#systemd258

Lennart Poettering @pid_eins
2025-06-13

1️⃣6️⃣ Here's the 16th post highlighting key new features of the upcoming v258 release of systemd.

For a while now systemd has included the "userdb" subsystem, which extends the classic ~1983 "struct passwd" (as returned by getpwnam()) in a powerful, modernized way. While userdb's user records are a true superset of POSIX'/Linux' struct passwd, they retain the basic concepts: one can query a record by its UID or by its username, and gets a record back.

Lennart Poettering @pid_eins
2025-06-12

1️⃣5️⃣ Here's the 15th post highlighting key new features of the upcoming v258 release of systemd.

In v257 we extended systemd-stub so that the UKI it is placed in can carry multiple Devicetree blobs, and that it can match the host's hardware against these blobs, and pass the right, matching one to the invoked kernel. The matching is based on Devicetree "compatible" strings, as well as SMBIOS metadata.

Lennart Poettering @pid_eins
2025-06-11

1️⃣4️⃣ Here's the 14th post highlighting key new features of the upcoming v258 release of systemd.

The concept of system credentials has existed for a while in systemd. It allows parameterizing the system (and the services running on it) in a secure and hierarchical way. You can pass them into containers and into VMs, for example via SMBIOS Type #11 vendor strings. While the transport is low-level and firmware compatible, they can reasonably only be consumed in userspace.

Lennart Poettering @pid_eins
2025-06-10

1️⃣3️⃣ Here's the 13th post highlighting key new features of the upcoming v258 release of systemd.

One of systemd-resolved's fundamental jobs is to maintain per-interface and global DNS configuration (as well as per-delegate configuration, as described earlier in this series). We always provided D-Bus APIs to query the current state of this, and "resolvectl" to a large degree is just a wrapper around that.

Lennart Poettering @pid_eins
2025-06-06

1️⃣2️⃣ Here's the 12th post highlighting key new features of the upcoming v258 release of systemd.

I believe a fundamental aspect of OS security must be a secure way to return the OS into a well-defined, secure state if a compromise has been identified.

Fending off an attacker is one thing; accepting that it might happen anyway and that you can recover from that in a reasonable way is another. And that's the case not only if you think about "cattle" style installs…

Lennart Poettering @pid_eins
2025-06-05

1️⃣1️⃣ Here's the 11th post highlighting key new features of the upcoming v258 release of systemd.

Sometimes, when debugging the early boot process of Linux userspace, it's useful to acquire a shell at various points of progress, and to delay further boot-up until that shell has exited.

The dracut initrd generator has supported a concept for this for a long time: the rd.break= kernel command line option defines a bunch of "breakpoints" that give you just that during the initrd phase.

Lennart Poettering @pid_eins
2025-06-04

1️⃣0️⃣ Here's the 10th post highlighting key new features of the upcoming v258 release of systemd.

In datacenter setups as well as for local test infrastructure it's very useful to network boot systems, so that they read their boot files not from a local hard disk but from some networked server.

In a modern UEFI world this is taken care of by HTTP boot: the UEFI firmware natively implements HTTP, can acquire either a single EFI program via that, or a disk image, and boot into that.

إمي 🏳️‍⚧️🇵🇸 @emmy@transfem.social
2025-06-03

Lennart should migrate to an instance with a character limit that's much higher than 500.
#systemd258

Lennart Poettering @pid_eins
2025-06-03

9️⃣ Here's the 9th post highlighting key new features of the upcoming v258 release of systemd.

Most Linux folks probably spend much of their day in their terminal emulator. Such emulators ultimately reimplement in software what dedicated hardware terminals did in the 1980s and before. While the protocol terminals speak didn't change much in its most basic concepts, various extensions have been added over the years to integrate terminal emulators better with the windowing…

Lennart Poettering @pid_eins
2025-06-02

8️⃣ Here's the 8th post highlighting key new features of the upcoming v258 release of systemd.

For a long time systemd has had the ConditionHost= unit file setting, which allows limiting execution of a unit to a specific host. As argument it takes either a hostname (with shell-style globbing, nicely aligning with the question mark logic in /etc/hostname, as in the 5th episode of this season of this series), or a machine ID (i.e. /etc/machine-id) specification.

Lennart Poettering @pid_eins
2025-06-01

7️⃣ Here's the 7th post highlighting key new features of the upcoming v258 release of systemd.

systemd is at its most basic a service manager, i.e. it runs programs in a resource-managed, security-sandboxed way, properly ordered, and starts the system that way and keeps it running.

The focus for this kind of service management is really on services that are started no matter what, regardless of the resources available, because the underlying assumption…

Lennart Poettering @pid_eins
2025-05-31

6️⃣ Here's the 6th post highlighting key new features of the upcoming v258 release of systemd.

The concept of /tmp/ has been a constant source of local security vulnerabilities, mostly in the form of a local DoS: /tmp/ is a shared namespace and less than perfect programs create files under guessable names there, which evil programs can then use to DoS them.

This has been like this since time began and /tmp/ was invented.

Lennart Poettering @pid_eins
2025-05-28

5️⃣ Here's the 5th post highlighting key new features of the upcoming v258 release of systemd.

On modern Linux systems the persistent hostname is configured in /etc/hostname. Linux people treating their devices like pets tend to come up with nice, imaginative names for their hosts.

But this doesn't scale: if you have a large number of devices to manage (i.e. "cattle") then you typically want something more automatic: the hostnames used should follow some specific pattern, …

Lennart Poettering @pid_eins
2025-05-26

4️⃣ Here's the 4th post highlighting key new features of the upcoming v258 release of systemd.

One key Linux technology container runtimes rely on is user namespaces ("userns"). These essentially virtualize the UID/GID range so that each container can have its own set of UIDs/GIDs, which map to individual, distinct subsets of the host's UIDs/GIDs. Given that UIDs/GIDs are the most fundamental of UNIX's security credentials, userns are pretty essential to the security of containers.

Lennart Poettering @pid_eins
2025-05-23

3️⃣ Here's the 3rd post highlighting key new features of the upcoming v258 release of systemd.

systemd-resolved is a local DNS cache, widely deployed on Linux systems. What makes it different from older solutions is that it manages DNS settings primarily as a per-network-interface setting, instead of a per-system setting. This reflects today's world better, where systems tend to be connected to multiple networks at different times (or continuously), instead of…

Lennart Poettering @pid_eins
2025-05-22

2️⃣ Here's the 2nd post highlighting key new features of the upcoming v258 release of systemd.

On UNIX systems every user registered on a local system owns a private directory: the "home" directory, where the user's configuration and data is saved and stored. In systemd there's systemd-homed, which can manage that home directory securely, encrypted with a key that is provided at login time.

In most cases having a single home directory for each user is enough.

Lennart Poettering @pid_eins
2025-05-21

It's that time again! The systemd v258 release is coming closer. Let's restart the "what's new" series of posts for this iteration! Hence:

1️⃣ Here's the 1st post highlighting key new features of the upcoming v258 release of systemd.

As most of you probably know "systemctl start" is how you manually start a systemd unit. Starting a unit can fail, and systemd tracks that for you and tells you this. When you encounter such a failure the next thing you'd typically do…

Lennart Poettering @pid_eins
2024-12-17

Here's a blog story with links and very brief summaries of all those stories on Mastodon:

0pointer.net/blog/announcing-s

Enjoy! And stay tuned for !

Lennart Poettering @pid_eins
2024-12-17

And that's it! After 37 installments I think I covered pretty much all the bigger things in the NEWS file with a story.

Of course, there's a lot more in this release. For the full list, consult our NEWS file:

github.com/systemd/systemd/blo

Stay tuned so that you won't miss out on the series when the time comes for the next release!
