diff --git a/CVE-2019-3804.patch b/CVE-2019-3804.patch
deleted file mode 100644
index 19b5ffae8ef4c329938116a7f3b8d3df5986dc1e..0000000000000000000000000000000000000000
--- a/CVE-2019-3804.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From c51f6177576d7e12614c64d316cf0b67addd17c9 Mon Sep 17 00:00:00 2001
-From: Stef Walter <stefw@redhat.com>
-Date: Thu, 13 Dec 2018 15:12:44 +0100
-Subject: [PATCH] ws: Fix bug parsing invalid base64 headers
-
-The len parameter to g_base64_decode_inplace() is a inout
-parameter, and needs to be initialized. Lets just use
-the simpler g_base64_decode() function. This fixes a segfault.
-
-Closes #10819
----
- src/ws/cockpitauth.c | 13 ++++++++-----
- src/ws/test-auth.c   |  6 ++++++
- 2 files changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c
-index 474e13c..963f7a7 100644
---- a/src/ws/cockpitauth.c
-+++ b/src/ws/cockpitauth.c
-@@ -1159,16 +1159,19 @@ cockpit_auth_class_init (CockpitAuthClass *klass)
-   cockpit_authorize_logger (authorize_logger, 0);
- }
- 
--static char *
-+static gchar *
- base64_decode_string (const char *enc)
- {
-+  gchar *dec;
-+  gsize len;
-+
-   if (enc == NULL)
-     return NULL;
- 
--  char *dec = g_strdup (enc);
--  gsize len;
--  g_base64_decode_inplace (dec, &len);
--  dec[len] = '\0';
-+  dec = (gchar *)g_base64_decode (enc, &len);
-+  if (dec)
-+    dec[len] = '\0';
-+
-   return dec;
- }
- 
-diff --git a/src/ws/test-auth.c b/src/ws/test-auth.c
-index 6f84b01..57d9462 100644
---- a/src/ws/test-auth.c
-+++ b/src/ws/test-auth.c
-@@ -286,6 +286,12 @@ test_headers_bad (Test *test,
-   if (cockpit_auth_check_cookie (test->auth, "/cockpit", headers))
-       g_assert_not_reached ();
-
-+  /* Bad encoding */
-+  g_hash_table_remove_all (headers);
-+  g_hash_table_insert (headers, g_strdup ("Cookie"), g_strdup ("cockpit=d"));
-+  if (cockpit_auth_check_cookie (test->auth, "/cockpit", headers))
-+      g_assert_not_reached ();
-+
-   g_hash_table_destroy (headers);
- }
- 
--- 
-2.19.1
-
diff --git a/backport-0001-CVE-2021-3660.patch b/backport-0001-CVE-2021-3660.patch
deleted file mode 100644
index e76e2ace1d82137320194f19ea8d23adcd52ea8c..0000000000000000000000000000000000000000
--- a/backport-0001-CVE-2021-3660.patch
+++ /dev/null
@@ -1,184 +0,0 @@
-From b0b57c8093f180fa7d67fdd4efa2f1a13e296930 Mon Sep 17 00:00:00 2001
-From: Martin Pitt <mpitt@redhat.com>
-Date: Tue, 14 Sep 2021 11:03:32 +0200
-Subject: [PATCH] bridge: Robust JSON object comparison in test-httpstream.c
-
-Comparing the received control message JSON against the expected value
-in string form has always been brittle: It assumes a
-predictable/reproducible GLib dictionary serialization. This will break
-across different GLib versions once we add a new static header.
-
-So change the tests to compare the control message with
-`cockpit_assert_json_eq()` (which will do parsing and deep object
-comparison) instead of plain string comparison. Introduce a new
-assert_channel_response() helper for this.
-
-Conflict:NA
-Reference:https://github.com/cockpit-project/cockpit/pull/16348/commits/b0b57c8093f180fa7d67fdd4efa2f1a13e296930
----
- src/bridge/test-httpstream.c | 69 ++++++++++++++++++++----------------
- 1 file changed, 38 insertions(+), 31 deletions(-)
-
-diff --git a/src/bridge/test-httpstream.c b/src/bridge/test-httpstream.c
-index 53cd7bf..47af9ea 100644
---- a/src/bridge/test-httpstream.c
-+++ b/src/bridge/test-httpstream.c
-@@ -30,6 +30,9 @@
- 
- #include <string.h>
- 
-+/* JSON dict snippet for headers that are present in every request */
-+#define STATIC_HEADERS "\"Cross-Origin-Resource-Policy\":\"same-origin\",\"Referrer-Policy\":\"no-referrer\",\"X-Content-Type-Options\":\"nosniff\",\"X-DNS-Prefetch-Control\":\"off\""
-+
- static void
- on_closed_set_flag (CockpitChannel *channel,
-                     const gchar *problem,
-@@ -64,6 +67,24 @@ non_local_ip (void)
-   return str;
- }
- 
-+/* Compare subsequent "{ control JSON }" and "body" channel messages against expected values. */
-+static void
-+assert_channel_response (MockTransport *transport,
-+                         const gchar *channel_id,
-+                         const gchar *expected_control,
-+                         const gchar *expected_body)
-+{
-+  GBytes *data;
-+
-+  data = mock_transport_pop_channel (transport, channel_id);
-+  JsonNode *node = cockpit_json_parse (g_bytes_get_data (data, NULL), -1, NULL);
-+  cockpit_assert_json_eq (json_node_get_object (node), expected_control);
-+  json_node_unref (node);
-+
-+  data = mock_transport_pop_channel (transport, channel_id);
-+  cockpit_assert_bytes_eq (data, expected_body, -1);
-+}
-+
- static void
- setup_general (TestGeneral *tt,
-                gconstpointer host_fixture)
-@@ -116,8 +137,6 @@ test_host_header (TestGeneral *tt,
-   JsonObject *options;
-   const gchar *control;
-   gboolean closed;
--  GBytes *data;
--  guint count;
- 
-   if (tt->host == NULL)
-     {
-@@ -154,11 +173,9 @@ test_host_header (TestGeneral *tt,
-   g_signal_connect (channel, "closed", G_CALLBACK (on_closed_set_flag), &closed);
-   while (!closed)
-     g_main_context_iteration (NULL, TRUE);
--
--  data = mock_transport_combine_output (tt->transport, "444", &count);
--  cockpit_assert_bytes_eq (data, "{\"status\":200,\"reason\":\"OK\",\"headers\":{\"X-DNS-Prefetch-Control\":\"off\",\"Referrer-Policy\":\"no-referrer\"}}Da Da Da", -1);
--  g_assert_cmpuint (count, ==, 2);
--  g_bytes_unref (data);
-+  assert_channel_response (tt->transport, "444",
-+                         "{\"status\":200,\"reason\":\"OK\",\"headers\":{" STATIC_HEADERS "}}",
-+                         "Da Da Da");
- }
- 
- static gboolean
-@@ -340,11 +357,8 @@ test_http_chunked (void)
-   TestResult *tr = g_slice_new (TestResult);
- 
-   GBytes *bytes = NULL;
--  GBytes *data = NULL;
- 
-   const gchar *control;
--  gchar *expected = g_strdup_printf ("{\"status\":200,\"reason\":\"OK\",\"headers\":{\"X-DNS-Prefetch-Control\":\"off\",\"Referrer-Policy\":\"no-referrer\"}}%0*d", MAGIC_NUMBER, 0);
--  guint count;
-   guint port;
- 
-   web_server = cockpit_web_server_new (NULL, 0, NULL, NULL, NULL);
-@@ -387,12 +401,11 @@ test_http_chunked (void)
-     g_main_context_iteration (NULL, TRUE);
-   g_assert_cmpstr (tr->problem, ==, NULL);
- 
--  data = mock_transport_combine_output (transport, "444", &count);
--  cockpit_assert_bytes_eq (data, expected, -1);
--  g_assert_cmpuint (count, ==, 2);
-+  g_autofree gchar *expected_body = g_strdup_printf ("%0*d", MAGIC_NUMBER, 0);
- 
--  g_bytes_unref (data);
--  g_free (expected);
-+  assert_channel_response (transport, "444",
-+                           "{\"status\":200,\"reason\":\"OK\",\"headers\":{" STATIC_HEADERS "}}",
-+                           expected_body);
- 
-   g_object_unref (transport);
-   g_object_add_weak_pointer (G_OBJECT (channel), (gpointer *)&channel);
-@@ -509,7 +522,6 @@ test_tls_basic (TestTls *test,
-   JsonObject *options;
-   const gchar *control;
-   GBytes *bytes;
--  GBytes *data;
- 
-   options = json_object_new ();
-   json_object_set_int_member (options, "port", test->port);
-@@ -537,10 +549,9 @@ test_tls_basic (TestTls *test,
-   while (closed == FALSE)
-     g_main_context_iteration (NULL, TRUE);
- 
--  data = mock_transport_combine_output (test->transport, "444", NULL);
--  cockpit_assert_bytes_eq (data, "{\"status\":200,\"reason\":\"OK\",\"headers\":{\"X-DNS-Prefetch-Control\":\"off\",\"Referrer-Policy\":\"no-referrer\"}}Oh Marmalaade!", -1);
--
--  g_bytes_unref (data);
-+  assert_channel_response (test->transport, "444",
-+                           "{\"status\":200,\"reason\":\"OK\",\"headers\":{" STATIC_HEADERS "}}",
-+                           "Oh Marmalaade!");
- 
-   g_object_add_weak_pointer (G_OBJECT (channel), (gpointer *)&channel);
-   g_object_unref (channel);
-@@ -668,7 +679,6 @@ test_tls_certificate (TestTls *test,
-   GTlsCertificate *cert;
-   const gchar *control;
-   GBytes *bytes;
--  GBytes *data;
- 
-   tls = cockpit_json_parse_object (json, -1, &error);
-   g_assert_no_error (error);
-@@ -699,10 +709,9 @@ test_tls_certificate (TestTls *test,
-   while (closed == FALSE)
-     g_main_context_iteration (NULL, TRUE);
- 
--  data = mock_transport_combine_output (test->transport, "444", NULL);
--  cockpit_assert_bytes_eq (data, "{\"status\":200,\"reason\":\"OK\",\"headers\":{\"X-DNS-Prefetch-Control\":\"off\",\"Referrer-Policy\":\"no-referrer\"}}Oh Marmalaade!", -1);
--
--  g_bytes_unref (data);
-+  assert_channel_response (test->transport, "444",
-+                           "{\"status\":200,\"reason\":\"OK\",\"headers\":{" STATIC_HEADERS "}}",
-+                           "Oh Marmalaade!");
- 
-   g_assert (test->peer != NULL);
- 
-@@ -733,7 +742,6 @@ test_tls_authority_good (TestTls *test,
-   GError *error = NULL;
-   const gchar *control;
-   GBytes *bytes;
--  GBytes *data;
- 
-   tls = cockpit_json_parse_object (json, -1, &error);
-   g_assert_no_error (error);
-@@ -763,11 +771,10 @@ test_tls_authority_good (TestTls *test,
- 
-   while (closed == FALSE)
-     g_main_context_iteration (NULL, TRUE);
--
--  data = mock_transport_combine_output (test->transport, "444", NULL);
--  cockpit_assert_bytes_eq (data, "{\"status\":200,\"reason\":\"OK\",\"headers\":{\"X-DNS-Prefetch-Control\":\"off\",\"Referrer-Policy\":\"no-referrer\"}}Oh Marmalaade!", -1);
--
--  g_bytes_unref (data);
-+  
-+  assert_channel_response (test->transport, "444",
-+                           "{\"status\":200,\"reason\":\"OK\",\"headers\":{" STATIC_HEADERS "}}",
-+                           "Oh Marmalaade!");
- 
-   g_object_add_weak_pointer (G_OBJECT (channel), (gpointer *)&channel);
-   g_object_unref (channel);
--- 
-2.27.0
-
diff --git a/backport-0002-CVE-2021-3660.patch b/backport-0002-CVE-2021-3660.patch
deleted file mode 100644
index 64814572ead286f137d270314a473e88559e8b5b..0000000000000000000000000000000000000000
--- a/backport-0002-CVE-2021-3660.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-From 25a8a5c6e47268933b9b4433a9590ccfd9c04c83 Mon Sep 17 00:00:00 2001
-From: Martin Pitt <mpitt@redhat.com>
-Date: Tue, 14 Sep 2021 09:02:33 +0200
-Subject: [PATCH] common: Restrict frame embedding to same origin
-
-Declare `X-Frame-Options: sameorigin` [1] so that cockpit frames can
-only be embedded into pages coming from the same origin. This is similar
-to setting CORP in commit 2b38b8de92f9a (which applies to `<script>`,
-`<img>`, etc.).
-
-The main use case for embedding is to run cockpit-ws behind a reverse
-proxy, while also serving other pages. Cross-origin embedding is
-discouraged these days to prevent "clickjacking".
-
-Cross-origin embedding already did not work in most cases: Frames would
-always just show the login page.  However, this looks confusing and is
-unclean. With X-Frame-Options, the browser instead shows an explanatory
-error page.
-
-Mention the same origin requirement in the embedding documentation.
-
-Fixes #16122
-https://bugzilla.redhat.com/show_bug.cgi?id=1980688
-CVE-2021-3660
-
-[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
-
-Conflict:NA
-Reference:https://github.com/cockpit-project/cockpit/pull/16342/commits/25a8a5c6e47268933b9b4433a9590ccfd9c04c83
----
- doc/guide/embedding.xml         | 4 +++-
- src/bridge/test-httpstream.c    | 2 +-
- src/bridge/test-packages.c      | 3 +++
- src/common/cockpitwebresponse.c | 6 ++++++
- src/common/test-webresponse.c   | 3 +++
- src/ws/test-channelresponse.c   | 3 +++
- 6 files changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/doc/guide/embedding.xml b/doc/guide/embedding.xml
-index 99b30dc..7fe8aa9 100644
---- a/doc/guide/embedding.xml
-+++ b/doc/guide/embedding.xml
-@@ -5,7 +5,9 @@
-   <title>Embedding and Integrating Cockpit</title>
- 
-   <para>Cockpit can be embedded in other web applications either as a whole or specific
--    Cockpit components can be integrated.</para>
-+    Cockpit components can be integrated. Due to frame security policy restrictions,
-+    this only works if Cockpit and the web application have the <emphasis>same origin</emphasis>;
-+    this is commonly achieved by running both from a common reverse proxy.</para>
- 
-   <section id="embedding-full">
-     <title>Embedding the Cockpit Interface</title>
-diff --git a/src/bridge/test-httpstream.c b/src/bridge/test-httpstream.c
-index 47af9ea..6844f72 100644
---- a/src/bridge/test-httpstream.c
-+++ b/src/bridge/test-httpstream.c
-@@ -31,7 +31,7 @@
- #include <string.h>
- 
- /* JSON dict snippet for headers that are present in every request */
--#define STATIC_HEADERS "\"Cross-Origin-Resource-Policy\":\"same-origin\",\"Referrer-Policy\":\"no-referrer\",\"X-Content-Type-Options\":\"nosniff\",\"X-DNS-Prefetch-Control\":\"off\""
-+#define STATIC_HEADERS "\"Cross-Origin-Resource-Policy\":\"same-origin\",\"Referrer-Policy\":\"no-referrer\",\"X-Content-Type-Options\":\"nosniff\",\"X-DNS-Prefetch-Control\":\"off\",\"X-Frame-Options\":\"sameorigin\""
- 
- static void
- on_closed_set_flag (CockpitChannel *channel,
-diff --git a/src/bridge/test-packages.c b/src/bridge/test-packages.c
-index 769c51c..b96a3b4 100644
---- a/src/bridge/test-packages.c
-+++ b/src/bridge/test-packages.c
-@@ -45,6 +45,9 @@
- #define CHECKSUM_RELOAD_UPDATED "0d1c0b7c6133cc7c3956197fd8a76bef68b158bd78beac75cfa80b75c36aa827"
- #define CHECKSUM_CSP            "25cab69451c3667cb9ed33f006fc7003c248f1029dae4a763bbadb0c4cafaf8d"
- 
-+/* JSON dict snippet for headers that are present in every request */
-+#define STATIC_HEADERS "\"X-DNS-Prefetch-Control\":\"off\",\"Referrer-Policy\":\"no-referrer\",\"X-Content-Type-Options\":\"nosniff\",\"Cross-Origin-Resource-Policy\": \"same-origin\",\"X-Frame-Options\": \"sameorigin\""
-+
- extern const gchar **cockpit_bridge_data_dirs;
- extern const gchar *cockpit_bridge_local_address;
- extern gint cockpit_bridge_packages_port;
-diff --git a/src/common/cockpitwebresponse.c b/src/common/cockpitwebresponse.c
-index 0e757f3..ddf1911 100644
---- a/src/common/cockpitwebresponse.c
-+++ b/src/common/cockpitwebresponse.c
-@@ -735,6 +735,7 @@ enum {
-     HEADER_CACHE_CONTROL = 1 << 3,
-     HEADER_DNS_PREFETCH_CONTROL = 1 << 4,
-     HEADER_REFERRER_POLICY = 1 << 5,
-+    HEADER_X_FRAME_OPTIONS = 1 << 8,
- };
- 
- static GString *
-@@ -773,6 +774,8 @@ append_header (GString *string,
-     return HEADER_DNS_PREFETCH_CONTROL;
-   if (g_ascii_strcasecmp ("Referrer-Policy", name) == 0)
-     return HEADER_REFERRER_POLICY;
-+   if (g_ascii_strcasecmp ("X-Frame-Options", name) == 0)
-+    return HEADER_X_FRAME_OPTIONS;
-   else if (g_ascii_strcasecmp ("Connection", name) == 0)
-     g_critical ("Don't set Connection header manually. This is a programmer error.");
-   return 0;
-@@ -875,6 +878,9 @@ finish_headers (CockpitWebResponse *self,
-     g_string_append (string, "X-DNS-Prefetch-Control: off\r\n");
-   if ((seen & HEADER_REFERRER_POLICY) == 0)
-     g_string_append (string, "Referrer-Policy: no-referrer\r\n");
-+  /* This is the counterpart for iframe embedding, line of defence against clickjacking */
-+  if ((seen & HEADER_X_FRAME_OPTIONS) == 0)
-+    g_string_append (string, "X-Frame-Options: sameorigin\r\n");
- 
-   g_string_append (string, "\r\n");
-   return g_string_free_to_bytes (string);
-diff --git a/src/common/test-webresponse.c b/src/common/test-webresponse.c
-index ab59c13..a797f2b 100644
---- a/src/common/test-webresponse.c
-+++ b/src/common/test-webresponse.c
-@@ -34,6 +34,9 @@
- #include <stdlib.h>
- #include <string.h>
- 
-+/* headers that are present in every request */
-+#define STATIC_HEADERS "X-DNS-Prefetch-Control: off\r\nReferrer-Policy: no-referrer\r\nX-Content-Type-Options: nosniff\r\nCross-Origin-Resource-Policy: same-origin\r\nX-Frame-Options: sameorigin\r\n\r\n"
-+
- static gchar *srcdir;
- 
- typedef struct {
-diff --git a/src/ws/test-channelresponse.c b/src/ws/test-channelresponse.c
-index 86c0fff..763913b 100644
---- a/src/ws/test-channelresponse.c
-+++ b/src/ws/test-channelresponse.c
-@@ -51,6 +51,9 @@
- 
- #define PASSWORD "this is the password"
- 
-+/* headers that are present in every request */
-+#define STATIC_HEADERS "X-Content-Type-Options: nosniff\r\nX-DNS-Prefetch-Control: off\r\nReferrer-Policy: no-referrer\r\nCross-Origin-Resource-Policy: same-origin\r\nX-Frame-Options: sameorigin\r\n"
-+
- typedef struct {
-   CockpitWebService *service;
-   GIOStream *io;
--- 
-2.27.0
-
diff --git a/cockpit-178.tar.xz b/cockpit-254.tar.xz
similarity index 43%
rename from cockpit-178.tar.xz
rename to cockpit-254.tar.xz
index 9e6ca00a0c6752aea46a27b59f164fddf373d0fc..97849d8eb47e676318566ff5a54f1842af00c56b 100644
Binary files a/cockpit-178.tar.xz and b/cockpit-254.tar.xz differ
diff --git a/cockpit.spec b/cockpit.spec
index e10c5e9700fda6b2aa3e8a09832bdf65d021fab5..20ce81b2ffaad69f1a0d7998e6346e4fe12fc012 100644
--- a/cockpit.spec
+++ b/cockpit.spec
@@ -1,26 +1,25 @@
-%bcond_with pcp
+%global         __requires_exclude_from     ^%{_libexecdir}/cockpit-client$
+%bcond_with     pcp
+
 Name:           cockpit
-Version:        178
-Release:        9
+Version:        254
+Release:        1
 Summary:        A easy-to-use, integrated, glanceable, and open web-based interface for Linux servers
 License:        LGPLv2+
 URL:            https://cockpit-project.org/
 Source0:        https://github.com/cockpit-project/cockpit/releases/download/%{version}/cockpit-%{version}.tar.xz
 
-Patch6000:      CVE-2019-3804.patch
-Patch6001:      backport-0001-CVE-2021-3660.patch
-Patch6002:      backport-0002-CVE-2021-3660.patch
-
+BuildRequires:  gcc
 BuildRequires:  pkgconfig(gio-unix-2.0) pkgconfig(json-glib-1.0) pkgconfig(polkit-agent-1) >= 0.105 pam-devel
 BuildRequires:  autoconf automake python3 intltool libssh-devel >= 0.7.1 openssl-devel zlib-devel krb5-devel
-BuildRequires:  libxslt-devel docbook-style-xsl glib-networking sed glib2-devel >= 2.37.4
-BuildRequires:  systemd-devel krb5-server gdb xmlto
+BuildRequires:  libxslt-devel docbook-style-xsl glib-networking sed glib2-devel >= 2.50.0
+BuildRequires:  systemd-devel krb5-server xmlto gnutls-devel >= 3.6.0
 
 %if %{with pcp}
-BuildRequires: pcp-libs-devel
+BuildRequires:  pcp-libs-devel
 %endif
 
-Requires:       glib-networking shadow-utils grep libpwquality coreutils NetworkManager kexec-tools openssl glib2 >= 2.37.4
+Requires:       glib-networking shadow-utils grep libpwquality coreutils NetworkManager kexec-tools openssl glib2 >= 2.50.0
 Requires:       python3 python3-dbus systemd udisks2 >= 2.6 libvirt libvirt-client PackageKit
 
 Provides:       %{name}-networkmanager %{name}-selinux %{name}-sosreport %{name}-dashboard = %{version}-%{release}
@@ -83,7 +82,8 @@ man help files.
 %autosetup -n %{name}-%{version} -p1
 
 %build
-%configure --disable-silent-rules --with-cockpit-user=cockpit-ws --with-selinux-config-type=etc_t\
+%configure --disable-silent-rules --with-cockpit-user=cockpit-ws --with-selinux-config-type=etc_t \
+  --with-cockpit-ws-instance-user=cockpit-wsinstance \
   --with-appstream-data-packages='[ "appstream-data" ]' --with-nfs-client-package='"nfs-utils"' --with-vdo-package='"vdo"' \
 %if %{without pcp}
   --disable-pcp
@@ -101,21 +101,35 @@ man help files.
 make install-tests DESTDIR=%{buildroot}
 
 install -Dpm644 tools/cockpit.pam %{buildroot}%{_sysconfdir}/pam.d/cockpit
+strip %{buildroot}/%{_prefix}/lib/cockpit-test-assets/mock-pam-conv-mod.so
 
 echo '{ "linguas": null }' > %{buildroot}%{_datadir}/cockpit/shell/override.json
 
 %find_lang %{name}
 
-tar -C %{buildroot}/usr/src/debug%{_datadir}/%{name}/playground -cf - . | tar -C %{buildroot}%{_datadir}/%{name}/playground -xf -
-
 %pre
 getent group cockpit-ws >/dev/null || groupadd -r cockpit-ws
 getent passwd cockpit-ws >/dev/null || useradd -r -g cockpit-ws -d / -s /sbin/nologin -c "User for cockpit-ws" cockpit-ws
+getent group cockpit-wsinstance >/dev/null || groupadd -r cockpit-wsinstance
+getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d / -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance
 
 %post
-%systemd_post cockpit.socket
-test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
+if [ ! -f "%{_sysconfdir}/%{name}/ws-certs.d/0-self-signed.key" ]; then
+    # The certificate is not available when upgrading from an older version and needs to be recreated
+    %{__rm} -f %{_sysconfdir}/%{name}/ws-certs.d/{0-self-signed.cert,0-self-signed-ca.pem}
+fi
+
+%tmpfiles_create cockpit-tempfiles.conf
+%systemd_post cockpit.socket cockpit.service
 # cannot use systemctl because it might be out of sync with reality
+test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
+# check for deprecated PAM config
+if grep --color=auto pam_cockpit_cert %{_sysconfdir}/pam.d/cockpit; then
+    echo '**** WARNING:'
+    echo '**** WARNING: pam_cockpit_cert is a no-op and will be removed in a'
+    echo '**** WARNING: future release; remove it from your /etc/pam.d/cockpit.'
+    echo '**** WARNING:'
+fi
 
 %if %{with pcp}
 %post pcp
@@ -123,7 +137,7 @@ test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
 %endif
 
 %preun
-%systemd_preun cockpit.socket
+%systemd_preun cockpit.socket cockpit.service
 
 %postun
 %systemd_postun_with_restart cockpit.socket
@@ -133,31 +147,39 @@ test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
 %if %{without pcp}
 %exclude %{_datadir}/cockpit/pcp/*
 %endif
-%exclude %{_prefix}/lib/firewalld/services/cockpit.xml
-%exclude %{_datadir}/%{name}/{subscriptions,docker,kubernetes}
 %exclude %{_datadir}/pixmaps/cockpit-sosreport.png
-%exclude %{_libexecdir}/{cockpit-kube-auth,cockpit-kube-launch,cockpit-stub}
 %exclude %{_metainfodir}/{org.cockpit-project.cockpit-sosreport.metainfo.xml,org.cockpit-project.cockpit-kdump.metainfo.xml,org.cockpit-project.cockpit-selinux.metainfo.xml}
+%exclude %{_metainfodir}/{org.cockpit-project.cockpit-storaged.metainfo.xml}
 %doc AUTHORS COPYING README.md
+%dir %{_sysconfdir}/cockpit
 %config(noreplace) %{_sysconfdir}/cockpit/ws-certs.d
 %config(noreplace) %{_sysconfdir}/pam.d/cockpit
 %config %{_sysconfdir}/issue.d/cockpit.issue
 %config %{_sysconfdir}/motd.d/cockpit
 %{_datadir}/metainfo/cockpit.appdata.xml
-%{_datadir}/applications/cockpit.desktop
 %{_datadir}/pixmaps/cockpit.png
 %{_datadir}/%{name}/motd/{update-motd,inactive.motd}
 %{_datadir}/%{name}/{static,branding}
-%{_datadir}/%{name}/{base1,ssh,dashboard,realmd,tuned,shell,systemd,users,kdump,sosreport,storaged,networkmanager,packagekit,apps,machines,ovirt,selinux}/*
+%{_datadir}/%{name}/{base1,ssh,dashboard,realmd,tuned,shell,systemd,users,metrics,kdump,sosreport,storaged,networkmanager,packagekit,apps,machines,ovirt,selinux}/*
 %{_unitdir}/{cockpit.service,cockpit-motd.service,cockpit.socket}
+%{_unitdir}/cockpit-wsinstance-http-redirect.service
+%{_unitdir}/cockpit-wsinstance-http-redirect.socket
+%{_unitdir}/cockpit-wsinstance-http.service
+%{_unitdir}/cockpit-wsinstance-http.socket
+%{_unitdir}/cockpit-wsinstance-https-factory.socket
+%{_unitdir}/cockpit-wsinstance-https-factory@.service
+%{_unitdir}/cockpit-wsinstance-https@.service
+%{_unitdir}/cockpit-wsinstance-https@.socket
+%{_unitdir}/system-cockpithttps.slice
 %{_sysconfdir}/%{name}/machines.d
 %{_prefix}/lib/tmpfiles.d/cockpit-tempfiles.conf
-%attr(0775,-,wheel) %{_localstatedir}/lib/cockpit
 %{_libdir}/security/pam_ssh_add.so
-%{_libexecdir}/{cockpit-askpass,cockpit-ws,cockpit-ssh}
-%attr(4750,root,cockpit-ws) %{_libexecdir}/cockpit-session
-%{_sbindir}/remotectl
+%{_libdir}/security/pam_cockpit_cert.so
+%{_libexecdir}/{cockpit-askpass,cockpit-ws,cockpit-ssh,cockpit-wsinstance-factory,cockpit-tls,cockpit-client}
+%{_libexecdir}/{cockpit-client.ui,cockpit-desktop,cockpit-certificate-ensure,cockpit-certificate-helper}
+%attr(4750, root, cockpit-wsinstance) %{_libexecdir}/cockpit-session
 %{_bindir}/cockpit-bridge
+%{_datadir}/polkit-1/actions/org.cockpit-project.cockpit-bridge.policy
 
 %if %{with pcp}
 %files pcp
@@ -167,18 +189,23 @@ test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
 %endif
 
 %files devel
-%config(noreplace) %{_sysconfdir}/cockpit/cockpit.conf
 %{_datadir}/cockpit/playground
 %{_prefix}/lib/cockpit-test-assets
 
 %files help
 %{_docdir}/cockpit
 %exclude %{_docdir}/cockpit/{AUTHORS,COPYING,README.md}
-%doc %{_mandir}/man1/{cockpit.1.gz,cockpit-bridge.1.gz}
+%doc %{_mandir}/man1/{cockpit.1.gz,cockpit-bridge.1.gz,cockpit-desktop.1.gz}
 %doc %{_mandir}/man5/cockpit.conf.5.gz
-%doc %{_mandir}/man8/{cockpit-ws.8.gz,remotectl.8.gz,pam_ssh_add.8.gz}
+%doc %{_mandir}/man8/{cockpit-ws.8.gz,remotectl.8.gz,pam_ssh_add.8.gz,cockpit-tls.8.gz}
 
 %changelog
+* Tue Mar 01 2022 herengui <herengui@uniontech.com> - 254-1
+- Type:NA
+- ID:NA
+- SUG:NA
+- DESC:Update to upstream 254 release
+
 * Fri Sep 24 2021 wangkerong <wangkerong@huawei.com> - 178-9
 - Type:CVE
 - Id:CVE-2021-3660