

systemd 259-rc1 Released With Musl libc Support, New run0 "Empower" Mode

([systemd] 3 Hours Ago systemd 259)


systemd 259-rc1 was released a short time ago as the first test release toward the next version of the dominant Linux init system and service manager.

Some of the systemd 259 feature highlights include:

- Merged just today prior to the rc1 release was [1]experimental support for using musl libc as an alternative to the GNU C Library (glibc).

- The service manager's Varlink IPC implementation has been extended and now exposes considerably more functionality.

- New OOMKills and ManagedOOMKills properties are exposed on service units, counting the processes killed by the kernel's OOM killer and by systemd-oomd respectively.

- systemd-udevd and systemd-repart will re-read partition tables on block devices in a more graceful and incremental manner.

- systemd-boot now supports log levels.

- Support for Linux audit, PAM, libacl, libblkid, libseccomp, libselinux and libmount is now loaded via dlopen() rather than regular dynamic linking, which reduces the footprint within containers. The practical consequence is that these libraries become optional runtime dependencies: if one is absent from an image, the corresponding functionality is unavailable rather than the binary failing to start, so a minimal container image needs to be checked for the libraries its policies actually rely on.

- systemd-modules-load will now load configured kernel modules in parallel.

- systemd-integrity-setup now supports HMAC-SHA256, PHMAC-SHA256, and PHMAC-SHA512.

- run0 gained an "--empower" switch that starts a new session with elevated privileges without switching to the root user. The systemd NEWS entry describes the mode as follows:

"run0 gained a new --empower switch. It will invoke a new session with elevated privileges – without switching to the root user. Specifically, it sets the full ambient capabilities mask (including CAP_SYS_ADMIN), which ensures that privileged system calls will typically be permitted. Moreover, it adds the session processes to the new "empower" system group, which is respected by polkit and allows privileged access to most polkit actions. This provides a much less invasive way to acquire privileges, as it will not change $HOME or the UID and hence risk creation of files owned by the wrong UID in the user's home. (Note that --empower might not work in all cases, as many programs still do access checks purely based on the UID, without Linux process capabilities or polkit policies having any effect on them.)"

- The default storage mode for the systemd journal is now "persistent" rather than "auto". With "auto", journald only wrote to /var/log/journal if that directory already existed and otherwise kept logs in the volatile /run/log/journal; with "persistent", the directory is created as needed, so logs now survive reboots by default and consume disk space accordingly.

- systemd-boot and systemd-stub have dropped TPM 1.2 support and now target TPM 2.0 only, which is the better-secured option given that TPM 1.2 offers only SHA-1 PCR banks.
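The --empower semantics quoted above (ambient capabilities set, UID unchanged, membership in the "empower" group) can be checked from inside a session by reading /proc/PID/status. The following script is an added example, not code from the systemd project or from this article; it assumes CAP_SYS_ADMIN is capability number 21 as defined in linux/capability.h and that the polkit group is literally named "empower" as the NEWS entry states. The embedded status dumps are constructed samples, not captures from a real system.

```shell
#!/bin/sh
# Added example, not from systemd or the article: tell a root session, a
# run0 --empower session and a plain session apart using /proc/PID/status
# and the group list. Assumption: CAP_SYS_ADMIN is capability number 21
# (linux/capability.h), i.e. bit 21 of the CapAmb hex mask.
CAP_SYS_ADMIN_BIT=21

# cap_has_sys_admin HEXMASK: succeed if bit 21 is set in a CapXxx hex mask
cap_has_sys_admin() {
    [ $(( (0x${1:-0} >> CAP_SYS_ADMIN_BIT) & 1 )) -ne 0 ]
}

# field_of STATUS_TEXT KEY N: N-th value after "KEY:" in a status dump
field_of() {
    printf '%s\n' "$1" | awk -v key="$2:" -v n="$3" '$1 == key { print $(n + 1); exit }'
}

# classify_status STATUS_TEXT: prints one of
#   root         - effective UID 0 (sudo, plain run0)
#   empowered    - non-root UID but CAP_SYS_ADMIN in the ambient set (run0 --empower)
#   unprivileged - neither
classify_status() {
    euid=$(field_of "$1" Uid 2)        # Uid: real effective saved fs
    capamb=$(field_of "$1" CapAmb 1)
    if [ "$euid" = 0 ]; then
        echo root
    elif cap_has_sys_admin "$capamb"; then
        echo empowered
    else
        echo unprivileged
    fi
}

# uid_check_passes STATUS_TEXT: the check many programs still do (UID only).
# It fails in an empowered session even though CAP_SYS_ADMIN is available,
# which is the limitation the NEWS entry warns about.
uid_check_passes() {
    [ "$(field_of "$1" Uid 2)" = 0 ]
}

# in_empower_group "GROUP LIST": whether `id -nG` output contains the polkit group
in_empower_group() {
    case " $1 " in *" empower "*) return 0 ;; *) return 1 ;; esac
}

# Constructed samples (not captured from a real system).
ROOT_STATUS='Uid:	0	0	0	0
CapEff:	000001ffffffffff
CapAmb:	0000000000000000'
EMPOWERED_STATUS='Uid:	1000	1000	1000	1000
CapEff:	000001ffffffffff
CapAmb:	000001ffffffffff'
PLAIN_STATUS='Uid:	1000	1000	1000	1000
CapEff:	0000000000000000
CapAmb:	0000000000000000'

# Report on the calling shell itself when run stand-alone on Linux.
if [ -r /proc/self/status ]; then
    echo "this session: $(classify_status "$(cat /proc/self/status)")"
    in_empower_group "$(id -nG)" && echo "member of empower group"
fi
```

Running it from a `run0 --empower` shell should report "empowered" together with the group line, while `uid_check_passes` on the same status text fails; that pair is exactly why tools that gate on `id -u` keep refusing an empowered session.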

Planned for systemd 260 is the removal of support for System V init scripts, a Linux 5.10+ requirement (with 5.14+ recommended), and other incompatible changes.

Downloads and more details on today's systemd 259-rc1 release are available via [2]GitHub.



[1] https://www.phoronix.com/news/systemd-musl-libc

[2] https://github.com/systemd/systemd/releases/tag/v259-rc1


