Systemd 249 release candidate includes better support for immutable OSes and provisioning images

Along with a slew of other new features

Systemd maintainer Lennart Poettering has committed code for RC1 including a huge number of new features.

Releases tend to come around every four months, with the last being Systemd 248 on 30 March. It is an alternative to the Linux init daemon but with much greater scope; its documentation describes it as "a suite of basic building blocks for a Linux system."

Most but not all Linux distros have adopted systemd – including Debian, SUSE, Red Hat (and its variants Fedora and CentOS), and Ubuntu. Debian can be run without systemd, and Devuan is a fork of Debian that specifically avoids it.

Poettering's post to the news section of the systemd GitHub repository lists a ton of new features coming in 249 – we counted 76 which the maintainer and co-inventor considered worth noting.

One theme is better support for immutable operating systems, gaining favour with releases like Red Hat's Silverblue and Kinoite, and SUSE's MicroOS. Immutable operating systems are conceptually replaced rather than patched and are inherently more secure.

Systemd 248 added system extension images for this purpose. Now in systemd 249, Poettering said: "The OS image dissection logic (as used by RootImage= in unit files or systemd-nspawn's --image= switch) has gained support for identifying and mounting explicit /usr/ partitions, which are now defined in the discoverable partition specification. This should be useful for environments where the root file system is generated/formatted/populated dynamically on first boot and combined with an immutable /usr/ tree that is supplied by the vendor."

Systemd starting up a Linux system

The trend towards containers and infrastructure as code means that provisioning new images is a frequent occurrence, and there are a number of changes designed to make this easier and more secure. There is better support for initialising newly provisioned images via a credential subsystem, including easy configuration of user passwords during first boot, and the ability "to initialize important system parameters on first boot of previously unprovisioned images."

We were assured that systemd "doesn't set any passwords... if the specified root user exists already in the image."

systemd-repart, for partition configuration and deploying system images, has new features for creating directories inside file systems before registering them in the partition table, which means that "the resulting image can [be] mounted immediately, even in read-only mode." It is also now possible to set the IMAGE_VERSION and IMAGE_ID variables via a configuration file.

With this release, user and group definitions can be read from the drop-in directories /etc/userdb, /run/userdb, /run/host/userdb and /usr/lib/userdb, in JSON format. Poettering said: "This is a simple and powerful mechanism for making additional users available to the system, with full integration into NSS [the Name Service Switch] including the shadow databases."
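Because those drop-in directories turn a plain JSON file into a login account, they are worth auditing. The following is an added example, not code from the article or from the systemd project: it checks JSON user-record drop-ins for the mistakes a defender most wants to catch (a public record that grants UID 0 or embeds secrets, and a privileged record left readable by other users). It assumes the record layout systemd documents for these directories, i.e. `<name>.user` for the public record and `<name>.user-privileged` for password hashes and other secrets; the sample records are constructed.

```python
import json
import stat
from pathlib import Path

# Constructed sample drop-ins (not from the page), shaped like the JSON user
# records systemd reads from /etc/userdb and friends: "<name>.user" holds the
# public record, "<name>.user-privileged" holds secrets such as password hashes.
SAMPLE_USERDB = {
    "deploy.user": json.dumps({"userName": "deploy", "uid": 60001, "gid": 60001,
                               "homeDirectory": "/home/deploy", "shell": "/bin/bash"}),
    "deploy.user-privileged": json.dumps({"userName": "deploy",
                                          "privileged": {"hashedPassword": ["$6$constructed$hash"]}}),
    # A record like this would silently add a second root account.
    "op.user": json.dumps({"userName": "op", "uid": 0, "shell": "/bin/sh"}),
}

def audit_record(filename: str, text: str, mode: int) -> list[str]:
    """Return findings for one drop-in file; an empty list means it looks sane."""
    findings = []
    try:
        rec = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"{filename}: not valid JSON ({e.msg})"]
    name = filename.split(".", 1)[0]          # file name must match userName
    if rec.get("userName") != name:
        findings.append(f"{filename}: userName {rec.get('userName')!r} does not match file name")
    if filename.endswith(".user-privileged"):
        # Secrets live here, so group/other must have no access at all.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{filename}: privileged record readable by group/other (mode {mode:04o})")
    else:
        if "privileged" in rec:
            findings.append(f"{filename}: secrets belong in {name}.user-privileged, not the public record")
        if rec.get("uid") == 0:
            findings.append(f"{filename}: record grants UID 0")
    return findings

def audit_dir(directory: Path) -> list[str]:
    """Audit every *.user / *.user-privileged drop-in in one directory."""
    out = []
    for p in sorted(directory.glob("*.user*")):
        out += audit_record(p.name, p.read_text(), p.stat().st_mode & 0o777)
    return out

if __name__ == "__main__":
    # Run against the sample records (modes are constructed) and then the real directories.
    for fname, text in SAMPLE_USERDB.items():
        print(audit_record(fname, text, 0o600 if fname.endswith("-privileged") else 0o644))
    for d in ("/etc/userdb", "/run/userdb", "/run/host/userdb", "/usr/lib/userdb"):
        print(d, audit_dir(Path(d)) if Path(d).is_dir() else "(absent)")
```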

A native systemd Journal protocol, which already existed, has now been documented. "Clients may talk this as an alternative to the classic BSD syslog protocol for locally delivering log records to the Journal," Poettering said. Other changes include DHCP improvements, updated FIDO2 (authentication with hardware keys) support, and more.

The journey from RC1 to full release is likely to take a month or so, judging by past releases, so we can expect systemd 249 sometime in July. The version of systemd soon to ship in Debian Bullseye is 247 so, as ever, it will be a while before we see these new features in mainstream distributions. ®
