Apply the same column width for different option groups
This feels a bit like a hack, but it works OK. The width of the first
column of verbs or options in different sections is measured and
applied to the other tables. This makes the second column aligned.
libtss2-tcti-device0 is not installed by default in the openSUSE
image, but is now required when building the test image. Without it,
the build fails with
```
Shared library 'libtss2-tcti-device.so.0' is not available:
libtss2-tcti-device.so.0: cannot open shared object file: No such file or directory
```
Yu Watanabe [Mon, 23 Mar 2026 05:55:57 +0000 (14:55 +0900)]
networkd: replace D-Bus with Varlink in networkctl (#40780)
networkctl previously called networkd over D-Bus for several operations.
This replaces all of those calls with Varlink, making it the sole IPC
mechanism between networkctl and networkd.
New Varlink methods added to networkd:
- io.systemd.Network.Link (new sub-interface for link-specific
operations):
Supporting changes:
- link_get_bit_rates() extracted from networkd-link.c into
  networkd-speed-meter.c
- BitRates added to link_build_json() so Link.Describe returns them inline
  alongside the existing interface description, replacing a separate D-Bus
  read
- link_reconfigure_full() and manager_reload() extended to accept sd_varlink*
  for deferred async replies (consistent with existing sd_bus_message* path)
- DHCP lease display (networkctl status) uses Link.Describe instead of
  DHCPServer.Leases; falls back to ClientId when hostname is not present
mips: Fix conditional inclusion of <asm/sgidefs.h>
systemd now has a system call wrapper that does a long series of #ifdef's to
differentiate between architectures and ABIs. This wrapper has two problems.
1. On mips, it needs to differentiate between O32, N32, N64 ABI. It does that
via a code block in src/include/override/sys/generate-syscall.py (and derived
files):
Now the _MIPS_SIM* constants stem from a vendor-specific header file sgidefs.h,
which is included with glibc, but not with musl. It is however always present
in the Linux kernel headers as asm/sgidefs.h ...
2. To work around this, the syscall wrapper already has a block
Turns out, ARCH_MIPS is defined nowhere in Gentoo, neither on glibc nor on musl.
As a result the code (by accident, probably sgidefs.h is included transitively
somehow) works on glibc, but not on musl.
The simplest fix is to replace line 47 in the generator and the derived file
with
47 #ifdef __mips__
Two other source code files require a similar fix since they rely on the
constants.
Bug: https://github.com/systemd/systemd/issues/41239
Bug: https://bugs.gentoo.org/971376
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
Yu Watanabe [Sun, 22 Mar 2026 14:39:38 +0000 (23:39 +0900)]
dhcp: fix user class and vendor specific option assignment
The commit 6d7cb9a6b8361d2b327222bc12872a3676358bc3 fixes the assignment
of these options when specified through SendOption=. However, it
breaks when specified through UserClass= or SendVendorOption=.
When UserClass= or SendVendorOption= is specified, the option length is
calculated from the sd_dhcp_client.user_class or .vendor_options. Hence,
we can use 0 for the length in that case.
options: only consume "--" immediately after an option that stops parsing
The behaviour that was implemented in systemd-dissect was that
both '--exec -- cmd' and '--exec cmd' result in 'cmd' as the command,
and '--' anywhere later is treated as a positional argument, so nesting is
possible, e.g.:
--exec -- cmd --opt -- another-cmd --another-opt
This is not obvious, so add some tests for this and keep it as a separate
commit.
test-options: add tests for option macros and flags
Add tests for OPTION_STOPS_PARSING, OPTION_GROUP_MARKER, and
OPTION_OPTIONAL_ARG flags with manual Option arrays, and a separate
test exercising the OPTION, OPTION_LONG, OPTION_SHORT, OPTION_FULL,
and OPTION_GROUP macros via FOREACH_OPTION_FULL in a switch statement,
as they would be used in real code.
Co-developed-by: Claude Opus 4.6 <noreply@anthropic.com>
Michael Vogt [Sat, 21 Mar 2026 21:36:20 +0000 (22:36 +0100)]
core: allow unset pidref in manager_log_caller
This commit allows unset pidref when calling manager_log_caller().
With that we can log manager calls even if we cannot resolve the
caller. Currently when we cannot resolve the caller we are just
not logging anything. With this commit we at least log the call
(even though we don't know what caller it was).
Michael Vogt [Sat, 21 Mar 2026 21:12:02 +0000 (22:12 +0100)]
core: extract varlink_log_caller() helper
Extract a common helper varlink_log_caller() and use in the varlink
code when logging the caller of a method. It also logs the method
now that was tried (but failed) to be logged with log_notice just
like manager_log_caller() would do.
I was looking into modifying `manager_log_caller` instead and
accept a NULL pidref but could not log more than the method without
pidref and would make the manager_log_caller slightly less nice.
This adds the low-level io.systemd.Manager shutdown support. This
is (much) simpler than the logind one. It mimics dbus but uses
a shared helper for the simple cases.
Note that this is more restrictive than the dbus version. The
dbus version uses SD_BUS_VTABLE_CAPABILITY(CAP_SYS_BOOT) but
the varlink version uses varlink_check_privileged_peer(link).
This is mostly because I'm not sure how to do the equivalent
in a race-free way.
Oblivionsage [Sat, 21 Mar 2026 16:43:50 +0000 (17:43 +0100)]
dns-packet: move p->more unref into the free path
dns_packet_unref() unconditionally unrefs p->more on every call,
even when n_ref > 1. But dns_packet_ref() doesn't ref p->more.
This means if a packet with a ->more chain gets ref'd and unref'd
multiple times, the chain gets freed too early while the parent
still holds a dangling pointer.
Move the p->more unref into the n_ref == 1 block so the chain
only gets cleaned up when the packet is actually being freed.
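The lifetime problem described in this commit message, as an added example (a constructed model, not systemd's code): `Packet`, `packet_unref_before()`, `packet_unref_after()` and `state_after()` are hypothetical names, and "freeing" only sets a flag so the resulting state can be inspected safely.

```c
#include <stdio.h>

/* Constructed stand-in for a DNS packet: only the refcount and the ->more link. */
typedef struct Packet {
    unsigned n_ref;
    int freed;              /* set instead of calling free(), so state stays inspectable */
    struct Packet *more;
} Packet;

typedef void (*unref_fn)(Packet *);

static void packet_init(Packet *p, Packet *more) {
    p->n_ref = 1;
    p->freed = 0;
    p->more = more;
}

/* As the commit message describes: taking a reference does not touch ->more. */
static void packet_ref(Packet *p) {
    p->n_ref++;
}

/* Behaviour before the change: ->more is unref'd on every call. */
static void packet_unref_before(Packet *p) {
    if (!p)
        return;
    packet_unref_before(p->more);
    if (p->n_ref == 1)
        p->freed = 1;
    else
        p->n_ref--;
}

/* Behaviour after the change: ->more is unref'd only in the n_ref == 1 path. */
static void packet_unref_after(Packet *p) {
    if (!p)
        return;
    if (p->n_ref == 1) {
        packet_unref_after(p->more);
        p->freed = 1;
    } else
        p->n_ref--;
}

/* Two holders share the parent and `drops` of them let go.
 * Returns bit 0 = parent freed, bit 1 = chained packet freed. */
static int state_after(unref_fn unref, int drops) {
    Packet more, parent;
    packet_init(&more, NULL);
    packet_init(&parent, &more);
    packet_ref(&parent);
    for (int i = 0; i < drops; i++)
        unref(&parent);
    return parent.freed | (more.freed << 1);
}

int main(void) {
    printf("before, one holder left: %d\n", state_after(packet_unref_before, 1));
    printf("after,  one holder left: %d\n", state_after(packet_unref_after, 1));
    printf("after,  no holders left: %d\n", state_after(packet_unref_after, 2));
    return 0;
}
```

A result of 2 means the chained packet is gone while the parent is still referenced, which is the dangling `->more` pointer the message describes.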
Yu Watanabe [Tue, 10 Mar 2026 23:50:24 +0000 (08:50 +0900)]
sd-dhcp-client: drop disabled FORCERENEW message support
FORCERENEW message support has been disabled for a long time over security
concerns. Most other implementations of DHCP server/client do not
support FORCERENEW either. Let's completely drop relevant code.
Daan De Meyer [Fri, 20 Mar 2026 20:52:00 +0000 (21:52 +0100)]
reboot-util: Make clang-tidy happy if xenctrl is not installed
xenctrl is another library that's not widely available across distributions.
Let's make sure clang-tidy is happy with reboot-util.c if it is not
available.
Daan De Meyer [Fri, 20 Mar 2026 20:38:27 +0000 (21:38 +0100)]
selinux-util: Make clang-tidy happy if selinux is not available
Most of our libraries are available on all distributions so we don't
bother with making clang-tidy happy if the library is not available.
The one exception is selinux which isn't available on Arch. Let's
conditionalize the includes in selinux-util.c so that clang-tidy is
still happy on Arch where we can't install libselinux.
vlefebvre [Fri, 20 Mar 2026 14:25:09 +0000 (15:25 +0100)]
kmod-setup: load vsock_loopback alongside vsock
Loading vmw_vsock_virtio_transport early at boot causes vsock to be
resident before any application opens an AF_VSOCK socket. Because the
kernel skips autoloading when the vsock module is already present,
vsock_loopback never gets loaded automatically, and any subsequent
bind() to VMADDR_CID_LOCAL fails with EADDRNOTAVAIL.
Fix this by explicitly loading vsock_loopback on virtio or VMware
machines via the new may_have_vsock_looopback() helper, which covers both
vmw_vsock_virtio_transport and vmware_vsock_vmci_transport cases.
vsock_loopback is the only module that registers a transport for
VMADDR_CID_LOCAL (CID 1) and has no hard dependency from any of the
vsock transport modules.
Daan De Meyer [Fri, 20 Mar 2026 13:14:28 +0000 (14:14 +0100)]
mountfsd: Add CAP_SYS_PTRACE and CAP_SYS_CHROOT
CAP_SYS_PTRACE for making sure we can open mount namespaces of
peers via /proc/<pid>/ns and CAP_SYS_CHROOT for making sure we can
join those mount namespaces.
test-option-parser: "translate" test-getopt for the new parser
The test cases are the same in both files. To make the test
more thorough, add a case where "--" is used more than once and
also when options are present after "--".
Add "option parser" infrastructure that helps with cmdline option parsing
The basic idea is that we'll have "one source of truth" for the list of
options. Currently, this is split between:
1. struct option options[] array for long options
2. the short option parameter to getopt_long()
3. --help
so it is easy to forget to add or update one of those places where
appropriate.
An option is defined through a macro that includes the option short
and long codes, and also the metavar and help. Those four items can
be used to generate the help string automatically.
The code is easier to read when various parts are written in the same
order.
We can define common options through a macro in the header file,
reducing boilerplate repeated in different files. Over time, if we
discover that the same pattern is used in multiple files, we can add
another "common option".
The macro is defined in a way that the editor can indent it like a
normal case statement.
The error message for ambiguous options is formatted a bit differently:
$ systemd-id128 --no-
systemd-id128: option '--no-' is ambiguous; possibilities: '--no-pager' '--no-legend'
$ build/systemd-id128 --no-
option '--no-' is ambiguous; possibilities: --no-pager, --no-legend
I think the formatting without commas is ugly, but OTOH, the quotes
around option names are superfluous, real option names are easy to
distinguish.
David Tardon [Fri, 27 Feb 2026 12:29:44 +0000 (13:29 +0100)]
integritysetup: regularize conversion of integrity alg.
The number of integrity algorithms we handle whose names differ between
integritysetup and dm-integrity continually increases, so let's drop the
ad hoc conversion and use string tables.
In one of the reviews one of the LLMs noticed that the pragma is set but
never unset, so it remains in effect for the rest of the translation
unit. From the comment, it's not clear how old those "old compilers"
were, so let's try if things work without this workaround.
Nick Rosbrook [Fri, 20 Mar 2026 15:23:39 +0000 (11:23 -0400)]
socket-util: filter out VMADDR_CID_ANY in vsock_get_local_cid()
It has been observed on some systems[1] that ssh-issue may print out:
Try contacting this VM's SSH server via 'ssh vsock%4294967295' from host.
i.e. it suggests connecting with VMADDR_CID_ANY, which is not valid. It
seems that IOCTL_VM_SOCKETS_GET_LOCAL_CID may return VMADDR_CID_ANY in
some cases, e.g. when vsock is not fully initialized or so.
Treat VMADDR_CID_ANY as special in vsock_get_local_cid(), the same as
VMADDR_CID_LOCAL and VMADDR_CID_HOST, and return an error.
Nick Rosbrook [Fri, 20 Mar 2026 15:13:28 +0000 (11:13 -0400)]
ssh-proxy: return an error if user supplies VMADDR_CID_ANY
Right now, if a user tries to pass VMADDR_CID_ANY to systemd-ssh-proxy,
an assert is triggered:
$ ssh vsock%4294967295
Assertion 'cid != VMADDR_CID_ANY' failed at src/ssh-generator/ssh-proxy.c:21, function process_vsock_cid(). Aborting.
mm_receive_fd: recvmsg: expected received 1 got 0
proxy dialer did not pass back a connection
This is because the value returned from vsock_parse_cid is not checked
before being passed to process_vsock_string. Add a check to prevent
that.
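The two vsock commits above both come down to rejecting reserved CIDs with an error instead of passing them on or hitting an assert. The following is an added example, not systemd's code: `parse_user_cid()` and `check_local_cid()` are hypothetical helpers, the `EX_` constants repeat the values from `<linux/vm_sockets.h>`, and the errno values returned are this example's choice.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Same values as VMADDR_CID_* in <linux/vm_sockets.h>, repeated so this builds anywhere. */
#define EX_CID_ANY   UINT32_MAX   /* VMADDR_CID_ANY (-1U), i.e. 4294967295 */
#define EX_CID_LOCAL 1u           /* VMADDR_CID_LOCAL */
#define EX_CID_HOST  2u           /* VMADDR_CID_HOST */

/* Hypothetical: parse a decimal CID supplied by a user.
 * Returns 0 and stores the CID, or a negative errno; never aborts on bad input. */
static int parse_user_cid(const char *s, uint32_t *ret) {
    char *end;
    unsigned long long v;

    if (!s || *s < '0' || *s > '9')   /* strtoull() alone would accept signs and spaces */
        return -EINVAL;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno != 0 || *end != '\0')
        return -EINVAL;
    if (v > UINT32_MAX)
        return -ERANGE;
    if ((uint32_t) v == EX_CID_ANY)   /* a wildcard, not an address to connect to */
        return -EINVAL;
    *ret = (uint32_t) v;
    return 0;
}

/* Hypothetical: decide whether a CID reported for the local machine can be shown
 * to users. ANY, LOCAL and HOST do not identify this VM to its host. */
static int check_local_cid(uint32_t cid) {
    if (cid == EX_CID_ANY || cid == EX_CID_LOCAL || cid == EX_CID_HOST)
        return -EADDRNOTAVAIL;
    return 0;
}

int main(void) {
    /* Constructed sample inputs */
    const char *samples[] = { "3", "4294967295", "4294967296", "-1", "7x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t cid = 0;
        int r = parse_user_cid(samples[i], &cid);
        printf("%-12s -> r=%d cid=%u\n", samples[i], r, (unsigned) cid);
    }
    printf("local cid 4294967295 usable: %s\n", check_local_cid(EX_CID_ANY) == 0 ? "yes" : "no");
    return 0;
}
```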
sd-json: when parsing optionally insist top-level variant is object or array
Typically, the top-level JSON object has to be an object, in any json
document we parse, hence let's add a simple way to enforce that.
Make use of this in various places.
(Note, various other JSON parsers insist on this logic right from the
beginning, but I actually think making this insisting optional like
this patch does is the cleaner approach)
Also, in general we prefer variables that are always defined over
checking with #ifdef, so #if defined(HAVE_NO_STACK_PROTECTOR_ATTRIBUTE)
is something that we want to avoid.
When Clang is used (which sets CONFIG_PAHOLE_HAS_BTF_TAG), btf_type_tag
support is enabled. As a result, an rcu type tag is added to
task_struct::cred:
meson: disable __attribute__((__retain__)) on old compilers
This attribute was introduced in gcc 11, and our baseline is currently
8.4. So let's allow using _retain_ everywhere, but make it into a noop
if not supported.
Using __has_attribute was suggested, but with gcc-11.5.0-14.el9.x86_64,
__has_attribute(__retain__) is true, but we get a warning when the
attribute is actually used.
Luca Boccassi [Fri, 20 Mar 2026 00:43:26 +0000 (00:43 +0000)]
test: skip D-Bus FD truncation test with dbus-daemon
dbus-daemon intentionally disconnects peers when FDs get
truncated. Detect it and skip it in that case, as the purpose
of the test is not to exercise the D-Bus implementation, but
our library.
When running with dbus-broker (Fedora, etc) we'll get full
coverage.
firstboot: permit setting the static hostname via a system credential
For the IMDS case there's value in being able to set the static
hostname, instead of just the transient one. Let's introduce
firstboot.hostname, which only applies to first boot, and write the
static hostname. This is different from system.hostname which applies to
any boot, and writes the transient hostname.
udev: tag DMI id device with "systemd", so that we can order units after it
For various usecases it is useful to read relevant data from the DMI
udev device, but this means we need a way to wait for it for this to be
probed to be race-free. Hence tag it with "systemd", so that
sys-devices-virtual-dmi-id.device can be used as synchronization point.
This is very similar to write_string_file_atomic(), but is intentionally
kept separate (after long consideration). It focusses on arbitrary
struct iovec data, not just strings, and hence also doesn't do stdio at
all. It's hence a lot more low-level.
We might want to consider moving write_string_file*() on top of
write_data_file_atomic_at(), but for now don't.
Michael Vogt [Wed, 18 Mar 2026 10:38:48 +0000 (11:38 +0100)]
shared: extract `socket_forward_new()` helper from socket-proxyd
This commit extracts the socket forwarding code from the existing
socket-proxyd into a new shared helper that will be used by the
varlinkctl protocol upgrade support code and is used as is in
the socket-proxyd.c.
It tries to keep the changes as small as possible, it's mostly
renaming like:
* connection_create_pipes -> socket_forward_create_pipes
* connection_shovel -> socket_forward_shovel
* connection_enable_event_sources -> socket_forward_enable_event_sources
* traffic_cb -> socket_forward_traffic_cb
and a new socket_forward_new() that creates/starts the forwarding.
All log_error_errno() got downgraded to log_debug_errno().
Michael Vogt [Thu, 19 Mar 2026 15:05:52 +0000 (16:05 +0100)]
units: allow io.systemd.Hostname to be available earlier
Currently the varlink interface for hostname is only available
after sysinit. This means it is not available until systemd-firstboot
is finished. But there is information like the boot-id in there that
is useful to get early.
My use-case is to query the system early via the varlink-http-bridge
and currently I can't get data from io.systemd.Hostname until
systemd-firstboot is completed which is a bit limiting.
So to fix it this commit sets DefaultDependencies=no on both the socket
and service units.
It also changes hostnamed.c to use
bus_open_system_watch_bind_with_description() which means we will
reconnect once dbus is available. This mimics what resolved-bus.c
is doing (and which was originally introduced in d7afd945b).
tests: drop _weak_ from the SYSTEMD_TEST_TABLE definition
This will cause test binaries that reference SYSTEMD_TEST_TABLE,
e.g. by trying to iterate over the test list, to fail if no tests are
defined. I think this is the correct thing to do, as the lack of tests
indicates some kind of mistake.
This file was a bit strange… It was shoehorning a manual test into
the intro block and not using the rest of the TEST machinery. Let's
convert it into a normal executable with a run function as we do
in other similar cases.
systemd-timesyncd always runs as an unprivileged user via the service
file, so the code to resolve the systemd-timesync user, drop privileges,
adjust file ownership/permissions, or even create the directory cannot
do anything useful and is unnecessary.
With the planned extraction of the socket-forward code it's useful
to have a basic way to validate the functionality. So add a basic
test that ensures at least base functionality is intact.
test-time-util: restore relaxation of check is special timezones
Fixup for 514fa9d39ae9935ef1e014a3dd48dd5856007df2. We are now getting
failures in CI i386 builds in Fedora rawhide:
TZ=Europe/Lisbon, tzname[0]=WET, tzname[1]=WEST
@212545617716594 → Sun 1976-09-26 00:26:57 WET → @212542017000000 → Sun 1976-09-26 00:26:57 CET
src/test/test-time-util.c:450: Assertion failed: Expected "ignore" to be true
Restore the conditionalization for CAT, EAT, WET that was removed
in the refactoring.
Chris Down [Thu, 19 Mar 2026 13:15:44 +0000 (21:15 +0800)]
dissect-image: Consolidate verity validation and setup
The verity consistency checks and verity setup code also have parallel
blocks for root and usr that do basically identical work. Let's
consolidate them and reduce the footprint for bugs or deviance to
manifest.
Chris Down [Thu, 19 Mar 2026 13:10:21 +0000 (21:10 +0800)]
dissect-image: Merge partition handler code
dissect-image has six(!) different branches with basically the same
code. Let's avoid that and reduce the spaces for bugs or differing
behaviour to subtly creep in.
noxiouz [Thu, 19 Mar 2026 11:50:26 +0000 (11:50 +0000)]
network: add unmanaged interface checks to Link.Renew and Link.ForceRenew Varlink methods
The D-Bus counterparts (bus_link_method_renew, bus_link_method_force_renew)
reject calls on unmanaged interfaces with BUS_ERROR_UNMANAGED_INTERFACE,
but the Varlink methods silently succeed. Add the same guard to both
Varlink methods, returning io.systemd.Network.Link.InterfaceUnmanaged,
and declare the error in the IDL.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
In one of the reviews one of the LLMs noticed that the pragma is set but
never unset, so it remains in effect for the rest of the translation
unit. From the comment, it's not clear how old those "old compilers" were,
so let's try if things work without this workaround.
Daan De Meyer [Thu, 19 Mar 2026 10:34:25 +0000 (11:34 +0100)]
ci: Update prompt to reduce time spent re-checking comments
I noticed looking at the logs that claude spends a lot of time re-checking
existing comments, so let's update the prompt to hopefully reduce
the amount of comments that it re-checks.
Luca Boccassi [Wed, 18 Mar 2026 23:04:03 +0000 (23:04 +0000)]
userdb: add birthDate field to JSON user records (#40954)
Add an optional field that can be used to store a user's birth date.
userdb already stores personal metadata (`emailAddress`, `realName`,
`location`) so `birthDate` is a natural fit.