flatcar · krnowak · Oct 17, 2025 · Oct 24, 2025 · Oct 24, 2025 · Oct 24, 2025
@@ -625,6 +625,7 @@ sys-apps/sed
 sys-apps/semodule-utils
 sys-apps/shadow
 sys-apps/smartmontools
+sys-apps/systemd
 sys-apps/texinfo
 sys-apps/usbutils
 sys-apps/util-linux

@@ -1,13 +1,159 @@
-cros_post_src_install_timesync() {
-  local dir="${D}$(systemd_get_systemunitdir)/systemd-timesyncd.service.d"
-  mkdir -p "${dir}"
-  pushd "${dir}"
-  cat <<EOF >flatcar.conf || die
+systemd_meson_args_array=(
+    # Flatcar: Point to our user mailing list.
+    -Dsupport-url='https://groups.google.com/forum/#!forum/flatcar-linux-user'
+
+    # Flatcar: Use our ntp servers.
+    -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org"
+
+    # Flatcar: Specify this, or meson breaks due to no
+    # /etc/login.defs.
+    -Dsystem-gid-max=999
+    -Dsystem-uid-max=999
+
+    # Flatcar: DBus paths.
+    -Ddbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services"
+    -Ddbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services"
+
+    # Flatcar: PAM config directory.
+    -Dpamconfdir=/usr/share/pam.d
+
+    # Flatcar: The CoreOS epoch, Mon Jul 1 00:00:00 UTC 2013. Used by
+    # timesyncd as a sanity check for the minimum acceptable
+    # time. Explicitly set to avoid using the current build time.
+    -Dtime-epoch=1372636800
+
+    # Flatcar: No default name servers.
+    -Ddns-servers=
+
+    # Flatcar: Disable the "First Boot Wizard", it isn't very
+    # applicable to us.
+    -Dfirstboot=false
+
+    # Flatcar: Set latest network interface naming scheme for
+    # https://github.com/flatcar/Flatcar/issues/36
+    -Ddefault-net-naming-scheme=latest
+
+    # Flatcar: Combined log format: name plus description
+    -Dstatus-unit-format-default=combined
+
+    # Flatcar: Disable multicast-dns, Link-Local Multicast Name
+    # Resolution and dnssec
+    -Ddefault-mdns=no
+    -Ddefault-llmnr=no
+    -Ddefault-dnssec=no
+)
+export MYMESONARGS="${systemd_meson_args_array[*]@Q}"
+unset 'systemd_meson_args_array'
+
+# A hack to avoid enabling getty remote-fs targets in pkg_postinst, we
+# already do out ourselves in this file.
+if [[ -z ${flatcar_hacked_systemctl:-} ]]; then
+    flatcar_hacked_systemctl=$(command -v systemctl)
+fi
+systemctl() {
+    ewarn "called our systemctl wrapper with args: ${*@Q}"
+    if [[ ${#} -eq 4 && ${1} = '--root='* && ${2} = 'enable' && ${3} = '[email protected]' && ${4} = 'remote-fs.target' ]]; then
+        ewarn "ignoring"
+        return 0
+    fi
+    ewarn "forwarding to actual systemctl"
+    "${flatcar_hacked_systemctl}" "${@}"
+}
+
+cros_post_src_install_flatcar_stuff() {
+    ewarn 'Dropping systemd-user pam config'
+    # We provide our own systemd-user config file in baselayout.
+    rm "${ED}/usr/share/pam.d/systemd-user" || die
+
+    # Ensure journal directory has correct ownership/mode in inital
+    # image. This is fixed by systemd-tmpfiles *but* journald starts
+    # before that and will create the journal if the filesystem is
+    # already read-write. Conveniently the systemd build system sets
+    # this up completely wrong.
+    ewarn 'Setting up /var/log/journal'
+    local dirinfo=$(stat "${ED}/var/log/journal" 2>/dev/null)
+    ewarn 'Info about existing directory:'
+    ewarn "${dirinfo}"
+    keepdir /var/log/journal
+    fowners root:systemd-journal /var/log/journal
+    fperms 2755 /var/log/journal
+
+    ewarn 'Setting up /var/log/journal/remote'
+    dirinfo=$(stat "${ED}/var/log/journal/remote" 2>/dev/null)
+    ewarn 'Info about existing directory:'
+    ewarn "${dirinfo}"
+    keepdir /var/log/journal/remote
+    fowners systemd-journal-remote:systemd-journal-remote /var/log/journal/remote
+
+    (
+        ewarn 'Setting up tmpfiles.d entry for resolv.conf'
+        insopts -m 0644
+        insinto /usr/lib/tmpfiles.d
+        # Add tmpfiles rule for resolv.conf. This path has changed
+        # after v213 so it must be handled here instead of baselayout
+        # now.
+        newins - systemd-resolv.conf <<'EOF'
+d   /run/systemd/network                -   -   -   -   -
+L   /run/systemd/network/resolv.conf    -   -   -   -   ../resolve/resolv.conf
+EOF
+    )
+
+    ewarn 'Dropping 99-environment.conf'
+    # Don't set any extra environment variables by default.
+    rm "${ED}/usr/lib/environment.d/99-environment.conf" || die
+
+    ewarn 'Invoking systemctl preset-all with --system'
+    # enable system units
+    systemctl --root="${ED}" --system --preset-mode=enable-only preset-all || die
+    mv "${ED}/etc/systemd/system/"* "$(systemd_get_systemunitdir)" || die
+    ewarn 'Invoking systemctl preset-all with --global'
+    # enable user units
+    systemctl --root="${ED}" --global --preset-mode=enable-only preset-all || die
+    mv "${ED}/etc/systemd/user/"* "$(systemd_get_userunitdir)" || die
+
+    ewarn 'Dropping systemd presets'
+    # Use an empty preset file, because systemctl preset-all puts
+    # symlinks in /etc, not in /usr. We don't use /etc, because it is
+    # not autoupdated. We do the "preset" above.
+    rm "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" || die
+    rm "${ED}/usr/lib/systemd/user-preset/90-systemd.preset" || die
+    (
+        ewarn 'Inserting our own empty preset'
+        insinto /usr/lib/systemd/system-preset
+        newins - 99-default.preset <<'EOF'
+# Do not enable any services if /etc is detected as empty.
+disable *
+EOF
+    )
+
+    ewarn 'Removing /usr/share/factory'
+    # Do not ship distro-specific files (nsswitch.conf pam.d). This
+    # conflicts with our own configuration provided by baselayout.
+    rm -r "${ED}"/usr/share/factory || die
+    ewarn 'Editing etc.conf tmpfiles.d'
+    local contents=$(cat "${ED}"/usr/lib/tmpfiles.d/etc.conf)
+    ewarn 'Contents before edit:'
+    ewarn "${contents}"
+    sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \
+        -e '/^C!* \/etc\/nsswitch\.conf/d' \
+        -e '/^C!* \/etc\/pam\.d/d' \
+        -e '/^C!* \/etc\/issue/d' || die
+    contents=$(cat "${ED}"/usr/lib/tmpfiles.d/etc.conf)
+    ewarn 'Contents after edit:'
+    ewarn "${contents}"
+
+    (
+        ewarn 'Setting up systemd-timesyncd.service drop-in'
+        # Some OEMs prefer chronyd, so allow them to replace
+        # systemd-timesyncd with it.
+        insinto "$(systemd_get_systemunitdir)/systemd-timesyncd.service.d"
+        newins - flatcar.conf <<'EOF'
 # Allow sysexts to ship timesyncd replacements which can have
 # a Conflicts=systemd-timesyncd directive that would result
 # in systemd-timesyncd not being started.
 [Unit]
 After=ensure-sysext.service
 EOF
-  popd
+    )
+    ewarn 'Hook done'
 }
@@ -1,7 +1,7 @@
-From 98cbd0a4576464478f0f9fcd2066efc08bef9491 Mon Sep 17 00:00:00 2001
+From 83043596b6cc74b6f049999fa660afd983dc493a Mon Sep 17 00:00:00 2001
 From: David Michael <[email protected]>
 Date: Tue, 16 Apr 2019 02:44:51 +0000
-Subject: [PATCH 1/8] wait-online: set --any by default
+Subject: [PATCH 1/9] wait-online: set --any by default
 
 The systemd-networkd-wait-online command would normally continue
 waiting after a network interface is usable if other interfaces are
@@ -15,18 +15,18 @@ earlier) for the original implementation.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c
-index 5328bba2d8..95294df607 100644
+index 6f5aef903a..0acb3e76b9 100644
 --- a/src/network/wait-online/wait-online.c
 +++ b/src/network/wait-online/wait-online.c
 @@ -21,7 +21,7 @@ static Hashmap *arg_interfaces = NULL;
  static char **arg_ignore = NULL;
- static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID };
+ static LinkOperationalStateRange arg_required_operstate = LINK_OPERSTATE_RANGE_INVALID;
  static AddressFamily arg_required_family = ADDRESS_FAMILY_NO;
 -static bool arg_any = false;
 +static bool arg_any = true;
 
  STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep);
  STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep);
 -- 
-2.34.1
+2.51.0
 
@@ -1,7 +1,7 @@
-From 0be1b5367c24427e3285d33fb87aa4acdf3c4dce Mon Sep 17 00:00:00 2001
+From 3d6bfde35c8ce5c21ca55104852a319246a92bb8 Mon Sep 17 00:00:00 2001
 From: Alex Crawford <[email protected]>
 Date: Wed, 2 Mar 2016 10:46:33 -0800
-Subject: [PATCH 3/8] needs-update: don't require strictly newer usr
+Subject: [PATCH 2/9] needs-update: don't require strictly newer usr
 
 Updates should be triggered whenever usr changes, not only when it is newer.
 ---
@@ -10,7 +10,7 @@ Updates should be triggered whenever usr changes, not only when it is newer.
  2 files changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml
-index 3393010ff6..5478baca25 100644
+index 6b863ecff3..c166c5e7ab 100644
 --- a/man/systemd-update-done.service.xml
 +++ b/man/systemd-update-done.service.xml
 @@ -50,7 +50,7 @@
@@ -23,10 +23,10 @@ index 3393010ff6..5478baca25 100644
      This requires that updates to <filename>/usr/</filename> are always
      followed by an update of the modification time of
 diff --git a/src/shared/condition.c b/src/shared/condition.c
-index d3446e8a9d..3f7cc9ea58 100644
+index 1a03fdbe37..8577c35fa0 100644
 --- a/src/shared/condition.c
 +++ b/src/shared/condition.c
-@@ -793,7 +793,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -796,7 +796,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
           * First, compare seconds as they are always accurate...
           */
          if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec)
@@ -35,7 +35,7 @@ index d3446e8a9d..3f7cc9ea58 100644
 
          /*
           * ...then compare nanoseconds.
-@@ -804,7 +804,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -807,7 +807,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
           * (otherwise the filesystem supports nsec timestamps, see stat(2)).
           */
          if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0)
@@ -44,7 +44,7 @@ index d3446e8a9d..3f7cc9ea58 100644
 
          _cleanup_free_ char *timestamp_str = NULL;
          r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", &timestamp_str);
-@@ -824,7 +824,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
+@@ -827,7 +827,7 @@ static int condition_test_needs_update(Condition *c, char **env) {
                  return true;
          }
 
@@ -54,5 +54,5 @@ index d3446e8a9d..3f7cc9ea58 100644
 
  static bool in_first_boot(void) {
 -- 
-2.34.1
+2.51.0
 
@@ -1,7 +1,7 @@
-From d21ebfcf17ffc1dba635389193f10d2b93eba730 Mon Sep 17 00:00:00 2001
+From 6f691278df570cc87cb863a98fe320a1997c6dad Mon Sep 17 00:00:00 2001
 From: Adrian Vladu <[email protected]>
 Date: Fri, 16 Feb 2024 11:22:08 +0000
-Subject: [PATCH 4/8] core: use max for DefaultTasksMax
+Subject: [PATCH 3/9] core: use max for DefaultTasksMax
 
 Since systemd v228, systemd has a DefaultTasksMax which defaulted
 to 512, later 15% of the system's maximum number of PIDs.  This
@@ -21,10 +21,10 @@ Signed-off-by: Adrian Vladu <[email protected]>
  3 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
-index 3c06b65f93..71f38692b6 100644
+index f7b414da5c..9c07e235ab 100644
 --- a/man/systemd-system.conf.xml
 +++ b/man/systemd-system.conf.xml
-@@ -501,7 +501,7 @@
+@@ -230,7 +230,7 @@
          <listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
          <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details. This setting applies to all unit types that support resource control settings, with the exception
@@ -34,10 +34,10 @@ index 3c06b65f93..71f38692b6 100644
          Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
          For example, with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
 diff --git a/src/core/manager.c b/src/core/manager.c
-index 88eebfc626..8992c8c3e3 100644
+index 4ccaba9054..3ab59c5bb3 100644
 --- a/src/core/manager.c
 +++ b/src/core/manager.c
-@@ -114,7 +114,7 @@
+@@ -117,7 +117,7 @@
  /* How many units and jobs to process of the bus queue before returning to the event loop. */
  #define MANAGER_BUS_MESSAGE_BUDGET 100U
 
@@ -47,10 +47,10 @@ index 88eebfc626..8992c8c3e3 100644
  static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
  static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
 diff --git a/src/core/system.conf.in b/src/core/system.conf.in
-index 05eb681270..94d0365244 100644
+index 1c08aa4d22..2faea3605e 100644
 --- a/src/core/system.conf.in
 +++ b/src/core/system.conf.in
-@@ -58,7 +58,7 @@
+@@ -59,7 +59,7 @@
  #DefaultIPAccounting=no
  #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
  #DefaultTasksAccounting=yes
@@ -60,5 +60,5 @@ index 05eb681270..94d0365244 100644
  #DefaultLimitFSIZE=
  #DefaultLimitDATA=
 -- 
-2.34.1
+2.51.0
 
@@ -1,7 +1,7 @@
-From 374cca5b2f9aea1c506352cf58b09db5c216a0d3 Mon Sep 17 00:00:00 2001
+From 78b2d8b1a6df073003d64cffa532c3a320e96ad4 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <[email protected]>
 Date: Tue, 20 Dec 2016 16:43:22 +0000
-Subject: [PATCH 5/8] systemd: Disable SELinux permissions checks
+Subject: [PATCH 4/9] systemd: Disable SELinux permissions checks
 
 We don't care about the interaction between systemd and SELinux policy, so
 let's just disable these checks rather than having to incorporate policy
@@ -12,7 +12,7 @@ to limit containers and not anything running directly on the host.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
-index 62181a6309..448f9211d6 100644
+index a67a520a3b..3365b920eb 100644
 --- a/src/core/selinux-access.c
 +++ b/src/core/selinux-access.c
 @@ -2,7 +2,7 @@
@@ -25,5 +25,5 @@ index 62181a6309..448f9211d6 100644
  #include <errno.h>
  #include <selinux/avc.h>
 -- 
-2.34.1
+2.51.0
 
@@ -1,7 +1,7 @@
-From bffb2a48796a2736d7fb7328d2a88b1cbb812b12 Mon Sep 17 00:00:00 2001
+From 8064e1544a2b89f8389c0469ed4879a287a045a7 Mon Sep 17 00:00:00 2001
 From: Sayan Chowdhury <[email protected]>
 Date: Fri, 16 Dec 2022 16:28:26 +0530
-Subject: [PATCH 6/8] Revert "getty: Pass tty to use by agetty via stdin"
+Subject: [PATCH 5/9] Revert "getty: Pass tty to use by agetty via stdin"
 
 This reverts commit b4bf9007cbee7dc0b1356897344ae2a7890df84c.
 
@@ -90,3 +90,6 @@ index 20a5eb2754..ba4cbc0edb 100644
  TTYPath=/dev/%I
  TTYReset=yes
  TTYVHangup=yes
+-- 
+2.51.0
+