Diffstat (limited to 'units')
-rw-r--r--units/capsule.slice13
-rw-r--r--units/capsule@.service.in33
-rw-r--r--units/dev-hugepages.mount2
-rw-r--r--units/dev-mqueue.mount2
-rw-r--r--units/emergency.service.in2
-rw-r--r--units/exit.target2
-rw-r--r--units/halt.target2
-rw-r--r--units/initrd-parse-etc.service.in4
-rw-r--r--units/kexec.target2
-rw-r--r--units/meson.build81
-rw-r--r--units/proc-sys-fs-binfmt_misc.automount2
-rw-r--r--units/proc-sys-fs-binfmt_misc.mount2
-rw-r--r--units/quotaon-root.service.in24
-rw-r--r--units/quotaon@.service.in (renamed from units/quotaon.service.in)8
-rw-r--r--units/rescue.service.in2
-rw-r--r--units/ssh-access.target12
-rw-r--r--units/sys-fs-fuse-connections.mount2
-rw-r--r--units/sys-kernel-config.mount2
-rw-r--r--units/sys-kernel-debug.mount2
-rw-r--r--units/sys-kernel-tracing.mount2
-rw-r--r--units/syslog.socket4
-rw-r--r--units/systemd-battery-check.service.in1
-rw-r--r--units/systemd-binfmt.service.in2
-rw-r--r--units/systemd-boot-check-no-failures.service.in2
-rw-r--r--units/systemd-bootctl.socket21
-rw-r--r--units/systemd-bootctl@.service20
-rw-r--r--units/systemd-coredump.socket1
-rw-r--r--units/systemd-creds.socket21
-rw-r--r--units/systemd-creds@.service19
-rw-r--r--units/systemd-hibernate-clear.service.in24
-rw-r--r--units/systemd-homed-firstboot.service28
-rw-r--r--units/systemd-homed.service.in3
-rw-r--r--units/systemd-hostnamed.service.in3
-rw-r--r--units/systemd-hostnamed.socket19
-rw-r--r--units/systemd-importd.service.in1
-rw-r--r--units/systemd-journal-flush.service5
-rw-r--r--units/systemd-journald-sync@.service24
-rw-r--r--units/systemd-journald.service.in10
-rw-r--r--units/systemd-journald.socket2
-rw-r--r--units/systemd-journald@.service.in5
-rw-r--r--units/systemd-journald@.socket5
-rw-r--r--units/systemd-localed.service.in1
-rw-r--r--units/systemd-logind.service.in2
-rw-r--r--units/systemd-machine-id-commit.service4
-rw-r--r--units/systemd-mountfsd.service.in46
-rw-r--r--units/systemd-mountfsd.socket22
-rw-r--r--units/systemd-network-generator.service.in3
-rw-r--r--units/systemd-networkd-persistent-storage.service27
-rw-r--r--units/systemd-networkd.service.in3
-rw-r--r--units/systemd-nsresourced.service.in47
-rw-r--r--units/systemd-nsresourced.socket23
-rw-r--r--units/systemd-pcrextend.socket4
-rw-r--r--units/systemd-pcrextend@.service.in3
-rw-r--r--units/systemd-pcrfs-root.service.in4
-rw-r--r--units/systemd-pcrfs@.service.in4
-rw-r--r--units/systemd-pcrlock-file-system.service.in3
-rw-r--r--units/systemd-pcrlock-firmware-code.service.in4
-rw-r--r--units/systemd-pcrlock-firmware-config.service.in4
-rw-r--r--units/systemd-pcrlock-machine-id.service.in3
-rw-r--r--units/systemd-pcrlock-make-policy.service.in3
-rw-r--r--units/systemd-pcrlock-secureboot-authority.service.in3
-rw-r--r--units/systemd-pcrlock-secureboot-policy.service.in3
-rw-r--r--units/systemd-pcrlock.socket25
-rw-r--r--units/systemd-pcrlock@.service.in21
-rw-r--r--units/systemd-pcrmachine.service.in3
-rw-r--r--units/systemd-pcrphase-initrd.service.in3
-rw-r--r--units/systemd-pcrphase-sysinit.service.in4
-rw-r--r--units/systemd-pcrphase.service.in4
-rw-r--r--units/systemd-quotacheck-root.service.in25
-rw-r--r--units/systemd-quotacheck@.service.in (renamed from units/systemd-quotacheck.service.in)8
-rw-r--r--units/systemd-remount-fs.service.in2
-rw-r--r--units/systemd-repart.service (renamed from units/systemd-repart.service.in)4
-rw-r--r--units/systemd-resolved.service.in6
-rw-r--r--units/systemd-rfkill.service.in2
-rw-r--r--units/systemd-sysext.socket3
-rw-r--r--units/systemd-sysext@.service2
-rw-r--r--units/systemd-sysupdate.timer2
-rw-r--r--units/systemd-timedated.service.in1
-rw-r--r--units/systemd-tpm2-setup-early.service.in2
-rw-r--r--units/systemd-tpm2-setup.service.in4
-rw-r--r--units/systemd-udev-load-credentials.service29
-rw-r--r--units/systemd-udevd.service.in1
-rw-r--r--units/systemd-vmspawn@.service.in34
-rw-r--r--units/tmp.mount2
-rw-r--r--units/tpm2.target16
-rw-r--r--units/user-runtime-dir@.service.in1
-rw-r--r--units/user/capsule@.target15
-rw-r--r--units/user/meson.build1
-rw-r--r--units/user@.service.in2
89 files changed, 779 insertions, 80 deletions
diff --git a/units/capsule.slice b/units/capsule.slice
new file mode 100644
index 0000000..cb8995a
--- /dev/null
+++ b/units/capsule.slice
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Capsule Slice
+Documentation=man:systemd.special(7)
+Before=slices.target
diff --git a/units/capsule@.service.in b/units/capsule@.service.in
new file mode 100644
index 0000000..f2bb9e3
--- /dev/null
+++ b/units/capsule@.service.in
@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Capsule Service Manager for %i
+Documentation=man:capsule@.service(5)
+After=dbus.service systemd-oomd.service
+
+[Service]
+User=c-%i
+DynamicUser=yes
+Type=notify-reload
+ExecStart={{LIBEXECDIR}}/systemd --user --unit=capsule@%i.target
+Environment=HOME=/var/lib/capsules/%i
+Environment=XDG_RUNTIME_DIR=/run/capsules/%i
+StateDirectory=capsules/%i
+RuntimeDirectory=capsules/%i
+LogExtraFields=CAPSULE=%i
+Slice=capsule.slice
+KillMode=mixed
+Delegate=pids memory cpu
+DelegateSubgroup=init.scope
+TasksMax=infinity
+TimeoutStopSec={{ DEFAULT_USER_TIMEOUT_SEC*4//3 }}s
+KeyringMode=inherit
+OOMScoreAdjust=100
+MemoryPressureWatch=skip
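Review bot: `TasksMax=infinity` combined with `Delegate=pids memory cpu` leaves the task count of a capsule unbounded at this unit, and the capsule.slice added in the same commit sets no limit either, so nothing visible here caps a runaway fork loop inside one capsule. If that is intended, say so above the line, e.g. `# No task limit on the capsule manager itself; limits are expected on capsule.slice or via drop-ins`, or add a `TasksMax=` to capsule.slice. `KeyringMode=inherit` also deserves a one-line comment on why this unit does not get a private session keyring.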
diff --git a/units/dev-hugepages.mount b/units/dev-hugepages.mount
index 88cd89d..f836282 100644
--- a/units/dev-hugepages.mount
+++ b/units/dev-hugepages.mount
@@ -10,7 +10,7 @@
[Unit]
Description=Huge Pages File System
Documentation=https://docs.kernel.org/admin-guide/mm/hugetlbpage.html
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
DefaultDependencies=no
Before=sysinit.target
ConditionPathExists=/sys/kernel/mm/hugepages
diff --git a/units/dev-mqueue.mount b/units/dev-mqueue.mount
index 02683a9..1fd9cc2 100644
--- a/units/dev-mqueue.mount
+++ b/units/dev-mqueue.mount
@@ -10,7 +10,7 @@
[Unit]
Description=POSIX Message Queue File System
Documentation=man:mq_overview(7)
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
DefaultDependencies=no
Before=sysinit.target
ConditionPathExists=/proc/sys/fs/mqueue
diff --git a/units/emergency.service.in b/units/emergency.service.in
index 8f70cbe..25aa8ec 100644
--- a/units/emergency.service.in
+++ b/units/emergency.service.in
@@ -19,7 +19,7 @@ Before=rescue.service
[Service]
Environment=HOME=/root
WorkingDirectory=-/root
-ExecStartPre=-{{BINDIR}}/plymouth --wait quit
+ExecStartPre=-plymouth --wait quit
ExecStart=-{{LIBEXECDIR}}/systemd-sulogin-shell emergency
Type=idle
StandardInput=tty-force
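Review bot: `ExecStartPre=-plymouth --wait quit` now names the binary without a path, so which file runs as root on the way into the emergency shell depends on the manager's executable search path instead of the build-time `{{BINDIR}}`. As far as I know that search path is compiled in rather than taken from the environment, but it can list local directories ahead of the distribution ones, so a stray `plymouth` there would be picked up first. A comment stating that the path-less lookup is deliberate would make this reviewable. The same applies to rescue.service.in, `ExecStart=bootctl` in systemd-bootctl@.service, `ExecStart=-systemd-creds` in systemd-creds@.service and the `homectl` call in systemd-homed-firstboot.service. The [Service] section continues outside this hunk.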
diff --git a/units/exit.target b/units/exit.target
index f8a22e5..046dc03 100644
--- a/units/exit.target
+++ b/units/exit.target
@@ -14,6 +14,8 @@ DefaultDependencies=no
Requires=systemd-exit.service
After=systemd-exit.service
AllowIsolate=yes
+JobTimeoutSec=30min
+JobTimeoutAction=exit-force
[Install]
Alias=ctrl-alt-del.target
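Review bot: The added `JobTimeoutSec=30min` / `JobTimeoutAction=exit-force` pair carries no comment, and a forced action presumably cuts short the orderly stop of whatever units are still running, so the reason and the chosen bound should be stated next to it. Something like `# Force the exit if the shutdown transaction is still pending after 30 minutes, so a hung stop job cannot block it forever` above the two lines would do. The same comment is missing in halt.target (`halt-force`) and kexec.target (`kexec-force`).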
diff --git a/units/halt.target b/units/halt.target
index bfa5f23..c19865f 100644
--- a/units/halt.target
+++ b/units/halt.target
@@ -14,6 +14,8 @@ DefaultDependencies=no
Requires=systemd-halt.service
After=systemd-halt.service
AllowIsolate=yes
+JobTimeoutSec=30min
+JobTimeoutAction=halt-force
[Install]
Alias=ctrl-alt-del.target
diff --git a/units/initrd-parse-etc.service.in b/units/initrd-parse-etc.service.in
index 3dadab1..1eef2bd 100644
--- a/units/initrd-parse-etc.service.in
+++ b/units/initrd-parse-etc.service.in
@@ -23,9 +23,7 @@ OnFailureJobMode=replace-irreversibly
[Service]
Type=oneshot
-# FIXME: once dracut is patched to install the symlink, change to:
-# ExecStart={{LIBEXECDIR}}/systemd-sysroot-fstab-check
-ExecStart=@{{SYSTEM_GENERATOR_DIR}}/systemd-fstab-generator systemd-sysroot-fstab-check
+ExecStart={{LIBEXECDIR}}/systemd-sysroot-fstab-check
# We want to enqueue initrd-cleanup.service/start after we finished the part
# above. It can't be part of the initial transaction, because non-oneshot units
diff --git a/units/kexec.target b/units/kexec.target
index 5d8f8cd..dee7d20 100644
--- a/units/kexec.target
+++ b/units/kexec.target
@@ -14,6 +14,8 @@ DefaultDependencies=no
Requires=systemd-kexec.service
After=systemd-kexec.service
AllowIsolate=yes
+JobTimeoutSec=30min
+JobTimeoutAction=kexec-force
[Install]
Alias=ctrl-alt-del.target
diff --git a/units/meson.build b/units/meson.build
index e7bfb7f..b231341 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -7,6 +7,8 @@ units = [
{ 'file' : 'blockdev@.target' },
{ 'file' : 'bluetooth.target' },
{ 'file' : 'boot-complete.target' },
+ { 'file' : 'capsule@.service.in' },
+ { 'file' : 'capsule.slice' },
{ 'file' : 'console-getty.service.in' },
{ 'file' : 'container-getty@.service.in' },
{
@@ -161,7 +163,11 @@ units = [
'conditions' : ['ENABLE_BINFMT'],
},
{
- 'file' : 'quotaon.service.in',
+ 'file' : 'quotaon@.service.in',
+ 'conditions' : ['ENABLE_QUOTACHECK'],
+ },
+ {
+ 'file' : 'quotaon-root.service.in',
'conditions' : ['ENABLE_QUOTACHECK'],
},
{
@@ -199,6 +205,7 @@ units = [
{ 'file' : 'sockets.target' },
{ 'file' : 'soft-reboot.target' },
{ 'file' : 'sound.target' },
+ { 'file' : 'ssh-access.target' },
{
'file' : 'suspend-then-hibernate.target',
'conditions' : ['ENABLE_HIBERNATE'],
@@ -268,6 +275,15 @@ units = [
'conditions' : ['ENABLE_BOOTLOADER'],
},
{
+ 'file' : 'systemd-bootctl@.service',
+ 'conditions' : ['ENABLE_BOOTLOADER'],
+ },
+ {
+ 'file' : 'systemd-bootctl.socket',
+ 'conditions' : ['ENABLE_BOOTLOADER'],
+ 'symlinks' : ['sockets.target.wants/'],
+ },
+ {
'file' : 'systemd-confext.service',
'conditions' : ['ENABLE_SYSEXT'],
},
@@ -280,6 +296,11 @@ units = [
'file' : 'systemd-coredump@.service.in',
'conditions' : ['ENABLE_COREDUMP'],
},
+ {
+ 'file' : 'systemd-creds.socket',
+ 'symlinks' : ['sockets.target.wants/'],
+ },
+ { 'file' : 'systemd-creds@.service' },
{ 'file' : 'systemd-exit.service' },
{
'file' : 'systemd-firstboot.service',
@@ -292,6 +313,11 @@ units = [
{ 'file' : 'systemd-growfs@.service.in' },
{ 'file' : 'systemd-halt.service' },
{
+ 'file' : 'systemd-hibernate-clear.service.in',
+ 'conditions' : ['ENABLE_HIBERNATE', 'ENABLE_EFI'],
+ 'symlinks' : ['sysinit.target.wants/'],
+ },
+ {
'file' : 'systemd-hibernate-resume.service.in',
'conditions' : ['ENABLE_HIBERNATE'],
},
@@ -304,6 +330,10 @@ units = [
'conditions' : ['ENABLE_HOMED'],
},
{
+ 'file' : 'systemd-homed-firstboot.service',
+ 'conditions' : ['ENABLE_HOMED'],
+ },
+ {
'file' : 'systemd-homed.service.in',
'conditions' : ['ENABLE_HOMED'],
},
@@ -313,6 +343,11 @@ units = [
'symlinks' : ['dbus-org.freedesktop.hostname1.service'],
},
{
+ 'file' : 'systemd-hostnamed.socket',
+ 'conditions' : ['ENABLE_HOSTNAMED'],
+ 'symlinks' : ['sockets.target.wants/'],
+ },
+ {
'file' : 'systemd-hwdb-update.service.in',
'conditions' : ['ENABLE_HWDB'],
'symlinks' : ['sysinit.target.wants/'],
@@ -368,6 +403,7 @@ units = [
'file' : 'systemd-journald-dev-log.socket',
'symlinks' : ['sockets.target.wants/'],
},
+ { 'file' : 'systemd-journald-sync@.service' },
{ 'file' : 'systemd-journald-varlink@.socket' },
{
'file' : 'systemd-journald.service.in',
@@ -406,6 +442,10 @@ units = [
},
{ 'file' : 'systemd-network-generator.service.in' },
{
+ 'file' : 'systemd-networkd-persistent-storage.service',
+ 'conditions' : ['ENABLE_NETWORKD'],
+ },
+ {
'file' : 'systemd-networkd-wait-online.service.in',
'conditions' : ['ENABLE_NETWORKD'],
},
@@ -423,6 +463,10 @@ units = [
},
{ 'file' : 'systemd-nspawn@.service.in' },
{
+ 'file' : 'systemd-vmspawn@.service.in',
+ 'conditions' : ['ENABLE_VMSPAWN'],
+ },
+ {
'file' : 'systemd-oomd.service.in',
'conditions' : ['ENABLE_OOMD'],
},
@@ -506,6 +550,15 @@ units = [
'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'],
},
{
+ 'file' : 'systemd-pcrlock@.service.in',
+ 'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'],
+ },
+ {
+ 'file' : 'systemd-pcrlock.socket',
+ 'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'],
+ 'symlinks' : ['sockets.target.wants/'],
+ },
+ {
'file' : 'systemd-portabled.service.in',
'conditions' : ['ENABLE_PORTABLED'],
'symlinks' : ['dbus-org.freedesktop.portable1.service'],
@@ -516,7 +569,11 @@ units = [
'conditions' : ['ENABLE_PSTORE'],
},
{
- 'file' : 'systemd-quotacheck.service.in',
+ 'file' : 'systemd-quotacheck@.service.in',
+ 'conditions' : ['ENABLE_QUOTACHECK'],
+ },
+ {
+ 'file' : 'systemd-quotacheck-root.service.in',
'conditions' : ['ENABLE_QUOTACHECK'],
},
{
@@ -527,7 +584,7 @@ units = [
{ 'file' : 'systemd-reboot.service' },
{ 'file' : 'systemd-remount-fs.service.in' },
{
- 'file' : 'systemd-repart.service.in',
+ 'file' : 'systemd-repart.service',
'conditions' : ['ENABLE_REPART'],
'symlinks' : ['sysinit.target.wants/', 'initrd-root-fs.target.wants/'],
},
@@ -632,6 +689,7 @@ units = [
'conditions' : ['ENABLE_TMPFILES'],
'symlinks' : ['sysinit.target.wants/'],
},
+ { 'file' : 'systemd-udev-load-credentials.service' },
{ 'file' : 'systemd-udev-settle.service' },
{
'file' : 'systemd-udev-trigger.service',
@@ -677,6 +735,22 @@ units = [
'conditions' : ['ENABLE_USERDB'],
},
{
+ 'file' : 'systemd-mountfsd.service.in',
+ 'conditions' : ['ENABLE_MOUNTFSD'],
+ },
+ {
+ 'file' : 'systemd-mountfsd.socket',
+ 'conditions' : ['ENABLE_MOUNTFSD'],
+ },
+ {
+ 'file' : 'systemd-nsresourced.service.in',
+ 'conditions' : ['ENABLE_NSRESOURCED'],
+ },
+ {
+ 'file' : 'systemd-nsresourced.socket',
+ 'conditions' : ['ENABLE_NSRESOURCED'],
+ },
+ {
'file' : 'systemd-vconsole-setup.service.in',
'conditions' : ['ENABLE_VCONSOLE'],
},
@@ -691,6 +765,7 @@ units = [
'file' : 'tmp.mount',
'symlinks' : ['local-fs.target.wants/'],
},
+ { 'file' : 'tpm2.target' },
{ 'file' : 'umount.target' },
{ 'file' : 'usb-gadget.target' },
{ 'file' : 'user-runtime-dir@.service.in' },
diff --git a/units/proc-sys-fs-binfmt_misc.automount b/units/proc-sys-fs-binfmt_misc.automount
index 5d21201..7ec21e7 100644
--- a/units/proc-sys-fs-binfmt_misc.automount
+++ b/units/proc-sys-fs-binfmt_misc.automount
@@ -10,7 +10,7 @@
[Unit]
Description=Arbitrary Executable File Formats File System Automount Point
Documentation=https://docs.kernel.org/admin-guide/binfmt-misc.html
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
ConditionPathExists=/proc/sys/fs/binfmt_misc/
ConditionPathIsReadWrite=/proc/sys/
diff --git a/units/proc-sys-fs-binfmt_misc.mount b/units/proc-sys-fs-binfmt_misc.mount
index 88a7748..9518708 100644
--- a/units/proc-sys-fs-binfmt_misc.mount
+++ b/units/proc-sys-fs-binfmt_misc.mount
@@ -10,7 +10,7 @@
[Unit]
Description=Arbitrary Executable File Formats File System
Documentation=https://docs.kernel.org/admin-guide/binfmt-misc.html
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
DefaultDependencies=no
[Mount]
diff --git a/units/quotaon-root.service.in b/units/quotaon-root.service.in
new file mode 100644
index 0000000..cd308f4
--- /dev/null
+++ b/units/quotaon-root.service.in
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Enable Root File System Quotas
+Documentation=man:quotaon(8)
+
+ConditionPathExists=!/etc/initrd-release
+
+DefaultDependencies=no
+After=systemd-quotacheck-root.service
+Before=local-fs.target shutdown.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart={{QUOTAON}} -ug /
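Review bot: This new unit runs `{{QUOTAON}} -ug /` but, unlike quotaon@.service.in in the same commit, has no `ConditionPathExists={{QUOTAON}}`, so on a system without the quotaon binary it would fail rather than be skipped. Adding `ConditionPathExists={{QUOTAON}}` next to the existing `ConditionPathExists=!/etc/initrd-release` keeps the two units consistent. Whether something outside this diff only pulls the unit in when quotas are configured is not visible here.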
diff --git a/units/quotaon.service.in b/units/quotaon@.service.in
index 7fa7061..23f365a 100644
--- a/units/quotaon.service.in
+++ b/units/quotaon@.service.in
@@ -12,13 +12,15 @@ Description=Enable File System Quotas
Documentation=man:quotaon(8)
ConditionPathExists={{QUOTAON}}
+ConditionPathExists=!/etc/initrd-release
DefaultDependencies=no
-After=systemd-quotacheck.service
-Before=remote-fs.target
+BindsTo=%i.mount
+After=systemd-quotacheck@%i.service %i.mount
Before=shutdown.target
+Conflicts=shutdown.target
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStart={{QUOTAON}} -aug
+ExecStart={{QUOTAON}} -ug %f
diff --git a/units/rescue.service.in b/units/rescue.service.in
index 5113408..add6047 100644
--- a/units/rescue.service.in
+++ b/units/rescue.service.in
@@ -18,7 +18,7 @@ Before=shutdown.target
[Service]
Environment=HOME=/root
WorkingDirectory=-/root
-ExecStartPre=-{{BINDIR}}/plymouth --wait quit
+ExecStartPre=-plymouth --wait quit
ExecStart=-{{LIBEXECDIR}}/systemd-sulogin-shell rescue
Type=idle
StandardInput=tty-force
diff --git a/units/ssh-access.target b/units/ssh-access.target
new file mode 100644
index 0000000..f9b6a4c
--- /dev/null
+++ b/units/ssh-access.target
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=SSH Access Available
+Documentation=man:systemd.special(7)
diff --git a/units/sys-fs-fuse-connections.mount b/units/sys-fs-fuse-connections.mount
index 929d8e3..bd3f22a 100644
--- a/units/sys-fs-fuse-connections.mount
+++ b/units/sys-fs-fuse-connections.mount
@@ -10,7 +10,7 @@
[Unit]
Description=FUSE Control File System
Documentation=https://docs.kernel.org/filesystems/fuse.html
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
DefaultDependencies=no
ConditionPathExists=/sys/fs/fuse/connections
ConditionCapability=CAP_SYS_ADMIN
diff --git a/units/sys-kernel-config.mount b/units/sys-kernel-config.mount
index dca94a8..26ee160 100644
--- a/units/sys-kernel-config.mount
+++ b/units/sys-kernel-config.mount
@@ -10,7 +10,7 @@
[Unit]
Description=Kernel Configuration File System
Documentation=https://docs.kernel.org/filesystems/configfs.html
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
DefaultDependencies=no
ConditionPathExists=/sys/kernel/config
ConditionCapability=CAP_SYS_RAWIO
diff --git a/units/sys-kernel-debug.mount b/units/sys-kernel-debug.mount
index 6c77ef5..5f0a75b 100644
--- a/units/sys-kernel-debug.mount
+++ b/units/sys-kernel-debug.mount
@@ -10,7 +10,7 @@
[Unit]
Description=Kernel Debug File System
Documentation=https://docs.kernel.org/filesystems/debugfs.html
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
DefaultDependencies=no
ConditionPathExists=/sys/kernel/debug
ConditionCapability=CAP_SYS_RAWIO
diff --git a/units/sys-kernel-tracing.mount b/units/sys-kernel-tracing.mount
index f3cd47f..ed8f948 100644
--- a/units/sys-kernel-tracing.mount
+++ b/units/sys-kernel-tracing.mount
@@ -10,7 +10,7 @@
[Unit]
Description=Kernel Trace File System
Documentation=https://docs.kernel.org/trace/ftrace.html
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
DefaultDependencies=no
ConditionVirtualization=!lxc
ConditionPathExists=/sys/kernel/tracing
diff --git a/units/syslog.socket b/units/syslog.socket
index ff76bc5..26b691c 100644
--- a/units/syslog.socket
+++ b/units/syslog.socket
@@ -10,7 +10,7 @@
[Unit]
Description=Syslog Socket
Documentation=man:systemd.special(7)
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/syslog
+Documentation=https://systemd.io/SYSLOG
DefaultDependencies=no
Before=sockets.target
@@ -44,4 +44,4 @@ ReceiveBuffer=8M
# [Install]
# Alias=syslog.service
#
-# See https://www.freedesktop.org/wiki/Software/systemd/syslog for details.
+# See https://systemd.io/SYSLOG for details.
diff --git a/units/systemd-battery-check.service.in b/units/systemd-battery-check.service.in
index a5f532d..ee87118 100644
--- a/units/systemd-battery-check.service.in
+++ b/units/systemd-battery-check.service.in
@@ -12,6 +12,7 @@ Description=Check battery level during early boot
Documentation=man:systemd-battery-check.service(8)
ConditionVirtualization=no
ConditionDirectoryNotEmpty=/sys/class/power_supply/
+ConditionKernelCommandLine=!systemd.battery_check=0
ConditionKernelCommandLine=!systemd.battery-check=0
AssertPathExists=/etc/initrd-release
DefaultDependencies=no
diff --git a/units/systemd-binfmt.service.in b/units/systemd-binfmt.service.in
index 6861c76..318bf8e 100644
--- a/units/systemd-binfmt.service.in
+++ b/units/systemd-binfmt.service.in
@@ -11,7 +11,7 @@
Description=Set Up Additional Binary Formats
Documentation=man:systemd-binfmt.service(8) man:binfmt.d(5)
Documentation=https://docs.kernel.org/admin-guide/binfmt-misc.html
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
DefaultDependencies=no
Conflicts=shutdown.target
After=proc-sys-fs-binfmt_misc.automount
diff --git a/units/systemd-boot-check-no-failures.service.in b/units/systemd-boot-check-no-failures.service.in
index eaadd0e..2e17cb9 100644
--- a/units/systemd-boot-check-no-failures.service.in
+++ b/units/systemd-boot-check-no-failures.service.in
@@ -12,8 +12,6 @@ Description=Check if Any System Units Failed
Documentation=man:systemd-boot-check-no-failures.service(8)
After=default.target graphical.target multi-user.target
Before=boot-complete.target
-Conflicts=shutdown.target
-Before=shutdown.target
[Service]
Type=oneshot
diff --git a/units/systemd-bootctl.socket b/units/systemd-bootctl.socket
new file mode 100644
index 0000000..59151ba
--- /dev/null
+++ b/units/systemd-bootctl.socket
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Boot Entries Service Socket
+Documentation=man:bootctl(1)
+DefaultDependencies=no
+After=local-fs.target
+Before=sockets.target
+
+[Socket]
+ListenStream=/run/systemd/io.systemd.BootControl
+FileDescriptorName=varlink
+SocketMode=0600
+Accept=yes
diff --git a/units/systemd-bootctl@.service b/units/systemd-bootctl@.service
new file mode 100644
index 0000000..5de6156
--- /dev/null
+++ b/units/systemd-bootctl@.service
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Boot Entries Service
+Documentation=man:bootctl(1)
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=local-fs.target
+Before=shutdown.target
+
+[Service]
+Environment=LISTEN_FDNAMES=varlink
+ExecStart=bootctl
diff --git a/units/systemd-coredump.socket b/units/systemd-coredump.socket
index a2d457f..c78eacd 100644
--- a/units/systemd-coredump.socket
+++ b/units/systemd-coredump.socket
@@ -19,3 +19,4 @@ ListenSequentialPacket=/run/systemd/coredump
SocketMode=0600
Accept=yes
MaxConnections=16
+MaxConnectionsPerSource=8
diff --git a/units/systemd-creds.socket b/units/systemd-creds.socket
new file mode 100644
index 0000000..bf13c11
--- /dev/null
+++ b/units/systemd-creds.socket
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Credential Encryption/Decryption
+Documentation=man:systemd-creds(1)
+DefaultDependencies=no
+Before=sockets.target
+
+[Socket]
+ListenStream=/run/systemd/io.systemd.Credentials
+FileDescriptorName=varlink
+SocketMode=0666
+Accept=yes
+MaxConnectionsPerSource=16
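Review bot: `SocketMode=0666` makes the credential encryption/decryption endpoint connectable by every local user, so all access control has to happen in the service behind it, and the unit gives no hint of that. A comment above the line, e.g. `# World-accessible on purpose: callers are authorized by the service based on peer credentials`, would record the intent, assuming that is how the service decides, which this diff does not show. `MaxConnectionsPerSource=16` bounds a single caller, but with no explicit `MaxConnections=` the overall bound is left to the default. systemd-hostnamed.socket further down also uses `SocketMode=0666` without a comment.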
diff --git a/units/systemd-creds@.service b/units/systemd-creds@.service
new file mode 100644
index 0000000..d565836
--- /dev/null
+++ b/units/systemd-creds@.service
@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Credential Encryption/Decryption
+Documentation=man:systemd-creds(1)
+DefaultDependencies=no
+Conflicts=shutdown.target initrd-switch-root.target
+Before=shutdown.target initrd-switch-root.target
+
+[Service]
+Environment=LISTEN_FDNAMES=varlink
+ExecStart=-systemd-creds
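Review bot: This service is started once per connection from a socket any local user can reach, yet its [Service] section has no `User=` and no sandboxing, so it presumably runs as root with the default privilege set. Consider adding the restrictions that do not interfere with key and TPM access, for example `NoNewPrivileges=yes`, `PrivateNetwork=yes` and `ProtectHome=yes`, and validate them against both the encrypt and decrypt paths. The `-` prefix in `ExecStart=-systemd-creds` also means a failing instance is treated as successful, so failed requests will not show up as failed units and have to be caught from the logs.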
diff --git a/units/systemd-hibernate-clear.service.in b/units/systemd-hibernate-clear.service.in
new file mode 100644
index 0000000..2e8587e
--- /dev/null
+++ b/units/systemd-hibernate-clear.service.in
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Clear Stale Hibernate Storage Info
+Documentation=man:systemd-hibernate-clear.service(8)
+
+ConditionPathExists=/sys/firmware/efi/efivars/HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67
+ConditionPathExists=!/etc/initrd-release
+
+DefaultDependencies=no
+Before=sysinit.target shutdown.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart={{LIBEXECDIR}}/systemd-hibernate-resume --clear
diff --git a/units/systemd-homed-firstboot.service b/units/systemd-homed-firstboot.service
new file mode 100644
index 0000000..3615940
--- /dev/null
+++ b/units/systemd-homed-firstboot.service
@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=First Boot Home Area Wizard
+Documentation=man:homectl(1)
+ConditionFirstBoot=yes
+After=home.mount systemd-homed.service
+Before=systemd-user-sessions.service first-boot-complete.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=homectl firstboot --prompt-new-user
+StandardOutput=tty
+StandardInput=tty
+StandardError=tty
+ImportCredential=home.*
+
+[Install]
+WantedBy=systemd-homed.service
+Also=systemd-homed.service
diff --git a/units/systemd-homed.service.in b/units/systemd-homed.service.in
index e629048..b54e5d3 100644
--- a/units/systemd-homed.service.in
+++ b/units/systemd-homed.service.in
@@ -30,6 +30,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG AF_INET AF_INET6
RestrictNamespaces=mnt user
RestrictRealtime=yes
StateDirectory=systemd/home
+CacheDirectory=systemd/home
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service @mount quotactl
@@ -39,4 +40,4 @@ TimeoutStopSec=3min
[Install]
WantedBy=multi-user.target
Alias=dbus-org.freedesktop.home1.service
-Also=systemd-homed-activate.service systemd-userdbd.service
+Also=systemd-homed-activate.service
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 31b45e0..ab00c24 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -15,6 +15,7 @@ Documentation=man:machine-info(5)
Documentation=man:org.freedesktop.hostname1(5)
[Service]
+Type=notify
BusName=org.freedesktop.hostname1
CapabilityBoundingSet=CAP_SYS_ADMIN
ExecStart={{LIBEXECDIR}}/systemd-hostnamed
@@ -22,7 +23,7 @@ IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
-PrivateDevices=yes
+DeviceAllow=/dev/vsock r
PrivateNetwork=yes
PrivateTmp=yes
ProtectProc=invisible
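Review bot: Replacing `PrivateDevices=yes` with `DeviceAllow=/dev/vsock r` gives up more than device access: the private /dev mount goes away, and as far as I know so do the capability and raw-I/O system call restrictions that `PrivateDevices=` implies. Device access is then limited only by the device cgroup policy derived from `DeviceAllow=`. I would add a comment such as `# PrivateDevices=yes would hide /dev/vsock, so device access is restricted with DeviceAllow= instead` and an explicit `DevicePolicy=closed` so the intended policy is visible in the unit. The [Service] section continues outside this hunk.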
diff --git a/units/systemd-hostnamed.socket b/units/systemd-hostnamed.socket
new file mode 100644
index 0000000..2a2cfce
--- /dev/null
+++ b/units/systemd-hostnamed.socket
@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Hostname Service Socket
+Documentation=man:systemd-hostnamed.service(8)
+Documentation=man:hostname(5)
+Documentation=man:machine-info(5)
+
+[Socket]
+ListenStream=/run/systemd/io.systemd.Hostname
+FileDescriptorName=varlink
+SocketMode=0666
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index fc24a05..daa9377 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -13,6 +13,7 @@ Documentation=man:systemd-importd.service(8)
Documentation=man:org.freedesktop.import1(5)
[Service]
+Type=notify
ExecStart={{LIBEXECDIR}}/systemd-importd
BusName=org.freedesktop.import1
KillMode=mixed
diff --git a/units/systemd-journal-flush.service b/units/systemd-journal-flush.service
index 8c01587..bd098e6 100644
--- a/units/systemd-journal-flush.service
+++ b/units/systemd-journal-flush.service
@@ -14,12 +14,15 @@ Documentation=man:systemd-journald.service(8) man:journald.conf(5)
ConditionPathExists=!/etc/initrd-release
DefaultDependencies=no
-After=systemd-remount-fs.service
+After=systemd-remount-fs.service systemd-quotacheck-root.service
Before=systemd-tmpfiles-setup.service
Wants=systemd-journald.service
After=systemd-journald.service
RequiresMountsFor=/var/log/journal
+Before=soft-reboot.target systemd-soft-reboot.service
+Conflicts=soft-reboot.target
+
[Service]
ExecStart=journalctl --flush
ExecStop=journalctl --smart-relinquish-var
diff --git a/units/systemd-journald-sync@.service b/units/systemd-journald-sync@.service
new file mode 100644
index 0000000..3eafcd0
--- /dev/null
+++ b/units/systemd-journald-sync@.service
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Sync Journal for Namespace %i
+Documentation=man:systemd-journald.service(8) man:journald.conf(5)
+
+# At the time when journalctl in ExecStop= is invoked,
+# systemd-journald@.service may not be started yet. Hence, both socket
+# units must be active when journalctl is invoked.
+Requires=systemd-journald@%i.socket systemd-journald-varlink@%i.socket
+After=systemd-journald@%i.socket systemd-journald-varlink@%i.socket
+StopWhenUnneeded=yes
+
+[Service]
+ExecStop=journalctl --namespace=%i --sync
+Type=oneshot
+RemainAfterExit=yes
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 37eeabc..4404af9 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -17,7 +17,10 @@ Before=sysinit.target
# To avoid journald SIGKILLed during soft-reboot and corrupting journals.
# See https://github.com/systemd/systemd/issues/30195
-Before=soft-reboot.target
+# Note, typically soft-reboot.target will be never reached,
+# and systemd-soft-reboot.service will trigger soft-reboot.
+# Hence, this must be stopped before systemd-soft-reboot.service.
+Before=soft-reboot.target systemd-soft-reboot.service
Conflicts=soft-reboot.target
# Mount and swap units need the journal socket units. If they were removed by
@@ -29,6 +32,9 @@ IgnoreOnIsolate=yes
DeviceAllow=char-* rw
ExecStart={{LIBEXECDIR}}/systemd-journald
FileDescriptorStoreMax=4224
+# Ensure services using StandardOutput=journal do not break when journald is stopped
+FileDescriptorStorePreserve=yes
+ImportCredential=journal.*
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
@@ -37,7 +43,7 @@ OOMScoreAdjust=-250
ProtectClock=yes
Restart=always
RestartSec=0
-RestrictAddressFamilies=AF_UNIX AF_NETLINK
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_VSOCK AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
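Review bot: `RestrictAddressFamilies=` now also admits `AF_VSOCK AF_INET AF_INET6`, which widens journald's sandbox from local-only sockets to network-capable ones, and the unit does not say why. `IPAddressDeny=any` in the hunk above is unchanged, so either the IP families are effectively unusable or something relaxes the deny list at runtime; AF_VSOCK is not covered by that setting at all. I would add a comment above the line naming the feature that needs these families (presumably log forwarding configured through the new `ImportCredential=journal.*`; confirm) and how it interacts with `IPAddressDeny=any`, e.g. `# Needed for <feature>; IP peers are still subject to IPAddressDeny=`. The [Service] section begins and ends outside this hunk.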
diff --git a/units/systemd-journald.socket b/units/systemd-journald.socket
index 1e2178e..e2ffb96 100644
--- a/units/systemd-journald.socket
+++ b/units/systemd-journald.socket
@@ -8,7 +8,7 @@
# (at your option) any later version.
[Unit]
-Description=Journal Socket
+Description=Journal Sockets
Documentation=man:systemd-journald.service(8) man:journald.conf(5)
DefaultDependencies=no
Before=sockets.target
diff --git a/units/systemd-journald@.service.in b/units/systemd-journald@.service.in
index c3bcb08..b705ce0 100644
--- a/units/systemd-journald@.service.in
+++ b/units/systemd-journald@.service.in
@@ -13,11 +13,6 @@ Documentation=man:systemd-journald.service(8) man:journald.conf(5)
Requires=systemd-journald@%i.socket systemd-journald-varlink@%i.socket
After=systemd-journald@%i.socket systemd-journald-varlink@%i.socket
-# To avoid journald SIGKILLed during soft-reboot and corrupting journals.
-# See https://github.com/systemd/systemd/issues/30195
-Before=soft-reboot.target
-Conflicts=soft-reboot.target
-
[Service]
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
DevicePolicy=closed
diff --git a/units/systemd-journald@.socket b/units/systemd-journald@.socket
index 60c025f..65813a5 100644
--- a/units/systemd-journald@.socket
+++ b/units/systemd-journald@.socket
@@ -8,7 +8,7 @@
# (at your option) any later version.
[Unit]
-Description=Journal Socket for Namespace %i
+Description=Journal Sockets for Namespace %i
Documentation=man:systemd-journald.service(8) man:journald.conf(5)
StopWhenUnneeded=yes
@@ -22,3 +22,6 @@ PassCredentials=yes
PassSecurity=yes
ReceiveBuffer=8M
SendBuffer=8M
+
+[Install]
+WantedBy=sockets.target
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 19383ae..4de89aa 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -15,6 +15,7 @@ Documentation=man:vconsole.conf(5)
Documentation=man:org.freedesktop.locale1(5)
[Service]
+Type=notify
BusName=org.freedesktop.locale1
CapabilityBoundingSet=
ExecStart={{LIBEXECDIR}}/systemd-localed
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 39dc0c2..cc1b6be 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -31,7 +31,7 @@ DeviceAllow=char-input rw
DeviceAllow=char-tty rw
DeviceAllow=char-vcs rw
ExecStart={{LIBEXECDIR}}/systemd-logind
-FileDescriptorStoreMax=512
+FileDescriptorStoreMax=768
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
diff --git a/units/systemd-machine-id-commit.service b/units/systemd-machine-id-commit.service
index 89e0613..97b9186 100644
--- a/units/systemd-machine-id-commit.service
+++ b/units/systemd-machine-id-commit.service
@@ -8,7 +8,7 @@
# (at your option) any later version.
[Unit]
-Description=Commit a transient machine-id on disk
+Description=Save Transient machine-id to Disk
Documentation=man:systemd-machine-id-commit.service(8)
DefaultDependencies=no
Conflicts=shutdown.target
@@ -21,4 +21,4 @@ ConditionPathIsMountPoint=/etc/machine-id
Type=oneshot
RemainAfterExit=yes
ExecStart=systemd-machine-id-setup --commit
-TimeoutSec=30s
+TimeoutSec=90s
diff --git a/units/systemd-mountfsd.service.in b/units/systemd-mountfsd.service.in
new file mode 100644
index 0000000..20a9b42
--- /dev/null
+++ b/units/systemd-mountfsd.service.in
@@ -0,0 +1,46 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=DDI File System Mounter
+Documentation=man:systemd-mountfsd.service(8)
+Requires=systemd-mountfsd.socket
+After=systemd-mountfsd.socket
+Conflicts=shutdown.target
+Before=sysinit.target shutdown.target
+DefaultDependencies=no
+
+[Service]
+#CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID
+ExecStart={{LIBEXECDIR}}/systemd-mountfsd
+IPAddressDeny=any
+LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+ProtectProc=invisible
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service @mount
+Type=notify
+NotifyAccess=all
+FileDescriptorStoreMax=4096
+{{SERVICE_WATCHDOG}}
+
+[Install]
+Also=systemd-mountfsd.socket
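Review bot: `#CapabilityBoundingSet=...` is commented out, so this new service starts with the full capability bounding set even though the rest of [Service] is hardened. The disabled list is identical to the first six entries of the set in systemd-nsresourced.service.in rather than anything mount-specific. Either enable a bounding set limited to what mounting images needs (the exact list has to come from the daemon's code, not from this diff), or replace the line with a comment stating why no bound is applied. In the same section, `RestrictAddressFamilies=` allows `AF_INET AF_INET6` next to `IPAddressDeny=any`, which deserves a one-line reason or removal. `NotifyAccess=all`, also used in systemd-nsresourced.service.in, accepts notifications from every process in the service's cgroup and should carry a comment on why `main` is not enough.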
diff --git a/units/systemd-mountfsd.socket b/units/systemd-mountfsd.socket
new file mode 100644
index 0000000..cd88003
--- /dev/null
+++ b/units/systemd-mountfsd.socket
@@ -0,0 +1,22 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=DDI File System Mounter Socket
+Documentation=man:systemd-mountfsd.service(8)
+DefaultDependencies=no
+Conflicts=shutdown.target
+Before=sockets.target shutdown.target
+
+[Socket]
+ListenStream=/run/systemd/io.systemd.MountFileSystem
+SocketMode=0666
+
+[Install]
+WantedBy=sockets.target
diff --git a/units/systemd-network-generator.service.in b/units/systemd-network-generator.service.in
index d87e1a4..f7d13d3 100644
--- a/units/systemd-network-generator.service.in
+++ b/units/systemd-network-generator.service.in
@@ -21,6 +21,9 @@ Before=shutdown.target initrd-switch-root.target
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-network-generator
+ImportCredential=network.netdev.*
+ImportCredential=network.link.*
+ImportCredential=network.network.*
[Install]
WantedBy=sysinit.target
diff --git a/units/systemd-networkd-persistent-storage.service b/units/systemd-networkd-persistent-storage.service
new file mode 100644
index 0000000..308f66a
--- /dev/null
+++ b/units/systemd-networkd-persistent-storage.service
@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Enable Persistent Storage in systemd-networkd
+Documentation=man:networkctl(1)
+ConditionCapability=CAP_NET_ADMIN
+DefaultDependencies=no
+After=systemd-remount-fs.service systemd-networkd.service
+BindsTo=systemd-networkd.service
+Conflicts=shutdown.target
+Before=shutdown.target
+ConditionPathExists=!/etc/initrd-release
+
+[Service]
+Type=oneshot
+User=systemd-network
+ExecStart=networkctl persistent-storage yes
+ExecStop=networkctl persistent-storage no
+StateDirectory=systemd/network
+RemainAfterExit=yes
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 3608458..6141fdb 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -17,7 +17,7 @@ DefaultDependencies=no
After=systemd-networkd.socket systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service
Before=network.target multi-user.target shutdown.target initrd-switch-root.target
Conflicts=shutdown.target initrd-switch-root.target
-Wants=systemd-networkd.socket network.target
+Wants=systemd-networkd.socket network.target systemd-networkd-persistent-storage.service
[Service]
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
@@ -26,6 +26,7 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
DeviceAllow=char-* rw
ExecStart=!!{{LIBEXECDIR}}/systemd-networkd
FileDescriptorStoreMax=512
+ImportCredential=network.wireguard.*
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
diff --git a/units/systemd-nsresourced.service.in b/units/systemd-nsresourced.service.in
new file mode 100644
index 0000000..3c92705
--- /dev/null
+++ b/units/systemd-nsresourced.service.in
@@ -0,0 +1,47 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Namespace Resource Manager
+Documentation=man:systemd-nsresourced.service(8)
+Requires=systemd-nsresourced.socket
+After=systemd-nsresourced.socket
+Conflicts=shutdown.target
+Before=sysinit.target shutdown.target
+DefaultDependencies=no
+
+[Service]
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_CHOWN CAP_FOWNER
+ExecStart={{LIBEXECDIR}}/systemd-nsresourced
+IPAddressDeny=any
+LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectProc=invisible
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service bpf perf_event_open open_by_handle_at
+Type=notify
+NotifyAccess=all
+FileDescriptorStoreMax=4096
+{{SERVICE_WATCHDOG}}
+
+[Install]
+Also=systemd-nsresourced.socket
diff --git a/units/systemd-nsresourced.socket b/units/systemd-nsresourced.socket
new file mode 100644
index 0000000..2e3c8e9
--- /dev/null
+++ b/units/systemd-nsresourced.socket
@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Namespace Resource Manager Socket
+Documentation=man:systemd-nsresourced.service(8)
+DefaultDependencies=no
+Conflicts=shutdown.target
+Before=sockets.target shutdown.target
+
+[Socket]
+ListenStream=/run/systemd/io.systemd.NamespaceResource
+Symlinks=/run/systemd/userdb/io.systemd.NamespaceResource
+SocketMode=0666
+
+[Install]
+WantedBy=sockets.target
diff --git a/units/systemd-pcrextend.socket b/units/systemd-pcrextend.socket
index 6d7b8ff..4f74748 100644
--- a/units/systemd-pcrextend.socket
+++ b/units/systemd-pcrextend.socket
@@ -8,9 +8,10 @@
# (at your option) any later version.
[Unit]
-Description=TPM2 PCR Extension (Varlink)
+Description=TPM PCR Measurements
Documentation=man:systemd-pcrextend(8)
DefaultDependencies=no
+After=tpm2.target
Before=sockets.target
ConditionSecurity=measured-uki
@@ -19,6 +20,7 @@ ListenStream=/run/systemd/io.systemd.PCRExtend
FileDescriptorName=varlink
SocketMode=0600
Accept=yes
+MaxConnectionsPerSource=16
[Install]
WantedBy=sockets.target
diff --git a/units/systemd-pcrextend@.service.in b/units/systemd-pcrextend@.service.in
index 2305b1c..68b71d4 100644
--- a/units/systemd-pcrextend@.service.in
+++ b/units/systemd-pcrextend@.service.in
@@ -8,9 +8,10 @@
# (at your option) any later version.
[Unit]
-Description=TPM2 PCR Extension (Varlink)
+Description=TPM PCR Measurements
Documentation=man:systemd-pcrphase.service(8)
DefaultDependencies=no
+After=tpm2.target
Conflicts=shutdown.target initrd-switch-root.target
Before=shutdown.target initrd-switch-root.target
diff --git a/units/systemd-pcrfs-root.service.in b/units/systemd-pcrfs-root.service.in
index 11dc747..5b40a91 100644
--- a/units/systemd-pcrfs-root.service.in
+++ b/units/systemd-pcrfs-root.service.in
@@ -8,11 +8,11 @@
# (at your option) any later version.
[Unit]
-Description=TPM2 PCR Root File System Measurement
+Description=TPM PCR Root File System Measurement
Documentation=man:systemd-pcrfs-root.service(8)
DefaultDependencies=no
Conflicts=shutdown.target
-After=systemd-pcrmachine.service
+After=tpm2.target systemd-pcrmachine.service
Before=shutdown.target
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
diff --git a/units/systemd-pcrfs@.service.in b/units/systemd-pcrfs@.service.in
index fbaec4b..203d7b9 100644
--- a/units/systemd-pcrfs@.service.in
+++ b/units/systemd-pcrfs@.service.in
@@ -8,12 +8,12 @@
# (at your option) any later version.
[Unit]
-Description=TPM2 PCR File System Measurement of %f
+Description=TPM PCR File System Measurement of %f
Documentation=man:systemd-pcrfs@.service(8)
DefaultDependencies=no
BindsTo=%i.mount
Conflicts=shutdown.target
-After=%i.mount systemd-pcrfs-root.service
+After=%i.mount tpm2.target systemd-pcrfs-root.service
Before=shutdown.target
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
diff --git a/units/systemd-pcrlock-file-system.service.in b/units/systemd-pcrlock-file-system.service.in
index d68a42e..807ebc2 100644
--- a/units/systemd-pcrlock-file-system.service.in
+++ b/units/systemd-pcrlock-file-system.service.in
@@ -8,11 +8,12 @@
# (at your option) any later version.
[Unit]
-Description=Lock File Systems to TPM2 PCR Policy
+Description=Lock File Systems to TPM PCR Policy
Documentation=man:systemd-pcrlock(8)
DefaultDependencies=no
Conflicts=shutdown.target
Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service
+After=systemd-remount-fs.service var.mount
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
diff --git a/units/systemd-pcrlock-firmware-code.service.in b/units/systemd-pcrlock-firmware-code.service.in
index a24f2ba..cae8179 100644
--- a/units/systemd-pcrlock-firmware-code.service.in
+++ b/units/systemd-pcrlock-firmware-code.service.in
@@ -8,11 +8,11 @@
# (at your option) any later version.
[Unit]
-Description=Lock Firmware Code to TPM2 PCR Policy
+Description=Lock Firmware Code to TPM PCR Policy
Documentation=man:systemd-pcrlock(8)
DefaultDependencies=no
Conflicts=shutdown.target
-After=systemd-tpm2-setup.service
+After=systemd-tpm2-setup.service systemd-remount-fs.service var.mount
Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
diff --git a/units/systemd-pcrlock-firmware-config.service.in b/units/systemd-pcrlock-firmware-config.service.in
index 64e63f8..7484504 100644
--- a/units/systemd-pcrlock-firmware-config.service.in
+++ b/units/systemd-pcrlock-firmware-config.service.in
@@ -8,11 +8,11 @@
# (at your option) any later version.
[Unit]
-Description=Lock Firmware Configuration to TPM2 PCR Policy
+Description=Lock Firmware Configuration to TPM PCR Policy
Documentation=man:systemd-pcrlock(8)
DefaultDependencies=no
Conflicts=shutdown.target
-After=systemd-tpm2-setup.service
+After=systemd-tpm2-setup.service systemd-remount-fs.service var.mount
Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
diff --git a/units/systemd-pcrlock-machine-id.service.in b/units/systemd-pcrlock-machine-id.service.in
index 0ff22c5..c82c358 100644
--- a/units/systemd-pcrlock-machine-id.service.in
+++ b/units/systemd-pcrlock-machine-id.service.in
@@ -8,11 +8,12 @@
# (at your option) any later version.
[Unit]
-Description=Lock Machine ID to TPM2 PCR Policy
+Description=Lock Machine ID to TPM PCR Policy
Documentation=man:systemd-pcrlock(8)
DefaultDependencies=no
Conflicts=shutdown.target
Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service
+After=systemd-remount-fs.service var.mount
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
diff --git a/units/systemd-pcrlock-make-policy.service.in b/units/systemd-pcrlock-make-policy.service.in
index 4127cc7..4dd18ec 100644
--- a/units/systemd-pcrlock-make-policy.service.in
+++ b/units/systemd-pcrlock-make-policy.service.in
@@ -8,12 +8,13 @@
# (at your option) any later version.
[Unit]
-Description=Make TPM2 PCR Policy
+Description=Make TPM PCR Policy
Documentation=man:systemd-pcrlock(8)
DefaultDependencies=no
Conflicts=shutdown.target
After=systemd-tpm2-setup.service
Before=sysinit.target shutdown.target
+After=systemd-remount-fs.service var.mount
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
diff --git a/units/systemd-pcrlock-secureboot-authority.service.in b/units/systemd-pcrlock-secureboot-authority.service.in
index a8d55ba..9f6c1a4 100644
--- a/units/systemd-pcrlock-secureboot-authority.service.in
+++ b/units/systemd-pcrlock-secureboot-authority.service.in
@@ -8,12 +8,13 @@
# (at your option) any later version.
[Unit]
-Description=Lock UEFI SecureBoot Authority to TPM2 PCR Policy
+Description=Lock UEFI SecureBoot Authority to TPM PCR Policy
Documentation=man:systemd-pcrlock(8)
DefaultDependencies=no
Conflicts=shutdown.target
After=systemd-tpm2-setup.service
Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service
+After=systemd-remount-fs.service var.mount
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
diff --git a/units/systemd-pcrlock-secureboot-policy.service.in b/units/systemd-pcrlock-secureboot-policy.service.in
index 10e603c..0975aca 100644
--- a/units/systemd-pcrlock-secureboot-policy.service.in
+++ b/units/systemd-pcrlock-secureboot-policy.service.in
@@ -8,12 +8,13 @@
# (at your option) any later version.
[Unit]
-Description=Lock UEFI SecureBoot Policy to TPM2 PCR Policy
+Description=Lock UEFI SecureBoot Policy to TPM PCR Policy
Documentation=man:systemd-pcrlock(8)
DefaultDependencies=no
Conflicts=shutdown.target
After=systemd-tpm2-setup.service
Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service
+After=systemd-remount-fs.service var.mount
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
diff --git a/units/systemd-pcrlock.socket b/units/systemd-pcrlock.socket
new file mode 100644
index 0000000..17a56f7
--- /dev/null
+++ b/units/systemd-pcrlock.socket
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Make TPM PCR Policy
+Documentation=man:systemd-pcrlock(8)
+DefaultDependencies=no
+After=tpm2.target
+Before=sockets.target
+ConditionSecurity=measured-uki
+
+[Socket]
+ListenStream=/run/systemd/io.systemd.PCRLock
+FileDescriptorName=varlink
+SocketMode=0600
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
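Review bot: This socket uses `Accept=yes` but sets no `MaxConnectionsPerSource=`, while the same commit adds `MaxConnectionsPerSource=16` to systemd-pcrextend.socket and systemd-sysext.socket, which have the same `SocketMode=0600` and `Accept=yes` shape. For consistency, add `MaxConnectionsPerSource=16` after `Accept=yes`, so that a single peer is capped here the same way as on the other two sockets. If the omission is deliberate, a comment saying why would prevent a later "fix".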
diff --git a/units/systemd-pcrlock@.service.in b/units/systemd-pcrlock@.service.in
new file mode 100644
index 0000000..3528c56
--- /dev/null
+++ b/units/systemd-pcrlock@.service.in
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Make TPM PCR Policy
+Documentation=man:systemd-pcrlock(8)
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=systemd-tpm2-setup.service
+Before=sysinit.target shutdown.target
+After=systemd-remount-fs.service var.mount
+
+[Service]
+Environment=LISTEN_FDNAMES=varlink
+ExecStart={{LIBEXECDIR}}/systemd-pcrlock --location=770
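Review bot: `--location=770` on the ExecStart= line is an unexplained magic number; a comment above it should say what the value selects and why it was chosen, for example `# <meaning of location 770, to be filled in by the author; see systemd-pcrlock(8)>`. As a style point, [Unit] has two separate `After=` lines split by `Before=`. The sibling units in this commit (e.g. systemd-pcrlock-firmware-code.service.in) keep them on one line, so `After=systemd-tpm2-setup.service systemd-remount-fs.service var.mount` would read more easily.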
diff --git a/units/systemd-pcrmachine.service.in b/units/systemd-pcrmachine.service.in
index fb7d3ce..65caf2e 100644
--- a/units/systemd-pcrmachine.service.in
+++ b/units/systemd-pcrmachine.service.in
@@ -8,10 +8,11 @@
# (at your option) any later version.
[Unit]
-Description=TPM2 PCR Machine ID Measurement
+Description=TPM PCR Machine ID Measurement
Documentation=man:systemd-pcrmachine.service(8)
DefaultDependencies=no
Conflicts=shutdown.target
+After=tpm2.target
Before=sysinit.target shutdown.target
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
diff --git a/units/systemd-pcrphase-initrd.service.in b/units/systemd-pcrphase-initrd.service.in
index b337d60..6fcf94d 100644
--- a/units/systemd-pcrphase-initrd.service.in
+++ b/units/systemd-pcrphase-initrd.service.in
@@ -8,10 +8,11 @@
# (at your option) any later version.
[Unit]
-Description=TPM2 PCR Barrier (initrd)
+Description=TPM PCR Barrier (initrd)
Documentation=man:systemd-pcrphase-initrd.service(8)
DefaultDependencies=no
Conflicts=shutdown.target initrd-switch-root.target
+After=tpm2.target
Before=sysinit.target cryptsetup-pre.target cryptsetup.target shutdown.target initrd-switch-root.target systemd-sysext.service
ConditionPathExists=/etc/initrd-release
ConditionSecurity=measured-uki
diff --git a/units/systemd-pcrphase-sysinit.service.in b/units/systemd-pcrphase-sysinit.service.in
index 08f7397..8c0c0c8 100644
--- a/units/systemd-pcrphase-sysinit.service.in
+++ b/units/systemd-pcrphase-sysinit.service.in
@@ -8,11 +8,11 @@
# (at your option) any later version.
[Unit]
-Description=TPM2 PCR Barrier (Initialization)
+Description=TPM PCR Barrier (Initialization)
Documentation=man:systemd-pcrphase-sysinit.service(8)
DefaultDependencies=no
Conflicts=shutdown.target
-After=sysinit.target
+After=sysinit.target tpm2.target
Before=basic.target shutdown.target
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
diff --git a/units/systemd-pcrphase.service.in b/units/systemd-pcrphase.service.in
index c94ad75..04ace12 100644
--- a/units/systemd-pcrphase.service.in
+++ b/units/systemd-pcrphase.service.in
@@ -8,9 +8,9 @@
# (at your option) any later version.
[Unit]
-Description=TPM2 PCR Barrier (User)
+Description=TPM PCR Barrier (User)
Documentation=man:systemd-pcrphase.service(8)
-After=remote-fs.target remote-cryptsetup.target
+After=remote-fs.target remote-cryptsetup.target tpm2.target
Before=systemd-user-sessions.service
ConditionPathExists=!/etc/initrd-release
ConditionSecurity=measured-uki
diff --git a/units/systemd-quotacheck-root.service.in b/units/systemd-quotacheck-root.service.in
new file mode 100644
index 0000000..a182059
--- /dev/null
+++ b/units/systemd-quotacheck-root.service.in
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Root File System Quota Check
+Documentation=man:systemd-quotacheck.service(8)
+
+ConditionPathExists=!/etc/initrd-release
+
+DefaultDependencies=no
+After=systemd-remount-fs.service
+Before=local-fs.target shutdown.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart={{LIBEXECDIR}}/systemd-quotacheck /
+TimeoutSec=infinity
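Review bot: This root variant has no `ConditionPathExists={{QUOTACHECK}}`, although the template unit systemd-quotacheck@.service.in in the next file keeps that condition. Unless systemd-quotacheck handles a missing quotacheck binary itself, the unit would start and fail on systems without the quota tools instead of being skipped. Adding `ConditionPathExists={{QUOTACHECK}}` next to `ConditionPathExists=!/etc/initrd-release` keeps the two units aligned. Separately, `TimeoutSec=infinity` together with `Before=local-fs.target` means a hung check blocks boot indefinitely; that may be intended, but it is worth a comment.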
diff --git a/units/systemd-quotacheck.service.in b/units/systemd-quotacheck@.service.in
index 0f94e38..f2b8db7 100644
--- a/units/systemd-quotacheck.service.in
+++ b/units/systemd-quotacheck@.service.in
@@ -12,14 +12,16 @@ Description=File System Quota Check
Documentation=man:systemd-quotacheck.service(8)
ConditionPathExists={{QUOTACHECK}}
+ConditionPathExists=!/etc/initrd-release
DefaultDependencies=no
-After=systemd-remount-fs.service
-Before=remote-fs.target
+BindsTo=%i.mount
+After=%i.mount
Before=shutdown.target
+Conflicts=shutdown.target
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-quotacheck
+ExecStart={{LIBEXECDIR}}/systemd-quotacheck %f
TimeoutSec=infinity
diff --git a/units/systemd-remount-fs.service.in b/units/systemd-remount-fs.service.in
index fe3c31b..4ac8978 100644
--- a/units/systemd-remount-fs.service.in
+++ b/units/systemd-remount-fs.service.in
@@ -10,7 +10,7 @@
[Unit]
Description=Remount Root and Kernel File Systems
Documentation=man:systemd-remount-fs.service(8)
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
DefaultDependencies=no
After=systemd-fsck-root.service
diff --git a/units/systemd-repart.service.in b/units/systemd-repart.service
index 2b57b93..1f7e2a6 100644
--- a/units/systemd-repart.service.in
+++ b/units/systemd-repart.service
@@ -21,7 +21,7 @@ ConditionDirectoryNotEmpty=|/sysusr/usr/local/lib/repart.d
DefaultDependencies=no
Wants=modprobe@loop.service modprobe@dm_mod.service
-After=initrd-usr-fs.target modprobe@loop.service modprobe@dm_mod.service
+After=initrd-usr-fs.target modprobe@loop.service modprobe@dm_mod.service systemd-tpm2-setup-early.service
Before=initrd-root-fs.target
Conflicts=shutdown.target initrd-switch-root.target
Before=shutdown.target initrd-switch-root.target
@@ -29,7 +29,7 @@ Before=shutdown.target initrd-switch-root.target
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStart={{BINDIR}}/systemd-repart --dry-run=no
+ExecStart=systemd-repart --dry-run=no
# The tool returns 76 if it can't find the root block device
SuccessExitStatus=76
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 820aecf..4aa0788 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -11,8 +11,8 @@
Description=Network Name Resolution
Documentation=man:systemd-resolved.service(8)
Documentation=man:org.freedesktop.resolve1(5)
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
+Documentation=https://systemd.io/WRITING_NETWORK_CONFIGURATION_MANAGERS
+Documentation=https://systemd.io/WRITING_RESOLVER_CLIENTS
DefaultDependencies=no
After=systemd-sysctl.service systemd-sysusers.service
@@ -48,7 +48,7 @@ RuntimeDirectoryPreserve=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
-Type=notify
+Type=notify-reload
User=systemd-resolve
ImportCredential=network.dns
ImportCredential=network.search_domains
diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
index c6b32a1..072ae64 100644
--- a/units/systemd-rfkill.service.in
+++ b/units/systemd-rfkill.service.in
@@ -22,5 +22,5 @@ Before=shutdown.target
ExecStart={{LIBEXECDIR}}/systemd-rfkill
NoNewPrivileges=yes
StateDirectory=systemd/rfkill
-TimeoutSec=30s
+TimeoutSec=90s
Type=notify
diff --git a/units/systemd-sysext.socket b/units/systemd-sysext.socket
index ad870c5..78475cf 100644
--- a/units/systemd-sysext.socket
+++ b/units/systemd-sysext.socket
@@ -8,7 +8,7 @@
# (at your option) any later version.
[Unit]
-Description=System Extension Image Management (Varlink)
+Description=System Extension Image Management
Documentation=man:systemd-sysext(8)
DefaultDependencies=no
After=local-fs.target
@@ -20,6 +20,7 @@ ListenStream=/run/systemd/io.systemd.sysext
FileDescriptorName=varlink
SocketMode=0600
Accept=yes
+MaxConnectionsPerSource=16
[Install]
WantedBy=sockets.target
diff --git a/units/systemd-sysext@.service b/units/systemd-sysext@.service
index 544e22f..9dcbf9f 100644
--- a/units/systemd-sysext@.service
+++ b/units/systemd-sysext@.service
@@ -8,7 +8,7 @@
# (at your option) any later version.
[Unit]
-Description=System Extension Image Management (Varlink)
+Description=System Extension Image Management
Documentation=man:systemd-sysext(8)
DefaultDependencies=no
After=local-fs.target
diff --git a/units/systemd-sysupdate.timer b/units/systemd-sysupdate.timer
index 6ecd98d..b2c7cd4 100644
--- a/units/systemd-sysupdate.timer
+++ b/units/systemd-sysupdate.timer
@@ -19,7 +19,7 @@ ConditionVirtualization=!container
# Trigger the update 15min after boot, and then – on average – every 6h, but
# randomly distributed in a 2h…6h interval. In addition trigger things
# persistently once on each Saturday, to ensure that even on systems that are
-# never booted up for long we have a chance to to do the update.
+# never booted up for long we have a chance to do the update.
OnBootSec=15min
OnUnitActiveSec=2h
OnCalendar=Sat
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 00f6643..06c3306 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -14,6 +14,7 @@ Documentation=man:localtime(5)
Documentation=man:org.freedesktop.timedate1(5)
[Service]
+Type=notify
BusName=org.freedesktop.timedate1
CapabilityBoundingSet=CAP_SYS_TIME
DeviceAllow=char-rtc r
diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in
index 6996efe..9982c84 100644
--- a/units/systemd-tpm2-setup-early.service.in
+++ b/units/systemd-tpm2-setup-early.service.in
@@ -8,7 +8,7 @@
# (at your option) any later version.
[Unit]
-Description=TPM2 SRK Setup (Early)
+Description=Early TPM SRK Setup
Documentation=man:systemd-tpm2-setup.service(8)
DefaultDependencies=no
Conflicts=shutdown.target
diff --git a/units/systemd-tpm2-setup.service.in b/units/systemd-tpm2-setup.service.in
index 8c1851f..0af7292 100644
--- a/units/systemd-tpm2-setup.service.in
+++ b/units/systemd-tpm2-setup.service.in
@@ -8,11 +8,11 @@
# (at your option) any later version.
[Unit]
-Description=TPM2 SRK Setup
+Description=TPM SRK Setup
Documentation=man:systemd-tpm2-setup.service(8)
DefaultDependencies=no
Conflicts=shutdown.target
-After=systemd-tpm2-setup-early.service systemd-remount-fs.service
+After=tpm2.target systemd-tpm2-setup-early.service systemd-remount-fs.service
Before=sysinit.target shutdown.target
RequiresMountsFor=/var/lib/systemd/tpm2-srk-public-key.pem
ConditionSecurity=measured-uki
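Review bot: The added `After=tpm2.target` is an ordering dependency only, and nothing in this hunk pulls the target in, so the SRK setup waits for the TPM device only when something else queues tpm2.target in the same transaction. The new units/tpm2.target later in this diff carries `Wants=dev-tpmrm0.device` but no `[Install]` section, so whatever activates it is not visible here. A comment above the line would record that, e.g. `# Ordering only: tpm2.target is pulled in elsewhere when a TPM is expected`. The [Unit] section may continue past the end of the hunk.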
diff --git a/units/systemd-udev-load-credentials.service b/units/systemd-udev-load-credentials.service
new file mode 100644
index 0000000..70f69dc
--- /dev/null
+++ b/units/systemd-udev-load-credentials.service
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Load udev Rules from Credentials
+Documentation=man:udevadm(8)
+Documentation=man:udev(7)
+Documentation=man:systemd.system-credentials(7)
+
+DefaultDependencies=no
+Before=systemd-udevd.service
+Conflicts=shutdown.target initrd-switch-root.target
+Before=shutdown.target initrd-switch-root.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=udevadm control --load-credentials
+ImportCredential=udev.conf.*
+ImportCredential=udev.rules.*
+
+[Install]
+WantedBy=sysinit.target
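Review bot: The two `ImportCredential=` globs accept every credential named `udev.conf.*` or `udev.rules.*`, and the unit says nothing about the trust boundary this creates. Going by the Description, `udevadm control --load-credentials` installs them as udev configuration and rules, and udev rules can start programs as root. Whoever can supply system credentials to the machine (the sources are listed in systemd.system-credentials(7)) therefore influences what udev executes. I would add a comment above the globs, e.g. `# Imported credentials become udev config and rules, processed as root; provision them only from a trusted source`. The two `Before=` lines could also be merged into one for readability.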
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index b59fdef..f4a4482 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -13,6 +13,7 @@ Documentation=man:systemd-udevd.service(8) man:udev(7)
DefaultDependencies=no
After=systemd-sysusers.service systemd-hwdb-update.service
Before=sysinit.target
+Wants=systemd-udev-load-credentials.service
ConditionPathIsReadWrite=/sys
[Service]
diff --git a/units/systemd-vmspawn@.service.in b/units/systemd-vmspawn@.service.in
new file mode 100644
index 0000000..6080020
--- /dev/null
+++ b/units/systemd-vmspawn@.service.in
@@ -0,0 +1,34 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Virtual Machine %i
+Documentation=man:systemd-vmspawn(1)
+PartOf=machines.target
+Before=machines.target
+After=network.target modprobe@tun.service
+RequiresMountsFor=/var/lib/machines/%i
+
+[Service]
+ExecStart=systemd-vmspawn --quiet --network-tap --machine=%i
+KillMode=mixed
+Type=notify
+Slice=machine.slice
+
+{# Enforce a strict device policy. Make sure to keep these policies in sync if you change them! #}
+DevicePolicy=closed
+DeviceAllow=/dev/net/tun rwm
+DeviceAllow=char-pts rw
+
+# vmspawn itself needs access to /dev/kvm and /dev/vhost-vsock
+DeviceAllow=/dev/kvm rw
+DeviceAllow=/dev/vhost-vsock rw
+
+[Install]
+WantedBy=machines.target
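Review bot: `DeviceAllow=/dev/net/tun rwm` grants mknod on top of read/write, while every other entry under the "strict device policy" comment gets `rw` only. Unless vmspawn creates the tun node itself, which nothing in this unit suggests, `DeviceAllow=/dev/net/tun rw` is the least-privilege form. The Jinja comment also asks to keep the policies "in sync" without naming the unit it mirrors, so it should name that file. The [Service] section carries no other sandboxing directives, so the device list is the main restriction on this service and is worth keeping tight.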
diff --git a/units/tmp.mount b/units/tmp.mount
index 734acea..8960405 100644
--- a/units/tmp.mount
+++ b/units/tmp.mount
@@ -11,7 +11,7 @@
Description=Temporary Directory /tmp
Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
Documentation=man:file-hierarchy(7)
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
ConditionPathIsSymbolicLink=!/tmp
DefaultDependencies=no
Conflicts=umount.target
diff --git a/units/tpm2.target b/units/tpm2.target
new file mode 100644
index 0000000..ba51d57
--- /dev/null
+++ b/units/tpm2.target
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Trusted Platform Module
+Documentation=man:systemd.special(7)
+
+# Make this a synchronization point on the first TPM device found
+After=dev-tpmrm0.device
+Wants=dev-tpmrm0.device
diff --git a/units/user-runtime-dir@.service.in b/units/user-runtime-dir@.service.in
index 0641dd0..5fb5cad 100644
--- a/units/user-runtime-dir@.service.in
+++ b/units/user-runtime-dir@.service.in
@@ -11,7 +11,6 @@
Description=User Runtime Directory /run/user/%i
Documentation=man:user@.service(5)
After=dbus.service
-StopWhenUnneeded=yes
IgnoreOnIsolate=yes
[Service]
diff --git a/units/user/capsule@.target b/units/user/capsule@.target
new file mode 100644
index 0000000..986e3ad
--- /dev/null
+++ b/units/user/capsule@.target
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Main Capsule Target for %i
+Documentation=man:systemd.special(7)
+Requires=basic.target
+After=basic.target
+AllowIsolate=yes
diff --git a/units/user/meson.build b/units/user/meson.build
index 850ac2c..21070f7 100644
--- a/units/user/meson.build
+++ b/units/user/meson.build
@@ -5,6 +5,7 @@ units = [
'background.slice',
'basic.target',
'bluetooth.target',
+ 'capsule@.target',
'default.target',
'exit.target',
'graphical-session-pre.target',
diff --git a/units/user@.service.in b/units/user@.service.in
index da5f98c..5efb12a 100644
--- a/units/user@.service.in
+++ b/units/user@.service.in
@@ -10,8 +10,8 @@
[Unit]
Description=User Manager for UID %i
Documentation=man:user@.service(5)
+BindsTo=user-runtime-dir@%i.service
After=user-runtime-dir@%i.service dbus.service systemd-oomd.service
-Requires=user-runtime-dir@%i.service
IgnoreOnIsolate=yes
[Service]
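Review bot: Replacing `Requires=` with `BindsTo=user-runtime-dir@%i.service` changes lifetime semantics, and neither file records why. The user manager is now stopped whenever the runtime-directory unit becomes inactive for any reason, not only when that unit is explicitly stopped or fails to start. This looks deliberate, since `StopWhenUnneeded=yes` is dropped from user-runtime-dir@.service.in in the same diff. If the intent is that the manager never outlives its runtime directory, a comment above the line would say so, e.g. `# Bind to the unit that owns /run/user/%i so the manager goes down with it`. The [Service] section continues outside the hunk.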