systemd 253 Released With Ukify Tool, systemd-cryptenroll Unlocking Via FIDO2 Tokens
After going through several release candidates the past few weeks, systemd 253 has officially shipped today as the newest version of this init system and service manager for Linux systems.
Systemd 253 has a ton of changes in being the project's first feature release of 2023. Among the changes to find with systemd 253 include:
- A new tool with systemd 253 is the "ukify" tool to build, measure, and sign Unified Kernel Images (UKIs). The intent is for systemd ukify to replace functionality currently provided by "dracut --uefi" while providing more functionality as part of the new UKI / trusted boot philosophy.
- Initrd environments not on a temporary file-system are now supported.
- A new MemoryZSwapMax= option to configure the memory.zswap.max cgroup properties.
- Systemd scope units now support the OOMPolicy= option with login session scopes now defaulting to OOMPolicy=continue so they survive the OOM killer terminating some processes in the scope.
- The maximum rate at which daemon reloads are executed can now be controlled via the ReloadLimitIntervalSec= and ReloadLimitBurst= options.
- Systemd now executes generators in a "sandbox" mount namespace with most of the file-system being read-only and then just write access for output directories and a temporary /tmp mount point.
- A new unit type of Type=notify-reload where when a unit is reloaded via signal, the manager will wait until receiving a "READ=1" notification from the unit.
- A new environment variable $SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST can be used for overriding the mount units burst rate limiting for parsing /proc/self/mountinfo, with a default value of 5.
- Systemd-boot now passes its random seed directly to the kernel's RNG via the LINUX_EFI_RANDOM_SEED_TABLE_GUID configuration table.
- Systemd-boot can now be loaded from a direct kernel boot under QEMU, when embedded into the firmware, or other non-ESP scenarios.
- "systemctl kexec" now supports Xen.
- Various new options for systemd-dissect and systemd-repart.
- systemd-cryptenroll now supports unlocking via FIDO2 tokens.
- New Meson build-time configuration options of -Ddefault-timeout-sec= and -Ddefault-user-timeout-sec= to control the seconds for the default timeout of starting / stopping / aborting system and user units. This will make it easier for scenarios like Fedora Linux working to shorten its shutdown time by tightening up the defaults for shutting down of systemd services.
- systemd-boot adds a "if-safe" mode to perform UEFI Secure Boot automated certificate enrollment from the EFI System Partition (ESP) only if it is considered "safe" to do so. For this release it's deemed "safe" if running within a virtual machine.
- systemd-sysusers will now automatically create /etc if it is missing.
- A new setting of SuspendEstimationSec= to control the interval to measure the battery charge level as part of the system suspend-then-hibernate service.
- The default tmpfiles.d configuration will now automatically create the credentials storage directory of with the appropriate secure permissions.
- The DDI image dissection logic that is used by RootImage= in service unit files, the "--image=" switch in tools like systemd-nspawn, etc, will now only mount file-systems of types Btrfs, EXT4, XFS, EROFS, SquashFS or VFAT. This can be overrode using the $SYSTEMD_DISSECT_FILE_SYSTEMS environment variable but that supported list of file-systems is being based on being well supported and maintained in current kernels, particularly around security support and fixes.
- Service units have a new OpenFile= setting that can be used to open arbitrary files in the file-system or arbitrary AF_UNIX sockets while passing the open file descriptor to the invoked process via the FD passing protocol. The intention with this OpenFile functionality is for unprivileged services to access select files that have restrictive access modes.
Downloads and more details on systemd 253 via GitHub.