New upstream version 245.2

NEWS

@@ -281,6 +281,20 @@ CHANGES WITH 245:
           to combine attachment with enablement and invocation, or detachment
           with stopping and disablement.
 
+        * UPGRADE ISSUE: a bug where some jobs were trimmed as redundant was
+          fixed, which in turn exposed bugs in unit configuration of services
+          which have Type=oneshot and should only run once, but do not have
+          RemainAfterExit=yes set. Without RemainAfterExit=yes, a one-shot
+          service may be started again after exiting successfully, for example
+          as a dependency in another transaction. Affected services included
+          some internal systemd services (most notably
+          systemd-vconsole-setup.service, which was updated to have
+          RemainAfterExit=yes), and plymouth-start.service. Please ensure that
+          plymouth has been suitably updated or patched before upgrading to
+          this systemd release. See
+          https://bugzilla.redhat.com/show_bug.cgi?id=1807771 for some
+          additional discussion.
+
         Contributions from: AJ Bagwell, Alin Popa, Andreas Rammhold, Anita
         Zhang, Ansgar Burchardt, Antonio Russo, Arian van Putten, Ashley Davis,
         Balint Reczey, Bart Willems, Bastien Nocera, Benjamin Dahlhoff, Charles

catalog/systemd.hr.catalog.in

@@ -289,11 +289,11 @@ DNS zahtjev ili snimak resursa nije prošao DNSSEC provjeru. To uobičajeno
 označava da je komunikacijski kanal mijenjan.
 
 -- 4d4408cfd0d144859184d1e65d7c8a65
-Subject: DNSSEC pouzdano sidro je opozvano
+Subject: DNSSEC pouzdano sidrište je opozvano
 Defined-By: systemd
 Support: %SUPPORT_URL%
 Documentation: man:systemd-resolved.service(8)
 
-A DNSSEC trust anchor has been revoked. A new trust anchor has to be
+DNSSEC pouzdano sidrište je opozvano. Novo pouzdano sidrište mora biti
-configured, or the operating system needs to be updated, to provide an updated
+podešeno, ili operativni sustav mora biti nadopunjen kako bi omogućio nadopunjeno
-DNSSEC trust anchor.
+DNSSEC pouzdano sidrište.

man/bootup.xml

@@ -220,7 +220,7 @@ emergency.service    |              |              |
     so no filesystems can be mounted before the check is complete.
 
     When the root device becomes available,
-    <filename>initd-root-device.target</filename> is reached.
+    <filename>initrd-root-device.target</filename> is reached.
     If the root device can be mounted at
     <filename>/sysroot</filename>, the
     <filename>sysroot.mount</filename> unit becomes active and

man/systemd-homed.service.xml

@@ -18,7 +18,7 @@
   <refnamediv>
     <refname>systemd-homed.service</refname>
     <refname>systemd-homed</refname>
-    <refpurpose>Home Directory/User Account Manager</refpurpose>
+    <refpurpose>Home Area/User Account Manager</refpurpose>
   </refnamediv>
 
   <refsynopsisdiv>
@@ -30,13 +30,14 @@
     <title>Description</title>
 
     <para><command>systemd-homed</command> is a system service that may be used to create, remove, change or
-    inspect home directories.</para>
+    inspect home areas (directories and network mounts and real or loopback block devices with a filesystem,
+    optionally encrypted).</para>
 
     <para>Most of <command>systemd-homed</command>'s functionality is accessible through the
     <citerefentry><refentrytitle>homectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> command.</para>
 
     <para>See the <ulink url="https://systemd.io/HOME_DIRECTORY">Home Directories</ulink> documentation for
-    details about the format and design of home directories managed by
+    details about the format and design of home areas managed by
     <filename>systemd-homed.service</filename>.</para>
 
     <para>Each home directory managed by <filename>systemd-homed.service</filename> synthesizes a local user

man/systemd.preset.xml

@@ -70,8 +70,11 @@
     either the word <literal>enable</literal> or
     <literal>disable</literal> followed by a space and a unit name
     (possibly with shell style wildcards), separated by newlines.
-    Empty lines and lines whose first non-whitespace character is # or
+    Empty lines and lines whose first non-whitespace character is <literal>#</literal> or
-    ; are ignored.</para>
+    <literal>;</literal> are ignored. Multiple instance names for unit
+    templates may be specified as a space separated list at the end of
+    the line instead of the customary position between <literal>@</literal>
+    and the unit suffix.</para>
 
     <para>Presets must refer to the "real" unit file, and not to any aliases. See
     <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
@@ -123,6 +126,17 @@ disable *</programlisting>
     <literal>99-</literal>, it will be read last and hence can easily
     be overridden by spin or administrator preset policy.</para>
 
+    <example>
+      <title>Enable multiple template instances</title>
+
+      <programlisting># /usr/lib/systemd/system-preset/80-dirsrv.preset
+
+enable dirsrv@.service foo bar baz</programlisting>
+    </example>
+
+    <para>This enables all three of <filename>dirsrv@foo.service</filename>,
+    <filename>dirsrv@bar.service</filename> and <filename>dirsrv@baz.service</filename>.</para>
+
     <example>
       <title>A GNOME spin</title>
 

man/tmpfiles.d.xml

@@ -94,7 +94,7 @@ A+    /path-or-glob/to/append/acls/recursively -    -    -     -           POSIX
     <filename>systemd-tmpfiles-cleanup.service</filename>, and associated units.</para>
 
     <para>System daemons frequently require private runtime directories below <filename>/run</filename> to
-    store communication sockets and similar. For these, is is better to use
+    store communication sockets and similar. For these, it is better to use
     <varname>RuntimeDirectory=</varname> in their unit files (see
     <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
     details), if the flexibility provided by <filename>tmpfiles.d</filename> is not required. The advantages

src/analyze/analyze.c

@@ -1114,7 +1114,7 @@ static int analyze_blame(int argc, char *argv[], void *userdata) {
                         continue;
 
                 r = table_add_many(table,
-                                   TABLE_TIMESPAN_MSEC, &u->time,
+                                   TABLE_TIMESPAN_MSEC, u->time,
                                    TABLE_STRING, u->name);
                 if (r < 0)
                         return table_log_add_error(r);
@@ -1862,9 +1862,9 @@ static int dump_timespan(int argc, char *argv[], void *userdata) {
                         return table_log_add_error(r);
 
                 r = table_add_many(table,
-                                   TABLE_UINT64, &output_usecs,
+                                   TABLE_UINT64, output_usecs,
                                    TABLE_STRING, "Human:",
-                                   TABLE_TIMESPAN, &output_usecs,
+                                   TABLE_TIMESPAN, output_usecs,
                                    TABLE_SET_COLOR, ansi_highlight());
                 if (r < 0)
                         return table_log_add_error(r);
@@ -1917,7 +1917,7 @@ static int test_timestamp_one(const char *p) {
                            TABLE_STRING, "Original form:",
                            TABLE_STRING, p,
                            TABLE_STRING, "Normalized form:",
-                           TABLE_TIMESTAMP, &usec,
+                           TABLE_TIMESTAMP, usec,
                            TABLE_SET_COLOR, ansi_highlight_blue());
         if (r < 0)
                 return table_log_add_error(r);
@@ -1925,7 +1925,7 @@ static int test_timestamp_one(const char *p) {
         if (!in_utc_timezone()) {
                 r = table_add_many(table,
                                    TABLE_STRING, "(in UTC):",
-                                   TABLE_TIMESTAMP_UTC, &usec);
+                                   TABLE_TIMESTAMP_UTC, usec);
                 if (r < 0)
                         return table_log_add_error(r);
         }
@@ -1946,7 +1946,7 @@ static int test_timestamp_one(const char *p) {
 
         r = table_add_many(table,
                            TABLE_STRING, "From now:",
-                           TABLE_TIMESTAMP_RELATIVE, &usec);
+                           TABLE_TIMESTAMP_RELATIVE, usec);
         if (r < 0)
                 return table_log_add_error(r);
 
@@ -2042,7 +2042,7 @@ static int test_calendar_one(usec_t n, const char *p) {
                 if (i == 0) {
                         r = table_add_many(table,
                                            TABLE_STRING, "Next elapse:",
-                                           TABLE_TIMESTAMP, &next,
+                                           TABLE_TIMESTAMP, next,
                                            TABLE_SET_COLOR, ansi_highlight_blue());
                         if (r < 0)
                                 return table_log_add_error(r);
@@ -2059,7 +2059,7 @@ static int test_calendar_one(usec_t n, const char *p) {
                                 return table_log_add_error(r);
 
                         r = table_add_many(table,
-                                           TABLE_TIMESTAMP, &next,
+                                           TABLE_TIMESTAMP, next,
                                            TABLE_SET_COLOR, ansi_highlight_blue());
                         if (r < 0)
                                 return table_log_add_error(r);
@@ -2068,14 +2068,14 @@ static int test_calendar_one(usec_t n, const char *p) {
                 if (!in_utc_timezone()) {
                         r = table_add_many(table,
                                            TABLE_STRING, "(in UTC):",
-                                           TABLE_TIMESTAMP_UTC, &next);
+                                           TABLE_TIMESTAMP_UTC, next);
                         if (r < 0)
                                 return table_log_add_error(r);
                 }
 
                 r = table_add_many(table,
                                    TABLE_STRING, "From now:",
-                                   TABLE_TIMESTAMP_RELATIVE, &next);
+                                   TABLE_TIMESTAMP_RELATIVE, next);
                 if (r < 0)
                         return table_log_add_error(r);
 

src/basic/path-util.c

@@ -1125,3 +1125,19 @@ bool path_strv_contains(char **l, const char *path) {
 
         return false;
 }
+
+bool prefixed_path_strv_contains(char **l, const char *path) {
+        char **i, *j;
+
+        STRV_FOREACH(i, l) {
+                j = *i;
+                if (*j == '-')
+                        j++;
+                if (*j == '+')
+                        j++;
+                if (path_equal(j, path))
+                        return true;
+        }
+
+        return false;
+}

src/basic/path-util.h

@@ -173,3 +173,4 @@ static inline const char *empty_to_root(const char *path) {
 }
 
 bool path_strv_contains(char **l, const char *path);
+bool prefixed_path_strv_contains(char **l, const char *path);

src/boot/efi/meson.build

@@ -155,6 +155,8 @@ if have_gnu_efi
         elif efi_arch == 'ia32'
                 compile_args += ['-mno-sse',
                                  '-mno-mmx']
+        elif efi_arch == 'arm'
+                compile_args += ['-mgeneral-regs-only']
         endif
         if get_option('werror') == true
                 compile_args += ['-Werror']

src/core/cgroup.c

@@ -678,8 +678,8 @@ static int lookup_block_device(const char *p, dev_t *ret) {
                         return log_warning_errno(r, "Failed to determine block device backing btrfs file system '%s': %m", p);
         }
 
-        /* If this is a LUKS device, try to get the originating block device */
+        /* If this is a LUKS/DM device, recursively try to get the originating block device */
-        (void) block_get_originating(*ret, ret);
+        while (block_get_originating(*ret, ret) > 0);
 
         /* If this is a partition, try to get the originating block device */
         (void) block_get_whole_disk(*ret, ret);

src/core/execute.c

@@ -2247,7 +2247,7 @@ static int setup_exec_directory(
 
                         if (type != EXEC_DIRECTORY_CONFIGURATION &&
                             readlink_and_make_absolute(p, &target) >= 0) {
-                                _cleanup_free_ char *q = NULL;
+                                _cleanup_free_ char *q = NULL, *q_resolved = NULL, *target_resolved = NULL;
 
                                 /* This already exists and is a symlink? Interesting. Maybe it's one created
                                  * by DynamicUser=1 (see above)?
@@ -2256,13 +2256,22 @@ static int setup_exec_directory(
                                  * since they all support the private/ symlink logic at least in some
                                  * configurations, see above. */
 
+                                r = chase_symlinks(target, NULL, 0, &target_resolved, NULL);
+                                if (r < 0)
+                                        goto fail;
+
                                 q = path_join(params->prefix[type], "private", *rt);
                                 if (!q) {
                                         r = -ENOMEM;
                                         goto fail;
                                 }
 
-                                if (path_equal(q, target)) {
+                                /* /var/lib or friends may be symlinks. So, let's chase them also. */
+                                r = chase_symlinks(q, NULL, CHASE_NONEXISTENT, &q_resolved, NULL);
+                                if (r < 0)
+                                        goto fail;
+
+                                if (path_equal(q_resolved, target_resolved)) {
 
                                         /* Hmm, apparently DynamicUser= was once turned on for this service,
                                          * but is no longer. Let's move the directory back up. */

src/core/namespace.c

@@ -1192,7 +1192,7 @@ static bool root_read_only(
         if (protect_system == PROTECT_SYSTEM_STRICT)
                 return true;
 
-        if (path_strv_contains(read_only_paths, "/"))
+        if (prefixed_path_strv_contains(read_only_paths, "/"))
                 return true;
 
         return false;
@@ -1217,9 +1217,9 @@ static bool home_read_only(
         if (protect_home != PROTECT_HOME_NO)
                 return true;
 
-        if (path_strv_contains(read_only_paths, "/home") ||
+        if (prefixed_path_strv_contains(read_only_paths, "/home") ||
-            path_strv_contains(inaccessible_paths, "/home") ||
+            prefixed_path_strv_contains(inaccessible_paths, "/home") ||
-            path_strv_contains(empty_directories, "/home"))
+            prefixed_path_strv_contains(empty_directories, "/home"))
                 return true;
 
         for (i = 0; i < n_temporary_filesystems; i++)

src/core/service.c

@@ -3501,6 +3501,12 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
                                 break;
 
                         case SERVICE_STOP_POST:
+
+                                if (control_pid_good(s) <= 0)
+                                        service_enter_signal(s, SERVICE_FINAL_SIGTERM, f);
+
+                                break;
+
                         case SERVICE_FINAL_SIGTERM:
                         case SERVICE_FINAL_SIGKILL:
 
@@ -3650,6 +3656,10 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
                                 break;
 
                         case SERVICE_STOP_POST:
+                                if (main_pid_good(s) <= 0)
+                                        service_enter_signal(s, SERVICE_FINAL_SIGTERM, f);
+                                break;
+
                         case SERVICE_FINAL_SIGTERM:
                         case SERVICE_FINAL_SIGKILL:
                                 if (main_pid_good(s) <= 0)

src/home/pam_systemd_home.c

@@ -36,7 +36,7 @@ static int parse_argv(
         for (i = 0; i < argc; i++) {
                 const char *v;
 
-                if ((v = startswith(argv[1], "suspend="))) {
+                if ((v = startswith(argv[i], "suspend="))) {
                         int k;
 
                         k = parse_boolean(v);

src/journal/sd-journal.c

@@ -435,7 +435,7 @@ _public_ void sd_journal_flush_matches(sd_journal *j) {
         detach_location(j);
 }
 
-_pure_ static int compare_with_location(JournalFile *f, Location *l) {
+_pure_ static int compare_with_location(const JournalFile *f, const Location *l, const JournalFile *current_file) {
         int r;
 
         assert(f);
@@ -448,7 +448,8 @@ _pure_ static int compare_with_location(JournalFile *f, Location *l) {
             l->realtime_set &&
             f->current_realtime == l->realtime &&
             l->xor_hash_set &&
-            f->current_xor_hash == l->xor_hash)
+            f->current_xor_hash == l->xor_hash &&
+            f != current_file)
                 return 0;
 
         if (l->seqnum_set &&
@@ -787,7 +788,7 @@ static int next_beyond_location(sd_journal *j, JournalFile *f, direction_t direc
                 if (j->current_location.type == LOCATION_DISCRETE) {
                         int k;
 
-                        k = compare_with_location(f, &j->current_location);
+                        k = compare_with_location(f, &j->current_location, j->current_file);
 
                         found = direction == DIRECTION_DOWN ? k > 0 : k < 0;
                 } else

src/shared/ask-password-api.c

@@ -469,7 +469,7 @@ int ask_password_tty(
                 (void) loop_write(ttyfd, message, strlen(message), false);
                 (void) loop_write(ttyfd, " ", 1, false);
 
-                if (!(flags & ASK_PASSWORD_SILENT)) {
+                if (!(flags & ASK_PASSWORD_SILENT) && !(flags & ASK_PASSWORD_ECHO)) {
                         if (use_color)
                                 (void) loop_write(ttyfd, ANSI_GREY, STRLEN(ANSI_GREY), false);
                         (void) loop_write(ttyfd, PRESS_TAB, strlen(PRESS_TAB), false);

src/shared/dissect-image.c

@@ -425,10 +425,11 @@ int dissect_image(
 
                         m->encrypted = streq_ptr(fstype, "crypto_LUKS");
 
-                        r = loop_wait_for_partitions_to_appear(fd, d, 0, flags, &e);
+                        if (!streq(usage, "filesystem")) {
-                        if (r < 0)
+                                r = loop_wait_for_partitions_to_appear(fd, d, 0, flags, &e);
-                                return r;
+                                if (r < 0)
-
+                                        return r;
+                        }
                         *ret = TAKE_PTR(m);
 
                         return 0;

src/shared/format-table.c

@@ -1010,6 +1010,24 @@ int table_set_empty_string(Table *t, const char *empty) {
         return free_and_strdup(&t->empty_string, empty);
 }
 
+int table_set_display_all(Table *t) {
+        size_t allocated;
+
+        assert(t);
+
+        allocated = t->n_display_map;
+
+        if (!GREEDY_REALLOC(t->display_map, allocated, MAX(t->n_columns, allocated)))
+                return -ENOMEM;
+
+        for (size_t i = 0; i < t->n_columns; i++)
+                t->display_map[i] = i;
+
+        t->n_display_map = t->n_columns;
+
+        return 0;
+}
+
 int table_set_display(Table *t, size_t first_column, ...) {
         size_t allocated, column;
         va_list ap;
@@ -1069,6 +1087,34 @@ int table_set_sort(Table *t, size_t first_column, ...) {
         return 0;
 }
 
+int table_hide_column_from_display(Table *t, size_t column) {
+        size_t allocated, cur = 0;
+        int r;
+
+        assert(t);
+        assert(column < t->n_columns);
+
+        /* If the display map is empty, initialize it with all available columns */
+        if (!t->display_map) {
+                r = table_set_display_all(t);
+                if (r < 0)
+                        return r;
+        }
+
+        allocated = t->n_display_map;
+
+        for (size_t i = 0; i < allocated; i++) {
+                if (t->display_map[i] == column)
+                        continue;
+
+                t->display_map[cur++] = t->display_map[i];
+        }
+
+        t->n_display_map = cur;
+
+        return 0;
+}
+
 static int cell_data_compare(TableData *a, size_t index_a, TableData *b, size_t index_b) {
         assert(a);
         assert(b);

src/shared/format-table.h

@@ -101,9 +101,11 @@ void table_set_header(Table *table, bool b);
 void table_set_width(Table *t, size_t width);
 void table_set_cell_height_max(Table *t, size_t height);
 int table_set_empty_string(Table *t, const char *empty);
+int table_set_display_all(Table *t);
 int table_set_display(Table *t, size_t first_column, ...);
 int table_set_sort(Table *t, size_t first_column, ...);
 int table_set_reverse(Table *t, size_t column, bool b);
+int table_hide_column_from_display(Table *t, size_t column);
 
 int table_print(Table *t, FILE *f);
 int table_format(Table *t, char **ret);

src/shared/json-internal.h

@@ -26,21 +26,34 @@ assert_cc(sizeof(JsonValue) == 16U);
 /* We use fake JsonVariant objects for some special values, in order to avoid memory allocations for them. Note that
  * effectively this means that there are multiple ways to encode the same objects: via these magic values or as
  * properly allocated JsonVariant. We convert between both on-the-fly as necessary. */
-#define JSON_VARIANT_MAGIC_TRUE ((JsonVariant*) 1)
+enum
-#define JSON_VARIANT_MAGIC_FALSE ((JsonVariant*) 2)
+{
-#define JSON_VARIANT_MAGIC_NULL ((JsonVariant*) 3)
+ _JSON_VARIANT_MAGIC_TRUE = 1,
-#define JSON_VARIANT_MAGIC_ZERO_INTEGER ((JsonVariant*) 4)
+#define JSON_VARIANT_MAGIC_TRUE ((JsonVariant*) _JSON_VARIANT_MAGIC_TRUE)
-#define JSON_VARIANT_MAGIC_ZERO_UNSIGNED ((JsonVariant*) 5)
+ _JSON_VARIANT_MAGIC_FALSE,
-#define JSON_VARIANT_MAGIC_ZERO_REAL ((JsonVariant*) 6)
+#define JSON_VARIANT_MAGIC_FALSE ((JsonVariant*) _JSON_VARIANT_MAGIC_FALSE)
-#define JSON_VARIANT_MAGIC_EMPTY_STRING ((JsonVariant*) 7)
+ _JSON_VARIANT_MAGIC_NULL,
-#define JSON_VARIANT_MAGIC_EMPTY_ARRAY ((JsonVariant*) 8)
+#define JSON_VARIANT_MAGIC_NULL ((JsonVariant*) _JSON_VARIANT_MAGIC_NULL)
-#define JSON_VARIANT_MAGIC_EMPTY_OBJECT ((JsonVariant*) 9)
+ _JSON_VARIANT_MAGIC_ZERO_INTEGER,
-#define _JSON_VARIANT_MAGIC_MAX ((JsonVariant*) 10)
+#define JSON_VARIANT_MAGIC_ZERO_INTEGER ((JsonVariant*) _JSON_VARIANT_MAGIC_ZERO_INTEGER)
+ _JSON_VARIANT_MAGIC_ZERO_UNSIGNED,
+#define JSON_VARIANT_MAGIC_ZERO_UNSIGNED ((JsonVariant*) _JSON_VARIANT_MAGIC_ZERO_UNSIGNED)
+ _JSON_VARIANT_MAGIC_ZERO_REAL,
+#define JSON_VARIANT_MAGIC_ZERO_REAL ((JsonVariant*) _JSON_VARIANT_MAGIC_ZERO_REAL)
+ _JSON_VARIANT_MAGIC_EMPTY_STRING,
+#define JSON_VARIANT_MAGIC_EMPTY_STRING ((JsonVariant*) _JSON_VARIANT_MAGIC_EMPTY_STRING)
+ _JSON_VARIANT_MAGIC_EMPTY_ARRAY,
+#define JSON_VARIANT_MAGIC_EMPTY_ARRAY ((JsonVariant*) _JSON_VARIANT_MAGIC_EMPTY_ARRAY)
+ _JSON_VARIANT_MAGIC_EMPTY_OBJECT,
+#define JSON_VARIANT_MAGIC_EMPTY_OBJECT ((JsonVariant*) _JSON_VARIANT_MAGIC_EMPTY_OBJECT)
+ __JSON_VARIANT_MAGIC_MAX
+#define _JSON_VARIANT_MAGIC_MAX ((JsonVariant*) __JSON_VARIANT_MAGIC_MAX)
+};
 
 /* This is only safe as long as we don't define more than 4K magic pointers, i.e. the page size of the simplest
  * architectures we support. That's because we rely on the fact that malloc() will never allocate from the first memory
  * page, as it is a faulting page for catching NULL pointer dereferences. */
-assert_cc((uintptr_t) _JSON_VARIANT_MAGIC_MAX < 4096U);
+assert_cc((unsigned) __JSON_VARIANT_MAGIC_MAX < 4096U);
 
 enum { /* JSON tokens */
         JSON_TOKEN_END,

src/systemctl/systemctl.c

@@ -400,6 +400,12 @@ static int output_units_list(const UnitInfo *unit_infos, unsigned c) {
                 return log_oom();
 
         table_set_header(table, !arg_no_legend);
+        if (arg_no_legend) {
+                /* Hide the 'glyph' column when --no-legend is requested */
+                r = table_hide_column_from_display(table, 0);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to hide column: %m");
+        }
         if (arg_full)
                 table_set_width(table, 0);
 
@@ -461,12 +467,9 @@ static int output_units_list(const UnitInfo *unit_infos, unsigned c) {
 
         if (job_count == 0) {
                 /* There's no data in the JOB column, so let's hide it */
-                /* Also, convert all number constants to size_t so va_arg()
+                r = table_hide_column_from_display(table, 5);
-                 * in table_set_display() fetches a correct number of bytes from
-                 * the stack */
-                r = table_set_display(table, (size_t) 0, (size_t) 1, (size_t) 2, (size_t) 3, (size_t) 4, (size_t) 6, (size_t) -1);
                 if (r < 0)
-                        return log_error_errno(r, "Failed to set columns to display: %m");
+                        return log_error_errno(r, "Failed to hide column: %m");
         }
 
         r = table_print(table, NULL);
@@ -1980,6 +1983,12 @@ static int output_machines_list(struct machine_info *machine_infos, unsigned n)
                 return log_oom();
 
         table_set_header(table, !arg_no_legend);
+        if (arg_no_legend) {
+                /* Hide the 'glyph' column when --no-legend is requested */
+                r = table_hide_column_from_display(table, 0);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to hide column: %m");
+        }
         if (arg_full)
                 table_set_width(table, 0);
 

src/test/test-execute.c

@@ -561,6 +561,7 @@ static void test_exec_dynamicuser(Manager *m) {
 
         test(__func__, m, "exec-dynamicuser-statedir-migrate-step1.service", 0, CLD_EXITED);
         test(__func__, m, "exec-dynamicuser-statedir-migrate-step2.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
+        test(__func__, m, "exec-dynamicuser-statedir-migrate-step1.service", 0, CLD_EXITED);
 
         (void) rm_rf("/var/lib/test-dynamicuser-migrate", REMOVE_ROOT|REMOVE_PHYSICAL);
         (void) rm_rf("/var/lib/test-dynamicuser-migrate2", REMOVE_ROOT|REMOVE_PHYSICAL);

src/udev/udev-rules.c

@@ -921,7 +921,7 @@ static int parse_token(UdevRules *rules, const char *key, char *attr, UdevRuleOp
                         op = OP_ASSIGN;
                 }
 
-                r = rule_line_add_token(rule_line, TK_A_SECLABEL, op, value, NULL);
+                r = rule_line_add_token(rule_line, TK_A_SECLABEL, op, value, attr);
         } else if (streq(key, "RUN")) {
                 if (is_match || op == OP_REMOVE)
                         return log_token_invalid_op(rules, key);

test/TEST-47-ISSUE-14566/Makefile

@@ -0,0 +1 @@
+../TEST-01-BASIC/Makefile

test/TEST-47-ISSUE-14566/repro.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sleep infinity &
+echo $! > /leakedtestpid
+wait $!

test/TEST-47-ISSUE-14566/test.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+set -e
+TEST_DESCRIPTION="Test that KillMode=mixed does not leave left over proccesses with ExecStopPost="
+. $TEST_BASE_DIR/test-functions
+
+test_setup() {
+    create_empty_image_rootdir
+
+    (
+        LOG_LEVEL=5
+        eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
+
+        setup_basic_environment
+        mask_supporting_services
+
+        # setup the testsuite service
+        cat >$initdir/etc/systemd/system/testsuite.service <<EOF
+[Unit]
+Description=Testsuite service
+
+[Service]
+ExecStart=/testsuite.sh
+Type=oneshot
+EOF
+        cat > $initdir/etc/systemd/system/issue_14566_test.service << EOF
+[Unit]
+Description=Issue 14566 Repro
+
+[Service]
+ExecStart=/repro.sh
+ExecStopPost=/bin/true
+KillMode=mixed
+EOF
+
+        cp testsuite.sh $initdir/
+        cp repro.sh $initdir/
+
+        setup_testsuite
+    )
+    setup_nspawn_root
+}
+
+do_test "$@"

test/TEST-47-ISSUE-14566/testsuite.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+set -ex
+set -o pipefail
+
+systemd-analyze log-level debug
+systemd-analyze log-target console
+
+systemctl start issue_14566_test
+sleep 1
+systemctl status issue_14566_test
+
+leaked_pid=$(cat /leakedtestpid)
+
+systemctl stop issue_14566_test
+
+# Leaked PID will still be around if we're buggy.
+# I personally prefer to see 42.
+ps -p "$leaked_pid" && exit 42
+
+systemd-analyze log-level info
+
+echo OK > /testok
+
+exit 0

test/test-execute/exec-capabilityboundingset-invert.service

@@ -2,7 +2,7 @@
 Description=Test for CapabilityBoundingSet
 
 [Service]
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep "^Bounding set .*cap_chown"'
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep "^Bounding set .*cap_chown"'
 Type=oneshot
 CapabilityBoundingSet=~CAP_CHOWN

test/test-execute/exec-privatedevices-no-capability-mknod.service

@@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=no
 
 [Service]
 PrivateDevices=no
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
-ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
 Type=oneshot

test/test-execute/exec-privatedevices-no-capability-sys-rawio.service

@@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no
 
 [Service]
 PrivateDevices=no
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
-ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
 Type=oneshot

test/test-execute/exec-privatedevices-yes-capability-mknod.service

@@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=yes
 
 [Service]
 PrivateDevices=yes
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
 Type=oneshot

test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service

@@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes
 
 [Service]
 PrivateDevices=yes
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
 Type=oneshot

test/test-execute/exec-protectkernellogs-no-capabilities.service

@@ -3,6 +3,6 @@ Description=Test CAP_SYSLOG for ProtectKernelLogs=no
 
 [Service]
 ProtectKernelLogs=no
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
-ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_syslog'
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_syslog'
 Type=oneshot

test/test-execute/exec-protectkernellogs-yes-capabilities.service

@@ -3,6 +3,6 @@ Description=Test CAP_SYSLOG for ProtectKernelLogs=yes
 
 [Service]
 ProtectKernelLogs=yes
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_syslog'
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_syslog'
 Type=oneshot

test/test-execute/exec-protectkernelmodules-no-capabilities.service

@@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE ProtectKernelModules=no
 
 [Service]
 ProtectKernelModules=no
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
-ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
+ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
 Type=oneshot

test/test-execute/exec-protectkernelmodules-yes-capabilities.service

@@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE for ProtectKernelModules=yes
 
 [Service]
 ProtectKernelModules=yes
-# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
+# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
-ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
+ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
 Type=oneshot

units/systemd-homed.service.in

@@ -8,7 +8,7 @@
 #  (at your option) any later version.
 
 [Unit]
-Description=Home Manager
+Description=Home Area Manager
 Documentation=man:systemd-homed.service(8)
 RequiresMountsFor=/home