systemd 250 Released With A Huge Number Of New Features, Improvements
Systemd 250 has a lot in store that has accumulated over the past half-year. Following the release candidates of the past few weeks, systemd 250 formally shipped this afternoon.
Among the many changes in systemd 250 are:
- Support for encrypted and authenticated credentials. The encryption key can be one stored under /var/ or a TPM2 chip on the system, and credentials are automatically decrypted when the service is started. There is also a new tool called systemd-creds for dealing with the credentials. This can be used for SSL certificates, passwords, and other similar data.
- Expanding the GPT Discoverable Partitions Specification with support for root and /usr/ partitions on the majority of architectures supported by systemd, among other changes.
- Systemd-logind has new settings for long presses of the power, reboot, or suspend keys on the system. The behavior for long presses (greater than 5 seconds) of those buttons can now be configured in logind.
- A new per-service setting of RestrictFileSystems= for restricting the file-systems a service can access based on their type.
- Services also have a new setting RestrictNetworkInterfaces= for restricting access of services to specific network interfaces.
- The default maximum number of inodes has been raised from 64k to 1M for /dev and from 400k to 1M for /tmp.
- The per-user service manager now supports communicating with systemd-oomd for learning of out-of-memory kill information.
- Various TPM 2.0 trusted platform module support improvements.
- Support for activating dm-integrity volumes at boot using a new /etc/integritytab file.
- New hardware databases for signal analyzers and cameras. The camera hardware database keeps track of whether cameras point forward/backward and of different types such as infrared.
- A new unit, systemd-boot-update.service, is added for systems using the sd-boot loader to ensure the boot loader remains up to date, automatically propagated from the OS tree information in /usr.
- Easier support for migrating home directories between systems when running systemd-homed. Systemd-homed now uses UID mapped mounts on supported kernels/file-systems: files are internally owned by "nobody" and then mapped to the UID used locally on the system via the UID mapped mounts interface. This improves migrating home directories between systems by no longer having to recursively chown files.
- Systemd-homed now defaults to using Btrfs Zstd compression for home areas, following Fedora's recent decision to do so.
- Initial support for the LoongArch architecture.
- Systemd-journald now re-enables copy-on-write for archived journal files on supported file-systems.
- Introducing KERNEL_INSTALL_MACHINE_ID= support within /etc/machine-info. This value will be preferred over any /etc/machine-id value.
- Support for loading credentials from /loader/credentials/*.cred for credentials like SSH keys, rootfs encryption keys, dm-integrity keys, etc. These are intended for credentials that are not kernel/initrd-specific and thus should be loaded with any kernel image.
- A proper BCD (Boot Configuration Data) parser for Microsoft Windows' boot data used since Windows Vista.
- The systemd network-generator now supports link6 network configurations for having IPv6 link-local connectivity.
- Allowing statically linked builds for bootctl and systemd-bless-boot using the new "-Dlink-boot-shared=false" option. Adding this support was driven by CentOS/RHEL 9 having a full systemd stack except for bootctl/systemd-bless-boot.
- Hole punching improvements for the systemd journal.
- systemd-network-generator is now enabled by default.
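
A sketch of how the encrypted-credential, RestrictFileSystems= and RestrictNetworkInterfaces= items from the list above combine in a single service unit. This is an added example, not taken from the article or from the systemd project; the unit name, binary path, credential path, interface names and file-system choices are all assumptions.

```ini
# /etc/systemd/system/example-api.service
# Hypothetical unit: service name, paths and interface names are assumptions.
#
# The credential file is created ahead of time with the new tool, e.g.:
#   systemd-creds encrypt --name=tls-key tls-key.pem /etc/example-api/tls-key.cred
# The name embedded at encryption time has to match the credential ID used
# in LoadCredentialEncrypted= below, otherwise decryption is refused.

[Unit]
Description=Example API (systemd 250 credential and sandboxing settings)

[Service]
ExecStart=/usr/local/bin/example-api

# Decrypted when the service starts. The service reads the plaintext from
# $CREDENTIALS_DIRECTORY/tls-key; the file under /etc stays encrypted.
LoadCredentialEncrypted=tls-key:/etc/example-api/tls-key.cred

# Allow-list of file-system types the service may open files on.
# @basic-api and @temporary are predefined groups (API file systems such as
# proc/sysfs, and tmpfs/ramfs); ext4 is assumed to be the root file system.
# This setting depends on BPF LSM support in the running kernel.
RestrictFileSystems=@basic-api @temporary ext4

# Only loopback and one assumed uplink interface are usable by the service.
# A leading "~" would turn the list into a deny-list instead.
RestrictNetworkInterfaces=lo eth0

[Install]
WantedBy=multi-user.target
```

An allow-list that is too narrow breaks the service at file open time rather than at start, so test the unit's normal workload after enabling RestrictFileSystems=.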
Systemd 250 is a very big release with the above-mentioned items just being what caught my attention. See the NEWS file for the lengthy list of changes with systemd 250. Those rolling their own systemd builds can grab the fresh sources from GitHub.