- The --purge switch of systemd-tmpfiles (which was added in v256) has been reworked: it will now only apply to tmpfiles.d/ lines marked with the new “$” flag. This is an incompatible change, and means any tmpfiles.d/ files which shall be used together with --purge need to be updated accordingly. This change has been made to make it harder to accidentally delete too many files when using --purge incorrectly.
- The systemd-creds ‘cat’ verb now expects base64-encoded encrypted credentials as input, for consistency with the ‘decrypt’ verb and the LoadCredentialEncrypted= service setting. Previously it could only read raw, unencoded binary data.
- Support for automatic flushing of the nscd user/group database caches has been dropped.
- The FileDescriptorName= setting for socket units is now honored by Accept=yes sockets too, where it was previously silently ignored and “connection” was used unconditionally.
- systemd-logind now always obeys block inhibitor locks, where previously it ignored locks taken by the caller or when the caller was root. A privileged caller can always close the other sessions, remove the inhibitor locks, or use --force or --check-inhibitors=no to ignore the inhibitors. This change thus doesn’t affect security, since everything that was possible before at a given privilege level is still possible, but it should make the inhibitor logic easier to use and understand, and also help avoiding accidental reboots and shutdowns. New ‘block-weak’ inhibitor modes were added, if taken they will make the inhibitor lock work as in the previous versions. Inhibitor locks can also be taken by remote users (subject to polkit policy).
- systemd-nspawn will now mount the unified cgroup hierarchy into a container if no systemd installation is found in a container’s root filesystem. $SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=0 can be used to override this behavior.
- /dev/disk/by-id/nvme-* block device symlinks without an NVMe namespace identifier are now fixed to namespace 1 of the device. If no namespace 1 exists for a device no such symlink is created. Previously, these symlinks would point to an unspecified namespace, and thus not be strictly stable references to multi-namespace NVMe devices. These un-namespaced symlinks are mostly obsolete, users and applications should always use the ones with encoded namespace information instead. This change should not affect too many systems, because most NVMe devices only know a namespace 1 by default.
- Support for cgroup v1 (‘legacy’ and ‘hybrid’ hierarchies) is now considered obsolete and systemd by default will ignore configuration that enables them. To forcibly reenable cgroup v1 support, SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 must additionally be set on the kernel command line.
You must log in or # to comment.