systemd 256 released

🎆 A new, official systemd release has just 🎉 been 🎊 tagged 🍾. Please download the tarball here:

        https://github.com/systemd/systemd/archive/v256.tar.gz

Changes since the previous release:

        Announcements of Future Feature Removals and Incompatible Changes:

        * Support for automatic flushing of the nscd user/group database caches
          will be dropped in a future release.

        * Support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now
          considered obsolete and systemd by default will refuse to boot under
          it. To forcibly reenable cgroup v1 support,
          SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 must be set on kernel command
          line. The meson option 'default-hierarchy=' is also deprecated, i.e.
          only cgroup v2 ('unified' hierarchy) can be selected as build-time
          default.

        * Support for System V service scripts is deprecated and will be
          removed in a future release. Please make sure to update your software
          *now* to include a native systemd unit file instead of a legacy
          System V script to retain compatibility with future systemd releases.

        * Support for the SystemdOptions EFI variable is deprecated.
          'bootctl systemd-efi-options' will emit a warning when used. It seems
          that this feature is little-used and it is better to use alternative
          approaches like credentials and confexts. The plan is to drop support
          altogether at a later point, but this might be revisited based on
          user feedback.

        * systemd-run's switch --expand-environment= which currently is disabled
          by default when combined with --scope, will be changed in a future
          release to be enabled by default.

        * Previously, systemd-networkd did not explicitly remove any bridge
          VLAN IDs assigned on bridge master and ports. Since version 256, if a
          .network file for an interface has at least one valid setting in the
          [BridgeVLAN] section, then all assigned VLAN IDs on the interface
          that are not configured in the .network file are removed.

        * IPForward= setting in .network file is deprecated and replaced with
          IPv4Forwarding= and IPv6Forwarding= settings. These new settings are
          supported both in .network file and networkd.conf. If specified in a
          .network file, they control corresponding per-link settings. If
          specified in networkd.conf, they control corresponding global
          settings. Note, previously IPv6SendRA= and IPMasquerade= implied
          IPForward=, but now they imply the new per-link settings. One of the
          simplest ways to migrate configurations, that worked as a router with
          the previous version, is enabling both IPv4Forwarding= and
          IPv6Forwarding= in networkd.conf. See systemd.network(5) and
          networkd.conf(5) for more details.

        * systemd-gpt-auto-generator will stop generating units for ESP or
          XBOOTLDR partitions if it finds mount entries for or below the /boot/
          or /efi/ hierarchies in /etc/fstab. This is to prevent the generator
          from interfering with systems where the ESP is explicitly configured
          to be mounted at some path, for example /boot/efi/ (this type of
          setup is obsolete, but still commonly found).

        * The behavior of systemd-sleep and systemd-homed has been updated to
          freeze user sessions when entering the various sleep modes or when
          locking a homed-managed home area. This is known to cause issues with
          the proprietary NVIDIA drivers. Packagers of the NVIDIA proprietary
          drivers may want to add drop-in configuration files that set
          SYSTEMD_SLEEP_FREEZE_USER_SESSIONS=false for systemd-suspend.service
          and related services, and SYSTEMD_HOME_LOCK_FREEZE_SESSION=false for
          systemd-homed.service.

        * systemd-tmpfiles and systemd-sysusers, when given a relative
          configuration file path (with at least one directory separator '/'),
          will open the file directly, instead of searching for the given
          partial path in the standard locations. The old mode wasn't useful
          because tmpfiles.d/ and sysusers.d/ configuration has a flat
          structure with no subdirectories under the standard locations and
          this change makes it easier to work with local files with those
          tools.

        * systemd-tmpfiles now properly applies nested configuration to 'R' and
          'D' stanzas. For example, with the combination of 'R /foo' and 'x
          /foo/bar', /foo/bar will now be excluded from removal.

        * systemd.crash_reboot and related settings are deprecated in favor of
          systemd.crash_action=.

        General Changes and New Features:

        * Various programs will now attempt to load the main configuration file
          from locations below /usr/lib/, /usr/local/lib/, and /run/, not just
          below /etc/. For example, systemd-logind will look for
          /etc/systemd/logind.conf, /run/systemd/logind.conf,
          /usr/local/lib/systemd/logind.conf, and /usr/lib/systemd/logind.conf,
          and use the first file that is found.  This means that the search
          logic for the main config file and for drop-ins is now the same.

          Similarly, kernel-install will look for the config files in
          /usr/lib/kernel/ and the other search locations, and now also
          supports drop-ins.

          systemd-udevd now supports drop-ins for udev.conf.

        * A new 'systemd-vpick' binary has been added. It implements the new
          vpick protocol, where a "*.v/" directory may contain multiple files
          which have versions (following the UAPI version format specification)
          embedded in the file name. The files are ordered by version and
          the newest one is selected.

          systemd-nspawn --image=/--directory=, systemd-dissect,
          systemd-portabled, and the RootDirectory=, RootImage=,
          ExtensionImages=, and ExtensionDirectories= settings for units now
          support the vpick protocol and allow the latest version to be
          selected automatically if a "*.v/" directory is specified as the
          source.

        * Encrypted service credentials can now be made accessible to
          unprivileged users. systemd-creds gained new options --user/--uid=
          for encrypting/decrypting a credential for a specific user.

        * New command-line tool 'importctl' to download, import, and export
          disk images via systemd-importd is added with the following verbs:
          pull-tar, pull-raw, import-tar, import-raw, import-fs, export-tar,
          export-raw, list-transfers, and cancel-transfer. This functionality
          was previously available in "machinectl", where it was used
          exclusively for machine images. The new "importctl" generalizes this
          for sysext, confext, and portable service images.

        * The systemd sources may now be compiled cleanly with all OpenSSL 3.0
          deprecations removed, including the OpenSSL engine logic turned off.

        Service Management:

        * New system manager setting ProtectSystem= has been added. It is
          analogous to the unit setting, but applies to the whole system. It is
          enabled by default in the initrd.

          Note that this means that code executed in the initrd cannot naively
          expect to be able to write to /usr/ during boot. This affects
          dracut <= 101, which wrote "hooks" to /lib/dracut/hooks/. See
          https://github.com/dracut-ng/dracut-ng/commit/a45048b80c2...

        * New unit setting WantsMountsFor= has been added. It is analogous to
          RequiresMountsFor=, but creates a Wants= dependency instead of
          Requires=. This new logic is now used in various places where mounts
          were added as dependencies for other settings (WorkingDirectory=-…,
          PrivateTmp=yes, cryptsetup lines with 'nofail').

        * New unit setting MemoryZSwapWriteback= can be used to control the new
          memory.zswap.writeback cgroup knob added in kernel 6.8.

        * The manager gained a org.freedesktop.systemd1.StartAuxiliaryScope()
          D-Bus method to devolve some processes from a service into a new
          scope. This new scope will remain running, even when the original
          service unit is restarted or stopped. This allows a service unit to
          split out some worker processes which need to continue running.
          Control group properties of the new scope are copied from the
          originating unit, so various limits are retained.

        * Units now expose properties EffectiveMemoryMax=,
          EffectiveMemoryHigh=, and EffectiveTasksMax=, which report the
          most stringent limit systemd is aware of for the given unit.

        * A new unit file specifier %D expands to $XDG_DATA_HOME (for user
          services) or /usr/share/ (for system services).

        * AllowedCPUs= now supports specifier expansion.

        * What= setting in .mount and .swap units now accepts fstab-style
          identifiers, for example UUID=… or LABEL=….

        * RestrictNetworkInterfaces= now supports alternative network interface
          names.

        * PAMName= now implies SetLoginEnvironment=yes.

        * systemd.firstboot=no can be used on the kernel command-line to
          disable interactive queries, but allow other first boot configuration
          to happen based on credentials.

        * The system's hostname can be configured via the systemd.hostname
          system credential.

        * The systemd binary will no longer chainload sysvinit's "telinit"
          binary when called under the init/telinit name on a system that isn't
          booted with systemd. This previously has been supported to make sure
          a distribution that has both init systems installed can reasonably
          switch from one to the other via a simple reboot. Distributions
          apparently have lost interest in this, and the functionality has not
          been supported on the primary distribution this was still intended
          for a long time, and hence has been removed now.

        * A new concept called "capsules" has been introduced. "Capsules" wrap
          additional per-user service managers, whose users are transient and
          are only defined as long as the service manager is running. (This is
          implemented via DynamicUser=1), allowing a user manager to be used to
          manager a group of processes without needing to create an actual user
          account. These service managers run with home directories of
          /var/lib/capsules/<capsule-name> and can contain regular services and
          other units. A capsule is started via a simple "systemctl start
          capsule@<name>.service". See the capsule@.service(5) man page for
          further details.

          Various systemd tools (including, and most importantly, systemctl and
          systemd-run) have been updated to interact with capsules via the new
          "--capsule="/"-C" switch.

        * .socket units gained a new setting PassFileDescriptorsToExec=, taking
          a boolean value. If set to true the file descriptors the socket unit
          encapsulates are passed to the ExecStartPost=, ExecStopPre=,
          ExecStopPost= using the usual $LISTEN_FDS interface. This may be used
          for doing additional initializations on the sockets once they are
          allocated. (For example, to install an additional eBPF program on
          them).

        * The .socket setting MaxConnectionsPerSource= (which so far put a
          limit on concurrent connections per IP in Accept=yes socket units),
          now also has an effect on AF_UNIX sockets: it will put a limit on the
          number of simultaneous connections from the same source UID (as
          determined via SO_PEERCRED). This is useful for implementing IPC
          services in a simple Accept=yes mode.

        * The service manager will now maintain a counter of soft reboot cycles
          the system went through. It may be queried via the D-Bus APIs.

        * systemd's execution logic now supports the new pidfd_spawn() API
          introduced by glibc 2.39, which allows us to invoke a subprocess in a
          target cgroup and get a pidfd back in a single operation.

        * systemd/PID 1 will now send an additional sd_notify() message to its
          supervising VMM or container manager reporting the selected hostname
          ("X_SYSTEMD_HOSTNAME=") and machine ID ("X_SYSTEMD_MACHINE_ID=") at
          boot. Moreover, the service manager will send additional sd_notify()
          messages ("X_SYSTEMD_UNIT_ACTIVE=") whenever a target unit is
          reached. This can be used by VMMs/container managers to schedule
          access to the system precisely. For example, the moment a system
          reports "ssh-access.target" being reached a VMM/container manager
          knows it can now connect to the system via SSH. Finally, a new
          sd_notify() message ("X_SYSTEMD_SIGNALS_LEVEL=2") is sent the moment
          PID 1 has successfully completed installation of its various UNIX
          process signal handlers (i.e. the moment where SIGRTMIN+4 sent to
          PID 1 will start to have the effect of shutting down the system
          cleanly). X_SYSTEMD_SHUTDOWN= is sent shortly before the system shuts
          down, and carries a string identifying the type of shutdown,
          i.e. "poweroff", "halt", "reboot". X_SYSTEMD_REBOOT_PARAMETER= is
          sent at the same time and carries the string passed to "systemctl
          --reboot-argument=" if there was one.

        * New D-Bus properties ExecMainHandoffTimestamp and
          ExecMainHandoffTimestampMonotonic are now published by services
          units. This timestamp is taken as the very last operation before
          handing off control to invoked binaries. This information is
          available for other unit types that fork off processes (i.e. mount,
          swap, socket units), but currently only via "systemd-analyze dump".

        * An additional timestamp is now taken by the service manager when a
          system shutdown operation is initiated. It can be queried via D-Bus
          during the shutdown phase. It's passed to the following service
          manager invocation on soft reboots, which will then use it to log the
          overall "grey-out" time of the soft reboot operation, i.e. the time
          when the shutdown began until the system is fully up again.

        * "systemctl status" will now display the invocation ID in its usual
          output, i.e. the 128bit ID uniquely assigned to the current runtime
          cycle of the unit. The ID has been supported for a long time, but is
          now more prominently displayed, as it is a very useful handle to a
          specific invocation of a service.

        * systemd now generates a new "taint" string "unmerged-bin" for systems
          that have /usr/bin/ and /usr/sbin/ separate. It's generally
          recommended to make the latter a symlink to the former these days.

        * A new systemd.crash_action= kernel command line option has been added
          that configures what to do after the system manager (PID 1) crashes.
          This can also be configured through CrashAction= in systemd.conf.

        * "systemctl kill" now supports --wait which will make the command wait
          until the signalled services terminate.

        Journal:

        * systemd-journald can now forward journal entries to a socket
          (AF_INET, AF_INET6, AF_UNIX, or AF_VSOCK). The socket can be
          specified in journald.conf via a new option ForwardToSocket= or via
          the 'journald.forward_to_socket' credential. Log records are sent in
          the Journal Export Format. A related setting MaxLevelSocket= has been
          added to control the maximum log levels for the messages sent to this
          socket.

        * systemd-journald now also reads the journal.storage credential when
          determining where to store journal files.

        * systemd-vmspawn gained a new --forward-journal= option to forward the
          virtual machine's journal entries to the host. This is done over a
          AF_VSOCK socket, i.e. it does not require networking in the guest.

        * journalctl gained option '-i' as a shortcut for --file=.

        * journalctl gained a new -T/--exclude-identifier= option to filter
          out certain syslog identifiers.

        * journalctl gained a new --list-namespaces option.

        * systemd-journal-remote now also accepts AF_VSOCK and AF_UNIX sockets
          (so it can be used to receive entries forwarded by systemd-journald).

        * systemd-journal-gatewayd allows restricting the time range of
          retrieved entries with a new "realtime=[<since>]:[<until>]" URL
          parameter.

        * systemd-cat gained a new option --namespace= to specify the target
          journal namespace to which the output shall be connected.

        * systemd-bsod gained a new option --tty= to specify the output TTY

        Device Management:

        * /dev/ now contains symlinks that combine by-path and by-{label,uuid}
          information:

              /dev/disk/by-path/<path>/by-<label|uuid|…>/<label|uuid|…>

          This allows distinguishing partitions with identical contents on
          multiple storage devices. This is useful, for example, when copying
          raw disk contents between devices.

        * systemd-udevd now creates persistent /dev/media/by-path/ symlinks for
          media controllers. For example, the uvcvideo driver may create
          /dev/media0 which will be linked as
          /dev/media/by-path/pci-0000:04:00.3-usb-0:1:1.0-media-controller.

        * A new unit systemd-udev-load-credentials.service has been added
          to pick up udev.conf drop-ins and udev rules from credentials.

        * An allowlist/denylist may be specified to filter which sysfs
          attributes are used when crafting network interface names. Those
          lists are stored as hwdb entries
            ID_NET_NAME_ALLOW_<sysfsattr>=0|1
          and
            ID_NET_NAME_ALLOW=0|1.

          The goal is to avoid unexpected changes to interface names when the
          kernel is updated and new sysfs attributes become visible.

        * A new unit tpm2.target has been added to provide a synchronization
          point for units which expect the TPM hardware to be available. A new
          generator "systemd-tpm2-generator" has been added that will insert
          this target whenever it detects that the firmware has initialized a
          TPM, but Linux hasn't loaded a driver for it yet.

        * systemd-backlight now properly supports numbered devices which the
          kernel creates to avoid collisions in the leds subsystem.

        * systemd-hwdb update operation can be disabled with a new environment
          variable SYSTEMD_HWDB_UPDATE_BYPASS=1.

        systemd-hostnamed:

        * systemd-hostnamed now exposes the machine ID and boot ID via
          D-Bus. It also exposes the hosts AF_VSOCK CID, if available.

        * systemd-hostnamed now provides a basic Varlink interface.

        * systemd-hostnamed exports the full data in os-release(5) and
          machine-info(5) via D-Bus and Varlink.

        * hostnamectl now shows the system's product UUID and hardware serial
          number if known.

        Network Management:

        * systemd-networkd now provides a basic Varlink interface.

        * systemd-networkd's ARP proxy support gained a new option to configure
          a private VLAN variant of the proxy ARP supported by the kernel under
          the name IPv4ProxyARPPrivateVLAN=.

        * systemd-networkd now exports the NamespaceId and NamespaceNSID
          properties via D-Bus and Varlink. (which expose the inode and NSID of
          the network namespace the networkd instance manages)

        * systemd-networkd now supports IPv6RetransmissionTimeSec= and
          UseRetransmissionTime= settings in .network files to configure
          retransmission time for IPv6 neighbor solicitation messages.

        * networkctl gained new verbs 'mask' and 'unmask' for masking networkd
          configuration files such as .network files.

        * 'networkctl edit --runtime' allows editing volatile configuration
          under /run/systemd/network/.

        * The implementation behind TTLPropagate= network setting has been
          removed and the setting is now ignored.

        * systemd-network-generator will now pick up .netdev/.link/.network/
          networkd.conf configuration from system credentials.

        * systemd-networkd will now pick up wireguard secrets from
          credentials.

        * systemd-networkd's Varlink API now supports enumerating LLDP peers.

        * .link files now support new Property=, ImportProperty=,
          UnsetProperty= fields for setting udev properties on a link.

        * The various .link files that systemd ships for interfaces that are
          supposed to be managed by systemd-networkd only now carry a
          ID_NET_MANAGED_BY=io.systemd.Network udev property ensuring that
          other network management solutions honouring this udev property do
          not come into conflict with networkd, trying to manage these
          interfaces.

        * .link files now support a new ReceivePacketSteeringCPUMask= setting
          for configuring which CPUs to steer incoming packets to.

        * The [Network] section in .network files gained a new setting
          UseDomains=, which is a single generic knob for controlling the
          settings of the same name in the [DHCPv4], [DHCPv6] and
          [IPv6AcceptRA].

        * The 99-default.link file we ship by default (that defines the policy
          for all network devices to which no other .link file applies) now
          lists "mac" among AlternativeNamesPolicy=. This means that network
          interfaces will now by default gain an additional MAC-address based
          alternative device name. (i.e. enx…)

        systemd-nspawn:

        * systemd-nspawn now provides a /run/systemd/nspawn/unix-export/
          directory where the container payload can expose AF_UNIX sockets to
          allow them to be accessed from outside.

        * systemd-nspawn will tint the terminal background for containers in a
          blueish color. This can be controller with the new --background=
          switch or the new $SYSTEMD_TINT_BACKGROUND environment variable.

        * systemd-nspawn gained support for the 'owneridmap' option for --bind=
          mounts to map the target directory owner from inside the container to
          the owner of the directory bound from the host filesystem.

        * systemd-nspawn now supports moving Wi-Fi network devices into a
          container, just like other network interfaces.

        systemd-resolved:

        * systemd-resolved now reads RFC 8914 EDE error codes provided by
          upstream DNS services.

        * systemd-resolved and resolvectl now support RFC 9460 SVCB and HTTPS
          records, as well as RFC 2915 NAPTR records.

        * resolvectl gained a new option --relax-single-label= to allow
          querying single-label hostnames via unicast DNS on a per-query basis.

        * systemd-resolved's Varlink IPC interface now supports resolving
          DNS-SD services as well as an API for resolving raw DNS RRs.

        * systemd-resolved's .dnssd DNS_SD service description files now
          support DNS-SD "subtypes" via the new SubType= setting.

        * systemd-resolved's configuration may now be reloaded without
          restarting the service. (i.e. "systemctl reload systemd-resolved" is
          now supported)

        SSH Integration:

        * An sshd config drop-in to allow ssh keys acquired via userdbctl (for
          example expose by homed accounts) to be used for authorization of
          incoming SSH connections.

        * A small new unit generator "systemd-ssh-generator" has been added. It
          checks if the sshd binary is installed. If so, it binds it via
          per-connection socket activation to various sockets depending on the
          execution context:

            • If the system is run in a VM providing AF_VSOCK support, it
              automatically binds sshd to AF_VSOCK port 22.

            • If the system is invoked as a full-OS container and the container
              manager pre-mounts a directory /run/host/unix-export/, it will
              bind sshd to an AF_UNIX socket /run/host/unix-export/ssh. The
              idea is the container manager bind mounts the directory to an
              appropriate place on the host as well, so that the AF_UNIX socket
              may be used to easily connect from the host to the container.

            • sshd is also bound to an AF_UNIX socket
              /run/ssh-unix-local/socket, which may be to use ssh/sftp in a
              "sudo"-like fashion to access resources of other local users.

            • Via the kernel command line option "systemd.ssh_listen=" and the
              system credential "ssh.listen" sshd may be bound to additional,
              explicitly configured options, including AF_INET/AF_INET6 ports.

          In particular the first two mechanisms should make dealing with local
          VMs and full OS containers a lot easier, as SSH connections will
          *just* *work* from the host – even if no networking is available
          whatsoever.

          systemd-ssh-generator optionally generates a per-connection
          socket activation service file wrapping sshd. This is only done if
          the distribution does not provide one on its own under the name
          "sshd@.service". The generated unit only works correctly if the SSH
          privilege separation ("privsep") directory exists. Unfortunately
          distributions vary wildly where they place this directory. An
          incomprehensive list:

            • /usr/share/empty.sshd/  (new fedora)
            • /var/empty/
            • /var/empty/sshd/
            • /run/sshd/              (debian/ubuntu?)

          If the SSH privsep directory is placed below /var/ or /run/ care
          needs to be taken that the directory is created automatically at boot
          if needed, since these directories possibly or always come up
          empty. This can be done via a tmpfiles.d/ drop-in. You may use the
          "sshdprivsepdir" meson option provided by systemd to configure the
          directory, in case you want systemd to create the directory as needed
          automatically, if your distribution does not cover this natively.

          Recommendations to distributions, in order to make things just work:

            • Please provide a per-connection SSH service file under the name
              "sshd@.service".

            • Please move the SSH privsep dir into /usr/ (so that it is truly
              immutable on image-based operating systems, is strictly under
              package manager control, and never requires recreation if the
              system boots up with an empty /run/ or /var/).

            • As an extension of this: please consider following Fedora's lead
              here, and use /usr/share/empty.sshd/ to minimize needless
              differences between distributions.

            • If your distribution insists on placing the directory in /var/ or
              /run/ then please at least provide a tmpfiles.d/ drop-in to
              recreate it automatically at boot, so that the sshd binary just
              works, regardless in which context it is called.

        * A small tool "systemd-ssh-proxy" has been added, which is supposed to
          act as counterpart to "systemd-ssh-generator". It's a small plug-in
          for the SSH client (via ProxyCommand/ProxyUseFdpass) to allow it to
          connect to AF_VSOCK or AF_UNIX sockets. Example: "ssh vsock/4711"
          connects to a local VM with cid 4711, or "ssh
          unix/run/ssh-unix-local/socket" to connect to the local host via the
          AF_UNIX socket /run/ssh-unix-local/socket.

        systemd-boot and systemd-stub and Related Tools:

        * TPM 1.2 PCR measurement support has been removed from systemd-stub.
          TPM 1.2 is obsolete and – due to the (by today's standards) weak
          cryptographic algorithms it only supports – does not actually provide
          the security benefits it's supposed to provide. Given that the rest
          of systemd's codebase never supported TPM 1.2, the support has now
          been removed from systemd-stub as well.

        * systemd-stub will now measure its payload via the new EFI
          Confidential Computing APIs (CC), in addition to the pre-existing
          measurements to TPM.

        * confexts are loaded by systemd-stub from the ESP as well.

        * kernel-install gained support for --root= for the 'list' verb.

        * bootctl now provides a basic Varlink interface and can be run as a
          daemon via a template unit.

        * systemd-measure gained new options --certificate=, --private-key=,
          and --private-key-source= to allow using OpenSSL's "engines" or
          "providers" as the signing mechanism to use when creating signed
          TPM2 PCR measurement values.

        * ukify gained support for signing of PCR signatures via OpenSSL's
          engines and providers.

        * ukify now supports zboot kernels.

        * systemd-boot now supports passing additional kernel command line
          switches to invoked kernels via an SMBIOS Type #11 string
          "io.systemd.boot.kernel-cmdline-extra". This is similar to the
          pre-existing support for this in systemd-stub, but also applies to
          Type #1 Boot Loader Specification Entries.

        * systemd-boot's automatic SecureBoot enrollment support gained support
          for enrolling "dbx" too (Previously, only db/KEK/PK enrollment was
          supported). It also now supports UEFI "Custom" and "Audit" modes.

        * The pcrlock policy is saved in an unencrypted credential file
          "pcrlock.<entry-token>.cred" under XBOOTLDR/ESP in the
          /loader/credentials/ directory. It will be picked up at boot by
          systemd-stub and passed to the initrd, where it can be used to unlock
          the root file system.

        * systemd-pcrlock gained an --entry-token= option to configure the
          entry-token.

        * systemd-pcrlock now provides a basic Varlink interface and can be run
          as a daemon via a template unit.

        * systemd-pcrlock's TPM nvindex access policy has been modified, this
          means that previous pcrlock policies stored in nvindexes are
          invalidated. They must be removed (systemd-pcrlock remove-policy) and
          recreated (systemd-pcrlock make-policy). For the time being
          systemd-pcrlock remains an experimental feature, but it is expected
          to become stable in the next release, i.e. v257.

        * systemd-pcrlock's --recovery-pin= switch now takes three values:
          "hide", "show", "query". If "show" is selected the automatically
          generated recovery PIN is shown to the user. If "query" is selected
          then the PIN is queried from the user.

        * sd-stub gained support for the new ".ucode" PE section in UKIs, that
          may contain CPU microcode data. When control is handed over to the
          Linux kernel this data is prepended to the set of initrds passed.

        systemd-run/run0:

        * systemd-run is now a multi-call binary. When invoked as 'run0', it
          provides as interface similar to 'sudo', with all arguments starting
          at the first non-option parameter being treated the command to invoke
          as root. Unlike 'sudo' and similar tools, it does not make use of
          setuid binaries or other privilege escalation methods, but instead
          runs the specified command as a transient unit, which is started by
          the system service manager, so privileges are dropped, rather than
          gained, thus implementing a much more robust and safe security
          model. As usual, authorization is managed via Polkit.

        * systemd-run/run0 will now tint the terminal background on supported
          terminals: in a reddish tone when invoking a root service, in a
          yellowish tone otherwise. This may be controlled and turned off via
          the new --background= switch or the new $SYSTEMD_TINT_BACKGROUND
          environment variable.

        * systemd-run gained a new option '--ignore-failure' to suppress
          command failures.

        Command-line tools:

        * 'systemctl edit --stdin' allows creation of unit files and drop-ins
          with contents supplied via standard input. This is useful when creating
          configuration programmatically; the tool takes care of figuring out
          the file name, creating any directories, and reloading the manager
          afterwards.

        * 'systemctl disable --now' and 'systemctl mask --now' now work
          correctly with template units.

        * 'systemd-analyze architectures' lists known CPU architectures.

        * 'systemd-analyze --json=…' is supported for 'architectures',
          'capability', 'exit-status'.

        * 'systemd-tmpfiles --purge' will purge (remove) all files and
          directories created via tmpfiles.d configuration.

        * systemd-id128 gained new options --no-pager, --no-legend, and
          -j/--json=.

        * hostnamectl gained '-j' as shortcut for '--json=pretty' or
          '--json=short'.

        * loginctl now supports -j/--json=.

        * resolvectl now supports -j/--json= for --type=.

        * systemd-tmpfiles gained a new option --dry-run to print what would be
          done without actually taking action.

        * varlinkctl gained a new --collect switch to collect all responses of
          a method call that supports multiple replies and turns it into a
          single JSON array.

        * systemd-dissect gained a new --make-archive option to generate an
          archive file (tar.gz and similar) from a disk image.

        systemd-vmspawn:

        * systemd-vmspawn gained a new --firmware= option to configure or list
          firmware definitions for Qemu, a new --tpm= option to enable or
          disable the use of a software TPM, a new --linux= option to specify a
          kernel binary for direct kernel boot, a new --initrd= option to
          specify an initrd for direct kernel boot, a new -D/--directory option
          to use a plain directory as the root file system, a new
          --private-users option similar to the one in systemd-nspawn, new
          options --bind= and --bind-ro= to bind part of the host's file system
          hierarchy into the guest, a new --extra-drive= option to attach
          additional storage, and -n/--network-tap/--network-user-mode to
          configure networking.

        * A new systemd-vmspawn@.service can be used to launch systemd-vmspawn
          as a service.

        * systemd-vmspawn gained the new --console= and --background= switches
          that control how to interact with the VM. As before, by default an
          interactive terminal interface is provided, but now with a background
          tinted with a greenish hue.

        * systemd-vmspawn can now register its VMs with systemd-machined,
          controlled via the --register= switch.

        * machinectl's start command (and related) can now invoke images either
          as containers via `systemd-nspawn` (switch is --runner=nspawn, the
          default) or as VMs via `systemd-vmspawn` (switch is --runner=vmspawn,
          or short -V).

        * systemd-vmspawn now supports two switches --pass-ssh-key= and
          --ssh-key-type= to optionally set up transient SSH keys to pass to the
          invoked VMs in order to be able to SSH into them once booted.

        * systemd-vmspawn will now enable various "HyperV enlightenments" and
          the "VM Generation ID" on the VMs.

        * A new environment variable $SYSTEMD_VMSPAWN_QEMU_EXTRA may carry
          additional qemu command line options to pass to qemu.

        * systemd-machined gained a new GetMachineSSHInfo() D-Bus method that is
          used by systemd-vmspawn to fetch the information needed to ssh into the
          machine.

        * systemd-machined gained a new Varlink interface that is used by
          systemd-vmspawn to register machines with additional information and
          metadata.

        systemd-repart:

        * systemd-repart gained new options --generate-fstab= and
          --generate-crypttab= to write out fstab and crypttab files matching the
          generated partitions.

        * systemd-repart gained a new option --private-key-source= to allow
          using OpenSSL's "engines" or "providers" as the signing mechanism to
          use when creating verity signature partitions.

        * systemd-repart gained a new DefaultSubvolume= setting in repart.d/
          drop-ins that allow configuring the default btrfs subvolume for newly
          formatted btrfs file systems.

        Libraries:

        * libsystemd gained new call sd_bus_creds_new_from_pidfd() to get a
          credentials object for a pidfd and sd_bus_creds_get_pidfd_dup() to
          retrieve the pidfd from a credentials object.

        * sd-bus' credentials logic will now also acquire peer's UNIX group
          lists and peer's pidfd if supported and requested.

        * RPM macro %_kernel_install_dir has been added with the path
          to the directory for kernel-install plugins.

        * The liblz4, libzstd, liblzma, libkmod, libgcrypt dependencies have
          been changed from regular shared library dependencies into dlopen()
          based ones.

          Note that this means that those libraries might not be automatically
          pulled in when ELF dependencies are resolved. In particular lack of
          libkmod might cause problems with boot. This affects dracut <= 101,
          see https://github.com/dracut-ng/dracut-ng/commit/04b362d7132...

        * systemd ELF binaries that use libraries via dlopen() are now built with
          a new ELF header note section, following a new specification defined at
          docs/ELF_DLOPEN_METADATA.md, that provides information about which
          sonames are loaded and used if found at runtime. This allows tools and
          packagers to programmatically discover the list of optional
          dependencies used by all systemd ELF binaries. A parser with packaging
          integration tools is available at
          https://github.com/systemd/package-notes

        * The sd-journal API gained a new call
          sd_journal_stream_fd_with_namespace() which is just like
          sd_journal_stream_fd() but creates a log stream targeted at a
          specific log namespace.

        * The sd-id128 API gained a new API call
          sd_id128_get_invocation_app_specific() for acquiring an app-specific
          ID that is derived from the service invocation ID.

        * The sd-event API gained a new API call
          sd_event_source_get_inotify_path() that returns the file system path
          an inotify event source was created for.

        systemd-cryptsetup/systemd-cryptenroll:

        * The device node argument to systemd-cryptenroll is now optional. If
          omitted it will be derived automatically from the backing block
          device of /var/ (which quite likely is the same as the root file
          system, hence effectively means if you don't specify things otherwise
          the tool will now default to enrolling a key into the root file
          system's LUKS device).

        * systemd-cryptenroll can now enroll directly with a PKCS11 public key
          (instead of a certificate).

        * systemd-cryptsetup/systemd-cryptenroll now may lock a disk against a
          PKCS#11 provided EC key (before it only supported RSA).

        * systemd-cryptsetup gained support for crypttab option
          link-volume-key= to link the volume key into the kernel keyring when
          the volume is opened.

        * systemd-cryptenroll will no longer enable Dictionary Attack
          Protection (i.e. turn on NO_DA) for TPM enrollments that do not
          involve a PIN. DA should not be necessary in that case (since key
          entropy is high enough to make this unnecessary), but risks
          accidental lock-out in case of unexpected PCR changes.

        * systemd-cryptenroll now supports enrolling a new slot while unlocking
          the old slot via TPM2 (previously unlocking only worked via password
          or FIDO2).

        Documentation:

        * The remaining documentation that was on
          https://freedesktop.org/wiki/Software/systemd/ has been moved to
          https://systemd.io/.

        * A new text describing the VM integration interfaces of systemd has
          been added:

          https://systemd.io/VM_INTERFACE

        * The sd_notify() man page has gained examples with C and Python code
          that shows how to implement the interface in those languages without
          involving libsystemd.

        systemd-homed, systemd-logind, systemd-userdbd:

        * systemd-homed now supports unlocking of home directories when logging
          in via SSH. Previously home directories needed to be unlocked before
          an SSH login is attempted.

        * JSON User Records have been extended with a separate public storage
          area called "User Record Blob Directories". This is intended to store
          the user's background image, avatar picture, and other similar items
          which are too large to fit into the User Record itself.

          systemd-homed, userdbctl, and homectl gained support for blob
          directories. homectl gained --avatar= and --login-background= to
          control two specific items of the blob directories.

        * A new "additionalLanguages" field has been added to JSON user records
          (as supported by systemd-homed and systemd-userdbd), which is closely
          related to the pre-existing "preferredLanguage", and allows
          specifying multiple additional languages for the user account. It is
          used to initialize the $LANGUAGES environment variable when used.

        * A new pair of "preferredSessionType" and "preferredSessionLauncher"
          fields have been added to JSON user records, that may be used to
          control which kind of desktop session to preferable activate on
          logins of the user.

        * homectl gained a new verb 'firstboot', and a new
          systemd-homed-firstboot.service unit uses this verb to create users
          in a first boot environment, either from system credentials or by
          querying interactively.

        * systemd-logind now supports a new "background-light" session class
          which does not pull in the user@.service unit. This is intended in
          particular for lighter weight per-user cron jobs which do require any
          per-user service manager to be around.

        * The per-user service manager will now be tracked as a distinct "manager"
          session type among logind sessions of each user.

        * homectl now supports an --offline mode, by which certain account
          properties can be changed without unlocking the home directory.

        * systemd-logind gained a new
          org.freedesktop.login1.Manager.ListSessionsEx() method that provides
          additional metadata compared to ListSessions(). loginctl makes use of
          this to list additional fields in list-sessions.

        * systemd-logind gained a new org.freedesktop.login1.Manager.Sleep()
          method that automatically redirects to SuspendThenHibernate(),
          Suspend(), HybridSleep(), or Hibernate(), depending on what is
          supported and configured, a new configuration setting SleepOperation=,
          and an accompanying helper method
          org.freedesktop.login1.Manager.CanSleep() and property
          org.freedesktop.login1.Manager.SleepOperation.

          'systemctl sleep' calls the new method to automatically put the
          machine to sleep in the most appropriate way.

        Credential Management:

        * systemd-creds now provides a Varlink IPC API for encrypting and
          decrypting credentials.

        * systemd-creds' "tpm2-absent" key selection has been renamed to
          "null", since that's what it actually does: "encrypt" and "sign"
          with a fixed null key. --with-key=null should only be used in very
          specific cases, as it provides zero integrity or confidentiality
          protections. (i.e. it's only safe to use as fallback in environments
          lacking both a TPM and access to the root fs to use the host
          encryption key, or when integrity is provided some other way.)

        * systemd-creds gained a new switch --allow-null. If specified, the
          "decrypt" verb will decode encrypted credentials that use the "null"
          key (by default this is refused, since using the "null" key defeats
          the authenticated encryption normally done).

        Suspend & Hibernate:

        * The sleep.conf configuration file gained a new MemorySleepMode=
          setting for configuring the sleep mode in more detail.

        * A tiny new service systemd-hibernate-clear.service has been added
          which clears hibernation information from the HibernateLocation EFI
          variable, in case the resume device is gone. Normally, this variable
          is supposed to be cleaned up by the code that initiates the resume
          from hibernation image. But when the device is missing and that code
          doesn't run, this service will now do the necessary work, ensuring
          that no outdated hibernation image information remains on subsequent
          boots.

        Unprivileged User Namespaces & Mounts:

        * A small new service systemd-nsresourced.service has been added. It
          provides a Varlink IPC API that assigns a free, transiently allocated
          64K UID/GID range to an uninitialized user namespace a client
          provides. It may be used to implement unprivileged container managers
          and other programs that need dynamic user ID ranges. It also provides
          interfaces to then delegate mount file descriptors, control groups
          and network interfaces to user namespaces set up this way.

        * A small new service systemd-mountfsd.service has been added. It
          provides a Varlink IPC API for mounting DDI images, and returning a set
          of mount file descriptors for it. If a user namespace fd is provided
          as input, then the mounts are registered with the user namespace. To
          ensure trust in the image it must provide Verity information (or
          alternatively interactive polkit authentication is required).

        * The systemd-dissect tool now can access DDIs fully unprivileged by
          using systemd-nsresourced/systemd-mountfsd.

        * If the service manager runs unprivileged (i.e. systemd --user) it now
          supports RootImage= for accessing DDI images, also implemented via
          the systemd-nsresourced/systemd-mountfsd.

        * systemd-nspawn may now operate without privileges, if a suitable DDI
          is provided via --image=, again implemented via
          systemd-nsresourced/systemd-mountfsd.

        Other:

        * timedatectl and machinectl gained option '-P', an alias for
          '--value --property=…'.

        * Various tools that pretty-print config files will now highlight
          configuration directives.

        * varlinkctl gained support for the "ssh:" transport. This requires
          OpenSSH 9.4 or newer.

        * systemd-sysext gained support for enabling system extensions in
          mutable fashion, where a writeable upperdir is stored under
          /var/lib/extensions.mutable/, and a new --mutable= option to
          configure this behaviour. An "ephemeral" mode is not also supported
          where the mutable layer is configured to be a tmpfs that is
          automatically released when the system extensions are reattached.

        * Coredumps are now retained for two weeks by default (instead of three
          days, as before).

        * portablectl --copy= parameter gained a new 'mixed' argument, that will
          result in resources owned by the OS (e.g.: portable profiles) to be linked
          but resources owned by the portable image (e.g.: the unit files and the
          images themselves) to be copied.

        * systemd will now register MIME types for various of its file types
          (e.g. journal files, DDIs, encrypted credentials …) via the XDG
          shared-mime-info infrastructure. (Files of these types will thus be
          recognized as their own thing in desktop file managers such as GNOME
          Files.)

        * systemd-dissect will now show the detected sector size of a given DDI
          in its default output.

        * systemd-portabled now generates recognizable structured log messages
          whenever a portable service is attached or detached.

        * Verity signature checking in userspace (i.e. checking against
          /etc/verity.d/ keys) when activating DDIs can now be turned on/off
          via a kernel command line option systemd.allow_userspace_verity= and
          an environment variable SYSTEMD_ALLOW_USERSPACE_VERITY=.

        * ext4/xfs file system quota handling has been reworked, so that
          quotacheck and quotaon are now invoked as per-file-system templated
          services (as opposed to single system-wide singletons), similar in
          style to the fsck, growfs, pcrfs logic. This means file systems with
          quota enabled can now be reasonably enabled at runtime of the system,
          not just at boot.

        * "systemd-analyze dot" will now also show BindsTo= dependencies.

        * systemd-debug-generator gained the ability add in arbitrary units
          based on them being passed in via system credentials.

        * A new kernel command-line option systemd.default_debug_tty= can be
          used to specify the TTY for the debug shell, independently of
          enabling or disabling it.

        * portablectl gained a new --clean switch that clears a portable
          service's data (cache, logs, state, runtime, fdstore) when detaching
          it.

        Contributions from: A S Alam, AKHIL KUMAR,
        Abraham Samuel Adekunle, Adrian Vovk, Adrian Wannenmacher,
        Alan Liang, Alberto Planas, Alexander Zavyalov, Anders Jonsson,
        Andika Triwidada, Andres Beltran, Andrew Sayers,
        Antonio Alvarez Feijoo, Arian van Putten, Arthur Zamarin,
        Artur Pak, AtariDreams, Benjamin Franzke, Bernhard M. Wiedemann,
        Black-Hole1, Bryan Jacobs, Burak Gerz, Carlos Garnacho,
        Chandra Pratap, Chris Hofstaedtler, Chris Packham, Chris Simons,
        Christian Göttsche, Christian Wesselhoeft, Clayton Craft,
        Colin Geniet, Colin Walters, Colin Watson, Costa Tsaousis,
        Cristian Rodríguez, Daan De Meyer, Damien Challet, Dan Streetman,
        Daniel Winzen, Daniele Medri, David Seifert, David Tardon,
        David Venhoek, Diego Viola, Dionna Amalie Glaze,
        Dmitry Konishchev, Dmitry V. Levin, Edson Juliano Drosdeck,
        Eisuke Kawashima, Eli Schwartz, Emanuele Giuseppe Esposito,
        Eric Daigle, Evgeny Vereshchagin, Felix Riemann,
        Fernando Fernandez Mancera, Florian Fainelli, Florian Schmaus,
        Franck Bui, Frantisek Sumsal, Friedrich Altheide,
        Gabríel Arthúr Pétursson, Gaël Donval, Georges Basile Stavracas Neto,
        Gerd Hoffmann, GNOME Foundation, Guido Leenders,
        Guilhem Lettron, Göran Uddeborg, Hans de Goede, Harald Brinkmann,
        Heinrich Schuchardt, Helmut Grohne, Henry Li, Heran Yang,
        Holger Assmann, Ivan Kruglov, Ivan Shapovalov, Jakub Sitnicki,
        James Muir, Jan Engelhardt, Jan Macku, Jarne Förster, Jeff King,
        Jian-Hong Pan, JmbFountain, Joakim Nohlgård, Jonathan Conder,
        Julius Alexandre, Jörg Behrmann, Kai Lueke, Kamil Szczęk,
        KayJay7, Keian, Kirk, Kristian Klausen, Krzesimir Nowak,
        Lain "Fearyncess" Yang, Lars Ellenberg, Lennart Poettering,
        Leonard, Luca Boccassi, Lucas Salles, Ludwig Nussel,
        Lukáš Nykrýn, Luna Jernberg, Luxiter, Maanya Goenka,
        Maciej S. Szmigiero, Mariano Giménez, Markus Merklinger,
        Martin Ivicic, Martin Srebotnjak, Martin Trigaux, Martin Wilck,
        Mathias Lang, Matt Layher, Matt Muggeridge, Matteo Croce,
        Matthias Lisin, Max Gautier, Max Staudt, MaxHearnden,
        Michael Biebl, Michal Koutný, Michal Sekletár, Michał Kopeć,
        Mike Gilbert, Mike Yuan, Mikko Ylinen, MkfsSion, Moritz Sanft,
        MrSmör, Nandakumar Raghavan, Nicholas Little, Nick Cao,
        Nick Rosbrook, Nicolas Bouchinet, Norbert Lange,
        Ole Peder Brandtzæg, Ondrej Kozina, Oğuz Ersen,
        Pablo Méndez Hernández, Pierre GRASSER, Piotr Drąg, QuonXF,
        Radoslav Kolev, Rafaël Kooi, Raito Bezarius, Rasmus Villemoes,
        Reid Wahl, Renjaya Raga Zenta, Richard Maw, Roland Hieber,
        Ronan Pigott, Rose, Ross Burton, Saliba-san, Sam Leonard,
        Samuel BF, Sarvajith Adyanthaya, Scrambled 777,
        Sebastian Pucilowski, Sergei Zhmylev, Sergey A, Shulhan,
        SidhuRupinder, Simon Fowler, Skia, Sludge, Stuart Hayhurst,
        Susant Sahani, Takashi Sakamoto, Temuri Doghonadze, Thayne McCombs,
        Thilo Fromm, Thomas Blume, Tiago Rocha Cunha, Timo Rothenpieler,
        TobiPeterG, Tobias Fleig, Tomáš Pecka, Topi Miettinen,
        Tycho Andersen, Unique-Usman, Usman Akinyemi, Vasiliy Kovalev,
        Vasiliy Stelmachenok, Victor Berchet, Vishal Chillara Srinivas,
        Vitaly Kuznetsov, Vito Caputo, Vladimir Stoiakin, Werner Sembach,
        Will Springer, Winterhuman, Xiaotian Wu, Yu Watanabe,
        Yuri Chornoivan, Zbigniew Jędrzejewski-Szmek, Zmyeir, anphir,
        aslepykh, chenjiayi, cpackham-atlnz, cunshunxia, djantti, drewbug,
        hanjinpeng, hfavisado, hulkoba, hydrargyrum, ksaleem, mburucuyapy,
        medusalix, mille-feuille, mkubiak, mooo, msizanoen, networkException,
        nl6720, r-vdp, runiq, sam-leonard-ct, samuelvw01, sharad3001, spdfnet,
        sushmbha, wangyuhang, zeroskyx, zzywysm, İ. Ensar Gülşen,
        Łukasz Stelmach, Štěpán Němec, 我超厉害, 김인수

        — Edinburgh, 2024-06-11