Systemd 261 Lands with Cloud IMDS, TPM, and Network Updates

Systemd 261 adds a new cloud IMDS subsystem, TPM updates, boot improvements, networking changes, and several compatibility notes.

Systemd 261 has been released with major updates to the init system, service manager, boot tools, networking, TPM support, containers, virtual machines, and system update tools.

A key addition is the new cloud Instance Metadata Service subsystem. Systemd now includes systemd-imdsd, a local Varlink-based service that enables local programs to access cloud metadata through a unified interface, instead of connecting directly to each cloud provider’s metadata service.

This subsystem uses a hardware database file, hwdb.d/40-imds.hwdb, to identify public cloud platforms via SMBIOS information. Supported platforms include Amazon EC2, Microsoft Azure, Google Compute Engine, Hetzner, Oracle Cloud, Scaleway, Tencent Cloud, Alibaba ECS, and Vultr.

The release also adds an option to restrict network access to cloud metadata services for recognized clouds. The release notes recommend this for secure installations, but note it may conflict with traditional IMDS clients like cloud-init, which expect direct access to the metadata endpoint.

TPM support receives several updates. Systemd 261 introduces ConditionSecurity=measured-os, a new unit condition that checks if the system booted with measured-boot semantics. This is similar to ConditionSecurity=measured-uki but is more generic and applies to systems where TPM functionality is provided at the OS level.

Moreover, systemd-boot and systemd-stub now measure SMBIOS Type 1, Type 2, and Type 11 data into PCR 1, addressing cases where firmware does not perform these measurements.
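To make the measurement step concrete, the following added example (not systemd's code) models how extending SMBIOS data into a PCR works and how an attestation verifier replays an event log to reproduce the expected value. The sample records and event names are constructed placeholders, not real SMBIOS tables; only the extend rule itself (new PCR = SHA-256(old PCR || SHA-256(data))) is the real TPM behaviour.

```python
import hashlib

# SHA-256 bank PCRs 0-16 start at all zeros after reset.
PCR_INITIAL = bytes(32)


def measure(pcr: bytes, data: bytes) -> bytes:
    """TPM2 PCR extend: new = SHA256(old || SHA256(data)).

    The operation is one-way and order-sensitive, which is what makes a
    PCR value a compact commitment to everything measured into it.
    """
    digest = hashlib.sha256(data).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_all(events: list[bytes], start: bytes = PCR_INITIAL) -> bytes:
    """Replay a list of measured blobs in order and return the final PCR."""
    pcr = start
    for event in events:
        pcr = measure(pcr, event)
    return pcr


def replay_matches(expected_pcr: bytes, event_log: list[bytes]) -> bool:
    """What a remote verifier does: recompute the PCR from the logged
    events and compare it with the quoted value. Any added, removed or
    reordered event makes the replay diverge."""
    return measure_all(event_log) == expected_pcr


# Constructed stand-ins for the blobs a boot loader would measure
# (assumption: real SMBIOS tables are binary structures, not text).
FIRMWARE_EVENT = b"constructed:firmware-event"
SMBIOS_TYPE1 = b"constructed:type1:manufacturer=ExampleVendor;product=ExampleBoard"
SMBIOS_TYPE2 = b"constructed:type2:baseboard=ExampleBoard"
SMBIOS_TYPE11 = b"constructed:type11:oem-string=example"


def pcr1_firmware_only() -> bytes:
    """PCR 1 on a platform whose firmware measures only its own events."""
    return measure_all([FIRMWARE_EVENT])


def pcr1_with_smbios() -> bytes:
    """PCR 1 once the boot loader also measures SMBIOS Type 1, 2 and 11."""
    return measure_all([FIRMWARE_EVENT, SMBIOS_TYPE1, SMBIOS_TYPE2, SMBIOS_TYPE11])


if __name__ == "__main__":
    print("firmware only :", pcr1_firmware_only().hex())
    print("with SMBIOS   :", pcr1_with_smbios().hex())
    log = [FIRMWARE_EVENT, SMBIOS_TYPE1, SMBIOS_TYPE2, SMBIOS_TYPE11]
    print("replay ok     :", replay_matches(pcr1_with_smbios(), log))
```

The practical consequence for anyone sealing secrets or writing attestation policy against PCR 1: once additional SMBIOS records are measured, the resulting PCR value differs from the firmware-only value, and the verifier's expected value must be recomputed from the full event log.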

The service manager now supports the kernel’s Live Update Orchestration and Kexec Handover mechanisms when available, so system units can preserve file descriptor stores across kexec if the kernel supports it and FileDescriptorStorePreserve=yes is set.

User session managers now support persisting user units’ file descriptor stores. Combined with kexec handover support, this allows certain user services to retain state across session restarts and kexec reboots.

Systemd 261 also introduces new controls and interfaces for service management. The new ReloadCount property is available over D-Bus and Varlink, incrementing after each successful daemon-reload and resetting after daemon-reexec. Additional Varlink methods allow starting transient service units and requesting system shutdown operations.

Additionally, the release adds ConditionFraction=, a new unit condition for staged rollouts across machine fleets. It uses the system’s machine ID and a tag string to determine if a unit should run on a specified percentage of systems, enabling administrators to roll out units gradually.
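As an added illustration of the staged-rollout idea behind ConditionFraction= (this is a model written for this article, not systemd's implementation; the exact hash input and derivation systemd uses are not described here and are assumed), the example below derives a stable position in [0, 1) from a machine ID and a tag, then checks the two properties a fleet operator relies on: coverage close to the requested percentage, and monotonic growth, so a machine selected at 10% stays selected when the percentage is raised to 25% for the same tag.

```python
import hashlib


def rollout_bucket(machine_id: str, tag: str) -> float:
    """Deterministic position in [0, 1) for (machine_id, tag).

    Assumption: a SHA-256 over machine ID and tag is used here purely to
    model a stable per-machine bucket; systemd's real derivation may differ.
    """
    h = hashlib.sha256(f"{machine_id}/{tag}".encode()).digest()
    return int.from_bytes(h[:8], "big") / 2**64


def condition_fraction(machine_id: str, tag: str, percent: float) -> bool:
    """True if this machine falls within the first `percent` of the fleet."""
    return rollout_bucket(machine_id, tag) * 100 < percent


def fleet_coverage(machine_ids: list[str], tag: str, percent: float) -> float:
    """Fraction of the fleet on which the unit would run."""
    selected = sum(condition_fraction(m, tag, percent) for m in machine_ids)
    return selected / len(machine_ids)


def selected_set(machine_ids: list[str], tag: str, percent: float) -> set[str]:
    return {m for m in machine_ids if condition_fraction(m, tag, percent)}


def constructed_fleet(size: int) -> list[str]:
    """Constructed 32-hex-character IDs shaped like /etc/machine-id values."""
    return [hashlib.sha256(f"constructed-machine-{i}".encode()).hexdigest()[:32]
            for i in range(size)]


def rollout_is_monotonic(machine_ids: list[str], tag: str, lo: float, hi: float) -> bool:
    """Raising the percentage must only add machines, never drop any."""
    return selected_set(machine_ids, tag, lo) <= selected_set(machine_ids, tag, hi)


if __name__ == "__main__":
    fleet = constructed_fleet(10_000)
    for pct in (1, 10, 25, 50):
        print(f"{pct:>3}% requested -> {fleet_coverage(fleet, 'canary', pct):.3%} selected")
    print("monotonic 10% -> 25%:", rollout_is_monotonic(fleet, "canary", 10, 25))
    print("tags independent:", selected_set(fleet, "canary", 10) != selected_set(fleet, "kernel-test", 10))
```

Two design points are worth noting. Bucketing must be keyed on the tag as well as the machine ID, otherwise every staged rollout would land on the same unlucky 10% of the fleet. And because the bucket is stable, an operator can widen the rollout by editing only the percentage in the unit, and no machine that already received the unit will lose it.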

systemd-networkd also receives several updates. The new networkctl dhcp-lease INTERFACE command displays acquired DHCP lease information, including options received from the server. networkd now exposes Varlink methods for describing, reconfiguring, renewing, and force-renewing links, and networkctl prefers these methods when possible.

On top of that, systemd-resolved now supports static DNS resource records from JSON drop-in files under systemd/resolve/static.d/. This extends the role of /etc/hosts by enabling more flexible local DNS data through the drop-in configuration model. The resolver also adds cache size settings for DNS, MulticastDNS, and LLMNR, and now re-reads /etc/hosts entries on reload.

Regarding boot-related tools, systemd-stub now maintains a “boot secret” derived from a persistent EFI variable, to serve as fallback key material when a TPM is unavailable. It also detects the active EFI serial console and passes the corresponding console= parameter to the kernel command line, simplifying serial-console deployments with Unified Kernel Images.

systemd-boot now stores the existing binary as a fallback when installing a new version and creates a fallback UEFI boot entry. Plus, systemd-sysupdate is now installed in /usr/bin/ with other user-facing tools and is no longer experimental.

Containers and virtual machines receive updates as well. systemd-nspawn adds options for forwarding journal entries from the payload to selected journal sockets. It also supports preserving the payload system manager’s file descriptor store across container restarts when configured.

systemd-vmspawn introduces new features such as bind-volume support, headless console operation, EFI NVRAM state handling, direct kernel boot without UEFI firmware, selectable image disk types, and runtime storage manipulation through the io.systemd.MachineInstance Varlink interface.

Finally, the release notes list planned removals for systemd 262. Support for /run/boot-loader-entries/ and related interfaces will be removed, while UAPI.1 Boot Loader Specification support will remain. The experimental systemd-sysupdated D-Bus API will also be removed; clients should use Varlink to communicate directly with systemd-sysupdate.

For additional details, see the full changelog.

Bobby Borisov


Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
