daandemeyer · daandemeyer · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026
diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md
@@ -679,6 +679,11 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \
   string format. Overrides the default maximum allowed size for a file-descriptor
   based input record to be stored in the journal.
 
+* `$SYSTEMD_JOURNAL_REMOTE_CONFIG_FILE` – path to a configuration file for
+  `systemd-journal-remote`. When set, the specified file is used instead of the
+  default configuration file and drop-in directories. If set to `/dev/null`,
+  configuration file parsing is skipped entirely.
+
 * `$SYSTEMD_CATALOG` – path to the compiled catalog database file to use for
   `journalctl -x`, `journalctl --update-catalog`, `journalctl --list-catalog`
   and related calls.

diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
@@ -1565,6 +1565,33 @@ After=sys-subsystem-net-devices-ens1.device</programlisting>
         <xi:include href="version-info.xml" xpointer="v187"/></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--forward-journal=</option></term>
+
+        <listitem><para>Forward the container's journal to the host by starting
+        <citerefentry><refentrytitle>systemd-journal-remote</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+        listening on a Unix socket that is bind-mounted into the container. The container's
+        <citerefentry><refentrytitle>systemd-journald</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+        connects to the socket via the <varname>journal.forward_to_socket</varname> credential and streams
+        journal entries to the host in real-time. Takes a path to a journal file or directory where the received
+        entries will be stored. If the path ends in <literal>.journal</literal>, entries are written to a single
+        file; otherwise, entries are split per host into the specified directory.</para>
+
+        <xi:include href="version-info.xml" xpointer="v261"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--forward-journal-config=</option></term>
+
+        <listitem><para>Specifies a configuration file for the
+        <citerefentry><refentrytitle>systemd-journal-remote</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+        instance started by <option>--forward-journal=</option>. When not specified, defaults to
+        <filename>/dev/null</filename>, causing <command>systemd-journal-remote</command> to ignore its default
+        configuration files.</para>
+
+        <xi:include href="version-info.xml" xpointer="v261"/></listitem>
+      </varlistentry>
+
     </variablelist>
 
     </refsect2><refsect2>
@@ -1922,6 +1949,18 @@ After=sys-subsystem-net-devices-ens1.device</programlisting>
     <title>Other</title>
 
     <variablelist>
+      <varlistentry>
+        <term><option>--runtime-scope=</option></term>
+
+        <listitem><para>Takes either <literal>system</literal> or <literal>user</literal> to specify whether
+        to interact with the user service manager or the system service manager and whether to register with
+        the user machined instance or the system machined instance. If unspecified, the system service manager
+        and machined instance will be used when running as root, otherwise the user service manager and machined
+        instance will be used.</para>
+
+        <xi:include href="version-info.xml" xpointer="v261"/></listitem>
+      </varlistentry>
+
       <xi:include href="standard-options.xml" xpointer="no-pager" />
       <xi:include href="standard-options.xml" xpointer="help" />
       <xi:include href="standard-options.xml" xpointer="version" />

diff --git a/man/systemd-vmspawn.xml b/man/systemd-vmspawn.xml
@@ -70,13 +70,13 @@
       </varlistentry>
 
       <varlistentry>
-        <term><option>--system</option></term>
-        <term><option>--user</option></term>
+        <term><option>--runtime-scope=</option></term>
 
-        <listitem><para>Specify whether to interact with the user manager or the system manager and whether
-        to register with the user machined instance or the system machined instance. If
-        unspecified, the system manager and machined instance will be used when running as root, otherwise
-        the user manager and machined instance will be used.</para>
+        <listitem><para>Takes either <literal>system</literal> or <literal>user</literal> to specify whether
+        to interact with the user service manager or the system service manager and whether to register with
+        the user machined instance or the system machined instance. If unspecified, the system service manager
+        and machined instance will be used when running as root, otherwise the user service manager and machined
+        instance will be used.</para>
 
         <xi:include href="version-info.xml" xpointer="v260"/></listitem>
       </varlistentry>
@@ -131,8 +131,9 @@
           <listitem><para>Specifies the disk type to use for the root disk passed to <option>--image=</option>.
           Extra drives added via <option>--extra-drive=</option> inherit this disk type unless overridden
           with an explicit disk type prefix. Takes one of <literal>virtio-blk</literal>,
-          <literal>virtio-scsi</literal>, or <literal>nvme</literal>. Defaults to
-          <literal>virtio-blk</literal>.</para>
+          <literal>virtio-scsi</literal>, <literal>nvme</literal>, or <literal>scsi-cd</literal>. Defaults to
+          <literal>virtio-blk</literal>. When <literal>scsi-cd</literal> is specified, the disk is attached
+          as a read-only CD-ROM drive.</para>
 
           <xi:include href="version-info.xml" xpointer="v261"/></listitem>
         </varlistentry>
@@ -166,10 +167,12 @@
         </varlistentry>
 
         <varlistentry>
-          <term><option>--ram=<replaceable>BYTES</replaceable></option></term>
+          <term><option>--ram=<replaceable>BYTES</replaceable>[:<replaceable>MAXBYTES</replaceable>[:<replaceable>SLOTS</replaceable>]]</option></term>
 
-          <listitem><para>The amount of memory to start the virtual machine with.
-          Defaults to 2G.</para>
+          <listitem><para>The amount of memory to start the virtual machine with. Defaults to 2G.
+          If a maximum size is specified after a colon, memory hotplug is enabled with the given
+          upper limit. The number of hotplug slots can optionally be specified after a second colon
+          and defaults to 1.</para>
 
           <xi:include href="version-info.xml" xpointer="v255"/>
           </listitem>
@@ -184,6 +187,15 @@
           <xi:include href="version-info.xml" xpointer="v255"/></listitem>
         </varlistentry>
 
+        <varlistentry>
+          <term><option>--cxl=<replaceable>BOOL</replaceable></option></term>
+
+          <listitem><para>Controls whether to enable CXL (Compute Express Link) support in the virtual
+          machine. Only supported on x86 and ARM architectures.</para>
+
+          <xi:include href="version-info.xml" xpointer="v258"/></listitem>
+        </varlistentry>
+
         <varlistentry>
           <term><option>--vsock=<replaceable>BOOL</replaceable></option></term>
 
@@ -661,6 +673,18 @@
           </listitem>
         </varlistentry>
 
+        <varlistentry>
+          <term><option>--forward-journal-config=<replaceable>PATH</replaceable></option></term>
+
+          <listitem><para>Specifies a configuration file for
+          <citerefentry><refentrytitle>systemd-journal-remote</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+          to use when forwarding journal entries from the VM. If not specified,
+          <filename>/dev/null</filename> is used, which causes
+          <command>systemd-journal-remote</command> to ignore its default configuration files.</para>
+
+          <xi:include href="version-info.xml" xpointer="v261"/></listitem>
+        </varlistentry>
+
         <varlistentry>
           <term><option>--pass-ssh-key=<replaceable>BOOL</replaceable></option></term>
 

diff --git a/shell-completion/bash/systemd-vmspawn b/shell-completion/bash/systemd-vmspawn
@@ -30,8 +30,8 @@ _systemd_vmspawn() {
 
     local -A OPTS=(
         [STANDALONE]='-h --help --version -q --quiet --no-pager -n --network-tap --network-user-mode --user --system -x --ephemeral'
-        [PATH]='-D --directory -i --image --linux --initrd --extra-drive --forward-journal --efi-nvram-template'
-        [BOOL]='--kvm --vsock --tpm --discard-disk --register --pass-ssh-key'
+        [PATH]='-D --directory -i --image --linux --initrd --extra-drive --forward-journal --forward-journal-config --efi-nvram-template'
+        [BOOL]='--kvm --cxl --vsock --tpm --discard-disk --register --pass-ssh-key'
         [SECURE_BOOT]='--secure-boot'
         [FIRMWARE]='--firmware'
         [FIRMWARE_FEATURES]='--firmware-features'

diff --git a/src/basic/escape.c b/src/basic/escape.c
@@ -447,10 +447,10 @@ char* escape_non_printable_full(const char *str, size_t console_width, XEscapeFl
                                                       FLAGS_SET(flags, XESCAPE_FORCE_ELLIPSIS));
 }
 
-char* octescape(const char *s, size_t len) {
+char* octescape_full(const char *s, size_t len, const char *bad) {
         char *buf, *t;
 
-        /* Escapes \ and " chars, in \nnn style escaping. */
+        /* Escapes all chars in bad, in addition to \ and " chars, in \nnn octal style escaping. */
 
         assert(s || len == 0);
 
@@ -467,7 +467,7 @@ char* octescape(const char *s, size_t len) {
         for (size_t i = 0; i < len; i++) {
                 uint8_t u = (uint8_t) s[i];
 
-                if (u < ' ' || u >= 127 || IN_SET(u, '\\', '"')) {
+                if (u < ' ' || u >= 127 || IN_SET(u, '\\', '"') || (bad && strchr(bad, u))) {
                         *(t++) = '\\';
                         *(t++) = '0' + (u >> 6);
                         *(t++) = '0' + ((u >> 3) & 7);

diff --git a/src/basic/escape.h b/src/basic/escape.h
@@ -59,7 +59,10 @@ char* xescape_full(const char *s, const char *bad, size_t console_width, XEscape
 static inline char* xescape(const char *s, const char *bad) {
         return xescape_full(s, bad, SIZE_MAX, 0);
 }
-char* octescape(const char *s, size_t len);
+char* octescape_full(const char *s, size_t len, const char *bad);
+static inline char* octescape(const char *s, size_t len) {
+        return octescape_full(s, len, NULL);
+}
 char* decescape(const char *s, size_t len, const char *bad) _nonnull_if_nonzero_(1, 2);
 char* escape_non_printable_full(const char *str, size_t console_width, XEscapeFlags flags);
 

diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c
@@ -22,6 +22,7 @@
 #include "main-func.h"
 #include "microhttpd-util.h"
 #include "parse-argument.h"
+#include "path-util.h"
 #include "parse-helpers.h"
 #include "parse-util.h"
 #include "pretty-print.h"
@@ -828,6 +829,22 @@ static int parse_config(void) {
                 {}
         };
 
+        const char *config_file = getenv("SYSTEMD_JOURNAL_REMOTE_CONFIG_FILE");
+        if (config_file) {
+                if (path_equal(config_file, "/dev/null"))
+                        return 0;
+
+                return config_parse(
+                                /* unit= */ NULL,
+                                config_file,
+                                /* f= */ NULL,
+                                "Remote\0",
+                                config_item_table_lookup, items,
+                                CONFIG_PARSE_WARN,
+                                /* userdata= */ NULL,
+                                /* ret_stat= */ NULL);
+        }
+
         return config_parse_standard_file_with_dropins(
                         "systemd/journal-remote.conf",
                         "Remote\0",

diff --git a/src/libsystemd/sd-path/path-lookup.c b/src/libsystemd/sd-path/path-lookup.c
@@ -5,8 +5,10 @@
 #include "alloc-util.h"
 #include "fs-util.h"
 #include "log.h"
+#include "mkdir.h"
 #include "path-lookup.h"
 #include "path-util.h"
+#include "random-util.h"
 #include "stat-util.h"
 #include "string-util.h"
 #include "strv.h"
@@ -101,6 +103,40 @@ int runtime_directory(RuntimeScope scope, const char *fallback_suffix, char **re
         return 1;
 }
 
+int runtime_directory_make(RuntimeScope scope, const char *prefix, char **ret_dir, char **ret_dir_destroy) {
+        _cleanup_free_ char *subdir = NULL, *dir = NULL;
+        int r;
+
+        assert(prefix);
+        assert(ret_dir);
+
+        if (asprintf(&subdir, "systemd/%s.%" PRIx64, prefix, random_u64()) < 0)
+                return -ENOMEM;
+
+        r = runtime_directory(scope, subdir, &dir);
+        if (r < 0)
+                return r;
+
+        if (r > 0) {
+                r = mkdir_p(dir, 0755);
+                if (r < 0)
+                        return r;
+
+                if (ret_dir_destroy) {
+                        char *copy = strdup(dir);
+                        if (!copy)
+                                return -ENOMEM;
+                        *ret_dir_destroy = copy;
+                }
+        } else {
+                if (ret_dir_destroy)
+                        *ret_dir_destroy = NULL;
+        }
+
+        *ret_dir = TAKE_PTR(dir);
+        return 0;
+}
+
 static const char* const user_data_unit_paths[] = {
         "/usr/local/lib/systemd/user",
         "/usr/local/share/systemd/user",

diff --git a/src/libsystemd/sd-path/path-lookup.h b/src/libsystemd/sd-path/path-lookup.h
@@ -60,6 +60,7 @@ void lookup_paths_done(LookupPaths *p);
 int config_directory_generic(RuntimeScope scope, const char *suffix, char **ret);
 int runtime_directory_generic(RuntimeScope scope, const char *suffix, char **ret);
 int runtime_directory(RuntimeScope scope, const char *fallback_suffix, char **ret);
+int runtime_directory_make(RuntimeScope scope, const char *prefix, char **ret_dir, char **ret_dir_destroy);
 
 /* We don't treat /etc/xdg/systemd/ in these functions as the xdg base dir spec suggests because we assume
  * that is a link to /etc/systemd/ anyway. */