[lfs-book] [LFS Trac] #3958: systemd-231

LFS Trac trac at linuxfromscratch.org
Sat Jul 30 13:26:36 PDT 2016


#3958: systemd-231
----------------------+-----------------------
 Reporter:  bdubbs@…  |       Owner:  renodr
     Type:  task      |      Status:  assigned
 Priority:  normal    |   Milestone:  7.10
Component:  Book      |     Version:  SVN
 Severity:  normal    |  Resolution:
 Keywords:            |
----------------------+-----------------------
Changes (by renodr):

 * owner:  lfs-book@… => renodr
 * status:  new => assigned


Old description:

> New version

New description:

 New version


 {{{
 CHANGES WITH 231:

         * In service units the various ExecXYZ= settings have been extended
           with an additional special character as first argument of the
           assigned value: if the character '+' is used the specified command
           line will be run with full privileges, regardless of User=, Group=,
           CapabilityBoundingSet= and similar options. The effect is similar
           to the existing PermissionsStartOnly= option, but allows
           configuration of this concept for each executed command line
           independently.

         * Services may now alter the service watchdog timeout at runtime by
           sending a WATCHDOG_USEC= message via sd_notify().

         * MemoryLimit= and related unit settings now optionally take
           percentage specifications. The percentage is taken relative to the
           amount of physical memory in the system (or in case of containers,
           the assigned amount of memory). This allows scaling service
           resources neatly with the amount of RAM available on the system.
           Similarly, systemd-logind's RuntimeDirectorySize= option now also
           optionally takes percentage values.

         * In similar fashion TasksMax= takes percentage values now, too. The
           value is taken relative to the configured maximum number of
           processes on the system. The per-service task maximum has been
           changed to 15% using this functionality. (Effectively this is an
           increase of 512 → 4915 for service units, given the kernel's
           default pid_max setting.)

         * Calendar time specifications in .timer units now understand a ".."
           syntax for time ranges. Example: "4..7:10" may now be used for
           defining a timer that is triggered at 4:10am, 5:10am, 6:10am and
           7:10am every day.

         * The InaccessibleDirectories=, ReadOnlyDirectories= and
           ReadWriteDirectories= unit file settings have been renamed to
           InaccessiblePaths=, ReadOnlyPaths= and ReadWritePaths= and may now
           be applied to all kinds of file nodes, and not just directories,
           with the exception of symlinks. Specifically these settings may now
           be used on block and character device nodes, UNIX sockets and
           FIFOs as well as regular files. The old names of these settings
           remain available for compatibility.

         * systemd will now log about all service processes it kills forcibly
           (using SIGKILL) because they remained after the clean shutdown
           phase of the service completed. This should help identifying
           services that shut down uncleanly. Moreover if KillUserProcesses=
           is enabled in systemd-logind's configuration a similar log message
           is generated for processes killed at the end of each session due
           to this setting.

         * systemd will now set the $JOURNAL_STREAM environment variable for
           all services whose stdout/stderr are connected to the Journal
           (which effectively means by default: all services). The variable
           contains the device and inode number of the file descriptor used
           for stdout/stderr. This may be used by invoked programs to detect
           whether their stdout/stderr is connected to the Journal, in which
           case they can switch over to direct Journal communication, thus
           being able to pass extended, structured metadata along with their
           log messages. As one example, this is now used by glib's logging
           primitives.

         * When using systemd's default tmp.mount unit for /tmp, the mount
           point will now be established with the "nosuid" and "nodev"
           options. This avoids privilege escalation attacks that put traps
           and exploits into /tmp. However, this might cause problems if you
           e.g. put container images or overlays into /tmp; if you need this,
           override tmp.mount's "Options=" with a drop-in, or mount /tmp from
           /etc/fstab with your desired options.

         * systemd now supports the "memory" cgroup controller also on
           cgroupsv2.

         * The systemd-cgtop tool now optionally takes a control group path
           as command line argument. If specified, the control group list
           shown is limited to subgroups of that group.

         * The SystemCallFilter= unit file setting gained support for
           pre-defined, named system call filter sets. For example
           SystemCallFilter=@clock is now an effective way to make all clock
           changing-related system calls unavailable to a service. A number
           of similar pre-defined groups are defined. Writing system call
           filters for system services is simplified substantially with this
           new concept. Accordingly, all of systemd's own, long-running
           services now enable system call filtering based on this, by
           default.

         * A new service setting MemoryDenyWriteExecute= has been added,
           taking a boolean value. If turned on, a service may no longer
           create memory mappings that are writable and executable at the
           same time. This enhances security for services where this is
           enabled as it becomes harder to dynamically write and then execute
           memory in exploited service processes. This option has been
           enabled for all of systemd's own long-running services.

         * A new RestrictRealtime= service setting has been added, taking a
           boolean argument. If set the service's processes may no longer
           acquire realtime scheduling. This improves security as realtime
           scheduling may otherwise be used to easily freeze the system.

         * systemd-nspawn gained a new switch --notify-ready= taking a boolean
           value. This may be used for requesting that the system manager
           inside of the container reports start-up completion to nspawn
           which then propagates this notification further to the service
           manager supervising nspawn itself. A related option NotifyReady=
           in .nspawn files has been added too. This functionality allows
           ordering of the start-up of multiple containers using the usual
           systemd ordering primitives.

         * machinectl gained a new command "stop" that is an alias for
           "terminate".

         * systemd-resolved gained support for contacting DNS servers on
           link-local IPv6 addresses.

         * If systemd-resolved receives the SIGUSR2 signal it will now flush
           all its caches. A method call for requesting the same operation
           has been added to the bus API too, and is made available via
           "systemd-resolve --flush-caches".

         * systemd-resolve gained a new --status switch. If passed a brief
           summary of the used DNS configuration with per-interface
           information is shown.

         * resolved.conf gained a new Cache= boolean option, defaulting to
           on. If turned off local DNS caching is disabled. This comes with a
           performance penalty in particular when DNSSEC is enabled. Note
           that resolved disables its internal caching implicitly anyway,
           when the configured DNS server is on a host-local IP address such
           as ::1 or 127.0.0.1, thus automatically avoiding double local
           caching.

         * systemd-resolved now listens on the local IP address
           127.0.0.53:53 for DNS requests. This improves compatibility with
           local programs that do not use the libc NSS or systemd-resolved's
           bus APIs for name resolution. This minimal DNS service is only
           available to local programs and does not implement the full DNS
           protocol, but enough to cover local DNS clients. A new, static
           resolv.conf file, listing just this DNS server is now shipped in
           /usr/lib/systemd/resolv.conf. It is now recommended to make
           /etc/resolv.conf a symlink to this file in order to route all DNS
           lookups to systemd-resolved, regardless if done via NSS, the bus
           API or raw DNS packets. Note that this local DNS service is not as
           fully featured as the libc NSS or systemd-resolved's bus APIs. For
           example, as unicast DNS cannot be used to deliver link-local
           address information (as this implies sending a local interface
           index along), LLMNR/mDNS support via this interface is severely
           restricted. It is thus strongly recommended for all applications
           to use the libc NSS API or native systemd-resolved bus API
           instead.

         * systemd-networkd's bridge support learned a new setting
           VLANFiltering= for controlling VLAN filtering. Moreover a new
           section in .network files has been added for configuring VLAN
           bridging in more detail: VLAN=, EgressUntagged=, PVID= in
           [BridgeVLAN].

         * systemd-networkd's IPv6 Router Advertisement code now makes use of
           the DNSSL and RDNSS options. This means IPv6 DNS configuration may
           now be acquired without relying on DHCPv6. Two new options
           UseDomains= and UseDNS= have been added to configure this
           behaviour.

         * systemd-networkd's IPv6AcceptRouterAdvertisements= option has been
           renamed IPv6AcceptRA=, without altering its behaviour. The old
           setting name remains available for compatibility reasons.

         * The systemd-networkd VTI/VTI6 tunneling support gained new options
           Key=, InputKey= and OutputKey=.

         * systemd-networkd gained support for VRF ("Virtual Routing
           Function") interface configuration.

         * "systemctl edit" may now be used to create new unit files by
           specifying the --force switch.

         * sd-event gained a new function sd_event_get_iteration() for
           requesting the current iteration counter of the event loop. It
           starts at zero and is increased by one with each event loop
           iteration.

         * A new rpm macro %systemd_ordering is provided by the
           macros.systemd file. It can be used in lieu of %systemd_requires
           in packages which don't use any systemd functionality and are
           intended to be installed in minimal containers without systemd
           present. This macro provides ordering dependencies to ensure that
           if the package is installed in the same rpm transaction as
           systemd, systemd will be installed before the scriptlets for the
           package are executed, allowing unit presets to be handled.

           New macros %_systemdgeneratordir and %_systemdusergeneratordir
           have been added to simplify packaging of generators.

         * The os-release file gained VERSION_CODENAME field for the
           distribution nickname (e.g. VERSION_CODENAME=woody).

         * New udev property UDEV_DISABLE_PERSISTENT_STORAGE_RULES_FLAG=1
           can be set to disable parsing of metadata and the creation
           of persistent symlinks for that device.

         * The v230 change to tag framebuffer devices (/dev/fb*) with
           "uaccess" to make them available to logged-in users has been
           reverted.

         * Much of the common code of the various systemd components is now
           built into an internal shared library libsystemd-shared-231.so
           (incorporating the systemd version number in the name, to be
           updated with future releases) that the components link to. This
           should decrease systemd footprint both in memory during runtime
           and on disk. Note that the shared library is not for public use,
           and is neither API nor ABI stable, but is likely to change with
           every new released update. Packagers need to make sure that
           binaries linking to libsystemd-shared.so are updated in step with
           the library.

         * Configuration for "mkosi" is now part of the systemd repository.
           mkosi is a tool to easily build legacy-free OS images, and is
           available on github: https://github.com/systemd/mkosi. If "mkosi"
           is invoked in the build tree a new raw OS image is generated
           incorporating the systemd sources currently being worked on and a
           clean, fresh distribution installation. The generated OS image may
           be booted up with "systemd-nspawn -b -i", qemu-kvm or on any
           physical UEFI PC. This functionality is particularly useful to
           easily test local changes made to systemd in a pristine, defined
           environment. See HACKING for details.

 }}}

--

--
Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/3958#comment:3>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
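Added example (not from the LFS book, this ticket, or systemd's own unit files): one service unit that exercises the new 231 service directives quoted in the ticket together: the '+' command prefix, percentage MemoryLimit=/TasksMax=, the renamed ReadOnlyPaths=/InaccessiblePaths= applied to a character device, named syscall sets, MemoryDenyWriteExecute= and RestrictRealtime=. Everything called "app" (app.service, the app user and group, /opt/app/bin/appd, /etc/app/app.conf, /var/lib/app/keys, /run/app) is a placeholder for a hypothetical daemon that implements sd_notify(). One caveat the quoted changelog does not spell out: SystemCallFilter= without a leading '~' is an allow-list, so a bare SystemCallFilter=@clock would leave a service with only the clock syscalls; the deny form is ~@clock, which is what systemd's own units use.

```ini
# /etc/systemd/system/app.service  (constructed example; every "app" path,
# user and binary is a placeholder for a daemon that supports sd_notify())
[Unit]
Description=Example daemon hardened with systemd 231 service directives
After=network.target

[Service]
Type=notify
User=app
Group=app
# '+' (new in 231): this one command line runs with full privileges even
# though User=/Group=/CapabilityBoundingSet= below apply to the rest of the
# unit. It replaces a unit-wide PermissionsStartOnly=yes.
ExecStartPre=+/usr/bin/install -d -o app -g app -m 0750 /run/app
ExecStart=/opt/app/bin/appd --config /etc/app/app.conf --socket /run/app/app.sock
ExecReload=/bin/kill -HUP $MAINPID

# Limits as a share of this host's RAM and pid_max (percentages: new in 231)
MemoryLimit=10%
TasksMax=5%
# appd may adjust this at runtime with a WATCHDOG_USEC= sd_notify() message;
# the manager still SIGKILLs it when the pings stop.
WatchdogSec=30s

# Privilege and file system view
CapabilityBoundingSet=
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes
# Renamed from ReadOnlyDirectories=/InaccessibleDirectories= in 231 and now
# accepted for non-directories. udev creates /dev/kmsg mode 0644, so unless
# kernel.dmesg_restrict=1 any user can read kernel log lines (and the
# addresses in them); hide the device from this service entirely.
ReadOnlyPaths=/var/lib/app/keys
InaccessiblePaths=/dev/kmsg

# Syscall and memory policy (new or extended in 231).
# The leading '~' makes this a deny-list. Without it the listed sets would
# be the ONLY permitted syscalls and appd would die on its first read().
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
# Return EPERM instead of killing with SIGSYS: hits show up in appd's logs.
SystemCallErrorNumber=EPERM
MemoryDenyWriteExecute=yes
RestrictRealtime=yes

[Install]
WantedBy=multi-user.target
```

Run `systemctl daemon-reload` and `systemd-analyze verify app.service` before enabling it. SystemCallErrorNumber=EPERM is the comfortable mode while tuning the filter list (a blocked call becomes an error the daemon logs rather than a SIGSYS kill); drop it once the list is settled if you prefer the hard stop. MemoryDenyWriteExecute=yes breaks anything that generates code at runtime (JVMs, LuaJIT and similar runtimes), so it belongs on daemons written in C, Go, Rust and the like.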
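For the tmp.mount change, an added example of the drop-in the changelog mentions (not a file shipped by systemd or LFS). The Options= value attributed to 231's stock tmp.mount below is an assumption (the changelog guarantees only that nosuid and nodev were added); check /usr/lib/systemd/system/tmp.mount on the installed system before copying it.

```ini
# /etc/systemd/system/tmp.mount.d/override.conf
#
# What 231's tmp.mount is assumed to ship (verify against
# /usr/lib/systemd/system/tmp.mount):
#   [Mount]
#   Options=mode=1777,strictatime,nosuid,nodev
#
# nosuid: a setuid binary dropped into /tmp does not elevate.
# nodev:  a crafted device node in /tmp (a copy of /dev/sda or /dev/mem
#         with loose permissions) does not work.
#
# Only if a workload genuinely needs device nodes in /tmp (the container
# image / overlay case from the changelog) give back nodev, and nothing
# else. Options= is a single value, so the drop-in replaces the whole line;
# nosuid stays.
[Mount]
Options=mode=1777,strictatime,nosuid

# Equivalent alternative: a /tmp line in /etc/fstab wins over the shipped
# tmp.mount, because systemd-fstab-generator emits it into a directory that
# takes precedence over /usr/lib/systemd/system:
#   tmpfs  /tmp  tmpfs  mode=1777,strictatime,nosuid  0 0
```

After `systemctl daemon-reload` the new options apply at the next mount of /tmp (in practice the next boot; restarting tmp.mount on a running system unmounts /tmp under live processes). Confirm with `findmnt -o TARGET,OPTIONS /tmp`, which should list nosuid and, unless you overrode it, nodev.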
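The $JOURNAL_STREAM check described in the changelog, as an added C example (not glib's or systemd's implementation). systemd formats the variable as the decimal st_dev and st_ino of the file behind stdout/stderr, so a program compares it against fstat() of the descriptor it actually logs on. Checking the descriptor rather than just the variable's presence matters: a wrapper such as `ExecStart=/bin/sh -c 'appd | filter'` leaves the variable in appd's environment while appd's stdout is the pipe.

```c
/* journal_stream.c: is this process's stderr the stream systemd 231+
 * connected to the Journal?  Added example, not systemd's or glib's code.
 * systemd sets JOURNAL_STREAM to "<st_dev>:<st_ino>" (both decimal) of the
 * file behind stdout/stderr when it connects them to the Journal. */
#define _GNU_SOURCE 1
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Parse "dev:ino" strictly: two unsigned decimal numbers, one colon,
 * nothing else (no sign, no whitespace).  0 on success, -1 if malformed. */
int journal_stream_parse(const char *value, uint64_t *dev, uint64_t *ino)
{
    char *end;
    unsigned long long d, i;

    if (value == NULL || !isdigit((unsigned char)*value))
        return -1;
    errno = 0;
    d = strtoull(value, &end, 10);
    if (errno != 0 || *end != ':')
        return -1;
    value = end + 1;
    if (!isdigit((unsigned char)*value))
        return -1;
    i = strtoull(value, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;
    *dev = d;
    *ino = i;
    return 0;
}

/* 1 if fd refers to the file named by value, 0 if it does not,
 * -1 if value is malformed or fd cannot be fstat()ed. */
int journal_stream_matches(const char *value, int fd)
{
    uint64_t dev, ino;
    struct stat st;

    if (journal_stream_parse(value, &dev, &ino) < 0)
        return -1;
    if (fstat(fd, &st) < 0)
        return -1;
    return (uint64_t)st.st_dev == dev && (uint64_t)st.st_ino == ino;
}

/* What a daemon calls once at startup before choosing its log backend. */
int stderr_is_journal_stream(void)
{
    const char *v = getenv("JOURNAL_STREAM");
    if (v == NULL)
        return 0;            /* not started by systemd, or not on the Journal */
    return journal_stream_matches(v, STDERR_FILENO) == 1;
}

int main(void)
{
    if (stderr_is_journal_stream())
        fprintf(stderr, "stderr is the Journal stream: switch to sd_journal_send() for structured fields\n");
    else
        fprintf(stderr, "stderr is not the Journal stream: keep plain text logging\n");
    return 0;
}
```

Run it by hand and it reports plain text logging; run it as a service (or via `systemd-run -t ./journal_stream`) and it reports the Journal stream. A daemon that gets a match can open the Journal directly with sd_journal_send() and attach fields like PRIORITY= or its own structured keys, which is exactly what the changelog says glib now does.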
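A probe for MemoryDenyWriteExecute=, as an added example (not systemd's code). In 231 the setting is a seccomp filter that fails mmap() requests for PROT_WRITE|PROT_EXEC and mprotect() requests for PROT_EXEC with EPERM, so both halves of the usual "stage a payload in a writable buffer, then make it executable" sequence fail. The two functions attempt exactly those operations and report whether they work; run the binary outside and then inside the sandbox (for instance `systemd-run -t -p MemoryDenyWriteExecute=yes ./mdwe_probe`) to see the difference. The probe cannot tell which layer refused (PaX MPROTECT or an SELinux execmem denial give the same answer), only whether the operation is available to the process.

```c
/* mdwe_probe.c: does MemoryDenyWriteExecute=yes (systemd 231) apply to this
 * process?  Added example, not systemd's code.  The setting returns EPERM
 * for mmap() asking for PROT_WRITE|PROT_EXEC and for mprotect() asking for
 * PROT_EXEC, which closes both routes to executable data. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* 1 if an anonymous RWX page can be mapped, 0 if refused (errno set). */
int rwx_mapping_allowed(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, len);
    return 1;
}

/* 1 if a writable page can afterwards be flipped to executable, 0 if
 * refused (errno set).  A JIT does this legitimately; an exploit that
 * wrote shellcode into a data buffer needs the same transition. */
int write_then_exec_allowed(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int ok, saved;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    memset(p, 0xC3, 16);             /* x86 'ret' bytes; never executed */
    ok = mprotect(p, len, PROT_READ | PROT_EXEC) == 0;
    saved = errno;
    munmap(p, len);
    errno = saved;
    return ok;
}

static void report(const char *what, int allowed)
{
    if (allowed)
        printf("%-28s allowed\n", what);
    else
        printf("%-28s denied (%s)\n", what, strerror(errno));
}

int main(void)
{
    /* On a stock Linux kernel outside the sandbox both lines read
     * "allowed"; under MemoryDenyWriteExecute=yes both read
     * "denied (Operation not permitted)". */
    report("mmap(PROT_WRITE|PROT_EXEC):", rwx_mapping_allowed());
    report("mprotect(PROT_EXEC):", write_then_exec_allowed());
    return 0;
}
```

Because the filter also rejects mprotect(PROT_EXEC), a service that merely maps RW and later flips to RX (the pattern most JITs use) is blocked as well, which is why the setting is safe for systemd's own daemons and unsafe for runtimes that compile at run time.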

