File: NEWS

package info (click to toggle)
systemd-udeb 259-1
links: PTS, VCS
area: main
in suites: forky, sid
size: 104,120 kB
sloc: ansic: 726,480; xml: 121,118; python: 35,852; sh: 33,447; cpp: 946; awk: 102; makefile: 89; lisp: 13; sed: 1
file content (21130 lines) | stat: -rw-r--r-- 1,147,344 bytes
parent folder | download | duplicates (2)
systemd System and Service Manager

CHANGES WITH 259:

        Announcements of Future Feature Removals and Incompatible Changes:

        * Support for System V service scripts is deprecated and will be
          removed in v260. Please make sure to update your software *now* to
          include a native systemd unit file instead of a legacy System V
          script to retain compatibility with future systemd releases.
          Following components will be removed:

          * systemd-rc-local-generator,
          * systemd-sysv-generator,
          * systemd-sysv-install (hook for systemctl enable/disable/is-enabled).

        * Required minimum versions of following components are planned to be
          raised in v260:

          * Linux kernel >= 5.10 (recommended >= 5.14),
          * glibc >= 2.34,
          * libxcrypt >= 4.4.0 (libcrypt in glibc will be no longer supported),
          * util-linux >= 2.37,
          * elfutils >= 0.177,
          * openssl >= 3.0.0,
          * cryptsetup >= 2.4.0,
          * libseccomp >= 2.4.0,
          * python >= 3.9.0.

        * The parsing of RootImageOptions= and the mount image parameters of
          ExtensionImages= and MountImages= will be changed in the next version
          so that the last duplicated definition for a given partition wins and
          is applied, rather than the first, to keep these options coherent with
          other unit settings.

        Feature Removals and Incompatible Changes:

        * The cgroup2 file system is now mounted with the
          "memory_hugetlb_accounting" mount option, supported since kernel 6.6.
          This means that HugeTLB memory usage is now counted towards the
          cgroup’s overall memory usage for the memory controller.

        * The default storage mode for the journal is now 'persistent'.
          Previously, the default was 'auto', so the presence or lack of
          /var/log/journal determined the default storage mode, if no
          overriding configuration was provided. The default can be changed
          with -Djournal-storage-default=.

        * systemd-networkd and systemd-nspawn no longer support creating NAT
          rules via iptables/libiptc APIs; only nftables is now supported.

        * systemd-boot's and systemd-stub's support for TPM 1.2 has been
          removed (only TPM 2.0 supported is retained). The security value of
          TPM 1.2 support is questionable in 2025, and because we never
          supported it in userspace, it was always quite incomplete to the
          point of uselessness.

        * The image dissection logic will now enforce the VFAT file system type
          for XBOOTLDR partitions, similar to how it already does this for the
          ESP. This is done for security, since both the ESP and XBOOTLDR must
          be directly firmware-accessible and thus cannot by protected by
          cryptographic means. Thus it is essential to not mount arbitrarily
          complex file systems on them. This restriction only applies if
          automatic dissection is used. If other file system types shall be
          used for XBOOTLDR (not recommended) this can be achieved via explicit
          /etc/fstab entries.

        * systemd-machined will now expose "hidden" disk images as read-only by
          default (hidden images are those whose name begins with a dot). They
          were already used to retain a pristine copy of the downloaded image,
          while modifications were made to a 2nd, local writable copy of the
          image. Hence, effectively they were read-only already, and this is
          now official.

        * The LUKS volume label string set by systemd-repart no longer defaults
          to the literal same as the partition and file system label, but is
          prefixed with "luks-". This is done so that on LUKS enabled images a
          conflict between /dev/disk/by-label/ symlinks is removed, as this
          symlink is generated both for file system and LUKS superblock
          labels. There's a new VolumeLabel= setting for partitions that can be
          used to explicitly choose a LUKS superblock label, which can be used
          to explicitly revert to the old naming, if required.

        Service manager/PID1:

        * The service manager's Varlink IPC has been extended considerably. It
          now exposes service execution settings and more. Its Unit.List() call
          now can filter by cgroup or invocation ID.

        * The service manager now exposes Reload() and Reexecute() Varlink IPC
          calls, mirroring the calls of the same name accessible via D-Bus.

        * The $LISTEN_FDS protocol has been extended to support pidfd inode
          IDs. The $LISTEN_PID environment variable is now augmented with a new
          $LISTEN_PIDFDID environment variable which contains the inode ID of
          the pidfd of the indicated process. This removes any ambiguity
          regarding PID recycling: a process which verified that $LISTEN_PID
          points to its own PID can now also verify the pidfd inode ID, which
          does not recycle IDs.

        * The log message made when a service exits will now show the
          wallclock time the service took in addition to the previously shown
          CPU time.

        * A new pair of properties OOMKills and ManagedOOMKills are now exposed
          on service units (and other unit types that spawn processes) that
          count the number of process kills made by the kernel or systemd-oomd.

        * The service manager gained support for a new
          RootDirectoryFileDescriptor= property when creating transient service
          units. It is similar to RootDirectory= but takes a file descriptor
          rather than a path to the new root directory to use.

        * The service manager now supports a new UserNamespacePath= setting
          which mirrors the existing IPCNamespacePath= and
          NetworkNamespacePath= options, but applies to Linux user namespaces.

        * The service manager gained a new ExecReloadPost= setting to configure
          commands to execute after reloading of the configuration of the
          service has completed.

        * Service manager job activation transactions now get a per-system
          unique 64-bit numeric ID assigned. This ID is logged as an additional
          log field for in messages related to the transaction.

        * The service manager now keeps track of transactions with ordering
          cycles and exposes them in the TransactionsWithOrderingCycle D-Bus
          property.

        systemd-sysext/systemd-confext:

        * systemd-sysext and systemd-confext now support configuration files
          /etc/systemd/systemd-sysext.conf and /etc/systemd/systemd-confext.conf,
          which can be used to configure mutability or the image policy to
          apply to DDI images.

        * systemd-sysext's and systemd-confext's --mutable= switch now accepts
          a new value "help" for listing available mutability modes.

        * systemd-sysext now supports configuring additional overlayfs mount
          settings via the $SYSTEMD_SYSEXT_OVERLAYFS_MOUNT_OPTIONS environment
          variable. Similarly systemd-confext now supports
          $SYSTEMD_CONFEXT_OVERLAYFS_MOUNT_OPTIONS.

        systemd-vmspawn/systemd-nspawn:

        * systemd-vmspawn will now initialize the "serial" fields of block
          devices attached to VMs to the filename of the file backing them on
          the host. This makes it very easy to reference the right media in
          case many block devices from files are attached to the same VM via
          the /dev/disk/by-id/… links in the VM.

        * systemd-nspawn's .nspawn file gained support for a new NamespacePath=
          setting in the [Network] section which takes a path to a network
          namespace inode, and which ensures the container is run inside that
          when booted. (This was previously only available via a command line
          switch.)

        * systemd-vmspawn gained two new switches
          --bind-user=/--bind-user-shell= which mirror the switches of the same
          name in systemd-nspawn, and allow sharing a user account from the host
          inside the VM in a simple one-step operation.

        * systemd-vmspawn and systemd-nspawn gained a new --bind-user-group=
          switch to add a user bound via --bind-user= to the specified group
          (useful in particular for the 'wheel' or 'empower' groups).

        * systemd-vmspawn now configures RSA4096 support in the vTPM, if swtpm
          supports it.

        * systemd-vmspawn now enables qemu guest agent via the
          org.qemu.guest_agent.0 protocol when started with --console=gui.

        systemd-repart:

        * repart.d/ drop-ins gained support for a new TPM2PCRs= setting, which
          can be used to configure the set of TPM2 PCRs to bind disk encryption
          to, in case TPM2-bound encryption is used. This was previously only
          settable via the systemd-repart command line. Similarly, KeyFile= has
          been added to configure a binary LUKS key file to use.

        * systemd-repart's functionality is now accessible via Varlink IPC.

        * systemd-repart may now be invoked with a device node path specified
          as "-". Instead of operating on a block device this will just
          determine the minimum block device size required to apply the defined
          partitions and exit.

        * systemd-repart gained two new switches --defer-partitions-empty=yes
          and --defer-partitions-factory-reset=yes which are similar to
          --defer-partitions= but instead of expecting a list of partitions to
          defer will defer all partitions marked via Format=empty or
          FactoryReset=yes. This functionality is useful for installers, as
          partitions marked empty or marked for factory reset should typically
          be left out at install time, but not on first boot.

        * The Subvolumes= values in repart.d/ drop-ins may now be suffixed with
          :nodatacow, in order to create subvolumes with data Copy-on-Write
          disabled.

        systemd-udevd:

        * systemd-udevd rules gained support for OPTIONS="dump-json" to dump
          the current event status in JSON format. This generates output
          similar to "udevadm test --json=short".

        * The net_id builtin for systemd-udevd now can generate predictable
          interface names for Wifi devices on DeviceTree systems.

        * systemd-udevd and systemd-repart will now reread partition tables on
          block devices in a more graceful, incremental fashion. Specifically,
          they no longer use the kernel BLKRRPART ioctl() which removes all
          in-memory partition objects loaded into the kernel and then recreates
          them as new objects. Instead they will use the BLKPG ioctl() to make
          minimal changes, and individually add, remove, or grow modified
          partitions, avoiding removal/re-adding where the partitions were left
          unmodified on disk. This should greatly improve behaviour on systems
          that make modifications to partition tables on disk while using them.

        * A new udev property ID_BLOCK_SUBSYSTEM is now exposed on block devices
          reporting a short identifier for the subsystem a block device belongs
          to. This only applies to block devices not connected to a regular bus,
          i.e. virtual block devices such as loopback, DM, MD, or zram.

        * systemd-udevd will now generate /dev/gpio/by-id/… symlinks for GPIO
          devices.

        systemd-homed/homectl:

        * homectl's --recovery-key= option may now be used with the "update"
          command to add recovery keys to existing user accounts. Previously,
          recovery keys could only be configured during initial user creation.

        * Two new --prompt-shell= and --prompt-groups= options have been added
          to homectl to control whether to query the user interactively for a
          login shell and supplementary groups memberships when interactive
          firstboot operation is requested. The invocation in
          systemd-homed-firstboot.service now turns both off by default.

        systemd-boot/systemd-stub:

        * systemd-boot now supports log levels. The level may be set via
          log-level= in loader.conf and via the SMBIOS Type 11 field
          'io.systemd.boot.loglevel='.

        * systemd-boot's loader.conf file gained support for configuring the
          SecureBoot key enrollment time-out via
          secure-boot-enroll-timeout-sec=.

        * Boot Loader Specification Type #1 entries now support a "profile"
          field which may be used to explicitly select a profile in
          multi-profile UKIs invoked via the "uki" field.

        sd-varlink/varlinkctl:

        * sd-varlink's sd_varlink_set_relative_timeout() call will now reset
          the timeout to the default if 0 is passed.

        * sd-varlink's sd_varlink_server_new() call learned two new flags
          SD_VARLINK_SERVER_HANDLE_SIGTERM + SD_VARLINK_SERVER_HANDLE_SIGINT,
          which are honoured by sd_varlink_server_loop_auto() and will cause it
          to exit processing cleanly once SIGTERM/SIGINT are received.

        * varlinkctl in --more mode will now send a READY=1 sd_notify() message
          once it receives the first reply. This is useful for tools or scripts
          that wrap it (and implement the $NOTIFY_SOCKET protocol) to know when
          a first confirmation of success is received.

        * sd-varlink gained a new sd_varlink_is_connected() call which reports
          whether a Varlink connection is currently connected.

        Shared library dependencies:

        * Linux audit support is now implemented via dlopen() rather than
          regular dynamic library linking. This means the dependency is now
          weak, which is useful to reduce footprint inside of containers and
          such, where Linux audit doesn't really work anyway.

        * Similarly PAM support is now implemented via dlopen() too (except for
          the PAM modules pam_systemd + pam_systemd_home + pam_systemd_loadkey,
          which are loaded by PAM and hence need PAM anyway to operate).

        * Similarly, libacl support is now implemented via dlopen().

        * Similarly, libblkid support is now implemented via dlopen().

        * Similarly, libseccomp support is now implemented via dlopen().

        * Similarly, libselinux support is now implemented via dlopen().

        * Similarly, libmount support is now implemented via dlopen(). Note,
          that libmount still must be installed in order to invoke the service
          manager itself. However, libsystemd.so no longer requires it, and
          neither do various ways to invoke the systemd service manager binary
          short of using it to manage a system.

        * systemd no longer links against libcap at all. The simple system call
          wrappers and other APIs it provides have been reimplemented directly
          in systemd, which reduced the codebase and the dependency tree.

        systemd-machined/systemd-importd:

        * systemd-machined gained support for RegisterMachineEx() +
          CreateMachineEx() method calls which operate like their counterparts
          without "Ex", but take a number of additional parameters, similar to
          what is already supported via the equivalent functionality in the
          Varlink APIs of systemd-machined. Most importantly, they support
          PIDFDs instead of PIDs.

        * systemd-machined may now also run in a per-user instance, in addition
          to the per-system instance. systemd-vmspawn and systemd-nspawn have
          been updated to register their invocations with both the calling
          user's instance of systemd-machined and the system one, if
          permissions allow it. machinectl now accepts --user and --system
          switches that control which daemon instance to operate on.
          systemd-ssh-proxy now will query both instances for the AF_VSOCK CID.

        * systemd-machined implements a resolve hook now, so that the names of
          local containers and VMs can be resolved locally to their respective
          IP addresses.

        * systemd-importd's tar extraction logic has been reimplemented based
          on libarchive, replacing the previous implementation calling GNU tar.
          This completes work begun earlier which already ported
          systemd-importd's tar generation.

        * systemd-importd now may also be run as a per-user service, in
          addition to the existing per-system instance. It will place the
          downloaded images in ~/.local/state/machines/ and similar
          directories. importctl gained --user/--system switches to control
          which instance to talk to.

        systemd-firstboot:

        * systemd-firstboot's and homectl's interactive boot-time interface
          have been updated to show a colored bar at the top and bottom of the
          screen, whose color can be configured via /etc/os-release. The bar
          can be disabled via the new --chrome= switches to both tools.

        * systemd-firstboot's and homectl's interactive boot-time interface
          will now temporarily mute the kernel's and PID1's own console output
          while running, in order to not mix the tool's own output with the
          other sources. This logic can be controlled via the new
          --mute-console= switches to both tools. This is implemented via a new
          systemd-mute-console component (which provides a simple Varlink
          interface).

        * systemd-firstboot gained a new switch --prompt-keymap-auto. When
          specified, the tool will interactively query the user for a keymap
          when running on a real local VT console (i.e. on a user device where
          the keymap would actually be respected), but not if invoked on other
          TTYs (such as a serial port, hypervisor console, SSH, …), where the
          keymap setting would have no effect anyway. The invocation in
          systemd-firstboot.service now uses this.

        systemd-creds:

        * systemd-creds's Varlink IPC API now supports a new "withKey"
          parameter on the Encrypt() method call, for selecting what to bind
          the encryption to precisely, matching the --with-key= switch on the
          command line.

        * systemd-creds now allow explicit control of whether to accept
          encryption with a NULL key when decrypting, via the --allow-null and
          --refuse-null switches. Previously only the former existed, but null
          keys were also accepted if UEFI SecureBoot was reported off. This
          automatism is retained, but only if neither of the two switches are
          specified. The systemd-creds Varlink IPC API learned similar
          parameters on the Decrypt() call.

        systemd-networkd:

        * systemd-networkd's DHCP sever support gained two settings EmitDomain=
          and Domain= for controlling whether leases handed out should report a
          domain, and which. It also gained a per-static lease Hostname=
          setting for the hostname of the client.

        * systemd-networkd now exposes a Describe() method call to show network
          interface properties.

        * systemd-networkd now implements a resolve hook for its internal DHCP
          server, so that the hostnames tracked in DHCP leases can be resolved
          locally. This is now enabled by default for the DHCP server running
          on the host side of local systemd-nspawn or systemd-vmspawn networks.

        systemd-resolved:

        * systemd-resolved gained a new Varlink IPC method call
          DumpDNSConfiguration() which returns the full DNS configuration in
          one reply. This is exposed by resolvectl --json=.

        * systemd-resolved now allows local, privileged services to hook into
          local name resolution requests. For that a new directory
          /run/systemd/resolve.hook/ has been introduced. Any privileged local
          service can bind an AF_UNIX Varlink socket there, and implement the
          simple io.systemd.Resolve.Hook Varlink API on it. If so it will
          receive a method call on it for each name resolution request, which
          it can then reply to. It can reply positively, deny the request or
          let the regular request handling take place.

        * DNS0 has been removed from the default fallback DNS server list of
          systemd-resolved, since it ceased operations.

        TPM2 infrastructure:

        * systemd-pcrlock no longer locks to PCR 12 by default, since its own
          policy description typically ends up in there, as it is passed into a
          UKI via a credential, and such credentials are measured into PCR 12.

        * The TPM2 infrastructure gained support for additional PCRs
          implemented via TPM2 NV Indexes in TPM2_NT_EXTEND mode. These
          additional PCRs are called "NvPCRs" in our documentation (even though
          they are very much volatile, much like the value of TPM2_NT_EXTEND NV
          indexes, from which we inherit the confusing nomenclature). By
          introducing NvPCRs the scarcity of PCRs is addressed, which allows us
          to measure more resources later without affecting the definition and
          current use of the scarce regular PCRs. Note that NvPCRs have
          different semantics than PCRs: they are not available pre-userspace
          (i.e. initrd userspace creates them and initializes them), including
          in the pre-kernel firmware world; moreover, they require an explicit
          "anchor" initialization of a privileged per-system secret (in order
          to prevent attackers from removing/recreating the backing NV indexes
          to reset them). This makes them predictable only if the result of the
          anchor measurement is known ahead of time, which will differ on each
          installed system. Initialization of defined NvPCRs is done in
          systemd-tpm2-setup.service in the initrd. Information about the
          initialization of NvPCRs is measured into PCR 9, and finalized by a
          separator measurement. The NV index base handle is configurable at
          build time via the "tpm2-nvpcr-base" meson setting. It currently
          defaults to a value the TCG has shown intent to assign to Linux, but
          this has not officially been done yet. systemd-pcrextend and its
          Varlink APIs have been extended to optionally measure into an NvPCR
          instead of a classic PCR.

        * A new service systemd-pcrproduct.service is added which is similar to
          systemd-pcrmachine.service but instead of the machine ID
          (i.e. /etc/machined-id) measures the product ID (as reported by SMBIOS
          or Devicetree). It uses a new NvPCR called "hardware" for this.

        * systemd-pcrlock has been updated to generate CEL event log data
          covering NvPCRs too.

        systemd-analyze:

        * systemd-analyze gained a new verb "dlopen-metadata" which can show
          the dlopen() weak dependency metadata of an ELF binary that declares
          that.

        * A new verb "nvpcrs" has been added to systemd-analyze, which lists
          NvPCRs with their names and values, similar to the existing "pcrs"
          operation which does the same for classic PCRs.

        systemd-run/run0:

        * run0 gained a new --empower switch. It will invoke a new session with
          elevated privileges – without switching to the root user.
          Specifically, it sets the full ambient capabilities mask (including
          CAP_SYS_ADMIN), which ensures that privileged system calls will
          typically be permitted. Moreover, it adds the session processes to
          the new "empower" system group, which is respected by polkit and
          allows privileged access to most polkit actions. This provides a much
          less invasive way to acquire privileges, as it will not change $HOME
          or the UID and hence risk creation of files owned by the wrong UID in
          the user's home. (Note that --empower might not work in all cases, as
          many programs still do access checks purely based on the UID, without
          Linux process capabilities or polkit policies having any effect on
          them.)

        * systemd-run gained support for --root-directory= to invoke the service
          in the specified root directory. It also gained --same-root-dir (with
          a short switch -R) for invoking the new service in the same root
          directory as the caller's. --same-root-dir has also been added to run0.

        sd-event:

        * sd-event's sd_event_add_child() and sd_event_add_child_pidfd() calls
          now support the WNOWAIT flag which tells sd-event to not reap the
          child process.

        * sd-event gained two new calls sd_event_set_exit_on_idle() and
          sd_event_get_exit_on_idle(), which enable automatic exit from the
          event loop if no enabled (non-exit) event sources remain.

        Other:

        * User records gained a new UUID field, and the userdbctl tool gained
          the ability to search for user records by UUID, via the new --uuid=
          switch. The userdb Varlink API has been extended to allow server-side
          searches for UUIDs.

        * systemd-sysctl gained a new --inline switch, similar to the switch of
          the same name systemd-sysusers already supports.

        * systemd-cryptsetup has been updated to understand a new
          tpm2-measure-keyslot-nvpcr= option which takes an NvPCR name to
          measure information about the used LUKS keyslot into.
          systemd-gpt-auto-generator now uses this for a new "cryptsetup"
          NvPCR.

        * systemd will now ignore configuration file drop-ins suffixed with
          ".ignore" in most places, similar to how it already ignores files
          with suffixes such as ".rpmsave". Unlike those suffixes, ".ignore" is
          package manager agnostic.

        * systemd-modules-load will now load configured kernel modules in
          parallel.

        * systemd-integrity-setup now supports HMAC-SHA256, PHMAC-SHA256,
          PHMAC-SHA512.

        * systemd-stdio-bridge gained a new --quiet option.

        * systemd-mountfsd's MountImage() call gained support for explicitly
          controlling whether to share dm-verity volumes between images that
          have the same root hashes. It also learned support for setting up
          bare file system images with separate Verity data files and
          signatures.

        * journalctl learned a new short switch "-W" for the existing long
          switch "--no-hostname".

        * system-alloc-{uid,gid}-min are now exported in systemd.pc.

        * Incomplete support for musl libc is now available by setting the
          "libc" meson option to "musl". Note that systemd compiled with musl
          has various limitations: since NSS or equivalent functionality is not
          available, nss-systemd, nss-resolve, DynamicUser=, systemd-homed,
          systemd-userdbd, the foreign UID ID, unprivileged systemd-nspawn,
          systemd-nsresourced, and so on will not work. Also, the usual memory
          pressure behaviour of long-running systemd services has no effect on
          musl. We also implemented a bunch of shims and workarounds to
          support compiling and running with musl. Caveat emptor.

          This support for musl is provided without a promise of continued
          support in future releases. We'll make the decision based on the
          amount of work required to maintain the compatibility layer in
          systemd, how many musl-specific bugs are reported, and feedback on
          the desirability of this effort provided by users and distributions.

        Contributions from: 0x06, Abílio Costa, Alan Brady, Alberto Planas,
        Aleksandr Mezin, Alexandru Tocar, Alexis-Emmanuel Haeringer,
        Allison Karlitskaya, Andreas Schneider, Andrew Halaney,
        Anton Tiurin, Antonio Alvarez Feijoo, Antonio Álvarez Feijoo,
        Arian van Putten, Armin Brauns, Armin Wolf, Bastian Almendras,
        Charlie Le, Chen Qi, Chris Down, Christian Hesse,
        Christoph Anton Mitterer, Colin Walters, Craig McLure,
        Daan De Meyer, Daniel Brackenbury, Daniel Foster, Daniel Hast,
        Daniel Rusek, Danilo Spinella, David Santamaría Rogado,
        David Tardon, Dimitri John Ledkov, Dr. David Alan Gilbert,
        Duy Nguyen Van, Emanuele Giuseppe Esposito, Emil Renner Berthing,
        Eric Curtin, Erin Shepherd, Evgeny Vereshchagin,
        Fco. Javier F. Serrador, Felix Pehla, Fletcher Woodruff, Florian,
        Francesco Valla, Franck Bui, Frantisek Sumsal, Gero Schwäricke,
        Goffredo Baroncelli, Govind Venugopal, Guido Günther, Haiyue Wang,
        Hans de Goede, Henri Aunin, Igor Opaniuk, Ingo Franzki, Itxaka,
        Ivan Kruglov, Jelle van der Waa, Jeremy Kerr, Jesse Guo,
        Jim Spentzos, Joshua Krusell, João Rodrigues, Justin Kromlinger,
        Jörg Behrmann, Kai Lueke, Kai Wohlfahrt, Le_Futuriste,
        Lennart Poettering, Luca Boccassi, Lucas Adriano Salles,
        Lukáš Nykrýn, Lukáš Zaoral, Managor, Mantas Mikulėnas,
        Marc-Antoine Riou, Marcel Leismann, Marcos Alano, Marien Zwart,
        Markus Boehme, Martin Hundebøll, Martin Srebotnjak, Masanari Iida,
        Matteo Croce, Maximilian Bosch, Michal Sekletár, Mike Gilbert,
        Mike Yuan, Miroslav Lichvar, Moisticules, Morgan, Natalie Vock,
        Nick Labich, Nick Rosbrook, Nils K, Osama Abdelkader, Oğuz Ersen,
        Pascal Bachor, Pasquale van Heumen, Pavel Borecki, Peter Hutterer,
        Philip Withnall, Pranay Pawar, Priit Jõerüüt, Quentin Deslandes,
        QuickSwift315490, Rafael Fontenelle, Rebecca Cran, Ricardo Salveti,
        Ronan Pigott, Ryan Brue, Sebastian Gross, Septatrix, Simon Barth,
        Stephanie Wilde-Hobbs, Taylan Kammer, Temuri Doghonadze,
        Thomas Blume, Thomas Mühlbacher, Tobias Heider, Vivian Wang,
        Xarblu, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, anthisfan, cvlc12,
        dgengtek, dramforever, gvenugo3, helpvisa, huyubiao, jouyouyun, jsks,
        kanitha chim, lumingzh, n0099, ners, nkraetzschmar, nl6720, q66,
        theSillywhat, val4oss, 雪叶

        — Edinburgh, 2025/12/17

CHANGES WITH 258:

        Incompatible changes:

        * Support for cgroup v1 ('legacy' and 'hybrid' hierarchies) has been
          removed. cgroup v2 ('unified' hierarchy) will always be mounted
          during system bootup and systemd-nspawn container initialization.

        * The minimum kernel baseline version has been bumped to v5.4 (released
          in 2019), with the recommended version now going up to v5.7. Consult
          the README file for a list of required kernel APIs.

        * The default access mode of tty/pts device nodes has been changed to
          0600, which was 0620 in the older releases, due to general security
          concerns about terminals being written to by other users. To restore
          the old default access mode, use the '-Dtty-mode=0620' meson build
          option. (This effectively means "mesg n" is now the default, rather
          than "mesg y", see mesg(1) man page for help.)

        * ACLs for device nodes requested by "uaccess" udev tag are now always
          applied/updated by systemd-udevd through "uaccess" udev builtin, and
          systemd-logind no longer applies/updates ACLs but triggers "change"
          uevents to make systemd-udevd apply/update ACLs. Hence, the "uaccess"
          udev tag should be set not only on "add" action but also on "change"
          action, and it is highly recommended that the rule is applied all
          actions except for "remove" action.
          Recommended example:
              ACTION!="remove", SUBSYSTEM=="hidraw", TAG+="uaccess"
          The following example does not work since v258:
              ACTION=="add", SUBSYSTEM=="hidraw", TAG+="uaccess"
          Udev rules files setting the "uaccess" tag need to have a file name
          starting with a number smaller than 73 to be applied.

        * systemd-run's --expand-environment= switch, which was disabled
          by default when combined with --scope, has been changed to be
          enabled by default. This brings cmdline expansion of transient
          scopes on par with services.

        * systemd-logind PAM sessions that previously were automatically
          determined to be of class "background", and which are owned by root
          or system accounts, will now automatically be set to class
          "background-light" instead. PAM sessions that previously were
          automatically determined to be of class "user", and which are owned
          by non-root system users, will now automatically be set to class
          "user-light" instead. This effectively means that cron jobs or FTP
          sessions (i.e. all PAM sessions that have no TTY assigned and neither
          are graphical) for system users no longer pull in a service manager
          by default. This behaviour can be changed by explicitly setting the
          session class (for example via the class= parameter to
          pam_systemd.so, or by setting the XDG_SESSION_CLASS environment
          variable as input for the service's PAM stack). This change does not
          affect graphical sessions, nor does it affect regular users. This is
          an incompatible change of sorts, since per-user services will
          typically not be available for such PAM sessions of system users.

        * systemd-udevd ignores OWNER=/GROUP= settings with a non-system
          user/group specified in udev rules files, to avoid device nodes being
          owned by a non-system user/group. It is recommended to check udev
          rules files with 'udevadm verify' and/or 'udevadm test' commands if
          the specified user/group in OWNER=/GROUP= are valid.
          Similarly, systemd-networkd refuses User=/Group= settings with a
          non-system user/group specified in .netdev files for Tun/Tap
          interfaces.

        * systemd-cryptenroll, systemd-repart and systemd-creds no longer
          default to locking TPM2 enrollments to the current, literal value of
          PCR 7, i.e. the PCR the SecureBoot policy is measured into by the
          firmware. This change reflects the fact that nowadays SecureBoot
          policies are updated (at least) as frequently as firmware code
          (simply because SecureBoot policy updates are typically managed by
          fwupd these days). The new default PCR mask for new TPM2 enrollments
          is thus empty by default. It is recommended to use managed
          systemd-pcrlock policies for binding to PCR 7 instead (as well as
          combining such policies with signed policies for PCR 11). Or in other
          words, it's recommended to make more use of the logic behind the
          --tpm2-public-key=, --tpm2-public-key-pcrs= and --tpm2-pcrlock=
          switches of the mentioned tools in place of --tpm2-pcrs=.

        * Support for the SystemdOptions EFI variable has been removed.

        * Meson options '-Dsplit-usr=', '-Drootlibdir=', '-Drootprefix='
          (deprecated in v255), '-Ddefault-hierarchy=' (deprecated in v256),
          and '-Dnscd=' (deprecated in v257) have been removed.

        * OpenSSL is now the only supported cryptography backend for
          systemd-resolved and systemd-importd, and support for gnutls and
          gcrypt has been removed. Hence, 'gnutls' setting for the
          '-Ddns-over-tls=' meson option has been deprecated. Also, the
          '-Dcryptolib=' meson option has been deprecated. They will be removed
          in a future release.

        * systemd-logind's session tracking, which used to be performed via a
          FIFO installed in the client, now uses PIDFDs. The file descriptor
          returned by CreateSession() and related calls is therefore unused.
          Moreover, the exit of the session leader process will immediately
          cause the session to be stopped.

        * To work around limitations of X11's keyboard handling systemd's
          keyboard mapping hardware database (hwdb.d/60-keyboard.hwdb) so far
          mapped the microphone mute and touchpad on/off/toggle keys to the
          function keys F20, F21, F22, F23 instead of their correct key codes.
          This key code mangling has been removed from udev.

          To maintain compatibility with X11 applications that rely on the old
          function key code mappings, this mangling has now been added to the
          relevant X11 keyboard driver modules. In order to ensure these keys
          continue to work, update to xf86-input-evdev >= 2.11.0 and
          xf86-input-libinput >= 1.5.0 before updating to systemd >= 258.

        * The D-Bus method org.freedesktop.systemd1.StartAuxiliaryScope() has
          been removed, which was deprecated since v257.

        * systemd-networkd previously emitted the machine ID as chassis ID
          through LLDP protocol, but now emits a deterministic ID,
          cryptographically derived from the machine ID as chassis ID. If you
          want to use the previous behavior, please set
          SYSTEMD_LLDP_SEND_MACHINE_ID=1 environment variable for
          systemd-networkd.

        * Support for the !! command line prefix on ExecStart= lines (and
          related) has been removed, and if specified will be ignored. The
          concept was supposed to provide compatibility with kernels that
          predated the introduction of "ambient" process capabilities. However,
          the kernel baseline of the systemd project is now far beyond any
          kernels that lacked support for it, hence the prefix serves no
          purpose anymore.

        * The default keyring for systemd-importd and related tools, shipped
          in /usr/lib/systemd/, has been renamed from import-pubring.gpg to
          import-pubring.pgp, as it is supported by other PGP tools as well as
          GPG. The local keyring /etc/systemd/import-pubring.gpg is still parsed
          if present, to preserve backward compatibility.

        * Normally, per-user encrypted credentials are decrypted via the the
          systemd-creds.socket Varlink service, while the per-system ones are
          directly encrypted within the execution context of the intended
          service (which hence typically required access to /dev/tpmrm0). This
          has been changed: units that enable either PrivateDevices= or use
          DeviceAllow=/DevicePolicy= (and thus restrict access to device nodes)
          will now also make use of the systemd-creds.socket Varlink
          functionality, and will not attempt to decrypt the credentials
          in-process (and attempt to try to talk to the TPM for that).
          Previously, encrypted credentials for per-system services were
          incompatible with PrivateDevices= and resulted in automatic extension
          of the DeviceAllow= list. The latter behaviour has been removed.

        * The command 'journalctl --follow' now exits with success on
          SIGTERM/SIGINT and when the pipe it is writing to is disconnected.

        * Support for System V style system state control has been removed:
          - The /dev/initctl device node has been removed.
          - The initctl, runlevel, and telinit commands have been removed.
          - Support for system state control via the init command (e.g.
            'init 3') has been removed.
          - The units runlevel[0-6].target have been removed.
          - The concept of runlevels has been removed, so runlevel transitions
            are no longer recorded in the utmp/wtmp databases.

        * Support for traditional /forcefsck and /fastboot files to control
          execution mode of fsck on boot has been removed from systemd-fsck. To
          control the mode, please use the fsck.mode= kernel command line option
          or newly introduced fsck.mode credential.

        * Support for traditional /forcequotacheck file to control execution
          mode of quotacheck on boot has been removed from systemd-quotacheck.
          To control the mode, please use the quotacheck.mode= kernel command
          line option of newly introduced quotacheck.mode credential.

        * systemd-stub v258 requires ukify v257.9 or v258 or newer when
          building a UKI. Due to an incompatible change necessary in order to
          fix a bug related to embedding a .sbat section larger than 512 bytes,
          ukify v257.8 or older will not be able to use systemd-stub v258 or
          newer.

        Announcements of Future Feature Removals:

        * (postponed to v260) Support for System V service scripts is deprecated
          and will be removed in v259. Please make sure to update your software
          *now* to include a native systemd unit file instead of a legacy System
          V script to retain compatibility with future systemd releases.

        * Support for the legacy /run/lock/ directory is deprecated and will be
          removed in v259. Any software that still needs access to this legacy
          directory is encouraged to ship their own tmpfiles.d configuration to
          set it up according to their needs. In general, services should store
          their lock files in RuntimeDirectory=/$RUNTIME_DIRECTORY, and software
          directly executed by users should use $XDG_RUNTIME_DIR. Software
          working with specific devices (e.g. serial port devices) should flock
          the device directly rather than creating a separate lock file.

        * Support for systemd-repart's FactoryReset EFI variable has been
          deprecated and support for it will be removed in v260. Use the newer,
          more generic FactoryResetRequest variable instead, which can be
          managed by "systemd-factory-reset request" and "systemd-factory-reset
          complete".

        * The meson option '-Dintegration-tests=' has been deprecated, and will
          be removed in a future release.

        * The legacy iptables support through libiptc will be removed in v259.
          Only nftables backend will be supported by systemd-networkd and
          systemd-nspawn since v259.

        * (postponed to v260) Required minimum versions of following components
          are planned to be raised in the next release:

          * Linux kernel >= 5.10 (recommended >= 5.14),
          * glibc >= 2.34,
          * libxcrypt >= 4.4.0 (libcrypt in glibc will be no longer supported),
          * util-linux >= 2.37,
          * elfutils >= 0.177,
          * openssl >= 3.0.0,
          * cryptsetup >= 2.4.0,
          * libfido2 >= 1.5.0,
          * libseccomp >= 2.4.0,
          * python >= 3.9.0.

          Please provide feedback on systemd-devel if this would cause problems.

        Service manager/PID1:

        * The PrivateUsers= unit setting now accepts a new value "full", which
          is similar to "identity", but maps the whole 32bit UID range instead
          of just the first 2¹⁶.

        * The ProtectHostname= unit setting now accepts a new value "private",
          which is similar to "yes", but allows the unit's processes to
          modify the hostname. Since a UTC namespace is allocated for the unit
          this hostname change remains local to the unit, and does not affect
          the system as a whole. Optionally, the "private" string may be
          suffixed by a colon and a literal hostname specification, which is
          then used to initialize the hostname of the namespace to.

        * .mount units now also support systemd credentials
          (i.e. SetCredential=/LoadCredential=/ImportCredential= and related
          settings). Previously this was available for service units only.

        * A new unit file condition ConditionKernelModuleLoaded= has been added
          that may be used to check if a certain kernel module is already
          loaded (or built into the kernel). This is used to shortcut
          modprobe@.service instances, reducing redundant explicit modprobe
          invocations at boot to cover for kernels that have various subsystems
          built-in, while still providing support for kernels that have those
          subsystems built as loadable modules.

        * Encrypted systemd service credentials are now available for user
          services too, including if locked to TPM. Previously, they could only
          be used for system services.

        * Services instantiated for Accept=yes socket units will now include
          the Linux socket cookie (SO_COOKIE) in the instance name, as well as
          the PIDFD inode ID for the peer (the latter is only available for
          AF_UNIX sockets). This should make it easier to match specific
          service instances to the connections and peers they are associated
          with.

        * The security rules enforced by the per-unit AttachProcesses() bus API
          call have been relaxed a bit: unprivileged clients may now use the
          call on arbitrary processes which run in any user namespace owned by
          the client's UID. Previously, a stricter rule applied that required
          the UIDs of the process to move and of the client to match exactly.

        * A new per-unit RemoveSubgroup() D-Bus API call has been added that
          makes the service manager attempt to remove a sub-cgroup of units
          with cgroup delegation enabled. This is useful for unprivileged user
          namespace operation, where subgroups might be owned by user IDs that
          do not match the user ID the unit was delegated to, as is typical in
          user namespace scenarios. Per-user service managers will use this new
          call provided by the per-system service manager to clean up user
          units that contain cgroups owned by user namespace UIDs.

        * .mount units gained support for a special x-systemd.graceful-option=
          pseudo-mount option, which may be used to list additional mount
          options that shall be used for the mount when it is established,
          under the condition the local kernel supports them. If the local
          kernel does not, they are automatically removed from the option
          string. This only works for kernel-level mount options, not for those
          implemented in userspace. This is useful for various purposes, for
          example to include "usrquota" for tmpfs mount options where that's
          supported.

        * Per-user quota is now enabled on /dev/shm/ and /tmp/ (the latter only
          if backed by tmpfs).

        * If PAMName= is used for a service and the PAM session prompts for a
          password, it will now be queried via the systemd-ask-password
          logic. Previously the prompt would simply be denied, typically causing
          the PAM session (and thus service activation) to fail. One effect of
          this change is that when lingering is enabled for a systemd-homed
          user the user's password will now be prompted at boot to unlock the
          user's home directory in order to be able to start the per-user
          service manager early, as requested.

        * The $MAINPID and $MANAGERPID environment variables we pass to
          processes executed for service units are now paired with new
          environment variables $MAINPIDFDID and $MANAGERPIDFDID. These new
          environment variables contain the numeric inode ID of the pidfd for
          the relevant process. As these 64bit IDs are unique for all processes
          of a specific Linux boot they can be used to race-freely reference a
          process, unlike the PID which is subject to races by recycling.

        * So far the ConditionHost= condition matched against the local host
          name and machine UUID. It now also matches against the local product
          ID of the system (as provided by SMBIOS/DMI) and the boot ID.

        * A new setting DelegateNamespaces= for units has been added, which
          controls which type of Linux namespaces to delegate to the invoked
          unit processes. This primarily controls if the listed namespace types
          shall be owned by the host user namespace, or by the private user
          namespace of the unit. In the former case services cannot modify the
          relevant namespaces since they don't own it, in the latter case they
          can.

        * If the service manager receives a RESTART_RESET=1 sd_notify() message
          from a service, it will now reset the automatic restart counter it
          maintains for the service. This is useful to give services control
          over RestartMaxDelaySec=/RestartSteps= progress.

        * The /etc/hostname file may now include question mark characters
          ("?"), which when read will be initialized by hexadecimal digits
          hashed from the machine ID. This is useful when managing a fleet of
          devices that each shall have a valid and distinct hostname, generated
          in a predictable fashion. Example: if /etc/hostname contains
          "foobar-????-????" each booted system will end up with a hostname
          such as "foobar-7aaf-846c" or similar.

        * ConditionKernelVersion= has been replaced by a more generic
          ConditionVersion= setting, that can check the versions of more key
          components of the OS, besides the kernel. Initially, that's systemd's
          and glibc's versions. The older setting remains supported for
          compatibility.

        * Slice units gained new ConcurrencySoftMax= and ConcurrencyHardMax=
          settings which control how many concurrent units may be active and
          queued for the slice at the same time. If more services are queued
          for a slice than the soft limit, they won't be dispatched until the
          concurrency falls below the limit again, but they remain in the job
          queue. If more services are queued than the hard limit the jobs will
          fail. This introduces a powerful job execution mechanism to systemd,
          with strong resource management, and support for hierarchial job
          pools (by means of slices).

        * ExecStart= lines (and the other ExecXYZ= lines) now support a new '|'
          prefix that causes the command line to be invoked via a shell.

        * A basic Varlink API is now implemented in the service manager that
          can be used to determine its current state, and list units and their
          states.

        * Processes invoked via the .socket Accept=yes logic will now get an
          environment variable $SO_COOKIE that contains the Linux socket
          cookie (which otherwise can be acquired via getsockopt()) of the
          connection socket, formatted in decimal.

        * When a service's configuration is reloaded (via "systemctl reload" or
          an equivalent operation), any confext images for the services are
          also reloaded.

        * A new RandomizedOffsetSec= setting has been added to .timer units
          which allows configured of a randomized but stable time offset for
          when the timer shall elapse.

        * Whenever a TTY is initialized by the service manager, an attempt is
          made to read the terminfo identifier from it via DCS sequences, as
          part of the regular ANSI sequence initialization scheme. The
          identifier is used to initialize $TERM. This is not done if $TERM is
          already set from some other sources. Note that the DCS sequence for
          this is widely supported, but not universal (at this point VTE-based
          terminal emulators lack the necessary support). This functionality
          should be particularly useful on serial TTYs as $TERM information
          will likely be initialized to a useful value instead of a badly
          guessed default of vt220.

        * .socket units gained a new PassPIDFD= setting that controls the new
          SO_PASSPIDFD socket option for AF_UNIX socket. There's also a new
          setting AcceptFileDescriptors= that controls the new SO_PASSRIGHTS.

        * A new job type "lenient" has been added, that is similar to the
          existing "fail" job mode, and which will fail the submitted
          transaction immediately if it would stop any currently running unit.

        * .socket units gained a new pair of settings DeferTrigger= and
          DeferTriggerMaxSec= which modify triggering behaviour of the
          socket. When used this will cause the triggered unit to be enqueued
          with the new "lenient" job mode, and if the submission of the
          transaction fails it is later retried to be submitted (up to a
          configurable timeout), whenever a unit is stopped.

        * The "preset" logic has been extended so that there are now three
          preset directories: one that declares the default enablement state
          for per-system services run on the host, one for per-user services,
          and – now new – one for per-system services that are run in the
          initrd. This reflects the fact that in many cases services that shall
          be enabled by default on the host should not be enabled by default in
          the initrd, or vice versa. Note that while the regular per-system
          preset policy defaults to enabled, the one for the initrd defaults to
          disabled.

        * There are now new per-service settings
          StateDirectoryQuota=/StateDirectoryAccounting=,
          CacheDirectoryQuota=/CacheDirectoryAccounting=,
          LogsDirectoryQuota=/LogsDirectoryAccounting= which allow doing
          per-unit quota of the indicated per-unit directories. This is
          implemented via project quota, as supported by xfs and ext4. This
          does not support btrfs, currently. If quota accounting is enabled
          this information is shown in the usual "systemctl status" output.

        * The service manager gained a new KillUnitSubgroup() syscall which may
          be used to send a signal to a sub-control group of the unit's control
          group. systemctl kill gained a new --kill-subgroup= switch to make
          this available from the shell.

        * A new PrivateBPF= switch has been added for unit files, which may be
          used to mount a private bpffs instance for the unit's processes.

        * Four new options added to mount the bpffs with the delegate options:
          BPFDelegateCommands= BPFDelegateMaps=
          BPFDelegatePrograms= BPFDelegateAttachments=
          These allow an unprivileged container to use some BPF functionalities.
          See also https://lwn.net/Articles/947173/

        * New user manager services systemd-nspawn@.service and
          systemd-vmspawn@.service and a machines.target unit to manage them
          have been added.

        systemd-journald & journal-remote:

        * journalctl's --setup-keys command now supports JSON output.

        * HTTP compression negotiation has been added to journal-upload and
          journal-remote.

        * journal-remote/journal-upload now support inserting additional HTTP
          fields into their requests, via the Header= configuration file setting.

        * journalctl gained a new --synchronize-on-exit=yes switch. If
          specified in combination with --follow and the journalctl process
          receives SIGINT (for example because the user hits Ctrl-C), a
          synchronization request is enqueued to systemd-journald, and log
          output continues until it completes. Or in other words, when this
          option is used any log output submitted before the SIGINT is
          guaranteed to be shown before journactl exits.

        * systemd-journald's Synchronize() Varlink call has been reworked so
          that it no longer returns only once the logging subsystem has become
          completely idle, but already when all messages queued before the call
          was initiated are definitely written to disk. Effectively this means
          that the call is now guaranteed to complete in bounded time, even
          though it's slightly weaker in effect.

        * Many of systemd-journald's Varlink calls (such as the aforementioned
          Synchronize()) are now available to unprivileged clients.

        systemd-udevd & systemd-hwdb:

        * A new udev property ID_NET_BRING_UP_BEFORE_JOINING_BRIDGE= is now
          supported that may be set on network interface devices (via hwdb),
          and tells systemd-networkd to bring the interface up before joining
          it to a bridge device.

        * A new udev property ID_NET_NAME_INCLUDE_DOMAIN= is now supported that
          may be set on network interface devices (via hwdb), that indicates
          that the automatic network device naming logic should suppress
          inclusion of the PCI domain in the naming scheme. This is used for
          Azure MANA devices.

        * A new udev property ID_AV_LIGHTS= has been defined that may be set on
          USB controlled A/V lights. Devices marked like this (via hwdb) will
          have the uaccess logic enabled, i.e. they will be associated with a
          seat and unprivileged users will get access to them.

        * udevadm's trigger command gained a switch --include-parents. If
          specified udevadm will not just trigger all devices matching whatever
          is specified otherwise on the command line, but also all parent
          devices of these devices.

        * systemd-udevd now provides a Varlink interface with various runtime
          and lifecycle operations. It mostly replaces the previous private,
          undocumented "control" IPC API spoken between udevadm and
          systemd-udevd.

        * .link files gained two new knobs ReceiveFCS= (which controls whether
          to pass the Frame Check Sequence value up the stack) and ReceiveAll=
          (which controls whether to accept damaged Ethernet frames). It also
          gained a knob PartialGenericSegmentationOffload= for controlling
          Partial GSO support.

        * 'udevadm info/trigger/test/test-builtin' commands now also take device
          IDs to specify devices.

        * udevadm test gained a new "--verbose" switch for generating
          additional debug output for the test.

        * The OPTIONS= udev expression now supports the new "dump" value, which
          will result in the current event's status to be logged at the moment
          the expression is processed. This is useful for debugging udev rules.

        * A new kernel command line option udev.trace= has been added that
          allows enabling udev's tracing logic while booting an OS. udevadm
          control gained a new --trace= switch to change the same setting at
          runtime.

        * udevadm test gained a new --extra-rules-dir= switch which may be
          used to look for udev rules in additional directories for testing
          purposes.

        * udevadm gained a new "cat" command for showing the contents of
          installed rules files.

        * udev will now create /dev/input/by-{id,path}/* style symlinks for
          hidraw devices too. (Previously these would be created for other
          input device types only.)

        * *.link files gained support for configuring various Energy Efficient
          Ethernet (EEE) settings in a new [EnergyEfficientEthernet] section.

        * udevadm test gained a new --json= switch for generating JSON output.

        * A new udev builtin "factory_reset" has been added that simply reports
          if the system is currently booted in factory reset mode. This can be
          used by udev rules that determine the location of the root file
          system, in order to decide whether to expect that a root file already
          exists or still needs to be created/formatted/encrypted.

        * The "blkid" builtin of udev has been changed to determine the host
          root file system by looking for the used ESP/XBOOTLDR only while
          running in the initrd. When running after the initrd→host transition
          it now just uses the root file system already mounted to /. Of
          course, usually this should have the same results, but there are
          situations thinkable where the ESP is on one disk and the root fs on
          another, and we better not second guess this once we transitioned
          onto the root file system.

        * A new udev builtin "dissect_image" has been added that uses the usual
          DDI image dissection code to identify partitions and their use and
          relationships. This is used by new udev rules to generate a set of
          symlinks in /dev/disk/by-designator/ that point to the various
          discovered partitions by their designator.

        * Android debug USB interfaces (ADB DbC, ADB, Fastboot) are now
          automatically marked for unprivileged access, generically via a new
          ID_DEBUG_APPLIANCE= udev property. Or in other words, running "adb"
          again your Android phone connected via USB, set to debug mode should
          just work without any additional rules.

        * A new standard group "clock" has been introduced that is now used by
          default for PTP and RTC device nodes in /dev/.

        systemd-networkd:

        * systemd-networkd now supports configuring the timeout for IPv4
          Duplicate Address Detection via a new setting
          IPv4DuplicateAddressDetectionTimeoutSec=. The default timeout value
          has been changed from 7 seconds to 200 milliseconds.

        * systemd-networkd gained support for IPv6 SIP, i.e. DHCPv6 options
          SD_DHCP6_OPTION_SIP_SERVER_DOMAIN_NAME (21) and
          SD_DHCP6_OPTION_SIP_SERVER_ADDRESS (22), controlled by a new UseSIP=
          option in the [DHCPv6] section.

        * A new MPLSRouting= setting in the [Network] section in .network files
          can be used to control whether Multi-Protocol Label Switching is
          enabled on an interface.

        * A system-wide default for ClientIdentifier= may now be set in
          networkd.conf. (Previously this had to be configured individually in
          each .network file.)

        * PersistLeases= setting in [DHCPServer] section now also accepts
          "runtime", to make the DHCP server saves and loads bound leases on
          the runtime storage.

        * A new Preference= setting has been added to the [IPv6RoutePrefix]
          section to configure the route preference field.

        * New LinkLocalLearning=, Locked=, MACAuthenticationBypass=,
          VLANTunnel= settings have been added the [Bridge] section of .network
          files.

        * .netdev files gained new External=/VNIFilter= settings in [VXLAN]
          section.

        * .netdev files can now configure HSR/SRP network devices too, via a
          new [HSR] section.

        * The LLDP client will now pick up the VLAN Id from LLDP data. The LLDP
          sender will now send this field on VLAN devices.

        * The DHCPv4 client in systemd-networkd now also supports BOOTP (via a
          new BOOTP= setting).

        * The Local= setting in [Tunnel] section gained a new "dhcp_pd" value
          to allow setting the local address based on dhcp-pd addresses.

        sd-varlink & sd-json:

        * An API call sd_varlink_reset_fds() has been added that undoes the
          effect of sd_varlink_push_fd() (the API for submitting file
          descriptors to send along with a method call), without actually
          sending a Varlink message.

        * An API call sd_varlink_server_listen_name() has been added that is
          just like sd_varlink_server_listen_auto() but takes one additional
          parameter: the file descriptor name (in the sense of $LISTEN_FDNAMES)
          to look for, instead of "varlink". This is useful for services that
          implement multiple Varlink services on distinct sockets and shall be
          activatable through either.

        * A pair of API calls sd_json_variant_type_from_string() and
          sd_json_variant_type_to_string() have been added that may be used to
          convert the JSON variant type identifier into a string representation
          and back.

        * A pair of API calls sd_varlink_get_input_fd() and
          sd_varlink_get_output_fd() have been added that allow querying the
          connection file descriptors individually for each direction, in case
          two distinct file descriptors are used (for example in stdin/stdout
          scenarios).

        * A new API call sd_varlink_get_current_method() has been added which
          reports the method call name currently being processed.

        * Two new flags SD_VARLINK_SERVER_ALLOW_FD_PASSING_INPUT and
          SD_VARLINK_SERVER_ALLOW_FD_PASSING_OUTPUT have been defined, which
          may be passed to sd_varlink_server_new(), and ensure that any
          connections associated with the server instance are automatically
          created with file descriptor passing enabled for input or output.

        * The "io.systemd.System" fallback Varlink errors that sd-varlink
          generates for Linux 'errno' style error numbers now carry both the
          numeric value (as before) and the symbolic name (i.e. "ENOENT"),
          ensuring that the error remains somewhat portable (as the numeric
          values are Linux and possibly architecture-specific).

        * The generic "io.systemd.service" Varlink service that various of our
          long-running services implement, gained a new GetEnvironment() call
          that returns the current environment block of the service's main
          process. In addition, this service interface has been implemented in
          many more long-running services.

        * A new sd-varlink call sd_varlink_get_description() has been added
          that returns the string previously set via
          sd_varlink_set_description().

        * A new sd-varlink API call sd_varlink_get_n_fds() has been added that
          returns the number of pending incoming file descriptors on the
          current message.

        * A new flag SD_VARLINK_SERVER_MODE_MKDIR_0755 may now be ORed into the
          mode parameter of sd_varlink_server_listen_address(). If specified
          then any leading directories in the provided AF_UNIX socket path are
          automatically created with an 0755 access mode, should they be
          missing.

        * sd_varlink_idl_parse() and sd_varlink_interface_free() have been
          added to sd-varlink, which can be used to parse Varlink IDL data.

        varlinkctl:

        * varlinkctl gained a new --exec switch. When used a command line of a
          command to execute once a Varlink method call reply has been received
          may be specified. The command will receive the method call reply on
          standard input in JSON format, and any passed file descriptors via
          the $LISTEN_FDS protocol. This is useful for invoking method calls
          that return file descriptors from shell scripts.

        * varlinkctl gained a new --push-fd= switch which may be used to issue
          a Varlink method call and send along one or more file descriptors on
          transports that support it (i.e. AF_UNIX).

        sd-device:

        * A new API call sd_device_enumerator_add_all_parents() has been added
          that may be used to include all parent devices of otherwise matching
          devices in the enumeration.

        * A new API call sd_device_get_sysattr_value_with_size() has been added
          that returns a sysfs attribute file in binary form along with its
          size.

        systemd-logind:

        * A new configuration knob WallMessages= has been added to logind.conf,
          which may be used to control whether wall(1) style messages shall be
          sent to all consoles when the system goes down.

        * A new pseudo session class "none" has been defined. This may be used
          with the class= parameter of pam_systemd.so (and some other places)
          to disable allocation of a systemd-logind session for a specific
          session. Note that this is not a recommended mode of operation, as
          such "ghost" sessions will not be properly accounted for, and are
          excluded from the per-user/per-session resource accounting.

        * Two new session classes "user-light"/"user-early-light" have been
          added, that are just like the regular "user"/"user-early" session
          classes, but differ in one way: they do not cause activation of the
          per-user service manager. These new session classes are now used for
          logins of non-regular users which are used in a non-interactive way.

        * The pidfd inode ID of a session's leader process is now exposed as
          D-Bus property for session objects, in addition to the PID. The inode
          ID is a 64bit unique identifier for a process that is not vulnerable
          to recycling issues.

        systemd-resolved:

        * When issuing parallel A and AAAA lookups for the same domain name,
          and one succeeds quickly, we'll now shorten the timeout for the
          other. This should improve behaviour with DNS servers whose IPv6
          support is flaky and reply to A quickly but not at all to AAAA.

        * The "Monitor" Varlink IPC API of systemd-resolved now gained support
          for a new SubscribeDNSConfiguration() call that enables subscription
          to any DNS configuration changes, as they happen.

        * systemd-networkd-wait-online gained a new --dns switch that ensures
          that not only network connectivity is available, but also DNS
          configuration is established in systemd-resolved, making use of the
          new, aforementioned Varlink interface.

        * resolved.conf gained a new setting RefuseRecordTypes= which takes a
          list of RR types for which to refuse lookup attempts. This may be
          used to for example block A or AAAA lookups on IPv4- or IPv6-only
          hosts.

        * A new DNS "delegate zone" concept has been introduced, which are
          additional lookup scopes (on top of the existing per-interface and
          the one global scope so far supported in resolved), which carry one
          or more DNS server addresses and a DNS search/routing domain. It
          allows routing requests to specific domains to specific servers.
          Delegate zones can be configured via drop-ins below
          /etc/systemd/dns-delegate.d/*.dns-delegate.

        * "resolvectl query -t sshfp" will now decode the returned RR
          information, and show the cryptographic algorithms by name instead of
          number.

        * The search domains hard cap has been bumped from 256 to 1024, in order
          to accommodate complex network setups.

        systemd-hostnamed:

        * The system hardware's serial number may now be read from DeviceTree
          too, in addition to the existing SMBIOS/DMI based logic.

        * New properties for the Chassis Asset Tag, the hardware SKU, and the
          hardware version are now provided (backed by SMBIOS/DMI).

        * hostnamed also exposes properties now for the image ID and image
          version (this is very useful on image-based systems).

        systemd-stub, systemd-boot & bootctl:

        * UEFI firmware images may now be embedded in UKIs (in an ".efifw" PE
          section), for use in bring-your-own-firmware scenarios in
          Confidential Computing. The firmware is matched via CHIDs to the
          local invoking VM, in a fashion conceptually close to the DeviceTree
          selection already available since v257. If a suitable firmware image
          is found at boot, and the system's firmware version does not match it,
          the update is applied and the system is rebooted. If the firmware
          matches, boot proceeds as usual.

        * When systemd-stub is invoked through a network boot provided UKI, it
          will now query the source URL and write it to the LoaderDeviceURL EFI
          variable. This may then be used by Linux userspace to look for
          further resources (such as a root disk image) at the same location.

        * systemd-boot now understands two new Boot Loader Specification Type #1
          stanzas: "uki" and "uki-url", which is very similar to "efi" and
          "linux", and references an UKI, the latter on a remote HTTP/HTTPS
          server. The latter is particularly relevant for implementing a fully
          UKI based boot process, but with network provided UKI images.

        * systemd-boot now looks for the special SMBIOS Type #11 vendor strings
          io.systemd.boot.entries-extra=, and synthesizes additional boot menu
          entries from the provided data. This is useful with systemd-vmspawn's
          --smbios11= switch, see below.

        * systemd-stub now defaults to a minimum of 120 available PE sections,
          instead of the previous default of 30. This reflects the fact that
          multi-profile UKI typically require a lot more sections than
          traditional single-profile UKIs. Note that this is just a
          compile-time default, downstream distributions might choose to raise
          this further – in particular on ARM systems where many Devicetree
          blobs shall be embedded into an UKI.

        * systemd-boot's loader.conf configuration file gained a new
          "reboot-on-error" setting which controls what to do if booting a
          selected entry fails, i.e. whether to reboot or just show the menu
          again.

        * bootctl's --no-variables switch has been replaced by
          --variables=yes/no. By setting --variables=yes modification of EFI
          variables can be forced now in environments where we'd previously
          automatically turn this off (e.g. in choot() contexts).

        * bootctl's --graceful is now implicitly enabled when running in a
          chroot, to ease integration in packaging scriptlets.

        * systemd-stub gained support for a couple of "extension" CHIDs, that
          are not part of the Microsoft's original spec, and which include EDID
          display identification information in the hash. This may be used to
          match Devicetree blobs in UKIs. "systemd-analyze chid" has been
          updated to support these extension CHIDs, too. (They are clearly
          marked as extensions CHIDs, to emphasize they are systemd's own
          invention, and not based on the Windows CHID spec.)

        * systemd-boot's loader.conf configuration file gained a new
          secure-boot-enroll-action setting which controls the action to take
          once automatic Secure Boot keys have been enrolled, i.e. whether to
          reboot or whether to shut down the system.

        * Userspace may set a new LoaderSysFail EFI variable. It is used by
          systemd-boot: when set and the system firmware reports some kind of
          system failure (for now this is pretty much only about failed
          firmware updates), systemd-boot will use the specified entry instead
          of following the usual fallback entry selection logic. bootctl gained
          a new "set-sysfail" verb to set this variable.

        * systemd-boot will now set LoaderTpm2ActivePcrBanks EFI variable to
          let the userspace know which TPM2 PCR banks are available. This is
          more reliable then trying to figure this out through sysfs.

        * systemd-stub will now also load global sysexts and confexts from
          ESP/loader/extensions/*.{sysext,confext}.raw.

        systemd-nsresourced & systemd-mountfsd:

        * When a new user namespace is registered and a name for it must be
          supplied, this name may now optionally be mangled automatically so
          that it follows the naming rules for namespaces employed. This makes
          it easier to provide suitable identifiers to the service, without any
          client-side preparations or clean-ups, and thus ensures allocation of
          a userns can ultimately "just work".

        * A special, fixed UID/GID range has been defined called the "foreign"
          UID/GID range. It's intended to be used to persistently own
          bootable OS/container images on disk (i.e. OS trees that use a
          UID/GID assignments not local to the host, but "foreign", i.e. they
          have their own /etc/passwd + /etc/group table or similar database),
          so that they can be mapped to other user namespace UID/GID ranges at
          runtime through ID-mapped mounts.

        * systemd-mountfsd gained a new IPC call accessible to unprivileged
          clients for acquiring an ID-mapped mount for any OS/container
          directory tree which is itself owned by the foreign UID/GID range,
          and has a parent directory owned by the caller's UID. This means the
          systemd-nsresourced/systemd-mountfsd combination is now suitable for
          running unprivileged containers both from a disk image and from a
          directory tree.

        * When activating a DDI via mountfsd's MountImage() call the returned
          data will now include the literal path to attach each returned path
          to, to simplify implementation of clients.

        * systemd-nsresourced gained an API for allocating a network TAP device
          to associate with a user namespaces. This can be used by unprivileged
          VMMs, to acquire IP networking. The network interface associated with
          the TAP device comes with a matching .link and .network file, so that
          systemd-networkd will set up IP routing (with masquerading) on it
          automatically.

        * systemd-nsresourced will now always ask polkit for authorization of
          its operations, even if they are supposed to be accessible to
          unprivileged clients, so that the PK policy has the last word.

        * systemd-nsresourced gained a new API call MakeDirectory(), which
          creates a new directory, owned by the foreign UID range. It's
          supposed to be used in conjunction with MountDirectory() for creating
          and populating new container trees within user/$HOME context.

        systemd-nspawn:

        * Support for unprivileged invocation of container images stored in
          plain directories has been added, using the new IPC APIs provided by
          "systemd-mountfsd", see above.

        * systemd-nspawn's --private-users= switch now supports a new value
          "managed", which will ensure allocation of a userns via
          systemd-nsresourced, even if run privileged.

        * If systemd-nspawn is used interactively, two new special key
          sequences can be used to trigger an immediate clean shutdown or
          reboot of the container with systemd running as PID 1: '^]^]p' for
          shutdown and '^]^]r' for reboot. This is in addition to the
          previously supported '^]^]^]' which triggers immediate shutdown
          without going through the usual shutdown logic.

        * systemd-nspawn will now invoke the TTY password agent if invoked
          interactively and without privileges. This makes sure unprivileged
          containers start to work even when no other polkit agent is currently
          running for the user. The usual --no-ask-password switch is now also
          available in systemd-nspawn to disable this.

        * systemd-nspawn gained a new --bind-user-shell= switch which allows to
          tweak the shell field of users bound into a container with
          --bind-user=….

        systemd-vmspawn:

        * A new --smbios11= switch may be used to pass an SMBIOS Type #11
          vendor string easily into the booted process. This has various uses,
          one of them is to add additional menu entries to systemd-boot for a
          specific invocation. Example:

          --smbios11=io.systemd.boot.entries-extra:particleos-current.conf=$'title ParticleOS Current\nuki-url http://example.com/somedir/uki.efi'

        * A new switch --grow-image= has been added taking a size in bytes. If
          specified, the image booted into is grown to the specified size if
          found to be smaller.

        * systemd-vmspawn supports unprivileged networking now, using
          systemd-nsresourced's new API to acquire a TAP network device
          unprivileged.

        * systemd-vmspawn now supports --slice and --property= settings,
          matching systemd-nspawn.

        * A new --tpm-state= setting allows precise control of TPM state
          persistency.

        * A new --notify-ready= setting can be used to specify whether to
          expect a READY=1 notification from the guest.

        systemd-machined:

        * systemd-machined now provides a comprehensive Varlink IPC API.

        * The pidfd inode ID of a machine's leader process is now exposed as
          D-Bus property for machine objects, in addition to the PID. The inode
          ID is a 64bit unique identifier for a process that is not vulnerable
          to recycling issues.

        * A new "org.freedesktop.machine1.register-machine" polkit action is
          used when checking for privileges to register a machine. Previously,
          "org.freedesktop.machine1.create-machine" was used for creation and
          registration operations.

        * systemd-machined now also tracks the "supervisor" process of a
          machine, i.e. the host process that manages the payload. This
          information is exposed through the Supervisor/SupervisorPIDFDId D-Bus
          properties and "supervisor"/supervisorProcessId" varlink properties.

        systemd-measure, ukify, systemd-keyutil, systemd-sbsign:

        * systemd-measure gained a new "policy-digest" verb. It's a lot like
          "sign" but instead of calculating the right TPM policy digest for a
          specific UKI to sign and then signing it, it leaves the latter step
          out. This is useful to implement offline signing of the policy digest
          of UKIS. ukify gained a --policy-digest option that exposes this
          logic.

        * ukify gained a new --sign-profile= switch for signing a specific UKI
          profile (to support multi-profile UKIs).

        * ukify gained a pair of --join-pcrsig= and --pcrsig= options which is
          useful for offline signing TPM PCR policies, as it allows inserting
          pre-prepared PCR signature blobs into a UKI.

        * ukify gained a new --pcr-certificate= switch that takes the path to
          an X.509 certificate to use in place of a PEM public key, as provided
          via the existing --pcr-public=.

        * systemd-keyutil gained a new verb "pkcs7" which can be used to
          convert between PKCS#1 and PKCS#7 signatures. The --content= switch
          may be used to generate inline signatures (as opposed to the default
          of detached signatures). It also gained a new --hash-algorithm=
          switch to select the hash algorithm for signatures.

        * systemd-sbsign learnt support for offline SecureBoot signing via
          --prepare-offline-signing, --signed-data=, --signed-data-signature=.

        TPM2:

        * A new PCR phase string is now measured into PCR 11 when storage
          target mode is entered, ensuring that access to TPM key material can
          be taken away, once storage target mode is activated.

        * Similarly, a new string is measured when booting into factory reset
          mode.

        * A new service systemd-tpm2-clear.service has been introduced that can
          be used to request clearing of the local TPM on next reboot. It comes
          with a kernel command line option systemd.tpm2_allow_clear= that
          controls its effect. The unit is hooked into the generic
          factory-reset.target unit, so that it can do its thing when a factory
          reset is requested.

        * If systemd-pcrextend (i.e. the tool making the various userspace TPM
          PCR measurements) fails to do its thing, an immediate reboot is now
          triggered, ensuring that somehow making PCR extensions fails cannot
          be used to gain access to TPM objects to which access should have
          been blocked already via PCR measurements.

        * systemd-pcrlock gained a new "is-supported" verb that determines
          whether local TPM and system provide all necessary functionality for
          systemd-pcrlock to work. It does a superset of the checks
          "systemd-analyze has-tpm2" does, and additionally ensures that the
          TPM supports PolicyAuthorizeNV and SHA-256.

        systemd-userdbd & systemd-homed:

        * User records now support a new field "aliases" that may list
          additional names the user record shall be accessible under. Any
          string listed in the "aliases" array may be used wherever and
          whenever the primary name may be used too, for example when logging
          in. systemd-homed and in particular homectl have been updated to
          support configuration of such alias names.

        * If a user record has an initialized "realm" field, then the record
          may now be referenced via the primary user name or any alias name,
          suffixed with "@" and the realm, too.

        * User records gained new fields tmpLimit, tmpLimitScale, devShmLimit,
          devShmLimitScale which enforce quota on /tmp/ and /dev/shm/ at login
          time, either in absolute or in relative values. These values default
          to 80% for regular users, ensuring that a single user cannot easily
          DoS a local system by taking away all disk space in /tmp/. The
          homectl tool has been updated to make these new fields configurable.

        * The userdb Varlink interface has been extended to support server-side
          filtering by UID/GID min/max, fuzzy name matching and user
          disposition. Previously this was supported by the userdbctl
          client-side only. With this, userdb providers may now optionally
          implement this server-side too in order to optimize the lookups.

        * User records now support a concept of home "areas",
          i.e. subdirectories of the primary $HOME directory that a user can
          log into. This is useful to maintain separate development
          environments or configuration contexts, but within the ownership of
          the same user. Support for this is implemented in systemd-homed, but
          is conceptually open to other backends, too.

          New home areas can be created via "mkdir -p ~/Areas/ && cp /etc/skel
          ~/Areas/foo", or removed by "rm -rf ~/Areas/foo". Whenever prompted
          for login and a user name is requested, it is possible to enter a
          username suffixed by "%" and the area name in order to log into the
          specified area of the user. (e.g. "bar%foo"). Effectively this
          ensures that $HOME and $XDG_RUNTIME_DIR include the area choice after
          login. Note that at this moment it's not possible to log into a full
          graphical session with this, since we'd have to start a per-area user
          service manager for that, and we currently do not do this. But we
          hope to provide this in one of the next releases. In order to
          implement all this user records gained a new "defaultArea" field,
          which is configurable with homectl's --default-area= switch.

        * An explicit MIME type application/x.systemd-home is now used for all
          LUKS *.home files managed by systemd.

        * userdbctl gained a new switch --from-file=. If used the tool will not
          look up a user or group record from the system's user database but
          instead read it from the specified JSON file, and then present it in
          the usual, human-readable fashion.

        * systemd-homed gained D-Bus API calls for listing, adding, removing and
          showing use record signing keys.

        * homectl gained the verbs "list-signing-keys", "get-signing-key",
          "add-signing-key", "remove-signing-key" and a switch
          --key-name=. These may be used to easily make a single home directory
          usable on multiple systems. A system credential
          home.add-signing-key.* has been added that allows provisioning such
          user record signing keys at boot.

        * homectl gained a new switch "--dry-run" which can be used when
          registering/creating users, and which will show the user record data
          before it's submitted to systemd-homed. The tool will then terminate
          before the submission.

        * User/group records' perMachine section now support negative matches
          too (i.e. for settings that apply to all systems but some selected
          few).

        * systemd-homed gained a bus API call AdoptHome() for "adopting" a
          .home file or .homedir directory from a foreign system
          locally. homectl added a verb "adopt" exposing the new call. Together
          with the signing key management functionality described above it
          makes it very easy to migrate homes between systems.

        * systemd-homed gained two new bus API calls RegisterHome() and
          UnregisterHome() for registering a home locally by providing just the
          user record, without any logic to actually create the home directory.
          homectl gained "register" and "unregister" verbs exposing this. This
          is useful for registering network user accounts locally, i.e. where
          some foreign user record and home directory already exists on some
          server, and just need to be registered locally. This can be used to
          make a local systemd-homed home directory securely accessible from
          some other system:

          $ homectl update lennart --ssh-authorized-keys=… -N \
              --storage=cifs --cifs-service="//$HOSTNAME/lennart"
          $ homectl get-signing-key |
              ssh targetsystem homectl add-signing-key --key-name="$HOSTNAME".public
          $ homectl inspect -E lennart |
              ssh targetsystem homectl register -
          $ ssh lennart@targetsystem

          There's also a new system credential 'home.register.*' that causes
          registration for the provided user record automatically at boot.

        * homectl gained a new switch --seize= taking a boolean argument. If
          true when used together with the "create" or "register" verbs any
          cryptographic signature information is stripped from the user record,
          taking over the user record for local ownership. This switch is
          useful when migrating a home directory to a different host, without
          retaining the relationship to the originating host.

        * homectl gained a new --match= switch which allows to generate
          accounts with perMachine matching sections.

        * userdbctl gained a new verb "load-credentials", with a service unit
          systemd-userdb-load-credentials.service which invokes it. When
          invoked this command will look for any passed credentials named
          userdb.user.* or userdb.group.*. These credentials may contain
          user/group records in JSON format. They will be copied into
          /run/userdb/ (where static userdb JSON records can be placed), with
          the appropriate symlink from the UID/GID added in, as any membership
          relationships between user/groups replicated as .membership files. Or
          in other words: it's very easy to provision a complete user/group
          record in an invoked system, by providing the user/group JSON record
          as system credential. Note that these credentials are unrelated to
          similar credentials supported by systemd-homed. "userdb
          load-credentials" creates "static" user records via drop-in files in
          /run/userdb/ (and thus covers system users and suchlike) while
          systemd-homed creates only systemd-homed managed use (i.e. only
          regular users).

        * User/group records gained a new "uuid" field that may be used to
          place an identifying UUID in the record.

        systemd-run and run0:

        * run0 gained a new --lightweight= switch which controls whether to
          pull in a service manager for the target session (i.e. this
          ultimately chooses between the "user"/"user-early" session class on
          one hand or the "user-light"/"user-early-light" session class on the
          other, see above).

        * systemd-run gained a new --job-mode= switch for controlling the job
          mode when enqueuing the start job for the transient unit. This is
          similar to the switch of the same name of "systemctl start".

        * run0 gained a new --area= switch for directly entering a specific
          home area (see above).

        * systemd-run/run0 gained a new --pty-late switch that is just like
          --pty but sets up TTY forwarding only once the unit is fully
          activated. This is relevant for avoiding TTY ownership collisions between
          the TTY forwarding and potential password queries using the
          systemd-ask-password infrastructure. run0 now defaults to this mode for
          interactive operations.

        * The --chdir= switch now accepts the special value '~' to force
          changing into the target user's home directory.

        * run0 gained a new --via-shell switch that ensures any specified
          command is invoked via the target user's shell instead of directly.

        DDI support & systemd-dissect:

        * systemd-dissect gained a new --loop-ref-auto switch which initializes
          the --look-ref= field from a suitable string derived from the DDI
          filename.

        * systemd-dissect's --attach command now supports a new --quiet switch
          that suppressed output of the loopback device node path that is
          usually shown.

        * A generic service template systemd-loop@.service has been added that
          wraps "systemd-dissect --attach", and attaches a disk image whose
          path is encoded in the instance identifier of the unit to a new
          loopback block device. This may be used to attach arbitrary disk
          images to loopback devices at boot.

        * There's now a per-user counterpart of /var/lib/machines/ defined as
          ~/.local/state/machines/. Various tools such as systemd-nspawn +
          systemd-vmspawn now will search this directory when looking for a
          disk image, when invoked in unprivileged user context.
          systemd-dissect's --discover command may now be combined with --user
          or --system to choose in which of the directory scopes to look for
          images.

        * systemd-dissect gained a new --all switch. If specified the tool will
          not just discover DDIs (i.e. disk images) but also images stored in
          regular directories.

        * systemd-dissect gained a new "--shift" switch for recursively
          re-chown()ing a directory tree from one set of UID/GIDs to another.
          This may be used to shift a tree from the base-0-UID range to the
          foreign UID range or back.

        * systemd-dissect gained new --usr-hash= and --usr-hash-sig= options,
          that are similar to the existing --root-hash=/--root-hash-sig=
          options, but for the /usr/ partition. This allows the root hash of
          the /usr/ Verity volume and its signature to be specified.

        * When dissecting/mounting a DDI disk image, and no Verity root hash or
          signature is provided, suitable values are now automatically
          discovered from the image itself.

        * systemd-gpt-auto-generator now understands root=dissect and
          mount.usr=dissect as kernel command line options that explicitly
          request the full blown DDI dissector to be used to discover the root
          and /usr/ file system, including automatic Verity root hash and
          signature discovery, automatic handling of versioning, image policy
          enforcement and filtering and so on.

        * The DDI dissection logic now understands a concept of partition
          "filtering". A partition filter is simply a per-designator globbing
          pattern to match the partition labels against. This may be used
          support parallel installations of multiple operating systems on the
          same disk, where each OS names its partitions with a specific prefix
          or similar. systemd-dissect gained a new --image-filter= switch to
          configure this filter. The new "dissect_image" udev plugin and
          systemd-gpt-auto-generator now understand the new
          systemd.image_filter= kernel command line switch configuring this
          filter for the system.

        systemd-importd & importctl:

        * systemd-pull/importctl now supports ASCII armored (*.asc) GPG signatures.

        * The systemd.pull= and rd.systemd.pull= kernel command line switches
          (which may be used to automatically download a VM, container, confext,
          or sysext at boot) now understand a new flag "blockdev". When
          specified the downloaded image is attached to a loopback block device
          after download. This may be used to boot directly into a disk image
          downloaded via HTTP via a kernel command line like this:

          rd.systemd.pull=raw,machine,verify=no,blockdev:image:https://192.168.100.1:8081/image.raw \
              root=/dev/disk/by-loop-ref/image.raw-part2

        * systemd.pull=/rd.systemd.pull= also gained support for a new flag
          "bootorigin". If specified and if the system was network booted
          through systemd-stub (which now sets the LoaderDeviceURL EFI
          variable, see above), the URL to boot from is now automatically
          formed from the UKI network boot URL with a new suffix. Example:

          rd.systemd.pull=raw,machine,verify=no,blockdev,bootorigin:rootdisk:image.raw.xz \
              root=/dev/disk/by-loop-ref/rootdisk.raw-part2

        * The systemd.pull=/rd.systemd.pull= switches now also support a new
          flag "runtime=", taking a boolean argument. If true the downloaded
          image is placed below the /run/ hierarchy instead of /var/. It
          defaults to true for rd.systemd.pull= (i.e. for downloads made in the
          initrd), and false for systemd.pull= (i.e. for those made after the
          initrd→host transition).

        * New generic target units imports-pre.target and imports.target have
          been introduced that are ordered before and after all downloads.

        * systemd-importd gained support for downloading images compressed with
          zstd now, too. (In addition to .xz, .gz and .bz2.)

        Factory Reset:

        * A new tool systemd-factory-reset has been added that may be used to
          request or cancel a factory reset request for the next reboot. It is
          also accessible via its own Varlink API.

        * A new target unit factory-reset-now.target has been added that
          executes an immediate factory reset. (Previously factory-reset.target
          existed already that requested it for next reboot).

        * A new kernel command line option systemd.factory_reset= has been
          added for explicitly requesting a factory reset. (Implemented via a
          new systemd-factory-reset-generator)

        * A new document explaining the factory reset logic in detail has been
          added. It is available online here:

          https://systemd.io/FACTORY_RESET

        systemd-repart:

        * systemd-repart gained a new switch --join-signature= for supporting
          offline Verity signing.

        * systemd-repart gained a new switch --append-fstab= for controlling
          how to write or append automatically generated /etc/fstab entries.

        * CopyFiles= lines can now contain an "fsverity=copy" flag to preserve
          the fs-verity status of the source files when populating the
          filesystem.

        * systemd-repart has been updated to automatically generate the
          extended attributes systemd-validatefs@.service understands (see
          below), for all partitions it recognizes. Controllable via the
          AddValidateFS= partition setting (which defaults to true).

        * repart.d/ drop-ins gained a new setting FileSystemSectorSize= which
          allows configuring the sector size that file systems for newly
          formatted file systems explicitly.

        * systemd-repart will now enforce a minimum size for ESP/XBOOTLDR
          partitions of 100M (on 512b sector drives) or 260M (on 4K sector
          drives), in accordance to the requirements for these kind of
          partitions.

        * The Format= setting in repart.d/ files gained support for a special
          value "empty". This is a shortcut to set up an empty partition and
          set the partition label to "_empty", and set the "NoAuto" GPT
          flag. The former is useful as systemd-sysupdate recognizes empty
          partitions that way, the latter is useful to ensure that the
          partition is not automatically made used of as is, on any OS that
          supports GPT.

        systemd-analyze:

        * systemd-analyze gained a new "chid" verb, which shows the "Computer
          Hardware IDs" (CHIDs) of the local system. This is useful for
          preparing CHID-to-DeviceTree mappings when building UKIs.

        * systemd-analyze gained a new "transient-settings" verb, which shows
          all unit settings one can configure dynamically via the
          "--property="/"-p" switch when invoking transient units.

        * systemd-analyze gained a new "unit-shell" verb that invokes an
          interactive shell inside the namespaces of the main process
          of a specified unit. This is useful for debugging unit sandboxes, and
          getting an idea how things look like from the "inside" of a service.

        * systemd-analyze gained a new "unit-gdb" verb to attach a debugger
          to a unit.

        Other:

        * systemd-ask-password now provides a small Varlink API to
          interactively query the user for a password using the usual agent
          logic. This makes it easier for external programs (for example
          daemons) to query for boot-time passwords and similar, using
          systemd's infrastructure.

        * The logging logic in systemd's codebase now implements the
          DEBUG_INVOCATION= interface added to service management in v257. Or
          in other words: the RestartMode=debug setting may now be added for
          any of systemd's own service and has the intended effect of enabling
          debug logging if it gets automatically restarted.

        * The "package note" specification ELF binaries has been extended to
          cover PE binaries (i.e. UEFI binaries), too.

        * New kernel command line parameters systemd.break= and
          rd.systemd.break= have been introduced that insert interactive (as
          in: shell prompt) "breakpoints" into the boot process at various
          locations, in order to simplify debugging. For now four breakpoints
          are defined: "pre-udev", "pre-basic", "pre-mount",
          "pre-switch-root". Similar functionality has previously existed in
          the Dracut initrd generator, but is generalized with this new
          concept, and extended to the post-switch-root boot phases.

        * The systemd-path tool now learnt new paths for the per-system and
          per-user credential store.

        * A new tool systemd-pty-forward has been added that allocates a pseudo
          TTY ("PTY") and invokes a process on it, forwarding any output to the
          TTY it is invoked on. It can optionally apply background coloring and
          suchlike, and is mostly just a separate tool that makes the PTY
          forwarding logic used in systemd-nspawn, systemd-vmspawn, run0
          available separately.

        * systemd-oomd can now reload its configuration at runtime, following
          the usual protocols.

        * systemd-detect & ConditionVirtualization= now recognize the "Arm
          Confidential Compute Architecture" (cca) confidential virtualization.

        * systemd-detect-virt now correctly distinguishes between bare-metal
          and virtualized machines in Google Compute Engine, and will not
          report the former as virtualized.

        * systemd-sysusers now generates Linux audit records when it adds
          system users.

        * systemd-firstboot's interactive prompts for locale or keymaps now
          support tab completion.

        * systemd-mount gained support for a new --canonicalize= switch that
          may be used to turn off client-side path canonicalization before
          trying to unmount some path.

        * systemd-notify gained a new --fork switch which inverts the role that
          systemd-notify plays in the sd_notify() protocol: instead of sending
          out notification messages, it will listen for them, forking off a
          command that is expected to send them. Once READY=1 is received
          systemd-notify will exit, leaving the child running. This is useful
          for correctly forking off processes that implement the sd_notify()
          protocol from shell scripts.

        * systemd-fstab-generator now supports a root=bind:… syntax for
          creating bind mounts for the root file system. This is useful for
          booting into tarballs downloaded at boot. As an example, consider a
          kernel command line like this:

          rd.systemd.pull=tar,machine,verify=no:root:http://192.168.100.1:8081/image.tar root=bind:/run/machines/root ip=any

        * libapparmor is now loaded via dlopen() instead of using direct shared
          library linking. This allows downstream distributions to provide AA
          support as a runtime option instead of making the AA userspace a
          mandatory dependency.

        * A new generic remote-integritysetup.target unit has been added that
          matches remote-veritysetup.target and remote-cryptsetup.target's role
          for remote block devices, but for dm-integrity devices.

        * A new document about finding boot components and the root disk of the
          OS has been added. It's available online here:

          https://systemd.io/ROOTFS_DISCOVERY

        * Whenever any systemd tool begins or ends a new TTY context (i.e. takes
          over a TTY for some time) a new OSC sequence is now emitted, with
          various details about the context. This new OSC sequence can be
          interpreted by terminal emulators to visualize the context/source TTY
          output originates from or to show various kinds of metadata for
          it. The OSC sequence is specified in this document:

          https://systemd.io/OSC_CONTEXT

          Contexts are generated for systemd-nspawn/systemd-vmspawn boots, for
          run0 or systemd-run sessions, whenever PAM TTY sessions start or end,
          and when shell command executions start and end. Metadata sent along
          contains hostname, machine ID, boot ID, exit status, unit information
          and more.

        * If PID 1 makes up a suitable $TERM for a TTY it activates a service
          on (in case there are no other hints on how to choose it) it will now
          also set $COLORTERM=truecolor. Moreover, if $COLORTERM or $NO_COLOR
          are set on the kernel cmdline we'll now import them into PID1's
          environment block, just like $TERM itself. Moreover, systemd-nspawn
          and run0 will now propagate $COLORTERM and $NO_COLOR from the calling
          to the target environment, if set, just like $TERM is already
          handled. Or to say this with different words: the triplet of $TERM,
          $COLORTERM, $NO_COLOR is now processed jointly and in similar ways,
          wherever appropriate.

        * systemd-update-done gained a new --root= switch to operate in
          "offline" mode on a specific file system tree.

        * A new template service systemd-validatefs@.service has been added
          that can validate usage of file systems. Specifically, it will look
          for certain extended attributes stored on the top-level directory
          inode of the mount, which may encode various constraints on use of
          the file system. For example, it may encode a directory path the file
          system must be mounted to, a GPT type UUID that must be used for the
          partition the file system is located in and more. This provides
          protection in case GPT auto-discovery is used to discover the mounts,
          but essential metadata outside of the file system itself has been
          tampered with. This operates under the assumption that the extended
          attributes on the root inode of the file system are protected by
          dm-verity or dm-crypt/dm-integrity, even if the GPT metadata has no
          equivalent cryptographic protection. If a file system carries these
          extended attributes but they do not match the current use and
          location of the file system an immediate reboot is triggered.

        * systemd-gpt-auto-generator now understands a new mount option
          x-systemd.validatefs for /etc/fstab entries. If specified an instance
          of systemd-validatefs@.service is automatically pulled in by the
          relevant mount.

        * systemd-fstab-auto-generator and systemd-gpt-auto-generator now
          understand root=off on the kernel command line which may be used to
          turn off any automatic or non-automatic mounting of the root file
          system. This is useful in scenarios where a boot process shall never
          transition from initrd context into host context.

        * systemd-ssh-proxy now supports an alternative syntax for connecting
          to SSH-over-AF_VSOCK, in order to support scp and rsync better: "scp
          foo.txt vsock%4711:" should work now. (The pre-existing syntax used
          "/" instead of "%" as separator, which is ambiguous in scp/rsync
          context even if not for ssh itself.)

        * "systemctl start" and related verbs now support a new --verbose
          mode. If specified the live log output of the units operated on is
          shown as long as the operation lasts.

        * sd-bus: a new API call sd_bus_message_dump_json() returns a JSON
          representation of a D-Bus message.

        * sd-daemon: a new call sd_pidfd_get_inode_id() has been added
          for acquiring the unique inode ID of a pidfd, coupling the
          $MAINPIDFDID/$MANAGERPIDFDID and session/machine leader pidfd IDs
          exposed as described above.

        * systemd-coredump will now attach a new COREDUMP_DUMPABLE= journal
          field to all coredumps indicating the "dumpable" per-process flag (as
          settable via PR_SET_DUMPABLE) at the moment the coredump took
          place. It will also add a new journal field COREDUMP_BY_PIDFD= that
          indicates whether the coredump was acquired via a stable pidfd to the
          process.

        * systemd-sysext (and portable services with sysexts applied) will now
          take the os-release "ID_LIKE=" field into account when validating that
          a sysext images is compatible with the underlying image. Previously
          it would only check "ID=".

        * A new UID range has been defined for "greeters", i.e. graphical login
          prompt UIs that shall be security isolated from each other. This is
          supposed to be used by graphical display managers (specifically:
          gdm), to ensure that it is harder to exploit the UI sessions used to
          prompt the user for login credentials, in order to gain access to the
          prompts of other users.

        * systemd-socket-activate gained a new --now switch which ensures the
          specified binary is immediately invoked, and not delayed until a
          connection comes in.

        * systemd-ssh-generator will now generate the AF_VSOCK ssh listener
          .socket unit, so that a tiny new helper "systemd-ssh-issue" is
          invoked when the socket is bound, that generates a drop-in file
          /run/issue.d/50-ssh-vsock.issue that is shown by "login" and other
          subsystems at login time. The file reports the AF_VSOCK CID of the
          system, along with very brief information how to connect to the
          system via ssh-over-AF_VSOCK. Or in other words: if the system is
          booted up in an AF_VSOCK capable VM the console login screen shown
          once boot-up is complete will tell you how to connect to the system
          via SSH, if that's available.

        * systemd-fsck gained fsck.mode and fsck.repair credentials support to
          control the execution mode of fsck.

        * systemd-quotacheck gained quotacheck.mode credential support to
          control the execution mode of quotacheck.

        Contributions from: 16mc1r, A. Wilcox, Aaron Rogers,
        Abderrahim Kitouni, Adam Williamson, Adrian Vovk, Ahmad Fatoum,
        Alberto Planas, Alex, Alex Xu (Hello71), Alexander Bruy,
        Alexander Krabler, Alexander Kurtz, Alexander Shopov,
        Alexander Stepchenko, Allison Karlitskaya, Aman Verma,
        Américo Monteiro, Andika Triwidada, AndreFerreiraMsc,
        Andreas Henriksson, Andreas Schneider, Andreas Stührk, Andres Beltran,
        Andrew Sayers, Andrii Chubatiuk, André Monteiro, Andy Shevchenko,
        Ani Sinha, Anthony Avina, Anthony Messina, Anton Ryzhov, Anton Tiurin,
        Antonio Alvarez Feijoo, Arian van Putten, Arkadiusz Bokowy, Arnaudv6,
        AsciiWolf, Avram Dorfman, Bastien Nocera, Beniamino Galvani,
        Brett Holman, Busayo Dada, ButterflyOfFire, Carlo Teubner, Chris Grant,
        Chris Hofstaedtler, Chris Mayo, Christian Glombek, Christian Hesse,
        Christopher Head, Colin Foster, Cosima Neidahl, Craig McLure,
        Daan De Meyer, Dai MIKURUBE, Dan McGregor, Dan Streetman,
        Daniel Foster, Daniel Rusek, Daniil, David C. Manuelda, David Härdeman,
        David Rheinsberg, David Tardon, DeKoile, Debarshi Ray, Deli Zhang,
        Devilish Spirits, Dimitri John Ledkov, Duncan Overbruck, Dusty Mabe,
        Eaterminer, Eisuke Kawashima, Emilio Sepulveda, Emir SARI,
        Emmanuel Ferdman, Enrico Tagliavini, Erik Larsson, Erin Shepherd,
        Ettore Atalan, Fabian Möller, Fabian Vogt, Fco. Javier F. Serrador,
        Federico Giovanardi, Felix Pehla, Fleuria, Florian Schmaus, Franck Bui,
        Frantisek Sumsal, Frede Braendstrup, Gabríel Arthúr Pétursson,
        Gavin Li, George Tsiamasiotis, Graham Clinch, Grimmauld, H A, Hang Li,
        Harrison Vanderbyl, Hendrik Wolff, Henri Aunin, Igor Opaniuk, Itxaka,
        Ivan Kruglov, Ivan Trubach, Jack Wu, Jacob McNamee, James Hilliard,
        Jan Engelhardt, Jan Fooken, Jan Kalabza, Jan Macku, Jan Vaclav,
        Jan Čermák, Jared Baur, Jaroslav Škarvada, Jasmine Andrever-Wright,
        Javier Francisco, Jelle van der Waa, Jeremy Linton, Jesper Nilsson,
        Jesse Guo, Jim Spentzos, Joaquim Monteiro, Joey Holtzman,
        John Rinehart, Jonas Gorski, Jordan Petridis, Jose Ortuno,
        Josh Triplett, Jules Lamur, Justinas Kairys, Jörg Behrmann,
        Kamil Páral, Katariina Lounento, Kevin P. Fleming, Khem Raj, KidGrimes,
        Kurt Borja, Lennart Poettering, Li Tian, Lin Jian, Linus Heckemann,
        Lorenzo Arena, Louis Sautier, LuK1337, Luca Boccassi,
        Lucas Adriano Salles, Luke Yeager, Lukáš Nykrýn, Luna Jernberg,
        Léane GRASSER, Marco Trevisan (Treviño), Marcos Alano,
        Mario Limonciello, Markus Kurz, Martin Homuth-Rosemann,
        Martin Hundebøll, Martin Srebotnjak, Martin Wilck, Mate Kukri,
        Matteo Croce, Matthew Schwartz, Matthias Gerstner, Matthias Lisin,
        Matthieu Baerts (NGI0), Matthieu LAURENT, MaxHearnden,
        Michael Catanzaro, Michael Ferrari, Michael Limiero, Michael Olbrich,
        Michal Koutný, Michal Sekletár, Michał Moczulski, Mike Yuan,
        Miroslav Lichvar, Morten Hauke Solvang,
        Muhammad Nuzaihan Bin Kamal Luddin, Myrrh Periwinkle, Nathan,
        NetSysFire, Nick Labich, Nick Owens, Nick Rosbrook, Nils K,
        Noel Georgi, Nuno Sá, Oliver Schramm, Paul Fertser, Pavithra Barithaya,
        Philip Freeman, Philip Withnall, Piotr Drąg, Pontus Lundkvist, Raura,
        Ricky Tigg, RocketDev, Ronan Pigott, Rostislav Lastochkin,
        Rudi Heitbaum, Ryan Blue, Ryan Thompson, Ryan Wilson, Salim B,
        Salvatore Cocuzza, Sam James, Sam Leonard, Samuel Dionne-Riel,
        Sea-Eun Lee, Septatrix, Sergey A, Shubhendra Kushwaha, Silvio Knizek,
        Solar Designer, SoloSaravanan, Sonia Zorba, Soumyadeep Ghosh,
        Stefan Hansson, Stefan Herbrechtsmeier, Steve Ramage,
        Temuri Doghonadze, TheHillBright, Thomas Hebb, Thorsten Kukuk,
        Tim Crawford, Tim Small, Tim Vangehugten, Tobias Heider,
        Tobias Klauser, Todd C. Miller, Tommi Rantala, Tommy Unger, Trollimpo,
        Ubuntu, Valentin David, Valentin Hăloiu, Vasiliy Kovalev,
        Vishal Chillara Srinivas, Vishwanath Chandapur, Vitaly Kuznetsov,
        Volodymyr Shkriabets, Vyacheslav Yurkov, Werner Sembach, Y T,
        Yaping Li, Yu Watanabe, ZIHCO, Zbigniew Jędrzejewski-Szmek,
        andrejpodzimek, anonymix007, anthisfan, cvlc12, damnkiwi6120, davjav,
        fishears, hanjinpeng, haxibami, herbrechtsmeier, honjow, hsu zangmen,
        igo95862, jane400, jinyaoguo, joo es, kanitha chim, keentux, kmeaw,
        luc-salles, madroach, maia x., msizanoen, naly zzwd, nkraetzschmar,
        nl6720, novenary, peelz, persmule, richfifeg, ssoss, tim tom, tuxmainy,
        tytan652, val4oss, ver4a, victor-ok, vlefebvre, wrvsrx, wtmpx,
        xinpeng wang, z z, Дамјан Георгиевски, наб, 铝箔, 김인수

        — Edinburgh, 2025/09/17

CHANGES WITH 257:

        Incompatible changes:

        * The --purge switch of systemd-tmpfiles (which was added in v256) has
          been reworked: it will now only apply to tmpfiles.d/ lines marked
          with the new "$" flag. This is an incompatible change, and means any
          tmpfiles.d/ files which shall be used together with --purge need to
          be updated accordingly. This change has been made to make it harder
          to accidentally delete too many files when using --purge incorrectly.

        * The systemd-creds 'cat' verb now expects base64-encoded encrypted
          credentials as input, for consistency with the 'decrypt' verb and the
          LoadCredentialEncrypted= service setting. Previously it could only
          read raw, unencoded binary data.

        * Support for automatic flushing of the nscd user/group database caches
          has been dropped.

        * The FileDescriptorName= setting for socket units is now honored by
          Accept=yes sockets too, where it was previously silently ignored and
          "connection" was used unconditionally.

        * systemd-logind now always obeys block inhibitor locks, where previously
          it ignored locks taken by the caller or when the caller was root. A
          privileged caller can always close the other sessions, remove the
          inhibitor locks, or use --force or --check-inhibitors=no to ignore the
          inhibitors. This change thus doesn't affect security, since everything
          that was possible before at a given privilege level is still possible,
          but it should make the inhibitor logic easier to use and understand,
          and also help avoiding accidental reboots and shutdowns. New 'block-weak'
          inhibitor modes were added, if taken they will make the inhibitor lock
          work as in the previous versions. Inhibitor locks can also be taken by
          remote users (subject to polkit policy).

        * systemd-nspawn will now mount the unified cgroup hierarchy into a
          container if no systemd installation is found in a container's root
          filesystem. $SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=0 can be used to override
          this behavior.

        * /dev/disk/by-id/nvme-* block device symlinks without an NVMe
          namespace identifier are now fixed to namespace 1 of the device. If
          no namespace 1 exists for a device no such symlink is
          created. Previously, these symlinks would point to an unspecified
          namespace, and thus not be strictly stable references to
          multi-namespace NVMe devices. These un-namespaced symlinks are mostly
          obsolete, users and applications should always use the ones with
          encoded namespace information instead. This change should not affect
          too many systems, because most NVMe devices only know a namespace 1
          by default.

        * Support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now
          considered obsolete and systemd by default will ignore configuration
          that enables them. To forcibly reenable cgroup v1 support,
          SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 must additionally be set on the
          kernel command line.

       Announcements of Future Feature Removals:

        * The D-Bus method org.freedesktop.systemd1.StartAuxiliaryScope() is
          deprecated because accounting data and such cannot be reasonably
          migrated between cgroups. It is likely to be fully removed in a
          future release (reach out if you have use cases).

        * The recommended kernel baseline version has been bumped to v5.4
          (released in 2019). Expect limited testing on older kernel versions,
          where "old-kernel" taint flag would also be set. Support for them
          will be phased out in a future release in 2025, i.e. we expect to bump
          the minimum baseline to v5.4 then too.

        * The complete removal of support for cgroup v1 ('legacy' and 'hybrid'
          hierarchies) is scheduled for v258.

        * Support for System V service scripts is deprecated and will be
          removed in v258. Please make sure to update your software
          *now* to include a native systemd unit file instead of a legacy
          System V script to retain compatibility with future systemd releases.

        * To work around limitations of X11's keyboard handling systemd's
          keyboard mapping hardware database (hwdb.d/60-keyboard.hwdb) so far
          mapped the microphone mute and touchpad on/off/toggle keys to the
          function keys F20, F21, F22, F23 instead of their correct key codes.
          This key code mangling will be removed in the next systemd release.
          To maintain compatibility with X11 applications that rely on the old
          function key code mappings, this mangling has now been moved to the
          relevant X11 keyboard driver modules. In order to ensure these keys
          continue to work, update to xf86-input-evdev >= 2.11.0 and
          xf86-input-libinput >= 1.5.0 before updating to systemd >= 258.

        * Support for the SystemdOptions EFI variable is deprecated.
          'bootctl systemd-efi-options' will emit a warning when used. It seems
          that this feature is little-used and it is better to use alternative
          approaches like credentials and confexts. The plan is to drop support
          altogether at a later point, but this might be revisited based on
          user feedback.

        * systemd-run's switch --expand-environment= which currently is disabled
          by default when combined with --scope, will be changed in a future
          release to be enabled by default.

        libsystemd:

        * systemd's JSON API is now available as public interface of
          libsystemd, under the name "sd-json". The purpose of the library is
          to allow structures to be conveniently created in C code and
          serialized to JSON, and for JSON to be conveniently deserialized into
          in-memory structures, using callbacks to handle specific
          keys. Various data types like integers, floats, booleans, strings,
          UUIDs, base64-encoded and hex-encoded binary data, and arrays are
          supported natively. The library has been part of systemd for a while
          as internal component, and is now made publicly available. One major
          user of sd-json is sd-varlink (see below). Note that the
          documentation of sd-json is very much incomplete for now, but the
          systemd codebase provides plenty real-life code examples.

        * systemd's Varlink IPC API is now available as part of libsystemd,
          under the name "sd-varlink". This library is a C implementation of
          the Varlink IPC system (https://varlink.org/) that has been adopted
          by systemd for various interfaces. It relies on the sd-json JSON
          component, see above. Note that the documentation of sd-varlink is
          very much incomplete for now, but the systemd codebase provides
          plenty real-life code examples.

        * sd-bus gained a new call sd_bus_pending_method_calls() which returns
          the number of currently open asynchronous method calls initiated on
          this connection towards peers.

        * sd-device gained a new call sd_device_monitor_is_running() that
          returns whether the specified monitor object is already running. It
          also gained sd_device_monitor_get_fd(),
          sd_device_monitor_get_events(), sd_device_monitor_get_timeout() and
          sd_device_monitor_receive() to permit sd-device to run on top of a
          foreign event loop implementation. It also gained
          sd_device_get_driver_subsystem() which returns the subsystem of
          driver objects. The new sd_device_get_device_id() call returns a
          short string identifying the device record.

        System and Service Management:

        * The environment variable $REMOTE_ADDR is now set when using
          per-connection socket activation for AF_UNIX stream sockets. It
          contains the AF_UNIX peer address of the connection. (Previously the
          environment variable was only set for IP sockets.)

        * Multipath TCP (MPTCP) is now supported as a socket protocol for
          .socket units.

        * A new /etc/fstab option x-systemd.wants= creates "Wants="
          dependencies.  (This is similar to the previously available
          x-systemd.requires=.)

        * The initialization of the system clock during boot and updates has
          been simplified: both PID 1 or systemd-timesyncd will pick the latest
          minimum time as indicated by the compiled-in epoch,
          /usr/lib/clock-epoch, and /var/lib/systemd/timesync/clock. See
          systemd(1) for an detailed updated description.

        * The kernel's Ctrl-Alt-Delete handling is re-enabled during late
          shutdown, so that the user may use it to initiate a reboot if the
          system freezes otherwise.

        * The new value "identity" for the unit setting PrivateUsers= may be
          used to request a user namespace with an identity mapping for the
          first 65536 UIDs/GIDs.  This is analogous to the systemd-nspawn's
          --private-users=identity.

        * The new value "disconnected" for the unit setting PrivateTmp= may be
          used to specify that a separate tmpfs instance should be used for
          /tmp/ and /var/tmp/ for the unit.

        * The server manager (and various other tools too) use pidfds in more
          places to refer to processes.

        * A build option -D link-executor-shared=false can be used to build
          the systemd-executor binary (added in a previous release) in a way
          where it does not link to shared libsystemd-shared-….so library.
          PID1 holds a reference to the executor binary that was on disk when
          the manager was started or restarted, but the shared libraries it is
          linked to are not loaded until the executor binary needs to be used.
          This partial static linking is a workaround for the issue where,
          during upgrades, the old libsystemd-shared-….so may have already
          been removed and the pinned executor binary will just fail to
          execute.

        * The systemd.machine_id= kernel command line parameter interpreted by
          PID 1 now supports an additional special value: if set to "firmware"
          the machine ID is initialized from the SMBIOS/DeviceTree system
          UUID. (Previously this was already done automatically in VM
          environments, this extends the concept to any system, but only on
          explicit request via this option.)

        * The ImportCredential= setting in service unit files now permits
          renaming of credentials as they are imported.

        * The RestartMode= setting gained a new "debug" value. If specified and
          the service fails so that it shall be restarted it is invoked in
          "debugging mode". Debugging mode means that the $DEBUG_INVOCATION
          environment variable will be set to "1" for the new
          invocation. Moreover, any setting LogLevelMax= will be temporarily
          changed to "debug" for the next invocation. This mode is useful to
          automatically repeat invocation of tools in case they fail – but with
          additional logging or testing routines enabled.

        * A new service setting BindLogSockets= has been added that
          controls whether the AF_UNIX sockets required for logging shall be
          bind mounted to the mount sandbox allocated for the service.

        * At early boot, PID 1 will now optionally load a policy for the new
          Linux IPE LSM.

        * Transient services (as invoked by the StartTransientUnit() D-Bus
          method) may now receive additional, arbitrary file descriptors to
          pass to executed service processes during activation using the new
          ExtraFileDescriptor= unit property.

        * Calendar .timer units gained a new boolean DeferReactivation=
          option. If enabled and the repetitive calendar timer elapses again
          while the service the timer activates is still running, immediate
          reactivation of the service once it finishes is skipped, and the
          timer has to elapse again before the service is reactivated.

        * Generator processes invoked by the service manager will now receive a
          new environment variable $SYSTEMD_SOFT_REBOOTS_COUNT that indicates
          how many times the system has been soft-rebooted since the kernel
          initialized.

        * A new service property ManagedOOMMemoryPressureDurationSec= has been
          added that complements the existing
          ManagedOOMMemoryPressureDurationLimit= and specifies the PSI
          measurement interval for the specific unit.

        * The sd_notify() protocol has been extended to allow changing the main
          PID of a process by providing a pidfd of the new main process, or by
          specifying the pidfd inode number. Previously this was only supported
          by specifying the classic UNIX PID, which of course is racy.

        * The SocketUser=/SocketGroup= settings of .socket units are now also
          applied to POSIX message queues.

        * The ProtectControlGroups= unit file setting now supports two
          additional values: if set to "private" a new cgroup namespace is
          allocated for the service and cgroupfs mounted accordingly; if set to
          "strict" a new cgroup namespace is allocated for the service, and
          cgroupfs is mounted read-only for the service.

        * The StateDirectory=, RuntimeDirectory=, CacheDirectory=,
          LogsDirectory=, and ConfigurationDirectory= settings gained support
          for configuring the respective directories as read-only, via a ':ro'
          flag that can be appended to each setting's value.

        * When DynamicUser= is combined with
          StateDirectory=/RuntimeDirectory=/CacheDirectory=/LogsDirectory= and
          ID mapped mounts are available on the referenced path, the data in
          there is now preferably made available by establishing ID mapped from
          the "nobody" user to the dynamic user, rather than via recursive
          chown()ing.

        * A new service property PrivatePIDs= has been added that runs executed
          processes as PID 1 - the init process - within their own PID
          namespace.  PrivatePIDs= also mounts /proc/ so only processes within
          the new PID namespace are visible.

        systemd-udevd:

        * udev rules now set 'uaccess' for /dev/udmabuf, giving locally
          logged-in users access to the hardware. This is useful in order to
          support IPMI cameras with libcamera.

        * Serial port devices will no longer show up as systemd units, unless
          they have an IO port or memory assigned to them. This means that only
          serial ports that actually exist should show up as .device units now.

        * mtd devices (i.e. certain kinds of flash memory devices) will now
          show up as .device units in systemd.

        * The firmware_node/sun sysfs attribute will now be used (if available)
          for naming slot-based network interfaces, i.e. ID_NET_NAME_SLOT.
          Moreover the interface aliases specified in DeviceTree are now
          searched for both on the interface's parent device (as before) and
          the device itself (new).

        * Various USB hardware wallets are now recognized by udev via a .hwdb
          file, and get the ID_HARDWARE_WALLET= property set, which enables
          "uaccess" for them, i.e. direct unprivileged access.

        * udevadm info will now output the device ID string in lines prefixed
          with "J:", and the driver subsystem in lines prefixed with "B:".

        * udev rules files now support case-insensitive attribute matching
          (e.g. ATTR{foo}==i"abcd")

        systemd-logind:

        * New DesignatedMaintenanceTime= configuration option allows shutdowns
          to be automatically scheduled at the specified time.

        * logind now reacts to Ctrl-Alt-Shift-Esc being pressed. It will send
          out a org.freedesktop.login1.SecureAttentionKey signal, indicating a
          request by the user for the system to display a secure login dialog.
          The handling of SAK can be suppressed in logind configuration.

        * logind now supports handing off session-managed access to hidraw
          devices via its D-Bus APIs, the same way it already supports that for
          DRM and evdev input devices. This permits unprivileged clients to get
          hidraw fds for a device, that are automatically suspended when the
          session switches away.

        * systemd-logind now exposes two D-Bus properties CanLock and CanIdle
          for all sessions. These properties indicate whether the session's
          class supports screen locking and idleness detection.

        * systemd-inhibit now allows interactive polkit authorization. It
          gained a --no-ask-password option to suppress it.

        systemd-machined:

        * Unprivileged clients are now allowed to register VMs and containers.
          Machines started via the systemd-vmspawn@.service unit will now be
          registered with systemd-machined.

        * systemd-machined gained a pretty complete set of Varlink APIs
          exposing its functionality. This is an alternative to the
          pre-existing D-Bus interface.

        systemd-resolved and resolvectl:

        * The resolvconf command now supports '-p' switch. If specified, the
          interface will not be used as the default route for domain name
          lookups.

        * resolvectl now enables interactive polkit authorization. It gained a
          --no-ask-password option to suppress it.

        * systemd-resolved now implements continuous mDNS querying as per
          RFC6762 §5.2. Clients can subscribe to the notification stream using
          varlink.

        systemd-networkd and networkctl:

        * IPv6 address labels can be also configured in a new [IPv6AddressLabel]
          section with Prefix= and Label= settings in networkd.conf. Please see
          networkd.conf(5) for more details.

        * 'networkctl edit' can now read the new file contents from standard
          input with the new --stdin option.

        * 'networkctl edit' and 'cat' now support editing/showing .netdev files
          by link. 'networkctl cat' can also list all configuration files
          associated with an interface at once with ':all'.

        * networkctl gained a --no-ask-password option to suppress interactive
          polkit authorization.

        * "mac" has been added to the default AlternativeNamesPolicy= setting
          for network links (via 99-default.link). This means "enx*" interface
          names will now be added to the list of alternative interface names by
          default, for all interfaces that have a MAC address assigned
          by hardware.

        * networkd .netdev bridge devices gained a new setting FDBMaxLearned=
          for setting a limit on the number of dynamically learned FDB entries.

        * networkd .network files for bridge devices now support Layer 2 (in
          addition to the pre-existing Layer 3) MDB entries, via
          MulticastGroupAddress=.

        * systemd-networkd will now log when per-network sysctls belonging to
          network interfaces managed by it are changed outside of networkd,
          thus highlighting conflict of ownership/management of these knobs.

        * systemd-networkd will now make RFC9463 DNR fields available to
          systemd-resolved, for automatic DNS DoT configuration, and similar.

        * The "dhcp" and "dhcp-on-stop" values for KeepConfiguration= setting in
          .network file are replaced with "dynamic" and "dynamic-on-stop",
          respectively. When specified, systemd-networkd will preserve all
          dynamic configurations via DHCPv4, DHCPv6, NDISC, and IPv4LL with
          ACD, while previously only DHCPv4 configurations were kept. Also,
          when systemd-networkd is restarted, regardless of the setting, these
          dynamic configurations are unconditionally kept. So, systemd-networkd
          can be restarted without disturbing ongoing connections.

        * systemd-networkd now updates traffic control configuration without
          clearing existing settings. Thus, those settings can be updated by
          editing relevant .network files and triggering 'networkctl reload'.

        * systemd-networkd now gracefully updates netdev settings specified in
          .netdev files when 'networkctl reload' is called. Previously, if the
          relevant interfaces existed, new settings would not be applied. Now,
          new settings will be applied if possible. Some settings cannot be
          updated after a netdev is configured, e.g. VLAN ID can be only
          specified on creation. To change such settings, user needs to remove
          existing interfaces, and invoke 'networkctl reload' or restart
          systemd-networkd.

        systemd-boot, systemd-stub, and related tools:

        * The EFI stub now supports loading of .ucode sections with microcode
          from PE add-on files. It also now supports loading .initrd sections
          from PE add-on files.

        * A new .profile PE section type is now documented and supported in
          systemd-measure, ukify, systemd-stub and systemd-boot. These new
          sections allow multiple "profiles" to be stored together in the UKI,
          where each .profile section creates groupings of sections in the UKI,
          allowing some sections to be shared and other sections like .cmdline
          or .initrd unique to the profile. This may be used to provide a
          single UKI that synthesizes multiple menu items in the boot menu (for
          example, a regular one to boot, plus a debugging one, or a factory
          reset one, and so on – which only differ in kernel command line, but
          nothing else).

        * New .dtbauto and .hwids sections are now documented and supported in
          systemd-measure, ukify, systemd-stub, and systemd-boot. A single UKI
          can contain multiple .dtbauto sections, and the 'compatible' string
          therein will be compared with the equivalent field in the DTB
          provided by the firmware, if present. If absent, SMBIOS will be used
          to calculate hardware IDs (CHIDs) and look them up in the content of
          .hwids, hopefully revealing an fallback 'compatible' string. This
          allows including multiple DTBs in a single UKI, with systemd-stub
          automatically loading the correct one for the current hardware.

        * ukify gained an --extend switch to import an existing UKI to
          be extended, and a --measure-base= switch to support measurement
          of multi-profile UKIs.

        * ukify gained a --certificate-provider switch to use an OpenSSL
          provider to load the certificate used to sign artifacts, instead of
          having to provide the path to a file on disk.

        * bootctl, systemd-keyutil, systemd-measure, systemd-repart, and
          systemd-sbsign gained a new --certificate-source switch that allows
          loading the X.509 certificate from an OpenSSL provider instead of a
          file system path.

        * systemd-boot's menu will now react to volume up/down rocker presses
          the same way as to arrow up/down presses: they move the menu item up
          or down. This is useful on device form factors that have only a
          volume rocker but no arrow keys (e.g. phones).

        * systemd-stub will report the partition UUID and image identifier its
          UKI executable is placed on separately from the data systemd-boot
          provides about where to find its own executable, via EFI
          variables. This is useful when systemd-boot and UKIs are placed on
          distinct partitions (i.e. ESP and XBOOTLDR).

        * bootctl gained new switches --print-loader-path and --print-stub-path
          that output the path to the boot loader or UKI used for the current
          boot.

        * bootctl kernel-identify now recognizes EFI add-ons.

        * bootctl gained a --random-seed=yes|no option to control provisioning
          of the random seed file in the ESP. (This is useful when producing an
          image that will be used in multiple instances.)

        * bootctl now optionally supports installing UEFI Secure Boot databases
          (i.e. db/dbx/…  databases in ESL format) for systemd-boot to pick up
          and automatically enroll if the system is booted in Setup Mode. This
          is controlled via bootctl's new --secure-boot-auto-enroll=yes switch
          (and some auxiliary ones). A certificate can be provided in DER
          format, and is automatically converted into an ESL, as needed.

        * bootctl, systemd-measure, systemd-repart when referencing signing
          keys on OpenSSL engines may now query for PINs and similar via
          systemd's native systemd-ask-password logic (and take benefit of its
          caching and UI).

        * A new systemd-sbsign tool has been added, that can be used to sign
          EFI binaries (PE) for Secure Boot. This tool supports OpenSSL engines
          and providers, with pin caching support for PKCS11. ukify supports it
          as an alternative to sbsigntool and pesign.

        * A new systemd-keyutil tool has been added, that can be used to perform
          various operations on private keys and X.509 certificates.

        The journal:

        * journalctl can now list invocations of a unit with the
          --list-invocation options and show logs for a specific invocation
          with the new --invocation/-I option. (This is analogous to the
          --list-boots/--boot/-b options.)

        systemd-sysupdate and related tools:

        * systemd-sysupdated has been added as system service, allowing
          unprivileged clients to update the system via D-Bus calls. Note that
          for now the systemd-sysupdated API is considered experimental, and is
          not considered stable yet.

          A new updatectl command-line tool can be used to control the
          service.

        * systemd-sysupdate gained a new --offline option to force it to
          operate locally. This is useful when listing locally installed
          versions.

        * systemd-sysupdate gained a new --transfer-source= option to set the
          directory to which transfer sources configured with
          PathRelativeTo=explicit will be interpreted.

        * systemd-sysupdate now reports download progress via sd_notify().

        * systemd-sysupdate now supports output in JSON mode for all commands.

        * systemd-sysupdate definitions may now carry references to ChangeLog
          and AppStream metadata.

        * Transfer definitions for systemd-sysupdate are supposed to carry the
          ".transfer" suffix now, changing from ".conf". The latter remains
          supported for compatibility, but it's recommended to rename all files
          reflecting this suffix change.

        * systemd-sysupdate now supports new ".feature" files that may be
          used in conjunction with ".transfer" files to group them together, and
          allow them to be turned off or on, individually per group.

        TPM & systemd-cryptsetup:

        * The 'has-tpm2' verb which reports whether TPM2 functionality is
          available has been moved from systemd-creds to systemd-analyze.

        * systemd-tpm2-setup will gracefully handle TPMs that have a PIN set on
          the TPM, and not attempt to automatically set up a Storage Root Key
          (SRK) in that case.

        * New crypttab option password-cache=yes|no|read-only can be used to
          customize password caching.

        * New crypttab options fido2-pin=, fido2-up=, fido2-uv= can be used to
          enable/disable the PIN query, User Presence check, and User
          Verification.

        * systemd-cryptenroll gained new options --fido2-salt-file= and
          --fido2-parameters-in-header= to simplify manual enrollment of FIDO2
          tokens.

        * systemd-cryptenroll, systemd-repart, and systemd-storagetm gained a
          new --list-devices option to list appropriate candidate block
          devices.

        * systemd-cryptenroll/systemd-cryptsetup now support combined signed
          PCR policies and local systemd-pcrlock policies for unlocking a
          disk. Or in other words, it's now possible to bind unlocking of a
          local disk to a specific OS vendor *and* a locally managed set of
          measurements describing the local system.

        varlinkctl:

        * varlinkctl gained a new verb 'list-methods' to show a list of
          methods implemented by a service.

        * varlinkctl gained a --quiet/-q option to suppress method call
          replies.

        * varlinkctl gained a --graceful= option to suppress specific Varlink
          errors, and treat them as success.

        * varlinkctl gained a --timeout= option to limit how long the
          invocation can take.

        * varlinkctl allows remote invocations over ssh, via the new
          "ssh-exec:" address specification. It'll make an ssh connection,
          start the specified executable on the remote side, and communicate
          with the remote process using the Varlink protocol.

          The "ssh:" address specification has been renamed to "ssh-unix:"
          (reflecting the fact it is used to connect to a remote AF_UNIX socket
          via SSH). The old syntax is still supported for backwards
          compatibility.

        * varlinkctl's 'introspect' verb no longer requires specification of an
          interface name. If none is specified all interfaces exposed by the
          service are shown. Moreover, more than one interface name may be
          specified now, in which case all specified ones are displayed.

        systemd-repart:

        * systemd-repart's CopyBlocks= directive can now use a character device
          as source (in addition to previously supported regular files and
          block devices). This is useful for initializing a partition from
          /dev/urandom or similar.

        * systemd-repart gained new Compression= and CompressionLevel= settings
          to enable internal compression in filesystems created offline.

        * systemd-repart understands a new MakeSymlinks= option to create one
          or more symlinks (each specified as a symlink name and target) within
          a newly formatted file system.

        * systemd-repart gained a new SupplementFor= setting that allows
          allocating a partition only if some other existing partition cannot
          be adjusted to match the constraints defined for it. This is useful
          to generate an XBOOTLDR partition if and only if an ESP already
          exists that is too small for the required constraints.

        * The default size of verity hash partitions is now automatically
          derived from SizeMaxBytes= of the data partition it is protecting.

        systemd-ssh-proxy:

        * systemd-ssh-proxy now also supports the AF_UNIX-based "VSOCK MUX"
          protocol used by CloudHypervisor/Firecracker to expose AF_VSOCK
          sockets of the VM on the host. Or in other words: it's now possible
          to directly connect to ssh via AF_VSOCK from hosts to VMs of these
          two hypervisors (previously this was only supported for hypervisors
          which expose AF_VSOCK on the host as AF_VSOCK, such as qemu).

        * systemd-ssh-proxy can now reference local VMs by their name: connect
          to any local VM "foobar" registered with systemd-machined via "ssh
          machine/foobar" using the AF_VSOCK protocol.

        systemd-analyze:

        * systemd-analyze will now show the SMBIOS #11 vendor strings set for
          the machine with a new 'smbios11' verb.

        * systemd-analyze gained a new --instance= option that can be used to
          provide an instance name to analyze multiple templates instantiated
          with the same instance name.

        * systemd-analyze's "capability" verb now gained a new --mask
          parameter. If specified a numeric capbality mask can be specified
          which is decoded for its contained capabilities.

        * systemd-analyze's "plot" verb gained two new settings: --scale-svg=
          allows the X axis of the split to be stritched by a factor. If
          --detailed is specified activation timestamps are shown in the plot.

        busctl:

        * 'busctl monitor' gained new options --limit-messages= and --timeout=
          to set the number of matches or limit the runtime of the command.

        * busctl now supports doing method calls with embedded unix file
          descriptors.

        * busctl acquired a new "wait" command to wait for a specific signal to
          arrive.

        systemd-nspawn:

        * systemd-nspawn --bind-user= will now propagate the bound user's SSH
          public key (if included in the user record) into the container,
          ensuring that any such bound user is directly accessible via ssh.

        * systemd-nspawn now supports unprivileged FUSE inside containers.

        systemd-importd:

        * A new generator sytemd-import-generator has been added to synthesize
          image download jobs. This provides functionality similar to
          importctl, but is configured via the kernel command line and system
          credentials. It may be used to automatically download sysext,
          confext, portable service, nspawn container or vmspawn VM images at
          boot.

        * systemd-importd now provides a Varlink IPC interface, in addition to
          its existing D-Bus IPC interface.

        * The individual import/export tools will now display a nice progress
          bar when downloading files.

        systemd-userdb & systemd-homed:

        * userdbctl gained a pair of switches --uid-min= and --uid-max= to
          filter the UID/GID range of the listed users or groups. It also
          gained a new switch --disposition= to filter them by disposition
          (i.e. show only system users or only regular users, and so on). It
          also gained a new switch --fuzzy that permits a "fuzzy" search for a
          user, i.e. doing a substring and string distance search, and looking
          into the real name field of the user and other similar fields. It
          gained a new switch --boundaries=no for disabling display of the
          UID/GID range boundaries in its output.

        * User records learnt a new set of fields that may list field names
          that may be changed by the user themselves without requiring
          administrator authentication. This new field is honoured by
          systemd-homed to allow users to change selected properties of their
          own user records.

        systemd-run & run0:

        * run0 gained a new pair of settings --pty and --pipe that control
          whether to invoke the specified binary on a freshly allocated pseudo
          TTY, or whether to pass the client's STDIN/STDOUT/STDERR through
          directly.

        * run0 gained a new switch --shell-prompt-prefix= that permits passing
          in a string to display on each shell prompt as prefix. If not
          specified otherwise this will show a superhero emoji (🦸), in order
          to visually communicate the temporarily elevated privileges a run0
          session provides. This makes use of the $SHELL_PROMPT_PREFIX
          environment variables mentioned below.

        * systemd-run can output some of its runtime data in JSON format via
          the new --json= option.

        systemd-tmpfiles:

        * systemd-tmpfiles --purge switch now requires specification of at
          least one tmpfiles.d/ drop-in file.

        * tmpfiles.d/ files gained a new '?' specifier for the 'L' line type to
          create a symlink only if the source exists, and gracefully skip the
          line otherwise.

        Miscellaneous:

        * systemctl now supports the --now option with the 'reenable' verb.

        * systemd-mount can now output JSON with a new --json= switch, for use
          with --list-devices. It also shows the "diskseq" property in the
          block device list.

        * systemd-id128 gained a new 'var-partition-uuid' verb to calculate
          the DPS UUID for /var/ keyed by the local machine-id.

        * localectl gained a -l/--full option to show output without
          ellipsization.

        * timedatectl now supports interactive polkit authorization.

        * The new Linux mseal(), listmount(), statmount() syscalls have been
          added to relevant system call groups.

        * The systemd-ask-password logic has been extended with a per-user
          scope, i.e. user programs may now ask for passwords via the same
          mechanism and the previously system-wide only mechanism.

        * A new set of system/service credentials are added:
          shell.prompt.prefix, shell.prompt.suffix and shell.welcome. At login
          time these are propagated into the $SHELL_PROMPT_PREFIX,
          $SHELL_PROMPT_SUFFIX, $SHELL_PROMPT_WELCOME environment
          variables. These in turn are included in the shell prompt of
          interactive shells and shown at login time, via
          /etc/profile.d/70-systemd-shell-extra.sh. This functionality is
          useful to visually highlight the fact a specific shell prompt
          originates from a specific system, execution context or tool. These
          credentials and environment variables are supposed to be generically
          useful within and outside of the immediate systemd context. It is
          also used by 'run0', see above.

        * New RELEASE_TYPE=, EXPERIMENT=, EXPERIMENT_URL= fields have been
          defined for the /etc/os-release file. For example,
          "RELEASE_TYPE=development|stable|lts" can be used to indicate various
          stages of the release life cycle, and "RELEASE_TYPE=experimental" can
          indicate experimental builds, with the EXPERIMENT= field providing a
          human-readable description of the nature of the experiment.

        * A new sleep.conf HibernateOnACPower= option has been added, which
          when disabled will suppress hibernation in suspend-then-hibernate
          mode until the system is disconnected from a power source.

        * A bunch of patches to ease building against musl have been merged.

        * The various components that display progress bars
          (i.e. systemd-repart, systemd-sysupdate/updatectl, importctl), will
          now also issue the ANSI sequences for progress reports that Windows
          Terminal understands. Most Linux terminals currently do not support
          this sequence (and ignore it), but hopefully this will change one
          day. The progress information is used to display a nice progress
          animation in the terminal tab and icon. For details about the ANSI
          sequence and its effects, see:

          https://github.com/microsoft/terminal/pull/8055
          https://conemu.github.io/en/AnsiEscapeCodes.html#ConEmu_specific_OSC

        * systemd-sysusers is now able to create fully locked user
          accounts. For compatibility it so far created accounts with a locked
          (i.e. invalid) password, but not marked locked as a whole. With the
          new "!" modifier for "u" lines, it is now possible to create fully
          locked accounts. The distinction between accounts with a locked
          password and fully locked accounts is relevant when considering
          non-password forms of authentication, i.e. SSH and such. It is
          strongly recommended to make use of this new feature for almost all
          system accounts, since they usually do not require (and should not
          permit) interactive logins. All of systemd's own system users have
          been changed to be marked as fully locked.

        * systemd-coredump now supports a new EnterNamespace= option, which
          defaults to off. If enabled systemd-coredump will access the mount
          namespace of any crashed process to acquire debug symbol information,
          in order to be able to symbolize backtraces. This option is useful to
          improve backtraces of processes of containerized applications. (Note
          that the host systemd-coredump preferably dispatches coredump
          processing to the container itself, if it supports that. Only full-OS
          containers which run systemd inside will support this however, in
          other cases EnterNamespace= might be an suitable approach to acquire
          symbolized backtraces.)

        Special thanks to Nick Owens for bringing attention to and testing
        fixes for issue #34516.

        Contributions from: 12paper, A. Wilcox, Abderrahim Kitouni,
        Adrian Vovk, Alain Greppin, Allison Karlitskaya, Alyssa Ross,
        Anders Jonsson, Andika Triwidada, Andreas Schwab, Andres Beltran,
        Ani Sinha, Anouk Ceyssens, Anselm Schueler, Anton Golubev,
        Antonio Alvarez Feijoo, Arian van Putten, Arnaud Patard,
        Arthur Shau, Bastien Nocera, Benjamin ROBIN, Brenton Simpson,
        Bryan Gurney, ButterflyOfFire, Carlo Teubner, Celeste Liu,
        Chen Guanqiao, Chen Qi, Chengen Du, Christian Hesse,
        Christoph Anton Mitterer, Colin Foster, Collin L,
        Cristian Rodríguez, Daan De Meyer, Dan Nicholson, Daniel Dawson,
        Daniel Martinez, Daniel P. Berrangé, Daniel Rusek,
        Darsey Litzenberger, David Joaquín Shourabi Porcel,
        David Michael, David Rheinsberg, David Tardon, Davide Cavalca,
        Derek J. Clark, Diego Viola, Dimitrys Meliates, Diogo Ivo,
        Dmytro Markevych, DocNITE, Dominique Martinet,
        Dr. David Alan Gilbert, Edson Juliano Drosdeck, Erik Sjölund,
        Etienne Champetier, Etienne Cordonnier, Ettore Atalan,
        Eugeny Shcheglov, Excited-bore, Fabian Vogt, Federico Giovanardi,
        Filip Lewiński, Florian Schmaus, Franck Bui, Frantisek Sumsal,
        Fábio Rodrigues Ribeiro, Gabriel Elyas, Gaël PORTAY,
        Geraldo S. Simião Kutz, Giovanni Baratta, Greg Heartsfield,
        Gregor Herburger, Gregory Arenius, GwynBleidD, Göran Uddeborg,
        Hans de Goede, Helmut Grohne, Henry Chen, Ian Abbott, Integral,
        Ivan Kruglov, Ivan Shapovalov, James Coglan, James Hilliard,
        James Muir, Jason Yundt, Jeffrey Bosboom, Jian Zhang,
        Jiri Grönroos, Johannes Schneider, John A. Leuenhagen,
        Jose Ignacio Tornos Martinez, JoseskVolpe, Joshua Grisham,
        Jörg Behrmann, Kai-Chuan Hsieh, Kamil Szczęk, Karel Zak,
        Kornilios Kourtis, Kuntal Majumder, Lennart Poettering,
        Lidong Zhong, Luca Boccassi, Lucas Adriano Salles,
        Lucas Werkmeister, Ludwig Nussel, Luke T. Shumaker,
        Lukáš Nykrýn, Luna Jernberg, Léane GRASSER, Maanya Goenka,
        Mantas Mikulėnas, Marc Reisner, Marcel Hellwig, Marco Tomaschett,
        Marin Kresic, Marius Hoch, Martin Srebotnjak, Martin Wilck,
        Mary Strodl, Matteo Croce, Matthias Lisin, Matthias Schiffer,
        Matthieu Baerts (NGI0), Matthieu CHARETTE,
        Mauri de Souza Meneguzzo, Maximilian Wilhelm, Merlin Jehli,
        Michael Ferrari, Michal Koutný, Michal Sekletár, Michał Górny,
        Michele Dionisio, Michiel, Mickaël Salaün, Mike Gilbert,
        Mike Yuan, MkKvcs, Nick Cao, Nick Rosbrook, Nils K, Nova840,
        Oğuz Ersen, Pavel Borecki, PavlNekrasov, Peter Hutterer,
        Peter Rajnoha, Piotr Drąg, Raphaël Mélotte, Renan Guilherme,
        Renjaya Raga Zenta, Ricky Tigg, Riku, Robin Lee, Ronan Pigott,
        Ryan Wilson, Sam James, Sascha Mester, Sean Rhodes,
        Sebastian Gross, Septatrix, Sergey A, ShreyasMahangade,
        Simon Pilkington, Skye Chappelle, Steve Traylen, Stuart Hayhurst,
        SuhailAhmedVelorum, Susant Sahani, Takeo Kondo, Temuri Doghonadze,
        Thomas Blume, Thorsten Kukuk, Thorsten Scherer, Tobias Fleig,
        Tobias Zimmermann, Tom Coldrick, Tom Yan, Tomas Bzatek,
        Topi Miettinen, Tristan F.-R., Uday Shankar, Valentin David,
        Vasiliy Kovalev, Vitaly Kuznetsov, Vito Caputo, Vladimir Panteleev,
        Vursc, Will Fancher, WilliButz, Winterhuman, Xeonacid, Xuanjun Wen,
        Yanqing Jing, Yaron Shahrabani, Yu Watanabe, Yuri Chornoivan,
        ZHANG Yuntian, Zbigniew Jędrzejewski-Szmek, Zhou Qiankang,
        andre4ik3, anonymix007, bryango, chayleaf, chenjiayi, csp5me, cvlc12,
        fwfy, gerblesh, hugo303, jan@neighbourhood.ie, jauge-technica,
        lumingzh, maia x., marginaldev, migleeson, nerdopolis, oldherl,
        pyfisch, q66, rajmohan r, reDBo0n, rhellstrom, rindeal, samuelvw01,
        sinus-x, tfg13, vdovhanych, xujing, Łukasz Stelmach,
        Štěpán Němec, Дамјан Георгиевски, 白一百

        — Edinburgh, 2024-12-10

CHANGES WITH 256:

        Announcements of Future Feature Removals and Incompatible Changes:

        * Support for automatic flushing of the nscd user/group database caches
          will be dropped in a future release.

        * Support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now
          considered obsolete and systemd by default will refuse to boot under
          it. To forcibly reenable cgroup v1 support,
          SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 must be set on kernel command
          line. The meson option '-Ddefault-hierarchy=' is also deprecated, and
          only cgroup v2 ('unified' hierarchy) can be selected as the build-time
          default.

        * Support for System V service scripts is deprecated and will be
          removed in a future release. Please make sure to update your software
          *now* to include a native systemd unit file instead of a legacy
          System V script to retain compatibility with future systemd releases.

        * Support for the SystemdOptions EFI variable is deprecated.
          'bootctl systemd-efi-options' will emit a warning when used. It seems
          that this feature is little-used and it is better to use alternative
          approaches like credentials and confexts. The plan is to drop support
          altogether at a later point, but this might be revisited based on
          user feedback.

        * systemd-run's switch --expand-environment= which currently is disabled
          by default when combined with --scope, will be changed in a future
          release to be enabled by default.

        * Previously, systemd-networkd did not explicitly remove any bridge
          VLAN IDs assigned on bridge master and ports. Since version 256, if a
          .network file for an interface has at least one valid setting in the
          [BridgeVLAN] section, then all assigned VLAN IDs on the interface
          that are not configured in the .network file are removed.

        * IPForward= setting in .network file is deprecated and replaced with
          IPv4Forwarding= and IPv6Forwarding= settings. These new settings are
          supported both in .network file and networkd.conf. If specified in a
          .network file, they control corresponding per-link settings. If
          specified in networkd.conf, they control corresponding global
          settings. Note, previously IPv6SendRA= and IPMasquerade= implied
          IPForward=, but now they imply the new per-link settings. One of the
          simplest ways to migrate configurations, that worked as a router with
          the previous version, is enabling both IPv4Forwarding= and
          IPv6Forwarding= in networkd.conf. See systemd.network(5) and
          networkd.conf(5) for more details.

        * systemd-gpt-auto-generator will stop generating units for ESP or
          XBOOTLDR partitions if it finds mount entries for or below the /boot/
          or /efi/ hierarchies in /etc/fstab. This is to prevent the generator
          from interfering with systems where the ESP is explicitly configured
          to be mounted at some path, for example /boot/efi/ (this type of
          setup is obsolete, but still commonly found).

        * The behavior of systemd-sleep and systemd-homed has been updated to
          freeze user sessions when entering the various sleep modes or when
          locking a homed-managed home area. This is known to cause issues with
          the proprietary NVIDIA drivers. Packagers of the NVIDIA proprietary
          drivers may want to add drop-in configuration files that set
          SYSTEMD_SLEEP_FREEZE_USER_SESSIONS=false for systemd-suspend.service
          and related services, and SYSTEMD_HOME_LOCK_FREEZE_SESSION=false for
          systemd-homed.service.

        * systemd-tmpfiles and systemd-sysusers, when given a relative
          configuration file path (with at least one directory separator '/'),
          will open the file directly, instead of searching for the given
          partial path in the standard locations. The old mode wasn't useful
          because tmpfiles.d/ and sysusers.d/ configuration has a flat
          structure with no subdirectories under the standard locations and
          this change makes it easier to work with local files with those
          tools.

        * systemd-tmpfiles now properly applies nested configuration to 'R' and
          'D' stanzas. For example, with the combination of 'R /foo' and 'x
          /foo/bar', /foo/bar will now be excluded from removal.

        * systemd.crash_reboot and related settings are deprecated in favor of
          systemd.crash_action=.

        * Stable releases for version v256 and newer will now be pushed in the
          main repository. The systemd-stable repository will be used for existing
          stable branches (v255-stable and lower), and when they reach EOL it will
          be archived.

        General Changes and New Features:

        * Various programs will now attempt to load the main configuration file
          from locations below /usr/lib/, /usr/local/lib/, and /run/, not just
          below /etc/. For example, systemd-logind will look for
          /etc/systemd/logind.conf, /run/systemd/logind.conf,
          /usr/local/lib/systemd/logind.conf, and /usr/lib/systemd/logind.conf,
          and use the first file that is found.  This means that the search
          logic for the main config file and for drop-ins is now the same.

          Similarly, kernel-install will look for the config files in
          /usr/lib/kernel/ and the other search locations, and now also
          supports drop-ins.

          systemd-udevd now supports drop-ins for udev.conf.

        * A new 'systemd-vpick' binary has been added. It implements the new
          vpick protocol, where a "*.v/" directory may contain multiple files
          which have versions (following the UAPI version format specification)
          embedded in the file name. The files are ordered by version and
          the newest one is selected.

          systemd-nspawn --image=/--directory=, systemd-dissect,
          systemd-portabled, and the RootDirectory=, RootImage=,
          ExtensionImages=, and ExtensionDirectories= settings for units now
          support the vpick protocol and allow the latest version to be
          selected automatically if a "*.v/" directory is specified as the
          source.

        * Encrypted service credentials can now be made accessible to
          unprivileged users. systemd-creds gained new options --user/--uid=
          for encrypting/decrypting a credential for a specific user.

        * New command-line tool 'importctl' to download, import, and export
          disk images via systemd-importd is added with the following verbs:
          pull-tar, pull-raw, import-tar, import-raw, import-fs, export-tar,
          export-raw, list-transfers, and cancel-transfer. This functionality
          was previously available in "machinectl", where it was used
          exclusively for machine images. The new "importctl" generalizes this
          for sysext, confext, and portable service images.

        * The systemd sources may now be compiled cleanly with all OpenSSL 3.0
          deprecations removed, including the OpenSSL engine logic turned off.

        Service Management:

        * New system manager setting ProtectSystem= has been added. It is
          analogous to the unit setting, but applies to the whole system. It is
          enabled by default in the initrd.

          Note that this means that code executed in the initrd cannot naively
          expect to be able to write to /usr/ during boot. This affects
          dracut <= 101, which wrote "hooks" to /lib/dracut/hooks/. See
          https://github.com/dracut-ng/dracut-ng/commit/a45048b80c27ee5a45a380.

        * New unit setting WantsMountsFor= has been added. It is analogous to
          RequiresMountsFor=, but creates a Wants= dependency instead of
          Requires=. This new logic is now used in various places where mounts
          were added as dependencies for other settings (WorkingDirectory=-…,
          PrivateTmp=yes, cryptsetup lines with 'nofail').

        * New unit setting MemoryZSwapWriteback= can be used to control the new
          memory.zswap.writeback cgroup knob added in kernel 6.8.

        * The manager gained a org.freedesktop.systemd1.StartAuxiliaryScope()
          D-Bus method to devolve some processes from a service into a new
          scope. This new scope will remain running, even when the original
          service unit is restarted or stopped. This allows a service unit to
          split out some worker processes which need to continue running.
          Control group properties of the new scope are copied from the
          originating unit, so various limits are retained.

        * Units now expose properties EffectiveMemoryMax=,
          EffectiveMemoryHigh=, and EffectiveTasksMax=, which report the
          most stringent limit systemd is aware of for the given unit.

        * A new unit file specifier %D expands to $XDG_DATA_HOME (for user
          services) or /usr/share/ (for system services).

        * AllowedCPUs= now supports specifier expansion.

        * What= setting in .mount and .swap units now accepts fstab-style
          identifiers, for example UUID=… or LABEL=….

        * RestrictNetworkInterfaces= now supports alternative network interface
          names.

        * PAMName= now implies SetLoginEnvironment=yes.

        * systemd.firstboot=no can be used on the kernel command-line to
          disable interactive queries, but allow other first boot configuration
          to happen based on credentials.

        * The system's hostname can be configured via the systemd.hostname
          system credential.

        * The systemd binary will no longer chainload sysvinit's "telinit"
          binary when called under the init/telinit name on a system that isn't
          booted with systemd. This previously has been supported to make sure
          a distribution that has both init systems installed can reasonably
          switch from one to the other via a simple reboot. Distributions
          apparently have lost interest in this, and the functionality has not
          been supported on the primary distribution this was still intended
          for a long time, and hence has been removed now.

        * A new concept called "capsules" has been introduced. "Capsules" wrap
          additional per-user service managers, whose users are transient and
          are only defined as long as the service manager is running. (This is
          implemented via DynamicUser=1), allowing a user manager to be used to
          manage a group of processes without needing to create an actual user
          account. These service managers run with home directories of
          /var/lib/capsules/<capsule-name> and can contain regular services and
          other units. A capsule is started via a simple "systemctl start
          capsule@<name>.service". See the capsule@.service(5) man page for
          further details.

          Various systemd tools (including, and most importantly, systemctl and
          systemd-run) have been updated to interact with capsules via the new
          "--capsule="/"-C" switch.

        * .socket units gained a new setting PassFileDescriptorsToExec=, taking
          a boolean value. If set to true the file descriptors the socket unit
          encapsulates are passed to the ExecStartPost=, ExecStopPre=,
          ExecStopPost= using the usual $LISTEN_FDS interface. This may be used
          for doing additional initializations on the sockets once they are
          allocated. (For example, to install an additional eBPF program on
          them).

        * The .socket setting MaxConnectionsPerSource= (which so far put a
          limit on concurrent connections per IP in Accept=yes socket units),
          now also has an effect on AF_UNIX sockets: it will put a limit on the
          number of simultaneous connections from the same source UID (as
          determined via SO_PEERCRED). This is useful for implementing IPC
          services in a simple Accept=yes mode.

        * The service manager will now maintain a counter of soft reboot cycles
          the system went through. It may be queried via the D-Bus APIs.

        * systemd's execution logic now supports the new pidfd_spawn() API
          introduced by glibc 2.39, which allows us to invoke a subprocess in a
          target cgroup and get a pidfd back in a single operation.

        * systemd/PID 1 will now send an additional sd_notify() message to its
          supervising VMM or container manager reporting the selected hostname
          ("X_SYSTEMD_HOSTNAME=") and machine ID ("X_SYSTEMD_MACHINE_ID=") at
          boot. Moreover, the service manager will send additional sd_notify()
          messages ("X_SYSTEMD_UNIT_ACTIVE=") whenever a target unit is
          reached. This can be used by VMMs/container managers to schedule
          access to the system precisely. For example, the moment a system
          reports "ssh-access.target" being reached a VMM/container manager
          knows it can now connect to the system via SSH. Finally, a new
          sd_notify() message ("X_SYSTEMD_SIGNALS_LEVEL=2") is sent the moment
          PID 1 has successfully completed installation of its various UNIX
          process signal handlers (i.e. the moment where SIGRTMIN+4 sent to
          PID 1 will start to have the effect of shutting down the system
          cleanly). X_SYSTEMD_SHUTDOWN= is sent shortly before the system shuts
          down, and carries a string identifying the type of shutdown,
          i.e. "poweroff", "halt", "reboot". X_SYSTEMD_REBOOT_PARAMETER= is
          sent at the same time and carries the string passed to "systemctl
          --reboot-argument=" if there was one.

        * New D-Bus properties ExecMainHandoffTimestamp and
          ExecMainHandoffTimestampMonotonic are now published by services
          units. This timestamp is taken as the very last operation before
          handing off control to invoked binaries. This information is
          available for other unit types that fork off processes (i.e. mount,
          swap, socket units), but currently only via "systemd-analyze dump".

        * An additional timestamp is now taken by the service manager when a
          system shutdown operation is initiated. It can be queried via D-Bus
          during the shutdown phase. It's passed to the following service
          manager invocation on soft reboots, which will then use it to log the
          overall "grey-out" time of the soft reboot operation, i.e. the time
          when the shutdown began until the system is fully up again.

        * "systemctl status" will now display the invocation ID in its usual
          output, i.e. the 128bit ID uniquely assigned to the current runtime
          cycle of the unit. The ID has been supported for a long time, but is
          now more prominently displayed, as it is a very useful handle to a
          specific invocation of a service.

        * systemd now generates a new "taint" string "unmerged-bin" for systems
          that have /usr/bin/ and /usr/sbin/ separate. It's generally
          recommended to make the latter a symlink to the former these days.

        * A new systemd.crash_action= kernel command line option has been added
          that configures what to do after the system manager (PID 1) crashes.
          This can also be configured through CrashAction= in systemd.conf.

        * "systemctl kill" now supports --wait which will make the command wait
          until the signalled services terminate.

        Journal:

        * systemd-journald can now forward journal entries to a socket
          (AF_INET, AF_INET6, AF_UNIX, or AF_VSOCK). The socket can be
          specified in journald.conf via a new option ForwardToSocket= or via
          the 'journald.forward_to_socket' credential. Log records are sent in
          the Journal Export Format. A related setting MaxLevelSocket= has been
          added to control the maximum log levels for the messages sent to this
          socket.

        * systemd-journald now also reads the journal.storage credential when
          determining where to store journal files.

        * systemd-vmspawn gained a new --forward-journal= option to forward the
          virtual machine's journal entries to the host. This is done over a
          AF_VSOCK socket, i.e. it does not require networking in the guest.

        * journalctl gained option '-i' as a shortcut for --file=.

        * journalctl gained a new -T/--exclude-identifier= option to filter
          out certain syslog identifiers.

        * journalctl gained a new --list-namespaces option.

        * systemd-journal-remote now also accepts AF_VSOCK and AF_UNIX sockets
          (so it can be used to receive entries forwarded by systemd-journald).

        * systemd-journal-gatewayd allows restricting the time range of
          retrieved entries with a new "realtime=[<since>]:[<until>]" URL
          parameter.

        * systemd-cat gained a new option --namespace= to specify the target
          journal namespace to which the output shall be connected.

        * systemd-bsod gained a new option --tty= to specify the output TTY

        Device Management:

        * /dev/ now contains symlinks that combine by-path and by-{label,uuid}
          information:

              /dev/disk/by-path/<path>/by-<label|uuid|…>/<label|uuid|…>

          This allows distinguishing partitions with identical contents on
          multiple storage devices. This is useful, for example, when copying
          raw disk contents between devices.

        * systemd-udevd now creates persistent /dev/media/by-path/ symlinks for
          media controllers. For example, the uvcvideo driver may create
          /dev/media0 which will be linked as
          /dev/media/by-path/pci-0000:04:00.3-usb-0:1:1.0-media-controller.

        * A new unit systemd-udev-load-credentials.service has been added
          to pick up udev.conf drop-ins and udev rules from credentials.

        * 'udevadm test' and 'udevadm test-builtin' commands now do not change
          any settings; sysfs attributes, sysctls, udev database and so on.
          E.g. 'udevadm test-builtin net_setup_link /sys/class/net/INTERFACE'
          does not change any interface settings, but only prints which .link
          file matches the interface. So, even privileged users can safely
          invoke the commands.

        * An allowlist/denylist may be specified to filter which sysfs
          attributes are used when crafting network interface names. Those
          lists are stored as hwdb entries
            ID_NET_NAME_ALLOW_<sysfsattr>=0|1
          and
            ID_NET_NAME_ALLOW=0|1.

          The goal is to avoid unexpected changes to interface names when the
          kernel is updated and new sysfs attributes become visible.

        * A new unit tpm2.target has been added to provide a synchronization
          point for units which expect the TPM hardware to be available. A new
          generator "systemd-tpm2-generator" has been added that will insert
          this target whenever it detects that the firmware has initialized a
          TPM, but Linux hasn't loaded a driver for it yet.

        * systemd-backlight now properly supports numbered devices which the
          kernel creates to avoid collisions in the leds subsystem.

        * systemd-hwdb update operation can be disabled with a new environment
          variable SYSTEMD_HWDB_UPDATE_BYPASS=1.

        systemd-hostnamed:

        * systemd-hostnamed now exposes the machine ID and boot ID via
          D-Bus. It also exposes the hosts AF_VSOCK CID, if available.

        * systemd-hostnamed now provides a basic Varlink interface.

        * systemd-hostnamed exports the full data in os-release(5) and
          machine-info(5) via D-Bus and Varlink.

        * hostnamectl now shows the system's product UUID and hardware serial
          number if known.

        Network Management:

        * systemd-networkd now provides a basic Varlink interface.

        * systemd-networkd's ARP proxy support gained a new option to configure
          a private VLAN variant of the proxy ARP supported by the kernel under
          the name IPv4ProxyARPPrivateVLAN=.

        * systemd-networkd now exports the NamespaceId and NamespaceNSID
          properties via D-Bus and Varlink. (which expose the inode and NSID of
          the network namespace the networkd instance manages)

        * systemd-networkd now supports IPv6RetransmissionTimeSec= and
          UseRetransmissionTime= settings in .network files to configure
          retransmission time for IPv6 neighbor solicitation messages.

        * networkctl gained new verbs 'mask' and 'unmask' for masking networkd
          configuration files such as .network files.

        * 'networkctl edit --runtime' allows editing volatile configuration
          under /run/systemd/network/.

        * The implementation behind TTLPropagate= network setting has been
          removed and the setting is now ignored.

        * systemd-network-generator will now pick up .netdev/.link/.network/
          networkd.conf configuration from system credentials.

        * systemd-networkd will now pick up wireguard secrets from
          credentials.

        * systemd-networkd's Varlink API now supports enumerating LLDP peers.

        * .link files now support new Property=, ImportProperty=,
          UnsetProperty= fields for setting udev properties on a link.

        * The various .link files that systemd ships for interfaces that are
          supposed to be managed by systemd-networkd only now carry a
          ID_NET_MANAGED_BY=io.systemd.Network udev property ensuring that
          other network management solutions honouring this udev property do
          not come into conflict with networkd, trying to manage these
          interfaces.

        * .link files now support a new ReceivePacketSteeringCPUMask= setting
          for configuring which CPUs to steer incoming packets to.

        * The [Network] section in .network files gained a new setting
          UseDomains=, which is a single generic knob for controlling the
          settings of the same name in the [DHCPv4], [DHCPv6] and
          [IPv6AcceptRA].

        * The 99-default.link file we ship by default (that defines the policy
          for all network devices to which no other .link file applies) now
          lists "mac" among AlternativeNamesPolicy=. This means that network
          interfaces will now by default gain an additional MAC-address based
          alternative device name. (i.e. enx…)

        systemd-nspawn:

        * systemd-nspawn now provides a /run/systemd/nspawn/unix-export/
          directory where the container payload can expose AF_UNIX sockets to
          allow them to be accessed from outside.

        * systemd-nspawn will tint the terminal background for containers in a
          blueish color. This can be controller with the new --background=
          switch or the new $SYSTEMD_TINT_BACKGROUND environment variable.

        * systemd-nspawn gained support for the 'owneridmap' option for --bind=
          mounts to map the target directory owner from inside the container to
          the owner of the directory bound from the host filesystem.

        * systemd-nspawn now supports moving Wi-Fi network devices into a
          container, just like other network interfaces.

        systemd-resolved:

        * systemd-resolved now reads RFC 8914 EDE error codes provided by
          upstream DNS services.

        * systemd-resolved and resolvectl now support RFC 9460 SVCB and HTTPS
          records, as well as RFC 2915 NAPTR records.

        * resolvectl gained a new option --relax-single-label= to allow
          querying single-label hostnames via unicast DNS on a per-query basis.

        * systemd-resolved's Varlink IPC interface now supports resolving
          DNS-SD services as well as an API for resolving raw DNS RRs.

        * systemd-resolved's .dnssd DNS_SD service description files now
          support DNS-SD "subtypes" via the new SubType= setting.

        * systemd-resolved's configuration may now be reloaded without
          restarting the service. (i.e. "systemctl reload systemd-resolved" is
          now supported)

        SSH Integration:

        * An sshd_config drop-in to allow ssh keys acquired via userdbctl (for
          example expose by homed accounts) to be used for authorization of
          incoming SSH connections. This uses the AuthorizedKeysCommand stanza
          of sshd_config. Note that sshd only allows a single command to be
          configured this way, hence this drop-in might conflict with other
          uses of the logic. It is possible to chainload another, similar tool
          of another subsystem via the --chain switch of userdbctl, to support
          both in parallel. See the "INTEGRATION WITH SSH" section in
          userdbctl(1) for details on this. Our recommendation how to combine
          other subsystem's use of the SSH authorized keys logic with systemd's
          userbctl functionality however is to implement the APIs described
          here: https://systemd.io/USER_GROUP_API – in that case this newly
          added sshd_config integration would just work and do the right thing
          for all backends.

        * A small new unit generator "systemd-ssh-generator" has been added. It
          checks if the sshd binary is installed. If so, it binds it via
          per-connection socket activation to various sockets depending on the
          execution context:

            • If the system is run in a VM providing AF_VSOCK support, it
              automatically binds sshd to AF_VSOCK port 22.

            • If the system is invoked as a full-OS container and the container
              manager pre-mounts a directory /run/host/unix-export/, it will
              bind sshd to an AF_UNIX socket /run/host/unix-export/ssh. The
              idea is the container manager bind mounts the directory to an
              appropriate place on the host as well, so that the AF_UNIX socket
              may be used to easily connect from the host to the container.

            • sshd is also bound to an AF_UNIX socket
              /run/ssh-unix-local/socket, which may be to use ssh/sftp in a
              "sudo"-like fashion to access resources of other local users.

            • Via the kernel command line option "systemd.ssh_listen=" and the
              system credential "ssh.listen" sshd may be bound to additional,
              explicitly configured options, including AF_INET/AF_INET6 ports.

          In particular the first two mechanisms should make dealing with local
          VMs and full OS containers a lot easier, as SSH connections will
          *just* *work* from the host – even if no networking is available
          whatsoever.

          systemd-ssh-generator optionally generates a per-connection
          socket activation service file wrapping sshd. This is only done if
          the distribution does not provide one on its own under the name
          "sshd@.service". The generated unit only works correctly if the SSH
          privilege separation ("privsep") directory exists. Unfortunately
          distributions vary wildly where they place this directory. An
          incomprehensive list:

            • /usr/share/empty.sshd/  (new fedora)
            • /var/empty/
            • /var/empty/sshd/
            • /run/sshd/              (debian/ubuntu?)

          If the SSH privsep directory is placed below /var/ or /run/ care
          needs to be taken that the directory is created automatically at boot
          if needed, since these directories possibly or always come up
          empty. This can be done via a tmpfiles.d/ drop-in. You may use the
          "sshdprivsepdir" meson option provided by systemd to configure the
          directory, in case you want systemd to create the directory as needed
          automatically, if your distribution does not cover this natively.

          Recommendations to distributions, in order to make things just work:

            • Please provide a per-connection SSH service file under the name
              "sshd@.service".

            • Please move the SSH privsep dir into /usr/ (so that it is truly
              immutable on image-based operating systems, is strictly under
              package manager control, and never requires recreation if the
              system boots up with an empty /run/ or /var/).

            • As an extension of this: please consider following Fedora's lead
              here, and use /usr/share/empty.sshd/ to minimize needless
              differences between distributions.

            • If your distribution insists on placing the directory in /var/ or
              /run/ then please at least provide a tmpfiles.d/ drop-in to
              recreate it automatically at boot, so that the sshd binary just
              works, regardless in which context it is called.

        * A small tool "systemd-ssh-proxy" has been added, which is supposed to
          act as counterpart to "systemd-ssh-generator". It's a small plug-in
          for the SSH client (via ProxyCommand/ProxyUseFdpass) to allow it to
          connect to AF_VSOCK or AF_UNIX sockets. Example: "ssh vsock/4711"
          connects to a local VM with cid 4711, or "ssh
          unix/run/ssh-unix-local/socket" to connect to the local host via the
          AF_UNIX socket /run/ssh-unix-local/socket.

        systemd-boot and systemd-stub and Related Tools:

        * TPM 1.2 PCR measurement support has been removed from systemd-stub.
          TPM 1.2 is obsolete and – due to the (by today's standards) weak
          cryptographic algorithms it only supports – does not actually provide
          the security benefits it's supposed to provide. Given that the rest
          of systemd's codebase never supported TPM 1.2, the support has now
          been removed from systemd-stub as well.

        * systemd-stub will now measure its payload via the new EFI
          Confidential Computing APIs (CC), in addition to the pre-existing
          measurements to TPM.

        * confexts are loaded by systemd-stub from the ESP as well.

        * kernel-install gained support for --root= for the 'list' verb.

        * bootctl now provides a basic Varlink interface and can be run as a
          daemon via a template unit.

        * systemd-measure gained new options --certificate=, --private-key=,
          and --private-key-source= to allow using OpenSSL's "engines" or
          "providers" as the signing mechanism to use when creating signed
          TPM2 PCR measurement values.

        * ukify gained support for signing of PCR signatures via OpenSSL's
          engines and providers.

        * ukify now supports zboot kernels.

        * systemd-boot now supports passing additional kernel command line
          switches to invoked kernels via an SMBIOS Type #11 string
          "io.systemd.boot.kernel-cmdline-extra". This is similar to the
          pre-existing support for this in systemd-stub, but also applies to
          Type #1 Boot Loader Specification Entries.

        * systemd-boot's automatic SecureBoot enrollment support gained support
          for enrolling "dbx" too (Previously, only db/KEK/PK enrollment was
          supported). It also now supports UEFI "Custom" and "Audit" modes.

        * The pcrlock policy is saved in an unencrypted credential file
          "pcrlock.<entry-token>.cred" under XBOOTLDR/ESP in the
          /loader/credentials/ directory. It will be picked up at boot by
          systemd-stub and passed to the initrd, where it can be used to unlock
          the root file system.

        * systemd-pcrlock gained an --entry-token= option to configure the
          entry-token.

        * systemd-pcrlock now provides a basic Varlink interface and can be run
          as a daemon via a template unit.

        * systemd-pcrlock's TPM nvindex access policy has been modified, this
          means that previous pcrlock policies stored in nvindexes are
          invalidated. They must be removed (systemd-pcrlock remove-policy) and
          recreated (systemd-pcrlock make-policy). For the time being
          systemd-pcrlock remains an experimental feature, but it is expected
          to become stable in the next release, i.e. v257.

        * systemd-pcrlock's --recovery-pin= switch now takes three values:
          "hide", "show", "query". If "show" is selected the automatically
          generated recovery PIN is shown to the user. If "query" is selected
          then the PIN is queried from the user.

        * sd-stub gained support for the new ".ucode" PE section in UKIs, that
          may contain CPU microcode data. When control is handed over to the
          Linux kernel this data is prepended to the set of initrds passed.

        systemd-run/run0:

        * systemd-run is now a multi-call binary. When invoked as 'run0', it
          provides as interface similar to 'sudo', with all arguments starting
          at the first non-option parameter being treated the command to invoke
          as root. Unlike 'sudo' and similar tools, it does not make use of
          setuid binaries or other privilege escalation methods, but instead
          runs the specified command as a transient unit, which is started by
          the system service manager, so privileges are dropped, rather than
          gained, thus implementing a much more robust and safe security
          model. As usual, authorization is managed via Polkit.

        * systemd-run/run0 will now tint the terminal background on supported
          terminals: in a reddish tone when invoking a root service, in a
          yellowish tone otherwise. This may be controlled and turned off via
          the new --background= switch or the new $SYSTEMD_TINT_BACKGROUND
          environment variable.

        * systemd-run gained a new option '--ignore-failure' to suppress
          command failures.

        Command-line tools:

        * 'systemctl edit --stdin' allows creation of unit files and drop-ins
          with contents supplied via standard input. This is useful when creating
          configuration programmatically; the tool takes care of figuring out
          the file name, creating any directories, and reloading the manager
          afterwards.

        * 'systemctl disable --now' and 'systemctl mask --now' now work
          correctly with template units.

        * 'systemd-analyze architectures' lists known CPU architectures.

        * 'systemd-analyze --json=…' is supported for 'architectures',
          'capability', 'exit-status'.

        * 'systemd-tmpfiles --purge' will purge (remove) all files and
          directories created via tmpfiles.d configuration.

        * systemd-id128 gained new options --no-pager, --no-legend, and
          -j/--json=.

        * hostnamectl gained '-j' as shortcut for '--json=pretty' or
          '--json=short'.

        * loginctl now supports -j/--json=.

        * resolvectl now supports -j/--json= for --type=.

        * systemd-tmpfiles gained a new option --dry-run to print what would be
          done without actually taking action.

        * varlinkctl gained a new --collect switch to collect all responses of
          a method call that supports multiple replies and turns it into a
          single JSON array.

        * systemd-dissect gained a new --make-archive option to generate an
          archive file (tar.gz and similar) from a disk image.

        systemd-vmspawn:

        * systemd-vmspawn gained a new --firmware= option to configure or list
          firmware definitions for Qemu, a new --tpm= option to enable or
          disable the use of a software TPM, a new --linux= option to specify a
          kernel binary for direct kernel boot, a new --initrd= option to
          specify an initrd for direct kernel boot, a new -D/--directory option
          to use a plain directory as the root file system, a new
          --private-users option similar to the one in systemd-nspawn, new
          options --bind= and --bind-ro= to bind part of the host's file system
          hierarchy into the guest, a new --extra-drive= option to attach
          additional storage, and -n/--network-tap/--network-user-mode to
          configure networking.

        * A new systemd-vmspawn@.service can be used to launch systemd-vmspawn
          as a service.

        * systemd-vmspawn gained the new --console= and --background= switches
          that control how to interact with the VM. As before, by default an
          interactive terminal interface is provided, but now with a background
          tinted with a greenish hue.

        * systemd-vmspawn can now register its VMs with systemd-machined,
          controlled via the --register= switch.

        * machinectl's start command (and related) can now invoke images either
          as containers via systemd-nspawn (specified as '--runner=nspawn', the
          default) or as VMs via systemd-vmspawn (specified as
          '--runner=vmspawn' or '-V').

        * systemd-vmspawn now supports two switches --pass-ssh-key= and
          --ssh-key-type= to optionally set up transient SSH keys to pass to the
          invoked VMs in order to be able to SSH into them once booted.

        * systemd-vmspawn will now enable various "HyperV enlightenments" and
          the "VM Generation ID" on the VMs.

        * A new environment variable $SYSTEMD_VMSPAWN_QEMU_EXTRA may carry
          additional qemu command line options to pass to qemu.

        * systemd-machined gained a new GetMachineSSHInfo() D-Bus method that is
          used by systemd-vmspawn to fetch the information needed to ssh into the
          machine.

        * systemd-machined gained a new Varlink interface that is used by
          systemd-vmspawn to register machines with additional information and
          metadata.

        systemd-repart:

        * systemd-repart gained new options --generate-fstab= and
          --generate-crypttab= to write out fstab and crypttab files matching the
          generated partitions.

        * systemd-repart gained a new option --private-key-source= to allow
          using OpenSSL's "engines" or "providers" as the signing mechanism to
          use when creating verity signature partitions.

        * systemd-repart gained a new DefaultSubvolume= setting in repart.d/
          drop-ins that allow configuring the default btrfs subvolume for newly
          formatted btrfs file systems.

        Libraries:

        * libsystemd gained new call sd_bus_creds_new_from_pidfd() to get a
          credentials object for a pidfd and sd_bus_creds_get_pidfd_dup() to
          retrieve the pidfd from a credentials object.

        * sd-bus' credentials logic will now also acquire peer's UNIX group
          lists and peer's pidfd if supported and requested.

        * RPM macro %_kernel_install_dir has been added with the path
          to the directory for kernel-install plugins.

        * The liblz4, libzstd, liblzma, libkmod, libgcrypt dependencies have
          been changed from regular shared library dependencies into dlopen()
          based ones.

          Note that this means that those libraries might not be automatically
          pulled in when ELF dependencies are resolved. In particular lack of
          libkmod might cause problems with boot. This affects dracut <= 101,
          see https://github.com/dracut-ng/dracut-ng/commit/04b362d713235459cf.

        * systemd ELF binaries that use libraries via dlopen() are now built with
          a new ELF header note section, following a new specification defined at
          docs/ELF_DLOPEN_METADATA.md, that provides information about which
          sonames are loaded and used if found at runtime. This allows tools and
          packagers to programmatically discover the list of optional
          dependencies used by all systemd ELF binaries. A parser with packaging
          integration tools is available at
          https://github.com/systemd/package-notes

        * The sd-journal API gained a new call
          sd_journal_stream_fd_with_namespace() which is just like
          sd_journal_stream_fd() but creates a log stream targeted at a
          specific log namespace.

        * The sd-id128 API gained a new API call
          sd_id128_get_invocation_app_specific() for acquiring an app-specific
          ID that is derived from the service invocation ID.

        * The sd-event API gained a new API call
          sd_event_source_get_inotify_path() that returns the file system path
          an inotify event source was created for.

        systemd-cryptsetup/systemd-cryptenroll:

        * The device node argument to systemd-cryptenroll is now optional. If
          omitted it will be derived automatically from the backing block
          device of /var/ (which quite likely is the same as the root file
          system, hence effectively means if you don't specify things otherwise
          the tool will now default to enrolling a key into the root file
          system's LUKS device).

        * systemd-cryptenroll can now enroll directly with a PKCS11 public key
          (instead of a certificate).

        * systemd-cryptsetup/systemd-cryptenroll now may lock a disk against a
          PKCS#11 provided EC key (before it only supported RSA).

        * systemd-cryptsetup gained support for crypttab option
          link-volume-key= to link the volume key into the kernel keyring when
          the volume is opened.

        * systemd-cryptenroll will no longer enable Dictionary Attack
          Protection (i.e. turn on NO_DA) for TPM enrollments that do not
          involve a PIN. DA should not be necessary in that case (since key
          entropy is high enough to make this unnecessary), but risks
          accidental lock-out in case of unexpected PCR changes.

        * systemd-cryptenroll now supports enrolling a new slot while unlocking
          the old slot via TPM2 (previously unlocking only worked via password
          or FIDO2).

        Documentation:

        * The remaining documentation that was on
          https://freedesktop.org/wiki/Software/systemd/ has been moved to
          https://systemd.io/.

        * A new text describing the VM integration interfaces of systemd has
          been added:

          https://systemd.io/VM_INTERFACE

        * The sd_notify() man page has gained examples with C and Python code
          that shows how to implement the interface in those languages without
          involving libsystemd.

        systemd-homed, systemd-logind, systemd-userdbd:

        * systemd-homed now supports unlocking of home directories when logging
          in via SSH. Previously home directories needed to be unlocked before
          an SSH login is attempted.

        * JSON User Records have been extended with a separate public storage
          area called "User Record Blob Directories". This is intended to store
          the user's background image, avatar picture, and other similar items
          which are too large to fit into the User Record itself.

          systemd-homed, userdbctl, and homectl gained support for blob
          directories. homectl gained --avatar= and --login-background= to
          control two specific items of the blob directories.

        * A new "additionalLanguages" field has been added to JSON user records
          (as supported by systemd-homed and systemd-userdbd), which is closely
          related to the pre-existing "preferredLanguage", and allows
          specifying multiple additional languages for the user account. It is
          used to initialize the $LANGUAGES environment variable when used.

        * A new pair of "preferredSessionType" and "preferredSessionLauncher"
          fields have been added to JSON user records, that may be used to
          control which kind of desktop session to preferable activate on
          logins of the user.

        * homectl gained a new verb 'firstboot', and a new
          systemd-homed-firstboot.service unit uses this verb to create users
          in a first boot environment, either from system credentials or by
          querying interactively.

        * systemd-logind now supports a new "background-light" session class
          which does not pull in the user@.service unit. This is intended in
          particular for lighter weight per-user cron jobs which do require any
          per-user service manager to be around.

        * The per-user service manager will now be tracked as a distinct "manager"
          session type among logind sessions of each user.

        * homectl now supports an --offline mode, by which certain account
          properties can be changed without unlocking the home directory.

        * systemd-logind gained a new
          org.freedesktop.login1.Manager.ListSessionsEx() method that provides
          additional metadata compared to ListSessions(). loginctl makes use of
          this to list additional fields in list-sessions.

        * systemd-logind gained a new org.freedesktop.login1.Manager.Sleep()
          method that automatically redirects to SuspendThenHibernate(),
          Suspend(), HybridSleep(), or Hibernate(), depending on what is
          supported and configured, a new configuration setting SleepOperation=,
          and an accompanying helper method
          org.freedesktop.login1.Manager.CanSleep() and property
          org.freedesktop.login1.Manager.SleepOperation.

          'systemctl sleep' calls the new method to automatically put the
          machine to sleep in the most appropriate way.

        Credential Management:

        * systemd-creds now provides a Varlink IPC API for encrypting and
          decrypting credentials.

        * systemd-creds' "tpm2-absent" key selection has been renamed to
          "null", since that's what it actually does: "encrypt" and "sign"
          with a fixed null key. --with-key=null should only be used in very
          specific cases, as it provides zero integrity or confidentiality
          protections. (i.e. it's only safe to use as fallback in environments
          lacking both a TPM and access to the root fs to use the host
          encryption key, or when integrity is provided some other way.)

        * systemd-creds gained a new switch --allow-null. If specified, the
          "decrypt" verb will decode encrypted credentials that use the "null"
          key (by default this is refused, since using the "null" key defeats
          the authenticated encryption normally done).

        Suspend & Hibernate:

        * The sleep.conf configuration file gained a new MemorySleepMode=
          setting for configuring the sleep mode in more detail.

        * A tiny new service systemd-hibernate-clear.service has been added
          which clears hibernation information from the HibernateLocation EFI
          variable, in case the resume device is gone. Normally, this variable
          is supposed to be cleaned up by the code that initiates the resume
          from hibernation image. But when the device is missing and that code
          doesn't run, this service will now do the necessary work, ensuring
          that no outdated hibernation image information remains on subsequent
          boots.

        Unprivileged User Namespaces & Mounts:

        * A small new service systemd-nsresourced.service has been added. It
          provides a Varlink IPC API that assigns a free, transiently allocated
          64K UID/GID range to an uninitialized user namespace a client
          provides. It may be used to implement unprivileged container managers
          and other programs that need dynamic user ID ranges. It also provides
          interfaces to then delegate mount file descriptors, control groups
          and network interfaces to user namespaces set up this way.

        * A small new service systemd-mountfsd.service has been added. It
          provides a Varlink IPC API for mounting DDI images, and returning a set
          of mount file descriptors for it. If a user namespace fd is provided
          as input, then the mounts are registered with the user namespace. To
          ensure trust in the image it must provide Verity information (or
          alternatively interactive polkit authentication is required).

        * The systemd-dissect tool now can access DDIs fully unprivileged by
          using systemd-nsresourced/systemd-mountfsd.

        * If the service manager runs unprivileged (i.e. systemd --user) it now
          supports RootImage= for accessing DDI images, also implemented via
          the systemd-nsresourced/systemd-mountfsd.

        * systemd-nspawn may now operate without privileges, if a suitable DDI
          is provided via --image=, again implemented via
          systemd-nsresourced/systemd-mountfsd.

        Other:

        * timedatectl and machinectl gained option '-P', an alias for
          '--value --property=…'.

        * Various tools that pretty-print config files will now highlight
          configuration directives.

        * varlinkctl gained support for the "ssh:" transport. This requires
          OpenSSH 9.4 or newer.

        * systemd-sysext gained support for enabling system extensions in
          mutable fashion, where a writeable upperdir is stored under
          /var/lib/extensions.mutable/, and a new --mutable= option to
          configure this behaviour. An "ephemeral" mode is not also supported
          where the mutable layer is configured to be a tmpfs that is
          automatically released when the system extensions are reattached.

        * Coredumps are now retained for two weeks by default (instead of three
          days, as before).

        * portablectl --copy= parameter gained a new 'mixed' argument, that will
          result in resources owned by the OS (e.g.: portable profiles) to be linked
          but resources owned by the portable image (e.g.: the unit files and the
          images themselves) to be copied.

        * systemd will now register MIME types for various of its file types
          (e.g. journal files, DDIs, encrypted credentials …) via the XDG
          shared-mime-info infrastructure. (Files of these types will thus be
          recognized as their own thing in desktop file managers such as GNOME
          Files.)

        * systemd-dissect will now show the detected sector size of a given DDI
          in its default output.

        * systemd-portabled now generates recognizable structured log messages
          whenever a portable service is attached or detached.

        * Verity signature checking in userspace (i.e. checking against
          /etc/verity.d/ keys) when activating DDIs can now be turned on/off
          via a kernel command line option systemd.allow_userspace_verity= and
          an environment variable SYSTEMD_ALLOW_USERSPACE_VERITY=.

        * ext4/xfs file system quota handling has been reworked, so that
          quotacheck and quotaon are now invoked as per-file-system templated
          services (as opposed to single system-wide singletons), similar in
          style to the fsck, growfs, pcrfs logic. This means file systems with
          quota enabled can now be reasonably enabled at runtime of the system,
          not just at boot.

        * "systemd-analyze dot" will now also show BindsTo= dependencies.

        * systemd-debug-generator gained the ability add in arbitrary units
          based on them being passed in via system credentials.

        * A new kernel command-line option systemd.default_debug_tty= can be
          used to specify the TTY for the debug shell, independently of
          enabling or disabling it.

        * portablectl gained a new --clean switch that clears a portable
          service's data (cache, logs, state, runtime, fdstore) when detaching
          it.

        Contributions from: A S Alam, AKHIL KUMAR,
        Abraham Samuel Adekunle, Adrian Vovk, Adrian Wannenmacher,
        Alan Liang, Alberto Planas, Alexander Zavyalov, Anders Jonsson,
        Andika Triwidada, Andres Beltran, Andrew Sayers,
        Antonio Alvarez Feijoo, Arian van Putten, Arthur Zamarin,
        Artur Pak, AtariDreams, Benjamin Franzke, Bernhard M. Wiedemann,
        Black-Hole1, Bryan Jacobs, Burak Gerz, Carlos Garnacho,
        Chandra Pratap, Chris Hofstaedtler, Chris Packham, Chris Simons,
        Christian Göttsche, Christian Wesselhoeft, Clayton Craft,
        Colin Geniet, Colin Walters, Colin Watson, Costa Tsaousis,
        Cristian Rodríguez, Daan De Meyer, Damien Challet, Dan Streetman,
        Daniel Winzen, Daniele Medri, David Seifert, David Tardon,
        David Venhoek, Diego Viola, Dionna Amalie Glaze,
        Dmitry Konishchev, Dmitry V. Levin, Edson Juliano Drosdeck,
        Eisuke Kawashima, Eli Schwartz, Emanuele Giuseppe Esposito,
        Eric Daigle, Evgeny Vereshchagin, Felix Riemann,
        Fernando Fernandez Mancera, Florian Fainelli, Florian Schmaus,
        Franck Bui, Frantisek Sumsal, Friedrich Altheide,
        Gabríel Arthúr Pétursson, Gaël Donval, Georges Basile Stavracas Neto,
        Gerd Hoffmann, GNOME Foundation, Guido Leenders,
        Guilhem Lettron, Göran Uddeborg, Hans de Goede, Harald Brinkmann,
        Heinrich Schuchardt, Helmut Grohne, Henry Li, Heran Yang,
        Holger Assmann, Ivan Kruglov, Ivan Shapovalov, Jakub Sitnicki,
        James Muir, Jan Engelhardt, Jan Macku, Jarne Förster, Jeff King,
        Jian-Hong Pan, JmbFountain, Joakim Nohlgård, Jonathan Conder,
        Julius Alexandre, Jörg Behrmann, Kai Lueke, Kamil Szczęk,
        KayJay7, Keian, Kirk, Kristian Klausen, Krzesimir Nowak,
        Lain "Fearyncess" Yang, Lars Ellenberg, Lennart Poettering,
        Leonard, Luca Boccassi, Lucas Salles, Ludwig Nussel,
        Lukáš Nykrýn, Luna Jernberg, Luxiter, Maanya Goenka,
        Maciej S. Szmigiero, Mariano Giménez, Markus Merklinger,
        Martin Ivicic, Martin Srebotnjak, Martin Trigaux, Martin Wilck,
        Mathias Lang, Matt Layher, Matt Muggeridge, Matteo Croce,
        Matthias Lisin, Max Gautier, Max Staudt, MaxHearnden,
        Michael Biebl, Michal Koutný, Michal Sekletár, Michał Kopeć,
        Mike Gilbert, Mike Yuan, Mikko Ylinen, MkfsSion, Moritz Sanft,
        MrSmör, Nandakumar Raghavan, Nicholas Little, Nick Cao,
        Nick Rosbrook, Nicolas Bouchinet, Norbert Lange,
        Ole Peder Brandtzæg, Ondrej Kozina, Oğuz Ersen,
        Pablo Méndez Hernández, Pierre GRASSER, Piotr Drąg, QuonXF,
        Radoslav Kolev, Rafaël Kooi, Raito Bezarius, Rasmus Villemoes,
        Reid Wahl, Renjaya Raga Zenta, Richard Maw, Roland Hieber,
        Ronan Pigott, Rose, Ross Burton, Saliba-san, Sam Leonard,
        Samuel BF, Sarvajith Adyanthaya, Scrambled 777,
        Sebastian Pucilowski, Sergei Zhmylev, Sergey A, Shulhan,
        SidhuRupinder, Simon Fowler, Skia, Sludge, Stuart Hayhurst,
        Susant Sahani, Takashi Sakamoto, Temuri Doghonadze, Thayne McCombs,
        Thilo Fromm, Thomas Blume, Tiago Rocha Cunha, Timo Rothenpieler,
        TobiPeterG, Tobias Fleig, Tomáš Pecka, Topi Miettinen,
        Tycho Andersen, Unique-Usman, Usman Akinyemi, Vasiliy Kovalev,
        Vasiliy Stelmachenok, Victor Berchet, Vishal Chillara Srinivas,
        Vitaly Kuznetsov, Vito Caputo, Vladimir Stoiakin, Werner Sembach,
        Will Springer, Winterhuman, Xiaotian Wu, Yu Watanabe,
        Yuri Chornoivan, Zbigniew Jędrzejewski-Szmek, Zmyeir, anphir,
        aslepykh, chenjiayi, cpackham-atlnz, cunshunxia, djantti, drewbug,
        hanjinpeng, hfavisado, hulkoba, hydrargyrum, ksaleem, mburucuyapy,
        medusalix, mille-feuille, mkubiak, mooo, msizanoen, networkException,
        nl6720, r-vdp, runiq, sam-leonard-ct, samuelvw01, sharad3001, spdfnet,
        sushmbha, wangyuhang, zeroskyx, zzywysm, İ. Ensar Gülşen,
        Łukasz Stelmach, Štěpán Němec, 我超厉害, 김인수

        — Edinburgh, 2024-06-11

CHANGES WITH 255:

        Announcements of Future Feature Removals and Incompatible Changes:

        * Support for split-usr (/usr/ mounted separately during late boot,
          instead of being mounted by the initrd before switching to the rootfs)
          and unmerged-usr (parallel directories /bin/ and /usr/bin/, /lib/ and
          /usr/lib/, …) has been removed. For more details, see:
          https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

        * We intend to remove cgroup v1 support from a systemd release after
          the end of 2023. If you run services that make explicit use of
          cgroup v1 features (i.e. the "legacy hierarchy" with separate
          hierarchies for each controller), please implement compatibility with
          cgroup v2 (i.e. the "unified hierarchy") sooner rather than later.
          Most of Linux userspace has been ported over already.

        * Support for System V service scripts is now deprecated and will be
          removed in a future release. Please make sure to update your software
          *now* to include a native systemd unit file instead of a legacy
          System V script to retain compatibility with future systemd releases.

        * Support for the SystemdOptions EFI variable is deprecated.
          'bootctl systemd-efi-options' will emit a warning when used. It seems
          that this feature is little-used and it is better to use alternative
          approaches like credentials and confexts. The plan is to drop support
          altogether at a later point, but this might be revisited based on
          user feedback.

        * systemd-run's switch --expand-environment= which currently is disabled
          by default when combined with --scope, will be changed in a future
          release to be enabled by default.

        * "systemctl switch-root" is now restricted to initrd transitions only.

          Transitions between real systems should be done with
          "systemctl soft-reboot" instead.

        * The "ip=off" and "ip=none" kernel command line options interpreted by
          systemd-network-generator will now result in IPv6RA + link-local
          addressing being disabled, too. Previously DHCP was turned off, but
          IPv6RA and IPv6 link-local addressing was left enabled.

        * The NAMING_BRIDGE_MULTIFUNCTION_SLOT naming scheme has been deprecated
          and is now disabled.

        * SuspendMode=, HibernateState= and HybridSleepState= in the [Sleep]
          section of systemd-sleep.conf are now deprecated and have no effect.
          They did not (and could not) take any value other than the respective
          default. HybridSleepMode= is also deprecated, and will now always use
          the 'suspend' disk mode.

        Service Manager:

        * The way services are spawned has been overhauled. Previously, a
          process was forked that shared all of the manager's memory (via
          copy-on-write) while doing all the required setup (e.g.: mount
          namespaces, CGroup configuration, etc.) before exec'ing the target
          executable. This was problematic for various reasons: several glibc
          APIs were called that are not supposed to be used after a fork but
          before an exec, copy-on-write meant that if either process (the
          manager or the child) touched a memory page a copy was triggered, and
          also the memory footprint of the child process was that of the
          manager, but with the memory limits of the service. From this version
          onward, the new process is spawned using CLONE_VM and CLONE_VFORK
          semantics via posix_spawn(3), and it immediately execs a new internal
          binary, systemd-executor, that receives the configuration to apply
          via memfd, and sets up the process before exec'ing the target
          executable. The systemd-executor binary is pinned by file descriptor
          by each manager instance (system and users), and the reference is
          updated on daemon-reexec - it is thus important to reexec all running
          manager instances when the systemd-executor and/or libsystemd*
          libraries are updated on the filesystem.

        * Most of the internal process tracking is being changed to use PIDFDs
          instead of PIDs when the kernel supports it, to improve robustness
          and reliability.

        * A new option SurviveFinalKillSignal= can be used to configure the
          unit to be skipped in the final SIGTERM/SIGKILL spree on shutdown.
          This is part of the required configuration to let a unit's processes
          survive a soft-reboot operation.

        * System extension images (sysext) can now set
          EXTENSION_RELOAD_MANAGER=1 in their extension-release files to
          automatically reload the service manager (PID 1) when
          merging/refreshing/unmerging on boot. Generally, while this can be
          used to ship services in system extension images it's recommended to
          do that via portable services instead.

        * The ExtensionImages= and ExtensionDirectories= options now support
          confexts images/directories.

        * A new option CoredumpReceive= can be set for service and scope units,
          together with Delegate=yes, to make systemd-coredump on the host
          forward core files from processes crashing inside the delegated
          CGroup subtree to systemd-coredump running in the container. This new
          option is by default used by systemd-nspawn containers that use the
          "--boot" switch.

        * A new ConditionSecurity=measured-uki option is now available, to ensure
          a unit can only run when the system has been booted from a measured UKI.

        * MemoryAvailable= now considers physical memory if there are no CGroup
          memory limits set anywhere in the tree.

        * The $USER environment variable is now always set for services, while
          previously it was only set if User= was specified. A new option
          SetLoginEnvironment= is now supported to determine whether to also set
          $HOME, $LOGNAME, and $SHELL.

        * Socket units now support a new pair of
          PollLimitBurst=/PollLimitInterval= options to configure a limit on
          how often polling events on the file descriptors backing this unit
          will be considered within a time window.

        * Scope units can now be created using PIDFDs instead of PIDs to select
          the processes they should include.

        * Sending SIGRTMIN+18 with 0x500 as sigqueue() value will now cause the
          manager to dump the list of currently pending jobs.

        * If the kernel supports MOVE_MOUNT_BENEATH, the systemctl and
          machinectl bind and mount-image verbs will now cause the new mount to
          replace the old mount (if any), instead of overmounting it.

        * Units now have MemoryPeak, MemorySwapPeak, MemorySwapCurrent and
          MemoryZSwapCurrent properties, which respectively contain the values
          of the cgroup v2's memory.peak, memory.swap.peak, memory.swap.current
          and memory.zswap.current properties. This information is also shown in
          "systemctl status" output, if available.

        TPM2 Support + Disk Encryption & Authentication:

        * systemd-cryptenroll now allows specifying a PCR bank and explicit hash
          value in the --tpm2-pcrs= option.

        * systemd-cryptenroll now allows specifying a TPM2 key handle (nv
          index) to be used instead of the default SRK via the new
          --tpm2-seal-key-handle= option.

        * systemd-cryptenroll now allows TPM2 enrollment using only a TPM2
          public key (in TPM2B_PUBLIC format) – without access to the TPM2
          device itself – which enables offline sealing of LUKS images for a
          specific TPM2 chip, as long as the SRK public key is known. Pass the
          public to the tool via the new --tpm2-device-key= switch.

        * systemd-cryptsetup is now installed in /usr/bin/ and is no longer an
          internal-only executable.

        * The TPM2 Storage Root Key will now be set up, if not already present,
          by a new systemd-tpm2-setup.service early boot service. The SRK will
          be stored in PEM format and TPM2_PUBLIC format (the latter is useful
          for systemd-cryptenroll --tpm2-device-key=, as mentioned above) for
          easier access. A new "srk" verb has been added to systemd-analyze to
          allow extracting it on demand if it is already set up.

        * The internal systemd-pcrphase executable has been renamed to
          systemd-pcrextend.

        * The systemd-pcrextend tool gained a new --pcr= switch to override
          which PCR to measure into.

        * systemd-pcrextend now exposes a Varlink interface at
          io.systemd.PCRExtend that can be used to do measurements and event
          logging on demand.

        * TPM measurements are now also written to an event log at
          /run/log/systemd/tpm2-measure.log, using a derivative of the TCG
          Canonical Event Log format. Previously we'd only log them to the
          journal, where they however were subject to rotation and similar.

        * A new component "systemd-pcrlock" has been added that allows managing
          local TPM2 PCR policies for PCRs 0-7 and similar, which are hard to
          predict by the OS vendor because of the inherently local nature of
          what measurements they contain, such as firmware versions of the
          system and extension cards and suchlike. pcrlock can predict PCR
          measurements ahead of time based on various inputs, such as the local
          TPM2 event log, GPT partition tables, PE binaries, UKI kernels, and
          various other things. It can then pre-calculate a TPM2 policy from
          this, which it stores in an TPM2 NV index. TPM2 objects (such as disk
          encryption keys) can be locked against this NV index, so that they
          are locked against a specific combination of system firmware and
          state. Alternatives for each component are supported to allowlist
          multiple kernel versions or boot loader version simultaneously
          without losing access to the disk encryption keys. The tool can also
          be used to analyze and validate the local TPM2 event log.
          systemd-cryptsetup, systemd-cryptenroll, systemd-repart have all been
          updated to support such policies. There's currently no support for
          locking the system's root disk against a pcrlock policy, this will be
          added soon. Moreover, it is currently not possible to combine a
          pcrlock policy with a signed PCR policy. This component is
          experimental and its public interface is subject to change.

        systemd-boot, systemd-stub, ukify, bootctl, kernel-install:

        * bootctl will now show whether the system was booted from a UKI in its
          status output.

        * systemd-boot and systemd-stub now use different project keys in their
          respective SBAT sections, so that they can be revoked individually if
          needed.

        * systemd-boot will no longer load unverified DeviceTree blobs when UEFI
          SecureBoot is enabled. For more details see:
          https://github.com/systemd/systemd/security/advisories/GHSA-6m6p-rjcq-334c

        * systemd-boot gained new hotkeys to reboot and power off the system
          from the boot menu ("B" and "O"). If the "auto-poweroff" and
          "auto-reboot" options in loader.conf are set these entries are also
          shown as menu items (which is useful on devices lacking a regular
          keyboard).

        * systemd-boot gained a new configuration value "menu-disabled" for the
          set-timeout option, to allow completely disabling the boot menu,
          including the hotkey.

        * systemd-boot will now measure the content of loader.conf in TPM2
          PCR 5.

        * systemd-stub will now concatenate the content of all kernel
          command-line addons before measuring them in TPM2 PCR 12, in a single
          measurement, instead of measuring them individually.

        * systemd-stub will now measure and load DeviceTree Blob addons, which
          are searched and loaded following the same model as the existing
          kernel command-line addons.

        * systemd-stub will now ignore unauthenticated kernel command line options
          passed from systemd-boot when running inside Confidential VMs with UEFI
          SecureBoot enabled.

        * systemd-stub will now load a DeviceTree blob even if the firmware did
          not load any beforehand (e.g.: for ACPI systems).

        * ukify is no longer considered experimental, and now ships in /usr/bin/.

        * ukify gained a new verb inspect to describe the sections of a UKI and
          print the contents of the well-known sections.

        * ukify gained a new verb genkey to generate a set of key pairs for
          signing UKIs and their PCR data.

        * The 90-loaderentry kernel-install hook now supports installing device
          trees.

        * kernel-install now supports the --json=, --root=, --image=, and
          --image-policy= options for the inspect verb.

        * kernel-install now supports new list and add-all verbs. The former
          lists all installed kernel images (if those are available in
          /usr/lib/modules/). The latter will install all the kernels it can
          find to the ESP.

        systemd-repart:

        * A new option --copy-from= has been added that synthesizes partition
          definitions from the given image, which are then applied by the
          systemd-repart algorithm.

        * A new option --copy-source= has been added, which can be used to specify
          a directory to which CopyFiles= is considered relative to.

        * New --make-ddi=confext, --make-ddi=sysext, and --make-ddi=portable
          options have been added to make it easier to generate these types of
          DDIs, without having to provide repart.d definitions for them.

        * The dm-verity salt and UUID will now be derived from the specified
          seed value.

        * New VerityDataBlockSizeBytes= and VerityHashBlockSizeBytes= can now be
          configured in repart.d/ configuration files.

        * A new Subvolumes= setting is now supported in repart.d/ configuration
          files, to indicate which directories in the target partition should be
          btrfs subvolumes.

        * A new --tpm2-device-key= option can be used to lock a disk against a
          specific TPM2 public key. This matches the same switch the
          systemd-cryptenroll tool now supports (see above).

        Journal:

        * The journalctl --lines= parameter now accepts +N to show the oldest N
          entries instead of the newest.

        * journald now ensures that sealing happens once per epoch, and sets a
          new compatibility flag to distinguish old journal files that were
          created before this change, for backward compatibility.

        Device Management:

        * udev will now create symlinks to loopback block devices in the
          /dev/disk/by-loop-ref/ directory that are based on the .lo_file_name
          string field selected during allocation. The systemd-dissect tool and
          the util-linux losetup command now supports a complementing new switch
          --loop-ref= for selecting the string. This means a loopback block
          device may now be allocated under a caller-chosen reference and can
          subsequently be referenced without first having to look up the block
          device name the caller ended up with.

        * udev also creates symlinks to loopback block devices in the
          /dev/disk/by-loop-inode/ directory based on the .st_dev/st_ino fields
          of the inode attached to the loopback block device. This means that
          attaching a file to a loopback device will implicitly make a handle
          available to be found via that file's inode information.

        * udevadm info gained support for JSON output via a new --json= flag, and
          for filtering output using the same mechanism that udevadm trigger
          already implements.

        * The predictable network interface naming logic is extended to include
          the SR-IOV-R "representor" information in network interface names.
          This feature was intended for v254, but even though the code was
          merged, the part that actually enabled the feature was forgotten.
          It is now enabled by default and is part of the new "v255" naming
          scheme.

        * A new hwdb/rules file has been added that sets the
          ID_NET_AUTO_LINK_LOCAL_ONLY=1 udev property on all network interfaces
          that should usually only be configured with link-local addressing
          (IPv4LL + IPv6LL), i.e. for PC-to-PC cables ("laplink") or
          Thunderbolt networking. systemd-networkd and NetworkManager (soon)
          will make use of this information to apply an appropriate network
          configuration by default.

        * The ID_NET_DRIVER property on network interfaces is now set
          relatively early in the udev rule set so that other rules may rely on
          its use. This is implemented in a new "net-driver" udev built-in.

        Network Management:

        * The "duid-only" option for DHCPv4 client's ClientIdentifier= setting
          is now dropped, as it never worked, hence it should not be used by
          anyone.

        * The 'prefixstable' ipv6 address generation mode now considers the SSID
          when generating stable addresses, so that a different stable address
          is used when roaming between wireless networks. If you already use
          'prefixstable' addresses with wireless networks, the stable address
          will be changed by the update.

        * The DHCPv4 client gained a RapidCommit option, true by default, which
          enables RFC4039 Rapid Commit behavior to obtain a lease in a
          simplified 2-message exchange instead of the typical 4-message
          exchange, if also supported by the DHCP server.

        * The DHCPv4 client gained new InitialCongestionWindow= and
          InitialAdvertisedReceiveWindow= options for route configurations.

        * The DHCPv4 client gained a new RequestAddress= option that allows
          to send a preferred IP address in the initial DHCPDISCOVER message.

        * The DHCPv4 server and client gained support for IPv6-only mode
          (RFC8925).

        * The SendHostname= and Hostname= options are now available for the
          DHCPv6 client, independently of the DHCPv4= option, so that these
          configuration values can be set independently for each client.

        * The DHCPv4 and DHCPv6 client state can now be queried via D-Bus,
          including lease information.

        * The DHCPv6 client can now be configured to use a custom DUID type.

        * .network files gained a new IPv4ReversePathFilter= setting in the
          [Network] section, to control sysctl's rp_filter setting.

        * .network files gaiend a new HopLimit= setting in the [Route] section,
          to configure a per-route hop limit.

        * .network files gained a new TCPRetransmissionTimeoutSec= setting in
          the [Route] section, to configure a per-route TCP retransmission
          timeout.

        * A new directive NFTSet= provides a method for integrating network
          configuration into firewall rules with NFT sets. The benefit of using
          this setting is that static network configuration or dynamically
          obtained network addresses can be used in firewall rules with the
          indirection of NFT set types.

        * The [IPv6AcceptRA] section supports the following new options:
          UsePREF64=, UseHopLimit=, UseICMP6RateLimit=, and NFTSet=.

        * The [IPv6SendRA] section supports the following new options:
          RetransmitSec=, HopLimit=, HomeAgent=, HomeAgentLifetimeSec=, and
          HomeAgentPreference=.

        * A new [IPv6PREF64Prefix] set of options, containing Prefix= and
          LifetimeSec=, has been introduced to append pref64 options in router
          advertisements (RFC8781).

        * The network generator now configures the interfaces with only
          link-local addressing if "ip=link-local" is specified on the kernel
          command line.

        * The prefix of the configuration files generated by the network
          generator from the kernel command line is now prefixed with '70-',
          to make them have higher precedence over the default configuration
          files.

        * Added a new -Ddefault-network=BOOL meson option, that causes more
          .network files to be installed as enabled by default. These configuration
          files will which match generic setups, e.g. 89-ethernet.network matches
          all Ethernet interfaces and enables both DHCPv4 and DHCPv6 clients.

        * If a ID_NET_MANAGED_BY= udev property is set on a network device and
          it is any other string than "io.systemd.Network" then networkd will
          not manage this device. This may be used to allow multiple network
          management services to run in parallel and assign ownership of
          specific devices explicitly. NetworkManager will soon implement a
          similar logic.

        * .network files gained a new MulticastIGMPVersion= setting in the
          [Network] section, to control sysctl's
          /proc/sys/net/ipv4/conf/INTERFACE/force_igmp_version setting.

        systemctl:

        * systemctl is-failed now checks the system state if no unit is
          specified.

        * systemctl will now automatically soft-reboot if a new root file system
          is found under /run/nextroot/ when a reboot operation is invoked.

        Login management:

        * Wall messages now work even when utmp support is disabled, using
          systemd-logind to query the necessary information.

        * systemd-logind now sends a new PrepareForShutdownWithMetadata D-Bus
          signal before shutdown/reboot/soft-reboot that includes additional
          information compared to the PrepareForShutdown signal. Currently the
          additional information is the type of operation that is about to be
          executed.

        Hibernation & Suspend:

        * The kernel and OS versions will no longer be checked on resume from
          hibernation.

        * Hibernation into swap files backed by btrfs is now supported.
          (Previously this was supported only for other file systems.)

        Other:

        * A new systemd-vmspawn tool has been added, that aims to provide for VMs
          the same interfaces and functionality that systemd-nspawn provides for
          containers. For now it supports QEMU as a backend, and exposes some of
          its options to the user. This component is experimental and its public
          interface is subject to change.

        * "systemd-analyze plot" has gained tooltips on each unit name with
          related-unit information in its svg output, such as Before=,
          Requires=, and similar properties.

        * A new varlinkctl tool has been added to allow interfacing with
          Varlink services, and introspection has been added to all such
          services. This component is experimental and its public interface is
          subject to change.

        * systemd-sysext and systemd-confext now expose a Varlink service
          at io.systemd.sysext.

        * portable services now accept confexts as extensions.

        * systemd-sysupdate now accepts directories in the MatchPattern= option.

        * systemd-run will now output the invocation ID of the launched
          transient unit and its peak memory usage.

        * systemd-analyze, systemd-tmpfiles, systemd-sysusers, systemd-sysctl,
          and systemd-binfmt gained a new --tldr option that can be used instead
          of --cat-config to suppress uninteresting configuration lines, such as
          comments and whitespace.

        * resolvectl gained a new "show-server-state" command that shows
          current statistics of the resolver. This is backed by a new
          DumpStatistics() Varlink method provided by systemd-resolved.

        * systemd-timesyncd will now emit a D-Bus signal when the LinkNTPServers
          property changes.

        * vconsole now supports KEYMAP=@kernel for preserving the kernel keymap
          as-is.

        * seccomp now supports the LoongArch64 architecture.

        * seccomp may now be enabled for services running as a non-root User=
          without NoNewPrivileges=yes.

        * systemd-id128 now supports a new -P option to show only values. The
          combination of -P and --app options is also supported.

        * A new pam_systemd_loadkey.so PAM module is now available, which will
          automatically fetch the passphrase used by cryptsetup to unlock the
          root file system and set it as the PAM authtok. This enables, among
          other things, configuring auto-unlock of the GNOME Keyring / KDE
          Wallet when autologin is configured.

        * Many meson options now use the 'feature' type, which means they
          take enabled/disabled/auto as values.

        * A new meson option -Dconfigfiledir= can be used to change where
          configuration files with default values are installed to.

        * Options and verbs in man pages are now tagged with the version they
          were first introduced in.

        * A new component "systemd-storagetm" has been added, which exposes all
          local block devices as NVMe-TCP devices, fully automatically. It's
          hooked into a new target unit storage-target-mode.target that is
          suppsoed to be booted into via
          rd.systemd.unit=storage-target-mode.target on the kernel command
          line. This is intended to be used for installers and debugging to
          quickly get access to the local disk. It's inspired by MacOS "target
          disk mode". This component is experimental and its public interface is
          subject to change.

        * A new component "systemd-bsod" has been added, which can show logged
          error messages full screen, if they have a log level of LOG_EMERG log
          level. This component is experimental and its public interface is
          subject to change.

        * The systemd-dissect tool's --with command will now set the
          $SYSTEMD_DISSECT_DEVICE environment variable to the block device it
          operates on for the invoked process.

        * The systemd-mount tool gained a new --tmpfs switch for mounting a new
          'tmpfs' instance. This is useful since it does so via .mount units
          and thus can be executed remotely or in containers.

        * The various tools in systemd that take "verbs" (such as systemctl,
          loginctl, machinectl, …) now will suggest a close verb name in case
          the user specified an unrecognized one.

        * libsystemd now exports a new function sd_id128_get_app_specific()
          that generates "app-specific" 128bit IDs from any ID. It's similar to
          sd_id128_get_machine_app_specific() and
          sd_id128_get_boot_app_specific() but takes the ID to base calculation
          on as input. This new functionality is also exposed in the
          systemd-id128 tool where you can now combine --app= with 'show'.

        * All tools that parse timestamps now can also parse RFC3339 style
          timestamps that include the "T" and Z" characters.

        * New documentation has been added:

          https://systemd.io/FILE_DESCRIPTOR_STORE
          https://systemd.io/TPM2_PCR_MEASUREMENTS
          https://systemd.io/MOUNT_REQUIREMENTS

        * The codebase now recognizes the suffix .confext.raw and .sysext.raw
          as alternative to the .raw suffix generally accepted for DDIs. It is
          recommended to name configuration extensions and system extensions
          with such suffixes, to indicate their purpose in the name.

        * The sd-device API gained a new function
          sd_device_enumerator_add_match_property_required() which allows
          configuring matches on properties that are strictly required. This is
          different from the existing sd_device_enumerator_add_match_property()
          matches of which one needs to apply.

        * The MAC address the veth side of an nspawn container shall get
          assigned may now be controlled via the $SYSTEMD_NSPAWN_NETWORK_MAC
          environment variable.

        * The libiptc dependency is now implemented via dlopen(), so that tools
          such as networkd and nspawn no longer have a hard dependency on the
          shared library when compiled with support for libiptc.

        * New rpm macros have been added: %systemd_user_daemon_reexec does
          daemon-reexec for all user managers, and %systemd_postun_with_reload
          and %systemd_user_postun_with_reload do a reload for system and user
          units on upgrades.

        * coredumpctl now propagates SIGTERM to the debugger process.

        Contributions from: 김인수, Abderrahim Kitouni, Adam Goldman,
        Adam Williamson, Alexandre Peixoto Ferreira, Alex Hudspith,
        Alvin Alvarado, André Paiusco, Antonio Alvarez Feijoo,
        Anton Lundin, Arian van Putten, Arseny Maslennikov, Arthur Shau,
        Balázs Úr, beh_10257, Benjamin Peterson, Bertrand Jacquin,
        Brian Norris, Charles Lee, Cheng-Chia Tseng, Chris Patterson,
        Christian Hergert, Christian Hesse, Christian Kirbach,
        Clayton Craft, commondservice, cunshunxia, Curtis Klein, cvlc12,
        Daan De Meyer, Daniele Medri, Daniel P. Berrangé, Daniel Rusek,
        Daniel Thompson, Dan Nicholson, Dan Streetman, David Rheinsberg,
        David Santamaría Rogado, David Tardon, dependabot[bot],
        Diego Viola, Dmitry V. Levin, Emanuele Giuseppe Esposito,
        Emil Renner Berthing, Emil Velikov, Etienne Dechamps, Fabian Vogt,
        felixdoerre, Felix Dörre, Florian Schmaus, Franck Bui,
        Frantisek Sumsal, G2-Games, Gioele Barabucci, Hugo Carvalho,
        huyubiao, Iago López Galeiras, IllusionMan1212, Jade Lovelace,
        janana, Jan Janssen, Jan Kuparinen, Jan Macku, Jeremy Fleischman,
        Jin Liu, jjimbo137, Joerg Behrmann, Johannes Segitz, Jordan Rome,
        Jordan Williams, Julien Malka, Juno Computers, Khem Raj, khm,
        Kingbom Dou, Kiran Vemula, Krzesimir Nowak, Laszlo Gombos,
        Lennart Poettering, linuxlion, Luca Boccassi, Lucas Adriano Salles,
        Lukas, Lukáš Nykrýn, Maanya Goenka, Maarten, Malte Poll,
        Marc Pervaz Boocha, Martin Beneš, Martin Joerg, Martin Wilck,
        Mathieu Tortuyaux, Matthias Schiffer, Maxim Mikityanskiy,
        Max Kellermann, Michael A Cassaniti, Michael Biebl, Michael Kuhn,
        Michael Vasseur, Michal Koutný, Michal Sekletár, Mike Yuan,
        Milton D. Miller II, mordner, msizanoen, NAHO, Nandakumar Raghavan,
        Neil Wilson, Nick Rosbrook, Nils K, NRK, Oğuz Ersen,
        Omojola Joshua, onenowy, Paul Meyer, Paymon MARANDI, pelaufer,
        Peter Hutterer, PhylLu, Pierre GRASSER, Piotr Drąg, Priit Laes,
        Rahil Bhimjiani, Raito Bezarius, Raul Cheleguini, Reto Schneider,
        Richard Maw, Robby Red, RoepLuke, Roland Hieber, Roland Singer,
        Ronan Pigott, Sam James, Sam Leonard, Sergey A, Susant Sahani,
        Sven Joachim, Tad Fisher, Takashi Sakamoto, Thorsten Kukuk, Tj,
        Tomasz Świątek, Topi Miettinen, Valentin David,
        Valentin Lefebvre, Victor Westerhuis, Vincent Haupert,
        Vishal Chillara Srinivas, Vito Caputo, Warren, Weblate,
        Xiaotian Wu, xinpeng wang, Yaron Shahrabani, Yo-Jung Lin,
        Yu Watanabe, Zbigniew Jędrzejewski-Szmek, zeroskyx,
        Дамјан Георгиевски, наб

        — Edinburgh, 2023-12-06

CHANGES WITH 254:

        Announcements of Future Feature Removals and Incompatible Changes:

        * The next release (v255) will remove support for split-usr (/usr/
          mounted separately during late boot, instead of being mounted by the
          initrd before switching to the rootfs) and unmerged-usr (parallel
          directories /bin/ and /usr/bin/, /lib/ and /usr/lib/, …). For more
          details, see:
          https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

        * We intend to remove cgroup v1 support from a systemd release after
          the end of 2023. If you run services that make explicit use of
          cgroup v1 features (i.e. the "legacy hierarchy" with separate
          hierarchies for each controller), please implement compatibility with
          cgroup v2 (i.e. the "unified hierarchy") sooner rather than later.
          Most of Linux userspace has been ported over already.

        * Support for System V service scripts is now deprecated and will be
          removed in a future release. Please make sure to update your software
          *now* to include a native systemd unit file instead of a legacy
          System V script to retain compatibility with future systemd releases.

        * Support for the SystemdOptions EFI variable is deprecated.
          'bootctl systemd-efi-options' will emit a warning when used. It seems
          that this feature is little-used and it is better to use alternative
          approaches like credentials and confexts. The plan is to drop support
          altogether at a later point, but this might be revisited based on
          user feedback.

        * EnvironmentFile= now treats the line following a comment line
          trailing with escape as a non comment line. For details, see:
          https://github.com/systemd/systemd/issues/27975

        * PrivateNetwork=yes and NetworkNamespacePath= now imply
          PrivateMounts=yes unless PrivateMounts=no is explicitly specified.

        * Behaviour of sandboxing options for the per-user service manager
          units has changed. They now imply PrivateUsers=yes, which means user
          namespaces will be implicitly enabled when a sandboxing option is
          enabled in a user unit. Enabling user namespaces has the drawback
          that system users will no longer be visible (and processes/files will
          appear as owned by 'nobody') in the user unit.

          By definition a sandboxed user unit should run with reduced
          privileges, so impact should be small. This will remove a great
          source of confusion that has been reported by users over the years,
          due to how these options require an extra setting to be manually
          enabled when used in the per-user service manager, which is not
          needed in the system service manager. For more details, see:
          https://lists.freedesktop.org/archives/systemd-devel/2022-December/048682.html

        * systemd-run's switch --expand-environment= which currently is disabled
          by default when combined with --scope, will be changed in a future
          release to be enabled by default.

        Security Relevant Changes:

        * pam_systemd will now by default pass the CAP_WAKE_ALARM ambient
          process capability to invoked session processes of regular users on
          local seats (as well as to systemd --user), unless configured
          otherwise via data from JSON user records, or via the PAM module's
          parameter list. This is useful in order allow desktop tools such as
          GNOME's Alarm Clock application to set a timer for
          CLOCK_REALTIME_ALARM that wakes up the system when it elapses. A
          per-user service unit file may thus use AmbientCapability= to pass
          the capability to invoked processes. Note that this capability is
          relatively narrow in focus (in particular compared to other process
          capabilities such as CAP_SYS_ADMIN) and we already — by default —
          permit more impactful operations such as system suspend to local
          users.

        Service Manager:

        * Memory limits that apply while the unit is activating are now
          supported. Previously IO and CPU settings were already supported via
          StartupCPUWeight= and similar. The same logic has been added for the
          various manager and unit memory settings (DefaultStartupMemoryLow=,
          StartupMemoryLow=, StartupMemoryHigh=, StartupMemoryMax=,
          StartupMemorySwapMax=, StartupMemoryZSwapMax=).

        * The service manager gained support for enqueuing POSIX signals to
          services that carry an additional integer value, exposing the
          sigqueue() system call. This is accessible via new D-Bus calls
          org.freedesktop.systemd1.Manager.QueueSignalUnit() and
          org.freedesktop.systemd1.Unit.QueueSignal(), as well as in systemctl
          via the new --kill-value= option.

        * systemctl gained a new "list-paths" verb, which shows all currently
          active .path units, similarly to how "systemctl list-timers" shows
          active timers, and "systemctl list-sockets" shows active sockets.

        * systemctl gained a new --when= switch which is honoured by the various
          forms of shutdown (i.e. reboot, kexec, poweroff, halt) and allows
          scheduling these operations by time, similar in fashion to how this
          has been supported by SysV shutdown.

        * If MemoryDenyWriteExecute= is enabled for a service and the kernel
          supports the new PR_SET_MDWE prctl() call, it is used instead of the
          seccomp()-based system call filter to achieve the same effect.

        * A new set of kernel command line options is now understood:
          systemd.tty.term.<name>=, systemd.tty.rows.<name>=,
          systemd.tty.columns.<name>= allow configuring the TTY type and
          dimensions for the tty specified via <name>. When systemd invokes a
          service on a tty (via TTYName=) it will look for these and configure
          the TTY accordingly. This is particularly useful in VM environments
          to propagate host terminal settings into the appropriate TTYs of the
          guest.

        * A new RootEphemeral= setting is now understood in service units. It
          takes a boolean argument. If enabled for services that use RootImage=
          or RootDirectory= an ephemeral copy of the disk image or directory
          tree is made when the service is started. It is removed automatically
          when the service is stopped. That ephemeral copy is made using
          btrfs/xfs reflinks or btrfs snapshots, if available.

        * The service activation logic gained new settings RestartSteps= and
          RestartMaxDelaySec= which allow exponentially-growing restart
          intervals for Restart=.

        * The service activation logic gained a new setting RestartMode= which
          can be set to 'direct' to skip the inactive/failed states when
          restarting, so that dependent units are not notified until the service
          converges to a final (successful or failed) state. For example, this
          means that OnSuccess=/OnFailure= units will not be triggered until the
          service state has converged.

        * PID 1 will now automatically load the virtio_console kernel module
          during early initialization if running in a suitable VM. This is done
          so that early-boot logging can be written to the console if available.

        * Similarly, virtio-vsock support is loaded early in suitable VM
          environments. PID 1 will send sd_notify() notifications via AF_VSOCK
          to the VMM if configured, thus loading this early is beneficial.

        * A new verb "fdstore" has been added to systemd-analyze to show the
          current contents of the file descriptor store of a unit. This is
          backed by a new D-Bus call DumpUnitFileDescriptorStore() provided by
          the service manager.

        * The service manager will now set a new $FDSTORE environment variable
          when invoking processes for services that have the file descriptor
          store enabled.

        * A new service option FileDescriptorStorePreserve= has been added that
          allows tuning the lifecycle of the per-service file descriptor store.
          If set to "yes", the entries in the fd store are retained even after
          the service has been fully stopped.

        * The "systemctl clean" command may now be used to clear the fdstore of
          a service.

        * Unit *.preset files gained a new directive "ignore", in addition to
          the existing "enable" and "disable". As the name suggests, matching
          units are left unchanged, i.e. neither enabled nor disabled.

        * Service units gained a new setting DelegateSubgroup=. It takes the
          name of a sub-cgroup to place any processes the service manager forks
          off in. Previously, the service manager would place all service
          processes directly in the top-level cgroup it created for the
          service. This usually meant that main process in a service with
          delegation enabled would first have to create a subgroup and move
          itself down into it, in order to not conflict with the "no processes
          in inner cgroups" rule of cgroup v2. With this option, this step is
          now handled by PID 1.

        * The service manager will now look for .upholds/ directories,
          similarly to the existing support for .wants/ and .requires/
          directories. Symlinks in this directory result in Upholds=
          dependencies.

          The [Install] section of unit files gained support for a new
          UpheldBy= directive to generate .upholds/ symlinks automatically when
          a unit is enabled.

        * The service manager now supports a new kernel command line option
          systemd.default_device_timeout_sec=, which may be used to override
          the default timeout for .device units.

        * A new "soft-reboot" mechanism has been added to the service manager.
          A "soft reboot" is similar to a regular reboot, except that it
          affects userspace only: the service manager shuts down any running
          services and other units, then optionally switches into a new root
          file system (mounted to /run/nextroot/), and then passes control to a
          systemd instance in the new file system which then starts the system
          up again. The kernel is not rebooted and neither is the hardware,
          firmware or boot loader. This provides a fast, lightweight mechanism
          to quickly reset or update userspace, without the latency that a full
          system reset involves. Moreover, open file descriptors may be passed
          across the soft reboot into the new system where they will be passed
          back to the originating services. This allows pinning resources
          across the reboot, thus minimizing grey-out time further. This new
          reboot mechanism is accessible via the new "systemctl soft-reboot"
          command.

        * Services using RootDirectory= or RootImage= will now have read-only
          access to a copy of the host's os-release file under
          /run/host/os-release, which will be kept up-to-date on 'soft-reboot'.
          This was already the case for Portable Services, and the feature has
          now been extended to all services that do not run off the host's
          root filesystem.

        * A new service setting MemoryKSM= has been added to enable kernel
          same-page merging individually for services.

        * A new service setting ImportCredentials= has been added that augments
          LoadCredential= and LoadCredentialEncrypted= and searches for
          credentials to import from the system, and supports globbing.

        * A new job mode "restart-dependencies" has been added to the service
          manager (exposed via systemctl --job-mode=). It is only valid when
          used with "start" jobs, and has the effect that the "start" job will
          be propagated as "restart" jobs to currently running units that have
          a BindsTo= or Requires= dependency on the started unit.

        * A new verb "whoami" has been added to "systemctl" which determines as
          part of which unit the command is being invoked. It writes the unit
          name to standard output. If one or more PIDs are specified reports
          the unit names the processes referenced by the PIDs belong to.

        * The system and service credential logic has been improved: there's
          now a clearly defined place where system provisioning tools running
          in the initrd can place credentials that will be imported into the
          system's set of credentials during the initrd → host transition: the
          /run/credentials/@initrd/ directory. Once the credentials placed
          there are imported into the system credential set they are deleted
          from this directory, and the directory itself is deleted afterwards
          too.

        * A new kernel command line option systemd.set_credential_binary= has
          been added, that is similar to the pre-existing
          systemd.set_credential= but accepts arbitrary binary credential data,
          encoded in Base64. Note that the kernel command line is not a
          recommend way to transfer credentials into a system, since it is
          world-readable from userspace.

        * The default machine ID to use may now be configured via the
          system.machine_id system credential. It will only be used if no
          machine ID was set yet on the host.

        * On Linux kernel 6.4 and newer system and service credentials will now
          be placed in a tmpfs instance that has the "noswap" mount option
          set. Previously, a "ramfs" instance was used. By switching to tmpfs
          ACL support and overall size limits can now be enforced, without
          compromising on security, as the memory is never paged out either
          way.

        * The service manager now can detect when it is running in a
          'Confidential Virtual Machine', and a corresponding 'cvm' value is now
          accepted by ConditionSecurity= for units that want to conditionalize
          themselves on this. systemd-detect-virt gained new 'cvm' and
          '--list-cvm' switches to respectively perform the detection or list
          all known flavours of confidential VM, depending on the vendor. The
          manager will publish a 'ConfidentialVirtualization' D-Bus property,
          and will also set a SYSTEMD_CONFIDENTIAL_VIRTUALIZATION= environment
          variable for unit generators. Finally, udev rules can match on a new
          'cvm' key that will be set when in a confidential VM.
          Additionally, when running in a 'Confidential Virtual Machine', SMBIOS
          strings and QEMU's fw_cfg protocol will not be used to import
          credentials and kernel command line parameters by the system manager,
          systemd-boot and systemd-stub, because the hypervisor is considered
          untrusted in this particular setting.

        Journal:

        * The sd-journal API gained a new call sd_journal_get_seqnum() to
          retrieve the current log record's sequence number and sequence number
          ID, which allows applications to order records the same way as
          journal does internally. The sequence number is now also exported in
          the JSON and "export" output of the journal.

        * journalctl gained a new switch --truncate-newline. If specified
          multi-line log records will be truncated at the first newline,
          i.e. only the first line of each log message will be shown.

        * systemd-journal-upload gained support for --namespace=, similar to
          the switch of the same name of journalctl.

        systemd-repart:

        * systemd-repart's drop-in files gained a new ExcludeFiles= option which
          may be used to exclude certain files from the effect of CopyFiles=.

        * systemd-repart's Verity support now implements the Minimize= setting
          to minimize the size of the resulting partition.

        * systemd-repart gained a new --offline= switch, which may be used to
          control whether images shall be built "online" or "offline",
          i.e. whether to make use of kernel facilities such as loopback block
          devices and device mapper or not.

        * If systemd-repart is told to populate a newly created ESP or XBOOTLDR
          partition with some files, it will now default to VFAT rather than
          ext4.

        * systemd-repart gained a new --architecture= switch. If specified, the
          per-architecture GPT partition types (i.e. the root and /usr/
          partitions) configured in the partition drop-in files are
          automatically adjusted to match the specified CPU architecture, in
          order to simplify cross-architecture DDI building.

        * systemd-repart will now default to a minimum size of 300MB for XFS
          filesystems if no size parameter is specified. This matches what the
          XFS tools (xfsprogs) can support.

        systemd-boot, systemd-stub, ukify, bootctl, kernel-install:

        * gnu-efi is no longer required to build systemd-boot and systemd-stub.
          Instead, pyelftools is now needed, and it will be used to perform the
          ELF -> PE relocations at build time.

        * bootctl gained a new switch --print-root-device/-R that prints the
          block device the root file system is backed by. If specified twice,
          it returns the whole disk block device (as opposed to partition block
          device) the root file system is on. It's useful for invocations such
          as "cfdisk $(bootctl -RR)" to quickly show the partition table of the
          running OS.

        * systemd-stub will now look for the SMBIOS Type 1 field
          "io.systemd.stub.kernel-cmdline-extra" and append its value to the
          kernel command line it invokes. This is useful for VMMs such as qemu
          to pass additional kernel command lines into the system even when
          booting via full UEFI. The contents of the field are measured into
          TPM PCR 12.

        * The KERNEL_INSTALL_LAYOUT= setting for kernel-install gained a new
          value "auto". With this value, a kernel will be automatically
          analyzed, and if it qualifies as UKI, it will be installed as if the
          setting was to set to "uki", otherwise as "bls".

        * systemd-stub can now optionally load UEFI PE "add-on" images that may
          contain additional kernel command line information. These "add-ons"
          superficially look like a regular UEFI executable, and are expected
          to be signed via SecureBoot/shim. However, they do not actually
          contain code, but instead a subset of the PE sections that UKIs
          support. They are supposed to provide a way to extend UKIs with
          additional resources in a secure and authenticated way. Currently,
          only the .cmdline PE section may be used in add-ons, in which case
          any specified string is appended to the command line embedded into
          the UKI itself. A new 'addon<EFI-ARCH>.efi.stub' is now provided that
          can be used to trivially create addons, via 'ukify' or 'objcopy'. In
          the future we expect other sections to be made extensible like this as
          well.

        * ukify has been updated to allow building these UEFI PE "add-on"
          images, using the new 'addon<EFI-ARCH>.efi.stub'.

        * ukify now accepts SBAT information to place in the .sbat PE section
          of UKIs and addons. If a UKI is built the SBAT information from the
          inner kernel is merged with any SBAT information associated with
          systemd-stub and the SBAT data specified on the ukify command line.

        * The kernel-install script has been rewritten in C, and reuses much of
          the infrastructure of existing tools such as bootctl. It also gained
          --esp-path= and --boot-path= options to override the path to the ESP,
          and the $BOOT partition. Options --make-entry-directory= and
          --entry-token= have been added as well, similar to bootctl's options
          of the same name.

        * A new kernel-install plugin 60-ukify has been added which will
          combine kernel/initrd locally into a UKI and optionally sign them
          with a local key. This may be used to switch to UKI mode even on
          systems where a local kernel or initrd is used. (Typically UKIs are
          built and signed by the vendor.)

        * The ukify tool now supports "pesign" in addition to the pre-existing
          "sbsign" for signing UKIs.

        * systemd-measure and systemd-stub now look for the .uname PE section
          that should contain the kernel's "uname -r" string.

        * systemd-measure and ukify now calculate expected PCR hashes for a UKI
          "offline", i.e. without access to a TPM (physical or
          software-emulated).

        Memory Pressure & Control:

        * The sd-event API gained new calls sd_event_add_memory_pressure(),
          sd_event_source_set_memory_pressure_type(),
          sd_event_source_set_memory_pressure_period() to create and configure
          an event source that is called whenever the OS signals memory
          pressure. Another call sd_event_trim_memory() is provided that
          compacts the process' memory use by releasing allocated but unused
          malloc() memory back to the kernel. Services can also provide their
          own custom callback to do memory trimming. This should improve system
          behaviour under memory pressure, as on Linux traditionally provided
          no mechanism to return process memory back to the kernel if the
          kernel was under memory pressure. This makes use of the kernel's PSI
          interface. Most long-running services in systemd have been hooked up
          with this, and in particular systems with low memory should benefit
          from this.

        * Service units gained new settings MemoryPressureWatch= and
          MemoryPressureThresholdSec= to configure the PSI memory pressure
          logic individually. If these options are used, the
          $MEMORY_PRESSURE_WATCH and $MEMORY_PRESSURE_WRITE environment
          variables will be set for the invoked processes to inform them about
          the requested memory pressure behaviour. (This is used by the
          aforementioned sd-events API additions, if set.)

        * systemd-analyze gained a new "malloc" verb that shows the output
          generated by glibc's malloc_info() on services that support it. Right
          now, only the service manager has been updated accordingly. This
          call requires privileges.

        User & Session Management:

        * The sd-login API gained a new call sd_session_get_username() to
          return the user name of the owner of a login session. It also gained
          a new call sd_session_get_start_time() to retrieve the time the login
          session started. A new call sd_session_get_leader() has been added to
          return the PID of the "leader" process of a session. A new call
          sd_uid_get_login_time() returns the time since the specified user has
          most recently been continuously logged in with at least one session.

        * JSON user records gained a new set of fields capabilityAmbientSet and
          capabilityBoundingSet which contain a list of POSIX capabilities to
          set for the logged in users in the ambient and bounding sets,
          respectively. homectl gained the ability to configure these two sets
          for users via --capability-bounding-set=/--capability-ambient-set=.

        * pam_systemd learnt two new module options
          default-capability-bounding-set= and default-capability-ambient-set=,
          which configure the default bounding sets for users as they are
          logging in, if the JSON user record doesn't specify this explicitly
          (see above). The built-in default for the ambient set now contains
          the CAP_WAKE_ALARM, thus allowing regular users who may log in
          locally to resume from a system suspend via a timer.

        * The Session D-Bus objects systemd-logind gained a new SetTTY() method
          call to update the TTY of a session after it has been allocated. This
          is useful for SSH sessions which are typically allocated first, and
          for which a TTY is added later.

        * The sd-login API gained a new call sd_pid_notifyf_with_fds() which
          combines the various other sd_pid_notify() flavours into one: takes a
          format string, an overriding PID, and a set of file descriptors to
          send. It also gained a new call sd_pid_notify_barrier() call which is
          equivalent to sd_notify_barrier() but allows the originating PID to
          be specified.

        * "loginctl list-users" and "loginctl list-sessions" will now show the
          state of each logged in user/session in their tabular output. It will
          also show the current idle state of sessions.

        DDIs:

        * systemd-dissect will now show the intended CPU architecture of an
          inspected DDI.

        * systemd-dissect will now install itself as mount helper for the "ddi"
          pseudo-file system type. This means you may now mount DDIs directly
          via /bin/mount or /etc/fstab, making full use of embedded Verity
          information and all other DDI features.

          Example: mount -t ddi myimage.raw /some/where

        * The systemd-dissect tool gained the new switches --attach/--detach to
          attach/detach a DDI to a loopback block device without mounting it.
          It will automatically derive the right sector size from the image
          and set up Verity and similar, but not mount the file systems in it.

        * When systemd-gpt-auto-generator or the DDI mounting logic mount an
          ESP or XBOOTLDR partition the MS_NOSYMFOLLOW mount option is now
          implied. Given that these file systems are typically untrusted, this
          should make mounting them automatically have less of a security
          impact.

        * All tools that parse DDIs (such as systemd-nspawn, systemd-dissect,
          systemd-tmpfiles, …) now understand a new switch --image-policy= which
          takes a string encoding image dissection policy. With this mechanism
          automatic discovery and use of specific partition types and the
          cryptographic requirements on the partitions (Verity, LUKS, …) can be
          restricted, permitting better control of the exposed attack surfaces
          when mounting disk images. systemd-gpt-auto-generator will honour such
          an image policy too, configurable via the systemd.image_policy= kernel
          command line option. Unit files gained the RootImagePolicy=,
          MountImagePolicy= and ExtensionImagePolicy= to configure the same for
          disk images a service runs off.

        * systemd-analyze gained a new verb "image-policy" to validate and
          parse image policy strings.

        * systemd-dissect gained support for a new --validate switch to
          superficially validate DDI structure, and check whether a specific
          image policy allows the DDI.

        * systemd-dissect gained support for a new --mtree-hash switch to
          optionally disable calculating mtree hashes, which can be slow on
          large images.

        * systemd-dissect --copy-to, --copy-from, --list and --mtree switches
          are now able to operate on directories too, other than images.

        Network Management:

        * networkd's GENEVE support as gained a new .network option
          InheritInnerProtocol=.

        * The [Tunnel] section in .netdev files has gained a new setting
          IgnoreDontFragment for controlling the IPv4 "DF" flag of datagrams.

        * A new global IPv6PrivacyExtensions= setting has been added that
          selects the default value of the per-network setting of the same
          name.

        * The predictable network interface naming logic was extended to
          include SR-IOV-R "representor" information in network interface
          names. Unfortunately, this feature was not enabled by default and can
          only be enabled at compilation time by setting
          -Ddefault-net-naming-scheme=v254.

        * The DHCPv4 + DHCPv6 + IPv6 RA logic in networkd gained support for
          the RFC8910 captive portal option.

        Device Management:

        * udevadm gained the new "verify" verb for validating udev rules files
          offline.

        * udev gained a new tool "iocost" that can be used to configure QoS IO
          cost data based on hwdb information onto suitable block devices. Also
          see https://github.com/iocost-benchmark/iocost-benchmarks.

        TPM2 Support + Disk Encryption & Authentication:

        * systemd-cryptenroll/systemd-cryptsetup will now install a TPM2 SRK
          ("Storage Root Key") as first step in the TPM2, and then use that
          for binding FDE to, if TPM2 support is used. This matches
          recommendations of TCG (see
          https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf)

        * systemd-cryptenroll and other tools that take TPM2 PCR parameters now
          understand textual identifiers for these PCRs.

        * systemd-veritysetup + /etc/veritytab gained support for a series of
          new options: hash-offset=, superblock=, format=, data-block-size=,
          hash-block-size=, data-blocks=, salt=, uuid=, hash=, fec-device=,
          fec-offset=, fec-roots= to configure various aspects of a Verity
          volume.

        * systemd-cryptsetup + /etc/crypttab gained support for a new
          veracrypt-pim= option for setting the Personal Iteration Multiplier
          of veracrypt volumes.

        * systemd-integritysetup + /etc/integritytab gained support for a new
          mode= setting for controlling the dm-integrity mode (journal, bitmap,
          direct) for the volume.

        * systemd-analyze gained a new verb "pcrs" that shows the known TPM PCR
          registers, their symbolic names and current values.

        systemd-tmpfiles:

        * The ACL support in tmpfiles.d/ has been updated: if an uppercase "X"
          access right is specified this is equivalent to "x" but only if the
          inode in question already has the executable bit set for at least
          some user/group. Otherwise the "x" bit will be turned off.

        * tmpfiles.d/'s C line type now understands a new modifier "+": a line
          with C+ will result in a "merge" copy, i.e. all files of the source
          tree are copied into the target tree, even if that tree already
          exists, resulting in a combined tree of files already present in the
          target tree and those copied in.

        * systemd-tmpfiles gained a new --graceful switch. If specified lines
          with unknown users/groups will silently be skipped.

        systemd-notify:

        * systemd-notify gained two new options --fd= and --fdname= for sending
          arbitrary file descriptors to the service manager (while specifying an
          explicit name for it).

        * systemd-notify gained a new --exec switch, which makes it execute the
          specified command line after sending the requested messages. This is
          useful for sending out READY=1 first, and then continuing invocation
          without changing process ID, so that the tool can be nicely used
          within an ExecStart= line of a unit file that uses Type=notify.

        sd-event + sd-bus APIs:

        * The sd-event API gained a new call sd_event_source_leave_ratelimit()
          which may be used to explicitly end a rate-limit state an event
          source might be in, resetting all rate limiting counters.

        * When the sd-bus library is used to make connections to AF_UNIX D-Bus
          sockets, it will now encode the "description" set via
          sd_bus_set_description() into the source socket address. It will also
          look for this information when accepting a connection. This is useful
          to track individual D-Bus connections on a D-Bus broker for debug
          purposes.

        systemd-resolved:

        * systemd-resolved gained a new resolved.conf setting
          StateRetentionSec= which may be used to retain cached DNS records
          even after their nominal TTL, and use them in case upstream DNS
          servers cannot be reached. This can be used to make name resolution
          more resilient in case of network problems.

        * resolvectl gained a new verb "show-cache" to show the current cache
          contents of systemd-resolved. This verb communicates with the
          systemd-resolved daemon and requires privileges.

        Other:

        * Meson >= 0.60.0 is now required to build systemd.

        * The default keymap to apply may now be chosen at build-time via the
          new -Ddefault-keymap= meson option.

        * Most of systemd's long-running services now have a generic handler of
          the SIGRTMIN+18 signal handler which executes various operations
          depending on the sigqueue() parameter sent along. For example, values
          0x100…0x107 allow changing the maximum log level of such
          services. 0x200…0x203 allow changing the log target of such
          services. 0x300 make the services trim their memory similarly to the
          automatic PSI-triggered action, see above. 0x301 make the services
          output their malloc_info() data to the logs.

        * machinectl gained new "edit" and "cat" verbs for editing .nspawn
          files, inspired by systemctl's verbs of the same name which edit unit
          files. Similarly, networkctl gained the same verbs for editing
          .network, .netdev, .link files.

        * A new syscall filter group "@sandbox" has been added that contains
          syscalls for sandboxing system calls such as those for seccomp and
          Landlock.

        * New documentation has been added:

          https://systemd.io/COREDUMP
          https://systemd.io/MEMORY_PRESSURE
          smbios-type-11(7)

        * systemd-firstboot gained a new --reset option. If specified, the
          settings in /etc/ it knows how to initialize are reset.

        * systemd-sysext is now a multi-call binary and is also installed under
          the systemd-confext alias name (via a symlink). When invoked that way
          it will operate on /etc/ instead of /usr/ + /opt/. It thus becomes a
          powerful, atomic, secure configuration management of sorts, that
          locally can merge configuration from multiple confext configuration
          images into a single immutable tree.

        * The --network-macvlan=, --network-ipvlan=, --network-interface=
          switches of systemd-nspawn may now optionally take the intended
          network interface inside the container.

        * All our programs will now send an sd_notify() message with their exit
          status in the EXIT_STATUS= field when exiting, using the usual
          protocol, including PID 1. This is useful for VMMs and container
          managers to collect an exit status from a system as it shuts down, as
          set via "systemctl exit …". This is particularly useful in test cases
          and similar, as invocations via a VM can now nicely propagate an exit
          status to the host, similar to local processes.

        * systemd-run gained a new switch --expand-environment=no to disable
          server-side environment variable expansion in specified command
          lines. Expansion defaults to enabled for all execution types except
          --scope, where it defaults to off (and prints a warning) for backward
          compatibility reasons. --scope will be flipped to enabled by default
          too in a future release. If you are using --scope and passing a '$'
          character in the payload you should start explicitly using
          --expand-environment=yes/no according to the use case.

        * The systemd-system-update-generator has been updated to also look for
          the special flag file /etc/system-update in addition to the existing
          support for /system-update to decide whether to enter system update
          mode.

        * The /dev/hugepages/ file system is now mounted with nosuid + nodev
          mount options by default.

        * systemd-fstab-generator now understands two new kernel command line
          options systemd.mount-extra= and systemd.swap-extra=, which configure
          additional mounts or swaps in a format similar to /etc/fstab. 'fsck'
          will be ran on these block devices, like it already happens for
          'root='. It also now supports the new fstab.extra and
          fstab.extra.initrd credentials that may contain additional /etc/fstab
          lines to apply at boot.

        * systemd-getty-generator now understands two new credentials
          getty.ttys.container and getty.ttys.serial. These credentials may
          contain a list of TTY devices – one per line – to instantiate
          container-getty@.service and serial-getty@.service on.

        * The getty/serial-getty/container-getty units now import the 'agetty.*'
          and 'login.*' credentials, which are consumed by the 'login' and
          'agetty' programs starting from util-linux v2.40.

        * systemd-sysupdate's sysupdate.d/ drop-ins gained a new setting
          PathRelativeTo=, which can be set to "esp", "xbootldr", "boot", in
          which case the Path= setting is taken relative to the ESP or XBOOTLDR
          partitions, rather than the system's root directory /. The relevant
          directories are automatically discovered.

        * The systemd-ac-power tool gained a new switch --low, which reports
          whether the battery charge is considered "low", similar to how the
          s2h suspend logic checks this state to decide whether to enter system
          suspend or hibernation.

        * The /etc/os-release file can now have two new optional fields
          VENDOR_NAME= and VENDOR_URL= to carry information about the vendor of
          the OS.

        * When the system hibernates, information about the device and offset
          used is now written to a non-volatile EFI variable. On next boot the
          system will attempt to resume from the location indicated in this EFI
          variable. This should make hibernation a lot more robust, while
          requiring no manual configuration of the resume location.

        * The $XDG_STATE_HOME environment variable (added in more recent
          versions of the XDG basedir specification) is now honoured to
          implement the StateDirectory= setting in user services.

        * A new component "systemd-battery-check" has been added. It may run
          during early boot (usually in the initrd), and checks the battery
          charge level of the system. In case the charge level is very low the
          user is notified (graphically via Plymouth – if available – as well
          as in text form on the console), and the system is turned off after a
          10s delay. The feature can be disabled by passing
          systemd.battery_check=0 through the kernel command line.

        * The 'passwdqc' library is now supported as an alternative to the
          'pwquality' library and can be selected at build time.

        Contributions from: 김인수, 07416, Addison Snelling, Adrian Vovk,
        Aidan Dang, Alexander Krabler, Alfred Klomp, Anatoli Babenia,
        Andrei Stepanov, Andrew Baxter, Antonio Alvarez Feijoo,
        Arian van Putten, Arthur Shau, A S Alam,
        Asier Sarasua Garmendia, Balló György, Bastien Nocera,
        Benjamin Herrenschmidt, Benjamin Raison, Bill Peterson,
        Brad Fitzpatrick, Brett Holman, bri, Chen Qi, Chitoku,
        Christian Hesse, Christoph Anton Mitterer, Christopher Gurnee,
        Colin Walters, Cornelius Hoffmann, Cristian Rodríguez, cunshunxia,
        cvlc12, Cyril Roelandt, Daan De Meyer, Daniele Medri,
        Daniel P. Berrangé, Daniel Rusek, Dan Streetman, David Edmundson,
        David Schroeder, David Tardon, dependabot[bot],
        Dimitri John Ledkov, Dmitrii Fomchenkov, Dmitry V. Levin, dmkUK,
        Dominique Martinet, don bright, drosdeck, Edson Juliano Drosdeck,
        Egor Ignatov, EinBaum, Emanuele Giuseppe Esposito, Eric Curtin,
        Erik Sjölund, Evgeny Vereshchagin, Florian Klink, Franck Bui,
        François Rigault, Fran Diéguez, Franklin Yu, Frantisek Sumsal,
        Fuminobu TAKEYAMA, Gaël PORTAY, Gerd Hoffmann, Gertalitec,
        Gibeom Gwon, Gustavo Noronha Silva, Hannu Lounento,
        Hans de Goede, Haochen Tong, HATAYAMA Daisuke, Henrik Holst,
        Hoe Hao Cheng, Igor Tsiglyar, Ivan Vecera, James Hilliard,
        Jan Engelhardt, Jan Janssen, Jan Luebbe, Jan Macku, Janne Sirén,
        jcg, Jeidnx, Joan Bruguera, Joerg Behrmann, jonathanmetzman,
        Jordan Rome, Josef Miegl, Joshua Goins, Joyce, Joyce Brum,
        Juno Computers, Kai Lueke, Kevin P. Fleming, Kiran Vemula, Klaus,
        Klaus Zipfel, Lawrence Thorpe, Lennart Poettering, licunlong,
        Lily Foster, Luca Boccassi, Ludwig Nussel, Luna Jernberg,
        maanyagoenka, Maanya Goenka, Maksim Kliazovich, Malte Poll,
        Marko Korhonen, Masatake YAMATO, Mateusz Poliwczak, Matt Johnston,
        Miao Wang, Micah Abbott, Michael A Cassaniti, Michal Koutný,
        Michal Sekletár, Mike Yuan, mooo, Morten Linderud, msizanoen,
        Nick Rosbrook, nikstur, Olivier Gayot, Omojola Joshua,
        Paolo Velati, Paul Barker, Pavel Borecki, Petr Menšík,
        Philipp Kern, Philip Withnall, Piotr Drąg, Quintin Hill,
        Rene Hollander, Richard Phibel, Robert Meijers, Robert Scheck,
        Roger Gammans, Romain Geissler, Ronan Pigott, Russell Harmon,
        saikat0511, Samanta Navarro, Sam James, Sam Morris,
        Simon Braunschmidt, Sjoerd Simons, Sorah Fukumori,
        Stanislaw Gruszka, Stefan Roesch, Steven Luo, Steve Ramage,
        Susant Sahani, taniishkaaa, Tanishka, Temuri Doghonadze,
        Thierry Martin, Thomas Blume, Thomas Genty, Thomas Weißschuh,
        Thorsten Kukuk, Times-Z, Tobias Powalowski, tofylion,
        Topi Miettinen, Uwe Kleine-König, Velislav Ivanov,
        Vitaly Kuznetsov, Vít Zikmund, Weblate, Will Fancher,
        William Roberts, Winterhuman, Wolfgang Müller, Xeonacid,
        Xiaotian Wu, Xi Ruoyao, Yuri Chornoivan, Yu Watanabe, Yuxiang Zhu,
        Zbigniew Jędrzejewski-Szmek, zhmylove, ZjYwMj,
        Дамјан Георгиевски, наб

        — Edinburgh, 2023-07-28

CHANGES WITH 253:

        Announcements of Future Feature Removals and Incompatible Changes:

        * We intend to remove cgroup v1 support from systemd release after the
          end of 2023. If you run services that make explicit use of cgroup v1
          features (i.e. the "legacy hierarchy" with separate hierarchies for
          each controller), please implement compatibility with cgroup v2 (i.e.
          the "unified hierarchy") sooner rather than later. Most of Linux
          userspace has been ported over already.

        * We intend to remove support for split-usr (/usr mounted separately
          during boot) and unmerged-usr (parallel directories /bin and
          /usr/bin, /lib and /usr/lib, etc). This will happen in the second
          half of 2023, in the first release that falls into that time window.
          For more details, see:
          https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

        * We intend to change behaviour w.r.t. units of the per-user service
          manager and sandboxing options, so that they work without having to
          manually enable PrivateUsers= as well, which is not required for
          system units. To make this work, we will implicitly enable user
          namespaces (PrivateUsers=yes) when a sandboxing option is enabled in a
          user unit. The drawback is that system users will no longer be visible
          (and appear as 'nobody') to the user unit when a sandboxing option is
          enabled. By definition a sandboxed user unit should run with reduced
          privileges, so impact should be small. This will remove a great source
          of confusion that has been reported by users over the years, due to
          how these options require an extra setting to be manually enabled when
          used in the per-user service manager, as opposed as to the system
          service manager. We plan to enable this change in the next release
          later this year. For more details, see:
          https://lists.freedesktop.org/archives/systemd-devel/2022-December/048682.html

        Deprecations and incompatible changes:

        * systemctl will now warn when invoked without /proc/ mounted
          (e.g. when invoked after chroot() into an directory tree without the
          API mount points like /proc/ being set up.)  Operation in such an
          environment is not fully supported.

        * The return value of 'systemctl is-active|is-enabled|is-failed' for
          unknown units is changed: previously 1 or 3 were returned, but now 4
          (EXIT_PROGRAM_OR_SERVICES_STATUS_UNKNOWN) is used as documented.

        * 'udevadm hwdb' subcommand is deprecated and will emit a warning.
          systemd-hwdb (added in 2014) should be used instead.

        * 'bootctl --json' now outputs a single JSON array, instead of a stream
          of newline-separated JSON objects.

        * Udev rules in 60-evdev.rules have been changed to load hwdb
          properties for all modalias patterns. Previously only the first
          matching pattern was used. This could change what properties are
          assigned if the user has more and less specific patterns that could
          match the same device, but it is expected that the change will have
          no effect for most users.

        * systemd-networkd-wait-online exits successfully when all interfaces
          are ready or unmanaged. Previously, if neither '--any' nor
          '--interface=' options were used, at least one interface had to be in
          configured state. This change allows the case where systemd-networkd
          is enabled, but no interfaces are configured, to be handled
          gracefully. It may occur in particular when a different network
          manager is also enabled and used.

        * Some compatibility helpers were dropped: EmergencyAction= in the user
          manager, as well as measuring kernel command line into PCR 8 in
          systemd-stub, along with the -Defi-tpm-pcr-compat compile-time
          option.

        * The '-Dupdate-helper-user-timeout=' build-time option has been
          renamed to '-Dupdate-helper-user-timeout-sec=', and now takes an
          integer as parameter instead of a string.

        * The DDI image dissection logic (which backs RootImage= in service
          unit files, the --image= switch in various tools such as
          systemd-nspawn, as well as systemd-dissect) will now only mount file
          systems of types btrfs, ext4, xfs, erofs, squashfs, vfat. This list
          can be overridden via the $SYSTEMD_DISSECT_FILE_SYSTEMS environment
          variable. These file systems are fairly well supported and maintained
          in current kernels, while others are usually more niche, exotic or
          legacy and thus typically do not receive the same level of security
          support and fixes.

        * The default per-link multicast DNS mode is changed to "yes"
          (that was previously "no"). As the default global multicast DNS mode
          has been "yes" (but can be changed by the build option), now the
          multicast DNS is enabled on all links by default. You can disable the
          multicast DNS on all links by setting MulticastDNS= in resolved.conf,
          or on an interface by calling "resolvectl mdns INTERFACE no".

        New components:

        * A tool 'ukify' tool to build, measure, and sign Unified Kernel Images
          (UKIs) has been added. This replaces functionality provided by
          'dracut --uefi' and extends it with automatic calculation of PE file
          offsets, insertion of signed PCR policies generated by
          systemd-measure, support for initrd concatenation, signing of the
          embedded Linux image and the combined image with sbsign, and
          heuristics to autodetect the kernel uname and verify the splash
          image.

        Changes in systemd and units:

        * A new service type Type=notify-reload is defined. When such a unit is
          reloaded a UNIX process signal (typically SIGHUP) is sent to the main
          service process. The manager will then wait until it receives a
          "RELOADING=1" followed by a "READY=1" notification from the unit as
          response (via sd_notify()). Otherwise, this type is the same as
          Type=notify. A new setting ReloadSignal= may be used to change the
          signal to send from the default of SIGHUP.

          user@.service, systemd-networkd.service, systemd-udevd.service, and
          systemd-logind have been updated to this type.

        * Initrd environments which are not on a pure memory file system (e.g.
          overlayfs combination as opposed to tmpfs) are now supported. With
          this change, during the initrd → host transition ("switch root")
          systemd will erase all files of the initrd only when the initrd is
          backed by a memory file system such as tmpfs.

        * New per-unit MemoryZSwapMax= option has been added to configure
          memory.zswap.max cgroup properties (the maximum amount of zswap
          used).

        * A new LogFilterPatterns= option has been added for units. It may be
          used to specify accept/deny regular expressions for log messages
          generated by the unit, that shall be enforced by systemd-journald.
          Rejected messages are neither stored in the journal nor forwarded.
          This option may be used to suppress noisy or uninteresting messages
          from units.

        * The manager has a new
          org.freedesktop.systemd1.Manager.GetUnitByPIDFD() D-Bus method to
          query process ownership via a PIDFD, which is more resilient against
          PID recycling issues.

        * Scope units now support OOMPolicy=. Login session scopes default to
          OOMPolicy=continue, allowing login scopes to survive the OOM killer
          terminating some processes in the scope.

        * systemd-fstab-generator now supports x-systemd.makefs option for
          /sysroot/ (in the initrd).

        * The maximum rate at which daemon reloads are executed can now be
          limited with the new ReloadLimitIntervalSec=/ReloadLimitBurst=
          options. (Or the equivalent on the kernel command line:
          systemd.reload_limit_interval_sec=/systemd.reload_limit_burst=). In
          addition, systemd now logs the originating unit and PID when a reload
          request is received over D-Bus.

        * When enabling a swap device systemd will now reinitialize the device
          when the page size of the swap space does not match the page size of
          the running kernel. Note that this requires the 'swapon' utility to
          provide the '--fixpgsz' option, as implemented by util-linux, and it
          is not supported by busybox at the time of writing.

        * systemd now executes generator programs in a mount namespace
          "sandbox" with most of the file system read-only and write access
          restricted to the output directories, and with a temporary /tmp/
          mount provided. This provides a safeguard against programming errors
          in the generators, but also fixes here-docs in shells, which
          previously didn't work in early boot when /tmp/ wasn't available
          yet. (This feature has no security implications, because the code is
          still privileged and can trivially exit the sandbox.)

        * The system manager will now parse a new "vmm.notify_socket"
          system credential, which may be supplied to a VM via SMBIOS. If
          found, the manager will send a "READY=1" notification on the
          specified socket after boot is complete. This allows readiness
          notification to be sent from a VM guest to the VM host over a VSOCK
          socket.

        * The sample PAM configuration file for systemd-user@.service now
          includes a call to pam_namespace. This puts children of user@.service
          in the expected namespace. (Many distributions replace their file
          with something custom, so this change has limited effect.)

        * A new environment variable $SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST
          can be used to override the mount units burst late limit for
          parsing '/proc/self/mountinfo', which was introduced in v249.
          Defaults to 5.

        * Drop-ins for init.scope changing control group resource limits are
          now applied, while they were previously ignored.

        * New build-time configuration options '-Ddefault-timeout-sec=' and
          '-Ddefault-user-timeout-sec=' have been added, to let distributions
          choose the default timeout for starting/stopping/aborting system and
          user units respectively.

        * Service units gained a new setting OpenFile= which may be used to
          open arbitrary files in the file system (or connect to arbitrary
          AF_UNIX sockets in the file system), and pass the open file
          descriptor to the invoked process via the usual file descriptor
          passing protocol. This is useful to give unprivileged services access
          to select files which have restrictive access modes that would
          normally not allow this. It's also useful in case RootDirectory= or
          RootImage= is used to allow access to files from the host environment
          (which is after all not visible from the service if these two options
          are used.)

        Changes in udev:

        * The new net naming scheme "v253" has been introduced. In the new
          scheme, ID_NET_NAME_PATH is also set for USB devices not connected via
          a PCI bus. This extends the coverage of predictable interface names
          in some embedded systems.

          The "amba" bus path is now included in ID_NET_NAME_PATH, resulting in
          a more informative path on some embedded systems.

        * Partition block devices will now also get symlinks in
          /dev/disk/by-diskseq/<seq>-part<n>, which may be used to reference
          block device nodes via the kernel's "diskseq" value. Previously those
          symlinks were only created for the main block device.

        * A new operator '-=' is supported for SYMLINK variables. This allows
          symlinks to be unconfigured even if an earlier rule added them.

        * 'udevadm --trigger --settle' now also works for network devices
          that are being renamed.

        Changes in sd-boot, bootctl, and the Boot Loader Specification:

        * systemd-boot now passes its random seed directly to the kernel's RNG
          via the LINUX_EFI_RANDOM_SEED_TABLE_GUID configuration table, which
          means the RNG gets seeded very early in boot before userspace has
          started.

        * systemd-boot will pass a disk-backed random seed – even when secure
          boot is enabled – if it can additionally get a random seed from EFI
          itself (via EFI's RNG protocol), or a prior seed in
          LINUX_EFI_RANDOM_SEED_TABLE_GUID from a preceding bootloader.

        * systemd-boot-system-token.service was renamed to
          systemd-boot-random-seed.service and extended to always save a random
          seed to ESP on every boot when a compatible boot loader is used. This
          allows a refreshed random seed to be used in the boot loader.

        * systemd-boot handles various seed inputs using a domain- and
          field-separated hashing scheme.

        * systemd-boot's 'random-seed-mode' option has been removed. A system
          token is now always required to be present for random seeds to be
          used.

        * systemd-boot now supports being loaded from other locations than the
          ESP, for example for direct kernel boot under QEMU or when embedded
          into the firmware.

        * systemd-boot now parses SMBIOS information to detect
          virtualization. This information is used to skip some warnings which
          are not useful in a VM and to conditionalize other aspects of
          behaviour.

        * systemd-boot now supports a new 'if-safe' mode that will perform UEFI
          Secure Boot automated certificate enrollment from the ESP only if it
          is considered 'safe' to do so. At the moment 'safe' means running in
          a virtual machine.

        * systemd-stub now processes random seeds in the same way as
          systemd-boot already does, in case a unified kernel image is being
          used from a different bootloader than systemd-boot, or without any
          boot load at all.

        * bootctl will now generate a system token on all EFI systems, even
          virtualized ones, and is activated in the case that the system token
          is missing from either sd-boot and sd-stub booted systems.

        * bootctl now implements two new verbs: 'kernel-identify' prints the
          type of a kernel image file, and 'kernel-inspect' provides
          information about the embedded command line and kernel version of
          UKIs.

        * bootctl now honours $KERNEL_INSTALL_CONF_ROOT with the same meaning
          as for kernel-install.

        * The JSON output of "bootctl list" will now contain two more fields:
          isDefault and isSelected are boolean fields set to true on the
          default and currently booted boot menu entries.

        * bootctl gained a new verb "unlink" for removing a boot loader entry
          type #1 file from disk in a safe and robust way.

        * bootctl also gained a new verb "cleanup" that automatically removes
          all files from the ESP's and XBOOTLDR's "entry-token" directory, that
          is not referenced anymore by any installed Type #1 boot loader
          specification entry. This is particularly useful in environments where
          a large number of entries reference the same or partly the same
          resources (for example, for snapshot-based setups).

        Changes in kernel-install:

        * A new "installation layout" can be configured as layout=uki. With
          this setting, a Boot Loader Specification Type#1 entry will not be
          created. Instead, a new kernel-install plugin 90-uki-copy.install
          will copy any .efi files from the staging area into the boot
          partition. A plugin to generate the UKI .efi file must be provided
          separately.

        Changes in systemctl:

        * 'systemctl reboot' has dropped support for accepting a positional
          argument as the argument to the reboot(2) syscall. Please use the
          --reboot-argument= option instead.

        * 'systemctl disable' will now warn when called on units without
          install information. A new --no-warn option has been added that
          silences this warning.

        * New option '--drop-in=' can be used to tell 'systemctl edit' the name
          of the drop-in to edit. (Previously, 'override.conf' was always
          used.)

        * 'systemctl list-dependencies' now respects --type= and --state=.

        * 'systemctl kexec' now supports XEN VMM environments.

        * 'systemctl edit' will now tell the invoked editor to jump into the
          first line with actual unit file data, skipping over synthesized
          comments.

        Changes in systemd-networkd and related tools:

        * The [DHCPv4] section in .network file gained new SocketPriority=
          setting that assigns the Linux socket priority used by the DHCPv4 raw
          socket. This may be used in conjunction with the
          EgressQOSMaps=setting in [VLAN] section of .netdev file to send the
          desired ethernet 802.1Q frame priority for DHCPv4 initial
          packets. This cannot be achieved with netfilter mangle tables because
          of the raw socket bypass.

        * The [DHCPv4] and [IPv6AcceptRA] sections in .network file gained a
          new QuickAck= boolean setting that enables the TCP quick ACK mode for
          the routes configured by the acquired DHCPv4 lease or received router
          advertisements (RAs).

        * The RouteMetric= option (for DHCPv4, DHCPv6, and IPv6 advertised
          routes) now accepts three values, for high, medium, and low preference
          of the router (which can be set with the RouterPreference=) setting.

        * systemd-networkd-wait-online now supports matching via alternative
          interface names.

        * The [DHCPv6] section in .network file gained new SendRelease=
          setting which enables the DHCPv6 client to send release when
          it stops. This is the analog of the [DHCPv4] SendRelease= setting.
          It is enabled by default.

        * If the Address= setting in [Network] or [Address] sections in .network
          specified without its prefix length, then now systemd-networkd assumes
          /32 for IPv4 or /128 for IPv6 addresses.

        * networkctl shows network and link file dropins in status output.

        Changes in systemd-dissect:

        * systemd-dissect gained a new option --list, to print the paths of
          all files and directories in a DDI.

        * systemd-dissect gained a new option --mtree, to generate a file
          manifest compatible with BSD mtree(5) of a DDI

        * systemd-dissect gained a new option --with, to execute a command with
          the specified DDI temporarily mounted and used as working
          directory. This is for example useful to convert a DDI to "tar"
          simply by running it within a "systemd-dissect --with" invocation.

        * systemd-dissect gained a new option --discover, to search for
          Discoverable Disk Images (DDIs) in well-known directories of the
          system. This will list machine, portable service and system extension
          disk images.

        * systemd-dissect now understands 2nd stage initrd images stored as a
          Discoverable Disk Image (DDI).

        * systemd-dissect will now display the main UUID of GPT DDIs (i.e. the
          disk UUID stored in the GPT header) among the other data it can show.

        * systemd-dissect gained a new --in-memory switch to operate on an
          in-memory copy of the specified DDI file. This is useful to access a
          DDI with write access without persisting any changes. It's also
          useful for accessing a DDI without keeping the originating file
          system busy.

        * The DDI dissection logic will now automatically detect the intended
          sector size of disk images stored in files, based on the GPT
          partition table arrangement. Loopback block devices for such DDIs
          will then be configured automatically for the right sector size. This
          is useful to make dealing with modern 4K sector size DDIs fully
          automatic. The systemd-dissect tool will now show the detected sector
          size among the other DDI information in its output.

        Changes in systemd-repart:

        * systemd-repart gained new options --include-partitions= and
          --exclude-partitions= to filter operation on partitions by type UUID.
          This allows systemd-repart to be used to build images in which the
          type of one partition is set based on the contents of another
          partition (for example when the boot partition shall include a verity
          hash of the root partition).

        * systemd-repart also gained a --defer-partitions= option that is
          similar to --exclude-partitions=, but the size of the partition is
          still taken into account when sizing partitions, but without
          populating it.

        * systemd-repart gained a new --sector-size= option to specify what
          sector size should be used when an image is created.

        * systemd-repart now supports generating erofs file systems via
          CopyFiles= (a read-only file system similar to squashfs).

        * The Minimize= option was extended to accept "best" (which means the
          most minimal image possible, but may require multiple attempts) and
          "guess" (which means a reasonably small image).

        * The systemd-growfs binary now comes with a regular unit file template
          systemd-growfs@.service which can be instantiated directly for any
          desired file system. (Previously, the unit was generated dynamically
          by various generators, but no regular unit file template was
          available.)

        Changes in journal tools:

        * Various systemd tools will append extra fields to log messages when
          in debug mode, or when SYSTEMD_ENABLE_LOG_CONTEXT=1 is set. Currently
          this includes information about D-Bus messages when sd-bus is used,
          e.g. DBUS_SENDER=, DBUS_DESTINATION=, and DBUS_PATH=, and information
          about devices when sd-device is used, e.g. DEVNAME= and DRIVER=.
          Details of what is logged and when are subject to change.

        * The systemd-journald-audit.socket can now be disabled via the usual
          "systemctl disable" mechanism to stop collection of audit
          messages. Please note that it is not enabled statically anymore and
          must be handled by the preset/enablement logic in package
          installation scripts.

        * New options MaxUse=, KeepFree=, MaxFileSize=, and MaxFiles= can
          be used to curtail disk use by systemd-journal-remote. This is
          similar to the options supported by systemd-journald.

        Changes in systemd-cryptenroll, systemd-cryptsetup, and related
        components:

        * When enrolling new keys systemd-cryptenroll now supports unlocking
          via FIDO2 tokens (option --unlock-fido2-device=). Previously, a
          password was strictly required to be specified.

        * systemd-cryptsetup now supports pre-flight requests for FIDO2 tokens
          (except for tokens with user verification, UV) to identify tokens
          before authentication. Multiple FIDO2 tokens can now be enrolled at
          the same time, and systemd-cryptsetup will automatically select one
          that corresponds to one of the available LUKS key slots.

        * systemd-cryptsetup now supports new options tpm2-measure-bank= and
          tpm2-measure-pcr= in crypttab(5). These allow specifying the TPM2 PCR
          bank and number into which the volume key should be measured. This is
          automatically enabled for the encrypted root volume discovered and
          activated by systemd-gpt-auto-generator.

        * systemd-gpt-auto-generator mounts the ESP and XBOOTLDR partitions with
          "noexec,nosuid,nodev".

        * systemd-gpt-auto-generator will now honour the rootfstype= and
          rootflags= kernel command line switches for root file systems it
          discovers, to match behaviour in case an explicit root fs is
          specified via root=.

        * systemd-pcrphase gained new options --machine-id and --file-system=
          to measure the machine-id and mount point information into PCR 15.
          New service unit files systemd-pcrmachine.service and
          systemd-pcrfs@.service have been added that invoke the tool with
          these switches during early boot.

        * systemd-pcrphase gained a --graceful switch will make it exit cleanly
          with a success exit code even if no TPM device is detected.

        * systemd-cryptenroll now stores the user-supplied PIN with a salt,
          making it harder to brute-force.

        Changes in other tools:

        * systemd-homed gained support for luksPbkdfForceIterations (the
          intended number of iterations for the PBKDF operation on LUKS).

        * Environment variables $SYSTEMD_HOME_MKFS_OPTIONS_BTRFS,
          $SYSTEMD_HOME_MKFS_OPTIONS_EXT4, and $SYSTEMD_HOME_MKFS_OPTIONS_XFS
          may now be used to specify additional arguments for mkfs when
          systemd-homed formats a file system.

        * systemd-hostnamed now exports the contents of
          /sys/class/dmi/id/bios_vendor and /sys/class/dmi/id/bios_date via two
          new D-Bus properties: FirmwareVendor and FirmwareDate. This allows
          unprivileged code to access those values.

          systemd-hostnamed also exports the SUPPORT_END= field from
          os-release(5) as OperatingSystemSupportEnd. hostnamectl make uses of
          this to show the status of the installed system.

        * systemd-measure gained an --append= option to sign multiple phase
          paths with different signing keys. This allows secrets to be
          accessible only in certain parts of the boot sequence. Note that
          'ukify' provides similar functionality in a more accessible form.

        * systemd-timesyncd will now write a structured log message with
          MESSAGE_ID set to SD_MESSAGE_TIME_BUMP when it bumps the clock based
          on a on-disk timestamp, similarly to what it did when reaching
          synchronization via NTP.

        * systemd-timesyncd will now update the on-disk timestamp file on each
          boot at least once, making it more likely that the system time
          increases in subsequent boots.

        * systemd-vconsole-setup gained support for system/service credentials:
          vconsole.keymap/vconsole.keymap_toggle and
          vconsole.font/vconsole.font_map/vconsole.font_unimap are analogous
          the similarly-named options in vconsole.conf.

        * systemd-localed will now save the XKB keyboard configuration to
          /etc/vconsole.conf, and also read it from there with a higher
          preference than the /etc/X11/xorg.conf.d/00-keyboard.conf config
          file. Previously, this information was stored in the former file in
          converted form, and only in latter file in the original form. Tools
          which want to access keyboard configuration can now do so from a
          standard location.

        * systemd-resolved gained support for configuring the nameservers and
          search domains via kernel command line (nameserver=, domain=) and
          credentials (network.dns, network.search_domains).

        * systemd-resolved will now synthesize host names for the DNS stub
          addresses it supports. Specifically when "_localdnsstub" is resolved,
          127.0.0.53 is returned, and if "_localdnsproxy" is resolved
          127.0.0.54 is returned.

        * systemd-notify will now send a "RELOADING=1" notification when called
          with --reloading, and "STOPPING=1" when called with --stopping. This
          can be used to implement notifications from units where it's easier
          to call a program than to use the sd-daemon library.

        * systemd-analyze's 'plot' command can now output its information in
          JSON, controlled via the --json= switch. Also, new --table, and
          --no-legend options have been added.

        * 'machinectl enable' will now automatically enable machines.target
          unit in addition to adding the machine unit to the target.

          Similarly, 'machinectl start|stop' gained a --now option to enable or
          disable the machine unit when starting or stopping it.

        * systemd-sysusers will now create /etc/ if it is missing.

        * systemd-sleep 'HibernateDelaySec=' setting is changed back to
          pre-v252's behaviour, and a new 'SuspendEstimationSec=' setting is
          added to provide the new initial value for the new automated battery
          estimation functionality. If 'HibernateDelaySec=' is set to any value,
          the automated estimate (and thus the automated hibernation on low
          battery to avoid data loss) functionality will be disabled.

        * Default tmpfiles.d/ configuration will now automatically create
          credentials storage directory '/etc/credstore/' with the appropriate,
          secure permissions. If '/run/credstore/' exists, its permissions will
          be fixed too in case they are not correct.

        Changes in libsystemd and shared code:

        * sd-bus gained new convenience functions sd_bus_emit_signal_to(),
          sd_bus_emit_signal_tov(), and sd_bus_message_new_signal_to().

        * sd-id128 functions now return -EUCLEAN (instead of -EIO) when the
          128-bit ID in files such as /etc/machine-id has an invalid
          format. They also accept NULL as output parameter in more places,
          which is useful when the caller only wants to validate the inputs and
          does not need the output value.

        * sd-login gained new functions sd_pidfd_get_session(),
          sd_pidfd_get_owner_uid(), sd_pidfd_get_unit(),
          sd_pidfd_get_user_unit(), sd_pidfd_get_slice(),
          sd_pidfd_get_user_slice(), sd_pidfd_get_machine_name(), and
          sd_pidfd_get_cgroup(), that are analogous to sd_pid_get_*(),
          but accept a PIDFD instead of a PID.

        * sd-path (and systemd-path) now export four new paths:
          SD_PATH_SYSTEMD_SYSTEM_ENVIRONMENT_GENERATOR,
          SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR,
          SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR, and
          SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR,

        * sd_notify() now supports AF_VSOCK as transport for notification
          messages (in addition to the existing AF_UNIX support). This is
          enabled if $NOTIFY_SOCKET is set in a "vsock:CID:port" format.

        * Detection of chroot() environments now works if /proc/ is not
          mounted. This affects systemd-detect-virt --chroot, but also means
          that systemd tools will silently skip various operations in such an
          environment.

        * "Lockheed Martin Hardened Security for Intel Processors" (HS SRE)
          virtualization is now detected.

        Changes in the build system:

        * Standalone variants of systemd-repart and systemd-shutdown may now be
          built (if -Dstandalone=true).

        * systemd-ac-power has been moved from /usr/lib/ to /usr/bin/, to, for
          example, allow scripts to conditionalize execution on AC power
          supply.

        * The libp11kit library is now loaded through dlopen(3).

        Changes in the documentation:

        * Specifications that are not closely tied to systemd have moved to
          https://uapi-group.org/specifications/: the Boot Loader Specification
          and the Discoverable Partitions Specification.

        Contributions from: 김인수, 13r0ck, Aidan Dang, Alberto Planas,
        Alvin Šipraga, Andika Triwidada, AndyChi, angus-p, Anita Zhang,
        Antonio Alvarez Feijoo, Arsen Arsenović, asavah, Benjamin Fogle,
        Benjamin Tissoires, berenddeschouwer, BerndAdameit,
        Bernd Steinhauser, blutch112, cake03, Callum Farmer, Carlo Teubner,
        Charles Hardin, chris, Christian Brauner, Christian Göttsche,
        Cristian Rodríguez, Daan De Meyer, Dan Streetman, DaPigGuy,
        Darrell Kavanagh, David Tardon, dependabot[bot], Dirk Su,
        Dmitry V. Levin, drosdeck, Edson Juliano Drosdeck, edupont,
        Eric DeVolder, Erik Moqvist, Evgeny Vereshchagin, Fabian Gurtner,
        Felix Riemann, Franck Bui, Frantisek Sumsal, Geert Lorang,
        Gerd Hoffmann, Gio, Hannoskaj, Hans de Goede, Hugo Carvalho,
        igo95862, Ilya Leoshkevich, Ivan Shapovalov, Jacek Migacz,
        Jade Lovelace, Jan Engelhardt, Jan Janssen, Jan Macku, January,
        Jason A. Donenfeld, jcg, Jean-Tiare Le Bigot, Jelle van der Waa,
        Jeremy Linton, Jian Zhang, Jiayi Chen, Jia Zhang, Joerg Behrmann,
        Jörg Thalheim, Joshua Goins, joshuazivkovic, Joshua Zivkovic,
        Kai-Chuan Hsieh, Khem Raj, Koba Ko, Lennart Poettering, lichao,
        Li kunyu, Luca Boccassi, Luca BRUNO, Ludwig Nussel,
        Łukasz Stelmach, Lycowolf, marcel151, Marcus Schäfer, Marek Vasut,
        Mark Laws, Michael Biebl, Michał Kotyla, Michal Koutný,
        Michal Sekletár, Mike Gilbert, Mike Yuan, MkfsSion, ml,
        msizanoen1, mvzlb, MVZ Ludwigsburg, Neil Moore, Nick Rosbrook,
        noodlejetski, Pasha Vorobyev, Peter Cai, p-fpv, Phaedrus Leeds,
        Philipp Jungkamp, Quentin Deslandes, Raul Tambre, Ray Strode,
        reuben olinsky, Richard E. van der Luit, Richard Phibel,
        Ricky Tigg, Robin Humble, rogg, Rudi Heitbaum, Sam James,
        Samuel Cabrero, Samuel Thibault, Siddhesh Poyarekar, Simon Brand,
        Space Meyer, Spindle Security, Steve Ramage, Takashi Sakamoto,
        Thomas Haller, Tonći Galić, Topi Miettinen, Torsten Hilbrich,
        Tuetuopay, uerdogan, Ulrich Ölmann, Valentin David,
        Vitaly Kuznetsov, Vito Caputo, Waltibaba, Will Fancher,
        William Roberts, wouter bolsterlee, Youfu Zhang, Yu Watanabe,
        Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски,
        наб

        — Warsaw, 2023-02-15

CHANGES WITH 252 🎃:

        Announcements of Future Feature Removals:

        * We intend to remove cgroup v1 support from systemd release after the
          end of 2023. If you run services that make explicit use of cgroup v1
          features (i.e. the "legacy hierarchy" with separate hierarchies for
          each controller), please implement compatibility with cgroup v2 (i.e.
          the "unified hierarchy") sooner rather than later. Most of Linux
          userspace has been ported over already.

        * We intend to remove support for split-usr (/usr mounted separately
          during boot) and unmerged-usr (parallel directories /bin and
          /usr/bin, /lib and /usr/lib, etc). This will happen in the second
          half of 2023, in the first release that falls into that time window.
          For more details, see:
          https://lists.freedesktop.org/archives/systemd-devel/2022-September/048352.html

        Compatibility Breaks:

        * ConditionKernelVersion= checks that use the '=' or '!=' operators
          will now do simple string comparisons (instead of version comparisons
          à la stverscmp()). Version comparisons are still done for the
          ordering operators '<', '>', '<=', '>='. Moreover, if no operator is
          specified, a shell-style glob match is now done. This creates a minor
          incompatibility compared to older systemd versions when the '*', '?',
          '[', ']' characters are used, as these will now match as shell globs
          instead of literally. Given that kernel version strings typically do
          not include these characters we expect little breakage through this
          change.

        * The service manager will now read the SELinux label used for SELinux
          access checks from the unit file at the time it loads the file.
          Previously, the label would be read at the moment of the access
          check, which was problematic since at that time the unit file might
          already have been updated or removed.

        New Features:

        * systemd-measure is a new tool for calculating and signing expected
          TPM2 PCR values for a given unified kernel image (UKI) booted via
          sd-stub. The public key used for the signature and the signed
          expected PCR information can be embedded inside the UKI. This
          information can be extracted from the UKI by external tools and code
          in the image itself and is made available to userspace in the booted
          kernel.

          systemd-cryptsetup, systemd-cryptenroll, and systemd-creds have been
          updated to make use of this information if available in the booted
          kernel: when locking an encrypted volume/credential to the TPM
          systemd-cryptenroll/systemd-creds will use the public key to bind the
          volume/credential to any kernel that carries PCR information signed
          by the same key pair. When unlocking such volumes/credentials
          systemd-cryptsetup/systemd-creds will use the signature embedded in
          the booted UKI to gain access.

          Binding TPM-based disk encryption to public keys/signatures of PCR
          values — instead of literal PCR values — addresses the inherent
          "brittleness" of traditional PCR-bound TPM disk encryption schemes:
          disks remain accessible even if the UKI is updated, without any TPM
          specific preparation during the OS update — as long as each UKI
          carries the necessary PCR signature information.

          Net effect: if you boot a properly prepared kernel, TPM-bound disk
          encryption now defaults to be locked to kernels which carry PCR
          signatures from the same key pair. Example: if a hypothetical distro
          FooOS prepares its UKIs like this, TPM-based disk encryption is now –
          by default – bound to only FooOS kernels, and encrypted volumes bound
          to the TPM cannot be unlocked on kernels from other sources. (But do
          note this behaviour requires preparation/enabling in the UKI, and of
          course users can always enroll non-TPM ways to unlock the volume.)

        * systemd-pcrphase is a new tool that is invoked at six places during
          system runtime, and measures additional words into TPM2 PCR 11, to
          mark milestones of the boot process. This allows binding access to
          specific TPM2-encrypted secrets to specific phases of the boot
          process. (Example: LUKS2 disk encryption key only accessible in the
          initrd, but not later.)

        Changes in systemd itself, i.e. the manager and units

        * The cpu controller is delegated to user manager units by default, and
          CPUWeight= settings are applied to the top-level user slice units
          (app.slice, background.slice, session.slice). This provides a degree
          of resource isolation between different user services competing for
          the CPU.

        * Systemd can optionally do a full preset in the "first boot" condition
          (instead of just enable-only). This behaviour is controlled by the
          compile-time option -Dfirst-boot-full-preset. Right now it defaults
          to 'false', but the plan is to switch it to 'true' for the subsequent
          release.

        * Drop-ins are now allowed for transient units too.

        * Systemd will set the taint flag 'support-ended' if it detects that
          the OS image is past its end-of-support date. This date is declared
          in a new /etc/os-release field SUPPORT_END= described below.

        * Two new settings ConditionCredential= and AssertCredential= can be
          used to skip or fail units if a certain system credential is not
          provided.

        * ConditionMemory= accepts size suffixes (K, M, G, T, …).

        * DefaultSmackProcessLabel= can be used in system.conf and user.conf to
          specify the SMACK security label to use when not specified in a unit
          file.

        * DefaultDeviceTimeoutSec= can be used in system.conf and user.conf to
          specify the default timeout when waiting for device units to
          activate.

        * C.UTF-8 is used as the default locale if nothing else has been
          configured.

        * [Condition|Assert]Firmware= have been extended to support certain
          SMBIOS fields. For example

            ConditionFirmware=smbios-field(board_name = "Custom Board")

          conditionalizes the unit to run only when
          /sys/class/dmi/id/board_name contains "Custom Board" (without the
          quotes).

        * ConditionFirstBoot= now correctly evaluates as true only during the
          boot phase of the first boot. A unit executed later, after booting
          has completed, will no longer evaluate this condition as true.

        * Socket units will now create sockets in the SELinuxContext= of the
          associated service unit, if any.

        * Boot phase transitions (start initrd → exit initrd → boot complete →
          shutdown) will be measured into TPM2 PCR 11, so that secrets can be
          bound to a specific runtime phase. E.g.: a LUKS encryption key can be
          unsealed only in the initrd.

        * Service credentials (i.e. SetCredential=/LoadCredential=/…) will now
          also be provided to ExecStartPre= processes.

        * Various units are now correctly ordered against
          initrd-switch-root.target where previously a conflict without
          ordering was configured. A stop job for those units would be queued,
          but without the ordering it could be executed only after
          initrd-switch-root.service, leading to units not being restarted in
          the host system as expected.

        * In order to fully support the IPMI watchdog driver, which has not yet
          been ported to the new common watchdog device interface,
          /dev/watchdog0 will be tried first and systemd will silently fallback
          to /dev/watchdog if it is not found.

        * New watchdog-related D-Bus properties are now published by systemd:
          WatchdogDevice, WatchdogLastPingTimestamp,
          WatchdogLastPingTimestampMonotonic.

        * At shutdown, API virtual files systems (proc, sys, etc.) will be
          unmounted lazily.

        * At shutdown, systemd will now log about processes blocking unmounting
          of file systems.

        * A new meson build option 'clock-valid-range-usec-max' was added to
          allow disabling system time correction if RTC returns a timestamp far
          in the future.

        * Propagated restart jobs will no longer be discarded while a unit is
          activating.

        * PID 1 will now import system credentials from SMBIOS Type 11 fields
          ("OEM vendor strings"), in addition to qemu_fwcfg. This provides a
          simple, fast and generic path for supplying credentials to a VM,
          without involving external tools such as cloud-init/ignition.

        * The CPUWeight= setting of unit files now accepts a new special value
          "idle", which configures "idle" level scheduling for the unit.

        * Service processes that are activated due to a .timer or .path unit
          triggering will now receive information about this via environment
          variables. Note that this is information is lossy, as activation
          might be coalesced and only one of the activating triggers will be
          reported. This is hence more suited for debugging or tracing rather
          than for behaviour decisions.

        * The riscv_flush_icache(2) system call has been added to the list of
          system calls allowed by default when SystemCallFilter= is used.

        * The selinux context derived from the target executable, instead of
          'init_t' used for the manager itself, is now used when creating
          listening sockets for units that specify SELinuxContextFromNet=yes.

        Changes in sd-boot, bootctl, and the Boot Loader Specification:

        * The Boot Loader Specification has been cleaned up and clarified.
          Various corner cases in version string comparisons have been fixed
          (e.g. comparisons for empty strings). Boot counting is now part of
          the main specification.

        * New PCRs measurements are performed during boot: PCR 11 for the
          kernel+initrd combo, PCR 13 for any sysext images. If a measurement
          took place this is now reported to userspace via the new
          StubPcrKernelImage and StubPcrInitRDSysExts EFI variables.

        * As before, systemd-stub will measure kernel parameters and system
          credentials into PCR 12. It will now report this fact via the
          StubPcrKernelParameters EFI variable to userspace.

        * The UEFI monotonic boot counter is now included in the updated random
          seed file maintained by sd-boot, providing some additional entropy.

        * sd-stub will use LoadImage/StartImage to execute the kernel, instead
          of arranging the image manually and jumping to the kernel entry
          point. sd-stub also installs a temporary UEFI SecurityOverride to
          allow the (unsigned) nested image to be booted. This is safe because
          the outer (signed) stub+kernel binary must have been verified before
          the stub was executed.

        * Booting in EFI mixed mode (a 64-bit kernel over 32-bit UEFI firmware)
          is now supported by sd-boot.

        * bootctl gained a bunch of new options: --all-architectures to install
          binaries for all supported EFI architectures, --root= and --image=
          options to operate on a directory or disk image, and
          --install-source= to specify the source for binaries to install,
          --efi-boot-option-description= to control the name of the boot entry.

        * The sd-boot stub exports a StubFeatures flag, which is used by
          bootctl to show features supported by the stub that was used to boot.

        * The PE section offsets that are used by tools that assemble unified
          kernel images have historically been hard-coded. This may lead to
          overlapping PE sections which may break on boot. The UKI will now try
          to detect and warn about this.

          Any tools that assemble UKIs must update to calculate these offsets
          dynamically. Future sd-stub versions may use offsets that will not
          work with the currently used set of hard-coded offsets!

        * sd-stub now accepts (and passes to the initrd and then to the full
          OS) new PE sections '.pcrsig' and '.pcrkey' that can be used to embed
          signatures of expected PCR values, to allow sealing secrets via the
          TPM2 against pre-calculated PCR measurements.

        Changes in the hardware database:

        * 'systemd-hwdb query' now supports the --root= option.

        Changes in systemctl:

        * systemctl now supports --state= and --type= options for the 'show'
          and 'status' verbs.

        * systemctl gained a new verb 'list-automounts' to list automount
          points.

        * systemctl gained support for a new --image= switch to be able to
          operate on the specified disk image (similar to the existing --root=
          which operates relative to some directory).

        Changes in systemd-networkd:

        * networkd can set Linux NetLabel labels for integration with the
          network control in security modules via a new NetLabel= option.

        * The RapidCommit= is (re-)introduced to enable faster configuration
          via DHCPv6 (RFC 3315).

        * networkd gained a new option TCPCongestionControlAlgorithm= that
          allows setting a per-route TCP algorithm.

        * networkd gained a new option KeepFileDescriptor= to allow keeping a
          reference (file descriptor) open on TUN/TAP interfaces, which is
          useful to avoid link flaps while the underlying service providing the
          interface is being serviced.

        * RouteTable= now also accepts route table names.

        Changes in systemd-nspawn:

        * The --bind= and --overlay= options now support relative paths.

        * The --bind= option now supports a 'rootidmap' value, which will
          use id-mapped mounts to map the root user inside the container to the
          owner of the mounted directory on the host.

        Changes in systemd-resolved:

        * systemd-resolved now persists DNSOverTLS in its state file too. This
          fixes a problem when used in combination with NetworkManager, which
          sends the setting only once, causing it to be lost if resolved was
          restarted at any point.

        * systemd-resolved now exposes a Varlink socket at
          /run/systemd/resolve/io.systemd.Resolve.Monitor, accessible only for
          root. Processed DNS requests in a JSON format will be published to
          any clients connected to this socket.

          resolvectl gained a 'monitor' verb to make use of this.

        * systemd-resolved now treats unsupported DNSSEC algorithms as INSECURE
          instead of returning SERVFAIL, as per RFC:
          https://datatracker.ietf.org/doc/html/rfc6840#section-5.2

        * OpenSSL is the default crypto backend for systemd-resolved. (gnutls
          is still supported.)

        Changes in libsystemd and other libraries:

        * libsystemd now exports sd_bus_error_setfv() (a convenience function
          for setting bus errors), sd_id128_string_equal (a convenience
          function for 128-bit ID string comparisons), and
          sd_bus_message_read_strv_extend() (a function to incrementally read
          string arrays).

        * libsystemd now exports sd_device_get_child_first()/_next() as a
          high-level interface for enumerating child devices. It also supports
          sd_device_new_child() for opening a child device given a device
          object.

        * libsystemd now exports sd_device_monitor_set()/get_description()
          which allow setting a custom description that will be used in log
          messages by sd_device_monitor*.

        * Private shared libraries (libsystemd-shared-nnn.so,
          libsystemd-core-nnn.so) are now installed into arch-specific
          directories to allow multi-arch installs.

        * A new sd-gpt.h header is now published, listing GUIDs from the
          Discoverable Partitions specification. For more details see:
          https://systemd.io/DISCOVERABLE_PARTITIONS/

        * A new function sd_hwdb_new_from_path() has been added to open a hwdb
          database given an explicit path to the file.

        * The signal number argument to sd_event_add_signal() now can now be
          ORed with the SD_EVENT_SIGNAL_PROCMASK flag, causing sigprocmask() to
          be automatically invoked to block the specified signal. This is
          useful to simplify invocations as the caller doesn't have to do this
          manually.

        * A new convenience call sd_event_set_signal_exit() has been added to
          sd-event to set up signal handling so that the event loop
          automatically terminates cleanly on SIGTERM/SIGINT.

        Changes in other components:

        * systemd-sysusers, systemd-tmpfiles, and systemd-sysctl configuration
          can now be provided via the credential mechanism.

        * systemd-analyze gained a new verb 'compare-versions' that implements
          comparisons for versions strings (similarly to 'rpmdev-vercmp' and
          'dpkg --compare-versions').

        * 'systemd-analyze dump' is extended to accept glob patterns for unit
          names to limit the output to matching units.

        * tmpfiles.d/ lines can read file contents to write from a credential.
          The new modifier char '^' is used to specify that the argument is a
          credential name. This mechanism is used to automatically populate
          /etc/motd, /etc/issue, and /etc/hosts from credentials.

        * tmpfiles.d/ may now be configured to avoid changing uid/gid/mode of
          an inode if the specification is prefixed with ':' and the inode
          already exists.

        * Default tmpfiles.d/ configuration now carries a line to automatically
          use an 'ssh.authorized_keys.root' credential if provided to set up
          the SSH authorized_keys file for the root user.

        * systemd-tmpfiles will now gracefully handle absent source of "C" copy
          lines.

        * tmpfiles.d/ F/w lines now optionally permit encoding of the payload
          in base64. This is useful to write arbitrary binary data into files.

        * The pkgconfig and rpm macros files now export the directory for user
          units as 'user_tmpfiles_dir' and '%_user_tmpfilesdir'.

        * Detection of Apple Virtualization and detection of Parallels and
          KubeVirt virtualization on non-x86 archs have been added.

        * os-release gained a new field SUPPORT_END=YYYY-MM-DD to inform the
          user when their system will become unsupported.

        * When performing suspend-then-hibernate, the system will estimate the
          discharge rate and use that to set the delay until hibernation and
          hibernate immediately instead of suspending when running from a
          battery and the capacity is below 5%.

        * systemd-sysctl gained a --strict option to fail when a sysctl
          setting is unknown to the kernel.

        * machinectl supports --force for the 'copy-to' and 'copy-from'
          verbs.

        * coredumpctl gained the --root and --image options to look for journal
          files under the specified root directory, image, or block device.

        * 'journalctl -o' and similar commands now implement a new output mode
          "short-delta". It is similar to "short-monotonic", but also shows the
          time delta between subsequent messages.

        * journalctl now respects the --quiet flag when verifying consistency
          of journal files.

        * Journal log messages gained a new implicit field _RUNTIME_SCOPE= that
          will indicate whether a message was logged in the 'initrd' phase or
          in the 'system' phase of the boot process.

        * Journal files gained a new compatibility flag
          'HEADER_INCOMPATIBLE_COMPACT'. Files with this flag implement changes
          to the storage format that allow reducing size on disk. As with other
          compatibility flags, older journalctl versions will not be able to
          read journal files using this new format. The environment variable
          'SYSTEMD_JOURNAL_COMPACT=0' can be passed to systemd-journald to
          disable this functionality. It is enabled by default.

        * systemd-run's --working-directory= switch now works when used in
          combination with --scope.

        * portablectl gained a --force flag to skip certain sanity checks. This
          is implemented using new flags accepted by systemd-portabled for the
          *WithExtensions() D-Bus methods: SD_SYSTEMD_PORTABLE_FORCE_ATTACH
          flag now means that the attach/detach checks whether the units are
          already present and running will be skipped. Similarly,
          SD_SYSTEMD_PORTABLE_FORCE_SYSEXT flag means that the check whether
          image name matches the name declared inside of the image will be
          skipped. Callers must be sure to do those checks themselves if
          appropriate.

        * systemd-portabled will now use the original filename to check
          extension-release.NAME for correctness, in case it is passed a
          symlink.

        * systemd-portabled now uses PrivateTmp=yes in the 'trusted' profile
          too.

        * sysext's extension-release files now support '_any' as a special
          value for the ID= field, to allow distribution-independent extensions
          (e.g.: fully statically compiled binaries, scripts). It also gained
          support for a new ARCHITECTURE= field that may be used to explicitly
          restrict an image to hosts of a specific architecture.

        * systemd-repart now supports creating squashfs partitions. This
          requires mksquashfs from squashfs-tools.

        * systemd-repart gained a --split flag to also generate split
          artifacts, i.e. a separate file for each partition. This is useful in
          conjunction with systemd-sysupdate or other tools, or to generate
          split dm-verity artifacts.

        * systemd-repart is now able to generate dm-verity partitions, including
          signatures.

        * systemd-repart can now set a partition UUID to zero, allowing it to
          be filled in later, such as when using verity partitions.

        * systemd-repart now supports drop-ins for its configuration files.

        * Package metadata logged by systemd-coredump in the system journal is
          now more compact.

        * xdg-autostart-service now expands 'tilde' characters in Exec lines.

        * systemd-oomd now automatically links against libatomic, if available.

        * systemd-oomd now sends out a 'Killed' D-Bus signal when a cgroup is
          killed.

        * scope units now also provide oom-kill status.

        * systemd-pstore will now try to load only the efi_pstore kernel module
          before running, ensuring that pstore can be used.

        * systemd-logind gained a new StopIdleSessionSec= option to stop an idle
          session after a preconfigure timeout.

        * systemd-homed will now wait up to 30 seconds for workers to terminate,
          rather than indefinitely.

        * homectl gained a new '--luks-sector-size=' flag that allows users to
          select the preferred LUKS sector size. Must be a power of 2 between 512
          and 4096. systemd-userdbd records gained a corresponding field.

        * systemd-sysusers will now respect the 'SOURCE_DATE_EPOCH' environment
          variable when generating the 'sp_lstchg' field, to ensure an image
          build can be reproducible.

        * 'udevadm wait' will now listen to kernel uevents too when called with
          --initialized=no.

        * When naming network devices udev will now consult the DeviceTree
          "alias" fields for the device.

        * systemd-udev will now create infiniband/by-path and
          infiniband/by-ibdev links for Infiniband verbs devices.

        * systemd-udev-trigger.service will now also prioritize input devices.

        * ConditionACPower= and systemd-ac-power will now assume the system is
          running on AC power if no battery can be found.

        * All features and tools using the TPM2 will now communicate with it
          using a bind key. Beforehand, the tpm2 support used encrypted sessions
          by creating a primary key that was used to encrypt traffic. This
          creates a problem as the key created for encrypting the traffic could
          be faked by an active interposer on the bus. In cases when a pin is
          used, a bind key will be used. The pin is used as the auth value for
          the seal key, aka the disk encryption key, and that auth value will be
          used in the session establishment. An attacker would need the pin
          value to create the secure session and thus an active interposer
          without the pin cannot interpose on TPM2 traffic.

        * systemd-growfs no longer requires udev to run.

        * systemd-backlight now will better support systems with multiple
          graphic cards.

        * systemd-cryptsetup's keyfile-timeout= option now also works when a
          device is used as a keyfile.

        * systemd-cryptenroll gained a new --unlock-key-file= option to get the
          unlocking key from a key file (instead of prompting the user). Note
          that this is the key for unlocking the volume in order to be able to
          enroll a new key, but it is not the key that is enrolled.

        * systemd-dissect gained a new --umount switch that will safely and
          synchronously unmount all partitions of an image previously mounted
          with 'systemd-dissect --mount'.

        * When using gcrypt, all systemd tools and services will now configure
          it to prefer the OS random number generator if present.

        * All example code shipped with documentation has been relicensed from CC0
          to MIT-0.

        * Unit tests will no longer fail when running on a system without
          /etc/machine-id.

        Experimental features:

        * BPF programs can now be compiled with bpf-gcc (requires libbpf >= 1.0
          and bpftool >= 7.0).

        * sd-boot can automatically enroll SecureBoot keys from files found on
          the ESP. This enrollment can be either automatic ('force' mode) or
          controlled by the user ('manual' mode). It is sufficient to place the
          SecureBoot keys in the right place in the ESP and they will be picked
          up by sd-boot and shown in the boot menu.

        * The mkosi config in systemd gained support for automatically
          compiling a kernel with the configuration appropriate for testing
          systemd. This may be useful when developing or testing systemd in
          tandem with the kernel.

        Contributions from: 김인수, Adam Williamson, adrian5, Aidan Dang,
        Akihiko Odaki, Alban Bedel, Albert Mikaelyan, Aleksey Vasenev,
        Alexander Graf, Alexander Shopov, Alexander Wilson,
        Alper Nebi Yasak, anarcat, Anders Jonsson, Andre Kalb,
        Andrew Stone, Andrey Albershteyn, Anita Zhang, Ansgar Burchardt,
        Antonio Alvarez Feijoo, Arnaud Ferraris, Aryan singh, asavah,
        Avamander, Avram Lubkin, Balázs Meskó, Bastien Nocera,
        Benjamin Franzke, BerndAdameit, bin456789, Celeste Liu,
        Chih-Hsuan Yen, Christian Brauner, Christian Göttsche,
        Christian Hesse, Clyde Byrd III, codefiles, Colin Walters,
        Cristian Rodríguez, Daan De Meyer, Daniel Braunwarth,
        Daniel Rusek, Dan Streetman, Darsey Litzenberger, David Edmundson,
        David Jaša, David Rheinsberg, David Seifert, David Tardon,
        dependabot[bot], Devendra Tewari, Dominique Martinet, drosdeck,
        Edson Juliano Drosdeck, Eduard Tolosa, eggfly, Einsler Lee,
        Elias Probst, Eli Schwartz, Evgeny Vereshchagin, exploide, Fei Li,
        Foster Snowhill, Franck Bui, Frank Dana, Frantisek Sumsal,
        Gerd Hoffmann, Gio, Goffredo Baroncelli, gtwang01,
        Guillaume W. Bres, H A, Hans de Goede, Heinrich Schuchardt,
        Hugo Carvalho, i-do-cpp, igo95862, j00512545, Jacek Migacz,
        Jade Bilkey, James Hilliard, Jan B, Janis Goldschmidt,
        Jan Janssen, Jan Kuparinen, Jan Luebbe, Jan Macku,
        Jason A. Donenfeld, Javkhlanbayar Khongorzul, Jeremy Soller,
        JeroenHD, jiangchuangang, João Loureiro,
        Joaquín Ignacio Aramendía, Jochen Sprickerhof,
        Johannes Schauer Marin Rodrigues, Jonas Kümmerlin,
        Jonas Witschel, Jonathan Kang, Jonathan Lebon, Joost Heitbrink,
        Jörg Thalheim, josh-gordon-fb, Joyce, Kai Lueke, lastkrick,
        Lennart Poettering, Leon M. George, licunlong, Li kunyu,
        LockBlock-dev, Loïc Collignon, Lubomir Rintel, Luca Boccassi,
        Luca BRUNO, Ludwig Nussel, Łukasz Stelmach, Maccraft123,
        Marc Kleine-Budde, Marius Vollmer, Martin Wilck, matoro,
        Matthias Lisin, Max Gautier, Maxim Mikityanskiy, Michael Biebl,
        Michal Koutný, Michal Sekletár, Michal Stanke, Mike Gilbert,
        Mitchell Freiderich, msizanoen1, Nick Rosbrook, nl6720, Oğuz Ersen,
        Oleg Solovyov, Olga Smirnova, Pablo Ceballos, Pavel Zhukov,
        Phaedrus Leeds, Philipp Gortan, Piotr Drąg, Pyfisch,
        Quentin Deslandes, Rahil Bhimjiani, Rene Hollander, Richard Huang,
        Richard Phibel, Rudi Heitbaum, Sam James, Sarah Brofeldt,
        Sean Anderson, Sebastian Scheibner, Shreenidhi Shedi,
        Sonali Srivastava, Steve Ramage, Suraj Krishnan, Swapnil Devesh,
        Takashi Sakamoto, Ted X. Toth, Temuri Doghonadze, Thomas Blume,
        Thomas Haller, Thomas Hebb, Tomáš Hnyk, Tomasz Paweł Gajc,
        Topi Miettinen, Ulrich Ölmann, undef, Uriel Corfa,
        Victor Westerhuis, Vincent Dagonneau, Vishal Chillara Srinivas,
        Vito Caputo, Weblate, Wenchao Hao, William Roberts, williamsumendap,
        wineway, xiaoyang, Yuri Chornoivan, Yu Watanabe,
        Zbigniew Jędrzejewski-Szmek, Zhaofeng Li, наб

        – The Great Beyond, 2022-10-31 👻

CHANGES WITH 251:

        Backwards-incompatible changes:

        * The minimum kernel version required has been bumped from 3.13 to 4.15,
          and CLOCK_BOOTTIME is now assumed to always exist.

        * C11 with GNU extensions (aka "gnu11") is now used to build our
          components. Public API headers are still restricted to ISO C89.

        * In v250, a systemd-networkd feature that automatically configures
          routes to addresses specified in AllowedIPs= was added and enabled by
          default. However, this causes network connectivity issues in many
          existing setups. Hence, it has been disabled by default since
          systemd-stable 250.3. The feature can still be used by explicitly
          configuring RouteTable= setting in .netdev files.

        * Jobs started via StartUnitWithFlags() will no longer return 'skipped'
          when a Condition*= check does not succeed, restoring the JobRemoved
          signal to the behaviour it had before v250.

        * The org.freedesktop.portable1 methods GetMetadataWithExtensions() and
          GetImageMetadataWithExtensions() have been fixed to provide an extra
          return parameter, containing the actual extension release metadata.
          The current implementation was judged to be broken and unusable, and
          thus the usual procedure of adding a new set of methods was skipped,
          and backward compatibility broken instead on the assumption that
          nobody can be affected given the current state of this interface.

        * All kernels supported by systemd mix bytes returned by RDRAND (or
          similar) into the entropy pool at early boot. This means that on
          those systems, even if /dev/urandom is not yet initialized, it still
          returns bytes that are of at least RDRAND quality. For that reason,
          we no longer have reason to invoke RDRAND from systemd itself, which
          has historically been a source of bugs. Furthermore, kernels ≥5.6
          provide the getrandom(GRND_INSECURE) interface for returning random
          bytes before the entropy pool is initialized without warning into
          kmsg, which is what we attempt to use if available. systemd's direct
          usage of RDRAND has been removed. x86 systems ≥Broadwell that are
          running an older kernel may experience kmsg warnings that were not
          seen with 250. For newer kernels, non-x86 systems, or older x86
          systems, there should be no visible changes.

        * sd-boot will now measure the kernel command line into TPM PCR 12
          rather than PCR 8. This improves usefulness of the measurements on
          systems where sd-boot is chainloaded from Grub. Grub measures all
          commands its executes into PCR 8, which makes it very hard to use
          reasonably, hence separate ourselves from that and use PCR 12
          instead, which is what certain Ubuntu editions already do. To retain
          compatibility with systems running older systemd systems a new meson
          option 'efi-tpm-pcr-compat' has been added (which defaults to false).
          If enabled, the measurement is done twice: into the new-style PCR 12
          *and* the old-style PCR 8. It's strongly advised to migrate all users
          to PCR 12 for this purpose in the long run, as we intend to remove
          this compatibility feature in two years' time.

        * busctl capture now writes output in the newer pcapng format instead
          of pcap.

        * A udev rule that imported hwdb matches for USB devices with lowercase
          hexadecimal vendor/product ID digits was added in systemd 250. This
          has been reverted, since uppercase hexadecimal digits are supposed to
          be used, and we already had a rule with the appropriate match.

          Users might need to adjust their local hwdb entries.

        * arch_prctl(2) has been moved to the @default set in the syscall filters
          (as exposed via the SystemCallFilter= setting in service unit files).
          It is apparently used by the linker now.

        * The tmpfiles entries that create the /run/systemd/netif directory and
          its subdirectories were moved from tmpfiles.d/systemd.conf to
          tmpfiles.d/systemd-network.conf.

          Users might need to adjust their files that override tmpfiles.d/systemd.conf
          to account for this change.

        * The requirement for Portable Services images to contain a well-formed
          os-release file (i.e.: contain at least an ID field) is now enforced.
          This applies to base images and extensions, and also to systemd-sysext.

        Changes in the Boot Loader Specification, kernel-install and sd-boot:

        * kernel-install's and bootctl's Boot Loader Specification Type #1
          entry generation logic has been reworked. The user may now pick
          explicitly by which "token" string to name the installation's boot
          entries, via the new /etc/kernel/entry-token file or the new
          --entry-token= switch to bootctl. By default — as before — the
          entries are named after the local machine ID. However, in "golden
          image" environments, where the machine ID shall be initialized on
          first boot (as opposed to at installation time before first boot) the
          machine ID will not be available at build time. In this case the
          --entry-token= switch to bootctl (or the /etc/kernel/entry-token
          file) may be used to override the "token" for the entries, for
          example the IMAGE_ID= or ID= fields from /etc/os-release. This will
          make the OS images independent of any machine ID, and ensure that the
          images will not carry any identifiable information before first boot,
          but on the other hand means that multiple parallel installations of
          the very same image on the same disk cannot be supported.

          Summary: if you are building golden images that shall acquire
          identity information exclusively on first boot, make sure to both
          remove /etc/machine-id *and* to write /etc/kernel/entry-token to the
          value of the IMAGE_ID= or ID= field of /etc/os-release or another
          suitable identifier before deploying the image.

        * The Boot Loader Specification has been extended with
          /loader/entries.srel file located in the EFI System Partition (ESP)
          that disambiguates the format of the entries in the /loader/entries/
          directory (in order to discern them from incompatible uses of this
          directory by other projects). For entries that follow the
          Specification, the string "type1" is stored in this file.

          bootctl will now write this file automatically when installing the
          systemd-boot boot loader.

        * kernel-install supports a new initrd_generator= setting in
          /etc/kernel/install.conf, that is exported as
          $KERNEL_INSTALL_INITRD_GENERATOR to kernel-install plugins. This
          allows choosing different initrd generators.

        * kernel-install will now create a "staging area" (an initially-empty
          directory to gather files for a Boot Loader Specification Type #1
          entry). The path to this directory is exported as
          $KERNEL_INSTALL_STAGING_AREA to kernel-install plugins, which should
          drop files there instead of writing them directly to the final
          location. kernel-install will move them when all files have been
          prepared successfully.

        * New option sort-key= has been added to the Boot Loader Specification
          to override the sorting order of the entries in the boot menu. It is
          read by sd-boot and bootctl, and will be written by kernel-install,
          with the default value of IMAGE_ID= or ID= fields from
          os-release. Together, this means that on multiboot installations,
          entries should be grouped and sorted in a predictable way.

        * The sort order of boot entries has been updated: entries which have
          the new field sort-key= are sorted by it first, and all entries
          without it are ordered later. After that, entries are sorted by
          version so that newest entries are towards the beginning of the list.

        * The kernel-install tool gained a new 'inspect' verb which shows the
          paths and other settings used.

        * sd-boot can now optionally beep when the menu is shown and menu
          entries are selected, which can be useful on machines without a
          working display. (Controllable via a loader.conf setting.)

        * The --make-machine-id-directory= switch to bootctl has been replaced
          by --make-entry-directory=, given that the entry directory is not
          necessarily named after the machine ID, but after some other suitable
          ID as selected via --entry-token= described above. The old name of
          the option is still understood to maximize compatibility.

        * 'bootctl list' gained support for a new --json= switch to output boot
          menu entries in JSON format.

        * 'bootctl is-installed' now supports the --graceful, and various verbs
          omit output with the new option --quiet.

        Changes in systemd-homed:

        * Starting with v250 systemd-homed uses UID/GID mapping on the mounts
          of activated home directories it manages (if the kernel and selected
          file systems support it). So far it mapped three UID ranges: the
          range from 0…60000, the user's own UID, and the range 60514…65534,
          leaving everything else unmapped (in other words, the 16-bit UID range
          is mapped almost fully, with the exception of the UID subrange used
          for systemd-homed users, with one exception: the user's own UID).
          Unmapped UIDs may not be used for file ownership in the home
          directory — any chown() attempts with them will fail. With this
          release a fourth range is added to these mappings:
          524288…1879048191. This range is the UID range intended for container
          uses, see:

                  https://systemd.io/UIDS-GIDS

          This range may be used for container managers that place container OS
          trees in the home directory (which is a questionable approach, for
          quota, permission, SUID handling and network file system
          compatibility reasons, but nonetheless apparently commonplace). Note
          that this mapping is mapped 1:1 in a pass-through fashion, i.e. the
          UID assignments from the range are not managed or mapped by
          systemd-homed, and must be managed with other mechanisms, in the
          context of the local system.

          Typically, a better approach to user namespacing in relevant
          container managers would be to leave container OS trees on disk at
          UID offset 0, but then map them to a dynamically allocated runtime
          UID range via another UID mount map at container invocation
          time. That way user namespace UID ranges become strictly a runtime
          concept, and do not leak into persistent file systems, persistent
          user databases or persistent configuration, thus greatly simplifying
          handling, and improving compatibility with home directories intended
          to be portable like the ones managed by systemd-homed.

        Changes in shared libraries:

        * A new libsystemd-core-<version>.so private shared library is
          installed under /usr/lib/systemd/system, mirroring the existing
          libsystemd-shared-<version>.so library. This allows the total
          installation size to be reduced by binary code reuse.

        * The <version> tag used in the name of libsystemd-shared.so and
          libsystemd-core.so can be configured via the meson option
          'shared-lib-tag'. Distributions may build subsequent versions of the
          systemd package with unique tags (e.g. the full package version),
          thus allowing multiple installations of those shared libraries to be
          available at the same time. This is intended to fix an issue where
          programs that link to those libraries would fail to execute because
          they were installed earlier or later than the appropriate version of
          the library.

        * The sd-id128 API gained a new call sd_id128_to_uuid_string() that is
          similar to sd_id128_to_string() but formats the ID in RFC 4122 UUID
          format instead of as a simple series of hex characters.

        * The sd-device API gained two new calls sd_device_new_from_devname()
          and sd_device_new_from_path() which permit allocating an sd_device
          object from a device node name or file system path.

        * sd-device also gained a new call sd_device_open() which will open the
          device node associated with a device for which an sd_device object
          has been allocated. The call is supposed to address races around
          device nodes being removed/recycled due to hotplug events, or media
          change events: the call checks internally whether the major/minor of
          the device node and the "diskseq" (in case of block devices) match
          with the metadata loaded in the sd_device object, thus ensuring that
          the device once opened really matches the provided sd_device object.

        Changes in PID1, systemctl, and systemd-oomd:

        * A new set of service monitor environment variables will be passed to
          OnFailure=/OnSuccess= handlers, but only if exactly one unit lists the
          handler unit as OnFailure=/OnSuccess=. The variables are:
          $MONITOR_SERVICE_RESULT, $MONITOR_EXIT_CODE, $MONITOR_EXIT_STATUS,
          $MONITOR_INVOCATION_ID and $MONITOR_UNIT. For cases when a single
          handler needs to watch multiple units, use a templated handler.

        * A new ExtensionDirectories= setting in service unit files allows
          system extensions to be loaded from a directory. (It is similar to
          ExtensionImages=, but takes paths to directories, instead of
          disk image files.)

          'portablectl attach --extension=' now also accepts directory paths.

        * The user.delegate and user.invocation_id extended attributes on
          cgroups are used in addition to trusted.delegate and
          trusted.invocation_id. The latter pair requires privileges to set,
          but the former doesn't and can be also set by the unprivileged user
          manager.

          (Only supported on kernels ≥5.6.)

        * Units that were killed by systemd-oomd will now have a service result
          of 'oom-kill'. The number of times a service was killed is tallied
          in the 'user.oomd_ooms' extended attribute.

          The OOMPolicy= unit file setting is now also honoured by
          systemd-oomd.

        * In unit files the new %y/%Y specifiers can be used to refer to
          normalized unit file path, which is particularly useful for symlinked
          unit files.

          The new %q specifier resolves to the pretty hostname
          (i.e. PRETTY_HOSTNAME= from /etc/machine-info).

          The new %d specifier resolves to the credentials directory of a
          service (same as $CREDENTIALS_DIRECTORY).

        * The RootDirectory=, MountAPIVFS=, ExtensionDirectories=,
          *Capabilities*=, ProtectHome=, *Directory=, TemporaryFileSystem=,
          PrivateTmp=, PrivateDevices=, PrivateNetwork=, NetworkNamespacePath=,
          PrivateIPC=, IPCNamespacePath=, PrivateUsers=, ProtectClock=,
          ProtectKernelTunables=, ProtectKernelModules=, ProtectKernelLogs=,
          MountFlags= service settings now also work in unprivileged user
          services, i.e. those run by the user's --user service manager, as long
          as user namespaces are enabled on the system.

        * Services with Restart=always and a failing ExecCondition= will no
          longer be restarted, to bring ExecCondition= behaviour in line with
          Condition*= settings.

        * LoadCredential= now accepts a directory as the argument; all files
          from the directory will be loaded as credentials.

        * A new D-Bus property ControlGroupId is now exposed on service units,
          that encapsulates the service's numeric cgroup ID that newer kernels
          assign to each cgroup.

        * PID 1 gained support for configuring the "pre-timeout" of watchdog
          devices and the associated governor, via the new
          RuntimeWatchdogPreSec= and RuntimeWatchdogPreGovernor= configuration
          options in /etc/systemd/system.conf.

        * systemctl's --timestamp= option gained a new choice "unix", to show
          timestamp as unix times, i.e. seconds since 1970, Jan 1st.

        * A new "taint" flag named "old-kernel" is introduced which is set when
          the kernel systemd runs on is older then the current baseline version
          (see above). The flag is shown in "systemctl status" output.

        * Two additional taint flags "short-uid-range" and "short-gid-range"
          have been added as well, which are set when systemd notices it is run
          within a userns namespace that does not define the full 0…65535 UID
          range

        * A new "unmerged-usr" taint flag has been added that is set whenever
          running on systems where /bin/ + /sbin/ are *not* symlinks to their
          counterparts in /usr/, i.e. on systems where the /usr/-merge has not
          been completed.

        * Generators invoked by PID 1 will now have a couple of useful
          environment variables set describing the execution context a
          bit. $SYSTEMD_SCOPE encodes whether the generator is called from the
          system service manager, or from the per-user service
          manager. $SYSTEMD_IN_INITRD encodes whether the generator is invoked
          in initrd context or on the host. $SYSTEMD_FIRST_BOOT encodes whether
          systemd considers the current boot to be a "first"
          boot. $SYSTEMD_VIRTUALIZATION encode whether virtualization is
          detected and which type of hypervisor/container
          manager. $SYSTEMD_ARCHITECTURE indicates which architecture the
          kernel is built for.

        * PID 1 will now automatically pick up system credentials from qemu's
          fw_cfg interface, thus allowing passing arbitrary data into VM
          systems similar to how this is already supported for passing them
          into systemd-nspawn containers. Credentials may now also be passed in
          via the new kernel command line option "systemd.set_credential="
          (note that kernel command line options are world-readable during
          runtime, and only useful for credentials that require no
          confidentiality). The credentials that can be passed to unified
          kernels that use the systemd-stub UEFI stub are now similarly
          picked up automatically. Automatic importing of system credentials
          this way can be turned off via the new
          "systemd.import_credentials=no" kernel command line option.

        * LoadCredential= will now automatically look for credentials in the
          /etc/credstore/, /run/credstore/, /usr/lib/credstore/ directories if
          the argument is not an absolute path. Similarly,
          LoadCredentialEncrypted= will check the same directories plus
          /etc/credstore.encrypted/, /run/credstore.encrypted/ and
          /usr/lib/credstore.encrypted/. The idea is to use those directories
          as the system-wide location for credentials that services should pick
          up automatically.

        * System and service credentials are described in great detail in a new
          document:

          https://systemd.io/CREDENTIALS

        Changes in systemd-journald:

        * The journal JSON export format has been added to listed of stable
          interfaces (https://systemd.io/PORTABILITY_AND_STABILITY/).

        * journalctl --list-boots now supports JSON output and the --reverse option.

        * Under docs/: JOURNAL_EXPORT_FORMATS was imported from the wiki and
          updated, BUILDING_IMAGES is new:

          https://systemd.io/JOURNAL_EXPORT_FORMATS
          https://systemd.io/BUILDING_IMAGES

        Changes in udev:

        * Two new hwdb files have been added. One lists "handhelds" (PDAs,
          calculators, etc.), the other AV production devices (DJ tables,
          keypads, etc.) that should accessible to the seat owner user by
          default.

        * udevadm trigger gained a new --prioritized-subsystem= option to
          process certain subsystems (and all their parent devices) earlier.

          systemd-udev-trigger.service now uses this new option to trigger
          block and TPM devices first, hopefully making the boot a bit faster.

        * udevadm trigger now implements --type=all, --initialized-match,
          --initialized-nomatch to trigger both subsystems and devices, only
          already-initialized devices, and only devices which haven't been
          initialized yet, respectively.

        * udevadm gained a new "wait" command for safely waiting for a specific
          device to show up in the udev device database. This is useful in
          scripts that asynchronously allocate a block device (e.g. through
          repartitioning, or allocating a loopback device or similar) and need
          to synchronize on the creation to complete.

        * udevadm gained a new "lock" command for locking one or more block
          devices while formatting it or writing a partition table to it. It is
          an implementation of https://systemd.io/BLOCK_DEVICE_LOCKING and
          usable in scripts dealing with block devices.

        * udevadm info will show a couple of additional device fields in its
          output, and will not apply a limited set of coloring to line types.

        * udevadm info --tree will now show a tree of objects (i.e. devices and
          suchlike) in the /sys/ hierarchy.

        * Block devices will now get a new set of device symlinks in
          /dev/disk/by-diskseq/<nr>, which may be used to reference block
          device nodes via the kernel's "diskseq" value. Note that this does
          not guarantee that opening a device by a symlink like this will
          guarantee that the opened device actually matches the specified
          diskseq value. To be safe against races, the actual diskseq value of
          the opened device (BLKGETDISKSEQ ioctl()) must still be compred with
          the one in the symlink path.

        * .link files gained support for setting MDI/MID-X on a link.

        * .link files gained support for [Match] Firmware= setting to match on
          the device firmware description string. By mistake, it was previously
          only supported in .network files.

        * .link files gained support for [Link] SR-IOVVirtualFunctions= setting
          and [SR-IOV] section to configure SR-IOV virtual functions.

        Changes in systemd-networkd:

        * The default scope for unicast routes configured through [Route]
          section is changed to "link", to make the behavior consistent with
          "ip route" command. The manual configuration of [Route] Scope= is
          still honored.

        * A new unit systemd-networkd-wait-online@<interface>.service has been
          added that can be used to wait for a specific network interface to be
          up.

        * systemd-networkd gained a new [Bridge] Isolated=true|false setting
          that configures the eponymous kernel attribute on the bridge.

        * .netdev files now can be used to create virtual WLAN devices, and
          configure various settings on them, via the [WLAN] section.

        * .link/.network files gained support for [Match] Kind= setting to match
          on device kind ("bond", "bridge", "gre", "tun", "veth", etc.)

          This value is also shown by 'networkctl status'.

        * The Local= setting in .netdev files for various virtual network
          devices gained support for specifying, in addition to the network
          address, the name of a local interface which must have the specified
          address.

        * systemd-networkd gained a new [Tunnel] External= setting in .netdev
          files, to configure tunnels in external mode (a.k.a. collect metadata
          mode).

        * [Network] L2TP= setting was removed. Please use interface specifier in
          Local= setting in .netdev files of corresponding L2TP interface.

        * New [DHCPServer] BootServerName=, BootServerAddress=, and
          BootFilename= settings can be used to configure the server address,
          server name, and file name sent in the DHCP packet (e.g. to configure
          PXE boot).

        Changes in systemd-resolved:

        * systemd-resolved is started earlier (in sysinit.target), so it
          available earlier and will also be started in the initrd if installed
          there.

        Changes in disk encryption:

        * systemd-cryptenroll can now control whether to require the user to
          enter a PIN when using TPM-based unlocking of a volume via the new
          --tpm2-with-pin= option.

          Option tpm2-pin= can be used in /etc/crypttab.

        * When unlocking devices via TPM, TPM2 parameter encryption is now
          used, to ensure that communication between CPU and discrete TPM chips
          cannot be eavesdropped to acquire disk encryption keys.

        * A new switch --fido2-credential-algorithm= has been added to
          systemd-cryptenroll allowing selection of the credential algorithm to
          use when binding encryption to FIDO2 tokens.

        Changes in systemd-hostnamed:

        * HARDWARE_VENDOR= and HARDWARE_MODEL= can be set in /etc/machine-info
          to override the values gleaned from the hwdb.

        * A ID_CHASSIS property can be set in the hwdb (for the DMI device
          /sys/class/dmi/id) to override the chassis that is reported by
          hostnamed.

        * hostnamed's D-Bus interface gained a new method GetHardwareSerial()
          for reading the hardware serial number, as reported by DMI. It also
          exposes a new method D-Bus property FirmwareVersion that encode the
          firmware version of the system.

        Changes in other components:

        * /etc/locale.conf is now populated through tmpfiles.d factory /etc/
          handling with the values that were configured during systemd build
          (if /etc/locale.conf has not been created through some other
          mechanism). This means that /etc/locale.conf should always have
          reasonable contents and we avoid a potential mismatch in defaults.

        * The userdbctl tool will now show UID range information as part of the
          list of known users.

        * A new build-time configuration setting default-user-shell= can be
          used to set the default shell for user records and nspawn shell
          invocations (instead of the default /bin/bash).

        * systemd-timesyncd now provides a D-Bus API for receiving NTP server
          information dynamically at runtime via IPC.

        * The systemd-creds tool gained a new "has-tpm2" verb, which reports
          whether a functioning TPM2 infrastructure is available, i.e. if
          firmware, kernel driver and systemd all have TPM2 support enabled and
          a device found.

        * The systemd-creds tool gained support for generating encrypted
          credentials that are using an empty encryption key. While this
          provides no integrity nor confidentiality it's useful to implement
          codeflows that work the same on TPM-ful and TPM2-less systems. The
          service manager will only accept credentials "encrypted" that way if
          a TPM2 device cannot be detected, to ensure that credentials
          "encrypted" like that cannot be used to trick TPM2 systems.

        * When deciding whether to colorize output, all systemd programs now
          also check $COLORTERM (in addition to $NO_COLOR, $SYSTEMD_COLORS, and
          $TERM).

        * Meson's new install_tag feature is now in use for several components,
          allowing to build and install select binaries only: pam, nss, devel
          (pkg-config files), systemd-boot, libsystemd, libudev. Example:
           $ meson build systemd-boot
           $ meson install --tags systemd-boot --no-rebuild
          https://mesonbuild.com/Installing.html#installation-tags

        * A new build configuration option has been added, to allow selecting the
          default compression algorithm used by systemd-journald and systemd-coredump.
          This allows to build-in support for decompressing all supported formats,
          but choose a specific one for compression. E.g.:
           $ meson -Ddefault-compression=xz

        Experimental features:

        * sd-boot gained a new *experimental* setting "reboot-for-bitlocker" in
          loader.conf that implements booting Microsoft Windows from the
          sd-boot in a way that first reboots the system, to reset the TPM
          PCRs. This improves compatibility with BitLocker's TPM use, as the
          PCRs will only record the Windows boot process, and not sd-boot
          itself, thus retaining the PCR measurements not involving sd-boot.
          Note that this feature is experimental for now, and is likely going
          to be generalized and renamed in a future release, without retaining
          compatibility with the current implementation.

        * A new systemd-sysupdate component has been added that automatically
          discovers, downloads, and installs A/B-style updates for the host
          installation itself, or container images, portable service images,
          and other assets. See the new systemd-sysupdate man page for updates.

        Contributions from: 4piu, Adam Williamson, adrian5, Albert Brox,
        AlexCatze, Alex Henrie, Alfonso Sánchez-Beato, Alice S,
        Alvin Šipraga, amarjargal, Amarjargal, Andrea Pappacoda,
        Andreas Rammhold, Andy Chi, Anita Zhang, Antonio Alvarez Feijoo,
        Arfrever Frehtes Taifersar Arahesis, ash, Bastien Nocera, Be,
        bearhoney, Ben Efros, Benjamin Berg, Benjamin Franzke,
        Brett Holman, Christian Brauner, Clyde Byrd III, Curtis Klein,
        Daan De Meyer, Daniele Medri, Daniel Mack, Danilo Krummrich,
        David, David Bond, Davide Cavalca, David Tardon, davijosw,
        dependabot[bot], Donald Chan, Dorian Clay, Eduard Tolosa,
        Elias Probst, Eli Schwartz, Erik Sjölund, Evgeny Vereshchagin,
        Federico Ceratto, Franck Bui, Frantisek Sumsal, Gaël PORTAY,
        Georges Basile Stavracas Neto, Gibeom Gwon, Goffredo Baroncelli,
        Grigori Goronzy, Hans de Goede, Heiko Becker, Hugo Carvalho,
        Jakob Lell, James Hilliard, Jan Janssen, Jason A. Donenfeld,
        Joan Bruguera, Joerie de Gram, Josh Triplett, Julia Kartseva,
        Kazuo Moriwaka, Khem Raj, ksa678491784, Lance, Lan Tian,
        Laura Barcziova, Lennart Poettering, Leviticoh, licunlong,
        Lidong Zhong, lincoln auster, Lubomir Rintel, Luca Boccassi,
        Luca BRUNO, lucagoc, Ludwig Nussel, Marcel Hellwig, march1993,
        Marco Scardovi, Mario Limonciello, Mariusz Tkaczyk,
        Markus Weippert, Martin, Martin Liska, Martin Wilck, Matija Skala,
        Matthew Blythe, Matthias Lisin, Matthijs van Duin, Matt Walton,
        Max Gautier, Michael Biebl, Michael Olbrich, Michal Koutný,
        Michal Sekletár, Mike Gilbert, MkfsSion, Morten Linderud,
        Nick Rosbrook, Nikolai Grigoriev, Nikolai Kostrigin,
        Nishal Kulkarni, Noel Kuntze, Pablo Ceballos, Peter Hutterer,
        Peter Morrow, Pigmy-penguin, Piotr Drąg, prumian, Richard Neill,
        Rike-Benjamin Schuppner, rodin-ia, Romain Naour, Ruben Kerkhof,
        Ryan Hendrickson, Santa Wiryaman, Sebastian Pucilowski, Seth Falco,
        Simon Ellmann, Sonali Srivastava, Stefan Seering,
        Stephen Hemminger, tawefogo, techtino, Temuri Doghonadze,
        Thomas Batten, Thomas Haller, Thomas Weißschuh, Tobias Stoeckmann,
        Tomasz Pala, Tyson Whitehead, Vishal Chillara Srinivas,
        Vivien Didelot, w30023233, wangyuhang, Weblate, Xiaotian Wu,
        yangmingtai, YmrDtnJu, Yonathan Randolph, Yutsuten, Yu Watanabe,
        Zbigniew Jędrzejewski-Szmek, наб

        — Edinburgh, 2022-05-21

CHANGES WITH 250:

        * Support for encrypted and authenticated credentials has been added.
          This extends the credential logic introduced with v247 to support
          non-interactive symmetric encryption and authentication, based on a
          key that is stored on the /var/ file system or in the TPM2 chip (if
          available), or the combination of both (by default if a TPM2 chip
          exists the combination is used, otherwise the /var/ key only). The
          credentials are automatically decrypted at the moment a service is
          started, and are made accessible to the service itself in unencrypted
          form. A new tool 'systemd-creds' encrypts credentials for this
          purpose, and two new service file settings LoadCredentialEncrypted=
          and SetCredentialEncrypted= configure such credentials.

          This feature is useful to store sensitive material such as SSL
          certificates, passwords and similar securely at rest and only decrypt
          them when needed, and in a way that is tied to the local OS
          installation or hardware.

        * systemd-gpt-auto-generator can now automatically set up discoverable
          LUKS2 encrypted swap partitions.

        * The GPT Discoverable Partitions Specification has been substantially
          extended with support for root and /usr/ partitions for the majority
          of architectures systemd supports. This includes platforms that do
          not natively support UEFI, because even though GPT is specified under
          UEFI umbrella, it is useful on other systems too. Specifically,
          systemd-nspawn, systemd-sysext, systemd-gpt-auto-generator and
          Portable Services use the concept without requiring UEFI.

        * The GPT Discoverable Partitions Specifications has been extended with
          a new set of partitions that may carry PKCS#7 signatures for Verity
          partitions, encoded in a simple JSON format. This implements a simple
          mechanism for building disk images that are fully authenticated and
          can be tested against a set of cryptographic certificates. This is
          now implemented for the various systemd tools that can operate with
          disk images, such as systemd-nspawn, systemd-sysext, systemd-dissect,
          Portable services/RootImage=, systemd-tmpfiles, and systemd-sysusers.
          The PKCS#7 signatures are passed to the kernel (where they are
          checked against certificates from the kernel keyring), or can be
          verified against certificates provided in userspace (via a simple
          drop-in file mechanism).

        * systemd-dissect's inspection logic will now report for which uses a
          disk image is intended. Specifically, it will display whether an
          image is suitable for booting on UEFI or in a container (using
          systemd-nspawn's --image= switch), whether it can be used as portable
          service, or attached as system extension.

        * The system-extension.d/ drop-in files now support a new field
          SYSEXT_SCOPE= that may encode which purpose a system extension image
          is for: one of "initrd", "system" or "portable". This is useful to
          make images more self-descriptive, and to ensure system extensions
          cannot be attached in the wrong contexts.

        * The os-release file learnt a new PORTABLE_PREFIXES= field which may
          be used in portable service images to indicate which unit prefixes
          are supported.

        * The GPT image dissection logic in systemd-nspawn/systemd-dissect/…
          now is able to decode images for non-native architectures as well.
          This allows systemd-nspawn to boot images of non-native architectures
          if the corresponding user mode emulator is installed and
          systemd-binfmtd is running.

        * systemd-logind gained new settings HandlePowerKeyLongPress=,
          HandleRebootKeyLongPress=, HandleSuspendKeyLongPress= and
          HandleHibernateKeyLongPress= which may be used to configure actions
          when the relevant keys are pressed for more than 5s. This is useful
          on devices that only have hardware for a subset of these keys. By
          default, if the reboot key is pressed long the poweroff operation is
          now triggered, and when the suspend key is pressed long the hibernate
          operation is triggered. Long pressing the other two keys currently
          does not trigger any operation by default.

        * When showing unit status updates on the console during boot and
          shutdown, and a service is slow to start so that the cylon animation
          is shown, the most recent sd_notify() STATUS= text is now shown as
          well. Services may use this to make the boot/shutdown output easier
          to understand, and to indicate what precisely a service that is slow
          to start or stop is waiting for. In particular, the per-user service
          manager instance now reports what it is doing and which service it is
          waiting for this way to the system service manager.

        * The service manager will now re-execute on reception of the
          SIGRTMIN+25 signal. It previously already did that on SIGTERM — but
          only when running as PID 1. There was no signal to request this when
          running as per-user service manager, i.e. as any other PID than 1.
          SIGRTMIN+25 works for both system and user managers.

        * The hardware watchdog logic in PID 1 gained support for operating
          with the default timeout configured in the hardware, instead of
          insisting on re-configuring it. Set RuntimeWatchdogSec=default to
          request this behavior.

        * A new kernel command line option systemd.watchdog_sec= is now
          understood which may be used to override the hardware watchdog
          timeout for the boot.

        * A new setting DefaultOOMScoreAdjust= is now supported in
          /etc/systemd/system.conf and /etc/systemd/user.conf. It may be used
          to set the default process OOM score adjustment value for processes
          started by the service manager. For per-user service managers this
          now defaults to 100, but for per-system service managers is left as
          is. This means that by default now services forked off the user
          service manager are more likely to be killed by the OOM killer than
          system services or the managers themselves.

        * A new per-service setting RestrictFileSystems= as been added that
          restricts the file systems a service has access to by their type.
          This is based on the new BPF LSM of the Linux kernel. It provides an
          effective way to make certain API file systems unavailable to
          services (and thus minimizing attack surface). A new command
          "systemd-analyze filesystems" has been added that lists all known
          file system types (and how they are grouped together under useful
          group handles).

        * Services now support a new setting RestrictNetworkInterfaces= for
          restricting access to specific network interfaces.

        * Service unit files gained new settings StartupAllowedCPUs= and
          StartupAllowedMemoryNodes=. These are similar to their counterparts
          without the "Startup" prefix and apply during the boot process
          only. This is useful to improve boot-time behavior of the system and
          assign resources differently during boot than during regular
          runtime. This is similar to the preexisting StartupCPUWeight=
          vs. CPUWeight.

        * Related to this: the various StartupXYZ= settings
          (i.e. StartupCPUWeight=, StartupAllowedCPUs=, …) are now also applied
          during shutdown. The settings not prefixed with "Startup" hence apply
          during regular runtime, and those that are prefixed like that apply
          during boot and shutdown.

        * A new per-unit set of conditions/asserts
          [Condition|Assert][Memory|CPU|IO]Pressure= have been added to make a
          unit skip/fail activation if the system's (or a slice's) memory/cpu/io
          pressure is above the configured threshold, using the kernel PSI
          feature. For more details see systemd.unit(5) and
          https://docs.kernel.org/accounting/psi.html

        * The combination of ProcSubset=pid and ProtectKernelTunables=yes and/or
          ProtectKernelLogs=yes can now be used.

        * The default maximum numbers of inodes have been raised from 64k to 1M
          for /dev/, and from 400k to 1M for /tmp/.

        * The per-user service manager learnt support for communicating with
          systemd-oomd to acquire OOM kill information.

        * A new service setting ExecSearchPath= has been added that allows
          changing the search path for executables for services. It affects
          where we look for the binaries specified in ExecStart= and similar,
          and the specified directories are also added the $PATH environment
          variable passed to invoked processes.

        * A new setting RuntimeRandomizedExtraSec= has been added for service
          and scope units that allows extending the runtime timeout as
          configured by RuntimeMaxSec= with a randomized amount.

        * The syntax of the service unit settings RuntimeDirectory=,
          StateDirectory=, CacheDirectory=, LogsDirectory= has been extended:
          if the specified value is now suffixed with a colon, followed by
          another filename, the latter will be created as symbolic link to the
          specified directory. This allows creating these service directories
          together with alias symlinks to make them available under multiple
          names.

        * Service unit files gained two new settings TTYRows=/TTYColumns= for
          configuring rows/columns of the TTY device passed to
          stdin/stdout/stderr of the service. This is useful to propagate TTY
          dimensions to a virtual machine.

        * A new service unit file setting ExitType= has been added that
          specifies when to assume a service has exited. By default systemd
          only watches the main process of a service. By setting
          ExitType=cgroup it can be told to wait for the last process in a
          cgroup instead.

        * Automount unit files gained a new setting ExtraOptions= that can be
          used to configure additional mount options to pass to the kernel when
          mounting the autofs instance.

        * "Urlification" (generation of ESC sequences that generate clickable
          hyperlinks in modern terminals) may now be turned off altogether
          during build-time.

        * Path units gained new TriggerLimitBurst= and TriggerLimitIntervalSec=
          settings that default to 200 and 2 s respectively. The ratelimit
          ensures that a path unit cannot cause PID1 to busy-loop when it is
          trying to trigger a service that is skipped because of a Condition*=
          not being satisfied. This matches the configuration and behaviour of
          socket units.

        * The TPM2/FIDO2/PKCS11 support in systemd-cryptsetup is now also built
          as a plug-in for cryptsetup. This means the plain cryptsetup command
          may now be used to unlock volumes set up this way.

        * The TPM2 logic in cryptsetup will now automatically detect systems
          where the TPM2 chip advertises SHA256 PCR banks but the firmware only
          updates the SHA1 banks. In such a case PCR policies will be
          automatically bound to the latter, not the former. This makes the PCR
          policies reliable, but of course do not provide the same level of
          trust as SHA256 banks.

        * The TPM2 logic in systemd-cryptsetup/systemd-cryptsetup now supports
          RSA primary keys in addition to ECC, improving compatibility with
          TPM2 chips that do not support ECC. RSA keys are much slower to use
          than ECC, and hence are only used if ECC is not available.

        * /etc/crypttab gained support for a new token-timeout= setting for
          encrypted volumes that allows configuration of the maximum time to
          wait for PKCS#11/FIDO2 tokens to be plugged in. If the time elapses
          the logic will query the user for a regular passphrase/recovery key
          instead.

        * Support for activating dm-integrity volumes at boot via a new file
          /etc/integritytab and the tool systemd-integritysetup have been
          added. This is similar to /etc/crypttab and /etc/veritytab, but deals
          with dm-integrity instead of dm-crypt/dm-verity.

        * The systemd-veritysetup-generator now understands a new usrhash=
          kernel command line option for specifying the Verity root hash for
          the partition backing the /usr/ file system. A matching set of
          systemd.verity_usr_* kernel command line options has been added as
          well. These all work similar to the corresponding options for the
          root partition.

        * The sd-device API gained a new API call sd_device_get_diskseq() to
          return the DISKSEQ property of a device structure. The "disk
          sequence" concept is a new feature recently introduced to the Linux
          kernel that allows detecting reuse cycles of block devices, i.e. can
          be used to recognize when loopback block devices are reused for a
          different purpose or CD-ROM drives get their media changed.

        * A new unit systemd-boot-update.service has been added. If enabled
          (the default) and the sd-boot loader is detected to be installed, it
          is automatically updated to the newest version when out of date. This
          is useful to ensure the boot loader remains up-to-date, and updates
          automatically propagate from the OS tree in /usr/.

        * sd-boot will now build with SBAT by default in order to facilitate
          working with recent versions of Shim that require it to be present.

        * sd-boot can now parse Microsoft Windows' Boot Configuration Data.
          This is used to robustly generate boot entry titles for Windows.

        * A new generic target unit factory-reset.target has been added. It is
          hooked into systemd-logind similar in fashion to
          reboot/poweroff/suspend/hibernate, and is supposed to be used to
          initiate a factory reset operation. What precisely this operation
          entails is up for the implementer to decide, the primary goal of the
          new unit is provide a framework where to plug in the implementation
          and how to trigger it.

        * A new meson build-time option 'clock-valid-range-usec-max' has been
          added which takes a time in µs and defaults to 15 years. If the RTC
          time is noticed to be more than the specified time ahead of the
          built-in epoch of systemd (which by default is the release timestamp
          of systemd) it is assumed that the RTC is not working correctly, and
          the RTC is reset to the epoch. (It already is reset to the epoch when
          noticed to be before it.) This should increase the chance that time
          doesn't accidentally jump too far ahead due to faulty hardware or
          batteries.

        * A new setting SaveIntervalSec= has been added to systemd-timesyncd,
          which may be used to automatically save the current system time to
          disk in regular intervals. This is useful to maintain a roughly
          monotonic clock even without RTC hardware and with some robustness
          against abnormal system shutdown.

        * systemd-analyze verify gained support for a pair of new --image= +
          --root= switches for verifying units below a specific root
          directory/image instead of on the host.

        * systemd-analyze verify gained support for verifying unit files under
          an explicitly specified unit name, independently of what the filename
          actually is.

        * systemd-analyze verify gained a new switch --recursive-errors= which
          controls whether to only fail on errors found in the specified units
          or recursively any dependent units.

        * systemd-analyze security now supports a new --offline mode for
          analyzing unit files stored on disk instead of loaded units. It may
          be combined with --root=/--image to analyze unit files under a root
          directory or disk image. It also learnt a new --threshold= parameter
          for specifying an exposure level threshold: if the exposure level
          exceeds the specified value the call will fail. It also gained a new
          --security-policy= switch for configuring security policies to
          enforce on the units. A policy is a JSON file that lists which tests
          shall be weighted how much to determine the overall exposure
          level. Altogether these new features are useful for fully automatic
          analysis and enforcement of security policies on unit files.

        * systemd-analyze security gain a new --json= switch for JSON output.

        * systemd-analyze learnt a new --quiet switch for reducing
          non-essential output. It's honored by the "dot", "syscall-filter",
          "filesystems" commands.

        * systemd-analyze security gained a --profile= option that can be used
          to take into account a portable profile when analyzing portable
          services, since a lot of the security-related settings are enabled
          through them.

        * systemd-analyze learnt a new inspect-elf verb that parses ELF core
          files, binaries and executables and prints metadata information,
          including the build-id and other info described on:
          https://systemd.io/COREDUMP_PACKAGE_METADATA/

        * .network files gained a new UplinkInterface= in the [IPv6SendRA]
          section, for automatically propagating DNS settings from other
          interfaces.

        * The static lease DHCP server logic in systemd-networkd may now serve
          IP addresses outside of the configured IP pool range for the server.

        * CAN support in systemd-networkd gained four new settings Loopback=,
          OneShot=, PresumeACK=, ClassicDataLengthCode= for tweaking CAN
          control modes. It gained a number of further settings for tweaking
          CAN timing quanta.

        * The [CAN] section in .network file gained new TimeQuantaNSec=,
          PropagationSegment=, PhaseBufferSegment1=, PhaseBufferSegment2=,
          SyncJumpWidth=, DataTimeQuantaNSec=, DataPropagationSegment=,
          DataPhaseBufferSegment1=, DataPhaseBufferSegment2=, and
          DataSyncJumpWidth= settings to control bit-timing processed by the
          CAN interface.

        * DHCPv4 client support in systemd-networkd learnt a new Label= option
          for configuring the address label to apply to configure IPv4
          addresses.

        * The [IPv6AcceptRA] section of .network files gained support for a new
          UseMTU= setting that may be used to control whether to apply the
          announced MTU settings to the local interface.

        * The [DHCPv4] section in .network file gained a new Use6RD= boolean
          setting to control whether the DHCPv4 client request and process the
          DHCP 6RD option.

        * The [DHCPv6PrefixDelegation] section in .network file is renamed to
          [DHCPPrefixDelegation], as now the prefix delegation is also supported
          with DHCPv4 protocol by enabling the Use6RD= setting.

        * The [DHCPPrefixDelegation] section in .network file gained a new
          setting UplinkInterface= to specify the upstream interface.

        * The [DHCPv6] section in .network file gained a new setting
          UseDelegatedPrefix= to control whether the delegated prefixes will be
          propagated to the downstream interfaces.

        * The [IPv6AcceptRA] section of .network files now understands two new
          settings UseGateway=/UseRoutePrefix= for explicitly configuring
          whether to use the relevant fields from the IPv6 Router Advertisement
          records.

        * The ForceDHCPv6PDOtherInformation= setting in the [DHCPv6] section
          has been removed. Please use the WithoutRA= and UseDelegatedPrefix=
          settings in the [DHCPv6] section and the DHCPv6Client= setting in the
          [IPv6AcceptRA] section to control when the DHCPv6 client is started
          and how the delegated prefixes are handled by the DHCPv6 client.

        * The IPv6Token= section in the [Network] section is deprecated, and
          the [IPv6AcceptRA] section gained the Token= setting for its
          replacement. The [IPv6Prefix] section also gained the Token= setting.
          The Token= setting gained 'eui64' mode to explicitly configure an
          address with the EUI64 algorithm based on the interface MAC address.
          The 'prefixstable' mode can now optionally take a secret key. The
          Token= setting in the [DHCPPrefixDelegation] section now supports all
          algorithms supported by the same settings in the other sections.

        * The [RoutingPolicyRule] section of .network file gained a new
          SuppressInterfaceGroup= setting.

        * The IgnoreCarrierLoss= setting in the [Network] section of .network
          files now allows a duration to be specified, controlling how long to
          wait before reacting to carrier loss.

        * The [DHCPServer] section of .network file gained a new Router=
          setting to specify the router address.

        * The [CAKE] section of .network files gained various new settings
          AutoRateIngress=, CompensationMode=, FlowIsolationMode=, NAT=,
          MPUBytes=, PriorityQueueingPreset=, FirewallMark=, Wash=, SplitGSO=,
          and UseRawPacketSize= for configuring CAKE.

        * systemd-networkd now ships with new default .network files:
          80-container-vb.network which matches host-side network bridge device
          created by systemd-nspawn's --network-bridge or --network-zone
          switch, and 80-6rd-tunnel.network which matches automatically created
          sit tunnel with 6rd prefix when the DHCP 6RD option is received.

        * systemd-networkd's handling of Endpoint= resolution for WireGuard
          interfaces has been improved.

        * systemd-networkd will now automatically configure routes to addresses
          specified in AllowedIPs=. This feature can be controlled via
          RouteTable= and RouteMetric= settings in [WireGuard] or
          [WireGuardPeer] sections.

        * systemd-networkd will now once again automatically generate persistent
          MAC addresses for batadv and bridge interfaces. Users can disable this
          by using MACAddress=none in .netdev files.

        * systemd-networkd and systemd-udevd now support IP over InfiniBand
          interfaces. The Kind= setting in .netdev file accepts "ipoib". And
          systemd.netdev files gained the [IPoIB] section.

        * systemd-networkd and systemd-udevd now support net.ifname_policy=
          option on the kernel command-line. This is implemented through the
          systemd-network-generator service that automatically generates
          appropriate .link, .network, and .netdev files.

        * The various systemd-udevd "ethtool" buffer settings now understand
          the special value "max" to configure the buffers to the maximum the
          hardware supports.

        * systemd-udevd's .link files may now configure a large variety of
          NIC coalescing settings, plus more hardware offload settings.

        * .link files gained a new WakeOnLanPassword= setting in the [Link]
          section that allows to specify a WoL "SecureOn" password on hardware
          that supports this.

        * systemd-nspawn's --setenv= switch now supports an additional syntax:
          if only a variable name is specified (i.e. without being suffixed by
          a '=' character and a value) the current value of the environment
          variable is propagated to the container. e.g. --setenv=FOO will
          lookup the current value of $FOO in the environment, and pass it down
          to the container. Similar behavior has been added to homectl's,
          machinectl's and systemd-run's --setenv= switch.

        * systemd-nspawn gained a new switch --suppress-sync= which may be used
          to optionally suppress the effect of the sync()/fsync()/fdatasync()
          system calls for the container payload. This is useful for build
          system environments where safety against abnormal system shutdown is
          not essential as all build artifacts can be regenerated any time, but
          the performance win is beneficial.

        * systemd-nspawn will now raise the RLIMIT_NOFILE hard limit to the
          same value that PID 1 uses for most forked off processes.

        * systemd-nspawn's --bind=/--bind-ro= switches now optionally take
          uidmap/nouidmap options as last parameter. If "uidmap" is used the
          bind mounts are created with UID mapping taking place that ensures
          the host's file ownerships are mapped 1:1 to container file
          ownerships, even if user namespacing is used. This way
          files/directories bound into containers will no longer show up as
          owned by the nobody user as they typically did if no special care was
          taken to shift them manually.

        * When discovering Windows installations sd-boot will now attempt to
          show the Windows version.

        * The color scheme to use in sd-boot may now be configured at
          build-time.

        * sd-boot gained the ability to change screen resolution during
          boot-time, by hitting the "r" key. This will cycle through available
          resolutions and save the last selection.

        * sd-boot learnt a new hotkey "f". When pressed the system will enter
          firmware setup. This is useful in environments where it is difficult
          to hit the right keys early enough to enter the firmware, and works
          on any firmware regardless which key it natively uses.

        * sd-boot gained support for automatically booting into the menu item
          selected on the last boot (using the "@saved" identifier for menu
          items).

        * sd-boot gained support for automatically loading all EFI drivers
          placed in the /EFI/systemd/drivers/ subdirectory of the EFI System
          Partition (ESP). These drivers are loaded before the menu entries are
          loaded. This is useful e.g. to load additional file system drivers
          for the XBOOTLDR partition.

        * systemd-boot will now paint the input cursor on its own instead of
          relying on the firmware to do so, increasing compatibility with broken
          firmware that doesn't make the cursor reasonably visible.

        * sd-boot now embeds a .osrel PE section like we expect from Boot
          Loader Specification Type #2 Unified Kernels. This means sd-boot
          itself may be used in place of a Type #2 Unified Kernel. This is
          useful for debugging purposes as it allows chain-loading one a
          (development) sd-boot instance from another.

        * sd-boot now supports a new "devicetree" field in Boot Loader
          Specification Type #1 entries: if configured the specified device
          tree file is installed before the kernel is invoked. This is useful
          for installing/applying new devicetree files without updating the
          kernel image.

        * Similarly, sd-stub now can read devicetree data from a PE section
          ".dtb" and apply it before invoking the kernel.

        * sd-stub (the EFI stub that can be glued in front of a Linux kernel)
          gained the ability to pick up credentials and sysext files, wrap them
          in a cpio archive, and pass as an additional initrd to the invoked
          Linux kernel, in effect placing those files in the /.extra/ directory
          of the initrd environment. This is useful to implement trusted initrd
          environments which are fully authenticated but still can be extended
          (via sysexts) and parameterized (via encrypted/authenticated
          credentials, see above).

          Credentials can be located next to the kernel image file (credentials
          specific to a single boot entry), or in one of the shared directories
          (credentials applicable to multiple boot entries).

        * sd-stub now comes with a full man page, that explains its feature set
          and how to combine a kernel image, an initrd and the stub to build a
          complete EFI unified kernel image, implementing Boot Loader
          Specification Type #2.

        * sd-stub may now provide the initrd to the executed kernel via the
          LINUX_EFI_INITRD_MEDIA_GUID EFI protocol, adding compatibility for
          non-x86 architectures.

        * bootctl learnt new set-timeout and set-timeout-oneshot commands that
          may be used to set the boot menu timeout of the boot loader (for all
          or just the subsequent boot).

        * bootctl and kernel-install will now read variables
          KERNEL_INSTALL_LAYOUT= from /etc/machine-info and layout= from
          /etc/kernel/install.conf. When set, it specifies the layout to use
          for installation directories on the boot partition, so that tools
          don't need to guess it based on the already-existing directories. The
          only value that is defined natively is "bls", corresponding to the
          layout specified in
          https://systemd.io/BOOT_LOADER_SPECIFICATION/. Plugins for
          kernel-install that implement a different layout can declare other
          values for this variable.

          'bootctl install' will now write KERNEL_INSTALL_LAYOUT=bls, on the
          assumption that if the user installed sd-boot to the ESP, they intend
          to use the entry layout understood by sd-boot. It'll also write
          KERNEL_INSTALL_MACHINE_ID= if it creates any directories using the ID
          (and it wasn't specified in the config file yet). Similarly,
          kernel-install will now write KERNEL_INSTALL_MACHINE_ID= (if it
          wasn't specified in the config file yet). Effectively, those changes
          mean that the machine-id used for boot loader entry installation is
          "frozen" upon first use and becomes independent of the actual
          machine-id.

          Configuring KERNEL_INSTALL_MACHINE_ID fixes the following problem:
          images created for distribution ("golden images") are built with no
          machine-id, so that a unique machine-id can be created on the first
          boot. But those images may contain boot loader entries with the
          machine-id used during build included in paths. Using a "frozen"
          value allows unambiguously identifying entries that match the
          specific installation, while still permitting parallel installations
          without conflict.

          Configuring KERNEL_INSTALL_LAYOUT obviates the need for
          kernel-install to guess the installation layout. This fixes the
          problem where a (possibly empty) directory in the boot partition is
          created from a different layout causing kernel-install plugins to
          assume the wrong layout. A particular example of how this may happen
          is the grub2 package in Fedora which includes directories under /boot
          directly in its file list. Various other packages pull in grub2 as a
          dependency, so it may be installed even if unused, breaking
          installations that use the bls layout.

        * bootctl and systemd-bless-boot can now be linked statically.

        * systemd-sysext now optionally doesn't insist on extension-release.d/
          files being placed in the image under the image's file name. If the
          file system xattr user.extension-release.strict is set on the
          extension release file, it is accepted regardless of its name. This
          relaxes security restrictions a bit, as system extension may be
          attached under a wrong name this way.

        * udevadm's test-builtin command learnt a new --action= switch for
          testing the built-in with the specified action (in place of the
          default 'add').

        * udevadm info gained new switches --property=/--value for showing only
          specific udev properties/values instead of all.

        * A new hwdb database has been added that contains matches for various
          types of signal analyzers (protocol analyzers, logic analyzers,
          oscilloscopes, multimeters, bench power supplies, etc.) that should
          be accessible to regular users.

        * A new hwdb database entry has been added that carries information
          about types of cameras (regular or infrared), and in which direction
          they point (front or back).

        * A new rule to allow console users access to rfkill by default has been
          added to hwdb.

        * Device nodes for the Software Guard eXtension enclaves (sgx_vepc) are
          now also owned by the system group "sgx".

        * A new build-time meson option "extra-net-naming-schemes=" has been
          added to define additional naming schemes for udev's network
          interface naming logic. This is useful for enterprise distributions
          and similar which want to pin the schemes of certain distribution
          releases under a specific name and previously had to patch the
          sources to introduce new named schemes.

        * The predictable naming logic for network interfaces has been extended
          to generate stable names from Xen netfront device information.

        * hostnamed's chassis property can now be sourced from chassis-type
          field encoded in devicetree (in addition to the existing DMI
          support).

        * systemd-cgls now optionally displays cgroup IDs and extended
          attributes for each cgroup. (Controllable via the new --xattr= +
          --cgroup-id= switches.)

        * coredumpctl gained a new --all switch for operating on all
          Journal files instead of just the local ones.

        * systemd-coredump will now use libdw/libelf via dlopen() rather than
          directly linking, allowing users to easily opt-out of backtrace/metadata
          analysis of core files, and reduce image sizes when this is not needed.

        * systemd-coredump will now analyze core files with libdw/libelf in a
          forked, sandboxed process.

        * systemd-homed will now try to unmount an activate home area in
          regular intervals once the user logged out fully. Previously this was
          attempted exactly once but if the home directory was busy for some
          reason it was not tried again.

        * systemd-homed's LUKS2 home area backend will now create a BSD file
          system lock on the image file while the home area is active
          (i.e. mounted). If a home area is found to be locked, logins are
          politely refused. This should improve behavior when using home areas
          images that are accessible via the network from multiple clients, and
          reduce the chance of accidental file system corruption in that case.

        * Optionally, systemd-homed will now drop the kernel buffer cache once
          a user has fully logged out, configurable via the new --drop-caches=
          homectl switch.

        * systemd-homed now makes use of UID mapped mounts for the home areas.
          If the kernel and used file system support it, files are now
          internally owned by the "nobody" user (i.e. the user typically used
          for indicating "this ownership is not mapped"), and dynamically
          mapped to the UID used locally on the system via the UID mapping
          mount logic of recent kernels. This makes migrating home areas
          between different systems cheaper because recursively chown()ing file
          system trees is no longer necessary.

        * systemd-homed's CIFS backend now optionally supports CIFS service
          names with a directory suffix, in order to place home directories in
          a subdirectory of a CIFS share, instead of the top-level directory.

        * systemd-homed's CIFS backend gained support for specifying additional
          mount options in the JSON user record (cifsExtraMountOptions field,
          and --cifs-extra-mount-options= homectl switch). This is for example
          useful for configuring mount options such as "noserverino" that some
          SMB3 services require (use that to run a homed home directory from a
          FritzBox SMB3 share this way).

        * systemd-homed will now default to btrfs' zstd compression for home
          areas. This is inspired by Fedora's recent decision to switch to zstd
          by default.

        * Additional mount options to use when mounting the file system of
          LUKS2 volumes in systemd-homed has been added. Via the
          $SYSTEMD_HOME_MOUNT_OPTIONS_BTRFS, $SYSTEMD_HOME_MOUNT_OPTIONS_EXT4,
          $SYSTEMD_HOME_MOUNT_OPTIONS_XFS environment variables to
          systemd-homed or via the luksExtraMountOptions user record JSON
          property. (Exposed via homectl --luks-extra-mount-options)

        * homectl's resize command now takes the special size specifications
          "min" and "max" to shrink/grow the home area to the minimum/maximum
          size possible, taking disk usage/space constraints and file system
          limitations into account. Resizing is now generally graceful: the
          logic will try to get as close to the specified size as possible, but
          not consider it a failure if the request couldn't be fulfilled
          precisely.

        * systemd-homed gained the ability to automatically shrink home areas
          on logout to their minimal size and grow them again on next
          login. This ensures that while inactive, a home area only takes up
          the minimal space necessary, but once activated, it provides
          sufficient space for the user's needs. This behavior is only
          supported if btrfs is used as file system inside the home area
          (because only for btrfs online growing/shrinking is implemented in
          the kernel). This behavior is now enabled by default, but may be
          controlled via the new --auto-resize-mode= setting of homectl.

        * systemd-homed gained support for automatically re-balancing free disk
          space among active home areas, in case the LUKS2 backends are used,
          and no explicit disk size was requested. This way disk space is
          automatically managed and home areas resized in regular intervals and
          manual resizing when disk space becomes scarce should not be
          necessary anymore. This behavior is only supported if btrfs is used
          within the home areas (as only then online shrinking and growing is
          supported), and may be configured via the new rebalanceWeight JSON
          user record field (as exposed via the new --rebalance-weight= homectl
          setting). Re-balancing is mostly automatic, but can also be requested
          explicitly via "homectl rebalance", which is synchronous, and thus
          may be used to wait until the rebalance run is complete.

        * userdbctl gained a --json= switch for configured the JSON formatting
          to use when outputting user or group records.

        * userdbctl gained a new --multiplexer= switch for explicitly
          configuring whether to use the systemd-userdbd server side user
          record resolution logic.

        * userdbctl's ssh-authorized-keys command learnt a new --chain switch,
          for chaining up another command to execute after completing the
          look-up. Since the OpenSSH's AuthorizedKeysCommand only allows
          configuration of a single command to invoke, this maybe used to
          invoke multiple: first userdbctl's own implementation, and then any
          other also configured in the command line.

        * The sd-event API gained a new function sd_event_add_inotify_fd() that
          is similar to sd_event_add_inotify() but accepts a file descriptor
          instead of a path in the file system for referencing the inode to
          watch.

        * The sd-event API gained a new function
          sd_event_source_set_ratelimit_expire_callback() that may be used to
          define a callback function that is called whenever an event source
          leaves the rate limiting phase.

        * New documentation has been added explaining which steps are necessary
          to port systemd to a new architecture:

          https://systemd.io/PORTING_TO_NEW_ARCHITECTURES

        * The x-systemd.makefs option in /etc/fstab now explicitly supports
          ext2, ext3, and f2fs file systems.

        * Mount units and units generated from /etc/fstab entries with 'noauto'
          are now ordered the same as other units. Effectively, they will be
          started earlier (if something actually pulled them in) and stopped
          later, similarly to normal mount units that are part of
          fs-local.target. This change should be invisible to users, but
          should prevent those units from being stopped too early during
          shutdown.

        * The systemd-getty-generator now honors a new kernel command line
          argument systemd.getty_auto= and a new environment variable
          $SYSTEMD_GETTY_AUTO that allows turning it off at boot. This is for
          example useful to turn off gettys inside of containers or similar
          environments.

        * systemd-resolved now listens on a second DNS stub address: 127.0.0.54
          (in addition to 127.0.0.53, as before). If DNS requests are sent to
          this address they are propagated in "bypass" mode only, i.e. are
          almost not processed locally, but mostly forwarded as-is to the
          current upstream DNS servers. This provides a stable DNS server
          address that proxies all requests dynamically to the right upstream
          DNS servers even if these dynamically change. This stub does not do
          mDNS/LLMNR resolution. However, it will translate look-ups to
          DNS-over-TLS if necessary. This new stub is particularly useful in
          container/VM environments, or for tethering setups: use DNAT to
          redirect traffic to any IP address to this stub.

        * systemd-importd now honors new environment variables
          $SYSTEMD_IMPORT_BTRFS_SUBVOL, $SYSTEMD_IMPORT_BTRFS_QUOTA,
          $SYSTEMD_IMPORT_SYNC, which may be used disable btrfs subvolume
          generation, btrfs quota setup and disk synchronization.

        * systemd-importd and systemd-resolved can now be optionally built with
          OpenSSL instead of libgcrypt.

        * systemd-repart no longer requires OpenSSL.

        * systemd-sysusers will no longer create the redundant 'nobody' group
          by default, as the 'nobody' user is already created with an
          appropriate primary group.

        * If a unit uses RuntimeMaxSec, systemctl show will now display it.

        * systemctl show-environment gained support for --output=json.

        * pam_systemd will now first try to use the X11 abstract socket, and
          fallback to the socket file in /tmp/.X11-unix/ only if that does not
          work.

        * systemd-journald will no longer go back to volatile storage
          regardless of configuration when its unit is restarted.

        * Initial support for the LoongArch architecture has been added (system
          call lists, GPT partition table UUIDs, etc).

        * systemd-journald's own logging messages are now also logged to the
          journal itself when systemd-journald logs to /dev/kmsg.

        * systemd-journald now re-enables COW for archived journal files on
          filesystems that support COW. One benefit of this change is that
          archived journal files will now get compressed on btrfs filesystems
          that have compression enabled.

        * systemd-journald now deduplicates fields in a single log message
          before adding it to the journal. In archived journal files, it will
          also punch holes for unused parts and truncate the file as
          appropriate, leading to reductions in disk usage.

        * journalctl --verify was extended with more informative error
          messages.

        * More of sd-journal's functions are now resistant against journal file
          corruption.

        * The shutdown command learnt a new option --show, to display the
          scheduled shutdown.

        * A LICENSES/ directory is now included in the git tree. It contains a
          README.md file that explains the licenses used by source files in
          this repository. It also contains the text of all applicable
          licenses as they appear on spdx.org.

        Contributions from: Aakash Singh, acsfer, Adolfo Jayme Barrientos,
        Adrian Vovk, Albert Brox, Alberto Mardegan, Alexander Kanavin,
        alexlzhu, Alfonso Sánchez-Beato, Alvin Šipraga, Alyssa Ross,
        Amir Omidi, Anatol Pomozov, Andika Triwidada, Andreas Rammhold,
        Andreas Valder, Andrej Lajovic, Andrew Soutar, Andrew Stone, Andy Chi,
        Anita Zhang, Anssi Hannula, Antonio Alvarez Feijoo,
        Antony Deepak Thomas, Arnaud Ferraris, Arvid E. Picciani,
        Bastien Nocera, Benjamin Berg, Benjamin Herrenschmidt, Ben Stockett,
        Bogdan Seniuc, Boqun Feng, Carl Lei, chlorophyll-zz, Chris Packham,
        Christian Brauner, Christian Göttsche, Christian Wehrli,
        Christoph Anton Mitterer, Cristian Rodríguez, Daan De Meyer,
        Daniel Maixner, Dann Frazier, Dan Streetman, Davide Cavalca,
        David Seifert, David Tardon, dependabot[bot], Dimitri John Ledkov,
        Dimitri Papadopoulos, Dimitry Ishenko, Dmitry Khlebnikov,
        Dominique Martinet, duament, Egor, Egor Ignatov, Emil Renner Berthing,
        Emily Gonyer, Ettore Atalan, Evgeny Vereshchagin, Florian Klink,
        Franck Bui, Frantisek Sumsal, Geass-LL, Gibeom Gwon, GnunuX,
        Gogo Gogsi, gregzuro, Greg Zuro, Gustavo Costa, Hans de Goede,
        Hela Basa, Henri Chain, hikigaya58, Hugo Carvalho,
        Hugo Osvaldo Barrera, Iago Lopez Galeiras, Iago López Galeiras,
        I-dont-need-name, igo95862, Jack Dähn, James Hilliard, Jan Janssen,
        Jan Kuparinen, Jan Macku, Jan Palus, Jarkko Sakkinen, Jayce Fayne,
        jiangchuangang, jlempen, John Lindgren, Jonas Dreßler, Jonas Jelten,
        Jonas Witschel, Joris Hartog, José Expósito, Julia Kartseva,
        Kai-Heng Feng, Kai Wohlfahrt, Kay Siver Bø, KennthStailey,
        Kevin Kuehler, Kevin Orr, Khem Raj, Kristian Klausen, Kyle Laker,
        lainahai, LaserEyess, Lennart Poettering, Lia Lenckowski, longpanda,
        Luca Boccassi, Luca BRUNO, Ludwig Nussel, Lukas Senionis,
        Maanya Goenka, Maciek Borzecki, Marcel Menzel, Marco Scardovi,
        Marcus Harrison, Mark Boudreau, Matthijs van Duin, Mauricio Vásquez,
        Maxime de Roucy, Max Resch, MertsA, Michael Biebl, Michael Catanzaro,
        Michal Koutný, Michal Sekletár, Miika Karanki, Mike Gilbert,
        Milo Turner, ml, monosans, Nacho Barrientos, nassir90, Nishal Kulkarni,
        nl6720, Ondrej Kozina, Paulo Neves, Pavel Březina, pedro martelletto,
        Peter Hutterer, Peter Morrow, Piotr Drąg, Rasmus Villemoes, ratijas,
        Raul Tambre, rene, Riccardo Schirone, Robert-L-Turner, Robert Scheck,
        Ross Jennings, saikat0511, Scott Lamb, Scott Worley,
        Sergei Trofimovich, Sho Iizuka, Slava Bacherikov, Slimane Selyan Amiri,
        StefanBruens, Steven Siloti, svonohr, Taiki Sugawara, Takashi Sakamoto,
        Takuro Onoue, Thomas Blume, Thomas Haller, Thomas Mühlbacher,
        Tianlu Shao, Toke Høiland-Jørgensen, Tom Yan, Tony Asleson,
        Topi Miettinen, Ulrich Ölmann, Urs Ritzmann, Vincent Bernat,
        Vito Caputo, Vladimir Panteleev, WANG Xuerui, Wind/owZ, Wu Xiaotian,
        xdavidwu, Xiaotian Wu, xujing, yangmingtai, Yao Wei, Yao Wei (魏銘廷),
        Yegor Alexeyev, Yu Watanabe, Zbigniew Jędrzejewski-Szmek,
        Дамјан Георгиевски, наб

        — Warsaw, 2021-12-23

CHANGES WITH 249:

        * When operating on disk images via the --image= switch of various
          tools (such as systemd-nspawn or systemd-dissect), or when udev finds
          no 'root=' parameter on the kernel command line, and multiple
          suitable root or /usr/ partitions exist in the image, then a simple
          comparison inspired by strverscmp() is done on the GPT partition
          label, and the newest partition is picked. This permits a simple and
          generic whole-file-system A/B update logic where new operating system
          versions are dropped into partitions whose label is then updated with
          a matching version identifier.

        * systemd-sysusers now supports querying the passwords to set for the
          users it creates via the "credentials" logic introduced in v247: the
          passwd.hashed-password.<user> and passwd.plaintext-password.<user>
          credentials are consulted for the password to use (either in UNIX
          hashed form, or literally). By default these credentials are inherited
          down from PID1 (which in turn imports it from a container manager if
          there is one). This permits easy configuration of user passwords
          during first boot. Example:

          # systemd-nspawn -i foo.raw --volatile=yes --set-credential=passwd.plaintext-password.root:foo

          Note that systemd-sysusers operates in purely additive mode: it
          executes no operation if the declared users already exist, and hence
          doesn't set any passwords as effect of the command line above if the
          specified root user exists already in the image. (Note that
          --volatile=yes ensures it doesn't, though.)

        * systemd-firstboot now also supports querying various system
          parameters via the credential subsystems. Thus, as above this may be
          used to initialize important system parameters on first boot of
          previously unprovisioned images (i.e. images with a mostly empty
          /etc/).

        * PID 1 may now show both the unit name and the unit description
          strings in its status output during boot. This may be configured with
          StatusUnitFormat=combined in system.conf or
          systemd.status-unit-format=combined on the kernel command line.

        * The systemd-machine-id-setup tool now supports a --image= switch for
          provisioning a machine ID file into an OS disk image, similar to how
          --root= operates on an OS file tree. This matches the existing switch
          of the same name for systemd-tmpfiles, systemd-firstboot, and
          systemd-sysusers tools.

        * Similarly, systemd-repart gained support for the --image= switch too.
          In combination with the existing --size= option, this makes the tool
          particularly useful for easily growing disk images in a single
          invocation, following the declarative rules included in the image
          itself.

        * systemd-repart's partition configuration files gained support for a
          new switch MakeDirectories= which may be used to create arbitrary
          directories inside file systems that are created, before registering
          them in the partition table. This is useful in particular for root
          partitions to create mount point directories for other partitions
          included in the image. For example, a disk image that contains a
          root, /home/, and /var/ partitions, may set MakeDirectories=yes to
          create /home/ and /var/ as empty directories in the root file system
          on its creation, so that the resulting image can be mounted
          immediately, even in read-only mode.

        * systemd-repart's CopyBlocks= setting gained support for the special
          value "auto". If used, a suitable matching partition on the booted OS
          is found as source to copy blocks from. This is useful when
          implementing replicating installers, that are booted from one medium
          and then stream their own root partition onto the target medium.

        * systemd-repart's partition configuration files gained support for a
          Flags=, a ReadOnly= and a NoAuto= setting, allowing control of these
          GPT partition flags for the created partitions: this is useful for
          marking newly created partitions as read-only, or as not being
          subject for automatic mounting from creation on.

        * The /etc/os-release file has been extended with two new (optional)
          variables IMAGE_VERSION= and IMAGE_ID=, carrying identity and version
          information for OS images that are updated comprehensively and
          atomically as one image. Two new specifiers %M, %A now resolve to
          these two fields in the various configuration options that resolve
          specifiers.

        * portablectl gained a new switch --extension= for enabling portable
          service images with extensions that follow the extension image
          concept introduced with v248, and thus allows layering multiple
          images when setting up the root filesystem of the service.

        * systemd-coredump will now extract ELF build-id information from
          processes dumping core and include it in the coredump report.
          Moreover, it will look for ELF .note.package sections with
          distribution packaging meta-information about the crashing process.
          This is useful to directly embed the rpm or deb (or any other)
          package name and version in ELF files, making it easy to match
          coredump reports with the specific package for which the software was
          compiled. This is particularly useful on environments with ELF files
          from multiple vendors, different distributions and versions, as is
          common today in our containerized and sand-boxed world. For further
          information, see:

          https://systemd.io/COREDUMP_PACKAGE_METADATA

        * A new udev hardware database has been added for FireWire devices
          (IEEE 1394).

        * The "net_id" built-in of udev has been updated with three
          backwards-incompatible changes:

          - PCI hotplug slot names on s390 systems are now parsed as
            hexadecimal numbers. They were incorrectly parsed as decimal
            previously, or ignored if the name was not a valid decimal
            number.

          - PCI onboard indices up to 65535 are allowed. Previously, numbers
            above 16383 were rejected. This primarily impacts s390 systems,
            where values up to 65535 are used.

          - Invalid characters in interface names are replaced with "_".

          The new version of the net naming scheme is "v249". The previous
          scheme can be selected via the "net.naming_scheme=v247" kernel
          command line parameter.

        * sd-bus' sd_bus_is_ready() and sd_bus_is_open() calls now accept a
          NULL bus object, for which they will return false. Or in other words,
          an unallocated bus connection is neither ready nor open.

        * The sd-device API acquired a new API function
          sd_device_get_usec_initialized() that returns the monotonic time when
          the udev device first appeared in the database.

        * sd-device gained a new APIs sd_device_trigger_with_uuid() and
          sd_device_get_trigger_uuid(). The former is similar to
          sd_device_trigger() but returns a randomly generated UUID that is
          associated with the synthetic uevent generated by the call. This UUID
          may be read from the sd_device object a monitor eventually receives,
          via the sd_device_get_trigger_uuid(). This interface requires kernel
          4.13 or above to work, and allows tracking a synthetic uevent through
          the entire device management stack. The "udevadm trigger --settle"
          logic has been updated to make use of this concept if available to
          wait precisely for the uevents it generates. "udevadm trigger" also
          gained a new parameter --uuid that prints the UUID for each generated
          uevent.

        * sd-device also gained new APIs sd_device_new_from_ifname() and
          sd_device_new_from_ifindex() for allocating an sd-device object for
          the specified network interface. The former accepts an interface name
          (either a primary or an alternative name), the latter an interface
          index.

        * The native Journal protocol has been documented. Clients may talk
          this as alternative to the classic BSD syslog protocol for locally
          delivering log records to the Journal. The protocol has been stable
          for a long time and in fact been implemented already in a variety
          of alternative client libraries. This documentation makes the support
          for that official:

          https://systemd.io/JOURNAL_NATIVE_PROTOCOL

        * A new BPFProgram= setting has been added to service files. It may be
          set to a path to a loaded kernel BPF program, i.e. a path to a bpffs
          file, or a bind mount or symlink to one. This may be used to upload
          and manage BPF programs externally and then hook arbitrary systemd
          services into them.

        * The "home.arpa" domain that has been officially declared as the
          choice for domain for local home networks per RFC 8375 has been added
          to the default NTA list of resolved, since DNSSEC is generally not
          available on private domains.

        * The CPUAffinity= setting of unit files now resolves "%" specifiers.

        * A new ManageForeignRoutingPolicyRules= setting has been added to
          .network files which may be used to exclude foreign-created routing
          policy rules from systemd-networkd management.

        * systemd-network-wait-online gained two new switches -4 and -6 that
          may be used to tweak whether to wait for only IPv4 or only IPv6
          connectivity.

        * .network files gained a new RequiredFamilyForOnline= setting to
          fine-tune whether to require an IPv4 or IPv6 address in order to
          consider an interface "online".

        * networkctl will now show an over-all "online" state in the per-link
          information.

        * In .network files a new OutgoingInterface= setting has been added to
          specify the output interface in bridge FDB setups.

        * In .network files the Multipath group ID may now be configured for
          [NextHop] entries, via the new Group= setting.

        * The DHCP server logic configured in .network files gained a new
          setting RelayTarget= that turns the server into a DHCP server relay.
          The RelayAgentCircuitId= and RelayAgentRemoteId= settings may be used
          to further tweak the DHCP relay behaviour.

        * The DHCP server logic also gained a new ServerAddress= setting in
          .network files that explicitly specifies the server IP address to
          use. If not specified, the address is determined automatically, as
          before.

        * The DHCP server logic in systemd-networkd gained support for static
          DHCP leases, configurable via the [DHCPServerStaticLease]
          section. This allows explicitly mapping specific MAC addresses to
          fixed IP addresses and vice versa.

        * The RestrictAddressFamilies= setting in service files now supports a
          new special value "none". If specified sockets of all address
          families will be made unavailable to services configured that way.

        * systemd-fstab-generator and systemd-repart have been updated to
          support booting from disks that carry only a /usr/ partition but no
          root partition yet, and where systemd-repart can add it in on the
          first boot. This is useful for implementing systems that ship with a
          single /usr/ file system, and whose root file system shall be set up
          and formatted on a LUKS-encrypted volume whose key is generated
          locally (and possibly enrolled in the TPM) during the first boot.

        * The [Address] section of .network files now accepts a new
          RouteMetric= setting that configures the routing metric to use for
          the prefix route created as effect of the address configuration.
          Similarly, the [DHCPv6PrefixDelegation] and [IPv6Prefix] sections
          gained matching settings for their prefix routes. (The option of the
          same name in the [DHCPv6] section is moved to [IPv6AcceptRA], since
          it conceptually belongs there; the old option is still understood for
          compatibility.)

        * The DHCPv6 IAID and DUID are now explicitly configurable in .network
          files.

        * A new udev property ID_NET_DHCP_BROADCAST on network interface
          devices is now honoured by systemd-networkd, controlling whether to
          issue DHCP offers via broadcasting. This is used to ensure that s390
          layer 3 network interfaces work out-of-the-box with systemd-networkd.

        * nss-myhostname and systemd-resolved will now synthesize address
          records for a new special hostname "_outbound". The name will always
          resolve to the local IP addresses most likely used for outbound
          connections towards the default routes. On multi-homed hosts this is
          useful to have a stable handle referring to "the" local IP address
          that matters most, to the point where this is defined.

        * The Discoverable Partition Specification has been updated with a new
          GPT partition flag "grow-file-system" defined for its partition
          types. Whenever partitions with this flag set are automatically
          mounted (i.e. via systemd-gpt-auto-generator or the --image= switch
          of systemd-nspawn or other tools; and as opposed to explicit mounting
          via /etc/fstab), the file system within the partition is
          automatically grown to the full size of the partition. If the file
          system size already matches the partition size this flag has no
          effect. Previously, this functionality has been available via the
          explicit x-systemd.growfs mount option, and this new flag extends
          this to automatically discovered mounts. A new GrowFileSystem=
          setting has been added to systemd-repart drop-in files that allows
          configuring this partition flag. This new flag defaults to on for
          partitions automatically created by systemd-repart, except if they
          are marked read-only. See the specification for further details:

          https://systemd.io/DISCOVERABLE_PARTITIONS

        * .network files gained a new setting RoutesToNTP= in the [DHCPv4]
          section. If enabled (which is the default), and an NTP server address
          is acquired through a DHCP lease on this interface an explicit route
          to this address is created on this interface to ensure that NTP
          traffic to the NTP server acquired on an interface is also routed
          through that interface. The pre-existing RoutesToDNS= setting that
          implements the same for DNS servers is now enabled by default.

        * A pair of service settings SocketBindAllow= + SocketBindDeny= have
          been added that may be used to restrict the network interfaces
          sockets created by the service may be bound to. This is implemented
          via BPF.

        * A new ConditionFirmware= setting has been added to unit files to
          conditionalize on certain firmware features. At the moment it may
          check whether running on a UEFI system, a device.tree system, or if
          the system is compatible with some specified device-tree feature.

        * A new ConditionOSRelease= setting has been added to unit files to
          check os-release(5) fields. The "=", "!=", "<", "<=", ">=", ">"
          operators may be used to check if some field has some specific value
          or do an alphanumerical comparison. Equality comparisons are useful
          for fields like ID, but relative comparisons for fields like
          VERSION_ID or IMAGE_VERSION.

        * hostnamed gained a new Describe() D-Bus method that returns a JSON
          serialization of the host data it exposes. This is exposed via
          "hostnamectl --json=" to acquire a host identity description in JSON.
          It's our intention to add a similar features to most services and
          objects systemd manages, in order to simplify integration with
          program code that can consume JSON.

        * Similarly, networkd gained a Describe() method on its Manager and
          Link bus objects. This is exposed via "networkctl --json=".

        * hostnamectl's various "get-xyz"/"set-xyz" verb pairs
          (e.g. "hostnamectl get-hostname", "hostnamectl "set-hostname") have
          been replaced by a single "xyz" verb (e.g. "hostnamectl hostname")
          that is used both to get the value (when no argument is given), and
          to set the value (when an argument is specified). The old names
          continue to be supported for compatibility.

        * systemd-detect-virt and ConditionVirtualization= are now able to
          correctly identify Amazon EC2 environments.

        * The LogLevelMax= setting of unit files now applies not only to log
          messages generated *by* the service, but also to log messages
          generated *about* the service by PID 1. To suppress logs concerning a
          specific service comprehensively, set this option to a high log
          level.

        * bootctl gained support for a new --make-machine-id-directory= switch
          that allows precise control on whether to create the top-level
          per-machine directory in the boot partition that typically contains
          Type 1 boot loader entries.

        * During build SBAT data to include in the systemd-boot EFI PE binaries
          may be specified now.

        * /etc/crypttab learnt a new option "headless". If specified any
          requests to query the user interactively for passwords or PINs will
          be skipped. This is useful on systems that are headless, i.e. where
          an interactive user is generally not present.

        * /etc/crypttab also learnt a new option "password-echo=" that allows
          configuring whether the encryption password prompt shall echo the
          typed password and if so, do so literally or via asterisks. (The
          default is the same behaviour as before: provide echo feedback via
          asterisks.)

        * FIDO2 support in systemd-cryptenroll/systemd-cryptsetup and
          systemd-homed has been updated to allow explicit configuration of the
          "user presence" and "user verification" checks, as well as whether a
          PIN is required for authentication, via the new switches
          --fido2-with-user-presence=, --fido2-with-user-verification=,
          --fido2-with-client-pin= to systemd-cryptenroll and homectl. Which
          features are available, and may be enabled or disabled depends on the
          used FIDO2 token.

        * systemd-nspawn's --private-user= switch now accepts the special value
          "identity" which configures a user namespacing environment with an
          identity mapping of 65535 UIDs. This means the container UID 0 is
          mapped to the host UID 0, and the UID 1 to host UID 1. On first look
          this doesn't appear to be useful, however it does reduce the attack
          surface a bit, since the resulting container will possess process
          capabilities only within its namespace and not on the host.

        * systemd-nspawn's --private-user-chown switch has been replaced by a
          more generic --private-user-ownership= switch that accepts one of
          three values: "chown" is equivalent to the old --private-user-chown,
          and "off" is equivalent to the absence of the old switch. The value
          "map" uses the new UID mapping mounts of Linux 5.12 to map ownership
          of files and directories of the underlying image to the chosen UID
          range for the container. "auto" is equivalent to "map" if UID mapping
          mount are supported, otherwise it is equivalent to "chown". The short
          -U switch systemd-nspawn now implies --private-user-ownership=auto
          instead of the old --private-user-chown. Effectively this means: if
          the backing file system supports UID mapping mounts the feature is
          now used by default if -U is used. Generally, it's a good idea to use
          UID mapping mounts instead of recursive chown()ing, since it allows
          running containers off immutable images (since no modifications of
          the images need to take place), and share images between multiple
          instances. Moreover, the recursive chown()ing operation is slow and
          can be avoided. Conceptually it's also a good thing if transient UID
          range uses do not leak into persistent file ownership anymore. TLDR:
          finally, the last major drawback of user namespacing has been
          removed, and -U should always be used (unless you use btrfs, where
          UID mapped mounts do not exist; or your container actually needs
          privileges on the host).

        * nss-systemd now synthesizes user and group shadow records in addition
          to the main user and group records. Thus, hashed passwords managed by
          systemd-homed are now accessible via the shadow database.

        * The userdb logic (and thus nss-systemd, and so on) now read
          additional user/group definitions in JSON format from the drop-in
          directories /etc/userdb/, /run/userdb/, /run/host/userdb/ and
          /usr/lib/userdb/. This is a simple and powerful mechanism for making
          additional users available to the system, with full integration into
          NSS including the shadow databases. Since the full JSON user/group
          record format is supported this may also be used to define users with
          resource management settings and other runtime settings that
          pam_systemd and systemd-logind enforce at login.

        * The userdbctl tool gained two new switches --with-dropin= and
          --with-varlink= which can be used to fine-tune the sources used for
          user database lookups.

        * systemd-nspawn gained a new switch --bind-user= for binding a host
          user account into the container. This does three things: the user's
          home directory is bind mounted from the host into the container,
          below the /run/userdb/home/ hierarchy. A free UID is picked in the
          container, and a user namespacing UID mapping to the host user's UID
          installed. And finally, a minimal JSON user and group record (along
          with its hashed password) is dropped into /run/host/userdb/. These
          records are picked up automatically by the userdb drop-in logic
          describe above, and allow the user to login with the same password as
          on the host. Effectively this means: if host and container run new
          enough systemd versions making a host user available to the container
          is trivially simple.

        * systemd-journal-gatewayd now supports the switches --user, --system,
          --merge, --file= that are equivalent to the same switches of
          journalctl, and permit exposing only the specified subset of the
          Journal records.

        * The OnFailure= dependency between units is now augmented with a
          implicit reverse dependency OnFailureOf= (this new dependency cannot
          be configured directly it's only created as effect of an OnFailure=
          dependency in the reverse order — it's visible in "systemctl show"
          however). Similar, Slice= now has an reverse dependency SliceOf=,
          that is also not configurable directly, but useful to determine all
          units that are members of a slice.

        * A pair of new dependency types between units PropagatesStopTo= +
          StopPropagatedFrom= has been added, that allows propagation of unit
          stop events between two units. It operates similar to the existing
          PropagatesReloadTo= + ReloadPropagatedFrom= dependencies.

        * A new dependency type OnSuccess= has been added (plus the reverse
          dependency OnSuccessOf=, which cannot be configured directly, but
          exists only as effect of the reverse OnSuccess=). It is similar to
          OnFailure=, but triggers in the opposite case: when a service exits
          cleanly. This allows "chaining up" of services where one or more
          services are started once another service has successfully completed.

        * A new dependency type Upholds= has been added (plus the reverse
          dependency UpheldBy=, which cannot be configured directly, but exists
          only as effect of Upholds=). This dependency type is a stronger form
          of Wants=: if a unit has an UpHolds= dependency on some other unit
          and the former is active then the latter is started whenever it is
          found inactive (and no job is queued for it). This is an alternative
          to Restart= inside service units, but less configurable, and the
          request to uphold a unit is not encoded in the unit itself but in
          another unit that intends to uphold it.

        * The systemd-ask-password tool now also supports reading passwords
          from the credentials subsystem, via the new --credential= switch.

        * The systemd-ask-password tool learnt a new switch --emoji= which may
          be used to explicit control whether the lock and key emoji (🔐) is
          shown in the password prompt on suitable TTYs.

        * The --echo switch of systemd-ask-password now optionally takes a
          parameter that controls character echo. It may either show asterisks
          (default, as before), turn echo off entirely, or echo the typed
          characters literally.

        * The systemd-ask-password tool also gained a new -n switch for
          suppressing output of a trailing newline character when writing the
          acquired password to standard output, similar to /bin/echo's -n
          switch.

        * New documentation has been added that describes the organization of
          the systemd source code tree:

          https://systemd.io/ARCHITECTURE

        * Units using ConditionNeedsUpdate= will no longer be activated in
          the initrd.

        * It is now possible to list a template unit in the WantedBy= or
          RequiredBy= settings of the [Install] section of another template
          unit, which will be instantiated using the same instance name.

        * A new MemoryAvailable property is available for units. If the unit,
          or the slices it is part of, have a memory limit set via MemoryMax=/
          MemoryHigh=, MemoryAvailable will indicate how much more memory the
          unit can claim before hitting the limits.

        * systemd-coredump will now try to stay below the cgroup memory limit
          placed on itself or one of the slices it runs under, if the storage
          area for core files (/var/lib/systemd/coredump/) is placed on a tmpfs,
          since files written on such filesystems count toward the cgroup memory
          limit. If there is not enough available memory in such cases to store
          the core file uncompressed, systemd-coredump will skip to compressed
          storage directly (if enabled) and it will avoid analyzing the core file
          to print backtrace and metadata in the journal.

        * tmpfiles.d/ drop-ins gained a new '=' modifier to check if the type
          of a path matches the configured expectations, and remove it if not.

        * tmpfiles.d/'s 'Age' now accepts an 'age-by' argument, which allows to
          specify which of the several available filesystem timestamps (access
          time, birth time, change time, modification time) to look at when
          deciding whether a path has aged enough to be cleaned.

        * A new IPv6StableSecretAddress= setting has been added to .network
          files, which takes an IPv6 address to use as secret for IPv6 address
          generation.

        * The [DHCPServer] logic in .network files gained support for a new
          UplinkInterface= setting that permits configuration of the uplink
          interface name to propagate DHCP lease information from.

        * The WakeOnLan= setting in .link files now accepts a list of flags
          instead of a single one, to configure multiple wake-on-LAN policies.

        * User-space defined tracepoints (USDT) have been added to udev at
          strategic locations. This is useful for tracing udev behaviour and
          performance with bpftrace and similar tools.

        * systemd-journald-upload gained a new NetworkTimeoutSec= option for
          setting a network timeout time.

        * If a system service is running in a new mount namespace (RootDirectory=
          and friends), all file systems will be mounted with MS_NOSUID by
          default, unless the system is running with SELinux enabled.

        * When enumerating time zones the timedatectl tool will now consult the
          'tzdata.zi' file shipped by the IANA time zone database package, in
          addition to 'zone1970.tab', as before. This makes sure time zone
          aliases are now correctly supported. Some distributions so far did
          not install this additional file, most do however. If you
          distribution does not install it yet, it might make sense to change
          that.

        * Intel HID rfkill event is no longer masked, since it's the only
          source of rfkill event on newer HP laptops. To have both backward and
          forward compatibility, userspace daemon needs to debounce duplicated
          events in a short time window.

        Contributions from: Aakash Singh, adrian5, Albert Brox,
        Alexander Sverdlin, Alexander Tsoy, Alexey Rubtsov, alexlzhu,
        Allen Webb, Alvin Šipraga, Alyssa Ross, Anders Wenhaug,
        Andrea Pappacoda, Anita Zhang, asavah, Balint Reczey, Bertrand Jacquin,
        borna-blazevic, caoxia2008cxx, Carlo Teubner, Christian Göttsche,
        Christian Hesse, Daniel Schaefer, Dan Streetman,
        David Santamaría Rogado, David Tardon, Deepak Rawat, dgcampea,
        Dimitri John Ledkov, ei-ke, Emilio Herrera, Emil Renner Berthing,
        Eric Cook, Flos Lonicerae, Franck Bui, Francois Gervais,
        Frantisek Sumsal, Gibeom Gwon, gitm0, Hamish Moffatt, Hans de Goede,
        Harsh Barsaiyan, Henri Chain, Hristo Venev, Icenowy Zheng, Igor Zhbanov,
        imayoda, Jakub Warczarek, James Buren, Jan Janssen, Jan Macku,
        Jan Synacek, Jason Francis, Jayanth Ananthapadmanaban, Jeremy Szu,
        Jérôme Carretero, Jesse Stricker, jiangchuangang, Joerg Behrmann,
        Jóhann B. Guðmundsson, Jörg Deckert, Jörg Thalheim, Juergen Hoetzel,
        Julia Kartseva, Kai-Heng Feng, Khem Raj, KoyamaSohei, laineantti,
        Lennart Poettering, LetzteInstanz, Luca Adrian L, Luca Boccassi,
        Lucas Magasweran, Mantas Mikulėnas, Marco Antonio Mauro, Mark Wielaard,
        Masahiro Matsuya, Matt Johnston, Michael Catanzaro, Michal Koutný,
        Michal Sekletár, Mike Crowe, Mike Kazantsev, Milan, milaq,
        Miroslav Suchý, Morten Linderud, nerdopolis, nl6720, Noah Meyerhans,
        Oleg Popov, Olle Lundberg, Ondrej Kozina, Paweł Marciniak, Perry.Yuan,
        Peter Hutterer, Peter Kjellerstedt, Peter Morrow, Phaedrus Leeds,
        plattrap, qhill, Raul Tambre, Roman Beranek, Roshan Shariff,
        Ryan Hendrickson, Samuel BF, scootergrisen, Sebastian Blunt,
        Seong-ho Cho, Sergey Bugaev, Sevan Janiyan, Sibo Dong, simmon,
        Simon Watts, Srinidhi Kaushik, Štěpán Němec, Steve Bonds, Susant Sahani,
        sverdlin, syyhao1994, Takashi Sakamoto, Topi Miettinen, tramsay,
        Trent Piepho, Uwe Kleine-König, Viktor Mihajlovski, Vincent Dechenaux,
        Vito Caputo, William A. Kennington III, Yangyang Shen, Yegor Alexeyev,
        Yi Gao, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, zsien, наб

        — Edinburgh, 2021-07-07

CHANGES WITH 248:

        * A concept of system extension images is introduced. Such images may
          be used to extend the /usr/ and /opt/ directory hierarchies at
          runtime with additional files (even if the file system is read-only).
          When a system extension image is activated, its /usr/ and /opt/
          hierarchies and os-release information are combined via overlayfs
          with the file system hierarchy of the host OS.

          A new systemd-sysext tool can be used to merge, unmerge, list, and
          refresh system extension hierarchies. See
          https://www.freedesktop.org/software/systemd/man/systemd-sysext.html.

          The systemd-sysext.service automatically merges installed system
          extensions during boot (before basic.target, but not in very early
          boot, since various file systems have to be mounted first).

          The SYSEXT_LEVEL= field in os-release(5) may be used to specify the
          supported system extension level.

        * A new ExtensionImages= unit setting can be used to apply the same
          system extension image concept from systemd-sysext to the namespaced
          file hierarchy of specific services, following the same rules and
          constraints.

        * Support for a new special "root=tmpfs" kernel command-line option has
          been added. When specified, a tmpfs is mounted on /, and mount.usr=
          should be used to point to the operating system implementation.

        * A new configuration file /etc/veritytab may be used to configure
          dm-verity integrity protection for block devices. Each line is in the
          format "volume-name data-device hash-device roothash options",
          similar to /etc/crypttab.

        * A new kernel command-line option systemd.verity.root_options= may be
          used to configure dm-verity behaviour for the root device.

        * The key file specified in /etc/crypttab (the third field) may now
          refer to an AF_UNIX/SOCK_STREAM socket in the file system. The key is
          acquired by connecting to that socket and reading from it. This
          allows the implementation of a service to provide key information
          dynamically, at the moment when it is needed.

        * When the hostname is set explicitly to "localhost", systemd-hostnamed
          will respect this. Previously such a setting would be mostly silently
          ignored. The goal is to honour configuration as specified by the
          user.

        * The fallback hostname that will be used by the system manager and
          systemd-hostnamed can now be configured in two new ways: by setting
          DEFAULT_HOSTNAME= in os-release(5), or by setting
          $SYSTEMD_DEFAULT_HOSTNAME in the environment block. As before, it can
          also be configured during compilation. The environment variable is
          intended for testing and local overrides, the os-release(5) field is
          intended to allow customization by different variants of a
          distribution that share the same compiled packages.

        * The environment block of the manager itself may be configured through
          a new ManagerEnvironment= setting in system.conf or user.conf. This
          complements existing ways to set the environment block (the kernel
          command line for the system manager, the inherited environment and
          user@.service unit file settings for the user manager).

        * systemd-hostnamed now exports the default hostname and the source of
          the configured hostname ("static", "transient", or "default") as
          D-Bus properties.

        * systemd-hostnamed now exports the "HardwareVendor" and
          "HardwareModel" D-Bus properties, which are supposed to contain a
          pair of cleaned up, human-readable strings describing the system's
          vendor and model. It's typically sourced from the firmware's DMI
          tables, but may be augmented from a new hwdb database. hostnamectl
          shows this in the status output.

        * Support has been added to systemd-cryptsetup for extracting the
          PKCS#11 token URI and encrypted key from the LUKS2 JSON embedded
          metadata header. This allows the information how to open the
          encrypted device to be embedded directly in the device and obviates
          the need for configuration in an external file.

        * systemd-cryptsetup gained support for unlocking LUKS2 volumes using
          TPM2 hardware, as well as FIDO2 security tokens (in addition to the
          pre-existing support for PKCS#11 security tokens).

        * systemd-repart may enroll encrypted partitions using TPM2
          hardware. This may be useful for example to create an encrypted /var
          partition bound to the machine on first boot.

        * A new systemd-cryptenroll tool has been added to enroll TPM2, FIDO2
          and PKCS#11 security tokens to LUKS volumes, list and destroy
          them. See:

          https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html

          It also supports enrolling "recovery keys" and regular passphrases.

        * The libfido2 dependency is now based on dlopen(), so that the library
          is used at runtime when installed, but is not a hard runtime
          dependency.

        * systemd-cryptsetup gained support for two new options in
          /etc/crypttab: "no-write-workqueue" and "no-read-workqueue" which
          request synchronous processing of encryption/decryption IO.

        * The manager may be configured at compile time to use the fexecve()
          instead of the execve() system call when spawning processes. Using
          fexecve() closes a window between checking the security context of an
          executable and spawning it, but unfortunately the kernel displays
          stale information in the process' "comm" field, which impacts ps
          output and such.

        * The configuration option -Dcompat-gateway-hostname has been dropped.
          "_gateway" is now the only supported name.

        * The ConditionSecurity=tpm2 unit file setting may be used to check if
          the system has at least one TPM2 (tpmrm class) device.

        * A new ConditionCPUFeature= has been added that may be used to
          conditionalize units based on CPU features. For example,
          ConditionCPUFeature=rdrand will condition a unit so that it is only
          run when the system CPU supports the RDRAND opcode.

        * The existing ConditionControlGroupController= setting has been
          extended with two new values "v1" and "v2". "v2" means that the
          unified v2 cgroup hierarchy is used, and "v1" means that legacy v1
          hierarchy or the hybrid hierarchy are used.

        * A new PrivateIPC= setting on a unit file allows executed processes to
          be moved into a private IPC namespace, with separate System V IPC
          identifiers and POSIX message queues.

          A new IPCNamespacePath= allows the unit to be joined to an existing
          IPC namespace.

        * The tables of system calls in seccomp filters are now automatically
          generated from kernel lists exported on
          https://fedora.juszkiewicz.com.pl/syscalls.html.

          The following architectures should now have complete lists:
          alpha, arc, arm64, arm, i386, ia64, m68k, mips64n32, mips64, mipso32,
          powerpc, powerpc64, s390, s390x, tilegx, sparc, x86_64, x32.

        * The MountAPIVFS= service file setting now additionally mounts a tmpfs
          on /run/ if it is not already a mount point. A writable /run/ has
          always been a requirement for a functioning system, but this was not
          guaranteed when using a read-only image.

          Users can always specify BindPaths= or InaccessiblePaths= as
          overrides, and they will take precedence. If the host's root mount
          point is used, there is no change in behaviour.

        * New bind mounts and file system image mounts may be injected into the
          mount namespace of a service (without restarting it). This is exposed
          respectively as 'systemctl bind <unit> <path>…' and
          'systemctl mount-image <unit> <image>…'.

        * The StandardOutput= and StandardError= settings can now specify files
          to be truncated for output (as "truncate:<path>").

        * The ExecPaths= and NoExecPaths= settings may be used to specify
          noexec for parts of the file system.

        * sd-bus has a new function sd_bus_open_user_machine() to open a
          connection to the session bus of a specific user in a local container
          or on the local host. This is exposed in the existing -M switch to
          systemctl and similar tools:

              systemctl --user -M lennart@foobar start foo

          This will connect to the user bus of a user "lennart" in container
          "foobar". If no container name is specified, the specified user on
          the host itself is connected to

              systemctl --user -M lennart@ start quux

        * sd-bus also gained a convenience function sd_bus_message_send() to
          simplify invocations of sd_bus_send(), taking only a single
          parameter: the message to send.

        * sd-event allows rate limits to be set on event sources, for dealing
          with high-priority event sources that might starve out others. See
          the new man page sd_event_source_set_ratelimit(3) for details.

        * systemd.link files gained a [Link] Promiscuous= switch, which allows
          the device to be raised in promiscuous mode.

          New [Link] TransmitQueues= and ReceiveQueues= settings allow the
          number of TX and RX queues to be configured.

          New [Link] TransmitQueueLength= setting allows the size of the TX
          queue to be configured.

          New [Link] GenericSegmentOffloadMaxBytes= and
          GenericSegmentOffloadMaxSegments= allow capping the packet size and
          the number of segments accepted in Generic Segment Offload.

        * systemd-networkd gained support for the "B.A.T.M.A.N. advanced"
          wireless routing protocol that operates on ISO/OSI Layer 2 only and
          uses ethernet frames to route/bridge packets. This encompasses a new
          "batadv" netdev Type=, a new [BatmanAdvanced] section with a bunch of
          new settings in .netdev files, and a new BatmanAdvanced= setting in
          .network files.

        * systemd.network files gained a [Network] RouteTable= configuration
          switch to select the routing policy table.

          systemd.network files gained a [RoutingPolicyRule] Type=
          configuration switch (one of "blackhole, "unreachable", "prohibit").

          systemd.network files gained a [IPv6AcceptRA] RouteDenyList= and
          RouteAllowList= settings to ignore/accept route advertisements from
          routers matching specified prefixes. The DenyList= setting has been
          renamed to PrefixDenyList= and a new PrefixAllowList= option has been
          added.

          systemd.network files gained a [DHCPv6] UseAddress= setting to
          optionally ignore the address provided in the lease.

          systemd.network files gained a [DHCPv6PrefixDelegation]
          ManageTemporaryAddress= switch.

          systemd.network files gained a new ActivationPolicy= setting which
          allows configuring how the UP state of an interface shall be managed,
          i.e. whether the interface is always upped, always downed, or may be
          upped/downed by the user using "ip link set dev".

        * The default for the Broadcast= setting in .network files has slightly
          changed: the broadcast address will not be configured for wireguard
          devices.

        * systemd.netdev files gained a [VLAN] Protocol=, IngressQOSMaps=,
          EgressQOSMaps=, and [MACVLAN] BroadcastMulticastQueueLength=
          configuration options for VLAN packet handling.

        * udev rules may now set log_level= option. This allows debug logs to
          be enabled for select events, e.g. just for a specific subsystem or
          even a single device.

        * udev now exports the VOLUME_ID, LOGICAL_VOLUME_ID, VOLUME_SET_ID, and
          DATA_PREPARED_ID properties for block devices with ISO9660 file
          systems.

        * udev now exports decoded DMI information about installed memory slots
          as device properties under the /sys/class/dmi/id/ pseudo device.

        * /dev/ is not mounted noexec anymore. This didn't provide any
          significant security benefits and would conflict with the executable
          mappings used with /dev/sgx device nodes. The previous behaviour can
          be restored for individual services with NoExecPaths=/dev (or by allow-
          listing and excluding /dev from ExecPaths=).

        * Permissions for /dev/vsock are now set to 0o666, and /dev/vhost-vsock
          and /dev/vhost-net are owned by the kvm group.

        * The hardware database has been extended with a list of fingerprint
          readers that correctly support USB auto-suspend using data from
          libfprint.

        * systemd-resolved can now answer DNSSEC questions through the stub
          resolver interface in a way that allows local clients to do DNSSEC
          validation themselves. For a question with DO+CD set, it'll proxy the
          DNS query and respond with a mostly unmodified packet received from
          the upstream server.

        * systemd-resolved learnt a new boolean option CacheFromLocalhost= in
          resolved.conf. If true the service will provide caching even for DNS
          lookups made to an upstream DNS server on the 127.0.0.1/::1
          addresses. By default (and when the option is false) systemd-resolved
          will not cache such lookups, in order to avoid duplicate local
          caching, under the assumption the local upstream server caches
          anyway.

        * systemd-resolved now implements RFC5001 NSID in its local DNS
          stub. This may be used by local clients to determine whether they are
          talking to the DNS resolver stub or a different DNS server.

        * When resolving host names and other records resolvectl will now
          report where the data was acquired from (i.e. the local cache, the
          network, locally synthesized, …) and whether the network traffic it
          affected was encrypted or not. Moreover the tool acquired a number of
          new options --cache=, --synthesize=, --network=, --zone=,
          --trust-anchor=, --validate= that take booleans and may be used to
          tweak a lookup, i.e. whether it may be answered from cached
          information, locally synthesized information, information acquired
          through the network, the local mDNS/LLMNR zone, the DNSSEC trust
          anchor, and whether DNSSEC validation shall be executed for the
          lookup.

        * systemd-nspawn gained a new --ambient-capability= setting
          (AmbientCapability= in .nspawn files) to configure ambient
          capabilities passed to the container payload.

        * systemd-nspawn gained the ability to configure the firewall using the
          nftables subsystem (in addition to the existing iptables support).
          Similarly, systemd-networkd's IPMasquerade= option now supports
          nftables as back-end, too. In both cases NAT on IPv6 is now supported
          too, in addition to IPv4 (the iptables back-end still is IPv4-only).

          "IPMasquerade=yes", which was the same as "IPMasquerade=ipv4" before,
          retains its meaning, but has been deprecated. Please switch to either
          "ivp4" or "both" (if covering IPv6 is desired).

        * systemd-importd will now download .verity and .roothash.p7s files
          along with the machine image (as exposed via machinectl pull-raw).

        * systemd-oomd now gained a new DefaultMemoryPressureDurationSec=
          setting to configure the time a unit's cgroup needs to exceed memory
          pressure limits before action will be taken, and a new
          ManagedOOMPreference=none|avoid|omit setting to avoid killing certain
          units.

          systemd-oomd is now considered fully supported (the usual
          backwards-compatibility promises apply). Swap is not required for
          operation, but it is still recommended.

        * systemd-timesyncd gained a new ConnectionRetrySec= setting which
          configures the retry delay when trying to contact servers.

        * systemd-stdio-bridge gained --system/--user options to connect to the
          system bus (previous default) or the user session bus.

        * systemd-localed may now call locale-gen to generate missing locales
          on-demand (UTF-8-only). This improves integration with Debian-based
          distributions (Debian/Ubuntu/PureOS/Tanglu/...) and Arch Linux.

        * systemctl --check-inhibitors=true may now be used to obey inhibitors
          even when invoked non-interactively. The old --ignore-inhibitors
          switch is now deprecated and replaced by --check-inhibitors=false.

        * systemctl import-environment will now emit a warning when called
          without any arguments (i.e. to import the full environment block of
          the called program). This command will usually be invoked from a
          shell, which means that it'll inherit a bunch of variables which are
          specific to that shell, and usually to the TTY the shell is connected
          to, and don't have any meaning in the global context of the system or
          user service manager. Instead, only specific variables should be
          imported into the manager environment block.

          Similarly, programs which update the manager environment block by
          directly calling the D-Bus API of the manager, should also push
          specific variables, and not the full inherited environment.

        * systemctl's status output now shows unit state with a more careful
          choice of Unicode characters: units in maintenance show a "○" symbol
          instead of the usual "●", failed units show "×", and services being
          reloaded "↻".

        * coredumpctl gained a --debugger-arguments= switch to pass arguments
          to the debugger. It also gained support for showing coredump info in
          a simple JSON format.

        * systemctl/loginctl/machinectl's --signal= option now accept a special
          value "list", which may be used to show a brief table with known
          process signals and their numbers.

        * networkctl now shows the link activation policy in status.

        * Various tools gained --pager/--no-pager/--json= switches to
          enable/disable the pager and provide JSON output.

        * Various tools now accept two new values for the SYSTEMD_COLORS
          environment variable: "16" and "256", to configure how many terminal
          colors are used in output.

        * less 568 or newer is now required for the auto-paging logic of the
          various tools. Hyperlink ANSI sequences in terminal output are now
          used even if a pager is used, and older versions of less are not able
          to display these sequences correctly. SYSTEMD_URLIFY=0 may be used to
          disable this output again.

        * Builds with support for separate / and /usr/ hierarchies ("split-usr"
          builds, non-merged-usr builds) are now officially deprecated. A
          warning is emitted during build. Support is slated to be removed in
          about a year (when the Debian Bookworm release development starts).

        * Systems with the legacy cgroup v1 hierarchy are now marked as
          "tainted", to make it clearer that using the legacy hierarchy is not
          recommended.

        * systemd-localed will now refuse to configure a keymap which is not
          installed in the file system. This is intended as a bug fix, but
          could break cases where systemd-localed was used to configure the
          keymap in advanced of it being installed. It is necessary to install
          the keymap file first.

        * The main git development branch has been renamed to 'main'.

        * mmcblk[0-9]boot[0-9] devices will no longer be probed automatically
          for partitions, as in the vast majority of cases they contain none
          and are used internally by the bootloader (eg: uboot).

        * systemd will now set the $SYSTEMD_EXEC_PID environment variable for
          spawned processes to the PID of the process itself. This may be used
          by programs for detecting whether they were forked off by the service
          manager itself or are a process forked off further down the tree.

        * The sd-device API gained four new calls: sd_device_get_action() to
          determine the uevent add/remove/change/… action the device object has
          been seen for, sd_device_get_seqno() to determine the uevent sequence
          number, sd_device_new_from_stat_rdev() to allocate a new sd_device
          object from stat(2) data of a device node, and sd_device_trigger() to
          write to the 'uevent' attribute of a device.

        * For most tools the --no-legend= switch has been replaced by
          --legend=no and --legend=yes, to force whether tables are shown with
          headers/legends.

        * Units acquired a new property "Markers" that takes a list of zero,
          one or two of the following strings: "needs-reload" and
          "needs-restart". These markers may be set via "systemctl
          set-property". Once a marker is set, "systemctl reload-or-restart
          --marked" may be invoked to execute the operation the units are
          marked for. This is useful for package managers that want to mark
          units for restart/reload while updating, but affect the actual
          operations at a later step at once.

        * The sd_bus_message_read_strv() API call of sd-bus may now also be
          used to parse arrays of D-Bus signatures and D-Bus paths, in addition
          to regular strings.

        * bootctl will now report whether the UEFI firmware used a TPM2 device
          and measured the boot process into it.

        * systemd-tmpfiles learnt support for a new environment variable
          $SYSTEMD_TMPFILES_FORCE_SUBVOL which takes a boolean value. If true
          the v/q/Q lines in tmpfiles.d/ snippets will create btrfs subvolumes
          even if the root fs of the system is not itself a btrfs volume.

        * systemd-detect-virt/ConditionVirtualization= will now explicitly
          detect Docker/Podman environments where possible. Moreover, they
          should be able to generically detect any container manager as long as
          it assigns the container a cgroup.

        * portablectl gained a new "reattach" verb for detaching/reattaching a
          portable service image, useful for updating images on-the-fly.

        * Intel SGX enclave device nodes (which expose a security feature of
          newer Intel CPUs) will now be owned by a new system group "sgx".

        Contributions from: Adam Nielsen, Adrian Vovk, AJ Jordan, Alan Perry,
        Alastair Pharo, Alexander Batischev, Ali Abdallah, Andrew Balmos,
        Anita Zhang, Annika Wickert, Ansgar Burchardt, Antonio Terceiro,
        Antonius Frie, Ardy, Arian van Putten, Ariel Fermani, Arnaud T,
        A S Alam, Bastien Nocera, Benjamin Berg, Benjamin Robin, Björn Daase,
        caoxia, Carlo Wood, Charles Lee, ChopperRob, chri2, Christian Ehrhardt,
        Christian Hesse, Christopher Obbard, clayton craft, corvusnix, cprn,
        Daan De Meyer, Daniele Medri, Daniel Rusek, Dan Sanders, Dan Streetman,
        Darren Ng, David Edmundson, David Tardon, Deepak Rawat, Devon Pringle,
        Dmitry Borodaenko, dropsignal, Einsler Lee, Endre Szabo,
        Evgeny Vereshchagin, Fabian Affolter, Fangrui Song, Felipe Borges,
        feliperodriguesfr, Felix Stupp, Florian Hülsmann, Florian Klink,
        Florian Westphal, Franck Bui, Frantisek Sumsal, Gablegritule,
        Gaël PORTAY, Gaurav, Giedrius Statkevičius, Greg Depoire-Ferrer,
        Gustavo Costa, Hans de Goede, Hela Basa, heretoenhance, hide,
        Iago López Galeiras, igo95862, Ilya Dmitrichenko, Jameer Pathan,
        Jan Tojnar, Jiehong, Jinyuan Si, Joerg Behrmann, John Slade,
        Jonathan G. Underwood, Jonathan McDowell, Josh Triplett, Joshua Watt,
        Julia Cartwright, Julien Humbert, Kairui Song, Karel Zak,
        Kevin Backhouse, Kevin P. Fleming, Khem Raj, Konomi, krissgjeng,
        l4gfcm, Lajos Veres, Lennart Poettering, Lincoln Ramsay, Luca Boccassi,
        Luca BRUNO, Lucas Werkmeister, Luka Kudra, Luna Jernberg,
        Marc-André Lureau, Martin Wilck, Matthias Klumpp, Matt Turner,
        Michael Gisbers, Michael Marley, Michael Trapp, Michal Fabik,
        Michał Kopeć, Michal Koutný, Michal Sekletár, Michele Guerini Rocco,
        Mike Gilbert, milovlad, moson-mo, Nick, nihilix-melix, Oğuz Ersen,
        Ondrej Mosnacek, pali, Pavel Hrdina, Pavel Sapezhko, Perry Yuan,
        Peter Hutterer, Pierre Dubouilh, Piotr Drąg, Pjotr Vertaalt,
        Richard Laager, RussianNeuroMancer, Sam Lunt, Sebastiaan van Stijn,
        Sergey Bugaev, shenyangyang4, simmon, Simonas Kazlauskas,
        Slimane Selyan Amiri, Stefan Agner, Steve Ramage, Susant Sahani,
        Sven Mueller, Tad Fisher, Takashi Iwai, Thomas Haller, Tom Shield,
        Topi Miettinen, Torsten Hilbrich, tpgxyz, Tyler Hicks, ulf-f,
        Ulrich Ölmann, Vincent Pelletier, Vinnie Magro, Vito Caputo, Vlad,
        walbit-de, Whired Planck, wouter bolsterlee, Xℹ Ruoyao, Yangyang Shen,
        Yuri Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek,
        Zmicer Turok, Дамјан Георгиевски

        — Berlin, 2021-03-30

CHANGES WITH 247:

        * KERNEL API INCOMPATIBILITY: Linux 4.14 introduced two new uevents
          "bind" and "unbind" to the Linux device model. When this kernel
          change was made, systemd-udevd was only minimally updated to handle
          and propagate these new event types. The introduction of these new
          uevents (which are typically generated for USB devices and devices
          needing a firmware upload before being functional) resulted in a
          number of issues which we so far didn't address. We hoped the kernel
          maintainers would themselves address these issues in some form, but
          that did not happen. To handle them properly, many (if not most) udev
          rules files shipped in various packages need updating, and so do many
          programs that monitor or enumerate devices with libudev or sd-device,
          or otherwise process uevents. Please note that this incompatibility
          is not fault of systemd or udev, but caused by an incompatible kernel
          change that happened back in Linux 4.14, but is becoming more and
          more visible as the new uevents are generated by more kernel drivers.

          To minimize issues resulting from this kernel change (but not avoid
          them entirely) starting with systemd-udevd 247 the udev "tags"
          concept (which is a concept for marking and filtering devices during
          enumeration and monitoring) has been reworked: udev tags are now
          "sticky", meaning that once a tag is assigned to a device it will not
          be removed from the device again until the device itself is removed
          (i.e. unplugged). This makes sure that any application monitoring
          devices that match a specific tag is guaranteed to both see uevents
          where the device starts being relevant, and those where it stops
          being relevant (the latter now regularly happening due to the new
          "unbind" uevent type). The udev tags concept is hence now a concept
          tied to a *device* instead of a device *event* — unlike for example
          udev properties whose lifecycle (as before) is generally tied to a
          device event, meaning that the previously determined properties are
          forgotten whenever a new uevent is processed.

          With the newly redefined udev tags concept, sometimes it's necessary
          to determine which tags are the ones applied by the most recent
          uevent/database update, in order to discern them from those
          originating from earlier uevents/database updates of the same
          device. To accommodate for this a new automatic property CURRENT_TAGS
          has been added that works similar to the existing TAGS property but
          only lists tags set by the most recent uevent/database
          update. Similarly, the libudev/sd-device API has been updated with
          new functions to enumerate these 'current' tags, in addition to the
          existing APIs that now enumerate the 'sticky' ones.

          To properly handle "bind"/"unbind" on Linux 4.14 and newer it is
          essential that all udev rules files and applications are updated to
          handle the new events. Specifically:

          • All rule files that currently use a header guard similar to
            ACTION!="add|change",GOTO="xyz_end" should be updated to use
            ACTION=="remove",GOTO="xyz_end" instead, so that the
            properties/tags they add are also applied whenever "bind" (or
            "unbind") is seen. (This is most important for all physical device
            types — those for which "bind" and "unbind" are currently
            generated, for all other device types this change is still
            recommended but not as important — but certainly prepares for
            future kernel uevent type additions).

          • Similarly, all code monitoring devices that contains an 'if' branch
            discerning the "add" + "change" uevent actions from all other
            uevents actions (i.e. considering devices only relevant after "add"
            or "change", and irrelevant on all other events) should be reworked
            to instead negatively check for "remove" only (i.e. considering
            devices relevant after all event types, except for "remove", which
            invalidates the device). Note that this also means that devices
            should be considered relevant on "unbind", even though conceptually
            this — in some form — invalidates the device. Since the precise
            effect of "unbind" is not generically defined, devices should be
            considered relevant even after "unbind", however I/O errors
            accessing the device should then be handled gracefully.

          • Any code that uses device tags for deciding whether a device is
            relevant or not most likely needs to be updated to use the new
            udev_device_has_current_tag() API (or sd_device_has_current_tag()
            in case sd-device is used), to check whether the tag is set at the
            moment an uevent is seen (as opposed to the existing
            udev_device_has_tag() API which checks if the tag ever existed on
            the device, following the API concept redefinition explained
            above).

          We are very sorry for this breakage and the requirement to update
          packages using these interfaces. We'd again like to underline that
          this is not caused by systemd/udev changes, but result of a kernel
          behaviour change.

        * UPCOMING INCOMPATIBILITY: So far most downstream distribution
          packages have not retriggered devices once the udev package (or any
          auxiliary package installing additional udev rules) is updated. We
          intend to work with major distributions to change this, so that
          "udevadm trigger -c change" is issued on such upgrades, ensuring that
          the updated ruleset is applied to the devices already discovered, so
          that (asynchronously) after the upgrade completed the udev database
          is consistent with the updated rule set. This means udev rules must
          be ready to be retriggered with a "change" action any time, and
          result in correct and complete udev database entries. While the
          majority of udev rule files known to us currently get this right,
          some don't. Specifically, there are udev rules files included in
          various packages that only set udev properties on the "add" action,
          but do not handle the "change" action. If a device matching those
          rules is retriggered with the "change" action (as is intended here)
          it would suddenly lose the relevant properties. This always has been
          problematic, but as soon as all udev devices are triggered on relevant
          package upgrades this will become particularly so. It is strongly
          recommended to fix offending rules so that they can handle a "change"
          action at any time, and acquire all necessary udev properties even
          then. Or in other words: the header guard mentioned above
          (ACTION=="remove",GOTO="xyz_end") is the correct approach to handle
          this, as it makes sure rules are rerun on "change" correctly, and
          accumulate the correct and complete set of udev properties. udev rule
          definitions that cannot handle "change" events being triggered at
          arbitrary times should be considered buggy.

        * The MountAPIVFS= service file setting now defaults to on if
          RootImage= and RootDirectory= are used, which means that with those
          two settings /proc/, /sys/ and /dev/ are automatically properly set
          up for services. Previous behaviour may be restored by explicitly
          setting MountAPIVFS=off.

        * Since PAM 1.2.0 (2015) configuration snippets may be placed in
          /usr/lib/pam.d/ in addition to /etc/pam.d/. If a file exists in the
          latter it takes precedence over the former, similar to how most of
          systemd's own configuration is handled. Given that PAM stack
          definitions are primarily put together by OS vendors/distributions
          (though possibly overridden by users), this systemd release moves its
          own PAM stack configuration for the "systemd-user" PAM service (i.e.
          for the PAM session invoked by the per-user user@.service instance)
          from /etc/pam.d/ to /usr/lib/pam.d/. We recommend moving all
          packages' vendor versions of their PAM stack definitions from
          /etc/pam.d/ to /usr/lib/pam.d/, but if such OS-wide migration is not
          desired the location to which systemd installs its PAM stack
          configuration may be changed via the -Dpamconfdir Meson option.

        * The runtime dependencies on libqrencode, libpcre2, libidn/libidn2,
          libpwquality and libcryptsetup have been changed to be based on
          dlopen(): instead of regular dynamic library dependencies declared in
          the binary ELF headers, these libraries are now loaded on demand
          only, if they are available. If the libraries cannot be found the
          relevant operations will fail gracefully, or a suitable fallback
          logic is chosen. This is supposed to be useful for general purpose
          distributions, as it allows minimizing the list of dependencies the
          systemd packages pull in, permitting building of more minimal OS
          images, while still making use of these "weak" dependencies should
          they be installed. Since many package managers automatically
          synthesize package dependencies from ELF shared library dependencies,
          some additional manual packaging work has to be done now to replace
          those (slightly downgraded from "required" to "recommended" or
          whatever is conceptually suitable for the package manager). Note that
          this change does not alter build-time behaviour: as before the
          build-time dependencies have to be installed during build, even if
          they now are optional during runtime.

        * sd-event.h gained a new call sd_event_add_time_relative() for
          installing timers relative to the current time. This is mostly a
          convenience wrapper around the pre-existing sd_event_add_time() call
          which installs absolute timers.

        * sd-event event sources may now be placed in a new "exit-on-failure"
          mode, which may be controlled via the new
          sd_event_source_get_exit_on_failure() and
          sd_event_source_set_exit_on_failure() functions. If enabled, any
          failure returned by the event source handler functions will result in
          exiting the event loop (unlike the default behaviour of just
          disabling the event source but continuing with the event loop). This
          feature is useful to set for all event sources that define "primary"
          program behaviour (where failure should be fatal) in contrast to
          "auxiliary" behaviour (where failure should remain local).

        * Most event source types sd-event supports now accept a NULL handler
          function, in which case the event loop is exited once the event
          source is to be dispatched, using the userdata pointer — converted to
          a signed integer — as exit code of the event loop. Previously this
          was supported for IO and signal event sources already. Exit event
          sources still do not support this (simply because it makes little
          sense there, as the event loop is already exiting when they are
          dispatched).

        * A new per-unit setting RootImageOptions= has been added which allows
          tweaking the mount options for any file system mounted as effect of
          the RootImage= setting.

        * Another new per-unit setting MountImages= has been added, that allows
          mounting additional disk images into the file system tree accessible
          to the service.

        * Timer units gained a new FixedRandomDelay= boolean setting. If
          enabled, the random delay configured with RandomizedDelaySec= is
          selected in a way that is stable on a given system (though still
          different for different units).

        * Socket units gained a new setting Timestamping= that takes "us", "ns"
          or "off". This controls the SO_TIMESTAMP/SO_TIMESTAMPNS socket
          options.

        * systemd-repart now generates JSON output when requested with the new
          --json= switch.

        * systemd-machined's OpenMachineShell() bus call will now pass
          additional policy metadata data fields to the PolicyKit
          authentication request.

        * systemd-tmpfiles gained a new -E switch, which is equivalent to
          --exclude-prefix=/dev --exclude-prefix=/proc --exclude=/run
          --exclude=/sys. It's particularly useful in combination with --root=,
          when operating on OS trees that do not have any of these four runtime
          directories mounted, as this means no files below these subtrees are
          created or modified, since those mount points should probably remain
          empty.

        * systemd-tmpfiles gained a new --image= switch which is like --root=,
          but takes a disk image instead of a directory as argument. The
          specified disk image is mounted inside a temporary mount namespace
          and the tmpfiles.d/ drop-ins stored in the image are executed and
          applied to the image. systemd-sysusers similarly gained a new
          --image= switch, that allows the sysusers.d/ drop-ins stored in the
          image to be applied onto the image.

        * Similarly, the journalctl command also gained an --image= switch,
          which is a quick one-step solution to look at the log data included
          in OS disk images.

        * journalctl's --output=cat option (which outputs the log content
          without any metadata, just the pure text messages) will now make use
          of terminal colors when run on a suitable terminal, similarly to the
          other output modes.

        * JSON group records now support a "description" string that may be
          used to add a human-readable textual description to such groups. This
          is supposed to match the user's GECOS field which traditionally
          didn't have a counterpart for group records.

        * The "systemd-dissect" tool that may be used to inspect OS disk images
          and that was previously installed to /usr/lib/systemd/ has now been
          moved to /usr/bin/, reflecting its updated status of an officially
          supported tool with a stable interface. It gained support for a new
          --mkdir switch which when combined with --mount has the effect of
          creating the directory to mount the image to if it is missing
          first. It also gained two new commands --copy-from and --copy-to for
          copying files and directories in and out of an OS image without the
          need to manually mount it. It also acquired support for a new option
          --json= to generate JSON output when inspecting an OS image.

        * The cgroup2 file system is now mounted with the
          "memory_recursiveprot" mount option, supported since kernel 5.7. This
          means that the MemoryLow= and MemoryMin= unit file settings now apply
          recursively to whole subtrees.

        * systemd-homed now defaults to using the btrfs file system — if
          available — when creating home directories in LUKS volumes. This may
          be changed with the DefaultFileSystemType= setting in homed.conf.
          It's now the default file system in various major distributions and
          has the major benefit for homed that it can be grown and shrunk while
          mounted, unlike the other contenders ext4 and xfs, which can both be
          grown online, but not shrunk (in fact xfs is the technically most
          limited option here, as it cannot be shrunk at all).

        * JSON user records managed by systemd-homed gained support for
          "recovery keys". These are basically secondary passphrases that can
          unlock user accounts/home directories. They are computer-generated
          rather than user-chosen, and typically have greater entropy.
          homectl's --recovery-key= option may be used to add a recovery key to
          a user account. The generated recovery key is displayed as a QR code,
          so that it can be scanned to be kept in a safe place. This feature is
          particularly useful in combination with systemd-homed's support for
          FIDO2 or PKCS#11 authentication, as a secure fallback in case the
          security tokens are lost. Recovery keys may be entered wherever the
          system asks for a password.

        * systemd-homed now maintains a "dirty" flag for each LUKS encrypted
          home directory which indicates that a home directory has not been
          deactivated cleanly when offline. This flag is useful to identify
          home directories for which the offline discard logic did not run when
          offlining, and where it would be a good idea to log in again to catch
          up.

        * systemctl gained a new parameter --timestamp= which may be used to
          change the style in which timestamps are output, i.e. whether to show
          them in local timezone or UTC, or whether to show µs granularity.

        * Alibaba's "pouch" container manager is now detected by
          systemd-detect-virt, ConditionVirtualization= and similar
          constructs. Similar, they now also recognize IBM PowerVM machine
          virtualization.

        * systemd-nspawn has been reworked to use the /run/host/incoming/ as
          place to use for propagating external mounts into the
          container. Similarly /run/host/notify is now used as the socket path
          for container payloads to communicate with the container manager
          using sd_notify(). The container manager now uses the
          /run/host/inaccessible/ directory to place "inaccessible" file nodes
          of all relevant types which may be used by the container payload as
          bind mount source to over-mount inodes to make them inaccessible.
          /run/host/container-manager will now be initialized with the same
          string as the $container environment variable passed to the
          container's PID 1. /run/host/container-uuid will be initialized with
          the same string as $container_uuid. This means the /run/host/
          hierarchy is now the primary way to make host resources available to
          the container. The Container Interface documents these new files and
          directories:

          https://systemd.io/CONTAINER_INTERFACE

        * Support for the "ConditionNull=" unit file condition has been
          deprecated and undocumented for 6 years. systemd started to warn
          about its use 1.5 years ago. It has now been removed entirely.

        * sd-bus.h gained a new API call sd_bus_error_has_names(), which takes
          a sd_bus_error struct and a list of error names, and checks if the
          error matches one of these names. It's a convenience wrapper that is
          useful in cases where multiple errors shall be handled the same way.

        * A new system call filter list "@known" has been added, that contains
          all system calls known at the time systemd was built.

        * Behaviour of system call filter allow lists has changed slightly:
          system calls that are contained in @known will result in EPERM by
          default, while those not contained in it result in ENOSYS. This
          should improve compatibility because known system calls will thus be
          communicated as prohibited, while unknown (and thus newer ones) will
          be communicated as not implemented, which hopefully has the greatest
          chance of triggering the right fallback code paths in client
          applications.

        * "systemd-analyze syscall-filter" will now show two separate sections
          at the bottom of the output: system calls known during systemd build
          time but not included in any of the filter groups shown above, and
          system calls defined on the local kernel but known during systemd
          build time.

        * If the $SYSTEMD_LOG_SECCOMP=1 environment variable is set for
          systemd-nspawn all system call filter violations will be logged by
          the kernel (audit). This is useful for tracking down system calls
          invoked by container payloads that are prohibited by the container's
          system call filter policy.

        * If the $SYSTEMD_SECCOMP=0 environment variable is set for
          systemd-nspawn (and other programs that use seccomp) all seccomp
          filtering is turned off.

        * Two new unit file settings ProtectProc= and ProcSubset= have been
          added that expose the hidepid= and subset= mount options of procfs.
          All processes of the unit will only see processes in /proc that are
          are owned by the unit's user. This is an important new sandboxing
          option that is recommended to be set on all system services. All
          long-running system services that are included in systemd itself set
          this option now. This option is only supported on kernel 5.8 and
          above, since the hidepid= option supported on older kernels was not a
          per-mount option but actually applied to the whole PID namespace.

        * Socket units gained a new boolean setting FlushPending=. If enabled
          all pending socket data/connections are flushed whenever the socket
          unit enters the "listening" state, i.e. after the associated service
          exited.

        * The unit file setting NUMAMask= gained a new "all" value: when used,
          all existing NUMA nodes are added to the NUMA mask.

        * A new "credentials" logic has been added to system services. This is
          a simple mechanism to pass privileged data to services in a safe and
          secure way. It's supposed to be used to pass per-service secret data
          such as passwords or cryptographic keys but also associated less
          private information such as user names, certificates, and similar to
          system services. Each credential is identified by a short user-chosen
          name and may contain arbitrary binary data. Two new unit file
          settings have been added: SetCredential= and LoadCredential=. The
          former allows setting a credential to a literal string, the latter
          sets a credential to the contents of a file (or data read from a
          user-chosen AF_UNIX stream socket). Credentials are passed to the
          service via a special credentials directory, one file for each
          credential. The path to the credentials directory is passed in a new
          $CREDENTIALS_DIRECTORY environment variable. Since the credentials
          are passed in the file system they may be easily referenced in
          ExecStart= command lines too, thus no explicit support for the
          credentials logic in daemons is required (though ideally daemons
          would look for the bits they need in $CREDENTIALS_DIRECTORY
          themselves automatically, if set). The $CREDENTIALS_DIRECTORY is
          backed by unswappable memory if privileges allow it, immutable if
          privileges allow it, is accessible only to the service's UID, and is
          automatically destroyed when the service stops.

        * systemd-nspawn supports the same credentials logic. It can both
          consume credentials passed to it via the aforementioned
          $CREDENTIALS_DIRECTORY protocol as well as pass these credentials on
          to its payload. The service manager/PID 1 has been updated to match
          this: it can also accept credentials from the container manager that
          invokes it (in fact: any process that invokes it), and passes them on
          to its services. Thus, credentials can be propagated recursively down
          the tree: from a system's service manager to a systemd-nspawn
          service, to the service manager that runs as container payload and to
          the service it runs below. Credentials may also be added on the
          systemd-nspawn command line, using new --set-credential= and
          --load-credential= command line switches that match the
          aforementioned service settings.

        * systemd-repart gained new settings Format=, Encrypt=, CopyFiles= in
          the partition drop-ins which may be used to format/LUKS
          encrypt/populate any created partitions. The partitions are
          encrypted/formatted/populated before they are registered in the
          partition table, so that they appear atomically: either the
          partitions do not exist yet or they exist fully encrypted, formatted,
          and populated — there is no time window where they are
          "half-initialized". Thus the system is robust to abrupt shutdown: if
          the tool is terminated half-way during its operations on next boot it
          will start from the beginning.

        * systemd-repart's --size= operation gained a new "auto" value. If
          specified, and operating on a loopback file it is automatically sized
          to the minimal size the size constraints permit. This is useful to
          use "systemd-repart" as an image builder for minimally sized images.

        * systemd-resolved now gained a third IPC interface for requesting name
          resolution: besides D-Bus and local DNS to 127.0.0.53 a Varlink
          interface is now supported. The nss-resolve NSS module has been
          modified to use this new interface instead of D-Bus. Using Varlink
          has a major benefit over D-Bus: it works without a broker service,
          and thus already during earliest boot, before the dbus daemon has
          been started. This means name resolution via systemd-resolved now
          works at the same time systemd-networkd operates: from earliest boot
          on, including in the initrd.

        * systemd-resolved gained support for a new DNSStubListenerExtra=
          configuration file setting which may be used to specify additional IP
          addresses the built-in DNS stub shall listen on, in addition to the
          main one on 127.0.0.53:53.

        * Name lookups issued via systemd-resolved's D-Bus and Varlink
          interfaces (and thus also via glibc NSS if nss-resolve is used) will
          now honour a trailing dot in the hostname: if specified the search
          path logic is turned off. Thus "resolvectl query foo." is now
          equivalent to "resolvectl query --search=off foo.".

        * systemd-resolved gained a new D-Bus property "ResolvConfMode" that
          exposes how /etc/resolv.conf is currently managed: by resolved (and
          in which mode if so) or another subsystem. "resolvctl" will display
          this property in its status output.

        * The resolv.conf snippets systemd-resolved provides will now set "."
          as the search domain if no other search domain is known. This turns
          off the derivation of an implicit search domain by nss-dns for the
          hostname, when the hostname is set to an FQDN. This change is done to
          make nss-dns using resolv.conf provided by systemd-resolved behave
          more similarly to nss-resolve.

        * systemd-tmpfiles' file "aging" logic (i.e. the automatic clean-up of
          /tmp/ and /var/tmp/ based on file timestamps) now looks at the
          "birth" time (btime) of a file in addition to the atime, mtime, and
          ctime.

        * systemd-analyze gained a new verb "capability" that lists all known
          capabilities by the systemd build and by the kernel.

        * If a file /usr/lib/clock-epoch exists, PID 1 will read its mtime and
          advance the system clock to it at boot if it is noticed to be before
          that time. Previously, PID 1 would only advance the time to an epoch
          time that is set during build-time. With this new file OS builders
          can change this epoch timestamp on individual OS images without
          having to rebuild systemd.

        * systemd-logind will now listen to the KEY_RESTART key from the Linux
          input layer and reboot the system if it is pressed, similarly to how
          it already handles KEY_POWER, KEY_SUSPEND or KEY_SLEEP. KEY_RESTART
          was originally defined in the Multimedia context (to restart playback
          of a song or film), but is now primarily used in various embedded
          devices for "Reboot" buttons. Accordingly, systemd-logind will now
          honour it as such. This may configured in more detail via the new
          HandleRebootKey= and RebootKeyIgnoreInhibited=.

        * systemd-nspawn/systemd-machined will now reconstruct hardlinks when
          copying OS trees, for example in "systemd-nspawn --ephemeral",
          "systemd-nspawn --template=", "machinectl clone" and similar. This is
          useful when operating with OSTree images, which use hardlinks heavily
          throughout, and where such copies previously resulting in "exploding"
          hardlinks.

        * systemd-nspawn's --console= setting gained support for a new
          "autopipe" value, which is identical to "interactive" when invoked on
          a TTY, and "pipe" otherwise.

        * systemd-networkd's .network files gained support for explicitly
          configuring the multicast membership entries of bridge devices in the
          [BridgeMDB] section. It also gained support for the PIE queuing
          discipline in the [FlowQueuePIE] sections.

        * systemd-networkd's .netdev files may now be used to create "BareUDP"
          tunnels, configured in the new [BareUDP] setting.

        * systemd-networkd's Gateway= setting in .network files now accepts the
          special values "_dhcp4" and "_ipv6ra" to configure additional,
          locally defined, explicit routes to the gateway acquired via DHCP or
          IPv6 Router Advertisements. The old setting "_dhcp" is deprecated,
          but still accepted for backwards compatibility.

        * systemd-networkd's [IPv6PrefixDelegation] section and
          IPv6PrefixDelegation= options have been renamed as [IPv6SendRA] and
          IPv6SendRA= (the old names are still accepted for backwards
          compatibility).

        * systemd-networkd's .network files gained the DHCPv6PrefixDelegation=
          boolean setting in [Network] section. If enabled, the delegated prefix
          gained by another link will be configured, and an address within the
          prefix will be assigned.

        * systemd-networkd's .network files gained the Announce= boolean setting
          in [DHCPv6PrefixDelegation] section. When enabled, the delegated
          prefix will be announced through IPv6 router advertisement (IPv6 RA).
          The setting is enabled by default.

        * VXLAN tunnels may now be marked as independent of any underlying
          network interface via the new Independent= boolean setting.

        * systemctl gained support for two new verbs: "service-log-level" and
          "service-log-target" may be used on services that implement the
          generic org.freedesktop.LogControl1 D-Bus interface to dynamically
          adjust the log level and target. All of systemd's long-running
          services support this now, but ideally all system services would
          implement this interface to make the system more uniformly
          debuggable.

        * The SystemCallErrorNumber= unit file setting now accepts the new
          "kill" and "log" actions, in addition to arbitrary error number
          specifications as before. If "kill" the processes are killed on the
          event, if "log" the offending system call is audit logged.

        * A new SystemCallLog= unit file setting has been added that accepts a
          list of system calls that shall be logged about (audit).

        * The OS image dissection logic (as used by RootImage= in unit files or
          systemd-nspawn's --image= switch) has gained support for identifying
          and mounting explicit /usr/ partitions, which are now defined in the
          discoverable partition specification. This should be useful for
          environments where the root file system is
          generated/formatted/populated dynamically on first boot and combined
          with an immutable /usr/ tree that is supplied by the vendor.

        * In the final phase of shutdown, within the systemd-shutdown binary
          we'll now try to detach MD devices (i.e software RAID) in addition to
          loopback block devices and DM devices as before. This is supposed to
          be a safety net only, in order to increase robustness if things go
          wrong. Storage subsystems are expected to properly detach their
          storage volumes during regular shutdown already (or in case of
          storage backing the root file system: in the initrd hook we return to
          later).

        * If the SYSTEMD_LOG_TID environment variable is set all systemd tools
          will now log the thread ID in their log output. This is useful when
          working with heavily threaded programs.

        * If the SYSTEMD_RDRAND environment variable is set to "0", systemd will
          not use the RDRAND CPU instruction. This is useful in environments
          such as replay debuggers where non-deterministic behaviour is not
          desirable.

        * The autopaging logic in systemd's various tools (such as systemctl)
          has been updated to turn on "secure" mode in "less"
          (i.e. $LESSECURE=1) if execution in a "sudo" environment is
          detected. This disables invoking external programs from the pager,
          via the pipe logic. This behaviour may be overridden via the new
          $SYSTEMD_PAGERSECURE environment variable.

        * Units which have resource limits (.service, .mount, .swap, .slice,
          .socket, and .slice) gained new configuration settings
          ManagedOOMSwap=, ManagedOOMMemoryPressure=, and
          ManagedOOMMemoryPressureLimitPercent= that specify resource pressure
          limits and optional action taken by systemd-oomd.

        * A new service systemd-oomd has been added. It monitors resource
          contention for selected parts of the unit hierarchy using the PSI
          information reported by the kernel, and kills processes when memory
          or swap pressure is above configured limits. This service is only
          enabled by default in developer mode (see below) and should be
          considered a preview in this release. Behaviour details and option
          names are subject to change without the usual backwards-compatibility
          promises.

        * A new helper oomctl has been added to introspect systemd-oomd state.
          It is only enabled by default in developer mode and should be
          considered a preview without the usual backwards-compatibility
          promises.

        * New meson option -Dcompat-mutable-uid-boundaries= has been added. If
          enabled, systemd reads the system UID boundaries from /etc/login.defs
          at runtime, instead of using the built-in values selected during
          build. This is an option to improve compatibility for upgrades from
          old systems. It's strongly recommended not to make use of this
          functionality on new systems (or even enable it during build), as it
          makes something runtime-configurable that is mostly an implementation
          detail of the OS, and permits avoidable differences in deployments
          that create all kinds of problems in the long run.

        * New meson option '-Dmode=developer|release' has been added. When
          'developer', additional checks and features are enabled that are
          relevant during upstream development, e.g. verification that
          semi-automatically-generated documentation has been properly updated
          following API changes. Those checks are considered hints for
          developers and are not actionable in downstream builds. In addition,
          extra features that are not ready for general consumption may be
          enabled in developer mode. It is thus recommended to set
          '-Dmode=release' in end-user and distro builds.

        * systemd-cryptsetup gained support for processing detached LUKS
          headers specified on the kernel command line via the header=
          parameter of the luks.options= kernel command line option. The same
          device/path syntax as for key files is supported for header files
          like this.

        * The "net_id" built-in of udev has been updated to ignore ACPI _SUN
          slot index data for devices that are connected through a PCI bridge
          where the _SUN index is associated with the bridge instead of the
          network device itself. Previously this would create ambiguous device
          naming if multiple network interfaces were connected to the same PCI
          bridge. Since this is a naming scheme incompatibility on systems that
          possess hardware like this it has been introduced as new naming
          scheme "v247". The previous scheme can be selected via the
          "net.naming_scheme=v245" kernel command line parameter.

        * ConditionFirstBoot= semantics have been modified to be safe towards
          abnormal system power-off during first boot. Specifically, the
          "systemd-machine-id-commit.service" service now acts as boot
          milestone indicating when the first boot process is sufficiently
          complete in order to not consider the next following boot also a
          first boot. If the system is reset before this unit is reached the
          first time, the next boot will still be considered a first boot; once
          it has been reached, no further boots will be considered a first
          boot. The "first-boot-complete.target" unit now acts as official hook
          point to order against this. If a service shall be run on every boot
          until the first boot fully succeeds it may thus be ordered before
          this target unit (and pull it in) and carry ConditionFirstBoot=
          appropriately.

        * bootctl's set-default and set-oneshot commands now accept the three
          special strings "@default", "@oneshot", "@current" in place of a boot
          entry id. These strings are resolved to the current default and
          oneshot boot loader entry, as well as the currently booted one. Thus
          a command "bootctl set-default @current" may be used to make the
          currently boot menu item the new default for all subsequent boots.

        * "systemctl edit" has been updated to show the original effective unit
          contents in commented form in the text editor.

        * Units in user mode are now segregated into three new slices:
          session.slice (units that form the core of graphical session),
          app.slice ("normal" user applications), and background.slice
          (low-priority tasks). Unless otherwise configured, user units are
          placed in app.slice. The plan is to add resource limits and
          protections for the different slices in the future.

        * New GPT partition types for RISCV32/64 for the root and /usr
          partitions, and their associated Verity partitions have been defined,
          and are now understood by systemd-gpt-auto-generator, and the OS
          image dissection logic.

        Contributions from: Adolfo Jayme Barrientos, afg, Alec Moskvin, Alyssa
        Ross, Amitanand Chikorde, Andrew Hangsleben, Anita Zhang, Ansgar
        Burchardt, Arian van Putten, Aurelien Jarno, Axel Rasmussen, bauen1,
        Beniamino Galvani, Benjamin Berg, Bjørn Mork, brainrom, Chandradeep
        Dey, Charles Lee, Chris Down, Christian Göttsche, Christof Efkemann,
        Christoph Ruegge, Clemens Gruber, Daan De Meyer, Daniele Medri, Daniel
        Mack, Daniel Rusek, Dan Streetman, David Tardon, Dimitri John Ledkov,
        Dmitry Borodaenko, Elias Probst, Elisei Roca, ErrantSpore, Etienne
        Doms, Fabrice Fontaine, fangxiuning, Felix Riemann, Florian Klink,
        Franck Bui, Frantisek Sumsal, fwSmit, George Rawlinson, germanztz,
        Gibeom Gwon, Glen Whitney, Gogo Gogsi, Göran Uddeborg, Grant Mathews,
        Hans de Goede, Hans Ulrich Niedermann, Haochen Tong, Harald Seiler,
        huangyong, Hubert Kario, igo95862, Ikey Doherty, Insun Pyo, Jan Chren,
        Jan Schlüter, Jérémy Nouhaud, Jian-Hong Pan, Joerg Behrmann, Jonathan
        Lebon, Jörg Thalheim, Josh Brobst, Juergen Hoetzel, Julien Humbert,
        Kai-Chuan Hsieh, Kairui Song, Kamil Dudka, Kir Kolyshkin, Kristijan
        Gjoshev, Kyle Huey, Kyle Russell, Lee Whalen, Lennart Poettering,
        lichangze, Luca Boccassi, Lucas Werkmeister, Luca Weiss, Marc
        Kleine-Budde, Marco Wang, Martin Wilck, Marti Raudsepp, masmullin2000,
        Máté Pozsgay, Matt Fenwick, Michael Biebl, Michael Scherer, Michal
        Koutný, Michal Sekletár, Michal Suchanek, Mikael Szreder, Milo
        Casagrande, mirabilos, Mitsuha_QuQ, mog422, Muhammet Kara, Nazar
        Vinnichuk, Nicholas Narsing, Nicolas Fella, Njibhu, nl6720, Oğuz Ersen,
        Olivier Le Moal, Ondrej Kozina, onlybugreports, Pass Automated Testing
        Suite, Pat Coulthard, Pavel Sapezhko, Pedro Ruiz, perry_yuan, Peter
        Hutterer, Phaedrus Leeds, PhoenixDiscord, Piotr Drąg, Plan C,
        Purushottam choudhary, Rasmus Villemoes, Renaud Métrich, Robert Marko,
        Roman Beranek, Ronan Pigott, Roy Chen (陳彥廷), RussianNeuroMancer,
        Samanta Navarro, Samuel BF, scootergrisen, Sorin Ionescu, Steve Dodd,
        Susant Sahani, Timo Rothenpieler, Tobias Hunger, Tobias Kaufmann, Topi
        Miettinen, vanou, Vito Caputo, Weblate, Wen Yang, Whired Planck,
        williamvds, Yu, Li-Yu, Yuri Chornoivan, Yu Watanabe, Zbigniew
        Jędrzejewski-Szmek, Zmicer Turok, Дамјан Георгиевски

        – Warsaw, 2020-11-26

CHANGES WITH 246:

        * The service manager gained basic support for cgroup v2 freezer. Units
          can now be suspended or resumed either using new systemctl verbs,
          freeze and thaw respectively, or via D-Bus.

        * PID 1 may now automatically load pre-compiled AppArmor policies from
          /etc/apparmor/earlypolicy during early boot.

        * The CPUAffinity= setting in service unit files now supports a new
          special value "numa" that causes the CPU affinity masked to be set
          based on the NUMA mask.

        * systemd will now log about all left-over processes remaining in a
          unit when the unit is stopped. It will now warn about services using
          KillMode=none, as this is generally an unsafe thing to make use of.

        * Two new unit file settings
          ConditionPathIsEncrypted=/AssertPathIsEncrypted= have been
          added. They may be used to check whether a specific file system path
          resides on a block device that is encrypted on the block level
          (i.e. using dm-crypt/LUKS).

        * Another pair of new settings ConditionEnvironment=/AssertEnvironment=
          has been added that may be used for simple environment checks. This
          is particularly useful when passing in environment variables from a
          container manager (or from PAM in case of the systemd --user
          instance).

        * .service unit files now accept a new setting CoredumpFilter= which
          allows configuration of the memory sections coredumps of the
          service's processes shall include.

        * .mount units gained a new ReadWriteOnly= boolean option. If set
          it will not be attempted to mount a file system read-only if mounting
          in read-write mode doesn't succeed. An option x-systemd.rw-only is
          available in /etc/fstab to control the same.

        * .socket units gained a new boolean setting PassPacketInfo=. If
          enabled, the kernel will attach additional per-packet metadata to all
          packets read from the socket, as an ancillary message. This controls
          the IP_PKTINFO, IPV6_RECVPKTINFO, NETLINK_PKTINFO socket options,
          depending on socket type.

        * .service units gained a new setting RootHash= which may be used to
          specify the root hash for verity enabled disk images which are
          specified in RootImage=. RootVerity= may be used to specify a path to
          the Verity data matching a RootImage= file system. (The latter is
          only useful for images that do not contain the Verity data embedded
          into the same image that carries a GPT partition table following the
          Discoverable Partition Specification). Similarly, systemd-nspawn
          gained a new switch --verity-data= that takes a path to a file with
          the verity data of the disk image supplied in --image=, if the image
          doesn't contain the verity data itself.

        * .service units gained a new setting RootHashSignature= which takes
          either a base64 encoded PKCS#7 signature of the root hash specified
          with RootHash=, or a path to a file to read the signature from. This
          allows validation of the root hash against public keys available in
          the kernel keyring, and is only supported on recent kernels
          (>= 5.4)/libcryptsetup (>= 2.30). A similar switch has been added to
          systemd-nspawn and systemd-dissect (--root-hash-sig=). Support for
          this mechanism has also been added to systemd-veritysetup.

        * .service unit files gained two new options
          TimeoutStartFailureMode=/TimeoutStopFailureMode= that may be used to
          tune behaviour if a start or stop timeout is hit, i.e. whether to
          terminate the service with SIGTERM, SIGABRT or SIGKILL.

        * Most options in systemd that accept hexadecimal values prefixed with
          0x in additional to the usual decimal notation now also support octal
          notation when the 0o prefix is used and binary notation if the 0b
          prefix is used.

        * Various command line parameters and configuration file settings that
          configure key or certificate files now optionally take paths to
          AF_UNIX sockets in the file system. If configured that way a stream
          connection is made to the socket and the required data read from
          it. This is a simple and natural extension to the existing regular
          file logic, and permits other software to provide keys or
          certificates via simple IPC services, for example when unencrypted
          storage on disk is not desired. Specifically, systemd-networkd's
          Wireguard and MACSEC key file settings as well as
          systemd-journal-gatewayd's and systemd-journal-remote's PEM
          key/certificate parameters support this now.

        * Unit files, tmpfiles.d/ snippets, sysusers.d/ snippets and other
          configuration files that support specifier expansion learnt six new
          specifiers: %a resolves to the current architecture, %o/%w/%B/%W
          resolve to the various ID fields from /etc/os-release, %l resolves to
          the "short" hostname of the system, i.e. the hostname configured in
          the kernel truncated at the first dot.

        * Support for the .include syntax in unit files has been removed. The
          concept has been obsolete for 6 years and we started warning about
          its pending removal 2 years ago (also see NEWS file below). It's
          finally gone now.

        * StandardError= and StandardOutput= in unit files no longer support
          the "syslog" and "syslog-console" switches. They were long removed
          from the documentation, but will now result in warnings when used,
          and be converted to "journal" and "journal+console" automatically.

        * If the service setting User= is set to the "nobody" user, a warning
          message is now written to the logs (but the value is nonetheless
          accepted). Setting User=nobody is unsafe, since the primary purpose
          of the "nobody" user is to own all files whose owner cannot be mapped
          locally. It's in particular used by the NFS subsystem and in user
          namespacing. By running a service under this user's UID it might get
          read and even write access to all these otherwise unmappable files,
          which is quite likely a major security problem.

        * tmpfs mounts automatically created by systemd (/tmp, /run, /dev/shm,
          and others) now have a size and inode limits applied (50% of RAM for
          /tmp and /dev/shm, 10% of RAM for other mounts, etc.). Please note
          that the implicit kernel default is 50% too, so there is no change
          in the size limit for /tmp and /dev/shm.

        * nss-mymachines lost support for resolution of users and groups, and
          now only does resolution of hostnames. This functionality is now
          provided by nss-systemd. Thus, the 'mymachines' entry should be
          removed from the 'passwd:' and 'group:' lines in /etc/nsswitch.conf
          (and 'systemd' added if it is not already there).

        * A new kernel command line option systemd.hostname= has been added
          that allows controlling the hostname that is initialized early during
          boot.

        * A kernel command line option "udev.blockdev_read_only" has been
          added. If specified all hardware block devices that show up are
          immediately marked as read-only by udev. This option is useful for
          making sure that a specific boot under no circumstances modifies data
          on disk. Use "blockdev --setrw" to undo the effect of this, per
          device.

        * A new boolean kernel command line option systemd.swap= has been
          added, which may be used to turn off automatic activation of swap
          devices listed in /etc/fstab.

        * New kernel command line options systemd.condition_needs_update= and
          systemd.condition_first_boot= have been added, which override the
          result of the ConditionNeedsUpdate= and ConditionFirstBoot=
          conditions.

        * A new kernel command line option systemd.clock_usec= has been added
          that allows setting the system clock to the specified time in µs
          since Jan 1st, 1970 early during boot. This is in particular useful
          in order to make test cases more reliable.

        * The fs.suid_dumpable sysctl is set to 2 / "suidsafe". This allows
          systemd-coredump to save core files for suid processes. When saving
          the core file, systemd-coredump will use the effective uid and gid of
          the process that faulted.

        * The /sys/module/kernel/parameters/crash_kexec_post_notifiers file is
          now automatically set to "Y" at boot, in order to enable pstore
          generation for collection with systemd-pstore.

        * We provide a set of udev rules to enable auto-suspend on PCI and USB
          devices that were tested to correctly support it. Previously, this
          was distributed as a set of udev rules, but has now been replaced by
          by a set of hwdb entries (and a much shorter udev rule to take action
          if the device modalias matches one of the new hwdb entries).

          As before, entries are periodically imported from the database
          maintained by the ChromiumOS project. If you have a device that
          supports auto-suspend correctly and where it should be enabled by
          default, please submit a patch that adds it to the database (see
          /usr/lib/udev/hwdb.d/60-autosuspend.hwdb).

        * systemd-udevd gained the new configuration option timeout_signal= as well
          as a corresponding kernel command line option udev.timeout_signal=.
          The option can be used to configure the UNIX signal that the main
          daemon sends to the worker processes on timeout. Setting the signal
          to SIGABRT is useful for debugging.

        * .link files managed by systemd-udevd gained options RxFlowControl=,
          TxFlowControl=, AutoNegotiationFlowControl= in the [Link] section, in
          order to configure various flow control parameters. They also gained
          RxMiniBufferSize= and RxJumboBufferSize= in order to configure jumbo
          frame ring buffer sizes.

        * networkd.conf gained a new boolean setting ManageForeignRoutes=. If
          enabled systemd-networkd manages all routes configured by other tools.

        * .network files managed by systemd-networkd gained a new section
          [SR-IOV], in order to configure SR-IOV capable network devices.

        * systemd-networkd's [IPv6Prefix] section in .network files gained a
          new boolean setting Assign=. If enabled an address from the prefix is
          automatically assigned to the interface.

        * systemd-networkd gained a new section [DHCPv6PrefixDelegation] which
          controls delegated prefixes assigned by DHCPv6 client. The section
          has three settings: SubnetID=, Assign=, and Token=. The setting
          SubnetID= allows explicit configuration of the preferred subnet that
          systemd-networkd's Prefix Delegation logic assigns to interfaces. If
          Assign= is enabled (which is the default) an address from any acquired
          delegated prefix is automatically chosen and assigned to the
          interface. The setting Token= specifies an optional address generation
          mode for Assign=.

        * systemd-networkd's [Network] section gained a new setting
          IPv4AcceptLocal=. If enabled the interface accepts packets with local
          source addresses.

        * systemd-networkd gained support for configuring the HTB queuing
          discipline in the [HierarchyTokenBucket] and
          [HierarchyTokenBucketClass] sections. Similar the "pfifo" qdisc may
          be configured in the [PFIFO] section, "GRED" in
          [GenericRandomEarlyDetection], "SFB" in [StochasticFairBlue], "cake"
          in [CAKE], "PIE" in [PIE], "DRR" in [DeficitRoundRobinScheduler] and
          [DeficitRoundRobinSchedulerClass], "BFIFO" in [BFIFO],
          "PFIFOHeadDrop" in [PFIFOHeadDrop], "PFIFOFast" in [PFIFOFast], "HHF"
          in [HeavyHitterFilter], "ETS" in [EnhancedTransmissionSelection] and
          "QFQ" in [QuickFairQueueing] and [QuickFairQueueingClass].

        * systemd-networkd gained support for a new Termination= setting in the
          [CAN] section for configuring the termination resistor. It also
          gained a new ListenOnly= setting for controlling whether to only
          listen on CAN interfaces, without interfering with traffic otherwise
          (which is useful for debugging/monitoring CAN network
          traffic). DataBitRate=, DataSamplePoint=, FDMode=, FDNonISO= have
          been added to configure various CAN-FD aspects.

        * systemd-networkd's [DHCPv6] section gained a new option WithoutRA=.
          When enabled, DHCPv6 will be attempted right-away without requiring an
          Router Advertisement packet suggesting it first (i.e. without the 'M'
          or 'O' flags set). The [IPv6AcceptRA] section gained a boolean option
          DHCPv6Client= that may be used to turn off the DHCPv6 client even if
          the RA packets suggest it.

        * systemd-networkd's [DHCPv4] section gained a new setting UseGateway=
          which may be used to turn off use of the gateway information provided
          by the DHCP lease. A new FallbackLeaseLifetimeSec= setting may be
          used to configure how to process leases that lack a lifetime option.

        * systemd-networkd's [DHCPv4] and [DHCPServer] sections gained a new
          setting SendVendorOption= allowing configuration of additional vendor
          options to send in the DHCP requests/responses. The [DHCPv6] section
          gained a new SendOption= setting for sending arbitrary DHCP
          options. RequestOptions= has been added to request arbitrary options
          from the server. UserClass= has been added to set the DHCP user class
          field.

        * systemd-networkd's [DHCPServer] section gained a new set of options
          EmitPOP3=/POP3=, EmitSMTP=/SMTP=, EmitLPR=/LPR= for including server
          information about these three protocols in the DHCP lease. It also
          gained support for including "MUD" URLs ("Manufacturer Usage
          Description"). Support for "MUD" URLs was also added to the LLDP
          stack, configurable in the [LLDP] section in .network files.

        * The Mode= settings in [MACVLAN] and [MACVTAP] now support 'source'
          mode. Also, the sections now support a new setting SourceMACAddress=.

        * systemd-networkd's .netdev files now support a new setting
          VLANProtocol= in the [Bridge] section that allows configuration of
          the VLAN protocol to use.

        * systemd-networkd supports a new Group= setting in the [Link] section
          of the .network files, to control the link group.

        * systemd-networkd's [Network] section gained a new
          IPv6LinkLocalAddressGenerationMode= setting, which specifies how IPv6
          link local address is generated.

        * A new default .network file is now shipped that matches TUN/TAP
          devices that begin with "vt-" in their name. Such interfaces will
          have IP routing onto the host links set up automatically. This is
          supposed to be used by VM managers to trivially acquire a network
          interface which is fully set up for host communication, simply by
          carefully picking an interface name to use.

        * systemd-networkd's [DHCPv6] section gained a new setting RouteMetric=
          which sets the route priority for routes specified by the DHCP server.

        * systemd-networkd's [DHCPv6] section gained a new setting VendorClass=
          which configures the vendor class information sent to DHCP server.

        * The BlackList= settings in .network files' [DHCPv4] and
          [IPv6AcceptRA] sections have been renamed DenyList=. The old names
          are still understood to provide compatibility.

        * networkctl gained the new "forcerenew" command for forcing all DHCP
          server clients to renew their lease. The interface "status" output
          will now show numerous additional fields of information about an
          interface. There are new "up" and "down" commands to bring specific
          interfaces up or down.

        * systemd-resolved's DNS= configuration option now optionally accepts a
          port number (after ":") and a host name (after "#"). When the host
          name is specified, the DNS-over-TLS certificate is validated to match
          the specified hostname. Additionally, in case of IPv6 addresses, an
          interface may be specified (after "%").

        * systemd-resolved may be configured to forward single-label DNS names.
          This is not standard-conformant, but may make sense in setups where
          public DNS servers are not used.

        * systemd-resolved's DNS-over-TLS support gained SNI validation.

        * systemd-nspawn's --resolv-conf= switch gained a number of new
          supported values. Specifically, options starting with "replace-" are
          like those prefixed "copy-" but replace any existing resolv.conf
          file. And options ending in "-uplink" and "-stub" can now be used to
          propagate other flavours of resolv.conf into the container (as
          defined by systemd-resolved).

        * The various programs included in systemd can now optionally output
          their log messages on stderr prefixed with a timestamp, controlled by
          the $SYSTEMD_LOG_TIME environment variable.

        * systemctl gained a new "-P" switch that is a shortcut for "--value
          --property=…".

        * "systemctl list-units" and "systemctl list-machines" no longer hide
          their first output column with --no-legend. To hide the first column,
          use --plain.

        * "systemctl reboot" takes the option "--reboot-argument=".
          The optional positional argument to "systemctl reboot" is now
          being deprecated in favor of this option.

        * systemd-run gained a new switch --slice-inherit. If specified the
          unit it generates is placed in the same slice as the systemd-run
          process itself.

        * systemd-journald gained support for zstd compression of large fields
          in journal files. The hash tables in journal files have been hardened
          against hash collisions. This is an incompatible change and means
          that journal files created with new systemd versions are not readable
          with old versions. If the $SYSTEMD_JOURNAL_KEYED_HASH boolean
          environment variable for systemd-journald.service is set to 0 this
          new hardening functionality may be turned off, so that generated
          journal files remain compatible with older journalctl
          implementations.

        * journalctl will now include a clickable link in the default output for
          each log message for which a URL with further documentation is
          known. This is only supported on terminal emulators that support
          clickable hyperlinks, and is turned off if a pager is used (since
          "less" still doesn't support hyperlinks,
          unfortunately). Documentation URLs may be included in log messages
          either by including a DOCUMENTATION= journal field in it, or by
          associating a journal message catalog entry with the log message's
          MESSAGE_ID, which then carries a "Documentation:" tag.

        * journald.conf gained a new boolean setting Audit= that may be used to
          control whether systemd-journald will enable audit during
          initialization.

        * when systemd-journald's log stream is broken up into multiple lines
          because the PID of the sender changed this is indicated in the
          generated log records via the _LINE_BREAK=pid-change field.

        * journalctl's "-o cat" output mode will now show one or more journal
          fields specified with --output-fields= instead of unconditionally
          MESSAGE=. This is useful to retrieve a very specific set of fields
          without any decoration.

        * The sd-journal.h API gained two new functions:
          sd_journal_enumerate_available_unique() and
          sd_journal_enumerate_available_data() that operate like their
          counterparts that lack the _available_ in the name, but skip items
          that cannot be read and processed by the local implementation
          (i.e. are compressed in an unsupported format or such),

        * coredumpctl gained a new --file= switch, matching the same one in
          journalctl: a specific journal file may be specified to read the
          coredump data from.

        * coredumps collected by systemd-coredump may now be compressed using
          the zstd algorithm.

        * systemd-binfmt gained a new switch --unregister for unregistering all
          registered entries at once. This is now invoked automatically at
          shutdown, so that binary formats registered with the "F" flag will
          not block clean file system unmounting.

        * systemd-notify's --pid= switch gained new values: "parent", "self",
          "auto" for controlling which PID to send to the service manager: the
          systemd-notify process' PID, or the one of the process invoking it.

        * systemd-logind's Session bus object learnt a new method call
          SetType() for temporarily updating the session type of an already
          allocated session. This is useful for upgrading tty sessions to
          graphical ones once a compositor is invoked.

        * systemd-socket-proxy gained a new switch --exit-idle-time= for
          configuring an exit-on-idle time.

        * systemd-repart's --empty= setting gained a new value "create". If
          specified a new empty regular disk image file is created under the
          specified name. Its size may be specified with the new --size=
          option. The latter is also supported without the "create" mode, in
          order to grow existing disk image files to the specified size. These
          two new options are useful when creating or manipulating disk images
          instead of operating on actual block devices.

        * systemd-repart drop-ins now support a new UUID= setting to control
          the UUID to assign to a newly created partition.

        * systemd-repart's SizeMin= per-partition parameter now defaults to 10M
          instead of 0.

        * systemd-repart's Label= setting now support the usual, simple
          specifier expansion.

        * systemd-homed's LUKS backend gained the ability to discard empty file
          system blocks automatically when the user logs out. This is enabled
          by default to ensure that home directories take minimal space when
          logged out but get full size guarantees when logged in. This may be
          controlled with the new --luks-offline-discard= switch to homectl.

        * If systemd-homed detects that /home/ is encrypted as a whole it will
          now default to the directory or subvolume backends instead of the
          LUKS backend, in order to avoid double encryption. The default
          storage and file system may now be configured explicitly, too, via
          the new /etc/systemd/homed.conf configuration file.

        * systemd-homed now supports unlocking home directories with FIDO2
          security tokens that support the 'hmac-secret' extension, in addition
          to the existing support for PKCS#11 security token unlocking
          support. Note that many recent hardware security tokens support both
          interfaces. The FIDO2 support is accessible via homectl's
          --fido2-device= option.

        * homectl's --pkcs11-uri= setting now accepts two special parameters:
          if "auto" is specified and only one suitable PKCS#11 security token
          is plugged in, its URL is automatically determined and enrolled for
          unlocking the home directory. If "list" is specified a brief table of
          suitable PKCS#11 security tokens is shown. Similar, the new
          --fido2-device= option also supports these two special values, for
          automatically selecting and listing suitable FIDO2 devices.

        * The /etc/crypttab tmp option now optionally takes an argument
          selecting the file system to use. Moreover, the default is now
          changed from ext2 to ext4.

        * There's a new /etc/crypttab option "keyfile-erase". If specified the
          key file listed in the same line is removed after use, regardless if
          volume activation was successful or not. This is useful if the key
          file is only acquired transiently at runtime and shall be erased
          before the system continues to boot.

        * There's also a new /etc/crypttab option "try-empty-password". If
          specified, before asking the user for a password it is attempted to
          unlock the volume with an empty password. This is useful for
          installing encrypted images whose password shall be set on first boot
          instead of at installation time.

        * systemd-cryptsetup will now attempt to load the keys to unlock
          volumes with automatically from files in
          /etc/cryptsetup-keys.d/<volume>.key and
          /run/cryptsetup-keys.d/<volume>.key, if any of these files exist.

        * systemd-cryptsetup may now activate Microsoft BitLocker volumes via
          /etc/crypttab, during boot.

        * logind.conf gained a new RuntimeDirectoryInodesMax= setting to
          control the inode limit for the per-user $XDG_RUNTIME_DIR tmpfs
          instance.

        * A new generator systemd-xdg-autostart-generator has been added. It
          generates systemd unit files from XDG autostart .desktop files, and
          may be used to let the systemd user instance manage services that are
          started automatically as part of the desktop session.

        * "bootctl" gained a new verb "reboot-to-firmware" that may be used
          to query and change the firmware's 'Reboot Into Firmware Interface'
          setup flag.

        * systemd-firstboot gained a new switch --kernel-command-line= that may
          be used to initialize the /etc/kernel/cmdline file of the image. It
          also gained a new switch --root-password-hashed= which is like
          --root-password= but accepts a pre-hashed UNIX password as
          argument. The new option --delete-root-password may be used to unset
          any password for the root user (dangerous!). The --root-shell= switch
          may be used to control the shell to use for the root account. A new
          --force option may be used to override any already set settings with
          the parameters specified on the command line (by default, the tool
          will not override what has already been set before, i.e. is purely
          incremental).

        * systemd-firstboot gained support for a new --image= switch, which is
          similar to --root= but accepts the path to a disk image file, on
          which it then operates.

        * A new sd-path.h API has been added to libsystemd. It provides a
          simple API for retrieving various search paths and primary
          directories for various resources.

        * A new call sd_notify_barrier() has been added to the sd-daemon.h
          API. The call will block until all previously sent sd_notify()
          messages have been processed by the service manager. This is useful
          to remove races caused by a process already having disappeared at the
          time a notification message is processed by the service manager,
          making correct attribution impossible. The systemd-notify tool will
          now make use of this call implicitly, but this can be turned off again
          via the new --no-block switch.

        * When sending a file descriptor (fd) to the service manager to keep
          track of, using the sd_notify() mechanism, a new parameter FDPOLL=0
          may be specified. If passed the service manager will refrain from
          poll()ing on the file descriptor. Traditionally (and when the
          parameter is not specified), the service manager will poll it for
          POLLHUP or POLLERR events, and immediately close the fds in that
          case.

        * The service manager (PID1) gained a new D-Bus method call
          SetShowStatus() which may be used to control whether it shall show
          boot-time status output on the console. This method has a similar
          effect to sending SIGRTMIN+20/SIGRTMIN+21 to PID 1.

        * The sd-bus API gained a number of convenience functions that take
          va_list arguments rather than "...". For example, there's now
          sd_bus_call_methodv() to match sd_bus_call_method(). Those calls make
          it easier to build wrappers that accept variadic arguments and want
          to pass a ready va_list structure to sd-bus.

        * sd-bus vtable entries can have a new SD_BUS_VTABLE_ABSOLUTE_OFFSET
          flag which alters how the userdata pointer to pass to the callbacks
          is determined. When the flag is set, the offset field is converted
          as-is into a pointer, without adding it to the object pointer the
          vtable is associated with.

        * sd-bus now exposes four new functions:
          sd_bus_interface_name_is_valid() + sd_bus_service_name_is_valid() +
          sd_bus_member_name_is_valid() + sd_bus_object_path_is_valid() will
          validate strings to check if they qualify as various D-Bus concepts.

        * The sd-bus API gained the SD_BUS_METHOD_WITH_ARGS(),
          SD_BUS_METHOD_WITH_ARGS_OFFSET() and SD_BUS_SIGNAL_WITH_ARGS() macros
          that simplify adding argument names to D-Bus methods and signals.

        * The man pages for the sd-bus and sd-hwdb APIs have been completed.

        * Various D-Bus APIs of systemd daemons now have man pages that
          document the methods, signals and properties.

        * The expectations on user/group name syntax are now documented in
          detail; documentation on how classic home directories may be
          converted into home directories managed by homed has been added;
          documentation regarding integration of homed/userdb functionality in
          desktops has been added:

              https://systemd.io/USER_NAMES
              https://systemd.io/CONVERTING_TO_HOMED
              https://systemd.io/USERDB_AND_DESKTOPS

        * Documentation for the on-disk Journal file format has been updated
          and has now moved to:

              https://systemd.io/JOURNAL_FILE_FORMAT

        * The interface for containers (https://systemd.io/CONTAINER_INTERFACE)
          has been extended by a set of environment variables that expose
          select fields from the host's os-release file to the container
          payload. Similarly, host's os-release files can be mounted into the
          container underneath /run/host. Together, those mechanisms provide a
          standardized way to expose information about the host to the
          container payload. Both interfaces are implemented in systemd-nspawn.

        * All D-Bus services shipped in systemd now implement the generic
          LogControl1 D-Bus API which allows clients to change log level +
          target of the service during runtime.

        * Only relevant for developers: the mkosi.default symlink has been
          dropped from version control. Please create a symlink to one of the
          distribution-specific defaults in .mkosi/ based on your preference.

        Contributions from: 24bisquitz, Adam Nielsen, Alan Perry, Alexander
        Malafeev, Amitanand.Chikorde, Alin Popa, Alvin Šipraga, Amos Bird,
        Andreas Rammhold, AndreRH, Andrew Doran, Anita Zhang, Ankit Jain,
        antznin, Arnaud Ferraris, Arthur Moraes do Lago, Arusekk, Balaji
        Punnuru, Balint Reczey, Bastien Nocera, bemarek, Benjamin Berg,
        Benjamin Dahlhoff, Benjamin Robin, Chris Down, Chris Kerr, Christian
        Göttsche, Christian Hesse, Christian Oder, Ciprian Hacman, Clinton Roy,
        codicodi, Corey Hinshaw, Daan De Meyer, Dana Olson, Dan Callaghan,
        Daniel Fullmer, Daniel Rusek, Dan Streetman, Dave Reisner, David
        Edmundson, David Wood, Denis Pronin, Diego Escalante Urrelo, Dimitri
        John Ledkov, dolphrundgren, duguxy, Einsler Lee, Elisei Roca, Emmanuel
        Garette, Eric Anderson, Eric DeVolder, Evgeny Vereshchagin,
        ExtinctFire, fangxiuning, Ferran Pallarès Roca, Filipe Brandenburger,
        Filippo Falezza, Finn, Florian Klink, Florian Mayer, Franck Bui,
        Frantisek Sumsal, gaurav, Georg Müller, Gergely Polonkai, Giedrius
        Statkevičius, Gigadoc2, gogogogi, Gaurav Singh, gzjsgdsb, Hans de
        Goede, Haochen Tong, ianhi, ignapk, Jakov Smolic, James T. Lee, Jan
        Janssen, Jan Klötzke, Jan Palus, Jay Burger, Jeremy Cline, Jérémy
        Rosen, Jian-Hong Pan, Jiri Slaby, Joel Shapiro, Joerg Behrmann, Jörg
        Thalheim, Jouke Witteveen, Kai-Heng Feng, Kenny Levinsen, Kevin
        Kuehler, Kumar Kartikeya Dwivedi, layderv, laydervus, Lénaïc Huard,
        Lennart Poettering, Lidong Zhong, Luca Boccassi, Luca BRUNO, Lucas
        Werkmeister, Lukas Klingsbo, Lukáš Nykrýn, Łukasz Stelmach, Maciej
        S. Szmigiero, MadMcCrow, Marc-André Lureau, Marcel Holtmann, Marc
        Kleine-Budde, Martin Hundebøll, Matthew Leeds, Matt Ranostay, Maxim
        Fomin, MaxVerevkin, Michael Biebl, Michael Chapman, Michael Gubbels,
        Michael Marley, Michał Bartoszkiewicz, Michal Koutný, Michal Sekletár,
        Mike Gilbert, Mike Kazantsev, Mikhail Novosyolov, ml, Motiejus Jakštys,
        nabijaczleweli, nerdopolis, Niccolò Maggioni, Niklas Hambüchen, Norbert
        Lange, Paul Cercueil, pelzvieh, Peter Hutterer, Piero La Terza, Pieter
        Lexis, Piotr Drąg, Rafael Fontenelle, Richard Petri, Ronan Pigott, Ross
        Lagerwall, Rubens Figueiredo, satmandu, Sean-StarLabs, Sebastian
        Jennen, sterlinghughes, Surhud More, Susant Sahani, szb512, Thomas
        Haller, Tobias Hunger, Tom, Tomáš Pospíšek, Tomer Shechner, Tom Hughes,
        Topi Miettinen, Tudor Roman, Uwe Kleine-König, Valery0xff, Vito Caputo,
        Vladimir Panteleev, Vladyslav Tronko, Wen Yang, Yegor Vialov, Yigal
        Korman, Yi Gao, YmrDtnJu, Yuri Chornoivan, Yu Watanabe, Zbigniew
        Jędrzejewski-Szmek, Zhu Li, Дамјан Георгиевски, наб

        – Warsaw, 2020-07-30

CHANGES WITH 245:

        * A new tool "systemd-repart" has been added, that operates as an
          idempotent declarative repartitioner for GPT partition tables.
          Specifically, a set of partitions that must or may exist can be
          configured via drop-in files, and during every boot the partition
          table on disk is compared with these files, creating missing
          partitions or growing existing ones based on configurable relative
          and absolute size constraints. The tool is strictly incremental,
          i.e. does not delete, shrink or move partitions, but only adds and
          grows them. The primary use-case is OS images that ship in minimized
          form, that on first boot are grown to the size of the underlying
          block device or augmented with additional partitions. For example,
          the root partition could be extended to cover the whole disk, or a
          swap or /home partitions could be added on first boot. It can also be
          used for systems that use an A/B update scheme but ship images with
          just the A partition, with B added on first boot. The tool is
          primarily intended to be run in the initrd, shortly before
          transitioning into the host OS, but can also be run after the
          transition took place. It automatically discovers the disk backing
          the root file system, and should hence not require any additional
          configuration besides the partition definition drop-ins. If no
          configuration drop-ins are present, no action is taken.

        * A new component "userdb" has been added, along with a small daemon
          "systemd-userdbd.service" and a client tool "userdbctl". The framework
          allows defining rich user and group records in a JSON format,
          extending on the classic "struct passwd" and "struct group"
          structures. Various components in systemd have been updated to
          process records in this format, including systemd-logind and
          pam-systemd. The user records are intended to be extensible, and
          allow setting various resource management, security and runtime
          parameters that shall be applied to processes and sessions of the
          user as they log in. This facility is intended to allow associating
          such metadata directly with user/group records so that they can be
          produced, extended and consumed in unified form. We hope that
          eventually frameworks such as sssd will generate records this way, so
          that for the first time resource management and various other
          per-user settings can be configured in LDAP directories and then
          provided to systemd (specifically to systemd-logind and pam-system)
          to apply on login. For further details see:

          https://systemd.io/USER_RECORD
          https://systemd.io/GROUP_RECORD
          https://systemd.io/USER_GROUP_API

        * A small new service systemd-homed.service has been added, that may be
          used to securely manage home directories with built-in encryption.
          The complete user record data is unified with the home directory,
          thus making home directories naturally migratable. Its primary
          back-end is based on LUKS volumes, but fscrypt, plain directories,
          and other storage schemes are also supported. This solves a couple of
          problems we saw with traditional ways to manage home directories, in
          particular when it comes to encryption. For further discussion of
          this, see the video of Lennart's talk at AllSystemsGo! 2019:

          https://media.ccc.de/v/ASG2019-164-reinventing-home-directories

          For further details about the format and expectations on home
          directories this new daemon makes, see:

          https://systemd.io/HOME_DIRECTORY

        * systemd-journald is now multi-instantiable. In addition to the main
          instance systemd-journald.service there's now a template unit
          systemd-journald@.service, with each instance defining a new named
          log 'namespace' (whose name is specified via the instance part of the
          unit name). A new unit file setting LogNamespace= has been added,
          taking such a namespace name, that assigns services to the specified
          log namespaces. As each log namespace is serviced by its own
          independent journal daemon, this functionality may be used to improve
          performance and increase isolation of applications, at the price of
          losing global message ordering. Each instance of journald has a
          separate set of configuration files, with possibly different disk
          usage limitations and other settings.

          journalctl now takes a new option --namespace= to show logs from a
          specific log namespace. The sd-journal.h API gained
          sd_journal_open_namespace() for opening the log stream of a specific
          log namespace. systemd-journald also gained the ability to exit on
          idle, which is useful in the context of log namespaces, as this means
          log daemons for log namespaces can be activated automatically on
          demand and will stop automatically when no longer used, minimizing
          resource usage.

        * When systemd-tmpfiles copies a file tree using the 'C' line type it
          will now label every copied file according to the SELinux database.

        * When systemd/PID 1 detects it is used in the initrd it will now boot
          into initrd.target rather than default.target by default. This should
          make it simpler to build initrds with systemd as for many cases the
          only difference between a host OS image and an initrd image now is
          the presence of the /etc/initrd-release file.

        * A new kernel command line option systemd.cpu_affinity= is now
          understood. It's equivalent to the CPUAffinity= option in
          /etc/systemd/system.conf and allows setting the CPU mask for PID 1
          itself and the default for all other processes.

        * When systemd/PID 1 is reloaded (with systemctl daemon-reload or
          equivalent), the SELinux database is now reloaded, ensuring that
          sockets and other file system objects are generated taking the new
          database into account.

        * systemd/PID 1 accepts a new "systemd.show-status=error" setting, and
          "quiet" has been changed to imply that instead of
          "systemd.show-status=auto". In this mode, only messages about errors
          and significant delays in boot are shown on the console.

        * The sd-event.h API gained native support for the new Linux "pidfd"
          concept. This permits watching processes using file descriptors
          instead of PID numbers, which fixes a number of races and makes
          process supervision more robust and efficient. All of systemd's
          components will now use pidfds if the kernel supports it for process
          watching, with the exception of PID 1 itself, unfortunately. We hope
          to move PID 1 to exclusively using pidfds too eventually, but this
          requires some more kernel work first. (Background: PID 1 watches
          processes using waitid() with the P_ALL flag, and that does not play
          together nicely with pidfds yet.)

        * Closely related to this, the sd-event.h API gained two new calls
          sd_event_source_send_child_signal() (for sending a signal to a
          watched process) and sd_event_source_get_child_process_own() (for
          marking a process so that it is killed automatically whenever the
          event source watching it is freed).

        * systemd-networkd gained support for configuring Token Bucket Filter
          (TBF) parameters in its qdisc configuration support. Similarly,
          support for Stochastic Fairness Queuing (SFQ), Controlled-Delay
          Active Queue Management (CoDel), and Fair Queue (FQ) has been added.

        * systemd-networkd gained support for Intermediate Functional Block
          (IFB) network devices.

        * systemd-networkd gained support for configuring multi-path IP routes,
          using the new MultiPathRoute= setting in the [Route] section.

        * systemd-networkd's DHCPv4 client has been updated to support a new
          SendDecline= option. If enabled, duplicate address detection is done
          after a DHCP offer is received from the server. If a conflict is
          detected, the address is declined. The DHCPv4 client also gained
          support for a new RouteMTUBytes= setting that allows to configure the
          MTU size to be used for routes generated from DHCPv4 leases.

        * The PrefixRoute= setting in systemd-networkd's [Address] section of
          .network files has been deprecated, and replaced by AddPrefixRoute=,
          with its sense inverted.

        * The Gateway= setting of [Route] sections of .network files gained
          support for a special new value "_dhcp". If set, the configured
          static route uses the gateway host configured via DHCP.

        * New User= and SuppressPrefixLength= settings have been implemented
          for the [RoutingPolicyRule] section of .network files to configure
          source routing based on UID ranges and prefix length, respectively.

        * The Type= match property of .link files has been generalized to
          always match the device type shown by 'networkctl status', even for
          devices where udev does not set DEVTYPE=. This allows e.g. Type=ether
          to be used.

        * sd-bus gained a new API call sd_bus_message_sensitive() that marks a
          D-Bus message object as "sensitive". Those objects are erased from
          memory when they are freed. This concept is intended to be used for
          messages that contain security sensitive data. A new flag
          SD_BUS_VTABLE_SENSITIVE has been introduced as well to mark methods
          in sd-bus vtables, causing any incoming and outgoing messages of
          those methods to be implicitly marked as "sensitive".

        * sd-bus gained a new API call sd_bus_message_dump() for dumping the
          contents of a message (or parts thereof) to standard output for
          debugging purposes.

        * systemd-sysusers gained support for creating users with the primary
          group named differently than the user.

        * systemd-growfs (i.e. the x-systemd.growfs mount option in /etc/fstab)
          gained support for growing XFS partitions. Previously it supported
          only ext4 and btrfs partitions.

        * The support for /etc/crypttab gained a new x-initrd.attach option. If
          set, the specified encrypted volume is unlocked already in the
          initrd. This concept corresponds to the x-initrd.mount option in
          /etc/fstab.

        * systemd-cryptsetup gained native support for unlocking encrypted
          volumes utilizing PKCS#11 smartcards, i.e. for example to bind
          encryption of volumes to YubiKeys. This is exposed in the new
          pkcs11-uri= option in /etc/crypttab.

        * The /etc/fstab support in systemd now supports two new mount options
          x-systemd.{required,wanted}-by=, for explicitly configuring the units
          that the specified mount shall be pulled in by, in place of
          the usual local-fs.target/remote-fs.target.

        * The https://systemd.io/ web site has been relaunched, directly
          populated with most of the documentation included in the systemd
          repository. systemd also acquired a new logo, thanks to Tobias
          Bernard.

        * systemd-udevd gained support for managing "alternative" network
          interface names, as supported by new Linux kernels. For the first
          time this permits assigning multiple (and longer!) names to a network
          interface. systemd-udevd will now by default assign the names
          generated via all supported naming schemes to each interface. This
          may be further tweaked with .link files and the AlternativeName= and
          AlternativeNamesPolicy= settings. Other components of systemd have
          been updated to support the new alternative names wherever
          appropriate. For example, systemd-nspawn will now generate
          alternative interface names for the host-facing side of container
          veth links based on the full container name without truncation.

        * systemd-nspawn interface naming logic has been updated in another way
          too: if the main interface name (i.e. as opposed to new-style
          "alternative" names) based on the container name is truncated, a
          simple hashing scheme is used to give different interface names to
          multiple containers whose names all begin with the same prefix. Since
          this changes the primary interface names pointing to containers if
          truncation happens, the old scheme may still be requested by
          selecting an older naming scheme, via the net.naming_scheme= kernel
          command line option.

        * PrivateUsers= in service files now works in services run by the
          systemd --user per-user instance of the service manager.

        * A new per-service sandboxing option ProtectClock= has been added that
          locks down write access to the system clock. It takes away device
          node access to /dev/rtc as well as the system calls that set the
          system clock and the CAP_SYS_TIME and CAP_WAKE_ALARM capabilities.
          Note that this option does not affect access to auxiliary services
          that allow changing the clock, for example access to
          systemd-timedated.

        * The systemd-id128 tool gained a new "show" verb for listing or
          resolving a number of well-known UUIDs/128-bit IDs, currently mostly
          GPT partition table types.

        * The Discoverable Partitions Specification has been updated to support
          /var and /var/tmp partition discovery. Support for this has been
          added to systemd-gpt-auto-generator. For details see:

          https://systemd.io/DISCOVERABLE_PARTITIONS

        * "systemctl list-unit-files" has been updated to show a new column
          with the suggested enablement state based on the vendor preset files
          for the respective units.

        * "systemctl" gained a new option "--with-dependencies". If specified
          commands such as "systemctl status" or "systemctl cat" will now show
          all specified units along with all units they depend on.

        * networkctl gained support for showing per-interface logs in its
          "status" output.

        * systemd-networkd-wait-online gained support for specifying the maximum
          operational state to wait for, and to wait for interfaces to
          disappear.

        * The [Match] section of .link and .network files now supports a new
          option PermanentMACAddress= which may be used to check against the
          permanent MAC address of a network device even if a randomized MAC
          address is used.

        * The [TrafficControlQueueingDiscipline] section in .network files has
          been renamed to [NetworkEmulator] with the "NetworkEmulator" prefix
          dropped from the individual setting names.

        * Any .link and .network files that have an empty [Match] section (this
          also includes empty and commented-out files) will now be
          rejected. systemd-udev and systemd-networkd started warning about
          such files in version 243.

        * systemd-logind will now validate access to the operation of changing
          the virtual terminal via a polkit action. By default, only users
          with at least one session on a local VT are granted permission.

        * When systemd sets up PAM sessions that invoked service processes
          shall run in, the pam_setcred() API is now invoked, thus permitting
          PAM modules to set additional credentials for the processes.

        * portablectl attach/detach verbs now accept --now and --enable options
          to combine attachment with enablement and invocation, or detachment
          with stopping and disablement.

        * UPGRADE ISSUE: a bug where some jobs were trimmed as redundant was
          fixed, which in turn exposed bugs in unit configuration of services
          which have Type=oneshot and should only run once, but do not have
          RemainAfterExit=yes set. Without RemainAfterExit=yes, a one-shot
          service may be started again after exiting successfully, for example
          as a dependency in another transaction. Affected services included
          some internal systemd services (most notably
          systemd-vconsole-setup.service, which was updated to have
          RemainAfterExit=yes), and plymouth-start.service. Please ensure that
          plymouth has been suitably updated or patched before upgrading to
          this systemd release. See
          https://bugzilla.redhat.com/show_bug.cgi?id=1807771 for some
          additional discussion.

        Contributions from: AJ Bagwell, Alin Popa, Andreas Rammhold, Anita
        Zhang, Ansgar Burchardt, Antonio Russo, Arian van Putten, Ashley Davis,
        Balint Reczey, Bart Willems, Bastien Nocera, Benjamin Dahlhoff, Charles
        (Chas) Williams, cheese1, Chris Down, Chris Murphy, Christian Ehrhardt,
        Christian Göttsche, cvoinf, Daan De Meyer, Daniele Medri, Daniel Rusek,
        Daniel Shahaf, Dann Frazier, Dan Streetman, Dariusz Gadomski, David
        Michael, Dimitri John Ledkov, Emmanuel Bourg, Evgeny Vereshchagin,
        ezst036, Felipe Sateler, Filipe Brandenburger, Florian Klink, Franck
        Bui, Fran Dieguez, Frantisek Sumsal, Greg "GothAck" Miell, Guilhem
        Lettron, Guillaume Douézan-Grard, Hans de Goede, HATAYAMA Daisuke, Iain
        Lane, James Buren, Jan Alexander Steffens (heftig), Jérémy Rosen, Jin
        Park, Jun'ichi Nomura, Kai Krakow, Kevin Kuehler, Kevin P. Fleming,
        Lennart Poettering, Leonid Bloch, Leonid Evdokimov, lothrond, Luca
        Boccassi, Lukas K, Lynn Kirby, Mario Limonciello, Mark Deneen, Matthew
        Leeds, Michael Biebl, Michal Koutný, Michal Sekletár, Mike Auty, Mike
        Gilbert, mtron, nabijaczleweli, Naïm Favier, Nate Jones, Norbert Lange,
        Oliver Giles, Paul Davey, Paul Menzel, Peter Hutterer, Piotr Drąg, Rafa
        Couto, Raphael, rhn, Robert Scheck, Rocka, Romain Naour, Ryan Attard,
        Sascha Dewald, Shengjing Zhu, Slava Kardakov, Spencer Michaels, Sylvain
        Plantefeve, Stanislav Angelovič, Susant Sahani, Thomas Haller, Thomas
        Schmitt, Timo Schlüßler, Timo Wilken, Tobias Bernard, Tobias Klauser,
        Tobias Stoeckmann, Topi Miettinen, tsia, WataruMatsuoka, Wieland
        Hoffmann, Wilhelm Schuster, Will Fleming, xduugu, Yong Cong Sin, Yuri
        Chornoivan, Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zeyu
        DONG

        – Warsaw, 2020-03-06

CHANGES WITH 244:

        * Support for the cpuset cgroups v2 controller has been added.
          Processes may be restricted to specific CPUs using the new
          AllowedCPUs= setting, and to specific memory NUMA nodes using the new
          AllowedMemoryNodes= setting.

        * The signal used in restart jobs (as opposed to e.g. stop jobs) may
          now be configured using a new RestartKillSignal= setting. This
          allows units which signals to request termination to implement
          different behaviour when stopping in preparation for a restart.

        * "systemctl clean" may now be used also for socket, mount, and swap
          units.

        * systemd will also read configuration options from the EFI variable
          SystemdOptions. This may be used to configure systemd behaviour when
          modifying the kernel command line is inconvenient, but configuration
          on disk is read too late, for example for the options related to
          cgroup hierarchy setup. 'bootctl systemd-efi-options' may be used to
          set the EFI variable.

        * systemd will now disable printk ratelimits in early boot. This should
          allow us to capture more logs from the early boot phase where normal
          storage is not available and the kernel ring buffer is used for
          logging. Configuration on the kernel command line has higher priority
          and overrides the systemd setting.

          systemd programs which log to /dev/kmsg directly use internal
          ratelimits to prevent runaway logging. (Normally this is only used
          during early boot, so in practice this change has very little
          effect.)

        * Unit files now support top level dropin directories of the form
          <unit_type>.d/ (e.g. service.d/) that may be used to add configuration
          that affects all corresponding unit files.

        * systemctl gained support for 'stop --job-mode=triggering' which will
          stop the specified unit and any units which could trigger it.

        * Unit status display now includes units triggering and triggered by
          the unit being shown.

        * The RuntimeMaxSec= setting is now supported by scopes, not just
          .service units. This is particularly useful for PAM sessions which
          create a scope unit for the user login. systemd.runtime_max_sec=
          setting may used with the pam_systemd module to limit the duration
          of the PAM session, for example for time-limited logins.

        * A new @pkey system call group is now defined to make it easier to
          allow-list memory protection syscalls for containers and services
          which need to use them.

        * systemd-udevd: removed the 30s timeout for killing stale workers on
          exit. systemd-udevd now waits for workers to finish. The hard-coded
          exit timeout of 30s was too short for some large installations, where
          driver initialization could be prematurely interrupted during initrd
          processing if the root file system had been mounted and init was
          preparing to switch root. If udevd is run without systemd and workers
          are hanging while udevd receives an exit signal, udevd will now exit
          when udev.event_timeout is reached for the last hanging worker. With
          systemd, the exit timeout can additionally be configured using
          TimeoutStopSec= in systemd-udevd.service.

        * udev now provides a program (fido_id) that identifies FIDO CTAP1
          ("U2F")/CTAP2 security tokens based on the usage declared in their
          report and descriptor and outputs suitable environment variables.
          This replaces the externally maintained allow lists of all known
          security tokens that were used previously.

        * Automatically generated autosuspend udev rules for allow-listed
          devices have been imported from the Chromium OS project. This should
          improve power saving with many more devices.

        * udev gained a new "CONST{key}=value" setting that allows matching
          against system-wide constants without forking a helper binary.
          Currently "arch" and "virt" keys are supported.

        * udev now opens CDROMs in non-exclusive mode when querying their
          capabilities. This should fix issues where other programs trying to
          use the CDROM cannot gain access to it, but carries a risk of
          interfering with programs writing to the disk, if they did not open
          the device in exclusive mode as they should.

        * systemd-networkd does not create a default route for IPv4 link local
          addressing anymore. The creation of the route was unexpected and was
          breaking routing in various cases, but people who rely on it being
          created implicitly will need to adjust. Such a route may be requested
          with DefaultRouteOnDevice=yes.

          Similarly, systemd-networkd will not assign a link-local IPv6 address
          when IPv6 link-local routing is not enabled.

        * Receive and transmit buffers may now be configured on links with
          the new RxBufferSize= and TxBufferSize= settings.

        * systemd-networkd may now advertise additional IPv6 routes. A new
          [IPv6RoutePrefix] section with Route= and LifetimeSec= options is
          now supported.

        * systemd-networkd may now configure "next hop" routes using the
          [NextHop] section and Gateway= and Id= settings.

        * systemd-networkd will now retain DHCP config on restarts by default
          (but this may be overridden using the KeepConfiguration= setting).
          The default for SendRelease= has been changed to true.

        * The DHCPv4 client now uses the OPTION_INFORMATION_REFRESH_TIME option
          received from the server.

          The client will use the received SIP server list if UseSIP=yes is
          set.

          The client may be configured to request specific options from the
          server using a new RequestOptions= setting.

          The client may be configured to send arbitrary options to the server
          using a new SendOption= setting.

          A new IPServiceType= setting has been added to configure the "IP
          service type" value used by the client.

        * The DHCPv6 client learnt a new PrefixDelegationHint= option to
          request prefix hints in the DHCPv6 solicitation.

        * The DHCPv4 server may be configured to send arbitrary options using
          a new SendOption= setting.

        * The DHCPv4 server may now be configured to emit SIP server list using
          the new EmitSIP= and SIP= settings.

        * systemd-networkd and networkctl may now renew DHCP leases on demand.
          networkctl has a new 'networkctl renew' verb.

        * systemd-networkd may now reconfigure links on demand. networkctl
          gained two new verbs: "reload" will reload the configuration, and
          "reconfigure DEVICE…" will reconfigure one or more devices.

        * .network files may now match on SSID and BSSID of a wireless network,
          i.e. the access point name and hardware address using the new SSID=
          and BSSID= options. networkctl will display the current SSID and
          BSSID for wireless links.

          .network files may also match on the wireless network type using the
          new WLANInterfaceType= option.

        * systemd-networkd now includes default configuration that enables
          link-local addressing when connected to an ad-hoc wireless network.

        * systemd-networkd may configure the Traffic Control queueing
          disciplines in the kernel using the new
          [TrafficControlQueueingDiscipline] section and Parent=,
          NetworkEmulatorDelaySec=, NetworkEmulatorDelayJitterSec=,
          NetworkEmulatorPacketLimit=, NetworkEmulatorLossRate=,
          NetworkEmulatorDuplicateRate= settings.

        * systemd-tmpfiles gained a new w+ setting to append to files.

        * systemd-analyze dump will now report when the memory configuration in
          the kernel does not match what systemd has configured (usually,
          because some external program has modified the kernel configuration
          on its own).

        * systemd-analyze gained a new --base-time= switch instructs the
          'calendar' verb to resolve times relative to that timestamp instead
          of the present time.

        * journalctl --update-catalog now produces deterministic output (making
          reproducible image builds easier).

        * A new devicetree-overlay setting is now documented in the Boot Loader
          Specification.

        * The default value of the WatchdogSec= setting used in systemd
          services (the ones bundled with the project itself) may be set at
          configuration time using the -Dservice-watchdog= setting. If set to
          empty, the watchdogs will be disabled.

        * systemd-resolved validates IP addresses in certificates now when GnuTLS
          is being used.

        * libcryptsetup >= 2.0.1 is now required.

        * A configuration option -Duser-path= may be used to override the $PATH
          used by the user service manager. The default is again to use the same
          path as the system manager.

        * The systemd-id128 tool gained a new switch "-u" (or "--uuid") for
          outputting the 128-bit IDs in UUID format (i.e. in the "canonical
          representation").

        * Service units gained a new sandboxing option ProtectKernelLogs= which
          makes sure the program cannot get direct access to the kernel log
          buffer anymore, i.e. the syslog() system call (not to be confused
          with the API of the same name in libc, which is not affected), the
          /proc/kmsg and /dev/kmsg nodes and the CAP_SYSLOG capability are made
          inaccessible to the service. It's recommended to enable this setting
          for all services that should not be able to read from or write to the
          kernel log buffer, which are probably almost all.

        Contributions from: Aaron Plattner, Alcaro, Anita Zhang, Balint Reczey,
        Bastien Nocera, Baybal Ni, Benjamin Bouvier, Benjamin Gilbert, Carlo
        Teubner, cbzxt, Chen Qi, Chris Down, Christian Rebischke, Claudio
        Zumbo, ClydeByrdIII, crashfistfight, Cyprien Laplace, Daniel Edgecumbe,
        Daniel Gorbea, Daniel Rusek, Daniel Stuart, Dan Streetman, David
        Pedersen, David Tardon, Dimitri John Ledkov, Dominique Martinet, Donald
        A. Cupp Jr, Evgeny Vereshchagin, Fabian Henneke, Filipe Brandenburger,
        Franck Bui, Frantisek Sumsal, Georg Müller, Hans de Goede, Haochen
        Tong, HATAYAMA Daisuke, Iwan Timmer, Jan Janssen, Jan Kundrát, Jan
        Synacek, Jan Tojnar, Jay Strict, Jérémy Rosen, Jóhann B. Guðmundsson,
        Jonas Jelten, Jonas Thelemann, Justin Trudell, J. Xing, Kai-Heng Feng,
        Kenneth D'souza, Kevin Becker, Kevin Kuehler, Lennart Poettering,
        Léonard Gérard, Lorenz Bauer, Luca Boccassi, Maciej Stanczew, Mario
        Limonciello, Marko Myllynen, Mark Stosberg, Martin Wilck, matthiasroos,
        Michael Biebl, Michael Olbrich, Michael Tretter, Michal Sekletar,
        Michal Sekletár, Michal Suchanek, Mike Gilbert, Mike Kazantsev, Nicolas
        Douma, nikolas, Norbert Lange, pan93412, Pascal de Bruijn, Paul Menzel,
        Pavel Hrdina, Peter Wu, Philip Withnall, Piotr Drąg, Rafael Fontenelle,
        Renaud Métrich, Riccardo Schirone, RoadrunnerWMC, Ronan Pigott, Ryan
        Attard, Sebastian Wick, Serge, Siddharth Chandrasekara, Steve Ramage,
        Steve Traylen, Susant Sahani, Thibault Nélis, Tim Teichmann, Tom
        Fitzhenry, Tommy J, Torsten Hilbrich, Vito Caputo, ypf791, Yu Watanabe,
        Zach Smith, Zbigniew Jędrzejewski-Szmek

        – Warsaw, 2019-11-29

CHANGES WITH 243:

        * This release enables unprivileged programs (i.e. requiring neither
          setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests
          by turning on the "net.ipv4.ping_group_range" sysctl of the Linux
          kernel for the whole UNIX group range, i.e. all processes. This
          change should be reasonably safe, as the kernel support for it was
          specifically implemented to allow safe access to ICMP Echo for
          processes lacking any privileges. If this is not desirable, it can be
          disabled again by setting the parameter to "1 0".

        * Previously, filters defined with SystemCallFilter= would have the
          effect that any calling of an offending system call would terminate
          the calling thread. This behaviour never made much sense, since
          killing individual threads of unsuspecting processes is likely to
          create more problems than it solves. With this release the default
          action changed from killing the thread to killing the whole
          process. For this to work correctly both a kernel version (>= 4.14)
          and a libseccomp version (>= 2.4.0) supporting this new seccomp
          action is required. If an older kernel or libseccomp is used the old
          behaviour continues to be used. This change does not affect any
          services that have no system call filters defined, or that use
          SystemCallErrorNumber= (and thus see EPERM or another error instead
          of being killed when calling an offending system call). Note that
          systemd documentation always claimed that the whole process is
          killed. With this change behaviour is thus adjusted to match the
          documentation.

        * On 64 bit systems, the "kernel.pid_max" sysctl is now bumped to
          4194304 by default, i.e. the full 22bit range the kernel allows, up
          from the old 16-bit range. This should improve security and
          robustness, as PID collisions are made less likely (though certainly
          still possible). There are rumours this might create compatibility
          problems, though at this moment no practical ones are known to
          us. Downstream distributions are hence advised to undo this change in
          their builds if they are concerned about maximum compatibility, but
          for everybody else we recommend leaving the value bumped. Besides
          improving security and robustness this should also simplify things as
          the maximum number of allowed concurrent tasks was previously bounded
          by both "kernel.pid_max" and "kernel.threads-max" and now effectively
          only a single knob is left ("kernel.threads-max"). There have been
          concerns that usability is affected by this change because larger PID
          numbers are harder to type, but we believe the change from 5 digits
          to 7 digits doesn't hamper usability.

        * MemoryLow= and MemoryMin= gained hierarchy-aware counterparts,
          DefaultMemoryLow= and DefaultMemoryMin=, which can be used to
          hierarchically set default memory protection values for a particular
          subtree of the unit hierarchy.

        * Memory protection directives can now take a value of zero, allowing
          explicit opting out of a default value propagated by an ancestor.

        * systemd now defaults to the "unified" cgroup hierarchy setup during
          build-time, i.e. -Ddefault-hierarchy=unified is now the build-time
          default. Previously, -Ddefault-hierarchy=hybrid was the default. This
          change reflects the fact that cgroupsv2 support has matured
          substantially in both systemd and in the kernel, and is clearly the
          way forward. Downstream production distributions might want to
          continue to use -Ddefault-hierarchy=hybrid (or even =legacy) for
          their builds as unfortunately the popular container managers have not
          caught up with the kernel API changes.

        * Man pages are not built by default anymore (html pages were already
          disabled by default), to make development builds quicker. When
          building systemd for a full installation with documentation, meson
          should be called with -Dman=true and/or -Dhtml=true as appropriate.
          The default was changed based on the assumption that quick one-off or
          repeated development builds are much more common than full optimized
          builds for installation, and people need to pass various other
          options to when doing "proper" builds anyway, so the gain from making
          development builds quicker is bigger than the one time disruption for
          packagers.

          Two scripts are created in the *build* directory to generate and
          preview man and html pages on demand, e.g.:

          build/man/man systemctl
          build/man/html systemd.index

        * libidn2 is used by default if both libidn2 and libidn are installed.
          Please use -Dlibidn=true if libidn is preferred.

        * The D-Bus "wire format" of the CPUAffinity= attribute is changed on
          big-endian machines. Before, bytes were written and read in native
          machine order as exposed by the native libc __cpu_mask interface.
          Now, little-endian order is always used (CPUs 0–7 are described by
          bits 0–7 in byte 0, CPUs 8–15 are described by byte 1, and so on).
          This change fixes D-Bus calls that cross endianness boundary.

          The presentation format used for CPUAffinity= by "systemctl show" and
          "systemd-analyze dump" is changed to present CPU indices instead of
          the raw __cpu_mask bitmask. For example, CPUAffinity=0-1 would be
          shown as CPUAffinity=03000000000000000000000000000… (on
          little-endian) or CPUAffinity=00000000000000300000000000000… (on
          64-bit big-endian), and is now shown as CPUAffinity=0-1, matching the
          input format. The maximum integer that will be printed in the new
          format is 8191 (four digits), while the old format always used a very
          long number (with the length varying by architecture), so they can be
          unambiguously distinguished.

        * /usr/sbin/halt.local is no longer supported. Implementation in
          distributions was inconsistent and it seems this functionality was
          very rarely used.

          To replace this functionality, users should:
          - either define a new unit and make it a dependency of final.target
            (systemctl add-wants final.target my-halt-local.service)
          - or move the shutdown script to /usr/lib/systemd/system-shutdown/
            and ensure that it accepts "halt", "poweroff", "reboot", and
            "kexec" as an argument, see the description in systemd-shutdown(8).

        * When a [Match] section in .link or .network file is empty (contains
          no match patterns), a warning will be emitted. Please add any "match
          all" pattern instead, e.g. OriginalName=* or Name=* in case all
          interfaces should really be matched.

        * A new setting NUMAPolicy= may be used to set process memory
          allocation policy. This setting can be specified in
          /etc/systemd/system.conf and hence will set the default policy for
          PID1. The default policy can be overridden on a per-service
          basis. The related setting NUMAMask= is used to specify NUMA node
          mask that should be associated with the selected policy.

        * PID 1 will now listen to Out-Of-Memory (OOM) events the kernel
          generates when processes it manages are reaching their memory limits,
          and will place their units in a special state, and optionally kill or
          stop the whole unit.

        * The service manager will now expose bus properties for the IO
          resources used by units. This information is also shown in "systemctl
          status" now (for services that have IOAccounting=yes set). Moreover,
          the IO accounting data is included in the resource log message
          generated whenever a unit stops.

        * Units may now configure an explicit timeout to wait for when killed
          with SIGABRT, for example when a service watchdog is hit. Previously,
          the regular TimeoutStopSec= timeout was applied in this case too —
          now a separate timeout may be set using TimeoutAbortSec=.

        * Services may now send a special WATCHDOG=trigger message with
          sd_notify() to trigger an immediate "watchdog missed" event, and thus
          trigger service termination. This is useful both for testing watchdog
          handling, but also for defining error paths in services, that shall
          be handled the same way as watchdog events.

        * There are two new per-unit settings IPIngressFilterPath= and
          IPEgressFilterPath= which allow configuration of a BPF program
          (usually by specifying a path to a program uploaded to /sys/fs/bpf/)
          to apply to the IP packet ingress/egress path of all processes of a
          unit. This is useful to allow running systemd services with BPF
          programs set up externally.

        * systemctl gained a new "clean" verb for removing the state, cache,
          runtime or logs directories of a service while it is terminated. The
          new verb may also be used to remove the state maintained on disk for
          timer units that have Persistent= configured.

        * During the last phase of shutdown systemd will now automatically
          increase the log level configured in the "kernel.printk" sysctl so
          that any relevant loggable events happening during late shutdown are
          made visible. Previously, loggable events happening so late during
          shutdown were generally lost if the "kernel.printk" sysctl was set to
          high thresholds, as regular logging daemons are terminated at that
          time and thus nothing is written to disk.

        * If processes terminated during the last phase of shutdown do not exit
          quickly systemd will now show their names after a short time, to make
          debugging easier. After a longer timeout they are forcibly killed,
          as before.

        * journalctl (and the other tools that display logs) will now highlight
          warnings in yellow (previously, both LOG_NOTICE and LOG_WARNING where
          shown in bright bold, now only LOG_NOTICE is). Moreover, audit logs
          are now shown in blue color, to separate them visually from regular
          logs. References to configuration files are now turned into clickable
          links on terminals that support that.

        * systemd-journald will now stop logging to /var/log/journal during
          shutdown when /var/ is on a separate mount, so that it can be
          unmounted safely during shutdown.

        * systemd-resolved gained support for a new 'strict' DNS-over-TLS mode.

        * systemd-resolved "Cache=" configuration option in resolved.conf has
          been extended to also accept the 'no-negative' value. Previously,
          only a boolean option was allowed (yes/no), having yes as the
          default. If this option is set to 'no-negative', negative answers are
          not cached while the old cache heuristics are used positive answers.
          The default remains unchanged.

        * The predictable naming scheme for network devices now supports
          generating predictable names for "netdevsim" devices.

          Moreover, the "en" prefix was dropped from the ID_NET_NAME_ONBOARD
          udev property.

          Those two changes form a new net.naming_scheme= entry.  Distributions
          which want to preserve naming stability may want to set the
          -Ddefault-net-naming-scheme= configuration option.

        * systemd-networkd now supports MACsec, nlmon, IPVTAP and Xfrm
          interfaces natively.

        * systemd-networkd's bridge FDB support now allows configuration of a
          destination address for each entry (Destination=), as well as the
          VXLAN VNI (VNI=), as well as an option to declare what an entry is
          associated with (AssociatedWith=).

        * systemd-networkd's DHCPv4 support now understands a new MaxAttempts=
          option for configuring the maximum number of DHCP lease requests. It
          also learnt a new BlackList= option for deny-listing DHCP servers (a
          similar setting has also been added to the IPv6 RA client), as well
          as a SendRelease= option for configuring whether to send a DHCP
          RELEASE message when terminating.

        * systemd-networkd's DHCPv4 and DHCPv6 stacks can now be configured
          separately in the [DHCPv4] and [DHCPv6] sections.

        * systemd-networkd's DHCP support will now optionally create an
          implicit host route to the DNS server specified in the DHCP lease, in
          addition to the routes listed explicitly in the lease. This should
          ensure that in multi-homed systems DNS traffic leaves the systems on
          the interface that acquired the DNS server information even if other
          routes such as default routes exist. This behaviour may be turned on
          with the new RoutesToDNS= option.

        * systemd-networkd's VXLAN support gained a new option
          GenericProtocolExtension= for enabling VXLAN Generic Protocol
          Extension support, as well as IPDoNotFragment= for setting the IP
          "Don't fragment" bit on outgoing packets. A similar option has been
          added to the GENEVE support.

        * In systemd-networkd's [Route] section you may now configure
          FastOpenNoCookie= for configuring per-route TCP fast-open support, as
          well as TTLPropagate= for configuring Label Switched Path (LSP) TTL
          propagation. The Type= setting now supports local, broadcast,
          anycast, multicast, any, xresolve routes, too.

        * systemd-networkd's [Network] section learnt a new option
          DefaultRouteOnDevice= for automatically configuring a default route
          onto the network device.

        * systemd-networkd's bridging support gained two new options ProxyARP=
          and ProxyARPWifi= for configuring proxy ARP behaviour as well as
          MulticastRouter= for configuring multicast routing behaviour. A new
          option MulticastIGMPVersion= may be used to change bridge's multicast
          Internet Group Management Protocol (IGMP) version.

        * systemd-networkd's FooOverUDP support gained the ability to configure
          local and peer IP addresses via Local= and Peer=. A new option
          PeerPort= may be used to configure the peer's IP port.

        * systemd-networkd's TUN support gained a new setting VnetHeader= for
          tweaking Generic Segment Offload support.

        * The address family for policy rules may be specified using the new
          Family= option in the [RoutingPolicyRule] section.

        * networkctl gained a new "delete" command for removing virtual network
          devices, as well as a new "--stats" switch for showing device
          statistics.

        * networkd.conf gained a new setting SpeedMeter= and
          SpeedMeterIntervalSec=, to measure bitrate of network interfaces. The
          measured speed may be shown by 'networkctl status'.

        * "networkctl status" now displays MTU and queue lengths, and more
          detailed information about VXLAN and bridge devices.

        * systemd-networkd's .network and .link files gained a new Property=
          setting in the [Match] section, to match against devices with
          specific udev properties.

        * systemd-networkd's tunnel support gained a new option
          AssignToLoopback= for selecting whether to use the loopback device
          "lo" as underlying device.

        * systemd-networkd's MACAddress= setting in the [Neighbor] section has
          been renamed to LinkLayerAddress=, and it now allows configuration of
          IP addresses, too.

        * systemd-networkd's handling of the kernel's disable_ipv6 sysctl is
          simplified: systemd-networkd will disable the sysctl (enable IPv6) if
          IPv6 configuration (static or DHCPv6) was found for a given
          interface. It will not touch the sysctl otherwise.

        * The order of entries is $PATH used by the user manager instance was
          changed to put bin/ entries before the corresponding sbin/ entries.
          It is recommended to not rely on this order, and only ever have one
          binary with a given name in the system paths under /usr.

        * A new tool systemd-network-generator has been added that may generate
          .network, .netdev and .link files from IP configuration specified on
          the kernel command line in the format used by Dracut.

        * The CriticalConnection= setting in .network files is now deprecated,
          and replaced by a new KeepConfiguration= setting which allows more
          detailed configuration of the IP configuration to keep in place.

        * systemd-analyze gained a few new verbs:

          - "systemd-analyze timestamp" parses and converts timestamps. This is
            similar to the existing "systemd-analyze calendar" command which
            does the same for recurring calendar events.

          - "systemd-analyze timespan" parses and converts timespans (i.e.
            durations as opposed to points in time).

          - "systemd-analyze condition" will parse and test ConditionXYZ=
            expressions.

          - "systemd-analyze exit-status" will parse and convert exit status
            codes to their names and back.

          - "systemd-analyze unit-files" will print a list of all unit
            file paths and unit aliases.

        * SuccessExitStatus=, RestartPreventExitStatus=, and
          RestartForceExitStatus= now accept exit status names (e.g. "DATAERR"
          is equivalent to "65"). Those exit status name mappings may be
          displayed with the systemd-analyze exit-status verb describe above.

        * systemd-logind now exposes a per-session SetBrightness() bus call,
          which may be used to securely change the brightness of a kernel
          brightness device, if it belongs to the session's seat. By using this
          call unprivileged clients can make changes to "backlight" and "leds"
          devices securely with strict requirements on session membership.
          Desktop environments may use this to generically make brightness
          changes to such devices without shipping private SUID binaries or
          udev rules for that purpose.

        * "udevadm info" gained a --wait-for-initialization switch to wait for
          a device to be initialized.

        * systemd-hibernate-resume-generator will now look for resumeflags= on
          the kernel command line, which is similar to rootflags= and may be
          used to configure device timeout for the hibernation device.

        * sd-event learnt a new API call sd_event_source_disable_unref() for
          disabling and unref'ing an event source in a single function. A
          related call sd_event_source_disable_unrefp() has been added for use
          with gcc's cleanup extension.

        * The sd-id128.h public API gained a new definition
          SD_ID128_UUID_FORMAT_STR for formatting a 128-bit ID in UUID format
          with printf().

        * "busctl introspect" gained a new switch --xml-interface for dumping
          XML introspection data unmodified.

        * PID 1 may now show the unit name instead of the unit description
          string in its status output during boot. This may be configured in
          the StatusUnitFormat= setting in /etc/systemd/system.conf or the
          kernel command line option systemd.status_unit_format=.

        * PID 1 now understands a new option KExecWatchdogSec= in
          /etc/systemd/system.conf to set a watchdog timeout for kexec reboots.
          Previously watchdog functionality was only available for regular
          reboots. The new setting defaults to off, because we don't know in
          the general case if the watchdog will be reset after kexec (some
          drivers do reset it, but not all), and the new userspace might not be
          configured to handle the watchdog.

          Moreover, the old ShutdownWatchdogSec= setting has been renamed to
          RebootWatchdogSec= to more clearly communicate what it is about. The
          old name is still accepted for compatibility.

        * The systemd.debug_shell kernel command line option now optionally
          takes a tty name to spawn the debug shell on, which allows a
          different tty to be selected than the built-in default.

        * Service units gained a new ExecCondition= setting which will run
          before ExecStartPre= and either continue execution of the unit (for
          clean exit codes), stop execution without marking the unit failed
          (for exit codes 1 through 254), or stop execution and fail the unit
          (for exit code 255 or abnormal termination).

        * A new service systemd-pstore.service has been added that pulls data
          from /sys/fs/pstore/ and saves it to /var/lib/pstore for later
          review.

        * timedatectl gained new verbs for configuring per-interface NTP
          service configuration for systemd-timesyncd.

        * "localectl list-locales" won't list non-UTF-8 locales anymore. It's
          2019. (You can set non-UTF-8 locales though, if you know their name.)

        * If variable assignments in sysctl.d/ files are prefixed with "-" any
          failures to apply them are now ignored.

        * systemd-random-seed.service now optionally credits entropy when
          applying the seed to the system. Set $SYSTEMD_RANDOM_SEED_CREDIT to
          true for the service to enable this behaviour, but please consult the
          documentation first, since this comes with a couple of caveats.

        * systemd-random-seed.service is now a synchronization point for full
          initialization of the kernel's entropy pool. Services that require
          /dev/urandom to be correctly initialized should be ordered after this
          service.

        * The systemd-boot boot loader has been updated to optionally maintain
          a random seed file in the EFI System Partition (ESP). During the boot
          phase, this random seed is read and updated with a new seed
          cryptographically derived from it. Another derived seed is passed to
          the OS. The latter seed is then credited to the kernel's entropy pool
          very early during userspace initialization (from PID 1). This allows
          systems to boot up with a fully initialized kernel entropy pool from
          earliest boot on, and thus entirely removes all entropy pool
          initialization delays from systems using systemd-boot. Special care
          is taken to ensure different seeds are derived on system images
          replicated to multiple systems. "bootctl status" will show whether
          a seed was received from the boot loader.

        * bootctl gained two new verbs:

          - "bootctl random-seed" will generate the file in ESP and an EFI
            variable to allow a random seed to be passed to the OS as described
            above.

          - "bootctl is-installed" checks whether systemd-boot is currently
            installed.

        * bootctl will warn if it detects that boot entries are misconfigured
          (for example if the kernel image was removed without purging the
          bootloader entry).

        * A new document has been added describing systemd's use and support
          for the kernel's entropy pool subsystem:

          https://systemd.io/RANDOM_SEEDS

        * When the system is hibernated the swap device to write the
          hibernation image to is now automatically picked from all available
          swap devices, preferring the swap device with the highest configured
          priority over all others, and picking the device with the most free
          space if there are multiple devices with the highest priority.

        * /etc/crypttab support has learnt a new keyfile-timeout= per-device
          option that permits selecting the timeout how long to wait for a
          device with an encryption key before asking for the password.

        * IOWeight= has learnt to properly set the IO weight when using the
          BFQ scheduler officially found in kernels 5.0+.

        * A new mailing list has been created for reporting of security issues:
          systemd-security@redhat.com. For mode details, see
          https://systemd.io/CONTRIBUTING#security-vulnerability-reports.

        Contributions from: Aaron Barany, Adrian Bunk, Alan Jenkins, Albrecht
        Lohofener, Andrej Valek, Anita Zhang, Arian van Putten, Balint Reczey,
        Bastien Nocera, Ben Boeckel, Benjamin Robin, camoz, Chen Qi, Chris
        Chiu, Chris Down, Christian Göttsche, Christian Kellner, Clinton Roy,
        Connor Reeder, Daniel Black, Daniel Lublin, Daniele Medri, Dan
        Streetman, Dave Reisner, Dave Ross, David Art, David Tardon, Debarshi
        Ray, Dimitri John Ledkov, Dominick Grift, Donald Buczek, Douglas
        Christman, Eric DeVolder, EtherGraf, Evgeny Vereshchagin, Feldwor,
        Felix Riemann, Florian Dollinger, Francesco Pennica, Franck Bui,
        Frantisek Sumsal, Franz Pletz, frederik, Hans de Goede, Iago López
        Galeiras, Insun Pyo, Ivan Shapovalov, Iwan Timmer, Jack, Jakob
        Unterwurzacher, Jan Chren, Jan Klötzke, Jan Losinski, Jan Pokorný, Jan
        Synacek, Jan-Michael Brummer, Jeka Pats, Jeremy Soller, Jérémy Rosen,
        Jiri Pirko, Joe Lin, Joerg Behrmann, Joe Richey, Jóhann B. Guðmundsson,
        Johannes Christ, Johannes Schmitz, Jonathan Rouleau, Jorge Niedbalski,
        Jörg Thalheim, Kai Krakow, Kai Lüke, Karel Zak, Kashyap Chamarthy,
        Krayushkin Konstantin, Lennart Poettering, Lubomir Rintel, Luca
        Boccassi, Luís Ferreira, Marc-André Lureau, Markus Felten, Martin Pitt,
        Matthew Leeds, Mattias Jernberg, Michael Biebl, Michael Olbrich,
        Michael Prokop, Michael Stapelberg, Michael Zhivich, Michal Koutný,
        Michal Sekletar, Mike Gilbert, Milan Broz, Miroslav Lichvar, mpe85,
        Mr-Foo, Network Silence, Oliver Harley, pan93412, Paul Menzel, pEJipE,
        Peter A. Bigot, Philip Withnall, Piotr Drąg, Rafael Fontenelle, Robert
        Scheck, Roberto Santalla, Ronan Pigott, root, RussianNeuroMancer,
        Sebastian Jennen, shinygold, Shreyas Behera, Simon Schricker, Susant
        Sahani, Thadeu Lima de Souza Cascardo, Theo Ouzhinski, Thiebaud
        Weksteen, Thomas Haller, Thomas Weißschuh, Tomas Mraz, Tommi Rantala,
        Topi Miettinen, VD-Lycos, ven, Vladimir Yerilov, Wieland Hoffmann,
        William A. Kennington III, William Wold, Xi Ruoyao, Yuri Chornoivan,
        Yu Watanabe, Zach Smith, Zbigniew Jędrzejewski-Szmek, Zhang Xianwei

        – Camerino, 2019-09-03

CHANGES WITH 242:

        * In .link files, MACAddressPolicy=persistent (the default) is changed
          to cover more devices. For devices like bridges, tun, tap, bond, and
          similar interfaces that do not have other identifying information,
          the interface name is used as the basis for persistent seed for MAC
          and IPv4LL addresses. The way that devices that were handled
          previously is not changed, and this change is about covering more
          devices then previously by the "persistent" policy.

          MACAddressPolicy=random may be used to force randomized MACs and
          IPv4LL addresses for a device if desired.

          Hint: the log output from udev (at debug level) was enhanced to
          clarify what policy is followed and which attributes are used.
          'SYSTEMD_LOG_LEVEL=debug udevadm test-builtin net_setup_link /sys/class/net/<name>'
          may be used to view this.

          Hint: if a bridge interface is created without any slaves, and gains
          a slave later, then now the bridge does not inherit slave's MAC.
          To inherit slave's MAC, for example, create the following file:
          ```
          # /etc/systemd/network/98-bridge-inherit-mac.link
          [Match]
          Type=bridge

          [Link]
          MACAddressPolicy=none
          ```

        * The .device units generated by systemd-fstab-generator and other
          generators do not automatically pull in the corresponding .mount unit
          as a Wants= dependency. This means that simply plugging in the device
          will not cause the mount unit to be started automatically. But please
          note that the mount unit may be started for other reasons, in
          particular if it is part of local-fs.target, and any unit which
          (transitively) depends on local-fs.target is started.

        * networkctl list/status/lldp now accept globbing wildcards for network
          interface names to match against all existing interfaces.

        * The $PIDFILE environment variable is set to point the absolute path
          configured with PIDFile= for processes of that service.

        * The fallback DNS server list was augmented with Cloudflare public DNS
          servers. Use '-Ddns-servers=' to set a different fallback.

        * A new special target usb-gadget.target will be started automatically
          when a USB Device Controller is detected (which means that the system
          is a USB peripheral).

        * A new unit setting CPUQuotaPeriodSec= assigns the time period
          relatively to which the CPU time quota specified by CPUQuota= is
          measured.

        * A new unit setting ProtectHostname= may be used to prevent services
          from modifying hostname information (even if they otherwise would
          have privileges to do so).

        * A new unit setting NetworkNamespacePath= may be used to specify a
          namespace for service or socket units through a path referring to a
          Linux network namespace pseudo-file.

        * The PrivateNetwork= setting and JoinsNamespaceOf= dependencies now
          have an effect on .socket units: when used the listening socket is
          created within the configured network namespace instead of the host
          namespace.

        * ExecStart= command lines in unit files may now be prefixed with ':'
          in which case environment variable substitution is
          disabled. (Supported for the other ExecXYZ= settings, too.)

        * .timer units gained two new boolean settings OnClockChange= and
          OnTimezoneChange= which may be used to also trigger a unit when the
          system clock is changed or the local timezone is
          modified. systemd-run has been updated to make these options easily
          accessible from the command line for transient timers.

        * Two new conditions for units have been added: ConditionMemory= may be
          used to conditionalize a unit based on installed system
          RAM. ConditionCPUs= may be used to conditionalize a unit based on
          installed CPU cores.

        * The @default system call filter group understood by SystemCallFilter=
          has been updated to include the new rseq() system call introduced in
          kernel 4.15.

        * A new time-set.target has been added that indicates that the system
          time has been set from a local source (possibly imprecise). The
          existing time-sync.target is stronger and indicates that the time has
          been synchronized with a precise external source. Services where
          approximate time is sufficient should use the new target.

        * "systemctl start" (and related commands) learnt a new
          --show-transaction option. If specified brief information about all
          jobs queued because of the requested operation is shown.

        * systemd-networkd recognizes a new operation state 'enslaved', used
          (instead of 'degraded' or 'carrier') for interfaces which form a
          bridge, bond, or similar, and an new 'degraded-carrier' operational
          state used for the bond or bridge master interface when one of the
          enslaved devices is not operational.

        * .network files learnt the new IgnoreCarrierLoss= option for leaving
          networks configured even if the carrier is lost.

        * The RequiredForOnline= setting in .network files may now specify a
          minimum operational state required for the interface to be considered
          "online" by systemd-networkd-wait-online. Related to this
          systemd-networkd-wait-online gained a new option --operational-state=
          to configure the same, and its --interface= option was updated to
          optionally also take an operational state specific for an interface.

        * systemd-networkd-wait-online gained a new setting --any for waiting
          for only one of the requested interfaces instead of all of them.

        * systemd-networkd now implements L2TP tunnels.

        * Two new .network settings UseAutonomousPrefix= and UseOnLinkPrefix=
          may be used to cause autonomous and onlink prefixes received in IPv6
          Router Advertisements to be ignored.

        * New MulticastFlood=, NeighborSuppression=, and Learning= .network
          file settings may be used to tweak bridge behaviour.

        * The new TripleSampling= option in .network files may be used to
          configure CAN triple sampling.

        * A new .netdev settings PrivateKeyFile= and PresharedKeyFile= may be
          used to point to private or preshared key for a WireGuard interface.

        * /etc/crypttab now supports the same-cpu-crypt and
          submit-from-crypt-cpus options to tweak encryption work scheduling
          details.

        * systemd-tmpfiles will now take a BSD file lock before operating on a
          contents of directory. This may be used to temporarily exclude
          directories from aging by taking the same lock (useful for example
          when extracting a tarball into /tmp or /var/tmp as a privileged user,
          which might create files with really old timestamps, which
          nevertheless should not be deleted). For further details, see:

          https://systemd.io/TEMPORARY_DIRECTORIES

        * systemd-tmpfiles' h line type gained support for the
          FS_PROJINHERIT_FL ('P') file attribute (introduced in kernel 4.5),
          controlling project quota inheritance.

        * sd-boot and bootctl now implement support for an Extended Boot Loader
          (XBOOTLDR) partition, that is intended to be mounted to /boot, in
          addition to the ESP partition mounted to /efi or /boot/efi.
          Configuration file fragments, kernels, initrds and other EFI images
          to boot will be loaded from both the ESP and XBOOTLDR partitions.
          The XBOOTLDR partition was previously described by the Boot Loader
          Specification, but implementation was missing in sd-boot. Support for
          this concept allows using the sd-boot boot loader in more
          conservative scenarios where the boot loader itself is placed in the
          ESP but the kernels to boot (and their metadata) in a separate
          partition.

        * A system may now be booted with systemd.volatile=overlay on the
          kernel command line, which causes the root file system to be set up
          an overlayfs mount combining the root-only root directory with a
          writable tmpfs. In this setup, the underlying root device is not
          modified, and any changes are lost at reboot.

        * Similar, systemd-nspawn can now boot containers with a volatile
          overlayfs root with the new --volatile=overlay switch.

        * systemd-nspawn can now consume OCI runtime bundles using a new
          --oci-bundle= option. This implementation is fully usable, with most
          features in the specification implemented, but since this a lot of
          new code and functionality, this feature should most likely not
          be used in production yet.

        * systemd-nspawn now supports various options described by the OCI
          runtime specification on the command-line and in .nspawn files:
          --inaccessible=/Inaccessible= may be used to mask parts of the file
          system tree, --console=/--pipe may be used to configure how standard
          input, output, and error are set up.

        * busctl learned the 'emit' verb to generate D-Bus signals.

        * systemd-analyze cat-config may be used to gather and display
          configuration spread over multiple files, for example system and user
          presets, tmpfiles.d, sysusers.d, udev rules, etc.

        * systemd-analyze calendar now takes an optional new parameter
          --iterations= which may be used to show a maximum number of iterations
          the specified expression will elapse next.

        * The sd-bus C API gained support for naming method parameters in the
          introspection data.

        * systemd-logind gained D-Bus APIs to specify the "reboot parameter"
          the reboot() system call expects.

        * journalctl learnt a new --cursor-file= option that points to a file
          from which a cursor should be loaded in the beginning and to which
          the updated cursor should be stored at the end.

        * ACRN hypervisor and Windows Subsystem for Linux (WSL) are now
          detected by systemd-detect-virt (and may also be used in
          ConditionVirtualization=).

        * The behaviour of systemd-logind may now be modified with environment
          variables $SYSTEMD_REBOOT_TO_FIRMWARE_SETUP,
          $SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU, and
          $SYSTEMD_REBOOT_TO_BOOT_LOADER_ENTRY. They cause logind to either
          skip the relevant operation completely (when set to false), or to
          create a flag file in /run/systemd (when set to true), instead of
          actually commencing the real operation when requested. The presence
          of /run/systemd/reboot-to-firmware-setup,
          /run/systemd/reboot-to-boot-loader-menu, and
          /run/systemd/reboot-to-boot-loader-entry, may be used by alternative
          boot loader implementations to replace some steps logind performs
          during reboot with their own operations.

        * systemctl can be used to request a reboot into the boot loader menu
          or a specific boot loader entry with the new --boot-load-menu= and
          --boot-loader-entry= options to a reboot command. (This requires a
          boot loader that supports this, for example sd-boot.)

        * kernel-install will no longer unconditionally create the output
          directory (e.g. /efi/<machine-id>/<kernel-version>) for boot loader
          snippets, but will do only if the machine-specific parent directory
          (i.e. /efi/<machine-id>/) already exists. bootctl has been modified
          to create this parent directory during sd-boot installation.

          This makes it easier to use kernel-install with plugins which support
          a different layout of the bootloader partitions (for example grub2).

        * During package installation (with 'ninja install'), we would create
          symlinks for getty@tty1.service, systemd-networkd.service,
          systemd-networkd.socket, systemd-resolved.service,
          remote-cryptsetup.target, remote-fs.target,
          systemd-networkd-wait-online.service, and systemd-timesyncd.service
          in /etc, as if 'systemctl enable' was called for those units, to make
          the system usable immediately after installation. Now this is not
          done anymore, and instead calling 'systemctl preset-all' is
          recommended after the first installation of systemd.

        * A new boolean sandboxing option RestrictSUIDSGID= has been added that
          is built on seccomp. When turned on creation of SUID/SGID files is
          prohibited.

        * The NoNewPrivileges= and the new RestrictSUIDSGID= options are now
          implied if DynamicUser= is turned on for a service. This hardens
          these services, so that they neither can benefit from nor create
          SUID/SGID executables. This is a minor compatibility breakage, given
          that when DynamicUser= was first introduced SUID/SGID behaviour was
          unaffected. However, the security benefit of these two options is
          substantial, and the setting is still relatively new, hence we opted
          to make it mandatory for services with dynamic users.

        Contributions from: Adam Jackson, Alexander Tsoy, Andrey Yashkin,
        Andrzej Pietrasiewicz, Anita Zhang, Balint Reczey, Beniamino Galvani,
        Ben Iofel, Benjamin Berg, Benjamin Dahlhoff, Chris, Chris Morin,
        Christopher Wong, Claudius Ellsel, Clemens Gruber, dana, Daniel Black,
        Davide Cavalca, David Michael, David Rheinsberg, emersion, Evgeny
        Vereshchagin, Filipe Brandenburger, Franck Bui, Frantisek Sumsal,
        Giacinto Cifelli, Hans de Goede, Hugo Kindel, Ignat Korchagin, Insun
        Pyo, Jan Engelhardt, Jonas Dorel, Jonathan Lebon, Jonathon Kowalski,
        Jörg Sommer, Jörg Thalheim, Jussi Pakkanen, Kai-Heng Feng, Lennart
        Poettering, Lubomir Rintel, Luís Ferreira, Martin Pitt, Matthias
        Klumpp, Michael Biebl, Michael Niewöhner, Michael Olbrich, Michal
        Sekletar, Mike Lothian, Paul Menzel, Piotr Drąg, Riccardo Schirone,
        Robin Elvedi, Roman Kulikov, Ronald Tschalär, Ross Burton, Ryan
        Gonzalez, Sebastian Krzyszkowiak, Stephane Chazelas, StKob, Susant
        Sahani, Sylvain Plantefève, Szabolcs Fruhwald, Taro Yamada, Theo
        Ouzhinski, Thomas Haller, Tobias Jungel, Tom Yan, Tony Asleson, Topi
        Miettinen, unixsysadmin, Van Laser, Vesa Jääskeläinen, Yu, Li-Yu,
        Yu Watanabe, Zbigniew Jędrzejewski-Szmek

        — Warsaw, 2019-04-11

CHANGES WITH 241:

        * The default locale can now be configured at compile time. Otherwise,
          a suitable default will be selected automatically (one of C.UTF-8,
          en_US.UTF-8, and C).

        * The version string shown by systemd and other tools now includes the
          git commit hash when built from git. An override may be specified
          during compilation, which is intended to be used by distributions to
          include the package release information.

        * systemd-cat can now filter standard input and standard error streams
          for different syslog priorities using the new --stderr-priority=
          option.

        * systemd-journald and systemd-journal-remote reject entries which
          contain too many fields (CVE-2018-16865) and set limits on the
          process' command line length (CVE-2018-16864).

        * $DBUS_SESSION_BUS_ADDRESS environment variable is set by pam_systemd
          again.

        * A new network device NamePolicy "keep" is implemented for link files,
          and used by default in 99-default.link (the fallback configuration
          provided by systemd). With this policy, if the network device name
          was already set by userspace, the device will not be renamed again.
          This matches the naming scheme that was implemented before
          systemd-240. If naming-scheme < 240 is specified, the "keep" policy
          is also enabled by default, even if not specified. Effectively, this
          means that if naming-scheme >= 240 is specified, network devices will
          be renamed according to the configuration, even if they have been
          renamed already, if "keep" is not specified as the naming policy in
          the .link file. The 99-default.link file provided by systemd includes
          "keep" for backwards compatibility, but it is recommended for user
          installed .link files to *not* include it.

          The "kernel" policy, which keeps kernel names declared to be
          "persistent", now works again as documented.

        * kernel-install script now optionally takes the paths to one or more
          initrd files, and passes them to all plugins.

        * The mincore() system call has been dropped from the @system-service
          system call filter group, as it is pretty exotic and may potentially
          used for side-channel attacks.

        * -fPIE is dropped from compiler and linker options. Please specify
          -Db_pie=true option to meson to build position-independent
          executables. Note that the meson option is supported since meson-0.49.

        * The fs.protected_regular and fs.protected_fifos sysctls, which were
          added in Linux 4.19 to make some data spoofing attacks harder, are
          now enabled by default. While this will hopefully improve the
          security of most installations, it is technically a backwards
          incompatible change; to disable these sysctls again, place the
          following lines in /etc/sysctl.d/60-protected.conf or a similar file:

              fs.protected_regular = 0
              fs.protected_fifos = 0

          Note that the similar hardlink and symlink protection has been
          enabled since v199, and may be disabled likewise.

        * The files read from the EnvironmentFile= setting in unit files now
          parse backslashes inside quotes literally, matching the behaviour of
          POSIX shells.

        * udevadm trigger, udevadm control, udevadm settle and udevadm monitor
          now automatically become NOPs when run in a chroot() environment.

        * The tmpfiles.d/ "C" line type will now copy directory trees not only
          when the destination is so far missing, but also if it already exists
          as a directory and is empty. This is useful to cater for systems
          where directory trees are put together from multiple separate mount
          points but otherwise empty.

        * A new function sd_bus_close_unref() (and the associated
          sd_bus_close_unrefp()) has been added to libsystemd, that combines
          sd_bus_close() and sd_bus_unref() in one.

        * udevadm control learnt a new option for --ping for testing whether a
          systemd-udevd instance is running and reacting.

        * udevadm trigger learnt a new option for --wait-daemon for waiting
          systemd-udevd daemon to be initialized.

        Contributions from: Aaron Plattner, Alberts Muktupāvels, Alex Mayer,
        Ayman Bagabas, Beniamino Galvani, Burt P, Chris Down, Chris Lamb, Chris
        Morin, Christian Hesse, Claudius Ellsel, dana, Daniel Axtens, Daniele
        Medri, Dave Reisner, David Santamaría Rogado, Diego Canuhe, Dimitri
        John Ledkov, Evgeny Vereshchagin, Fabrice Fontaine, Filipe
        Brandenburger, Franck Bui, Frantisek Sumsal, govwin, Hans de Goede,
        James Hilliard, Jan Engelhardt, Jani Uusitalo, Jan Janssen, Jan
        Synacek, Jonathan McDowell, Jonathan Roemer, Jonathon Kowalski, Joost
        Heitbrink, Jörg Thalheim, Lance, Lennart Poettering, Louis Taylor,
        Lucas Werkmeister, Mantas Mikulėnas, Marc-Antoine Perennou,
        marvelousblack, Michael Biebl, Michael Sloan, Michal Sekletar, Mike
        Auty, Mike Gilbert, Mikhail Kasimov, Neil Brown, Niklas Hambüchen,
        Patrick Williams, Paul Seyfert, Peter Hutterer, Philip Withnall, Roger
        James, Ronnie P. Thomas, Ryan Gonzalez, Sam Morris, Stephan Edel,
        Stephan Gerhold, Susant Sahani, Taro Yamada, Thomas Haller, Topi
        Miettinen, YiFei Zhu, YmrDtnJu, YunQiang Su, Yu Watanabe, Zbigniew
        Jędrzejewski-Szmek, zsergeant77, Дамјан Георгиевски

        — Berlin, 2019-02-14

CHANGES WITH 240:

        * NoNewPrivileges=yes has been set for all long-running services
          implemented by systemd. Previously, this was problematic due to
          SELinux (as this would also prohibit the transition from PID1's label
          to the service's label). This restriction has since been lifted, but
          an SELinux policy update is required.
          (See e.g. https://github.com/fedora-selinux/selinux-policy/pull/234.)

        * DynamicUser=yes is dropped from systemd-networkd.service,
          systemd-resolved.service and systemd-timesyncd.service, which was
          enabled in v239 for systemd-networkd.service and systemd-resolved.service,
          and since v236 for systemd-timesyncd.service. The users and groups
          systemd-network, systemd-resolve and systemd-timesync are created
          by systemd-sysusers again. Distributors or system administrators
          may need to create these users and groups if they not exist (or need
          to re-enable DynamicUser= for those units) while upgrading systemd.
          Also, the clock file for systemd-timesyncd may need to move from
          /var/lib/private/systemd/timesync/clock to /var/lib/systemd/timesync/clock.

        * When unit files are loaded from disk, previously systemd would
          sometimes (depending on the unit loading order) load units from the
          target path of symlinks in .wants/ or .requires/ directories of other
          units. This meant that unit could be loaded from different paths
          depending on whether the unit was requested explicitly or as a
          dependency of another unit, not honouring the priority of directories
          in search path. It also meant that it was possible to successfully
          load and start units which are not found in the unit search path, as
          long as they were requested as a dependency and linked to from
          .wants/ or .requires/. The target paths of those symlinks are not
          used for loading units anymore and the unit file must be found in
          the search path.

        * A new service type has been added: Type=exec. It's very similar to
          Type=simple but ensures the service manager will wait for both fork()
          and execve() of the main service binary to complete before proceeding
          with follow-up units. This is primarily useful so that the manager
          propagates any errors in the preparation phase of service execution
          back to the job that requested the unit to be started. For example,
          consider a service that has ExecStart= set to a file system binary
          that doesn't exist. With Type=simple starting the unit would be
          considered instantly successful, as only fork() has to complete
          successfully and the manager does not wait for execve(), and hence
          its failure is seen "too late". With the new Type=exec service type
          starting the unit will fail, as the manager will wait for the
          execve() and notice its failure, which is then propagated back to the
          start job.

          NOTE: with the next release 241 of systemd we intend to change the
          systemd-run tool to default to Type=exec for transient services
          started by it. This should be mostly safe, but in specific corner
          cases might result in problems, as the systemd-run tool will then
          block on NSS calls (such as user name look-ups due to User=) done
          between the fork() and execve(), which under specific circumstances
          might cause problems. It is recommended to specify "-p Type=simple"
          explicitly in the few cases where this applies. For regular,
          non-transient services (i.e. those defined with unit files on disk)
          we will continue to default to Type=simple.

        * The Linux kernel's current default RLIMIT_NOFILE resource limit for
          userspace processes is set to 1024 (soft) and 4096
          (hard). Previously, systemd passed this on unmodified to all
          processes it forked off. With this systemd release the hard limit
          systemd passes on is increased to 512K, overriding the kernel's
          defaults and substantially increasing the number of simultaneous file
          descriptors unprivileged userspace processes can allocate. Note that
          the soft limit remains at 1024 for compatibility reasons: the
          traditional UNIX select() call cannot deal with file descriptors >=
          1024 and increasing the soft limit globally might thus result in
          programs unexpectedly allocating a high file descriptor and thus
          failing abnormally when attempting to use it with select() (of
          course, programs shouldn't use select() anymore, and prefer
          poll()/epoll, but the call unfortunately remains undeservedly popular
          at this time). This change reflects the fact that file descriptor
          handling in the Linux kernel has been optimized in more recent
          kernels and allocating large numbers of them should be much cheaper
          both in memory and in performance than it used to be. Programs that
          want to take benefit of the increased limit have to "opt-in" into
          high file descriptors explicitly by raising their soft limit. Of
          course, when they do that they must acknowledge that they cannot use
          select() anymore (and neither can any shared library they use — or
          any shared library used by any shared library they use and so on).
          Which default hard limit is most appropriate is of course hard to
          decide. However, given reports that ~300K file descriptors are used
          in real-life applications we believe 512K is sufficiently high as new
          default for now. Note that there are also reports that using very
          high hard limits (e.g. 1G) is problematic: some software allocates
          large arrays with one element for each potential file descriptor
          (Java, …) — a high hard limit thus triggers excessively large memory
          allocations in these applications. Hopefully, the new default of 512K
          is a good middle ground: higher than what real-life applications
          currently need, and low enough for avoid triggering excessively large
          allocations in problematic software. (And yes, somebody should fix
          Java.)

        * The fs.nr_open and fs.file-max sysctls are now automatically bumped
          to the highest possible values, as separate accounting of file
          descriptors is no longer necessary, as memcg tracks them correctly as
          part of the memory accounting anyway. Thus, from the four limits on
          file descriptors currently enforced (fs.file-max, fs.nr_open,
          RLIMIT_NOFILE hard, RLIMIT_NOFILE soft) we turn off the first two,
          and keep only the latter two. A set of build-time options
          (-Dbump-proc-sys-fs-file-max=false and -Dbump-proc-sys-fs-nr-open=false)
          has been added to revert this change in behaviour, which might be
          an option for systems that turn off memcg in the kernel.

        * When no /etc/locale.conf file exists (and hence no locale settings
          are in place), systemd will now use the "C.UTF-8" locale by default,
          and set LANG= to it. This locale is supported by various
          distributions including Fedora, with clear indications that upstream
          glibc is going to make it available too. This locale enables UTF-8
          mode by default, which appears appropriate for 2018.

        * The "net.ipv4.conf.all.rp_filter" sysctl will now be set to 2 by
          default. This effectively switches the RFC3704 Reverse Path filtering
          from Strict mode to Loose mode. This is more appropriate for hosts
          that have multiple links with routes to the same networks (e.g.
          a client with a Wi-Fi and Ethernet both connected to the internet).

          Consult the kernel documentation for details on this sysctl:
          https://docs.kernel.org/networking/ip-sysctl.html

        * The v239 change to turn on "net.ipv4.tcp_ecn" by default has been
          reverted.

        * CPUAccounting=yes no longer enables the CPU controller when using
          kernel 4.15+ and the unified cgroup hierarchy, as required accounting
          statistics are now provided independently from the CPU controller.

        * Support for disabling a particular cgroup controller within a sub-tree
          has been added through the DisableControllers= directive.

        * cgroup_no_v1=all on the kernel command line now also implies
          using the unified cgroup hierarchy, unless one explicitly passes
          systemd.unified_cgroup_hierarchy=0 on the kernel command line.

        * The new "MemoryMin=" unit file property may now be used to set the
          memory usage protection limit of processes invoked by the unit. This
          controls the cgroup v2 memory.min attribute. Similarly, the new
          "IODeviceLatencyTargetSec=" property has been added, wrapping the new
          cgroup v2 io.latency cgroup property for configuring per-service I/O
          latency.

        * systemd now supports the cgroup v2 devices BPF logic, as counterpart
          to the cgroup v1 "devices" cgroup controller.

        * systemd-escape now is able to combine --unescape with --template. It
          also learnt a new option --instance for extracting and unescaping the
          instance part of a unit name.

        * sd-bus now provides the sd_bus_message_readv() which is similar to
          sd_bus_message_read() but takes a va_list object. The pair
          sd_bus_set_method_call_timeout() and sd_bus_get_method_call_timeout()
          has been added for configuring the default method call timeout to
          use. sd_bus_error_move() may be used to efficiently move the contents
          from one sd_bus_error structure to another, invalidating the
          source. sd_bus_set_close_on_exit() and sd_bus_get_close_on_exit() may
          be used to control whether a bus connection object is automatically
          flushed when an sd-event loop is exited.

        * When processing classic BSD syslog log messages, journald will now
          save the original time-stamp string supplied in the new
          SYSLOG_TIMESTAMP= journal field. This permits consumers to
          reconstruct the original BSD syslog message more correctly.

        * StandardOutput=/StandardError= in service files gained support for
          new "append:…" parameters, for connecting STDOUT/STDERR of a service
          to a file, and appending to it.

        * The signal to use as last step of killing of unit processes is now
          configurable. Previously it was hard-coded to SIGKILL, which may now
          be overridden with the new KillSignal= setting. Note that this is the
          signal used when regular termination (i.e. SIGTERM) does not suffice.
          Similarly, the signal used when aborting a program in case of a
          watchdog timeout may now be configured too (WatchdogSignal=).

        * The XDG_SESSION_DESKTOP environment variable may now be configured in
          the pam_systemd argument line, using the new desktop= switch. This is
          useful to initialize it properly from a display manager without
          having to touch C code.

        * Most configuration options that previously accepted percentage values
          now also accept permille values with the '‰' suffix (instead of '%').

        * systemd-resolved may now optionally use OpenSSL instead of GnuTLS for
          DNS-over-TLS.

        * systemd-resolved's configuration file resolved.conf gained a new
          option ReadEtcHosts= which may be used to turn off processing and
          honoring /etc/hosts entries.

        * The "--wait" switch may now be passed to "systemctl
          is-system-running", in which case the tool will synchronously wait
          until the system finished start-up.

        * hostnamed gained a new bus call to determine the DMI product UUID.

        * On x86-64 systemd will now prefer using the RDRAND processor
          instruction over /dev/urandom whenever it requires randomness that
          neither has to be crypto-grade nor should be reproducible. This
          should substantially reduce the amount of entropy systemd requests
          from the kernel during initialization on such systems, though not
          reduce it to zero. (Why not zero? systemd still needs to allocate
          UUIDs and such uniquely, which require high-quality randomness.)

        * networkd gained support for Foo-Over-UDP, ERSPAN and ISATAP
          tunnels. It also gained a new option ForceDHCPv6PDOtherInformation=
          for forcing the "Other Information" bit in IPv6 RA messages. The
          bonding logic gained four new options AdActorSystemPriority=,
          AdUserPortKey=, AdActorSystem= for configuring various 802.3ad
          aspects, and DynamicTransmitLoadBalancing= for enabling dynamic
          shuffling of flows. The tunnel logic gained a new
          IPv6RapidDeploymentPrefix= option for configuring IPv6 Rapid
          Deployment. The policy rule logic gained four new options IPProtocol=,
          SourcePort= and DestinationPort=, InvertRule=. The bridge logic gained
          support for the MulticastToUnicast= option. networkd also gained
          support for configuring static IPv4 ARP or IPv6 neighbor entries.

        * .preset files (as read by 'systemctl preset') may now be used to
          instantiate services.

        * /etc/crypttab now understands the sector-size= option to configure
          the sector size for an encrypted partition.

        * Key material for encrypted disks may now be placed on a formatted
          medium, and referenced from /etc/crypttab by the UUID of the file
          system, followed by "=" suffixed by the path to the key file.

        * The "collect" udev component has been removed without replacement, as
          it is neither used nor maintained.

        * When the RuntimeDirectory=, StateDirectory=, CacheDirectory=,
          LogsDirectory=, ConfigurationDirectory= settings are used in a
          service the executed processes will now receive a set of environment
          variables containing the full paths of these directories.
          Specifically, RUNTIME_DIRECTORY=, STATE_DIRECTORY, CACHE_DIRECTORY,
          LOGS_DIRECTORY, CONFIGURATION_DIRECTORY are now set if these options
          are used. Note that these options may be used multiple times per
          service in which case the resulting paths will be concatenated and
          separated by colons.

        * Predictable interface naming has been extended to cover InfiniBand
          NICs. They will be exposed with an "ib" prefix.

        * tmpfiles.d/ line types may now be suffixed with a '-' character, in
          which case the respective line failing is ignored.

        * .link files may now be used to configure the equivalent to the
          "ethtool advertise" commands.

        * The sd-device.h and sd-hwdb.h APIs are now exported, as an
          alternative to libudev.h. Previously, the latter was just an internal
          wrapper around the former, but now these two APIs are exposed
          directly.

        * sd-id128.h gained a new function sd_id128_get_boot_app_specific()
          which calculates an app-specific boot ID similar to how
          sd_id128_get_machine_app_specific() generates an app-specific machine
          ID.

        * A new tool systemd-id128 has been added that can be used to determine
          and generate various 128-bit IDs.

        * /etc/os-release gained two new standardized fields DOCUMENTATION_URL=
          and LOGO=.

        * systemd-hibernate-resume-generator will now honor the "noresume"
          kernel command line option, in which case it will bypass resuming
          from any hibernated image.

        * The systemd-sleep.conf configuration file gained new options
          AllowSuspend=, AllowHibernation=, AllowSuspendThenHibernate=,
          AllowHybridSleep= for prohibiting specific sleep modes even if the
          kernel exports them.

        * portablectl is now officially supported and has thus moved to
          /usr/bin/.

        * bootctl learnt the two new commands "set-default" and "set-oneshot"
          for setting the default boot loader item to boot to (either
          persistently or only for the next boot). This is currently only
          compatible with sd-boot, but may be implemented on other boot loaders
          too, that follow the boot loader interface. The updated interface is
          now documented here:

          https://systemd.io/BOOT_LOADER_INTERFACE

        * A new kernel command line option systemd.early_core_pattern= is now
          understood which may be used to influence the core_pattern PID 1
          installs during early boot.

        * busctl learnt two new options -j and --json= for outputting method
          call replies, properties and monitoring output in JSON.

        * journalctl's JSON output now supports simple ANSI coloring as well as
          a new "json-seq" mode for generating RFC7464 output.

        * Unit files now support the %g/%G specifiers that resolve to the UNIX
          group/GID of the service manager runs as, similar to the existing
          %u/%U specifiers that resolve to the UNIX user/UID.

        * systemd-logind learnt a new global configuration option
          UserStopDelaySec= that may be set in logind.conf. It specifies how
          long the systemd --user instance shall remain started after a user
          logs out. This is useful to speed up repetitive re-connections of the
          same user, as it means the user's service manager doesn't have to be
          stopped/restarted on each iteration, but can be reused between
          subsequent options. This setting defaults to 10s. systemd-logind also
          exports two new properties on its Manager D-Bus objects indicating
          whether the system's lid is currently closed, and whether the system
          is on AC power.

        * systemd gained support for a generic boot counting logic, which
          generically permits automatic reverting to older boot loader entries
          if newer updated ones don't work. The boot loader side is implemented
          in sd-boot, but is kept open for other boot loaders too. For details
          see:

          https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT

        * The SuccessAction=/FailureAction= unit file settings now learnt two
          new parameters: "exit" and "exit-force", which result in immediate
          exiting of the service manager, and are only useful in systemd --user
          and container environments.

        * Unit files gained support for a pair of options
          FailureActionExitStatus=/SuccessActionExitStatus= for configuring the
          exit status to use as service manager exit status when
          SuccessAction=/FailureAction= is set to exit or exit-force.

        * A pair of LogRateLimitIntervalSec=/LogRateLimitBurst= per-service
          options may now be used to configure the log rate limiting applied by
          journald per-service.

        * systemd-analyze gained a new verb "timespan" for parsing and
          normalizing time span values (i.e. strings like "5min 7s 8us").

        * systemd-analyze also gained a new verb "security" for analyzing the
          security and sand-boxing settings of services in order to determine an
          "exposure level" for them, indicating whether a service would benefit
          from more sand-boxing options turned on for them.

        * "systemd-analyze syscall-filter" will now also show system calls
          supported by the local kernel but not included in any of the defined
          groups.

        * .nspawn files now understand the Ephemeral= setting, matching the
          --ephemeral command line switch.

        * sd-event gained the new APIs sd_event_source_get_floating() and
          sd_event_source_set_floating() for controlling whether a specific
          event source is "floating", i.e. destroyed along with the even loop
          object itself.

        * Unit objects on D-Bus gained a new "Refs" property that lists all
          clients that currently have a reference on the unit (to ensure it is
          not unloaded).

        * The JoinControllers= option in system.conf is no longer supported, as
          it didn't work correctly, is hard to support properly, is legacy (as
          the concept only exists on cgroup v1) and apparently wasn't used.

        * Journal messages that are generated whenever a unit enters the failed
          state are now tagged with a unique MESSAGE_ID. Similarly, messages
          generated whenever a service process exits are now made recognizable,
          too. A tagged message is also emitted whenever a unit enters the
          "dead" state on success.

        * systemd-run gained a new switch --working-directory= for configuring
          the working directory of the service to start. A shortcut -d is
          equivalent, setting the working directory of the service to the
          current working directory of the invoking program. The new --shell
          (or just -S) option has been added for invoking the $SHELL of the
          caller as a service, and implies --pty --same-dir --wait --collect
          --service-type=exec. Or in other words, "systemd-run -S" is now the
          quickest way to quickly get an interactive in a fully clean and
          well-defined system service context.

        * machinectl gained a new verb "import-fs" for importing an OS tree
          from a directory. Moreover, when a directory or tarball is imported
          and single top-level directory found with the OS itself below the OS
          tree is automatically mangled and moved one level up.

        * systemd-importd will no longer set up an implicit btrfs loop-back
          file system on /var/lib/machines. If one is already set up, it will
          continue to be used.

        * A new generator "systemd-run-generator" has been added. It will
          synthesize a unit from one or more program command lines included in
          the kernel command line. This is very useful in container managers
          for example:

          # systemd-nspawn -i someimage.raw -b systemd.run='"some command line"'

          This will run "systemd-nspawn" on an image, invoke the specified
          command line and immediately shut down the container again, returning
          the command line's exit code.

        * The block device locking logic is now documented:

          https://systemd.io/BLOCK_DEVICE_LOCKING

        * loginctl and machinectl now optionally output the various tables in
          JSON using the --output= switch. It is our intention to add similar
          support to systemctl and all other commands.

        * udevadm's query and trigger verb now optionally take a .device unit
          name as argument.

        * systemd-udevd's network naming logic now understands a new
          net.naming_scheme= kernel command line switch, which may be used to
          pick a specific version of the naming scheme. This helps stabilizing
          interface names even as systemd/udev are updated and the naming logic
          is improved.

        * sd-id128.h learnt two new auxiliary helpers: sd_id128_is_allf() and
          SD_ID128_ALLF to test if a 128-bit ID is set to all 0xFF bytes, and to
          initialize one to all 0xFF.

        * After loading the SELinux policy systemd will now recursively relabel
          all files and directories listed in
          /run/systemd/relabel-extra.d/*.relabel (which should be simple
          newline separated lists of paths) in addition to the ones it already
          implicitly relabels in /run, /dev and /sys. After the relabelling is
          completed the *.relabel files (and /run/systemd/relabel-extra.d/) are
          removed. This is useful to permit initrds (i.e. code running before
          the SELinux policy is in effect) to generate files in the host
          filesystem safely and ensure that the correct label is applied during
          the transition to the host OS.

        * KERNEL API BREAKAGE: Linux kernel 4.18 changed behaviour regarding
          mknod() handling in user namespaces. Previously mknod() would always
          fail with EPERM in user namespaces. Since 4.18 mknod() will succeed
          but device nodes generated that way cannot be opened, and attempts to
          open them result in EPERM. This breaks the "graceful fallback" logic
          in systemd's PrivateDevices= sand-boxing option. This option is
          implemented defensively, so that when systemd detects it runs in a
          restricted environment (such as a user namespace, or an environment
          where mknod() is blocked through seccomp or absence of CAP_SYS_MKNOD)
          where device nodes cannot be created the effect of PrivateDevices= is
          bypassed (following the logic that 2nd-level sand-boxing is not
          essential if the system systemd runs in is itself already sand-boxed
          as a whole). This logic breaks with 4.18 in container managers where
          user namespacing is used: suddenly PrivateDevices= succeeds setting
          up a private /dev/ file system containing devices nodes — but when
          these are opened they don't work.

          At this point it is recommended that container managers utilizing
          user namespaces that intend to run systemd in the payload explicitly
          block mknod() with seccomp or similar, so that the graceful fallback
          logic works again.

          We are very sorry for the breakage and the requirement to change
          container configurations for newer kernels. It's purely caused by an
          incompatible kernel change. The relevant kernel developers have been
          notified about this userspace breakage quickly, but they chose to
          ignore it.

        * PermissionsStartOnly= setting is deprecated (but is still supported
          for backwards compatibility). The same functionality is provided by
          the more flexible "+", "!", and "!!" prefixes to ExecStart= and other
          commands.

        * $DBUS_SESSION_BUS_ADDRESS environment variable is not set by
          pam_systemd anymore.

        * The naming scheme for network devices was changed to always rename
          devices, even if they were already renamed by userspace. The "kernel"
          policy was changed to only apply as a fallback, if no other naming
          policy took effect.

        * The requirements to build systemd is bumped to meson-0.46 and
          python-3.5.

        Contributions from: afg, Alan Jenkins, Aleksei Timofeyev, Alexander
        Filippov, Alexander Kurtz, Alexey Bogdanenko, Andreas Henriksson,
        Andrew Jorgensen, Anita Zhang, apnix-uk, Arkan49, Arseny Maslennikov,
        asavah, Asbjørn Apeland, aszlig, Bastien Nocera, Ben Boeckel, Benedikt
        Morbach, Benjamin Berg, Bruce Zhang, Carlo Caione, Cedric Viou, Chen
        Qi, Chris Chiu, Chris Down, Chris Morin, Christian Rebischke, Claudius
        Ellsel, Colin Guthrie, dana, Daniel, Daniele Medri, Daniel Kahn
        Gillmor, Daniel Rusek, Daniel van Vugt, Dariusz Gadomski, Dave Reisner,
        David Anderson, Davide Cavalca, David Leeds, David Malcolm, David
        Strauss, David Tardon, Dimitri John Ledkov, Dmitry Torokhov, dj-kaktus,
        Dongsu Park, Elias Probst, Emil Soleyman, Erik Kooistra, Ervin Peters,
        Evgeni Golov, Evgeny Vereshchagin, Fabrice Fontaine, Faheel Ahmad,
        Faizal Luthfi, Felix Yan, Filipe Brandenburger, Franck Bui, Frank
        Schaefer, Frantisek Sumsal, Gautier Husson, Gianluca Boiano, Giuseppe
        Scrivano, glitsj16, Hans de Goede, Harald Hoyer, Harry Mallon, Harshit
        Jain, Helmut Grohne, Henry Tung, Hui Yiqun, imayoda, Insun Pyo, Iwan
        Timmer, Jan Janssen, Jan Pokorný, Jan Synacek, Jason A. Donenfeld,
        javitoom, Jérémy Nouhaud, Jeremy Su, Jiuyang Liu, João Paulo Rechi
        Vita, Joe Hershberger, Joe Rayhawk, Joerg Behrmann, Joerg Steffens,
        Jonas Dorel, Jon Ringle, Josh Soref, Julian Andres Klode, Jun Bo Bi,
        Jürg Billeter, Keith Busch, Khem Raj, Kirill Marinushkin, Larry
        Bernstone, Lennart Poettering, Lion Yang, Li Song, Lorenz
        Hübschle-Schneider, Lubomir Rintel, Lucas Werkmeister, Ludwin Janvier,
        Lukáš Nykrýn, Luke Shumaker, mal, Marc-Antoine Perennou, Marcin
        Skarbek, Marco Trevisan (Treviño), Marian Cepok, Mario Hros, Marko
        Myllynen, Markus Grimm, Martin Pitt, Martin Sobotka, Martin Wilck,
        Mathieu Trudel-Lapierre, Matthew Leeds, Michael Biebl, Michael Olbrich,
        Michael 'pbone' Pobega, Michael Scherer, Michal Koutný, Michal
        Sekletar, Michal Soltys, Mike Gilbert, Mike Palmer, Muhammet Kara, Neal
        Gompa, Neil Brown, Network Silence, Niklas Tibbling, Nikolas Nyby,
        Nogisaka Sadata, Oliver Smith, Patrik Flykt, Pavel Hrdina, Paweł
        Szewczyk, Peter Hutterer, Piotr Drąg, Ray Strode, Reinhold Mueller,
        Renaud Métrich, Roman Gushchin, Ronny Chevalier, Rubén Suárez Alvarez,
        Ruixin Bao, RussianNeuroMancer, Ryutaroh Matsumoto, Saleem Rashid, Sam
        Morris, Samuel Morris, Sandy Carter, scootergrisen, Sébastien Bacher,
        Sergey Ptashnick, Shawn Landden, Shengyao Xue, Shih-Yuan Lee
        (FourDollars), Silvio Knizek, Sjoerd Simons, Stasiek Michalski, Stephen
        Gallagher, Steven Allen, Steve Ramage, Susant Sahani, Sven Joachim,
        Sylvain Plantefève, Tanu Kaskinen, Tejun Heo, Thiago Macieira, Thomas
        Blume, Thomas Haller, Thomas H. P. Andersen, Tim Ruffing, TJ, Tobias
        Jungel, Todd Walton, Tommi Rantala, Tomsod M, Tony Novak, Tore
        Anderson, Trevonn, Victor Laskurain, Victor Tapia, Violet Halo, Vojtech
        Trefny, welaq, William A. Kennington III, William Douglas, Wyatt Ward,
        Xiang Fan, Xi Ruoyao, Xuanwo, Yann E. Morin, YmrDtnJu, Yu Watanabe,
        Zbigniew Jędrzejewski-Szmek, Zhang Xianwei, Zsolt Dollenstein

        — Warsaw, 2018-12-21

CHANGES WITH 239:

        * NETWORK INTERFACE DEVICE NAMING CHANGES: systemd-udevd's "net_id"
          builtin will name network interfaces differently than in previous
          versions for virtual network interfaces created with SR-IOV and NPAR
          and for devices where the PCI network controller device does not have
          a slot number associated.

          SR-IOV virtual devices are now named based on the name of the parent
          interface, with a suffix of "v<N>", where <N> is the virtual device
          number. Previously those virtual devices were named as if completely
          independent.

          The ninth and later NPAR virtual devices will be named following the
          scheme used for the first eight NPAR partitions. Previously those
          devices were not renamed and the kernel default (eth<n>) was used.

          "net_id" will also generate names for PCI devices where the PCI
          network controller device does not have an associated slot number
          itself, but one of its parents does. Previously those devices were
          not renamed and the kernel default (eth<n>) was used.

        * AF_INET and AF_INET6 are dropped from RestrictAddressFamilies= in
          systemd-logind.service. Since v235, IPAddressDeny=any has been set to
          the unit. So, it is expected that the default behavior of
          systemd-logind is not changed. However, if distribution packagers or
          administrators disabled or modified IPAddressDeny= setting by a
          drop-in config file, then it may be necessary to update the file to
          re-enable AF_INET and AF_INET6 to support network user name services,
          e.g. NIS.

        * When the RestrictNamespaces= unit property is specified multiple
          times, then the specified types are merged now. Previously, only the
          last assignment was used. So, if distribution packagers or
          administrators modified the setting by a drop-in config file, then it
          may be necessary to update the file.

        * When OnFailure= is used in combination with Restart= on a service
          unit, then the specified units will no longer be triggered on
          failures that result in restarting. Previously, the specified units
          would be activated each time the unit failed, even when the unit was
          going to be restarted automatically. This behaviour contradicted the
          documentation. With this release the code is adjusted to match the
          documentation.

        * systemd-tmpfiles will now print a notice whenever it encounters
          tmpfiles.d/ lines referencing the /var/run/ directory. It will
          recommend reworking them to use the /run/ directory instead (for
          which /var/run/ is simply a symlinked compatibility alias). This way
          systemd-tmpfiles can properly detect line conflicts and merge lines
          referencing the same file by two paths, without having to access
          them.

        * systemctl disable/unmask/preset/preset-all cannot be used with
          --runtime. Previously this was allowed, but resulted in unintuitive
          behaviour that wasn't useful. systemctl disable/unmask will now undo
          both runtime and persistent enablement/masking, i.e. it will remove
          any relevant symlinks both in /run and /etc.

        * Note that all long-running system services shipped with systemd will
          now default to a system call allow list (rather than a deny list, as
          before). In particular, systemd-udevd will now enforce one too. For
          most cases this should be safe, however downstream distributions
          which disabled sandboxing of systemd-udevd (specifically the
          MountFlags= setting), might want to disable this security feature
          too, as the default allow-listing will prohibit all mount, swap,
          reboot and clock changing operations from udev rules.

        * sd-boot acquired new loader configuration settings to optionally turn
          off Windows and MacOS boot partition discovery as well as
          reboot-into-firmware menu items. It is also able to pick a better
          screen resolution for HiDPI systems, and now provides loader
          configuration settings to change the resolution explicitly.

        * systemd-resolved now supports DNS-over-TLS. It's still
          turned off by default, use DNSOverTLS=opportunistic to turn it on in
          resolved.conf. We intend to make this the default as soon as couple
          of additional techniques for optimizing the initial latency caused by
          establishing a TLS/TCP connection are implemented.

        * systemd-resolved.service and systemd-networkd.service now set
          DynamicUser=yes. The users systemd-resolve and systemd-network are
          not created by systemd-sysusers anymore.

          NOTE: This has a chance of breaking nss-ldap and similar NSS modules
          that embed a network facing module into any process using getpwuid()
          or related call: the dynamic allocation of the user ID for
          systemd-resolved.service means the service manager has to check NSS
          if the user name is already taken when forking off the service. Since
          the user in the common case won't be defined in /etc/passwd the
          lookup is likely to trigger nss-ldap which in turn might use NSS to
          ask systemd-resolved for hostname lookups. This will hence result in
          a deadlock: a user name lookup in order to start
          systemd-resolved.service will result in a hostname lookup for which
          systemd-resolved.service needs to be started already. There are
          multiple ways to work around this problem: pre-allocate the
          "systemd-resolve" user on such systems, so that nss-ldap won't be
          triggered; or use a different NSS package that doesn't do networking
          in-process but provides a local asynchronous name cache; or configure
          the NSS package to avoid lookups for UIDs in the range between the
          values returned by the commands
          'pkg-config systemd --variable=dynamicuidmin' and
          'pkg-config systemd --variable=dynamicuidmax', so that it does not
          consider itself authoritative for the same UID range systemd
          allocates dynamic users from.

        * The systemd-resolve tool has been renamed to resolvectl (it also
          remains available under the old name, for compatibility), and its
          interface is now verb-based, similar in style to the other <xyz>ctl
          tools, such as systemctl or loginctl.

        * The resolvectl/systemd-resolve tool also provides 'resolvconf'
          compatibility. It may be symlinked under the 'resolvconf' name, in
          which case it will take arguments and input compatible with the
          Debian and FreeBSD resolvconf tool.

        * Support for suspend-then-hibernate has been added, i.e. a sleep mode
          where the system initially suspends, and after a timeout resumes and
          hibernates again.

        * networkd's ClientIdentifier= now accepts a new option "duid-only". If
          set the client will only send a DUID as client identifier. (EDIT: the
          option was broken, and was dropped in v255.)

        * The nss-systemd glibc NSS module will now enumerate dynamic users and
          groups in effect. Previously, it could resolve UIDs/GIDs to user
          names/groups and vice versa, but did not support enumeration.

        * journald's Compress= configuration setting now optionally accepts a
          byte threshold value. All journal objects larger than this threshold
          will be compressed, smaller ones will not. Previously this threshold
          was not configurable and set to 512.

        * A new system.conf setting NoNewPrivileges= is now available which may
          be used to turn off acquisition of new privileges system-wide
          (i.e. set Linux' PR_SET_NO_NEW_PRIVS for PID 1 itself, and thus also
          for all its children). Note that turning this option on means setuid
          binaries and file system capabilities lose their special powers.
          While turning on this option is a big step towards a more secure
          system, doing so is likely to break numerous pre-existing UNIX tools,
          in particular su and sudo.

        * A new service systemd-time-sync-wait.service has been added. If
          enabled it will delay the time-sync.target unit at boot until time
          synchronization has been received from the network. This
          functionality is useful on systems lacking a local RTC or where it is
          acceptable that the boot process shall be delayed by external network
          services.

        * When hibernating, systemd will now inform the kernel of the image
          write offset, on kernels new enough to support this. This means swap
          files should work for hibernation now.

        * When loading unit files, systemd will now look for drop-in unit files
          extensions in additional places. Previously, for a unit file name
          "foo-bar-baz.service" it would look for dropin files in
          "foo-bar-baz.service.d/*.conf". Now, it will also look in
          "foo-bar-.service.d/*.conf" and "foo-.service.d/", i.e. at the
          service name truncated after all inner dashes. This scheme allows
          writing drop-ins easily that apply to a whole set of unit files at
          once. It's particularly useful for mount and slice units (as their
          naming is prefix based), but is also useful for service and other
          units, for packages that install multiple unit files at once,
          following a strict naming regime of beginning the unit file name with
          the package's name. Two new specifiers are now supported in unit
          files to match this: %j and %J are replaced by the part of the unit
          name following the last dash.

        * Unit files and other configuration files that support specifier
          expansion now understand another three new specifiers: %T and %V will
          resolve to /tmp and /var/tmp respectively, or whatever temporary
          directory has been set for the calling user. %E will expand to either
          /etc (for system units) or $XDG_CONFIG_HOME (for user units).

        * The ExecStart= lines of unit files are no longer required to
          reference absolute paths. If non-absolute paths are specified the
          specified binary name is searched within the service manager's
          built-in $PATH, which may be queried with 'systemd-path
          search-binaries-default'. It's generally recommended to continue to
          use absolute paths for all binaries specified in unit files.

        * Units gained a new load state "bad-setting", which is used when a
          unit file was loaded, but contained fatal errors which prevent it
          from being started (for example, a service unit has been defined
          lacking both ExecStart= and ExecStop= lines).

        * coredumpctl's "gdb" verb has been renamed to "debug", in order to
          support alternative debuggers, for example lldb. The old name
          continues to be available however, for compatibility reasons. Use the
          new --debugger= switch or the $SYSTEMD_DEBUGGER environment variable
          to pick an alternative debugger instead of the default gdb.

        * systemctl and the other tools will now output escape sequences that
          generate proper clickable hyperlinks in various terminal emulators
          where useful (for example, in the "systemctl status" output you can
          now click on the unit file name to quickly open it in the
          editor/viewer of your choice). Note that not all terminal emulators
          support this functionality yet, but many do. Unfortunately, the
          "less" pager doesn't support this yet, hence this functionality is
          currently automatically turned off when a pager is started (which
          happens quite often due to auto-paging). We hope to remove this
          limitation as soon as "less" learns these escape sequences. This new
          behaviour may also be turned off explicitly with the $SYSTEMD_URLIFY
          environment variable. For details on these escape sequences see:
          https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3cb5feda

        * networkd's .network files now support a new IPv6MTUBytes= option for
          setting the MTU used by IPv6 explicitly as well as a new MTUBytes=
          option in the [Route] section to configure the MTU to use for
          specific routes. It also gained support for configuration of the DHCP
          "UserClass" option through the new UserClass= setting. It gained
          three new options in the new [CAN] section for configuring CAN
          networks. The MULTICAST and ALLMULTI interface flags may now be
          controlled explicitly with the new Multicast= and AllMulticast=
          settings.

        * networkd will now automatically make use of the kernel's route
          expiration feature, if it is available.

        * udevd's .link files now support setting the number of receive and
          transmit channels, using the RxChannels=, TxChannels=,
          OtherChannels=, CombinedChannels= settings.

        * Support for UDPSegmentationOffload= has been removed, given its
          limited support in hardware, and waning software support.

        * networkd's .netdev files now support creating "netdevsim" interfaces.

        * PID 1 learnt a new bus call GetUnitByControlGroup() which may be used
          to query the unit belonging to a specific kernel control group.

        * systemd-analyze gained a new verb "cat-config", which may be used to
          dump the contents of any configuration file, with all its matching
          drop-in files added in, and honouring the usual search and masking
          logic applied to systemd configuration files. For example use
          "systemd-analyze cat-config systemd/system.conf" to get the complete
          system configuration file of systemd how it would be loaded by PID 1
          itself. Similar to this, various tools such as systemd-tmpfiles or
          systemd-sysusers, gained a new option "--cat-config", which does the
          corresponding operation for their own configuration settings. For
          example, "systemd-tmpfiles --cat-config" will now output the full
          list of tmpfiles.d/ lines in place.

        * timedatectl gained three new verbs: "show" shows bus properties of
          systemd-timedated, "timesync-status" shows the current NTP
          synchronization state of systemd-timesyncd, and "show-timesync"
          shows bus properties of systemd-timesyncd.

        * systemd-timesyncd gained a bus interface on which it exposes details
          about its state.

        * A new environment variable $SYSTEMD_TIMEDATED_NTP_SERVICES is now
          understood by systemd-timedated. It takes a colon-separated list of
          unit names of NTP client services. The list is used by
          "timedatectl set-ntp".

        * systemd-nspawn gained a new --rlimit= switch for setting initial
          resource limits for the container payload. There's a new switch
          --hostname= to explicitly override the container's hostname. A new
          --no-new-privileges= switch may be used to control the
          PR_SET_NO_NEW_PRIVS flag for the container payload. A new
          --oom-score-adjust= switch controls the OOM scoring adjustment value
          for the payload. The new --cpu-affinity= switch controls the CPU
          affinity of the container payload. The new --resolv-conf= switch
          allows more detailed control of /etc/resolv.conf handling of the
          container. Similarly, the new --timezone= switch allows more detailed
          control of /etc/localtime handling of the container.

        * systemd-detect-virt gained a new --list switch, which will print a
          list of all currently known VM and container environments.

        * Support for "Portable Services" has been added, see
          doc/PORTABLE_SERVICES.md for details. Currently, the support is still
          experimental, but this is expected to change soon. Reflecting this
          experimental state, the "portablectl" binary is not installed into
          /usr/bin yet. The binary has to be called with the full path
          /usr/lib/systemd/portablectl instead.

        * journalctl's and systemctl's -o switch now knows a new log output
          mode "with-unit". The output it generates is very similar to the
          regular "short" mode, but displays the unit name instead of the
          syslog tag for each log line. Also, the date is shown with timezone
          information. This mode is probably more useful than the classic
          "short" output mode for most purposes, except where pixel-perfect
          compatibility with classic /var/log/messages formatting is required.

        * A new --dump-bus-properties switch has been added to the systemd
          binary, which may be used to dump all supported D-Bus properties.
          (Options which are still supported, but are deprecated, are *not*
          shown.)

        * sd-bus gained a set of new calls:
          sd_bus_slot_set_floating()/sd_bus_slot_get_floating() may be used to
          enable/disable the "floating" state of a bus slot object,
          i.e. whether the slot object pins the bus it is allocated for into
          memory or if the bus slot object gets disconnected when the bus goes
          away. sd_bus_open_with_description(),
          sd_bus_open_user_with_description(),
          sd_bus_open_system_with_description() may be used to allocate bus
          objects and set their description string already during allocation.

        * sd-event gained support for watching inotify events from the event
          loop, in an efficient way, sharing inotify handles between multiple
          users. For this a new function sd_event_add_inotify() has been added.

        * sd-event and sd-bus gained support for calling special user-supplied
          destructor functions for userdata pointers associated with
          sd_event_source, sd_bus_slot, and sd_bus_track objects. For this new
          functions sd_bus_slot_set_destroy_callback,
          sd_bus_slot_get_destroy_callback, sd_bus_track_set_destroy_callback,
          sd_bus_track_get_destroy_callback,
          sd_event_source_set_destroy_callback,
          sd_event_source_get_destroy_callback have been added.

        * The "net.ipv4.tcp_ecn" sysctl will now be turned on by default.

        * PID 1 will now automatically reschedule .timer units whenever the
          local timezone changes. (They previously got rescheduled
          automatically when the system clock changed.)

        * New documentation has been added to document cgroups delegation,
          portable services and the various code quality tools we have set up:

          https://github.com/systemd/systemd/blob/master/docs/CGROUP_DELEGATION.md
          https://github.com/systemd/systemd/blob/master/docs/PORTABLE_SERVICES.md
          https://github.com/systemd/systemd/blob/master/docs/CODE_QUALITY.md

        * The Boot Loader Specification has been added to the source tree.

          https://github.com/systemd/systemd/blob/master/docs/BOOT_LOADER_SPECIFICATION.md

          While moving it into our source tree we have updated it and further
          changes are now accepted through the usual github PR workflow.

        * pam_systemd will now look for PAM userdata fields systemd.memory_max,
          systemd.tasks_max, systemd.cpu_weight, systemd.io_weight set by
          earlier PAM modules. The data in these fields is used to initialize
          the session scope's resource properties. Thus external PAM modules
          may now configure per-session limits, for example sourced from
          external user databases.

        * socket units with Accept=yes will now maintain a "refused" counter in
          addition to the existing "accepted" counter, counting connections
          refused due to the enforced limits.

        * The "systemd-path search-binaries-default" command may now be use to
          query the default, built-in $PATH PID 1 will pass to the services it
          manages.

        * A new unit file setting PrivateMounts= has been added. It's a boolean
          option. If enabled the unit's processes are invoked in their own file
          system namespace. Note that this behaviour is also implied if any
          other file system namespacing options (such as PrivateTmp=,
          PrivateDevices=, ProtectSystem=, …) are used. This option is hence
          primarily useful for services that do not use any of the other file
          system namespacing options. One such service is systemd-udevd.service
          where this is now used by default.

        * ConditionSecurity= gained a new value "uefi-secureboot" that is true
          when the system is booted in UEFI "secure mode".

        * A new unit "system-update-pre.target" is added, which defines an
          optional synchronization point for offline system updates, as
          implemented by the pre-existing "system-update.target" unit. It
          allows ordering services before the service that executes the actual
          update process in a generic way.

        * Systemd now emits warnings whenever .include syntax is used.

        Contributions from: Adam Duskett, Alan Jenkins, Alessandro Casale,
        Alexander Kurtz, Alex Gartrell, Anssi Hannula, Arnaud Rebillout, Brian
        J. Murrell, Bruno Vernay, Chris Lamb, Chris Lesiak, Christian Brauner,
        Christian Hesse, Christian Rebischke, Colin Guthrie, Daniel Dao, Daniel
        Lin, Danylo Korostil, Davide Cavalca, David Tardon, Dimitri John
        Ledkov, Dmitriy Geels, Douglas Christman, Elia Geretto, emelenas, Emil
        Velikov, Evgeny Vereshchagin, Felipe Sateler, Feng Sun, Filipe
        Brandenburger, Franck Bui, futpib, Giuseppe Scrivano, Guillem Jover,
        guixxx, Hannes Reinecke, Hans de Goede, Harald Hoyer, Henrique Dante de
        Almeida, Hiram van Paassen, Ian Miell, Igor Gnatenko, Ivan Shapovalov,
        Iwan Timmer, James Cowgill, Jan Janssen, Jan Synacek, Jared Kazimir,
        Jérémy Rosen, João Paulo Rechi Vita, Joost Heitbrink, Jui-Chi Ricky
        Liang, Jürg Billeter, Kai-Heng Feng, Karol Augustin, Kay Sievers,
        Krzysztof Nowicki, Lauri Tirkkonen, Lennart Poettering, Leonard König,
        Long Li, Luca Boccassi, Lucas Werkmeister, Marcel Hoppe, Marc
        Kleine-Budde, Mario Limonciello, Martin Jansa, Martin Wilck, Mathieu
        Malaterre, Matteo F. Vescovi, Matthew McGinn, Matthias-Christian Ott,
        Michael Biebl, Michael Olbrich, Michael Prokop, Michal Koutný, Michal
        Sekletar, Mike Gilbert, Mikhail Kasimov, Milan Broz, Milan Pässler,
        Mladen Pejaković, Muhammet Kara, Nicolas Boichat, Omer Katz, Paride
        Legovini, Paul Menzel, Paul Milliken, Pavel Hrdina, Peter A. Bigot,
        Peter D'Hoye, Peter Hutterer, Peter Jones, Philip Sequeira, Philip
        Withnall, Piotr Drąg, Radostin Stoyanov, Ricardo Salveti de Araujo,
        Ronny Chevalier, Rosen Penev, Rubén Suárez Alvarez, Ryan Gonzalez,
        Salvo Tomaselli, Sebastian Reichel, Sergey Ptashnick, Sergio Lindo
        Mansilla, Stefan Schweter, Stephen Hemminger, Stuart Hayes, Susant
        Sahani, Sylvain Plantefève, Thomas H. P. Andersen, Tobias Jungel,
        Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van Mourik,
        Yu Watanabe, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2018-06-22

CHANGES WITH 238:

        * The MemoryAccounting= unit property now defaults to on. After
          discussions with the upstream control group maintainers we learnt
          that the negative impact of cgroup memory accounting on current
          kernels is finally relatively minimal, so that it should be safe to
          enable this by default without affecting system performance. Besides
          memory accounting only task accounting is turned on by default, all
          other forms of resource accounting (CPU, IO, IP) remain off for now,
          because it's not clear yet that their impact is small enough to move
          from opt-in to opt-out. We recommend downstreams to leave memory
          accounting on by default if kernel 4.14 or higher is primarily
          used. On very resource constrained systems or when support for old
          kernels is a necessity, -Dmemory-accounting-default=false can be used
          to revert this change.

        * rpm scriptlets to update the udev hwdb and rules (%udev_hwdb_update,
          %udev_rules_update) and the journal catalog (%journal_catalog_update)
          from the upgrade scriptlets of individual packages now do nothing.
          Transfiletriggers have been added which will perform those updates
          once at the end of the transaction.

          Similar transfiletriggers have been added to execute any sysctl.d
          and binfmt.d rules. Thus, it should be unnecessary to provide any
          scriptlets to execute this configuration from package installation
          scripts.

        * systemd-sysusers gained a mode where the configuration to execute is
          specified on the command line, but this configuration is not executed
          directly, but instead it is merged with the configuration on disk,
          and the result is executed. This is useful for package installation
          scripts which want to create the user before installing any files on
          disk (in case some of those files are owned by that user), while
          still allowing local admin overrides.

          This functionality is exposed to rpm scriptlets through a new
          %sysusers_create_package macro. Old %sysusers_create and
          %sysusers_create_inline macros are deprecated.

          A transfiletrigger for sysusers.d configuration is now installed,
          which means that it should be unnecessary to call systemd-sysusers from
          package installation scripts, unless the package installs any files
          owned by those newly-created users, in which case
          %sysusers_create_package should be used.

        * Analogous change has been done for systemd-tmpfiles: it gained a mode
          where the command-line configuration is merged with the configuration
          on disk. This is exposed as the new %tmpfiles_create_package macro,
          and %tmpfiles_create is deprecated. A transfiletrigger is installed
          for tmpfiles.d, hence it should be unnecessary to call systemd-tmpfiles
          from package installation scripts.

        * sysusers.d configuration for a user may now also specify the group
          number, in addition to the user number ("u username 123:456"), or
          without the user number ("u username -:456").

        * Configution items for systemd-sysusers can now be specified as
          positional arguments when the new --inline switch is used.

        * The login shell of users created through sysusers.d may now be
          specified (previously, it was always /bin/sh for root and
          /sbin/nologin for other users).

        * systemd-analyze gained a new --global switch to look at global user
          configuration. It also gained a unit-paths verb to list the unit load
          paths that are compiled into systemd (which can be used with
          --systemd, --user, or --global).

        * udevadm trigger gained a new --settle/-w option to wait for any
          triggered events to finish (but just those, and not any other events
          which are triggered meanwhile).

        * The action that systemd-logind takes when the lid is closed and the
          machine is connected to external power can now be configured using
          HandleLidSwitchExternalPower= in logind.conf. Previously, this action
          was determined by HandleLidSwitch=, and, for backwards compatibility,
          is still is, if HandleLidSwitchExternalPower= is not explicitly set.

        * journalctl will periodically call sd_journal_process() to make it
          resilient against inotify queue overruns when journal files are
          rotated very quickly.

        * Two new functions in libsystemd — sd_bus_get_n_queued_read and
          sd_bus_get_n_queued_write — may be used to check the number of
          pending bus messages.

        * systemd gained a new
          org.freedesktop.systemd1.Manager.AttachProcessesToUnit dbus call
          which can be used to migrate foreign processes to scope and service
          units. The primary user for this new API is systemd itself: the
          systemd --user instance uses this call of the systemd --system
          instance to migrate processes if it itself gets the request to
          migrate processes and the kernel refuses this due to access
          restrictions. Thanks to this "systemd-run --scope --user …" works
          again in pure cgroup v2 environments when invoked from the user
          session scope.

        * A new TemporaryFileSystem= setting can be used to mask out part of
          the real file system tree with tmpfs mounts. This may be combined
          with BindPaths= and BindReadOnlyPaths= to hide files or directories
          not relevant to the unit, while still allowing some paths lower in
          the tree to be accessed.

          ProtectHome=tmpfs may now be used to hide user home and runtime
          directories from units, in a way that is mostly equivalent to
          "TemporaryFileSystem=/home /run/user /root".

        * Non-service units are now started with KeyringMode=shared by default.
          This means that mount and swapon and other mount tools have access
          to keys in the main keyring.

        * /sys/fs/bpf is now mounted automatically.

        * QNX virtualization is now detected by systemd-detect-virt and may
          be used in ConditionVirtualization=.

        * IPAccounting= may now be enabled also for slice units.

        * A new -Dsplit-bin= build configuration switch may be used to specify
          whether bin and sbin directories are merged, or if they should be
          included separately in $PATH and various listings of executable
          directories. The build configuration scripts will try to autodetect
          the proper values of -Dsplit-usr= and -Dsplit-bin= based on build
          system, but distributions are encouraged to configure this
          explicitly.

        * A new -Dok-color= build configuration switch may be used to change
          the colour of "OK" status messages.

        * UPGRADE ISSUE: serialization of units using JoinsNamespaceOf= with
          PrivateNetwork=yes was buggy in previous versions of systemd. This
          means that after the upgrade and daemon-reexec, any such units must
          be restarted.

        * INCOMPATIBILITY: as announced in the NEWS for 237, systemd-tmpfiles
          will not exclude read-only files owned by root from cleanup.

        Contributions from: Alan Jenkins, Alexander F Rødseth, Alexis Jeandet,
        Andika Triwidada, Andrei Gherzan, Ansgar Burchardt, antizealot1337,
        Batuhan Osman Taşkaya, Beniamino Galvani, Bill Yodlowsky, Caio Marcelo
        de Oliveira Filho, CuBiC, Daniele Medri, Daniel Mouritzen, Daniel
        Rusek, Davide Cavalca, Dimitri John Ledkov, Douglas Christman, Evgeny
        Vereshchagin, Faalagorn, Filipe Brandenburger, Franck Bui, futpib,
        Giacomo Longo, Gunnar Hjalmarsson, Hans de Goede, Hermann Gausterer,
        Iago López Galeiras, Jakub Filak, Jan Synacek, Jason A. Donenfeld,
        Javier Martinez Canillas, Jérémy Rosen, Lennart Poettering, Lucas
        Werkmeister, Mao Huang, Marco Gulino, Michael Biebl, Michael Vogt,
        MilhouseVH, Neal Gompa (ニール・ゴンパ), Oleander Reis, Olof Mogren,
        Patrick Uiterwijk, Peter Hutterer, Peter Portante, Piotr Drąg, Robert
        Antoni Buj Gelonch, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon
        Fowler, SjonHortensius, snorreflorre, Susant Sahani, Sylvain
        Plantefève, Thomas Blume, Thomas Haller, Vito Caputo, Yu Watanabe,
        Zbigniew Jędrzejewski-Szmek, Марко М. Костић (Marko M. Kostić)

        — Warsaw, 2018-03-05

CHANGES WITH 237:

        * Some keyboards come with a zoom see-saw or rocker which until now got
          mapped to the Linux "zoomin/out" keys in hwdb. However, these
          keycodes are not recognized by any major desktop. They now produce
          Up/Down key events so that they can be used for scrolling.

        * INCOMPATIBILITY: systemd-tmpfiles' "f" lines changed behaviour
          slightly: previously, if an argument was specified for lines of this
          type (i.e. the right-most column was set) this string was appended to
          existing files each time systemd-tmpfiles was run. This behaviour was
          different from what the documentation said, and not particularly
          useful, as repeated systemd-tmpfiles invocations would not be
          idempotent and grow such files without bounds. With this release
          behaviour has been altered to match what the documentation says:
          lines of this type only have an effect if the indicated files don't
          exist yet, and only then the argument string is written to the file.

        * FUTURE INCOMPATIBILITY: In systemd v238 we intend to slightly change
          systemd-tmpfiles behaviour: previously, read-only files owned by root
          were always excluded from the file "aging" algorithm (i.e. the
          automatic clean-up of directories like /tmp based on
          atime/mtime/ctime). We intend to drop this restriction, and age files
          by default even when owned by root and read-only. This behaviour was
          inherited from older tools, but there have been requests to remove
          it, and it's not obvious why this restriction was made in the first
          place. Please speak up now, if you are aware of software that requires
          this behaviour, otherwise we'll remove the restriction in v238.

        * A new environment variable $SYSTEMD_OFFLINE is now understood by
          systemctl. It takes a boolean argument. If on, systemctl assumes it
          operates on an "offline" OS tree, and will not attempt to talk to the
          service manager. Previously, this mode was implicitly enabled if a
          chroot() environment was detected, and this new environment variable
          now provides explicit control.

        * .path and .socket units may now be created transiently, too.
          Previously only service, mount, automount and timer units were
          supported as transient units. The systemd-run tool has been updated
          to expose this new functionality, you may hence use it now to bind
          arbitrary commands to path or socket activation on-the-fly from the
          command line. Moreover, almost all properties are now exposed for the
          unit types that already supported transient operation.

        * The systemd-mount command gained support for a new --owner= parameter
          which takes a user name, which is then resolved and included in uid=
          and gid= mount options string of the file system to mount.

        * A new unit condition ConditionControlGroupController= has been added
          that checks whether a specific cgroup controller is available.

        * Unit files, udev's .link files, and systemd-networkd's .netdev and
          .network files all gained support for a new condition
          ConditionKernelVersion= for checking against specific kernel
          versions.

        * In systemd-networkd, the [IPVLAN] section in .netdev files gained
          support for configuring device flags in the Flags= setting. In the
          same files, the [Tunnel] section gained support for configuring
          AllowLocalRemote=. The [Route] section in .network files gained
          support for configuring InitialCongestionWindow=,
          InitialAdvertisedReceiveWindow= and QuickAck=. The [DHCP] section now
          understands RapidCommit=.

        * systemd-networkd's DHCPv6 support gained support for Prefix
          Delegation.

        * sd-bus gained support for a new "watch-bind" feature. When this
          feature is enabled, an sd_bus connection may be set up to connect to
          an AF_UNIX socket in the file system as soon as it is created. This
          functionality is useful for writing early-boot services that
          automatically connect to the system bus as soon as it is started,
          without ugly time-based polling. systemd-networkd and
          systemd-resolved have been updated to make use of this
          functionality. busctl exposes this functionality in a new
          --watch-bind= command line switch.

        * sd-bus will now optionally synthesize a local "Connected" signal as
          soon as a D-Bus connection is set up fully. This message mirrors the
          already existing "Disconnected" signal which is synthesized when the
          connection is terminated. This signal is generally useful but
          particularly handy in combination with the "watch-bind" feature
          described above. Synthesizing of this message has to be requested
          explicitly through the new API call sd_bus_set_connected_signal(). In
          addition a new call sd_bus_is_ready() has been added that checks
          whether a connection is fully set up (i.e. between the "Connected" and
          "Disconnected" signals).

        * sd-bus gained two new calls sd_bus_request_name_async() and
          sd_bus_release_name_async() for asynchronously registering bus
          names. Similar, there is now sd_bus_add_match_async() for installing
          a signal match asynchronously. All of systemd's own services have
          been updated to make use of these calls. Doing these operations
          asynchronously has two benefits: it reduces the risk of deadlocks in
          case of cyclic dependencies between bus services, and it speeds up
          service initialization since synchronization points for bus
          round-trips are removed.

        * sd-bus gained two new calls sd_bus_match_signal() and
          sd_bus_match_signal_async(), which are similar to sd_bus_add_match()
          and sd_bus_add_match_async() but instead of taking a D-Bus match
          string take match fields as normal function parameters.

        * sd-bus gained two new calls sd_bus_set_sender() and
          sd_bus_message_set_sender() for setting the sender name of outgoing
          messages (either for all outgoing messages or for just one specific
          one). These calls are only useful in direct connections as on
          brokered connections the broker fills in the sender anyway,
          overwriting whatever the client filled in.

        * sd-event gained a new pseudo-handle that may be specified on all API
          calls where an "sd_event*" object is expected: SD_EVENT_DEFAULT. When
          used this refers to the default event loop object of the calling
          thread. Note however that this does not implicitly allocate one —
          which has to be done prior by using sd_event_default(). Similarly
          sd-bus gained three new pseudo-handles SD_BUS_DEFAULT,
          SD_BUS_DEFAULT_USER, SD_BUS_DEFAULT_SYSTEM that may be used to refer
          to the default bus of the specified type of the calling thread. Here
          too this does not implicitly allocate bus connection objects, this
          has to be done prior with sd_bus_default() and friends.

        * sd-event gained a new call pair
          sd_event_source_{get|set}_io_fd_own(). This may be used to request
          automatic closure of the file descriptor an IO event source watches
          when the event source is destroyed.

        * systemd-networkd gained support for natively configuring WireGuard
          connections.

        * In previous versions systemd synthesized user records both for the
          "nobody" (UID 65534) and "root" (UID 0) users in nss-systemd and
          internally. In order to simplify distribution-wide renames of the
          "nobody" user (like it is planned in Fedora: nfsnobody → nobody), a
          new transitional flag file has been added: if
          /etc/systemd/dont-synthesize-nobody exists synthesizing of the 65534
          user and group record within the systemd codebase is disabled.

        * systemd-notify gained a new --uid= option for selecting the source
          user/UID to use for notification messages sent to the service
          manager.

        * journalctl gained a new --grep= option to list only entries in which
          the message matches a certain pattern. By default matching is case
          insensitive if the pattern is lowercase, and case sensitive
          otherwise. Option --case-sensitive=yes|no can be used to override
          this an specify case sensitivity or case insensitivity.

        * There's now a "systemd-analyze service-watchdogs" command for printing
          the current state of the service runtime watchdog, and optionally
          enabling or disabling the per-service watchdogs system-wide if given a
          boolean argument (i.e. the concept you configure in WatchdogSec=), for
          debugging purposes. There's also a kernel command line option
          systemd.service_watchdogs= for controlling the same.

        * Two new "log-level" and "log-target" options for systemd-analyze were
          added that merge the now deprecated get-log-level, set-log-level and
          get-log-target, set-log-target pairs. The deprecated options are still
          understood for backwards compatibility. The two new options print the
          current value when no arguments are given, and set them when a
          level/target is given as an argument.

        * sysusers.d's "u" lines now optionally accept both a UID and a GID
          specification, separated by a ":" character, in order to create users
          where UID and GID do not match.

        Contributions from: Adam Duskett, Alan Jenkins, Alexander Kuleshov,
        Alexis Deruelle, Andrew Jeddeloh, Armin Widegreen, Batuhan Osman
        Taşkaya, Björn Esser, bleep_blop, Bruce A. Johnson, Chris Down, Clinton
        Roy, Colin Walters, Daniel Rusek, Dimitri John Ledkov, Dmitry Rozhkov,
        Evgeny Vereshchagin, Ewout van Mansom, Felipe Sateler, Franck Bui,
        Frantisek Sumsal, George Gaydarov, Gianluca Boiano, Hans-Christian
        Noren Egtvedt, Hans de Goede, Henrik Grindal Bakken, Jan Alexander
        Steffens, Jan Klötzke, Jason A. Donenfeld, jdkbx, Jérémy Rosen,
        Jerónimo Borque, John Lin, John Paul Herold, Jonathan Rudenberg, Jörg
        Thalheim, Ken (Bitsko) MacLeod, Larry Bernstone, Lennart Poettering,
        Lucas Werkmeister, Maciej S. Szmigiero, Marek Čermák, Martin Pitt,
        Mathieu Malaterre, Matthew Thode, Matthias-Christian Ott, Max Harmathy,
        Michael Biebl, Michael Vogt, Michal Koutný, Michal Sekletar, Michał
        Szczepański, Mike Gilbert, Nathaniel McCallum, Nicolas Chauvet, Olaf
        Hering, Olivier Schwander, Patrik Flykt, Paul Cercueil, Peter Hutterer,
        Piotr Drąg, Raphael Vogelgsang, Reverend Homer, Robert Kolchmeyer,
        Samuel Dionne-Riel, Sergey Ptashnick, Shawn Landden, Susant Sahani,
        Sylvain Plantefève, Thomas H. P. Andersen, Thomas Huth, Tomasz
        Bachorski, Vladislav Vishnyakov, Wieland Hoffmann, Yu Watanabe, Zachary
        Winnerman, Zbigniew Jędrzejewski-Szmek, Дамјан Георгиевски, Дилян
        Палаузов

        — Brno, 2018-01-28

CHANGES WITH 236:

        * The modprobe.d/ drop-in for the bonding.ko kernel module introduced
          in v235 has been extended to also set the dummy.ko module option
          numdummies=0, preventing the kernel from automatically creating
          dummy0. All dummy interfaces must now be explicitly created.

        * Unknown '%' specifiers in configuration files are now rejected. This
          applies to units and tmpfiles.d configuration. Any percent characters
          that are followed by a letter or digit that are not supposed to be
          interpreted as the beginning of a specifier should be escaped by
          doubling ("%%").  (So "size=5%" is still accepted, as well as
          "size=5%,foo=bar", but not "LABEL=x%y%z" since %y and %z are not
          valid specifiers today.)

        * systemd-resolved now maintains a new dynamic
          /run/systemd/resolve/stub-resolv.conf compatibility file. It is
          recommended to make /etc/resolv.conf a symlink to it. This file
          points at the systemd-resolved stub DNS 127.0.0.53 resolver and
          includes dynamically acquired search domains, achieving more correct
          DNS resolution by software that bypasses local DNS APIs such as NSS.

        * The "uaccess" udev tag has been dropped from /dev/kvm and
          /dev/dri/renderD*.  These devices now have the 0666 permissions by
          default (but this may be changed at build-time). /dev/dri/renderD*
          will now be owned by the "render" group along with /dev/kfd.

        * "DynamicUser=yes" has been enabled for systemd-timesyncd.service,
          systemd-journal-gatewayd.service and
          systemd-journal-upload.service. This means "nss-systemd" must be
          enabled in /etc/nsswitch.conf to ensure the UIDs assigned to these
          services are resolved properly.

        * In /etc/fstab two new mount options are now understood:
          x-systemd.makefs and x-systemd.growfs. The former has the effect that
          the configured file system is formatted before it is mounted, the
          latter that the file system is resized to the full block device size
          after it is mounted (i.e. if the file system is smaller than the
          partition it resides on, it's grown). This is similar to the fsck
          logic in /etc/fstab, and pulls in systemd-makefs@.service and
          systemd-growfs@.service as necessary, similar to
          systemd-fsck@.service. Resizing is currently only supported on ext4
          and btrfs.

        * In systemd-networkd, the IPv6 RA logic now optionally may announce
          DNS server and domain information.

        * Support for the LUKS2 on-disk format for encrypted partitions has
          been added. This requires libcryptsetup2 during compilation and
          runtime.

        * The systemd --user instance will now signal "readiness" when its
          basic.target unit has been reached, instead of when the run queue ran
          empty for the first time.

        * Tmpfiles.d with user configuration are now also supported.
          systemd-tmpfiles gained a new --user switch, and snippets placed in
          ~/.config/user-tmpfiles.d/ and corresponding directories will be
          executed by systemd-tmpfiles --user running in the new
          systemd-tmpfiles-setup.service and systemd-tmpfiles-clean.service
          running in the user session.

        * Unit files and tmpfiles.d snippets learnt three new % specifiers:
          %S resolves to the top-level state directory (/var/lib for the system
          instance, $XDG_CONFIG_HOME for the user instance), %C resolves to the
          top-level cache directory (/var/cache for the system instance,
          $XDG_CACHE_HOME for the user instance), %L resolves to the top-level
          logs directory (/var/log for the system instance,
          $XDG_CONFIG_HOME/log/ for the user instance). This matches the
          existing %t specifier, that resolves to the top-level runtime
          directory (/run for the system instance, and $XDG_RUNTIME_DIR for the
          user instance).

        * journalctl learnt a new parameter --output-fields= for limiting the
          set of journal fields to output in verbose and JSON output modes.

        * systemd-timesyncd's configuration file gained a new option
          RootDistanceMaxSec= for setting the maximum root distance of servers
          it'll use, as well as the new options PollIntervalMinSec= and
          PollIntervalMaxSec= to tweak the minimum and maximum poll interval.

        * bootctl gained a new command "list" for listing all available boot
          menu items on systems that follow the boot loader specification.

        * systemctl gained a new --dry-run switch that shows what would be done
          instead of doing it, and is currently supported by the shutdown and
          sleep verbs.

        * ConditionSecurity= can now detect the TOMOYO security module.

        * Unit file [Install] sections are now also respected in unit drop-in
          files. This is intended to be used by drop-ins under /usr/lib/.

        * systemd-firstboot may now also set the initial keyboard mapping.

        * Udev "changed" events for devices which are exposed as systemd
          .device units are now propagated to units specified in
          ReloadPropagatedFrom= as reload requests.

        * If a udev device has a SYSTEMD_WANTS= property containing a systemd
          unit template name (i.e. a name in the form of 'foobar@.service',
          without the instance component between the '@' and - the '.'), then
          the escaped sysfs path of the device is automatically used as the
          instance.

        * SystemCallFilter= in unit files has been extended so that an "errno"
          can be specified individually for each system call. Example:
          SystemCallFilter=~uname:EILSEQ.

        * The cgroup delegation logic has been substantially updated. Delegate=
          now optionally takes a list of controllers (instead of a boolean, as
          before), which lists the controllers to delegate at least.

        * The networkd DHCPv6 client now implements the FQDN option (RFC 4704).

        * A new LogLevelMax= setting configures the maximum log level any
          process of the service may log at (i.e. anything with a lesser
          priority than what is specified is automatically dropped). A new
          LogExtraFields= setting allows configuration of additional journal
          fields to attach to all log records generated by any of the unit's
          processes.

        * New StandardInputData= and StandardInputText= settings along with the
          new option StandardInput=data may be used to configure textual or
          binary data that shall be passed to the executed service process via
          standard input, encoded in-line in the unit file.

        * StandardInput=, StandardOutput= and StandardError= may now be used to
          connect stdin/stdout/stderr of executed processes directly with a
          file or AF_UNIX socket in the file system, using the new "file:" option.

        * A new unit file option CollectMode= has been added, that allows
          tweaking the garbage collection logic for units. It may be used to
          tell systemd to garbage collect units that have failed automatically
          (normally it only GCs units that exited successfully). systemd-run
          and systemd-mount expose this new functionality with a new -G option.

        * "machinectl bind" may now be used to bind mount non-directories
          (i.e. regularfiles, devices, fifos, sockets).

        * systemd-analyze gained a new verb "calendar" for validating and
          testing calendar time specifications to use for OnCalendar= in timer
          units. Besides validating the expression it will calculate the next
          time the specified expression would elapse.

        * In addition to the pre-existing FailureAction= unit file setting
          there's now SuccessAction=, for configuring a shutdown action to
          execute when a unit completes successfully. This is useful in
          particular inside containers that shall terminate after some workload
          has been completed. Also, both options are now supported for all unit
          types, not just services.

        * networkds's IP rule support gained two new options
          IncomingInterface= and OutgoingInterface= for configuring the incoming
          and outgoing interfaces of configured rules. systemd-networkd also
          gained support for "vxcan" network devices.

        * networkd gained a new setting RequiredForOnline=, taking a
          boolean. If set, systemd-wait-online will take it into consideration
          when determining that the system is up, otherwise it will ignore the
          interface for this purpose.

        * The sd_notify() protocol gained support for a new operation: with
          FDSTOREREMOVE=1 file descriptors may be removed from the per-service
          store again, ahead of POLLHUP or POLLERR when they are removed
          anyway.

        * A new document doc/UIDS-GIDS.md has been added to the source tree,
          that documents the UID/GID range and assignment assumptions and
          requirements of systemd.

        * The watchdog device PID 1 will ping may now be configured through the
          WatchdogDevice= configuration file setting, or by setting the
          systemd.watchdog_service= kernel command line option.

        * systemd-resolved's gained support for registering DNS-SD services on
          the local network using MulticastDNS. Services may either be
          registered by dropping in a .dnssd file in /etc/systemd/dnssd/ (or
          the same dir below /run, /usr/lib), or through its D-Bus API.

        * The sd_notify() protocol can now with EXTEND_TIMEOUT_USEC=microsecond
          extend the effective start, runtime, and stop time. The service must
          continue to send EXTEND_TIMEOUT_USEC within the period specified to
          prevent the service manager from making the service as timedout.

        * systemd-resolved's DNSSEC support gained support for RFC 8080
          (Ed25519 keys and signatures).

        * The systemd-resolve command line tool gained a new set of options
          --set-dns=, --set-domain=, --set-llmnr=, --set-mdns=, --set-dnssec=,
          --set-nta= and --revert to configure per-interface DNS configuration
          dynamically during runtime. It's useful for pushing DNS information
          into systemd-resolved from DNS hook scripts that various interface
          managing software supports (such as pppd).

        * systemd-nspawn gained a new --network-namespace-path= command line
          option, which may be used to make a container join an existing
          network namespace, by specifying a path to a "netns" file.

        Contributions from: Alan Jenkins, Alan Robertson, Alessandro Ghedini,
        Andrew Jeddeloh, Antonio Rojas, Ari, asavah, bleep_blop, Carsten
        Strotmann, Christian Brauner, Christian Hesse, Clinton Roy, Collin
        Eggert, Cong Wang, Daniel Black, Daniel Lockyer, Daniel Rusek, Dimitri
        John Ledkov, Dmitry Rozhkov, Dongsu Park, Edward A. James, Evgeny
        Vereshchagin, Florian Klink, Franck Bui, Gwendal Grignou, Hans de
        Goede, Harald Hoyer, Hristo Venev, Iago López Galeiras, Ikey Doherty,
        Jakub Wilk, Jérémy Rosen, Jiahui Xie, John Lin, José Bollo, Josef
        Andersson, juga0, Krzysztof Nowicki, Kyle Walker, Lars Karlitski, Lars
        Kellogg-Stedman, Lauri Tirkkonen, Lennart Poettering, Lubomir Rintel,
        Luca Bruno, Lucas Werkmeister, Lukáš Nykrýn, Lukáš Říha, Lukasz
        Rubaszewski, Maciej S. Szmigiero, Mantas Mikulėnas, Marcus Folkesson,
        Martin Steuer, Mathieu Trudel-Lapierre, Matija Skala,
        Matthias-Christian Ott, Max Resch, Michael Biebl, Michael Vogt, Michal
        Koutný, Michal Sekletar, Mike Gilbert, Muhammet Kara, Neil Brown, Olaf
        Hering, Ondrej Kozina, Patrik Flykt, Patryk Kocielnik, Peter Hutterer,
        Piotr Drąg, Razvan Cojocaru, Robin McCorkell, Roland Hieber, Saran
        Tunyasuvunakool, Sergey Ptashnick, Shawn Landden, Shuang Liu, Simon
        Arlott, Simon Peeters, Stanislav Angelovič, Stefan Agner, Susant
        Sahani, Sylvain Plantefève, Thomas Blume, Thomas Haller, Tiago Salem
        Herrmann, Tinu Weber, Tom Stellard, Topi Miettinen, Torsten Hilbrich,
        Vito Caputo, Vladislav Vishnyakov, WaLyong Cho, Yu Watanabe, Zbigniew
        Jędrzejewski-Szmek, Zeal Jagannatha

        — Berlin, 2017-12-14

CHANGES WITH 235:

        * INCOMPATIBILITY: systemd-logind.service and other long-running
          services now run inside an IPv4/IPv6 sandbox, prohibiting them any IP
          communication with the outside. This generally improves security of
          the system, and is in almost all cases a safe and good choice, as
          these services do not and should not provide any network-facing
          functionality. However, systemd-logind uses the glibc NSS API to
          query the user database. This creates problems on systems where NSS
          is set up to directly consult network services for user database
          lookups. In particular, this creates incompatibilities with the
          "nss-nis" module, which attempts to directly contact the NIS/YP
          network servers it is configured for, and will now consistently
          fail. In such cases, it is possible to turn off IP sandboxing for
          systemd-logind.service (set IPAddressDeny= in its [Service] section
          to the empty string, via a .d/ unit file drop-in). Downstream
          distributions might want to update their nss-nis packaging to include
          such a drop-in snippet, accordingly, to hide this incompatibility
          from the user. Another option is to make use of glibc's nscd service
          to proxy such network requests through a privilege-separated, minimal
          local caching daemon, or to switch to more modern technologies such
          sssd, whose NSS hook-ups generally do not involve direct network
          access. In general, we think it's definitely time to question the
          implementation choices of nss-nis, i.e. whether it's a good idea
          today to embed a network-facing loadable module into all local
          processes that need to query the user database, including the most
          trivial and benign ones, such as "ls". For more details about
          IPAddressDeny= see below.

        * A new modprobe.d drop-in is now shipped by default that sets the
          bonding module option max_bonds=0. This overrides the kernel default,
          to avoid conflicts and ambiguity as to whether or not bond0 should be
          managed by systemd-networkd or not. This resolves multiple issues
          with bond0 properties not being applied, when bond0 is configured
          with systemd-networkd. Distributors may choose to not package this,
          however in that case users will be prevented from correctly managing
          bond0 interface using systemd-networkd.

        * systemd-analyze gained new verbs "get-log-level" and "get-log-target"
          which print the logging level and target of the system manager. They
          complement the existing "set-log-level" and "set-log-target" verbs
          used to change those values.

        * journald.conf gained a new boolean setting ReadKMsg= which defaults
          to on. If turned off kernel log messages will not be read by
          systemd-journald or included in the logs. It also gained a new
          setting LineMax= for configuring the maximum line length in
          STDOUT/STDERR log streams. The new default for this value is 48K, up
          from the previous hardcoded 2048.

        * A new unit setting RuntimeDirectoryPreserve= has been added, which
          allows more detailed control of what to do with a runtime directory
          configured with RuntimeDirectory= (i.e. a directory below /run or
          $XDG_RUNTIME_DIR) after a unit is stopped.

        * The RuntimeDirectory= setting for units gained support for creating
          deeper subdirectories below /run or $XDG_RUNTIME_DIR, instead of just
          one top-level directory.

        * Units gained new options StateDirectory=, CacheDirectory=,
          LogsDirectory= and ConfigurationDirectory= which are closely related
          to RuntimeDirectory= but manage per-service directories below
          /var/lib, /var/cache, /var/log and /etc. By making use of them it is
          possible to write unit files which when activated automatically gain
          properly owned service specific directories in these locations, thus
          making unit files self-contained and increasing compatibility with
          stateless systems and factory reset where /etc or /var are
          unpopulated at boot. Matching these new settings there's also
          StateDirectoryMode=, CacheDirectoryMode=, LogsDirectoryMode=,
          ConfigurationDirectoryMode= for configuring the access mode of these
          directories. These settings are particularly useful in combination
          with DynamicUser=yes as they provide secure, properly-owned,
          writable, and stateful locations for storage, excluded from the
          sandbox that such services live in otherwise.

        * Automake support has been removed from this release. systemd is now
          Meson-only.

        * systemd-journald will now aggressively cache client metadata during
          runtime, speeding up log write performance under pressure. This comes
          at a small price though: as much of the metadata is read
          asynchronously from /proc/ (and isn't implicitly attached to log
          datagrams by the kernel, like UID/GID/PID/SELinux are) this means the
          metadata stored alongside a log entry might be slightly
          out-of-date. Previously it could only be slightly newer than the log
          message. The time window is small however, and given that the kernel
          is unlikely to be improved anytime soon in this regard, this appears
          acceptable to us.

        * nss-myhostname/systemd-resolved will now by default synthesize an
          A/AAAA resource record for the "_gateway" hostname, pointing to the
          current default IP gateway. Previously it did that for the "gateway"
          name, hampering adoption, as some distributions wanted to leave that
          hostname open for local use. The old behaviour may still be
          requested at build time.

        * systemd-networkd's [Address] section in .network files gained a new
          Scope= setting for configuring the IP address scope. The [Network]
          section gained a new boolean setting ConfigureWithoutCarrier= that
          tells systemd-networkd to ignore link sensing when configuring the
          device. The [DHCP] section gained a new Anonymize= boolean option for
          turning on a number of options suggested in RFC 7844. A new
          [RoutingPolicyRule] section has been added for configuring the IP
          routing policy. The [Route] section has gained support for a new
          Type= setting which permits configuring
          blackhole/unreachable/prohibit routes.

        * The [VRF] section in .netdev files gained a new Table= setting for
          configuring the routing table to use. The [Tunnel] section gained a
          new Independent= boolean field for configuring tunnels independent of
          an underlying network interface. The [Bridge] section gained a new
          GroupForwardMask= option for configuration of propagation of link
          local frames between bridge ports.

        * The WakeOnLan= setting in .link files gained support for a number of
          new modes. A new TCP6SegmentationOffload= setting has been added for
          configuring TCP/IPv6 hardware segmentation offload.

        * The IPv6 RA sender implementation may now optionally send out RDNSS
          and RDNSSL records to supply DNS configuration to peers.

        * systemd-nspawn gained support for a new --system-call-filter= command
          line option for adding and removing entries in the default system
          call filter it applies. Moreover systemd-nspawn has been changed to
          implement a system call allow list instead of a deny list.

        * systemd-run gained support for a new --pipe command line option. If
          used the STDIN/STDOUT/STDERR file descriptors passed to systemd-run
          are directly passed on to the activated transient service
          executable. This allows invoking arbitrary processes as systemd
          services (for example to take benefit of dependency management,
          accounting management, resource management or log management that is
          done automatically for services) — while still allowing them to be
          integrated in a classic UNIX shell pipeline.

        * When a service sends RELOAD=1 via sd_notify() and reload propagation
          using ReloadPropagationTo= is configured, a reload is now propagated
          to configured units. (Previously this was only done on explicitly
          requested reloads, using "systemctl reload" or an equivalent
          command.)

        * For each service unit a restart counter is now kept: it is increased
          each time the service is restarted due to Restart=, and may be
          queried using "systemctl show -p NRestarts …".

        * New system call filter groups @aio, @sync, @chown, @setuid, @memlock,
          @signal and @timer have been added, for usage with SystemCallFilter=
          in unit files and the new --system-call-filter= command line option
          of systemd-nspawn (see above).

        * ExecStart= lines in unit files gained two new modifiers: when a
          command line is prefixed with "!" the command will be executed as
          configured, except for the credentials applied by
          setuid()/setgid()/setgroups(). It is very similar to the pre-existing
          "+", but does still apply namespacing options unlike "+". There's
          also "!!" now, which is mostly identical, but becomes a NOP on
          systems that support ambient capabilities. This is useful to write
          unit files that work with ambient capabilities where possible but
          automatically fall back to traditional privilege dropping mechanisms
          on systems where this is not supported.

        * ListenNetlink= settings in socket units now support RDMA netlink
          sockets.

        * A new unit file setting LockPersonality= has been added which permits
          locking down the chosen execution domain ("personality") of a service
          during runtime.

        * A new special target "getty-pre.target" has been added, which is
          ordered before all text logins, and may be used to order services
          before textual logins acquire access to the console.

        * systemd will now attempt to load the virtio-rng.ko kernel module very
          early on if a VM environment supporting this is detected. This should
          improve entropy during early boot in virtualized environments.

        * A _netdev option is now supported in /etc/crypttab that operates in a
          similar way as the same option in /etc/fstab: it permits configuring
          encrypted devices that need to be ordered after the network is up.
          Following this logic, two new special targets
          remote-cryptsetup-pre.target and remote-cryptsetup.target have been
          added that are to cryptsetup.target what remote-fs.target and
          remote-fs-pre.target are to local-fs.target.

        * Service units gained a new UnsetEnvironment= setting which permits
          unsetting specific environment variables for services that are
          normally passed to it (for example in order to mask out locale
          settings for specific services that can't deal with it).

        * Units acquired a new boolean option IPAccounting=. When turned on, IP
          traffic accounting (packet count as well as byte count) is done for
          the service, and shown as part of "systemctl status" or "systemd-run
          --wait".

        * Service units acquired two new options IPAddressAllow= and
          IPAddressDeny=, taking a list of IPv4 or IPv6 addresses and masks,
          for configuring a simple IP access control list for all sockets of
          the unit. These options are available also on .slice and .socket
          units, permitting flexible access list configuration for individual
          services as well as groups of services (as defined by a slice unit),
          including system-wide. Note that IP ACLs configured this way are
          enforced on every single IPv4 and IPv6 socket created by any process
          of the service unit, and apply to ingress as well as egress traffic.

        * If CPUAccounting= or IPAccounting= is turned on for a unit a new
          structured log message is generated each time the unit is stopped,
          containing information about the consumed resources of this
          invocation.

        * A new setting KeyringMode= has been added to unit files, which may be
          used to control how the kernel keyring is set up for executed
          processes.

        * "systemctl poweroff", "systemctl reboot", "systemctl halt",
          "systemctl kexec" and "systemctl exit" are now always asynchronous in
          behaviour (that is: these commands return immediately after the
          operation was enqueued instead of waiting for the operation to
          complete). Previously, "systemctl poweroff" and "systemctl reboot"
          were asynchronous on systems using systemd-logind (i.e. almost
          always, and like they were on sysvinit), and the other three commands
          were unconditionally synchronous. With this release this is cleaned
          up, and callers will see the same asynchronous behaviour on all
          systems for all five operations.

        * systemd-logind gained new Halt() and CanHalt() bus calls for halting
          the system.

        * .timer units now accept calendar specifications in other timezones
          than UTC or the local timezone.

        * The tmpfiles snippet var.conf has been changed to create
          /var/log/btmp with access mode 0660 instead of 0600. It was owned by
          the "utmp" group already, and it appears to be generally understood
          that members of "utmp" can modify/flush the utmp/wtmp/lastlog/btmp
          databases. Previously this was implemented correctly for all these
          databases excepts btmp, which has been opened up like this now
          too. Note that while the other databases are world-readable
          (i.e. 0644), btmp is not and remains more restrictive.

        * The systemd-resolve tool gained a new --reset-server-features
          switch. When invoked like this systemd-resolved will forget
          everything it learnt about the features supported by the configured
          upstream DNS servers, and restarts the feature probing logic on the
          next resolver look-up for them at the highest feature level
          again.

        * The status dump systemd-resolved sends to the logs upon receiving
          SIGUSR1 now also includes information about all DNS servers it is
          configured to use, and the features levels it probed for them.

        Contributions from: Abdó Roig-Maranges, Alan Jenkins, Alexander
        Kuleshov, Andreas Rammhold, Andrew Jeddeloh, Andrew Soutar, Ansgar
        Burchardt, Beniamino Galvani, Benjamin Berg, Benjamin Robin, Charles
        Huber, Christian Hesse, Daniel Berrange, Daniel Kahn Gillmor, Daniel
        Mack, Daniel Rusek, Daniel Șerbănescu, Davide Cavalca, Dimitri John
        Ledkov, Diogo Pereira, Djalal Harouni, Dmitriy Geels, Dmitry Torokhov,
        ettavolt, Evgeny Vereshchagin, Fabio Kung, Felipe Sateler, Franck Bui,
        Hans de Goede, Harald Hoyer, Insun Pyo, Ivan Kurnosov, Ivan Shapovalov,
        Jakub Wilk, Jan Synacek, Jason Gunthorpe, Jeremy Bicha, Jérémy Rosen,
        John Lin, jonasBoss, Jonathan Lebon, Jonathan Teh, Jon Ringle, Jörg
        Thalheim, Jouke Witteveen, juga0, Justin Capella, Justin Michaud,
        Kai-Heng Feng, Lennart Poettering, Lion Yang, Luca Bruno, Lucas
        Werkmeister, Lukáš Nykrýn, Marcel Hollerbach, Marcus Lundblad, Martin
        Pitt, Michael Biebl, Michael Grzeschik, Michal Sekletar, Mike Gilbert,
        Neil Brown, Nicolas Iooss, Patrik Flykt, pEJipE, Piotr Drąg, Russell
        Stuart, S. Fan, Shengyao Xue, Stefan Pietsch, Susant Sahani, Tejun Heo,
        Thomas Miller, Thomas Sailer, Tobias Hunger, Tomasz Pala, Tom
        Gundersen, Tommi Rantala, Topi Miettinen, Torstein Husebø, userwithuid,
        Vasilis Liaskovitis, Vito Caputo, WaLyong Cho, William Douglas, Xiang
        Fan, Yu Watanabe, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2017-10-06

CHANGES WITH 234:

        * Meson is now supported as build system in addition to Automake. It is
          our plan to remove Automake in one of our next releases, so that
          Meson becomes our exclusive build system. Hence, please start using
          the Meson build system in your downstream packaging. There's plenty
          of documentation around how to use Meson, the extremely brief
          summary:

              ./autogen.sh && ./configure && make && sudo make install

          becomes:

              meson build && ninja -C build && sudo ninja -C build install

        * Unit files gained support for a new JobRunningTimeoutUSec= setting,
          which permits configuring a timeout on the time a job is
          running. This is particularly useful for setting timeouts on jobs for
          .device units.

        * Unit files gained two new options ConditionUser= and ConditionGroup=
          for conditionalizing units based on the identity of the user/group
          running a systemd user instance.

        * systemd-networkd now understands a new FlowLabel= setting in the
          [VXLAN] section of .network files, as well as a Priority= in
          [Bridge], GVRP= + MVRP= + LooseBinding= + ReorderHeader= in [VLAN]
          and GatewayOnlink= + IPv6Preference= + Protocol= in [Route]. It also
          gained support for configuration of GENEVE links, and IPv6 address
          labels. The [Network] section gained the new IPv6ProxyNDP= setting.

        * .link files now understand a new Port= setting.

        * systemd-networkd's DHCP support gained support for DHCP option 119
          (domain search list).

        * systemd-networkd gained support for serving IPv6 address ranges using
          the Router Advertisement protocol. The new .network configuration
          section [IPv6Prefix] may be used to configure the ranges to
          serve. This is implemented based on a new, minimal, native server
          implementation of RA.

        * journalctl's --output= switch gained support for a new parameter
          "short-iso-precise" for a mode where timestamps are shown as precise
          ISO date values.

        * systemd-udevd's "net_id" builtin may now generate stable network
          interface names from IBM PowerVM VIO devices as well as ACPI platform
          devices.

        * MulticastDNS support in systemd-resolved may now be explicitly
          enabled/disabled using the new MulticastDNS= configuration file
          option.

        * systemd-resolved may now optionally use libidn2 instead of the libidn
          for processing internationalized domain names. Support for libidn2
          should be considered experimental and should not be enabled by
          default yet.

        * "machinectl pull-tar" and related call may now do verification of
          downloaded images using SUSE-style .sha256 checksum files in addition
          to the already existing support for validating using Ubuntu-style
          SHA256SUMS files.

        * sd-bus gained support for a new sd_bus_message_appendv() call which
          is va_list equivalent of sd_bus_message_append().

        * sd-boot gained support for validating images using SHIM/MOK.

        * The SMACK code learnt support for "onlycap".

        * systemd-mount --umount is now much smarter in figuring out how to
          properly unmount a device given its mount or device path.

        * The code to call libnss_dns as a fallback from libnss_resolve when
          the communication with systemd-resolved fails was removed. This
          fallback was redundant and interfered with the [!UNAVAIL=return]
          suffix. See nss-resolve(8) for the recommended configuration.

        * systemd-logind may now be restarted without losing state. It stores
          the file descriptors for devices it manages in the system manager
          using the FDSTORE= mechanism. Please note that further changes in
          other components may be required to make use of this (for example
          Xorg has code to listen for stops of systemd-logind and terminate
          itself when logind is stopped or restarted, in order to avoid using
          stale file descriptors for graphical devices, which is now
          counterproductive and must be reverted in order for restarts of
          systemd-logind to be safe. See
          https://cgit.freedesktop.org/xorg/xserver/commit/?id=dc48bd653c7e101.)

        * All kernel-install plugins are called with the environment variable
          KERNEL_INSTALL_MACHINE_ID which is set to the machine ID given by
          /etc/machine-id. If the machine ID could not be determined,
          $KERNEL_INSTALL_MACHINE_ID will be empty. Plugins should not put
          anything in the entry directory (passed as the second argument) if
          $KERNEL_INSTALL_MACHINE_ID is empty. For backwards compatibility, a
          temporary directory is passed as the entry directory and removed
          after all the plugins exit.

        * If KERNEL_INSTALL_MACHINE_ID is set in /etc/machine-info, kernel-install
          will now use its value as the machine ID instead of the machine ID
          from /etc/machine-id. If KERNEL_INSTALL_MACHINE_ID isn't set in
          /etc/machine-info and no machine ID is set in /etc/machine-id,
          kernel-install will try to store the current machine ID there as
          KERNEL_INSTALL_MACHINE_ID. If there is no machine ID, kernel-install
          will generate a new UUID, store it in /etc/machine-info as
          KERNEL_INSTALL_MACHINE_ID and use it as the machine ID.

        Contributions from: Adrian Heine né Lang, Aggelos Avgerinos, Alexander
        Kurtz, Alexandros Frantzis, Alexey Brodkin, Alex Lu, Amir Pakdel, Amir
        Yalon, Anchor Cat, Anthony Parsons, Bastien Nocera, Benjamin Gilbert,
        Benjamin Robin, Boucman, Charles Plessy, Chris Chiu, Chris Lamb,
        Christian Brauner, Christian Hesse, Colin Walters, Daniel Drake,
        Danielle Church, Daniel Molkentin, Daniel Rusek, Daniel Wang, Davide
        Cavalca, David Herrmann, David Michael, Dax Kelson, Dimitri John
        Ledkov, Djalal Harouni, Dušan Kazik, Elias Probst, Evgeny Vereshchagin,
        Federico Di Pierro, Felipe Sateler, Felix Zhang, Franck Bui, Gary
        Tierney, George McCollister, Giedrius Statkevičius, Hans de Goede,
        hecke, Hendrik Westerberg, Hristo Venev, Ian Wienand, Insun Pyo, Ivan
        Shapovalov, James Cowgill, James Hemsing, Janne Heß, Jan Synacek, Jason
        Reeder, João Paulo Rechi Vita, John Paul Adrian Glaubitz, Jörg
        Thalheim, Josef Andersson, Josef Gajdusek, Julian Mehne, Kai Krakow,
        Krzysztof Jackiewicz, Lars Karlitski, Lennart Poettering, Lluís Gili,
        Lucas Werkmeister, Lukáš Nykrýn, Łukasz Stelmach, Mantas Mikulėnas,
        Marcin Bachry, Marcus Cooper, Mark Stosberg, Martin Pitt, Matija Skala,
        Matt Clarkson, Matthew Garrett, Matthias Greiner, Matthijs van Duin,
        Max Resch, Michael Biebl, Michal Koutný, Michal Sekletar, Michal
        Soltys, Michal Suchanek, Mike Gilbert, Nate Clark, Nathaniel R. Lewis,
        Neil Brown, Nikolai Kondrashov, Pascal S. de Kloe, Pat Riehecky, Patrik
        Flykt, Paul Kocialkowski, Peter Hutterer, Philip Withnall, Piotr
        Szydełko, Rafael Fontenelle, Ray Strode, Richard Maw, Roelf Wichertjes,
        Ronny Chevalier, Sarang S. Dalal, Sjoerd Simons, slodki, Stefan
        Schweter, Susant Sahani, Ted Wood, Thomas Blume, Thomas Haller, Thomas
        H. P. Andersen, Timothée Ravier, Tobias Jungel, Tobias Stoeckmann, Tom
        Gundersen, Tom Yan, Torstein Husebø, Umut Tezduyar Lindskog,
        userwithuid, Vito Caputo, Waldemar Brodkorb, WaLyong Cho, Yu, Li-Yu,
        Yusuke Nojima, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Дамјан
        Георгиевски

        — Berlin, 2017-07-12

CHANGES WITH 233:

        * The "hybrid" control group mode has been modified to improve
          compatibility with "legacy" cgroups-v1 setups. Specifically, the
          "hybrid" setup of /sys/fs/cgroup is now pretty much identical to
          "legacy" (including /sys/fs/cgroup/systemd as "name=systemd" named
          cgroups-v1 hierarchy), the only externally visible change being that
          the cgroups-v2 hierarchy is also mounted, to
          /sys/fs/cgroup/unified. This should provide a large degree of
          compatibility with "legacy" cgroups-v1, while taking benefit of the
          better management capabilities of cgroups-v2.

        * The default control group setup mode may be selected both a boot-time
          via a set of kernel command line parameters (specifically:
          systemd.unified_cgroup_hierarchy= and
          systemd.legacy_systemd_cgroup_controller=), as well as a compile-time
          default selected on the configure command line
          (--with-default-hierarchy=). The upstream default is "hybrid"
          (i.e. the cgroups-v1 + cgroups-v2 mixture discussed above) now, but
          this will change in a future systemd version to be "unified" (pure
          cgroups-v2 mode). The third option for the compile time option is
          "legacy", to enter pure cgroups-v1 mode. We recommend downstream
          distributions to default to "hybrid" mode for release distributions,
          starting with v233. We recommend "unified" for development
          distributions (specifically: distributions such as Fedora's rawhide)
          as that's where things are headed in the long run. Use "legacy" for
          greatest stability and compatibility only.

        * Note one current limitation of "unified" and "hybrid" control group
          setup modes: the kernel currently does not permit the systemd --user
          instance (i.e. unprivileged code) to migrate processes between two
          disconnected cgroup subtrees, even if both are managed and owned by
          the user. This effectively means "systemd-run --user --scope" doesn't
          work when invoked from outside of any "systemd --user" service or
          scope. Specifically, it is not supported from session scopes. We are
          working on fixing this in a future systemd version. (See #3388 for
          further details about this.)

        * DBus policy files are now installed into /usr rather than /etc. Make
          sure your system has dbus >= 1.9.18 running before upgrading to this
          version, or override the install path with --with-dbuspolicydir= .

        * All python scripts shipped with systemd (specifically: the various
          tests written in Python) now require Python 3.

        * systemd unit tests can now run standalone (without the source or
          build directories), and can be installed into /usr/lib/systemd/tests/
          with 'make install-tests'.

        * Note that from this version on, CONFIG_CRYPTO_USER_API_HASH,
          CONFIG_CRYPTO_HMAC and CONFIG_CRYPTO_SHA256 need to be enabled in the
          kernel.

        * Support for the %c, %r, %R specifiers in unit files has been
          removed. Specifiers are not supposed to be dependent on configuration
          in the unit file itself (so that they resolve the same regardless
          where used in the unit files), but these specifiers were influenced
          by the Slice= option.

        * The shell invoked by debug-shell.service now defaults to /bin/sh in
          all cases. If distributions want to use a different shell for this
          purpose (for example Fedora's /sbin/sushell) they need to specify
          this explicitly at configure time using --with-debug-shell=.

        * The confirmation spawn prompt has been reworked to offer the
          following choices:

           (c)ontinue, proceed without asking anymore
           (D)ump, show the state of the unit
           (f)ail, don't execute the command and pretend it failed
           (h)elp
           (i)nfo, show a short summary of the unit
           (j)obs, show jobs that are in progress
           (s)kip, don't execute the command and pretend it succeeded
           (y)es, execute the command

          The 'n' choice for the confirmation spawn prompt has been removed,
          because its meaning was confusing.

          The prompt may now also be redirected to an alternative console by
          specifying the console as parameter to systemd.confirm_spawn=.

        * Services of Type=notify require a READY=1 notification to be sent
          during startup. If no such message is sent, the service now fails,
          even if the main process exited with a successful exit code.

        * Services that fail to start up correctly now always have their
          ExecStopPost= commands executed. Previously, they'd enter "failed"
          state directly, without executing these commands.

        * The option MulticastDNS= of network configuration files has acquired
          an actual implementation. With MulticastDNS=yes a host can resolve
          names of remote hosts and reply to mDNS A and AAAA requests.

        * When units are about to be started an additional check is now done to
          ensure that all dependencies of type BindsTo= (when used in
          combination with After=) have been started.

        * systemd-analyze gained a new verb "syscall-filter" which shows which
          system call groups are defined for the SystemCallFilter= unit file
          setting, and which system calls they contain.

        * A new system call filter group "@filesystem" has been added,
          consisting of various file system related system calls. Group
          "@reboot" has been added, covering reboot, kexec and shutdown related
          calls. Finally, group "@swap" has been added covering swap
          configuration related calls.

        * A new unit file option RestrictNamespaces= has been added that may be
          used to restrict access to the various process namespace types the
          Linux kernel provides. Specifically, it may be used to take away the
          right for a service unit to create additional file system, network,
          user, and other namespaces. This sandboxing option is particularly
          relevant due to the high amount of recently discovered namespacing
          related vulnerabilities in the kernel.

        * systemd-udev's .link files gained support for a new AutoNegotiation=
          setting for configuring Ethernet auto-negotiation.

        * systemd-networkd's .network files gained support for a new
          ListenPort= setting in the [DHCP] section to explicitly configure the
          UDP client port the DHCP client shall listen on.

        * .network files gained a new Unmanaged= boolean setting for explicitly
          excluding one or more interfaces from management by systemd-networkd.

        * The systemd-networkd ProxyARP= option has been renamed to
          IPV4ProxyARP=. Similarly, VXLAN-specific option ARPProxy= has been
          renamed to ReduceARPProxy=. The old names continue to be available
          for compatibility.

        * systemd-networkd gained support for configuring IPv6 Proxy NDP
          addresses via the new IPv6ProxyNDPAddress= .network file setting.

        * systemd-networkd's bonding device support gained support for two new
          configuration options ActiveSlave= and PrimarySlave=.

        * The various options in the [Match] section of .network files gained
          support for negative matching.

        * New systemd-specific mount options are now understood in /etc/fstab:

          x-systemd.mount-timeout= may be used to configure the maximum
          permitted runtime of the mount command.

          x-systemd.device-bound may be set to bind a mount point to its
          backing device unit, in order to automatically remove a mount point
          if its backing device is unplugged. This option may also be
          configured through the new SYSTEMD_MOUNT_DEVICE_BOUND udev property
          on the block device, which is now automatically set for all CDROM
          drives, so that mounted CDs are automatically unmounted when they are
          removed from the drive.

          x-systemd.after= and x-systemd.before= may be used to explicitly
          order a mount after or before another unit or mount point.

        * Enqueued start jobs for device units are now automatically garbage
          collected if there are no jobs waiting for them anymore.

        * systemctl list-jobs gained two new switches: with --after, for every
          queued job the jobs it's waiting for are shown; with --before the
          jobs which it's blocking are shown.

        * systemd-nspawn gained support for ephemeral boots from disk images
          (or in other words: --ephemeral and --image= may now be
          combined). Moreover, ephemeral boots are now supported for normal
          directories, even if the backing file system is not btrfs. Of course,
          if the file system does not support file system snapshots or
          reflinks, the initial copy operation will be relatively expensive, but
          this should still be suitable for many use cases.

        * Calendar time specifications in .timer units now support
          specifications relative to the end of a month by using "~" instead of
          "-" as separator between month and day. For example, "*-02~03" means
          "the third last day in February". In addition a new syntax for
          repeated events has been added using the "/" character. For example,
          "9..17/2:00" means "every two hours from 9am to 5pm".

        * systemd-socket-proxyd gained a new parameter --connections-max= for
          configuring the maximum number of concurrent connections.

        * sd-id128 gained a new API for generating unique IDs for the host in a
          way that does not leak the machine ID. Specifically,
          sd_id128_get_machine_app_specific() derives an ID based on the
          machine ID in a well-defined, non-reversible, stable way. This is
          useful whenever an identifier for the host is needed but where the
          identifier shall not be useful to identify the system beyond the
          scope of the application itself. (Internally this uses HMAC-SHA256 as
          keyed hash function using the machine ID as input.)

        * NotifyAccess= gained a new supported value "exec". When set
          notifications are accepted from all processes systemd itself invoked,
          including all control processes.

        * .nspawn files gained support for defining overlay mounts using the
          Overlay= and OverlayReadOnly= options. Previously this functionality
          was only available on the systemd-nspawn command line.

        * systemd-nspawn's --bind= and --overlay= options gained support for
          bind/overlay mounts whose source lies within the container tree by
          prefixing the source path with "+".

        * systemd-nspawn's --bind= and --overlay= options gained support for
          automatically allocating a temporary source directory in /var/tmp
          that is removed when the container dies. Specifically, if the source
          directory is specified as empty string this mechanism is selected. An
          example usage is --overlay=+/var::/var, which creates an overlay
          mount based on the original /var contained in the image, overlaid
          with a temporary directory in the host's /var/tmp. This way changes
          to /var are automatically flushed when the container shuts down.

        * systemd-nspawn --image= option does now permit raw file system block
          devices (in addition to images containing partition tables, as
          before).

        * The disk image dissection logic in systemd-nspawn gained support for
          automatically setting up LUKS encrypted as well as Verity protected
          partitions. When a container is booted from an encrypted image the
          passphrase is queried at start-up time. When a container with Verity
          data is started, the root hash is search in a ".roothash" file
          accompanying the disk image (alternatively, pass the root hash via
          the new --root-hash= command line option).

        * A new tool /usr/lib/systemd/systemd-dissect has been added that may
          be used to dissect disk images the same way as systemd-nspawn does
          it, following the Bootable Partition Specification. It may even be
          used to mount disk images with complex partition setups (including
          LUKS and Verity partitions) to a local host directory, in order to
          inspect them. This tool is not considered public API (yet), and is
          thus not installed into /usr/bin. Please do not rely on its
          existence, since it might go away or be changed in later systemd
          versions.

        * A new generator "systemd-verity-generator" has been added, similar in
          style to "systemd-cryptsetup-generator", permitting automatic setup of
          Verity root partitions when systemd boots up. In order to make use of
          this your partition setup should follow the Discoverable Partitions
          Specification, and the GPT partition ID of the root file system
          partition should be identical to the upper 128-bit of the Verity root
          hash. The GPT partition ID of the Verity partition protecting it
          should be the lower 128-bit of the Verity root hash. If the partition
          image follows this model it is sufficient to specify a single
          "roothash=" kernel command line argument to both configure which root
          image and verity partition to use as well as the root hash for
          it. Note that systemd-nspawn's Verity support follows the same
          semantics, meaning that disk images with proper Verity data in place
          may be booted in containers with systemd-nspawn as well as on
          physical systems via the verity generator. Also note that the "mkosi"
          tool available at https://github.com/systemd/mkosi has been updated
          to generate Verity protected disk images following this scheme. In
          fact, it has been updated to generate disk images that optionally
          implement a complete UEFI SecureBoot trust chain, involving a signed
          kernel and initrd image that incorporates such a root hash as well as
          a Verity-enabled root partition.

        * The hardware database (hwdb) udev supports has been updated to carry
          accelerometer quirks.

        * All system services are now run with a fresh kernel keyring set up
          for them. The invocation ID is stored by default in it, thus
          providing a safe, non-overridable way to determine the invocation
          ID of each service.

        * Service unit files gained new BindPaths= and BindReadOnlyPaths=
          options for bind mounting arbitrary paths in a service-specific
          way. When these options are used, arbitrary host or service files and
          directories may be mounted to arbitrary locations in the service's
          view.

        * Documentation has been added that lists all of systemd's low-level
          environment variables:

          https://github.com/systemd/systemd/blob/master/docs/ENVIRONMENT.md

        * sd-daemon gained a new API sd_is_socket_sockaddr() for determining
          whether a specific socket file descriptor matches a specified socket
          address.

        * systemd-firstboot has been updated to check for the
          systemd.firstboot= kernel command line option. It accepts a boolean
          and when set to false the first boot questions are skipped.

        * systemd-fstab-generator has been updated to check for the
          systemd.volatile= kernel command line option, which either takes an
          optional boolean parameter or the special value "state". If used the
          system may be booted in a "volatile" boot mode. Specifically,
          "systemd.volatile" is used, the root directory will be mounted as
          tmpfs, and only /usr is mounted from the actual root file system. If
          "systemd.volatile=state" is used, the root directory will be mounted
          as usual, but /var is mounted as tmpfs. This concept provides similar
          functionality as systemd-nspawn's --volatile= option, but provides it
          on physical boots. Use this option for implementing stateless
          systems, or testing systems with all state and/or configuration reset
          to the defaults. (Note though that many distributions are not
          prepared to boot up without a populated /etc or /var, though.)

        * systemd-gpt-auto-generator gained support for LUKS encrypted root
          partitions. Previously it only supported LUKS encrypted partitions
          for all other uses, except for the root partition itself.

        * Socket units gained support for listening on AF_VSOCK sockets for
          communication in virtualized QEMU environments.

        * The "configure" script gained a new option --with-fallback-hostname=
          for specifying the fallback hostname to use if none is configured in
          /etc/hostname. For example, by specifying
          --with-fallback-hostname=fedora it is possible to default to a
          hostname of "fedora" on pristine installations.

        * systemd-cgls gained support for a new --unit= switch for listing only
          the control groups of a specific unit. Similar --user-unit= has been
          added for listing only the control groups of a specific user unit.

        * systemd-mount gained a new --umount switch for unmounting a mount or
          automount point (and all mount/automount points below it).

        * systemd will now refuse full configuration reloads (via systemctl
          daemon-reload and related calls) unless at least 16MiB of free space
          are available in /run. This is a safety precaution in order to ensure
          that generators can safely operate after the reload completed.

        * A new unit file option RootImage= has been added, which has a similar
          effect as RootDirectory= but mounts the service's root directory from
          a disk image instead of plain directory. This logic reuses the same
          image dissection and mount logic that systemd-nspawn already uses,
          and hence supports any disk images systemd-nspawn supports, including
          those following the Discoverable Partition Specification, as well as
          Verity enabled images. This option enables systemd to run system
          services directly off disk images acting as resource bundles,
          possibly even including full integrity data.

        * A new MountAPIVFS= unit file option has been added, taking a boolean
          argument. If enabled /proc, /sys and /dev (collectively called the
          "API VFS") will be mounted for the service. This is only relevant if
          RootDirectory= or RootImage= is used for the service, as these mounts
          are of course in place in the host mount namespace anyway.

        * systemd-nspawn gained support for a new --pivot-root= switch. If
          specified the root directory within the container image is pivoted to
          the specified mount point, while the original root disk is moved to a
          different place. This option enables booting of ostree images
          directly with systemd-nspawn.

        * The systemd build scripts will no longer complain if the NTP server
          addresses are not changed from the defaults. Google now supports
          these NTP servers officially. We still recommend downstreams to
          properly register an NTP pool with the NTP pool project though.

        * coredumpctl gained a new "--reverse" option for printing the list
          of coredumps in reverse order.

        * coredumpctl will now show additional information about truncated and
          inaccessible coredumps, as well as coredumps that are still being
          processed. It also gained a new --quiet switch for suppressing
          additional informational message in its output.

        * coredumpctl gained support for only showing coredumps newer and/or
          older than specific timestamps, using the new --since= and --until=
          options, reminiscent of journalctl's options by the same name.

        * The systemd-coredump logic has been improved so that it may be reused
          to collect backtraces in non-compiled languages, for example in
          scripting languages such as Python.

        * machinectl will now show the UID shift of local containers, if user
          namespacing is enabled for them.

        * systemd will now optionally run "environment generator" binaries at
          configuration load time. They may be used to add environment
          variables to the environment block passed to services invoked. One
          user environment generator is shipped by default that sets up
          environment variables based on files dropped into /etc/environment.d
          and ~/.config/environment.d/.

        * systemd-resolved now includes the new, recently published 2017 DNSSEC
          root key (KSK).

        * hostnamed has been updated to report a new chassis type of
          "convertible" to cover "foldable" laptops that can both act as a
          tablet and as a laptop, such as various Lenovo Yoga devices.

        Contributions from: Adrián López, Alexander Galanin, Alexander
        Kochetkov, Alexandros Frantzis, Andrey Ulanov, Antoine Eiche, Baruch
        Siach, Bastien Nocera, Benjamin Robin, Björn, Brandon Philips, Cédric
        Schieli, Charles (Chas) Williams, Christian Hesse, Daniele Medri,
        Daniel Drake, Daniel Rusek, Daniel Wagner, Dan Streetman, Dave Reisner,
        David Glasser, David Herrmann, David Michael, Djalal Harouni, Dmitry
        Khlebnikov, Dmitry Rozhkov, Dongsu Park, Douglas Christman, Earnestly,
        Emil Soleyman, Eric Cook, Evgeny Vereshchagin, Felipe Sateler, Fionn
        Cleary, Florian Klink, Francesco Brozzu, Franck Bui, Gabriel Rauter,
        Gianluca Boiano, Giedrius Statkevičius, Graeme Lawes, Hans de Goede,
        Harald Hoyer, Ian Kelling, Ivan Shapovalov, Jakub Wilk, Janne Heß, Jan
        Synacek, Jason Reeder, Jonathan Boulle, Jörg Thalheim, Jouke Witteveen,
        Karl Kraus, Kees Cook, Keith Busch, Kieran Colford, kilian-k, Lennart
        Poettering, Lubomir Rintel, Lucas Werkmeister, Lukas Rusak, Maarten de
        Vries, Maks Naumov, Mantas Mikulėnas, Marc-Andre Lureau, Marcin Bachry,
        Mark Stosberg, Martin Ejdestig, Martin Pitt, Mauricio Faria de
        Oliveira, micah, Michael Biebl, Michael Shields, Michal Schmidt, Michal
        Sekletar, Michel Kraus, Mike Gilbert, Mikko Ylinen, Mirza Krak,
        Namhyung Kim, nikolaof, peoronoob, Peter Hutterer, Peter Körner, Philip
        Withnall, Piotr Drąg, Ray Strode, Reverend Homer, Rike-Benjamin
        Schuppner, Robert Kreuzer, Ronny Chevalier, Ruslan Bilovol, sammynx,
        Sergey Ptashnick, Sergiusz Urbaniak, Stefan Berger, Stefan Hajnoczi,
        Stefan Schweter, Stuart McLaren, Susant Sahani, Sylvain Plantefève,
        Taylor Smock, Tejun Heo, Thomas Blume, Thomas H. P. Andersen, Tibor
        Nagy, Tobias Stoeckmann, Tom Gundersen, Torstein Husebø, Viktar
        Vaŭčkievič, Viktor Mihajlovski, Vitaly Sulimov, Waldemar Brodkorb,
        Walter Garcia-Fontes, Wim de With, Yassine Imounachen, Yi EungJun,
        YunQiang Su, Yu Watanabe, Zbigniew Jędrzejewski-Szmek, Александр
        Тихонов

        — Berlin, 2017-03-01

CHANGES WITH 232:

        * udev now runs with MemoryDenyWriteExecute=, RestrictRealtime= and
          RestrictAddressFamilies= enabled. These sandboxing options should
          generally be compatible with the various external udev call-out
          binaries we are aware of, however there may be exceptions, in
          particular when exotic languages for these call-outs are used. In
          this case, consider turning off these settings locally.

        * The new RemoveIPC= option can be used to remove IPC objects owned by
          the user or group of a service when that service exits.

        * The new ProtectKernelModules= option can be used to disable explicit
          load and unload operations of kernel modules by a service. In
          addition access to /usr/lib/modules is removed if this option is set.

        * ProtectSystem= option gained a new value "strict", which causes the
          whole file system tree with the exception of /dev, /proc, and /sys,
          to be remounted read-only for a service.

        * The new ProtectKernelTunables= option can be used to disable
          modification of configuration files in /sys and /proc by a service.
          Various directories and files are remounted read-only, so access is
          restricted even if the file permissions would allow it.

        * The new ProtectControlGroups= option can be used to disable write
          access by a service to /sys/fs/cgroup.

        * Various systemd services have been hardened with
          ProtectKernelTunables=yes, ProtectControlGroups=yes,
          RestrictAddressFamilies=.

        * Support for dynamically creating users for the lifetime of a service
          has been added. If DynamicUser=yes is specified, user and group IDs
          will be allocated from the range 61184…65519 for the lifetime of the
          service. They can be resolved using the new nss-systemd.so NSS
          module. The module must be enabled in /etc/nsswitch.conf. Services
          started in this way have PrivateTmp= and RemoveIPC= enabled, so that
          any resources allocated by the service will be cleaned up when the
          service exits. They also have ProtectHome=read-only and
          ProtectSystem=strict enabled, so they are not able to make any
          permanent modifications to the system.

        * The nss-systemd module also always resolves root and nobody, making
          it possible to have no /etc/passwd or /etc/group files in minimal
          container or chroot environments.

        * Services may be started with their own user namespace using the new
          boolean PrivateUsers= option. Only root, nobody, and the uid/gid
          under which the service is running are mapped. All other users are
          mapped to nobody.

        * Support for the cgroup namespace has been added to systemd-nspawn. If
          supported by kernel, the container system started by systemd-nspawn
          will have its own view of the cgroup hierarchy. This new behaviour
          can be disabled using $SYSTEMD_NSPAWN_USE_CGNS environment variable.

        * The new MemorySwapMax= option can be used to limit the maximum swap
          usage under the unified cgroup hierarchy.

        * Support for the CPU controller in the unified cgroup hierarchy has
          been added, via the CPUWeight=, CPUStartupWeight=, CPUAccounting=
          options. This controller requires out-of-tree patches for the kernel
          and the support is provisional.

        * Mount and automount units may now be created transiently
          (i.e. dynamically at runtime via the bus API, instead of requiring
          unit files in the file system).

        * systemd-mount is a new tool which may mount file systems – much like
          mount(8), optionally pulling in additional dependencies through
          transient .mount and .automount units. For example, this tool
          automatically runs fsck on a backing block device before mounting,
          and allows the automount logic to be used dynamically from the
          command line for establishing mount points. This tool is particularly
          useful when dealing with removable media, as it will ensure fsck is
          run – if necessary – before the first access and that the file system
          is quickly unmounted after each access by utilizing the automount
          logic. This maximizes the chance that the file system on the
          removable media stays in a clean state, and if it isn't in a clean
          state is fixed automatically.

        * LazyUnmount=yes option for mount units has been added to expose the
          umount --lazy option. Similarly, ForceUnmount=yes exposes the --force
          option.

        * /efi will be used as the mount point of the EFI boot partition, if
          the directory is present, and the mount point was not configured
          through other means (e.g. fstab). If /efi directory does not exist,
          /boot will be used as before. This makes it easier to automatically
          mount the EFI partition on systems where /boot is used for something
          else.

        * When operating on GPT disk images for containers, systemd-nspawn will
          now mount the ESP to /boot or /efi according to the same rules as PID
          1 running on a host. This allows tools like "bootctl" to operate
          correctly within such containers, in order to make container images
          bootable on physical systems.

        * disk/by-id and disk/by-path symlinks are now created for NVMe drives.

        * Two new user session targets have been added to support running
          graphical sessions under the systemd --user instance:
          graphical-session.target and graphical-session-pre.target. See
          systemd.special(7) for a description of how those targets should be
          used.

        * The vconsole initialization code has been significantly reworked to
          use KD_FONT_OP_GET/SET ioctls instead of KD_FONT_OP_COPY and better
          support unicode keymaps. Font and keymap configuration will now be
          copied to all allocated virtual consoles.

        * FreeBSD's bhyve virtualization is now detected.

        * Information recorded in the journal for core dumps now includes the
          contents of /proc/mountinfo and the command line of the process at
          the top of the process hierarchy (which is usually the init process
          of the container).

        * systemd-journal-gatewayd learned the --directory= option to serve
          files from the specified location.

        * journalctl --root=… can be used to peruse the journal in the
          /var/log/ directories inside of a container tree. This is similar to
          the existing --machine= option, but does not require the container to
          be active.

        * The hardware database has been extended to support
          ID_INPUT_TRACKBALL, used in addition to ID_INPUT_MOUSE to identify
          trackball devices.

          MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL hwdb property has been added to
          specify the click rate for mice which include a horizontal wheel with
          a click rate that is different than the one for the vertical wheel.

        * systemd-run gained a new --wait option that makes service execution
          synchronous. (Specifically, the command will not return until the
          specified service binary exited.)

        * systemctl gained a new --wait option that causes the start command to
          wait until the units being started have terminated again.

        * A new journal output mode "short-full" has been added which displays
          timestamps with abbreviated English day names and adds a timezone
          suffix. Those timestamps include more information than the default
          "short" output mode, and can be passed directly to journalctl's
          --since= and --until= options.

        * /etc/resolv.conf will be bind-mounted into containers started by
          systemd-nspawn, if possible, so any changes to resolv.conf contents
          are automatically propagated to the container.

        * The number of instances for socket-activated services originating
          from a single IP address can be limited with
          MaxConnectionsPerSource=, extending the existing setting of
          MaxConnections=.

        * systemd-networkd gained support for vcan ("Virtual CAN") interface
          configuration.

        * .netdev and .network configuration can now be extended through
          drop-ins.

        * UDP Segmentation Offload, TCP Segmentation Offload, Generic
          Segmentation Offload, Generic Receive Offload, Large Receive Offload
          can be enabled and disabled using the new UDPSegmentationOffload=,
          TCPSegmentationOffload=, GenericSegmentationOffload=,
          GenericReceiveOffload=, LargeReceiveOffload= options in the
          [Link] section of .link files.

        * The Spanning Tree Protocol, Priority, Aging Time, and the Default
          Port VLAN ID can be configured for bridge devices using the new STP=,
          Priority=, AgeingTimeSec=, and DefaultPVID= settings in the [Bridge]
          section of .netdev files.

        * The route table to which routes received over DHCP or RA should be
          added can be configured with the new RouteTable= option in the [DHCP]
          and [IPv6AcceptRA] sections of .network files.

        * The Address Resolution Protocol can be disabled on links managed by
          systemd-networkd using the ARP=no setting in the [Link] section of
          .network files.

        * New environment variables $SERVICE_RESULT, $EXIT_CODE and
          $EXIT_STATUS are set for ExecStop= and ExecStopPost= commands, and
          encode information about the result and exit codes of the current
          service runtime cycle.

        * systemd-sysctl will now configure kernel parameters in the order
          they occur in the configuration files. This matches what sysctl
          has been traditionally doing.

        * kernel-install "plugins" that are executed to perform various
          tasks after a new kernel is added and before an old one is removed
          can now return a special value to terminate the procedure and
          prevent any later plugins from running.

        * Journald's SplitMode=login setting has been deprecated. It has been
          removed from documentation, and its use is discouraged. In a future
          release it will be completely removed, and made equivalent to current
          default of SplitMode=uid.

        * Storage=both option setting in /etc/systemd/coredump.conf has been
          removed. With fast LZ4 compression storing the core dump twice is not
          useful.

        * The --share-system systemd-nspawn option has been replaced with an
          (undocumented) variable $SYSTEMD_NSPAWN_SHARE_SYSTEM, but the use of
          this functionality is discouraged. In addition the variables
          $SYSTEMD_NSPAWN_SHARE_NS_IPC, $SYSTEMD_NSPAWN_SHARE_NS_PID,
          $SYSTEMD_NSPAWN_SHARE_NS_UTS may be used to control the unsharing of
          individual namespaces.

        * "machinectl list" now shows the IP address of running containers in
          the output, as well as OS release information.

        * "loginctl list" now shows the TTY of each session in the output.

        * sd-bus gained new API calls sd_bus_track_set_recursive(),
          sd_bus_track_get_recursive(), sd_bus_track_count_name(),
          sd_bus_track_count_sender(). They permit usage of sd_bus_track peer
          tracking objects in a "recursive" mode, where a single client can be
          counted multiple times, if it takes multiple references.

        * sd-bus gained new API calls sd_bus_set_exit_on_disconnect() and
          sd_bus_get_exit_on_disconnect(). They may be used to make a
          process using sd-bus automatically exit if the bus connection is
          severed.

        * Bus clients of the service manager may now "pin" loaded units into
          memory, by taking an explicit reference on them. This is useful to
          ensure the client can retrieve runtime data about the service even
          after the service completed execution. Taking such a reference is
          available only for privileged clients and should be helpful to watch
          running services in a race-free manner, and in particular collect
          information about exit statuses and results.

        * The nss-resolve module has been changed to strictly return UNAVAIL
          when communication via D-Bus with resolved failed, and NOTFOUND when
          a lookup completed but was negative. This means it is now possible to
          neatly configure fallbacks using nsswitch.conf result checking
          expressions. Taking benefit of this, the new recommended
          configuration line for the "hosts" entry in /etc/nsswitch.conf is:

              hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname

        * A new setting CtrlAltDelBurstAction= has been added to
          /etc/systemd/system.conf which may be used to configure the precise
          behaviour if the user on the console presses Ctrl-Alt-Del more often
          than 7 times in 2s. Previously this would unconditionally result in
          an expedited, immediate reboot. With this new setting the precise
          operation may be configured in more detail, and also turned off
          entirely.

        * In .netdev files two new settings RemoteChecksumTx= and
          RemoteChecksumRx= are now understood that permit configuring the
          remote checksumming logic for VXLAN networks.

        * The service manager learnt a new "invocation ID" concept for invoked
          services. Each runtime cycle of a service will get a new invocation
          ID (a 128-bit random UUID) assigned that identifies the current
          run of the service uniquely and globally. A new invocation ID
          is generated each time a service starts up. The journal will store
          the invocation ID of a service along with any logged messages, thus
          making the invocation ID useful for matching the online runtime of a
          service with the offline log data it generated in a safe way without
          relying on synchronized timestamps. In many ways this new service
          invocation ID concept is similar to the kernel's boot ID concept that
          uniquely and globally identifies the runtime of each boot. The
          invocation ID of a service is passed to the service itself via an
          environment variable ($INVOCATION_ID). A new bus call
          GetUnitByInvocationID() has been added that is similar to GetUnit()
          but instead of retrieving the bus path for a unit by its name
          retrieves it by its invocation ID. The returned path is valid only as
          long as the passed invocation ID is current.

        * systemd-resolved gained a new "DNSStubListener" setting in
          resolved.conf. It either takes a boolean value or the special values
          "udp" and "tcp", and configures whether to enable the stub DNS
          listener on 127.0.0.53:53.

        * IP addresses configured via networkd may now carry additional
          configuration settings supported by the kernel. New options include:
          HomeAddress=, DuplicateAddressDetection=, ManageTemporaryAddress=,
          PrefixRoute=, AutoJoin=.

        * The PAM configuration fragment file for "user@.service" shipped with
          systemd (i.e. the --user instance of systemd) has been stripped to
          the minimum necessary to make the system boot. Previously, it
          contained Fedora-specific stanzas that did not apply to other
          distributions. It is expected that downstream distributions add
          additional configuration lines, matching their needs to this file,
          using it only as rough template of what systemd itself needs. Note
          that this reduced fragment does not even include an invocation of
          pam_limits which most distributions probably want to add, even though
          systemd itself does not need it. (There's also the new build time
          option --with-pamconfdir=no to disable installation of the PAM
          fragment entirely.)

        * If PrivateDevices=yes is set for a service the CAP_SYS_RAWIO
          capability is now also dropped from its set (in addition to
          CAP_SYS_MKNOD as before).

        * In service unit files it is now possible to connect a specific named
          file descriptor with stdin/stdout/stdout of an executed service. The
          name may be specified in matching .socket units using the
          FileDescriptorName= setting.

        * A number of journal settings may now be configured on the kernel
          command line. Specifically, the following options are now understood:
          systemd.journald.max_level_console=,
          systemd.journald.max_level_store=,
          systemd.journald.max_level_syslog=, systemd.journald.max_level_kmsg=,
          systemd.journald.max_level_wall=.

        * "systemctl is-enabled --full" will now show by which symlinks a unit
          file is enabled in the unit dependency tree.

        * Support for VeraCrypt encrypted partitions has been added to the
          "cryptsetup" logic and /etc/crypttab.

        * systemd-detect-virt gained support for a new --private-users switch
          that checks whether the invoking processes are running inside a user
          namespace. Similar, a new special value "private-users" for the
          existing ConditionVirtualization= setting has been added, permitting
          skipping of specific units in user namespace environments.

        Contributions from: Alban Crequy, Alexander Kuleshov, Alfie John,
        Andreas Henriksson, Andrew Jeddeloh, Balázs Úr, Bart Rulon, Benjamin
        Richter, Ben Gamari, Ben Harris, Brian J. Murrell, Christian Brauner,
        Christian Rebischke, Clinton Roy, Colin Walters, Cristian Rodríguez,
        Daniel Hahler, Daniel Mack, Daniel Maixner, Daniel Rusek, Dan Dedrick,
        Davide Cavalca, David Herrmann, David Michael, Dennis Wassenberg,
        Djalal Harouni, Dongsu Park, Douglas Christman, Elias Probst, Eric
        Cook, Erik Karlsson, Evgeny Vereshchagin, Felipe Sateler, Felix Zhang,
        Franck Bui, George Hilliard, Giuseppe Scrivano, HATAYAMA Daisuke,
        Heikki Kemppainen, Hendrik Brueckner, hi117, Ismo Puustinen, Ivan
        Shapovalov, Jakub Filak, Jakub Wilk, Jan Synacek, Jason Kölker,
        Jean-Sébastien Bour, Jiří Pírko, Jonathan Boulle, Jorge Niedbalski,
        Keith Busch, kristbaum, Kyle Russell, Lans Zhang, Lennart Poettering,
        Leonardo Brondani Schenkel, Lucas Werkmeister, Luca Bruno, Lukáš
        Nykrýn, Maciek Borzecki, Mantas Mikulėnas, Marc-Antoine Perennou,
        Marcel Holtmann, Marcos Mello, Martin Ejdestig, Martin Pitt, Matej
        Habrnal, Maxime de Roucy, Michael Biebl, Michael Chapman, Michael Hoy,
        Michael Olbrich, Michael Pope, Michal Sekletar, Michal Soltys, Mike
        Gilbert, Nick Owens, Patrik Flykt, Paweł Szewczyk, Peter Hutterer,
        Piotr Drąg, Reid Price, Richard W.M. Jones, Roman Stingler, Ronny
        Chevalier, Seraphime Kirkovski, Stefan Schweter, Steve Muir, Susant
        Sahani, Tejun Heo, Thomas Blume, Thomas H. P. Andersen, Tiago Levit,
        Tobias Jungel, Tomáš Janoušek, Topi Miettinen, Torstein Husebø, Umut
        Tezduyar Lindskog, Vito Caputo, WaLyong Cho, Wilhelm Schuster, Yann
        E. MORIN, Yi EungJun, Yuki Inoguchi, Yu Watanabe, Zbigniew
        Jędrzejewski-Szmek, Zeal Jagannatha

        — Santa Fe, 2016-11-03

CHANGES WITH 231:

        * In service units the various ExecXYZ= settings have been extended
          with an additional special character as first argument of the
          assigned value: if the character '+' is used the specified command
          line it will be run with full privileges, regardless of User=,
          Group=, CapabilityBoundingSet= and similar options. The effect is
          similar to the existing PermissionsStartOnly= option, but allows
          configuration of this concept for each executed command line
          independently.

        * Services may now alter the service watchdog timeout at runtime by
          sending a WATCHDOG_USEC= message via sd_notify().

        * MemoryLimit= and related unit settings now optionally take percentage
          specifications. The percentage is taken relative to the amount of
          physical memory in the system (or in case of containers, the assigned
          amount of memory). This allows scaling service resources neatly with
          the amount of RAM available on the system. Similarly, systemd-logind's
          RuntimeDirectorySize= option now also optionally takes percentage
          values.

        * In similar fashion TasksMax= takes percentage values now, too. The
          value is taken relative to the configured maximum number of processes
          on the system. The per-service task maximum has been changed to 15%
          using this functionality. (Effectively this is an increase of 512 →
          4915 for service units, given the kernel's default pid_max setting.)

        * Calendar time specifications in .timer units now understand a ".."
          syntax for time ranges. Example: "4..7:10" may now be used for
          defining a timer that is triggered at 4:10am, 5:10am, 6:10am and
          7:10am every day.

        * The InaccessableDirectories=, ReadOnlyDirectories= and
          ReadWriteDirectories= unit file settings have been renamed to
          InaccessablePaths=, ReadOnlyPaths= and ReadWritePaths= and may now be
          applied to all kinds of file nodes, and not just directories, with
          the exception of symlinks. Specifically these settings may now be
          used on block and character device nodes, UNIX sockets and FIFOS as
          well as regular files. The old names of these settings remain
          available for compatibility.

        * systemd will now log about all service processes it kills forcibly
          (using SIGKILL) because they remained after the clean shutdown phase
          of the service completed. This should help identifying services that
          shut down uncleanly. Moreover if KillUserProcesses= is enabled in
          systemd-logind's configuration a similar log message is generated for
          processes killed at the end of each session due to this setting.

        * systemd will now set the $JOURNAL_STREAM environment variable for all
          services whose stdout/stderr are connected to the Journal (which
          effectively means by default: all services). The variable contains
          the device and inode number of the file descriptor used for
          stdout/stderr. This may be used by invoked programs to detect whether
          their stdout/stderr is connected to the Journal, in which case they
          can switch over to direct Journal communication, thus being able to
          pass extended, structured metadata along with their log messages. As
          one example, this is now used by glib's logging primitives.

        * When using systemd's default tmp.mount unit for /tmp, the mount point
          will now be established with the "nosuid" and "nodev" options. This
          avoids privilege escalation attacks that put traps and exploits into
          /tmp. However, this might cause problems if you e.g. put container
          images or overlays into /tmp; if you need this, override tmp.mount's
          "Options=" with a drop-in, or mount /tmp from /etc/fstab with your
          desired options.

        * systemd now supports the "memory" cgroup controller also on
          cgroup v2.

        * The systemd-cgtop tool now optionally takes a control group path as
          command line argument. If specified, the control group list shown is
          limited to subgroups of that group.

        * The SystemCallFilter= unit file setting gained support for
          pre-defined, named system call filter sets. For example
          SystemCallFilter=@clock is now an effective way to make all clock
          changing-related system calls unavailable to a service. A number of
          similar pre-defined groups are defined. Writing system call filters
          for system services is simplified substantially with this new
          concept. Accordingly, all of systemd's own, long-running services now
          enable system call filtering based on this, by default.

        * A new service setting MemoryDenyWriteExecute= has been added, taking
          a boolean value. If turned on, a service may no longer create memory
          mappings that are writable and executable at the same time. This
          enhances security for services where this is enabled as it becomes
          harder to dynamically write and then execute memory in exploited
          service processes. This option has been enabled for all of systemd's
          own long-running services.

        * A new RestrictRealtime= service setting has been added, taking a
          boolean argument. If set the service's processes may no longer
          acquire realtime scheduling. This improves security as realtime
          scheduling may otherwise be used to easily freeze the system.

        * systemd-nspawn gained a new switch --notify-ready= taking a boolean
          value. This may be used for requesting that the system manager inside
          of the container reports start-up completion to nspawn which then
          propagates this notification further to the service manager
          supervising nspawn itself. A related option NotifyReady= in .nspawn
          files has been added too. This functionality allows ordering of the
          start-up of multiple containers using the usual systemd ordering
          primitives.

        * machinectl gained a new command "stop" that is an alias for
          "terminate".

        * systemd-resolved gained support for contacting DNS servers on
          link-local IPv6 addresses.

        * If systemd-resolved receives the SIGUSR2 signal it will now flush all
          its caches. A method call for requesting the same operation has been
          added to the bus API too, and is made available via "systemd-resolve
          --flush-caches".

        * systemd-resolve gained a new --status switch. If passed a brief
          summary of the used DNS configuration with per-interface information
          is shown.

        * resolved.conf gained a new Cache= boolean option, defaulting to
          on. If turned off local DNS caching is disabled. This comes with a
          performance penalty in particular when DNSSEC is enabled. Note that
          resolved disables its internal caching implicitly anyway, when the
          configured DNS server is on a host-local IP address such as ::1 or
          127.0.0.1, thus automatically avoiding double local caching.

        * systemd-resolved now listens on the local IP address 127.0.0.53:53
          for DNS requests. This improves compatibility with local programs
          that do not use the libc NSS or systemd-resolved's bus APIs for name
          resolution. This minimal DNS service is only available to local
          programs and does not implement the full DNS protocol, but enough to
          cover local DNS clients. A new, static resolv.conf file, listing just
          this DNS server is now shipped in /usr/lib/systemd/resolv.conf. It is
          now recommended to make /etc/resolv.conf a symlink to this file in
          order to route all DNS lookups to systemd-resolved, regardless if
          done via NSS, the bus API or raw DNS packets. Note that this local
          DNS service is not as fully featured as the libc NSS or
          systemd-resolved's bus APIs. For example, as unicast DNS cannot be
          used to deliver link-local address information (as this implies
          sending a local interface index along), LLMNR/mDNS support via this
          interface is severely restricted. It is thus strongly recommended for
          all applications to use the libc NSS API or native systemd-resolved
          bus API instead.

        * systemd-networkd's bridge support learned a new setting
          VLANFiltering= for controlling VLAN filtering. Moreover a new section
          in .network files has been added for configuring VLAN bridging in
          more detail: VLAN=, EgressUntagged=, PVID= in [BridgeVLAN].

        * systemd-networkd's IPv6 Router Advertisement code now makes use of
          the DNSSL and RDNSS options. This means IPv6 DNS configuration may
          now be acquired without relying on DHCPv6. Two new options
          UseDomains= and UseDNS= have been added to configure this behaviour.

        * systemd-networkd's IPv6AcceptRouterAdvertisements= option has been
          renamed IPv6AcceptRA=, without altering its behaviour. The old
          setting name remains available for compatibility reasons.

        * The systemd-networkd VTI/VTI6 tunneling support gained new options
          Key=, InputKey= and OutputKey=.

        * systemd-networkd gained support for VRF ("Virtual Routing Function")
          interface configuration.

        * "systemctl edit" may now be used to create new unit files by
          specifying the --force switch.

        * sd-event gained a new function sd_event_get_iteration() for
          requesting the current iteration counter of the event loop. It starts
          at zero and is increased by one with each event loop iteration.

        * A new rpm macro %systemd_ordering is provided by the macros.systemd
          file. It can be used in lieu of %systemd_requires in packages which
          don't use any systemd functionality and are intended to be installed
          in minimal containers without systemd present. This macro provides
          ordering dependencies to ensure that if the package is installed in
          the same rpm transaction as systemd, systemd will be installed before
          the scriptlets for the package are executed, allowing unit presets
          to be handled.

          New macros %_systemdgeneratordir and %_systemdusergeneratordir have
          been added to simplify packaging of generators.

        * The os-release file gained VERSION_CODENAME field for the
          distribution nickname (e.g. VERSION_CODENAME=woody).

        * New udev property UDEV_DISABLE_PERSISTENT_STORAGE_RULES_FLAG=1
          can be set to disable parsing of metadata and the creation
          of persistent symlinks for that device.

        * The v230 change to tag framebuffer devices (/dev/fb*) with "uaccess"
          to make them available to logged-in users has been reverted.

        * Much of the common code of the various systemd components is now
          built into an internal shared library libsystemd-shared-231.so
          (incorporating the systemd version number in the name, to be updated
          with future releases) that the components link to. This should
          decrease systemd footprint both in memory during runtime and on
          disk. Note that the shared library is not for public use, and is
          neither API nor ABI stable, but is likely to change with every new
          released update. Packagers need to make sure that binaries
          linking to libsystemd-shared.so are updated in step with the
          library.

        * Configuration for "mkosi" is now part of the systemd
          repository. mkosi is a tool to easily build legacy-free OS images,
          and is available on github: https://github.com/systemd/mkosi. If
          "mkosi" is invoked in the build tree a new raw OS image is generated
          incorporating the systemd sources currently being worked on and a
          clean, fresh distribution installation. The generated OS image may be
          booted up with "systemd-nspawn -b -i", qemu-kvm or on any physical
          UEFI PC. This functionality is particularly useful to easily test
          local changes made to systemd in a pristine, defined environment. See
          doc/HACKING for details.

        * configure learned the --with-support-url= option to specify the
          distribution's bugtracker.

        Contributions from: Alban Crequy, Alessandro Puccetti, Alessio Igor
        Bogani, Alexander Kuleshov, Alexander Kurtz, Alex Gaynor, Andika
        Triwidada, Andreas Pokorny, Andreas Rammhold, Andrew Jeddeloh, Ansgar
        Burchardt, Atrotors, Benjamin Drung, Brian Boylston, Christian Hesse,
        Christian Rebischke, Daniele Medri, Daniel Mack, Dave Reisner, David
        Herrmann, David Michael, Djalal Harouni, Douglas Christman, Elias
        Probst, Evgeny Vereshchagin, Federico Mena Quintero, Felipe Sateler,
        Franck Bui, Harald Hoyer, Ian Lee, Ivan Shapovalov, Jakub Wilk, Jan
        Janssen, Jean-Sébastien Bour, John Paul Adrian Glaubitz, Jouke
        Witteveen, Kai Ruhnau, kpengboy, Kyle Walker, Lénaïc Huard, Lennart
        Poettering, Luca Bruno, Lukas Lösche, Lukáš Nykrýn, mahkoh, Marcel
        Holtmann, Martin Pitt, Marty Plummer, Matthieu Codron, Max Prokhorov,
        Michael Biebl, Michael Karcher, Michael Olbrich, Michał Bartoszkiewicz,
        Michal Sekletar, Michal Soltys, Minkyung, Muhammet Kara, mulkieran,
        Otto Wallenius, Pablo Lezaeta Reyes, Peter Hutterer, Ronny Chevalier,
        Rusty Bird, Stef Walter, Susant Sahani, Tejun Heo, Thomas Blume, Thomas
        Haller, Thomas H. P. Andersen, Tobias Jungel, Tom Gundersen, Tom Yan,
        Topi Miettinen, Torstein Husebø, Valentin Vidić, Viktar Vaŭčkievič,
        WaLyong Cho, Weng Xuetian, Werner Fink, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2016-07-25

CHANGES WITH 230:

        * DNSSEC is now turned on by default in systemd-resolved (in
          "allow-downgrade" mode), but may be turned off during compile time by
          passing "--with-default-dnssec=no" to "configure" (and of course,
          during runtime with DNSSEC= in resolved.conf). We recommend
          downstreams to leave this on at least during development cycles and
          report any issues with the DNSSEC logic upstream. We are very
          interested in collecting feedback about the DNSSEC validator and its
          limitations in the wild. Note however, that DNSSEC support is
          probably nothing downstreams should turn on in stable distros just
          yet, as it might create incompatibilities with a few DNS servers and
          networks. We tried hard to make sure we downgrade to non-DNSSEC mode
          automatically whenever we detect such incompatible setups, but there
          might be systems we do not cover yet. Hence: please help us testing
          the DNSSEC code, leave this on where you can, report back, but then
          again don't consider turning this on in your stable, LTS or
          production release just yet. (Note that you have to enable
          nss-resolve in /etc/nsswitch.conf, to actually use systemd-resolved
          and its DNSSEC mode for hostname resolution from local
          applications.)

        * systemd-resolve conveniently resolves DANE records with the --tlsa
          option and OPENPGPKEY records with the --openpgp option. It also
          supports dumping raw DNS record data via the new --raw= switch.

        * systemd-logind will now by default terminate user processes that are
          part of the user session scope unit (session-XX.scope) when the user
          logs out. This behavior is controlled by the KillUserProcesses=
          setting in logind.conf, and the previous default of "no" is now
          changed to "yes". This means that user sessions will be properly
          cleaned up after, but additional steps are necessary to allow
          intentionally long-running processes to survive logout.

          While the user is logged in at least once, user@.service is running,
          and any service that should survive the end of any individual login
          session can be started at a user service or scope using systemd-run.
          systemd-run(1) man page has been extended with an example which shows
          how to run screen in a scope unit underneath user@.service. The same
          command works for tmux.

          After the user logs out of all sessions, user@.service will be
          terminated too, by default, unless the user has "lingering" enabled.
          To effectively allow users to run long-term tasks even if they are
          logged out, lingering must be enabled for them. See loginctl(1) for
          details. The default polkit policy was modified to allow users to
          set lingering for themselves without authentication.

          Previous defaults can be restored at compile time by the
          --without-kill-user-processes option to "configure".

        * systemd-logind gained new configuration settings SessionsMax= and
          InhibitorsMax=, both with a default of 8192. It will not register new
          user sessions or inhibitors above this limit.

        * systemd-logind will now reload configuration on SIGHUP.

        * The unified cgroup hierarchy added in Linux 4.5 is now supported.
          Use systemd.unified_cgroup_hierarchy=1 on the kernel command line to
          enable. Also, support for the "io" cgroup controller in the unified
          hierarchy has been added, so that the "memory", "pids" and "io" are
          now the controllers that are supported on the unified hierarchy.

          WARNING: it is not possible to use previous systemd versions with
          systemd.unified_cgroup_hierarchy=1 and the new kernel. Therefore it
          is necessary to also update systemd in the initramfs if using the
          unified hierarchy. An updated SELinux policy is also required.

        * LLDP support has been extended, and both passive (receive-only) and
          active (sender) modes are supported. Passive mode ("routers-only") is
          enabled by default in systemd-networkd. Active LLDP mode is enabled
          by default for containers on the internal network. The "networkctl
          lldp" command may be used to list information gathered. "networkctl
          status" will also show basic LLDP information on connected peers now.

        * The IAID and DUID unique identifier sent in DHCP requests may now be
          configured for the system and each .network file managed by
          systemd-networkd using the DUIDType=, DUIDRawData=, IAID= options.

        * systemd-networkd gained support for configuring proxy ARP support for
          each interface, via the ProxyArp= setting in .network files. It also
          gained support for configuring the multicast querier feature of
          bridge devices, via the new MulticastQuerier= setting in .netdev
          files. Similarly, snooping on the IGMP traffic can be controlled
          via the new setting MulticastSnooping=.

          A new setting PreferredLifetime= has been added for addresses
          configured in .network file to configure the lifetime intended for an
          address.

          The systemd-networkd DHCP server gained the option EmitRouter=, which
          defaults to yes, to configure whether the DHCP Option 3 (Router)
          should be emitted.

        * The testing tool /usr/lib/systemd/systemd-activate is renamed to
          systemd-socket-activate and installed into /usr/bin. It is now fully
          supported.

        * systemd-journald now uses separate threads to flush changes to disk
          when closing journal files, thus reducing impact of slow disk I/O on
          logging performance.

        * The sd-journal API gained two new calls
          sd_journal_open_directory_fd() and sd_journal_open_files_fd() which
          can be used to open journal files using file descriptors instead of
          file or directory paths. sd_journal_open_container() has been
          deprecated, sd_journal_open_directory_fd() should be used instead
          with the flag SD_JOURNAL_OS_ROOT.

        * journalctl learned a new output mode "-o short-unix" that outputs log
          lines prefixed by their UNIX time (i.e. seconds since Jan 1st, 1970
          UTC). It also gained support for a new --no-hostname setting to
          suppress the hostname column in the family of "short" output modes.

        * systemd-ask-password now optionally skips printing of the password to
          stdout with --no-output which can be useful in scripts.

        * Framebuffer devices (/dev/fb*) and 3D printers and scanners
          (devices tagged with ID_MAKER_TOOL) are now tagged with
          "uaccess" and are available to logged in users.

        * The DeviceAllow= unit setting now supports specifiers (with "%").

        * "systemctl show" gained a new --value switch, which allows print a
          only the contents of a specific unit property, without also printing
          the property's name. Similar support was added to "show*" verbs
          of loginctl and machinectl that output "key=value" lists.

        * A new unit type "generated" was added for files dynamically generated
          by generator tools. Similarly, a new unit type "transient" is used
          for unit files created using the runtime API. "systemctl enable" will
          refuse to operate on such files.

        * A new command "systemctl revert" has been added that may be used to
          revert to the vendor version of a unit file, in case local changes
          have been made by adding drop-ins or overriding the unit file.

        * "machinectl clean" gained a new verb to automatically remove all or
          just hidden container images.

        * systemd-tmpfiles gained support for a new line type "e" for emptying
          directories, if they exist, without creating them if they don't.

        * systemd-nspawn gained support for automatically patching the UID/GIDs
          of the owners and the ACLs of all files and directories in a
          container tree to match the UID/GID user namespacing range selected
          for the container invocation. This mode is enabled via the new
          --private-users-chown switch. It also gained support for
          automatically choosing a free, previously unused UID/GID range when
          starting a container, via the new --private-users=pick setting (which
          implies --private-users-chown). Together, these options for the first
          time make user namespacing for nspawn containers fully automatic and
          thus deployable. The systemd-nspawn@.service template unit file has
          been changed to use this functionality by default.

        * systemd-nspawn gained a new --network-zone= switch, that allows
          creating ad-hoc virtual Ethernet links between multiple containers,
          that only exist as long as at least one container referencing them is
          running. This allows easy connecting of multiple containers with a
          common link that implements an Ethernet broadcast domain. Each of
          these network "zones" may be named relatively freely by the user, and
          may be referenced by any number of containers, but each container may
          only reference one of these "zones". On the lower level, this is
          implemented by an automatically managed bridge network interface for
          each zone, that is created when the first container referencing its
          zone is created and removed when the last one referencing its zone
          terminates.

        * The default start timeout may now be configured on the kernel command
          line via systemd.default_timeout_start_sec=. It was already
          configurable via the DefaultTimeoutStartSec= option in
          /etc/systemd/system.conf.

        * Socket units gained a new TriggerLimitIntervalSec= and
          TriggerLimitBurst= setting to configure a limit on the activation
          rate of the socket unit.

        * The LimitNICE= setting now optionally takes normal UNIX nice values
          in addition to the raw integer limit value. If the specified
          parameter is prefixed with "+" or "-" and is in the range -20…19 the
          value is understood as UNIX nice value. If not prefixed like this it
          is understood as raw RLIMIT_NICE limit.

        * Note that the effect of the PrivateDevices= unit file setting changed
          slightly with this release: the per-device /dev file system will be
          mounted read-only from this version on, and will have "noexec"
          set. This (minor) change of behavior might cause some (exceptional)
          legacy software to break, when PrivateDevices=yes is set for its
          service. Please leave PrivateDevices= off if you run into problems
          with this.

        * systemd-bootchart has been split out to a separate repository:
          https://github.com/systemd/systemd-bootchart

        * systemd-bus-proxyd has been removed, as kdbus is unlikely to still be
          merged into the kernel in its current form.

        * The compatibility libraries libsystemd-daemon.so,
          libsystemd-journal.so, libsystemd-id128.so, and libsystemd-login.so
          which have been deprecated since systemd-209 have been removed along
          with the corresponding pkg-config files. All symbols provided by
          those libraries are provided by libsystemd.so.

        * The Capabilities= unit file setting has been removed (it is ignored
          for backwards compatibility). AmbientCapabilities= and
          CapabilityBoundingSet= should be used instead.

        * A new special target has been added, initrd-root-device.target,
          which creates a synchronization point for dependencies of the root
          device in early userspace. Initramfs builders must ensure that this
          target is now included in early userspace.

        Contributions from: Alban Crequy, Alexander Kuleshov, Alexander Shopov,
        Alex Crawford, Andre Klärner, Andrew Eikum, Beniamino Galvani, Benjamin
        Robin, Biao Lu, Bjørnar Ness, Calvin Owens, Christian Hesse, Clemens
        Gruber, Colin Guthrie, Daniel Drake, Daniele Medri, Daniel J Walsh,
        Daniel Mack, Dan Nicholson, daurnimator, David Herrmann, David
        R. Hedges, Elias Probst, Emmanuel Gil Peyrot, EMOziko, Evgeny
        Vereshchagin, Federico, Felipe Sateler, Filipe Brandenburger, Franck
        Bui, frankheckenbach, gdamjan, Georgia Brikis, Harald Hoyer, Hendrik
        Brueckner, Hristo Venev, Iago López Galeiras, Ian Kelling, Ismo
        Puustinen, Jakub Wilk, Jaroslav Škarvada, Jeff Huang, Joel Holdsworth,
        John Paul Adrian Glaubitz, Jonathan Boulle, kayrus, Klearchos
        Chaloulos, Kyle Russell, Lars Uebernickel, Lennart Poettering, Lubomir
        Rintel, Lukáš Nykrýn, Mantas Mikulėnas, Marcel Holtmann, Martin Pitt,
        Michael Biebl, michaelolbrich, Michał Bartoszkiewicz, Michal Koutný,
        Michal Sekletar, Mike Frysinger, Mike Gilbert, Mingcong Bai, Ming Lin,
        mulkieran, muzena, Nalin Dahyabhai, Naohiro Aota, Nathan McSween,
        Nicolas Braud-Santoni, Patrik Flykt, Peter Hutterer, Peter Mattern,
        Petr Lautrbach, Petros Angelatos, Piotr Drąg, Rabin Vincent, Robert
        Węcławski, Ronny Chevalier, Samuel Tardieu, Stefan Saraev, Stefan
        Schallenberg aka nafets227, Steven Siloti, Susant Sahani, Sylvain
        Plantefève, Taylor Smock, Tejun Heo, Thomas Blume, Thomas Haller,
        Thomas H. P. Andersen, Tobias Klauser, Tom Gundersen, topimiettinen,
        Torstein Husebø, Umut Tezduyar Lindskog, Uwe Kleine-König, Victor Toso,
        Vinay Kulkarni, Vito Caputo, Vittorio G (VittGam), Vladimir Panteleev,
        Wieland Hoffmann, Wouter Verhelst, Yu Watanabe, Zbigniew
        Jędrzejewski-Szmek

        — Fairfax, 2016-05-21

CHANGES WITH 229:

        * The systemd-resolved DNS resolver service has gained a substantial
          set of new features, most prominently it may now act as a DNSSEC
          validating stub resolver. DNSSEC mode is currently turned off by
          default, but is expected to be turned on by default in one of the
          next releases. For now, we invite everybody to test the DNSSEC logic
          by setting DNSSEC=allow-downgrade in /etc/systemd/resolved.conf. The
          service also gained a full set of D-Bus interfaces, including calls
          to configure DNS and DNSSEC settings per link (for use by external
          network management software). systemd-resolved and systemd-networkd
          now distinguish between "search" and "routing" domains. The former
          are used to qualify single-label names, the latter are used purely
          for routing lookups within certain domains to specific links.
          resolved now also synthesizes RRs for all entries from /etc/hosts.

        * The systemd-resolve tool (which is a client utility for
          systemd-resolved) has been improved considerably and is now fully
          supported and documented. Hence it has moved from /usr/lib/systemd to
          /usr/bin.

        * /dev/disk/by-path/ symlink support has been (re-)added for virtio
          devices.

        * The coredump collection logic has been reworked: when a coredump is
          collected it is now written to disk, compressed and processed
          (including stacktrace extraction) from a new instantiated service
          systemd-coredump@.service, instead of directly from the
          /proc/sys/kernel/core_pattern hook we provide. This is beneficial as
          processing large coredumps can take up a substantial amount of
          resources and time, and this previously happened entirely outside of
          systemd's service supervision. With the new logic the core_pattern
          hook only does minimal metadata collection before passing off control
          to the new instantiated service, which is configured with a time
          limit, a nice level and other settings to minimize negative impact on
          the rest of the system. Also note that the new logic will honour the
          RLIMIT_CORE setting of the crashed process, which now allows users
          and processes to turn off coredumping for their processes by setting
          this limit.

        * The RLIMIT_CORE resource limit now defaults to "unlimited" for PID 1
          and all forked processes by default. Previously, PID 1 would leave
          the setting at "0" for all processes, as set by the kernel. Note that
          the resource limit traditionally has no effect on the generated
          coredumps on the system if the /proc/sys/kernel/core_pattern hook
          logic is used. Since the limit is now honoured (see above) its
          default has been changed so that the coredumping logic is enabled by
          default for all processes, while allowing specific opt-out.

        * When the stacktrace is extracted from processes of system users, this
          is now done as "systemd-coredump" user, in order to sandbox this
          potentially security sensitive parsing operation. (Note that when
          processing coredumps of normal users this is done under the user ID
          of process that crashed, as before.) Packagers should take notice
          that it is now necessary to create the "systemd-coredump" system user
          and group at package installation time.

        * The systemd-activate socket activation testing tool gained support
          for SOCK_DGRAM and SOCK_SEQPACKET sockets using the new --datagram
          and --seqpacket switches. It also has been extended to support both
          new-style and inetd-style file descriptor passing. Use the new
          --inetd switch to request inetd-style file descriptor passing.

        * Most systemd tools now honor a new $SYSTEMD_COLORS environment
          variable, which takes a boolean value. If set to false, ANSI color
          output is disabled in the tools even when run on a terminal that
          supports it.

        * The VXLAN support in networkd now supports two new settings
          DestinationPort= and PortRange=.

        * A new systemd.machine_id= kernel command line switch has been added,
          that may be used to set the machine ID in /etc/machine-id if it is
          not initialized yet. This command line option has no effect if the
          file is already initialized.

        * systemd-nspawn gained a new --as-pid2 switch that invokes any
          specified command line as PID 2 rather than PID 1 in the
          container. In this mode PID 1 is a minimal stub init process that
          implements the special POSIX and Linux semantics of PID 1 regarding
          signal and child process management. Note that this stub init process
          is implemented in nspawn itself and requires no support from the
          container image. This new logic is useful to support running
          arbitrary commands in the container, as normal processes are
          generally not prepared to run as PID 1.

        * systemd-nspawn gained a new --chdir= switch for setting the current
          working directory for the process started in the container.

        * "journalctl /dev/sda" will now output all kernel log messages for
          specified device from the current boot, in addition to all devices
          that are parents of it. This should make log output about devices
          pretty useful, as long as kernel drivers attach enough metadata to
          the log messages. (The usual SATA drivers do.)

        * The sd-journal API gained two new calls
          sd_journal_has_runtime_files() and sd_journal_has_persistent_files()
          that report whether log data from /run or /var has been found.

        * journalctl gained a new switch "--fields" that prints all journal
          record field names currently in use in the journal. This is backed
          by two new sd-journal API calls sd_journal_enumerate_fields() and
          sd_journal_restart_fields().

        * Most configurable timeouts in systemd now expect an argument of
          "infinity" to turn them off, instead of "0" as before. The semantics
          from now on is that a timeout of "0" means "now", and "infinity"
          means "never". To maintain backwards compatibility, "0" continues to
          turn off previously existing timeout settings.

        * "systemctl reload-or-try-restart" has been renamed to "systemctl
          try-reload-or-restart" to clarify what it actually does: the "try"
          logic applies to both reloading and restarting, not just restarting.
          The old name continues to be accepted for compatibility.

        * On boot-up, when PID 1 detects that the system clock is behind the
          release date of the systemd version in use, the clock is now set
          to the latter. Previously, this was already done in timesyncd, in order
          to avoid running with clocks set to the various clock epochs such as
          1902, 1938 or 1970. With this change the logic is now done in PID 1
          in addition to timesyncd during early boot-up, so that it is enforced
          before the first process is spawned by systemd. Note that the logic
          in timesyncd remains, as it is more comprehensive and ensures
          clock monotonicity by maintaining a persistent timestamp file in
          /var. Since /var is generally not available in earliest boot or the
          initrd, this part of the logic remains in timesyncd, and is not done
          by PID 1.

        * Support for tweaking details in net_cls.class_id through the
          NetClass= configuration directive has been removed, as the kernel
          people have decided to deprecate that controller in cgroup v2.
          Userspace tools such as nftables are moving over to setting rules
          that are specific to the full cgroup path of a task, which obsoletes
          these controllers anyway. The NetClass= directive is kept around for
          legacy compatibility reasons. For a more in-depth description of the
          kernel change, please refer to the respective upstream commit:

            https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bd1060a1d671

        * A new service setting RuntimeMaxSec= has been added that may be used
          to specify a maximum runtime for a service. If the timeout is hit, the
          service is terminated and put into a failure state.

        * A new service setting AmbientCapabilities= has been added. It allows
          configuration of additional Linux process capabilities that are
          passed to the activated processes. This is only available on very
          recent kernels.

        * The process resource limit settings in service units may now be used
          to configure hard and soft limits individually.

        * The various libsystemd APIs such as sd-bus or sd-event now publicly
          expose support for gcc's __attribute__((cleanup())) C extension.
          Specifically, for many object destructor functions alternative
          versions have been added that have names suffixed with "p" and take a
          pointer to a pointer to the object to destroy, instead of just a
          pointer to the object itself. This is useful because these destructor
          functions may be used directly as parameters to the cleanup
          construct. Internally, systemd has been a heavy user of this GCC
          extension for a long time, and with this change similar support is
          now available to consumers of the library outside of systemd. Note
          that by using this extension in your sources compatibility with old
          and strictly ANSI compatible C compilers is lost. However, all gcc or
          LLVM versions of recent years support this extension.

        * Timer units gained support for a new setting RandomizedDelaySec= that
          allows configuring some additional randomized delay to the configured
          time. This is useful to spread out timer events to avoid load peaks in
          clusters or larger setups.

        * Calendar time specifications now support sub-second accuracy.

        * Socket units now support listening on SCTP and UDP-lite protocol
          sockets.

        * The sd-event API now comes with a full set of man pages.

        * Older versions of systemd contained experimental support for
          compressing journal files and coredumps with the LZ4 compressor that
          was not compatible with the lz4 binary (due to API limitations of the
          lz4 library). This support has been removed; only support for files
          compatible with the lz4 binary remains. This LZ4 logic is now
          officially supported and no longer considered experimental.

        * The dkr image import logic has been removed again from importd. dkr's
          micro-services focus doesn't fit into the machine image focus of
          importd, and quickly got out of date with the upstream dkr API.

        * Creation of the /run/lock/lockdev/ directory was dropped from
          tmpfiles.d/legacy.conf. Better locking mechanisms like flock() have
          been available for many years. If you still need this, you need to
          create your own tmpfiles.d config file with:

                  d /run/lock/lockdev 0775 root lock -

        * The settings StartLimitBurst=, StartLimitInterval=, StartLimitAction=
          and RebootArgument= have been moved from the [Service] section of
          unit files to [Unit], and they are now supported on all unit types,
          not just service units. Of course, systemd will continue to
          understand these settings also at the old location, in order to
          maintain compatibility.

        Contributions from: Abdo Roig-Maranges, Alban Crequy, Aleksander
        Adamowski, Alexander Kuleshov, Andreas Pokorny, Andrei Borzenkov,
        Andrew Wilcox, Arthur Clement, Beniamino Galvani, Casey Schaufler,
        Chris Atkinson, Chris Mayo, Christian Hesse, Damjan Georgievski, Dan
        Dedrick, Daniele Medri, Daniel J Walsh, Daniel Korostil, Daniel Mack,
        David Herrmann, Dimitri John Ledkov, Dominik Hannen, Douglas Christman,
        Evgeny Vereshchagin, Filipe Brandenburger, Franck Bui, Gabor Kelemen,
        Harald Hoyer, Hayden Walles, Helmut Grohne, Henrik Kaare Poulsen,
        Hristo Venev, Hui Wang, Indrajit Raychaudhuri, Ismo Puustinen, Jakub
        Wilk, Jan Alexander Steffens (heftig), Jan Engelhardt, Jan Synacek,
        Joost Bremmer, Jorgen Schaefer, Karel Zak, Klearchos Chaloulos,
        lc85446, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas, Marcel
        Holtmann, Martin Pitt, Michael Biebl, Michael Olbrich, Michael Scherer,
        Michał Górny, Michal Sekletar, Nicolas Cornu, Nicolas Iooss, Nils
        Carlson, nmartensen, nnz1024, Patrick Ohly, Peter Hutterer, Phillip Sz,
        Ronny Chevalier, Samu Kallio, Shawn Landden, Stef Walter, Susant
        Sahani, Sylvain Plantefève, Tadej Janež, Thomas Hindoe Paaboel
        Andersen, Tom Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Vito
        Caputo, WaLyong Cho, Yu Watanabe, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2016-02-11

CHANGES WITH 228:

        * A number of properties previously only settable in unit
          files are now also available as properties to set when
          creating transient units programmatically via the bus, as it
          is exposed with systemd-run's --property=
          setting. Specifically, these are: SyslogIdentifier=,
          SyslogLevelPrefix=, TimerSlackNSec=, OOMScoreAdjust=,
          EnvironmentFile=, ReadWriteDirectories=,
          ReadOnlyDirectories=, InaccessibleDirectories=,
          ProtectSystem=, ProtectHome=, RuntimeDirectory=.

        * When creating transient services via the bus API it is now
          possible to pass in a set of file descriptors to use as
          STDIN/STDOUT/STDERR for the invoked process.

        * Slice units may now be created transiently via the bus APIs,
          similar to the way service and scope units may already be
          created transiently.

        * Wherever systemd expects a calendar timestamp specification
          (like in journalctl's --since= and --until= switches) UTC
          timestamps are now supported. Timestamps suffixed with "UTC"
          are now considered to be in Universal Time Coordinated
          instead of the local timezone. Also, timestamps may now
          optionally be specified with sub-second accuracy. Both of
          these additions also apply to recurring calendar event
          specification, such as OnCalendar= in timer units.

        * journalctl gained a new "--sync" switch that asks the
          journal daemon to write all so far unwritten log messages to
          disk and sync the files, before returning.

        * systemd-tmpfiles learned two new line types "q" and "Q" that
          operate like "v", but also set up a basic btrfs quota
          hierarchy when used on a btrfs file system with quota
          enabled.

        * tmpfiles' "v", "q" and "Q" will now create a plain directory
          instead of a subvolume (even on a btrfs file system) if the
          root directory is a plain directory, and not a
          subvolume. This should simplify things with certain chroot()
          environments which are not aware of the concept of btrfs
          subvolumes.

        * systemd-detect-virt gained a new --chroot switch to detect
          whether execution takes place in a chroot() environment.

        * CPUAffinity= now takes CPU index ranges in addition to
          individual indexes.

        * The various memory-related resource limit settings (such as
          LimitAS=) now understand the usual K, M, G, … suffixes to
          the base of 1024 (IEC). Similar, the time-related resource
          limit settings understand the usual min, h, day, … suffixes
          now.

        * There's a new system.conf setting DefaultTasksMax= to
          control the default TasksMax= setting for services and
          scopes running on the system. (TasksMax= is the primary
          setting that exposes the "pids" cgroup controller on systemd
          and was introduced in the previous systemd release.) The
          setting now defaults to 512, which means services that are
          not explicitly configured otherwise will only be able to
          create 512 processes or threads at maximum, from this
          version on. Note that this means that thread- or
          process-heavy services might need to be reconfigured to set
          TasksMax= to a higher value. It is sufficient to set
          TasksMax= in these specific unit files to a higher value, or
          even "infinity". Similar, there's now a logind.conf setting
          UserTasksMax= that defaults to 4096 and limits the total
          number of processes or tasks each user may own
          concurrently. nspawn containers also have the TasksMax=
          value set by default now, to 8192. Note that all of this
          only has an effect if the "pids" cgroup controller is
          enabled in the kernel. The general benefit of these changes
          should be a more robust and safer system, that provides a
          certain amount of per-service fork() bomb protection.

        * systemd-nspawn gained the new --network-veth-extra= switch
          to define additional and arbitrarily-named virtual Ethernet
          links between the host and the container.

        * A new service execution setting PassEnvironment= has been
          added that allows importing select environment variables
          from PID1's environment block into the environment block of
          the service.

        * Timer units gained support for a new RemainAfterElapse=
          setting which takes a boolean argument. It defaults to on,
          exposing behaviour unchanged to previous releases. If set to
          off, timer units are unloaded after they elapsed if they
          cannot elapse again. This is particularly useful for
          transient timer units, which shall not stay around longer
          than until they first elapse.

        * systemd will now bump the net.unix.max_dgram_qlen to 512 by
          default now (the kernel default is 16). This is beneficial
          for avoiding blocking on AF_UNIX/SOCK_DGRAM sockets since it
          allows substantially larger numbers of queued
          datagrams. This should increase the capability of systemd to
          parallelize boot-up, as logging and sd_notify() are unlikely
          to stall execution anymore. If you need to change the value
          from the new defaults, use the usual sysctl.d/ snippets.

        * The compression framing format used by the journal or
          coredump processing has changed to be in line with what the
          official LZ4 tools generate. LZ4 compression support in
          systemd was considered unsupported previously, as the format
          was not compatible with the normal tools. With this release
          this has changed now, and it is hence safe for downstream
          distributions to turn it on. While not compressing as well
          as the XZ, LZ4 is substantially faster, which makes
          it a good default choice for the compression logic in the
          journal and in coredump handling.

        * Any reference to /etc/mtab has been dropped from
          systemd. The file has been obsolete since a while, but
          systemd refused to work on systems where it was incorrectly
          set up (it should be a symlink or non-existent). Please make
          sure to update to util-linux 2.27.1 or newer in conjunction
          with this systemd release, which also drops any reference to
          /etc/mtab. If you maintain a distribution make sure that no
          software you package still references it, as this is a
          likely source of bugs. There's also a glibc bug pending,
          asking for removal of any reference to this obsolete file:

          https://sourceware.org/bugzilla/show_bug.cgi?id=19108

          Note that only util-linux versions built with
          --enable-libmount-force-mountinfo are supported.

        * Support for the ".snapshot" unit type has been removed. This
          feature turned out to be little useful and little used, and
          has now been removed from the core and from systemctl.

        * The dependency types RequiresOverridable= and
          RequisiteOverridable= have been removed from systemd. They
          have been used only very sparingly to our knowledge and
          other options that provide a similar effect (such as
          systemctl --mode=ignore-dependencies) are much more useful
          and commonly used. Moreover, they were only half-way
          implemented as the option to control behaviour regarding
          these dependencies was never added to systemctl. By removing
          these dependency types the execution engine becomes a bit
          simpler. Unit files that use these dependencies should be
          changed to use the non-Overridable dependency types
          instead. In fact, when parsing unit files with these
          options, that's what systemd will automatically convert them
          too, but it will also warn, asking users to fix the unit
          files accordingly. Removal of these dependency types should
          only affect a negligible number of unit files in the wild.

        * Behaviour of networkd's IPForward= option changed
          (again). It will no longer maintain a per-interface setting,
          but propagate one way from interfaces where this is enabled
          to the global kernel setting. The global setting will be
          enabled when requested by a network that is set up, but
          never be disabled again. This change was made to make sure
          IPv4 and IPv6 behaviour regarding packet forwarding is
          similar (as the Linux IPv6 stack does not support
          per-interface control of this setting) and to minimize
          surprises.

        * In unit files the behaviour of %u, %U, %h, %s has
          changed. These specifiers will now unconditionally resolve
          to the various user database fields of the user that the
          systemd instance is running as, instead of the user
          configured in the specific unit via User=. Note that this
          effectively doesn't change much, as resolving of these
          specifiers was already turned off in the --system instance
          of systemd, as we cannot do NSS lookups from PID 1. In the
          --user instance of systemd these specifiers where correctly
          resolved, but hardly made any sense, since the user instance
          lacks privileges to do user switches anyway, and User= is
          hence useless. Moreover, even in the --user instance of
          systemd behaviour was awkward as it would only take settings
          from User= assignment placed before the specifier into
          account. In order to unify and simplify the logic around
          this the specifiers will now always resolve to the
          credentials of the user invoking the manager (which in case
          of PID 1 is the root user).

        Contributions from: Andrew Jones, Beniamino Galvani, Boyuan
        Yang, Daniel Machon, Daniel Mack, David Herrmann, David
        Reynolds, David Strauss, Dongsu Park, Evgeny Vereshchagin,
        Felipe Sateler, Filipe Brandenburger, Franck Bui, Hristo
        Venev, Iago López Galeiras, Jan Engelhardt, Jan Janssen, Jan
        Synacek, Jesus Ornelas Aguayo, Karel Zak, kayrus, Kay Sievers,
        Lennart Poettering, Liu Yuan Yuan, Mantas Mikulėnas, Marcel
        Holtmann, Marcin Bachry, Marcos Alano, Marcos Mello, Mark
        Theunissen, Martin Pitt, Michael Marineau, Michael Olbrich,
        Michal Schmidt, Michal Sekletar, Mirco Tischler, Nick Owens,
        Nicolas Cornu, Patrik Flykt, Peter Hutterer, reverendhomer,
        Ronny Chevalier, Sangjung Woo, Seong-ho Cho, Shawn Landden,
        Susant Sahani, Thomas Haller, Thomas Hindoe Paaboel Andersen,
        Tom Gundersen, Torstein Husebø, Vito Caputo, Zbigniew
        Jędrzejewski-Szmek

        — Berlin, 2015-11-18

CHANGES WITH 227:

        * systemd now depends on util-linux v2.27. More specifically,
          the newly added mount monitor feature in libmount now
          replaces systemd's former own implementation.

        * libmount mandates /etc/mtab not to be regular file, and
          systemd now enforces this condition at early boot.
          /etc/mtab has been deprecated and warned about for a very
          long time, so systems running systemd should already have
          stopped having this file around as anything else than a
          symlink to /proc/self/mounts.

        * Support for the "pids" cgroup controller has been added. It
          allows accounting the number of tasks in a cgroup and
          enforcing limits on it. This adds two new setting
          TasksAccounting= and TasksMax= to each unit, as well as a
          global option DefaultTasksAccounting=.

        * Support for the "net_cls" cgroup controller has been added.
          It allows assigning a net class ID to each task in the
          cgroup, which can then be used in firewall rules and traffic
          shaping configurations. Note that the kernel netfilter net
          class code does not currently work reliably for ingress
          packets on unestablished sockets.

          This adds a new config directive called NetClass= to CGroup
          enabled units. Allowed values are positive numbers for fixed
          assignments and "auto" for picking a free value
          automatically.

        * 'systemctl is-system-running' now returns 'offline' if the
          system is not booted with systemd. This command can now be
          used as a substitute for 'systemd-notify --booted'.

        * Watchdog timeouts have been increased to 3 minutes for all
          in-tree service files. Apparently, disk IO issues are more
          frequent than we hoped, and user reported >1 minute waiting
          for disk IO.

        * 'machine-id-commit' functionality has been merged into
          'machine-id-setup --commit'. The separate binary has been
          removed.

        * The WorkingDirectory= directive in unit files may now be set
          to the special value '~'. In this case, the working
          directory is set to the home directory of the user
          configured in User=.

        * "machinectl shell" will now open the shell in the home
          directory of the selected user by default.

        * The CrashChVT= configuration file setting is renamed to
          CrashChangeVT=, following our usual logic of not
          abbreviating unnecessarily. The old directive is still
          supported for compat reasons. Also, this directive now takes
          an integer value between 1 and 63, or a boolean value. The
          formerly supported '-1' value for disabling stays around for
          compat reasons.

        * The PrivateTmp=, PrivateDevices=, PrivateNetwork=,
          NoNewPrivileges=, TTYPath=, WorkingDirectory= and
          RootDirectory= properties can now be set for transient
          units.

        * The systemd-analyze tool gained a new "set-log-target" verb
          to change the logging target the system manager logs to
          dynamically during runtime. This is similar to how
          "systemd-analyze set-log-level" already changes the log
          level.

        * In nspawn /sys is now mounted as tmpfs, with only a selected
          set of subdirectories mounted in from the real sysfs. This
          enhances security slightly, and is useful for ensuring user
          namespaces work correctly.

        * Support for USB FunctionFS activation has been added. This
          allows implementation of USB gadget services that are
          activated as soon as they are requested, so that they don't
          have to run continuously, similar to classic socket
          activation.

        * The "systemctl exit" command now optionally takes an
          additional parameter that sets the exit code to return from
          the systemd manager when exiting. This is only relevant when
          running the systemd user instance, or when running the
          system instance in a container.

        * sd-bus gained the new API calls sd_bus_path_encode_many()
          and sd_bus_path_decode_many() that allow easy encoding and
          decoding of multiple identifier strings inside a D-Bus
          object path. Another new call sd_bus_default_flush_close()
          has been added to flush and close per-thread default
          connections.

        * systemd-cgtop gained support for a -M/--machine= switch to
          show the control groups within a certain container only.

        * "systemctl kill" gained support for an optional --fail
          switch. If specified the requested operation will fail of no
          processes have been killed, because the unit had no
          processes attached, or similar.

        * A new systemd.crash_reboot=1 kernel command line option has
          been added that triggers a reboot after crashing. This can
          also be set through CrashReboot= in systemd.conf.

        * The RuntimeDirectory= setting now understands unit
          specifiers like %i or %f.

        * A new (still internal) library API sd-ipv4acd has been added,
          that implements address conflict detection for IPv4. It's
          based on code from sd-ipv4ll, and will be useful for
          detecting DHCP address conflicts.

        * File descriptors passed during socket activation may now be
          named. A new API sd_listen_fds_with_names() is added to
          access the names. The default names may be overridden,
          either in the .socket file using the FileDescriptorName=
          parameter, or by passing FDNAME= when storing the file
          descriptors using sd_notify().

        * systemd-networkd gained support for:

            - Setting the IPv6 Router Advertisement settings via
              IPv6AcceptRouterAdvertisements= in .network files.

            - Configuring the HelloTimeSec=, MaxAgeSec= and
              ForwardDelaySec= bridge parameters in .netdev files.

            - Configuring PreferredSource= for static routes in
              .network files.

        * The "ask-password" framework used to query for LUKS harddisk
          passwords or SSL passwords during boot gained support for
          caching passwords in the kernel keyring, if it is
          available. This makes sure that the user only has to type in
          a passphrase once if there are multiple objects to unlock
          with the same one. Previously, such password caching was
          available only when Plymouth was used; this moves the
          caching logic into the systemd codebase itself. The
          "systemd-ask-password" utility gained a new --keyname=
          switch to control which kernel keyring key to use for
          caching a password in. This functionality is also useful for
          enabling display managers such as gdm to automatically
          unlock the user's GNOME keyring if its passphrase, the
          user's password and the harddisk password are the same, if
          gdm-autologin is used.

        * When downloading tar or raw images using "machinectl
          pull-tar" or "machinectl pull-raw", a matching ".nspawn"
          file is now also downloaded, if it is available and stored
          next to the image file.

        * Units of type ".socket" gained a new boolean setting
          Writable= which is only useful in conjunction with
          ListenSpecial=. If true, enables opening the specified
          special file in O_RDWR mode rather than O_RDONLY mode.

        * systemd-rfkill has been reworked to become a singleton
          service that is activated through /dev/rfkill on each rfkill
          state change and saves the settings to disk. This way,
          systemd-rfkill is now compatible with devices that exist
          only intermittendly, and even restores state if the previous
          system shutdown was abrupt rather than clean.

        * The journal daemon gained support for vacuuming old journal
          files controlled by the number of files that shall remain,
          in addition to the already existing control by size and by
          date. This is useful as journal interleaving performance
          degrades with too many separate journal files, and allows
          putting an effective limit on them. The new setting defaults
          to 100, but this may be changed by setting SystemMaxFiles=
          and RuntimeMaxFiles= in journald.conf. Also, the
          "journalctl" tool gained the new --vacuum-files= switch to
          manually vacuum journal files to leave only the specified
          number of files in place.

        * udev will now create /dev/disk/by-path links for ATA devices
          on kernels where that is supported.

        * Galician, Serbian, Turkish and Korean translations were added.

        Contributions from: Aaro Koskinen, Alban Crequy, Beniamino
        Galvani, Benjamin Robin, Branislav Blaskovic, Chen-Han Hsiao
        (Stanley), Daniel Buch, Daniel Machon, Daniel Mack, David
        Herrmann, David Milburn, doubleodoug, Evgeny Vereshchagin,
        Felipe Franciosi, Filipe Brandenburger, Fran Dieguez, Gabriel
        de Perthuis, Georg Müller, Hans de Goede, Hendrik Brueckner,
        Ivan Shapovalov, Jacob Keller, Jan Engelhardt, Jan Janssen,
        Jan Synacek, Jens Kuske, Karel Zak, Kay Sievers, Krzesimir
        Nowak, Krzysztof Kotlenga, Lars Uebernickel, Lennart
        Poettering, Lukas Nykryn, Łukasz Stelmach, Maciej Wereski,
        Marcel Holtmann, Marius Thesing, Martin Pitt, Michael Biebl,
        Michael Gebetsroither, Michal Schmidt, Michal Sekletar, Mike
        Gilbert, Muhammet Kara, nazgul77, Nicolas Cornu, NoXPhasma,
        Olof Johansson, Patrik Flykt, Pawel Szewczyk, reverendhomer,
        Ronny Chevalier, Sangjung Woo, Seong-ho Cho, Susant Sahani,
        Sylvain Plantefève, Thomas Haller, Thomas Hindoe Paaboel
        Andersen, Tom Gundersen, Tom Lyon, Viktar Vauchkevich,
        Zbigniew Jędrzejewski-Szmek, Марко М. Костић

        — Berlin, 2015-10-07

CHANGES WITH 226:

        * The DHCP implementation of systemd-networkd gained a set of
          new features:

          - The DHCP server now supports emitting DNS and NTP
            information. It may be enabled and configured via
            EmitDNS=, DNS=, EmitNTP=, and NTP=. If transmission of DNS
            and NTP information is enabled, but no servers are
            configured, the corresponding uplink information (if there
            is any) is propagated.

          - Server and client now support transmission and reception
            of timezone information. It can be configured via the
            newly introduced network options UseTimezone=,
            EmitTimezone=, and Timezone=. Transmission of timezone
            information is enabled between host and containers by
            default now: the container will change its local timezone
            to what the host has set.

          - Lease timeouts can now be configured via
            MaxLeaseTimeSec= and DefaultLeaseTimeSec=.

          - The DHCP server improved on the stability of
            leases. Clients are more likely to get the same lease
            information back, even if the server loses state.

          - The DHCP server supports two new configuration options to
            control the lease address pool metrics, PoolOffset= and
            PoolSize=.

        * The encapsulation limit of tunnels in systemd-networkd may
          now be configured via 'EncapsulationLimit='. It allows
          modifying the maximum additional levels of encapsulation
          that are permitted to be prepended to a packet.

        * systemd now supports the concept of user buses replacing
          session buses, if used with dbus-1.10 (and enabled via dbus
          --enable-user-session). It previously only supported this on
          kdbus-enabled systems, and this release expands this to
          'dbus-daemon' systems.

        * systemd-networkd now supports predictable interface names
          for virtio devices.

        * systemd now optionally supports the new Linux kernel
          "unified" control group hierarchy. If enabled via the kernel
          command-line option 'systemd.unified_cgroup_hierarchy=1',
          systemd will try to mount the unified cgroup hierarchy
          directly on /sys/fs/cgroup. If not enabled, or not
          available, systemd will fall back to the legacy cgroup
          hierarchy setup, as before. Host system and containers can
          mix and match legacy and unified hierarchies as they
          wish. nspawn understands the $UNIFIED_CGROUP_HIERARCHY
          environment variable to individually select the hierarchy to
          use for executed containers. By default, nspawn will use the
          unified hierarchy for the containers if the host uses the
          unified hierarchy, and the legacy hierarchy otherwise.
          Please note that at this point the unified hierarchy is an
          experimental kernel feature and is likely to change in one
          of the next kernel releases. Therefore, it should not be
          enabled by default in downstream distributions yet. The
          minimum required kernel version for the unified hierarchy to
          work is 4.2. Note that when the unified hierarchy is used
          for the first time delegated access to controllers is
          safe. Because of this systemd-nspawn containers will get
          access to controllers now, as will systemd user
          sessions. This means containers and user sessions may now
          manage their own resources, partitioning up what the system
          grants them.

        * A new special scope unit "init.scope" has been introduced
          that encapsulates PID 1 of the system. It may be used to
          determine resource usage and enforce resource limits on PID
          1 itself. PID 1 hence moved out of the root of the control
          group tree.

        * The cgtop tool gained support for filtering out kernel
          threads when counting tasks in a control group. Also, the
          count of processes is now recursively summed up by
          default. Two options -k and --recursive= have been added to
          revert to old behaviour. The tool has also been updated to
          work correctly in containers now.

        * systemd-nspawn's --bind= and --bind-ro= options have been
          extended to allow creation of non-recursive bind mounts.

        * libsystemd gained two new calls sd_pid_get_cgroup() and
          sd_peer_get_cgroup() which return the control group path of
          a process or peer of a connected AF_UNIX socket. This
          function call is particularly useful when implementing
          delegated subtrees support in the control group hierarchy.

        * The "sd-event" event loop API of libsystemd now supports
          correct dequeuing of real-time signals, without losing
          signal events.

        * When systemd requests a polkit decision when managing units it
          will now add additional fields to the request, including unit
          name and desired operation. This enables more powerful polkit
          policies, that make decisions depending on these parameters.

        * nspawn learnt support for .nspawn settings files, that may
          accompany the image files or directories of containers, and
          may contain additional settings for the container. This is
          an alternative to configuring container parameters via the
          nspawn command line.

        Contributions from: Cristian Rodríguez, Daniel Mack, David
        Herrmann, Eugene Yakubovich, Evgeny Vereshchagin, Filipe
        Brandenburger, Hans de Goede, Jan Alexander Steffens, Jan
        Synacek, Kay Sievers, Lennart Poettering, Mangix, Marcel
        Holtmann, Martin Pitt, Michael Biebl, Michael Chapman, Michal
        Sekletar, Peter Hutterer, Piotr Drąg, reverendhomer, Robin
        Hack, Susant Sahani, Sylvain Pasche, Thomas Hindoe Paaboel
        Andersen, Tom Gundersen, Torstein Husebø

        — Berlin, 2015-09-08

CHANGES WITH 225:

        * machinectl gained a new verb 'shell' which opens a fresh
          shell on the target container or the host. It is similar to
          the existing 'login' command of machinectl, but spawns the
          shell directly without prompting for username or
          password. The pseudo machine '.host' now refers to the local
          host and is used by default. Hence, 'machinectl shell' can
          be used as replacement for 'su -' which spawns a session as
          a fresh systemd unit in a way that is fully isolated from
          the originating session.

        * systemd-networkd learned to cope with private-zone DHCP
          options and allows other programs to query the values.

        * SELinux access control when enabling/disabling units is no
          longer enforced with this release. The previous implementation
          was incorrect, and a new corrected implementation is not yet
          available. As unit file operations are still protected via
          polkit and D-Bus policy this is not a security problem. Yet,
          distributions which care about optimal SELinux support should
          probably not stabilize on this release.

        * sd-bus gained support for matches of type "arg0has=", that
          test for membership of strings in string arrays sent in bus
          messages.

        * systemd-resolved now dumps the contents of its DNS and LLMNR
          caches to the logs on reception of the SIGUSR1 signal. This
          is useful to debug DNS behaviour.

        * The coredumpctl tool gained a new --directory= option to
          operate on journal files in a specific directory.

        * "systemctl reboot" and related commands gained a new
          "--message=" option which may be used to set a free-text
          wall message when shutting down or rebooting the
          system. This message is also logged, which is useful for
          figuring out the reason for a reboot or shutdown a
          posteriori.

        * The "systemd-resolve-host" tool's -i switch now takes
          network interface numbers as alternative to interface names.

        * A new unit file setting for services has been introduced:
          UtmpMode= allows configuration of how precisely systemd
          handles utmp and wtmp entries for the service if this is
          enabled. This allows writing services that appear similar to
          user sessions in the output of the "w", "who", "last" and
          "lastlog" tools.

        * systemd-resolved will now locally synthesize DNS resource
          records for the "localhost" and "gateway" domains as well as
          the local hostname. This should ensure that clients querying
          RRs via resolved will get similar results as those going via
          NSS, if nss-myhostname is enabled.

        Contributions from: Alastair Hughes, Alex Crawford, Daniel
        Mack, David Herrmann, Dimitri John Ledkov, Eric Kostrowski,
        Evgeny Vereshchagin, Felipe Sateler, HATAYAMA Daisuke, Jan
        Pokorný, Jan Synacek, Johnny Robeson, Karel Zak, Kay Sievers,
        Kefeng Wang, Lennart Poettering, Major Hayden, Marcel
        Holtmann, Markus Elfring, Martin Mikkelsen, Martin Pitt, Matt
        Turner, Maxim Mikityanskiy, Michael Biebl, Namhyung Kim,
        Nicolas Cornu, Owen W. Taylor, Patrik Flykt, Peter Hutterer,
        reverendhomer, Richard Maw, Ronny Chevalier, Seth Jennings,
        Stef Walter, Susant Sahani, Thomas Blume, Thomas Hindoe
        Paaboel Andersen, Thomas Meyer, Tom Gundersen, Vincent Batts,
        WaLyong Cho, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2015-08-27

CHANGES WITH 224:

        * The systemd-efi-boot-generator functionality was merged into
          systemd-gpt-auto-generator.

        * systemd-networkd now supports Group Policy for vxlan
          devices. It can be enabled via the new boolean configuration
          option called 'GroupPolicyExtension='.

        Contributions from: Andreas Kempf, Christian Hesse, Daniel Mack, David
        Herrmann, Herman Fries, Johannes Nixdorf, Kay Sievers, Lennart
        Poettering, Peter Hutterer, Susant Sahani, Tom Gundersen

        — Berlin, 2015-07-31

CHANGES WITH 223:

        * The python-systemd code has been removed from the systemd repository.
          A new repository has been created which accommodates the code from
          now on, and we kindly ask distributions to create a separate package
          for this: https://github.com/systemd/python-systemd

        * The systemd daemon will now reload its main configuration
          (/etc/systemd/system.conf) on daemon-reload.

        * sd-dhcp now exposes vendor specific extensions via
          sd_dhcp_lease_get_vendor_specific().

        * systemd-networkd gained a number of new configuration options.

          - A new boolean configuration option for TAP devices called
            'VNetHeader='. If set, the IFF_VNET_HDR flag is set for the
            device, thus allowing to send and receive GSO packets.

          - A new tunnel configuration option called 'CopyDSCP='.
            If enabled, the DSCP field of ip6 tunnels is copied into the
            decapsulated packet.

          - A set of boolean bridge configuration options were added.
            'UseBPDU=', 'HairPin=', 'FastLeave=', 'AllowPortToBeRoot=',
            and 'UnicastFlood=' are now parsed by networkd and applied to the
            respective bridge link device via the respective IFLA_BRPORT_*
            netlink attribute.

          - A new string configuration option to override the hostname sent
            to a DHCP server, called 'Hostname='. If set and 'SendHostname='
            is true, networkd will use the configured hostname instead of the
            system hostname when sending DHCP requests.

          - A new tunnel configuration option called 'IPv6FlowLabel='. If set,
            networkd will configure the IPv6 flow-label of the tunnel device
            according to RFC2460.

          - The 'macvtap' virtual network devices are now supported, similar to
            the already supported 'macvlan' devices.

        * systemd-resolved now implements RFC5452 to improve resilience against
          cache poisoning. Additionally, source port randomization is enabled
          by default to further protect against DNS spoofing attacks.

        * nss-mymachines now supports translating UIDs and GIDs of running
          containers with user-namespaces enabled. If a container 'foo'
          translates a host uid 'UID' to the container uid 'TUID', then
          nss-mymachines will also map uid 'UID' to/from username 'vu-foo-TUID'
          (with 'foo' and 'TUID' replaced accordingly). Similarly, groups are
          mapped as 'vg-foo-TGID'.

        Contributions from: Beniamino Galvani, cee1, Christian Hesse, Daniel
        Buch, Daniel Mack, daurnimator, David Herrmann, Dimitri John Ledkov,
        HATAYAMA Daisuke, Ivan Shapovalov, Jan Alexander Steffens (heftig),
        Johan Ouwerkerk, Jose Carlos Venegas Munoz, Karel Zak, Kay Sievers,
        Lennart Poettering, Lidong Zhong, Martin Pitt, Michael Biebl, Michael
        Olbrich, Michal Schmidt, Michal Sekletar, Mike Gilbert, Namhyung Kim,
        Nick Owens, Peter Hutterer, Richard Maw, Steven Allen, Sungbae Yoo,
        Susant Sahani, Thomas Blume, Thomas Hindoe Paaboel Andersen, Tom
        Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Vito Caputo,
        Vivenzio Pagliari, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2015-07-29

CHANGES WITH 222:

        * udev does not longer support the WAIT_FOR_SYSFS= key in udev rules.
          There are no known issues with current sysfs, and udev does not need
          or should be used to work around such bugs.

        * udev does no longer enable USB HID power management. Several reports
          indicate, that some devices cannot handle that setting.

        * The udev accelerometer helper was removed. The functionality
          is now fully included in iio-sensor-proxy. But this means,
          older iio-sensor-proxy versions will no longer provide
          accelerometer/orientation data with this systemd version.
          Please upgrade iio-sensor-proxy to version 1.0.

        * networkd gained a new configuration option IPv6PrivacyExtensions=
          which enables IPv6 privacy extensions (RFC 4941, "Privacy Extensions
          for Stateless Address") on selected networks.

        * For the sake of fewer build-time dependencies and less code in the
          main repository, the python bindings are about to be removed in the
          next release. A new repository has been created which accommodates
          the code from now on, and we kindly ask distributions to create a
          separate package for this. The removal will take place in v223.

            https://github.com/systemd/python-systemd

        Contributions from: Abdo Roig-Maranges, Andrew Eikum, Bastien Nocera,
        Cédric Delmas, Christian Hesse, Christos Trochalakis, Daniel Mack,
        daurnimator, David Herrmann, Dimitri John Ledkov, Eric Biggers, Eric
        Cook, Felipe Sateler, Geert Jansen, Gerd Hoffmann, Gianpaolo Macario,
        Greg Kroah-Hartman, Iago López Galeiras, Jan Alexander Steffens
        (heftig), Jan Engelhardt, Jay Strict, Kay Sievers, Lennart Poettering,
        Markus Knetschke, Martin Pitt, Michael Biebl, Michael Marineau, Michal
        Sekletar, Miguel Bernal Marin, Peter Hutterer, Richard Maw, rinrinne,
        Susant Sahani, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein
        Husebø, Vedran Miletić, WaLyong Cho, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2015-07-07

CHANGES WITH 221:

        * The sd-bus.h and sd-event.h APIs have now been declared
          stable and have been added to the official interface of
          libsystemd.so. sd-bus implements an alternative D-Bus client
          library, that is relatively easy to use, very efficient and
          supports both classic D-Bus as well as kdbus as transport
          backend. sd-event is a generic event loop abstraction that
          is built around Linux epoll, but adds features such as event
          prioritization or efficient timer handling. Both APIs are good
          choices for C programs looking for a bus and/or event loop
          implementation that is minimal and does not have to be
          portable to other kernels.

        * kdbus support is no longer compile-time optional. It is now
          always built-in. However, it can still be disabled at
          runtime using the kdbus=0 kernel command line setting, and
          that setting may be changed to default to off, by specifying
          --disable-kdbus at build-time. Note though that the kernel
          command line setting has no effect if the kdbus.ko kernel
          module is not installed, in which case kdbus is (obviously)
          also disabled. We encourage all downstream distributions to
          begin testing kdbus by adding it to the kernel images in the
          development distributions, and leaving kdbus support in
          systemd enabled.

        * The minimal required util-linux version has been bumped to
          2.26.

        * Support for chkconfig (--enable-chkconfig) was removed in
          favor of calling an abstraction tool
          /lib/systemd/systemd-sysv-install. This needs to be
          implemented for your distribution. See "SYSV INIT.D SCRIPTS"
          in README for details.

        * If there's a systemd unit and a SysV init script for the
          same service name, and the user executes "systemctl enable"
          for it (or a related call), then this will now enable both
          (or execute the related operation on both), not just the
          unit.

        * The libudev API documentation has been converted from gtkdoc
          into man pages.

        * gudev has been removed from the systemd tree, it is now an
          external project.

        * The systemd-cgtop tool learnt a new --raw switch to generate
          "raw" (machine parsable) output.

        * networkd's IPForwarding= .network file setting learnt the
          new setting "kernel", which ensures that networkd does not
          change the IP forwarding sysctl from the default kernel
          state.

        * The systemd-logind bus API now exposes a new boolean
          property "Docked" that reports whether logind considers the
          system "docked", i.e. connected to a docking station or not.

        Contributions from: Alex Crawford, Andreas Pokorny, Andrei
        Borzenkov, Charles Duffy, Colin Guthrie, Cristian Rodríguez,
        Daniele Medri, Daniel Hahler, Daniel Mack, David Herrmann,
        David Mohr, Dimitri John Ledkov, Djalal Harouni, dslul, Ed
        Swierk, Eric Cook, Filipe Brandenburger, Gianpaolo Macario,
        Harald Hoyer, Iago López Galeiras, Igor Vuk, Jan Synacek,
        Jason Pleau, Jason S. McMullan, Jean Delvare, Jeff Huang,
        Jonathan Boulle, Karel Zak, Kay Sievers, kloun, Lennart
        Poettering, Marc-Antoine Perennou, Marcel Holtmann, Mario
        Limonciello, Martin Pitt, Michael Biebl, Michael Olbrich,
        Michal Schmidt, Mike Gilbert, Nick Owens, Pablo Lezaeta Reyes,
        Patrick Donnelly, Pavel Odvody, Peter Hutterer, Philip
        Withnall, Ronny Chevalier, Simon McVittie, Susant Sahani,
        Thomas Hindoe Paaboel Andersen, Tom Gundersen, Torstein
        Husebø, Umut Tezduyar Lindskog, Viktar Vauchkevich, Werner
        Fink, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2015-06-19

CHANGES WITH 220:

        * The gudev library has been extracted into a separate repository
          available at: https://git.gnome.org/browse/libgudev/
          It is now managed as part of the Gnome project. Distributions
          are recommended to pass --disable-gudev to systemd and use
          gudev from the Gnome project instead. gudev is still included
          in systemd, for now. It will be removed soon, though. Please
          also see the announcement-thread on systemd-devel:
          https://lists.freedesktop.org/archives/systemd-devel/2015-May/032070.html

        * systemd now exposes a CPUUsageNSec= property for each
          service unit on the bus, that contains the overall consumed
          CPU time of a service (the sum of what each process of the
          service consumed). This value is only available if
          CPUAccounting= is turned on for a service, and is then shown
          in the "systemctl status" output.

        * Support for configuring alternative mappings of the old SysV
          runlevels to systemd targets has been removed. They are now
          hardcoded in a way that runlevels 2, 3, 4 all map to
          multi-user.target and 5 to graphical.target (which
          previously was already the default behaviour).

        * The auto-mounter logic gained support for mount point
          expiry, using a new TimeoutIdleSec= setting in .automount
          units. (Also available as x-systemd.idle-timeout= in /etc/fstab).

        * The EFI System Partition (ESP) as mounted to /boot by
          systemd-efi-boot-generator will now be unmounted
          automatically after 2 minutes of not being used. This should
          minimize the risk of ESP corruptions.

        * New /etc/fstab options x-systemd.requires= and
          x-systemd.requires-mounts-for= are now supported to express
          additional dependencies for mounts. This is useful for
          journaling file systems that support external journal
          devices or overlay file systems that require underlying file
          systems to be mounted.

        * systemd does not support direct live-upgrades (via systemctl
          daemon-reexec) from versions older than v44 anymore. As no
          distribution we are aware of shipped such old versions in a
          stable release this should not be problematic.

        * When systemd forks off a new per-connection service instance
          it will now set the $REMOTE_ADDR environment variable to the
          remote IP address, and $REMOTE_PORT environment variable to
          the remote IP port. This behaviour is similar to the
          corresponding environment variables defined by CGI.

        * systemd-networkd gained support for uplink failure
          detection. The BindCarrier= option allows binding interface
          configuration dynamically to the link sense of other
          interfaces. This is useful to achieve behaviour like in
          network switches.

        * systemd-networkd gained support for configuring the DHCP
          client identifier to use when requesting leases.

        * systemd-networkd now has a per-network UseNTP= option to
          configure whether NTP server information acquired via DHCP
          is passed on to services like systemd-timesyncd.

        * systemd-networkd gained support for vti6 tunnels.

        * Note that systemd-networkd manages the sysctl variable
          /proc/sys/net/ipv[46]/conf/*/forwarding for each interface
          it is configured for since v219. The variable controls IP
          forwarding, and is a per-interface alternative to the global
          /proc/sys/net/ipv[46]/ip_forward. This setting is
          configurable in the IPForward= option, which defaults to
          "no". This means if networkd is used for an interface it is
          no longer sufficient to set the global sysctl option to turn
          on IP forwarding! Instead, the .network file option
          IPForward= needs to be turned on! Note that the
          implementation of this behaviour was broken in v219 and has
          been fixed in v220.

        * Many bonding and vxlan options are now configurable in
          systemd-networkd.

        * systemd-nspawn gained a new --property= setting to set unit
          properties for the container scope. This is useful for
          setting resource parameters (e.g. "CPUShares=500") on
          containers started from the command line.

        * systemd-nspawn gained a new --private-users= switch to make
          use of user namespacing available on recent Linux kernels.

        * systemd-nspawn may now be called as part of a shell pipeline
          in which case the pipes used for stdin and stdout are passed
          directly to the process invoked in the container, without
          indirection via a pseudo tty.

        * systemd-nspawn gained a new switch to control the UNIX
          signal to use when killing the init process of the container
          when shutting down.

        * systemd-nspawn gained a new --overlay= switch for mounting
          overlay file systems into the container using the new kernel
          overlayfs support.

        * When a container image is imported via systemd-importd and
          the host file system is not btrfs, a loopback block device
          file is created in /var/lib/machines.raw with a btrfs file
          system inside. It is then mounted to /var/lib/machines to
          enable btrfs features for container management. The loopback
          file and btrfs file system is grown as needed when container
          images are imported via systemd-importd.

        * systemd-machined/systemd-importd gained support for btrfs
          quota, to enforce container disk space limits on disk. This
          is exposed in "machinectl set-limit".

        * systemd-importd now can import containers from local .tar,
          .raw and .qcow2 images, and export them to .tar and .raw. It
          can also import dkr v2 images now from the network (on top
          of v1 as before).

        * systemd-importd gained support for verifying downloaded
          images with gpg2 (previously only gpg1 was supported).

        * systemd-machined, systemd-logind, systemd: most bus calls are
          now accessible to unprivileged processes via polkit. Also,
          systemd-logind will now allow users to kill their own sessions
          without further privileges or authorization.

        * systemd-shutdownd has been removed. This service was
          previously responsible for implementing scheduled shutdowns
          as exposed in /usr/bin/shutdown's time parameter. This
          functionality has now been moved into systemd-logind and is
          accessible via a bus interface.

        * "systemctl reboot" gained a new switch --firmware-setup that
          can be used to reboot into the EFI firmware setup, if that
          is available. systemd-logind now exposes an API on the bus
          to trigger such reboots, in case graphical desktop UIs want
          to cover this functionality.

        * "systemctl enable", "systemctl disable" and "systemctl mask"
          now support a new "--now" switch. If specified the units
          that are enabled will also be started, and the ones
          disabled/masked also stopped.

        * The Gummiboot EFI boot loader tool has been merged into
          systemd, and renamed to "systemd-boot". The bootctl tool has been
          updated to support systemd-boot.

        * An EFI kernel stub has been added that may be used to create
          kernel EFI binaries that contain not only the actual kernel,
          but also an initrd, boot splash, command line and OS release
          information. This combined binary can then be signed as a
          single image, so that the firmware can verify it all in one
          step. systemd-boot has special support for EFI binaries created
          like this and can extract OS release information from them
          and show them in the boot menu. This functionality is useful
          to implement cryptographically verified boot schemes.

        * Optional support has been added to systemd-fsck to pass
          fsck's progress report to an AF_UNIX socket in the file
          system.

        * udev will no longer create device symlinks for all block devices by
          default. A deny list for excluding special block devices from this
          logic has been turned into an allow list that requires picking block
          devices explicitly that require device symlinks.

        * A new (currently still internal) API sd-device.h has been
          added to libsystemd. This modernized API is supposed to
          replace libudev eventually. In fact, already much of libudev
          is now just a wrapper around sd-device.h.

        * A new hwdb database for storing metadata about pointing
          stick devices has been added.

        * systemd-tmpfiles gained support for setting file attributes
          similar to the "chattr" tool with new 'h' and 'H' lines.

        * systemd-journald will no longer unconditionally set the
          btrfs NOCOW flag on new journal files. This is instead done
          with tmpfiles snippet using the new 'h' line type. This
          allows easy disabling of this logic, by masking the
          journal-nocow.conf tmpfiles file.

        * systemd-journald will now translate audit message types to
          human-readable identifiers when writing them to the
          journal. This should improve readability of audit messages.

        * The LUKS logic gained support for the offset= and skip=
          options in /etc/crypttab, as previously implemented by
          Debian.

        * /usr/lib/os-release gained a new optional field VARIANT= for
          distributions that support multiple variants (such as a
          desktop edition, a server edition, …)

        Contributions from: Aaro Koskinen, Adam Goode, Alban Crequy,
        Alberto Fanjul Alonso, Alexander Sverdlin, Alex Puchades, Alin
        Rauta, Alison Chaiken, Andrew Jones, Arend van Spriel,
        Benedikt Morbach, Benjamin Franzke, Benjamin Tissoires, Blaž
        Tomažič, Chris Morgan, Chris Morin, Colin Walters, Cristian
        Rodríguez, Daniel Buch, Daniel Drake, Daniele Medri, Daniel
        Mack, Daniel Mustieles, daurnimator, Davide Bettio, David
        Herrmann, David Strauss, Didier Roche, Dimitri John Ledkov,
        Eric Cook, Gavin Li, Goffredo Baroncelli, Hannes Reinecke,
        Hans de Goede, Hans-Peter Deifel, Harald Hoyer, Iago López
        Galeiras, Ivan Shapovalov, Jan Engelhardt, Jan Janssen, Jan
        Pazdziora, Jan Synacek, Jasper St. Pierre, Jay Faulkner, John
        Paul Adrian Glaubitz, Jonathon Gilbert, Karel Zak, Kay
        Sievers, Koen Kooi, Lennart Poettering, Lubomir Rintel, Lucas
        De Marchi, Lukas Nykryn, Lukas Rusak, Lukasz Skalski, Łukasz
        Stelmach, Mantas Mikulėnas, Marc-Antoine Perennou, Marcel
        Holtmann, Martin Pitt, Mathieu Chevrier, Matthew Garrett,
        Michael Biebl, Michael Marineau, Michael Olbrich, Michal
        Schmidt, Michal Sekletar, Mirco Tischler, Nir Soffer, Patrik
        Flykt, Pavel Odvody, Peter Hutterer, Peter Lemenkov, Peter
        Waller, Piotr Drąg, Raul Gutierrez S, Richard Maw, Ronny
        Chevalier, Ross Burton, Sebastian Rasmussen, Sergey Ptashnick,
        Seth Jennings, Shawn Landden, Simon Farnsworth, Stefan Junker,
        Stephen Gallagher, Susant Sahani, Sylvain Plantefève, Thomas
        Haller, Thomas Hindoe Paaboel Andersen, Tobias Hunger, Tom
        Gundersen, Torstein Husebø, Umut Tezduyar Lindskog, Will
        Woods, Zachary Cook, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2015-05-22

CHANGES WITH 219:

        * Introduce a new API "sd-hwdb.h" for querying the hardware
          metadata database. With this minimal interface one can query
          and enumerate the udev hwdb, decoupled from the old libudev
          library. libudev's interface for this is now only a wrapper
          around sd-hwdb. A new tool systemd-hwdb has been added to
          interface with and update the database.

        * When any of systemd's tools copies files (for example due to
          tmpfiles' C lines) a btrfs reflink will attempted first,
          before bytewise copying is done.

        * systemd-nspawn gained a new --ephemeral switch. When
          specified a btrfs snapshot is taken of the container's root
          directory, and immediately removed when the container
          terminates again. Thus, a container can be started whose
          changes never alter the container's root directory, and are
          lost on container termination. This switch can also be used
          for starting a container off the root file system of the
          host without affecting the host OS. This switch is only
          available on btrfs file systems.

        * systemd-nspawn gained a new --template= switch. It takes the
          path to a container tree to use as template for the tree
          specified via --directory=, should that directory be
          missing. This allows instantiating containers dynamically,
          on first run. This switch is only available on btrfs file
          systems.

        * When a .mount unit refers to a mount point on which multiple
          mounts are stacked, and the .mount unit is stopped all of
          the stacked mount points will now be unmounted until no
          mount point remains.

        * systemd now has an explicit notion of supported and
          unsupported unit types. Jobs enqueued for unsupported unit
          types will now fail with an "unsupported" error code. More
          specifically .swap, .automount and .device units are not
          supported in containers, .busname units are not supported on
          non-kdbus systems. .swap and .automount are also not
          supported if their respective kernel compile time options
          are disabled.

        * machinectl gained support for two new "copy-from" and
          "copy-to" commands for copying files from a running
          container to the host or vice versa.

        * machinectl gained support for a new "bind" command to bind
          mount host directories into local containers. This is
          currently only supported for nspawn containers.

        * networkd gained support for configuring bridge forwarding
          database entries (fdb) from .network files.

        * A new tiny daemon "systemd-importd" has been added that can
          download container images in tar, raw, qcow2 or dkr formats,
          and make them available locally in /var/lib/machines, so
          that they can run as nspawn containers. The daemon can GPG
          verify the downloads (not supported for dkr, since it has no
          provisions for verifying downloads). It will transparently
          decompress bz2, xz, gzip compressed downloads if necessary,
          and restore sparse files on disk. The daemon uses privilege
          separation to ensure the actual download logic runs with
          fewer privileges than the daemon itself. machinectl has
          gained new commands "pull-tar", "pull-raw" and "pull-dkr" to
          make the functionality of importd available to the
          user. With this in place the Fedora and Ubuntu "Cloud"
          images can be downloaded and booted as containers unmodified
          (the Fedora images lack the appropriate GPG signature files
          currently, so they cannot be verified, but this will change
          soon, hopefully). Note that downloading images is currently
          only fully supported on btrfs.

        * machinectl is now able to list container images found in
          /var/lib/machines, along with some metadata about sizes of
          disk and similar. If the directory is located on btrfs and
          quota is enabled, this includes quota display. A new command
          "image-status" has been added that shows additional
          information about images.

        * machinectl is now able to clone container images
          efficiently, if the underlying file system (btrfs) supports
          it, with the new "machinectl clone" command. It also
          gained commands for renaming and removing images, as well as
          marking them read-only or read-write (supported also on
          legacy file systems).

        * networkd gained support for collecting LLDP network
          announcements, from hardware that supports this. This is
          shown in networkctl output.

        * systemd-run gained support for a new -t (--pty) switch for
          invoking a binary on a pty whose input and output is
          connected to the invoking terminal. This allows executing
          processes as system services while interactively
          communicating with them via the terminal. Most interestingly
          this is supported across container boundaries. Invoking
          "systemd-run -t /bin/bash" is an alternative to running a
          full login session, the difference being that the former
          will not register a session, nor go through the PAM session
          setup.

        * tmpfiles gained support for a new "v" line type for creating
          btrfs subvolumes. If the underlying file system is a legacy
          file system, this automatically degrades to creating a
          normal directory. Among others /var/lib/machines is now
          created like this at boot, should it be missing.

        * The directory /var/lib/containers/ has been deprecated and
          been replaced by /var/lib/machines. The term "machines" has
          been used in the systemd context as generic term for both
          VMs and containers, and hence appears more appropriate for
          this, as the directory can also contain raw images bootable
          via qemu/kvm.

        * systemd-nspawn when invoked with -M but without --directory=
          or --image= is now capable of searching for the container
          root directory, subvolume or disk image automatically, in
          /var/lib/machines. systemd-nspawn@.service has been updated
          to make use of this, thus allowing it to be used for raw
          disk images, too.

        * A new machines.target unit has been introduced that is
          supposed to group all containers/VMs invoked as services on
          the system. systemd-nspawn@.service has been updated to
          integrate with that.

        * machinectl gained a new "start" command, for invoking a
          container as a service. "machinectl start foo" is mostly
          equivalent to "systemctl start systemd-nspawn@foo.service",
          but handles escaping in a nicer way.

        * systemd-nspawn will now mount most of the cgroupfs tree
          read-only into each container, with the exception of the
          container's own subtree in the name=systemd hierarchy.

        * journald now sets the special FS_NOCOW file flag for its
          journal files. This should improve performance on btrfs, by
          avoiding heavy fragmentation when journald's write-pattern
          is used on COW file systems. It degrades btrfs' data
          integrity guarantees for the files to the same levels as for
          ext3/ext4 however. This should be OK though as journald does
          its own data integrity checks and all its objects are
          checksummed on disk. Also, journald should handle btrfs disk
          full events a lot more gracefully now, by processing SIGBUS
          errors, and not relying on fallocate() anymore.

        * When journald detects that journal files it is writing to
          have been deleted it will immediately start new journal
          files.

        * systemd now provides a way to store file descriptors
          per-service in PID 1. This is useful for daemons to ensure
          that fds they require are not lost during a daemon
          restart. The fds are passed to the daemon on the next
          invocation in the same way socket activation fds are
          passed. This is now used by journald to ensure that the
          various sockets connected to all the system's stdout/stderr
          are not lost when journald is restarted. File descriptors
          may be stored in PID 1 via the sd_pid_notify_with_fds() API,
          an extension to sd_notify(). Note that a limit is enforced
          on the number of fds a service can store in PID 1, and it
          defaults to 0, so that no fds may be stored, unless this is
          explicitly turned on.

        * The default TERM variable to use for units connected to a
          terminal, when no other value is explicitly is set is now
          vt220 rather than vt102. This should be fairly safe still,
          but allows PgUp/PgDn work.

        * The /etc/crypttab option header= as known from Debian is now
          supported.

        * "loginctl user-status" and "loginctl session-status" will
          now show the last 10 lines of log messages of the
          user/session following the status output. Similar,
          "machinectl status" will show the last 10 log lines
          associated with a virtual machine or container
          service. (Note that this is usually not the log messages
          done in the VM/container itself, but simply what the
          container manager logs. For nspawn this includes all console
          output however.)

        * "loginctl session-status" without further argument will now
          show the status of the session of the caller. Similar,
          "lock-session", "unlock-session", "activate",
          "enable-linger", "disable-linger" may now be called without
          session/user parameter in which case they apply to the
          caller's session/user.

        * An X11 session scriptlet is now shipped that uploads
          $DISPLAY and $XAUTHORITY into the environment of the systemd
          --user daemon if a session begins. This should improve
          compatibility with X11 enabled applications run as systemd
          user services.

        * Generators are now subject to masking via /etc and /run, the
          same way as unit files.

        * networkd .network files gained support for configuring
          per-link IPv4/IPv6 packet forwarding as well as IPv4
          masquerading. This is by default turned on for veth links to
          containers, as registered by systemd-nspawn. This means that
          nspawn containers run with --network-veth will now get
          automatic routed access to the host's networks without any
          further configuration or setup, as long as networkd runs on
          the host.

        * systemd-nspawn gained the --port= (-p) switch to expose TCP
          or UDP posts of a container on the host. With this in place
          it is possible to run containers with private veth links
          (--network-veth), and have their functionality exposed on
          the host as if their services were running directly on the
          host.

        * systemd-nspawn's --network-veth switch now gained a short
          version "-n", since with the changes above it is now truly
          useful out-of-the-box. The systemd-nspawn@.service has been
          updated to make use of it too by default.

        * systemd-nspawn will now maintain a per-image R/W lock, to
          ensure that the same image is not started more than once
          writable. (It's OK to run an image multiple times
          simultaneously in read-only mode.)

        * systemd-nspawn's --image= option is now capable of
          dissecting and booting MBR and GPT disk images that contain
          only a single active Linux partition. Previously it
          supported only GPT disk images with proper GPT type
          IDs. This allows running cloud images from major
          distributions directly with systemd-nspawn, without
          modification.

        * In addition to collecting mouse dpi data in the udev
          hardware database, there's now support for collecting angle
          information for mouse scroll wheels. The database is
          supposed to guarantee similar scrolling behavior on mice
          that it knows about. There's also support for collecting
          information about Touchpad types.

        * udev's input_id built-in will now also collect touch screen
          dimension data and attach it to probed devices.

        * /etc/os-release gained support for a Distribution Privacy
          Policy link field.

        * networkd gained support for creating "ipvlan", "gretap",
          "ip6gre", "ip6gretap" and "ip6tnl" network devices.

        * systemd-tmpfiles gained support for "a" lines for setting
          ACLs on files.

        * systemd-nspawn will now mount /tmp in the container to
          tmpfs, automatically.

        * systemd now exposes the memory.usage_in_bytes cgroup
          attribute and shows it for each service in the "systemctl
          status" output, if available.

        * When the user presses Ctrl-Alt-Del more than 7x within 2s an
          immediate reboot is triggered. This useful if shutdown is
          hung and is unable to complete, to expedite the
          operation. Note that this kind of reboot will still unmount
          all file systems, and hence should not result in fsck being
          run on next reboot.

        * A .device unit for an optical block device will now be
          considered active only when a medium is in the drive. Also,
          mount units are now bound to their backing devices thus
          triggering automatic unmounting when devices become
          unavailable. With this in place systemd will now
          automatically unmount left-over mounts when a CD-ROM is
          ejected or a USB stick is yanked from the system.

        * networkd-wait-online now has support for waiting for
          specific interfaces only (with globbing), and for giving up
          after a configurable timeout.

        * networkd now exits when idle. It will be automatically
          restarted as soon as interfaces show up, are removed or
          change state. networkd will stay around as long as there is
          at least one DHCP state machine or similar around, that keep
          it non-idle.

        * networkd may now configure IPv6 link-local addressing in
          addition to IPv4 link-local addressing.

        * The IPv6 "token" for use in SLAAC may now be configured for
          each .network interface in networkd.

        * Routes configured with networkd may now be assigned a scope
          in .network files.

        * networkd's [Match] sections now support globbing and lists
          of multiple space-separated matches per item.

        Contributions from: Alban Crequy, Alin Rauta, Andrey Chaser,
        Bastien Nocera, Bruno Bottazzini, Carlos Garnacho, Carlos
        Morata Castillo, Chris Atkinson, Chris J. Arges, Christian
        Kirbach, Christian Seiler, Christoph Brill, Colin Guthrie,
        Colin Walters, Cristian Rodríguez, Daniele Medri, Daniel Mack,
        Dave Reisner, David Herrmann, Djalal Harouni, Erik Auerswald,
        Filipe Brandenburger, Frank Theile, Gabor Kelemen, Gabriel de
        Perthuis, Harald Hoyer, Hui Wang, Ivan Shapovalov, Jan
        Engelhardt, Jan Synacek, Jay Faulkner, Johannes Hölzl, Jonas
        Ådahl, Jonathan Boulle, Josef Andersson, Kay Sievers, Ken
        Werner, Lennart Poettering, Lucas De Marchi, Lukas Märdian,
        Lukas Nykryn, Lukasz Skalski, Luke Shumaker, Mantas Mikulėnas,
        Manuel Mendez, Marcel Holtmann, Marc Schmitzer, Marko
        Myllynen, Martin Pitt, Maxim Mikityanskiy, Michael Biebl,
        Michael Marineau, Michael Olbrich, Michal Schmidt, Mindaugas
        Baranauskas, Moez Bouhlel, Naveen Kumar, Patrik Flykt, Paul
        Martin, Peter Hutterer, Peter Mattern, Philippe De Swert,
        Piotr Drąg, Rafael Ferreira, Rami Rosen, Robert Milasan, Ronny
        Chevalier, Sangjung Woo, Sebastien Bacher, Sergey Ptashnick,
        Shawn Landden, Stéphane Graber, Susant Sahani, Sylvain
        Plantefève, Thomas Hindoe Paaboel Andersen, Tim JP, Tom
        Gundersen, Topi Miettinen, Torstein Husebø, Umut Tezduyar
        Lindskog, Veres Lajos, Vincent Batts, WaLyong Cho, Wieland
        Hoffmann, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2015-02-16

CHANGES WITH 218:

        * When querying unit file enablement status (for example via
          "systemctl is-enabled"), a new state "indirect" is now known
          which indicates that a unit might not be enabled itself, but
          another unit listed in its Also= setting might be.

        * Similar to the various existing ConditionXYZ= settings for
          units, there are now matching AssertXYZ= settings. While
          failing conditions cause a unit to be skipped, but its job
          to succeed, failing assertions declared like this will cause
          a unit start operation and its job to fail.

        * hostnamed now knows a new chassis type "embedded".

        * systemctl gained a new "edit" command. When used on a unit
          file, this allows extending unit files with .d/ drop-in
          configuration snippets or editing the full file (after
          copying it from /usr/lib to /etc). This will invoke the
          user's editor (as configured with $EDITOR), and reload the
          modified configuration after editing.

        * "systemctl status" now shows the suggested enablement state
          for a unit, as declared in the (usually vendor-supplied)
          system preset files.

        * nss-myhostname will now resolve the single-label hostname
          "gateway" to the locally configured default IP routing
          gateways, ordered by their metrics. This assigns a stable
          name to the used gateways, regardless which ones are
          currently configured. Note that the name will only be
          resolved after all other name sources (if nss-myhostname is
          configured properly) and should hence not negatively impact
          systems that use the single-label hostname "gateway" in
          other contexts.

        * systemd-inhibit now allows filtering by mode when listing
          inhibitors.

        * Scope and service units gained a new "Delegate" boolean
          property, which, when set, allows processes running inside the
          unit to further partition resources. This is primarily
          useful for systemd user instances as well as container
          managers.

        * journald will now pick up audit messages directly from
          the kernel, and log them like any other log message. The
          audit fields are split up and fully indexed. This means that
          journalctl in many ways is now a (nicer!) alternative to
          ausearch, the traditional audit client. Note that this
          implements only a minimal audit client. If you want the
          special audit modes like reboot-on-log-overflow, please use
          the traditional auditd instead, which can be used in
          parallel to journald.

        * The ConditionSecurity= unit file option now understands the
          special string "audit" to check whether auditing is
          available.

        * journalctl gained two new commands --vacuum-size= and
          --vacuum-time= to delete old journal files until the
          remaining ones take up no more than the specified size on disk,
          or are not older than the specified time.

        * A new, native PPPoE library has been added to sd-network,
          systemd's library of lightweight networking protocols. This
          library will be used in a future version of networkd to
          enable PPPoE communication without an external pppd daemon.

        * The busctl tool now understands a new "capture" verb that
          works similar to "monitor", but writes a packet capture
          trace to STDOUT that can be redirected to a file which is
          compatible with libcap's capture file format. This can then
          be loaded in Wireshark and similar tools to inspect bus
          communication.

        * The busctl tool now understands a new "tree" verb that shows
          the object trees of a specific service on the bus, or of all
          services.

        * The busctl tool now understands a new "introspect" verb that
          shows all interfaces and members of objects on the bus,
          including their signature and values. This is particularly
          useful to get more information about bus objects shown by
          the new "busctl tree" command.

        * The busctl tool now understands new verbs "call",
          "set-property" and "get-property" for invoking bus method
          calls, setting and getting bus object properties in a
          friendly way.

        * busctl gained a new --augment-creds= argument that controls
          whether the tool shall augment credential information it
          gets from the bus with data from /proc, in a possibly
          race-ful way.

        * nspawn's --link-journal= switch gained two new values
          "try-guest" and "try-host" that work like "guest" and
          "host", but do not fail if the host has no persistent
          journaling enabled. -j is now equivalent to
          --link-journal=try-guest.

        * macvlan network devices created by nspawn will now have
          stable MAC addresses.

        * A new SmackProcessLabel= unit setting has been added, which
          controls the SMACK security label processes forked off by
          the respective unit shall use.

        * If compiled with --enable-xkbcommon, systemd-localed will
          verify x11 keymap settings by compiling the given keymap. It
          will spew out warnings if the compilation fails. This
          requires libxkbcommon to be installed.

        * When a coredump is collected, a larger number of metadata
          fields is now collected and included in the journal records
          created for it. More specifically, control group membership,
          environment variables, memory maps, working directory,
          chroot directory, /proc/$PID/status, and a list of open file
          descriptors is now stored in the log entry.

        * The udev hwdb now contains DPI information for mice. For
          details see:

          http://who-t.blogspot.de/2014/12/building-a-dpi-database-for-mice.html

        * All systemd programs that read standalone configuration
          files in /etc now also support a corresponding series of
          .conf.d configuration directories in /etc/, /run/,
          /usr/local/lib/, /usr/lib/, and (if configured with
          --enable-split-usr) /lib/. In particular, the following
          configuration files now have corresponding configuration
          directories: system.conf user.conf, logind.conf,
          journald.conf, sleep.conf, bootchart.conf, coredump.conf,
          resolved.conf, timesyncd.conf, journal-remote.conf, and
          journal-upload.conf. Note that distributions should use the
          configuration directories in /usr/lib/; the directories in
          /etc/ are reserved for the system administrator.

        * systemd-rfkill will no longer take the rfkill device name
          into account when storing rfkill state on disk, as the name
          might be dynamically assigned and not stable. Instead, the
          ID_PATH udev variable combined with the rfkill type (wlan,
          bluetooth, …) is used.

        * A new service systemd-machine-id-commit.service has been
          added. When used on systems where /etc is read-only during
          boot, and /etc/machine-id is not initialized (but an empty
          file), this service will copy the temporary machine ID
          created as replacement into /etc after the system is fully
          booted up. This is useful for systems that are freshly
          installed with a non-initialized machine ID, but should get
          a fixed machine ID for subsequent boots.

        * networkd's .netdev files now provide a large set of
          configuration parameters for VXLAN devices. Similarly, the
          bridge port cost parameter is now configurable in .network
          files. There's also new support for configuring IP source
          routing. networkd .link files gained support for a new
          OriginalName= match that is useful to match against the
          original interface name the kernel assigned. .network files
          may include MTU= and MACAddress= fields for altering the MTU
          and MAC address while being connected to a specific network
          interface.

        * The LUKS logic gained supported for configuring
          UUID-specific key files. There's also new support for naming
          LUKS device from the kernel command line, using the new
          luks.name= argument.

        * Timer units may now be transiently created via the bus API
          (this was previously already available for scope and service
          units). In addition it is now possible to create multiple
          transient units at the same time with a single bus call. The
          "systemd-run" tool has been updated to make use of this for
          running commands on a specified time, in at(1)-style.

        * tmpfiles gained support for "t" lines, for assigning
          extended attributes to files. Among other uses this may be
          used to assign SMACK labels to files.

        Contributions from: Alin Rauta, Alison Chaiken, Andrej
        Manduch, Bastien Nocera, Chris Atkinson, Chris Leech, Chris
        Mayo, Colin Guthrie, Colin Walters, Cristian Rodríguez,
        Daniele Medri, Daniel Mack, Dan Williams, Dan Winship, Dave
        Reisner, David Herrmann, Didier Roche, Felipe Sateler, Gavin
        Li, Hans de Goede, Harald Hoyer, Iago López Galeiras, Ivan
        Shapovalov, Jakub Filak, Jan Janssen, Jan Synacek, Joe
        Lawrence, Josh Triplett, Kay Sievers, Lennart Poettering,
        Lukas Nykryn, Łukasz Stelmach, Maciej Wereski, Mantas
        Mikulėnas, Marcel Holtmann, Martin Pitt, Maurizio Lombardi,
        Michael Biebl, Michael Chapman, Michael Marineau, Michal
        Schmidt, Michal Sekletar, Olivier Brunel, Patrik Flykt, Peter
        Hutterer, Przemyslaw Kedzierski, Rami Rosen, Ray Strode,
        Richard Schütz, Richard W.M. Jones, Ronny Chevalier, Ross
        Lagerwall, Sean Young, Stanisław Pitucha, Susant Sahani,
        Thomas Haller, Thomas Hindoe Paaboel Andersen, Tom Gundersen,
        Torstein Husebø, Umut Tezduyar Lindskog, Vicente Olivert
        Riera, WaLyong Cho, Wesley Dawson, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2014-12-10

CHANGES WITH 217:

        * journalctl gained the new options -t/--identifier= to match
          on the syslog identifier (aka "tag"), as well as --utc to
          show log timestamps in the UTC timezone. journalctl now also
          accepts -n/--lines=all to disable line capping in a pager.

        * journalctl gained a new switch, --flush, that synchronously
          flushes logs from /run/log/journal to /var/log/journal if
          persistent storage is enabled. systemd-journal-flush.service
          now waits until the operation is complete.

        * Services can notify the manager before they start a reload
          (by sending RELOADING=1) or shutdown (by sending
          STOPPING=1). This allows the manager to track and show the
          internal state of daemons and closes a race condition when
          the process is still running but has closed its D-Bus
          connection.

        * Services with Type=oneshot do not have to have any ExecStart
          commands anymore.

        * User units are now loaded also from
          $XDG_RUNTIME_DIR/systemd/user/. This is similar to the
          /run/systemd/user directory that was already previously
          supported, but is under the control of the user.

        * Job timeouts (i.e. timeouts on the time a job that is
          queued stays in the run queue) can now optionally result in
          immediate reboot or power-off actions (JobTimeoutAction= and
          JobTimeoutRebootArgument=). This is useful on ".target"
          units, to limit the maximum time a target remains
          undispatched in the run queue, and to trigger an emergency
          operation in such a case. This is now used by default to
          turn off the system if boot-up (as defined by everything in
          basic.target) hangs and does not complete for at least
          15min. Also, if power-off or reboot hang for at least 30min
          an immediate power-off/reboot operation is triggered. This
          functionality is particularly useful to increase reliability
          on embedded devices, but also on laptops which might
          accidentally get powered on when carried in a backpack and
          whose boot stays stuck in a hard disk encryption passphrase
          question.

        * systemd-logind can be configured to also handle lid switch
          events even when the machine is docked or multiple displays
          are attached (HandleLidSwitchDocked= option).

        * A helper binary and a service have been added which can be
          used to resume from hibernation in the initramfs. A
          generator will parse the resume= option on the kernel
          command line to trigger resume.

        * A user console daemon systemd-consoled has been
          added. Currently, it is a preview, and will so far open a
          single terminal on each session of the user marked as
          Desktop=systemd-console.

        * Route metrics can be specified for DHCP routes added by
          systemd-networkd.

        * The SELinux context of socket-activated services can be set
          from the information provided by the networking stack
          (SELinuxContextFromNet= option).

        * Userspace firmware loading support has been removed and
          the minimum supported kernel version is thus bumped to 3.7.

        * Timeout for udev workers has been increased from 1 to 3
          minutes, but a warning will be printed after 1 minute to
          help diagnose kernel modules that take a long time to load.

        * Udev rules can now remove tags on devices with TAG-="foobar".

        * systemd's readahead implementation has been removed. In many
          circumstances it didn't give expected benefits even for
          rotational disk drives and was becoming less relevant in the
          age of SSDs. As none of the developers has been using
          rotating media anymore, and nobody stepped up to actively
          maintain this component of systemd it has now been removed.

        * Swap units can use Options= to specify discard options.
          Discard options specified for swaps in /etc/fstab are now
          respected.

        * Docker containers are now detected as a separate type of
          virtualization.

        * The Password Agent protocol gained support for queries where
          the user input is shown, useful e.g. for user names.
          systemd-ask-password gained a new --echo option to turn that
          on.

        * The default sysctl.d/ snippets will now set:

                net.core.default_qdisc = fq_codel

          This selects Fair Queuing Controlled Delay as the default
          queuing discipline for network interfaces. fq_codel helps
          fight the network bufferbloat problem. It is believed to be
          a good default with no tuning required for most workloads.
          Downstream distributions may override this choice. On 10Gbit
          servers that do not do forwarding, "fq" may perform better.
          Systems without a good clocksource should use "pfifo_fast".

        * If kdbus is enabled during build a new option BusPolicy= is
          available for service units, that allows locking all service
          processes into a stricter bus policy, in order to limit
          access to various bus services, or even hide most of them
          from the service's view entirely.

        * networkctl will now show the .network and .link file
          networkd has applied to a specific interface.

        * sd-login gained a new API call sd_session_get_desktop() to
          query which desktop environment has been selected for a
          session.

        * UNIX utmp support is now compile-time optional to support
          legacy-free systems.

        * systemctl gained two new commands "add-wants" and
          "add-requires" for pulling in units from specific targets
          easily.

        * If the word "rescue" is specified on the kernel command line
          the system will now boot into rescue mode (aka
          rescue.target), which was previously available only by
          specifying "1" or "systemd.unit=rescue.target" on the kernel
          command line. This new kernel command line option nicely
          mirrors the already existing "emergency" kernel command line
          option.

        * New kernel command line options mount.usr=, mount.usrflags=,
          mount.usrfstype= have been added that match root=, rootflags=,
          rootfstype= but allow mounting a specific file system to
          /usr.

        * The $NOTIFY_SOCKET is now also passed to control processes of
          services, not only the main process.

        * This version reenables support for fsck's -l switch. This
          means at least version v2.25 of util-linux is required for
          operation, otherwise dead-locks on device nodes may
          occur. Again: you need to update util-linux to at least
          v2.25 when updating systemd to v217.

        * The "multi-seat-x" tool has been removed from systemd, as
          its functionality has been integrated into X servers 1.16,
          and the tool is hence redundant. It is recommended to update
          display managers invoking this tool to simply invoke X
          directly from now on, again.

        * Support for the new ALLOW_INTERACTIVE_AUTHORIZATION D-Bus
          message flag has been added for all of systemd's polkit
          authenticated method calls has been added. In particular this
          now allows optional interactive authorization via polkit for
          many of PID1's privileged operations such as unit file
          enabling and disabling.

        * "udevadm hwdb --update" learnt a new switch "--usr" for
          placing the rebuilt hardware database in /usr instead of
          /etc. When used only hardware database entries stored in
          /usr will be used, and any user database entries in /etc are
          ignored. This functionality is useful for vendors to ship a
          pre-built database on systems where local configuration is
          unnecessary or unlikely.

        * Calendar time specifications in .timer units now also
          understand the strings "semi-annually", "quarterly" and
          "minutely" as shortcuts (in addition to the preexisting
          "annually", "hourly", …).

        * systemd-tmpfiles will now correctly create files in /dev
          at boot which are marked for creation only at boot. It is
          recommended to always create static device nodes with 'c!'
          and 'b!', so that they are created only at boot and not
          overwritten at runtime.

        * When the watchdog logic is used for a service (WatchdogSec=)
          and the watchdog timeout is hit the service will now be
          terminated with SIGABRT (instead of just SIGTERM), in order
          to make sure a proper coredump and backtrace is
          generated. This ensures that hanging services will result in
          similar coredump/backtrace behaviour as services that hit a
          segmentation fault.

        Contributions from: Andreas Henriksson, Andrei Borzenkov,
        Angus Gibson, Ansgar Burchardt, Ben Wolsieffer, Brandon L.
        Black, Christian Hesse, Cristian Rodríguez, Daniel Buch,
        Daniele Medri, Daniel Mack, Dan Williams, Dave Reisner, David
        Herrmann, David Sommerseth, David Strauss, Emil Renner
        Berthing, Eric Cook, Evangelos Foutras, Filipe Brandenburger,
        Gustavo Sverzut Barbieri, Hans de Goede, Harald Hoyer, Hristo
        Venev, Hugo Grostabussiat, Ivan Shapovalov, Jan Janssen, Jan
        Synacek, Jonathan Liu, Juho Son, Karel Zak, Kay Sievers, Klaus
        Purer, Koen Kooi, Lennart Poettering, Lukas Nykryn, Lukasz
        Skalski, Łukasz Stelmach, Mantas Mikulėnas, Marcel Holtmann,
        Marius Tessmann, Marko Myllynen, Martin Pitt, Michael Biebl,
        Michael Marineau, Michael Olbrich, Michael Scherer, Michal
        Schmidt, Michal Sekletar, Miroslav Lichvar, Patrik Flykt,
        Philippe De Swert, Piotr Drąg, Rahul Sundaram, Richard
        Weinberger, Robert Milasan, Ronny Chevalier, Ruben Kerkhof,
        Santiago Vila, Sergey Ptashnick, Simon McVittie, Sjoerd
        Simons, Stefan Brüns, Steven Allen, Steven Noonan, Susant
        Sahani, Sylvain Plantefève, Thomas Hindoe Paaboel Andersen,
        Timofey Titovets, Tobias Hunger, Tom Gundersen, Torstein
        Husebø, Umut Tezduyar Lindskog, WaLyong Cho, Zbigniew
        Jędrzejewski-Szmek

        — Berlin, 2014-10-28

CHANGES WITH 216:

        * timedated no longer reads NTP implementation unit names from
          /usr/lib/systemd/ntp-units.d/*.list. Alternative NTP
          implementations should add a

            Conflicts=systemd-timesyncd.service

          to their unit files to take over and replace systemd's NTP
          default functionality.

        * systemd-sysusers gained a new line type "r" for configuring
          which UID/GID ranges to allocate system users/groups
          from. Lines of type "u" may now add an additional column
          that specifies the home directory for the system user to be
          created. Also, systemd-sysusers may now optionally read user
          information from STDIN instead of a file. This is useful for
          invoking it from RPM preinst scriptlets that need to create
          users before the first RPM file is installed since these
          files might need to be owned by them. A new
          %sysusers_create_inline RPM macro has been introduced to do
          just that. systemd-sysusers now updates the shadow files as
          well as the user/group databases, which should enhance
          compatibility with certain tools like grpck.

        * A number of bus APIs of PID 1 now optionally consult polkit to
          permit access for otherwise unprivileged clients under certain
          conditions. Note that this currently doesn't support
          interactive authentication yet, but this is expected to be
          added eventually, too.

        * /etc/machine-info now has new fields for configuring the
          deployment environment of the machine, as well as the
          location of the machine. hostnamectl has been updated with
          new command to update these fields.

        * systemd-timesyncd has been updated to automatically acquire
          NTP server information from systemd-networkd, which might
          have been discovered via DHCP.

        * systemd-resolved now includes a caching DNS stub resolver
          and a complete LLMNR name resolution implementation. A new
          NSS module "nss-resolve" has been added which can be used
          instead of glibc's own "nss-dns" to resolve hostnames via
          systemd-resolved. Hostnames, addresses and arbitrary RRs may
          be resolved via systemd-resolved D-Bus APIs. In contrast to
          the glibc internal resolver systemd-resolved is aware of
          multi-homed system, and keeps DNS server and caches separate
          and per-interface. Queries are sent simultaneously on all
          interfaces that have DNS servers configured, in order to
          properly handle VPNs and local LANs which might resolve
          separate sets of domain names. systemd-resolved may acquire
          DNS server information from systemd-networkd automatically,
          which in turn might have discovered them via DHCP. A tool
          "systemd-resolve-host" has been added that may be used to
          query the DNS logic in resolved. systemd-resolved implements
          IDNA and automatically uses IDNA or UTF-8 encoding depending
          on whether classic DNS or LLMNR is used as transport. In the
          next releases we intend to add a DNSSEC and mDNS/DNS-SD
          implementation to systemd-resolved.

        * A new NSS module nss-mymachines has been added, that
          automatically resolves the names of all local registered
          containers to their respective IP addresses.

        * A new client tool "networkctl" for systemd-networkd has been
          added. It currently is entirely passive and will query
          networking configuration from udev, rtnetlink and networkd,
          and present it to the user in a very friendly
          way. Eventually, we hope to extend it to become a full
          control utility for networkd.

        * .socket units gained a new DeferAcceptSec= setting that
          controls the kernels' TCP_DEFER_ACCEPT sockopt for
          TCP. Similarly, support for controlling TCP keep-alive
          settings has been added (KeepAliveTimeSec=,
          KeepAliveIntervalSec=, KeepAliveProbes=). Also, support for
          turning off Nagle's algorithm on TCP has been added
          (NoDelay=).

        * logind learned a new session type "web", for use in projects
          like Cockpit which register web clients as PAM sessions.

        * timer units with at least one OnCalendar= setting will now
          be started only after time-sync.target has been
          reached. This way they will not elapse before the system
          clock has been corrected by a local NTP client or
          similar. This is particular useful on RTC-less embedded
          machines, that come up with an invalid system clock.

        * systemd-nspawn's --network-veth= switch should now result in
          stable MAC addresses for both the outer and the inner side
          of the link.

        * systemd-nspawn gained a new --volatile= switch for running
          container instances with /etc or /var unpopulated.

        * The kdbus client code has been updated to use the new Linux
          3.17 memfd subsystem instead of the old kdbus-specific one.

        * systemd-networkd's DHCP client and server now support
          FORCERENEW. There are also new configuration options to
          configure the vendor client identifier and broadcast mode
          for DHCP.

        * systemd will no longer inform the kernel about the current
          timezone, as this is necessarily incorrect and racy as the
          kernel has no understanding of DST and similar
          concepts. This hence means FAT timestamps will be always
          considered UTC, similar to what Android is already
          doing. Also, when the RTC is configured to the local time
          (rather than UTC) systemd will never synchronize back to it,
          as this might confuse Windows at a later boot.

        * systemd-analyze gained a new command "verify" for offline
          validation of unit files.

        * systemd-networkd gained support for a couple of additional
          settings for bonding networking setups. Also, the metric for
          statically configured routes may now be configured. For
          network interfaces where this is appropriate the peer IP
          address may now be configured.

        * systemd-networkd's DHCP client will no longer request
          broadcasting by default, as this tripped up some networks.
          For hardware where broadcast is required the feature should
          be switched back on using RequestBroadcast=yes.

        * systemd-networkd will now set up IPv4LL addresses (when
          enabled) even if DHCP is configured successfully.

        * udev will now default to respect network device names given
          by the kernel when the kernel indicates that these are
          predictable. This behavior can be tweaked by changing
          NamePolicy= in the relevant .link file.

        * A new library systemd-terminal has been added that
          implements full TTY stream parsing and rendering. This
          library is supposed to be used later on for implementing a
          full userspace VT subsystem, replacing the current kernel
          implementation.

        * A new tool systemd-journal-upload has been added to push
          journal data to a remote system running
          systemd-journal-remote.

        * journald will no longer forward all local data to another
          running syslog daemon. This change has been made because
          rsyslog (which appears to be the most commonly used syslog
          implementation these days) no longer makes use of this, and
          instead pulls the data out of the journal on its own. Since
          forwarding the messages to a non-existent syslog server is
          more expensive than we assumed we have now turned this
          off. If you run a syslog server that is not a recent rsyslog
          version, you have to turn this option on again
          (ForwardToSyslog= in journald.conf).

        * journald now optionally supports the LZ4 compressor for
          larger journal fields. This compressor should perform much
          better than XZ which was the previous default.

        * machinectl now shows the IP addresses of local containers,
          if it knows them, plus the interface name of the container.

        * A new tool "systemd-escape" has been added that makes it
          easy to escape strings to build unit names and similar.

        * sd_notify() messages may now include a new ERRNO= field
          which is parsed and collected by systemd and shown among the
          "systemctl status" output for a service.

        * A new component "systemd-firstboot" has been added that
          queries the most basic systemd information (timezone,
          hostname, root password) interactively on first
          boot. Alternatively it may also be used to provision these
          things offline on OS images installed into directories.

        * The default sysctl.d/ snippets will now set

                net.ipv4.conf.default.promote_secondaries=1

          This has the benefit of no flushing secondary IP addresses
          when primary addresses are removed.

        Contributions from: Ansgar Burchardt, Bastien Nocera, Colin
        Walters, Dan Dedrick, Daniel Buch, Daniel Korostil, Daniel
        Mack, Dan Williams, Dave Reisner, David Herrmann, Denis
        Kenzior, Eelco Dolstra, Eric Cook, Hannes Reinecke, Harald
        Hoyer, Hong Shick Pak, Hui Wang, Jean-André Santoni, Jóhann
        B. Guðmundsson, Jon Severinsson, Karel Zak, Kay Sievers, Kevin
        Wells, Lennart Poettering, Lukas Nykryn, Mantas Mikulėnas,
        Marc-Antoine Perennou, Martin Pitt, Michael Biebl, Michael
        Marineau, Michael Olbrich, Michal Schmidt, Michal Sekletar,
        Miguel Angel Ajo, Mike Gilbert, Olivier Brunel, Robert
        Schiele, Ronny Chevalier, Simon McVittie, Sjoerd Simons, Stef
        Walter, Steven Noonan, Susant Sahani, Tanu Kaskinen, Thomas
        Blume, Thomas Hindoe Paaboel Andersen, Timofey Titovets,
        Tobias Geerinckx-Rice, Tomasz Torcz, Tom Gundersen, Umut
        Tezduyar Lindskog, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2014-08-19

CHANGES WITH 215:

        * A new tool systemd-sysusers has been added. This tool
          creates system users and groups in /etc/passwd and
          /etc/group, based on static declarative system user/group
          definitions in /usr/lib/sysusers.d/. This is useful to
          enable factory resets and volatile systems that boot up with
          an empty /etc directory, and thus need system users and
          groups created during early boot. systemd now also ships
          with two default sysusers.d/ files for the most basic
          users and groups systemd and the core operating system
          require.

        * A new tmpfiles snippet has been added that rebuilds the
          essential files in /etc on boot, should they be missing.

        * A directive for ensuring automatic clean-up of
          /var/cache/man/ has been removed from the default
          configuration. This line should now be shipped by the man
          implementation. The necessary change has been made to the
          man-db implementation. Note that you need to update your man
          implementation to one that ships this line, otherwise no
          automatic clean-up of /var/cache/man will take place.

        * A new condition ConditionNeedsUpdate= has been added that
          may conditionalize services to only run when /etc or /var
          are "older" than the vendor operating system resources in
          /usr. This is useful for reconstructing or updating /etc
          after an offline update of /usr or a factory reset, on the
          next reboot. Services that want to run once after such an
          update or reset should use this condition and order
          themselves before the new systemd-update-done.service, which
          will mark the two directories as fully updated. A number of
          service files have been added making use of this, to rebuild
          the udev hardware database, the journald message catalog and
          dynamic loader cache (ldconfig). The systemd-sysusers tool
          described above also makes use of this now. With this in
          place it is now possible to start up a minimal operating
          system with /etc empty cleanly. For more information on the
          concepts involved see this recent blog story:

          https://0pointer.de/blog/projects/stateless.html

        * A new system group "input" has been introduced, and all
          input device nodes get this group assigned. This is useful
          for system-level software to get access to input devices. It
          complements what is already done for "audio" and "video".

        * systemd-networkd learnt minimal DHCPv4 server support in
          addition to the existing DHCPv4 client support. It also
          learnt DHCPv6 client and IPv6 Router Solicitation client
          support. The DHCPv4 client gained support for static routes
          passed in from the server. Note that the [DHCPv4] section
          known in older systemd-networkd versions has been renamed to
          [DHCP] and is now also used by the DHCPv6 client. Existing
          .network files using settings of this section should be
          updated, though compatibility is maintained. Optionally, the
          client hostname may now be sent to the DHCP server.

        * networkd gained support for vxlan virtual networks as well
          as tun/tap and dummy devices.

        * networkd gained support for automatic allocation of address
          ranges for interfaces from a system-wide pool of
          addresses. This is useful for dynamically managing a large
          number of interfaces with a single network configuration
          file. In particular this is useful to easily assign
          appropriate IP addresses to the veth links of a large number
          of nspawn instances.

        * RPM macros for processing sysusers, sysctl and binfmt
          drop-in snippets at package installation time have been
          added.

        * The /etc/os-release file should now be placed in
          /usr/lib/os-release. The old location is automatically
          created as symlink. /usr/lib is the more appropriate
          location of this file, since it shall actually describe the
          vendor operating system shipped in /usr, and not the
          configuration stored in /etc.

        * .mount units gained a new boolean SloppyOptions= setting
          that maps to mount(8)'s -s option which enables permissive
          parsing of unknown mount options.

        * tmpfiles learnt a new "L+" directive which creates a symlink
          but (unlike "L") deletes a pre-existing file first, should
          it already exist and not already be the correct
          symlink. Similarly, "b+", "c+" and "p+" directives have been
          added as well, which create block and character devices, as
          well as fifos in the filesystem, possibly removing any
          pre-existing files of different types.

        * For tmpfiles' "L", "L+", "C" and "C+" directives the final
          'argument' field (which so far specified the source to
          symlink/copy the files from) is now optional. If omitted the
          same file os copied from /usr/share/factory/ suffixed by the
          full destination path. This is useful for populating /etc
          with essential files, by copying them from vendor defaults
          shipped in /usr/share/factory/etc.

        * A new command "systemctl preset-all" has been added that
          applies the service preset settings to all installed unit
          files. A new switch --preset-mode= has been added that
          controls whether only enable or only disable operations
          shall be executed.

        * A new command "systemctl is-system-running" has been added
          that allows checking the overall state of the system, for
          example whether it is fully up and running.

        * When the system boots up with an empty /etc, the equivalent
          to "systemctl preset-all" is executed during early boot, to
          make sure all default services are enabled after a factory
          reset.

        * systemd now contains a minimal preset file that enables the
          most basic services systemd ships by default.

        * Unit files' [Install] section gained a new DefaultInstance=
          field for defining the default instance to create if a
          template unit is enabled with no instance specified.

        * A new passive target cryptsetup-pre.target has been added
          that may be used by services that need to make they run and
          finish before the first LUKS cryptographic device is set up.

        * The /dev/loop-control and /dev/btrfs-control device nodes
          are now owned by the "disk" group by default, opening up
          access to this group.

        * systemd-coredump will now automatically generate a
          stack trace of all core dumps taking place on the system,
          based on elfutils' libdw library. This stack trace is logged
          to the journal.

        * systemd-coredump may now optionally store coredumps directly
          on disk (in /var/lib/systemd/coredump, possibly compressed),
          instead of storing them unconditionally in the journal. This
          mode is the new default. A new configuration file
          /etc/systemd/coredump.conf has been added to configure this
          and other parameters of systemd-coredump.

        * coredumpctl gained a new "info" verb to show details about a
          specific coredump. A new switch "-1" has also been added
          that makes sure to only show information about the most
          recent entry instead of all entries. Also, as the tool is
          generally useful now the "systemd-" prefix of the binary
          name has been removed. Distributions that want to maintain
          compatibility with the old name should add a symlink from
          the old name to the new name.

        * journald's SplitMode= now defaults to "uid". This makes sure
          that unprivileged users can access their own coredumps with
          coredumpctl without restrictions.

        * New kernel command line options "systemd.wants=" (for
          pulling an additional unit during boot), "systemd.mask="
          (for masking a specific unit for the boot), and
          "systemd.debug-shell" (for enabling the debug shell on tty9)
          have been added. This is implemented in the new generator
          "systemd-debug-generator".

        * systemd-nspawn will now by default filter a couple of
          syscalls for containers, among them those required for
          kernel module loading, direct x86 IO port access, swap
          management, and kexec. Most importantly though
          open_by_handle_at() is now prohibited for containers,
          closing a hole similar to a recently discussed vulnerability
          in docker regarding access to files on file hierarchies the
          container should normally not have access to. Note that, for
          nspawn, we generally make no security claims anyway (and
          this is explicitly documented in the man page), so this is
          just a fix for one of the most obvious problems.

        * A new man page file-hierarchy(7) has been added that
          contains a minimized, modernized version of the file system
          layout systemd expects, similar in style to the FHS
          specification or hier(5). A new tool systemd-path(1) has
          been added to query many of these paths for the local
          machine and user.

        * Automatic time-based clean-up of $XDG_RUNTIME_DIR is no
          longer done. Since the directory now has a per-user size
          limit, and is cleaned on logout this appears unnecessary,
          in particular since this now brings the lifecycle of this
          directory closer in line with how IPC objects are handled.

        * systemd.pc now exports a number of additional directories,
          including $libdir (which is useful to identify the library
          path for the primary architecture of the system), and a
          couple of drop-in directories.

        * udev's predictable network interface names now use the dev_port
          sysfs attribute, introduced in linux 3.15 instead of dev_id to
          distinguish between ports of the same PCI function. dev_id should
          only be used for ports using the same HW address, hence the need
          for dev_port.

        * machined has been updated to export the OS version of a
          container (read from /etc/os-release and
          /usr/lib/os-release) on the bus. This is now shown in
          "machinectl status" for a machine.

        * A new service setting RestartForceExitStatus= has been
          added. If configured to a set of exit signals or process
          return values, the service will be restarted when the main
          daemon process exits with any of them, regardless of the
          Restart= setting.

        * systemctl's -H switch for connecting to remote systemd
          machines has been extended so that it may be used to
          directly connect to a specific container on the
          host. "systemctl -H root@foobar:waldi" will now connect as
          user "root" to host "foobar", and then proceed directly to
          the container named "waldi". Note that currently you have to
          authenticate as user "root" for this to work, as entering
          containers is a privileged operation.

        Contributions from: Andreas Henriksson, Benjamin Steinwender,
        Carl Schaefer, Christian Hesse, Colin Ian King, Cristian
        Rodríguez, Daniel Mack, Dave Reisner, David Herrmann, Eugene
        Yakubovich, Filipe Brandenburger, Frederic Crozat, Hristo
        Venev, Jan Engelhardt, Jonathan Boulle, Kay Sievers, Lennart
        Poettering, Luke Shumaker, Mantas Mikulėnas, Marc-Antoine
        Perennou, Marcel Holtmann, Michael Marineau, Michael Olbrich,
        Michał Bartoszkiewicz, Michal Sekletar, Patrik Flykt, Ronan Le
        Martret, Ronny Chevalier, Ruediger Oertel, Steven Noonan,
        Susant Sahani, Thadeu Lima de Souza Cascardo, Thomas Hindoe
        Paaboel Andersen, Tom Gundersen, Tom Hirst, Umut Tezduyar
        Lindskog, Uoti Urpala, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2014-07-03

CHANGES WITH 214:

        * As an experimental feature, udev now tries to lock the
          disk device node (flock(LOCK_SH|LOCK_NB)) while it
          executes events for the disk or any of its partitions.
          Applications like partitioning programs can lock the
          disk device node (flock(LOCK_EX)) and claim temporary
          device ownership that way; udev will entirely skip all event
          handling for this disk and its partitions. If the disk
          was opened for writing, the close will trigger a partition
          table rescan in udev's "watch" facility, and if needed
          synthesize "change" events for the disk and all its partitions.
          This is now unconditionally enabled, and if it turns out to
          cause major problems, we might turn it on only for specific
          devices, or might need to disable it entirely. Device Mapper
          devices are excluded from this logic.

        * We temporarily dropped the "-l" switch for fsck invocations,
          since they collide with the flock() logic above. util-linux
          upstream has been changed already to avoid this conflict,
          and we will re-add "-l" as soon as util-linux with this
          change has been released.

        * The dependency on libattr has been removed. Since a long
          time, the extended attribute calls have moved to glibc, and
          libattr is thus unnecessary.

        * Virtualization detection works without privileges now. This
          means the systemd-detect-virt binary no longer requires
          CAP_SYS_PTRACE file capabilities, and our daemons can run
          with fewer privileges.

        * systemd-networkd now runs under its own "systemd-network"
          user. It retains the CAP_NET_ADMIN, CAP_NET_BIND_SERVICE,
          CAP_NET_BROADCAST, CAP_NET_RAW capabilities though, but
          loses the ability to write to files owned by root this way.

        * Similarly, systemd-resolved now runs under its own
          "systemd-resolve" user with no capabilities remaining.

        * Similarly, systemd-bus-proxyd now runs under its own
          "systemd-bus-proxy" user with only CAP_IPC_OWNER remaining.

        * systemd-networkd gained support for setting up "veth"
          virtual Ethernet devices for container connectivity, as well
          as GRE and VTI tunnels.

        * systemd-networkd will no longer automatically attempt to
          manually load kernel modules necessary for certain tunnel
          transports. Instead, it is assumed the kernel loads them
          automatically when required. This only works correctly on
          very new kernels. On older kernels, please consider adding
          the kernel modules to /etc/modules-load.d/ as a work-around.

        * The resolv.conf file systemd-resolved generates has been
          moved to /run/systemd/resolve/. If you have a symlink from
          /etc/resolv.conf, it might be necessary to correct it.

        * Two new service settings, ProtectHome= and ProtectSystem=,
          have been added. When enabled, they will make the user data
          (such as /home) inaccessible or read-only and the system
          (such as /usr) read-only, for specific services. This allows
          very lightweight per-service sandboxing to avoid
          modifications of user data or system files from
          services. These two new switches have been enabled for all
          of systemd's long-running services, where appropriate.

        * Socket units gained new SocketUser= and SocketGroup=
          settings to set the owner user and group of AF_UNIX sockets
          and FIFOs in the file system.

        * Socket units gained a new RemoveOnStop= setting. If enabled,
          all FIFOS and sockets in the file system will be removed
          when the specific socket unit is stopped.

        * Socket units gained a new Symlinks= setting. It takes a list
          of symlinks to create to file system sockets or FIFOs
          created by the specific Unix sockets. This is useful to
          manage symlinks to socket nodes with the same lifecycle as
          the socket itself.

        * The /dev/log socket and /dev/initctl FIFO have been moved to
          /run, and have been replaced by symlinks. This allows
          connecting to these facilities even if PrivateDevices=yes is
          used for a service (which makes /dev/log itself unavailable,
          but /run is left). This also has the benefit of ensuring
          that /dev only contains device nodes, directories and
          symlinks, and nothing else.

        * sd-daemon gained two new calls sd_pid_notify() and
          sd_pid_notifyf(). They are similar to sd_notify() and
          sd_notifyf(), but allow overriding of the source PID of
          notification messages if permissions permit this. This is
          useful to send notify messages on behalf of a different
          process (for example, the parent process). The
          systemd-notify tool has been updated to make use of this
          when sending messages (so that notification messages now
          originate from the shell script invoking systemd-notify and
          not the systemd-notify process itself. This should minimize
          a race where systemd fails to associate notification
          messages to services when the originating process already
          vanished.

        * A new "on-abnormal" setting for Restart= has been added. If
          set, it will result in automatic restarts on all "abnormal"
          reasons for a process to exit, which includes unclean
          signals, core dumps, timeouts and watchdog timeouts, but
          does not include clean and unclean exit codes or clean
          signals. Restart=on-abnormal is an alternative for
          Restart=on-failure for services that shall be able to
          terminate and avoid restarts on certain errors, by
          indicating so with an unclean exit code. Restart=on-failure
          or Restart=on-abnormal is now the recommended setting for
          all long-running services.

        * If the InaccessibleDirectories= service setting points to a
          mount point (or if there are any submounts contained within
          it), it is now attempted to completely unmount it, to make
          the file systems truly unavailable for the respective
          service.

        * The ReadOnlyDirectories= service setting and
          systemd-nspawn's --read-only parameter are now recursively
          applied to all submounts, too.

        * Mount units may now be created transiently via the bus APIs.

        * The support for SysV and LSB init scripts has been removed
          from the systemd daemon itself. Instead, it is now
          implemented as a generator that creates native systemd units
          from these scripts when needed. This enables us to remove a
          substantial amount of legacy code from PID 1, following the
          fact that many distributions only ship a very small number
          of LSB/SysV init scripts nowadays.

        * Privileged Xen (dom0) domains are not considered
          virtualization anymore by the virtualization detection
          logic. After all, they generally have unrestricted access to
          the hardware and usually are used to manage the unprivileged
          (domU) domains.

        * systemd-tmpfiles gained a new "C" line type, for copying
          files or entire directories.

        * systemd-tmpfiles "m" lines are now fully equivalent to "z"
          lines. So far, they have been non-globbing versions of the
          latter, and have thus been redundant. In future, it is
          recommended to only use "z". "m" has hence been removed
          from the documentation, even though it stays supported.

        * A tmpfiles snippet to recreate the most basic structure in
          /var has been added. This is enough to create the /var/run →
          /run symlink and create a couple of structural
          directories. This allows systems to boot up with an empty or
          volatile /var. Of course, while with this change, the core OS
          now is capable with dealing with a volatile /var, not all
          user services are ready for it. However, we hope that sooner
          or later, many service daemons will be changed upstream so
          that they are able to automatically create their necessary
          directories in /var at boot, should they be missing. This is
          the first step to allow state-less systems that only require
          the vendor image for /usr to boot.

        * systemd-nspawn has gained a new --tmpfs= switch to mount an
          empty tmpfs instance to a specific directory. This is
          particularly useful for making use of the automatic
          reconstruction of /var (see above), by passing --tmpfs=/var.

        * Access modes specified in tmpfiles snippets may now be
          prefixed with "~", which indicates that they shall be masked
          by whether the existing file or directory is currently
          writable, readable or executable at all. Also, if specified,
          the sgid/suid/sticky bits will be masked for all
          non-directories.

        * A new passive target unit "network-pre.target" has been
          added which is useful for services that shall run before any
          network is configured, for example firewall scripts.

        * The "floppy" group that previously owned the /dev/fd*
          devices is no longer used. The "disk" group is now used
          instead. Distributions should probably deprecate usage of
          this group.

        Contributions from: Camilo Aguilar, Christian Hesse, Colin Ian
        King, Cristian Rodríguez, Daniel Buch, Dave Reisner, David
        Strauss, Denis Tikhomirov, John, Jonathan Liu, Kay Sievers,
        Lennart Poettering, Mantas Mikulėnas, Mark Eichin, Ronny
        Chevalier, Susant Sahani, Thomas Blume, Thomas Hindoe Paaboel
        Andersen, Tom Gundersen, Umut Tezduyar Lindskog, Zbigniew
        Jędrzejewski-Szmek

        — Berlin, 2014-06-11

CHANGES WITH 213:

        * A new "systemd-timesyncd" daemon has been added for
          synchronizing the system clock across the network. It
          implements an SNTP client. In contrast to NTP
          implementations such as chrony or the NTP reference server,
          this only implements a client side, and does not bother with
          the full NTP complexity, focusing only on querying time from
          one remote server and synchronizing the local clock to
          it. Unless you intend to serve NTP to networked clients or
          want to connect to local hardware clocks, this simple NTP
          client should be more than appropriate for most
          installations. The daemon runs with minimal privileges, and
          has been hooked up with networkd to only operate when
          network connectivity is available. The daemon saves the
          current clock to disk every time a new NTP sync has been
          acquired, and uses this to possibly correct the system clock
          early at bootup, in order to accommodate for systems that
          lack an RTC such as the Raspberry Pi and embedded devices,
          and to make sure that time monotonically progresses on these
          systems, even if it is not always correct. To make use of
          this daemon, a new system user and group "systemd-timesync"
          needs to be created on installation of systemd.

        * The queue "seqnum" interface of libudev has been disabled, as
          it was generally incompatible with device namespacing as
          sequence numbers of devices go "missing" if the devices are
          part of a different namespace.

        * "systemctl list-timers" and "systemctl list-sockets" gained
          a --recursive switch for showing units of these types also
          for all local containers, similar in style to the already
          supported --recursive switch for "systemctl list-units".

        * A new RebootArgument= setting has been added for service
          units, which may be used to specify a kernel reboot argument
          to use when triggering reboots with StartLimitAction=.

        * A new FailureAction= setting has been added for service
          units which may be used to specify an operation to trigger
          when a service fails. This works similarly to
          StartLimitAction=, but unlike it, controls what is done
          immediately rather than only after several attempts to
          restart the service in question.

        * hostnamed got updated to also expose the kernel name,
          release, and version on the bus. This is useful for
          executing commands like hostnamectl with the -H switch.
          systemd-analyze makes use of this to properly display
          details when running non-locally.

        * The bootchart tool can now show cgroup information in the
          graphs it generates.

        * The CFS CPU quota cgroup attribute is now exposed for
          services. The new CPUQuota= switch has been added for this
          which takes a percentage value. Setting this will have the
          result that a service may never get more CPU time than the
          specified percentage, even if the machine is otherwise idle.

        * systemd-networkd learned IPIP and SIT tunnel support.

        * LSB init scripts exposing a dependency on $network will now
          get a dependency on network-online.target rather than simply
          network.target. This should bring LSB handling closer to
          what it was on SysV systems.

        * A new fsck.repair= kernel option has been added to control
          how fsck shall deal with unclean file systems at boot.

        * The (.ini) configuration file parser will now silently ignore
          sections whose names begin with "X-". This may be used to maintain
          application-specific extension sections in unit files.

        * machined gained a new API to query the IP addresses of
          registered containers. "machinectl status" has been updated
          to show these addresses in its output.

        * A new call sd_uid_get_display() has been added to the
          sd-login APIs for querying the "primary" session of a
          user. The "primary" session of the user is elected from the
          user's sessions and generally a graphical session is
          preferred over a text one.

        * A minimal systemd-resolved daemon has been added. It
          currently simply acts as a companion to systemd-networkd and
          manages resolv.conf based on per-interface DNS
          configuration, possibly supplied via DHCP. In the long run
          we hope to extend this into a local DNSSEC enabled DNS and
          mDNS cache.

        * The systemd-networkd-wait-online tool is now enabled by
          default. It will delay network-online.target until a network
          connection has been configured. The tool primarily integrates
          with networkd, but will also make a best effort to make sense
          of network configuration performed in some other way.

        * Two new service options StartupCPUShares= and
          StartupBlockIOWeight= have been added that work similarly to
          CPUShares= and BlockIOWeight= however only apply during
          system startup. This is useful to prioritize certain services
          differently during bootup than during normal runtime.

        * hostnamed has been changed to prefer the statically
          configured hostname in /etc/hostname (unless set to
          'localhost' or empty) over any dynamic one supplied by
          dhcp. With this change, the rules for picking the hostname
          match more closely the rules of other configuration settings
          where the local administrator's configuration in /etc always
          overrides any other settings.

        Contributions from: Ali H. Caliskan, Alison Chaiken, Bas van
        den Berg, Brandon Philips, Cristian Rodríguez, Daniel Buch,
        Dan Kilman, Dave Reisner, David Härdeman, David Herrmann,
        David Strauss, Dimitris Spingos, Djalal Harouni, Eelco
        Dolstra, Evan Nemerson, Florian Albrechtskirchinger, Greg
        Kroah-Hartman, Harald Hoyer, Holger Hans Peter Freyther, Jan
        Engelhardt, Jani Nikula, Jason St. John, Jeffrey Clark,
        Jonathan Boulle, Kay Sievers, Lennart Poettering, Lukas
        Nykryn, Lukasz Skalski, Łukasz Stelmach, Mantas Mikulėnas,
        Marcel Holtmann, Martin Pitt, Matthew Monaco, Michael
        Marineau, Michael Olbrich, Michal Sekletar, Mike Gilbert, Nis
        Martensen, Patrik Flykt, Philip Lorenz, poma, Ray Strode,
        Reyad Attiyat, Robert Milasan, Scott Thrasher, Stef Walter,
        Steven Siloti, Susant Sahani, Tanu Kaskinen, Thomas Bächler,
        Thomas Hindoe Paaboel Andersen, Tom Gundersen, Umut Tezduyar
        Lindskog, WaLyong Cho, Will Woods, Zbigniew
        Jędrzejewski-Szmek

        — Beijing, 2014-05-28

CHANGES WITH 212:

        * When restoring the screen brightness at boot, stay away from
          the darkest setting or from the lowest 5% of the available
          range, depending on which is the larger value of both. This
          should effectively protect the user from rebooting into a
          black screen, should the brightness have been set to minimum
          by accident.

        * sd-login gained a new sd_machine_get_class() call to
          determine the class ("vm" or "container") of a machine
          registered with machined.

        * sd-login gained new calls
          sd_peer_get_{session,owner_uid,unit,user_unit,slice,machine_name}(),
          to query the identity of the peer of a local AF_UNIX
          connection. They operate similarly to their sd_pid_get_xyz()
          counterparts.

        * PID 1 will now maintain a system-wide system state engine
          with the states "starting", "running", "degraded",
          "maintenance", "stopping". These states are bound to system
          startup, normal runtime, runtime with at least one failed
          service, rescue/emergency mode and system shutdown. This
          state is shown in the "systemctl status" output when no unit
          name is passed. It is useful to determine system state, in
          particularly when doing so for many systems or containers at
          once.

        * A new command "list-machines" has been added to "systemctl"
          that lists all local OS containers and shows their system
          state (see above), if systemd runs inside of them.

        * systemctl gained a new "-r" switch to recursively enumerate
          units on all local containers, when used with the
          "list-unit" command (which is the default one that is
          executed when no parameters are specified).

        * The GPT automatic partition discovery logic will now honour
          two GPT partition flags: one may be set on a partition to
          cause it to be mounted read-only, and the other may be set
          on a partition to ignore it during automatic discovery.

        * Two new GPT type UUIDs have been added for automatic root
          partition discovery, for 32-bit and 64-bit ARM. This is not
          particularly useful for discovering the root directory on
          these architectures during bare-metal boots (since UEFI is
          not common there), but still very useful to allow booting of
          ARM disk images in nspawn with the -i option.

        * MAC addresses of interfaces created with nspawn's
          --network-interface= switch will now be generated from the
          machine name, and thus be stable between multiple invocations
          of the container.

        * logind will now automatically remove all IPC objects owned
          by a user if she or he fully logs out. This makes sure that
          users who are logged out cannot continue to consume IPC
          resources. This covers SysV memory, semaphores and message
          queues as well as POSIX shared memory and message
          queues. Traditionally, SysV and POSIX IPC had no lifecycle
          limits. With this functionality, that is corrected. This may
          be turned off by using the RemoveIPC= switch of logind.conf.

        * The systemd-machine-id-setup and tmpfiles tools gained a
          --root= switch to operate on a specific root directory,
          instead of /.

        * journald can now forward logged messages to the TTYs of all
          logged in users ("wall"). This is the default for all
          emergency messages now.

        * A new tool systemd-journal-remote has been added to stream
          journal log messages across the network.

        * /sys/fs/cgroup/ is now mounted read-only after all cgroup
          controller trees are mounted into it. Note that the
          directories mounted beneath it are not read-only. This is a
          security measure and is particularly useful because glibc
          actually includes a search logic to pick any tmpfs it can
          find to implement shm_open() if /dev/shm is not available
          (which it might very well be in namespaced setups).

        * machinectl gained a new "poweroff" command to cleanly power
          down a local OS container.

        * The PrivateDevices= unit file setting will now also drop the
          CAP_MKNOD capability from the capability bound set, and
          imply DevicePolicy=closed.

        * PrivateDevices=, PrivateNetwork= and PrivateTmp= is now used
          comprehensively on all long-running systemd services where
          this is appropriate.

        * systemd-udevd will now run in a disassociated mount
          namespace. To mount directories from udev rules, make sure to
          pull in mount units via SYSTEMD_WANTS properties.

        * The kdbus support gained support for uploading policy into
          the kernel. sd-bus gained support for creating "monitoring"
          connections that can eavesdrop into all bus communication
          for debugging purposes.

        * Timestamps may now be specified in seconds since the UNIX
          epoch Jan 1st, 1970 by specifying "@" followed by the value
          in seconds.

        * Native tcpwrap support in systemd has been removed. tcpwrap
          is old code, not really maintained anymore and has serious
          shortcomings, and better options such as firewalls
          exist. For setups that require tcpwrap usage, please
          consider invoking your socket-activated service via tcpd,
          like on traditional inetd.

        * A new system.conf configuration option
          DefaultTimerAccuracySec= has been added that controls the
          default AccuracySec= setting of .timer units.

        * Timer units gained a new WakeSystem= switch. If enabled,
          timers configured this way will cause the system to resume
          from system suspend (if the system supports that, which most
          do these days).

        * Timer units gained a new Persistent= switch. If enabled,
          timers configured this way will save to disk when they have
          been last triggered. This information is then used on next
          reboot to possible execute overdue timer events, that
          could not take place because the system was powered off.
          This enables simple anacron-like behaviour for timer units.

        * systemctl's "list-timers" will now also list the time a
          timer unit was last triggered in addition to the next time
          it will be triggered.

        * systemd-networkd will now assign predictable IPv4LL
          addresses to its local interfaces.

        Contributions from: Brandon Philips, Daniel Buch, Daniel Mack,
        Dave Reisner, David Herrmann, Gerd Hoffmann, Greg
        Kroah-Hartman, Hendrik Brueckner, Jason St. John, Josh
        Triplett, Kay Sievers, Lennart Poettering, Marc-Antoine
        Perennou, Michael Marineau, Michael Olbrich, Miklos Vajna,
        Patrik Flykt, poma, Sebastian Thorarensen, Thomas Bächler,
        Thomas Hindoe Paaboel Andersen, Tomasz Torcz, Tom Gundersen,
        Umut Tezduyar Lindskog, Wieland Hoffmann, Zbigniew
        Jędrzejewski-Szmek

        — Berlin, 2014-03-25

CHANGES WITH 211:

        * A new unit file setting RestrictAddressFamilies= has been
          added to restrict which socket address families unit
          processes gain access to. This takes address family names
          like "AF_INET" or "AF_UNIX", and is useful to minimize the
          attack surface of services via exotic protocol stacks. This
          is built on seccomp system call filters.

        * Two new unit file settings RuntimeDirectory= and
          RuntimeDirectoryMode= have been added that may be used to
          manage a per-daemon runtime directories below /run. This is
          an alternative for setting up directory permissions with
          tmpfiles snippets, and has the advantage that the runtime
          directory's lifetime is bound to the daemon runtime and that
          the daemon starts up with an empty directory each time. This
          is particularly useful when writing services that drop
          privileges using the User= or Group= setting.

        * The DeviceAllow= unit setting now supports globbing for
          matching against device group names.

        * The systemd configuration file system.conf gained new
          settings DefaultCPUAccounting=, DefaultBlockIOAccounting=,
          DefaultMemoryAccounting= to globally turn on/off accounting
          for specific resources (cgroups) for all units. These
          settings may still be overridden individually in each unit
          though.

        * systemd-gpt-auto-generator is now able to discover /srv and
          root partitions in addition to /home and swap partitions. It
          also supports LUKS-encrypted partitions now. With this in
          place, automatic discovery of partitions to mount following
          the Discoverable Partitions Specification
          (https://systemd.io/DISCOVERABLE_PARTITIONS/)
          is now a lot more complete. This allows booting without
          /etc/fstab and without root= on the kernel command line on
          systems prepared appropriately.

        * systemd-nspawn gained a new --image= switch which allows
          booting up disk images and Linux installations on any block
          device that follow the Discoverable Partitions Specification
          (see above). This means that installations made with
          appropriately updated installers may now be started and
          deployed using container managers, completely
          unmodified. (We hope that libvirt-lxc will add support for
          this feature soon, too.)

        * systemd-nspawn gained a new --network-macvlan= setting to
          set up a private macvlan interface for the
          container. Similarly, systemd-networkd gained a new
          Kind=macvlan setting in .netdev files.

        * systemd-networkd now supports configuring local addresses
          using IPv4LL.

        * A new tool systemd-network-wait-online has been added to
          synchronously wait for network connectivity using
          systemd-networkd.

        * The sd-bus.h bus API gained a new sd_bus_track object for
          tracking the lifecycle of bus peers. Note that sd-bus.h is
          still not a public API though (unless you specify
          --enable-kdbus on the configure command line, which however
          voids your warranty and you get no API stability guarantee).

        * The $XDG_RUNTIME_DIR runtime directories for each user are
          now individual tmpfs instances, which has the benefit of
          introducing separate pools for each user, with individual
          size limits, and thus making sure that unprivileged clients
          can no longer negatively impact the system or other users by
          filling up their $XDG_RUNTIME_DIR. A new logind.conf setting
          RuntimeDirectorySize= has been introduced that allows
          controlling the default size limit for all users. It
          defaults to 10% of the available physical memory. This is no
          replacement for quotas on tmpfs though (which the kernel
          still does not support), as /dev/shm and /tmp are still
          shared resources used by both the system and unprivileged
          users.

        * logind will now automatically turn off automatic suspending
          on laptop lid close when more than one display is
          connected. This was previously expected to be implemented
          individually in desktop environments (such as GNOME),
          however has been added to logind now, in order to fix a
          boot-time race where a desktop environment might not have
          been started yet and thus not been able to take an inhibitor
          lock at the time where logind already suspends the system
          due to a closed lid.

        * logind will now wait at least 30s after each system
          suspend/resume cycle, and 3min after system boot before
          suspending the system due to a closed laptop lid. This
          should give USB docking stations and similar enough time to
          be probed and configured after system resume and boot in
          order to then act as suspend blocker.

        * systemd-run gained a new --property= setting which allows
          initialization of resource control properties (and others)
          for the created scope or service unit. Example: "systemd-run
          --property=BlockIOWeight=10 updatedb" may be used to run
          updatedb at a low block IO scheduling weight.

        * systemd-run's --uid=, --gid=, --setenv=, --setenv= switches
          now also work in --scope mode.

        * When systemd is compiled with kdbus support, basic support
          for enforced policies is now in place. (Note that enabling
          kdbus still voids your warranty and no API compatibility
          promises are made.)

        Contributions from: Andrey Borzenkov, Ansgar Burchardt, Armin
        K., Daniel Mack, Dave Reisner, David Herrmann, Djalal Harouni,
        Harald Hoyer, Henrik Grindal Bakken, Jasper St. Pierre, Kay
        Sievers, Kieran Clancy, Lennart Poettering, Lukas Nykryn,
        Mantas Mikulėnas, Marcel Holtmann, Mark Oteiza, Martin Pitt,
        Mike Gilbert, Peter Rajnoha, poma, Samuli Suominen, Stef
        Walter, Susant Sahani, Tero Roponen, Thomas Andersen, Thomas
        Bächler, Thomas Hindoe Paaboel Andersen, Tomasz Torcz, Tom
        Gundersen, Umut Tezduyar Lindskog, Uoti Urpala, Zachary Cook,
        Zbigniew Jędrzejewski-Szmek

        — Berlin, 2014-03-12

CHANGES WITH 210:

        * systemd will now relabel /dev after loading the SMACK policy
          according to SMACK rules.

        * A new unit file option AppArmorProfile= has been added to
          set the AppArmor profile for the processes of a unit.

        * A new condition check ConditionArchitecture= has been added
          to conditionalize units based on the system architecture, as
          reported by uname()'s "machine" field.

        * systemd-networkd now supports matching on the system
          virtualization, architecture, kernel command line, hostname
          and machine ID.

        * logind is now a lot more aggressive when suspending the
          machine due to a closed laptop lid. Instead of acting only
          on the lid close action, it will continuously watch the lid
          status and act on it. This is useful for laptops where the
          power button is on the outside of the chassis so that it can
          be reached without opening the lid (such as the Lenovo
          Yoga). On those machines, logind will now immediately
          re-suspend the machine if the power button has been
          accidentally pressed while the laptop was suspended and in a
          backpack or similar.

        * logind will now watch SW_DOCK switches and inhibit reaction
          to the lid switch if it is pressed. This means that logind
          will not suspend the machine anymore if the lid is closed
          and the system is docked, if the laptop supports SW_DOCK
          notifications via the input layer. Note that ACPI docking
          stations do not generate this currently. Also note that this
          logic is usually not fully sufficient and Desktop
          Environments should take a lid switch inhibitor lock when an
          external display is connected, as systemd will not watch
          this on its own.

        * nspawn will now make use of the devices cgroup controller by
          default, and only permit creation of and access to the usual
          API device nodes like /dev/null or /dev/random, as well as
          access to (but not creation of) the pty devices.

        * We will now ship a default .network file for
          systemd-networkd that automatically configures DHCP for
          network interfaces created by nspawn's --network-veth or
          --network-bridge= switches.

        * systemd will now understand the usual M, K, G, T suffixes
          according to SI conventions (i.e. to the base 1000) when
          referring to throughput and hardware metrics. It will stay
          with IEC conventions (i.e. to the base 1024) for software
          metrics, according to what is customary according to
          Wikipedia. We explicitly document which base applies for
          each configuration option.

        * The DeviceAllow= setting in unit files now supports a syntax to
          allow-list an entire group of devices node majors at once, based on
          the /proc/devices listing. For example, with the string "char-pts",
          it is now possible to allow-list all current and future pseudo-TTYs
          at once.

        * sd-event learned a new "post" event source. Event sources of
          this type are triggered by the dispatching of any event
          source of a type that is not "post". This is useful for
          implementing clean-up and check event sources that are
          triggered by other work being done in the program.

        * systemd-networkd is no longer statically enabled, but uses
          the usual [Install] sections so that it can be
          enabled/disabled using systemctl. It still is enabled by
          default however.

        * When creating a veth interface pair with systemd-nspawn, the
          host side will now be prefixed with "vb-" if
          --network-bridge= is used, and with "ve-" if --network-veth
          is used. This way, it is easy to distinguish these cases on
          the host, for example to apply different configuration to
          them with systemd-networkd.

        * The compatibility libraries for libsystemd-journal.so,
          libsystem-id128.so, libsystemd-login.so and
          libsystemd-daemon.so do not make use of IFUNC
          anymore. Instead, we now build libsystemd.so multiple times
          under these alternative names. This means that the footprint
          is drastically increased, but given that these are
          transitional compatibility libraries, this should not matter
          much. This change has been made necessary to support the ARM
          platform for these compatibility libraries, as the ARM
          toolchain is not really at the same level as the toolchain
          for other architectures like x86 and does not support
          IFUNC. Please make sure to use --enable-compat-libs only
          during a transitional period!

        * The .include syntax has been deprecated and is not documented
          anymore. Drop-in files in .d directories should be used instead.

        Contributions from: Andreas Fuchs, Armin K., Colin Walters,
        Daniel Mack, Dave Reisner, David Herrmann, Djalal Harouni,
        Holger Schurig, Jason A. Donenfeld, Jason St. John, Jasper
        St. Pierre, Kay Sievers, Lennart Poettering, Łukasz Stelmach,
        Marcel Holtmann, Michael Scherer, Michal Sekletar, Mike
        Gilbert, Samuli Suominen, Thomas Bächler, Thomas Hindoe
        Paaboel Andersen, Tom Gundersen, Umut Tezduyar Lindskog,
        Zbigniew Jędrzejewski-Szmek

        — Berlin, 2014-02-24

CHANGES WITH 209:

        * A new component "systemd-networkd" has been added that can
          be used to configure local network interfaces statically or
          via DHCP. It is capable of bringing up bridges, VLANs, and
          bonding. Currently, no hook-ups for interactive network
          configuration are provided. Use this for your initrd,
          container, embedded, or server setup if you need a simple,
          yet powerful, network configuration solution. This
          configuration subsystem is quite nifty, as it allows wildcard
          hotplug matching in interfaces. For example, with a single
          configuration snippet, you can configure that all Ethernet
          interfaces showing up are automatically added to a bridge,
          or similar. It supports link-sensing and more.

        * A new tool "systemd-socket-proxyd" has been added which can
          act as a bidirectional proxy for TCP sockets. This is
          useful for adding socket activation support to services that
          do not actually support socket activation, including virtual
          machines and the like.

        * Add a new tool to save/restore rfkill state on
          shutdown/boot.

        * Save/restore state of keyboard backlights in addition to
          display backlights on shutdown/boot.

        * udev learned a new SECLABEL{} construct to label device
          nodes with a specific security label when they appear. For
          now, only SECLABEL{selinux} is supported, but the syntax is
          prepared for additional security frameworks.

        * udev gained a new scheme to configure link-level attributes
          from files in /etc/systemd/network/*.link. These files can
          match against MAC address, device path, driver name and type,
          and will apply attributes like the naming policy, link speed,
          MTU, duplex settings, Wake-on-LAN settings, MAC address, MAC
          address assignment policy (randomized, …).

        * The configuration of network interface naming rules for
          "permanent interface names" has changed: a new NamePolicy=
          setting in the [Link] section of .link files determines the
          priority of possible naming schemes (onboard, slot, MAC,
          path). The default value of this setting is determined by
          /usr/lib/net/links/99-default.link. Old
          80-net-name-slot.rules udev configuration file has been
          removed, so local configuration overriding this file should
          be adapted to override 99-default.link instead.

        * When the User= switch is used in a unit file, also
          initialize $SHELL= based on the user database entry.

        * systemd no longer depends on libdbus. All communication is
          now done with sd-bus, systemd's low-level bus library
          implementation.

        * kdbus support has been added to PID 1 itself. When kdbus is
          enabled, this causes PID 1 to set up the system bus and
          enable support for a new ".busname" unit type that
          encapsulates bus name activation on kdbus. It works a little
          bit like ".socket" units, except for bus names. A new
          generator has been added that converts classic dbus1 service
          activation files automatically into native systemd .busname
          and .service units.

        * sd-bus: add a lightweight vtable implementation that allows
          defining objects on the bus with a simple static const
          vtable array of its methods, signals and properties.

        * systemd will not generate or install static dbus
          introspection data anymore to /usr/share/dbus-1/interfaces,
          as the precise format of these files is unclear, and
          nothing makes use of it.

        * A proxy daemon is now provided to proxy clients connecting
          via classic D-Bus AF_UNIX sockets to kdbus, to provide full
          compatibility with classic D-Bus.

        * A bus driver implementation has been added that supports the
          classic D-Bus bus driver calls on kdbus, also for
          compatibility purposes.

        * A new API "sd-event.h" has been added that implements a
          minimal event loop API built around epoll. It provides a
          couple of features that direct epoll usage is lacking:
          prioritization of events, scales to large numbers of timer
          events, per-event timer slack (accuracy), system-wide
          coalescing of timer events, exit handlers, watchdog
          supervision support using systemd's sd_notify() API, child
          process handling.

        * A new API "sd-rntl.h" has been added that provides an API
          around the route netlink interface of the kernel, similar in
          style to "sd-bus.h".

        * A new API "sd-dhcp-client.h" has been added that provides a
          small DHCPv4 client-side implementation. This is used by
          "systemd-networkd".

        * There is a new kernel command line option
          "systemd.restore_state=0|1". When set to "0", none of the
          systemd tools will restore saved runtime state to hardware
          devices. More specifically, the rfkill and backlight states
          are not restored.

        * The FsckPassNo= compatibility option in mount/service units
          has been removed. The fstab generator will now add the
          necessary dependencies automatically, and does not require
          PID1's support for that anymore.

        * journalctl gained a new switch, --list-boots, that lists
          recent boots with their times and boot IDs.

        * The various tools like systemctl, loginctl, timedatectl,
          busctl, systemd-run, … have gained a new switch "-M" to
          connect to a specific, local OS container (as direct
          connection, without requiring SSH). This works on any
          container that is registered with machined, such as those
          created by libvirt-lxc or nspawn.

        * systemd-run and systemd-analyze also gained support for "-H"
          to connect to remote hosts via SSH. This is particularly
          useful for systemd-run because it enables queuing of jobs
          onto remote systems.

        * machinectl gained a new command "login" to open a getty
          login in any local container. This works with any container
          that is registered with machined (such as those created by
          libvirt-lxc or nspawn), and which runs systemd inside.

        * machinectl gained a new "reboot" command that may be used to
          trigger a reboot on a specific container that is registered
          with machined. This works on any container that runs an init
          system of some kind.

        * systemctl gained a new "list-timers" command to print a nice
          listing of installed timer units with the times they elapse
          next.

        * Alternative reboot() parameters may now be specified on the
          "systemctl reboot" command line and are passed to the
          reboot() system call.

        * systemctl gained a new --job-mode= switch to configure the
          mode to queue a job with. This is a more generic version of
          --fail, --irreversible, and --ignore-dependencies, which are
          still available but not advertised anymore.

        * /etc/systemd/system.conf gained new settings to configure
          various default timeouts of units, as well as the default
          start limit interval and burst. These may still be overridden
          within each Unit.

        * PID1 will now export on the bus profile data of the security
          policy upload process (such as the SELinux policy upload to
          the kernel).

        * journald: when forwarding logs to the console, include
          timestamps (following the setting in
          /sys/module/printk/parameters/time).

        * OnCalendar= in timer units now understands the special
          strings "yearly" and "annually". (Both are equivalent)

        * The accuracy of timer units is now configurable with the new
          AccuracySec= setting. It defaults to 1min.

        * A new dependency type JoinsNamespaceOf= has been added that
          allows running two services within the same /tmp and network
          namespace, if PrivateNetwork= or PrivateTmp= are used.

        * A new command "cat" has been added to systemctl. It outputs
          the original unit file of a unit, and concatenates the
          contents of additional "drop-in" unit file snippets, so that
          the full configuration is shown.

        * systemctl now supports globbing on the various "list-xyz"
          commands, like "list-units" or "list-sockets", as well as on
          those commands which take multiple unit names.

        * journalctl's --unit= switch gained support for globbing.

        * All systemd daemons now make use of the watchdog logic so
          that systemd automatically notices when they hang.

        * If the $container_ttys environment variable is set,
          getty-generator will automatically spawn a getty for each
          listed tty. This is useful for container managers to request
          login gettys to be spawned on as many ttys as needed.

        * %h, %s, %U specifier support is not available anymore when
          used in unit files for PID 1. This is because NSS calls are
          not safe from PID 1. They stay available for --user
          instances of systemd, and as special case for the root user.

        * loginctl gained a new "--no-legend" switch to turn off output
          of the legend text.

        * The "sd-login.h" API gained three new calls:
          sd_session_is_remote(), sd_session_get_remote_user(),
          sd_session_get_remote_host() to query information about
          remote sessions.

        * The udev hardware database now also carries vendor/product
          information of SDIO devices.

        * The "sd-daemon.h" API gained a new sd_watchdog_enabled() to
          determine whether watchdog notifications are requested by
          the system manager.

        * Socket-activated per-connection services now include a
          short description of the connection parameters in the
          description.

        * tmpfiles gained a new "--boot" option. When this is not used,
          only lines where the command character is not suffixed with
          "!" are executed. When this option is specified, those
          options are executed too. This partitions tmpfiles
          directives into those that can be safely executed at any
          time, and those which should be run only at boot (for
          example, a line that creates /run/nologin).

        * A new API "sd-resolve.h" has been added which provides a simple
          asynchronous wrapper around glibc NSS hostname resolution
          calls, such as getaddrinfo(). In contrast to glibc's
          getaddrinfo_a(), it does not use signals. In contrast to most
          other asynchronous name resolution libraries, this one does
          not reimplement DNS, but reuses NSS, so that alternate
          hostname resolution systems continue to work, such as mDNS,
          LDAP, etc. This API is based on libasyncns, but it has been
          cleaned up for inclusion in systemd.

        * The APIs "sd-journal.h", "sd-login.h", "sd-id128.h",
          "sd-daemon.h" are no longer found in individual libraries
          libsystemd-journal.so, libsystemd-login.so,
          libsystemd-id128.so, libsystemd-daemon.so. Instead, we have
          merged them into a single library, libsystemd.so, which
          provides all symbols. The reason for this is cyclic
          dependencies, as these libraries tend to use each other's
          symbols. So far, we have managed to workaround that by linking
          a copy of a good part of our code into each of these
          libraries again and again, which, however, makes certain
          things hard to do, like sharing static variables. Also, it
          substantially increases footprint. With this change, there
          is only one library for the basic APIs systemd
          provides. Also, "sd-bus.h", "sd-memfd.h", "sd-event.h",
          "sd-rtnl.h", "sd-resolve.h", "sd-utf8.h" are found in this
          library as well, however are subject to the --enable-kdbus
          switch (see below). Note that "sd-dhcp-client.h" is not part
          of this library (this is because it only consumes, never
          provides, services of/to other APIs). To make the transition
          easy from the separate libraries to the unified one, we
          provide the --enable-compat-libs compile-time switch which
          will generate stub libraries that are compatible with the
          old ones but redirect all calls to the new one.

        * All of the kdbus logic and the new APIs "sd-bus.h",
          "sd-memfd.h", "sd-event.h", "sd-rtnl.h", "sd-resolve.h",
          and "sd-utf8.h" are compile-time optional via the
          "--enable-kdbus" switch, and they are not compiled in by
          default. To make use of kdbus, you have to explicitly enable
          the switch. Note however, that neither the kernel nor the
          userspace API for all of this is considered stable yet. We
          want to maintain the freedom to still change the APIs for
          now. By specifying this build-time switch, you acknowledge
          that you are aware of the instability of the current
          APIs.

        * Also, note that while kdbus is pretty much complete,
          it lacks one thing: proper policy support. This means you
          can build a fully working system with all features; however,
          it will be highly insecure. Policy support will be added in
          one of the next releases, at the same time that we will
          declare the APIs stable.

        * When the kernel command line argument "kdbus" is specified,
          systemd will automatically load the kdbus.ko kernel module. At
          this stage of development, it is only useful for testing kdbus
          and should not be used in production. Note: if "--enable-kdbus"
          is specified, and the kdbus.ko kernel module is available, and
          "kdbus" is added to the kernel command line, the entire system
          runs with kdbus instead of dbus-daemon, with the above mentioned
          problem of missing the system policy enforcement. Also a future
          version of kdbus.ko or a newer systemd will not be compatible with
          each other, and will unlikely be able to boot the machine if only
          one of them is updated.

        * systemctl gained a new "import-environment" command which
          uploads the caller's environment (or parts thereof) into the
          service manager so that it is inherited by services started
          by the manager. This is useful to upload variables like
          $DISPLAY into the user service manager.

        * A new PrivateDevices= switch has been added to service units
          which allows running a service with a namespaced /dev
          directory that does not contain any device nodes for
          physical devices. More specifically, it only includes devices
          such as /dev/null, /dev/urandom, and /dev/zero which are API
          entry points.

        * logind has been extended to support behaviour like VT
          switching on seats that do not support a VT. This makes
          multi-session available on seats that are not the first seat
          (seat0), and on systems where kernel support for VTs has
          been disabled at compile-time.

        * If a process holds a delay lock for system sleep or shutdown
          and fails to release it in time, we will now log its
          identity. This makes it easier to identify processes that
          cause slow suspends or power-offs.

        * When parsing /etc/crypttab, support for a new key-slot=
          option as supported by Debian is added. It allows indicating
          which LUKS slot to use on disk, speeding up key loading.

        * The sd_journal_sendv() API call has been checked and
          officially declared to be async-signal-safe so that it may
          be invoked from signal handlers for logging purposes.

        * Boot-time status output is now enabled automatically after a
          short timeout if boot does not progress, in order to give
          the user an indication what she or he is waiting for.

        * The boot-time output has been improved to show how much time
          remains until jobs expire.

        * The KillMode= switch in service units gained a new possible
          value "mixed". If set, and the unit is shut down, then the
          initial SIGTERM signal is sent only to the main daemon
          process, while the following SIGKILL signal is sent to
          all remaining processes of the service.

        * When a scope unit is registered, a new property "Controller"
          may be set. If set to a valid bus name, systemd will send a
          RequestStop() signal to this name when it would like to shut
          down the scope. This may be used to hook manager logic into
          the shutdown logic of scope units. Also, scope units may now
          be put in a special "abandoned" state, in which case the
          manager process which created them takes no further
          responsibilities for it.

        * When reading unit files, systemd will now verify
          the access mode of these files, and warn about certain
          suspicious combinations. This has been added to make it
          easier to track down packaging bugs where unit files are
          marked executable or world-writable.

        * systemd-nspawn gained a new "--setenv=" switch to set
          container-wide environment variables. The similar option in
          systemd-activate was renamed from "--environment=" to
          "--setenv=" for consistency.

        * systemd-nspawn has been updated to create a new kdbus domain
          for each container that is invoked, thus allowing each
          container to have its own set of system and user buses,
          independent of the host.

        * systemd-nspawn gained a new --drop-capability= switch to run
          the container with less capabilities than the default. Both
          --drop-capability= and --capability= now take the special
          string "all" for dropping or keeping all capabilities.

        * systemd-nspawn gained new switches for executing containers
          with specific SELinux labels set.

        * systemd-nspawn gained a new --quiet switch to not generate
          any additional output but the container's own console
          output.

        * systemd-nspawn gained a new --share-system switch to run a
          container without PID namespacing enabled.

        * systemd-nspawn gained a new --register= switch to control
          whether the container is registered with systemd-machined or
          not. This is useful for containers that do not run full
          OS images, but only specific apps.

        * systemd-nspawn gained a new --keep-unit which may be used
          when invoked as the only program from a service unit, and
          results in registration of the unit service itself in
          systemd-machined, instead of a newly opened scope unit.

        * systemd-nspawn gained a new --network-interface= switch for
          moving arbitrary interfaces to the container. The new
          --network-veth switch creates a virtual Ethernet connection
          between host and container. The new --network-bridge=
          switch then allows assigning the host side of this virtual
          Ethernet connection to a bridge device.

        * systemd-nspawn gained a new --personality= switch for
          setting the kernel personality for the container. This is
          useful when running a 32-bit container on a 64-bit host. A
          similar option Personality= is now also available for service
          units to use.

        * logind will now also track a "Desktop" identifier for each
          session which encodes the desktop environment of it. This is
          useful for desktop environments that want to identify
          multiple running sessions of itself easily.

        * A new SELinuxContext= setting for service units has been
          added that allows setting a specific SELinux execution
          context for a service.

        * Most systemd client tools will now honour $SYSTEMD_LESS for
          settings of the "less" pager. By default, these tools will
          override $LESS to allow certain operations to work, such as
          jump-to-the-end. With $SYSTEMD_LESS, it is possible to
          influence this logic.

        * systemd's "seccomp" hook-up has been changed to make use of
          the libseccomp library instead of using its own
          implementation. This has benefits for portability among
          other things.

        * For usage together with SystemCallFilter=, a new
          SystemCallErrorNumber= setting has been introduced that
          allows configuration of a system error number to be returned
          on filtered system calls, instead of immediately killing the
          process. Also, SystemCallArchitectures= has been added to
          limit access to system calls of a particular architecture
          (in order to turn off support for unused secondary
          architectures). There is also a global
          SystemCallArchitectures= setting in system.conf now to turn
          off support for non-native system calls system-wide.

        * systemd requires a kernel with a working name_to_handle_at(),
          please see the kernel config requirements in the README file.

        Contributions from: Adam Williamson, Alex Jia, Anatol Pomozov,
        Ansgar Burchardt, AppleBloom, Auke Kok, Bastien Nocera,
        Chengwei Yang, Christian Seiler, Colin Guthrie, Colin Walters,
        Cristian Rodríguez, Daniel Buch, Daniele Medri, Daniel J
        Walsh, Daniel Mack, Dan McGee, Dave Reisner, David Coppa,
        David Herrmann, David Strauss, Djalal Harouni, Dmitry Pisklov,
        Elia Pinto, Florian Weimer, George McCollister, Goffredo
        Baroncelli, Greg Kroah-Hartman, Hendrik Brueckner, Igor
        Zhbanov, Jan Engelhardt, Jan Janssen, Jason A. Donenfeld,
        Jason St. John, Jasper St. Pierre, Jóhann B. Guðmundsson, Jose
        Ignacio Naranjo, Karel Zak, Kay Sievers, Kristian Høgsberg,
        Lennart Poettering, Lubomir Rintel, Lukas Nykryn, Lukasz
        Skalski, Łukasz Stelmach, Luke Shumaker, Mantas Mikulėnas,
        Marc-Antoine Perennou, Marcel Holtmann, Marcos Felipe Rasia de
        Mello, Marko Myllynen, Martin Pitt, Matthew Monaco, Michael
        Marineau, Michael Scherer, Michał Górny, Michal Sekletar,
        Michele Curti, Oleksii Shevchuk, Olivier Brunel, Patrik Flykt,
        Pavel Holica, Raudi, Richard Marko, Ronny Chevalier, Sébastien
        Luttringer, Sergey Ptashnick, Shawn Landden, Simon Peeters,
        Stefan Beller, Susant Sahani, Sylvain Plantefeve, Sylvia Else,
        Tero Roponen, Thomas Bächler, Thomas Hindoe Paaboel Andersen,
        Tom Gundersen, Umut Tezduyar Lindskog, Unai Uribarri, Václav
        Pavlín, Vincent Batts, WaLyong Cho, William Giokas, Yang
        Zhiyong, Yin Kangkai, Yuxuan Shui, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2014-02-20

CHANGES WITH 208:

        * logind has gained support for facilitating privileged input
          and drm device access for unprivileged clients. This work is
          useful to allow Wayland display servers (and similar
          programs, such as kmscon) to run under the user's ID and
          access input and drm devices which are normally
          protected. When this is used (and the kernel is new enough)
          logind will "mute" IO on the file descriptors passed to
          Wayland as long as it is in the background and "unmute" it
          if it returns into the foreground. This allows secure
          session switching without allowing background sessions to
          eavesdrop on input and display data. This also introduces
          session switching support if VT support is turned off in the
          kernel, and on seats that are not seat0.

        * A new kernel command line option luks.options= is understood
          now which allows specifying LUKS options for usage for LUKS
          encrypted partitions specified with luks.uuid=.

        * tmpfiles.d(5) snippets may now use specifier expansion in
          path names. More specifically %m, %b, %H, %v, are now
          replaced by the local machine id, boot id, hostname, and
          kernel version number.

        * A new tmpfiles.d(5) command "m" has been introduced which
          may be used to change the owner/group/access mode of a file
          or directory if it exists, but do nothing if it does not.

        * This release removes high-level support for the
          MemorySoftLimit= cgroup setting. The underlying kernel
          cgroup attribute memory.soft_limit= is currently badly
          designed and likely to be removed from the kernel API in its
          current form, hence we should not expose it for now.

        * The memory.use_hierarchy cgroup attribute is now enabled for
          all cgroups systemd creates in the memory cgroup
          hierarchy. This option is likely to be come the built-in
          default in the kernel anyway, and the non-hierarchical mode
          never made much sense in the intrinsically hierarchical
          cgroup system.

        * A new field _SYSTEMD_SLICE= is logged along with all journal
          messages containing the slice a message was generated
          from. This is useful to allow easy per-customer filtering of
          logs among other things.

        * systemd-journald will no longer adjust the group of journal
          files it creates to the "systemd-journal" group. Instead we
          rely on the journal directory to be owned by the
          "systemd-journal" group, and its setgid bit set, so that the
          kernel file system layer will automatically enforce that
          journal files inherit this group assignment. The reason for
          this change is that we cannot allow NSS look-ups from
          journald which would be necessary to resolve
          "systemd-journal" to a numeric GID, because this might
          create deadlocks if NSS involves synchronous queries to
          other daemons (such as nscd, or sssd) which in turn are
          logging clients of journald and might block on it, which
          would then dead lock. A tmpfiles.d(5) snippet included in
          systemd will make sure the setgid bit and group are
          properly set on the journal directory if it exists on every
          boot. However, we recommend adjusting it manually after
          upgrades too (or from RPM scriptlets), so that the change is
          not delayed until next reboot.

        * Backlight and random seed files in /var/lib/ have moved into
          the /var/lib/systemd/ directory, in order to centralize all
          systemd generated files in one directory.

        * Boot time performance measurements (as displayed by
          "systemd-analyze" for example) will now read ACPI 5.0 FPDT
          performance information if that's available to determine how
          much time BIOS and boot loader initialization required. With
          a sufficiently new BIOS you hence no longer need to boot
          with Gummiboot to get access to such information.

        Contributions from: Andrey Borzenkov, Chen Jie, Colin Walters,
        Cristian Rodríguez, Dave Reisner, David Herrmann, David
        Mackey, David Strauss, Eelco Dolstra, Evan Callicoat, Gao
        feng, Harald Hoyer, Jimmie Tauriainen, Kay Sievers, Lennart
        Poettering, Lukas Nykryn, Mantas Mikulėnas, Martin Pitt,
        Michael Scherer, Michał Górny, Mike Gilbert, Patrick McCarty,
        Sebastian Ott, Tom Gundersen, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2013-10-02

CHANGES WITH 207:

        * The Restart= option for services now understands a new
          on-watchdog setting, which will restart the service
          automatically if the service stops sending out watchdog keep
          alive messages (as configured with WatchdogSec=).

        * The getty generator (which is responsible for bringing up a
          getty on configured serial consoles) will no longer only
          start a getty on the primary kernel console but on all
          others, too. This makes the order in which console= is
          specified on the kernel command line less important.

        * libsystemd-logind gained a new sd_session_get_vt() call to
          retrieve the VT number of a session.

        * If the option "tries=0" is set for an entry of /etc/crypttab
          its passphrase is queried indefinitely instead of any
          maximum number of tries.

        * If a service with a configure PID file terminates its PID
          file will now be removed automatically if it still exists
          afterwards. This should put an end to stale PID files.

        * systemd-run will now also take relative binary path names
          for execution and no longer insists on absolute paths.

        * InaccessibleDirectories= and ReadOnlyDirectories= now take
          paths that are optionally prefixed with "-" to indicate that
          it should not be considered a failure if they do not exist.

        * journalctl -o (and similar commands) now understands a new
          output mode "short-precise", it is similar to "short" but
          shows timestamps with usec accuracy.

        * The option "discard" (as known from Debian) is now
          synonymous to "allow-discards" in /etc/crypttab. In fact,
          "discard" is preferred now (since it is easier to remember
          and type).

        * Some licensing clean-ups were made, so that more code is now
          LGPL-2.1 licensed than before.

        * A minimal tool to save/restore the display backlight
          brightness across reboots has been added. It will store the
          backlight setting as late as possible at shutdown, and
          restore it as early as possible during reboot.

        * A logic to automatically discover and enable home and swap
          partitions on GPT disks has been added. With this in place
          /etc/fstab becomes optional for many setups as systemd can
          discover certain partitions located on the root disk
          automatically. Home partitions are recognized under their
          GPT type ID 933ac7e12eb44f13b8440e14e2aef915. Swap
          partitions are recognized under their GPT type ID
          0657fd6da4ab43c484e50933c84b4f4f.

        * systemd will no longer pass any environment from the kernel
          or initrd to system services. If you want to set an
          environment for all services, do so via the kernel command
          line systemd.setenv= assignment.

        * The systemd-sysctl tool no longer natively reads the file
          /etc/sysctl.conf. If desired, the file should be symlinked
          from /etc/sysctl.d/99-sysctl.conf. Apart from providing
          legacy support by a symlink rather than built-in code, it
          also makes the otherwise hidden order of application of the
          different files visible. (Note that this partly reverts to a
          pre-198 application order of sysctl knobs!)

        * The "systemctl set-log-level" and "systemctl dump" commands
          have been moved to systemd-analyze.

        * systemd-run learned the new --remain-after-exit switch,
          which causes the scope unit not to be cleaned up
          automatically after the process terminated.

        * tmpfiles learned a new --exclude-prefix= switch to exclude
          certain paths from operation.

        * journald will now automatically flush all messages to disk
          as soon as a message at the log level CRIT, ALERT or EMERG
          is received.

        Contributions from: Andrew Cook, Brandon Philips, Christian
        Hesse, Christoph Junghans, Colin Walters, Daniel Schaal,
        Daniel Wallace, Dave Reisner, David Herrmann, Gao feng, George
        McCollister, Giovanni Campagna, Hannes Reinecke, Harald Hoyer,
        Herczeg Zsolt, Holger Hans Peter Freyther, Jan Engelhardt,
        Jesper Larsen, Kay Sievers, Khem Raj, Lennart Poettering,
        Lukas Nykryn, Maciej Wereski, Mantas Mikulėnas, Marcel
        Holtmann, Martin Pitt, Michael Biebl, Michael Marineau,
        Michael Scherer, Michael Stapelberg, Michal Sekletar, Michał
        Górny, Olivier Brunel, Ondrej Balaz, Ronny Chevalier, Shawn
        Landden, Steven Hiscocks, Thomas Bächler, Thomas Hindoe
        Paaboel Andersen, Tom Gundersen, Umut Tezduyar, WANG Chao,
        William Giokas, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2013-09-13

CHANGES WITH 206:

        * The documentation has been updated to cover the various new
          concepts introduced with 205.

        * Unit files now understand the new %v specifier which
          resolves to the kernel version string as returned by "uname
          -r".

        * systemctl now supports filtering the unit list output by
          load state, active state and sub state, using the new
          --state= parameter.

        * "systemctl status" will now show the results of the
          condition checks (like ConditionPathExists= and similar) of
          the last start attempts of the unit. They are also logged to
          the journal.

        * "journalctl -b" may now be used to look for boot output of a
          specific boot. Try "journalctl -b -1" for the previous boot,
          but the syntax is substantially more powerful.

        * "journalctl --show-cursor" has been added which prints the
          cursor string the last shown log line. This may then be used
          with the new "journalctl --after-cursor=" switch to continue
          browsing logs from that point on.

        * "journalctl --force" may now be used to force regeneration
          of an FSS key.

        * Creation of "dead" device nodes has been moved from udev
          into kmod and tmpfiles. Previously, udev would read the kmod
          databases to pre-generate dead device nodes based on meta
          information contained in kernel modules, so that these would
          be auto-loaded on access rather then at boot. As this
          does not really have much to do with the exposing actual
          kernel devices to userspace this has always been slightly
          alien in the udev codebase. Following the new scheme kmod
          will now generate a runtime snippet for tmpfiles from the
          module meta information and it now is tmpfiles' job to the
          create the nodes. This also allows overriding access and
          other parameters for the nodes using the usual tmpfiles
          facilities. As side effect this allows us to remove the
          CAP_SYS_MKNOD capability bit from udevd entirely.

        * logind's device ACLs may now be applied to these "dead"
          devices nodes too, thus finally allowing managed access to
          devices such as /dev/snd/sequencer without loading the
          backing module right-away.

        * A new RPM macro has been added that may be used to apply
          tmpfiles configuration during package installation.

        * systemd-detect-virt and ConditionVirtualization= now can
          detect User-Mode-Linux machines (UML).

        * journald will now implicitly log the effective capabilities
          set of processes in the message metadata.

        * systemd-cryptsetup has gained support for TrueCrypt volumes.

        * The initrd interface has been simplified (more specifically,
          support for passing performance data via environment
          variables and fsck results via files in /run has been
          removed). These features were non-essential, and are
          nowadays available in a much nicer way by having systemd in
          the initrd serialize its state and have the hosts systemd
          deserialize it again.

        * The udev "keymap" data files and tools to apply keyboard
          specific mappings of scan to key codes, and force-release
          scan code lists have been entirely replaced by a udev
          "keyboard" builtin and a hwdb data file.

        * systemd will now honour the kernel's "quiet" command line
          argument also during late shutdown, resulting in a
          completely silent shutdown when used.

        * There's now an option to control the SO_REUSEPORT socket
          option in .socket units.

        * Instance units will now automatically get a per-template
          subslice of system.slice unless something else is explicitly
          configured. For example, instances of sshd@.service will now
          implicitly be placed in system-sshd.slice rather than
          system.slice as before.

        * Test coverage support may now be enabled at build time.

        Contributions from: Dave Reisner, Frederic Crozat, Harald
        Hoyer, Holger Hans Peter Freyther, Jan Engelhardt, Jan
        Janssen, Jason St. John, Jesper Larsen, Kay Sievers, Lennart
        Poettering, Lukas Nykryn, Maciej Wereski, Martin Pitt, Michael
        Olbrich, Ramkumar Ramachandra, Ross Lagerwall, Shawn Landden,
        Thomas H.P. Andersen, Tom Gundersen, Tomasz Torcz, William
        Giokas, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2013-07-23

CHANGES WITH 205:

        * Two new unit types have been introduced:

          Scope units are very similar to service units, however, are
          created out of pre-existing processes — instead of PID 1
          forking off the processes. By using scope units it is
          possible for system services and applications to group their
          own child processes (worker processes) in a powerful way
          which then maybe used to organize them, or kill them
          together, or apply resource limits on them.

          Slice units may be used to partition system resources in an
          hierarchical fashion and then assign other units to them. By
          default there are now three slices: system.slice (for all
          system services), user.slice (for all user sessions),
          machine.slice (for VMs and containers).

          Slices and scopes have been introduced primarily in
          context of the work to move cgroup handling to a
          single-writer scheme, where only PID 1
          creates/removes/manages cgroups.

        * There's a new concept of "transient" units. In contrast to
          normal units these units are created via an API at runtime,
          not from configuration from disk. More specifically this
          means it is now possible to run arbitrary programs as
          independent services, with all execution parameters passed
          in via bus APIs rather than read from disk. Transient units
          make systemd substantially more dynamic then it ever was,
          and useful as a general batch manager.

        * logind has been updated to make use of scope and slice units
          for managing user sessions. As a user logs in he will get
          his own private slice unit, to which all sessions are added
          as scope units. We also added support for automatically
          adding an instance of user@.service for the user into the
          slice. Effectively logind will no longer create cgroup
          hierarchies on its own now, it will defer entirely to PID 1
          for this by means of scope, service and slice units. Since
          user sessions this way become entities managed by PID 1
          the output of "systemctl" is now a lot more comprehensive.

        * A new mini-daemon "systemd-machined" has been added which
          may be used by virtualization managers to register local
          VMs/containers. nspawn has been updated accordingly, and
          libvirt will be updated shortly. machined will collect a bit
          of meta information about the VMs/containers, and assign
          them their own scope unit (see above). The collected
          meta-data is then made available via the "machinectl" tool,
          and exposed in "ps" and similar tools. machined/machinectl
          is compile-time optional.

        * As discussed earlier, the low-level cgroup configuration
          options ControlGroup=, ControlGroupModify=,
          ControlGroupPersistent=, ControlGroupAttribute= have been
          removed. Please use high-level attribute settings instead as
          well as slice units.

        * A new bus call SetUnitProperties() has been added to alter
          various runtime parameters of a unit. This is primarily
          useful to alter cgroup parameters dynamically in a nice way,
          but will be extended later on to make more properties
          modifiable at runtime. systemctl gained a new set-properties
          command that wraps this call.

        * A new tool "systemd-run" has been added which can be used to
          run arbitrary command lines as transient services or scopes,
          while configuring a number of settings via the command
          line. This tool is currently very basic, however already
          very useful. We plan to extend this tool to even allow
          queuing of execution jobs with time triggers from the
          command line, similar in fashion to "at".

        * nspawn will now inform the user explicitly that kernels with
          audit enabled break containers, and suggest the user to turn
          off audit.

        * Support for detecting the IMA and AppArmor security
          frameworks with ConditionSecurity= has been added.

        * journalctl gained a new "-k" switch for showing only kernel
          messages, mimicking dmesg output; in addition to "--user"
          and "--system" switches for showing only user's own logs
          and system logs.

        * systemd-delta can now show information about drop-in
          snippets extending unit files.

        * libsystemd-bus has been substantially updated but is still
          not available as public API.

        * systemd will now look for the "debug" argument on the kernel
          command line and enable debug logging, similar to what
          "systemd.log_level=debug" already did before.

        * "systemctl set-default", "systemctl get-default" has been
          added to configure the default.target symlink, which
          controls what to boot into by default.

        * "systemctl set-log-level" has been added as a convenient
          way to raise and lower systemd logging threshold.

        * "systemd-analyze plot" will now show the time the various
          generators needed for execution, as well as information
          about the unit file loading.

        * libsystemd-journal gained a new sd_journal_open_files() call
          for opening specific journal files. journactl also gained a
          new switch to expose this new functionality. Previously we
          only supported opening all files from a directory, or all
          files from the system, as opening individual files only is
          racy due to journal file rotation.

        * systemd gained the new DefaultEnvironment= setting in
          /etc/systemd/system.conf to set environment variables for
          all services.

        * If a privileged process logs a journal message with the
          OBJECT_PID= field set, then journald will automatically
          augment this with additional OBJECT_UID=, OBJECT_GID=,
          OBJECT_COMM=, OBJECT_EXE=, … fields. This is useful if
          system services want to log events about specific client
          processes. journactl/systemctl has been updated to make use
          of this information if all log messages regarding a specific
          unit is requested.

        Contributions from: Auke Kok, Chengwei Yang, Colin Walters,
        Cristian Rodríguez, Daniel Albers, Daniel Wallace, Dave
        Reisner, David Coppa, David King, David Strauss, Eelco
        Dolstra, Gabriel de Perthuis, Harald Hoyer, Jan Alexander
        Steffens, Jan Engelhardt, Jan Janssen, Jason St. John, Johan
        Heikkilä, Karel Zak, Karol Lewandowski, Kay Sievers, Lennart
        Poettering, Lukas Nykryn, Mantas Mikulėnas, Marius Vollmer,
        Martin Pitt, Michael Biebl, Michael Olbrich, Michael Tremer,
        Michal Schmidt, Michał Bartoszkiewicz, Nirbheek Chauhan,
        Pierre Neidhardt, Ross Burton, Ross Lagerwall, Sean McGovern,
        Thomas Hindoe Paaboel Andersen, Tom Gundersen, Umut Tezduyar,
        Václav Pavlín, Zachary Cook, Zbigniew Jędrzejewski-Szmek,
        Łukasz Stelmach, 장동준

CHANGES WITH 204:

        * The Python bindings gained some minimal support for the APIs
          exposed by libsystemd-logind.

        * ConditionSecurity= gained support for detecting SMACK. Since
          this condition already supports SELinux and AppArmor we only
          miss IMA for this. Patches welcome!

        Contributions from: Karol Lewandowski, Lennart Poettering,
        Zbigniew Jędrzejewski-Szmek

CHANGES WITH 203:

        * systemd-nspawn will now create /etc/resolv.conf if
          necessary, before bind-mounting the host's file onto it.

        * systemd-nspawn will now store meta information about a
          container on the container's cgroup as extended attribute
          fields, including the root directory.

        * The cgroup hierarchy has been reworked in many ways. All
          objects any of the components systemd creates in the cgroup
          tree are now suffixed. More specifically, user sessions are
          now placed in cgroups suffixed with ".session", users in
          cgroups suffixed with ".user", and nspawn containers in
          cgroups suffixed with ".nspawn". Furthermore, all cgroup
          names are now escaped in a simple scheme to avoid collision
          of userspace object names with kernel filenames. This work
          is preparation for making these objects relocatable in the
          cgroup tree, in order to allow easy resource partitioning of
          these objects without causing naming conflicts.

        * systemctl list-dependencies gained the new switches
          --plain, --reverse, --after and --before.

        * systemd-inhibit now shows the process name of processes that
          have taken an inhibitor lock.

        * nss-myhostname will now also resolve "localhost"
          implicitly. This makes /etc/hosts an optional file and
          nicely handles that on IPv6 ::1 maps to both "localhost" and
          the local hostname.

        * libsystemd-logind.so gained a new call
          sd_get_machine_names() to enumerate running containers and
          VMs (currently only supported by very new libvirt and
          nspawn). sd_login_monitor can now be used to watch
          VMs/containers coming and going.

        * .include is not allowed recursively anymore, and only in
          unit files. Usually it is better to use drop-in snippets in
          .d/*.conf anyway, as introduced with systemd 198.

        * systemd-analyze gained a new "critical-chain" command that
          determines the slowest chain of units run during system
          boot-up. It is very useful for tracking down where
          optimizing boot time is the most beneficial.

        * systemd will no longer allow manipulating service paths in
          the name=systemd:/system cgroup tree using ControlGroup= in
          units. (But is still fine with it in all other dirs.)

        * There's a new systemd-nspawn@.service service file that may
          be used to easily run nspawn containers as system
          services. With the container's root directory in
          /var/lib/container/foobar it is now sufficient to run
          "systemctl start systemd-nspawn@foobar.service" to boot it.

        * systemd-cgls gained a new parameter "--machine" to list only
          the processes within a certain container.

        * ConditionSecurity= now can check for "apparmor". We still
          are lacking checks for SMACK and IMA for this condition
          check though. Patches welcome!

        * A new configuration file /etc/systemd/sleep.conf has been
          added that may be used to configure which kernel operation
          systemd is supposed to execute when "suspend", "hibernate"
          or "hybrid-sleep" is requested. This makes the new kernel
          "freeze" state accessible to the user.

        * ENV{SYSTEMD_WANTS} in udev rules will now implicitly escape
          the passed argument if applicable.

        Contributions from: Auke Kok, Colin Guthrie, Colin Walters,
        Cristian Rodríguez, Daniel Buch, Daniel Wallace, Dave Reisner,
        Evangelos Foutras, Greg Kroah-Hartman, Harald Hoyer, Josh
        Triplett, Kay Sievers, Lennart Poettering, Lukas Nykryn,
        MUNEDA Takahiro, Mantas Mikulėnas, Mirco Tischler, Nathaniel
        Chen, Nirbheek Chauhan, Ronny Chevalier, Ross Lagerwall, Tom
        Gundersen, Umut Tezduyar, Ville Skyttä, Zbigniew
        Jędrzejewski-Szmek

CHANGES WITH 202:

        * The output of 'systemctl list-jobs' got some polishing. The
          '--type=' argument may now be passed more than once. A new
          command 'systemctl list-sockets' has been added which shows
          a list of kernel sockets systemd is listening on with the
          socket units they belong to, plus the units these socket
          units activate.

        * The experimental libsystemd-bus library got substantial
          updates to work in conjunction with the (also experimental)
          kdbus kernel project. It works well enough to exchange
          messages with some sophistication. Note that kdbus is not
          ready yet, and the library is mostly an elaborate test case
          for now, and not installable.

        * systemd gained a new unit 'systemd-static-nodes.service'
          that generates static device nodes earlier during boot, and
          can run in conjunction with udev.

        * libsystemd-login gained a new call sd_pid_get_user_unit()
          to retrieve the user systemd unit a process is running
          in. This is useful for systems where systemd is used as
          session manager.

        * systemd-nspawn now places all containers in the new /machine
          top-level cgroup directory in the name=systemd
          hierarchy. libvirt will soon do the same, so that we get a
          uniform separation of /system, /user and /machine for system
          services, user processes and containers/virtual
          machines. This new cgroup hierarchy is also useful to stick
          stable names to specific container instances, which can be
          recognized later this way (this name may be controlled
          via systemd-nspawn's new -M switch). libsystemd-login also
          gained a new call sd_pid_get_machine_name() to retrieve the
          name of the container/VM a specific process belongs to.

        * bootchart can now store its data in the journal.

        * libsystemd-journal gained a new call
          sd_journal_add_conjunction() for AND expressions to the
          matching logic. This can be used to express more complex
          logical expressions.

        * journactl can now take multiple --unit= and --user-unit=
          switches.

        * The cryptsetup logic now understands the "luks.key=" kernel
          command line switch for specifying a file to read the
          decryption key from. Also, if a configured key file is not
          found the tool will now automatically fall back to prompting
          the user.

        * Python systemd.journal module was updated to wrap recently
          added functions from libsystemd-journal. The interface was
          changed to bring the low level interface in s.j._Reader
          closer to the C API, and the high level interface in
          s.j.Reader was updated to wrap and convert all data about
          an entry.

        Contributions from: Anatol Pomozov, Auke Kok, Harald Hoyer,
        Henrik Grindal Bakken, Josh Triplett, Kay Sievers, Lennart
        Poettering, Lukas Nykryn, Mantas Mikulėnas Marius Vollmer,
        Martin Jansa, Martin Pitt, Michael Biebl, Michal Schmidt,
        Mirco Tischler, Pali Rohar, Simon Peeters, Steven Hiscocks,
        Tom Gundersen, Zbigniew Jędrzejewski-Szmek

CHANGES WITH 201:

        * journalctl --update-catalog now understands a new --root=
          option to operate on catalogs found in a different root
          directory.

        * During shutdown after systemd has terminated all running
          services a final killing loop kills all remaining left-over
          processes. We will now print the name of these processes
          when we send SIGKILL to them, since this usually indicates a
          problem.

        * If /etc/crypttab refers to password files stored on
          configured mount points automatic dependencies will now be
          generated to ensure the specific mount is established first
          before the key file is attempted to be read.

        * 'systemctl status' will now show information about the
          network sockets a socket unit is listening on.

        * 'systemctl status' will also shown information about any
          drop-in configuration file for units. (Drop-In configuration
          files in this context are files such as
          /etc/systemd/system/foobar.service.d/*.conf)

        * systemd-cgtop now optionally shows summed up CPU times of
          cgroups. Press '%' while running cgtop to switch between
          percentage and absolute mode. This is useful to determine
          which cgroups use up the most CPU time over the entire
          runtime of the system. systemd-cgtop has also been updated
          to be 'pipeable' for processing with further shell tools.

        * 'hostnamectl set-hostname' will now allow setting of FQDN
          hostnames.

        * The formatting and parsing of time span values has been
          changed. The parser now understands fractional expressions
          such as "5.5h". The formatter will now output fractional
          expressions for all time spans under 1min, i.e. "5.123456s"
          rather than "5s 123ms 456us". For time spans under 1s
          millisecond values are shown, for those under 1ms
          microsecond values are shown. This should greatly improve
          all time-related output of systemd.

        * libsystemd-login and libsystemd-journal gained new
          functions for querying the poll() events mask and poll()
          timeout value for integration into arbitrary event
          loops.

        * localectl gained the ability to list available X11 keymaps
          (models, layouts, variants, options).

        * 'systemd-analyze dot' gained the ability to filter for
          specific units via shell-style globs, to create smaller,
          more useful graphs. I.e. it is now possible to create simple
          graphs of all the dependencies between only target units, or
          of all units that Avahi has dependencies with.

        Contributions from: Cristian Rodríguez, Dr. Tilmann Bubeck,
        Harald Hoyer, Holger Hans Peter Freyther, Kay Sievers, Kelly
        Anderson, Koen Kooi, Lennart Poettering, Maksim Melnikau,
        Marc-Antoine Perennou, Marius Vollmer, Martin Pitt, Michal
        Schmidt, Oleksii Shevchuk, Ronny Chevalier, Simon McVittie,
        Steven Hiscocks, Thomas Weißschuh, Umut Tezduyar, Václav
        Pavlín, Zbigniew Jędrzejewski-Szmek, Łukasz Stelmach

CHANGES WITH 200:

        * The boot-time readahead implementation for rotating media
          will now read the read-ahead data in multiple passes which
          consist of all read requests made in equidistant time
          intervals. This means instead of strictly reading read-ahead
          data in its physical order on disk we now try to find a
          middle ground between physical and access time order.

        * /etc/os-release files gained a new BUILD_ID= field for usage
          on operating systems that provide continuous builds of OS
          images.

        Contributions from: Auke Kok, Eelco Dolstra, Kay Sievers,
        Lennart Poettering, Lukas Nykryn, Martin Pitt, Václav Pavlín
        William Douglas, Zbigniew Jędrzejewski-Szmek

CHANGES WITH 199:

        * systemd-python gained an API exposing libsystemd-daemon.

        * The SMACK setup logic gained support for uploading CIPSO
          security policy.

        * Behaviour of PrivateTmp=, ReadWriteDirectories=,
          ReadOnlyDirectories= and InaccessibleDirectories= has
          changed. The private /tmp and /var/tmp directories are now
          shared by all processes of a service (which means
          ExecStartPre= may now leave data in /tmp that ExecStart= of
          the same service can still access). When a service is
          stopped its temporary directories are immediately deleted
          (normal clean-up with tmpfiles is still done in addition to
          this though).

        * By default, systemd will now set a couple of sysctl
          variables in the kernel: the safe sysrq options are turned
          on, IP route verification is turned on, and source routing
          disabled. The recently added hardlink and softlink
          protection of the kernel is turned on. These settings should
          be reasonably safe, and good defaults for all new systems.

        * The predictable network naming logic may now be turned off
          with a new kernel command line switch: net.ifnames=0.

        * A new libsystemd-bus module has been added that implements a
          pretty complete D-Bus client library. For details see:

          https://lists.freedesktop.org/archives/systemd-devel/2013-March/009797.html

        * journald will now explicitly flush the journal files to disk
          at the latest 5min after each write. The file will then also
          be marked offline until the next write. This should increase
          reliability in case of a crash. The synchronization delay
          can be configured via SyncIntervalSec= in journald.conf.

        * There's a new remote-fs-setup.target unit that can be used
          to pull in specific services when at least one remote file
          system is to be mounted.

        * There are new targets timers.target and paths.target as
          canonical targets to pull user timer and path units in
          from. This complements sockets.target with a similar
          purpose for socket units.

        * libudev gained a new call udev_device_set_attribute_value()
          to set sysfs attributes of a device.

        * The udev daemon now sets the default number of worker
          processes executed in parallel based on the number of available
          CPUs instead of the amount of available RAM. This is supposed
          to provide a more reliable default and limit a too aggressive
          parallelism for setups with 1000s of devices connected.

        Contributions from: Auke Kok, Colin Walters, Cristian
        Rodríguez, Daniel Buch, Dave Reisner, Frederic Crozat, Hannes
        Reinecke, Harald Hoyer, Jan Alexander Steffens, Jan
        Engelhardt, Josh Triplett, Kay Sievers, Lennart Poettering,
        Mantas Mikulėnas, Martin Pitt, Mathieu Bridon, Michael Biebl,
        Michal Schmidt, Michal Sekletar, Miklos Vajna, Nathaniel Chen,
        Oleksii Shevchuk, Ozan Çağlayan, Thomas Hindoe Paaboel
        Andersen, Tollef Fog Heen, Tom Gundersen, Umut Tezduyar,
        Zbigniew Jędrzejewski-Szmek

CHANGES WITH 198:

        * Configuration of unit files may now be extended via drop-in
          files without having to edit/override the unit files
          themselves. More specifically, if the administrator wants to
          change one value for a service file foobar.service he can
          now do so by dropping in a configuration snippet into
          /etc/systemd/system/foobar.service.d/*.conf. The unit logic
          will load all these snippets and apply them on top of the
          main unit configuration file, possibly extending or
          overriding its settings. Using these drop-in snippets is
          generally nicer than the two earlier options for changing
          unit files locally: copying the files from
          /usr/lib/systemd/system/ to /etc/systemd/system/ and editing
          them there; or creating a new file in /etc/systemd/system/
          that incorporates the original one via ".include". Drop-in
          snippets into these .d/ directories can be placed in any
          directory systemd looks for units in, and the usual
          overriding semantics between /usr/lib, /etc and /run apply
          for them too.

        * Most unit file settings which take lists of items can now be
          reset by assigning the empty string to them. For example,
          normally, settings such as Environment=FOO=BAR append a new
          environment variable assignment to the environment block,
          each time they are used. By assigning Environment= the empty
          string the environment block can be reset to empty. This is
          particularly useful with the .d/*.conf drop-in snippets
          mentioned above, since this adds the ability to reset list
          settings from vendor unit files via these drop-ins.

        * systemctl gained a new "list-dependencies" command for
          listing the dependencies of a unit recursively.

        * Inhibitors are now honored and listed by "systemctl
          suspend", "systemctl poweroff" (and similar) too, not only
          GNOME. These commands will also list active sessions by
          other users.

        * Resource limits (as exposed by the various control group
          controllers) can now be controlled dynamically at runtime
          for all units. More specifically, you can now use a command
          like "systemctl set-cgroup-attr foobar.service cpu.shares
          2000" to alter the CPU shares a specific service gets. These
          settings are stored persistently on disk, and thus allow the
          administrator to easily adjust the resource usage of
          services with a few simple commands. This dynamic resource
          management logic is also available to other programs via the
          bus. Almost any kernel cgroup attribute and controller is
          supported.

        * systemd-vconsole-setup will now copy all font settings to
          all allocated VTs, where it previously applied them only to
          the foreground VT.

        * libsystemd-login gained the new sd_session_get_tty() API
          call.

        * This release drops support for a few legacy or
          distribution-specific LSB facility names when parsing init
          scripts: $x-display-manager, $mail-transfer-agent,
          $mail-transport-agent, $mail-transfer-agent, $smtp,
          $null. Also, the mail-transfer-agent.target unit backing
          this has been removed. Distributions which want to retain
          compatibility with this should carry the burden for
          supporting this themselves and patch support for these back
          in, if they really need to. Also, the facilities $syslog and
          $local_fs are now ignored, since systemd does not support
          early-boot LSB init scripts anymore, and these facilities
          are implied anyway for normal services. syslog.target has
          also been removed.

        * There are new bus calls on PID1's Manager object for
          cancelling jobs, and removing snapshot units. Previously,
          both calls were only available on the Job and Snapshot
          objects themselves.

        * systemd-journal-gatewayd gained SSL support.

        * The various "environment" files, such as /etc/locale.conf
          now support continuation lines with a backslash ("\") as
          last character in the line, similarly in style (but different)
          to how this is supported in shells.

        * For normal user processes the _SYSTEMD_USER_UNIT= field is
          now implicitly appended to every log entry logged. systemctl
          has been updated to filter by this field when operating on a
          user systemd instance.

        * nspawn will now implicitly add the CAP_AUDIT_WRITE and
          CAP_AUDIT_CONTROL capabilities to the capabilities set for
          the container. This makes it easier to boot unmodified
          Fedora systems in a container, which however still requires
          audit=0 to be passed on the kernel command line. Auditing in
          kernel and userspace is unfortunately still too broken in
          context of containers, hence we recommend compiling it out
          of the kernel or using audit=0. Hopefully this will be fixed
          one day for good in the kernel.

        * nspawn gained the new --bind= and --bind-ro= parameters to
          bind mount specific directories from the host into the
          container.

        * nspawn will now mount its own devpts file system instance
          into the container, in order not to leak pty devices from
          the host into the container.

        * systemd will now read the firmware boot time performance
          information from the EFI variables, if the used boot loader
          supports this, and takes it into account for boot performance
          analysis via "systemd-analyze". This is currently supported
          only in conjunction with Gummiboot, but could be supported
          by other boot loaders too. For details see:

          https://systemd.io/BOOT_LOADER_INTERFACE

        * A new generator has been added that automatically mounts the
          EFI System Partition (ESP) to /boot, if that directory
          exists, is empty, and no other file system has been
          configured to be mounted there.

        * logind will now send out PrepareForSleep(false) out
          unconditionally, after coming back from suspend. This may be
          used by applications as asynchronous notification for
          system resume events.

        * "systemctl unlock-sessions" has been added, that allows
          unlocking the screens of all user sessions at once, similar
          to how "systemctl lock-sessions" already locked all users
          sessions. This is backed by a new D-Bus call UnlockSessions().

        * "loginctl seat-status" will now show the master device of a
          seat. (i.e. the device of a seat that needs to be around for
          the seat to be considered available, usually the graphics
          card).

        * tmpfiles gained a new "X" line type, that allows
          configuration of files and directories (with wildcards) that
          shall be excluded from automatic cleanup ("aging").

        * udev default rules set the device node permissions now only
          at "add" events, and do not change them any longer with a
          later "change" event.

        * The log messages for lid events and power/sleep keypresses
          now carry a message ID.

        * We now have a substantially larger unit test suite, but this
          continues to be work in progress.

        * udevadm hwdb gained a new --root= parameter to change the
          root directory to operate relative to.

        * logind will now issue a background sync() request to the kernel
          early at shutdown, so that dirty buffers are flushed to disk early
          instead of at the last moment, in order to optimize shutdown
          times a little.

        * A new bootctl tool has been added that is an interface for
          certain boot loader operations. This is currently a preview
          and is likely to be extended into a small mechanism daemon
          like timedated, localed, hostnamed, and can be used by
          graphical UIs to enumerate available boot options, and
          request boot into firmware operations.

        * systemd-bootchart has been relicensed to LGPLv2.1+ to match
          the rest of the package. It also has been updated to work
          correctly in initrds.

        * polkit previously has been runtime optional, and is now also
          compile time optional via a configure switch.

        * systemd-analyze has been reimplemented in C. Also "systemctl
          dot" has moved into systemd-analyze.

        * "systemctl status" with no further parameters will now print
          the status of all active or failed units.

        * Operations such as "systemctl start" can now be executed
          with a new mode "--irreversible" which may be used to queue
          operations that cannot accidentally be reversed by a later
          job queuing. This is by default used to make shutdown
          requests more robust.

        * The Python API of systemd now gained a new module for
          reading journal files.

        * A new tool kernel-install has been added that can install
          kernel images according to the Boot Loader Specification:

          https://systemd.io/BOOT_LOADER_SPECIFICATION

        * Boot time console output has been improved to provide
          animated boot time output for hanging jobs.

        * A new tool systemd-activate has been added which can be used
          to test socket activation with, directly from the command
          line. This should make it much easier to test and debug
          socket activation in daemons.

        * journalctl gained a new "--reverse" (or -r) option to show
          journal output in reverse order (i.e. newest line first).

        * journalctl gained a new "--pager-end" (or -e) option to jump
          to immediately jump to the end of the journal in the
          pager. This is only supported in conjunction with "less".

        * journalctl gained a new "--user-unit=" option, that works
          similarly to "--unit=" but filters for user units rather than
          system units.

        * A number of unit files to ease adoption of systemd in
          initrds has been added. This moves some minimal logic from
          the various initrd implementations into systemd proper.

        * The journal files are now owned by a new group
          "systemd-journal", which exists specifically to allow access
          to the journal, and nothing else. Previously, we used the
          "adm" group for that, which however possibly covers more
          than just journal/log file access. This new group is now
          already used by systemd-journal-gatewayd to ensure this
          daemon gets access to the journal files and as little else
          as possible. Note that "make install" will also set FS ACLs
          up for /var/log/journal to give "adm" and "wheel" read
          access to it, in addition to "systemd-journal" which owns
          the journal files. We recommend that packaging scripts also
          add read access to "adm" + "wheel" to /var/log/journal, and
          all existing/future journal files. To normal users and
          administrators little changes, however packagers need to
          ensure to create the "systemd-journal" system group at
          package installation time.

        * The systemd-journal-gatewayd now runs as unprivileged user
          systemd-journal-gateway:systemd-journal-gateway. Packaging
          scripts need to create these system user/group at
          installation time.

        * timedated now exposes a new boolean property CanNTP that
          indicates whether a local NTP service is available or not.

        * systemd-detect-virt will now also detect xen PVs

        * The pstore file system is now mounted by default, if it is
          available.

        * In addition to the SELinux and IMA policies we will now also
          load SMACK policies at early boot.

        Contributions from: Adel Gadllah, Aleksander Morgado, Auke
        Kok, Ayan George, Bastien Nocera, Colin Walters, Daniel Buch,
        Daniel Wallace, Dave Reisner, David Herrmann, David Strauss,
        Eelco Dolstra, Enrico Scholz, Frederic Crozat, Harald Hoyer,
        Jan Janssen, Jonathan Callen, Kay Sievers, Lennart Poettering,
        Lukas Nykryn, Mantas Mikulėnas, Marc-Antoine Perennou, Martin
        Pitt, Mauro Dreissig, Max F. Albrecht, Michael Biebl, Michael
        Olbrich, Michal Schmidt, Michal Sekletar, Michal Vyskocil,
        Michał Bartoszkiewicz, Mirco Tischler, Nathaniel Chen, Nestor
        Ovroy, Oleksii Shevchuk, Paul W. Frields, Piotr Drąg, Rob
        Clark, Ryan Lortie, Simon McVittie, Simon Peeters, Steven
        Hiscocks, Thomas Hindoe Paaboel Andersen, Tollef Fog Heen, Tom
        Gundersen, Umut Tezduyar, William Giokas, Zbigniew
        Jędrzejewski-Szmek, Zeeshan Ali (Khattak)

CHANGES WITH 197:

        * Timer units now support calendar time events in addition to
          monotonic time events. That means you can now trigger a unit
          based on a calendar time specification such as "Thu,Fri
          2013-*-1,5 11:12:13" which refers to 11:12:13 of the first
          or fifth day of any month of the year 2013, given that it is
          a Thursday or a Friday. This brings timer event support
          considerably closer to cron's capabilities. For details on
          the supported calendar time specification language see
          systemd.time(7).

        * udev now supports a number of different naming policies for
          network interfaces for predictable names, and a combination
          of these policies is now the default. Please see this wiki
          document for details:

          https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html

        * Auke Kok's bootchart implementation has been added to the
          systemd tree. It is an optional component that can graph the
          boot in quite some detail. It is one of the best bootchart
          implementations around and minimal in its code and
          dependencies.

        * nss-myhostname has been integrated into the systemd source
          tree. nss-myhostname guarantees that the local hostname
          always stays resolvable via NSS. It has been a weak
          requirement of systemd-hostnamed since a long time, and
          since its code is actually trivial we decided to just
          include it in systemd's source tree. It can be turned off
          with a configure switch.

        * The read-ahead logic is now capable of properly detecting
          whether a btrfs file system is on SSD or rotating media, in
          order to optimize the read-ahead scheme. Previously, it was
          only capable of detecting this on traditional file systems
          such as ext4.

        * In udev, additional device properties are now read from the
          IAB in addition to the OUI database. Also, Bluetooth company
          identities are attached to the devices as well.

        * In service files %U may be used as specifier that is
          replaced by the configured user name of the service.

        * nspawn may now be invoked without a controlling TTY. This
          makes it suitable for invocation as its own service. This
          may be used to set up a simple containerized server system
          using only core OS tools.

        * systemd and nspawn can now accept socket file descriptors
          when they are started for socket activation. This enables
          implementation of socket activated nspawn
          containers. i.e. think about autospawning an entire OS image
          when the first SSH or HTTP connection is received. We expect
          that similar functionality will also be added to libvirt-lxc
          eventually.

        * journalctl will now suppress ANSI color codes when
          presenting log data.

        * systemctl will no longer show control group information for
          a unit if the control group is empty anyway.

        * logind can now automatically suspend/hibernate/shutdown the
          system on idle.

        * /etc/machine-info and hostnamed now also expose the chassis
          type of the system. This can be used to determine whether
          the local system is a laptop, desktop, handset or
          tablet. This information may either be configured by the
          user/vendor or is automatically determined from ACPI and DMI
          information if possible.

        * A number of polkit actions are now bound together with "imply"
          rules. This should simplify creating UIs because many actions
          will now authenticate similar ones as well.

        * Unit files learnt a new condition ConditionACPower= which
          may be used to conditionalize a unit depending on whether an
          AC power source is connected or not, of whether the system
          is running on battery power.

        * systemctl gained a new "is-failed" verb that may be used in
          shell scripts and suchlike to check whether a specific unit
          is in the "failed" state.

        * The EnvironmentFile= setting in unit files now supports file
          globbing, and can hence be used to easily read a number of
          environment files at once.

        * systemd will no longer detect and recognize specific
          distributions. All distribution-specific #ifdeffery has been
          removed, systemd is now fully generic and
          distribution-agnostic. Effectively, not too much is lost as
          a lot of the code is still accessible via explicit configure
          switches. However, support for some distribution specific
          legacy configuration file formats has been dropped. We
          recommend distributions to simply adopt the configuration
          files everybody else uses now and convert the old
          configuration from packaging scripts. Most distributions
          already did that. If that's not possible or desirable,
          distributions are welcome to forward port the specific
          pieces of code locally from the git history.

        * When logging a message about a unit systemd will now always
          log the unit name in the message meta data.

        * localectl will now also discover system locale data that is
          not stored in locale archives, but directly unpacked.

        * logind will no longer unconditionally use framebuffer
          devices as seat masters, i.e. as devices that are required
          to be existing before a seat is considered preset. Instead,
          it will now look for all devices that are tagged as
          "seat-master" in udev. By default, framebuffer devices will
          be marked as such, but depending on local systems, other
          devices might be marked as well. This may be used to
          integrate graphics cards using closed source drivers (such
          as NVidia ones) more nicely into logind. Note however, that
          we recommend using the open source NVidia drivers instead,
          and no udev rules for the closed-source drivers will be
          shipped from us upstream.

        Contributions from: Adam Williamson, Alessandro Crismani, Auke
        Kok, Colin Walters, Daniel Wallace, Dave Reisner, David
        Herrmann, David Strauss, Dimitrios Apostolou, Eelco Dolstra,
        Eric Benoit, Giovanni Campagna, Hannes Reinecke, Henrik
        Grindal Bakken, Hermann Gausterer, Kay Sievers, Lennart
        Poettering, Lukas Nykryn, Mantas Mikulėnas, Marcel Holtmann,
        Martin Pitt, Matthew Monaco, Michael Biebl, Michael Terry,
        Michal Schmidt, Michal Sekletar, Michał Bartoszkiewicz, Oleg
        Samarin, Pekka Lundstrom, Philip Nilsson, Ramkumar
        Ramachandra, Richard Yao, Robert Millan, Sami Kerola, Shawn
        Landden, Thomas Hindoe Paaboel Andersen, Thomas Jarosch,
        Tollef Fog Heen, Tom Gundersen, Umut Tezduyar, Zbigniew
        Jędrzejewski-Szmek

CHANGES WITH 196:

        * udev gained support for loading additional device properties
          from an indexed database that is keyed by vendor/product IDs
          and similar device identifiers. For the beginning this
          "hwdb" is populated with data from the well-known PCI and
          USB database, but also includes PNP, ACPI and OID data. In
          the longer run this indexed database shall grow into
          becoming the one central database for non-essential
          userspace device metadata. Previously, data from the PCI/USB
          database was only attached to select devices, since the
          lookup was a relatively expensive operation due to O(n) time
          complexity (with n being the number of entries in the
          database). Since this is now O(1), we decided to add in this
          data for all devices where this is available, by
          default. Note that the indexed database needs to be rebuilt
          when new data files are installed. To achieve this you need
          to update your packaging scripts to invoke "udevadm hwdb
          --update" after installation of hwdb data files. For
          RPM-based distributions we introduced the new
          %udev_hwdb_update macro for this purpose.

        * The Journal gained support for the "Message Catalog", an
          indexed database to link up additional information with
          journal entries. For further details please check:

          https://systemd.io/CATALOG

          The indexed message catalog database also needs to be
          rebuilt after installation of message catalog files. Use
          "journalctl --update-catalog" for this. For RPM-based
          distributions we introduced the %journal_catalog_update
          macro for this purpose.

        * The Python Journal bindings gained support for the standard
          Python logging framework.

        * The Journal API gained new functions for checking whether
          the underlying file system of a journal file is capable of
          properly reporting file change notifications, or whether
          applications that want to reflect journal changes "live"
          need to recheck journal files continuously in appropriate
          time intervals.

        * It is now possible to set the "age" field for tmpfiles
          entries to 0, indicating that files matching this entry
          shall always be removed when the directories are cleaned up.

        * coredumpctl gained a new "gdb" verb which invokes gdb
          right-away on the selected coredump.

        * There's now support for "hybrid sleep" on kernels that
          support this, in addition to "suspend" and "hibernate". Use
          "systemctl hybrid-sleep" to make use of this.

        * logind's HandleSuspendKey= setting (and related settings)
          now gained support for a new "lock" setting to simply
          request the screen lock on all local sessions, instead of
          actually executing a suspend or hibernation.

        * systemd will now mount the EFI variables file system by
          default.

        * Socket units now gained support for configuration of the
          SMACK security label.

        * timedatectl will now output the time of the last and next
          daylight saving change.

        * We dropped support for various legacy and distro-specific
          concepts, such as insserv, early-boot SysV services
          (i.e. those for non-standard runlevels such as 'b' or 'S')
          or ArchLinux /etc/rc.conf support. We recommend the
          distributions who still need support this to either continue
          to maintain the necessary patches downstream, or find a
          different solution. (Talk to us if you have questions!)

        * Various systemd components will now bypass polkit checks for
          root and otherwise handle properly if polkit is not found to
          be around. This should fix most issues for polkit-less
          systems. Quite frankly this should have been this way since
          day one. It is absolutely our intention to make systemd work
          fine on polkit-less systems, and we consider it a bug if
          something does not work as it should if polkit is not around.

        * For embedded systems it is now possible to build udev and
          systemd without blkid and/or kmod support.

        * "systemctl switch-root" is now capable of switching root
          more than once. I.e. in addition to transitions from the
          initrd to the host OS it is now possible to transition to
          further OS images from the host. This is useful to implement
          offline updating tools.

        * Various other additions have been made to the RPM macros
          shipped with systemd. Use %udev_rules_update() after
          installing new udev rules files. %_udevhwdbdir,
          %_udevrulesdir, %_journalcatalogdir, %_tmpfilesdir,
          %_sysctldir are now available which resolve to the right
          directories for packages to place various data files in.

        * journalctl gained the new --full switch (in addition to
          --all, to disable ellipsation for long messages.

        Contributions from: Anders Olofsson, Auke Kok, Ben Boeckel,
        Colin Walters, Cosimo Cecchi, Daniel Wallace, Dave Reisner,
        Eelco Dolstra, Holger Hans Peter Freyther, Kay Sievers,
        Chun-Yi Lee, Lekensteyn, Lennart Poettering, Mantas Mikulėnas,
        Marti Raudsepp, Martin Pitt, Mauro Dreissig, Michael Biebl,
        Michal Schmidt, Michal Sekletar, Miklos Vajna, Nis Martensen,
        Oleksii Shevchuk, Olivier Brunel, Ramkumar Ramachandra, Thomas
        Bächler, Thomas Hindoe Paaboel Andersen, Tom Gundersen, Tony
        Camuso, Umut Tezduyar, Zbigniew Jędrzejewski-Szmek

CHANGES WITH 195:

        * journalctl gained new --since= and --until= switches to
          filter by time. It also now supports nice filtering for
          units via --unit=/-u.

        * Type=oneshot services may use ExecReload= and do the
          right thing.

        * The journal daemon now supports time-based rotation and
          vacuuming, in addition to the usual disk-space based
          rotation.

        * The journal will now index the available field values for
          each field name. This enables clients to show pretty drop
          downs of available match values when filtering. The bash
          completion of journalctl has been updated
          accordingly. journalctl gained a new switch -F to list all
          values a certain field takes in the journal database.

        * More service events are now written as structured messages
          to the journal, and made recognizable via message IDs.

        * The timedated, localed and hostnamed mini-services which
          previously only provided support for changing time, locale
          and hostname settings from graphical DEs such as GNOME now
          also have a minimal (but very useful) text-based client
          utility each. This is probably the nicest way to changing
          these settings from the command line now, especially since
          it lists available options and is fully integrated with bash
          completion.

        * There's now a new tool "systemd-coredumpctl" to list and
          extract coredumps from the journal.

        * We now install a README each in /var/log/ and
          /etc/rc.d/init.d explaining where the system logs and init
          scripts went. This hopefully should help folks who go to
          that dirs and look into the otherwise now empty void and
          scratch their heads.

        * When user-services are invoked (by systemd --user) the
          $MANAGERPID env var is set to the PID of systemd.

        * SIGRTMIN+24 when sent to a --user instance will now result
          in immediate termination of systemd.

        * gatewayd received numerous feature additions such as a
          "follow" mode, for live syncing and filtering.

        * browse.html now allows filtering and showing detailed
          information on specific entries. Keyboard navigation and
          mouse screen support has been added.

        * gatewayd/journalctl now supports HTML5/JSON
          Server-Sent-Events as output.

        * The SysV init script compatibility logic will now
          heuristically determine whether a script supports the
          "reload" verb, and only then make this available as
          "systemctl reload".

        * "systemctl status --follow" has been removed, use "journalctl
          -u" instead.

        * journald.conf's RuntimeMinSize=, PersistentMinSize= settings
          have been removed since they are hardly useful to be
          configured.

        * And I'd like to take the opportunity to specifically mention
          Zbigniew for his great contributions. Zbigniew, you rock!

        Contributions from: Andrew Eikum, Christian Hesse, Colin
        Guthrie, Daniel J Walsh, Dave Reisner, Eelco Dolstra, Ferenc
        Wágner, Kay Sievers, Lennart Poettering, Lukas Nykryn, Mantas
        Mikulėnas, Martin Mikkelsen, Martin Pitt, Michael Olbrich,
        Michael Stapelberg, Michal Schmidt, Sebastian Ott, Thomas
        Bächler, Umut Tezduyar, Will Woods, Wulf C. Krueger, Zbigniew
        Jędrzejewski-Szmek, Сковорода Никита Андреевич

CHANGES WITH 194:

        * If /etc/vconsole.conf is non-existent or empty we will no
          longer load any console font or key map at boot by
          default. Instead the kernel defaults will be left
          intact. This is definitely the right thing to do, as no
          configuration should mean no configuration, and hard-coding
          font names that are different on all archs is probably a bad
          idea. Also, the kernel default key map and font should be
          good enough for most cases anyway, and mostly identical to
          the userspace fonts/key maps we previously overloaded them
          with. If distributions want to continue to default to a
          non-kernel font or key map they should ship a default
          /etc/vconsole.conf with the appropriate contents.

        Contributions from: Colin Walters, Daniel J Walsh, Dave
        Reisner, Kay Sievers, Lennart Poettering, Lukas Nykryn, Tollef
        Fog Heen, Tom Gundersen, Zbigniew Jędrzejewski-Szmek

CHANGES WITH 193:

        * journalctl gained a new --cursor= switch to show entries
          starting from the specified location in the journal.

        * We now enforce a size limit on journal entry fields exported
          with "-o json" in journalctl. Fields larger than 4K will be
          assigned null. This can be turned off with --all.

        * An (optional) journal gateway daemon is now available as
          "systemd-journal-gatewayd.service". This service provides
          access to the journal via HTTP and JSON. This functionality
          will be used to implement live log synchronization in both
          pull and push modes, but has various other users too, such
          as easy log access for debugging of embedded devices. Right
          now it is already useful to retrieve the journal via HTTP:

          # systemctl start systemd-journal-gatewayd.service
          # wget http://localhost:19531/entries

          This will download the journal contents in a
          /var/log/messages compatible format. The same as JSON:

          # curl -H"Accept: application/json" http://localhost:19531/entries

          This service is also accessible via a web browser where a
          single static HTML5 app is served that uses the JSON logic
          to enable the user to do some basic browsing of the
          journal. This will be extended later on. Here's an example
          screenshot of this app in its current state:

          https://0pointer.de/public/journal-gatewayd

        Contributions from: Kay Sievers, Lennart Poettering, Robert
        Milasan, Tom Gundersen

CHANGES WITH 192:

        * The bash completion logic is now available for journalctl
          too.

        * We do not mount the "cpuset" controller anymore together with
          "cpu" and "cpuacct", as "cpuset" groups generally cannot be
          started if no parameters are assigned to it. "cpuset" hence
          broke code that assumed it could create "cpu" groups and
          just start them.

        * journalctl -f will now subscribe to terminal size changes,
          and line break accordingly.

        Contributions from: Dave Reisner, Kay Sievers, Lennart
        Poettering, Lukas Nykrynm, Mirco Tischler, Václav Pavlín

CHANGES WITH 191:

        * nspawn will now create a symlink /etc/localtime in the
          container environment, copying the host's timezone
          setting. Previously this has been done via a bind mount, but
          since symlinks cannot be bind mounted this has now been
          changed to create/update the appropriate symlink.

        * journalctl -n's line number argument is now optional, and
          will default to 10 if omitted.

        * journald will now log the maximum size the journal files may
          take up on disk. This is particularly useful if the default
          built-in logic of determining this parameter from the file
          system size is used. Use "systemctl status
          systemd-journald.service" to see this information.

        * The multi-seat X wrapper tool has been stripped down. As X
          is now capable of enumerating graphics devices via udev in a
          seat-aware way the wrapper is not strictly necessary
          anymore. A stripped down temporary stop-gap is still shipped
          until the upstream display managers have been updated to
          fully support the new X logic. Expect this wrapper to be
          removed entirely in one of the next releases.

        * HandleSleepKey= in logind.conf has been split up into
          HandleSuspendKey= and HandleHibernateKey=. The old setting
          is not available anymore. X11 and the kernel are
          distinguishing between these keys and we should too. This
          also means the inhibition lock for these keys has been split
          into two.

        Contributions from: Dave Airlie, Eelco Dolstra, Lennart
        Poettering, Lukas Nykryn, Václav Pavlín

CHANGES WITH 190:

        * Whenever a unit changes state we will now log this to the
          journal and show along the unit's own log output in
          "systemctl status".

        * ConditionPathIsMountPoint= can now properly detect bind
          mount points too. (Previously, a bind mount of one file
          system to another place in the same file system could not be
          detected as mount, since they shared struct stat's st_dev
          field.)

        * We will now mount the cgroup controllers cpu, cpuacct,
          cpuset and the controllers net_cls, net_prio together by
          default.

        * nspawn containers will now have a virtualized boot
          ID. (i.e. /proc/sys/kernel/random/boot_id is now mounted
          over with a randomized ID at container initialization). This
          has the effect of making "journalctl -b" do the right thing
          in a container.

        * The JSON output journal serialization has been updated not
          to generate "endless" list objects anymore, but rather one
          JSON object per line. This is more in line how most JSON
          parsers expect JSON objects. The new output mode
          "json-pretty" has been added to provide similar output, but
          neatly aligned for readability by humans.

        * We dropped all explicit sync() invocations in the shutdown
          code. The kernel does this implicitly anyway in the kernel
          reboot() syscall. halt(8)'s -n option is now a compatibility
          no-op.

        * We now support virtualized reboot() in containers, as
          supported by newer kernels. We will fall back to exit() if
          CAP_SYS_REBOOT is not available to the container. Also,
          nspawn makes use of this now and will actually reboot the
          container if the containerized OS asks for that.

        * journalctl will only show local log output by default
          now. Use --merge (-m) to show remote log output, too.

        * libsystemd-journal gained the new sd_journal_get_usage()
          call to determine the current disk usage of all journal
          files. This is exposed in the new "journalctl --disk-usage"
          command.

        * journald gained a new configuration setting SplitMode= in
          journald.conf which may be used to control how user journals
          are split off. See journald.conf(5) for details.

        * A new condition type ConditionFileNotEmpty= has been added.

        * tmpfiles' "w" lines now support file globbing, to write
          multiple files at once.

        * We added Python bindings for the journal submission
          APIs. More Python APIs for a number of selected APIs will
          likely follow. Note that we intend to add native bindings
          only for the Python language, as we consider it common
          enough to deserve bindings shipped within systemd. There are
          various projects outside of systemd that provide bindings
          for languages such as PHP or Lua.

        * Many conditions will now resolve specifiers such as %i. In
          addition, PathChanged= and related directives of .path units
          now support specifiers as well.

        * There's now a new RPM macro definition for the system preset
          dir: %_presetdir.

        * journald will now warn if it ca not forward a message to the
          syslog daemon because its socket is full.

        * timedated will no longer write or process /etc/timezone,
          except on Debian. As we do not support late mounted /usr
          anymore /etc/localtime always being a symlink is now safe,
          and hence the information in /etc/timezone is not necessary
          anymore.

        * logind will now always reserve one VT for a text getty (VT6
          by default). Previously if more than 6 X sessions where
          started they took up all the VTs with auto-spawned gettys,
          so that no text gettys were available anymore.

        * udev will now automatically inform the btrfs kernel logic
          about btrfs RAID components showing up. This should make
          simple hotplug based btrfs RAID assembly work.

        * PID 1 will now increase its RLIMIT_NOFILE to 64K by default
          (but not for its children which will stay at the kernel
          default). This should allow setups with a lot more listening
          sockets.

        * systemd will now always pass the configured timezone to the
          kernel at boot. timedated will do the same when the timezone
          is changed.

        * logind's inhibition logic has been updated. By default,
          logind will now handle the lid switch, the power and sleep
          keys all the time, even in graphical sessions. If DEs want
          to handle these events on their own they should take the new
          handle-power-key, handle-sleep-key and handle-lid-switch
          inhibitors during their runtime. A simple way to achieve
          that is to invoke the DE wrapped in an invocation of:

          systemd-inhibit --what=handle-power-key:handle-sleep-key:handle-lid-switch …

        * Access to unit operations is now checked via SELinux taking
          the unit file label and client process label into account.

        * systemd will now notify the administrator in the journal
          when he over-mounts a non-empty directory.

        * There are new specifiers that are resolved in unit files,
          for the hostname (%H), the machine ID (%m) and the boot ID
          (%b).

        Contributions from: Allin Cottrell, Auke Kok, Brandon Philips,
        Colin Guthrie, Colin Walters, Daniel J Walsh, Dave Reisner,
        Eelco Dolstra, Jan Engelhardt, Kay Sievers, Lennart
        Poettering, Lucas De Marchi, Lukas Nykryn, Mantas Mikulėnas,
        Martin Pitt, Matthias Clasen, Michael Olbrich, Pierre Schmitz,
        Shawn Landden, Thomas Hindoe Paaboel Andersen, Tom Gundersen,
        Václav Pavlín, Yin Kangkai, Zbigniew Jędrzejewski-Szmek

CHANGES WITH 189:

        * Support for reading structured kernel messages from
          /dev/kmsg has now been added and is enabled by default.

        * Support for reading kernel messages from /proc/kmsg has now
          been removed. If you want kernel messages in the journal
          make sure to run a recent kernel (>= 3.5) that supports
          reading structured messages from /dev/kmsg (see
          above). /proc/kmsg is now exclusive property of classic
          syslog daemons again.

        * The libudev API gained the new
          udev_device_new_from_device_id() call.

        * The logic for file system namespace (ReadOnlyDirectory=,
          ReadWriteDirectoy=, PrivateTmp=) has been reworked not to
          require pivot_root() anymore. This means fewer temporary
          directories are created below /tmp for this feature.

        * nspawn containers will now see and receive all submounts
          made on the host OS below the root file system of the
          container.

        * Forward Secure Sealing is now supported for Journal files,
          which provide cryptographical sealing of journal files so
          that attackers cannot alter log history anymore without this
          being detectable. Lennart will soon post a blog story about
          this explaining it in more detail.

        * There are two new service settings RestartPreventExitStatus=
          and SuccessExitStatus= which allow configuration of exit
          status (exit code or signal) which will be excepted from the
          restart logic, resp. consider successful.

        * journalctl gained the new --verify switch that can be used
          to check the integrity of the structure of journal files and
          (if Forward Secure Sealing is enabled) the contents of
          journal files.

        * nspawn containers will now be run with /dev/stdin, /dev/fd/
          and similar symlinks pre-created. This makes running shells
          as container init process a lot more fun.

        * The fstab support can now handle PARTUUID= and PARTLABEL=
          entries.

        * A new ConditionHost= condition has been added to match
          against the hostname (with globs) and machine ID. This is
          useful for clusters where a single OS image is used to
          provision a large number of hosts which shall run slightly
          different sets of services.

        * Services which hit the restart limit will now be placed in a
          failure state.

        Contributions from: Bertram Poettering, Dave Reisner, Huang
        Hang, Kay Sievers, Lennart Poettering, Lukas Nykryn, Martin
        Pitt, Simon Peeters, Zbigniew Jędrzejewski-Szmek

CHANGES WITH 188:

        * When running in --user mode systemd will now become a
          subreaper (PR_SET_CHILD_SUBREAPER). This should make the ps
          tree a lot more organized.

        * A new PartOf= unit dependency type has been introduced that
          may be used to group services in a natural way.

        * "systemctl enable" may now be used to enable instances of
          services.

        * journalctl now prints error log levels in red, and
          warning/notice log levels in bright white. It also supports
          filtering by log level now.

        * cgtop gained a new -n switch (similar to top), to configure
          the maximum number of iterations to run for. It also gained
          -b, to run in batch mode (accepting no input).

        * The suffix ".service" may now be omitted on most systemctl
          command lines involving service unit names.

        * There's a new bus call in logind to lock all sessions, as
          well as a loginctl verb for it "lock-sessions".

        * libsystemd-logind.so gained a new call sd_journal_perror()
          that works similar to libc perror() but logs to the journal
          and encodes structured information about the error number.

        * /etc/crypttab entries now understand the new keyfile-size=
          option.

        * shutdown(8) now can send a (configurable) wall message when
          a shutdown is cancelled.

        * The mount propagation mode for the root file system will now
          default to "shared", which is useful to make containers work
          nicely out-of-the-box so that they receive new mounts from
          the host. This can be undone locally by running "mount
          --make-rprivate /" if needed.

        * The prefdm.service file has been removed. Distributions
          should maintain this unit downstream if they intend to keep
          it around. However, we recommend writing normal unit files
          for display managers instead.

        * Since systemd is a crucial part of the OS we will now
          default to a number of compiler switches that improve
          security (hardening) such as read-only relocations, stack
          protection, and suchlike.

        * The TimeoutSec= setting for services is now split into
          TimeoutStartSec= and TimeoutStopSec= to allow configuration
          of individual time outs for the start and the stop phase of
          the service.

        Contributions from: Artur Zaprzala, Arvydas Sidorenko, Auke
        Kok, Bryan Kadzban, Dave Reisner, David Strauss, Harald Hoyer,
        Jim Meyering, Kay Sievers, Lennart Poettering, Mantas
        Mikulėnas, Martin Pitt, Michal Schmidt, Michal Sekletar, Peter
        Alfredsen, Shawn Landden, Simon Peeters, Terence Honles, Tom
        Gundersen, Zbigniew Jędrzejewski-Szmek

CHANGES WITH 187:

        * The journal and id128 C APIs are now fully documented as man
          pages.

        * Extra safety checks have been added when transitioning from
          the initial RAM disk to the main system to avoid accidental
          data loss.

        * /etc/crypttab entries now understand the new keyfile-offset=
          option.

        * systemctl -t can now be used to filter by unit load state.

        * The journal C API gained the new sd_journal_wait() call to
          make writing synchronous journal clients easier.

        * journalctl gained the new -D switch to show journals from a
          specific directory.

        * journalctl now displays a special marker between log
          messages of two different boots.

        * The journal is now explicitly flushed to /var via a service
          systemd-journal-flush.service, rather than implicitly simply
          by seeing /var/log/journal to be writable.

        * journalctl (and the journal C APIs) can now match for much
          more complex expressions, with alternatives and
          disjunctions.

        * When transitioning from the initial RAM disk to the main
          system we will now kill all processes in a killing spree to
          ensure no processes stay around by accident.

        * Three new specifiers may be used in unit files: %u, %h, %s
          resolve to the user name, user home directory resp. user
          shell. This is useful for running systemd user instances.

        * We now automatically rotate journal files if their data
          object hash table gets a fill level > 75%. We also size the
          hash table based on the configured maximum file size. This
          together should lower hash collisions drastically and thus
          speed things up a bit.

        * journalctl gained the new "--header" switch to introspect
          header data of journal files.

        * A new setting SystemCallFilters= has been added to services which may
          be used to apply deny lists or allow lists to system calls. This is
          based on SECCOMP Mode 2 of Linux 3.5.

        * nspawn gained a new --link-journal= switch (and quicker: -j)
          to link the container journal with the host. This makes it
          very easy to centralize log viewing on the host for all
          guests while still keeping the journal files separated.

        * Many bugfixes and optimizations

        Contributions from: Auke Kok, Eelco Dolstra, Harald Hoyer, Kay
        Sievers, Lennart Poettering, Malte Starostik, Paul Menzel, Rex
        Tsai, Shawn Landden, Tom Gundersen, Ville Skyttä, Zbigniew
        Jędrzejewski-Szmek

CHANGES WITH 186:

        * Several tools now understand kernel command line arguments,
          which are only read when run in an initial RAM disk. They
          usually follow closely their normal counterparts, but are
          prefixed with rd.

        * There's a new tool to analyze the readahead files that are
          automatically generated at boot. Use:

          /usr/lib/systemd/systemd-readahead analyze /.readahead

        * We now provide an early debug shell on tty9 if this enabled. Use:

          systemctl enable debug-shell.service

        * All plymouth related units have been moved into the Plymouth
          package. Please make sure to upgrade your Plymouth version
          as well.

        * systemd-tmpfiles now supports getting passed the basename of
          a configuration file only, in which case it will look for it
          in all appropriate directories automatically.

        * udevadm info now takes a /dev or /sys path as argument, and
          does the right thing. Example:

          udevadm info /dev/sda
          udevadm info /sys/class/block/sda

        * systemctl now prints a warning if a unit is stopped but a
          unit that might trigger it continues to run. Example: a
          service is stopped but the socket that activates it is left
          running.

        * "systemctl status" will now mention if the log output was
          shortened due to rotation since a service has been started.

        * The journal API now exposes functions to determine the
          "cutoff" times due to rotation.

        * journald now understands SIGUSR1 and SIGUSR2 for triggering
          immediately flushing of runtime logs to /var if possible,
          resp. for triggering immediate rotation of the journal
          files.

        * It is now considered an error if a service is attempted to
          be stopped that is not loaded.

        * XDG_RUNTIME_DIR now uses numeric UIDs instead of usernames.

        * systemd-analyze now supports Python 3

        * tmpfiles now supports cleaning up directories via aging
          where the first level dirs are always kept around but
          directories beneath it automatically aged. This is enabled
          by prefixing the age field with '~'.

        * Seat objects now expose CanGraphical, CanTTY properties
          which is required to deal with very fast bootups where the
          display manager might be running before the graphics drivers
          completed initialization.

        * Seat objects now expose a State property.

        * We now include RPM macros for service enabling/disabling
          based on the preset logic. We recommend RPM based
          distributions to make use of these macros if possible. This
          makes it simpler to reuse RPM spec files across
          distributions.

        * We now make sure that the collected systemd unit name is
          always valid when services log to the journal via
          STDOUT/STDERR.

        * There's a new man page kernel-command-line(7) detailing all
          command line options we understand.

        * The fstab generator may now be disabled at boot by passing
          fstab=0 on the kernel command line.

        * A new kernel command line option modules-load= is now understood
          to load a specific kernel module statically, early at boot.

        * Unit names specified on the systemctl command line are now
          automatically escaped as needed. Also, if file system or
          device paths are specified they are automatically turned
          into the appropriate mount or device unit names. Example:

          systemctl status /home
          systemctl status /dev/sda

        * The SysVConsole= configuration option has been removed from
          system.conf parsing.

        * The SysV search path is no longer exported on the D-Bus
          Manager object.

        * The Names= option has been removed from unit file parsing.

        * There's a new man page bootup(7) detailing the boot process.

        * Every unit and every generator we ship with systemd now
          comes with full documentation. The self-explanatory boot is
          complete.

        * A couple of services gained "systemd-" prefixes in their
          name if they wrap systemd code, rather than only external
          code. Among them fsck@.service which is now
          systemd-fsck@.service.

        * The HaveWatchdog property has been removed from the D-Bus
          Manager object.

        * systemd.confirm_spawn= on the kernel command line should now
          work sensibly.

        * There's a new man page crypttab(5) which details all options
          we actually understand.

        * systemd-nspawn gained a new --capability= switch to pass
          additional capabilities to the container.

        * timedated will now read known NTP implementation unit names
          from /usr/lib/systemd/ntp-units.d/*.list,
          systemd-timedated-ntp.target has been removed.

        * journalctl gained a new switch "-b" that lists log data of
          the current boot only.

        * The notify socket is in the abstract namespace again, in
          order to support daemons which chroot() at start-up.

        * There is a new Storage= configuration option for journald
          which allows configuration of where log data should go. This
          also provides a way to disable journal logging entirely, so
          that data collected is only forwarded to the console, the
          kernel log buffer or another syslog implementation.

        * Many bugfixes and optimizations

        Contributions from: Auke Kok, Colin Guthrie, Dave Reisner,
        David Strauss, Eelco Dolstra, Kay Sievers, Lennart Poettering,
        Lukas Nykryn, Michal Schmidt, Michal Sekletar, Paul Menzel,
        Shawn Landden, Tom Gundersen

CHANGES WITH 185:

        * "systemctl help <unit>" now shows the man page if one is
          available.

        * Several new man pages have been added.

        * MaxLevelStore=, MaxLevelSyslog=, MaxLevelKMsg=,
          MaxLevelConsole= can now be specified in
          journald.conf. These options allow reducing the amount of
          data stored on disk or forwarded by the log level.

        * TimerSlackNSec= can now be specified in system.conf for
          PID1. This allows system-wide power savings.

        Contributions from: Dave Reisner, Kay Sievers, Lauri Kasanen,
        Lennart Poettering, Malte Starostik, Marc-Antoine Perennou,
        Matthias Clasen

CHANGES WITH 184:

        * logind is now capable of (optionally) handling power and
          sleep keys as well as the lid switch.

        * journalctl now understands the syntax "journalctl
          /usr/bin/avahi-daemon" to get all log output of a specific
          daemon.

        * CapabilityBoundingSet= in system.conf now also influences
          the capability bound set of usermode helpers of the kernel.

        Contributions from: Daniel Drake, Daniel J. Walsh, Gert
        Michael Kulyk, Harald Hoyer, Jean Delvare, Kay Sievers,
        Lennart Poettering, Matthew Garrett, Matthias Clasen, Paul
        Menzel, Shawn Landden, Tero Roponen, Tom Gundersen

CHANGES WITH 183:

        * Note that we skipped 139 releases here in order to set the
          new version to something that is greater than both udev's
          and systemd's most recent version number.

        * udev: all udev sources are merged into the systemd source tree now.
          All future udev development will happen in the systemd tree. It
          is still fully supported to use the udev daemon and tools without
          systemd running, like in initramfs or other init systems. Building
          udev though, will require the *build* of the systemd tree, but
          udev can be properly *run* without systemd.

        * udev: /lib/udev/devices/ are not read anymore; systemd-tmpfiles
          should be used to create dead device nodes as workarounds for broken
          subsystems.

        * udev: RUN+="socket:…"  and udev_monitor_new_from_socket() is
          no longer supported. udev_monitor_new_from_netlink() needs to be
          used to subscribe to events.

        * udev: when udevd is started by systemd, processes which are left
          behind by forking them off of udev rules, are unconditionally cleaned
          up and killed now after the event handling has finished. Services or
          daemons must be started as systemd services. Services can be
          pulled-in by udev to get started, but they can no longer be directly
          forked by udev rules.

        * udev: the daemon binary is called systemd-udevd now and installed
          in /usr/lib/systemd/. Standalone builds or non-systemd systems need
          to adapt to that, create symlink, or rename the binary after building
          it.

        * libudev no longer provides these symbols:
            udev_monitor_from_socket()
            udev_queue_get_failed_list_entry()
            udev_get_{dev,sys,run}_path()
          The versions number was bumped and symbol versioning introduced.

        * systemd-loginctl and systemd-journalctl have been renamed
          to loginctl and journalctl to match systemctl.

        * The config files: /etc/systemd/systemd-logind.conf and
          /etc/systemd/systemd-journald.conf have been renamed to
          logind.conf and journald.conf. Package updates should rename
          the files to the new names on upgrade.

        * For almost all files the license is now LGPL2.1+, changed
          from the previous GPL2.0+. Exceptions are some minor stuff
          of udev (which will be changed to LGPL2.1 eventually, too),
          and the MIT licensed sd-daemon.[ch] library that is suitable
          to be used as drop-in files.

        * systemd and logind now handle system sleep states, in
          particular suspending and hibernating.

        * logind now implements a sleep/shutdown/idle inhibiting logic
          suitable for a variety of uses. Soonishly Lennart will blog
          about this in more detail.

        * var-run.mount and var-lock.mount are no longer provided
          (which previously bind mounted these directories to their new
          places). Distributions which have not converted these
          directories to symlinks should consider stealing these files
          from git history and add them downstream.

        * We introduced the Documentation= field for units and added
          this to all our shipped units. This is useful to make it
          easier to explore the boot and the purpose of the various
          units.

        * All smaller setup units (such as
          systemd-vconsole-setup.service) now detect properly if they
          are run in a container and are skipped when
          appropriate. This guarantees an entirely noise-free boot in
          Linux container environments such as systemd-nspawn.

        * A framework for implementing offline system updates is now
          integrated, for details see:
          https://www.freedesktop.org/software/systemd/man/systemd.offline-updates.html

        * A new service type Type=idle is available now which helps us
          avoiding ugly interleaving of getty output and boot status
          messages.

        * There's now a system-wide CapabilityBoundingSet= option to
          globally reduce the set of capabilities for the
          system. This is useful to drop CAP_SYS_MKNOD, CAP_SYS_RAWIO,
          CAP_NET_RAW, CAP_SYS_MODULE, CAP_SYS_TIME, CAP_SYS_PTRACE or
          even CAP_NET_ADMIN system-wide for secure systems.

        * There are now system-wide DefaultLimitXXX= options to
          globally change the defaults of the various resource limits
          for all units started by PID 1.

        * Harald Hoyer's systemd test suite has been integrated into
          systemd which allows easy testing of systemd builds in qemu
          and nspawn. (This is really awesome! Ask us for details!)

        * The fstab parser is now implemented as generator, not inside
          of PID 1 anymore.

        * systemctl will now warn you if .mount units generated from
          /etc/fstab are out of date due to changes in fstab that
          have not been read by systemd yet.

        * systemd is now suitable for usage in initrds. Dracut has
          already been updated to make use of this. With this in place
          initrds get a slight bit faster but primarily are much
          easier to introspect and debug since "systemctl status" in
          the host system can be used to introspect initrd services,
          and the journal from the initrd is kept around too.

        * systemd-delta has been added, a tool to explore differences
          between user/admin configuration and vendor defaults.

        * PrivateTmp= now affects both /tmp and /var/tmp.

        * Boot time status messages are now much prettier and feature
          proper english language. Booting up systemd has never been
          so sexy.

        * Read-ahead pack files now include the inode number of all
          files to pre-cache. When the inode changes the pre-caching
          is not attempted. This should be nicer to deal with updated
          packages which might result in changes of read-ahead
          patterns.

        * We now temporaritly lower the kernel's read_ahead_kb variable
          when collecting read-ahead data to ensure the kernel's
          built-in read-ahead does not add noise to our measurements
          of necessary blocks to pre-cache.

        * There's now RequiresMountsFor= to add automatic dependencies
          for all mounts necessary for a specific file system path.

        * MountAuto= and SwapAuto= have been removed from
          system.conf. Mounting file systems at boot has to take place
          in systemd now.

        * nspawn now learned a new switch --uuid= to set the machine
          ID on the command line.

        * nspawn now learned the -b switch to automatically search
          for an init system.

        * vt102 is now the default TERM for serial TTYs, upgraded from
          vt100.

        * systemd-logind now works on VT-less systems.

        * The build tree has been reorganized. The individual
          components now have directories of their own.

        * A new condition type ConditionPathIsReadWrite= is now available.

        * nspawn learned the new -C switch to create cgroups for the
          container in other hierarchies.

        * We now have support for hardware watchdogs, configurable in
          system.conf.

        * The scheduled shutdown logic now has a public API.

        * We now mount /tmp as tmpfs by default, but this can be
          masked and /etc/fstab can override it.

        * Since udisks does not make use of /media anymore we are not
          mounting a tmpfs on it anymore.

        * journalctl gained a new --local switch to only interleave
          locally generated journal files.

        * We can now load the IMA policy at boot automatically.

        * The GTK tools have been split off into a systemd-ui.

        Contributions from: Andreas Schwab, Auke Kok, Ayan George,
        Colin Guthrie, Daniel Mack, Dave Reisner, David Ward, Elan
        Ruusamäe, Frederic Crozat, Gergely Nagy, Guillermo Vidal,
        Hannes Reinecke, Harald Hoyer, Javier Jardón, Kay Sievers,
        Lennart Poettering, Lucas De Marchi, Léo Gillot-Lamure,
        Marc-Antoine Perennou, Martin Pitt, Matthew Monaco, Maxim
        A. Mikityanskiy, Michael Biebl, Michael Olbrich, Michal
        Schmidt, Nis Martensen, Patrick McCarty, Roberto Sassu, Shawn
        Landden, Sjoerd Simons, Sven Anders, Tollef Fog Heen, Tom
        Gundersen

CHANGES WITH 44:

        * This is mostly a bugfix release

        * Support optional initialization of the machine ID from the
          KVM or container configured UUID.

        * Support immediate reboots with "systemctl reboot -ff"

        * Show /etc/os-release data in systemd-analyze output

        * Many bugfixes for the journal, including endianness fixes and
          ensuring that disk space enforcement works

        * sd-login.h is C++ compatible again

        * Extend the /etc/os-release format on request of the Debian
          folks

        * We now refuse non-UTF8 strings used in various configuration
          and unit files. This is done to ensure we do not pass invalid
          data over D-Bus or expose it elsewhere.

        * Register Mimo USB Screens as suitable for automatic seat
          configuration

        * Read SELinux client context from journal clients in a race
          free fashion

        * Reorder configuration file lookup order. /etc now always
          overrides /run in order to allow the administrator to always
          and unconditionally override vendor-supplied or
          automatically generated data.

        * The various user visible bits of the journal now have man
          pages. We still lack man pages for the journal API calls
          however.

        * We now ship all man pages in HTML format again in the
          tarball.

        Contributions from: Dave Reisner, Dirk Eibach, Frederic
        Crozat, Harald Hoyer, Kay Sievers, Lennart Poettering, Marti
        Raudsepp, Michal Schmidt, Shawn Landden, Tero Roponen, Thierry
        Reding

CHANGES WITH 43:

        * This is mostly a bugfix release

        * systems lacking /etc/os-release  are no longer supported.

        * Various functionality updates to libsystemd-login.so

        * Track class of PAM logins to distinguish greeters from
          normal user logins.

        Contributions from: Kay Sievers, Lennart Poettering, Michael
        Biebl

CHANGES WITH 42:

        * This is an important bugfix release for v41.

        * Building man pages is now optional which should be useful
          for those building systemd from git but unwilling to install
          xsltproc.

        * Watchdog support for supervising services is now usable. In
          a future release support for hardware watchdogs
          (i.e. /dev/watchdog) will be added building on this.

        * Service start rate limiting is now configurable and can be
          turned off per service. When a start rate limit is hit a
          reboot can automatically be triggered.

        * New CanReboot(), CanPowerOff() bus calls in systemd-logind.

        Contributions from: Benjamin Franzke, Bill Nottingham,
        Frederic Crozat, Lennart Poettering, Michael Olbrich, Michal
        Schmidt, Michał Górny, Piotr Drąg

CHANGES WITH 41:

        * The systemd binary is installed /usr/lib/systemd/systemd now;
          An existing /sbin/init symlink needs to be adapted with the
          package update.

        * The code that loads kernel modules has been ported to invoke
          libkmod directly, instead of modprobe. This means we do not
          support systems with module-init-tools anymore.

        * Watchdog support is now already useful, but still not
          complete.

        * A new kernel command line option systemd.setenv= is
          understood to set system wide environment variables
          dynamically at boot.

        * We now limit the set of capabilities of systemd-journald.

        * We now set SIGPIPE to ignore by default, since it only is
          useful in shell pipelines, and has little use in general
          code. This can be disabled with IgnoreSIPIPE=no in unit
          files.

        Contributions from: Benjamin Franzke, Kay Sievers, Lennart
        Poettering, Michael Olbrich, Michal Schmidt, Tom Gundersen,
        William Douglas

CHANGES WITH 40:

        * This is mostly a bugfix release

        * We now expose the reason why a service failed in the
          "Result" D-Bus property.

        * Rudimentary service watchdog support (will be completed over
          the next few releases.)

        * When systemd forks off in order execute some service we will
          now immediately changes its argv[0] to reflect which process
          it will execute. This is useful to minimize the time window
          with a generic argv[0], which makes bootcharts more useful

        Contributions from: Alvaro Soliverez, Chris Paulson-Ellis, Kay
        Sievers, Lennart Poettering, Michael Olbrich, Michal Schmidt,
        Mike Kazantsev, Ray Strode

CHANGES WITH 39:

        * This is mostly a test release, but incorporates many
          bugfixes.

        * New systemd-cgtop tool to show control groups by their
          resource usage.

        * Linking against libacl for ACLs is optional again. If
          disabled, support tracking device access for active logins
          goes becomes unavailable, and so does access to the user
          journals by the respective users.

        * If a group "adm" exists, journal files are automatically
          owned by them, thus allow members of this group full access
          to the system journal as well as all user journals.

        * The journal now stores the SELinux context of the logging
          client for all entries.

        * Add C++ inclusion guards to all public headers

        * New output mode "cat" in the journal to print only text
          messages, without any meta data like date or time.

        * Include tiny X server wrapper as a temporary stop-gap to
          teach XOrg udev display enumeration. This is used by display
          managers such as gdm, and will go away as soon as XOrg
          learned native udev hotplugging for display devices.

        * Add new systemd-cat tool for executing arbitrary programs
          with STDERR/STDOUT connected to the journal. Can also act as
          BSD logger replacement, and does so by default.

        * Optionally store all locally generated coredumps in the
          journal along with meta data.

        * systemd-tmpfiles learnt four new commands: n, L, c, b, for
          writing short strings to files (for usage for /sys), and for
          creating symlinks, character and block device nodes.

        * New unit file option ControlGroupPersistent= to make cgroups
          persistent, following the mechanisms outlined in
          https://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups

        * Support multiple local RTCs in a sane way

        * No longer monopolize IO when replaying readahead data on
          rotating disks, since we might starve non-file-system IO to
          death, since fanotify() will not see accesses done by blkid,
          or fsck.

        * Do not show kernel threads in systemd-cgls anymore, unless
          requested with new -k switch.

        Contributions from: Dan Horák, Kay Sievers, Lennart
        Poettering, Michal Schmidt

CHANGES WITH 38:

        * This is mostly a test release, but incorporates many
          bugfixes.

        * The git repository moved to:
          git://anongit.freedesktop.org/systemd/systemd
          ssh://git.freedesktop.org/git/systemd/systemd

        * First release with the journal
          https://0pointer.de/blog/projects/the-journal.html

        * The journal replaces both systemd-kmsg-syslogd and
          systemd-stdout-bridge.

        * New sd_pid_get_unit() API call in libsystemd-logind

        * Many systemadm clean-ups

        * Introduce remote-fs-pre.target which is ordered before all
          remote mounts and may be used to start services before all
          remote mounts.

        * Added Mageia support

        * Add bash completion for systemd-loginctl

        * Actively monitor PID file creation for daemons which exit in
          the parent process before having finished writing the PID
          file in the daemon process. Daemons which do this need to be
          fixed (i.e. PID file creation must have finished before the
          parent exits), but we now react a bit more gracefully to them.

        * Add colourful boot output, mimicking the well-known output
          of existing distributions.

        * New option PassCredentials= for socket units, for
          compatibility with a recent kernel ABI breakage.

        * /etc/rc.local is now hooked in via a generator binary, and
          thus will no longer act as synchronization point during
          boot.

        * systemctl list-unit-files now supports --root=.

        * systemd-tmpfiles now understands two new commands: z, Z for
          relabelling files according to the SELinux database. This is
          useful to apply SELinux labels to specific files in /sys,
          among other things.

        * Output of SysV services is now forwarded to both the console
          and the journal by default, not only just the console.

        * New man pages for all APIs from libsystemd-login.

        * The build tree got reorganized and the build system is a
          lot more modular allowing embedded setups to specifically
          select the components of systemd they are interested in.

        * Support for Linux systems lacking the kernel VT subsystem is
          restored.

        * configure's --with-rootdir= got renamed to
          --with-rootprefix= to follow the naming used by udev and
          kmod

        * Unless specified otherwise we will now install to /usr instead
          of /usr/local by default.

        * Processes with '@' in argv[0][0] are now excluded from the
          final shut-down killing spree, following the logic explained
          in:
          https://systemd.io/ROOT_STORAGE_DAEMONS/

        * All processes remaining in a service cgroup when we enter
          the START or START_PRE states are now killed with
          SIGKILL. That means it is no longer possible to spawn
          background processes from ExecStart= lines (which was never
          supported anyway, and bad style).

        * New PropagateReloadTo=/PropagateReloadFrom= options to bind
          reloading of units together.

        Contributions from: Bill Nottingham, Daniel J. Walsh, Dave
        Reisner, Dexter Morgan, Gregs Gregs, Jonathan Nieder, Kay
        Sievers, Lennart Poettering, Michael Biebl, Michal Schmidt,
        Michał Górny, Ran Benita, Thomas Jarosch, Tim Waugh, Tollef
        Fog Heen, Tom Gundersen, Zbigniew Jędrzejewski-Szmek