systemd 248 adds system extension images and improves support for encryption


systemd 248 is already here, continuing the evolution of the init and service management framework that has established itself as one of the essential parts of most major Linux distributions. As is usual with every release of this component, it brings a large number of changes spanning many areas, including networking, memory management and encrypted volumes.

The first thing that stands out in systemd 248 is the introduction of "a concept of system extension images, which can be used to extend the '/usr' and '/opt' directory hierarchies at runtime with additional files, even if the file system is read-only".

When a system extension image is activated, its '/usr' and '/opt' hierarchies and its 'os-release' information are combined via 'overlayfs' with the file system hierarchy of the host operating system. The new tool 'systemd-sysext' can merge, unmerge, list and update the system extension hierarchies.

'systemd-networkd', the daemon from systemd that manages network configuration, has gained support for the "BATMAN advanced" wireless routing protocol, which operates only on ISO/OSI layer 2 and uses Ethernet frames to route or bridge packets.

The 'systemd-networkd' configuration files have also gained new capabilities, such as the ability to select the routing policy table, the ability to ignore or accept route advertisements from routers that match the prefixes specified under 'IPv6AcceptRA', and the ability to ignore the IP address provided by DHCPv6.

Another new feature of systemd 248 is a new special option on the kernel command line: 'root=tmpfs'. When specified, a tmpfs (a temporary, memory-backed file system available in many Unix-like operating systems) is mounted as the root, while 'mount.usr=' must be used to point to the operating system implementation.

'systemd-cryptsetup' has gained support for processing detached LUKS headers specified on the kernel command line via the 'header=' parameter of the 'luks.options' kernel option, while the new tool 'systemd-cryptenroll' has been added to enroll TPM2, FIDO2 and PKCS#11 security tokens to LUKS volumes, as well as to list and remove them.

'systemd-homed', the feature intended to "make it easier" to manage home directories, can now unlock user directories with FIDO2 security tokens that support the 'hmac-secret' extension, in addition to the existing support for unlocking with PKCS#11 security tokens.

The new 'ConditionCPUFeature=' setting can be used to make systemd units run only if the processor has certain features. "For example, 'ConditionCPUFeature=rdrand' will condition a (systemd) unit to run only when the system's processor supports the RDRAND opcode".

'systemd-oomd', the out-of-memory daemon designed to take corrective action when free memory runs low, has gained a new setting, 'DefaultMemoryPressureDurationSec=', which adjusts how long a unit's cgroup must exceed the memory pressure limits before action is taken, while setting 'ManagedOOMPreference=none|avoid|omit' prevents certain systemd units from being killed. In addition, 'systemd-oomd' is now considered fully supported, and swap is no longer required for its operation, although it is still recommended.
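As an added example (not code from the systemd project), the following POSIX shell script approximates the check behind 'ConditionCPUFeature=' by looking for the feature in the 'flags' line of a cpuinfo-style file, and renders a unit drop-in that combines that condition with the 'ManagedOOMPreference=' setting described above. The cpuinfo file argument, the constructed sample cpuinfo content and the drop-in layout are assumptions; systemd itself queries the CPU directly rather than reading /proc/cpuinfo.

```shell
#!/bin/sh
# Added example, not part of systemd. Approximates ConditionCPUFeature=
# by checking the "flags" line of a cpuinfo-style file. The optional file
# argument is an assumption so the check can be run against constructed
# input as well as the real /proc/cpuinfo.
cpu_has_feature() {
    feature="$1"
    cpuinfo="${2:-/proc/cpuinfo}"
    # /proc/cpuinfo lists x86 flags in lower case, so normalise the name
    # and match it as a whole word (so "sse" does not match "sse2").
    feature=$(printf '%s' "$feature" | tr 'A-Z' 'a-z')
    grep -E '^flags[[:space:]]*:' "$cpuinfo" | grep -qw -- "$feature"
}

# Render a drop-in that starts the unit only on CPUs with the feature and
# asks systemd-oomd to avoid killing it. Both settings are from the
# systemd 248 release notes; the drop-in layout is an assumption.
render_dropin() {
    feature="$1"
    printf '[Unit]\nConditionCPUFeature=%s\n\n[Service]\nManagedOOMPreference=avoid\n' "$feature"
}

# Constructed sample input, shaped like /proc/cpuinfo on an x86 host.
SAMPLE_CPUINFO=$(mktemp)
cat > "$SAMPLE_CPUINFO" <<'EOF'
processor : 0
vendor_id : GenuineIntel
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca sse sse2 rdrand
EOF

if cpu_has_feature rdrand "$SAMPLE_CPUINFO"; then
    echo "rdrand present: a unit with ConditionCPUFeature=rdrand would start"
    render_dropin rdrand
else
    echo "rdrand absent: the unit would be skipped"
fi
rm -f "$SAMPLE_CPUINFO"
```

To check a real host, call `cpu_has_feature rdrand` with no file argument; the drop-in can be placed under a unit's `.d/` directory as `override.conf`.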

And many more things could be mentioned about systemd 248, such as the Intel SGX device nodes now being owned by a new system group called 'sgx', the '$SYSTEMD_EXEC_PID' environment variable being set for spawned processes to the PID of the process itself, and the default branch of the Git repository being renamed from "master" to "main".

All the details about systemd 248 can be found in the release notes, and those who want to use it can compile it from source. However, that route is rather unfriendly, so the most comfortable option is to use a rolling-release distribution such as Arch Linux and wait for it to arrive, although updating this component is usually not a priority for most users.
