Notices by Lennart Poettering (pid_eins@mastodon.social)

2️⃣ Here's the 2nd post highlighting key new features of the upcoming v260 release of systemd. #systemd260 #systemd

systemd is adopting the IPC system in more and more places. One nice thing about Varlink is that it is conceptually close to HTTP, in its request/response semantics. This is on purpose to make bridging the web world and the low-level system world easy.

@michaelvogt has beeing working on a Varlink/HTTP bridge in Rust, with various bells and whistles, including…

…space is very scarce too). This opens things up so that we can start measuring more resources. There's one type of resource that is probably the most important one to measure on a modern image-based OSes: the images the OS is composed of, as they are activated.

With v260 we are filling this gap, finally, using a new NvPCR defined for this purpose. Whenever a DDI is activated, we'll ensure the root hash and information about the used signing keys for it are measured. This means the…

It's that time again! The systemd v260 release is coming closer. Let's restart the "what's new" series of posts for this iteration! Hence:

1️⃣ Here's the 1st post highlighting key new features of the upcoming v260 release of systemd. #systemd260 #systemd

In v259 we introduced the concept of "NvPCRs", i.e. additional TPM PCRs, that are implemented based on TPM NV Indexes in PCR mode, rather than true PCRs. PCRs are scarce, and this relieves the pressure a bit (not too much though, NV index…

Here's the third published video of my FOSDEM talks, about the Varlink IPC system:

https://video.fosdem.org/2026/ub2147/NFNKEK-varlink-ipc-system-keynote.av1.webm

This was the last one of the three. Enjoy!

#systemd #fosdem #fosdem2026

I don't often share Phoronix articles, but this one I will:

https://www.phoronix.com/news/Amutable

RE: https://mastodon.social/@amutable/115967747219090945

Today, we announce Amutable, our ✨ new ✨ company. We – @blixtra, @brauner, @davidstrauss, @rodrigo_rata, @michaelvogt, @pothos, @zbyszek, @daandemeyer, @cyphar, @jrocha and yours truly – are building the 🚀 next generation of Linux systems, with integrity, determinism, and verification – every step of the way.

→ https://amutable.com/blog/introducing-amutable ←

#amutable #linux #systemd #⊼mutable #integrity

Are you going to be at FOSDEM next week? I am apparently giving 3 talks there, so there you go, you have 3 reasons to go now, too! ;-) Hope to see you there:

https://fosdem.org/2026/schedule/speaker/lennart_poettering/

Right on time to coincide with the end of the year I finished my #systemd259 series of posts. And I now also prepped a blog story linking to every single one of them here:

https://0pointer.net/blog/mastodon-stories-for-systemd-v259.html

Make sure to stay tuned for the #systemd260 series, most likely starting already in a few weeks!

Also, happy new year! 🎇

2️⃣5️⃣ Here's the 25th and last post highlighting key new features of the recently released v259 release of systemd. #systemd259 #systemd

systemd-networkd has a small internal DHCP server, so that it's easy to hand out IP leases to local networks, for example for use in virtual networks (veth tunnel pairs, for example), or for small LANs. With systemd v259 the server gained a new feature, you can now configure with EmitDomain=/Domain= whether and which DNS domain to announce for client use.

2️⃣2️⃣ Here's the 22nd post highlighting key new features of the recently released v259 release of systemd. #systemd259 #systemd

In v258 systemd-nspawn gained support for running unpriviled containers from directories owned by the "foreign" UID range. To get container images owned by that you had to manually chown() the images (recursively), for example via systemd-dissect --shift. And while the systemd-nspawn invocation is not privileged, that re-chown()-ing definitely has requires privileges.

2️⃣3️⃣ Here's the 23rd post highlighting key new features of the recently released v259 release of systemd. #systemd259 #systemd

As you probably know sysemd-udevd processes notification events received from the kernel ("uevents") with a set of rules that match properties, set properties and execute code. Debugging these can be a bit annoying, since – of course – these notifications are typically result of hardware events, and hence attempts to correctly reproduce any issues in a controlled…

2️⃣1️⃣ Here's the 21st post highlighting key new features of the recently released v259 release of systemd. #systemd259 #systemd

In episode 16 we already talked about systemd-firstboot, systemd's little configuration console tool that can run on first boot and ask the user for a few simple basic questions regarding keymap or locale or such.

With v259 it received a small facelift of a kind. First of all, we'll now turn off concurrent log output from the kernel and from PID 1…

1️⃣6️⃣ Here's the 16th post highlighting key new features of the recently released v259 release of systemd. #systemd259 #systemd

systemd-firstboot is a small terminal tool that – if enabled – can run on first boot of a freshly installed system and interactively ask a number of very basic but essential configuration questions that are important to operate the system. It can be used in place of a fancier graphical tool, and maybe even act as blueprint for such a tool.

1️⃣5️⃣ Here's the 15th post highlighting key new features of the recently released v259 release of systemd. #systemd259 #systemd

Here's a quick one: you might have noticed that whenever a systemd service deactivates we'll log a brief journal message saying the amount of CPU time consumed, and the peak memory used by this unit cycle. With v259 that message is slightly extended: it will now also indicate the wall clock time passed since activation of the unit. This is particularly nice when…

6️⃣ Here's the 6th post highlighting key new features of the upcoming v259 release of systemd. #systemd259 #systemd

Here's a short one: systemd v259 will compile fine with musl libc, out of the box.

Sounds great? Well, it's not as great as it might sound to some. musl has quite some limitations compared to glibc: the primary one is that there's no Name Service Switch (NSS) support. That's the subsystem that allows systemd to make domain names, user names, groups names resolvable via…

RE: https://mastodon.social/@daandemeyer/115565105032166177

4️⃣ Here's the 4th post highlighting key new features of the upcoming v259 release of systemd. #systemd259 #systemd

For this one I am simply going to top-post @daandemeyer's story about run0's new --empower switch, which gives your process capability + polkit privileges, without changing your user ID. Very powerful stuff.

@lwn It's great that OpenSSH now stops placing its agent socket in /tmp/. It's really broken though they opted to place it in $HOME instead. Stuff that is inherently a runtime concept should not be in persistent $HOME, and the assumptions that socket inodes can even be created there is a wrong one.

(In case you wonder, $XDG_RUNTIME_DIR is the place to put per-user sockets, nowhere else).

5️⃣2️⃣ Here's the 52nd post highlighting key new features of the upcoming v258 release of systemd. #systemd258

PrivateUsers= is one of the many sandboxing knobs in service unit files. It configures a minimal user namespace for the service code to run in. So far you could set it to "self", which would set up the user namespace mapping for the service to map the root user and the service's user to itself, and leave everything else unmapped.

4️⃣9️⃣ Here's the 49th post highlighting key new features of the upcoming v258 release of systemd. #systemd258

One of the key features of systemd from day 1 on is socket activation, i.e. a mechanism where systemd binds sockets on behalf of services, watches them and only activates the services themselves later, possibly only at the moment they are actively used.

This has various benefits, for example reduces ahead of time cost of running a large number of services (which improves boot times).

4️⃣7️⃣ Here's the 47th post highlighting key new features of the upcoming v258 release of systemd. #systemd258

In episode 38 of this series we talked about homectl's new commands to manage signing keys for user accounts.

There are two other new commands homectl gained in v258.

First of all there's "homectl adopt". You just pass a path to an existing *.home LUKS disk image, or a *.homedir home directory, and it will make it available locally for login (assuming it carries the…