Add Conflicts for older systemd and systemd-udev versions

(cherry picked from commit b24b99d669)
(cherry picked from commit 52e7bf2892)

0001-test-login-skip-consistency-checks-when-logind-is-no.patch

@@ -1,169 +0,0 @@
-From aee1d734a5034d47005a339ec5b2b39583795039 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Wed, 16 Dec 2020 15:56:44 +0100
-Subject: [PATCH] test-login: skip consistency checks when logind is not active
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There are two ways in swich sd_login_* functions acquire data:
-some are derived from the cgroup path, but others use the data serialized
-by logind.
-
-When the tests are executed under Fedora's mock, without systemd-spawn
-but instead in a traditional chroot, test-login gets confused:
-the "outside" cgroup path is visible, so sd_pid_get_unit() and
-sd_pid_get_session() work, but sd_session_is_active() and other functions
-that need logind data fail.
-
-Such a buildroot setup is fairly bad, but it can be encountered in the wild, so
-let's just skip the tests in that case.
-
-/* Information printed is from the live system */
-sd_pid_get_unit(0, …) → "session-237.scope"
-sd_pid_get_user_unit(0, …) → "n/a"
-sd_pid_get_slice(0, …) → "user-1000.slice"
-sd_pid_get_session(0, …) → "237"
-sd_pid_get_owner_uid(0, …) → 1000
-sd_pid_get_cgroup(0, …) → "/user.slice/user-1000.slice/session-237.scope"
-sd_uid_get_display(1000, …) → "(null)"
-sd_uid_get_sessions(1000, …) → [0] ""
-sd_uid_get_seats(1000, …) → [0] ""
-Assertion 'r >= 0' failed at src/libsystemd/sd-login/test-login.c:104, function test_login(). Aborting.
----
- src/libsystemd/sd-login/test-login.c | 98 +++++++++++++++-------------
- 1 file changed, 52 insertions(+), 46 deletions(-)
-
-diff --git a/src/libsystemd/sd-login/test-login.c b/src/libsystemd/sd-login/test-login.c
-index 5b2ff93e1c..f762b8475b 100644
---- a/src/libsystemd/sd-login/test-login.c
-+++ b/src/libsystemd/sd-login/test-login.c
-@@ -112,68 +112,74 @@ static void test_login(void) {
- 
-         if (session) {
-                 r = sd_session_is_active(session);
--                assert_se(r >= 0);
--                log_info("sd_session_is_active(\"%s\") → %s", session, yes_no(r));
-+                if (r == -ENXIO)
-+                        log_notice("sd_session_is_active failed with ENXIO, it seems logind is not running.");
-+                else {
-+                        /* All those tests will fail with ENXIO, so let's skip them. */
- 
--                r = sd_session_is_remote(session);
--                assert_se(r >= 0);
--                log_info("sd_session_is_remote(\"%s\") → %s", session, yes_no(r));
-+                        assert_se(r >= 0);
-+                        log_info("sd_session_is_active(\"%s\") → %s", session, yes_no(r));
- 
--                r = sd_session_get_state(session, &state);
--                assert_se(r == 0);
--                log_info("sd_session_get_state(\"%s\") → \"%s\"", session, state);
-+                        r = sd_session_is_remote(session);
-+                        assert_se(r >= 0);
-+                        log_info("sd_session_is_remote(\"%s\") → %s", session, yes_no(r));
- 
--                assert_se(sd_session_get_uid(session, &u) >= 0);
--                log_info("sd_session_get_uid(\"%s\") → "UID_FMT, session, u);
--                assert_se(u == u2);
-+                        r = sd_session_get_state(session, &state);
-+                        assert_se(r == 0);
-+                        log_info("sd_session_get_state(\"%s\") → \"%s\"", session, state);
- 
--                assert_se(sd_session_get_type(session, &type) >= 0);
--                log_info("sd_session_get_type(\"%s\") → \"%s\"", session, type);
-+                        assert_se(sd_session_get_uid(session, &u) >= 0);
-+                        log_info("sd_session_get_uid(\"%s\") → "UID_FMT, session, u);
-+                        assert_se(u == u2);
- 
--                assert_se(sd_session_get_class(session, &class) >= 0);
--                log_info("sd_session_get_class(\"%s\") → \"%s\"", session, class);
-+                        assert_se(sd_session_get_type(session, &type) >= 0);
-+                        log_info("sd_session_get_type(\"%s\") → \"%s\"", session, type);
- 
--                r = sd_session_get_display(session, &display);
--                assert_se(IN_SET(r, 0, -ENODATA));
--                log_info("sd_session_get_display(\"%s\") → \"%s\"", session, strna(display));
-+                        assert_se(sd_session_get_class(session, &class) >= 0);
-+                        log_info("sd_session_get_class(\"%s\") → \"%s\"", session, class);
- 
--                r = sd_session_get_remote_user(session, &remote_user);
--                assert_se(IN_SET(r, 0, -ENODATA));
--                log_info("sd_session_get_remote_user(\"%s\") → \"%s\"",
--                         session, strna(remote_user));
-+                        r = sd_session_get_display(session, &display);
-+                        assert_se(IN_SET(r, 0, -ENODATA));
-+                        log_info("sd_session_get_display(\"%s\") → \"%s\"", session, strna(display));
- 
--                r = sd_session_get_remote_host(session, &remote_host);
--                assert_se(IN_SET(r, 0, -ENODATA));
--                log_info("sd_session_get_remote_host(\"%s\") → \"%s\"",
--                         session, strna(remote_host));
-+                        r = sd_session_get_remote_user(session, &remote_user);
-+                        assert_se(IN_SET(r, 0, -ENODATA));
-+                        log_info("sd_session_get_remote_user(\"%s\") → \"%s\"",
-+                                 session, strna(remote_user));
- 
--                r = sd_session_get_seat(session, &seat);
--                if (r >= 0) {
--                        assert_se(seat);
-+                        r = sd_session_get_remote_host(session, &remote_host);
-+                        assert_se(IN_SET(r, 0, -ENODATA));
-+                        log_info("sd_session_get_remote_host(\"%s\") → \"%s\"",
-+                                 session, strna(remote_host));
- 
--                        log_info("sd_session_get_seat(\"%s\") → \"%s\"", session, seat);
-+                        r = sd_session_get_seat(session, &seat);
-+                        if (r >= 0) {
-+                                assert_se(seat);
-+
-+                                log_info("sd_session_get_seat(\"%s\") → \"%s\"", session, seat);
- 
- #pragma GCC diagnostic push
- #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
--                        r = sd_seat_can_multi_session(seat);
-+                                r = sd_seat_can_multi_session(seat);
- #pragma GCC diagnostic pop
--                        assert_se(r == 1);
--                        log_info("sd_session_can_multi_seat(\"%s\") → %s", seat, yes_no(r));
-+                                assert_se(r == 1);
-+                                log_info("sd_session_can_multi_seat(\"%s\") → %s", seat, yes_no(r));
- 
--                        r = sd_seat_can_tty(seat);
--                        assert_se(r >= 0);
--                        log_info("sd_session_can_tty(\"%s\") → %s", seat, yes_no(r));
-+                                r = sd_seat_can_tty(seat);
-+                                assert_se(r >= 0);
-+                                log_info("sd_session_can_tty(\"%s\") → %s", seat, yes_no(r));
- 
--                        r = sd_seat_can_graphical(seat);
--                        assert_se(r >= 0);
--                        log_info("sd_session_can_graphical(\"%s\") → %s", seat, yes_no(r));
--                } else {
--                        log_info_errno(r, "sd_session_get_seat(\"%s\"): %m", session);
--                        assert_se(r == -ENODATA);
-+                                r = sd_seat_can_graphical(seat);
-+                                assert_se(r >= 0);
-+                                log_info("sd_session_can_graphical(\"%s\") → %s", seat, yes_no(r));
-+                        } else {
-+                                log_info_errno(r, "sd_session_get_seat(\"%s\"): %m", session);
-+                                assert_se(r == -ENODATA);
-+                        }
-+
-+                        assert_se(sd_uid_get_state(u, &state2) == 0);
-+                        log_info("sd_uid_get_state("UID_FMT", …) → %s", u, state2);
-                 }
--
--                assert_se(sd_uid_get_state(u, &state2) == 0);
--                log_info("sd_uid_get_state("UID_FMT", …) → %s", u, state2);
-         }
- 
-         if (seat) {
-@@ -214,7 +220,7 @@ static void test_login(void) {
-         assert_se(sd_get_seats(NULL) == r);
- 
-         r = sd_seat_get_active(NULL, &t, NULL);
--        assert_se(IN_SET(r, 0, -ENODATA));
-+        assert_se(IN_SET(r, 0, -ENODATA, -ENXIO));
-         log_info("sd_seat_get_active(NULL, …) (active session on current seat) → %s / \"%s\"", e(r), strnull(t));
-         free(t);
- 

0001-test-path-util-do-not-fail-if-the-fd_is_mount_point-.patch

@@ -1,70 +0,0 @@
-From 2e9d763e7cbeb33954bbe3f96fd94de2cd62edf7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Thu, 12 Nov 2020 14:28:24 +0100
-Subject: [PATCH] test-path-util: do not fail if the fd_is_mount_point check
- fails
-
-This test fails on i686 and ppc64le in koji:
-/* test_path */
-Assertion 'fd_is_mount_point(fd, "/", 0) > 0' failed at src/test/test-path-util.c:85, function test_path(). Aborting.
-
-I guess some permission error is the most likely.
----
- src/test/test-path-util.c | 23 +++++++++++++++++------
- 1 file changed, 17 insertions(+), 6 deletions(-)
-
-diff --git a/src/test/test-path-util.c b/src/test/test-path-util.c
-index f4f8d0550b..be428334f3 100644
---- a/src/test/test-path-util.c
-+++ b/src/test/test-path-util.c
-@@ -40,8 +40,6 @@ static void test_path_simplify(const char *in, const char *out, const char *out_
- }
- 
- static void test_path(void) {
--        _cleanup_close_ int fd = -1;
--
-         log_info("/* %s */", __func__);
- 
-         test_path_compare("/goo", "/goo", 0);
-@@ -80,10 +78,6 @@ static void test_path(void) {
-         assert_se(streq(basename("/aa///file..."), "file..."));
-         assert_se(streq(basename("file.../"), ""));
- 
--        fd = open("/", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY);
--        assert_se(fd >= 0);
--        assert_se(fd_is_mount_point(fd, "/", 0) > 0);
--
-         test_path_simplify("aaa/bbb////ccc", "aaa/bbb/ccc", "aaa/bbb/ccc");
-         test_path_simplify("//aaa/.////ccc", "/aaa/./ccc", "/aaa/ccc");
-         test_path_simplify("///", "/", "/");
-@@ -120,6 +114,22 @@ static void test_path(void) {
-         assert_se(!path_equal_ptr(NULL, "/a"));
- }
- 
-+static void test_path_is_mountpoint(void) {
-+        _cleanup_close_ int fd = -1;
-+        int r;
-+
-+        log_info("/* %s */", __func__);
-+
-+        fd = open("/", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY);
-+        assert_se(fd >= 0);
-+
-+        r = fd_is_mount_point(fd, "/", 0);
-+        if (r < 0)
-+                log_warning_errno(r, "Failed to check if / is a mount point, ignoring: %m");
-+        else
-+                assert_se(r == 1);
-+}
-+
- static void test_path_equal_root(void) {
-         /* Nail down the details of how path_equal("/", ...) works. */
- 
-@@ -714,6 +724,7 @@ int main(int argc, char **argv) {
- 
-         test_print_paths();
-         test_path();
-+        test_path_is_mountpoint();
-         test_path_equal_root();
-         test_find_executable_full();
-         test_find_executable(argv[0]);

0001-test-path-util-ignore-test-failure.patch

@@ -1,33 +0,0 @@
-From e8bca4ba55f855260eda684a16e8feb5f20b1deb Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Thu, 12 Nov 2020 15:06:12 +0100
-Subject: [PATCH] test-path-util: ignore test failure
-
----
- src/test/test-path-util.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/src/test/test-path-util.c b/src/test/test-path-util.c
-index be428334f3..207c659b8b 100644
---- a/src/test/test-path-util.c
-+++ b/src/test/test-path-util.c
-@@ -120,14 +120,17 @@ static void test_path_is_mountpoint(void) {
- 
-         log_info("/* %s */", __func__);
- 
-+        (void) system("uname -a");
-+        (void) system("mountpoint /");
-+
-         fd = open("/", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY);
-         assert_se(fd >= 0);
- 
-         r = fd_is_mount_point(fd, "/", 0);
-         if (r < 0)
-                 log_warning_errno(r, "Failed to check if / is a mount point, ignoring: %m");
--        else
--                assert_se(r == 1);
-+        else if (r == 0)
-+                log_warning("/ is not a mountpoint?");
- }
- 
- static void test_path_equal_root(void) {

10-oomd-defaults.conf

@@ -1,2 +1,2 @@
 [OOM]
-DefaultMemoryPressureDurationSec=10s
+DefaultMemoryPressureDurationSec=20s

10-oomd-user-service-defaults.conf

@@ -1,3 +1,3 @@
 [Service]
 ManagedOOMMemoryPressure=kill
-ManagedOOMMemoryPressureLimit=10%
+ManagedOOMMemoryPressureLimit=50%

18892.patch

@@ -1,495 +0,0 @@
-From e0ae456a554d0fce250f9a009c561b97f20c41f8 Mon Sep 17 00:00:00 2001
-From: Lennart Poettering <lennart@poettering.net>
-Date: Fri, 5 Mar 2021 17:47:45 +0100
-Subject: [PATCH 1/6] dns-query: export CNAME_MAX, so that we can use it in
- other files, too
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Let's rename it a bit, to be more explanatory while exporting it.
-
-(And let's bump the CNAME limit to 16 — 8 just sounded so little)
----
- src/resolve/resolved-dns-query.c | 3 +--
- src/resolve/resolved-dns-query.h | 2 ++
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
-index 7554d1e82f4..aa9d65d4a82 100644
---- a/src/resolve/resolved-dns-query.c
-+++ b/src/resolve/resolved-dns-query.c
-@@ -10,7 +10,6 @@
- #include "resolved-etc-hosts.h"
- #include "string-util.h"
- 
--#define CNAME_MAX 8
- #define QUERIES_MAX 2048
- #define AUXILIARY_QUERIES_MAX 64
- 
-@@ -977,7 +976,7 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname)
-         assert(q);
- 
-         q->n_cname_redirects++;
--        if (q->n_cname_redirects > CNAME_MAX)
-+        if (q->n_cname_redirects > CNAME_REDIRECT_MAX)
-                 return -ELOOP;
- 
-         r = dns_question_cname_redirect(q->question_idna, cname, &nq_idna);
-diff --git a/src/resolve/resolved-dns-query.h b/src/resolve/resolved-dns-query.h
-index ea296167b61..5d12171b0a1 100644
---- a/src/resolve/resolved-dns-query.h
-+++ b/src/resolve/resolved-dns-query.h
-@@ -145,3 +145,5 @@ static inline uint64_t dns_query_reply_flags_make(DnsQuery *q) {
-                                       dns_query_fully_confidential(q)) |
-                 (q->answer_query_flags & (SD_RESOLVED_FROM_MASK|SD_RESOLVED_SYNTHETIC));
- }
-+
-+#define CNAME_REDIRECT_MAX 16
-
-From d29958261a3df80f5cf0e98b1cd307790a92b13b Mon Sep 17 00:00:00 2001
-From: Lennart Poettering <lennart@poettering.net>
-Date: Fri, 5 Mar 2021 17:48:43 +0100
-Subject: [PATCH 2/6] resolved: tighten checks in
- dns_resource_record_get_cname_target()
-
-Let's refuse to consider CNAME/DNAME replies matching for RR types where
-that is not really conceptually allow (i.e. on CNAME/DNAME lookups
-themselves).
-
-(And add a similar check to dns_resource_key_match_cname_or_dname() too,
-which implements a smilar match)
----
- src/resolve/resolved-dns-rr.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/src/resolve/resolved-dns-rr.c b/src/resolve/resolved-dns-rr.c
-index 823117e5c92..7e76e0c6cc0 100644
---- a/src/resolve/resolved-dns-rr.c
-+++ b/src/resolve/resolved-dns-rr.c
-@@ -244,6 +244,9 @@ int dns_resource_key_match_cname_or_dname(const DnsResourceKey *key, const DnsRe
-         if (cname->class != key->class && key->class != DNS_CLASS_ANY)
-                 return 0;
- 
-+        if (!dns_type_may_redirect(key->type))
-+                return 0;
-+
-         if (cname->type == DNS_TYPE_CNAME)
-                 r = dns_name_equal(dns_resource_key_name(key), dns_resource_key_name(cname));
-         else if (cname->type == DNS_TYPE_DNAME)
-@@ -1743,9 +1746,16 @@ int dns_resource_record_get_cname_target(DnsResourceKey *key, DnsResourceRecord
-         assert(key);
-         assert(cname);
- 
-+        /* Checks if the RR `cname` is a CNAME/DNAME RR that matches the specified `key`. If so, returns the
-+         * target domain. If not, returns -EUNATCH */
-+
-         if (key->class != cname->key->class && key->class != DNS_CLASS_ANY)
-                 return -EUNATCH;
- 
-+        if (!dns_type_may_redirect(key->type)) /* This key type is not subject to CNAME/DNAME redirection?
-+                                                * Then let's refuse right-away */
-+                return -EUNATCH;
-+
-         if (cname->key->type == DNS_TYPE_CNAME) {
-                 r = dns_name_equal(dns_resource_key_name(key),
-                                    dns_resource_key_name(cname->key));
-
-From 4838dc4f2be1d29da9ce9a930c48717a4491d70e Mon Sep 17 00:00:00 2001
-From: Lennart Poettering <lennart@poettering.net>
-Date: Fri, 5 Mar 2021 17:53:31 +0100
-Subject: [PATCH 3/6] resolved: handle multiple CNAME redirects in a single
- reply from upstream
-
-www.netflix.com responds with a chain of CNAMEs in the same packet.
-Let's handle that properly (so far we only followed CNAMEs a single step
-when in the same packet)
-
-Fixes: #18819
----
- src/resolve/resolved-dns-stub.c | 105 +++++++++++++++++---------------
- 1 file changed, 57 insertions(+), 48 deletions(-)
-
-diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c
-index c2734e57b9b..c3a28d390a4 100644
---- a/src/resolve/resolved-dns-stub.c
-+++ b/src/resolve/resolved-dns-stub.c
-@@ -162,79 +162,88 @@ static int dns_stub_collect_answer_by_question(
-                 bool with_rrsig) { /* Add RRSIG RR matching each RR */
- 
-         _cleanup_(dns_resource_key_unrefp) DnsResourceKey *redirected_key = NULL;
-+        unsigned n_cname_redirects = 0;
-         DnsAnswerItem *item;
-         int r;
- 
-         assert(reply);
- 
--        /* Copies all RRs from 'answer' into 'reply', if they match 'question'. */
-+        /* Copies all RRs from 'answer' into 'reply', if they match 'question'. There might be direct and
-+         * indirect matches (i.e. via CNAME/DNAME). If they have an indirect one, remember where we need to
-+         * go, and restart the loop */
-+
-+        for (;;) {
-+                _cleanup_(dns_resource_key_unrefp) DnsResourceKey *next_redirected_key = NULL;
-+
-+                DNS_ANSWER_FOREACH_ITEM(item, answer) {
-+                        DnsResourceKey *k = NULL;
-+
-+                        if (redirected_key) {
-+                                /* There was a redirect in this packet, let's collect all matching RRs for the redirect */
-+                                r = dns_resource_key_match_rr(redirected_key, item->rr, NULL);
-+                                if (r < 0)
-+                                        return r;
-+
-+                                k = redirected_key;
-+                        } else if (question) {
-+                                /* We have a question, let's see if this RR matches it */
-+                                r = dns_question_matches_rr(question, item->rr, NULL);
-+                                if (r < 0)
-+                                        return r;
-+
-+                                k = question->keys[0];
-+                        } else
-+                                r = 1; /* No question, everything matches */
- 
--        DNS_ANSWER_FOREACH_ITEM(item, answer) {
--                if (question) {
--                        r = dns_question_matches_rr(question, item->rr, NULL);
--                        if (r < 0)
--                                return r;
-                         if (r == 0) {
-                                 _cleanup_free_ char *target = NULL;
- 
-                                 /* OK, so the RR doesn't directly match. Let's see if the RR is a matching
-                                  * CNAME or DNAME */
- 
--                                r = dns_resource_record_get_cname_target(
--                                                question->keys[0],
--                                                item->rr,
--                                                &target);
-+                                assert(k);
-+
-+                                r = dns_resource_record_get_cname_target(k, item->rr, &target);
-                                 if (r == -EUNATCH)
-                                         continue; /* Not a CNAME/DNAME or doesn't match */
-                                 if (r < 0)
-                                         return r;
- 
--                                dns_resource_key_unref(redirected_key);
-+                                /* Oh, wow, this is a redirect. Let's remember where this points, and store
-+                                 * it in 'next_redirected_key'. Once we finished iterating through the rest
-+                                 * of the RR's we'll start again, with the redirected RR key. */
-+
-+                                n_cname_redirects++;
-+                                if (n_cname_redirects > CNAME_REDIRECT_MAX) /* don't loop forever */
-+                                        return -ELOOP;
-+
-+                                dns_resource_key_unref(next_redirected_key);
- 
-                                 /* There can only be one CNAME per name, hence no point in storing more than one here */
--                                redirected_key = dns_resource_key_new(question->keys[0]->class, question->keys[0]->type, target);
--                                if (!redirected_key)
-+                                next_redirected_key = dns_resource_key_new(k->class, k->type, target);
-+                                if (!next_redirected_key)
-                                         return -ENOMEM;
-                         }
--                }
- 
--                /* Mask the section info, we want the primary answers to always go without section info, so
--                 * that it is added to the answer section when we synthesize a reply. */
-+                        /* Mask the section info, we want the primary answers to always go without section info, so
-+                         * that it is added to the answer section when we synthesize a reply. */
- 
--                r = reply_add_with_rrsig(
--                                reply,
--                                item->rr,
--                                item->ifindex,
--                                item->flags & ~DNS_ANSWER_MASK_SECTIONS,
--                                item->rrsig,
--                                with_rrsig);
--                if (r < 0)
--                        return r;
--        }
--
--        if (!redirected_key)
--                return 0;
--
--        /* This is a CNAME/DNAME answer. In this case also append where the redirections point to to the main
--         * answer section */
--
--        DNS_ANSWER_FOREACH_ITEM(item, answer) {
-+                        r = reply_add_with_rrsig(
-+                                        reply,
-+                                        item->rr,
-+                                        item->ifindex,
-+                                        item->flags & ~DNS_ANSWER_MASK_SECTIONS,
-+                                        item->rrsig,
-+                                        with_rrsig);
-+                        if (r < 0)
-+                                return r;
-+                }
- 
--                r = dns_resource_key_match_rr(redirected_key, item->rr, NULL);
--                if (r < 0)
--                        return r;
--                if (r == 0)
--                        continue;
-+                if (!next_redirected_key)
-+                        break;
- 
--                r = reply_add_with_rrsig(
--                                reply,
--                                item->rr,
--                                item->ifindex,
--                                item->flags & ~DNS_ANSWER_MASK_SECTIONS,
--                                item->rrsig,
--                                with_rrsig);
--                if (r < 0)
--                        return r;
-+                dns_resource_key_unref(redirected_key);
-+                redirected_key = TAKE_PTR(next_redirected_key);
-         }
- 
-         return 0;
-
-From 39005e187095062718621880e5d8ad707ac8fe8f Mon Sep 17 00:00:00 2001
-From: Lennart Poettering <lennart@poettering.net>
-Date: Fri, 5 Mar 2021 18:01:27 +0100
-Subject: [PATCH 4/6] resolved: split out helper that checks whether we shall
- reply with EDNS0 DO
-
-Just some refactoring, no actual code changes.
----
- src/resolve/resolved-dns-stub.c | 22 ++++++++++++++--------
- 1 file changed, 14 insertions(+), 8 deletions(-)
-
-diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c
-index c3a28d390a4..b4df5837aad 100644
---- a/src/resolve/resolved-dns-stub.c
-+++ b/src/resolve/resolved-dns-stub.c
-@@ -561,6 +561,19 @@ static int dns_stub_send(
-         return 0;
- }
- 
-+static int dns_stub_reply_with_edns0_do(DnsQuery *q) {
-+         assert(q);
-+
-+        /* Reply with DNSSEC DO set? Only if client supports it; and we did any DNSSEC verification
-+         * ourselves, or consider the data fully authenticated because we generated it locally, or the client
-+         * set cd */
-+
-+         return DNS_PACKET_DO(q->request_packet) &&
-+                 (q->answer_dnssec_result >= 0 ||        /* we did proper DNSSEC validation … */
-+                  dns_query_fully_authenticated(q) ||    /* … or we considered it authentic otherwise … */
-+                  DNS_PACKET_CD(q->request_packet));     /* … or client set CD */
-+}
-+
- static int dns_stub_send_reply(
-                 DnsQuery *q,
-                 int rcode) {
-@@ -571,14 +584,7 @@ static int dns_stub_send_reply(
- 
-         assert(q);
- 
--        /* Reply with DNSSEC DO set? Only if client supports it; and we did any DNSSEC verification
--         * ourselves, or consider the data fully authenticated because we generated it locally, or
--         * the client set cd */
--        edns0_do =
--                DNS_PACKET_DO(q->request_packet) &&
--                (q->answer_dnssec_result >= 0 ||        /* we did proper DNSSEC validation … */
--                 dns_query_fully_authenticated(q) ||    /* … or we considered it authentic otherwise … */
--                 DNS_PACKET_CD(q->request_packet));     /* … or client set CD */
-+        edns0_do = dns_stub_reply_with_edns0_do(q); /* let's check if we shall reply with EDNS0 DO? */
- 
-         r = dns_stub_assign_sections(
-                         q,
-
-From b97fc57178932689bdcb9030e1e2bf299d49ce0b Mon Sep 17 00:00:00 2001
-From: Lennart Poettering <lennart@poettering.net>
-Date: Fri, 5 Mar 2021 16:50:04 +0100
-Subject: [PATCH 5/6] resolved: fully follow CNAMEs in the DNS stub after all
-
-In 2f4d8e577ca7bc51fb054b8c2c8dd57c2e188a41 I argued that following
-CNAMEs in the stub is not necessary anymore. However, I think it' better
-to revert to the status quo ante and follow it after all, given it is
-easy for us and makes sure our D-Bus/varlink replies are more similar to
-our DNS stub replies that way, and we save clients potential roundtrips.
-
-Hence, whenever we hit a CNAME/DNAME redirect, let's restart the query
-like we do for the D-Bus/Varlink case, and collect replies as we go.
----
- src/resolve/resolved-dns-stub.c | 38 +++++++++++++++++++++++----------
- 1 file changed, 27 insertions(+), 11 deletions(-)
-
-diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c
-index b4df5837aad..85c4eda469c 100644
---- a/src/resolve/resolved-dns-stub.c
-+++ b/src/resolve/resolved-dns-stub.c
-@@ -586,13 +586,6 @@ static int dns_stub_send_reply(
- 
-         edns0_do = dns_stub_reply_with_edns0_do(q); /* let's check if we shall reply with EDNS0 DO? */
- 
--        r = dns_stub_assign_sections(
--                        q,
--                        q->request_packet->question,
--                        edns0_do);
--        if (r < 0)
--                return log_debug_errno(r, "Failed to assign sections: %m");
--
-         r = dns_stub_make_reply_packet(
-                         &reply,
-                         DNS_PACKET_PAYLOAD_SIZE_MAX(q->request_packet),
-@@ -743,13 +736,37 @@ static void dns_stub_query_complete(DnsQuery *q) {
-                 }
-         }
- 
--        /* Note that we don't bother with following CNAMEs here. We propagate the authoritative/additional
--         * sections from the upstream answer however, hence if the upstream server collected that information
--         * already we don't have to collect it ourselves anymore. */
-+        /* Take all data from the current reply, and merge it into the three reply sections we are building
-+         * up. We do this before processing CNAME redirects, so that we gradually build up our sections, and
-+         * and keep adding all RRs in the CNAME chain. */
-+        r = dns_stub_assign_sections(
-+                        q,
-+                        q->request_packet->question,
-+                        dns_stub_reply_with_edns0_do(q));
-+        if (r < 0) {
-+                log_debug_errno(r, "Failed to assign sections: %m");
-+                dns_query_free(q);
-+                return;
-+        }
- 
-         switch (q->state) {
- 
-         case DNS_TRANSACTION_SUCCESS:
-+                r = dns_query_process_cname(q);
-+                if (r == -ELOOP) { /* CNAME loop, let's send what we already have */
-+                        log_debug_errno(r, "Detected CNAME loop, returning what we already have.");
-+                        (void) dns_stub_send_reply(q, q->answer_rcode);
-+                        break;
-+                }
-+                if (r < 0) {
-+                        log_debug_errno(r, "Failed to process CNAME: %m");
-+                        break;
-+                }
-+                if (r == DNS_QUERY_RESTARTED)
-+                        return;
-+
-+                _fallthrough_;
-+
-         case DNS_TRANSACTION_RCODE_FAILURE:
-                 (void) dns_stub_send_reply(q, q->answer_rcode);
-                 break;
-@@ -888,7 +905,6 @@ static void dns_stub_process_query(Manager *m, DnsStubListenerExtra *l, DnsStrea
-                 r = dns_query_new(m, &q, p->question, p->question, NULL, 0,
-                                   SD_RESOLVED_PROTOCOLS_ALL|
-                                   SD_RESOLVED_NO_SEARCH|
--                                  SD_RESOLVED_NO_CNAME|
-                                   (DNS_PACKET_DO(p) ? SD_RESOLVED_REQUIRE_PRIMARY : 0)|
-                                   SD_RESOLVED_CLAMP_TTL);
-         if (r < 0) {
-
-From 5d7da51ee1d27e86a0487a4b2abc3cfb0ed44c23 Mon Sep 17 00:00:00 2001
-From: Lennart Poettering <lennart@poettering.net>
-Date: Fri, 5 Mar 2021 18:20:59 +0100
-Subject: [PATCH 6/6] resolved: when synthesizing stub replies from multiple
- upstream packet, let's avoid RR duplicates
-
-If we synthesize a stub reply from multiple upstream packet (i.e. a
-series of CNAME/DNAME redirects), it might happen that we add the same
-RR to a different reply section at a different CNAME/DNAME redirect
-chain element. Let's clean this up once we are about to send the reply
-message to the client: let's remove sections from "lower-priority"
-sections when they are already listed in a "higher-priority" section.
----
- src/resolve/resolved-dns-answer.c | 25 +++++++++++++++++++++++++
- src/resolve/resolved-dns-answer.h |  1 +
- src/resolve/resolved-dns-stub.c   | 20 ++++++++++++++++++++
- 3 files changed, 46 insertions(+)
-
-diff --git a/src/resolve/resolved-dns-answer.c b/src/resolve/resolved-dns-answer.c
-index ce3cbce308d..a667ab5ede4 100644
---- a/src/resolve/resolved-dns-answer.c
-+++ b/src/resolve/resolved-dns-answer.c
-@@ -640,6 +640,31 @@ int dns_answer_remove_by_rr(DnsAnswer **a, DnsResourceRecord *rm) {
-         return 1;
- }
- 
-+int dns_answer_remove_by_answer_keys(DnsAnswer **a, DnsAnswer *b) {
-+        _cleanup_(dns_resource_key_unrefp) DnsResourceKey *prev = NULL;
-+        DnsAnswerItem *item;
-+        int r;
-+
-+        /* Removes all items from '*a' that have a matching key in 'b' */
-+
-+        DNS_ANSWER_FOREACH_ITEM(item, b) {
-+
-+                if (prev && dns_resource_key_equal(item->rr->key, prev)) /* Skip this one, we already looked at it */
-+                        continue;
-+
-+                r = dns_answer_remove_by_key(a, item->rr->key);
-+                if (r < 0)
-+                        return r;
-+
-+                /* Let's remember this entry's RR key, to optimize the loop a bit: if we have an RRset with
-+                 * more than one item then we don't need to remove the key multiple times */
-+                dns_resource_key_unref(prev);
-+                prev = dns_resource_key_ref(item->rr->key);
-+        }
-+
-+        return 0;
-+}
-+
- int dns_answer_copy_by_key(
-                 DnsAnswer **a,
-                 DnsAnswer *source,
-diff --git a/src/resolve/resolved-dns-answer.h b/src/resolve/resolved-dns-answer.h
-index c2fd0c078f4..7d19eee4e2b 100644
---- a/src/resolve/resolved-dns-answer.h
-+++ b/src/resolve/resolved-dns-answer.h
-@@ -68,6 +68,7 @@ int dns_answer_reserve_or_clone(DnsAnswer **a, size_t n_free);
- 
- int dns_answer_remove_by_key(DnsAnswer **a, const DnsResourceKey *key);
- int dns_answer_remove_by_rr(DnsAnswer **a, DnsResourceRecord *rr);
-+int dns_answer_remove_by_answer_keys(DnsAnswer **a, DnsAnswer *b);
- 
- int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKey *key, DnsAnswerFlags or_flags, DnsResourceRecord *rrsig);
- int dns_answer_move_by_key(DnsAnswer **to, DnsAnswer **from, const DnsResourceKey *key, DnsAnswerFlags or_flags, DnsResourceRecord *rrsig);
-diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c
-index 85c4eda469c..8e781dd7389 100644
---- a/src/resolve/resolved-dns-stub.c
-+++ b/src/resolve/resolved-dns-stub.c
-@@ -574,6 +574,24 @@ static int dns_stub_reply_with_edns0_do(DnsQuery *q) {
-                   DNS_PACKET_CD(q->request_packet));     /* … or client set CD */
- }
- 
-+static void dns_stub_suppress_duplicate_section_rrs(DnsQuery *q) {
-+        /* If we follow a CNAME/DNAME chain we might end up populating our sections with redundant RRs
-+         * because we built up the sections from multiple reply packets (one from each CNAME/DNAME chain
-+         * element). E.g. it could be that an RR that was included in the first reply's additional section
-+         * ends up being relevant as main answer in a subsequent reply in the chain. Let's clean this up, and
-+         * remove everything in the "higher priority" sections from the "lower priority" sections.
-+         *
-+         * Note that this removal matches by RR keys instead of the full RRs. This is because RRsets should
-+         * always end up in one section fully or not at all, but never be split among sections.
-+         *
-+         * Specifically: we remove ANSWER section RRs from the AUTHORITATIVE and ADDITIONAL sections, as well
-+         * as AUTHORITATIVE section RRs from the ADDITIONAL section. */
-+
-+        dns_answer_remove_by_answer_keys(&q->reply_authoritative, q->reply_answer);
-+        dns_answer_remove_by_answer_keys(&q->reply_additional, q->reply_answer);
-+        dns_answer_remove_by_answer_keys(&q->reply_additional, q->reply_authoritative);
-+}
-+
- static int dns_stub_send_reply(
-                 DnsQuery *q,
-                 int rcode) {
-@@ -594,6 +612,8 @@ static int dns_stub_send_reply(
-         if (r < 0)
-                 return log_debug_errno(r, "Failed to build reply packet: %m");
- 
-+        dns_stub_suppress_duplicate_section_rrs(q);
-+
-         r = dns_stub_add_reply_packet_body(
-                         reply,
-                         q->reply_answer,

18915.patch

@@ -1,154 +0,0 @@
-From 8b0f54c9290564e8c27c9c8ac464cdcc2c659ad5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Sat, 6 Mar 2021 19:06:08 +0100
-Subject: [PATCH 1/3] pid1: return varlink error on the right connection
-
----
- src/core/core-varlink.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/core/core-varlink.c b/src/core/core-varlink.c
-index d695106658b..b3df8cd893c 100644
---- a/src/core/core-varlink.c
-+++ b/src/core/core-varlink.c
-@@ -142,7 +142,7 @@ static int vl_method_subscribe_managed_oom_cgroups(
-         /* We only take one subscriber for this method so return an error if there's already an existing one.
-          * This shouldn't happen since systemd-oomd is the only client of this method. */
-         if (FLAGS_SET(flags, VARLINK_METHOD_MORE) && m->managed_oom_varlink_request)
--                return varlink_error(m->managed_oom_varlink_request, VARLINK_ERROR_SUBSCRIPTION_TAKEN, NULL);
-+                return varlink_error(link, VARLINK_ERROR_SUBSCRIPTION_TAKEN, NULL);
- 
-         r = json_build(&arr, JSON_BUILD_EMPTY_ARRAY);
-         if (r < 0)
-@@ -188,6 +188,7 @@ static int vl_method_subscribe_managed_oom_cgroups(
-         if (!FLAGS_SET(flags, VARLINK_METHOD_MORE))
-                 return varlink_reply(link, v);
- 
-+        assert(!m->managed_oom_varlink_request);
-         m->managed_oom_varlink_request = varlink_ref(link);
-         return varlink_notify(m->managed_oom_varlink_request, v);
- }
-@@ -475,8 +476,7 @@ void manager_varlink_done(Manager *m) {
-         assert(m);
- 
-         /* Send the final message if we still have a subscribe request open. */
--        if (m->managed_oom_varlink_request)
--                m->managed_oom_varlink_request = varlink_close_unref(m->managed_oom_varlink_request);
-+        m->managed_oom_varlink_request = varlink_close_unref(m->managed_oom_varlink_request);
- 
-         m->varlink_server = varlink_server_unref(m->varlink_server);
- }
-
-From 39ad3f1c092b5dffcbb4b1d12eb9ca407f010a3c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Sun, 7 Mar 2021 16:42:35 +0100
-Subject: [PATCH 2/3] varlink: avoid using dangling ref in
- varlink_close_unref()
-
-Fixes #18025, https://bugzilla.redhat.com/show_bug.cgi?id=1931034.
-
-We drop the reference stored in Manager.managed_oom_varlink_request in two code paths:
-vl_disconnect() which is installed as a disconnect callback, and in manager_varlink_done().
-But we also make a disconnect from manager_varlink_done(). So we end up with the following
-call stack:
-
-(gdb) bt
- 0  vl_disconnect (s=0x112c7b0, link=0xea0070, userdata=0xe9bcc0) at ../src/core/core-varlink.c:414
- 1  0x00007f1366e9d5ac in varlink_detach_server (v=0xea0070) at ../src/shared/varlink.c:1210
- 2  0x00007f1366e9d664 in varlink_close (v=0xea0070) at ../src/shared/varlink.c:1228
- 3  0x00007f1366e9d6b5 in varlink_close_unref (v=0xea0070) at ../src/shared/varlink.c:1240
- 4  0x0000000000524629 in manager_varlink_done (m=0xe9bcc0) at ../src/core/core-varlink.c:479
- 5  0x000000000048ef7b in manager_free (m=0xe9bcc0) at ../src/core/manager.c:1357
- 6  0x000000000042602c in main (argc=5, argv=0x7fff439c43d8) at ../src/core/main.c:2909
-
-When we enter vl_disconnect(), m->managed_oom_varlink_request.n_ref==1.
-When we exit from vl_discconect(), m->managed_oom_varlink_request==NULL. But
-varlink_close_unref() has a copy of the pointer in *v. When we continue executing
-varlink_close_unref(), this pointer is dangling, and the call to varlink_unref()
-is done with an invalid pointer.
----
- src/shared/varlink.c | 33 +++++++++++++++++++++++++--------
- 1 file changed, 25 insertions(+), 8 deletions(-)
-
-diff --git a/src/shared/varlink.c b/src/shared/varlink.c
-index 31128e02e06..6ed72075ba5 100644
---- a/src/shared/varlink.c
-+++ b/src/shared/varlink.c
-@@ -1206,8 +1206,9 @@ int varlink_close(Varlink *v) {
- 
-         varlink_set_state(v, VARLINK_DISCONNECTED);
- 
--        /* Let's take a reference first, since varlink_detach_server() might drop the final (dangling) ref
--         * which would destroy us before we can call varlink_clear() */
-+        /* Let's take a reference first, since varlink_detach_server() might drop the final ref from the
-+         * disconnect callback, which would invalidate the pointer we are holding before we can call
-+         * varlink_clear(). */
-         varlink_ref(v);
-         varlink_detach_server(v);
-         varlink_clear(v);
-@@ -1220,17 +1221,33 @@ Varlink* varlink_close_unref(Varlink *v) {
-         if (!v)
-                 return NULL;
- 
--        (void) varlink_close(v);
-+        /* A reference is given to us to be destroyed. But when calling varlink_close(), a callback might
-+         * also drop a reference. We allow this, and will hold a temporary reference to the object to make
-+         * sure that the object still exists when control returns to us. If there's just one reference
-+         * remaining after varlink_close(), even though there were at least two right before, we'll handle
-+         * that gracefully instead of crashing.
-+         *
-+         * In other words, this call drops the donated reference, but if the internal call to varlink_close()
-+         * dropped a reference to, we don't drop the reference afain. This allows the caller to say:
-+         *     global_object->varlink = varlink_close_unref(global_object->varlink);
-+         * even though there is some callback which has access to global_object and may drop the reference
-+         * stored in global_object->varlink. Without this step, the same code would have to be written as:
-+         *     Varlink *t = TAKE_PTR(global_object->varlink);
-+         *     varlink_close_unref(t);
-+         */
-+                                   /* n_ref >= 1 */
-+        varlink_ref(v);            /* n_ref >= 2 */
-+        varlink_close(v);          /* n_ref >= 1 */
-+        if (v->n_ref > 1)
-+                v->n_ref--;        /* n_ref >= 1 */
-         return varlink_unref(v);
- }
- 
- Varlink* varlink_flush_close_unref(Varlink *v) {
--        if (!v)
--                return NULL;
-+        if (v)
-+                varlink_flush(v);
- 
--        (void) varlink_flush(v);
--        (void) varlink_close(v);
--        return varlink_unref(v);
-+        return varlink_close_unref(v);
- }
- 
- static int varlink_enqueue_json(Varlink *v, JsonVariant *m) {
-
-From a19c1a4baaa1dadc80885e3ad41f19a6c6c450fd Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Mon, 8 Mar 2021 09:21:25 +0100
-Subject: [PATCH 3/3] oomd: "downgrade" level of message
-
-PID1 already logs about the service being started, so this line isn't necessary
-in normal use. Also, by the time it is emitted, the service has already
-signalled readiness, so let's not say "starting" but "started".
----
- src/oom/oomd.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/oom/oomd.c b/src/oom/oomd.c
-index 674d53fdcfe..6e2a5889d1e 100644
---- a/src/oom/oomd.c
-+++ b/src/oom/oomd.c
-@@ -170,7 +170,7 @@ static int run(int argc, char *argv[]) {
- 
-         notify_msg = notify_start(NOTIFY_READY, NOTIFY_STOPPING);
- 
--        log_info("systemd-oomd starting%s!", arg_dry_run ? " in dry run mode" : "");
-+        log_debug("systemd-oomd started%s.", arg_dry_run ? " in dry run mode" : "");
- 
-         r = sd_event_loop(m->event);
-         if (r < 0)

9cc6a94790eecfc808335b759355a4005d66f6e3.patch

@@ -1,102 +0,0 @@
-From 9cc6a94790eecfc808335b759355a4005d66f6e3 Mon Sep 17 00:00:00 2001
-From: "Jonathan G. Underwood" <jonathan.underwood@gmail.com>
-Date: Tue, 22 Dec 2020 20:04:52 +0000
-Subject: [PATCH] cryptsetup: add support for workqueue options
-
-This commit adds support for disabling the read and write
-workqueues with the new crypttab options no-read-workqueue
-and no-write-workqueue. These correspond to the cryptsetup
-options --perf-no_read_workqueue and --perf-no_write_workqueue
-respectively.
----
- man/crypttab.xml             | 19 +++++++++++++++++++
- src/cryptsetup/cryptsetup.c  | 12 ++++++++++++
- src/shared/cryptsetup-util.h |  8 ++++++++
- 3 files changed, 39 insertions(+)
-
-diff --git a/man/crypttab.xml b/man/crypttab.xml
-index 2062a5b8e70..72fe2e692da 100644
---- a/man/crypttab.xml
-+++ b/man/crypttab.xml
-@@ -342,6 +342,25 @@
-         </listitem>
-       </varlistentry>
- 
-+      <varlistentry>
-+        <term><option>no-read-workqueue</option></term>
-+
-+        <listitem><para>Bypass dm-crypt internal workqueue and process read requests synchronously. The
-+        default is to queue these requests and process them asynchronously.</para>
-+
-+        <para>This requires kernel 5.9 or newer.</para>
-+        </listitem>
-+      </varlistentry>
-+      <varlistentry>
-+        <term><option>no-write-workqueue</option></term>
-+
-+        <listitem><para>Bypass dm-crypt internal workqueue and process write requests synchronously. The
-+        default is to queue these requests and process them asynchronously.</para>
-+
-+        <para>This requires kernel 5.9 or newer.</para>
-+        </listitem>
-+      </varlistentry>
-+
-       <varlistentry>
-         <term><option>skip=</option></term>
- 
-diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
-index 7b21a7457a1..65cbd1aec83 100644
---- a/src/cryptsetup/cryptsetup.c
-+++ b/src/cryptsetup/cryptsetup.c
-@@ -60,6 +60,8 @@ static bool arg_verify = false;
- static bool arg_discards = false;
- static bool arg_same_cpu_crypt = false;
- static bool arg_submit_from_crypt_cpus = false;
-+static bool arg_no_read_workqueue = false;
-+static bool arg_no_write_workqueue = false;
- static bool arg_tcrypt_hidden = false;
- static bool arg_tcrypt_system = false;
- static bool arg_tcrypt_veracrypt = false;
-@@ -236,6 +238,10 @@ static int parse_one_option(const char *option) {
-                 arg_same_cpu_crypt = true;
-         else if (streq(option, "submit-from-crypt-cpus"))
-                 arg_submit_from_crypt_cpus = true;
-+        else if (streq(option, "no-read-workqueue"))
-+                arg_no_read_workqueue = true;
-+        else if (streq(option, "no-write-workqueue"))
-+                arg_no_write_workqueue = true;
-         else if (streq(option, "luks"))
-                 arg_type = ANY_LUKS;
- /* since cryptsetup 2.3.0 (Feb 2020) */
-@@ -1352,6 +1358,12 @@ static uint32_t determine_flags(void) {
-         if (arg_submit_from_crypt_cpus)
-                 flags |= CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS;
- 
-+        if (arg_no_read_workqueue)
-+                flags |= CRYPT_ACTIVATE_NO_READ_WORKQUEUE;
-+
-+        if (arg_no_write_workqueue)
-+                flags |= CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE;
-+
- #ifdef CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF
-         /* Try to decrease the risk of OOM event if memory hard key derivation function is in use */
-         /* https://gitlab.com/cryptsetup/cryptsetup/issues/446/ */
-diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h
-index fa2d2f65f3c..afac5cd46bd 100644
---- a/src/shared/cryptsetup-util.h
-+++ b/src/shared/cryptsetup-util.h
-@@ -7,6 +7,14 @@
- #if HAVE_LIBCRYPTSETUP
- #include <libcryptsetup.h>
- 
-+/* These next two are defined in libcryptsetup.h from cryptsetup version 2.3.4 forwards. */
-+#ifndef CRYPT_ACTIVATE_NO_READ_WORKQUEUE
-+#define CRYPT_ACTIVATE_NO_READ_WORKQUEUE (1 << 24)
-+#endif
-+#ifndef CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE
-+#define CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE (1 << 25)
-+#endif
-+
- extern int (*sym_crypt_activate_by_passphrase)(struct crypt_device *cd, const char *name, int keyslot, const char *passphrase, size_t passphrase_size, uint32_t flags);
- #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
- extern int (*sym_crypt_activate_by_signed_key)(struct crypt_device *cd, const char *name, const char *volume_key, size_t volume_key_size, const char *signature, size_t signature_size, uint32_t flags);

owner-check.sh

@@ -1,7 +1,11 @@
 #!/bin/bash
 set -e
 
-[ -z "$server" -o -z "login" ] && { echo '$server and $login need to be set'; exit 1 }
+verb="$1"
+
+[ "$verb" = "-s" ] && do_send=1 || do_send=
+
+[ -n "$do_send" ] && [ -z "$server" -o -z "login" ] && { echo '$server and $login need to be set'; exit 1; }
 
 header=
 from=systemd-maint@fedoraproject.org
@@ -11,26 +15,39 @@ port=587
 
 for user in "$@"; do
     echo "checking $user…"
-    t=$(git shortlog --all --author $user --since "@{$time}" | wc -l)
+
+    p=$(git log -1 --all --author "$user")
+    if [ -z "$p" ]; then
+	echo "No commits from $user, check spelling"
+	exit 1
+    fi
+
+    t=$(git shortlog --all --author "$user" --since "@{$time}" | wc -l)
     if [ $t != 0 ]; then
 	echo "$t commits in the last two years, OK"
+	echo
 	continue
     fi
 
+    echo "$p" | head -n6
+    echo ".. adding to list"
+
     if [ -z "$header" ]; then
 	echo '$USER$;$EMAIL$' >.mail.list
 	header=done
     fi
 
     echo "$user;$user@fedoraproject.org" >>.mail.list
+    echo
 done
 
 [ -z "$header" ] && exit 0
+[ -n "$do_send" ] || exit 0
 
 echo "Sending mails…"
 set -x
-massmail -F $from \
-	 -C $from \
+massmail -F "$from" \
+	 -C "$from" \
 	 -S 'write access to the fedora systemd package' \
-	 -z $server -u $login -P $port \
+	 -z "$server" -u "$login" -P "$port" \
 	 .mail.list <owner-check.template

sources

@@ -1 +1 @@
-SHA512 (systemd-248-rc2.tar.gz) = e637bdf781dc87c83f0e45f65a1060189279e2cdabd2c53e3ff8155d321ca9cafb8be1010e0899c0ed6cf42dc1834b756d98bca0b7443e02c83bfacdee4ce256
+SHA512 (systemd-248.10.tar.gz) = b3cd0183a28d1b0b25f0e601dbe0a62933bbc67cd24df56a03503561cb3b7517d93c5bb3597161971f23c9daa7eb04deee8c0ed97c61d0cffa2aaafb891034ad

split-files.py

@@ -84,6 +84,7 @@ for file in files(buildroot):
         o = o_networkd
     elif '.so.' in n:
         o = o_libs
+
     elif re.search(r'''udev(?!\.pc)|
                        hwdb|
                        bootctl|
@@ -97,6 +98,7 @@ for file in files(buildroot):
                        random-seed|
                        modules-load|
                        timesync|
+                       crypttab|
                        cryptsetup|
                        kmod|
                        quota|
@@ -109,17 +111,27 @@ for file in files(buildroot):
                        repart|
                        gpt-auto|
                        volatile-root|
-                       verity-setup|
+                       veritysetup|
+                       integritysetup|
+                       integritytab|
                        remount-fs|
                        /boot$|
                        /boot/efi|
                        /kernel/|
                        /kernel$|
-                       /modprobe.d
-    ''', n, re.X):
+                       /modprobe.d|
+                       binfmt|
+                       sysctl|
+                       coredump|
+                       homed|home1|
+                       portabled|portable1
+    ''', n, re.X):     # coredumpctl, homectl, portablectl are included in the main package because
+                       # they can be used to interact with remote daemons. Also, the user could be
+                       # confused if those user-facing binaries are not available.
         o = o_udev
     elif re.search(r'10-oomd-.*defaults.conf|lib/systemd/oomd.conf.d', n, re.X):
         o = o_oomd_defaults
+
     elif n.endswith('.standalone'):
         if 'tmpfiles' in n:
             o = o_standalone_tmpfiles
@@ -127,6 +139,7 @@ for file in files(buildroot):
             o = o_standalone_sysusers
         else:
             assert False, 'Found .standalone not belonging to known packages'
+
     else:
         o = o_rest
 
@@ -136,6 +149,8 @@ for file in files(buildroot):
             prefix += ' '
     elif file.is_dir() and not file.is_symlink():
         prefix = '%dir '
+    elif 'README' in n:
+        prefix = '%doc '
     elif n.startswith('/etc'):
         prefix = '%config(noreplace) '
     else:

systemd.spec

@@ -1,7 +1,7 @@
 #global commit c4b843473a75fb38ed5bf54e9d3cfb1cb3719efa
 %{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})}
 
-#global stable 1
+%global stable 1
 
 # We ship a .pc file but don't want to have a dep on pkg-config. We
 # strip the automatically generated dep here and instead co-own the
@@ -12,6 +12,11 @@
 %global system_unit_dir %{pkgdir}/system
 %global user_unit_dir %{pkgdir}/user
 
+%if 0%{?__isa_bits} == 64
+%global elf_bits (64bit)
+%global elf_suffix ()%{elf_bits}
+%endif
+
 # Bootstrap may be needed to break intercircular dependencies with
 # cryptsetup, e.g. when re-building cryptsetup on a json-c SONAME-bump.
 %bcond_with    bootstrap
@@ -20,8 +25,8 @@
 
 Name:           systemd
 Url:            https://www.freedesktop.org/wiki/Software/systemd
-Version:        248~rc2
-Release:        5%{?dist}
+Version:        248.10
+Release:        1%{?dist}
 # For a breakdown of the licensing, see README
 License:        LGPLv2+ and MIT and GPLv2+
 Summary:        System and Service Manager
@@ -71,12 +76,11 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 %endif
 
 # Backports of patches from upstream (0000–0499)
+#
+# Any patches which are "in preparation" upstream should be listed
+# here, rather than in the next section. Packit CI will drop any
+# patches in this range before applying upstream pull requests.
 
-# https://bugzilla.redhat.com/show_bug.cgi?id=1933433
-Patch0000:      https://github.com/systemd/systemd/pull/18892.patch
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=1931034
-Patch0001:      https://github.com/systemd/systemd/pull/18915.patch
 
 # Downstream-only patches (5000–9999)
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
@@ -103,8 +107,9 @@ BuildRequires:  audit-libs-devel
 BuildRequires:  cryptsetup-devel
 %endif
 BuildRequires:  dbus-devel
+BuildRequires:  /usr/sbin/sfdisk
 # /usr/bin/getfacl is needed by test-acl-util
-BuildRequires:  acl
+BuildRequires:  /usr/bin/getfacl
 BuildRequires:  libacl-devel
 BuildRequires:  gobject-introspection-devel
 BuildRequires:  libblkid-devel
@@ -127,6 +132,9 @@ BuildRequires:  libmicrohttpd-devel
 BuildRequires:  libxkbcommon-devel
 BuildRequires:  iptables-devel
 BuildRequires:  pkgconfig(libfido2)
+BuildRequires:  pkgconfig(tss2-esys)
+BuildRequires:  pkgconfig(tss2-rc)
+BuildRequires:  pkgconfig(tss2-mu)
 BuildRequires:  libxslt
 BuildRequires:  docbook-style-xsl
 BuildRequires:  pkgconfig
@@ -176,6 +184,8 @@ Provides:       system-setup-keyboard = 0.9
 Obsoletes:      systemd-sysv < 206
 # self-obsoletes so that dnf will install new subpackages on upgrade (#1260394)
 Obsoletes:      %{name} < 246.6-2
+# https://bugzilla.redhat.com/show_bug.cgi?id=2051019
+Conflicts:      %{name}-udev < %{version}-%{release}
 Provides:       systemd-sysv = 206
 Conflicts:      initscripts < 9.56.1
 %if 0%{?fedora}
@@ -189,14 +199,20 @@ Conflicts:      %{name}-standalone-sysusers < %{version}-%{release}^
 Obsoletes:      %{name}-standalone-sysusers < %{version}-%{release}^
 
 # Recommends to replace normal Requires deps for stuff that is dlopen()ed
-Recommends:     libcryptsetup.so.12()(64bit)
-Recommends:     libcryptsetup.so.12(CRYPTSETUP_2.0)(64bit)
-Recommends:     libidn2.so.0()(64bit)
-Recommends:     libidn2.so.0(IDN2_0.0.0)(64bit)
-Recommends:     libpcre2-8.so.0()(64bit)
-Recommends:     libpwquality.so.1()(64bit)
-Recommends:     libpwquality.so.1(LIBPWQUALITY_1.0)(64bit)
-Recommends:     libqrencode.so.4()(64bit)
+Recommends:     libcryptsetup.so.12%{?elf_suffix}
+Recommends:     libcryptsetup.so.12(CRYPTSETUP_2.0)%{?elf_bits}
+Recommends:     libidn2.so.0%{?elf_suffix}
+Recommends:     libidn2.so.0(IDN2_0.0.0)%{?elf_bits}
+Recommends:     libpcre2-8.so.0%{?elf_suffix}
+Recommends:     libpwquality.so.1%{?elf_suffix}
+Recommends:     libpwquality.so.1(LIBPWQUALITY_1.0)%{?elf_bits}
+Recommends:     libqrencode.so.4%{?elf_suffix}
+Recommends:     libbpf.so.0%{?elf_suffix}
+Recommends:     libbpf.so.0(LIBBPF_0.4.0)%{?elf_bits}
+
+# used by dissect, integritysetup, veritysetyp, growfs, repart, cryptenroll, home
+Recommends:     libcryptsetup.so.12%{?elf_suffix}
+Recommends:     libcryptsetup.so.12(CRYPTSETUP_2.4)%{?elf_bits}
 
 %description
 systemd is a system and service manager that runs as PID 1 and starts
@@ -281,6 +297,19 @@ Obsoletes:      systemd < 245.6-1
 Provides:       udev = %{version}
 Provides:       udev%{_isa} = %{version}
 Obsoletes:      udev < 183
+# https://bugzilla.redhat.com/show_bug.cgi?id=2051019
+Conflicts:      %{name} < %{version}-%{release}
+
+# Recommends to replace normal Requires deps for stuff that is dlopen()ed
+# used by dissect, integritysetup, veritysetyp, growfs, repart, cryptenroll, home
+Recommends:     libcryptsetup.so.12%{?elf_suffix}
+Recommends:     libcryptsetup.so.12(CRYPTSETUP_2.4)%{?elf_bits}
+
+# used by home, cryptsetup, cryptenroll
+Recommends:     libfido2.so.1%{?elf_suffix}
+Recommends:     libtss2-esys.so.0%{?elf_suffix}
+Recommends:     libtss2-mu.so.0%{?elf_suffix}
+Recommends:     libtss2-rc.so.0%{?elf_suffix}
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1377733#c9
 Suggests:       systemd-bootchart
@@ -300,6 +329,9 @@ This package contains systemd-udev and the rules and hardware database
 needed to manage device nodes. This package is necessary on physical
 machines and in virtual machines, but not in containers.
 
+It also contains tools to manage encrypted home areas and secrets bound to the
+machine.
+
 %package container
 # Name is the same as in Debian
 Summary: Tools for containers and VMs
@@ -441,6 +473,7 @@ CONFIGURE_OPTS=(
         -Defi=true
         -Dgnu-efi=%{?have_gnu_efi:true}%{?!have_gnu_efi:false}
         -Dtpm=true
+        -Dtpm2=true
         -Dhwdb=true
         -Dsysusers=true
         -Dstandalone-binaries=true
@@ -608,11 +641,11 @@ python3 %{SOURCE2} %buildroot <<EOF
 %ghost %config(noreplace) /etc/X11/xorg.conf.d/00-keyboard.conf
 %ghost %attr(0664,root,utmp) /run/utmp
 %ghost %attr(0664,root,utmp) /var/log/wtmp
-%ghost %attr(0600,root,utmp) /var/log/btmp
+%ghost %attr(0660,root,utmp) /var/log/btmp
 %ghost %config(noreplace) /etc/hostname
 %ghost %config(noreplace) /etc/localtime
 %ghost %config(noreplace) /etc/locale.conf
-%ghost %config(noreplace) /etc/machine-id
+%ghost %attr(0444,root,root) %config(noreplace) /etc/machine-id
 %ghost %config(noreplace) /etc/machine-info
 %ghost %attr(0700,root,root) %dir /var/cache/private
 %ghost %attr(0700,root,root) %dir /var/lib/private
@@ -628,7 +661,7 @@ python3 %{SOURCE2} %buildroot <<EOF
 %ghost %dir /var/lib/systemd/linger
 %ghost /var/lib/systemd/random-seed
 %ghost %dir /var/lib/systemd/rfkill
-%ghost %dir /var/log/journal
+%ghost %dir %attr(2755, root, systemd-journal) %verify(not mode) /var/log/journal
 %ghost %dir /var/log/journal/remote
 %ghost %attr(0700,root,root) %dir /var/log/private
 EOF
@@ -647,9 +680,10 @@ getent group cdrom &>/dev/null || groupadd -r -g 11 cdrom &>/dev/null || :
 getent group utmp &>/dev/null || groupadd -r -g 22 utmp &>/dev/null || :
 getent group tape &>/dev/null || groupadd -r -g 33 tape &>/dev/null || :
 getent group dialout &>/dev/null || groupadd -r -g 18 dialout &>/dev/null || :
-getent group input &>/dev/null || groupadd -r input &>/dev/null || :
+getent group input &>/dev/null || groupadd -r -g 104 input &>/dev/null || :
 getent group kvm &>/dev/null || groupadd -r -g 36 kvm &>/dev/null || :
-getent group render &>/dev/null || groupadd -r render &>/dev/null || :
+getent group render &>/dev/null || groupadd -r -g 105 render &>/dev/null || :
+getent group sgx &>/dev/null || groupadd -r -g 106 sgx &>/dev/null || :
 getent group systemd-journal &>/dev/null || groupadd -r -g 190 systemd-journal 2>&1 || :
 
 getent group systemd-coredump &>/dev/null || groupadd -r systemd-coredump 2>&1 || :
@@ -795,10 +829,16 @@ function mod_nss() {
                 ' "$1" &>/dev/null || :
 
         # Add nss-resolve to hosts
-        grep -E -q '^hosts:.* resolve' "$1" ||
-        sed -i.bak -r -e '
-                s/^(hosts):(.*) files( mdns4_minimal .NOTFOUND=return.)? dns myhostname/\1:\2 files\3 resolve [!UNAVAIL=return] myhostname dns/
+        if grep -E -q '^hosts:.* resolve' "$1"; then
+            sed -i.bak -r -e '
+                s/^(hosts):(.*) files( .*) myhostname dns/\1:\2 files myhostname\3 dns/
                 ' "$1" &>/dev/null || :
+
+        else
+            sed -i.bak -r -e '
+                s/^(hosts):(.*) files( mdns4_minimal .NOTFOUND=return.)? dns myhostname/\1:\2 files myhostname\3 resolve [!UNAVAIL=return] dns/
+                ' "$1" &>/dev/null || :
+        fi
     fi
 }
 
@@ -898,7 +938,20 @@ getent group systemd-network &>/dev/null || groupadd -r -g 192 systemd-network 2
 getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-network -d / -s /sbin/nologin -c "systemd Network Management" systemd-network &>/dev/null || :
 
 %post networkd
-%systemd_post systemd-networkd.service systemd-networkd-wait-online.service
+# systemd-networkd was split out in systemd-246.6-2.
+# Ideally, we would have a trigger scriptlet to record enablement
+# state when upgrading from systemd <= systemd-246.6-1. But, AFAICS,
+# rpm doesn't allow us to trigger on another package, short of
+# querying the rpm database ourselves, which seems risky. For rpm,
+# systemd and systemd-networkd are completely unrelated.  So let's use
+# a hack to detect if an old systemd version is currently present in
+# the file system.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1943263
+if [ $1 -eq 1 ] && ls /usr/lib/systemd/libsystemd-shared-24[0-6].so &>/dev/null; then
+    echo "Skipping presets for systemd-networkd.service, seems we are upgrading from old systemd."
+else
+    %systemd_post systemd-networkd.service systemd-networkd-wait-online.service
+fi
 
 %preun networkd
 %systemd_preun systemd-networkd.service systemd-networkd-wait-online.service
@@ -924,6 +977,7 @@ getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-net
 %ghost %dir %attr(0755,-,-) /etc/systemd/system/sysinit.target.wants
 %ghost %dir %attr(0755,-,-) /etc/systemd/system/system-update.target.wants
 %ghost %dir %attr(0755,-,-) /etc/systemd/system/timers.target.wants
+%ghost %dir %attr(0700,-,-) /var/lib/portables
 %ghost %dir %attr(0755,-,-) /var/lib/rpm-state/systemd
 
 %files libs -f .file-list-libs
@@ -938,6 +992,7 @@ getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-net
 %files udev -f .file-list-udev
 
 %files container -f .file-list-container
+%ghost %dir %attr(0700,-,-) /var/lib/machines
 
 %files journal-remote -f .file-list-remote
 
@@ -952,6 +1007,129 @@ getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-net
 %files standalone-sysusers -f .file-list-standalone-sysusers
 
 %changelog
+* Thu Feb 10 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248.10-1
+- Add Conflicts for older systemd and systemd-udev versions to fix issue with
+  files being moved between subpackages (rhbz#2051019)
+
+* Thu Jan 13 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248.10-1
+- Latest upstream bugfix release: fixes for the manager, sd-boot,
+  systemd-networkd, systemd-resolved, systemd-journald, systemd-homed,
+  unusual protocols are disabled in systemd-importd, utmp entries, nss
+  modules, VirtualBox virtualization detection, various documentation
+  updates
+- Users logged in locally get access to media nodes (webcams and such).
+- Make systemd-xdg-autostart-service ignore missing condition check binary
+  (related to #2038750, but does not fix it)
+- Allow mprotect(2), arch_prctl(2) in @default seccomp filter
+- Fix sysusers without /proc (#2036217)
+- Ordering of various units during early boot and shutdown is adjusted to fix
+  some corner cases
+- Maximum numbers of files are bumped for /dev and /tmp
+- CVE-2021-3997, #2039383: systemd-tmpfiles would exhaust the stack and crash
+  during excessive recursion on a very deeply nested directory structure
+
+* Thu Jan 13 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248.9-1
+- Add missing requirements for libfido2 and libtss2 (#1975827)
+
+* Tue Oct 12 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248.9-1
+- Rebuild of 248.8 with one patch removed (causing #2013386) and one patch
+  added (for #1998488).
+
+* Tue Oct 12 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248.8-1
+- Latest bugfix release: fix for systemctl enable, documentation,
+  systemd-networkd, -coredump, -timesyncd, -udev, -nspawn, -oomd,
+  -repart, -resolved, systemd itself, seccomp filters, bootctl,
+  journalctl, TPM2, sd-event, sd-journal, nss-systemd, compatibility
+  with the latest kernels.
+
+* Fri Aug  6 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248.7-1
+- Latest bugfix release: improved compatibility with latest glibc,
+  various small documentation fixes, and fixes for systemd-networkd bridging,
+  other minor fixes.
+- systemctl set-property accepts glob patterns now (#1986258)
+
+* Thu Jul 22 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248.6-1
+- Create 'sgx' group (and also use soft-static uids for input and render,
+  see https://pagure.io/setup/c/df3194a7295c2ca3cfa923981b046f4bd2754825
+  and https://pagure.io/packaging-committee/issue/1078 (#1965815)
+- Various bugfixes (#1963428, #1975564)
+- Fix for a regression introduced in the previous release with
+  sd-event abort (#1984651)
+
+* Tue Jul 20 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248.5-1
+- Various minor documentation and correctness fixes.
+- CVE-2021-33910, #1984020: an unchecked stack allocation could be used to
+  crash systemd and cause the system to reboot by creating a very long
+  fuse mountpoint path.
+
+* Mon Jul 12 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248.4-1
+- Assorted fixes (some systemd-resolved crashes, invalid
+  systemd-tmpfiles assertion, etc.)
+- systemd-networkd workaround for TALOS-2020-1142, CVE-2020-13529.
+- A big update of hardware descriptions.
+
+* Sat May 15 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248.3-1
+- A fix for resolved crashes (#1946386, #1960227, #1950241)
+- Some minor fixes for documentation, systemd-networkd, systemd-run, bootctl.
+
+* Fri May  7 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248.2-1
+- Pull in some more patches from upstream (#1944646, #1885090, #1941340)
+- Adjust modes of some %%ghost files (#1956059)
+
+* Thu May  6 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248.1-1
+- Latest stable version: a long list of minor correctness fixes all around
+  (#1955475, #911766, #1958167, #1952919)
+- Enable tpm2-tss dependency (#1949505)
+
+* Tue Apr 06 2021 Adam Williamson <awilliam@redhat.com> - 248-2
+- Re-enable resolved caching, we hope all major bugs are resolved now
+
+* Wed Mar 31 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248-1
+- Latest upstream release, see
+  https://github.com/systemd/systemd/blob/v248/NEWS.
+- The changes since -rc4 are rather small, various fixes all over the place.
+  A fix to how systemd-oomd selects a candidate to kill, and more debug logging
+  to make this more transparent.
+
+* Tue Mar 30 2021 Anita Zhang <the.anitazha@gmail.com> - 248~rc4-6
+- Increase oomd user memory pressure limit to 50% (#1941170)
+
+* Fri Mar 26 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248~rc4-5
+- Do not preset systemd-networkd.service and systemd-networkd-wait-online.service
+  on upgrades from before systemd-networkd was split out (#1943263)
+- In nsswitch.conf, move nss-myhostname to the front, before nss-mdns4 (#1943199)
+
+* Wed Mar 24 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248~rc4-4
+- Revert patch that seems to cause problems with dns resolution
+  (see comments on https://bodhi.fedoraproject.org/updates/FEDORA-2021-1c1a870ceb)
+
+* Mon Mar 22 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248~rc4-3
+- Fix hang when processing timers during DST switch in Europe/Dublin timezone (#1941335)
+- Fix returning combined IPv4/IPv6 responses from systemd-resolved cache (#1940715)
+  (But note that the disablement of caching added previously is
+  retained until we can do more testing.)
+- Minor fix to interface naming by udev
+- Fix for systemd-repart --size
+
+* Fri Mar 19 2021 Adam Williamson <awilliam@redhat.com> - 248~rc4-2
+- Disable resolved cache via config snippet (#1940715)
+
+* Thu Mar 18 2021 Yu Watanabe <yuwatana@redhat.com> - 248~rc4-1
+- Latest upstream prelease, see
+  https://github.com/systemd/systemd/blob/v248-rc4/NEWS.
+- A bunch of documentation updates, correctness fixes, and systemd-networkd
+  features.
+- Resolves #1933137, #1935084, #1933873, #1931181, #1933335, #1935062, #1927148.
+
+* Tue Mar 16 2021 Adam Williamson <awilliam@redhat.com> - 248~rc2-8
+- Drop the resolved cache disablement config snippet
+
+* Tue Mar 16 2021 Adam Williamson <awilliam@redhat.com> - 248~rc2-7
+- Backport PR #19009 to fix CNAME redirect resolving some more (#1933433)
+
+* Fri Mar 12 2021 Adam Williamson <awilliam@redhat.com> - 248~rc2-6
+- Disable resolved cache via config snippet (#1933433)
+
 * Thu Mar 11 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 248~rc2-5
 - Fix crash in pid1 during daemon-reexec (#1931034)
 

sysusers.prov

@@ -1,5 +1,40 @@
 #!/bin/bash
 
+process_u() {
+    if [ ! -z "${2##*[!0-9]*}" ]; then
+        # Single shared static ID.
+        echo "user($1) = $2"
+        echo "group($1) = $2"
+    elif [[ $2 == *:* ]]; then
+        # UID:<group>.
+        uid=$(echo $2 | cut -d':' -f1 -)
+        group=$(echo $2 | cut -d':' -f2 -)
+        if [ ! -z "${group##*[!0-9]*}" ]; then
+            # UID:GID.
+            echo "user($1) = ${uid}"
+            echo "group($1) = ${group}"
+        else
+            # UID:<groupname>.
+            echo "user($1) = ${uid}"
+            echo "group(${group})"
+        fi
+    else
+        # Dynamic (or something else uninteresting).
+        echo "user($1)"
+        echo "group($1)"
+    fi
+}
+
+process_g() {
+    if [ ! -z "${2##*[!0-9]*}" ]; then
+        # Static GID.
+        echo "group($1) = $2"
+    else
+        # Dynamic (or something else uninteresting).
+        echo "group($1)"
+    fi
+}
+
 parse() {
     while read line; do
         [ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue
@@ -8,12 +43,10 @@ parse() {
         set -- $line
         case "$1" in
             ('u')
-                echo "user($2)"
-                echo "group($2)"
-                # TODO: user:group support
+                process_u "$2" "$3"
                 ;;
             ('g')
-                echo "group($2)"
+                process_g "$2" "$3"
                 ;;
             ('m')
                 echo "user($2)"