Merge 3630477261 into bbec1c87d3

Continuation of 4ebbb5bfe8.
Closes #35307.

.github/workflows/linter.yml

@@ -37,7 +37,7 @@ jobs:
           VALIDATE_GITHUB_ACTIONS: true
 
       - name: Check that tabs are not used in Python code
-        run: sh -c '! git grep -P "\\t" -- src/ukify/ukify.py'
+        run: sh -c '! git grep -P "\\t" -- src/ukify/ukify.py test/integration-test-wrapper.py'
 
       - name: Install ruff and mypy
         run: |
@@ -47,14 +47,14 @@ jobs:
       - name: Run mypy
         run: |
           python3 -m mypy --version
-          python3 -m mypy src/ukify/ukify.py
+          python3 -m mypy src/ukify/ukify.py test/integration-test-wrapper.py
 
       - name: Run ruff check
         run: |
           ruff --version
-          ruff check src/ukify/ukify.py
+          ruff check src/ukify/ukify.py test/integration-test-wrapper.py
 
       - name: Run ruff format
         run: |
           ruff --version
-          ruff format --check src/ukify/ukify.py
+          ruff format --check src/ukify/ukify.py test/integration-test-wrapper.py

.github/workflows/mkosi.yml

@@ -105,7 +105,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: systemd/mkosi@8976a0abb19221e65300222f2d33067970cca0f1
+      - uses: systemd/mkosi@0825cca8084674ec8fa27502134b1bc601f79e0c
 
       # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
       # immediately, we remove the files in the background. However, we first move them to a different location

NEWS

@@ -764,6 +764,9 @@ CHANGES WITH 257 in spe:
           other cases EnterNamespace= might be an suitable approach to acquire
           symbolized backtraces.)
 
+        Special thanks to Nick Owens for bringing attention to and testing
+        fixes for issue #34516.
+
         Contributions from: 12paper, A. Wilcox, Abderrahim Kitouni,
         Adrian Vovk, Alain Greppin, Allison Karlitskaya, Alyssa Ross,
         Anders Jonsson, Andika Triwidada, Andres Beltran, Anouk Ceyssens,

hwdb.d/60-sensor.hwdb

@@ -295,6 +295,10 @@ sensor:modalias:acpi:MXC6655*:dmi:*:svnCHUWIInnovationAndTechnology*:pnHi10X:*
 sensor:modalias:acpi:KIOX000A*:dmi:*:svnCHUWIInnovationAndTechnology*:pnHi10X:*
  ACCEL_MOUNT_MATRIX=0, -1, 0; -1, 0, 0; 0, 0, 1
 
+# Chuwi Hi10 X1
+sensor:modalias:acpi:NSA2513*:dmi:*:svnCHUWIInnovationAndTechnology*:pnHi10X1:*
+ ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
+
 # Chuwi Hi10 Go
 sensor:modalias:acpi:MXC6655*:dmi:*:svnCHUWIINNOVATIONLIMITED:pnHi10Go:*
  ACCEL_MOUNT_MATRIX=-1, 0, 0; 0,-1, 0; 0, 0, 1
@@ -953,6 +957,15 @@ sensor:modalias:acpi:MXC6655*:dmi:*:svnDefaultstring*:pnP612F:*
 sensor:modalias:acpi:SMO8500*:dmi:*:svnPEAQ:pnPEAQPMMC1010MD99187:*
  ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1
 
+#########################################
+# Pine64
+#########################################
+
+# PineTab2
+
+sensor:modalias:of:NaccelerometerT_null_Csilan,sc7a20:*
+ ACCEL_MOUNT_MATRIX=0, 0, -1; 1, 0, 0; 0, -1, 0
+
 #########################################
 # Pipo
 #########################################

man/daemon.xml

@@ -684,6 +684,15 @@ fi</programlisting>
     <citerefentry><refentrytitle>file-hierarchy</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
   </refsect1>
 
+  <refsect1>
+    <title>Notes</title>
+
+    <para>
+       All example codes in this page are licensed under <literal>MIT No Attribution</literal>
+      (SPDX-License-Identifier: MIT-0).
+    </para>
+  </refsect1>
+
   <refsect1>
     <title>See Also</title>
     <para><simplelist type="inline">

man/environment.d.xml

@@ -114,10 +114,10 @@
     invoked, for example from the system service manager or via a PAM module.</para>
 
     <para>Specifically, for ssh logins, the
-    <citerefentry project='die-net'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+    <citerefentry project='man-pages'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
     service builds an environment that is a combination of variables forwarded from the remote system and
     defined by <command>sshd</command>, see the discussion in
-    <citerefentry project='die-net'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
+    <citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
     A graphical display session will have an analogous mechanism to define the environment. Note that some
     managers query the systemd user instance for the exported environment and inject this configuration into
     programs they start, using <command>systemctl show-environment</command> or the underlying D-Bus call.

man/file-hierarchy.xml

@@ -215,8 +215,8 @@
         below this directory is subject to specifications that ensure interoperability.</para>
 
         <para>Note that resources placed in this directory typically are under shared ownership,
-        i.e. multiple different packages have provide and consume these resources, on equal footing, without
+        i.e. multiple different packages have provided and consumed these resources, on equal footing, without
-        any obvious primary owner. This makes makes things systematically different from
+        any obvious primary owner. This makes things systematically different from
         <filename>/usr/lib/</filename>, where ownership is generally not shared.</para></listitem>
       </varlistentry>
 

man/homectl.xml

@@ -378,7 +378,7 @@
 
         <listitem><para>Takes a comma- or colon-separated list of languages preferred by the user, ordered
         by descending priority. The <varname>$LANG</varname> and <varname>$LANGUAGE</varname> environment
-        variables are initialized from this value on login, and thus values suitible for these environment
+        variables are initialized from this value on login, and thus values suitable for these environment
         variables are accepted here, for example <option>--language=de_DE.UTF-8</option>. This option may
         be used more than once, in which case the language lists are concatenated.</para>
 

man/importctl.xml

@@ -40,7 +40,7 @@
     <citerefentry><refentrytitle>systemd-importd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
 
     <para><command>importctl</command> operates both on block-level disk images (such as DDIs) as well as
-    file-system-level images (tarballs). It supports disk images are one of the four following
+    file-system-level images (tarballs). It supports disk images in one of the four following
     classes:</para>
 
     <itemizedlist>
@@ -50,7 +50,7 @@
       managed via
       <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem>
 
-      <listitem><para>Portable service images, that may be attached an managed via
+      <listitem><para>Portable service images, that may be attached and managed via
       <citerefentry><refentrytitle>portablectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem>
 
       <listitem><para>System extension (sysext) images, that may be activated via
@@ -128,12 +128,13 @@
 
         <para>If <option>-keep-download=yes</option> is specified the image will be downloaded and stored in
         a read-only subvolume/directory in the image directory that is named after the specified URL and its
-        HTTP etag. A writable snapshot is then taken from this subvolume, and named after the specified local
+        HTTP etag (see <ulink url="https://en.wikipedia.org/wiki/HTTP_ETag">HTTP ETag</ulink> for more
+        information). A writable snapshot is then taken from this subvolume, and named after the specified local
         name. This behavior ensures that creating multiple instances of the same URL is efficient, as
         multiple downloads are not necessary. In order to create only the read-only image, and avoid creating
         its writable snapshot, specify <literal>-</literal> as local name.</para>
 
-        <para>Note that pressing C-c during execution of this command will not abort the download. Use
+        <para>Note that pressing Control-c during execution of this command will not abort the download. Use
         <command>cancel-transfer</command>, described below.</para>
 
         <xi:include href="version-info.xml" xpointer="v256"/></listitem>
@@ -145,14 +146,14 @@
         <listitem><para>Downloads a <filename>.raw</filename> disk image from the specified URL, and makes it
         available under the specified local name in the image directory for the selected
         <option>--class=</option>. The URL must be of type <literal>http://</literal> or
-        <literal>https://</literal>. The image must either be a <filename>.qcow2</filename> or raw disk
+        <literal>https://</literal>. The image must either be a qcow2 or raw disk
         image, optionally compressed as <filename>.gz</filename>, <filename>.xz</filename>, or
         <filename>.bz2</filename>. If the local name is omitted, it is automatically derived from the last
         component of the URL, with its suffix removed.</para>
 
         <para>Image verification is identical for raw and tar images (see above).</para>
 
-        <para>If the downloaded image is in <filename>.qcow2</filename> format it is converted into a raw
+        <para>If the downloaded image is in qcow2 format it is converted into a raw
         image file before it is made available.</para>
 
         <para>If <option>-keep-download=yes</option> is specified the image will be downloaded and stored in
@@ -162,7 +163,7 @@
         necessary. In order to create only the read-only image, and avoid creating its writable copy,
         specify <literal>-</literal> as local name.</para>
 
-        <para>Note that pressing C-c during execution of this command will not abort the download. Use
+        <para>Note that pressing Control-c during execution of this command will not abort the download. Use
         <command>cancel-transfer</command>, described below.</para>
 
         <xi:include href="version-info.xml" xpointer="v256"/></listitem>
@@ -174,8 +175,14 @@
 
         <listitem><para>Imports a TAR or RAW image, and places it under the specified name in the image
         directory for the image class selected via <option>--class=</option>. When
-        <command>import-tar</command> is used, the file specified as the first argument should be a tar
+        <command>import-tar</command> is used, the file specified as the first argument should be a
-        archive, possibly compressed with xz, gzip or bzip2. It will then be unpacked into its own
+        <citerefentry project='die-net'><refentrytitle>tar</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+        archive, possibly compressed with
+        <citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+        <citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+        or
+        <citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
+        It will then be unpacked into its own
         subvolume/directory. When <command>import-raw</command> is used, the file should be a qcow2 or raw
         disk image, possibly compressed with xz, gzip or bzip2. If the second argument (the resulting image
         name) is not specified, it is automatically derived from the file name. If the filename is passed as
@@ -196,7 +203,9 @@
         <listitem><para>Imports an image stored in a local directory into the image directory for the image
         class selected via <option>--class=</option> and operates similarly to <command>import-tar</command>
         or <command>import-raw</command>, but the first argument is the source directory. If supported, this
-        command will create a btrfs snapshot or subvolume for the new image.</para>
+        command will create a
+        <citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+        snapshot or subvolume for the new image.</para>
 
         <xi:include href="version-info.xml" xpointer="v256"/></listitem>
       </varlistentry>
@@ -207,9 +216,13 @@
 
         <listitem><para>Exports a TAR or RAW image and stores it in the specified file. The first parameter
         should be an image name. The second parameter should be a file path the TAR or RAW
-        image is written to. If the path ends in <literal>.gz</literal>, the file is compressed with gzip, if
+        image is written to. If the path ends in <literal>.gz</literal>, the file is compressed with
-        it ends in <literal>.xz</literal>, with xz, and if it ends in <literal>.bz2</literal>, with bzip2. If
+        <citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
-        the path ends in neither, the file is left uncompressed. If the second argument is missing, the image
+        if it ends in <literal>.xz</literal>, with
+        <citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+        and if it ends in <literal>.bz2</literal>, with
+        <citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
+        If the path ends in neither, the file is left uncompressed. If the second argument is missing, the image
         is written to standard output. The compression may also be explicitly selected with the
         <option>--format=</option> switch. This is in particular useful if the second parameter is left
         unspecified.</para>

man/pam_systemd.xml

@@ -113,11 +113,11 @@
               </row>
               <row>
                 <entry><constant>user-early</constant></entry>
-                <entry>Similar to <literal>user</literal> but sessions of this class are not ordered after <filename>systemd-user-sessions.service</filename>, i.e. may be started before regular sessions are allowed to be established. This session class is the default for sessions of the root user that would otherwise qualify for the <constant>user</constant> class, see above. (Added in v256.)</entry>
+                <entry>Similar to <literal>user</literal> but sessions of this class are not ordered after <citerefentry><refentrytitle>systemd-user-sessions.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, i.e. may be started before regular sessions are allowed to be established. This session class is the default for sessions of the root user that would otherwise qualify for the <constant>user</constant> class, see above. (Added in v256.)</entry>
               </row>
               <row>
                 <entry><constant>user-incomplete</constant></entry>
-                <entry>Similar to <literal>user</literal> but for sessions which are not fully set up yet, i.e. have no home directory mounted or similar. This is used by <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> to allow users to log in via <command>ssh</command> before their home directory is mounted, delaying the mount until the user provided the unlock password. Sessions of this class are upgraded to the regular <constant>user</constant> class once the home directory is activated.</entry>
+                <entry>Similar to <literal>user</literal> but for sessions which are not fully set up yet, i.e. have no home directory mounted or similar. This is used by <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> to allow users to log in via <citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry> before their home directory is mounted, delaying the mount until the user provided the unlock password. Sessions of this class are upgraded to the regular <constant>user</constant> class once the home directory is activated.</entry>
               </row>
               <row>
                 <entry><constant>greeter</constant></entry>
@@ -129,15 +129,15 @@
               </row>
               <row>
                 <entry><constant>background</constant></entry>
-                <entry>Used for background sessions, such as those invoked by <command>cron</command> and similar tools. This is the default class for sessions for which no TTY or X display is known at session registration time.</entry>
+                <entry>Used for background sessions, such as those invoked by <citerefentry project='die-net'><refentrytitle>cron</refentrytitle><manvolnum>8</manvolnum></citerefentry> and similar tools. This is the default class for sessions for which no TTY or X display is known at session registration time.</entry>
               </row>
               <row>
                 <entry><constant>background-light</constant></entry>
-                <entry>Similar to <constant>background</constant>, but sessions of this class will not pull in the <filename>user@.service</filename> of the user, and thus possibly have no services of the user running. (Added in v256.)</entry>
+                <entry>Similar to <constant>background</constant>, but sessions of this class will not pull in the <citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> of the user, and thus possibly have no services of the user running. (Added in v256.)</entry>
               </row>
               <row>
                 <entry><constant>manager</constant></entry>
-                <entry>The <filename>user@.service</filename> service of the user is registered under this session class. (Added in v256.)</entry>
+                <entry>The <citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> service of the user is registered under this session class. (Added in v256.)</entry>
               </row>
               <row>
                 <entry><constant>manager-early</constant></entry>
@@ -445,6 +445,8 @@ session   required   pam_unix.so</programlisting>
     <title>See Also</title>
     <para><simplelist type="inline">
       <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd-user-sessions.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>user@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
       <member><citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
       <member><citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
       <member><citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>

man/pam_systemd_loadkey.xml

@@ -28,7 +28,9 @@
     <title>Description</title>
 
     <para><command>pam_systemd_loadkey</command> reads a NUL-separated password list from the kernel keyring,
-    and sets the last password in the list as the PAM authtok.</para>
+    and sets the last password in the list as the PAM authtok, which can be used by e.g.
+    <citerefentry project='man-pages'><refentrytitle>pam_get_authtok</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+    </para>
 
     <para>The password list is supposed to be stored in the "user" keyring of the root user,
     by an earlier call to
@@ -112,7 +114,8 @@
     during boot.</para>
 
     <para>You need to set the password of your Gnome Keyring/KWallet to the same as your LUKS passphrase.
-    Then add the following lines to your display manager's PAM config under <filename>/etc/pam.d/</filename> (e.g. <filename>sddm-autologin</filename>):</para>
+    Then add the following lines to your display manager's PAM config under <filename>/etc/pam.d/</filename> (e.g.
+    <filename>sddm-autologin</filename>):</para>
 
     <programlisting>
 -auth       optional    pam_systemd_loadkey.so
@@ -131,8 +134,9 @@ KeyringMode=inherit
     <para>In this setup, early during the boot process,
     <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
     will ask for the passphrase and store it in the kernel keyring with the keyname <literal>cryptsetup</literal>.
-    Then when the display manager does the autologin, pam_systemd_loadkey will read the passphrase from the kernel keyring,
+    Then when the display manager does the autologin, <command>pam_systemd_loadkey</command> will read the passphrase
-    set it as the PAM authtok, and then pam_gnome_keyring and pam_kwallet5 will unlock with the same passphrase.</para>
+    from the kernel keyring, set it as the PAM authtok, and then <command>pam_gnome_keyring</command> and
+    <command>pam_kwallet5</command> will unlock with the same passphrase.</para>
   </refsect1>
 
 </refentry>

man/portablectl.xml

@@ -48,7 +48,7 @@
     and transfer them as a whole between systems. When these images are attached to the local system, the contained units
     may run in most ways like regular system-provided units, either with full privileges or inside strict sandboxing,
     depending on the selected configuration. For more details, see
-    <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services Documentation</ulink>.</para>
+    <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>.</para>
 
     <para>Portable service images may be of the following kinds:</para>
 
@@ -417,7 +417,7 @@
         <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
         Images can be block images, btrfs subvolumes or directories. For more information on portable
         services with extensions, see the <literal>Extension Images</literal> paragraph on
-        <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services Documentation</ulink>.
+        <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>.
         </para>
 
         <para>Note that the same extensions have to be specified, in the same order, when attaching

man/repart.d.xml

@@ -606,7 +606,8 @@
         <varname>Subvolumes=</varname>.</para>
 
         <para>Note that this option only takes effect if the target filesystem supports subvolumes, such as
-        <literal>btrfs</literal>.</para>
+        <citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+        </para>
 
         <para>Note that this option is only supported in combination with <option>--offline=yes</option>
         since btrfs-progs 6.11 or newer.</para>
@@ -686,7 +687,7 @@
 
         <listitem><para>Configures the data block size of the generated verity hash partition. Must be between 512 and
         4096 bytes and must be a power of 2. Defaults to the sector size if configured explicitly, or the underlying
-        block device sector size, or 4K if systemd-repart is not operating on a block device.
+        block device sector size, or 4K if <command>systemd-repart</command> is not operating on a block device.
         </para>
 
         <xi:include href="version-info.xml" xpointer="v255"/></listitem>
@@ -697,7 +698,7 @@
 
         <listitem><para>Configures the hash block size of the generated verity hash partition. Must be between 512 and
         4096 bytes and must be a power of 2. Defaults to the sector size if configured explicitly, or the underlying
-        block device sector size, or 4K if systemd-repart is not operating on a block device.
+        block device sector size, or 4K if <command>systemd-repart</command> is not operating on a block device.
         </para>
 
         <xi:include href="version-info.xml" xpointer="v255"/></listitem>
@@ -807,7 +808,9 @@
         mount options. These fields correspond to the second and fourth column of the
         <citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
         format. This setting may be specified multiple times to mount the partition multiple times. This can
-        be used to add mounts for different btrfs subvolumes located on the same btrfs partition.</para>
+        be used to add mounts for different
+        <citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+        subvolumes located on the same btrfs partition.</para>
 
         <para>Note that this setting is only taken into account when <option>--generate-fstab=</option> is
         specified on the <command>systemd-repart</command> command line.</para>
@@ -818,7 +821,7 @@
       <varlistentry>
         <term><varname>EncryptedVolume=</varname></term>
 
-        <listitem><para>Specify how the encrypted partition should be set up. Takes at least one and at most
+        <listitem><para>Specifies how the encrypted partition should be set up. Takes at least one and at most
         three fields separated with a colon (<literal>:</literal>). The first field specifies the encrypted
         volume name under <filename>/dev/mapper/</filename>. If not specified, <literal>luks-UUID</literal>
         will be used where <literal>UUID</literal> is the LUKS UUID. The second field specifies the keyfile
@@ -837,13 +840,14 @@
       <varlistentry>
         <term><varname>Compression=</varname></term>
 
-        <listitem><para>Specify the compression algorithm to use for the filesystem configured with
+        <listitem><para>Specifies the compression algorithm to use for the filesystem configured with
         <varname>Format=</varname>. Takes a single argument specifying the compression algorithm.</para>
 
         <para>Note that this setting is only taken into account when the filesystem configured with
-        <varname>Format=</varname> supports compression (btrfs, squashfs, erofs). Here's an incomplete list
+        <varname>Format=</varname> supports compression (
-        of compression algorithms supported by the filesystems known to
+        <citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
-        <command>systemd-repart</command>:</para>
+        squashfs, erofs). Here's an incomplete list of compression algorithms supported by the filesystems
+        known to <command>systemd-repart</command>:</para>
 
         <table>
           <title>File System Compression Algorithms</title>
@@ -883,7 +887,7 @@
       <varlistentry>
         <term><varname>CompressionLevel=</varname></term>
 
-        <listitem><para>Specify the compression level to use for the filesystem configured with
+        <listitem><para>Specifies the compression level to use for the filesystem configured with
         <varname>Format=</varname>. Takes a single argument specifying the compression level to use for the
         configured compression algorithm. The possible compression levels and their meaning are filesystem
         specific (refer to the filesystem's documentation for the exact meaning of a particular compression

man/resolvectl.xml

@@ -485,7 +485,7 @@
 
         <listitem><para>Takes a boolean parameter; used in conjunction with <command>query</command>. If
         true, rules regarding routing of single-label names are relaxed. Defaults to false. By default,
-        lookups of single label names are assumed to refer to local hosts to be resolved via local resolution
+        lookups of single-label names are assumed to refer to local hosts to be resolved via local resolution
         such as LLMNR or via search domain qualification and are not routed to upstream servers as is. If
         this option is enabled these rules are disabled and the queries are routed upstream anyway. Also see
         the <varname>ResolveUnicastSingleLabel=</varname> option in

man/run0.xml

@@ -61,7 +61,10 @@
     <literal>systemd-run0</literal> PAM stack.</para>
 
     <para>Note that <command>run0</command> is implemented as an alternative multi-call invocation of
-    <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
+    <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>. That is,
+    <command>run0</command> is a symbolic link to <command>systemd-run</command> executable file, and it
+    behaves as <command>run0</command> if it is invoked through the symbolic link, otherwise behaves as
+    <command>systemd-run</command>.</para>
   </refsect1>
 
   <refsect1>
@@ -81,7 +84,7 @@
       <varlistentry>
         <term><option>--property=</option></term>
 
-        <listitem><para>Sets a property on the service unit that is created. This option takes an assignment
+        <listitem><para>Sets a property of the service unit that is created. This option takes an assignment
         in the same format as
         <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
         <command>set-property</command> command.</para>
@@ -225,7 +228,7 @@
         <term><option>--machine=</option></term>
 
         <listitem>
-          <para>Execute operation on a local container. Specify a container name to connect to.</para>
+          <para>Execute operation in a local container. Specify a container name to connect to.</para>
 
           <xi:include href="version-info.xml" xpointer="v256"/>
         </listitem>

man/systemctl.xml

@@ -1397,7 +1397,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
             <para>Note that this shows the <emphasis>effective</emphasis> block, i.e. the combination of
             environment variables configured via configuration files, environment generators and via IPC
             (i.e. via the <command>set-environment</command> described below). At the moment a unit process
-            is forked off this combined environment block will be further combined with per-unit environment
+            is forked off, this combined environment block will be further combined with per-unit environment
             variables, which are not visible in this command.</para>
           </listitem>
         </varlistentry>

man/systemd-boot.xml

@@ -54,7 +54,7 @@
 
       <listitem><para>The EFI Shell binary, if installed.</para></listitem>
 
-      <listitem><para>A <literal>Reboot Into Firmware Interface option</literal>, if supported by the UEFI
+      <listitem><para>A <literal>Reboot Into Firmware Interface</literal> option, if supported by the UEFI
       firmware.</para></listitem>
 
       <listitem><para>Secure Boot variables enrollment if the UEFI firmware is in setup-mode and files are provided

man/systemd-cryptenroll.xml

@@ -299,7 +299,7 @@
       <varlistentry>
         <term><option>--unlock-tpm2-device=<replaceable>PATH</replaceable></option></term>
 
-        <listitem><para>Use a TPM2 device instead of a password/passhprase read from stdin to unlock the
+        <listitem><para>Use a TPM2 device instead of a password/passphrase read from stdin to unlock the
         volume. Expects a device node path referring to the TPM2 chip (e.g. <filename>/dev/tpmrm0</filename>).
         Alternatively the special value <literal>auto</literal> may be specified, in order to automatically
         determine the device node of a currently discovered TPM2 device (of which there must be exactly one).

man/systemd-cryptsetup.xml

@@ -32,7 +32,7 @@
       <arg choice="plain">VOLUME</arg>
       <arg choice="plain">SOURCE-DEVICE</arg>
       <arg choice="opt">KEY-FILE</arg>
-      <arg choice="opt">CONFIG</arg>
+      <arg choice="opt">CRYPTTAB-OPTIONS</arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -150,7 +150,7 @@
       <varlistentry>
         <term><varname>cryptsetup.luks2-pin</varname></term>
 
-        <listitem><para>This credential specifies the PIN requested by generic LUKS2 token modules.</para>
+        <listitem><para>This credential specifies the pin requested by generic LUKS2 token modules.</para>
 
         <xi:include href="version-info.xml" xpointer="v256"/></listitem>
       </varlistentry>

man/systemd-fsck@.service.xml

@@ -57,7 +57,9 @@
     last check, number of mounts, unclean unmount, etc.</para>
 
     <para><filename>systemd-fsck-root.service</filename> and <filename>systemd-fsck-usr.service</filename>
-    will activate <filename>reboot.target</filename> if <command>fsck</command> returns the "System
+    will activate <filename>reboot.target</filename> if
+    <citerefentry project='man-pages'><refentrytitle>fsck</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+    returns the "System
     should reboot" condition, or <filename>emergency.target</filename> if <command>fsck</command>
     returns the "Filesystem errors left uncorrected" condition.</para>
 

man/systemd-journald.service.xml

@@ -164,9 +164,10 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting>
     used to view the log stream of a specific namespace. If the switch is not used the log stream of the
     default namespace is shown, i.e. log data from other namespaces is not visible.</para>
 
-    <para>Services associated with a specific log namespace may log via syslog, the native logging protocol
+    <para>Services associated with a specific log namespace may log via
-    of the journal and via stdout/stderr; the logging from all three transports is associated with the
+    <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
-    namespace.</para>
+    the native logging protocol of the journal and via stdout/stderr; the logging from all three transports
+    is associated with the namespace.</para>
 
     <para>By default only the default namespace will collect kernel and audit log messages.</para>
 
@@ -288,8 +289,11 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting>
         <term><varname>systemd.journald.max_level_socket=</varname></term>
 
         <listitem><para>Controls the maximum log level of messages that are stored in the journal, forwarded
-        to syslog, kmsg, the console, the wall, or a socket. This kernel command line options override the
+        to
-        settings of the same names in the
+        <citerefentry project='man-pages'><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+        kmsg, the console,
+        <citerefentry project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+        or a socket. This kernel command line options override the settings of the same names in the
         <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
         file.</para>
 

man/systemd-machined.service.xml

@@ -136,6 +136,7 @@
       <member><citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
       <member><citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
       <member><citerefentry><refentrytitle>org.freedesktop.machine1</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+      <member><citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
     </simplelist></para>
   </refsect1>
 

man/systemd-mountfsd.service.xml

@@ -57,7 +57,9 @@
     <para>The returned mounts are automatically allowlisted in the per-user-namespace allowlist maintained by
     <citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
 
-    <para>The file systems are automatically fsck'ed before mounting.</para>
+    <para>The file systems are automatically
+    <citerefentry project='man-pages'><refentrytitle>fsck</refentrytitle><manvolnum>8</manvolnum></citerefentry>'ed
+    before mounting.</para>
   </refsect1>
 
   <refsect1>

man/systemd-nspawn.xml

@@ -140,7 +140,7 @@
     <para>When running in unprivileged mode, some needed functionality is provided via
     <citerefentry><refentrytitle>systemd-mountfsd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
     and
-    <citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></para>
+    <citerefentry><refentrytitle>systemd-nsresourced.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
   </refsect1>
 
   <refsect1>

man/systemd-pcrlock.xml

@@ -106,7 +106,7 @@
 
         <listitem><para>This reads the combined TPM2 event log and writes it to STDOUT in <ulink
         url="https://trustedcomputinggroup.org/resource/canonical-event-log-format/">TCG Canonical Event Log
-        Format (CEL-JSON)</ulink> format.</para>
+        Format (CEL-JSON)</ulink>.</para>
 
         <xi:include href="version-info.xml" xpointer="v255"/></listitem>
       </varlistentry>
@@ -387,8 +387,10 @@
 
         <listitem><para>Generates/removes a <filename>.pcrlock</filename> file based on a kernel initrd cpio
         archive. This is useful for predicting measurements the Linux kernel makes to PCR 9
-        ("kernel-initrd"). Do not use for <command>systemd-stub</command> UKIs, as the initrd is combined
+        ("kernel-initrd"). Do not use for
-        dynamically from various sources and hence does not take a single input, like this command.</para>
+        <citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+        UKIs, as the initrd is combined dynamically from various sources and hence does not take a single
+        input, like this command.</para>
 
         <para>This writes/removes the file
         <filename>/var/lib/pcrlock.d/720-kernel-initrd.pcrlock/generated.pcrlock</filename>.</para>
@@ -521,7 +523,7 @@
       <varlistentry>
         <term><option>--pcrlock=</option></term>
 
-        <listitem><para>Takes a file system path as argument. If specified overrides where to write the
+        <listitem><para>Takes a file system path as argument. If specified, configures where to write the
         generated pcrlock data to. Honoured by the various <command>lock-*</command> commands. If not
         specified, a default path is generally used, as documented above.</para>
 
@@ -531,7 +533,7 @@
       <varlistentry>
         <term><option>--policy=</option></term>
 
-        <listitem><para>Takes a file system path as argument. If specified overrides where to write pcrlock
+        <listitem><para>Takes a file system path as argument. If specified, configures where to write pcrlock
         policy metadata to. If not specified defaults to
         <filename>/var/lib/systemd/pcrlock.json</filename>.</para>
 

man/systemd-poweroff.service.xml

@@ -53,7 +53,7 @@
     might be broken — the running PID 1 could still depend on libraries which are not available any more,
     thus keeping the file system busy, which then cannot be re-mounted read-only.</para>
 
-    <para>Shortly before executing the actual system power-off/halt/reboot/kexec
+    <para>Shortly before executing the actual system power-off/halt/reboot/kexec,
     <filename>systemd-shutdown</filename> will run all executables in
     <filename>/usr/lib/systemd/system-shutdown/</filename> and pass one arguments to them: either
     <literal>poweroff</literal>, <literal>halt</literal>, <literal>reboot</literal>, or

man/systemd-repart.xml

@@ -569,7 +569,7 @@
         (sysext, see
         <citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry>
         for details), configuration extension (confext) or <ulink
-        url="https://systemd.io/PORTABLE_SERVICES">portable service</ulink>. The generated image will consist
+        url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>. The generated image will consist
         of a signed Verity <literal>erofs</literal> file system as root partition. In this mode of operation
         the partition definitions in <filename>/usr/lib/repart.d/*.conf</filename> and related directories
         are not read, and <option>--definitions=</option> is not supported, as appropriate definitions for
@@ -605,10 +605,11 @@
       <varlistentry>
         <term><option>--generate-fstab=<replaceable>PATH</replaceable></option></term>
 
-        <listitem><para>Specifies a path where to write fstab entries for the mountpoints configured with
+        <listitem><para>Specifies a path where to write
-        <option>MountPoint=</option> in the root directory specified with <option>--copy-source=</option> or
+        <citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-        <option>--root=</option> or in the host's root directory if neither is specified. Disabled by
+        entries for the mountpoints configured with <option>MountPoint=</option> in the root directory
-        default.</para>
+        specified with <option>--copy-source=</option> or <option>--root=</option> or in the host's root
+        directory if neither is specified. Disabled by default.</para>
 
         <xi:include href="version-info.xml" xpointer="v256"/></listitem>
       </varlistentry>
@@ -680,7 +681,7 @@ systemd-confext refresh</programlisting>
       <title>Generate a system extension image and sign it via PKCS11</title>
 
       <para>The following creates a system extension DDI (sysext) for an
-      <filename>/usr/foo</filename> update and signs it with a hardware token via PKCS11.</para>
+      <filename>/usr/foo</filename> update and signs it with a hardware token via PKCS11:</para>
 
       <programlisting>mkdir -p tree/usr/lib/extension-release.d
 echo "Hello World" >tree/usr/foo

man/systemd-resolved.service.xml

@@ -343,10 +343,10 @@ search foobar.com barbar.com
       <listitem><para><command>systemd-resolved</command> maintains the
       <filename>/run/systemd/resolve/stub-resolv.conf</filename> file for compatibility with traditional
       Linux programs. This file lists the 127.0.0.53 DNS stub (see above) as the only DNS server. It also
-      contains a list of search domains that are in use by systemd-resolved. The list of search domains is
+      contains a list of search domains that are in use by <command>systemd-resolved</command>. The list of
-      always kept up-to-date. Note that <filename>/run/systemd/resolve/stub-resolv.conf</filename> should not
+      search domains is always kept up-to-date. Note that
-      be used directly by applications, but only through a symlink from
+      <filename>/run/systemd/resolve/stub-resolv.conf</filename> should not be used directly by applications,
-      <filename>/etc/resolv.conf</filename>. This file may be symlinked from
+      but only through a symlink from <filename>/etc/resolv.conf</filename>. This file may be symlinked from
       <filename>/etc/resolv.conf</filename> in order to connect all local clients that bypass local DNS APIs
       to <command>systemd-resolved</command> with correct search domains settings. This mode of operation is
       recommended.</para></listitem>

man/systemd-rfkill.service.xml

@@ -41,8 +41,10 @@
   <refsect1>
     <title>Kernel Command Line</title>
 
-    <para><filename>systemd-rfkill</filename> understands the
+    <para>
-    following kernel command line parameter:</para>
+      <command>systemd-rfkill</command> understands the following kernel command line parameter. See also
+      <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
+    </para>
 
     <variablelist class='kernel-commandline-options'>
       <varlistentry>

man/systemd-soft-reboot.service.xml

@@ -139,7 +139,8 @@ DefaultDependencies=no</programlisting>
       <varname>Conflicts=umount.target</varname>)</para></listitem>
 
       <listitem><para>If the unit publishes a service over D-Bus, the connection needs to be re-established
-      after soft-reboot as the D-Bus broker will be stopped and then started again. When using the sd-bus
+      after soft-reboot as the D-Bus broker will be stopped and then started again. When using the
+      <citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry>
       library this can be achieved by adapting the following example.
       <programlisting><xi:include href="sd_bus_service_reconnect.c" parse="text"/></programlisting>
       </para></listitem>

man/systemd-ssh-generator.xml

@@ -34,9 +34,9 @@
 
     <para><command>systemd-ssh-generator</command> binds a socket-activated SSH server to local
     <constant>AF_VSOCK</constant> and <constant>AF_UNIX</constant> sockets under certain conditions. It only
-    has an effect if the <citerefentry
+    has an effect if the
-    project="man-pages"><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> binary is
+    <citerefentry project="man-pages"><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
-    installed. Specifically, it does the following:</para>
+    binary is installed. Specifically, it does the following:</para>
 
     <itemizedlist>
       <listitem><para>If invoked in a VM with <constant>AF_VSOCK</constant> support, a socket-activated SSH
@@ -71,14 +71,14 @@
     <para>The generator will use a packaged <filename>sshd@.service</filename> service template file if one
     exists, and otherwise generate a suitable service template file.</para>
 
-    <para><filename>systemd-ssh-generator</filename> implements
+    <para><command>systemd-ssh-generator</command> implements
     <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
   </refsect1>
 
   <refsect1>
     <title>Kernel Command Line</title>
 
-    <para><filename>systemd-ssh-generator</filename> understands the following
+    <para><command>systemd-ssh-generator</command> understands the following
     <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>
     parameters:</para>
 
@@ -102,8 +102,9 @@
         times to bind multiple sockets. The syntax should follow the one of <varname>ListenStream=</varname>,
         see
         <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-        for details. This functionality supports all socket families systemd supports, including
+        for details. This functionality supports all socket families
-        <constant>AF_INET</constant> and <constant>AF_INET6</constant>.</para>
+        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> supports,
+        including <constant>AF_INET</constant> and <constant>AF_INET6</constant>.</para>
 
         <xi:include href="version-info.xml" xpointer="v256"/></listitem>
       </varlistentry>

man/systemd-ssh-proxy.xml

@@ -77,7 +77,7 @@ Host .host
     <para>This tool is supposed to be used together with
     <citerefentry><refentrytitle>systemd-ssh-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
     which when run inside a VM or container will bind SSH to suitable
-    addresses. <command>systemd-ssh-generator</command> is supposed to run in the container of VM guest, and
+    addresses. <command>systemd-ssh-generator</command> is supposed to run in the container or VM guest, and
     <command>systemd-ssh-proxy</command> is run on the host, in order to connect to the container or VM
     guest.</para>
   </refsect1>

man/systemd-stdio-bridge.xml

@@ -43,7 +43,7 @@
 
     <para><citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry> uses
     <command>systemd-stdio-bridge</command> to forward D-Bus connections over
-    <citerefentry project='die-net'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+    <citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
     or to connect to the bus of a different user, see
     <citerefentry><refentrytitle>sd_bus_set_address</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
     </para>

man/systemd-stub.xml

@@ -209,7 +209,7 @@
       images to the initrd. See
       <citerefentry><refentrytitle>systemd-confext</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
       details on configuration extension images. The generated <command>cpio</command> archive containing
-      these system extension images is measured into TPM PCR 12 (if a TPM is present).</para></listitem>
+      these configuration extension images is measured into TPM PCR 12 (if a TPM is present).</para></listitem>
 
       <listitem><para>Similarly, files
       <filename><replaceable>foo</replaceable>.efi.extra.d/*.addon.efi</filename> are loaded and verified as

man/systemd-sysext.xml

@@ -141,7 +141,7 @@
     but the used architecture identifiers are the same as for <varname>ConditionArchitecture=</varname>
     described in <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
     <varname>EXTENSION_RELOAD_MANAGER=</varname> can be set to 1 if the extension requires a service manager reload after application
-    of the extension. Note that for the reasons mentioned earlier:
+    of the extension. Note that for the reasons mentioned earlier,
     <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink> remain
     the recommended way to ship system services.
 
@@ -206,13 +206,13 @@
     the underlying host <filename>/usr/</filename> is managed as immutable disk image or is a traditional
     package manager controlled (i.e. writable) tree.</para>
 
-    <para>With systemd-confext one can perform runtime reconfiguration of OS services.
+    <para>With <command>systemd-confext</command> one can perform runtime reconfiguration of OS services.
     Sometimes, there is a need to swap certain configuration parameter values or restart only a specific
     service without deployment of new code or a complete OS deployment. In other words, we want to be able
     to tie the most frequently configured options to runtime updateable flags that can be changed without a
     system reboot. This will help reduce servicing times when there is a need for changing the OS configuration.
     It also provides a reliable tool for managing configuration because all old configuration files disappear when
-    the systemd-confext image is removed.</para></refsect1>
+    the <command>systemd-confext</command> image is removed.</para></refsect1>
 
   <refsect1>
     <title>Mutability</title>

man/systemd-system.conf.xml

@@ -302,7 +302,7 @@
         and running in an initrd equivalent to true, otherwise false. This implements a restricted subset of
         the per-unit setting of the same name, see
         <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
-        details: currently, the <literal>full</literal> or <literal>struct</literal> values are not
+        details: currently, the <literal>full</literal> or <literal>strict</literal> values are not
         supported.</para>
 
         <xi:include href="version-info.xml" xpointer="v256"/></listitem>

man/systemd-tpm2-generator.xml

@@ -30,7 +30,7 @@
   <refsect1>
     <title>Description</title>
 
-    <para><filename>systemd-tpm2-generator</filename> is a generator that adds a <varname>Wants=</varname>
+    <para><command>systemd-tpm2-generator</command> is a generator that adds a <varname>Wants=</varname>
     dependency from <filename>sysinit.target</filename> to <filename>tpm2.target</filename> when it detects
     that the firmware discovered a TPM2 device but the OS kernel so far did
     not. <filename>tpm2.target</filename> is supposed to act as synchronization point for all services that
@@ -45,7 +45,7 @@
     for it yet. The latter might be useful in environments where a suitable TPM2 driver for the available
     hardware is not available.</para>
 
-    <para><filename>systemd-tpm2-generator</filename> implements
+    <para><command>systemd-tpm2-generator</command> implements
     <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
   </refsect1>
 

man/systemd-vmspawn.xml

@@ -45,7 +45,7 @@
     file descriptors must be passed with the names <literal>kvm</literal> and <literal>vhost-vsock</literal>
     respectively.</para>
 
-    <para>Note: on Ubuntu/Debian derivatives systemd-vmspawn requires the user to be in the
+    <para>Note: on Ubuntu/Debian derivatives <command>systemd-vmspawn</command> requires the user to be in the
     <literal>kvm</literal> group to use the VSOCK options.</para>
   </refsect1>
 
@@ -420,7 +420,8 @@
           for more information.</para>
 
           <para>By default <literal>ed25519</literal> keys are generated, however <literal>rsa</literal> keys
-          may also be useful if the VM has a particularly old version of <command>sshd</command>.</para>
+          may also be useful if the VM has a particularly old version of
+          <citerefentry project='man-pages'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
 
           <xi:include href="version-info.xml" xpointer="v256"/>
           </listitem>

man/systemd-vpick.xml

@@ -46,7 +46,7 @@
 
     <para>If the specified path does not reference a <literal>.v/</literal> path (i.e. neither the final
     component ends in <literal>.v</literal>, nor the penultimate does or the final one does contain a triple
-    underscore) it specified path is written unmodified to standard output.</para>
+    underscore) its specified path is written unmodified to standard output.</para>
   </refsect1>
 
   <refsect1>

man/systemd.link.xml

@@ -378,7 +378,7 @@
 
           <para>This setting is useful to configure the <literal>ID_NET_MANAGED_BY=</literal> property which
           declares which network management service shall manage the interface, which is respected by
-          systemd-networkd and others. Use
+          <command>systemd-networkd</command> and others. Use
           <programlisting>Property=ID_NET_MANAGED_BY=io.systemd.Network</programlisting>
           to declare explicitly that <command>systemd-networkd</command> shall manage the interface, or set
           the property to something else to declare explicitly it shall not do so. See
@@ -974,10 +974,10 @@
         <listitem>
           <para>Configures Receive Packet Steering (RPS) list of CPUs to which RPS may forward traffic.
           Takes a list of CPU indices or ranges separated by either whitespace or commas. Alternatively,
-          takes the special value <literal>all</literal> in which will include all available CPUs in the mask.
+          takes the special value <literal>all</literal>, which will include all available CPUs in the mask.
           CPU ranges are specified by the lower and upper CPU indices separated by a dash (e.g. <literal>2-6</literal>).
-          This option may be specified more than once, in which case the specified CPU affinity masks are merged.
+          This option may be specified more than once, in which case the specified list of CPU ranges are merged.
-          If an empty string is assigned, the mask is reset, all assignments prior to this will have no effect.
+          If an empty string is assigned, the list is reset, all assignments prior to this will have no effect.
           Defaults to unset and RPS CPU list is unchanged. To disable RPS when it was previously enabled, use the
           special value <literal>disable</literal>.</para>
 

man/systemd.mount.xml

@@ -293,7 +293,7 @@
         comes from unit fragments, i.e. generated from <filename>/etc/fstab</filename> by <citerefentry>
         <refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry> or loaded from
         a manually configured mount unit, a combination of <varname>Requires=</varname> and <varname>StopPropagatedFrom=</varname>
-        dependencies is set on the backing device. If doesn't, only <varname>Requires=</varname> is used.</para>
+        dependencies is set on the backing device, otherwise only <varname>Requires=</varname> is used.</para>
 
         <xi:include href="version-info.xml" xpointer="v233"/></listitem>
       </varlistentry>
@@ -556,7 +556,7 @@
         for details. This setting is optional.</para>
 
         <para>If the type is <literal>overlay</literal>, and <literal>upperdir=</literal> or
-        <literal>workdir=</literal> are specified as options and they don't exist, they will be created.
+        <literal>workdir=</literal> are specified as options and the directories don't exist, they will be created.
         </para></listitem>
       </varlistentry>
 

man/systemd.net-naming-scheme.xml

@@ -27,18 +27,19 @@
     attributes and the use of this information is configured. This page describes interface naming, i.e. what
     possible names may be generated. Those names are generated by the
     <citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
-    builtin <command>net_id</command> and exported as udev properties
+    builtin <command>net_id</command> and exported as
-    (<varname>ID_NET_NAME_ONBOARD=</varname>, <varname>ID_NET_LABEL_ONBOARD=</varname>,
+    <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+    properties (<varname>ID_NET_NAME_ONBOARD=</varname>, <varname>ID_NET_LABEL_ONBOARD=</varname>,
     <varname>ID_NET_NAME_PATH=</varname>, <varname>ID_NET_NAME_SLOT=</varname>).</para>
 
     <para>Names and MAC addresses are derived from various stable device metadata attributes. Newer versions
-    of udev take more of these attributes into account, improving (and thus possibly changing) the names and
+    of <command>systemd-udevd</command> take more of these attributes into account, improving (and thus
-    addresses used for the same devices. Different versions of those generation rules are called "naming
+    possibly changing) the names and addresses used for the same devices. Different versions of those
-    schemes". The default naming scheme is chosen at compilation time. Usually this will be the latest
+    generation rules are called "naming schemes". The default naming scheme is chosen at compilation time.
-    implemented version, but it is also possible to set one of the older versions to preserve
+    Usually this will be the latest implemented version, but it is also possible to set one of the older
-    compatibility. This may be useful for example for distributions, which may introduce new versions of
+    versions to preserve compatibility. This may be useful for example for distributions, which may introduce
-    systemd in stable releases without changing the naming scheme. The naming scheme may also be overridden
+    new versions of systemd in stable releases without changing the naming scheme. The naming scheme may also
-    using the <varname>net.naming_scheme=</varname> kernel command line switch, see
+    be overridden using the <varname>net.naming_scheme=</varname> kernel command line switch, see
     <citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
     Available naming schemes are described below.</para>
 
@@ -521,7 +522,8 @@
           change introduced in <constant>v254</constant> by default.</para>
 
           <para>If we detect that a PCI device associated with a slot is a PCI bridge, we no longer set
-          <varname>ID_NET_NAME_SLOT</varname>, reverting a change that was introduced in v251.</para>
+          <varname>ID_NET_NAME_SLOT</varname>, reverting a change that was introduced in
+          <constant>v251</constant>.</para>
 
           <xi:include href="version-info.xml" xpointer="v255"/>
           </listitem>
@@ -708,6 +710,7 @@ net:naming:drvirtio_net:*
     <para><simplelist type="inline">
       <member><citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
       <member><citerefentry><refentrytitle>udevadm</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd-udevd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
       <member><ulink url="https://systemd.io/PREDICTABLE_INTERFACE_NAMES">Predictable Network Interface Names</ulink></member>
       <member><citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
     </simplelist></para>

man/systemd.netdev.xml

@@ -34,10 +34,16 @@
     for a general description of the syntax.</para>
 
     <para>The main Virtual Network Device file must have the extension <filename>.netdev</filename>;
-    other extensions are ignored. Virtual network devices are created as soon as networkd is
+    other extensions are ignored. Virtual network devices are created as soon as
-    started. If a netdev with the specified name already exists, networkd will use that as-is rather
+    <command>systemd-networkd</command> is started if possible. If a netdev with the specified name already
-    than create its own. Note that the settings of the pre-existing netdev will not be changed by
+    exists, <command>systemd-networkd</command> will try to update the config if the kind of the existing
-    networkd.</para>
+    netdev is equivalent to the requested one, otherwise (e.g. when bridge device <filename>foo</filename>
+    exists but bonding device with the same name is configured in a .netdev file) use the existing netdev
+    as-is rather than replacing with the requested netdev. Note, several settings (e.g. vlan ID) cannot be
+    changed after the netdev is created. To change such settings, it is necessary to first remove the
+    existing netdev, and then run <command>networkctl reload</command> command or restart
+    <command>systemd-networkd</command>. See also
+    <citerefentry><refentrytitle>networkctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
 
     <para>The <filename>.netdev</filename> files are read from the files located in the system network
     directory <filename>/usr/lib/systemd/network</filename> and
@@ -588,7 +594,7 @@
           <para>Controls the threshold for broadcast queueing of the macvlan device. Takes the special value
           <literal>no</literal>, or an integer in the range 0…2147483647. When <literal>no</literal> is
           specified, the broadcast queueing is disabled altogether. When an integer is specified, a multicast
-          address will be queued as broadcast if the number of devices using it is greater than the given
+          address will be queued as broadcast if the number of devices using the macvlan is greater than the given
           value. Defaults to unset, and the kernel default will be used.</para>
 
           <xi:include href="version-info.xml" xpointer="v256"/>
@@ -1929,7 +1935,8 @@
           the <command>wg genkey</command> command
           (see <citerefentry project='man-pages'><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
           Specially, if the specified key is prefixed with <literal>@</literal>, it is interpreted as
-          the name of the credential from which the actual key shall be read. <command>systemd-networkd.service</command>
+          the name of the credential from which the actual key shall be read.
+          <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
           automatically imports credentials matching <literal>network.wireguard.*</literal>. For more details
           on credentials, refer to
           <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
@@ -2083,7 +2090,7 @@
           i.e. the packets that pass through the tunnel itself. To cause packets to be sent via the tunnel in
           the first place, an appropriate route needs to be added as well — either in the
           <literal>[Routes]</literal> section on the <literal>.network</literal> matching the wireguard
-          interface, or externally to <filename>systemd-networkd</filename>.</para>
+          interface, or externally to <command>systemd-networkd</command>.</para>
 
           <xi:include href="version-info.xml" xpointer="v237"/>
         </listitem>
@@ -2970,7 +2977,7 @@ Independent=yes</programlisting>
     <title>See Also</title>
     <para><simplelist type="inline">
       <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
-      <member><citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
       <member><citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
       <member><citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
       <member><citerefentry><refentrytitle>systemd-network-generator.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>

man/systemd.network.xml

@@ -887,7 +887,7 @@ DuplicateAddressDetection=none</programlisting></para>
           from the network interface will be appear as coming from the local host. Typically, this should be
           enabled on the downstream interface of routers. Takes one of <literal>ipv4</literal>,
           <literal>ipv6</literal>, <literal>both</literal>, or <literal>no</literal>. Defaults to
-          <literal>no</literal>. Note. Any positive boolean values such as <literal>yes</literal> or
+          <literal>no</literal>. Note that any positive boolean values such as <literal>yes</literal> or
           <literal>true</literal> are now deprecated. Please use one of the values above. Specifying
           <literal>ipv4</literal> or <literal>both</literal> implies <varname>IPv4Forwarding=</varname>
           settings in both .network file for this interface and the global
@@ -928,8 +928,8 @@ DuplicateAddressDetection=none</programlisting></para>
           <para>Takes a boolean. Controls IPv6 Router Advertisement (RA) reception support for the interface.
           If true, RAs are accepted; if false, RAs are ignored. When RAs are accepted, they may trigger the
           start of the DHCPv6 client if the relevant flags are set in the RA data, or if no routers are found
-          on the link. Defaults to false for bridge devices, when IP forwarding is enabled,
+          on the link. Defaults to false for bridge devices, when <varname>IPv6Forwarding=</varname>,
-          <varname>IPv6SendRA=</varname> or <varname>KeepMaster=</varname> is enabled. Otherwise, enabled by
+          <varname>IPv6SendRA=</varname>, or <varname>KeepMaster=</varname> is enabled. Otherwise, enabled by
           default. Cannot be enabled on devices aggregated in a bond device or when link-local addressing is
           disabled.</para>
 
@@ -993,9 +993,9 @@ DuplicateAddressDetection=none</programlisting></para>
           whether the <emphasis>source</emphasis> of the packet would be routed through the interface it came in. If there is no
           route to the source on that interface, the machine will drop the packet. Takes one of
           <literal>no</literal>, <literal>strict</literal>, or <literal>loose</literal>. When <literal>no</literal>,
-          no source validation will be done. When <literal>strict</literal>, mode each incoming packet is tested against the FIB and
+          no source validation will be done. When <literal>strict</literal>, each incoming packet is tested against the FIB and
           if the incoming interface is not the best reverse path, the packet check will fail. By default failed packets are discarded.
-          When <literal>loose</literal>,  mode each incoming packet's source address is tested against the FIB. The packet is dropped
+          When <literal>loose</literal>, each incoming packet's source address is tested against the FIB. The packet is dropped
           only if the source address is not reachable via any interface on that router.
           See <ulink url="https://tools.ietf.org/html/rfc1027">RFC 3704</ulink>.
           When unset, the kernel's default will be used.</para>
@@ -1084,9 +1084,10 @@ DuplicateAddressDetection=none</programlisting></para>
           Advertisement messages intended for another machine by offering its own MAC address as
           destination. Unlike proxy ARP for IPv4, it is not enabled globally, but will only send
           Neighbour Advertisement messages for addresses in the IPv6 neighbor proxy table, which can
-          also be shown by <command>ip -6 neighbour show proxy</command>. systemd-networkd will control
+          also be shown by <command>ip -6 neighbour show proxy</command>.
-          the per-interface `proxy_ndp` switch for each configured interface depending on this option.
+          <command>systemd-networkd</command> will control the per-interface `proxy_ndp` switch for each
-          When unset, the kernel's default will be used.</para>
+          configured interface depending on this option. When unset, the kernel's default will be used.
+          </para>
 
           <xi:include href="version-info.xml" xpointer="v234"/>
         </listitem>
@@ -1096,7 +1097,7 @@ DuplicateAddressDetection=none</programlisting></para>
         <term><varname>IPv6ProxyNDPAddress=</varname></term>
         <listitem>
           <para>An IPv6 address, for which Neighbour Advertisement messages will be proxied. This
-          option may be specified more than once. systemd-networkd will add the
+          option may be specified more than once. <command>systemd-networkd</command> will add the
           <varname>IPv6ProxyNDPAddress=</varname> entries to the kernel's IPv6 neighbor proxy table.
           This setting implies <varname>IPv6ProxyNDP=yes</varname> but has no effect if
           <varname>IPv6ProxyNDP=</varname> has been set to false. When unset, the kernel's default will
@@ -1225,9 +1226,9 @@ DuplicateAddressDetection=none</programlisting></para>
       <varlistentry>
         <term><varname>ConfigureWithoutCarrier=</varname></term>
         <listitem>
-          <para>Takes a boolean. Allows networkd to configure a specific link even if it has no
+          <para>Takes a boolean. Allows <command>systemd-networkd</command> to configure a specific link even
-          carrier. Defaults to false. If enabled, and the <varname>IgnoreCarrierLoss=</varname> setting
+          if it has no carrier. Defaults to false. If enabled, and the <varname>IgnoreCarrierLoss=</varname>
-          is not explicitly set, then it is enabled as well.</para>
+          setting is not explicitly set, then it is enabled as well.</para>
 
           <para>With this enabled, to make the interface enter the <literal>configured</literal> state,
           which is required to make <command>systemd-networkd-wait-online</command> work properly for the
@@ -1455,11 +1456,11 @@ DuplicateAddressDetection=none</programlisting></para>
           <command>ip maddr</command> command would not work if we have an Ethernet switch that does
           IGMP snooping since the switch would not replicate multicast packets on  ports that did not
           have IGMP reports for the multicast addresses. Linux vxlan interfaces created via
-          <command>ip link add vxlan</command> or networkd's netdev kind vxlan have the group option
+          <command>ip link add vxlan</command> or <command>systemd-networkd</command>'s netdev kind vxlan
-          that enables them to do the required join. By extending <command>ip address</command> command
+          have the group option that enables them to do the required join. By extending
-          with option <literal>autojoin</literal> we can get similar functionality for openvswitch (OVS)
+          <command>ip address</command> command with option <literal>autojoin</literal> we can get similar
-          vxlan interfaces as well as other tunneling mechanisms that need to receive multicast traffic.
+          functionality for openvswitch (OVS) vxlan interfaces as well as other tunneling mechanisms that
-          Defaults to <literal>no</literal>.</para>
+          need to receive multicast traffic. Defaults to <literal>no</literal>.</para>
 
           <xi:include href="version-info.xml" xpointer="v232"/>
         </listitem>
@@ -1785,7 +1786,7 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
       <varlistentry>
         <term><varname>L3MasterDevice=</varname></term>
         <listitem>
-          <para>A boolean. Specifies whether the rule is to direct lookups to the tables associated with
+          <para>Takes a boolean. Specifies whether the rule is to direct lookups to the tables associated with
           level 3 master devices (also known as Virtual Routing and Forwarding or VRF devices).
           For further details see <ulink url="https://docs.kernel.org/networking/vrf.html">
           Virtual Routing and Forwarding (VRF)</ulink>. Defaults to false.</para>
@@ -2903,7 +2904,7 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
           Note that if <varname>AllowList=</varname> is configured then <varname>DenyList=</varname> is
           ignored.</para>
           <para>Note that this filters only DHCP offers, so the filtering might not work when
-          <varname>RapidCommit=</varname> is enabled. See also <varname>RapidCommit=</varname> in the above.
+          <varname>RapidCommit=</varname> is enabled. See also <varname>RapidCommit=</varname> above.
           </para>
 
           <xi:include href="version-info.xml" xpointer="v246"/>
@@ -3339,7 +3340,7 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
         <term><varname>UseRedirect=</varname></term>
         <listitem>
           <para>When true (the default), Redirect message sent by the current first-hop router will be
-          accepted, and configures routes to redirected nodes will be configured.</para>
+          accepted, and routes to redirected nodes will be configured.</para>
 
           <xi:include href="version-info.xml" xpointer="v256"/>
         </listitem>
@@ -4076,7 +4077,8 @@ ServerAddress=192.168.0.1/24</programlisting>
           <para>Takes a boolean. When true, the DHCP server will load and save leases in the persistent
           storage. When false, the DHCP server will neither load nor save leases in the persistent storage.
           Hence, bound leases will be lost when the interface is reconfigured e.g. by
-          <command>networkctl reconfigure</command>, or <filename>systemd-networkd.service</filename>
+          <command>networkctl reconfigure</command>, or
+          <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
           is restarted. That may cause address conflict on the network. So, please take an extra care when
           disable this setting. When unspecified, the value specified in the same setting in
           <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
@@ -4260,7 +4262,7 @@ ServerAddress=192.168.0.1/24</programlisting>
       <varlistentry>
         <term><varname>HomeAgent=</varname></term>
 
-        <listitem><para>Takes a boolean. Specifies that IPv6 router advertisements which indicate to hosts that
+        <listitem><para>Takes a boolean. Specifies that IPv6 router advertisements indicate to hosts that
         the router acts as a Home Agent and includes a Home Agent option. Defaults to false. See
         <ulink url="https://tools.ietf.org/html/rfc6275">RFC 6275</ulink> for further details.</para>
 
@@ -4584,10 +4586,9 @@ ServerAddress=192.168.0.1/24</programlisting>
       <varlistentry>
         <term><varname>Priority=</varname></term>
         <listitem>
-          <para>Sets the "priority" of sending packets on this interface.
+          <para>Sets the "priority" of sending packets on this interface. Each port in a bridge may have a
-          Each port in a bridge may have a different priority which is used
+          different priority which is used to decide which link to use. Lower value means higher priority.
-          to decide which link to use. Lower value means higher priority.
+          It is an integer value between 0 to 63. <command>systemd-networkd</command> does not set any
-          It is an integer value between 0 to 63. Networkd does not set any
           default, meaning the kernel default value of 32 is used.</para>
 
           <xi:include href="version-info.xml" xpointer="v234"/>

man/systemd.resource-control.xml

@@ -896,7 +896,7 @@ CPUWeight=20   DisableControllers=cpu              /          \
         <listitem>
           <para>Configures restrictions on the ability of unit processes to invoke <citerefentry
           project='man-pages'><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry> on a
-          socket. Both allow and deny rules may defined that restrict which addresses a socket may be bound
+          socket. Both allow and deny rules to be defined that restrict which addresses a socket may be bound
           to.</para>
 
           <para><replaceable>bind-rule</replaceable> describes socket properties such as <replaceable>address-family</replaceable>,
@@ -1673,7 +1673,8 @@ DeviceAllow=/dev/loop-control
         <para>When <command>systemd-coredump</command> is handling a coredump for a process from a container,
         if the container's leader process is a descendant of a cgroup with <varname>CoredumpReceive=yes</varname>
         and <varname>Delegate=yes</varname>, then <command>systemd-coredump</command> will attempt to forward
-        the coredump to <command>systemd-coredump</command> within the container.</para>
+        the coredump to <command>systemd-coredump</command> within the container. See also
+        <citerefentry><refentrytitle>systemd-coredump</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
 
         <xi:include href="version-info.xml" xpointer="v255"/></listitem>
       </varlistentry>

man/systemd.service.xml

@@ -1437,7 +1437,7 @@
     <para>The command line accepts <literal>%</literal> specifiers as described in
     <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
 
-    <para>An argument solely consisting of <literal>;</literal> must be escaped, i.e. specified as <literal>\;</literal></para>
+    <para>An argument solely consisting of <literal>;</literal> must be escaped, i.e. specified as <literal>\;</literal>.</para>
 
     <para>Basic environment variable substitution is supported. Use
     <literal>${FOO}</literal> as part of a word, or as a word of its

man/systemd.time.xml

@@ -120,9 +120,8 @@
     <para>The timezone defaults to the current timezone if not specified explicitly.
     It may be given after a space, like above, in which case it can be:
     <literal>UTC</literal>,
-    an entry in the installed IANA timezone database (<literal>CET</literal>, <literal>Asia/Tokyo</literal>, &amp;c.;
+    an entry in the installed IANA timezone database (e.g. <literal>CET</literal>, <literal>Asia/Tokyo</literal>,
-    complete list obtainable with <literal>timedatectl
+    where the complete list can be obtained with <command>timedatectl list-timezones</command> (see
-    list-timezones</literal> (see
     <citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>)),
     or <literal>±<replaceable>05</replaceable></literal>,
     <literal>±<replaceable>05</replaceable><replaceable>30</replaceable></literal>,

man/systemd.xml

@@ -1238,9 +1238,9 @@
       </itemizedlist>
 
       <para>Signals sent to PID 1 before this message is sent might not be handled correctly yet. A consumer
-      of these messages should parse the value as an unsigned integer indication the level of support. For
+      of these messages should parse the value as an unsigned integer that indicates the level of support.
-      now only the mentioned level 2 is defined, but later on additional levels might be defined with higher
+      For now only the mentioned level 2 is defined, but later on additional levels might be defined with
-      integers, that will implement a superset of the currently defined behaviour.</para>
+      higher integers, that will implement a superset of the currently defined behaviour.</para>
 
       <xi:include href="version-info.xml" xpointer="v256"/></listitem>
 
@@ -1389,8 +1389,8 @@
           <term><option>--crash-action=</option></term>
 
           <listitem><para>Specify what to do when the system manager (PID 1) crashes. This switch has no
-          effect when systemd is running as user instance. See <varname>systemd.crash_action=</varname>
+          effect when <command>systemd</command> is running as user instance. See
-          above.</para>
+          <varname>systemd.crash_action=</varname> above.</para>
 
           <xi:include href="version-info.xml" xpointer="v256"/></listitem>
         </varlistentry>

man/ukify.xml

@@ -220,7 +220,8 @@
           <para>For the <command>inspect</command> verb, the second syntax is used.
           The section <replaceable>NAME</replaceable> will be inspected (if found).
           If the second argument is <literal>text</literal>, the contents will be printed.
-          If the third argument is given, the contents will be saved to file <replaceable>PATH</replaceable>.
+          If the third argument is given, the contents will be saved to the file named
+          <replaceable>PATH</replaceable>.
           </para>
 
           <para>Note that the name is used as-is, and if the section name should start with a dot, it must be
@@ -393,9 +394,9 @@
           <listitem><para>SBAT metadata associated with the UKI or addon. SBAT policies are useful to revoke
           whole groups of UKIs or addons with a single, static policy update that does not take space in
           DBX/MOKX. If not specified manually, a default metadata entry consisting of
-          <literal>uki,1,UKI,uki,1,https://uapi-group.org/specifications/specs/unified_kernel_image/</literal>
+          <programlisting>uki,1,UKI,uki,1,https://uapi-group.org/specifications/specs/unified_kernel_image/</programlisting>
           for UKIs and
-          <literal>uki-addon,1,UKI Addon,addon,1,https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html</literal>
+          <programlisting>uki-addon,1,UKI Addon,addon,1,https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html</programlisting>
           for addons will be used, to ensure it is always possible to revoke them. For more information on
           SBAT see <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim documentation</ulink>.
           </para>

man/user@.service.xml

@@ -52,7 +52,7 @@
     <para>User processes may be started by the <filename>user@.service</filename> instance, in which
     case they will be part of that unit in the system hierarchy. They may also be started elsewhere,
     for example by
-    <citerefentry project='die-net'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> or a
+    <citerefentry project='man-pages'><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> or a
     display manager like <command>gdm</command>, in which case they form a .scope unit (see
     <citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
     Both <filename>user@<replaceable>UID</replaceable>.service</filename> and the scope units are
@@ -145,7 +145,7 @@ Control group /:
 …</programlisting>
       <para>User with UID 1000 is logged in using <command>gdm</command> (<filename
       index="false">session-4.scope</filename>) and
-      <citerefentry project='die-net'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+      <citerefentry project='man-pages'><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>
       (<filename index="false">session-19.scope</filename>), and also has a user manager instance
       running (<filename index="false">user@1000.service</filename>).  User with UID 1001 is logged
       in using <command>ssh</command> (<filename index="false">session-20.scope</filename>) and

man/userdbctl.xml

@@ -416,7 +416,7 @@
     <para>The <command>userdbctl</command> tool may be used to make the list of SSH authorized keys possibly
     contained in a user record available to the SSH daemon for authentication. For that configure the
     following in <citerefentry
-    project='die-net'><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>:</para>
+    project='man-pages'><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>:</para>
 
     <programlisting>…
 AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u

mkosi.clangd

@@ -1,12 +1,18 @@
 #!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
-MKOSI_CONFIG="$(mkosi --json summary | jq -r .Images[-1])"
+if command -v flatpak-spawn >/dev/null; then
+    SPAWN=(flatpak-spawn --host)
+else
+    SPAWN=()
+fi
+
+MKOSI_CONFIG="$("${SPAWN[@]}" --host mkosi --json summary | jq -r .Images[-1])"
 DISTRIBUTION="$(jq -r .Distribution <<< "$MKOSI_CONFIG")"
 RELEASE="$(jq -r .Release <<< "$MKOSI_CONFIG")"
 ARCH="$(jq -r .Architecture <<< "$MKOSI_CONFIG")"
 
-exec mkosi \
+exec "${SPAWN[@]}" mkosi \
     --incremental=strict \
     --build-sources-ephemeral=no \
     --format=none \

mkosi.conf

@@ -38,9 +38,8 @@ SignExpectedPcr=yes
 
 [Content]
 ExtraTrees=
+        mkosi.extra.common
         mkosi.crt:/usr/lib/verity.d/mkosi.crt # sysext verification key
-        mkosi.leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions
-        mkosi.coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf
         %O/minimal-0.root-%a.raw:/usr/share/minimal_0.raw
         %O/minimal-0.root-%a-verity.raw:/usr/share/minimal_0.verity
         %O/minimal-0.root-%a-verity-sig.raw:/usr/share/minimal_0.verity.sig

mkosi.conf.d/05-tools/mkosi.conf.d/arch.conf

@@ -6,10 +6,12 @@ ToolsTreeDistribution=arch
 [Build]
 ToolsTreePackages=
         cryptsetup
+        github-cli
         libcap
         libmicrohttpd
         python-jinja
         python-pytest
         ruff
+        shellcheck
         tpm2-tss
         util-linux-libs

mkosi.conf.d/05-tools/mkosi.conf.d/centos-fedora.conf

@@ -16,3 +16,4 @@ ToolsTreePackages=
         tpm2-tss-devel
         python3-jinja2
         python3-pytest
+        shellcheck

mkosi.conf.d/05-tools/mkosi.conf.d/debian-ubuntu.conf

@@ -6,6 +6,7 @@ ToolsTreeDistribution=|ubuntu
 
 [Build]
 ToolsTreePackages=
+        gh
         libblkid-dev
         libcap-dev
         libcryptsetup-dev
@@ -16,3 +17,4 @@ ToolsTreePackages=
         libtss2-dev
         python3-jinja2
         python3-pytest
+        shellcheck

mkosi.conf.d/05-tools/mkosi.conf.d/fedora.conf

@@ -5,4 +5,5 @@ ToolsTreeDistribution=fedora
 
 [Build]
 ToolsTreePackages=
+        gh
         ruff

mkosi.conf.d/05-tools/mkosi.conf.d/opensuse.conf

@@ -5,6 +5,7 @@ ToolsTreeDistribution=opensuse
 
 [Build]
 ToolsTreePackages=
+        gh
         pkgconfig(blkid)
         pkgconfig(libcap)
         pkgconfig(libcryptsetup)
@@ -16,3 +17,4 @@ ToolsTreePackages=
         tss2-devel
         python3-jinja2
         python3-pytest
+        ShellCheck

mkosi.images/build/mkosi.conf.d/centos-fedora/mkosi.conf

@@ -13,6 +13,7 @@ Environment=
 
 [Content]
 Packages=
+        clang-devel
         compiler-rt
         gdb
         git-core

mkosi.images/build/mkosi.conf.d/debian-ubuntu/mkosi.conf

@@ -15,6 +15,7 @@ Environment=
 [Content]
 Packages=
         apt
+        clangd
         erofs-utils
         git-core
         libclang-rt-dev

mkosi.images/build/mkosi.conf.d/opensuse/mkosi.conf

@@ -12,6 +12,7 @@ Environment=
 
 [Content]
 Packages=
+        clang
         diffutils
         erofs-utils
         gcc-c++

mkosi.images/initrd/mkosi.conf

@@ -6,9 +6,7 @@ Include=
         %D/mkosi.sanitizers
 
 [Content]
-ExtraTrees=
+ExtraTrees=%D/mkosi.extra.common
-        %D/mkosi.leak-sanitizer-suppressions:/usr/lib/systemd/leak-sanitizer-suppressions
-        %D/mkosi.coredump-journal-storage.conf:/usr/lib/systemd/coredump.conf.d/10-coredump-journal-storage.conf
 
 Packages=
         findutils

mkosi.sanitizers/mkosi.postinst

@@ -57,6 +57,8 @@ wrap=(
     delv
     dhcpd
     dig
+    dnf
+    dnf5
     dmsetup
     dnsmasq
     findmnt
@@ -93,7 +95,7 @@ wrap=(
 )
 
 for bin in "${wrap[@]}"; do
-    if ! mkosi-chroot command -v "$bin" >/dev/null; then
+    if ! mkosi-chroot bash -c "command -v $bin" >/dev/null; then
         continue
     fi
 
@@ -103,7 +105,7 @@ for bin in "${wrap[@]}"; do
         enable_lsan=0
     fi
 
-    target="$(mkosi-chroot command -v "$bin")"
+    target="$(mkosi-chroot bash -c "command -v $bin")"
 
     mv "$BUILDROOT/$target" "$BUILDROOT/$target.orig"
 

po/fr.po

@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-11-20 19:13+0000\n"
+"PO-Revision-Date: 2024-11-23 10:38+0000\n"
 "Last-Translator: Léane GRASSER <leane.grasser@proton.me>\n"
 "Language-Team: French <https://translate.fedoraproject.org/projects/systemd/"
 "main/fr/>\n"
@@ -1258,7 +1258,7 @@ msgstr ""
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr "Gérer les fonctionnalités en option"
+msgstr "Gérer les fonctionnalités facultatives"
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
 msgid "Authentication is required to manage optional features"

src/basic/fileio.c

@@ -289,7 +289,8 @@ int write_string_file_full(
                 const char *fn,
                 const char *line,
                 WriteStringFileFlags flags,
-                const struct timespec *ts) {
+                const struct timespec *ts,
+                const char *label_fn) {
 
         bool call_label_ops_post = false, made_file = false;
         _cleanup_fclose_ FILE *f = NULL;
@@ -321,7 +322,8 @@ int write_string_file_full(
         mode_t mode = write_string_file_flags_to_mode(flags);
 
         if (FLAGS_SET(flags, WRITE_STRING_FILE_LABEL|WRITE_STRING_FILE_CREATE)) {
-                r = label_ops_pre(dir_fd, fn, mode);
+                const char *lookup = label_fn ? label_fn : fn;
+                r = label_ops_pre(dir_fd, lookup, mode);
                 if (r < 0)
                         goto fail;
 

src/basic/fileio.h

@@ -51,12 +51,13 @@ int write_string_stream_full(FILE *f, const char *line, WriteStringFileFlags fla
 static inline int write_string_stream(FILE *f, const char *line, WriteStringFileFlags flags) {
         return write_string_stream_full(f, line, flags, /* ts= */ NULL);
 }
-int write_string_file_full(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags, const struct timespec *ts);
+
+int write_string_file_full(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags, const struct timespec *ts, const char *label_fn);
 static inline int write_string_file(const char *fn, const char *line, WriteStringFileFlags flags) {
-        return write_string_file_full(AT_FDCWD, fn, line, flags, /* ts= */ NULL);
+        return write_string_file_full(AT_FDCWD, fn, line, flags, /* ts= */ NULL, /*label_fn=*/ NULL);
 }
 static inline int write_string_file_at(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags) {
-        return write_string_file_full(dir_fd, fn, line, flags, /* ts= */ NULL);
+        return write_string_file_full(dir_fd, fn, line, flags, /* ts= */ NULL, /*label_fn=*/ NULL);
 }
 int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *format, ...) _printf_(3, 4);
 

src/basic/linux/auto_fs.h

@@ -21,7 +21,7 @@
 #define AUTOFS_MIN_PROTO_VERSION	3
 #define AUTOFS_MAX_PROTO_VERSION	5
 
-#define AUTOFS_PROTO_SUBVERSION		5
+#define AUTOFS_PROTO_SUBVERSION		6
 
 /*
  * The wait_queue_token (autofs_wqt_t) is part of a structure which is passed

src/basic/linux/bpf.h

@@ -1121,6 +1121,9 @@ enum bpf_attach_type {
 
 #define MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE
 
+/* Add BPF_LINK_TYPE(type, name) in bpf_types.h to keep bpf_link_type_strs[]
+ * in sync with the definitions below.
+ */
 enum bpf_link_type {
 	BPF_LINK_TYPE_UNSPEC = 0,
 	BPF_LINK_TYPE_RAW_TRACEPOINT = 1,
@@ -2851,7 +2854,7 @@ union bpf_attr {
  * 		  **TCP_SYNCNT**, **TCP_USER_TIMEOUT**, **TCP_NOTSENT_LOWAT**,
  * 		  **TCP_NODELAY**, **TCP_MAXSEG**, **TCP_WINDOW_CLAMP**,
  * 		  **TCP_THIN_LINEAR_TIMEOUTS**, **TCP_BPF_DELACK_MAX**,
- * 		  **TCP_BPF_RTO_MIN**.
+ *		  **TCP_BPF_RTO_MIN**, **TCP_BPF_SOCK_OPS_CB_FLAGS**.
  * 		* **IPPROTO_IP**, which supports *optname* **IP_TOS**.
  * 		* **IPPROTO_IPV6**, which supports the following *optname*\ s:
  * 		  **IPV6_TCLASS**, **IPV6_AUTOFLOWLABEL**.
@@ -5519,11 +5522,12 @@ union bpf_attr {
  *		**-EOPNOTSUPP** if the hash calculation failed or **-EINVAL** if
  *		invalid arguments are passed.
  *
- * void *bpf_kptr_xchg(void *map_value, void *ptr)
+ * void *bpf_kptr_xchg(void *dst, void *ptr)
  *	Description
- *		Exchange kptr at pointer *map_value* with *ptr*, and return the
+ *		Exchange kptr at pointer *dst* with *ptr*, and return the old value.
- *		old value. *ptr* can be NULL, otherwise it must be a referenced
+ *		*dst* can be map value or local kptr. *ptr* can be NULL, otherwise
- *		pointer which will be released when this helper is called.
+ *		it must be a referenced pointer which will be released when this helper
+ *		is called.
  *	Return
  *		The old value of kptr (which can be NULL). The returned pointer
  *		if not NULL, is a reference which must be released using its
@@ -6046,11 +6050,6 @@ enum {
 	BPF_F_MARK_ENFORCE		= (1ULL << 6),
 };
 
-/* BPF_FUNC_clone_redirect and BPF_FUNC_redirect flags. */
-enum {
-	BPF_F_INGRESS			= (1ULL << 0),
-};
-
 /* BPF_FUNC_skb_set_tunnel_key and BPF_FUNC_skb_get_tunnel_key flags. */
 enum {
 	BPF_F_TUNINFO_IPV6		= (1ULL << 0),
@@ -6197,10 +6196,12 @@ enum {
 	BPF_F_BPRM_SECUREEXEC	= (1ULL << 0),
 };
 
-/* Flags for bpf_redirect_map helper */
+/* Flags for bpf_redirect and bpf_redirect_map helpers */
 enum {
-	BPF_F_BROADCAST		= (1ULL << 3),
+	BPF_F_INGRESS		= (1ULL << 0), /* used for skb path */
-	BPF_F_EXCLUDE_INGRESS	= (1ULL << 4),
+	BPF_F_BROADCAST		= (1ULL << 3), /* used for XDP path */
+	BPF_F_EXCLUDE_INGRESS	= (1ULL << 4), /* used for XDP path */
+#define BPF_F_REDIRECT_FLAGS (BPF_F_INGRESS | BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS)
 };
 
 #define __bpf_md_ptr(type, name)	\
@@ -7080,6 +7081,7 @@ enum {
 	TCP_BPF_SYN		= 1005, /* Copy the TCP header */
 	TCP_BPF_SYN_IP		= 1006, /* Copy the IP[46] and TCP header */
 	TCP_BPF_SYN_MAC         = 1007, /* Copy the MAC, IP[46], and TCP header */
+	TCP_BPF_SOCK_OPS_CB_FLAGS = 1008, /* Get or Set TCP sock ops flags */
 };
 
 enum {
@@ -7512,4 +7514,13 @@ struct bpf_iter_num {
 	__u64 __opaque[1];
 } __attribute__((aligned(8)));
 
+/*
+ * Flags to control BPF kfunc behaviour.
+ *     - BPF_F_PAD_ZEROS: Pad destination buffer with zeros. (See the respective
+ *       helper documentation for details.)
+ */
+enum bpf_kfunc_flags {
+	BPF_F_PAD_ZEROS = (1ULL << 0),
+};
+
 #endif /* __LINUX_BPF_H__ */

src/basic/linux/const.h

@@ -28,6 +28,23 @@
 #define _BITUL(x)	(_UL(1) << (x))
 #define _BITULL(x)	(_ULL(1) << (x))
 
+#if !defined(__ASSEMBLY__)
+/*
+ * Missing __asm__ support
+ *
+ * __BIT128() would not work in the __asm__ code, as it shifts an
+ * 'unsigned __init128' data type as direct representation of
+ * 128 bit constants is not supported in the gcc compiler, as
+ * they get silently truncated.
+ *
+ * TODO: Please revisit this implementation when gcc compiler
+ * starts representing 128 bit constants directly like long
+ * and unsigned long etc. Subsequently drop the comment for
+ * GENMASK_U128() which would then start supporting __asm__ code.
+ */
+#define _BIT128(x)	((unsigned __int128)(1) << (x))
+#endif
+
 #define __ALIGN_KERNEL(x, a)		__ALIGN_KERNEL_MASK(x, (__typeof__(x))(a) - 1)
 #define __ALIGN_KERNEL_MASK(x, mask)	(((x) + (mask)) & ~(mask))
 

src/basic/linux/ethtool.h

@@ -2531,4 +2531,20 @@ struct ethtool_link_settings {
 	 * __u32 map_lp_advertising[link_mode_masks_nwords];
 	 */
 };
+
+/**
+ * enum phy_upstream - Represents the upstream component a given PHY device
+ * is connected to, as in what is on the other end of the MII bus. Most PHYs
+ * will be attached to an Ethernet MAC controller, but in some cases, there's
+ * an intermediate PHY used as a media-converter, which will driver another
+ * MII interface as its output.
+ * @PHY_UPSTREAM_MAC: Upstream component is a MAC (a switch port,
+ *		      or ethernet controller)
+ * @PHY_UPSTREAM_PHY: Upstream component is a PHY (likely a media converter)
+ */
+enum phy_upstream {
+	PHY_UPSTREAM_MAC,
+	PHY_UPSTREAM_PHY,
+};
+
 #endif /* _LINUX_ETHTOOL_H */

src/basic/linux/fib_rules.h

@@ -67,6 +67,7 @@ enum {
 	FRA_IP_PROTO,	/* ip proto */
 	FRA_SPORT_RANGE, /* sport */
 	FRA_DPORT_RANGE, /* dport */
+	FRA_DSCP,	/* dscp */
 	__FRA_MAX
 };
 

src/basic/linux/if_packet.h

@@ -230,8 +230,8 @@ struct tpacket_hdr_v1 {
 	 * ts_first_pkt:
 	 *		Is always the time-stamp when the block was opened.
 	 *		Case a)	ZERO packets
-	 *			No packets to deal with but atleast you know the
+	 *			No packets to deal with but at least you know
-	 *			time-interval of this block.
+	 *			the time-interval of this block.
 	 *		Case b) Non-zero packets
 	 *			Use the ts of the first packet in the block.
 	 *
@@ -265,7 +265,8 @@ enum tpacket_versions {
    - struct tpacket_hdr
    - pad to TPACKET_ALIGNMENT=16
    - struct sockaddr_ll
-   - Gap, chosen so that packet data (Start+tp_net) alignes to TPACKET_ALIGNMENT=16
+   - Gap, chosen so that packet data (Start+tp_net) aligns to
+     TPACKET_ALIGNMENT=16
    - Start+tp_mac: [ Optional MAC header ]
    - Start+tp_net: Packet data, aligned to TPACKET_ALIGNMENT=16.
    - Pad to align to TPACKET_ALIGNMENT=16

src/basic/linux/in.h

@@ -141,7 +141,7 @@ struct in_addr {
  */
 #define IP_PMTUDISC_INTERFACE		4
 /* weaker version of IP_PMTUDISC_INTERFACE, which allows packets to get
- * fragmented if they exeed the interface mtu
+ * fragmented if they exceed the interface mtu
  */
 #define IP_PMTUDISC_OMIT		5
 

src/basic/linux/libc-compat.h

@@ -140,25 +140,6 @@
 
 #endif /* _NETINET_IN_H */
 
-/* Coordinate with glibc netipx/ipx.h header. */
-#if defined(__NETIPX_IPX_H)
-
-#define __UAPI_DEF_SOCKADDR_IPX			0
-#define __UAPI_DEF_IPX_ROUTE_DEFINITION		0
-#define __UAPI_DEF_IPX_INTERFACE_DEFINITION	0
-#define __UAPI_DEF_IPX_CONFIG_DATA		0
-#define __UAPI_DEF_IPX_ROUTE_DEF		0
-
-#else /* defined(__NETIPX_IPX_H) */
-
-#define __UAPI_DEF_SOCKADDR_IPX			1
-#define __UAPI_DEF_IPX_ROUTE_DEFINITION		1
-#define __UAPI_DEF_IPX_INTERFACE_DEFINITION	1
-#define __UAPI_DEF_IPX_CONFIG_DATA		1
-#define __UAPI_DEF_IPX_ROUTE_DEF		1
-
-#endif /* defined(__NETIPX_IPX_H) */
-
 /* Definitions for xattr.h */
 #if defined(_SYS_XATTR_H)
 #define __UAPI_DEF_XATTR		0
@@ -240,23 +221,6 @@
 #define __UAPI_DEF_IP6_MTUINFO		1
 #endif
 
-/* Definitions for ipx.h */
-#ifndef __UAPI_DEF_SOCKADDR_IPX
-#define __UAPI_DEF_SOCKADDR_IPX			1
-#endif
-#ifndef __UAPI_DEF_IPX_ROUTE_DEFINITION
-#define __UAPI_DEF_IPX_ROUTE_DEFINITION		1
-#endif
-#ifndef __UAPI_DEF_IPX_INTERFACE_DEFINITION
-#define __UAPI_DEF_IPX_INTERFACE_DEFINITION	1
-#endif
-#ifndef __UAPI_DEF_IPX_CONFIG_DATA
-#define __UAPI_DEF_IPX_CONFIG_DATA		1
-#endif
-#ifndef __UAPI_DEF_IPX_ROUTE_DEF
-#define __UAPI_DEF_IPX_ROUTE_DEF		1
-#endif
-
 /* Definitions for xattr.h */
 #ifndef __UAPI_DEF_XATTR
 #define __UAPI_DEF_XATTR		1

src/basic/linux/netfilter/nf_tables.h

@@ -436,7 +436,7 @@ enum nft_set_elem_flags {
  * @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
  * @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
  * @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
- * @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64)
+ * @NFTA_SET_ELEM_TIMEOUT: timeout value, zero means never times out (NLA_U64)
  * @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
  * @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
  * @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
@@ -1694,7 +1694,7 @@ enum nft_flowtable_flags {
  *
  * @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING)
  * @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING)
- * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
+ * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration (NLA_NESTED)
  * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
  * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
  * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)

src/basic/linux/nexthop.h

@@ -16,10 +16,15 @@ struct nhmsg {
 struct nexthop_grp {
 	__u32	id;	  /* nexthop id - must exist */
 	__u8	weight;   /* weight of this nexthop */
-	__u8	resvd1;
+	__u8	weight_high;	/* high order bits of weight */
 	__u16	resvd2;
 };
 
+static __inline__ __u16 nexthop_grp_weight(const struct nexthop_grp *entry)
+{
+	return ((entry->weight_high << 8) | entry->weight) + 1;
+}
+
 enum {
 	NEXTHOP_GRP_TYPE_MPATH,  /* hash-threshold nexthop group
 				  * default type if not specified
@@ -33,6 +38,9 @@ enum {
 #define NHA_OP_FLAG_DUMP_STATS		BIT(0)
 #define NHA_OP_FLAG_DUMP_HW_STATS	BIT(1)
 
+/* Response OP_FLAGS. */
+#define NHA_OP_FLAG_RESP_GRP_RESVD_0	BIT(31)	/* Dump clears resvd fields. */
+
 enum {
 	NHA_UNSPEC,
 	NHA_ID,		/* u32; id for nexthop. id == 0 means auto-assign */

src/basic/missing_namespace.h

@@ -0,0 +1,12 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+/* Root namespace inode numbers, as per include/linux/proc_ns.h in the kernel source tree, since v3.8:
+ * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=98f842e675f96ffac96e6c50315790912b2812be */
+
+#define PROC_IPC_INIT_INO    ((ino_t) UINT32_C(0xEFFFFFFF))
+#define PROC_UTS_INIT_INO    ((ino_t) UINT32_C(0xEFFFFFFE))
+#define PROC_USER_INIT_INO   ((ino_t) UINT32_C(0xEFFFFFFD))
+#define PROC_PID_INIT_INO    ((ino_t) UINT32_C(0xEFFFFFFC))
+#define PROC_CGROUP_INIT_INO ((ino_t) UINT32_C(0xEFFFFFFB))
+#define PROC_TIME_INIT_INO   ((ino_t) UINT32_C(0xEFFFFFFA))

src/basic/namespace-util.c

@@ -12,6 +12,7 @@
 #include "fileio.h"
 #include "missing_fs.h"
 #include "missing_magic.h"
+#include "missing_namespace.h"
 #include "missing_sched.h"
 #include "missing_syscall.h"
 #include "mountpoint-util.h"
@@ -23,17 +24,17 @@
 #include "user-util.h"
 
 const struct namespace_info namespace_info[_NAMESPACE_TYPE_MAX + 1] = {
-        [NAMESPACE_CGROUP] =  { "cgroup", "ns/cgroup", CLONE_NEWCGROUP,                          },
+        [NAMESPACE_CGROUP] =  { "cgroup", "ns/cgroup", CLONE_NEWCGROUP, PROC_CGROUP_INIT_INO     },
-        [NAMESPACE_IPC]    =  { "ipc",    "ns/ipc",    CLONE_NEWIPC,                             },
+        [NAMESPACE_IPC]    =  { "ipc",    "ns/ipc",    CLONE_NEWIPC,    PROC_IPC_INIT_INO        },
-        [NAMESPACE_NET]    =  { "net",    "ns/net",    CLONE_NEWNET,                             },
+        [NAMESPACE_NET]    =  { "net",    "ns/net",    CLONE_NEWNET,    0                        },
         /* So, the mount namespace flag is called CLONE_NEWNS for historical
          * reasons. Let's expose it here under a more explanatory name: "mnt".
          * This is in-line with how the kernel exposes namespaces in /proc/$PID/ns. */
-        [NAMESPACE_MOUNT]  =  { "mnt",    "ns/mnt",    CLONE_NEWNS,                              },
+        [NAMESPACE_MOUNT]  =  { "mnt",    "ns/mnt",    CLONE_NEWNS,     0                        },
-        [NAMESPACE_PID]    =  { "pid",    "ns/pid",    CLONE_NEWPID,                             },
+        [NAMESPACE_PID]    =  { "pid",    "ns/pid",    CLONE_NEWPID,    PROC_PID_INIT_INO        },
-        [NAMESPACE_USER]   =  { "user",   "ns/user",   CLONE_NEWUSER,                            },
+        [NAMESPACE_USER]   =  { "user",   "ns/user",   CLONE_NEWUSER,   PROC_USER_INIT_INO       },
-        [NAMESPACE_UTS]    =  { "uts",    "ns/uts",    CLONE_NEWUTS,                             },
+        [NAMESPACE_UTS]    =  { "uts",    "ns/uts",    CLONE_NEWUTS,    PROC_UTS_INIT_INO        },
-        [NAMESPACE_TIME]   =  { "time",   "ns/time",   CLONE_NEWTIME,                            },
+        [NAMESPACE_TIME]   =  { "time",   "ns/time",   CLONE_NEWTIME,   PROC_TIME_INIT_INO       },
         { /* Allow callers to iterate over the array without using _NAMESPACE_TYPE_MAX. */       },
 };
 
@@ -479,6 +480,28 @@ int namespace_open_by_type(NamespaceType type) {
         return fd;
 }
 
+int namespace_is_init(NamespaceType type) {
+        int r;
+
+        assert(type >= 0);
+        assert(type <= _NAMESPACE_TYPE_MAX);
+
+        if (namespace_info[type].root_inode == 0)
+                return -EBADR; /* Cannot answer this question */
+
+        const char *p = pid_namespace_path(0, type);
+
+        struct stat st;
+        r = RET_NERRNO(stat(p, &st));
+        if (r == -ENOENT)
+                /* If the /proc/ns/<type> API is not around in /proc/ then ns is off in the kernel and we are in the init ns */
+                return proc_mounted() == 0 ? -ENOSYS : true;
+        if (r < 0)
+                return r;
+
+        return st.st_ino == namespace_info[type].root_inode;
+}
+
 int is_our_namespace(int fd, NamespaceType request_type) {
         int clone_flag;
 
@@ -531,20 +554,24 @@ int is_idmapping_supported(const char *path) {
         userns_fd = userns_acquire(uid_map, gid_map);
         if (ERRNO_IS_NEG_NOT_SUPPORTED(userns_fd) || ERRNO_IS_NEG_PRIVILEGE(userns_fd))
                 return false;
+        if (userns_fd == -ENOSPC) {
+                log_debug_errno(userns_fd, "Failed to acquire new user namespace, user.max_user_namespaces seems to be exhausted or maybe even zero, assuming ID-mapping is not supported: %m");
+                return false;
+        }
         if (userns_fd < 0)
-                return log_debug_errno(userns_fd, "ID-mapping supported namespace acquire failed for '%s' : %m", path);
+                return log_debug_errno(userns_fd, "Failed to acquire new user namespace for checking if '%s' supports ID-mapping: %m", path);
 
         dir_fd = RET_NERRNO(open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW));
         if (ERRNO_IS_NEG_NOT_SUPPORTED(dir_fd))
                 return false;
         if (dir_fd < 0)
-                return log_debug_errno(dir_fd, "ID-mapping supported open failed for '%s' : %m", path);
+                return log_debug_errno(dir_fd, "Failed to open '%s', cannot determine if ID-mapping is supported: %m", path);
 
         mount_fd = RET_NERRNO(open_tree(dir_fd, "", AT_EMPTY_PATH | OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC));
         if (ERRNO_IS_NEG_NOT_SUPPORTED(mount_fd) || ERRNO_IS_NEG_PRIVILEGE(mount_fd) || mount_fd == -EINVAL)
                 return false;
         if (mount_fd < 0)
-                return log_debug_errno(mount_fd, "ID-mapping supported open_tree failed for '%s' : %m", path);
+                return log_debug_errno(mount_fd, "Failed to open mount tree '%s', cannot determine if ID-mapping is supported: %m", path);
 
         r = RET_NERRNO(mount_setattr(mount_fd, "", AT_EMPTY_PATH,
                        &(struct mount_attr) {
@@ -554,7 +581,7 @@ int is_idmapping_supported(const char *path) {
         if (ERRNO_IS_NEG_NOT_SUPPORTED(r) || ERRNO_IS_NEG_PRIVILEGE(r) || r == -EINVAL)
                 return false;
         if (r < 0)
-                return log_debug_errno(r, "ID-mapping supported setattr failed for '%s' : %m", path);
+                return log_debug_errno(r, "Failed to set mount attribute to '%s', cannot determine if ID-mapping is supported: %m", path);
 
         return true;
 }

src/basic/namespace-util.h

@@ -24,6 +24,7 @@ extern const struct namespace_info {
         const char *proc_name;
         const char *proc_path;
         unsigned int clone_flag;
+        ino_t root_inode;
 } namespace_info[_NAMESPACE_TYPE_MAX + 1];
 
 int pidref_namespace_open(
@@ -74,6 +75,8 @@ int parse_userns_uid_range(const char *s, uid_t *ret_uid_shift, uid_t *ret_uid_r
 
 int namespace_open_by_type(NamespaceType type);
 
+int namespace_is_init(NamespaceType type);
+
 int is_our_namespace(int fd, NamespaceType type);
 
 int is_idmapping_supported(const char *path);

src/basic/virt.c

@@ -585,6 +585,14 @@ static int running_in_cgroupns(void) {
         if (!cg_ns_supported())
                 return false;
 
+        r = namespace_is_init(NAMESPACE_CGROUP);
+        if (r < 0)
+                log_debug_errno(r, "Failed to test if in root cgroup namespace, ignoring: %m");
+        else if (r > 0)
+                return false;
+
+        // FIXME: We really should drop the heuristics below.
+
         r = cg_all_unified();
         if (r < 0)
                 return r;
@@ -645,6 +653,16 @@ static int running_in_cgroupns(void) {
         }
 }
 
+static int running_in_pidns(void) {
+        int r;
+
+        r = namespace_is_init(NAMESPACE_PID);
+        if (r < 0)
+                return log_debug_errno(r, "Failed to test if in root PID namespace, ignoring: %m");
+
+        return !r;
+}
+
 static Virtualization detect_container_files(void) {
         static const struct {
                 const char *file_path;
@@ -790,12 +808,21 @@ check_files:
 
         r = running_in_cgroupns();
         if (r > 0) {
+                log_debug("Running in a cgroup namespace, assuming unknown container manager.");
                 v = VIRTUALIZATION_CONTAINER_OTHER;
                 goto finish;
         }
         if (r < 0)
                 log_debug_errno(r, "Failed to detect cgroup namespace: %m");
 
+        /* Finally, the root pid namespace has an hardcoded inode number of 0xEFFFFFFC since kernel 3.8, so
+         * if all else fails we can check the inode number of our pid namespace and compare it. */
+        if (running_in_pidns() > 0) {
+                log_debug("Running in a pid namespace, assuming unknown container manager.");
+                v = VIRTUALIZATION_CONTAINER_OTHER;
+                goto finish;
+        }
+
         /* If none of that worked, give up, assume no container manager. */
         v = VIRTUALIZATION_NONE;
         goto finish;
@@ -863,6 +890,14 @@ int running_in_userns(void) {
         _cleanup_free_ char *line = NULL;
         int r;
 
+        r = namespace_is_init(NAMESPACE_USER);
+        if (r < 0)
+                log_debug_errno(r, "Failed to test if in root user namespace, ignoring: %m");
+        else if (r > 0)
+                return false;
+
+        // FIXME: We really should drop the heuristics below.
+
         r = userns_has_mapping("/proc/self/uid_map");
         if (r != 0)
                 return r;

src/core/device.c

@@ -1048,9 +1048,6 @@ static void device_enumerate(Manager *m) {
                 _cleanup_set_free_ Set *ready_units = NULL, *not_ready_units = NULL;
                 Device *d;
 
-                if (device_is_processed(dev) <= 0)
-                        continue;
-
                 if (device_setup_units(m, dev, &ready_units, &not_ready_units) < 0)
                         continue;
 

src/cryptsetup/cryptsetup-pkcs11.c

@@ -16,6 +16,7 @@
 #include "fileio.h"
 #include "format-util.h"
 #include "hexdecoct.h"
+#include "iovec-util.h"
 #include "macro.h"
 #include "memory-util.h"
 #include "parse-util.h"
@@ -31,8 +32,7 @@ int decrypt_pkcs11_key(
                 const char *key_file,         /* We either expect key_file and associated parameters to be set (for file keys) … */
                 size_t key_file_size,
                 uint64_t key_file_offset,
-                const void *key_data,         /* … or key_data and key_data_size (for literal keys) */
+                const struct iovec *key_data, /* … or literal keys via key_data */
-                size_t key_data_size,
                 usec_t until,
                 AskPasswordFlags askpw_flags,
                 void **ret_decrypted_key,
@@ -47,15 +47,15 @@ int decrypt_pkcs11_key(
 
         assert(friendly_name);
         assert(pkcs11_uri);
-        assert(key_file || key_data);
+        assert(key_file || iovec_is_set(key_data));
         assert(ret_decrypted_key);
         assert(ret_decrypted_key_size);
 
         /* The functions called here log about all errors, except for EAGAIN which means "token not found right now" */
 
-        if (key_data) {
+        if (iovec_is_set(key_data)) {
-                data.encrypted_key = (void*) key_data;
+                data.encrypted_key = (void*) key_data->iov_base;
-                data.encrypted_key_size = key_data_size;
+                data.encrypted_key_size = key_data->iov_len;
 
                 data.free_encrypted_key = false;
         } else {

src/cryptsetup/cryptsetup-pkcs11.h

@@ -16,8 +16,7 @@ int decrypt_pkcs11_key(
                 const char *key_file,
                 size_t key_file_size,
                 uint64_t key_file_offset,
-                const void *key_data,
+                const struct iovec *key_data,
-                size_t key_data_size,
                 usec_t until,
                 AskPasswordFlags askpw_flags,
                 void **ret_decrypted_key,
@@ -39,8 +38,7 @@ static inline int decrypt_pkcs11_key(
                 const char *key_file,
                 size_t key_file_size,
                 uint64_t key_file_offset,
-                const void *key_data,
+                const struct iovec *key_data,
-                size_t key_data_size,
                 usec_t until,
                 AskPasswordFlags askpw_flags,
                 void **ret_decrypted_key,

src/cryptsetup/cryptsetup.c

@@ -1471,8 +1471,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
                 struct crypt_device *cd,
                 const char *name,
                 const char *key_file,
-                const void *key_data,
+                const struct iovec *key_data,
-                size_t key_data_size,
                 usec_t until,
                 uint32_t flags,
                 bool pass_volume_key) {
@@ -1489,7 +1488,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
         assert(name);
         assert(arg_fido2_device || arg_fido2_device_auto);
 
-        if (arg_fido2_cid && !key_file && !key_data)
+        if (arg_fido2_cid && !key_file && !iovec_is_set(key_data))
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                         "FIDO2 mode with manual parameters selected, but no keyfile specified, refusing.");
 
@@ -1513,7 +1512,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
                                                 arg_fido2_rp_id,
                                                 arg_fido2_cid, arg_fido2_cid_size,
                                                 key_file, arg_keyfile_size, arg_keyfile_offset,
-                                                key_data, key_data_size,
+                                                key_data,
                                                 until,
                                                 arg_fido2_manual_flags,
                                                 "cryptsetup.fido2-pin",
@@ -1623,8 +1622,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
                 struct crypt_device *cd,
                 const char *name,
                 const char *key_file,
-                const void *key_data,
+                const struct iovec *key_data,
-                size_t key_data_size,
                 usec_t until,
                 uint32_t flags,
                 bool pass_volume_key) {
@@ -1635,6 +1633,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
         _cleanup_(erase_and_freep) void *decrypted_key = NULL;
         _cleanup_(sd_event_unrefp) sd_event *event = NULL;
         _cleanup_free_ void *discovered_key = NULL;
+        struct iovec discovered_key_data = {};
         int keyslot = arg_key_slot, r;
         const char *uri = NULL;
         bool use_libcryptsetup_plugin = use_token_plugins();
@@ -1653,13 +1652,13 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
                                 return r;
 
                         uri = discovered_uri;
-                        key_data = discovered_key;
+                        discovered_key_data = IOVEC_MAKE(discovered_key, discovered_key_size);
-                        key_data_size = discovered_key_size;
+                        key_data = &discovered_key_data;
                 }
         } else {
                 uri = arg_pkcs11_uri;
 
-                if (!key_file && !key_data)
+                if (!key_file && !iovec_is_set(key_data))
                         return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "PKCS#11 mode selected but no key file specified, refusing.");
         }
 
@@ -1682,7 +1681,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
                                         friendly,
                                         uri,
                                         key_file, arg_keyfile_size, arg_keyfile_offset,
-                                        key_data, key_data_size,
+                                        key_data,
                                         until,
                                         arg_ask_password_flags,
                                         &decrypted_key, &decrypted_key_size);
@@ -2231,9 +2230,9 @@ static int attach_luks_or_plain_or_bitlk(
         if (token_type == TOKEN_TPM2)
                 return attach_luks_or_plain_or_bitlk_by_tpm2(cd, name, key_file, key_data, until, flags, pass_volume_key);
         if (token_type == TOKEN_FIDO2)
-                return attach_luks_or_plain_or_bitlk_by_fido2(cd, name, key_file, key_data->iov_base, key_data->iov_len, until, flags, pass_volume_key);
+                return attach_luks_or_plain_or_bitlk_by_fido2(cd, name, key_file, key_data, until, flags, pass_volume_key);
         if (token_type == TOKEN_PKCS11)
-                return attach_luks_or_plain_or_bitlk_by_pkcs11(cd, name, key_file, key_data->iov_base, key_data->iov_len, until, flags, pass_volume_key);
+                return attach_luks_or_plain_or_bitlk_by_pkcs11(cd, name, key_file, key_data, until, flags, pass_volume_key);
         if (key_data)
                 return attach_luks_or_plain_or_bitlk_by_key_data(cd, name, key_data, flags, pass_volume_key);
         if (key_file)

src/fsck/fsck.c

@@ -98,16 +98,11 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
                 }
         }
 
-#if HAVE_SYSV_COMPAT
+        else if (streq(key, "fastboot") && !value)
-        else if (streq(key, "fastboot") && !value) {
-                log_warning("Please pass 'fsck.mode=skip' rather than 'fastboot' on the kernel command line.");
                 arg_skip = true;
 
-        } else if (streq(key, "forcefsck") && !value) {
+        else if (streq(key, "forcefsck") && !value)
-                log_warning("Please pass 'fsck.mode=force' rather than 'forcefsck' on the kernel command line.");
                 arg_force = true;
-        }
-#endif
 
         return 0;
 }

src/import/curl-util.c

@@ -75,6 +75,10 @@ static int curl_glue_socket_callback(CURL *curl, curl_socket_t s, int action, vo
                 return 0;
         }
 
+        /* Don't configure io event source anymore when the event loop is dead already. */
+        if (g->event && sd_event_get_state(g->event) == SD_EVENT_FINISHED)
+                return 0;
+
         r = hashmap_ensure_allocated(&g->ios, &trivial_hash_ops);
         if (r < 0) {
                 log_oom();

src/libsystemd/sd-varlink/sd-varlink.c

@@ -1698,7 +1698,8 @@ _public_ int sd_varlink_get_events(sd_varlink *v) {
                 ret |= EPOLLIN;
 
         if (!v->write_disconnected &&
-            v->output_buffer_size > 0)
+            (v->output_queue ||
+             v->output_buffer_size > 0))
                 ret |= EPOLLOUT;
 
         return ret;

src/libsystemd/sd-varlink/varlink-util.c

@@ -16,7 +16,7 @@ int varlink_get_peer_pidref(sd_varlink *v, PidRef *ret) {
 
         int pidfd = sd_varlink_get_peer_pidfd(v);
         if (pidfd < 0) {
-                if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd))
+                if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd) && pidfd != -EINVAL)
                         return pidfd;
 
                 pid_t pid;

src/measure/measure.c

@@ -108,6 +108,7 @@ static int help(int argc, char *argv[], void *userdata) {
                "     --ucode=PATH        Path to microcode image file               %7$s .ucode\n"
                "     --splash=PATH       Path to splash bitmap file                 %7$s .splash\n"
                "     --dtb=PATH          Path to DeviceTree file                    %7$s .dtb\n"
+               "     --dtbauto=PATH      Path to DeviceTree file for auto selection %7$s .dtbauto\n"
                "     --uname=PATH        Path to 'uname -r' file                    %7$s .uname\n"
                "     --sbat=PATH         Path to SBAT file                          %7$s .sbat\n"
                "     --pcrpkey=PATH      Path to public key for PCR signatures      %7$s .pcrpkey\n"

src/nspawn/nspawn.c

@@ -2280,10 +2280,9 @@ static int copy_devnode_one(const char *dest, const char *node, bool ignore_mkno
         r = path_extract_directory(from, &parent);
         if (r < 0)
                 return log_error_errno(r, "Failed to extract directory from %s: %m", from);
-        if (!path_equal(parent, "/dev/")) {
+        r = userns_mkdir(dest, parent, 0755, 0, 0);
-                if (userns_mkdir(dest, parent, 0755, 0, 0) < 0)
+        if (r < 0)
                 return log_error_errno(r, "Failed to create directory %s: %m", parent);
-        }
 
         if (mknod(to, st.st_mode, st.st_rdev) < 0) {
                 r = -errno; /* Save the original error code. */
@@ -4654,7 +4653,7 @@ static int nspawn_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t r
 
         ucred = CMSG_FIND_DATA(&msghdr, SOL_SOCKET, SCM_CREDENTIALS, struct ucred);
         if (!ucred || ucred->pid != inner_child_pid) {
-                log_debug("Received notify message without valid credentials. Ignoring.");
+                log_debug("Received notify message from process that is not the payload's PID 1. Ignoring.");
                 return 0;
         }
 

src/quotacheck/quotacheck.c

@@ -36,14 +36,9 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
                         arg_skip = true;
                 else
                         log_warning("Invalid quotacheck.mode= value, ignoring: %s", value);
-        }
 
-#if HAVE_SYSV_COMPAT
+        } else if (streq(key, "forcequotacheck") && !value)
-        else if (streq(key, "forcequotacheck") && !value) {
-                log_warning("Please use 'quotacheck.mode=force' rather than 'forcequotacheck' on the kernel command line. Proceeding anyway.");
                 arg_force = true;
-        }
-#endif
 
         return 0;
 }

src/shared/cryptsetup-fido2.c

@@ -24,8 +24,7 @@ int acquire_fido2_key(
                 const char *key_file,
                 size_t key_file_size,
                 uint64_t key_file_offset,
-                const void *key_data,
+                const struct iovec *key_data,
-                size_t key_data_size,
                 usec_t until,
                 Fido2EnrollFlags required,
                 const char *askpw_credential,
@@ -45,10 +44,10 @@ int acquire_fido2_key(
                                         "Local verification is required to unlock this volume, but the 'headless' parameter was set.");
 
         assert(cid);
-        assert(key_file || key_data);
+        assert(key_file || iovec_is_set(key_data));
 
-        if (key_data)
+        if (iovec_is_set(key_data))
-                salt = IOVEC_MAKE(key_data, key_data_size);
+                salt = *key_data;
         else {
                 if (key_file_size > 0)
                         log_debug("Ignoring 'keyfile-size=' option for a FIDO2 salt file.");
@@ -252,7 +251,7 @@ int acquire_fido2_key_auto(
                                 /* key_file= */ NULL, /* salt is read from LUKS header instead of key_file */
                                 /* key_file_size= */ 0,
                                 /* key_file_offset= */ 0,
-                                salt, salt_size,
+                                &IOVEC_MAKE(salt, salt_size),
                                 until,
                                 required,
                                 "cryptsetup.fido2-pin",