Systemd 256 Rolls Out with Major Changes

Systemd 256 brings major updates, including deprecated support for cgroup v1, phase-out of System V scripts, and new features like systemd-vpick and importctl.

Systemd, a widely adopted system and service manager for Linux, released its latest iteration, v256. The new version introduces several significant updates, feature additions, and deprecations that will impact the future development and maintenance of Linux systems. Here are the most important deprecations.

  • Deprecation of NSCD Caches: The upcoming versions will remove support for automatic flushing of the NSCD user/group database caches, signaling a shift in managing these elements.
  • Cgroup Versioning Update: Systemd will no longer support cgroup v1, considering it obsolete. Future systems will need to operate with cgroup v2, and the existing systems that require cgroup v1 will need to set “SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1” on the kernel command line to continue using it.
  • System V Scripts: To modernize, support for legacy System V service scripts will be dropped. Developers are urged to use native systemd unit files to ensure compatibility.
  • EFI Variable Handling: The “SystemdOptions” EFI variable is also being deprecated, with a shift towards using more secure and modern alternatives like credentials and confexts (configuration extensions).
  • Enhancements in systemd-networkd: Changes in handling VLAN IDs and IP forwarding settings underscore systemd’s ongoing improvements in network management.

But, of course, Systemd 256 isn’t just about deprecations. It introduces a plethora of new features and general enhancements aimed at improving system management and security:

  • Configuration File Flexibility: Various systemd programs will now search for configuration files in additional directories beyond the traditional “/etc,” such as “/usr/lib” and “/run,” aligning the search logic for main config files and drop-ins.
  • New Binary systemd-vpick: A new utility has been added to manage files in versioned directories, simplifying the handling of multiple file versions.
  • Encrypted Service Credentials: Enhancements in how encrypted credentials are managed, allowing them to be accessible by unprivileged users, which improves security and usability in multi-user environments.
  • System Manager Enhancements: New settings, like “ProtectSystem=” for the whole system and “WantsMountsFor=” for creating dependencies based on mounts, are introduced, providing finer control over system resources and dependencies.
  • Improved Logging and Device Management: Systemd-journald has enhanced its capabilities to forward journal entries to a socket, and device management has been made more robust with new device symlinks.
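As an added illustration (not taken from the release notes or the systemd project), here is a constructed service unit that uses the new WantsMountsFor= directive together with the long-standing per-service ProtectSystem= sandboxing; the unit name, the /srv/data path and the backup-sync command are assumptions:

```ini
# /etc/systemd/system/backup-sync.service  (constructed example, not shipped by systemd)
[Unit]
Description=Sync backups to the external data volume
# New in systemd 256: add Wants= and After= dependencies on the mount units
# for this path and its parents. Unlike RequiresMountsFor=, an absent or
# failed mount does not turn into a hard failure of this unit.
WantsMountsFor=/srv/data

[Service]
Type=oneshot
# Assumed helper script; replace with the real job on your system.
ExecStart=/usr/local/bin/backup-sync /srv/data
# Per-service hardening that predates 256: mount the whole hierarchy read-only
# (except /dev, /proc and /sys) so a compromised job cannot alter the OS image.
ProtectSystem=strict
# Re-open only the data volume for writing.
ReadWritePaths=/srv/data
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemctl list-dependencies backup-sync.service` shows the srv-data.mount unit pulled in as a Wants= dependency rather than a Requires= one.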

We also want to focus on something significant related to the new release. As we informed you in late April, systemd was set to add an exciting new feature called run0, which is intended to be a more secure replacement for the sudo command. Now, with version 256, this feature has been officially introduced. So, let’s explore it in a bit more detail.

It is essentially a variation of systemd-run tailored for executing commands with root privileges in a highly controlled environment. Unlike traditional methods such as sudo, which escalate user privileges, run0 operates by invoking the specified command as a transient unit managed by systemd.

Additionally, run0 does not rely on SETUID binaries or similar mechanisms that traditionally elevate privileges and potentially expose systems to security risks. Instead, it integrates tightly with systemd’s security model, where privileges are managed more transparently and securely.

Authorization is managed via Polkit, an application-level toolkit for defining and handling the policy, allowing unprivileged processes to speak to privileged ones. Moreover, when used interactively, run0 can change the terminal background color to indicate operational status—a reddish tone for root services, which visually cues users to the elevated privilege level.

Does this mean we can now consider retiring sudo? Of course not. Users will just have an additional alternative. Only time will tell whether it will achieve widespread adoption.

Lastly, the new release also outlines several forward-looking changes aimed at future-proofing and improving the usability of systemd, and more specifically:

  • Service Management Tools: New tools and options like “systemd-firstboot=no” and changes in the service management logic are designed to handle modern hardware and software requirements more effectively.
  • Networking and Boot Improvements: Systemd’s focus on handling modern network environments and secure boot processes has resulted in enhanced capabilities in handling network configurations and boot processes.

For more information about all changes in Systemd 256, visit the full changelog on GitHub.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.