Releases: systemd/systemd
systemd v258~rc4
CHANGES WITH 258 in spe:
Incompatible changes:
* Support for cgroup v1 ('legacy' and 'hybrid' hierarchies) has been
removed. cgroup v2 ('unified' hierarchy) will always be mounted
during system bootup and systemd-nspawn container initialization.
* The minimum kernel baseline version has been bumped to v5.4 (released
in 2019), with the recommended version now going up to v5.7. Consult
the README file for a list of required kernel APIs.
* The default access mode of tty/pts device nodes has been changed to
0600, which was 0620 in the older releases, due to general security
concerns about terminals being written to by other users. To restore
the old default access mode, use the '-Dtty-mode=0620' meson build
option. (This effectively means "mesg n" is now the default, rather
than "mesg y", see mesg(1) man page for help.)
* ACLs for device nodes requested by the "uaccess" udev tag are now always
applied/updated by systemd-udevd through the "uaccess" udev builtin.
systemd-logind no longer applies/updates ACLs itself but instead triggers
"change" uevents so that systemd-udevd applies/updates them. Hence, the
"uaccess" udev tag must be set not only on the "add" action but also on
the "change" action, and it is highly recommended that the rule be
applied to all actions except "remove".
Recommended example:
ACTION!="remove", SUBSYSTEM=="hidraw", TAG+="uaccess"
The following example does not work since v258:
ACTION=="add", SUBSYSTEM=="hidraw", TAG+="uaccess"
* systemd-run's --expand-environment= switch, which was disabled
by default when combined with --scope, has been changed to be
enabled by default. This brings cmdline expansion of transient
scopes on par with services.
* systemd-logind PAM sessions that previously were automatically
determined to be of class "background", and which are owned by root
or system accounts, will now automatically be set to class
"background-light" instead. PAM sessions that previously were
automatically determined to be of class "user", and which are owned
by non-root system users, will now automatically be set to class
"user-light" instead. This effectively means that cron jobs or FTP
sessions (i.e. all PAM sessions that have no TTY assigned and neither
are graphical) for system users no longer pull in a service manager
by default. This behaviour can be changed by explicitly setting the
session class (for example via the class= parameter to
pam_systemd.so, or by setting the XDG_SESSION_CLASS environment
variable as input for the service's PAM stack). This change does not
affect graphical sessions, nor does it affect regular users. This is
an incompatible change of sorts, since per-user services will
typically not be available for such PAM sessions of system users.
* systemd-udevd ignores OWNER=/GROUP= settings in udev rules files that
specify a non-system user/group, to avoid device nodes being owned by a
non-system user/group. It is recommended to check udev rules files with
the 'udevadm verify' and/or 'udevadm test' commands to confirm that the
user/group specified in OWNER=/GROUP= is valid.
Similarly, systemd-networkd refuses User=/Group= settings with a
non-system user/group specified in .netdev files for Tun/Tap
interfaces.
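The two udev-rule changes above (the "uaccess" tag needing to cover "change" events, and OWNER=/GROUP= naming non-system accounts) can be checked in rules files before upgrading with a small linter. This is an added example, not systemd's own code and not part of 'udevadm verify'; the sample rule lines, the passwd/group tables and the SYS_UID_MAX=999 cut-off are constructed assumptions.

```python
"""Lint udev rules for two systemd v258 incompatibilities (added example,
not systemd's own code):

  * TAG+="uaccess" rules that only match ACTION=="add" (v258 needs the tag
    on "change" events too, otherwise the ACLs are never reapplied);
  * OWNER=/GROUP= assignments naming a non-system user or group (ignored
    by systemd-udevd since v258).

The passwd/group tables and the rules text are constructed sample data; a
real run would read /etc/udev/rules.d/*.rules and use the pwd/grp modules.
"""
import re

# Assumption: system accounts are UID/GID <= 999 (the usual login.defs default).
SYS_UID_MAX = 999

# Constructed lookup tables standing in for pwd.getpwnam() / grp.getgrnam().
PASSWD = {"root": 0, "input": 995, "alice": 1000}
GROUPS = {"root": 0, "input": 995, "plugdev": 1001}

# One udev token: KEY, operator, double-quoted value. Multi-char operators
# come first in the alternation so that '==' is not read as '='.
TOKEN = re.compile(r'\s*([A-Za-z0-9_{}$]+)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"\s*')


def parse_rule(line):
    """Split one udev rule into (key, op, value) triples; comments/blank -> []."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    triples, pos = [], 0
    while pos < len(line):
        m = TOKEN.match(line, pos)
        if not m:
            raise ValueError(f"cannot parse rule at column {pos}: {line!r}")
        triples.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
        if pos < len(line):
            if line[pos] != ",":
                raise ValueError(f"expected ',' at column {pos}: {line!r}")
            pos += 1
    return triples


def uaccess_add_only(triples):
    """True if the rule sets TAG+="uaccess" but fires only for ACTION=="add"."""
    tags_uaccess = any(k == "TAG" and op in ("+=", "=") and v == "uaccess"
                       for k, op, v in triples)
    if not tags_uaccess:
        return False
    # No ACTION match at all means the rule applies to every action: fine.
    # ACTION=="add|change" or ACTION!="remove" also cover "change": fine.
    return any(k == "ACTION" and op == "==" and v == "add"
               for k, op, v in triples)


def non_system_owner(triples):
    """Return (key, name, reason) for OWNER=/GROUP= values udevd will ignore."""
    bad = []
    for k, op, v in triples:
        if k not in ("OWNER", "GROUP") or op not in ("=", ":=") or not v:
            continue
        if v.startswith("$") or "%" in v:
            continue  # runtime substitution; cannot be judged statically
        if v.isdigit():
            ident = int(v)  # udev also accepts numeric UIDs/GIDs
        else:
            ident = (PASSWD if k == "OWNER" else GROUPS).get(v)
        if ident is None:
            bad.append((k, v, "unknown"))
        elif ident > SYS_UID_MAX:
            bad.append((k, v, "non-system"))
    return bad


def lint(rules_text):
    """Return a list of (line_no, message) findings for a rules file's text."""
    findings = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        try:
            triples = parse_rule(line)
        except ValueError as e:
            findings.append((no, f"parse error: {e}"))
            continue
        if uaccess_add_only(triples):
            findings.append((no, 'TAG+="uaccess" only on ACTION=="add"; use '
                                 'ACTION!="remove" so ACLs are reapplied on "change"'))
        for key, name, why in non_system_owner(triples):
            findings.append((no, f'{key}="{name}" is {why}; systemd-udevd v258 ignores it'))
    return findings


# Constructed sample rules file exercising the good and the broken forms.
SAMPLE_RULES = """\
# constructed sample rules
ACTION!="remove", SUBSYSTEM=="hidraw", TAG+="uaccess"
ACTION=="add", SUBSYSTEM=="hidraw", TAG+="uaccess"
ACTION=="add|change", SUBSYSTEM=="hidraw", TAG+="uaccess"
KERNEL=="ttyUSB0", OWNER="alice", GROUP="plugdev"
KERNEL=="event*", SUBSYSTEM=="input", GROUP="input", MODE="0660"
KERNEL=="fpga0", OWNER="1000"
"""

if __name__ == "__main__":
    for no, msg in lint(SAMPLE_RULES):
        print(f"line {no}: {msg}")
```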
* systemd-cryptenroll, systemd-repart and systemd-creds no longer
default to locking TPM2 enrollments to the current, literal value of
PCR 7, i.e. the PCR the SecureBoot policy is measured into by the
firmware. This change reflects the fact that nowadays SecureBoot
policies are updated (at least) as frequently as firmware code
(simply because SecureBoot policy updates are typically managed by
fwupd these days). The new default PCR mask for new TPM2 enrollments
is thus empty by default. It is recommended to use managed
systemd-pcrlock policies for binding to PCR 7 instead (as well as
combining such policies with signed policies for PCR 11). Or in other
words, it's recommended to make more use of the logic behind the
--tpm2-public-key=, --tpm2-public-key-pcrs= and --tpm2-pcrlock=
switches of the mentioned tools in place of --tpm2-pcrs=.
* Support for the SystemdOptions EFI variable has been removed.
* Meson options '-Dsplit-usr=', '-Drootlibdir=', '-Drootprefix='
(deprecated in v255), '-Ddefault-hierarchy=' (deprecated in v256),
and '-Dnscd=' (deprecated in v257) have been removed.
* OpenSSL is now the only supported cryptography backend for
systemd-resolved and systemd-importd, and support for gnutls and
gcrypt has been removed. Hence, 'gnutls' setting for the
'-Ddns-over-tls=' meson option has been deprecated. Also, the
'-Dcryptolib=' meson option has been deprecated. They will be removed
in a future release.
* systemd-logind's session tracking, which used to be performed via a
FIFO installed in the client, now uses PIDFDs. The file descriptor
returned by CreateSession() and related calls is therefore unused.
Moreover, the exit of the session leader process will immediately
cause the session to be stopped.
* To work around limitations of X11's keyboard handling, systemd's
keyboard mapping hardware database (hwdb.d/60-keyboard.hwdb) so far
mapped the microphone mute and touchpad on/off/toggle keys to the
function keys F20, F21, F22, F23 instead of their correct key codes.
This key code mangling has been removed from udev.
To maintain compatibility with X11 applications that rely on the old
function key code mappings, this mangling has now been added to the
relevant X11 keyboard driver modules. In order to ensure these keys
continue to work, update to xf86-input-evdev >= 2.11.0 and
xf86-input-libinput >= 1.5.0 before updating to systemd >= 258.
* The D-Bus method org.freedesktop.systemd1.StartAuxiliaryScope(), which
had been deprecated since v257, has been removed.
* systemd-networkd previously emitted the machine ID as the chassis ID
in LLDP packets. It now emits a deterministic ID cryptographically
derived from the machine ID as the chassis ID instead. To restore the
previous behavior, set the SYSTEMD_LLDP_SEND_MACHINE_ID=1 environment
variable for systemd-networkd.
* Support for the !! command line prefix on ExecStart= lines (and
related) has been removed, and if specified will be ignored. The
concept was supposed to provide compatibility with kernels that
predated the introduction of "ambient" process capabilities. However,
the kernel baseline of the systemd project is now far beyond any
kernels that lacked support for it, hence the prefix serves no
purpose anymore.
* The default keyring for systemd-importd and related tools, shipped
in /usr/lib/systemd/, has been renamed from import-pubring.gpg to
import-pubring.pgp, as it is supported by other PGP tools as well as
GPG. The local keyring /etc/systemd/import-pubring.gpg is still parsed
if present, to preserve backward compatibility.
* Normally, per-user encrypted credentials are decrypted via the
systemd-creds.socket Varlink service, while per-system ones are
decrypted directly within the execution context of the intended
service (which hence typically required access to /dev/tpmrm0). This
has been changed: units that enable PrivateDevices= or use
DeviceAllow=/DevicePolicy= (and thus restrict access to device nodes)
will now also make use of the systemd-creds.socket Varlink
functionality, and will not attempt to decrypt the credentials
in-process (and thus will not try to talk to the TPM themselves).
Previously, encrypted credentials for per-system services were
incompatible with PrivateDevices= and resulted in automatic extension
of the DeviceAllow= list. The latter behaviour has been removed.
* The command 'journalctl --follow' now exits with success on
SIGTERM/SIGINT and when the pipe it is writing to is disconnected.
* Support for System V style system state control has been removed:
- The /dev/initctl device node has been removed.
- The initctl, runlevel, and telinit commands have been removed.
- Support for system state control via the init command (e.g.
'init 3') has been removed.
- The units runlevel[0-6].target have been removed.
- The concept of runlevels has been removed, so runlevel transitions
are no longer recorded in the utmp/wtmp databases.
* Support for the traditional /forcefsck and /fastboot files to control
the execution mode of fsck on boot has been removed from systemd-fsck. To
control the mode, please use the fsck.mode= kernel command line option
or the newly introduced fsck.mode credential.
* Support for traditional /forcequotacheck file to control execution
mode of quotacheck on boot has been removed from systemd-quo...
systemd v257.9
systemd-stable v257.9
systemd v258~rc3
* Support for the traditional /forcequotacheck file to control the
execution mode of quotacheck on boot has been removed from
systemd-quotacheck. To control the mode, please use the quotacheck.mode=
kernel command line option or the newly introduced quotacheck.mode
credential.
Announcements of Future Feature Removals:
* Support for System V service scripts is deprecated and will be
removed in v259. Please make sure to update your software *now* to
include a native systemd unit file instead of a legacy System V
script to retain compatibility with future systemd releases.
* Support for systemd-repart's FactoryReset EFI variable has been
deprecated and support for it will be removed in v260. Use the newer,
more generic FactoryResetRequest variable instead, which can be
...
systemd v257.8
systemd-stable v257.8
systemd v258-rc2
systemd v258-rc1
* systemd-networkd now supports configuring the timeout for IPv4
Duplicate Address Detection via a new setting
IPv4DuplicateAddressDetectionTimeoutSec=. The default timeout value
has been changed from 7 seconds to 200 milliseconds.
systemd v257.7
systemd-stable v257.7
systemd v256.17
systemd-stable v256.17
systemd v257.6
systemd-stable v257.6
systemd v256.16
systemd-stable v256.16