X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=NEWS;h=557774dc1fb535cbd594da489fb4106d32853067;hp=1b3bc2b65b805b75c5999520d568646b96f265aa;hb=1405bef3f1f204fdee001e1d002a8e91a56ef0d3;hpb=e9c1ea9de87d4d508ac38ce87a2fa56e7529a91a;ds=sidebyside diff --git a/NEWS b/NEWS index 1b3bc2b65..557774dc1 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,432 @@ systemd System and Service Manager +CHANGES WITH 208: + + * logind has gained support for facilitating privileged input + and drm device access for unprivileged clients. This work is + useful to allow Wayland display servers (and similar + programs, such as kmscon) to run under the user's ID and + access input and drm devices which are normally + protected. When this is used (and the kernel is new enough) + logind will "mute" IO on the file descriptors passed to + Wayland as long as it is in the background and "unmute" it + if it returns into the foreground. This allows secure + session switching without allowing background sessions to + eavesdrop on input and display data. This also introduces + session switching support if VT support is turned off in the + kernel, and on seats that are not seat0. + + * A new kernel command line option luks.options= is understood + now which allows specifiying LUKS options for usage for LUKS + encrypted partitions specified with luks.uuid=. + + * tmpfiles.d(5) snippets may now use specifier expansion in + path names. More specifically %m, %b, %H, %v, are now + replaced by the local machine id, boot id, hostname, and + kernel version number. + + * A new tmpfiles.d(5) command "m" has been introduced which + may be used to change the owner/group/access mode of a file + or directory if it exists, but do nothing if it doesn't. + + * This release removes high-level support for the + MemorySoftLimit= cgroup setting. The underlying kernel + cgroup attribute memory.soft_limit= is currently badly + designed and likely to be removed from the kernel API in its + current form, hence we shouldn't expose it for now. + + * The memory.use_hierarchy cgroup attribute is now enabled for + all cgroups systemd creates in the memory cgroup + hierarchy. This option is likely to be come the built-in + default in the kernel anyway, and the non-hierarchial mode + never made much sense in the intrinsically hierarchial + cgroup system. + + * A new field _SYSTEMD_SLICE= is logged along with all journal + messages containing the slice a message was generated + from. This is useful to allow easy per-customer filtering of + logs among other things. + + * systemd-journald will no longer adjust the group of journal + files it creates to the "systemd-journal" group. Instead we + rely on the journal directory to be owned by the + "systemd-journal" group, and its setgid bit set, so that the + kernel file system layer will automatically enforce that + journal files inherit this group assignment. The reason for + this change is that we cannot allow NSS look-ups from + journald which would be necessary to resolve + "systemd-journal" to a numeric GID, because this might + create deadlocks if NSS involves synchronous queries to + other daemons (such as nscd, or sssd) which in turn are + logging clients of journald and might block on it, which + would then dead lock. A tmpfiles.d(5) snippet included in + systemd will make sure the setgid bit and group are + properly set on the journal directory if it exists on every + boot. However, we recommend adjusting it manually after + upgrades too (or from RPM scriptlets), so that the change is + not delayed until next reboot. + + * Backlight and random seed files in /var/lib/ have moved into + the /var/lib/systemd/ directory, in order to centralize all + systemd generated files in one directory. + + * Boot time performance measurements (as displayed by + "systemd-analyze" for example) will now read ACPI 5.0 FPDT + performance information if that's available to determine how + much time BIOS and boot loader initialization required. With + a sufficiently new BIOS you hence no longer need to boot + with Gummiboot to get access to such information. + + Contributions from: Andrey Borzenkov, Chen Jie, Colin Walters, + Cristian Rodríguez, Dave Reisner, David Herrmann, David + Mackey, David Strauss, Eelco Dolstra, Evan Callicoat, Gao + feng, Harald Hoyer, Jimmie Tauriainen, Kay Sievers, Lennart + Poettering, Lukas Nykryn, Mantas Mikulėnas, Martin Pitt, + Michael Scherer, Michał Górny, Mike Gilbert, Patrick McCarty, + Sebastian Ott, Tom Gundersen, Zbigniew Jędrzejewski-Szmek + + -- Berlin, 2013-10-02 + +CHANGES WITH 207: + + * The Restart= option for services now understands a new + on-watchdog setting, which will restart the service + automatically if the service stops sending out watchdog keep + alive messages (as configured with WatchdogSec=). + + * The getty generator (which is responsible for bringing up a + getty on configured serial consoles) will no longer only + start a getty on the primary kernel console but on all + others, too. This makes the order in which console= is + specified on the kernel command line less important. + + * libsystemd-logind gained a new sd_session_get_vt() call to + retrieve the VT number of a session. + + * If the option "tries=0" is set for an entry of /etc/crypttab + its passphrase is queried indefinitely instead of any + maximum number of tries. + + * If a service with a configure PID file terminates its PID + file will now be removed automatically if it still exists + afterwards. This should put an end to stale PID files. + + * systemd-run will now also take relative binary path names + for execution and no longer insists on absolute paths. + + * InaccessibleDirectories= and ReadOnlyDirectories= now take + paths that are optionally prefixed with "-" to indicate that + it should not be considered a failure if they don't exist. + + * journalctl -o (and similar commands) now understands a new + output mode "short-precise", it is similar to "short" but + shows timestamps with usec accuracy. + + * The option "discard" (as known from Debian) is now + synonymous to "allow-discards" in /etc/crypttab. In fact, + "discard" is preferred now (since it is easier to remember + and type). + + * Some licensing clean-ups were made, so that more code is now + LGPL-2.1 licensed than before. + + * A minimal tool to save/restore the display backlight + brightness across reboots has been added. It will store the + backlight setting as late as possible at shutdown, and + restore it as early as possible during reboot. + + * A logic to automatically discover and enable home and swap + partitions on GPT disks has been added. With this in place + /etc/fstab becomes optional for many setups as systemd can + discover certain partitions located on the root disk + automatically. Home partitions are recognized under their + GPT type ID 933ac7e12eb44f13b8440e14e2aef915. Swap + partitions are recognized under their GPT type ID + 0657fd6da4ab43c484e50933c84b4f4f. + + * systemd will no longer pass any environment from the kernel + or initrd to system services. If you want to set an + environment for all services, do so via the kernel command + line systemd.setenv= assignment. + + * The systemd-sysctl tool no longer natively reads the file + /etc/sysctl.conf. If desired, the file should be symlinked + from /etc/sysctl.d/99-sysctl.conf. Apart from providing + legacy support by a symlink rather than built-in code, it + also makes the otherwise hidden order of application of the + different files visible. (Note that this partly reverts to a + pre-198 application order of sysctl knobs!) + + * The "systemctl set-log-level" and "systemctl dump" commands + have been moved to systemd-analyze. + + * systemd-run learned the new --remain-after-exit switch, + which causes the scope unit not to be cleaned up + automatically after the process terminated. + + * tmpfiles learned a new --exclude-prefix= switch to exclude + certain paths from operation. + + * journald will now automatically flush all messages to disk + as soon as a message of the log priorities CRIT, ALERT or + EMERG is received. + + Contributions from: Andrew Cook, Brandon Philips, Christian + Hesse, Christoph Junghans, Colin Walters, Daniel Schaal, + Daniel Wallace, Dave Reisner, David Herrmann, Gao feng, George + McCollister, Giovanni Campagna, Hannes Reinecke, Harald Hoyer, + Herczeg Zsolt, Holger Hans Peter Freyther, Jan Engelhardt, + Jesper Larsen, Kay Sievers, Khem Raj, Lennart Poettering, + Lukas Nykryn, Maciej Wereski, Mantas Mikulėnas, Marcel + Holtmann, Martin Pitt, Michael Biebl, Michael Marineau, + Michael Scherer, Michael Stapelberg, Michal Sekletar, Michał + Górny, Olivier Brunel, Ondrej Balaz, Ronny Chevalier, Shawn + Landden, Steven Hiscocks, Thomas Bächler, Thomas Hindoe + Paaboel Andersen, Tom Gundersen, Umut Tezduyar, WANG Chao, + William Giokas, Zbigniew Jędrzejewski-Szmek + + -- Berlin, 2013-09-13 + +CHANGES WITH 206: + + * The documentation has been updated to cover the various new + concepts introduced with 205. + + * Unit files now understand the new %v specifier which + resolves to the kernel version string as returned by "uname + -r". + + * systemctl now supports filtering the unit list output by + load state, active state and sub state, using the new + --state= parameter. + + * "systemctl status" will now show the results of the + condition checks (like ConditionPathExists= and similar) of + the last start attempts of the unit. They are also logged to + the journal. + + * "journalctl -b" may now be used to look for boot output of a + specific boot. Try "journalctl -b -1" for the previous boot, + but the syntax is substantially more powerful. + + * "journalctl --show-cursor" has been added which prints the + cursor string the last shown log line. This may then be used + with the new "journalctl --after-cursor=" switch to continue + browsing logs from that point on. + + * "journalctl --force" may now be used to force regeneration + of an FSS key. + + * Creation of "dead" device nodes has been moved from udev + into kmod and tmpfiles. Previously, udev would read the kmod + databases to pre-generate dead device nodes based on meta + information contained in kernel modules, so that these would + be auto-loaded on access rather then at boot. As this + doesn't really have much to do with the exposing actual + kernel devices to userspace this has always been slightly + alien in the udev codebase. Following the new scheme kmod + will now generate a runtime snippet for tmpfiles from the + module meta information and it now is tmpfiles' job to the + create the nodes. This also allows overriding access and + other parameters for the nodes using the usual tmpfiles + facilities. As side effect this allows us to remove the + CAP_SYS_MKNOD capability bit from udevd entirely. + + * logind's device ACLs may now be applied to these "dead" + devices nodes too, thus finally allowing managed access to + devices such as /dev/snd/sequencer whithout loading the + backing module right-away. + + * A new RPM macro has been added that may be used to apply + tmpfiles configuration during package installation. + + * systemd-detect-virt and ConditionVirtualization= now can + detect User-Mode-Linux machines (UML). + + * journald will now implicitly log the effective capabilities + set of processes in the message metadata. + + * systemd-cryptsetup has gained support for TrueCrypt volumes. + + * The initrd interface has been simplified (more specifically, + support for passing performance data via environment + variables and fsck results via files in /run has been + removed). These features were non-essential, and are + nowadays available in a much nicer way by having systemd in + the initrd serialize its state and have the hosts systemd + deserialize it again. + + * The udev "keymap" data files and tools to apply keyboard + specific mappings of scan to key codes, and force-release + scan code lists have been entirely replaced by a udev + "keyboard" builtin and a hwdb data file. + + * systemd will now honour the kernel's "quiet" command line + argument also during late shutdown, resulting in a + completely silent shutdown when used. + + * There's now an option to control the SO_REUSEPORT socket + option in .socket units. + + * Instance units will now automatically get a per-template + subslice of system.slice unless something else is explicitly + configured. For example, instances of sshd@.service will now + implicitly be placed in system-sshd.slice rather than + system.slice as before. + + * Test coverage support may now be enabled at build time. + + Contributions from: Dave Reisner, Frederic Crozat, Harald + Hoyer, Holger Hans Peter Freyther, Jan Engelhardt, Jan + Janssen, Jason St. John, Jesper Larsen, Kay Sievers, Lennart + Poettering, Lukas Nykryn, Maciej Wereski, Martin Pitt, Michael + Olbrich, Ramkumar Ramachandra, Ross Lagerwall, Shawn Landden, + Thomas H.P. Andersen, Tom Gundersen, Tomasz Torcz, William + Giokas, Zbigniew Jędrzejewski-Szmek + + -- Berlin, 2013-07-23 + +CHANGES WITH 205: + + * Two new unit types have been introduced: + + Scope units are very similar to service units, however, are + created out of pre-existing processes -- instead of PID 1 + forking off the processes. By using scope units it is + possible for system services and applications to group their + own child processes (worker processes) in a powerful way + which then maybe used to organize them, or kill them + together, or apply resource limits on them. + + Slice units may be used to partition system resources in an + hierarchial fashion and then assign other units to them. By + default there are now three slices: system.slice (for all + system services), user.slice (for all user sessions), + machine.slice (for VMs and containers). + + Slices and scopes have been introduced primarily in + context of the work to move cgroup handling to a + single-writer scheme, where only PID 1 + creates/removes/manages cgroups. + + * There's a new concept of "transient" units. In contrast to + normal units these units are created via an API at runtime, + not from configuration from disk. More specifically this + means it is now possible to run arbitrary programs as + independent services, with all execution parameters passed + in via bus APIs rather than read from disk. Transient units + make systemd substantially more dynamic then it ever was, + and useful as a general batch manager. + + * logind has been updated to make use of scope and slice units + for managing user sessions. As a user logs in he will get + his own private slice unit, to which all sessions are added + as scope units. We also added support for automatically + adding an instance of user@.service for the user into the + slice. Effectively logind will no longer create cgroup + hierarchies on its own now, it will defer entirely to PID 1 + for this by means of scope, service and slice units. Since + user sessions this way become entities managed by PID 1 + the output of "systemctl" is now a lot more comprehensive. + + * A new mini-daemon "systemd-machined" has been added which + may be used by virtualization managers to register local + VMs/containers. nspawn has been updated accordingly, and + libvirt will be updated shortly. machined will collect a bit + of meta information about the VMs/containers, and assign + them their own scope unit (see above). The collected + meta-data is then made available via the "machinectl" tool, + and exposed in "ps" and similar tools. machined/machinectl + is compile-time optional. + + * As discussed earlier, the low-level cgroup configuration + options ControlGroup=, ControlGroupModify=, + ControlGroupPersistent=, ControlGroupAttribute= have been + removed. Please use high-level attribute settings instead as + well as slice units. + + * A new bus call SetUnitProperties() has been added to alter + various runtime parameters of a unit. This is primarily + useful to alter cgroup parameters dynamically in a nice way, + but will be extended later on to make more properties + modifiable at runtime. systemctl gained a new set-properties + command that wraps this call. + + * A new tool "systemd-run" has been added which can be used to + run arbitrary command lines as transient services or scopes, + while configuring a number of settings via the command + line. This tool is currently very basic, however already + very useful. We plan to extend this tool to even allow + queuing of execution jobs with time triggers from the + command line, similar in fashion to "at". + + * nspawn will now inform the user explicitly that kernels with + audit enabled break containers, and suggest the user to turn + off audit. + + * Support for detecting the IMA and AppArmor security + frameworks with ConditionSecurity= has been added. + + * journalctl gained a new "-k" switch for showing only kernel + messages, mimicking dmesg output; in addition to "--user" + and "--system" switches for showing only user's own logs + and system logs. + + * systemd-delta can now show information about drop-in + snippets extending unit files. + + * libsystemd-bus has been substantially updated but is still + not available as public API. + + * systemd will now look for the "debug" argument on the kernel + command line and enable debug logging, similar to + "systemd.log_level=debug" already did before. + + * "systemctl set-default", "systemctl get-default" has been + added to configure the default.target symlink, which + controls what to boot into by default. + + * "systemctl set-log-level" has been added as a convenient + way to raise and lower systemd logging threshold. + + * "systemd-analyze plot" will now show the time the various + generators needed for execution, as well as information + about the unit file loading. + + * libsystemd-journal gained a new sd_journal_open_files() call + for opening specific journal files. journactl also gained a + new switch to expose this new functionality. Previously we + only supported opening all files from a directory, or all + files from the system, as opening individual files only is + racy due to journal file rotation. + + * systemd gained the new DefaultEnvironment= setting in + /etc/systemd/system.conf to set environment variables for + all services. + + * If a privileged process logs a journal message with the + OBJECT_PID= field set, then journald will automatically + augment this with additional OBJECT_UID=, OBJECT_GID=, + OBJECT_COMM=, OBJECT_EXE=, ... fields. This is useful if + system services want to log events about specific client + processes. journactl/systemctl has been updated to make use + of this information if all log messages regarding a specific + unit is requested. + + Contributions from: Auke Kok, Chengwei Yang, Colin Walters, + Cristian Rodríguez, Daniel Albers, Daniel Wallace, Dave + Reisner, David Coppa, David King, David Strauss, Eelco + Dolstra, Gabriel de Perthuis, Harald Hoyer, Jan Alexander + Steffens, Jan Engelhardt, Jan Janssen, Jason St. John, Johan + Heikkilä, Karel Zak, Karol Lewandowski, Kay Sievers, Lennart + Poettering, Lukas Nykryn, Mantas Mikulėnas, Marius Vollmer, + Martin Pitt, Michael Biebl, Michael Olbrich, Michael Tremer, + Michal Schmidt, Michał Bartoszkiewicz, Nirbheek Chauhan, + Pierre Neidhardt, Ross Burton, Ross Lagerwall, Sean McGovern, + Thomas Hindoe Paaboel Andersen, Tom Gundersen, Umut Tezduyar, + Václav Pavlín, Zachary Cook, Zbigniew Jędrzejewski-Szmek, + Łukasz Stelmach, 장동준 + CHANGES WITH 204: * The Python bindings gained some minimal support for the APIs