X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=TODO;h=3cf4ce393c6d7b832f28e0820631622c7e1f8def;hp=fac9ccf0edb2b8ee61b7dad056895acdec2ec3a4;hb=f5a6d04aa9c060b07d3c794dc286d454aa7c2f70;hpb=c6edc23d5f8a483e93a891bf7eb76b5f4caf2fb4 diff --git a/TODO b/TODO index fac9ccf0e..3cf4ce393 100644 --- a/TODO +++ b/TODO @@ -12,9 +12,6 @@ Bugfixes: Environment=ONE='one' "TWO='two two' too" THREE= ExecStart=/bin/python3 -c 'import sys;print(sys.argv)' $ONE $TWO $THREE -* When systemctl --host is used, underlying ssh connection can remain open. - bus_close does not kill children? - External: * Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros. @@ -23,38 +20,171 @@ External: Janitorial Clean-ups: -* code cleanup: retire FOREACH_WORD_QUOTED, port to extract_first_word() loops instead +* Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again -* replace manual readdir() loops with FOREACH_DIRENT or FOREACH_DIRENT_ALL +Features: -* Get rid of the last strerror() invocations in favour of %m and strerror_r() +* sort generated hwdb files alphabetically when we import them, so that git + diffs remain minimal (in particular: the OUI databases we import are not + sorted, and not stable) -* Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again +* set SystemCallArchitectures=native on all our services -Features: +* maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for + the sd-journal logging socket, and, if the timeout is set to 0, sets + O_NONBLOCK on it. That way people can control if and when to block for + logging. + +* tighten sd_notify() MAINPID= checks a bit: don't accept foreign PIDs (i.e. + PIDs not managed by the service manager) + +* journald: when we recv a log datagram via the native or syslog transports, + search for the PID in the active stream connections, and let's make sure to + always process the datagrams before the streams. Then, cache client metadata + per stream in the stream object. This way we can somewhat fix the race with + quickly exiting processes which log as long as they had their own stream + connection... + +* hostnamed: populate form factor data from a new hwdb database, so that old + yogas can be recognized as "convertible" too, even if they predate the DMI + "convertible" form factor + +* Maybe add a small tool invoked early at boot, that adds in or resizes + partitions automatically, to be used when the media used is actually larger + than the image written onto it is. + +* Maybe add PrivatePIDs= as new unit setting, and do minimal PID namespacing + after all. Be strict however, only support the equivalent of nspawn's + --as-pid2 switch, and sanely proxy sd_notify() messages dropping stuff such + as MAINPID. + +* change the dependency Set* objects in Unit structures to become Hashmap*, and + then store a bit mask who created a specific dependency: the source unit via + fragment configuration, the destination unit via fragment configuration, or + the source unit via udev rules (in case of .device units), or any combination + thereof. This information can then be used to flush out old udev-created + dependencies when the udev properties change, and eventually to implement a + "systemctl refresh" operation for reloading the configuration of individual + units without reloading the whole set. + +* Add ExecMonitor= setting. May be used multiple times. Forks off a process in + the service cgroup, which is supposed to monitor the service, and when it + exits the service is considered failed by its monitor. + +* track the per-service PAM process properly (i.e. as an additional control + process), so that it may be queried on the bus and everything. + +* add a new "debug" job mode, that is propagated to unit_start() and for + services results in two things: we raise SIGSTOP right before invoking + execve() and turn off watchdog support. Then, use that to implement + "systemd-gdb" for attaching to the start-up of any system service in its + natural habitat. + +* replace all canonicalize_file_name() invocations by chase_symlinks(), in + particulr those where a rootdir is relevant. + +* maybe introduce gpt auto discovery for /var/tmp? + +* set ProtectSystem=strict for all our usual services. + +* fix PrivateNetwork= so that we fall back gracefully on kernels lacking + namespacing support (similar for the other namespacing options) + +* maybe add gpt-partition-based user management: each user gets his own + LUKS-encrypted GPT partition with a new GPT type. A small nss module + enumerates users via udev partition enumeration. UIDs are assigned in a fixed + way: the partition index is added as offset to some fixed base uid. User name + is stored in GPT partition name. A PAM module authenticates the user via the + LUKS partition password. Benefits: strong per-user security, compatibility + with stateless/read-only/verity-enabled root. (other idea: do this based on + loopback files in /home, without GPT involvement) + +* gpt-auto logic: introduce support for discovering /var matching an image. For + that, use a partition type UUID that is hashed from the OS name (as encoded + in /etc/os-release), the architecture, and 4 new bits from the gpt flags + field of the root partition. This way can easily support multiple OS + installations on the same GPT partition table, without problems with + unmatched /var partitions. + +* gpt-auto logic: related to the above, maybe support a "secondary" root + partition, that is mounted to / and is writable, and where the actual root's + /usr is mounted into. + +* machined: add apis to query /etc/machine-info data of a container + +* .mount and .swap units: add Format=yes|no option that formats the partition before mounting/enabling it, implicitly + +* gpt-auto logic: support encrypted swap, add kernel cmdline option to force it, and honour a gpt bit about it, plus maybe a configuration file + +* drop nss-myhostname in favour of nss-resolve? + +* drop internal dlopen() based nss-dns fallback in nss-resolve, and rely on the + external nsswitch.conf based one + +* add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and + then use that for the setting used in user@.service. It should be understood + relative to the configured default value. + +* on cgroupsv2 add DelegateControllers=, to pick the precise cgroup controllers to delegate + +* in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us -* make sure bash completion uses journalctl --fields to get fields list +* enable LockMLOCK to take a percentage value relative to physical memory -* use phyical_memory() to allow MemoryLimit= configuration based on available system memory +* switch to ProtectSystem=strict for all our long-running services where that's possible + +* Permit masking specific netlink APIs with RestrictAddressFamily= + +* nspawn: start UID allocation loop from hash of container name + +* nspawn: support that /proc, /sys/, /dev are pre-mounted + +* define gpt header bits to select volatility mode * ProtectKernelLogs= (drops CAP_SYSLOG, add seccomp for syslog() syscall, and DeviceAllow to /dev/kmsg) in service files * ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc -* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave) +* ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away) -* ProtectDevices= should also take iopl/ioperm/pciaccess away +* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave) * ProtectKeyRing= to take keyring calls away -* RestrictNamespaces= or so in services (taking away the ability to create namespaces, with setns, unshare, clone) +* RemoveKeyRing= to remove all keyring entries of the specified user + +* ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill + on PID 1 with the relevant signals, and makes relevant files in /sys and + /proc (such as the sysrq stuff) unavailable -* IAID field must move from [Link] to [DHCP] section in .network files +* DeviceAllow= should also generate seccomp filters for mknod() + +* Add DataDirectory=, CacheDirectory= and LogDirectory= to match + RuntimeDirectory=, and create it as necessary when starting a service, owned by the right user. * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things * journalctl: make sure -f ends when the container indicated by -M terminates +* mount: automatically search for "main" partition of an image has multiple + partitions + +* expose the "privileged" flag of ExecCommand on the bus, and open it up to + transient units + +* in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set, + find a way to map the User=/Group= of the service to the right name. This way + a user/group for a service only has to exist on the host for the right + mapping to work. + +* allow attaching additional journald log fields to cgroups + +* add bus API for creating unit files in /etc, reusing the code for transient units + +* add bus API to remove unit files from /etc + +* add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only) + * rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the kernel doesn't support linkat() that replaces existing files, currently) @@ -63,19 +193,12 @@ Features: * transient units: don't bother with actually setting unit properties, we reload the unit file anyway -* make sure resolved can be restarted without losing pushed-in dns config - * journald: sigbus API via a signal-handler safe function that people may call from the SIGBUS handler -* when using UTF8, ellipsize with "…" rather than "...", so that we can show more contents before truncating - -* move specifier expansion from service_spawn() into load-fragment.c - * optionally, also require WATCHDOG=1 notifications during service start-up and shutdown -* resolved: maybe, after all, implement local listening for DNS packets on port - 127.0.0.53:53. +* resolved: when routing queries, make sure only look for the *longest* suffix... * delay activation of logind until somebody logs in, or when /dev/tty0 pulls it in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle @@ -84,8 +207,6 @@ Features: * add systemctl stop --job-mode=triggering that follows TRIGGERED_BY deps and adds them to the same transaction -* Maybe add a way how users can "pin" units into memory, so that they are not subject to automatic GC? - * PID1: find a way how we can reload unit file configuration for specific units only, without reloading the whole of systemd @@ -101,8 +222,6 @@ Features: * PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn) -* consider throwing a warning if a service declares it wants to be "Before=" a .device unit. - * there's probably something wrong with having user mounts below /sys, as we have for debugfs. for exmaple, src/core/mount.c handles mounts prefixed with /sys generally special. @@ -110,14 +229,12 @@ Features: * man: document that unless you use StandardError=null the shell >/dev/stderr won't work in shell scripts in services -* install: include generator dirs in unit file search paths - * fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline * docs: bring http://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date * mounting and unmounting mount points manually with different source - devices will result in collected collected on all devices used. + devices will result in collected on all devices used. http://lists.freedesktop.org/archives/systemd-devel/2015-April/030225.html * add a job mode that will fail if a transaction would mean stopping @@ -142,7 +259,7 @@ Features: * implement a per-service firewall based on net_cls * Port various tools to make use of verbs.[ch], where applicable: busctl, - bootctl, coredumpctl, hostnamectl, localectl, systemd-analyze, timedatectl + coredumpctl, hostnamectl, localectl, systemd-analyze, timedatectl * hostnamectl: show root image uuid @@ -159,7 +276,7 @@ Features: * synchronize console access with BSD locks: http://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html -* as soon as we have kdbus, and sender timestamps, revisit coalescing multiple parallel daemon reloads: +* as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads: http://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html * in systemctl list-unit-files: show the install value the presets would suggest for a service in a third column @@ -192,19 +309,13 @@ Features: * systemctl: if some operation fails, show log output? -* systemctl edit: -- allow creation of units from scratch -- use equvalent of cat() to insert existing config as a comment, prepended with #. +* systemctl edit: use equvalent of cat() to insert existing config as a comment, prepended with #. Upon editor exit, lines with one # are removed, lines with two # are left with one #, etc. * exponential backoff in timesyncd when we cannot reach a server * timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM -* extract_many_words() should probably be used by a lot of code that - currently uses FOREACH_WORD and friends. For example, most conf - parsing callbacks should use it. - * merge ~/.local/share and ~/.local/lib into one similar /usr/lib and /usr/share.... * systemd.show_status= should probably have a mode where only failed @@ -222,8 +333,8 @@ Features: - resolved should optionally register additional per-interface LLMNR names, so that for the container case we can establish the same name (maybe "host") for referencing the server, everywhere. - - enable DNSSEC by default - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?) + - hook up resolved with machined-based address resolution * refcounting in sd-resolve is borked @@ -233,7 +344,6 @@ Features: * support empty /etc boots nicely: - nspawn/gpt-generator: introduce new gpt partition type for /usr - - fstab-generator: support systemd.volatile=yes|no|state on the kernel cmdline, too, similar to nspawn's --volatile= * generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them. @@ -246,12 +356,9 @@ Features: * For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services they run added to the initial transaction and thus confuse Type=idle. -* Run most system services with cgroupfs read-only and procfs with a more secure mode (doesn't work, since the hidepid= option is per-pid-namespace, not per-mount) - * add bus api to query unit file's X fields. * gpt-auto-generator: - - Support LUKS for root devices - Define new partition type for encrypted swap? Support probed LUKS for encrypted swap? - Make /home automount rather than mount? @@ -261,9 +368,6 @@ Features: * MessageQueueMessageSize= (and suchlike) should use parse_iec_size(). -* "busctl status" works only as root on dbus1, since we cannot read - /proc/$PID/exe - * implement Distribute= in socket units to allow running multiple service instances processing the listening socket, and open this up for ReusePort= @@ -274,8 +378,6 @@ Features: and passes this back to PID1 via SCM_RIGHTS. This also could be used to allow Chown/chgrp on sockets without requiring NSS in PID 1. -* New service property: maximum CPU runtime for a service - * introduce bus call FreezeUnit(s, b), as well as "systemctl freeze $UNIT" and "systemctl thaw $UNIT" as wrappers around this. The calls should SIGSTOP all unit processes in a loop until all processes of @@ -312,11 +414,7 @@ Features: error. Currently, we just ignore it and read the unit from the search path anyway. -* refuse boot if /etc/os-release is missing or /etc/machine-id cannot be set up - -* btrfs raid assembly: some .device jobs stay stuck in the queue - -* make sure gdm does not use multi-user-x but the new default X configuration file, and then remove multi-user-x from systemd +* refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up * man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted. @@ -465,7 +563,6 @@ Features: message that works, but alraedy after a short tiemout - check if we can make journalctl by default use --follow mode inside of less if called without args? - maybe add API to send pairs of iovecs via sd_journal_send - - journal: when writing journal auto-rotate if time jumps backwards - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access - journactl: support negative filtering, i.e. FOOBAR!="waldo", and !FOOBAR for events without FOOBAR. @@ -536,7 +633,6 @@ Features: - man: maybe sort directives in man pages, and take sections from --help and apply them to man too * systemctl: - - systemctl list-jobs - show dependencies - add systemctl switch to dump transaction without executing it - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done - "systemctl disable" on a static unit prints no message and does @@ -547,7 +643,7 @@ Features: - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards? - systemctl: "Journal has been rotated since unit was started." message is misleading - better error message if you run systemctl without systemd running - - systemctl status output should should include list of triggering units and their status + - systemctl status output should include list of triggering units and their status * unit install: - "systemctl mask" should find all names by which a unit is accessible @@ -557,8 +653,6 @@ Features: - timer units should get the ability to trigger when: o CLOCK_REALTIME makes jumps (TFD_TIMER_CANCEL_ON_SET) o DST changes - - Support 2012-02~4 as syntax for specifying the fourth to last day of the month. - - calendarspec: support value ranges with ".." notation. Example: 2013-4..8-1 - Modulate timer frequency based on battery state * add libsystemd-password or so to query passwords during boot using the password agent logic @@ -567,18 +661,13 @@ Features: * on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?), get rid of systemd-update-utmp-runlevel -* make repeated alt-ctrl-del presses printing a dump, or even force a reboot without - waiting for the timeout +* make repeated alt-ctrl-del presses printing a dump * hostnamed: before returning information from /etc/machine-info.conf check the modification data and reread. Similar for localed, ... * currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not * nspawn: - - to allow "linking" of nspawn containers, extend --network-bridge= so - that it can dynamically create bridge interfaces that are refcounted - by the containers on them. For each group of containers to link together - - nspawn -x should support ephemeral instances of gpt images - emulate /dev/kmsg using CUSE and turn off the syslog syscall with seccomp. That should provide us with a useful log buffer that systemd can log to during early boot, and disconnect container logs @@ -586,8 +675,6 @@ Features: - as soon as networkd has a bus interface, hook up --network-interface=, --network-bridge= with networkd, to trigger netdev creation should an interface be missing - - don't copy /etc/resolv.conf from host into container unless we are in - shared-network mode - a nice way to boot up without machine id set, so that it is set at boot automatically for supporting --ephemeral. Maybe hash the host machine id together with the machine name to generate the machine id for the container @@ -603,9 +690,11 @@ Features: - maybe make copying of /etc/resolv.conf optional, and skip it if --read-only is used +* dissect + - refuse mounting over a mount point + - automatically discover .roothash files in dissect, similarly to nspawn + * machined: - - "machinectl list" should probably show columns for OS version and IP - addresses - add an API so that libvirt-lxc can inform us about network interfaces being removed or added to an existing machine - "machinectl migrate" or similar to copy a container from or to a @@ -655,7 +744,7 @@ Features: * coredump: - save coredump in Windows/Mozilla minidump format - - move PID 1 segfaults to /var/lib/systemd/coredump? + - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps * support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting) @@ -719,10 +808,8 @@ Features: - maybe introduce WantsMountsFor=? Usecase: http://lists.freedesktop.org/archives/systemd-devel/2015-January/027729.html - recreate systemd's D-Bus private socket file on SIGUSR2 - - GC unreferenced jobs (such as .device jobs) - move PAM code into its own binary - when we automatically restart a service, ensure we restart its rdeps, too. - - for services: do not set $HOME in services unless requested - hide PAM options in fragment parser when compile time disabled - Support --test based on current system state - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle(). @@ -772,7 +859,6 @@ Features: - add reduced [Link] support to .network files - add Scope= parsing option for [Network] - properly handle routerless dhcp leases - - add more attribute support for SIT tunnel - work with non-Ethernet devices - add support for more bond options - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from? @@ -789,7 +875,6 @@ Features: support Name=foo*|bar*|baz ? - duplicate address check for static IPs (like ARPCHECK in network-scripts) - allow DUID/IAID to be customized, see issue #394. - - support configuration option for TSO (tcp segmentation offload) - whenever uplink info changes, make DHCP server send out FORCERENEW * networkd-wait-online: @@ -811,6 +896,7 @@ Features: or interface down - some servers don't do rapid commit without a filled in IA_NA, verify this behavior + - RouteTable= ? External: