systemd 252 arrives with UKI support, improvements and more


systemd is a set of system administration daemons, libraries, and tools designed as a central configuration and administration platform for interfacing with the system kernel. 

After five months of development, systemd 252 has been released. The key change in this version is the integration of support for a modernized boot process, which makes it possible to verify not only the kernel and the bootloader but also the components of the underlying system environment using digital signatures.

The proposed method uses a unified kernel image (UKI) at boot time. A UKI combines the driver that loads the kernel from UEFI (the UEFI boot stub), the Linux kernel image and the initrd, the system environment loaded into memory that performs the initial initialization stage before the root file system is mounted.


In particular, the systemd-cryptsetup, systemd-cryptenroll and systemd-creds utilities have been adapted to use this information (the measurements placed in the TPM), so encrypted disk partitions can be bound to a digitally signed kernel: access to the encrypted partition is granted only if the UKI image has passed signature-based verification.

In addition, the systemd-pcrphase utility has been added. It makes it possible to bind the individual boot stages to values held by cryptoprocessors that implement the TPM 2.0 specification (for example, the LUKS2 partition decryption key can be made available only inside the initrd, with access to it blocked in all later boot stages).
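A constructed illustration, added here and not systemd's own code, of why that phase binding holds: a PCR can only be extended, never rewound, so a secret sealed to the PCR value reached right after the "enter-initrd" measurement cannot be released once "leave-initrd" has been measured. The phase strings are the ones systemd-pcrphase measures into PCR 11; the toy sealing routine, the all-zero PCR start value and the "uki" stand-in for the stub's own measurement are assumptions of this example.

```python
import hashlib
import hmac

# Phase strings systemd-pcrphase measures into PCR 11 during boot, in order.
BOOT_PHASES = ["enter-initrd", "leave-initrd", "sysinit", "ready"]

def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM2 extend: PCR' = H(PCR || H(event)). One-way and order-dependent."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def boot_pcr_history(uki_measurement: bytes, phases=BOOT_PHASES) -> dict:
    """Simulate PCR 11 across one boot: the stub's UKI measurement first
    (assumption: PCR starts as 32 zero bytes), then each phase string.
    Returns phase -> PCR value in force *after* that phase was measured."""
    pcr = pcr_extend(bytes(32), uki_measurement)
    history = {"uki": pcr}
    for phase in phases:
        pcr = pcr_extend(pcr, phase.encode())
        history[phase] = pcr
    return history

def seal_to_pcr(secret: bytes, expected_pcr: bytes) -> dict:
    """Toy stand-in for TPM sealing: the secret is released only when the
    PCR presented at unseal time equals the value recorded at seal time."""
    return {"secret": secret, "policy_pcr": expected_pcr}

def unseal(sealed: dict, current_pcr: bytes):
    if hmac.compare_digest(sealed["policy_pcr"], current_pcr):
        return sealed["secret"]
    return None

def initrd_only_unlock(secret: bytes, uki_measurement: bytes) -> dict:
    """Seal a volume key to the PCR state reached after 'enter-initrd' and
    report, per phase, whether the key can be recovered: it is available in
    the initrd and cryptographically out of reach in every later phase."""
    history = boot_pcr_history(uki_measurement)
    sealed = seal_to_pcr(secret, history["enter-initrd"])
    return {phase: unseal(sealed, pcr) is not None for phase, pcr in history.items()}
```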

Main new features of systemd 252

Among the other notable changes in systemd 252, the default locale is now C.UTF-8 when no other locale is specified in the configuration.

systemd 252 also adds the ability to perform a full service preset operation ("systemctl preset") during the first boot. Enabling presets at boot time requires a build with the "-Dfirst-boot-full-preset" option, but it is planned to be enabled by default in future releases.

User session management units now use the CPU resource controller, which makes it possible to apply the CPUWeight setting to all the slice units that partition a session (app.slice, background.slice, session.slice), isolating resources between different user services competing for CPU time. CPUWeight also accepts an "idle" value, which places the unit in the kernel's idle CPU scheduling mode.

The init process (PID 1) can now import credentials from SMBIOS fields (Type 11, "OEM strings") as well as receive them via qemu_fwcfg, which simplifies provisioning credentials to virtual machines and removes the need for third-party tools such as cloud-init and ignition.

During shutdown, the logic for unmounting virtual file systems (proc, sys) was changed, and information about processes that block the unmounting of a file system is now written to the log.

The sd-boot bootloader can now boot in mixed mode, running a 64-bit Linux kernel from 32-bit UEFI firmware. An experimental ability to automatically enroll SecureBoot keys from files located on the ESP (EFI System Partition) was also added.

New options were added to the bootctl utility: "--all-architectures" to install binaries for all supported EFI architectures, "--root=" and "--image=" to operate on a directory or a disk image, "--install-source=" to select the source to install from, and "--efi-boot-option-description=" to control the names of boot entries.

Of the other changes that stand out from systemd 252:

  • systemd-nspawn allows relative file paths in the "--bind=" and "--overlay=" options. The "--bind=" option gained a 'rootidmap' mode that maps the container's root user ID to the owner of the mounted directory on the host side.
  • systemd-resolved now uses OpenSSL as the encryption backend by default (gnutls support is retained as an option). Unsupported DNSSEC algorithms are now treated as insecure instead of returning an error (SERVFAIL).
  • systemd-sysusers, systemd-tmpfiles and systemd-sysctl can now receive their configuration through the credential storage mechanism.
  • A 'compare-versions' command was added to systemd-analyze to compare version strings (similar to 'rpmdev-vercmp' and 'dpkg --compare-versions').
  • The 'systemd-analyze dump' command can now filter units by pattern.
  • In the multi-stage sleep mode (suspend-then-hibernate), the time spent in the suspended state is now chosen based on the estimated remaining battery life.
  • The transition to sleep mode is made immediately when the battery charge is below 5%.

It is also worth mentioning that in 2024, systemd plans to stop supporting the cgroup v1 resource capping mechanism, deprecated in version 248 of systemd. Administrators are advised to take care of moving services linked to cgroup v1 to cgroup v2 in advance.

The key difference between cgroups v2 and v1 is the use of a single cgroup hierarchy for all resource types, rather than separate hierarchies for CPU allocation, memory management and I/O. Separate hierarchies make it hard to coordinate the controllers and add kernel overhead when rules for a given process have to be applied in several hierarchies.

In the second half of 2023, it is planned to stop supporting split directory hierarchies, when /usr is mounted separately from root, or /bin and /usr/bin, /lib and /usr/lib directories are separated.



  1. luix said

    more garbage from lennart..

  2. anonymous said

    The guy is an employee... and he is a good employee... he complies perfectly with his employer.