TODO

@@ -83,8 +83,6 @@ Janitorial Clean-ups:
 
 Features:
 
-* PAM: pick auf one authentication token from credentials
-
 * tpm2: figure out if we need to do anything for TPM2 parameter encryption? And
   if so, what precisely?
 
@@ -94,6 +92,8 @@ Features:
   data in the image, make sure the image filename actually matches this, so
   that images cannot be misused.
 
+* use credentials logic/TPM2 logic to store homed signing key
+
 * New udev block device symlink names:
   /dev/disk/by-parttypelabel/<pttype>/<ptlabel>. Use case: if pt label is used
   as partition image version string, this is a safe way to reference a specific
@@ -1199,36 +1199,46 @@ Features:
   - when homed is in use, maybe start the user session manager in a mount namespace with MS_SLAVE,
     so that mounts propagate down but not up - eg, user A setting up a backup volume
     doesn't mean user B sees it
-  - use credentials logic/TPM2 logic to store homed signing key
+
-  - during login resize fs automatically towards size goal. Specifically,
+* homed: during login resize fs automatically towards size goal. Specifically,
-    resize to diskSize if possible, but leave a certain amount (configured by a
+  resize to diskSize if possible, but leave a certain amount (configured by a
-    new value diskLeaveFreeSize) of space free on the backing fs.
+  new value diskLeaveFreeSize) of space free on the backing fs.
-  - permit multiple user record signing keys to be used locally, and pick
+
-    the right one for signing records automatically depending on a pre-existing
+* homed: permit multiple user record signing keys to be used locally, and pick
-    signature
+  the right one for signing records automatically depending on a pre-existing
-  - add a way to "adopt" a home directory, i.e. strip foreign signatures
+  signature
-    and insert a local signature instead.
+
-  - as an extension to the directory+subvolume backend: if located on
+* homed: add a way to "adopt" a home directory, i.e. strip foreign signatures
-    especially marked fs, then sync down password into LUKS header of that fs,
+  and insert a local signature instead.
-    and always verify passwords against it too. Bootstrapping is a problem
+
-    though: if no one is logged in (or no other user even exists yet), how do you
+* homed: as an extension to the directory+subvolume backend: if located on
-    unlock the volume in order to create the first user and add the first pw.
+  especially marked fs, then sync down password into LUKS header of that fs,
-  - support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
+  and always verify passwords against it too. Bootstrapping is a problem
-  - maybe pre-create ~/.cache as subvol so that it can have separate quota
+  though: if no one is logged in (or no other user even exists yet), how do you
-    easily?
+  unlock the volume in order to create the first user and add the first pw.
-  - if kernel 5.12 uid mapping mounts exist, use that instead of recursive
+
-    chowns.
+* homed: support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
-  - add a switch to homectl (maybe called --first-boot) where it will check if
+
-    any non-system users exist, and if not prompts interactively for basic user
+* homed: maybe pre-create ~/.cache as subvol so that it can have separate quota
-    info, mimicking systemd-firstboot. Then, place this in a service that runs
+  easily?
-    after systemd-homed, but before gdm and friends, as a simple, barebones
+
-    fallback logic to get a regular user created on uninitialized systems.
+* homed: if kernel 5.12 uid mapping mounts exist, use that instead of recursive
-  - store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with
+  chowns.
-    systemd-cryptsetup, so that it can unlock homed volumes
+
-  - try to unmount in regular intervals when home dir was busy when we
+* add a switch to homectl (maybe called --first-boot) where it will check if
-    tried because idle.
+  any non-system users exist, and if not prompts interactively for basic user
-  - keep an fd to the homedir open at all times, to keep the fs pinned
+  info, mimicking systemd-firstboot. Then, place this in a service that runs
-    (autofs and such) while user is logged in.
+  after systemd-homed, but before gdm and friends, as a simple, barebones
+  fallback logic to get a regular user created on uninitialized systems.
+
+* homed: store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with
+  systemd-cryptsetup, so that it can unlock homed volumes
+
+* homed: try to unmount in regular intervals when home dir was busy when we
+  tried because idle.
+
+* homed: keep an fd to the homedir open at all times, to keep the fs pinned
+  (autofs and such) while user is logged in.
 
 * add a new switch --auto-definitions=yes/no or so to systemd-repart. If
   specified, synthesize a definition automatically if we can: enlarge last

src/core/job.c

@@ -705,51 +705,19 @@ static void job_emit_done_message(Unit *u, uint32_t job_id, JobType t, JobResult
 
         if (!console_only) {  /* Skip printing if output goes to the console, and job_print_status_message()
                                * will actually print something to the console. */
-                Condition *c;
+
                 const char *mid = job_done_mid(t, result);  /* mid may be NULL. log_unit_struct() will ignore it. */
+                const char *msg_fmt = strjoina("MESSAGE=", format);
 
-                c = t == JOB_START && result == JOB_DONE ? unit_find_failed_condition(u) : NULL;
+                DISABLE_WARNING_FORMAT_NONLITERAL;
-                if (c) {
+                log_unit_struct(u, job_done_messages[result].log_level,
-                        /* Special case units that were skipped because of a failed condition check so that
+                                msg_fmt, ident,
-                         * we can add more information to the message. */
+                                "JOB_ID=%" PRIu32, job_id,
-                        if (c->trigger)
+                                "JOB_TYPE=%s", job_type_to_string(t),
-                                log_unit_struct(
+                                "JOB_RESULT=%s", job_result_to_string(result),
-                                        u,
+                                LOG_UNIT_INVOCATION_ID(u),
-                                        job_done_messages[result].log_level,
+                                mid);
-                                        "MESSAGE=%s was skipped because all trigger condition checks failed.",
+                REENABLE_WARNING;
-                                        ident,
-                                        "JOB_ID=%" PRIu32, job_id,
-                                        "JOB_TYPE=%s", job_type_to_string(t),
-                                        "JOB_RESULT=%s", job_result_to_string(result),
-                                        LOG_UNIT_INVOCATION_ID(u),
-                                        mid);
-                        else
-                                log_unit_struct(
-                                        u,
-                                        job_done_messages[result].log_level,
-                                        "MESSAGE=%s was skipped because of a failed condition check (%s=%s%s).",
-                                        ident,
-                                        condition_type_to_string(c->type),
-                                        c->negate ? "!" : "",
-                                        c->parameter,
-                                        "JOB_ID=%" PRIu32, job_id,
-                                        "JOB_TYPE=%s", job_type_to_string(t),
-                                        "JOB_RESULT=%s", job_result_to_string(result),
-                                        LOG_UNIT_INVOCATION_ID(u),
-                                        mid);
-                } else {
-                        const char *msg_fmt = strjoina("MESSAGE=", format);
-
-                        DISABLE_WARNING_FORMAT_NONLITERAL;
-                        log_unit_struct(u, job_done_messages[result].log_level,
-                                        msg_fmt, ident,
-                                        "JOB_ID=%" PRIu32, job_id,
-                                        "JOB_TYPE=%s", job_type_to_string(t),
-                                        "JOB_RESULT=%s", job_result_to_string(result),
-                                        LOG_UNIT_INVOCATION_ID(u),
-                                        mid);
-                        REENABLE_WARNING;
-                }
         }
 
         if (do_console) {

src/core/unit.c

@@ -5848,25 +5848,6 @@ int unit_thaw_vtable_common(Unit *u) {
         return unit_cgroup_freezer_action(u, FREEZER_THAW);
 }
 
-Condition *unit_find_failed_condition(Unit *u) {
-        Condition *c, *failed_trigger = NULL;
-        bool has_succeeded_trigger = false;
-
-        if (u->condition_result)
-                return NULL;
-
-        LIST_FOREACH(conditions, c, u->conditions)
-                if (c->trigger) {
-                        if (c->result == CONDITION_SUCCEEDED)
-                                 has_succeeded_trigger = true;
-                        else if (!failed_trigger)
-                                 failed_trigger = c;
-                } else if (c->result != CONDITION_SUCCEEDED)
-                        return c;
-
-        return failed_trigger && !has_succeeded_trigger ? failed_trigger : NULL;
-}
-
 static const char* const collect_mode_table[_COLLECT_MODE_MAX] = {
         [COLLECT_INACTIVE] = "inactive",
         [COLLECT_INACTIVE_OR_FAILED] = "inactive-or-failed",

src/core/unit.h

@@ -984,8 +984,6 @@ void unit_thawed(Unit *u);
 int unit_freeze_vtable_common(Unit *u);
 int unit_thaw_vtable_common(Unit *u);
 
-Condition *unit_find_failed_condition(Unit *u);
-
 /* Macros which append UNIT= or USER_UNIT= to the message */
 
 #define log_unit_full_errno_zerook(unit, level, error, ...)             \