Daan De Meyer [Sat, 14 Feb 2026 15:04:08 +0000 (16:04 +0100)]
tools: Fix changelog generation (again)
Using --first-parent --no-merges seems to exclude not just the merge
commits but all the commits from the merge as well. Let's use only
--no-merges to get just the commits without merges.
Daan De Meyer [Fri, 13 Feb 2026 21:21:35 +0000 (22:21 +0100)]
mkosi: Mark minimal images as Incremental=relaxed
Building these over and over again is extremely wasteful. Let's just
build them once and not touch them again unless -ff is specified or
their cache is out-of-date, which is exactly what Incremental=relaxed
does.
This means mkosi.extra/ and such changes won't be picked up for these
anymore unless -ff is used, but that slight annoyance is totally
outweighed by the time saved building the images.
Daan De Meyer [Fri, 13 Feb 2026 21:19:28 +0000 (22:19 +0100)]
mkosi: Use mkosi.initrd.conf
A more straightforward way to extend the default initrd rather than
using a subimage. This mainly allows us to take advantage of mkosi
automatically figuring out whether the initrd needs to be built or not,
speeding up builds when building directory images as the initrd can be
skipped in that case.
* d6ddc66acb Use python3.12 as interpreter in CentOS Stream 9 zipapp
* 89d876c86f tests: fix running pytest on undetected distro
* 61a47eeb1c centos: Fix EPEL repositories for RHEL 10
* e5aa19e2bc oci: allow user defined labels and annotations
* 1680fc5789 man: be more precise that the tools tree distribution is decided by the host distribution
* 7025b8e67d Support resizing output image
Luca Boccassi [Fri, 13 Feb 2026 21:37:56 +0000 (21:37 +0000)]
test: do not fail when parsing PID that isn't thread-group leader (#40677)
```
TEST-02-UNITTESTS.sh[4382]: [ 707.393188] test-cgroup-util[426]: Failed to open pidfd for pid 414: Invalid argument
TEST-02-UNITTESTS.sh[4382]: [ 707.393193] test-cgroup-util[426]: src/test/test-cgroup-util.c:249: Assertion failed: Expected "r = proc_dir_read_pidref(d, &pid)" to succeed, but got error: -22/EINVAL
```
The kernel can return EINVAL on pidfd_open() when the selected PID is
not a thread group leader. Don't fail the test, as we are iterating on
everything, so this can seldomly happen.
Michael Vogt [Wed, 11 Feb 2026 15:01:18 +0000 (16:01 +0100)]
varlinkctl: add pluggable protocol support to sd-varlink
When sd_varlink_connect_url() gets an unknown URL we now
check if there is a `$LIBEXECDIR/varlink-bridges/$scheme`
binary and execute it (with the url as the first arguments).
This makes varlink more flexible as it provides a way to
dynamically add "bridges" in LIBEXECDIR/varlink-bridges/. This is
conceptually similar to the libvarlink `varlink --bridge` command
and allows to e.g. call varlink over http{,s} via e.g. the new
varlink-http-bridge.
With a running varlink-http-bridge [0] one can do:
```console
$ varlinkctl call http://localhost:8080/ws/sockets/io.systemd.Hostname \
io.systemd.Hostname.Describe {}
{
"Hostname" : "top",
...
```
homectl: drop --and-resize and --and-change-password
The two options are were not documented or ever used in the codebase.
Additionally, the parser expected an argumentless option, while the option
table declared a required argument. So I think this was added for debugging
and never excercised properly. Since there was no public documentation for
those, it's as if they never existed, so it should be fine to drop them.
Luca Boccassi [Fri, 13 Feb 2026 00:21:06 +0000 (00:21 +0000)]
repart: set r/o GPT flag on verity sig partition too
The default image policy for the verity sig partition expects
the r/o flag to be set, but repart so far did not add it by
default if unset, like it does for the verity partition
Yu Watanabe [Tue, 3 Feb 2026 07:59:49 +0000 (16:59 +0900)]
kmod-setup: fix loading virtio related drivers
It seems the device with modalias e.g. virtio:d00000013v, only appears
after the relevant module is loaded. So, we cannot use the string to
determine if we should load the module.
Daan De Meyer [Thu, 12 Feb 2026 19:34:27 +0000 (20:34 +0100)]
TEST-72-SYSUPDATE: Use some very long partition names
To catch issues like https://github.com/systemd/systemd/issues/40658.
The commit that fixes that issue can make the name even longer to ensure
we don't regress again in this regard.
Daan De Meyer [Thu, 12 Feb 2026 15:17:36 +0000 (16:17 +0100)]
sysupdate: Compute temporary paths before vacuuming
We don't want to vacuum anything if we're just going to fail just
afterwards because a GPT partition label exceeds the maximum size
so let's compute the temporary paths for all transfers before we do
any vacuuming or acquiring.
Han Sol Jin [Mon, 9 Feb 2026 10:23:03 +0000 (02:23 -0800)]
Revert "hwdb: fix arrow keys on HP Elite Dragonfly G3"
Prior to this commit, the behaviour looked like this:
| Keypress | Result |
| -------- | ------------ |
| Up | KEY_PAGEUP |
| Down | KEY_PAGEDOWN |
| Left | KEY_LEFT |
| Right | KEY_RIGHT |
| Fn+Up | KEY_UP |
| Fn+Down | KEY_DOWN |
| Fn+Left | KEY_HOME |
| Fn+Right | KEY_END |
This commit would fix it so that PGUP/PGDN would also require the Fn
key so that the arrow keys behave identically depending on whether Fn
was pressed.
Presumably after a BIOS update, HP seems to have fixed the order. This
now means this commit is now behaving exactly as the table above.
Revert the commit to restore the intended behaviour:
| Keypress | Result |
| -------- | ------------ |
| Up | KEY_UP |
| Down | KEY_DOWN |
| Left | KEY_LEFT |
| Right | KEY_RIGHT |
| Fn+Up | KEY_PAGEUP |
| Fn+Down | KEY_PAGEDOWN |
| Fn+Left | KEY_HOME |
| Fn+Right | KEY_END |
DaanDeMeyer [Sat, 27 Dec 2025 19:37:02 +0000 (20:37 +0100)]
dissect: Introduce --copy-ownership= to configure chown behavior
Currently, if we're copying a file, we won't copy the owner UID/GID
from the source. If we're copying a directory, we will copy the owner
UID/GID from the source. Let's give users a bit more control over this
behavior by introducing --copy-ownership= which will default to the
current behavior but allows users to explicitly enable/disable copying
of ownership.
DaanDeMeyer [Fri, 26 Dec 2025 21:18:29 +0000 (22:18 +0100)]
dissect: Make --mount/--unmount/--with work unprivileged
Let's check for CAP_SYS_ADMIN instead of root for these, and make
unmounting more graceful if we can't access the backing loop device
because of permission issues. This allows mounting and unmounting images
from an unprvileged mount namespace. The actual files in the image will
end up owned by nobody:nobody because we'll be in an unprivileged user
namespace, but assuming the directory permissions are not too strict, this
still allows interacting with the image in useful ways.
DaanDeMeyer [Fri, 26 Dec 2025 20:51:00 +0000 (21:51 +0100)]
dissect: Don't use private userns for --copy-to/--copy-from
These actions interact with the host. The former needs privileges to
write into the image, the latter needs privileges to write on the host.
Neither will have the privileges required if the image is attached under
a private userns, hence, don't use one.
Daan De Meyer [Mon, 2 Feb 2026 13:23:40 +0000 (14:23 +0100)]
sd-varlink: Introduce varlink_set_sentinel()
Streaming methods which are not used as a continuous subscription but
instead only send a series of objects all end up with the same workaround
to be able to figure out when to send sd_varlink_reply() or sd_varlink_notify().
Let's generalize this in sd-varlink itself.
Let's introduce the concept of a sentinel, which is a reply that will be sent
by sd-varlink if no other reply was queued by a method callback. The sentinel
is configured with varlink_set_sentinel(). If a sentinel is configured,
sd_varlink_reply() can be used more than once in streaming methods to queue
multiple values to stream to the client. The last queued reply is not sent
until the callback finishes. When the callback finishes, the last reply is
sent without "continues: more". If no reply was queued, the sentinel is sent.
This always using only sd_varlink_reply() in such streaming methods and
leaves sd_varlink_notify() available solely for continuous subscription
streaming methods, where we never use sd_varlink_reply() and instead disconnect
when the server exits.
The line to set opterr=0 was added in the initial commit in 3d090cc6f34e5970765dd1e7ee5e648a056d180d. But afaict, this never worked as
intended, because ':' must be the first char in optstring given to
getopt_long() for it to return ':' for a missing option value. Since
this wasn't set, getopt_long() would return '?', and the missing value
would be handled as an unknown option:
$ build/systemd-journal-upload --key
Unknown option --key.
$ build/systemd-journal-upload --asdf
Unknown option --asdf.
Let's just do the standard thing:
$ build/systemd-journal-upload --key
build/systemd-journal-upload: option '--key' requires an argument
$ build/systemd-journal-upload --asdf
build/systemd-journal-upload: unrecognized option '--asdf'
When we say '-n --iterations=N' in --help, this means that the program
can be invoked with '-n N' or '--iterations=N' or '--iterations N'.
(The short option is specified without the argument.)
Here we tried to use '-p --order=path' to mean that the program can be
invoked with '-p' or '--order=path', but that is incompatible with the
established convention.
Justification similar as in the previous commit. The check is only
partially connected to the intended purpose and breaks backwards compat
without a sufficient reason.
The original change was done to clean up a situation where we added a
new group, but the group could already have been used for some other
purposes, and now the some unexpected entity would own the device.
Unfortunately, this check doesn't really address the issue, since the
existing account might as well be a system account, which might be
equally bad. In addition, this change is a big compatiblity break,
causing existing rules to stop working. Since quite a lot of systems
have local configuration to assign devices to users for various
purposes, this is very noticable to users. In a way, the original change
to add a new group was the compat break, and follow-up patch to cahnge
the rule parsing evolved a small compat break into a much bigger one.
There is merit to the change though, since device nodes shouldn't be
owned by users and groups and different mechanisms should be used
instead. To avoid breaking users systems, and since the original goal
cannot be achieved by this patch, let's downgrade this to a warning
to guide users towards different solutions.
Mike Yuan [Tue, 10 Feb 2026 22:59:07 +0000 (23:59 +0100)]
terminal-util: handle the case where no system console is active (#40630)
/dev/console might have no backing driver, in which case
/sys/class/tty/console/active is empty. Unlike get_kernel_consoles()
resolve_dev_console() currently proceeds with empty devnode, resulting
in setup_input() -> acquire_terminal() emitting -EISDIR as we're trying
to open /dev/. Let's catch this and report -ENXIO.
Mike Yuan [Fri, 6 Feb 2026 01:07:05 +0000 (02:07 +0100)]
terminal-util: handle the case where no system console is active
/dev/console might have no backing driver, in which case
/sys/class/tty/console/active is empty. Unlike get_kernel_consoles()
resolve_dev_console() currently proceeds with empty devnode,
resulting in setup_input() -> acquire_terminal() emitting -EISDIR
as we're trying to open /dev/. Let's catch this and report -ENXIO.
Mike Yuan [Sun, 14 Dec 2025 16:55:04 +0000 (17:55 +0100)]
core/service: if RefreshOnReload= is explicitly enabled, allow reload even without exec/notify-reload
This was originally brought up by @poettering. If the process
loads stuff on demand and flushes them out after each use,
or actively monitors file changes, they can be reloaded
by merely refreshing the resources.
Mike Yuan [Sun, 14 Dec 2025 17:20:36 +0000 (18:20 +0100)]
core/service: introduce RefreshOnReload= setting
This allows controlling resources to be refreshed before performing
reload, with one extra benefit that in the future we can permit
"seemless reload"s, i.e. no active signaling is done to the main process
after refreshing get updated. This could come in handy for programs
that loads stuff on demand or watches changes via inotify.
Typically when entering a namespace the userns is handled last,
because we assume our process is more privileged than the userns.
However, that assumption no longer holds for user managers, which
have no privilege over initial userns and all other namespaces
are actually owned by the userns unshared first (in executor).
Hence, let's add another flavor namespace_enter_delegated() to
accommodate that use case.
Mike Yuan [Sat, 13 Dec 2025 16:37:26 +0000 (17:37 +0100)]
core/exec-credential: stop removing empty credentials dir
Starting from cfbf7538d87023840c5574fa5b0452e5b0f42149 we'd always
install the credentials dir regardless of whether it's empty,
with the correct permissions. Hence the problem stated in the comment
should no longer be a concern. Moreover, this ensures later in
setup_namespace() the mountpoint would be in-place. This is important
for credential reloading as it saves the trouble of remounting
the upper tmpfs as rw again and create the mountpoint.
Mike Yuan [Sat, 13 Dec 2025 17:11:07 +0000 (18:11 +0100)]
core/exec-credential: treat credentials dir as populated if it's mounted
We should only fall back to the dir_is_empty() check if
it's a plain dir, where we can't reasonably differentiate
populated yet empty vs not set up. Otherwise let's stick
to the existing mount if we're told to reuse it.
Yes, this is a minor compat break, but with the to-be-introduced
credential reloading support it should fulfill the goal of
keeping the passed set of credentials stable better, while
still allowing things to be refreshed when requested.
These operations to quite different things, they just share 2 common
funcs. Let's split them out into separate files.
This also splits up verb_list() into separate calls for the three
operations. This actually fixes issues, as for status/list we want
"unpriv" ESP discovery logic, but for the other two we really should
have privileged discovery logic.
This is preparation for adding "bootctl link" later, but this makes
sense either way, I am sure.
projects / thirdparty / systemd.git / log
