In setup_output() we assume stdout has been set up properly
before stderr, hence the stdout we're inheriting from must
be writable (or more precisely, would have been adjusted to be).
Hence no need to duplicate it.
Mike Yuan [Sat, 22 Nov 2025 18:23:53 +0000 (19:23 +0100)]
core/exec-invoke: split out maybe_inherit_stdout_from_stdin(), use exec_input_is_inheritable()
Note that exec_input_is_inheritable() rightfully refuses EXEC_INPUT_FILE,
in which case std_output would have been reset in service_fix_stdio()
already.
While at it, use the generic fallback logic of first trying user manager
stdout when stdin is not writable.
Mike Yuan [Sat, 22 Nov 2025 06:10:09 +0000 (07:10 +0100)]
core/execute-serialize: clean up stdio serialization
* Do not interleave root_directory_as_fd with stdio fields
* Do not use different serialization key for different modes
pointing to same path
* Escape stdio file paths (as per 9be46b1da8b01c3f47e6c050185f2b45484d6300)
Luca Boccassi [Wed, 3 Dec 2025 18:59:34 +0000 (18:59 +0000)]
core: set Result=start-limit-hit when a unit is rate limited
There is currently no way to figure out a rate limit was hit on a unit,
as the last result is stripped in order to keep reporting the first
result, which is useful in case of a watchdog failure, which is the
reason why it was changed as such.
But rate limiting is also an important information to provide to
users, so allow the Result property to reflect it when it
happens.
man/systemd-boot: say that /EFI/systemd/drivers is for hardware
In aad0d11e7c6f1f7dcc7b00173140c74b8abf88cc we stopped supporting XBOOTLDR
with a different fs driver. This was the primary example that comes to mind
when we talk about loading filesystem drivers in the firmware. Since we don't
want people to do load such drivers, use a different example.
docs/BOOT_LOADER_INTERFACE: use full variable names once
We said in the header that "all EFI variables use the vendor UUID 4a67b082-0a4c-41cf-b6c7-440b29bb8c4f", but people not familiar with
UEFI might not know that this is concatenated with the variable name.
Let's use the full form once — when introducing the variable — to
make it easier to grep and search for.
While at it, use sembreaks in the document. This makes subsequent
changes much easier to review. (It also shows that some sentences
are rather long and thus hard to understand.)
Haiyue Wang [Wed, 17 Dec 2025 08:02:31 +0000 (16:02 +0800)]
meson: fix BPF build warnings due to MS extensions
Fix BPF program build warnings on Linux-6.19.0-rc1, more detail is [1]:
A). clang-bpf
[781/2458] Generating src/network/bpf/sysctl-monitor/sysctl-monitor.bpf.unstripped.o with a custom command
In file included from ../src/network/bpf/sysctl-monitor/sysctl-monitor.bpf.c:3:
./vmlinux.h:60263:3: warning: declaration does not declare anything [-Wmissing-declarations]
60263 | struct ns_tree;
| ^~~~~~~~~~~~~~
./vmlinux.h:80251:2: warning: declaration does not declare anything [-Wmissing-declarations]
80251 | struct __fs_path;
| ^~~~~~~~~~~~~~~~
./vmlinux.h:96184:2: warning: declaration does not declare anything [-Wmissing-declarations]
96184 | struct freelist_tid;
| ^~~~~~~~~~~~~~~~~~~
./vmlinux.h:114441:2: warning: declaration does not declare anything [-Wmissing-declarations]
114441 | struct renamedata;
| ^~~~~~~~~~~~~~~~~
./vmlinux.h:118480:2: warning: declaration does not declare anything [-Wmissing-declarations]
118480 | union pipe_index;
| ^~~~~~~~~~~~~~~~
./vmlinux.h:130452:4: warning: declaration does not declare anything [-Wmissing-declarations]
130452 | struct freelist_counters;
| ^~~~~~~~~~~~~~~~~~~~~~~~
6 warnings generated.
B). gcc-bpf
meson setup -Dbpf-compiler=gcc build
[1040/2458] Generating src/network/bpf/sysctl-monitor/sysctl-monitor.bpf.unstripped.o with a custom command
In file included from ../src/network/bpf/sysctl-monitor/sysctl-monitor.bpf.c:3:
./vmlinux.h:60263:31: warning: declaration does not declare anything
60263 | struct ns_tree;
| ^
./vmlinux.h:80251:25: warning: declaration does not declare anything
80251 | struct __fs_path;
| ^
./vmlinux.h:96184:28: warning: declaration does not declare anything
96184 | struct freelist_tid;
| ^
./vmlinux.h:114441:26: warning: declaration does not declare anything
114441 | struct renamedata;
| ^
./vmlinux.h:118480:25: warning: declaration does not declare anything
118480 | union pipe_index;
| ^
./vmlinux.h:130452:49: warning: declaration does not declare anything
130452 | struct freelist_counters;
| ^
[1] https://git.kernel.org/torvalds/c/639f58a0f480
"bpftool: Fix build warnings due to MS extensions"
Andrew Halaney [Mon, 15 Dec 2025 21:47:17 +0000 (15:47 -0600)]
man/systemd.exec: Make EnvironmentFile error conditions more explicit
It is not entirely clear what happens when EnvironmentFile fails in the
prior wording. With the new wording it should now be clear that if it
fails to process the file the service will fail, and if it is prefixed
with "-" all errors are silently ignored.
Signed-off-by: Andrew Halaney <ahalaney@netflix.com>
Luca Boccassi [Tue, 16 Dec 2025 21:44:57 +0000 (21:44 +0000)]
test: fix race condition in TEST-80-NOTIFYACCESS
In some cases systemd is faster to send the SIGHUP
than the script is to start the 'sleep' and background
it, so it never gets interrupted later and the test
is left hanging waiting for it.
[ 5028.410588] systemd[1]: Starting reload-timeout.service...
[ 5028.429544] reload-timeout.sh[165]: + set -o pipefail
[ 5028.429544] reload-timeout.sh[165]: + COUNTER=0
[ 5028.429841] reload-timeout.sh[165]: + trap sighup_handler SIGHUP
[ 5028.429841] reload-timeout.sh[165]: + export SYSTEMD_LOG_LEVEL=debug
[ 5028.429841] reload-timeout.sh[165]: + SYSTEMD_LOG_LEVEL=debug
[ 5028.429841] reload-timeout.sh[165]: + systemd-notify --ready
[ 5028.432891] systemd[1]: reload-timeout.service: Got notification message from PID 165: READY=1
[ 5028.432908] systemd[1]: reload-timeout.service: Changed start -> running
[ 5028.432983] systemd[1]: reload-timeout.service: Job 409 reload-timeout.service/start finished, result=done
[ 5028.432997] systemd[1]: Started reload-timeout.service.
[ 5028.433941] TEST-80-NOTIFYACCESS.sh[164]: Job for reload-timeout.service finished.
[ 5028.433941] TEST-80-NOTIFYACCESS.sh[164]: Got result done/Success for job reload-timeout.service.
[ 5028.433941] TEST-80-NOTIFYACCESS.sh[164]: Bus n/a: changing state RUNNING → CLOSED
[ 5028.436949] TEST-80-NOTIFYACCESS.sh[99]: + systemctl reload --no-block reload-timeout.service
[ 5028.444523] TEST-80-NOTIFYACCESS.sh[167]: Bus n/a: changing state UNSET → OPENING
[ 5028.444523] TEST-80-NOTIFYACCESS.sh[167]: sd-bus: starting bus by connecting to /run/systemd/private...
[ 5028.444523] TEST-80-NOTIFYACCESS.sh[167]: Bus n/a: changing state OPENING → AUTHENTICATING
[ 5028.444523] TEST-80-NOTIFYACCESS.sh[167]: Executing dbus call org.freedesktop.systemd1.Manager ReloadUnit(reload-timeout.service, replace)
[ 5028.444523] TEST-80-NOTIFYACCESS.sh[167]: Bus n/a: changing state AUTHENTICATING → RUNNING
[ 5028.445202] reload-timeout.sh[165]: + wait_for_signal
[ 5028.445586] reload-timeout.sh[169]: + sleep infinity
[ 5028.447285] reload-timeout.sh[165]: ++ sighup_handler
[ 5028.447285] reload-timeout.sh[165]: ++ echo hup1
[ 5028.444886] systemd[1]: reload-timeout.service: Trying to enqueue job reload-timeout.service/reload/replace
[ 5028.445228] systemd[1]: reload-timeout.service: Installed new job reload-timeout.service/reload as 491
[ 5028.445240] systemd[1]: reload-timeout.service: Enqueued job reload-timeout.service/reload as 491
[ 5028.446601] systemd[1]: reload-timeout.service: Service has no extensions to reload.
[ 5028.446799] systemd[1]: reload-timeout.service: Changed running -> reload-signal
[ 5028.446881] systemd[1]: Reloading reload-timeout.service...
[ 5028.451343] TEST-80-NOTIFYACCESS.sh[167]: Bus n/a: changing state RUNNING → CLOSED
[ 5028.452421] TEST-80-NOTIFYACCESS.sh[99]: + timeout 10 bash -c 'until [[ $(systemctl show reload-timeout.service -P SubState) == "reload-signal" ]]; do sleep .5; done'
[ 5028.460676] TEST-80-NOTIFYACCESS.sh[172]: Bus n/a: changing state UNSET → OPENING
[ 5028.460676] TEST-80-NOTIFYACCESS.sh[172]: sd-bus: starting bus by connecting to /run/systemd/private...
[ 5028.462029] TEST-80-NOTIFYACCESS.sh[172]: Bus n/a: changing state OPENING → AUTHENTICATING
[ 5028.462029] TEST-80-NOTIFYACCESS.sh[172]: Showing one /org/freedesktop/systemd1/unit/reload_2dtimeout_2eservice
[ 5028.463759] TEST-80-NOTIFYACCESS.sh[172]: Bus n/a: changing state AUTHENTICATING → RUNNING
[ 5028.470322] TEST-80-NOTIFYACCESS.sh[172]: Bus n/a: changing state RUNNING → CLOSED
[ 5028.472991] TEST-80-NOTIFYACCESS.sh[99]: + sync_in hup1
[ 5028.472991] TEST-80-NOTIFYACCESS.sh[99]: + read -r x
[ 5028.473839] reload-timeout.sh[165]: + wait 169
[ 5028.473996] TEST-80-NOTIFYACCESS.sh[99]: + test hup1 = hup1
[ 5028.473996] TEST-80-NOTIFYACCESS.sh[99]: + timeout 10 bash -c 'until [[ $(systemctl show reload-timeout.service -P SubState) == "reload-notify" ]]; do sleep .5; done'
[ 5038.477383] systemd[1]: TEST-80-NOTIFYACCESS.service: Failed with result 'exit-code'.
(note how the 'wait' is long after SIGHUP has been processed already)
Vivian Wang [Wed, 17 Dec 2025 06:03:30 +0000 (14:03 +0800)]
stub: Use log_debug if addons has no applicable sections
This can happen expectedly if an addon purely provides .dtbauto
sections, and there's no match for this machine. Reduce the log message
of this case to "debug" level.
This fixes extensions refreshing + verity-protected DDIs.
TEST-50-DISSECT previously passed because confext refreshing
is tested after live mount, the latter of which used to
load libcryptsetup in pid1.
rename() may yield ENOTEMPTY rather than EEXIST for existing dir,
so catch that too. Also, both the source and target must be
writable when exchanging.
Test coverage for this logic (i.e. user units with ExecStartPre=)
will be added later.
Mike Yuan [Tue, 16 Dec 2025 00:54:40 +0000 (01:54 +0100)]
process-util: add a flag for retaining dlopen()-ability
While blocking dlopen() in child generally makes sense, it does
also lead to misery - in the very case of extension/cred refreshing
it then enforces loading of libcryptsetup/libacl in pid1, which
are otherwise never used. Let's add a flag to opt out hence, but
still prohibit it in namespace_fork/enter().
* 9e31235211 pacman: Make sure hookdir exists
* 20009b7f48 make_image: log systemd-repart *.conf files at the --debug level
* b94b415db9 run: Increase string limit for strace when debugging sandbox
* 9f6d9405d6 Ring the terminal bell after the last image has been built
* b509b4246d Add glob in default initrd to exclude some exotic drivers
* 189394b8b9 Allow KernelModules= globs to also match relative to modules root dir
* 92bd086e4e zypper: add --force-resolution flag
* 3637749702 kmod: Only add fully resolved fw path if it exists
* d41ac276c9 Add details to KernelModulesInitrd= doc
* 1b6960ddb1 Fix SplitArtifacts=repart-definitions for addons
* 07464f38d6 Add log_step call in build_kernel_modules_initrd
* 18f5885362 Use proper constants for ansi colors
* 454c1602b6 mkosi-obs: add SplitArtifacts=repart-definitions and use it
* 9e57461af6 Copy repart definitions to staging directory
* 1acab18874 Add SplitArtifacts=repart-definitions
* c5c5c225e8 mkosi-obs: always include verity certificate
* ac5babb8e0 Revert "Use Path.relative_to instead of Path.parts"
* cbb1daeb76 action: Use environment variables instead of inputs
* 97c81eef72 portable: support split roothash
PCR 16 is intended for debugging purposes, and is the only PCR that can
be reset by software. Let's prefer that for testing.
PCR 11 has a purpose (i.e. kernel is measured there on UKI systems, as
are the boot phases), hence let's not use that for testing.
That should remove any interference of boot time ordering and testing
our tpm code, as we will write to PCR 16 only, and reset it before we
rely on it.
This likely, kind of fixes #39582, but the issue mixes two things, PCR
11 issues on real-life hardware, and PCR 11 isues in our artificial
tests. Only the latter is addressed by this PR, the other issue needs
more debugging, but without logs we cannot do much.
Mike Yuan [Sat, 13 Dec 2025 16:56:51 +0000 (17:56 +0100)]
core/service: set unit log context in helper processes that bypass cgroup
Since these helper processes aren't spawned in the unit cgroup,
let's explicitly attach unit log context so that all logging gets
attributed to the unit, including the ones done in library calls.
Luca Boccassi [Mon, 15 Dec 2025 22:51:16 +0000 (22:51 +0000)]
ci: remove --quiet from mkosi integration suite run
Given the integration tests take a while to run, it is useful to see
at which point it is while it is running. Sometimes only a test
script or such subset is changed, which means there's no need to
wait for the entire suite to run, especially with the sanitizers
job which is super slow.
Luca Boccassi [Mon, 15 Dec 2025 20:51:04 +0000 (20:51 +0000)]
Translations update from Fedora Weblate (#40097)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
Nick Rosbrook [Wed, 10 Dec 2025 21:56:50 +0000 (16:56 -0500)]
mkosi: use qemu from noble-proposed instead of ppa
This is also temporary, but demonstrates that the version of qemu
currently in noble-proposed fixes https://launchpad.net/bugs/2127974,
which will ultimately allow for the fix to be released to noble-updates.
Daan De Meyer [Sun, 14 Dec 2025 12:34:17 +0000 (13:34 +0100)]
namespace: Clone root dir descriptor before use (#39939)
Before doing anything with the root directory file descriptor, let's
make sure we clone it first so that the caller can't mess with mount fd
attributes via mount_setattr() anymore.
We clone during parsing instead of in executor so that the caller can't
mess with the mount fd between invocations.
Daan De Meyer [Fri, 28 Nov 2025 19:28:01 +0000 (20:28 +0100)]
namespace: Clone root dir descriptor before use
Before doing anything with the root directory file descriptor, let's
make sure we clone it first so that the caller can't mess with mount fd
attributes via mount_setattr() anymore.
We clone during parsing instead of in executor so that the caller can't
mess with the mount fd between invocations.
Daan De Meyer [Fri, 28 Nov 2025 18:06:37 +0000 (19:06 +0100)]
mount-util: Add mount_fd_clone() helper
The kernel prevents you from open_tree()'ing an open_tree() fd unless it
was created from the caller's mount namespace. For various use cases, we
want to be able to open_tree() arbitrary mount file descriptors. Turns
out there's a way go get around it by mounting the mount file descriptor
in a throw-away mount namespace and then open_tree()'ing the mount file
descriptor. Let's implement this as a new helper mount_fd_clone() and
add a test for it.
Because move_mount()'ing the original fd makes it pretty useless as it
can't be move_mount()'ed again, we optionally make a second clone which
can replace the original fd so it can be cloned again later.
Kai Lueke [Thu, 11 Dec 2025 10:49:20 +0000 (19:49 +0900)]
sysext: Fix config file support with --root=
Config files for --root= weren't picked up as expected because the
--root= flag got parsed after the config file.
Switch the order of config file and CLI flag parsing while letting the
CLI flags overwrite things set by the config files by tracking state
during parsing.
Daan De Meyer [Wed, 3 Dec 2025 10:08:56 +0000 (11:08 +0100)]
discover-image: Rework image_make()
Currently, image_new() will calculate the image
path as the combination of dir_path and filename,
which is completely broken if filename is absolute
and dir_path is set.
Let's fix this by thoroughly cleaning up the
image_make() interface. Instead of having four
different arguments to pass in the image path,
let's reduce that to two, a file descriptor and a
path. If no file descriptor is provided, we create
own ourselves by opening the given path.
The callsites are updated to pass in an existing file
descriptor when available. Path calculation is moved
to callers instead of image_make().
Daan De Meyer [Thu, 11 Dec 2025 16:21:08 +0000 (17:21 +0100)]
tree-wide: Use meson test -q
meson test output is extremely verbose, printing
a separate line for each successful test. Let's
add -q/--quiet everywhere so it only prints full
lines for skipped and failed tests.
As commented, the unknown values should have been filtered out
in pid1's initial parsing already, and the communication between
pid1 and executor is entirely internal which makes the graceful
practice counterproductive.
Luca Boccassi [Thu, 11 Dec 2025 05:38:26 +0000 (05:38 +0000)]
core: gracefully skip unknown policy designators in RootImagePolicy et al (#40060)
Usually we gracefully ignore unknown configuration parameters, so that
service files can be written by upstreams and used across a variegated
range of distributions with various versions of systemd, to avoid
forcing users to the minimum common denominator and only adding settings
that are supported by the oldest distro supported.
Image policies do not behave like this, and any unknown partition or
policy designator causes the whole unit to fail to parse and a hard
error.
Change it so that parsing RootImagePolicy and friends via unit file or
D-Bus logs but otherwise ignores unknown specifiers, like other options
do.
This allows us to add new specifiers in the future, and users to adopt
them immediately.
Daan De Meyer [Wed, 3 Dec 2025 12:36:52 +0000 (13:36 +0100)]
test: Stop using grep -q in integration test
When a TTY is attached to the test unit, grep -q will generate SIGPIPE
for the previous command in the pipeline which in combo with `pipefail`
will cause the command to fail with exit status 141 which will fail the
test.
Replace with >/dev/null to avoid this from happening.
See also https://www.gnu.org/software/grep/manual/html_node/Usage.html
> There is a related problem with Bash’s set -e -o pipefail. Since grep
> does not always read all its input, a command outputting to a pipe read
> by grep can fail when grep exits before reading all its input, and the
> command’s failure can cause Bash to exit.
tar-util: allow to build without acl support (#39965)
This adds minimal definitions provided by libacl to make tar-util built
without libacl support.
Fixes the following compile error:
```
../src/shared/tar-util.c:62:9: error: unknown type name 'acl_t'
62 | acl_t acl_access, acl_default;
| ^~~~~
```
hwdb: sensor: Remove Lenovo IdeaPad D330 accel mount matrix
Reading values from iio-sensor we are getting bad values. This matrix was added because the panel was a vertical one but the normal position is horizontal and the sensor is not bad oriented.
Removing the matrix ensure we have correct orientation values and prevent from misleads where the incorrect values we were getting messed up.
For example mutter actually is setting incorrect screen rotation for devices with panel orientation quirks.
I'm pretty sure that there are more devices where we have incorrectly "corrected" the sensor values when the only problem was the panel orientation.
Signed-off-by: David Santamaría Rogado <howl.nsp@gmail.com>
resolve: always read /etc/resolv.conf on reload systemd-resolved
When systemd-resolved is used in resolv.conf foreign mode, reloading the
systemd-resolved daemon does not read resolv.conf when not touched since
the last time resolved read the file. Since the DNS servers list is
flushed during a reload, resolved forgets about the servers
in /etc/resolv.conf
When reloading the daemon it is expected that all configuration is
reloaded regardless of the disk timestamps.
Ricardo Salveti [Tue, 9 Dec 2025 19:55:57 +0000 (04:55 +0900)]
boot: handle empty initrd files (#40040)
Commit f8fa4222c9ac3e74e91c64e25e9532c99559cf99 added extra logic to
account for the size of the initrds before allocating the required memory pages,
but missed checking if the initrds were empty before allocating memory.
Extend the initrd options only when the initrd is valid, and add extra
check for validating that there is at least one valid initrd file before
allocating memory, fixing the following crash when booting with empty
initrd files:
projects / thirdparty / systemd.git / log
