systemd Knowledge Patch (v255--v260)
Claude knows systemd unit files, journalctl, systemctl, and basic service management through systemd 254. This skill covers systemd v255 (December 2023) through v260 (February 2026).
Index
| Topic | Reference | Key features |
|-------|-----------|--------------|
| Breaking Changes | references/breaking-changes.md | cgroup v1 removed, SysV init removed, journal default persistent, IPForward deprecated, uaccess rules |
| Unit File Settings | references/unit-file-settings.md | PrivatePIDs, ProtectControlGroups, BindNetworkInterface, MemoryTHP, RestartMode=debug, DeferReactivation |
| journald & networkd | references/journald-and-networkd.md | Invocation tracking, ForwardToSocket, MobileNetwork section |
Breaking Changes at a Glance
| Change | Version | Impact |
|--------|---------|--------|
| cgroup v1 removed | v258 | Only cgroup v2 (unified hierarchy) supported |
| SysV init scripts removed | v260 | systemd-sysv-generator, rc-local.service gone; native units required |
| !! ExecStart prefix removed | v258 | Ambient capabilities compat prefix silently ignored |
| Journal default persistent | v259 | Was auto; override with Storage= in journald.conf |
| IPForward= deprecated | v256 | Use IPv4Forwarding=/IPv6Forwarding= in .network or networkd.conf |
| uaccess tag requires ACTION!="remove" | v258 | Rules using ACTION=="add" no longer work |
| TTY default mode 0600 | v258 | mesg n is default; restore with -Dtty-mode=0620 |
| KeepConfiguration=dynamic | v257 | Replaces dhcp; preserves DHCPv4/v6, NDISC, IPv4LL |
IPForward= Migration (v256)
Replace IPForward= in .network files with explicit per-family settings:
# Old (.network file):
[Network]
IPForward=yes
# New (.network file -- per-link):
[Network]
IPv4Forwarding=yes
IPv6Forwarding=yes
Or set globally in networkd.conf:
# /etc/systemd/networkd.conf
[Network]
IPv4Forwarding=yes
IPv6Forwarding=yes
Note: IPv6SendRA= and IPMasquerade= now imply per-link forwarding, not global sysctl.
uaccess udev Rules Fix (v258)
Rules using ACTION=="add" for the uaccess tag silently stopped working:
# Broken since v258:
ACTION=="add", SUBSYSTEM=="hidraw", TAG+="uaccess"
# Correct:
ACTION!="remove", SUBSYSTEM=="hidraw", TAG+="uaccess"
See references/breaking-changes.md for all breaking changes.
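An added example (not part of the original page or of systemd) that audits configuration for the IPForward= and uaccess changes above before an upgrade. It also flags the `!!` prefix and KeepConfiguration=dhcp rows from the table; the function names and sample file contents are constructed for illustration.

```python
import re

UACCESS = re.compile(r'TAG\s*\+?=\s*"uaccess"')
ACTION_ADD = re.compile(r'ACTION\s*==\s*"add"')
UNIT_CHECKS = [  # (pattern, finding) pairs taken from the table on this page
    (re.compile(r"^IPForward\s*="),
     "IPForward= deprecated (v256): use IPv4Forwarding=/IPv6Forwarding="),
    (re.compile(r"^KeepConfiguration\s*=\s*dhcp\s*$"),
     "KeepConfiguration=dhcp replaced by dynamic (v257)"),
    (re.compile(r"^Exec\w+\s*=\s*[-@:|]*!!"),
     '"!!" Exec prefix removed (v258)'),
]

def logical_lines(text):
    """Yield (first_line_no, line), joining lines that end in a backslash."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None

def audit(path, text):
    """Return (path, line_no, finding) tuples for one rules/unit/network file."""
    found = []
    for no, line in logical_lines(text):
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        if path.endswith(".rules"):
            if UACCESS.search(line) and ACTION_ADD.search(line):
                found.append((path, no, 'uaccess with ACTION=="add" is broken '
                                        'since v258: use ACTION!="remove"'))
        else:
            found += [(path, no, msg) for rx, msg in UNIT_CHECKS if rx.search(line)]
    return found

SAMPLES = {  # constructed file contents, not from a real system
    "/etc/udev/rules.d/70-hid.rules":
        '# HID access\nACTION=="add", SUBSYSTEM=="hidraw", \\\n  TAG+="uaccess"\n'
        'ACTION!="remove", SUBSYSTEM=="usb", TAG+="uaccess"\n',
    "/etc/systemd/network/10-lan.network":
        "[Network]\nIPForward=yes\nKeepConfiguration=dhcp\nIPv4Forwarding=yes\n",
    "/etc/systemd/system/app.service": "[Service]\nExecStart=!!/usr/bin/app\n",
}

def audit_all(files):
    return [f for path, text in files.items() for f in audit(path, text)]
```

The uaccess check only sees rules that match ACTION and set the tag on the same logical line; rules that guard the tag with an earlier GOTO on ACTION need manual review.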
Quick Reference -- Essential New Settings
PrivatePIDs= (v257)
Run processes as PID 1 in their own PID namespace with isolated /proc/:
[Service]
PrivatePIDs=yes
BindNetworkInterface= (v260)
Bind all sockets created by the unit to a specific interface (useful for VRF):
[Service]
BindNetworkInterface=eth0
ProtectControlGroups= extended (v257)
private creates a new cgroup namespace; strict also mounts cgroupfs read-only:
[Service]
ProtectControlGroups=strict
RestartMode=debug (v257)
On failure, restart with $DEBUG_INVOCATION=1 and LogLevelMax=debug:
[Service]
RestartMode=debug
Restart=on-failure
DeferReactivation= (v257)
For calendar timers, skip immediate reactivation if the service is still running:
[Timer]
OnCalendar=hourly
DeferReactivation=yes
StateDirectory= read-only suffix (v257)
Make managed directories read-only with :ro suffix:
[Service]
StateDirectory=myapp:ro
PrivateUsers= new modes (v257/v260)
identity (v257) -- identity-maps the first 65536 UIDs/GIDs in a user namespace
managed (v260) -- auto-assigns a dynamic transient 65K range via systemd-nsresourced
MemoryTHP= (v260)
Per-service Transparent Huge Pages control:
[Service]
MemoryTHP=always
SurviveFinalKillSignal= (v255)
Skip the unit during shutdown's final SIGTERM/SIGKILL. Required for soft-reboot survival:
[Service]
SurviveFinalKillSignal=yes
PassFileDescriptorsToExec= (v256)
Pass socket FDs to ExecStartPost=/ExecStopPre=/ExecStopPost= via $LISTEN_FDS:
[Socket]
PassFileDescriptorsToExec=yes
See references/unit-file-settings.md for the full list including CPUSchedulingPolicy=ext, PrivateTmp=disconnected, WantsMountsFor=, RefreshOnReload=, and fstab options.
journalctl Invocation Tracking (v257)
List and filter by service invocations (analogous to --list-boots/--boot):
journalctl --list-invocations -u myservice # list all invocations
journalctl --invocation=-1 -u myservice # 2nd-to-last invocation (-I takes no argument; it is shorthand for --invocation=0, the latest)
journald ForwardToSocket= (v256)
Forward journal entries to a remote socket in Journal Export Format:
[Journal]
ForwardToSocket=tcp:192.168.1.100:5555
MaxLevelSocket=info
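An added example (not from the original page or from systemd) of the receiving side: a parser for the Journal Export Format stream that ForwardToSocket= emits, treating the sender-supplied length of a binary field as untrusted. `parse_export`, `MAX_FIELD` and the sample bytes are constructed for illustration.

```python
import re
import struct

MAX_FIELD = 1 << 20   # assumed receiver-side cap on one binary field (1 MiB)
FIELD_NAME = re.compile(rb"[A-Z0-9_]{1,64}")

def parse_export(buf):
    """Return (entries, rest). Each entry maps a field name to a list of byte
    values (names may repeat); rest is the tail of a not yet terminated entry,
    to be prepended to the next read from the socket."""
    entries, entry, pos, done = [], {}, 0, 0
    while pos < len(buf):
        nl = buf.find(b"\n", pos)
        if nl < 0:
            break                               # partial line
        line = buf[pos:nl]
        if not line:                            # blank line ends the entry
            if entry:
                entries.append(entry)
            entry, pos = {}, nl + 1
            done = pos
            continue
        name, eq, value = line.partition(b"=")
        if not FIELD_NAME.fullmatch(name):
            raise ValueError(f"bad field name at offset {pos}")
        if eq:                                  # text form: NAME=value\n
            pos = nl + 1
        else:                                   # binary: NAME\n, LE64 size, data, \n
            if nl + 9 > len(buf):
                break                           # size not fully received
            (size,) = struct.unpack_from("<Q", buf, nl + 1)
            if size > MAX_FIELD:
                raise ValueError(f"field {name!r} claims {size} bytes")
            end = nl + 9 + size
            if end >= len(buf):
                break                           # data not fully received
            if buf[end:end + 1] != b"\n":
                raise ValueError("binary field not newline-terminated")
            value, pos = buf[nl + 9:end], end + 1
        entry.setdefault(name.decode(), []).append(value)
    return entries, buf[done:]

# Constructed sample: one complete entry with a multi-line (binary) MESSAGE,
# then the start of a second entry that has not been terminated yet.
SAMPLE = (b"__REALTIME_TIMESTAMP=1700000000000000\n"
          b"_SYSTEMD_UNIT=myservice.service\n"
          b"MESSAGE\n" + struct.pack("<Q", 11) + b"line1\nline2\n"
          b"\n"
          b"MESSAGE=second entry, not terminated\n")
```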
networkd MobileNetwork Section (v260)
ModemManager integration for cellular connections in .network files:
# /etc/systemd/network/50-mobile.network
[Match]
Type=wwan
[MobileNetwork]
APN=internet
AllowRoaming=no
IPFamily=both
| Setting | Values | Purpose |
|---------|--------|---------|
| APN= | string | Access Point Name for the carrier |
| AllowRoaming= | yes/no | Allow data roaming |
| IPFamily= | ipv4/ipv6/both | IP protocol family |
New Settings Summary
| Setting | Version | Section | Purpose |
|---------|---------|---------|---------|
| PrivatePIDs= | v257 | [Service] | PID namespace isolation |
| ProtectControlGroups=private\|strict | v257 | [Service] | cgroup namespace / read-only cgroupfs |
| StateDirectory=…:ro | v257 | [Service] | Read-only managed directories |
| DeferReactivation= | v257 | [Timer] | Skip reactivation if service running |
| RestartMode=debug | v257 | [Service] | Debug restart with verbose logging |
| BindNetworkInterface= | v260 | [Service] | Bind sockets to interface |
| MemoryTHP= | v260 | [Service] | Per-service THP control |
| CPUSchedulingPolicy=ext | v260 | [Service] | SCHED_EXT scheduler |
| PassFileDescriptorsToExec= | v256 | [Socket] | Pass FDs to Exec*Post/Pre |
| PrivateUsers=identity | v257 | [Service] | Identity-mapped user namespace |
| PrivateUsers=managed | v260 | [Service] | Auto-assigned UID/GID range |
| PrivateTmp=disconnected | v257 | [Service] | Separate tmpfs (not shared) |
| WantsMountsFor= | v256 | [Unit] | Wants= for mount dependencies |
| SurviveFinalKillSignal= | v255 | [Service] | Survive shutdown kill |
| RefreshOnReload= | v260 | [Service] | Refresh extensions/credentials on reload |
| x-systemd.wants= | v257 | fstab | Wants= dependency from fstab |