| -rw-r--r-- | .mailmap | 11 | ||||
| -rw-r--r-- | Makefile.am | 6 | ||||
| -rw-r--r-- | NEWS | 321 | ||||
| -rw-r--r-- | configure.ac | 2 | ||||
| -rw-r--r-- | src/systemctl/systemctl.c | 4 | 
5 files changed, 334 insertions, 10 deletions
@@ -89,3 +89,14 @@ Eric Cook <llua@users.noreply.github.com>
 Lukáš Nykrýn <lnykryn@redhat.com>
 Heikki Kemppainen <heikki.kemppainen@nokia.com>
 Hendrik Brueckner <hbrueckner@users.noreply.github.com>
+Alexandros Frantzis <alexandros.frantzis@canonical.com>
+Alexander Kochetkov <al.kochet@gmail.com>
+Fionn Cleary <clearyf@tcd.ie>
+Michel Kraus <github@demonsphere.de> <27o@users.noreply.github.com>
+Charles (Chas) Williams <ciwillia@brocade.com>
+Emil Soleyman <emil@soleyman.com>
+Dmitry Khlebnikov <dmitry.khlebnikov@rea-group.com> <galaxy4public@users.noreply.github.com>
+Antoine Eiche <lewo@abesis.fr>
+Gianluca Boiano <morf3089@gmail.com>
+Paolo Giangrandi <paolo@luccalug.it>
+Karl Kraus <karl.kraus@tum.de> <laqueray@gmail.com>
diff --git a/Makefile.am b/Makefile.am
index 2f53ae8b22..292f63c408 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -39,12 +39,12 @@ SUBDIRS = . po
 .PRECIOUS: $(TEST_SUITE_LOG) Makefile
 LIBUDEV_CURRENT=7
-LIBUDEV_REVISION=5
+LIBUDEV_REVISION=6
 LIBUDEV_AGE=6
-LIBSYSTEMD_CURRENT=17
+LIBSYSTEMD_CURRENT=18
 LIBSYSTEMD_REVISION=0
-LIBSYSTEMD_AGE=17
+LIBSYSTEMD_AGE=18
 # Dirs of external packages
 dbuspolicydir=@dbuspolicydir@
@@ -2,6 +2,8 @@ systemd System and Service Manager
 CHANGES WITH 233 in spe
+        [ LIST FAR FROM COMPLETE YET ]
+
         * DBus policy files are now installed into /usr rather than /etc. Make
           sure your system has dbus >= 1.9.18 running before upgrading to this
           version, or override the install path with --with-dbuspolicydir= .
@@ -26,19 +28,330 @@ CHANGES WITH 233 in spe            The 'n' choice for the confirmation spawn prompt has been removed,            because its meaning was confusing. +          The prompt may now also be redirected to an alternative console by +          specifying the console as parameter to systemd.confirm_spawn=. +          * Services of Type=notify require a READY=1 notification to be sent            during startup. If no such message is sent, the service now fails,            even if the main process exited with a successful exit code. -        * The option MulticastDNS= of network configuration files has got -          actual implementation. With MulticastDNS=yes a host can resolve -          names of remote hosts and to reply to mDNS's A and AAAA requests -          from the hosts. +        * The option MulticastDNS= of network configuration files has acquire +          and actual implementation. With MulticastDNS=yes a host can resolve +          names of remote hosts and to reply to mDNS's A and AAAA requests from +          the hosts.          * When units are about to be started an additional check is now done to            ensure that all dependencies of type BindsTo= (when used in            combination with After=) have been started. +        * systemd-analyze gained a new verb "syscall-filter" which shows which +          system call groups are defined for the SystemCallFilter= unit file +          setting, and which system calls they precisely contain. + +        * A new system call filter group "@filesystem" has been added, +          consisting of various file system related system calls. A group +          "@reboot" has been added, covering reboot, kexec and shutdown related +          calls. Finally, a group "@swap" has been added covering swap +          configuration related calls. 
+ +        * A new unit file option RestrictNamespaces= has been added that may be +          used to restrict access to the various process namespace types the +          Linux kernel provides. Specifically, it may be used to take away the +          right for specific service units to create additional file system, +          networking, user, and other namespaces. This sandboxing option is +          particularly relevant due to the high amount of recently discovered +          namespacing related vulnerabilities in the kernel. + +        * .link gained support for a new AutoNegotiation= setting for +          configuring Ethernet auto-negotiation. + +        * systemd-networkd's .network files gained support for a new +          ListenPort= setting in the [DHCP] section to explicitly configure the +          UDP client port the DHCP client shall listen on. + +        * New systemd-specific mount options are now understood in /etc/fstab: + +          x-systemd.mount-timeout= may be used to configure the maximum +          permitted runtime of the mount command. + +          x-systemd.device-bound may be set to bind a mount point to its +          backing device unit, in order to automatically remove a mount point +          if its backing device is unplugged. This option may also be +          configured through the new SYSTEMD_MOUNT_DEVICE_BOUND udev property +          on the block device, which is now automatically set for all CDROM +          drives, so that mounted CDs are automatically unmounted when they are +          removed from the drive. + +          x-systemd.after= and x-systemd.before= may be use to explicitly order +          a mount after or before another unit or mount point. + +        * Enqueued start jobs for device units are now automatically garbage +          collected if there are no jobs waiting for them anymore. + +        * systemctl list-jobs gained two new switches: --after and +          --before. 
When specified for all queued jobs it is shown which other +          queued jobs are waiting for it, or the job is waiting for. + +        * systemd-nspawn gained support for ephemeral boots from disk images +          (or in other words: --ephemeral and --image= may now be +          combined). Moreover, ephemeral boots are now supported for normal +          directories, even if the backing file system is not btrfs. Of course, +          if the used file system does not support file system snapshots or +          reflinks the initial copy operation will be relatively expensive, but +          this should still be suitable for many usecases. + +        * Calendar time specifications in .timer units now support +          specifications relative to the end of a month by using "~" instead of +          "-" as separator between month and day. For example, "*-02~03" means +          "The third last day in February". In addition a new syntax for +          repeated events has been added using the "/" character. For example, +          "9..17/2:00" means "every two hours from 9am to 5pm". + +        * systemd-socket-proxyd gained a new parameter --connections-max= for +          configuring the maximum number of concurrent connections. + +        * All python scripts shipped with systemd (specifically: the various +          tests written in Python) now require Python 3. + +        * sd-id128 gained a new API for generating unique IDs for the host, +          that do not leak the machine ID. Specifically, +          sd_id128_get_machine_app_specific() derives an ID based on the +          machine ID in well-defined, non-reversible, stable way. This is +          useful whenever an identifier for the host is needed but where the +          identifier shall not be useful to identify the system beyond the +          scope of the application itself. (Internally this uses HMAC-SHA256 as +          keyed hash function using the machine ID as input.) 
+ +        * NotifyAccess= gained a new supported value "exec". When set +          notifications are accepted from all processes systemd itself invoked, +          including all control processes. + +        * .nspawn files gained support for defining overlay mounts using the +          Overlay= and OverlayReadOnly= options. Previously this functionality +          was only available on the systemd-nspawn command line. + +        * systemd-nspawn's --bind= and --overlay= options gained support for +          bind/overlay mounts whose source lies within the container tree by +          prefixing the source path with "+". + +        * systemd-nspawn's --bind= and --overlay= options gained support for +          automatically allocating a temporary source directory in /var/tmp +          that is removed when the container dies. Specifically, if the source +          directory is specified as empty string this mechanism is selected. An +          example usage is --overlay=+/var::/var, which creates an overlay +          mount based on the original /var contained in the image, overlayed +          with a temporary directory in the host's /var/tmp. This way changes +          to /var are automatically flushed when the container shuts down. + +        * .network files gained a new Unmanaged= boolean setting for explicitly +          excluding one or more interfaces from management by systemd-networkd. + +        * systemd-nspawn's disk image dissection code has been updated. Among +          other things it's not permitted to pass raw file system block devices +          to the --image= option (in addition to images containing partition +          tables, as before). + +        * The disk image dissection logic in systemd-nspawn gained support for +          automatically setting up LUKS encrypted as well as Verity protected +          partitions. When a container is booted from an encrypted image the +          passphrase is queried at start-up time. 
When a container with Verity +          data is started, the root hash is search in a ".roothash" file +          accompanying the disk image (alternatively, pass the root hash via +          the new --root-hash= command line option). + +        * A new tool /usr/lib/systemd/systemd-dissect has been added that may +          be used to dissect disk images the same way as systemd-nspawn does +          it, following the Bootable Partition Specification. It may even be +          used to mount disk images with complex partition setups (including +          LUKS and Verity partitions) to a local host directory, in order to +          inspect them. This tool is not considered public API (yet), and is +          thus not installed into /usr/bin. Please do not rely on its +          existance, since it might go away or be changed in later systemd +          versions. + +        * A new generator "systemd-verity-generator" has been added, similar in +          style to "systemd-cryptsetup-generator" permitting automatic setup of +          Verity root partitions when systemd boots up. In order to make use of +          this your partition setup should follow the Discoverable Partitions +          Specification, and the GPT partition ID of the root file system +          partition should be identical to the upper 128bit of the Verity root +          hash. The GPT partition ID of the Verity partition protecting it +          should be the lower 128bit of the Verity root hash. If the partition +          image follows this model it is sufficient to specify a single +          "roothash=" kernel command line argument to both configure which root +          image and verity partition to use as well as the root hash for +          it. 
Note that systemd-nspawn's Verity support follows the same +          semantics, meaning that disk images with proper Verity data in place +          may be booted in containers with systemd-nspawn as well as on +          physical systems via the verity generator. Also note that the "mkosi" +          tool available at https://github.com/systemd/mkosi has been updated +          to generate Verity protected disk images following this scheme. In +          fact, it has been updated to generate disk images that optionally +          implement a complete UEFI SecureBoot trust chain, involving a signed +          kernel and initrd image that incorporates such a root hash as well as +          a Verity-enabled root partition. + +        * Support for the %c, %r, %R specifiers in unit files has been +          removed. Specifiers are not supposed to be dependent on configuration +          of unit files themselves (so that they resolve to the same regardless +          where used in the unit files), but these options were due to the +          existence of the Slice= option. + +        * The various options in the [Match] section of .network files gained +          support for negative matching. + +        * The hardware database (hwdb) udev supports has been updated to carry +          accelerometer quirks. + +        * All system services are now run with a fresh kernel keyring set up +          for them. The invocation ID is stored by default in it, thus +          providing a safe, non-overridable way to determine the invocation +          ID of each service. + +        * Service unit files gained new BindPaths= and BindReadOnlyPaths= +          options for bind mounting arbitrary paths in a service-specific +          way. When these options are used, arbitrary host or service files and +          directories may be mounted to arbitrary locations in the service's +          view. 
+ +        * Documentation has been added that lists all of systemd's low-level +          environment variables: + +          https://github.com/systemd/systemd/blob/master/ENVIRONMENT.md + +        * sd-daemon gained a new API sd_is_socket_sockaddr() for determining +          whether a specific socket file descriptor matches a specified socket +          address. + +        * systemd-firstboot has been updated to check for the +          systemd.firstboot= kernel command line option. It accepts a boolean +          and when set to false the first boot questions are skipped. + +        * The systemd-networkd ProxyARP= option has been renamed to +          IPV4ProxyARP=.  Similar, VXLAN-specific option ARPProxy= has been +          renamed to ReduceARPProxy=. The old names continue to be available +          for compatibility. + +        * systemd-networkd's bonding device support gained support for two new +          configuration options ActiveSlave= and PrimarySlave=. + +        * systemd-fstab-generator has been updated to check for the +          systemd.volatile= kernel command line option, which either takes a +          boolean parameter or the special value "state". If used the system +          may be booted in a "volatile" boot mode. Specifically, +          systemd.volatile=yes is used, the root directory will be mounted as +          tmpfs, and only /usr is mounted from the actual root file system. If +          systemd.volatile=state is used, the root directory will be mounted as +          usual, but /var is mounted as tmpfs. This concept provides similar +          functionality as systemd-nspawn's --volatile= option, but provides it +          on physical boots. Use this option for implementing stateless +          systems, or testing systems with all state and/or configuration reset +          to the defaults. 
(Note though that many distributions are not +          prepared to boot up without a populated /etc or /var, though) + +        * systemd-gpt-auto-generator gained support for LUKS encrypted root +          partitions. Previously it only supported LUKS encrypted partitions +          for all other uses, except for the root partition itself. + +        * Socket units gained support for listening on AF_VSOCK sockets for +          communication in virtualized QEMU environments. + +        * The "configure" script gained a new option --with-fallback-hostname= +          for specifying the fallback hostname to use if none is configured in +          /etc/hostname. For example, by specifying +          --with-fallback-hostname=fedora it is possible to default to a +          hostname of "fedora" when the user didn't specify anything +          explicitly. + +        * systemd-cgls gained support for a new --unit= switch for listing only +          the control groups of a specific unit. Similar --user-unit= has been +          added for listing only the control groups of a specific user unit. + +        * systemd-mount gained a new --umount switch for unmounting a mount or +          automount point (and all mount/automount points below it). + +        * systemd will now refuse full configuration reloads (via systemctl +          daemon-reload and related calls) unless at least 16MiB of free space +          are available in /run. This is a safety precaution in order to ensure +          that generators can safely operate after the reload completed. + +        * A new unit file option RootImage= has been added, which has a similar +          effect as RootDirectory= but mounts the service's root directory from +          a disk image instead of plain directory. 
This logic reuses the same +          image dissection and mount logic that systemd-nspawn already uses, +          and hence supports any disk images systemd-nspawn supports, including +          those following the Discoverable Partition Specification, as well as +          Verity enabled images. This option enables systemd to run system +          services directly off disk images acting as resource bundles, +          possibly even including full integrity data. + +        * A new MountAPIVFS= unit file option has been added, taking a boolean +          argument. If enabled /proc, /sys and /proc (collectively called the +          "API VFS") will be mounted for the service. This is only relevant if +          RootDirectory= or RootImage= is used for the service, as these mounts +          are of course in place in the host mount namespace anyway. + +        * systemd-nspawn gained support for a new --pivot-root= switch. If +          specified the root directory within the container image is pivoted to +          the specified mount point, while the original root disk is moved to a +          different place. This option enables booting of ostree images +          directly with systemd-nspawn. + +        * systemd-networkd gained support for configuring IPv6 Proxy NDP +          addresses via the new IPv6ProxyNDPAddress= .network file setting. + +        * The systemd build scripts will no longer complain if the NTP server +          addresses are not changed from the defaults. Google is now supporting +          these NTP servers officially. We still recommend downstreams to +          properly register an NTP pool with the NTP pool project though. + +        * coredumpctl gained new new "--reverse" option for printing the list +          of coredumps in reverse order. 
+
+        * The systemd-coredump logic has been improved so that it may be reused
+          for collecting backtraces in non-compiled languages, for example in
+          scripting languages such as Python.
+
+        * machinectl will now show the UID shift of local containers, if user
+          namespacing is enabled for them.
+
+        * systemd will not optionally run "environment generator" binaries at
+          configuration load time. They may be used to add environment
+          variables to the environment block passed to services invoked. One
+          user environment generator is shipped by default, that sets up
+          environment variables based on files dropped into
+          ~/.config/environment.d/.
+
+        Contributions from: Adrián López, Alexander Galanin, Alexander
+        Kochetkov, Alexandros Frantzis, Andrey Ulanov, Antoine Eiche, Baruch
+        Siach, Bastien Nocera, Benjamin Robin, Björn, Brandon Philips, Cédric
+        Schieli, Charles (Chas) Williams, Christian Hesse, Daniele Medri,
+        Daniel Drake, Daniel Rusek, Daniel Wagner, Dan Streetman, Dave Reisner,
+        David Glasser, David Herrmann, David Michael, Djalal Harouni, Dmitry
+        Khlebnikov, Dmitry Rozhkov, Dongsu Park, Douglas Christman, Earnestly,
+        Emil Soleyman, Eric Cook, Evgeny Vereshchagin, Felipe Sateler, Fionn
+        Cleary, Florian Klink, Francesco Brozzu, Franck Bui, Gabriel Rauter,
+        Gianluca Boiano, Graeme Lawes, Hans de Goede, Harald Hoyer, Ian
+        Kelling, Ivan Shapovalov, Jakub Wilk, Janne Heß, Jan Synacek, Jason
+        Reeder, Jonathan Boulle, Jörg Thalheim, Jouke Witteveen, Karl Kraus,
+        Kees Cook, Keith Busch, Kieran Colford, kilian-k, Lennart Poettering,
+        Lubomir Rintel, Lucas Werkmeister, Lukas Rusak, Maarten de Vries, Maks
+        Naumov, Mantas Mikulėnas, Marc-Andre Lureau, Marcin Bachry, Mark
+        Stosberg, Martin Ejdestig, Martin Pitt, micah, Michael Biebl, Michael
+        Shields, Michal Schmidt, Michal Sekletar, Michel Kraus, Mike Gilbert,
+        Mirza Krak, Namhyung Kim, nikolaof, peoronoob, Peter Hutterer, Peter
+        Körner, Philip Withnall, Piotr Drąg, Ray Strode, Reverend Homer,
+        Rike-Benjamin Schuppner, Robert Kreuzer, Ronny Chevalier, Ruslan
+        Bilovol, sammynx, Sergey Ptashnick, Sergiusz Urbaniak, Stefan Berger,
+        Stefan Hajnoczi, Stefan Schweter, Susant Sahani, Sylvain Plantefève,
+        Taylor Smock, Thomas Blume, Thomas H. P. Andersen, Tobias Stoeckmann,
+        Tom Gundersen, Torstein Husebø, Viktar Vaŭčkievič, Viktor Mihajlovski,
+        Waldemar Brodkorb, Walter Garcia-Fontes, Wim de With, Yassine
+        Imounachen, Yi EungJun, Yu Watanabe, Zbigniew Jędrzejewski-Szmek,
+        Александр Тихонов
+
+        — Santa Fe, 2017-02-XX
+
 CHANGES WITH 232:
         * The new RemoveIPC= option can be used to remove IPC objects owned by
diff --git a/configure.ac b/configure.ac
index b55d7d9f3b..0e7bd1b76b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -20,7 +20,7 @@
 AC_PREREQ([2.64])
 AC_INIT([systemd],
-        [232],
+        [233],
         [http://github.com/systemd/systemd/issues],
         [systemd],
         [http://www.freedesktop.org/wiki/Software/systemd])
diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
index c2af46d4ee..157a46865f 100644
--- a/src/systemctl/systemctl.c
+++ b/src/systemctl/systemctl.c
@@ -7330,7 +7330,7 @@ static int systemctl_parse_argv(int argc, char *argv[]) {
                 case 't': {
                         if (isempty(optarg)) {
-                                log_error("--type requires arguments.");
+                                log_error("--type= requires arguments.");
                                 return -EINVAL;
                         }
@@ -7570,7 +7570,7 @@ static int systemctl_parse_argv(int argc, char *argv[]) {
                 case ARG_STATE: {
                         if (isempty(optarg)) {
-                                log_error("--state requires arguments.");
+                                log_error("--state= requires arguments.");
                                 return -EINVAL;
                         }
