systemd, the widely adopted system and service manager for Linux, has released version 258, which introduces several changes that administrators should be aware of before upgrading.
The headline change is that support for cgroup v1 (the so-called "legacy" and "hybrid" hierarchies) has been removed. Only cgroup v2 is now mounted during boot and inside systemd-nspawn containers, so hosts that still boot with systemd.unified_cgroup_hierarchy=0, or that run container tooling which still depends on cgroup v1, need to be migrated before the upgrade rather than after it.
Another notable move is the bump in the minimum kernel requirement. The baseline is now Linux 5.4, first released in 2019, with 5.7 listed as the recommended version. Older distributions or kernels will simply not be able to run systemd 258.
Security changes are also in play. By default, tty/pts device nodes now get mode 0600 instead of the old 0620, so the tty group loses write access to terminals and "mesg n" becomes the effective default. The practical consequence is that tools which write to other users' terminals through that group write bit, such as write(1) and a setgid-tty wall(1), will not reach a session unless its owner re-enables access with "mesg y". On the crypto side, OpenSSL is now the only supported backend for systemd-resolved and systemd-importd; support for both GnuTLS and libgcrypt has been dropped.
Session handling has been reworked, too. systemd-logind now assigns sessions opened by background, non-interactive services, such as cron jobs or FTP logins, to new "light" session classes by default. Sessions in those classes no longer spin up a full per-user service manager (user@.service) unless explicitly configured to, for example through the class= option of pam_systemd. Interactive PAM sessions for normal users are unchanged.
Admins maintaining old setups should also take note: support for System V style init scripts is officially deprecated and scheduled for removal in systemd 259. The same goes for the legacy /run/lock/ directory, and for iptables support in networkd and nspawn, which will rely solely on nftables from the next release. Anything that still ships SysV init scripts or depends on the iptables backend should be converted now rather than after the removal.
On the features side, there is plenty. A new PrivateUsers=full value maps the entire 32-bit UID/GID range into the unit's user namespace (rather than only root and the nobody user), while ProtectHostname=private lets a unit change its own hostname inside a private UTS namespace without affecting the host. systemd also adds concurrency limits for slices, per-service directory quotas, and a ConditionVersion= directive that can check the versions of several components, not just the kernel.
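To make the new sandboxing directives concrete, here is an added example unit, written for this article and not taken from the systemd release notes or source tree, that combines them. PrivateUsers=full and ProtectHostname=private are the values named above; the directive names used for the directory quota (StateDirectoryQuota=) and the slice concurrency cap (ConcurrencyHardMax=), the exact ConditionVersion= syntax, the unit and slice names, and the /usr/bin/worker binary are assumptions for illustration and should be checked against systemd.exec(5), systemd.resource-control(5) and systemd.unit(5) on a v258 host.

```ini
# --- /etc/systemd/system/worker.service ---
# Added example for this article, not systemd's own code. Directive names
# marked "assumed" are taken from the release-note descriptions, not verified
# against the v258 man pages.
[Unit]
Description=Sandboxed worker using systemd v258 options
# Refuse to start on a host whose service manager is too old to understand
# the directives below (assumed syntax: component, operator, version).
ConditionVersion=systemd>=258

[Service]
# Hypothetical binary; replace with the real service.
ExecStart=/usr/bin/worker
DynamicUser=yes
# Map the whole 32-bit UID/GID range into the unit's user namespace instead
# of just root and nobody (new value in v258), so the service can chown/setuid
# to arbitrary IDs inside its namespace without touching host IDs.
PrivateUsers=full
# Give the service its own UTS namespace: it may call sethostname(), but the
# host's hostname is unaffected (new value in v258).
ProtectHostname=private
StateDirectory=worker
# Cap the state directory at 512 MiB so a compromised or buggy service cannot
# fill the disk (directive name assumed from "per-service directory quotas").
StateDirectoryQuota=512M
ProtectSystem=strict
NoNewPrivileges=yes
# Place the service in a slice that carries the new concurrency limit.
Slice=workers.slice

[Install]
WantedBy=multi-user.target

# --- /etc/systemd/system/workers.slice ---
[Slice]
# Allow at most four units in this slice to run at the same time
# (directive name assumed from "concurrency limits for slices").
ConcurrencyHardMax=4
```

After installing both files, `systemd-analyze verify worker.service` reports any directive the running version does not know, and `systemd-analyze condition 'ConditionVersion=systemd>=258'` evaluates the condition on its own, which is a quick way to confirm the assumed syntax before relying on it.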
Networking and device management see improvements as well. systemd-resolved introduces DNS delegate zones for more flexible routing, and udev now enforces stricter rules on OWNER=/GROUP= settings. Networkd shortens IPv4 Duplicate Address Detection to 200 ms by default, adds MPLS routing, BOOTP support, and new options for bridges, VXLAN, and HSR devices.
Lastly, on the boot side, systemd-boot now understands new UKI stanzas, and a fresh utility, systemd-factory-reset, makes it possible to trigger or cancel a factory reset directly from userspace. TPM2 handling also changes: new enrollments are no longer bound to PCR 7 by default. Because PCR 7 records the Secure Boot policy, an enrollment made with the new default no longer implicitly ties unlocking to the Secure Boot state, so users who want that binding should select the PCR explicitly when enrolling or, as the project now recommends, move to systemd-pcrlock with signed policies.
For more information about all changes in systemd 258, see the full changelog on GitHub.