Yu Watanabe [Mon, 9 Mar 2026 06:18:24 +0000 (15:18 +0900)]
sd-dhcp-client: several fixlets for sending RELEASE or DECLINE
- Extract common logic to client_send_release_or_decline().
- Do not send DECLINE message on BOOTP protocol.
- Drop redundant assignment of chaddr, as it is already set by
client_message_init() -> dhcp_message_init().
- Do not assign acquired address in ciaddr field of DECLINE message,
but use Requested IP Address option.
- Broadcast DECLINE message, rather than unicast.
- Set server identifier in both cases.
Rodrigo Campos [Fri, 6 Mar 2026 15:54:02 +0000 (16:54 +0100)]
dissect: Don't bypass blkid *_lookup_value() to decide USAGE
After commit "core: reuse existing dm-verity device for single
filesystem images pinned by policy" (0bd766553cbf), when I attach a
portable image (erofs+verity) and try to start a service, it fails with:
Partition root discovered with policy 'unprotected' but 'verity+read-only-on+growfs-off+erofs' was required, refusing.
Failed to dissect image: Operation not possible due to RF-kill
The image does have verity, in fact the RootImagePolicy= field was added
automatically.
The inconsistency between what is found at attach vs when starting the
service comes from the fact that dissect_image() is called with a
different policy as parameter and the recent shortcut added.
At attach we do this:
dissect_image(policy="*")
partition_policy_determine_fstype(policy)
partition_policy_flags_to_string(...) // mask is 0, returns 0
-> returns NULL // root_fstype_string is not set
if (root_fstype_string) // false
sym_blkid_probe_lookup_value()...
At start, as we do have the policy set, we do:
dissect_image(policy="root=verity+...+erofs:root-verity=...")
partition_policy_determine_fstype(policy)
partition_policy_flags_to_string(...) // returns 1
-> sets root_fstype_string to "erofs"
if (root_fstype_string) // true
usage = "filesystem"
Then, the service is blocked to start with the aforementioned error.
It's correct for partition_policy_determine_fstype() to set erofs in
that case, and other callers seem to expect this behavior on similar
cases, but what is not correct is to assume that this means it's a
filesystem. Usage in this case should still be unset.
Let's just always do the lookup, as that gets us the correct answer reliably
and we already did the slow part that is the probe.
The call to `sym_blkid_do_safeprobe()` is a few lines above. The call to
the lookup function isn't very expensive. blkid_probe_lookup_value()[1]
calls __blkid_probe_lookup_value(), which searches on a list[2], IIUC in
memory and no IO is used. It's a linear search of the property.
Daan De Meyer [Tue, 10 Mar 2026 18:57:11 +0000 (19:57 +0100)]
ci: Don't make a single failed review comment fail the entire job
Let's handle failure to post individual review comments gracefully.
Reduces the impact of failures like in
https://github.com/systemd/systemd/actions/runs/22904601370/job/66461528144.
bus_cgroup_set_tasks_max_scale() used a hand-rolled percentage format
that produced values ~10x too small (e.g., "TasksMax=4.0%" instead of
"TasksMax=40.00%").
On daemon-reload, the incorrect value was re-read, silently reducing
the effective TasksMax by ~10x and causing fork rejections on systems
with high thread counts.
Fix by using the existing PERMYRIAD macros, consistent with memory
property handlers (MemoryMax, MemoryHigh, MemoryLow, etc.).
Luca Boccassi [Tue, 10 Mar 2026 17:55:43 +0000 (17:55 +0000)]
Translations update from Fedora Weblate (#41021)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
networkd: fix for networkd crash when client sends Option 82 via SendOption=
When a DHCP client uses SendOption=82:string:..., option_append() calls
the SD_DHCP_OPTION_RELAY_AGENT_INFORMATION case which was written for
the server relay path. It casts optval to sd_dhcp_server* and calls
strlen() on its members, but optval is actually raw binary data from
the client, causing SIGSEGV. The same is applicable when option 43 and
option 77 are passed to SendOption.
Fix by checking optlen > 0 and appending the option as a plain TLV,
skipping the server-specific relay agent logic.
Luca Boccassi [Mon, 9 Mar 2026 11:25:50 +0000 (11:25 +0000)]
nsresourced: downgrade benign log message to debug
This is very noisy as there's a dozen of these message every
time it gets called, and it's not really an error but an
expected situation, so downgrade from info to debug
* 56e0eed69a Update changelog for 260~rc2-1 release
* 36e6a6d247 Install new files
* 692d0ffde5 Install new files for upstream build
* 04e77a9300 Enable getty@ via packaging scriptlets, not static anymore
* 65e7898ab5 Remove build-depend on rsync, meson is new enough
* 1ab5e82a93 Update changelog for 260~rc1-2 release
* 17a8004c53 sd-boot-efi: do not pick up hwids, they are shipped by sd-ukify
* b620f379b3 Update changelog for 260~rc1-1 release
* 8eb95fc404 Drop unused Lintian overrides
* 82a111e7ef Update symbols file for v260~rc1
* 9cb8e0457b Disable remaining deprecated sysv interfaces
* 100d97ba82 Install new files for v260~rc1
* b8e9e50f4d initramfs-tools: copy udev link files from /usr/local/lib/systemd/network too
Yu Watanabe [Tue, 10 Mar 2026 00:18:48 +0000 (09:18 +0900)]
semaphore: use Ubuntu 24.04
Semaphore CI/CD now emits the following error.
```
OS image 'ubuntu2004' for machine type 'e1-standard-2' is currently in a brownout phase.
Please use another OS image.
```
Let's use newer image.
Yu Watanabe [Mon, 9 Mar 2026 04:24:03 +0000 (13:24 +0900)]
sd-device: refuse spurious properties
Properties are set through uevent, udev rules, or program output by IMPORT.
They may contain spurious characters and udev database parsers may be confused.
Let's refuse spurious properties.
When using systemd-mount to create a transient .mount/.automount file
for removable storage, the option to specify the idle timeout on the
commandline using **--timeout-idle-sec=SEC** is not reflected in the
generated .automount file. Instead, the idle timeout is always set to 1
second.
arg_timeout_idle_set was never set to true when passing the argument, so
arg_timeout_idle was always set to 1s.
Daan De Meyer [Mon, 9 Mar 2026 09:33:20 +0000 (10:33 +0100)]
ci: Don't cancel in progress jobs for claude-review workflow
This workflow runs on any comment to a github PR. 99% of the time the
workflow will be skipped yet it will still cancel any previous ongoing
workflows. Let's not cancel in progress workflow but instead queue the
workflow so we don't cancel in progress reviews any time a comment is
posted on a PR that is being reviewed.
Daan De Meyer [Fri, 6 Mar 2026 14:58:06 +0000 (15:58 +0100)]
ci: privilege-separate Claude review workflow
The workflow is split into two jobs for least-privilege:
1. 'review' job — runs Claude with read-only permissions (contents: read,
id-token: write for AWS OIDC, actions: read). Claude produces a structured
JSON review via --json-schema with a 'comments' array and a 'summary'
string. Its tools are restricted to read-only operations (Read, LS, Grep,
Glob, Task, and various Bash prefixes for common read-only commands).
Claude also has access to CI MCP tools to analyze failed workflow runs.
2. 'post' job — only has pull-requests: write. Reads the structured JSON
output from the review job and posts inline comments individually (so
re-runs only add new comments). Maintains a tracking comment with a
<!-- claude-pr-review --> marker that is created on first run and updated
in-place on subsequent runs, preserving existing item order, wording,
and checkbox state. Posts a notification comment when the tracking
comment is updated or left unchanged.
Comment deduplication is handled by Claude in the prompt rather than in
the posting script, allowing for better semantic understanding of whether
two comments address the same issue.
The PR number is resolved via github.event.pull_request.number with a
fallback to github.event.issue.number for issue_comment events where
github.event.pull_request is not populated. The concurrency group uses
the same fallback.
Yu Watanabe [Mon, 9 Mar 2026 02:46:01 +0000 (11:46 +0900)]
network: route bound to a link requires the link is up
We checked if the link is up only when configuring (explicit) nexthop,
but we did not checked that when configuring route which has (implicit)
nexthop.
Let's move the checks from nexthop_is_ready_to_configure() to
gateway_is_ready(), which is called for both implicit and explict
nexthops.
Yu Watanabe [Mon, 9 Mar 2026 02:30:54 +0000 (11:30 +0900)]
network: check if gateway is ready only when the nexthop is bound to link
Currently, we support three types of nexthop:
1. simple nexthop, which is bound to link, may have specific gateway
address,
2. blackhole nexthop, which is global configuration and is not bound to
any links,
3. group nexthop, which is also global configuration and is not bound to
any links.
Thus, gateway_is_ready() is only necessary to call for simple nexthop
case. Let's make the logic simpler.
Luca Boccassi [Sat, 7 Mar 2026 10:55:42 +0000 (10:55 +0000)]
Translations update from Fedora Weblate (#40984)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
A S Alam [Sat, 7 Mar 2026 01:58:35 +0000 (01:58 +0000)]
po: Translated using Weblate (Punjabi)
Currently translated at 34.5% (92 of 266 strings)
Co-authored-by: A S Alam <aalam@users.noreply.translate.fedoraproject.org>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/pa/
Translation: systemd/main
Add a simple fuzzer that verifies our machinery for parsing user records
from JSON works as intended.
The initial corpus was created with the help of Claude, so we have a
bunch of valid user records with as much fields as possible for the
initial corpus.
The fido2_hmac_salt/fido2_hmac_credential/recovery_key fields kept
leaking memory as the array itself wasn't deallocated after deallocating
each of its elements data:
Direct leak of 112 byte(s) in 1 object(s) allocated from:
#0 0x7f56f00e5e4b in realloc.part.0 (/lib64/libasan.so.8+0xe5e4b) (BuildId: 25975f766867e9e604dc5a71a8befeaed3301942)
#1 0x7f56ed869e42 in greedy_realloc ../src/basic/alloc-util.c:65
#2 0x7f56ed7ff5e9 in dispatch_fido2_hmac_salt ../src/shared/user-record.c:836
#3 0x7f56edd73cbc in sd_json_dispatch_full ../src/libsystemd/sd-json/sd-json.c:5204
#4 0x7f56edd745fc in sd_json_dispatch ../src/libsystemd/sd-json/sd-json.c:5276
#5 0x7f56ed80100b in dispatch_privileged ../src/shared/user-record.c:998
#6 0x7f56edd73cbc in sd_json_dispatch_full ../src/libsystemd/sd-json/sd-json.c:5204
#7 0x7f56edd745fc in sd_json_dispatch ../src/libsystemd/sd-json/sd-json.c:5276
#8 0x7f56ed80622c in user_record_load ../src/shared/user-record.c:1697
#9 0x000000408c15 in display_user ../src/userdb/userdbctl.c:447
#10 0x7f56ed83cc9a in dispatch_verb ../src/shared/verbs.c:137
#11 0x00000041df2b in run ../src/userdb/userdbctl.c:1908
#12 0x00000041dfbe in main ../src/userdb/userdbctl.c:1911
#13 0x7f56ec8105b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4) (BuildId: 2b5beec0fd24fe9c9f43eddfdd5facf0b8a1b805)
#14 0x7f56ec810667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667) (BuildId: 2b5beec0fd24fe9c9f43eddfdd5facf0b8a1b805)
#15 0x000000404a44 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/userdbctl+0x404a44) (BuildId: 19e8b7e7b7038d2cea20bc18a55bea2a9e4406d5)
Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7f56f00e5e4b in realloc.part.0 (/lib64/libasan.so.8+0xe5e4b) (BuildId: 25975f766867e9e604dc5a71a8befeaed3301942)
#1 0x7f56ed869e42 in greedy_realloc ../src/basic/alloc-util.c:65
#2 0x7f56ed7fe779 in dispatch_fido2_hmac_credential_array ../src/shared/user-record.c:775
#3 0x7f56edd73cbc in sd_json_dispatch_full ../src/libsystemd/sd-json/sd-json.c:5204
#4 0x7f56edd745fc in sd_json_dispatch ../src/libsystemd/sd-json/sd-json.c:5276
#5 0x7f56ed80622c in user_record_load ../src/shared/user-record.c:1697
#6 0x000000408c15 in display_user ../src/userdb/userdbctl.c:447
#7 0x7f56ed83cc9a in dispatch_verb ../src/shared/verbs.c:137
#8 0x00000041df2b in run ../src/userdb/userdbctl.c:1908
#9 0x00000041dfbe in main ../src/userdb/userdbctl.c:1911
#10 0x7f56ec8105b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4) (BuildId: 2b5beec0fd24fe9c9f43eddfdd5facf0b8a1b805)
#11 0x7f56ec810667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667) (BuildId: 2b5beec0fd24fe9c9f43eddfdd5facf0b8a1b805)
#12 0x000000404a44 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/userdbctl+0x404a44) (BuildId: 19e8b7e7b7038d2cea20bc18a55bea2a9e4406d5)
SUMMARY: AddressSanitizer: 176 byte(s) leaked in 2 allocation(s).
shared/format-table: fix potential memleaks of d->formatted
We don't always return d->formatted, even if it is available. And
depending on the cell type, we'd either overwrite it directly or free
first. Let's always free it upfront and then set unconditionally.
(In this case, we don't need to spend effort on preserving the
existing value. It's just a cache.) Setting the variable directly
allows many temporary variables to be eliminated.
Also use asprintf_safe() to simplify the allocation of the buffer.
This is probably a tiny bit slower than the direct allocation, but
table formatting shouldn't be a hot path.
asprintf is nice to use, but the _documented_ error return convention is
unclear:
> If memory allocation wasn't possible, or some other error occurs,
> these functions will return -1, and the contents of strp are undefined.
What exactly "undefined" means is up for debate: if it was really
undefined, the caller wouldn't be able to meaningfully clean up, because
they wouldn't know if strp is a valid pointer. So far we interpreted
"undefined" — in some parts of the code base — as "either NULL or a
valid pointer that needs to be freed", and — in other parts of the
codebase — as "always NULL". I checked glibc and musl, and they both
uncoditionally set the output pointer to NULL on failure.
There is also no information _why_ asprintf failed. It could be an
allocation error or format string error. But we just don't have this
information.
Let's add a wrapper that either returns a good string or a NULL pointer.
Since there's just one failure result, we don't need a separate return
value and an output argument and can simplify callers.
It's actually only used in one place in libsystemd and moving it even makes
libsystemd smaller (in a non-optimized build):
$ ls -l build/libsystemd.so.0.43.0*
-rwxr-xr-x 1 zbyszek zbyszek 5763336 Mar 3 09:54 build/libsystemd.so.0.43.0-old
-rwxr-xr-x 1 zbyszek zbyszek 5763216 Mar 3 09:54 build/libsystemd.so.0.43.0
Also, move the definitions in the .h file so that similar functions are
grouped together and then move the definitions around in the .c file so
that they are in the same order as in the header.
Daan De Meyer [Fri, 6 Mar 2026 14:06:36 +0000 (15:06 +0100)]
ci: Make claude action review PRs only and fix the instructions
Turns out the claude code action has issues reviewing PRs from forks
(https://github.com/anthropics/claude-code-action/issues/939). Let's
reuse the approach from https://github.com/pzmarzly/demo--claude-bot-reviews
instead (which I've explicitly asked permission for to reuse).
Unlike the linked demo, we still insist on a comment by a maintainer
before claude reviews the PR.
sd-varlink: pin error message while we invoke a reply callback
Let's make sure the parameters/error pointers into the message remain
valid as long as the reply callback is running, even if the reply
otherwise resets the pending message.
Daan De Meyer [Fri, 6 Mar 2026 09:17:01 +0000 (10:17 +0100)]
agent: Minimize the amount of instructions in AGENTS.md
Let's only keep instructions for stuff that we've seen the AI
mess up in practice rather than having a bunch of AI generated
text that it can figure out for itself these days (given it was
trained on systemd's source code in the first place).
Also add a rule to use git worktrees and check out PRs locally when
reviewing them, since I've seen it mess that up in practice.
This will allow maintainers to mention claude in comments on issues and
prs to do stuff like review something or try to reproduce a bug or other
stuff. Let's give it a try and see whether we like it or not.
Daan De Meyer [Fri, 6 Mar 2026 07:54:33 +0000 (08:54 +0100)]
Move AI instructions to AGENTS.md
This seems to be what all the tools are standardizing on, except
claude (https://github.com/anthropics/claude-code/issues/6235) so
add a symlink from CLAUDE.md to AGENTS.md for now until they support
it as well.
Luca Boccassi [Fri, 6 Mar 2026 00:29:03 +0000 (00:29 +0000)]
Translations update from Fedora Weblate (#40968)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
Ronan Pigott [Thu, 5 Mar 2026 22:42:30 +0000 (15:42 -0700)]
zsh: fixup some recent zsh completers
These two completers are written in a stacked _arguments style, and some
generic options are valid before or after the verb. If the toplevel
_arguments is permitted to match options after the verb, it will halt
completion prematurely, so stop toplevel matching after the verb.
This corrects the following error:
$ userdbctl --output=class user <TAB> # completes users
$ userdbctl user --output=class <TAB> # completes nothing
Daan De Meyer [Thu, 5 Mar 2026 20:39:14 +0000 (21:39 +0100)]
ci: Add claude code github action
This will allow maintainers to mention claude in comments on issues
and prs to do stuff like review something or try to reproduce a bug
or other stuff. Let's give it a try and see whether we like it or
not.
Suppress warnings like the following from clang tidy:
```
../src/boot/addon.c:11:19: error: function 'efi_main' can be made static to enforce internal linkage [misc-use-internal-linkage,-warnings-as-errors]
11 | EFIAPI EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *system_table);
| ^
```
Some warnings are suppressed simply by setting comments to ignore the warning,
some are by making global variables static, or include a suitable header.
projects / thirdparty / systemd.git / log
