Diffstat (limited to 'man')
-rw-r--r-- | man/machine-id.xml | 29
-rw-r--r-- | man/systemctl.xml | 12
-rw-r--r-- | man/systemd-gpt-auto-generator.xml | 5
-rw-r--r-- | man/systemd.exec.xml | 94
-rw-r--r-- | man/systemd.link.xml | 14
-rw-r--r-- | man/systemd.mount.xml | 19
-rw-r--r-- | man/systemd.network.xml | 7
-rw-r--r-- | man/systemd.service.xml | 6
8 files changed, 138 insertions, 48 deletions
diff --git a/man/machine-id.xml b/man/machine-id.xml index d318ec54ec..a722649de4 100644 --- a/man/machine-id.xml +++ b/man/machine-id.xml 
@@ -53,30 +53,31 @@ <refsect1> <title>Description</title> - <para>The <filename>/etc/machine-id</filename> file contains the - unique machine ID of the local system that is set during - installation. The machine ID is a single newline-terminated, - hexadecimal, 32-character, lowercase machine ID string. When - decoded from hexadecimal, this corresponds with a 16-byte/128-bit - string.</para> + <para>The <filename>/etc/machine-id</filename> file contains the unique machine ID of the local + system that is set during installation. The machine ID is a single newline-terminated, + hexadecimal, 32-character, lowercase ID. When decoded from hexadecimal, this corresponds to a + 16-byte/128-bit value.</para> <para>The machine ID is usually generated from a random source during system installation and stays constant for all subsequent boots. Optionally, for stateless systems, it is generated during runtime at early boot if it is found to be empty.</para> - <para>The machine ID does not change based on user configuration - or when hardware is replaced.</para> + <para>The machine ID does not change based on local or network configuration or when hardware is + replaced. Due to this and its greater length, it is a more useful replacement for the + <citerefentry project='man-pages'><refentrytitle>gethostid</refentrytitle><manvolnum>3</manvolnum></citerefentry> + call that POSIX specifies.</para> <para>This machine ID adheres to the same format and logic as the D-Bus machine ID.</para> - <para>Programs may use this ID to identify the host with a - globally unique ID in the network, which does not change even if - the local network configuration changes. Due to this and its - greater length, it is a more useful replacement for the - <citerefentry project='man-pages'><refentrytitle>gethostid</refentrytitle><manvolnum>3</manvolnum></citerefentry> - call that POSIX specifies.</para> + <para>This ID uniquely identifies the host. 
It should be considered "confidential", and must not + be exposed in untrusted environments, in particular on the network. If a stable unique + identifier that is tied to the machine is needed for some application, the machine ID or any + part of it must not be used directly. Instead the machine ID should be hashed with a + cryptographic, keyed hash function, using a fixed, application-specific key. That way the ID + will be properly unique, and derived in a constant way from the machine ID but there will be no + way to retrieve the original machine ID from the application-specific one.</para> <para>The <citerefentry><refentrytitle>systemd-machine-id-setup</refentrytitle><manvolnum>1</manvolnum></citerefentry> diff --git a/man/systemctl.xml b/man/systemctl.xml index dfa00e0c03..08c3a268bd 100644 --- a/man/systemctl.xml +++ b/man/systemctl.xml @@ -209,6 +209,10 @@ <varname>RequiresMountsFor=</varname>). Both explicitly and implicitly introduced dependencies are shown with <command>list-dependencies</command>.</para> + + <para>When passed to the <command>list-jobs</command> command, for each printed job show which other jobs are + waiting for it. May be combined with <option>--before</option> to show both the jobs waiting for each job as + well as all jobs each job is waiting for.</para> </listitem> </varlistentry> @@ -220,6 +224,10 @@ units that are ordered after the specified unit. In other words, recursively list units following the <varname>Before=</varname> dependency.</para> + + <para>When passed to the <command>list-jobs</command> command, for each printed job show which other jobs it + is waiting for. May be combined with <option>--after</option> to show both the jobs waiting for each job as + well as all jobs each job is waiting for.</para> </listitem> </varlistentry> 
@@ -1388,6 +1396,10 @@ kobject-uevent 1 systemd-udevd-kernel.socket systemd-udevd.service <para>List jobs that are in progress. If one or more <replaceable>PATTERN</replaceable>s are specified, only jobs for units matching one of them are shown.</para> + + <para>When combined with <option>--after</option> or <option>--before</option> the list is augmented with + information on which other job each job is waiting for, and which other jobs are waiting for it, see + above.</para> </listitem> </varlistentry> <varlistentry> diff --git a/man/systemd-gpt-auto-generator.xml b/man/systemd-gpt-auto-generator.xml index d26206710f..3af423b553 100644 --- a/man/systemd-gpt-auto-generator.xml +++ b/man/systemd-gpt-auto-generator.xml @@ -123,6 +123,11 @@ <entry>On 64-bit ARM systems, the first ARM root partition on the disk the EFI ESP is located on is mounted to the root directory <filename>/</filename>.</entry> </row> <row> + <entry>993d8d3d-f80e-4225-855a-9daf8ed7ea97</entry> + <entry><filename>Root Partition (Itanium/IA-64)</filename></entry> + <entry>On Itanium systems, the first Itanium root partition on the disk the EFI ESP is located on is mounted to the root directory <filename>/</filename>.</entry> + </row> + <row> <entry>933ac7e1-2eb4-4f13-b844-0e14e2aef915</entry> <entry>Home Partition</entry> <entry>The first home partition on the disk the root partition is located on is mounted to <filename>/home</filename>.</entry> diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 3b39a9c912..2ea4a53d18 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -952,13 +952,19 @@ assigned to this option, the specific list is reset, and all prior assignments have no effect.</para> <para>Paths in <varname>ReadWritePaths=</varname>, <varname>ReadOnlyPaths=</varname> and - <varname>InaccessiblePaths=</varname> may be prefixed with <literal>-</literal>, in which case they will be ignored - when they do not exist. Note that using this setting will disconnect propagation of mounts from the service to - the host (propagation in the opposite direction continues to work). This means that this setting may not be used - for services which shall be able to install mount points in the main mount namespace. Note that the effect of - these settings may be undone by privileged processes. In order to set up an effective sandboxed environment for - a unit it is thus recommended to combine these settings with either - <varname>CapabilityBoundingSet=~CAP_SYS_ADMIN</varname> or <varname>SystemCallFilter=~@mount</varname>.</para></listitem> + <varname>InaccessiblePaths=</varname> may be prefixed with <literal>-</literal>, in which case they will be + ignored when they do not exist. If prefixed with <literal>+</literal> the paths are taken relative to the root + directory of the unit, as configured with <varname>RootDirectory=</varname>, instead of relative to the root + directory of the host (see above). When combining <literal>-</literal> and <literal>+</literal> on the same + path make sure to specify <literal>-</literal> first, and <literal>+</literal> second.</para> + + <para>Note that using this setting will disconnect propagation of mounts from the service to the host + (propagation in the opposite direction continues to work). This means that this setting may not be used for + services which shall be able to install mount points in the main mount namespace. Note that the effect of these + settings may be undone by privileged processes. 
In order to set up an effective sandboxed environment for a + unit it is thus recommended to combine these settings with either + <varname>CapabilityBoundingSet=~CAP_SYS_ADMIN</varname> or + <varname>SystemCallFilter=~@mount</varname>.</para></listitem> </varlistentry> <varlistentry> @@ -999,7 +1005,11 @@ using <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> of <filename>/dev/zero</filename> instead of using <constant>MAP_ANON</constant>. This setting is implied if <varname>DynamicUser=</varname> is set. For this setting the same restrictions regarding mount propagation and - privileges apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above.</para></listitem> + privileges apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above. + If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> + capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> + is implied. + </para></listitem> </varlistentry> <varlistentry> 
@@ -1090,9 +1100,35 @@ mechanism. Almost no services need to write to these at runtime; it is hence recommended to turn this on for most services. For this setting the same restrictions regarding mount propagation and privileges apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above. Defaults to off. - Note that this option does not prevent kernel tuning through IPC interfaces and external programs. However - <varname>InaccessiblePaths=</varname> can be used to make some IPC file system objects - inaccessible.</para></listitem> + If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> + capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> + is implied. Note that this option does not prevent kernel tuning through IPC interfaces + and external programs. However <varname>InaccessiblePaths=</varname> can be used to + make some IPC file system objects inaccessible.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ProtectKernelModules=</varname></term> + + <listitem><para>Takes a boolean argument. If true, explicit module loading will + be denied. This allows to turn off module load and unload operations on modular + kernels. It is recommended to turn this on for most services that do not need special + file systems or extra kernel modules to work. Default to off. Enabling this option + removes <constant>CAP_SYS_MODULE</constant> from the capability bounding set for + the unit, and installs a system call filter to block module system calls, + also <filename>/usr/lib/modules</filename> is made inaccessible. For this + setting the same restrictions regarding mount propagation and privileges + apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above. 
+ Note that limited automatic module loading due to user configuration or kernel + mapping tables might still happen as side effect of requested user operations, + both privileged and unprivileged. To disable module auto-load feature please see + <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> + <constant>kernel.modules_disabled</constant> mechanism and + <filename>/proc/sys/kernel/modules_disabled</filename> documentation. + If turned on and if running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> + capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> + is implied. + </para></listitem> </varlistentry> <varlistentry> @@ -1237,7 +1273,7 @@ <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its children can never gain new privileges through <function>execve()</function> (e.g. via setuid or setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that a process and its children can never - elevate privileges again. Defaults to false, but in the user manager instance certain settings force + elevate privileges again. Defaults to false, but certain settings force <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting. This is the case when <varname>SystemCallFilter=</varname>, <varname>SystemCallArchitectures=</varname>, <varname>RestrictAddressFamilies=</varname>, <varname>RestrictNamespaces=</varname>, 
@@ -1482,27 +1518,11 @@ <citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking the specified flags parameters into account. Note that — if this option is used — in addition to restricting creation and switching of the specified types of namespaces (or all of them, if true) access to the - <function>setns()</function> system call with a zero flags parameter is prohibited.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>ProtectKernelModules=</varname></term> - - <listitem><para>Takes a boolean argument. If true, explicit module loading will - be denied. This allows to turn off module load and unload operations on modular - kernels. It is recommended to turn this on for most services that do not need special - file systems or extra kernel modules to work. Default to off. Enabling this option - removes <constant>CAP_SYS_MODULE</constant> from the capability bounding set for - the unit, and installs a system call filter to block module system calls, - also <filename>/usr/lib/modules</filename> is made inaccessible. For this - setting the same restrictions regarding mount propagation and privileges - apply as for <varname>ReadOnlyPaths=</varname> and related calls, see above. - Note that limited automatic module loading due to user configuration or kernel - mapping tables might still happen as side effect of requested user operations, - both privileged and unprivileged. To disable module auto-load feature please see - <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> - <constant>kernel.modules_disabled</constant> mechanism and - <filename>/proc/sys/kernel/modules_disabled</filename> documentation.</para></listitem> + <function>setns()</function> system call with a zero flags parameter is prohibited. + If running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> + capability (e.g. 
setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> + is implied. + </para></listitem> </varlistentry> <varlistentry> @@ -1563,6 +1583,9 @@ that generate program code dynamically at runtime, such as JIT execution engines, or programs compiled making use of the code "trampoline" feature of various C compilers. This option improves service security, as it makes harder for software exploits to change running code dynamically. + If running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> + capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> + is implied. </para></listitem> </varlistentry> @@ -1573,7 +1596,10 @@ the unit are refused. This restricts access to realtime task scheduling policies such as <constant>SCHED_FIFO</constant>, <constant>SCHED_RR</constant> or <constant>SCHED_DEADLINE</constant>. See <citerefentry project='man-pages'><refentrytitle>sched</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details about - these scheduling policies. Realtime scheduling policies may be used to monopolize CPU time for longer periods + these scheduling policies. If running in user mode, or in system mode, but + without the <constant>CAP_SYS_ADMIN</constant> capability + (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> + is implied. Realtime scheduling policies may be used to monopolize CPU time for longer periods of time, and may hence be used to lock up or otherwise trigger Denial-of-Service situations on the system. It is hence recommended to restrict access to realtime scheduling to the few programs that actually require them. Defaults to off.</para></listitem> diff --git a/man/systemd.link.xml b/man/systemd.link.xml index 8edbe758d9..023e24eeb3 100644 --- a/man/systemd.link.xml +++ b/man/systemd.link.xml 
@@ -359,6 +359,20 @@ </listitem> </varlistentry> <varlistentry> + <term><varname>AutoNegotiation=</varname></term> + <listitem> + <para>Enables or disables automatic negotiation of transmission parameters. + Autonegotiation is a procedure by which two connected ethernet devices choose + common transmission parameters, such as speed, duplex mode, and flow control. + Takes a boolean value. Unset by default, which means that the kernel default + will be used.</para> + + <para>Note that if autonegotiation is enabled, speed and duplex settings are + read-only. If autonegotation is disabled, speed and duplex settings are writable + if the driver supports multiple link modes.</para> + </listitem> + </varlistentry> + <varlistentry> <term><varname>WakeOnLan=</varname></term> <listitem> <para>The Wake-on-LAN policy to set for the device. The diff --git a/man/systemd.mount.xml b/man/systemd.mount.xml index b0f156f6df..68ff6f8f1c 100644 --- a/man/systemd.mount.xml +++ b/man/systemd.mount.xml @@ -241,6 +241,25 @@ </varlistentry> <varlistentry> + <term><option>x-systemd.mount-timeout=</option></term> + + <listitem><para>Configure how long systemd should wait for the + mount command to finish before giving up on an entry from + <filename>/etc/fstab</filename>. Specify a time in seconds or + explicitly append a unit such as <literal>s</literal>, + <literal>min</literal>, <literal>h</literal>, + <literal>ms</literal>.</para> + + <para>Note that this option can only be used in + <filename>/etc/fstab</filename>, and will be + ignored when part of the <varname>Options=</varname> + setting in a unit file.</para> + + <para>See <varname>TimeoutSec=</varname> below for + details.</para> + </listitem> + </varlistentry> + <varlistentry> <term><option>noauto</option></term> <term><option>auto</option></term> diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 2fb4907634..99283813fd 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml 
@@ -984,6 +984,13 @@ </para> </listitem> </varlistentry> + + <varlistentry> + <term><varname>ListenPort=</varname></term> + <listitem> + <para>Allow setting custom port for the DHCP client to listen on.</para> + </listitem> + </varlistentry> </variablelist> </refsect1> diff --git a/man/systemd.service.xml b/man/systemd.service.xml index 5c65957bda..3ba6ab34db 100644 --- a/man/systemd.service.xml +++ b/man/systemd.service.xml @@ -663,6 +663,12 @@ or signal is specified in <varname>RestartForceExitStatus=</varname> (see below).</para> + <para>Note that service restart is subject to unit start rate + limiting configured with <varname>StartLimitIntervalSec=</varname> + and <varname>StartLimitBurst=</varname>, see + <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> + for details.</para> + <para>Setting this to <option>on-failure</option> is the recommended choice for long-running services, in order to increase reliability by attempting automatic recovery from |
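
Review bot: in man/machine-id.xml (hunk @@ -53,30 +53,31), the new last paragraph requires hashing "with a cryptographic, keyed hash function, using a fixed, application-specific key" but names no construction, key size or output length, so a reader can follow it and still ship a truncated or unkeyed digest. Suggest naming one acceptable construction (for example HMAC-SHA256 keyed with a random 128-bit application ID) and saying that each application needs its own key so that derived IDs cannot be correlated between applications. The same hunk still calls the machine ID "a more useful replacement for" gethostid(3) two paragraphs before stating that it "must not be used directly"; one of the two needs a qualifier. The quotes around "confidential" weaken the requirement and can be dropped.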
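
Review bot: in man/systemctl.xml (hunk @@ -1388,6 +1396,10), the added list-jobs paragraph ends with "see above", but the text it points at is in the option descriptions touched by the @@ -209 and @@ -220 hunks, far from this spot in the rendered page. Suggest replacing "see above" with an explicit reference to the descriptions of --after and --before.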
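
Review bot: in man/systemd-gpt-auto-generator.xml (hunk @@ -123,6 +123,11), the new row marks the partition name up as a file name, <entry><filename>Root Partition (Itanium/IA-64)</filename></entry>, while the Home Partition row in the trailing context uses a plain <entry>Home Partition</entry>. A partition type name is not a path; suggest plain text here, and fixing the neighbouring root partition rows in the same pass if they carry the same markup.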
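
Review bot: in man/systemd.exec.xml (hunk @@ -952,13 +952,19), the sentence "make sure to specify - first, and + second" gives the required order but not what happens when it is reversed. For a sandboxing option that matters: if a reversed prefix is taken as part of the path and then skipped, the path is left unprotected without any error. Suggest stating the behaviour for the wrong order and adding a one-line example of the combined form, such as InaccessiblePaths=-+/some/path.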
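
Review bot: in man/systemd.exec.xml (hunk @@ -999,7 +1005,11), the added sentence ending "NoNewPrivileges=yes is implied" is the first of six near-verbatim copies in this patch, and none of them states the practical consequence. With User= set, turning the option on means setuid/setgid binaries and file capabilities stop granting privileges to the service, as the NoNewPrivileges= entry describes. Suggest documenting the condition once under NoNewPrivileges= and replacing the copies with a short cross-reference that mentions this side effect.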
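
Review bot: in man/systemd.exec.xml (hunk @@ -1090,9 +1100,35), the ProtectKernelModules= entry is moved with its wording problems intact: "This allows to turn off", "Default to off" (the entry just above it in this hunk says "Defaults to off"), and the run-on ", also /usr/lib/modules is made inaccessible". Since every line of the entry is being re-added anyway, suggest fixing these in the same change. The entry also never states that kernel.modules_disabled is system-wide rather than per-unit, which a reader comparing the two mechanisms needs to know.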
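
Review bot: in man/systemd.exec.xml (hunk @@ -1237,7 +1273,7), removing "in the user manager instance" makes the NoNewPrivileges= entry read as if the listed settings always force NoNewPrivileges=yes, while the sentences this patch adds to the individual options limit it to "running in user mode, or in system mode, but without the CAP_SYS_ADMIN capability". Suggest carrying that condition into this sentence, and confirming that the list that follows names every option that gained the new sentence; the visible context stops at RestrictNamespaces=.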
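
Review bot: in man/systemd.exec.xml (hunk @@ -1573,7 +1596,10), the NoNewPrivileges sentence is inserted between "for details about these scheduling policies." and "Realtime scheduling policies may be used to monopolize CPU time", which splits the explanation of why the option exists. Suggest moving it to the end of the paragraph, after "Defaults to off.", which matches where the other hunks in this file place it.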
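
Review bot: in man/systemd.link.xml (hunk @@ -359,6 +359,20), the second paragraph of the new AutoNegotiation= entry misspells the term in "If autonegotation is disabled", and the first paragraph has lowercase "ethernet devices". Suggest "autonegotiation" and "Ethernet". It would also help to name the settings meant by "speed and duplex settings", so the reader knows which options are ignored while autonegotiation is enabled.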
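
Review bot: in man/systemd.mount.xml (hunk @@ -241,6 +241,25), the new x-systemd.mount-timeout= entry says the option "will be ignored when part of the Options= setting in a unit file" but does not tell the reader what to use instead; "See TimeoutSec= below for details" only hints at it. Suggest stating outright that TimeoutSec= is the unit-file equivalent, and saying whether the ignored option is logged, since a silently dropped timeout is hard to notice.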
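
Review bot: in man/systemd.network.xml (hunk @@ -984,6 +984,13), the ListenPort= entry reads "Allow setting custom port for the DHCP client to listen on.", which describes the feature rather than the setting and omits the value type and the behaviour when unset. Suggest the form used elsewhere in these pages: what the setting takes (a port number), what it does, and what applies when it is not set.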