NEWS: fix wrong path for sd-stub global extensions directory

stub: check if security override is available before using it (#38295 )
Avoids fallback that requires it if it is not available. Can be dropped once support for shim < 16 is no longer needed Follow-up for 23d56ae890f8e7c8e29ef51e05494e445725d3ff
2025-10-05 19:54:46 +02:00 · 2025-07-23 14:22:08 +01:00 · 2025-07-23 15:16:01 +02:00 · 2025-07-23 15:15:20 +02:00 · 2025-07-23 15:15:20 +02:00 · 2025-07-23 22:13:20 +09:00
101 changed files with 723 additions and 365 deletions
--- a/210
+++ b/210
@ -66,21 +66,22 @@ CHANGES WITH 258 in spe:
        * Support for the SystemdOptions EFI variable has been removed.
-        * The meson options 'split-usr', 'rootlibdir', 'rootprefix' (deprecated
+        * Meson options '-Dsplit-usr=', '-Drootlibdir=', '-Drootprefix='
-          in v255), 'default-hierarchy' (v256), and 'nscd' (v257) have been
+          (deprecated in v255), '-Ddefault-hierarchy=' (deprecated in v256),
-          removed.
+          and '-Dnscd=' (deprecated in v257) have been removed.
        * OpenSSL is now the only supported cryptography backend for
          systemd-resolved and systemd-importd, and support for gnutls and
-          gcrypt has been removed.  Hence, 'gnutls' for 'dns-over-tls=' meson
+          gcrypt has been removed. Hence, 'gnutls' setting for the
-          option has been deprecated. Also, the 'cryptolib' meson option has
+          '-Ddns-over-tls=' meson option has been deprecated. Also, the
-          been deprecated. They will be removed in a future release.
+          '-Dcryptolib=' meson option has been deprecated. They will be removed
          in a future release.
        * systemd-logind's session tracking, which used to be performed via a
-          FIFO installed in the client, has been fully switched to be
+          FIFO installed in the client, now uses PIDFDs. The file descriptor
-          pidfd-based. The fd returned by CreateSession() and related calls is
+          returned by CreateSession() and related calls is therefore unused.
-          therefore unused. Moreover, the exit of session leader process will
+          Moreover, the exit of the session leader process will immediately
-          immediately cause the session to be stopped.
+          cause the session to be stopped.
        * To work around limitations of X11's keyboard handling systemd's
          keyboard mapping hardware database (hwdb.d/60-keyboard.hwdb) so far
@ -106,7 +107,7 @@ CHANGES WITH 258 in spe:
          through LLDP protocol, but now emits a deterministic ID,
          cryptographically derived from the machine ID as chassis ID. If you
          want to use the previous behavior, please set
-          SYSTEMD_LLDP_SEND_MACHINE_ID=1 environment variable to
+          SYSTEMD_LLDP_SEND_MACHINE_ID=1 environment variable for
          systemd-networkd.
        * Support for the !! command line prefix on ExecStart= lines (and
@ -137,11 +138,11 @@ CHANGES WITH 258 in spe:
          of the DeviceAllow= list. The latter behaviour has been removed.
        * The command 'journalctl --follow' now exits with success on
-          SIGTERM/SIGINT, or its pipe STDOUT is disconnected.
+          SIGTERM/SIGINT and when the pipe it is writing to is disconnected.
        * Support for System V style system state control has been removed:
          - The /dev/initctl device node has been removed.
-          - The initctl, runlevel and telinit commands have been removed.
+          - The initctl, runlevel, and telinit commands have been removed.
          - Support for system state control via the init command (e.g.
            'init 3') has been removed.
          - The units runlevel[0-6].target have been removed.
@ -171,8 +172,8 @@ CHANGES WITH 258 in spe:
          managed by "systemd-factory-reset request" and "systemd-factory-reset
          complete".
-        * The meson option 'integration-tests' has been deprecated, and will be
+        * The meson option '-Dintegration-tests=' has been deprecated, and will
-          removed in a future release.
+          be removed in a future release.
        Service manager/PID1:
@ -214,8 +215,8 @@ CHANGES WITH 258 in spe:
        * The security rules enforced by the per-unit AttachProcesses() bus API
          call have been relaxed a bit: unprivileged clients may now use the
          call on arbitrary processes which run in any user namespace owned by
-          the client's UID. Previously, a stricter rule applied, that required
+          the client's UID. Previously, a stricter rule applied that required
-          the UID of the process to move and of the client to match exactly.
+          the UIDs of the process to move and of the client to match exactly.
        * A new per-unit RemoveSubgroup() D-Bus API call has been added that
          makes the service manager attempt to remove a sub-cgroup of units
@ -258,7 +259,7 @@ CHANGES WITH 258 in spe:
        * So far the ConditionHost= condition matched against the local host
          name and machine UUID. It now also matches against the local product
-          ID of the system (as provided by SMBIOS/DMI), and the boot ID.
+          ID of the system (as provided by SMBIOS/DMI) and the boot ID.
        * A new setting DelegateNamespaces= for units has been added, which
          controls which type of Linux namespaces to delegate to the invoked
@ -297,9 +298,8 @@ CHANGES WITH 258 in spe:
          with strong resource management, and support for hierarchial job
          pools (by means of slices).
-        * ExecStart= lines (and the other ExecXYZ= lines) gained a new '|'
+        * ExecStart= lines (and the other ExecXYZ= lines) now support a new '|'
-          special prefix that if specified causes the command line to be
+          prefix that causes the command line to be invoked via a shell.
          invoked via a shell.
        * A basic Varlink API is now implemented in the service manager that
          can be used to determine its current state, and list units and their
@ -371,6 +371,10 @@ CHANGES WITH 258 in spe:
        * A new PrivateBPF= switch has been added for unit files, which may be
          used to mount a private bpffs instance for the unit's processes.
        * New user manager services systemd-nspawn@.service and
          systemd-vmspawn@.service and a machines.target unit to manage them
          have been added.
        systemd-journald & journal-remote:
        * journalctl's --setup-keys command now supports JSON output.
@ -527,6 +531,9 @@ CHANGES WITH 258 in spe:
        * The DHCPv4 client in systemd-networkd now also supports BOOTP (via
          the new BOOTP= setting).
        * The Local= setting in [Tunnel] section gained a new "dhcp_pd" value
          to allow setting the local address based on dhcp-pd addresses.
        sd-varlink & sd-json:
        * An API call sd_varlink_reset_fds() has been added that undoes the
@ -739,12 +746,19 @@ CHANGES WITH 258 in spe:
          once automatic Secure Boot keys have been enrolled, i.e. whether to
          reboot or whether to shut down the system.
-        * There's a new LoaderSysFail EFI environment variable that userspace
+        * Userspace may set a new LoaderSysFail EFI variable. It is used by
-          may set to an entry match pattern for systemd-boot. If set, and the
+          systemd-boot: when set and the system firmware reports some kind of
-          system firmware reports some kind of system failure (for now this is
+          system failure (for now this is pretty much only about failed
-          pretty much only about failed firmware updates) the selected entry is
+          firmware updates), systemd-boot will use the specified entry instead
-          booted into, instead of following the usual entry selection
+          of following the usual fallback entry selection logic. bootctl gained
-          logic. bootctl gained a new "set-sysfail" verb to set this variable.
+          a new "set-sysfail" verb to set this variable.
        * systemd-boot will now set LoaderTpm2ActivePcrBanks EFI variable to
          let the userspace know which TPM2 PCR banks are available. This is
          more reliable then trying to figure this out through sysfs.
        * systemd-stub will now also load global sysexts and confexts from
          ESP/loader/extensions/*.{sysext,confext}.raw.
        systemd-nsresourced & systemd-mountfsd:
@ -818,16 +832,53 @@ CHANGES WITH 258 in spe:
          tweak the shell field of users bound into a container with
          --bind-user=….
        systemd-vmspawn:
        * A new --smbios11= switch may be used to pass an SMBIOS Type #11
          vendor string easily into the booted process. This has various uses,
          one of them is to add additional menu entries to systemd-boot for a
          specific invocation. Example:
          --smbios11=io.systemd.boot.entries-extra:particleos-current.conf=$'title ParticleOS Current\nuki-url http://example.com/somedir/uki.efi'
        * A new switch --grow-image= has been added taking a size in bytes. If
          specified, the image booted into is grown to the specified size if
          found to be smaller.
        * systemd-vmspawn supports unprivileged networking now, using
          systemd-nsresourced's new API to acquire a TAP network device
          unprivileged.
        * systemd-vmspawn now supports --slice and --property= settings,
          matching systemd-nspawn.
        * A new --tpm-state= setting allows precise control of TPM state
          persistency.
        * A new --notify-ready= setting can be used to specify whether to
          expect a READY=1 notification from the guest.
        systemd-machined:
-        * systemd-machined now provides a comprehensive Varlink IPC API to its
+        * systemd-machined now provides a comprehensive Varlink IPC API.
          functionality.
        * The pidfd inode ID of a machine's leader process is now exposed as
          D-Bus property for machine objects, in addition to the PID. The inode
          ID is a 64bit unique identifier for a process that is not vulnerable
          to recycling issues.
        * A new "org.freedesktop.machine1.register-machine" polkit action is
          used when checking for privileges to register a machine. Previously,
          "org.freedesktop.machine1.create-machine" was used for creation and
          registration operations. The policy for the new action is more
          permissive: active users are allowed to perform the action without
          authentication.
        * systemd-machined now also tracks the "supervisor" process of a
          machine, i.e. the host process that manages the payload. This
          information is exposed through the Supervisor/SupervisorPIDFDId D-Bus
          properties and "supervisor"/supervisorProcessId" varlink properties.
        systemd-measure, ukify, systemd-keyutil, systemd-sbsign:
        * systemd-measure gained a new "policy-digest" verb. It's a lot like
@ -966,22 +1017,24 @@ CHANGES WITH 258 in spe:
        * systemd-homed gained two new bus API calls RegisterHome() and
          UnregisterHome() for registering a home locally by providing just the
-          user record, without any logic to actually create the home
+          user record, without any logic to actually create the home directory.
-          directory. homectl gained "register" and "unregister" verbs exposing
+          homectl gained "register" and "unregister" verbs exposing this. This
-          this. This is useful for registering network user accounts locally,
+          is useful for registering network user accounts locally, i.e. where
-          i.e. where some foreign user record and home directory already exists
+          some foreign user record and home directory already exists on some
-          on some server, and just need to be registered locally. This can be
+          server, and just need to be registered locally. This can be used to
-          used like the following to make a local systemd-homed home directory
+          make a local systemd-homed home directory securely accessible from
-          securely accessible from some other system:
+          some other system:
-          homectl update lennart --ssh-authorized-keys=… -N --storage=cifs --cifs-service="//$HOSTNAME/lennart"
+          $ homectl update lennart --ssh-authorized-keys=… -N \
-          homectl get-signing-key | ssh targetsystem homectl add-signing-key --key-name="$HOSTNAME".public
+              --storage=cifs --cifs-service="//$HOSTNAME/lennart"
-          homectl inspect -E lennart | ssh targetsystem homectl register -
+          $ homectl get-signing-key |
-          ssh lennart@targetsystem
+              ssh targetsystem homectl add-signing-key --key-name="$HOSTNAME".public
          $ homectl inspect -E lennart |
              ssh targetsystem homectl register -
          $ ssh lennart@targetsystem
-          There's also a system credential home.register.* now that can execute
+          There's also a new system credential 'home.register.*' that causes
-          the registration operation for a provided user record automatically
+          registration for the provided user record automatically at boot.
          at boot.
        * homectl gained a new switch --seize= taking a boolean argument. If
          true when used together with the "create" or "register" verbs any
@ -1112,7 +1165,8 @@ CHANGES WITH 258 in spe:
          after download. This may be used to boot directly into a disk image
          downloaded via HTTP via a kernel command line like this:
-          rd.systemd.pull=raw,machine,verify=no,blockdev:image:https://192.168.100.1:8081/image.raw root=/dev/disk/by-loop-ref/image.raw-part2
+          rd.systemd.pull=raw,machine,verify=no,blockdev:image:https://192.168.100.1:8081/image.raw \
              root=/dev/disk/by-loop-ref/image.raw-part2
        * systemd.pull=/rd.systemd.pull= also gained support for a new flag
          "bootorigin". If specified and if the system was network booted
@ -1120,7 +1174,8 @@ CHANGES WITH 258 in spe:
          variable, see above), the URL to boot from is now automatically
          formed from the UKI network boot URL with a new suffix. Example:
-          rd.systemd.pull=raw,machine,verify=no,blockdev,bootorigin:rootdisk:image.raw.xz root=/dev/disk/by-loop-ref/rootdisk.raw-part2
+          rd.systemd.pull=raw,machine,verify=no,blockdev,bootorigin:rootdisk:image.raw.xz \
              root=/dev/disk/by-loop-ref/rootdisk.raw-part2
        * The systemd.pull=/rd.systemd.pull= switches now also support a new
          flag "runtime=", taking a boolean argument. If true the downloaded
@ -1135,26 +1190,6 @@ CHANGES WITH 258 in spe:
        * systemd-importd gained support for downloading images compressed with
          zstd now, too. (In addition to .xz, .gz and .bz2.)
        systemd-vmspawn:
        * A new --smbios11= switch may be used to pass an SMBIOS Type #11
          vendor string easily into the booted process. This has various uses,
          one of them is to add additional menu entries to systemd-boot for a
          specific invocation. Example:
          --smbios11=io.systemd.boot.entries-extra:particleos-current.conf=$'title ParticleOS Current\nuki-url http://example.com/somedir/uki.efi'
        * A new switch --grow-image= has been added taking a size in bytes. If
          specified the image booted into is grown to the specified size if
          found to be smaller.
        * systemd-vmspawn supports unprivileged network now, using
          systemd-nsresourced's new API to acquire a TAP network device
          unprivileged.
        * A new --tpm-state= setting allows precise control of TPM state
          persistency.
        Factory Reset:
        * A new tool systemd-factory-reset has been added that may be used to
@ -1208,6 +1243,24 @@ CHANGES WITH 258 in spe:
          partition is not automatically made used of as is, on any OS that
          supports GPT.
        systemd-analyze:
        * systemd-analyze gained a new "chid" verb, which shows the "Computer
          Hardware IDs" (CHIDs) of the local system. This is useful for
          preparing CHID-to-DeviceTree mappings when building UKIs.
        * systemd-analyze gained a new "transient-settings" verb, which shows
          all unit settings one can configure dynamically via the
          "--property="/"-p" switch when invoking transient units.
        * systemd-analyze gained a new "unit-shell" verb that invokes an
          interactive shell inside the namespaces of the main process
          of a specified unit. This is useful for debugging unit sandboxes, and
          getting an idea how things look like from the "inside" of a service.
        * systemd-analyze gained a new "unit-gdb" verb to attach a debugger
          to a unit.
        Other:
        * systemd-ask-password now provides a small Varlink API to
@ -1222,19 +1275,6 @@ CHANGES WITH 258 in spe:
          any of systemd's own service and has the intended effect of enabling
          debug logging if it gets automatically restarted.
        * systemd-analyze gained a new "chid" verb, which shows the "Computer
          Hardware IDs" (CHIDs) of the local system. This is useful for
          preparing CHID-to-DeviceTree mappings when building UKIs.
        * systemd-analyze gained a new "transient-settings" verb, which shows
          all unit settings one can configure dynamically via the "-p" switch
          when invoking transient units.
        * systemd-analyze gained a new "unit-shell" verb that invokes an
          interactive shell inside the namespaces of the main process
          of a specified unit. This is useful for debugging unit sandboxes, and
          getting an idea how things look like from the "inside" of a service.
        * The "package note" specification ELF binaries has been extended to
          cover PE binaries (i.e. UEFI binaries), too.
@ -1263,6 +1303,10 @@ CHANGES WITH 258 in spe:
        * systemd-detect & ConditionVirtualization= now recognize the "Arm
          Confidential Compute Architecture" (cca) confidential virtualization.
        * systemd-detect-virt now correctly distinguishes between bare-metal
          and virtualized machines in Google Compute Engine, and will not
          report the former as virtualized.
        * systemd-sysusers now generates Linux audit records when it adds
          system users.
@ -1742,7 +1786,7 @@ CHANGES WITH 257:
          exposing its functionality. This is an alternative to the
          pre-existing D-Bus interface.
-        systemd-resolved:
+        systemd-resolved and resolvectl:
        * The resolvconf command now supports '-p' switch. If specified, the
          interface will not be used as the default route for domain name
@ -1751,6 +1795,10 @@ CHANGES WITH 257:
        * resolvectl now enables interactive polkit authorization. It gained a
          --no-ask-password option to suppress it.
        * systemd-resolved now implements continuous mDNS querying as per
          RFC6762 §5.2. Clients can subscribe to the notification stream using
          varlink.
        systemd-networkd and networkctl:
        * IPv6 address labels can be also configured in a new [IPv6AddressLabel]
@ -2282,8 +2330,8 @@ CHANGES WITH 256:
          considered obsolete and systemd by default will refuse to boot under
          it. To forcibly reenable cgroup v1 support,
          SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 must be set on kernel command
-          line. The meson option 'default-hierarchy=' is also deprecated, i.e.
+          line. The meson option '-Ddefault-hierarchy=' is also deprecated, and
-          only cgroup v2 ('unified' hierarchy) can be selected as build-time
+          only cgroup v2 ('unified' hierarchy) can be selected as the build-time
          default.
        * Support for System V service scripts is deprecated and will be
--- a/1
+++ b/1
@ -212,6 +212,7 @@ REQUIREMENTS:
        newer though. TL;DR: turn audit off, still.
        glibc >= 2.31
        libxcrypt or glibc (<= 2.38 built with --enable-crypt)
        libcap
        libmount >= 2.30 (from util-linux)
                (util-linux *must* be built without --enable-libmount-support-mtab)
--- a/man/systemd-getty-generator.xml
+++ b/man/systemd-getty-generator.xml
@ -64,11 +64,35 @@
      <varlistentry>
        <term><varname>systemd.getty_auto=</varname></term>
-        <listitem><para>this options take an optional boolean argument, and default to yes.
+        <listitem>
-        The generator is enabled by default, and a false value may be used to disable it.
+          <para>This kernel command line option may be used to control the execution mode of the generator.
-        </para>
+          Takes an optional boolean argument. Since v258, this also takes comma-separated list of special
          values: <literal>credential</literal>, <literal>container</literal>, <literal>console</literal>,
          and <literal>builtin</literal>.</para>
-        <xi:include href="version-info.xml" xpointer="v250"/></listitem>
+          <para>When <literal>credential</literal> is specified, the two credentials
          <varname>getty.ttys.serial</varname> and <varname>getty.ttys.container</varname> will be parsed.
          See System Credentials section below for more details.</para>
          <para>When <literal>container</literal> is specified, <filename>console-getty.service</filename>
          and <filename>container-getty@.service</filename> will be enabled when the system is running in a
          container. This option will be ignored when the system is not in a container.</para>
          <para>When <literal>console</literal> is specified, <filename>serial-getty@.service</filename> for
          active kernel consoles will be enabled. This option will be ignored when the system is running in a
          container.</para>
          <para>When <literal>builtins</literal> is specified, <filename>serial-getty@.service</filename> for
          available virtualizer consoles will be enabled. This option will be ignored when the system is
          running in a container.</para>
          <para>When yes, the above four options will be enabled. When no, all options are disabled and no
          service will be enabled. When the kernel command line option is specified without an argument,
          defaults to yes. The generator is enabled by default, and a false value may be used to disable it.
          </para>
          <xi:include href="version-info.xml" xpointer="v250"/>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
@ -80,11 +104,12 @@
      <varlistentry>
        <term><varname>$SYSTEMD_GETTY_AUTO</varname></term>
-        <listitem><para>This variable takes an optional boolean argument, and default to yes.
+        <listitem>
-        The generator is enabled by default, and a false value may be used to disable it.
+          <para>This environment variable may be used to control the execution mode of the generator.
-        </para>
+          Takes the same value as <varname>systemd.getty_auto=</varname> kernel command line option.</para>
-        <xi:include href="version-info.xml" xpointer="v250"/></listitem>
+          <xi:include href="version-info.xml" xpointer="v250"/>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
@ -93,6 +118,17 @@
    <title>System Credentials</title>
    <variablelist class='system-credentials'>
      <varlistentry>
        <term><varname>getty.auto</varname></term>
        <listitem>
          <para>The system credential may be used to control the execution mode of the generator.
          Takes the same value as <varname>systemd.getty_auto=</varname> kernel command line option.</para>
          <xi:include href="version-info.xml" xpointer="v258"/>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>getty.ttys.serial</varname></term>
        <term><varname>getty.ttys.container</varname></term>
@ -101,7 +137,7 @@
        TTYs. The two credentials should contain a newline-separated list of TTY names to spawn instances of
        <filename>serial-getty@.service</filename> (in case of <varname>getty.ttys.serial</varname>) and
        <filename>container-getty@.service</filename> (in case of <varname>getty.ttys.container</varname>)
-        on.</para>
+        on. Any lines starting with a <literal>#</literal> will be ignored.</para>
        <xi:include href="version-info.xml" xpointer="v254"/></listitem>
      </varlistentry>
--- a/man/systemd.system-credentials.xml
+++ b/man/systemd.system-credentials.xml
@ -287,6 +287,15 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>getty.auto</varname></term>
        <listitem><para>Used for controlling the execution mode of <filename>systemd-getty-generator</filename>. See
        <citerefentry><refentrytitle>systemd-getty-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para>
        <xi:include href="version-info.xml" xpointer="v258"/></listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>getty.ttys.serial</varname></term>
        <term><varname>getty.ttys.container</varname></term>
--- a/meson.build
+++ b/meson.build
@ -685,15 +685,22 @@ conf.set('GPERF_LEN_TYPE', gperf_len_type,
 #####################################################################
-if not cc.has_header('sys/capability.h')
+foreach header : [
-        error('POSIX caps headers not found')
+        'crypt.h',
-endif
+        'sys/capability.h',
-foreach header : ['crypt.h',
+]
-                  'sys/sdt.h',
+
-                  'threads.h',
+        if not cc.has_header(header)
-                  'valgrind/memcheck.h',
+                error('Header file @0@ not found.'.format(header))
-                  'valgrind/valgrind.h',
+        endif
-                 ]
+endforeach
 foreach header : [
        'sys/sdt.h',
        'threads.h',
        'valgrind/memcheck.h',
        'valgrind/valgrind.h',
 ]
        conf.set10('HAVE_' + header.underscorify().to_upper(),
                   cc.has_header(header))
@ -989,11 +996,6 @@ threads = dependency('threads')
 librt = cc.find_library('rt')
 libm = cc.find_library('m')
 libdl = cc.find_library('dl')
 libcrypt = dependency('libcrypt', 'libxcrypt', required : false)
 if not libcrypt.found()
        # fallback to use find_library() if libcrypt is provided by glibc, e.g. for LibreELEC.
        libcrypt = cc.find_library('crypt')
 endif
 libcap = dependency('libcap')
 # On some architectures, libatomic is required. But on some installations,
@ -1007,15 +1009,21 @@ else
        libatomic = []
 endif
-crypt_header = conf.get('HAVE_CRYPT_H') == 1 ? '''#include <crypt.h>''' : '''#include <unistd.h>'''
+libcrypt = dependency('libcrypt', 'libxcrypt', required : false)
-foreach ident : [
+if not libcrypt.found()
-        ['crypt_ra',               crypt_header],
+        # fallback to use find_library() if libcrypt is provided by glibc, e.g. for LibreELEC.
-        ['crypt_preferred_method', crypt_header],
+        libcrypt = cc.find_library('crypt')
-        ['crypt_gensalt_ra',       crypt_header]]
+endif
-        have = cc.has_function(ident[0], prefix : ident[1], args : '-D_GNU_SOURCE',
+foreach func : [
        'crypt_ra',               # since libxcrypt-4.0.0
        'crypt_gensalt_ra',       # since libxcrypt-4.0.0
        'crypt_preferred_method', # since libxcrypt-4.4.0
 ]
        have = cc.has_function(func, prefix : '''#include <crypt.h>''', args : '-D_GNU_SOURCE',
                               dependencies : libcrypt)
-        conf.set10('HAVE_' + ident[0].to_upper(), have)
+        conf.set10('HAVE_' + func.to_upper(), have)
 endforeach
 bpf_framework = get_option('bpf-framework')
--- a/src/analyze/analyze-unit-shell.c
+++ b/src/analyze/analyze-unit-shell.c
@ -82,7 +82,7 @@ int verb_unit_shell(int argc, char *argv[], void *userdata) {
                        "(unit-shell-ns)",
                        "(unit-shell)",
                        /* except_fds= */ NULL,
-                        /* n_except_fds */ 0,
+                        /* n_except_fds= */ 0,
                        FORK_RESET_SIGNALS|FORK_DEATHSIG_SIGKILL,
                        pidns_fd,
                        mntns_fd,
--- a/src/basic/conf-files.c
+++ b/src/basic/conf-files.c
@ -291,7 +291,7 @@ static int files_add(
                        if (need_stat) {
                                /* If we need to have stat, skip the entry. */
-                                log_debug_errno(SYNTHETIC_ERRNO(ENOENT), "Failed to chase '%s/%s', ignoring: %m",
+                                log_debug_errno(SYNTHETIC_ERRNO(ENOENT), "Failed to chase '%s/%s', ignoring.",
                                                root, skip_leading_slash(original_path));
                                continue;
                        }
--- a/src/basic/terminal-util.c
+++ b/src/basic/terminal-util.c
@ -1777,7 +1777,7 @@ int vt_restore(int fd) {
        assert(fd >= 0);
        if (!isatty_safe(fd))
-                return log_debug_errno(SYNTHETIC_ERRNO(ENOTTY), "Asked to restore the VT for an fd that does not refer to a terminal: %m");
+                return log_debug_errno(SYNTHETIC_ERRNO(ENOTTY), "Asked to restore the VT for an fd that does not refer to a terminal.");
        if (ioctl(fd, KDSETMODE, KD_TEXT) < 0)
                RET_GATHER(ret, log_debug_errno(errno, "Failed to set VT to text mode, ignoring: %m"));
@ -1804,7 +1804,7 @@ int vt_release(int fd, bool restore) {
         * VT-switching modes. */
        if (!isatty_safe(fd))
-                return log_debug_errno(SYNTHETIC_ERRNO(ENOTTY), "Asked to release the VT for an fd that does not refer to a terminal: %m");
+                return log_debug_errno(SYNTHETIC_ERRNO(ENOTTY), "Asked to release the VT for an fd that does not refer to a terminal.");
        if (ioctl(fd, VT_RELDISP, 1) < 0)
                return -errno;
--- a/src/bless-boot/bless-boot.c
+++ b/src/bless-boot/bless-boot.c
@ -236,7 +236,7 @@ static int acquire_boot_count_path(
        if (r < 0)
                return log_error_errno(r, "Failed to extract filename from LoaderBootCountPath '%s': %m", path);
        if (r == 0)
-                return log_error_errno(SYNTHETIC_ERRNO(EADDRNOTAVAIL), "LoaderBootCountPath '%s' refers to the root directory: %m", path);
+                return log_error_errno(SYNTHETIC_ERRNO(EADDRNOTAVAIL), "LoaderBootCountPath '%s' refers to the root directory.", path);
        if (strlen(last) > (size_t) r)
                return log_error_errno(SYNTHETIC_ERRNO(EISDIR), "LoaderBootCountPath '%s' refers to directory path, refusing.", path);
--- a/src/boot/linux.c
+++ b/src/boot/linux.c
@ -22,6 +22,28 @@
 #define STUB_PAYLOAD_GUID \
        { 0x55c5d1f8, 0x04cd, 0x46b5, { 0x8a, 0x20, 0xe5, 0x6c, 0xbb, 0x30, 0x52, 0xd0 } }
 typedef struct {
        const void *addr;
        size_t len;
        const EFI_DEVICE_PATH *device_path;
 } ValidationContext;
 static bool validate_payload(
                const void *ctx, const EFI_DEVICE_PATH *device_path, const void *file_buffer, size_t file_size) {
        const ValidationContext *payload = ASSERT_PTR(ctx);
        if (device_path != payload->device_path)
                return false;
        /* Security arch (1) protocol does not provide a file buffer. Instead we are supposed to fetch the payload
         * ourselves, which is not needed as we already have everything in memory and the device paths match. */
        if (file_buffer && (file_buffer != payload->addr || file_size != payload->len))
                return false;
        return true;
 }
 static EFI_STATUS load_via_boot_services(
                EFI_HANDLE parent,
                EFI_LOADED_IMAGE_PROTOCOL* parent_loaded_image,
@ -43,6 +65,19 @@ static EFI_STATUS load_via_boot_services(
        _cleanup_free_ EFI_DEVICE_PATH* file_path = device_path_replace_node(parent_loaded_image->FilePath, NULL, &device_node.Header);
        /* When running with shim < v16 and booting a UKI directly from it, without a second stage loader,
         * the shim verify protocol needs to be called or it will raise a security violation when starting
         * the image (e.g.: Fedora Cloud Base UKI). TODO: drop once support for shim < v16 is not needed. */
        if (!shim_loader_available())
                install_security_override(
                                validate_payload,
                                &(ValidationContext) {
                                        .addr = kernel->iov_base,
                                        .len = kernel->iov_len,
                                        .device_path = file_path,
                                });
        err = BS->LoadImage(/* BootPolicy= */false,
                            parent,
                            file_path,
@ -50,6 +85,9 @@ static EFI_STATUS load_via_boot_services(
                            kernel->iov_len,
                            &kernel_image);
        if (!shim_loader_available())
                uninstall_security_override();
        if (err != EFI_SUCCESS)
                return log_error_status(EFI_LOAD_ERROR, "Error loading inner kernel with shim: %m");
@ -131,7 +169,7 @@ EFI_STATUS linux_exec(
         *
         * See https://github.com/rhboot/shim/blob/main/README.md#shim-loader-protocol
         */
-        if (secure_boot_enabled() && shim_loader_available())
+        if (secure_boot_enabled() && (shim_loader_available() || (shim_loaded() && security_override_available())))
                return load_via_boot_services(
                                parent,
                                parent_loaded_image,
--- a/src/boot/pe.c
+++ b/src/boot/pe.c
@ -366,8 +366,8 @@ static void pe_locate_sections(
                                  n_section_table,
                                  section_names,
                                  validate_base,
-                                  /* device_base */ NULL,
+                                  /* device_table = */ NULL,
-                                  /* device */ NULL,
+                                  /* device = */ NULL,
                                  sections);
        /* It doesn't make sense not to provide validate_base here */
@ -386,8 +386,8 @@ static void pe_locate_sections(
                                n_section_table,
                                hwid_section_names,
                                validate_base,
-                                /* device_table */ NULL,
+                                /* device_table = */ NULL,
-                                /* device */ NULL,
+                                /* device = */ NULL,
                                hwids_section);
                if (PE_SECTION_VECTOR_IS_SET(hwids_section)) {
--- a/src/boot/secure-boot.c
+++ b/src/boot/secure-boot.c
@ -120,7 +120,7 @@ EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path, bool
        err = open_directory(root_dir, path, &dir);
        if (err != EFI_SUCCESS)
-                return log_error_status(err, "Failed opening keys directory %ls: %m", path);
+                return log_error_status(err, "Failed to open keys directory %ls: %m", path);
        struct {
                const char16_t *name;
@ -140,7 +140,7 @@ EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path, bool
        FOREACH_ELEMENT(sb_var, sb_vars) {
                err = file_read(dir, sb_var->filename, 0, 0, &sb_var->buffer, &sb_var->size);
                if (err != EFI_SUCCESS && sb_var->required) {
-                        log_error_status(err, "Failed reading file %ls\\%ls: %m", path, sb_var->filename);
+                        log_error_status(err, "Failed to read file %ls\\%ls: %m", path, sb_var->filename);
                        goto out_deallocate;
                }
                if (streq16(sb_var->name, u"PK") && sb_var->size > 20) {
@ -161,7 +161,7 @@ EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path, bool
        }
        if (need_custom_mode && !custom_mode_enabled()) {
-                err = set_custom_mode(/* enable */ true);
+                err = set_custom_mode(/* enable = */ true);
                if (err != EFI_SUCCESS) {
                        log_error_status(err, "Failed to enable custom mode: %m");
                        goto out_deallocate;
@ -262,6 +262,7 @@ static EFIAPI EFI_STATUS security2_hook(
 * of their spec. But there is little else we can do to circumvent secure boot short of implementing our own
 * PE loader. We could replace the firmware instances with our own instance using
 * ReinstallProtocolInterface(), but some firmware will still use the old ones. */
 // TODO: now that there is a custom PE loader, this can be dropped once shim < v16 is no longer supported.
 void install_security_override(security_validator_t validator, const void *validator_ctx) {
        EFI_STATUS err;
@ -292,6 +293,14 @@ void install_security_override(security_validator_t validator, const void *valid
        }
 }
 bool security_override_available(void) {
        EFI_SECURITY_ARCH_PROTOCOL *security;
        EFI_SECURITY2_ARCH_PROTOCOL *security2;
        return BS->LocateProtocol(MAKE_GUID_PTR(EFI_SECURITY_ARCH_PROTOCOL), NULL, (void **) &security) == EFI_SUCCESS &&
               BS->LocateProtocol(MAKE_GUID_PTR(EFI_SECURITY2_ARCH_PROTOCOL), NULL, (void **) &security2) == EFI_SUCCESS;
 }
 void uninstall_security_override(void) {
        if (security_override.original_hook)
                security_override.security->FileAuthenticationState = security_override.original_hook;
--- a/src/boot/secure-boot.h
+++ b/src/boot/secure-boot.h
@ -31,6 +31,7 @@ typedef bool (*security_validator_t)(
 void install_security_override(security_validator_t validator, const void *validator_ctx);
 void uninstall_security_override(void);
 bool security_override_available(void);
 const char* secure_boot_enroll_to_string(secure_boot_enroll e) _const_;
 const char* secure_boot_enroll_action_to_string(secure_boot_enroll_action e) _const_;
--- a/src/bootctl/bootctl-random-seed.c
+++ b/src/bootctl/bootctl-random-seed.c
@ -34,7 +34,7 @@ static int random_seed_verify_permissions(int fd, mode_t expected_type) {
        if (((st.st_mode ^ expected_type) & S_IFMT) != 0)
                return log_error_errno(SYNTHETIC_ERRNO(EBADF),
-                                       "Unexpected inode type when validating random seed access mode on %s: %m", full_path);
+                                       "Unexpected inode type when validating random seed access mode on '%s'.", full_path);
        if ((st.st_mode & 0007) == 0) /* All world bits are off? Then all is good */
                return 0;
--- a/src/core/bpf-restrict-ifaces.c
+++ b/src/core/bpf-restrict-ifaces.c
@ -211,7 +211,7 @@ int bpf_restrict_ifaces_supported(void) {
 int bpf_restrict_ifaces_install(Unit *u) {
        return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
-                        "restrict-interfaces: Failed to install; BPF programs built from source code are not supported: %m");
+                        "restrict-interfaces: Failed to install; BPF programs built from source code are not supported.");
 }
 int bpf_restrict_ifaces_serialize(Unit *u, FILE *f, FDSet *fds) {
--- a/src/core/dbus.c
+++ b/src/core/dbus.c
@ -921,7 +921,7 @@ int bus_init_private(Manager *m) {
                r = sockaddr_un_set_path(&sa.un, p);
        }
        if (r < 0)
-                return log_error_errno(r, "Failed set socket path for private bus: %m");
+                return log_error_errno(r, "Failed to set socket path for private bus: %m");
        sa_len = r;
        (void) sockaddr_un_unlink(&sa.un);
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@ -2791,7 +2791,7 @@ static int apply_exec_quotas(
 #define MAX_PROJ_ID_RETRIES 10
                for (unsigned attempt = 0;; attempt++) {
                        if (attempt >= MAX_PROJ_ID_RETRIES)
-                                return log_debug_errno(SYNTHETIC_ERRNO(EBUSY), "Failed to generate unique project ID for %s: %m", target_dir);
+                                return log_debug_errno(SYNTHETIC_ERRNO(EBUSY), "Failed to generate unique project ID for '%s'.", target_dir);
                        /* Check if project quotas are supported */
                        struct dqblk req;
@ -4608,7 +4608,7 @@ static int setup_delegated_namespaces(
            exec_namespace_is_delegated(context, params, have_cap_sys_admin, CLONE_NEWPID) == delegate) {
                if (params->pidref_transport_fd < 0) {
                        *reterr_exit_status = EXIT_NAMESPACE;
-                        return log_error_errno(SYNTHETIC_ERRNO(ENOTCONN), "PidRef socket is not set up: %m");
+                        return log_error_errno(SYNTHETIC_ERRNO(ENOTCONN), "PidRef socket is not set up.");
                }
                /* If we had CAP_SYS_ADMIN prior to joining the user namespace, then we are privileged and don't need
--- a/src/core/job.c
+++ b/src/core/job.c
@ -1199,7 +1199,7 @@ void job_add_to_run_queue(Job *j) {
        r = prioq_put(j->manager->run_queue, j, &j->run_queue_idx);
        if (r < 0)
-                log_warning_errno(r, "Failed put job in run queue, ignoring: %m");
+                log_warning_errno(r, "Failed to put job in run queue, ignoring: %m");
        else
                j->in_run_queue = true;
--- a/src/core/main.c
+++ b/src/core/main.c
@ -1421,7 +1421,7 @@ static int os_release_status(void) {
                }
        }
-        if (support_end && os_release_support_ended(support_end, /* quiet */ false, NULL) > 0)
+        if (support_end && os_release_support_ended(support_end, /* quiet = */ false, /* ret_eol = */ NULL) > 0)
                /* pretty_name may include the version already, so we'll print the version only if we
                 * have it and we're not using pretty_name. */
                status_printf(ANSI_HIGHLIGHT_RED "  !!  " ANSI_NORMAL, 0,
--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
@ -79,7 +79,7 @@ int mac_selinux_setup(bool *loaded_policy) {
                if (enforce > 0) {
                        if (!initialized)
                                return log_struct_errno(LOG_EMERG, SYNTHETIC_ERRNO(EIO),
-                                                        LOG_MESSAGE("Failed to load SELinux policy :%m"),
+                                                        LOG_MESSAGE("Failed to load SELinux policy."),
                                                        LOG_MESSAGE_ID(SD_MESSAGE_SELINUX_FAILED_STR));
                        log_notice("Failed to load new SELinux policy. Continuing with old policy.");
--- a/src/core/service.c
+++ b/src/core/service.c
@ -393,7 +393,7 @@ static void service_extend_event_source_timeout(Service *s, sd_event_source *sou
        if (r < 0) {
                const char *desc;
                (void) sd_event_source_get_description(s->timer_event_source, &desc);
-                log_unit_warning_errno(UNIT(s), r, "Failed to set timeout time for event source '%s', ignoring %m", strna(desc));
+                log_unit_warning_errno(UNIT(s), r, "Failed to set timeout time for event source '%s', ignoring: %m", strna(desc));
        }
 }
--- a/src/core/socket.c
+++ b/src/core/socket.c
@ -1578,7 +1578,7 @@ static int socket_address_listen_in_cgroup(
        r = unit_setup_exec_runtime(UNIT(s));
        if (r < 0)
-                return log_unit_error_errno(UNIT(s), r, "Failed acquire runtime: %m");
+                return log_unit_error_errno(UNIT(s), r, "Failed to acquire runtime: %m");
        if (s->exec_context.network_namespace_path &&
            s->exec_runtime &&
--- a/src/cryptenroll/cryptenroll-password.c
+++ b/src/cryptenroll/cryptenroll-password.c
@ -188,7 +188,7 @@ int enroll_password(
                }
        }
-        r = check_password_quality(new_password, /* old */ NULL, /* user */ NULL, &error);
+        r = check_password_quality(new_password, /* old = */ NULL, /* user = */ NULL, &error);
        if (ERRNO_IS_NEG_NOT_SUPPORTED(r))
                log_warning("Password quality check is not supported, proceeding anyway.");
        else if (r < 0)
--- a/src/dissect/dissect.c
+++ b/src/dissect/dissect.c
@ -1556,7 +1556,7 @@ static int action_list_or_mtree_or_copy_or_make_archive(DissectedImage *m, LoopD
                 * the mounts are done in a mount namespace there's not going to be a collision here */
                r = get_common_dissect_directory(&t);
                if (r < 0)
-                        return log_error_errno(r, "Failed generate private mount directory: %m");
+                        return log_error_errno(r, "Failed to generate private mount directory: %m");
                r = dissected_image_mount_and_warn(
                                m,
--- a/src/firstboot/firstboot.c
+++ b/src/firstboot/firstboot.c
@ -824,7 +824,7 @@ static int prompt_root_password(int rfd) {
                        break;
                }
-                r = check_password_quality(*a, /* old */ NULL, "root", &error);
+                r = check_password_quality(*a, /* old = */ NULL, "root", &error);
                if (ERRNO_IS_NEG_NOT_SUPPORTED(r))
                        log_warning("Password quality check is not supported, proceeding anyway.");
                else if (r < 0)
--- a/src/getty-generator/getty-generator.c
+++ b/src/getty-generator/getty-generator.c
@ -21,17 +21,27 @@
 #include "unit-name.h"
 #include "virt.h"
-static const char *arg_dest = NULL;
+typedef enum {
-static bool arg_enabled = true;
+        GETTY_SOURCE_NONE       = 0,
        GETTY_SOURCE_CREDENTIAL = 1 << 0,
        GETTY_SOURCE_CONTAINER  = 1 << 1,
        GETTY_SOURCE_CONSOLE    = 1 << 2,
        GETTY_SOURCE_BUILTIN    = 1 << 3,
        GETTY_SOURCE_ALL        = GETTY_SOURCE_CREDENTIAL | GETTY_SOURCE_CONTAINER | GETTY_SOURCE_CONSOLE | GETTY_SOURCE_BUILTIN,
 } GettySourceFlag;
-static int add_getty_impl(const char *tty, const char *type, const char *unit_path) {
+static const char *arg_dest = NULL;
 static GettySourceFlag arg_getty_sources = GETTY_SOURCE_ALL;
 static int add_getty_impl(const char *tty, const char *path, const char *type, const char *unit_path) {
        int r;
        assert(type);
        assert(path);
        assert(unit_path);
        if (!filename_is_valid(tty)) {
-                log_debug("Invalid %s tty device specified, ignoring: %s", type, tty);
+                log_debug("Invalid %s tty device specified, ignoring: %s", type, path);
                return 0;
        }
@ -45,17 +55,23 @@ static int add_getty_impl(const char *tty, const char *type, const char *unit_pa
        return generator_add_symlink_full(arg_dest, "getty.target", "wants", unit_path, instance);
 }
-static int add_serial_getty(const char *tty) {
+static int add_serial_getty(const char *path) {
-        tty = skip_dev_prefix(ASSERT_PTR(tty));
+        const char *tty = skip_dev_prefix(ASSERT_PTR(path));
-        return add_getty_impl(tty, "serial", SYSTEM_DATA_UNIT_DIR "/serial-getty@.service");
+        return add_getty_impl(tty, path, "serial", SYSTEM_DATA_UNIT_DIR "/serial-getty@.service");
 }
-static int add_container_getty(const char *tty) {
+static int add_container_getty(const char *tty_or_path) {
-        if (is_path(tty))
+        const char *tty;
                /* Check if it is actually a pty. */
                tty = path_startswith(skip_dev_prefix(tty), "pts/");
-        return add_getty_impl(tty, "container", SYSTEM_DATA_UNIT_DIR "/container-getty@.service");
+        assert(tty_or_path);
        if (is_path(tty_or_path))
                /* Check if it is actually a pty. */
                tty = path_startswith(skip_dev_prefix(tty_or_path), "pts/");
        else
                tty = tty_or_path;
        return add_getty_impl(tty, tty_or_path, "container", SYSTEM_DATA_UNIT_DIR "/container-getty@.service");
 }
 static int verify_tty(const char *path) {
@ -159,24 +175,101 @@ static int add_credential_gettys(void) {
        return 0;
 }
 static int parse_getty_sources(const char *s, GettySourceFlag *ret) {
        int r;
        assert(ret);
        if (isempty(s)) {
                *ret = GETTY_SOURCE_ALL;
                return 0;
        }
        r = parse_boolean(s);
        if (r >= 0) {
                *ret = r ? GETTY_SOURCE_ALL : GETTY_SOURCE_NONE;
                return 0;
        }
        static struct {
                GettySourceFlag flag;
                const char *str;
        } table[] = {
                { GETTY_SOURCE_CREDENTIAL, "credential", },
                { GETTY_SOURCE_CONTAINER,  "container",  },
                { GETTY_SOURCE_CONSOLE,    "console",    },
                { GETTY_SOURCE_BUILTIN,    "builtin",    },
        };
        GettySourceFlag flags = 0;
        for (const char *p = s;;) {
                _cleanup_free_ char *word = NULL;
                r = extract_first_word(&p, &word, ",", /* flags = */ 0);
                if (r < 0)
                        return r;
                if (r == 0)
                        break;
                bool found = false;
                FOREACH_ELEMENT(i, table)
                        if (streq(word, i->str)) {
                                flags |= i->flag;
                                found = true;
                                break;
                        }
                if (!found)
                        return -EINVAL;
        }
        *ret = flags;
        return 0;
 }
 static int parse_proc_cmdline_item(const char *key, const char *value, void *data) {
        int r;
        assert(key);
        if (proc_cmdline_key_streq(key, "systemd.getty_auto")) {
-                r = value ? parse_boolean(value) : 1;
+                r = parse_getty_sources(value, &arg_getty_sources);
                if (r < 0)
-                        log_warning_errno(r, "Failed to parse getty_auto switch \"%s\", ignoring: %m", value);
+                        log_warning_errno(r, "Failed to parse systemd.getty_auto= kernel command line option, ignoring: %s", value);
                else
                        arg_enabled = r;
        }
        return 0;
 }
 static void parse_env(void) {
        _cleanup_free_ char *value = NULL;
        int r;
        r = getenv_for_pid(1, "SYSTEMD_GETTY_AUTO", &value);
        if (r < 0)
                log_warning_errno(r, "Failed to parse $SYSTEMD_GETTY_AUTO environment variable, ignoring: %m");
        else if (r > 0) {
                r = parse_getty_sources(value, &arg_getty_sources);
                if (r < 0)
                        log_warning_errno(r, "Failed to parse $SYSTEMD_GETTY_AUTO environment variable, ignoring: %s", value);
        }
 }
 static void parse_credentials(void) {
        _cleanup_free_ char *value = NULL;
        int r;
        r = read_credential_with_decryption("getty.auto", (void**) &value, /* ret_size = */ NULL);
        if (r < 0)
                log_debug_errno(r, "Failed to read credential 'getty.auto', ignoring: %m");
        else if (r > 0) {
                r = parse_getty_sources(value, &arg_getty_sources);
                if (r < 0)
                        log_warning_errno(r, "Invalid 'getty.auto' credential, ignoring: %s", value);
        }
 }
 static int run(const char *dest, const char *dest_early, const char *dest_late) {
        _cleanup_free_ char *getty_auto = NULL;
        int r;
        assert_se(arg_dest = dest);
@ -190,72 +283,73 @@ static int run(const char *dest, const char *dest_early, const char *dest_late)
        if (r < 0)
                log_warning_errno(r, "Failed to parse kernel command line, ignoring: %m");
-        r = getenv_for_pid(1, "SYSTEMD_GETTY_AUTO", &getty_auto);
+        parse_env();
-        if (r < 0)
+        parse_credentials();
                log_warning_errno(r, "Failed to parse $SYSTEMD_GETTY_AUTO environment variable, ignoring: %m");
        else if (r > 0) {
                r = parse_boolean(getty_auto);
                if (r < 0)
                        log_warning_errno(r, "Failed to parse $SYSTEMD_GETTY_AUTO value \"%s\", ignoring: %m", getty_auto);
                else
                        arg_enabled = r;
        }
-        if (!arg_enabled) {
+        if (arg_getty_sources == GETTY_SOURCE_NONE) {
                log_debug("Disabled, exiting.");
                return 0;
        }
-        r = add_credential_gettys();
+        if (FLAGS_SET(arg_getty_sources, GETTY_SOURCE_CREDENTIAL)) {
-        if (r < 0)
+                r = add_credential_gettys();
                return r;
        if (detect_container() > 0)
                /* Add console shell and look at $container_ttys, but don't do add any
                 * further magic if we are in a container. */
                return run_container();
        /* Automatically add in a serial getty on all active kernel consoles */
        _cleanup_strv_free_ char **consoles = NULL;
        r = get_kernel_consoles(&consoles);
        if (r < 0)
                log_warning_errno(r, "Failed to get active kernel consoles, ignoring: %m");
        else if (r > 0)
                STRV_FOREACH(i, consoles) {
                        /* We assume that gettys on virtual terminals are started via manual configuration
                         * and do this magic only for non-VC terminals. */
                        if (tty_is_vc(*i))
                                continue;
                        if (verify_tty(*i) < 0)
                                continue;
                        r = add_serial_getty(*i);
                        if (r < 0)
                                return r;
                }
        /* Automatically add a serial getty to each available virtualizer console. */
        FOREACH_STRING(j,
                       "hvc0",
                       "xvc0",
                       "hvsi0",
                       "sclp_line0",
                       "ttysclp0",
                       "3270/tty1") {
                _cleanup_free_ char *p = NULL;
                p = path_join("/dev", j);
                if (!p)
                        return log_oom();
                if (access(p, F_OK) < 0)
                        continue;
                r = add_serial_getty(j);
                if (r < 0)
                        return r;
        }
        if (detect_container() > 0) {
                /* Add console shell and look at $container_ttys, but don't do add any
                 * further magic if we are in a container. */
                if (FLAGS_SET(arg_getty_sources, GETTY_SOURCE_CONTAINER))
                        return run_container();
                return 0;
        }
        /* Automatically add in a serial getty on all active kernel consoles */
        if (FLAGS_SET(arg_getty_sources, GETTY_SOURCE_CONSOLE)) {
                _cleanup_strv_free_ char **consoles = NULL;
                r = get_kernel_consoles(&consoles);
                if (r < 0)
                        log_warning_errno(r, "Failed to get active kernel consoles, ignoring: %m");
                else if (r > 0)
                        STRV_FOREACH(i, consoles) {
                                /* We assume that gettys on virtual terminals are started via manual configuration
                                 * and do this magic only for non-VC terminals. */
                                if (tty_is_vc(*i))
                                        continue;
                                if (verify_tty(*i) < 0)
                                        continue;
                                r = add_serial_getty(*i);
                                if (r < 0)
                                        return r;
                        }
        }
        /* Automatically add a serial getty to each available virtualizer console. */
        if (FLAGS_SET(arg_getty_sources, GETTY_SOURCE_BUILTIN))
                FOREACH_STRING(j,
                               "hvc0",
                               "xvc0",
                               "hvsi0",
                               "sclp_line0",
                               "ttysclp0",
                               "3270/tty1") {
                        _cleanup_free_ char *p = NULL;
                        p = path_join("/dev", j);
                        if (!p)
                                return log_oom();
                        if (access(p, F_OK) < 0)
                                continue;
                        r = add_serial_getty(j);
                        if (r < 0)
                                return r;
                }
        return 0;
 }
--- a/src/home/homectl-pkcs11.c
+++ b/src/home/homectl-pkcs11.c
@ -135,7 +135,7 @@ static int add_pkcs11_encrypted_key(
        r = sd_json_variant_append_array(&l, e);
        if (r < 0)
-                return log_error_errno(r, "Failed append PKCS#11 encrypted key: %m");
+                return log_error_errno(r, "Failed to append PKCS#11 encrypted key: %m");
        r = sd_json_variant_set_field(&w, "pkcs11EncryptedKey", l);
        if (r < 0)
--- a/src/home/homectl-recovery-key.c
+++ b/src/home/homectl-recovery-key.c
@ -31,7 +31,7 @@ static int add_privileged(sd_json_variant **v, const char *hashed) {
        r = sd_json_variant_append_array(&l, e);
        if (r < 0)
-                return log_error_errno(r, "Failed append recovery key: %m");
+                return log_error_errno(r, "Failed to append recovery key: %m");
        r = sd_json_variant_set_field(&w, "recoveryKey", l);
        if (r < 0)
--- a/src/home/homectl.c
+++ b/src/home/homectl.c
@ -2623,7 +2623,7 @@ static int acquire_group_list(char ***ret) {
                        if (r == -ESRCH)
                                break;
                        if (r < 0)
-                                return log_debug_errno(r, "Failed acquire next group: %m");
+                                return log_debug_errno(r, "Failed to acquire next group: %m");
                        if (group_record_disposition(gr) == USER_REGULAR) {
                                _cleanup_(user_record_unrefp) UserRecord *ur = NULL;
@ -5227,7 +5227,7 @@ static int verb_list_signing_keys(int argc, char *argv[], void *userdata) {
                        _cleanup_free_ void *der = NULL;
                        int n = i2d_PUBKEY(key, (unsigned char**) &der);
                        if (n < 0)
-                                return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to encode key as DER: %m");
+                                return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to encode key as DER.");
                        ssize_t m = base64mem(der, MIN(n, 64), &h);
                        if (m < 0)
--- a/src/home/homework-cifs.c
+++ b/src/home/homework-cifs.c
@ -49,7 +49,7 @@ int home_setup_cifs(
        r = parse_cifs_service(h->cifs_service, &chost, &cservice, &cdir);
        if (r < 0)
-                return log_error_errno(r, "Failed parse CIFS service specification: %m");
+                return log_error_errno(r, "Failed to parse CIFS service specification: %m");
        /* Just the host and service part, without the directory */
        chost_and_service = strjoin("//", chost, "/", cservice);
--- a/src/home/homework-fscrypt.c
+++ b/src/home/homework-fscrypt.c
@ -415,7 +415,7 @@ int home_setup_fscrypt(
                              FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_DEATHSIG_SIGTERM|FORK_LOG|FORK_WAIT|FORK_REOPEN_LOG,
                              NULL);
                if (r < 0)
-                        return log_error_errno(r, "Failed install encryption key in user's keyring: %m");
+                        return log_error_errno(r, "Failed to install encryption key in user's keyring: %m");
                if (r == 0) {
                        /* Child */
--- a/src/home/homework-luks.c
+++ b/src/home/homework-luks.c
@ -1227,7 +1227,7 @@ static int open_image_file(
        if (!S_ISREG(st.st_mode) && !S_ISBLK(st.st_mode))
                return log_error_errno(
                                S_ISDIR(st.st_mode) ? SYNTHETIC_ERRNO(EISDIR) : SYNTHETIC_ERRNO(EBADFD),
-                                "Image file %s is not a regular file or block device: %m", ip);
+                                "Image file %s is not a regular file or block device.", ip);
        /* Locking block devices doesn't really make sense, as this might interfere with
         * udev's workings, and these locks aren't network propagated anyway, hence not what
@ -2731,7 +2731,7 @@ static int prepare_resize_partition(
        r = sd_id128_from_string(disk_uuid_as_string, &disk_uuid);
        if (r < 0)
-                return log_error_errno(r, "Failed parse disk UUID: %m");
+                return log_error_errno(r, "Failed to parse disk UUID: %m");
        r = fdisk_get_partitions(c, &t);
        if (r < 0)
--- a/src/home/user-record-password-quality.c
+++ b/src/home/user-record-password-quality.c
@ -63,7 +63,7 @@ int user_record_check_password_quality(
                        continue;
                /* If there are no old passwords, let's call check_password_quality() without any. */
-                r = check_password_quality(*pp, /* old */ NULL, hr->user_name, &auxerror);
+                r = check_password_quality(*pp, /* old = */ NULL, hr->user_name, &auxerror);
                if (r <= 0)
                        goto error;
        }
--- a/src/hostname/hostnamed.c
+++ b/src/hostname/hostnamed.c
@ -636,7 +636,7 @@ static const char* fallback_chassis_by_acpi(Context *c) {
        r = device_get_sysattr_unsigned(c->device_acpi, "pm_profile", &t);
        if (r < 0) {
-                log_debug_errno(r, "Failed read/parse ACPI PM profile, ignoring: %m");
+                log_debug_errno(r, "Failed to read/parse ACPI PM profile, ignoring: %m");
                return NULL;
        }
--- a/src/import/import-fs.c
+++ b/src/import/import-fs.c
@ -249,7 +249,7 @@ static int import_fs(int argc, char *argv[], void *userdata) {
                         (arg_read_only ? INSTALL_READ_ONLY : 0) |
                         (arg_sync ? INSTALL_SYNCFS : 0));
        if (r < 0)
-                return log_error_errno(r, "Failed install directory as '%s': %m", final_path);
+                return log_error_errno(r, "Failed to install directory as '%s': %m", final_path);
        temp_path = mfree(temp_path);
--- a/src/import/import-generator.c
+++ b/src/import/import-generator.c
@ -63,14 +63,14 @@ static int parse_pull_expression(const char *v) {
        if (r < 0)
                return log_error_errno(r, "Failed to extract option string from pull expression '%s': %m", v);
        if (r == 0)
-                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No option string in pull expression '%s': %m", v);
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No option string in pull expression '%s'.", v);
        _cleanup_free_ char *local = NULL;
        r = extract_first_word(&p, &local, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
        if (r < 0)
                return log_error_errno(r, "Failed to extract local name from pull expression '%s': %m", v);
        if (r == 0)
-                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No local string in pull expression '%s': %m", v);
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No local string in pull expression '%s'.", v);
        _cleanup_free_ char *remote = strdup(p);
        if (!remote)
--- a/src/import/importctl.c
+++ b/src/import/importctl.c
@ -274,7 +274,7 @@ static int import_tar(int argc, char *argv[], void *userdata) {
                        return log_error_errno(r, "Cannot extract container name from filename: %m");
                if (r == O_DIRECTORY)
                        return log_error_errno(SYNTHETIC_ERRNO(EISDIR),
-                                               "Path '%s' refers to directory, but we need a regular file: %m", path);
+                                               "Path '%s' refers to directory, but we need a regular file.", path);
                local = fn;
        }
@ -353,7 +353,7 @@ static int import_raw(int argc, char *argv[], void *userdata) {
                        return log_error_errno(r, "Cannot extract container name from filename: %m");
                if (r == O_DIRECTORY)
                        return log_error_errno(SYNTHETIC_ERRNO(EISDIR),
-                                               "Path '%s' refers to directory, but we need a regular file: %m", path);
+                                               "Path '%s' refers to directory, but we need a regular file.", path);
                local = fn;
        }
--- a/src/import/importd.c
+++ b/src/import/importd.c
@ -713,7 +713,7 @@ static int manager_new(Manager **ret) {
        r = sd_event_add_memory_pressure(m->event, NULL, NULL, NULL);
        if (r < 0)
-                log_debug_errno(r, "Failed allocate memory pressure event source, ignoring: %m");
+                log_debug_errno(r, "Failed to allocate memory pressure event source, ignoring: %m");
        r = sd_event_set_watchdog(m->event, true);
        if (r < 0)
--- a/src/journal-remote/journal-upload.c
+++ b/src/journal-remote/journal-upload.c
@ -682,7 +682,7 @@ static int parse_config(void) {
                { "Upload",  "TrustedCertificateFile", config_parse_path_or_ignore, 0,                        &arg_trust                },
                { "Upload",  "NetworkTimeoutSec",      config_parse_sec,            0,                        &arg_network_timeout_usec },
                { "Upload",  "Header",                 config_parse_header,         0,                        &arg_headers              },
-                { "Upload",  "Compression",            config_parse_compression,    /* with_level */ true,    &arg_compression          },
+                { "Upload",  "Compression",            config_parse_compression,    /* with_level = */ true,  &arg_compression          },
                { "Upload",  "ForceCompression",       config_parse_bool,           0,                        &arg_force_compression    },
                {}
        };
--- a/src/journal/journald-client.c
+++ b/src/journal/journald-client.c
@ -84,7 +84,7 @@ int client_context_read_log_filter_patterns(ClientContext *c, const char *cgroup
        const char *deny_list_xattr = memchr(xattr, (char)0xff, xattr_size);
        if (!deny_list_xattr)
                return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
-                                       "Missing delimiter in cgroup user.journald_log_filter_patterns attribute: %m");
+                                       "Missing delimiter in cgroup user.journald_log_filter_patterns attribute.");
        _cleanup_set_free_ Set *allow_list = NULL;
        r = client_parse_log_filter_nulstr(xattr, deny_list_xattr - xattr, &allow_list);
--- a/src/journal/journald-config.c
+++ b/src/journal/journald-config.c
@ -377,7 +377,7 @@ int manager_dispatch_reload_signal(sd_event_source *s, const struct signalfd_sig
        manager_reopen_journals(m, &old);
        log_info("Config file reloaded.");
-        (void) sd_notify(/* unset_environment */ false, NOTIFY_READY_MESSAGE);
+        (void) sd_notify(/* unset_environment = */ false, NOTIFY_READY_MESSAGE);
        return 0;
 }
--- a/src/journal/journald-manager.c
+++ b/src/journal/journald-manager.c
@ -1467,7 +1467,7 @@ int manager_relinquish_var(Manager *m) {
        log_debug("Relinquishing %s...", m->system_storage.path);
-        (void) manager_system_journal_open(m, /* flush_requested */ false, /* relinquish_requested=*/ true);
+        (void) manager_system_journal_open(m, /* flush_requested = */ false, /* relinquish_requested = */ true);
        m->system_journal = journal_file_offline_close(m->system_journal);
        ordered_hashmap_clear(m->user_journals);
@ -2290,7 +2290,7 @@ void manager_reopen_journals(Manager *m, const JournalConfig *old) {
        (void) manager_system_journal_open(m, /* flush_requested = */ false, /* relinquish_requested = */ false);
        /* To make the storage related settings applied, vacuum the storage. */
-        manager_vacuum(m, /* verbose */ false);
+        manager_vacuum(m, /* verbose = */ false);
 }
 int manager_new(Manager **ret) {
--- a/src/libsystemd-network/sd-ndisc-redirect.c
+++ b/src/libsystemd-network/sd-ndisc-redirect.c
@ -61,14 +61,14 @@ int ndisc_redirect_parse(sd_ndisc *nd, sd_ndisc_redirect *rd) {
         * The ICMP Destination Address field in the redirect message does not contain a multicast address. */
        if (in6_addr_is_null(&rd->destination_address) || in6_addr_is_multicast(&rd->destination_address))
                return log_ndisc_errno(nd, SYNTHETIC_ERRNO(EBADMSG),
-                                       "Received Redirect message with an invalid destination address, ignoring datagram: %m");
+                                       "Received Redirect message with an invalid destination address, ignoring datagram.");
        /* RFC 4861 section 8.1
         * The ICMP Target Address is either a link-local address (when redirected to a router) or the same
         * as the ICMP Destination Address (when redirected to the on-link destination). */
        if (!in6_addr_is_link_local(&rd->target_address) && !in6_addr_equal(&rd->target_address, &rd->destination_address))
                return log_ndisc_errno(nd, SYNTHETIC_ERRNO(EBADMSG),
-                                       "Received Redirect message with an invalid target address, ignoring datagram: %m");
+                                       "Received Redirect message with an invalid target address, ignoring datagram.");
        r = ndisc_parse_options(rd->packet, &rd->options);
        if (r < 0)
--- a/src/libsystemd-network/test-ndisc-send.c
+++ b/src/libsystemd-network/test-ndisc-send.c
@ -309,7 +309,7 @@ static int parse_argv(int argc, char *argv[]) {
                if (hw_addr.length != sizeof(struct ether_addr))
                        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
-                                               "Unsupported hardware address length %zu: %m",
+                                               "Unsupported hardware address length %zu.",
                                               hw_addr.length);
                arg_source_mac = hw_addr.ether;
--- a/src/libsystemd/sd-bus/bus-container.c
+++ b/src/libsystemd/sd-bus/bus-container.c
@ -85,11 +85,11 @@ int bus_container_connect_socket(sd_bus *b) {
        if (n > 0) {
                if (n != sizeof(error_buf))
                        return log_debug_errno(SYNTHETIC_ERRNO(EIO),
-                                               "Read error status of unexpected length %zd from (sd-buscntr): %m", n);
+                                               "Read error status of unexpected length %zd from (sd-buscntr).", n);
                if (error_buf < 0)
                        return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
-                                               "Got unexpected error status from (sd-buscntr): %m");
+                                               "Got unexpected error status from (sd-buscntr).");
                if (error_buf == EINPROGRESS)
                        return 1;
--- a/src/libsystemd/sd-event/sd-event.c
+++ b/src/libsystemd/sd-event/sd-event.c
@ -3631,7 +3631,7 @@ static int process_timer(
                         * again. */
                        assert(s->ratelimited);
-                        r = event_source_leave_ratelimit(s, /* run_callback */ true);
+                        r = event_source_leave_ratelimit(s, /* run_callback = */ true);
                        if (r < 0)
                                return r;
                        else if (r == 1)
@ -5116,7 +5116,7 @@ _public_ int sd_event_source_set_ratelimit(sd_event_source *s, uint64_t interval
        /* When ratelimiting is configured we'll always reset the rate limit state first and start fresh,
         * non-ratelimited. */
-        r = event_source_leave_ratelimit(s, /* run_callback */ false);
+        r = event_source_leave_ratelimit(s, /* run_callback = */ false);
        if (r < 0)
                return r;
@ -5179,7 +5179,7 @@ _public_ int sd_event_source_leave_ratelimit(sd_event_source *s) {
        if (!s->ratelimited)
                return 0;
-        r = event_source_leave_ratelimit(s, /* run_callback */ false);
+        r = event_source_leave_ratelimit(s, /* run_callback = */ false);
        if (r < 0)
                return r;
--- a/src/libsystemd/sd-journal/journal-vacuum.c
+++ b/src/libsystemd/sd-journal/journal-vacuum.c
@ -255,7 +255,7 @@ int journal_directory_vacuum(
                r = journal_file_empty(dirfd(d), p);
                if (r < 0) {
-                        log_debug_errno(r, "Failed check if %s is empty, ignoring: %m", p);
+                        log_debug_errno(r, "Failed to check if %s is empty, ignoring: %m", p);
                        continue;
                }
                if (r > 0) {
--- a/src/libsystemd/sd-journal/test-journal-append.c
+++ b/src/libsystemd/sd-journal/test-journal-append.c
@ -134,7 +134,7 @@ static int journal_corrupt_and_append(uint64_t start_offset, uint64_t step) {
                r = journal_append_message(mj, message);
                if (r < 0) {
                        /* We care only about crashes or sanitizer errors,
-                         * failed write without any crash is a success */
+                         * failing to write without any crash is a success */
                        log_info_errno(r, "Failed to write to the journal: %m");
                        break;
                }
--- a/src/libsystemd/sd-varlink/sd-varlink.c
+++ b/src/libsystemd/sd-varlink/sd-varlink.c
@ -3480,7 +3480,7 @@ _public_ int sd_varlink_server_add_connection_pair(
                        ucred = *override_ucred;
                else {
                        if (input_fd != output_fd)
-                                return varlink_server_log_errno(server, SYNTHETIC_ERRNO(EOPNOTSUPP), "Cannot determine peer identity of connection with separate input/output, refusing: %m");
+                                return varlink_server_log_errno(server, SYNTHETIC_ERRNO(EOPNOTSUPP), "Cannot determine peer identity of connection with separate input/output, refusing.");
                        r = getpeercred(input_fd, &ucred);
                        if (r < 0)
--- a/src/locale/localectl.c
+++ b/src/locale/localectl.c
@ -304,7 +304,7 @@ static int list_x11_keymaps(int argc, char **argv, void *userdata) {
        f = fopen("/usr/share/X11/xkb/rules/base.lst", "re");
        if (!f)
-                return log_error_errno(errno, "Failed to open keyboard mapping list. %m");
+                return log_error_errno(errno, "Failed to open keyboard mapping list: %m");
        if (streq(argv[0], "list-x11-keymap-models"))
                look_for = MODELS;
--- a/src/login/logind-session.c
+++ b/src/login/logind-session.c
@ -734,7 +734,7 @@ static int session_dispatch_stop_on_idle(sd_event_source *source, uint64_t t, vo
        if (idle) {
                log_info("Session \"%s\" of user \"%s\" is idle, stopping.", s->id, s->user->user_record->user_name);
-                return session_stop(s, /* force */ true);
+                return session_stop(s, /* force = */ true);
        }
        r = sd_event_source_set_time(
--- a/src/login/logind-wall.c
+++ b/src/login/logind-wall.c
@ -107,11 +107,11 @@ static int wall_message_timeout_handler(
        if (next > 0) {
                r = sd_event_source_set_time(s, n + next);
                if (r < 0)
-                        return log_error_errno(r, "sd_event_source_set_time() failed. %m");
+                        return log_error_errno(r, "sd_event_source_set_time() failed: %m");
                r = sd_event_source_set_enabled(s, SD_EVENT_ONESHOT);
                if (r < 0)
-                        return log_error_errno(r, "sd_event_source_set_enabled() failed. %m");
+                        return log_error_errno(r, "sd_event_source_set_enabled() failed: %m");
        }
        return 0;
--- a/src/login/logind.c
+++ b/src/login/logind.c
@ -99,7 +99,7 @@ static int manager_new(Manager **ret) {
        r = sd_event_add_memory_pressure(m->event, NULL, NULL, NULL);
        if (r < 0)
-                log_debug_errno(r, "Failed allocate memory pressure event source, ignoring: %m");
+                log_debug_errno(r, "Failed to allocate memory pressure event source, ignoring: %m");
        (void) sd_event_set_watchdog(m->event, true);
--- a/src/login/pam_systemd.c
+++ b/src/login/pam_systemd.c
@ -1812,7 +1812,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
                       /* desktop= */ NULL,
                       /* area= */ NULL,
                       &debug,
-                       /* default_capability_bounding_set */ NULL,
+                       /* default_capability_bounding_set= */ NULL,
                       /* default_capability_ambient_set= */ NULL) < 0)
                return PAM_SESSION_ERR;
--- a/src/mountfsd/mountfsd-manager.c
+++ b/src/mountfsd/mountfsd-manager.c
@ -94,7 +94,7 @@ int manager_new(Manager **ret) {
        r = sd_event_add_memory_pressure(m->event, NULL, NULL, NULL);
        if (r < 0)
-                log_debug_errno(r, "Failed allocate memory pressure event source, ignoring: %m");
+                log_debug_errno(r, "Failed to allocate memory pressure event source, ignoring: %m");
        r = sd_event_set_watchdog(m->event, true);
        if (r < 0)
@ -182,7 +182,7 @@ static int start_one_worker(Manager *m) {
                }
                r = invoke_callout_binary(SYSTEMD_MOUNTWORK_PATH, STRV_MAKE("systemd-mountwork", "xxxxxxxxxxxxxxxx")); /* With some extra space rename_process() can make use of */
-                log_error_errno(r, "Failed start worker process: %m");
+                log_error_errno(r, "Failed to start worker process: %m");
                _exit(EXIT_FAILURE);
        }
--- a/src/mountfsd/mountwork.c
+++ b/src/mountfsd/mountwork.c
@ -1187,7 +1187,7 @@ static int run(int argc, char *argv[]) {
                                if (r == -ESRCH)
                                        return log_error_errno(r, "Parent already died?");
                                if (r < 0)
-                                        return log_error_errno(r, "Failed to send SIGUSR2 signal to parent. %m");
+                                        return log_error_errno(r, "Failed to send SIGUSR2 signal to parent: %m");
                        }
                }
--- a/src/network/generator/network-generator.c
+++ b/src/network/generator/network-generator.c
@ -887,7 +887,7 @@ static int parse_cmdline_ip_interface(Context *context, const char *value) {
                return log_debug_errno(r < 0 ? r : SYNTHETIC_ERRNO(EINVAL), "Failed to parse interface name in ip=%s: %m", value);
        if (isempty(ifname))
-                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Missing interface name in ip=%s: %m", value);
+                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Missing interface name in ip=%s.", value);
        r = extract_first_word(&p, &dhcp_type, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
        if (r <= 0)
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
@ -998,7 +998,7 @@ static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
        if (key_len != MACSEC_KEYID_LEN)
                return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
-                                              "Invalid key length (%zu bytes), ignoring: %m", key_len);
+                                              "Invalid key length (%zu bytes), ignoring.", key_len);
        explicit_bzero_safe(sa->key, sa->key_len);
        free_and_replace(sa->key, key);
--- a/src/network/networkctl-config-file.c
+++ b/src/network/networkctl-config-file.c
@ -66,7 +66,7 @@ static int get_config_files_by_name(
        _cleanup_free_ char *path = NULL;
        int r;
-        assert(name);
+        assert(filename_is_valid(name));
        assert(ret_path);
        STRV_FOREACH(i, NETWORK_DIRS) {
@ -520,12 +520,15 @@ int verb_edit(int argc, char *argv[], void *userdata) {
                        continue;
                }
                if (!filename_is_valid(*name))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid config filename: %s", *name);
                if (ENDSWITH_SET(*name, ".network", ".netdev"))
                        reload |= RELOAD_NETWORKD;
                else if (endswith(*name, ".link"))
                        reload |= RELOAD_UDEVD;
                else
-                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid network config name '%s'.", *name);
+                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Network config of unknown type: %s", *name);
                r = get_config_files_by_name(*name, /* allow_masked = */ false, &path, &dropins);
                if (r == -ERFKILL)
@ -642,6 +645,9 @@ int verb_cat(int argc, char *argv[], void *userdata) {
                        continue;
                }
                if (!filename_is_valid(*name) || !ENDSWITH_SET(*name, ".network", ".netdev", ".link"))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid network config name: %s", *name);
                _cleanup_strv_free_ char **dropins = NULL;
                _cleanup_free_ char *path = NULL;
@ -682,13 +688,16 @@ int verb_mask(int argc, char *argv[], void *userdata) {
                _cleanup_free_ char *config_path = NULL, *symlink_path = NULL;
                ReloadFlags reload;
                if (!filename_is_valid(*name))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid config filename: %s", *name);
                /* We update the real 'flags' at last, since the operation can be skipped. */
                if (ENDSWITH_SET(*name, ".network", ".netdev"))
                        reload = RELOAD_NETWORKD;
                else if (endswith(*name, ".link"))
                        reload = RELOAD_UDEVD;
                else
-                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid network config name '%s'.", *name);
+                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Network config of unknown type: %s", *name);
                r = get_config_files_by_name(*name, /* allow_masked = */ true, &config_path, /* ret_dropins = */ NULL);
                if (r == -ENOENT)
@ -739,12 +748,15 @@ int verb_unmask(int argc, char *argv[], void *userdata) {
                _cleanup_free_ char *path = NULL;
                ReloadFlags reload;
                if (!filename_is_valid(*name))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid config filename: %s", *name);
                if (ENDSWITH_SET(*name, ".network", ".netdev"))
                        reload = RELOAD_NETWORKD;
                else if (endswith(*name, ".link"))
                        reload = RELOAD_UDEVD;
                else
-                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid network config name '%s'.", *name);
+                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Network config of unknown type: %s", *name);
                r = get_config_files_by_name(*name, /* allow_masked = */ true, &path, /* ret_dropins = */ NULL);
                if (r == -ENOENT) {
--- a/src/network/networkd-dhcp4.c
+++ b/src/network/networkd-dhcp4.c
@ -1693,7 +1693,7 @@ static int dhcp4_configure(Link *link) {
        if (link->network->dhcp_fallback_lease_lifetime_usec > 0) {
                r = sd_dhcp_client_set_fallback_lease_lifetime(link->dhcp_client, link->network->dhcp_fallback_lease_lifetime_usec);
                if (r < 0)
-                        return log_link_debug_errno(link, r, "DHCPv4 CLIENT: Failed set to lease lifetime: %m");
+                        return log_link_debug_errno(link, r, "DHCPv4 CLIENT: Failed to set fallback lease lifetime: %m");
        }
        return dhcp4_set_client_identifier(link);
--- a/src/network/networkd-manager.c
+++ b/src/network/networkd-manager.c
@ -539,7 +539,7 @@ int manager_setup(Manager *m) {
        r = sd_event_add_memory_pressure(m->event, NULL, NULL, NULL);
        if (r < 0)
-                log_debug_errno(r, "Failed allocate memory pressure event source, ignoring: %m");
+                log_debug_errno(r, "Failed to allocate memory pressure event source, ignoring: %m");
        r = sd_event_add_post(m->event, NULL, manager_post_handler, m);
        if (r < 0)
--- a/src/network/wait-online/wait-online-link.c
+++ b/src/network/wait-online/wait-online-link.c
@ -272,8 +272,7 @@ int link_update_monitor(Link *l) {
        else {
                r = parse_operational_state_range(required_operstate, &l->required_operstate);
                if (r < 0)
-                        ret = log_link_debug_errno(l, SYNTHETIC_ERRNO(EINVAL),
+                        ret = log_link_debug_errno(l, r, "Failed to parse required operational state, ignoring: %m");
                                                   "Failed to parse required operational state, ignoring: %m");
        }
        r = network_link_get_operational_state(l->ifindex, &l->operational_state);
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@ -685,7 +685,7 @@ int mount_all(const char *dest,
                                log_debug_errno(r, "Failed to create directory %s: %m", where);
-                                /* If we failed mkdir() or chown() due to the root directory being read only,
+                                /* If mkdir() or chown() failed due to the root directory being read only,
                                 * attempt to mount this fs anyway and let mount_verbose log any errors */
                                if (r != -EROFS)
                                        continue;
--- a/src/nspawn/nspawn-network.c
+++ b/src/nspawn/nspawn-network.c
@ -1011,7 +1011,7 @@ static int network_iface_pair_parse(const char* iftype, char ***l, const char *p
                        return log_error_errno(r, "Failed to extract first word in %s parameter: %m", iftype);
                if (r == 0)
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
-                                               "Short read while reading %s parameter: %m", iftype);
+                                               "Short read while reading %s parameter.", iftype);
                if (!ifname_valid(a))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                               "%s, interface name not valid: %s", iftype, a);
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -1366,7 +1366,7 @@ static int parse_argv(int argc, char *argv[]) {
                        } else {
                                r = read_full_file(optarg, (char**) &p, &l);
                                if (r < 0)
-                                        return log_error_errno(r, "Failed parse root hash signature file '%s': %m", optarg);
+                                        return log_error_errno(r, "Failed to parse root hash signature file '%s': %m", optarg);
                        }
                        free_and_replace(arg_verity_settings.root_hash_sig, p);
@ -5583,7 +5583,7 @@ static int run_container(
        r = sd_event_add_memory_pressure(event, NULL, NULL, NULL);
        if (r < 0)
-                log_debug_errno(r, "Failed allocate memory pressure event source, ignoring: %m");
+                log_debug_errno(r, "Failed to allocate memory pressure event source, ignoring: %m");
        /* Exit when the child exits */
        (void) sd_event_add_signal(event, NULL, SIGCHLD, on_sigchld, pid);
--- a/src/nsresourced/nsresourced-manager.c
+++ b/src/nsresourced/nsresourced-manager.c
@ -114,7 +114,7 @@ int manager_new(Manager **ret) {
        r = sd_event_add_memory_pressure(m->event, NULL, NULL, NULL);
        if (r < 0)
-                log_debug_errno(r, "Failed allocate memory pressure event source, ignoring: %m");
+                log_debug_errno(r, "Failed to allocate memory pressure event source, ignoring: %m");
        r = sd_event_set_watchdog(m->event, true);
        if (r < 0)
@ -230,7 +230,7 @@ static int start_one_worker(Manager *m) {
                }
                r = invoke_callout_binary(SYSTEMD_NSRESOURCEWORK_PATH, STRV_MAKE("systemd-nsresourcework", "xxxxxxxxxxxxxxxx")); /* With some extra space rename_process() can make use of */
-                log_error_errno(r, "Failed start worker process: %m");
+                log_error_errno(r, "Failed to start worker process: %m");
                _exit(EXIT_FAILURE);
        }
--- a/src/nsresourced/nsresourcework.c
+++ b/src/nsresourced/nsresourcework.c
@ -2069,7 +2069,7 @@ static int run(int argc, char *argv[]) {
                                if (r == -ESRCH)
                                        return log_error_errno(r, "Parent already died?");
                                if (r < 0)
-                                        return log_error_errno(r, "Failed to send SIGUSR2 signal to parent. %m");
+                                        return log_error_errno(r, "Failed to send SIGUSR2 signal to parent: %m");
                        }
                }
--- a/src/nsresourced/userns-restrict.c
+++ b/src/nsresourced/userns-restrict.c
@ -40,7 +40,7 @@ static int make_inner_hash_map(void) {
                        MOUNTS_MAX,
                        NULL);
        if (fd < 0)
-                return log_debug_errno(errno, "Failed allocate inner BPF map: %m");
+                return log_debug_errno(errno, "Failed to allocate inner BPF map: %m");
        return fd;
 }
--- a/src/oom/oomd-util.c
+++ b/src/oom/oomd-util.c
@ -527,13 +527,13 @@ int oomd_system_context_acquire(const char *proc_meminfo_path, OomdSystemContext
        if (mem_available > ctx.mem_total)
                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
-                                       "MemAvailable (%" PRIu64 ") cannot be greater than MemTotal (%" PRIu64 ") %m",
+                                       "MemAvailable (%" PRIu64 ") cannot be greater than MemTotal (%" PRIu64 ")",
                                       mem_available,
                                       ctx.mem_total);
        if (swap_free > ctx.swap_total)
                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
-                                       "SwapFree (%" PRIu64 ") cannot be greater than SwapTotal (%" PRIu64 ") %m",
+                                       "SwapFree (%" PRIu64 ") cannot be greater than SwapTotal (%" PRIu64 ")",
                                       swap_free,
                                       ctx.swap_total);
--- a/src/portable/portabled.c
+++ b/src/portable/portabled.c
@ -50,7 +50,7 @@ static int manager_new(Manager **ret) {
        r = sd_event_add_memory_pressure(m->event, NULL, NULL, NULL);
        if (r < 0)
-                log_debug_errno(r, "Failed allocate memory pressure event source, ignoring: %m");
+                log_debug_errno(r, "Failed to allocate memory pressure event source, ignoring: %m");
        (void) sd_event_set_watchdog(m->event, true);
--- a/src/repart/repart.c
+++ b/src/repart/repart.c
@ -7601,7 +7601,7 @@ static int resolve_copy_blocks_auto(
                        }
                }
        } else if (errno != ENOENT)
-                return log_error_errno(errno, "Failed open %s: %m", p);
+                return log_error_errno(errno, "Failed to open %s: %m", p);
        else {
                r = resolve_copy_blocks_auto_candidate(devno, type, restrict_devno, &found_uuid);
                if (r < 0)
--- a/src/resolve/resolved-manager.c
+++ b/src/resolve/resolved-manager.c
@ -229,7 +229,7 @@ static int manager_process_route(sd_netlink *rtnl, sd_netlink_message *mm, void
        r = sd_netlink_message_get_type(mm, &type);
        if (r < 0) {
-                log_warning_errno(r, "Failed not get message type, ignoring: %m");
+                log_warning_errno(r, "Failed to get rtnl message type, ignoring: %m");
                return 0;
        }
@ -785,23 +785,23 @@ int manager_new(Manager **ret) {
        r = sd_event_add_signal(m->event, /* ret= */ NULL, SIGHUP | SD_EVENT_SIGNAL_PROCMASK, manager_dispatch_reload_signal, m);
        if (r < 0)
-                return log_debug_errno(r, "Failed install SIGHUP handler: %m");
+                return log_debug_errno(r, "Failed to install SIGHUP handler: %m");
        r = sd_event_add_signal(m->event, /* ret= */ NULL, SIGUSR1 | SD_EVENT_SIGNAL_PROCMASK, manager_sigusr1, m);
        if (r < 0)
-                return log_debug_errno(r, "Failed install SIGUSR1 handler: %m");
+                return log_debug_errno(r, "Failed to install SIGUSR1 handler: %m");
        r = sd_event_add_signal(m->event, /* ret= */ NULL, SIGUSR2 | SD_EVENT_SIGNAL_PROCMASK, manager_sigusr2, m);
        if (r < 0)
-                return log_debug_errno(r, "Failed install SIGUSR2 handler: %m");
+                return log_debug_errno(r, "Failed to install SIGUSR2 handler: %m");
        r = sd_event_add_signal(m->event, /* ret= */ NULL, (SIGRTMIN+1) | SD_EVENT_SIGNAL_PROCMASK, manager_sigrtmin1, m);
        if (r < 0)
-                return log_debug_errno(r, "Failed install SIGRTMIN+1 handler: %m");
+                return log_debug_errno(r, "Failed to install SIGRTMIN+1 handler: %m");
        r = sd_event_add_signal(m->event, /* ret= */ NULL, (SIGRTMIN+18) | SD_EVENT_SIGNAL_PROCMASK, sigrtmin18_handler, &m->sigrtmin18_info);
        if (r < 0)
-                return log_debug_errno(r, "Failed install SIGRTMIN+18 handler: %m");
+                return log_debug_errno(r, "Failed to install SIGRTMIN+18 handler: %m");
        manager_cleanup_saved_user(m);
--- a/src/resolve/resolved-mdns.c
+++ b/src/resolve/resolved-mdns.c
@ -384,7 +384,7 @@ static int mdns_goodbye_callback(sd_event_source *s, uint64_t usec, void *userda
        r = mdns_notify_browsers_goodbye(scope);
        if (r < 0)
-                log_warning_errno(r, "mDNS: Failed to notify service subscribers of goodbyes, ignoring:  %m");
+                log_warning_errno(r, "mDNS: Failed to notify service subscribers of goodbyes, ignoring: %m");
        if (dns_cache_expiry_in_one_second(&scope->cache, usec)) {
                r = sd_event_add_time_relative(
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@ -178,7 +178,7 @@ int read_credential_with_decryption(const char *name, void **ret, size_t *ret_si
        if (r >= 0)
                return 1; /* found */
        if (!IN_SET(r, -ENXIO, -ENOENT))
-                return log_error_errno(r, "Failed read unencrypted credential '%s': %m", name);
+                return log_error_errno(r, "Failed to read unencrypted credential '%s': %m", name);
        r = get_encrypted_credentials_dir(&d);
        if (r == -ENXIO)
@ -920,7 +920,7 @@ int encrypt_credential_and_warn(
                        r = tpm2_load_pcr_public_key(tpm2_pubkey_path, &pubkey.iov_base, &pubkey.iov_len);
                        if (r < 0) {
                                if (tpm2_pubkey_path || r != -ENOENT || !sd_id128_in_set(with_key, _CRED_AUTO, _CRED_AUTO_INITRD, _CRED_AUTO_SCOPED))
-                                        return log_error_errno(r, "Failed read TPM PCR public key: %m");
+                                        return log_error_errno(r, "Failed to read TPM PCR public key: %m");
                                log_debug_errno(r, "Failed to read TPM2 PCR public key, proceeding without: %m");
                        }
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@ -3196,7 +3196,7 @@ int image_filter_parse(const char *s, ImageFilter **ret) {
                if (r < 0)
                        return log_debug_errno(r, "Failed to extract designator: %m");
                if (r != 2 || !isempty(x))
-                        return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to split: %m");
+                        return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to split: %s", word);
                PartitionDesignator d = partition_designator_from_string(designator);
                if (d < 0)
@ -4584,7 +4584,7 @@ int mountfsd_mount_image(
        if (image_policy) {
                r = image_policy_to_string(image_policy, /* simplify= */ false, &ps);
                if (r < 0)
-                        return log_error_errno(r, "Failed format image policy to string: %m");
+                        return log_error_errno(r, "Failed to format image policy to string: %m");
        }
        sd_json_variant *reply = NULL;
--- a/src/shared/find-esp.c
+++ b/src/shared/find-esp.c
@ -103,7 +103,7 @@ static int verify_esp_blkid(
        if (r != 0)
                return log_full_errno(searching ? LOG_DEBUG : LOG_ERR,
                                      SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV),
-                                      "No filesystem found on \"%s\": %m", node);
+                                      "No filesystem found on \"%s\".", node);
        if (!streq(v, "vfat"))
                return log_full_errno(searching ? LOG_DEBUG : LOG_ERR,
                                      SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV),
@ -631,7 +631,7 @@ static int verify_xbootldr_blkid(
        if (r != 0)
                return log_full_errno(searching ? LOG_DEBUG : LOG_ERR,
                                      searching ? SYNTHETIC_ERRNO(EADDRNOTAVAIL) : SYNTHETIC_ERRNO(EIO),
-                                      "%s: Failed to probe PART_ENTRY_SCHEME: %m", node);
+                                      "%s: Failed to probe PART_ENTRY_SCHEME.", node);
        if (streq(type, "gpt")) {
                errno = 0;
--- a/src/shared/libcrypt-util.c
+++ b/src/shared/libcrypt-util.c
@ -1,20 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
-#if HAVE_CRYPT_H
+#include <crypt.h>
 /* libxcrypt is a replacement for glibc's libcrypt, and libcrypt might be
 * removed from glibc at some point. As part of the removal, defines for
 * crypt(3) are dropped from unistd.h, and we must include crypt.h instead.
 *
 * Newer versions of glibc (v2.0+) already ship crypt.h with a definition
 * of crypt(3) as well, so we simply include it if it is present.  MariaDB,
 * MySQL, PostgreSQL, Perl and some other wide-spread packages do it the
 * same way since ages without any problems.
 */
 #  include <crypt.h>
 #else
 #  include <unistd.h>
 #endif
 #include <stdlib.h>
 #include "alloc-util.h"
--- a/src/shared/password-quality-util-passwdqc.c
+++ b/src/shared/password-quality-util-passwdqc.c
@ -127,7 +127,7 @@ int check_password_quality(
                check_reason = sym_passwdqc_check(&params->qc, password, old, &pw);
        } else
-                check_reason = sym_passwdqc_check(&params->qc, password, old, /* pw */ NULL);
+                check_reason = sym_passwdqc_check(&params->qc, password, old, /* pw = */ NULL);
        if (check_reason) {
                if (ret_error) {
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -1538,7 +1538,7 @@ int seccomp_protect_syslog(void) {
                                0);
                if (r < 0) {
-                        log_debug_errno(r, "Failed to add syslog() rule for architecture %s, skipping %m", seccomp_arch_to_string(arch));
+                        log_debug_errno(r, "Failed to add syslog() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
                        continue;
                }
@ -1546,7 +1546,7 @@ int seccomp_protect_syslog(void) {
                if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
                        return r;
                if (r < 0)
-                        log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping %m",
+                        log_debug_errno(r, "Failed to install syslog protection rules for architecture %s, skipping: %m",
                                        seccomp_arch_to_string(arch));
        }
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@ -1141,7 +1141,7 @@ static int tpm2_credit_random(Tpm2Context *c) {
                r = random_write_entropy(-1, buffer->buffer, buffer->size, /* credit= */ false);
                if (r < 0)
-                        return log_debug_errno(r, "Failed wo write entropy to kernel: %m");
+                        return log_debug_errno(r, "Failed to write entropy to kernel: %m");
                done += buffer->size;
                rps = LESS_BY(rps, buffer->size);
--- a/src/shared/varlink-serialize.c
+++ b/src/shared/varlink-serialize.c
@ -57,11 +57,11 @@ int varlink_server_deserialize_one(sd_varlink_server *s, const char *value, FDSe
        if (v[n] != ' ')
                return varlink_server_log_errno(s, SYNTHETIC_ERRNO(EINVAL),
-                                       "Failed to deserialize sd_varlink_server_socket: %s: %m", value);
+                                       "Failed to deserialize sd_varlink_server_socket: %s", value);
        v = startswith(v + n + 1, "varlink-server-socket-fd=");
        if (!v)
                return varlink_server_log_errno(s, SYNTHETIC_ERRNO(EINVAL),
-                                       "Failed to deserialize VarlinkServerSocket fd %s: %m", value);
+                                       "Failed to deserialize VarlinkServerSocket fd: %s", value);
        n = strcspn(v, " ");
        buf = strndupa_safe(v, n);
@ -71,7 +71,7 @@ int varlink_server_deserialize_one(sd_varlink_server *s, const char *value, FDSe
                return varlink_server_log_errno(s, fd, "Unable to parse VarlinkServerSocket varlink-server-socket-fd=%s: %m", buf);
        if (!fdset_contains(fds, fd))
                return varlink_server_log_errno(s, SYNTHETIC_ERRNO(EBADF),
-                                       "VarlinkServerSocket varlink-server-socket-fd= has unknown fd %d: %m", fd);
+                                       "VarlinkServerSocket varlink-server-socket-fd= has unknown fd: %d", fd);
        ss = new(VarlinkServerSocket, 1);
        if (!ss)
--- a/src/sysext/sysext.c
+++ b/src/sysext/sysext.c
@ -254,7 +254,7 @@ static int need_reload(
                        const char *extension_reload_manager = NULL;
                        int b;
-                        r = load_extension_release_pairs(arg_root, image_class, *extension, /* relax_extension_release_check */ true, &extension_release);
+                        r = load_extension_release_pairs(arg_root, image_class, *extension, /* relax_extension_release_check = */ true, &extension_release);
                        if (r < 0) {
                                log_debug_errno(r, "Failed to parse extension-release metadata of %s, ignoring: %m", *extension);
                                continue;
@ -1547,7 +1547,7 @@ static int store_info_in_meta(
        /* Make sure the top-level dir has an mtime marking the point we established the merge */
        if (utimensat(AT_FDCWD, meta_path, NULL, AT_SYMLINK_NOFOLLOW) < 0)
-                return log_error_errno(r, "Failed fix mtime of '%s': %m", meta_path);
+                return log_error_errno(r, "Failed to fix mtime of '%s': %m", meta_path);
        return 0;
 }
@ -1731,7 +1731,7 @@ static int merge_subprocess(
                return log_error_errno(r, "Failed to acquire 'os-release' data of OS tree '%s': %m", empty_to_root(arg_root));
        if (isempty(host_os_release_id))
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
-                                       "'ID' field not found or empty in 'os-release' data of OS tree '%s': %m",
+                                       "'ID' field not found or empty in 'os-release' data of OS tree '%s'.",
                                       empty_to_root(arg_root));
        /* Let's now mount all images */
--- a/src/sysupdate/sysupdate-resource.c
+++ b/src/sysupdate/sysupdate-resource.c
@ -327,7 +327,7 @@ static int download_manifest(
        manifest = fdopen(pfd[0], "r");
        if (!manifest)
-                return log_error_errno(errno, "Failed allocate FILE object for manifest file: %m");
+                return log_error_errno(errno, "Failed to allocate FILE object for manifest file: %m");
        TAKE_FD(pfd[0]);
--- a/src/sysupdate/sysupdate-transfer.c
+++ b/src/sysupdate/sysupdate-transfer.c
@ -409,7 +409,7 @@ static int config_parse_resource_ptype(
        r = gpt_partition_type_from_string(rvalue, &rr->partition_type);
        if (r < 0) {
                log_syntax(unit, LOG_WARNING, filename, line, r,
-                           "Failed parse partition type, ignoring: %s", rvalue);
+                           "Failed to parse partition type, ignoring: %s", rvalue);
                return 0;
        }
@ -437,7 +437,7 @@ static int config_parse_partition_uuid(
        r = sd_id128_from_string(rvalue, &t->partition_uuid);
        if (r < 0) {
                log_syntax(unit, LOG_WARNING, filename, line, r,
-                           "Failed parse partition UUID, ignoring: %s", rvalue);
+                           "Failed to parse partition UUID, ignoring: %s", rvalue);
                return 0;
        }
@ -465,7 +465,7 @@ static int config_parse_partition_flags(
        r = safe_atou64(rvalue, &t->partition_flags);
        if (r < 0) {
                log_syntax(unit, LOG_WARNING, filename, line, r,
-                           "Failed parse partition flags, ignoring: %s", rvalue);
+                           "Failed to parse partition flags, ignoring: %s", rvalue);
                return 0;
        }
--- a/src/sysupdate/sysupdated.c
+++ b/src/sysupdate/sysupdated.c
@ -1738,7 +1738,7 @@ static int manager_new(Manager **ret) {
        r = sd_event_add_memory_pressure(m->event, NULL, NULL, NULL);
        if (r < 0)
-                log_debug_errno(r, "Failed allocate memory pressure event source, ignoring: %m");
+                log_debug_errno(r, "Failed to allocate memory pressure event source, ignoring: %m");
        r = sd_bus_default_system(&m->bus);
        if (r < 0)
--- a/src/test/test-bpf-foreign-programs.c
+++ b/src/test/test-bpf-foreign-programs.c
@ -249,12 +249,12 @@ static int test_bpf_cgroup_programs(Manager *m, const char *unit_name, const Tes
        ASSERT_OK(unit_patch_contexts(u));
        r = unit_start(u, NULL);
        if (r < 0)
-                return log_error_errno(r, "Unit start failed %m");
+                return log_error_errno(r, "Unit start failed: %m");
        while (!IN_SET(SERVICE(u)->state, SERVICE_DEAD, SERVICE_FAILED)) {
                r = sd_event_run(m->event, UINT64_MAX);
                if (r < 0)
-                        return log_error_errno(r, "Event run failed %m");
+                        return log_error_errno(r, "Event run failed: %m");
        }
        cld_code = SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code;
--- a/src/test/test-bpf-restrict-fs.c
+++ b/src/test/test-bpf-restrict-fs.c
@ -41,12 +41,12 @@ static int test_restrict_filesystems(Manager *m, const char *unit_name, const ch
        ASSERT_OK(unit_patch_contexts(u));
        r = unit_start(u, NULL);
        if (r < 0)
-                return log_error_errno(r, "Unit start failed %m");
+                return log_error_errno(r, "Unit start failed: %m");
        while (!IN_SET(SERVICE(u)->state, SERVICE_DEAD, SERVICE_FAILED)) {
                r = sd_event_run(m->event, UINT64_MAX);
                if (r < 0)
-                        return log_error_errno(r, "Event run failed %m");
+                        return log_error_errno(r, "Event run failed: %m");
        }
        cld_code = SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code;
--- a/src/test/test-btrfs.c
+++ b/src/test/test-btrfs.c
@ -192,11 +192,11 @@ int main(int argc, char *argv[]) {
        r = btrfs_subvol_remove("/xxxquotatest", BTRFS_REMOVE_QUOTA|BTRFS_REMOVE_RECURSIVE);
        if (r < 0)
-                log_error_errno(r, "Failed remove subvolume: %m");
+                log_error_errno(r, "Failed to remove subvolume: %m");
        r = btrfs_subvol_remove("/xxxquotatest2", BTRFS_REMOVE_QUOTA|BTRFS_REMOVE_RECURSIVE);
        if (r < 0)
-                log_error_errno(r, "Failed remove subvolume: %m");
+                log_error_errno(r, "Failed to remove subvolume: %m");
        return 0;
 }
--- a/src/test/test-libcrypt-util.c
+++ b/src/test/test-libcrypt-util.c
@ -1,10 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
-#if HAVE_CRYPT_H
+#include <crypt.h>
 #  include <crypt.h>
 #else
 #  include <unistd.h>
 #endif
 #include "libcrypt-util.h"
 #include "strv.h"
--- a/src/test/test-loop-block.c
+++ b/src/test/test-loop-block.c
@ -90,7 +90,7 @@ static void* thread_func(void *ptr) {
                                DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_ADD_PARTITION_DEVICES|DISSECT_IMAGE_PIN_PARTITION_DEVICES,
                                &dissected);
                if (r < 0)
-                        log_error_errno(r, "Failed dissect loopback device %s: %m", loop->node);
+                        log_error_errno(r, "Failed to dissect loopback device %s: %m", loop->node);
                assert_se(r >= 0);
                log_info("Dissected loop device %s", loop->node);
--- a/src/test/test-socket-bind.c
+++ b/src/test/test-socket-bind.c
@ -80,12 +80,12 @@ static int test_socket_bind(
        ASSERT_OK(unit_patch_contexts(u));
        r = unit_start(u, NULL);
        if (r < 0)
-                return log_error_errno(r, "Unit start failed %m");
+                return log_error_errno(r, "Unit start failed: %m");
        while (!IN_SET(SERVICE(u)->state, SERVICE_DEAD, SERVICE_FAILED)) {
                r = sd_event_run(m->event, UINT64_MAX);
                if (r < 0)
-                        return log_error_errno(r, "Event run failed %m");
+                        return log_error_errno(r, "Event run failed: %m");
        }
        cld_code = SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code;
--- a/src/timesync/timesyncd-manager.c
+++ b/src/timesync/timesyncd-manager.c
@ -1143,7 +1143,7 @@ int manager_new(Manager **ret) {
        r = sd_event_add_memory_pressure(m->event, NULL, NULL, NULL);
        if (r < 0)
-                log_debug_errno(r, "Failed allocate memory pressure event source, ignoring: %m");
+                log_debug_errno(r, "Failed to allocate memory pressure event source, ignoring: %m");
        r = sd_event_set_watchdog(m->event, true);
        if (r < 0)
--- a/src/udev/net/link-config.c
+++ b/src/udev/net/link-config.c
@ -661,7 +661,7 @@ static int link_generate_new_hw_addr(Link *link, struct hw_addr_data *ret) {
                memcpy(p, &result, len);
                if (!hw_addr_is_valid(link, &hw_addr))
                        return log_link_warning_errno(link, SYNTHETIC_ERRNO(EINVAL),
-                                                      "Could not generate valid persistent MAC address: %m");
+                                                      "Could not generate valid persistent MAC address.");
        }
 finalize:
--- a/src/udev/udev-builtin-net_id.c
+++ b/src/udev/udev-builtin-net_id.c
@ -539,7 +539,7 @@ static int get_device_firmware_node_sun(sd_device *dev, uint32_t *ret) {
        if (r < 0)
                return log_device_debug_errno(dev, r, "Failed to parse firmware_node/sun '%s', ignoring: %m", attr);
        if (sun == 0)
-                return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "firmware_node/sun == 0, ignoring: %m");
+                return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "firmware_node/sun == 0, ignoring.");
        *ret = sun;
        return 0;
--- a/src/udev/udev-manager.c
+++ b/src/udev/udev-manager.c
@ -861,7 +861,7 @@ static int event_enter_locked(Event *event, const char *whole_disk) {
        if (isempty(whole_disk))
                return log_device_warning_errno(
                                dev, SYNTHETIC_ERRNO(EBADMSG),
-                                "Unexpected notify message received, skipping event (SEQNUM=%"PRIu64", ACTION=%s): %m",
+                                "Unexpected notify message received, skipping event (SEQNUM=%"PRIu64", ACTION=%s).",
                                event->seqnum, strna(device_action_to_string(event->action)));
        _cleanup_free_ char *whole_disk_copy = strdup(whole_disk);
--- a/src/udev/udev-rules.c
+++ b/src/udev/udev-rules.c
@ -954,7 +954,7 @@ static int parse_token(
                if (is_case_insensitive)
                        return log_line_invalid_prefix(rule_line, key);
-                r = rule_line_add_token(rule_line, TK_M_PROGRAM, op, value, NULL, /* is_case_insensitive */ false, token_str);
+                r = rule_line_add_token(rule_line, TK_M_PROGRAM, op, value, NULL, /* is_case_insensitive = */ false, token_str);
        } else if (streq(key, "IMPORT")) {
                if (isempty(attr))
                        return log_line_invalid_attr(rule_line, key);
--- a/src/userdb/userdbctl.c
+++ b/src/userdb/userdbctl.c
@ -490,7 +490,7 @@ static int display_user(int argc, char *argv[], void *userdata) {
                                if (r == -EHOSTDOWN)
                                        return log_error_errno(r, "Selected user database service is not available for this request.");
                                if (r < 0)
-                                        return log_error_errno(r, "Failed acquire next user: %m");
+                                        return log_error_errno(r, "Failed to acquire next user: %m");
                                if (draw_separator && arg_output == OUTPUT_FRIENDLY)
                                        putchar('\n');
@ -830,7 +830,7 @@ static int display_group(int argc, char *argv[], void *userdata) {
                                if (r == -EHOSTDOWN)
                                        return log_error_errno(r, "Selected group database service is not available for this request.");
                                if (r < 0)
-                                        return log_error_errno(r, "Failed acquire next group: %m");
+                                        return log_error_errno(r, "Failed to acquire next group: %m");
                                if (draw_separator && arg_output == OUTPUT_FRIENDLY)
                                        putchar('\n');
@ -977,7 +977,7 @@ static int display_memberships(int argc, char *argv[], void *userdata) {
                                if (r == -EHOSTDOWN)
                                        return log_error_errno(r, "Selected membership database service is not available for this request.");
                                if (r < 0)
-                                        return log_error_errno(r, "Failed acquire next membership: %m");
+                                        return log_error_errno(r, "Failed to acquire next membership: %m");
                                r = show_membership(user, group, table);
                                if (r < 0)
@ -1004,7 +1004,7 @@ static int display_memberships(int argc, char *argv[], void *userdata) {
                                if (r == -EHOSTDOWN)
                                        return log_error_errno(r, "Selected membership database service is not available for this request.");
                                if (r < 0)
-                                        return log_error_errno(r, "Failed acquire next membership: %m");
+                                        return log_error_errno(r, "Failed to acquire next membership: %m");
                                r = show_membership(user, group, table);
                                if (r < 0)
--- a/src/userdb/userdbd-manager.c
+++ b/src/userdb/userdbd-manager.c
@ -103,7 +103,7 @@ int manager_new(Manager **ret) {
        r = sd_event_add_memory_pressure(m->event, NULL, NULL, NULL);
        if (r < 0)
-                log_debug_errno(r, "Failed allocate memory pressure event source, ignoring: %m");
+                log_debug_errno(r, "Failed to allocate memory pressure event source, ignoring: %m");
        r = sd_event_set_watchdog(m->event, true);
        if (r < 0)
@ -198,7 +198,7 @@ static int start_one_worker(Manager *m) {
                }
                r = invoke_callout_binary(SYSTEMD_USERWORK_PATH, STRV_MAKE(SYSTEMD_USERWORK_PATH, "xxxxxxxxxxxxxxxx")); /* With some extra space rename_process() can make use of */
-                log_error_errno(r, "Failed start worker process: %m");
+                log_error_errno(r, "Failed to start worker process: %m");
                _exit(EXIT_FAILURE);
        }
--- a/src/vmspawn/vmspawn.c
+++ b/src/vmspawn/vmspawn.c
@ -1616,7 +1616,7 @@ static int grow_image(const char *path, uint64_t size) {
        }
        if (ftruncate(fd, size) < 0)
-                return log_error_errno(errno, "Failed grow image file '%s' from %s to %s: %m", path,
+                return log_error_errno(errno, "Failed to grow image file '%s' from %s to %s: %m", path,
                                       FORMAT_BYTES(st.st_size), FORMAT_BYTES(size));
        r = fsync_full(fd);
@ -2204,7 +2204,7 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
                else if (S_ISBLK(st.st_mode))
                        driver = "host_device";
                else
-                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Expected regular file or block device, not '%s': %m", *drive);
+                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Expected regular file or block device, not '%s'.", *drive);
                r = strv_extendf(&cmdline, "driver=raw,cache.direct=off,cache.no-flush=on,file.driver=%s,file.filename=%s,node-name=vmspawn_extra_%zu", driver, escaped_drive, i);
                if (r < 0)
@ -2691,7 +2691,7 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
        r = sd_event_add_memory_pressure(event, NULL, NULL, NULL);
        if (r < 0)
-                log_debug_errno(r, "Failed allocate memory pressure event source, ignoring: %m");
+                log_debug_errno(r, "Failed to allocate memory pressure event source, ignoring: %m");
        /* Exit when the child exits */
        r = event_add_child_pidref(event, /* ret= */ NULL, &child_pidref, WEXITED, on_child_exit, /* userdata= */ NULL);
--- a/test/units/TEST-74-AUX-UTILS.networkctl.sh
+++ b/test/units/TEST-74-AUX-UTILS.networkctl.sh
@ -43,6 +43,7 @@ touch /usr/lib/systemd/network/donotexist.network
 (! networkctl unmask "donotexist.network")
 rm /usr/lib/systemd/network/donotexist.network
 (! networkctl cat "/usr/lib/systemd/network/$NETWORK_NAME")
 networkctl cat "$NETWORK_NAME" | tail -n +2 | cmp - "/usr/lib/systemd/network/$NETWORK_NAME"
 cat >new <<EOF
@ -50,6 +51,7 @@ cat >new <<EOF
 Name=test2
 EOF
 (! networkctl edit "/usr/lib/systemd/network/$NETWORK_NAME")
 EDITOR='mv new' script -ec 'networkctl edit --runtime "$NETWORK_NAME"' /dev/null
 (! networkctl mask --runtime "$NETWORK_NAME")
 printf '%s\n' '[Match]' 'Name=test2' | cmp - "/run/systemd/network/$NETWORK_NAME"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Luca Boccassi	7199811942	NEWS: fix wrong path for sd-stub global extensions directory	2025-07-23 14:22:08 +01:00
Zbigniew Jędrzejewski-Szmek	1fe7ebe8c2	stub: check if security override is available before using it (#38295 ) Avoids fallback that requires it if it is not available. Can be dropped once support for shim < 16 is no longer needed Follow-up for 23d56ae890f8e7c8e29ef51e05494e445725d3ff	2025-07-23 15:16:01 +02:00
Zbigniew Jędrzejewski-Szmek	f1d3241346	NEWS: add new entries The section for systemd-vmspawn is grouped with systemd-nspawn and systemd-machined, and systemd-analyze gets a new section of its own.	2025-07-23 15:15:20 +02:00
Zbigniew Jędrzejewski-Szmek	e62ff1856c	NEWS: adjust style For meson options, say '-Dfoo=' to make them visually different. Adjust grammar and punctuation in various places. Break very long lines where feasible.	2025-07-23 15:15:20 +02:00
Yu Watanabe	fa32f4cd75	meson: crypt.h must always exist We require at least crypt_r() exists, and it is provided since glibc-2.0 (and dropped in glibc-2.39) or by libxcrypt, and the function is provided in crypt.h regardless it is provided by glibc or libxcrypt. Hence, we cannot fallback to unistd.h. This makes the condition about crypt.h more strict, and stop compilation earlier when crypt.h does not exist.	2025-07-23 22:13:20 +09:00
Mike Yuan	a6da6c9050	networkctl-config-file: validate args are valid filenames ... as opposed to full paths Fixes #38288	2025-07-23 22:11:42 +09:00
Luca Boccassi	5115710528	stub: check if security override is available before using it Avoids fallback that requires it if it is not available. Can be dropped once support for shim < 16 is no longer needed Follow-up for 23d56ae890f8e7c8e29ef51e05494e445725d3ff	2025-07-23 10:29:19 +01:00
Zbigniew Jędrzejewski-Szmek	dcccbe049c	tree-wide: several fixlets for log message and comment (#38263 )	2025-07-23 10:17:33 +02:00
Zbigniew Jędrzejewski-Szmek	15b0b6cd71	getty-generator: fine-grained execution control (#38258 ) Closes #37928.	2025-07-23 09:58:27 +02:00
Luca Boccassi	23d56ae890	stub: restore compatibility for shim (< 16.0) -> UKI case It is possible to boot directly a UKI from shim, and Fedora Cloud Base UKI does exactly this. This used to work fine until https://github.com/systemd/systemd/pull/37372 which broke compatibility when shim < 16.0 (no loader protocol override) is used. Shim 15.8 is still in use in several distributions, and will be for a long time. Restore a part of the previous implementation, and if running with secure boot enabled, and with shim but < 16.0, apply a security override. Follow-up for cab9c7b5a42effa8a45611fc6b8556138c869b5f Fixes https://github.com/systemd/systemd/issues/38104	2025-07-23 09:54:09 +02:00
Yu Watanabe	36c3862789	TEST-81-GENERATORS: add test cases for systemd.getty_auto=console and friends	2025-07-23 08:35:51 +09:00
Allison Karlitskaya	3a883e89bc	getty-generator: add support for fine-grained control of execution modes This makes the systemd.getty_auto= kernel command line option and the $SYSTEMD_GETTY_AUTO environment variable takes the list of classes of services: credential, container, console, builtin. This also add getty.auto credential that can take the same value as the kernel command line option. Closes #37928. Co-authored-by: Yu Watanabe <watanabe.yu+github@gmail.com>	2025-07-23 08:35:51 +09:00
Yu Watanabe	4e346e10d2	getty-generator: show original path in the log message This fixes the following log message: Before: ``` Invalid container tty device specified, ignoring: (null) ``` After: ``` Invalid container tty device specified, ignoring: /dev/tty0 ``` If a non-pts device path is passed to add_container_getty(), we call add_getty_impl() with NULL tty, so previously (null) was logged. Let's log the original path when an invalid tty is specified.	2025-07-23 08:32:05 +09:00
Yu Watanabe	de69562623	tree-wide: add missing '=' in short comments for function argument	2025-07-22 03:05:54 +09:00
Yu Watanabe	7f6086d530	tree-wide: do not use %m with SYNTHETIC_ERRNO()	2025-07-22 03:05:54 +09:00
Yu Watanabe	5c34d85c74	tree-wide: normalize usage of %m	2025-07-22 03:05:54 +09:00
Yu Watanabe	5918ba9c69	tree-wide: fix log messages: "Failed VERB" -> "Failed to VERB"	2025-07-22 03:05:33 +09:00