authorAndré Fabian Silva Delgado2017-01-17 01:08:01 -0300
committerAndré Fabian Silva Delgado2017-01-17 01:08:01 -0300
commitc0968e5bfdb65adf2a342be11294d4bad9028bf3 (patch)
treeea9788468b187aa511be69274d7aa06e66e9cb3b
parent1626da3617c9d1cbc79ac3c8646594acf3d4d91d (diff)
downloadaur-c0968e5bfdb65adf2a342be11294d4bad9028bf3.tar.gz
Update to 232-1
-rw-r--r--.SRCINFO79
-rw-r--r--0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch62
-rw-r--r--0001-disable-RestrictAddressFamilies-on-i686.patch30
-rw-r--r--0001-nspawn-don-t-hide-bind-tmp-mounts.patch26
-rw-r--r--0006-FSDG-man-Use-FSDG-operating-systems-as-examples.patch28
-rw-r--r--PKGBUILD107
-rw-r--r--initcpio-install-systemd10
-rw-r--r--systemd-sysusers.hook11
-rw-r--r--systemd-tmpfiles.hook11
-rw-r--r--systemd-user.pam5
-rw-r--r--systemd.install12
11 files changed, 297 insertions, 84 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 8de863194b54..7f5a4188cd03 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,9 +1,9 @@
# Generated by mksrcinfo v8
-# Sat Sep 24 11:29:13 UTC 2016
+# Tue Jan 17 04:07:23 UTC 2017
pkgbase = systemd-knock
- pkgver = 231
+ pkgver = 232
pkgrel = 1
- url = http://www.freedesktop.org/wiki/Software/systemd
+ url = https://www.github.com/systemd/systemd
arch = i686
arch = x86_64
arch = armv7h
@@ -30,8 +30,7 @@ pkgbase = systemd-knock
makedepends = shadow
makedepends = git
options = strip
- options = debug
- source = git://github.com/systemd/systemd.git#tag=v231
+ source = git://github.com/systemd/systemd.git#tag=v232
source = https://repo.parabola.nu/other/knock/patches/systemd/0001-adds-TCP-Stealth-support-to-systemd-231.patch
source = https://repo.parabola.nu/other/knock/patches/systemd/0001-adds-TCP-Stealth-support-to-systemd-231.patch.sig
source = https://repo.parabola.nu/other/systemd/splash-parabola.bmp
@@ -41,7 +40,13 @@ pkgbase = systemd-knock
source = initcpio-install-udev
source = parabola.conf
source = loader.conf
+ source = systemd-user.pam
+ source = systemd-sysusers.hook
+ source = systemd-tmpfiles.hook
source = udev-hwdb.hook
+ source = 0001-disable-RestrictAddressFamilies-on-i686.patch
+ source = 0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch
+ source = 0001-nspawn-don-t-hide-bind-tmp-mounts.patch
source = 0001-FSDG-man-Refer-to-the-operating-system-as-GNU-Linux.patch
source = 0002-FSDG-os-release-Default-to-PRETTY_NAME-GNU-Linux-ins.patch
source = 0003-FSDG-os-release-Default-to-NAME-GNU-Linux-instead-of.patch
@@ -50,25 +55,31 @@ pkgbase = systemd-knock
source = 0006-FSDG-man-Use-FSDG-operating-systems-as-examples.patch
source = https://repo.parabola.nu/other/systemd/splash-parabola.bmp
source = https://repo.parabola.nu/other/systemd/splash-parabola.bmp.sig
- md5sums = SKIP
- md5sums = 62b46565502f4e6e696fa0a8708fea34
- md5sums = SKIP
- md5sums = f8253cd3c0f249591338fbb4c223d249
- md5sums = SKIP
- md5sums = 90ea67a7bb237502094914622a39e281
- md5sums = bee7fd6ccda39582259708e3f262ea6d
- md5sums = 1b3aa3a0551b08af9305d33f85b5c2fc
- md5sums = 36ee74767ac8734dede1cbd0f4f275d7
- md5sums = 9b9f4a58e4c4009bf5290c5b297600c3
- md5sums = a475a5ed8f03fb0f6b58b4684998d05c
- md5sums = 92a4bb5e527e1e956743c1ffa622adc7
- md5sums = 397e2262bf96df3bc1762a3b0bef2f75
- md5sums = e592f6778c12627d46982ddfe0698361
- md5sums = c4c559f9916806f5162ccff3e7c433e8
- md5sums = 5166fe700ef5991c2da3876206c699fb
- md5sums = 166ce41b60d4eaa7738486f7aab5ebd8
- md5sums = f8253cd3c0f249591338fbb4c223d249
- md5sums = SKIP
+ sha512sums = SKIP
+ sha512sums = 67a41a4aa49cc038b3e0d8a53d745de2713e19bd23ae273f6c9f665b6400a3b84ac08a3e38e0515b1b16f45c51367fe4510f0574356a3ecfe5234d464848dc58
+ sha512sums = SKIP
+ sha512sums = a50bc85061a9a16d776235099867bc1a17c17dddb74c1ecf5614c849735a9779c5e34e5ddca8ca6af4b59a40f57c08ecf219b98cab09476ddb0f110e6a35e45c
+ sha512sums = SKIP
+ sha512sums = f0d933e8c6064ed830dec54049b0a01e27be87203208f6ae982f10fb4eddc7258cb2919d594cbfb9a33e74c3510cfd682f3416ba8e804387ab87d1a217eb4b73
+ sha512sums = 52af734947a768758d5eb3f18e31a1cfec6699eca6fa10e40b90c7f11991509186c0a696e3490af3eaba80064ea4cb93e041579abf05addf072d294300aa4b28
+ sha512sums = fec639de0d99967ed3e67289eff5ff78fff0c5829d350e73bed536a8391f1daa1d118d72dbdc1f480ffd33fc22b72f4817d0973bd09ec7f182fd26ad87b24355
+ sha512sums = 70b3f1d6aaa9cd4b6b34055a587554770c34194100b17b2ef3aaf4f16f68da0865f6b3ae443b3252d395e80efabd412b763259ffb76c902b60e23b6b522e3cc8
+ sha512sums = 6c6f579644ea2ebb6b46ee274ab15110718b0de40def8c30173ba8480b045d403f2aedd15b50ad9b96453f4ad56920d1350ff76563755bb9a80b10fa7f64f1d9
+ sha512sums = b90c99d768dc2a4f020ba854edf45ccf1b86a09d2f66e475de21fe589ff7e32c33ef4aa0876d7f1864491488fd7edb2682fc0d68e83a6d4890a0778dc2d6fe19
+ sha512sums = 9d27d97f172a503f5b7044480a0b9ccc0c4ed5dbb2eb3b2b1aa929332c3bcfe38ef0c0310b6566f23b34f9c05b77035221164a7ab7677784c4a54664f12fca22
+ sha512sums = 0f4efddd25256e09c42b953caeee4b93eb49ecc6eaebf02e616b4dcbfdac9860c3d8a3d1a106325b2ebc4dbc6e08ac46702abcb67a06737227ccb052aaa2a067
+ sha512sums = 888ab01bc6e09beb08d7126472c34c9e1aa35ea34e62a09e900ae34c93b1de2fcc988586efd8d0dc962393974f45c77b206d59a86cf53e370f061bf9a1b1a862
+ sha512sums = 89f9b2d3918c679ce4f76c2b10dc7fcb7e04f1925a5f92542f06891de2a123a91df7eb67fd4ce71506a8132f5440b3560b7bb667e1c1813944b115c1dfe35e3f
+ sha512sums = b993a42c5534582631f7b379d54f6abc37e3aaa56ecf869a6d86ff14ae5a52628f4e447b6a30751bc1c14c30cec63a5c6d0aa268362d235ed477b639cac3a219
+ sha512sums = 68478403433aafc91a03fda5d83813d2ed1dfc6ab7416b2927a803314ecf826edcb6c659587e74df65de3ccb1edf958522f56ff9ac461a1f696b6dede1d4dd35
+ sha512sums = 50888d94636427ca97bfa5355226163fb6458f2a60303967cf74a8fd085f3c450d276b7c556fea93da387c6bb6f5ecbdb6d9b2a571b6723f27a41c8fb612d27b
+ sha512sums = fc8b874279db428a342387147ef6a849c0621eb0326ad5c4eb12c2ceb98b46477ed1e07c076a8b0abae6b323d4d7f4c70d45998c3338fb89903f51b3f653458b
+ sha512sums = fd928f5d10a5f95bdbab7720b465cbea8b47cf1a376e1ba292c4759d3f1473c80bd4444729dc5b6f6d884e342db7d07a5dad093d345ccccf2c5fb22dfcdacbd8
+ sha512sums = 723db0e4980727594c88d2fc92ffde10cf7c5cd05fbd88a31dadb813a3c839c3a92b3e5789f936de356b9f5e2d43d67e95fd02627be53ffa46b3d86dfabc4e5b
+ sha512sums = 77161e2f57237ca589d576924ec0877f379047c6fd90ca47cb6686e4f22cc9e2171ae4306bd5a9fd8e707e297b826e0f7df52dcdcb04e99df7ebd0eb45ac89eb
+ sha512sums = caa5eb7e52b83549bc7d00e343bbb204334b49f2d14005ac1fb592c6f17c6c860edafd88abe619fe54cb0086725385c1f48fd437670a31a08abdac8485ed2073
+ sha512sums = a50bc85061a9a16d776235099867bc1a17c17dddb74c1ecf5614c849735a9779c5e34e5ddca8ca6af4b59a40f57c08ecf219b98cab09476ddb0f110e6a35e45c
+ sha512sums = SKIP
makedepends_i686 = gnu-efi-libs
makedepends_x86_64 = gnu-efi-libs
@@ -99,9 +110,9 @@ pkgname = systemd-knock
optdepends = quota-tools: kernel-level quota management
optdepends = systemd-knock-sysvcompat: symlink package to provide sysvinit binaries
optdepends = polkit: allow administration as unprivileged user
- provides = systemd-tools=231
- provides = udev=231
- provides = systemd=231
+ provides = systemd-tools=232
+ provides = udev=232
+ provides = systemd=232
conflicts = systemd-tools
conflicts = udev
conflicts = systemd
@@ -127,14 +138,14 @@ pkgname = libsystemd-knock
depends = nss-knock-myhostname
depends = nss-knock-mymachines
depends = nss-knock-resolve
- provides = libsystemd=231
+ provides = libsystemd=232
conflicts = libsystemd
pkgname = systemd-knock-sysvcompat
pkgdesc = sysvinit compat for systemd-knock
license = GPL2
depends = systemd-knock
- provides = systemd-sysvcompat=231
+ provides = systemd-sysvcompat=232
conflicts = sysvinit
conflicts = systemd-sysvcompat
@@ -147,7 +158,7 @@ pkgname = libsystemd-knock-standalone
depends = lz4
depends = xz
provides = libsystemd.so
- provides = libsystemd-standalone=231
+ provides = libsystemd-standalone=232
conflicts = libsystemd-standalone
pkgname = libudev-knock
@@ -156,7 +167,7 @@ pkgname = libudev-knock
depends = glibc
depends = libcap
provides = libudev.so
- provides = libudev=231
+ provides = libudev=232
conflicts = libudev
pkgname = nss-knock-myhostname
@@ -164,7 +175,7 @@ pkgname = nss-knock-myhostname
license = GPL2
depends = glibc
depends = libcap
- provides = nss-myhostname=231
+ provides = nss-myhostname=232
conflicts = nss-myhostname
pkgname = nss-knock-mymachines
@@ -172,7 +183,7 @@ pkgname = nss-knock-mymachines
license = GPL2
depends = glibc
depends = libcap
- provides = nss-mymachines=231
+ provides = nss-mymachines=232
conflicts = nss-mymachines
pkgname = nss-knock-resolve
@@ -180,6 +191,6 @@ pkgname = nss-knock-resolve
license = GPL2
depends = glibc
depends = libcap
- provides = nss-resolve=231
+ provides = nss-resolve=232
conflicts = nss-resolve
diff --git a/0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch b/0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch
new file mode 100644
index 000000000000..5d47d01a463c
--- /dev/null
+++ b/0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch
@@ -0,0 +1,62 @@
+From 481712d9ee88395042f0640f272c1f87142bc0a8 Mon Sep 17 00:00:00 2001
+From: Dave Reisner <dreisner@archlinux.org>
+Date: Wed, 9 Nov 2016 11:14:03 -0500
+Subject: [PATCH] Revert "nspawn: try to bind mount resolved's resolv.conf
+ snippet into the container"
+
+This reverts commit 3539724c26a1b2b00c4eb3c004b635a4b8647de6.
+---
+ src/nspawn/nspawn.c | 27 ++++++++-------------------
+ 1 file changed, 8 insertions(+), 19 deletions(-)
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index c8b18bc..93df7c6 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -1309,35 +1309,24 @@ static int setup_resolv_conf(const char *dest) {
+ /* Fix resolv.conf, if possible */
+ where = prefix_roota(dest, "/etc/resolv.conf");
+
+- if (access("/usr/lib/systemd/resolv.conf", F_OK) >= 0) {
+- /* resolved is enabled on the host. In this, case bind mount its static resolv.conf file into the
+- * container, so that the container can use the host's resolver. Given that network namespacing is
+- * disabled it's only natural of the container also uses the host's resolver. It also has the big
+- * advantage that the container will be able to follow the host's DNS server configuration changes
+- * transparently. */
+-
+- r = mount_verbose(LOG_WARNING, "/usr/lib/systemd/resolv.conf", where, NULL, MS_BIND, NULL);
+- if (r >= 0)
+- return mount_verbose(LOG_ERR, NULL, where, NULL,
+- MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV, NULL);
+- }
+-
+- /* If that didn't work, let's copy the file */
+ r = copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW, 0644, 0);
+ if (r < 0) {
+- /* If the file already exists as symlink, let's suppress the warning, under the assumption that
+- * resolved or something similar runs inside and the symlink points there.
++ /* If the file already exists as symlink, let's
++ * suppress the warning, under the assumption that
++ * resolved or something similar runs inside and the
++ * symlink points there.
+ *
+- * If the disk image is read-only, there's also no point in complaining.
++ * If the disk image is read-only, there's also no
++ * point in complaining.
+ */
+ log_full_errno(IN_SET(r, -ELOOP, -EROFS) ? LOG_DEBUG : LOG_WARNING, r,
+- "Failed to copy /etc/resolv.conf to %s, ignoring: %m", where);
++ "Failed to copy /etc/resolv.conf to %s: %m", where);
+ return 0;
+ }
+
+ r = userns_lchown(where, 0, 0);
+ if (r < 0)
+- log_warning_errno(r, "Failed to chown /etc/resolv.conf, ignoring: %m");
++ log_warning_errno(r, "Failed to chown /etc/resolv.conf: %m");
+
+ return 0;
+ }
+--
+2.10.2
+
diff --git a/0001-disable-RestrictAddressFamilies-on-i686.patch b/0001-disable-RestrictAddressFamilies-on-i686.patch
new file mode 100644
index 000000000000..27e6f4fb0819
--- /dev/null
+++ b/0001-disable-RestrictAddressFamilies-on-i686.patch
@@ -0,0 +1,30 @@
+From ff59e06f9423af0532aaeedf931474823f764875 Mon Sep 17 00:00:00 2001
+From: Dave Reisner <dreisner@archlinux.org>
+Date: Wed, 9 Nov 2016 08:00:26 -0500
+Subject: [PATCH] disable RestrictAddressFamilies on i686
+
+Shit's broke, yo.
+
+https://github.com/systemd/systemd/issues/4575
+---
+ src/core/execute.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index f666f7c..7d09154 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -1254,6 +1254,10 @@ static int apply_address_families(const Unit* u, const ExecContext *c) {
+ Iterator i;
+ int r;
+
++#if defined(__i386__)
++ return 0;
++#endif
++
+ assert(c);
+
+ if (skip_seccomp_unavailable(u, "RestrictAddressFamilies="))
+--
+2.10.2
+
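Review bot: The added `return 0;` under `#if defined(__i386__)` makes apply_address_families() report success without installing any filter and without logging anything. On i686 a unit that sets RestrictAddressFamilies= therefore runs with no address-family restriction, and nothing in the journal says so. The early return also sits ahead of `assert(c);` and leaves the rest of the function unreachable on that architecture. I would log before returning, for example `log_unit_debug(u, "RestrictAddressFamilies= is not applied on i386 in this build, ignoring.");`, and state the limitation in the package notes so administrators do not rely on the directive there. The function body continues outside the hunk.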
diff --git a/0001-nspawn-don-t-hide-bind-tmp-mounts.patch b/0001-nspawn-don-t-hide-bind-tmp-mounts.patch
new file mode 100644
index 000000000000..a5336ece5730
--- /dev/null
+++ b/0001-nspawn-don-t-hide-bind-tmp-mounts.patch
@@ -0,0 +1,26 @@
+From 7ec42a45410cb27140292d85ebb0e4b6dcea5555 Mon Sep 17 00:00:00 2001
+From: Dave Reisner <dreisner@archlinux.org>
+Date: Wed, 7 Dec 2016 13:45:48 -0500
+Subject: [PATCH] nspawn: don't hide --bind=/tmp/* mounts
+
+This is a v232-applicable version of upstream c9fd987279a462e.
+---
+ src/nspawn/nspawn-mount.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
+index 115de64..2dabe2a 100644
+--- a/src/nspawn/nspawn-mount.c
++++ b/src/nspawn/nspawn-mount.c
+@@ -382,7 +382,7 @@ int mount_all(const char *dest,
+ { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true, false, false },
+ { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, false, false },
+ { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, false, false },
+- { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME, true, true, false },
++ { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME, true, false, false },
+ #ifdef HAVE_SELINUX
+ { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false, false, false }, /* Bind mount first */
+ { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, false, false, false }, /* Then, make it r/o */
+--
+2.10.2
+
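Review bot: The rewritten `/tmp` row still mounts the container's tmpfs with only `MS_STRICTATIME`, while the `/dev/shm` and `/run` rows directly above it carry `MS_NOSUID|MS_NODEV`. Whether that difference is deliberate cannot be told from this hunk, so it is worth confirming against upstream before carrying the row downstream. The value being flipped is also an unnamed positional boolean, and the patch description only points at upstream c9fd987279a462e. A one-line statement in the description of what that field controls would let a reviewer check the change without opening nspawn-mount.c. The table and mount_all() extend beyond the hunk.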
diff --git a/0006-FSDG-man-Use-FSDG-operating-systems-as-examples.patch b/0006-FSDG-man-Use-FSDG-operating-systems-as-examples.patch
index 82d60ec94052..9a8ce15eab3f 100644
--- a/0006-FSDG-man-Use-FSDG-operating-systems-as-examples.patch
+++ b/0006-FSDG-man-Use-FSDG-operating-systems-as-examples.patch
@@ -9,7 +9,7 @@ Subject: [PATCH 6/6] FSDG: man/: Use FSDG operating systems as examples.
2 files changed, 38 insertions(+), 48 deletions(-)
diff --git a/man/os-release.xml b/man/os-release.xml
-index 79eb402..a70ba1a 100644
+index caf60f4..2811f43 100644
--- a/man/os-release.xml
+++ b/man/os-release.xml
@@ -122,7 +122,7 @@
@@ -55,7 +55,7 @@ index 79eb402..a70ba1a 100644
assignment of <literal>ID_LIKE=debian</literal> is
appropriate.</para></listitem>
</varlistentry>
-@@ -183,8 +183,8 @@
+@@ -199,8 +199,8 @@
identifying the operating system version, excluding any OS
name information or release code name, and suitable for
processing by scripts or usage in generated filenames. This
@@ -66,7 +66,7 @@ index 79eb402..a70ba1a 100644
</varlistentry>
<varlistentry>
-@@ -195,8 +195,8 @@
+@@ -211,8 +211,8 @@
a release code name or OS version of some kind, as suitable.
If not set, defaults to
<literal>PRETTY_NAME="GNU/Linux"</literal>. Example:
@@ -77,7 +77,7 @@ index 79eb402..a70ba1a 100644
</varlistentry>
<varlistentry>
-@@ -219,7 +219,7 @@
+@@ -235,7 +235,7 @@
<ulink url="http://scap.nist.gov/specifications/cpe/">Common
Platform Enumeration Specification</ulink> as proposed by the
NIST. This field is optional. Example:
@@ -86,7 +86,7 @@ index 79eb402..a70ba1a 100644
</para></listitem>
</varlistentry>
-@@ -254,8 +254,8 @@
+@@ -270,8 +270,8 @@
one URL shall be listed in each setting. If multiple resources
need to be referenced, it is recommended to provide an online
landing page linking all available resources. Examples:
@@ -97,7 +97,7 @@ index 79eb402..a70ba1a 100644
</varlistentry>
<varlistentry>
-@@ -330,21 +330,22 @@
+@@ -346,21 +346,22 @@
recommended to prefix new fields with an OS specific
name in order to avoid name clashes. Applications
reading this file must ignore unknown fields. Example:
@@ -131,18 +131,18 @@ index 79eb402..a70ba1a 100644
<refsect1>
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
-index 86cdb4e..bd7392c 100644
+index cd0a90d..ab35580 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
-@@ -912,46 +912,35 @@
+@@ -1004,46 +1004,35 @@
<title>Examples</title>
<example>
- <title>Download a Fedora image and start a shell in it</title>
+ <title>Build and boot a minimal BLAG distribution in a container</title>
-- <programlisting># machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz
--# systemd-nspawn -M Fedora-Cloud-Base-20141203-21</programlisting>
+- <programlisting># machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/24/CloudImages/x86_64/images/Fedora-Cloud-Base-24-1.2.x86_64.raw.xz
+-# systemd-nspawn -M Fedora-Cloud-Base-24-1.2.x86_64.raw</programlisting>
-
- <para>This downloads an image using
- <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
@@ -164,11 +164,11 @@ index 86cdb4e..bd7392c 100644
<example>
- <title>Spawn a shell in a container of a minimal Debian unstable distribution</title>
-+ <title>Spawn a shell in a container of a minimal gNewSense unstable distribution</title>
++ <title>Spawn a shell in a container of a minimal gNewSense Ucclia distribution</title>
- <programlisting># debootstrap --arch=amd64 unstable ~/debian-tree/
-# systemd-nspawn -D ~/debian-tree/</programlisting>
-+ <programlisting># debootstrap --arch=amd64 unstable ~/gnewsense-tree/
++ <programlisting># debootstrap --arch=amd64 ucclia ~/gnewsense-tree/
+# systemd-nspawn -D ~/gnewsense-tree/</programlisting>
- <para>This installs a minimal Debian unstable distribution into
@@ -180,7 +180,7 @@ index 86cdb4e..bd7392c 100644
<example>
- <title>Boot a minimal Arch Linux distribution in a container</title>
-+ <title>Boot a minimal Parabola GNU/Linux-libre distribution in a container</title>
++ <title>Boot a minimal Parabola distribution in a container</title>
- <programlisting># pacstrap -c -d ~/arch-tree/ base
-# systemd-nspawn -bD ~/arch-tree/</programlisting>
@@ -189,7 +189,7 @@ index 86cdb4e..bd7392c 100644
- <para>This installs a minimal Arch Linux distribution into the
- directory <filename>~/arch-tree/</filename> and then boots an OS
-+ <para>This installs a minimal Parabola GNU/Linux-libre distribution into the
++ <para>This installs a minimal Parabola distribution into the
+ directory <filename>~/parabola-tree/</filename> and then boots an OS
in a namespace container in it.</para>
</example>
diff --git a/PKGBUILD b/PKGBUILD
index 2649ecb40e3a..590ff3bfbd15 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -8,17 +8,17 @@ _pkgbase=systemd
pkgbase=systemd-knock
pkgname=('systemd-knock' 'libsystemd-knock' 'systemd-knock-sysvcompat'
'libsystemd-knock-standalone' 'libudev-knock' 'nss-knock-myhostname' 'nss-knock-mymachines' 'nss-knock-resolve')
-pkgver=231
+pkgver=232
pkgrel=1
arch=('i686' 'x86_64' 'armv7h')
-url="http://www.freedesktop.org/wiki/Software/systemd"
+url="https://www.github.com/systemd/systemd"
makedepends=('acl' 'cryptsetup' 'docbook-xsl' 'gperf' 'lz4' 'xz' 'pam' 'libelf'
'intltool' 'iptables' 'kmod' 'libcap' 'libidn' 'libgcrypt'
'libmicrohttpd' 'libxslt' 'util-linux' 'linux-libre-api-headers'
'python-lxml' 'quota-tools' 'shadow' 'git')
makedepends_i686=('gnu-efi-libs')
makedepends_x86_64=('gnu-efi-libs')
-options=('strip' 'debug')
+options=('strip')
source=("git://github.com/systemd/systemd.git#tag=v$pkgver"
#'0001-adds-TCP-Stealth-support-to-systemd.patch::https://gnunet.org/sites/default/files/systemd-knock-patch.diff'
"https://repo.parabola.nu/other/knock/patches/systemd/0001-adds-TCP-Stealth-support-to-systemd-231.patch"{,.sig}
@@ -28,7 +28,13 @@ source=("git://github.com/systemd/systemd.git#tag=v$pkgver"
'initcpio-install-udev'
'parabola.conf'
'loader.conf'
+ 'systemd-user.pam'
+ 'systemd-sysusers.hook'
+ 'systemd-tmpfiles.hook'
'udev-hwdb.hook'
+ '0001-disable-RestrictAddressFamilies-on-i686.patch'
+ '0001-Revert-nspawn-try-to-bind-mount-resolved-s-resolv.co.patch'
+ '0001-nspawn-don-t-hide-bind-tmp-mounts.patch'
'0001-FSDG-man-Refer-to-the-operating-system-as-GNU-Linux.patch'
'0002-FSDG-os-release-Default-to-PRETTY_NAME-GNU-Linux-ins.patch'
'0003-FSDG-os-release-Default-to-NAME-GNU-Linux-instead-of.patch'
@@ -36,41 +42,84 @@ source=("git://github.com/systemd/systemd.git#tag=v$pkgver"
'0005-FSDG-systemd-resolved-Default-to-hostname-gnu-linux-.patch'
'0006-FSDG-man-Use-FSDG-operating-systems-as-examples.patch'
"https://repo.parabola.nu/other/systemd/splash-parabola.bmp"{,.sig})
-md5sums=('SKIP'
- '62b46565502f4e6e696fa0a8708fea34'
- 'SKIP'
- 'f8253cd3c0f249591338fbb4c223d249'
- 'SKIP'
- '90ea67a7bb237502094914622a39e281'
- 'bee7fd6ccda39582259708e3f262ea6d'
- '1b3aa3a0551b08af9305d33f85b5c2fc'
- '36ee74767ac8734dede1cbd0f4f275d7'
- '9b9f4a58e4c4009bf5290c5b297600c3'
- 'a475a5ed8f03fb0f6b58b4684998d05c'
- '92a4bb5e527e1e956743c1ffa622adc7'
- '397e2262bf96df3bc1762a3b0bef2f75'
- 'e592f6778c12627d46982ddfe0698361'
- 'c4c559f9916806f5162ccff3e7c433e8'
- '5166fe700ef5991c2da3876206c699fb'
- '166ce41b60d4eaa7738486f7aab5ebd8'
- 'f8253cd3c0f249591338fbb4c223d249'
- 'SKIP')
+sha512sums=('SKIP'
+ '67a41a4aa49cc038b3e0d8a53d745de2713e19bd23ae273f6c9f665b6400a3b84ac08a3e38e0515b1b16f45c51367fe4510f0574356a3ecfe5234d464848dc58'
+ 'SKIP'
+ 'a50bc85061a9a16d776235099867bc1a17c17dddb74c1ecf5614c849735a9779c5e34e5ddca8ca6af4b59a40f57c08ecf219b98cab09476ddb0f110e6a35e45c'
+ 'SKIP'
+ 'f0d933e8c6064ed830dec54049b0a01e27be87203208f6ae982f10fb4eddc7258cb2919d594cbfb9a33e74c3510cfd682f3416ba8e804387ab87d1a217eb4b73'
+ '52af734947a768758d5eb3f18e31a1cfec6699eca6fa10e40b90c7f11991509186c0a696e3490af3eaba80064ea4cb93e041579abf05addf072d294300aa4b28'
+ 'fec639de0d99967ed3e67289eff5ff78fff0c5829d350e73bed536a8391f1daa1d118d72dbdc1f480ffd33fc22b72f4817d0973bd09ec7f182fd26ad87b24355'
+ '70b3f1d6aaa9cd4b6b34055a587554770c34194100b17b2ef3aaf4f16f68da0865f6b3ae443b3252d395e80efabd412b763259ffb76c902b60e23b6b522e3cc8'
+ '6c6f579644ea2ebb6b46ee274ab15110718b0de40def8c30173ba8480b045d403f2aedd15b50ad9b96453f4ad56920d1350ff76563755bb9a80b10fa7f64f1d9'
+ 'b90c99d768dc2a4f020ba854edf45ccf1b86a09d2f66e475de21fe589ff7e32c33ef4aa0876d7f1864491488fd7edb2682fc0d68e83a6d4890a0778dc2d6fe19'
+ '9d27d97f172a503f5b7044480a0b9ccc0c4ed5dbb2eb3b2b1aa929332c3bcfe38ef0c0310b6566f23b34f9c05b77035221164a7ab7677784c4a54664f12fca22'
+ '0f4efddd25256e09c42b953caeee4b93eb49ecc6eaebf02e616b4dcbfdac9860c3d8a3d1a106325b2ebc4dbc6e08ac46702abcb67a06737227ccb052aaa2a067'
+ '888ab01bc6e09beb08d7126472c34c9e1aa35ea34e62a09e900ae34c93b1de2fcc988586efd8d0dc962393974f45c77b206d59a86cf53e370f061bf9a1b1a862'
+ '89f9b2d3918c679ce4f76c2b10dc7fcb7e04f1925a5f92542f06891de2a123a91df7eb67fd4ce71506a8132f5440b3560b7bb667e1c1813944b115c1dfe35e3f'
+ 'b993a42c5534582631f7b379d54f6abc37e3aaa56ecf869a6d86ff14ae5a52628f4e447b6a30751bc1c14c30cec63a5c6d0aa268362d235ed477b639cac3a219'
+ '68478403433aafc91a03fda5d83813d2ed1dfc6ab7416b2927a803314ecf826edcb6c659587e74df65de3ccb1edf958522f56ff9ac461a1f696b6dede1d4dd35'
+ '50888d94636427ca97bfa5355226163fb6458f2a60303967cf74a8fd085f3c450d276b7c556fea93da387c6bb6f5ecbdb6d9b2a571b6723f27a41c8fb612d27b'
+ 'fc8b874279db428a342387147ef6a849c0621eb0326ad5c4eb12c2ceb98b46477ed1e07c076a8b0abae6b323d4d7f4c70d45998c3338fb89903f51b3f653458b'
+ 'fd928f5d10a5f95bdbab7720b465cbea8b47cf1a376e1ba292c4759d3f1473c80bd4444729dc5b6f6d884e342db7d07a5dad093d345ccccf2c5fb22dfcdacbd8'
+ '723db0e4980727594c88d2fc92ffde10cf7c5cd05fbd88a31dadb813a3c839c3a92b3e5789f936de356b9f5e2d43d67e95fd02627be53ffa46b3d86dfabc4e5b'
+ '77161e2f57237ca589d576924ec0877f379047c6fd90ca47cb6686e4f22cc9e2171ae4306bd5a9fd8e707e297b826e0f7df52dcdcb04e99df7ebd0eb45ac89eb'
+ 'caa5eb7e52b83549bc7d00e343bbb204334b49f2d14005ac1fb592c6f17c6c860edafd88abe619fe54cb0086725385c1f48fd437670a31a08abdac8485ed2073'
+ 'a50bc85061a9a16d776235099867bc1a17c17dddb74c1ecf5614c849735a9779c5e34e5ddca8ca6af4b59a40f57c08ecf219b98cab09476ddb0f110e6a35e45c'
+ 'SKIP')
validpgpkeys=(
- '684D54A189305A9CC95446D36B888913DDB59515' # Márcio Silva
- 'C92BAA713B8D53D3CAE63FC9E6974752F9704456' # André Silva
+ '63CDA1E5D3FC22B998D20DD6327F26951A015CC4' # Lennart Poettering
+ '684D54A189305A9CC95446D36B888913DDB59515' # Márcio Silva
+ 'C92BAA713B8D53D3CAE63FC9E6974752F9704456' # André Silva
)
_backports=(
+ '843d5baf6aad6c53fc00ea8d95d83209a4f92de1' # core: don't use the unified hierarchy for the systemd cgroup yet (#4628)
+ 'abd67ce74858491565cde157c7b08fda43d3279c' # basic/virt: fix userns check on CONFIG_USER_NS=n kernel (#4651)
+ '4318abe8d26e969ebdb97744a63ab900233a0185' # build-sys: do not install ctrl-alt-del.target symlink twice
+ 'd112eae7da77899be245ab52aa1747d4675549f1' # device: Avoid calling unit_free(NULL) in device setup logic (#4748)
+ 'cfed63f60dd7412c199652825ed172c319b02b3c' # nspawn: fix exit code for --help and --version (#4609)
+ '3099caf2b5bb9498b1d0227c40926435ca81f26f' # journal: make sure to initially populate the space info cache (#4807)
+ '3d4cf7de48a74726694abbaa09f9804b845ff3ba' # build-sys: check for lz4 in the old and new numbering scheme (#4717)
)
+#_validate_tag() {
+# local success fingerprint trusted status tag=v$pkgver
+#
+# parse_gpg_statusfile /dev/stdin < <(git verify-tag --raw "$tag" 2>&1)
+#
+# if (( ! success )); then
+# error 'failed to validate tag %s\n' "$tag"
+# return 1
+# fi
+#
+# if ! in_array "$fingerprint" "${validpgpkeys[@]}" && (( ! trusted )); then
+# error 'unknown or untrusted public key: %s\n' "$fingerprint"
+# return 1
+# fi
+#
+# case $status in
+# 'expired')
+# warning 'the signature has expired'
+# ;;
+# 'expiredkey')
+# warning 'the key has expired'
+# ;;
+# esac
+#
+# return 0
+#}
+
prepare() {
cd "$_pkgbase"
+# _validate_tag || return
+
if (( ${#_backports[*]} > 0 )); then
git cherry-pick -n "${_backports[@]}"
fi
- # apply FSDG and Knock patches
+ # apply FSDG, Knock and another patches
local patchfile
for patchfile in "$srcdir"/*.patch; do
patch -Np1 -i "$patchfile"
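Review bot: `_validate_tag` and its call in prepare() are added fully commented out, so the tag signature is never checked. The new `validpgpkeys` entry for Lennart Poettering therefore has no effect on the systemd checkout. That source is fetched over unauthenticated `git://`, and the first `sha512sums` entry, which appears to correspond to it, is `SKIP`. Nothing visible here ties the tree that gets cherry-picked and patched to a trusted signature. Either enable the check (`_validate_tag || return` as the first step after `cd "$_pkgbase"`) or switch the source to an authenticated transport, and if it has to stay disabled, replace the dead code with a comment saying why. prepare() continues outside the hunk.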
@@ -213,9 +262,6 @@ package_systemd-knock() {
# we'll create this on installation
rmdir "$pkgdir/var/log/journal/remote"
- # fix pam file
- sed 's|system-auth|system-login|g' -i "$pkgdir/etc/pam.d/systemd-user"
-
# ship default policy to leave services disabled
echo 'disable *' >"$pkgdir"/usr/lib/systemd/system-preset/99-default.preset
@@ -224,7 +270,12 @@ package_systemd-knock() {
install -Dm644 "$srcdir/loader.conf" "$pkgdir"/usr/share/systemd/bootctl/loader.conf
install -Dm644 "$srcdir/splash-parabola.bmp" "$pkgdir"/usr/share/systemd/bootctl/splash-parabola.bmp
+ install -Dm644 "$srcdir/systemd-sysusers.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-sysusers.hook"
+ install -Dm644 "$srcdir/systemd-tmpfiles.hook" "$pkgdir/usr/share/libalpm/hooks/systemd-tmpfiles.hook"
install -Dm644 "$srcdir/udev-hwdb.hook" "$pkgdir/usr/share/libalpm/hooks/udev-hwdb.hook"
+
+ # overwrite the systemd-user PAM configuration with our own
+ install -Dm644 systemd-user.pam "$pkgdir/etc/pam.d/systemd-user"
}
package_libsystemd-knock() {
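Review bot: The new PAM install line uses a bare relative path, `install -Dm644 systemd-user.pam ...`, while every other install line in this hunk uses `"$srcdir/..."`. Whether it works depends on the working directory at that point in package_systemd-knock(), which is set outside the hunk. Because this file replaces `/etc/pam.d/systemd-user`, picking up the wrong file or failing to find it should not hinge on an earlier `cd`. I would write `install -Dm644 "$srcdir/systemd-user.pam" "$pkgdir/etc/pam.d/systemd-user"`.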
diff --git a/initcpio-install-systemd b/initcpio-install-systemd
index b57661b3ea92..f6d0afdb8285 100644
--- a/initcpio-install-systemd
+++ b/initcpio-install-systemd
@@ -147,6 +147,7 @@ build() {
systemd-journald.service \
systemd-journald-audit.socket \
systemd-journald-dev-log.socket \
+ systemd-modules-load.service \
systemd-tmpfiles-setup-dev.service \
systemd-udev-trigger.service \
systemd-udevd-control.socket \
@@ -172,12 +173,19 @@ build() {
ExecStart=
ExecStart=/usr/lib/systemd/systemd-udevd --resolve-names=never
EOF
+
+ add_dir "/etc/modules-load.d"
+ (
+ . "$_f_config"
+ set -f
+ printf "%s\n" $MODULES >"$BUILDROOT/etc/modules-load.d/MODULES.conf"
+ )
}
help() {
cat <<HELPEOF
This will install a basic systemd setup in your initramfs, and is meant to
-replace the 'base', 'usr', 'udev' and 'timestamp' hooks. Other hooks with runtime
+replace the 'base', 'usr', 'udev' and 'resume' hooks. Other hooks with runtime
components will need to be ported, and will not work as intended. You also may
wish to still include the 'base' hook (before this hook) to ensure that a
rescue shell exists on your initramfs.
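Review bot: The subshell added at the end of build() needs a comment, because the reason for both the subshell and `set -f` is not obvious from the code. The config is sourced in a subshell, presumably so its variables do not leak into the hook, and `set -f` keeps the unquoted `$MODULES` from being glob-expanded while it is word-split. I would add `# source the config in a subshell; set -f so module names are split but never globbed` above the `(`. When `MODULES` is empty, `printf "%s\n"` still writes a single blank line to MODULES.conf, and a failure of `. "$_f_config"` is not checked. build() starts outside the hunk.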
diff --git a/systemd-sysusers.hook b/systemd-sysusers.hook
new file mode 100644
index 000000000000..b0888d7cf94b
--- /dev/null
+++ b/systemd-sysusers.hook
@@ -0,0 +1,11 @@
+[Trigger]
+Type = File
+Operation = Install
+Operation = Upgrade
+Target = usr/lib/sysusers.d/*.conf
+
+[Action]
+Description = Updating system user accounts...
+When = PostTransaction
+Exec = /bin/sh -c 'while read -r f; do /usr/bin/systemd-sysusers "/$f" ; done'
+NeedsTargets
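Review bot: The `Exec` loop returns only the status of the last systemd-sysusers invocation, so a failure on an earlier target is masked when a later one succeeds. The hook then reports success even though a system account may not have been created. Carrying the status through the loop fixes that: `Exec = /bin/sh -c 'rc=0; while read -r f; do /usr/bin/systemd-sysusers "/$f" || rc=1; done; exit $rc'`. The systemd-tmpfiles.hook added in this commit has the same loop shape and needs the same change.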
diff --git a/systemd-tmpfiles.hook b/systemd-tmpfiles.hook
new file mode 100644
index 000000000000..a2c5e3ef07ad
--- /dev/null
+++ b/systemd-tmpfiles.hook
@@ -0,0 +1,11 @@
+[Trigger]
+Type = File
+Operation = Install
+Operation = Upgrade
+Target = usr/lib/tmpfiles.d/*.conf
+
+[Action]
+Description = Creating temporary files...
+When = PostTransaction
+Exec = /bin/sh -c 'while read -r f; do /usr/bin/systemd-tmpfiles --create "/$f"; done'
+NeedsTargets
diff --git a/systemd-user.pam b/systemd-user.pam
new file mode 100644
index 000000000000..83f762696e0e
--- /dev/null
+++ b/systemd-user.pam
@@ -0,0 +1,5 @@
+# Used by systemd --user instances.
+
+account include system-login
+session required pam_loginuid.so
+session include system-login
diff --git a/systemd.install b/systemd.install
index f2978d9738f4..b59de2008a1c 100644
--- a/systemd.install
+++ b/systemd.install
@@ -10,12 +10,6 @@ add_journal_acls() {
:
}
-maybe_reexec() {
- if sd_booted; then
- systemctl --system daemon-reexec
- fi
-}
-
post_common() {
systemd-sysusers
journalctl --update-catalog
@@ -63,7 +57,11 @@ post_install() {
post_upgrade() {
post_common "$@"
- maybe_reexec "$@"
+ # don't reexec if the old version is 231-1 or 231-2.
+ # https://github.com/systemd/systemd/commit/bd64d82c1c
+ if [[ $1 != 231-[12] ]] && sd_booted; then
+ systemctl --system daemon-reexec
+ fi
local v upgrades=(
216-2
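Review bot: The new guard tests `$1`, but the comment above it says the reexec should be skipped when the old version is 231-1 or 231-2. Under the pacman scriptlet convention post_upgrade receives the new version as `$1` and the old version as `$2`. As written the pattern can therefore never match on an upgrade to 232-1, and the daemon-reexec that the linked commit is meant to avoid still runs. I would change the condition to `if [[ $2 != 231-[12] ]] && sd_booted; then`. post_upgrade() continues outside the hunk.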