update TODO

Let's not run user code outside of user context, that's not how things
are deployed, and means we cannot test the session setup properly

TODO

@@ -128,6 +128,15 @@ Deprecations and removals:
 
 Features:
 
+* Add ELF section to make systemd main binary recognizable cleanly, the same
+  way as we make sd-boot recognizable via PE section.
+
+* Add knob to cryptsetup, to trigger automatic reboot on failure to unlock
+  disk. Enable this by default for rootfs, also in gpt-auto-generator
+
+* Add RebootUptimeMinSec= knob to PID 1, that makes systemd-shutdown sleep
+  until the specified uptime has passed, to lengthen tight boot loops.
+
 * replace bootctl's PE version check to actually use APIs from pe-binary.[ch]
   to find binary version.
 
@@ -166,8 +175,6 @@ Features:
 
 * nspawn: map foreign UID range through 1:1
 
-* replace most calls to sd_bus_send() by sd_bus_message_send()
-
 * replace all uses of fopen_temporary() by fopen_tmpfile_linkable() +
   flink_tmpfile() and then get rid of fopen_temporary(). Benefit: use O_TMPFILE
   pervasively, and avoid rename() wherever we can.
@@ -357,13 +364,6 @@ Features:
 * also parse out primary GPT disk label uuid from gpt partition device path at
   boot and pass it as efi var to OS.
 
-* maybe rework invocation of stub's inner PE payload: since we already parse PE
-  anyway, maybe jump directly into the image, after finding the linux UEFI
-  entrypoint. After all we invest quite some effort to disable
-  validation/measurement of the inner image, i.e. we want nothing from UEFI's
-  own image loading code paths. Given that everything's statically linked
-  anyway on UEFI it should be easy to just jump into the already loaded image.
-
 * storagetm: maybe also serve the specified disk via HTTP? we have glue for
   microhttpd anyway already. Idea would also be serve currently booted UKI as
   separate HTTP resource, so that EFI http boot on another system could
@@ -433,10 +433,6 @@ Features:
 * Allocate UIDs/GIDs automatically in userdbctl load-credentials if none are
   included in the user/group record credentials
 
-* the ordering cycle log messages in transaction_verify_order_one() should
-  really be recognizable via a message id and come with an explanatory catalog
-  message
-
 * introduce new ANSI sequence for communicating log level and structured error
   metadata to terminals.
 
@@ -460,10 +456,6 @@ Features:
 
 * resolved: make resolved process DNR DHCP info
 
-* Teach systemd-ssh-generator to generated an /run/issue.d/ drop-in telling
-  users how to connect to the system via the AF_VSOCK, as per:
-  https://github.com/systemd/systemd/issues/35071#issuecomment-2462803142
-
 * maybe introduce an OSC sequence that signals when we ask for a password, so
   that terminal emulators can maybe connect a password manager or so, and
   highlight things specially.
@@ -726,12 +718,6 @@ Features:
   a program is invoked, and its output captured, with correct EOF handling and
   exit code propagation
 
-* new systemd-analyze "join" verb or so, for debugging services. Would be
-  nsenter on steroids, i.e invoke a shell or command line in an environment as
-  close as we can make it for the MainPID of a service. Should be built around
-  pidfd, so that we can reasonably robustly do this. Would only cover the
-  execution environment like namespaces, but not the privilege settings.
-
 * Introduce a CGroupRef structure, inspired by PidRef. Should contain cgroup
   path, cgroup id, and cgroup fd. Use it to continuously pin all v2 cgroups via
   a cgroup_ref field in the CGroupRuntime structure. Eventually switch things
@@ -840,8 +826,6 @@ Features:
 
 * systemd-pcrmachine should probably also measure the SMBIOS system UUID.
 
-* sd-boot: allow synthesizing additional type1 entries via SMBIOS vendor strings
-
 * storagetm:
   - add USB mass storage device logic, so that all local disks are also exposed
     as mass storage devices on systems that have a USB controller that can
@@ -1163,9 +1147,6 @@ Features:
   access to due to the userns + nfs semantics of the user. Alternatively: use
   the seccomp log action, and allow it.
 
-* maybe: systemd-loop-generator that sets up loopback devices if requested via kernel
-  cmdline. use case: include encrypted/verity root fs in UKI.
-
 * systemd-gpt-auto-generator: add kernel cmdline option to override block
   device to dissect. also support dissecting a regular file. useccase: include
   encrypted/verity root fs in UKI.
@@ -1828,8 +1809,6 @@ Features:
 * add growvol and makevol options for /etc/crypttab, similar to
   x-systemd.growfs and x-systemd-makefs.
 
-* userdb: allow uid/gid range checks
-
 * userdb: allow existence checks
 
 * pid1: activation by journal search expression
@@ -2021,14 +2000,6 @@ Features:
 * beef up pam_systemd to take unit file settings such as cgroups properties as
   parameters
 
-* maybe hook up xfs/ext4 quotactl() with services? i.e. automatically manage
-  the quota of the user indicated in User= via unit file settings, like the
-  other resource management concepts. Would mix nicely with DynamicUser=1. Or
-  alternatively, do this with projids, so that we can also cover services
-  running as root. Quota should probably cover all the special dirs such as
-  StateDirectory=, LogsDirectory=, CacheDirectory=, as well as RootDirectory= if it
-  is set, plus the whole disk space any image configured with RootImage=.
-
 * In DynamicUser= mode: before selecting a UID, use disk quota APIs on relevant
   disks to see if the UID is already in use.
 
@@ -2054,9 +2025,6 @@ Features:
   "systemd-gdb" for attaching to the start-up of any system service in its
   natural habitat.
 
-* gpt-auto logic: support encrypted swap, add kernel cmdline option to force
-  it, and honour a gpt bit about it, plus maybe a configuration file
-
 * add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and
   then use that for the setting used in user@.service. It should be understood
   relative to the configured default value.
@@ -2193,7 +2161,6 @@ Features:
 * add bus api to query unit file's X fields.
 
 * gpt-auto-generator:
-  - Define new partition type for encrypted swap? Support probed LUKS for encrypted swap?
   - Make /home automount rather than mount?
 
 * add generator that pulls in systemd-network from containers when

src/machine/machinectl.c

@@ -484,7 +484,7 @@ static int print_uid_shift(sd_bus *bus, const char *name) {
         if (shift == 0) /* Don't show trivial mappings */
                 return 0;
 
-        printf("       UID Shift: %" PRIu32 "\n", shift);
+        printf("\tID Shift: %" PRIu32 "\n", shift);
         return 0;
 }
 

src/nspawn/nspawn-register.c

@@ -266,7 +266,7 @@ int allocate_scope(
         _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
         _cleanup_(bus_wait_for_jobs_freep) BusWaitForJobs *w = NULL;
         _cleanup_free_ char *scope = NULL;
-        const char *description, *object;
+        const char *object;
         int r;
 
         assert(bus);
@@ -292,12 +292,14 @@ int allocate_scope(
         if (r < 0)
                 return bus_log_create_error(r);
 
-        description = strjoina("Container ", machine_name);
-
         r = bus_append_scope_pidref(m, pid, FLAGS_SET(flags, ALLOCATE_SCOPE_ALLOW_PIDFD));
         if (r < 0)
                 return bus_log_create_error(r);
 
+        _cleanup_free_ char *description = strjoin("Container ", machine_name);
+        if (!description)
+                return log_oom();
+
         r = sd_bus_message_append(m, "(sv)(sv)(sv)(sv)(sv)",
                                   "Description", "s", description,
                                   "Delegate", "b", 1,
@@ -387,11 +389,11 @@ int terminate_scope(
         _cleanup_free_ char *scope = NULL;
         int r;
 
-        r = unit_name_mangle_with_suffix(machine_name, "to terminate", 0, ".scope", &scope);
+        r = unit_name_mangle_with_suffix(machine_name, "to terminate", /* flags= */ 0, ".scope", &scope);
         if (r < 0)
                 return log_error_errno(r, "Failed to mangle scope name: %m");
 
-        r = bus_call_method(bus, bus_systemd_mgr, "AbandonScope", &error, NULL, "s", scope);
+        r = bus_call_method(bus, bus_systemd_mgr, "AbandonScope", &error, /* ret_reply= */ NULL, "s", scope);
         if (r < 0) {
                 log_debug_errno(r, "Failed to abandon scope '%s', ignoring: %s", scope, bus_error_message(&error, r));
                 sd_bus_error_free(&error);
@@ -412,7 +414,7 @@ int terminate_scope(
                 sd_bus_error_free(&error);
         }
 
-        r = bus_call_method(bus, bus_systemd_mgr, "UnrefUnit", &error, NULL, "s", scope);
+        r = bus_call_method(bus, bus_systemd_mgr, "UnrefUnit", &error, /* ret_reply= */ NULL, "s", scope);
         if (r < 0)
                 log_debug_errno(r, "Failed to drop reference to scope '%s', ignoring: %s", scope, bus_error_message(&error, r));
 

src/nspawn/nspawn.c

@@ -1332,11 +1332,10 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case ARG_NOTIFY_READY:
-                        r = parse_boolean(optarg);
+                        r = parse_boolean_argument("--notify-ready=", optarg, &arg_notify_ready);
                         if (r < 0)
-                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
-                                                       "%s is not a valid notify mode. Valid modes are: yes, no, and ready.", optarg);
-                        arg_notify_ready = r;
+                                return r;
+
                         arg_settings_mask |= SETTING_NOTIFY_READY;
                         break;
 
@@ -5483,13 +5482,13 @@ static int run_container(
 
                 r = sd_bus_match_signal_async(
                                 bus,
-                                NULL,
+                                /* ret= */ NULL,
                                 "org.freedesktop.systemd1",
-                                NULL,
+                                /* path= */ NULL,
                                 "org.freedesktop.systemd1.Scope",
                                 "RequestStop",
                                 on_request_stop,
-                                NULL,
+                                /* install_callback= */ NULL,
                                 pid);
                 if (r < 0)
                         return log_error_errno(r, "Failed to request RequestStop match: %m");

src/vmspawn/vmspawn.c

@@ -727,9 +727,12 @@ static int read_vsock_notify(NotifyConnectionData *d, int fd) {
 
         p = strv_find_startswith(tags, "EXIT_STATUS=");
         if (p) {
-                r = safe_atoi(p, d->exit_status);
+                uint8_t k = 0;
+                r = safe_atou8(p, &k);
                 if (r < 0)
                         log_warning_errno(r, "Failed to parse exit status from %s, ignoring: %m", p);
+                else
+                        *d->exit_status = k;
         }
 
         return 1; /* done */

test/units/TEST-13-NSPAWN.nspawn.sh

@@ -1271,20 +1271,20 @@ testcase_unpriv() {
     create_dummy_ddi "$tmpdir" "$name"
     chown --recursive testuser: "$tmpdir"
 
-    systemd-run \
+    run0 --pipe -u testuser systemd-run \
+        --user \
         --pipe \
-        --uid=testuser \
         --property=Delegate=yes \
         -- \
         systemd-nspawn --pipe --private-network --register=no --keep-unit --image="$tmpdir/$name.raw" echo hello >"$tmpdir/stdout.txt"
     echo hello | cmp "$tmpdir/stdout.txt" -
 
     # Make sure per-user search path logic works
-    systemd-run --pipe --uid=testuser mkdir -p /home/testuser/.local/state/machines
-    systemd-run --pipe --uid=testuser ln -s "$tmpdir/$name.raw" /home/testuser/.local/state/machines/"x$name.raw"
-    systemd-run \
+    run0 -u testuser --pipe mkdir -p /home/testuser/.local/state/machines
+    run0 -u testuser --pipe ln -s "$tmpdir/$name.raw" /home/testuser/.local/state/machines/"x$name.raw"
+    run0 --pipe -u testuser systemd-run \
+        --user \
         --pipe \
-        --uid=testuser \
         --property=Delegate=yes \
         -- \
         systemd-nspawn --pipe --private-network --register=no --keep-unit --machine="x$name" echo hello >"$tmpdir/stdout.txt"
@@ -1351,9 +1351,9 @@ testcase_unpriv_fuse() {
     create_dummy_ddi "$tmpdir" "$name"
     chown --recursive testuser: "$tmpdir"
 
-    [[ "$(systemd-run \
+    [[ "$(run0 -u testuser --pipe systemd-run \
+              --user \
               --pipe \
-              --uid=testuser \
               --property=Delegate=yes \
               --setenv=SYSTEMD_LOG_LEVEL \
               --setenv=SYSTEMD_LOG_TARGET \