Merge bba2f7a1fe into 5d902cc21f

TODO

@@ -128,13 +128,6 @@ Deprecations and removals:
 
 Features:
 
-* loginctl: show argv[] of "leader" process in tabular list-sessions output
-
-* loginctl: show "service identifier" in tabular list-sessions output, to make
-  run0 sessions easily visible.
-
-* run0: maybe enable utmp for run0 sessions, so that they are easily visible.
-
 * maybe replace nss-machines with logic in networkd that registers records with
   systemd-resolved, based on DHCP leases, so that we gain compat with VMs.
   Implementation idea: encode in an ifaltname the intended local name to expose this

docs/TESTING_WITH_SANITIZERS.md

@@ -18,7 +18,7 @@ compiler you want to use and which part of the test suite you want to run.
 To build with sanitizers in mkosi, create a file `mkosi/mkosi.local.conf` and add the following contents:
 
 ```
-[Build]
+[Content]
 Environment=SANITIZERS=address,undefined
 ```
 

man/bootctl.xml

@@ -398,12 +398,10 @@
       </varlistentry>
 
       <varlistentry>
-        <term><option>--variables=yes|no</option></term>
+        <term><option>--no-variables</option></term>
-        <listitem><para>Controls whether to touch the firmware's boot loader list stored in EFI variables,
+        <listitem><para>Do not touch the firmware's boot loader list stored in EFI variables.</para>
-        and other EFI variables. If not specified defaults to no when execution in a container runtime is
-        detected, yes otherwise.</para>
 
-        <xi:include href="version-info.xml" xpointer="v258"/></listitem>
+        <xi:include href="version-info.xml" xpointer="v220"/></listitem>
       </varlistentry>
 
       <varlistentry>

man/org.freedesktop.systemd1.xml

@@ -477,6 +477,8 @@ node /org/freedesktop/systemd1 {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly b DefaultCPUAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+      readonly b DefaultBlockIOAccounting = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly b DefaultIOAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly b DefaultIPAccounting = ...;
@@ -717,6 +719,8 @@ node /org/freedesktop/systemd1 {
 
     <!--property DefaultCPUAccounting is not documented!-->
 
+    <!--property DefaultBlockIOAccounting is not documented!-->
+
     <!--property DefaultIOAccounting is not documented!-->
 
     <!--property DefaultIPAccounting is not documented!-->
@@ -1163,6 +1167,8 @@ node /org/freedesktop/systemd1 {
 
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultCPUAccounting"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="DefaultBlockIOAccounting"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultIOAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultIPAccounting"/>
@@ -2900,6 +2906,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t StartupCPUWeight = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t CPUShares = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t StartupCPUShares = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPerSecUSec = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPeriodUSec = ...;
@@ -2930,6 +2940,18 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(st) IODeviceLatencyTargetUSec = [...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly b BlockIOAccounting = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t BlockIOWeight = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t StartupBlockIOWeight = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIODeviceWeight = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIOReadBandwidth = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIOWriteBandwidth = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t DefaultMemoryLow = ...;
@@ -2962,6 +2984,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryZSwapWriteback = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t MemoryLimit = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly s DevicePolicy = '...';
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(ss) DeviceAllow = [...];
@@ -3541,6 +3565,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <!--property StartupCPUWeight is not documented!-->
 
+    <!--property CPUShares is not documented!-->
+
+    <!--property StartupCPUShares is not documented!-->
+
     <!--property CPUQuotaPerSecUSec is not documented!-->
 
     <!--property CPUQuotaPeriodUSec is not documented!-->
@@ -3571,6 +3599,18 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <!--property IODeviceLatencyTargetUSec is not documented!-->
 
+    <!--property BlockIOAccounting is not documented!-->
+
+    <!--property BlockIOWeight is not documented!-->
+
+    <!--property StartupBlockIOWeight is not documented!-->
+
+    <!--property BlockIODeviceWeight is not documented!-->
+
+    <!--property BlockIOReadBandwidth is not documented!-->
+
+    <!--property BlockIOWriteBandwidth is not documented!-->
+
     <!--property MemoryAccounting is not documented!-->
 
     <!--property DefaultMemoryLow is not documented!-->
@@ -3603,6 +3643,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <!--property MemoryZSwapWriteback is not documented!-->
 
+    <!--property MemoryLimit is not documented!-->
+
     <!--property DevicePolicy is not documented!-->
 
     <!--property DeviceAllow is not documented!-->
@@ -4195,6 +4237,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUWeight"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="CPUShares"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUShares"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPerSecUSec"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPeriodUSec"/>
@@ -4225,6 +4271,18 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IODeviceLatencyTargetUSec"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOAccounting"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="StartupBlockIOWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIODeviceWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOReadBandwidth"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWriteBandwidth"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultMemoryLow"/>
@@ -4257,6 +4315,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryZSwapWriteback"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="MemoryLimit"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="DevicePolicy"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DeviceAllow"/>
@@ -5053,6 +5113,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t StartupCPUWeight = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t CPUShares = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t StartupCPUShares = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPerSecUSec = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPeriodUSec = ...;
@@ -5083,6 +5147,18 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(st) IODeviceLatencyTargetUSec = [...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly b BlockIOAccounting = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t BlockIOWeight = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t StartupBlockIOWeight = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIODeviceWeight = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIOReadBandwidth = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIOWriteBandwidth = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t DefaultMemoryLow = ...;
@@ -5115,6 +5191,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryZSwapWriteback = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t MemoryLimit = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly s DevicePolicy = '...';
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(ss) DeviceAllow = [...];
@@ -5706,6 +5784,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <!--property StartupCPUWeight is not documented!-->
 
+    <!--property CPUShares is not documented!-->
+
+    <!--property StartupCPUShares is not documented!-->
+
     <!--property CPUQuotaPerSecUSec is not documented!-->
 
     <!--property CPUQuotaPeriodUSec is not documented!-->
@@ -5736,6 +5818,18 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <!--property IODeviceLatencyTargetUSec is not documented!-->
 
+    <!--property BlockIOAccounting is not documented!-->
+
+    <!--property BlockIOWeight is not documented!-->
+
+    <!--property StartupBlockIOWeight is not documented!-->
+
+    <!--property BlockIODeviceWeight is not documented!-->
+
+    <!--property BlockIOReadBandwidth is not documented!-->
+
+    <!--property BlockIOWriteBandwidth is not documented!-->
+
     <!--property MemoryAccounting is not documented!-->
 
     <!--property DefaultMemoryLow is not documented!-->
@@ -5768,6 +5862,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <!--property MemoryZSwapWriteback is not documented!-->
 
+    <!--property MemoryLimit is not documented!-->
+
     <!--property DevicePolicy is not documented!-->
 
     <!--property DeviceAllow is not documented!-->
@@ -6332,6 +6428,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUWeight"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="CPUShares"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUShares"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPerSecUSec"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPeriodUSec"/>
@@ -6362,6 +6462,18 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IODeviceLatencyTargetUSec"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOAccounting"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="StartupBlockIOWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIODeviceWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOReadBandwidth"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWriteBandwidth"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultMemoryLow"/>
@@ -6394,6 +6506,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryZSwapWriteback"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="MemoryLimit"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="DevicePolicy"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DeviceAllow"/>
@@ -7022,6 +7136,10 @@ node /org/freedesktop/systemd1/unit/home_2emount {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t StartupCPUWeight = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t CPUShares = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t StartupCPUShares = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPerSecUSec = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPeriodUSec = ...;
@@ -7052,6 +7170,18 @@ node /org/freedesktop/systemd1/unit/home_2emount {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(st) IODeviceLatencyTargetUSec = [...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly b BlockIOAccounting = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t BlockIOWeight = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t StartupBlockIOWeight = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIODeviceWeight = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIOReadBandwidth = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIOWriteBandwidth = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t DefaultMemoryLow = ...;
@@ -7084,6 +7214,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryZSwapWriteback = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t MemoryLimit = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly s DevicePolicy = '...';
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(ss) DeviceAllow = [...];
@@ -7605,6 +7737,10 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
     <!--property StartupCPUWeight is not documented!-->
 
+    <!--property CPUShares is not documented!-->
+
+    <!--property StartupCPUShares is not documented!-->
+
     <!--property CPUQuotaPerSecUSec is not documented!-->
 
     <!--property CPUQuotaPeriodUSec is not documented!-->
@@ -7635,6 +7771,18 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
     <!--property IODeviceLatencyTargetUSec is not documented!-->
 
+    <!--property BlockIOAccounting is not documented!-->
+
+    <!--property BlockIOWeight is not documented!-->
+
+    <!--property StartupBlockIOWeight is not documented!-->
+
+    <!--property BlockIODeviceWeight is not documented!-->
+
+    <!--property BlockIOReadBandwidth is not documented!-->
+
+    <!--property BlockIOWriteBandwidth is not documented!-->
+
     <!--property MemoryAccounting is not documented!-->
 
     <!--property DefaultMemoryLow is not documented!-->
@@ -7667,6 +7815,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
     <!--property MemoryZSwapWriteback is not documented!-->
 
+    <!--property MemoryLimit is not documented!-->
+
     <!--property DevicePolicy is not documented!-->
 
     <!--property DeviceAllow is not documented!-->
@@ -8147,6 +8297,10 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
     <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUWeight"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="CPUShares"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUShares"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPerSecUSec"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPeriodUSec"/>
@@ -8177,6 +8331,18 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IODeviceLatencyTargetUSec"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOAccounting"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="StartupBlockIOWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIODeviceWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOReadBandwidth"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWriteBandwidth"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultMemoryLow"/>
@@ -8209,6 +8375,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryZSwapWriteback"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="MemoryLimit"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="DevicePolicy"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DeviceAllow"/>
@@ -8964,6 +9132,10 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t StartupCPUWeight = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t CPUShares = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t StartupCPUShares = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPerSecUSec = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPeriodUSec = ...;
@@ -8994,6 +9166,18 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(st) IODeviceLatencyTargetUSec = [...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly b BlockIOAccounting = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t BlockIOWeight = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t StartupBlockIOWeight = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIODeviceWeight = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIOReadBandwidth = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIOWriteBandwidth = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t DefaultMemoryLow = ...;
@@ -9026,6 +9210,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryZSwapWriteback = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t MemoryLimit = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly s DevicePolicy = '...';
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(ss) DeviceAllow = [...];
@@ -9529,6 +9715,10 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
     <!--property StartupCPUWeight is not documented!-->
 
+    <!--property CPUShares is not documented!-->
+
+    <!--property StartupCPUShares is not documented!-->
+
     <!--property CPUQuotaPerSecUSec is not documented!-->
 
     <!--property CPUQuotaPeriodUSec is not documented!-->
@@ -9559,6 +9749,18 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
     <!--property IODeviceLatencyTargetUSec is not documented!-->
 
+    <!--property BlockIOAccounting is not documented!-->
+
+    <!--property BlockIOWeight is not documented!-->
+
+    <!--property StartupBlockIOWeight is not documented!-->
+
+    <!--property BlockIODeviceWeight is not documented!-->
+
+    <!--property BlockIOReadBandwidth is not documented!-->
+
+    <!--property BlockIOWriteBandwidth is not documented!-->
+
     <!--property MemoryAccounting is not documented!-->
 
     <!--property DefaultMemoryLow is not documented!-->
@@ -9591,6 +9793,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
     <!--property MemoryZSwapWriteback is not documented!-->
 
+    <!--property MemoryLimit is not documented!-->
+
     <!--property DevicePolicy is not documented!-->
 
     <!--property DeviceAllow is not documented!-->
@@ -10053,6 +10257,10 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
     <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUWeight"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="CPUShares"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUShares"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPerSecUSec"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPeriodUSec"/>
@@ -10083,6 +10291,18 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IODeviceLatencyTargetUSec"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOAccounting"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="StartupBlockIOWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIODeviceWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOReadBandwidth"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWriteBandwidth"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultMemoryLow"/>
@@ -10115,6 +10335,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryZSwapWriteback"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="MemoryLimit"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="DevicePolicy"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DeviceAllow"/>
@@ -10723,6 +10945,10 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t StartupCPUWeight = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t CPUShares = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t StartupCPUShares = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPerSecUSec = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPeriodUSec = ...;
@@ -10753,6 +10979,18 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(st) IODeviceLatencyTargetUSec = [...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly b BlockIOAccounting = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t BlockIOWeight = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t StartupBlockIOWeight = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIODeviceWeight = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIOReadBandwidth = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIOWriteBandwidth = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t DefaultMemoryLow = ...;
@@ -10785,6 +11023,8 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryZSwapWriteback = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t MemoryLimit = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly s DevicePolicy = '...';
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(ss) DeviceAllow = [...];
@@ -10898,6 +11138,10 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
 
     <!--property StartupCPUWeight is not documented!-->
 
+    <!--property CPUShares is not documented!-->
+
+    <!--property StartupCPUShares is not documented!-->
+
     <!--property CPUQuotaPerSecUSec is not documented!-->
 
     <!--property CPUQuotaPeriodUSec is not documented!-->
@@ -10928,6 +11172,18 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
 
     <!--property IODeviceLatencyTargetUSec is not documented!-->
 
+    <!--property BlockIOAccounting is not documented!-->
+
+    <!--property BlockIOWeight is not documented!-->
+
+    <!--property StartupBlockIOWeight is not documented!-->
+
+    <!--property BlockIODeviceWeight is not documented!-->
+
+    <!--property BlockIOReadBandwidth is not documented!-->
+
+    <!--property BlockIOWriteBandwidth is not documented!-->
+
     <!--property MemoryAccounting is not documented!-->
 
     <!--property DefaultMemoryLow is not documented!-->
@@ -10960,6 +11216,8 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
 
     <!--property MemoryZSwapWriteback is not documented!-->
 
+    <!--property MemoryLimit is not documented!-->
+
     <!--property DevicePolicy is not documented!-->
 
     <!--property DeviceAllow is not documented!-->
@@ -11080,6 +11338,10 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUWeight"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="CPUShares"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUShares"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPerSecUSec"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPeriodUSec"/>
@@ -11110,6 +11372,18 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IODeviceLatencyTargetUSec"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOAccounting"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="StartupBlockIOWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIODeviceWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOReadBandwidth"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWriteBandwidth"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultMemoryLow"/>
@@ -11142,6 +11416,8 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryZSwapWriteback"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="MemoryLimit"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="DevicePolicy"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DeviceAllow"/>
@@ -11293,6 +11569,10 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t StartupCPUWeight = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t CPUShares = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t StartupCPUShares = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPerSecUSec = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPeriodUSec = ...;
@@ -11323,6 +11603,18 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(st) IODeviceLatencyTargetUSec = [...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly b BlockIOAccounting = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t BlockIOWeight = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t StartupBlockIOWeight = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIODeviceWeight = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIOReadBandwidth = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly a(st) BlockIOWriteBandwidth = [...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t DefaultMemoryLow = ...;
@@ -11355,6 +11647,8 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryZSwapWriteback = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t MemoryLimit = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly s DevicePolicy = '...';
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(ss) DeviceAllow = [...];
@@ -11488,6 +11782,10 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
 
     <!--property StartupCPUWeight is not documented!-->
 
+    <!--property CPUShares is not documented!-->
+
+    <!--property StartupCPUShares is not documented!-->
+
     <!--property CPUQuotaPerSecUSec is not documented!-->
 
     <!--property CPUQuotaPeriodUSec is not documented!-->
@@ -11518,6 +11816,18 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
 
     <!--property IODeviceLatencyTargetUSec is not documented!-->
 
+    <!--property BlockIOAccounting is not documented!-->
+
+    <!--property BlockIOWeight is not documented!-->
+
+    <!--property StartupBlockIOWeight is not documented!-->
+
+    <!--property BlockIODeviceWeight is not documented!-->
+
+    <!--property BlockIOReadBandwidth is not documented!-->
+
+    <!--property BlockIOWriteBandwidth is not documented!-->
+
     <!--property MemoryAccounting is not documented!-->
 
     <!--property DefaultMemoryLow is not documented!-->
@@ -11550,6 +11860,8 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
 
     <!--property MemoryZSwapWriteback is not documented!-->
 
+    <!--property MemoryLimit is not documented!-->
+
     <!--property DevicePolicy is not documented!-->
 
     <!--property DeviceAllow is not documented!-->
@@ -11700,6 +12012,10 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
 
     <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUWeight"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="CPUShares"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUShares"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPerSecUSec"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPeriodUSec"/>
@@ -11730,6 +12046,18 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IODeviceLatencyTargetUSec"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOAccounting"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="StartupBlockIOWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIODeviceWeight"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOReadBandwidth"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWriteBandwidth"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultMemoryLow"/>
@@ -11762,6 +12090,8 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
 
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryZSwapWriteback"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="MemoryLimit"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="DevicePolicy"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DeviceAllow"/>

man/systemd.network.xml

@@ -1738,10 +1738,8 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
         <term><varname>FirewallMark=</varname></term>
         <listitem>
           <para>Specifies the iptables firewall mark value to match (a number in the range
-          0…4294967295). Optionally, the firewall mask (also a number between 0…4294967295) can be
+          1…4294967295). Optionally, the firewall mask (also a number between 1…4294967295) can be
-          suffixed with a slash (<literal>/</literal>), e.g., <literal>7/255</literal>. When the
+          suffixed with a slash (<literal>/</literal>), e.g., <literal>7/255</literal>.</para>
-          mark value is non-zero and no mask is explicitly specified, all bits of the mark are
-          compared. </para>
 
           <xi:include href="version-info.xml" xpointer="v235"/>
         </listitem>

mkosi/mkosi.conf.d/arch/mkosi.conf

@@ -4,7 +4,6 @@
 Distribution=arch
 
 [Content]
-PrepareScripts=systemd.prepare
 VolatilePackages=
         systemd
         systemd-libs

mkosi/mkosi.conf.d/arch/mkosi.prepare

@@ -17,7 +17,6 @@ for PACKAGE in "${PACKAGES[@]}"; do
             sed --quiet 's/^Depends On *: //p' # Filter out everything except "Depends On:" line and fetch dependencies from it.
     )"
 
-    if ! ((SYSTEMD_REQUIRED_DEPS_ONLY)); then
     DEPS="$DEPS $(
         pacman --sync --info "$PACKAGE" |
             sed '1,/^$/d' | # Only keep result from first repository (delete everything after first blank line).
@@ -26,7 +25,6 @@ for PACKAGE in "${PACKAGES[@]}"; do
             sed 's/ *\(.*\):.*/\1/' | # Drop descriptions (everything after first colon for all lines).
             tr '\n' ' ' # Transform newlines to whitespace.
     )"
-    fi
 done
 
 echo "$DEPS" |

mkosi/mkosi.conf.d/centos-fedora/mkosi.conf

@@ -5,7 +5,6 @@ Distribution=|centos
 Distribution=|fedora
 
 [Content]
-PrepareScripts=systemd.prepare
 VolatilePackages=
         systemd
         systemd-boot

mkosi/mkosi.conf.d/centos-fedora/mkosi.prepare

@@ -8,12 +8,7 @@ fi
 
 mapfile -t PACKAGES < <(jq --raw-output .VolatilePackages[] <"$MKOSI_CONFIG")
 
-DEP_TYPES=(--requires)
+for DEPS in --requires --recommends --suggests; do
-if ! ((SYSTEMD_REQUIRED_DEPS_ONLY)); then
-    DEP_TYPES+=(--recommends --suggests)
-fi
-
-for DEPS in "${DEP_TYPES[@]}"; do
     # We need --latest-limit=1 to only consider the newest version of the packages.
     # --latest-limit=1 is per <name>.<arch> so we have to pass --arch= explicitly to make sure i686 packages
     # are not considered on x86-64.

mkosi/mkosi.conf.d/debian-ubuntu/mkosi.conf

@@ -5,7 +5,6 @@ Distribution=|debian
 Distribution=|ubuntu
 
 [Content]
-PrepareScripts=systemd.prepare
 VolatilePackages=
         libnss-myhostname
         libnss-mymachines

mkosi/mkosi.conf.d/debian-ubuntu/mkosi.prepare

@@ -22,14 +22,9 @@ for PACKAGE in "${PACKAGES[@]}"; do
     # Get all the dependencies of the systemd packages including recommended and suggested dependencies.
     PATTERNS+=(
         "?and(?reverse-depends(?exact-name($PACKAGE)), $COMMON)"
-    )
-
-    if ! ((SYSTEMD_REQUIRED_DEPS_ONLY)); then
-        PATTERNS+=(
         "?and(?reverse-recommends(?exact-name($PACKAGE)), $COMMON)"
         "?and(?reverse-suggests(?exact-name($PACKAGE)), $COMMON)"
     )
-    fi
 done
 
 mkosi-install "${PATTERNS[@]}"

mkosi/mkosi.conf.d/opensuse/mkosi.conf

@@ -11,7 +11,6 @@ Repositories=non-oss
 SandboxTrees=macros.db_backend:/etc/rpm/macros.db_backend
 
 [Content]
-PrepareScripts=systemd.prepare
 VolatilePackages=
         libsystemd0
         libudev1

mkosi/mkosi.conf.d/opensuse/mkosi.prepare

@@ -9,15 +9,11 @@ fi
 mapfile -t PACKAGES < <(jq --raw-output .VolatilePackages[] <"$MKOSI_CONFIG")
 
 DEPS=""
-DEP_TYPES=(--requires)
-if ! ((SYSTEMD_REQUIRED_DEPS_ONLY)); then
-    DEP_TYPES+=(--recommends --suggests)
-fi
 
 for PACKAGE in "${PACKAGES[@]}"; do
     # zypper's output is not machine readable so we make do with sed instead.
     DEPS="$DEPS\n$(
-        zypper info "${DEP_TYPES[@]}" "$PACKAGE" |
+        zypper info --requires --recommends --suggests "$PACKAGE" |
             sed '/Requires/,$!d' | # Remove everything before Requires line
             sed --quiet 's/^    //p' # All indented lines have dependencies
     )"

mkosi/mkosi.images/exitrd/mkosi.conf

@@ -3,9 +3,6 @@
 [Output]
 Format=directory
 
-[Build]
-Environment=SYSTEMD_REQUIRED_DEPS_ONLY=1
-
 [Content]
 Bootable=no
 Locale=C.UTF-8
@@ -14,7 +11,6 @@ CleanPackageMetadata=yes
 MakeInitrd=yes
 
 Packages=
-        coreutils
         bash
 
 [Include]

mkosi/mkosi.images/exitrd/mkosi.conf.d/arch.conf

@@ -4,7 +4,6 @@
 Distribution=arch
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/arch/systemd.prepare
 VolatilePackages=
         systemd
         systemd-libs

mkosi/mkosi.images/exitrd/mkosi.conf.d/centos-fedora.conf

@@ -5,6 +5,5 @@ Distribution=|centos
 Distribution=|fedora
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/centos-fedora/systemd.prepare
 VolatilePackages=
         systemd-standalone-shutdown

mkosi/mkosi.images/exitrd/mkosi.conf.d/debian.conf

@@ -4,6 +4,5 @@
 Distribution=debian
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/systemd.prepare
 VolatilePackages=
         systemd-standalone-shutdown

mkosi/mkosi.images/exitrd/mkosi.conf.d/opensuse.conf

@@ -4,7 +4,6 @@
 Distribution=opensuse
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/opensuse/systemd.prepare
 Packages=
         diffutils
         grep

mkosi/mkosi.images/exitrd/mkosi.conf.d/ubuntu.conf

@@ -4,7 +4,6 @@
 Distribution=ubuntu
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/systemd.prepare
 VolatilePackages=
         libsystemd-shared
         libsystemd0

mkosi/mkosi.images/initrd/mkosi.conf

@@ -6,14 +6,10 @@ Include=
         %D/mkosi/mkosi.sanitizers
         %D/mkosi/mkosi.coverage
 
-[Build]
-Environment=SYSTEMD_REQUIRED_DEPS_ONLY=1
-
 [Content]
 ExtraTrees=%D/mkosi/mkosi.extra.common
 
 Packages=
-        coreutils
         findutils
         grep
         sed

mkosi/mkosi.images/initrd/mkosi.conf.d/arch.conf

@@ -4,7 +4,6 @@
 Distribution=arch
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/arch/systemd.prepare
 Packages=
         btrfs-progs
         tpm2-tools

mkosi/mkosi.images/initrd/mkosi.conf.d/centos-fedora.conf

@@ -5,7 +5,6 @@ Distribution=|centos
 Distribution=|fedora
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/centos-fedora/systemd.prepare
 Packages=
         tpm2-tools
 

mkosi/mkosi.images/initrd/mkosi.conf.d/debian-ubuntu.conf

@@ -5,7 +5,6 @@ Distribution=|debian
 Distribution=|ubuntu
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/systemd.prepare
 Packages=
         btrfs-progs
         tpm2-tools

mkosi/mkosi.images/initrd/mkosi.conf.d/opensuse.conf

@@ -4,7 +4,6 @@
 Distribution=opensuse
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/opensuse/systemd.prepare
 Packages=
         btrfs-progs
         kmod

mkosi/mkosi.images/minimal-base/mkosi.conf

@@ -3,9 +3,6 @@
 [Output]
 Format=directory
 
-[Build]
-Environment=SYSTEMD_REQUIRED_DEPS_ONLY=1
-
 [Content]
 Bootable=no
 Locale=C.UTF-8

mkosi/mkosi.images/minimal-base/mkosi.conf.d/arch.conf

@@ -4,7 +4,6 @@
 Distribution=arch
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/arch/systemd.prepare
 Packages=
         inetutils
         iproute

mkosi/mkosi.images/minimal-base/mkosi.conf.d/centos-fedora.conf

@@ -5,7 +5,6 @@ Distribution=|centos
 Distribution=|fedora
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/centos-fedora/systemd.prepare
 Packages=
         hostname
         iproute

mkosi/mkosi.images/minimal-base/mkosi.conf.d/debian-ubuntu.conf

@@ -5,7 +5,6 @@ Distribution=|debian
 Distribution=|ubuntu
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/systemd.prepare
 Packages=
         hostname
         iproute2

mkosi/mkosi.images/minimal-base/mkosi.conf.d/opensuse.conf

@@ -4,7 +4,6 @@
 Distribution=opensuse
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/opensuse/systemd.prepare
 Packages=
         diffutils
         grep

src/basic/conf-files.c

@@ -19,6 +19,7 @@
 #include "nulstr-util.h"
 #include "path-util.h"
 #include "set.h"
+#include "sort-util.h"
 #include "stat-util.h"
 #include "string-util.h"
 #include "strv.h"
@@ -121,22 +122,29 @@ static int files_add(
         return 0;
 }
 
+static int base_cmp(char * const *a, char * const *b) {
+        assert(a);
+        assert(b);
+        return path_compare_filename(*a, *b);
+}
+
 static int copy_and_sort_files_from_hashmap(Hashmap *fh, char ***ret) {
         _cleanup_free_ char **sv = NULL;
         char **files;
-        int r;
 
         assert(ret);
 
-        r = hashmap_dump_sorted(fh, (void***) &sv, /* ret_n = */ NULL);
+        sv = hashmap_get_strv(fh);
-        if (r < 0)
+        if (!sv)
-                return r;
+                return -ENOMEM;
 
-        /* The entries in the array given by hashmap_dump_sorted() are still owned by the hashmap. */
+        /* The entries in the array given by hashmap_get_strv() are still owned by the hashmap. */
         files = strv_copy(sv);
         if (!files)
                 return -ENOMEM;
 
+        typesafe_qsort(files, strv_length(files), base_cmp);
+
         *ret = files;
         return 0;
 }
@@ -229,7 +237,7 @@ int conf_files_insert(char ***strv, const char *root, char **dirs, const char *p
         for (i = 0; i < n; i++) {
                 int c;
 
-                c = path_compare_filename((*strv)[i], path);
+                c = base_cmp((char* const*) *strv + i, (char* const*) &path);
                 if (c == 0)
                         /* Oh, there already is an entry with a matching name (the last component). */
                         STRV_FOREACH(dir, dirs) {

src/basic/xattr-util.c

@@ -104,7 +104,7 @@ static ssize_t getxattr_pinned_internal(
         if (n < 0)
                 return -errno;
 
-        assert(size == 0 || (size_t) n <= size);
+        assert((size_t) n <= size);
         return n;
 }
 
@@ -234,7 +234,7 @@ static int listxattr_pinned_internal(
         if (n < 0)
                 return -errno;
 
-        assert(size == 0 || (size_t) n <= size);
+        assert((size_t) n <= size);
 
         if (n > INT_MAX) /* We couldn't return this as 'int' anymore */
                 return -E2BIG;

src/bootctl/bootctl-install.c

@@ -865,6 +865,17 @@ static int install_variables(
         uint16_t slot;
         int r;
 
+        if (arg_root) {
+                log_info("Acting on %s, skipping EFI variable setup.",
+                         arg_image ? "image" : "root directory");
+                return 0;
+        }
+
+        if (!is_efi_boot()) {
+                log_warning("Not booted with EFI, skipping EFI variable setup.");
+                return 0;
+        }
+
         r = chase_and_access(path, esp_path, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, F_OK, NULL);
         if (r == -ENOENT)
                 return 0;
@@ -1064,7 +1075,7 @@ int verb_install(int argc, char *argv[], void *userdata) {
 
         (void) sync_everything();
 
-        if (!touch_variables())
+        if (!arg_touch_variables)
                 return 0;
 
         if (arg_arch_all) {
@@ -1195,6 +1206,9 @@ static int remove_variables(sd_id128_t uuid, const char *path, bool in_order) {
         uint16_t slot;
         int r;
 
+        if (arg_root || !is_efi_boot())
+                return 0;
+
         r = find_slot(uuid, path, &slot);
         if (r != 1)
                 return 0;
@@ -1313,7 +1327,7 @@ int verb_remove(int argc, char *argv[], void *userdata) {
 
         (void) sync_everything();
 
-        if (!touch_variables())
+        if (!arg_touch_variables)
                 return r;
 
         if (arg_arch_all) {

src/bootctl/bootctl-random-seed.c

@@ -58,9 +58,20 @@ static int set_system_token(void) {
         size_t token_size;
         int r;
 
-        if (!touch_variables())
+        if (!arg_touch_variables)
                 return 0;
 
+        if (arg_root) {
+                log_warning("Acting on %s, skipping EFI variable setup.",
+                             arg_image ? "image" : "root directory");
+                return 0;
+        }
+
+        if (!is_efi_boot()) {
+                log_notice("Not booted with EFI, skipping EFI variable setup.");
+                return 0;
+        }
+
         r = getenv_bool("SYSTEMD_WRITE_SYSTEM_TOKEN");
         if (r < 0) {
                 if (r != -ENXIO)

src/bootctl/bootctl-set-efivar.c

@@ -105,20 +105,11 @@ static int parse_loader_entry_target_arg(const char *arg1, char16_t **ret_target
 int verb_set_efivar(int argc, char *argv[], void *userdata) {
         int r;
 
-        /* Note: changing EFI variables is the primary purpose of these verbs, hence unlike in the other
-         * verbs that might touch EFI variables where we skip things gracefully, here we fail loudly if we
-         * are not run on EFI or EFI variable modifications were turned off. */
-
-        if (arg_touch_variables < 0) {
         if (arg_root)
                 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
-                                               "Acting on %s, refusing EFI variable setup.",
+                                       "Acting on %s, skipping EFI variable setup.",
                                        arg_image ? "image" : "root directory");
 
-                if (detect_container() > 0)
-                        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
-                                               "'%s' operation not supported in a container.",
-                                               argv[0]);
         if (!is_efi_boot())
                 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
                                        "Not booted with UEFI.");
@@ -132,9 +123,14 @@ int verb_set_efivar(int argc, char *argv[], void *userdata) {
                 return log_error_errno(errno, "Failed to detect whether boot loader supports '%s' operation: %m", argv[0]);
         }
 
-        } else if (!arg_touch_variables)
+        if (detect_container() > 0)
+                return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+                                       "'%s' operation not supported in a container.",
+                                       argv[0]);
+
+        if (!arg_touch_variables)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
-                                       "'%s' operation cannot be combined with --variables=no.",
+                                       "'%s' operation cannot be combined with --no-variables.",
                                        argv[0]);
 
         const char *variable;

src/bootctl/bootctl.c

@@ -43,7 +43,7 @@ bool arg_print_dollar_boot_path = false;
 bool arg_print_loader_path = false;
 bool arg_print_stub_path = false;
 unsigned arg_print_root_device = 0;
-int arg_touch_variables = -1;
+bool arg_touch_variables = true;
 bool arg_install_random_seed = true;
 PagerFlags arg_pager_flags = 0;
 bool arg_graceful = false;
@@ -213,29 +213,6 @@ static int print_loader_or_stub_path(void) {
         return 0;
 }
 
-bool touch_variables(void) {
-        /* If we run in a container or on a non-EFI system, automatically turn off EFI file system access,
-         * unless explicitly overriden. */
-
-        if (arg_touch_variables >= 0)
-                return arg_touch_variables;
-
-        if (arg_root) {
-                log_once(LOG_NOTICE,
-                         "Operating on %s, skipping EFI variable modifications.",
-                         arg_image ? "image" : "root directory");
-                return false;
-        }
-
-        if (!is_efi_boot()) { /* NB: this internally checks if we run in a container */
-                log_once(LOG_NOTICE,
-                         "Not booted with EFI or running in a container, skipping EFI variable modifications.");
-                return false;
-        }
-
-        return true;
-}
-
 static int help(int argc, char *argv[], void *userdata) {
         _cleanup_free_ char *link = NULL;
         int r;
@@ -294,8 +271,7 @@ static int help(int argc, char *argv[], void *userdata) {
                "                       Specify disk image dissection policy\n"
                "     --install-source=auto|image|host\n"
                "                       Where to pick files when using --root=/--image=\n"
-               "     --variables=yes|no\n"
+               "     --no-variables    Don't touch EFI variables\n"
-               "                       Whether to modify EFI variables\n"
                "     --random-seed=yes|no\n"
                "                       Whether to create random-seed file during install\n"
                "     --no-pager        Do not pipe output into a pager\n"
@@ -351,7 +327,6 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_IMAGE_POLICY,
                 ARG_INSTALL_SOURCE,
                 ARG_VERSION,
-                ARG_VARIABLES,
                 ARG_NO_VARIABLES,
                 ARG_RANDOM_SEED,
                 ARG_NO_PAGER,
@@ -387,8 +362,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "print-loader-path",           no_argument,       NULL, ARG_PRINT_LOADER_PATH           },
                 { "print-stub-path",             no_argument,       NULL, ARG_PRINT_STUB_PATH             },
                 { "print-root-device",           no_argument,       NULL, 'R'                             },
-                { "variables",                   required_argument, NULL, ARG_VARIABLES                   },
+                { "no-variables",                no_argument,       NULL, ARG_NO_VARIABLES                },
-                { "no-variables",                no_argument,       NULL, ARG_NO_VARIABLES                }, /* Compability */
                 { "random-seed",                 required_argument, NULL, ARG_RANDOM_SEED                 },
                 { "no-pager",                    no_argument,       NULL, ARG_NO_PAGER                    },
                 { "graceful",                    no_argument,       NULL, ARG_GRACEFUL                    },
@@ -486,12 +460,6 @@ static int parse_argv(int argc, char *argv[]) {
                         arg_print_root_device++;
                         break;
 
-                case ARG_VARIABLES:
-                        r = parse_tristate_argument("--variables=", optarg, &arg_touch_variables);
-                        if (r < 0)
-                                return r;
-                        break;
-
                 case ARG_NO_VARIABLES:
                         arg_touch_variables = false;
                         break;
@@ -675,6 +643,10 @@ static int run(int argc, char *argv[]) {
 
         log_setup();
 
+        /* If we run in a container, automatically turn off EFI file system access */
+        if (detect_container() > 0)
+                arg_touch_variables = false;
+
         r = parse_argv(argc, argv);
         if (r <= 0)
                 return r;

src/bootctl/bootctl.h

@@ -20,7 +20,7 @@ extern char *arg_xbootldr_path;
 extern bool arg_print_esp_path;
 extern bool arg_print_dollar_boot_path;
 extern unsigned arg_print_root_device;
-extern int arg_touch_variables;
+extern bool arg_touch_variables;
 extern bool arg_install_random_seed;
 extern PagerFlags arg_pager_flags;
 extern bool arg_graceful;
@@ -54,5 +54,3 @@ static inline const char* arg_dollar_boot_path(void) {
 
 int acquire_esp(int unprivileged_mode, bool graceful, uint32_t *ret_part, uint64_t *ret_pstart, uint64_t *ret_psize, sd_id128_t *ret_uuid, dev_t *ret_devid);
 int acquire_xbootldr(int unprivileged_mode, sd_id128_t *ret_uuid, dev_t *ret_devid);
-
-bool touch_variables(void);

src/core/bpf-devices.c

@@ -261,10 +261,11 @@ int bpf_devices_supported(void) {
         static int supported = -1;
         int r;
 
-        /* Checks whether BPF device controller is supported. For this, we check two things:
+        /* Checks whether BPF device controller is supported. For this, we check five things:
          *
          * a) whether we are privileged
-         * b) the BPF implementation in the kernel supports BPF_PROG_TYPE_CGROUP_DEVICE programs, which we require
+         * b) whether the unified hierarchy is being used
+         * c) the BPF implementation in the kernel supports BPF_PROG_TYPE_CGROUP_DEVICE programs, which we require
          */
 
         if (supported >= 0)
@@ -275,6 +276,14 @@ int bpf_devices_supported(void) {
                 return supported = 0;
         }
 
+        r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
+        if (r < 0)
+                return log_error_errno(r, "Can't determine whether the unified hierarchy is used: %m");
+        if (r == 0) {
+                log_debug("Not running with unified cgroups, BPF device control is not supported.");
+                return supported = 0;
+        }
+
         r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, "sd_devices", &program);
         if (r < 0) {
                 log_debug_errno(r, "Can't allocate CGROUP DEVICE BPF program, BPF device control is not supported: %m");
@@ -306,15 +315,38 @@ static int allow_list_device_pattern(
 
         assert(IN_SET(type, 'b', 'c'));
 
+        if (cg_all_unified() > 0) {
                 if (!prog)
                         return 0;
 
                 if (major != UINT_MAX && minor != UINT_MAX)
                         return bpf_prog_allow_list_device(prog, type, major, minor, p);
-        if (major != UINT_MAX)
+                else if (major != UINT_MAX)
                         return bpf_prog_allow_list_major(prog, type, major, p);
-
+                else
                         return bpf_prog_allow_list_class(prog, type, p);
+
+        } else {
+                char buf[2+DECIMAL_STR_MAX(unsigned)*2+2+4];
+                int r;
+
+                if (major != UINT_MAX && minor != UINT_MAX)
+                        xsprintf(buf, "%c %u:%u %s", type, major, minor, cgroup_device_permissions_to_string(p));
+                else if (major != UINT_MAX)
+                        xsprintf(buf, "%c %u:* %s", type, major, cgroup_device_permissions_to_string(p));
+                else
+                        xsprintf(buf, "%c *:* %s", type, cgroup_device_permissions_to_string(p));
+
+                /* Changing the devices list of a populated cgroup might result in EINVAL, hence ignore
+                 * EINVAL here. */
+
+                r = cg_set_attribute("devices", path, "devices.allow", buf);
+                if (r < 0)
+                        log_full_errno(IN_SET(r, -ENOENT, -EROFS, -EINVAL, -EACCES, -EPERM) ? LOG_DEBUG : LOG_WARNING,
+                                       r, "Failed to set devices.allow on %s: %m", path);
+
+                return r;
+        }
 }
 
 int bpf_devices_allow_list_device(

src/core/bpf-firewall.c

@@ -845,12 +845,23 @@ int bpf_firewall_supported(void) {
 
         /* Checks whether BPF firewalling is supported. For this, we check the following things:
          *
+         * - whether the unified hierarchy is being used
          * - the BPF implementation in the kernel supports BPF_PROG_TYPE_CGROUP_SKB programs, which we require
          * - the BPF implementation in the kernel supports the BPF_PROG_DETACH call, which we require
          */
         if (supported >= 0)
                 return supported;
 
+        r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
+        if (r < 0)
+                return log_error_errno(r, "bpf-firewall: Can't determine whether the unified hierarchy is used: %m");
+        if (r == 0) {
+                bpf_firewall_unsupported_reason =
+                        log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN),
+                                        "bpf-firewall: Not running with unified cgroup hierarchy, BPF firewalling is not supported.");
+                return supported = BPF_FIREWALL_UNSUPPORTED;
+        }
+
         /* prog_name is NULL since it is supported only starting from v4.15 kernel. */
         r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, NULL, &program);
         if (r < 0) {

src/core/bpf-foreign.h

@@ -4,6 +4,10 @@
 
 #include "unit.h"
 
+static inline int bpf_foreign_supported(void) {
+        return cg_all_unified();
+}
+
 /*
  * Attach cgroup-bpf programs foreign to systemd, i.e. loaded to the kernel by an entity
  * external to systemd.

src/core/bpf-util.c

@@ -13,6 +13,17 @@ bool cgroup_bpf_supported(void) {
         if (supported >= 0)
                 return supported;
 
+        r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
+        if (r < 0) {
+                log_warning_errno(r, "Can't determine whether the unified hierarchy is used: %m");
+                return (supported = false);
+        }
+
+        if (r == 0) {
+                log_info("Not running with unified cgroup hierarchy, disabling cgroup BPF features.");
+                return (supported = false);
+        }
+
         r = dlopen_bpf();
         if (r < 0) {
                 log_full_errno(in_initrd() ? LOG_DEBUG : LOG_INFO,

src/core/cgroup.h

@@ -34,6 +34,8 @@ typedef struct CGroupDeviceAllow CGroupDeviceAllow;
 typedef struct CGroupIODeviceWeight CGroupIODeviceWeight;
 typedef struct CGroupIODeviceLimit CGroupIODeviceLimit;
 typedef struct CGroupIODeviceLatency CGroupIODeviceLatency;
+typedef struct CGroupBlockIODeviceWeight CGroupBlockIODeviceWeight;
+typedef struct CGroupBlockIODeviceBandwidth CGroupBlockIODeviceBandwidth;
 typedef struct CGroupBPFForeignProgram CGroupBPFForeignProgram;
 typedef struct CGroupSocketBindItem CGroupSocketBindItem;
 typedef struct CGroupRuntime CGroupRuntime;
@@ -96,6 +98,19 @@ struct CGroupIODeviceLatency {
         usec_t target_usec;
 };
 
+struct CGroupBlockIODeviceWeight {
+        LIST_FIELDS(CGroupBlockIODeviceWeight, device_weights);
+        char *path;
+        uint64_t weight;
+};
+
+struct CGroupBlockIODeviceBandwidth {
+        LIST_FIELDS(CGroupBlockIODeviceBandwidth, device_bandwidths);
+        char *path;
+        uint64_t rbps;
+        uint64_t wbps;
+};
+
 struct CGroupBPFForeignProgram {
         LIST_FIELDS(CGroupBPFForeignProgram, programs);
         uint32_t attach_type;
@@ -125,6 +140,7 @@ typedef enum CGroupPressureWatch {
 struct CGroupContext {
         bool cpu_accounting;
         bool io_accounting;
+        bool blockio_accounting;
         bool memory_accounting;
         bool tasks_accounting;
         bool ip_accounting;
@@ -196,6 +212,17 @@ struct CGroupContext {
         Set *restrict_network_interfaces;
         bool restrict_network_interfaces_is_allow_list;
 
+        /* For legacy hierarchies */
+        uint64_t cpu_shares;
+        uint64_t startup_cpu_shares;
+
+        uint64_t blockio_weight;
+        uint64_t startup_blockio_weight;
+        LIST_HEAD(CGroupBlockIODeviceWeight, blockio_device_weights);
+        LIST_HEAD(CGroupBlockIODeviceBandwidth, blockio_device_bandwidths);
+
+        uint64_t memory_limit;
+
         CGroupDevicePolicy device_policy;
         LIST_HEAD(CGroupDeviceAllow, device_allow);
 
@@ -369,6 +396,8 @@ void cgroup_context_free_device_allow(CGroupContext *c, CGroupDeviceAllow *a);
 void cgroup_context_free_io_device_weight(CGroupContext *c, CGroupIODeviceWeight *w);
 void cgroup_context_free_io_device_limit(CGroupContext *c, CGroupIODeviceLimit *l);
 void cgroup_context_free_io_device_latency(CGroupContext *c, CGroupIODeviceLatency *l);
+void cgroup_context_free_blockio_device_weight(CGroupContext *c, CGroupBlockIODeviceWeight *w);
+void cgroup_context_free_blockio_device_bandwidth(CGroupContext *c, CGroupBlockIODeviceBandwidth *b);
 void cgroup_context_remove_bpf_foreign_program(CGroupContext *c, CGroupBPFForeignProgram *p);
 void cgroup_context_remove_socket_bind(CGroupSocketBindItem **head);
 
@@ -388,6 +417,8 @@ static inline int cgroup_context_add_bpf_foreign_program_dup(CGroupContext *c, c
 int cgroup_context_add_io_device_limit_dup(CGroupContext *c, const CGroupIODeviceLimit *l);
 int cgroup_context_add_io_device_weight_dup(CGroupContext *c, const CGroupIODeviceWeight *w);
 int cgroup_context_add_io_device_latency_dup(CGroupContext *c, const CGroupIODeviceLatency *l);
+int cgroup_context_add_block_io_device_weight_dup(CGroupContext *c, const CGroupBlockIODeviceWeight *w);
+int cgroup_context_add_block_io_device_bandwidth_dup(CGroupContext *c, const CGroupBlockIODeviceBandwidth *b);
 int cgroup_context_add_device_allow_dup(CGroupContext *c, const CGroupDeviceAllow *a);
 int cgroup_context_add_socket_bind_item_allow_dup(CGroupContext *c, const CGroupSocketBindItem *i);
 int cgroup_context_add_socket_bind_item_deny_dup(CGroupContext *c, const CGroupSocketBindItem *i);
@@ -407,6 +438,7 @@ void unit_invalidate_cgroup_members_masks(Unit *u);
 
 void unit_add_family_to_cgroup_realize_queue(Unit *u);
 
+const char* unit_get_realized_cgroup_path(Unit *u, CGroupMask mask);
 int unit_default_cgroup_path(const Unit *u, char **ret);
 int unit_set_cgroup_path(Unit *u, const char *path);
 int unit_pick_cgroup_path(Unit *u);

src/core/dbus-cgroup.c

@@ -35,8 +35,6 @@ static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_cgroup_device_policy, cgroup_de
 static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_managed_oom_mode, managed_oom_mode, ManagedOOMMode);
 static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_managed_oom_preference, managed_oom_preference, ManagedOOMPreference);
 
-static BUS_DEFINE_PROPERTY_GET_GLOBAL(property_get_blockio_ast, "a(st)", 0);
-
 static int property_get_cgroup_mask(
                 sd_bus *bus,
                 const char *path,
@@ -198,6 +196,72 @@ static int property_get_io_device_latency(
         return sd_bus_message_close_container(reply);
 }
 
+static int property_get_blockio_device_weight(
+                sd_bus *bus,
+                const char *path,
+                const char *interface,
+                const char *property,
+                sd_bus_message *reply,
+                void *userdata,
+                sd_bus_error *error) {
+
+        CGroupContext *c = ASSERT_PTR(userdata);
+        int r;
+
+        assert(bus);
+        assert(reply);
+
+        r = sd_bus_message_open_container(reply, 'a', "(st)");
+        if (r < 0)
+                return r;
+
+        LIST_FOREACH(device_weights, w, c->blockio_device_weights) {
+                r = sd_bus_message_append(reply, "(st)", w->path, w->weight);
+                if (r < 0)
+                        return r;
+        }
+
+        return sd_bus_message_close_container(reply);
+}
+
+static int property_get_blockio_device_bandwidths(
+                sd_bus *bus,
+                const char *path,
+                const char *interface,
+                const char *property,
+                sd_bus_message *reply,
+                void *userdata,
+                sd_bus_error *error) {
+
+        CGroupContext *c = ASSERT_PTR(userdata);
+        int r;
+
+        assert(bus);
+        assert(reply);
+
+        r = sd_bus_message_open_container(reply, 'a', "(st)");
+        if (r < 0)
+                return r;
+
+        LIST_FOREACH(device_bandwidths, b, c->blockio_device_bandwidths) {
+                uint64_t v;
+
+                if (streq(property, "BlockIOReadBandwidth"))
+                        v = b->rbps;
+                else
+                        v = b->wbps;
+
+                if (v == CGROUP_LIMIT_MAX)
+                        continue;
+
+                r = sd_bus_message_append(reply, "(st)", b->path, v);
+                if (r < 0)
+                        return r;
+        }
+
+        return sd_bus_message_close_container(reply);
+}
+
 static int property_get_device_allow(
                 sd_bus *bus,
                 const char *path,
@@ -386,6 +450,8 @@ const sd_bus_vtable bus_cgroup_vtable[] = {
         SD_BUS_PROPERTY("CPUAccounting", "b", bus_property_get_bool, offsetof(CGroupContext, cpu_accounting), 0),
         SD_BUS_PROPERTY("CPUWeight", "t", NULL, offsetof(CGroupContext, cpu_weight), 0),
         SD_BUS_PROPERTY("StartupCPUWeight", "t", NULL, offsetof(CGroupContext, startup_cpu_weight), 0),
+        SD_BUS_PROPERTY("CPUShares", "t", NULL, offsetof(CGroupContext, cpu_shares), 0),
+        SD_BUS_PROPERTY("StartupCPUShares", "t", NULL, offsetof(CGroupContext, startup_cpu_shares), 0),
         SD_BUS_PROPERTY("CPUQuotaPerSecUSec", "t", bus_property_get_usec, offsetof(CGroupContext, cpu_quota_per_sec_usec), 0),
         SD_BUS_PROPERTY("CPUQuotaPeriodUSec", "t", bus_property_get_usec, offsetof(CGroupContext, cpu_quota_period_usec), 0),
         SD_BUS_PROPERTY("AllowedCPUs", "ay", property_get_cpuset, offsetof(CGroupContext, cpuset_cpus), 0),
@@ -401,6 +467,12 @@ const sd_bus_vtable bus_cgroup_vtable[] = {
         SD_BUS_PROPERTY("IOReadIOPSMax", "a(st)", property_get_io_device_limits, 0, 0),
         SD_BUS_PROPERTY("IOWriteIOPSMax", "a(st)", property_get_io_device_limits, 0, 0),
         SD_BUS_PROPERTY("IODeviceLatencyTargetUSec", "a(st)", property_get_io_device_latency, 0, 0),
+        SD_BUS_PROPERTY("BlockIOAccounting", "b", bus_property_get_bool, offsetof(CGroupContext, blockio_accounting), 0),
+        SD_BUS_PROPERTY("BlockIOWeight", "t", NULL, offsetof(CGroupContext, blockio_weight), 0),
+        SD_BUS_PROPERTY("StartupBlockIOWeight", "t", NULL, offsetof(CGroupContext, startup_blockio_weight), 0),
+        SD_BUS_PROPERTY("BlockIODeviceWeight", "a(st)", property_get_blockio_device_weight, 0, 0),
+        SD_BUS_PROPERTY("BlockIOReadBandwidth", "a(st)", property_get_blockio_device_bandwidths, 0, 0),
+        SD_BUS_PROPERTY("BlockIOWriteBandwidth", "a(st)", property_get_blockio_device_bandwidths, 0, 0),
         SD_BUS_PROPERTY("MemoryAccounting", "b", bus_property_get_bool, offsetof(CGroupContext, memory_accounting), 0),
         SD_BUS_PROPERTY("DefaultMemoryLow", "t", NULL, offsetof(CGroupContext, default_memory_low), 0),
         SD_BUS_PROPERTY("DefaultStartupMemoryLow", "t", NULL, offsetof(CGroupContext, default_startup_memory_low), 0),
@@ -417,6 +489,7 @@ const sd_bus_vtable bus_cgroup_vtable[] = {
         SD_BUS_PROPERTY("MemoryZSwapMax", "t", NULL, offsetof(CGroupContext, memory_zswap_max), 0),
         SD_BUS_PROPERTY("StartupMemoryZSwapMax", "t", NULL, offsetof(CGroupContext, startup_memory_zswap_max), 0),
         SD_BUS_PROPERTY("MemoryZSwapWriteback", "b", bus_property_get_bool, offsetof(CGroupContext, memory_zswap_writeback), 0),
+        SD_BUS_PROPERTY("MemoryLimit", "t", NULL, offsetof(CGroupContext, memory_limit), 0),
         SD_BUS_PROPERTY("DevicePolicy", "s", property_get_cgroup_device_policy, offsetof(CGroupContext, device_policy), 0),
         SD_BUS_PROPERTY("DeviceAllow", "a(ss)", property_get_device_allow, 0, 0),
         SD_BUS_PROPERTY("TasksAccounting", "b", bus_property_get_bool, offsetof(CGroupContext, tasks_accounting), 0),
@@ -440,16 +513,6 @@ const sd_bus_vtable bus_cgroup_vtable[] = {
         SD_BUS_PROPERTY("MemoryPressureThresholdUSec", "t", bus_property_get_usec, offsetof(CGroupContext, memory_pressure_threshold_usec), 0),
         SD_BUS_PROPERTY("NFTSet", "a(iiss)", property_get_cgroup_nft_set, 0, 0),
         SD_BUS_PROPERTY("CoredumpReceive", "b", bus_property_get_bool, offsetof(CGroupContext, coredump_receive), 0),
-        /* deprecated cgroup v1 properties */
-        SD_BUS_PROPERTY("MemoryLimit", "t", bus_property_get_uint64_max, 0, SD_BUS_VTABLE_DEPRECATED|SD_BUS_VTABLE_HIDDEN),
-        SD_BUS_PROPERTY("CPUShares", "t", bus_property_get_uint64_max, 0, SD_BUS_VTABLE_DEPRECATED|SD_BUS_VTABLE_HIDDEN),
-        SD_BUS_PROPERTY("StartupCPUShares", "t", bus_property_get_uint64_max, 0, SD_BUS_VTABLE_DEPRECATED|SD_BUS_VTABLE_HIDDEN),
-        SD_BUS_PROPERTY("BlockIOAccounting", "b", bus_property_get_bool_false, 0, SD_BUS_VTABLE_DEPRECATED|SD_BUS_VTABLE_HIDDEN),
-        SD_BUS_PROPERTY("BlockIOWeight", "t", bus_property_get_uint64_max, 0, SD_BUS_VTABLE_DEPRECATED|SD_BUS_VTABLE_HIDDEN),
-        SD_BUS_PROPERTY("StartupBlockIOWeight", "t", bus_property_get_uint64_max, 0, SD_BUS_VTABLE_DEPRECATED|SD_BUS_VTABLE_HIDDEN),
-        SD_BUS_PROPERTY("BlockIODeviceWeight", "a(st)", property_get_blockio_ast, 0, SD_BUS_VTABLE_DEPRECATED|SD_BUS_VTABLE_HIDDEN),
-        SD_BUS_PROPERTY("BlockIOReadBandwidth", "a(st)", property_get_blockio_ast, 0, SD_BUS_VTABLE_DEPRECATED|SD_BUS_VTABLE_HIDDEN),
-        SD_BUS_PROPERTY("BlockIOWriteBandwidth", "a(st)", property_get_blockio_ast, 0, SD_BUS_VTABLE_DEPRECATED|SD_BUS_VTABLE_HIDDEN),
         SD_BUS_VTABLE_END
 };
 
@@ -714,6 +777,17 @@ static int bus_cgroup_set_transient_property(
                                 return r;
 
                         unit_write_setting(u, flags, name, buf);
+
+                        if (c->bpf_foreign_programs) {
+                                r = bpf_foreign_supported();
+                                if (r < 0)
+                                        return r;
+                                if (r == 0)
+                                        log_full(LOG_DEBUG,
+                                                 "Transient unit %s configures a BPF program pinned to BPF "
+                                                 "filesystem, but the local system does not support that.\n"
+                                                 "Starting this unit will fail!", u->id);
+                        }
                 }
 
                 return 1;
@@ -919,7 +993,9 @@ static int bus_cgroup_set_boolean(
         }
 
 DISABLE_WARNING_TYPE_LIMITS;
+BUS_DEFINE_SET_CGROUP_WEIGHT(cpu_shares, CGROUP_MASK_CPU, CGROUP_CPU_SHARES_IS_OK, CGROUP_CPU_SHARES_INVALID);
 BUS_DEFINE_SET_CGROUP_WEIGHT(io_weight, CGROUP_MASK_IO, CGROUP_WEIGHT_IS_OK, CGROUP_WEIGHT_INVALID);
+BUS_DEFINE_SET_CGROUP_WEIGHT(blockio_weight, CGROUP_MASK_BLKIO, CGROUP_BLKIO_WEIGHT_IS_OK, CGROUP_BLKIO_WEIGHT_INVALID);
 BUS_DEFINE_SET_CGROUP_LIMIT(memory, CGROUP_MASK_MEMORY, physical_memory_scale, 1);
 BUS_DEFINE_SET_CGROUP_LIMIT(memory_protection, CGROUP_MASK_MEMORY, physical_memory_scale, 0);
 BUS_DEFINE_SET_CGROUP_LIMIT(swap, CGROUP_MASK_MEMORY, physical_memory_scale, 0);
@@ -1051,6 +1127,12 @@ int bus_cgroup_set_property(
         if (streq(name, "StartupCPUWeight"))
                 return bus_cgroup_set_cpu_weight(u, name, &c->startup_cpu_weight, message, flags, error);
 
+        if (streq(name, "CPUShares"))
+                return bus_cgroup_set_cpu_shares(u, name, &c->cpu_shares, message, flags, error);
+
+        if (streq(name, "StartupCPUShares"))
+                return bus_cgroup_set_cpu_shares(u, name, &c->startup_cpu_shares, message, flags, error);
+
         if (streq(name, "IOAccounting"))
                 return bus_cgroup_set_boolean(u, name, &c->io_accounting, CGROUP_MASK_IO, message, flags, error);
 
@@ -1060,6 +1142,15 @@ int bus_cgroup_set_property(
         if (streq(name, "StartupIOWeight"))
                 return bus_cgroup_set_io_weight(u, name, &c->startup_io_weight, message, flags, error);
 
+        if (streq(name, "BlockIOAccounting"))
+                return bus_cgroup_set_boolean(u, name, &c->blockio_accounting, CGROUP_MASK_BLKIO, message, flags, error);
+
+        if (streq(name, "BlockIOWeight"))
+                return bus_cgroup_set_blockio_weight(u, name, &c->blockio_weight, message, flags, error);
+
+        if (streq(name, "StartupBlockIOWeight"))
+                return bus_cgroup_set_blockio_weight(u, name, &c->startup_blockio_weight, message, flags, error);
+
         if (streq(name, "MemoryAccounting"))
                 return bus_cgroup_set_boolean(u, name, &c->memory_accounting, CGROUP_MASK_MEMORY, message, flags, error);
 
@@ -1145,6 +1236,9 @@ int bus_cgroup_set_property(
                 return r;
         }
 
+        if (streq(name, "MemoryLimit"))
+                return bus_cgroup_set_memory(u, name, &c->memory_limit, message, flags, error);
+
         if (streq(name, "MemoryMinScale")) {
                 r = bus_cgroup_set_memory_protection_scale(u, name, &c->memory_min, message, flags, error);
                 if (r > 0)
@@ -1185,6 +1279,9 @@ int bus_cgroup_set_property(
         if (streq(name, "MemoryMaxScale"))
                 return bus_cgroup_set_memory_scale(u, name, &c->memory_max, message, flags, error);
 
+        if (streq(name, "MemoryLimitScale"))
+                return bus_cgroup_set_memory_scale(u, name, &c->memory_limit, message, flags, error);
+
         if (streq(name, "MemoryZSwapWriteback"))
                 return bus_cgroup_set_boolean(u, name, &c->memory_zswap_writeback, CGROUP_MASK_MEMORY, message, flags, error);
 
@@ -1525,6 +1622,180 @@ int bus_cgroup_set_property(
 
                 return 1;
 
+        } else if (STR_IN_SET(name, "BlockIOReadBandwidth", "BlockIOWriteBandwidth")) {
+                const char *path;
+                unsigned n = 0;
+                uint64_t u64;
+                bool read;
+
+                read = streq(name, "BlockIOReadBandwidth");
+
+                r = sd_bus_message_enter_container(message, 'a', "(st)");
+                if (r < 0)
+                        return r;
+
+                while ((r = sd_bus_message_read(message, "(st)", &path, &u64)) > 0) {
+
+                        if (!path_is_normalized(path))
+                                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Path '%s' specified in %s= is not normalized.", name, path);
+
+                        if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
+                                CGroupBlockIODeviceBandwidth *a = NULL;
+
+                                LIST_FOREACH(device_bandwidths, b, c->blockio_device_bandwidths)
+                                        if (path_equal(path, b->path)) {
+                                                a = b;
+                                                break;
+                                        }
+
+                                if (!a) {
+                                        a = new0(CGroupBlockIODeviceBandwidth, 1);
+                                        if (!a)
+                                                return -ENOMEM;
+
+                                        a->rbps = CGROUP_LIMIT_MAX;
+                                        a->wbps = CGROUP_LIMIT_MAX;
+                                        a->path = strdup(path);
+                                        if (!a->path) {
+                                                free(a);
+                                                return -ENOMEM;
+                                        }
+
+                                        LIST_APPEND(device_bandwidths, c->blockio_device_bandwidths, a);
+                                }
+
+                                if (read)
+                                        a->rbps = u64;
+                                else
+                                        a->wbps = u64;
+                        }
+
+                        n++;
+                }
+                if (r < 0)
+                        return r;
+
+                r = sd_bus_message_exit_container(message);
+                if (r < 0)
+                        return r;
+
+                if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
+                        _cleanup_(memstream_done) MemStream m = {};
+                        _cleanup_free_ char *buf = NULL;
+                        FILE *f;
+
+                        if (n == 0)
+                                LIST_FOREACH(device_bandwidths, a, c->blockio_device_bandwidths) {
+                                        if (read)
+                                                a->rbps = CGROUP_LIMIT_MAX;
+                                        else
+                                                a->wbps = CGROUP_LIMIT_MAX;
+                                }
+
+                        unit_invalidate_cgroup(u, CGROUP_MASK_BLKIO);
+
+                        f = memstream_init(&m);
+                        if (!f)
+                                return -ENOMEM;
+
+                        if (read) {
+                                fputs("BlockIOReadBandwidth=\n", f);
+                                LIST_FOREACH(device_bandwidths, a, c->blockio_device_bandwidths)
+                                        if (a->rbps != CGROUP_LIMIT_MAX)
+                                                fprintf(f, "BlockIOReadBandwidth=%s %" PRIu64 "\n", a->path, a->rbps);
+                        } else {
+                                fputs("BlockIOWriteBandwidth=\n", f);
+                                LIST_FOREACH(device_bandwidths, a, c->blockio_device_bandwidths)
+                                        if (a->wbps != CGROUP_LIMIT_MAX)
+                                                fprintf(f, "BlockIOWriteBandwidth=%s %" PRIu64 "\n", a->path, a->wbps);
+                        }
+
+                        r = memstream_finalize(&m, &buf, NULL);
+                        if (r < 0)
+                                return r;
+
+                        unit_write_setting(u, flags, name, buf);
+                }
+
+                return 1;
+
+        } else if (streq(name, "BlockIODeviceWeight")) {
+                const char *path;
+                uint64_t weight;
+                unsigned n = 0;
+
+                r = sd_bus_message_enter_container(message, 'a', "(st)");
+                if (r < 0)
+                        return r;
+
+                while ((r = sd_bus_message_read(message, "(st)", &path, &weight)) > 0) {
+
+                        if (!path_is_normalized(path))
+                                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Path '%s' specified in %s= is not normalized.", name, path);
+
+                        if (!CGROUP_BLKIO_WEIGHT_IS_OK(weight) || weight == CGROUP_BLKIO_WEIGHT_INVALID)
+                                return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS, "BlockIODeviceWeight= out of range");
+
+                        if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
+                                CGroupBlockIODeviceWeight *a = NULL;
+
+                                LIST_FOREACH(device_weights, b, c->blockio_device_weights)
+                                        if (path_equal(b->path, path)) {
+                                                a = b;
+                                                break;
+                                        }
+
+                                if (!a) {
+                                        a = new0(CGroupBlockIODeviceWeight, 1);
+                                        if (!a)
+                                                return -ENOMEM;
+
+                                        a->path = strdup(path);
+                                        if (!a->path) {
+                                                free(a);
+                                                return -ENOMEM;
+                                        }
+                                        LIST_APPEND(device_weights, c->blockio_device_weights, a);
+                                }
+
+                                a->weight = weight;
+                        }
+
+                        n++;
+                }
+
+                r = sd_bus_message_exit_container(message);
+                if (r < 0)
+                        return r;
+
+                if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
+                        _cleanup_(memstream_done) MemStream m = {};
+                        _cleanup_free_ char *buf = NULL;
+                        FILE *f;
+
+                        if (n == 0)
+                                while (c->blockio_device_weights)
+                                        cgroup_context_free_blockio_device_weight(c, c->blockio_device_weights);
+
+                        unit_invalidate_cgroup(u, CGROUP_MASK_BLKIO);
+
+                        f = memstream_init(&m);
+                        if (!f)
+                                return -ENOMEM;
+
+                        fputs("BlockIODeviceWeight=\n", f);
+                        LIST_FOREACH(device_weights, a, c->blockio_device_weights)
+                                fprintf(f, "BlockIODeviceWeight=%s %" PRIu64 "\n", a->path, a->weight);
+
+                        r = memstream_finalize(&m, &buf, NULL);
+                        if (r < 0)
+                                return r;
+
+                        unit_write_setting(u, flags, name, buf);
+                }
+
+                return 1;
+
         } else if (streq(name, "DevicePolicy")) {
                 const char *policy;
                 CGroupDevicePolicy p;
@@ -2048,26 +2319,6 @@ int bus_cgroup_set_property(
                 return 1;
         }
 
-        /* deprecated CGroup v1 properties */
-        if (STR_IN_SET(name,
-                       "MemoryLimit",
-                       "MemoryLimitScale",
-                       "CPUShares",
-                       "StartupCPUShares",
-                       "BlockIOAccounting",
-                       "BlockIOWeight",
-                       "StartupBlockIOWeight",
-                       "BlockIODeviceWeight",
-                       "BlockIOReadBandwidth",
-                       "BlockIOWriteBandwidth")) {
-
-                r = sd_bus_message_skip(message, NULL);
-                if (r < 0)
-                        return r;
-
-                return 1;
-        }
-
         /* must be last */
         if (streq(name, "DisableControllers") || (u->transient && u->load_state == UNIT_STUB))
                 return bus_cgroup_set_transient_property(u, c, name, message, flags, error);

src/core/dbus-manager.c

@@ -3057,6 +3057,7 @@ const sd_bus_vtable bus_manager_vtable[] = {
         SD_BUS_PROPERTY("DefaultStartLimitInterval", "t", bus_property_get_usec, offsetof(Manager, defaults.start_limit.interval), SD_BUS_VTABLE_PROPERTY_CONST|SD_BUS_VTABLE_HIDDEN),
         SD_BUS_PROPERTY("DefaultStartLimitBurst", "u", bus_property_get_unsigned, offsetof(Manager, defaults.start_limit.burst), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("DefaultCPUAccounting", "b", bus_property_get_bool, offsetof(Manager, defaults.cpu_accounting), SD_BUS_VTABLE_PROPERTY_CONST),
+        SD_BUS_PROPERTY("DefaultBlockIOAccounting", "b", bus_property_get_bool, offsetof(Manager, defaults.blockio_accounting), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("DefaultIOAccounting", "b", bus_property_get_bool, offsetof(Manager, defaults.io_accounting), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("DefaultIPAccounting", "b", bus_property_get_bool, offsetof(Manager, defaults.ip_accounting), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("DefaultMemoryAccounting", "b", bus_property_get_bool, offsetof(Manager, defaults.memory_accounting), SD_BUS_VTABLE_PROPERTY_CONST),
@@ -3101,8 +3102,6 @@ const sd_bus_vtable bus_manager_vtable[] = {
         SD_BUS_PROPERTY("DefaultOOMScoreAdjust", "i", property_get_oom_score_adjust, 0, SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("CtrlAltDelBurstAction", "s", bus_property_get_emergency_action, offsetof(Manager, cad_burst_action), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("SoftRebootsCount", "u", bus_property_get_unsigned, offsetof(Manager, soft_reboots_count), SD_BUS_VTABLE_PROPERTY_CONST),
-        /* deprecated cgroup v1 property */
-        SD_BUS_PROPERTY("DefaultBlockIOAccounting", "b", bus_property_get_bool_false, 0, SD_BUS_VTABLE_PROPERTY_CONST|SD_BUS_VTABLE_DEPRECATED|SD_BUS_VTABLE_HIDDEN),
 
         SD_BUS_METHOD_WITH_ARGS("GetUnit",
                                 SD_BUS_ARGS("s", name),

src/core/exec-invoke.c

@@ -4967,7 +4967,7 @@ int exec_invoke(
                         return log_exec_error_errno(context, params, r, "Failed to acquire cgroup path: %m");
                 }
 
-                r = cg_attach(p, 0);
+                r = cg_attach_everywhere(params->cgroup_supported, p, 0);
                 if (r == -EUCLEAN) {
                         *exit_status = EXIT_CGROUP;
                         return log_exec_error_errno(context, params, r,
@@ -5190,7 +5190,7 @@ int exec_invoke(
                 if (params->flags & EXEC_CGROUP_DELEGATE) {
                         _cleanup_free_ char *p = NULL;
 
-                        r = cg_set_access(params->cgroup_path, uid, gid);
+                        r = cg_set_access(SYSTEMD_CGROUP_CONTROLLER, params->cgroup_path, uid, gid);
                         if (r < 0) {
                                 *exit_status = EXIT_CGROUP;
                                 return log_exec_error_errno(context, params, r, "Failed to adjust control group access: %m");
@@ -5202,7 +5202,7 @@ int exec_invoke(
                                 return log_exec_error_errno(context, params, r, "Failed to acquire cgroup path: %m");
                         }
                         if (r > 0) {
-                                r = cg_set_access_recursive(p, uid, gid);
+                                r = cg_set_access_recursive(SYSTEMD_CGROUP_CONTROLLER, p, uid, gid);
                                 if (r < 0) {
                                         *exit_status = EXIT_CGROUP;
                                         return log_exec_error_errno(context, params, r, "Failed to adjust control subgroup access: %m");
@@ -5210,7 +5210,7 @@ int exec_invoke(
                         }
                 }
 
-                if (is_pressure_supported() > 0) {
+                if (cg_unified() > 0 && is_pressure_supported() > 0) {
                         if (cgroup_context_want_memory_pressure(cgroup_context)) {
                                 r = cg_get_path("memory", params->cgroup_path, "memory.pressure", &memory_pressure_path);
                                 if (r < 0) {

src/core/execute-serialize.c

@@ -40,6 +40,10 @@ static int exec_cgroup_context_serialize(const CGroupContext *c, FILE *f) {
         if (r < 0)
                 return r;
 
+        r = serialize_bool_elide(f, "exec-cgroup-context-block-io-accounting", c->blockio_accounting);
+        if (r < 0)
+                return r;
+
         r = serialize_bool_elide(f, "exec-cgroup-context-memory-accounting", c->memory_accounting);
         if (r < 0)
                 return r;
@@ -68,6 +72,18 @@ static int exec_cgroup_context_serialize(const CGroupContext *c, FILE *f) {
                         return r;
         }
 
+        if (c->cpu_shares != CGROUP_CPU_SHARES_INVALID) {
+                r = serialize_item_format(f, "exec-cgroup-context-cpu-shares", "%" PRIu64, c->cpu_shares);
+                if (r < 0)
+                        return r;
+        }
+
+        if (c->startup_cpu_shares != CGROUP_CPU_SHARES_INVALID) {
+                r = serialize_item_format(f, "exec-cgroup-context-startup-cpu-shares", "%" PRIu64, c->startup_cpu_shares);
+                if (r < 0)
+                        return r;
+        }
+
         if (c->cpu_quota_per_sec_usec != USEC_INFINITY) {
                 r = serialize_usec(f, "exec-cgroup-context-cpu-quota-per-sec-usec", c->cpu_quota_per_sec_usec);
                 if (r < 0)
@@ -124,6 +140,18 @@ static int exec_cgroup_context_serialize(const CGroupContext *c, FILE *f) {
                         return r;
         }
 
+        if (c->blockio_weight != CGROUP_BLKIO_WEIGHT_INVALID) {
+                r = serialize_item_format(f, "exec-cgroup-context-block-io-weight", "%" PRIu64, c->blockio_weight);
+                if (r < 0)
+                        return r;
+        }
+
+        if (c->startup_blockio_weight != CGROUP_BLKIO_WEIGHT_INVALID) {
+                r = serialize_item_format(f, "exec-cgroup-context-startup-block-io-weight", "%" PRIu64, c->startup_blockio_weight);
+                if (r < 0)
+                        return r;
+        }
+
         if (c->default_memory_min > 0) {
                 r = serialize_item_format(f, "exec-cgroup-context-default-memory-min", "%" PRIu64, c->default_memory_min);
                 if (r < 0)
@@ -206,6 +234,12 @@ static int exec_cgroup_context_serialize(const CGroupContext *c, FILE *f) {
         if (r < 0)
                 return r;
 
+        if (c->memory_limit != CGROUP_LIMIT_MAX) {
+                r = serialize_item_format(f, "exec-cgroup-context-memory-limit", "%" PRIu64, c->memory_limit);
+                if (r < 0)
+                        return r;
+        }
+
         if (c->tasks_max.value != UINT64_MAX) {
                 r = serialize_item_format(f, "exec-cgroup-context-tasks-max-value", "%" PRIu64, c->tasks_max.value);
                 if (r < 0)
@@ -356,6 +390,31 @@ static int exec_cgroup_context_serialize(const CGroupContext *c, FILE *f) {
                                 return r;
                 }
 
+        LIST_FOREACH(device_weights, w, c->blockio_device_weights) {
+                r = serialize_item_format(f, "exec-cgroup-context-blockio-device-weight", "%s %" PRIu64,
+                                          w->path,
+                                          w->weight);
+                if (r < 0)
+                        return r;
+        }
+
+        LIST_FOREACH(device_bandwidths, b, c->blockio_device_bandwidths) {
+                if (b->rbps != CGROUP_LIMIT_MAX) {
+                        r = serialize_item_format(f, "exec-cgroup-context-blockio-read-bandwidth", "%s %" PRIu64,
+                                                  b->path,
+                                                  b->rbps);
+                        if (r < 0)
+                                return r;
+                }
+                if (b->wbps != CGROUP_LIMIT_MAX) {
+                        r = serialize_item_format(f, "exec-cgroup-context-blockio-write-bandwidth", "%s %" PRIu64,
+                                                  b->path,
+                                                  b->wbps);
+                        if (r < 0)
+                                return r;
+                }
+        }
+
         SET_FOREACH(iaai, c->ip_address_allow) {
                 r = serialize_item(f,
                                    "exec-cgroup-context-ip-address-allow",
@@ -453,6 +512,11 @@ static int exec_cgroup_context_deserialize(CGroupContext *c, FILE *f) {
                         if (r < 0)
                                 return r;
                         c->io_accounting = r;
+                } else if ((val = startswith(l, "exec-cgroup-context-block-io-accounting="))) {
+                        r = parse_boolean(val);
+                        if (r < 0)
+                                return r;
+                        c->blockio_accounting = r;
                 } else if ((val = startswith(l, "exec-cgroup-context-memory-accounting="))) {
                         r = parse_boolean(val);
                         if (r < 0)
@@ -481,6 +545,14 @@ static int exec_cgroup_context_deserialize(CGroupContext *c, FILE *f) {
                         r = safe_atou64(val, &c->startup_cpu_weight);
                         if (r < 0)
                                 return r;
+                } else if ((val = startswith(l, "exec-cgroup-context-cpu-shares="))) {
+                        r = safe_atou64(val, &c->cpu_shares);
+                        if (r < 0)
+                                return r;
+                } else if ((val = startswith(l, "exec-cgroup-context-startup-cpu-shares="))) {
+                        r = safe_atou64(val, &c->startup_cpu_shares);
+                        if (r < 0)
+                                return r;
                 } else if ((val = startswith(l, "exec-cgroup-context-cpu-quota-per-sec-usec="))) {
                         r = deserialize_usec(val, &c->cpu_quota_per_sec_usec);
                         if (r < 0)
@@ -553,6 +625,14 @@ static int exec_cgroup_context_deserialize(CGroupContext *c, FILE *f) {
                         r = safe_atou64(val, &c->startup_io_weight);
                         if (r < 0)
                                 return r;
+                } else if ((val = startswith(l, "exec-cgroup-context-block-io-weight="))) {
+                        r = safe_atou64(val, &c->blockio_weight);
+                        if (r < 0)
+                                return r;
+                } else if ((val = startswith(l, "exec-cgroup-context-startup-block-io-weight="))) {
+                        r = safe_atou64(val, &c->startup_blockio_weight);
+                        if (r < 0)
+                                return r;
                 } else if ((val = startswith(l, "exec-cgroup-context-default-memory-min="))) {
                         r = safe_atou64(val, &c->default_memory_min);
                         if (r < 0)
@@ -610,6 +690,10 @@ static int exec_cgroup_context_deserialize(CGroupContext *c, FILE *f) {
                         if (r < 0)
                                 return r;
                         c->memory_zswap_writeback = r;
+                } else if ((val = startswith(l, "exec-cgroup-context-memory-limit="))) {
+                        r = safe_atou64(val, &c->memory_limit);
+                        if (r < 0)
+                                return r;
                 } else if ((val = startswith(l, "exec-cgroup-context-tasks-max-value="))) {
                         r = safe_atou64(val, &c->tasks_max.value);
                         if (r < 0)
@@ -828,6 +912,87 @@ static int exec_cgroup_context_deserialize(CGroupContext *c, FILE *f) {
                         r = safe_atou64(limits, &limit->limits[t]);
                         if (r < 0)
                                 return r;
+                } else if ((val = startswith(l, "exec-cgroup-context-block-io-device-weight="))) {
+                        _cleanup_free_ char *path = NULL, *weight = NULL;
+                        CGroupBlockIODeviceWeight *a = NULL;
+
+                        r = extract_many_words(&val, " ", 0, &path, &weight);
+                        if (r < 0)
+                                return r;
+                        if (r != 2)
+                                return -EINVAL;
+
+                        a = new0(CGroupBlockIODeviceWeight, 1);
+                        if (!a)
+                                return log_oom_debug();
+
+                        a->path = TAKE_PTR(path);
+
+                        LIST_PREPEND(device_weights, c->blockio_device_weights, a);
+
+                        r = safe_atou64(weight, &a->weight);
+                        if (r < 0)
+                                return r;
+                } else if ((val = startswith(l, "exec-cgroup-context-block-io-read-bandwidth="))) {
+                        _cleanup_free_ char *path = NULL, *bw = NULL;
+                        CGroupBlockIODeviceBandwidth *a = NULL;
+
+                        r = extract_many_words(&val, " ", 0, &path, &bw);
+                        if (r < 0)
+                                return r;
+                        if (r != 2)
+                                return -EINVAL;
+
+                        LIST_FOREACH(device_bandwidths, b, c->blockio_device_bandwidths)
+                                if (path_equal(b->path, path)) {
+                                        a = b;
+                                        break;
+                                }
+
+                        if (!a) {
+                                a = new0(CGroupBlockIODeviceBandwidth, 1);
+                                if (!a)
+                                        return log_oom_debug();
+
+                                a->path = TAKE_PTR(path);
+                                a->wbps = CGROUP_LIMIT_MAX;
+
+                                LIST_PREPEND(device_bandwidths, c->blockio_device_bandwidths, a);
+                        }
+
+                        r = safe_atou64(bw, &a->rbps);
+                        if (r < 0)
+                                return r;
+                } else if ((val = startswith(l, "exec-cgroup-context-block-io-write-bandwidth="))) {
+                        _cleanup_free_ char *path = NULL, *bw = NULL;
+                        CGroupBlockIODeviceBandwidth *a = NULL;
+
+                        r = extract_many_words(&val, " ", 0, &path, &bw);
+                        if (r < 0)
+                                return r;
+                        if (r != 2)
+                                return -EINVAL;
+
+                        LIST_FOREACH(device_bandwidths, b, c->blockio_device_bandwidths)
+                                if (path_equal(b->path, path)) {
+                                        a = b;
+                                        break;
+                                }
+
+                        if (!a) {
+                                a = new0(CGroupBlockIODeviceBandwidth, 1);
+                                if (!a)
+                                        return log_oom_debug();
+
+                                a->path = TAKE_PTR(path);
+                                a->rbps = CGROUP_LIMIT_MAX;
+
+                                LIST_PREPEND(device_bandwidths, c->blockio_device_bandwidths, a);
+                        }
+
+                        r = safe_atou64(bw, &a->wbps);
+                        if (r < 0)
+                                return r;
                 } else if ((val = startswith(l, "exec-cgroup-context-ip-address-allow="))) {
                         struct in_addr_prefix a;
 

src/core/execute.c

@@ -508,7 +508,7 @@ int exec_spawn(
                         /* If there's a subcgroup, then let's create it here now (the main cgroup was already
                          * realized by the unit logic) */
 
-                        r = cg_create(subcgroup_path);
+                        r = cg_create(SYSTEMD_CGROUP_CONTROLLER, subcgroup_path);
                         if (r < 0)
                                 return log_unit_error_errno(unit, r, "Failed to create subcgroup '%s': %m", subcgroup_path);
                 }
@@ -576,7 +576,7 @@ int exec_spawn(
                                   "--log-level", max_log_levels,
                                   "--log-target", log_target_to_string(manager_get_executor_log_target(unit->manager))),
                         environ,
-                        subcgroup_path,
+                        cg_unified() > 0 ? subcgroup_path : NULL,
                         &pidref);
 
         /* Drop the ambient set again, so no processes other than sd-executore spawned from the manager inherit it. */
@@ -593,7 +593,7 @@ int exec_spawn(
          * executed outside of the cgroup) and in the parent (so that we can be sure that when we kill the cgroup the
          * process will be killed too). */
         if (r == 0 && subcgroup_path)
-                (void) cg_attach(subcgroup_path, pidref.pid);
+                (void) cg_attach(SYSTEMD_CGROUP_CONTROLLER, subcgroup_path, pidref.pid);
         /* r > 0: Already in the right cgroup thanks to CLONE_INTO_CGROUP */
 
         log_unit_debug(unit, "Forked %s as " PID_FMT " (%s CLONE_INTO_CGROUP)",

src/core/load-fragment-gperf.gperf.in

@@ -204,8 +204,8 @@
 {{type}}.CPUAccounting,                       config_parse_bool,                                  0,                                  offsetof({{type}}, cgroup_context.cpu_accounting)
 {{type}}.CPUWeight,                           config_parse_cg_cpu_weight,                         0,                                  offsetof({{type}}, cgroup_context.cpu_weight)
 {{type}}.StartupCPUWeight,                    config_parse_cg_cpu_weight,                         0,                                  offsetof({{type}}, cgroup_context.startup_cpu_weight)
-{{type}}.CPUShares,                           config_parse_warn_compat,                           DISABLED_LEGACY,                    0
+{{type}}.CPUShares,                           config_parse_cpu_shares,                            0,                                  offsetof({{type}}, cgroup_context.cpu_shares)
-{{type}}.StartupCPUShares,                    config_parse_warn_compat,                           DISABLED_LEGACY,                    0
+{{type}}.StartupCPUShares,                    config_parse_cpu_shares,                            0,                                  offsetof({{type}}, cgroup_context.startup_cpu_shares)
 {{type}}.CPUQuota,                            config_parse_cpu_quota,                             0,                                  offsetof({{type}}, cgroup_context)
 {{type}}.CPUQuotaPeriodSec,                   config_parse_sec_def_infinity,                      0,                                  offsetof({{type}}, cgroup_context.cpu_quota_period_usec)
 {{type}}.MemoryAccounting,                    config_parse_bool,                                  0,                                  offsetof({{type}}, cgroup_context.memory_accounting)
@@ -224,7 +224,7 @@
 {{type}}.MemoryZSwapMax,                      config_parse_memory_limit,                          0,                                  offsetof({{type}}, cgroup_context)
 {{type}}.StartupMemoryZSwapMax,               config_parse_memory_limit,                          0,                                  offsetof({{type}}, cgroup_context)
 {{type}}.MemoryZSwapWriteback,                config_parse_bool,                                  0,                                  offsetof({{type}}, cgroup_context.memory_zswap_writeback)
-{{type}}.MemoryLimit,                         config_parse_warn_compat,                           DISABLED_LEGACY,                    0
+{{type}}.MemoryLimit,                         config_parse_memory_limit,                          0,                                  offsetof({{type}}, cgroup_context)
 {{type}}.DeviceAllow,                         config_parse_device_allow,                          0,                                  offsetof({{type}}, cgroup_context)
 {{type}}.DevicePolicy,                        config_parse_device_policy,                         0,                                  offsetof({{type}}, cgroup_context.device_policy)
 {{type}}.IOAccounting,                        config_parse_bool,                                  0,                                  offsetof({{type}}, cgroup_context.io_accounting)
@@ -236,12 +236,12 @@
 {{type}}.IOReadIOPSMax,                       config_parse_io_limit,                              0,                                  offsetof({{type}}, cgroup_context)
 {{type}}.IOWriteIOPSMax,                      config_parse_io_limit,                              0,                                  offsetof({{type}}, cgroup_context)
 {{type}}.IODeviceLatencyTargetSec,            config_parse_io_device_latency,                     0,                                  offsetof({{type}}, cgroup_context)
-{{type}}.BlockIOAccounting,                   config_parse_warn_compat,                           DISABLED_LEGACY,                    0
+{{type}}.BlockIOAccounting,                   config_parse_bool,                                  0,                                  offsetof({{type}}, cgroup_context.blockio_accounting)
-{{type}}.BlockIOWeight,                       config_parse_warn_compat,                           DISABLED_LEGACY,                    0
+{{type}}.BlockIOWeight,                       config_parse_blockio_weight,                        0,                                  offsetof({{type}}, cgroup_context.blockio_weight)
-{{type}}.StartupBlockIOWeight,                config_parse_warn_compat,                           DISABLED_LEGACY,                    0
+{{type}}.StartupBlockIOWeight,                config_parse_blockio_weight,                        0,                                  offsetof({{type}}, cgroup_context.startup_blockio_weight)
-{{type}}.BlockIODeviceWeight,                 config_parse_warn_compat,                           DISABLED_LEGACY,                    0
+{{type}}.BlockIODeviceWeight,                 config_parse_blockio_device_weight,                 0,                                  offsetof({{type}}, cgroup_context)
-{{type}}.BlockIOReadBandwidth,                config_parse_warn_compat,                           DISABLED_LEGACY,                    0
+{{type}}.BlockIOReadBandwidth,                config_parse_blockio_bandwidth,                     0,                                  offsetof({{type}}, cgroup_context)
-{{type}}.BlockIOWriteBandwidth,               config_parse_warn_compat,                           DISABLED_LEGACY,                    0
+{{type}}.BlockIOWriteBandwidth,               config_parse_blockio_bandwidth,                     0,                                  offsetof({{type}}, cgroup_context)
 {{type}}.TasksAccounting,                     config_parse_bool,                                  0,                                  offsetof({{type}}, cgroup_context.tasks_accounting)
 {{type}}.TasksMax,                            config_parse_tasks_max,                             0,                                  offsetof({{type}}, cgroup_context.tasks_max)
 {{type}}.Delegate,                            config_parse_delegate,                              0,                                  offsetof({{type}}, cgroup_context)

src/core/load-fragment.c

@@ -153,13 +153,38 @@ DEFINE_CONFIG_PARSE_ENUM(config_parse_oom_policy, oom_policy, OOMPolicy);
 DEFINE_CONFIG_PARSE_ENUM(config_parse_managed_oom_preference, managed_oom_preference, ManagedOOMPreference);
 DEFINE_CONFIG_PARSE_ENUM(config_parse_memory_pressure_watch, cgroup_pressure_watch, CGroupPressureWatch);
 DEFINE_CONFIG_PARSE_ENUM_WITH_DEFAULT(config_parse_ip_tos, ip_tos, int, -1);
+DEFINE_CONFIG_PARSE_PTR(config_parse_blockio_weight, cg_blkio_weight_parse, uint64_t);
 DEFINE_CONFIG_PARSE_PTR(config_parse_cg_weight, cg_weight_parse, uint64_t);
 DEFINE_CONFIG_PARSE_PTR(config_parse_cg_cpu_weight, cg_cpu_weight_parse, uint64_t);
+static DEFINE_CONFIG_PARSE_PTR(config_parse_cpu_shares_internal, cg_cpu_shares_parse, uint64_t);
 DEFINE_CONFIG_PARSE_PTR(config_parse_exec_mount_propagation_flag, mount_propagation_flag_from_string, unsigned long);
 DEFINE_CONFIG_PARSE_ENUM_WITH_DEFAULT(config_parse_numa_policy, mpol, int, -1);
 DEFINE_CONFIG_PARSE_ENUM(config_parse_status_unit_format, status_unit_format, StatusUnitFormat);
 DEFINE_CONFIG_PARSE_ENUM_FULL(config_parse_socket_timestamping, socket_timestamping_from_string_harder, SocketTimestamping);
 
+int config_parse_cpu_shares(
+                const char *unit,
+                const char *filename,
+                unsigned line,
+                const char *section,
+                unsigned section_line,
+                const char *lvalue,
+                int ltype,
+                const char *rvalue,
+                void *data,
+                void *userdata) {
+
+        assert(filename);
+        assert(lvalue);
+        assert(rvalue);
+
+        log_syntax(unit, LOG_WARNING, filename, line, 0,
+                   "Unit uses %s=; please use CPUWeight= instead. Support for %s= will be removed soon.",
+                   lvalue, lvalue);
+
+        return config_parse_cpu_shares_internal(unit, filename, line, section, section_line, lvalue, ltype, rvalue, data, userdata);
+}
+
 bool contains_instance_specifier_superset(const char *s) {
         const char *p, *q;
         bool percent = false;
@@ -3874,6 +3899,10 @@ int config_parse_memory_limit(
         else if (streq(lvalue, "StartupMemoryZSwapMax")) {
                 c->startup_memory_zswap_max = bytes;
                 c->startup_memory_zswap_max_set = true;
+        } else if (streq(lvalue, "MemoryLimit")) {
+                log_syntax(unit, LOG_WARNING, filename, line, 0,
+                           "Unit uses MemoryLimit=; please use MemoryMax= instead. Support for MemoryLimit= will be removed soon.");
+                c->memory_limit = bytes;
         } else
                 return -EINVAL;
 
@@ -4448,6 +4477,177 @@ int config_parse_io_limit(
         return 0;
 }
 
+int config_parse_blockio_device_weight(
+                const char *unit,
+                const char *filename,
+                unsigned line,
+                const char *section,
+                unsigned section_line,
+                const char *lvalue,
+                int ltype,
+                const char *rvalue,
+                void *data,
+                void *userdata) {
+
+        _cleanup_free_ char *path = NULL, *resolved = NULL;
+        CGroupBlockIODeviceWeight *w;
+        CGroupContext *c = data;
+        const char *p = ASSERT_PTR(rvalue);
+        uint64_t u;
+        int r;
+
+        assert(filename);
+        assert(lvalue);
+
+        log_syntax(unit, LOG_WARNING, filename, line, 0,
+                   "Unit uses %s=; please use IO*= settings instead. Support for %s= will be removed soon.",
+                   lvalue, lvalue);
+
+        if (isempty(rvalue)) {
+                while (c->blockio_device_weights)
+                        cgroup_context_free_blockio_device_weight(c, c->blockio_device_weights);
+
+                return 0;
+        }
+
+        r = extract_first_word(&p, &path, NULL, EXTRACT_UNQUOTE);
+        if (r == -ENOMEM)
+                return log_oom();
+        if (r < 0) {
+                log_syntax(unit, LOG_WARNING, filename, line, r,
+                           "Failed to extract device node and weight from '%s', ignoring.", rvalue);
+                return 0;
+        }
+        if (r == 0 || isempty(p)) {
+                log_syntax(unit, LOG_WARNING, filename, line, 0,
+                           "Invalid device node or weight specified in '%s', ignoring.", rvalue);
+                return 0;
+        }
+
+        r = unit_path_printf(userdata, path, &resolved);
+        if (r < 0) {
+                log_syntax(unit, LOG_WARNING, filename, line, r,
+                           "Failed to resolve unit specifiers in '%s', ignoring: %m", path);
+                return 0;
+        }
+
+        r = path_simplify_and_warn(resolved, 0, unit, filename, line, lvalue);
+        if (r < 0)
+                return 0;
+
+        r = cg_blkio_weight_parse(p, &u);
+        if (r < 0) {
+                log_syntax(unit, LOG_WARNING, filename, line, r, "Invalid block IO weight '%s', ignoring: %m", p);
+                return 0;
+        }
+
+        assert(u != CGROUP_BLKIO_WEIGHT_INVALID);
+
+        w = new0(CGroupBlockIODeviceWeight, 1);
+        if (!w)
+                return log_oom();
+
+        w->path = TAKE_PTR(resolved);
+        w->weight = u;
+
+        LIST_APPEND(device_weights, c->blockio_device_weights, w);
+        return 0;
+}
+
+int config_parse_blockio_bandwidth(
+                const char *unit,
+                const char *filename,
+                unsigned line,
+                const char *section,
+                unsigned section_line,
+                const char *lvalue,
+                int ltype,
+                const char *rvalue,
+                void *data,
+                void *userdata) {
+
+        _cleanup_free_ char *path = NULL, *resolved = NULL;
+        CGroupBlockIODeviceBandwidth *b = NULL;
+        CGroupContext *c = data;
+        const char *p = ASSERT_PTR(rvalue);
+        uint64_t bytes;
+        bool read;
+        int r;
+
+        assert(filename);
+        assert(lvalue);
+
+        log_syntax(unit, LOG_WARNING, filename, line, 0,
+                   "Unit uses %s=; please use IO*= settings instead. Support for %s= will be removed soon.",
+                   lvalue, lvalue);
+
+        read = streq("BlockIOReadBandwidth", lvalue);
+
+        if (isempty(rvalue)) {
+                LIST_FOREACH(device_bandwidths, t, c->blockio_device_bandwidths) {
+                        t->rbps = CGROUP_LIMIT_MAX;
+                        t->wbps = CGROUP_LIMIT_MAX;
+                }
+                return 0;
+        }
+
+        r = extract_first_word(&p, &path, NULL, EXTRACT_UNQUOTE);
+        if (r == -ENOMEM)
+                return log_oom();
+        if (r < 0) {
+                log_syntax(unit, LOG_WARNING, filename, line, r,
+                           "Failed to extract device node and bandwidth from '%s', ignoring.", rvalue);
+                return 0;
+        }
+        if (r == 0 || isempty(p)) {
+                log_syntax(unit, LOG_WARNING, filename, line, 0,
+                           "Invalid device node or bandwidth specified in '%s', ignoring.", rvalue);
+                return 0;
+        }
+
+        r = unit_path_printf(userdata, path, &resolved);
+        if (r < 0) {
+                log_syntax(unit, LOG_WARNING, filename, line, r,
+                           "Failed to resolve unit specifiers in '%s', ignoring: %m", path);
+                return 0;
+        }
+
+        r = path_simplify_and_warn(resolved, 0, unit, filename, line, lvalue);
+        if (r < 0)
+                return 0;
+
+        r = parse_size(p, 1000, &bytes);
+        if (r < 0 || bytes <= 0) {
+                log_syntax(unit, LOG_WARNING, filename, line, r, "Invalid Block IO Bandwidth '%s', ignoring.", p);
+                return 0;
+        }
+
+        LIST_FOREACH(device_bandwidths, t, c->blockio_device_bandwidths)
+                if (path_equal(resolved, t->path)) {
+                        b = t;
+                        break;
+                }
+
+        if (!b) {
+                b = new0(CGroupBlockIODeviceBandwidth, 1);
+                if (!b)
+                        return log_oom();
+
+                b->path = TAKE_PTR(resolved);
+                b->rbps = CGROUP_LIMIT_MAX;
+                b->wbps = CGROUP_LIMIT_MAX;
+
+                LIST_APPEND(device_bandwidths, c->blockio_device_bandwidths, b);
+        }
+
+        if (read)
+                b->rbps = bytes;
+        else
+                b->wbps = bytes;
+
+        return 0;
+}
+
 int config_parse_job_mode_isolate(
                 const char *unit,
                 const char *filename,
@@ -6172,6 +6372,7 @@ void unit_dump_config_items(FILE *f) {
 #endif
                 { config_parse_namespace_flags,       "NAMESPACES" },
                 { config_parse_restrict_filesystems,  "FILESYSTEMS"  },
+                { config_parse_cpu_shares,            "SHARES" },
                 { config_parse_cg_weight,             "WEIGHT" },
                 { config_parse_cg_cpu_weight,         "CPUWEIGHT" },
                 { config_parse_memory_limit,          "LIMIT" },
@@ -6180,6 +6381,9 @@ void unit_dump_config_items(FILE *f) {
                 { config_parse_io_limit,              "LIMIT" },
                 { config_parse_io_device_weight,      "DEVICEWEIGHT" },
                 { config_parse_io_device_latency,     "DEVICELATENCY" },
+                { config_parse_blockio_bandwidth,     "BANDWIDTH" },
+                { config_parse_blockio_weight,        "WEIGHT" },
+                { config_parse_blockio_device_weight, "DEVICEWEIGHT" },
                 { config_parse_long,                  "LONG" },
                 { config_parse_socket_service,        "SERVICE" },
 #if HAVE_SELINUX

src/core/load-fragment.h

@@ -81,6 +81,7 @@ CONFIG_PARSER_PROTOTYPE(config_parse_unset_environ);
 CONFIG_PARSER_PROTOTYPE(config_parse_unit_slice);
 CONFIG_PARSER_PROTOTYPE(config_parse_cg_weight);
 CONFIG_PARSER_PROTOTYPE(config_parse_cg_cpu_weight);
+CONFIG_PARSER_PROTOTYPE(config_parse_cpu_shares);
 CONFIG_PARSER_PROTOTYPE(config_parse_memory_limit);
 CONFIG_PARSER_PROTOTYPE(config_parse_tasks_max);
 CONFIG_PARSER_PROTOTYPE(config_parse_delegate);
@@ -94,6 +95,9 @@ CONFIG_PARSER_PROTOTYPE(config_parse_device_allow);
 CONFIG_PARSER_PROTOTYPE(config_parse_io_device_latency);
 CONFIG_PARSER_PROTOTYPE(config_parse_io_device_weight);
 CONFIG_PARSER_PROTOTYPE(config_parse_io_limit);
+CONFIG_PARSER_PROTOTYPE(config_parse_blockio_weight);
+CONFIG_PARSER_PROTOTYPE(config_parse_blockio_device_weight);
+CONFIG_PARSER_PROTOTYPE(config_parse_blockio_bandwidth);
 CONFIG_PARSER_PROTOTYPE(config_parse_job_mode);
 CONFIG_PARSER_PROTOTYPE(config_parse_job_mode_isolate);
 CONFIG_PARSER_PROTOTYPE(config_parse_exec_selinux_context);

src/core/main.c

@@ -794,7 +794,7 @@ static int parse_config_file(void) {
                 { "Manager", "DefaultCPUAccounting",         config_parse_bool,                  0,                        &arg_defaults.cpu_accounting      },
                 { "Manager", "DefaultIOAccounting",          config_parse_bool,                  0,                        &arg_defaults.io_accounting       },
                 { "Manager", "DefaultIPAccounting",          config_parse_bool,                  0,                        &arg_defaults.ip_accounting       },
-                { "Manager", "DefaultBlockIOAccounting",     config_parse_warn_compat,           DISABLED_LEGACY,          NULL                              },
+                { "Manager", "DefaultBlockIOAccounting",     config_parse_bool,                  0,                        &arg_defaults.blockio_accounting  },
                 { "Manager", "DefaultMemoryAccounting",      config_parse_bool,                  0,                        &arg_defaults.memory_accounting   },
                 { "Manager", "DefaultTasksAccounting",       config_parse_bool,                  0,                        &arg_defaults.tasks_accounting    },
                 { "Manager", "DefaultTasksMax",              config_parse_tasks_max,             0,                        &arg_defaults.tasks_max           },

src/core/scope.c

@@ -371,7 +371,7 @@ static int scope_enter_start_chown(Scope *s) {
                         }
                 }
 
-                r = cg_set_access(s->cgroup_runtime->cgroup_path, uid, gid);
+                r = cg_set_access(SYSTEMD_CGROUP_CONTROLLER, s->cgroup_runtime->cgroup_path, uid, gid);
                 if (r < 0) {
                         log_unit_error_errno(UNIT(s), r, "Failed to adjust control group access: %m");
                         _exit(EXIT_CGROUP);

src/core/service.c

@@ -729,6 +729,9 @@ static int service_verify(Service *s) {
         if (s->type == SERVICE_SIMPLE && s->exec_command[SERVICE_EXEC_START_POST] && exec_context_has_credentials(&s->exec_context))
                 log_unit_warning(UNIT(s), "Service uses a combination of Type=simple, ExecStartPost=, and credentials. This could lead to race conditions. Continuing.");
 
+        if (s->exit_type == SERVICE_EXIT_CGROUP && cg_unified() < CGROUP_UNIFIED_SYSTEMD)
+                log_unit_warning(UNIT(s), "Service has ExitType=cgroup set, but we are running with legacy cgroups v1, which might not work correctly. Continuing.");
+
         if (s->restart_max_delay_usec == USEC_INFINITY && s->restart_steps > 0)
                 log_unit_warning(UNIT(s), "Service has RestartSteps= but no RestartMaxDelaySec= setting. Ignoring.");
 

src/core/unit.c

@@ -173,6 +173,7 @@ static void unit_init(Unit *u) {
 
                 cc->cpu_accounting = u->manager->defaults.cpu_accounting;
                 cc->io_accounting = u->manager->defaults.io_accounting;
+                cc->blockio_accounting = u->manager->defaults.blockio_accounting;
                 cc->memory_accounting = u->manager->defaults.memory_accounting;
                 cc->tasks_accounting = u->manager->defaults.tasks_accounting;
                 cc->ip_accounting = u->manager->defaults.ip_accounting;
@@ -1571,6 +1572,9 @@ static int unit_add_oomd_dependencies(Unit *u) {
         if (!wants_oomd)
                 return 0;
 
+        if (!cg_all_unified())
+                return 0;
+
         r = cg_mask_supported(&mask);
         if (r < 0)
                 return log_debug_errno(r, "Failed to determine supported controllers: %m");
@@ -4805,6 +4809,15 @@ int unit_kill_context(Unit *u, KillOperation k) {
 
                 } else if (r > 0) {
 
+                        /* FIXME: For now, on the legacy hierarchy, we will not wait for the cgroup members to die if
+                         * we are running in a container or if this is a delegation unit, simply because cgroup
+                         * notification is unreliable in these cases. It doesn't work at all in containers, and outside
+                         * of containers it can be confused easily by left-over directories in the cgroup — which
+                         * however should not exist in non-delegated units. On the unified hierarchy that's different,
+                         * there we get proper events. Hence rely on them. */
+
+                        if (cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER) > 0 ||
+                            (detect_container() == 0 && !unit_cgroup_delegate(u)))
                                 wait_for_exit = true;
 
                         if (send_sighup) {
@@ -5405,7 +5418,7 @@ int unit_fork_helper_process(Unit *u, const char *name, bool into_cgroup, PidRef
         (void) ignore_signals(SIGPIPE);
 
         if (crt && crt->cgroup_path) {
-                r = cg_attach(crt->cgroup_path, 0);
+                r = cg_attach_everywhere(u->manager->cgroup_supported, crt->cgroup_path, 0);
                 if (r < 0) {
                         log_unit_error_errno(u, r, "Failed to join unit cgroup %s: %m", empty_to_root(crt->cgroup_path));
                         _exit(EXIT_CGROUP);

src/libsystemd/sd-netlink/netlink-socket.c

@@ -161,13 +161,12 @@ static int socket_recv_message(int fd, void *buf, size_t buf_size, uint32_t *ret
         assert(fd >= 0);
         assert(peek || (buf && buf_size > 0));
 
-        /* Note: this might return successfully, but with a zero size under some transient conditions, such
-         * as the reception of a non-kernel message. In such a case the passed buffer might or might not be
-         * modified. Caller must treat a zero return as "no message, but also not an error". */
-
         n = recvmsg_safe(fd, &msg, peek ? (MSG_PEEK|MSG_TRUNC) : 0);
-        if (ERRNO_IS_NEG_TRANSIENT(n))
+        if (ERRNO_IS_NEG_TRANSIENT(n)) {
-                goto transient;
+                if (ret_mcast_group)
+                        *ret_mcast_group = 0;
+                return 0;
+        }
         if (n == -ENOBUFS)
                 return log_debug_errno(n, "sd-netlink: kernel receive buffer overrun");
         if (n == -ECHRNG)
@@ -182,16 +181,15 @@ static int socket_recv_message(int fd, void *buf, size_t buf_size, uint32_t *ret
                 log_debug("sd-netlink: ignoring message from PID %"PRIu32, sender.nl.nl_pid);
 
                 if (peek) {
-                        /* Drop the message. Note that we ignore ECHRNG/EXFULL errors here, which
+                        /* drop the message */
-                         * recvmsg_safe() returns in case the payload or cdata is truncated. Given we just
-                         * want to drop the message we also don't care if its payload or cdata was
-                         * truncated. */
                         n = recvmsg_safe(fd, &msg, 0);
-                        if (n < 0 && !IN_SET(n, -ECHRNG, -EXFULL))
+                        if (n < 0)
                                 return (int) n;
                 }
 
-                goto transient;
+                if (ret_mcast_group)
+                        *ret_mcast_group = 0;
+                return 0;
         }
 
         if (ret_mcast_group) {
@@ -205,12 +203,6 @@ static int socket_recv_message(int fd, void *buf, size_t buf_size, uint32_t *ret
         }
 
         return (int) n;
-
-transient:
-        if (ret_mcast_group)
-                *ret_mcast_group = 0;
-
-        return 0;
 }
 
 DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(

src/network/netdev/l2tp-tunnel.c

@@ -54,11 +54,6 @@ static L2tpSession* l2tp_session_free(L2tpSession *s) {
 
 DEFINE_SECTION_CLEANUP_FUNCTIONS(L2tpSession, l2tp_session_free);
 
-DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(
-                l2tp_session_hash_ops_by_section,
-                ConfigSection, config_section_hash_func, config_section_compare_func,
-                L2tpSession, l2tp_session_free);
-
 static int l2tp_session_new_static(L2tpTunnel *t, const char *filename, unsigned section_line, L2tpSession **ret) {
         _cleanup_(config_section_freep) ConfigSection *n = NULL;
         _cleanup_(l2tp_session_freep) L2tpSession *s = NULL;
@@ -89,7 +84,7 @@ static int l2tp_session_new_static(L2tpTunnel *t, const char *filename, unsigned
                 .section = TAKE_PTR(n),
         };
 
-        r = ordered_hashmap_ensure_put(&t->sessions_by_section, &l2tp_session_hash_ops_by_section, s->section, s);
+        r = ordered_hashmap_ensure_put(&t->sessions_by_section, &config_section_hash_ops, s->section, s);
         if (r < 0)
                 return r;
 
@@ -909,7 +904,7 @@ static int netdev_l2tp_tunnel_get_ifindex(NetDev *netdev, const char *name) {
 static void l2tp_tunnel_done(NetDev *netdev) {
         L2tpTunnel *t = L2TP(netdev);
 
-        ordered_hashmap_free(t->sessions_by_section);
+        ordered_hashmap_free_with_destructor(t->sessions_by_section, l2tp_session_free);
         free(t->local_ifname);
 }
 

src/network/netdev/macsec.c

@@ -20,12 +20,6 @@
 #include "string-util.h"
 #include "unaligned.h"
 
-#define SECURITY_ASSOCIATION_NULL               \
-        (SecurityAssociation) {                 \
-                .activate = -1,                 \
-                .use_for_encoding = -1,         \
-        }
-
 static void security_association_clear(SecurityAssociation *sa) {
         if (!sa)
                 return;
@@ -35,6 +29,13 @@ static void security_association_clear(SecurityAssociation *sa) {
         free(sa->key_file);
 }
 
+static void security_association_init(SecurityAssociation *sa) {
+        assert(sa);
+
+        sa->activate = -1;
+        sa->use_for_encoding = -1;
+}
+
 static ReceiveAssociation* macsec_receive_association_free(ReceiveAssociation *c) {
         if (!c)
                 return NULL;
@@ -50,11 +51,6 @@ static ReceiveAssociation* macsec_receive_association_free(ReceiveAssociation *c
 
 DEFINE_SECTION_CLEANUP_FUNCTIONS(ReceiveAssociation, macsec_receive_association_free);
 
-DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(
-                receive_association_hash_ops_by_section,
-                ConfigSection, config_section_hash_func, config_section_compare_func,
-                ReceiveAssociation, macsec_receive_association_free);
-
 static int macsec_receive_association_new_static(MACsec *s, const char *filename, unsigned section_line, ReceiveAssociation **ret) {
         _cleanup_(config_section_freep) ConfigSection *n = NULL;
         _cleanup_(macsec_receive_association_freep) ReceiveAssociation *c = NULL;
@@ -82,14 +78,16 @@ static int macsec_receive_association_new_static(MACsec *s, const char *filename
         *c = (ReceiveAssociation) {
                 .macsec = s,
                 .section = TAKE_PTR(n),
-                .sa = SECURITY_ASSOCIATION_NULL,
         };
 
-        r = ordered_hashmap_ensure_put(&s->receive_associations_by_section, &receive_association_hash_ops_by_section, c->section, c);
+        security_association_init(&c->sa);
+
+        r = ordered_hashmap_ensure_put(&s->receive_associations_by_section, &config_section_hash_ops, c->section, c);
         if (r < 0)
                 return r;
 
         *ret = TAKE_PTR(c);
+
         return 0;
 }
 
@@ -112,16 +110,6 @@ static ReceiveChannel* macsec_receive_channel_free(ReceiveChannel *c) {
 
 DEFINE_SECTION_CLEANUP_FUNCTIONS(ReceiveChannel, macsec_receive_channel_free);
 
-DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(
-                receive_channel_hash_ops,
-                uint64_t, uint64_hash_func, uint64_compare_func,
-                ReceiveChannel, macsec_receive_channel_free);
-
-DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(
-                receive_channel_hash_ops_by_section,
-                ConfigSection, config_section_hash_func, config_section_compare_func,
-                ReceiveChannel, macsec_receive_channel_free);
-
 static int macsec_receive_channel_new(MACsec *s, uint64_t sci, ReceiveChannel **ret) {
         ReceiveChannel *c;
 
@@ -166,11 +154,12 @@ static int macsec_receive_channel_new_static(MACsec *s, const char *filename, un
 
         c->section = TAKE_PTR(n);
 
-        r = ordered_hashmap_ensure_put(&s->receive_channels_by_section, &receive_channel_hash_ops_by_section, c->section, c);
+        r = ordered_hashmap_ensure_put(&s->receive_channels_by_section, &config_section_hash_ops, c->section, c);
         if (r < 0)
                 return r;
 
         *ret = TAKE_PTR(c);
+
         return 0;
 }
 
@@ -189,11 +178,6 @@ static TransmitAssociation* macsec_transmit_association_free(TransmitAssociation
 
 DEFINE_SECTION_CLEANUP_FUNCTIONS(TransmitAssociation, macsec_transmit_association_free);
 
-DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(
-                transmit_association_hash_ops_by_section,
-                ConfigSection, config_section_hash_func, config_section_compare_func,
-                TransmitAssociation, macsec_transmit_association_free);
-
 static int macsec_transmit_association_new_static(MACsec *s, const char *filename, unsigned section_line, TransmitAssociation **ret) {
         _cleanup_(config_section_freep) ConfigSection *n = NULL;
         _cleanup_(macsec_transmit_association_freep) TransmitAssociation *a = NULL;
@@ -221,14 +205,16 @@ static int macsec_transmit_association_new_static(MACsec *s, const char *filenam
         *a = (TransmitAssociation) {
                 .macsec = s,
                 .section = TAKE_PTR(n),
-                .sa = SECURITY_ASSOCIATION_NULL,
         };
 
-        r = ordered_hashmap_ensure_put(&s->transmit_associations_by_section, &transmit_association_hash_ops_by_section, a->section, a);
+        security_association_init(&a->sa);
+
+        r = ordered_hashmap_ensure_put(&s->transmit_associations_by_section, &config_section_hash_ops, a->section, a);
         if (r < 0)
                 return r;
 
         *ret = TAKE_PTR(a);
+
         return 0;
 }
 
@@ -1032,7 +1018,7 @@ static int macsec_receive_channel_verify(ReceiveChannel *c) {
                                               "Ignoring [MACsecReceiveChannel] section from line %u",
                                               c->section->filename, c->section->line);
 
-        r = ordered_hashmap_ensure_put(&c->macsec->receive_channels, &receive_channel_hash_ops, &c->sci.as_uint64, c);
+        r = ordered_hashmap_ensure_put(&c->macsec->receive_channels, &uint64_hash_ops, &c->sci.as_uint64, c);
         if (r == -ENOMEM)
                 return log_oom();
         if (r == -EEXIST)
@@ -1122,7 +1108,7 @@ static int macsec_receive_association_verify(ReceiveAssociation *a) {
                 if (r < 0)
                         return log_oom();
 
-                r = ordered_hashmap_ensure_put(&a->macsec->receive_channels, &receive_channel_hash_ops, &new_channel->sci.as_uint64, new_channel);
+                r = ordered_hashmap_ensure_put(&a->macsec->receive_channels, &uint64_hash_ops, &new_channel->sci.as_uint64, new_channel);
                 if (r == -ENOMEM)
                         return log_oom();
                 if (r < 0)
@@ -1217,10 +1203,10 @@ static void macsec_init(NetDev *netdev) {
 static void macsec_done(NetDev *netdev) {
         MACsec *v = MACSEC(netdev);
 
-        ordered_hashmap_free(v->receive_channels);
+        ordered_hashmap_free_with_destructor(v->receive_channels, macsec_receive_channel_free);
-        ordered_hashmap_free(v->receive_channels_by_section);
+        ordered_hashmap_free_with_destructor(v->receive_channels_by_section, macsec_receive_channel_free);
-        ordered_hashmap_free(v->transmit_associations_by_section);
+        ordered_hashmap_free_with_destructor(v->transmit_associations_by_section, macsec_transmit_association_free);
-        ordered_hashmap_free(v->receive_associations_by_section);
+        ordered_hashmap_free_with_destructor(v->receive_associations_by_section, macsec_receive_association_free);
 }
 
 const NetDevVTable macsec_vtable = {

src/network/netdev/wireguard.c

@@ -72,11 +72,6 @@ static WireguardPeer* wireguard_peer_free(WireguardPeer *peer) {
 
 DEFINE_SECTION_CLEANUP_FUNCTIONS(WireguardPeer, wireguard_peer_free);
 
-DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(
-                wireguard_peer_hash_ops_by_section,
-                ConfigSection, config_section_hash_func, config_section_compare_func,
-                WireguardPeer, wireguard_peer_free);
-
 static int wireguard_peer_new_static(Wireguard *w, const char *filename, unsigned section_line, WireguardPeer **ret) {
         _cleanup_(config_section_freep) ConfigSection *n = NULL;
         _cleanup_(wireguard_peer_freep) WireguardPeer *peer = NULL;
@@ -109,7 +104,7 @@ static int wireguard_peer_new_static(Wireguard *w, const char *filename, unsigne
 
         LIST_PREPEND(peers, w->peers, peer);
 
-        r = hashmap_ensure_put(&w->peers_by_section, &wireguard_peer_hash_ops_by_section, peer->section, peer);
+        r = hashmap_ensure_put(&w->peers_by_section, &config_section_hash_ops, peer->section, peer);
         if (r < 0)
                 return r;
 
@@ -1082,7 +1077,7 @@ static void wireguard_done(NetDev *netdev) {
         explicit_bzero_safe(w->private_key, WG_KEY_LEN);
         free(w->private_key_file);
 
-        hashmap_free(w->peers_by_section);
+        hashmap_free_with_destructor(w->peers_by_section, wireguard_peer_free);
 
         set_free(w->routes);
 }

src/network/networkd-routing-policy-rule.c

@@ -615,7 +615,7 @@ static int routing_policy_rule_set_netlink_message(const RoutingPolicyRule *rule
         if (r < 0)
                 return r;
 
-        if (rule->fwmark > 0 || rule->fwmask > 0) {
+        if (rule->fwmark > 0) {
                 r = sd_netlink_message_append_u32(m, FRA_FWMARK, rule->fwmark);
                 if (r < 0)
                         return r;
@@ -1315,12 +1315,14 @@ static int parse_fwmark_fwmask(const char *s, uint32_t *ret_fwmark, uint32_t *re
         if (r < 0)
                 return r;
 
+        if (fwmark > 0) {
                 if (slash) {
                         r = safe_atou32(slash + 1, &fwmask);
                         if (r < 0)
                                 return r;
-        } else if (fwmark > 0)
+                } else
                         fwmask = UINT32_MAX;
+        }
 
         *ret_fwmark = fwmark;
         *ret_fwmask = fwmask;

src/nspawn/nspawn-cgroup.c

@@ -88,9 +88,9 @@ int create_subcgroup(
                 return log_oom();
 
         if (userns_mode != USER_NAMESPACE_MANAGED)
-                r = cg_create_and_attach(payload, pid);
+                r = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, payload, pid);
         else
-                r = cg_create(payload);
+                r = cg_create(SYSTEMD_CGROUP_CONTROLLER, payload);
         if (r < 0)
                 return log_error_errno(r, "Failed to create %s subcgroup: %m", payload);
 
@@ -125,13 +125,13 @@ int create_subcgroup(
                 if (!supervisor)
                         return log_oom();
 
-                r = cg_create_and_attach(supervisor, 0);
+                r = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, supervisor, 0);
                 if (r < 0)
                         return log_error_errno(r, "Failed to create %s subcgroup: %m", supervisor);
         }
 
         /* Try to enable as many controllers as possible for the new payload. */
-        (void) cg_enable(supported, supported, cgroup, NULL);
+        (void) cg_enable_everywhere(supported, supported, cgroup, NULL);
         return 0;
 }
 

src/oom/test-oomd-util.c

@@ -52,7 +52,7 @@ static void test_oomd_cgroup_kill(void) {
          * by the test so that pid1 doesn't delete it before we can read the xattrs. */
         cgroup = path_join(cgroup_root, "oomdkilltest");
         assert_se(cgroup);
-        assert_se(cg_create(cgroup) >= 0);
+        assert_se(cg_create(SYSTEMD_CGROUP_CONTROLLER, cgroup) >= 0);
 
         /* If we don't have permissions to set xattrs we're likely in a userns or missing capabilities */
         r = cg_set_xattr(cgroup, "user.oomd_test", "test", 4, 0);
@@ -65,7 +65,7 @@ static void test_oomd_cgroup_kill(void) {
 
                 for (int j = 0; j < 2; j++) {
                         pid[j] = fork_and_sleep(5);
-                        assert_se(cg_attach(cgroup, pid[j]) >= 0);
+                        assert_se(cg_attach(SYSTEMD_CGROUP_CONTROLLER, cgroup, pid[j]) >= 0);
                 }
 
                 r = oomd_cgroup_kill(cgroup, false /* recurse */, false /* dry run */);
@@ -477,7 +477,7 @@ static void test_oomd_fetch_cgroup_oom_preference(void) {
          * owned by the same user. */
         if (test_xattrs && !empty_or_root(cgroup)) {
                 ctx = oomd_cgroup_context_free(ctx);
-                assert_se(cg_set_access(cgroup, 61183, 0) >= 0);
+                assert_se(cg_set_access(SYSTEMD_CGROUP_CONTROLLER, cgroup, 61183, 0) >= 0);
                 assert_se(oomd_cgroup_context_acquire(cgroup, &ctx) == 0);
 
                 assert_se(oomd_fetch_cgroup_oom_preference(ctx, NULL) == 0);

src/resolve/resolved-dns-question.c

@@ -548,12 +548,3 @@ int dns_question_merge(DnsQuestion *a, DnsQuestion *b, DnsQuestion **ret) {
         *ret = TAKE_PTR(k);
         return 0;
 }
-
-bool dns_question_contains_key_type(DnsQuestion *q, uint16_t type) {
-        DnsResourceKey *t;
-        DNS_QUESTION_FOREACH(t, q)
-                if (t->type == type)
-                        return true;
-
-        return false;
-}

src/resolve/resolved-dns-question.h

@@ -61,8 +61,6 @@ static inline bool dns_question_isempty(DnsQuestion *q) {
 
 int dns_question_merge(DnsQuestion *a, DnsQuestion *b, DnsQuestion **ret);
 
-bool dns_question_contains_key_type(DnsQuestion *q, uint16_t type);
-
 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsQuestion*, dns_question_unref);
 
 #define _DNS_QUESTION_FOREACH(u, k, q)                                     \

src/resolve/resolved-dns-scope.c

@@ -713,11 +713,6 @@ DnsScopeMatch dns_scope_good_domain(
                 if (!dns_scope_get_dns_server(s))
                         return DNS_SCOPE_NO;
 
-                /* Route DS requests to the parent */
-                const char *route_domain = domain;
-                if (dns_question_contains_key_type(question, DNS_TYPE_DS))
-                        (void) dns_name_parent(&route_domain);
-
                 /* Always honour search domains for routing queries, except if this scope lacks DNS servers. Note that
                  * we return DNS_SCOPE_YES here, rather than just DNS_SCOPE_MAYBE, which means other wildcard scopes
                  * won't be considered anymore. */
@@ -726,7 +721,7 @@ DnsScopeMatch dns_scope_good_domain(
                         if (!d->route_only && !dns_name_is_root(d->name))
                                 has_search_domains = true;
 
-                        if (dns_name_endswith(route_domain, d->name) > 0) {
+                        if (dns_name_endswith(domain, d->name) > 0) {
                                 int c;
 
                                 c = dns_name_count_labels(d->name);

src/resolve/resolved-dns-trust-anchor.c

@@ -14,6 +14,7 @@
 #include "resolved-dns-dnssec.h"
 #include "resolved-dns-trust-anchor.h"
 #include "set.h"
+#include "sort-util.h"
 #include "string-util.h"
 #include "strv.h"
 
@@ -414,7 +415,7 @@ static int dns_trust_anchor_load_negative(DnsTrustAnchor *d, const char *path, u
                 return -EINVAL;
         }
 
-        r = set_ensure_consume(&d->negative_by_name, &dns_name_hash_ops_free, TAKE_PTR(domain));
+        r = set_ensure_consume(&d->negative_by_name, &dns_name_hash_ops, TAKE_PTR(domain));
         if (r < 0)
                 return log_oom();
 
@@ -476,6 +477,10 @@ static int dns_trust_anchor_load_files(
         return 0;
 }
 
+static int domain_name_cmp(char * const *a, char * const *b) {
+        return dns_name_compare_func(*a, *b);
+}
+
 static int dns_trust_anchor_dump(DnsTrustAnchor *d) {
         DnsAnswer *a;
 
@@ -498,9 +503,12 @@ static int dns_trust_anchor_dump(DnsTrustAnchor *d) {
         else {
                 _cleanup_free_ char **l = NULL, *j = NULL;
 
-                if (set_dump_sorted(d->negative_by_name, (void***) &l, /* ret_n = */ NULL) < 0)
+                l = set_get_strv(d->negative_by_name);
+                if (!l)
                         return log_oom();
 
+                typesafe_qsort(l, set_size(d->negative_by_name), domain_name_cmp);
+
                 j = strv_join(l, " ");
                 if (!j)
                         return log_oom();

src/shared/bus-get-properties.c

@@ -6,9 +6,6 @@
 #include "stdio-util.h"
 #include "string-util.h"
 
-BUS_DEFINE_PROPERTY_GET_GLOBAL(bus_property_get_bool_false, "b", 0);
-BUS_DEFINE_PROPERTY_GET_GLOBAL(bus_property_get_uint64_max, "t", UINT64_MAX);
-
 int bus_property_get_bool(
                 sd_bus *bus,
                 const char *path,

src/shared/bus-get-properties.h

@@ -5,10 +5,6 @@
 
 #include "macro.h"
 
-/* For deprecated properties. */
-int bus_property_get_bool_false(sd_bus *bus, const char *path, const char *interface, const char *property, sd_bus_message *reply, void *userdata, sd_bus_error *error);
-int bus_property_get_uint64_max(sd_bus *bus, const char *path, const char *interface, const char *property, sd_bus_message *reply, void *userdata, sd_bus_error *error);
-
 int bus_property_get_bool(sd_bus *bus, const char *path, const char *interface, const char *property, sd_bus_message *reply, void *userdata, sd_bus_error *error);
 int bus_property_set_bool(sd_bus *bus, const char *path, const char *interface, const char *property, sd_bus_message *value, void *userdata, sd_bus_error *error);
 int bus_property_get_tristate(sd_bus *bus, const char *path, const char *interface, const char *property, sd_bus_message *reply, void *userdata, sd_bus_error *error);

src/shared/bus-unit-util.c

@@ -126,6 +126,8 @@ DEFINE_BUS_APPEND_PARSE_PTR("i", int32_t, int, ioprio_parse_priority);
 DEFINE_BUS_APPEND_PARSE_PTR("i", int32_t, int, parse_nice);
 DEFINE_BUS_APPEND_PARSE_PTR("i", int32_t, int, safe_atoi);
 DEFINE_BUS_APPEND_PARSE_PTR("t", uint64_t, nsec_t, parse_nsec);
+DEFINE_BUS_APPEND_PARSE_PTR("t", uint64_t, uint64_t, cg_blkio_weight_parse);
+DEFINE_BUS_APPEND_PARSE_PTR("t", uint64_t, uint64_t, cg_cpu_shares_parse);
 DEFINE_BUS_APPEND_PARSE_PTR("t", uint64_t, uint64_t, cg_weight_parse);
 DEFINE_BUS_APPEND_PARSE_PTR("t", uint64_t, uint64_t, cg_cpu_weight_parse);
 DEFINE_BUS_APPEND_PARSE_PTR("t", uint64_t, unsigned long, mount_propagation_flag_from_string);
@@ -570,6 +572,7 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons
                               "MemoryAccounting",
                               "MemoryZSwapWriteback",
                               "IOAccounting",
+                              "BlockIOAccounting",
                               "TasksAccounting",
                               "IPAccounting",
                               "CoredumpReceive"))
@@ -583,6 +586,10 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons
                               "StartupIOWeight"))
                 return bus_append_cg_weight_parse(m, field, eq);
 
+        if (STR_IN_SET(field, "CPUShares",
+                              "StartupCPUShares"))
+                return bus_append_cg_cpu_shares_parse(m, field, eq);
+
         if (STR_IN_SET(field, "AllowedCPUs",
                               "StartupAllowedCPUs",
                               "AllowedMemoryNodes",
@@ -602,6 +609,10 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons
                 return bus_append_byte_array(m, field, array, allocated);
         }
 
+        if (STR_IN_SET(field, "BlockIOWeight",
+                              "StartupBlockIOWeight"))
+                return bus_append_cg_blkio_weight_parse(m, field, eq);
+
         if (streq(field, "DisableControllers"))
                 return bus_append_strv(m, "DisableControllers", eq, /* separator= */ NULL, EXTRACT_UNQUOTE);
 
@@ -625,6 +636,7 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons
                               "MemoryMax",
                               "MemorySwapMax",
                               "MemoryZSwapMax",
+                              "MemoryLimit",
                               "TasksMax")) {
 
                 if (streq(eq, "infinity")) {
@@ -723,7 +735,9 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons
                 return 1;
         }
 
-        if (cgroup_io_limit_type_from_string(field) >= 0) {
+        if (cgroup_io_limit_type_from_string(field) >= 0 ||
+            STR_IN_SET(field, "BlockIOReadBandwidth",
+                              "BlockIOWriteBandwidth")) {
 
                 if (isempty(eq))
                         r = sd_bus_message_append(m, "(sv)", field, "a(st)", 0);
@@ -757,7 +771,8 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons
                 return 1;
         }
 
-        if (streq(field, "IODeviceWeight")) {
+        if (STR_IN_SET(field, "IODeviceWeight",
+                              "BlockIODeviceWeight")) {
                 if (isempty(eq))
                         r = sd_bus_message_append(m, "(sv)", field, "a(st)", 0);
                 else {

src/shared/cgroup-setup.c

@@ -51,6 +51,52 @@ int cg_cpu_weight_parse(const char *s, uint64_t *ret) {
         return cg_weight_parse(s, ret);
 }
 
+int cg_cpu_shares_parse(const char *s, uint64_t *ret) {
+        uint64_t u;
+        int r;
+
+        assert(s);
+        assert(ret);
+
+        if (isempty(s)) {
+                *ret = CGROUP_CPU_SHARES_INVALID;
+                return 0;
+        }
+
+        r = safe_atou64(s, &u);
+        if (r < 0)
+                return r;
+
+        if (u < CGROUP_CPU_SHARES_MIN || u > CGROUP_CPU_SHARES_MAX)
+                return -ERANGE;
+
+        *ret = u;
+        return 0;
+}
+
+int cg_blkio_weight_parse(const char *s, uint64_t *ret) {
+        uint64_t u;
+        int r;
+
+        assert(s);
+        assert(ret);
+
+        if (isempty(s)) {
+                *ret = CGROUP_BLKIO_WEIGHT_INVALID;
+                return 0;
+        }
+
+        r = safe_atou64(s, &u);
+        if (r < 0)
+                return r;
+
+        if (u < CGROUP_BLKIO_WEIGHT_MIN || u > CGROUP_BLKIO_WEIGHT_MAX)
+                return -ERANGE;
+
+        *ret = u;
+        return 0;
+}
+
 static int trim_cb(
                 RecurseDirEvent event,
                 const char *path,
@@ -70,11 +116,13 @@ static int trim_cb(
         return RECURSE_DIR_CONTINUE;
 }
 
-int cg_trim(const char *path, bool delete_root) {
+int cg_trim(const char *controller, const char *path, bool delete_root) {
         _cleanup_free_ char *fs = NULL;
-        int r;
+        int r, q;
 
-        r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, path, NULL, &fs);
+        assert(controller);
+
+        r = cg_get_path(controller, path, NULL, &fs);
         if (r < 0)
                 return r;
 
@@ -101,17 +149,25 @@ int cg_trim(const char *path, bool delete_root) {
                 RET_GATHER(r, -errno);
         }
 
+        q = cg_hybrid_unified();
+        if (q < 0)
+                return q;
+        if (q > 0 && streq(controller, SYSTEMD_CGROUP_CONTROLLER))
+                (void) cg_trim(SYSTEMD_CGROUP_CONTROLLER_LEGACY, path, delete_root);
+
         return r;
 }
 
 /* Create a cgroup in the hierarchy of controller.
  * Returns 0 if the group already existed, 1 on success, negative otherwise.
  */
-int cg_create(const char *path) {
+int cg_create(const char *controller, const char *path) {
         _cleanup_free_ char *fs = NULL;
         int r;
 
-        r = cg_get_path_and_check(SYSTEMD_CGROUP_CONTROLLER, path, NULL, &fs);
+        assert(controller);
+
+        r = cg_get_path_and_check(controller, path, NULL, &fs);
         if (r < 0)
                 return r;
 
@@ -125,18 +181,28 @@ int cg_create(const char *path) {
         if (r < 0)
                 return r;
 
+        r = cg_hybrid_unified();
+        if (r < 0)
+                return r;
+        if (r > 0 && streq(controller, SYSTEMD_CGROUP_CONTROLLER)) {
+                r = cg_create(SYSTEMD_CGROUP_CONTROLLER_LEGACY, path);
+                if (r < 0)
+                        log_warning_errno(r, "Failed to create compat systemd cgroup '%s', ignoring: %m", path);
+        }
+
         return 1;
 }
 
-int cg_attach(const char *path, pid_t pid) {
+int cg_attach(const char *controller, const char *path, pid_t pid) {
         _cleanup_free_ char *fs = NULL;
         char c[DECIMAL_STR_MAX(pid_t) + 2];
         int r;
 
+        assert(controller);
         assert(path);
         assert(pid >= 0);
 
-        r = cg_get_path_and_check(SYSTEMD_CGROUP_CONTROLLER, path, "cgroup.procs", &fs);
+        r = cg_get_path_and_check(controller, path, "cgroup.procs", &fs);
         if (r < 0)
                 return r;
 
@@ -152,6 +218,15 @@ int cg_attach(const char *path, pid_t pid) {
         if (r < 0)
                 return r;
 
+        r = cg_hybrid_unified();
+        if (r < 0)
+                return r;
+        if (r > 0 && streq(controller, SYSTEMD_CGROUP_CONTROLLER)) {
+                r = cg_attach(SYSTEMD_CGROUP_CONTROLLER_LEGACY, path, pid);
+                if (r < 0)
+                        log_warning_errno(r, "Failed to attach "PID_FMT" to compat systemd cgroup '%s', ignoring: %m", pid, path);
+        }
+
         return 0;
 }
 
@@ -169,18 +244,43 @@ int cg_fd_attach(int fd, pid_t pid) {
         return write_string_file_at(fd, "cgroup.procs", c, WRITE_STRING_FILE_DISABLE_BUFFER);
 }
 
-int cg_create_and_attach(const char *path, pid_t pid) {
+int cg_attach_fallback(const char *controller, const char *path, pid_t pid) {
+        int r;
+
+        assert(controller);
+        assert(path);
+        assert(pid >= 0);
+
+        r = cg_attach(controller, path, pid);
+        if (r < 0) {
+                char prefix[strlen(path) + 1];
+
+                /* This didn't work? Then let's try all prefixes of the destination */
+
+                PATH_FOREACH_PREFIX(prefix, path) {
+                        int q;
+
+                        q = cg_attach(controller, prefix, pid);
+                        if (q >= 0)
+                                return q;
+                }
+        }
+
+        return r;
+}
+
+int cg_create_and_attach(const char *controller, const char *path, pid_t pid) {
         int r, q;
 
         /* This does not remove the cgroup on failure */
 
         assert(pid >= 0);
 
-        r = cg_create(path);
+        r = cg_create(controller, path);
         if (r < 0)
                 return r;
 
-        q = cg_attach(path, pid);
+        q = cg_attach(controller, path, pid);
         if (q < 0)
                 return q;
 
@@ -188,31 +288,54 @@ int cg_create_and_attach(const char *path, pid_t pid) {
 }
 
 int cg_set_access(
+                const char *controller,
                 const char *path,
                 uid_t uid,
                 gid_t gid) {
 
-        static const struct {
+        struct Attribute {
                 const char *name;
                 bool fatal;
-        } attributes[] = {
+        };
+
+        /* cgroup v1, aka legacy/non-unified */
+        static const struct Attribute legacy_attributes[] = {
+                { "cgroup.procs",           true  },
+                { "tasks",                  false },
+                { "cgroup.clone_children",  false },
+                {},
+        };
+
+        /* cgroup v2, aka unified */
+        static const struct Attribute unified_attributes[] = {
                 { "cgroup.procs",           true  },
                 { "cgroup.subtree_control", true  },
                 { "cgroup.threads",         false },
                 { "memory.oom.group",       false },
                 { "memory.reclaim",         false },
+                {},
+        };
+
+        static const struct Attribute* const attributes[] = {
+                [false] = legacy_attributes,
+                [true]  = unified_attributes,
         };
 
         _cleanup_free_ char *fs = NULL;
-        int r;
+        const struct Attribute *i;
+        int r, unified;
 
         assert(path);
 
         if (uid == UID_INVALID && gid == GID_INVALID)
                 return 0;
 
+        unified = cg_unified_controller(controller);
+        if (unified < 0)
+                return unified;
+
         /* Configure access to the cgroup itself */
-        r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, path, NULL, &fs);
+        r = cg_get_path(controller, path, NULL, &fs);
         if (r < 0)
                 return r;
 
@@ -221,17 +344,31 @@ int cg_set_access(
                 return r;
 
         /* Configure access to the cgroup's attributes */
-        FOREACH_ELEMENT(i, attributes) {
+        for (i = attributes[unified]; i->name; i++) {
-                _cleanup_free_ char *a = path_join(fs, i->name);
+                fs = mfree(fs);
-                if (!a)
-                        return -ENOMEM;
 
-                r = chmod_and_chown(a, 0644, uid, gid);
+                r = cg_get_path(controller, path, i->name, &fs);
+                if (r < 0)
+                        return r;
+
+                r = chmod_and_chown(fs, 0644, uid, gid);
                 if (r < 0) {
                         if (i->fatal)
                                 return r;
 
-                        log_debug_errno(r, "Failed to set access on cgroup %s, ignoring: %m", a);
+                        log_debug_errno(r, "Failed to set access on cgroup %s, ignoring: %m", fs);
+                }
+        }
+
+        if (streq(controller, SYSTEMD_CGROUP_CONTROLLER)) {
+                r = cg_hybrid_unified();
+                if (r < 0)
+                        return r;
+                if (r > 0) {
+                        /* Always propagate access mode from unified to legacy controller */
+                        r = cg_set_access(SYSTEMD_CGROUP_CONTROLLER_LEGACY, path, uid, gid);
+                        if (r < 0)
+                                log_debug_errno(r, "Failed to set access on compatibility systemd cgroup %s, ignoring: %m", path);
                 }
         }
 
@@ -268,6 +405,7 @@ static int access_callback(
 }
 
 int cg_set_access_recursive(
+                const char *controller,
                 const char *path,
                 uid_t uid,
                 gid_t gid) {
@@ -276,6 +414,7 @@ int cg_set_access_recursive(
         _cleanup_free_ char *fs = NULL;
         int r;
 
+        assert(controller);
         assert(path);
 
         /* A recursive version of cg_set_access(). But note that this one changes ownership of *all* files,
@@ -285,7 +424,7 @@ int cg_set_access_recursive(
         if (!uid_is_valid(uid) && !gid_is_valid(gid))
                 return 0;
 
-        r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, path, NULL, &fs);
+        r = cg_get_path(controller, path, NULL, &fs);
         if (r < 0)
                 return r;
 
@@ -313,16 +452,20 @@ int cg_set_access_recursive(
 }
 
 int cg_migrate(
-                const char *from,
+                const char *cfrom,
-                const char *to,
+                const char *pfrom,
+                const char *cto,
+                const char *pto,
                 CGroupFlags flags) {
 
         _cleanup_set_free_ Set *s = NULL;
         bool done;
         int r, ret = 0;
 
-        assert(from);
+        assert(cfrom);
-        assert(to);
+        assert(pfrom);
+        assert(cto);
+        assert(pto);
 
         do {
                 _cleanup_fclose_ FILE *f = NULL;
@@ -330,7 +473,7 @@ int cg_migrate(
 
                 done = true;
 
-                r = cg_enumerate_processes(SYSTEMD_CGROUP_CONTROLLER, from, &f);
+                r = cg_enumerate_processes(cfrom, pfrom, &f);
                 if (r < 0)
                         return RET_GATHER(ret, r);
 
@@ -350,7 +493,7 @@ int cg_migrate(
                         if (pid_is_kernel_thread(pid) > 0)
                                 continue;
 
-                        r = cg_attach(to, pid);
+                        r = cg_attach(cto, pto, pid);
                         if (r < 0) {
                                 if (r != -ESRCH)
                                         RET_GATHER(ret, r);
@@ -370,7 +513,112 @@ int cg_migrate(
         return ret;
 }
 
-int cg_enable(
+int cg_create_everywhere(CGroupMask supported, CGroupMask mask, const char *path) {
+        CGroupController c;
+        CGroupMask done;
+        bool created;
+        int r;
+
+        /* This one will create a cgroup in our private tree, but also
+         * duplicate it in the trees specified in mask, and remove it
+         * in all others.
+         *
+         * Returns 0 if the group already existed in the systemd hierarchy,
+         * 1 on success, negative otherwise.
+         */
+
+        /* First create the cgroup in our own hierarchy. */
+        r = cg_create(SYSTEMD_CGROUP_CONTROLLER, path);
+        if (r < 0)
+                return r;
+        created = r;
+
+        /* If we are in the unified hierarchy, we are done now */
+        r = cg_all_unified();
+        if (r < 0)
+                return r;
+        if (r > 0)
+                return created;
+
+        supported &= CGROUP_MASK_V1;
+        mask = CGROUP_MASK_EXTEND_JOINED(mask);
+        done = 0;
+
+        /* Otherwise, do the same in the other hierarchies */
+        for (c = 0; c < _CGROUP_CONTROLLER_MAX; c++) {
+                CGroupMask bit = CGROUP_CONTROLLER_TO_MASK(c);
+                const char *n;
+
+                if (!FLAGS_SET(supported, bit))
+                        continue;
+
+                if (FLAGS_SET(done, bit))
+                        continue;
+
+                n = cgroup_controller_to_string(c);
+                if (FLAGS_SET(mask, bit))
+                        (void) cg_create(n, path);
+
+                done |= CGROUP_MASK_EXTEND_JOINED(bit);
+        }
+
+        return created;
+}
+
+int cg_attach_everywhere(CGroupMask supported, const char *path, pid_t pid) {
+        int r;
+
+        assert(path);
+        assert(pid >= 0);
+
+        r = cg_attach(SYSTEMD_CGROUP_CONTROLLER, path, pid);
+        if (r < 0)
+                return r;
+
+        r = cg_all_unified();
+        if (r < 0)
+                return r;
+        if (r > 0)
+                return 0;
+
+        supported &= CGROUP_MASK_V1;
+        CGroupMask done = 0;
+
+        for (CGroupController c = 0; c < _CGROUP_CONTROLLER_MAX; c++) {
+                CGroupMask bit = CGROUP_CONTROLLER_TO_MASK(c);
+
+                if (!FLAGS_SET(supported, bit))
+                        continue;
+
+                if (FLAGS_SET(done, bit))
+                        continue;
+
+                (void) cg_attach_fallback(cgroup_controller_to_string(c), path, pid);
+                done |= CGROUP_MASK_EXTEND_JOINED(bit);
+        }
+
+        return 0;
+}
+
+int cg_trim_everywhere(CGroupMask supported, const char *path, bool delete_root) {
+        int r, q;
+
+        assert(path);
+
+        r = cg_trim(SYSTEMD_CGROUP_CONTROLLER, path, delete_root);
+        if (r < 0)
+                return r;
+
+        q = cg_all_unified();
+        if (q < 0)
+                return q;
+        if (q > 0)
+                return r;
+
+        return cg_trim_v1_controllers(supported, _CGROUP_MASK_ALL, path, delete_root);
+}
+
+int cg_enable_everywhere(
                 CGroupMask supported,
                 CGroupMask mask,
                 const char *p,
@@ -390,6 +638,26 @@ int cg_enable(
                 return 0;
         }
 
+        r = cg_all_unified();
+        if (r < 0)
+                return r;
+        if (r == 0) {
+                /* On the legacy hierarchy there's no concept of "enabling" controllers in cgroups defined. Let's claim
+                 * complete success right away. (If you wonder why we return the full mask here, rather than zero: the
+                 * caller tends to use the returned mask later on to compare if all controllers where properly joined,
+                 * and if not requeues realization. This use is the primary purpose of the return value, hence let's
+                 * minimize surprises here and reduce triggers for re-realization by always saying we fully
+                 * succeeded.) */
+                if (ret_result_mask)
+                        *ret_result_mask = mask & supported & CGROUP_MASK_V2; /* If you wonder why we mask this with
+                                                                               * CGROUP_MASK_V2: The 'supported' mask
+                                                                               * might contain pure-V1 or BPF
+                                                                               * controllers, and we never want to
+                                                                               * claim that we could enable those with
+                                                                               * cgroup.subtree_control */
+                return 0;
+        }
+
         r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, p, "cgroup.subtree_control", &fs);
         if (r < 0)
                 return r;
@@ -458,6 +726,148 @@ int cg_enable(
         return 0;
 }
 
+int cg_migrate_recursive(
+                const char *cfrom,
+                const char *pfrom,
+                const char *cto,
+                const char *pto,
+                CGroupFlags flags) {
+
+        _cleanup_closedir_ DIR *d = NULL;
+        int r, ret = 0;
+        char *fn;
+
+        assert(cfrom);
+        assert(pfrom);
+        assert(cto);
+        assert(pto);
+
+        ret = cg_migrate(cfrom, pfrom, cto, pto, flags);
+
+        r = cg_enumerate_subgroups(cfrom, pfrom, &d);
+        if (r < 0) {
+                if (ret >= 0 && r != -ENOENT)
+                        return r;
+
+                return ret;
+        }
+
+        while ((r = cg_read_subgroup(d, &fn)) > 0) {
+                _cleanup_free_ char *p = NULL;
+
+                p = path_join(empty_to_root(pfrom), fn);
+                free(fn);
+                if (!p)
+                        return -ENOMEM;
+
+                r = cg_migrate_recursive(cfrom, p, cto, pto, flags);
+                if (r != 0 && ret >= 0)
+                        ret = r;
+        }
+
+        if (r < 0 && ret >= 0)
+                ret = r;
+
+        return ret;
+}
+
+int cg_migrate_recursive_fallback(
+                const char *cfrom,
+                const char *pfrom,
+                const char *cto,
+                const char *pto,
+                CGroupFlags flags) {
+
+        int r;
+
+        assert(cfrom);
+        assert(pfrom);
+        assert(cto);
+        assert(pto);
+
+        r = cg_migrate_recursive(cfrom, pfrom, cto, pto, flags);
+        if (r < 0) {
+                char prefix[strlen(pto) + 1];
+
+                /* This didn't work? Then let's try all prefixes of the destination */
+
+                PATH_FOREACH_PREFIX(prefix, pto) {
+                        int q;
+
+                        q = cg_migrate_recursive(cfrom, pfrom, cto, prefix, flags);
+                        if (q >= 0)
+                                return q;
+                }
+        }
+
+        return r;
+}
+
+int cg_migrate_v1_controllers(CGroupMask supported, CGroupMask mask, const char *from, cg_migrate_callback_t to_callback, void *userdata) {
+        CGroupController c;
+        CGroupMask done;
+        int r = 0, q;
+
+        assert(to_callback);
+
+        supported &= CGROUP_MASK_V1;
+        mask = CGROUP_MASK_EXTEND_JOINED(mask);
+        done = 0;
+
+        for (c = 0; c < _CGROUP_CONTROLLER_MAX; c++) {
+                CGroupMask bit = CGROUP_CONTROLLER_TO_MASK(c);
+                const char *to = NULL;
+
+                if (!FLAGS_SET(supported, bit))
+                        continue;
+
+                if (FLAGS_SET(done, bit))
+                        continue;
+
+                if (!FLAGS_SET(mask, bit))
+                        continue;
+
+                to = to_callback(bit, userdata);
+
+                /* Remember first error and try continuing */
+                q = cg_migrate_recursive_fallback(SYSTEMD_CGROUP_CONTROLLER, from, cgroup_controller_to_string(c), to, 0);
+                r = (r < 0) ? r : q;
+
+                done |= CGROUP_MASK_EXTEND_JOINED(bit);
+        }
+
+        return r;
+}
+
+int cg_trim_v1_controllers(CGroupMask supported, CGroupMask mask, const char *path, bool delete_root) {
+        CGroupController c;
+        CGroupMask done;
+        int r = 0, q;
+
+        supported &= CGROUP_MASK_V1;
+        mask = CGROUP_MASK_EXTEND_JOINED(mask);
+        done = 0;
+
+        for (c = 0; c < _CGROUP_CONTROLLER_MAX; c++) {
+                CGroupMask bit = CGROUP_CONTROLLER_TO_MASK(c);
+
+                if (!FLAGS_SET(supported, bit))
+                        continue;
+
+                if (FLAGS_SET(done, bit))
+                        continue;
+
+                if (FLAGS_SET(mask, bit)) {
+                        /* Remember first error and try continuing */
+                        q = cg_trim(cgroup_controller_to_string(c), path, delete_root);
+                        r = (r < 0) ? r : q;
+                }
+                done |= CGROUP_MASK_EXTEND_JOINED(bit);
+        }
+
+        return r;
+}
+
 int cg_has_legacy(void) {
         struct statfs fs;
 

src/shared/cgroup-setup.h

@@ -9,19 +9,33 @@
 
 int cg_weight_parse(const char *s, uint64_t *ret);
 int cg_cpu_weight_parse(const char *s, uint64_t *ret);
+int cg_cpu_shares_parse(const char *s, uint64_t *ret);
+int cg_blkio_weight_parse(const char *s, uint64_t *ret);
 
-int cg_trim(const char *path, bool delete_root);
+int cg_trim(const char *controller, const char *path, bool delete_root);
 
-int cg_create(const char *path);
+int cg_create(const char *controller, const char *path);
-int cg_attach(const char *path, pid_t pid);
+int cg_attach(const char *controller, const char *path, pid_t pid);
 int cg_fd_attach(int fd, pid_t pid);
-int cg_create_and_attach(const char *path, pid_t pid);
+int cg_attach_fallback(const char *controller, const char *path, pid_t pid);
+int cg_create_and_attach(const char *controller, const char *path, pid_t pid);
 
-int cg_set_access(const char *path, uid_t uid, gid_t gid);
+int cg_set_access(const char *controller, const char *path, uid_t uid, gid_t gid);
-int cg_set_access_recursive(const char *path, uid_t uid, gid_t gid);
+int cg_set_access_recursive(const char *controller, const char *path, uid_t uid, gid_t gid);
 
-int cg_enable(CGroupMask supported, CGroupMask mask, const char *p, CGroupMask *ret_result_mask);
+int cg_create_everywhere(CGroupMask supported, CGroupMask mask, const char *path);
+int cg_attach_everywhere(CGroupMask supported, const char *path, pid_t pid);
+int cg_trim_everywhere(CGroupMask supported, const char *path, bool delete_root);
+int cg_enable_everywhere(CGroupMask supported, CGroupMask mask, const char *p, CGroupMask *ret_result_mask);
 
-int cg_migrate(const char *from, const char *to, CGroupFlags flags);
+int cg_migrate(const char *cfrom, const char *pfrom, const char *cto, const char *pto, CGroupFlags flags);
+
+typedef const char* (*cg_migrate_callback_t)(CGroupMask mask, void *userdata);
+
+/* CGroup V1 specific */
+int cg_migrate_recursive(const char *cfrom, const char *pfrom, const char *cto, const char *pto, CGroupFlags flags);
+int cg_migrate_recursive_fallback(const char *cfrom, const char *pfrom, const char *cto, const char *pto, CGroupFlags flags);
+int cg_migrate_v1_controllers(CGroupMask supported, CGroupMask mask, const char *from, cg_migrate_callback_t to_callback, void *userdata);
+int cg_trim_v1_controllers(CGroupMask supported, CGroupMask mask, const char *path, bool delete_root);
 
 int cg_has_legacy(void);

src/shared/tests.c

@@ -306,7 +306,11 @@ static int enter_cgroup(char **ret_cgroup, bool enter_subroot) {
         /* If this fails, then we don't mind as the later cgroup operations will fail too, and it's fine if
          * we handle any errors at that point. */
 
-        r = cg_create_and_attach(cgroup_subroot, 0);
+        r = cg_create_everywhere(supported, _CGROUP_MASK_ALL, cgroup_subroot);
+        if (r < 0)
+                return r;
+
+        r = cg_attach_everywhere(supported, cgroup_subroot, 0);
         if (r < 0)
                 return r;
 

src/shutdown/shutdown.c

@@ -466,7 +466,7 @@ int main(int argc, char *argv[]) {
                 /* Let's trim the cgroup tree on each iteration so that we leave an empty cgroup tree around,
                  * so that container managers get a nice notify event when we are down */
                 if (cgroup)
-                        (void) cg_trim(cgroup, false);
+                        (void) cg_trim(SYSTEMD_CGROUP_CONTROLLER, cgroup, false);
 
                 if (need_umount) {
                         log_info("Unmounting file systems.");

src/test/test-bpf-devices.c

@@ -299,7 +299,8 @@ int main(int argc, char *argv[]) {
         ASSERT_OK(path_extract_directory(cgroup, &parent));
 
         ASSERT_OK(cg_mask_supported(&supported));
-        ASSERT_OK(cg_attach(parent, 0));
+        r = cg_attach_everywhere(supported, parent, 0);
+        ASSERT_OK(r);
 
         return 0;
 }

src/test/test-cgroup.c

@@ -63,32 +63,32 @@ TEST(cg_create) {
         log_info("Paths for test:\n%s\n%s", test_a, test_b);
 
         /* Possibly clean up left-overs from aboted previous runs */
-        (void) cg_trim(test_a, /* delete_root= */ true);
+        (void) cg_trim(SYSTEMD_CGROUP_CONTROLLER, test_a, /* delete_root= */ true);
-        (void) cg_trim(test_b, /* delete_root= */ true);
+        (void) cg_trim(SYSTEMD_CGROUP_CONTROLLER, test_b, /* delete_root= */ true);
 
-        r = cg_create(test_a);
+        r = cg_create(SYSTEMD_CGROUP_CONTROLLER, test_a);
         if (IN_SET(r, -EPERM, -EACCES, -EROFS)) {
                 log_info_errno(r, "Skipping %s: %m", __func__);
                 return;
         }
 
         ASSERT_OK_EQ(r, 1);
-        ASSERT_OK_ZERO(cg_create(test_a));
+        ASSERT_OK_ZERO(cg_create(SYSTEMD_CGROUP_CONTROLLER, test_a));
-        ASSERT_OK_EQ(cg_create(test_b), 1);
+        ASSERT_OK_EQ(cg_create(SYSTEMD_CGROUP_CONTROLLER, test_b), 1);
-        ASSERT_OK_EQ(cg_create(test_c), 1);
+        ASSERT_OK_EQ(cg_create(SYSTEMD_CGROUP_CONTROLLER, test_c), 1);
-        ASSERT_OK_ZERO(cg_create_and_attach(test_b, 0));
+        ASSERT_OK_ZERO(cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, test_b, 0));
 
         ASSERT_OK_ZERO(cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, getpid_cached(), &path));
         ASSERT_STREQ(path, test_b);
         free(path);
 
-        ASSERT_OK_ZERO(cg_attach(test_a, 0));
+        ASSERT_OK_ZERO(cg_attach(SYSTEMD_CGROUP_CONTROLLER, test_a, 0));
 
         ASSERT_OK_ZERO(cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, getpid_cached(), &path));
         ASSERT_TRUE(path_equal(path, test_a));
         free(path);
 
-        ASSERT_OK_EQ(cg_create_and_attach(test_d, 0), 1);
+        ASSERT_OK_EQ(cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, test_d, 0), 1);
 
         ASSERT_OK_ZERO(cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, getpid_cached(), &path));
         ASSERT_TRUE(path_equal(path, test_d));
@@ -114,8 +114,15 @@ TEST(cg_create) {
         ASSERT_OK_ZERO(cg_kill_recursive(test_a, 0, 0, NULL, NULL, NULL));
         ASSERT_OK_POSITIVE(cg_kill_recursive(test_b, 0, 0, NULL, NULL, NULL));
 
-        ASSERT_OK(cg_trim(test_a, true));
+        ASSERT_OK_POSITIVE(cg_migrate_recursive(SYSTEMD_CGROUP_CONTROLLER, test_b, SYSTEMD_CGROUP_CONTROLLER, test_a, 0));
-        ASSERT_ERROR(cg_trim(test_b, true), EBUSY);
+
+        ASSERT_OK_ZERO(cg_is_empty_recursive(SYSTEMD_CGROUP_CONTROLLER, test_a));
+        ASSERT_OK_POSITIVE(cg_is_empty_recursive(SYSTEMD_CGROUP_CONTROLLER, test_b));
+
+        ASSERT_OK_POSITIVE(cg_kill_recursive(test_a, 0, 0, NULL, NULL, NULL));
+        ASSERT_OK_ZERO(cg_kill_recursive(test_b, 0, 0, NULL, NULL, NULL));
+
+        ASSERT_OK(cg_trim(SYSTEMD_CGROUP_CONTROLLER, test_b, true));
 }
 
 TEST(id) {

test/test-network/conf/25-routing-policy-rule-test1.network

@@ -48,24 +48,6 @@ From=10.1.0.0/16
 Priority=104
 Table=12
 
-[RoutingPolicyRule]
-IncomingInterface=test1
-FirewallMark=0/1
-Priority=200
-Table=20
-
-[RoutingPolicyRule]
-IncomingInterface=test1
-FirewallMark=7/255
-Priority=201
-Table=21
-
-[RoutingPolicyRule]
-IncomingInterface=test1
-FirewallMark=9999
-Priority=202
-Table=22
-
 # The four routing policy rules below intentionally have the same config
 # excepts for their To= addresses. See issue #35874.
 [RoutingPolicyRule]

test/test-network/systemd-networkd-tests.py

@@ -3890,18 +3890,6 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities):
         print(output)
         self.assertIn('104:	from 10.1.0.0/16 iif test1 lookup 12 nop', output)
 
-        output = check_output('ip rule list iif test1 priority 200')
-        print(output)
-        self.assertIn('200:	from all fwmark 0/0x1 iif test1 lookup 20', output)
-
-        output = check_output('ip rule list iif test1 priority 201')
-        print(output)
-        self.assertIn('201:	from all fwmark 0x7/0xff iif test1 lookup 21', output)
-
-        output = check_output('ip rule list iif test1 priority 202')
-        print(output)
-        self.assertIn('202:	from all fwmark 0x270f iif test1 lookup 22', output)
-
         output = check_output('ip rule list to 192.0.2.0/26')
         print(output)
         self.assertIn('to 192.0.2.0/26 lookup 1001', output)

test/units/parent-deep.slice

@@ -3,4 +3,4 @@
 Description=Deeper Parent Slice
 
 [Slice]
-MemoryAccounting=yes
+MemoryLimit=3G

test/units/son.service

@@ -6,4 +6,4 @@ Description=Son Service
 Slice=parent.slice
 Type=oneshot
 ExecStart=true
-CPUWeight=100
+CPUShares=100

tools/elf2efi.py

@@ -611,9 +611,7 @@ def elf2efi(args: argparse.Namespace):
 
     coff.Machine = pe_arch
     coff.NumberOfSections = len(sections)
-    coff.TimeDateStamp = int(
+    coff.TimeDateStamp = int(sde if (sde := os.environ.get("SOURCE_DATE_EPOCH")) else time.time())
-        os.environ.get("SOURCE_DATE_EPOCH") if os.environ.get("SOURCE_DATE_EPOCH") else time.time()
-    )
     coff.SizeOfOptionalHeader = sizeof(opt)
     # EXECUTABLE_IMAGE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED|DEBUG_STRIPPED
     # and (32BIT_MACHINE or LARGE_ADDRESS_AWARE)