]> git.ipfire.org Git - thirdparty/systemd.git/log
thirdparty/systemd.git
4 days agodissect: Use must_be_root() 40212/head
Daan De Meyer [Thu, 12 Feb 2026 08:44:29 +0000 (09:44 +0100)] 
dissect: Use must_be_root()

4 days agoshift-uid: Add debug logging
Daan De Meyer [Thu, 5 Feb 2026 20:42:48 +0000 (21:42 +0100)] 
shift-uid: Add debug logging

4 days agodissect: Allow --shift for users with CAP_CHOWN
Daan De Meyer [Thu, 5 Feb 2026 20:42:27 +0000 (21:42 +0100)] 
dissect: Allow --shift for users with CAP_CHOWN

4 days agodissect: Introduce --copy-ownership= to configure chown behavior
DaanDeMeyer [Sat, 27 Dec 2025 19:37:02 +0000 (20:37 +0100)] 
dissect: Introduce --copy-ownership= to configure chown behavior

Currently, if we're copying a file, we won't copy the owner UID/GID
from the source. If we're copying a directory, we will copy the owner
UID/GID from the source. Let's give users a bit more control over this
behavior by introducing --copy-ownership= which will default to the
current behavior but allows users to explicitly enable/disable copying
of ownership.

4 days agodissect: Make --mount/--unmount/--with work unprivileged
DaanDeMeyer [Fri, 26 Dec 2025 21:18:29 +0000 (22:18 +0100)] 
dissect: Make --mount/--unmount/--with work unprivileged

Let's check for CAP_SYS_ADMIN instead of root for these, and make
unmounting more graceful if we can't access the backing loop device
because of permission issues. This allows mounting and unmounting images
from an unprvileged mount namespace. The actual files in the image will
end up owned by nobody:nobody because we'll be in an unprivileged user
namespace, but assuming the directory permissions are not too strict, this
still allows interacting with the image in useful ways.

4 days agodissect: Fix wrong errno passed to log message
DaanDeMeyer [Fri, 26 Dec 2025 21:36:39 +0000 (22:36 +0100)] 
dissect: Fix wrong errno passed to log message

4 days agodissect: Fix segmentation fault if loop device is not provided
DaanDeMeyer [Fri, 26 Dec 2025 21:36:21 +0000 (22:36 +0100)] 
dissect: Fix segmentation fault if loop device is not provided

4 days agodissect: Fix logging in (with)
DaanDeMeyer [Fri, 26 Dec 2025 21:36:08 +0000 (22:36 +0100)] 
dissect: Fix logging in (with)

4 days agodissect: Don't use private userns for --copy-to/--copy-from
DaanDeMeyer [Fri, 26 Dec 2025 20:51:00 +0000 (21:51 +0100)] 
dissect: Don't use private userns for --copy-to/--copy-from

These actions interact with the host. The former needs privileges to
write into the image, the latter needs privileges to write on the host.
Neither will have the privileges required if the image is attached under
a private userns, hence, don't use one.

5 days agosd-varlink: Allow using sd_varlink_reply() in streaming methods (#40546)
Daan De Meyer [Wed, 11 Feb 2026 13:58:12 +0000 (14:58 +0100)] 
sd-varlink: Allow using sd_varlink_reply() in streaming methods (#40546)

5 days agobootctl: Drop SD_VARLINK_NULLABLE from ListBootEntries IDL 40546/head
Daan De Meyer [Sun, 8 Feb 2026 21:16:52 +0000 (22:16 +0100)] 
bootctl: Drop SD_VARLINK_NULLABLE from ListBootEntries IDL

9e10f3a7e800ad67be8d8b14ae158a27438814f0 changed the implementation
to report an error instead of an empty object but the IDL was not
adjusted. Let's fix that.

5 days agotree-wide: Migrate to varlink_set_sentinel()
Daan De Meyer [Tue, 3 Feb 2026 11:51:46 +0000 (12:51 +0100)] 
tree-wide: Migrate to varlink_set_sentinel()

5 days agoresolve: Make sure we free varlink subscription sets
Daan De Meyer [Tue, 3 Feb 2026 08:42:15 +0000 (09:42 +0100)] 
resolve: Make sure we free varlink subscription sets

5 days agosd-varlink: Introduce varlink_set_sentinel()
Daan De Meyer [Mon, 2 Feb 2026 13:23:40 +0000 (14:23 +0100)] 
sd-varlink: Introduce varlink_set_sentinel()

Streaming methods which are not used as a continuous subscription but
instead only send a series of objects all end up with the same workaround
to be able to figure out when to send sd_varlink_reply() or sd_varlink_notify().
Let's generalize this in sd-varlink itself.

Let's introduce the concept of a sentinel, which is a reply that will be sent
by sd-varlink if no other reply was queued by a method callback. The sentinel
is configured with varlink_set_sentinel(). If a sentinel is configured,
sd_varlink_reply() can be used more than once in streaming methods to queue
multiple values to stream to the client. The last queued reply is not sent
until the callback finishes. When the callback finishes, the last reply is
sent without "continues: more". If no reply was queued, the sentinel is sent.

This always using only sd_varlink_reply() in such streaming methods and
leaves sd_varlink_notify() available solely for continuous subscription
streaming methods, where we never use sd_varlink_reply() and instead disconnect
when the server exits.

5 days agosd-varlink: Move code around
Daan De Meyer [Mon, 2 Feb 2026 11:59:06 +0000 (12:59 +0100)] 
sd-varlink: Move code around

Preparation for next commits

5 days agovarlink-unit: Coding style cleanups
Daan De Meyer [Wed, 11 Feb 2026 08:39:04 +0000 (09:39 +0100)] 
varlink-unit: Coding style cleanups

5 days agoMetrics: Refactor to drop usage of strv
Yaping Li [Mon, 9 Feb 2026 14:47:27 +0000 (06:47 -0800)] 
Metrics: Refactor to drop usage of strv

This addresses Daan's feedback on #39202

6 days agoterminal-util: handle the case where no system console is active (#40630)
Mike Yuan [Tue, 10 Feb 2026 22:59:07 +0000 (23:59 +0100)] 
terminal-util: handle the case where no system console is active (#40630)

/dev/console might have no backing driver, in which case
/sys/class/tty/console/active is empty. Unlike get_kernel_consoles()
resolve_dev_console() currently proceeds with empty devnode, resulting
in setup_input() -> acquire_terminal() emitting -EISDIR as we're trying
to open /dev/. Let's catch this and report -ENXIO.

6 days agoterminal-util: also protect from empty /sys/class/tty/tty0/active 40630/head
Mike Yuan [Tue, 10 Feb 2026 21:21:25 +0000 (22:21 +0100)] 
terminal-util: also protect from empty /sys/class/tty/tty0/active

6 days agoterminal-util: handle the case where no system console is active
Mike Yuan [Fri, 6 Feb 2026 01:07:05 +0000 (02:07 +0100)] 
terminal-util: handle the case where no system console is active

/dev/console might have no backing driver, in which case
/sys/class/tty/console/active is empty. Unlike get_kernel_consoles()
resolve_dev_console() currently proceeds with empty devnode,
resulting in setup_input() -> acquire_terminal() emitting -EISDIR
as we're trying to open /dev/. Let's catch this and report -ENXIO.

6 days agobootctl: decouple "list", "unlink", "cleanup"
Lennart Poettering [Mon, 9 Feb 2026 13:20:27 +0000 (14:20 +0100)] 
bootctl: decouple "list", "unlink", "cleanup"

These operations to quite different things, they just share 2 common
funcs. Let's split them out into separate files.

This also splits up verb_list() into separate calls for the three
operations. This actually fixes issues, as for status/list we want
"unpriv" ESP discovery logic, but for the other two we really should
have privileged discovery logic.

This is preparation for adding "bootctl link" later, but this makes
sense either way, I am sure.

6 days agoTwo mkosi fixes (#40625)
Luca Boccassi [Tue, 10 Feb 2026 17:07:11 +0000 (17:07 +0000)] 
Two mkosi fixes (#40625)

6 days agomkosi: Grow the root partition on boot 40625/head
Daan De Meyer [Tue, 10 Feb 2026 15:32:05 +0000 (16:32 +0100)] 
mkosi: Grow the root partition on boot

Let's make sure the root partition takes up all the allocated space
on boot.

6 days agomkosi: Move generic disk partition before root partition
Daan De Meyer [Tue, 10 Feb 2026 15:31:22 +0000 (16:31 +0100)] 
mkosi: Move generic disk partition before root partition

Otherwise we can't grow the root partition.

6 days agoFix order of class/type in resolve man page
Christopher Head [Tue, 10 Feb 2026 01:22:12 +0000 (17:22 -0800)] 
Fix order of class/type in resolve man page

For each RR `ResolveRecord` returns, it returns the class before the
type, not after.

6 days agosysupdate: Split update into acquire and install verbs (#40236)
Luca Boccassi [Tue, 10 Feb 2026 13:11:52 +0000 (13:11 +0000)] 
sysupdate: Split update into acquire and install verbs (#40236)

Using roughly the approach described in
https://gitlab.gnome.org/GNOME/gnome-software/-/merge_requests/2004#note_2145880.
Basically, copying in-progress downloads to a file/partition with a
predictable prefix, and then moving to a predictable ‘pending’ prefix
when ready to install.

Helps: https://github.com/systemd/systemd/issues/34814

6 days agobootctl: install tweaks (#40622)
Luca Boccassi [Tue, 10 Feb 2026 13:04:48 +0000 (13:04 +0000)] 
bootctl: install tweaks (#40622)

6 days agorepart: Discard only once
Kai Lüke [Thu, 5 Feb 2026 17:51:07 +0000 (18:51 +0100)] 
repart: Discard only once

The indirect discard in mkfs.btrfs on the loop device mapped to the
region on disk can hang and fail the first-boot creation of the rootfs.
Since there already is a discard done we anyway don't need to do it
twice. This might help for most cases to avoid the failure in
mkfs.btrfs.
Keep track if the direct discard worked and then skip the mkfs.btrfs
discard if it did. This still leaves the case where mkfs.btrfs can hang
when the direct discard couldn't succeed and mkfs.btrfs tries again but
since the conditions are rather the same it might be that this case is
not easy to trigger. If the problem still shows up and the kernel won't
be fixed soon we can still disable the mkfs discard for at least btrfs.

6 days agoupdate TODO
Lennart Poettering [Tue, 10 Feb 2026 11:39:13 +0000 (12:39 +0100)] 
update TODO

6 days agobootctl: rearrange if branches in vl_method_install() 40622/head
Lennart Poettering [Tue, 10 Feb 2026 10:47:33 +0000 (11:47 +0100)] 
bootctl: rearrange if branches in vl_method_install()

6 days agobootctl: toughen fd validation in Install() handler
Lennart Poettering [Tue, 10 Feb 2026 10:46:58 +0000 (11:46 +0100)] 
bootctl: toughen fd validation in Install() handler

Let's also check the fd flags. Just in case.

6 days agobootctl: fix varlink IDL for rootDirectory field
Lennart Poettering [Tue, 10 Feb 2026 10:48:25 +0000 (11:48 +0100)] 
bootctl: fix varlink IDL for rootDirectory field

6 days agodiscover-image: restore compatibility with C9S and overlayfs directories (#40616)
Zbigniew Jędrzejewski-Szmek [Tue, 10 Feb 2026 06:56:48 +0000 (07:56 +0100)] 
discover-image: restore compatibility with C9S and overlayfs directories (#40616)

5817c73391b5f3599c50df2c0873b26ea426f848 broke compatibility with CentOS
9 and overlayfs directories, the following fails with -EOPTNOTSUPP:

mount -t overlay overlay -o lowerdir=/tmp/app1:/tmp/rootdir /tmp/overlay
portablectl attach --copy=symlink --now --runtime /tmp/overlay app1

name_to_handle_at() fails both with and without AT_HANDLE_MNT_ID_UNIQUE.

Restore the fallback to path_get_mnt_id_at() that was removed. Fixes
TEST-29-PORTABLE.directory

Follow-up for 5817c73391b5f3599c50df2c0873b26ea426f848

7 days agomkosi: isc-dhcp-server was dropped from debian testing/unstable 40616/head
Luca Boccassi [Mon, 9 Feb 2026 20:03:38 +0000 (20:03 +0000)] 
mkosi: isc-dhcp-server was dropped from debian testing/unstable

7 days agodiscover-image: restore compatibility with C9S and overlayfs directories
Luca Boccassi [Mon, 9 Feb 2026 19:19:27 +0000 (19:19 +0000)] 
discover-image: restore compatibility with C9S and overlayfs directories

5817c73391b5f3599c50df2c0873b26ea426f848 broke compatibility with
CentOS 9 and overlayfs directories, the following fails with -EOPTNOTSUPP:

mount -t overlay overlay -o lowerdir=/tmp/app1:/tmp/rootdir /tmp/overlay
portablectl attach --copy=symlink --now --runtime /tmp/overlay app1

name_to_handle_at() fails both with and without AT_HANDLE_MNT_ID_UNIQUE.

Restore the fallback to path_get_mnt_id_at() that was removed.
Fixes TEST-29-PORTABLE.directory

Follow-up for 5817c73391b5f3599c50df2c0873b26ea426f848

7 days agomeson: guard symlinks in sysconfdir behind install_sysconfidr
nikstur [Sun, 8 Feb 2026 13:22:28 +0000 (14:22 +0100)] 
meson: guard symlinks in sysconfdir behind install_sysconfidr

Symlinks to files inside sysconfdir are now only installed if
ìnstall_sysconfdir=true (which is the default).

If sshconfdir,sshdconfdir,shellprofiledir are not inside sysconfdir and
install_sysconfidr=false, these symlinks are still installed to the
configured directory.

7 days agotest: Add basic tests for path_split_prefix_filename()
Philip Withnall [Mon, 9 Feb 2026 12:13:51 +0000 (12:13 +0000)] 
test: Add basic tests for path_split_prefix_filename()

These aren’t anything comprehensive, but provide some basic assurances
that it’s working correctly. In particular, they test its behaviour when
*both* the prefix and filename components are requested.

Split out from the original version of this function which was part
of #40236.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
7 days agojournald: set a lower size limit for FDs from unpriv processes
Luca Boccassi [Thu, 5 Feb 2026 00:39:35 +0000 (00:39 +0000)] 
journald: set a lower size limit for FDs from unpriv processes

Unprivileged processes can send 768M in a FD-based message to journald,
which will be malloc'ed in one go, likely causing memory issues.
Set the limit for unprivileged users to 24M.

Allow coredumps as an exception, since we always allowed storing
up to the 768M max core files in the journal.

Reported on yeswehack.com as #YWH-PGM9780-48

7 days agotest: Expand sysupdate test to cover split acquire/install updates 40236/head
Philip Withnall [Mon, 12 Jan 2026 16:43:46 +0000 (16:43 +0000)] 
test: Expand sysupdate test to cover split acquire/install updates

This essentially means the sysupdate tests are now run twice: once with
a monolithic update (`sysupdate update`) and once with a split update
(`sysupdate acquire; sysupdate install`).

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
7 days agosysupdate: Add some more debug output
Philip Withnall [Mon, 12 Jan 2026 16:43:20 +0000 (16:43 +0000)] 
sysupdate: Add some more debug output

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
7 days agosysupdate: Add acquire and install verbs
Philip Withnall [Wed, 31 Dec 2025 00:48:54 +0000 (00:48 +0000)] 
sysupdate: Add acquire and install verbs

These expose the two parts of ‘update’, so that update sets can be
acquired (downloaded) and installed (applied) in separate actions at
different times. For example, this could allow a load of update sets to
be acquired when online, and later applied when offline.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Helps: https://github.com/systemd/systemd/issues/34814

7 days agosysupdate: Split the update verb into two parts internally
Philip Withnall [Wed, 31 Dec 2025 00:46:25 +0000 (00:46 +0000)] 
sysupdate: Split the update verb into two parts internally

An ‘acquire’ (download) part, and an ‘install’ (apply) part.

Following commits will expose these as separate verbs and D-Bus methods,
but this commit is the one which rearranges the internals.

If doing an ‘install’, a mirror version of the ‘acquire’ has to happen
first to make sure the transfer’s internal state is correct.

‘Acquire’ can require an internet connection, but ‘install’ will always
work with `--offline` specified.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Helps: https://github.com/systemd/systemd/issues/34814

7 days agosysupdate: Add partial/pending flags to UpdateSet
Philip Withnall [Wed, 31 Dec 2025 00:42:17 +0000 (00:42 +0000)] 
sysupdate: Add partial/pending flags to UpdateSet

This commit adds the flags and some basic formatting/printing of them.
Following commits will integrate them into the update/acquire/install
logic.

`UPDATE_PARTIAL` is set if any of the instances in the `UpdateSet` are
partial, i.e. have been partially downloaded.

`UPDATE_PENDING` is set if any of the instances in the `UpdateSet` are
pending, i.e. have been acquired (downloaded) but not yet installed.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Helps: https://github.com/systemd/systemd/issues/34814

7 days agosysupdate: Factor out temporary path computation for transfers
Philip Withnall [Wed, 31 Dec 2025 00:36:22 +0000 (00:36 +0000)] 
sysupdate: Factor out temporary path computation for transfers

This helper function will be reused in a following commit.

This introduces no functional changes.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Helps: https://github.com/systemd/systemd/issues/34814

7 days agosysupdate: Vacuum partial/pending instances first
Philip Withnall [Wed, 31 Dec 2025 00:05:05 +0000 (00:05 +0000)] 
sysupdate: Vacuum partial/pending instances first

Modify the vacuum implementation to preferentially vacuum partial or
pending transfers first (unless protected) as they are meant to be
fairly transitory, and ones which are hanging around have probably been
forgotten about and/or are out of date.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Helps: https://github.com/systemd/systemd/issues/34814

7 days agosysupdate: Implement acquire and install steps for transfers
Philip Withnall [Wed, 31 Dec 2025 00:02:06 +0000 (00:02 +0000)] 
sysupdate: Implement acquire and install steps for transfers

Instead of using a random temporary path for file transfers, use a
predictable one which indicates whether the transfer is partially
complete or pending installation. Similarly for partitions.

This is another step towards being able to split the ‘update’ step into
‘acquire’ and ‘install’.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Helps: https://github.com/systemd/systemd/issues/34814

7 days agosysupdate: Factor out a vacuum helper function
Philip Withnall [Tue, 30 Dec 2025 23:56:22 +0000 (23:56 +0000)] 
sysupdate: Factor out a vacuum helper function

This will be reused in an upcoming commit.

This commit introduces no functional changes.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Helps: https://github.com/systemd/systemd/issues/34814

7 days agosysupdate: Allow instances to be partial or pending
Philip Withnall [Tue, 30 Dec 2025 23:49:47 +0000 (23:49 +0000)] 
sysupdate: Allow instances to be partial or pending

If we allow target instances to be partial or pending, we can build on
top of this to allow updates to be split into two phases: ‘acquire’ (which
takes an available source instance and copies it (temporarily partial) to
a pending target instance; and ‘install’ (which takes a pending target
instance and installs it as an installed target instance).

This commit introduces a file/directory and partition prefix naming
scheme to identify partial and pending instances.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Helps: https://github.com/systemd/systemd/issues/34814

7 days agosysupdate: Split context_apply() into acquire and install steps
Philip Withnall [Mon, 17 Nov 2025 15:14:19 +0000 (15:14 +0000)] 
sysupdate: Split context_apply() into acquire and install steps

This introduces no functional changes at the moment, but will be used in
upcoming commits.

Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Helps: https://github.com/systemd/systemd/issues/34814

7 days agokernel-install refactorings (#40610)
Lennart Poettering [Mon, 9 Feb 2026 10:54:36 +0000 (11:54 +0100)] 
kernel-install refactorings (#40610)

This contains the first two commits from #38764. While @daandemeyer
convinced me to base systemd-sysinstall on a new "bootctl link" rather
than "kernel-install", I think the refactorings I prepped as part of the
original work still make a lot of sense on their own, and I hope I
didn't do them for /dev/null.

7 days agotree-wide: symlink well-known Varlink service entry point sockets into /run/varlink...
Lennart Poettering [Mon, 9 Feb 2026 10:54:15 +0000 (11:54 +0100)] 
tree-wide: symlink well-known Varlink service entry point sockets into /run/varlink/registry/ (#40590)

This is generally useful, but is particularly useful in context of
https://github.com/mvo5/varlink-proxy-rs which can expose a set of local
Varlink services via a HTTP bridge. The idea is that the sockets linked
into /run/varlink/registry/ are candidates for being exposed like that.

/cc @mvo5

7 days agopath-util: unify path_extract_filename/directory into path_split_prefix_filename...
Mike Yuan [Mon, 9 Feb 2026 10:03:14 +0000 (11:03 +0100)] 
path-util: unify path_extract_filename/directory into path_split_prefix_filename() (#40608)

7 days agoTwo cleanups (#40587)
Zbigniew Jędrzejewski-Szmek [Mon, 9 Feb 2026 10:02:41 +0000 (11:02 +0100)] 
Two cleanups (#40587)

7 days agohwdb: quote invalid patterns in error messages 40587/head
Zbigniew Jędrzejewski-Szmek [Fri, 6 Feb 2026 14:28:48 +0000 (15:28 +0100)] 
hwdb: quote invalid patterns in error messages

If the pattern is invalid, we don't quite know how it looks, so it's
safer to quote it.

Also simplify the call to sorted().

7 days agoFix wording in two places
Zbigniew Jędrzejewski-Szmek [Fri, 6 Feb 2026 14:24:43 +0000 (15:24 +0100)] 
Fix wording in two places

Noticed this while going through the stable series…
Also update location after 97318131fd06a5bc35454da81dcbbc84f16d9940.

7 days agoupdate TODO 40590/head
Lennart Poettering [Fri, 6 Feb 2026 17:08:07 +0000 (18:08 +0100)] 
update TODO

7 days agotest: add superficial test for list-registry
Lennart Poettering [Fri, 6 Feb 2026 16:13:11 +0000 (17:13 +0100)] 
test: add superficial test for list-registry

7 days agoman: document new varlinkctl feature
Lennart Poettering [Fri, 6 Feb 2026 16:07:14 +0000 (17:07 +0100)] 
man: document new varlinkctl feature

7 days agovarlinkctl: add 'list-registry' command
Lennart Poettering [Fri, 6 Feb 2026 14:04:48 +0000 (15:04 +0100)] 
varlinkctl: add 'list-registry' command

7 days agochase: add new flag CHASE_MUST_BE_SOCKET
Lennart Poettering [Fri, 6 Feb 2026 14:03:23 +0000 (15:03 +0100)] 
chase: add new flag CHASE_MUST_BE_SOCKET

Just like CHASE_MUST_BE_DIRECTORY and CHASE_MUST_BE_REGULAR, but test if
the inode is a socket.

7 days agostat-util: add stat_verify_socket() helper
Lennart Poettering [Fri, 6 Feb 2026 14:02:45 +0000 (15:02 +0100)] 
stat-util: add stat_verify_socket() helper

7 days agounits: symlink well-known Varlink services into /run/varlink/registry/
Lennart Poettering [Fri, 6 Feb 2026 14:04:11 +0000 (15:04 +0100)] 
units: symlink well-known Varlink services into /run/varlink/registry/

So far we didn't provide any concept to enumerate local Varlink
services. Let's change that.

Let's define very light-weight scheme for this: provide a well-known dir
/run/varlink/registry/ where services that implement public interfaces
can link their sockets into. When enumerating services it's thus
sufficient to enumerate inodes in that directory.

The usecase for this is twofold:

1. It's simply very useful to be able to see which public services are
   bound on the local system, for debugging/admin/development purposes.

2. At Amutable we'd like to optionally provide a HTTP-to-Varlink bridge
   on individual nodes, that allows remote peers (after authentication)
   to access local Varlink services. For that it's essential we know the
   list of services and their entrypoints to expose, it would be
   security-wise highly problematic for clients to provide AF_UNIX
   entrypoint paths when connecting. hence: let's instead just have a
   dir with the public stuff, and let's ensure the HTTP-to-Varlink
   bridge simply exposes that stuff, and nothing else.

Non-public interfaces (such as the oomd interfaces between PID 1 and
oomd), and interfaces with multiple implementors (such as the resolved
hook interface, or the metrics collection stuff) should not be linked
in.

This is inspired by the Varlink.org "registry" concept, briefly
explained here:

https://varlink.org/FAQ#how-do-i-find-the-service-which-implements-a-local-interface

Note however that the described Varlink interface is not actually
implemented here, the directory is introduced however in a fashion that
conceptually matches the registry defined there, and would allow us to
implement the registry interface on top of it. (One of the reason the
registry Varlink API is not implemented right now is that the URI format
it relies on is entirely unspecified in the Varlink docs right now. Some
research needs to be done to extract what's implemented in the reference
implementation and to determine how it maps to the Varlink entrypoint
address format systemd's own tooling currently uses)

This primarily installs the symlinks via Symlinks= in unit files and via
a new tmpfiles.d/ drop-in. But since we touch all .socket units relating
to Varlink this also sets the FileDescriptorName= to varlink for each,
just to minimize diffrences and make things work more alike (the
services in questin don't care about the name, so this doesn't change).
In one case we replace a pair of separate sockets for two closely
related varlink services by a socket and a symlink, so that we can
safely use Symlinks= to also install the registry symlinks.

7 days agomountfsd: don't cross mount boundaries when looking for owner of foreign UID owned...
Lennart Poettering [Mon, 9 Feb 2026 09:36:22 +0000 (10:36 +0100)] 
mountfsd: don't cross mount boundaries when looking for owner of foreign UID owned tree (#40578)

7 days agoupdate TODO 40578/head
Lennart Poettering [Thu, 5 Feb 2026 16:00:10 +0000 (17:00 +0100)] 
update TODO

7 days agomountfsd: do not cross mount boundaries when looking for parent of foreign UID range...
Lennart Poettering [Thu, 5 Feb 2026 15:51:56 +0000 (16:51 +0100)] 
mountfsd: do not cross mount boundaries when looking for parent of foreign UID range owned dirs

This is primarily paranoia: it might be possible for unpriv users to set
up mount hierarchies in unexpected ways when using userns. Hence let's
make protections more rigid: when looking for a parent dir of a foreign
UID owned dir tree, refuse to cross mount boundaries.

7 days agostat-util: add statx_verify_directory() helper, similar to stat_verify_directory...
Lennart Poettering [Thu, 5 Feb 2026 15:42:20 +0000 (16:42 +0100)] 
stat-util: add statx_verify_directory() helper, similar to stat_verify_directory() but for statx

7 days agomountpoint-util: use xstatx() a bit more
Lennart Poettering [Thu, 5 Feb 2026 15:41:50 +0000 (16:41 +0100)] 
mountpoint-util: use xstatx() a bit more

7 days agodirent-util: use xstatx_full() some more
Lennart Poettering [Thu, 5 Feb 2026 15:40:57 +0000 (16:40 +0100)] 
dirent-util: use xstatx_full() some more

7 days agoreport: many smaller clean-ups/tweaks to systemd-report (#40598)
Zbigniew Jędrzejewski-Szmek [Mon, 9 Feb 2026 09:28:29 +0000 (10:28 +0100)] 
report: many smaller clean-ups/tweaks to systemd-report (#40598)

/cc @keszybz

7 days agokernel-install: allocate "Context" object only in verb_xyz() functions, not already... 40610/head
Lennart Poettering [Mon, 8 Sep 2025 08:40:43 +0000 (10:40 +0200)] 
kernel-install: allocate "Context" object only in verb_xyz() functions, not already in run()

We soon want to add a Varlink interface to this, but that means that the
various paramaters for the Context object will be sourced from a Varlink
message not from the command line. Hence split apart the parsing logic
so that we alway parse the command line into arg_xyz first, and then,
inside the verb_abc() calls copy the data from there into the Context
object.

This matches a similar pattern in bootctl.

7 days agokernel-install: rework in preparation for varlink
Lennart Poettering [Fri, 5 Sep 2025 20:12:48 +0000 (22:12 +0200)] 
kernel-install: rework in preparation for varlink

This reworks things a bit, so that the "Context" object can later be
allocated for each Varlink call separately. For example we define a
more precise CONTEXT_NULL that invalidates truly all fields, so that we
can discern "defaults" from "unspecified" later on.

Other minor rearrangements too

7 days agobootctl parts of installer PR (#40447)
Daan De Meyer [Mon, 9 Feb 2026 08:46:39 +0000 (09:46 +0100)] 
bootctl parts of installer PR (#40447)

This contains the "bootctl install" related work from the #38764 split
out, but also includes the preparatory work already split out into
#40446.

I'll rebase this PR once the prep work is merged.

This has a simple CI test already, and has docs

7 days agojournal-send: check if $LOG_NAMESPACE denotes our /run/systemd/journal/ is already...
Mike Yuan [Sat, 7 Feb 2026 20:22:56 +0000 (21:22 +0100)] 
journal-send: check if $LOG_NAMESPACE denotes our /run/systemd/journal/ is already namespaced properly

7 days agodocs: note step to update obs workflow file on release
Luca Boccassi [Fri, 6 Feb 2026 17:22:15 +0000 (17:22 +0000)] 
docs: note step to update obs workflow file on release

7 days agoREADME: note that we now have packages built from stable branch too
Luca Boccassi [Fri, 6 Feb 2026 17:05:37 +0000 (17:05 +0000)] 
README: note that we now have packages built from stable branch too

7 days agomeson: use printf instead of echo
Mike Gilbert [Mon, 9 Feb 2026 00:12:30 +0000 (19:12 -0500)] 
meson: use printf instead of echo

The echo builtin provided by some shells (mksh) will interpret \x2d as
an escape sequence. This causes meson to fail:

```
test/fuzz/meson.build:93:52: ERROR: File fuzz-unit-file/dm-back-slash.swap does not exist.
```

Bug: https://bugs.gentoo.org/969789

7 days agoupdate TODO
Lennart Poettering [Mon, 9 Feb 2026 08:33:07 +0000 (09:33 +0100)] 
update TODO

7 days agotree-wide: use path_split_prefix_filename() where appropriate 40608/head
Mike Yuan [Mon, 9 Feb 2026 01:30:38 +0000 (02:30 +0100)] 
tree-wide: use path_split_prefix_filename() where appropriate

7 days agopath-util: unify path_extract_filename/directory into path_split_prefix_filename()
Mike Yuan [Mon, 9 Feb 2026 00:25:39 +0000 (01:25 +0100)] 
path-util: unify path_extract_filename/directory into path_split_prefix_filename()

7 days agopath-util: drop redundant condition in path_find_last_component()
Mike Yuan [Sun, 8 Feb 2026 23:29:18 +0000 (00:29 +0100)] 
path-util: drop redundant condition in path_find_last_component()

Follow-up for 3a7ba9f6b9d9a80c7f909bfbf24b5fc8c99a3176

7 days agosnapshot-util: include shared-forward.h
Mike Yuan [Wed, 4 Feb 2026 18:57:42 +0000 (19:57 +0100)] 
snapshot-util: include shared-forward.h

7 days agooomd: implement a prekill hook (#38584)
Lennart Poettering [Mon, 9 Feb 2026 07:43:13 +0000 (08:43 +0100)] 
oomd: implement a prekill hook (#38584)

When a cgroup is selected for termination, send varlink messages to
hooks registered in `/run/systemd/oomd.prekill-hooks/`.
oomd waits up to `PreKillTimeoutSec=` seconds for response before
proceeding with the kill.

7 days agodocs/INCOMPATIBILITIES: fix typo
Mike Yuan [Tue, 3 Feb 2026 23:39:34 +0000 (00:39 +0100)] 
docs/INCOMPATIBILITIES: fix typo

7 days agomailmap: deduplicate Lennart and Daan @Amutable
Mike Yuan [Wed, 4 Feb 2026 18:59:57 +0000 (19:59 +0100)] 
mailmap: deduplicate Lennart and Daan @Amutable

7 days agooomd: implement a prekill varlink event 38584/head
Matteo Croce [Mon, 25 Aug 2025 15:13:00 +0000 (17:13 +0200)] 
oomd: implement a prekill varlink event

When a cgroup is selected for termination, send varlink messages
to hooks registered in `/run/systemd/oomd.prekill-hooks/`.
oomd waits up to `PreKillHookTimeoutSec=` seconds for response
before proceeding with the kill.

7 days agoRevert "oomd: move check if processes can be killed into oomd_cgroup_kill()"
Matteo Croce [Mon, 24 Nov 2025 11:58:07 +0000 (12:58 +0100)] 
Revert "oomd: move check if processes can be killed into oomd_cgroup_kill()"

This reverts commit 332bce5bd7a9294c3b414b6da72b09986af69d6b.

The revert is needed because with the PreKill hook, oomd_cgroup_kill()
is not goint to really kill processes but it just creates the callbacks.
So the check is deferred to the real kill.

7 days agooomd: Make OomdCGroupContext reference counted
Daan De Meyer [Tue, 28 Oct 2025 12:02:32 +0000 (13:02 +0100)] 
oomd: Make OomdCGroupContext reference counted

Preparation for adding oomd hooks.

8 days agoudev: Introduce uaccess for remote graphical sessions (#38516)
Lennart Poettering [Sun, 8 Feb 2026 20:41:21 +0000 (21:41 +0100)] 
udev: Introduce uaccess for remote graphical sessions (#38516)

When systemd is compiled with group-render-mode=0660, only the active
seat gets access to the render devices through uaccess. Remote desktop
sessions like gnome-remote-desktop would be left with no hardware
rendering, because those sessions are not associated with a seat.

We solve the issue by granting uaccess to specifically tagged devices on
session start, if the session is marked with
XDG_SESSION_EXTRA_DEVICE_ACCESS.

udev-builtin-uaccess is refactored to grant multiple users access to a
device, taking into account the device's seat and all the active
EXTRA_DEVICE_ACCESS sessions.

8 days agomkosi: always install util-linux-script in Fedora
Luca Boccassi [Sun, 8 Feb 2026 13:29:23 +0000 (13:29 +0000)] 
mkosi: always install util-linux-script in Fedora

F41 is EOL, so we can unconditionally install this package, so that we
don't have to add a new version every time a new release is branched

Fixes test issues such as:

TEST-74-AUX-UTILS.sh[1363]: .//usr/lib/systemd/tests/testdata/units/TEST-74-AUX-UTILS.networkctl.sh: line 55: script: command not found

9 days agoTODO: add some items about report/metrics 40598/head
Lennart Poettering [Sat, 7 Feb 2026 22:55:23 +0000 (23:55 +0100)] 
TODO: add some items about report/metrics

9 days agoman: add super basic man page
Lennart Poettering [Sat, 7 Feb 2026 22:34:09 +0000 (23:34 +0100)] 
man: add super basic man page

9 days agoreport: rework limits logic
Lennart Poettering [Sat, 7 Feb 2026 22:26:21 +0000 (23:26 +0100)] 
report: rework limits logic

Let's count how many sources we skip, and output that as a summary, and
return an error exit code in this case.

Let's also put a limit on the metrics collected, not just the sources.

Also, our macros that put limits on things are usually called XYZ_MAX,
follow the same scheme here.

9 days agoreport: don't claim no reporting sockets were found, when it's no metrics that were...
Lennart Poettering [Sat, 7 Feb 2026 22:12:30 +0000 (23:12 +0100)] 
report: don't claim no reporting sockets were found, when it's no metrics that were found

Let's add a proper message about missing sources, and call them
"sources", i.e. take a more high-level view on things.

9 days agoreport: keep track of varlink connections inside of Context object
Lennart Poettering [Sat, 7 Feb 2026 22:10:54 +0000 (23:10 +0100)] 
report: keep track of varlink connections inside of Context object

Let's also move the Varlink connection management into the Context
object. Let's also switch to Set* for it, so that we get get
auto-expanding behaviour.

9 days agoreport: move event loop object into Context
Lennart Poettering [Sat, 7 Feb 2026 22:01:00 +0000 (23:01 +0100)] 
report: move event loop object into Context

It's one of the primary objects that make up the program "context"
conceptually, hence it also should be part of the Context object. This
allows us to just have it available if the Context object is seen.

9 days agoreport: pass Context as first argument to metrics_call()
Lennart Poettering [Sat, 7 Feb 2026 21:57:41 +0000 (22:57 +0100)] 
report: pass Context as first argument to metrics_call()

Typically the context object should be the first one. And the return
parameters should be the last ones.

9 days agoreport: -p is not defined
Lennart Poettering [Fri, 6 Feb 2026 22:43:31 +0000 (23:43 +0100)] 
report: -p is not defined

9 days agoreport: do not treat an empty report dir as an issue
Lennart Poettering [Fri, 6 Feb 2026 22:42:36 +0000 (23:42 +0100)] 
report: do not treat an empty report dir as an issue

We should permit that the report varlink dir is created on the fly when
the first socket is bound there. Hence, let's treat a non-existant dir
equivalent to an empty one.

We usually do this in our tree like this, do it here too.

9 days agoreport: use sd_json_variant_unref_many()
Lennart Poettering [Fri, 6 Feb 2026 22:42:15 +0000 (23:42 +0100)] 
report: use sd_json_variant_unref_many()

9 days agoreport: add the usual --json= argument
Lennart Poettering [Fri, 6 Feb 2026 22:42:02 +0000 (23:42 +0100)] 
report: add the usual --json= argument