Merge 45ce3cf8e7 into b7eefa1996

cgroup-util: fix memory leak on error
CID#1565824 Follow-up for f6793bbcf0
2024-11-21 12:17:43 +01:00 · 2024-11-21 14:02:34 +09:00 · 2024-11-20 23:36:35 +00:00 · 2024-11-21 04:17:08 +09:00 · 2024-11-21 04:17:08 +09:00 · 2024-11-21 04:17:08 +09:00
66 changed files with 4070 additions and 403 deletions
--- a/14
+++ b/14
@ -129,6 +129,20 @@ Deprecations and removals:

 Features:

+* Teach systemd-ssh-generator to generated an /run/issue.d/ drop-in telling
+  users how to connect to the system via the AF_VSOCK, as per:
+  https://github.com/systemd/systemd/issues/35071#issuecomment-2462803142
+
+* maybe introduce an OSC sequence that signals when we ask for a password, so
+  that terminal emulators can maybe connect a password manager or so, and
+  highlight things specially.
+
+* Port pidref_namespace_open() to use PIDFD_GET_MNT_NAMESPACE and related
+  ioctls to get nsfds directly from pidfds.
+
+* start using STATX_SUBVOL in btrfs_is_subvol(). Also, make use of it
+  generically, so that image discovery recognizes bcachefs subvols too.
+
 * format-table: introduce new cell type for strings with ansi sequences in
  them. display them in regular output mode (via strip_tab_ansi()), but
  suppress them in json mode.
--- a/hwdb.d/60-sensor.hwdb
+++ b/hwdb.d/60-sensor.hwdb
@ -376,11 +376,12 @@ sensor:modalias:acpi:KIOX000A*:dmi:*:svncube:pni1-TF:*
 sensor:modalias:acpi:SMO8500*:dmi:*:svncube:pni7:*
 ACCEL_MOUNT_MATRIX=1, 0, 0; 0, -1, 0; 0, 0, 1

-# Cube i7 Stylus, i7 Stylus I8L Model, i7 Book (i16) and Mix Plus (i18B)
+# Cube i7 Stylus, i7 Stylus I8L Model, i7 Book (i16) and Mix Plus (i18B/i18D)
 sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni7Stylus:*
 sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni8-L:*
 sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni16:*
 sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni18B:*
+sensor:modalias:acpi:KIOX000A*:dmi:*:svnALLDOCUBE:pni18D:*
 ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1

 # Cube iWork 10 Flagship
--- a/man/kernel-command-line.xml
+++ b/man/kernel-command-line.xml
@ -421,7 +421,7 @@
        <term><varname>rd.systemd.verity=</varname></term>
        <term><varname>systemd.verity_root_data=</varname></term>
        <term><varname>systemd.verity_root_hash=</varname></term>
-        <term><varname>systemd.verity.root_options=</varname></term>
+        <term><varname>systemd.verity_root_options=</varname></term>
        <term><varname>usrhash=</varname></term>
        <term><varname>systemd.verity_usr_data=</varname></term>
        <term><varname>systemd.verity_usr_hash=</varname></term>
--- a/man/version-info.xml
+++ b/man/version-info.xml
@ -81,4 +81,7 @@
  <para id="v255">Added in version 255.</para>
  <para id="v256">Added in version 256.</para>
  <para id="v257">Added in version 257.</para>
+  <para id="v258">Added in version 258.</para>
+  <para id="v259">Added in version 259.</para>
+  <para id="v260">Added in version 260.</para>
 </refsect1>
--- a/mkosi.images/build/mkosi.build.chroot
+++ b/mkosi.images/build/mkosi.build.chroot
@ -0,0 +1,7 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [[ "$1" == "clangd" ]]; then
+    exec "$@"
+fi
--- a/mkosi.images/build/mkosi.conf.d/arch/mkosi.build.chroot
+++ b/mkosi.images/build/mkosi.conf.d/arch/mkosi.build.chroot
@ -2,10 +2,6 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -e

-if [[ "$1" == "clangd" ]]; then
-    exec "$@"
-fi
-
 if [[ ! -f "pkg/$PKG_SUBDIR/PKGBUILD" ]]; then
    echo "PKGBUILD not found at pkg/$PKG_SUBDIR/PKGBUILD, run mkosi once with -ff to make sure the PKGBUILD is cloned" >&2
    exit 1
--- a/mkosi.images/build/mkosi.conf.d/arch/mkosi.conf
+++ b/mkosi.images/build/mkosi.conf.d/arch/mkosi.conf
@ -7,7 +7,7 @@ Distribution=arch
 Environment=
        GIT_URL=https://gitlab.archlinux.org/archlinux/packaging/packages/systemd.git
        GIT_BRANCH=main
-        GIT_COMMIT=62c224b60ca150627be58ca2da50f47cc0a5793c
+        GIT_COMMIT=29a73017cd380cd8db070dbd560e229d523b3c79
        PKG_SUBDIR=arch

 [Content]
--- a/mkosi.images/build/mkosi.conf.d/centos-fedora/mkosi.conf
+++ b/mkosi.images/build/mkosi.conf.d/centos-fedora/mkosi.conf
@ -8,7 +8,7 @@ Distribution=|fedora
 Environment=
        GIT_URL=https://src.fedoraproject.org/rpms/systemd.git
        GIT_BRANCH=rawhide
-        GIT_COMMIT=e42eed4afd6267cd954d393d8eec79e0e7573de0
+        GIT_COMMIT=7bd1d09f7fd16d20a041de0eb9af7cc8dbef6a99
        PKG_SUBDIR=fedora

 [Content]
--- a/mkosi.images/build/mkosi.conf.d/debian-ubuntu/mkosi.conf
+++ b/mkosi.images/build/mkosi.conf.d/debian-ubuntu/mkosi.conf
@ -9,7 +9,7 @@ Environment=
        GIT_URL=https://salsa.debian.org/systemd-team/systemd.git
        GIT_SUBDIR=debian
        GIT_BRANCH=debian/master
-        GIT_COMMIT=48fabbd5d240a70fce6712b6161f29b40b2fc7de
+        GIT_COMMIT=51cd22f3684725a1b199012555e7378f2f468c16
        PKG_SUBDIR=debian

 [Content]
--- a/po/de.po
+++ b/po/de.po
@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-11-09 20:13+0000\n"
+"PO-Revision-Date: 2024-11-17 15:48+0000\n"
 "Last-Translator: Weblate Translation Memory <noreply-mt-weblate-translation-"
 "memory@weblate.org>\n"
 "Language-Team: German <https://translate.fedoraproject.org/projects/systemd/"
@ -187,9 +187,11 @@ msgstr ""
 "benötigte Speichermedium oder Dateisystem ein."

 #: src/home/pam_systemd_home.c:298
-#, fuzzy, c-format
+#, c-format
 msgid "Too frequent login attempts for user %s, try again later."
-msgstr "Zu häufige Loginversuche für %s. Bitte später erneut probieren."
+msgstr ""
+"Zu viele Anmeldeversuche für Benutzer %s, versuchen Sie es später noch "
+"einmal."

 #: src/home/pam_systemd_home.c:310
 msgid "Password: "
@ -1189,18 +1191,16 @@ msgid "Subscribe query results"
 msgstr "Abfrageergebnisse abonnieren"

 #: src/resolve/org.freedesktop.resolve1.policy:144
-#, fuzzy
 msgid "Authentication is required to subscribe query results."
-msgstr "Legitimierung ist zum Versetzen des Systems in Bereitschaft notwendig."
+msgstr "Legitimierung ist zum Abonnieren von Abfrageergebnissen erforderlich."

 #: src/resolve/org.freedesktop.resolve1.policy:154
 msgid "Dump cache"
 msgstr ""

 #: src/resolve/org.freedesktop.resolve1.policy:155
-#, fuzzy
 msgid "Authentication is required to dump cache."
-msgstr "Legitimierung ist zum Festlegen von Domains notwendig."
+msgstr ""

 #: src/resolve/org.freedesktop.resolve1.policy:165
 msgid "Dump server state"
@ -1248,20 +1248,21 @@ msgid "Install specific system version"
 msgstr "Spezifische Systemversion installieren"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:56
-#, fuzzy
 msgid ""
 "Authentication is required to update the system to a specific (possibly old) "
 "version."
-msgstr "Legitimierung ist zum Festlegen der Systemzeitzone notwendig."
+msgstr ""
+"Legitimierung ist zum Aktualisieren des Systems auf eine bestimmte ("
+"möglicherweise alte) Version erforderlich."

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:65
 msgid "Cleanup old system updates"
 msgstr "Alte Systemaktualisierungen bereinigen"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:66
-#, fuzzy
 msgid "Authentication is required to cleanup old system updates."
-msgstr "Legitimierung ist zum Festlegen der Systemzeit notwendig."
+msgstr ""
+"Legitimierung ist zum Bereinigen alter Systemaktualisierungen erforderlich."

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
@ -1269,11 +1270,8 @@ msgstr "Optionale Funktionen verwalten"

 # https://www.freedesktop.org/software/systemd/man/sd-login.html
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features"
-msgstr ""
-"Legitimierung ist zur Verwaltung aktiver Sitzungen, Benutzern und "
-"Arbeitsstationen notwendig."
+msgstr "Legitimierung ist zur Verwaltung optionaler Funktionen erforderlich"

 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
--- a/po/fi.po
+++ b/po/fi.po
@ -3,12 +3,13 @@
 # Finnish translation of systemd.
 # Jan Kuparinen <copper_fin@hotmail.com>, 2021, 2022, 2023.
 # Ricky Tigg <ricky.tigg@gmail.com>, 2022, 2024.
+# Jiri Grönroos <jiri.gronroos@iki.fi>, 2024.
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-09-12 13:43+0000\n"
-"Last-Translator: Ricky Tigg <ricky.tigg@gmail.com>\n"
+"PO-Revision-Date: 2024-11-20 19:13+0000\n"
+"Last-Translator: Jiri Grönroos <jiri.gronroos@iki.fi>\n"
 "Language-Team: Finnish <https://translate.fedoraproject.org/projects/systemd/"
 "main/fi/>\n"
 "Language: fi\n"
@ -16,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 5.7.2\n"
+"X-Generator: Weblate 5.8.2\n"

 #: src/core/org.freedesktop.systemd1.policy.in:22
 msgid "Send passphrase back to system"
@ -112,14 +113,12 @@ msgid "Authentication is required to update a user's home area."
 msgstr "Todennus vaaditaan käyttäjän kotialueen päivittämiseksi."

 #: src/home/org.freedesktop.home1.policy:53
-#, fuzzy
 msgid "Update your home area"
 msgstr "Päivitä kotialue"

 #: src/home/org.freedesktop.home1.policy:54
-#, fuzzy
 msgid "Authentication is required to update your home area."
-msgstr "Todennus vaaditaan käyttäjän kotialueen päivittämiseksi."
+msgstr "Todennus vaaditaan kotialueen päivittämiseksi."

 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@ -1174,14 +1173,11 @@ msgstr "Todennus vaaditaan vanhojen järjestelmäpäivitysten puhdistamiseen."

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr ""
+msgstr "Hallitse valinnaisia ominaisuuksia"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features"
-msgstr ""
-"Todennus vaaditaan aktiivisten istuntojen, käyttäjien ja paikkojen "
-"hallintaan."
+msgstr "Todennus vaaditaan valinnaisten ominaisuuksien hallintaan"

 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
--- a/po/fr.po
+++ b/po/fr.po
@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-11-07 09:30+0000\n"
+"PO-Revision-Date: 2024-11-20 19:13+0000\n"
 "Last-Translator: Léane GRASSER <leane.grasser@proton.me>\n"
 "Language-Team: French <https://translate.fedoraproject.org/projects/systemd/"
 "main/fr/>\n"
@ -360,8 +360,8 @@ msgid ""
 "Authentication is required to set the statically configured local hostname, "
 "as well as the pretty hostname."
 msgstr ""
-"Une authentification est requise pour définir le nom d'hôte local de manière "
-"statique, ainsi que le nom d'hôte familier."
+"Une authentification est requise pour définir le nom d'hôte local configuré "
+"de manière statique, ainsi que le nom d'hôte convivial."

 #: src/hostname/org.freedesktop.hostname1.policy:41
 msgid "Set machine information"
--- a/po/he.po
+++ b/po/he.po
@ -1,22 +1,22 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
-# Yaron Shahrabani <sh.yaron@gmail.com>, 2023.
+# Yaron Shahrabani <sh.yaron@gmail.com>, 2023, 2024.
 msgid ""
 msgstr ""
 "Project-Id-Version: systemd\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2023-11-22 00:01+0000\n"
+"PO-Revision-Date: 2024-11-19 07:38+0000\n"
 "Last-Translator: Yaron Shahrabani <sh.yaron@gmail.com>\n"
 "Language-Team: Hebrew <https://translate.fedoraproject.org/projects/systemd/"
-"master/he/>\n"
+"main/he/>\n"
 "Language: he\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=4; plural=(n == 1) ? 0 : ((n == 2) ? 1 : ((n > 10 && "
 "n % 10 == 0) ? 2 : 3));\n"
-"X-Generator: Weblate 5.2\n"
+"X-Generator: Weblate 5.8.2\n"

 #: src/core/org.freedesktop.systemd1.policy.in:22
 msgid "Send passphrase back to system"
@ -106,14 +106,12 @@ msgid "Authentication is required to update a user's home area."
 msgstr "נדרש אימות כדי לעדכן אזור בית למשתמש."

 #: src/home/org.freedesktop.home1.policy:53
-#, fuzzy
 msgid "Update your home area"
-msgstr "עדכון אזור בית"
+msgstr "עדכון אזור הבית שלך"

 #: src/home/org.freedesktop.home1.policy:54
-#, fuzzy
 msgid "Authentication is required to update your home area."
-msgstr "נדרש אימות כדי לעדכן אזור בית למשתמש."
+msgstr "נדרש אימות כדי לעדכן את אזור הבית שלך."

 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@ -133,14 +131,12 @@ msgid ""
 msgstr "נדרש אימות כדי להחליף סיסמה של אזור בית למשתמש."

 #: src/home/org.freedesktop.home1.policy:83
-#, fuzzy
 msgid "Activate a home area"
-msgstr "יצירת אזור בית"
+msgstr "הפעלת אזור בית"

 #: src/home/org.freedesktop.home1.policy:84
-#, fuzzy
 msgid "Authentication is required to activate a user's home area."
-msgstr "נדרש אימות כדי ליצור אזור בית למשתמש."
+msgstr "נדרש אימות כדי להפעיל אזור בית של משתמש."

 #: src/home/pam_systemd_home.c:293
 #, c-format
@ -351,46 +347,37 @@ msgid "Authentication is required to get system description."
 msgstr "נדרש אימות כדי למשוך את תיאור המערכת."

 #: src/import/org.freedesktop.import1.policy:22
-#, fuzzy
 msgid "Import a disk image"
-msgstr "לייבא מכונה וירטואלית או דמות של מכולה (container image)"
+msgstr "ייבוא דמות כונן"

 #: src/import/org.freedesktop.import1.policy:23
-#, fuzzy
 msgid "Authentication is required to import an image."
-msgstr ""
-"נדרש אימות כדי לייבא מכונה וירטואלית או דמות של מכולה (container image)"
+msgstr "נדרש אימות כדי לייבא דמות."

 #: src/import/org.freedesktop.import1.policy:32
-#, fuzzy
 msgid "Export a disk image"
-msgstr "ייצוא מכונה וירטואלית או דמות של מכולה (container image)"
+msgstr "ייצוא דמות כונן"

 #: src/import/org.freedesktop.import1.policy:33
-#, fuzzy
 msgid "Authentication is required to export disk image."
-msgstr ""
-"נדרש אימות כדי לייצא מכונה וירטואלית או דמות של מכולה (container image)"
+msgstr "נדרש אימות כדי לייצא דמות כונן."

 #: src/import/org.freedesktop.import1.policy:42
-#, fuzzy
 msgid "Download a disk image"
-msgstr "הורדת מכונה וירטואלית או דמות מכולה"
+msgstr "הורדת דמות כונן"

 #: src/import/org.freedesktop.import1.policy:43
-#, fuzzy
 msgid "Authentication is required to download a disk image."
-msgstr "נדרש אימות כדי להוריד מכונה וירטואלית או דמות מכולה"
+msgstr "נדרש אימות כדי להוריד דמות כונן."

 #: src/import/org.freedesktop.import1.policy:52
 msgid "Cancel transfer of a disk image"
-msgstr ""
+msgstr "ביטול העברה של דמות כונן"

 #: src/import/org.freedesktop.import1.policy:53
-#, fuzzy
 msgid ""
 "Authentication is required to cancel the ongoing transfer of a disk image."
-msgstr "נדרש אימות כדי להחליף סיסמה של אזור בית למשתמש."
+msgstr "נדרש אימות כדי לבטל העברה של דמות כונן שמתבצעת בזמן אמת."

 #: src/locale/org.freedesktop.locale1.policy:22
 msgid "Set system locale"
@ -732,9 +719,8 @@ msgid "Set a wall message"
 msgstr "הגדרת הודעת קיר"

 #: src/login/org.freedesktop.login1.policy:397
-#, fuzzy
 msgid "Authentication is required to set a wall message."
-msgstr "נדרש אימות כדי להגדיר הודעת קיר"
+msgstr "נדרש אימות כדי להגדיר הודעת קיר."

 #: src/login/org.freedesktop.login1.policy:406
 msgid "Change Session"
@ -804,16 +790,14 @@ msgstr ""
 "נדרש אימות כדי לנהל מכונות וירטואליות (VM) ומכולות (container) מקומיות."

 #: src/machine/org.freedesktop.machine1.policy:95
-#, fuzzy
 msgid "Create a local virtual machine or container"
-msgstr "ניהול מכונות וירטואליות ומכולות מקומיות"
+msgstr "יצירת מכונה וירטואלית או מכולה מקומיות"

 #: src/machine/org.freedesktop.machine1.policy:96
-#, fuzzy
 msgid ""
 "Authentication is required to create a local virtual machine or container."
 msgstr ""
-"נדרש אימות כדי לנהל מכונות וירטואליות (VM) ומכולות (container) מקומיות."
+"נדרש אימות כדי ליצור מכונות וירטואליות (VM) או מכולות (container) מקומיות."

 #: src/machine/org.freedesktop.machine1.policy:106
 msgid "Manage local virtual machine and container images"
@ -965,13 +949,13 @@ msgstr "נדרש אימות כדי להגדיר כרטיס רשת מחדש."

 #: src/network/org.freedesktop.network1.policy:187
 msgid "Specify whether persistent storage for systemd-networkd is available"
-msgstr ""
+msgstr "נא לציין האם יש אחסון קבוע זמין ל־systemd-networkd"

 #: src/network/org.freedesktop.network1.policy:188
 msgid ""
 "Authentication is required to specify whether persistent storage for systemd-"
 "networkd is available."
-msgstr ""
+msgstr "נדרש אימות כדי לציין האם אחסון קבוע זמין ל־systemd-networkd."

 #: src/portable/org.freedesktop.portable1.policy:13
 msgid "Inspect a portable service image"
@ -1004,18 +988,16 @@ msgid "Register a DNS-SD service"
 msgstr "רישום שירות DNS-SD"

 #: src/resolve/org.freedesktop.resolve1.policy:23
-#, fuzzy
 msgid "Authentication is required to register a DNS-SD service."
-msgstr "נדרש אימות כדי לרשום שירות DNS-SD"
+msgstr "נדרש אימות כדי לרשום שירות DNS-SD."

 #: src/resolve/org.freedesktop.resolve1.policy:33
 msgid "Unregister a DNS-SD service"
 msgstr "ביטול רישום שירות DNS-SD"

 #: src/resolve/org.freedesktop.resolve1.policy:34
-#, fuzzy
 msgid "Authentication is required to unregister a DNS-SD service."
-msgstr "נדרש אימות כדי לבטל רישום של שירות DNS-SD"
+msgstr "נדרש אימות כדי לבטל רישום של שירות DNS-SD."

 #: src/resolve/org.freedesktop.resolve1.policy:132
 msgid "Revert name resolution settings"
@ -1027,95 +1009,85 @@ msgstr "נדרש אימות כדי לאפס את הגדרות פתרון השמ

 #: src/resolve/org.freedesktop.resolve1.policy:143
 msgid "Subscribe query results"
-msgstr ""
+msgstr "רישום לתוצאות שאילתה"

 #: src/resolve/org.freedesktop.resolve1.policy:144
-#, fuzzy
 msgid "Authentication is required to subscribe query results."
-msgstr "נדרש אימות כדי להשהות את המערכת."
+msgstr "נדרש אימות כדי להירשם לתוצאות שאילתה."

 #: src/resolve/org.freedesktop.resolve1.policy:154
 msgid "Dump cache"
-msgstr ""
+msgstr "היטל המטמון"

 #: src/resolve/org.freedesktop.resolve1.policy:155
-#, fuzzy
 msgid "Authentication is required to dump cache."
-msgstr "נדרש אימות כדי להגדיר שמות תחום."
+msgstr "נדרש אימות כדי להטיל את המטמון."

 #: src/resolve/org.freedesktop.resolve1.policy:165
 msgid "Dump server state"
-msgstr ""
+msgstr "היטל מצב השרת"

 #: src/resolve/org.freedesktop.resolve1.policy:166
-#, fuzzy
 msgid "Authentication is required to dump server state."
-msgstr "נדרש אימות כדי להגדיר שרתי NTP."
+msgstr "נדרש אימות כדי להטיל את מצב השרת."

 #: src/resolve/org.freedesktop.resolve1.policy:176
 msgid "Dump statistics"
-msgstr ""
+msgstr "היטל סטטיסטיקה"

 #: src/resolve/org.freedesktop.resolve1.policy:177
-#, fuzzy
 msgid "Authentication is required to dump statistics."
-msgstr "נדרש אימות כדי להגדיר שמות תחום."
+msgstr "נדרש אימות כדי להטיל סטטיסטיקה."

 #: src/resolve/org.freedesktop.resolve1.policy:187
 msgid "Reset statistics"
-msgstr ""
+msgstr "איפוס סטטיסטיקה"

 #: src/resolve/org.freedesktop.resolve1.policy:188
-#, fuzzy
 msgid "Authentication is required to reset statistics."
-msgstr "נדרש אימות כדי לאפס הגדרות NTP."
+msgstr "נדרש אימות כדי לאפס סטטיסטיקה."

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:35
 msgid "Check for system updates"
-msgstr ""
+msgstr "חיפוש עדכוני מערכת"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:36
-#, fuzzy
 msgid "Authentication is required to check for system updates."
-msgstr "נדרש אימות כדי להגדיר את שעון המערכת."
+msgstr "נדרש אימות כדי לחפש עדכוני מערכת."

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:45
 msgid "Install system updates"
-msgstr ""
+msgstr "התקנת עדכוני מערכת"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:46
-#, fuzzy
 msgid "Authentication is required to install system updates."
-msgstr "נדרש אימות כדי להגדיר את שעון המערכת."
+msgstr "נדרש אימות כדי להתקין עדכוני מערכת."

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:55
 msgid "Install specific system version"
-msgstr ""
+msgstr "התקנת גרסת מערכת מסוימת"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:56
-#, fuzzy
 msgid ""
 "Authentication is required to update the system to a specific (possibly old) "
 "version."
-msgstr "נדרש אימות כדי להגדיר את אזור הזמן של המערכת."
+msgstr "נדרש אימות כדי לעדכן את המערכת לגרסה מסוימת (כנראה ישנה)."

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:65
 msgid "Cleanup old system updates"
-msgstr ""
+msgstr "ניקוי עדכוני מערכת ישנים"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:66
-#, fuzzy
 msgid "Authentication is required to cleanup old system updates."
-msgstr "נדרש אימות כדי להגדיר את שעון המערכת."
+msgstr "נדרש אימות כדי לנקות עדכוני מערכת ישנים."

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr ""
+msgstr "ניהול יכולות רשות"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features"
-msgstr "נדרש אימות כדי לנהל הפעלות, משתמשים ומושבים פעילים."
+msgstr "נדרש אימות כדי לנהל יכולות רשות"

 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
--- a/po/ja.po
+++ b/po/ja.po
@ -6,7 +6,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-11-06 14:42+0000\n"
+"POT-Creation-Date: 2024-11-18 12:55+0900\n"
 "PO-Revision-Date: 2021-09-09 03:04+0000\n"
 "Last-Translator: Takuro Onoue <kusanaginoturugi@gmail.com>\n"
 "Language-Team: Japanese <https://translate.fedoraproject.org/projects/"
@ -106,14 +106,12 @@ msgid "Authentication is required to update a user's home area."
 msgstr "ユーザのホーム領域の更新には認証が必要です。"

 #: src/home/org.freedesktop.home1.policy:53
-#, fuzzy
 msgid "Update your home area"
 msgstr "ホーム領域の更新"

 #: src/home/org.freedesktop.home1.policy:54
-#, fuzzy
 msgid "Authentication is required to update your home area."
-msgstr "ユーザのホーム領域の更新には認証が必要です。"
+msgstr "ホーム領域の更新には認証が必要です。"

 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@ -1120,12 +1118,11 @@ msgstr "過去のシステム更新を削除するには認証が必要です。

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr ""
+msgstr "任意の機能の管理"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features"
-msgstr "アクティブなセッションやユーザ，シートを管理するには認証が必要です。"
+msgstr "任意の機能を管理するには認証が必要です。"

 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
--- a/po/ru.po
+++ b/po/ru.po
@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-11-07 09:30+0000\n"
+"PO-Revision-Date: 2024-11-17 13:38+0000\n"
 "Last-Translator: \"Sergey A.\" <Ser82-png@yandex.ru>\n"
 "Language-Team: Russian <https://translate.fedoraproject.org/projects/systemd/"
 "main/ru/>\n"
@ -1280,7 +1280,7 @@ msgstr "Управление дополнительными функциями"
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
 msgid "Authentication is required to manage optional features"
 msgstr ""
-"Для управления дополнительными функциями необходимо пройти аутентификацию."
+"Для управления дополнительными функциями необходимо пройти аутентификацию"

 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
--- a/po/sl.po
+++ b/po/sl.po
@ -7,7 +7,7 @@ msgstr ""
 "Project-Id-Version: systemd\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-08-26 19:38+0000\n"
+"PO-Revision-Date: 2024-11-20 19:13+0000\n"
 "Last-Translator: Martin Srebotnjak <miles@filmsi.net>\n"
 "Language-Team: Slovenian <https://translate.fedoraproject.org/projects/"
 "systemd/main/sl/>\n"
@ -17,7 +17,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=4; plural=n%100==1 ? 0 : n%100==2 ? 1 : n%100==3 || "
 "n%100==4 ? 2 : 3;\n"
-"X-Generator: Weblate 5.7\n"
+"X-Generator: Weblate 5.8.2\n"

 #: src/core/org.freedesktop.systemd1.policy.in:22
 msgid "Send passphrase back to system"
@ -125,16 +125,13 @@ msgstr ""
 "območja."

 #: src/home/org.freedesktop.home1.policy:53
-#, fuzzy
 msgid "Update your home area"
 msgstr "Posodobite domače območje"

 #: src/home/org.freedesktop.home1.policy:54
-#, fuzzy
 msgid "Authentication is required to update your home area."
 msgstr ""
-"Preverjanje pristnosti je potrebno za posodobitev uporabnikovega domačega "
-"območja."
+"Preverjanje pristnosti je potrebno za posodobitev vašega domačega območja."

 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@ -1234,14 +1231,12 @@ msgstr ""

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr ""
+msgstr "Upravljaj dodatne funkcionalnosti"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features"
 msgstr ""
-"Preverjanje pristnosti je potrebno za upravljanje aktivnih sej, uporabnikov "
-"in delovišč."
+"Preverjanje pristnosti je potrebno za upravljanje dodatnih funkcionalnosti."

 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
--- a/po/uk.po
+++ b/po/uk.po
@ -4,12 +4,13 @@
 # Eugene Melnik <jeka7js@gmail.com>, 2014.
 # Daniel Korostil <ted.korostiled@gmail.com>, 2014, 2016, 2018.
 # Yuri Chornoivan <yurchor@ukr.net>, 2019, 2020, 2021, 2022, 2023, 2024.
+# Dmytro Markevych <hotr1pak@gmail.com>, 2024.
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-08-24 10:36+0000\n"
-"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
+"PO-Revision-Date: 2024-11-20 19:13+0000\n"
+"Last-Translator: Dmytro Markevych <hotr1pak@gmail.com>\n"
 "Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/"
 "systemd/main/uk/>\n"
 "Language: uk\n"
@ -18,7 +19,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && "
 "n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
-"X-Generator: Weblate 5.7\n"
+"X-Generator: Weblate 5.8.2\n"

 #: src/core/org.freedesktop.systemd1.policy.in:22
 msgid "Send passphrase back to system"
@ -118,14 +119,12 @@ msgid "Authentication is required to update a user's home area."
 msgstr "Для оновлення домашньої теки користувача слід пройти розпізнавання."

 #: src/home/org.freedesktop.home1.policy:53
-#, fuzzy
 msgid "Update your home area"
-msgstr "Оновлення домашньої теки"
+msgstr "Оновіть свій домашній простір"

 #: src/home/org.freedesktop.home1.policy:54
-#, fuzzy
 msgid "Authentication is required to update your home area."
-msgstr "Для оновлення домашньої теки користувача слід пройти розпізнавання."
+msgstr "Для оновлення домашньої області потрібна автентифікація."

 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@ -1212,14 +1211,11 @@ msgstr "Для вилучення застарілих оновлень сист

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr ""
+msgstr "Керування додатковими функціями"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features"
-msgstr ""
-"Для того, щоб керувати сеансами, користувачами і робочими місцями, слід "
-"пройти розпізнавання."
+msgstr "Для керування додатковими функціями потрібна автентифікація"

 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
--- a/src/basic/build.h
+++ b/src/basic/build.h
@ -1,6 +1,11 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once

+#include "macro.h"
+#include "version.h"
+
 extern const char* const systemd_features;

+#define PROJECT_VERSION_STR STRINGIFY(PROJECT_VERSION)
+
 int version(void);
--- a/src/basic/cgroup-util.c
+++ b/src/basic/cgroup-util.c
@ -799,16 +799,20 @@ int cg_pid_get_path(const char *controller, pid_t pid, char **ret_path) {
                                continue;
                }

-                char *path = strdup(e + 1);
+                _cleanup_free_ char *path = strdup(e + 1);
                if (!path)
                        return -ENOMEM;

+                /* Refuse cgroup paths from outside our cgroup namespace */
+                if (startswith(path, "/../"))
+                        return -EUNATCH;
+
                /* Truncate suffix indicating the process is a zombie */
                e = endswith(path, " (deleted)");
                if (e)
                        *e = 0;

-                *ret_path = path;
+                *ret_path = TAKE_PTR(path);
                return 0;
        }
 }
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@ -102,8 +102,8 @@ int pid_get_comm(pid_t pid, char **ret) {
        _cleanup_free_ char *escaped = NULL, *comm = NULL;
        int r;

-        assert(ret);
        assert(pid >= 0);
+        assert(ret);

        if (pid == 0 || pid == getpid_cached()) {
                comm = new0(char, TASK_COMM_LEN + 1); /* Must fit in 16 byte according to prctl(2) */
@ -143,6 +143,9 @@ int pidref_get_comm(const PidRef *pid, char **ret) {
        if (!pidref_is_set(pid))
                return -ESRCH;

+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
        r = pid_get_comm(pid->pid, &comm);
        if (r < 0)
                return r;
@ -289,6 +292,9 @@ int pidref_get_cmdline(const PidRef *pid, size_t max_columns, ProcessCmdlineFlag
        if (!pidref_is_set(pid))
                return -ESRCH;

+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
        r = pid_get_cmdline(pid->pid, max_columns, flags, &s);
        if (r < 0)
                return r;
@ -331,6 +337,9 @@ int pidref_get_cmdline_strv(const PidRef *pid, ProcessCmdlineFlags flags, char *
        if (!pidref_is_set(pid))
                return -ESRCH;

+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
        r = pid_get_cmdline_strv(pid->pid, flags, &args);
        if (r < 0)
                return r;
@ -477,6 +486,9 @@ int pidref_is_kernel_thread(const PidRef *pid) {
        if (!pidref_is_set(pid))
                return -ESRCH;

+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
        result = pid_is_kernel_thread(pid->pid);
        if (result < 0)
                return result;
@ -594,6 +606,9 @@ int pidref_get_uid(const PidRef *pid, uid_t *ret) {
        if (!pidref_is_set(pid))
                return -ESRCH;

+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
        r = pid_get_uid(pid->pid, &uid);
        if (r < 0)
                return r;
@ -794,6 +809,9 @@ int pidref_get_start_time(const PidRef *pid, usec_t *ret) {
        if (!pidref_is_set(pid))
                return -ESRCH;

+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
        r = pid_get_start_time(pid->pid, ret ? &t : NULL);
        if (r < 0)
                return r;
@ -1093,6 +1111,9 @@ int pidref_is_my_child(const PidRef *pid) {
        if (!pidref_is_set(pid))
                return -ESRCH;

+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
        result = pid_is_my_child(pid->pid);
        if (result < 0)
                return result;
@ -1128,6 +1149,9 @@ int pidref_is_unwaited(const PidRef *pid) {
        if (!pidref_is_set(pid))
                return -ESRCH;

+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
        if (pid->pid == 1 || pidref_is_self(pid))
                return true;

@ -1169,6 +1193,9 @@ int pidref_is_alive(const PidRef *pidref) {
        if (!pidref_is_set(pidref))
                return -ESRCH;

+        if (pidref_is_remote(pidref))
+                return -EREMOTE;
+
        result = pid_is_alive(pidref->pid);
        if (result < 0) {
                assert(result != -ESRCH);
--- a/src/basic/user-util.c
+++ b/src/basic/user-util.c
@ -220,9 +220,9 @@ static int synthesize_user_creds(
                if (ret_gid)
                        *ret_gid = GID_NOBODY;
                if (ret_home)
-                        *ret_home = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : "/";
+                        *ret_home = FLAGS_SET(flags, USER_CREDS_SUPPRESS_PLACEHOLDER) ? NULL : "/";
                if (ret_shell)
-                        *ret_shell = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : NOLOGIN;
+                        *ret_shell = FLAGS_SET(flags, USER_CREDS_SUPPRESS_PLACEHOLDER) ? NULL : NOLOGIN;

                return 0;
        }
@ -244,6 +244,7 @@ int get_user_creds(

        assert(username);
        assert(*username);
+        assert((ret_home || ret_shell) || !(flags & (USER_CREDS_SUPPRESS_PLACEHOLDER|USER_CREDS_CLEAN)));

        if (!FLAGS_SET(flags, USER_CREDS_PREFER_NSS) ||
            (!ret_home && !ret_shell)) {
@ -315,17 +316,14 @@ int get_user_creds(

        if (ret_home)
                /* Note: we don't insist on normalized paths, since there are setups that have /./ in the path */
-                *ret_home = (FLAGS_SET(flags, USER_CREDS_CLEAN) &&
-                             (empty_or_root(p->pw_dir) ||
-                              !path_is_valid(p->pw_dir) ||
-                              !path_is_absolute(p->pw_dir))) ? NULL : p->pw_dir;
+                *ret_home = (FLAGS_SET(flags, USER_CREDS_SUPPRESS_PLACEHOLDER) && empty_or_root(p->pw_dir)) ||
+                            (FLAGS_SET(flags, USER_CREDS_CLEAN) && (!path_is_valid(p->pw_dir) || !path_is_absolute(p->pw_dir)))
+                            ? NULL : p->pw_dir;

        if (ret_shell)
-                *ret_shell = (FLAGS_SET(flags, USER_CREDS_CLEAN) &&
-                              (isempty(p->pw_shell) ||
-                               !path_is_valid(p->pw_shell) ||
-                               !path_is_absolute(p->pw_shell) ||
-                               is_nologin_shell(p->pw_shell))) ? NULL : p->pw_shell;
+                *ret_shell = (FLAGS_SET(flags, USER_CREDS_SUPPRESS_PLACEHOLDER) && shell_is_placeholder(p->pw_shell)) ||
+                             (FLAGS_SET(flags, USER_CREDS_CLEAN) && (!path_is_valid(p->pw_shell) || !path_is_absolute(p->pw_shell)))
+                             ? NULL : p->pw_shell;

        if (patch_username)
                *username = p->pw_name;
--- a/src/basic/user-util.h
+++ b/src/basic/user-util.h
@ -12,6 +12,8 @@
 #include <sys/types.h>
 #include <unistd.h>

+#include "string-util.h"
+
 /* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details how this range fits into the rest of the world */
 #define HOME_UID_MIN ((uid_t) 60001)
 #define HOME_UID_MAX ((uid_t) 60513)
@ -36,10 +38,20 @@ static inline int parse_gid(const char *s, gid_t *ret_gid) {
 char* getlogname_malloc(void);
 char* getusername_malloc(void);

+const char* default_root_shell_at(int rfd);
+const char* default_root_shell(const char *root);
+
+bool is_nologin_shell(const char *shell);
+
+static inline bool shell_is_placeholder(const char *shell) {
+        return isempty(shell) || is_nologin_shell(shell);
+}
+
 typedef enum UserCredsFlags {
-        USER_CREDS_PREFER_NSS    = 1 << 0,  /* if set, only synthesize user records if database lacks them. Normally we bypass the userdb entirely for the records we can synthesize */
-        USER_CREDS_ALLOW_MISSING = 1 << 1,  /* if a numeric UID string is resolved, be OK if there's no record for it */
-        USER_CREDS_CLEAN         = 1 << 2,  /* try to clean up shell and home fields with invalid data */
+        USER_CREDS_PREFER_NSS           = 1 << 0,  /* if set, only synthesize user records if database lacks them. Normally we bypass the userdb entirely for the records we can synthesize */
+        USER_CREDS_ALLOW_MISSING        = 1 << 1,  /* if a numeric UID string is resolved, be OK if there's no record for it */
+        USER_CREDS_CLEAN                = 1 << 2,  /* try to clean up shell and home fields with invalid data */
+        USER_CREDS_SUPPRESS_PLACEHOLDER = 1 << 3,  /* suppress home and/or shell fields if value is placeholder (root/empty/nologin) */
 } UserCredsFlags;

 int get_user_creds(const char **username, uid_t *ret_uid, gid_t *ret_gid, const char **ret_home, const char **ret_shell, UserCredsFlags flags);
@ -125,10 +137,6 @@ int fgetsgent_sane(FILE *stream, struct sgrp **sg);
 int putsgent_sane(const struct sgrp *sg, FILE *stream);
 #endif

-bool is_nologin_shell(const char *shell);
-const char* default_root_shell_at(int rfd);
-const char* default_root_shell(const char *root);
-
 int is_this_me(const char *username);

 const char* get_home_root(void);
--- a/src/core/core-varlink.c
+++ b/src/core/core-varlink.c
@ -3,13 +3,18 @@
 #include "sd-varlink.h"

 #include "core-varlink.h"
+#include "format-util.h"
 #include "json-util.h"
+#include "manager-json.h"
 #include "mkdir-label.h"
 #include "strv.h"
+#include "unit-json.h"
 #include "user-util.h"
 #include "varlink-internal.h"
+#include "varlink-serialize.h"
 #include "varlink-io.systemd.UserDatabase.h"
 #include "varlink-io.systemd.ManagedOOM.h"
+#include "varlink-io.systemd.Manager.h"
 #include "varlink-util.h"

 typedef struct LookupParameters {
@ -22,6 +27,11 @@ typedef struct LookupParameters {
        const char *service;
 } LookupParameters;

+typedef struct DescribeUnitsParameters {
+        char **states;
+        char **patterns;
+} DescribeUnitsParameters;
+
 static const char* const managed_oom_mode_properties[] = {
        "ManagedOOMSwap",
        "ManagedOOMMemoryPressure",
@ -560,6 +570,139 @@ static int vl_method_get_memberships(sd_varlink *link, sd_json_variant *paramete
        return sd_varlink_error(link, "io.systemd.UserDatabase.NoRecordFound", NULL);
 }

+static int vl_method_describe(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
+        _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
+        Manager *manager = ASSERT_PTR(userdata);
+        int r;
+
+        assert(parameters);
+
+        if (sd_json_variant_elements(parameters) > 0)
+                return sd_varlink_error_invalid_parameter(link, parameters);
+
+        r = manager_build_json(manager, &v);
+        if (r < 0)
+                return log_error_errno(r, "Failed to build manager JSON data: %m");
+
+        return sd_varlink_reply(link, v);
+}
+
+static int vl_method_list_units(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
+
+        static const sd_json_dispatch_field dispatch_table[] = {
+                { "states", SD_JSON_VARIANT_ARRAY, sd_json_dispatch_strv, offsetof(DescribeUnitsParameters, states), SD_JSON_STRICT },
+                { "patterns", SD_JSON_VARIANT_ARRAY, sd_json_dispatch_const_string, offsetof(DescribeUnitsParameters, patterns),  SD_JSON_STRICT },
+                {},
+        };
+
+        Manager *m = ASSERT_PTR(userdata);
+        DescribeUnitsParameters p = {};
+        const char *k;
+        Unit *u;
+        int r;
+
+        assert(parameters);
+
+        if (sd_json_variant_elements(parameters) > 0)
+                return sd_varlink_error_invalid_parameter(link, parameters);
+
+        if (!FLAGS_SET(flags, SD_VARLINK_METHOD_MORE))
+                return sd_varlink_error(link, SD_VARLINK_ERROR_EXPECTED_MORE, NULL);
+
+        r = sd_varlink_dispatch(link, parameters, dispatch_table, &p);
+        if (r != 0)
+                return r;
+
+        _cleanup_(sd_json_variant_unrefp) sd_json_variant *previous = NULL;
+        HASHMAP_FOREACH_KEY(u, k, m->units) {
+                if (k != u->id)
+                        continue;
+
+                if (unit_is_filtered(u, p.states, p.patterns))
+                        continue;
+
+                if (previous) {
+                        r = sd_varlink_notifybo(link, SD_JSON_BUILD_PAIR_VARIANT("unit", previous));
+                        if (r < 0)
+                                return r;
+
+                        previous = sd_json_variant_unref(previous);
+                }
+
+                r = unit_build_json(u, &previous);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to build unit JSON data: %m");
+        }
+
+        if (!previous)
+                return sd_varlink_error(link, "io.systemd.Manager.NoSuchUnit", NULL);
+
+        return sd_varlink_replybo(link, SD_JSON_BUILD_PAIR_VARIANT("unit", previous));
+}
+
+static int vl_method_list_jobs(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
+
+        struct p {
+                uint32_t id;
+        } p = {
+                .id = 0,
+        };
+
+        static const sd_json_dispatch_field dispatch_table[] = {
+                { "id", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uint32, offsetof(struct p, id), 0 },
+                {},
+        };
+
+        Manager *m = ASSERT_PTR(userdata);
+        Job *j;
+        int r;
+
+        assert(link);
+        assert(parameters);
+
+        r = sd_varlink_dispatch(link, parameters, dispatch_table, &p);
+        if (r != 0)
+                return r;
+
+        if (p.id > 0) {
+                _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
+
+                j = hashmap_get(m->jobs, UINT_TO_PTR(p.id));
+                if (!j)
+                        return sd_varlink_error(link, "io.systemd.Manager.NoSuchJob", NULL);
+
+                r = job_build_json(j, &v);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to build job JSON data: %m");
+
+                return sd_varlink_reply(link, v);
+
+        }
+
+        if (!FLAGS_SET(flags, SD_VARLINK_METHOD_MORE))
+                return sd_varlink_error(link, SD_VARLINK_ERROR_EXPECTED_MORE, NULL);
+
+        _cleanup_(sd_json_variant_unrefp) sd_json_variant *previous = NULL;
+        HASHMAP_FOREACH(j, m->jobs) {
+                if (previous) {
+                        r = sd_varlink_notify(link, previous);
+                        if (r < 0)
+                                return r;
+
+                        previous = sd_json_variant_unref(previous);
+                }
+
+                r = job_build_json(j, &previous);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to build job JSON data: %m");
+        }
+
+        if (!previous)
+                return sd_varlink_error(link, "io.systemd.Manager.NoSuchJob", NULL);
+
+        return sd_varlink_reply(link, previous);
+}
+
 static void vl_disconnect(sd_varlink_server *s, sd_varlink *link, void *userdata) {
        Manager *m = ASSERT_PTR(userdata);

@ -579,34 +722,49 @@ int manager_setup_varlink_server(Manager *m) {
        if (m->varlink_server)
                return 0;

-        if (!MANAGER_IS_SYSTEM(m))
-                return -EINVAL;
+        sd_varlink_server_flags_t flags = SD_VARLINK_SERVER_INHERIT_USERDATA;
+        if (MANAGER_IS_SYSTEM(m))
+                flags |= SD_VARLINK_SERVER_ACCOUNT_UID;

-        r = sd_varlink_server_new(&s, SD_VARLINK_SERVER_ACCOUNT_UID|SD_VARLINK_SERVER_INHERIT_USERDATA);
+        r = sd_varlink_server_new(&s, flags);
        if (r < 0)
                return log_debug_errno(r, "Failed to allocate varlink server object: %m");

        sd_varlink_server_set_userdata(s, m);

-        r = sd_varlink_server_add_interface_many(
-                        s,
-                        &vl_interface_io_systemd_UserDatabase,
-                        &vl_interface_io_systemd_ManagedOOM);
+        r = sd_varlink_server_add_interface_many(s, &vl_interface_io_systemd_Manager);
        if (r < 0)
                return log_debug_errno(r, "Failed to add interfaces to varlink server: %m");

        r = sd_varlink_server_bind_method_many(
                        s,
-                        "io.systemd.UserDatabase.GetUserRecord",  vl_method_get_user_record,
-                        "io.systemd.UserDatabase.GetGroupRecord", vl_method_get_group_record,
-                        "io.systemd.UserDatabase.GetMemberships", vl_method_get_memberships,
-                        "io.systemd.ManagedOOM.SubscribeManagedOOMCGroups", vl_method_subscribe_managed_oom_cgroups);
+                        "io.systemd.Manager.Describe",  vl_method_describe,
+                        "io.systemd.Manager.ListUnits", vl_method_list_units,
+                        "io.systemd.Manager.ListJobs",  vl_method_list_jobs);
        if (r < 0)
                return log_debug_errno(r, "Failed to register varlink methods: %m");

-        r = sd_varlink_server_bind_disconnect(s, vl_disconnect);
-        if (r < 0)
-                return log_debug_errno(r, "Failed to register varlink disconnect handler: %m");
+        if (MANAGER_IS_SYSTEM(m)) {
+                r = sd_varlink_server_add_interface_many(
+                                s,
+                                &vl_interface_io_systemd_UserDatabase,
+                                &vl_interface_io_systemd_ManagedOOM);
+                if (r < 0)
+                        return log_debug_errno(r, "Failed to add interfaces to varlink server: %m");
+
+                r = sd_varlink_server_bind_method_many(
+                                s,
+                                "io.systemd.UserDatabase.GetUserRecord",  vl_method_get_user_record,
+                                "io.systemd.UserDatabase.GetGroupRecord", vl_method_get_group_record,
+                                "io.systemd.UserDatabase.GetMemberships", vl_method_get_memberships,
+                                "io.systemd.ManagedOOM.SubscribeManagedOOMCGroups", vl_method_subscribe_managed_oom_cgroups);
+                if (r < 0)
+                        return log_debug_errno(r, "Failed to register varlink methods: %m");
+
+                r = sd_varlink_server_bind_disconnect(s, vl_disconnect);
+                if (r < 0)
+                        return log_debug_errno(r, "Failed to register varlink disconnect handler: %m");
+        }

        r = sd_varlink_server_attach_event(s, m->event, EVENT_PRIORITY_IPC);
        if (r < 0)
@ -632,20 +790,13 @@ static int manager_varlink_init_system(Manager *m) {
        if (!MANAGER_IS_TEST_RUN(m)) {
                (void) mkdir_p_label("/run/systemd/userdb", 0755);

-                FOREACH_STRING(address, "/run/systemd/userdb/io.systemd.DynamicUser", VARLINK_ADDR_PATH_MANAGED_OOM_SYSTEM) {
-                        if (!fresh) {
-                                /* We might have got sockets through deserialization. Do not bind to them twice. */
-
-                                bool found = false;
-                                LIST_FOREACH(sockets, ss, m->varlink_server->sockets)
-                                        if (path_equal(ss->address, address)) {
-                                                found = true;
-                                                break;
-                                        }
-
-                                if (found)
-                                        continue;
-                        }
+                FOREACH_STRING(address,
+                               "/run/systemd/userdb/io.systemd.DynamicUser",
+                               VARLINK_ADDR_PATH_MANAGED_OOM_SYSTEM,
+                               "/run/systemd/io.systemd.Manager") {
+                        /* We might have got sockets through deserialization. Do not bind to them twice. */
+                        if (!fresh && varlink_server_contains_socket(m->varlink_server, address))
+                                continue;

                        r = sd_varlink_server_listen_address(m->varlink_server, address, 0666);
                        if (r < 0)
@ -657,6 +808,9 @@ static int manager_varlink_init_system(Manager *m) {
 }

 static int manager_varlink_init_user(Manager *m) {
+        _cleanup_free_ char *address = NULL;
+        int r;
+
        assert(m);

        if (!MANAGER_IS_USER(m))
@ -665,6 +819,22 @@ static int manager_varlink_init_user(Manager *m) {
        if (MANAGER_IS_TEST_RUN(m))
                return 0;

+        r = manager_setup_varlink_server(m);
+        if (r < 0)
+                return log_error_errno(r, "Failed to set up varlink server: %m");
+        bool fresh = r > 0;
+
+        address = path_join(m->prefix[EXEC_DIRECTORY_RUNTIME], "systemd/io.systemd.Manager");
+        if (!address)
+                return -ENOMEM;
+
+        /* We might have got sockets through deserialization. Do not bind to them twice. */
+        if (fresh || !varlink_server_contains_socket(m->varlink_server, address)) {
+                r = sd_varlink_server_listen_address(m->varlink_server, address, 0666);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to bind to varlink socket '%s': %m", address);
+        }
+
        return manager_varlink_managed_oom_connect(m);
 }

--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@ -855,9 +855,6 @@ static int get_fixed_user(
        assert(user_or_uid);
        assert(ret_username);

-        /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
-         * (i.e. are "/" or "/bin/nologin"). */
-
        r = get_user_creds(&user_or_uid, ret_uid, ret_gid, ret_home, ret_shell, USER_CREDS_CLEAN);
        if (r < 0)
                return r;
@ -1883,7 +1880,10 @@ static int build_environment(
                }
        }

-        if (home && set_user_login_env) {
+        /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
+         * (i.e. are "/" or "/bin/nologin"). */
+
+        if (home && set_user_login_env && !empty_or_root(home)) {
                x = strjoin("HOME=", home);
                if (!x)
                        return -ENOMEM;
@ -1892,7 +1892,7 @@ static int build_environment(
                our_env[n_env++] = x;
        }

-        if (shell && set_user_login_env) {
+        if (shell && set_user_login_env && !shell_is_placeholder(shell)) {
                x = strjoin("SHELL=", shell);
                if (!x)
                        return -ENOMEM;
@ -3471,20 +3471,16 @@ static int apply_working_directory(
                const ExecContext *context,
                const ExecParameters *params,
                ExecRuntime *runtime,
-                const char *home,
-                int *exit_status) {
+                const char *home) {

        const char *wd;
        int r;

        assert(context);
-        assert(exit_status);

        if (context->working_directory_home) {
-                if (!home) {
-                        *exit_status = EXIT_CHDIR;
+                if (!home)
                        return -ENXIO;
-                }

                wd = home;
        } else
@ -3503,13 +3499,7 @@ static int apply_working_directory(
                if (r >= 0)
                        r = RET_NERRNO(fchdir(dfd));
        }
-
-        if (r < 0 && !context->working_directory_missing_ok) {
-                *exit_status = EXIT_CHDIR;
-                return r;
-        }
-
-        return 0;
+        return context->working_directory_missing_ok ? 0 : r;
 }

 static int apply_root_directory(
@ -3785,7 +3775,7 @@ static int acquire_home(const ExecContext *c, const char **home, char **ret_buf)
        if (!c->working_directory_home)
                return 0;

-        if (c->dynamic_user)
+        if (c->dynamic_user || (c->user && is_this_me(c->user) <= 0))
                return -EADDRNOTAVAIL;

        r = get_home_dir(ret_buf);
@ -4543,7 +4533,7 @@ int exec_invoke(
        r = acquire_home(context, &home, &home_buffer);
        if (r < 0) {
                *exit_status = EXIT_CHDIR;
-                return log_exec_error_errno(context, params, r, "Failed to determine $HOME for user: %m");
+                return log_exec_error_errno(context, params, r, "Failed to determine $HOME for the invoking user: %m");
        }

        /* If a socket is connected to STDIN/STDOUT/STDERR, we must drop O_NONBLOCK */
@ -5382,9 +5372,11 @@ int exec_invoke(
         * running this service might have the correct privilege to change to the working directory. Also, it
         * is absolutely 💣 crucial 💣 we applied all mount namespacing rearrangements before this, so that
         * the cwd cannot be used to pin directories outside of the sandbox. */
-        r = apply_working_directory(context, params, runtime, home, exit_status);
-        if (r < 0)
+        r = apply_working_directory(context, params, runtime, home);
+        if (r < 0) {
+                *exit_status = EXIT_CHDIR;
                return log_exec_error_errno(context, params, r, "Changing to the requested working directory failed: %m");
+        }

        if (needs_sandboxing) {
                /* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
--- a/src/core/job.c
+++ b/src/core/job.c
@ -14,6 +14,7 @@
 #include "escape.h"
 #include "fileio.h"
 #include "job.h"
+#include "json-util.h"
 #include "log.h"
 #include "macro.h"
 #include "parse-util.h"
@ -1347,6 +1348,39 @@ int job_deserialize(Job *j, FILE *f) {
        return 0;
 }

+int activation_details_build_json(sd_json_variant **ret, const char *name, void *userdata) {
+        _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
+        _cleanup_strv_free_ char **pairs = NULL;
+        ActivationDetails *activation_details = userdata;
+        int r;
+
+        assert(ret);
+
+        r = activation_details_append_pair(activation_details, &pairs);
+        if (r < 0)
+                return r;
+
+        STRV_FOREACH_PAIR(key, value, pairs) {
+                r = sd_json_variant_set_field_string(&v, *key, *value);
+                if (r < 0)
+                        return r;
+        }
+
+        *ret = TAKE_PTR(v);
+        return 0;
+}
+
+int job_build_json(Job *job, sd_json_variant **ret) {
+        assert(job);
+
+        return sd_json_buildo(ret,
+                        SD_JSON_BUILD_PAIR_UNSIGNED("id", job->id),
+                        SD_JSON_BUILD_PAIR_STRING("unit", job->unit->id),
+                        SD_JSON_BUILD_PAIR_STRING("jobType", job_type_to_string(job->type)),
+                        SD_JSON_BUILD_PAIR_STRING("state", job_state_to_string(job->state)),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("activationDetails", activation_details_build_json, job->activation_details));
+}
+
 int job_coldplug(Job *j) {
        int r;
        usec_t timeout_time = USEC_INFINITY;
--- a/src/core/job.h
+++ b/src/core/job.h
@ -5,6 +5,7 @@

 #include "sd-bus.h"
 #include "sd-event.h"
+#include "sd-json.h"

 #include "list.h"
 #include "unit-dependency-atom.h"
@ -185,6 +186,8 @@ void job_uninstall(Job *j);
 void job_dump(Job *j, FILE *f, const char *prefix);
 int job_serialize(Job *j, FILE *f);
 int job_deserialize(Job *j, FILE *f);
+int activation_details_build_json(sd_json_variant **ret, const char *name, void *userdata);
+int job_build_json(Job *job, sd_json_variant **ret);
 int job_coldplug(Job *j);

 JobDependency* job_dependency_new(Job *subject, Job *object, bool matters, bool conflicts);
--- a/src/core/manager-json.c
+++ b/src/core/manager-json.c
@ -0,0 +1,181 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <sys/prctl.h>
+
+#include "build.h"
+#include "confidential-virt.h"
+#include "json-util.h"
+#include "manager-json.h"
+#include "manager.h"
+#include "rlimit-util.h"
+#include "syslog-util.h"
+#include "taint.h"
+#include "version.h"
+#include "virt.h"
+#include "watchdog.h"
+
+int rlimit_build_json(sd_json_variant **ret, const char *name, void *userdata) {
+        struct rlimit *rl = userdata, buf = {};
+
+        assert(name);
+        assert(ret);
+
+        if (rl)
+                buf = *rl;
+        else {
+                const char *p;
+                int z;
+
+                /* Skip over any prefix, such as "Default" */
+                assert_se(p = strstrafter(name, "Limit"));
+
+                z = rlimit_from_string(p);
+                assert(z >= 0);
+
+                (void) getrlimit(z, &buf);
+        }
+
+        if (buf.rlim_cur == RLIM_INFINITY && buf.rlim_max == RLIM_INFINITY)
+                return 0;
+
+        /* rlim_t might have different sizes, let's map RLIMIT_INFINITY to UINT64_MAX, so that it is the same
+         * on all archs */
+        return sd_json_buildo(ret,
+                        JSON_BUILD_PAIR_UNSIGNED_NOT_EQUAL("soft", buf.rlim_cur, RLIM_INFINITY),
+                        JSON_BUILD_PAIR_UNSIGNED_NOT_EQUAL("hard", buf.rlim_max, RLIM_INFINITY));
+}
+
+static int manager_context_build_json(sd_json_variant **ret, const char *name, void *userdata) {
+        Manager *m = ASSERT_PTR(userdata);
+
+        return sd_json_buildo(ASSERT_PTR(ret),
+                        SD_JSON_BUILD_PAIR_STRING("Version", GIT_VERSION),
+                        SD_JSON_BUILD_PAIR_STRING("Features", systemd_features),
+                        SD_JSON_BUILD_PAIR_BOOLEAN("ShowStatus", manager_get_show_status_on(m)),
+                        SD_JSON_BUILD_PAIR_STRV("UnitPath", m->lookup_paths.search_path),
+                        SD_JSON_BUILD_PAIR_INTEGER("LogLevel", m->log_level_overridden ? m->original_log_level : log_get_max_level()),
+                        SD_JSON_BUILD_PAIR_STRING("LogTarget", log_target_to_string(m->log_target_overridden ? m->original_log_target : log_get_target())),
+                        JSON_BUILD_PAIR_STRV_NON_EMPTY("Environment", m->transient_environment),
+                        SD_JSON_BUILD_PAIR_STRING("DefaultStandardOutput", exec_output_to_string(m->defaults.std_output)),
+                        SD_JSON_BUILD_PAIR_STRING("DefaultStandardError", exec_output_to_string(m->defaults.std_error)),
+                        JSON_BUILD_PAIR_FINITE_USEC("RuntimeWatchdogUSec", manager_get_watchdog(m, WATCHDOG_RUNTIME)),
+                        JSON_BUILD_PAIR_FINITE_USEC("RuntimeWatchdogPreUSec", manager_get_watchdog(m, WATCHDOG_PRETIMEOUT)),
+                        JSON_BUILD_PAIR_STRING_NON_EMPTY("RuntimeWatchdogPreGovernor", m->watchdog_pretimeout_governor),
+                        JSON_BUILD_PAIR_FINITE_USEC("RebootWatchdogUSec", manager_get_watchdog(m, WATCHDOG_REBOOT)),
+                        JSON_BUILD_PAIR_FINITE_USEC("KExecWatchdogUSec", manager_get_watchdog(m, WATCHDOG_KEXEC)),
+                        SD_JSON_BUILD_PAIR_BOOLEAN("ServiceWatchdogs", m->service_watchdogs),
+                        JSON_BUILD_PAIR_FINITE_USEC("DefaultTimerAccuracyUSec", m->defaults.timer_accuracy_usec),
+                        JSON_BUILD_PAIR_FINITE_USEC("DefaultTimeoutStartUSec", m->defaults.timeout_start_usec),
+                        JSON_BUILD_PAIR_FINITE_USEC("DefaultTimeoutStopUSec", m->defaults.timeout_stop_usec),
+                        JSON_BUILD_PAIR_FINITE_USEC("DefaultTimeoutAbortUSec", manager_default_timeout_abort_usec(m)),
+                        JSON_BUILD_PAIR_FINITE_USEC("DefaultDeviceTimeoutUSec", m->defaults.device_timeout_usec),
+                        JSON_BUILD_PAIR_FINITE_USEC("DefaultRestartUSec", m->defaults.restart_usec),
+                        JSON_BUILD_PAIR_RATELIMIT("DefaultStartLimit", &m->defaults.start_limit),
+                        SD_JSON_BUILD_PAIR_BOOLEAN("DefaultCPUAccounting", m->defaults.cpu_accounting),
+                        SD_JSON_BUILD_PAIR_BOOLEAN("DefaultBlockIOAccounting", m->defaults.blockio_accounting),
+                        SD_JSON_BUILD_PAIR_BOOLEAN("DefaultIOAccounting", m->defaults.io_accounting),
+                        SD_JSON_BUILD_PAIR_BOOLEAN("DefaultIPAccounting", m->defaults.ip_accounting),
+                        SD_JSON_BUILD_PAIR_BOOLEAN("DefaultMemoryAccounting", m->defaults.memory_accounting),
+                        SD_JSON_BUILD_PAIR_BOOLEAN("DefaultTasksAccounting", m->defaults.tasks_accounting),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("DefaultLimitCPU", rlimit_build_json, m->defaults.rlimit[RLIMIT_CPU]),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("DefaultLimitFSIZE", rlimit_build_json, m->defaults.rlimit[RLIMIT_FSIZE]),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("DefaultLimitDATA", rlimit_build_json, m->defaults.rlimit[RLIMIT_DATA]),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("DefaultLimitSTACK", rlimit_build_json, m->defaults.rlimit[RLIMIT_STACK]),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("DefaultLimitCORE", rlimit_build_json, m->defaults.rlimit[RLIMIT_CORE]),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("DefaultLimitRSS", rlimit_build_json, m->defaults.rlimit[RLIMIT_RSS]),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("DefaultLimitNOFILE", rlimit_build_json, m->defaults.rlimit[RLIMIT_NOFILE]),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("DefaultLimitAS", rlimit_build_json, m->defaults.rlimit[RLIMIT_AS]),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("DefaultLimitNPROC", rlimit_build_json, m->defaults.rlimit[RLIMIT_NPROC]),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("DefaultLimitMEMLOCK", rlimit_build_json, m->defaults.rlimit[RLIMIT_MEMLOCK]),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("DefaultLimitLOCKS", rlimit_build_json, m->defaults.rlimit[RLIMIT_LOCKS]),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("DefaultLimitSIGPENDING", rlimit_build_json, m->defaults.rlimit[RLIMIT_SIGPENDING]),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("DefaultLimitMSGQUEUE", rlimit_build_json, m->defaults.rlimit[RLIMIT_MSGQUEUE]),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("DefaultLimitNICE", rlimit_build_json, m->defaults.rlimit[RLIMIT_NICE]),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("DefaultLimitRTPRIO", rlimit_build_json, m->defaults.rlimit[RLIMIT_RTPRIO]),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("DefaultLimitRTTIME", rlimit_build_json, m->defaults.rlimit[RLIMIT_RTTIME]),
+                        SD_JSON_BUILD_PAIR_UNSIGNED("DefaultTasksMax", cgroup_tasks_max_resolve(&m->defaults.tasks_max)),
+                        JSON_BUILD_PAIR_FINITE_USEC("DefaultMemoryPressureThresholdUSec", m->defaults.memory_pressure_threshold_usec),
+                        SD_JSON_BUILD_PAIR_STRING("DefaultMemoryPressureWatch", cgroup_pressure_watch_to_string(m->defaults.memory_pressure_watch)),
+                        JSON_BUILD_PAIR_FINITE_USEC("TimerSlackNSec", (uint64_t) prctl(PR_GET_TIMERSLACK)),
+                        SD_JSON_BUILD_PAIR_STRING("DefaultOOMPolicy", oom_policy_to_string(m->defaults.oom_policy)),
+                        SD_JSON_BUILD_PAIR_INTEGER("DefaultOOMScoreAdjust", m->defaults.oom_score_adjust),
+                        SD_JSON_BUILD_PAIR_STRING("CtrlAltDelBurstAction", emergency_action_to_string(m->cad_burst_action)));
+}
+
+static int manager_environment_build_json(sd_json_variant **ret, const char *name, void *userdata) {
+        _cleanup_strv_free_ char **l = NULL;
+        Manager *m = ASSERT_PTR(userdata);
+        int r;
+
+        assert(ret);
+
+        r = manager_get_effective_environment(m, &l);
+        if (r < 0)
+                return r;
+
+        if (strv_isempty(l))
+                return 0;
+
+        return sd_json_variant_new_array_strv(ret, l);
+}
+
+static int manager_runtime_build_json(sd_json_variant **ret, const char *name, void *userdata) {
+        Manager *m = ASSERT_PTR(userdata);
+        dual_timestamp watchdog_last_ping = {
+                .monotonic = watchdog_get_last_ping(CLOCK_MONOTONIC),
+                .realtime = watchdog_get_last_ping(CLOCK_REALTIME),
+        };
+        _cleanup_strv_free_ char **taints = NULL;
+
+        taints = taint_strv();
+        if (!taints)
+                return -ENOMEM;
+
+        return sd_json_buildo(ASSERT_PTR(ret),
+                SD_JSON_BUILD_PAIR_STRING("Architecture", architecture_to_string(uname_architecture())),
+                SD_JSON_BUILD_PAIR_STRING("Virtualization", virtualization_to_string(detect_virtualization())),
+                SD_JSON_BUILD_PAIR_STRING("ConfidentialVirtualization", confidential_virtualization_to_string(detect_confidential_virtualization())),
+                SD_JSON_BUILD_PAIR_STRV("Taints", taints),
+                JSON_BUILD_PAIR_STRING_NON_EMPTY("ConfirmSpawn", manager_get_confirm_spawn(m)),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("FirmwareTimestamp", &m->timestamps[MANAGER_TIMESTAMP_FIRMWARE]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("LoaderTimestamp", &m->timestamps[MANAGER_TIMESTAMP_LOADER]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("KernelTimestamp", &m->timestamps[MANAGER_TIMESTAMP_KERNEL]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("InitRDTimestamp", &m->timestamps[MANAGER_TIMESTAMP_INITRD]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("UserspaceTimestamp", &m->timestamps[MANAGER_TIMESTAMP_USERSPACE]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("FinishTimestamp", &m->timestamps[MANAGER_TIMESTAMP_FINISH]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("SecurityStartTimestamp", &m->timestamps[MANAGER_TIMESTAMP_SECURITY_START]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("SecurityFinishTimestamp", &m->timestamps[MANAGER_TIMESTAMP_SECURITY_FINISH]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("GeneratorsStartTimestamp", &m->timestamps[MANAGER_TIMESTAMP_GENERATORS_START]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("GeneratorsFinishTimestamp", &m->timestamps[MANAGER_TIMESTAMP_GENERATORS_FINISH]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("UnitsLoadStartTimestamp", &m->timestamps[MANAGER_TIMESTAMP_UNITS_LOAD_START]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("UnitsLoadFinishTimestamp", &m->timestamps[MANAGER_TIMESTAMP_UNITS_LOAD_FINISH]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("UnitsLoadTimestamp", &m->timestamps[MANAGER_TIMESTAMP_UNITS_LOAD]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("InitRDSecurityStartTimestamp", &m->timestamps[MANAGER_TIMESTAMP_INITRD_SECURITY_START]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("InitRDSecurityFinishTimestamp", &m->timestamps[MANAGER_TIMESTAMP_INITRD_SECURITY_FINISH]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("InitRDGeneratorsStartTimestamp", &m->timestamps[MANAGER_TIMESTAMP_INITRD_GENERATORS_START]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("InitRDGeneratorsFinishTimestamp", &m->timestamps[MANAGER_TIMESTAMP_INITRD_GENERATORS_FINISH]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("InitRDUnitsLoadStartTimestamp", &m->timestamps[MANAGER_TIMESTAMP_INITRD_UNITS_LOAD_START]),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("InitRDUnitsLoadFinishTimestamp", &m->timestamps[MANAGER_TIMESTAMP_INITRD_UNITS_LOAD_FINISH]),
+                SD_JSON_BUILD_PAIR_CONDITION(m->log_level_overridden, "LogLevel", SD_JSON_BUILD_INTEGER(log_get_max_level())),
+                SD_JSON_BUILD_PAIR_CONDITION(m->log_target_overridden, "LogTarget", SD_JSON_BUILD_STRING(log_target_to_string(log_get_target()))),
+                SD_JSON_BUILD_PAIR_UNSIGNED("NNames", hashmap_size(m->units)),
+                SD_JSON_BUILD_PAIR_UNSIGNED("NFailedUnits", set_size(m->failed_units)),
+                SD_JSON_BUILD_PAIR_UNSIGNED("NJobs", hashmap_size(m->jobs)),
+                SD_JSON_BUILD_PAIR_UNSIGNED("NInstalledJobs", m->n_installed_jobs),
+                SD_JSON_BUILD_PAIR_UNSIGNED("NFailedJobs", m->n_failed_jobs),
+                SD_JSON_BUILD_PAIR_REAL("Progress", manager_get_progress(m)),
+                JSON_BUILD_PAIR_CALLBACK_NON_NULL("Environment", manager_environment_build_json, m),
+                JSON_BUILD_PAIR_STRING_NON_EMPTY("WatchdogDevice", watchdog_get_device()),
+                JSON_BUILD_PAIR_DUAL_TIMESTAMP_NON_NULL("WatchdogLastPingTimestamp", &watchdog_last_ping),
+                JSON_BUILD_PAIR_STRING_NON_EMPTY("ControlGroup", m->cgroup_root),
+                SD_JSON_BUILD_PAIR_STRING("SystemState", manager_state_to_string(manager_state(m))),
+                SD_JSON_BUILD_PAIR_UNSIGNED("ExitCode", m->return_value));
+}
+
+int manager_build_json(Manager *m, sd_json_variant **ret) {
+        assert(m);
+
+        return sd_json_buildo(ASSERT_PTR(ret),
+                        SD_JSON_BUILD_PAIR_CALLBACK("Context", manager_context_build_json, m),
+                        SD_JSON_BUILD_PAIR_CALLBACK("Runtime", manager_runtime_build_json, m));
+}
--- a/src/core/manager-json.h
+++ b/src/core/manager-json.h
@ -0,0 +1,10 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include "sd-json.h"
+
+#include "manager.h"
+
+int rlimit_build_json(sd_json_variant **ret, const char *name, void *userdata);
+int environment_build_json(sd_json_variant **ret, const char *name, void *userdata);
+int manager_build_json(Manager *manager, sd_json_variant **ret);
--- a/src/core/manager-serialize.c
+++ b/src/core/manager-serialize.c
@ -497,7 +497,7 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) {
                        if (r < 0)
                                return r;
                } else if ((val = startswith(l, "varlink-server-socket-address="))) {
-                        if (!m->varlink_server && MANAGER_IS_SYSTEM(m)) {
+                        if (!m->varlink_server) {
                                r = manager_setup_varlink_server(m);
                                if (r < 0) {
                                        log_warning_errno(r, "Failed to setup varlink server, ignoring: %m");
--- a/src/core/meson.build
+++ b/src/core/meson.build
@ -44,6 +44,7 @@ libcore_sources = files(
        'load-dropin.c',
        'load-fragment.c',
        'manager-dump.c',
+        'manager-json.c',
        'manager-serialize.c',
        'manager.c',
        'mount.c',
@ -62,6 +63,7 @@ libcore_sources = files(
        'transaction.c',
        'unit-dependency-atom.c',
        'unit-printf.c',
+        'unit-json.c',
        'unit-serialize.c',
        'unit.c',
 )
--- a/src/core/unit-json.c
+++ b/src/core/unit-json.c
--- a/src/core/unit-json.h
+++ b/src/core/unit-json.h
@ -0,0 +1,8 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include "sd-json.h"
+
+#include "unit.h"
+
+int unit_build_json(Unit *unit, sd_json_variant **ret);
--- a/src/cryptenroll/cryptenroll-fido2.c
+++ b/src/cryptenroll/cryptenroll-fido2.c
@ -193,7 +193,7 @@ int enroll_fido2(
                fflush(stdout);

                fprintf(stderr,
-                        "\nPlease save this FIDO2 credential ID. It is required when unloocking the volume\n"
+                        "\nPlease save this FIDO2 credential ID. It is required when unlocking the volume\n"
                        "using the associated FIDO2 keyslot which we just created. To configure automatic\n"
                        "unlocking using this FIDO2 token, add an appropriate entry to your /etc/crypttab\n"
                        "file, see %s for details.\n", link);
--- a/src/cryptenroll/cryptenroll-wipe.c
+++ b/src/cryptenroll/cryptenroll-wipe.c
@ -427,7 +427,10 @@ int wipe_slots(struct crypt_device *cd,
        for (size_t i = n_ordered_slots; i > 0; i--) {
                r = crypt_keyslot_destroy(cd, ordered_slots[i - 1]);
                if (r < 0) {
-                        log_warning_errno(r, "Failed to wipe slot %i, continuing: %m", ordered_slots[i - 1]);
+                        if (r == -ENOENT)
+                                log_warning_errno(r, "Failed to wipe non-existent slot %i, continuing.", ordered_slots[i - 1]);
+                        else
+                                log_warning_errno(r, "Failed to wipe slot %i, continuing: %m", ordered_slots[i - 1]);
                        if (ret == 0)
                                ret = r;
                } else
--- a/src/libsystemd-network/ndisc-option.c
+++ b/src/libsystemd-network/ndisc-option.c
@ -750,7 +750,7 @@ static int ndisc_option_parse_route(Set **options, size_t offset, size_t len, co
        usec_t lifetime = unaligned_be32_sec_to_usec(opt + 4, /* max_as_infinity = */ true);

        struct in6_addr prefix;
-        memcpy(&prefix, opt + 8, len - 8);
+        memcpy_safe(&prefix, opt + 8, len - 8);
        in6_addr_mask(&prefix, prefixlen);

        return ndisc_option_add_route(options, offset, preference, prefixlen, &prefix, lifetime);
--- a/src/libsystemd/libsystemd.sym
+++ b/src/libsystemd/libsystemd.sym
@ -1033,12 +1033,14 @@ global:
        sd_varlink_server_listen_fd;
        sd_varlink_server_loop_auto;
        sd_varlink_server_new;
+        sd_varlink_server_ref;
        sd_varlink_server_set_connections_max;
        sd_varlink_server_set_connections_per_uid_max;
        sd_varlink_server_set_description;
        sd_varlink_server_set_exit_on_idle;
        sd_varlink_server_set_userdata;
        sd_varlink_server_shutdown;
+        sd_varlink_server_unref;
        sd_varlink_set_allow_fd_passing_input;
        sd_varlink_set_allow_fd_passing_output;
        sd_varlink_set_description;
--- a/src/libsystemd/sd-varlink/sd-varlink.c
+++ b/src/libsystemd/sd-varlink/sd-varlink.c
@ -3265,7 +3265,7 @@ static sd_varlink_server* varlink_server_destroy(sd_varlink_server *s) {
        return mfree(s);
 }

-DEFINE_TRIVIAL_REF_UNREF_FUNC(sd_varlink_server, sd_varlink_server, varlink_server_destroy);
+DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(sd_varlink_server, sd_varlink_server, varlink_server_destroy);

 static int validate_connection(sd_varlink_server *server, const struct ucred *ucred) {
        int allowed = -1;
--- a/src/network/netdev/netdev.c
+++ b/src/network/netdev/netdev.c
@ -642,7 +642,7 @@ static bool netdev_can_set_mac(NetDev *netdev, const struct hw_addr_data *hw_add
        if (hw_addr_equal(&link->hw_addr, hw_addr))
                return false; /* Unchanged, not necessary to set. */

-        /* Soem netdevs refuse to update MAC address even if the interface is not running, e.g. ipvlan.
+        /* Some netdevs refuse to update MAC address even if the interface is not running, e.g. ipvlan.
         * Some other netdevs have the IFF_LIVE_ADDR_CHANGE flag and can update update MAC address even if
         * the interface is running, e.g. dummy. For those cases, use custom checkers. */
        if (NETDEV_VTABLE(netdev)->can_set_mac)
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@ -1443,6 +1443,7 @@ int link_reconfigure_impl(Link *link, LinkReconfigurationFlag flags) {
 }

 typedef struct LinkReconfigurationData {
+        Manager *manager;
        Link *link;
        LinkReconfigurationFlag flags;
        sd_bus_message *message;
@ -1473,6 +1474,12 @@ static void link_reconfiguration_data_destroy_callback(LinkReconfigurationData *
                }

                if (!data->counter || *data->counter <= 0) {
+                        /* Update the state files before replying the bus method. Otherwise,
+                         * systemd-networkd-wait-online following networkctl reload/reconfigure may read an
+                         * outdated state file and wrongly handle an interface is already in the configured
+                         * state. */
+                        (void) manager_clean_all(data->manager);
+
                        r = sd_bus_reply_method_return(data->message, NULL);
                        if (r < 0)
                                log_warning_errno(r, "Failed to reply for DBus method, ignoring: %m");
@ -1521,6 +1528,7 @@ int link_reconfigure_full(Link *link, LinkReconfigurationFlag flags, sd_bus_mess
        }

        *data = (LinkReconfigurationData) {
+                .manager = link->manager,
                .link = link_ref(link),
                .flags = flags,
                .message = sd_bus_message_ref(message), /* message may be NULL, but _ref() works fine. */
--- a/src/network/networkd-ndisc.c
+++ b/src/network/networkd-ndisc.c
@ -1610,7 +1610,7 @@ static int ndisc_router_process_onlink_prefix(Link *link, sd_ndisc_router *rt) {
        return 0;
 }

-static int ndisc_router_process_prefix(Link *link, sd_ndisc_router *rt) {
+static int ndisc_router_process_prefix(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
        uint8_t flags, prefixlen;
        struct in6_addr a;
        int r;
@ -1619,6 +1619,14 @@ static int ndisc_router_process_prefix(Link *link, sd_ndisc_router *rt) {
        assert(link->network);
        assert(rt);

+        usec_t lifetime_usec;
+        r = sd_ndisc_router_prefix_get_valid_lifetime(rt, &lifetime_usec);
+        if (r < 0)
+                return log_link_warning_errno(link, r, "Failed to get prefix lifetime: %m");
+
+        if ((lifetime_usec == 0) != zero_lifetime)
+                return 0;
+
        r = sd_ndisc_router_prefix_get_address(rt, &a);
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get prefix address: %m");
@ -1664,7 +1672,7 @@ static int ndisc_router_process_prefix(Link *link, sd_ndisc_router *rt) {
        return 0;
 }

-static int ndisc_router_process_route(Link *link, sd_ndisc_router *rt) {
+static int ndisc_router_process_route(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
        _cleanup_(route_unrefp) Route *route = NULL;
        uint8_t preference, prefixlen;
        struct in6_addr gateway, dst;
@ -1680,6 +1688,9 @@ static int ndisc_router_process_route(Link *link, sd_ndisc_router *rt) {
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get route lifetime from RA: %m");

+        if ((lifetime_usec == 0) != zero_lifetime)
+                return 0;
+
        r = sd_ndisc_router_route_get_address(rt, &dst);
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get route destination address: %m");
@ -1712,10 +1723,6 @@ static int ndisc_router_process_route(Link *link, sd_ndisc_router *rt) {
        }

        r = sd_ndisc_router_route_get_preference(rt, &preference);
-        if (r == -EOPNOTSUPP) {
-                log_link_debug_errno(link, r, "Received route prefix with unsupported preference, ignoring: %m");
-                return 0;
-        }
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get router preference from RA: %m");

@ -1759,7 +1766,7 @@ DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
                ndisc_rdnss_compare_func,
                free);

-static int ndisc_router_process_rdnss(Link *link, sd_ndisc_router *rt) {
+static int ndisc_router_process_rdnss(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
        usec_t lifetime_usec;
        const struct in6_addr *a;
        struct in6_addr router;
@ -1781,6 +1788,9 @@ static int ndisc_router_process_rdnss(Link *link, sd_ndisc_router *rt) {
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get RDNSS lifetime: %m");

+        if ((lifetime_usec == 0) != zero_lifetime)
+                return 0;
+
        n = sd_ndisc_router_rdnss_get_addresses(rt, &a);
        if (n < 0)
                return log_link_warning_errno(link, n, "Failed to get RDNSS addresses: %m");
@ -1851,7 +1861,7 @@ DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
                ndisc_dnssl_compare_func,
                free);

-static int ndisc_router_process_dnssl(Link *link, sd_ndisc_router *rt) {
+static int ndisc_router_process_dnssl(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
        char **l;
        usec_t lifetime_usec;
        struct in6_addr router;
@ -1873,6 +1883,9 @@ static int ndisc_router_process_dnssl(Link *link, sd_ndisc_router *rt) {
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get DNSSL lifetime: %m");

+        if ((lifetime_usec == 0) != zero_lifetime)
+                return 0;
+
        r = sd_ndisc_router_dnssl_get_domains(rt, &l);
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get DNSSL addresses: %m");
@ -1953,7 +1966,7 @@ DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
                ndisc_captive_portal_compare_func,
                ndisc_captive_portal_free);

-static int ndisc_router_process_captive_portal(Link *link, sd_ndisc_router *rt) {
+static int ndisc_router_process_captive_portal(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
        _cleanup_(ndisc_captive_portal_freep) NDiscCaptivePortal *new_entry = NULL;
        _cleanup_free_ char *captive_portal = NULL;
        const char *uri;
@ -1980,6 +1993,9 @@ static int ndisc_router_process_captive_portal(Link *link, sd_ndisc_router *rt)
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get lifetime of RA message: %m");

+        if ((lifetime_usec == 0) != zero_lifetime)
+                return 0;
+
        r = sd_ndisc_router_get_captive_portal(rt, &uri);
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get captive portal from RA: %m");
@ -2068,7 +2084,7 @@ DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
                ndisc_pref64_compare_func,
                mfree);

-static int ndisc_router_process_pref64(Link *link, sd_ndisc_router *rt) {
+static int ndisc_router_process_pref64(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
        _cleanup_free_ NDiscPREF64 *new_entry = NULL;
        usec_t lifetime_usec;
        struct in6_addr a, router;
@ -2099,6 +2115,9 @@ static int ndisc_router_process_pref64(Link *link, sd_ndisc_router *rt) {
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get pref64 prefix lifetime: %m");

+        if ((lifetime_usec == 0) != zero_lifetime)
+                return 0;
+
        if (lifetime_usec == 0) {
                free(set_remove(link->ndisc_pref64,
                                &(NDiscPREF64) {
@ -2217,7 +2236,7 @@ static int sd_dns_resolver_copy(const sd_dns_resolver *a, sd_dns_resolver *b) {
        return 0;
 }

-static int ndisc_router_process_encrypted_dns(Link *link, sd_ndisc_router *rt) {
+static int ndisc_router_process_encrypted_dns(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
        int r;

        assert(link);
@ -2240,6 +2259,9 @@ static int ndisc_router_process_encrypted_dns(Link *link, sd_ndisc_router *rt) {
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get lifetime of RA message: %m");

+        if ((lifetime_usec == 0) != zero_lifetime)
+                return 0;
+
        r = sd_ndisc_router_encrypted_dns_get_resolver(rt, &res);
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get encrypted dns resolvers: %m");
@ -2292,7 +2314,7 @@ static int ndisc_router_process_encrypted_dns(Link *link, sd_ndisc_router *rt) {
        return 0;
 }

-static int ndisc_router_process_options(Link *link, sd_ndisc_router *rt) {
+static int ndisc_router_process_options(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
        size_t n_captive_portal = 0;
        int r;

@ -2314,19 +2336,19 @@ static int ndisc_router_process_options(Link *link, sd_ndisc_router *rt) {

                switch (type) {
                case SD_NDISC_OPTION_PREFIX_INFORMATION:
-                        r = ndisc_router_process_prefix(link, rt);
+                        r = ndisc_router_process_prefix(link, rt, zero_lifetime);
                        break;

                case SD_NDISC_OPTION_ROUTE_INFORMATION:
-                        r = ndisc_router_process_route(link, rt);
+                        r = ndisc_router_process_route(link, rt, zero_lifetime);
                        break;

                case SD_NDISC_OPTION_RDNSS:
-                        r = ndisc_router_process_rdnss(link, rt);
+                        r = ndisc_router_process_rdnss(link, rt, zero_lifetime);
                        break;

                case SD_NDISC_OPTION_DNSSL:
-                        r = ndisc_router_process_dnssl(link, rt);
+                        r = ndisc_router_process_dnssl(link, rt, zero_lifetime);
                        break;
                case SD_NDISC_OPTION_CAPTIVE_PORTAL:
                        if (n_captive_portal > 0) {
@ -2336,15 +2358,15 @@ static int ndisc_router_process_options(Link *link, sd_ndisc_router *rt) {
                                n_captive_portal++;
                                continue;
                        }
-                        r = ndisc_router_process_captive_portal(link, rt);
+                        r = ndisc_router_process_captive_portal(link, rt, zero_lifetime);
                        if (r > 0)
                                n_captive_portal++;
                        break;
                case SD_NDISC_OPTION_PREF64:
-                        r = ndisc_router_process_pref64(link, rt);
+                        r = ndisc_router_process_pref64(link, rt, zero_lifetime);
                        break;
                case SD_NDISC_OPTION_ENCRYPTED_DNS:
-                        r = ndisc_router_process_encrypted_dns(link, rt);
+                        r = ndisc_router_process_encrypted_dns(link, rt, zero_lifetime);
                        break;
                }
                if (r < 0 && r != -EBADMSG)
@ -2652,10 +2674,6 @@ static int ndisc_router_handler(Link *link, sd_ndisc_router *rt) {
        if (r < 0)
                return r;

-        r = ndisc_router_process_default(link, rt);
-        if (r < 0)
-                return r;
-
        r = ndisc_router_process_reachable_time(link, rt);
        if (r < 0)
                return r;
@ -2672,7 +2690,15 @@ static int ndisc_router_handler(Link *link, sd_ndisc_router *rt) {
        if (r < 0)
                return r;

-        r = ndisc_router_process_options(link, rt);
+        r = ndisc_router_process_options(link, rt, /* zero_lifetime = */ true);
+        if (r < 0)
+                return r;
+
+        r = ndisc_router_process_default(link, rt);
+        if (r < 0)
+                return r;
+
+        r = ndisc_router_process_options(link, rt, /* zero_lifetime = */ false);
        if (r < 0)
                return r;

--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@ -50,6 +50,7 @@ static int add_syscall_filters(
                { CAP_IPC_LOCK,       "@memlock"                     },

                /* Plus a good set of additional syscalls which are not part of any of the groups above */
+                { 0,                  "arm_fadvise64_64"             },
                { 0,                  "brk"                          },
                { 0,                  "capget"                       },
                { 0,                  "capset"                       },
--- a/src/run/run.c
+++ b/src/run/run.c
@ -2297,7 +2297,8 @@ static int start_transient_scope(sd_bus *bus) {
                uid_t uid;
                gid_t gid;

-                r = get_user_creds(&arg_exec_user, &uid, &gid, &home, &shell, USER_CREDS_CLEAN|USER_CREDS_PREFER_NSS);
+                r = get_user_creds(&arg_exec_user, &uid, &gid, &home, &shell,
+                                   USER_CREDS_CLEAN|USER_CREDS_SUPPRESS_PLACEHOLDER|USER_CREDS_PREFER_NSS);
                if (r < 0)
                        return log_error_errno(r, "Failed to resolve user %s: %m", arg_exec_user);

--- a/src/shared/killall.c
+++ b/src/shared/killall.c
@ -46,13 +46,17 @@ static bool argv_has_at(pid_t pid) {
        return c == '@';
 }

-static bool is_survivor_cgroup(const PidRef *pid) {
+static bool is_in_survivor_cgroup(const PidRef *pid) {
        _cleanup_free_ char *cgroup_path = NULL;
        int r;

        assert(pidref_is_set(pid));

        r = cg_pidref_get_path(/* root= */ NULL, pid, &cgroup_path);
+        if (r == -EUNATCH) {
+                log_warning_errno(r, "Process " PID_FMT " appears to originate in foreign namespace, ignoring.", pid->pid);
+                return true;
+        }
        if (r < 0) {
                log_warning_errno(r, "Failed to get cgroup path of process " PID_FMT ", ignoring: %m", pid->pid);
                return false;
@ -86,7 +90,7 @@ static bool ignore_proc(const PidRef *pid, bool warn_rootfs) {
                return true; /* also ignore processes where we can't determine this */

        /* Ignore processes that are part of a cgroup marked with the user.survive_final_kill_signal xattr */
-        if (is_survivor_cgroup(pid))
+        if (is_in_survivor_cgroup(pid))
                return true;

        r = pidref_get_uid(pid, &uid);
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
@ -185,6 +185,7 @@ shared_sources = files(
        'varlink-io.systemd.Machine.c',
        'varlink-io.systemd.MachineImage.c',
        'varlink-io.systemd.ManagedOOM.c',
+        'varlink-io.systemd.Manager.c',
        'varlink-io.systemd.MountFileSystem.c',
        'varlink-io.systemd.NamespaceResource.c',
        'varlink-io.systemd.Network.c',
--- a/src/shared/nsflags.c
+++ b/src/shared/nsflags.c
@ -7,6 +7,7 @@
 #include "namespace-util.h"
 #include "nsflags.h"
 #include "string-util.h"
+#include "strv.h"

 int namespace_flags_from_string(const char *name, unsigned long *ret) {
        unsigned long flags = 0;
@ -42,19 +43,17 @@ int namespace_flags_from_string(const char *name, unsigned long *ret) {
 }

 int namespace_flags_to_string(unsigned long flags, char **ret) {
-        _cleanup_free_ char *s = NULL;
-        unsigned i;
+        _cleanup_strv_free_ char **l = NULL;

-        for (i = 0; namespace_info[i].proc_name; i++) {
-                if ((flags & namespace_info[i].clone_flag) != namespace_info[i].clone_flag)
-                        continue;
+        l = namespace_flags_to_strv(flags);
+        if (!l)
+                return -ENOMEM;

-                if (!strextend_with_separator(&s, " ", namespace_info[i].proc_name))
-                        return -ENOMEM;
-        }
-
-        *ret = TAKE_PTR(s);
+        char *s = strv_join(l, NULL);
+        if (!s)
+                return -ENOMEM;

+        *ret = s;
        return 0;
 }

@ -65,3 +64,18 @@ const char* namespace_single_flag_to_string(unsigned long flag) {

        return NULL;
 }
+
+char** namespace_flags_to_strv(unsigned long flags) {
+        _cleanup_strv_free_ char **s = NULL;
+        unsigned i;
+
+        for (i = 0; namespace_info[i].proc_name; i++) {
+                if ((flags & namespace_info[i].clone_flag) != namespace_info[i].clone_flag)
+                        continue;
+
+                if (strv_extend(&s, namespace_info[i].proc_name) < 0)
+                        return NULL;
+        }
+
+        return s ? TAKE_PTR(s) : strv_new(NULL);
+}
--- a/src/shared/nsflags.h
+++ b/src/shared/nsflags.h
@ -21,3 +21,5 @@
 int namespace_flags_from_string(const char *name, unsigned long *ret);
 int namespace_flags_to_string(unsigned long flags, char **ret);
 const char* namespace_single_flag_to_string(unsigned long flag);
+
+char** namespace_flags_to_strv(unsigned long flags);
--- a/src/shared/user-record-show.c
+++ b/src/shared/user-record-show.c
@ -28,21 +28,28 @@ const char* user_record_state_color(const char *state) {
        return NULL;
 }

-static void dump_self_modifiable(const char *heading, char **field, const char **value) {
+static void dump_self_modifiable(
+                const char *heading,
+                char **field,
+                const char **value) {
+
        assert(heading);

        /* Helper function for printing the various self_modifiable_* fields from the user record */

-        if (strv_isempty((char**) value))
-                /* Case 1: the array is explicitly set to be empty by the administrator */
-                printf("%13s %sDisabled by Administrator%s\n", heading, ansi_highlight_red(), ansi_normal());
+        if (!value)
+                /* Case 1: no value is set and no default either */
+                printf("%13s %snone%s\n", heading, ansi_highlight(), ansi_normal());
+        else if (strv_isempty((char**) value))
+                /* Case 2: the array is explicitly set to empty by the administrator */
+                printf("%13s %sdisabled by administrator%s\n", heading, ansi_highlight_red(), ansi_normal());
        else if (!field)
-                /* Case 2: we have values, but the field is NULL. This means that we're using the defaults.
+                /* Case 3: we have values, but the field is NULL. This means that we're using the defaults.
                 * We list them anyways, because they're security-sensitive to the administrator */
                STRV_FOREACH(i, value)
                        printf("%13s %s%s%s\n", i == value ? heading : "", ansi_grey(), *i, ansi_normal());
        else
-                /* Case 3: we have a list provided by the administrator */
+                /* Case 4: we have a list provided by the administrator */
                STRV_FOREACH(i, value)
                        printf("%13s %s\n", i == value ? heading : "", *i);
 }
--- a/src/shared/user-record.c
+++ b/src/shared/user-record.c
@ -2165,8 +2165,15 @@ const char** user_record_self_modifiable_fields(UserRecord *h) {

        assert(h);

+        /* Note: if the self_modifiable_fields field in UserRecord is NULL we'll apply a default, if we have
+         * one. If it is a non-NULL empty strv, we'll report it as explicit empty list. When the field is
+         * NULL and we have no default list we'll return NULL. */
+
        /* Note that we intentionally distinguish between NULL and an empty array here */
-        return (const char**) h->self_modifiable_fields ?: (const char**) default_fields;
+        if (h->self_modifiable_fields)
+                return (const char**) h->self_modifiable_fields;
+
+        return user_record_disposition(h) == USER_REGULAR ? (const char**) default_fields : NULL;
 }

 const char** user_record_self_modifiable_blobs(UserRecord *h) {
@ -2180,7 +2187,10 @@ const char** user_record_self_modifiable_blobs(UserRecord *h) {
        assert(h);

        /* Note that we intentionally distinguish between NULL and an empty array here */
-        return (const char**) h->self_modifiable_blobs ?: (const char**) default_blobs;
+        if (h->self_modifiable_blobs)
+                return (const char**) h->self_modifiable_blobs;
+
+        return user_record_disposition(h) == USER_REGULAR ? (const char**) default_blobs : NULL;
 }

 const char** user_record_self_modifiable_privileged(UserRecord *h) {
@ -2201,7 +2211,10 @@ const char** user_record_self_modifiable_privileged(UserRecord *h) {
        assert(h);

        /* Note that we intentionally distinguish between NULL and an empty array here */
-        return (const char**) h->self_modifiable_privileged ?: (const char**) default_fields;
+        if (h->self_modifiable_privileged)
+                return (const char**) h->self_modifiable_privileged;
+
+        return user_record_disposition(h) == USER_REGULAR ? (const char**) default_fields : NULL;
 }

 static int remove_self_modifiable_json_fields_common(UserRecord *current, sd_json_variant **target) {
--- a/src/shared/varlink-io.systemd.Manager.c
+++ b/src/shared/varlink-io.systemd.Manager.c
--- a/src/shared/varlink-io.systemd.Manager.h
+++ b/src/shared/varlink-io.systemd.Manager.h
@ -0,0 +1,6 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include "sd-varlink-idl.h"
+
+extern const sd_varlink_interface vl_interface_io_systemd_Manager;
--- a/src/shared/varlink-serialize.c
+++ b/src/shared/varlink-serialize.c
@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */

 #include "parse-util.h"
+#include "path-util.h"
 #include "varlink-internal.h"
 #include "varlink-serialize.h"

@ -83,3 +84,14 @@ int varlink_server_deserialize_one(sd_varlink_server *s, const char *value, FDSe
        LIST_PREPEND(sockets, s->sockets, TAKE_PTR(ss));
        return 0;
 }
+
+int varlink_server_contains_socket(sd_varlink_server *s, const char *address) {
+        assert(s);
+        assert(address);
+
+        LIST_FOREACH(sockets, ss, s->sockets)
+                if (path_equal(ss->address, address))
+                        return true;
+
+        return false;
+}
--- a/src/shared/varlink-serialize.h
+++ b/src/shared/varlink-serialize.h
@ -9,3 +9,5 @@

 int varlink_server_serialize(sd_varlink_server *s, FILE *f, FDSet *fds);
 int varlink_server_deserialize_one(sd_varlink_server *s, const char *value, FDSet *fds);
+
+int varlink_server_contains_socket(sd_varlink_server *s, const char *address);
--- a/src/ssh-generator/ssh-generator.c
+++ b/src/ssh-generator/ssh-generator.c
@ -245,8 +245,8 @@ static int add_vsock_socket(
        if (r < 0)
                return r;

-        log_info("Binding SSH to AF_VSOCK vsock::22.\n"
-                 "→ connect via 'ssh vsock/%u' from host", local_cid);
+        log_debug("Binding SSH to AF_VSOCK vsock::22.\n"
+                  "→ connect via 'ssh vsock/%u' from host", local_cid);
        return 0;
 }

@ -280,8 +280,8 @@ static int add_local_unix_socket(
        if (r < 0)
                return r;

-        log_info("Binding SSH to AF_UNIX socket /run/ssh-unix-local/socket.\n"
-                 "→ connect via 'ssh .host' locally");
+        log_debug("Binding SSH to AF_UNIX socket /run/ssh-unix-local/socket.\n"
+                  "→ connect via 'ssh .host' locally");
        return 0;
 }

@ -336,8 +336,8 @@ static int add_export_unix_socket(
        if (r < 0)
                return r;

-        log_info("Binding SSH to AF_UNIX socket /run/host/unix-export/ssh\n"
-                 "→ connect via 'ssh unix/run/systemd/nspawn/unix-export/\?\?\?/ssh' from host");
+        log_debug("Binding SSH to AF_UNIX socket /run/host/unix-export/ssh\n"
+                  "→ connect via 'ssh unix/run/systemd/nspawn/unix-export/\?\?\?/ssh' from host");

        return 0;
 }
@ -387,7 +387,7 @@ static int add_extra_sockets(
                if (r < 0)
                        return r;

-                log_info("Binding SSH to socket %s.", *i);
+                log_debug("Binding SSH to socket %s.", *i);
                n++;
        }

@ -462,7 +462,7 @@ static int run(const char *dest, const char *dest_early, const char *dest_late)
        _cleanup_free_ char *sshd_binary = NULL;
        r = find_executable("sshd", &sshd_binary);
        if (r == -ENOENT) {
-                log_info("Disabling SSH generator logic, since sshd is not installed.");
+                log_debug("Disabling SSH generator logic, since sshd is not installed.");
                return 0;
        }
        if (r < 0)
--- a/src/systemctl/systemctl-show.c
+++ b/src/systemctl/systemctl-show.c
@ -724,7 +724,7 @@ static void print_status_info(
                printf("      Tasks: %" PRIu64, i->tasks_current);

                if (i->tasks_max != UINT64_MAX)
-                        printf(" (limit: %" PRIu64 ")\n", i->tasks_max);
+                        printf("%s (limit: %" PRIu64 ")%s\n", ansi_grey(), i->tasks_max, ansi_normal());
                else
                        printf("\n");
        }
--- a/src/test/generate-sym-test.py
+++ b/src/test/generate-sym-test.py
@ -99,15 +99,15 @@ int main(void) {
        printf("Found %zu symbols from source files.\\n", j);

        for (i = 0; symbols_from_sym[i].name; i++) {
-                struct symbol*n = bsearch(symbols_from_sym+i, symbols_from_source, sizeof(symbols_from_source)/sizeof(symbols_from_source[0])-1, sizeof(symbols_from_source[0]), sort_callback);
+                struct symbol *n = bsearch(symbols_from_sym+i, symbols_from_source, sizeof(symbols_from_source)/sizeof(symbols_from_source[0])-1, sizeof(symbols_from_source[0]), sort_callback);
                if (!n)
                        printf("Found in symbol file, but not in sources: %s\\n", symbols_from_sym[i].name);
        }

        for (j = 0; symbols_from_source[j].name; j++) {
-                struct symbol*n = bsearch(symbols_from_source+j, symbols_from_source, sizeof(symbols_from_sym)/sizeof(symbols_from_sym[0])-1, sizeof(symbols_from_sym[0]), sort_callback);
+                struct symbol *n = bsearch(symbols_from_source+j, symbols_from_sym, sizeof(symbols_from_sym)/sizeof(symbols_from_sym[0])-1, sizeof(symbols_from_sym[0]), sort_callback);
                if (!n)
-                        printf("Found in sources, but not in symbol file: %s\\n", symbols_from_source[i].name);
+                        printf("Found in sources, but not in symbol file: %s\\n", symbols_from_source[j].name);
        }

        return i == j ? EXIT_SUCCESS : EXIT_FAILURE;
--- a/src/test/test-audit-util.c
+++ b/src/test/test-audit-util.c
@ -7,24 +7,26 @@ TEST(audit_loginuid_from_pid) {
        _cleanup_(pidref_done) PidRef self = PIDREF_NULL, pid1 = PIDREF_NULL;
        int r;

-        assert_se(pidref_set_self(&self) >= 0);
-        assert_se(pidref_set_pid(&pid1, 1) >= 0);
+        ASSERT_OK(pidref_set_self(&self));
+        ASSERT_OK(pidref_set_pid(&pid1, 1));

        uid_t uid;
        r = audit_loginuid_from_pid(&self, &uid);
-        assert_se(r >= 0 || r == -ENODATA);
+        if (r != -ENODATA)
+                ASSERT_OK(r);
        if (r >= 0)
                log_info("self audit login uid: " UID_FMT, uid);

-        assert_se(audit_loginuid_from_pid(&pid1, &uid) == -ENODATA);
+        ASSERT_ERROR(audit_loginuid_from_pid(&pid1, &uid), ENODATA);

        uint32_t sessionid;
        r = audit_session_from_pid(&self, &sessionid);
-        assert_se(r >= 0 || r == -ENODATA);
+        if (r != -ENODATA)
+                ASSERT_OK(r);
        if (r >= 0)
                log_info("self audit session id: %" PRIu32, sessionid);

-        assert_se(audit_session_from_pid(&pid1, &sessionid) == -ENODATA);
+        ASSERT_ERROR(audit_session_from_pid(&pid1, &sessionid), ENODATA);
 }

 static int intro(void) {
--- a/src/test/test-user-record.c
+++ b/src/test/test-user-record.c
@ -9,7 +9,7 @@
        ({                                      \
                typeof(ret) _r = (ret);         \
                user_record_unref(*_r);         \
-                assert_se(user_record_build((ret), SD_JSON_BUILD_OBJECT(__VA_ARGS__)) >= 0); \
+                assert_se(user_record_build((ret), SD_JSON_BUILD_OBJECT(SD_JSON_BUILD_PAIR_STRING("disposition", "regular"), __VA_ARGS__)) >= 0); \
                0;                              \
        })

--- a/src/ukify/test/test_ukify.py
+++ b/src/ukify/test/test_ukify.py
@ -363,7 +363,7 @@ def test_config_priority(tmp_path):
    assert opts.pcr_public_keys == ['PKEY2', 'some/path8']
    assert opts.pcr_banks == ['SHA1', 'SHA256']
    assert opts.signing_engine == 'ENGINE'
-    assert opts.signtool == ukify.SbSign # from args
+    assert opts.signtool == 'sbsign' # from args
    assert opts.sb_key == 'SBKEY' # from args
    assert opts.sb_cert == pathlib.Path('SBCERT') # from args
    assert opts.sb_certdir == 'some/path5' # from config
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@ -267,7 +267,7 @@ class UkifyConfig:
    signing_engine: Optional[str]
    signing_provider: Optional[str]
    certificate_provider: Optional[str]
-    signtool: Optional[type['SignTool']]
+    signtool: Optional[str]
    splash: Optional[Path]
    stub: Path
    summary: bool
@ -466,6 +466,17 @@ class SignTool:
    def verify(opts: UkifyConfig) -> bool:
        raise NotImplementedError()

+    @staticmethod
+    def from_string(name) -> type['SignTool']:
+        if name == 'pesign':
+            return PeSign
+        elif name == 'sbsign':
+            return SbSign
+        elif name == 'systemd-sbsign':
+            return SystemdSbSign
+        else:
+            raise ValueError(f'Invalid sign tool: {name!r}')
+

 class PeSign(SignTool):
    @staticmethod
@ -1141,15 +1152,16 @@ def make_uki(opts: UkifyConfig) -> None:

    if opts.linux and sign_args_present:
        assert opts.signtool is not None
+        signtool = SignTool.from_string(opts.signtool)

        if not sign_kernel:
            # figure out if we should sign the kernel
-            sign_kernel = opts.signtool.verify(opts)
+            sign_kernel = signtool.verify(opts)

        if sign_kernel:
            linux_signed = tempfile.NamedTemporaryFile(prefix='linux-signed')
            linux = Path(linux_signed.name)
-            opts.signtool.sign(os.fspath(opts.linux), os.fspath(linux), opts=opts)
+            signtool.sign(os.fspath(opts.linux), os.fspath(linux), opts=opts)

    if opts.uname is None and opts.linux is not None:
        print('Kernel version not specified, starting autodetection 😖.')
@ -1310,7 +1322,9 @@ def make_uki(opts: UkifyConfig) -> None:

    if sign_args_present:
        assert opts.signtool is not None
-        opts.signtool.sign(os.fspath(unsigned_output), os.fspath(opts.output), opts)
+        signtool = SignTool.from_string(opts.signtool)
+
+        signtool.sign(os.fspath(unsigned_output), os.fspath(opts.output), opts)

        # We end up with no executable bits, let's reapply them
        os.umask(umask := os.umask(0))
@ -1663,26 +1677,6 @@ class ConfigItem:
        return (section_name, key, value)


-class SignToolAction(argparse.Action):
-    def __call__(
-        self,
-        parser: argparse.ArgumentParser,
-        namespace: argparse.Namespace,
-        values: Union[str, Sequence[Any], None] = None,
-        option_string: Optional[str] = None,
-    ) -> None:
-        if values is None:
-            setattr(namespace, 'signtool', None)
-        elif values == 'sbsign':
-            setattr(namespace, 'signtool', SbSign)
-        elif values == 'pesign':
-            setattr(namespace, 'signtool', PeSign)
-        elif values == 'systemd-sbsign':
-            setattr(namespace, 'signtool', SystemdSbSign)
-        else:
-            raise ValueError(f"Unknown signtool '{values}' (this is unreachable)")
-
-
 VERBS = ('build', 'genkey', 'inspect')

 CONFIG_ITEMS = [
@ -1856,7 +1850,6 @@ CONFIG_ITEMS = [
    ConfigItem(
        '--signtool',
        choices=('sbsign', 'pesign', 'systemd-sbsign'),
-        action=SignToolAction,
        dest='signtool',
        help=(
            'whether to use sbsign or pesign. It will also be inferred by the other '
@ -2173,24 +2166,24 @@ def finalize_options(opts: argparse.Namespace) -> None:
        )
    elif bool(opts.sb_key) and bool(opts.sb_cert):
        # both param given, infer sbsign and in case it was given, ensure signtool=sbsign
-        if opts.signtool and opts.signtool not in (SbSign, SystemdSbSign):
+        if opts.signtool and opts.signtool not in ('sbsign', 'systemd-sbsign'):
            raise ValueError(
                f'Cannot provide --signtool={opts.signtool} with --secureboot-private-key= and --secureboot-certificate='  # noqa: E501
            )
        if not opts.signtool:
-            opts.signtool = SbSign
+            opts.signtool = 'sbsign'
    elif bool(opts.sb_cert_name):
        # sb_cert_name given, infer pesign and in case it was given, ensure signtool=pesign
-        if opts.signtool and opts.signtool != PeSign:
+        if opts.signtool and opts.signtool != 'pesign':
            raise ValueError(
                f'Cannot provide --signtool={opts.signtool} with --secureboot-certificate-name='
            )
-        opts.signtool = PeSign
+        opts.signtool = 'pesign'

-    if opts.signing_provider and opts.signtool != SystemdSbSign:
+    if opts.signing_provider and opts.signtool != 'systemd-sbsign':
        raise ValueError('--signing-provider= can only be used with--signtool=systemd-sbsign')

-    if opts.certificate_provider and opts.signtool != SystemdSbSign:
+    if opts.certificate_provider and opts.signtool != 'systemd-sbsign':
        raise ValueError('--certificate-provider= can only be used with--signtool=systemd-sbsign')

    if opts.sign_kernel and not opts.sb_key and not opts.sb_cert_name:
--- a/src/vmspawn/vmspawn.c
+++ b/src/vmspawn/vmspawn.c
@ -2182,6 +2182,10 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {

        (void) sd_event_add_signal(event, NULL, (SIGRTMIN+18) | SD_EVENT_SIGNAL_PROCMASK, sigrtmin18_handler, NULL);

+        r = sd_event_add_memory_pressure(event, NULL, NULL, NULL);
+        if (r < 0)
+                log_debug_errno(r, "Failed allocate memory pressure event source, ignoring: %m");
+
        /* Exit when the child exits */
        (void) event_add_child_pidref(event, NULL, &child_pidref, WEXITED, on_child_exit, NULL);

--- a/test/test-network/conf/25-veth-router-high2.network
+++ b/test/test-network/conf/25-veth-router-high2.network
@ -1,18 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-[Match]
-Name=router-low
-
-[Network]
-IPv6AcceptRA=no
-IPv6SendRA=yes
-
-[IPv6SendRA]
-# changed from low to high
-RouterPreference=high
-EmitDNS=no
-EmitDomains=no
-
-[IPv6Prefix]
-Prefix=2002:da8:1:98::/64
-PreferredLifetimeSec=1000s
-ValidLifetimeSec=2100s
--- a/test/test-network/conf/25-veth-router-low2.network
+++ b/test/test-network/conf/25-veth-router-low2.network
@ -1,18 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-[Match]
-Name=router-high
-
-[Network]
-IPv6AcceptRA=no
-IPv6SendRA=yes
-
-[IPv6SendRA]
-# changed from high to low
-RouterPreference=low
-EmitDNS=no
-EmitDomains=no
-
-[IPv6Prefix]
-Prefix=2002:da8:1:99::/64
-PreferredLifetimeSec=1000s
-ValidLifetimeSec=2100s
--- a/test/test-network/systemd-networkd-tests.py
+++ b/test/test-network/systemd-networkd-tests.py
@ -6391,6 +6391,27 @@ class NetworkdRATests(unittest.TestCase, Utilities):

        self.check_ipv6_sysctl_attr('client', 'hop_limit', '43')

+    def check_router_preference(self, suffix, metric_1, preference_1, metric_2, preference_2):
+        self.wait_online('client:routable')
+        self.wait_address('client', f'2002:da8:1:99:1034:56ff:fe78:9a{suffix}/64', ipv='-6', timeout_sec=10)
+        self.wait_address('client', f'2002:da8:1:98:1034:56ff:fe78:9a{suffix}/64', ipv='-6', timeout_sec=10)
+        self.wait_route('client', rf'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric {metric_1}', ipv='-6', timeout_sec=10)
+        self.wait_route('client', rf'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric {metric_2}', ipv='-6', timeout_sec=10)
+
+        print('### ip -6 route show dev client default')
+        output = check_output('ip -6 route show dev client default')
+        print(output)
+        self.assertRegex(output, rf'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric {metric_1} expires [0-9]*sec pref {preference_1}')
+        self.assertRegex(output, rf'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric {metric_2} expires [0-9]*sec pref {preference_2}')
+
+        for i in [100, 200, 300, 512, 1024, 2048]:
+            if i not in [metric_1, metric_2]:
+                self.assertNotIn(f'metric {i} ', output)
+
+        for i in ['low', 'medium', 'high']:
+            if i not in [preference_1, preference_2]:
+                self.assertNotIn(f'pref {i}', output)
+
    def test_router_preference(self):
        copy_network_unit('25-veth-client.netdev',
                          '25-veth-router-high.netdev',
@ -6409,72 +6430,47 @@ class NetworkdRATests(unittest.TestCase, Utilities):

        networkctl_reconfigure('client')
        self.wait_online('client:routable')
+        self.check_router_preference('00', 512, 'high', 2048, 'low')

-        self.wait_address('client', '2002:da8:1:99:1034:56ff:fe78:9a00/64', ipv='-6', timeout_sec=10)
-        self.wait_address('client', '2002:da8:1:98:1034:56ff:fe78:9a00/64', ipv='-6', timeout_sec=10)
-        self.wait_route('client', r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 512', ipv='-6', timeout_sec=10)
-        self.wait_route('client', r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 2048', ipv='-6', timeout_sec=10)
-
-        print('### ip -6 route show dev client default')
-        output = check_output('ip -6 route show dev client default')
-        print(output)
-        self.assertRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 512 expires [0-9]*sec pref high')
-        self.assertRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 2048 expires [0-9]*sec pref low')
-
+        # change the map from preference to metric.
        with open(os.path.join(network_unit_dir, '25-veth-client.network'), mode='a', encoding='utf-8') as f:
            f.write('\n[Link]\nMACAddress=12:34:56:78:9a:01\n[IPv6AcceptRA]\nRouteMetric=100:200:300\n')
-
        networkctl_reload()
-        self.wait_online('client:routable')
-
-        self.wait_address('client', '2002:da8:1:99:1034:56ff:fe78:9a01/64', ipv='-6', timeout_sec=10)
-        self.wait_address('client', '2002:da8:1:98:1034:56ff:fe78:9a01/64', ipv='-6', timeout_sec=10)
-        self.wait_route('client', r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 100', ipv='-6', timeout_sec=10)
-        self.wait_route('client', r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 300', ipv='-6', timeout_sec=10)
-
-        print('### ip -6 route show dev client default')
-        output = check_output('ip -6 route show dev client default')
-        print(output)
-        self.assertRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 100 expires [0-9]*sec pref high')
-        self.assertRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 300 expires [0-9]*sec pref low')
-        self.assertNotIn('metric 512', output)
-        self.assertNotIn('metric 2048', output)
+        self.check_router_preference('01', 100, 'high', 300, 'low')

        # swap the preference (for issue #28439)
-        remove_network_unit('25-veth-router-high.network', '25-veth-router-low.network')
-        copy_network_unit('25-veth-router-high2.network', '25-veth-router-low2.network')
+        with open(os.path.join(network_unit_dir, '25-veth-router-high.network'), mode='a', encoding='utf-8') as f:
+            f.write('\n[IPv6SendRA]\nRouterPreference=low\n')
+        with open(os.path.join(network_unit_dir, '25-veth-router-low.network'), mode='a', encoding='utf-8') as f:
+            f.write('\n[IPv6SendRA]\nRouterPreference=high\n')
        networkctl_reload()
-        self.wait_route('client', r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 300', ipv='-6', timeout_sec=10)
-        self.wait_route('client', r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 100', ipv='-6', timeout_sec=10)
-
-        print('### ip -6 route show dev client default')
-        output = check_output('ip -6 route show dev client default')
-        print(output)
-        self.assertRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 300 expires [0-9]*sec pref low')
-        self.assertRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 100 expires [0-9]*sec pref high')
-        self.assertNotRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 100')
-        self.assertNotRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 300')
-        self.assertNotIn('metric 512', output)
-        self.assertNotIn('metric 2048', output)
+        self.check_router_preference('01', 300, 'low', 100, 'high')

        # Use the same preference, and check if the two routes are not coalesced. See issue #33470.
-        with open(os.path.join(network_unit_dir, '25-veth-router-high2.network'), mode='a', encoding='utf-8') as f:
+        with open(os.path.join(network_unit_dir, '25-veth-router-high.network'), mode='a', encoding='utf-8') as f:
            f.write('\n[IPv6SendRA]\nRouterPreference=medium\n')
-        with open(os.path.join(network_unit_dir, '25-veth-router-low2.network'), mode='a', encoding='utf-8') as f:
+        with open(os.path.join(network_unit_dir, '25-veth-router-low.network'), mode='a', encoding='utf-8') as f:
            f.write('\n[IPv6SendRA]\nRouterPreference=medium\n')
        networkctl_reload()
-        self.wait_route('client', r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 200', ipv='-6', timeout_sec=10)
-        self.wait_route('client', r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 200', ipv='-6', timeout_sec=10)
+        self.check_router_preference('01', 200, 'medium', 200, 'medium')

-        print('### ip -6 route show dev client default')
-        output = check_output('ip -6 route show dev client default')
-        print(output)
-        self.assertRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 200 expires [0-9]*sec pref medium')
-        self.assertRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 200 expires [0-9]*sec pref medium')
-        self.assertNotIn('pref high', output)
-        self.assertNotIn('pref low', output)
-        self.assertNotIn('metric 512', output)
-        self.assertNotIn('metric 2048', output)
+        # Use route options to configure default routes.
+        # The preference specified in the RA header should be ignored. See issue #33468.
+        with open(os.path.join(network_unit_dir, '25-veth-router-high.network'), mode='a', encoding='utf-8') as f:
+            f.write('\n[IPv6SendRA]\nRouterPreference=high\n[IPv6RoutePrefix]\nRoute=::/0\nLifetimeSec=1200\n')
+        with open(os.path.join(network_unit_dir, '25-veth-router-low.network'), mode='a', encoding='utf-8') as f:
+            f.write('\n[IPv6SendRA]\nRouterPreference=low\n[IPv6RoutePrefix]\nRoute=::/0\nLifetimeSec=1200\n')
+        networkctl_reload()
+        self.check_router_preference('01', 200, 'medium', 200, 'medium')
+
+        # Set zero lifetime to the route options.
+        # The preference specified in the RA header should be used.
+        with open(os.path.join(network_unit_dir, '25-veth-router-high.network'), mode='a', encoding='utf-8') as f:
+            f.write('LifetimeSec=0\n')
+        with open(os.path.join(network_unit_dir, '25-veth-router-low.network'), mode='a', encoding='utf-8') as f:
+            f.write('LifetimeSec=0\n')
+        networkctl_reload()
+        self.check_router_preference('01', 100, 'high', 300, 'low')

    def _test_ndisc_vs_static_route(self, manage_foreign_nexthops):
        if not manage_foreign_nexthops:
--- a/test/units/TEST-07-PID1.working-directory.sh
+++ b/test/units/TEST-07-PID1.working-directory.sh
@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+set -eux
+set -o pipefail
+
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
+(! systemd-run --wait -p DynamicUser=yes \
+                      -p EnvironmentFile=-/usr/lib/systemd/systemd-asan-env \
+                      -p WorkingDirectory='~' true)
+
+assert_eq "$(systemd-run --pipe --uid=root -p WorkingDirectory='~' pwd)" "/root"
+assert_eq "$(systemd-run --pipe --uid=nobody -p WorkingDirectory='~' pwd)" "/"
+assert_eq "$(systemd-run --pipe --uid=testuser -p WorkingDirectory='~' pwd)" "/home/testuser"
+
+(! systemd-run --wait -p DynamicUser=yes -p User=testuser \
+                      -p EnvironmentFile=-/usr/lib/systemd/systemd-asan-env \
+                      -p WorkingDirectory='~' true)
--- a/test/units/TEST-74-AUX-UTILS.varlinkctl.sh
+++ b/test/units/TEST-74-AUX-UTILS.varlinkctl.sh
@ -3,6 +3,9 @@
 set -eux
 set -o pipefail

+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
 # Unset $PAGER so we don't have to use --no-pager everywhere
 export PAGER=

@ -160,3 +163,19 @@ done
 varlinkctl info /run/systemd/io.systemd.Hostname
 varlinkctl introspect /run/systemd/io.systemd.Hostname io.systemd.Hostname
 varlinkctl call /run/systemd/io.systemd.Hostname io.systemd.Hostname.Describe '{}'
+
+varlinkctl info /run/systemd/io.systemd.Manager
+varlinkctl introspect /run/systemd/io.systemd.Manager io.systemd.Manager
+
+for _ in $(seq 3); do
+    systemd-run --service-type=oneshot --no-block sleep infinity
+done
+
+varlinkctl call /run/systemd/io.systemd.Manager io.systemd.Manager.Describe '{}'
+JOB="$(varlinkctl call --more /run/systemd/io.systemd.Manager io.systemd.Manager.ListJobs '{}' | jq --slurp .[0].id)"
+assert_eq "$(varlinkctl call /run/systemd/io.systemd.Manager io.systemd.Manager.ListJobs "{\"id\": $JOB}" | jq .id)" "$JOB"
+
+systemctl start user@4711
+varlinkctl info /run/user/4711/systemd/io.systemd.Manager
+varlinkctl introspect /run/user/4711/systemd/io.systemd.Manager
+varlinkctl call /run/user/4711/systemd/io.systemd.Manager io.systemd.Manager.Describe '{}'
--- a/units/systemd-confext.service
+++ b/units/systemd-confext.service
@ -16,6 +16,7 @@ ConditionDirectoryNotEmpty=|/run/confexts
 ConditionDirectoryNotEmpty=|/var/lib/confexts
 ConditionDirectoryNotEmpty=|/usr/local/lib/confexts
 ConditionDirectoryNotEmpty=|/usr/lib/confexts
+ConditionDirectoryNotEmpty=|/.extra/confext

 DefaultDependencies=no
 After=local-fs.target
Author	SHA1	Message	Date
Daan De Meyer	bfaaf5c6d3	Merge `45ce3cf8e7` into `b7eefa1996`	2024-11-21 12:17:43 +01:00
Luca Boccassi	b7eefa1996	cgroup-util: fix memory leak on error CID#1565824 Follow-up for `f6793bbcf0`	2024-11-21 14:02:34 +09:00
Luca Boccassi	2e5b0412f9	network: update state files before replying bus method (#35255 ) Follow-up for `2b07a3211b`. Fixes the failure found in https://autopkgtest.ubuntu.com/results/autopkgtest-noble-upstream-systemd-ci-systemd-ci/noble/amd64/s/systemd-upstream/20241115_182040_92382@/log.gz . Relevant logs: ``` Nov 16 02:48:36 systemd-networkd[2706]: veth99: Reconfiguring with /run/systemd/network/25-dhcp-client-ipv6-only.network. Nov 16 02:48:36 systemd-networkd[2706]: veth99: NDISC: Started IPv6 Router Solicitation client Nov 16 02:48:36 systemd-networkd[2706]: veth99: IPv6 Router Discovery is configured and started. Nov 16 02:48:36 systemd-networkd[2706]: veth99: NDISC: Sent Router Solicitation, next solicitation in 3s Nov 16 02:48:36 systemd-networkd[2706]: veth99: NDISC: Received Router Advertisement from fe80::1034:56ff:fe78:9abd: flags=0xc0(managed, other), preference=medium, lifetime=30min Nov 16 02:48:36 systemd-networkd[2706]: veth99: NDISC: Invoking callback for 'router' event. Nov 16 02:48:36 systemd-networkd[2706]: veth99: link_check_ready(): dynamic addressing protocols are enabled but none of them finished yet. Nov 16 02:48:36 systemd-networkd[2706]: veth99: DHCPv6 client: Starting in Solicit mode Nov 16 02:48:36 systemd-networkd[2706]: veth99: DHCPv6 client: State changed: stopped -> solicitation Nov 16 02:48:36 systemd-networkd[2706]: veth99: Acquiring DHCPv6 lease on NDisc request Nov 16 02:48:36 systemd-networkd[2706]: veth99: DHCPv6 client: Sent Solicit Nov 16 02:48:36 systemd-networkd[2706]: veth99: DHCPv6 client: Next retransmission in 1s Nov 16 02:48:37 systemd-networkd[2706]: veth99: DHCPv6 client: Sent Solicit Nov 16 02:48:37 systemd-networkd[2706]: veth99: DHCPv6 client: Next retransmission in 1s Nov 16 02:48:39 systemd-networkd[2706]: veth99: NDISC: Received Neighbor Advertisement from fe80::1034:56ff:fe78:9abd: Router=yes, Solicited=yes, Override=no Nov 16 02:48:39 systemd-networkd[2706]: veth99: NDISC: Invoking callback for 'neighbor' event. Nov 16 02:48:39 systemd-networkd[2706]: veth99: DHCPv6 client: Processed Reply message Nov 16 02:48:39 systemd-networkd[2706]: veth99: DHCPv6 client: T1 expires in 50s Nov 16 02:48:39 systemd-networkd[2706]: veth99: DHCPv6 client: T2 expires in 55s Nov 16 02:48:39 systemd-networkd[2706]: veth99: DHCPv6 client: Valid lifetime expires in 2min Nov 16 02:48:39 systemd-networkd[2706]: veth99: DHCPv6 client: State changed: solicitation -> bound Nov 16 02:48:39 systemd-networkd[2706]: veth99: DHCPv6 address 2600::15/128 (valid for 1min 59s, preferred for 1min 59s) Nov 16 02:48:41 systemd-networkd[2706]: veth99: Received updated DHCPv6 address (configured): 2600::15/128 (valid for 1min 58s, preferred for 1min 58s), flags: no-prefixroute, scope: global Nov 16 02:48:41 systemd-networkd[2706]: veth99: DHCPv6 addresses and routes set. Nov 16 02:48:41 systemd-networkd[2706]: veth99: link_check_ready(): IPv4LL:no DHCPv4:no DHCPv6:yes DHCP-PD:no NDisc:no Nov 16 02:48:41 systemd-networkd[2706]: veth99: State changed: configuring -> configured ``` The interface veth99 entered the configured state after 5 seconds, but at the same time, the `wait_online()` in the test script considered the test failed. The function `wait_online()` first invokes `systemd-networkd-wait-online` with `--timeout=20`, then check setup states of interfaces with 5 seconds timeout. So, the failure suggests that `systemd-networkd-wait-online` finishes immediately, as the state file was not updated when it is invoked, and thus it handles the interface veth99 already in the configured state.	2024-11-20 23:36:35 +00:00
Martin Srebotnjak	69af4849aa	po: Translated using Weblate (Slovenian) Currently translated at 100.0% (257 of 257 strings) Co-authored-by: Martin Srebotnjak <miles@filmsi.net> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/sl/ Translation: systemd/main	2024-11-21 04:17:08 +09:00
Jiri Grönroos	18d4e0be89	po: Translated using Weblate (Finnish) Currently translated at 100.0% (257 of 257 strings) Co-authored-by: Jiri Grönroos <jiri.gronroos@iki.fi> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/fi/ Translation: systemd/main	2024-11-21 04:17:08 +09:00
Dmytro Markevych	7d7b89a015	po: Translated using Weblate (Ukrainian) Currently translated at 100.0% (257 of 257 strings) Co-authored-by: Dmytro Markevych <hotr1pak@gmail.com> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/uk/ Translation: systemd/main	2024-11-21 04:17:08 +09:00
Léane GRASSER	8a92365f79	po: Translated using Weblate (French) Currently translated at 100.0% (257 of 257 strings) Co-authored-by: Léane GRASSER <leane.grasser@proton.me> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/fr/ Translation: systemd/main	2024-11-21 04:17:08 +09:00
Yu Watanabe	2b397d43ab	test-network: actually check metric and preference Otherwise, nexthop ID may contain e.g. 300, then === AssertionError: '300' unexpectedly found in 'default nhid 3860882700 via fe80::1034:56ff:fe78:9a99 proto ra metric 512 expires 1798sec pref high\n default nhid 2639230080 via fe80::1034:56ff:fe78:9a98 proto ra metric 2048 expires 1798sec pref low' ===	2024-11-21 03:43:35 +09:00
Yu Watanabe	9ad294efd0	network: update state files before replying bus method Follow-up for `2b07a3211b`.	2024-11-21 03:42:06 +09:00
Lennart Poettering	f6793bbcf0	killall: gracefully handle processes inserted into containers via nsenter -a "nsenter -a" doesn't migrate the specified process into the target cgroup (it really should). Thus the cgroup will remain in a cgroup that is (due to cgroup ns) outside our visibility. The kernel will report the cgroup path of such cgroups as starting with "/../". Detect that and print a reasonably error message instead of trying to resolve that.	2024-11-20 18:11:38 +00:00
Mike Yuan	f87863a8ff	process-util: refuse to operate on remote PidRef Follow-up for `7e3e540b88`	2024-11-20 18:10:26 +00:00
Antonio Alvarez Feijoo	58c3c2886d	cryptenroll: fix typo	2024-11-20 18:03:44 +00:00
Daan De Meyer	dbbe895807	test-audit-util: Migrate to new assertion macros	2024-11-20 16:48:55 +00:00
Yu Watanabe	52b0351a15	core/exec-invoke: suppress placeholder home only in build_environment() (#35219 ) Alternative to https://github.com/systemd/systemd/pull/34789 Closes #34789	2024-11-20 17:34:25 +09:00
Luca Boccassi	fe077a1a58	units: add initrd directory to list of conditions for systemd-confext systemd-sysext has the same check, but it was forgotten for confexts. Needed to activate confexts from the ESP in the initrd.	2024-11-20 09:12:24 +01:00
Xuanjun Wen	a526b9ddfc	hwdb: add new Cube Mix Plus (i18D) rotation info Added rotation information for the new version of Cube Mix Plus (i18D).	2024-11-20 05:23:34 +09:00
Mike Yuan	804dd670d1	sd-varlink: mark sd_varlink_server_{ref,unref} as _public_ (#35241 ) Co-authored-by: Thorsten Kukuk <kukuk@suse.com>	2024-11-20 05:21:15 +09:00
Lennart Poettering	d5bb359429	user-record: don't synthesize default list of self-modfiable fields for non-regular users. (#35133 ) A follow-up for `a192250eda` /cc @AdrianVovk	2024-11-19 14:32:21 +01:00
Antonio Alvarez Feijoo	a04d42821b	man/kernel-command-line: fix typo	2024-11-19 13:59:11 +01:00
Luca Boccassi	987156769b	network/ndisc: process zero lifetime options at first (#35212 ) Fixes two issues reported at #33468.	2024-11-19 12:42:03 +00:00
Antonio Alvarez Feijoo	2b251491de	cryptenroll: show better log message if slot to wipe does not exist ``` $ systemd-cryptenroll /dev/vda3 SLOT TYPE 0 password $ systemd-cryptenroll --wipe-slot 1 /dev/vda3 Failed to wipe slot 1, continuing: No such file or directory ```	2024-11-19 12:00:50 +01:00
Lennart Poettering	12b06fef7a	update TODO	2024-11-19 11:03:16 +01:00
Yaron Shahrabani	dd7bc02ee6	po: Translated using Weblate (Hebrew) Currently translated at 100.0% (257 of 257 strings) Co-authored-by: Yaron Shahrabani <sh.yaron@gmail.com> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/he/ Translation: systemd/main	2024-11-19 19:01:31 +09:00
Mantas Mikulėnas	2424a67c02	ssh-generator: silence "Binding to socket" messages	2024-11-19 11:00:20 +01:00
Lennart Poettering	ebe37f771c	user-record: distinguish explicit and implicit empty modifiable lists case We now distinguish two cases: where the list of self modifiable fields is explicitly set to empty, and where the default is empty. Let's display them differently in the output. When set explicitly to empty let's mention the admin, otherwise just say "none".	2024-11-19 10:15:42 +01:00
Lennart Poettering	ac8e381e26	user-record: only synthesize default list of self-modifiable fields for regular users For system users we should lock things down, hence generate an empty list. This is mostly a safety precaution, but also hides really confusing output of "userdbctl user" for an system user. Follow-up for: `a192250eda`	2024-11-19 10:15:40 +01:00
Zbigniew Jędrzejewski-Szmek	574a04f62a	test: fix generate-sym-test using the wrong array (#35185 ) For my understanding bsearch is searching in the wrong array. Or, if it's the right one, then the size is wrong. In another commit I made the arrays different by mistake and that triggered a SIGSEV during tests.	2024-11-19 10:15:18 +01:00
Lennart Poettering	ec97125a7e	vmspawn: enable memory pressure logic for vmspawn	2024-11-19 10:12:03 +01:00
Lennart Poettering	54646b1ca9	systemctl: grey out tasks limit the same way we grey out the fd store limit in the output "systemctl status systemd-logind" otherwise looks a bit weird, since the tasks and the fdstore lines are so close to each other but formatted quite differently when it comes to coloring.	2024-11-19 10:11:49 +01:00
Federico Giovanardi	0c851a58f7	style: Fix formatting	2024-11-19 09:55:07 +01:00
Mike Yuan	b718b86e1b	core/exec-invoke: suppress placeholder home only in build_environment() Currently, get_fixed_user() employs USER_CREDS_SUPPRESS_PLACEHOLDER, meaning home path is set to NULL if it's empty or root. However, the path is also used for applying WorkingDirectory=~, and we'd spuriously use the invoking user's home as fallback even if User= is changed in that case. Let's instead delegate such suppression to build_environment(), so that home is proper initialized for usage at other steps. shell doesn't actually suffer from such problem, but it's changed too for consistency. Alternative to #34789	2024-11-19 00:38:18 +01:00
Mike Yuan	d911778877	core/exec-invoke: minor cleanup for apply_working_directory() error handling Assign exit_status at the same site where error log is emitted, for readability.	2024-11-19 00:38:18 +01:00
Mike Yuan	eea9d3eb10	basic/user-util: split out placeholder suppression from USER_CREDS_CLEAN into its own flag No functional change, preparation for later commits.	2024-11-19 00:38:18 +01:00
Mike Yuan	579ce77ead	basic/user-util: introduce shell_is_placeholder() helper	2024-11-19 00:38:18 +01:00
Daan De Meyer	70bb29db62	mkosi: Enable clangd execution for all distributions	2024-11-18 23:21:24 +00:00
Lennart Poettering	cc74edd861	update TODO	2024-11-18 23:50:04 +01:00
Yu Watanabe	c295b558bf	test-network: add test case for IPv6 Core Conformance test v6LC.2.2.23	2024-11-19 04:48:39 +09:00
Yu Watanabe	16ccdc3748	test-network: split out check_router_preference() from test_router_preference() This also drop high2.network and low2.network, and edit high.network and low.network during the test.	2024-11-19 04:44:59 +09:00
Yu Watanabe	25688f8d5a	network/ndisc: first process options with zero lifetime Fixes IPv6 Core Conformance test failures reported at #33468. https://www.ipv6ready.org/docs/Core_Conformance.pdf Test v6LC.2.2.23 h and j: Processing Router Advertisement with Route Information Option (Host Only) When a RA contains route option with ::/0 prefix, then previously that may contradict with the default route requested with the RA header. If the route option has zero lifetime, the existing default route should be removed, and a new route based on the RA header should be configured. If the route option has non-zero lifetime, the RA header should be ignored. So, we first need to process options with zero lifetime (not only route option, as the similar reasons), then configure the default route based on the RA, finally process options with non-zero lifetime.	2024-11-19 04:04:14 +09:00
Yu Watanabe	cb3243460b	network/ndisc: sd_ndisc_router_route_get_preference() does not return -EOPNOTSUPP anymore	2024-11-19 04:04:14 +09:00
Yu Watanabe	c8ddd5ff72	ndisc-option: use memcpy_safe() at one more place As 'len' may be 8. Follow-up for `a163404cc8`.	2024-11-19 04:04:14 +09:00
Zbigniew Jędrzejewski-Szmek	5e7e4e4d49	ukify: fix parsing of SignTool configuration option This partially reverts `02eabaffe9`. As noted in https://github.com/systemd/systemd/pull/35211: > The configuration parsing simply stores the string as-is, rather than > creating the appropriate object One way to fix the issue would be to store the "appropriate object", i.e. actually the class. But that makes the code very verbose, with the conversion being done in two places. And that still doesn't fix the issue, because we need to map the class objects back to the original name in error messages. So instead, store the setting as a string and only map it to the class much later. This makes the code simpler and fixes the error messages too. Resolves https://github.com/systemd/systemd/pull/35193	2024-11-18 14:58:41 +00:00
Yu Watanabe	4d9cac56db	man: fix copy-and-paste error Follow-up for `85a1360ecf`.	2024-11-18 15:18:26 +09:00
Yu Watanabe	85a1360ecf	man: add several future version info tags	2024-11-18 15:04:17 +09:00
Yu Watanabe	ec0847f8fb	po: update Japanese translations	2024-11-18 13:01:34 +09:00
Yu Watanabe	efb158a11b	network/netdev: fix typo Follow-up for `09db410606`.	2024-11-18 12:53:21 +09:00
Michał Górny	7fd70a5326	nspawn: Include arm_fadvise64_64 in syscall allow_list Add the `arm_fadvise64_64` syscall to the allow_list, in addition to the existing `fadvise64` and `fadvise64_64` syscalls, as this is the syscall actually defined for `arm` architecture. Adding it fixes the syscall being rejected in arm32 containers. Fixes #35194	2024-11-18 11:43:35 +09:00
Yaron Shahrabani	2b60615a41	po: Translated using Weblate (Hebrew) Currently translated at 89.1% (229 of 257 strings) Co-authored-by: Yaron Shahrabani <sh.yaron@gmail.com> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/he/ Translation: systemd/main	2024-11-18 01:17:40 +09:00
Weblate Translation Memory	d0ac6be44b	po: Translated using Weblate (German) Currently translated at 95.7% (246 of 257 strings) Co-authored-by: Weblate Translation Memory <noreply-mt-weblate-translation-memory@weblate.org> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/de/ Translation: systemd/main	2024-11-18 01:17:40 +09:00
Ettore Atalan	6b5ce5d6cc	po: Translated using Weblate (German) Currently translated at 95.7% (246 of 257 strings) Co-authored-by: Ettore Atalan <atalanttore@googlemail.com> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/de/ Translation: systemd/main	2024-11-18 01:17:40 +09:00
Sergey A	033ee241b7	po: Translated using Weblate (Russian) Currently translated at 100.0% (257 of 257 strings) Co-authored-by: Sergey A <Ser82-png@yandex.ru> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/ru/ Translation: systemd/main	2024-11-17 15:50:36 +00:00
Luca Boccassi	72cfd2def6	mkosi: Update packaging specs (#35196 )	2024-11-17 15:49:24 +00:00
Daan De Meyer	ac2cdd8d09	mkosi: update debian commit reference * 51cd22f368 Update changelog for 257~rc2-3 release * 5308c3b905 Backport patch to remove faulty unit test assertion * b7d805151b Update changelog for 257~rc2-2 release * 5afc23b288 Backport patch to fix FTBFS due to failing unit test * 0ca89ce40c Update changelog for 257~rc2-1 release * f27216d493 Update lintian override to ignore false positive typos * 2caa74f473 d/rules: adjust blhc override to account for source files being moved * 6b48328ead systemd-ukify: recommend systemd-repart * 5e01b67f43 systemd-ukify: downgrade dependency on systemd, not mandatory * 3a4dd59e41 Install new systemd-keyutil binary in the systemd-repart package * e64cffab71 Drop all patches, merged upstream * 0fcef228c7 Update upstream source from tag 'upstream/257_rc2' * a01322bb29 d/t/control: add more packages to dummy hint-testsuite-triggers	2024-11-17 13:00:59 +01:00
Daan De Meyer	59cd621733	mkosi: update fedora commit reference * 7bd1d09f7f Change sysusers u! lines to u because we don't have support in rpm * 943bd94cf6 Version 257~rc2 * 6162965002 Disable freezing of user sessions * 0c236cedb9 Upload sources * ea947ce068 Version 257~rc1 * 834ba50e79 Use %posttrans instead of %postun to restart services * 8dafa3810b Disable OpenSSL v3 ENGINE on RHEL * 8f44e8097d Add forgotten patch * 86ca699d18 Backport user manager reexec changes * 009c64d6a2 Use %systemd_preun in systemd-resolved	2024-11-17 13:00:57 +01:00
Daan De Meyer	c36a963956	mkosi: update arch commit reference * 29a73017cd upgpkg: 256.8-1: new upstream release * cda4f7b35e add a hint on my personal testing repository	2024-11-17 13:00:55 +01:00
Federico Giovanardi	55980446c3	test: fix generate-sym-test using the wrong array The second check was searching the symbols into the same array, but using the size of the other. This generated a SIGSEV when they occassionally mismatched.	2024-11-15 17:12:42 +01:00
Daan De Meyer	45ce3cf8e7	WIP	2024-11-05 20:24:39 +01:00
Daan De Meyer	ad4ad82924	core: Expose Job object information via varlink Let's extend pid1's varlink interface and add a DescribeJobs method to get the job information as a streaming list of JSON objects.	2024-11-05 20:24:39 +01:00
Daan De Meyer	8c1bff449c	core: Expose Manager object information via varlink Let's extend pid1's varlink interface and add a Describe method to get the global Manager object information as a JSON object. Because the new varlink interface should be available on both the user managers and the system manager, we also make the necessary changes to expose a varlink server on user managers.	2024-11-05 20:24:39 +01:00