Mastodon Stories for systemd v258
https://fed.brid.gy/r/https://0pointer.net/blog/mastodon-stories-for-systemd-v258.html
I forgot to post a link list blog story for my mastodon series for #systemd258, but I have caught up now. If you haven't had a look yet, here's the list of mastodon posts:
https://0pointer.net/blog/mastodon-stories-for-systemd-v258.html
The 55th episode of my #systemd258 series of posts is the last one btw. Today we tagged the final release 🍾🎉🎊🍰🎂✨, and our focus now moves to #systemd259. Hopefully we can speed up the release cycle this time, and switch to smaller but more frequent releases. Stay tuned for the 259 posts coming in a month or two.
5️⃣5️⃣ Here's the 55th post highlighting key new features of the upcoming v258 release of systemd. #systemd258
Everybody loves eBPF, i.e. the Linux kernel's virtual machine for tracing, filtering, security mechanisms and a lot more. Many of the BPF concepts are tied to the cgroup hierarchy: you can pin a BPF program to a cgroup (and thus a service or container or so), and this will cause it to be applied to all processes running in that cgroup.
5️⃣4️⃣ Here's the 54th post highlighting key new features of the upcoming v258 release of systemd. #systemd258
For a long time systemd has been providing support for DDIs, i.e. for GPT disk images that carry expressive GPT partition types for their partitions, so that the GPT partition table alone is enough to know how to assemble things and where to mount what. The logic in systemd that processes the GPT information and assembles it is named "image dissection".
All that's left IIRC is the ability for user mount units to function without requiring root permissions, which ain't working yet IIRC.
But great steps so far 👍
5️⃣3️⃣ Here's the 53rd post highlighting key new features of the upcoming v258 release of systemd. #systemd258
This is a short one, but a double feature, both about systemd's service credentials concept:
Firstly, encrypted credentials finally work fine now if you use LoadCredentialEncrypted= in a per-user unit. v257 added the concept of user-scoped encrypted credentials, but by mistake I didn't actually hook this up with LoadCredentialEncrypted=. This is addressed now.
5️⃣2️⃣ Here's the 52nd post highlighting key new features of the upcoming v258 release of systemd. #systemd258
PrivateUsers= is one of the many sandboxing knobs in service unit files. It configures a minimal user namespace for the service code to run in. So far you could set it to "self", which would set up the user namespace mapping for the service to map the root user and the service's user to itself, and leave everything else unmapped.
5️⃣1️⃣ Here's the 51st post highlighting key new features of the upcoming v258 release of systemd. #systemd258
For a long time systemd has supported the "ask-password" protocol that allows system components (i.e. non-interactive, low-level stuff) to query passwords and other secrets interactively, during boot and runtime. The original use case was disk encryption: early during boot, in the initrd, we must query the user for a disk unlock passphrase, and only then can transition into the…
5️⃣0️⃣ Here's the 50th post highlighting key new features of the upcoming v258 release of systemd. #systemd258
User namespaces are weird beasts: on one hand they are supposed to be something that you can acquire without privileges, but on the other hand if you want more than a single UID mapped into them, you need multiple UIDs, and that's a resource you cannot acquire without privs.
To deal with that multiple systems have been devised.
4️⃣9️⃣ Here's the 49th post highlighting key new features of the upcoming v258 release of systemd. #systemd258
One of the key features of systemd from day 1 on is socket activation, i.e. a mechanism where systemd binds sockets on behalf of services, watches them and only activates the services themselves later, possibly only at the moment they are actively used.
This has various benefits, for example it reduces the ahead-of-time cost of running a large number of services (which improves boot times).
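The service side of this mechanism, as an added example that is not part of the original post: the manager hands the pre-bound sockets to the activated process as file descriptors starting at fd 3 and describes them via $LISTEN_PID, $LISTEN_FDS and $LISTEN_FDNAMES; the code below parses those variables the way libsystemd's sd_listen_fds_with_names() does, including the LISTEN_PID check that keeps a child process which merely inherited the environment from consuming sockets meant for its parent. The function names are my own.

```python
import os
import socket
from typing import Dict, List, Tuple

SD_LISTEN_FDS_START = 3  # systemd passes activated sockets starting at fd 3


def listen_fds(environ: Dict[str, str], pid: int) -> List[Tuple[int, str]]:
    """Return (fd, name) pairs handed over by the service manager, or [] if none.

    Follows the sd_listen_fds_with_names() contract: the variables are only
    honoured when LISTEN_PID equals our own PID, so a forked child that kept
    the parent's environment does not mistake the parent's sockets for its own.
    """
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []  # missing or malformed variables: treat as "not activated"
    if count <= 0:
        return []
    if "LISTEN_FDNAMES" in environ:
        names = environ["LISTEN_FDNAMES"].split(":")
        if len(names) != count:  # libsystemd rejects a name/fd count mismatch
            return []
    else:
        names = ["unknown"] * count  # libsystemd's default when no names are set
    return [(SD_LISTEN_FDS_START + i, names[i] or "unknown") for i in range(count)]


def activated_sockets() -> List[Tuple[socket.socket, str]]:
    """Wrap the passed-in descriptors as socket objects, marking them CLOEXEC."""
    socks = []
    for fd, name in listen_fds(dict(os.environ), os.getpid()):
        os.set_inheritable(fd, False)  # do not leak the socket to children we spawn
        socks.append((socket.socket(fileno=fd), name))
    # Like sd_listen_fds(..., unset_environment=true): consume the variables once.
    for var in ("LISTEN_PID", "LISTEN_FDS", "LISTEN_FDNAMES"):
        os.environ.pop(var, None)
    return socks


if __name__ == "__main__":
    # When started by a systemd .socket unit this accepts on the first passed socket;
    # run directly without activation it simply reports that nothing was passed.
    socks = activated_sockets()
    if not socks:
        print("no sockets passed by the service manager")
    else:
        srv, name = socks[0]
        conn, peer = srv.accept()
        print(f"accepted connection on socket {name!r} from {peer}")
        conn.close()
```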
4️⃣8️⃣ Here's the 48th post highlighting key new features of the upcoming v258 release of systemd. #systemd258
systemd-machined is a small service in systemd that can keep track of running VMs and full-OS containers, and provides various APIs via D-Bus to interact with them. It also integrates with NSS to do name resolution for these systems.
With v258 systemd-machined gained a pretty comprehensive set of new APIs, via Varlink.
4️⃣7️⃣ Here's the 47th post highlighting key new features of the upcoming v258 release of systemd. #systemd258
In episode 38 of this series we talked about homectl's new commands to manage signing keys for user accounts.
There are two other new commands homectl gained in v258.
First of all there's "homectl adopt". You just pass a path to an existing *.home LUKS disk image, or a *.homedir home directory, and it will make it available locally for login (assuming it carries the…
4️⃣6️⃣ Here's the 46th post highlighting key new features of the upcoming v258 release of systemd. #systemd258
The various ProtectXYZ= settings for service unit files allow locking services into sandboxes in a relatively fine-grained fashion.
The ProtectHostname=yes option is one of these options: it locks the service into a "uts" namespace (which is a Linux kernel construct that disconnects the system hostname the service uses from the hostname the rest of the system sees).
4️⃣5️⃣ Here's the 45th post highlighting key new features of the upcoming v258 release of systemd. #systemd258
The "feature" for today isn't strictly a feature. This series is supposed to be about features and features only, but today we'll focus on something else: the *removal* of a feature, not the addition of one.
Specifically, v258 is the first release of systemd where cgroupv1 support is gone, removed, dead, of the past, futschikato!
If you are still stuck in cgroupv1 land then v257 is the…
4️⃣4️⃣ Here's the 44th post highlighting key new features of the upcoming v258 release of systemd. #systemd258
Back in episode 10 of this series we talked about the new "url-uki" stanza in boot loader spec type 1 entries, which configures UKIs that are placed on a remote URL rather than stored locally in ESP/XBOOTLDR. This story already hinted that UEFI HTTP network boot of UKIs is actually a thing now.
Back in episode 35 we talked about booting into a DDI root fs…
4️⃣3️⃣ Here's the 43rd post highlighting key new features of the upcoming v258 release of systemd. #systemd258
Back in v257 we added support for RestartMode=debug: if it is used and a service is automatically restarted due to Restart=, a special environment variable DEBUG_INVOCATION=1 is set for the new invocation. This is then supposed to enable special logic in the service code that generates additional debug logging and other behaviour.
Just one more RC bro, I swear bro just one more will fix it https://github.com/systemd/systemd/releases/tag/v258-rc3
4️⃣2️⃣ Here's the 42nd post highlighting key new features of the upcoming v258 release of systemd. #systemd258
Part of the protocol spoken between service processes and the service manager (if it is systemd, that is) are a number of environment variables. Specifically, $MAINPID and $MANAGERPID are two variables that have been part of the protocol for a long time: they contain the PID numbers of the main service process and of the service manager itself.