
- add systemctl switch to dump transaction without executing it
- Add a verbose mode to "systemctl start" and friends that explains what is being done or not done
- "systemctl disable" on a static unit prints no message and does
- timer units should get the ability to trigger when:
o CLOCK_REALTIME makes jumps (TFD_TIMER_CANCEL_ON_SET)
o DST changes
- - Support 2012-02~4 as syntax for specifying the fourth to last day of the month.
- Modulate timer frequency based on battery state
* add libsystemd-password or so to query passwords during boot using the password agent logic
* on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?), get rid of systemd-update-utmp-runlevel
-* make repeated alt-ctrl-del presses printing a dump, or even force a reboot without
- waiting for the timeout
+* make repeated alt-ctrl-del presses printing a dump
* hostnamed: before returning information from /etc/machine-info.conf check the modification data and reread. Similar for localed, ...
* currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not
* nspawn:
- - nspawn -x should support ephemeral instances of gpt images
- emulate /dev/kmsg using CUSE and turn off the syslog syscall
with seccomp. That should provide us with a useful log buffer that
systemd can log to during early boot, and disconnect container logs
- maybe make copying of /etc/resolv.conf optional, and skip it if --read-only
is used
+* dissect
+ - refuse mounting over a mount point
+ - automatically discover .roothash files in dissect, similarly to nspawn
+
* machined:
- add an API so that libvirt-lxc can inform us about network interfaces being
removed or added to an existing machine
- maybe introduce WantsMountsFor=? Usecase:
http://lists.freedesktop.org/archives/systemd-devel/2015-January/027729.html
- recreate systemd's D-Bus private socket file on SIGUSR2
- - GC unreferenced jobs (such as .device jobs)
- move PAM code into its own binary
- when we automatically restart a service, ensure we restart its rdeps, too.
- hide PAM options in fragment parser when compile time disabled
~ianmdlvl / elogind.git / blobdiff