[lfs-book] [LFS Trac] #3958: systemd-231
trac at linuxfromscratch.org
Sat Jul 30 13:26:36 PDT 2016
Reporter: bdubbs@… | Owner: renodr
Type: task | Status: assigned
Priority: normal | Milestone: 7.10
Component: Book | Version: SVN
Severity: normal | Resolution:
Changes (by renodr):
* owner: lfs-book@… => renodr
* status: new => assigned
> New version
CHANGES WITH 231:
* In service units the various ExecXYZ= settings have been
with an additional special character as first argument of the
assigned value: if the character '+' is used the specified
line it will be run with full privileges, regardless of User=,
Group=, CapabilityBoundingSet= and similar options. The effect
similar to the existing PermissionsStartOnly= option, but allows
configuration of this concept for each executed command line
* Services may now alter the service watchdog timeout at runtime
sending a WATCHDOG_USEC= message via sd_notify().
* MemoryLimit= and related unit settings now optionally take
specifications. The percentage is taken relative to the amount
physical memory in the system (or in case of containers, the
amount of memory). This allows scaling service resources neatly
the amount of RAM available on the system. Similarly, systemd-
RuntimeDirectorySize= option now also optionally takes
* In similar fashion TasksMax= takes percentage values now, too.
value is taken relative to the configured maximum number of
on the system. The per-service task maximum has been changed to
using this functionality. (Effectively this is an increase of
4915 for service units, given the kernel's default pid_max
* Calendar time specifications in .timer units now understand a
syntax for time ranges. Example: "4..7:10" may now be used for
defining a timer that is triggered at 4:10am, 5:10am, 6:10am and
7:10am every day.
* The InaccessableDirectories=, ReadOnlyDirectories= and
ReadWriteDirectories= unit file settings have been renamed to
InaccessablePaths=, ReadOnlyPaths= and ReadWritePaths= and may
applied to all kinds of file nodes, and not just directories,
the exception of symlinks. Specifically these settings may now
used on block and character device nodes, UNIX sockets and FIFOS
well as regular files. The old names of these settings remain
available for compatibility.
* systemd will now log about all service processes it kills
(using SIGKILL) because they remained after the clean shutdown
of the service completed. This should help identifying services
shut down uncleanly. Moreover if KillUserProcesses= is enabled
systemd-logind's configuration a similar log message is
processes killed at the end of each session due to this setting.
* systemd will now set the $JOURNAL_STREAM environment variable
services whose stdout/stderr are connected to the Journal (which
effectively means by default: all services). The variable
the device and inode number of the file descriptor used for
stdout/stderr. This may be used by invoked programs to detect
their stdout/stderr is connected to the Journal, in which case
can switch over to direct Journal communication, thus being able
pass extended, structured metadata along with their log
one example, this is now used by glib's logging primitives.
* When using systemd's default tmp.mount unit for /tmp, the mount
will now be established with the "nosuid" and "nodev" options.
avoids privilege escalation attacks that put traps and exploits
/tmp. However, this might cause problems if you e. g. put
images or overlays into /tmp; if you need this, override
"Options=" with a drop-in, or mount /tmp from /etc/fstab with
* systemd now supports the "memory" cgroup controller also on
* The systemd-cgtop tool now optionally takes a control group path
command line argument. If specified, the control group list
limited to subgroups of that group.
* The SystemCallFilter= unit file setting gained support for
pre-defined, named system call filter sets. For example
SystemCallFilter=@clock is now an effective way to make all
changing-related system calls unavailable to a service. A number
similar pre-defined groups are defined. Writing system call
for system services is simplified substantially with this new
concept. Accordingly, all of systemd's own, long-running
enable system call filtering based on this, by default.
* A new service setting MemoryDenyWriteExecute= has been added,
a boolean value. If turned on, a service may no longer create
mappings that are writable and executable at the same time. This
enhances security for services where this is enabled as it
harder to dynamically write and then execute memory in exploited
service processes. This option has been enabled for all of
own long-running services.
* A new RestrictRealtime= service setting has been added, taking a
boolean argument. If set the service's processes may no longer
acquire realtime scheduling. This improves security as realtime
scheduling may otherwise be used to easily freeze the system.
* systemd-nspawn gained a new switch --notify-ready= taking a
value. This may be used for requesting that the system manager
of the container reports start-up completion to nspawn which
propagates this notification further to the service manager
supervising nspawn itself. A related option NotifyReady= in
files has been added too. This functionality allows ordering of
start-up of multiple containers using the usual systemd ordering
* machinectl gained a new command "stop" that is an alias for
* systemd-resolved gained support for contacting DNS servers on
link-local IPv6 addresses.
* If systemd-resolved receives the SIGUSR2 signal it will now
its caches. A method call for requesting the same operation has
added to the bus API too, and is made available via "systemd-
* systemd-resolve gained a new --status switch. If passed a brief
summary of the used DNS configuration with per-interface
* resolved.conf gained a new Cache= boolean option, defaulting to
on. If turned off local DNS caching is disabled. This comes with
performance penalty in particular when DNSSEC is enabled. Note
resolved disables its internal caching implicitly anyway, when
configured DNS server is on a host-local IP address such as ::1
127.0.0.1, thus automatically avoiding double local caching.
* systemd-resolved now listens on the local IP address
for DNS requests. This improves compatibility with local
that do not use the libc NSS or systemd-resolved's bus APIs for
resolution. This minimal DNS service is only available to local
programs and does not implement the full DNS protocol, but
cover local DNS clients. A new, static resolv.conf file, listing
this DNS server is now shipped in /usr/lib/systemd/resolv.conf.
now recommended to make /etc/resolv.conf a symlink to this file
order to route all DNS lookups to systemd-resolved, regardless
done via NSS, the bus API or raw DNS packets. Note that this
DNS service is not as fully featured as the libc NSS or
systemd-resolved's bus APIs. For example, as unicast DNS cannot
used to deliver link-local address information (as this implies
sending a local interface index along), LLMNR/mDNS support via
interface is severely restricted. It is thus strongly
all applications to use the libc NSS API or native systemd-
bus API instead.
* systemd-networkd's bridge support learned a new setting
VLANFiltering= for controlling VLAN filtering. Moreover a new
in .network files has been added for configuring VLAN bridging
more detail: VLAN=, EgressUntagged=, PVID= in [BridgeVLAN].
* systemd-networkd's IPv6 Router Advertisement code now makes use
the DNSSL and RDNSS options. This means IPv6 DNS configuration
now be acquired without relying on DHCPv6. Two new options
UseDomains= and UseDNS= have been added to configure this
* systemd-networkd's IPv6AcceptRouterAdvertisements= option has
renamed IPv6AcceptRA=, without altering its behaviour. The old
setting name remains available for compatibility reasons.
* The systemd-networkd VTI/VTI6 tunneling support gained new
Key=, InputKey= and OutputKey=.
* systemd-networkd gained support for VRF ("Virtual Routing
* "systemctl edit" may now be used to create new unit files by
specifying the --force switch.
* sd-event gained a new function sd_event_get_iteration() for
requesting the current iteration counter of the event loop. It
at zero and is increased by one with each event loop iteration.
* A new rpm macro %systemd_ordering is provided by the
file. It can be used in lieu of %systemd_requires in packages
don't use any systemd functionality and are intended to be
in minimal containers without systemd present. This macro
ordering dependecies to ensure that if the package is installed
the same rpm transaction as systemd, systemd will be installed
the scriptlets for the package are executed, allowing unit
to be handled.
New macros %_systemdgeneratordir and %_systemdusergeneratordir
been added to simplify packaging of generators.
* The os-release file gained VERSION_CODENAME field for the
distribution nickname (e.g. VERSION_CODENAME=woody).
* New udev property UDEV_DISABLE_PERSISTENT_STORAGE_RULES_FLAG=1
can be set to disable parsing of metadata and the creation
of persistent symlinks for that device.
* The v230 change to tag framebuffer devices (/dev/fb*) with
to make them available to logged-in users has been reverted.
* Much of the common code of the various systemd components is now
built into an internal shared library libsystemd-shared-231.so
(incorporating the systemd version number in the name, to be
with future releases) that the components link to. This should
decrease systemd footprint both in memory during runtime and on
disk. Note that the shared library is not for public use, and is
neither API not ABI stable, but is likely to change with every
released update. Packagers need to make sure that binaries
linking to libsystemd-shared.so are updated in step with the
* Configuration for "mkosi" is now part of the systemd
repository. mkosi is a tool to easily build legacy-free OS
and is available on github: https://github.com/systemd/mkosi. If
"mkosi" is invoked in the build tree a new raw OS image is
incorporating the systemd sources currently being worked on and
clean, fresh distribution installation. The generated OS image
booted up with "systemd-nspawn -b -i", qemu-kvm or on any
UEFI PC. This functionality is particularly useful to easily
local changes made to systemd in a pristine, defined
HACKING for details.
Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/3958#comment:3>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
More information about the lfs-book