systemd 253 RC1 Released With New "ukify" Tool


Systemd developers today released their first release candidate of the upcoming systemd 253 feature release, which introduces a new "ukify" tool and has many other changes for this dominant Linux init system.

Systemd 253 is another big release… Beyond the ukify tool introduction there are a lot of changes and improvements to existing systemd components. Some of the systemd 253-rc1 highlights to catch my attention include:

– A new tool with systemd 253 is the "ukify" tool to build, measure, and sign Unified Kernel Images (UKIs). The intent is for systemd ukify to replace functionality currently provided by "dracut --uefi" while providing more functionality as part of the new UKI / trusted boot philosophy.

– Initrd environments not on a temporary file-system are now supported.

– A new MemoryZSwapMax= option to configure the memory.zswap.max cgroup properties.

– Systemd scope units now support the OOMPolicy= option with login session scopes now defaulting to OOMPolicy=continue so they survive the OOM killer terminating some processes in the scope.

– The maximum rate at which daemon reloads are executed can now be controlled via the ReloadLimitIntervalSec= and ReloadLimitBurst= options.

– Systemd now executes generators in a "sandbox" mount namespace with most of the file-system being read-only and then just write access for output directories and a temporary /tmp mount point.

– A new unit type of Type=notify-reload: when a unit is reloaded via a signal, the manager will wait until it receives a "READY=1" notification from the unit.

– A new environment variable $SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST can be used to override the mount units' burst rate limit for parsing /proc/self/mountinfo, with a default value of 5.

– Systemd-boot now passes its random seed directly to the kernel’s RNG via the LINUX_EFI_RANDOM_SEED_TABLE_GUID configuration table.

– Systemd-boot can now be loaded from a direct kernel boot under QEMU, when embedded into the firmware, or other non-ESP scenarios.

– "systemctl kexec" now supports Xen.

– Various new options for systemd-dissect and systemd-repart.

– systemd-cryptenroll now supports unlocking via FIDO2 tokens.
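
To make the Type=notify-reload item above concrete, here is an added example (not code from the systemd project or from this article) of the service side of that handshake in Python. Per the systemd.service documentation, the service answers the reload signal (SIGHUP by default) with "RELOADING=1" plus a MONOTONIC_USEC= timestamp before the final "READY=1"; the names sd_notify, notify_reload and the do_reload callback are hypothetical.

```python
import os
import signal
import socket
import time


def sd_notify(state: str) -> bool:
    """Send one datagram to the manager's $NOTIFY_SOCKET; False if it is unset."""
    path = os.environ.get("NOTIFY_SOCKET")
    if not path:
        return False  # not started by systemd with a notify service type
    if path.startswith("@"):
        path = "\0" + path[1:]  # abstract-namespace socket
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.sendto(state.encode(), path)
    return True


def notify_reload(do_reload) -> list:
    """Run do_reload() bracketed by the messages Type=notify-reload expects."""
    # RELOADING=1 must carry the current CLOCK_MONOTONIC time in microseconds.
    usec = time.monotonic_ns() // 1000
    sent = [f"RELOADING=1\nMONOTONIC_USEC={usec}"]
    sd_notify(sent[0])
    try:
        do_reload()
    finally:
        # Report completion even on error so the manager is not left waiting.
        sent.append("READY=1")
        sd_notify("READY=1")
    return sent


def main() -> None:
    # Block SIGHUP and collect it with sigwait() so no reload request is lost.
    signal.pthread_sigmask(signal.SIG_BLOCK, {signal.SIGHUP})
    sd_notify("READY=1")  # initial start-up finished
    while True:
        signal.sigwait({signal.SIGHUP})  # manager asked for a reload
        notify_reload(lambda: None)  # placeholder: re-read configuration here


if __name__ == "__main__":
    main()
```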

The lengthy list of systemd 253-rc1 changes and downloads for the systemd source code are available from GitHub.