From 0b98937ab1f5d4757a4b5c18beab8ff2f4745b9c Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 17 Oct 2025 11:32:42 +0200 Subject: [PATCH 01/11] overlay sys-apps/systemd: Some cleanups and diff minimization - Drop unused systemd-256.9 ebuild. - Drop unused patches and regenerate the rest. - Pull in a patch from Gentoo. - Drop Flatcar modifications related to split-usr. We kept those because SDK used to use split-dir. - Drop meson options related to quota utilities - the values we specified were the same as systemd's defaults. - Disable LLMNR and DNSSEC by default - we are disabling it with drop-ins in the init repo. We probably could just drop them. - Preserved keepdir for directories inside /usr and /var. For the latter, dropped the related entries from our tmpfiles - we are generating tmpfiles for directories inside /var during image build. Signed-off-by: Krzesimir Nowak --- .../coreos-overlay/sys-apps/systemd/Manifest | 1 - .../0001-wait-online-set-any-by-default.patch | 10 +- ...te-don-t-require-strictly-newer-usr.patch} | 16 +- ...03-core-use-max-for-DefaultTasksMax.patch} | 18 +- ...-Disable-SELinux-permissions-checks.patch} | 8 +- ...Pass-tty-to-use-by-agetty-via-stdin.patch} | 7 +- ...-Pass-tty-to-use-by-agetty-via-stdin.patch | 95 -- ...-Keep-using-old-journal-file-format.patch} | 16 +- ...trd-parse-etc-override-argv-0-to-av.patch} | 8 +- .../files/0008-sysext-Mutable-overlays.patch | 1310 ----------------- ...lso-check-ifindex-iftype-and-kind-wh.patch | 119 -- ...ck-ID_NET_MANAGED_BY-property-on-rec.patch | 146 -- .../sys-apps/systemd/files/256-bpf-gcc.patch | 26 - .../files/systemd-257-cred-util-tpm2.patch | 69 + .../systemd/files/systemd-flatcar.conf | 8 - .../sys-apps/systemd/systemd-256.9-r1.ebuild | 773 ---------- ...d-257.7.ebuild => systemd-257.7-r1.ebuild} | 126 +- 17 files changed, 167 insertions(+), 2589 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/{0003-needs-update-don-t-require-strictly-newer-usr.patch => 0002-needs-update-don-t-require-strictly-newer-usr.patch} (84%) rename sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/{0004-core-use-max-for-DefaultTasksMax.patch => 0003-core-use-max-for-DefaultTasksMax.patch} (90%) rename sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/{0005-systemd-Disable-SELinux-permissions-checks.patch => 0004-systemd-Disable-SELinux-permissions-checks.patch} (80%) rename sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/{0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch => 0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch} (95%) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch rename sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/{0007-units-Keep-using-old-journal-file-format.patch => 0006-units-Keep-using-old-journal-file-format.patch} (75%) rename sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/{0009-initrd-parse-etc.service.patch => 0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch} (85%) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-sysext-Mutable-overlays.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0010-network-netdev-also-check-ifindex-iftype-and-kind-wh.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0011-network-also-check-ID_NET_MANAGED_BY-property-on-rec.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/256-bpf-gcc.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-257-cred-util-tpm2.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r1.ebuild rename sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/{systemd-257.7.ebuild => systemd-257.7-r1.ebuild} (88%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest index 146d6845ade..4c8c2478b9f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest @@ -1,2 +1 @@ -DIST systemd-256.9.tar.gz 15774953 BLAKE2B caeff33d0906583094a44ab89fe9a9c1832a665f8cc768f86c55c5100bdd5c2b1500b2cd65e9519ef21d79bff92d1da3e84240793099a0e0c508afba3669c46e SHA512 aba7a0f7149fe3d28d9f930f244d5b997c28721e93e6f0768b0f0f1c918c87a0e8b7b347cffb2faa4740ca3ee3b04984454e85757365090a2cf32aba09f70681 DIST systemd-257.7.tar.gz 16327096 BLAKE2B 59a28ce9b355b98f718f26489400640f3d732bbf73c00ea0571302dfc6dfb3585bf07ec56af06d74c5aa033b06a6220c3c839af6dba5ab7f8bde1aef4b58f0f6 SHA512 fdc7c0153432b261ad8018c869dc714ce1d6d2a8428bdec46f7c5f120b196d3a553a375ae433f0c166c57b6e8b3c56549f585349b7b6ff83c2a86a32982d8411 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch index 7171955041f..50671ce19e7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch @@ -1,7 +1,7 @@ -From 98cbd0a4576464478f0f9fcd2066efc08bef9491 Mon Sep 17 00:00:00 2001 +From e228bd8a939e77f4ebc37aa029f8a89e8b9d4807 Mon Sep 17 00:00:00 2001 From: David Michael Date: Tue, 16 Apr 2019 02:44:51 +0000 -Subject: [PATCH 1/8] wait-online: set --any by default +Subject: [PATCH 1/7] wait-online: set --any by default The systemd-networkd-wait-online command would normally continue waiting after a network interface is usable if other interfaces are @@ -15,12 +15,12 @@ earlier) for the original implementation. 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c -index 5328bba2d8..95294df607 100644 +index 6f5aef903a..0acb3e76b9 100644 --- a/src/network/wait-online/wait-online.c +++ b/src/network/wait-online/wait-online.c @@ -21,7 +21,7 @@ static Hashmap *arg_interfaces = NULL; static char **arg_ignore = NULL; - static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID }; + static LinkOperationalStateRange arg_required_operstate = LINK_OPERSTATE_RANGE_INVALID; static AddressFamily arg_required_family = ADDRESS_FAMILY_NO; -static bool arg_any = false; +static bool arg_any = true; @@ -28,5 +28,5 @@ index 5328bba2d8..95294df607 100644 STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep); STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep); -- -2.34.1 +2.51.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-needs-update-don-t-require-strictly-newer-usr.patch similarity index 84% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-needs-update-don-t-require-strictly-newer-usr.patch index 400cb96e05d..f538682a5b1 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-needs-update-don-t-require-strictly-newer-usr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-needs-update-don-t-require-strictly-newer-usr.patch @@ -1,7 +1,7 @@ -From 0be1b5367c24427e3285d33fb87aa4acdf3c4dce Mon Sep 17 00:00:00 2001 +From b8139561768e6745405461e1a765b262ece8f959 Mon Sep 17 00:00:00 2001 From: Alex Crawford Date: Wed, 2 Mar 2016 10:46:33 -0800 -Subject: [PATCH 3/8] needs-update: don't require strictly newer usr +Subject: [PATCH 2/7] needs-update: don't require strictly newer usr Updates should be triggered whenever usr changes, not only when it is newer. --- @@ -10,7 +10,7 @@ Updates should be triggered whenever usr changes, not only when it is newer. 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml -index 3393010ff6..5478baca25 100644 +index 6b863ecff3..c166c5e7ab 100644 --- a/man/systemd-update-done.service.xml +++ b/man/systemd-update-done.service.xml @@ -50,7 +50,7 @@ @@ -23,10 +23,10 @@ index 3393010ff6..5478baca25 100644 This requires that updates to /usr/ are always followed by an update of the modification time of diff --git a/src/shared/condition.c b/src/shared/condition.c -index d3446e8a9d..3f7cc9ea58 100644 +index 1a03fdbe37..8577c35fa0 100644 --- a/src/shared/condition.c +++ b/src/shared/condition.c -@@ -793,7 +793,7 @@ static int condition_test_needs_update(Condition *c, char **env) { +@@ -796,7 +796,7 @@ static int condition_test_needs_update(Condition *c, char **env) { * First, compare seconds as they are always accurate... */ if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec) @@ -35,7 +35,7 @@ index d3446e8a9d..3f7cc9ea58 100644 /* * ...then compare nanoseconds. -@@ -804,7 +804,7 @@ static int condition_test_needs_update(Condition *c, char **env) { +@@ -807,7 +807,7 @@ static int condition_test_needs_update(Condition *c, char **env) { * (otherwise the filesystem supports nsec timestamps, see stat(2)). */ if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0) @@ -44,7 +44,7 @@ index d3446e8a9d..3f7cc9ea58 100644 _cleanup_free_ char *timestamp_str = NULL; r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", ×tamp_str); -@@ -824,7 +824,7 @@ static int condition_test_needs_update(Condition *c, char **env) { +@@ -827,7 +827,7 @@ static int condition_test_needs_update(Condition *c, char **env) { return true; } @@ -54,5 +54,5 @@ index d3446e8a9d..3f7cc9ea58 100644 static bool in_first_boot(void) { -- -2.34.1 +2.51.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-core-use-max-for-DefaultTasksMax.patch similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-core-use-max-for-DefaultTasksMax.patch index a25e8f17ac3..9ebd5e31298 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-core-use-max-for-DefaultTasksMax.patch @@ -1,7 +1,7 @@ -From d21ebfcf17ffc1dba635389193f10d2b93eba730 Mon Sep 17 00:00:00 2001 +From f5635c6b5153d894cf1bf6dca92219150d4252d5 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Fri, 16 Feb 2024 11:22:08 +0000 -Subject: [PATCH 4/8] core: use max for DefaultTasksMax +Subject: [PATCH 3/7] core: use max for DefaultTasksMax Since systemd v228, systemd has a DefaultTasksMax which defaulted to 512, later 15% of the system's maximum number of PIDs. This @@ -21,10 +21,10 @@ Signed-off-by: Adrian Vladu 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml -index 3c06b65f93..71f38692b6 100644 +index f7b414da5c..9c07e235ab 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml -@@ -501,7 +501,7 @@ +@@ -230,7 +230,7 @@ Configure the default value for the per-unit TasksMax= setting. See systemd.resource-control5 for details. This setting applies to all unit types that support resource control settings, with the exception @@ -34,10 +34,10 @@ index 3c06b65f93..71f38692b6 100644 Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores. For example, with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, diff --git a/src/core/manager.c b/src/core/manager.c -index 88eebfc626..8992c8c3e3 100644 +index 4ccaba9054..3ab59c5bb3 100644 --- a/src/core/manager.c +++ b/src/core/manager.c -@@ -114,7 +114,7 @@ +@@ -117,7 +117,7 @@ /* How many units and jobs to process of the bus queue before returning to the event loop. */ #define MANAGER_BUS_MESSAGE_BUDGET 100U @@ -47,10 +47,10 @@ index 88eebfc626..8992c8c3e3 100644 static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata); static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata); diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index 05eb681270..94d0365244 100644 +index 1c08aa4d22..2faea3605e 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in -@@ -58,7 +58,7 @@ +@@ -59,7 +59,7 @@ #DefaultIPAccounting=no #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }} #DefaultTasksAccounting=yes @@ -60,5 +60,5 @@ index 05eb681270..94d0365244 100644 #DefaultLimitFSIZE= #DefaultLimitDATA= -- -2.34.1 +2.51.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-systemd-Disable-SELinux-permissions-checks.patch similarity index 80% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-systemd-Disable-SELinux-permissions-checks.patch index 648e3fa3082..445fdc27285 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-systemd-Disable-SELinux-permissions-checks.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-systemd-Disable-SELinux-permissions-checks.patch @@ -1,7 +1,7 @@ -From 374cca5b2f9aea1c506352cf58b09db5c216a0d3 Mon Sep 17 00:00:00 2001 +From f55e6415307ce77b3376a2bf9cc96b924c6ec52e Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 20 Dec 2016 16:43:22 +0000 -Subject: [PATCH 5/8] systemd: Disable SELinux permissions checks +Subject: [PATCH 4/7] systemd: Disable SELinux permissions checks We don't care about the interaction between systemd and SELinux policy, so let's just disable these checks rather than having to incorporate policy @@ -12,7 +12,7 @@ to limit containers and not anything running directly on the host. 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c -index 62181a6309..448f9211d6 100644 +index a67a520a3b..3365b920eb 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -2,7 +2,7 @@ @@ -25,5 +25,5 @@ index 62181a6309..448f9211d6 100644 #include #include -- -2.34.1 +2.51.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch similarity index 95% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch index 6f81ae8b68e..f189765e9a5 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch @@ -1,7 +1,7 @@ -From bffb2a48796a2736d7fb7328d2a88b1cbb812b12 Mon Sep 17 00:00:00 2001 +From cf500f14557926259b58ee641fffb38b707494d6 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Fri, 16 Dec 2022 16:28:26 +0530 -Subject: [PATCH 6/8] Revert "getty: Pass tty to use by agetty via stdin" +Subject: [PATCH 5/7] Revert "getty: Pass tty to use by agetty via stdin" This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c. @@ -90,3 +90,6 @@ index 20a5eb2754..ba4cbc0edb 100644 TTYPath=/dev/%I TTYReset=yes TTYVHangup=yes +-- +2.51.0 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch deleted file mode 100644 index 7baa379d346..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch +++ /dev/null @@ -1,95 +0,0 @@ -From bffb2a48796a2736d7fb7328d2a88b1cbb812b12 Mon Sep 17 00:00:00 2001 -From: Sayan Chowdhury -Date: Fri, 16 Dec 2022 16:28:26 +0530 -Subject: [PATCH 6/8] Revert "getty: Pass tty to use by agetty via stdin" - -This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c. - -This is to work around a SELinux denial that happens when setting up standard -input for serial consoles (which is used for SSH connections). - -Signed-off-by: Sayan Chowdhury ---- - units/console-getty.service.in | 4 +--- - units/container-getty@.service.in | 4 +--- - units/getty@.service.in | 4 +--- - units/serial-getty@.service.in | 4 +--- - 4 files changed, 4 insertions(+), 12 deletions(-) - -diff --git a/units/console-getty.service.in b/units/console-getty.service.in -index d64112be5e..b908708d8c 100644 ---- a/units/console-getty.service.in -+++ b/units/console-getty.service.in -@@ -22,12 +22,10 @@ ConditionPathExists=/dev/console - [Service] - # The '-o' option value tells agetty to replace 'login' arguments with an option to preserve environment (-p), - # followed by '--' for safety, and then the entered username. --ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud - 115200,38400,9600 $TERM -+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud console 115200,38400,9600 $TERM - Type=idle - Restart=always - UtmpIdentifier=cons --StandardInput=tty --StandardOutput=tty - TTYPath=/dev/console - TTYReset=yes - TTYVHangup=yes -diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in -index 8847d735fb..8be25663f5 100644 ---- a/units/container-getty@.service.in -+++ b/units/container-getty@.service.in -@@ -27,13 +27,11 @@ Before=rescue.service - [Service] - # The '-o' option value tells agetty to replace 'login' arguments with an option to preserve environment (-p), - # followed by '--' for safety, and then the entered username. --ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM -+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear --keep-baud pts/%I 115200,38400,9600 $TERM - Type=idle - Restart=always - RestartSec=0 - UtmpIdentifier=pts/%I --StandardInput=tty --StandardOutput=tty - TTYPath=/dev/pts/%I - TTYReset=yes - TTYVHangup=yes -diff --git a/units/getty@.service.in b/units/getty@.service.in -index 80b8f3e922..b57666c123 100644 ---- a/units/getty@.service.in -+++ b/units/getty@.service.in -@@ -38,13 +38,11 @@ ConditionPathExists=/dev/tty0 - # The '-o' option value tells agetty to replace 'login' arguments with an - # option to preserve environment (-p), followed by '--' for safety, and then - # the entered username. --ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear - $TERM -+ExecStart=-/sbin/agetty -o '-p -- \\u' --noclear %I $TERM - Type=idle - Restart=always - RestartSec=0 - UtmpIdentifier=%I --StandardInput=tty --StandardOutput=tty - TTYPath=/dev/%I - TTYReset=yes - TTYVHangup=yes -diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in -index 6bf101eac9..479b8759a9 100644 ---- a/units/serial-getty@.service.in -+++ b/units/serial-getty@.service.in -@@ -33,12 +33,10 @@ Before=rescue.service - # The '-o' option value tells agetty to replace 'login' arguments with an - # option to preserve environment (-p), followed by '--' for safety, and then - # the entered username. --ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 - $TERM -+ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,57600,38400,9600 %I $TERM - Type=idle - Restart=always - UtmpIdentifier=%I --StandardInput=tty --StandardOutput=tty - TTYPath=/dev/%I - TTYReset=yes - TTYVHangup=yes --- -2.34.1 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-units-Keep-using-old-journal-file-format.patch similarity index 75% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-units-Keep-using-old-journal-file-format.patch index 8471991893d..033ccf2f5f7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-units-Keep-using-old-journal-file-format.patch @@ -1,7 +1,7 @@ -From 6a4c6f97742afc9ca5de40335b2d041095990aa2 Mon Sep 17 00:00:00 2001 +From 1bf0301376df8e82593efccb80cd4e43638666c0 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Fri, 16 Feb 2024 11:29:04 +0000 -Subject: [PATCH 7/8] units: Keep using old journal file format +Subject: [PATCH 6/7] units: Keep using old journal file format Systemd 252 made an incompatible change in journal file format. Temporarily force journald to use the old journal format to give logging containers more @@ -14,22 +14,22 @@ Signed-off-by: Adrian Vladu 2 files changed, 2 insertions(+) diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in -index 37eeabc510..e5030a81bd 100644 +index 4404af963b..323af7cfb0 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in -@@ -27,6 +27,7 @@ IgnoreOnIsolate=yes +@@ -30,6 +30,7 @@ IgnoreOnIsolate=yes [Service] DeviceAllow=char-* rw +Environment=SYSTEMD_JOURNAL_COMPACT=0 ExecStart={{LIBEXECDIR}}/systemd-journald FileDescriptorStoreMax=4224 - IPAddressDeny=any + # Ensure services using StandardOutput=journal do not break when journald is stopped diff --git a/units/systemd-journald@.service.in b/units/systemd-journald@.service.in -index c3bcb08533..8780783cf6 100644 +index b705ce08ff..874701dac4 100644 --- a/units/systemd-journald@.service.in +++ b/units/systemd-journald@.service.in -@@ -21,6 +21,7 @@ Conflicts=soft-reboot.target +@@ -16,6 +16,7 @@ After=systemd-journald@%i.socket systemd-journald-varlink@%i.socket [Service] CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE DevicePolicy=closed @@ -38,5 +38,5 @@ index c3bcb08533..8780783cf6 100644 FileDescriptorStoreMax=4224 Group=systemd-journal -- -2.34.1 +2.51.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-initrd-parse-etc.service.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-initrd-parse-etc.service.patch rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch index e3f00be4e3f..4c12dc2f6ed 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-initrd-parse-etc.service.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch @@ -1,8 +1,8 @@ -From 65e3f4e837001f6f00359a779b6c5801566aa750 Mon Sep 17 00:00:00 2001 +From 93775241c5f873a5862c2e7b06532bd3969341a0 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Wed, 25 Sep 2024 15:51:02 +0000 -Subject: [PATCH] Revert "Revert "initrd-parse-etc: override argv[0] to avoid - dracut issue"" +Subject: [PATCH 7/7] Revert "Revert "initrd-parse-etc: override argv[0] to + avoid dracut issue"" This reverts commit 1c585a4ccda3258088d7bc27b27a314e7ed8be80. --- @@ -25,5 +25,5 @@ index 1eef2bd9be..3dadab1123 100644 # We want to enqueue initrd-cleanup.service/start after we finished the part # above. It can't be part of the initial transaction, because non-oneshot units -- -2.34.1 +2.51.0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-sysext-Mutable-overlays.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-sysext-Mutable-overlays.patch deleted file mode 100644 index f6fb957cd2f..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-sysext-Mutable-overlays.patch +++ /dev/null @@ -1,1310 +0,0 @@ -From b3e3257bfa07ae9ff63f5a139a1f7b72353a456b Mon Sep 17 00:00:00 2001 -From: Krzesimir Nowak -Date: Mon, 22 Apr 2024 16:43:38 +0200 -Subject: [PATCH 8/8] sysext: Mutable overlays - ---- - src/basic/path-util.c | 12 + - src/basic/path-util.h | 3 +- - src/shared/mount-util.c | 10 + - src/shared/mount-util.h | 1 + - src/sysext/sysext.c | 954 +++++++++++++++++++++++++++++++++++++--- - 5 files changed, 913 insertions(+), 67 deletions(-) - -diff --git a/src/basic/path-util.c b/src/basic/path-util.c -index 6810bf66aa..b21c7b66a3 100644 ---- a/src/basic/path-util.c -+++ b/src/basic/path-util.c -@@ -525,6 +525,18 @@ int path_compare_filename(const char *a, const char *b) { - return strcmp(fa, fb); - } - -+int path_equal_or_inode_same_full(const char *a, const char *b, int flags) { -+ /* Returns true if paths are of the same entry, false if not, <0 on error. */ -+ -+ if (path_equal(a, b)) -+ return 1; -+ -+ if (!a || !b) -+ return 0; -+ -+ return inode_same(a, b, flags); -+} -+ - char* path_extend_internal(char **x, ...) { - size_t sz, old_sz; - char *q, *nx; -diff --git a/src/basic/path-util.h b/src/basic/path-util.h -index 6d943e967f..19d42c56bc 100644 ---- a/src/basic/path-util.h -+++ b/src/basic/path-util.h -@@ -68,8 +68,9 @@ static inline bool path_equal_filename(const char *a, const char *b) { - return path_compare_filename(a, b) == 0; - } - -+int path_equal_or_inode_same_full(const char *a, const char *b, int flags); - static inline bool path_equal_or_inode_same(const char *a, const char *b, int flags) { -- return path_equal(a, b) || inode_same(a, b, flags) > 0; -+ return path_equal_or_inode_same_full(a, b, flags) > 0; - } - - char* path_extend_internal(char **x, ...); -diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c -index 4f2acce513..dd9a995fb6 100644 ---- a/src/shared/mount-util.c -+++ b/src/shared/mount-util.c -@@ -453,6 +453,16 @@ int bind_remount_one_with_mountinfo( - return 0; - } - -+int bind_remount_one(const char *path, unsigned long new_flags, unsigned long flags_mask) { -+ _cleanup_fclose_ FILE *proc_self_mountinfo = NULL; -+ -+ proc_self_mountinfo = fopen("/proc/self/mountinfo", "re"); -+ if (!proc_self_mountinfo) -+ return log_debug_errno(errno, "Failed to open /proc/self/mountinfo: %m"); -+ -+ return bind_remount_one_with_mountinfo(path, new_flags, flags_mask, proc_self_mountinfo); -+} -+ - static int mount_switch_root_pivot(int fd_newroot, const char *path) { - assert(fd_newroot >= 0); - assert(path); -diff --git a/src/shared/mount-util.h b/src/shared/mount-util.h -index ef31104900..679c94c950 100644 ---- a/src/shared/mount-util.h -+++ b/src/shared/mount-util.h -@@ -26,6 +26,7 @@ static inline int bind_remount_recursive(const char *prefix, unsigned long new_f - } - - int bind_remount_one_with_mountinfo(const char *path, unsigned long new_flags, unsigned long flags_mask, FILE *proc_self_mountinfo); -+int bind_remount_one(const char *path, unsigned long new_flags, unsigned long flags_mask); - - int mount_switch_root_full(const char *path, unsigned long mount_propagation_flag, bool force_ms_move); - static inline int mount_switch_root(const char *path, unsigned long mount_propagation_flag) { -diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c -index 8dc515e4d5..7c364e5bc7 100644 ---- a/src/sysext/sysext.c -+++ b/src/sysext/sysext.c -@@ -39,15 +39,41 @@ - #include "pager.h" - #include "parse-argument.h" - #include "parse-util.h" -+#include "path-util.h" - #include "pretty-print.h" - #include "process-util.h" -+#include "rm-rf.h" - #include "sort-util.h" -+#include "string-table.h" -+#include "string-util.h" - #include "terminal-util.h" - #include "user-util.h" - #include "varlink.h" - #include "varlink-io.systemd.sysext.h" - #include "verbs.h" - -+typedef enum MutableMode { -+ MUTABLE_NO, -+ MUTABLE_YES, -+ MUTABLE_AUTO, -+ MUTABLE_IMPORT, -+ MUTABLE_EPHEMERAL, -+ MUTABLE_EPHEMERAL_IMPORT, -+ _MUTABLE_MAX, -+ _MUTABLE_INVALID = -EINVAL, -+} MutableMode; -+ -+static const char* const mutable_mode_table[_MUTABLE_MAX] = { -+ [MUTABLE_NO] = "no", -+ [MUTABLE_YES] = "yes", -+ [MUTABLE_AUTO] = "auto", -+ [MUTABLE_IMPORT] = "import", -+ [MUTABLE_EPHEMERAL] = "ephemeral", -+ [MUTABLE_EPHEMERAL_IMPORT] = "ephemeral-import", -+}; -+ -+DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_BOOLEAN(mutable_mode, MutableMode, MUTABLE_YES); -+ - static char **arg_hierarchies = NULL; /* "/usr" + "/opt" by default for sysext and /etc by default for confext */ - static char *arg_root = NULL; - static JsonFormatFlags arg_json_format_flags = JSON_FORMAT_OFF; -@@ -58,10 +84,13 @@ static bool arg_no_reload = false; - static int arg_noexec = -1; - static ImagePolicy *arg_image_policy = NULL; - static bool arg_varlink = false; -+static MutableMode arg_mutable = MUTABLE_NO; - - /* Is set to IMAGE_CONFEXT when systemd is called with the confext functionality instead of the default */ - static ImageClass arg_image_class = IMAGE_SYSEXT; - -+#define MUTABLE_EXTENSIONS_BASE_DIR "/var/lib/extensions.mutable" -+ - STATIC_DESTRUCTOR_REGISTER(arg_hierarchies, strv_freep); - STATIC_DESTRUCTOR_REGISTER(arg_root, freep); - STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep); -@@ -75,6 +104,7 @@ static const struct { - const char *level_env; - const char *scope_env; - const char *name_env; -+ const char *mode_env; - const ImagePolicy *default_image_policy; - unsigned long default_mount_flags; - } image_class_info[_IMAGE_CLASS_MAX] = { -@@ -86,6 +116,7 @@ static const struct { - .level_env = "SYSEXT_LEVEL", - .scope_env = "SYSEXT_SCOPE", - .name_env = "SYSTEMD_SYSEXT_HIERARCHIES", -+ .mode_env = "SYSTEMD_SYSEXT_MUTABLE_MODE", - .default_image_policy = &image_policy_sysext, - .default_mount_flags = MS_RDONLY|MS_NODEV, - }, -@@ -97,11 +128,16 @@ static const struct { - .level_env = "CONFEXT_LEVEL", - .scope_env = "CONFEXT_SCOPE", - .name_env = "SYSTEMD_CONFEXT_HIERARCHIES", -+ .mode_env = "SYSTEMD_CONFEXT_MUTABLE_MODE", - .default_image_policy = &image_policy_confext, - .default_mount_flags = MS_RDONLY|MS_NODEV|MS_NOSUID|MS_NOEXEC, - } - }; - -+static int parse_mutable_mode(const char *p) { -+ return mutable_mode_from_string(p); -+} -+ - static int is_our_mount_point( - ImageClass image_class, - const char *p) { -@@ -150,7 +186,7 @@ static int is_our_mount_point( - return log_error_errno(r, "Failed to parse device major/minor stored in '%s/dev' file on '%s': %m", image_class_info[image_class].dot_directory_name, p); - - if (lstat(p, &st) < 0) -- return log_error_errno(r, "Failed to stat %s: %m", p); -+ return log_error_errno(errno, "Failed to stat %s: %m", p); - - if (st.st_dev != dev) { - log_debug("Hierarchy '%s' reports a different device major/minor than what we are seeing, assuming offline copy.", p); -@@ -248,11 +284,22 @@ static int unmerge_hierarchy( - ImageClass image_class, - const char *p) { - -+ _cleanup_free_ char *dot_dir = NULL, *work_dir_info_file = NULL; - int r; - - assert(p); - -+ dot_dir = path_join(p, image_class_info[image_class].dot_directory_name); -+ if (!dot_dir) -+ return log_oom(); -+ -+ work_dir_info_file = path_join(dot_dir, "work_dir"); -+ if (!work_dir_info_file) -+ return log_oom(); -+ - for (;;) { -+ _cleanup_free_ char *escaped_work_dir_in_root = NULL, *work_dir = NULL; -+ - /* We only unmount /usr/ if it is a mount point and really one of ours, in order not to break - * systems where /usr/ is a mount point of its own already. */ - -@@ -262,9 +309,40 @@ static int unmerge_hierarchy( - if (r == 0) - break; - -+ r = read_one_line_file(work_dir_info_file, &escaped_work_dir_in_root); -+ if (r < 0) { -+ if (r != -ENOENT) -+ return log_error_errno(r, "Failed to read '%s': %m", work_dir_info_file); -+ } else { -+ _cleanup_free_ char *work_dir_in_root = NULL; -+ ssize_t l; -+ -+ l = cunescape_length(escaped_work_dir_in_root, r, 0, &work_dir_in_root); -+ if (l < 0) -+ return log_error_errno(l, "Failed to unescape work directory path: %m"); -+ work_dir = path_join(arg_root, work_dir_in_root); -+ if (!work_dir) -+ return log_oom(); -+ } -+ -+ r = umount_verbose(LOG_DEBUG, dot_dir, MNT_DETACH|UMOUNT_NOFOLLOW); -+ if (r < 0) { -+ /* EINVAL is possibly "not a mount point". Let it slide as it's expected to occur if -+ * the whole hierarchy was read-only, so the dot directory inside it was not -+ * bind-mounted as read-only. */ -+ if (r != -EINVAL) -+ return log_error_errno(r, "Failed to unmount '%s': %m", dot_dir); -+ } -+ - r = umount_verbose(LOG_ERR, p, MNT_DETACH|UMOUNT_NOFOLLOW); - if (r < 0) -- return log_error_errno(r, "Failed to unmount file system '%s': %m", p); -+ return r; -+ -+ if (work_dir) { -+ r = rm_rf(work_dir, REMOVE_ROOT | REMOVE_MISSING_OK | REMOVE_PHYSICAL); -+ if (r < 0) -+ return log_error_errno(r, "Failed to remove '%s': %m", work_dir); -+ } - - log_info("Unmerged '%s'.", p); - } -@@ -448,7 +526,7 @@ static int verb_status(int argc, char **argv, void *userdata) { - return log_oom(); - - if (stat(*p, &st) < 0) -- return log_error_errno(r, "Failed to stat() '%s': %m", *p); -+ return log_error_errno(errno, "Failed to stat() '%s': %m", *p); - - r = table_add_many( - t, -@@ -474,11 +552,38 @@ static int verb_status(int argc, char **argv, void *userdata) { - return ret; - } - -+static int append_overlayfs_path_option( -+ char **options, -+ const char *separator, -+ const char *option, -+ const char *path) { -+ -+ _cleanup_free_ char *escaped = NULL; -+ -+ assert(options); -+ assert(separator); -+ assert(path); -+ -+ escaped = shell_escape(path, ",:"); -+ if (!escaped) -+ return log_oom(); -+ -+ if (option) { -+ if (!strextend(options, separator, option, "=", escaped)) -+ return log_oom(); -+ } else if (!strextend(options, separator, escaped)) -+ return log_oom(); -+ -+ return 0; -+} -+ - static int mount_overlayfs( - ImageClass image_class, - int noexec, - const char *where, -- char **layers) { -+ char **layers, -+ const char *upper_dir, -+ const char *work_dir) { - - _cleanup_free_ char *options = NULL; - bool separator = false; -@@ -486,20 +591,16 @@ static int mount_overlayfs( - int r; - - assert(where); -+ assert((upper_dir && work_dir) || (!upper_dir && !work_dir)); - - options = strdup("lowerdir="); - if (!options) - return log_oom(); - - STRV_FOREACH(l, layers) { -- _cleanup_free_ char *escaped = NULL; -- -- escaped = shell_escape(*l, ",:"); -- if (!escaped) -- return log_oom(); -- -- if (!strextend(&options, separator ? ":" : "", escaped)) -- return log_oom(); -+ r = append_overlayfs_path_option(&options, separator ? ":" : "", NULL, *l); -+ if (r < 0) -+ return r; - - separator = true; - } -@@ -508,6 +609,22 @@ static int mount_overlayfs( - if (noexec >= 0) - SET_FLAG(flags, MS_NOEXEC, noexec); - -+ if (upper_dir && work_dir) { -+ r = append_overlayfs_path_option(&options, ",", "upperdir", upper_dir); -+ if (r < 0) -+ return r; -+ -+ flags &= ~MS_RDONLY; -+ -+ r = append_overlayfs_path_option(&options, ",", "workdir", work_dir); -+ if (r < 0) -+ return r; -+ /* redirect_dir=on and noatime prevent unnecessary upcopies, metacopy=off prevents broken -+ * files from partial upcopies after umount. */ -+ if (!strextend(&options, ",redirect_dir=on,noatime,metacopy=off")) -+ return log_oom(); -+ } -+ - /* Now mount the actual overlayfs */ - r = mount_nofollow_verbose(LOG_ERR, image_class_info[image_class].short_identifier, where, "overlay", flags, options); - if (r < 0) -@@ -516,62 +633,277 @@ static int mount_overlayfs( - return 0; - } - --static int merge_hierarchy( -- ImageClass image_class, -+static char *hierarchy_as_single_path_component(const char *hierarchy) { -+ /* We normally expect hierarchy to be /usr, /opt or /etc, but for debugging purposes the hierarchy -+ * could very well be like /foo/bar/baz/. So for a given hierarchy we generate a directory name by -+ * stripping the leading and trailing separators and replacing the rest of separators with dots. This -+ * makes the generated name to be the same for /foo/bar/baz and for /foo/bar.baz, but, again, -+ * speciyfing a different hierarchy is a debugging feature, so non-unique mapping should not be an -+ * issue in general case. */ -+ const char *stripped = hierarchy; -+ _cleanup_free_ char *dir_name = NULL; -+ -+ assert(hierarchy); -+ -+ stripped += strspn(stripped, "/"); -+ -+ dir_name = strdup(stripped); -+ if (!dir_name) -+ return NULL; -+ delete_trailing_chars(dir_name, "/"); -+ string_replace_char(dir_name, '/', '.'); -+ return TAKE_PTR(dir_name); -+} -+ -+static int paths_on_same_fs(const char *path1, const char *path2) { -+ struct stat st1, st2; -+ -+ assert(path1); -+ assert(path2); -+ -+ if (stat(path1, &st1) < 0) -+ return log_error_errno(errno, "Failed to stat '%s': %m", path1); -+ -+ if (stat(path2, &st2) < 0) -+ return log_error_errno(errno, "Failed to stat '%s': %m", path2); -+ -+ return st1.st_dev == st2.st_dev; -+} -+ -+static int work_dir_for_hierarchy( - const char *hierarchy, -- int noexec, -- char **extensions, -- char **paths, -- const char *meta_path, -- const char *overlay_path) { -+ const char *resolved_upper_dir, -+ char **ret_work_dir) { -+ -+ _cleanup_free_ char *parent = NULL; -+ int r; -+ -+ assert(hierarchy); -+ assert(resolved_upper_dir); -+ assert(ret_work_dir); -+ -+ r = path_extract_directory(resolved_upper_dir, &parent); -+ if (r < 0) -+ return log_error_errno(r, "Failed to get parent directory of upperdir '%s': %m", resolved_upper_dir); -+ -+ /* TODO: paths_in_same_superblock? partition? device? */ -+ r = paths_on_same_fs(resolved_upper_dir, parent); -+ if (r < 0) -+ return r; -+ if (!r) -+ return log_error_errno(SYNTHETIC_ERRNO(EXDEV), "Unable to find a suitable workdir location for upperdir '%s' for host hierarchy '%s' - parent directory of the upperdir is in a different filesystem", resolved_upper_dir, hierarchy); -+ -+ _cleanup_free_ char *f = NULL, *dir_name = NULL; -+ -+ f = hierarchy_as_single_path_component(hierarchy); -+ if (!f) -+ return log_oom(); -+ dir_name = strjoin(".systemd-", f, "-workdir"); -+ if (!dir_name) -+ return log_oom(); -+ -+ free(f); -+ f = path_join(parent, dir_name); -+ if (!f) -+ return log_oom(); -+ -+ *ret_work_dir = TAKE_PTR(f); -+ return 0; -+} -+ -+typedef struct OverlayFSPaths { -+ char *hierarchy; -+ mode_t hierarchy_mode; -+ char *resolved_hierarchy; -+ char *resolved_mutable_directory; -+ -+ /* NULL if merged fs is read-only */ -+ char *upper_dir; -+ /* NULL if merged fs is read-only */ -+ char *work_dir; -+ /* lowest index is top lowerdir, highest index is bottom lowerdir */ -+ char **lower_dirs; -+} OverlayFSPaths; -+ -+static OverlayFSPaths *overlayfs_paths_free(OverlayFSPaths *op) { -+ if (!op) -+ return NULL; -+ -+ free(op->hierarchy); -+ free(op->resolved_hierarchy); -+ free(op->resolved_mutable_directory); -+ -+ free(op->upper_dir); -+ free(op->work_dir); -+ strv_free(op->lower_dirs); -+ -+ free(op); -+ return NULL; -+} -+DEFINE_TRIVIAL_CLEANUP_FUNC(OverlayFSPaths *, overlayfs_paths_free); - -- _cleanup_free_ char *resolved_hierarchy = NULL, *f = NULL, *buf = NULL; -- _cleanup_strv_free_ char **layers = NULL; -+static int resolve_hierarchy(const char *hierarchy, char **ret_resolved_hierarchy) { -+ _cleanup_free_ char *resolved_path = NULL; -+ int r; -+ -+ assert(hierarchy); -+ assert(ret_resolved_hierarchy); -+ -+ r = chase(hierarchy, arg_root, CHASE_PREFIX_ROOT, &resolved_path, NULL); -+ if (r < 0 && r != -ENOENT) -+ return log_error_errno(r, "Failed to resolve hierarchy '%s': %m", hierarchy); -+ -+ *ret_resolved_hierarchy = TAKE_PTR(resolved_path); -+ return 0; -+} -+ -+static int mutable_directory_mode_matches_hierarchy( -+ const char *root_or_null, -+ const char *path, -+ mode_t hierarchy_mode) { -+ -+ _cleanup_free_ char *path_in_root = NULL; - struct stat st; -+ mode_t actual_mode; -+ -+ assert(path); -+ -+ path_in_root = path_join(root_or_null, path); -+ if (!path_in_root) -+ return log_oom(); -+ -+ if (stat(path_in_root, &st) < 0) { -+ if (errno == ENOENT) -+ return 0; -+ return log_error_errno(errno, "Failed to stat mutable directory '%s': %m", path_in_root); -+ } -+ -+ actual_mode = st.st_mode & 0777; -+ if (actual_mode != hierarchy_mode) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Mutable directory '%s' has mode %04o, ought to have mode %04o", path_in_root, actual_mode, hierarchy_mode); -+ -+ return 0; -+} -+ -+static int resolve_mutable_directory( -+ const char *hierarchy, -+ mode_t hierarchy_mode, -+ const char *workspace, -+ char **ret_resolved_mutable_directory) { -+ -+ _cleanup_free_ char *path = NULL, *resolved_path = NULL, *dir_name = NULL; -+ const char *root = arg_root, *base = MUTABLE_EXTENSIONS_BASE_DIR; - int r; - - assert(hierarchy); -- assert(meta_path); -- assert(overlay_path); -+ assert(ret_resolved_mutable_directory); - -- /* Resolve the path of the host's version of the hierarchy, i.e. what we want to use as lowest layer -- * in the overlayfs stack. */ -- r = chase(hierarchy, arg_root, CHASE_PREFIX_ROOT, &resolved_hierarchy, NULL); -- if (r == -ENOENT) -- log_debug_errno(r, "Hierarchy '%s' on host doesn't exist, not merging.", hierarchy); -- else if (r < 0) -- return log_error_errno(r, "Failed to resolve host hierarchy '%s': %m", hierarchy); -- else { -- r = dir_is_empty(resolved_hierarchy, /* ignore_hidden_or_backup= */ false); -- if (r < 0) -- return log_error_errno(r, "Failed to check if host hierarchy '%s' is empty: %m", resolved_hierarchy); -- if (r > 0) { -- log_debug("Host hierarchy '%s' is empty, not merging.", resolved_hierarchy); -- resolved_hierarchy = mfree(resolved_hierarchy); -- } -+ if (arg_mutable == MUTABLE_NO) { -+ log_debug("Mutability for hierarchy '%s' is disabled, not resolving mutable directory.", hierarchy); -+ *ret_resolved_mutable_directory = NULL; -+ return 0; - } - -- /* Let's generate a metadata file that lists all extensions we took into account for this -- * hierarchy. We include this in the final fs, to make things nicely discoverable and -- * recognizable. */ -- f = path_join(meta_path, image_class_info[image_class].dot_directory_name, image_class_info[image_class].short_identifier_plural); -- if (!f) -+ if (IN_SET(arg_mutable, MUTABLE_EPHEMERAL, MUTABLE_EPHEMERAL_IMPORT)) { -+ /* We create mutable directory inside the temporary tmpfs workspace, which is a fixed -+ * location that ignores arg_root. */ -+ root = NULL; -+ base = workspace; -+ } -+ -+ dir_name = hierarchy_as_single_path_component(hierarchy); -+ if (!dir_name) - return log_oom(); - -- buf = strv_join(extensions, "\n"); -- if (!buf) -+ path = path_join(base, dir_name); -+ if (!path) - return log_oom(); - -- r = write_string_file(f, buf, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755); -+ if (IN_SET(arg_mutable, MUTABLE_YES, MUTABLE_AUTO)) { -+ /* If there already is a mutable directory, check if its mode matches hierarchy. Merged -+ * hierarchy will have the same mode as the mutable directory, so we want no surprising mode -+ * changes here. */ -+ r = mutable_directory_mode_matches_hierarchy(root, path, hierarchy_mode); -+ if (r < 0) -+ return r; -+ } -+ -+ if (IN_SET(arg_mutable, MUTABLE_YES, MUTABLE_EPHEMERAL, MUTABLE_EPHEMERAL_IMPORT)) { -+ _cleanup_free_ char *path_in_root = NULL; -+ -+ path_in_root = path_join(root, path); -+ if (!path_in_root) -+ return log_oom(); -+ -+ r = mkdir_p(path_in_root, 0700); -+ if (r < 0) -+ return log_error_errno(r, "Failed to create a directory '%s': %m", path_in_root); -+ } -+ -+ r = chase(path, root, CHASE_PREFIX_ROOT, &resolved_path, NULL); -+ if (r < 0 && r != -ENOENT) -+ return log_error_errno(r, "Failed to resolve mutable directory '%s': %m", path); -+ -+ *ret_resolved_mutable_directory = TAKE_PTR(resolved_path); -+ return 0; -+} -+ -+static int overlayfs_paths_new(const char *hierarchy, const char *workspace_path, OverlayFSPaths **ret_op) { -+ _cleanup_free_ char *hierarchy_copy = NULL, *resolved_hierarchy = NULL, *resolved_mutable_directory = NULL; -+ mode_t hierarchy_mode; -+ -+ int r; -+ -+ assert (hierarchy); -+ assert (ret_op); -+ -+ hierarchy_copy = strdup(hierarchy); -+ if (!hierarchy_copy) -+ return log_oom(); -+ -+ r = resolve_hierarchy(hierarchy, &resolved_hierarchy); - if (r < 0) -- return log_error_errno(r, "Failed to write extension meta file '%s': %m", f); -+ return r; - -- /* Put the meta path (i.e. our synthesized stuff) at the top of the layer stack */ -- layers = strv_new(meta_path); -- if (!layers) -+ if (resolved_hierarchy) { -+ struct stat st; -+ -+ if (stat(resolved_hierarchy, &st) < 0) -+ return log_error_errno(errno, "Failed to stat '%s': %m", resolved_hierarchy); -+ hierarchy_mode = st.st_mode & 0777; -+ } else -+ hierarchy_mode = 0755; -+ -+ r = resolve_mutable_directory(hierarchy, hierarchy_mode, workspace_path, &resolved_mutable_directory); -+ if (r < 0) -+ return r; -+ -+ OverlayFSPaths *op; -+ op = new(OverlayFSPaths, 1); -+ if (!op) - return log_oom(); - -- /* Put the extensions in the middle */ -+ *op = (OverlayFSPaths) { -+ .hierarchy = TAKE_PTR(hierarchy_copy), -+ .hierarchy_mode = hierarchy_mode, -+ .resolved_hierarchy = TAKE_PTR(resolved_hierarchy), -+ .resolved_mutable_directory = TAKE_PTR(resolved_mutable_directory), -+ }; -+ -+ *ret_op = TAKE_PTR(op); -+ return 0; -+} -+ -+static int determine_used_extensions(const char *hierarchy, char **paths, char ***ret_used_paths, size_t *ret_extensions_used) { -+ _cleanup_strv_free_ char **used_paths = NULL; -+ size_t n = 0; -+ int r; -+ -+ assert(hierarchy); -+ assert(paths); -+ assert(ret_used_paths); -+ assert(ret_extensions_used); -+ - STRV_FOREACH(p, paths) { - _cleanup_free_ char *resolved = NULL; - -@@ -591,54 +923,514 @@ static int merge_hierarchy( - continue; - } - -- r = strv_consume(&layers, TAKE_PTR(resolved)); -+ r = strv_consume_with_size (&used_paths, &n, TAKE_PTR(resolved)); - if (r < 0) - return log_oom(); - } - -- if (!layers[1]) /* No extension with files in this hierarchy? Then don't do anything. */ -+ *ret_used_paths = TAKE_PTR(used_paths); -+ *ret_extensions_used = n; -+ return 0; -+} -+ -+static int maybe_import_mutable_directory(OverlayFSPaths *op) { -+ int r; -+ -+ assert(op); -+ -+ /* If importing mutable layer and it actually exists and is not a hierarchy itself, add it just below -+ * the meta path */ -+ -+ if (arg_mutable != MUTABLE_IMPORT || !op->resolved_mutable_directory) - return 0; - -- if (resolved_hierarchy) { -- /* Add the host hierarchy as last (lowest) layer in the stack */ -- r = strv_consume(&layers, TAKE_PTR(resolved_hierarchy)); -+ r = path_equal_or_inode_same_full(op->resolved_hierarchy, op->resolved_mutable_directory, 0); -+ if (r < 0) -+ return log_error_errno(r, "Failed to check equality of hierarchy %s and its mutable directory %s: %m", op->resolved_hierarchy, op->resolved_mutable_directory); -+ if (r > 0) -+ return log_error_errno(SYNTHETIC_ERRNO(ELOOP), "Not importing mutable directory for hierarchy %s as a lower dir, because it points to the hierarchy itself", op->hierarchy); -+ -+ r = strv_extend(&op->lower_dirs, op->resolved_mutable_directory); -+ if (r < 0) -+ return log_oom(); -+ -+ return 0; -+} -+ -+static int maybe_import_ignored_mutable_directory(OverlayFSPaths *op) { -+ _cleanup_free_ char *dir_name = NULL, *path = NULL, *resolved_path = NULL; -+ int r; -+ -+ assert(op); -+ -+ /* If importing the ignored mutable layer and it actually exists and is not a hierarchy itself, add -+ * it just below the meta path */ -+ if (arg_mutable != MUTABLE_EPHEMERAL_IMPORT) -+ return 0; -+ -+ dir_name = hierarchy_as_single_path_component(op->hierarchy); -+ if (!dir_name) -+ return log_oom(); -+ -+ path = path_join(MUTABLE_EXTENSIONS_BASE_DIR, dir_name); -+ if (!path) -+ return log_oom(); -+ -+ r = chase(path, arg_root, CHASE_PREFIX_ROOT, &resolved_path, NULL); -+ if (r == -ENOENT) { -+ log_debug("Mutable directory for %s does not exist, not importing", op->hierarchy); -+ return 0; -+ } -+ if (r < 0) -+ return log_error_errno(r, "Failed to resolve mutable directory '%s': %m", path); -+ -+ r = path_equal_or_inode_same_full(op->resolved_hierarchy, resolved_path, 0); -+ if (r < 0) -+ return log_error_errno(r, "Failed to check equality of hierarchy %s and its mutable directory %s: %m", op->resolved_hierarchy, op->resolved_mutable_directory); -+ -+ if (r > 0) -+ return log_error_errno(SYNTHETIC_ERRNO(ELOOP), "Not importing mutable directory for hierarchy %s as a lower dir, because it points to the hierarchy itself", op->hierarchy); -+ -+ r = strv_consume(&op->lower_dirs, TAKE_PTR(resolved_path)); -+ if (r < 0) -+ return log_oom(); -+ -+ return 0; -+} -+ -+static int determine_top_lower_dirs(OverlayFSPaths *op, const char *meta_path) { -+ int r; -+ -+ assert(op); -+ assert(meta_path); -+ -+ /* Put the meta path (i.e. our synthesized stuff) at the top of the layer stack */ -+ r = strv_extend(&op->lower_dirs, meta_path); -+ if (r < 0) -+ return log_oom(); -+ -+ r = maybe_import_mutable_directory(op); -+ if (r < 0) -+ return r; -+ -+ r = maybe_import_ignored_mutable_directory(op); -+ if (r < 0) -+ return r; -+ -+ return 0; -+} -+ -+static int determine_middle_lower_dirs(OverlayFSPaths *op, char **paths) { -+ int r; -+ -+ assert(op); -+ assert(paths); -+ -+ /* The paths were already determined in determine_used_extensions, so we just take them as is. */ -+ r = strv_extend_strv(&op->lower_dirs, paths, false); -+ if (r < 0) -+ return log_oom (); -+ -+ return 0; -+} -+ -+static int hierarchy_as_lower_dir(OverlayFSPaths *op) { -+ int r; -+ -+ /* return 0 if hierarchy should be used as lower dir, >0, if not */ -+ -+ assert(op); -+ -+ if (!op->resolved_hierarchy) { -+ log_debug("Host hierarchy '%s' does not exist, will not be used as lowerdir", op->hierarchy); -+ return 1; -+ } -+ -+ r = dir_is_empty(op->resolved_hierarchy, /* ignore_hidden_or_backup= */ false); -+ if (r < 0) -+ return log_error_errno(r, "Failed to check if host hierarchy '%s' is empty: %m", op->resolved_hierarchy); -+ if (r > 0) { -+ log_debug("Host hierarchy '%s' is empty, will not be used as lower dir.", op->resolved_hierarchy); -+ return 1; -+ } -+ -+ if (arg_mutable == MUTABLE_IMPORT) { -+ log_debug("Mutability for host hierarchy '%s' is disabled, so host hierarchy will be a lowerdir", op->resolved_hierarchy); -+ return 0; -+ } -+ -+ if (arg_mutable == MUTABLE_EPHEMERAL_IMPORT) { -+ log_debug("Mutability for host hierarchy '%s' is ephemeral, so host hierarchy will be a lowerdir", op->resolved_hierarchy); -+ return 0; -+ } -+ -+ if (!op->resolved_mutable_directory) { -+ log_debug("No mutable directory found, so host hierarchy '%s' will be used as lowerdir", op->resolved_hierarchy); -+ return 0; -+ } -+ -+ r = path_equal_or_inode_same_full(op->resolved_hierarchy, op->resolved_mutable_directory, 0); -+ if (r < 0) -+ return log_error_errno(r, "Failed to check equality of hierarchy %s and its mutable directory %s: %m", op->resolved_hierarchy, op->resolved_mutable_directory); -+ if (r > 0) { -+ log_debug("Host hierarchy '%s' will serve as upperdir.", op->resolved_hierarchy); -+ return 1; -+ } -+ -+ return 0; -+} -+ -+static int determine_bottom_lower_dirs(OverlayFSPaths *op) { -+ int r; -+ -+ assert(op); -+ -+ r = hierarchy_as_lower_dir(op); -+ if (r < 0) -+ return r; -+ if (!r) { -+ r = strv_extend(&op->lower_dirs, op->resolved_hierarchy); - if (r < 0) - return log_oom(); - } - -+ return 0; -+} -+ -+static int determine_lower_dirs( -+ OverlayFSPaths *op, -+ char **paths, -+ const char *meta_path) { -+ -+ int r; -+ -+ assert(op); -+ assert(paths); -+ assert(meta_path); -+ -+ r = determine_top_lower_dirs(op, meta_path); -+ if (r < 0) -+ return r; -+ -+ r = determine_middle_lower_dirs(op, paths); -+ if (r < 0) -+ return r; -+ -+ r = determine_bottom_lower_dirs(op); -+ if (r < 0) -+ return r; -+ -+ return 0; -+} -+ -+static int determine_upper_dir(OverlayFSPaths *op) { -+ int r; -+ -+ assert(op); -+ assert(!op->upper_dir); -+ -+ if (arg_mutable == MUTABLE_IMPORT) { -+ log_debug("Mutability is disabled, there will be no upperdir for host hierarchy '%s'", op->hierarchy); -+ return 0; -+ } -+ -+ if (!op->resolved_mutable_directory) { -+ log_debug("No mutable directory found for host hierarchy '%s', there will be no upperdir", op->hierarchy); -+ return 0; -+ } -+ -+ /* Require upper dir to be on writable filesystem if it's going to be used as an actual overlayfs -+ * upperdir, instead of a lowerdir as an imported path. */ -+ r = path_is_read_only_fs(op->resolved_mutable_directory); -+ if (r < 0) -+ return log_error_errno(r, "Failed to determine if mutable directory '%s' is on read-only filesystem: %m", op->resolved_mutable_directory); -+ if (r > 0) -+ return log_error_errno(SYNTHETIC_ERRNO(EROFS), "Can't use '%s' as an upperdir as it is read-only.", op->resolved_mutable_directory); -+ -+ op->upper_dir = strdup(op->resolved_mutable_directory); -+ if (!op->upper_dir) -+ return log_oom(); -+ -+ return 0; -+} -+ -+static int determine_work_dir(OverlayFSPaths *op) { -+ _cleanup_free_ char *work_dir = NULL; -+ int r; -+ -+ assert(op); -+ assert(!op->work_dir); -+ -+ if (!op->upper_dir) -+ return 0; -+ -+ if (arg_mutable == MUTABLE_IMPORT) -+ return 0; -+ -+ r = work_dir_for_hierarchy(op->hierarchy, op->upper_dir, &work_dir); -+ if (r < 0) -+ return r; -+ -+ op->work_dir = TAKE_PTR(work_dir); -+ return 0; -+} -+ -+static int mount_overlayfs_with_op( -+ OverlayFSPaths *op, -+ ImageClass image_class, -+ int noexec, -+ const char *overlay_path, -+ const char *meta_path) { -+ -+ int r; -+ const char *top_layer = NULL; -+ -+ assert(op); -+ assert(overlay_path); -+ - r = mkdir_p(overlay_path, 0700); - if (r < 0) - return log_error_errno(r, "Failed to make directory '%s': %m", overlay_path); - -- r = mount_overlayfs(image_class, noexec, overlay_path, layers); -+ r = mkdir_p(meta_path, 0700); -+ if (r < 0) -+ return log_error_errno(r, "Failed to make directory '%s': %m", meta_path); -+ -+ if (op->upper_dir && op->work_dir) { -+ r = mkdir_p(op->work_dir, 0700); -+ if (r < 0) -+ return log_error_errno(r, "Failed to make directory '%s': %m", op->work_dir); -+ top_layer = op->upper_dir; -+ } else { -+ assert(!strv_isempty(op->lower_dirs)); -+ top_layer = op->lower_dirs[0]; -+ } -+ -+ /* Overlayfs merged directory has the same mode as the top layer (either first lowerdir in options in -+ * read-only case, or upperdir for mutable case. Set up top overlayfs layer to the same mode as the -+ * unmerged hierarchy, otherwise we might end up with merged hierarchy owned by root and with mode -+ * being 0700. */ -+ if (chmod(top_layer, op->hierarchy_mode) < 0) -+ return log_error_errno(errno, "Failed to set permissions of '%s' to %04o: %m", top_layer, op->hierarchy_mode); -+ -+ r = mount_overlayfs(image_class, noexec, overlay_path, op->lower_dirs, op->upper_dir, op->work_dir); - if (r < 0) - return r; - -- /* The overlayfs superblock is read-only. Let's also mark the bind mount read-only. Extra turbo safety 😎 */ -- r = bind_remount_recursive(overlay_path, MS_RDONLY, MS_RDONLY, NULL); -+ return 0; -+} -+ -+static int write_extensions_file(ImageClass image_class, char **extensions, const char *meta_path) { -+ _cleanup_free_ char *f = NULL, *buf = NULL; -+ int r; -+ -+ assert(extensions); -+ assert(meta_path); -+ -+ /* Let's generate a metadata file that lists all extensions we took into account for this -+ * hierarchy. We include this in the final fs, to make things nicely discoverable and -+ * recognizable. */ -+ f = path_join(meta_path, image_class_info[image_class].dot_directory_name, image_class_info[image_class].short_identifier_plural); -+ if (!f) -+ return log_oom(); -+ -+ buf = strv_join(extensions, "\n"); -+ if (!buf) -+ return log_oom(); -+ -+ r = write_string_file(f, buf, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755); - if (r < 0) -- return log_error_errno(r, "Failed to make bind mount '%s' read-only: %m", overlay_path); -+ return log_error_errno(r, "Failed to write extension meta file '%s': %m", f); -+ -+ return 0; -+} -+ -+static int write_dev_file(ImageClass image_class, const char *meta_path, const char *overlay_path) { -+ _cleanup_free_ char *f = NULL; -+ struct stat st; -+ int r; -+ -+ assert(meta_path); -+ assert(overlay_path); - - /* Now we have mounted the new file system. Let's now figure out its .st_dev field, and make that - * available in the metadata directory. This is useful to detect whether the metadata dir actually - * belongs to the fs it is found on: if .st_dev of the top-level mount matches it, it's pretty likely - * we are looking at a live tree, and not an unpacked tar or so of one. */ - if (stat(overlay_path, &st) < 0) -- return log_error_errno(r, "Failed to stat mount '%s': %m", overlay_path); -+ return log_error_errno(errno, "Failed to stat mount '%s': %m", overlay_path); - -- free(f); - f = path_join(meta_path, image_class_info[image_class].dot_directory_name, "dev"); - if (!f) - return log_oom(); - -+ /* Modifying the underlying layers while the overlayfs is mounted is technically undefined, but at -+ * least it won't crash or deadlock, as per the kernel docs about overlayfs: -+ * https://www.kernel.org/doc/html/latest/filesystems/overlayfs.html#changes-to-underlying-filesystems */ - r = write_string_file(f, FORMAT_DEVNUM(st.st_dev), WRITE_STRING_FILE_CREATE); - if (r < 0) - return log_error_errno(r, "Failed to write '%s': %m", f); - -+ return 0; -+} -+ -+static int write_work_dir_file(ImageClass image_class, const char *meta_path, const char *work_dir) { -+ _cleanup_free_ char *escaped_work_dir_in_root = NULL, *f = NULL; -+ char *work_dir_in_root = NULL; -+ int r; -+ -+ assert(meta_path); -+ -+ if (!work_dir) -+ return 0; -+ -+ /* Do not store work dir path for ephemeral mode, it will be gone once this process is done. */ -+ if (IN_SET(arg_mutable, MUTABLE_EPHEMERAL, MUTABLE_EPHEMERAL_IMPORT)) -+ return 0; -+ -+ work_dir_in_root = path_startswith(work_dir, empty_to_root(arg_root)); -+ if (!work_dir_in_root) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Workdir '%s' must not be outside root '%s'", work_dir, empty_to_root(arg_root)); -+ -+ f = path_join(meta_path, image_class_info[image_class].dot_directory_name, "work_dir"); -+ if (!f) -+ return log_oom(); -+ -+ /* Paths can have newlines for whatever reason, so better escape them to really get a single -+ * line file. */ -+ escaped_work_dir_in_root = cescape(work_dir_in_root); -+ if (!escaped_work_dir_in_root) -+ return log_oom(); -+ r = write_string_file(f, escaped_work_dir_in_root, WRITE_STRING_FILE_CREATE); -+ if (r < 0) -+ return log_error_errno(r, "Failed to write '%s': %m", f); -+ -+ return 0; -+} -+ -+static int store_info_in_meta( -+ ImageClass image_class, -+ char **extensions, -+ const char *meta_path, -+ const char *overlay_path, -+ const char *work_dir) { -+ -+ int r; -+ -+ assert(extensions); -+ assert(meta_path); -+ assert(overlay_path); -+ /* work_dir may be NULL */ -+ -+ r = write_extensions_file(image_class, extensions, meta_path); -+ if (r < 0) -+ return r; -+ -+ r = write_dev_file(image_class, meta_path, overlay_path); -+ if (r < 0) -+ return r; -+ -+ r = write_work_dir_file(image_class, meta_path, work_dir); -+ if (r < 0) -+ return r; -+ - /* Make sure the top-level dir has an mtime marking the point we established the merge */ - if (utimensat(AT_FDCWD, meta_path, NULL, AT_SYMLINK_NOFOLLOW) < 0) - return log_error_errno(r, "Failed fix mtime of '%s': %m", meta_path); - -+ return 0; -+} -+ -+static int make_mounts_read_only(ImageClass image_class, const char *overlay_path, bool mutable) { -+ int r; -+ -+ assert(overlay_path); -+ -+ if (mutable) { -+ /* Bind mount the meta path as read-only on mutable overlays to avoid accidental -+ * modifications of the contents of meta directory, which could lead to systemd thinking that -+ * this hierarchy is not our mount. */ -+ _cleanup_free_ char *f = NULL; -+ -+ f = path_join(overlay_path, image_class_info[image_class].dot_directory_name); -+ if (!f) -+ return log_oom(); -+ -+ r = mount_nofollow_verbose(LOG_ERR, f, f, NULL, MS_BIND, NULL); -+ if (r < 0) -+ return r; -+ -+ r = bind_remount_one(f, MS_RDONLY, MS_RDONLY); -+ if (r < 0) -+ return log_error_errno(r, "Failed to remount '%s' as read-only: %m", f); -+ } else { -+ /* The overlayfs superblock is read-only. Let's also mark the bind mount read-only. Extra -+ * turbo safety 😎 */ -+ r = bind_remount_recursive(overlay_path, MS_RDONLY, MS_RDONLY, NULL); -+ if (r < 0) -+ return log_error_errno(r, "Failed to make bind mount '%s' read-only: %m", overlay_path); -+ } -+ -+ return 0; -+} -+ -+static int merge_hierarchy( -+ ImageClass image_class, -+ const char *hierarchy, -+ int noexec, -+ char **extensions, -+ char **paths, -+ const char *meta_path, -+ const char *overlay_path, -+ const char *workspace_path) { -+ -+ _cleanup_(overlayfs_paths_freep) OverlayFSPaths *op = NULL; -+ _cleanup_strv_free_ char **used_paths = NULL; -+ size_t extensions_used = 0; -+ int r; -+ -+ assert(hierarchy); -+ assert(extensions); -+ assert(paths); -+ assert(meta_path); -+ assert(overlay_path); -+ assert(workspace_path); -+ -+ r = determine_used_extensions(hierarchy, paths, &used_paths, &extensions_used); -+ if (r < 0) -+ return r; -+ -+ if (extensions_used == 0) /* No extension with files in this hierarchy? Then don't do anything. */ -+ return 0; -+ -+ r = overlayfs_paths_new(hierarchy, workspace_path, &op); -+ if (r < 0) -+ return r; -+ -+ r = determine_lower_dirs(op, used_paths, meta_path); -+ if (r < 0) -+ return r; -+ -+ r = determine_upper_dir(op); -+ if (r < 0) -+ return r; -+ -+ r = determine_work_dir(op); -+ if (r < 0) -+ return r; -+ -+ r = mount_overlayfs_with_op(op, image_class, noexec, overlay_path, meta_path); -+ if (r < 0) -+ return r; -+ -+ r = store_info_in_meta(image_class, extensions, meta_path, overlay_path, op->work_dir); -+ if (r < 0) -+ return r; -+ -+ r = make_mounts_read_only(image_class, overlay_path, op->upper_dir && op->work_dir); -+ if (r < 0) -+ return r; -+ - return 1; - } - -@@ -908,7 +1700,7 @@ static int merge_subprocess( - - /* Create overlayfs mounts for all hierarchies */ - STRV_FOREACH(h, hierarchies) { -- _cleanup_free_ char *meta_path = NULL, *overlay_path = NULL; -+ _cleanup_free_ char *meta_path = NULL, *overlay_path = NULL, *merge_hierarchy_workspace = NULL; - - meta_path = path_join(workspace, "meta", *h); /* The place where to store metadata about this instance */ - if (!meta_path) -@@ -918,6 +1710,11 @@ static int merge_subprocess( - if (!overlay_path) - return log_oom(); - -+ /* Temporary directory for merge_hierarchy needs, like ephemeral directories. */ -+ merge_hierarchy_workspace = path_join(workspace, "mh_workspace", *h); -+ if (!merge_hierarchy_workspace) -+ return log_oom(); -+ - r = merge_hierarchy( - image_class, - *h, -@@ -925,7 +1722,8 @@ static int merge_subprocess( - extensions, - paths, - meta_path, -- overlay_path); -+ overlay_path, -+ merge_hierarchy_workspace); - if (r < 0) - return r; - } -@@ -954,7 +1752,8 @@ static int merge_subprocess( - if (r < 0) - return log_error_errno(r, "Failed to create hierarchy mount point '%s': %m", resolved); - -- r = mount_nofollow_verbose(LOG_ERR, p, resolved, NULL, MS_BIND, NULL); -+ /* Using MS_REC to potentially bring in our read-only bind mount of metadata. */ -+ r = mount_nofollow_verbose(LOG_ERR, p, resolved, NULL, MS_BIND|MS_REC, NULL); - if (r < 0) - return r; - -@@ -992,9 +1791,10 @@ static int merge(ImageClass image_class, - r = wait_for_terminate_and_check("(sd-merge)", pid, WAIT_LOG_ABNORMAL); - if (r < 0) - return r; -- - if (r == 123) /* exit code 123 means: didn't do anything */ - return 0; -+ if (r > 0) -+ return log_error_errno(SYNTHETIC_ERRNO(EPROTO), "Failed to merge hierarchies"); - - r = need_reload(image_class, hierarchies, no_reload); - if (r < 0) -@@ -1373,6 +2173,8 @@ static int verb_help(int argc, char **argv, void *userdata) { - " -h --help Show this help\n" - " --version Show package version\n" - "\n%3$sOptions:%4$s\n" -+ " --mutable=yes|no|auto|import|ephemeral|ephemeral-import\n" -+ " Specify a mutability mode of the merged hierarchy\n" - " --no-pager Do not pipe output into a pager\n" - " --no-legend Do not show the headers and footers\n" - " --root=PATH Operate relative to root path\n" -@@ -1406,6 +2208,7 @@ static int parse_argv(int argc, char *argv[]) { - ARG_IMAGE_POLICY, - ARG_NOEXEC, - ARG_NO_RELOAD, -+ ARG_MUTABLE, - }; - - static const struct option options[] = { -@@ -1419,6 +2222,7 @@ static int parse_argv(int argc, char *argv[]) { - { "image-policy", required_argument, NULL, ARG_IMAGE_POLICY }, - { "noexec", required_argument, NULL, ARG_NOEXEC }, - { "no-reload", no_argument, NULL, ARG_NO_RELOAD }, -+ { "mutable", required_argument, NULL, ARG_MUTABLE }, - {} - }; - -@@ -1482,6 +2286,13 @@ static int parse_argv(int argc, char *argv[]) { - arg_no_reload = true; - break; - -+ case ARG_MUTABLE: -+ r = parse_mutable_mode(optarg); -+ if (r < 0) -+ return log_error_errno(r, "Failed to parse argument to --mutable=: %s", optarg); -+ arg_mutable = r; -+ break; -+ - case '?': - return -EINVAL; - -@@ -1514,12 +2325,23 @@ static int sysext_main(int argc, char *argv[]) { - } - - static int run(int argc, char *argv[]) { -+ const char *env_var; - int r; - - log_setup(); - - arg_image_class = invoked_as(argv, "systemd-confext") ? IMAGE_CONFEXT : IMAGE_SYSEXT; - -+ env_var = getenv(image_class_info[arg_image_class].mode_env); -+ if (env_var) { -+ r = parse_mutable_mode(env_var); -+ if (r < 0) -+ log_warning("Failed to parse %s environment variable value '%s'. Ignoring.", -+ image_class_info[arg_image_class].mode_env, env_var); -+ else -+ arg_mutable = r; -+ } -+ - r = parse_argv(argc, argv); - if (r <= 0) - return r; --- -2.34.1 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0010-network-netdev-also-check-ifindex-iftype-and-kind-wh.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0010-network-netdev-also-check-ifindex-iftype-and-kind-wh.patch deleted file mode 100644 index bcdf2a3f759..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0010-network-netdev-also-check-ifindex-iftype-and-kind-wh.patch +++ /dev/null @@ -1,119 +0,0 @@ -From 7136aa7db4423432392a0fe6055c48a922a4aad4 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Tue, 10 Sep 2024 00:12:41 +0900 -Subject: [PATCH] network/netdev: also check ifindex, iftype, and kind when - assigning NetDev to Link - -Even when a NetDev object with the same name found, its iftype or kind -may be different. For safety, let's also check them. - -(cherry picked from commit 1788c3462853e8bb955ff656007e20f402dd9af2) - -Signed-off-by: Jeremi Piotrowski ---- - src/network/netdev/netdev.c | 37 +++++++++++++++++++++++++++++++++++++ - src/network/netdev/netdev.h | 1 + - src/network/networkd-link.c | 10 ++-------- - 3 files changed, 40 insertions(+), 8 deletions(-) - -diff --git a/src/network/netdev/netdev.c b/src/network/netdev/netdev.c -index 2b411425ba..9a528137ea 100644 ---- a/src/network/netdev/netdev.c -+++ b/src/network/netdev/netdev.c -@@ -265,6 +265,43 @@ int netdev_get(Manager *manager, const char *name, NetDev **ret) { - return 0; - } - -+void link_assign_netdev(Link *link) { -+ _unused_ _cleanup_(netdev_unrefp) NetDev *old = NULL; -+ NetDev *netdev; -+ -+ assert(link); -+ assert(link->manager); -+ assert(link->ifname); -+ -+ old = TAKE_PTR(link->netdev); -+ -+ if (netdev_get(link->manager, link->ifname, &netdev) < 0) -+ return; -+ -+ if (netdev->ifindex != link->ifindex) -+ return; -+ -+ if (NETDEV_VTABLE(netdev)->iftype != link->iftype) -+ return; -+ -+ if (!NETDEV_VTABLE(netdev)->skip_netdev_kind_check) { -+ const char *kind; -+ -+ if (netdev->kind == NETDEV_KIND_TAP) -+ kind = "tun"; /* the kernel does not distinguish between tun and tap */ -+ else -+ kind = netdev_kind_to_string(netdev->kind); -+ -+ if (!streq_ptr(kind, link->kind)) -+ return; -+ } -+ -+ link->netdev = netdev_ref(netdev); -+ -+ if (netdev != old) -+ log_link_debug(link, "Found matching .netdev file: %s", netdev->filename); -+} -+ - void netdev_enter_failed(NetDev *netdev) { - netdev->state = NETDEV_STATE_FAILED; - } -diff --git a/src/network/netdev/netdev.h b/src/network/netdev/netdev.h -index cb8cc8c6a9..1a03a9b592 100644 ---- a/src/network/netdev/netdev.h -+++ b/src/network/netdev/netdev.h -@@ -206,6 +206,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(NetDev*, netdev_unref); - - bool netdev_is_managed(NetDev *netdev); - int netdev_get(Manager *manager, const char *name, NetDev **ret); -+void link_assign_netdev(Link *link); - int netdev_set_ifindex(NetDev *netdev, sd_netlink_message *newlink); - int netdev_generate_hw_addr(NetDev *netdev, Link *link, const char *name, - const struct hw_addr_data *hw_addr, struct hw_addr_data *ret); -diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c -index 8f21504d92..c3a5dc1f0d 100644 ---- a/src/network/networkd-link.c -+++ b/src/network/networkd-link.c -@@ -1317,7 +1317,6 @@ static int link_get_network(Link *link, Network **ret) { - - int link_reconfigure_impl(Link *link, bool force) { - Network *network = NULL; -- NetDev *netdev = NULL; - int r; - - assert(link); -@@ -1326,13 +1325,11 @@ int link_reconfigure_impl(Link *link, bool force) { - if (link->manager->state != MANAGER_RUNNING) - return 0; - -+ link_assign_netdev(link); -+ - if (IN_SET(link->state, LINK_STATE_PENDING, LINK_STATE_LINGER)) - return 0; - -- r = netdev_get(link->manager, link->ifname, &netdev); -- if (r < 0 && r != -ENOENT) -- return r; -- - r = link_get_network(link, &network); - if (r < 0 && r != -ENOENT) - return r; -@@ -1397,9 +1394,6 @@ int link_reconfigure_impl(Link *link, bool force) { - link_free_engines(link); - link->network = network_unref(link->network); - -- netdev_unref(link->netdev); -- link->netdev = netdev_ref(netdev); -- - if (!network) { - link_set_state(link, LINK_STATE_UNMANAGED); - return 0; --- -2.39.5 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0011-network-also-check-ID_NET_MANAGED_BY-property-on-rec.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0011-network-also-check-ID_NET_MANAGED_BY-property-on-rec.patch deleted file mode 100644 index 3ab34f08b67..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0011-network-also-check-ID_NET_MANAGED_BY-property-on-rec.patch +++ /dev/null @@ -1,146 +0,0 @@ -From 916523aabc7fcb3b5b9362100a5e3417aae00cb2 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Wed, 11 Jun 2025 18:05:46 +0900 -Subject: [PATCH] network: also check ID_NET_MANAGED_BY property on - reconfigure - -Previously, the property was checked only when an uevent is received, -so even if an interface has ID_NET_MANAGED_BY property, the interface -will be configured by networkd when reconfiguration is triggered e.g. -when interface state is changed. - -Follow-up for ba87a61d05d637be9f0b21707f7fe3b0a74c5a05. -Fixes #36997. - -(cherry picked from commit 78f8d5ed71ecc16ad36d1c215d2d57433d127679) - -Signed-off-by: Jeremi Piotrowski ---- - src/network/networkd-link.c | 44 ++++++++++++++----- - .../test-network/conf/11-dummy-unmanaged.link | 8 ++++ - test/test-network/systemd-networkd-tests.py | 11 +++++ - 3 files changed, 53 insertions(+), 10 deletions(-) - create mode 100644 test/test-network/conf/11-dummy-unmanaged.link - -diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c -index c3a5dc1f0d..3ed1584807 100644 ---- a/src/network/networkd-link.c -+++ b/src/network/networkd-link.c -@@ -1315,6 +1315,32 @@ static int link_get_network(Link *link, Network **ret) { - return -ENOENT; - } - -+static int link_managed_by_us(Link *link) { -+ int r; -+ -+ assert(link); -+ -+ if (!link->dev) -+ return true; -+ -+ const char *s; -+ r = sd_device_get_property_value(link->dev, "ID_NET_MANAGED_BY", &s); -+ if (r == -ENOENT) -+ return true; -+ if (r < 0) -+ return log_link_warning_errno(link, r, "Failed to get ID_NET_MANAGED_BY udev property: %m"); -+ -+ if (streq(s, "io.systemd.Network")) -+ return true; -+ -+ if (link->state == LINK_STATE_UNMANAGED) -+ return false; /* Already in unmanaged state */ -+ -+ log_link_debug(link, "Interface is requested to be managed by '%s', unmanaging the interface.", s); -+ link_set_state(link, LINK_STATE_UNMANAGED); -+ return false; -+} -+ - int link_reconfigure_impl(Link *link, bool force) { - Network *network = NULL; - int r; -@@ -1330,6 +1356,10 @@ int link_reconfigure_impl(Link *link, bool force) { - if (IN_SET(link->state, LINK_STATE_PENDING, LINK_STATE_LINGER)) - return 0; - -+ r = link_managed_by_us(link); -+ if (r <= 0) -+ return r; -+ - r = link_get_network(link, &network); - if (r < 0 && r != -ENOENT) - return r; -@@ -1584,6 +1614,10 @@ static int link_initialized(Link *link, sd_device *device) { - * or sysattrs) may be outdated. */ - device_unref_and_replace(link->dev, device); - -+ r = link_managed_by_us(link); -+ if (r <= 0) -+ return r; -+ - if (link->dhcp_client) { - r = sd_dhcp_client_attach_device(link->dhcp_client, link->dev); - if (r < 0) -@@ -1651,7 +1685,6 @@ static int link_check_initialized(Link *link) { - - int manager_udev_process_link(Manager *m, sd_device *device, sd_device_action_t action) { - int r, ifindex; -- const char *s; - Link *link; - - assert(m); -@@ -1686,15 +1719,6 @@ int manager_udev_process_link(Manager *m, sd_device *device, sd_device_action_t - return 0; - } - -- r = sd_device_get_property_value(device, "ID_NET_MANAGED_BY", &s); -- if (r < 0 && r != -ENOENT) -- log_device_debug_errno(device, r, "Failed to get ID_NET_MANAGED_BY udev property, ignoring: %m"); -- if (r >= 0 && !streq(s, "io.systemd.Network")) { -- log_device_debug(device, "Interface is requested to be managed by '%s', not managing the interface.", s); -- link_set_state(link, LINK_STATE_UNMANAGED); -- return 0; -- } -- - r = link_initialized(link, device); - if (r < 0) - link_enter_failed(link); -diff --git a/test/test-network/conf/11-dummy-unmanaged.link b/test/test-network/conf/11-dummy-unmanaged.link -new file mode 100644 -index 0000000000..99c07a72ce ---- /dev/null -+++ b/test/test-network/conf/11-dummy-unmanaged.link -@@ -0,0 +1,8 @@ -+# SPDX-License-Identifier: MIT-0 -+[Match] -+Kind=dummy -+OriginalName=test1 -+ -+[Link] -+NamePolicy=keep -+Property=ID_NET_MANAGED_BY=hoge -diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py -index d8acf538f0..391d219de8 100755 ---- a/test/test-network/systemd-networkd-tests.py -+++ b/test/test-network/systemd-networkd-tests.py -@@ -2735,6 +2735,17 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): - def tearDown(self): - tear_down_common() - -+ def test_ID_NET_MANAGED_BY(self): -+ copy_network_unit('11-dummy.netdev', '11-dummy-unmanaged.link', '11-dummy.network') -+ start_networkd() -+ self.wait_online('test1:off', setup_state='unmanaged') -+ -+ check_output('ip link set dev test1 up') -+ self.wait_online('test1:degraded', setup_state='unmanaged') -+ -+ check_output('ip link set dev test1 down') -+ self.wait_online('test1:off', setup_state='unmanaged') -+ - def verify_address_static( - self, - label1: str, --- -2.39.5 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/256-bpf-gcc.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/256-bpf-gcc.patch deleted file mode 100644 index 0570695d397..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/256-bpf-gcc.patch +++ /dev/null @@ -1,26 +0,0 @@ -https://github.com/systemd/systemd/commit/dde6f1d7456db7aa72d24b1d6956b419b6f9945c - -From dde6f1d7456db7aa72d24b1d6956b419b6f9945c Mon Sep 17 00:00:00 2001 -From: Sam James -Date: Sat, 24 Aug 2024 13:09:47 +0100 -Subject: [PATCH] meson: search for 'bpf-unknown-none' too - -We currently search for 'bpf-gcc' and 'bpf-none-gcc'. Gentoo's -sys-devel/bpf-toolchain package uses 'bpf-unknown-none-gcc', as does Fedora's -cross-binutils. Search for this name too. ---- - meson.build | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/meson.build b/meson.build -index 5e0b666c64b17..fbc2bbdf2f22f 100644 ---- a/meson.build -+++ b/meson.build -@@ -1109,6 +1109,7 @@ else - elif bpf_compiler == 'gcc' - bpf_gcc = find_program('bpf-gcc', - 'bpf-none-gcc', -+ 'bpf-unknown-none-gcc', - required : true, - version : '>= 13.1.0') - bpf_gcc_found = bpf_gcc.found() diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-257-cred-util-tpm2.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-257-cred-util-tpm2.patch new file mode 100644 index 00000000000..a4f798dc4e2 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-257-cred-util-tpm2.patch @@ -0,0 +1,69 @@ +https://bugs.gentoo.org/956681 +https://github.com/systemd/systemd/pull/37017 + +From fd9c4b4f49990f0656092035464b85256a0ba6e3 Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Fri, 4 Apr 2025 21:40:41 -0700 +Subject: [PATCH] shared/cred-util: Ensure TPM code is used with HAVE_TPM2 + guards +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Building with no TPM2 we end up with following error + +/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10: note: in a call to built-in function ‘__builtin___memcpy_chk’ +In function ‘memcpy’, + inlined from ‘encrypt_credential_and_warn’ at ../git/src/shared/creds-util.c:1091:17: +/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10: error: argument 2 null where non-null expected [-Werror=nonnull] + 29 | return __builtin___memcpy_chk (__dest, __src, __len, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 30 | __glibc_objsize0 (__dest)); + | ~~~~~~~~~~~~~~~~~~~~~~~~~~ +/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10: note: in a call to built-in function ‘__builtin___memcpy_chk’ +cc1: some warnings being treated as errors 29 | return __builtin___memcpy_chk (__dest, __src, __len, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 30 | __glibc_objsize0 (__dest)); + | ~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This is because code referencing tpm2 data structures is still used while the +initialization of the function has been compiled out since its conditional on HAVE_TPM2 + +We add needed guards in places where it is missing to fix this problem + +Signed-off-by: Khem Raj +--- + src/shared/creds-util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c +index ca8e15d4c9d1e..e074c8b24680a 100644 +--- a/src/shared/creds-util.c ++++ b/src/shared/creds-util.c +@@ -804,7 +804,9 @@ int encrypt_credential_and_warn( + _cleanup_(iovec_done_erase) struct iovec tpm2_key = {}, output = {}, host_key = {}; + _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL; + _cleanup_free_ struct metadata_credential_header *m = NULL; ++#if HAVE_TPM2 + uint16_t tpm2_pcr_bank = 0, tpm2_primary_alg = 0; ++#endif + struct encrypted_credential_header *h; + int ksz, bsz, ivsz, tsz, added, r; + uint8_t md[SHA256_DIGEST_LENGTH]; +@@ -1078,6 +1080,7 @@ int encrypt_credential_and_warn( + + p = ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz); + ++#if HAVE_TPM2 + if (iovec_is_set(&tpm2_key)) { + struct tpm2_credential_header *t; + +@@ -1092,7 +1095,7 @@ int encrypt_credential_and_warn( + + p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob.iov_len + tpm2_policy_hash.iov_len); + } +- ++#endif + if (iovec_is_set(&pubkey)) { + struct tpm2_public_key_credential_header *z; + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf index 2b72383153a..8a5df37ce26 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf @@ -1,10 +1,2 @@ -# The list of directories is taken from Gentoo ebuild, where they use -# keepdir. The list isn't sorted, but tries to preserve the order of -# keepdir lines from Gentoo ebuild for easier comparisons. We skip the -# directories in /usr, though. -d /var/lib/systemd - - - - - -d /var/log/journal - - - - - -d /etc/sysctl.d - - - - - - # This seems to be our own addition. d /var/log/journal/remote - systemd-journal-remote systemd-journal-remote - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r1.ebuild deleted file mode 100644 index ed6aaf1aaa5..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r1.ebuild +++ /dev/null @@ -1,773 +0,0 @@ -# Copyright 2011-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 -PYTHON_COMPAT=( python3_{10..13} ) - -# Avoid QA warnings -TMPFILES_OPTIONAL=1 -UDEV_OPTIONAL=1 - -QA_PKGCONFIG_VERSION=$(ver_cut 1) - -if [[ ${PV} == 9999 ]]; then - EGIT_REPO_URI="https://github.com/systemd/systemd.git" - inherit git-r3 -else - MY_PV=${PV/_/-} - MY_P=${PN}-${MY_PV} - S=${WORKDIR}/${MY_P} - SRC_URI="https://github.com/systemd/${PN}/archive/refs/tags/v${MY_PV}.tar.gz -> ${MY_P}.tar.gz" - - if [[ ${PV} != *rc* ]] ; then - # Flatcar: mark as stable - KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" - fi -fi - -inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1 -inherit secureboot systemd tmpfiles toolchain-funcs udev - -DESCRIPTION="System and service manager for Linux" -HOMEPAGE="https://systemd.io/" - -LICENSE="GPL-2 LGPL-2.1 MIT public-domain" -SLOT="0/2" -IUSE=" - acl apparmor audit boot bpf cgroup-hybrid cryptsetup curl +dns-over-tls elfutils - fido2 +gcrypt gnutls homed http idn importd iptables +kernel-install +kmod - +lz4 lzma +openssl pam pcre pkcs11 policykit pwquality qrcode - +resolvconf +seccomp selinux split-usr +sysv-utils test tpm ukify vanilla xkb +zstd -" -REQUIRED_USE=" - ${PYTHON_REQUIRED_USE} - dns-over-tls? ( || ( gnutls openssl ) ) - fido2? ( cryptsetup openssl ) - homed? ( cryptsetup pam openssl ) - importd? ( curl lzma || ( gcrypt openssl ) ) - pwquality? ( homed ) - boot? ( kernel-install ) - ukify? ( boot ) -" -RESTRICT="!test? ( test )" - -MINKV="4.15" - -COMMON_DEPEND=" - >=sys-apps/util-linux-2.32:0=[${MULTILIB_USEDEP}] - sys-libs/libcap:0=[${MULTILIB_USEDEP}] - virtual/libcrypt:=[${MULTILIB_USEDEP}] - acl? ( sys-apps/acl:0= ) - apparmor? ( >=sys-libs/libapparmor-2.13:0= ) - audit? ( >=sys-process/audit-2:0= ) - bpf? ( >=dev-libs/libbpf-1.4.0:0= ) - cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= ) - curl? ( >=net-misc/curl-7.32.0:0= ) - elfutils? ( >=dev-libs/elfutils-0.158:0= ) - fido2? ( dev-libs/libfido2:0= ) - gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) - gnutls? ( >=net-libs/gnutls-3.6.0:0= ) - http? ( >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] ) - idn? ( net-dns/libidn2:= ) - importd? ( - app-arch/bzip2:0= - sys-libs/zlib:0= - ) - kmod? ( >=sys-apps/kmod-15:0= ) - lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] ) - lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] ) - iptables? ( net-firewall/iptables:0= ) - openssl? ( >=dev-libs/openssl-1.1.0:0= ) - pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] ) - pkcs11? ( >=app-crypt/p11-kit-0.23.3:0= ) - pcre? ( dev-libs/libpcre2 ) - pwquality? ( >=dev-libs/libpwquality-1.4.1:0= ) - qrcode? ( >=media-gfx/qrencode-3:0= ) - seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) - selinux? ( >=sys-libs/libselinux-2.1.9:0= ) - tpm? ( app-crypt/tpm2-tss:0= ) - xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= ) - zstd? ( >=app-arch/zstd-1.4.0:0=[${MULTILIB_USEDEP}] ) -" - -# Newer linux-headers needed by ia64, bug #480218 -DEPEND="${COMMON_DEPEND} - >=sys-kernel/linux-headers-${MINKV} -" - -PEFILE_DEPEND='dev-python/pefile[${PYTHON_USEDEP}]' - -# baselayout-2.2 has /run -# -# Flatcar: Drop sec-policy/selinux-ntp from deps (under selinux use -# flag). The image stage fails with "Failed to resolve -# typeattributeset statement at -# /var/lib/selinux/mcs/tmp/modules/400/ntp/cil:120" -# -# Flatcar: Added a dep on sys-apps/kbd. It provides a loadkeys binary -# needed by dracut's systemd-vconsole-setup module. -RDEPEND="${COMMON_DEPEND} - >=acct-group/adm-0-r1 - >=acct-group/wheel-0-r1 - >=acct-group/kmem-0-r1 - >=acct-group/tty-0-r1 - >=acct-group/utmp-0-r1 - >=acct-group/audio-0-r1 - >=acct-group/cdrom-0-r1 - >=acct-group/dialout-0-r1 - >=acct-group/disk-0-r1 - >=acct-group/input-0-r1 - >=acct-group/kvm-0-r1 - >=acct-group/lp-0-r1 - >=acct-group/render-0-r1 - acct-group/sgx - >=acct-group/tape-0-r1 - acct-group/users - >=acct-group/video-0-r1 - >=acct-group/systemd-journal-0-r1 - >=acct-user/root-0-r1 - acct-user/nobody - >=acct-user/systemd-journal-remote-0-r1 - >=acct-user/systemd-coredump-0-r1 - >=acct-user/systemd-network-0-r1 - acct-user/systemd-oom - >=acct-user/systemd-resolve-0-r1 - >=acct-user/systemd-timesync-0-r1 - >=sys-apps/baselayout-2.2 - sys-apps/kbd - ukify? ( - ${PYTHON_DEPS} - $(python_gen_cond_dep "${PEFILE_DEPEND}") - ) - selinux? ( - sec-policy/selinux-base-policy[systemd] - ) - sysv-utils? ( - !sys-apps/openrc[sysv-utils(-)] - !sys-apps/openrc-navi[sysv-utils(-)] - !sys-apps/sysvinit - ) - !sysv-utils? ( sys-apps/sysvinit ) - resolvconf? ( !net-dns/openresolv ) - !sys-auth/nss-myhostname - !sys-fs/eudev - !sys-fs/udev -" - -# sys-apps/dbus: the daemon only (+ build-time lib dep for tests) -PDEPEND=">=sys-apps/dbus-1.9.8[systemd] - >=sys-fs/udev-init-scripts-34 - policykit? ( sys-auth/polkit ) - !vanilla? ( sys-apps/gentoo-systemd-integration )" - -BDEPEND=" - app-arch/xz-utils:0 - dev-util/gperf - >=dev-build/meson-0.46 - >=sys-apps/coreutils-8.16 - sys-devel/gettext - virtual/pkgconfig - bpf? ( - dev-util/bpftool - sys-devel/bpf-toolchain - ) - test? ( - app-text/tree - dev-lang/perl - sys-apps/dbus - ) - app-text/docbook-xml-dtd:4.2 - app-text/docbook-xml-dtd:4.5 - app-text/docbook-xsl-stylesheets - dev-libs/libxslt:0 - ${PYTHON_DEPS} - $(python_gen_cond_dep " - dev-python/jinja2[\${PYTHON_USEDEP}] - dev-python/lxml[\${PYTHON_USEDEP}] - boot? ( - >=dev-python/pyelftools-0.30[\${PYTHON_USEDEP}] - test? ( ${PEFILE_DEPEND} ) - ) - ") -" - -QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*" -QA_EXECSTACK="usr/lib/systemd/boot/efi/*" - -pkg_pretend() { - # Flatcar: We keep using split-usr for SDK. - # if use split-usr; then - # eerror "Please complete the migration to merged-usr." - # eerror "https://wiki.gentoo.org/wiki/Merge-usr" - # die "systemd no longer supports split-usr" - # fi - if [[ ${MERGE_TYPE} != buildonly ]]; then - local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS - ~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE - ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS - ~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS - ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH - ~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED - ~!SYSFS_DEPRECATED_V2" - - use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" - use bpf && CONFIG_CHECK+=" ~BPF ~BPF_SYSCALL ~BPF_LSM ~DEBUG_INFO_BTF" - use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER" - - if kernel_is -ge 5 10 20; then - CONFIG_CHECK+=" ~KCMP" - else - CONFIG_CHECK+=" ~CHECKPOINT_RESTORE" - fi - - if kernel_is -ge 4 18; then - CONFIG_CHECK+=" ~AUTOFS_FS" - else - CONFIG_CHECK+=" ~AUTOFS4_FS" - fi - - if linux_config_exists; then - local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH) - if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then - ewarn "It's recommended to set an empty value to the following kernel config option:" - ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}" - fi - if linux_chkconfig_present X86; then - CONFIG_CHECK+=" ~DMIID" - fi - fi - - if kernel_is -lt ${MINKV//./ }; then - ewarn "Kernel version at least ${MINKV} required" - fi - - check_extra_config - fi -} - -pkg_setup() { - use boot && secureboot_pkg_setup -} - -src_unpack() { - default - [[ ${PV} != 9999 ]] || git-r3_src_unpack -} - -src_prepare() { - local PATCHES=( - "${FILESDIR}/systemd-test-process-util.patch" - "${FILESDIR}/256-bpf-gcc.patch" - # Flatcar: Adding our own patches here. - "${FILESDIR}/0001-wait-online-set-any-by-default.patch" - "${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch" - "${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch" - "${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch" - "${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch" - "${FILESDIR}/0007-units-Keep-using-old-journal-file-format.patch" - "${FILESDIR}/0009-initrd-parse-etc.service.patch" - "${FILESDIR}/0010-network-netdev-also-check-ifindex-iftype-and-kind-wh.patch" - "${FILESDIR}/0011-network-also-check-ID_NET_MANAGED_BY-property-on-rec.patch" - ) - - if ! use vanilla; then - PATCHES+=( - "${FILESDIR}/gentoo-journald-audit-r1.patch" - ) - fi - - # Fails with split-usr. - sed -i -e '2i exit 77' test/test-rpm-macros.sh || die - - # Flatcar: The Kubelet takes /etc/resolv.conf for, e.g., - # CoreDNS which has dnsPolicy "default", but unless the - # kubelet --resolv-conf flag is set to point to - # /run/systemd/resolve/resolv.conf this won't work with - # /etc/resolv.conf pointing to - # /run/systemd/resolve/stub-resolv.conf which configures - # 127.0.0.53. See - # https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues - # This means that users who need split DNS to work should - # point /etc/resolv.conf back to - # /run/systemd/resolve/stub-resolv.conf (and if using K8s - # configure the kubelet resolvConf variable/--resolv-conf flag - # to /run/systemd/resolve/resolv.conf). - sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/systemd-resolve.conf || die - default -} - -src_configure() { - # Prevent conflicts with i686 cross toolchain, bug 559726 - tc-export AR CC NM OBJCOPY RANLIB - - python_setup - - multilib-minimal_src_configure -} - -# Flatcar: Our function, we use it in some places below. -get_rootprefix() { - usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr" -} - -multilib_src_configure() { - local myconf=( - --localstatedir="${EPREFIX}/var" - # default is developer, bug 918671 - -Dmode=release - # Flatcar: Point to our user mailing list. - -Dsupport-url="https://groups.google.com/forum/#!forum/flatcar-linux-user" - -Dpamlibdir="$(getpam_mod_dir)" - # avoid bash-completion dep - -Dbashcompletiondir="$(get_bashcompdir)" - # Flatcar: We keep using split-usr in SDK. - $(meson_use split-usr) - # Flatcar: Always set split-bin to true, we always - # have separate bin and sbin directories - -Dsplit-bin=true - # Flatcar: Use get_rootprefix. No functional change - # from upstream, just refactoring the common code used - # in some places. - # - # TODO: Drop -Drootprefix and -Drootlibdir we get rid - # of split-usr in SDK - -Drootprefix="$(get_rootprefix)" - -Drootlibdir="${EPREFIX}/usr/$(get_libdir)" - # Disable compatibility with sysvinit - -Dsysvinit-path= - -Dsysvrcnd-path= - # no deps - -Dima=true - # Match /etc/shells, bug 919749 - -Ddebug-shell="${EPREFIX}/bin/sh" - -Ddefault-user-shell="${EPREFIX}/bin/bash" - # Optional components/dependencies - $(meson_native_use_bool acl) - $(meson_native_use_bool apparmor) - $(meson_native_use_bool audit) - $(meson_native_use_bool boot bootloader) - $(meson_native_use_bool bpf bpf-framework) - -Dbpf-compiler=gcc - $(meson_native_use_bool cryptsetup libcryptsetup) - $(meson_native_use_bool curl libcurl) - $(meson_native_use_bool dns-over-tls dns-over-tls) - $(meson_native_use_bool elfutils) - $(meson_native_use_bool fido2 libfido2) - $(meson_use gcrypt) - $(meson_native_use_bool gnutls) - $(meson_native_use_bool homed) - $(meson_native_use_bool http microhttpd) - $(meson_native_use_bool idn) - $(meson_native_use_bool importd) - $(meson_native_use_bool importd bzip2) - $(meson_native_use_bool importd zlib) - $(meson_native_use_bool kernel-install) - $(meson_native_use_bool kmod) - $(meson_use lz4) - $(meson_use lzma xz) - $(meson_use test tests) - $(meson_use zstd) - $(meson_native_use_bool iptables libiptc) - $(meson_native_use_bool openssl) - $(meson_use pam) - $(meson_native_use_bool pkcs11 p11kit) - $(meson_native_use_bool pcre pcre2) - $(meson_native_use_bool policykit polkit) - $(meson_native_use_bool pwquality) - $(meson_native_use_bool qrcode qrencode) - $(meson_native_use_bool seccomp) - $(meson_native_use_bool selinux) - $(meson_native_use_bool tpm tpm2) - $(meson_native_use_bool test dbus) - $(meson_native_use_bool ukify) - $(meson_native_use_bool xkb xkbcommon) - # Flatcar: Use our ntp servers. - -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org" - # Breaks screen, tmux, etc. - -Ddefault-kill-user-processes=false - # Flatcar: TODO: Investigate if we want this. - -Dcreate-log-dirs=false - - # multilib options - $(meson_native_true backlight) - $(meson_native_true binfmt) - $(meson_native_true coredump) - $(meson_native_true environment-d) - $(meson_native_true firstboot) - $(meson_native_true hibernate) - $(meson_native_true hostnamed) - $(meson_native_true ldconfig) - $(meson_native_true localed) - $(meson_native_true man) - $(meson_native_true networkd) - $(meson_native_true quotacheck) - $(meson_native_true randomseed) - $(meson_native_true rfkill) - $(meson_native_true sysusers) - $(meson_native_true timedated) - $(meson_native_true timesyncd) - $(meson_native_true tmpfiles) - $(meson_native_true vconsole) - $(meson_native_enabled vmspawn) - # Flatcar: Specify this, or meson breaks due to no - # /etc/login.defs. - -Dsystem-gid-max=999 - -Dsystem-uid-max=999 - - # Flatcar: DBus paths. - -Ddbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services" - -Ddbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services" - - # Flatcar: PAM config directory. - -Dpamconfdir=/usr/share/pam.d - - # Flatcar: The CoreOS epoch, Mon Jul 1 00:00:00 UTC - # 2013. Used by timesyncd as a sanity check for the - # minimum acceptable time. Explicitly set to avoid - # using the current build time. - -Dtime-epoch=1372636800 - - # Flatcar: No default name servers. - -Ddns-servers= - - # Flatcar: Disable the "First Boot Wizard", it isn't - # very applicable to us. - -Dfirstboot=false - - # Flatcar: Set latest network interface naming scheme - # for https://github.com/flatcar/Flatcar/issues/36 - -Ddefault-net-naming-scheme=latest - - # Flatcar: Combined log format: name plus description - -Dstatus-unit-format-default=combined - - # Flatcar: Unported options, still needed? - -Dquotaon-path=/usr/sbin/quotaon - -Dquotacheck-path=/usr/sbin/quotacheck - -Ddefault-mdns=no - ) - - case $(tc-arch) in - amd64|arm|arm64|ppc|ppc64|s390|x86) - # src/vmspawn/vmspawn-util.h: QEMU_MACHINE_TYPE - myconf+=( $(meson_native_enabled vmspawn) ) ;; - *) - myconf+=( -Dvmspawn=disabled ) ;; - esac - - meson_src_configure "${myconf[@]}" -} - -multilib_src_test() { - ( - unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR - export COLUMNS=80 - addpredict /dev - addpredict /proc - addpredict /run - addpredict /sys/fs/cgroup - meson_src_test --timeout-multiplier=10 - ) || die -} - -multilib_src_install_all() { - # meson doesn't know about docdir - mv "${ED}"/usr/share/doc/{systemd,${PF}} || die - - einstalldocs - # Flatcar: Do not install sample nsswitch.conf, we don't - # provide it. - # dodoc "${FILESDIR}"/nsswitch.conf - - insinto /usr/lib/tmpfiles.d - doins "${FILESDIR}"/legacy.conf - - if ! use resolvconf; then - rm -f "${ED}"/usr/bin/resolvconf || die - fi - - if ! use sysv-utils; then - rm "${ED}"/usr/bin/{halt,init,poweroff,reboot,shutdown} || die - rm "${ED}"/usr/share/man/man1/init.1 || die - rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,shutdown}.8 || die - fi - - # https://bugs.gentoo.org/761763 - rm -r "${ED}"/usr/lib/sysusers.d || die - - # Flatcar: Upstream uses keepdir commands to keep some empty - # directories. We use tmpfiles. - # Preserve empty dirs in /etc & /var, bug #437008 - keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} - keepdir /etc/kernel/install.d - keepdir /etc/systemd/{network,system,user} - keepdir /etc/udev/rules.d - - keepdir /etc/udev/hwdb.d - - # keepdir /usr/lib/systemd/{system-sleep,system-shutdown} - # keepdir /usr/lib/{binfmt.d,modules-load.d} - # keepdir /usr/lib/systemd/user-generators - # keepdir /var/lib/systemd - # keepdir /var/log/journal - - # if use pam; then - # if use selinux; then - # newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user - # else - # newpamd "${FILESDIR}"/systemd-user.pam systemd-user - # fi - # fi - - if use kernel-install; then - # Dummy config, remove to make room for sys-kernel/installkernel - rm "${ED}/usr/lib/kernel/install.conf" || die - fi - # Flatcar: Ensure journal directory has correct ownership/mode - # in inital image. This is fixed by systemd-tmpfiles *but* - # journald starts before that and will create the journal if - # the filesystem is already read-write. Conveniently the - # systemd Makefile sets this up completely wrong. - # - # Flatcar: TODO: Is this still a problem? - dodir /var/log/journal - fowners root:systemd-journal /var/log/journal - fperms 2755 /var/log/journal - - # Flatcar: Don't prune systemd dirs. - dotmpfiles "${FILESDIR}"/systemd-flatcar.conf - # Flatcar: Add tmpfiles rule for resolv.conf. This path has - # changed after v213 so it must be handled here instead of - # baselayout now. - dotmpfiles "${FILESDIR}"/systemd-resolv.conf - - # Flatcar: Don't default to graphical.target. - local unitdir=$(builddir_systemd_get_systemunitdir) - dosym multi-user.target "${unitdir}"/default.target - - # Flatcar: Don't set any extra environment variables by default. - rm "${ED}/usr/lib/environment.d/99-environment.conf" || die - - # Flatcar: These lines more or less follow the systemd's - # preset file (90-systemd.preset). We do it that way, to avoid - # putting symlinks in /etc. Please keep the lines in the same - # order as the "enable" lines appear in the preset file. For a - # single enable line in preset, there may be more lines if the - # unit file had Also: clause which has units we enable here - # too. - - # Flatcar: enable remote-fs.target - builddir_systemd_enable_service multi-user.target remote-fs.target - # Flatcar: enable remote-cryptsetup.target - if use cryptsetup; then - builddir_systemd_enable_service multi-user.target remote-cryptsetup.target - fi - # Flatcar: enable machines.target - builddir_systemd_enable_service multi-user.target machines.target - # Flatcar: enable getty@.service - dodir "${unitdir}/getty.target.wants" - dosym ../getty@.service "${unitdir}/getty.target.wants/getty@tty1.service" - # Flatcar: enable systemd-timesyncd.service - builddir_systemd_enable_service sysinit.target systemd-timesyncd.service - # Flatcar: enable systemd-networkd.service (Also: systemd-networkd.socket, systemd-networkd-wait-online.service) - builddir_systemd_enable_service multi-user.target systemd-networkd.service - builddir_systemd_enable_service sockets.target systemd-networkd.socket - builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service - # Flatcar: enable systemd-network-generator.service - builddir_systemd_enable_service sysinit.target systemd-network-generator.service - # Flatcar: enable systemd-resolved.service - builddir_systemd_enable_service multi-user.target systemd-resolved.service - # Flatcar: enable systemd-homed.service (Also: systemd-userdbd.service [not enabled - has no WantedBy entry]) - if use homed; then - builddir_systemd_enable_service multi-user.target systemd-homed.target - fi - # Flatcar: enable systemd-userdbd.socket - builddir_systemd_enable_service sockets.target systemd-userdbd.socket - # Flatcar: enable systemd-pstore.service - builddir_systemd_enable_service sysinit.target systemd-pstore.service - # Flatcar: enable systemd-boot-update.service - if use boot; then - builddir_systemd_enable_service sysinit.target systemd-boot-update.service - fi - # Flatcar: enable reboot.target (not enabled - has no WantedBy - # entry) - - # Flatcar: enable systemd-sysext.service by default - builddir_systemd_enable_service sysinit.target systemd-sysext.service - - # Flatcar: Use an empty preset file, because systemctl - # preset-all puts symlinks in /etc, not in /usr. We don't use - # /etc, because it is not autoupdated. We do the "preset" above. - rm "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" || die - insinto /usr/lib/systemd/system-preset - doins "${FILESDIR}"/99-default.preset - - # Flatcar: Do not ship distro-specific files (nsswitch.conf - # pam.d). This conflicts with our own configuration provided - # by baselayout. - rm -rf "${ED}"/usr/share/factory - sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \ - -e '/^C!* \/etc\/nsswitch\.conf/d' \ - -e '/^C!* \/etc\/pam\.d/d' \ - -e '/^C!* \/etc\/issue/d' - - use ukify && python_fix_shebang "${ED}" - use boot && secureboot_auto_sign -} - -# Flatcar: Our own version of systemd_get_systemunitdir, that returns -# a path inside /usr, not /etc. -builddir_systemd_get_systemunitdir() { - echo "$(get_rootprefix)/lib/systemd/system" -} - -# Flatcar: Our own version of systemd_enable_service, that does -# operations inside /usr, not /etc. -builddir_systemd_enable_service() { - local target=${1} - local service=${2} - local ud=$(builddir_systemd_get_systemunitdir) - local destname=${service##*/} - - dodir "${ud}"/"${target}".wants && \ - dosym ../"${service}" "${ud}"/"${target}".wants/"${destname}" - - if use boot; then - python_fix_shebang "${ED}" - secureboot_auto_sign - fi -} -migrate_locale() { - local envd_locale_def="${EROOT}/etc/env.d/02locale" - local envd_locale=( "${EROOT}"/etc/env.d/??locale ) - local locale_conf="${EROOT}/etc/locale.conf" - - if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then - # If locale.conf does not exist... - if [[ -e ${envd_locale} ]]; then - # ...either copy env.d/??locale if there's one - ebegin "Moving ${envd_locale} to ${locale_conf}" - mv "${envd_locale}" "${locale_conf}" - eend ${?} || FAIL=1 - else - # ...or create a dummy default - ebegin "Creating ${locale_conf}" - cat > "${locale_conf}" <<-EOF - # This file has been created by the sys-apps/systemd ebuild. - # See locale.conf(5) and localectl(1). - - # LANG=${LANG} - EOF - eend ${?} || FAIL=1 - fi - fi - - if [[ ! -L ${envd_locale} ]]; then - # now, if env.d/??locale is not a symlink (to locale.conf)... - if [[ -e ${envd_locale} ]]; then - # ...warn the user that he has duplicate locale settings - ewarn - ewarn "To ensure consistent behavior, you should replace ${envd_locale}" - ewarn "with a symlink to ${locale_conf}. Please migrate your settings" - ewarn "and create the symlink with the following command:" - ewarn "ln -s -n -f ../locale.conf ${envd_locale}" - ewarn - else - # ...or just create the symlink if there's nothing here - ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink" - ln -n -s ../locale.conf "${envd_locale_def}" - eend ${?} || FAIL=1 - fi - fi -} - -pkg_preinst() { - if [[ -e ${EROOT}/etc/sysctl.conf ]]; then - # Symlink /etc/sysctl.conf for easy migration. - dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf - fi - - # Flatcar: This used to be in upstream ebuild, but now it's - # gone. We should drop it once we get rid of split-usr in SDK. - if ! use split-usr; then - local dir - # Flatcar: We still use separate bin and sbin, so drop usr/sbin from the list. - for dir in bin sbin lib; do - if [[ ! -L ${EROOT}/${dir} ]]; then - eerror "'${EROOT}/${dir}' is not a symbolic link." - FAIL=1 - fi - done - if [[ ${FAIL} ]]; then - eerror "Migration to system layout with merged directories must be performed before" - eerror "installing ${CATEGORY}/${PN} with USE=\"-split-usr\" to avoid run-time breakage." - die "System layout with split directories still used" - fi - fi - if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then - ewarn "The 'gnuefi' USE flag has been renamed to 'boot'." - ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot." - fi -} - -pkg_postinst() { - systemd_update_catalog - - # Keep this here in case the database format changes so it gets updated - # when required. - systemd-hwdb --root="${ROOT}" update - - udev_reload || FAIL=1 - - # Bug 465468, make sure locales are respected, and ensure consistency - # between OpenRC & systemd - migrate_locale - - # Flatcar: We enable getty and remote-fs targets in /usr - # ourselves above. - # if [[ -z ${REPLACING_VERSIONS} ]]; then - # if type systemctl &>/dev/null; then - # systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 - # fi - # elog "To enable a useful set of services, run the following:" - # elog " systemctl preset-all --preset-mode=enable-only" - # fi - - if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then - rm "${EROOT}/var/lib/systemd/timesync" - fi - - if [[ -z ${ROOT} && -d /run/systemd/system ]]; then - ebegin "Reexecuting system manager (systemd)" - systemctl daemon-reexec - eend $? || FAIL=1 - - # https://lists.freedesktop.org/archives/systemd-devel/2024-June/050466.html - ebegin "Signaling user managers to reexec" - systemctl kill --kill-whom='main' --signal='SIGRTMIN+25' 'user@*.service' - eend $? - fi - - if [[ ${FAIL} ]]; then - eerror "One of the postinst commands failed. Please check the postinst output" - eerror "for errors. You may need to clean up your system and/or try installing" - eerror "systemd again." - eerror - fi - - if use boot; then - optfeature "installing kernels in systemd-boot's native layout and update loader entries" \ - "sys-kernel/installkernel[systemd-boot]" - fi - if use ukify; then - optfeature "generating unified kernel image on each kernel installation" \ - "sys-kernel/installkernel[ukify]" - fi -} - -pkg_prerm() { - # If removing systemd completely, remove the catalog database. - if [[ ! ${REPLACED_BY_VERSION} ]]; then - rm -f -v "${EROOT}"/var/lib/systemd/catalog/database - fi -} diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild similarity index 88% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild index e4075f6c2a4..a315604985f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=8 -PYTHON_COMPAT=( python3_{10..13} ) +PYTHON_COMPAT=( python3_{11..13} ) # Avoid QA warnings TMPFILES_OPTIONAL=1 @@ -20,12 +20,12 @@ else SRC_URI="https://github.com/systemd/${PN}/archive/refs/tags/v${MY_PV}.tar.gz -> ${MY_P}.tar.gz" if [[ ${PV} != *rc* ]] ; then - # Flatcar: mark as stable - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86" fi fi inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1 +# Flatcar: Inherited tmpfiles inherit secureboot systemd tmpfiles toolchain-funcs udev DESCRIPTION="System and service manager for Linux" @@ -144,11 +144,11 @@ RDEPEND="${COMMON_DEPEND} ) sysv-utils? ( !sys-apps/openrc[sysv-utils(-)] - !sys-apps/openrc-navi[sysv-utils(-)] !sys-apps/sysvinit ) !sysv-utils? ( sys-apps/sysvinit ) resolvconf? ( !net-dns/openresolv ) + !sys-apps/hwids[udev] !sys-auth/nss-myhostname !sys-fs/eudev !sys-fs/udev @@ -168,7 +168,7 @@ BDEPEND=" sys-devel/gettext virtual/pkgconfig bpf? ( - dev-util/bpftool + >=dev-util/bpftool-7.0.0 sys-devel/bpf-toolchain ) test? ( @@ -194,13 +194,38 @@ BDEPEND=" QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*" QA_EXECSTACK="usr/lib/systemd/boot/efi/*" +check_cgroup_layout() { + # https://bugs.gentoo.org/935261 + [[ ${MERGE_TYPE} != buildonly ]] || return + [[ -z ${ROOT} ]] || return + [[ -e /sys/fs/cgroup/unified ]] || return + grep -q 'SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1' /proc/cmdline && return + + eerror "This system appears to be booted with the 'hybrid' cgroup layout." + eerror "This layout obsolete and is disabled in systemd." + + if grep -qF 'systemd.unified_cgroup_hierarchy'; then + eerror "Remove the systemd.unified_cgroup_hierarchy option" + eerror "from the kernel command line and reboot." + die "hybrid cgroup layout detected" + fi +} + pkg_pretend() { - # Flatcar: We keep using split-usr for SDK. - # if use split-usr; then - # eerror "Please complete the migration to merged-usr." - # eerror "https://wiki.gentoo.org/wiki/Merge-usr" - # die "systemd no longer supports split-usr" - # fi + if use split-usr; then + eerror "Please complete the migration to merged-usr." + eerror "https://wiki.gentoo.org/wiki/Merge-usr" + die "systemd no longer supports split-usr" + fi + + check_cgroup_layout + + if use cgroup-hybrid; then + eerror "Disable the 'cgroup-hybrid' USE flag." + eerror "Rebuild any initramfs images after rebuilding systemd." + die "cgroup-hybrid is no longer supported" + fi + if [[ ${MERGE_TYPE} != buildonly ]]; then local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS ~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE @@ -256,14 +281,15 @@ src_unpack() { src_prepare() { local PATCHES=( + "${FILESDIR}"/systemd-257-cred-util-tpm2.patch # Flatcar: Adding our own patches here. "${FILESDIR}/0001-wait-online-set-any-by-default.patch" - "${FILESDIR}/0003-needs-update-don-t-require-strictly-newer-usr.patch" - "${FILESDIR}/0004-core-use-max-for-DefaultTasksMax.patch" - "${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch" - "${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin-257.patch" - "${FILESDIR}/0007-units-Keep-using-old-journal-file-format.patch" - "${FILESDIR}/0009-initrd-parse-etc.service.patch" + "${FILESDIR}/0002-needs-update-don-t-require-strictly-newer-usr.patch" + "${FILESDIR}/0003-core-use-max-for-DefaultTasksMax.patch" + "${FILESDIR}/0004-systemd-Disable-SELinux-permissions-checks.patch" + "${FILESDIR}/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch" + "${FILESDIR}/0006-units-Keep-using-old-journal-file-format.patch" + "${FILESDIR}/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch" ) if ! use vanilla; then @@ -272,9 +298,6 @@ src_prepare() { ) fi - # Fails with split-usr. - sed -i -e '2i exit 77' test/test-rpm-macros.sh || die - # Flatcar: The Kubelet takes /etc/resolv.conf for, e.g., # CoreDNS which has dnsPolicy "default", but unless the # kubelet --resolv-conf flag is set to point to @@ -301,14 +324,10 @@ src_configure() { multilib-minimal_src_configure } -# Flatcar: Our function, we use it in some places below. -get_rootprefix() { - usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr" -} - multilib_src_configure() { local myconf=( --localstatedir="${EPREFIX}/var" + -Ddocdir="share/doc/${PF}" # default is developer, bug 918671 -Dmode=release # Flatcar: Point to our user mailing list. @@ -316,19 +335,7 @@ multilib_src_configure() { -Dpamlibdir="$(getpam_mod_dir)" # avoid bash-completion dep -Dbashcompletiondir="$(get_bashcompdir)" - # Flatcar: We keep using split-usr in SDK. - $(meson_use split-usr) - # Flatcar: Always set split-bin to true, we always - # have separate bin and sbin directories - -Dsplit-bin=true - # Flatcar: Use get_rootprefix. No functional change - # from upstream, just refactoring the common code used - # in some places. - # - # TODO: Drop -Drootprefix and -Drootlibdir we get rid - # of split-usr in SDK - -Drootprefix="$(get_rootprefix)" - -Drootlibdir="${EPREFIX}/usr/$(get_libdir)" + -Dsplit-bin=false # Disable compatibility with sysvinit -Dsysvinit-path= -Dsysvrcnd-path= @@ -381,7 +388,6 @@ multilib_src_configure() { -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org" # Breaks screen, tmux, etc. -Ddefault-kill-user-processes=false - # Flatcar: TODO: Investigate if we want this. -Dcreate-log-dirs=false # multilib options @@ -404,7 +410,6 @@ multilib_src_configure() { $(meson_native_true timesyncd) $(meson_native_true tmpfiles) $(meson_native_true vconsole) - $(meson_native_enabled vmspawn) # Flatcar: Specify this, or meson breaks due to no # /etc/login.defs. -Dsystem-gid-max=999 @@ -437,10 +442,10 @@ multilib_src_configure() { # Flatcar: Combined log format: name plus description -Dstatus-unit-format-default=combined - # Flatcar: Unported options, still needed? - -Dquotaon-path=/usr/sbin/quotaon - -Dquotacheck-path=/usr/sbin/quotacheck + # Flatcar: Disable multicast-dns, Link-Local Multicast Name Resolution and dnssec -Ddefault-mdns=no + -Ddefault-llmnr=no + -Ddefault-dnssec=no ) case $(tc-arch) in @@ -467,9 +472,6 @@ multilib_src_test() { } multilib_src_install_all() { - # meson doesn't know about docdir - mv "${ED}"/usr/share/doc/{systemd,${PF}} || die - einstalldocs # Flatcar: Do not install sample nsswitch.conf, we don't # provide it. @@ -491,8 +493,6 @@ multilib_src_install_all() { # https://bugs.gentoo.org/761763 rm -r "${ED}"/usr/lib/sysusers.d || die - # Flatcar: Upstream uses keepdir commands to keep some empty - # directories. We use tmpfiles. # Preserve empty dirs in /etc & /var, bug #437008 keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} keepdir /etc/kernel/install.d @@ -501,12 +501,13 @@ multilib_src_install_all() { keepdir /etc/udev/hwdb.d - # keepdir /usr/lib/systemd/{system-sleep,system-shutdown} - # keepdir /usr/lib/{binfmt.d,modules-load.d} - # keepdir /usr/lib/systemd/user-generators - # keepdir /var/lib/systemd - # keepdir /var/log/journal + keepdir /usr/lib/systemd/{system-sleep,system-shutdown} + keepdir /usr/lib/{binfmt.d,modules-load.d} + keepdir /usr/lib/systemd/user-generators + keepdir /var/lib/systemd + keepdir /var/log/journal + # Flatcar: We provide our own systemd-user config file in baselayout. # if use pam; then # if use selinux; then # newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user @@ -614,7 +615,7 @@ multilib_src_install_all() { # Flatcar: Our own version of systemd_get_systemunitdir, that returns # a path inside /usr, not /etc. builddir_systemd_get_systemunitdir() { - echo "$(get_rootprefix)/lib/systemd/system" + echo "${EPREFIX}/usr/lib/systemd/system" } # Flatcar: Our own version of systemd_enable_service, that does @@ -683,23 +684,6 @@ pkg_preinst() { dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf fi - # Flatcar: This used to be in upstream ebuild, but now it's - # gone. We should drop it once we get rid of split-usr in SDK. - if ! use split-usr; then - local dir - # Flatcar: We still use separate bin and sbin, so drop usr/sbin from the list. - for dir in bin sbin lib; do - if [[ ! -L ${EROOT}/${dir} ]]; then - eerror "'${EROOT}/${dir}' is not a symbolic link." - FAIL=1 - fi - done - if [[ ${FAIL} ]]; then - eerror "Migration to system layout with merged directories must be performed before" - eerror "installing ${CATEGORY}/${PN} with USE=\"-split-usr\" to avoid run-time breakage." - die "System layout with split directories still used" - fi - fi if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then ewarn "The 'gnuefi' USE flag has been renamed to 'boot'." ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot." From 874281c02680d57dfaae2d8ab5d760f2659bca9f Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 24 Oct 2025 11:17:08 +0200 Subject: [PATCH 02/11] overlay sys-apps/systemd: Move patches to user-patches Add two more patches that replace some modifications we did inside the ebuild. Signed-off-by: Krzesimir Nowak --- .../0001-wait-online-set-any-by-default.patch | 2 +- ...ate-don-t-require-strictly-newer-usr.patch | 2 +- ...003-core-use-max-for-DefaultTasksMax.patch | 2 +- ...d-Disable-SELinux-permissions-checks.patch | 2 +- ...-Pass-tty-to-use-by-agetty-via-stdin.patch | 2 +- ...s-Keep-using-old-journal-file-format.patch | 2 +- ...itrd-parse-etc-override-argv-0-to-av.patch | 2 +- ...NS-issues-with-default-k8s-configura.patch | 36 +++++++++++++++++++ ...multi-user.target-the-default-target.patch | 35 ++++++++++++++++++ .../user-patches/sys-apps/systemd/README.md | 23 ++++++++++++ .../sys-apps/systemd/systemd-257.7-r1.ebuild | 26 -------------- 11 files changed, 101 insertions(+), 33 deletions(-) rename sdk_container/src/third_party/coreos-overlay/{sys-apps/systemd/files => coreos/user-patches/sys-apps/systemd}/0001-wait-online-set-any-by-default.patch (95%) rename sdk_container/src/third_party/coreos-overlay/{sys-apps/systemd/files => coreos/user-patches/sys-apps/systemd}/0002-needs-update-don-t-require-strictly-newer-usr.patch (97%) rename sdk_container/src/third_party/coreos-overlay/{sys-apps/systemd/files => coreos/user-patches/sys-apps/systemd}/0003-core-use-max-for-DefaultTasksMax.patch (98%) rename sdk_container/src/third_party/coreos-overlay/{sys-apps/systemd/files => coreos/user-patches/sys-apps/systemd}/0004-systemd-Disable-SELinux-permissions-checks.patch (92%) rename sdk_container/src/third_party/coreos-overlay/{sys-apps/systemd/files => coreos/user-patches/sys-apps/systemd}/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch (98%) rename sdk_container/src/third_party/coreos-overlay/{sys-apps/systemd/files => coreos/user-patches/sys-apps/systemd}/0006-units-Keep-using-old-journal-file-format.patch (96%) rename sdk_container/src/third_party/coreos-overlay/{sys-apps/systemd/files => coreos/user-patches/sys-apps/systemd}/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch (94%) create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-units-Make-multi-user.target-the-default-target.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/README.md diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch similarity index 95% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch index 50671ce19e7..7ebfbe6b1f1 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0001-wait-online-set-any-by-default.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch @@ -1,7 +1,7 @@ From e228bd8a939e77f4ebc37aa029f8a89e8b9d4807 Mon Sep 17 00:00:00 2001 From: David Michael Date: Tue, 16 Apr 2019 02:44:51 +0000 -Subject: [PATCH 1/7] wait-online: set --any by default +Subject: [PATCH 1/9] wait-online: set --any by default The systemd-networkd-wait-online command would normally continue waiting after a network interface is usable if other interfaces are diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch similarity index 97% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-needs-update-don-t-require-strictly-newer-usr.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch index f538682a5b1..3684985fe84 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0002-needs-update-don-t-require-strictly-newer-usr.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch @@ -1,7 +1,7 @@ From b8139561768e6745405461e1a765b262ece8f959 Mon Sep 17 00:00:00 2001 From: Alex Crawford Date: Wed, 2 Mar 2016 10:46:33 -0800 -Subject: [PATCH 2/7] needs-update: don't require strictly newer usr +Subject: [PATCH 2/9] needs-update: don't require strictly newer usr Updates should be triggered whenever usr changes, not only when it is newer. --- diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-core-use-max-for-DefaultTasksMax.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch index 9ebd5e31298..fc40376e7aa 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0003-core-use-max-for-DefaultTasksMax.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch @@ -1,7 +1,7 @@ From f5635c6b5153d894cf1bf6dca92219150d4252d5 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Fri, 16 Feb 2024 11:22:08 +0000 -Subject: [PATCH 3/7] core: use max for DefaultTasksMax +Subject: [PATCH 3/9] core: use max for DefaultTasksMax Since systemd v228, systemd has a DefaultTasksMax which defaulted to 512, later 15% of the system's maximum number of PIDs. This diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-systemd-Disable-SELinux-permissions-checks.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch index 445fdc27285..a66305caa66 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-systemd-Disable-SELinux-permissions-checks.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch @@ -1,7 +1,7 @@ From f55e6415307ce77b3376a2bf9cc96b924c6ec52e Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 20 Dec 2016 16:43:22 +0000 -Subject: [PATCH 4/7] systemd: Disable SELinux permissions checks +Subject: [PATCH 4/9] systemd: Disable SELinux permissions checks We don't care about the interaction between systemd and SELinux policy, so let's just disable these checks rather than having to incorporate policy diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch index f189765e9a5..eeb66a75ffe 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch @@ -1,7 +1,7 @@ From cf500f14557926259b58ee641fffb38b707494d6 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Fri, 16 Dec 2022 16:28:26 +0530 -Subject: [PATCH 5/7] Revert "getty: Pass tty to use by agetty via stdin" +Subject: [PATCH 5/9] Revert "getty: Pass tty to use by agetty via stdin" This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-units-Keep-using-old-journal-file-format.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-units-Keep-using-old-journal-file-format.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch index 033ccf2f5f7..8e76b1b1b1a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-units-Keep-using-old-journal-file-format.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch @@ -1,7 +1,7 @@ From 1bf0301376df8e82593efccb80cd4e43638666c0 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Fri, 16 Feb 2024 11:29:04 +0000 -Subject: [PATCH 6/7] units: Keep using old journal file format +Subject: [PATCH 6/9] units: Keep using old journal file format Systemd 252 made an incompatible change in journal file format. Temporarily force journald to use the old journal format to give logging containers more diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch similarity index 94% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch rename to sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch index 4c12dc2f6ed..e399b5401c7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch @@ -1,7 +1,7 @@ From 93775241c5f873a5862c2e7b06532bd3969341a0 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Wed, 25 Sep 2024 15:51:02 +0000 -Subject: [PATCH 7/7] Revert "Revert "initrd-parse-etc: override argv[0] to +Subject: [PATCH 7/9] Revert "Revert "initrd-parse-etc: override argv[0] to avoid dracut issue"" This reverts commit 1c585a4ccda3258088d7bc27b27a314e7ed8be80. diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch new file mode 100644 index 00000000000..66ec8d3311a --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch @@ -0,0 +1,36 @@ +From 3938b8d561e747ef1dea83afc9f254d594291dc1 Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Wed, 22 Oct 2025 10:39:42 +0200 +Subject: [PATCH 8/9] tmpfiles.d: Fix DNS issues with default k8s configuration + +The Kubelet takes /etc/resolv.conf for, e.g., CoreDNS which has dnsPolicy +"default", but unless the kubelet `--resolv-conf` flag is set to point to +`/run/systemd/resolve/resolv.conf` this won't work with `/etc/resolv.conf` +pointing to `/run/systemd/resolve/stub-resolv.conf` which configures +`127.0.0.53`. See: + +https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues + +This means that users who need split DNS to work should point +`/etc/resolv.conf` back to `/run/systemd/resolve/stub-resolv.conf` (and if +using K8s configure the kubelet `resolvConf` variable/`--resolv-conf` flag to +`/run/systemd/resolve/resolv.conf`). + +Signed-off-by: Krzesimir Nowak +--- + tmpfiles.d/systemd-resolve.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tmpfiles.d/systemd-resolve.conf b/tmpfiles.d/systemd-resolve.conf +index be5edc98e0..bea686682a 100644 +--- a/tmpfiles.d/systemd-resolve.conf ++++ b/tmpfiles.d/systemd-resolve.conf +@@ -7,4 +7,4 @@ + + # See tmpfiles.d(5) for details. + +-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf ++L! /etc/resolv.conf - - - - ../run/systemd/resolve/resolv.conf +-- +2.51.0 + diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-units-Make-multi-user.target-the-default-target.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-units-Make-multi-user.target-the-default-target.patch new file mode 100644 index 00000000000..93a640f4143 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-units-Make-multi-user.target-the-default-target.patch @@ -0,0 +1,35 @@ +From 946db05da46d3c453b129c6413d1fd0b3794d038 Mon Sep 17 00:00:00 2001 +From: Krzesimir Nowak +Date: Fri, 24 Oct 2025 11:06:57 +0200 +Subject: [PATCH 9/9] units: Make multi-user.target the default target + +Signed-off-by: Krzesimir Nowak +--- + units/meson.build | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/units/meson.build b/units/meson.build +index 96f4852741..4b1efbc4b1 100644 +--- a/units/meson.build ++++ b/units/meson.build +@@ -46,7 +46,7 @@ units = [ + }, + { + 'file' : 'graphical.target', +- 'symlinks' : ['default.target'] + (with_runlevels ? ['runlevel5.target'] : []), ++ 'symlinks' : with_runlevels ? ['runlevel5.target'] : [], + }, + { 'file' : 'halt.target' }, + { +@@ -140,7 +140,7 @@ units = [ + { 'file' : 'modprobe@.service' }, + { + 'file' : 'multi-user.target', +- 'symlinks' : with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : [], ++ 'symlinks' : ['default.target'] + (with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : []), + }, + { 'file' : 'network-online.target' }, + { 'file' : 'network-pre.target' }, +-- +2.51.0 + diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/README.md new file mode 100644 index 00000000000..c81b881d9fa --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/README.md @@ -0,0 +1,23 @@ +Most of these patches are not really upstreamable. + +- `0001-wait-online-set-any-by-default.patch` + - backward compat stuff +- `0002-needs-update-don-t-require-strictly-newer-usr.patch` + - trigger updates only when /usr changes +- `0003-core-use-max-for-DefaultTasksMax.patch` + - increase the too-low limits +- `0004-systemd-Disable-SELinux-permissions-checks.patch` + - disable interactions between systemd and SELinux policies + - this will be dropped when we increase SELinux coverage also to a host system +- `0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch` + - SELinux denial workaround + - this will be dropped when we increase SELinux coverage also to a host system +- `0006-units-Keep-using-old-journal-file-format.patch` + - backward compat stuff +- `0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch` + - dracut issue workaround + - should be dropped when we update dracut to a version without the issue +- `0008-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch` + - workaround for issues with default k8s coredns config +- `0009-units-Make-multi-user.target-the-default-target.patch` + - change default.target to a suitable symlink for Flatcar diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild index a315604985f..54a029ac1c6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild @@ -282,14 +282,6 @@ src_unpack() { src_prepare() { local PATCHES=( "${FILESDIR}"/systemd-257-cred-util-tpm2.patch - # Flatcar: Adding our own patches here. - "${FILESDIR}/0001-wait-online-set-any-by-default.patch" - "${FILESDIR}/0002-needs-update-don-t-require-strictly-newer-usr.patch" - "${FILESDIR}/0003-core-use-max-for-DefaultTasksMax.patch" - "${FILESDIR}/0004-systemd-Disable-SELinux-permissions-checks.patch" - "${FILESDIR}/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch" - "${FILESDIR}/0006-units-Keep-using-old-journal-file-format.patch" - "${FILESDIR}/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch" ) if ! use vanilla; then @@ -298,20 +290,6 @@ src_prepare() { ) fi - # Flatcar: The Kubelet takes /etc/resolv.conf for, e.g., - # CoreDNS which has dnsPolicy "default", but unless the - # kubelet --resolv-conf flag is set to point to - # /run/systemd/resolve/resolv.conf this won't work with - # /etc/resolv.conf pointing to - # /run/systemd/resolve/stub-resolv.conf which configures - # 127.0.0.53. See - # https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues - # This means that users who need split DNS to work should - # point /etc/resolv.conf back to - # /run/systemd/resolve/stub-resolv.conf (and if using K8s - # configure the kubelet resolvConf variable/--resolv-conf flag - # to /run/systemd/resolve/resolv.conf). - sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/systemd-resolve.conf || die default } @@ -538,10 +516,6 @@ multilib_src_install_all() { # baselayout now. dotmpfiles "${FILESDIR}"/systemd-resolv.conf - # Flatcar: Don't default to graphical.target. - local unitdir=$(builddir_systemd_get_systemunitdir) - dosym multi-user.target "${unitdir}"/default.target - # Flatcar: Don't set any extra environment variables by default. rm "${ED}/usr/lib/environment.d/99-environment.conf" || die From 9d63ff5d37d5f908c6f4349a23f0022d155f509b Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 24 Oct 2025 11:21:14 +0200 Subject: [PATCH 03/11] overlay sys-apps/systemd: Move the sys-apps/kbd dep to sys-kernel/coreos-kernel Signed-off-by: Krzesimir Nowak --- .../coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild | 4 ---- .../sys-kernel/coreos-kernel/coreos-kernel-6.12.54.ebuild | 1 + 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild index 54a029ac1c6..4ef4cdc5dcd 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild @@ -103,9 +103,6 @@ PEFILE_DEPEND='dev-python/pefile[${PYTHON_USEDEP}]' # flag). The image stage fails with "Failed to resolve # typeattributeset statement at # /var/lib/selinux/mcs/tmp/modules/400/ntp/cil:120" -# -# Flatcar: Added a dep on sys-apps/kbd. It provides a loadkeys binary -# needed by dracut's systemd-vconsole-setup module. RDEPEND="${COMMON_DEPEND} >=acct-group/adm-0-r1 >=acct-group/wheel-0-r1 @@ -134,7 +131,6 @@ RDEPEND="${COMMON_DEPEND} >=acct-user/systemd-resolve-0-r1 >=acct-user/systemd-timesync-0-r1 >=sys-apps/baselayout-2.2 - sys-apps/kbd ukify? ( ${PYTHON_DEPS} $(python_gen_cond_dep "${PEFILE_DEPEND}") diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.54.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.54.ebuild index 77094b324d5..2acaea741ca 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.54.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.54.ebuild @@ -32,6 +32,7 @@ DEPEND=" sys-apps/grep sys-apps/ignition:= sys-apps/iproute2 + sys-apps/kbd sys-apps/less sys-apps/nvme-cli sys-apps/sed From 458b992d958d9e3099e26f848dd4d6cc735983df Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 24 Oct 2025 11:25:56 +0200 Subject: [PATCH 04/11] overlay sys-apps/systemd: Drop dep on sec-policy/selinux-ntp in a different way We can add sec-policy/selinux-ntp to package.provided in overlay profiles - that way we don't need to modify the dependencies of the sys-apps/systemd package. Signed-off-by: Krzesimir Nowak --- .../coreos-overlay/profiles/coreos/base/package.provided | 5 +++++ .../coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild | 6 +----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.provided b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.provided index 8a8430c5c5c..3bcb7981d2f 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.provided +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.provided @@ -18,3 +18,8 @@ sys-devel/bpf-toolchain-14.2.0_p1 # Pulled by app-crypt/sbsigntools - we never needed it and it pulls a # ton of other packages. dev-perl/Locale-gettext-1.70.0_p20181130 + +# Pulled in by sys-apps/systemd, breaks the build - the image stage +# fails with "Failed to resolve typeattributeset statement at +# /var/lib/selinux/mcs/tmp/modules/400/ntp/cil:120" +sec-policy/selinux-ntp-2.20250618-r1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild index 4ef4cdc5dcd..58c53da5152 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild @@ -98,11 +98,6 @@ DEPEND="${COMMON_DEPEND} PEFILE_DEPEND='dev-python/pefile[${PYTHON_USEDEP}]' # baselayout-2.2 has /run -# -# Flatcar: Drop sec-policy/selinux-ntp from deps (under selinux use -# flag). The image stage fails with "Failed to resolve -# typeattributeset statement at -# /var/lib/selinux/mcs/tmp/modules/400/ntp/cil:120" RDEPEND="${COMMON_DEPEND} >=acct-group/adm-0-r1 >=acct-group/wheel-0-r1 @@ -137,6 +132,7 @@ RDEPEND="${COMMON_DEPEND} ) selinux? ( sec-policy/selinux-base-policy[systemd] + sec-policy/selinux-ntp ) sysv-utils? ( !sys-apps/openrc[sysv-utils(-)] From c5bc473cd342af669f27f7e7e7c1b90db4f89992 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 24 Oct 2025 11:28:52 +0200 Subject: [PATCH 05/11] overlay sys-apps/systemd: Move our modifications to config overrides Biggest change here is to drop our manual service enabling in favor of parsing the preset files and Install sections of the unit files to enable the units inside /usr/lib/systemd. Signed-off-by: Krzesimir Nowak --- .../coreos/config/env/sys-apps/systemd | 362 +++++++++++++++++- .../sys-apps/systemd/systemd-257.7-r1.ebuild | 185 +-------- 2 files changed, 374 insertions(+), 173 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd index 3806da9f578..f54063e223e 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd +++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd @@ -1,13 +1,363 @@ -cros_post_src_install_timesync() { - local dir="${D}$(systemd_get_systemunitdir)/systemd-timesyncd.service.d" - mkdir -p "${dir}" - pushd "${dir}" - cat <flatcar.conf || die +systemd_meson_args_array=( + # Flatcar: Point to our user mailing list. + -Dsupport-url='https://groups.google.com/forum/#!forum/flatcar-linux-user' + + # Flatcar: Use our ntp servers. + -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org" + + # Flatcar: Specify this, or meson breaks due to no + # /etc/login.defs. + -Dsystem-gid-max=999 + -Dsystem-uid-max=999 + + # Flatcar: DBus paths. + -Ddbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services" + -Ddbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services" + + # Flatcar: PAM config directory. + -Dpamconfdir=/usr/share/pam.d + + # Flatcar: The CoreOS epoch, Mon Jul 1 00:00:00 UTC 2013. Used by + # timesyncd as a sanity check for the minimum acceptable + # time. Explicitly set to avoid using the current build time. + -Dtime-epoch=1372636800 + + # Flatcar: No default name servers. + -Ddns-servers= + + # Flatcar: Disable the "First Boot Wizard", it isn't very + # applicable to us. + -Dfirstboot=false + + # Flatcar: Set latest network interface naming scheme for + # https://github.com/flatcar/Flatcar/issues/36 + -Ddefault-net-naming-scheme=latest + + # Flatcar: Combined log format: name plus description + -Dstatus-unit-format-default=combined + + # Flatcar: Disable multicast-dns, Link-Local Multicast Name + # Resolution and dnssec + -Ddefault-mdns=no + -Ddefault-llmnr=no + -Ddefault-dnssec=no +) +export MYMESONARGS="${systemd_meson_args_array[*]@Q}" +unset 'systemd_meson_args_array' + +# A hack to avoid enabling getty remote-fs targets in pkg_postinst, we +# already do out ourselves in this file. +if [[ -z ${flatcar_hacked_systemctl:-} ]]; then + flatcar_hacked_systemctl=$(command -v systemctl) +fi +systemctl() { + if [[ ${#} -eq 4 && ${1} = '--root='* && ${2} = 'enable' && ${3} = 'getty@.service' && ${4} = 'remote-fs.target' ]]; then + return 0 + fi + "${flatcar_hacked_systemctl}" "${@}" +} + +# 1 - path to a preset file ("${ED}/usr/lib/systemd/system-preset/90-systemd.preset") +# 2 - scope ("system" or "user") +flatcar_preset_all_enable() { + local preset_file=${1}; shift + local scope=${1}; shift + + local -r systemd_dir=/usr/lib/systemd + + # matches empty line or line with whitespaces only + local -r empty_regexp='^[[:space:]]*$' + # matches comment lines (starting with # or ;) + local -r comment_regexp='^[[:space:]]*[#;]' + # matches [Foo] + local -r section_regexp='^[[:space:]]'"'['"'[[:space:]]*([^[:space:]]+)[[:space:]]*'"']'"'[[:space:]]*$' + # matches Foo = Bar + local -r key_value_regexp='^[[:space:]]*([^=[:space:]]+)[[:space:]]*=[[:space:]]*([^[:space:]]*([[:space:]]+[^[:space:]])*)[[:space:]]*$' + + local -a tokens units BASH_REMATCH + local unit_name unit_path in_install line + local in_continuation continuation_key continuation_value handle_finished_continuation + + local -a unit_type_pairs + local default_instance + local -a tmp_array + local tmp_value + + local this_desc pair_desc + local related_unit_name related_unit_type + local this_unit_name_to_use related_unit_name_to_use do_by_dir + + while read -r -a tokens; do + if [[ ${#tokens[@]} -eq 0 || ${tokens[0]} != 'enable' ]]; then + continue + fi + + units=( "${tokens[@]:1}" ) + tokens=() + + while [[ ${#units[@]} -gt 0 ]]; do + unit_name=${units[0]} + units=( "${units[@]:1}" ) + unit_path=${ED}/${systemd_dir}/${scope}/${unit_name} + if [[ ! -e ${unit_path} ]]; then + die "${unit_name} not found at ${systemd_dir}/${scope}/${unit_name}" + fi + # If we are in [Install] section. Affects handling of + # finished continuations. + in_install='' + # If we are in continuation of the key-value entry, like: + # + # Also = unit_one \ + # unit_two \ + # unit_three + in_continuation='' + # Key of the continuation, in the example above, it's + # Also. If it's empty during continuation, it means we + # don't care about the key-value pair, because it is + # outside the Install section. + continuation_key='' + # Value of the continuation, in the example above, it + # starts with "unit_one", ends up eventually with + # "unit_one unit_two unit_three". + continuation_value='' + # If continuation has finished, we have the whole value + # for key-value pair, so handle it - this only happens for + # continuations inside the [Install] section + handle_finished_continuation='' + # Holds pairs of unit names and types (being basically + # keys from key-value pairs), for example: + # + # multi-user.target WantedBy dbus-org.freedesktop.network1.service Alias + unit_type_pairs=() + + while read -r line; do + if [[ ${line} =~ ${empty_regexp} ]]; then + # empty line, finish continuation if there's any + if [[ -n ${in_continuation} ]]; then + if [[ -n ${continuation_key} ]]; then + handle_finished_continuation=x + fi + in_continuation='' + fi + elif [[ ${line} =~ ${comment_regexp} ]]; then + # comment, just skip, does not affect continuation state + continue + elif [[ -n ${in_continuation} ]]; then + # we are in continuation, either continue it if + # line ends with backslash, otherwise finish the + # continuation (and handle it if we care about it) + if [[ -n ${continuation_key} ]]; then + continuation_value+=" ${line}" + if [[ ${continuation_value} = *'\' ]]; then + continuation_value=${continuation_value%'\'} + else + in_continuation='' + handle_finished_continuation=x + fi + elif [[ ${line} != *'\' ]]; then + in_continuation='' + fi + elif [[ ${line} =~ ${section_regexp} ]]; then + if [[ ${BASH_REMATCH[1]} = 'Install' ]]; then + in_install=x + else + in_install='' + fi + elif [[ ${line} =~ ${key_value_regexp} ]]; then + continuation_key=${BASH_REMATCH[1]} + continuation_value=${BASH_REMATCH[2]} + if [[ ${continuation_value} = *'\' ]]; then + in_continuation=x + if [[ -n ${in_install} ]]; then + continuation_value=${continuation_value%'\'} + else + # we are in continuation, but outside the + # [Install] section, so clear key and + # value to show that we don't care about + # them + continuation_key='' + continuation_value='' + fi + elif [[ -n ${in_install} ]]; then + handle_finished_continuation=x + fi + else + die "Malformed line in ${unit_path}: ${line}" + fi + + if [[ -n ${handle_finished_continuation} ]]; then + handle_finished_continuation='' + # simplify whitespace + read -r -a tmp_array <<<"${continuation_value}" + case ${continuation_key} in + 'Alias'|'WantedBy'|'RequiredBy'|'UpheldBy') + for tmp_value in "${tmp_array[@]}"; do + unit_type_pairs+=( "${tmp_value}" "${continuation_key}" ) + done + ;; + 'Also') + units+=( "${tmp_array[@]}" ) + ;; + 'DefaultInstance') + if [[ ${#tmp_array[@]} -gt 1 ]]; then + ewarn "DefaultInstance value (${tmp_array[*]}) in ${unit_path} looks wrong" + fi + default_instance=${tmp_array[*]} + ;; + *) + einfo "Ignoring unknown option ${continuation_key@Q} in Install section of ${unit_path}" + ;; + esac + fi + done <"${unit_path}" + + # 1. if this unit is a template and related unit is also a + # template -> symlink from related template to this + # template + # + # 2. if this unit is a template and related unit is not -> + # symlink from related unit to this template with default + # instance + # + # 3. if this unit is not a template and related unit is a + # template -> symlink from the related template with the + # default instance to this unit (not implemented - would + # need to acquire default instance information from the + # related unit, didn't bother as this scenario does not + # currently happen in the presets; I'm also not sure if it + # makes any sense) + # + # 4. if this unit is not a template and related unit is + # also not a template -> symlink from related unit to this + # unit + + if [[ ${unit_name%.*} = *'@' ]]; then this_desc='t'; else this_desc='n'; fi + + while [[ ${#unit_type_pairs[@]} -gt 1 ]]; do + related_unit_name=${unit_type_pairs[0]} + related_unit_type=${unit_type_pairs[1]} + unit_type_pairs=( "${unit_type_pairs[@]:2}" ) + + pair_desc=${this_desc} + if [[ ${related_unit_name%.*} = *'@' ]]; then pair_desc+='t'; else pair_desc+='n'; fi + + case ${pair_desc} in + 'tt') # 1. + this_unit_name_to_use=${unit_name} + related_unit_name_to_use=${related_unit_name} + ;; + 'tn') # 2. + this_unit_name_to_use=${unit_name%.*}${default_instance}.${unit_name##*.} + related_unit_name_to_use=${related_unit_name} + ;; + 'nt') # 3. + die "Case 3. not implemented, need to acquire default instance of the related unit, I was too lazy to implement that; if you have hit this case, congratulations - you get to implement it (debug info: unit name: ${unit_name}, related unit name: ${related_unit_name}, relation: ${related_unit_type}, scope: ${scope}" + ;; + 'nn') # 4. + this_unit_name_to_use=${unit_name} + related_unit_name_to_use=${related_unit_name} + ;; + *) + die "Should not happen" + ;; + esac + + # this_unit_name_to_use (getty@tty1.service) can be + # used for symlink name, but not for the target - we + # want the symlink to point to the actual file (like + # getty@.service) + + do_by_dir='' + case ${related_unit_type} in + 'Alias') + dosym "${unit_name}" "${systemd_dir}/${scope}/${related_unit_name_to_use}" + ;; + 'WantedBy') do_by_dir='wants';; + 'RequiredBy') do_by_dir='requires';; + 'UpheldBy') do_by_dir='upholds';; + *) die "Should not happen";; + esac + if [[ -n ${do_by_dir} ]]; then + dodir "${systemd_dir}/${scope}/${related_unit_name_to_use}.${do_by_dir}" + dosym "../${unit_name}" "${systemd_dir}/${scope}/${related_unit_name_to_use}.${do_by_dir}/${this_unit_name_to_use}" + fi + done + done + done <"${preset_file}" +} + +cros_post_src_install_flatcar_stuff() { + # We provide our own systemd-user config file in baselayout. + rm "${ED}/usr/share/pam.d/systemd-user" || die + + # Ensure journal directory has correct ownership/mode in inital + # image. This is fixed by systemd-tmpfiles *but* journald starts + # before that and will create the journal if the filesystem is + # already read-write. Conveniently the systemd build system sets + # this up completely wrong. + keepdir /var/log/journal + fowners root:systemd-journal /var/log/journal + fperms 2755 /var/log/journal + + keepdir /var/log/journal/remote + fowners systemd-journal-remote:systemd-journal-remote /var/log/journal/remote + + ( + insopts -m 0644 + insinto /usr/lib/tmpfiles.d + # Add tmpfiles rule for resolv.conf. This path has changed + # after v213 so it must be handled here instead of baselayout + # now. + newins - systemd-resolv.conf <<'EOF' +d /run/systemd/network - - - - - +L /run/systemd/network/resolv.conf - - - - ../resolve/resolv.conf +EOF + ) + + # Don't set any extra environment variables by default. + rm "${ED}/usr/lib/environment.d/99-environment.conf" || die + + # enable system units + flatcar_preset_all_enable "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" system + # enable user units + flatcar_preset_all_enable "${ED}/usr/lib/systemd/user-preset/90-systemd.preset" user + + # Use an empty preset file, because systemctl preset-all puts + # symlinks in /etc, not in /usr. We don't use /etc, because it is + # not autoupdated. We do the "preset" above. + rm "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" || die + rm "${ED}/usr/lib/systemd/user-preset/90-systemd.preset" || die + ( + insinto /usr/lib/systemd/system-preset + newins - 99-default.preset <<'EOF' +# Do not enable any services if /etc is detected as empty. +disable * +EOF + insinto /usr/lib/systemd/user-preset + newins - 99-default.preset <<'EOF' +# Do not enable any services if /etc is detected as empty. +disable * +EOF + ) + + # Do not ship distro-specific files (nsswitch.conf pam.d). This + # conflicts with our own configuration provided by baselayout. + rm -r "${ED}"/usr/share/factory || die + sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \ + -e '/^C!* \/etc\/nsswitch\.conf/d' \ + -e '/^C!* \/etc\/pam\.d/d' \ + -e '/^C!* \/etc\/issue/d' || die + + ( + # Some OEMs prefer chronyd, so allow them to replace + # systemd-timesyncd with it. + insinto "$(systemd_get_systemunitdir)/systemd-timesyncd.service.d" + newins - flatcar.conf <<'EOF' # Allow sysexts to ship timesyncd replacements which can have # a Conflicts=systemd-timesyncd directive that would result # in systemd-timesyncd not being started. [Unit] After=ensure-sysext.service EOF - popd + ) } diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild index 58c53da5152..e4e8dd78919 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild @@ -25,8 +25,7 @@ else fi inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1 -# Flatcar: Inherited tmpfiles -inherit secureboot systemd tmpfiles toolchain-funcs udev +inherit secureboot systemd toolchain-funcs udev DESCRIPTION="System and service manager for Linux" HOMEPAGE="https://systemd.io/" @@ -300,8 +299,7 @@ multilib_src_configure() { -Ddocdir="share/doc/${PF}" # default is developer, bug 918671 -Dmode=release - # Flatcar: Point to our user mailing list. - -Dsupport-url="https://groups.google.com/forum/#!forum/flatcar-linux-user" + -Dsupport-url="https://gentoo.org/support/" -Dpamlibdir="$(getpam_mod_dir)" # avoid bash-completion dep -Dbashcompletiondir="$(get_bashcompdir)" @@ -354,8 +352,7 @@ multilib_src_configure() { $(meson_native_use_feature test dbus) $(meson_native_use_feature ukify) $(meson_native_use_feature xkb xkbcommon) - # Flatcar: Use our ntp servers. - -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org" + -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" # Breaks screen, tmux, etc. -Ddefault-kill-user-processes=false -Dcreate-log-dirs=false @@ -380,42 +377,6 @@ multilib_src_configure() { $(meson_native_true timesyncd) $(meson_native_true tmpfiles) $(meson_native_true vconsole) - # Flatcar: Specify this, or meson breaks due to no - # /etc/login.defs. - -Dsystem-gid-max=999 - -Dsystem-uid-max=999 - - # Flatcar: DBus paths. - -Ddbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services" - -Ddbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services" - - # Flatcar: PAM config directory. - -Dpamconfdir=/usr/share/pam.d - - # Flatcar: The CoreOS epoch, Mon Jul 1 00:00:00 UTC - # 2013. Used by timesyncd as a sanity check for the - # minimum acceptable time. Explicitly set to avoid - # using the current build time. - -Dtime-epoch=1372636800 - - # Flatcar: No default name servers. - -Ddns-servers= - - # Flatcar: Disable the "First Boot Wizard", it isn't - # very applicable to us. - -Dfirstboot=false - - # Flatcar: Set latest network interface naming scheme - # for https://github.com/flatcar/Flatcar/issues/36 - -Ddefault-net-naming-scheme=latest - - # Flatcar: Combined log format: name plus description - -Dstatus-unit-format-default=combined - - # Flatcar: Disable multicast-dns, Link-Local Multicast Name Resolution and dnssec - -Ddefault-mdns=no - -Ddefault-llmnr=no - -Ddefault-dnssec=no ) case $(tc-arch) in @@ -443,9 +404,7 @@ multilib_src_test() { multilib_src_install_all() { einstalldocs - # Flatcar: Do not install sample nsswitch.conf, we don't - # provide it. - # dodoc "${FILESDIR}"/nsswitch.conf + dodoc "${FILESDIR}"/nsswitch.conf insinto /usr/lib/tmpfiles.d doins "${FILESDIR}"/legacy.conf @@ -477,129 +436,23 @@ multilib_src_install_all() { keepdir /var/lib/systemd keepdir /var/log/journal - # Flatcar: We provide our own systemd-user config file in baselayout. - # if use pam; then - # if use selinux; then - # newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user - # else - # newpamd "${FILESDIR}"/systemd-user.pam systemd-user - # fi - # fi + if use pam; then + if use selinux; then + newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user + else + newpamd "${FILESDIR}"/systemd-user.pam systemd-user + fi + fi if use kernel-install; then # Dummy config, remove to make room for sys-kernel/installkernel rm "${ED}/usr/lib/kernel/install.conf" || die fi - # Flatcar: Ensure journal directory has correct ownership/mode - # in inital image. This is fixed by systemd-tmpfiles *but* - # journald starts before that and will create the journal if - # the filesystem is already read-write. Conveniently the - # systemd Makefile sets this up completely wrong. - # - # Flatcar: TODO: Is this still a problem? - dodir /var/log/journal - fowners root:systemd-journal /var/log/journal - fperms 2755 /var/log/journal - - # Flatcar: Don't prune systemd dirs. - dotmpfiles "${FILESDIR}"/systemd-flatcar.conf - # Flatcar: Add tmpfiles rule for resolv.conf. This path has - # changed after v213 so it must be handled here instead of - # baselayout now. - dotmpfiles "${FILESDIR}"/systemd-resolv.conf - - # Flatcar: Don't set any extra environment variables by default. - rm "${ED}/usr/lib/environment.d/99-environment.conf" || die - - # Flatcar: These lines more or less follow the systemd's - # preset file (90-systemd.preset). We do it that way, to avoid - # putting symlinks in /etc. Please keep the lines in the same - # order as the "enable" lines appear in the preset file. For a - # single enable line in preset, there may be more lines if the - # unit file had Also: clause which has units we enable here - # too. - - # Flatcar: enable remote-fs.target - builddir_systemd_enable_service multi-user.target remote-fs.target - # Flatcar: enable remote-cryptsetup.target - if use cryptsetup; then - builddir_systemd_enable_service multi-user.target remote-cryptsetup.target - fi - # Flatcar: enable machines.target - builddir_systemd_enable_service multi-user.target machines.target - # Flatcar: enable getty@.service - dodir "${unitdir}/getty.target.wants" - dosym ../getty@.service "${unitdir}/getty.target.wants/getty@tty1.service" - # Flatcar: enable systemd-timesyncd.service - builddir_systemd_enable_service sysinit.target systemd-timesyncd.service - # Flatcar: enable systemd-networkd.service (Also: systemd-networkd.socket, systemd-networkd-wait-online.service) - builddir_systemd_enable_service multi-user.target systemd-networkd.service - builddir_systemd_enable_service sockets.target systemd-networkd.socket - builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service - # Flatcar: enable systemd-network-generator.service - builddir_systemd_enable_service sysinit.target systemd-network-generator.service - # Flatcar: enable systemd-resolved.service - builddir_systemd_enable_service multi-user.target systemd-resolved.service - # Flatcar: enable systemd-homed.service (Also: systemd-userdbd.service [not enabled - has no WantedBy entry]) - if use homed; then - builddir_systemd_enable_service multi-user.target systemd-homed.target - fi - # Flatcar: enable systemd-userdbd.socket - builddir_systemd_enable_service sockets.target systemd-userdbd.socket - # Flatcar: enable systemd-pstore.service - builddir_systemd_enable_service sysinit.target systemd-pstore.service - # Flatcar: enable systemd-boot-update.service - if use boot; then - builddir_systemd_enable_service sysinit.target systemd-boot-update.service - fi - # Flatcar: enable reboot.target (not enabled - has no WantedBy - # entry) - - # Flatcar: enable systemd-sysext.service by default - builddir_systemd_enable_service sysinit.target systemd-sysext.service - - # Flatcar: Use an empty preset file, because systemctl - # preset-all puts symlinks in /etc, not in /usr. We don't use - # /etc, because it is not autoupdated. We do the "preset" above. - rm "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" || die - insinto /usr/lib/systemd/system-preset - doins "${FILESDIR}"/99-default.preset - - # Flatcar: Do not ship distro-specific files (nsswitch.conf - # pam.d). This conflicts with our own configuration provided - # by baselayout. - rm -rf "${ED}"/usr/share/factory - sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \ - -e '/^C!* \/etc\/nsswitch\.conf/d' \ - -e '/^C!* \/etc\/pam\.d/d' \ - -e '/^C!* \/etc\/issue/d' use ukify && python_fix_shebang "${ED}" use boot && secureboot_auto_sign } -# Flatcar: Our own version of systemd_get_systemunitdir, that returns -# a path inside /usr, not /etc. -builddir_systemd_get_systemunitdir() { - echo "${EPREFIX}/usr/lib/systemd/system" -} - -# Flatcar: Our own version of systemd_enable_service, that does -# operations inside /usr, not /etc. -builddir_systemd_enable_service() { - local target=${1} - local service=${2} - local ud=$(builddir_systemd_get_systemunitdir) - local destname=${service##*/} - - dodir "${ud}"/"${target}".wants && \ - dosym ../"${service}" "${ud}"/"${target}".wants/"${destname}" - - if use boot; then - python_fix_shebang "${ED}" - secureboot_auto_sign - fi -} migrate_locale() { local envd_locale_def="${EROOT}/etc/env.d/02locale" local envd_locale=( "${EROOT}"/etc/env.d/??locale ) @@ -669,15 +522,13 @@ pkg_postinst() { # between OpenRC & systemd migrate_locale - # Flatcar: We enable getty and remote-fs targets in /usr - # ourselves above. - # if [[ -z ${REPLACING_VERSIONS} ]]; then - # if type systemctl &>/dev/null; then - # systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 - # fi - # elog "To enable a useful set of services, run the following:" - # elog " systemctl preset-all --preset-mode=enable-only" - # fi + if [[ -z ${REPLACING_VERSIONS} ]]; then + if type systemctl &>/dev/null; then + systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 + fi + elog "To enable a useful set of services, run the following:" + elog " systemctl preset-all --preset-mode=enable-only" + fi if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then rm "${EROOT}/var/lib/systemd/timesync" From d005038ce1f445419ef91d20f7873b7933dac6ee Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 24 Oct 2025 11:32:20 +0200 Subject: [PATCH 06/11] overlay sys-apps/systemd: Move to portage-stable Signed-off-by: Krzesimir Nowak --- .../{coreos-overlay => portage-stable}/sys-apps/systemd/Manifest | 0 .../sys-apps/systemd/files/99-default.preset | 0 .../sys-apps/systemd/files/gentoo-generator-path-r2.patch | 0 .../sys-apps/systemd/files/gentoo-journald-audit-r1.patch | 0 .../sys-apps/systemd/files/legacy.conf | 0 .../sys-apps/systemd/files/systemd-257-cred-util-tpm2.patch | 0 .../sys-apps/systemd/files/systemd-flatcar.conf | 0 .../sys-apps/systemd/files/systemd-resolv.conf | 0 .../sys-apps/systemd/files/systemd-test-process-util.patch | 0 .../sys-apps/systemd/metadata.xml | 0 .../sys-apps/systemd/systemd-257.7-r1.ebuild | 0 11 files changed, 0 insertions(+), 0 deletions(-) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-apps/systemd/Manifest (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-apps/systemd/files/99-default.preset (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-apps/systemd/files/gentoo-generator-path-r2.patch (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-apps/systemd/files/gentoo-journald-audit-r1.patch (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-apps/systemd/files/legacy.conf (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-apps/systemd/files/systemd-257-cred-util-tpm2.patch (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-apps/systemd/files/systemd-flatcar.conf (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-apps/systemd/files/systemd-resolv.conf (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-apps/systemd/files/systemd-test-process-util.patch (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-apps/systemd/metadata.xml (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-apps/systemd/systemd-257.7-r1.ebuild (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/Manifest similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest rename to sdk_container/src/third_party/portage-stable/sys-apps/systemd/Manifest diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/99-default.preset similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset rename to sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/99-default.preset diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-generator-path-r2.patch b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/gentoo-generator-path-r2.patch similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-generator-path-r2.patch rename to sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/gentoo-generator-path-r2.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-journald-audit-r1.patch b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/gentoo-journald-audit-r1.patch similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-journald-audit-r1.patch rename to sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/gentoo-journald-audit-r1.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/legacy.conf b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/legacy.conf similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/legacy.conf rename to sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/legacy.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-257-cred-util-tpm2.patch b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-257-cred-util-tpm2.patch similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-257-cred-util-tpm2.patch rename to sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-257-cred-util-tpm2.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-flatcar.conf similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf rename to sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-flatcar.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-resolv.conf similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf rename to sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-resolv.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-test-process-util.patch b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-test-process-util.patch similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-test-process-util.patch rename to sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-test-process-util.patch diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/metadata.xml similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml rename to sdk_container/src/third_party/portage-stable/sys-apps/systemd/metadata.xml diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-257.7-r1.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-257.7-r1.ebuild rename to sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-257.7-r1.ebuild From f7c4cd2251ef7d3d5e25df2ba5d7b7a477f42393 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 24 Oct 2025 11:33:08 +0200 Subject: [PATCH 07/11] sys-apps/systemd: Sync with Gentoo It's from Gentoo commit fb9c9753a1649cf9c5310fec774b3b38a76b4253. Signed-off-by: Krzesimir Nowak --- .../portage-stable/sys-apps/systemd/Manifest | 3 +- .../sys-apps/systemd/files/99-default.preset | 2 - .../files/gentoo-journald-audit-r2.patch | 51 ++ .../sys-apps/systemd/files/nsswitch.conf | 27 + .../files/systemd-258-curl-warnings.patch | 38 ++ ...8-resolve-undo-change-to-return-code.patch | 31 + ...md-258-shared-add-missing-alloc-util.patch | 24 + .../systemd/files/systemd-flatcar.conf | 2 - .../systemd/files/systemd-resolv.conf | 2 - .../systemd/files/systemd-user-selinux.pam | 7 + .../sys-apps/systemd/files/systemd-user.pam | 5 + .../sys-apps/systemd/metadata.xml | 4 +- ...d-257.7-r1.ebuild => systemd-257.9.ebuild} | 0 .../sys-apps/systemd/systemd-258-r1.ebuild | 579 ++++++++++++++++++ .../sys-apps/systemd/systemd-9999.ebuild | 576 +++++++++++++++++ 15 files changed, 1343 insertions(+), 8 deletions(-) delete mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/99-default.preset create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/gentoo-journald-audit-r2.patch create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/nsswitch.conf create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-258-curl-warnings.patch create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-258-resolve-undo-change-to-return-code.patch create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-258-shared-add-missing-alloc-util.patch delete mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-flatcar.conf delete mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-resolv.conf create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-user-selinux.pam create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-user.pam rename sdk_container/src/third_party/portage-stable/sys-apps/systemd/{systemd-257.7-r1.ebuild => systemd-257.9.ebuild} (100%) create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-258-r1.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-9999.ebuild diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/Manifest b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/Manifest index 4c8c2478b9f..56482468857 100644 --- a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/Manifest +++ b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/Manifest @@ -1 +1,2 @@ -DIST systemd-257.7.tar.gz 16327096 BLAKE2B 59a28ce9b355b98f718f26489400640f3d732bbf73c00ea0571302dfc6dfb3585bf07ec56af06d74c5aa033b06a6220c3c839af6dba5ab7f8bde1aef4b58f0f6 SHA512 fdc7c0153432b261ad8018c869dc714ce1d6d2a8428bdec46f7c5f120b196d3a553a375ae433f0c166c57b6e8b3c56549f585349b7b6ff83c2a86a32982d8411 +DIST systemd-257.9.tar.gz 16401765 BLAKE2B c3ad528d37b89de8f82548807e950b59aab43f875a533ad983169eb539594e5e8230b6b562caee5297dcec4572e27df0e53ebee04f79e85f429f47862031592e SHA512 23b3d2764e0f990d8373068ccb41177793413bc193f7bd34e38b03d6fc3cd32d07c86e9dcbf07e32904075bb5eeca208f65beab04d628ac0e0b81ba87a975c1b +DIST systemd-258.tar.gz 16976853 BLAKE2B c63bc09bff11ba4cf6e87bef689250a6b354bf8f5bfb5af6d2a173fa1e1838aa457a8a7db66f7aad20dae25b7a0defddcb052d53f18a688a2dd6d5f323d4692a SHA512 c488354da1c170ad02e10926f561d1985c3c3393fec878562f295ef764fdf3a1b2877c3b2549253f19bf23e357be6e443a50b937f60f4677f286d3402d611b85 diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/99-default.preset b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/99-default.preset deleted file mode 100644 index d2545d5d1d1..00000000000 --- a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/99-default.preset +++ /dev/null @@ -1,2 +0,0 @@ -# Do not enable any services if /etc is detected as empty. -disable * diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/gentoo-journald-audit-r2.patch b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/gentoo-journald-audit-r2.patch new file mode 100644 index 00000000000..0b1b16e6969 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/gentoo-journald-audit-r2.patch @@ -0,0 +1,51 @@ +From 7b9ee7375ca9a1521ff36dd9ceb8a26e59572a6e Mon Sep 17 00:00:00 2001 +From: Mike Gilbert +Date: Wed, 17 Sep 2025 15:40:57 -0400 +Subject: [PATCH] journald: do not change the kernel audit setting by default + +Bug: https://bugs.gentoo.org/736910 +--- + man/journald.conf.xml | 2 +- + src/journal/journald-config.c | 2 +- + src/journal/journald.conf | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/man/journald.conf.xml b/man/journald.conf.xml +index 1a68ba8698..a9a77a51d1 100644 +--- a/man/journald.conf.xml ++++ b/man/journald.conf.xml +@@ -482,7 +482,7 @@ + kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor + disable it, leaving the previous state unchanged. This means if another tool turns on auditing even + if systemd-journald left it off, it will still collect the generated +- messages. Defaults to on in the default journal namespace, and unset otherwise. ++ messages. + + Note that this option does not control whether systemd-journald collects + generated audit records, it just controls whether it tells the kernel to generate them. If you need +diff --git a/src/journal/journald-config.c b/src/journal/journald-config.c +index dd2e29e296..4160fa2ab9 100644 +--- a/src/journal/journald-config.c ++++ b/src/journal/journald-config.c +@@ -122,7 +122,7 @@ void manager_merge_configs(Manager *m) { + MERGE_NON_NEGATIVE(read_kmsg, !m->namespace); + /* By default, kernel auditing is enabled by the main namespace instance, and not controlled by + * non-default namespace instances. */ +- MERGE_NON_NEGATIVE(set_audit, m->namespace ? -1 : true); ++ MERGE_NON_NEGATIVE(set_audit, -1); + MERGE_NON_ZERO(sync_interval_usec, DEFAULT_SYNC_INTERVAL_USEC); + + /* TODO: also merge them when comdline or credentials support to configure them. */ +diff --git a/src/journal/journald.conf b/src/journal/journald.conf +index 9a12ca7657..e42efbcf84 100644 +--- a/src/journal/journald.conf ++++ b/src/journal/journald.conf +@@ -47,4 +47,4 @@ + #MaxLevelSocket=debug + #LineMax=48K + #ReadKMsg=yes +-#Audit=yes ++#Audit= +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/nsswitch.conf b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/nsswitch.conf new file mode 100644 index 00000000000..91dbe757f9f --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/nsswitch.conf @@ -0,0 +1,27 @@ +# Sample nss configuration for systemd + +# systemd-specific modules +# See the manual pages fore further information. +# nss-myhostname - host resolution for the local hostname +# nss-mymachines - host, user, group resolution for containers +# nss-resolve - host resolution using resolved +# nss-systemd - dynamic user/group resolution (DynamicUser in unit files) + +passwd: files mymachines systemd +shadow: files +group: files mymachines systemd +gshadow: files + +hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname +networks: files + +services: db files +protocols: db files +rpc: db files +ethers: db files +netmasks: files +netgroup: files +bootparams: files + +automount: files +aliases: files diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-258-curl-warnings.patch b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-258-curl-warnings.patch new file mode 100644 index 00000000000..1b190b4dff2 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-258-curl-warnings.patch @@ -0,0 +1,38 @@ +https://bugs.gentoo.org/963528 + +From 1403faeb152e24ef74230891cc6bf1875292324f Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 19 Sep 2025 11:29:36 +0200 +Subject: [PATCH] tree-wide: Fix two curl warnings + +--- + src/import/pull-job.c | 2 +- + src/journal-remote/journal-upload.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/import/pull-job.c b/src/import/pull-job.c +index a0b0ef54061b9..b457c39ed1800 100644 +--- a/src/import/pull-job.c ++++ b/src/import/pull-job.c +@@ -759,7 +759,7 @@ int pull_job_begin(PullJob *j) { + if (curl_easy_setopt(j->curl, CURLOPT_XFERINFODATA, j) != CURLE_OK) + return -EIO; + +- if (curl_easy_setopt(j->curl, CURLOPT_NOPROGRESS, 0) != CURLE_OK) ++ if (curl_easy_setopt(j->curl, CURLOPT_NOPROGRESS, 0L) != CURLE_OK) + return -EIO; + + r = curl_glue_add(j->glue, j->curl); +diff --git a/src/journal-remote/journal-upload.c b/src/journal-remote/journal-upload.c +index d669d27274f6a..05f0dad038449 100644 +--- a/src/journal-remote/journal-upload.c ++++ b/src/journal-remote/journal-upload.c +@@ -308,7 +308,7 @@ int start_upload(Uploader *u, + } + + if (STRPTR_IN_SET(arg_trust, "-", "all")) +- easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0, ++ easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L, + LOG_ERR, return -EUCLEAN); + else if (arg_trust || startswith(u->url, "https://")) + easy_setopt(curl, CURLOPT_CAINFO, arg_trust ?: TRUST_FILE, diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-258-resolve-undo-change-to-return-code.patch b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-258-resolve-undo-change-to-return-code.patch new file mode 100644 index 00000000000..f0c55dae6d5 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-258-resolve-undo-change-to-return-code.patch @@ -0,0 +1,31 @@ +https://bugs.gentoo.org/963560 +https://github.com/systemd/systemd/pull/39119 + +From 6cae201ca1b0bf4a136bdf1002b4bc7983f0ceee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mantas=20Mikul=C4=97nas?= +Date: Thu, 25 Sep 2025 22:52:18 +0300 +Subject: [PATCH] resolve: undo change to return code of next_search_domain() + (#39119) + +This caused resolved to only consider the 1st search domain of every +interface and ignore the rest. + +Fixes a regression caused by 81ae2237c1792943a1ec712ae2e630bcc592175b (v258). +Fixes #39118. +--- + src/resolve/resolved-dns-query.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c +index 8ad7bff398d85..4e11ad87bf545 100644 +--- a/src/resolve/resolved-dns-query.c ++++ b/src/resolve/resolved-dns-query.c +@@ -147,7 +147,7 @@ static int dns_query_candidate_next_search_domain(DnsQueryCandidate *c) { + dns_search_domain_unref(c->search_domain); + c->search_domain = dns_search_domain_ref(next); + +- return 0; ++ return 1; + } + + static int dns_query_candidate_add_transaction( diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-258-shared-add-missing-alloc-util.patch b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-258-shared-add-missing-alloc-util.patch new file mode 100644 index 00000000000..f384b3fece5 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-258-shared-add-missing-alloc-util.patch @@ -0,0 +1,24 @@ +https://bugs.gentoo.org/963481 +https://github.com/systemd/systemd/pull/39149 + +From 3df39cedda01dec35e49f1ab5632cf9f325e5320 Mon Sep 17 00:00:00 2001 +From: Xarblu +Date: Fri, 26 Sep 2025 21:40:50 +0200 +Subject: [PATCH] shared: add missing alloc-util.h include + +Needed for _cleanup_free_ +--- + src/shared/password-quality-util-passwdqc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/shared/password-quality-util-passwdqc.c b/src/shared/password-quality-util-passwdqc.c +index d74e0fb7f2370..844068a4d64a3 100644 +--- a/src/shared/password-quality-util-passwdqc.c ++++ b/src/shared/password-quality-util-passwdqc.c +@@ -1,5 +1,6 @@ + /* SPDX-License-Identifier: LGPL-2.1-or-later */ + ++#include "alloc-util.h" + #include "dlfcn-util.h" + #include "errno-util.h" + #include "log.h" diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-flatcar.conf b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-flatcar.conf deleted file mode 100644 index 8a5df37ce26..00000000000 --- a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-flatcar.conf +++ /dev/null @@ -1,2 +0,0 @@ -# This seems to be our own addition. -d /var/log/journal/remote - systemd-journal-remote systemd-journal-remote - - diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-resolv.conf b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-resolv.conf deleted file mode 100644 index 32b7e9d2144..00000000000 --- a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-resolv.conf +++ /dev/null @@ -1,2 +0,0 @@ -d /run/systemd/network - - - - - -L /run/systemd/network/resolv.conf - - - - ../resolve/resolv.conf diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-user-selinux.pam b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-user-selinux.pam new file mode 100644 index 00000000000..0d5d6beb34d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-user-selinux.pam @@ -0,0 +1,7 @@ +account include system-auth + +session required pam_selinux.so close +session required pam_selinux.so nottys open +session required pam_loginuid.so +session include system-auth +session optional pam_systemd.so diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-user.pam b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-user.pam new file mode 100644 index 00000000000..38ae3211f8d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/files/systemd-user.pam @@ -0,0 +1,5 @@ +account include system-auth + +session required pam_loginuid.so +session include system-auth +session optional pam_systemd.so diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/metadata.xml index c9b8604a3c6..b4a8e30ee3d 100644 --- a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/metadata.xml +++ b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/metadata.xml @@ -11,6 +11,7 @@ Enable support for sys-process/audit Enable EFI boot manager and stub loader + Enable BPF support for sandboxing and firewalling. Default to hybrid (legacy) cgroup hierarchy instead of unified (modern). Enable support for uploading journals Enable cryptsetup tools (includes unit generator for crypttab) @@ -26,8 +27,9 @@ Enable kernel module loading via sys-apps/kmod Enable lz4 compression for the journal Enable use of dev-libs/openssl for various features + Use sys-auth/passwdqc for password checking in homed Enable PKCS#11 support for cryptsetup and homed - Enable password quality checking in homed + Use dev-libs/libpwquality for password checking in homed Enable qrcode output support in journal Install resolvconf symlink for systemd-resolve Install sysvinit compatibility symlinks and manpages for init, telinit, halt, poweroff, reboot, runlevel, and shutdown diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-257.7-r1.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-257.9.ebuild similarity index 100% rename from sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-257.7-r1.ebuild rename to sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-257.9.ebuild diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-258-r1.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-258-r1.ebuild new file mode 100644 index 00000000000..448bbe2d954 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-258-r1.ebuild @@ -0,0 +1,579 @@ +# Copyright 2011-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 +PYTHON_COMPAT=( python3_{11..13} ) + +# Avoid QA warnings +TMPFILES_OPTIONAL=1 +UDEV_OPTIONAL=1 + +QA_PKGCONFIG_VERSION=$(ver_cut 1) + +if [[ ${PV} == 9999 ]]; then + EGIT_REPO_URI="https://github.com/systemd/systemd.git" + inherit git-r3 +else + MY_PV=${PV/_/-} + MY_P=${PN}-${MY_PV} + S=${WORKDIR}/${MY_P} + SRC_URI="https://github.com/systemd/${PN}/archive/refs/tags/v${MY_PV}.tar.gz -> ${MY_P}.tar.gz" + + if [[ ${PV} != *rc* ]] ; then + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" + fi +fi + +inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1 +inherit secureboot systemd toolchain-funcs udev + +DESCRIPTION="System and service manager for Linux" +HOMEPAGE="https://systemd.io/" + +LICENSE="GPL-2 LGPL-2.1 MIT public-domain" +SLOT="0/2" +IUSE=" + acl apparmor audit boot bpf cgroup-hybrid cryptsetup curl +dns-over-tls elfutils + fido2 +gcrypt gnutls homed http idn importd iptables +kernel-install +kmod + +lz4 lzma +openssl pam passwdqc pcre pkcs11 policykit pwquality qrcode + +resolvconf +seccomp selinux split-usr +sysv-utils test tpm ukify vanilla xkb +zstd +" +REQUIRED_USE=" + ${PYTHON_REQUIRED_USE} + dns-over-tls? ( openssl ) + fido2? ( cryptsetup openssl ) + homed? ( cryptsetup pam openssl ) + importd? ( curl lzma openssl ) + ?? ( passwdqc pwquality ) + passwdqc? ( homed ) + pwquality? ( homed ) + boot? ( kernel-install ) + ukify? ( boot ) +" +RESTRICT="!test? ( test )" + +MINKV="4.15" + +COMMON_DEPEND=" + >=sys-apps/util-linux-2.32:0=[${MULTILIB_USEDEP}] + sys-libs/libcap:0=[${MULTILIB_USEDEP}] + virtual/libcrypt:=[${MULTILIB_USEDEP}] + acl? ( sys-apps/acl:0= ) + apparmor? ( >=sys-libs/libapparmor-2.13:0= ) + audit? ( >=sys-process/audit-2:0= ) + bpf? ( >=dev-libs/libbpf-1.4.0:0= ) + cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= ) + curl? ( >=net-misc/curl-7.32.0:0= ) + elfutils? ( >=dev-libs/elfutils-0.158:0= ) + fido2? ( + dev-libs/libfido2:0= + ) + gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) + gnutls? ( >=net-libs/gnutls-3.6.0:0= ) + http? ( >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] ) + idn? ( net-dns/libidn2:= ) + importd? ( + app-arch/bzip2:0= + sys-libs/zlib:0= + ) + kmod? ( >=sys-apps/kmod-15:0= ) + lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] ) + lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] ) + iptables? ( net-firewall/iptables:0= ) + openssl? ( >=dev-libs/openssl-1.1.0:0= ) + pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] ) + passwdqc? ( sys-auth/passwdqc:0= ) + pkcs11? ( >=app-crypt/p11-kit-0.23.3:0= ) + pcre? ( dev-libs/libpcre2 ) + pwquality? ( >=dev-libs/libpwquality-1.4.1:0= ) + qrcode? ( >=media-gfx/qrencode-3:0= ) + seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) + selinux? ( >=sys-libs/libselinux-2.1.9:0= ) + tpm? ( app-crypt/tpm2-tss:0= ) + xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= ) + zstd? ( >=app-arch/zstd-1.4.0:0=[${MULTILIB_USEDEP}] ) +" + +# Newer linux-headers needed by ia64, bug #480218 +DEPEND="${COMMON_DEPEND} + >=sys-kernel/linux-headers-${MINKV} +" + +PEFILE_DEPEND='dev-python/pefile[${PYTHON_USEDEP}]' + +# baselayout-2.2 has /run +RDEPEND="${COMMON_DEPEND} + >=acct-group/adm-0-r1 + >=acct-group/wheel-0-r1 + >=acct-group/kmem-0-r1 + >=acct-group/tty-0-r1 + >=acct-group/utmp-0-r1 + >=acct-group/audio-0-r1 + >=acct-group/cdrom-0-r1 + acct-group/clock + >=acct-group/dialout-0-r1 + >=acct-group/disk-0-r1 + >=acct-group/input-0-r1 + >=acct-group/kvm-0-r1 + >=acct-group/lp-0-r1 + >=acct-group/render-0-r1 + acct-group/sgx + >=acct-group/tape-0-r1 + acct-group/users + >=acct-group/video-0-r1 + >=acct-group/systemd-journal-0-r1 + >=acct-user/root-0-r1 + acct-user/nobody + >=acct-user/systemd-journal-remote-0-r1 + >=acct-user/systemd-coredump-0-r1 + >=acct-user/systemd-network-0-r1 + acct-user/systemd-oom + >=acct-user/systemd-resolve-0-r1 + >=acct-user/systemd-timesync-0-r1 + >=sys-apps/baselayout-2.2 + ukify? ( + ${PYTHON_DEPS} + $(python_gen_cond_dep "${PEFILE_DEPEND}") + ) + selinux? ( + sec-policy/selinux-base-policy[systemd] + sec-policy/selinux-ntp + ) + sysv-utils? ( + !sys-apps/openrc[sysv-utils(-)] + !sys-apps/sysvinit + ) + !sysv-utils? ( sys-apps/sysvinit ) + resolvconf? ( !net-dns/openresolv ) + !sys-apps/hwids[udev] + !sys-auth/nss-myhostname + !sys-fs/eudev + !sys-fs/udev +" + +# sys-apps/dbus: the daemon only (+ build-time lib dep for tests) +PDEPEND=">=sys-apps/dbus-1.9.8[systemd] + >=sys-fs/udev-init-scripts-34 + policykit? ( sys-auth/polkit ) + !vanilla? ( sys-apps/gentoo-systemd-integration )" + +BDEPEND=" + app-arch/xz-utils:0 + dev-util/gperf + >=dev-build/meson-0.46 + >=sys-apps/coreutils-8.16 + sys-devel/gettext + virtual/pkgconfig + bpf? ( + >=dev-util/bpftool-7.0.0 + sys-devel/bpf-toolchain + ) + test? ( + app-text/tree + dev-lang/perl + sys-apps/dbus + ) + app-text/docbook-xml-dtd:4.2 + app-text/docbook-xml-dtd:4.5 + app-text/docbook-xsl-stylesheets + dev-libs/libxslt:0 + ${PYTHON_DEPS} + $(python_gen_cond_dep " + dev-python/jinja2[\${PYTHON_USEDEP}] + dev-python/lxml[\${PYTHON_USEDEP}] + boot? ( + >=dev-python/pyelftools-0.30[\${PYTHON_USEDEP}] + test? ( ${PEFILE_DEPEND} ) + ) + ") +" + +QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*" +QA_EXECSTACK="usr/lib/systemd/boot/efi/*" + +check_cgroup_layout() { + # https://bugs.gentoo.org/935261 + [[ ${MERGE_TYPE} != buildonly ]] || return + [[ -z ${ROOT} ]] || return + [[ -e /sys/fs/cgroup/unified ]] || return + grep -q 'SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1' /proc/cmdline && return + + eerror "This system appears to be booted with the 'hybrid' cgroup layout." + eerror "This layout obsolete and is disabled in systemd." + + if grep -qF 'systemd.unified_cgroup_hierarchy'; then + eerror "Remove the systemd.unified_cgroup_hierarchy option" + eerror "from the kernel command line and reboot." + die "hybrid cgroup layout detected" + fi +} + +pkg_pretend() { + if use split-usr; then + eerror "Please complete the migration to merged-usr." + eerror "https://wiki.gentoo.org/wiki/Merge-usr" + die "systemd no longer supports split-usr" + fi + + check_cgroup_layout + + if use cgroup-hybrid; then + eerror "Disable the 'cgroup-hybrid' USE flag." + eerror "Rebuild any initramfs images after rebuilding systemd." + die "cgroup-hybrid is no longer supported" + fi + + if [[ ${MERGE_TYPE} != buildonly ]]; then + local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS + ~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE + ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS + ~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS + ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH + ~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED + ~!SYSFS_DEPRECATED_V2" + + use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" + use bpf && CONFIG_CHECK+=" ~BPF ~BPF_SYSCALL ~BPF_LSM ~DEBUG_INFO_BTF" + use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER" + + if kernel_is -ge 5 10 20; then + CONFIG_CHECK+=" ~KCMP" + else + CONFIG_CHECK+=" ~CHECKPOINT_RESTORE" + fi + + if kernel_is -ge 4 18; then + CONFIG_CHECK+=" ~AUTOFS_FS" + else + CONFIG_CHECK+=" ~AUTOFS4_FS" + fi + + if linux_config_exists; then + local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH) + if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then + ewarn "It's recommended to set an empty value to the following kernel config option:" + ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}" + fi + if linux_chkconfig_present X86; then + CONFIG_CHECK+=" ~DMIID" + fi + fi + + if kernel_is -lt ${MINKV//./ }; then + ewarn "Kernel version at least ${MINKV} required" + fi + + check_extra_config + fi +} + +pkg_setup() { + use boot && secureboot_pkg_setup +} + +src_unpack() { + default + [[ ${PV} != 9999 ]] || git-r3_src_unpack +} + +src_prepare() { + local PATCHES=( + "${FILESDIR}/systemd-258-shared-add-missing-alloc-util.patch" + "${FILESDIR}/systemd-258-resolve-undo-change-to-return-code.patch" + "${FILESDIR}/systemd-258-curl-warnings.patch" + ) + + if ! use vanilla; then + PATCHES+=( + "${FILESDIR}/gentoo-journald-audit-r2.patch" + ) + fi + + default +} + +src_configure() { + # Prevent conflicts with i686 cross toolchain, bug 559726 + tc-export AR CC NM OBJCOPY RANLIB + + python_setup + + multilib-minimal_src_configure +} + +multilib_src_configure() { + local myconf=( + --localstatedir="${EPREFIX}/var" + -Ddocdir="share/doc/${PF}" + # default is developer, bug 918671 + -Dmode=release + -Dsupport-url="https://gentoo.org/support/" + -Dpamlibdir="$(getpam_mod_dir)" + # avoid bash-completion dep + -Dbashcompletiondir="$(get_bashcompdir)" + -Dsplit-bin=false + # Disable compatibility with sysvinit + -Dsysvinit-path= + -Dsysvrcnd-path= + # no deps + -Dima=true + # Match /etc/shells, bug 919749 + -Ddebug-shell="${EPREFIX}/bin/sh" + -Ddefault-user-shell="${EPREFIX}/bin/bash" + # Optional components/dependencies + $(meson_native_use_feature acl) + $(meson_native_use_feature apparmor) + $(meson_native_use_feature audit) + $(meson_native_use_feature boot bootloader) + $(meson_native_use_feature bpf bpf-framework) + -Dbpf-compiler=gcc + $(meson_native_use_feature cryptsetup libcryptsetup) + $(meson_native_use_feature curl libcurl) + $(meson_native_use_bool dns-over-tls dns-over-tls) + $(meson_native_use_feature elfutils) + $(meson_native_use_feature fido2 libfido2) + $(meson_feature gcrypt) + $(meson_native_use_feature gnutls) + $(meson_native_use_feature homed) + $(meson_native_use_feature http microhttpd) + $(meson_native_use_bool idn) + $(meson_native_use_feature importd) + $(meson_native_use_feature importd bzip2) + $(meson_native_use_feature importd zlib) + $(meson_native_use_bool kernel-install) + $(meson_native_use_feature kmod) + $(meson_feature lz4) + $(meson_feature lzma xz) + $(meson_use test tests) + $(meson_feature zstd) + $(meson_native_use_feature iptables libiptc) + $(meson_native_use_feature openssl) + $(meson_feature pam) + $(meson_native_use_feature passwdqc) + $(meson_native_use_feature pkcs11 p11kit) + $(meson_native_use_feature pcre pcre2) + $(meson_native_use_feature policykit polkit) + $(meson_native_use_feature pwquality) + $(meson_native_use_feature qrcode qrencode) + $(meson_native_use_feature seccomp) + $(meson_native_use_feature selinux) + $(meson_native_use_feature tpm tpm2) + $(meson_native_use_feature test dbus) + $(meson_native_use_feature ukify) + $(meson_native_use_feature xkb xkbcommon) + -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" + # Breaks screen, tmux, etc. + -Ddefault-kill-user-processes=false + -Dcreate-log-dirs=false + + # multilib options + $(meson_native_true backlight) + $(meson_native_true binfmt) + $(meson_native_true coredump) + $(meson_native_true environment-d) + $(meson_native_true firstboot) + $(meson_native_true hibernate) + $(meson_native_true hostnamed) + $(meson_native_true ldconfig) + $(meson_native_true localed) + $(meson_native_enabled man) + $(meson_native_true networkd) + $(meson_native_true quotacheck) + $(meson_native_true randomseed) + $(meson_native_true rfkill) + $(meson_native_true sysusers) + $(meson_native_true timedated) + $(meson_native_true timesyncd) + $(meson_native_true tmpfiles) + $(meson_native_true vconsole) + ) + + case $(tc-arch) in + amd64|arm|arm64|loong|ppc|ppc64|riscv|s390|x86) + # src/vmspawn/vmspawn-util.h: QEMU_MACHINE_TYPE + myconf+=( $(meson_native_enabled vmspawn) ) ;; + *) + myconf+=( -Dvmspawn=disabled ) ;; + esac + + meson_src_configure "${myconf[@]}" +} + +multilib_src_test() { + ( + unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR + export COLUMNS=80 + addpredict /dev + addpredict /proc + addpredict /run + addpredict /sys/fs/cgroup + meson_src_test --timeout-multiplier=10 + ) || die +} + +multilib_src_install_all() { + einstalldocs + dodoc "${FILESDIR}"/nsswitch.conf + + insinto /usr/lib/tmpfiles.d + doins "${FILESDIR}"/legacy.conf + + if ! use resolvconf; then + rm -f "${ED}"/usr/bin/resolvconf || die + fi + + if ! use sysv-utils; then + rm "${ED}"/usr/bin/{halt,init,poweroff,reboot,shutdown} || die + rm "${ED}"/usr/share/man/man1/init.1 || die + rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,shutdown}.8 || die + fi + + # https://bugs.gentoo.org/761763 + rm -r "${ED}"/usr/lib/sysusers.d || die + + # Preserve empty dirs in /etc & /var, bug #437008 + keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} + keepdir /etc/kernel/install.d + keepdir /etc/systemd/{network,system,user} + keepdir /etc/udev/rules.d + + keepdir /etc/udev/hwdb.d + + keepdir /usr/lib/systemd/{system-sleep,system-shutdown} + keepdir /usr/lib/{binfmt.d,modules-load.d} + keepdir /usr/lib/systemd/user-generators + keepdir /var/lib/systemd + keepdir /var/log/journal + + if use pam; then + if use selinux; then + newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user + else + newpamd "${FILESDIR}"/systemd-user.pam systemd-user + fi + fi + + if use kernel-install; then + # Dummy config, remove to make room for sys-kernel/installkernel + rm "${ED}/usr/lib/kernel/install.conf" || die + fi + + use ukify && python_fix_shebang "${ED}" + use boot && secureboot_auto_sign +} + +migrate_locale() { + local envd_locale_def="${EROOT}/etc/env.d/02locale" + local envd_locale=( "${EROOT}"/etc/env.d/??locale ) + local locale_conf="${EROOT}/etc/locale.conf" + + if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then + # If locale.conf does not exist... + if [[ -e ${envd_locale} ]]; then + # ...either copy env.d/??locale if there's one + ebegin "Moving ${envd_locale} to ${locale_conf}" + mv "${envd_locale}" "${locale_conf}" + eend ${?} || FAIL=1 + else + # ...or create a dummy default + ebegin "Creating ${locale_conf}" + cat > "${locale_conf}" <<-EOF + # This file has been created by the sys-apps/systemd ebuild. + # See locale.conf(5) and localectl(1). + + # LANG=${LANG} + EOF + eend ${?} || FAIL=1 + fi + fi + + if [[ ! -L ${envd_locale} ]]; then + # now, if env.d/??locale is not a symlink (to locale.conf)... + if [[ -e ${envd_locale} ]]; then + # ...warn the user that he has duplicate locale settings + ewarn + ewarn "To ensure consistent behavior, you should replace ${envd_locale}" + ewarn "with a symlink to ${locale_conf}. Please migrate your settings" + ewarn "and create the symlink with the following command:" + ewarn "ln -s -n -f ../locale.conf ${envd_locale}" + ewarn + else + # ...or just create the symlink if there's nothing here + ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink" + ln -n -s ../locale.conf "${envd_locale_def}" + eend ${?} || FAIL=1 + fi + fi +} + +pkg_preinst() { + if [[ -e ${EROOT}/etc/sysctl.conf ]]; then + # Symlink /etc/sysctl.conf for easy migration. + dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf + fi + + if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then + ewarn "The 'gnuefi' USE flag has been renamed to 'boot'." + ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot." + fi +} + +pkg_postinst() { + systemd_update_catalog + + # Keep this here in case the database format changes so it gets updated + # when required. + systemd-hwdb --root="${ROOT}" update + + udev_reload || FAIL=1 + + # Bug 465468, make sure locales are respected, and ensure consistency + # between OpenRC & systemd + migrate_locale + + if [[ -z ${REPLACING_VERSIONS} ]]; then + if type systemctl &>/dev/null; then + systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 + fi + elog "To enable a useful set of services, run the following:" + elog " systemctl preset-all --preset-mode=enable-only" + fi + + if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then + rm "${EROOT}/var/lib/systemd/timesync" + fi + + if [[ -z ${ROOT} && -d /run/systemd/system ]]; then + ebegin "Reexecuting system manager (systemd)" + systemctl daemon-reexec + eend $? || FAIL=1 + + # https://lists.freedesktop.org/archives/systemd-devel/2024-June/050466.html + ebegin "Signaling user managers to reexec" + systemctl kill --kill-whom='main' --signal='SIGRTMIN+25' 'user@*.service' + eend $? + fi + + if [[ ${FAIL} ]]; then + eerror "One of the postinst commands failed. Please check the postinst output" + eerror "for errors. You may need to clean up your system and/or try installing" + eerror "systemd again." + eerror + fi + + if use boot; then + optfeature "installing kernels in systemd-boot's native layout and update loader entries" \ + "sys-kernel/installkernel[systemd-boot]" + fi + if use ukify; then + optfeature "generating unified kernel image on each kernel installation" \ + "sys-kernel/installkernel[ukify]" + fi +} + +pkg_prerm() { + # If removing systemd completely, remove the catalog database. + if [[ ! ${REPLACED_BY_VERSION} ]]; then + rm -f -v "${EROOT}"/var/lib/systemd/catalog/database + fi +} diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-9999.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-9999.ebuild new file mode 100644 index 00000000000..c43a7c67038 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/systemd/systemd-9999.ebuild @@ -0,0 +1,576 @@ +# Copyright 2011-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 +PYTHON_COMPAT=( python3_{11..13} ) + +# Avoid QA warnings +TMPFILES_OPTIONAL=1 +UDEV_OPTIONAL=1 + +QA_PKGCONFIG_VERSION=$(ver_cut 1) + +if [[ ${PV} == 9999 ]]; then + EGIT_REPO_URI="https://github.com/systemd/systemd.git" + inherit git-r3 +else + MY_PV=${PV/_/-} + MY_P=${PN}-${MY_PV} + S=${WORKDIR}/${MY_P} + SRC_URI="https://github.com/systemd/${PN}/archive/refs/tags/v${MY_PV}.tar.gz -> ${MY_P}.tar.gz" + + if [[ ${PV} != *rc* ]] ; then + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" + fi +fi + +inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1 +inherit secureboot systemd toolchain-funcs udev + +DESCRIPTION="System and service manager for Linux" +HOMEPAGE="https://systemd.io/" + +LICENSE="GPL-2 LGPL-2.1 MIT public-domain" +SLOT="0/2" +IUSE=" + acl apparmor audit boot bpf cgroup-hybrid cryptsetup curl +dns-over-tls elfutils + fido2 +gcrypt gnutls homed http idn importd iptables +kernel-install +kmod + +lz4 lzma +openssl pam passwdqc pcre pkcs11 policykit pwquality qrcode + +resolvconf +seccomp selinux split-usr +sysv-utils test tpm ukify vanilla xkb +zstd +" +REQUIRED_USE=" + ${PYTHON_REQUIRED_USE} + dns-over-tls? ( openssl ) + fido2? ( cryptsetup openssl ) + homed? ( cryptsetup pam openssl ) + importd? ( curl lzma openssl ) + ?? ( passwdqc pwquality ) + passwdqc? ( homed ) + pwquality? ( homed ) + boot? ( kernel-install ) + ukify? ( boot ) +" +RESTRICT="!test? ( test )" + +MINKV="4.15" + +COMMON_DEPEND=" + >=sys-apps/util-linux-2.32:0=[${MULTILIB_USEDEP}] + sys-libs/libcap:0=[${MULTILIB_USEDEP}] + virtual/libcrypt:=[${MULTILIB_USEDEP}] + acl? ( sys-apps/acl:0= ) + apparmor? ( >=sys-libs/libapparmor-2.13:0= ) + audit? ( >=sys-process/audit-2:0= ) + bpf? ( >=dev-libs/libbpf-1.4.0:0= ) + cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= ) + curl? ( >=net-misc/curl-7.32.0:0= ) + elfutils? ( >=dev-libs/elfutils-0.158:0= ) + fido2? ( + dev-libs/libfido2:0= + ) + gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) + gnutls? ( >=net-libs/gnutls-3.6.0:0= ) + http? ( >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] ) + idn? ( net-dns/libidn2:= ) + importd? ( + app-arch/bzip2:0= + sys-libs/zlib:0= + ) + kmod? ( >=sys-apps/kmod-15:0= ) + lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] ) + lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] ) + iptables? ( net-firewall/iptables:0= ) + openssl? ( >=dev-libs/openssl-1.1.0:0= ) + pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] ) + passwdqc? ( sys-auth/passwdqc:0= ) + pkcs11? ( >=app-crypt/p11-kit-0.23.3:0= ) + pcre? ( dev-libs/libpcre2 ) + pwquality? ( >=dev-libs/libpwquality-1.4.1:0= ) + qrcode? ( >=media-gfx/qrencode-3:0= ) + seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) + selinux? ( >=sys-libs/libselinux-2.1.9:0= ) + tpm? ( app-crypt/tpm2-tss:0= ) + xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= ) + zstd? ( >=app-arch/zstd-1.4.0:0=[${MULTILIB_USEDEP}] ) +" + +# Newer linux-headers needed by ia64, bug #480218 +DEPEND="${COMMON_DEPEND} + >=sys-kernel/linux-headers-${MINKV} +" + +PEFILE_DEPEND='dev-python/pefile[${PYTHON_USEDEP}]' + +# baselayout-2.2 has /run +RDEPEND="${COMMON_DEPEND} + >=acct-group/adm-0-r1 + >=acct-group/wheel-0-r1 + >=acct-group/kmem-0-r1 + >=acct-group/tty-0-r1 + >=acct-group/utmp-0-r1 + >=acct-group/audio-0-r1 + >=acct-group/cdrom-0-r1 + acct-group/clock + >=acct-group/dialout-0-r1 + >=acct-group/disk-0-r1 + >=acct-group/input-0-r1 + >=acct-group/kvm-0-r1 + >=acct-group/lp-0-r1 + >=acct-group/render-0-r1 + acct-group/sgx + >=acct-group/tape-0-r1 + acct-group/users + >=acct-group/video-0-r1 + >=acct-group/systemd-journal-0-r1 + >=acct-user/root-0-r1 + acct-user/nobody + >=acct-user/systemd-journal-remote-0-r1 + >=acct-user/systemd-coredump-0-r1 + >=acct-user/systemd-network-0-r1 + acct-user/systemd-oom + >=acct-user/systemd-resolve-0-r1 + >=acct-user/systemd-timesync-0-r1 + >=sys-apps/baselayout-2.2 + ukify? ( + ${PYTHON_DEPS} + $(python_gen_cond_dep "${PEFILE_DEPEND}") + ) + selinux? ( + sec-policy/selinux-base-policy[systemd] + sec-policy/selinux-ntp + ) + sysv-utils? ( + !sys-apps/openrc[sysv-utils(-)] + !sys-apps/sysvinit + ) + !sysv-utils? ( sys-apps/sysvinit ) + resolvconf? ( !net-dns/openresolv ) + !sys-apps/hwids[udev] + !sys-auth/nss-myhostname + !sys-fs/eudev + !sys-fs/udev +" + +# sys-apps/dbus: the daemon only (+ build-time lib dep for tests) +PDEPEND=">=sys-apps/dbus-1.9.8[systemd] + >=sys-fs/udev-init-scripts-34 + policykit? ( sys-auth/polkit ) + !vanilla? ( sys-apps/gentoo-systemd-integration )" + +BDEPEND=" + app-arch/xz-utils:0 + dev-util/gperf + >=dev-build/meson-0.46 + >=sys-apps/coreutils-8.16 + sys-devel/gettext + virtual/pkgconfig + bpf? ( + >=dev-util/bpftool-7.0.0 + sys-devel/bpf-toolchain + ) + test? ( + app-text/tree + dev-lang/perl + sys-apps/dbus + ) + app-text/docbook-xml-dtd:4.2 + app-text/docbook-xml-dtd:4.5 + app-text/docbook-xsl-stylesheets + dev-libs/libxslt:0 + ${PYTHON_DEPS} + $(python_gen_cond_dep " + dev-python/jinja2[\${PYTHON_USEDEP}] + dev-python/lxml[\${PYTHON_USEDEP}] + boot? ( + >=dev-python/pyelftools-0.30[\${PYTHON_USEDEP}] + test? ( ${PEFILE_DEPEND} ) + ) + ") +" + +QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*" +QA_EXECSTACK="usr/lib/systemd/boot/efi/*" + +check_cgroup_layout() { + # https://bugs.gentoo.org/935261 + [[ ${MERGE_TYPE} != buildonly ]] || return + [[ -z ${ROOT} ]] || return + [[ -e /sys/fs/cgroup/unified ]] || return + grep -q 'SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1' /proc/cmdline && return + + eerror "This system appears to be booted with the 'hybrid' cgroup layout." + eerror "This layout obsolete and is disabled in systemd." + + if grep -qF 'systemd.unified_cgroup_hierarchy'; then + eerror "Remove the systemd.unified_cgroup_hierarchy option" + eerror "from the kernel command line and reboot." + die "hybrid cgroup layout detected" + fi +} + +pkg_pretend() { + if use split-usr; then + eerror "Please complete the migration to merged-usr." + eerror "https://wiki.gentoo.org/wiki/Merge-usr" + die "systemd no longer supports split-usr" + fi + + check_cgroup_layout + + if use cgroup-hybrid; then + eerror "Disable the 'cgroup-hybrid' USE flag." + eerror "Rebuild any initramfs images after rebuilding systemd." + die "cgroup-hybrid is no longer supported" + fi + + if [[ ${MERGE_TYPE} != buildonly ]]; then + local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS + ~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE + ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS + ~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS + ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH + ~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED + ~!SYSFS_DEPRECATED_V2" + + use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" + use bpf && CONFIG_CHECK+=" ~BPF ~BPF_SYSCALL ~BPF_LSM ~DEBUG_INFO_BTF" + use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER" + + if kernel_is -ge 5 10 20; then + CONFIG_CHECK+=" ~KCMP" + else + CONFIG_CHECK+=" ~CHECKPOINT_RESTORE" + fi + + if kernel_is -ge 4 18; then + CONFIG_CHECK+=" ~AUTOFS_FS" + else + CONFIG_CHECK+=" ~AUTOFS4_FS" + fi + + if linux_config_exists; then + local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH) + if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then + ewarn "It's recommended to set an empty value to the following kernel config option:" + ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}" + fi + if linux_chkconfig_present X86; then + CONFIG_CHECK+=" ~DMIID" + fi + fi + + if kernel_is -lt ${MINKV//./ }; then + ewarn "Kernel version at least ${MINKV} required" + fi + + check_extra_config + fi +} + +pkg_setup() { + use boot && secureboot_pkg_setup +} + +src_unpack() { + default + [[ ${PV} != 9999 ]] || git-r3_src_unpack +} + +src_prepare() { + local PATCHES=( + ) + + if ! use vanilla; then + PATCHES+=( + "${FILESDIR}/gentoo-journald-audit-r2.patch" + ) + fi + + default +} + +src_configure() { + # Prevent conflicts with i686 cross toolchain, bug 559726 + tc-export AR CC NM OBJCOPY RANLIB + + python_setup + + multilib-minimal_src_configure +} + +multilib_src_configure() { + local myconf=( + --localstatedir="${EPREFIX}/var" + -Ddocdir="share/doc/${PF}" + # default is developer, bug 918671 + -Dmode=release + -Dsupport-url="https://gentoo.org/support/" + -Dpamlibdir="$(getpam_mod_dir)" + # avoid bash-completion dep + -Dbashcompletiondir="$(get_bashcompdir)" + -Dsplit-bin=false + # Disable compatibility with sysvinit + -Dsysvinit-path= + -Dsysvrcnd-path= + # no deps + -Dima=true + # Match /etc/shells, bug 919749 + -Ddebug-shell="${EPREFIX}/bin/sh" + -Ddefault-user-shell="${EPREFIX}/bin/bash" + # Optional components/dependencies + $(meson_native_use_feature acl) + $(meson_native_use_feature apparmor) + $(meson_native_use_feature audit) + $(meson_native_use_feature boot bootloader) + $(meson_native_use_feature bpf bpf-framework) + -Dbpf-compiler=gcc + $(meson_native_use_feature cryptsetup libcryptsetup) + $(meson_native_use_feature curl libcurl) + $(meson_native_use_bool dns-over-tls dns-over-tls) + $(meson_native_use_feature elfutils) + $(meson_native_use_feature fido2 libfido2) + $(meson_feature gcrypt) + $(meson_native_use_feature gnutls) + $(meson_native_use_feature homed) + $(meson_native_use_feature http microhttpd) + $(meson_native_use_bool idn) + $(meson_native_use_feature importd) + $(meson_native_use_feature importd bzip2) + $(meson_native_use_feature importd zlib) + $(meson_native_use_bool kernel-install) + $(meson_native_use_feature kmod) + $(meson_feature lz4) + $(meson_feature lzma xz) + $(meson_use test tests) + $(meson_feature zstd) + $(meson_native_use_feature iptables libiptc) + $(meson_native_use_feature openssl) + $(meson_feature pam) + $(meson_native_use_feature passwdqc) + $(meson_native_use_feature pkcs11 p11kit) + $(meson_native_use_feature pcre pcre2) + $(meson_native_use_feature policykit polkit) + $(meson_native_use_feature pwquality) + $(meson_native_use_feature qrcode qrencode) + $(meson_native_use_feature seccomp) + $(meson_native_use_feature selinux) + $(meson_native_use_feature tpm tpm2) + $(meson_native_use_feature test dbus) + $(meson_native_use_feature ukify) + $(meson_native_use_feature xkb xkbcommon) + -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" + # Breaks screen, tmux, etc. + -Ddefault-kill-user-processes=false + -Dcreate-log-dirs=false + + # multilib options + $(meson_native_true backlight) + $(meson_native_true binfmt) + $(meson_native_true coredump) + $(meson_native_true environment-d) + $(meson_native_true firstboot) + $(meson_native_true hibernate) + $(meson_native_true hostnamed) + $(meson_native_true ldconfig) + $(meson_native_true localed) + $(meson_native_enabled man) + $(meson_native_true networkd) + $(meson_native_true quotacheck) + $(meson_native_true randomseed) + $(meson_native_true rfkill) + $(meson_native_true sysusers) + $(meson_native_true timedated) + $(meson_native_true timesyncd) + $(meson_native_true tmpfiles) + $(meson_native_true vconsole) + ) + + case $(tc-arch) in + amd64|arm|arm64|loong|ppc|ppc64|riscv|s390|x86) + # src/vmspawn/vmspawn-util.h: QEMU_MACHINE_TYPE + myconf+=( $(meson_native_enabled vmspawn) ) ;; + *) + myconf+=( -Dvmspawn=disabled ) ;; + esac + + meson_src_configure "${myconf[@]}" +} + +multilib_src_test() { + ( + unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR + export COLUMNS=80 + addpredict /dev + addpredict /proc + addpredict /run + addpredict /sys/fs/cgroup + meson_src_test --timeout-multiplier=10 + ) || die +} + +multilib_src_install_all() { + einstalldocs + dodoc "${FILESDIR}"/nsswitch.conf + + insinto /usr/lib/tmpfiles.d + doins "${FILESDIR}"/legacy.conf + + if ! use resolvconf; then + rm -f "${ED}"/usr/bin/resolvconf || die + fi + + if ! use sysv-utils; then + rm "${ED}"/usr/bin/{halt,init,poweroff,reboot,shutdown} || die + rm "${ED}"/usr/share/man/man1/init.1 || die + rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,shutdown}.8 || die + fi + + # https://bugs.gentoo.org/761763 + rm -r "${ED}"/usr/lib/sysusers.d || die + + # Preserve empty dirs in /etc & /var, bug #437008 + keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} + keepdir /etc/kernel/install.d + keepdir /etc/systemd/{network,system,user} + keepdir /etc/udev/rules.d + + keepdir /etc/udev/hwdb.d + + keepdir /usr/lib/systemd/{system-sleep,system-shutdown} + keepdir /usr/lib/{binfmt.d,modules-load.d} + keepdir /usr/lib/systemd/user-generators + keepdir /var/lib/systemd + keepdir /var/log/journal + + if use pam; then + if use selinux; then + newpamd "${FILESDIR}"/systemd-user-selinux.pam systemd-user + else + newpamd "${FILESDIR}"/systemd-user.pam systemd-user + fi + fi + + if use kernel-install; then + # Dummy config, remove to make room for sys-kernel/installkernel + rm "${ED}/usr/lib/kernel/install.conf" || die + fi + + use ukify && python_fix_shebang "${ED}" + use boot && secureboot_auto_sign +} + +migrate_locale() { + local envd_locale_def="${EROOT}/etc/env.d/02locale" + local envd_locale=( "${EROOT}"/etc/env.d/??locale ) + local locale_conf="${EROOT}/etc/locale.conf" + + if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then + # If locale.conf does not exist... + if [[ -e ${envd_locale} ]]; then + # ...either copy env.d/??locale if there's one + ebegin "Moving ${envd_locale} to ${locale_conf}" + mv "${envd_locale}" "${locale_conf}" + eend ${?} || FAIL=1 + else + # ...or create a dummy default + ebegin "Creating ${locale_conf}" + cat > "${locale_conf}" <<-EOF + # This file has been created by the sys-apps/systemd ebuild. + # See locale.conf(5) and localectl(1). + + # LANG=${LANG} + EOF + eend ${?} || FAIL=1 + fi + fi + + if [[ ! -L ${envd_locale} ]]; then + # now, if env.d/??locale is not a symlink (to locale.conf)... + if [[ -e ${envd_locale} ]]; then + # ...warn the user that he has duplicate locale settings + ewarn + ewarn "To ensure consistent behavior, you should replace ${envd_locale}" + ewarn "with a symlink to ${locale_conf}. Please migrate your settings" + ewarn "and create the symlink with the following command:" + ewarn "ln -s -n -f ../locale.conf ${envd_locale}" + ewarn + else + # ...or just create the symlink if there's nothing here + ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink" + ln -n -s ../locale.conf "${envd_locale_def}" + eend ${?} || FAIL=1 + fi + fi +} + +pkg_preinst() { + if [[ -e ${EROOT}/etc/sysctl.conf ]]; then + # Symlink /etc/sysctl.conf for easy migration. + dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf + fi + + if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then + ewarn "The 'gnuefi' USE flag has been renamed to 'boot'." + ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot." + fi +} + +pkg_postinst() { + systemd_update_catalog + + # Keep this here in case the database format changes so it gets updated + # when required. + systemd-hwdb --root="${ROOT}" update + + udev_reload || FAIL=1 + + # Bug 465468, make sure locales are respected, and ensure consistency + # between OpenRC & systemd + migrate_locale + + if [[ -z ${REPLACING_VERSIONS} ]]; then + if type systemctl &>/dev/null; then + systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 + fi + elog "To enable a useful set of services, run the following:" + elog " systemctl preset-all --preset-mode=enable-only" + fi + + if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then + rm "${EROOT}/var/lib/systemd/timesync" + fi + + if [[ -z ${ROOT} && -d /run/systemd/system ]]; then + ebegin "Reexecuting system manager (systemd)" + systemctl daemon-reexec + eend $? || FAIL=1 + + # https://lists.freedesktop.org/archives/systemd-devel/2024-June/050466.html + ebegin "Signaling user managers to reexec" + systemctl kill --kill-whom='main' --signal='SIGRTMIN+25' 'user@*.service' + eend $? + fi + + if [[ ${FAIL} ]]; then + eerror "One of the postinst commands failed. Please check the postinst output" + eerror "for errors. You may need to clean up your system and/or try installing" + eerror "systemd again." + eerror + fi + + if use boot; then + optfeature "installing kernels in systemd-boot's native layout and update loader entries" \ + "sys-kernel/installkernel[systemd-boot]" + fi + if use ukify; then + optfeature "generating unified kernel image on each kernel installation" \ + "sys-kernel/installkernel[ukify]" + fi +} + +pkg_prerm() { + # If removing systemd completely, remove the catalog database. + if [[ ! ${REPLACED_BY_VERSION} ]]; then + rm -f -v "${EROOT}"/var/lib/systemd/catalog/database + fi +} From f35ec73ffb7f622707775594725e9d533be95a81 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 24 Oct 2025 11:37:40 +0200 Subject: [PATCH 08/11] .github: Add sys-apps/systemd to automation Signed-off-by: Krzesimir Nowak --- .github/workflows/portage-stable-packages-list | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list index 263fc25f23d..be2dcf3ce96 100644 --- a/.github/workflows/portage-stable-packages-list +++ b/.github/workflows/portage-stable-packages-list @@ -625,6 +625,7 @@ sys-apps/sed sys-apps/semodule-utils sys-apps/shadow sys-apps/smartmontools +sys-apps/systemd sys-apps/texinfo sys-apps/usbutils sys-apps/util-linux From 701ec7dbc95482f730cf25444c56aa5244d92887 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 24 Oct 2025 11:45:03 +0200 Subject: [PATCH 09/11] overlay coreos/user-patches: Regenerate patches for sys-apps/systemd Signed-off-by: Krzesimir Nowak --- .../systemd/0001-wait-online-set-any-by-default.patch | 2 +- .../0002-needs-update-don-t-require-strictly-newer-usr.patch | 2 +- .../systemd/0003-core-use-max-for-DefaultTasksMax.patch | 2 +- .../0004-systemd-Disable-SELinux-permissions-checks.patch | 2 +- ...005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch | 2 +- .../0006-units-Keep-using-old-journal-file-format.patch | 2 +- ...Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch | 2 +- ...tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch | 2 +- ...0009-units-Make-multi-user.target-the-default-target.patch | 4 ++-- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch index 7ebfbe6b1f1..2402cb08d81 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0001-wait-online-set-any-by-default.patch @@ -1,4 +1,4 @@ -From e228bd8a939e77f4ebc37aa029f8a89e8b9d4807 Mon Sep 17 00:00:00 2001 +From 83043596b6cc74b6f049999fa660afd983dc493a Mon Sep 17 00:00:00 2001 From: David Michael Date: Tue, 16 Apr 2019 02:44:51 +0000 Subject: [PATCH 1/9] wait-online: set --any by default diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch index 3684985fe84..9a995bd2539 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0002-needs-update-don-t-require-strictly-newer-usr.patch @@ -1,4 +1,4 @@ -From b8139561768e6745405461e1a765b262ece8f959 Mon Sep 17 00:00:00 2001 +From 3d6bfde35c8ce5c21ca55104852a319246a92bb8 Mon Sep 17 00:00:00 2001 From: Alex Crawford Date: Wed, 2 Mar 2016 10:46:33 -0800 Subject: [PATCH 2/9] needs-update: don't require strictly newer usr diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch index fc40376e7aa..eb480af69f8 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0003-core-use-max-for-DefaultTasksMax.patch @@ -1,4 +1,4 @@ -From f5635c6b5153d894cf1bf6dca92219150d4252d5 Mon Sep 17 00:00:00 2001 +From 6f691278df570cc87cb863a98fe320a1997c6dad Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Fri, 16 Feb 2024 11:22:08 +0000 Subject: [PATCH 3/9] core: use max for DefaultTasksMax diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch index a66305caa66..fb35b011257 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0004-systemd-Disable-SELinux-permissions-checks.patch @@ -1,4 +1,4 @@ -From f55e6415307ce77b3376a2bf9cc96b924c6ec52e Mon Sep 17 00:00:00 2001 +From 78b2d8b1a6df073003d64cffa532c3a320e96ad4 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 20 Dec 2016 16:43:22 +0000 Subject: [PATCH 4/9] systemd: Disable SELinux permissions checks diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch index eeb66a75ffe..802f5f7429e 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0005-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch @@ -1,4 +1,4 @@ -From cf500f14557926259b58ee641fffb38b707494d6 Mon Sep 17 00:00:00 2001 +From 8064e1544a2b89f8389c0469ed4879a287a045a7 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Fri, 16 Dec 2022 16:28:26 +0530 Subject: [PATCH 5/9] Revert "getty: Pass tty to use by agetty via stdin" diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch index 8e76b1b1b1a..297827a0145 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0006-units-Keep-using-old-journal-file-format.patch @@ -1,4 +1,4 @@ -From 1bf0301376df8e82593efccb80cd4e43638666c0 Mon Sep 17 00:00:00 2001 +From c2924cc57c9e4aa836021ec2567c0fdbebecf944 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Fri, 16 Feb 2024 11:29:04 +0000 Subject: [PATCH 6/9] units: Keep using old journal file format diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch index e399b5401c7..ed3c634f05c 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0007-Revert-Revert-initrd-parse-etc-override-argv-0-to-av.patch @@ -1,4 +1,4 @@ -From 93775241c5f873a5862c2e7b06532bd3969341a0 Mon Sep 17 00:00:00 2001 +From 620fd756d449b45e792e42b0000ddb60ec3ab9f4 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Wed, 25 Sep 2024 15:51:02 +0000 Subject: [PATCH 7/9] Revert "Revert "initrd-parse-etc: override argv[0] to diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch index 66ec8d3311a..e741c517058 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0008-tmpfiles.d-Fix-DNS-issues-with-default-k8s-configura.patch @@ -1,4 +1,4 @@ -From 3938b8d561e747ef1dea83afc9f254d594291dc1 Mon Sep 17 00:00:00 2001 +From f7484b8e2d94114825cba25fa937b23ab1159b4f Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 22 Oct 2025 10:39:42 +0200 Subject: [PATCH 8/9] tmpfiles.d: Fix DNS issues with default k8s configuration diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-units-Make-multi-user.target-the-default-target.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-units-Make-multi-user.target-the-default-target.patch index 93a640f4143..d0f6e68c523 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-units-Make-multi-user.target-the-default-target.patch +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sys-apps/systemd/0009-units-Make-multi-user.target-the-default-target.patch @@ -1,4 +1,4 @@ -From 946db05da46d3c453b129c6413d1fd0b3794d038 Mon Sep 17 00:00:00 2001 +From b67d9415cd9d50c34b5b5e7e1f2af556e59f16b7 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 24 Oct 2025 11:06:57 +0200 Subject: [PATCH 9/9] units: Make multi-user.target the default target @@ -9,7 +9,7 @@ Signed-off-by: Krzesimir Nowak 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/units/meson.build b/units/meson.build -index 96f4852741..4b1efbc4b1 100644 +index ef18dcae4a..887231840f 100644 --- a/units/meson.build +++ b/units/meson.build @@ -46,7 +46,7 @@ units = [ From d22d3cdd649cc278131d9705c085a867feee4941 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Fri, 24 Oct 2025 14:54:43 +0200 Subject: [PATCH 10/11] debug Signed-off-by: Krzesimir Nowak --- .../coreos/config/env/sys-apps/systemd | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd index f54063e223e..c5b4e114f47 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd +++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-apps/systemd @@ -51,9 +51,12 @@ if [[ -z ${flatcar_hacked_systemctl:-} ]]; then flatcar_hacked_systemctl=$(command -v systemctl) fi systemctl() { + ewarn "called our systemctl wrapper with args: ${*@Q}" if [[ ${#} -eq 4 && ${1} = '--root='* && ${2} = 'enable' && ${3} = 'getty@.service' && ${4} = 'remote-fs.target' ]]; then + ewarn "ignoring" return 0 fi + ewarn "forwarding to actual systemctl" "${flatcar_hacked_systemctl}" "${@}" } @@ -287,6 +290,7 @@ flatcar_preset_all_enable() { } cros_post_src_install_flatcar_stuff() { + ewarn 'Dropping systemd-user pam config' # We provide our own systemd-user config file in baselayout. rm "${ED}/usr/share/pam.d/systemd-user" || die @@ -295,14 +299,23 @@ cros_post_src_install_flatcar_stuff() { # before that and will create the journal if the filesystem is # already read-write. Conveniently the systemd build system sets # this up completely wrong. + ewarn 'Setting up /var/log/journal' + local dirinfo=$(stat "${ED}/var/log/journal" 2>/dev/null) + ewarn 'Info about existing directory:' + ewarn "${dirinfo}" keepdir /var/log/journal fowners root:systemd-journal /var/log/journal fperms 2755 /var/log/journal + ewarn 'Setting up /var/log/journal/remote' + dirinfo=$(stat "${ED}/var/log/journal/remote" 2>/dev/null) + ewarn 'Info about existing directory:' + ewarn "${dirinfo}" keepdir /var/log/journal/remote fowners systemd-journal-remote:systemd-journal-remote /var/log/journal/remote ( + ewarn 'Setting up tmpfiles.d entry for resolv.conf' insopts -m 0644 insinto /usr/lib/tmpfiles.d # Add tmpfiles rule for resolv.conf. This path has changed @@ -314,25 +327,31 @@ L /run/systemd/network/resolv.conf - - - - ../resolve/resolv.conf EOF ) + ewarn 'Dropping 99-environment.conf' # Don't set any extra environment variables by default. rm "${ED}/usr/lib/environment.d/99-environment.conf" || die + ewarn 'Doing preset of system units' # enable system units flatcar_preset_all_enable "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" system + ewarn 'Doing preset of user units' # enable user units flatcar_preset_all_enable "${ED}/usr/lib/systemd/user-preset/90-systemd.preset" user + ewarn 'Dropping systemd presets' # Use an empty preset file, because systemctl preset-all puts # symlinks in /etc, not in /usr. We don't use /etc, because it is # not autoupdated. We do the "preset" above. rm "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" || die rm "${ED}/usr/lib/systemd/user-preset/90-systemd.preset" || die ( + ewarn 'Inserting our own empty system preset' insinto /usr/lib/systemd/system-preset newins - 99-default.preset <<'EOF' # Do not enable any services if /etc is detected as empty. disable * EOF + ewarn 'Inserting our own empty user preset' insinto /usr/lib/systemd/user-preset newins - 99-default.preset <<'EOF' # Do not enable any services if /etc is detected as empty. @@ -340,15 +359,24 @@ disable * EOF ) + ewarn 'Removing /usr/share/factory' # Do not ship distro-specific files (nsswitch.conf pam.d). This # conflicts with our own configuration provided by baselayout. rm -r "${ED}"/usr/share/factory || die + ewarn 'Editing etc.conf tmpfiles.d' + local contents=$(cat "${ED}"/usr/lib/tmpfiles.d/etc.conf) + ewarn 'Contents before edit:' + ewarn "${contents}" sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \ -e '/^C!* \/etc\/nsswitch\.conf/d' \ -e '/^C!* \/etc\/pam\.d/d' \ -e '/^C!* \/etc\/issue/d' || die + contents=$(cat "${ED}"/usr/lib/tmpfiles.d/etc.conf) + ewarn 'Contents after edit:' + ewarn "${contents}" ( + ewarn 'Setting up systemd-timesyncd.service drop-in' # Some OEMs prefer chronyd, so allow them to replace # systemd-timesyncd with it. insinto "$(systemd_get_systemunitdir)/systemd-timesyncd.service.d" @@ -360,4 +388,5 @@ EOF After=ensure-sysext.service EOF ) + ewarn 'Hook done' } From dfad927165a27e7691bffa353050309cbd9f8dba Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 28 Oct 2025 11:46:54 +0100 Subject: [PATCH 11/11] overlay profiles: Drop obsolete accept keywords for sys-apps/systemd Signed-off-by: Krzesimir Nowak --- .../profiles/coreos/base/package.accept_keywords | 3 --- 1 file changed, 3 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index df8b8390dcb..15a5933e5df 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -99,9 +99,6 @@ dev-cpp/azure-security-keyvault-keys # latest version of the package with the unstable keywords. sys-apps/azure-vm-utils -# Bump systemd v257 from SDK to base. -=sys-apps/systemd-257.7 ~amd64 ~arm64 - # Keep versions on both arches in sync. =sys-apps/zram-generator-1.2.1 ~arm64 =sys-auth/sssd-2.9.7 ~arm64