bootctl: accept makeEntryDirectory in Install Varlink method
The CLI defaults --make-entry-directory to off and lets callers opt in
or request auto mode. The Varlink Install method always ran in auto
mode with no way to override it. Expose the tri-state so IPC callers
can match the CLI behaviour.
bootctl: accept espPath/xbootldrPath in Varlink methods
The CLI verbs have --esp-path/--boot-path but the Varlink methods
always auto-discover the partitions, so callers that mount the ESP
or XBOOTLDR at a non-standard location have to fall back to the
SYSTEMD_ESP_PATH/SYSTEMD_XBOOTLDR_PATH environment variables.
Allow specifying the paths when calling Install/Unlink/Link/LinkAuto
so the Varlink API is on par with the CLI.
Nick Rosbrook [Fri, 26 Jun 2026 14:00:21 +0000 (10:00 -0400)]
test: reduce number of disks in TEST-64-UDEV-STORAGE-simultaneous_events on Debian/Ubuntu
This test never finishes in Ubuntu autopkgtest with the current values,
and is currently skipped altogether on Debian. When running on either,
reduce the number of disks to make the test more reliable.
dongshengyuan [Wed, 24 Jun 2026 05:01:32 +0000 (13:01 +0800)]
sd-journal: rate-limit tail timestamp refresh during iteration
journal_file_read_tail_timestamp() is called unconditionally in
next_beyond_location() for every file on every iteration step,
resulting in O(N x files) volatile mmap reads. For large queries
like 'journalctl -n 1000000' this makes the command unusably slow
(~5 minutes on systems with many journal files).
Rather than suppressing the call entirely (which would make the
inotify path fully load-bearing for cross-boot ordering), rate-limit
it to at most once per second per file. This reduces the overhead
from O(N x files) to O(T x files) where T is the iteration time in
seconds, while still providing periodic refresh as a fallback for
any missed inotify events and keeping cross-boot ordering
reasonably fresh.
Embed a RateLimit struct in JournalFile for this purpose.
Measured improvement on a real system: 5:24 -> 2:39 (-51%) for
'journalctl -n 1000000'.
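The once-per-second-per-file refresh this commit describes, as an added example that is not systemd's code: a hypothetical minimal RateLimit (interval plus burst, in the spirit of the struct the commit embeds in JournalFile, but written from scratch here) with the clock passed in explicitly, and a simulation that counts how many expensive tail reads survive over many iteration steps across several files. The names ratelimit_below, JournalFileSim and simulate_iteration are assumptions for this demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define USEC_PER_SEC 1000000ULL

/* Hypothetical limiter: at most 'burst' passes per 'interval_usec' window.
 * Time is an argument, not read from the system clock, so the behaviour is
 * deterministic and testable. */
typedef struct RateLimit {
        uint64_t interval_usec;
        unsigned burst;
        bool started;        /* has a window been opened yet? */
        uint64_t begin_usec; /* start of the current window */
        unsigned num;        /* passes consumed in the current window */
} RateLimit;

/* Returns true if the caller may proceed now, false if it must skip. */
bool ratelimit_below(RateLimit *r, uint64_t now_usec) {
        if (r->interval_usec == 0 || r->burst == 0)
                return true; /* limiter disabled */
        if (!r->started || now_usec >= r->begin_usec + r->interval_usec) {
                r->started = true;
                r->begin_usec = now_usec; /* open a fresh window */
                r->num = 0;
        }
        if (r->num >= r->burst)
                return false;
        r->num++;
        return true;
}

/* Stand-in for one journal file with the limiter embedded in it. */
typedef struct JournalFileSim {
        RateLimit tail_refresh_limit;
        unsigned tail_reads; /* how often the expensive refresh actually ran */
} JournalFileSim;

/* Stand-in for journal_file_read_tail_timestamp(): only runs when allowed. */
void journal_file_refresh_tail(JournalFileSim *f, uint64_t now_usec) {
        if (!ratelimit_below(&f->tail_refresh_limit, now_usec))
                return;
        f->tail_reads++;
}

/* Spread 'steps' iteration steps evenly over 'duration_usec' across 'nfiles'
 * files (max 8) and return the total number of tail reads performed. Without
 * the limiter this would be steps * nfiles. */
unsigned simulate_iteration(unsigned nfiles, unsigned steps, uint64_t duration_usec) {
        JournalFileSim files[8] = {0};
        unsigned total = 0;
        if (nfiles > 8)
                nfiles = 8;
        for (unsigned i = 0; i < nfiles; i++)
                files[i].tail_refresh_limit = (RateLimit) { .interval_usec = USEC_PER_SEC, .burst = 1 };
        for (unsigned step = 0; step < steps; step++) {
                uint64_t now = steps ? duration_usec / steps * step : 0;
                for (unsigned i = 0; i < nfiles; i++)
                        journal_file_refresh_tail(&files[i], now);
        }
        for (unsigned i = 0; i < nfiles; i++)
                total += files[i].tail_reads;
        return total;
}

int main(void) {
        /* 4 files, 1000 steps over 10 s: 4000 reads unlimited, 40 with the limiter. */
        printf("tail reads: %u\n", simulate_iteration(4, 1000, 10 * USEC_PER_SEC));
        return 0;
}
```

The simulation makes the commit's complexity claim concrete: the read count depends on elapsed seconds times files, not on iteration steps times files.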
Shihao Ren [Tue, 30 Jun 2026 06:18:14 +0000 (14:18 +0800)]
man: fix wrong KillUserProcesses= default in systemd-run(1)
systemd-run(1) hard-coded "the default" wording for KillUserProcesses=, but the
actual compile-time default is determined by the -Ddefault-kill-user-processes=
meson build option, which distributions set differently at packaging time.
Luca Boccassi [Mon, 29 Jun 2026 17:07:01 +0000 (18:07 +0100)]
ptyfwd: avoid touching forwarder after exit drain
on_exit_event() can synchronously drain buffered data through
shovel_force(). If that completes the drain, pty_forward_done() runs
the hangup handler and may free the forwarder, so do not call
pty_forward_done() again afterwards.
[ 25.052879] TEST-74-AUX-UTILS.sh[909]: ==909==ERROR: AddressSanitizer: heap-use-after-free on address 0x7ccc8a5e0b41 at pc 0x7efc8cde106e bp 0x7ffd668629b0 sp 0x7ffd668629a8
[ 25.053136] TEST-74-AUX-UTILS.sh[909]: READ of size 1 at 0x7ccc8a5e0b41 thread T0
[ 25.092784] TEST-74-AUX-UTILS.sh[909]: #0 0x7efc8cde106d in pty_forward_done ../src/src/shared/ptyfwd.c:187
[ 25.093920] TEST-74-AUX-UTILS.sh[909]: #1 0x7efc8cdedba1 in on_exit_event ../src/src/shared/ptyfwd.c:904
[ 25.094148] TEST-74-AUX-UTILS.sh[909]: #2 0x7efc8d375eff in source_dispatch ../src/src/libsystemd/sd-event/sd-event.c:4301
[ 25.095074] TEST-74-AUX-UTILS.sh[909]: #3 0x7efc8d378032 in dispatch_exit ../src/src/libsystemd/sd-event/sd-event.c:4431
[ 25.095295] TEST-74-AUX-UTILS.sh[909]: #4 0x7efc8d37e932 in sd_event_dispatch ../src/src/libsystemd/sd-event/sd-event.c:4896
[ 25.095467] TEST-74-AUX-UTILS.sh[909]: #5 0x7efc8d37fc8c in sd_event_run ../src/src/libsystemd/sd-event/sd-event.c:4971
[ 25.095647] TEST-74-AUX-UTILS.sh[909]: #6 0x7efc8d3800ad in sd_event_loop ../src/src/libsystemd/sd-event/sd-event.c:4992
[ 25.097174] TEST-74-AUX-UTILS.sh[909]: #7 0x56049b541aba in start_transient_service ../src/src/run/run.c:2479
[ 25.097403] TEST-74-AUX-UTILS.sh[909]: #8 0x56049b552a65 in run ../src/src/run/run.c:3288
[ 25.097569] TEST-74-AUX-UTILS.sh[909]: #9 0x56049b552cb0 in main ../src/src/run/run.c:3291
[ 25.097780] TEST-74-AUX-UTILS.sh[909]: #10 0x7efc8b882300 in __libc_start_call_main (/lib64/libc.so.6+0x7d300) (BuildId: 830c94f480c13d9b01dc65a1035310882136094a)
[ 25.097952] TEST-74-AUX-UTILS.sh[909]: #11 0x7efc8b882417 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x7d417) (BuildId: 830c94f480c13d9b01dc65a1035310882136094a)
[ 25.098139] TEST-74-AUX-UTILS.sh[909]: #12 0x56049b51cf54 in _start (/usr/bin/systemd-run+0x19f54) (BuildId: 0daacdb9f20151f3517312ee99e489a9b8f4989c)
[ 25.098316] TEST-74-AUX-UTILS.sh[909]: 0x7ccc8a5e0b41 is located 193 bytes inside of 2384-byte region [0x7ccc8a5e0a80,0x7ccc8a5e13d0)
[ 25.099202] TEST-74-AUX-UTILS.sh[909]: freed by thread T0 here:
[ 25.099410] TEST-74-AUX-UTILS.sh[909]: #0 0x7efc8e76420f in free.part.0 (/lib64/libasan.so.8+0x16420f) (BuildId: 173395e60f171589489dde2b7a156d0ae380734b)
[ 25.099557] TEST-74-AUX-UTILS.sh[909]: #1 0x7efc8cdf14d1 in pty_forward_free ../src/src/shared/ptyfwd.c:1122
[ 25.099691] TEST-74-AUX-UTILS.sh[909]: #2 0x56049b535328 in pty_forward_handler ../src/src/run/run.c:1952
[ 25.100063] TEST-74-AUX-UTILS.sh[909]: #3 0x7efc8cde138c in pty_forward_done ../src/src/shared/ptyfwd.c:196
[ 25.100197] TEST-74-AUX-UTILS.sh[909]: #4 0x7efc8cdec757 in shovel ../src/src/shared/ptyfwd.c:813
[ 25.101144] TEST-74-AUX-UTILS.sh[909]: #5 0x7efc8cdecc1f in shovel_force ../src/src/shared/ptyfwd.c:828
[ 25.102273] TEST-74-AUX-UTILS.sh[909]: #6 0x7efc8cdedb82 in on_exit_event ../src/src/shared/ptyfwd.c:899
[ 25.103564] TEST-74-AUX-UTILS.sh[909]: #7 0x7efc8d375eff in source_dispatch ../src/src/libsystemd/sd-event/sd-event.c:4301
[ 25.103712] TEST-74-AUX-UTILS.sh[909]: #8 0x7efc8d378032 in dispatch_exit ../src/src/libsystemd/sd-event/sd-event.c:4431
[ 25.104081] TEST-74-AUX-UTILS.sh[909]: #9 0x7efc8d37e932 in sd_event_dispatch ../src/src/libsystemd/sd-event/sd-event.c:4896
[ 25.104954] TEST-74-AUX-UTILS.sh[909]: #10 0x7efc8d37fc8c in sd_event_run ../src/src/libsystemd/sd-event/sd-event.c:4971
[ 25.105160] TEST-74-AUX-UTILS.sh[909]: #11 0x7efc8d3800ad in sd_event_loop ../src/src/libsystemd/sd-event/sd-event.c:4992
[ 25.105310] TEST-74-AUX-UTILS.sh[909]: #12 0x56049b541aba in start_transient_service ../src/src/run/run.c:2479
[ 25.105454] TEST-74-AUX-UTILS.sh[909]: #13 0x56049b552a65 in run ../src/src/run/run.c:3288
[ 25.105572] TEST-74-AUX-UTILS.sh[909]: #14 0x56049b552cb0 in main ../src/src/run/run.c:3291
[ 25.106136] TEST-74-AUX-UTILS.sh[909]: #15 0x7efc8b882300 in __libc_start_call_main (/lib64/libc.so.6+0x7d300) (BuildId: 830c94f480c13d9b01dc65a1035310882136094a)
[ 25.106263] TEST-74-AUX-UTILS.sh[909]: #16 0x7efc8b882417 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x7d417) (BuildId: 830c94f480c13d9b01dc65a1035310882136094a)
[ 25.106385] TEST-74-AUX-UTILS.sh[909]: #17 0x56049b51cf54 in _start (/usr/bin/systemd-run+0x19f54) (BuildId: 0daacdb9f20151f3517312ee99e489a9b8f4989c)
[ 25.106792] TEST-74-AUX-UTILS.sh[909]: previously allocated by thread T0 here:
[ 25.106957] TEST-74-AUX-UTILS.sh[909]: #0 0x7efc8e76515f in malloc (/lib64/libasan.so.8+0x16515f) (BuildId: 173395e60f171589489dde2b7a156d0ae380734b)
[ 25.108013] TEST-74-AUX-UTILS.sh[909]: #1 0x7efc8cddebed in malloc_multiply ../src/src/basic/alloc-util.h:92
[ 25.108188] TEST-74-AUX-UTILS.sh[909]: #2 0x7efc8cdee47b in pty_forward_new ../src/src/shared/ptyfwd.c:955
[ 25.108324] TEST-74-AUX-UTILS.sh[909]: #3 0x56049b538700 in run_context_setup_ptyfwd ../src/src/run/run.c:2130
[ 25.108472] TEST-74-AUX-UTILS.sh[909]: #4 0x56049b5419f9 in start_transient_service ../src/src/run/run.c:2465
[ 25.109152] TEST-74-AUX-UTILS.sh[909]: #5 0x56049b552a65 in run ../src/src/run/run.c:3288
[ 25.109311] TEST-74-AUX-UTILS.sh[909]: #6 0x56049b552cb0 in main ../src/src/run/run.c:3291
[ 25.109450] TEST-74-AUX-UTILS.sh[909]: #7 0x7efc8b882300 in __libc_start_call_main (/lib64/libc.so.6+0x7d300) (BuildId: 830c94f480c13d9b01dc65a1035310882136094a)
[ 25.109847] TEST-74-AUX-UTILS.sh[909]: #8 0x7efc8b882417 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x7d417) (BuildId: 830c94f480c13d9b01dc65a1035310882136094a)
[ 25.110760] TEST-74-AUX-UTILS.sh[909]: #9 0x56049b51cf54 in _start (/usr/bin/systemd-run+0x19f54) (BuildId: 0daacdb9f20151f3517312ee99e489a9b8f4989c)
[ 25.110911] TEST-74-AUX-UTILS.sh[909]: SUMMARY: AddressSanitizer: heap-use-after-free ../src/src/shared/ptyfwd.c:187 in pty_forward_done
[ 25.111054] TEST-74-AUX-UTILS.sh[909]: Shadow bytes around the buggy address:
[ 25.111213] TEST-74-AUX-UTILS.sh[909]: 0x7ccc8a5e0880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[ 25.111378] TEST-74-AUX-UTILS.sh[909]: 0x7ccc8a5e0900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[ 25.111520] TEST-74-AUX-UTILS.sh[909]: 0x7ccc8a5e0980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[ 25.112210] TEST-74-AUX-UTILS.sh[909]: 0x7ccc8a5e0a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[ 25.112399] TEST-74-AUX-UTILS.sh[909]: 0x7ccc8a5e0a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[ 25.112767] TEST-74-AUX-UTILS.sh[909]: =>0x7ccc8a5e0b00: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
[ 25.112901] TEST-74-AUX-UTILS.sh[909]: 0x7ccc8a5e0b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[ 25.113789] TEST-74-AUX-UTILS.sh[909]: 0x7ccc8a5e0c00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[ 25.113906] TEST-74-AUX-UTILS.sh[909]: 0x7ccc8a5e0c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[ 25.114046] TEST-74-AUX-UTILS.sh[909]: 0x7ccc8a5e0d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[ 25.114159] TEST-74-AUX-UTILS.sh[909]: 0x7ccc8a5e0d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[ 25.114278] TEST-74-AUX-UTILS.sh[909]: Shadow byte legend (one shadow byte represents 8 application bytes):
[ 25.114400] TEST-74-AUX-UTILS.sh[909]: Addressable: 00
[ 25.115099] TEST-74-AUX-UTILS.sh[909]: Partially addressable: 01 02 03 04 05 06 07
[ 25.115246] TEST-74-AUX-UTILS.sh[909]: Heap left redzone: fa
[ 25.115365] TEST-74-AUX-UTILS.sh[909]: Freed heap region: fd
[ 25.115483] TEST-74-AUX-UTILS.sh[909]: Stack left redzone: f1
[ 25.115618] TEST-74-AUX-UTILS.sh[909]: Stack mid redzone: f2
[ 25.115882] TEST-74-AUX-UTILS.sh[909]: Stack right redzone: f3
[ 25.116735] TEST-74-AUX-UTILS.sh[909]: Stack after return: f5
[ 25.116857] TEST-74-AUX-UTILS.sh[909]: Stack use after scope: f8
[ 25.116974] TEST-74-AUX-UTILS.sh[909]: Global redzone: f9
[ 25.117108] TEST-74-AUX-UTILS.sh[909]: Global init order: f6
[ 25.117257] TEST-74-AUX-UTILS.sh[909]: Poisoned by user: f7
[ 25.118128] TEST-74-AUX-UTILS.sh[909]: Container overflow: fc
[ 25.118288] TEST-74-AUX-UTILS.sh[909]: Array cookie: ac
[ 25.118433] TEST-74-AUX-UTILS.sh[909]: Intra object redzone: bb
[ 25.118546] TEST-74-AUX-UTILS.sh[909]: ASan internal: fe
[ 25.118684] TEST-74-AUX-UTILS.sh[909]: Left alloca redzone: ca
[ 25.118792] TEST-74-AUX-UTILS.sh[909]: Right alloca redzone: cb
[ 25.119282] TEST-74-AUX-UTILS.sh[909]: Command: systemd-run --quiet --pty -- bash -c echo PTY_FORWARD_READY; exec sleep 60
[ 25.119395] TEST-74-AUX-UTILS.sh[909]: ==909==ABORTING
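The ownership rule behind this fix, as an added example that is not systemd's code: a hypothetical forwarder whose hangup handler frees it, a drain routine that reports whether it already ran the done path, and an exit handler that returns immediately in that case instead of touching the object again. The names Forwarder, shovel_force, forwarder_done, on_exit_event and run_scenario are assumptions for this demo; the free counter exists only so the lifetime can be checked.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

typedef struct Forwarder Forwarder;
typedef void (*hangup_handler_t)(Forwarder *f, void *userdata);

struct Forwarder {
        char pending[64];
        size_t pending_len;
        bool done;
        hangup_handler_t on_hangup;
        void *userdata;
};

static int frees; /* counts forwarder_free() calls so a caller can verify exactly-once */

void forwarder_free(Forwarder *f) {
        frees++;
        free(f);
}

/* Run the hangup handler once. Returns true if it ran; after that the caller
 * must treat 'f' as possibly freed and never dereference it again. */
bool forwarder_done(Forwarder *f) {
        if (f->done)
                return false;
        f->done = true;
        if (f->on_hangup)
                f->on_hangup(f, f->userdata); /* may free 'f' */
        return true;
}

/* Drain buffered bytes into 'sink'. Returns true when the drain completed and
 * the done path ran, i.e. 'f' must not be touched afterwards. */
bool shovel_force(Forwarder *f, char *sink, size_t sink_len) {
        size_t n = f->pending_len < sink_len ? f->pending_len : sink_len;
        memcpy(sink, f->pending, n);
        f->pending_len -= n;
        if (f->pending_len == 0)
                return forwarder_done(f);
        return false;
}

/* Fixed exit handler: if the drain already ran the done path, stop here. */
int on_exit_event(Forwarder *f, char *sink, size_t sink_len) {
        if (shovel_force(f, sink, sink_len))
                return 0; /* 'f' may be gone: no second forwarder_done() */
        forwarder_done(f); /* drain incomplete: run the done path ourselves */
        return 0;
}

/* Handler in the role of systemd-run's pty_forward_handler from the trace. */
static void freeing_handler(Forwarder *f, void *userdata) {
        (void) userdata;
        forwarder_free(f);
}

/* Buffer 'buffered' bytes, deliver an exit event with a sink of 'sink_len'
 * bytes, and return how many times the forwarder was freed (expected 1). */
int run_scenario(size_t buffered, size_t sink_len) {
        Forwarder *f = calloc(1, sizeof *f);
        char sink[64];
        frees = 0;
        if (!f)
                return -1;
        if (buffered > sizeof f->pending)
                buffered = sizeof f->pending;
        if (sink_len > sizeof sink)
                sink_len = sizeof sink;
        memset(f->pending, 'x', buffered);
        f->pending_len = buffered;
        f->on_hangup = freeing_handler;
        on_exit_event(f, sink, sink_len);
        return frees; /* 'f' is never dereferenced after the event */
}
```

Under AddressSanitizer both scenarios run clean: the drain-completes case frees once inside shovel_force() and the handler returns without revisiting the object, the drain-incomplete case frees once via the explicit done call.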
dongshengyuan [Tue, 30 Jun 2026 01:47:22 +0000 (09:47 +0800)]
boot/random-seed: create \loader\ dir if missing when seeding
When the random seed file doesn't exist but we have good entropy
(seeded_by_efi=true), we attempt to create it. This requires a handle
to the \loader\ directory, which may not exist on systems using
UKI+EFISTUB without systemd-boot installed.
Obtain the directory handle by first trying a read-only open; if that
returns EFI_NOT_FOUND, create the directory. We deliberately avoid
requesting write access on an already-present directory because some
firmware implementations return EFI_INVALID_PARAMETER for a
WRITE|CREATE open on an existing directory — this would be logged at
LOG_ERR and abort seed creation on systems where \loader\ exists but
random-seed does not (the normal systemd-boot layout).
Once a handle to \loader\ is obtained, open the seed file relative to
that handle rather than using the full path from root.
Introduced-by: c0e7046c17 ("boot: log about RO I/O errors at debug level.")
Fixes: #42801
Signed-off-by: dongshengyuan <dongshengyuan@uniontech.com>
Luca Boccassi [Mon, 29 Jun 2026 14:05:51 +0000 (15:05 +0100)]
env-util: ensure NUL termination of the replace_env_argv() output array
The output array is allocated with new() and left uninitialized, but a
bare unset "$VAR" token expands to nothing and writes no terminator.
When such a token leads or is the only word, the returned strv is left
without a trailing NULL.
dongshengyuan [Tue, 30 Jun 2026 09:13:10 +0000 (17:13 +0800)]
resolvectl: fix JSON reply cleanup in varlink_dump_dns_configuration
varlink_call_and_log() does not hand out a new reference for the reply
object, so the caller should not unref it. The _cleanup_(sd_json_variant_unrefp)
on reply was therefore wrong from the start.
The original TAKE_PTR(reply) was working around this incorrect cleanup
by preventing it from firing, but that left reply's refcount one too
high after sd_json_variant_ref(v) incremented the parent's count.
Fix by dropping _cleanup_(sd_json_variant_unrefp) from the reply
variable declaration entirely, as suggested by Lennart Poettering.
dongshengyuan [Tue, 30 Jun 2026 09:11:32 +0000 (17:11 +0800)]
exec-invoke: fix wrong errno in log_error_errno for setenv failure
When setenv("CREDENTIALS_DIRECTORY") fails, log_error_errno() was
called with the stale return value of exec_context_get_credential_directory()
(which is >= 0 on success) instead of errno.
The %m in the format string correctly expands from libc's errno, so
the human-readable log message was unaffected. However, the structured
journal field ERRNO= received an incorrect value (0 or positive),
making automated log analysis and alerting on this failure unreliable.
Ronan Pigott [Mon, 29 Jun 2026 19:14:58 +0000 (12:14 -0700)]
run: do not munge user.slice with --slice-inherit
When using --slice-inherit, setting arg_slice would inadvertently munge
user.slice into the current user slice, usually producing a slice name
like user-1000-user.slice. This is treated as a user-UID slice by
user-.slice.d/10-defaults.conf, resulting in a strange description:
literally "User slice for UID user" (instead of an actual user UID).
Keep arg_slice empty when using --slice-inherit so that we actually
inherit from the relevant slice instead of a munged version.
portable: leave room for trailing NUL in metadata receive buffer
receive_portable_metadata() reads each item into a stack buffer of
PATH_MAX + NAME_MAX + 2 bytes, passes the full sizeof() as the recv
iovec length, and then NUL-terminates with iov_buffer[n] = 0. recvmsg()
can return n equal to the buffer size, so the terminator is written one
byte past the end.
Grow the buffer by one byte and cap the iovec at sizeof - 1, so a full
record is still received and the trailing NUL always fits, matching the
coredump-receive.c reader.
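The buffer/iovec arithmetic this commit fixes, as an added example that is not systemd's code: a receiver whose buffer is one byte larger than the maximum record and whose iovec is capped at that maximum, driven through a SOCK_SEQPACKET socketpair with constructed payloads. MAX_RECORD stands in for PATH_MAX + NAME_MAX + 2 and is kept small; receive_record and roundtrip are assumed names.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

#define MAX_RECORD 15 /* stand-in for PATH_MAX + NAME_MAX + 2 */

/* Receive one record into 'buf' (MAX_RECORD + 1 bytes). The iovec is capped at
 * MAX_RECORD, so recvmsg() never returns more than that and buf[n] is always
 * inside the buffer. Returns the byte count or -1; *truncated is set when the
 * sender's record did not fit. */
ssize_t receive_record(int fd, char buf[MAX_RECORD + 1], int *truncated) {
        struct iovec iov = { .iov_base = buf, .iov_len = MAX_RECORD }; /* sizeof(buf) - 1 */
        struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1 };
        ssize_t n = recvmsg(fd, &mh, 0);
        if (n < 0)
                return -1;
        buf[n] = 0; /* n <= MAX_RECORD, terminator fits */
        *truncated = !!(mh.msg_flags & MSG_TRUNC);
        return n;
}

/* Send a constructed record of 'len' bytes of 'A' and receive it with
 * receive_record(). Returns the received length, -1 on syscall failure, or -2
 * if the result is not a properly terminated string of that length. */
int roundtrip(size_t len, int *truncated) {
        int sv[2];
        char payload[64], buf[MAX_RECORD + 1];
        ssize_t n = -1;
        if (len > sizeof payload)
                return -1;
        if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) < 0)
                return -1;
        memset(payload, 'A', sizeof payload);
        if (send(sv[0], payload, len, 0) == (ssize_t) len)
                n = receive_record(sv[1], buf, truncated);
        close(sv[0]);
        close(sv[1]);
        if (n < 0)
                return -1;
        if (strlen(buf) != (size_t) n)
                return -2;
        return (int) n;
}

int main(void) {
        int t;
        printf("full record: %d bytes, truncated=%d\n", roundtrip(MAX_RECORD, &t), t);
        printf("oversize record: %d bytes, truncated=%d\n", roundtrip(MAX_RECORD + 1, &t), t);
        return 0;
}
```

A record of exactly MAX_RECORD bytes arrives whole with the NUL in the spare byte; an oversize record is cut to MAX_RECORD and flagged via MSG_TRUNC rather than pushing the terminator past the end of the array.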
dongshengyuan [Mon, 29 Jun 2026 05:24:51 +0000 (13:24 +0800)]
man: document that $XDG_CONFIG_HOME affects environment.d lookup path
Align the documentation with the actual behavior: if $XDG_CONFIG_HOME is
set to an absolute path in the user service manager environment, it takes
precedence over the default ~/.config/ when locating environment.d files.
Also note the bootstrapping limitation that variables defined inside
environment.d files are not yet available when the generator runs.
Luca Boccassi [Mon, 29 Jun 2026 10:56:30 +0000 (11:56 +0100)]
test: make TEST-07-PID1.issue-14566 more robust
The test slept a fixed 4s after starting the service, then read the
child PID from /leakedtestpid. On a loaded host the executor had not
exec'd the script yet:
Make the service Type=notify and notify readiness after writing the PID
file, and wait for the service to go inactive in a timeout loop instead
of fixed sleeps.
wangzhaohui [Wed, 24 Jun 2026 03:10:56 +0000 (11:10 +0800)]
shell-completion: add missing commands and options to timedatectl zsh
The zsh completion for timedatectl was missing three commands ('show',
'ntp-servers', 'revert') and five options (--monitor, -p/--property=,
-a/--all, --value, -P) that are already present in the bash completion,
documented in the man page, and implemented in the binary.
dongshengyuan [Mon, 29 Jun 2026 06:54:51 +0000 (14:54 +0800)]
logind: fix typo in reboot-to-boot-loader-entry path
SetRebootToBootLoaderEntry on non-EFI systems wrote the boot loader
entry name to /run/systemd/reboot-boot-to-loader-entry (wrong order),
while the getter and unlink both use the correct path
/run/systemd/reboot-to-boot-loader-entry.
The written value was never read back, silently breaking the feature
on non-EFI systems.
dongshengyuan [Mon, 29 Jun 2026 06:53:35 +0000 (14:53 +0800)]
journal-verify: fix offset reported for tail hash mismatch
After walking a hash chain, the loop exits with p == 0. The error()
call for a tail_hash_offset mismatch passed p as the file offset,
printing 0000000000000000 instead of the actual last data object.
Pass 'last' instead, which holds the offset of the final chain entry.
The file is located outside the mkosi/ subdirectory, hence it is currently unused.
If it is moved to the mkosi/ subdirectory, the config conflicts with
TEST-58-REPART. Let's remove it at least for now, and reintroduce it later
at the correct place with test adjustments if it is really useful.
Ronan Pigott [Wed, 17 Jun 2026 19:36:16 +0000 (12:36 -0700)]
run: make custom slice imply XDG_SESSION_CLASS=none
--slice and --slice-inherit are intended to make the new service unit
part of a specific slice. Logind is incompatible with that goal, as a
session of any kind will prompt logind to immediately yoink the new
command from the service unit into a new session scope, which does not
inherit from run0's own slice. The user can still explicitly request a
session with --setenv=XDG_SESSION_CLASS=<class>.
Also make --slice and --slice-inherit conflict with --lightweight and
--area, which depend on logind to be effective.
dongshengyuan [Mon, 22 Jun 2026 02:55:13 +0000 (10:55 +0800)]
numa: add support for preferred-many and weighted-interleave policies
Add support for two newer NUMA memory policies:
- MPOL_PREFERRED_MANY (Linux 5.15): like MPOL_PREFERRED but accepts
a set of nodes instead of a single node, falling back to all nodes
if preferred nodes cannot satisfy the allocation.
- MPOL_WEIGHTED_INTERLEAVE (Linux 6.9): like MPOL_INTERLEAVE but
distributes pages across nodes proportionally to per-node weights
configured via /sys/kernel/mm/mempolicy/weighted_interleave/.
On kernels that do not support the requested policy, set_mempolicy()
returns EINVAL. We convert EINVAL to EOPNOTSUPP only for the two new
policies (MPOL_PREFERRED_MANY, MPOL_WEIGHTED_INTERLEAVE), so that a
bad NUMAMask= for already-supported policies still fails the service
rather than being silently ignored.
The NUMA subsystem being absent (ENOSYS) continues to be handled
silently at debug level, as before.
Varlink serialization uses json_underscorify() on an owned copy of
the policy name string to convert hyphenated names to the underscore
form declared in the IDL enum, avoiding mutation of the read-only
static string table.
Frantisek Sumsal [Sat, 27 Jun 2026 17:08:06 +0000 (19:08 +0200)]
vmspawn: complain loudly if we can't prepare a unix socket for virtiofsd
I couldn't convince vmspawn to start a VM on a Fedora image I just
downloaded, and it was pretty light on any useful details:
$ build/systemd-vmspawn --image ~/Downloads/Fedora-Server-Guest-Generic-Rawhide-20260627.n.0.x86_64.qcow2 --image-format=qcow2 --bind-ro=/tmp/bar; echo $?
░ Spawning VM Fedora-Server-Guest-Generic-Rawhide-20260627.n.0.x8664.qcow2 on /home/mrc0mmand/Downloads/Fedora-Server-Guest-Generic-Rawhide-20260627.n.0.x86_64.qcow2.
░ Press Ctrl-] three times within 1s to kill VM.
1
Turns out that the unix socket path vmspawn generates for the virtiofsd
socket is too long. Let's relay this information to the user as well to
make debugging this a little less painful:
$ build/systemd-vmspawn --image ~/Downloads/Fedora-Server-Guest-Generic-Rawhide-20260627.n.0.x86_64.qcow2 --image-format=qcow2 --bind-ro=/tmp/bar
░ Spawning VM Fedora-Server-Guest-Generic-Rawhide-20260627.n.0.x8664.qcow2 on /home/mrc0mmand/Downloads/Fedora-Server-Guest-Generic-Rawhide-20260627.n.0.x86_64.qcow2.
░ Press Ctrl-] three times within 1s to kill VM.
Failed to prepare unix socket '/run/user/1000/systemd/vmspawn/Fedora-Server-Guest-Generic-Rawhide-20260627.n.0.x8664.qcow2/sock-9594581dcf598992': File name too long
test: cover the io.systemd.CryptEnroll Varlink interface
Extend the existing systemd-cryptenroll test with varlinkctl invocations
equivalent to the command line ones: enrolling a recovery key and passwords
(unlocking via a key file by path and via a passed file descriptor), listing
slots, combining enrollment with a type-based wipe, and the negative cases
(ListSlots without 'more', and the pkcs11/tpm2 mechanisms that are not part of
the EnrollMechanism allowlist).
Add a --firstboot mode that interactively walks the user through enrolling a
passphrase, a recovery key, or a FIDO2 token, with one menu entry per suitable
token currently plugged in (driven by a new fido2_enumerate_devices() helper).
Pressing enter at the top-level menu leaves the volume unchanged; for each
already-enrolled credential type the wizard offers to wipe it as part of the
operation. It populates the same EnrollContext the command line and Varlink
paths use, so the actual enrollment goes through the shared enroll_now() path.
A companion --prompt-suppress= option takes a list of slot types: if a slot of
any listed type already exists, the wizard does nothing and exits successfully.
This lets it be hooked into the boot process while staying quiet once the
system has been set up.
The accompanying systemd-cryptenroll-firstboot.service runs this from the
initrd, after systemd-repart has created the encrypted volume but before we
transition to the host, suppressing itself once a password, recovery key or
FIDO2 token is enrolled. To make that work, determine_default_node() now looks
below /sysroot/ when running in the initrd, since the host file systems aren't
at their final location yet.
While the wizard is active it draws the same installer-style chrome (blue bars
at the top and bottom of the terminal) as systemd-sysinstall, using the shared
prompt_loop_yes_no() helper for its wipe confirmations.
Honours the systemd.firstboot= kernel command line option.
cryptenroll: expose enrollment as an io.systemd.CryptEnroll Varlink service
Add a Varlink interface for systemd-cryptenroll, building on the EnrollContext
introduced previously. A single Enroll method covers password, recovery-key and
FIDO2 enrollment; PKCS#11 and TPM2 are not exposed for now (they are not
part of the EnrollMechanism allowlist, so the generic InvalidParameter error
applies). A ListSlots method enumerates the currently enrolled keyslots.
The dispatcher populates the same EnrollContext the command line uses and then
runs the shared enroll_now()/prepare_luks()/wipe_slots() paths, so both
front-ends behave identically. FIDO2 enrollment that requires user presence
reports an imminent touch via a non-terminating "state":"touch" reply when the
caller passes 'more'. Credential material (password, FIDO2 PIN, recovery key)
is handled as sensitive, and key files may be passed either by path or as an
fd index.
The server is allocated root-only plus caller's-own-UID, with the listening
socket created in 0644 mode.
cryptenroll: collect all enrollment parameters in an EnrollContext
Introduce an EnrollContext structure that carries everything the enrollment
and unlocking helpers need, and route all enroll_*()/load_volume_key_*()/
wipe_slots() calls through it. The command line still populates the existing
arg_* globals as before; once parsing is complete they are copied into a
self-contained EnrollContext (which owns its strings/arrays) and the rest of
the code only ever reads from the context.
This is preparation for the upcoming varlinkification of systemd-cryptenroll:
a Varlink dispatcher (and later an interactive first-boot wizard) can populate
the very same EnrollContext without going through the arg_* parsing layer.
To support non-interactive (e.g. Varlink) callers, the context carries an
'interactive' flag: when false, every credential prompt is disabled and the
helpers fail with -ENOPKG (the established "querying disabled via headless"
code) instead of blocking on a tty. Passwords, FIDO2 PINs and PKCS#11 PINs are
all covered, and an optional FIDO2 PIN can be supplied directly via the
context. enroll_recovery() additionally grows a quiet mode that returns the
recovery key instead of printing it.
This also adds one new field to EnrollContext which didn't exist before:
the unlock_password is useful for the Varlink hookup later.
Factor a yes/no variant of prompt_loop() out into prompt-util.[ch], so the
various interactive tools can share a single implementation, and convert
systemd-sysinstall's installation confirmation question over to it.
Yu Watanabe [Mon, 22 Jun 2026 10:32:01 +0000 (19:32 +0900)]
tree-wide: drop gcrypt dependency from all binaries except for unit tests
With this change, the gcrypt dependency is not mandatory. Hence, allow building
systemd even when -D gcrypt=enabled but the gcrypt devel package is not installed.
Yu Watanabe [Thu, 25 Jun 2026 14:38:16 +0000 (23:38 +0900)]
sd-journal: drop libgcrypt dependency from libsystemd
This introduces a vtable for the journal tagging feature in sd-journal,
and makes libgcrypt-dependent features be loaded by users (journald,
journalctl, journal-remote, and unit tests) when necessary.
Yu Watanabe [Thu, 25 Jun 2026 16:26:21 +0000 (01:26 +0900)]
sd-journal: introduce JournalAuthContext
Then, move several components for journal tagging from JournalFile
to JournalAuthContext.
This also introduces wrapper functions that check gcrypt support.
* 0b390d2683 One more fixup for d/copyright
* 91d3dadcb5 Update changelog for 261.1-1 release
* 3c287e1f86 d/copyright: update to add new licenses
* a82117f9a3 Install new files for upstream build
* 020caeb149 Override new Lintian false positive
* d55b67b66e d/control: demote libnss-{myhostname,resolve} to Suggests for systemd-resolved
* 1c537705ec Update changelog for 261-2 release
* 6235897bbc Note new package split in NEWS
* a440cb2c4a Install new files for upstream build
* 7eaa21ad05 Split tpm tools into new systemd-tpm package
* 52b28b74f3 Split metrics reporting tools into new systemd-report package
* de2f367f22 Split imds tools into new systemd-imds package
* 2d0a07f5ae d/t/control: do not install xserver-xorg-video-dummy on loong64
* c886c3efc8 Install new files for upstream build
* 0efa66b4af Update changelog for 261-1 release
* e36cf82a1d lintian-overrides: override error about derivative.ubuntu build profile
* fbd38c36ea d/control: do not build systemd-boot-efi-*-signed-template on ubuntu
Observed on Ubuntu 24.04 with GCC 13 on the arm64 architecture.
```
../src/shared/journal-importer.c: In function ‘journal_importer_process_data’:
../src/shared/journal-importer.c:344:30: error: ‘line’ may be used uninitialized [-Werror=maybe-uninitialized]
344 | if (!journal_field_valid(line, n - 1, true)) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/shared/journal-importer.c:295:23: note: ‘line’ was declared here
295 | char *line, *sep;
| ^~~~
cc1: all warnings being treated as errors
```
Yu Watanabe [Sat, 27 Jun 2026 03:21:19 +0000 (12:21 +0900)]
resolvectl: use more varlink (#41840)
There are already varlink methods for `ResolveHostname`,
`ResolveAddress`, and `ResolveRecord`. Use those in `resolvectl` instead
of the dbus equivalents.
sysupdate: Address review feedback on CheckNew varlink scaffolding
Follow-up to #42422:
- Rename process_image() to context_process_image(), since it now
operates on a Context object.
- Use IN_SET() in image_type_can_sysupdate() instead of a switch.
- Name the return parameters of context_list_components() ret_xyz, per
our coding style.
- Drop a redundant "else" after a return in vl_method_check_new().
sysupdate: Add a stub varlink interface and implement CheckNew (#42422)
This puts the scaffolding in place for a varlink interface, but so far
it only adds a `io.systemd.Sysupdate.CheckNew()` method. Varlinkifying
the other verbs on `systemd-sysupdate` will happen in follow-up PRs, but
I thought I’d try and land this one early to:
* Get review of the overall varlinkification scaffolding
* Lower the chance of big merge conflicts with others’ work by getting
the more invasive changes out of the way
* Get the scaffolding in place so others can start to build on it if
they wish (although I am currently working on porting the other existing
verbs)
It rearranges how the `Context` struct is allocated so that it’ll be
easier to add per-method/verb context structs which contain it in
future. It also changes all the `sysupdate.c` code to use arguments from
`Context` rather than `arg_*` globals, allowing them to be specified as
varlink parameters in future.
It also moves the existing `systemd-sysupdate.{timer,service}` units
(which periodically run `systemd-sysupdate update`) to
`systemd-sysupdate-update.{timer,service}` to clear space for a
`systemd-sysupdate@.service` and `systemd-sysupdate.socket` to act as a
varlink entry point.
Currently, TEST-92-TPM2-SWTPM is skipped as it requires the following:
https://github.com/systemd/systemd/pull/42760
https://gitlab.alpinelinux.org/alpine/aports/-/work_items/18293
Nick Rosbrook [Fri, 19 Jun 2026 19:01:00 +0000 (15:01 -0400)]
resolve: add query string field to io.systemd.Resolve.DNSError
This is preparation for using varlink methods more in resolvectl. In
particular, this is helpful for providing more accurate error messages,
and maintaining compatibility with existing error messages from the
DBus API.