Systemd 211 Piles On More Changes

    Phoronix: Systemd 211 Piles On More Changes

    Not too long after systemd 210, the next systemd release is now available and with it comes plenty more changes...

    http://www.phoronix.com/vr.php?view=MTYyNzI

  • #2
    Originally posted by core: add new RestrictAddressFamilies= switch
    This new unit setting allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them.

    This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
    Hopefully it will gracefully fall back if a shipped systemd file that uses this is being used on an x86-32 platform.

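To make the release note above concrete, here is what the setting looks like in a unit file. This is an added example, not code from the systemd project or from the thread; the unit name, description and the /usr/local/bin/example-daemon path are hypothetical. The setting is an allow-list: only the named families may be passed to socket(2), and calls for any other family fail (systemd's seccomp filter makes them return EAFNOSUPPORT). Per the quoted note, on x86-32 the filter cannot be installed, so there the setting has no effect and the daemon keeps its full socket access.

```ini
# /etc/systemd/system/example-local.service   (hypothetical unit, added example)
[Unit]
Description=Example daemon that only talks over a local Unix socket

[Service]
ExecStart=/usr/local/bin/example-daemon

# Allow-list of address families for socket(2).
# With only AF_UNIX here, socket(AF_INET, ...) and socket(AF_INET6, ...)
# fail inside the service: the whole IPv4/IPv6 stack is unreachable to it,
# which is the attack-surface reduction the release note describes.
RestrictAddressFamilies=AF_UNIX

# A daemon that genuinely needs TCP/IP but nothing exotic (no AF_PACKET,
# AF_NETLINK, AF_BLUETOOTH, ...) would instead use:
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

[Install]
WantedBy=multi-user.target
```

Two caveats a practitioner will want: the filter only governs the socket() call, so a socket the process receives by other means (socket activation, fd passing over AF_UNIX) is unaffected, and the setting can be verified after loading with `systemctl show -p RestrictAddressFamilies example-local.service`. Because the restriction is a property of the unit rather than of the binary, it can also be applied to a packaged service without touching its own unit by putting the `[Service]` lines above in a drop-in under `/etc/systemd/system/<name>.service.d/`.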
    • #3
      Originally posted by Rexilion:
      Hopefully it will gracefully fall back if a shipped systemd file that uses this is being used on an x86-32 platform.
      From what I understand, shouldn't the syscall be fixed to provide the same feature on x86_32 and x86_64?

      • #4
        Originally posted by doom_Oo7:
        From what I understand, shouldn't the syscall be fixed to provide the same feature on x86_32 and x86_64?
        Maybe, maybe not.

        But I guess this is how the decay of an architecture begins. On the other side, PaX + Grsecurity is much better on x86_32.

        • #5
          It seems that now one can boot without an /etc/fstab file, systemd will automagically find the various partitions and mount them: https://plus.google.com/+LennartPoet...ts/5p1QuhdFtjN

          I do wonder how it would handle mount flags?

          • #6
            Originally posted by Spittie:
            It seems that now one can boot without an /etc/fstab file, systemd will automagically find the various partitions and mount them: https://plus.google.com/+LennartPoet...ts/5p1QuhdFtjN

            I do wonder how it would handle mount flags?
            Yeah, have fun with that on a remote system when systemd does that wrong.

            • #7
              Originally posted by Spittie:
              I do wonder how it would handle mount flags?
              I'm pretty sure it doesn't. That's what /etc/fstab is (still) for. (Or perhaps you can edit some unit files that mount the partitions.)

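The "unit files that mount the partitions" mentioned above are systemd mount units, and mount flags have an explicit home there: the `Options=` key takes the same comma-separated list as the fourth field of /etc/fstab. The following is an added example, not code from the thread or from the systemd project; the mount point, filesystem type and the UUID placeholder are hypothetical and must be replaced with real values.

```ini
# /etc/systemd/system/srv.mount   (hypothetical unit, added example)
# The unit file name is derived from the mount point: /srv -> srv.mount,
# /var/lib/data -> var-lib-data.mount. A name that does not match Where= is rejected.
[Unit]
Description=Data volume for /srv with hardened mount flags

[Mount]
# PLACEHOLDER-UUID stands in for the real filesystem UUID (see blkid).
What=/dev/disk/by-uuid/PLACEHOLDER-UUID
Where=/srv
Type=ext4
# Mount flags, exactly as they would appear in the fstab options field.
# nodev/nosuid/noexec keep a data volume from being used to smuggle in
# device nodes, setuid binaries or executables.
Options=nodev,nosuid,noexec

[Install]
WantedBy=local-fs.target
```

The equivalent fstab line is `UUID=... /srv ext4 nodev,nosuid,noexec 0 2`; at boot systemd-fstab-generator turns each fstab entry into exactly this kind of mount unit, which is why an explicit fstab entry or mount unit, rather than the automatic discovery, is where an admin pins flags like these.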
              • #8
                Originally posted by GreatEmerald:
                I'm pretty sure it doesn't. That's what /etc/fstab is (still) for. (Or perhaps you can edit some unit files that mount the partitions.)
                That would be bad.

                So, place your bets: when will the mount utility be assimilated? 6 months? 1 year? 2 years?

                • #9
                  Originally posted by Rexilion:
                  That would be bad.

                  So, place your bets: when will the mount utility be assimilated? 6 months? 1 year? 2 years?
                  One of the reasons behind that feature is:
                  This is important since Linux containers generally cannot manage their own block devices and rely on the container manager to set up all file systems correctly. Or to say this with different words: this will soon enable us to deploy and boot OS images created with generic installers like Anaconda without any change in container managers such as nspawn and libvirt-lxc. The disk images Anaconda generates will become truly portable between containerized and non-containerized setups!
                  That said, it looks like if you have an fstab file it overrules the automagic behaviour. So what are you complaining about?

                  • #10
                    Originally posted by Vim_User:
                    Yeah, have fun with that on a remote system when systemd does that wrong.
                    That makes no sense. On a remote system which isn't an appliance, any server admin can just rely on /etc/fstab and not use this feature at all.
