You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

1050 lines
50 KiB

  1. Bugfixes:
  2. * the error paths in usbffs_dispatch_ep() leak memory
  3. * copy.c: set the right chattrs before copying files and others after
  4. External:
  5. * Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
  6. * wiki: update journal format documentation for lz4 additions
  7. Janitorial Clean-ups:
  8. * Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again
  9. * copy.c: set the right chattrs before copying files and others after
  10. * rework mount.c and swap.c to follow proper state enumeration/deserialization
  11. semantics, like we do for device.c now
  12. Features:
  13. * the stop-when-unneded feature should be reworked: there should be a queue of
  14. units, and we should only enqeueu stop jobs from a defer event that processes
  15. queue instead of right-away when we assume that a unit is now unneeded.
  16. * When reloading configuration PID 1 should reset all its properties to the
  17. original defaults before calling parse_config()
  18. * Add OnTimezoneChange= and OnTimeChange= stanzas to .timer units in order to
  19. schedule events based on time and timezone changes.
  20. * nspawn: greater control over selinux label?
  21. * cgroups: figure out if we can somehow communicate in a cleaner way whether a
  22. elogind instance not running in the cgroup root shall or shall not manage the
  23. attributes of its top-level cgroup. Currently it assumes it manages all, but
  24. then might get EPERM due to permission porblems/userns, which is OK, but this
  25. should be revisited to make clearer and also work if the payload elogind runs
  26. with full privs and without userns.
  27. * portables: introduce a new unit file directory /etc/elogind/system.attached/
  28. or so, where we attach portable services to
  29. * cgroups: use inotify to get notified when somebody else modifies cgroups
  30. owned by us, then log a friendly warning.
  31. * beef up log.c with support for stripping ANSI sequences from strings, so that
  32. it is OK to include them in log strings. This would be particularly useful so
  33. that our log messages could contain clickable links for example for unit
  34. files and suchlike we operate on.
  35. * introduce a new SystemCallFilters= group called "@system-service" with a
  36. sensible default set for system services, then make use of them in portable
  37. profiles
  38. * add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration)
  39. * add attach --enable and attach --now (for attach+enable+start)
  40. * sync dynamic uids/gids between host+portable srvice (i.e. if DynamicUser=1 is set for a service, make sure that the
  41. selected user is resolvable in the service even if it ships its own /etc/passwd)
  42. * Fix DECIMAL_STR_MAX or DECIMAL_STR_WIDTH. One includes a trailing NUL, the
  43. other doesn't. What a desaster. Probably to exclude it. Also
  44. DECIMAL_STR_WIDTH should probably add an extra "-" into account for negative
  45. numbers.
  46. * port systemctl, elogind-inhibit, busctl, … over to format-table.[ch]'s table formatters
  47. * Check that users of inotify's IN_DELETE_SELF flag are using it properly, as
  48. usually IN_ATTRIB is the right way to watch deleted files, as the former only
  49. fires when a file is actually removed from disk, i.e. the link count drops to
  50. zero and is not open anymore, while the latter happens when a file is
  51. unlinked from any dir.
  52. * pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up
  53. * add --vacuum-xyz options to coredumpctl, matching those journalctl already has.
  54. * SuccessExitStatus= and friends should probably also accept symbolic exit
  55. codes names, i.e. error codes from the list maintained in exit-codes.[ch]
  56. * introduce Ephemeral= unit file switch, that creates an ephemeral copy of all
  57. files and directories that are left writable for a unit, and which are
  58. removed after the unit goes down again. A bit like --ephemeral for
  59. elogind-nspawn but for system services. If used together with RootImage= this
  60. should reflink the image file itself.
  61. Related: add Ephemeral=<path1> <path2> … which would allow marking
  62. specific paths only like this.
  63. * add CopyFile= or so as unit file setting that may be used to copy files or
  64. directory trees from the host to te services RootImage= and RootDirectory=
  65. environment. Which we can use for /etc/machine-id and in particular
  66. /etc/resolv.conf. Should be smart and do something useful on read-only
  67. images, for example fallback to read-only bind mounting the file instead.
  68. * nspawn's console TTY should be allocated from within the container, not
  69. mounted in from the outside
  70. * show invocation ID in elogind-run output
  71. * bypass SIGTERM state in unit files if KillSignal is SIGKILL
  72. * tree-wide: ensure we always block the signals we hook into with
  73. sd_event_add_signal() first
  74. * add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1
  75. and so on, which would mean we could report errors and such.
  76. * teach tmpfiles.d q/Q logic something sensible in the context of XFS/ext4
  77. project quota
  78. * introduce DefaultSlice= or so in system.conf that allows changing where we
  79. place our units by default, i.e. change system.slice to something
  80. else. Similar, ManagerSlice= should exist so that PID1's own scope unit could
  81. be moved somewhere else too. Finally machined and logind should get similar
  82. options so that it is possible to move user session scopes and machines to a
  83. different slice too by default. Usecase: people who want to put resources on
  84. the entire system, with the exception of one specific service. See:
  85. https://lists.freedesktop.org/archives/elogind-devel/2018-February/040369.html
  86. * maybe rework get_user_creds() to query the user database if $SHELL is used
  87. for root, but only then.
  88. * be stricter with fds we receive for the fdstore: close them asynchronously
  89. * calenderspec: add support for week numbers and day numbers within a
  90. year. This would allow us to define "bi-weekly" triggers safely.
  91. * add bpf-based implementation of devices cgroup controller logic for compat
  92. with cgroupsv2 as supported by newest kernel
  93. * introduce sd_id128_get_boot_app_specific() which is like
  94. sd_id128_get_machine_app_specific(). After all on long-running systems both
  95. IDs have similar properties.
  96. * sd-bus: add vtable flag, that may be used to request client creds implicitly
  97. and asynchronously before dispatching the operation
  98. * make use of ethtool veth peer info in machined, for automatically finding out
  99. host-side interface pointing to the container.
  100. * add some special mode to LogsDirectory=/StateDirectory=… that allows
  101. declaring these directories without necessarily pulling in deps for them, or
  102. creating them when starting up. That way, we could declare that
  103. systemd-journald writes to /var/log/journal, which could be useful when we
  104. doing disk usage calculations and so on.
  105. * taint elogind if there are fewer than 65536 users assigned (userns) to the system.
  106. * deprecate PermissionsStartOnly= and RootDirectoryStartOnly= in favour of the ExecStart= prefix chars
  107. * add a new RuntimeDirectoryPreserve= mode that defines a similar lifecycle for
  108. the runtime dir as we maintain for the fdstore: i.e. keep it around as long
  109. as the unit is running or has a job queued.
  110. * support projid-based quota in machinectl for containers, and then drop
  111. implicit btrfs loopback magic in machined
  112. * Add NetworkNamespacePath= to specify a path to a network namespace
  113. * maybe use SOURCE_DATE_EPOCH (i.e. the env var the reproducible builds folks
  114. introduced) as the RTC epoch, instead of the mtime of NEWS.
  115. * add a way to lock down cgroup migration: a boolean, which when set for a unit
  116. makes sure the processes in it can never migrate out of it
  117. * blog about fd store and restartable services
  118. * document Environment=SYSTEMD_LOG_LEVEL=debug drop-in in debugging document
  119. * rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its
  120. magic meaning and is no longer upgraded to something else if set explicitly.
  121. * in the long run: permit a system with /etc/machine-id linked to /dev/null, to
  122. make it lose its identity, i.e. be anonymous. For this we'd have to patch
  123. through the whole tree to make all code deal with the case where no machine
  124. ID is available.
  125. * optionally, collect cgroup resource data, and store it in per-unit RRD files,
  126. suitable for processing with rrdtool. Add bus API to access this data, and
  127. possibly implement a CPULoad property based on it.
  128. * beef up pam_systemd to take unit file settings such as cgroups properties as
  129. parameters
  130. * a new "systemd-analyze security" tool outputting a checklist of security
  131. features a service does and does not implement
  132. * maybe hook of xfs/ext4 quotactl() with services? i.e. automatically manage
  133. the quota of a the user indicated in User= via unit file settings, like the
  134. other resource management concepts. Would mix nicely with DynamicUser=1. Or
  135. alternatively, do this with projids, so that we can also cover services
  136. running as root. Quota should probably cover all the special dirs such as
  137. StateDirectory=, LogsDirectory=, CacheDirectory=, as well as RootDirectory= if it
  138. is set, plus the whole disk space any image configured with RootImage=.
  139. * Introduce "exit" as an EmergencyAction value, and allow to configure a
  140. per-unit success/failure exit code to configure. This would be useful for
  141. running commands inside of services inside of containers, which could then
  142. propagate their failure state all the way up.
  143. * In DynamicUser= mode: before selecting a UID, use disk quota APIs on relevant
  144. disks to see if the UID is already in use.
  145. * add "systemctl wait" or so, which does what "systemd-run --wait" does, but
  146. for all units. It should be both a way to pin units into memory as well as a
  147. wait to retrieve their exit data.
  148. * maybe set a new set of env vars for services, based on RuntimeDirectory=,
  149. StateDirectory=, LogsDirectory=, CacheDirectory= and ConfigurationDirectory=
  150. automatically. For example, there could be $RUNTIME_DIRECTORY,
  151. $STATE_DIRECTORY, $LOGS_DIRECTORY=, $CACHE_DIRECTORY and
  152. $CONFIGURATION_DIRECTORY or so. This could be useful to write services that
  153. can adapt to varying directories for these purposes. Special care has to be
  154. taken if multiple dirs are configured. Maybe avoid setting the env vars in
  155. that case?
  156. * expose IO accounting data on the bus, show it in systemd-run --wait and log
  157. about it in the resource log message
  158. * add "systemctl purge" for flushing out configuration, state, logs, ... of a
  159. unit when it is stopped
  160. * show whether a service has out-of-date configuration in "systemctl status" by
  161. using mtime data of ConfigurationDirectory=.
  162. * replace all uses of fgets() + LINE_MAX by read_line()
  163. * Add AddUser= setting to unit files, similar to DynamicUser=1 which however
  164. creates a static, persistent user rather than a dynamic, transient user. We
  165. can leverage code from sysusers.d for this.
  166. * add some optional flag to ReadWritePaths= and friends, that has the effect
  167. that we create the dir in question when the service is started. Example:
  168. ReadWritePaths=:/var/lib/foobar
  169. * maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for
  170. the sd-journal logging socket, and, if the timeout is set to 0, sets
  171. O_NONBLOCK on it. That way people can control if and when to block for
  172. logging.
  173. * hostnamed: populate form factor data from a new hwdb database, so that old
  174. yogas can be recognized as "convertible" too, even if they predate the DMI
  175. "convertible" form factor
  176. * Maybe add a small tool invoked early at boot, that adds in or resizes
  177. partitions automatically, to be used when the media used is actually larger
  178. than the image written onto it is.
  179. * Maybe add PrivatePIDs= as new unit setting, and do minimal PID namespacing
  180. after all. Be strict however, only support the equivalent of nspawn's
  181. --as-pid2 switch, and sanely proxy sd_notify() messages dropping stuff such
  182. as MAINPID.
  183. * Add ExecMonitor= setting. May be used multiple times. Forks off a process in
  184. the service cgroup, which is supposed to monitor the service, and when it
  185. exits the service is considered failed by its monitor.
  186. * track the per-service PAM process properly (i.e. as an additional control
  187. process), so that it may be queried on the bus and everything.
  188. * add a new "debug" job mode, that is propagated to unit_start() and for
  189. services results in two things: we raise SIGSTOP right before invoking
  190. execve() and turn off watchdog support. Then, use that to implement
  191. "systemd-gdb" for attaching to the start-up of any system service in its
  192. natural habitat.
  193. * maybe introduce gpt auto discovery for /var/tmp?
  194. * maybe add gpt-partition-based user management: each user gets his own
  195. LUKS-encrypted GPT partition with a new GPT type. A small nss module
  196. enumerates users via udev partition enumeration. UIDs are assigned in a fixed
  197. way: the partition index is added as offset to some fixed base uid. User name
  198. is stored in GPT partition name. A PAM module authenticates the user via the
  199. LUKS partition password. Benefits: strong per-user security, compatibility
  200. with stateless/read-only/verity-enabled root. (other idea: do this based on
  201. loopback files in /home, without GPT involvement)
  202. * gpt-auto logic: introduce support for discovering /var matching an image. For
  203. that, use a partition type UUID that is hashed from the OS name (as encoded
  204. in /etc/os-release), the architecture, and 4 new bits from the gpt flags
  205. field of the root partition. This way can easily support multiple OS
  206. installations on the same GPT partition table, without problems with
  207. unmatched /var partitions.
  208. * gpt-auto logic: related to the above, maybe support a "secondary" root
  209. partition, that is mounted to / and is writable, and where the actual root's
  210. /usr is mounted into.
  211. * gpt-auto logic: support encrypted swap, add kernel cmdline option to force it, and honour a gpt bit about it, plus maybe a configuration file
  212. * drop nss-myhostname in favour of nss-resolve?
  213. * add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and
  214. then use that for the setting used in user@.service. It should be understood
  215. relative to the configured default value.
  216. * in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us
  217. * enable LockMLOCK to take a percentage value relative to physical memory
  218. * Permit masking specific netlink APIs with RestrictAddressFamily=
  219. * nspawn: support that /proc, /sys/, /dev are pre-mounted
  220. * define gpt header bits to select volatility mode
  221. * ProtectKernelLogs= (drops CAP_SYSLOG, add seccomp for syslog() syscall, and DeviceAllow to /dev/kmsg) in service files
  222. * ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
  223. * ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
  224. * ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
  225. * ProtectKeyRing= to take keyring calls away
  226. * RemoveKeyRing= to remove all keyring entries of the specified user
  227. * ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill
  228. on PID 1 with the relevant signals, and makes relevant files in /sys and
  229. /proc (such as the sysrq stuff) unavailable
  230. * DeviceAllow= should also generate seccomp filters for mknod()
  231. * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
  232. * journalctl: make sure -f ends when the container indicated by -M terminates
  233. * mount: automatically search for "main" partition of an image has multiple
  234. partitions
  235. * expose the "privileged" flag of ExecCommand on the bus, and open it up to
  236. transient units
  237. * in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set,
  238. find a way to map the User=/Group= of the service to the right name. This way
  239. a user/group for a service only has to exist on the host for the right
  240. mapping to work.
  241. * add bus API for creating unit files in /etc, reusing the code for transient units
  242. * add bus API to remove unit files from /etc
  243. * add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only)
  244. * rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the
  245. kernel doesn't support linkat() that replaces existing files, currently)
  246. * transient units: don't bother with actually setting unit properties, we
  247. reload the unit file anyway
  248. * journald: sigbus API via a signal-handler safe function that people may call
  249. from the SIGBUS handler
  250. * optionally, also require WATCHDOG=1 notifications during service start-up and shutdown
  251. * resolved: when routing queries, make sure only look for the *longest* suffix...
  252. * delay activation of logind until somebody logs in, or when /dev/tty0 pulls it
  253. in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle
  254. * cache sd_event_now() result from before the first iteration...
  255. * add systemctl stop --job-mode=triggering that follows TRIGGERED_BY deps and adds them to the same transaction
  256. * PID1: find a way how we can reload unit file configuration for
  257. specific units only, without reloading the whole of systemd
  258. * add an explicit parser for LimitRTPRIO= that verifies
  259. the specified range and generates sane error messages for incorrect
  260. specifications.
  261. * when we detect that there are waiting jobs but no running jobs, do something
  262. * push CPUAffinity= also into the "cpuset" cgroup controller (only after the cpuset controller got ported to the unified hierarchy)
  263. * PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn)
  264. * there's probably something wrong with having user mounts below /sys,
  265. as we have for debugfs. for exmaple, src/core/mount.c handles mounts
  266. prefixed with /sys generally special.
  267. http://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html
  268. * fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline
  269. * docs: bring http://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date
  270. * add a job mode that will fail if a transaction would mean stopping
  271. running units. Use this in timedated to manage the NTP service
  272. state.
  273. http://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html
  274. * Maybe add support for the equivalent of "ethtool advertise" to .link files?
  275. http://lists.freedesktop.org/archives/systemd-devel/2015-April/030112.html
  276. * The udev blkid built-in should expose a property that reflects
  277. whether media was sensed in USB CF/SD card readers. This should then
  278. be used to control SYSTEMD_READY=1/0 so that USB card readers aren't
  279. picked up by systemd unless they contain a medium. This would mirror
  280. the behaviour we already have for CD drives.
  281. * networkd/udev: implement SR_IOV configuration in .link files:
  282. http://lists.freedesktop.org/archives/systemd-devel/2015-January/027451.html
  283. * hostnamectl: show root image uuid
  284. * sysfs set api in libudev is not const
  285. * Find a solution for SMACK capabilities stuff:
  286. http://lists.freedesktop.org/archives/systemd-devel/2014-December/026188.html
  287. * "systemctl preset-all" should probably order the unit files it
  288. operates on lexicographically before starting to work, in order to
  289. ensure deterministic behaviour if two unit files conflict (like DMs
  290. do, for example)
  291. * synchronize console access with BSD locks:
  292. http://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html
  293. * as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads:
  294. http://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html
  295. * in systemctl list-unit-files: show the install value the presets would suggest for a service in a third column
  296. * figure out when we can use the coarse timers
  297. * add "systemctl start -v foobar.service" that shows logs of a service
  298. while the start command runs. This is non-trivial to do without
  299. races though, since we should flush out all journal messages before
  300. returning from the "systemctl stop".
  301. * firstboot: make it useful to be run immediately after yum --installroot to set up a machine. (most specifically, make --copy-root-password work even if /etc/passwd already exists
  302. * maybe add support for specifier expansion in user.conf, specifically DefaultEnvironment=
  303. * introduce systemd-timesync-wait.service or so to sync on an NTP fix?
  304. * consider showing the unit names during boot up in the status output, not just the unit descriptions
  305. * maybe allow timer units with an empty Units= setting, so that they
  306. can be used for resuming the system but nothing else.
  307. * what to do about udev db binary stability for apps? (raw access is not an option)
  308. * man: maybe use the word "inspect" rather than "introspect"?
  309. * systemctl: if some operation fails, show log output?
  310. * systemctl edit: use equvalent of cat() to insert existing config as a comment, prepended with #.
  311. Upon editor exit, lines with one # are removed, lines with two # are left with one #, etc.
  312. * exponential backoff in timesyncd when we cannot reach a server
  313. * timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM
  314. * merge ~/.local/share and ~/.local/lib into one similar /usr/lib and /usr/share....
  315. * systemd.show_status= should probably have a mode where only failed
  316. units are shown.
  317. * add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL
  318. (throughout the codebase, not only PID1)
  319. * resolved:
  320. - mDNS/DNS-SD
  321. - service registration
  322. - service/domain/types browsing
  323. - avahi compat
  324. - DNS-SD service registration from socket units
  325. - resolved should optionally register additional per-interface LLMNR
  326. names, so that for the container case we can establish the same name
  327. (maybe "host") for referencing the server, everywhere.
  328. - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?)
  329. - hook up resolved with machined-based address resolution
  330. * refcounting in sd-resolve is borked
  331. * Add a new verb "systemctl top"
  332. * add new gpt type for btrfs volumes
  333. * support empty /etc boots nicely:
  334. - nspawn/gpt-generator: introduce new gpt partition type for /usr
  335. * generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them.
  336. * a way for container managers to turn off getty starting via $container_headless= or so...
  337. * figure out a nice way how we can let the admin know what child/sibling unit causes cgroup membership for a specific unit
  338. * For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services
  339. they run added to the initial transaction and thus confuse Type=idle.
  340. * add bus api to query unit file's X fields.
  341. * gpt-auto-generator:
  342. - Define new partition type for encrypted swap? Support probed LUKS for encrypted swap?
  343. - Make /home automount rather than mount?
  344. * add generator that pulls in systemd-network from containers when
  345. CAP_NET_ADMIN is set, more than the loopback device is defined, even
  346. when it is otherwise off
  347. * MessageQueueMessageSize= (and suchlike) should use parse_iec_size().
  348. * implement Distribute= in socket units to allow running multiple
  349. service instances processing the listening socket, and open this up
  350. for ReusePort=
  351. * socket units: support creating sockets in different namespace,
  352. opening it up for JoinsNamespaceOf=. This would require to fork off
  353. a tiny process that joins the namespace and creates/binds the socket
  354. and passes this back to PID1 via SCM_RIGHTS. This also could be used
  355. to allow Chown/chgrp on sockets without requiring NSS in PID 1.
  356. * introduce bus call FreezeUnit(s, b), as well as "systemctl freeze
  357. $UNIT" and "systemctl thaw $UNIT" as wrappers around this. The calls
  358. should SIGSTOP all unit processes in a loop until all processes of
  359. it are fully stopped. This can later be used for app management by
  360. desktop UIs such as gnome-shell to freeze apps that are not visible
  361. on screen, not unlike how job control works on the shell
  362. * cgroups:
  363. - implement per-slice CPUFairScheduling=1 switch
  364. - handle jointly mounted controllers correctly
  365. - introduce high-level settings for RT budget, swappiness
  366. - how to reset dynamically changed unit cgroup attributes sanely?
  367. - when reloading configuration, apply new cgroup configuration
  368. - when recursively showing the cgroup hierarchy, optionally also show
  369. the hierarchies of child processes
  370. * transient units:
  371. - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt
  372. * Automatically configure swap partition to use for hibernation by looking for largest swap partition on the root disk?
  373. * when we detect low battery and no AC on boot, show pretty splash and refuse boot
  374. * libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops
  375. * be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1
  376. * rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it
  377. * After coming back from hibernation reset hibernation swap partition using the /dev/snapshot ioctl APIs
  378. * If we try to find a unit via a dangling symlink, generate a clean
  379. error. Currently, we just ignore it and read the unit from the search
  380. path anyway.
  381. * refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up
  382. * man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted.
  383. * load .d/*.conf dropins for device units
  384. * allow implementation of InaccessibleDirectories=/ plus
  385. ReadOnlyDirectories=... for whitelisting files for a service.
  386. * sd-bus:
  387. - EBADSLT handling
  388. - GetAllProperties() on a non-existing object does not result in a failure currently
  389. - port to sd-resolve for connecting to TCP dbus servers
  390. - see if we can introduce a new sd_bus_get_owner_machine_id() call to retrieve the machine ID of the machine of the bus itself
  391. - see if we can drop more message validation on the sending side
  392. - add API to clone sd_bus_message objects
  393. - longer term: priority inheritance
  394. - dbus spec updates:
  395. - NameLost/NameAcquired obsolete
  396. - GVariant
  397. - path escaping
  398. - update systemd.special(7) to mention that dbus.socket is only about the compatibility socket now
  399. * sd-event
  400. - allow multiple signal handlers per signal?
  401. - document chaining of signal handler for SIGCHLD and child handlers
  402. - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ...
  403. - generate a failure of a default event loop is executed out-of-thread
  404. - maybe add support for inotify events (which we can do safely now, with O_PATH)
  405. * investigate endianness issues of UUID vs. GUID
  406. * dbus: when a unit failed to load (i.e. is in UNIT_ERROR state), we
  407. should be able to safely try another attempt when the bus call LoadUnit() is invoked.
  408. * add a pam module that passes the hdd passphrase into the PAM stack and then expires it, for usage by gdm auto-login.
  409. * add a pam module that on password changes updates any LUKS slot where the password matches
  410. * maybe add a generator that looks for "systemd.run=" on the kernel cmdline for container usercases...
  411. * test/:
  412. - add unit tests for config_parse_device_allow()
  413. * seems that when we follow symlinks to units we prefer the symlink
  414. destination path over /etc and /usr. We should not do that. Instead
  415. /etc should always override /run+/usr and also any symlink
  416. destination.
  417. * when isolating, try to figure out a way how we implicitly can order
  418. all units we stop before the isolating unit...
  419. * teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off})
  420. * BootLoaderSpec: Clarify that the kernel has to be in $BOOT. Clarify
  421. that the boot loader should be installed to the ESP. Define a way
  422. how an installer can figure out whether a BLS compliant boot loader
  423. is installed.
  424. * think about requeuing jobs when daemon-reload is issued? usecase:
  425. the initrd issues a reload after fstab from the host is accessible
  426. and we might want to requeue the mounts local-fs acquired through
  427. that automatically.
  428. * systemd-inhibit: make taking delay locks useful: support sending SIGINT or SIGTERM on PrepareForSleep()
  429. * remove any syslog support from log.c — we probably cannot do this before split-off udev is gone for good
  430. * shutdown logging: store to EFI var, and store to USB stick?
  431. * merge unit_kill_common() and unit_kill_context()
  432. * introduce ExecCondition= in services
  433. * EFI:
  434. - honor language efi variables for default language selection (if there are any?)
  435. - honor timezone efi variables for default timezone selection (if there are any?)
  436. - change bootctl to be backed by systemd-bootd to control temporary and persistent default boot goal plus efi variables
  437. * maybe do not install getty@tty1.service symlink in /etc but in /usr?
  438. * print a nicer explanation if people use variable/specifier expansion in ExecStart= for the first word
  439. * mount: turn dependency information from /proc/self/mountinfo into dependency information between systemd units.
  440. * logind:
  441. - logind: optionally, ignore idle-hint logic for autosuspend, block suspend as long as a session is around
  442. - When we update the kernel all kind of hibernation should be prohibited until shutdown/reboot
  443. - logind: wakelock/opportunistic suspend support
  444. - Add pretty name for seats in logind
  445. - logind: allow showing logout dialog from system?
  446. - session scopes/user unit: add RequiresMountsFor for the home directory of the user
  447. - add Suspend() bus calls which take timestamps to fix double suspend issues when somebody hits suspend and closes laptop quickly.
  448. - if pam_systemd is invoked by su from a process that is outside of a
  449. any session we should probably just become a NOP, since that's
  450. usually not a real user session but just some system code that just
  451. needs setuid().
  452. - logind: make the Suspend()/Hibernate() bus calls wait for the for
  453. the job to be completed. before returning, so that clients can wait
  454. for "systemctl suspend" to finish to know when the suspending is
  455. complete.
  456. - logind: when the power button is pressed short, just popup a
  457. logout dialog. If it is pressed for 1s, do the usual
  458. shutdown. Inspiration are Macs here.
  459. - expose "Locked" property on logind sesison objects
  460. - maybe allow configuration of the StopTimeout for session scopes
  461. - rename session scope so that it includes the UID. THat way
  462. the session scope can be arranged freely in slices and we don't have
  463. make assumptions about their slice anymore.
  464. - follow PropertiesChanged state more closely, to deal with quick logouts and
  465. relogins
  466. * exec: when deinitializating a tty device fix the perms and group, too, not only when initializing. Set access mode/gid to 0620/tty.
  467. * journal:
  468. - consider introducing implicit _TTY= + _PPID= + _EUID= + _EGID= + _FSUID= + _FSGID= fields
  469. - import and delete pstore filesystem content at startup
  470. - journald: also get thread ID from client, plus thread name
  471. - journal: when waiting for journal additions in the client always sleep at least 1s or so, in order to minimize wakeups
  472. - add API to close/reopen/get fd for journal client fd in libsystemd-journal.
  473. - fallback to /dev/log based logging in libsystemd-journal, if we cannot log natively?
  474. - declare the local journal protocol stable in the wiki interface chart
  475. - sd-journal: speed up sd_journal_get_data() with transparent hash table in bg
  476. - journald: when dropping msgs due to ratelimit make sure to write
  477. "dropped %u messages" not only when we are about to print the next
  478. message that works, but alraedy after a short tiemout
  479. - check if we can make journalctl by default use --follow mode inside of less if called without args?
  480. - maybe add API to send pairs of iovecs via sd_journal_send
  481. - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access
  482. - journactl: support negative filtering, i.e. FOOBAR!="waldo",
  483. and !FOOBAR for events without FOOBAR.
  484. - journal: store timestamp of journal_file_set_offline() int he header,
  485. so it is possible to display when the file was last synced.
  486. - journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again.
  487. - journal: find a way to allow dropping history early, based on priority, other rules
  488. - journal: When used on NFS, check payload hashes
  489. - journald: add kernel cmdline option to disable ratelimiting for debug purposes
  490. - refuse taking lower-case variable names in sd_journal_send() and friends.
  491. - journald: we currently rotate only after MaxUse+MaxFilesize has been reached.
  492. - journal: deal nicely with byte-by-byte copied files, especially regards header
  493. - journal: sanely deal with entries which are larger than the individual file size, but where the components would fit
  494. - Replace utmp, wtmp, btmp, and lastlog completely with journal
  495. - journalctl: instead --after-cursor= maybe have a --cursor=XYZ+1 syntax?
  496. - when a kernel driver logs in a tight loop, we should ratelimit that too.
  497. - journald: optionally, log debug messages to /run but everything else to /var
  498. - journald: when we drop syslog messages because the syslog socket is
  499. full, make sure to write how many messages are lost as first thing
  500. to syslog when it works again.
  501. - change systemd-journal-flush into a service that stays around during
  502. boot, and causes the journal to be moved back to /run on shutdown,
  503. so that we do not keep /var busy. This needs to happen synchronously,
  504. hence doing this via signals is not going to work.
  505. - optionally support running journald from the command line for testing purposes in external projects
  506. - journald: allow per-priority and per-service retention times when rotating/vacuuming
  507. - journald: make use of uid-range.h to managed uid ranges to split
  508. journals in.
  509. - journalctl: add the ability to look for the most recent process of a binary. journalctl /usr/bin/X11 --pid=-1 or so...
  510. - improve journalctl performance by loading journal files
  511. lazily. Encode just enough information in the file name, so that we
  512. do not have to open it to know that it is not interesting for us, for
  513. the most common operations.
  514. - man: document that corrupted journal files is nothing to act on
  515. - rework journald sigbus stuff to use mutex
  516. - Set RLIMIT_NPROC for systemd-journal-xyz, and all other of our
  517. services that run under their own user ids, and use User= (but only
  518. in a world where userns is ubiquitous since otherwise we cannot
  519. invoke those daemons on the host AND in a container anymore). Also,
  520. if LimitNPROC= is used without User= we should warn and refuse
  521. operation.
  522. - journalctl --verify: don't show files that are currently being
  523. written to as FAIL, but instead show that their are being written to.
  524. - add journalctl -H that talks via ssh to a remote peer and passes through
  525. binary logs data
  526. - add a version of --merge which also merges /var/log/journal/remote
  527. - journalctl: -m should access container journals directly by enumerating
  528. them via machined, and also watch containers coming and going.
  529. Benefit: nspawn --ephemeral would start working nicely with the journal.
  530. - assign MESSAGE_ID to log messages about failed services
  531. * add a test if all entries in the catalog are properly formatted.
  532. (Adding dashes in a catalog entry currently results in the catalog entry
  533. being silently skipped. journalctl --update-catalog must warn about this,
  534. and we should also have a unit test to check that all our message are OK.)
  535. * document:
  536. - document that deps in [Unit] sections ignore Alias= fields in
  537. [Install] units of other units, unless those units are disabled
  538. - man: clarify that time-sync.target is not only sysv compat but also useful otherwise. Same for similar targets
  539. - document that service reload may be implemented as service reexec
  540. - add a man page containing packaging guidelines and recommending usage of things like Documentation=, PrivateTmp=, PrivateNetwork= and ReadOnlyDirectories=/etc /usr.
  541. - document systemd-journal-flush.service properly
  542. - documentation: recommend to connect the timer units of a service to the service via Also= in [Install]
  543. - man: document the very specific env the shutdown drop-in tools live in
  544. - man: add more examples to man pages
  545. - man: maybe sort directives in man pages, and take sections from --help and apply them to man too
  546. * systemctl:
  547. - add systemctl switch to dump transaction without executing it
  548. - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done
  549. - "systemctl disable" on a static unit prints no message and does
  550. nothing. "systemctl enable" does nothing, and gives a bad message
  551. about it. Should fix both to print nice actionable messages.
  552. - print nice message from systemctl --failed if there are no entries shown, and hook that into ExecStartPre of rescue.service/emergency.service
  553. - add new command to systemctl: "systemctl system-reexec" which reexecs as many daemons as virtually possible
  554. - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards?
  555. - systemctl: "Journal has been rotated since unit was started." message is misleading
  556. - systemctl status output should include list of triggering units and their status
  557. * unit install:
  558. - "systemctl mask" should find all names by which a unit is accessible
  559. (i.e. by scanning for symlinks to it) and link them all to /dev/null
  560. * timer units:
  561. - timer units should get the ability to trigger when:
  562. o CLOCK_REALTIME makes jumps (TFD_TIMER_CANCEL_ON_SET)
  563. o DST changes
  564. o timezone changes
  565. - Modulate timer frequency based on battery state
  566. * add libsystemd-password or so to query passwords during boot using the password agent logic
  567. * clean up date formatting and parsing so that all absolute/relative timestamps we format can also be parsed
  568. * on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?), get rid of systemd-update-utmp-runlevel
  569. * make repeated alt-ctrl-del presses printing a dump
  570. * hostnamed: before returning information from /etc/machine-info.conf check the modification data and reread. Similar for localed, ...
  571. * currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not
  572. * nspawn:
  573. - emulate /dev/kmsg using CUSE and turn off the syslog syscall
  574. with seccomp. That should provide us with a useful log buffer that
  575. systemd can log to during early boot, and disconnect container logs
  576. from the kernel's logs.
  577. - as soon as networkd has a bus interface, hook up --network-interface=,
  578. --network-bridge= with networkd, to trigger netdev creation should an
  579. interface be missing
  580. - a nice way to boot up without machine id set, so that it is set at boot
  581. automatically for supporting --ephemeral. Maybe hash the host machine id
  582. together with the machine name to generate the machine id for the container
  583. - fix logic always print a final newline on output.
  584. https://github.com/systemd/systemd/pull/272#issuecomment-113153176
  585. - should optionally support receiving WATCHDOG=1 messages from its payload
  586. PID 1...
  587. - optionally automatically add FORWARD rules to iptables whenever nspawn is
  588. running, remove them when shut down.
  589. - maybe make copying of /etc/resolv.conf optional, and skip it if --read-only
  590. is used
  591. * dissect
  592. - refuse mounting over a mount point
  593. - automatically discover .roothash files in dissect, similarly to nspawn
  594. * machined:
  595. - add an API so that libvirt-lxc can inform us about network interfaces being
  596. removed or added to an existing machine
  597. - "machinectl migrate" or similar to copy a container from or to a
  598. difference host, via ssh
  599. - introduce systemd-nspawn-ephemeral@.service, and hook it into
  600. "machinectl start" with a new --ephemeral switch
  601. - "machinectl status" should also show internal logs of the container in
  602. question
  603. - "machinectl list-images" should show os-release data, as well as
  604. machine-info data (including deployment level)
  605. - "machinectl history"
  606. - "machinectl diff"
  607. - "machinectl commit" that takes a writable snapshot of a tree, invokes a
  608. shell in it, and marks it read-only after use
  609. * importd:
  610. - generate a nice warning if mkfs.btrfs is missing
  611. * cryptsetup:
  612. - cryptsetup-generator: allow specification of passwords in crypttab itself
  613. - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator
  614. * hw watchdog: optionally try to use the preset watchdog timeout instead of always overriding it
  615. https://bugs.freedesktop.org/show_bug.cgi?id=54712
  616. * add a dependency on standard-conf.xml and other included files to man pages
  617. * MountFlags=shared acts as MountFlags=slave right now.
  618. * properly handle loop back mounts via fstab, especially regards to fsck/passno
  619. * initialize the hostname from the fs label of /, if /etc/hostname does not exist?
  620. * udev:
  621. - move to LGPL
  622. - kill scsi_id
  623. - add trigger --subsystem-match=usb/usb_device device
  624. - reimport udev db after MOVE events for devices without dev_t
  625. * There's currently no way to cancel fsck (used to be possible via C-c or c on the console)
  626. * add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/
  627. * coredump:
  628. - save coredump in Windows/Mozilla minidump format
  629. - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps
  630. * support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting)
  631. * default to actual 32-bit PIDs, via /proc/sys/kernel/pid_max
  632. * be able to specify a forced restart of service A where service B depends on, in case B
  633. needs to be auto-respawned?
  634. * tmpfiles:
  635. - apply "x" on "D" too (see patch from William Douglas)
  636. - replace F with f+.
  637. - instead of ignoring unknown fields, reject them.
  638. - creating new directories/subvolumes/fifos/device nodes
  639. should not follow symlinks. None of the other adjustment or creation
  640. calls follow symlinks.
  641. * make sure systemd-ask-password-wall does not shutdown systemd-ask-password-console too early
  642. * verify that the AF_UNIX sockets of a service in the fs still exist
  643. when we start a service in order to avoid confusion when a user
  644. assumes starting a service is enough to make it accessible
  645. * Make it possible to set the keymap independently from the font on
  646. the kernel cmdline. Right now setting one resets also the other.
  647. * and a dbus call to generate target from current state
  648. * write blog stories about:
  649. - hwdb: what belongs into it, lsusb
  650. - enabling dbus services
  651. - how to make changes to sysctl and sysfs attributes
  652. - remote access
  653. - how to pass throw-away units to systemd, or dynamically change properties of existing units
  654. - testing with Harald's awesome test kit
  655. - auto-restart
  656. - how to develop against journal browsing APIs
  657. - the journal HTTP iface
  658. - non-cgroup resource management
  659. - dynamic resource management with cgroups
  660. - refreshed, longer missions statement
  661. - calendar time events
  662. - init=/bin/sh vs. "emergency" mode, vs. "rescue" mode, vs. "multi-user" mode, vs. "graphical" mode, and the debug shell
  663. - how to create your own target
  664. - instantiated apache, dovecot and so on
  665. - hooking a script into various stages of shutdown/rearly booot
  666. * investigate whether the gnome pty helper should be moved into systemd, to provide cgroup support.
  667. * dot output for --test showing the 'initial transaction'
  668. * pid1:
  669. - When logging about multiple units (stopping BoundTo units, conflicts, etc.),
  670. log both units as UNIT=, so that journalctl -u triggers on both.
  671. - generate better errors when people try to set transient properties
  672. that are not supported...
  673. http://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html
  674. - maybe introduce WantsMountsFor=? Usecase:
  675. http://lists.freedesktop.org/archives/systemd-devel/2015-January/027729.html
  676. - recreate systemd's D-Bus private socket file on SIGUSR2
  677. - move PAM code into its own binary
  678. - when we automatically restart a service, ensure we restart its rdeps, too.
  679. - hide PAM options in fragment parser when compile time disabled
  680. - Support --test based on current system state
  681. - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle().
  682. - after deserializing sockets in socket.c we should reapply sockopts and things
  683. - drop PID 1 reloading, only do reexecing (difficult: Reload()
  684. currently is properly synchronous, Reexec() is weird, because we
  685. cannot delay the response properly until we are back, so instead of
  686. being properly synchronous we just keep open the fd and close it
  687. when done. That means clients do not get a successful method reply,
  688. but much rather a disconnect on success.
  689. - when breaking cycles drop sysv services first, then services from /run, then from /etc, then from /usr
  690. - when a bus name of a service disappears from the bus make sure to queue further activation requests
  691. * unit files:
  692. - allow port=0 in .socket units
  693. - maybe introduce ExecRestartPre=
  694. - add ReloadSignal= for configuring a reload signal to use
  695. - implement Register= switch in .socket units to enable registration
  696. in Avahi, RPC and other socket registration services.
  697. - allow Type=simple with PIDFile=
  698. https://bugzilla.redhat.com/show_bug.cgi?id=723942
  699. - allow writing multiple conditions in unit files on one line
  700. - load-fragment: when loading a unit file via a chain of symlinks
  701. verify that it is not masked via any of the names traversed.
  702. - introduce Type=pid-file
  703. - introduce mix of BindTo and Requisite
  704. - add a concept of RemainAfterExit= to scope units
  705. - Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely
  706. * udev-link-config:
  707. - Make sure ID_PATH is always exported and complete for
  708. network devices where possible, so we can safely rely
  709. on Path= matching
  710. - check MTUBytes parsing (expecting size_t but we are using unsigned)
  711. * sd-rtnl:
  712. - add support for more attribute types
  713. - inbuilt piping support (essentially degenerate async)? see loopback-setup.c and other places
  714. * networkd:
  715. - add more keys to [Route] and [Address] sections
  716. - add support for more DHCPv4 options (and, longer term, other kinds of dynamic config)
  717. - add proper initrd support (in particular generate .network/.link files based on /proc/cmdline)
  718. - add reduced [Link] support to .network files
  719. - add Scope= parsing option for [Network]
  720. - properly handle routerless dhcp leases
  721. - work with non-Ethernet devices
  722. - add support for more bond options
  723. - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from?
  724. - the DHCP lease data (such as NTP/DNS) is still made available when
  725. a carrier is lost on a link. It should be removed instantly.
  726. - expose in the API the following bits:
  727. - option 15, domain name and/or option 119, search list
  728. - option 12, host name and/or option 81, fqdn
  729. - option 123, 144, geolocation
  730. - option 252, configure http proxy (PAC/wpad)
  731. - provide a way to define a per-network interface default metric value
  732. for all routes to it. possibly a second default for DHCP routes.
  733. - allow Name= to be specified repeatedly in the [Match] section. Maybe also
  734. support Name=foo*|bar*|baz ?
  735. - duplicate address check for static IPs (like ARPCHECK in network-scripts)
  736. - allow DUID/IAID to be customized, see issue #394.
  737. - whenever uplink info changes, make DHCP server send out FORCERENEW
  738. * networkd-wait-online:
  739. - make operstates to wait for configurable?
  740. * dhcp:
  741. - figure out how much we can increase Maximum Message Size
  742. * dhcp6:
  743. - add functions to set previously stored IPv6 addresses on startup and get
  744. them at shutdown; store them in client->ia_na
  745. - write more test cases
  746. - implement reconfigure support, see 5.3., 15.11. and 22.20.
  747. - implement support for temporary adressess (IA_TA)
  748. - implement dhcpv6 authentication
  749. - investigate the usefulness of Confirm messages; i.e. are there any
  750. situations where the link changes without any loss in carrier detection
  751. or interface down
  752. - some servers don't do rapid commit without a filled in IA_NA, verify
  753. this behavior
  754. - RouteTable= ?
  755. External:
  756. * dbus:
  757. - natively watch for dbus-*.service symlinks (PENDING)
  758. - teach dbus to activate all services it finds in /etc/systemd/services/org-*.service
  759. * fix alsa mixer restore to not print error when no config is stored
  760. * make cryptsetup lower --iter-time
  761. * patch kernel for xattr support in /dev, /proc/, /sys?
  762. * kernel: add device_type = "fb", "fbcon" to class "graphics"
  763. * drop accountsservice's StandardOutput=syslog and Type=dbus fields
  764. * /usr/bin/service should actually show the new command line
  765. * fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus=
  766. * fedora: F20: go timer units all the way, leave cron.daily for cron
  767. * neither pkexec nor sudo initialize environ[] from the PAM environment?
  768. * fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it
  769. * register catalog database signature as file magic
  770. * zsh shell completion:
  771. - <command> <verb> -<TAB> should complete options, but currently does not
  772. - systemctl add-wants,add-requires
  773. Regularly:
  774. * look for close() vs. close_nointr() vs. close_nointr_nofail()
  775. * check for strerror(r) instead of strerror(-r)
  776. * pahole
  777. * set_put(), hashmap_put() return values check. i.e. == 0 does not free()!
  778. * use secure_getenv() instead of getenv() where appropriate
  779. * link up selected blog stories from man pages and unit files Documentation= fields