After four months of development, systemd 248, the system and service manager, has been released. The new release adds support for system extension images, the /etc/veritytab configuration file, the systemd-cryptenroll utility, unlocking LUKS2 volumes with TPM2 chips and FIDO2 tokens, running units in an isolated IPC namespace, B.A.T.M.A.N. Advanced (batadv) mesh-network interfaces in systemd-networkd, and an nftables backend for systemd-nspawn. systemd-oomd has been stabilized.
Main changes:
- A mechanism for system extension images (system extensions) has been implemented. Such images extend the /usr/ and /opt/ hierarchies with additional files at runtime, even when those directories are mounted read-only: when an extension image is attached, its contents are overlaid onto /usr/ and /opt/ using overlayfs.
A new utility, systemd-sysext, attaches (merges), detaches, lists and refreshes system extensions. The systemd-sysext.service unit automatically merges already installed images at boot. The os-release file gained a "SYSEXT_LEVEL=" field that declares which level of system extensions the OS supports.
- A new unit setting, ExtensionImages=, applies system extension images to the file system hierarchy of an individual isolated service.
- A new configuration file, /etc/veritytab, configures block-level integrity verification with the dm-verity module. Its format mirrors /etc/crypttab: "volume-name data-device hash-device roothash options". The dm-verity behaviour for the root device can be configured with the new systemd.verity.root_options= kernel command line parameter.
- systemd-cryptsetup can now read the PKCS#11 token URI and the encrypted key from the JSON metadata in the LUKS2 header, so the information needed to unlock an encrypted device can be stored on the device itself rather than in external files.
- systemd-cryptsetup supports unlocking LUKS2 volumes with TPM2 chips and FIDO2 tokens, in addition to the previously supported PKCS#11 tokens; the new systemd-cryptenroll utility enrolls these tokens into a LUKS2 volume. libfido2 is loaded via dlopen(), i.e. its presence is checked at runtime instead of being a hard link-time dependency.
- For systemd-cryptsetup, /etc/crypttab gained the "no-read-workqueue" and "no-write-workqueue" options, which make dm-crypt encrypt and decrypt I/O synchronously, bypassing its work queues.
- systemd-repart can now set up encrypted partitions bound to a TPM2 chip, for example to create an encrypted /var on first boot.
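The veritytab and crypttab formats above are easy to get subtly wrong (a root hash of the wrong length, a tpm2-pcrs= option without the tpm2-device= it qualifies). The following script is an added example, not code from the release notes or from systemd itself: it sanity-checks constructed /etc/veritytab and /etc/crypttab entries that use the features described above. The device paths, partition labels and root hash are placeholders; the crypttab option names (tpm2-device=, tpm2-pcrs=, fido2-device=, pkcs11-uri=, no-read-workqueue, no-write-workqueue) are those documented in crypttab(5), and the check that a root hash is 64 hex characters assumes veritysetup's default SHA-256 hash.

```shell
#!/bin/sh
# Added example (not part of the release notes or of systemd): sanity-check
# /etc/veritytab and /etc/crypttab entries. All sample data below is constructed.

# Constructed /etc/veritytab: "volume-name data-device hash-device roothash options".
# The second entry is deliberately malformed (root hash is not hex).
SAMPLE_VERITYTAB='usr /dev/disk/by-partlabel/usr-data /dev/disk/by-partlabel/usr-hash 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef nofail
broken /dev/sda3 /dev/sda4 notahash nofail'

# Constructed /etc/crypttab: "name device keyfile options".
# "none" as key file means the token metadata enrolled in the LUKS2 header is used.
# The last entry is deliberately inconsistent (tpm2-pcrs= without tpm2-device=).
SAMPLE_CRYPTTAB='cryptvar /dev/disk/by-partlabel/var none tpm2-device=auto,tpm2-pcrs=7,no-read-workqueue,no-write-workqueue
crypthome /dev/disk/by-partlabel/home none fido2-device=auto
legacy /dev/sda5 /etc/keys/legacy.key no-read-workqueue
oops /dev/sda6 none tpm2-pcrs=7'

# is_hex STRING: succeeds when STRING is non-empty and contains only hex digits
is_hex() {
    case "$1" in
        '' | *[!0-9a-fA-F]*) return 1 ;;
        *) return 0 ;;
    esac
}

# veritytab_check LINE: 0 when the entry is well-formed, 1 otherwise (reason on stderr)
veritytab_check() {
    set -- $1   # split the entry into its whitespace-separated fields
    [ $# -ge 4 ] || { echo "veritytab: expected at least 4 fields, got $#" >&2; return 1; }
    name=$1 data=$2 hash=$3 roothash=$4
    [ "$data" != "$hash" ] || { echo "veritytab $name: data and hash devices must differ" >&2; return 1; }
    is_hex "$roothash" || { echo "veritytab $name: root hash is not hexadecimal" >&2; return 1; }
    # veritysetup's default hash is SHA-256: 32 bytes, i.e. 64 hex characters
    [ ${#roothash} -eq 64 ] || { echo "veritytab $name: root hash has ${#roothash} hex chars, expected 64" >&2; return 1; }
    return 0
}

# crypttab_check LINE: 0 when the option list is consistent, 1 otherwise (reason on stderr)
crypttab_check() {
    set -- $1
    [ $# -ge 2 ] || { echo "crypttab: expected at least 2 fields, got $#" >&2; return 1; }
    name=$1 options=${4:-}
    has_tpm2=0 has_pcrs=0
    old_ifs=$IFS; IFS=,
    for opt in $options; do
        case $opt in
            tpm2-device=*) has_tpm2=1 ;;
            tpm2-pcrs=*) has_pcrs=1 ;;
            fido2-device=* | pkcs11-uri=*) ;;
            # bypass dm-crypt's read/write work queues: I/O is encrypted/decrypted synchronously
            no-read-workqueue | no-write-workqueue) ;;
            *) IFS=$old_ifs; echo "crypttab $name: unrecognised option '$opt'" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs
    # tpm2-pcrs= only has an effect together with tpm2-device=
    if [ $has_pcrs -eq 1 ] && [ $has_tpm2 -eq 0 ]; then
        echo "crypttab $name: tpm2-pcrs= given without tpm2-device=" >&2
        return 1
    fi
    return 0
}

# check_table FUNC TEXT: run FUNC on every non-empty line of TEXT; print the number of bad entries
check_table() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        "$1" "$line" || bad=$((bad + 1))
    done <<EOF
$2
EOF
    echo "$bad"
}

# Run the checks on the constructed samples: one bad entry is expected in each table
bad_verity=$(check_table veritytab_check "$SAMPLE_VERITYTAB")
bad_crypt=$(check_table crypttab_check "$SAMPLE_CRYPTTAB")
echo "veritytab: $bad_verity bad entries, crypttab: $bad_crypt bad entries"
```

Two caveats worth keeping in mind when writing real entries: the no-read-workqueue/no-write-workqueue options map onto dm-crypt's work-queue bypass flags, which only exist in Linux 5.9 and later, and bypassing the queues moves the cipher work into the context that issues the I/O, which is what makes it attractive for fast NVMe storage and unhelpful for slow devices. For veritytab, the options field may also be left out entirely; the checker above only insists on the first four fields.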
- Added