diff --git a/0001-Revert-machined-add-varlink-interface-for-registerin.patch b/0001-Revert-machined-add-varlink-interface-for-registerin.patch
new file mode 100644
index 0000000..01946d6
--- /dev/null
+++ b/0001-Revert-machined-add-varlink-interface-for-registerin.patch
@@ -0,0 +1,217 @@
+From c93a24119977a11791aab0f3df5e5cb9973a34de Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sat, 11 May 2024 13:27:12 +0200
+Subject: [PATCH] Revert "machined: add varlink interface for registering
+ machines"
+
+This reverts commit 5b44c81ff868a4d1b78a74e4770f7a8b2f1d0f91.
+---
+ man/systemd-machined.service.xml        |  6 +--
+ src/machine/machine-varlink.h           |  6 ---
+ src/machine/machined-varlink.c          | 62 ++-----------------------
+ src/machine/machined.c                  |  5 +-
+ src/machine/machined.h                  |  3 +-
+ src/machine/meson.build                 |  1 -
+ src/shared/meson.build                  |  1 -
+ src/shared/varlink-io.systemd.Machine.h |  6 ---
+ 8 files changed, 8 insertions(+), 82 deletions(-)
+ delete mode 100644 src/machine/machine-varlink.h
+ delete mode 100644 src/shared/varlink-io.systemd.Machine.h
+
+diff --git a/man/systemd-machined.service.xml b/man/systemd-machined.service.xml
+index b2899ff0fd..f3d7755973 100644
+--- a/man/systemd-machined.service.xml
++++ b/man/systemd-machined.service.xml
+@@ -100,12 +100,10 @@
+ 
+     <para>The daemon provides both a C library interface
+     (which is shared with <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
+-    as well as a D-Bus interface and a Varlink interface.
++    as well as a D-Bus interface.
+     The library interface may be used to introspect and watch the state of virtual machines/containers.
+     The bus interface provides the same but in addition may also be used to register or terminate
+-    machines. The Varlink interface may be used to register machines with optional extensions, e.g. with an
+-    SSH key / address; it can be queried with
+-    <command>varlinkctl introspect /run/systemd/machine/io.systemd.Machine io.systemd.Machine</command>.
++    machines.
+     For more information please consult
+     <citerefentry><refentrytitle>sd-login</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+     and
+diff --git a/src/machine/machine-varlink.h b/src/machine/machine-varlink.h
+deleted file mode 100644
+index ce4ec54dc1..0000000000
+--- a/src/machine/machine-varlink.h
++++ /dev/null
+@@ -1,6 +0,0 @@
+-/* SPDX-License-Identifier: LGPL-2.1-or-later */
+-#pragma once
+-
+-#include "varlink.h"
+-
+-int vl_method_register(Varlink *link, JsonVariant *parameters, VarlinkMethodFlags flags, void *userdata);
+diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c
+index 0d3ae627c1..6ca98e27cf 100644
+--- a/src/machine/machined-varlink.c
++++ b/src/machine/machined-varlink.c
+@@ -1,12 +1,10 @@
+ /* SPDX-License-Identifier: LGPL-2.1-or-later */
+ 
+ #include "format-util.h"
+-#include "machine-varlink.h"
+ #include "machined-varlink.h"
+ #include "mkdir.h"
+ #include "user-util.h"
+ #include "varlink.h"
+-#include "varlink-io.systemd.Machine.h"
+ #include "varlink-io.systemd.UserDatabase.h"
+ 
+ typedef struct LookupParameters {
+@@ -380,13 +378,13 @@ static int vl_method_get_memberships(Varlink *link, JsonVariant *parameters, Var
+         return varlink_error(link, "io.systemd.UserDatabase.NoRecordFound", NULL);
+ }
+ 
+-static int manager_varlink_init_userdb(Manager *m) {
++int manager_varlink_init(Manager *m) {
+         _cleanup_(varlink_server_unrefp) VarlinkServer *s = NULL;
+         int r;
+ 
+         assert(m);
+ 
+-        if (m->varlink_userdb_server)
++        if (m->varlink_server)
+                 return 0;
+ 
+         r = varlink_server_new(&s, VARLINK_SERVER_ACCOUNT_UID|VARLINK_SERVER_INHERIT_USERDATA);
+@@ -417,64 +415,12 @@ static int manager_varlink_init_userdb(Manager *m) {
+         if (r < 0)
+                 return log_error_errno(r, "Failed to attach varlink connection to event loop: %m");
+ 
+-        m->varlink_userdb_server = TAKE_PTR(s);
+-        return 0;
+-}
+-
+-static int manager_varlink_init_machine(Manager *m) {
+-        _cleanup_(varlink_server_unrefp) VarlinkServer *s = NULL;
+-        int r;
+-
+-        assert(m);
+-
+-        if (m->varlink_machine_server)
+-                return 0;
+-
+-        r = varlink_server_new(&s, VARLINK_SERVER_ROOT_ONLY|VARLINK_SERVER_INHERIT_USERDATA);
+-        if (r < 0)
+-                return log_error_errno(r, "Failed to allocate varlink server object: %m");
+-
+-        varlink_server_set_userdata(s, m);
+-
+-        r = varlink_server_add_interface(s, &vl_interface_io_systemd_Machine);
+-        if (r < 0)
+-                return log_error_errno(r, "Failed to add UserDatabase interface to varlink server: %m");
+-
+-        r = varlink_server_bind_method(s, "io.systemd.Machine.Register", vl_method_register);
+-        if (r < 0)
+-                return log_error_errno(r, "Failed to register varlink methods: %m");
+-
+-        (void) mkdir_p("/run/systemd/machine", 0755);
+-
+-        r = varlink_server_listen_address(s, "/run/systemd/machine/io.systemd.Machine", 0666);
+-        if (r < 0)
+-                return log_error_errno(r, "Failed to bind to varlink socket: %m");
+-
+-        r = varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL);
+-        if (r < 0)
+-                return log_error_errno(r, "Failed to attach varlink connection to event loop: %m");
+-
+-        m->varlink_machine_server = TAKE_PTR(s);
+-        return 0;
+-}
+-
+-int manager_varlink_init(Manager *m) {
+-        int r;
+-
+-        r = manager_varlink_init_userdb(m);
+-        if (r < 0)
+-                return r;
+-
+-        r = manager_varlink_init_machine(m);
+-        if (r < 0)
+-                return r;
+-
++        m->varlink_server = TAKE_PTR(s);
+         return 0;
+ }
+ 
+ void manager_varlink_done(Manager *m) {
+         assert(m);
+ 
+-        m->varlink_userdb_server = varlink_server_unref(m->varlink_userdb_server);
+-        m->varlink_machine_server = varlink_server_unref(m->varlink_machine_server);
++        m->varlink_server = varlink_server_unref(m->varlink_server);
+ }
+diff --git a/src/machine/machined.c b/src/machine/machined.c
+index d7087e4672..2638ed572e 100644
+--- a/src/machine/machined.c
++++ b/src/machine/machined.c
+@@ -316,10 +316,7 @@ static bool check_idle(void *userdata) {
+         if (m->operations)
+                 return false;
+ 
+-        if (varlink_server_current_connections(m->varlink_userdb_server) > 0)
+-                return false;
+-
+-        if (varlink_server_current_connections(m->varlink_machine_server) > 0)
++        if (varlink_server_current_connections(m->varlink_server) > 0)
+                 return false;
+ 
+         manager_gc(m, true);
+diff --git a/src/machine/machined.h b/src/machine/machined.h
+index 67abed0fd6..280c32bab6 100644
+--- a/src/machine/machined.h
++++ b/src/machine/machined.h
+@@ -40,8 +40,7 @@ struct Manager {
+         sd_event_source *nscd_cache_flush_event;
+ #endif
+ 
+-        VarlinkServer *varlink_userdb_server;
+-        VarlinkServer *varlink_machine_server;
++        VarlinkServer *varlink_server;
+ };
+ 
+ int manager_add_machine(Manager *m, const char *name, Machine **_machine);
+diff --git a/src/machine/meson.build b/src/machine/meson.build
+index 3150b33de5..c82a32589d 100644
+--- a/src/machine/meson.build
++++ b/src/machine/meson.build
+@@ -3,7 +3,6 @@
+ libmachine_core_sources = files(
+         'image-dbus.c',
+         'machine-dbus.c',
+-        'machine-varlink.c',
+         'machine.c',
+         'machined-core.c',
+         'machined-dbus.c',
+diff --git a/src/shared/meson.build b/src/shared/meson.build
+index d01367a159..17313aefed 100644
+--- a/src/shared/meson.build
++++ b/src/shared/meson.build
+@@ -180,7 +180,6 @@ shared_sources = files(
+         'varlink-io.systemd.Credentials.c',
+         'varlink-io.systemd.Hostname.c',
+         'varlink-io.systemd.Journal.c',
+-        'varlink-io.systemd.Machine.c',
+         'varlink-io.systemd.ManagedOOM.c',
+         'varlink-io.systemd.MountFileSystem.c',
+         'varlink-io.systemd.NamespaceResource.c',
+diff --git a/src/shared/varlink-io.systemd.Machine.h b/src/shared/varlink-io.systemd.Machine.h
+deleted file mode 100644
+index c9fc85f150..0000000000
+--- a/src/shared/varlink-io.systemd.Machine.h
++++ /dev/null
+@@ -1,6 +0,0 @@
+-/* SPDX-License-Identifier: LGPL-2.1-or-later */
+-#pragma once
+-
+-#include "varlink-idl.h"
+-
+-extern const VarlinkInterface vl_interface_io_systemd_Machine;
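Review bot: The revert drops `'machine-varlink.c'` and `'varlink-io.systemd.Machine.c'` from the two `meson.build` source lists and deletes both headers, but neither `.c` file appears among the 8 files in the diffstat, so the patch apparently leaves both sources in the tree unbuilt. That does not affect the build, but the `io.systemd.Machine.Register` implementation would still sit in the patched source tree, which can mislead anyone auditing whether the interface is present. Either delete both `.c` files in this patch, or state in the patch description that they are left in place on purpose to keep the downstream revert small. The description gives only the reverted commit id; repeating the reason recorded in the spec (SELinux policy not yet updated) would let the patch stand on its own.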
diff --git a/0001-tmpfiles-make-purge-hard-to-mis-use.patch b/0001-tmpfiles-make-purge-hard-to-mis-use.patch
new file mode 100644
index 0000000..87b5fa5
--- /dev/null
+++ b/0001-tmpfiles-make-purge-hard-to-mis-use.patch
@@ -0,0 +1,63 @@
+From f62d1f6ea55fc0dcccbe60582804c9b033f8ad0e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 18 Jun 2024 20:32:10 +0200
+Subject: [PATCH] tmpfiles: make --purge hard to (mis-)use
+
+Follow-up for https://github.com/systemd/systemd/pull/33383.
+---
+ src/tmpfiles/tmpfiles.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index 5841db293e..9b0f744ba9 100644
+--- a/src/tmpfiles/tmpfiles.c
++++ b/src/tmpfiles/tmpfiles.c
+@@ -4195,6 +4195,7 @@ static int parse_argv(int argc, char *argv[]) {
+                 ARG_IMAGE_POLICY,
+                 ARG_REPLACE,
+                 ARG_DRY_RUN,
++                ARG_DESTROY_DATA,
+                 ARG_NO_PAGER,
+         };
+ 
+@@ -4218,10 +4219,18 @@ static int parse_argv(int argc, char *argv[]) {
+                 { "replace",        required_argument,   NULL, ARG_REPLACE        },
+                 { "dry-run",        no_argument,         NULL, ARG_DRY_RUN        },
+                 { "no-pager",       no_argument,         NULL, ARG_NO_PAGER       },
++
++                /* This is not documented on purpose.
++                 * If you think --purge should be allowed without jumping through hoops,
++                 * consider opening a bug report with the description of the use case.
++                 */
++                { "destroy-data",   no_argument,         NULL, ARG_DESTROY_DATA   },
++
+                 {}
+         };
+ 
+         int c, r;
++        bool destroy_data = false;
+ 
+         assert(argc >= 0);
+         assert(argv);
+@@ -4328,6 +4337,10 @@ static int parse_argv(int argc, char *argv[]) {
+                         arg_dry_run = true;
+                         break;
+ 
++                case ARG_DESTROY_DATA:
++                        destroy_data = true;
++                        break;
++
+                 case ARG_NO_PAGER:
+                         arg_pager_flags |= PAGER_DISABLE;
+                         break;
+@@ -4347,6 +4360,10 @@ static int parse_argv(int argc, char *argv[]) {
+                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                        "Refusing --purge without specification of a configuration file.");
+ 
++        if (FLAGS_SET(arg_operation, OPERATION_PURGE) && !arg_dry_run && !destroy_data)
++                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
++                                       "Refusing --purge without --destroy-data.");
++
+         if (arg_replace && arg_cat_flags != CAT_CONFIG_OFF)
+                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                        "Option --replace= is not supported with --cat-config/--tldr.");
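Review bot: The new guard in `parse_argv` refuses `--purge` unless `--dry-run` or the undocumented `--destroy-data` is given, but the error text names only `--destroy-data`, so the message points the user at the override and not at the non-destructive option the guard also accepts. Consider `"Refusing --purge without --destroy-data (or --dry-run)."`. `--destroy-data` is also accepted silently when `--purge` is not requested; a `log_warning()` for that combination would make a misplaced flag visible. `parse_argv` starts and ends outside the quoted hunks.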
diff --git a/26494.patch b/26494.patch
index 3c8f7a7..19bc67b 100644
--- a/26494.patch
+++ b/26494.patch
@@ -14,7 +14,7 @@ Fixes #26488.
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/src/core/manager.c b/src/core/manager.c
-index 7b394794b0d4d..306477c6e6c2d 100644
+index 7b394794b0d4..306477c6e6c2 100644
 --- a/src/core/manager.c
 +++ b/src/core/manager.c
 @@ -3822,8 +3822,8 @@ static int manager_run_generators(Manager *m) {
diff --git a/systemd.spec b/systemd.spec
index 9740349..adc7aed 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -1,4 +1,4 @@
-#global commit c4b843473a75fb38ed5bf54e9d3cfb1cb3719efa
+#global commit 1781de18ab8ebc3e42a607851d8effb3b0355c87
 %{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})}
 
 %if 0%{?facebook}
@@ -38,9 +38,16 @@
 # Build from git main
 %bcond upstream  0
 
+# When bootstrap, libcryptsetup is disabled
+# but auto-features causes many options to be turned on
+# that depend on libcryptsetup (e.g. libcryptsetup-plugins, homed)
+%if %{with bootstrap}
+%global __meson_auto_features disabled
+%endif
+
 Name:           systemd
-Url:            https://pagure.io/centos-sig-hyperscale/systemd
-# Allow users to specify the version and release when building the rpm by
+Url:            https://systemd.io
+# Allow users to specify the version and release when building the rpm by 
 # setting the %%version_override and %%release_override macros.
 Version:        %{?version_override}%{!?version_override:255.5}
 Release:        %{?release_override}%{!?release_override:1.4}%{?dist}
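Review bot: `Url:` now points at `https://systemd.io`, but `Source0:` (visible in the next hunk's header) is still derived as `%{url}/archive/%{commit}/…`, so wherever that line is active the tarball URL would expand to a path under systemd.io, which is presumably not where the archive is published. Anyone re-fetching or verifying the source from the spec would then have no working origin to compare against. Spell the archive location out in `Source0:` instead of deriving it from `%{url}`, or keep `Url:` on the forge that hosts the archive. The rewritten comment line ending in `building the rpm by ` also gains a trailing space.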
@@ -58,16 +65,17 @@ Source0:        %{url}/archive/%{commit}/%{name}-hs%{?facebook:+fb}-%{version}.t
 Source1:        triggers.systemd
 Source2:        split-files.py
 Source3:        purge-nobody-user
+Source4:        test_sysusers_defined.py
 
 # Prevent accidental removal of the systemd package
-Source4:        yum-protect-systemd.conf
-
-Source5:        inittab
-Source6:        sysctl.conf.README
-Source7:        systemd-journal-remote.xml
-Source8:        systemd-journal-gatewayd.xml
-Source9:        20-yama-ptrace.conf
-Source10:       systemd-udev-trigger-no-reload.conf
+Source5:        yum-protect-systemd.conf
+
+Source6:        inittab
+Source7:        sysctl.conf.README
+Source8:        systemd-journal-remote.xml
+Source9:        systemd-journal-gatewayd.xml
+Source10:       20-yama-ptrace.conf
+Source11:       systemd-udev-trigger-no-reload.conf
 # https://fedoraproject.org/wiki/How_to_filter_libabigail_reports
 Source13:       .abignore
 
@@ -100,17 +108,24 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # applying upstream pull requests.
 
 %if %{without upstream}
+# Drop varlink method call until selinux policy is updated,
+# see https://bodhi.fedoraproject.org/updates/FEDORA-2024-d5c99f5063,
+# https://bugzilla.redhat.com/show_bug.cgi?id=2279923.
+# Reverts https://github.com/systemd/systemd/commit/5b44c81ff868a4d1b78a74e4770f7a8b2f1d0f91.
+Patch0001:      0001-Revert-machined-add-varlink-interface-for-registerin.patch
 
+%if 0%{?fedora} < 41
 # Work-around for dracut issue: run generators directly when we are in initrd
 # https://bugzilla.redhat.com/show_bug.cgi?id=2164404
 # Drop when dracut-060 is available.
-Patch0001:      https://github.com/systemd/systemd/pull/26494.patch
-
+Patch0010:      https://github.com/systemd/systemd/pull/26494.patch
+%endif
 
-# Those are downstream-only patches, but we don't want them in packit builds:
 # https://bugzilla.redhat.com/show_bug.cgi?id=2251843
 Patch0491:      https://github.com/systemd/systemd/pull/30846.patch
 
+# Soft-disable tmpfiles --purge until a good use case comes up.
+Patch0492:      0001-tmpfiles-make-purge-hard-to-mis-use.patch
 %endif
 
 # Adjust upstream config to use our shared stack
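Review bot: `%if 0%{?fedora} < 41` is also true when `%fedora` is undefined, so the dracut work-around `Patch0010` keeps being applied on every non-Fedora build. That matches the `%else` branch of the dracut `Conflicts:` added later in this spec, but nothing here says it is intended. Add a line such as `# Also applied on non-Fedora builds, where %%fedora is undefined.` above the `%if`, or tighten the condition if only older Fedora releases are meant.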
@@ -205,7 +220,6 @@ BuildRequires:  firewalld-filesystem
 BuildRequires:  libseccomp-devel
 BuildRequires:  meson >= 0.43
 BuildRequires:  gettext
-BuildRequires:  rsync
 # We use RUNNING_ON_VALGRIND in tests, so the headers need to be available
 %ifarch %{valgrind_arches}
 BuildRequires:  valgrind-devel
@@ -253,8 +267,21 @@ Conflicts:      initscripts < 9.56.1
 %if 0%{?fedora}
 Conflicts:      fedora-release < 23-0.12
 %endif
-# Make sure that dracut supports systemd-executor and the renames done for v255
+%if 0%{?fedora} >= 41
+BuildRequires:  setup >= 2.15.0-3
+BuildRequires:  python3
+Conflicts:      setup < 2.15.0-3
+Conflicts:      selinux-policy-any < 41.1
+%endif
+
+%if 0%{?fedora} >= 41
+# Make sure that dracut supports systemd-executor and the renames done for v255,
+# and dlopen libraries and read-only fs in initrd.
+Conflicts:      dracut < 060-2
+%else
+# Make sure that dracut supports systemd-executor and the renames done for v255.
 Conflicts:      dracut < 059-16
+%endif
 
 Obsoletes:      timedatex < 0.6-3
 Provides:       timedatex = 0.6-3
@@ -713,6 +740,7 @@ CONFIGURE_OPTS=(
         -Delfutils=enabled
         -Dlibcryptsetup=%[%{with bootstrap}?"disabled":"enabled"]
         -Delfutils=enabled
+        -Drepart=enabled
         -Dpwquality=enabled
         -Dqrencode=%[%{defined rhel}?"disabled":"enabled"]
         -Dgnutls=%[%{with gnutls}?"enabled":"disabled"]
@@ -849,11 +877,13 @@ touch %{buildroot}/etc/systemd/coredump.conf \
       %{buildroot}/etc/udev/udev.conf \
       %{buildroot}/etc/udev/iocost.conf
 
+install -D -t %{buildroot}/usr/lib/systemd/ %{SOURCE3}
+
 # /etc/initab
-install -Dm0644 -t %{buildroot}/etc/ %{SOURCE5}
+install -Dm0644 -t %{buildroot}/etc/ %{SOURCE6}
 
 # /etc/sysctl.conf compat
-install -Dm0644 %{SOURCE6} %{buildroot}/etc/sysctl.conf
+install -Dm0644 %{SOURCE7} %{buildroot}/etc/sysctl.conf
 ln -s ../sysctl.conf %{buildroot}/etc/sysctl.d/99-sysctl.conf
 
 # Make sure these directories are properly owned
@@ -906,21 +936,19 @@ touch %{buildroot}%{_localstatedir}/lib/systemd/timesync/clock
 touch %{buildroot}%{_localstatedir}/lib/private/systemd/journal-upload/state
 
 # Install yum protection fragment
-install -Dm0644 %{SOURCE4} %{buildroot}/etc/dnf/protected.d/systemd.conf
+install -Dm0644 %{SOURCE5} %{buildroot}/etc/dnf/protected.d/systemd.conf
 
-install -Dm0644 -t %{buildroot}/usr/lib/firewalld/services/ %{SOURCE7} %{SOURCE8}
+install -Dm0644 -t %{buildroot}/usr/lib/firewalld/services/ %{SOURCE8} %{SOURCE9}
 
 # Install additional docs
 # https://bugzilla.redhat.com/show_bug.cgi?id=1234951
-install -Dm0644 -t %{buildroot}%{_pkgdocdir}/ %{SOURCE9}
+install -Dm0644 -t %{buildroot}%{_pkgdocdir}/ %{SOURCE10}
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1378974
-install -Dm0644 -t %{buildroot}%{system_unit_dir}/systemd-udev-trigger.service.d/ %{SOURCE10}
+install -Dm0644 -t %{buildroot}%{system_unit_dir}/systemd-udev-trigger.service.d/ %{SOURCE11}
 
 install -Dm0644 -t %{buildroot}%{_prefix}/lib/systemd/ %{SOURCE13}
 
-install -D -t %{buildroot}/usr/lib/systemd/ %{SOURCE3}
-
 # systemd-oomd default configuration
 install -Dm0644 -t %{buildroot}%{_prefix}/lib/systemd/oomd.conf.d/ %{SOURCE14}
 install -Dm0644 -t %{buildroot}%{system_unit_dir}/system.slice.d/ %{SOURCE15}
@@ -949,6 +977,13 @@ install -Dm0644 -t %{buildroot}%{_prefix}/lib/systemd/network/ %{SOURCE25}
 mv -v %{buildroot}/usr/sbin/* %{buildroot}%{_bindir}/
 %endif
 
+%if 0%{?fedora} >= 41
+# This requires https://pagure.io/setup/pull-request/50
+# and https://src.fedoraproject.org/rpms/setup/pull-request/10.
+%{python3} %{SOURCE4} /usr/lib/sysusers.d/20-setup-{users,groups}.conf %{buildroot}/usr/lib/sysusers.d/basic.conf
+rm %{buildroot}/usr/lib/sysusers.d/basic.conf
+%endif
+
 %find_lang %{name}
 
 # Split files in build root into rpms
@@ -1004,7 +1039,7 @@ fi
 
 # FIXME: systemd-logind.service is excluded (https://github.com/systemd/systemd/pull/17558)
 
-# This is the explanded form of %%systemd_user_daemon_reexec. We
+# This is the expanded form of %%systemd_user_daemon_reexec. We
 # can't use the macro because we define it ourselves.
 if [ $1 -ge 1 ] && [ -x "/usr/lib/systemd/systemd-update-helper" ]; then
     # Package upgrade, not uninstall
diff --git a/test_sysusers_defined.py b/test_sysusers_defined.py
new file mode 100755
index 0000000..2754578
--- /dev/null
+++ b/test_sysusers_defined.py
@@ -0,0 +1,34 @@
+#!/usr/bin/python
+
+import sys
+
+def parse_sysusers_file(filename):
+    users, groups = set(), set()
+
+    for line in open(filename):
+        line = line.strip()
+        if not line or line.startswith('#'):
+            continue
+        words = line.split()
+        match words[0]:
+            case 'u':
+                users.add(words[1])
+            case 'g':
+                groups.add(words[1])
+            case 'm'|'r':
+                continue
+            case _:
+                assert False
+    return users, groups
+
+setup_users, setup_groups = parse_sysusers_file(sys.argv[1])
+setup_users2, setup_groups2 = parse_sysusers_file(sys.argv[2])
+setup_users |= setup_users2
+setup_groups |= setup_groups2
+
+basic_users, basic_groups = parse_sysusers_file(sys.argv[3])
+
+if d := basic_users - setup_users:
+    exit(f'We have new users: {d}')
+if d := basic_groups - setup_groups:
+    exit(f'We have new groups: {d}')
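Review bot: An unrecognised line type is handled with `assert False`, which reports neither the file nor the offending type and is removed entirely under `python -O`, in which case the check silently skips lines it does not understand. Use `case _: raise ValueError(f'{filename}: unsupported line type {words[0]!r}')` instead. The comparison is by name only, so a user or group whose numeric ID or other fields differ between `basic.conf` and the setup files is not reported before the spec removes `basic.conf`; if that is intended, a one-line comment at the top of the script should say so. `open(filename)` is never closed (`with open(filename) as f:` fixes that), and `sys.exit` is preferable to the site-provided `exit` since `sys` is already imported.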