Systemd 249 release candidate includes improved support for immutable operating systems and provisioning images • The Register


Systemd maintainer Lennart Poettering has tagged the first release candidate (RC1) of systemd 249, which includes a large number of new features.

Releases tend to arrive every four months, the latest being systemd 248 on March 30. systemd is an init system, an alternative to the traditional SysV init, but with a much larger scope; its documentation describes it as “a basic building block suite for a Linux system”.

Most, but not all, Linux distributions have adopted systemd, including Debian, SUSE, Red Hat (and its Fedora and CentOS variants), and Ubuntu. Debian can be run without systemd, and Devuan is a fork of Debian that specifically avoids it.

Poettering’s post in the NEWS file of systemd’s GitHub repository lists a ton of new features coming in 249 – we counted 76 that the maintainer and co-creator considered worthy of mention.

One of the themes is better support for immutable operating systems, a model gaining favour through distributions such as Fedora Silverblue and Kinoite from Red Hat and MicroOS from SUSE. An immutable OS is replaced as a whole rather than patched in place, and its read-only system tree leaves an attacker who gains a foothold far less room to persist, which is why the model is considered more secure.

Systemd 248 added system extension images (systemd-sysext) for this purpose. Now in systemd 249, Poettering said: “The operating system image dissection logic (as used by RootImage= in unit files or the --image= switch of systemd-nspawn) now supports identifying and mounting explicit /usr/ partitions, which are now defined in the discoverable partition specification. This should be useful for environments where the root filesystem is dynamically generated/formatted/populated on first boot and combined with a vendor supplied /usr/ immutable tree.”

Systemd starting a Linux system

The trend towards containers and infrastructure as code means that provisioning new images is a common occurrence, and a number of changes are designed to make this easier and more secure. There is better support for initializing newly provisioned images through the credentials subsystem, including easy setup of user passwords on first boot and the ability to “initialize important system settings on first boot of previously unprovisioned images”.

We were assured that systemd “does not set any password … if the specified root user already exists in the image”.

systemd-repart, which configures partitions and deploys system images, can now create directories inside a file system before writing it to the partition, so that “the resulting image may [be] mounted immediately, even in read-only mode.” The IMAGE_VERSION and IMAGE_ID variables can now also be defined in the os-release configuration file.

With this release, user and group definitions can be read from the drop-in directories /etc/userdb/, /run/userdb/, /run/host/userdb/ and /usr/lib/userdb/, in JSON format. Poettering said: “This is a simple and powerful mechanism for making additional users available to the system, with full integration into NSS [the Name Service Switch], including shadow databases.”
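As an added illustration of the drop-in mechanism described above (example code written for this page, not systemd's own), the script below builds a JSON user record and a matching group record and writes them into a userdb directory. The file naming (`<name>.user`, `<name>.user-privileged`, `<name>.group`), the idea that the password hash lives only in a separate root-only `privileged` file, and the sample account and placeholder hash are assumptions taken from my reading of systemd's user-record documentation; verify the layout against the documentation shipped with your systemd version.

```python
"""Added example (not systemd's own code): build systemd JSON user and
group records and place them in a userdb drop-in directory such as
/etc/userdb/. File naming (<name>.user, <name>.user-privileged,
<name>.group) and the 0600 mode for the privileged file follow the
userdb drop-in layout as I understand it; treat them as assumptions."""
import json
import os
import re
from pathlib import Path

# Conservative user/group name rule: lowercase, no leading digit, <= 31 chars.
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,30}$")

# Constructed sample input (not from the article): one locked-down service account.
SAMPLE_USER = {
    "userName": "backup-agent",
    "uid": 60001,
    "gid": 60001,
    "realName": "Backup Agent",
    "homeDirectory": "/var/lib/backup-agent",
    "shell": "/usr/sbin/nologin",
}
# Constructed placeholder only; generate a real crypt(3)-style SHA-512 hash
# with e.g. `mkpasswd -m sha-512` or `openssl passwd -6`.
SAMPLE_HASH = "$6$constructedsalt$NotARealHashJustAPlaceholderValue0123456789"


def _check_name(name):
    if not NAME_RE.match(name):
        raise ValueError(f"invalid user/group name: {name!r}")


def _check_id(value):
    # UIDs/GIDs are 32-bit; 0xFFFFFFFF is (uid_t)-1 and 0xFFFF is the
    # legacy 16-bit sentinel, so refuse both.
    if not isinstance(value, int) or not 0 <= value <= 0xFFFFFFFE or value == 0xFFFF:
        raise ValueError(f"invalid uid/gid: {value!r}")


def build_user_record(user, hashed_password=None):
    """Return (public_record, privileged_record).

    The public record is what NSS hands to every process; the password hash
    goes only into the 'privileged' section, which is written to a separate
    root-only file so it behaves like /etc/shadow rather than /etc/passwd.
    """
    _check_name(user["userName"])
    _check_id(user["uid"])
    _check_id(user["gid"])
    public = {
        "userName": user["userName"],
        "uid": user["uid"],
        "gid": user["gid"],
        "realName": user.get("realName", ""),
        "homeDirectory": user["homeDirectory"],
        "shell": user.get("shell", "/usr/sbin/nologin"),
    }
    if user.get("memberOf"):
        public["memberOf"] = sorted(user["memberOf"])
    privileged = {}
    if hashed_password is not None:
        # Refuse anything that does not look like a crypt(3) hash so a
        # plaintext password can never end up in the record by mistake.
        if not re.match(r"^\$[0-9a-z]+\$", hashed_password):
            raise ValueError("hashed_password must be a crypt(3)-style hash")
        privileged = {"privileged": {"hashedPassword": [hashed_password]}}
    return public, privileged


def build_group_record(group_name, gid, members=()):
    _check_name(group_name)
    _check_id(gid)
    record = {"groupName": group_name, "gid": gid}
    if members:
        for member in members:
            _check_name(member)
        record["members"] = sorted(set(members))
    return record


def _write_json(path, record, mode):
    # Create with the final mode from the start (no window where a 0644
    # privileged file exists), then enforce it in case the file pre-existed.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as f:
        json.dump(record, f, indent=2)
        f.write("\n")
    os.chmod(path, mode)


def write_records(userdb_dir, public, privileged, group):
    """Write <name>.user, <name>.user-privileged and <name>.group; return {path: mode}."""
    d = Path(userdb_dir)
    d.mkdir(parents=True, exist_ok=True)
    name = public["userName"]
    plan = [
        (d / f"{name}.user", public, 0o644),
        (d / f"{group['groupName']}.group", group, 0o644),
    ]
    if privileged:
        plan.append((d / f"{name}.user-privileged", privileged, 0o600))
    written = {}
    for path, record, mode in plan:
        _write_json(path, record, mode)
        written[str(path)] = mode
    return written


if __name__ == "__main__":
    pub, priv = build_user_record(SAMPLE_USER, SAMPLE_HASH)
    grp = build_group_record("backup-agent", 60001, members=["backup-agent"])
    # Writes to a scratch directory; use /etc/userdb/ (as root) for real.
    for path, mode in write_records("./userdb-demo", pub, priv, grp).items():
        print(f"{path}: {mode:o}")
```

The split into a world-readable record and a 0600 privileged file is the security-relevant part: anything placed in the public `.user` file is visible to every local process through NSS, so only the hash belongs in the privileged file, and the writer refuses values that do not look like a crypt hash. After dropping the files into /etc/userdb/, `getent passwd backup-agent` (or `userdbctl user backup-agent`) should resolve the account without any change to /etc/passwd.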

The native systemd Journal protocol, which has existed for some time, is now documented. “Clients can speak this as an alternative to the classic BSD syslog protocol to submit log records locally to the Journal,” said Poettering. Other changes include DHCP enhancements, updated support for FIDO2 (authentication with hardware keys), and more.
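To make the newly documented protocol concrete, here is an added example (written for this page, not systemd's own code) that encodes a log entry in the native journal wire format, parses it back the way a receiver must, and submits it over the journal socket. The wire format assumed here is: each field is `KEY=value\n` for single-line values, or `KEY\n` followed by a 64-bit little-endian length, the raw value and a trailing `\n` for binary or multi-line values, with one entry per datagram on /run/systemd/journal/socket. The rule that clients may not set fields beginning with `_` (journald attaches those from the sender's credentials) is enforced on both sides. The sample entry and the `auth-guard` identifier are constructed for the example.

```python
"""Added example (not systemd's own code): encode, decode and submit log
records in the native journal protocol. Wire format assumed:
"KEY=value\\n" for single-line values, or "KEY\\n" + le64 length + value
+ "\\n" for binary/multi-line values; one entry per datagram on
/run/systemd/journal/socket. Keys starting with "_" are trusted fields
journald sets itself and are rejected here."""
import os
import re
import socket
import struct

JOURNAL_SOCKET = "/run/systemd/journal/socket"         # standard socket path
FIELD_RE = re.compile(rb"^[A-Z0-9][A-Z0-9_]{0,63}$")    # no leading "_", no "="


def encode_field(key: str, value) -> bytes:
    k = key.encode("ascii")
    if not FIELD_RE.match(k):
        # Trusted fields (_PID, _UID, _SYSTEMD_UNIT, ...) cannot be set by
        # clients; journald derives them from the sender's credentials.
        raise ValueError(f"illegal field name: {key!r}")
    if isinstance(value, int):
        value = str(value)
    if isinstance(value, str):
        value = value.encode("utf-8")
    if b"\n" in value:
        # Binary framing keeps an embedded newline from starting a new field.
        return k + b"\n" + struct.pack("<Q", len(value)) + value + b"\n"
    return k + b"=" + value + b"\n"


def encode_entry(fields: dict) -> bytes:
    return b"".join(encode_field(k, v) for k, v in fields.items())


def decode_entry(data: bytes) -> dict:
    """Parse one datagram as a receiver would; values come back as bytes."""
    fields, pos = {}, 0
    while pos < len(data):
        nl = data.index(b"\n", pos)
        line = data[pos:nl]
        if b"=" in line:
            key, value = line.split(b"=", 1)
            pos = nl + 1
        else:
            key = line
            start = nl + 1
            if len(data) < start + 8:
                raise ValueError("truncated length prefix")
            (length,) = struct.unpack("<Q", data[start:start + 8])
            end = start + 8 + length
            # Bound the declared length by the datagram before trusting it.
            if end + 1 > len(data) or data[end:end + 1] != b"\n":
                raise ValueError("binary field length does not match datagram")
            value = data[start + 8:end]
            pos = end + 1
        if not FIELD_RE.match(key):
            raise ValueError(f"illegal field name from client: {key!r}")
        fields[key.decode("ascii")] = value
    return fields


def send_entry(fields: dict, path: str = JOURNAL_SOCKET) -> int:
    data = encode_entry(fields)
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        # Entries larger than the datagram limit must instead be passed as a
        # sealed memfd via SCM_RIGHTS; that path is omitted here.
        return s.sendto(data, path)


# Constructed sample entry (not from the article); PRIORITY 4 == LOG_WARNING.
SAMPLE_ENTRY = {
    "MESSAGE": "ssh login rejected\nreason: key not in allowlist",
    "PRIORITY": 4,
    "SYSLOG_IDENTIFIER": "auth-guard",
    "CODE_FUNC": "check_key",
    "AUTH_REMOTE": "203.0.113.7",   # custom field; TEST-NET-3 address
}

if __name__ == "__main__":
    wire = encode_entry(SAMPLE_ENTRY)
    print(wire)
    if os.path.exists(JOURNAL_SOCKET):
        send_entry(SAMPLE_ENTRY)
        print("submitted; inspect with: journalctl -t auth-guard -o verbose")
```

Run on a systemd host, the entry shows up under `journalctl -t auth-guard -o verbose` with `_PID`, `_UID` and `_SYSTEMD_UNIT` filled in by journald rather than by the sender, which is the property that makes journal fields usable as evidence: a client can claim any `SYSLOG_IDENTIFIER` it likes, but it cannot forge the underscore-prefixed fields.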

The journey from RC1 to the final release is expected to take around a month, judging by previous releases, so we can expect systemd 249 in July. The version of systemd coming soon to Debian Bullseye is 247 so, as always, it will be some time before these new features reach mainstream distributions. ®
