Continuing with a predictable development cycle, after 4 months of development it was unveiled the launch of the new version of systemd 248.
In this new version se provides image support for expanding directories system, the utility systemd-cryptenroll, as well as the ability to unlock LUKS2 using TPM2 chips and FIDO2 tokens, launch drives in an isolated IPC identifier space, and much more.
Main new features of systemd 248
In this new version the concept of system extension images was implemented, which can be used to expand the directory hierarchy and add additional files at runtimes, even if the specified directories are mounted read-only. When a system extension image is mounted, its content is overlaid in the hierarchy using OverlayFS.
Another change that stands out is that se has proposed a new utility systemd-sysext to connect, disconnect, view and update images system extensions, plus the systemd-sysext.service service has been added to automatically mount already installed images at boot time. For units, the ExtensionImages configuration is implemented, which can be used to link system extension images to the FS namespace hierarchy of individual isolated services.
Systemd-cryptsetup adds the ability to extract the URI from the PKCS # 11 token and the encrypted key from the LUKS2 metadata header in JSON format, which allows the open information of the encrypted device to be integrated into the device itself without involving external files, in addition provides support for unlocking LUKS2 encrypted partitions using TPM2 chips and FIDO2 tokens, in addition to the previously supported PKCS # 11 tokens. Loading libfido2 is done via dlopen (), i.e. availability is checked on the fly, not as a hard-coded dependency.
Also, in systemd 248 systemd-networkd has added support for the BATMAN mesh protocol («Better Approach To Mobile Adhoc Networking), which allows you to create decentralized networks, each node where it connects through neighboring nodes.
It is also highlighted that the implementation of the early response mechanism to forgetfulness has been stabilized on the systemd-oomd system, as well as the DefaultMemoryPressureDurationSec option to set the time to wait for the release of resources before affecting a drive. Systemd-oomd uses the PSI (Pressure Stall Information) kernel subsystem and allows to detect the appearance of delays due to lack of resources and selectively shutting down resource-intensive processes at a stage where the system is not yet in a critical state and does not begin to heavily trim the cache and move data to the swap partition.
Added PrivateIPC parameter, who allows you to configure the launch of processes in an isolated IPC space in a unit file with its own identifiers and message queue. To connect a drive to an already created IPC identifier space, the IPCNamespacePath option is provided.
While for the available kernels, the automatic generation of system call tables was implemented for seccomp filters.
Of the other changes that stand out:
- The systemd-distribu utility has added the ability to activate encrypted partitions using TPM2 chips, for example, to create an encrypted / var partition on first boot.
- Added the systemd-cryptenroll utility to bind TPM2, FIDO2, and PKCS # 11 tokens to LUKS partitions, as well as to unpin and view tokens, bind spare keys, and set an access password.
- ExecPaths and NoExecPaths settings were added to apply the noexec flag to specific parts of the file system.
- Added a kernel command line parameter - "root = tmpfs", which allows the root partition to be mounted to temporary storage located in RAM using Tmpfs.
- A block with exposed environment variables can now be configured through the new ManagerEnvironment option in system.conf or user.conf, not just through the kernel command line and unit file settings.
- At compile time, you can use the fexecve () system call instead of execve () to start processes to reduce the delay between checking the security context and applying it.