X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=TODO;h=3cf4ce393c6d7b832f28e0820631622c7e1f8def;hp=acac4e31cc130cd90d5d6750257529b1f842d1b8;hb=4a25d32f7ac0fa7c15dc5ef7cdb98866b051ba70;hpb=1cf3c30c0787f941b0f6d0b11ab504ddee3b0b8f diff --git a/TODO b/TODO index acac4e31c..3cf4ce393 100644 --- a/TODO +++ b/TODO @@ -1,13 +1,3 @@ -Fixes needed before 217: - -* sd_session_get_desktop() yells at me? - -* remove Discard= in .mount units and replace it by Options=, to prepare for later swapon fix - -* verify that both resolved and timesyncd work OK without networkd around - -* push out allow-interactive-auth flag into dbus spec - Bugfixes: * Should systemctl status \* work on all unit types, not just .service? @@ -16,213 +6,367 @@ Bugfixes: automount points even when the original .automount file did not exist anymore. Only the .mount unit was still around. -* properly handle .mount unit state tracking when two mount points are stacked one on top of another on the exact same mount point. - -* ExecStart with unicode characters fails in strv_split_quoted: +* ExecStart with unicode characters fails in strv_split_extract: [Service] Environment=ONE='one' "TWO='two two' too" THREE= ExecStart=/bin/python3 -c 'import sys;print(sys.argv)' $ONE $TWO $THREE -* MEMORY return code is overloaded for syntax errors in the commandline. - str_split_quoted() should return a real return code, so spawn_child can - report the failure properly. - External: + * Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros. -* Fedora: post FPC ticket to move add %tmpfiles_create to the packaging guidelines +* wiki: update journal format documentation for lz4 additions -* Fedora: move kernel image to /usr/lib/modules/, kernel-install will take care of populating /boot +Janitorial Clean-ups: -* Fedora: remove /etc/resolv.conf tmpfiles hack +* Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again -* wiki: update journal format documentation for lz4 additions +Features: -* When lz4 gets an API for lz4 command output, make use of it to - compress coredumps in a way compatible with /usr/bin/lz4. +* sort generated hwdb files alphabetically when we import them, so that git + diffs remain minimal (in particular: the OUI databases we import are not + sorted, and not stable) -Features: +* set SystemCallArchitectures=native on all our services -* journald: allow per-priority and per-service retention times when rotating/vacuuming +* maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for + the sd-journal logging socket, and, if the timeout is set to 0, sets + O_NONBLOCK on it. That way people can control if and when to block for + logging. -* introduce systemd-timesync-wait.service or so to sync on an NTP fix? +* tighten sd_notify() MAINPID= checks a bit: don't accept foreign PIDs (i.e. + PIDs not managed by the service manager) -* systemd --user should issue sd_notify() upon reaching basic.target, not on becoming idle +* journald: when we recv a log datagram via the native or syslog transports, + search for the PID in the active stream connections, and let's make sure to + always process the datagrams before the streams. Then, cache client metadata + per stream in the stream object. This way we can somewhat fix the race with + quickly exiting processes which log as long as they had their own stream + connection... -* configure.ac pretends dbus was optional but actually hardcodes use of dbus' pkg-config file to determine various dbus dirs such as policy and activation dirs +* hostnamed: populate form factor data from a new hwdb database, so that old + yogas can be recognized as "convertible" too, even if they predate the DMI + "convertible" form factor -* consider showing the unit names during boot up in the status output, not just the unit descriptions +* Maybe add a small tool invoked early at boot, that adds in or resizes + partitions automatically, to be used when the media used is actually larger + than the image written onto it is. -* send SIGABRT when a service watchdog is triggered, by default, so that we acquire a backtrace of the hang. +* Maybe add PrivatePIDs= as new unit setting, and do minimal PID namespacing + after all. Be strict however, only support the equivalent of nspawn's + --as-pid2 switch, and sanely proxy sd_notify() messages dropping stuff such + as MAINPID. -* dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from? +* change the dependency Set* objects in Unit structures to become Hashmap*, and + then store a bit mask who created a specific dependency: the source unit via + fragment configuration, the destination unit via fragment configuration, or + the source unit via udev rules (in case of .device units), or any combination + thereof. This information can then be used to flush out old udev-created + dependencies when the udev properties change, and eventually to implement a + "systemctl refresh" operation for reloading the configuration of individual + units without reloading the whole set. -* maybe allow timer units with an empty Units= setting, so that they - can be used for resuming the system but nothing else. +* Add ExecMonitor= setting. May be used multiple times. Forks off a process in + the service cgroup, which is supposed to monitor the service, and when it + exits the service is considered failed by its monitor. -* what to do about udev db binary stability for apps? +* track the per-service PAM process properly (i.e. as an additional control + process), so that it may be queried on the bus and everything. -* maybe provide an API to allow migration of foreign PIDs into existing scopes. +* add a new "debug" job mode, that is propagated to unit_start() and for + services results in two things: we raise SIGSTOP right before invoking + execve() and turn off watchdog support. Then, use that to implement + "systemd-gdb" for attaching to the start-up of any system service in its + natural habitat. -* kdbus: maybe rename "connection name" concept to something that doesn't reuse the word "name"? +* replace all canonicalize_file_name() invocations by chase_symlinks(), in + particulr those where a rootdir is relevant. -* PID 1 doesn't apply nspawns devices cgroup policy +* maybe introduce gpt auto discovery for /var/tmp? -* rework journal-send.c to use memfds for large blobs if they are available instead of unlinked files in /tmp. Also, if we detect that the kernel knows memfds, refuse anything but sealed memfds. +* set ProtectSystem=strict for all our usual services. -* maybe support a new very "soft" reboot mode, that simply kills all processes, disassembles everything, flushes /run and sysvipc, and then reexecs systemd again +* fix PrivateNetwork= so that we fall back gracefully on kernels lacking + namespacing support (similar for the other namespacing options) -* man: document that corrupted journal files is nothing to act on +* maybe add gpt-partition-based user management: each user gets his own + LUKS-encrypted GPT partition with a new GPT type. A small nss module + enumerates users via udev partition enumeration. UIDs are assigned in a fixed + way: the partition index is added as offset to some fixed base uid. User name + is stored in GPT partition name. A PAM module authenticates the user via the + LUKS partition password. Benefits: strong per-user security, compatibility + with stateless/read-only/verity-enabled root. (other idea: do this based on + loopback files in /home, without GPT involvement) -* bus-proxy: when passing messages from kdbus, make sure we properly - handle the case where a large number of fds is appended that we - cannot pass into sendmsg() of the AF_UNIX sokcet (which only accepts - 253 messages) +* gpt-auto logic: introduce support for discovering /var matching an image. For + that, use a partition type UUID that is hashed from the OS name (as encoded + in /etc/os-release), the architecture, and 4 new bits from the gpt flags + field of the root partition. This way can easily support multiple OS + installations on the same GPT partition table, without problems with + unmatched /var partitions. -* busctl: add a pcap writer, using LINKTYPE_DBUS/231 +* gpt-auto logic: related to the above, maybe support a "secondary" root + partition, that is mounted to / and is writable, and where the actual root's + /usr is mounted into. -* man: maybe use the word "inspect" rather than "introspect"? +* machined: add apis to query /etc/machine-info data of a container -* introduce machines.target to order after all nspawn instances +* .mount and .swap units: add Format=yes|no option that formats the partition before mounting/enabling it, implicitly -* systemd-nspawn@.service should fail if some nspawn arg is invalid, with Type=notify +* gpt-auto logic: support encrypted swap, add kernel cmdline option to force it, and honour a gpt bit about it, plus maybe a configuration file -* "machinectl list" should probably show columns for OS version and IP addresses +* drop nss-myhostname in favour of nss-resolve? -* systemctl: if it fails, show log output? +* drop internal dlopen() based nss-dns fallback in nss-resolve, and rely on the + external nsswitch.conf based one -* maybe add "systemctl edit" that copies unit files from /usr/lib/systemd/system to /etc/systemd/system and invokes vim on them +* add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and + then use that for the setting used in user@.service. It should be understood + relative to the configured default value. -* dbus: add new message hdr field for allowing interactive auth, write spec for it. update dbus spec to mandate that unknown flags *must* be ignored... +* on cgroupsv2 add DelegateControllers=, to pick the precise cgroup controllers to delegate -* maybe introduce AssertXYZ= similar to ConditionXYZ= that causes a unit to fail (instead of skipping it) if some condition is not true... +* in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us -* refcounting in sd-resolve is borked +* enable LockMLOCK to take a percentage value relative to physical memory -* exponential backoff in timesyncd and resolved when we cannot reach a server +* switch to ProtectSystem=strict for all our long-running services where that's possible -* journald: make use of uid-range.h to managed uid ranges to split - journals in. +* Permit masking specific netlink APIs with RestrictAddressFamily= -* tmpfiles: port to unquote_many_words(), similar to sysusers +* nspawn: start UID allocation loop from hash of container name -* unquote_many_words() should probably be used by a lot of code that - currently uses FOREACH_WORD and friends. For example, most conf - parsing callbacks should use it. +* nspawn: support that /proc, /sys/, /dev are pre-mounted -* logind: make the Suspend()/Hibernate() bus calls wait for the for - the job to be completed. before returning, so that clients can wait - for "systemctl suspend" to finish to know when the suspending is - complete. +* define gpt header bits to select volatility mode -* merge ~/.local/share and ~/.local/lib into one similar /usr/lib and /usr/share.... +* ProtectKernelLogs= (drops CAP_SYSLOG, add seccomp for syslog() syscall, and DeviceAllow to /dev/kmsg) in service files + +* ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc + +* ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away) + +* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave) + +* ProtectKeyRing= to take keyring calls away + +* RemoveKeyRing= to remove all keyring entries of the specified user + +* ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill + on PID 1 with the relevant signals, and makes relevant files in /sys and + /proc (such as the sysrq stuff) unavailable + +* DeviceAllow= should also generate seccomp filters for mknod() + +* Add DataDirectory=, CacheDirectory= and LogDirectory= to match + RuntimeDirectory=, and create it as necessary when starting a service, owned by the right user. + +* make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things + +* journalctl: make sure -f ends when the container indicated by -M terminates + +* mount: automatically search for "main" partition of an image has multiple + partitions + +* expose the "privileged" flag of ExecCommand on the bus, and open it up to + transient units + +* in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set, + find a way to map the User=/Group= of the service to the right name. This way + a user/group for a service only has to exist on the host for the right + mapping to work. + +* allow attaching additional journald log fields to cgroups + +* add bus API for creating unit files in /etc, reusing the code for transient units + +* add bus API to remove unit files from /etc + +* add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only) + +* rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the + kernel doesn't support linkat() that replaces existing files, currently) + +* check if DeviceAllow= should split first, resolve specifiers later + +* transient units: don't bother with actually setting unit properties, we + reload the unit file anyway + +* journald: sigbus API via a signal-handler safe function that people may call + from the SIGBUS handler -* journald: allows specification of UID range for splitting up journal files +* optionally, also require WATCHDOG=1 notifications during service start-up and shutdown + +* resolved: when routing queries, make sure only look for the *longest* suffix... + +* delay activation of logind until somebody logs in, or when /dev/tty0 pulls it + in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle + +* cache sd_event_now() result from before the first iteration... + +* add systemctl stop --job-mode=triggering that follows TRIGGERED_BY deps and adds them to the same transaction + +* PID1: find a way how we can reload unit file configuration for + specific units only, without reloading the whole of systemd + +* add an explicit parser for LimitRTPRIO= that verifies + the specified range and generates sane error messages for incorrect + specifications. + +* do something about "/control" subcgroups in the unified cgroup hierarchy + +* when we detect that there are waiting jobs but no running jobs, do something + +* push CPUAffinity= also into the "cpuset" cgroup controller (only after the cpuset controller got ported to the unified hierarchy) + +* PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn) + +* there's probably something wrong with having user mounts below /sys, + as we have for debugfs. for exmaple, src/core/mount.c handles mounts + prefixed with /sys generally special. + http://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html + +* man: document that unless you use StandardError=null the shell >/dev/stderr won't work in shell scripts in services + +* fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline + +* docs: bring http://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date + +* mounting and unmounting mount points manually with different source + devices will result in collected on all devices used. + http://lists.freedesktop.org/archives/systemd-devel/2015-April/030225.html + +* add a job mode that will fail if a transaction would mean stopping + running units. Use this in timedated to manage the NTP service + state. + http://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html + +* Maybe add support for the equivalent of "ethtool advertise" to .link files? + http://lists.freedesktop.org/archives/systemd-devel/2015-April/030112.html + +* The udev blkid built-in should expose a property that reflects + whether media was sensed in USB CF/SD card readers. This should then + be used to control SYSTEMD_READY=1/0 so that USB card readers aren't + picked up by systemd unless they contain a medium. This would mirror + the behaviour we already have for CD drives. + +* networkd/udev: implement SR_IOV configuration in .link files: + http://lists.freedesktop.org/archives/systemd-devel/2015-January/027451.html + +* Rework systemctl's GetAll property parsing to use the generic bus_map_all_properties() API + +* implement a per-service firewall based on net_cls + +* Port various tools to make use of verbs.[ch], where applicable: busctl, + coredumpctl, hostnamectl, localectl, systemd-analyze, timedatectl + +* hostnamectl: show root image uuid + +* sysfs set api in libudev is not const + +* Find a solution for SMACK capabilities stuff: + http://lists.freedesktop.org/archives/systemd-devel/2014-December/026188.html + +* "systemctl preset-all" should probably order the unit files it + operates on lexicographically before starting to work, in order to + ensure deterministic behaviour if two unit files conflict (like DMs + do, for example) + +* synchronize console access with BSD locks: + http://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html + +* as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads: + http://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html + +* in systemctl list-unit-files: show the install value the presets would suggest for a service in a third column + +* figure out when we can use the coarse timers + +* add "systemctl start -v foobar.service" that shows logs of a service + while the start command runs. This is non-trivial to do without + races though, since we should flush out all journal messages before + returning from the "systemctl stop". + +* firstboot: make it useful to be run immediately after yum --installroot to set up a machine. (most specifically, make --copy-root-password work even if /etc/passwd already exists + +* maybe add support for specifier expansion in user.conf, specifically DefaultEnvironment= + +* introduce systemd-timesync-wait.service or so to sync on an NTP fix? + +* systemd --user should issue sd_notify() upon reaching basic.target, not on becoming idle + +* consider showing the unit names during boot up in the status output, not just the unit descriptions + +* maybe allow timer units with an empty Units= setting, so that they + can be used for resuming the system but nothing else. + +* what to do about udev db binary stability for apps? (raw access is not an option) + +* maybe provide an API to allow migration of foreign PIDs into existing scopes. + +* man: maybe use the word "inspect" rather than "introspect"? + +* systemctl: if some operation fails, show log output? + +* systemctl edit: use equvalent of cat() to insert existing config as a comment, prepended with #. + Upon editor exit, lines with one # are removed, lines with two # are left with one #, etc. + +* exponential backoff in timesyncd when we cannot reach a server + +* timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM + +* merge ~/.local/share and ~/.local/lib into one similar /usr/lib and /usr/share.... * systemd.show_status= should probably have a mode where only failed units are shown. -* networkd: - - add LLDP client side support - - the DHCP lease data (such as NTP/DNS) is still made available when - a carrier is lost on a link. It should be removed instantly. - - .network setting that allows overriding of the hostname to send to the dhcp server - http://lists.freedesktop.org/archives/systemd-devel/2014-July/021550.html - - expose in the API the following bits: - - option 15, domain name and/or option 119, search list - - option 12, host name and/or option 81, fqdn - - option 100, 101, timezone - - option 123, 144, geolocation - - option 252, configure http proxy (PAC/wpad) - - networkd's dhcp server should transparently pass on the DNS and - NTP server list it got from user configuration and its dhcp client - to clients. It should also pass on its own timezone information. - - provide a way to define a per-network interface default metric value - for all routes to it. possibly a second default for DHCP routes. - - allow Name= to be specified repeatedly in the [Match] section. Maybe also - support Name=foo*|bar*|baz ? +* add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL + (throughout the codebase, not only PID1) * resolved: - - put networkd events and rtnl events at a higher priority, so that - we always process them before we process client requests - - DNSSEC - - use base64 for key presentation? - - add display of private key types (http://tools.ietf.org/html/rfc4034#appendix-A.1.1)? - - add nice formatting of DNS timestamps - - DNS - - search paths - mDNS/DNS-SD + - service registration + - service/domain/types browsing - avahi compat - DNS-SD service registration from socket units - - edns0 - - dname - - cname on PTR (?) - -* Ignore .busname units on classic D-Bus boots, systemd-resolved cannot be started on kdbus - without the active policy and should get a Wants=org.freedesktop.resolve1.busname to - pull-in the policy. + - resolved should optionally register additional per-interface LLMNR + names, so that for the container case we can establish the same name + (maybe "host") for referencing the server, everywhere. + - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?) + - hook up resolved with machined-based address resolution -* Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely +* refcounting in sd-resolve is borked * Add a new verb "systemctl top" -* logind: allow users to kill or lock their own sessions - * add new gpt type for btrfs volumes * support empty /etc boots nicely: - nspawn/gpt-generator: introduce new gpt partition type for /usr - - fstab-generator: support systemd.volatile=yes|no|state on the kernel cmdline, too, similar to nspawn's --volatile= - - fstab-generator: add support for usr= in addition to root= on the kernel cmdline * generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them. -* support setting empty environment variables with Environment= and EnvironmentFile= - -* timer units: actually add extra delays to timer units with high AccuracySec values, don't start them already when we are awake... - * a way for container managers to turn off getty starting via $container_headless= or so... * figure out a nice way how we can let the admin know what child/sibling unit causes cgroup membership for a specific unit -* journalctl: add the ability to look for the most recent process of a binary. journalctl /usr/bin/X11 --pid=-1 or so... - * mount_cgroup_controllers(): symlinks need to get the label applied * For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services they run added to the initial transaction and thus confuse Type=idle. -* Run most system services with cgroupfs read-only and procfs with a more secure mode (doesn't work, since the hidepid= option is per-pid-namespace, not per-mount) - -* sd-event: generate a failure of a default event loop is executed out-of-thread - -* expose "Locked" property on logind sesison objects - * add bus api to query unit file's X fields. -* consider adding RuntimeDirectoryUser= + RuntimeDirectoryGroup= - -* sd-event: define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ... - * gpt-auto-generator: - - Support LUKS for root devices - Define new partition type for encrypted swap? Support probed LUKS for encrypted swap? - Make /home automount rather than mount? -* improve journalctl performance by loading journal files - lazily. Encode just enough information in the file name, so that we - do not have to open it to know that it is not interesting for us, for - the most common operations. - * add generator that pulls in systemd-network from containers when CAP_NET_ADMIN is set, more than the loopback device is defined, even when it is otherwise off -* MessageQueueMessageSize= and RLimitFSIZE= (and suchlike) should use parse_iec_size(). - -* "busctl status" works only as root on dbus1, since we cannot read - /proc/$PID/exe +* MessageQueueMessageSize= (and suchlike) should use parse_iec_size(). * implement Distribute= in socket units to allow running multiple service instances processing the listening socket, and open this up @@ -234,8 +378,6 @@ Features: and passes this back to PID1 via SCM_RIGHTS. This also could be used to allow Chown/chgrp on sockets without requiring NSS in PID 1. -* New service property: maximum CPU and wallclock runtime for a service - * introduce bus call FreezeUnit(s, b), as well as "systemctl freeze $UNIT" and "systemctl thaw $UNIT" as wrappers around this. The calls should SIGSTOP all unit processes in a loop until all processes of @@ -243,9 +385,6 @@ Features: desktop UIs such as gnome-shell to freeze apps that are not visible on screen, not unlike how job control works on the shell -* completions: - - manager property enumeration was broken when systemd moved to /usr/lib/ - * cgroups: - implement per-slice CPUFairScheduling=1 switch - handle jointly mounted controllers correctly @@ -256,7 +395,6 @@ Features: the hierarchies of child processes * transient units: - - allow creating auxiliary units with the same call - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt - ensure scope units may be started only a single time @@ -264,14 +402,10 @@ Features: * when we detect low battery and no AC on boot, show pretty splash and refuse boot -* machined, localed: when we try to kill an empty cgroup, generate an ESRCH error over the bus - * libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops * be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1 -* unify dispatch table in systemctl_main() and friends - * rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it * After coming back from hibernation reset hibernation swap partition using the /dev/snapshot ioctl APIs @@ -280,15 +414,7 @@ Features: error. Currently, we just ignore it and read the unit from the search path anyway. -* refuse boot if /etc/os-release is missing or /etc/machine-id cannot be set up - -* given that logind now lets PID 1 do all nasty work, we can - probably reduce the capability set it retains substantially. - (we need CAP_SYS_ADMIN for drmSetMaster(), so maybe not worth it) - -* btrfs raid assembly: some .device jobs stay stuck in the queue - -* make sure gdm does not use multi-user-x but the new default X configuration file, and then remove multi-user-x from systemd +* refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up * man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted. @@ -298,12 +424,13 @@ Features: ReadOnlyDirectories=... for whitelisting files for a service. * sd-bus: - - when kdbus does not take our message without memfds, try again with memfds - - systemd-bus-proxyd needs to enforce good old XML policy - - allow updating attach flags during runtime - - pid1: peek into activating message when activating a service - - introduce sd_bus_emit_object_added()/sd_bus_emit_object_removed() that automatically includes the build-in interfaces in the list + - EBADSLT handling + - GetAllProperties() on a non-existing object does not result in a failure currently + - kdbus: process fd=-1 for incoming msgs - port to sd-resolve for connecting to TCP dbus servers + - kdbus: maybe add controlling tty metadata fields + - see if we can introduce a new sd_bus_get_owner_machine_id() call to retrieve the machine ID of the machine of the bus itself + - when kdbus does not take our message without memfds, try again with memfds - see if we can drop more message validation on the sending side - add API to clone sd_bus_message objects - make AddMatch calls on dbus1 transports async? @@ -313,18 +440,18 @@ Features: - kdbus mapping - NameLost/NameAcquired obsolete - GVariant - - "const" properties (posted) - path escaping - update systemd.special(7) to mention that dbus.socket is only about the compatibility socket now - test bloom filter generation indexes + - kdbus: introduce a concept of "send-only" connections + - kdbus: add counter for refused unicast messages that is passed out via the RECV ioctl. SImilar to the counter for dropped multicast messages we already have. * sd-event - allow multiple signal handlers per signal? - document chaining of signal handler for SIGCHLD and child handlers - -* in the final killing spree, detect processes from the root directory, and - complain loudly if they have argv[0][0] == '@' set. - https://bugzilla.redhat.com/show_bug.cgi?id=961044 + - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ... + - generate a failure of a default event loop is executed out-of-thread + - maybe add support for inotify events * investigate endianness issues of UUID vs. GUID @@ -337,8 +464,6 @@ Features: * maybe add a generator that looks for "systemd.run=" on the kernel cmdline for container usercases... -* timedatectl: print a nicer message when enabling ntp fails because ntpd/chrony are not installed - * cgtop: make cgtop useful in a container * test/: @@ -355,9 +480,6 @@ Features: * teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off}) -* after all byte-wise realloc() is slow, even on glibc, so i guess we - need manual exponential loops after all - * BootLoaderSpec: Clarify that the kernel has to be in $BOOT. Clarify that the boot loader should be installed to the ESP. Define a way how an installer can figure out whether a BLS compliant boot loader @@ -370,18 +492,12 @@ Features: * systemd-inhibit: make taking delay locks useful: support sending SIGINT or SIGTERM on PrepareForSleep() -* journal-or-kmsg is currently broken? See reverted commit 4a01181e460686d8b4a543b1dfa7f77c9e3c5ab8. - -* remove any syslog support from log.c -- we probably cannot do this before split-off udev is gone for good +* remove any syslog support from log.c — we probably cannot do this before split-off udev is gone for good * shutdown logging: store to EFI var, and store to USB stick? -* write UI tool that pops up emergency messages from the journal as notification - * think about window-manager-run-as-user-service problem: exit 0 → activate shutdown.target; exit != 0 → restart service -* use "log level" rather than "log priority" everywhere - * merge unit_kill_common() and unit_kill_context() * introduce ExecCondition= in services @@ -393,11 +509,6 @@ Features: * maybe do not install getty@tty1.service symlink in /etc but in /usr? -* re-enable "make check" for gtk-doc (broken for unknown reason) - -* fstab: add new mount option x-systemd-after=/foobar/waldo to allow manual dependencies to other mount points - https://bugzilla.redhat.com/show_bug.cgi?id=812826 - * print a nicer explanation if people use variable/specifier expansion in ExecStart= for the first word * mount: turn dependency information from /proc/self/mountinfo into dependency information between systemd units. @@ -415,44 +526,58 @@ Features: any session we should probably just become a NOP, since that's usually not a real user session but just some system code that just needs setuid(). + - logind: make the Suspend()/Hibernate() bus calls wait for the for + the job to be completed. before returning, so that clients can wait + for "systemctl suspend" to finish to know when the suspending is + complete. + - logind: when the power button is pressed short, just popup a + logout dialog. If it is pressed for 1s, do the usual + shutdown. Inspiration are Macs here. + - expose "Locked" property on logind sesison objects + - given that logind now lets PID 1 do all nasty work, we can + probably reduce the capability set it retains substantially. + (we need CAP_SYS_ADMIN for drmSetMaster(), so maybe not worth it) + - expose orientation sensors and tablet mode through logind + - maybe allow configuration of the StopTimeout for session scopes + - rename session scope so that it includes the UID. THat way + the session scope can be arranged freely in slices and we don't have + make assumptions about their slice anymore. + - follow PropertiesChanged state more closely, to deal with quick logouts and + relogins * exec: when deinitializating a tty device fix the perms and group, too, not only when initializing. Set access mode/gid to 0620/tty. * service: watchdog logic: for testing purposes allow ping, but do not require pong * journal: + - consider introducing implicit _TTY= + _PPID= + _EUID= + _EGID= + _FSUID= + _FSGID= fields - import and delete pstore filesystem content at startup - journald: also get thread ID from client, plus thread name - journal: when waiting for journal additions in the client always sleep at least 1s or so, in order to minimize wakeups - add API to close/reopen/get fd for journal client fd in libsystemd-journal. - fallback to /dev/log based logging in libsystemd-journal, if we cannot log natively? - declare the local journal protocol stable in the wiki interface chart - - journal: reuse XZ context - sd-journal: speed up sd_journal_get_data() with transparent hash table in bg - journald: when dropping msgs due to ratelimit make sure to write "dropped %u messages" not only when we are about to print the next message that works, but alraedy after a short tiemout - check if we can make journalctl by default use --follow mode inside of less if called without args? - maybe add API to send pairs of iovecs via sd_journal_send - - journal: when writing journal auto-rotate if time jumps backwards - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access - journactl: support negative filtering, i.e. FOOBAR!="waldo", and !FOOBAR for events without FOOBAR. - - journal: send out marker messages every now and then, and immediately sync with fdatasync() afterwards, in order to have hourly guaranteed syncs. + - journal: store timestamp of journal_file_set_offline() int he header, + so it is possible to display when the file was last synced. - journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again. - journal: find a way to allow dropping history early, based on priority, other rules - journal: When used on NFS, check payload hashes - - journald: check whether it is OK if the client can still modify delivered journal entries - - journal live copy, based on libneon (client) and libmicrohttpd (server) - journald: add kernel cmdline option to disable ratelimiting for debug purposes - refuse taking lower-case variable names in sd_journal_send() and friends. - journald: we currently rotate only after MaxUse+MaxFilesize has been reached. - journal: deal nicely with byte-by-byte copied files, especially regards header - - journal: store euid in journal if it differs from uid - journal: sanely deal with entries which are larger than the individual file size, but where the components would fit - Replace utmp, wtmp, btmp, and lastlog completely with journal - journalctl: instead --after-cursor= maybe have a --cursor=XYZ+1 syntax? - - tmpfiles: when applying ownership to /run/log/journal, also do this for the journal fails contained in it - when a kernel driver logs in a tight loop, we should ratelimit that too. - journald: optionally, log debug messages to /run but everything else to /var - journald: when we drop syslog messages because the syslog socket is @@ -463,6 +588,35 @@ Features: boot, and causes the journal to be moved back to /run on shutdown, so that we do not keep /var busy. This needs to happen synchronously, hence doing this via signals is not going to work. + - optionally support running journald from the command line for testing purposes in external projects + - journald: allow per-priority and per-service retention times when rotating/vacuuming + - journald: make use of uid-range.h to managed uid ranges to split + journals in. + - journalctl: add the ability to look for the most recent process of a binary. journalctl /usr/bin/X11 --pid=-1 or so... + - improve journalctl performance by loading journal files + lazily. Encode just enough information in the file name, so that we + do not have to open it to know that it is not interesting for us, for + the most common operations. + - journal-or-kmsg is currently broken? See reverted + commit 4a01181e460686d8b4a543b1dfa7f77c9e3c5ab8. + - man: document that corrupted journal files is nothing to act on + - rework journald sigbus stuff to use mutex + - Set RLIMIT_NPROC for systemd-journal-xyz, and all other of our + services that run under their own user ids, and use User= (but only + in a world where userns is ubiquitous since otherwise we cannot + invoke those daemons on the host AND in a container anymore). Also, + if LimitNPROC= is used without User= we should warn and refuse + operation. + - journalctl --verify: don't show files that are currently being + written to as FAIL, but instead show that their are being written to. + - add journalctl -H that talks via ssh to a remote peer and passes through + binary logs data + - add a version of --merge which also merges /var/log/journal/remote + - log accumulated resource usage after each service invocation + - journalctl: -m should access container journals directly by enumerating + them via machined, and also watch containers coming and going. + Benefit: nspawn --ephemeral would start working nicely with the journal. + - assign MESSAGE_ID to log messages about failed services * document: - document that deps in [Unit] sections ignore Alias= fields in @@ -475,12 +629,10 @@ Features: - document systemd-journal-flush.service properly - documentation: recommend to connect the timer units of a service to the service via Also= in [Install] - man: document the very specific env the shutdown drop-in tools live in - - man: extend runlevel(8) to mention that runlevels suck, and are dead. Maybe add runlevel(7) with a note about that too - man: add more examples to man pages - man: maybe sort directives in man pages, and take sections from --help and apply them to man too * systemctl: - - systemctl list-jobs - show dependencies - add systemctl switch to dump transaction without executing it - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done - "systemctl disable" on a static unit prints no message and does @@ -490,57 +642,76 @@ Features: - add new command to systemctl: "systemctl system-reexec" which reexecs as many daemons as virtually possible - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards? - systemctl: "Journal has been rotated since unit was started." message is misleading - - support "systemctl stop foobar@.service" to stop all units matching a certain template - - Something is wrong with symlink handling of "autovt@.service" in "systemctl list-unit-files" - better error message if you run systemctl without systemd running - - systemctl status output should should include list of triggering units and their status + - systemctl status output should include list of triggering units and their status * unit install: - "systemctl mask" should find all names by which a unit is accessible (i.e. by scanning for symlinks to it) and link them all to /dev/null - - systemctl list-unit-files should list generated files (and probably with a new state "generated" for them, or so) * timer units: - timer units should get the ability to trigger when: o CLOCK_REALTIME makes jumps (TFD_TIMER_CANCEL_ON_SET) o DST changes - - Support 2012-02~4 as syntax for specifying the fourth to last day of the month. - - calendarspec: support value ranges with ".." notation. Example: 2013-4..8-1 - - when parsing calendar timestamps support the UTC timezone (even if we will not support arbitrary timezone specs, support UTC itself certainly makes sense), also support syntaxes such as +0200 - Modulate timer frequency based on battery state -* update the kernel's TZ (sys_tz) when DST changes - -* sync down the system time to the RTC when: - - CLOCK_REALTIME makes jumps (the user explicitely requested a time set) - - DST/timezone changes && ntp is active && RTC-in-localtime (never do it without ntp) - This takes care of syncing ntpdate updates to the RTC, and DST updates for localtime - mode, it will never touch the RTC if the no reliable time source is active or the - user did not request anything like it. - * add libsystemd-password or so to query passwords during boot using the password agent logic -* If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle(). - -* fedup: add --unit to systemctl switch-root somehow -* fedup: do not delete initrd on switch-root -* fedup: generator - * clean up date formatting and parsing so that all absolute/relative timestamps we format can also be parsed * on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?), get rid of systemd-update-utmp-runlevel -* make repeated alt-ctrl-del presses printing a dump, or even force a reboot without - waiting for the timeout +* make repeated alt-ctrl-del presses printing a dump * hostnamed: before returning information from /etc/machine-info.conf check the modification data and reread. Similar for localed, ... * currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not * nspawn: - - bind mount read-only the cgroup tree higher than nspawn - - refuses to boot containers without /etc/machine-id (OK?), and with empty /etc/machine-id (not OK). - - support taking a btrfs snapshot at startup and dropping it afterwards + - emulate /dev/kmsg using CUSE and turn off the syslog syscall + with seccomp. That should provide us with a useful log buffer that + systemd can log to during early boot, and disconnect container logs + from the kernel's logs. + - as soon as networkd has a bus interface, hook up --network-interface=, + --network-bridge= with networkd, to trigger netdev creation should an + interface be missing + - a nice way to boot up without machine id set, so that it is set at boot + automatically for supporting --ephemeral. Maybe hash the host machine id + together with the machine name to generate the machine id for the container + - fix logic always print a final newline on output. + https://github.com/systemd/systemd/pull/272#issuecomment-113153176 + - should optionally support receiving WATCHDOG=1 messages from its payload + PID 1... + - should send out sd_notify("WATCHDOG=1") messages + - optionally automatically add FORWARD rules to iptables whenever nspawn is + running, remove them when shut down. + - Improve error message when --bind= is used on a non-existing source + directory + - maybe make copying of /etc/resolv.conf optional, and skip it if --read-only + is used + +* dissect + - refuse mounting over a mount point + - automatically discover .roothash files in dissect, similarly to nspawn + +* machined: + - add an API so that libvirt-lxc can inform us about network interfaces being + removed or added to an existing machine + - "machinectl migrate" or similar to copy a container from or to a + difference host, via ssh + - introduce systemd-nspawn-ephemeral@.service, and hook it into + "machinectl start" with a new --ephemeral switch + - "machinectl status" should also show internal logs of the container in + question + - "machinectl list-images" should show os-release data, as well as + machine-info data (including deployment level) + - "machinectl history" + - "machinectl diff" + - "machinectl commit" that takes a writable snapshot of a tree, invokes a + shell in it, and marks it read-only after use + +* importd: + - generate a nice warning if mkfs.btrfs is missing * cryptsetup: - cryptsetup-generator: allow specification of passwords in crypttab itself @@ -551,55 +722,14 @@ Features: * hw watchdog: optionally try to use the preset watchdog timeout instead of always overriding it https://bugs.freedesktop.org/show_bug.cgi?id=54712 -* after deserializing sockets in socket.c we should reapply sockopts and things - -* make timer units go away after they elapsed - -* come up with a nice way to write queue/read_ahead_kb for a block device without interfering with readahead - -* move PID 1 segfaults to /var/lib/systemd/coredump? - * create /sbin/init symlinks from the build system -* allow writing multiple conditions in unit files on one line - * MountFlags=shared acts as MountFlags=slave right now. -* drop PID 1 reloading, only do reexecing (difficult: Reload() - currently is properly synchronous, Reexec() is weird, because we - cannot delay the response properly until we are back, so instead of - being properly synchronous we just keep open the fd and close it - when done. That means clients do not get a successful method reply, - but much rather a disconnect on success. - * properly handle loop back mounts via fstab, especially regards to fsck/passno * initialize the hostname from the fs label of /, if /etc/hostname does not exist? -* rename "userspace" to "core-os" - -* load-fragment: when loading a unit file via a chain of symlinks - verify that it is not masked via any of the names traversed. - -* introduce Type=pid-file - -* change Requires=basic.target to RequisiteOverride=basic.target - -* when breaking cycles drop sysv services first, then services from /run, then from /etc, then from /usr - -* automount: implement expire: - - set superblock timeout AUTOFS_DEV_IOCTL_TIMEOUT_CMD - - periodically run AUTOFS_DEV_IOCTL_EXPIRE_CMD - - every timeout/4 (original autofs logic) - - blocking, needs a thread - - run until -EAGAIN - - receive expire packet on pipe if kernel tells the timeout is over - - call umount - - answer expire packet on pipe with AUTOFS_DEV_IOCTL_{READY,FAIL}_CMD - - AUTOFS_DEV_IOCTL_EXPIRE_CMD returns - -* ExecOnFailure=/usr/bin/foo - * udev: - move to LGPL - kill scsi_id @@ -608,15 +738,13 @@ Features: * when a service has the same env var set twice we actually store it twice and return that in systemctl show -p... We should only show the last setting -* introduce mix of BindTo and Requisite - * There's currently no way to cancel fsck (used to be possible via C-c or c on the console) * add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/ -* default unix qlen is too small (10). bump sysctl? add sockopt? - -* save coredump in Windows/Mozilla minidump format +* coredump: + - save coredump in Windows/Mozilla minidump format + - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps * support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting) @@ -625,29 +753,16 @@ Features: * be able to specify a forced restart of service A where service B depends on, in case B needs to be auto-respawned? -* when a bus name of a service disappears from the bus make sure to queue further activation requests - * tmpfiles: - apply "x" on "D" too (see patch from William Douglas) - -* for services: do not set $HOME in services unless requested - -* hide PAM options in fragment parser when compile time disabled - -* when we automatically restart a service, ensure we restart its rdeps, too. - -* allow Type=simple with PIDFile= - https://bugzilla.redhat.com/show_bug.cgi?id=723942 - -* move PAM code into its own binary - -* implement Register= switch in .socket units to enable registration - in Avahi, RPC and other socket registration services. + - replace F with f+. + - instead of ignoring unknown fields, reject them. + - creating new directories/subvolumes/fifos/device nodes + should not follow symlinks. None of the other adjustment or creation + calls follow symlinks. * make sure systemd-ask-password-wall does not shutdown systemd-ask-password-console too early -* add ReloadSignal= for configuring a reload signal to use - * verify that the AF_UNIX sockets of a service in the fs still exist when we start a service in order to avoid confusion when a user assumes starting a service is enough to make it accessible @@ -657,15 +772,6 @@ Features: * and a dbus call to generate target from current state -* readahead: - - drop /.readahead on bigger upgrades with yum - - move readahead files into /var (look for them with .path units?) - - readahead: use BTRFS_IOC_DEFRAG_RANGE instead of BTRFS_IOC_DEFRAG ioctl, with START_IO - - readahead: when bumping /sys readahead variable save mtime and compare later to detect changes - - readahead: make use of EXT4_IOC_MOVE_EXT, as used by http://e4rat.sourceforge.net/ - -* GC unreferenced jobs (such as .device jobs) - * write blog stories about: - hwdb: what belongs into it, lsusb - enabling dbus services @@ -673,7 +779,6 @@ Features: - how to make changes to sysctl and sysfs attributes - remote access - how to pass throw-away units to systemd, or dynamically change properties of existing units - - how to integrate cgconfig and suchlike with systemd - testing with Harald's awesome test kit - auto-restart - how to develop against journal browsing APIs @@ -687,32 +792,55 @@ Features: - instantiated apache, dovecot and so on - hooking a script into various stages of shutdown/rearly booot -* allow port=0 in .socket units - -* recreate systemd's D-Bus private socket file on SIGUSR2 - -* Support --test based on current system state - * investigate whether the gnome pty helper should be moved into systemd, to provide cgroup support. -* maybe introduce ExecRestartPre= - * dot output for --test showing the 'initial transaction' * fingerprint.target, wireless.target, gps.target, netdevice.target -* drop cap bounding set in readahead and other services - -* systemd-python: - - figure out a simple way to wait for journal events in a way that - works with ^C - - add documentation to systemd.daemon - -* bootchart: - - plot per-process IO utilization - - group processes based on service association (cgroups) - - document initcall_debug - - kernel cmdline "bootchart" option for simplicity? +* pid1: + - .timer units should optionally support CLOCK_BOOTTIME in addition to CLOCK_MONOTONIC + - When logging about multiple units (stopping BoundTo units, conflicts, etc.), + log both units as UNIT=, so that journalctl -u triggers on both. + - generate better errors when people try to set transient properties + that are not supported... + http://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html + - maybe introduce WantsMountsFor=? Usecase: + http://lists.freedesktop.org/archives/systemd-devel/2015-January/027729.html + - recreate systemd's D-Bus private socket file on SIGUSR2 + - move PAM code into its own binary + - when we automatically restart a service, ensure we restart its rdeps, too. + - hide PAM options in fragment parser when compile time disabled + - Support --test based on current system state + - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle(). + - after deserializing sockets in socket.c we should reapply sockopts and things + - drop PID 1 reloading, only do reexecing (difficult: Reload() + currently is properly synchronous, Reexec() is weird, because we + cannot delay the response properly until we are back, so instead of + being properly synchronous we just keep open the fd and close it + when done. That means clients do not get a successful method reply, + but much rather a disconnect on success. + - when breaking cycles drop sysv services first, then services from /run, then from /etc, then from /usr + - when a bus name of a service disappears from the bus make sure to queue further activation requests + +* unit files: + - allow port=0 in .socket units + - maybe introduce ExecRestartPre= + - add ReloadSignal= for configuring a reload signal to use + - implement Register= switch in .socket units to enable registration + in Avahi, RPC and other socket registration services. + - allow Type=simple with PIDFile= + https://bugzilla.redhat.com/show_bug.cgi?id=723942 + - allow writing multiple conditions in unit files on one line + - load-fragment: when loading a unit file via a chain of symlinks + verify that it is not masked via any of the names traversed. + - introduce Type=pid-file + - ExecOnFailure=/usr/bin/foo + - introduce mix of BindTo and Requisite + - add a concept of RemainAfterExit= to scope units + - Set NoNewPrivileges= on all of our own services, where that makes sense + - Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely + - consider adding RuntimeDirectoryUser= + RuntimeDirectoryGroup= * udev-link-config: - Make sure ID_PATH is always exported and complete for @@ -731,25 +859,36 @@ Features: - add reduced [Link] support to .network files - add Scope= parsing option for [Network] - properly handle routerless dhcp leases - - add more attribute support for SIT tunnel - - work with non-ethernet devices + - work with non-Ethernet devices - add support for more bond options + - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from? + - the DHCP lease data (such as NTP/DNS) is still made available when + a carrier is lost on a link. It should be removed instantly. + - expose in the API the following bits: + - option 15, domain name and/or option 119, search list + - option 12, host name and/or option 81, fqdn + - option 123, 144, geolocation + - option 252, configure http proxy (PAC/wpad) + - provide a way to define a per-network interface default metric value + for all routes to it. possibly a second default for DHCP routes. + - allow Name= to be specified repeatedly in the [Match] section. Maybe also + support Name=foo*|bar*|baz ? + - duplicate address check for static IPs (like ARPCHECK in network-scripts) + - allow DUID/IAID to be customized, see issue #394. + - whenever uplink info changes, make DHCP server send out FORCERENEW * networkd-wait-online: - make operstates to wait for configurable? * dhcp: - figure out how much we can increase Maximum Message Size - - export timezone information - support RFC4702 (pass FQDN) * dhcp6: - add functions to set previously stored IPv6 addresses on startup and get them at shutdown; store them in client->ia_na - write more test cases - - implement and do duplicate address detection, see rfc 4862, 5.4. - implement reconfigure support, see 5.3., 15.11. and 22.20. - - implement information request, see 1.2. and 18.1.5. - implement support for temporary adressess (IA_TA) - implement dhcpv6 authentication - investigate the usefulness of Confirm messages; i.e. are there any @@ -757,6 +896,7 @@ Features: or interface down - some servers don't do rapid commit without a filled in IA_NA, verify this behavior + - RouteTable= ? External: @@ -774,12 +914,8 @@ External: * drop accountsservice's StandardOutput=syslog and Type=dbus fields -* dbus upstream still refers to dbus.target and should not - * dbus: in fedora, make /var/lib/dbus/machine-id a symlink to /etc/machine-id -* add "# export SYSTEMD_PAGER=" to bash login - * /usr/bin/service should actually show the new command line * fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus= @@ -812,7 +948,3 @@ Regularly: * use secure_getenv() instead of getenv() where appropriate * link up selected blog stories from man pages and unit files Documentation= fields - -Scheduled for removal or fixing: - -* xxxOverridable dependencies (probably: fix)