Version 247.1

-container subpackage is for container *management*. Those files are
used *in* the container.

.gitignore

@@ -1,3 +1,4 @@
+*~
 /systemd-*/
 /.build-*.log
 /x86_64/

0001-escape-Fix-help-description-6352.patch

@@ -1,23 +0,0 @@
-From b2954c2fbed0409adba2687b17fb956f002b2bbe Mon Sep 17 00:00:00 2001
-From: Jeremy Bicha <jbicha@ubuntu.com>
-Date: Thu, 13 Jul 2017 10:44:33 -0400
-Subject: [PATCH] escape: Fix help description (#6352)
-
-Resolves: #6351(cherry picked from commit 303608c1bcf9568371625fbbd9442946cadba422)
----
- src/escape/escape.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/escape/escape.c b/src/escape/escape.c
-index af98c98e40..89e885d47c 100644
---- a/src/escape/escape.c
-+++ b/src/escape/escape.c
-@@ -38,7 +38,7 @@ static bool arg_path = false;
- 
- static void help(void) {
-         printf("%s [OPTIONS...] [NAME...]\n\n"
--               "Show system and user paths.\n\n"
-+               "Escape strings for usage in system unit names.\n\n"
-                "  -h --help               Show this help\n"
-                "     --version            Show package version\n"
-                "     --suffix=SUFFIX      Unit suffix to append to escaped strings\n"

0001-test-path-util-do-not-fail-if-the-fd_is_mount_point-.patch

@@ -0,0 +1,70 @@
+From 2e9d763e7cbeb33954bbe3f96fd94de2cd62edf7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Thu, 12 Nov 2020 14:28:24 +0100
+Subject: [PATCH] test-path-util: do not fail if the fd_is_mount_point check
+ fails
+
+This test fails on i686 and ppc64le in koji:
+/* test_path */
+Assertion 'fd_is_mount_point(fd, "/", 0) > 0' failed at src/test/test-path-util.c:85, function test_path(). Aborting.
+
+I guess some permission error is the most likely.
+---
+ src/test/test-path-util.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/src/test/test-path-util.c b/src/test/test-path-util.c
+index f4f8d0550b..be428334f3 100644
+--- a/src/test/test-path-util.c
++++ b/src/test/test-path-util.c
+@@ -40,8 +40,6 @@ static void test_path_simplify(const char *in, const char *out, const char *out_
+ }
+ 
+ static void test_path(void) {
+-        _cleanup_close_ int fd = -1;
+-
+         log_info("/* %s */", __func__);
+ 
+         test_path_compare("/goo", "/goo", 0);
+@@ -80,10 +78,6 @@ static void test_path(void) {
+         assert_se(streq(basename("/aa///file..."), "file..."));
+         assert_se(streq(basename("file.../"), ""));
+ 
+-        fd = open("/", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY);
+-        assert_se(fd >= 0);
+-        assert_se(fd_is_mount_point(fd, "/", 0) > 0);
+-
+         test_path_simplify("aaa/bbb////ccc", "aaa/bbb/ccc", "aaa/bbb/ccc");
+         test_path_simplify("//aaa/.////ccc", "/aaa/./ccc", "/aaa/ccc");
+         test_path_simplify("///", "/", "/");
+@@ -120,6 +114,22 @@ static void test_path(void) {
+         assert_se(!path_equal_ptr(NULL, "/a"));
+ }
+ 
++static void test_path_is_mountpoint(void) {
++        _cleanup_close_ int fd = -1;
++        int r;
++
++        log_info("/* %s */", __func__);
++
++        fd = open("/", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY);
++        assert_se(fd >= 0);
++
++        r = fd_is_mount_point(fd, "/", 0);
++        if (r < 0)
++                log_warning_errno(r, "Failed to check if / is a mount point, ignoring: %m");
++        else
++                assert_se(r == 1);
++}
++
+ static void test_path_equal_root(void) {
+         /* Nail down the details of how path_equal("/", ...) works. */
+ 
+@@ -714,6 +724,7 @@ int main(int argc, char **argv) {
+ 
+         test_print_paths();
+         test_path();
++        test_path_is_mountpoint();
+         test_path_equal_root();
+         test_find_executable_full();
+         test_find_executable(argv[0]);

0001-test-path-util-ignore-test-failure.patch

@@ -0,0 +1,33 @@
+From e8bca4ba55f855260eda684a16e8feb5f20b1deb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Thu, 12 Nov 2020 15:06:12 +0100
+Subject: [PATCH] test-path-util: ignore test failure
+
+---
+ src/test/test-path-util.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/test/test-path-util.c b/src/test/test-path-util.c
+index be428334f3..207c659b8b 100644
+--- a/src/test/test-path-util.c
++++ b/src/test/test-path-util.c
+@@ -120,14 +120,17 @@ static void test_path_is_mountpoint(void) {
+ 
+         log_info("/* %s */", __func__);
+ 
++        (void) system("uname -a");
++        (void) system("mountpoint /");
++
+         fd = open("/", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY);
+         assert_se(fd >= 0);
+ 
+         r = fd_is_mount_point(fd, "/", 0);
+         if (r < 0)
+                 log_warning_errno(r, "Failed to check if / is a mount point, ignoring: %m");
+-        else
+-                assert_se(r == 1);
++        else if (r == 0)
++                log_warning("/ is not a mountpoint?");
+ }
+ 
+ static void test_path_equal_root(void) {

0002-build-sys-install-udev-rule-70-joystick.-rules-hwdb-.patch

@@ -1,51 +0,0 @@
-From 33145774d9d41ac306f972e0247c9a073d5dbfc9 Mon Sep 17 00:00:00 2001
-From: Christian Hesse <mail@eworm.de>
-Date: Fri, 14 Jul 2017 18:28:28 +0200
-Subject: [PATCH] build-sys: install udev rule 70-joystick.{rules,hwdb} (#6363)
-
-* meson: install udev files 70-joystick.{rules,hwdb}
-* Makefile: install udev file 70-joystick.hwdb
-
-(cherry picked from commit 816be2ba448940e2517dba81492e80b1e6a5954f)
----
- Makefile.am       | 1 +
- hwdb/meson.build  | 1 +
- rules/meson.build | 1 +
- 3 files changed, 3 insertions(+)
-
-diff --git a/Makefile.am b/Makefile.am
-index c16e62280b..b95c93bb98 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -4062,6 +4062,7 @@ dist_udevhwdb_DATA = \
- 	hwdb/60-evdev.hwdb \
- 	hwdb/60-keyboard.hwdb \
- 	hwdb/60-sensor.hwdb \
-+	hwdb/70-joystick.hwdb \
- 	hwdb/70-mouse.hwdb \
- 	hwdb/70-pointingstick.hwdb \
- 	hwdb/70-touchpad.hwdb
-diff --git a/hwdb/meson.build b/hwdb/meson.build
-index 74a93f9ccb..6fceff2b3b 100644
---- a/hwdb/meson.build
-+++ b/hwdb/meson.build
-@@ -12,6 +12,7 @@ hwdb_files = files('''
-         60-evdev.hwdb
-         60-keyboard.hwdb
-         60-sensor.hwdb
-+        70-joystick.hwdb
-         70-mouse.hwdb
-         70-pointingstick.hwdb
-         70-touchpad.hwdb
-diff --git a/rules/meson.build b/rules/meson.build
-index 0f818a506f..7f4725ad65 100644
---- a/rules/meson.build
-+++ b/rules/meson.build
-@@ -12,6 +12,7 @@ rules = files('''
-         60-sensor.rules
-         60-serial.rules
-         64-btrfs.rules
-+        70-joystick.rules
-         70-mouse.rules
-         70-touchpad.rules
-         75-net-description.rules

0003-add-version-argument-to-help-function-6377.patch

@@ -1,22 +0,0 @@
-From a1b21ca91835ec0322ccd0eedf9951ba0e52db80 Mon Sep 17 00:00:00 2001
-From: IPv4v6 <mail.ipv4v6@gmail.com>
-Date: Sat, 15 Jul 2017 13:53:21 +0200
-Subject: [PATCH] add version argument to help function (#6377)
-
-Signed-off-by: Stefan Pietsch <mail.ipv4v6+gh@gmail.com>(cherry picked from commit cb4069d95e447e8a01fc3feee6d6cb99669c4c38)
----
- src/core/main.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/core/main.c b/src/core/main.c
-index 88e2c92504..babcab4978 100644
---- a/src/core/main.c
-+++ b/src/core/main.c
-@@ -1091,6 +1091,7 @@ static int help(void) {
-         printf("%s [OPTIONS...]\n\n"
-                "Starts up and maintains the system or user services.\n\n"
-                "  -h --help                      Show this help\n"
-+               "     --version                   Show version\n"
-                "     --test                      Determine startup sequence, dump it and exit\n"
-                "     --no-pager                  Do not pipe output into a pager\n"
-                "     --dump-configuration-items  Dump understood unit configuration items\n"

0004-seccomp-arm64-x32-do-not-have-_sysctl.patch

@@ -1,79 +0,0 @@
-From 5d56b6fb41fb29cd636e64f079f9a1e1982820be Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Sat, 15 Jul 2017 19:28:02 +0000
-Subject: [PATCH] seccomp: arm64/x32 do not have _sysctl
-
-So don't even try to added the filter to reduce noise.
-The test is updated to skip calling _sysctl because the kernel prints
-an oops-like message that is confusing and unhelpful:
-
-Jul 15 21:07:01 rpi3 kernel: test-seccomp[8448]: syscall -10080
-Jul 15 21:07:01 rpi3 kernel: Code: aa0503e4 aa0603e5 aa0703e6 d4000001 (b13ffc1f)
-Jul 15 21:07:01 rpi3 kernel: CPU: 3 PID: 8448 Comm: test-seccomp Tainted: G        W       4.11.8-300.fc26.aarch64 #1
-Jul 15 21:07:01 rpi3 kernel: Hardware name: raspberrypi rpi/rpi, BIOS 2017.05 06/24/2017
-Jul 15 21:07:01 rpi3 kernel: task: ffff80002bb0bb00 task.stack: ffff800036354000
-Jul 15 21:07:01 rpi3 kernel: PC is at 0xffff8669c7c4
-Jul 15 21:07:01 rpi3 kernel: LR is at 0xaaaac64b6750
-Jul 15 21:07:01 rpi3 kernel: pc : [<0000ffff8669c7c4>] lr : [<0000aaaac64b6750>] pstate: 60000000
-Jul 15 21:07:01 rpi3 kernel: sp : 0000ffffdc640fd0
-Jul 15 21:07:01 rpi3 kernel: x29: 0000ffffdc640fd0 x28: 0000000000000000
-Jul 15 21:07:01 rpi3 kernel: x27: 0000000000000000 x26: 0000000000000000
-Jul 15 21:07:01 rpi3 kernel: x25: 0000000000000000 x24: 0000000000000000
-Jul 15 21:07:01 rpi3 kernel: x23: 0000000000000000 x22: 0000000000000000
-Jul 15 21:07:01 rpi3 kernel: x21: 0000aaaac64b4940 x20: 0000000000000000
-Jul 15 21:07:01 rpi3 kernel: x19: 0000aaaac64b88f8 x18: 0000000000000020
-Jul 15 21:07:01 rpi3 kernel: x17: 0000ffff8669c7a0 x16: 0000aaaac64d2ee0
-Jul 15 21:07:01 rpi3 kernel: x15: 0000000000000000 x14: 0000000000000000
-Jul 15 21:07:01 rpi3 kernel: x13: 203a657275746365 x12: 0000000000000000
-Jul 15 21:07:01 rpi3 kernel: x11: 0000ffffdc640418 x10: 0000000000000000
-Jul 15 21:07:01 rpi3 kernel: x9 : 0000000000000005 x8 : 00000000ffffd8a0
-Jul 15 21:07:01 rpi3 kernel: x7 : 7f7f7f7f7f7f7f7f x6 : 7f7f7f7f7f7f7f7f
-Jul 15 21:07:01 rpi3 kernel: x5 : 65736d68716f7277 x4 : 0000000000000000
-Jul 15 21:07:01 rpi3 kernel: x3 : 0000000000000008 x2 : 0000000000000000
-Jul 15 21:07:01 rpi3 kernel: x1 : 0000000000000000 x0 : 0000000000000000
-Jul 15 21:07:01 rpi3 kernel:
-
-(cherry picked from commit 1e20e640132c700c23494bb9e2619afb83878380)
-(cherry picked from commit 2e64e8f46d726689a44d4084226fe3e0ea255c29)
----
- src/shared/seccomp-util.c | 4 ++++
- src/test/test-seccomp.c   | 4 ++++
- 2 files changed, 8 insertions(+)
-
-diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
-index 36843d4bf5..1a8bfbe416 100644
---- a/src/shared/seccomp-util.c
-+++ b/src/shared/seccomp-util.c
-@@ -899,6 +899,10 @@ int seccomp_protect_sysctl(void) {
- 
-                 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
- 
-+                if (IN_SET(arch, SCMP_ARCH_X32, SCMP_ARCH_AARCH64))
-+                        /* No _sysctl syscall */
-+                        continue;
-+
-                 r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
-                 if (r < 0)
-                         return r;
-diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
-index efd145e063..50fe24c794 100644
---- a/src/test/test-seccomp.c
-+++ b/src/test/test-seccomp.c
-@@ -244,13 +244,17 @@ static void test_protect_sysctl(void) {
-         assert_se(pid >= 0);
- 
-         if (pid == 0) {
-+#if __NR__sysctl > 0
-                 assert_se(syscall(__NR__sysctl, NULL) < 0);
-                 assert_se(errno == EFAULT);
-+#endif
- 
-                 assert_se(seccomp_protect_sysctl() >= 0);
- 
-+#if __NR__sysctl > 0
-                 assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
-                 assert_se(errno == EPERM);
-+#endif
- 
-                 _exit(EXIT_SUCCESS);
-         }

0005-seccomp-arm64-does-not-have-mmap2.patch

@@ -1,40 +0,0 @@
-From e04118bd11f8268e7ee7b893f861f18f03bc6970 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Sat, 15 Jul 2017 19:30:01 +0000
-Subject: [PATCH] seccomp: arm64 does not have mmap2
-
-I messed up when adding the definitions in 4278d1f5310f5acb4c6a6788233625234edb5145.
-Unfortunately I didn't have the hardware at hand and went by
-looking at the kernel headers.
-
-(cherry picked from commit 53196fafcb7b24b45ed4f48ab894d00a24a6d871)
-(cherry picked from commit 79873bc850177050baa0c5165b119adafeebb891)
----
- src/shared/seccomp-util.c | 7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
-
-diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
-index 1a8bfbe416..637ee8526e 100644
---- a/src/shared/seccomp-util.c
-+++ b/src/shared/seccomp-util.c
-@@ -1223,10 +1223,6 @@ int seccomp_memory_deny_write_execute(void) {
- 
-                         break;
- 
--                case SCMP_ARCH_AARCH64:
--                        block_syscall = SCMP_SYS(mmap);
--                        /* fall through */
--
-                 case SCMP_ARCH_ARM:
-                         filter_syscall = SCMP_SYS(mmap2); /* arm has only mmap2 */
-                         shmat_syscall = SCMP_SYS(shmat);
-@@ -1234,7 +1230,8 @@ int seccomp_memory_deny_write_execute(void) {
- 
-                 case SCMP_ARCH_X86_64:
-                 case SCMP_ARCH_X32:
--                        filter_syscall = SCMP_SYS(mmap); /* amd64 and x32 have only mmap */
-+                case SCMP_ARCH_AARCH64:
-+                        filter_syscall = SCMP_SYS(mmap); /* amd64, x32, and arm64 have only mmap */
-                         shmat_syscall = SCMP_SYS(shmat);
-                         break;
- 

0006-test-seccomp-arm64-does-not-have-access-and-poll.patch

@@ -1,41 +0,0 @@
-From 5a3e65fa2537b31334ccb8b73a28208a3b535076 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Sat, 15 Jul 2017 19:30:48 +0000
-Subject: [PATCH] test-seccomp: arm64 does not have access() and poll()
-
-glibc uses faccessat and ppoll, so just add a filters for that.
-
-(cherry picked from commit abc0213839fef92e2e2b98a434914f22ece48490)
-(cherry picked from commit f60a865a496e1e6fde7436b4013dd8ff677f29a1)
----
- src/test/test-seccomp.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
-index 50fe24c794..28fe206507 100644
---- a/src/test/test-seccomp.c
-+++ b/src/test/test-seccomp.c
-@@ -529,7 +529,11 @@ static void test_load_syscall_filter_set_raw(void) {
-                 assert_se(poll(NULL, 0, 0) == 0);
- 
-                 assert_se(s = set_new(NULL));
-+#if SCMP_SYS(access) >= 0
-                 assert_se(set_put(s, UINT32_TO_PTR(__NR_access + 1)) >= 0);
-+#else
-+                assert_se(set_put(s, UINT32_TO_PTR(__NR_faccessat + 1)) >= 0);
-+#endif
- 
-                 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN)) >= 0);
- 
-@@ -541,7 +545,11 @@ static void test_load_syscall_filter_set_raw(void) {
-                 s = set_free(s);
- 
-                 assert_se(s = set_new(NULL));
-+#if SCMP_SYS(poll) >= 0
-                 assert_se(set_put(s, UINT32_TO_PTR(__NR_poll + 1)) >= 0);
-+#else
-+                assert_se(set_put(s, UINT32_TO_PTR(__NR_ppoll + 1)) >= 0);
-+#endif
- 
-                 assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUNATCH)) >= 0);
- 

0007-fstab-generator-ignore-x-systemd.device-timeout-for-.patch

@@ -1,31 +0,0 @@
-From 713917bd94272fc65d94016a208b72309ae1320a Mon Sep 17 00:00:00 2001
-From: NeilBrown <neil@brown.name>
-Date: Mon, 17 Jul 2017 18:03:34 +1000
-Subject: [PATCH] fstab-generator: ignore x-systemd.device-timeout for
- non-devices (#6368)
-
-If you specify "x-systemd.device-timeout" for an NFS mount
-point, you get no warning and a meaningless device unit
-dependency created.
-
-Better to have a warning and no dependency.
-(cherry picked from commit c67bd1f758f087496741ce0b3e227d82c6b4a304)
----
- src/shared/generator.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/shared/generator.c b/src/shared/generator.c
-index 6a78ebbda7..6a887e3aad 100644
---- a/src/shared/generator.c
-+++ b/src/shared/generator.c
-@@ -182,6 +182,10 @@ int generator_write_timeouts(
-         node = fstab_node_to_udev_node(what);
-         if (!node)
-                 return log_oom();
-+        if (!is_device_path(node)) {
-+                log_warning("x-systemd.device-timeout ignored for %s", what);
-+                return 0;
-+        }
- 
-         r = unit_name_from_path(node, ".device", &unit);
-         if (r < 0)

0008-core-modify-resource-leak-by-SmackProcessLabel.patch

@@ -1,22 +0,0 @@
-From 83030c7aea991d863591df2e09d41bb19d6e01d0 Mon Sep 17 00:00:00 2001
-From: WaLyong Cho <walyong.cho@samsung.com>
-Date: Thu, 13 Jul 2017 13:06:34 +0900
-Subject: [PATCH] core: modify resource leak by SmackProcessLabel=
-
-(cherry picked from commit 5b8e1b7755092e162bcf0bad8afe2e55dfbbd9e2)
----
- src/core/execute.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/core/execute.c b/src/core/execute.c
-index d72e5bf08c..4ed133fb6a 100644
---- a/src/core/execute.c
-+++ b/src/core/execute.c
-@@ -3099,6 +3099,7 @@ void exec_context_done(ExecContext *c) {
-         c->utmp_id = mfree(c->utmp_id);
-         c->selinux_context = mfree(c->selinux_context);
-         c->apparmor_profile = mfree(c->apparmor_profile);
-+        c->smack_process_label = mfree(c->smack_process_label);
- 
-         c->syscall_filter = set_free(c->syscall_filter);
-         c->syscall_archs = set_free(c->syscall_archs);

0009-core-dump-also-missed-security-context.patch

@@ -1,31 +0,0 @@
-From d8e3c9d25867f7081f060f1491186b6e3b30975b Mon Sep 17 00:00:00 2001
-From: WaLyong Cho <walyong.cho@samsung.com>
-Date: Thu, 13 Jul 2017 13:10:41 +0900
-Subject: [PATCH] core: dump also missed security context
-
-(cherry picked from commit 80c21aea118eeccfb2a0fcc5986b4432588dc857)
----
- src/core/execute.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/src/core/execute.c b/src/core/execute.c
-index 4ed133fb6a..62faa028a1 100644
---- a/src/core/execute.c
-+++ b/src/core/execute.c
-@@ -3614,6 +3614,16 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
-                         "%sSELinuxContext: %s%s\n",
-                         prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context);
- 
-+        if (c->apparmor_profile)
-+                fprintf(f,
-+                        "%sAppArmorProfile: %s%s\n",
-+                        prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
-+
-+        if (c->smack_process_label)
-+                fprintf(f,
-+                        "%sSmackProcessLabel: %s%s\n",
-+                        prefix, c->smack_process_label_ignore ? "-" : "", c->smack_process_label);
-+
-         if (c->personality != PERSONALITY_INVALID)
-                 fprintf(f,
-                         "%sPersonality: %s\n",

0010-journald-make-sure-we-retain-all-stream-fds-across-r.patch

@@ -1,32 +0,0 @@
-From 3dd07ebf08dd630b0f50dfff3ef6d05628b8708b Mon Sep 17 00:00:00 2001
-From: Michal Sekletar <msekletar@users.noreply.github.com>
-Date: Mon, 17 Jul 2017 10:04:37 +0200
-Subject: [PATCH] journald: make sure we retain all stream fds across restarts
- (#6348)
-
-Currently we set 4096 as maximum for number of stream connections that
-we accept. However maximum number of file descriptors that systemd is
-willing to accept from us is just 1024. This means we can't retain all
-stream connections that we accepted. Hence bump the limit of fds in a
-unit file so that systemd holds open all stream fds while we are
-restarted.
-
-New limit is set to 4224 (4096 + 128).
-(cherry picked from commit 3c978aca69e0e43d4dd453437ec9c498ea788795)
----
- units/systemd-journald.service.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
-index 66b7c6a48e..1e86d63648 100644
---- a/units/systemd-journald.service.in
-+++ b/units/systemd-journald.service.in
-@@ -21,7 +21,7 @@ Restart=always
- RestartSec=0
- StandardOutput=null
- WatchdogSec=3min
--FileDescriptorStoreMax=1024
-+FileDescriptorStoreMax=4224
- CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
- MemoryDenyWriteExecute=yes
- RestrictRealtime=yes

0011-Use-config_parse_sec_fix_0-also-for-JobRunningTimeou.patch

@@ -1,37 +0,0 @@
-From d52e2bb9c20216972754c054e8534bca28baab66 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Mon, 17 Jul 2017 15:45:44 -0400
-Subject: [PATCH] Use config_parse_sec_fix_0() also for JobRunningTimeoutSec
-
-2d79a0bbb9f651656384a0a86ed814e6306fb5dd did that for TimeoutSec=,
-89beff89edba592366b2960bd830d3f6e602c2c7 did that for JobTimeoutSec=,
-and 0004f698df1410ef8b6ab3fb5f4b41a60c91182c did that for
-x-systemd.device-timeout=. But after parsing x-systemd.device-timeout=xxx
-we write it out as JobRunningTimeoutSec=xxx. Two options:
-- write out JobRunningTimeoutSec=<a very big number>,
-- change JobRunningTimeoutSec= to behave like the other options.
-
-I think it would be confusing for JobRunningTimeoutSec= to have different
-syntax then TimeoutSec= and JobTimeoutSec=, so this patch implements the
-second option.
-
-Fixes #6264, https://bugzilla.redhat.com/show_bug.cgi?id=1462378.
-
-(cherry picked from commit 4a06cbf8387555c7c04a1ee6f0c5a6f858bf4b19)
----
- src/core/load-fragment-gperf.gperf.m4 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
-index 5b5a86250e..7fb39cf948 100644
---- a/src/core/load-fragment-gperf.gperf.m4
-+++ b/src/core/load-fragment-gperf.gperf.m4
-@@ -194,7 +194,7 @@ Unit.OnFailureIsolate,           config_parse_job_mode_isolate,      0,
- Unit.IgnoreOnIsolate,            config_parse_bool,                  0,                             offsetof(Unit, ignore_on_isolate)
- Unit.IgnoreOnSnapshot,           config_parse_warn_compat,           DISABLED_LEGACY,               0
- Unit.JobTimeoutSec,              config_parse_sec_fix_0,             0,                             offsetof(Unit, job_timeout)
--Unit.JobRunningTimeoutSec,       config_parse_sec,                   0,                             offsetof(Unit, job_running_timeout)
-+Unit.JobRunningTimeoutSec,       config_parse_sec_fix_0,             0,                             offsetof(Unit, job_running_timeout)
- Unit.JobTimeoutAction,           config_parse_emergency_action,      0,                             offsetof(Unit, job_timeout_action)
- Unit.JobTimeoutRebootArgument,   config_parse_unit_string_printf,    0,                             offsetof(Unit, job_timeout_reboot_arg)
- Unit.StartLimitIntervalSec,      config_parse_sec,                   0,                             offsetof(Unit, start_limit.interval)

0012-virt-enable-detecting-QEMU-TCG-via-CPUID-6399.patch

@@ -1,31 +0,0 @@
-From e48936b0be085f15a2e2ac88b2e50a91a66782ac Mon Sep 17 00:00:00 2001
-From: Daniel Berrange <berrange@redhat.com>
-Date: Wed, 19 Jul 2017 10:06:07 +0100
-Subject: [PATCH] virt: enable detecting QEMU (TCG) via CPUID (#6399)
-
-QEMU >= 2.10 will include a CPUID leaf with value "TCGTCGTCGTCG"
-on x86 when running with the TCG CPU emulator:
-
-  https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05231.html
-
-Existing methods of detecting QEMU are left unchanged for sake of
-backcompatibility.
-
-Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-(cherry picked from commit 5588612e9e8828691f13141e3fcebe08a59201fe)
----
- src/basic/virt.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/basic/virt.c b/src/basic/virt.c
-index 6011744523..5143ac6656 100644
---- a/src/basic/virt.c
-+++ b/src/basic/virt.c
-@@ -46,6 +46,7 @@ static int detect_vm_cpuid(void) {
-         } cpuid_vendor_table[] = {
-                 { "XenVMMXenVMM", VIRTUALIZATION_XEN       },
-                 { "KVMKVMKVM",    VIRTUALIZATION_KVM       },
-+                { "TCGTCGTCGTCG", VIRTUALIZATION_QEMU      },
-                 /* http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009458 */
-                 { "VMwareVMware", VIRTUALIZATION_VMWARE    },
-                 /* https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs */

0013-test-condition-don-t-assume-that-all-non-root-users-.patch

@@ -1,28 +0,0 @@
-From 8864ff594b43a34e5a593da42336f28e2f30b9f5 Mon Sep 17 00:00:00 2001
-From: Felipe Sateler <fsateler@users.noreply.github.com>
-Date: Wed, 19 Jul 2017 20:48:23 -0400
-Subject: [PATCH] test-condition: don't assume that all non-root users are
- normal users (#6409)
-
-Automated builders may run under a dedicated system user, and this test would fail that
-
-Fixes #6366
-
-(cherry picked from commit 708d423915c4ea48d408b5a3395c11055247b9bc)
----
- src/test/test-condition.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/test/test-condition.c b/src/test/test-condition.c
-index 121345cfd1..b15f1b98c0 100644
---- a/src/test/test-condition.c
-+++ b/src/test/test-condition.c
-@@ -390,7 +390,7 @@ static void test_condition_test_user(void) {
-         assert_se(condition);
-         r = condition_test(condition);
-         log_info("ConditionUser=@system → %i", r);
--        if (geteuid() == 0)
-+        if (getuid() < SYSTEM_UID_MAX || geteuid() < SYSTEM_UID_MAX)
-                 assert_se(r > 0);
-         else
-                 assert_se(r == 0);

0014-call-chase_symlinks-without-the-sysroot-prefix-6411.patch

@@ -1,31 +0,0 @@
-From eca55fbc51056b2a4fa3242917b6fc2f0c02e981 Mon Sep 17 00:00:00 2001
-From: Harald Hoyer <harald@hoyer.xyz>
-Date: Thu, 20 Jul 2017 19:13:09 +0200
-Subject: [PATCH] call chase_symlinks without the /sysroot prefix (#6411)
-
-In case fstab-generator is called in the initrd, chase_symlinks()
-returns with a canonical path "/sysroot/sysroot/<mountpoint>", if the
-"/sysroot" prefix is present in the path.
-
-This patch skips the "/sysroot" prefix for the chase_symlinks() call,
-because "/sysroot" is already the root directory and chase_symlinks()
-prepends the root directory in the canonical path returned.
-
-(cherry picked from commit 98eda38aed6a10c4f6d6ad0cac6e5361e87de52b)
----
- src/fstab-generator/fstab-generator.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c
-index 7f23b9fd74..f172e9c07b 100644
---- a/src/fstab-generator/fstab-generator.c
-+++ b/src/fstab-generator/fstab-generator.c
-@@ -537,7 +537,7 @@ static int parse_fstab(bool initrd) {
-                         continue;
-                 }
- 
--                where = initrd ? strappend("/sysroot/", me->mnt_dir) : strdup(me->mnt_dir);
-+                where = strdup(me->mnt_dir);
-                 if (!where)
-                         return log_oom();
- 

0015-nspawn-downgrade-warning-when-we-get-sd_notify-messa.patch

@@ -1,31 +0,0 @@
-From 0e50428d3699e3ad25861f458540d24038cfaa4e Mon Sep 17 00:00:00 2001
-From: Lennart Poettering <lennart@poettering.net>
-Date: Thu, 20 Jul 2017 20:46:58 +0200
-Subject: [PATCH] nspawn: downgrade warning when we get sd_notify() message
- from unexpected process (#6416)
-
-Given that we set NOTIFY_SOCKET unconditionally it's not surprising that
-processes way down the process tree think it's smart to send us a
-notification message.
-
-It's still useful to keep this message, for debugging things, but it
-shouldn't be generated by default.
-
-(cherry picked from commit 8cb574307963d1aeb1c53e1d1fbeee4a2be37259)
----
- src/nspawn/nspawn.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
-index 8a5fedd4b0..0cbd8c3491 100644
---- a/src/nspawn/nspawn.c
-+++ b/src/nspawn/nspawn.c
-@@ -2836,7 +2836,7 @@ static int nspawn_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t r
-         }
- 
-         if (!ucred || ucred->pid != inner_child_pid) {
--                log_warning("Received notify message without valid credentials. Ignoring.");
-+                log_debug("Received notify message without valid credentials. Ignoring.");
-                 return 0;
-         }
- 

0016-Revert-core-don-t-load-dropin-data-multiple-times-fo.patch

@@ -1,71 +0,0 @@
-From 29d9cfc097586ac79911a5f5035c45b1971a5b1f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Sat, 22 Jul 2017 08:39:49 -0400
-Subject: [PATCH] Revert "core: don't load dropin data multiple times for the
- same unit (#5139)"
-
-This reverts commit 2d058a87ffb2d31a50422a8aebd119bbb4427244.
-
-When we add another name to a unit (by following an alias), we need to
-reload all drop-ins. This is necessary to load any additional dropins
-found in the dirs created from the alias name.
-
-Fixes #6334.
-
-(cherry picked from commit 9e4ea9cc34fa032a47c253ddd94ac6c7afda663e)
----
- src/core/unit.c | 23 +++++++----------------
- 1 file changed, 7 insertions(+), 16 deletions(-)
-
-diff --git a/src/core/unit.c b/src/core/unit.c
-index b28eeb2262..9d913e8c64 100644
---- a/src/core/unit.c
-+++ b/src/core/unit.c
-@@ -1098,7 +1098,6 @@ void unit_dump(Unit *u, FILE *f, const char *prefix) {
- 
- /* Common implementation for multiple backends */
- int unit_load_fragment_and_dropin(Unit *u) {
--        Unit *t;
-         int r;
- 
-         assert(u);
-@@ -1111,18 +1110,15 @@ int unit_load_fragment_and_dropin(Unit *u) {
-         if (u->load_state == UNIT_STUB)
-                 return -ENOENT;
- 
--        /* If the unit is an alias and the final unit has already been
--         * loaded, there's no point in reloading the dropins one more time. */
--        t = unit_follow_merge(u);
--        if (t != u && t->load_state != UNIT_STUB)
--                return 0;
--
--        return unit_load_dropin(t);
-+        /* Load drop-in directory data. If u is an alias, we might be reloading the
-+         * target unit needlessly. But we cannot be sure which drops-ins have already
-+         * been loaded and which not, at least without doing complicated book-keeping,
-+         * so let's always reread all drop-ins. */
-+        return unit_load_dropin(unit_follow_merge(u));
- }
- 
- /* Common implementation for multiple backends */
- int unit_load_fragment_and_dropin_optional(Unit *u) {
--        Unit *t;
-         int r;
- 
-         assert(u);
-@@ -1138,13 +1134,8 @@ int unit_load_fragment_and_dropin_optional(Unit *u) {
-         if (u->load_state == UNIT_STUB)
-                 u->load_state = UNIT_LOADED;
- 
--        /* If the unit is an alias and the final unit has already been
--         * loaded, there's no point in reloading the dropins one more time. */
--        t = unit_follow_merge(u);
--        if (t != u && t->load_state != UNIT_STUB)
--                return 0;
--
--        return unit_load_dropin(t);
-+        /* Load drop-in directory data */
-+        return unit_load_dropin(unit_follow_merge(u));
- }
- 
- int unit_add_default_target_dependency(Unit *u, Unit *target) {

0017-bash-completion-use-the-first-argument-instead-of-th.patch

@@ -1,73 +0,0 @@
-From f6441eaf050267c05ef8df8d5614bb598528942f Mon Sep 17 00:00:00 2001
-From: Yu Watanabe <watanabe.yu+github@gmail.com>
-Date: Thu, 27 Jul 2017 20:22:54 +0900
-Subject: [PATCH] bash-completion: use the first argument instead of the global
- variable (#6457)
-
-Without this fix:
-
-$ systemctl start <tab>
-Display all 135 possibilities? (y or n)
-$ __get_startable_units --system | wc -l
-224
-
-the number of the suggestions are quite different, as __get_startable_units --system does
-not filter already started units. With this fix,
-
-$ systemctl start <tab>
-Display all 135 possibilities? (y or n)
-$ __get_startable_units --system | wc -l
-123
-$ __get_template_names --system | wc -l
-12
-
-the number of the suggestions matches one the function returns.
-For consistency with the other internal functions, it should use the first argument
-instead of the global variable $mode.
-
-[zj: add commit message to make it sound like we know what we're doing]
-
-(cherry picked from commit 6bda23dd6aaba50cf8e3e6024248cf736cc443ca)
----
- shell-completion/bash/systemctl.in | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/shell-completion/bash/systemctl.in b/shell-completion/bash/systemctl.in
-index 0398d09d18..bde28efc3e 100644
---- a/shell-completion/bash/systemctl.in
-+++ b/shell-completion/bash/systemctl.in
-@@ -68,7 +68,7 @@ __filter_units_by_properties () {
-         done
-         for ((i=0; i < ${#units[*]}; i++)); do
-                 for ((j=0; j < ${#conditions[*]}; j++)); do
--                        if [[ "${props[ i * ${#conditions[*]} + j]}" != "${conditions[j]}" ]]; then
-+                        if [[ "${props[i * ${#conditions[*]} + j]}" != "${conditions[j]}" ]]; then
-                                 break
-                         fi
-                 done
-@@ -87,19 +87,19 @@ __get_active_units   () { __systemctl $1 list-units       \
-         | { while read -r a b; do echo " $a"; done; }; }
- __get_startable_units () {
-         # find startable inactive units
--        __filter_units_by_properties $mode ActiveState,CanStart inactive,yes $(
--            { __systemctl $mode list-unit-files --state enabled,enabled-runtime,linked,linked-runtime,static,indirect,disabled,generated,transient | \
-+        __filter_units_by_properties $1 ActiveState,CanStart inactive,yes $(
-+            { __systemctl $1 list-unit-files --state enabled,enabled-runtime,linked,linked-runtime,static,indirect,disabled,generated,transient | \
-                       { while read -r a b; do [[ $a =~ @\. ]] || echo " $a"; done; }
--              __systemctl $mode list-units --state inactive,failed | \
-+              __systemctl $1 list-units --state inactive,failed | \
-                       { while read -r a b c; do [[ $b == "loaded" ]] && echo " $a"; done; }
-             } | sort -u )
- }
- __get_restartable_units () {
-         # filter out masked and not-found
--        __filter_units_by_property $mode CanStart yes $(
--            __systemctl $mode list-unit-files --state enabled,disabled,static | \
-+        __filter_units_by_property $1 CanStart yes $(
-+            __systemctl $1 list-unit-files --state enabled,disabled,static | \
-                     { while read -r a b; do [[ $a =~ @\. ]] || echo " $a"; done; }
--            __systemctl $mode list-units | \
-+            __systemctl $1 list-units | \
-                     { while read -r a b; do echo " $a"; done; } )
- }
- __get_failed_units   () { __systemctl $1 list-units       \

0018-boot-efi-don-t-hard-fail-on-error-for-tpm-measure-64.patch

@@ -1,49 +0,0 @@
-From ea0ff5cd4efb1d67820572fb0d7d1d8da0fc1dc1 Mon Sep 17 00:00:00 2001
-From: Harald Hoyer <harald@hoyer.xyz>
-Date: Fri, 28 Jul 2017 09:46:05 +0200
-Subject: [PATCH] boot/efi: don't hard fail on error for tpm measure (#6473)
-
-Display the error for a small amount of time, but don't fail hard.
-
-In case of a faulty BIOS, a TPM error should not prevent the boot.
-If something cares about the PCM measurement, it will be noticed
-anyway later on.
-
-Especially important now, that TPM measurement is the default now on
-some distribution builds.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1411156
-(cherry picked from commit 522aa9f5f8755d7389131da41bd60b6276917ff2)
----
- src/boot/efi/boot.c | 3 +--
- src/boot/efi/stub.c | 3 +--
- 2 files changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
-index 1e990b3825..316e95a72b 100644
---- a/src/boot/efi/boot.c
-+++ b/src/boot/efi/boot.c
-@@ -1657,8 +1657,7 @@ static EFI_STATUS image_start(EFI_HANDLE parent_image, const Config *config, con
-                                     loaded_image->LoadOptionsSize, loaded_image->LoadOptions);
-                 if (EFI_ERROR(err)) {
-                         Print(L"Unable to add image options measurement: %r", err);
--                        uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
--                        return err;
-+                        uefi_call_wrapper(BS->Stall, 1, 200 * 1000);
-                 }
- #endif
-         }
-diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
-index bab5d46de9..2562228090 100644
---- a/src/boot/efi/stub.c
-+++ b/src/boot/efi/stub.c
-@@ -94,8 +94,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
-                                     loaded_image->LoadOptionsSize, loaded_image->LoadOptions);
-                 if (EFI_ERROR(err)) {
-                         Print(L"Unable to add image options measurement: %r", err);
--                        uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
--                        return err;
-+                        uefi_call_wrapper(BS->Stall, 1, 200 * 1000);
-                 }
- #endif
-         }

0019-meson-D-remote-and-D-importd-should-be-combo-options.patch

@@ -1,37 +0,0 @@
-From 9c27ced1fac191139a131d179a25801ce9ca3357 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Wed, 26 Jul 2017 14:11:15 -0400
-Subject: [PATCH] meson: -D remote and -D importd should be "combo" options
-
-The default should be 'auto', and we allow 'true'
-and 'false' too.
-
-Fixes #6445.
-
-(cherry picked from commit b1519d656691e725a8b8950fc0e6cc8d25b1016a)
----
- meson_options.txt | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/meson_options.txt b/meson_options.txt
-index 1594fec41f..b7a45d5806 100644
---- a/meson_options.txt
-+++ b/meson_options.txt
-@@ -69,7 +69,7 @@ option('timedated', type : 'boolean',
-        description : 'install the systemd-timedated daemon')
- option('timesyncd', type : 'boolean',
-        description : 'install the systemd-timesyncd daemon')
--option('remote', type : 'boolean',
-+option('remote', type : 'combo', choices : ['auto', 'true', 'false'],
-        description : 'support for "journal over the network"')
- option('myhostname', type : 'boolean',
-        description : 'nss-myhostname support')
-@@ -87,7 +87,7 @@ option('sysusers', type : 'boolean',
-        description : 'support for the sysusers configuration')
- option('tmpfiles', type : 'boolean',
-        description : 'support for tmpfiles.d')
--option('importd', type : 'boolean',
-+option('importd', type : 'combo', choices : ['auto', 'true', 'false'],
-        description : 'install the systemd-importd daemon')
- option('hwdb', type : 'boolean',
-        description : 'support for the hardware database')

0020-cryptsetup-fix-infinite-timeout-6486.patch

@@ -1,42 +0,0 @@
-From c64c6a8b259abfbff5ce202d5d5982b120cf928f Mon Sep 17 00:00:00 2001
-From: Andrew Soutar <andrew@andrewsoutar.com>
-Date: Mon, 31 Jul 2017 02:19:16 -0400
-Subject: [PATCH] cryptsetup: fix infinite timeout (#6486)
-
-0004f698d causes `arg_timeout` to be infinity instead of 0 when timeout=0. The
-logic here now matches this change.
-
-Fixes #6381
-
-(cherry picked from commit 0864d311766498563331f486909a0d950ba7de87)
----
- src/cryptsetup/cryptsetup.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
-index 3b4c086162..08ed7e53ba 100644
---- a/src/cryptsetup/cryptsetup.c
-+++ b/src/cryptsetup/cryptsetup.c
-@@ -56,7 +56,7 @@ static bool arg_tcrypt_veracrypt = false;
- static char **arg_tcrypt_keyfiles = NULL;
- static uint64_t arg_offset = 0;
- static uint64_t arg_skip = 0;
--static usec_t arg_timeout = 0;
-+static usec_t arg_timeout = USEC_INFINITY;
- 
- /* Options Debian's crypttab knows we don't:
- 
-@@ -670,10 +670,10 @@ int main(int argc, char *argv[]) {
-                 if (arg_discards)
-                         flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
- 
--                if (arg_timeout > 0)
--                        until = now(CLOCK_MONOTONIC) + arg_timeout;
--                else
-+                if (arg_timeout == USEC_INFINITY)
-                         until = 0;
-+                else
-+                        until = now(CLOCK_MONOTONIC) + arg_timeout;
- 
-                 arg_key_size = (arg_key_size > 0 ? arg_key_size : (256 / 8));
- 

0021-rfkill-fix-erroneous-behavior-when-polling-the-udev-.patch

@@ -1,45 +0,0 @@
-From cb81159ce49380d39c80f803353784633b8f306c Mon Sep 17 00:00:00 2001
-From: "S. Fan" <sfanxiang@gmail.com>
-Date: Mon, 31 Jul 2017 05:10:10 -0500
-Subject: [PATCH] rfkill: fix erroneous behavior when polling the udev monitor
- (#6489)
-
-Comparing udev_device_get_sysname(device) and sysname will always return
-true. We need to check the device received from udev monitor instead.
-
-Also, fd_wait_for_event() sometimes never exits. Better set a timeout
-here.
-
-(cherry picked from commit 8ec1a07998758f6a85f3ea5bf2ed14d87609398f)
----
- src/rfkill/rfkill.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/src/rfkill/rfkill.c b/src/rfkill/rfkill.c
-index c0f138b4f4..470853d1d2 100644
---- a/src/rfkill/rfkill.c
-+++ b/src/rfkill/rfkill.c
-@@ -138,17 +138,21 @@ static int wait_for_initialized(
-         for (;;) {
-                 _cleanup_udev_device_unref_ struct udev_device *t = NULL;
- 
--                r = fd_wait_for_event(watch_fd, POLLIN, USEC_INFINITY);
-+                r = fd_wait_for_event(watch_fd, POLLIN, EXIT_USEC);
-                 if (r == -EINTR)
-                         continue;
-                 if (r < 0)
-                         return log_error_errno(r, "Failed to watch udev monitor: %m");
-+                if (r == 0) {
-+                        log_error("Timed out wating for udev monitor.");
-+                        return -ETIMEDOUT;
-+                }
- 
-                 t = udev_monitor_receive_device(monitor);
-                 if (!t)
-                         continue;
- 
--                if (streq_ptr(udev_device_get_sysname(device), sysname)) {
-+                if (streq_ptr(udev_device_get_sysname(t), sysname)) {
-                         *ret = udev_device_ref(t);
-                         return 0;
-                 }

0022-core-Do-not-fail-perpetual-mount-units-without-fragm.patch

@@ -1,34 +0,0 @@
-From b56c4c19c8d0adca67eb34e1924d881e7d61b97f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Abd=C3=B3=20Roig-Maranges?= <abdo.roig@gmail.com>
-Date: Mon, 31 Jul 2017 12:32:09 +0200
-Subject: [PATCH] core: Do not fail perpetual mount units without fragment
- (#6459)
-
-mount_load does not require fragment files to be present in order to
-load mount units which are perpetual, or come from /proc/self/mountinfo.
-
-mount_verify should do the same, otherwise a synthesized '-.mount' would
-be marked as failed with "No such file or directory", as it is perpetual
-but not marked to come from /proc/self/mountinfo at this point.
-
-This happens for the user instance, and I suspect it was the cause of #5375
-for the system instance, without gpt-generator.
-
-(cherry picked from commit 1df96fcb31b3bc30c4a983de4734f61ed5a29115)
----
- src/core/mount.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/core/mount.c b/src/core/mount.c
-index 214364d87d..7d9644e305 100644
---- a/src/core/mount.c
-+++ b/src/core/mount.c
-@@ -503,7 +503,7 @@ static int mount_verify(Mount *m) {
-         if (UNIT(m)->load_state != UNIT_LOADED)
-                 return 0;
- 
--        if (!m->from_fragment && !m->from_proc_self_mountinfo)
-+        if (!m->from_fragment && !m->from_proc_self_mountinfo && !UNIT(m)->perpetual)
-                 return -ENOENT;
- 
-         r = unit_name_from_path(m->where, ".mount", &e);

0023-build-sys-bump-xslt-maxdepth-limit.patch

@@ -1,26 +0,0 @@
-From f2618d3474090751ae364ca326f3563797cce54a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Mon, 18 Sep 2017 17:09:52 +0200
-Subject: [PATCH] build-sys: bump xslt maxdepth limit
-
-With libxslt-1.30, builds were failing on some recursion depth limit
-with systemd.index.xml. Bumping the limit fixes the issue.
----
- man/meson.build | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/man/meson.build b/man/meson.build
-index 8ddbd5557c..5b6a21fb9f 100644
---- a/man/meson.build
-+++ b/man/meson.build
-@@ -11,6 +11,7 @@ want_html = want_html != 'false' and xsltproc.found()
- xsltproc_flags = [
-         '--nonet',
-         '--xinclude',
-+        '--maxdepth', '9000',
-         '--stringparam', 'man.output.quietly', '1',
-         '--stringparam', 'funcsynopsis.style', 'ansi',
-         '--stringparam', 'man.authors.section.enabled', '0',
--- 
-2.13.5
-

0024-device-make-sure-to-remove-all-device-units-sharing-.patch

@@ -1,44 +0,0 @@
-From 6d0fe8a5809ef5ccc8e92bdf2eea031178b87083 Mon Sep 17 00:00:00 2001
-From: Franck Bui <fbui@suse.com>
-Date: Wed, 30 Aug 2017 17:16:16 +0200
-Subject: [PATCH] device: make sure to remove all device units sharing the same
- sysfs path (#6679)
-
-When a device is unplugged all device units sharing the same sysfs path
-pointing to that device are supposed to be removed.
-
-However it didn't work since while iterating the device unit list containing
-all the relevant units, each unit was removed during each iteration of
-LIST_FOREACH. However LIST_FOREACH doesn't support this use case and
-LIST_FOREACH_SAFE must be use instead.
-
-(cherry picked from commit cc0df6cc35339976c367977dc292278a1939db0c)
----
- src/core/device.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/core/device.c b/src/core/device.c
-index 77601c552..87186f135 100644
---- a/src/core/device.c
-+++ b/src/core/device.c
-@@ -514,7 +514,7 @@ static void device_update_found_one(Device *d, bool add, DeviceFound found, bool
- }
- 
- static int device_update_found_by_sysfs(Manager *m, const char *sysfs, bool add, DeviceFound found, bool now) {
--        Device *d, *l;
-+        Device *d, *l, *n;
- 
-         assert(m);
-         assert(sysfs);
-@@ -523,7 +523,7 @@ static int device_update_found_by_sysfs(Manager *m, const char *sysfs, bool add,
-                 return 0;
- 
-         l = hashmap_get(m->devices_by_sysfs, sysfs);
--        LIST_FOREACH(same_sysfs, d, l)
-+        LIST_FOREACH_SAFE(same_sysfs, d, n, l)
-                 device_update_found_one(d, add, found, now);
- 
-         return 0;
--- 
-2.13.5
-

0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch

@@ -1,51 +0,0 @@
-From 108c060c5521309b9448e3a7905b50dd505f36a8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Fri, 11 Mar 2016 17:06:17 -0500
-Subject: [PATCH] resolved: create /etc/resolv.conf symlink at runtime
-
-If the symlink doesn't exists, and we are being started, let's
-create it to provie name resolution.
-
-If it exists, do nothing. In particular, if it is a broken symlink,
-we cannot really know if the administator configured it to point to
-a location used by some service that hasn't started yet, so we
-don't touch it in that case either.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1313085
----
- src/resolve/resolved.c | 4 ++++
- tmpfiles.d/etc.conf.m4 | 3 ---
- 2 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
-index deb75f9ae5..914d3b8a2d 100644
---- a/src/resolve/resolved.c
-+++ b/src/resolve/resolved.c
-@@ -67,6 +67,10 @@ int main(int argc, char *argv[]) {
-                 goto finish;
-         }
- 
-+        r = symlink("../run/systemd/resolve/resolv.conf", "/etc/resolv.conf");
-+        if (r < 0 && errno != EEXIST)
-+                log_warning_errno(errno, "Could not create /etc/resolv.conf symlink: %m");
-+
-         /* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */
-         r = drop_privileges(uid, gid,
-                             (UINT64_C(1) << CAP_NET_RAW)|          /* needed for SO_BINDTODEVICE */
-diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4
-index 064eae94f1..928105ea8d 100644
---- a/tmpfiles.d/etc.conf.m4
-+++ b/tmpfiles.d/etc.conf.m4
-@@ -13,9 +13,6 @@ L+ /etc/mtab - - - - ../proc/self/mounts
- m4_ifdef(`HAVE_SMACK_RUN_LABEL',
- t /etc/mtab - - - - security.SMACK64=_
- )m4_dnl
--m4_ifdef(`ENABLE_RESOLVED',
--L! /etc/resolv.conf - - - - ../usr/lib/systemd/resolv.conf
--)m4_dnl
- C /etc/nsswitch.conf - - - -
- m4_ifdef(`HAVE_PAM',
- C /etc/pam.d - - - -
--- 
-2.9.2
-

0999-netdev-crypttab.patch

@@ -1,280 +0,0 @@
-From 3acb27df403c9e5772eb1d81aba1c65b6c7acc08 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Tue, 5 Sep 2017 09:14:51 +0200
-Subject: [PATCH 1/3] units: order cryptsetup-pre.target before
- cryptsetup.target
-
-Normally this happens automatically, but if it happened that both targets were
-pulled in, even though there were no cryptsetup units, they could be started
-in reverse order, which would be somewhat confusing. Add an explicit ordering
-to avoid this potential issue.
----
- units/cryptsetup-pre.target | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/units/cryptsetup-pre.target b/units/cryptsetup-pre.target
-index 65353419f..42e35dd4e 100644
---- a/units/cryptsetup-pre.target
-+++ b/units/cryptsetup-pre.target
-@@ -9,3 +9,4 @@
- Description=Encrypted Volumes (Pre)
- Documentation=man:systemd.special(7)
- RefuseManualStart=yes
-+Before=cryptsetup.target
--- 
-2.14.1
-
-
-From 51a012da40e8d0d4d8df931b3bc56ea913c3856a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Tue, 5 Sep 2017 10:15:13 +0200
-Subject: [PATCH 2/3] units: add remote-cryptsetup.target and
- remote-cryptsetup-pre.target
-
-The pair is similar to remote-fs.target and remote-fs-pre.target. Any
-cryptsetup devices which require network shall be ordered after
-remote-cryptsetup-pre.target and before remote-cryptsetup.target.
----
- man/systemd.special.xml            | 23 +++++++++++++++++++++++
- units/cryptsetup-pre.target        |  2 +-
- units/cryptsetup.target            |  2 +-
- units/meson.build                  |  3 +++
- units/remote-cryptsetup-pre.target | 15 +++++++++++++++
- units/remote-cryptsetup.target     | 10 ++++++++++
- 6 files changed, 53 insertions(+), 2 deletions(-)
- create mode 100644 units/remote-cryptsetup-pre.target
- create mode 100644 units/remote-cryptsetup.target
-
-diff --git a/man/systemd.special.xml b/man/systemd.special.xml
-index 66c45e39a..7107b8a92 100644
---- a/man/systemd.special.xml
-+++ b/man/systemd.special.xml
-@@ -81,6 +81,8 @@
-     <filename>poweroff.target</filename>,
-     <filename>printer.target</filename>,
-     <filename>reboot.target</filename>,
-+    <filename>remote-cryptsetup-pre.target</filename>,
-+    <filename>remote-cryptsetup.target</filename>,
-     <filename>remote-fs-pre.target</filename>,
-     <filename>remote-fs.target</filename>,
-     <filename>rescue.target</filename>,
-@@ -450,6 +452,27 @@
-           this target unit, for compatibility with SysV.</para>
-         </listitem>
-       </varlistentry>
-+      <varlistentry>
-+        <term><filename>remote-cryptsetup-pre.target</filename></term>
-+        <listitem>
-+          <para>This target unit is automatically ordered before all cryptsetup devices
-+          marked with the <option>_netdev</option>. It can be used to execute additional
-+          units before such devices are set up.</para>
-+
-+          <para>It is ordered after <filename>network.target</filename> and
-+          <filename>network-online.target</filename>, and also pulls the latter in as a
-+          <varname>Wants=</varname> dependency.</para>
-+        </listitem>
-+      </varlistentry>
-+      <varlistentry>
-+        <term><filename>remote-cryptsetup.target</filename></term>
-+        <listitem>
-+          <para>Similar to <filename>cryptsetup.target</filename>, but for encrypted
-+          devices which are accessed over the network. It is used for
-+          <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>8</manvolnum></citerefentry>
-+          entries marked with <option>_netdev</option>.</para>
-+        </listitem>
-+      </varlistentry>
-       <varlistentry>
-         <term><filename>remote-fs.target</filename></term>
-         <listitem>
-diff --git a/units/cryptsetup-pre.target b/units/cryptsetup-pre.target
-index 42e35dd4e..6cb28a61a 100644
---- a/units/cryptsetup-pre.target
-+++ b/units/cryptsetup-pre.target
-@@ -6,7 +6,7 @@
- #  (at your option) any later version.
- 
- [Unit]
--Description=Encrypted Volumes (Pre)
-+Description=Local Encrypted Volumes (Pre)
- Documentation=man:systemd.special(7)
- RefuseManualStart=yes
- Before=cryptsetup.target
-diff --git a/units/cryptsetup.target b/units/cryptsetup.target
-index 25d3e33f6..10b17fd38 100644
---- a/units/cryptsetup.target
-+++ b/units/cryptsetup.target
-@@ -6,5 +6,5 @@
- #  (at your option) any later version.
- 
- [Unit]
--Description=Encrypted Volumes
-+Description=Local Encrypted Volumes
- Documentation=man:systemd.special(7)
-diff --git a/units/meson.build b/units/meson.build
-index e94add6a6..e6351c7a2 100644
---- a/units/meson.build
-+++ b/units/meson.build
-@@ -47,6 +47,9 @@ units = [
-         ['proc-sys-fs-binfmt_misc.mount',       'ENABLE_BINFMT'],
-         ['reboot.target',                       '',
-          'runlevel6.target ctrl-alt-del.target'],
-+        ['remote-cryptsetup-pre.target',        'HAVE_LIBCRYPTSETUP'],
-+        ['remote-cryptsetup.target',            'HAVE_LIBCRYPTSETUP',
-+         join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
-         ['remote-fs-pre.target',                ''],
-         ['remote-fs.target',                    '',
-          join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
-diff --git a/units/remote-cryptsetup-pre.target b/units/remote-cryptsetup-pre.target
-new file mode 100644
-index 000000000..a375e6188
---- /dev/null
-+++ b/units/remote-cryptsetup-pre.target
-@@ -0,0 +1,15 @@
-+#  This file is part of systemd.
-+#
-+#  systemd is free software; you can redistribute it and/or modify it
-+#  under the terms of the GNU Lesser General Public License as published by
-+#  the Free Software Foundation; either version 2.1 of the License, or
-+#  (at your option) any later version.
-+
-+[Unit]
-+Description=Remote Encrypted Volumes (Pre)
-+Documentation=man:systemd.special(7)
-+RefuseManualStart=yes
-+Before=remote-cryptsetup.target
-+
-+After=network.target network-online.target
-+Wants=network-online.target
-diff --git a/units/remote-cryptsetup.target b/units/remote-cryptsetup.target
-new file mode 100644
-index 000000000..60943bd1c
---- /dev/null
-+++ b/units/remote-cryptsetup.target
-@@ -0,0 +1,10 @@
-+#  This file is part of systemd.
-+#
-+#  systemd is free software; you can redistribute it and/or modify it
-+#  under the terms of the GNU Lesser General Public License as published by
-+#  the Free Software Foundation; either version 2.1 of the License, or
-+#  (at your option) any later version.
-+
-+[Unit]
-+Description=Remote Encrypted Volumes
-+Documentation=man:systemd.special(7)
--- 
-2.14.1
-
-
-From 543a62336565c840bbda22df0eb2a1c19180a8d5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Tue, 5 Sep 2017 11:30:33 +0200
-Subject: [PATCH 3/3] cryptsetup-generator: use remote-cryptsetup.target when
- _netdev is present
-
-This allows such devices to depend on the network. Their startup will
-be delayed similarly to network mount units.
-
-Fixes #4642.
----
- man/crypttab.xml                      | 13 +++++++++++++
- src/cryptsetup/cryptsetup-generator.c | 36 ++++++++++++++++++-----------------
- 2 files changed, 32 insertions(+), 17 deletions(-)
-
-diff --git a/man/crypttab.xml b/man/crypttab.xml
-index 17976f370..162377ebc 100644
---- a/man/crypttab.xml
-+++ b/man/crypttab.xml
-@@ -213,6 +213,19 @@
-         <option>size=</option>.</para></listitem>
-       </varlistentry>
- 
-+      <varlistentry>
-+        <term><option>_netdev</option></term>
-+
-+        <listitem><para>Marks this cryptsetup device as requiring network. It will be
-+        started after the network is available, similarly to
-+        <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-+        units marked with <option>_netdev</option>. The service unit to set up this device
-+        will be ordered between <filename>remote-cryptsetup-pre.target</filename> and
-+        <filename>remote-cryptsetup.target</filename>, instead of
-+        <filename>cryptsetup-pre.target</filename> and
-+        <filename>cryptsetup.target</filename>.</para></listitem>
-+      </varlistentry>
-+
-       <varlistentry>
-         <term><option>noauto</option></term>
- 
-diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
-index b58b6db7c..8571ab06e 100644
---- a/src/cryptsetup/cryptsetup-generator.c
-+++ b/src/cryptsetup/cryptsetup-generator.c
-@@ -61,7 +61,7 @@ static int create_disk(
-         _cleanup_free_ char *p = NULL, *n = NULL, *d = NULL, *u = NULL, *to = NULL, *e = NULL,
-                 *filtered = NULL;
-         _cleanup_fclose_ FILE *f = NULL;
--        bool noauto, nofail, tmp, swap;
-+        bool noauto, nofail, tmp, swap, netdev;
-         char *from;
-         int r;
- 
-@@ -72,6 +72,7 @@ static int create_disk(
-         nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
-         tmp = fstab_test_option(options, "tmp\0");
-         swap = fstab_test_option(options, "swap\0");
-+        netdev = fstab_test_option(options, "_netdev\0");
- 
-         if (tmp && swap) {
-                 log_error("Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.", name);
-@@ -102,21 +103,22 @@ static int create_disk(
-         if (!f)
-                 return log_error_errno(errno, "Failed to create unit file %s: %m", p);
- 
--        fputs("# Automatically generated by systemd-cryptsetup-generator\n\n"
--              "[Unit]\n"
--              "Description=Cryptography Setup for %I\n"
--              "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
--              "SourcePath=/etc/crypttab\n"
--              "DefaultDependencies=no\n"
--              "Conflicts=umount.target\n"
--              "BindsTo=dev-mapper-%i.device\n"
--              "IgnoreOnIsolate=true\n"
--              "After=cryptsetup-pre.target\n",
--              f);
-+        fprintf(f,
-+                "# Automatically generated by systemd-cryptsetup-generator\n\n"
-+                "[Unit]\n"
-+                "Description=Cryptography Setup for %%I\n"
-+                "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
-+                "SourcePath=/etc/crypttab\n"
-+                "DefaultDependencies=no\n"
-+                "Conflicts=umount.target\n"
-+                "IgnoreOnIsolate=true\n"
-+                "After=%s\n",
-+                netdev ? "remote-cryptsetup-pre.target" : "cryptsetup-pre.target");
- 
-         if (!nofail)
-                 fprintf(f,
--                        "Before=cryptsetup.target\n");
-+                        "Before=%s\n",
-+                        netdev ? "remote-cryptsetup.target" : "cryptsetup.target");
- 
-         if (password) {
-                 if (STR_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
-@@ -200,10 +202,10 @@ static int create_disk(
-                         return log_error_errno(errno, "Failed to create symlink %s: %m", to);
- 
-                 free(to);
--                if (!nofail)
--                        to = strjoin(arg_dest, "/cryptsetup.target.requires/", n);
--                else
--                        to = strjoin(arg_dest, "/cryptsetup.target.wants/", n);
-+                to = strjoin(arg_dest,
-+                             netdev ? "/remote-cryptsetup" : "/cryptsetup",
-+                             ".target.",
-+                             nofail ? "wants/" : "requires/", n);
-                 if (!to)
-                         return log_oom();
- 
--- 
-2.14.1
-

20-grubby.install

@@ -47,5 +47,5 @@ esac
 
 # skip other installation plugins, if we can't find a boot loader spec conforming setup
 if ! [[ -d /boot/loader/entries || -L /boot/loader/entries ]]; then
-    exit 77 
+    exit 77
 fi

85-display-manager.preset

@@ -1,11 +0,0 @@
-# We enable all display managers by default. Since only one can
-# actually be enabled at the same time the one which is installed
-# first wins
-
-enable gdm.service
-enable lightdm.service
-enable slim.service
-enable lxdm.service
-enable sddm.service
-enable kdm.service
-enable xdm.service

90-default.preset

@@ -1,126 +0,0 @@
-# Also see:
-# https://fedoraproject.org/wiki/Starting_services_by_default
-
-# On Fedora we deviate from some upstream defaults
-disable systemd-timesyncd.service
-disable systemd-networkd.service
-disable systemd-resolved.service
-
-# System stuff
-enable sshd.service
-enable atd.*
-enable crond.*
-enable chronyd.service
-enable NetworkManager.service
-enable NetworkManager-dispatcher.service
-enable ModemManager.service
-enable auditd.service
-enable restorecond.service
-enable bluetooth.*
-enable avahi-daemon.*
-enable cups.*
-
-# The various syslog implementations
-enable rsyslog.*
-enable syslog-ng.*
-enable sysklogd.*
-
-# Network facing
-enable firewalld.service
-enable libvirtd.service
-enable xinetd.service
-enable ladvd.service
-
-# Storage
-enable multipathd.service
-enable libstoragemgmt.service
-enable lvm2-monitor.*
-enable lvm2-lvmetad.*
-enable dm-event.*
-enable dmraid-activation.service
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=855372
-enable mdmonitor.service
-enable mdmonitor-takeover.service
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=876237
-enable spice-vdagentd.service
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=885406
-enable qemu-guest-agent.service
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=928726
-enable dnf-makecache.timer
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=929403
-enable initial-setup-graphical.service
-enable initial-setup-text.service
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=957135
-enable vmtoolsd.service
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=976315
-enable dkms.service
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=961878
-enable ipmi.service
-enable ipmievd.service
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=1039351
-enable x509watch.timer
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=1060754
-enable dnssec-triggerd.service
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=1095353
-enable uuidd.socket
-
-# Hardware
-enable gpm.*
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=1066421
-enable gpsd.socket
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=1141607
-enable x2gocleansessions.service
-
-# https://fedoraproject.org/wiki/Changes/UEFISecureBootBlacklistUpdates
-#
-enable dbxtool.service
-
-enable irqbalance.service
-enable lm_sensors.service
-enable mcelog.*
-enable acpid.*
-enable smartd.service
-enable pcscd.socket
-enable rngd.service
-
-# Other stuff
-enable abrtd.service
-enable abrt-ccpp.service
-enable abrt-oops.service
-enable abrt-xorg.service
-enable abrt-vmcore.service
-enable lttng-sessiond.service
-enable ksm.service
-enable ksmtuned.service
-enable rootfs-resize.service
-enable sysstat.service
-enable sysstat-collect.timer
-enable sysstat-summary.timer
-enable uuidd.service
-enable xendomains.service
-enable xenstored.service
-enable xenconsoled.service
-
-# Desktop stuff
-enable accounts-daemon.service
-enable rtkit-daemon.service
-enable upower.service
-enable udisks2.service
-enable polkit.service
-enable packagekit-offline-update.service
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=1187072
-enable timedatex.service

99-default-disable.preset

@@ -1 +0,0 @@
-disable *

f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch

@@ -0,0 +1,129 @@
+From f58b96d3e8d1cb0dd3666bc74fa673918b586612 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 14 Sep 2020 17:58:03 +0200
+Subject: [PATCH] test-mountpointutil-util: do not assert in test_mnt_id()
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1803070
+
+I *think* this a kernel bug: the mnt_id as listed in /proc/self/mountinfo is different
+than the one we get from /proc/self/fdinfo/. This only matters when both statx and
+name_to_handle_at are unavailable and we hit the fallback path that goes through fdinfo:
+
+(gdb) !uname -r
+5.6.19-200.fc31.ppc64le
+
+(gdb) !cat /proc/self/mountinfo
+697 664 253:0 /var/lib/mock/fedora-31-ppc64le/root / rw,relatime shared:298 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
+698 697 253:0 /var/cache/mock/fedora-31-ppc64le/yum_cache /var/cache/yum rw,relatime shared:299 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
+699 697 253:0 /var/cache/mock/fedora-31-ppc64le/dnf_cache /var/cache/dnf rw,relatime shared:300 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
+700 697 0:32 /mock-selinux-plugin.7me9bfpi /proc/filesystems rw,nosuid,nodev shared:301 master:18 - tmpfs tmpfs rw,seclabel <==========================================================
+701 697 0:41 / /sys ro,nosuid,nodev,noexec,relatime shared:302 - sysfs sysfs ro,seclabel
+702 701 0:21 / /sys/fs/selinux ro,nosuid,nodev,noexec,relatime shared:306 master:8 - selinuxfs selinuxfs rw
+703 697 0:42 / /dev rw,nosuid shared:303 - tmpfs tmpfs rw,seclabel,mode=755
+704 703 0:43 / /dev/shm rw,nosuid,nodev shared:304 - tmpfs tmpfs rw,seclabel
+705 703 0:45 / /dev/pts rw,nosuid,noexec,relatime shared:307 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=666
+706 703 0:6 /btrfs-control /dev/btrfs-control rw,nosuid shared:308 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+707 703 0:6 /loop-control /dev/loop-control rw,nosuid shared:309 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+708 703 0:6 /loop0 /dev/loop0 rw,nosuid shared:310 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+709 703 0:6 /loop1 /dev/loop1 rw,nosuid shared:311 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+710 703 0:6 /loop10 /dev/loop10 rw,nosuid shared:312 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+711 703 0:6 /loop11 /dev/loop11 rw,nosuid shared:313 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+712 703 0:6 /loop2 /dev/loop2 rw,nosuid shared:314 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+713 703 0:6 /loop3 /dev/loop3 rw,nosuid shared:315 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+714 703 0:6 /loop4 /dev/loop4 rw,nosuid shared:316 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+715 703 0:6 /loop5 /dev/loop5 rw,nosuid shared:317 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+716 703 0:6 /loop6 /dev/loop6 rw,nosuid shared:318 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+717 703 0:6 /loop7 /dev/loop7 rw,nosuid shared:319 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+718 703 0:6 /loop8 /dev/loop8 rw,nosuid shared:320 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+719 703 0:6 /loop9 /dev/loop9 rw,nosuid shared:321 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
+720 697 0:44 / /run rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+721 720 0:25 /systemd/nspawn/propagate/9cc8a155d0244558b273f773d2b92142 /run/systemd/nspawn/incoming ro master:12 - tmpfs tmpfs rw,seclabel,mode=755
+722 697 0:32 /mock-resolv.dvml91hp /etc/resolv.conf rw,nosuid,nodev shared:322 master:18 - tmpfs tmpfs rw,seclabel
+725 697 0:47 / /proc rw,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+603 725 0:47 /sys /proc/sys ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+604 725 0:44 /systemd/inaccessible/reg /proc/kallsyms ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+605 725 0:44 /systemd/inaccessible/reg /proc/kcore ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+606 725 0:44 /systemd/inaccessible/reg /proc/keys ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+607 725 0:44 /systemd/inaccessible/reg /proc/sysrq-trigger ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+608 725 0:44 /systemd/inaccessible/reg /proc/timer_list ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+609 725 0:47 /bus /proc/bus ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+610 725 0:47 /fs /proc/fs ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+611 725 0:47 /irq /proc/irq ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+612 725 0:47 /scsi /proc/scsi ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
+613 703 0:46 / /dev/mqueue rw,nosuid,nodev,noexec,relatime shared:324 - mqueue mqueue rw,seclabel
+614 701 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:325 - cgroup2 cgroup rw,seclabel,nsdelegate
+615 603 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+616 725 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+617 725 0:44 /.#proc-kmsg5b7a8bcfe6717139//deleted /proc/kmsg rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
+
+The test process does
+name_to_handle_at("/proc/filesystems") which returns -EOPNOTSUPP, and then
+openat(AT_FDCWD, "/proc/filesystems") which returns 4, and then
+read(open("/proc/self/fdinfo/4", ...)) which gives
+"pos:\t0\nflags:\t012100000\nmnt_id:\t725\n"
+
+and the "725" is clearly inconsistent with "700" in /proc/self/mountinfo.
+
+We could either drop the fallback path (and fail name_to_handle_at() is not
+avaliable) or ignore the error in the test. Not sure what is better. I think
+this issue only occurs sometimes and with older kernels, so probably continuing
+with the current flaky implementation is better than ripping out the fallback.
+
+Another strace:
+writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/sys is 603", iov_len=27}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/sys is 603
+) = 28
+name_to_handle_at(AT_FDCWD, "/", {handle_bytes=128 => 12, handle_type=129, f_handle=0x52748401000000008b93e20d}, [697], 0) = 0
+writev(2</dev/pts/0>, [{iov_base="mnt ids of / is 697", iov_len=19}, {iov_base="\n", iov_len=1}], 2mnt ids of / is 697
+) = 20
+name_to_handle_at(AT_FDCWD, "/proc/kcore", {handle_bytes=128 => 12, handle_type=1, f_handle=0x92ddcfcd2e802d0100000000}, [605], 0) = 0
+writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/kcore is 605", iov_len=29}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/kcore is 605
+) = 30
+name_to_handle_at(AT_FDCWD, "/dev", {handle_bytes=128 => 12, handle_type=1, f_handle=0x8ae269160c802d0100000000}, [703], 0) = 0
+writev(2</dev/pts/0>, [{iov_base="mnt ids of /dev is 703", iov_len=22}, {iov_base="\n", iov_len=1}], 2mnt ids of /dev is 703
+) = 23
+name_to_handle_at(AT_FDCWD, "/proc/filesystems", {handle_bytes=128}, 0x7fffe36ddb84, 0) = -1 EOPNOTSUPP (Operation not supported)
+openat(AT_FDCWD, "/proc/filesystems", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4</proc/filesystems>
+openat(AT_FDCWD, "/proc/self/fdinfo/4", O_RDONLY|O_CLOEXEC) = 5</proc/20/fdinfo/4>
+fstat(5</proc/20/fdinfo/4>, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0
+fstat(5</proc/20/fdinfo/4>, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0
+read(5</proc/20/fdinfo/4>, "pos:\t0\nflags:\t012100000\nmnt_id:\t725\n", 2048) = 36
+read(5</proc/20/fdinfo/4>, "", 1024)    = 0
+close(5</proc/20/fdinfo/4>)             = 0
+close(4</proc/filesystems>)             = 0
+writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/filesystems are 700, 725", iov_len=41}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/filesystems are 700, 725
+) = 42
+writev(2</dev/pts/0>, [{iov_base="the other path for mnt id 725 is /proc", iov_len=38}, {iov_base="\n", iov_len=1}], 2the other path for mnt id 725 is /proc
+) = 39
+writev(2</dev/pts/0>, [{iov_base="Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting.", iov_len=108}, {iov_base="\n", iov_len=1}], 2Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting.
+) = 109
+rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
+rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
+getpid()                                = 20
+gettid()                                = 20
+tgkill(20, 20, SIGABRT)                 = 0
+rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
+--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=20, si_uid=0} ---
++++ killed by SIGABRT (core dumped) +++
+---
+ src/test/test-mountpoint-util.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/test/test-mountpoint-util.c b/src/test/test-mountpoint-util.c
+index 30b00ae4d8b..ffe5144b04a 100644
+--- a/src/test/test-mountpoint-util.c
++++ b/src/test/test-mountpoint-util.c
+@@ -89,8 +89,12 @@ static void test_mnt_id(void) {
+                 /* The ids don't match? If so, then there are two mounts on the same path, let's check if
+                  * that's really the case */
+                 char *t = hashmap_get(h, INT_TO_PTR(mnt_id2));
+-                log_debug("the other path for mnt id %i is %s\n", mnt_id2, t);
+-                assert_se(path_equal(p, t));
++                log_debug("Path for mnt id %i from /proc/self/mountinfo is %s\n", mnt_id2, t);
++
++                if (!path_equal(p, t))
++                        /* Apparent kernel bug in /proc/self/fdinfo */
++                        log_warning("Bad mount id given for %s: %d, should be %d",
++                                    p, mnt_id2, mnt_id);
+         }
+ }
+ 

libsystemd-shared.abignore

@@ -0,0 +1,3 @@
+[suppress_file]
+# This shared object is private to systemd
+file_name_regexp=libsystemd-shared-.*.so

macros.sysusers

@@ -0,0 +1,10 @@
+# RPM macros for packages creating system accounts
+#
+# Turn a sysusers.d file into macros specified by
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
+
+%sysusers_requires_compat Requires(pre): shadow-utils
+
+%sysusers_create_compat() \
+%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \
+%{nil}

purge-nobody-user

@@ -0,0 +1,101 @@
+#!/bin/bash -eu
+
+if [ $UID -ne 0 ]; then
+    echo "WARNING: This script needs to run as root to be effective"
+    exit 1
+fi
+
+export SYSTEMD_NSS_BYPASS_SYNTHETIC=1
+
+if [ "${1:-}" = "--ignore-journal" ]; then
+    shift
+    ignore_journal=1
+else
+    ignore_journal=0
+fi
+
+echo "Checking processes..."
+if ps h -u 99 | grep .; then
+    echo "ERROR: ps reports processes with UID 99!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking UTMP..."
+if w -h 199 | grep . ; then
+    echo "ERROR: w reports UID 99 as active!"
+    exit 2
+fi
+if w -h nobody | grep . ; then
+    echo "ERROR: w reports user nobody as active!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking the journal..."
+if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then
+    echo "ERROR: journalctl reports messages from UID 99 in current boot!"
+    exit 2
+fi
+echo "... not found"
+
+echo "Looking for files in /etc, /run, /tmp, and /var..."
+if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then
+    echo "ERROR: found files belonging to UID 99"
+    exit 2
+fi
+echo "... not found"
+
+echo "Checking if nobody is defined correctly..."
+if getent passwd nobody |
+	grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin';
+then
+    echo "OK, nothing to do."
+    exit 0
+else
+    echo "NOTICE: User nobody is not defined correctly"
+fi
+
+echo "Checking if nfsnobody or something else is using the uid..."
+if getent passwd 65534 | grep . ; then
+    echo "NOTICE: will have to remove this user"
+else
+    echo "... not found"
+fi
+
+if [ "${1:-}" = "-x" ]; then
+    if getent passwd nobody >/dev/null; then
+	# this will remove both the user and the group.
+	( set -x
+   	  userdel nobody
+	)
+    fi
+
+    if getent passwd 65534 >/dev/null; then
+	# Make sure the uid is unused. This should free gid too.
+	name="$(getent passwd 65534 | cut -d: -f1)"
+	( set -x
+	  userdel "$name"
+	)
+    fi
+
+    if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then
+	echo "Sleeping, so sss can catch up"
+	sleep 3
+    fi
+
+    if getent group 65534; then
+	# Make sure the gid is unused, even if uid wasn't.
+	name="$(getent group 65534 | cut -d: -f1)"
+	( set -x
+	  groupdel "$name"
+	)
+    fi
+
+    # systemd-sysusers uses the same gid and uid
+    ( set -x
+      systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin'
+    )
+else
+    echo "Pass '-x' to perform changes"
+fi

sources

@@ -1 +1 @@
-SHA512 (systemd-234.tar.gz) = 762336a7d96c6583cf71cad62efce95a0ed93cd0a0d7251f128d10dba8200c0c8df0e5a7d168179ababa5b221295a231e73b7e7ea2697cb3fb5c1b33538efa68
+SHA512 (systemd-247.1.tar.gz) = 2a737afcee4409c2be073d8cb650c3465a25c101b3c3072ea6e6a0614d06e3ed7ae55c84f9ae60555915ad1480b3a13aa72fef4b9210139afe6b0d7a7629385a

split-files.py

@@ -0,0 +1,143 @@
+import re, sys, os, collections
+
+buildroot = sys.argv[1]
+known_files = sys.stdin.read().splitlines()
+known_files = {line.split()[-1]:line for line in known_files}
+
+def files(root):
+    os.chdir(root)
+    todo = collections.deque(['.'])
+    while todo:
+        n = todo.pop()
+        files = os.scandir(n)
+        for file in files:
+            yield file
+            if file.is_dir() and not file.is_symlink():
+                todo.append(file)
+
+o_libs = open('.file-list-libs', 'w')
+o_udev = open('.file-list-udev', 'w')
+o_pam = open('.file-list-pam', 'w')
+o_rpm_macros = open('.file-list-rpm-macros', 'w')
+o_devel = open('.file-list-devel', 'w')
+o_container = open('.file-list-container', 'w')
+o_networkd = open('.file-list-networkd', 'w')
+o_remote = open('.file-list-remote', 'w')
+o_tests = open('.file-list-tests', 'w')
+o_standalone_tmpfiles = open('.file-list-standalone-tmpfiles', 'w')
+o_standalone_sysusers = open('.file-list-standalone-sysusers', 'w')
+o_rest = open('.file-list-rest', 'w')
+for file in files(buildroot):
+    n = file.path[1:]
+    if re.match(r'''/usr/(share|include)$|
+                    /usr/share/man(/man.|)$|
+                    /usr/share/zsh(/site-functions|)$|
+                    /usr/share/dbus-1$|
+                    /usr/share/dbus-1/system.d$|
+                    /usr/share/dbus-1/(system-|)services$|
+                    /usr/share/polkit-1(/actions|/rules.d|)$|
+                    /usr/share/pkgconfig$|
+                    /usr/share/bash-completion(/completions|)$|
+                    /usr(/lib|/lib64|/bin|/sbin|)$|
+                    /usr/lib.*/(security|pkgconfig)$|
+                    /usr/lib/rpm(/macros.d|)$|
+                    /usr/lib/firewalld(/services|)$|
+                    /usr/share/(locale|licenses|doc)|             # no $
+                    /etc(/pam\.d|/xdg|/X11|/X11/xinit|/X11.*\.d|)$|
+                    /etc/(dnf|dnf/protected.d)$|
+                    /usr/(src|lib/debug)|                         # no $
+                    /run$|
+                    /var(/cache|/log|/lib|/run|)$
+    ''', n, re.X):
+        continue
+    if '/security/pam_' in n or '/man8/pam_' in n:
+        o = o_pam
+    elif '/rpm/' in n:
+        o = o_rpm_macros
+    elif '/usr/lib/systemd/tests' in n:
+        o = o_tests
+    elif re.search(r'/lib.*\.pc|/man3/|/usr/include|(?<!/libsystemd-shared-...).so$', n):
+        o = o_devel
+    elif re.search(r'''journal-(remote|gateway|upload)|
+                       systemd-remote\.conf|
+                       /usr/share/systemd/gatewayd|
+                       /var/log/journal/remote
+    ''', n, re.X):
+        o = o_remote
+    elif re.search(r'''mymachines|
+                       machinectl|
+                       systemd-nspawn|
+                       import-pubring.gpg|
+                       systemd-(machined|import|pull)|
+                       /machine.slice|
+                       /machines.target|
+                       var-lib-machines.mount|
+                       org.freedesktop.(import|machine)1
+    ''', n, re.X):
+        o = o_container
+    elif re.search(r'''/usr/lib/systemd/network/80-|
+                       networkd|
+                       networkctl|
+                       org.freedesktop.network1
+    ''', n, re.X):
+        o = o_networkd
+    elif '.so.' in n:
+        o = o_libs
+    elif re.search(r'''udev(?!\.pc)|
+                       hwdb|
+                       bootctl|
+                       sd-boot|systemd-boot\.|loader.conf|
+                       bless-boot|
+                       boot-system-token|
+                       kernel-install|
+                       vconsole|
+                       backlight|
+                       rfkill|
+                       random-seed|
+                       modules-load|
+                       timesync|
+                       cryptsetup|
+                       kmod|
+                       quota|
+                       pstore|
+                       sleep|suspend|hibernate|
+                       systemd-tmpfiles-setup-dev|
+                       network/99-default.link|
+                       growfs|makefs|makeswap|mkswap|
+                       fsck|
+                       repart|
+                       gpt-auto|
+                       volatile-root|
+                       verity-setup|
+                       remount-fs|
+                       /boot$|
+                       /boot/efi|
+                       /kernel/|
+                       /kernel$|
+                       /modprobe.d
+    ''', n, re.X):
+        o = o_udev
+    elif n.endswith('.standalone'):
+        if 'tmpfiles' in n:
+            o = o_standalone_tmpfiles
+        elif 'sysusers' in n:
+            o = o_standalone_sysusers
+        else:
+            assert False, 'Found .standalone not belonging to known packages'
+    else:
+        o = o_rest
+
+    if n in known_files:
+        prefix = ' '.join(known_files[n].split()[:-1])
+        if prefix:
+            prefix += ' '
+    elif file.is_dir() and not file.is_symlink():
+        prefix = '%dir '
+    elif n.startswith('/etc'):
+        prefix = '%config(noreplace) '
+    else:
+        prefix = ''
+
+    suffix = '*' if '/man/' in n else ''
+
+    print(f'{prefix}{n}{suffix}', file=o)

systemd-user

@@ -4,9 +4,7 @@
 
 account  include system-auth
 
-m4_ifdef(`HAVE_SELINUX',
 session  required pam_selinux.so close
 session  required pam_selinux.so nottys open
-)m4_dnl
 session  required pam_loginuid.so
 session  include system-auth

systemd.rpmlintrc

@@ -0,0 +1,50 @@
+# Just kill all warnings about README being wrong in every possible way
+addFilter(r'README')
+
+addFilter(r'missing-call-to-(chdir-with-chroot|setgroups-before-setuid)')
+
+addFilter(r'executable-marked-as-config-file /etc/X11/xinit/xinitrc.d/50-systemd-user.sh')
+
+addFilter(r'non-readable /etc/crypttab')
+
+addFilter(r'non-conffile-in-etc /etc/inittab')
+
+addFilter(r'systemd-unit-in-etc /etc/systemd/.*\.wants')
+
+addFilter(r'dangling-relative-symlink /usr/lib/environment.d/99-environment.conf ../../../etc/environment')
+
+addFilter(r'devel-file-in-non-devel-package /usr/share/pkgconfig/(systemd|udev).pc')
+
+addFilter(r'non-standard-dir-perm /var/cache/private 700')
+
+addFilter(r'non-root-group-log-file /var/log/btmp utmp')
+
+addFilter(r'non-standard-dir-perm /var/log/private 700')
+
+addFilter(r'non-root-group-log-file /var/log/wtmp utmp')
+
+addFilter(r'dangerous-command-in-')
+
+addFilter(r'summary-not-capitalized C systemd')
+
+addFilter(r'obsolete-not-provided')
+
+addFilter(r'postin-without-ldconfig')
+
+addFilter(r'systemd-rpm-macros.noarch: W: only-non-binary-in-usr-lib')
+
+addFilter(r'systemd-rpm-macros.noarch: W: no-documentation')
+
+addFilter(r'systemd-tests\..*: W: no-documentation')
+
+addFilter(r'systemd-tests.*: E: zero-length /usr/lib/systemd/tests/testdata/test-umount/empty.mountinfo')
+
+addFilter(r'hardcoded-library-path in.*(firewalld|install.d|lib/systemd)')
+
+# everybody does it this way: systemd, syslog-ng, rsyslog
+addFilter(r'unversioned-explicit-provides syslog')
+
+# systemd-machine-id-setup requires libssl
+addFilter(r'explicit-lib-dependency openssl-libs')
+
+addFilter(r'systemd.src:.*strange-permission')

sysusers.attr

@@ -0,0 +1,2 @@
+%__sysusers_provides	%{_rpmconfigdir}/sysusers.prov
+%__sysusers_path	^%{_sysusersdir}/.*\\.conf$

sysusers.generate-pre.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# This script turns sysuser.d files into scriptlets mandated by Fedora
+# packaging guidelines. The general idea is to define users using the
+# declarative syntax but to turn this into traditional scriptlets.
+
+user() {
+    user="$1"
+    uid="$2"
+    desc="$3"
+    group="$4"
+    home="$5"
+    shell="$6"
+
+[ "$desc" = '-' ] && desc=
+[ "$home" = '-' -o "$home" = '' ] && home=/
+[ "$shell" = '-' -o "$shell" = '' ] && shell=/sbin/nologin
+
+if [ "$uid" = '-' -o "$uid" = '' ]; then
+    cat <<EOF
+getent passwd '$user' >/dev/null || \\
+    useradd -r -g '$group' -d '$home' -s '$shell' -c '$desc' '$user'
+EOF
+else
+    cat <<EOF
+if ! getent passwd '$user' >/dev/null ; then
+    if ! getent passwd '$uid' >/dev/null ; then
+        useradd -r -u '$uid' -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user'
+    else
+        useradd -r -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user'
+    fi
+fi
+
+EOF
+fi
+}
+
+group() {
+    group="$1"
+    gid="$2"
+if [ "$gid" = '-' ]; then
+    cat <<EOF
+getent group '$group' >/dev/null || groupadd -r '$group'
+EOF
+else
+    cat <<EOF
+getent group '$group' >/dev/null || groupadd -f -g '$gid' -r '$group'
+EOF
+fi
+}
+
+parse() {
+    while read line || [ "$line" ]; do
+        [ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue
+        line="${line## *}"
+        [ -z "$line" ] && continue
+        eval arr=( $line )
+        case "${arr[0]}" in
+            ('u')
+                group "${arr[1]}" "${arr[2]}"
+                user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}"
+                # TODO: user:group support
+                ;;
+            ('g')
+                group "${arr[1]}" "${arr[2]}"
+                ;;
+            ('m')
+                group "${arr[2]}" "-"
+                user "${arr[1]}" "-" "" "${arr[2]}"
+                ;;
+        esac
+    done
+}
+
+for fn in "$@"; do
+    [ -e "$fn" ] || continue
+    echo "# generated from $(basename $fn)"
+    parse < "$fn"
+done

sysusers.prov

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+parse() {
+    while read line; do
+        [ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue
+        line="${line## *}"
+        [ -z "$line" ] && continue
+        set -- $line
+        case "$1" in
+            ('u')
+                echo "user($2)"
+                echo "group($2)"
+                # TODO: user:group support
+                ;;
+            ('g')
+                echo "group($2)"
+                ;;
+            ('m')
+                echo "user($2)"
+                echo "group($3)"
+                ;;
+        esac
+    done
+}
+
+while read fn; do
+    parse < "$fn"
+done

tests/tests-reboot.yml

@@ -0,0 +1,50 @@
+---
+- hosts: localhost
+  vars:
+  - artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}"
+  tags:
+  - classic
+  tasks:
+  # switch SELinux to permissive mode
+  - name: Get default kernel
+    command: "grubby --default-kernel"
+    register: default_kernel
+  - debug: msg="{{ default_kernel.stdout }}"
+  - name: Set permissive mode
+    command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}"
+
+  - name: reboot
+    block:
+      - name: restart host
+        shell: sleep 2 && shutdown -r now "Ansible updates triggered"
+        async: 1
+        poll: 0
+        ignore_errors: true
+
+      - name: wait for host to come back
+        wait_for_connection:
+          delay: 10
+          timeout: 300
+
+      - name: Re-create /tmp/artifacts
+        command: mkdir /tmp/artifacts
+
+      - name: Gather SELinux denials since boot
+        shell: |
+            result=pass
+            dmesg | grep -i -e type=1300 -e type=1400 > /tmp/avc.log && result=fail
+            ausearch -m avc -m selinux_err -m user_avc -ts boot &>> /tmp/avc.log
+            grep -q '<no matches>' /tmp/avc.log || result=fail
+            echo -e "\nresults:\n- test: reboot and collect AVC\n  result: $result\n  logs:\n  - avc.log\n\n" > /tmp/results.yml
+            ( [ $result = "pass" ] && echo PASS test-reboot || echo FAIL test-reboot ) > /tmp/test.log
+
+    always:
+      - name: Pull out the artifacts
+        fetch:
+          dest: "{{ artifacts }}/"
+          src: "{{ item }}"
+          flat: yes
+        with_items:
+          - /tmp/test.log
+          - /tmp/avc.log
+          - /tmp/results.yml

triggers.systemd

@@ -1,8 +1,10 @@
 #  -*- Mode: rpm-spec; indent-tabs-mode: nil -*- */
+#  SPDX-License-Identifier: LGPL-2.1+
 #
 #  This file is part of systemd.
 #
 #  Copyright 2015 Zbigniew Jędrzejewski-Szmek
+#  Copyright 2018 Neal Gompa
 #
 #  systemd is free software; you can redistribute it and/or modify it
 #  under the terms of the GNU Lesser General Public License as published by
@@ -18,47 +20,92 @@
 #  along with systemd; If not, see <http://www.gnu.org/licenses/>.
 
 # The contents of this are an example to be copied into systemd.spec.
+#
+# Minimum rpm version supported: 4.13.0
 
-%transfiletriggerin -P 900900 -p <lua> -- /usr/lib/systemd/system /etc/systemd/system
--- This script will run after any package is initially installed or
--- upgraded. We care about the case where a package is initially
--- installed, because other cases are covered by the *un scriptlets,
--- so sometimes we will reload needlessly.
+%transfiletriggerin -P 900900 -- /usr/lib/systemd/system /etc/systemd/system
+# This script will run after any package is initially installed or
+# upgraded. We care about the case where a package is initially
+# installed, because other cases are covered by the *un scriptlets,
+# so sometimes we will reload needlessly.
+if test -d /run/systemd/system; then
+  %{_bindir}/systemctl daemon-reload
+fi
 
-pid = posix.fork()
-if pid == 0 then
-    assert(posix.exec("%{_bindir}/systemctl", "daemon-reload"))
-elseif pid > 0 then
-    posix.wait(pid)
-end
+%transfiletriggerun -- /usr/lib/systemd/system /etc/systemd/system
+# On removal, we need to run daemon-reload after any units have been
+# removed. %transfiletriggerpostun would be ideal, but it does not get
+# executed for some reason.
+# On upgrade, we need to run daemon-reload after any new unit files
+# have been installed, but before %postun scripts in packages get
+# executed. %transfiletriggerun gets the right list of files
+# but it is invoked too early (before changes happen).
+# %filetriggerpostun happens at the right time, but it fires for
+# every package.
+# To execute the reload at the right time, we create a state
+# file in %transfiletriggerun and execute the daemon-reload in
+# the first %filetriggerpostun.
 
-%transfiletriggerun -p <lua> -- /usr/lib/systemd/system /etc/systemd/system
--- On removal, we need to run daemon-reload after any units have been
--- removed. %transfiletriggerpostun would be ideal, but it does not get
--- executed for some reason.
--- On upgrade, we need to run daemon-reload after any new unit files
--- have been installed, but before %postun scripts in packages get
--- executed. %transfiletriggerun gets the right list of files
--- but it is invoked too early (before changes happen).
--- %filetriggerpostun happens at the right time, but it fires for
--- every package.
--- To execute the reload at the right time, we create a state
--- file in %transfiletriggerun and execute the daemon-reload in
--- the first %filetriggerpostun.
+if test -d "/run/systemd/system"; then
+    mkdir -p "%{_localstatedir}/lib/rpm-state/systemd"
+    touch "%{_localstatedir}/lib/rpm-state/systemd/needs-reload"
+fi
 
-posix.mkdir("%{_localstatedir}/lib")
-posix.mkdir("%{_localstatedir}/lib/rpm-state")
-posix.mkdir("%{_localstatedir}/lib/rpm-state/systemd")
-io.open("%{_localstatedir}/lib/rpm-state/systemd/needs-reload", "w")
+%filetriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system
+if test -f "%{_localstatedir}/lib/rpm-state/systemd/needs-reload"; then
+    rm -rf "%{_localstatedir}/lib/rpm-state/systemd"
+    %{_bindir}/systemctl daemon-reload
+fi
 
-%filetriggerpostun -P 1000100 -p <lua> -- /usr/lib/systemd/system /etc/systemd/system
-if posix.access("%{_localstatedir}/lib/rpm-state/systemd/needs-reload") then
-    posix.unlink("%{_localstatedir}/lib/rpm-state/systemd/needs-reload")
-    posix.rmdir("%{_localstatedir}/lib/rpm-state/systemd")
-    pid = posix.fork()
-    if pid == 0 then
-        assert(posix.exec("%{_bindir}/systemctl", "daemon-reload"))
-    elseif pid > 0 then
-        posix.wait(pid)
-    end
-end
+%transfiletriggerin -P 100700 -- /usr/lib/sysusers.d
+# This script will process files installed in /usr/lib/sysusers.d to create
+# specified users automatically. The priority is set such that it
+# will run before the tmpfiles file trigger.
+if test -d /run/systemd/system; then
+  %{_bindir}/systemd-sysusers || :
+fi
+
+%transfiletriggerin -P 100500 -- /usr/lib/tmpfiles.d
+# This script will process files installed in /usr/lib/tmpfiles.d to create
+# tmpfiles automatically. The priority is set such that it will run
+# after the sysusers file trigger, but before any other triggers.
+if test -d /run/systemd/system; then
+  %{_bindir}/systemd-tmpfiles --create || :
+fi
+
+%transfiletriggerin udev -- /usr/lib/udev/hwdb.d
+# This script will automatically invoke hwdb update if files have been
+# installed or updated in /usr/lib/udev/hwdb.d.
+if test -d /run/systemd/system; then
+  %{_bindir}/systemd-hwdb update || :
+fi
+
+%transfiletriggerin -- /usr/lib/systemd/catalog
+# This script will automatically invoke journal catalog update if files
+# have been installed or updated in /usr/lib/systemd/catalog.
+if test -d /run/systemd/system; then
+  %{_bindir}/journalctl --update-catalog || :
+fi
+
+%transfiletriggerin udev -- /usr/lib/udev/rules.d
+# This script will automatically update udev with new rules if files
+# have been installed or updated in /usr/lib/udev/rules.d.
+if test -e /run/udev/control; then
+  %{_bindir}/udevadm control --reload || :
+fi
+
+%transfiletriggerin -- /usr/lib/sysctl.d
+# This script will automatically apply sysctl rules if files have been
+# installed or updated in /usr/lib/sysctl.d.
+if test -d /run/systemd/system; then
+  /usr/lib/systemd/systemd-sysctl || :
+fi
+
+%transfiletriggerin -- /usr/lib/binfmt.d
+# This script will automatically apply binfmt rules if files have been
+# installed or updated in /usr/lib/binfmt.d.
+if test -d /run/systemd/system; then
+  # systemd-binfmt might fail if binfmt_misc kernel module is not loaded
+  # during install
+  /usr/lib/systemd/systemd-binfmt || :
+fi

use-bfq-scheduler.patch

@@ -0,0 +1,40 @@
+From 223ea50950f97ed4e67311dfcffed7ffc27a7cd3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 14 Aug 2019 15:57:42 +0200
+Subject: [PATCH] udev: use bfq as the default scheduler
+
+As requested in https://bugzilla.redhat.com/show_bug.cgi?id=1738828.
+Test results are that bfq seems to behave better and more consistently on
+typical hardware. The kernel does not have a configuration option to set
+the default scheduler, and it currently needs to be set by userspace.
+
+See the bug for more discussion and links.
+---
+ rules.d/60-block-scheduler.rules | 5 +++++
+ rules.d/meson.build              | 1 +
+ 2 files changed, 6 insertions(+)
+ create mode 100644 rules.d/60-block-scheduler.rules
+
+diff --git a/rules.d/60-block-scheduler.rules b/rules.d/60-block-scheduler.rules
+new file mode 100644
+index 0000000000..480b941761
+--- /dev/null
++++ b/rules.d/60-block-scheduler.rules
+@@ -0,0 +1,5 @@
++# do not edit this file, it will be overwritten on update
++
++ACTION=="add", SUBSYSTEM=="block", \
++  KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \
++  ATTR{queue/scheduler}="bfq"
+diff --git a/rules.d/meson.build b/rules.d/meson.build
+index ca4445d774..38d6aa6970 100644
+--- a/rules.d/meson.build
++++ b/rules.d/meson.build
+@@ -3,6 +3,7 @@
+ rules = files('''
+         60-autosuspend.rules
+         60-block.rules
++        60-block-scheduler.rules
+         60-cdrom_id.rules
+         60-drm.rules
+         60-evdev.rules