Lines Matching refs:of

28           thus the usual procedure of adding a new set of methods was skipped,
30 nobody can be affected given the current state of this interface.
37 historically been a source of bugs. Furthermore, kernels ≥5.6 provide
41 of RDRAND has been removed. x86 systems ≥Broadwell that are running
47 rather than PCR 8. This improves usefulness of the measurements on
60 of pcap.
99 make the OS images independent of any machine ID, and ensure that the
101 but on the other hand means that multiple parallel installations of
107 value of the IMAGE_ID= or ID= field of /etc/os-release or another
112 that disambiguates the format of the entries in the /loader/entries/
113 directory (in order to discern them from incompatible uses of this
129 drop files there instead of writing them directly to the final
134 to override the sorting order of the entries in the boot menu. It is
136 with the default value of IMAGE_ID= or ID= fields from
140 * The sort order of boot entries has been updated: entries which have
143 version so that newest entries are towards the beginning of the list.
155 ID as selected via --entry-token= described above. The old name of
167 of activated home directories it manages (if the kernel and selected
171 is mapped almost fully, with the exception of the UID subrange used
188 context of the local system.
207 * The <version> tag used in the name of libsystemd-shared.so and
209 'shared-lib-tag'. Distributions may build subsequent versions of the
211 thus allowing multiple installations of those shared libraries to be
214 they were installed earlier or later than the appropriate version of
219 format instead of simple series of hex characters.
229 change events: the call checks internally whether the major/minor of
230 the device node and the "diskseq" (in case of block devices) match
236 * A new set of service monitor environment variables will be passed to
245 ExtensionImages=, but takes paths to directories, instead of
259 of 'oom-kill'. The number of times a service was killed is tallied
272 The new %d specifier resolves to the credentials directory of a
295 * PID 1 gained support for configuring the "pre-timeout" of watchdog
317 * Generators invoked by PID 1 will now have a couple of useful
325 detected and which type of hypervisor/container
338 picked up automatically. Automatic importing of system credentials
358 * The journal JSON export format has been added to the list of stable
395 an implementation of https://systemd.io/BLOCK_DEVICE_LOCKING and
398 * udevadm info will show a couple of additional device fields in its
399 output, and will not apply a limited set of coloring to line types.
401 * udevadm info --tree will now show a tree of objects (i.e. devices and
404 * Block devices will now get a new set of device symlinks in
409 diskseq value. To be safe against races, the actual diskseq value of
426 "ip route" command. The manual configuration of [Route] Scope= is
446 address, the name of a local interface which must have the specified
454 Local= setting in .netdev files of corresponding L2TP interface.
470 enter a PIN when using TPM-based unlocking of a volume via the new
480 systemd-cryptenroll allowing selection of the credential algorithm to
495 firmware version of the system.
505 * The userdbctl tool will now show UID range information as part of the
506 list of known users.
510 invocations (instead of the default /bin/bash).
608 available), or the combination of both (by default if a TPM2 chip
626 of architectures systemd supports. This includes platforms that do
633 a new set of partitions that may carry PKCS#7 signatures for Verity
636 can be tested against a set of cryptographic certificates. This is
653 is for: one of "initrd", "system" or "portable". This is useful to
663 This allows systemd-nspawn to boot images of non-native architectures
671 on devices that only have hardware for a subset of these keys. By
686 * The service manager will now re-execute on reception of the
693 with the default timeout configured in the hardware, instead of
712 This is based on the new BPF LSM of the Linux kernel. It provides an
725 only. This is useful to improve boot-time behavior of the system and
736 * A new per-unit set of conditions/asserts
743 * The combination of ProcSubset=pid and ProtectKernelTunables=yes and/or
746 * The default maximum numbers of inodes have been raised from 64k to 1M
762 * The syntax of the service unit settings RuntimeDirectory=,
771 configuring rows/columns of the TTY device passed to
772 stdin/stdout/stderr of the service. This is useful to propagate TTY
777 only watches the main process of a service. By setting
785 * "Urlification" (generation of ESC sequences that generate clickable
792 trying to trigger a service that is skipped because of a Condition*=
793 not being satisfied. This matches the configuration and behaviour of
804 policies reliable, but of course do not provide the same level of
813 encrypted volumes that allows configuration of the maximum time to
821 with dm-integrity instead of dm-crypt/dm-verity.
825 the partition backing the /usr/ file system. A matching set of
831 return the DISKSEQ property of a device structure. The "disk
833 kernel that allows detecting reuse cycles of block devices, i.e. can
839 is automatically updated to the newest version when out of date. This
844 working with recent versions of Shim that require it to be present.
853 entails is up for the implementer to decide, the primary goal of the
859 time is noticed to be more than the specified time ahead of the
860 built-in epoch of systemd (which by default is the release timestamp
861 of systemd) it is assumed that the RTC is not working correctly, and
873 * systemd-analyze verify gained support for a pair of new --image= +
875 directory/image instead of on the host.
878 an explicitly specified unit name, independently of what the filename
886 analyzing unit files stored on disk instead of loaded units. It may
895 analysis and enforcement of security policies on unit files.
905 services, since a lot of the security-related settings are enabled
918 IP addresses outside of the configured IP pool range for the server.
922 control modes. It gained a number of further settings for tweaking
936 * The [IPv6AcceptRA] section of .network files gained support for a new
955 * The [IPv6AcceptRA] section of .network files now understands two new
975 * The [RoutingPolicyRule] section of .network file gained a new
978 * The IgnoreCarrierLoss= setting in the [Network] section of .network
982 * The [DHCPServer] section of .network file gained a new Router=
985 * The [CAKE] section of .network files gained various new settings
996 * systemd-networkd's handling of Endpoint= resolution for WireGuard
1021 * systemd-udevd's .link files may now configure a large variety of
1030 a '=' character and a value) the current value of the environment
1032 lookup the current value of $FOO in the environment, and pass it down
1037 to optionally suppress the effect of the sync()/fsync()/fdatasync()
1075 placed in the /EFI/systemd/drivers/ subdirectory of the EFI System
1080 * systemd-boot will now paint the input cursor on its own instead of
1086 itself may be used in place of a Type #2 Unified Kernel. This is
1099 * sd-stub (the EFI stub that can be glued in front of a Linux kernel)
1103 of the initrd environment. This is useful to implement trusted initrd
1109 specific to a single boot entry), or in one of the shared directories
1122 may be used to set the boot menu time-out of the boot loader (for all
1144 "frozen" upon first use and becomes independent of the actual
1160 assume the wrong layout. A particular example of how this may happen
1171 extension release file, it is accepted regardless of its name. This
1176 testing the built-in with the specified action (in place of the
1180 specific udev properties/values instead of all.
1183 types of signal analyzers (protocol analyzers, logic analyzers,
1188 about types of cameras (regular or infrared), and in which direction
1200 and similar which want to pin the schemes of certain distribution
1216 Journal files instead of just the local ones.
1219 directly linking, allowing users to easily opt-out of backtrace/metadata
1220 analysis of core files, and reduce image sizes when this is not needed.
1235 reduce the chance of accidental file system corruption in that case.
1241 * systemd-homed now makes use of UID mapped mounts for the home areas.
1246 mount logic of recent kernels. This makes migrating home areas
1252 a subdirectory of a CIFS share, instead of the top-level directory.
1265 * Additional mount options to use when mounting the file system of
1288 controlled via the new --auto-resize-mode= setting of homectl.
1313 configuration of a single command to invoke, this maybe used to
1319 instead of a path in the file system for referencing the inode to
1338 later, similarly to normal mount units that are part of
1346 example useful to turn off gettys inside of containers or similar
1367 OpenSSL instead of libgcrypt.
1384 regardless of configuration when its unit is restarted.
1393 filesystems that support COW. One benefit of this change is that
1405 * More of sd-journal's functions are now resistant against journal file
1413 this repository. It also contains the text of all applicable
1467 * When operating on disk images via the --image= switch of various
1483 there is one). This permits easy configuration of user passwords
1490 doesn't set any passwords as effect of the command line above if the
1496 used to initialize important system parameters on first boot of
1508 of the same name for systemd-tmpfiles, systemd-firstboot, and
1535 Flags=, a ReadOnly= and a NoAuto= setting, allowing control of these
1550 images when setting up the root filesystem of the service.
1569 * The "net_id" built-in of udev has been updated with three
1583 The new version of the net naming scheme is "v249". The previous
1603 logic has been updated to make use of this concept if available to
1618 of alternative client libraries. This documentation makes the support
1631 to the default NTA list of resolved, since DNSSEC is generally not
1634 * The CPUAffinity= setting of unit files now resolves "%" specifiers.
1673 new special value "none". If specified sockets of all address
1684 * The [Address] section of .network files now accepts a new
1686 the prefix route created as effect of the address configuration.
1688 gained matching settings for their prefix routes. (The option of the
1699 layer 3 network interfaces work out-of-the-box with systemd-networkd.
1712 of systemd-nspawn or other tools; and as opposed to explicit mounting
1714 automatically grown to the full size of the partition. If the file
1734 * A pair of service settings SocketBindAllow= + SocketBindDeny= have
1752 serialization of the host data it exposes. This is exposed via
1771 * The LogLevelMax= setting of unit files now applies not only to log
1797 systemd-homed has been updated to allow explicit configuration of the
1807 identity mapping of 65535 UIDs. This means the container UID 0 is
1814 more generic --private-user-ownership= switch that accepts one of
1816 and "off" is equivalent to the absence of the old switch. The value
1817 "map" uses the new UID mapping mounts of Linux 5.12 to map ownership
1818 of files and directories of the underlying image to the chosen UID
1822 instead of the old --private-user-chown. Effectively this means: if
1825 UID mapping mounts instead of recursive chown()ing, since it allows
1826 running containers off immutable images (since no modifications of
1831 finally, the last major drawback of user namespacing has been
1868 --merge, --file= that are equivalent to the same switches of
1869 journalctl, and permit exposing only the specified subset of the
1874 be configured directly it's only created as effect of an OnFailure=
1878 units that are members of a slice.
1880 * A pair of new dependency types between units PropagatesStopTo= +
1881 StopPropagatedFrom= has been added, that allows propagation of unit
1887 exists only as effect of the reverse OnSuccess=). It is similar to
1889 cleanly. This allows "chaining up" of services where one or more
1894 only as effect of Upholds=). This dependency type is a stronger form
1895 of Wants=: if a unit has an Upholds= dependency on some other unit
1909 * The --echo switch of systemd-ask-password now optionally takes a
1915 suppressing output of a trailing newline character when writing the
1919 * New documentation has been added that describes the organization of
1928 RequiredBy= settings of the [Install] section of another template
1932 or the slice(s) it is part of, have a memory limit set via MemoryMax=/
1937 placed on itself or one of the slices it runs under, if the storage
1946 of a path matches the configured expectations, and remove it if not.
1949 specify which of the several available filesystem timestamps (access
1958 UplinkInterface= setting that permits configuration of the uplink
1961 * The WakeOnLan= setting in .link files now accepts a list of flags
1962 instead of a single one, to configure multiple wake-on-LAN policies.
1984 source of rfkill event on newer HP laptops. To have both backward and
2024 * A concept of system extension images is introduced. Such images may
2029 with the file system hierarchy of the host OS.
2044 file hierarchy of specific services, following the same rules and
2062 allows the implementation of a service to provide key information
2076 intended to allow customization by different variants of a
2079 * The environment block of the manager itself may be configured through
2085 * systemd-hostnamed now exports the default hostname and the source of
2091 pair of cleaned up, human readable strings describing the system's
2124 request synchronous processing of encryption/decryption IO.
2127 instead of the execve() system call when spawning processes. Using
2128 fexecve() closes a window between checking the security context of an
2156 * The tables of system calls in seccomp filters are now automatically
2174 mount namespace of a service (without restarting it). This is exposed
2182 noexec for parts of the file system.
2185 connection to the session bus of a specific user in a local container
2191 This will connect to the user bus of a user "lennart" in container
2198 simplify invocations of sd_bus_send(), taking only a single
2209 number of TX and RX queues to be configured.
2211 New [Link] TransmitQueueLength= setting allows the size of the TX
2216 the number of segments accepted in Generic Segment Offload.
2221 "batadv" netdev Type=, a new [BatmanAdvanced] section with a bunch of
2229 configuration switch (one of "blackhole", "unreachable", "prohibit").
2244 allows configuring how the UP state of an interface shall be managed,
2276 * The hardware database has been extended with a list of fingerprint
2301 effected was encrypted or not. Moreover the tool acquired a number of
2353 without any arguments (i.e. to import the full environment block of
2355 shell, which means that it'll inherit a bunch of variables which are
2357 to, and don't have any meaning in the global context of the system or
2362 directly calling the D-Bus API of the manager, should also push
2366 choice of Unicode characters: units in maintenance show a "○" symbol
2367 instead of the usual "●", failed units show "×", and services being
2387 * less 568 or newer is now required for the auto-paging logic of the
2389 used even if a pager is used, and older versions of less are not able
2405 keymap in advance of it being installed. It is necessary to install
2411 for partitions, as in the vast majority of cases they contain none
2415 spawned processes to the PID of the process itself. This may be used
2423 object from stat(2) data of a device node, and sd_device_trigger() to
2424 write to the 'uevent' attribute of a device.
2430 * Units acquired a new property "Markers" that takes a list of zero,
2431 one or two of the following strings: "needs-reload" and
2439 * The sd_bus_message_read_strv() API call of sd-bus may now also be
2440 used to parse arrays of D-Bus signatures and D-Bus paths, in addition
2449 even if the root fs of the system is not itself a btrfs volume.
2459 * Intel SGX enclave device nodes (which expose a security feature of
2507 and propagate these new event types. The introduction of these new
2510 number of issues which we so far didn't address. We hoped the kernel
2516 is not fault of systemd or udev, but caused by an incompatible kernel
2531 tied to a *device* instead of a device *event* — unlike for example
2539 originating from earlier uevents/database updates of the same
2570 effect of "unbind" is not generically defined, devices should be
2585 this is not caused by systemd/udev changes, but result of a kernel
2598 majority of udev rule files known to us currently get this right,
2611 accumulate the correct and complete set of udev properties. udev rule
2623 latter it takes precedence over the former, similar to how most of
2630 packages' vendor versions of their PAM stack definitions from
2637 dlopen(): instead of regular dynamic library dependencies declared in
2642 distributions, as it allows minimizing the list of dependencies the
2643 systemd packages pull in, permitting building of more minimal OS
2644 images, while still making use of these "weak" dependencies should
2664 exiting the event loop (unlike the default behaviour of just
2673 a signed integer — as exit code of the event loop. Previously this
2680 tweaking the mount options for any file system mounted as effect of
2706 when operating on OS trees that do not have any of these four runtime
2712 but takes a disk image instead of a directory as argument. The
2725 of terminal colors when run on a suitable terminal, similarly to the
2735 moved to /usr/bin/, reflecting its updated status of an officially
2737 --mkdir switch which when combined with --mount has the effect of
2740 copying files and directories in and out of an OS image without the
2792 of all relevant types which may be used by the container payload as
2809 a sd_bus_error struct and a list of error names, and checks if the
2810 error matches one of these names. It's a convenience wrapper that is
2816 * Behaviour of system call filter allow lists has changed slightly:
2822 chance of triggering the right fallback code paths in client
2826 at the bottom of the output: system calls known during systemd build
2827 time but not included in any of the filter groups shown above, and
2842 added that expose the hidepid= and subset= mount options of procfs.
2843 All processes of the unit will only see processes in /proc that are
2868 sets a credential to the contents of a file (or data read from a
2915 modified to use this new interface instead of D-Bus. Using Varlink
2940 off the derivation of an implicit search domain by nss-dns for the
2945 * systemd-tmpfiles' file "aging" logic (i.e. the automatic clean-up of
2947 "birth" time (btime) of a file in addition to the atime, mtime, and
2964 of a song or film), but is now primarily used in various embedded
2981 configuring the multicast membership entries of bridge devices in the
3009 * VXLAN tunnels may now be marked as independent of any underlying
3015 adjust the log level and target. All of systemd's long-running
3026 list of system calls that shall be logged about (audit).
3036 * In the final phase of shutdown, within the systemd-shutdown binary
3041 storage volumes during regular shutdown already (or in case of
3068 contention for selected parts of the unit hierarchy using the PSI
3083 at runtime, instead of using the built-in values selected during
3085 old systems. It's strongly recommended not to make use of this
3088 detail of the OS, and permits avoidable differences in deployments
3089 that create all kinds of problems in the long run.
3103 parameter of the luks.options= kernel command line option. The same
3107 * The "net_id" built-in of udev has been updated to ignore ACPI _SUN
3109 where the _SUN index is associated with the bridge instead of the
3132 special strings "@default", "@oneshot", "@current" in place of a boot
3142 session.slice (units that form the core of graphical session),
3204 KillMode=none, as this is generally an unsafe thing to make use of.
3212 * Another pair of new settings ConditionEnvironment=/AssertEnvironment=
3215 container manager (or from PAM in case of the systemd --user
3219 allows configuration of the memory sections coredumps of the
3241 the verity data of the disk image supplied in --image=, if the image
3245 either a base64 encoded PKCS#7 signature of the root hash specified
3247 allows validation of the root hash against public keys available in
3279 the "short" hostname of the system, i.e. the hostname configured in
3295 of the "nobody" user is to own all files whose owner cannot be mapped
3302 and others) now have a size and inode limits applied (50% of RAM for
3303 /tmp and /dev/shm, 10% of RAM for other mounts, etc.). Please note
3307 * nss-mymachines lost support for resolution of users and groups, and
3308 now only does resolution of hostnames. This functionality is now
3321 on disk. Use "blockdev --setrw" to undo the effect of this, per
3325 added, which may be used to turn off automatic activation of swap
3330 result of the ConditionNeedsUpdate= and ConditionFirstBoot=
3340 the core file, systemd-coredump will use the effective uid and gid of
3347 * We provide a set of udev rules to enable auto-suspend on PCI and USB
3349 was distributed as a set of udev rules, but has now been replaced by
3350 a set of hwdb entries (and a much shorter udev rule to take action
3351 if the device modalias matches one of the new hwdb entries).
3384 SubnetID= allows explicit configuration of the preferred subnet that
3422 which may be used to turn off use of the gateway information provided
3427 setting SendVendorOption= allowing configuration of additional vendor
3434 * systemd-networkd's [DHCPServer] section gained a new set of options
3445 VLANProtocol= in the [Bridge] section that allows configuration of
3449 of the .network files, to control the link group.
3474 will now show numerous additional fields of information about an
3481 the specified hostname. Additionally, in case of IPv6 addresses, an
3490 * systemd-nspawn's --resolv-conf= switch gained a number of new
3494 propagate other flavours of resolv.conf into the container (as
3510 being deprecated in favor of this option.
3516 * systemd-journald gained support for zstd compression of large fields
3541 because the PID of the sender changed this is indicated in the
3545 fields specified with --output-fields= instead of unconditionally
3546 MESSAGE=. This is useful to retrieve a very specific set of fields
3570 systemd-notify process' PID, or the one of the process invoking it.
3573 SetType() for temporarily updating the session type of an already
3586 instead of operating on actual block devices.
3592 instead of 0.
3604 now default to the directory or subvolume backends instead of the
3619 unlocking the home directory. If "list" is specified a brief table of
3638 instead of at installation time.
3643 /run/cryptsetup-keys.d/<volume>.key, if any of these files exist.
3655 started automatically as part of the desktop session.
3661 be used to initialize the /etc/kernel/cmdline file of the image. It
3686 now make use of this call implicitly, but this can be turned off again
3690 track of, using the sd_notify() mechanism, a new parameter FDPOLL=0
3702 * The sd-bus API gained a number of convenience functions that take
3725 * Various D-Bus APIs of systemd daemons now have man pages that
3731 documentation regarding integration of homed/userdb functionality in
3744 has been extended by a set of environment variables that expose
3753 target of the service during runtime.
3756 dropped from version control. Please create a symlink to one of the
3804 Specifically, a set of partitions that must or may exist can be
3811 form, that on first boot are grown to the size of the underlying
3832 parameters that shall be applied to processes and sessions of the
3851 and other storage schemes are also supported. This solves a couple of
3853 particular when it comes to encryption. For further discussion of
3854 this, see the video of Lennart's talk at AllSystemsGo! 2019:
3866 log 'namespace' (whose name is specified via the instance part of the
3871 performance and increase isolation of applications, at the price of
3872 losing global message ordering. Each instance of journald has a
3873 separate set of configuration files, with possibly different disk
3878 sd_journal_open_namespace() for opening the log stream of a specific
3880 idle, which is useful in the context of log namespaces, as this means
3892 the presence of the /etc/initrd-release file.
3905 "quiet" has been changed to imply that instead of
3911 instead of PID numbers, which fixes a number of races and makes
3912 process supervision more robust and efficient. All of systemd's
3914 watching, with the exception of PID 1 itself, unfortunately. We hope
3944 * The PrefixRoute= setting in systemd-networkd's [Address] section of
3948 * The Gateway= setting of [Route] sections of .network files gained
3953 for the [RoutingPolicyRule] section of .network files to configure
3956 * The Type= match property of .link files has been generalized to
3966 in sd-bus vtables, causing any incoming and outgoing messages of
3970 contents of a message (or parts thereof) to standard output for
3987 encryption of volumes to YubiKeys. This is exposed in the new
3992 that the specified mount shall be pulled in by, in place of
3996 populated with most of the documentation included in the systemd
4006 AlternativeNamesPolicy= settings. Other components of systemd have
4009 alternative interface names for the host-facing side of container
4023 systemd --user per-user instance of the service manager.
4034 resolving a number of well-known UUIDs/128bit IDs, currently mostly
4058 * The [Match] section of .link and .network files now supports a new
4060 permanent MAC address of a network device even if a randomized MAC
4072 * systemd-logind will now validate access to the operation of changing
4085 fixed, which in turn exposed bugs in unit configuration of services
4159 * Unit files now support top level dropin directories of the form
4173 of the PAM session, for example for time-limited logins.
4181 exit timeout of 30s was too short for some large installations, where
4193 This replaces the externally maintained allow lists of all known
4206 use the CDROM cannot gain access to it, but carries a risk of
4211 addressing anymore. The creation of the route was unexpected and was
4264 * .network files may now match on SSID and BSSID of a wireless network,
4291 of the present time.
4299 * The default value of the WatchdogSec= setting used in systemd
4320 with the API of the same name in libc, which is not affected), the
4356 by turning on the "net.ipv4.ping_group_range" sysctl of the Linux
4364 effect that any calling of an offending system call would terminate
4366 killing individual threads of unsuspecting processes is likely to
4375 of being killed when calling an offending system call). Note that
4390 the maximum number of allowed concurrent tasks was previously bounded
4400 subtree of the unit hierarchy.
4402 * Memory protection directives can now take a value of zero, allowing
4403 explicit opting out of a default value propagated by an ancestor.
4435 * The D-Bus "wire format" of the CPUAffinity= attribute is changed on
4443 "systemd-analyze dump" is changed to present CPU indices instead of
4458 - either define a new unit and make it a dependency of final.target
4499 IPEgressFilterPath= which allow configuration of a BPF program
4501 to apply to the IP packet ingress/egress path of all processes of a
4506 runtime or logs directories of a service while it is terminated. The
4510 * During the last phase of shutdown systemd will now automatically
4518 * If processes terminated during the last phase of shutdown do not exit
4556 * systemd-networkd's bridge FDB support now allows configuration of a
4562 option for configuring the maximum number of DHCP lease requests. It
4616 SpeedMeterIntervalSec=, to measure bitrate of network interfaces. The
4631 been renamed to LinkLayerAddress=, and it now allows configuration of
4634 * systemd-networkd's handling of the kernel's disable_ipv6 sysctl is
4639 * The order of entries in $PATH used by the user manager instance was
4650 detailed configuration of the IP configuration to keep in place.
4667 - "systemd-analyze unit-files" will print a list of all unit
4676 which may be used to securely change the brightness of a kernel
4703 * PID 1 may now show the unit name instead of the unit description
4725 before ExecStartPre= and either continue execution of the unit (for
4746 documentation first, since this comes with a couple of caveats.
4749 initialization of the kernel's entropy pool. Services that require
4797 * A new mailing list has been created for reporting of security issues:
4869 particular if it is part of local-fs.target, and any unit which
4876 configured with PIDFile= for processes of that service.
4899 created within the configured network namespace instead of the host
4929 jobs queued because of the requested operation is shown.
4932 (instead of 'degraded' or 'carrier') for interfaces which form a
4934 state used for the bond or bridge master interface when one of the
4948 for only one of the requested interfaces instead of all of them.
4970 contents of directory. This may be used to temporarily exclude
5005 features in the specification implemented, but since this a lot of
5011 --inaccessible=/Inaccessible= may be used to mask parts of the file
5022 --iterations= which may be used to show a maximum number of iterations
5039 * The behaviour of systemd-logind may now be modified with environment
5044 create a flag file in /run/systemd (when set to true), instead of
5046 of /run/systemd/reboot-to-firmware-setup,
5064 a different layout of the bootloader partitions (for example grub2).
5074 recommended after the first installation of systemd.
5077 is built on seccomp. When turned on creation of SUID/SGID files is
5085 unaffected. However, the security benefit of these two options is
5113 a suitable default will be selected automatically (one of C.UTF-8,
5163 security of most installations, it is technically a backwards
5174 parse backslashes inside quotes literally, matching the behaviour of
5238 target path of symlinks in .wants/ or .requires/ directories of other
5241 dependency of another unit, not honouring the priority of directories
5245 .wants/ or .requires/. The target paths of those symlinks are not
5251 and execve() of the main service binary to complete before proceeding
5253 propagates any errors in the preparation phase of service execution
5264 NOTE: with the next release 241 of systemd we intend to change the
5280 defaults and substantially increasing the number of simultaneous file
5286 failing abnormally when attempting to use it with select() (of
5291 kernels and allocating large numbers of them should be much cheaper
5293 want to take benefit of the increased limit have to "opt-in" into
5298 Which default hard limit is most appropriate is of course hard to
5305 allocations in these applications. Hopefully, the new default of 512K
5312 to the highest possible values, as separate accounting of file
5314 part of the memory accounting anyway. Thus, from the four limits on
5317 and keep only the latter two. A set of build-time options
5353 memory usage protection limit of processes invoked by the unit. This
5364 instance part of a unit name.
5382 new "append:…" parameters, for connecting STDOUT/STDERR of a service
5385 * The signal to use as last step of killing of unit processes is now
5389 Similarly, the signal used when aborting a program in case of a
5398 now also accept permille values with the '‰' suffix (instead of '%').
5400 * systemd-resolved may now optionally use OpenSSL instead of GnuTLS for
5416 should substantially reduce the amount of entropy systemd requests
5427 shuffling of flows. The tunnel logic gained a new
5441 medium, and referenced from /etc/crypttab by the UUID of the file
5449 service the executed processes will now receive a set of environment
5450 variables containing the full paths of these directories.
5514 group/GID of the service manager runs as, similar to the existing
5520 logs out. This is useful to speed up repetitive re-connections of the
5538 exiting of the service manager, and are only useful in systemd --user
5541 * Unit files gained support for a pair of options
5546 * A pair of LogRateLimitIntervalSec=/LogRateLimitBurst= per-service
5554 security and sand-boxing settings of services in order to determine an
5559 supported by the local kernel but not included in any of the defined
5585 the working directory of the service to start. A shortcut -d is
5586 equivalent, setting the working directory of the service to the
5587 current working directory of the invoking program. The new --shell
5588 (or just -S) option has been added for invoking the $SHELL of the
5627 pick a specific version of the naming scheme. This helps stabilizing
5638 newline separated lists of paths) in addition to the ones it already
5654 where mknod() is blocked through seccomp or absence of CAP_SYS_MKNOD)
5655 where device nodes cannot be created the effect of PrivateDevices= is
5746 SR-IOV virtual devices are now named based on the name of the parent
5747 interface, with a suffix of "v<N>", where <N> is the virtual device
5757 itself, but one of its parents does. Previously those devices were
5762 the unit. So, it is expected that the default behavior of
5801 which disabled sandboxing of systemd-udevd (specifically the
5815 of additional techniques for optimizing the initial latency caused by
5822 NOTE: This has a chance of breaking nss-ldap and similar NSS modules
5824 or related call: the dynamic allocation of the user ID for
5870 be used to turn off acquisition of new privileges system-wide
5885 * When hibernating, systemd will now inform the kernel of the image
5895 writing drop-ins easily that apply to a whole set of unit files at
5899 following a strict naming regime of beginning the unit file name with
5901 files to match this: %j and %J are replaced by the part of the unit
5910 * The ExecStart= lines of unit files are no longer required to
5926 to pick an alternative debugger instead of the default gdb.
5932 editor/viewer of your choice). Note that not all terminal emulators
5945 specific routes. It also gained support for configuration of the DHCP
5952 * networkd will now automatically make use of the kernel's route
5955 * udevd's .link files now support setting the number of receive and
5968 dump the contents of any configuration file, with all its matching
5972 system configuration file of systemd how it would be loaded by PID 1
5977 list of tmpfiles.d/ lines in place.
5979 * timedatectl gained three new verbs: "show" shows bus properties of
5981 synchronization state of systemd-timesyncd, and "show-timesync"
5982 shows bus properties of systemd-timesyncd.
5988 understood by systemd-timedated. It takes a colon-separated list of
5989 unit names of NTP client services. The list is used by
5999 affinity of the container payload. The new --resolv-conf= switch
6000 allows more detailed control of /etc/resolv.conf handling of the
6002 control of /etc/localtime handling of the container.
6005 list of all currently known VM and container environments.
6016 regular "short" mode, but displays the unit name instead of the
6027 * sd-bus gained a set of new calls:
6029 enable/disable the "floating" state of a bus slot object,
6090 primarily useful for services that do not use any of the other file
6141 that the negative impact of cgroup memory accounting on current
6145 other forms of resource accounting (CPU, IO, IP) remain off for now,
6155 from the upgrade scriptlets of individual packages now do nothing.
6157 once at the end of the transaction.
6169 disk (in case some of those files are owned by that user), while
6196 * The login shell of users created through sysusers.d may now be
6220 sd_bus_get_n_queued_write — may be used to check the number of
6227 systemd --user instance uses this call of the systemd --system
6234 * A new TemporaryFileSystem= setting can be used to mask out part of
6257 included separately in $PATH and various listings of executable
6259 the proper values of -Dsplit-usr= and -Dsplit-bin= based on build
6264 the colour of "OK" status messages.
6266 * UPGRADE ISSUE: serialization of units using JoinsNamespaceOf= with
6267 PrivateNetwork=yes was buggy in previous versions of systemd. This
6301 slightly: previously, if an argument was specified for lines of this
6308 lines of this type only have an effect if the indicated files don't
6314 automatic clean-up of directories like /tmp based on
6319 place. Please speak up now, if you are aware of software that requires
6339 and gid= mount options string of the file system to mount.
6366 systemd-resolved have been updated to make use of this
6375 described above. Synthesizing of this message has to be requested
6384 a signal match asynchronously. All of systemd's own services have
6385 been updated to make use of these calls. Doing these operations
6386 asynchronously has two benefits: it reduces the risk of deadlocks in
6387 case of cyclic dependencies between bus services, and it speeds up
6393 and sd_bus_add_match_async() but instead of taking a D-Bus match
6397 sd_bus_message_set_sender() for setting the sender name of outgoing
6405 used this refers to the default event loop object of the calling
6410 to the default bus of the specified type of the calling thread. Here
6416 automatic closure of the file descriptor an IO event source watches
6424 internally. In order to simplify distribution-wide renames of the
6427 /etc/systemd/dont-synthesize-nobody exists synthesizing of the 65534
6441 the current state of the service runtime watchdog, and optionally
6492 interpreted as the beginning of a specifier should be escaped by
6534 basic.target unit has been reached, instead of when the run queue ran
6556 set of journal fields to output in verbose and JSON output modes.
6559 RootDistanceMaxSec= for setting the maximum root distance of servers
6567 instead of doing it, and is currently supported by the shutdown and
6582 unit template name (i.e. a name in the form of 'foobar@.service',
6584 the escaped sysfs path of the device is automatically used as the
6592 now optionally takes a list of controllers (instead of a boolean, as
6598 process of the service may log at (i.e. anything with a lesser
6600 LogExtraFields= setting allows configuration of additional journal
6601 fields to attach to all log records generated by any of the unit's
6610 connect stdin/stdout/stderr of executed processes directly with a
6636 and outgoing interfaces of configured rules. systemd-networkd also
6646 store again, ahead of POLLHUP or POLLERR when they are removed
6651 requirements of systemd.
6670 * The systemd-resolve command line tool gained a new set of options
6711 communication with the outside. This generally improves security of
6725 from the user. Another option is to make use of glibc's nscd service
6730 implementation choices of nss-nis, i.e. whether it's a good idea
6746 which print the logging level and target of the system manager. They
6758 allows more detailed control of what to do with a runtime directory
6763 deeper subdirectories below /run or $XDG_RUNTIME_DIR, instead of just
6769 /var/lib, /var/cache, /var/log and /etc. By making use of them it is
6776 ConfigurationDirectoryMode= for configuring the access mode of these
6787 at a small price though: as much of the metadata is read
6791 out-of-date. Previously it could only be slightly newer than the log
6808 turning on a number of options suggested in RFC 7844. A new
6816 new Independent= boolean field for configuring tunnels independent of
6818 GroupForwardMask= option for configuration of propagation of link
6821 * The WakeOnLan= setting in .link files gained support for a number of
6831 implement a system call allow list instead of a deny list.
6837 services (for example to take benefit of dependency management,
6855 of systemd-nspawn (see above).
6872 locking down the chosen execution domain ("personality") of a service
6898 the service, and shown as part of "systemctl status" or "systemd-run
6902 IPAddressDeny=, taking a list of IPv4 or IPv6 addresses and masks,
6903 for configuring a simple IP access control list for all sockets of
6906 services as well as groups of services (as defined by a slice unit),
6909 of the service unit, and apply to ingress as well as egress traffic.
6913 containing information about the consumed resources of this
6923 operation was enqueued instead of waiting for the operation to
6938 /var/log/btmp with access mode 0660 instead of 0600. It was owned by
6940 that members of "utmp" can modify/flush the utmp/wtmp/lastlog/btmp
6983 our plan to remove Automake in one of our next releases, so that
6986 of documentation around how to use Meson, the extremely brief
7001 for conditionalizing units based on the identity of the user/group
7005 [VXLAN] section of .network files, as well as a Priority= in
7008 gained support for configuration of GENEVE links, and IPv6 address
7020 implementation of RA.
7034 * systemd-resolved may now optionally use libidn2 instead of the libidn
7039 * "machinectl pull-tar" and related call may now do verification of
7045 is va_list equivalent of sd_bus_message_append().
7062 other components may be required to make use of this (for example
7063 Xorg has code to listen for stops of systemd-logind and terminate
7066 counterproductive and must be reverted in order for restarts of
7080 will now use its value as the machine ID instead of the machine ID
7125 "hybrid" setup of /sys/fs/cgroup is now pretty much identical to
7129 /sys/fs/cgroup/unified. This should provide a large degree of
7130 compatibility with "legacy" cgroups-v1, while taking benefit of the
7131 better management capabilities of cgroups-v2.
7134 via a set of kernel command line parameters (specifically:
7149 * Note one current limitation of "unified" and "hybrid" control group
7154 work when invoked from outside of any "systemd --user" service or
7189 (D)ump, show the state of the unit
7192 (i)nfo, show a short summary of the unit
7203 * Services of Type=notify require a READY=1 notification to be sent
7211 * The option MulticastDNS= of network configuration files has acquired
7213 names of remote hosts and reply to mDNS A and AAAA requests.
7216 ensure that all dependencies of type BindsTo= (when used in
7224 consisting of various file system related system calls. Group
7234 relevant due to the high amount of recently discovered namespacing
7258 * The various options in the [Match] section of .network files gained
7264 permitted runtime of the mount command.
7293 specifications relative to the end of a month by using "~" instead of
7300 configuring the maximum number of concurrent connections.
7308 scope of the application itself. (Internally this uses HMAC-SHA256 as
7355 style to "systemd-cryptsetup-generator", permitting automatic setup of
7356 Verity root partitions when systemd boots up. In order to make use of
7358 Specification, and the GPT partition ID of the root file system
7359 partition should be identical to the upper 128bit of the Verity root
7360 hash. The GPT partition ID of the Verity partition protecting it
7361 should be the lower 128bit of the Verity root hash. If the partition
7382 ID of each service.
7390 * Documentation has been added that lists all of systemd's low-level
7428 hostname of "fedora" on pristine installations.
7431 the control groups of a specific unit. Similar --user-unit= has been
7432 added for listing only the control groups of a specific user unit.
7438 daemon-reload and related calls) unless at least 16MiB of free space
7444 a disk image instead of plain directory. This logic reuses the same
7456 are of course in place in the host mount namespace anyway.
7461 different place. This option enables booting of ostree images
7470 of coredumps in reverse order.
7479 options, reminiscent of journalctl's options by the same name.
7485 * machinectl will now show the UID shift of local containers, if user
7498 * hostnamed has been updated to report a new chassis type of
7539 binaries we are aware of, however there may be exceptions, in
7544 the user or group of a service when that service exits.
7547 load and unload operations of kernel modules by a service. In
7551 whole file system tree with the exception of /dev, /proc, and /sys,
7555 modification of configuration files in /sys and /proc by a service.
7566 * Support for dynamically creating users for the lifetime of a service
7568 will be allocated from the range 61184…65519 for the lifetime of the
7588 will have its own view of the cgroup hierarchy. This new behaviour
7596 options. This controller requires out-of-tree patches for the kernel
7600 (i.e. dynamically at runtime via the bus API, instead of requiring
7620 * /efi will be used as the mount point of the EFI boot partition, if
7638 systemd.special(7) for a description of how those targets should be
7642 use KD_FONT_OP_GET/SET ioctls instead of KD_FONT_OP_COPY and better
7649 contents of /proc/mountinfo and the command line of the process at
7650 the top of the process hierarchy (which is usually the init process
7651 of the container).
7657 /var/log/ directories inside of a container tree. This is similar to
7686 * The number of instances for socket-activated services originating
7688 MaxConnectionsPerSource=, extending the existing setting of
7702 [Link] section of .link files.
7707 section of .netdev files.
7711 and [IPv6AcceptRA] sections of .network files.
7714 systemd-networkd using the ARP=no setting in the [Link] section of
7719 encode information about the result and exit codes of the current
7734 default of SplitMode=uid.
7741 (undocumented) variable $SYSTEMD_NSPAWN_SHARE_SYSTEM, but the use of
7744 $SYSTEMD_NSPAWN_SHARE_NS_UTS may be used to control the unsharing of
7747 * "machinectl list" now shows the IP address of running containers in
7750 * "loginctl list" now shows the TTY of each session in the output.
7754 sd_bus_track_count_sender(). They permit usage of sd_bus_track peer
7763 * Bus clients of the service manager may now "pin" loaded units into
7775 expressions. Taking benefit of this, the new recommended
7793 services. Each runtime cycle of a service will get a new invocation
7795 run of the service uniquely and globally. A new invocation ID
7797 the invocation ID of a service along with any logged messages, thus
7798 making the invocation ID useful for matching the online runtime of a
7802 uniquely and globally identifies the runtime of each boot. The
7803 invocation ID of a service is passed to the service itself via an
7806 but instead of retrieving the bus path for a unit by its name
7821 systemd (i.e. the --user instance of systemd) has been stripped to
7826 using it only as rough template of what systemd itself needs. Note
7827 that this reduced fragment does not even include an invocation of
7830 option --with-pamconfdir=no to disable installation of the PAM
7838 file descriptor with stdin/stdout/stdout of an executed service. The
7842 * A number of journal settings may now be configured on the kernel
7859 skipping of specific units in user namespace environments.
7893 with an additional special character as first argument of the
7895 line it will be run with full privileges, regardless of User=,
7898 configuration of this concept for each executed command line
7905 specifications. The percentage is taken relative to the amount of
7906 physical memory in the system (or in case of containers, the assigned
7907 amount of memory). This allows scaling service resources neatly with
7908 the amount of RAM available on the system. Similarly, systemd-logind's
7913 value is taken relative to the configured maximum number of processes
7915 using this functionality. (Effectively this is an increase of 512 →
7926 applied to all kinds of file nodes, and not just directories, with
7927 the exception of symlinks. Specifically these settings may now be
7929 well as regular files. The old names of these settings remain
7934 of the service completed. This should help identifying services that
7937 processes killed at the end of each session due to this setting.
7942 the device and inode number of the file descriptor used for
7962 limited to subgroups of that group.
7967 changing-related system calls unavailable to a service. A number of
7970 concept. Accordingly, all of systemd's own, long-running services now
7978 service processes. This option has been enabled for all of systemd's
7988 of the container reports start-up completion to nspawn which then
7991 files has been added too. This functionality allows ordering of the
7992 start-up of multiple containers using the usual systemd ordering
8007 summary of the used DNS configuration with per-interface information
8040 * systemd-networkd's IPv6 Router Advertisement code now makes use of
8059 requesting the current iteration counter of the event loop. It starts
8063 file. It can be used in lieu of %systemd_requires in packages which
8072 been added to simplify packaging of generators.
8078 can be set to disable parsing of metadata and the creation
8079 of persistent symlinks for that device.
8084 * Much of the common code of the various systemd components is now
8095 * Configuration for "mkosi" is now part of the systemd
8135 passing "--with-default-dnssec=no" to "configure" (and of course,
8158 part of the user session scope unit (session-XX.scope) when the user
8160 setting in logind.conf, and the previous default of "no" is now
8166 and any service that should survive the end of any individual login
8172 After the user logs out of all sessions, user@.service will be
8183 InhibitorsMax=, both with a default of 8192. It will not register new
8212 gained support for configuring the multicast querier feature of
8230 when closing journal files, thus reducing impact of slow disk I/O on
8235 can be used to open journal files using file descriptors instead of
8243 suppress the hostname column in the family of "short" output modes.
8245 * systemd-ask-password now optionally skips printing of the password to
8255 only the contents of a specific unit property, without also printing
8257 of loginctl and machinectl that output "key=value" lists.
8265 revert to the vendor version of a unit file, in case local changes
8275 of the owners and the ACLs of all files and directories in a
8289 running. This allows easy connecting of multiple containers with a
8290 common link that implements an Ethernet broadcast domain. Each of
8292 may be referenced by any number of containers, but each container may
8293 only reference one of these "zones". On the lower level, this is
8306 rate of the socket unit.
8314 * Note that the effect of the PrivateDevices= unit file setting changed
8317 set. This (minor) change of behavior might cause some (exceptional)
8339 which creates a synchronization point for dependencies of the root
8375 set of new features, most prominently it may now act as a DNSSEC
8377 default, but is expected to be turned on by default in one of the
8380 service also gained a full set of D-Bus interfaces, including calls
8399 systemd-coredump@.service, instead of directly from the
8401 processing large coredumps can take up a substantial amount of
8402 resources and time, and this previously happened entirely outside of
8407 the rest of the system. Also note that the new logic will honour the
8408 RLIMIT_CORE setting of the crashed process, which now allows users
8421 * When the stacktrace is extracted from processes of system users, this
8424 processing coredumps of normal users this is done under the user ID
8425 of process that crashed, as before.) Packagers should take notice
8451 implements the special POSIX and Linux semantics of PID 1 regarding
8463 that are parents of it. This should make log output about devices
8476 * Most configurable timeouts in systemd now expect an argument of
8477 "infinity" to turn them off, instead of "0" as before. The semantics
8478 from now on is that a timeout of "0" means "now", and "infinity"
8488 release date of the systemd version in use, the clock is now set
8497 initrd, this part of the logic remains in timesyncd, and is not done
8504 that are specific to the full cgroup path of a task, which obsoletes
8506 legacy compatibility reasons. For a more in-depth description of the
8516 configuration of additional Linux process capabilities that are
8527 pointer to a pointer to the object to destroy, instead of just a
8530 construct. Internally, systemd has been a heavy user of this GCC
8532 now available to consumers of the library outside of systemd. Note
8535 LLVM versions of recent years support this extension.
8547 * The sd-event API now comes with a full set of man pages.
8549 * Older versions of systemd contained experimental support for
8551 was not compatible with the lz4 binary (due to API limitations of the
8557 micro-services focus doesn't fit into the machine image focus of
8558 importd, and quickly got out of date with the upstream dkr API.
8560 * Creation of the /run/lock/lockdev/ directory was dropped from
8568 and RebootArgument= have been moved from the [Service] section of
8598 * A number of properties previously only settable in unit
8609 possible to pass in a set of file descriptors to use as
8620 instead of the local timezone. Also, timestamps may now
8621 optionally be specified with sub-second accuracy. Both of
8635 instead of a subvolume (even on a btrfs file system) if the
8638 environments which are not aware of the concept of btrfs
8649 the base of 1024 (IEC). Similar, the time-related resource
8667 number of processes or tasks each user may own
8669 value set by default now, to 8192. Note that all of this
8671 enabled in the kernel. The general benefit of these changes
8673 certain amount of per-service fork() bomb protection.
8681 from PID1's environment block into the environment block of
8695 allows substantially larger numbers of queued
8696 datagrams. This should increase the capability of systemd to
8720 likely source of bugs. There's also a glibc bug pending,
8721 asking for removal of any reference to this obsolete file:
8746 files accordingly. Removal of these dependency types should
8747 only affect a negligible number of unit files in the wild.
8749 * Behaviour of networkd's IPForward= option changed
8757 per-interface control of this setting) and to minimize
8760 * In unit files the behaviour of %u, %U, %h, %s has
8762 to the various user database fields of the user that the
8763 systemd instance is running as, instead of the user
8765 effectively doesn't change much, as resolving of these
8767 of systemd, as we cannot do NSS lookups from PID 1. In the
8768 --user instance of systemd these specifiers were correctly
8771 hence useless. Moreover, even in the --user instance of
8776 credentials of the user invoking the manager (which in case
8777 of PID 1 is the root user).
8811 allows accounting the number of tasks in a cgroup and
8843 directory is set to the home directory of the user
8847 directory of the selected user by default.
8850 CrashChangeVT=, following our usual logic of not
8869 set of subdirectories mounted in from the real sysfs. This
8874 allows implementation of USB gadget services that are
8887 decoding of multiple identifier strings inside a D-Bus
8896 switch. If specified the requested operation will fail of no
8951 * Units of type ".socket" gained a new boolean setting
8964 files controlled by the number of files that shall remain,
8973 number of files in place.
9003 * The DHCP implementation of systemd-networkd gained a set of
9008 EmitDNS=, DNS=, EmitNTP=, and NTP=. If transmission of DNS
9014 of timezone information. It can be configured via the
9016 EmitTimezone=, and Timezone=. Transmission of timezone
9024 - The DHCP server improved on the stability of
9032 * The encapsulation limit of tunnels in systemd-networkd may
9034 modifying the maximum additional levels of encapsulation
9037 * systemd now supports the concept of user buses replacing
9061 of the next kernel releases. Therefore, it should not be
9066 safe. Because of this systemd-nspawn containers will get
9073 that encapsulates PID 1 of the system. It may be used to
9075 1 itself. PID 1 hence moved out of the root of the control
9080 count of processes is now recursively summed up by
9086 extended to allow creation of non-recursive bind mounts.
9089 sd_peer_get_cgroup() which return the control group path of
9090 a process or peer of a connected AF_UNIX socket. This
9094 * The "sd-event" event loop API of libsystemd now supports
9095 correct dequeuing of real-time signals, without losing
9104 accompany the image files or directories of containers, and
9124 the existing 'login' command of machinectl, but spawns the
9143 * sd-bus gained support for matches of type "arg0has=", that
9144 test for membership of strings in string arrays sent in bus
9147 * systemd-resolved now dumps the contents of its DNS and LLMNR
9148 caches to the logs on reception of the SIGUSR1 signal. This
9165 UtmpMode= allows configuration of how precisely systemd
9168 user sessions in the output of the "w", "who", "last" and
9220 * systemd-networkd gained a number of new configuration options.
9227 If enabled, the DSCP field of ip6 tunnels is copied into the
9230 - A set of boolean bridge configuration options were added.
9238 is true, networkd will use the configured hostname instead of the
9242 networkd will configure the IPv6 flow-label of the tunnel device
9252 * nss-mymachines now supports translating UIDs and GIDs of running
9291 * For the sake of fewer build-time dependencies and less code in the
9315 stable and have been added to the official interface of
9342 favor of calling an abstraction tool
9394 It is now managed as part of the Gnome project. Distributions
9403 CPU time of a service (the sum of what each process of the
9408 * Support for configuring alternative mappings of the old SysV
9420 automatically after 2 minutes of not being used. This should
9421 minimize the risk of ESP corruptions.
9432 distribution we are aware of shipped such old versions in a
9443 configuration dynamically to the link sense of other
9466 implementation of this behaviour was broken in v219 and has
9478 use of user namespacing available on recent Linux kernels.
9480 * systemd-nspawn may now be called as part of a shell pipeline
9486 signal to use when killing the init process of the container
9508 of v1 as before).
9560 replace libudev eventually. In fact, already much of libudev
9572 allows easy disabling of this logic, by masking the
9577 journal. This should improve readability of audit messages.
9626 * When any of systemd's tools copies files (for example due to
9631 specified a btrfs snapshot is taken of the container's root
9636 for starting a container off the root file system of the
9648 mounts are stacked, and the .mount unit is stopped all of
9652 * systemd now has an explicit notion of supported and
9683 make the functionality of importd available to the
9692 /var/lib/machines, along with some metadata about sizes of
9734 or --image= is now capable of searching for the container
9737 to make use of this, thus allowing it to be used for raw
9750 * systemd-nspawn will now mount most of the cgroupfs tree
9751 read-only into each container, with the exception of the
9779 on the number of fds a service can store in PID 1, and it
9792 now show the last 10 lines of log messages of the
9802 show the status of the session of the caller. Similar,
9809 $DISPLAY and $XAUTHORITY into the environment of the systemd
9827 or UDP ports of a container on the host. With this in place
9835 useful out-of-the-box. The systemd-nspawn@.service has been
9836 updated to make use of it too by default.
9843 * systemd-nspawn's --image= option is now capable of
9880 operation. Note that this kind of reboot will still unmount
9912 of multiple space-separated matches per item.
10006 systemd's library of light-weight networking protocols. This
10007 library will be used in a future version of networkd to
10018 the object trees of a specific service on the bus, or of all
10022 shows all interfaces and members of objects on the bus,
10055 * When a coredump is collected, a larger number of metadata
10059 chroot directory, /proc/$PID/status, and a list of open file
10068 files in /etc now also support a corresponding series of
10095 * networkd's .netdev files now provide a large set of
10115 "systemd-run" tool has been updated to make use of this for
10158 internal state of daemons and closes a race condition when
10168 supported, but is under the control of the user.
10198 single terminal on each session of the user marked as
10204 * The SELinux context of socket-activated services can be set
10220 age of SSDs. As none of the developers has been using
10222 maintain this component of systemd it has now been removed.
10228 * Docker containers are now detected as a separate type of
10251 access to various bus services, or even hide most of them
10281 * The $NOTIFY_SOCKET is now also passed to control processes of
10285 means at least version v2.25 of util-linux is required for
10297 message flag has been added for all of systemd's polkit
10300 many of PID1's privileged operations such as unit file
10304 placing the rebuilt hardware database in /usr instead of
10324 terminated with SIGABRT (instead of just SIGTERM), in order
10368 from. Lines of type "u" may now add an additional column
10371 information from STDIN instead of a file. This is useful for
10380 * A number of bus APIs of PID 1 now optionally consult polkit to
10387 deployment environment of the machine, as well as the
10388 location of the machine. hostnamectl has been updated with
10398 instead of glibc's own "nss-dns" to resolve hostnames via
10401 the glibc internal resolver systemd-resolved is aware of
10406 separate sets of domain names. systemd-resolved may acquire
10417 automatically resolves the names of all local registered
10447 of the link.
10453 3.17 memfd subsystem instead of the old kdbus-specific one.
10462 kernel has no understanding of DST and similar
10470 validation of unit files.
10472 * systemd-networkd gained support for a couple of additional
10504 implementation these days) no longer makes use of this, and
10505 instead pulls the data out of the journal on its own. Since
10516 * machinectl now shows the IP addresses of local containers,
10517 if it knows them, plus the interface name of the container.
10536 This has the benefit of no flushing secondary IP addresses
10573 * A directive for ensuring automatic clean-up of
10579 automatic clean-up of /var/cache/man will take place.
10585 after an offline update of /usr or a factory reset, on the
10589 will mark the two directories as fully updated. A number of
10590 service files have been added making use of this, to rebuild
10593 described above also makes use of this now. With this in
10612 .network files using settings of this section should be
10619 * networkd gained support for automatic allocation of address
10620 ranges for interfaces from a system-wide pool of
10622 number of interfaces with a single network configuration
10624 appropriate IP addresses to the veth links of a large number
10625 of nspawn instances.
10634 location of this file, since it shall actually describe the
10640 parsing of unknown mount options.
10648 pre-existing files of different types.
10665 that allows checking the overall state of the system, for
10689 stack trace of all core dumps taking place on the system,
10695 instead of storing them unconditionally in the journal. This
10698 and other parameters of systemd-coredump.
10703 recent entry instead of all entries. Also, as the tool is
10704 generally useful now the "systemd-" prefix of the binary
10720 * systemd-nspawn will now by default filter a couple of
10730 just a fix for one of the most obvious problems.
10733 contains a minimized, modernized version of the file system
10736 been added to query many of these paths for the local
10739 * Automatic time-based clean-up of $XDG_RUNTIME_DIR is no
10742 in particular since this now brings the lifecycle of this
10745 * systemd.pc now exports a number of additional directories,
10747 path for the primary architecture of the system), and a
10748 couple of drop-in directories.
10751 sysfs attribute, introduced in linux 3.15 instead of dev_id to
10752 distinguish between ports of the same PCI function. dev_id should
10756 * machined has been updated to export the OS version of a
10762 added. If configured to a set of exit signals or process
10764 daemon process exits with any of them, regardless of the
10795 executes events for the disk or any of its partitions.
10854 modifications of user data or system files from
10856 of systemd's long-running services, where appropriate.
10859 settings to set the owner user and group of AF_UNIX sockets
10867 of symlinks to create to file system sockets or FIFOs
10876 but /run is left). This also has the benefit of ensuring
10882 sd_notifyf(), but allow overriding of the source PID of
10884 useful to send notify messages on behalf of a different
10886 systemd-notify tool has been updated to make use of this
10922 substantial amount of legacy code from PID 1, following the
10924 of LSB/SysV init scripts nowadays.
10936 lines. So far, they have been non-globbing versions of the
10943 /run symlink and create a couple of structural
10956 particularly useful for making use of the automatic
10957 reconstruction of /var (see above), by passing --tmpfs=/var.
10972 instead. Distributions should probably deprecate usage of
11005 systems, even if it is not always correct. To make use of
11007 needs to be created on installation of systemd.
11009 * The queue "seqnum" interface of libudev has been disabled, as
11011 sequence numbers of devices go "missing" if the devices are
11012 part of a different namespace.
11015 a --recursive switch for showing units of these types also
11033 systemd-analyze makes use of this to properly display
11059 * machined gained a new API to query the IP addresses of
11064 sd-login APIs for querying the "primary" session of a
11065 user. The "primary" session of the user is elected from the
11080 of network configuration performed in some other way.
11092 match more closely the rules of other configuration settings
11119 the darkest setting or from the lowest 5% of the available
11120 range, depending on which is the larger value of both. This
11126 determine the class ("vm" or "container") of a machine
11131 to query the identity of the peer of a local AF_UNIX
11147 state (see above), if systemd runs inside of them.
11163 not common there), but still very useful to allow booting of
11166 * MAC addresses of interfaces created with nspawn's
11169 of the container.
11178 be turned off by using the RemoveIPC= switch of logind.conf.
11182 instead of /.
11184 * journald can now forward logged messages to the TTYs of all
11232 default AccuracySec= setting of .timer units.
11271 attack surface of services via exotic protocol stacks. This
11297 place, automatic discovery of partitions to mount following
11326 tracking the lifecycle of bus peers. Note that sd-bus.h is
11332 now individual tmpfs instances, which has the benefit of
11339 defaults to 10% of the available physical memory. This is no
11363 initialization of resource control properties (and others)
11395 set the AppArmor profile for the processes of a unit.
11406 machine due to a closed laptop lid. Instead of acting only
11409 power button is on the outside of the chassis so that it can
11427 * nspawn will now make use of the devices cgroup controller by
11428 default, and only permit creation of and access to the usual
11430 access to (but not creation of) the pty devices.
11446 allow-list an entire group of devices node majors at once, based on
11451 * sd-event learned a new "post" event source. Event sources of
11452 this type are triggered by the dispatching of any event
11453 source of a type that is not "post". This is useful for
11471 libsystemd-daemon.so do not make use of IFUNC
11501 via DHCP. It is capable of bringing up bridges, VLANs, and
11521 * Save/restore state of keyboard backlights in addition to
11536 * The configuration of network interface naming rules for
11538 setting in the [Link] section of .link files determines the
11539 priority of possible naming schemes (onboard, slot, MAC,
11540 path). The default value of this setting is determined by
11564 vtable array of its methods, signals and properties.
11568 as the precise format of these files is unclear, and
11569 nothing makes use of it.
11581 couple of features that direct epoll usage is lacking:
11582 prioritization of events, scales to large numbers of timer
11584 coalescing of timer events, exit handlers, watchdog
11589 around the route netlink interface of the kernel, similar in
11597 "systemd.restore_state=0|1". When set to "0", none of the
11619 useful for systemd-run because it enables queuing of jobs
11630 system of some kind.
11633 listing of installed timer units with the times they elapse
11641 mode to queue a job with. This is a more generic version of
11646 various default timeouts of units, as well as the default
11650 * PID1 will now export on the bus profile data of the security
11661 * The accuracy of timer units is now configurable with the new
11669 the original unit file of a unit, and concatenates the
11670 contents of additional "drop-in" unit file snippets, so that
11679 * All systemd daemons now make use of the watchdog logic so
11690 instances of systemd, and as special case for the root user.
11693 of the legend text.
11701 information of SDIO devices.
11708 short description of the connection parameters in the
11737 a copy of a good part of our code into each of these
11746 of this library (this is because it only consumes, never
11747 provides, services of/to other APIs). To make the transition
11753 * All of the kdbus logic and the new APIs "sd-bus.h",
11757 default. To make use of kdbus, you have to explicitly enable
11759 userspace API for all of this is considered stable yet. We
11762 that you are aware of the instability of the current
11769 one of the next releases, at the same time that we will
11774 this stage of development, it is only useful for testing kdbus
11778 runs with kdbus instead of dbus-daemon, with the above mentioned
11779 problem of missing the system policy enforcement. Also a future
11780 version of kdbus.ko or a newer systemd will not be compatible with
11782 one of them is updated.
11827 all remaining processes of the service.
11833 the shutdown logic of scope units. Also, scope units may now
11839 the access mode of these files, and warn about certain
11851 container to have its own set of system and user buses,
11852 independent of the host.
11876 results in registration of the unit service itself in
11877 systemd-machined, instead of a newly opened scope unit.
11883 switch then allows assigning the host side of this virtual
11893 session which encodes the desktop environment of it. This is
11895 multiple running sessions of itself easily.
11902 settings of the "less" pager. By default, these tools will
11907 * systemd's "seccomp" hook-up has been changed to make use of
11908 the libseccomp library instead of using its own
11914 allows configuration of a system error number to be returned
11915 on filtered system calls, instead of immediately killing the
11917 limit access to system calls of a particular architecture
11979 may be used to change the owner/group/access mode of a file
11997 from. This is useful to allow easy per-customer filtering of
12000 * systemd-journald will no longer adjust the group of journal
12011 logging clients of journald and might block on it, which
12054 retrieve the VT number of a session.
12056 * If the option "tries=0" is set for an entry of /etc/crypttab
12057 its passphrase is queried indefinitely instead of any
12058 maximum number of tries.
12106 also makes the otherwise hidden order of application of the
12108 pre-198 application order of sysctl knobs!)
12153 * "systemctl status" will now show the results of the
12154 condition checks (like ConditionPathExists= and similar) of
12155 the last start attempts of the unit. They are also logged to
12158 * "journalctl -b" may now be used to look for boot output of a
12168 of an FSS key.
12170 * Creation of "dead" device nodes has been moved from udev
12197 set of processes in the message metadata.
12210 specific mappings of scan to key codes, and force-release
12222 subslice of system.slice unless something else is explicitly
12223 configured. For example, instances of sshd@.service will now
12244 created out of pre-existing processes — instead of PID 1
12258 context of the work to move cgroup handling to a
12262 * There's a new concept of "transient" units. In contrast to
12271 * logind has been updated to make use of scope and slice units
12275 adding an instance of user@.service for the user into the
12278 for this by means of scope, service and slice units. Since
12280 the output of "systemctl" is now a lot more comprehensive.
12286 of meta information about the VMs/containers, and assign
12299 various runtime parameters of a unit. This is primarily
12307 while configuring a number of settings via the command
12310 queuing of execution jobs with time triggers from the
12363 of this information if all log messages regarding a specific
12402 objects any of the components systemd creates in the cgroup
12408 of userspace object names with kernel filenames. This work
12410 cgroup tree, in order to allow easy resource partitioning of
12416 * systemd-inhibit now shows the process name of processes that
12435 determines the slowest chain of units run during system
12476 * The output of 'systemctl list-jobs' got some polishing. The
12479 a list of kernel sockets systemd is listening on with the
12502 uniform separation of /system, /user and /machine for system
12509 name of the container/VM a specific process belongs to.
12549 processes. We will now print the name of these processes
12566 * systemd-cgtop now optionally shows summed up CPU times of
12570 runtime of the system. systemd-cgtop has also been updated
12573 * 'hostnamectl set-hostname' will now allow setting of FQDN
12576 * The formatting and parsing of time span values has been
12583 all time-related output of systemd.
12596 graphs of all the dependencies between only target units, or
12597 of all units that Avahi has dependencies with.
12611 consist of all read requests made in equidistant time
12612 intervals. This means instead of strictly reading read-ahead
12617 on operating systems that provide continuous builds of OS
12631 * Behaviour of PrivateTmp=, ReadWriteDirectories=,
12634 shared by all processes of a service (which means
12635 ExecStartPre= may now leave data in /tmp that ExecStart= of
12641 * By default, systemd will now set a couple of sysctl
12645 protection of the kernel is turned on. These settings should
12659 reliability in case of a crash. The synchronization delay
12672 to set sysfs attributes of a device.
12674 * The udev daemon now sets the default number of worker
12675 processes executed in parallel based on the number of available
12676 CPUs instead of the amount of available RAM. This is supposed
12678 parallelism for setups with 1000s of devices connected.
12692 * Configuration of unit files may now be extended via drop-in
12698 will load all these snippets and apply them on top of the
12711 * Most unit file settings which take lists of items can now be
12722 listing the dependencies of a unit recursively.
12735 administrator to easily adjust the resource usage of
12785 context of containers, hence we recommend compiling it out
12786 of the kernel or using audit=0. Hopefully this will be fixed
12817 unlocking the screens of all user sessions at once, similar
12821 * "loginctl seat-status" will now show the master device of a
12822 seat. (i.e. the device of a seat that needs to be around for
12827 configuration of files and directories (with wildcards) that
12845 instead of at the last moment, in order to optimize shutdown
12856 the rest of the package. It also has been updated to work
12866 the status of all active or failed units.
12874 * The Python API of systemd now gained a new module for
12894 to immediately jump to the end of the journal in the
12901 * A number of unit files to ease adoption of systemd in
12958 2013-*-1,5 11:12:13" which refers to 11:12:13 of the first
12959 or fifth day of any month of the year 2013, given that it is
12965 * udev now supports a number of different naming policies for
12967 of these policies is now the default. Please see this wiki
12974 boot in quite some detail. It is one of the best bootchart
12981 requirement of systemd-hostnamed since a long time, and
12986 * The read-ahead logic is now capable of properly detecting
12989 only capable of detecting this on traditional file systems
12997 replaced by the configured user name of the service.
13006 implementation of socket activated nspawn
13022 type of the system. This can be used to determine whether
13028 * A number of polkit actions are now bound together with "imply"
13034 AC power source is connected or not, of whether the system
13042 globbing, and can hence be used to easily read a number of
13049 a lot of the code is still accessible via explicit configure
13057 pieces of code locally from the git history.
13104 complexity (with n being the number of entries in the
13110 --update" after installation of hwdb data files. For
13121 rebuilt after installation of message catalog files. Use
13130 the underlying file system of a journal file is capable of
13145 "systemctl hybrid-sleep" to make use of this.
13149 request the screen lock on all local sessions, instead of
13155 * Socket units now gained support for configuration of the
13158 * timedatectl will now output the time of the last and next
13180 * "systemctl switch-root" is now capable of switching root
13221 downs of available match values when filtering. The bash
13222 completion of journalctl has been updated
13248 $MANAGERPID env var is set to the PID of systemd.
13251 in immediate termination of systemd.
13319 as easy log access for debugging of embedded devices. Right
13332 to enable the user to do some basic browsing of the
13334 screenshot of this app in its current state:
13371 built-in logic of determining this parameter from the file
13376 is now capable of enumerating graphics devices via udev in a
13381 removed entirely in one of the next releases.
13400 mount points too. (Previously, a bind mount of one file
13412 has the effect of making "journalctl -b" do the right thing
13430 nspawn makes use of this now and will actually reboot the
13437 call to determine the current disk usage of all journal
13451 APIs. More Python APIs for a number of selected APIs will
13455 various projects outside of systemd that provide bindings
13459 addition, PathChanged= and related directives of .path units
13498 that is to invoke the DE wrapped in an invocation of:
13529 above). /proc/kmsg is now exclusive property of classic
13541 made on the host OS below the root file system of the
13545 which provide cryptographical sealing of journal files so
13551 and SuccessExitStatus= which allow configuration of exit
13556 to check the integrity of the structure of journal files and
13557 (if Forward Secure Sealing is enabled) the contents of
13570 provision a large number of hosts which shall run slightly
13571 different sets of services.
13589 * "systemctl enable" may now be used to enable instances of
13597 the maximum number of iterations to run for. It also gained
13618 nicely out-of-the-box so that they receive new mounts from
13627 * Since systemd is a crucial part of the OS we will now
13628 default to a number of compiler switches that improve
13634 of individual time outs for the start and the stop phase of
13665 messages of two different boots.
13690 header data of journal files.
13694 based on SECCOMP Mode 2 of Linux 3.5.
13728 * systemd-tmpfiles now supports getting passed the basename of
13750 immediately flushing of runtime logs to /var if possible,
13751 resp. for triggering immediate rotation of the journal
13757 * XDG_RUNTIME_DIR now uses numeric UIDs instead of usernames.
13775 distributions to make use of these macros if possible. This
13814 * A couple of services gained "systemd-" prefixes in their
13835 * journalctl gained a new switch "-b" that lists log data of
13842 which allows configuration of where log data should go. This
13863 journald.conf. These options allow reducing the amount of
13875 * logind is now capable of (optionally) handling power and
13879 /usr/bin/avahi-daemon" to get all log output of a specific
13883 the capability bound set of usermode helpers of the kernel.
13900 udev though, will require the *build* of the systemd tree, but
13912 behind by forking them off of udev rules, are unconditionally cleaned
13939 of udev (which will be changed to LGPL2.1 eventually, too),
13947 suitable for a variety of uses. Soonishly Lennart will blog
13958 easier to explore the boot and the purpose of the various
13972 avoiding ugly interleaving of getty output and boot status
13976 globally reduce the set of capabilities for the
13982 globally change the defaults of the various resource limits
13986 systemd which allows easy testing of systemd builds in qemu
13990 of PID 1 anymore.
13993 /etc/fstab are out of date due to changes in fstab that
13997 already been updated to make use of this. With this in place
14012 * Read-ahead pack files now include the inode number of all
14015 packages which might result in changes of read-ahead
14021 of necessary blocks to pre-cache.
14042 components now have directories of their own.
14057 * Since udisks does not make use of /media anymore we are not
14082 * Support optional initialization of the machine ID from the
14094 * Extend the /etc/os-release format on request of the Debian
14112 * The various user visible bits of the journal now have man
14132 * Track class of PAM logins to distinguish greeters from
14167 libkmod directly, instead of modprobe. This means we do not
14177 * We now limit the set of capabilities of systemd-journald.
14221 owned by them, thus allow members of this group full access
14224 * The journal now stores the SELinux context of the logging
14299 of existing distributions.
14315 * Output of SysV services is now forwarded to both the console
14322 select the components of systemd they are interested in.
14332 of /usr/local by default.
14346 reloading of units together.