mirror of https://github.com/systemd/systemd synced 2026-03-18 11:04:46 +01:00

Compare commits

6 Commits

Author SHA1 Message Date
Tobias Stoeckmann
a6ef858850 sysusers: document u! version support
Document at which version the exclamation mark suffix is supported.
Version 215 at the end of the list item is a bit misleading.
2026-01-06 07:21:37 +09:00
Zbigniew Jędrzejewski-Szmek
4a74a48c23 NEWS: fix typo 2026-01-05 22:15:29 +01:00
Yu Watanabe
fc48bf0c6b TEST-13-NSPAWN: remove pulled image on exit
Otherwise, if the VM is unexpectedly rebooted, then `importctl --user pull-tar`
may fail as the file may already exist.
```
[  123.351751] TEST-13-NSPAWN.sh[3946]: + run0 -u testuser importctl --user pull-tar file:///var/tmp/image-tar/kurps.tar.gz nurps --verify=checksum -m
[  123.541603] TEST-13-NSPAWN.sh[4311]: Enqueued transfer job 3. Press C-c to continue download in background.
[  123.552456] TEST-13-NSPAWN.sh[4311]: Pulling 'file:///var/tmp/image-tar/kurps.tar.gz', saving as 'nurps'.
[  123.552788] TEST-13-NSPAWN.sh[4311]: Operating on image directory '/home/testuser/.local/state/machines'.
[  123.819942] TEST-13-NSPAWN.sh[4311]: Got 1% of file:///var/tmp/image-tar/kurps.tar.gz.
[  124.156557] TEST-13-NSPAWN.sh[4311]: * shutting down connection #0
[  124.156896] TEST-13-NSPAWN.sh[4311]: * Could not open file /var/tmp/image-tar/kurps.tar.gz.sha256
[  124.157223] TEST-13-NSPAWN.sh[4311]: * closing connection #-1
[  124.159198] TEST-13-NSPAWN.sh[4311]: * Could not open file /var/tmp/image-tar/kurps.nspawn
[  124.159493] TEST-13-NSPAWN.sh[4311]: * closing connection #-1
[  124.159818] TEST-13-NSPAWN.sh[4311]: Acquired 68.5M.
[  124.160395] TEST-13-NSPAWN.sh[4311]: Download of file:///var/tmp/image-tar/kurps.tar.gz complete.
[  124.160664] TEST-13-NSPAWN.sh[4311]: Transfer failed: Could not read a file:// file
[  124.160923] TEST-13-NSPAWN.sh[4311]: Settings file could not be retrieved, proceeding without.
[  124.404733] TEST-13-NSPAWN.sh[4311]: * shutting down connection #1
[  124.405162] TEST-13-NSPAWN.sh[4311]: Acquired 79B.
[  124.406170] TEST-13-NSPAWN.sh[4311]: Download of file:///var/tmp/image-tar/SHA256SUMS complete.
[  124.406734] TEST-13-NSPAWN.sh[4311]: SHA256 checksum of file:///var/tmp/image-tar/kurps.tar.gz is valid.
[  124.455446] TEST-13-NSPAWN.sh[4311]: Failed to rename to final image name to /home/testuser/.local/state/machines/.tar-file:\x2f\x2f\x2fvar\x2ftmp\x2fimage-tar\x2fkurps\x2etar\x2egz: File exists
[  124.457251] TEST-13-NSPAWN.sh[4311]: Exiting.
```
Workaround for issue #38240.
2026-01-06 04:54:48 +09:00
Nick Rosbrook
0eaddf8c82 mkosi: stop using noble-proposed for qemu
The qemu update migrated to noble-updates a couple weeks ago, so it is
no longer necessary to enable noble-proposed (or add the associated apt
pinning config).
2026-01-06 04:47:27 +09:00
Cathy Hu
57202fd181 journal-remote test: add -Z in mkdir for journal-{remote,upload}.conf.d
Otherwise on SELinux enabled systems with the "targeted" policy
the type is not set correctly when run via unconfined user and
the test fails.
2026-01-06 04:46:34 +09:00
Nick Rosbrook
75890d949f ukify: omit .osrel section when --os-release= is empty
The primary motivation for this is to allow users of ukify to build
UKI-like objects, without having them later be detected as a UKI by
tools like kernel-install and bootctl.

The common code used by these tools to determine if a PE binary is a UKI
checks that both .osrel and .linux sections are present. Hence, adding
a mechanism to skip .osrel provides a way to avoid being labeled a UKI.
2026-01-06 04:44:43 +09:00
9 changed files with 30 additions and 17 deletions

NEWS

@ -4635,7 +4635,7 @@ CHANGES WITH 255:
* A new component "systemd-storagetm" has been added, which exposes all * A new component "systemd-storagetm" has been added, which exposes all
local block devices as NVMe-TCP devices, fully automatically. It's local block devices as NVMe-TCP devices, fully automatically. It's
hooked into a new target unit storage-target-mode.target that is hooked into a new target unit storage-target-mode.target that is
suppsoed to be booted into via supposed to be booted into via
rd.systemd.unit=storage-target-mode.target on the kernel command rd.systemd.unit=storage-target-mode.target on the kernel command
line. This is intended to be used for installers and debugging to line. This is intended to be used for installers and debugging to
quickly get access to the local disk. It's inspired by MacOS "target quickly get access to the local disk. It's inspired by MacOS "target

@ -119,13 +119,15 @@ r - 500-900
bearing the same name unless the ID field specifies it. The account will be bearing the same name unless the ID field specifies it. The account will be
created disabled, so that logins are not allowed.</para> created disabled, so that logins are not allowed.</para>
<xi:include href="version-info.xml" xpointer="v215"/>
<para>Type <varname>u</varname> may be suffixed with an exclamation mark (<literal>u!</literal>) to <para>Type <varname>u</varname> may be suffixed with an exclamation mark (<literal>u!</literal>) to
create a fully locked account. This is recommended, since logins should typically not be allowed create a fully locked account. This is recommended, since logins should typically not be allowed
for system users. With or without the exclamation mark an invalid password is set. For for system users. With or without the exclamation mark an invalid password is set. For
<literal>u!</literal>, the account is also locked, which makes a difference for non-password forms <literal>u!</literal>, the account is also locked, which makes a difference for non-password forms
of authentication, such as SSH or similar.</para> of authentication, such as SSH or similar.</para>
<xi:include href="version-info.xml" xpointer="v215"/></listitem> <xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
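
Review bot: the second paragraph now carries a v257 note, but nothing in it says what a `u!` line does on a systemd older than 257. If older versions reject or ignore such a line, one sentence saying so would help anyone shipping the same sysusers.d file across releases, since the text itself states that the lock is what makes the difference for SSH and other non-password authentication. With two `version-info.xml` includes in one list item, also check that the rendered page makes clear the v215 note belongs to plain `u`.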

@ -365,7 +365,10 @@
<listitem><para>The os-release description (the <literal>.osrel</literal> section). The argument <listitem><para>The os-release description (the <literal>.osrel</literal> section). The argument
may be a literal string, or <literal>@</literal> followed by a path name. If not specified, the may be a literal string, or <literal>@</literal> followed by a path name. If not specified, the
<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> file <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> file
will be picked up from the host system.</para> will be picked up from the host system. If explicitly set to an empty string, the ".osrel" section
is omitted from the UKI (this is not recommended in most cases, and causes the resulting artifact
to not be recognized as a UKI by other tools like <command>kernel-install</command>
and <command>bootctl</command>).</para>
<xi:include href="version-info.xml" xpointer="v253"/></listitem> <xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry> </varlistentry>
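
Review bot: the added sentence writes the section name as ".osrel" in plain quotes, while the first sentence of the same paragraph uses `<literal>.osrel</literal>`; use the `<literal>` markup here as well. The trailing version note still points at v253 for the whole option, so a reader cannot tell from which release the empty-string behaviour is available; a separate version note for the new sentence would fix that.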

@ -1,3 +0,0 @@
Package: src:qemu:any
Pin: release a=noble-proposed
Pin-Priority: 550

@ -1,5 +0,0 @@
Types: deb deb-src
URIs: http://archive.ubuntu.com/ubuntu/
Suites: noble-proposed
Components: main universe
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

@ -641,7 +641,7 @@ def test_efi_signing_pesign(kernel_initrd, tmp_path):
shutil.rmtree(tmp_path) shutil.rmtree(tmp_path)
def test_inspect(kernel_initrd, tmp_path, capsys): def test_inspect(kernel_initrd, tmp_path, capsys, osrel=True):
if kernel_initrd is None: if kernel_initrd is None:
pytest.skip('linux+initrd not found') pytest.skip('linux+initrd not found')
if not shutil.which('sbsign'): if not shutil.which('sbsign'):
@ -653,7 +653,7 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
output = f'{tmp_path}/signed2.efi' output = f'{tmp_path}/signed2.efi'
uname_arg='1.2.3' uname_arg='1.2.3'
osrel_arg='Linux' osrel_arg='Linux' if osrel else ''
cmdline_arg='ARG1 ARG2 ARG3' cmdline_arg='ARG1 ARG2 ARG3'
args = [ args = [
@ -680,8 +680,12 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
text = capsys.readouterr().out text = capsys.readouterr().out
expected_osrel = f'.osrel:\n size: {len(osrel_arg)}' if osrel:
assert expected_osrel in text expected_osrel = f'.osrel:\n size: {len(osrel_arg)}'
assert expected_osrel in text
else:
assert '.osrel:' not in text
expected_cmdline = f'.cmdline:\n size: {len(cmdline_arg)}' expected_cmdline = f'.cmdline:\n size: {len(cmdline_arg)}'
assert expected_cmdline in text assert expected_cmdline in text
expected_uname = f'.uname:\n size: {len(uname_arg)}' expected_uname = f'.uname:\n size: {len(uname_arg)}'
@ -694,6 +698,9 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
shutil.rmtree(tmp_path) shutil.rmtree(tmp_path)
def test_inspect_no_osrel(kernel_initrd, tmp_path, capsys):
test_inspect(kernel_initrd, tmp_path, capsys, osrel=False)
@pytest.mark.skipif(not slow_tests, reason='slow') @pytest.mark.skipif(not slow_tests, reason='slow')
def test_pcr_signing(kernel_initrd, tmp_path): def test_pcr_signing(kernel_initrd, tmp_path):
if kernel_initrd is None: if kernel_initrd is None:
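
Review bot: `test_inspect_no_osrel` calls the `test_inspect` test function directly and depends on the new `osrel=True` default argument, which makes one test's body the implementation of another. Putting `@pytest.mark.parametrize('osrel', [True, False])` on `test_inspect` would run both cases as separately reported tests and drop the wrapper, or the shared body could move into a helper that is not itself collected as a test.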

@ -1477,6 +1477,9 @@ def make_uki(opts: UkifyConfig) -> None:
'.profile', '.profile',
} }
if not opts.os_release:
to_import.remove('.osrel')
for profile in opts.join_profiles: for profile in opts.join_profiles:
pe = pefile.PE(profile, fast_load=True) pe = pefile.PE(profile, fast_load=True)
prev_len = len(uki.sections) prev_len = len(uki.sections)
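
Review bot: `if not opts.os_release:` is true for `None` as well as for the empty string, while the `finalize_options` hunk in this same change takes care to tell the two apart. The fallback there only runs when `opts.linux` is set, so `os_release` can still be `None` here, and `.osrel` is then removed from `to_import` without the user having asked for it. Either test `opts.os_release == ''` or add a comment stating that the broader match is intended.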
@ -2412,7 +2415,12 @@ def finalize_options(opts: argparse.Namespace) -> None:
opts.os_release = resolve_at_path(opts.os_release) opts.os_release = resolve_at_path(opts.os_release)
if not opts.os_release and opts.linux: if opts.os_release == '':
# If --os-release= with an empty string was passed, treat that as
# explicitly disabling the .osrel section, and do not fallback to the
# system's os-release files.
pass
elif opts.os_release is None and opts.linux:
p = Path('/etc/os-release') p = Path('/etc/os-release')
if not p.exists(): if not p.exists():
p = Path('/usr/lib/os-release') p = Path('/usr/lib/os-release')
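
Review bot: the `if opts.os_release == '': pass` branch has no effect, because the `elif` already requires `opts.os_release is None`. A single `if opts.os_release is None and opts.linux:` with the explanatory comment placed above it says the same thing more directly. In the comment, "do not fallback" should read "do not fall back".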

@ -61,7 +61,7 @@ openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 7 \
chown -R systemd-journal-remote /run/systemd/journal-remote-tls chown -R systemd-journal-remote /run/systemd/journal-remote-tls
# Configure journal-upload to upload journals to journal-remote without client certificates # Configure journal-upload to upload journals to journal-remote without client certificates
mkdir -p /run/systemd/journal-{remote,upload}.conf.d mkdir -pZ /run/systemd/journal-{remote,upload}.conf.d
cat >/run/systemd/journal-remote.conf.d/99-test.conf <<EOF cat >/run/systemd/journal-remote.conf.d/99-test.conf <<EOF
[Remote] [Remote]
SplitMode=host SplitMode=host
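
Review bot: nothing in the script says why `mkdir -pZ` carries `-Z`, so it is likely to be dropped in a later cleanup; a one-line comment above it naming the SELinux labelling problem from the commit message would prevent that. GNU mkdir documents `-Z` as applying to each created directory, so a `journal-remote.conf.d` or `journal-upload.conf.d` that already exists from an earlier run keeps the label it had.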

@ -13,6 +13,7 @@ if ! can_do_rootless_nspawn; then
fi fi
at_exit() { at_exit() {
rm -rf /home/testuser/.local/state/machines/.tar-file* ||:
rm -rf /home/testuser/.local/state/machines/zurps ||: rm -rf /home/testuser/.local/state/machines/zurps ||:
rm -rf /home/testuser/.local/state/machines/nurps ||: rm -rf /home/testuser/.local/state/machines/nurps ||:
rm -rf /home/testuser/.local/state/machines/kurps ||: rm -rf /home/testuser/.local/state/machines/kurps ||:
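
Review bot: the new `rm -rf /home/testuser/.local/state/machines/.tar-file* ||:` runs only from `at_exit`, which does not cover the case the commit message gives: after an unexpected reboot the exit handler never ran, and the stale `.tar-file*` entry is still present when the test starts again. Unless the script already clears this path before the first `importctl --user pull-tar`, repeat the removal there.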