Systemd 251 rc1 lançado para Linux

O gerenciador de sistema e serviços Systemd versão 251 rc1 é lançado com dezenas de correções e novidades, confira.



Systemd


systemd é um gerenciador de sistema e serviços para Linux. Fornece alta capacidade de paralelização, utiliza ativação via D-Bus e soquete para iniciar serviços, oferece inicialização de daemons sob demanda, acompanha os processos usando grupos de controle do Linux, mantém pontos de montagem e automontagem e implementa uma elaborada lógica de controle de serviço baseada em dependência transacional.
systemd é compatível com scripts de inicialização SysV e LSB e pode trabalhar como um substituto para o sysvinit. 

 


Systemd 251 rc1

O primeiro RC do systemd 251 conta com uma grande atualização, contendo muitas mudanças, com os destaques para as novidades.

reboot-for-bitlocker - Implementa a inicialização do Microsoft Windows a partir do sd-boot de uma maneira que primeiro reinicialize o sistema, para redefinir o TPM PCR. Isso melhora a compatibilidade com o uso do TPM do BitLocker, pois o Os PCRs gravarão apenas o processo de inicialização do Windows e não o sd-boot em si, retendo assim as medições de PCR que não envolvem sd-boot.

systemd-sysupdate - Tem a função de procurar, baixa e instala atualizações de estilo A/B para o host de instalação em si, ou imagens de contêiner, imagens de serviço portáteis, e outros bens.

No quadro abaixo você pode ler o grande log completo.

 

The minimum kernel version required has been bumped from 3.13 to 3.15, and CLOCK_BOOTTIME is now assumed to always exist. C11 with GNU extensions (aka "gnu11") is now used to build our components. Public API headers are still restricted to ISO C89. In v250, a systemd-networkd feature that automatically configures routes to addresses specified in AllowedIPs= was added and enabled by default. However, this causes network connectivity issues in many existing setups. Hence, it has been disabled by default since systemd-stable 250.3. The feature can still be used by explicitly configuring RouteTable= setting in .netdev files. Jobs started via StartUnitWithFlags() will no longer return 'skipped' when a Condition*= check does not succeed, restoring the JobRemoved signal to the behaviour it had before v250. The org.freedesktop.portable1 methods GetMetadataWithExtensions() and GetImageMetadataWithExtensions() have been fixed to provide an extra return parameter, containing the actual extension release metadata. The current implementation was judged to be broken and unusable, and thus the usual procedure of adding a new set of methods was skipped, and backward compatibility broken instead on the assumption that nobody can be affected given the current state of this interface. All kernels supported by systemd mix RDRAND (or similar) into the entropy pool at early boot. This means that on those systems, even if /dev/urandom is not yet initialized, it still returns bytes that that are at least as high quality as RDRAND. For that reason, we no longer have reason to invoke RDRAND from systemd itself, which has historically been a source of bugs. Furthermore, kernels ≥5.6 provide the getrandom(GRND_INSECURE) interface for returning random bytes before the entropy pool is initialized without warning into kmsg, which is what we attempt to use if available. systemd's direct usage of RDRAND has been removed. x86 systems ≥Broadwell that are running an older kernel may experience kmsg warnings that were not seen with 250. For newer kernels, non-x86 systems, or older x86 systems, there should be no visible changes. sd-boot will now measure the kernel command line into TPM PCR 12 rather than PCR 8. This improves usefulness of the measurements on systems where sd-boot is chainloaded from Grub. Grub measures all commands its executes into PCR 8, which makes it very hard to use reasonably, hence separate ourselves from that and use PCR 12 instead, which is what certain Ubuntu editions already do. To retain compatibility with systems running older systemd systems a new meson option 'efi-tpm-pcr-compat' has been added (which defaults to false). If enabled, the measurement is done twice: into the new-style PCR 12 and the old-style PCR 8. It's strongly advised to migrate all users to PCR 12 for this purpose in the long run, as we intend to remove this compatibility feature in two year's time. busctl capture now writes output in the newer pcapng format instead of pcap. An udev rule that imported hwdb matches for USB devices with lowercase hexadecimal vendor/product ID digits was added in systemd 250. This has been reverted, since uppercase hexadecimal digits are supposed to be used, and we already had a rule that with the appropriate match. Users might need to adjust their local hwdb entries. arch_prctl(2) has been moved to the @default set in the syscall filters (as exposed via the SystemCallFilter= setting in service unit files). It is apparently used by the linker now. Changes in the Boot Loader Specification, kernel-install and sd-boot: kernel-install's and bootctl's Boot Loader Specification Type #1 entry generation logic has been reworked. The user may now pick explicitly by which "token" string to name the installation's boot entries, via the new /etc/kernel/entry-token file or the new --entry-token= switch to bootctl. By default — as before — the entries are named after the local machine ID. However, in "golden image" environments, where the machine ID shall be initialized on first boot (as opposed to at installation time before first boot) the machine ID will not be available at build time. In this case the --entry-token= switch to bootctl (or the /etc/kernel/entry-token file) may be used to override the "token" for the entries, for example the IMAGE_ID= or ID= fields from /etc/os-release. This will make the OS images independent of any machine ID, and ensure that the images will not carry any identifiable information before first boot, but on the other hand means that multiple parallel installations of the very same image on the same disk cannot be supported. Summary: if you are building golden images that shall acquire identity information exclusively on first boot, make sure to both remove /etc/machine-id and to write /etc/kernel/entry-token to the value of the IMAGE_ID= or ID= field of /etc/os-release or another suitable identifier before deploying the image. The Boot Loader Specification has been extended with /loader/entries.srel file located in the EFI System Partition (ESP) that disambiguates the format of the entries in the /loader/entries/ directory (in order to discern them from incompatible uses of this directory by other projects). For entries that follow the Specification, the string "type1" is stored in this file. bootctl will now write this file automatically when installing the systemd-boot boot loader. kernel-install supports a new initrd_generator= setting in /etc/kernel/install.conf, that is exported as $KERNEL_INSTALL_INITRD_GENERATOR to kernel-install plugins. This allows choosing different initrd generators. kernel-install will now create a "staging area" (an initially-empty directory to gather files for a Boot Loader Specification Type #1 entry). The path to this directory is exported as $KERNEL_INSTALL_STAGING_AREA to kernel-install plugins, which should drop files there instead of writing them directly to the final location. kernel-install will move them when all files have been prepared successfully. New option sort-key= has been added to the Boot Loader Specification to override the sorting order of the entries in the boot menu. It is read by sd-boot and bootctl, and will be written by kernel-install, with the default value of IMAGE_ID= or ID= fields from os-release. Together, this means that on multiboot installations, entries should be grouped and sorted in a predictable way. The sort order of boot entries has been updated: entries which have the new field sort-key= are sorted by it first, and all entries without it are ordered later. After that, entries are sorted by version so that newest entries are towards the beginning of the list. The kernel-install tool gained a new 'inspect' verb which shows the paths and other settings used. sd-boot can now optionally beep when the menu is shown and menu entries are selected, which can be useful on machines without a working display. (Controllable via a loader.conf setting.) The --make-machine-id-directory= switch to bootctl has been replaced by --make-entry-directory=, given that the entry directory is not necessarily named after the machine ID, but after some other suitable ID as selected via --entry-token= described above. The old name of the option is still understood to maximize compatibility. 'bootctl list' gained support for a new --json= switch to output boot menu entries in JSON format. Changes in systemd-homed: Starting with v250 systemd-homed uses UID/GID mapping on the mounts of activated home directories it manages (if the kernel and selected file systems support it). So far it mapped three UID ranges: the range from 0…60000, the user's own UID, and the range 60514…65534, leaving everything else unmapped (in other words, the 16bit UID range is mapped almost fully, with the exception of the UID subrange used for systemd-homed users, with one exception: the user's own UID). Unmapped UIDs may not be used for file ownership in the home directory — any chown() attempts with them will fail. With this release a fourth range is added to these mappings: 524288…1879048191. This range is the UID range intended for container uses, see https://systemd.io/UIDS-GIDS. This range may be used for container managers that place container OS trees in the home directory (which is a questionable approach, for quota, permission, SUID handling and network file system compatibility reasons, but nonetheless apparently commonplace). Note that this mapping is mapped 1:1 in a pass-through fashion, i.e. the UID assignments from the range are not managed or mapped by systemd-homed, and must be managed with other mechanisms, in the context of the local system. Typically, a better approach to user namespacing in relevant container managers would be to leave container OS trees on disk at UID offset 0, but then map them to a dynamically allocated runtime UID range via another UID mount map at container invocation time. That way user namespace UID ranges become strictly a runtime concept, and do not leak into persistent file systems, persistent user databases or persistent configuration, thus greatly simplifying handling, and improving compatibility with home directories intended to be portable like the ones managed by systemd-homed. Changes in shared libraries: A new libsystemd-core-.so private shared library is installed under /usr/lib/systemd/system, mirroring the existing libsystemd-shared-.so library. This allows the total installation size to be reduced by binary code reuse. The tag used in the name of libsystemd-shared.so and libsystemd-core.so can be configured via the meson option 'shared-lib-tag'. Distributions may build subsequent versions of the systemd package with unique tags (e.g. the full package version), thus allowing multiple installations of those shared libraries to be available at the same time. This is intended to fix an issue where programs that link to those libraries would fail to execute because they were installed earlier or later than the appropriate version of the library. The sd-id128 API gained a new call sd_id128_to_uuid_string() that is similar to sd_id128_to_string() but formats the ID in RFC 4122 UUID format instead of simple series of hex characters. Changes in PID1, systemctl, and systemd-oomd: A new set of service monitor environment variables will be passed to OnFailure=/OnSuccess= handlers, but only if exactly one unit lists the handler unit as OnFailure=/OnSuccess=. The variables are: $MONITOR_SERVICE_RESULT, $MONITOR_EXIT_CODE, $MONITOR_EXIT_STATUS, $MONITOR_INVOCATION_ID and $MONITOR_UNIT. For cases when a single handler needs to watch multiple units, use a templated handler. A new ExtensionDirectories= setting in service unit files allows system extensions to be loaded from a directory. (It is similar to ExtensionImages=, but takes paths to directories, instead of disk image files.) 'portablectl attach --extension=' now also accepts directory paths. The user.delegate and user.invocation_id extended attributes on cgroups are used in addition to trusted.delegate and trusted.invocation_id. The latter pair requires privileges to set, but the former doesn't and can be also set by the unprivileged user manager. (Only supported on kernels ≥5.6.) Units that were killed by systemd-oomd will now have a service result of 'oom-kill'. The number of times a service was killed is tallied in the 'user.oomd_ooms' extended attribute. The OOMPolicy= unit file setting is now also honoured by systemd-oomd. In unit files the new %y/%Y specifiers can be used to refer to normalized unit file path, which is particularly useful for symlinked unit files. The new %R specifier resolves to the pretty hostname (i.e. PRETTY_HOSTNAME= from /etc/machine-info). The new %d specifier resolves to the credentials directory of a service (same as $CREDENTIALS_DIRECTORY). The RootDirectory=, MountAPIVFS=, ExtensionDirectories=, Capabilities=, ProtectHome=, *Directory=, TemporaryFileSystem=, PrivateTmp=, PrivateDevices=, PrivateNetwork=, NetworkNamespacePath=, PrivateIPC=, IPCNamespacePath=, PrivateUsers=, ProtectClock=, ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=, MountFlags= service settings now also work in unprivileged user services, i.e. those run by the user's --user service manager, as long as user namespaces are enabled on the system. Services with Restart=always and a failing ExecCondition= will no longer be restarted, to bring ExecCondition= behaviour in line with Condition*= settings. LoadCredential= now accepts a directory as the argument; all files from the directory will be loaded as credentials. A new D-Bus property ControlGroupId is now exposed on service units, that encapsulates the service's numeric cgroup ID that newer kernels assign to each cgroup. PID 1 gained support for configuring the "pre-timeout" of watchdog devices and the associated governor, via the new RuntimeWatchdogPreSec= and RuntimeWatchdogPreGovernor= configuration options in /etc/systemd/system.conf. systemctl's --timestamp= option gained a new choice "unix", to show timestamp as unix times, i.e. seconds since 1970, Jan 1st. 'systemctl enable' and similar commands will now create relative symlinks in .wants/ and .requires/ and for aliases. Most of the time systemd itself doesn't care, but absolute symlinks were causing wrong behaviour in case of aliases to linked unit files. The change was necessary to fix this aspect. Absolute links are interpreted as before, and it is still possible to create them via other means. Changes in systemd-journald: The journal JSON export format has been added to listed of stable interfaces (https://systemd.io/PORTABILITY_AND_STABILITY/). journalctl --list-boots now supports JSON output and the --reverse option. Under docs/: JOURNAL_EXPORT_FORMATS was imported from the wiki and updated, BUILDING_IMAGES is new: https://systemd.io/JOURNAL_EXPORT_FORMATS https://systemd.io/BUILDING_IMAGES Changes in udev: Two new hwdb files have been added. One lists "handhelds" (PDAs, calculators, etc.), the other AV production devices (DJ tables, keypads, etc.) that should accessible to the seat owner user by default. udevadm trigger gained a new --prioritized-subsystem= option to process certain subsystems (and all their parent devices) earlier. systemd-udev-trigger.service now uses this new option to trigger block and TPM devices first, hopefully making the boot a bit faster. udevadm trigger now implements --type=all, --initialized-match, --initialized-nomatch to trigger both subsystems and devices, only already-initialized devices, and only devices which haven't been initialized yet, respectively. .link files gained support for setting MDI/MID-X on a link. .link files gained support for [Match] Firmware= setting to match on the device firmware description string. By mistake, it was previously only supported in .network files. .link files gained support for [Link] SR-IOVVirtualFunctions= setting and [SR-IOV] section to configure SR-IOV virtual functions. Changes in systemd-networkd: The default scope for unicast routes configured through [Route] section is changed to "link", to make the behavior consistent with "ip route" command. The manual configuration of [Route] Scope= is still honored. A new unit systemd-networkd-wait-online@.service has been added that can be used to wait for a specific network interface to be up. systemd-networkd gained a new [Bridge] Isolated=true|false setting that configures the eponymous kernel attribute on the bridge. .netdev files now can be used to create virtual WLAN devices, and configure various settings on them, via the [WLAN] section. .link/.network files gained support for [Match] Kind= setting to match on device kind ("bond", "bridge", "gre", "tun", "veth", etc.) This value is also shown by 'networkctl status'. The Local= setting in .netdev files for various virtual network devices gained support for specifying, in addition to the network address, the name of a local interface which must have the specified address. systemd-networkd gained a new [Tunnel] External= setting in .netdev files, to configure tunnels in external mode (a.k.a. collect metadata mode). [Network] L2TP= setting was removed. Please use interface specifier in Local= setting in .netdev files of corresponding L2TP interface. New [DHCPServer] BootServerName=, BootServerAddress=, and BootFilename= settings can be used to configure the server address, server name, and file name sent in the DHCP packet (e.g. to configure PXE boot). Changes in systemd-resolved: systemd-resolved is started earlier (in sysinit.target), so it available earlier and will also be started in the initrd if installed there. Changes in disk encryption: systemd-cryptenroll can now control whether to require the user to enter a PIN when using TPM-based unlocking of a volume via the new --tpm2-with-pin= option. Option tpm2-pin= can be used in /etc/crypttab. When unlocking devices via TPM, TPM2 parameter encryption is now used, to ensure that communication between CPU and discrete TPM chips cannot be eavesdropped to acquire disk encryption keys. Changes in systemd-hostnamed: HARDWARE_VENDOR= and HARDWARE_MODEL= can be set in /etc/machine-info to override the values gleaned from the hwdb. A ID_CHASSIS property can be set in the hwdb (for the DMI device /sys/class/dmi/id) to override the chassis that is reported by hostnamed. hostnamed's D-Bus interface gained a new method GetHardwareSerial() for reading the hardware serial number, as reportd by DMI. Changes in other components: /etc/locale.conf is now populated through tmpfiles.d factory /etc/ handling with the values that were configured during systemd build (if /etc/locale.conf has not been created through some other mechanism). This means that /etc/locale.conf should always have reasonable contents and we avoid a potential mismatch in defaults. The userdbctl tool will now show UID range information as part of the list of known users. A new build-time configuration setting default-user-shell= can be used to set the default shell for user records and nspawn shell invocations (instead of of the default /bin/bash).

 

Fonte

Comentários

Você precisa ver isso

Todos os arquivos do blog

Mostrar mais