Our goal is to make GNOME OS a daily driver for QA and finalize the migration, but this work will be fundamental to the future of all secure image based / immutable Linux distributions.
Most of the internal process tracking is being changed to use PIDFDs instead of PIDs when the kernel supports it, to improve robustness and reliability.
Gotta run a maintenance command that will take a while? Try running it with systemd-run. You'll be able to manage it with the systemctl commands you already know. Standard output and error will go to the journal by default, so everything will be properly logged with timestamps.
Want to schedule the command like the old at command? Use --on-calendar=TIMESTAMP. Make sure to specify both date and time unless you want the command to run repeatedly.
It appears as though this would put each home directory inside its own LUKS container that would be locked when the user logs out or the hardware suspends. This would be a major improvement to the security profile of #Linux on the desktop!
Currently, on most systems (including Linux) regular user data is only effectively protected by system encryption when the hardware is completely turned off, but not when it is suspended.
If you haven't heard about torcx, don't worry about it. It's a rather specific tool for a very limited use case. Sysexts on the other hand make customising immutable, image-based Linux distros like Flatcar a lot more flexible!
The latest release of Linux PAM depends upon systemd-logind because utmp is not y2038-safe.
So if anyone in the Linux world has a problem with that, they have about 14 years to come up with a fix for utmp or else they will be using systemd and loving every minute of it. #Linux #systemd https://github.com/linux-pam/linux-pam/releases/tag/v1.5.3
If you're a user of WireGuard, Ansible, and systemd-networkd, you may be interested to know that I've just published version 2.0.0 of my 'ansible-systemd-network' roles collection. The addition in this version is a role to manage WireGuard tunnels 🙂
All our images and containers have been updated and adjusted to the latest release of mkosi, if you are interested in trying them, take a look at the https://nspawn.org FAQ and start spawning!
ICYMI: we've recently done some work on the #systemd documentation rendered on freedesktop.org, and now all manpages have a drop-down menu to select the release version to visualize. Also individual options are now tagged with the version they were first introduced in. These improvements should hopefully help readers with understanding what options are available in what version.
I was today years old when I learned about DynamicUser in #systemd courtesy of the Navidrome systemd service in #NixOS. Very nifty security concept where we can have ephemeral users created just for a service and thrown away when not needed. I feel like more services should default to this mode of working.
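Putting the two ideas from this feed together (systemd-run for long or scheduled maintenance jobs, and DynamicUser= for a throwaway service identity), here is an added example that is not code from any of the posts above. The unit names, the db-dump command and the calendar timestamp are constructed for illustration, and the jobs are assumed not to need root privileges.

```sh
#!/bin/sh
# Added example (not from the posts above): wrap a long maintenance command
# in a transient systemd unit with systemd-run, optionally scheduled with
# --on-calendar.  Unit names and commands here are made up for illustration;
# the jobs are assumed not to need root, so they run under DynamicUser=.

# Return 0 when the calendar spec names exactly one date and one time and
# contains no wildcard, list, step or range, i.e. it fires once, not repeatedly.
is_one_shot_calendar() {
    case $1 in
        *'*'*|*,*|*/*|*..*) return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}(:[0-9]{2})?$'
}

# Print (do not run) the systemd-run invocation.  Without a schedule the
# service starts immediately; with one, systemd-run creates a transient timer
# of the same name.  Stdout/stderr land in the journal: journalctl -u <unit>.
systemd_run_cmd() {
    unit=$1; when=$2; shift 2
    cmd="systemd-run --unit=$unit --description='maintenance: $unit'"
    # Throwaway UID plus a private /var/lib/<unit> owned by it.
    cmd="$cmd -p DynamicUser=yes -p StateDirectory=$unit"
    [ -n "$when" ] && cmd="$cmd --on-calendar='$when'"
    printf '%s' "$cmd $*"
}

# Check a schedule before using it: let systemd-analyze reject bad syntax
# where it is installed, then warn if the spec would make the job repeat.
check_schedule() {
    if command -v systemd-analyze >/dev/null 2>&1; then
        systemd-analyze calendar "$1" >/dev/null || return 2
    fi
    if ! is_one_shot_calendar "$1"; then
        echo "warning: '$1' repeats; give both date and time for a one-off run" >&2
        return 1
    fi
}

# Demo: a one-off dump at 03:00 on 1 May 2024 (constructed values).
if [ "${1:-}" = demo ]; then
    when='2024-05-01 03:00'
    check_schedule "$when" && eval "$(systemd_run_cmd db-dump "$when" /usr/local/bin/db-dump --full)"
fi
```

Run it with `demo` as the first argument on a systemd host to create the scheduled unit; `systemctl list-timers` and `journalctl -u db-dump` then show the timer and the job's output.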
I know people love hating on #systemd but there are so many things that are great about it. The journal is among the best (and the one that people seem to hate the most for reasons I find hard to relate to). Building a service with good logging is literally free, no code required: STDOUT/STDERR go to the journal, you're done. Ingesting those logs into something like Loki is also free. #linux
Here's a thorough analysis of all the commits by "Jia Tan" from 2023-08 through 2024-03, showing the many legitimate code changes done before the introduction of the #xz #backdoor: