Systemd Conquers Home Directories

Filed under
Linux
  • systemd 245 released
    A new, official systemd release has just been tagged. Please download the tarball here:
    
            https://github.com/systemd/systemd/archive/v245.tar.gz
    
    Changes since the previous release:
    
            * A new tool "systemd-repart" has been added, that operates as an
              idempotent declarative repartitioner for GPT partition tables.
              Specifically, a set of partitions that must or may exist can be
              configured via drop-in files, and during every boot the partition
              table on disk is compared with these files, creating missing
              partitions or growing existing ones based on configurable relative
              and absolute size constraints. The tool is strictly incremental,
              i.e. does not delete, shrink or move partitions, but only adds and
              grows them. The primary use-case is OS images that ship in minimized
              form, that on first boot are grown to the size of the underlying
              block device or augmented with additional partitions. For example,
              the root partition could be extended to cover the whole disk, or a
              swap or /home partitions could be added on first boot. It can also be
              used for systems that use an A/B update scheme but ship images with
              just the A partition, with B added on first boot. The tool is
              primarily intended to be run in the initrd, shortly before
              transitioning into the host OS, but can also be run after the
              transition took place. It automatically discovers the disk backing
              the root file system, and should hence not require any additional
              configuration besides the partition definition drop-ins. If no
              configuration drop-ins are present, no action is taken.
    
            * A new component "userdb" has been added, along with a small daemon
              "systemd-userdb.service" and a client tool "userdbctl". The framework
              allows defining rich user and group records in a JSON format,
              extending on the classic "struct passwd" and "struct group"
              structures. Various components in systemd have been updated to
              process records in this format, including systemd-logind and
              pam-systemd. The user records are intended to be extensible, and
              allow setting various resource management, security and runtime
              parameters that shall be applied to processes and sessions of the
              user as they log in. This facility is intended to allow associating
              such metadata directly with user/group records so that they can be
              produced, extended and consumed in unified form. We hope that
              eventually frameworks such as sssd will generate records this way, so
              that for the first time resource management and various other
              per-user settings can be configured in LDAP directories and then
              provided to systemd (specifically to systemd-logind and pam-systemd)
              to apply on login. For further details see:
    
              https://systemd.io/USER_RECORD
              https://systemd.io/GROUP_RECORD
              https://systemd.io/USER_GROUP_API
    
            * A small new service systemd-homed.service has been added, that may be
              used to securely manage home directories with built-in encryption.
              The complete user record data is unified with the home directory,
              thus making home directories naturally migratable. Its primary
              back-end is based on LUKS volumes, but fscrypt, plain directories,
              and other storage schemes are also supported. This solves a couple of
              problems we saw with traditional ways to manage home directories, in
              particular when it comes to encryption. For further discussion of
              this, see the video of Lennart's talk at AllSystemsGo! 2019:
    
              https://media.ccc.de/v/ASG2019-164-reinventing-home-direc...
    
              For further details about the format and expectations on home
              directories this new daemon makes, see:
    
              https://systemd.io/HOME_DIRECTORY
    
            * systemd-journald is now multi-instantiable. In addition to the main
              instance systemd-journald.service there's now a template unit
              systemd-journald@.service, with each instance defining a new named
              log 'namespace' (whose name is specified via the instance part of the
              unit name). A new unit file setting LogNamespace= has been added,
              taking such a namespace name, that assigns services to the specified
              log namespaces. As each log namespace is serviced by its own
              independent journal daemon, this functionality may be used to improve
              performance and increase isolation of applications, at the price of
              losing global message ordering. Each instance of journald has a
              separate set of configuration files, with possibly different disk
              usage limitations and other settings.
    
              journalctl now takes a new option --namespace= to show logs from a
              specific log namespace. The sd-journal.h API gained
              sd_journal_open_namespace() for opening the log stream of a specific
              log namespace. systemd-journald also gained the ability to exit on
              idle, which is useful in the context of log namespaces, as this means
              log daemons for log namespaces can be activated automatically on
              demand and will stop automatically when no longer used, minimizing
              resource usage.
    
            * When systemd-tmpfiles copies a file tree using the 'C' line type it
              will now label every copied file according to the SELinux database.
    
            * When systemd/PID 1 detects it is used in the initrd it will now boot
              into initrd.target rather than default.target by default. This should
              make it simpler to build initrds with systemd as for many cases the
              only difference between a host OS image and an initrd image now is
              the presence of the /etc/initrd-release file.
    
            * A new kernel command line option systemd.cpu_affinity= is now
              understood. It's equivalent to the CPUAffinity= option in
              /etc/systemd/system.conf and allows setting the CPU mask for PID 1
              itself and the default for all other processes.
    
            * When systemd/PID 1 is reloaded (with systemctl daemon-reload or
              equivalent), the SELinux database is now reloaded, ensuring that
              sockets and other file system objects are generated taking the new
              database into account.
    
            * systemd/PID 1 accepts a new "systemd.show-status=error" setting, and
              "quiet" has been changed to imply that instead of
              "systemd.show-status=auto". In this mode, only messages about errors
              and significant delays in boot are shown on the console.
    
            * The sd-event.h API gained native support for the new Linux "pidfd"
              concept. This permits watching processes using file descriptors
              instead of PID numbers, which fixes a number of races and makes
              process supervision more robust and efficient. All of systemd's
              components will now use pidfds if the kernel supports it for process
              watching, with the exception of PID 1 itself, unfortunately. We hope
              to move PID 1 to exclusively using pidfds too eventually, but this
              requires some more kernel work first. (Background: PID 1 watches
              processes using waitid() with the P_ALL flag, and that does not play
              together nicely with pidfds yet.)
    
            * Closely related to this, the sd-event.h API gained two new calls
              sd_event_source_send_child_signal() (for sending a signal to a
              watched process) and sd_event_source_get_child_process_own() (for
              marking a process so that it is killed automatically whenever the
              event source watching it is freed).
    
            * systemd-networkd gained support for configuring Token Bucket Filter
              (TBF) parameters in its qdisc configuration support. Similarly,
              support for Stochastic Fairness Queuing (SFQ), Controlled-Delay
              Active Queue Management (CoDel), and Fair Queue (FQ) has been added.
    
            * systemd-networkd gained support for Intermediate Functional Block
              (IFB) network devices.
    
            * systemd-networkd gained support for configuring multi-path IP routes,
              using the new MultiPathRoute= setting in the [Route] section.
    
            * systemd-networkd's DHCPv4 client has been updated to support a new
              SendDecline= option. If enabled, duplicate address detection is done
              after a DHCP offer is received from the server. If a conflict is
              detected, the address is declined. The DHCPv4 client also gained
              support for a new RouteMTUBytes= setting that allows configuring the
              MTU size to be used for routes generated from DHCPv4 leases.
    
            * The PrefixRoute= setting in systemd-networkd's [Address] section of
              .network files has been deprecated, and replaced by AddPrefixRoute=,
              with its sense inverted.
    
            * The Gateway= setting of [Route] sections of .network files gained
              support for a special new value "_dhcp". If set, the configured
              static route uses the gateway host configured via DHCP.
    
            * New User= and SuppressPrefixLength= settings have been implemented
              for the [RoutingPolicyRule] section of .network files to configure
              source routing based on UID ranges and prefix length, respectively.
    
            * sd-bus gained a new API call sd_bus_message_sensitive() that marks a
              D-Bus message object as "sensitive". Those objects are erased from
              memory when they are freed. This concept is intended to be used for
              messages that contain security sensitive data. A new flag
              SD_BUS_VTABLE_SENSITIVE has been introduced as well to mark methods
              in sd-bus vtables, causing any incoming and outgoing messages of
              those methods to be implicitly marked as "sensitive".
    
            * sd-bus gained a new API call sd_bus_message_dump() for dumping the
              contents of a message (or parts thereof) to standard output for
              debugging purposes.
    
            * systemd-sysusers gained support for creating users with the primary
              group named differently than the user.
    
            * systemd-resolved's DNS-over-TLS support gained SNI validation.
    
            * systemd-growfs (i.e. the x-systemd.growfs mount option in /etc/fstab)
              gained support for growing XFS partitions. Previously it supported
              only ext4 and btrfs partitions.
    
            * The support for /etc/crypttab gained a new x-initrd.attach option. If
              set, the specified encrypted volume is unlocked already in the
              initrd. This concept corresponds to the x-initrd.mount option in
              /etc/fstab.
    
            * systemd-cryptsetup gained native support for unlocking encrypted
              volumes utilizing PKCS#11 smartcards, i.e. for example to bind
              encryption of volumes to YubiKeys. This is exposed in the new
              pkcs11-uri= option in /etc/crypttab.
    
            * The /etc/fstab support in systemd now supports two new mount options
              x-systemd.{required,wanted}-by=, for explicitly configuring the units
              that the specified mount shall be pulled in by, in place of
              the usual local-fs.target/remote-fs.target.
    
            * The https://systemd.io/ web site has been relaunched, directly
              populated with most of the documentation included in the systemd
              repository. systemd also acquired a new logo, thanks to Tobias
              Bernard.
    
            * systemd-udevd gained support for managing "alternative" network
              interface names, as supported by new Linux kernels. For the first
              time this permits assigning multiple (and longer!) names to a network
              interface. systemd-udevd will now by default assign the names
              generated via all supported naming schemes to each interface. This
              may be further tweaked with .link files and the AlternativeName= and
              AlternativeNamesPolicy= settings. Other components of systemd have
              been updated to support the new alternative names wherever
              appropriate. For example, systemd-nspawn will now generate
              alternative interface names for the host-facing side of container
              veth links based on the full container name without truncation.
    
            * systemd-nspawn interface naming logic has been updated in another way
              too: if the main interface name (i.e. as opposed to new-style
              "alternative" names) based on the container name is truncated, a
              simple hashing scheme is used to give different interface names to
              multiple containers whose names all begin with the same prefix. Since
              this changes the primary interface names pointing to containers if
              truncation happens, the old scheme may still be requested by
              selecting an older naming scheme, via the net.naming-scheme= kernel
              command line option.
    
            * PrivateUsers= in service files now works in services run by the
              systemd --user per-user instance of the service manager.
    
            * A new per-service sandboxing option ProtectClock= has been added that
              locks down write access to the system clock. It takes away device
              node access to /dev/rtc as well as the system calls that set the
              system clock and the CAP_SYS_TIME and CAP_WAKE_ALARM capabilities.
              Note that this option does not affect access to auxiliary services
              that allow changing the clock, for example access to
              systemd-timedated.
    
            * The systemd-id128 tool gained a new "show" verb for listing or
              resolving a number of well-known UUIDs/128bit IDs, currently mostly
              GPT partition table types.
    
            * The Discoverable Partitions Specification has been updated to support
              /var and /var/tmp partition discovery. Support for this has been
              added to systemd-gpt-auto-generator. For details see:
    
              https://systemd.io/DISCOVERABLE_PARTITIONS
    
            * "systemctl list-unit-files" has been updated to show a new column
              with the suggested enablement state based on the vendor preset files
              for the respective units.
    
            * "systemctl" gained a new option "--with-dependencies". If specified
              commands such as "systemctl status" or "systemctl cat" will now show
              all specified units along with all units they depend on.
    
            * networkctl gained support for showing per-interface logs in its
              "status" output.
    
            * systemd-networkd-wait-online gained support for specifying the maximum
              operational state to wait for, and to wait for interfaces to
              disappear.
    
            * The [Match] section of .link and .network files now supports a new
              option PermanentMACAddress= which may be used to check against the
              permanent MAC address of a network device even if a randomized MAC
              address is used.
    
            * The [TrafficControlQueueingDiscipline] section in .network files has
              been renamed to [NetworkEmulator] with the "NetworkEmulator" prefix
              dropped from the individual setting names.
    
            * Any .link and .network files that have an empty [Match] section (this
              also includes empty and commented-out files) will now be
              rejected. systemd-udev and systemd-networkd started warning about
              such files in version 243.
    
            * systemd-logind will now validate access to the operation of changing
              the virtual terminal via a PolicyKit action. By default, only users
              with at least one session on a local VT are granted permission.
    
            * When systemd sets up PAM sessions that invoked service processes
              shall run in, the pam_setcred() API is now invoked, thus permitting
              PAM modules to set additional credentials for the processes.
    
            * portablectl attach/detach verbs now accept --now and --enable options
              to combine attachment with enablement and invocation, or detachment
              with stopping and disablement.
    
            Contributions from: AJ Bagwell, Alin Popa, Andreas Rammhold, Anita
            Zhang, Ansgar Burchardt, Antonio Russo, Arian van Putten, Ashley Davis,
            Balint Reczey, Bart Willems, Bastien Nocera, Benjamin Dahlhoff, Charles
            (Chas) Williams, cheese1, Chris Down, Chris Murphy, Christian Ehrhardt,
            Christian Göttsche, cvoinf, Daan De Meyer, Daniele Medri, Daniel Rusek,
            Daniel Shahaf, Dann Frazier, Dan Streetman, Dariusz Gadomski, David
            Michael, Dimitri John Ledkov, Emmanuel Bourg, Evgeny Vereshchagin,
            ezst036, Felipe Sateler, Filipe Brandenburger, Florian Klink, Franck
            Bui, Fran Dieguez, Frantisek Sumsal, Greg "GothAck" Miell, Guilhem
            Lettron, Guillaume Douézan-Grard, Hans de Goede, HATAYAMA Daisuke, Iain
            Lane, James Buren, Jan Alexander Steffens (heftig), Jérémy Rosen, Jin
            Park, Jun'ichi Nomura, Kai Krakow, Kevin Kuehler, Kevin P. Fleming,
            Lennart Poettering, Leonid Bloch, Leonid Evdokimov, lothrond, Luca
            Boccassi, Lukas K, Lynn Kirby, Mario Limonciello, Mark Deneen, Matthew
            Leeds, Michael Biebl, Michal Koutný, Michal Sekletár, Mike Auty, Mike
            Gilbert, mtron, nabijaczleweli, Naïm Favier, Nate Jones, Norbert Lange,
            Oliver Giles, Paul Davey, Paul Menzel, Peter Hutterer, Piotr Drąg, Rafa
            Couto, Raphael, rhn, Robert Scheck, Rocka, Romain Naour, Ryan Attard,
            Sascha Dewald, Shengjing Zhu, Slava Kardakov, Spencer Michaels, Sylvain
            Plantefeve, Stanislav Angelovič, Susant Sahani, Thomas Haller, Thomas
            Schmitt, Timo Schlüßler, Timo Wilken, Tobias Bernard, Tobias Klauser,
            Tobias Stoeckmann, Topi Miettinen, tsia, WataruMatsuoka, Wieland
            Hoffmann, Wilhelm Schuster, Will Fleming, xduugu, Yong Cong Sin, Yuri
            Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zeyu
            DONG
    
            – Warsaw, 2020-03-06
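
As an added example, not code from the release announcement above, here is how two of the new per-service settings fit together: a constructed worker service whose logs go to their own journal namespace (LogNamespace=) and which cannot touch the system clock (ProtectClock=). The unit name, the namespace name `worker`, the ExecStart= path and the size limit are placeholders.

```ini
# /etc/systemd/system/worker.service (constructed example)
[Unit]
Description=Example worker with isolated logging and clock protection

[Service]
# Placeholder path; replace with the real binary.
ExecStart=/usr/local/bin/worker
# New in 245: this service's stdout/stderr and journal output go to the
# "worker" log namespace, served by systemd-journald@worker.service
# rather than by the main journald instance.
LogNamespace=worker
# New in 245: drops CAP_SYS_TIME and CAP_WAKE_ALARM, blocks the system
# calls that set the clock, and removes device access to /dev/rtc.
ProtectClock=yes
# Existing hardening that ProtectClock= complements.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes

[Install]
WantedBy=multi-user.target

# /etc/systemd/journald@worker.conf (constructed example)
# Each namespace instance reads its own configuration file, so disk
# limits can differ from those in the main /etc/systemd/journald.conf.
[Journal]
Storage=persistent
SystemMaxUse=200M
```

The service's messages are then read with `journalctl --namespace=worker -u worker.service`, and the namespace's journald instance exits on idle once no process writes to it.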
    
  • Systemd 245 Enables Secure Management of Home Directories

    The systemd 245 init system for Linux-based operating systems is now available for download and it’s a major release that adds new features and enhancements.

    As you probably already heard, systemd 245 is the first version of the controversial init system to ship with systemd-homed.service, a new feature that enables secure management of /home directories with built-in encryption.

    Not only does this feature address some old issues with the traditional ways of managing home directories, but it also unifies the entire user record data with the home directory. This means that /home directories can now be easily migrated. systemd-homed supports both LUKS and fscrypt disk encryption standards.

  • Systemd 245 Released - First Version Including Systemd-Homed

    Systemd 245 RC2 was released just earlier this week while now it has been succeeded by the stable release of systemd 245.

    Most notable with systemd 245 is the introduction of systemd-homed that reimagines/modernizes Linux home directory handling with better password and encryption support, more self-containment / portability to allow more easily migratable home directories, and other features. It will be interesting to see the adoption of systemd-homed by Linux distributions moving forward.

  • systemd 245 released

    Systemd 245 is out. As usual, the list of new features is long; perhaps the one that has gained the most attention is systemd-homed...

    There is also a new database for holding user and group data and a systemd-repart tool for the management of partitions on storage-devices at boot time.
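
As an added example (not part of the LWN item or the systemd project's own documentation), the following systemd-repart drop-ins describe the first-boot layout the release notes talk about: grow the root partition to fill the disk, and add swap and /home partitions if they are missing. The file names, sizes and weights are assumptions; since systemd-repart only adds or grows, an existing larger partition is left as it is.

```ini
# /etc/repart.d/10-root.conf (constructed example)
# Matches the existing root partition by GPT type and lets it grow.
[Partition]
Type=root
# No SizeMaxBytes=: the partition competes for all remaining space with
# the others according to Weight= (1000 is the default).
Weight=1000

# /etc/repart.d/20-swap.conf (constructed example)
# Created on first boot if no swap partition exists yet; capped at 4G.
[Partition]
Type=swap
SizeMinBytes=1G
SizeMaxBytes=4G
Weight=100

# /etc/repart.d/30-home.conf (constructed example)
# Added as a separate /home partition on first boot.
[Partition]
Type=home
Label=home
SizeMinBytes=2G
Weight=500
```

Running `systemd-repart` without `--dry-run=no` only prints the planned changes, which is the way to check the drop-ins before letting the initrd apply them on a real disk.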
