Systemd 249 release candidate includes better support for immutable OSes and provisioning images
Along with a slew of other new features
Systemd maintainer Lennart Poettering has committed code for RC1 including a huge number of new features.
Releases tend to come around every four months, with the last being Systemd 248 on 30 March. It is an alternative to the Linux init daemon but with much greater scope; its documentation describes it as "a suite of basic building blocks for a Linux system."
Most but not all Linux distros have adopted systemd – including Debian, SUSE, Red Hat (and its variants Fedora and CentOS), and Ubuntu. Debian can be run without systemd, and Devuan is a fork of Debian that specifically avoids it.
Poettering's post to the news section of the systemd GitHub repository lists a ton of new features coming in 249 – we counted 76 which the maintainer and co-inventor considered worth noting.
One theme is better support for immutable operating systems, gaining favour with releases like Red Hat's Silverblue and Kinoite, and SUSE's MicroOS. Immutable operating systems are conceptually replaced rather than patched and are inherently more secure.
Systemd 248 added system extension images for this purpose. Now in systemd 249, Poettering said: "The OS image dissection logic (as used by RootImage= in unit files or systemd-nspawn's --image= switch) has gained support for identifying and mounting explicit /usr/ partitions, which are now defined in the discoverable partition specification. This should be useful for environments where the root file system is generated/formatted/populated dynamically on first boot and combined with an immutable /usr/ tree that is supplied by the vendor."
The trend towards containers and infrastructure as code means that provisioning new images is a frequent occurrence, and there are a number of changes designed to make this easier and more secure. There is better support for initialising newly provisioned images via a credential subsystem, including easy configuration of user passwords during first boot, and the ability "to initialize important system parameters on first boot of previously unprovisioned images."
We were assured that systemd "doesn't set any passwords... if the specified root user exists already in the image."
systemd-repart, for partition configuration and deploying system images, has new features for creating directories inside file systems before registering them in the partition table, which means that "the resulting image can [be] mounted immediately, even in read-only mode." It is also now possible to set IMAGE_VERSION and IMAGE_ID variables via a configuration file.
With this release, user and group definitions can be read from drop-in directories /etc/userdb, /run/userdb, /run/host/userdb and /usr/lib/userdb, in JSON format. Poettering said: "This is a simple and powerful mechanism for making additional users available to the system, with full integration into NSS [Network Security Services] including the shadow databases."
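As an added illustration of that drop-in mechanism (not code from the article or from the systemd project), the shell function below installs a constructed JSON user record for a hypothetical service account. The field names follow the JSON user record format, and the split into a world-readable `.user` file plus a root-only `.user-privileged` file holding the password hash is an assumption to check against the systemd documentation for your version.

```shell
#!/bin/sh
# Constructed example: drop a JSON user record into a userdb drop-in directory.
# Defaults to /etc/userdb; the directory is a parameter so it can be exercised
# against a scratch directory before touching the real system.
set -eu

install_userdb_record() {
    dir="$1"        # drop-in directory, e.g. /etc/userdb
    name="$2"       # user name, also used as the file name stem
    uid="$3"        # numeric UID; a "system" account should use a system-range UID
    hashed_pw="$4"  # crypt(3)-style hash, e.g. from: openssl passwd -6
    mkdir -p "$dir"

    # Public part of the record: readable by everyone, like /etc/passwd.
    cat >"$dir/$name.user" <<EOF
{
    "userName": "$name",
    "disposition": "system",
    "uid": $uid,
    "gid": $uid,
    "realName": "Backup service account (constructed example)",
    "homeDirectory": "/var/lib/$name",
    "shell": "/usr/sbin/nologin"
}
EOF
    chmod 0644 "$dir/$name.user"

    # Privileged part: carries the password hash, so it is created root-only
    # from the start (umask in a subshell, then an explicit mode), like /etc/shadow.
    (
        umask 077
        cat >"$dir/$name.user-privileged" <<EOF
{
    "privileged": {
        "hashedPassword": ["$hashed_pw"]
    }
}
EOF
    )
    chmod 0600 "$dir/$name.user-privileged"
}

# Usage on a real system (hypothetical account name and constructed hash):
#   install_userdb_record /etc/userdb svc-backup 972 "$(openssl passwd -6)"
#   userdbctl user svc-backup   # confirm the record is picked up
```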
A native systemd Journal protocol, which already existed, has now been documented. "Clients may talk this as alternative to the classic BSD syslog protocol for locally delivering log records to the Journal," Poettering said. Other changes include DHCP improvements, updated FIDO2 (authentication with hardware keys) support, and more.
The journey from RC1 to full release is likely to take a month or so, judging by past releases, so we can expect systemd 249 sometime in July. The version of systemd soon to ship in Debian Bullseye is 247 so, as ever, it will be a while before we see these new features in mainstream distributions. ®