git.ipfire.org Git - thirdparty/systemd.git/log
24 hours ago vmspawn: clean up OVMF secure boot support check a bit 40652/head
Mike Yuan [Thu, 12 Feb 2026 01:58:35 +0000 (02:58 +0100)] 
vmspawn: clean up OVMF secure boot support check a bit

find_ovmf_config() would do filtering based on arg_secure_boot
already, hence the mismatch can only occur if we're using
user-specified firmware. So be explicit about this in log.

24 hours ago vmspawn: use parse_tristate_argument_with_auto()
Mike Yuan [Wed, 11 Feb 2026 22:32:44 +0000 (23:32 +0100)] 
vmspawn: use parse_tristate_argument_with_auto()

24 hours ago parse-argument: make parse_tristate_argument() do something useful
Mike Yuan [Wed, 11 Feb 2026 22:15:24 +0000 (23:15 +0100)] 
parse-argument: make parse_tristate_argument() do something useful

I expressed the issue I have with parse_tristate_argument()
in #37751: it doesn't add any value to direct use of parse_tristate();
on the contrary, it doesn't support means to reset the arg to "auto"/-1 state.
The mere reason it existed is that we need an int type ret param.

Since the previous attempt to address this mess failed, let's
try to make the function more useful by making it accept "auto".
I figure this is useful on its own.

As requested in
https://github.com/systemd/systemd/pull/40652#discussion_r2831833996,
the function name is suffixed with _with_auto() to establish
that "auto" is handled internally.

24 hours ago Add BNCF NewBook 11 ACCEL_MOUNT_MATRIX to 60-sensor.hwdb
Ryan Zeigler [Fri, 20 Feb 2026 17:26:38 +0000 (12:26 -0500)]
Add BNCF NewBook 11 ACCEL_MOUNT_MATRIX to 60-sensor.hwdb

Corrects DE autorotation

Device description: https://www.bncfai.com/product/773/

26 hours ago man/report: fix typo
Yu Watanabe [Fri, 20 Feb 2026 18:00:49 +0000 (03:00 +0900)] 
man/report: fix typo

Follow-up for e83cbc9372e66abacd9a8ecf45e1095010242127.

27 hours ago machine: switch CleanPool to SD_VARLINK_REQUIRES_MORE
Michael Vogt [Fri, 20 Feb 2026 10:20:02 +0000 (11:20 +0100)] 
machine: switch CleanPool to SD_VARLINK_REQUIRES_MORE

The CleanPool requires --more to be set and checks that in
`vl_method_clean_pool`. By switching to SD_VARLINK_REQUIRES_MORE
this will automatically be handled and is more clear to
the varlink users.

Based on the comment from Lennart in
https://github.com/systemd/systemd/pull/40650#discussion_r2832378002
and the work done by Mike in 09388a6b9e4 (thanks!).

27 hours ago repart: Report correct current disk size and error (#39813)
Luca Boccassi [Fri, 20 Feb 2026 17:00:28 +0000 (17:00 +0000)] 
repart: Report correct current disk size and error (#39813)

29 hours ago mstack: parse --mkdir option
Antonio Alvarez Feijoo [Fri, 20 Feb 2026 13:06:35 +0000 (14:06 +0100)] 
mstack: parse --mkdir option

```
systemd-mstack: unrecognized option '--mkdir'
```

Follow-up for 8187cd18d61c9459f2fdb7591c9eb7c73afea24d

31 hours ago po: Translated using Weblate (Greek)
Jim Spentzos [Fri, 20 Feb 2026 12:58:25 +0000 (12:58 +0000)] 
po: Translated using Weblate (Greek)

Currently translated at 36.7% (97 of 264 strings)

Co-authored-by: Jim Spentzos <jimspentzos2000@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/el/
Translation: systemd/main

34 hours ago repart-varlink: Consider only managed partitions for size errors 39813/head
Julian Sparber [Thu, 12 Feb 2026 16:32:32 +0000 (17:32 +0100)]
repart-varlink: Consider only managed partitions for size errors

Report DiskTooSmall only if partitions managed by repart don't fit the
disk. Because if the disk is already full with foreign partitions we
would always report DiskTooSmall instead of InsufficentFreeSpace.

34 hours ago repart-varlink: Calculate the size of foreign partitions
Julian Sparber [Thu, 12 Feb 2026 16:28:43 +0000 (17:28 +0100)] 
repart-varlink: Calculate the size of foreign partitions

To decide whether the disk is too small or has insufficient free space we
need to know how much of the disk is filled with foreign partitions.
The calculated size is used in a future commit.

34 hours ago repart: Sum partitions size to get current disk size instead of using total size
Julian Sparber [Wed, 19 Nov 2025 17:30:04 +0000 (18:30 +0100)] 
repart: Sum partitions size to get current disk size instead of using total size

When working on disks the disk may have a total size bigger than the
actual allocated size, therefore sum up the current partitions to
calculate the current disk size instead of assuming that the entire disk
is currently allocated.

34 hours ago Several fixlets for issues found by Coverity (#40765)
Yu Watanabe [Fri, 20 Feb 2026 10:13:37 +0000 (19:13 +0900)] 
Several fixlets for issues found by Coverity (#40765)

35 hours ago systemd-report: show some love (#40735)
Lennart Poettering [Fri, 20 Feb 2026 09:21:31 +0000 (10:21 +0100)] 
systemd-report: show some love (#40735)

37 hours ago Various improvements (#40759)
Yu Watanabe [Fri, 20 Feb 2026 07:31:38 +0000 (16:31 +0900)] 
Various improvements (#40759)

37 hours ago update TODO 40735/head
Lennart Poettering [Wed, 18 Feb 2026 13:10:15 +0000 (14:10 +0100)] 
update TODO

37 hours ago report: install systemd-report binary to /usr/lib/systemd/ for now
Lennart Poettering [Wed, 18 Feb 2026 15:04:28 +0000 (16:04 +0100)] 
report: install systemd-report binary to /usr/lib/systemd/ for now

The tool should not be considered stable, and those things we usually
place in /usr/lib/systemd, and not in $PATH.

We can move that to $PATH once we are confident it's gonna stay the way
it is.

37 hours ago ci: add proper CI test for systemd-report
Lennart Poettering [Wed, 18 Feb 2026 14:16:14 +0000 (15:16 +0100)] 
ci: add proper CI test for systemd-report

37 hours ago report: use JSON-SEQ when outputting a series of json objects
Lennart Poettering [Wed, 18 Feb 2026 14:48:46 +0000 (15:48 +0100)]
report: use JSON-SEQ when outputting a series of json objects

We do this in our other tools that output a large number of JSON objects
in a potentially streamable way, hence do so here too.

37 hours ago report: fix log level of connection log messages
Lennart Poettering [Wed, 18 Feb 2026 14:35:13 +0000 (15:35 +0100)] 
report: fix log level of connection log messages

Let's also rename the "metric_prefix" to "name", because it's actually
the service name, and by giving it this generic name we can use it
reasonably in log messages.

37 hours ago report: add --no-legend
Lennart Poettering [Wed, 18 Feb 2026 14:34:44 +0000 (15:34 +0100)] 
report: add --no-legend

Like most of our other tools, add a --no-legend switch.

37 hours ago report: implement filtering for metrics
Lennart Poettering [Wed, 18 Feb 2026 13:53:08 +0000 (14:53 +0100)] 
report: implement filtering for metrics

37 hours ago report: tighten rules on metrics names
Lennart Poettering [Wed, 18 Feb 2026 13:43:07 +0000 (14:43 +0100)] 
report: tighten rules on metrics names

Let's stay close to Varlink's naming rules and insist that metrics
prefixes must be valid varlink interface names, and suffixes are valid
varlink field names.

The former rule is clear: because a metric <x>.<y> can only be provided
by a varlink service <x>, it is obvious we should validate them the
same way. Validating the suffix via varlink field rules is not that
obvious, but I think it makes sense to stay close to Varlink naming
rules if we already started out at one place.

37 hours ago report: we don't use inline in .c files, the compiler can figure this out better...
Lennart Poettering [Wed, 18 Feb 2026 13:13:47 +0000 (14:13 +0100)] 
report: we don't use inline in .c files, the compiler can figure this out better on its own

37 hours ago report: add -j shortcut
Lennart Poettering [Wed, 18 Feb 2026 13:07:45 +0000 (14:07 +0100)] 
report: add -j shortcut

json output is going to be used very frequently, hence provide a
shortcut for it, like many of our tools do it.

37 hours ago report: also dump metrics in tabular output
Lennart Poettering [Wed, 18 Feb 2026 13:08:42 +0000 (14:08 +0100)] 
report: also dump metrics in tabular output

JSON output is great, but let's show the metrics by default in a more
human readable fashion.

37 hours ago report: add 'list-sources' verb for enumerating metrics sources
Lennart Poettering [Wed, 18 Feb 2026 10:37:58 +0000 (11:37 +0100)] 
report: add 'list-sources' verb for enumerating metrics sources

37 hours ago report: split out service enumeration logic
Lennart Poettering [Wed, 18 Feb 2026 10:47:31 +0000 (11:47 +0100)] 
report: split out service enumeration logic

We want to reuse it later to list all services, hence make it generic.

(Also, allow symlinked services too)

37 hours ago report: switch to "verbs" command line interface, and add 'describe-metrics'
Lennart Poettering [Wed, 18 Feb 2026 10:19:35 +0000 (11:19 +0100)] 
report: switch to "verbs" command line interface, and add 'describe-metrics'

Let's prepare for a future where the "systemd-report" tool can do more
than enumerate metrics: let's introduce our usual "verbs" style
interface.

Let's also add a second command right-away: "describe-metrics" shows the
description of the metrics.

37 hours ago mstack: coding style cleanups 40765/head
Yu Watanabe [Fri, 20 Feb 2026 07:22:00 +0000 (16:22 +0900)] 
mstack: coding style cleanups

37 hours ago mstack: fix resource leak on failure path
Yu Watanabe [Fri, 20 Feb 2026 07:18:07 +0000 (16:18 +0900)] 
mstack: fix resource leak on failure path

This makes mstack_load() require 'ret', as clearing the loaded
mstack without use is meaningless. All callers already pass non-NULL for
the argument.

Follow-up for 8343032a86b62f62780de85a696ab8f9d2632244.
Fixes CID#1645105.

37 hours ago report: adjust indentation to our usual style
Lennart Poettering [Wed, 18 Feb 2026 10:38:11 +0000 (11:38 +0100)] 
report: adjust indentation to our usual style

37 hours ago report: add comment explaining that metric_startswith_prefix() does a true prefix...
Lennart Poettering [Thu, 19 Feb 2026 07:47:51 +0000 (08:47 +0100)] 
report: add comment explaining that metric_startswith_prefix() does a true prefix match

37 hours ago metrics: show metrics 'keys' before 'values'
Lennart Poettering [Wed, 18 Feb 2026 10:38:40 +0000 (11:38 +0100)] 
metrics: show metrics 'keys' before 'values'

In a way, metrics are a key-value concept, where the key is a triplet of
metrics family name, object name, and "fields". Let's put them together
in the varlink call, and put the value last, separately from that.

Also, update docs a bit, i.e. be explicit about the metrics *family* name
everywhere.

37 hours ago format-table: add a new JSON cell type
Lennart Poettering [Wed, 18 Feb 2026 12:45:52 +0000 (13:45 +0100)] 
format-table: add a new JSON cell type

This formats the specified json variant as a string, and displays it in
a cell.

37 hours ago json: add json_variant_compare() helper for comparing two json variants by order
Lennart Poettering [Wed, 18 Feb 2026 12:45:22 +0000 (13:45 +0100)]
json: add json_variant_compare() helper for comparing two json variants by order

37 hours ago import: fix NULL pointer dereference
Yu Watanabe [Fri, 20 Feb 2026 07:11:50 +0000 (16:11 +0900)] 
import: fix NULL pointer dereference

Follow-up for a9f6ba04969d6eb2e629e30299fab7538ef42a57.
Fixes CID#1645106.

47 hours ago hwdb: fix typos
David Santamaría Rogado [Thu, 19 Feb 2026 20:48:38 +0000 (21:48 +0100)] 
hwdb: fix typos

2 days ago uid-range: Handle same userns in uid_range_load_userns_by_fd() 40759/head
Daan De Meyer [Wed, 18 Feb 2026 18:30:12 +0000 (19:30 +0100)] 
uid-range: Handle same userns in uid_range_load_userns_by_fd()

If we're asked to look up our own user namespace mapping, don't go
via fd as trying to setns() to our own user namespace in
userns_enter_and_pin() would fail with EPERM as the kernel doesn't
allow switching to your own userns.

2 days ago userns-restrict: Remove unused inode argument and rename function
Daan De Meyer [Tue, 17 Feb 2026 22:40:33 +0000 (23:40 +0100)] 
userns-restrict: Remove unused inode argument and rename function

2 days ago test-userns-restrict: Migrate to new assertion macros
Daan De Meyer [Mon, 9 Feb 2026 20:58:48 +0000 (21:58 +0100)] 
test-userns-restrict: Migrate to new assertion macros

We also inline the test functions so we get proper line information
in the failure coredumps.

2 days ago ssh-proxy: Support ssh machine/xxx for nspawn containers
Daan De Meyer [Thu, 19 Feb 2026 09:54:07 +0000 (10:54 +0100)] 
ssh-proxy: Support ssh machine/xxx for nspawn containers

2 days ago hwdb: sensor: hp use board product name as hp-wmi
David Santamaría Rogado [Thu, 19 Feb 2026 17:38:13 +0000 (18:38 +0100)] 
hwdb: sensor: hp use board product name as hp-wmi

Doing it made also to include the 14t-fh000, the product name initial
units of the omnibook ultra flip 14 had, this is intended.

Order the entries by product name.

Follow up: fadb0b53f7d8d2d9e9d8dd141bc05de9116b083a.

2 days ago ci: Simplify musl build setup
Daan De Meyer [Wed, 18 Feb 2026 11:46:16 +0000 (12:46 +0100)] 
ci: Simplify musl build setup

No need to setup symlink farms, we can just use the host's /usr/include
now.

2 days ago meson: Explicitly check for musl for gshadow and nss
Daan De Meyer [Wed, 18 Feb 2026 11:45:10 +0000 (12:45 +0100)] 
meson: Explicitly check for musl for gshadow and nss

This allows building with musl on glibc systems as follows:

env \
    CC=musl-gcc \
    CXX=musl-gcc \
    CFLAGS="-idirafter /usr/include" \
    CXXFLAGS="-idirafter /usr/include" \
        meson setup --auto-features=disabled -Dlibc=musl musl

2 days ago repart: return 1 from probe_sector_size_prefer_ioctl() on block device success
Nandakumar Raghavan [Thu, 19 Feb 2026 13:42:19 +0000 (13:42 +0000)] 
repart: return 1 from probe_sector_size_prefer_ioctl() on block device success

probe_sector_size() returns 1 when it successfully determines the sector size,
0 when falling back to the default. blockdev_get_sector_size() returns 0 on
success. probe_sector_size_prefer_ioctl() was passing blockdev_get_sector_size()
return value through directly, so a caller checking r > 0 to detect a
successfully probed sector size never saw it for block devices.

In context_load_partition_table(), this caused fs_secsz to stay at 4096 bytes
even on 512-byte sector block devices, making verity hash partition sizes wrong
unless --sector-size=512 was passed explicitly.

Fix by returning 1 on success from the block device path to match probe_sector_size()
convention.

2 days ago Python modernization followups (#40755)
Yu Watanabe [Thu, 19 Feb 2026 16:33:07 +0000 (01:33 +0900)] 
Python modernization followups (#40755)

2 days ago NEWS: move and extend entry for PTP device permission
Yu Watanabe [Thu, 19 Feb 2026 16:24:57 +0000 (01:24 +0900)] 
NEWS: move and extend entry for PTP device permission

Follow-up for 1e6854e112e9723be6108b83f6935ec7e04cea17.

2 days ago man: fix typo
Yu Watanabe [Thu, 19 Feb 2026 16:16:54 +0000 (01:16 +0900)] 
man: fix typo

Follow-up for 6b22ac31afcfab53dc9b51d6b5f7862e52607923.

2 days ago man: fix typo
Yu Watanabe [Thu, 19 Feb 2026 16:15:44 +0000 (01:15 +0900)] 
man: fix typo

Follow-up for eb581ff6d9556d29f1b9b57d6a40c4adefde16a6.

2 days ago mstack: fix typo
Yu Watanabe [Thu, 19 Feb 2026 16:14:27 +0000 (01:14 +0900)] 
mstack: fix typo

Follow-up for 8343032a86b62f62780de85a696ab8f9d2632244.

2 days ago import: fix typo
Yu Watanabe [Thu, 19 Feb 2026 16:12:50 +0000 (01:12 +0900)] 
import: fix typo

Follow-up for a9f6ba04969d6eb2e629e30299fab7538ef42a57.

2 days ago TODO: fix typo
Yu Watanabe [Thu, 19 Feb 2026 16:11:27 +0000 (01:11 +0900)] 
TODO: fix typo

Follow-up for 3bbada87e290f3f0c2ca17f4f10396ec037b03c9.

2 days ago importd: add support for downloading OCI images (#39621)
Lennart Poettering [Thu, 19 Feb 2026 15:43:11 +0000 (16:43 +0100)] 
importd: add support for downloading OCI images (#39621)

This adds the ability to download OCI images via importd.

Not a fan of the OCI format tbh, in particular its security properties
are a bit sad. But I guess it exists and is very popular, hence we might
as well add support for it, even if it comes at much weaker security
properties than DDIs.

Fixes #36447

2 days ago Bring Bash profile for reporting context via Operating System Commands (OSC) into...
Lennart Poettering [Thu, 19 Feb 2026 14:50:24 +0000 (15:50 +0100)] 
Bring Bash profile for reporting context via Operating System Commands (OSC) into compliance with specifications (#40696)

This script fails to comply with the spec it's designed to implement,
[UAPI.15 OSC 3008: Hierarchical Context
Signalling](https://uapi-group.org/specifications/specs/osc_context/),
and fails to correctly utilize the specs provided by
[POSIX.1-2024](https://pubs.opengroup.org/onlinepubs/9799919799.2024edition/mindex.html)
and [man 1
bash](https://www.man7.org/linux/man-pages//man1/bash.1.html); improve
compliance.

Changes are made in small atomic commits, with more detailed
descriptions of the work done in each message.

2 days ago elf2efi: modernize typing annotations 40755/head
Zbigniew Jędrzejewski-Szmek [Thu, 19 Feb 2026 13:22:18 +0000 (14:22 +0100)] 
elf2efi: modernize typing annotations

We still need Union and Optional as long as compat with Python 3.9
is needed.

2 days ago elf2efi: make mypy-clean
Zbigniew Jędrzejewski-Szmek [Thu, 19 Feb 2026 13:17:29 +0000 (14:17 +0100)] 
elf2efi: make mypy-clean

2 days ago elf2efi: import whole module, not individual symbols
Zbigniew Jędrzejewski-Szmek [Thu, 19 Feb 2026 12:32:31 +0000 (13:32 +0100)] 
elf2efi: import whole module, not individual symbols

When reading the code, it was hard to figure out if the given name was
imported or a local class. And the renaming of imports also made it
harder to look things up online. Arguably, the deeply nested import
structure and inconsistent naming in elftools is partially to blame:
there is just no good way to make this look nice. But anyway, let's use
the usual style of importing the module and using names prefixed with
the module path so that the origin of imported names is clear.

elfutils.elf.elffile is imported separately, because a) it needs to be
imported separately anyway because the module does lazy imports
internally, b) the name already indicates the origin, c) is used in
quite a few places so the shorter name is nice.

2 days ago generate-sym-test: skip everything that is not a file
Zbigniew Jędrzejewski-Szmek [Thu, 19 Feb 2026 12:01:01 +0000 (13:01 +0100)] 
generate-sym-test: skip everything that is not a file

The generator looks for files in the filesystem, and it sometimes fails
on emacs "lock files" which are a symlink. Ignore those.

2 days ago metrics: fix casing for metrics names (take 2)
Yaping Li [Wed, 18 Feb 2026 21:58:11 +0000 (13:58 -0800)] 
metrics: fix casing for metrics names (take 2)

Change the casing for metrics names to mimic properties exposed via
varlink/dbus: Use PascalCase.

2 days ago machine: Fix cid passed to machine_add_from_params()
Daan De Meyer [Thu, 19 Feb 2026 09:16:37 +0000 (10:16 +0100)] 
machine: Fix cid passed to machine_add_from_params()

The default value is VMADDR_CID_ANY, not zero.

2 days ago update TODO 39621/head
Lennart Poettering [Wed, 18 Feb 2026 23:01:03 +0000 (00:01 +0100)] 
update TODO

2 days ago ci: drop 'Ex' suffix from transient props
Lennart Poettering [Tue, 17 Feb 2026 14:03:07 +0000 (15:03 +0100)] 
ci: drop 'Ex' suffix from transient props

The "Ex" is mostly internal, and our parsers will append it
automatically when needed

2 days ago ci: add test for OCI downloading
Lennart Poettering [Wed, 26 Nov 2025 08:07:28 +0000 (09:07 +0100)] 
ci: add test for OCI downloading

2 days ago man: document everything we just added
Lennart Poettering [Thu, 27 Nov 2025 08:36:34 +0000 (09:36 +0100)] 
man: document everything we just added

2 days ago mountpoint-util: fix typo in comment
Lennart Poettering [Wed, 18 Feb 2026 07:29:13 +0000 (08:29 +0100)] 
mountpoint-util: fix typo in comment

2 days ago portable: fix log levels
Lennart Poettering [Mon, 16 Feb 2026 08:39:40 +0000 (09:39 +0100)] 
portable: fix log levels

portable_extract_by_path() and install_image() can't agree whether to be
of the "logging" or "non-logging" kind

2 days ago discover-image: make sure we can remove mstacks
Lennart Poettering [Fri, 28 Nov 2025 17:26:56 +0000 (18:26 +0100)] 
discover-image: make sure we can remove mstacks

2 days ago core: introduce PinnedResource
Lennart Poettering [Thu, 27 Nov 2025 07:07:31 +0000 (08:07 +0100)] 
core: introduce PinnedResource

This introduces PinnedResources as a structure combining pinned
references to a root directory, root image, or root mstack. This is not
only easier to work with, but essential to make certain unpriv things
work, as we need some mechanism to pin resources before we drop into a
userns which might possibly not provide access anymore to those
resources.

Hence this does two things: introduce the new structure, and immediately
hook it up so that we pin things properly before dropping into userns,
and then makes use of this after dropping the right way, and enables
unpriv userns operation.

The concept is generic enough to eventually implement extension images +
mount images with the same structure, but in order to keep the changes
manageable this is left for another time.

(This also makes one further clean-up: client-side verity-reuse checks
are moved server side if we are unpriv. Previously we'd do them client
side, but they were doomed to fail because of lack of privs. Hence let's
drop the client side if we are unpriv and purely do them server-side in
that case.)

2 days ago mountfsd,nsresource: allow recycling mountfsd/nsresourced client connections
Lennart Poettering [Fri, 28 Nov 2025 15:28:42 +0000 (16:28 +0100)] 
mountfsd,nsresource: allow recycling mountfsd/nsresourced client connections

So far we opened a new Varlink connection for every mountfsd/nsresourced
method call. Given each tool only does a very small number of calls
(usually 1…5) on them and the connections are cheap this is not too
wasteful. Nonetheless, let's do something about it, and allow reusing
the connection for multiple calls.

This not only makes things a bit more efficient, but has one more
important benefit: Varlink connections pin the security context of the
client when connecting. This means that varlink method calls done with a
connection established while some code was privileged will still operate
as privileged once privs are dropped, until the connection is closed.
This pinning effect is really nice, as it gives us behaviour in a
"capability system" like scheme. Later code is going to use that to
continue doing certain priv userns ops even after unsharing userns and
becoming fully unpriv.

2 days ago namespace: extend bind mount ignore field to permission issues
Lennart Poettering [Fri, 28 Nov 2025 15:18:07 +0000 (16:18 +0100)] 
namespace: extend bind mount ignore field to permission issues

A later commit will add transient allocation of user namespaces with
dynamic UID range assignment. That creates certain permission issues.
Let's hence allow them to be handled gracefully in case the 'ignore'
field is set for a mount.

2 days ago namespace: port mount_private_apivfs() to fsopen() and friends
Lennart Poettering [Fri, 28 Nov 2025 11:21:41 +0000 (12:21 +0100)] 
namespace: port mount_private_apivfs() to fsopen() and friends

This is not just refactoring, but has the big benefit that it makes us
independent from a temporary directory we might not have enough access
to create. (This matters with the new PrivateUsers=managed).

2 days ago private
Lennart Poettering [Thu, 19 Feb 2026 14:03:50 +0000 (15:03 +0100)] 
private

2 days ago core: add PrivateUsers=managed
Lennart Poettering [Thu, 27 Nov 2025 07:58:26 +0000 (08:58 +0100)] 
core: add PrivateUsers=managed

2 days ago importctl: add 'pull-oci' client API
Lennart Poettering [Tue, 25 Nov 2025 14:32:23 +0000 (15:32 +0100)] 
importctl: add 'pull-oci' client API

2 days ago importd: add bus/varlink api for downloading OCIs
Lennart Poettering [Tue, 25 Nov 2025 14:33:36 +0000 (15:33 +0100)] 
importd: add bus/varlink api for downloading OCIs

2 days ago run: support RootMStack= on the client side for systemd-run
Lennart Poettering [Tue, 25 Nov 2025 08:01:58 +0000 (09:01 +0100)] 
run: support RootMStack= on the client side for systemd-run

2 days ago portable: support .mstack images
Lennart Poettering [Tue, 25 Nov 2025 08:01:36 +0000 (09:01 +0100)] 
portable: support .mstack images

2 days ago pid1: introduce RootMStack= for using an mstack as root dir for a service
Lennart Poettering [Mon, 24 Nov 2025 21:23:41 +0000 (22:23 +0100)] 
pid1: introduce RootMStack= for using an mstack as root dir for a service

2 days ago tree-wide: move logging from varlink clients in nsresource.c/dissect-image.c into...
Lennart Poettering [Mon, 16 Feb 2026 08:37:58 +0000 (09:37 +0100)] 
tree-wide: move logging from varlink clients in nsresource.c/dissect-image.c into callers

These calls are "library-like", hence better should only debug log on
their own, not more.

2 days ago nspawn: add support for running mstack container images
Lennart Poettering [Wed, 12 Nov 2025 15:46:59 +0000 (16:46 +0100)] 
nspawn: add support for running mstack container images

2 days ago discover-image: add support for discovering mstack images
Lennart Poettering [Wed, 12 Nov 2025 15:47:57 +0000 (16:47 +0100)] 
discover-image: add support for discovering mstack images

2 days ago add mstack tool for accessing mstacks from the command line
Lennart Poettering [Mon, 10 Nov 2025 11:13:11 +0000 (12:13 +0100)] 
add mstack tool for accessing mstacks from the command line

2 days ago vpick: add generic definition for mstack image pick filters
Lennart Poettering [Tue, 18 Nov 2025 21:33:59 +0000 (22:33 +0100)] 
vpick: add generic definition for mstack image pick filters

2 days ago mstack: introduce "mstack" concept
Lennart Poettering [Sun, 9 Nov 2025 20:16:44 +0000 (21:16 +0100)] 
mstack: introduce "mstack" concept

2 days ago pull: add OCI support
Lennart Poettering [Fri, 7 Nov 2025 07:35:59 +0000 (08:35 +0100)] 
pull: add OCI support

2 days ago core: introduce exec_context_with_rootfs_strict() as a stricter version of exec_conte...
Lennart Poettering [Tue, 17 Feb 2026 14:46:45 +0000 (15:46 +0100)] 
core: introduce exec_context_with_rootfs_strict() as a stricter version of exec_context_with_rootfs()

We have two very similar checks in place: in some contexts we want to
know if *any* RootDirectory= is configured, in the other we want to
suppress if it is configured to our regular root. Let's add a helper for
both (even if we only need it once), to make the mirrored behaviour
clear.

2 days ago core: use exec_context_with_rootfs() at one more place
Lennart Poettering [Tue, 17 Feb 2026 14:46:58 +0000 (15:46 +0100)] 
core: use exec_context_with_rootfs() at one more place

2 days ago tar-util: add support for extracting OCI compatible whiteouts, and turn them into...
Lennart Poettering [Fri, 7 Nov 2025 07:33:32 +0000 (08:33 +0100)] 
tar-util: add support for extracting OCI compatible whiteouts, and turn them into overlayfs whiteouts

2 days ago pull-job: make sure pull_job_restart() can be used to fetch the same resource again...
Lennart Poettering [Fri, 7 Nov 2025 07:32:39 +0000 (08:32 +0100)] 
pull-job: make sure pull_job_restart() can be used to fetch the same resource again, just with new headers

Let's flush out all response state from the job, but let's keep the
request data previously configured, in particular the headers set. This
is useful to re-request a resource, just with a slightly modified or
identical URL.

2 days ago pull-job: add helpers to detect requests for authentication, and accept bearer tokens
Lennart Poettering [Fri, 7 Nov 2025 07:31:34 +0000 (08:31 +0100)] 
pull-job: add helpers to detect requests for authentication, and accept bearer tokens

2 days ago pull-job: add 'description' field to PullJob
Lennart Poettering [Thu, 6 Nov 2025 09:46:07 +0000 (10:46 +0100)] 
pull-job: add 'description' field to PullJob

This is shown in the output in place of the URL if non-NULL. This is
useful for OCI's hash-based URLs, which alone are very opaque to read.

2 days ago pull-job: optionally free userdata when we destroy a PullJob
Lennart Poettering [Thu, 6 Nov 2025 08:32:56 +0000 (09:32 +0100)] 
pull-job: optionally free userdata when we destroy a PullJob

2 days ago pull-job: add interface for controlling Accept: header sent to http server
Lennart Poettering [Wed, 5 Nov 2025 15:48:46 +0000 (16:48 +0100)] 
pull-job: add interface for controlling Accept: header sent to http server

2 days ago pull-job: keep track of content type reported by server
Lennart Poettering [Wed, 5 Nov 2025 15:47:59 +0000 (16:47 +0100)] 
pull-job: keep track of content type reported by server

2 days ago uid-range: add uid_range_base() that returns the lowest entry
Lennart Poettering [Thu, 19 Feb 2026 14:02:48 +0000 (15:02 +0100)] 
uid-range: add uid_range_base() that returns the lowest entry

2 days ago basic: define Architecture typedef in basic-forward.h
Lennart Poettering [Mon, 16 Feb 2026 08:34:37 +0000 (09:34 +0100)] 
basic: define Architecture typedef in basic-forward.h

2 days ago udev: grant read access to PTP devices for unprivileged users
Carolina Jubran [Mon, 16 Feb 2026 09:24:53 +0000 (11:24 +0200)] 
udev: grant read access to PTP devices for unprivileged users

Change the default udev rule for /dev/ptp* from 0660 to 0664,
allowing unprivileged users read-only access.

NIC telemetry and hardware logs often use device timestamps that must
be correlated with host time via read-only PTP ioctls (e.g.
cross-timestamp queries). Requiring privileged access makes these
workflows unnecessarily restrictive.

Older kernels lacked proper permission checks in some PTP ioctls.
Kernel commit b4e53b15c04e3852949003752f48f7a14ae39e86 ("ptp: Add PHC
file mode checks. Allow RO adjtime() without FMODE_WRITE.") introduces
the necessary file mode validation, ensuring that read access does not
permit clock modification or configuration changes, which still require
write permissions.

This commit has been backported to all actively maintained stable
kernel branches.

Related to #31034

2 days ago NEWS: mention python requirement bump
Yu Watanabe [Thu, 19 Feb 2026 13:23:04 +0000 (22:23 +0900)] 
NEWS: mention python requirement bump

2 days ago openssl-util: pass the UI callback for interactive PIN prompts
Kai Lüke [Thu, 19 Feb 2026 07:01:06 +0000 (16:01 +0900)] 
openssl-util: pass the UI callback for interactive PIN prompts

Observed with the tpm2 provider and the tpm2tss engine was that the
auth process failed because the provider/engine could not ask for the
PIN through the callback, resulting in:
  "Failed to load private key from ...: Input/output error"
Apparently the default UI method is not enough and the key setup
functions expect an explicit method.
Pass the existing UI method through as callback for the key setup.