author    Lennart Poettering <lennart@poettering.net>    2020-01-29 14:12:22 +0100
committer Lennart Poettering <lennart@poettering.net>    2020-01-29 14:12:22 +0100
commit    68410195679eec187cc2e8123b46fb779a49154f (patch)
tree      ec9accd466f2b144f3fdd232e09c14cd48277ef7
parent    po: update French translation (diff)
download  systemd-68410195679eec187cc2e8123b46fb779a49154f.tar.xz
          systemd-68410195679eec187cc2e8123b46fb779a49154f.zip
NEWS: more v245 preparation
-rw-r--r--  NEWS  80
1 files changed, 78 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index 2e8c1f4e49c..e000e43ebba 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,53 @@ systemd System and Service Manager
CHANGES WITH 245 in spe:
+ * A new tool "systemd-repart" has been added, that operates as an
+ idempotent, robust, incremental, elastic and declarative
+ repartitioner. It takes inspiration from
+ systemd-tmpfiles/systemd-sysusers but applies the algorithmic
+ concepts to GPT partition tables. Specifically, a set of partitions
+ that must or may exist can be configured via drop-in files, and
+ during every boot the partition table on disk is compared with these
+ files, creating missing partitions or growing existing ones based on
+ configurable relative and absolute size constraints. The tool is
+ strictly incremental, i.e. does not delete, shrink or move
+ partitions, but only adds and grows them. The primary use-case is OS
+ images that shall ship in minimized form, with only a minimal boot
+ and root partition, that on first boot is grown to the size of the
+ underlying block device or augmented with additional partitions. For
+ example, the root partition could be extended to cover the whole
+ disk, or a swap or /home partitions could be added implicitly on
+ first boot. It also has uses on systems that use an A/B update scheme
+ to allow shipping minimal images with just the A set of partition,
+ and with the B set added on first boot. The tool is primarily
+ intended to be run in the initrd, shortly before transitioning into
+ the host OS, but also can be run after the transition took place. It
+ automatically discovers the disk backing the root file system, and
+ should hence not require any additional configuration besides the
+ partition definition drop-ins.
+
+ * A new component "userdb" has been added, along with a small daemon
+ "systemd-userdb.service" and a client tool "userdbctl". The framework
+ allows defining rich user and group records in a JSON format,
+ extending on the classic "struct passwd" and "struct group"
+ structures. Various components in systemd have been updated to
+ process records in this format, including systemd-logind and
+ pam-systemd. The user records are intended to be extensible, and
+ allow setting various resource management, security and runtime
+ parameters that shall be applied to processes and sessions of the
+ user as they log in. This facility is intended to allow associating
+ such metadata directly with user/group records so that they can be
+ produced, extended and consumed in unified form. We hope that
+ eventually frameworks such as sssd will generate records this way, so
+ that for the first time resource management and various other
+ per-user settings can be configured in LDAP directories and then
+ provided to systemd (specifically to systemd-logind and pam-system)
+ to enforce on log-in. For further details see:
+
+ https://systemd.io/USER_RECORD
+ https://systemd.io/GROUP_RECORD
+ https://systemd.io/USER_GROUP_API
+
* When systemd-tmpfiles copies a file tree using the 'C' line type it
will now implicitly label every copied file matching the SELinux
database.
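Review bot: typo in the userdb entry, "(specifically to systemd-logind and pam-system)" should read "pam-systemd", matching the earlier mention of pam-systemd in the same paragraph. In the systemd-repart entry, "just the A set of partition" should be "partitions", and "with only a minimal boot and root partition, that on first boot is grown" reads better as "which on first boot are grown". Since the entry already says the tool "automatically discovers the disk backing the root file system", it would help to state explicitly that this is the only disk it will ever write to, so readers of the release notes know the blast radius of running it from the initrd.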
@@ -90,6 +137,11 @@ CHANGES WITH 245 in spe:
encryption of volumes to YubiKeys.This is exposed in the new
pkcs11-uri= option in /etc/crypttab.
+ * The /etc/fstab support in systemd now supports two new mount options
+ x-systemd.{required,wanted}-by=, for explicitly configuring the units
+ that the specified mount shall be pulled in by, in place of
+ the usual local-fs.target/remote-fs.target.
+
* The https://systemd.io/ web site has been relaunched, directly
populated with most of the documentation included in the systemd
repository. In particular, systemd acquired a new logo, thanks to
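Review bot: the fstab entry names the new x-systemd.{required,wanted}-by= options but never says what value they take; the surrounding text only says they configure "the units that the specified mount shall be pulled in by", so spell out the expected syntax (a unit name) to avoid guesswork. Unrelated nit in the unchanged context just above: "YubiKeys.This is exposed" is missing a space after the period.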
@@ -118,8 +170,20 @@ CHANGES WITH 245 in spe:
be requested by selecting a different naming scheme than the v245
one, via the net.naming-scheme= kernel command line option.
- * PrivateUsers= now works in services run by the systemd --user
- per-user instance of the service manager.
+ * PrivateUsers= in service files now works in services run by the
+ systemd --user per-user instance of the service manager.
+
+ * A new per-service sandboxing option ProtectClock= has been added that
+ locks down write access to the system clock. It takes away device
+ node access to /dev/rtc as well as the system calls that allow to set
+ the system clock. It also removes the CAP_SYS_TIME and CAP_WAKE_ALARM
+ capabilities. Note that this option does not affect access to
+ auxiliary services that allow changing the clock, for example access
+ to systemd-timedated.
+
+ * The systemd-id128 tool gained a new "show" verb for listing or
+ resolving a number of well-known UUIDs/128bit IDs, currently mostly
+ GPT partition table types.
* The Discoverable Partitions Specification has been updated to support
/var and /var/tmp partition discovery. Support for this has been
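Review bot: grammar in the ProtectClock= entry, "the system calls that allow to set the system clock" should be "that allow setting the system clock", and "128bit IDs" in the systemd-id128 entry should be "128-bit IDs". The closing caveat that ProtectClock= does not cover auxiliary services such as systemd-timedated is the security-relevant part of this entry; consider stating it more directly, for example "a sandboxed service can still change the clock indirectly via systemd-timedated", so readers do not read the option as a complete lock-down of clock changes.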
@@ -131,6 +195,10 @@ CHANGES WITH 245 in spe:
with the suggested enablement state based on the vendor preset files
for the respective units.
+ * "systemctl" gained a new option "--with-dependencies". If specified
+ commands such as "systemctl status" or "systemctl cat" will now show
+ all specified units along with all units they depend on.
+
* networkctl gained support for showing per-interface logs in its
"status" output.
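Review bot: missing comma in the systemctl entry, "If specified commands such as" should read "If specified, commands such as". It would also help to say whether "all units they depend on" means direct dependencies only or the full transitive set, since the sentence as written is ambiguous.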
@@ -139,6 +207,14 @@ CHANGES WITH 245 in spe:
permanent MAC address of a network device even if a randomized MAC
address is used.
+ * systemd-logind will now validate access to the operation for changing
+ virtual terminals via a PolicyKit action. By default only users with
+ at least one session on a local VT will get access to the method call.
+
+ * When systemd sets up PAM sessions that invoked service processes shall
+ run in, the pam_setcred() API is now invoked, thus permitting PAM
+ modules to set additional credentials for the processes.
+
CHANGES WITH 244:
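Review bot: the systemd-logind entry says VT switching is now gated by a PolicyKit action but does not name the action, and administrators will need the action ID to write matching polkit rules; add it to the entry. The phrase "validate access to the operation for changing virtual terminals via a PolicyKit action" is also wordy; "check a PolicyKit action before allowing a caller to change virtual terminals" says the same. In the pam_setcred() entry, "PAM sessions that invoked service processes shall run in" reads awkwardly; "PAM sessions for the service processes it invokes" is clearer.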