From f4e03c903602c357dbd8a883f8d22068be9236f5 Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Wed, 24 Jun 2026 19:10:33 -0400 Subject: [PATCH] import UBI systemd-252-67.el9_8.4 --- ...dUser-Ephemeral-from-settings-file-o.patch | 55 +++ ...29-nspawn-normalize-pivot_root-paths.patch | 32 ++ ...nvalid-chars-in-various-fields-recei.patch | 110 ++++++ SOURCES/1331-udev-fix-review-mixup.patch | 32 ++ ...ck-for-invalid-chars-in-various-fiel.patch | 52 +++ ...support-swap-on-network-block-device.patch | 322 ++++++++++++++++++ SPECS/systemd.spec | 18 +- 7 files changed, 620 insertions(+), 1 deletion(-) create mode 100644 SOURCES/1328-nspawn-apply-BindUser-Ephemeral-from-settings-file-o.patch create mode 100644 SOURCES/1329-nspawn-normalize-pivot_root-paths.patch create mode 100644 SOURCES/1330-udev-check-for-invalid-chars-in-various-fields-recei.patch create mode 100644 SOURCES/1331-udev-fix-review-mixup.patch create mode 100644 SOURCES/1332-udev-scsi-id-check-for-invalid-chars-in-various-fiel.patch create mode 100644 SOURCES/1333-fstab-generator-support-swap-on-network-block-device.patch diff --git a/SOURCES/1328-nspawn-apply-BindUser-Ephemeral-from-settings-file-o.patch b/SOURCES/1328-nspawn-apply-BindUser-Ephemeral-from-settings-file-o.patch new file mode 100644 index 0000000..0391203 --- /dev/null +++ b/SOURCES/1328-nspawn-apply-BindUser-Ephemeral-from-settings-file-o.patch 
@@ -0,0 +1,55 @@ +From 413d89a2e5896e2fc62de9c73aa62bd2d7da6ea3 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 11 Mar 2026 12:15:26 +0000 +Subject: [PATCH] nspawn: apply BindUser/Ephemeral from settings file only if + trusted + +Originally reported on yeswehack.com as: +YWH-PGM9780-116 + +Follow-up for 2f8930449079403b26c9164b8eeac78d5af2c8df +Follow-up for a2f577fca0be79b23f61f033229b64884e7d840a + +(cherry picked from commit 61bceb1bff4b1f9c126b18dc971ca3e6d8c71c40) + +Resolves: RHEL-163870 +--- + src/nspawn/nspawn.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index db45968cd3..39d036ef7e 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -4304,8 +4304,13 @@ static int merge_settings(Settings *settings, const char *path) { + } + + if ((arg_settings_mask & SETTING_EPHEMERAL) == 0 && +- settings->ephemeral >= 0) +- arg_ephemeral = settings->ephemeral; ++ settings->ephemeral >= 0) { ++ ++ if (!arg_settings_trusted) ++ log_warning("Ignoring ephemeral setting, file %s is not trusted.", path); ++ else ++ arg_ephemeral = settings->ephemeral; ++ } + + if ((arg_settings_mask & SETTING_DIRECTORY) == 0 && + settings->root) { +@@ -4473,8 +4478,13 @@ static int merge_settings(Settings *settings, const char *path) { + } + + if ((arg_settings_mask & SETTING_BIND_USER) == 0 && +- !strv_isempty(settings->bind_user)) +- strv_free_and_replace(arg_bind_user, settings->bind_user); ++ !strv_isempty(settings->bind_user)) { ++ ++ if (!arg_settings_trusted) ++ log_warning("Ignoring bind user setting, file %s is not trusted.", path); ++ else ++ strv_free_and_replace(arg_bind_user, settings->bind_user); ++ } + + if ((arg_settings_mask & SETTING_NOTIFY_READY) == 0 && + settings->notify_ready >= 0) diff --git a/SOURCES/1329-nspawn-normalize-pivot_root-paths.patch b/SOURCES/1329-nspawn-normalize-pivot_root-paths.patch new file mode 100644 index 0000000..7847f39 --- /dev/null 
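Review bot: Both new `if (!arg_settings_trusted)` guards in merge_settings() come with no documentation: the diffstat touches only src/nspawn/nspawn.c, so any user-facing list of settings honoured only from trusted .nspawn files would now omit Ephemeral= and BindUser=. If systemd.nspawn(5) carries such a list (not visible here), it should be updated in the same change, because an administrator who relies on those keys in an untrusted settings file otherwise learns of the restriction only from the log warning. A short why-comment at each guard would also help, for example `/* Changes host-side container setup, so only honoured from trusted settings files */`, with the wording to be confirmed by the author. merge_settings() starts and ends outside both hunks.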
+++ b/SOURCES/1329-nspawn-normalize-pivot_root-paths.patch @@ -0,0 +1,32 @@ +From bd8f4b9ed6ed3ae5f8d4f6f7bce34ea9c2e8e5f4 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 11 Mar 2026 13:27:14 +0000 +Subject: [PATCH] nspawn: normalize pivot_root paths + +Originally reported on yeswehack.com as: +YWH-PGM9780-116 + +Follow-up for b53ede699cdc5233041a22591f18863fb3fe2672 + +(cherry picked from commit 7b85f5498a958e5bb660c703b8f4a71cceed3373) + +Resolves: RHEL-163870 +--- + src/nspawn/nspawn-mount.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c +index a54f1464ba..af96d2d1d7 100644 +--- a/src/nspawn/nspawn-mount.c ++++ b/src/nspawn/nspawn-mount.c +@@ -1244,7 +1244,9 @@ int pivot_root_parse(char **pivot_root_new, char **pivot_root_old, const char *s + + if (!path_is_absolute(root_new)) + return -EINVAL; +- if (root_old && !path_is_absolute(root_old)) ++ if (!path_is_normalized(root_new)) ++ return -EINVAL; ++ if (root_old && (!path_is_absolute(root_old) || !path_is_normalized(root_old))) + return -EINVAL; + + free_and_replace(*pivot_root_new, root_new); diff --git a/SOURCES/1330-udev-check-for-invalid-chars-in-various-fields-recei.patch b/SOURCES/1330-udev-check-for-invalid-chars-in-various-fields-recei.patch new file mode 100644 index 0000000..04f5c10 --- /dev/null +++ b/SOURCES/1330-udev-check-for-invalid-chars-in-various-fields-recei.patch 
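Review bot: The new `path_is_normalized()` checks in pivot_root_parse() carry no comment saying what they guard against, and root_new is validated by two separate `if` statements while root_old gets one combined condition. Writing both the same way, `if (!path_is_absolute(root_new) || !path_is_normalized(root_new)) return -EINVAL;`, makes it obvious that the two paths are held to the same rule. A one-line comment such as `/* Refuse non-normalized paths (e.g. ".." components) before they are stored for later use */` would record the intent; how the stored paths are consumed is not visible here. The function body continues outside the hunk.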
@@ -0,0 +1,110 @@ +From 87663c17b8529c4b4d216ec996c23c022999789e Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 6 Mar 2026 19:32:35 +0000 +Subject: [PATCH] udev: check for invalid chars in various fields received from + the kernel + +(cherry picked from commit 16325b35fa6ecb25f66534a562583ce3b96d52f3) + +Resolves: RHEL-163876 +--- + src/udev/dmi_memory_id/dmi_memory_id.c | 3 ++- + src/udev/scsi_id/scsi_id.c | 5 +++-- + src/udev/udev-builtin-net_id.c | 7 ++++++- + src/udev/v4l_id/v4l_id.c | 5 ++++- + 4 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/src/udev/dmi_memory_id/dmi_memory_id.c b/src/udev/dmi_memory_id/dmi_memory_id.c +index 1345289219..d833a5989d 100644 +--- a/src/udev/dmi_memory_id/dmi_memory_id.c ++++ b/src/udev/dmi_memory_id/dmi_memory_id.c +@@ -50,6 +50,7 @@ + #include "string-util.h" + #include "udev-util.h" + #include "unaligned.h" ++#include "utf8.h" + #include "version.h" + + #define SUPPORTED_SMBIOS_VER 0x030300 +@@ -185,7 +186,7 @@ static void dmi_memory_device_string( + + str = strdupa_safe(dmi_string(h, s)); + str = strstrip(str); +- if (!isempty(str)) ++ if (!isempty(str) && utf8_is_valid(str) && !string_has_cc(str, /* ok= */ NULL)) + printf("MEMORY_DEVICE_%u_%s=%s\n", slot_num, attr_suffix, str); + } + +diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c +index 364d567705..2a489f4e38 100644 +--- a/src/udev/scsi_id/scsi_id.c ++++ b/src/udev/scsi_id/scsi_id.c +@@ -26,6 +26,7 @@ + #include "strv.h" + #include "strxcpyx.h" + #include "udev-util.h" ++#include "utf8.h" + #include "version.h" + + static const struct option options[] = { +@@ -441,8 +442,8 @@ static int scsi_id(char *maj_min_dev) { + } + if (dev_scsi.tgpt_group[0] != '\0') + printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group); +- if (dev_scsi.unit_serial_number[0] != '\0') +- printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number); ++ if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && 
!string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL)) ++ printf("ID_SCSI_SERIAL=%s\n", serial_str); + goto out; + } + +diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c +index e1895a38c0..6bb6465832 100644 +--- a/src/udev/udev-builtin-net_id.c ++++ b/src/udev/udev-builtin-net_id.c +@@ -39,6 +39,7 @@ + #include "strv.h" + #include "strxcpyx.h" + #include "udev-builtin.h" ++#include "utf8.h" + + #define ONBOARD_14BIT_INDEX_MAX ((1U << 14) - 1) + #define ONBOARD_16BIT_INDEX_MAX ((1U << 16) - 1) +@@ -1188,9 +1189,13 @@ static int get_link_info(sd_device *dev, LinkInfo *info) { + return r; + + r = device_get_sysattr_value_filtered(dev, "phys_port_name", &info->phys_port_name); +- if (r >= 0) ++ if (r >= 0) { ++ if (!utf8_is_valid(info->phys_port_name) || string_has_cc(info->phys_port_name, /* ok= */ NULL)) ++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name"); ++ + /* Check if phys_port_name indicates virtual device representor */ + (void) sscanf(info->phys_port_name, "pf%*uvf%d", &info->vf_representor_id); ++ } + + r = device_get_sysattr_value_filtered(dev, "address", &s); + if (r < 0 && r != -ENOENT) +diff --git a/src/udev/v4l_id/v4l_id.c b/src/udev/v4l_id/v4l_id.c +index c2312c7909..ae8459c456 100644 +--- a/src/udev/v4l_id/v4l_id.c ++++ b/src/udev/v4l_id/v4l_id.c +@@ -27,6 +27,8 @@ + #include + + #include "fd-util.h" ++#include "string-util.h" ++#include "utf8.h" + #include "util.h" + + int main(int argc, char *argv[]) { +@@ -66,7 +68,8 @@ int main(int argc, char *argv[]) { + if (ioctl(fd, VIDIOC_QUERYCAP, &v2cap) == 0) { + int capabilities; + printf("ID_V4L_VERSION=2\n"); +- printf("ID_V4L_PRODUCT=%s\n", v2cap.card); ++ if (utf8_is_valid((char *)v2cap.card) && !string_has_cc((char *)v2cap.card, /* ok= */ NULL)) ++ printf("ID_V4L_PRODUCT=%s\n", v2cap.card); + printf("ID_V4L_CAPABILITIES=:"); + if (v2cap.capabilities & V4L2_CAP_DEVICE_CAPS) + capabilities = v2cap.device_caps; 
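Review bot: In get_link_info() an invalid phys_port_name makes the whole function return -EINVAL, whereas the dmi_memory_id, scsi_id and v4l_id hunks of the same patch only skip the offending property and carry on. If rejecting the device outright is intended, a comment should say so, e.g. `/* phys_port_name may feed into the interface name, so refuse the device instead of skipping the attribute */`; that rationale is my assumption and needs confirming. In v4l_id.c a rejected ID_V4L_PRODUCT is dropped with no diagnostic, which makes a device that trips the check hard to spot during triage. Both checks there receive `(char *)v2cap.card` as a C string, which assumes the fixed-size card field is NUL-terminated, as the original `%s` printf already did.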
diff --git a/SOURCES/1331-udev-fix-review-mixup.patch b/SOURCES/1331-udev-fix-review-mixup.patch new file mode 100644 index 0000000..f549759 --- /dev/null +++ b/SOURCES/1331-udev-fix-review-mixup.patch @@ -0,0 +1,32 @@ +From 62af15ed46544eec6453ad2bac8926e292e5d189 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 13 Mar 2026 11:10:47 +0000 +Subject: [PATCH] udev: fix review mixup + +The previous version in the PR changed variable and sanitized it +in place. The second version switched to skip if CCs are in the +string instead, but didn't move back to the original variable. +Because it's an existing variable, no CI caught it. + +Follow-up for 16325b35fa6ecb25f66534a562583ce3b96d52f3 + +(cherry picked from commit 54f880b02ecf7362e630ffc885d1466df6ee6820) + +Resolves: RHEL-163876 +--- + src/udev/scsi_id/scsi_id.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c +index 2a489f4e38..71c5534851 100644 +--- a/src/udev/scsi_id/scsi_id.c ++++ b/src/udev/scsi_id/scsi_id.c +@@ -443,7 +443,7 @@ static int scsi_id(char *maj_min_dev) { + if (dev_scsi.tgpt_group[0] != '\0') + printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group); + if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL)) +- printf("ID_SCSI_SERIAL=%s\n", serial_str); ++ printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number); + goto out; + } + diff --git a/SOURCES/1332-udev-scsi-id-check-for-invalid-chars-in-various-fiel.patch b/SOURCES/1332-udev-scsi-id-check-for-invalid-chars-in-various-fiel.patch new file mode 100644 index 0000000..89228a4 --- /dev/null +++ b/SOURCES/1332-udev-scsi-id-check-for-invalid-chars-in-various-fiel.patch 
@@ -0,0 +1,52 @@ +From 023f021259fb5fff8b8f40ea53694a36479d26e3 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 10 Apr 2026 19:04:04 +0100 +Subject: [PATCH] udev/scsi-id: check for invalid chars in various fields + received from the kernel + +Follow-up for 16325b35fa6ecb25f66534a562583ce3b96d52f3 + +(cherry picked from commit 5f700d148c44063c0f0dbb9fc136866339cd3fa7) + +Related: RHEL-163876 +--- + src/udev/scsi_id/scsi_id.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c +index 71c5534851..2f2a07891f 100644 +--- a/src/udev/scsi_id/scsi_id.c ++++ b/src/udev/scsi_id/scsi_id.c +@@ -389,6 +389,10 @@ static int set_inq_values(struct scsi_id_device *dev_scsi, const char *path) { + return 0; + } + ++static bool scsi_string_is_valid(const char *s) { ++ return !isempty(s) && utf8_is_valid(s) && !string_has_cc(s, /* ok= */ NULL); ++} ++ + /* + * scsi_id: try to get an id, if one is found, printf it to stdout. + * returns a value passed to exit() - 0 if printed an id, else 1. 
+@@ -432,17 +436,17 @@ static int scsi_id(char *maj_min_dev) { + udev_replace_chars(serial_str, NULL); + printf("ID_SERIAL_SHORT=%s\n", serial_str); + } +- if (dev_scsi.wwn[0] != '\0') { ++ if (scsi_string_is_valid(dev_scsi.wwn)) { + printf("ID_WWN=0x%s\n", dev_scsi.wwn); +- if (dev_scsi.wwn_vendor_extension[0] != '\0') { ++ if (scsi_string_is_valid(dev_scsi.wwn_vendor_extension)) { + printf("ID_WWN_VENDOR_EXTENSION=0x%s\n", dev_scsi.wwn_vendor_extension); + printf("ID_WWN_WITH_EXTENSION=0x%s%s\n", dev_scsi.wwn, dev_scsi.wwn_vendor_extension); + } else + printf("ID_WWN_WITH_EXTENSION=0x%s\n", dev_scsi.wwn); + } +- if (dev_scsi.tgpt_group[0] != '\0') ++ if (scsi_string_is_valid(dev_scsi.tgpt_group)) + printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group); +- if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL)) ++ if (scsi_string_is_valid(dev_scsi.unit_serial_number)) + printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number); + goto out; + } diff --git a/SOURCES/1333-fstab-generator-support-swap-on-network-block-device.patch b/SOURCES/1333-fstab-generator-support-swap-on-network-block-device.patch new file mode 100644 index 0000000..d091925 --- /dev/null +++ b/SOURCES/1333-fstab-generator-support-swap-on-network-block-device.patch 
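Review bot: A wwn_vendor_extension that is present but fails scsi_string_is_valid() now falls into the `else` branch and runs `printf("ID_WWN_WITH_EXTENSION=0x%s\n", dev_scsi.wwn);`, exactly as if the device had no extension at all. Consumers of that property then see a different identifier for the same device with nothing recording why; changing the branch to `} else if (dev_scsi.wwn_vendor_extension[0] == '\0')` would emit the short form only when the extension is really absent. The helper would also benefit from a comment stating its contract, e.g. `/* True if s is non-empty, valid UTF-8 and free of control characters */`. None of the rejecting branches logs anything, so a debug message there would help when a property silently disappears. scsi_id() starts and ends outside the hunk.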
@@ -0,0 +1,322 @@ +From e9dcdc8a757636eb96e7ae99b3b4f55dab289261 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 7 Apr 2026 11:16:42 +0200 +Subject: [PATCH] fstab-generator: support swap on network block devices + +Teach swap units to support the _netdev option as well, which should +make swaps on iSCSI possible. This mirrors the logic we already have for +regular mounts in both the fstab-generator and the core +(mount.c/swap.c). + +Co-developed-by: Claude Opus 4.6 +(cherry picked from commit 3d5bd67a2259e7a4edc27476d4cae049653c4414) + +Resolves: RHEL-166186 +--- + man/systemd.swap.xml | 28 +++++++++-- + src/core/swap.c | 46 ++++++++++++++++--- + src/fstab-generator/fstab-generator.c | 16 +++++-- + src/shared/generator.c | 2 +- + .../systemd-remount-fs.service | 0 + .../sysroot.mount | 0 + .../50-netdev-dependencies.conf | 5 ++ + .../dev-sdx1.swap | 10 ++++ + .../systemd-remount-fs.service | 0 + .../remote-fs.target.requires/dev-sdx1.swap | 1 + + .../50-netdev-dependencies.conf | 5 ++ + .../dev-sdx1.swap | 10 ++++ + .../sysroot.mount | 0 + .../remote-fs.target.requires/dev-sdx1.swap | 1 + + .../test-21-swap-netdev.fstab.input | 1 + + 15 files changed, 111 insertions(+), 14 deletions(-) + create mode 100644 test/test-fstab-generator/test-21-swap-netdev.fstab.expected.container.sysroot/local-fs.target.wants/systemd-remount-fs.service + create mode 100644 test/test-fstab-generator/test-21-swap-netdev.fstab.expected.container/initrd-usr-fs.target.requires/sysroot.mount + create mode 100644 test/test-fstab-generator/test-21-swap-netdev.fstab.expected.sysroot/dev-sdx1.device.d/50-netdev-dependencies.conf + create mode 100644 test/test-fstab-generator/test-21-swap-netdev.fstab.expected.sysroot/dev-sdx1.swap + create mode 100644 test/test-fstab-generator/test-21-swap-netdev.fstab.expected.sysroot/local-fs.target.wants/systemd-remount-fs.service + create mode 120000 
test/test-fstab-generator/test-21-swap-netdev.fstab.expected.sysroot/remote-fs.target.requires/dev-sdx1.swap + create mode 100644 test/test-fstab-generator/test-21-swap-netdev.fstab.expected/dev-sdx1.device.d/50-netdev-dependencies.conf + create mode 100644 test/test-fstab-generator/test-21-swap-netdev.fstab.expected/dev-sdx1.swap + create mode 100644 test/test-fstab-generator/test-21-swap-netdev.fstab.expected/initrd-usr-fs.target.requires/sysroot.mount + create mode 120000 test/test-fstab-generator/test-21-swap-netdev.fstab.expected/remote-fs.target.requires/dev-sdx1.swap + create mode 100644 test/test-fstab-generator/test-21-swap-netdev.fstab.input + +diff --git a/man/systemd.swap.xml b/man/systemd.swap.xml +index 8287382eb6..6af8a31021 100644 +--- a/man/systemd.swap.xml ++++ b/man/systemd.swap.xml +@@ -90,9 +90,15 @@ + The following dependencies are added unless DefaultDependencies=no is set: + + +- Swap units automatically acquire a Conflicts= and a ++ Local swap units automatically acquire a Conflicts= and a + Before= dependency on umount.target so that they are deactivated at + shutdown as well as a Before=swap.target dependency. ++ ++ Network swap units (those with in their options) automatically acquire ++ After= dependencies on remote-fs-pre.target and ++ network.target, plus After= and Wants= dependencies ++ on network-online.target, and a Before= dependency on ++ remote-fs.target instead of swap.target. + + + +@@ -124,7 +130,8 @@ + + With , the swap unit + will not be added as a dependency for +- swap.target. This means that it will not ++ swap.target (or remote-fs.target for network swap devices, ++ see below). This means that it will not + be activated automatically during boot, unless it is pulled in + by some other unit. The option has the + opposite meaning and is the default. +@@ -136,8 +143,8 @@ + + With , the swap unit + will be only wanted, not required by +- swap.target. 
This means that the boot +- will continue even if this swap device is not activated ++ swap.target (or remote-fs.target for network swap ++ devices). This means that the boot will continue even if this swap device is not activated + successfully. + + +@@ -161,6 +168,19 @@ + in systemd.mount5. + + ++ ++ ++ ++ ++ Marks this swap device as requiring network access. This is useful for swap on ++ network block devices (e.g. iSCSI). ++ ++ Network swap units are ordered between remote-fs-pre.target and ++ remote-fs.target, instead of being ordered before ++ swap.target. They also pull in network-online.target and ++ are ordered after it and network.target. ++ ++ + + + +diff --git a/src/core/swap.c b/src/core/swap.c +index 5c83c4780f..10743d4b9d 100644 +--- a/src/core/swap.c ++++ b/src/core/swap.c +@@ -253,6 +253,7 @@ static int swap_add_device_dependencies(Swap *s) { + } + + static int swap_add_default_dependencies(Swap *s) { ++ SwapParameters *p; + int r; + + assert(s); +@@ -266,13 +267,46 @@ static int swap_add_default_dependencies(Swap *s) { + if (detect_container() > 0) + return 0; + +- /* swap units generated for the swap dev links are missing the +- * ordering dep against the swap target. */ +- r = unit_add_dependency_by_name(UNIT(s), UNIT_BEFORE, SPECIAL_SWAP_TARGET, true, UNIT_DEPENDENCY_DEFAULT); +- if (r < 0) +- return r; ++ p = swap_get_parameters(s); ++ ++ if (p && fstab_test_option(p->options, "_netdev\0")) { ++ /* Network swap devices (those with _netdev in options) are routed through ++ * remote-fs.target instead of swap.target, mirroring how network mounts use ++ * remote-fs.target instead of local-fs.target. This avoids an ordering cycle: ++ * swap.target is pulled in at sysinit.target time, but network-online.target ++ * only comes after basic.target which is after sysinit.target. 
*/ ++ r = unit_add_dependency_by_name(UNIT(s), UNIT_AFTER, SPECIAL_REMOTE_FS_PRE_TARGET, ++ /* add_reference= */ true, UNIT_DEPENDENCY_DEFAULT); ++ if (r < 0) ++ return r; ++ ++ r = unit_add_dependency_by_name(UNIT(s), UNIT_BEFORE, SPECIAL_REMOTE_FS_TARGET, ++ /* add_reference= */ true, UNIT_DEPENDENCY_DEFAULT); ++ if (r < 0) ++ return r; ++ ++ /* Pull in and order after network-online.target, analogous to ++ * mount_add_default_network_dependencies() for network mounts. */ ++ r = unit_add_dependency_by_name(UNIT(s), UNIT_AFTER, SPECIAL_NETWORK_TARGET, ++ /* add_reference= */ true, UNIT_DEPENDENCY_DEFAULT); ++ if (r < 0) ++ return r; ++ ++ r = unit_add_two_dependencies_by_name(UNIT(s), UNIT_WANTS, UNIT_AFTER, SPECIAL_NETWORK_ONLINE_TARGET, ++ /* add_reference= */ true, UNIT_DEPENDENCY_DEFAULT); ++ if (r < 0) ++ return r; ++ } else { ++ /* swap units generated for the swap dev links are missing the ++ * ordering dep against the swap target. */ ++ r = unit_add_dependency_by_name(UNIT(s), UNIT_BEFORE, SPECIAL_SWAP_TARGET, ++ /* add_reference= */ true, UNIT_DEPENDENCY_DEFAULT); ++ if (r < 0) ++ return r; ++ } + +- return unit_add_two_dependencies_by_name(UNIT(s), UNIT_BEFORE, UNIT_CONFLICTS, SPECIAL_UMOUNT_TARGET, true, UNIT_DEPENDENCY_DEFAULT); ++ return unit_add_two_dependencies_by_name(UNIT(s), UNIT_BEFORE, UNIT_CONFLICTS, SPECIAL_UMOUNT_TARGET, ++ /* add_reference= */ true, UNIT_DEPENDENCY_DEFAULT); + } + + static int swap_verify(Swap *s) { +diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c +index 28677a2f39..7b417dd2d1 100644 +--- a/src/fstab-generator/fstab-generator.c ++++ b/src/fstab-generator/fstab-generator.c +@@ -208,6 +208,7 @@ static int add_swap( + + _cleanup_free_ char *name = NULL; + _cleanup_fclose_ FILE *f = NULL; ++ bool is_network; + int r; + + assert(what); +@@ -227,10 +228,12 @@ static int add_swap( + return true; + } + +- log_debug("Found swap entry what=%s makefs=%s growfs=%s pcrfs=%s noauto=%s 
nofail=%s", ++ is_network = fstab_test_option(options, "_netdev\0"); ++ ++ log_debug("Found swap entry what=%s makefs=%s growfs=%s pcrfs=%s noauto=%s nofail=%s netdev=%s", + what, + yes_no(flags & MOUNT_MAKEFS), yes_no(flags & MOUNT_GROWFS), yes_no(flags & MOUNT_PCRFS), +- yes_no(flags & MOUNT_NOAUTO), yes_no(flags & MOUNT_NOFAIL)); ++ yes_no(flags & MOUNT_NOAUTO), yes_no(flags & MOUNT_NOFAIL), yes_no(is_network)); + + r = unit_name_from_path(what, ".swap", &name); + if (r < 0) +@@ -271,6 +274,12 @@ static int add_swap( + if (r < 0) + return r; + ++ if (is_network) { ++ r = generator_write_device_deps(arg_dest, what, /* where= */ NULL, options); ++ if (r < 0) ++ return r; ++ } ++ + if (flags & MOUNT_MAKEFS) { + r = generator_hook_up_mkswap(arg_dest, what); + if (r < 0) +@@ -284,7 +293,8 @@ static int add_swap( + log_warning("%s: measuring swap devices is currently unsupported.", what); + + if (!(flags & MOUNT_NOAUTO)) { +- r = generator_add_symlink(arg_dest, SPECIAL_SWAP_TARGET, ++ const char *target = is_network ? SPECIAL_REMOTE_FS_TARGET : SPECIAL_SWAP_TARGET; ++ r = generator_add_symlink(arg_dest, target, + (flags & MOUNT_NOFAIL) ? 
"wants" : "requires", name); + if (r < 0) + return r; +diff --git a/src/shared/generator.c b/src/shared/generator.c +index a688ba446c..5dc103400b 100644 +--- a/src/shared/generator.c ++++ b/src/shared/generator.c +@@ -428,7 +428,7 @@ int generator_write_device_deps( + _cleanup_free_ char *node = NULL, *unit = NULL; + int r; + +- if (fstab_is_extrinsic(where, opts)) ++ if (where && fstab_is_extrinsic(where, opts)) + return 0; + + if (!fstab_test_option(opts, "_netdev\0")) +diff --git a/test/test-fstab-generator/test-21-swap-netdev.fstab.expected.container.sysroot/local-fs.target.wants/systemd-remount-fs.service b/test/test-fstab-generator/test-21-swap-netdev.fstab.expected.container.sysroot/local-fs.target.wants/systemd-remount-fs.service +new file mode 100644 +index 0000000000..e69de29bb2 +diff --git a/test/test-fstab-generator/test-21-swap-netdev.fstab.expected.container/initrd-usr-fs.target.requires/sysroot.mount b/test/test-fstab-generator/test-21-swap-netdev.fstab.expected.container/initrd-usr-fs.target.requires/sysroot.mount +new file mode 100644 +index 0000000000..e69de29bb2 +diff --git a/test/test-fstab-generator/test-21-swap-netdev.fstab.expected.sysroot/dev-sdx1.device.d/50-netdev-dependencies.conf b/test/test-fstab-generator/test-21-swap-netdev.fstab.expected.sysroot/dev-sdx1.device.d/50-netdev-dependencies.conf +new file mode 100644 +index 0000000000..33d814c275 +--- /dev/null ++++ b/test/test-fstab-generator/test-21-swap-netdev.fstab.expected.sysroot/dev-sdx1.device.d/50-netdev-dependencies.conf +@@ -0,0 +1,5 @@ ++# Automatically generated by systemd-fstab-generator ++ ++[Unit] ++After=network-online.target network.target ++Wants=network-online.target +diff --git a/test/test-fstab-generator/test-21-swap-netdev.fstab.expected.sysroot/dev-sdx1.swap b/test/test-fstab-generator/test-21-swap-netdev.fstab.expected.sysroot/dev-sdx1.swap +new file mode 100644 +index 0000000000..32f276c9e1 +--- /dev/null ++++ 
b/test/test-fstab-generator/test-21-swap-netdev.fstab.expected.sysroot/dev-sdx1.swap +@@ -0,0 +1,10 @@ ++# Automatically generated by systemd-fstab-generator ++ ++[Unit] ++Documentation=man:fstab(5) man:systemd-fstab-generator(8) ++SourcePath=/etc/fstab ++After=blockdev@dev-sdx1.target ++ ++[Swap] ++What=/dev/sdx1 ++Options=_netdev +diff --git a/test/test-fstab-generator/test-21-swap-netdev.fstab.expected.sysroot/local-fs.target.wants/systemd-remount-fs.service b/test/test-fstab-generator/test-21-swap-netdev.fstab.expected.sysroot/local-fs.target.wants/systemd-remount-fs.service +new file mode 100644 +index 0000000000..e69de29bb2 +diff --git a/test/test-fstab-generator/test-21-swap-netdev.fstab.expected.sysroot/remote-fs.target.requires/dev-sdx1.swap b/test/test-fstab-generator/test-21-swap-netdev.fstab.expected.sysroot/remote-fs.target.requires/dev-sdx1.swap +new file mode 120000 +index 0000000000..00f0c5ce66 +--- /dev/null ++++ b/test/test-fstab-generator/test-21-swap-netdev.fstab.expected.sysroot/remote-fs.target.requires/dev-sdx1.swap +@@ -0,0 +1 @@ ++../dev-sdx1.swap +\ No newline at end of file +diff --git a/test/test-fstab-generator/test-21-swap-netdev.fstab.expected/dev-sdx1.device.d/50-netdev-dependencies.conf b/test/test-fstab-generator/test-21-swap-netdev.fstab.expected/dev-sdx1.device.d/50-netdev-dependencies.conf +new file mode 100644 +index 0000000000..33d814c275 +--- /dev/null ++++ b/test/test-fstab-generator/test-21-swap-netdev.fstab.expected/dev-sdx1.device.d/50-netdev-dependencies.conf +@@ -0,0 +1,5 @@ ++# Automatically generated by systemd-fstab-generator ++ ++[Unit] ++After=network-online.target network.target ++Wants=network-online.target +diff --git a/test/test-fstab-generator/test-21-swap-netdev.fstab.expected/dev-sdx1.swap b/test/test-fstab-generator/test-21-swap-netdev.fstab.expected/dev-sdx1.swap +new file mode 100644 +index 0000000000..32f276c9e1 +--- /dev/null ++++ 
b/test/test-fstab-generator/test-21-swap-netdev.fstab.expected/dev-sdx1.swap +@@ -0,0 +1,10 @@ ++# Automatically generated by systemd-fstab-generator ++ ++[Unit] ++Documentation=man:fstab(5) man:systemd-fstab-generator(8) ++SourcePath=/etc/fstab ++After=blockdev@dev-sdx1.target ++ ++[Swap] ++What=/dev/sdx1 ++Options=_netdev +diff --git a/test/test-fstab-generator/test-21-swap-netdev.fstab.expected/initrd-usr-fs.target.requires/sysroot.mount b/test/test-fstab-generator/test-21-swap-netdev.fstab.expected/initrd-usr-fs.target.requires/sysroot.mount +new file mode 100644 +index 0000000000..e69de29bb2 +diff --git a/test/test-fstab-generator/test-21-swap-netdev.fstab.expected/remote-fs.target.requires/dev-sdx1.swap b/test/test-fstab-generator/test-21-swap-netdev.fstab.expected/remote-fs.target.requires/dev-sdx1.swap +new file mode 120000 +index 0000000000..00f0c5ce66 +--- /dev/null ++++ b/test/test-fstab-generator/test-21-swap-netdev.fstab.expected/remote-fs.target.requires/dev-sdx1.swap +@@ -0,0 +1 @@ ++../dev-sdx1.swap +\ No newline at end of file +diff --git a/test/test-fstab-generator/test-21-swap-netdev.fstab.input b/test/test-fstab-generator/test-21-swap-netdev.fstab.input +new file mode 100644 +index 0000000000..5f719a4202 +--- /dev/null ++++ b/test/test-fstab-generator/test-21-swap-netdev.fstab.input +@@ -0,0 +1 @@ ++/dev/sdx1 none swap _netdev 0 0 diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec index ca51212..aacdb78 100644 --- a/SPECS/systemd.spec +++ b/SPECS/systemd.spec @@ -21,7 +21,7 @@ Name: systemd Url: https://systemd.io Version: 252 -Release: 67%{?dist}.2 +Release: 67%{?dist}.4 # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager 
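Review bot: The generator.c change `if (where && fstab_is_extrinsic(where, opts))` makes generator_write_device_deps() accept a NULL `where`, but nothing at the function documents that. Because fstab_is_extrinsic() also receives `opts`, the short-circuit also skips whatever it would have decided from the options alone. A comment at the check would pin the intent, e.g. `/* where is NULL for swap entries, which have no mount point; the extrinsic check only applies to mounts */`. In swap.c the comment "Pull in and order after network-online.target" sits above the `UNIT_AFTER` dependency on SPECIAL_NETWORK_TARGET, one call before the code it describes, so it should move down to the unit_add_two_dependencies_by_name() call. Only the middle of generator_write_device_deps() and add_swap() is visible in these hunks.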
@@ -1410,6 +1410,12 @@ Patch1324: 1324-man-fully-adopt-.local-state.patch Patch1325: 1325-core-only-activate-transaction-that-contain-useful-j.patch Patch1326: 1326-manager-fix-scope-for-environment-generators.patch Patch1327: 1327-core-validate-input-cgroup-path-more-prudently.patch +Patch1328: 1328-nspawn-apply-BindUser-Ephemeral-from-settings-file-o.patch +Patch1329: 1329-nspawn-normalize-pivot_root-paths.patch +Patch1330: 1330-udev-check-for-invalid-chars-in-various-fields-recei.patch +Patch1331: 1331-udev-fix-review-mixup.patch +Patch1332: 1332-udev-scsi-id-check-for-invalid-chars-in-various-fiel.patch +Patch1333: 1333-fstab-generator-support-swap-on-network-block-device.patch # Downstream-only patches (9000–9999) @@ -2287,6 +2293,16 @@ systemd-hwdb update &>/dev/null || : %{_prefix}/lib/dracut/modules.d/70rhel-net-naming-sysattrs/* %changelog +* Tue May 12 2026 systemd maintenance team - 252-67.4 +- fstab-generator: support swap on network block devices (RHEL-166186) + +* Thu Apr 16 2026 systemd maintenance team - 252-67.3 +- nspawn: apply BindUser/Ephemeral from settings file only if trusted (RHEL-163870) +- nspawn: normalize pivot_root paths (RHEL-163870) +- udev: check for invalid chars in various fields received from the kernel (RHEL-163876) +- udev: fix review mixup (RHEL-163876) +- udev/scsi-id: check for invalid chars in various fields received from the kernel (RHEL-163876) + * Thu Apr 02 2026 systemd maintenance team - 252-67.2 - core: validate input cgroup path more prudently (RHEL-152082)