test: re-enable journal checks for varlink-idl and so on
Previously, we have checked journal after TEST-XX-YYYYY.sh, but it was
forgotten when we switched to mkosi.
This re-enable the check but through ExecStartPost=, and drops unnecessary
workarounds for end.service. Then, this drops unnecessary end.service
and testsuite.target.
Fixes the following warning:
```
[ 130.968170] H systemd-networkd[4288]: Restart operation initiated.
[ 130.968265] H systemd-networkd[4288]: Serializing...
[ 130.968274] H systemd-networkd[4288]: There is nothing to serialize.
(snip)
[ 130.978756] H systemd[1]: Stopped systemd-networkd.service.
(snip)
[ 130.991407] H systemd[1]: Starting systemd-networkd.service...
(snip)
[ 131.077440] H systemd-networkd[4318]: Enumeration completed.
[ 131.077471] H systemd-networkd[4318]: Deserializing...
[ 131.077491] H systemd-networkd[4318]: Failed to parse json (line=0, column=0): No data available
[ 131.077524] H systemd-networkd[4318]: Failed to deserialize the previous invocation, ignoring: No data available
```
test: do not call GetUserRecord without "service" argument
Otherwise, following debugging log will be saved and the checker for
the varlink-idl log triggers failure:
```
systemd-userwork: processing[3110]: varlink-6-6: Parameters for method
io.systemd.UserDatabase.GetUserRecord() didn't pass validation on field 'service': No anode
```
core/varlink: do not call io.systemd.oom.ReportManagedOOMCGroups() with empty "cgroups" parameter
Fixes the following varlink IDL validation error:
```
systemd-oomd[1687]: varlink-11-11: Parameters for method io.systemd.oom.ReportManagedOOMCGroups()
didn't pass validation on field 'cgroups': No anode
```
Since the commit, the cgroup path is set only when it is realized.
Fixes the following varlink IDL validation failure:
```
systemd-oomd[1687]: Varlink-IDL: Mandatory field 'path' is null or missing on object, refusing.
```
install: Fall back to system presets if there are no initrd presets
We might be operating with a newer systemctl on an image with older
systemd and thus without an initrd-preset directory. Before 4a8c395167c1631224c02d990c847955a2bf23b0, we would use the system
presets, let's make sure we keep doing that if we're operating on an
image without initrd presets.
Fixes the following failure:
```
TEST-87-AUX-UTILS-VM.sh[1196]: + systemd-run --user --wait --pipe -M testuser@.host -- coredumpctl
TEST-87-AUX-UTILS-VM.sh[1840]: Running as unit: run-p1840-i1841.service; invocation ID: 325a026377aa4cffb046c5a63a8906ab
TEST-87-AUX-UTILS-VM.sh[1853]: Hint: You are currently not seeing messages from other users and the system.
TEST-87-AUX-UTILS-VM.sh[1853]: Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
TEST-87-AUX-UTILS-VM.sh[1853]: Pass -q to turn off this notice.
TEST-87-AUX-UTILS-VM.sh[1853]: Journal file /var/log/journal/6835d335b6684b6197bf071ad66f2678/user-4711.journal is truncated, ignoring file.
TEST-87-AUX-UTILS-VM.sh[1853]: No coredumps found.
TEST-87-AUX-UTILS-VM.sh[1840]: Finished with result: exit-code
TEST-87-AUX-UTILS-VM.sh[1840]: Main processes terminated with: code=exited, status=1/FAILURE
TEST-87-AUX-UTILS-VM.sh[1840]: Service runtime: 154ms
TEST-87-AUX-UTILS-VM.sh[1840]: CPU time consumed: 78ms
TEST-87-AUX-UTILS-VM.sh[1840]: Memory peak: 21.9M (swap: 0B)
```
This also add test cases for verifying loopy.service and friends,
which was added by e66047ff62c971eefa32b42373420d61e3f2a9c1 but never
used in integration tests.
core/unit: do not load drop-in configs for masked unit files
Otherwise, ExecXYZ= given by drop-ins may be added to a masked unit,
then commands may be unexpectedly executed. For example, if an ExecStop=
is set in a drop-in for a running unit, then 'systemctl mask --now' for
the unit try to invoke the command specified in ExecStop=.
Yu Watanabe [Sun, 31 Aug 2025 20:08:45 +0000 (05:08 +0900)]
core/transaction: first drop unmergable jobs for anchor jobs
As you can see, something spurious happens in the logs below.
```
initrd-switch-root.target: Trying to enqueue job initrd-switch-root.target/start/isolate
systemd-repart.service: Looking at job systemd-repart.service/stop conflicted_by=no
systemd-repart.service: Looking at job systemd-repart.service/start conflicted_by=no
systemd-repart.service: Fixing conflicting jobs systemd-repart.service/stop,systemd-repart.service/start by deleting job systemd-repart.service/stop
initrd-switch-root.target: Fixing conflicting jobs initrd-switch-root.target/stop,initrd-switch-root.target/start by deleting job initrd-switch-root.target/stop
systemd-repart.service: Deleting job systemd-repart.service/start as dependency of job initrd-switch-root.target/stop
```
The two conflicting jobs for systemd-repart.service are initially queued
as the following:
- initrd-switch-root.target has Wants=initrd-root-fs.target, and
initrd-root-fs.target has Wants=systemd-repart.service (through symlink),
hence starting initrd-switch-root.target tries to start
systemd-repart.service,
- systemd-repart.service has Conflicts=initrd-switch-root.target, hence
starting initrd-switch-root.target tries to stop
systemd-repart.service.
As similar, interestingly(?) starting initrd-switch-root.target tries to
stop initrd-switch-root.target.
So, now there are at least two pairs of conflicting jobs:
- systemd-repart.service: start vs stop,
- initrd-switch-root.target: start vs stop.
As these jobs are induced by starting initrd-switch-root.target, of course
the most important one is the start job for initrd-switch-root.target.
Previously, as you can see in the logs at the beginning, even if
the start job for initrd-switch-root.target is important, we may first
try to resolve the conflict in systemd-repart.service, and may drop the
stop job for systemd-repart.service even if it is relevant to the start
job of initrd-switch-root.target.
This makes first we solve the pair of conflicting jobs for anchor task.
So the stop job for initrd-switch-root.target is dropped first, and the
induced start job for systemd-repart.service is automatically removed,
thus it is not necessary to solve the conflict in systemd-repart.service
anymore.
This is especially important for services that are enabled both in initrd
and after switching root. If a stop job for one of the service is
unexpectedly dropped during switching root, then the service is not stopped
before switching root, and will never start after that.
* 786b8fe1c8 Return false from want_efi() for UKI outputs
* fac86dbc93 mkosi-tools: add qemu/pipewire packages for gui profile for debian
* 3bb98f0e6e Add ncdu to tools tree packages
* 1332b32cb4 config: Fix type for devicetree setting
* eff03569ee initrd: Add intel_pmc_ssram_telemetry module by default
* e04305b030 Make Bootable= determine whether we build a UKI for esp images
* 7252146429 mkosi-obs: use --force also for unzstd
* f58e31e228 mkosi-obs: do not fail if there are no bootloaders in the ESP
* fac3bd4bf1 rhel: Look up entitlement keys and certificates in sandbox
* da814d9634 opensuse: Add support for RISC-V for Tumbleweed
* b1d66c88d0 fedora: Rework rawhide GPG key logic
* b9360f25df Include {sys,conf}ext info in metadata file
* 94c6db6148 Set MakeInitrd=yes in documentation for building custom initrd
* d134013ca8 mkosi-tools: add grub2-common to openSUSE tools tree
* c97d345395 mkosi-tools: virtiofsd is only available on a subset of architectures on debian/ubuntu
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
There's no guarantee that $GIT_BRANCH is always the same across
stable release branches and main. But we still need to make sure
we switch commits if we're switching between main and release branches.
To make this work, let's not check if the current HEAD commit is an
ancestor of the currently configured origin branch. Instead, let's
check if any of the origin branches contains the current HEAD commit.
This still makes sure that we won't switch commits if we're working
on a local branch while making sure that we do switch commits if we're
switching between main and stable release branches with different
git branches configured for the packaging repo checkout.
These options were added in v255 with commit cb341090d061084accc9a45ec4b1d258954adba2, but were not documented as
standalone options in loader.conf. See #29440 for more information.
homed: AddSigningKey: only feed data to OpenSSL _after_ Polkit auth
As a hardening measure it makes sense not to process potentially crafted
data in `openssl_pubkey_to_pem()` before we know that the caller is
authorized to perform the action.
Nick Rosbrook [Fri, 22 Aug 2025 19:00:38 +0000 (15:00 -0400)]
test: use numeric prefixes in resolved.conf.d overrides
There are a lot of resolved.conf.d drop-ins used in these tests. Use
proper numeric prefixes, especially to avoid confusion with sorting
relative to test.conf.
Make the test base config 10-test.conf, and use 90-*.conf elsewhere.
Nick Rosbrook [Fri, 22 Aug 2025 14:46:50 +0000 (10:46 -0400)]
resolve: re-create link unicast scopes on reload
On reload, resolved does not apply new DNSSEC= (or DNSOverTLS=) settings
on links, because the link unicast scopes are not re-created. However,
the servers and link states are updated correctly, so resolvectl and link
state files do show the new setting, leading users to believe the change
took effect immediately, the same way `resolvectl dnssec` does.
Fix this by freeing all of the link unicast scopes during reload, so
that they are re-created with the new settings in link_allocate_scopes().
Yu Watanabe [Mon, 25 Aug 2025 16:43:10 +0000 (01:43 +0900)]
bootctl: do not fail on removing unfied kernel image
A boot loader entry for a unified kernel image has
BootEntry.kernel : path to the image relative to ESP or XBOOTLDR,
BootEntry.path : path to the image.
Hence, these two effectively point to the same file.
Hence, by unlink command, the image is removed by
```
deref_unlink_file(&known_files, e->kernel, e->root);
```
then later tried again by
```
r = chase_and_unlink(e->path, root, ...);
```
and of course it fails with -ENOENT.
Let's ignore the failure there. We already ignore ENOENT on removal
at various places, especially in deref_unlink_file().
nsresourced: use a hashed rather than a mangled name as fallback
If we are asked to come up with our own name for the namespace to
allocate (because client enabled "mangle"), then we so far created a
randomized name if shortening what was proposed didn't work. This broke
polkit authorization however, because when polkit is in the mix, we
process method calls twice, submitting the polkit request on the first
and then assuming a response is known on the second invocation. But if
we generate a randomized name for the two checks we'll not be ablet to
match up the requests because it's going to be different. Let's fix that
by not using a randomized name, but one hashed from the socket
connection we are processing mixed with the client provided name. This
will ensure that for the same method call we'll generate the same name,
but different calls (i.e. calls with different names on the same socket,
or with any name on any socket) we'll end up with different names,
minimizing chance of collision.
This ensures PK starts to work with nsresourced userns registration when
a bad or no name is specified, which previously would end up in a PK
query loop.
Kamil Páral [Mon, 25 Aug 2025 20:00:47 +0000 (22:00 +0200)]
70-mouse.hwdb: Add Razer Basilisk V3, Asus Cerberus, +2 more
All mice were measured using mouse-dpi-tool, and the measurements match vendors
specs, with the exception of Asus Cerberus (it officially has
500/*1000/1500/2500 DPI, but my measurements were quite different, so I opted
to include the real values).
Jan Fooken [Fri, 22 Aug 2025 09:26:25 +0000 (11:26 +0200)]
tmpfiles: don't relabel files in dry run mode
tmpfiles attempts to correct the label of a file during various actions
via the function fd_set_perms(). Currently, said function generally
respects the dry-run mode. However, it attempts to fix the label of a
given file regardless of the state of said dry-run mode.
This causes problems, because a user could attempt to run tmpfiles with
elevated permissions and dry run enabled, expecting the tool to not
modify their system. Instead, tmpfiles would falsely relabel a file,
modifying their system.
This commit explicitly checks for when dry-run is enabled and skips the
file relabelling process. Furthermore, I added logging for both cases.
I found helpful during debugging. That said, I don't think it's
necessary to use the level LOG_INFO on the dry-run path, as it would
always produce an info log.
Yu Watanabe [Thu, 21 Aug 2025 17:06:43 +0000 (02:06 +0900)]
core/unit: use UNIT_FOREACH_DEPENDENCY_SAFE() at several more places
manager_add_job() -> transaction_add_job_and_dependencies() may update
dependencies when a unit is not loaded yet. Hence, we need to restart
dependency loop in that case.
Felix Pehla [Thu, 21 Aug 2025 17:06:07 +0000 (19:06 +0200)]
systemd-boot: don't always log NX_COMPAT info
Commit 70b7e03 introduced 3 calls to log_debug() about the presence or
absence of NX_COMPAT support. Since sd-boot does not yet have the
ability to only print messages above a certain loglevel, these will
always be printed, even on top of the configured splash screen. This
commit removes the log_debug() call after a success and only prints
those for missing firmware support if the UEFI should support them in
the first place (i.e. starting with version 2.10).
Jörg Behrmann [Wed, 20 Aug 2025 13:47:28 +0000 (15:47 +0200)]
tools: ignore root element explicitly in check-version-history
Currently these messages (broken for length)
2025-08-20T12:04:15.9609277Z
/home/runner/work/systemd/systemd/tools/check-version-history.py:26:
FutureWarning: This search incorrectly ignores the root element, and will be fixed in a future version.
If you rely on the current behaviour, change it to './/funcprototype/funcdef/function'
can be seen in CI output. So let's apply the suggestion.
Yu Watanabe [Wed, 20 Aug 2025 18:07:26 +0000 (03:07 +0900)]
TEST-46-HOMED: homectl unregister and friends needs the target is inactive or absent
Hence, we need to wait for the previous operation finished.
Fixes the following failure:
```
TEST-46-HOMED.sh[107]: + homectl unregister signtest
TEST-46-HOMED.sh[1449]: Failed to unregister home: Home signtest is currently being used, or an operation on home signtest is currently being executed.
```
Christopher Head [Thu, 21 Aug 2025 06:52:38 +0000 (23:52 -0700)]
Add Razer Cobra mouse to hwdb
The DPI values are based on the product’s printed documentation. The
frequency values are based on the endpoint descriptor reported by lsusb
(the mouse is a full-speed USB device and bInterval is 1 at all DPI
settings). Both sets of values are for a mouse that has *not* been
touched by the vendor’s configuration tool.
Luca Boccassi [Mon, 18 Aug 2025 12:38:32 +0000 (13:38 +0100)]
Revert "resolved: don't wait for TLS close_notify replies unnecessarily"
This change introduced a regression that stops DNSOverTLS from working
after some time. Revert it for now, as there's no fixup available at
the moment.
Michal Sekletar [Wed, 20 Aug 2025 10:42:30 +0000 (12:42 +0200)]
coredump: drop RestrictSUIDSGID= option (#38640)
systemd-coredump sandbox already has ProtectSystem=strict hence all non
API filesystems are made read-only, thus RestrictSUIDSGID= doesn't buy
us much.
On top of that systemd-coredump's EnterNamespace= feature requires
openat2() to work correctly and that is implicitly blocked by
RestrictSUIDSGID=.
But, this is not necessary in most cases, e.g. when chasing
syspath in sd-device (actually this causes regression in umockdev,
see https://github.com/martinpitt/umockdev/issues/271).
Another example is reading unit files, especially .network files,
as automount may trigger mounting network filesystems...
Also, when this is used in NSS plugins, programs that load the
plugins may fail because of spuriously configured seccomp. See #38565.
Let's not trigger automount by default, and do only when explicitly
requested.
This introduces CHASE_TRIGGER_AUTOFS, and use it in
- service manager,
- bootctl and finding ESP/xbootldr,
- sysupdate,
- mountfsd,
- systemd-mount.
There may be several more places we should trigger automount, but let's
do that later.
As commented https://github.com/systemd/systemd/pull/38569#discussion_r2284978273,
the commit makes autofs check bypassed. Before the commit, when
CHASE_NO_AUTOFS is set, we did not shortcut chasing paths, and refused
any autofs mount points in the path. However, with the commit, the flag
was swapped but even when CHASE_AUTOFS is unset, the autofs check may be
skipped.
To fix the issue, rather than swapping the flag, we should introduce
another flag, say CHASE_TRIGGER_AUTOFS. This revert the commit, and in a
later commit, the new flag will be introduced.
Luca Boccassi [Mon, 11 Aug 2025 14:33:35 +0000 (15:33 +0100)]
sd-stub: use memory proto if available and set kernel memory to RX with NX_COMPAT
When NX_COMPAT gets enabled, firmwares will enforce that executable
memory is either writable or executable.
This needs kernel compatibility, when it will happen the kernel will
have the NX_COMPAT bit set. If it is, set the memory buffer to RO.
Note that this must be undone on failure, as EDK2 in some configurations
overwrites memory ranges that are returned with FreePages() with a
fixed pattern, so if the pages are RO it will crash.
This is only an issue with the new custom PE loader, as LoadImage()
and StartImage() will always do the right thing automatically.
Luca Boccassi [Thu, 14 Aug 2025 16:22:30 +0000 (17:22 +0100)]
chase: invert CHASE_NO_AUTOFS and only set it where needed
Since https://github.com/systemd/systemd/commit/c5de7b14ae2e08d267d8d75bc88934ac6aa7dcd6
file searching implies a new mount api syscall by default,
to trigger automounts.
This is problematic in NSS plugins, as they are dlopen'ed inside
processes by glibc, for two reasons.
First of all, potentially searching on a networked filesystem
automount could lead to nasty surprises, such as the process
responsible for setting up the network filesystem trying to
search on that same filesystem.
More importantly, the new mount api syscall was never part of
the filesystem seccomp filter that we provide by default, and
given mounting/remounting/bind mounting is one of the possible
ways to bypass sandboxing it is very likely not allowed when
custom filters are used in sandboxed processes, if they don't
need to do these operations otherwise.
The filesystem seccomp mask we provide has been updated, however
this only takes effect on the next restart of a service. When
systemd is upgraded via a package upgrade, the new nss plugin is
installed and will be immediately dlopen'ed by glibc when needed,
without waiting for the process to restart, which means the existing
seccomp filter applies, causing the filter to trigger.
Given it's not really possible for any arbitrary program to
predict which NSS modules glibc will load, given programs do not
configure that and instead nsswitch is set up by the sysadmin,
it's impossible to handle at each process level. It's also not
possible to know when it will be triggered, given the plugin
is not linked in each binary tools like need-restart cannot
even pre-emptively restart services that may be affected.
This means in practice, upgrading from systemd << v258 to >= v258
requires a reboot to avoid either subtle or catastrophic system
failures.
By avoiding to trigger automounts in nss-systemd we can avoid
both issues.
Note that this happens only when the userdbd service is not running,
as otherwise nss-systemd will go through the varlink IPC, rather than
doing the searches in-process.
So invert CHASE_NO_AUTOFS to CHASE_AUTOFS and set it in the places where
we do want to trigger automounts, like looking for the ESP.
Luca Boccassi [Tue, 19 Aug 2025 11:32:00 +0000 (12:32 +0100)]
test: also edit /etc/os-release if it's not a symlink when patching /usr/lib/os-release (#38628)
mkosi patches up /etc/os-release to add local IDs and fixup certain
issues, so when tests patch /usr/lib/ on the fly, copy to the version in
/etc/ too to avoid test failures when querying
6370s 10/98 systemd:integration-tests / TEST-07-PID1 FAIL 31.03s exit
status 1
6370s 25/98 systemd:integration-tests / TEST-29-PORTABLE FAIL 12.76s
exit status 1
6370s 33/98 systemd:integration-tests / TEST-43-PRIVATEUSER-UNPRIV FAIL
6.57s exit status 1
6370s 37/98 systemd:integration-tests / TEST-50-DISSECT FAIL 16.97s exit
status 1
This is particularly an issue when running these tests on debian unstable,
where mkosi has to fixup os-release to make it valid and avoid further
breakages:
projects / thirdparty / systemd.git / log
