Merge 67ec29d9e4 into 3bb398c299

We already have LOG_CONTEXT_PUSH_EXEC() which with two additions
does exactly the same as the custom logging macros, so let's get rid
of the custom logging macros and use LOG_CONTEXT_PUSH_EXEC() instead.

.github/workflows/build_test.sh

@@ -10,7 +10,7 @@ fatal() { echo >&2 -e "\033[31;1m$1\033[0m"; exit 1; }
 success() { echo >&2 -e "\033[32;1m$1\033[0m"; }
 
 ARGS=(
-    "--optimization=0 -Dopenssl=disabled -Dcryptolib=gcrypt -Ddns-over-tls=gnutls -Dtpm=true -Dtpm2=enabled"
+    "--optimization=0 -Dopenssl=disabled -Dtpm=true -Dtpm2=enabled"
     "--optimization=s -Dutmp=false"
     "--optimization=2 -Dc_args=-Wmaybe-uninitialized -Ddns-over-tls=openssl"
     "--optimization=3 -Db_lto=true -Ddns-over-tls=false"
@@ -67,7 +67,6 @@ PACKAGES=(
 COMPILER="${COMPILER:?}"
 COMPILER_VERSION="${COMPILER_VERSION:?}"
 LINKER="${LINKER:?}"
-CRYPTOLIB="${CRYPTOLIB:?}"
 RELEASE="$(lsb_release -cs)"
 
 # Note: As we use postfixed clang/gcc binaries, we need to override $AR
@@ -150,7 +149,7 @@ for args in "${ARGS[@]}"; do
          CXX="$CXX" CXX_LD="$LINKER" CXXFLAGS="$CXXFLAGS" \
          meson setup \
                -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true --werror \
-               -Dnobody-group=nogroup -Dcryptolib="${CRYPTOLIB:?}" -Ddebug=false \
+               -Dnobody-group=nogroup -Ddebug=false \
                $args build; then
 
         cat build/meson-logs/meson-log.txt

.github/workflows/build_test.yml

@@ -25,11 +25,11 @@ jobs:
       fail-fast: false
       matrix:
         env:
-          - { COMPILER: "gcc",   COMPILER_VERSION: "11", LINKER: "bfd",  CRYPTOLIB: "gcrypt"  }
+          - { COMPILER: "gcc",   COMPILER_VERSION: "11", LINKER: "bfd"  }
-          - { COMPILER: "gcc",   COMPILER_VERSION: "13", LINKER: "mold", CRYPTOLIB: "openssl" }
+          - { COMPILER: "gcc",   COMPILER_VERSION: "13", LINKER: "mold" }
-          - { COMPILER: "clang", COMPILER_VERSION: "14", LINKER: "mold", CRYPTOLIB: "gcrypt"  }
+          - { COMPILER: "clang", COMPILER_VERSION: "14", LINKER: "mold" }
-          - { COMPILER: "clang", COMPILER_VERSION: "16", LINKER: "bfd",  CRYPTOLIB: "openssl" }
+          - { COMPILER: "clang", COMPILER_VERSION: "16", LINKER: "bfd"  }
-          - { COMPILER: "clang", COMPILER_VERSION: "18", LINKER: "lld",  CRYPTOLIB: "auto"    }
+          - { COMPILER: "clang", COMPILER_VERSION: "18", LINKER: "lld"  }
     env: ${{ matrix.env }}
     steps:
       - name: Repository checkout

.github/workflows/coverage.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: systemd/mkosi@32105855f386c980069d134d1b0f8fea4db2129e
+      - uses: systemd/mkosi@dbb4020beee2cdf250f93a425794f1cf8b0fe693
 
       # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
       # immediately, we remove the files in the background. However, we first move them to a different location
@@ -90,7 +90,6 @@ jobs:
           sudo mkosi sandbox -- \
             meson setup \
             --buildtype=debugoptimized \
-            -Dintegration-tests=true \
             build
 
       - name: Build image
@@ -120,7 +119,8 @@ jobs:
             meson test \
             -C build \
             --no-rebuild \
-            --suite integration-tests \
+            --setup=integration \
+            --suite=integration-tests \
             --print-errorlogs \
             --no-stdsplit \
             --num-processes "$(($(nproc) - 1))" \

.github/workflows/mkosi.yml

@@ -120,7 +120,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: systemd/mkosi@32105855f386c980069d134d1b0f8fea4db2129e
+      - uses: systemd/mkosi@dbb4020beee2cdf250f93a425794f1cf8b0fe693
 
       # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
       # immediately, we remove the files in the background. However, we first move them to a different location
@@ -197,7 +197,6 @@ jobs:
           sudo mkosi sandbox -- \
             meson setup \
             --buildtype=debugoptimized \
-            -Dintegration-tests=true \
             -Dbpf-framework=disabled \
             build
 
@@ -233,7 +232,8 @@ jobs:
             meson test \
             -C build \
             --no-rebuild \
-            --suite integration-tests \
+            --setup=integration \
+            --suite=integration-tests \
             --print-errorlogs \
             --no-stdsplit \
             --num-processes "$(($(nproc) - 1))" \

.github/workflows/unit_tests.sh

@@ -41,7 +41,7 @@ function run_meson() {
 
 set -ex
 
-MESON_ARGS=(-Dcryptolib=${CRYPTOLIB:-auto})
+MESON_ARGS=()
 
 # (Re)set the current oom-{score-}adj. For some reason root on GH actions is able to _decrease_
 # its oom-score even after dropping all capabilities (including CAP_SYS_RESOURCE), until the

.github/workflows/unit_tests.yml

@@ -16,18 +16,15 @@ jobs:
   build:
     runs-on: ubuntu-24.04
     concurrency:
-      group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ matrix.cryptolib }}-${{ github.ref }}
+      group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ github.ref }}
       cancel-in-progress: true
     strategy:
       fail-fast: false
       matrix:
         run_phase: [GCC, GCC_ASAN_UBSAN, CLANG, CLANG_RELEASE, CLANG_ASAN_UBSAN, CLANG_ASAN_UBSAN_NO_DEPS]
-        cryptolib: [auto]
         include:
           - run_phase: GCC
-            cryptolib: openssl
           - run_phase: CLANG
-            cryptolib: gcrypt
     steps:
       - name: Repository checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
@@ -38,8 +35,6 @@ jobs:
           sudo sed -i '/^XDG_/d' /etc/environment
           # Pass only specific env variables through sudo, to avoid having
           # the already existing XDG_* stuff on the "other side"
-          sudo --preserve-env=CRYPTOLIB,GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh SETUP
+          sudo --preserve-env=GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh SETUP
       - name: Build & test
-        run: sudo --preserve-env=CRYPTOLIB,GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh RUN_${{ matrix.run_phase }}
+        run: sudo --preserve-env=GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh RUN_${{ matrix.run_phase }}
-        env:
-          CRYPTOLIB: ${{ matrix.cryptolib }}

.gitignore

@@ -24,8 +24,8 @@ __pycache__/
 /ID
 /build*
 /install-tree
-/mkosi.key
+/mkosi/mkosi.key
-/mkosi.crt
+/mkosi/mkosi.crt
 /mkosi.tools/
 /mkosi.tools.manifest
 /mkosi/mkosi.local.conf

.packit.yml

@@ -39,7 +39,7 @@ jobs:
   trigger: pull_request
   fmf_url: https://src.fedoraproject.org/rpms/systemd
   # This is automatically updated by tools/fetch-distro.py --update fedora
-  fmf_ref: 08ce156d74460867657fb9b201c8be93d31e07de
+  fmf_ref: 6646d13acae64665f63354cd60ecf963ee563b96
   targets:
   - fedora-rawhide-x86_64
   # testing-farm in the Fedora repository is explicitly configured to use testing-farm bare metal runners as

LICENSES/README.md

@@ -32,23 +32,23 @@ The following exceptions apply:
  * some sources under src/udev/ are licensed under **GPL-2.0-or-later**,
    so all udev programs (`systemd-udevd`, `udevadm`, and the udev builtins
    and test programs) are also distributed under **GPL-2.0-or-later**.
- * the header files contained in src/basic/linux/ and src/shared/linux/ are copied
+ * the header files contained in src/basic/include/linux are copied
    verbatim from the Linux kernel source tree and are licensed under **GPL-2.0 WITH
    Linux-syscall-note** and are used within the scope of the Linux-syscall-note
    exception provisions
  * the following sources are licensed under the **LGPL-2.0-or-later** license:
    - src/basic/utf8.c
    - src/shared/initreq.h
- * the src/shared/linux/bpf_insn.h header is copied from the Linux kernel
+ * the src/basic/include/linux/bpf_insn.h header is copied from the Linux kernel
    source tree and is licensed under either **BSD-2-Clause** or **GPL-2.0-only**,
    and thus is included in the systemd build under the BSD-2-Clause license.
- * The src/basic/linux/wireguard.h header is copied from the Linux kernel
+ * The src/basic/include/linux/wireguard.h header is copied from the Linux kernel
    source tree and is licensed under either **MIT** or **GPL-2.0 WITH Linux-syscall-note**,
    and thus is included in the systemd build under the MIT license.
  * the following sources are licensed under the **MIT** license (in case of our
    scripts, to facilitate copying and reuse of those helpers to other projects):
    - hwdb.d/parse_hwdb.py
-   - src/basic/linux/batman_adv.h
+   - src/basic/include/linux/batman_adv.h
    - src/basic/sparse-endian.h
    - tools/catalog-report.py
  * the following sources are licensed under the **CC0-1.0** license:

NEWS

@@ -67,6 +67,12 @@ CHANGES WITH 258 in spe:
           in v255), 'default-hierarchy' (v256), and 'nscd' (v257) have been
           removed.
 
+        * OpenSSL is the only crypto backend for systemd-resolved and
+          systemd-importd, and support for gnutls and gcrypt has been removed.
+          Hence, support for 'dns-over-tls=gnutls' meson option has been
+          removed. Also, 'cryptolib' meson option has been deprecated, and will
+          be removed in a future release.
+
         Announcements of Future Feature Removals:
 
         * The D-Bus method org.freedesktop.systemd1.StartAuxiliaryScope() is
@@ -96,6 +102,9 @@ CHANGES WITH 258 in spe:
           continue to work, update to xf86-input-evdev >= 2.11.0 and
           xf86-input-libinput >= 1.5.0 before updating to systemd >= 258.
 
+        * The meson option 'integration-tests' has been deprecated, and will be
+          removed in a future release.
+
         — <place>, <date>
 
 CHANGES WITH 257:

README

@@ -240,8 +240,7 @@ REQUIREMENTS:
         libcurl >= 7.32.0 (optional)
         libidn2 or libidn (optional)
         gnutls >= 3.1.4 (optional)
-               >= 3.6.0 is required to support DNS-over-TLS with gnutls
+        openssl >= 1.1.0 (optional, required to support DNS-over-TLS)
-        openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
         p11-kit >= 0.23.3 (optional)
         libfido2 (optional)
         tpm2-tss (optional)

TODO

@@ -59,8 +59,6 @@ Regularly:
 
 * set_put(), hashmap_put() return values check. i.e. == 0 does not free()!
 
-* use secure_getenv() instead of getenv() where appropriate
-
 * link up selected blog stories from man pages and unit files Documentation= fields
 
 Janitorial Clean-ups:
@@ -130,6 +128,13 @@ Deprecations and removals:
 
 Features:
 
+* loginctl: show argv[] of "leader" process in tabular list-sessions output
+
+* loginctl: show "service identifier" in tabular list-sessions output, to make
+  run0 sessions easily visible.
+
+* run0: maybe enable utmp for run0 sessions, so that they are easily visible.
+
 * maybe replace nss-machines with logic in networkd that registers records with
   systemd-resolved, based on DHCP leases, so that we gain compat with VMs.
   Implementation idea: encode in an ifaltname the intended local name to expose this
@@ -1786,7 +1791,6 @@ Features:
   with matches, then activate app through that passing socket over
 
 * unify on openssl:
-  - kill gnutls support in resolved
   - figure out what to do about libmicrohttpd, which has a hard dependency on
     gnutls
   - port fsprg over to a dlopen lib, then switch it to openssl

coccinelle/run-coccinelle.sh

@@ -5,8 +5,7 @@ set -e
 # Exclude following paths from the Coccinelle transformations
 EXCLUDED_PATHS=(
     "src/boot/efi/*"
-    "src/shared/linux/*"
+    "src/basic/include/linux/*"
-    "src/basic/linux/*"
     # Symlinked to test-bus-vtable-cc.cc, which causes issues with the IN_SET macro
     "src/libsystemd/sd-bus/test-bus-vtable.c"
     "src/libsystemd/sd-journal/lookup3.c"

docs/GROUP_RECORD.md

@@ -20,6 +20,12 @@ they carry some identical (or at least very similar) fields.
 Matches the `gr_name` field of UNIX/glibc NSS `struct group`,
 or the shadow structure `struct sgrp`'s `sg_namp` field.
 
+`uuid` -> A string containing a lowercase UUID that identifies this group.
+The same considerations apply to this field as they do to the corresponding field of user records.
+Users and groups MUST NOT share the same UUID unless they are semantically
+the same security principal e.g. if a system synthesizes a single-user group from
+user records to be the user's primary group.
+
 `realm` → The "realm" the group belongs to, conceptually identical to the same field of user records.
 A string in DNS domain name syntax.
 

docs/TESTING_WITH_SANITIZERS.md

@@ -18,7 +18,7 @@ compiler you want to use and which part of the test suite you want to run.
 To build with sanitizers in mkosi, create a file `mkosi/mkosi.local.conf` and add the following contents:
 
 ```
-[Content]
+[Build]
 Environment=SANITIZERS=address,undefined
 ```
 

docs/USER_RECORD.md

@@ -234,6 +234,13 @@ retrievable and resolvable under every name listed here, pretty much everywhere
 the primary user name is. If logging in is attempted via an alias name it
 should be normalized to the primary name.
 
+`uuid` -> A string containing a lowercase UUID that identifies this user.
+The UUID should be assigned to the user at creation, be the same across multiple machines,
+and never change (even if the user's username, realm or other identifying attributes change).
+When the user database is backed by Microsoft Active Directory, this field should contain
+he value from the [objectGUID](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-ada3/937eb5c6-f6b3-4652-a276-5d6bb8979658)
+attribute. The same UUID can be retrieved via `mbr_uid_to_uuid` on macOS.
+
 `blobDirectory` → The absolute path to a world-readable copy of the user's blob
 directory. See [Blob Directories](/USER_RECORD_BLOB_DIRS) for more details.
 

hwdb.d/60-keyboard.hwdb

@@ -383,6 +383,7 @@ evdev:name:gpio-keys:phys:gpio-keys/input0:ev:3:dmi:bvn*:bvr*:bd*:svncube:pni1-T
 ###########################################################
 
 evdev:atkbd:dmi:bvn*:bvr*:bd*:svnDell*:pn*:*
+ KEYBOARD_KEY_68=prog2                                  # G-Mode (Dell-specific)
  KEYBOARD_KEY_81=playpause                              # Play/Pause
  KEYBOARD_KEY_82=stopcd                                 # Stop
  KEYBOARD_KEY_83=previoussong                           # Previous song

man/bootctl.xml

@@ -398,10 +398,12 @@
       </varlistentry>
 
       <varlistentry>
-        <term><option>--no-variables</option></term>
+        <term><option>--variables=yes|no</option></term>
-        <listitem><para>Do not touch the firmware's boot loader list stored in EFI variables.</para>
+        <listitem><para>Controls whether to touch the firmware's boot loader list stored in EFI variables,
+        and other EFI variables. If not specified defaults to no when execution in a container runtime is
+        detected, yes otherwise.</para>
 
-        <xi:include href="version-info.xml" xpointer="v220"/></listitem>
+        <xi:include href="version-info.xml" xpointer="v258"/></listitem>
       </varlistentry>
 
       <varlistentry>

man/importctl.xml

@@ -182,11 +182,12 @@
         archive, possibly compressed with
         <citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
         <citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+        <citerefentry project='die-net'><refentrytitle>zstd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
         or
         <citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
         It will then be unpacked into its own
         subvolume/directory. When <command>import-raw</command> is used, the file should be a qcow2 or raw
-        disk image, possibly compressed with xz, gzip or bzip2. If the second argument (the resulting image
+        disk image, possibly compressed with xz, gzip, zstd or bzip2. If the second argument (the resulting image
         name) is not specified, it is automatically derived from the file name. If the filename is passed as
         <literal>-</literal>, the image is read from standard input, in which case the second argument is
         mandatory.</para>
@@ -222,6 +223,8 @@
         <citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
         if it ends in <literal>.xz</literal>, with
         <citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+        if it ends in <literal>.zst</literal>, with
+        <citerefentry project='die-net'><refentrytitle>zstd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
         and if it ends in <literal>.bz2</literal>, with
         <citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
         If the path ends in neither, the file is left uncompressed. If the second argument is missing, the image
@@ -315,8 +318,8 @@
         <listitem><para>When used with the <option>export-tar</option> or <option>export-raw</option>
         commands, specifies the compression format to use for the resulting file. Takes one of
         <literal>uncompressed</literal>, <literal>xz</literal>, <literal>gzip</literal>,
-        <literal>bzip2</literal>. By default, the format is determined automatically from the output image
+        <literal>zst</literal>, <literal>bzip2</literal>. By default, the format is determined
-        file name passed.</para>
+        automatically from the output image file name passed.</para>
 
         <xi:include href="version-info.xml" xpointer="v256"/></listitem>
       </varlistentry>
@@ -450,6 +453,7 @@
       <member><citerefentry project='die-net'><refentrytitle>tar</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
       <member><citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
       <member><citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry project='die-net'><refentrytitle>zstd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
       <member><citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
     </simplelist></para>
   </refsect1>

man/machinectl.xml

@@ -872,6 +872,7 @@
       <member><citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
       <member><citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
       <member><citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry project='die-net'><refentrytitle>zstd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
     </simplelist></para>
   </refsect1>
 

man/org.freedesktop.import1.xml

@@ -214,12 +214,13 @@ node /org/freedesktop/import1 {
       to the tar or raw file to import. It should reference a file on disk, a pipe or a socket. When
       <function>ImportTar()</function>/<function>ImportTarEx()</function> is used the file descriptor should
       refer to a tar file, optionally compressed with <citerefentry project="die-net"><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+      <citerefentry project="die-net"><refentrytitle>zstd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
       <citerefentry project="die-net"><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry>, or
       <citerefentry project="die-net"><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
       <command>systemd-importd</command> will detect the used compression scheme (if any) automatically. When
       <function>ImportRaw()</function>/<function>ImportRawEx()</function> is used the file descriptor should
       refer to a raw or qcow2 disk image containing an MBR or GPT disk label, also optionally compressed with
-      gzip, bzip2 or xz. In either case, if the file is specified as a file descriptor on disk, progress
+      gzip, zstd, bzip2 or xz. In either case, if the file is specified as a file descriptor on disk, progress
       information is generated for the import operation (as in that case we know the total size on disk). If
       a socket or pipe is specified, progress information is not available. The file descriptor argument is
       followed by a local name for the image. This should be a name suitable as a hostname and will be used
@@ -250,9 +251,9 @@ node /org/freedesktop/import1 {
       name to export as their first parameter, followed by a file descriptor (opened for writing) where the
       tar or raw file will be written. It may either reference a file on disk or a pipe/socket. The third
       argument specifies in which compression format to write the image. It takes one of
-      <literal>uncompressed</literal>, <literal>xz</literal>, <literal>bzip2</literal> or
+      <literal>uncompressed</literal>, <literal>xz</literal>, <literal>bzip2</literal>,
-      <literal>gzip</literal>, depending on which compression scheme is required. The image written to the
+      <literal>gzip</literal> or <literal>zstd</literal>, depending on which compression scheme is required.
-      specified file descriptor will be a tar file in case of
+      The image written to the specified file descriptor will be a tar file in case of
       <function>ExportTar()</function>/<function>ExportTarEx()</function> or a raw disk image in case of
       <function>ExportRaw()</function>/<function>ExportRawEx()</function>. Note that currently raw disk
       images may not be exported as tar files, and vice versa. This restriction might be lifted
@@ -267,8 +268,8 @@ node /org/freedesktop/import1 {
       <function>PullRaw()</function>/<function>PullRawEx()</function> may be used to download, verify and
       import a system image from a URL. They take a URL argument which should point to a tar or raw file on
       the <literal>http://</literal> or <literal>https://</literal> protocols, possibly compressed with xz,
-      bzip2 or gzip. The second argument is a local name for the image. It should be suitable as a hostname,
+      bzip2, gzip or zstd. The second argument is a local name for the image. It should be suitable as a
-      similarly to the matching argument of the
+      hostname, similarly to the matching argument of the
       <function>ImportTar()</function>/<function>ImportTarEx()</function> and
       <function>ImportRaw()</function>/<function>ImportRawEx()</function> methods above. The third argument
       indicates the verification mode for the image. It may be one of <literal>no</literal>,

man/org.freedesktop.systemd1.xml

@@ -477,8 +477,6 @@ node /org/freedesktop/systemd1 {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly b DefaultCPUAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
-      readonly b DefaultBlockIOAccounting = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly b DefaultIOAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly b DefaultIPAccounting = ...;
@@ -719,8 +717,6 @@ node /org/freedesktop/systemd1 {
 
     <!--property DefaultCPUAccounting is not documented!-->
 
-    <!--property DefaultBlockIOAccounting is not documented!-->
-
     <!--property DefaultIOAccounting is not documented!-->
 
     <!--property DefaultIPAccounting is not documented!-->
@@ -1167,8 +1163,6 @@ node /org/freedesktop/systemd1 {
 
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultCPUAccounting"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="DefaultBlockIOAccounting"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultIOAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultIPAccounting"/>
@@ -2906,10 +2900,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t StartupCPUWeight = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t CPUShares = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t StartupCPUShares = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPerSecUSec = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPeriodUSec = ...;
@@ -2940,18 +2930,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(st) IODeviceLatencyTargetUSec = [...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly b BlockIOAccounting = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t BlockIOWeight = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t StartupBlockIOWeight = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIODeviceWeight = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIOReadBandwidth = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIOWriteBandwidth = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t DefaultMemoryLow = ...;
@@ -2984,8 +2962,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryZSwapWriteback = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t MemoryLimit = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly s DevicePolicy = '...';
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(ss) DeviceAllow = [...];
@@ -3565,10 +3541,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <!--property StartupCPUWeight is not documented!-->
 
-    <!--property CPUShares is not documented!-->
-
-    <!--property StartupCPUShares is not documented!-->
-
     <!--property CPUQuotaPerSecUSec is not documented!-->
 
     <!--property CPUQuotaPeriodUSec is not documented!-->
@@ -3599,18 +3571,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <!--property IODeviceLatencyTargetUSec is not documented!-->
 
-    <!--property BlockIOAccounting is not documented!-->
-
-    <!--property BlockIOWeight is not documented!-->
-
-    <!--property StartupBlockIOWeight is not documented!-->
-
-    <!--property BlockIODeviceWeight is not documented!-->
-
-    <!--property BlockIOReadBandwidth is not documented!-->
-
-    <!--property BlockIOWriteBandwidth is not documented!-->
-
     <!--property MemoryAccounting is not documented!-->
 
     <!--property DefaultMemoryLow is not documented!-->
@@ -3643,8 +3603,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <!--property MemoryZSwapWriteback is not documented!-->
 
-    <!--property MemoryLimit is not documented!-->
-
     <!--property DevicePolicy is not documented!-->
 
     <!--property DeviceAllow is not documented!-->
@@ -4237,10 +4195,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUWeight"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="CPUShares"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUShares"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPerSecUSec"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPeriodUSec"/>
@@ -4271,18 +4225,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IODeviceLatencyTargetUSec"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOAccounting"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="StartupBlockIOWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIODeviceWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOReadBandwidth"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWriteBandwidth"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultMemoryLow"/>
@@ -4315,8 +4257,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryZSwapWriteback"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="MemoryLimit"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="DevicePolicy"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DeviceAllow"/>
@@ -5113,10 +5053,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t StartupCPUWeight = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t CPUShares = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t StartupCPUShares = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPerSecUSec = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPeriodUSec = ...;
@@ -5147,18 +5083,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(st) IODeviceLatencyTargetUSec = [...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly b BlockIOAccounting = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t BlockIOWeight = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t StartupBlockIOWeight = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIODeviceWeight = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIOReadBandwidth = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIOWriteBandwidth = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t DefaultMemoryLow = ...;
@@ -5191,8 +5115,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryZSwapWriteback = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t MemoryLimit = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly s DevicePolicy = '...';
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(ss) DeviceAllow = [...];
@@ -5784,10 +5706,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <!--property StartupCPUWeight is not documented!-->
 
-    <!--property CPUShares is not documented!-->
-
-    <!--property StartupCPUShares is not documented!-->
-
     <!--property CPUQuotaPerSecUSec is not documented!-->
 
     <!--property CPUQuotaPeriodUSec is not documented!-->
@@ -5818,18 +5736,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <!--property IODeviceLatencyTargetUSec is not documented!-->
 
-    <!--property BlockIOAccounting is not documented!-->
-
-    <!--property BlockIOWeight is not documented!-->
-
-    <!--property StartupBlockIOWeight is not documented!-->
-
-    <!--property BlockIODeviceWeight is not documented!-->
-
-    <!--property BlockIOReadBandwidth is not documented!-->
-
-    <!--property BlockIOWriteBandwidth is not documented!-->
-
     <!--property MemoryAccounting is not documented!-->
 
     <!--property DefaultMemoryLow is not documented!-->
@@ -5862,8 +5768,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <!--property MemoryZSwapWriteback is not documented!-->
 
-    <!--property MemoryLimit is not documented!-->
-
     <!--property DevicePolicy is not documented!-->
 
     <!--property DeviceAllow is not documented!-->
@@ -6428,10 +6332,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUWeight"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="CPUShares"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUShares"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPerSecUSec"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPeriodUSec"/>
@@ -6462,18 +6362,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IODeviceLatencyTargetUSec"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOAccounting"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="StartupBlockIOWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIODeviceWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOReadBandwidth"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWriteBandwidth"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultMemoryLow"/>
@@ -6506,8 +6394,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryZSwapWriteback"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="MemoryLimit"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="DevicePolicy"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DeviceAllow"/>
@@ -7136,10 +7022,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t StartupCPUWeight = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t CPUShares = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t StartupCPUShares = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPerSecUSec = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPeriodUSec = ...;
@@ -7170,18 +7052,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(st) IODeviceLatencyTargetUSec = [...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly b BlockIOAccounting = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t BlockIOWeight = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t StartupBlockIOWeight = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIODeviceWeight = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIOReadBandwidth = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIOWriteBandwidth = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t DefaultMemoryLow = ...;
@@ -7214,8 +7084,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryZSwapWriteback = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t MemoryLimit = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly s DevicePolicy = '...';
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(ss) DeviceAllow = [...];
@@ -7737,10 +7605,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
     <!--property StartupCPUWeight is not documented!-->
 
-    <!--property CPUShares is not documented!-->
-
-    <!--property StartupCPUShares is not documented!-->
-
     <!--property CPUQuotaPerSecUSec is not documented!-->
 
     <!--property CPUQuotaPeriodUSec is not documented!-->
@@ -7771,18 +7635,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
     <!--property IODeviceLatencyTargetUSec is not documented!-->
 
-    <!--property BlockIOAccounting is not documented!-->
-
-    <!--property BlockIOWeight is not documented!-->
-
-    <!--property StartupBlockIOWeight is not documented!-->
-
-    <!--property BlockIODeviceWeight is not documented!-->
-
-    <!--property BlockIOReadBandwidth is not documented!-->
-
-    <!--property BlockIOWriteBandwidth is not documented!-->
-
     <!--property MemoryAccounting is not documented!-->
 
     <!--property DefaultMemoryLow is not documented!-->
@@ -7815,8 +7667,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
     <!--property MemoryZSwapWriteback is not documented!-->
 
-    <!--property MemoryLimit is not documented!-->
-
     <!--property DevicePolicy is not documented!-->
 
     <!--property DeviceAllow is not documented!-->
@@ -8297,10 +8147,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
     <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUWeight"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="CPUShares"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUShares"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPerSecUSec"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPeriodUSec"/>
@@ -8331,18 +8177,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IODeviceLatencyTargetUSec"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOAccounting"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="StartupBlockIOWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIODeviceWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOReadBandwidth"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWriteBandwidth"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultMemoryLow"/>
@@ -8375,8 +8209,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryZSwapWriteback"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="MemoryLimit"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="DevicePolicy"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DeviceAllow"/>
@@ -9132,10 +8964,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t StartupCPUWeight = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t CPUShares = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t StartupCPUShares = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPerSecUSec = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPeriodUSec = ...;
@@ -9166,18 +8994,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(st) IODeviceLatencyTargetUSec = [...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly b BlockIOAccounting = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t BlockIOWeight = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t StartupBlockIOWeight = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIODeviceWeight = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIOReadBandwidth = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIOWriteBandwidth = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t DefaultMemoryLow = ...;
@@ -9210,8 +9026,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryZSwapWriteback = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t MemoryLimit = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly s DevicePolicy = '...';
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(ss) DeviceAllow = [...];
@@ -9715,10 +9529,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
     <!--property StartupCPUWeight is not documented!-->
 
-    <!--property CPUShares is not documented!-->
-
-    <!--property StartupCPUShares is not documented!-->
-
     <!--property CPUQuotaPerSecUSec is not documented!-->
 
     <!--property CPUQuotaPeriodUSec is not documented!-->
@@ -9749,18 +9559,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
     <!--property IODeviceLatencyTargetUSec is not documented!-->
 
-    <!--property BlockIOAccounting is not documented!-->
-
-    <!--property BlockIOWeight is not documented!-->
-
-    <!--property StartupBlockIOWeight is not documented!-->
-
-    <!--property BlockIODeviceWeight is not documented!-->
-
-    <!--property BlockIOReadBandwidth is not documented!-->
-
-    <!--property BlockIOWriteBandwidth is not documented!-->
-
     <!--property MemoryAccounting is not documented!-->
 
     <!--property DefaultMemoryLow is not documented!-->
@@ -9793,8 +9591,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
     <!--property MemoryZSwapWriteback is not documented!-->
 
-    <!--property MemoryLimit is not documented!-->
-
     <!--property DevicePolicy is not documented!-->
 
     <!--property DeviceAllow is not documented!-->
@@ -10257,10 +10053,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
     <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUWeight"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="CPUShares"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUShares"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPerSecUSec"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPeriodUSec"/>
@@ -10291,18 +10083,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IODeviceLatencyTargetUSec"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOAccounting"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="StartupBlockIOWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIODeviceWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOReadBandwidth"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWriteBandwidth"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultMemoryLow"/>
@@ -10335,8 +10115,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryZSwapWriteback"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="MemoryLimit"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="DevicePolicy"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DeviceAllow"/>
@@ -10945,10 +10723,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t StartupCPUWeight = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t CPUShares = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t StartupCPUShares = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPerSecUSec = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPeriodUSec = ...;
@@ -10979,18 +10753,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(st) IODeviceLatencyTargetUSec = [...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly b BlockIOAccounting = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t BlockIOWeight = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t StartupBlockIOWeight = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIODeviceWeight = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIOReadBandwidth = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIOWriteBandwidth = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t DefaultMemoryLow = ...;
@@ -11023,8 +10785,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryZSwapWriteback = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t MemoryLimit = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly s DevicePolicy = '...';
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(ss) DeviceAllow = [...];
@@ -11138,10 +10898,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
 
     <!--property StartupCPUWeight is not documented!-->
 
-    <!--property CPUShares is not documented!-->
-
-    <!--property StartupCPUShares is not documented!-->
-
     <!--property CPUQuotaPerSecUSec is not documented!-->
 
     <!--property CPUQuotaPeriodUSec is not documented!-->
@@ -11172,18 +10928,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
 
     <!--property IODeviceLatencyTargetUSec is not documented!-->
 
-    <!--property BlockIOAccounting is not documented!-->
-
-    <!--property BlockIOWeight is not documented!-->
-
-    <!--property StartupBlockIOWeight is not documented!-->
-
-    <!--property BlockIODeviceWeight is not documented!-->
-
-    <!--property BlockIOReadBandwidth is not documented!-->
-
-    <!--property BlockIOWriteBandwidth is not documented!-->
-
     <!--property MemoryAccounting is not documented!-->
 
     <!--property DefaultMemoryLow is not documented!-->
@@ -11216,8 +10960,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
 
     <!--property MemoryZSwapWriteback is not documented!-->
 
-    <!--property MemoryLimit is not documented!-->
-
     <!--property DevicePolicy is not documented!-->
 
     <!--property DeviceAllow is not documented!-->
@@ -11338,10 +11080,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUWeight"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="CPUShares"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUShares"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPerSecUSec"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPeriodUSec"/>
@@ -11372,18 +11110,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IODeviceLatencyTargetUSec"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOAccounting"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="StartupBlockIOWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIODeviceWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOReadBandwidth"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWriteBandwidth"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultMemoryLow"/>
@@ -11416,8 +11142,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryZSwapWriteback"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="MemoryLimit"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="DevicePolicy"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DeviceAllow"/>
@@ -11569,10 +11293,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t StartupCPUWeight = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t CPUShares = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t StartupCPUShares = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPerSecUSec = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t CPUQuotaPeriodUSec = ...;
@@ -11603,18 +11323,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(st) IODeviceLatencyTargetUSec = [...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly b BlockIOAccounting = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t BlockIOWeight = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t StartupBlockIOWeight = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIODeviceWeight = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIOReadBandwidth = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly a(st) BlockIOWriteBandwidth = [...];
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryAccounting = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t DefaultMemoryLow = ...;
@@ -11647,8 +11355,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b MemoryZSwapWriteback = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
-      readonly t MemoryLimit = ...;
-      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly s DevicePolicy = '...';
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly a(ss) DeviceAllow = [...];
@@ -11782,10 +11488,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
 
     <!--property StartupCPUWeight is not documented!-->
 
-    <!--property CPUShares is not documented!-->
-
-    <!--property StartupCPUShares is not documented!-->
-
     <!--property CPUQuotaPerSecUSec is not documented!-->
 
     <!--property CPUQuotaPeriodUSec is not documented!-->
@@ -11816,18 +11518,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
 
     <!--property IODeviceLatencyTargetUSec is not documented!-->
 
-    <!--property BlockIOAccounting is not documented!-->
-
-    <!--property BlockIOWeight is not documented!-->
-
-    <!--property StartupBlockIOWeight is not documented!-->
-
-    <!--property BlockIODeviceWeight is not documented!-->
-
-    <!--property BlockIOReadBandwidth is not documented!-->
-
-    <!--property BlockIOWriteBandwidth is not documented!-->
-
     <!--property MemoryAccounting is not documented!-->
 
     <!--property DefaultMemoryLow is not documented!-->
@@ -11860,8 +11550,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
 
     <!--property MemoryZSwapWriteback is not documented!-->
 
-    <!--property MemoryLimit is not documented!-->
-
     <!--property DevicePolicy is not documented!-->
 
     <!--property DeviceAllow is not documented!-->
@@ -12012,10 +11700,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
 
     <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUWeight"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="CPUShares"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="StartupCPUShares"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPerSecUSec"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="CPUQuotaPeriodUSec"/>
@@ -12046,18 +11730,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IODeviceLatencyTargetUSec"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOAccounting"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="StartupBlockIOWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIODeviceWeight"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOReadBandwidth"/>
-
-    <variablelist class="dbus-property" generated="True" extra-ref="BlockIOWriteBandwidth"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryAccounting"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DefaultMemoryLow"/>
@@ -12090,8 +11762,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
 
     <variablelist class="dbus-property" generated="True" extra-ref="MemoryZSwapWriteback"/>
 
-    <variablelist class="dbus-property" generated="True" extra-ref="MemoryLimit"/>
-
     <variablelist class="dbus-property" generated="True" extra-ref="DevicePolicy"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DeviceAllow"/>

man/systemctl.xml

@@ -506,6 +506,9 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
           <listitem>
             <para>Reload one or more units if they support it. If not, stop and then start them instead. If the units
             are not running yet, they will be started.</para>
+
+            <para>This has a slightly differing functionality when used in combination with <option>--marked</option>,
+            see below.</para>
           </listitem>
         </varlistentry>
         <varlistentry>

man/systemd-ssh-proxy.xml

@@ -24,7 +24,7 @@
 
   <refsynopsisdiv>
     <programlisting>
-Host unix/* vsock/* vsock-mux/*
+Host unix/* unix,* vsock/* vsock,* vsock-mux/* vsock-mux,*
     ProxyCommand /usr/lib/systemd/systemd-ssh-proxy %h %p
     ProxyUseFdpass yes
 </programlisting>
@@ -46,7 +46,7 @@ Host unix/* vsock/* vsock-mux/*
     configuration fragment like the following:</para>
 
     <programlisting>
-Host unix/* vsock/* vsock-mux/*
+Host unix/* unix,* vsock/* vsock,* vsock-mux/* vsock-mux,*
     ProxyCommand /usr/lib/systemd/systemd-ssh-proxy %h %p
     ProxyUseFdpass yes
     CheckHostIP no
@@ -69,7 +69,9 @@ Host .host
     direct <constant>AF_VSOCK</constant> communication between the host and guests, and provide their own
     multiplexer over <constant>AF_UNIX</constant> sockets. See
     <ulink url="https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/vsock.md">cloud-hypervisor VSOCK support</ulink>
-    and <ulink url="https://github.com/firecracker-microvm/firecracker/blob/main/docs/vsock.md">Using the Firecracker Virtio-vsock Device</ulink>.</para>
+    and <ulink url="https://github.com/firecracker-microvm/firecracker/blob/main/docs/vsock.md">Using the Firecracker Virtio-vsock Device</ulink>.
+    Note that <literal>,</literal> can be used as a separator instead of <literal>/</literal> to be
+    compatible with tools like <literal>scp</literal> and <literal>rsync</literal>.</para>
 
     <para>Moreover, connecting to <literal>.host</literal> will connect to the local host via SSH, without
     involving networking.</para>
@@ -113,6 +115,12 @@ Host .host
 
       <programlisting>ssh unix/run/ssh-unix-local/socket</programlisting>
     </example>
+
+    <example>
+      <title>Copy local 'foo' file to a local VM with CID 1348</title>
+
+      <programlisting>scp foo vsock,1348:</programlisting>
+    </example>
   </refsect1>
 
   <refsect1>

man/systemd.exec.xml

@@ -3268,23 +3268,30 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
       <varlistentry>
         <term><varname>LogLevelMax=</varname></term>
 
-        <listitem><para>Configures filtering by log level of log messages generated by this unit. Takes a
+        <listitem><para>Overrides the maximum log level of log messages generated by this unit. Takes a
-        <command>syslog</command> log level, one of <option>emerg</option> (lowest log level, only highest priority
+        <command>syslog</command> log level, one of <option>emerg</option> (lowest log level, only highest
-        messages), <option>alert</option>, <option>crit</option>, <option>err</option>, <option>warning</option>,
+        priority messages), <option>alert</option>, <option>crit</option>, <option>err</option>,
-        <option>notice</option>, <option>info</option>, <option>debug</option> (highest log level, also lowest priority
+        <option>warning</option>, <option>notice</option>, <option>info</option>, <option>debug</option>
-        messages). See <citerefentry
+        (highest log level, also lowest priority messages). See <citerefentry
         project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
-        details. By default, no filtering is applied (i.e. the default maximum log level is <option>debug</option>). Use
+        details. By default, no per unit filtering is applied.</para>
-        this option to configure the logging system to drop log messages of a specific service above the specified
+
-        level. For example, set <varname>LogLevelMax=</varname><option>info</option> in order to turn off debug logging
+        <para>This option can be used to configure the logging system to drop log messages of a specific
-        of a particularly chatty unit. Note that the configured level is applied to any log messages written by any
+        service above the specified level. For example, set
-        of the processes belonging to this unit, as well as any log messages written by the system manager process
+        <varname>LogLevelMax=</varname><option>info</option> in order to turn off debug logging of a
-        (PID 1) in reference to this unit, sent via any supported logging protocol. The filtering is applied
+        particularly chatty unit. Alternatively, this option can be used to enable extra logging about a
-        early in the logging pipeline, before any kind of further processing is done. Moreover, messages which pass
+        specific unit by the system or user manager processes without changing the global log level for the
-        through this filter successfully might still be dropped by filters applied at a later stage in the logging
+        system or user manager processes by setting <varname>LogLevelMax=</varname><option>debug</option>.
-        subsystem. For example, <varname>MaxLevelStore=</varname> configured in
+        </para>
-        <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> might
+
-        prohibit messages of higher log levels to be stored on disk, even though the per-unit
+        <para>Note that the configured level is applied to any log messages written by any of the processes
+        belonging to this unit, as well as any log messages written by the system or user manager processes
+        in reference to this unit, sent via any supported logging protocol. The filtering is applied early in
+        the logging pipeline, before any kind of further processing is done. Moreover, messages which pass
+        through this filter successfully might still be dropped by filters applied at a later stage in the
+        logging subsystem. For example, <varname>MaxLevelStore=</varname> configured in
+        <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+        might prohibit messages of higher log levels to be stored on disk, even though the per-unit
         <varname>LogLevelMax=</varname> permitted it to be processed.</para>
 
         <xi:include href="version-info.xml" xpointer="v236"/></listitem>

man/systemd.network.xml

@@ -1738,8 +1738,10 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
         <term><varname>FirewallMark=</varname></term>
         <listitem>
           <para>Specifies the iptables firewall mark value to match (a number in the range
-          1…4294967295). Optionally, the firewall mask (also a number between 1…4294967295) can be
+          0…4294967295). Optionally, the firewall mask (also a number between 0…4294967295) can be
-          suffixed with a slash (<literal>/</literal>), e.g., <literal>7/255</literal>.</para>
+          suffixed with a slash (<literal>/</literal>), e.g., <literal>7/255</literal>. When the
+          mark value is non-zero and no mask is explicitly specified, all bits of the mark are
+          compared. </para>
 
           <xi:include href="version-info.xml" xpointer="v235"/>
         </listitem>

man/udevadm.xml

@@ -769,6 +769,16 @@
             <xi:include href="version-info.xml" xpointer="v258"/>
           </listitem>
         </varlistentry>
+        <varlistentry>
+          <term><option>--revert</option></term>
+          <listitem>
+            <para>Revert settings previously set with <command>udevadm control</command> command. When
+            specified, settings set with <option>-l/--log-level=</option>, <option>--trace</option>,
+            <option>-m/--children-max=</option>, and <option>-p/--property=</option> will be cleared.</para>
+
+            <xi:include href="version-info.xml" xpointer="v258"/>
+          </listitem>
+        </varlistentry>
         <varlistentry>
           <term><option>-t</option></term>
           <term><option>--timeout=<replaceable>seconds</replaceable></option></term>

meson.build

@@ -13,6 +13,12 @@ project('systemd', 'c',
         meson_version : '>= 0.62.0',
 )
 
+add_test_setup(
+        'default',
+        exclude_suites : ['integration-tests'],
+        is_default : true,
+)
+
 project_major_version = meson.project_version().split('.')[0].split('~')[0]
 if meson.project_version().contains('.')
         project_minor_version = meson.project_version().split('.')[-1].split('~')[0]
@@ -339,7 +345,6 @@ meson_build_sh = find_program('tools/meson-build.sh')
 want_tests = get_option('tests')
 want_slow_tests = want_tests != 'false' and get_option('slow-tests')
 want_fuzz_tests = want_tests != 'false' and get_option('fuzz-tests')
-want_integration_tests = want_tests != 'false' and get_option('integration-tests')
 install_tests = want_tests != 'false' and get_option('install-tests')
 
 if add_languages('cpp', native : false, required : fuzzer_build)
@@ -1477,50 +1482,18 @@ endif
 dmi_arches = ['x86', 'x86_64', 'aarch64', 'arm', 'ia64', 'loongarch64', 'mips', 'riscv64']
 conf.set10('HAVE_DMI', host_machine.cpu_family() in dmi_arches)
 
-# We support one or the other. If gcrypt is available, we assume it's there to
-# be used, and use it in preference.
-opt = get_option('cryptolib')
-if opt == 'openssl' and conf.get('HAVE_OPENSSL') == 0
-        error('openssl requested as the default cryptolib, but not available')
-endif
-conf.set10('PREFER_OPENSSL',
-           opt == 'openssl' or (opt == 'auto' and conf.get('HAVE_OPENSSL') == 1 and conf.get('HAVE_GCRYPT') == 0))
-conf.set10('HAVE_OPENSSL_OR_GCRYPT',
-           conf.get('HAVE_OPENSSL') == 1 or conf.get('HAVE_GCRYPT') == 1)
-lib_openssl_or_gcrypt = conf.get('PREFER_OPENSSL') == 1 ? [libopenssl] : [libgcrypt, libgpg_error]
-
 dns_over_tls = get_option('dns-over-tls')
-if dns_over_tls != 'false'
+have_openssl = conf.get('HAVE_OPENSSL') == 1
-        if dns_over_tls == 'gnutls' and conf.get('PREFER_OPENSSL') == 1
+if dns_over_tls == 'false'
-                error('Sorry, -Ddns-over-tls=gnutls is not supported when openssl is used as the cryptolib')
-        endif
-
-        if dns_over_tls == 'gnutls'
-                have_openssl = false
-        else
-                have_openssl = conf.get('HAVE_OPENSSL') == 1
-                if dns_over_tls == 'openssl' and not have_openssl
-                        error('DNS-over-TLS support was requested with openssl, but dependencies are not available')
-                endif
-        endif
-        if dns_over_tls == 'openssl' or have_openssl
-                have_gnutls = false
-        else
-                have_gnutls = conf.get('HAVE_GNUTLS') == 1 and libgnutls.version().version_compare('>= 3.6.0')
-                if dns_over_tls != 'auto' and not have_gnutls
-                        str = dns_over_tls == 'gnutls' ? ' with gnutls' : ''
-                        error('DNS-over-TLS support was requested@0@, but dependencies are not available'.format(str))
-                endif
-        endif
-        have = have_gnutls or have_openssl
-else
         have = false
-        have_gnutls = false
+elif dns_over_tls == 'auto'
-        have_openssl = false
+        have = have_openssl
+elif have_openssl
+        have = true
+else
+        error('DNS-over-TLS support was requested, but OpenSSL support is disabled.')
 endif
 conf.set10('ENABLE_DNS_OVER_TLS', have)
-conf.set10('DNS_OVER_TLS_USE_GNUTLS', have_gnutls)
-conf.set10('DNS_OVER_TLS_USE_OPENSSL', have_openssl)
 
 default_dns_over_tls = get_option('default-dns-over-tls')
 if default_dns_over_tls != 'no' and conf.get('ENABLE_DNS_OVER_TLS') == 0
@@ -1547,8 +1520,8 @@ have = get_option('repart').require(
 conf.set10('ENABLE_REPART', have)
 
 default_dnssec = get_option('default-dnssec')
-if default_dnssec != 'no' and conf.get('HAVE_OPENSSL_OR_GCRYPT') == 0
+if default_dnssec != 'no' and conf.get('HAVE_OPENSSL') == 0
-        message('default-dnssec cannot be set to yes or allow-downgrade openssl and gcrypt are disabled. Setting default-dnssec to no.')
+        message('default-dnssec cannot be set to yes or allow-downgrade when openssl is disabled. Setting default-dnssec to no.')
         default_dnssec = 'no'
 endif
 conf.set('DEFAULT_DNSSEC_MODE',
@@ -1579,7 +1552,7 @@ conf.set10('ENABLE_STORAGETM', get_option('storagetm'))
 
 have = get_option('importd').require(
         conf.get('HAVE_LIBCURL') == 1 and
-        conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1 and
+        conf.get('HAVE_OPENSSL') == 1 and
         conf.get('HAVE_ZLIB') == 1 and
         conf.get('HAVE_XZ') == 1,
         error_message : 'curl, openssl/grypt, zlib and xz required').allowed()
@@ -1988,11 +1961,12 @@ endif
 conf.set_quoted('VERSION_TAG', version_tag)
 
 vcs_tag = get_option('vcs-tag')
-version_h = vcs_tag(
+version_h = custom_target('version',
+        build_always_stale : vcs_tag,
         input : 'src/version/version.h.in',
         output : 'version.h',
-        fallback : '',
+        capture : true,
-        command : [vcs_tag ? 'tools/vcs-tag.sh' : 'true', get_option('mode')],
+        command : ['tools/vcs-tag.sh', '@INPUT@', get_option('mode'), vcs_tag ? '1' : '0'],
 )
 
 shared_lib_tag = get_option('shared-lib-tag')
@@ -2047,11 +2021,18 @@ boot_stubs = []
 
 build_dir_include = include_directories('.')
 
-basic_includes = include_directories(
+basic_includes = [
+        include_directories(
                 'src/basic',
                 'src/fundamental',
                 'src/systemd',
-        '.')
+                '.',
+        ),
+        include_directories(
+                'src/basic/include',
+                is_system : true,
+        ),
+]
 
 libsystemd_includes = [basic_includes, include_directories(
         'src/libsystemd/sd-bus',
@@ -2660,10 +2641,6 @@ endif
 #####################################################################
 
 mkosi = find_program('mkosi', required : false)
-if want_integration_tests and not mkosi.found()
-        error('Could not find mkosi which is required to run the integration tests')
-endif
-
 mkosi_depends = public_programs
 
 foreach executable : ['systemd-journal-remote', 'systemd-sbsign', 'systemd-keyutil']
@@ -3088,6 +3065,7 @@ foreach tuple : [
 
         # optional features
         ['dmi'],
+        ['DNS-over-TLS'],
         ['idn'],
         ['polkit'],
         ['legacy-pkla',            install_polkit_pkla],
@@ -3152,22 +3130,6 @@ else
         found += 'static-libudev(@0@)'.format(static_libudev)
 endif
 
-if conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1 and conf.get('PREFER_OPENSSL') == 1
-        found += 'cryptolib(openssl)'
-elif conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1
-        found += 'cryptolib(gcrypt)'
-else
-        missing += 'cryptolib'
-endif
-
-if conf.get('DNS_OVER_TLS_USE_GNUTLS') == 1
-        found += 'DNS-over-TLS(gnutls)'
-elif conf.get('DNS_OVER_TLS_USE_OPENSSL') == 1
-        found += 'DNS-over-TLS(openssl)'
-else
-        missing += 'DNS-over-TLS'
-endif
-
 summary({
         'enabled' :  ', '.join(found),
         'disabled' : ', '.join(missing)},

meson_options.txt

@@ -358,7 +358,7 @@ option('default-llmnr', type : 'combo',
        choices : ['yes', 'resolve', 'no'],
        description : 'default LLMNR mode',
        value : 'yes')
-option('dns-over-tls', type : 'combo', choices : ['auto', 'gnutls', 'openssl', 'true', 'false'],
+option('dns-over-tls', type : 'combo', choices : ['auto', 'openssl', 'true', 'false'],
        description : 'DNS-over-TLS support')
 option('dns-servers', type : 'string',
        description : 'space-separated list of default DNS servers',
@@ -434,8 +434,8 @@ option('gnutls', type : 'feature', deprecated : { 'true' : 'enabled', 'false' :
        description : 'gnutls support')
 option('openssl', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
        description : 'openssl support')
-option('cryptolib', type : 'combo', choices : ['auto', 'openssl', 'gcrypt'],
+option('cryptolib', type : 'combo', choices : ['auto', 'openssl'],
-       description : 'whether to use openssl or gcrypt where both are supported')
+       description : 'This option is deprecated and will be removed in a future release')
 option('p11kit', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
        description : 'p11kit support')
 option('libfido2', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
@@ -509,7 +509,7 @@ option('install-tests', type : 'boolean', value : false,
        description : 'install test executables')
 option('log-message-verification', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
        description : 'do fake printf() calls to verify format strings')
-option('integration-tests', type : 'boolean', value : false,
+option('integration-tests', type : 'boolean', value : false, deprecated : true,
        description : 'run the integration tests')
 
 option('ok-color', type : 'combo',

mkosi/mkosi.conf

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 [Config]
-MinimumVersion=commit:32105855f386c980069d134d1b0f8fea4db2129e
+MinimumVersion=commit:dbb4020beee2cdf250f93a425794f1cf8b0fe693
 Dependencies=
         exitrd
         initrd
@@ -39,15 +39,11 @@ WithTests=no
 
 [Validation]
 SignExpectedPcr=yes
-SignExpectedPcrKey=../mkosi.key
-SignExpectedPcrCertificate=../mkosi.crt
-VerityKey=../mkosi.key
-VerityCertificate=../mkosi.crt
 
 [Content]
 ExtraTrees=
         mkosi.extra.common
-        ../mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
+        mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
         %O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
         %O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
         %O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig
@@ -82,8 +78,7 @@ KernelCommandLine=
         oops=panic
         panic=-1
         softlockup_panic=1
-        # Disabled due to BTRFS issue, waiting for the fix to become available
+        panic_on_warn=1
-        panic_on_warn=0
         psi=1
         mitigations=off
 
@@ -138,14 +133,14 @@ Packages=
         zstd
 
 [Runtime]
-SshKey=../mkosi.key
-SshCertificate=../mkosi.crt
 Credentials=
         journal.storage=persistent
         tty.serial.hvc0.agetty.autologin=root
         tty.serial.hvc0.login.noauth=yes
         tty.console.agetty.autologin=root
         tty.console.login.noauth=yes
+        tty.virtual.tty1.agetty.autologin=root
+        tty.virtual.tty1.login.noauth=yes
 RuntimeBuildSources=yes
 RuntimeScratch=no
 CPUs=2

mkosi/mkosi.conf.d/arch/mkosi.conf

@@ -4,6 +4,7 @@
 Distribution=arch
 
 [Content]
+PrepareScripts=systemd.prepare
 VolatilePackages=
         systemd
         systemd-libs

mkosi/mkosi.conf.d/arch/systemd.prepare

@@ -17,6 +17,7 @@ for PACKAGE in "${PACKAGES[@]}"; do
             sed --quiet 's/^Depends On *: //p' # Filter out everything except "Depends On:" line and fetch dependencies from it.
     )"
 
+    if ! ((SYSTEMD_REQUIRED_DEPS_ONLY)); then
         DEPS="$DEPS $(
             pacman --sync --info "$PACKAGE" |
                 sed '1,/^$/d' | # Only keep result from first repository (delete everything after first blank line).
@@ -25,6 +26,7 @@ for PACKAGE in "${PACKAGES[@]}"; do
                 sed 's/ *\(.*\):.*/\1/' | # Drop descriptions (everything after first colon for all lines).
                 tr '\n' ' ' # Transform newlines to whitespace.
         )"
+    fi
 done
 
 echo "$DEPS" |

mkosi/mkosi.conf.d/centos-fedora/mkosi.conf

@@ -5,6 +5,7 @@ Distribution=|centos
 Distribution=|fedora
 
 [Content]
+PrepareScripts=systemd.prepare
 VolatilePackages=
         systemd
         systemd-boot

mkosi/mkosi.conf.d/centos-fedora/mkosi.conf.d/pkgenv.conf

@@ -8,5 +8,5 @@ Distribution=|fedora
 Environment=
         GIT_URL=https://src.fedoraproject.org/rpms/systemd.git
         GIT_BRANCH=rawhide
-        GIT_COMMIT=08ce156d74460867657fb9b201c8be93d31e07de
+        GIT_COMMIT=6646d13acae64665f63354cd60ecf963ee563b96
         PKG_SUBDIR=fedora

mkosi/mkosi.conf.d/centos-fedora/systemd.prepare

@@ -8,7 +8,12 @@ fi
 
 mapfile -t PACKAGES < <(jq --raw-output .VolatilePackages[] <"$MKOSI_CONFIG")
 
-for DEPS in --requires --recommends --suggests; do
+DEP_TYPES=(--requires)
+if ! ((SYSTEMD_REQUIRED_DEPS_ONLY)); then
+    DEP_TYPES+=(--recommends --suggests)
+fi
+
+for DEPS in "${DEP_TYPES[@]}"; do
     # We need --latest-limit=1 to only consider the newest version of the packages.
     # --latest-limit=1 is per <name>.<arch> so we have to pass --arch= explicitly to make sure i686 packages
     # are not considered on x86-64.

mkosi/mkosi.conf.d/debian-ubuntu/mkosi.conf

@@ -5,6 +5,7 @@ Distribution=|debian
 Distribution=|ubuntu
 
 [Content]
+PrepareScripts=systemd.prepare
 VolatilePackages=
         libnss-myhostname
         libnss-mymachines

mkosi/mkosi.conf.d/debian-ubuntu/mkosi.conf.d/pkgenv.conf

@@ -9,5 +9,5 @@ Environment=
         GIT_URL=https://salsa.debian.org/systemd-team/systemd.git
         GIT_SUBDIR=debian
         GIT_BRANCH=debian/master
-        GIT_COMMIT=46432631232015b78071f84e5a3fb944621c83f7
+        GIT_COMMIT=91a4d114e0b5a01385477f8862caedc1056fa68b
         PKG_SUBDIR=debian

mkosi/mkosi.conf.d/debian-ubuntu/systemd.prepare

@@ -22,9 +22,14 @@ for PACKAGE in "${PACKAGES[@]}"; do
     # Get all the dependencies of the systemd packages including recommended and suggested dependencies.
     PATTERNS+=(
         "?and(?reverse-depends(?exact-name($PACKAGE)), $COMMON)"
+    )
+
+    if ! ((SYSTEMD_REQUIRED_DEPS_ONLY)); then
+        PATTERNS+=(
             "?and(?reverse-recommends(?exact-name($PACKAGE)), $COMMON)"
             "?and(?reverse-suggests(?exact-name($PACKAGE)), $COMMON)"
         )
+    fi
 done
 
 mkosi-install "${PATTERNS[@]}"

mkosi/mkosi.conf.d/opensuse/mkosi.conf

@@ -11,6 +11,7 @@ Repositories=non-oss
 SandboxTrees=macros.db_backend:/etc/rpm/macros.db_backend
 
 [Content]
+PrepareScripts=systemd.prepare
 VolatilePackages=
         libsystemd0
         libudev1

mkosi/mkosi.conf.d/opensuse/systemd.prepare

@@ -9,11 +9,15 @@ fi
 mapfile -t PACKAGES < <(jq --raw-output .VolatilePackages[] <"$MKOSI_CONFIG")
 
 DEPS=""
+DEP_TYPES=(--requires)
+if ! ((SYSTEMD_REQUIRED_DEPS_ONLY)); then
+    DEP_TYPES+=(--recommends --suggests)
+fi
 
 for PACKAGE in "${PACKAGES[@]}"; do
     # zypper's output is not machine readable so we make do with sed instead.
     DEPS="$DEPS\n$(
-        zypper info --requires --recommends --suggests "$PACKAGE" |
+        zypper info "${DEP_TYPES[@]}" "$PACKAGE" |
             sed '/Requires/,$!d' | # Remove everything before Requires line
             sed --quiet 's/^    //p' # All indented lines have dependencies
     )"

mkosi/mkosi.images/build/mkosi.conf.d/arch/mkosi.build.chroot

@@ -22,7 +22,7 @@ if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
     MKOSI_LDFLAGS="$MKOSI_LDFLAGS -Wl,-rpath=$(realpath "$(clang --print-runtime-dir)")"
 fi
 
-MKOSI_MESON_OPTIONS="-D mode=developer -D vcs-tag=${VCS_TAG:-true} -D b_sanitize=${SANITIZERS:-none}"
+MKOSI_MESON_OPTIONS="-D mode=developer -D vcs-tag=${VCS_TAG:-true} -D b_sanitize=${SANITIZERS:-none} -Dtime-epoch=1744207869"
 if ((WIPE)) && [[ -d "$BUILDDIR/meson-private" ]]; then
     MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
 fi

mkosi/mkosi.images/build/mkosi.conf.d/centos-fedora/mkosi.build.chroot

@@ -52,7 +52,7 @@ if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
     MKOSI_LDFLAGS="$MKOSI_LDFLAGS -Wl,-rpath=$(realpath "$(clang --print-runtime-dir)")"
 fi
 
-MKOSI_MESON_OPTIONS="-D mode=developer -D vcs-tag=${VCS_TAG:-true} -D b_sanitize=${SANITIZERS:-none}"
+MKOSI_MESON_OPTIONS="-D mode=developer -D vcs-tag=${VCS_TAG:-true} -D b_sanitize=${SANITIZERS:-none} -Dtime-epoch=1744207869"
 if ((WIPE)) && [[ -d "$BUILDDIR/meson-private" ]]; then
     MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
 fi

mkosi/mkosi.images/build/mkosi.conf.d/debian-ubuntu/mkosi.build.chroot

@@ -22,7 +22,7 @@ if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
     MKOSI_LDFLAGS="$MKOSI_LDFLAGS -Wl,-rpath=$(realpath "$(clang --print-runtime-dir)")"
 fi
 
-MKOSI_MESON_OPTIONS="-D mode=developer -D vcs-tag=${VCS_TAG:-true} -D b_sanitize=${SANITIZERS:-none}"
+MKOSI_MESON_OPTIONS="-D mode=developer -D vcs-tag=${VCS_TAG:-true} -D b_sanitize=${SANITIZERS:-none} -Dtime-epoch=1744207869"
 if ((WIPE)) && [[ -d "$BUILDDIR/meson-private" ]]; then
     MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
 fi

mkosi/mkosi.images/build/mkosi.conf.d/opensuse/mkosi.build.chroot

@@ -57,7 +57,7 @@ if [[ -z "${MKOSI_LDFLAGS// }" ]]; then
     MKOSI_LDFLAGS="%{nil}"
 fi
 
-MKOSI_MESON_OPTIONS="-D mode=developer -D vcs-tag=${VCS_TAG:-true} -D b_sanitize=${SANITIZERS:-none}"
+MKOSI_MESON_OPTIONS="-D mode=developer -D vcs-tag=${VCS_TAG:-true} -D b_sanitize=${SANITIZERS:-none} -Dtime-epoch=1744207869"
 if ((WIPE)) && [[ -d "$BUILDDIR/meson-private" ]]; then
     MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
 fi

mkosi/mkosi.images/exitrd/mkosi.conf

@@ -3,6 +3,9 @@
 [Output]
 Format=directory
 
+[Build]
+Environment=SYSTEMD_REQUIRED_DEPS_ONLY=1
+
 [Content]
 Bootable=no
 Locale=C.UTF-8
@@ -11,6 +14,7 @@ CleanPackageMetadata=yes
 MakeInitrd=yes
 
 Packages=
+        coreutils
         bash
 
 [Include]

mkosi/mkosi.images/exitrd/mkosi.conf.d/arch.conf

@@ -4,6 +4,7 @@
 Distribution=arch
 
 [Content]
+PrepareScripts=%D/mkosi/mkosi.conf.d/arch/systemd.prepare
 VolatilePackages=
         systemd
         systemd-libs

mkosi/mkosi.images/exitrd/mkosi.conf.d/centos-fedora.conf

@@ -5,5 +5,6 @@ Distribution=|centos
 Distribution=|fedora
 
 [Content]
+PrepareScripts=%D/mkosi/mkosi.conf.d/centos-fedora/systemd.prepare
 VolatilePackages=
         systemd-standalone-shutdown

mkosi/mkosi.images/exitrd/mkosi.conf.d/debian.conf

@@ -4,5 +4,6 @@
 Distribution=debian
 
 [Content]
+PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/systemd.prepare
 VolatilePackages=
         systemd-standalone-shutdown

mkosi/mkosi.images/exitrd/mkosi.conf.d/opensuse.conf

@@ -4,6 +4,7 @@
 Distribution=opensuse
 
 [Content]
+PrepareScripts=%D/mkosi/mkosi.conf.d/opensuse/systemd.prepare
 Packages=
         diffutils
         grep

mkosi/mkosi.images/exitrd/mkosi.conf.d/ubuntu.conf

@@ -4,6 +4,7 @@
 Distribution=ubuntu
 
 [Content]
+PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/systemd.prepare
 VolatilePackages=
         libsystemd-shared
         libsystemd0

mkosi/mkosi.images/initrd/mkosi.conf

@@ -6,10 +6,14 @@ Include=
         %D/mkosi/mkosi.sanitizers
         %D/mkosi/mkosi.coverage
 
+[Build]
+Environment=SYSTEMD_REQUIRED_DEPS_ONLY=1
+
 [Content]
 ExtraTrees=%D/mkosi/mkosi.extra.common
 
 Packages=
+        coreutils
         findutils
         grep
         sed

mkosi/mkosi.images/initrd/mkosi.conf.d/arch.conf

@@ -4,6 +4,7 @@
 Distribution=arch
 
 [Content]
+PrepareScripts=%D/mkosi/mkosi.conf.d/arch/systemd.prepare
 Packages=
         btrfs-progs
         tpm2-tools

mkosi/mkosi.images/initrd/mkosi.conf.d/centos-fedora.conf

@@ -5,6 +5,7 @@ Distribution=|centos
 Distribution=|fedora
 
 [Content]
+PrepareScripts=%D/mkosi/mkosi.conf.d/centos-fedora/systemd.prepare
 Packages=
         tpm2-tools
 

mkosi/mkosi.images/initrd/mkosi.conf.d/debian-ubuntu.conf

@@ -5,6 +5,7 @@ Distribution=|debian
 Distribution=|ubuntu
 
 [Content]
+PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/systemd.prepare
 Packages=
         btrfs-progs
         tpm2-tools

mkosi/mkosi.images/initrd/mkosi.conf.d/opensuse.conf

@@ -4,6 +4,7 @@
 Distribution=opensuse
 
 [Content]
+PrepareScripts=%D/mkosi/mkosi.conf.d/opensuse/systemd.prepare
 Packages=
         btrfs-progs
         kmod

mkosi/mkosi.images/minimal-base/mkosi.conf

@@ -3,6 +3,9 @@
 [Output]
 Format=directory
 
+[Build]
+Environment=SYSTEMD_REQUIRED_DEPS_ONLY=1
+
 [Content]
 Bootable=no
 Locale=C.UTF-8

mkosi/mkosi.images/minimal-base/mkosi.conf.d/arch.conf

@@ -4,6 +4,7 @@
 Distribution=arch
 
 [Content]
+PrepareScripts=%D/mkosi/mkosi.conf.d/arch/systemd.prepare
 Packages=
         inetutils
         iproute

mkosi/mkosi.images/minimal-base/mkosi.conf.d/centos-fedora.conf

@@ -5,6 +5,7 @@ Distribution=|centos
 Distribution=|fedora
 
 [Content]
+PrepareScripts=%D/mkosi/mkosi.conf.d/centos-fedora/systemd.prepare
 Packages=
         hostname
         iproute

mkosi/mkosi.images/minimal-base/mkosi.conf.d/debian-ubuntu.conf

@@ -5,6 +5,7 @@ Distribution=|debian
 Distribution=|ubuntu
 
 [Content]
+PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/systemd.prepare
 Packages=
         hostname
         iproute2

mkosi/mkosi.images/minimal-base/mkosi.conf.d/opensuse.conf

@@ -4,6 +4,7 @@
 Distribution=opensuse
 
 [Content]
+PrepareScripts=%D/mkosi/mkosi.conf.d/opensuse/systemd.prepare
 Packages=
         diffutils
         grep

mkosi/mkosi.images/minimal-base/mkosi.extra/etc/os-release

@@ -1 +0,0 @@
-../usr/lib/os-release

mkosi/mkosi.images/minimal-base/mkosi.postinst

@@ -9,3 +9,8 @@ echo "Hello from dummy init, beautiful day, innit?"
 ip link
 EOF
 chmod +x "$BUILDROOT/sbin/init"
+
+# Arch relies on tmpfiles.d/etc.conf but this image isn't booted
+if [ ! -e "$BUILDROOT/etc/os-release" ]; then
+    ln -s ../usr/lib/os-release "$BUILDROOT/etc/os-release"
+fi

mkosi/mkosi.postinst.chroot

@@ -34,8 +34,9 @@ done
 # systemd-journald.
 rm -rf "$BUILDROOT/var/log/journal"
 
+# Make sure our own nsswitch.conf from the repository is used instead of the distribution's by deleting the
+# distribution's and relying on tmpfiles to put ours in place during boot.
 rm -f /etc/nsswitch.conf
-cp "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf
 
 # Remove to make TEST-73-LOCALE pass on Ubuntu.
 rm -f /etc/default/keyboard
@@ -58,8 +59,8 @@ SYSTEMD_REPART_MKFS_OPTIONS_EXT4="" \
     --dry-run=no \
     --size=auto \
     --offline=true \
-    --root test/integration-tests/TEST-24-CRYPTSETUP \
+    --root mkosi/mkosi.credentials \
-    --definitions test/integration-tests/TEST-24-CRYPTSETUP/keydev.repart \
+    --definitions mkosi/keydev.repart \
     "$OUTPUTDIR/keydev.raw"
 
 can_test_pkcs11() {
@@ -132,7 +133,7 @@ EOF
     certtool --generate-self-signed \
       --load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
       --load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
-      --template "test/integration-tests/TEST-24-CRYPTSETUP/template.cfg" \
+      --template "mkosi/template.cfg" \
       --outder --outfile "/tmp/rsa_test.crt"
 
     pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey"
@@ -144,7 +145,7 @@ EOF
     certtool --generate-self-signed \
       --load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
       --load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
-      --template "test/integration-tests/TEST-24-CRYPTSETUP/template.cfg" \
+      --template "mkosi/template.cfg" \
       --outder --outfile "/tmp/ec_test.crt"
 
     pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey"

rules.d/70-uaccess.rules.in

@@ -77,6 +77,20 @@ ENV{DDC_DEVICE}=="?*", TAG+="uaccess"
 # media player raw devices (for user-mode drivers, Android SDK, etc.)
 SUBSYSTEM=="usb", ENV{ID_MEDIA_PLAYER}=="?*", TAG+="uaccess"
 
+# Android devices (ADB DbC, ADB, Fastboot)
+# Used to interact with devices over Android Debug Bridge and Fastboot protocols, see:
+# * https://developer.android.com/tools/adb
+# * https://source.android.com/docs/setup/test/running
+# * https://source.android.com/docs/setup/test/flash
+#
+# The bInterfaceClass and bInterfaceSubClass used are documented in source code here:
+# * https://android.googlesource.com/platform/packages/modules/adb/+/d0db47dcdf941673f405e1095e6ffb5e565902e5/adb.h#199
+# * https://android.googlesource.com/platform/system/core/+/7199051aaf0ddfa2849650933119307327d8669c/fastboot/fastboot.cpp#244
+#
+# Since it's using a generic vendor specific interface class, this can potentially result
+# in a rare case where non-ADB/Fastboot device ends up with an ID_DEBUG_APPLIANCE="android".
+SUBSYSTEM=="usb", ENV{ID_USB_INTERFACES}=="*:dc0201:*|*:ff4201:*|*:ff4203:*", ENV{ID_DEBUG_APPLIANCE}="android"
+
 # software-defined radio communication devices
 ENV{ID_SOFTWARE_RADIO}=="?*", TAG+="uaccess"
 
@@ -111,4 +125,7 @@ SUBSYSTEM=="hidraw", ENV{ID_HARDWARE_WALLET}=="1", TAG+="uaccess"
 # As defined in https://en.wikipedia.org/wiki/3Dconnexion
 SUBSYSTEM=="hidraw", ENV{ID_INPUT_3D_MOUSE}=="1", TAG+="uaccess"
 
+# Debug interfaces (e.g. Android Debug Bridge)
+ENV{ID_DEBUG_APPLIANCE}=="?*", TAG+="uaccess"
+
 LABEL="uaccess_end"

shell-completion/bash/importctl

@@ -73,7 +73,7 @@ _importctl() {
                 comps='no checksum signature'
                 ;;
             --format)
-                comps='uncompressed xz gzip bzip2'
+                comps='uncompressed xz gzip bzip2 zstd'
                 ;;
             --class)
                 comps='machine portable sysext confext'

shell-completion/bash/machinectl

@@ -85,7 +85,7 @@ _machinectl() {
                 comps=$( machinectl --verify=help 2>/dev/null )
                 ;;
             --format)
-                comps='uncompressed xz gzip bzip2'
+                comps='uncompressed xz gzip bzip2 zstd'
                 ;;
         esac
         COMPREPLY=( $(compgen -W '$comps' -- "$cur") )

shell-completion/bash/udevadm

@@ -93,7 +93,7 @@ _udevadm() {
                        -g --tag-match -y --sysname-match --name-match -b --parent-match
                        --prioritized-subsystem'
         [SETTLE]='-t --timeout -E --exit-if-exists'
-        [CONTROL_STANDALONE]='-e --exit -s --stop-exec-queue -S --start-exec-queue -R --reload --ping
+        [CONTROL_STANDALONE]='-e --exit -s --stop-exec-queue -S --start-exec-queue -R --reload --ping --revert
                               --load-credentials'
         [CONTROL_ARG]='-l --log-priority -p --property -m --children-max -t --timeout --trace'
         [MONITOR_STANDALONE]='-k --kernel -u --udev -p --property'

shell-completion/zsh/_udevadm

@@ -67,6 +67,7 @@ _udevadm_control(){
         '(-p --property)'{-p,--property=}'[Set a global property for all events.]:KEY=VALUE' \
         '(-m --children-max=)'{-m,--children-max=}'[Set the maximum number of events.]:N' \
         '--trace=[Enable/disable trace logging.]:BOOL' \
+        '--revert[Revert previously set configurations.]' \
         '(-t --timeout=)'{-t,--timeout=}'[The maximum number of seconds to wait for a reply from systemd-udevd.]:SECONDS'
 }
 

src/ac-power/ac-power.c

@@ -5,6 +5,7 @@
 #include "ansi-color.h"
 #include "battery-util.h"
 #include "build.h"
+#include "log.h"
 #include "main-func.h"
 #include "pretty-print.h"
 

src/analyze/analyze-compare-versions.c

@@ -4,6 +4,7 @@
 
 #include "analyze-compare-versions.h"
 #include "compare-operator.h"
+#include "log.h"
 #include "macro.h"
 #include "string-util.h"
 #include "strv.h"

src/analyze/analyze-time-data.h

@@ -3,6 +3,7 @@
 
 #include "sd-bus.h"
 
+#include "memory-util.h"
 #include "time-util.h"
 #include "unit-def.h"
 

src/analyze/analyze-verify-util.c

@@ -31,7 +31,7 @@ static void log_syntax_callback(const char *unit, int level, void *userdata) {
 
         r = set_put_strdup(s, unit);
         if (r < 0) {
-                set_free_free(*s);
+                set_free(*s);
                 *s = POINTER_MAX;
         }
 }
@@ -265,7 +265,7 @@ static int verify_unit(Unit *u, bool check_man, const char *root) {
 static void set_destroy_ignore_pointer_max(Set **s) {
         if (*s == POINTER_MAX)
                 return;
-        set_free_free(*s);
+        set_free(*s);
 }
 
 int verify_units(

src/backlight/backlight.c

@@ -408,35 +408,6 @@ static int read_brightness(sd_device *device, unsigned max_brightness, unsigned
         assert(device);
         assert(ret_brightness);
 
-        if (device_in_subsystem(device, "backlight")) {
-                r = sd_device_get_sysattr_value(device, "actual_brightness", &value);
-                if (r == -ENOENT) {
-                        log_device_debug_errno(device, r, "Failed to read 'actual_brightness' attribute, "
-                                               "fall back to use 'brightness' attribute: %m");
-                        goto use_brightness;
-                }
-                if (r < 0)
-                        return log_device_debug_errno(device, r, "Failed to read 'actual_brightness' attribute: %m");
-
-                r = safe_atou(value, &brightness);
-                if (r < 0) {
-                        log_device_debug_errno(device, r, "Failed to parse 'actual_brightness' attribute, "
-                                               "fall back to use 'brightness' attribute: %s", value);
-                        goto use_brightness;
-                }
-
-                if (brightness > max_brightness) {
-                        log_device_debug(device, "actual_brightness=%u is larger than max_brightness=%u, "
-                                         "fall back to use 'brightness' attribute", brightness, max_brightness);
-                        goto use_brightness;
-                }
-
-                log_device_debug(device, "Current actual_brightness is %u", brightness);
-                *ret_brightness = brightness;
-                return 0;
-        }
-
-use_brightness:
         r = sd_device_get_sysattr_value(device, "brightness", &value);
         if (r < 0)
                 return log_device_debug_errno(device, r, "Failed to read 'brightness' attribute: %m");

src/basic/alloc-util.c

@@ -6,7 +6,6 @@
 
 #include "alloc-util.h"
 #include "macro.h"
-#include "memory-util.h"
 
 void* memdup(const void *p, size_t l) {
         void *ret;

src/basic/alloc-util.h

@@ -7,7 +7,9 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "assert-util.h"
 #include "macro.h"
+#include "memory-util.h"
 
 #if HAS_FEATURE_MEMORY_SANITIZER
 #  include <sanitizer/msan_interface.h>
@@ -266,5 +268,3 @@ _alloc_(2) static inline void *realloc0(void *p, size_t new_size) {
 
         return q;
 }
-
-#include "memory-util.h"

src/basic/argv-util.c

@@ -8,6 +8,7 @@
 #include "argv-util.h"
 #include "capability-util.h"
 #include "errno-util.h"
+#include "log.h"
 #include "missing_sched.h"
 #include "parse-util.h"
 #include "path-util.h"

src/basic/argv-util.h

@@ -3,6 +3,7 @@
 
 #include <stdbool.h>
 
+#include "assert-util.h"
 #include "macro.h"
 
 extern int saved_argc;

src/basic/assert-util.c

@@ -0,0 +1,65 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <stdio.h>
+
+#include "assert-util.h"
+#include "errno-util.h"
+#include "log.h"
+
+static bool assert_return_is_critical = BUILD_MODE_DEVELOPER;
+
+/* Akin to glibc's __abort_msg; which is private and we hence cannot
+ * use here. */
+static char *log_abort_msg = NULL;
+
+void log_set_assert_return_is_critical(bool b) {
+        assert_return_is_critical = b;
+}
+
+bool log_get_assert_return_is_critical(void) {
+        return assert_return_is_critical;
+}
+
+static void log_assert(
+        int level,
+        const char *text,
+        const char *file,
+        int line,
+        const char *func,
+        const char *format) {
+
+        static char buffer[LINE_MAX];
+
+        if (_likely_(LOG_PRI(level) > log_get_max_level()))
+                return;
+
+        DISABLE_WARNING_FORMAT_NONLITERAL;
+        (void) snprintf(buffer, sizeof buffer, format, text, file, line, func);
+        REENABLE_WARNING;
+
+        log_abort_msg = buffer;
+
+        log_dispatch_internal(level, 0, file, line, func, NULL, NULL, NULL, NULL, buffer);
+}
+
+_noreturn_ void log_assert_failed(const char *text, const char *file, int line, const char *func) {
+        log_assert(LOG_CRIT, text, file, line, func,
+                   "Assertion '%s' failed at %s:%u, function %s(). Aborting.");
+        abort();
+}
+
+_noreturn_ void log_assert_failed_unreachable(const char *file, int line, const char *func) {
+        log_assert(LOG_CRIT, "Code should not be reached", file, line, func,
+                   "%s at %s:%u, function %s(). Aborting. 💥");
+        abort();
+}
+
+void log_assert_failed_return(const char *text, const char *file, int line, const char *func) {
+
+        if (assert_return_is_critical)
+                log_assert_failed(text, file, line, func);
+
+        PROTECT_ERRNO;
+        log_assert(LOG_DEBUG, text, file, line, func,
+                   "Assertion '%s' failed at %s:%u, function %s(), ignoring.");
+}

src/basic/assert-util.h

@@ -0,0 +1,84 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include "assert-fundamental.h"
+#include "macro.h"
+
+/* Logging for various assertions */
+
+void log_set_assert_return_is_critical(bool b);
+bool log_get_assert_return_is_critical(void) _pure_;
+
+_noreturn_ void log_assert_failed(const char *text, const char *file, int line, const char *func);
+_noreturn_ void log_assert_failed_unreachable(const char *file, int line, const char *func);
+void log_assert_failed_return(const char *text, const char *file, int line, const char *func);
+
+#ifdef __COVERITY__
+
+/* Use special definitions of assertion macros in order to prevent
+ * false positives of ASSERT_SIDE_EFFECT on Coverity static analyzer
+ * for uses of assert_se() and assert_return().
+ *
+ * These definitions make expression go through a (trivial) function
+ * call to ensure they are not discarded. Also use ! or !! to ensure
+ * the boolean expressions are seen as such.
+ *
+ * This technique has been described and recommended in:
+ * https://community.synopsys.com/s/question/0D534000046Yuzb/suppressing-assertsideeffect-for-functions-that-allow-for-sideeffects
+ */
+
+extern void __coverity_panic__(void);
+
+static inline void __coverity_check__(int condition) {
+        if (!condition)
+                __coverity_panic__();
+}
+
+static inline int __coverity_check_and_return__(int condition) {
+        return condition;
+}
+
+#define assert_message_se(expr, message) __coverity_check__(!!(expr))
+
+#define assert_log(expr, message) __coverity_check_and_return__(!!(expr))
+
+#else  /* ! __COVERITY__ */
+
+#define assert_message_se(expr, message)                                \
+        do {                                                            \
+                if (_unlikely_(!(expr)))                                \
+                        log_assert_failed(message, PROJECT_FILE, __LINE__, __func__); \
+        } while (false)
+
+#define assert_log(expr, message) ((_likely_(expr))                     \
+        ? (true)                                                        \
+        : (log_assert_failed_return(message, PROJECT_FILE, __LINE__, __func__), false))
+
+#endif  /* __COVERITY__ */
+
+#define assert_se(expr) assert_message_se(expr, #expr)
+
+/* We override the glibc assert() here. */
+#undef assert
+#ifdef NDEBUG
+#define assert(expr) ({ if (!(expr)) __builtin_unreachable(); })
+#else
+#define assert(expr) assert_message_se(expr, #expr)
+#endif
+
+#define assert_not_reached()                                            \
+        log_assert_failed_unreachable(PROJECT_FILE, __LINE__, __func__)
+
+#define assert_return(expr, r)                                          \
+        do {                                                            \
+                if (!assert_log(expr, #expr))                           \
+                        return (r);                                     \
+        } while (false)
+
+#define assert_return_errno(expr, r, err)                               \
+        do {                                                            \
+                if (!assert_log(expr, #expr)) {                         \
+                        errno = err;                                    \
+                        return (r);                                     \
+                }                                                       \
+        } while (false)

src/basic/build.c

@@ -6,6 +6,7 @@
 #include "ansi-color.h"
 #include "build.h"
 #include "extract-word.h"
+#include "log.h"
 #include "macro.h"
 #include "string-util.h"
 #include "terminal-util.h"

src/basic/cap-list.c

@@ -8,6 +8,7 @@
 #include "capability-util.h"
 #include "cap-list.h"
 #include "extract-word.h"
+#include "log.h"
 #include "macro.h"
 #include "parse-util.h"
 #include "stdio-util.h"

src/basic/capability-util.c

@@ -20,6 +20,7 @@
 #include "macro.h"
 #include "parse-util.h"
 #include "pidref.h"
+#include "process-util.h"
 #include "stat-util.h"
 #include "user-util.h"
 

src/basic/chattr-util.c

@@ -10,6 +10,7 @@
 #include "errno-util.h"
 #include "fd-util.h"
 #include "fs-util.h"
+#include "log.h"
 #include "macro.h"
 #include "string-util.h"
 

src/basic/compress.c

@@ -27,6 +27,7 @@
 #include "fd-util.h"
 #include "fileio.h"
 #include "io-util.h"
+#include "log.h"
 #include "macro.h"
 #include "sparse-endian.h"
 #include "string-table.h"

src/basic/conf-files.c

@@ -19,7 +19,6 @@
 #include "nulstr-util.h"
 #include "path-util.h"
 #include "set.h"
-#include "sort-util.h"
 #include "stat-util.h"
 #include "string-util.h"
 #include "strv.h"
@@ -122,29 +121,22 @@ static int files_add(
         return 0;
 }
 
-static int base_cmp(char * const *a, char * const *b) {
-        assert(a);
-        assert(b);
-        return path_compare_filename(*a, *b);
-}
-
 static int copy_and_sort_files_from_hashmap(Hashmap *fh, char ***ret) {
         _cleanup_free_ char **sv = NULL;
         char **files;
+        int r;
 
         assert(ret);
 
-        sv = hashmap_get_strv(fh);
+        r = hashmap_dump_sorted(fh, (void***) &sv, /* ret_n = */ NULL);
-        if (!sv)
+        if (r < 0)
-                return -ENOMEM;
+                return r;
 
-        /* The entries in the array given by hashmap_get_strv() are still owned by the hashmap. */
+        /* The entries in the array given by hashmap_dump_sorted() are still owned by the hashmap. */
         files = strv_copy(sv);
         if (!files)
                 return -ENOMEM;
 
-        typesafe_qsort(files, strv_length(files), base_cmp);
-
         *ret = files;
         return 0;
 }
@@ -237,7 +229,7 @@ int conf_files_insert(char ***strv, const char *root, char **dirs, const char *p
         for (i = 0; i < n; i++) {
                 int c;
 
-                c = base_cmp((char* const*) *strv + i, (char* const*) &path);
+                c = path_compare_filename((*strv)[i], path);
                 if (c == 0)
                         /* Oh, there already is an entry with a matching name (the last component). */
                         STRV_FOREACH(dir, dirs) {

src/basic/confidential-virt.c

@@ -14,6 +14,7 @@
 #include "errno-util.h"
 #include "fd-util.h"
 #include "fileio.h"
+#include "log.h"
 #include "string-table.h"
 #include "utf8.h"
 

src/basic/dlfcn-util.c

@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include "dlfcn-util.h"
+#include "log.h"
 
 static int dlsym_many_or_warnv(void *dl, int log_level, va_list ap) {
         void (**fn)(void);

src/basic/dlfcn-util.h

@@ -3,6 +3,7 @@
 
 #include <dlfcn.h>
 
+#include "assert-util.h"
 #include "macro.h"
 
 static inline void* safe_dlclose(void *dl) {

src/basic/efivars.c

@@ -15,6 +15,7 @@
 #include "fd-util.h"
 #include "fileio.h"
 #include "io-util.h"
+#include "log.h"
 #include "macro.h"
 #include "memory-util.h"
 #include "missing_fs.h"

src/basic/env-file.c

@@ -7,6 +7,7 @@
 #include "fd-util.h"
 #include "fileio.h"
 #include "fs-util.h"
+#include "log.h"
 #include "string-util.h"
 #include "strv.h"
 #include "tmpfile-util.h"

src/basic/env-util.c

@@ -11,6 +11,7 @@
 #include "errno-util.h"
 #include "escape.h"
 #include "extract-word.h"
+#include "log.h"
 #include "macro.h"
 #include "parse-util.h"
 #include "path-util.h"
@@ -546,7 +547,7 @@ char* strv_env_get_n(char * const *l, const char *name, size_t k, ReplaceEnvFlag
                         return NULL;
 
                 t = strndupa_safe(name, k);
-                return getenv(t);
+                return secure_getenv(t);
         };
 
         return NULL;
@@ -1105,7 +1106,7 @@ int getenv_steal_erase(const char *name, char **ret) {
          * it from there. Usecase: reading passwords from the env block (which is a bad idea, but useful for
          * testing, and given that people are likely going to misuse this, be thorough) */
 
-        e = getenv(name);
+        e = secure_getenv(name);
         if (!e) {
                 if (ret)
                         *ret = NULL;

src/basic/errno-util.h

@@ -5,6 +5,7 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "assert-util.h"
 #include "macro.h"
 
 /* strerror(3) says that glibc uses a maximum length of 1024 bytes. */

src/basic/ether-addr-util.c

@@ -8,6 +8,7 @@
 
 #include "ether-addr-util.h"
 #include "hexdecoct.h"
+#include "log.h"
 #include "macro.h"
 #include "string-util.h"
 

src/basic/fd-util.c

@@ -15,6 +15,7 @@
 #include "fileio.h"
 #include "fs-util.h"
 #include "io-util.h"
+#include "log.h"
 #include "macro.h"
 #include "missing_fcntl.h"
 #include "missing_fs.h"
@@ -1001,13 +1002,13 @@ int fd_verify_safe_flags_full(int fd, int extra_flags) {
         if (flags < 0)
                 return -errno;
 
-        unexpected_flags = flags & ~(O_ACCMODE|O_NOFOLLOW|RAW_O_LARGEFILE|extra_flags);
+        unexpected_flags = flags & ~(O_ACCMODE_STRICT|O_NOFOLLOW|RAW_O_LARGEFILE|extra_flags);
         if (unexpected_flags != 0)
                 return log_debug_errno(SYNTHETIC_ERRNO(EREMOTEIO),
                                        "Unexpected flags set for extrinsic fd: 0%o",
                                        (unsigned) unexpected_flags);
 
-        return flags & (O_ACCMODE | extra_flags); /* return the flags variable, but remove the noise */
+        return flags & (O_ACCMODE_STRICT | extra_flags); /* return the flags variable, but remove the noise */
 }
 
 int read_nr_open(void) {
@@ -1132,7 +1133,7 @@ int fds_are_same_mount(int fd1, int fd2) {
 }
 
 const char* accmode_to_string(int flags) {
-        switch (flags & O_ACCMODE) {
+        switch (flags & O_ACCMODE_STRICT) {
         case O_RDONLY:
                 return "ro";
         case O_WRONLY:

src/basic/fd-util.h

@@ -8,6 +8,7 @@
 #include <sys/socket.h>
 
 #include "macro.h"
+#include "memory-util.h"
 #include "missing_fcntl.h"
 #include "stdio-util.h"
 

src/basic/format-ifname.c

@@ -1,6 +1,8 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include "format-ifname.h"
+#include "log.h"
+#include "stdio-util.h"
 #include "string-util.h"
 
 assert_cc(STRLEN("%") + DECIMAL_STR_MAX(int) <= IF_NAMESIZE);

src/basic/fs-util.c

@@ -1036,7 +1036,7 @@ int open_mkdir_at_full(int dirfd, const char *path, int flags, XOpenFlags xopen_
 
         if (flags & ~(O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_EXCL|O_NOATIME|O_NOFOLLOW|O_PATH))
                 return -EINVAL;
-        if ((flags & O_ACCMODE) != O_RDONLY)
+        if ((flags & O_ACCMODE_STRICT) != O_RDONLY)
                 return -EINVAL;
 
         /* Note that O_DIRECTORY|O_NOFOLLOW is implied, but we allow specifying it anyway. The following