From 043ef47f5bba9e736bd91f20255c084e5fa59945 Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Thu, 2 Sep 2021 09:04:56 +0000 Subject: [PATCH] sys-apps/systemd: Apply Flatcar patches Signed-off-by: Sayan Chowdhury --- .../0004-wait-online-set-any-by-default.patch | 32 +++ ...fault-to-kernel-IPForwarding-setting.patch | 24 ++ ...ate-don-t-require-strictly-newer-usr.patch | 58 +++++ ...007-core-use-max-for-DefaultTasksMax.patch | 65 +++++ ...d-Disable-SELinux-permissions-checks.patch | 29 +++ ...e-handle-lookup-paths-being-symlinks.patch | 84 ++++++ .../sys-apps/systemd/files/99-default.preset | 2 + .../systemd/files/systemd-flatcar.conf | 14 + .../systemd/files/systemd-resolv.conf | 2 + .../sys-apps/systemd/systemd-9999.ebuild | 240 +++++++++++++----- 10 files changed, 484 insertions(+), 66 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-core-handle-lookup-paths-being-symlinks.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch
new file mode 100644
index 0000000000..2e3d001c64
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-wait-online-set-any-by-default.patch
@@ -0,0 +1,32 @@
+From eb00b0bf1014fd9da26fc1ed2612c579cbcf09ce Mon Sep 17 00:00:00 2001
+From: David Michael
+Date: Tue, 16 Apr 2019 02:44:51 +0000
+Subject: [PATCH 1/5] wait-online: set --any by default
+
+The systemd-networkd-wait-online command would normally continue
+waiting after a network interface is usable if other interfaces are
+still configuring. There is a new flag --any to change this.
+
+Preserve previous Container Linux behavior for compatibility by
+setting the --any flag by default. See patches from v241 (or
+earlier) for the original implementation.
+---
+ src/network/wait-online/wait-online.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c
+index 1b24b6f1a6..dedbd50725 100644
+--- a/src/network/wait-online/wait-online.c
++++ b/src/network/wait-online/wait-online.c
+@@ -20,7 +20,7 @@ static Hashmap *arg_interfaces = NULL;
+ static char **arg_ignore = NULL;
+ static LinkOperationalStateRange arg_required_operstate = { _LINK_OPERSTATE_INVALID, _LINK_OPERSTATE_INVALID };
+ static AddressFamily arg_required_family = ADDRESS_FAMILY_NO;
+-static bool arg_any = false;
++static bool arg_any = true;
+ 
+ STATIC_DESTRUCTOR_REGISTER(arg_interfaces, hashmap_free_free_freep);
+ STATIC_DESTRUCTOR_REGISTER(arg_ignore, strv_freep);
+-- 
+2.30.2
+
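Review bot: Flipping the initializer to `static bool arg_any = true;` leaves no way to ask for the previous wait-for-all behaviour, because the `--any` switch (parsed outside this hunk) presumably only ever sets `arg_any = true` and no negating option exists. The `--help` text and systemd-networkd-wait-online(8) still describe `--any` as opt-in and the patch does not touch them, so on a Flatcar system the flag silently becomes a no-op. Either add a negating switch in the same patch or state in the patch description that wait-for-all is only reachable through an explicit `--interface=` list.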
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch
new file mode 100644
index 0000000000..ac52e2cf5b
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0005-networkd-default-to-kernel-IPForwarding-setting.patch
@@ -0,0 +1,24 @@
+From 9acb14187bacd1d716adaed491813ea1cde12237 Mon Sep 17 00:00:00 2001
+From: Nick Owens
+Date: Tue, 2 Jun 2015 18:22:32 -0700
+Subject: [PATCH 2/5] networkd: default to "kernel" IPForwarding setting
+
+---
+ src/network/networkd-network.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
+index 850b4f449e..951c2d0815 100644
+--- a/src/network/networkd-network.c
++++ b/src/network/networkd-network.c
+@@ -398,6 +398,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
+         .ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID,
+ 
+         .ipv4_accept_local = -1,
++        .ip_forward = _ADDRESS_FAMILY_INVALID,
+         .ipv4_route_localnet = -1,
+         .ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO,
+         .ipv6_accept_ra = -1,
+-- 
+2.30.2
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch
new file mode 100644
index 0000000000..c8f1460902
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0006-needs-update-don-t-require-strictly-newer-usr.patch
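Review bot: The patch has a subject line only, so nothing records what `.ip_forward = _ADDRESS_FAMILY_INVALID` is meant to achieve: presumably the link code treats the invalid value as "leave the kernel `forwarding` sysctl untouched" rather than as a request for both families, but that depends on checks outside this hunk and should be written down. Add a body along the lines of `With _ADDRESS_FAMILY_INVALID networkd only touches the forwarding sysctl when IPForward= is set explicitly in a .network file, so the kernel default governs.` and note that the IPForward= default described in systemd.network(5) is not updated by this patch.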
@@ -0,0 +1,58 @@ +From e073ce40241db173d160d5d9986129820a98270a Mon Sep 17 00:00:00 2001 +From: Alex Crawford +Date: Wed, 2 Mar 2016 10:46:33 -0800 +Subject: [PATCH 3/5] needs-update: don't require strictly newer usr + +Updates should be triggered whenever usr changes, not only when it is newer. +--- + man/systemd-update-done.service.xml | 2 +- + src/shared/condition.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/man/systemd-update-done.service.xml b/man/systemd-update-done.service.xml +index 3393010ff6..5478baca25 100644 +--- a/man/systemd-update-done.service.xml ++++ b/man/systemd-update-done.service.xml +@@ -50,7 +50,7 @@ + ConditionNeedsUpdate= (see + systemd.unit5) + condition to make sure to run when /etc/ or +- /var/ are older than /usr/ ++ /var/ aren't the same age as /usr/ + according to the modification times of the files described above. + This requires that updates to /usr/ are always + followed by an update of the modification time of +diff --git a/src/shared/condition.c b/src/shared/condition.c +index b2ec690bc3..4cf6523b90 100644 +--- a/src/shared/condition.c ++++ b/src/shared/condition.c +@@ -593,7 +593,7 @@ static int condition_test_needs_update(Condition *c, char **env) { + * First, compare seconds as they are always accurate... + */ + if (usr.st_mtim.tv_sec != other.st_mtim.tv_sec) +- return usr.st_mtim.tv_sec > other.st_mtim.tv_sec; ++ return true; + + /* + * ...then compare nanoseconds. +@@ -604,7 +604,7 @@ static int condition_test_needs_update(Condition *c, char **env) { + * (otherwise the filesystem supports nsec timestamps, see stat(2)). 
+ */ + if (usr.st_mtim.tv_nsec == 0 || other.st_mtim.tv_nsec > 0) +- return usr.st_mtim.tv_nsec > other.st_mtim.tv_nsec; ++ return usr.st_mtim.tv_nsec != other.st_mtim.tv_nsec; + + _cleanup_free_ char *timestamp_str = NULL; + r = parse_env_file(NULL, p, "TIMESTAMP_NSEC", ×tamp_str); +@@ -623,7 +623,7 @@ static int condition_test_needs_update(Condition *c, char **env) { + return true; + } + +- return timespec_load_nsec(&usr.st_mtim) > timestamp; ++ return timespec_load_nsec(&usr.st_mtim) != timestamp; + } + + static int condition_test_first_boot(Condition *c, char **env) { +-- +2.26.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch new file mode 100644 index 0000000000..00625b1496 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-core-use-max-for-DefaultTasksMax.patch 
@@ -0,0 +1,65 @@ +From 3acaafc6fcd34b272e5249c49e498ff7facb564e Mon Sep 17 00:00:00 2001 +From: Sayan Chowdhury +Date: Thu, 22 Apr 2021 20:08:33 +0530 +Subject: [PATCH] core: use max for DefaultTasksMax + +Since systemd v228, systemd has a DefaultTasksMax which defaulted +to 512, later 15% of the system's maximum number of PIDs. This +limit is low and a change in behavior that people running services +in containers will hit frequently, so revert to previous behavior. + +Though later the TasksMax was changed in the a dynamic property to +accommodate stale values. + +This change is built on previous patch by David Michael(dm0-). + +Signed-off-by: Sayan Chowdhury +--- + man/systemd-system.conf.xml | 2 +- + src/core/main.c | 2 +- + src/core/system.conf.in | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml +index d39928ec23..4d89a68b16 100644 +--- a/man/systemd-system.conf.xml ++++ b/man/systemd-system.conf.xml +@@ -376,7 +376,7 @@ + Configure the default value for the per-unit TasksMax= setting. See + systemd.resource-control5 + for details. This setting applies to all unit types that support resource control settings, with the exception +- of slice units. Defaults to 15% of the minimum of kernel.pid_max=, kernel.threads-max= ++ of slice units. Defaults to 100% of the minimum of kernel.pid_max=, kernel.threads-max= + and root cgroup pids.max. + Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores. 
+ For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, +diff --git a/src/core/main.c b/src/core/main.c +index 0ddd629851..5e25a1b4b7 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -91,7 +91,7 @@ + #include + #endif + +-#define DEFAULT_TASKS_MAX ((TasksMax) { 15U, 100U }) /* 15% */ ++#define DEFAULT_TASKS_MAX ((TasksMax) { 100U, 100U }) /* 100% */ + + static enum { + ACTION_RUN, +diff --git a/src/core/system.conf.in b/src/core/system.conf.in +index fa6fb690c7..1e6df17d94 100644 +--- a/src/core/system.conf.in ++++ b/src/core/system.conf.in +@@ -55,7 +55,7 @@ + #DefaultBlockIOAccounting=no + #DefaultMemoryAccounting=@MEMORY_ACCOUNTING_DEFAULT@ + #DefaultTasksAccounting=yes +-#DefaultTasksMax=15% ++#DefaultTasksMax=100% + #DefaultLimitCPU= + #DefaultLimitFSIZE= + #DefaultLimitDATA= +-- +2.30.2 + + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch new file mode 100644 index 0000000000..e4891b4f70 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0008-systemd-Disable-SELinux-permissions-checks.patch 
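Review bot: The man page sentence kept as context right after the rewritten one, `+ For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915,`, is now wrong: 4915 is 15% of 32768, and with `{ 100U, 100U }` the example value becomes 32768. Update that sentence in the same patch, e.g. `For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 32768,`. The patch description should also say plainly that a 100% default removes the per-unit cap that keeps a runaway service from exhausting the PID space, so operators who relied on the upstream limit need an explicit TasksMax= per unit.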
@@ -0,0 +1,29 @@
+From f83a1a190139d6f7752e0d7c86396330f845b261 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Tue, 20 Dec 2016 16:43:22 +0000
+Subject: [PATCH 5/5] systemd: Disable SELinux permissions checks
+
+We don't care about the interaction between systemd and SELinux policy, so
+let's just disable these checks rather than having to incorporate policy
+support. This has no impact on our SELinux use-case, which is purely intended
+to limit containers and not anything running directly on the host.
+---
+ src/core/selinux-access.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
+index 1d52b5ff04..1653d241f6 100644
+--- a/src/core/selinux-access.c
++++ b/src/core/selinux-access.c
+@@ -2,7 +2,7 @@
+ 
+ #include "selinux-access.h"
+ 
+-#if HAVE_SELINUX
++#if 0
+ 
+ #include
+ #include
+-- 
+2.26.2
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-core-handle-lookup-paths-being-symlinks.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-core-handle-lookup-paths-being-symlinks.patch
new file mode 100644
index 0000000000..6bed0f164b
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0009-core-handle-lookup-paths-being-symlinks.patch
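Review bot: Replacing `#if HAVE_SELINUX` with `#if 0` compiles out all of selinux-access.c, i.e. the SELinux access checks on PID 1's D-Bus API, yet the ebuild later in this commit still exposes a `selinux` USE flag with `selinux? ( sec-policy/selinux-base-policy[systemd] )` in RDEPEND, so a USE=selinux build installs policy whose systemd bus checks are unconditionally gone. Document that mismatch next to the IUSE line, or drop the flag and its policy dependency. The patch message's claim of "no impact on the host" deserves a one-line caveat in the commit body: any policy that previously constrained who may start, stop or reload units over systemd's bus interface no longer applies on the host.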
@@ -0,0 +1,84 @@ +From 67d9962aa637401a1332069b6c8ad99a54e2b451 Mon Sep 17 00:00:00 2001 +From: Sayan Chowdhury +Date: Wed, 8 Sep 2021 12:10:35 +0530 +Subject: [PATCH] core: handle lookup paths being symlinks + +With a recent change paths leaving the statically known lookup paths +would be treated differently then those that remained within those. That +was done (AFAIK) to consistently handle alias names. Unfortunately that +means that on some distributions, especially those where /etc/ consists +mostly of symlinks, would trigger that new detection for every single +unit in /etc/systemd/system. The reason for that is that the units +directory itself is already a symlink. + +Original Patch from: https://github.com/systemd/systemd/pull/20479 + +Signed-off-by: Sayan Chowdhury +--- + src/basic/unit-file.c | 33 +++++++++++++++++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) + +diff --git a/src/basic/unit-file.c b/src/basic/unit-file.c +index 884a0674a9..3ae2a115d0 100644 +--- a/src/basic/unit-file.c ++++ b/src/basic/unit-file.c +@@ -254,6 +254,7 @@ int unit_file_build_name_map( + + _cleanup_hashmap_free_ Hashmap *ids = NULL, *names = NULL; + _cleanup_set_free_free_ Set *paths = NULL; ++ _cleanup_strv_free_ char **expanded_search_paths = NULL; + uint64_t timestamp_hash; + char **dir; + int r; +@@ -273,6 +274,34 @@ int unit_file_build_name_map( + return log_oom(); + } + ++ /* Go over all our search paths, chase their symlinks and store the ++ * result in the expanded_search_paths list. ++ * ++ * This is important for cases where any of the unit directories itself ++ * are symlinks into other directories and would therefore cause all of ++ * the unit files to be recognized as linked units. ++ * ++ * This is important for distributions such as NixOS where most paths ++ * in /etc/ are symlinks to some other location on the filesystem (e.g. ++ * into /nix/store/). 
++ */ ++ STRV_FOREACH(dir, (char**) lp->search_path) { ++ _cleanup_free_ char *resolved_dir = NULL; ++ r = strv_extend(&expanded_search_paths, *dir); ++ if (r < 0) ++ return log_oom(); ++ ++ r = chase_symlinks(*dir, NULL, 0, &resolved_dir, NULL); ++ if (r < 0) { ++ if (r != -ENOENT) ++ log_warning_errno(r, "Failed to resolve symlink %s, ignoring: %m", *dir); ++ continue; ++ } ++ ++ if (strv_consume(&expanded_search_paths, TAKE_PTR(resolved_dir)) < 0) ++ return log_oom(); ++ } ++ + STRV_FOREACH(dir, (char**) lp->search_path) { + struct dirent *de; + _cleanup_closedir_ DIR *d = NULL; +@@ -351,11 +380,11 @@ int unit_file_build_name_map( + continue; + } + +- /* Check if the symlink goes outside of our search path. ++ /* Check if the symlink goes outside of our (expanded) search path. + * If yes, it's a linked unit file or mask, and we don't care about the target name. + * Let's just store the link source directly. + * If not, let's verify that it's a good symlink. */ +- char *tail = path_startswith_strv(simplified, lp->search_path); ++ char *tail = path_startswith_strv(simplified, expanded_search_paths); + if (!tail) { + log_debug("%s: linked unit file: %s → %s", + __func__, filename, simplified); +-- +2.30.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset new file mode 100644 index 0000000000..d2545d5d1d --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/99-default.preset @@ -0,0 +1,2 @@ +# Do not enable any services if /etc is detected as empty. +disable * diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf new file mode 100644 index 0000000000..17587de5aa --- /dev/null 
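Review bot: The loop appends `*dir` to `expanded_search_paths` before `chase_symlinks()` and then appends the resolved path too, so for ordinary directories the list holds every entry twice, and the comment block does not say the duplication is deliberate or harmless for `path_startswith_strv()`. A short comment such as `/* Keep the literal path as well: a unit symlink may point at either the search dir or its resolved target. */` would make the intent explicit. The message cites systemd PR 20479 as the origin; record whether it was merged and in which release so this patch can be dropped at the next systemd bump. unit_file_build_name_map() begins and ends outside the hunk.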
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf @@ -0,0 +1,14 @@ +d /etc/binfmt.d - - - - - +d /etc/kernel/install.d - - - - - +d /etc/modules-load.d - - - - - +d /etc/sysctl.d - - - - - +d /etc/systemd - - - - - +d /etc/systemd/network - - - - - +d /etc/systemd/system - - - - - +d /etc/systemd/user - - - - - +d /etc/tmpfiles.d - - - - - +d /etc/sysusers.d - - - - - +d /etc/udev/hwdb.d - - - - - +d /etc/udev/rules.d - - - - - +d /var/lib/systemd - - - - - +d /var/log/journal/remote - systemd-journal-remote systemd-journal-remote - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf new file mode 100644 index 0000000000..32b7e9d214 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-resolv.conf @@ -0,0 +1,2 @@ +d /run/systemd/network - - - - - +L /run/systemd/network/resolv.conf - - - - ../resolve/resolv.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild index 3683686fc0..e2fb46fa05 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-9999.ebuild @@ -2,7 +2,8 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=7 -PYTHON_COMPAT=( python3_{8..10} ) +# Flatcar: We still have python 3.6. +PYTHON_COMPAT=( python3_{5,6,7} ) if [[ ${PV} == 9999 ]]; then EGIT_REPO_URI="https://github.com/systemd/systemd.git" 
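Review bot: `d /var/log/journal/remote - systemd-journal-remote systemd-journal-remote - -` names a user and group that this same commit stops depending on, since the RDEPEND hunk below removes `>=acct-user/systemd-journal-remote-0-r1` and `>=acct-group/systemd-journal-0-r1`; unless baselayout provides that account (the RDEPEND comment suggests it provides some), systemd-tmpfiles will fail this line at boot and log an error every run. Add a comment above the line naming where the account comes from, e.g. `# systemd-journal-remote user/group come from baselayout, not acct-user`, or keep the acct-user dependency. The same question applies to `fowners root:systemd-journal /var/log/journal` in the install hunk, which needs the systemd-journal group to exist in the SDK at build time.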
@@ -17,17 +18,19 @@ else MY_P=${MY_PN}-${MY_PV} S=${WORKDIR}/${MY_P} SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz" - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ppc64 ~riscv sparc x86" fi -inherit bash-completion-r1 linux-info meson-multilib pam python-any-r1 systemd toolchain-funcs udev usr-ldscript +# Flatcar: We don't use gen_usr_ldscript so dropping usr-ldscript +inherit bash-completion-r1 linux-info meson-multilib pam python-any-r1 systemd toolchain-funcs udev user DESCRIPTION="System and service manager for Linux" HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd" LICENSE="GPL-2 LGPL-2.1 MIT public-domain" SLOT="0/2" -IUSE="acl apparmor audit build cgroup-hybrid cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi homed http +hwdb idn importd +kmod +lz4 lzma nat pam pcre pkcs11 policykit pwquality qrcode repart +resolvconf +seccomp selinux split-usr static-libs +sysv-utils test tpm vanilla xkb +zstd" +# Flatcar: Dropped static-libs, we don't care about static libraries. +IUSE="acl apparmor audit build cgroup-hybrid cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi homed http +hwdb idn importd +kmod +lz4 lzma nat pam pcre pkcs11 policykit pwquality qrcode repart +resolvconf +seccomp selinux split-usr +sysv-utils test tpm vanilla xkb +zstd" REQUIRED_USE=" homed? ( cryptsetup pam ) 
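Review bot: `inherit ... user` adds the deprecated user.eclass, but nothing in this diff calls `enewuser` or `enewgroup`; if it is unused, drop it, and if it is needed the comment should say for which account, since the rest of the commit moves toward acct-user/acct-group. The Flatcar comment on the inherit line explains the removed usr-ldscript but not the added eclass. The IUSE line drops `static-libs` while src_prepare later adds `249-libudev-static.patch`; a sentence on how those two relate would help the next rebase.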
@@ -84,35 +87,22 @@ DEPEND="${COMMON_DEPEND} gnuefi? ( >=sys-boot/gnu-efi-3.0.2 ) " -# baselayout-2.2 has /run +# Flatcar: We drop a few of the acct-group and acct-user as the gid provided by +# the upstream does not match with the ones we carry in baselayout. RDEPEND="${COMMON_DEPEND} >=acct-group/adm-0-r1 >=acct-group/wheel-0-r1 >=acct-group/kmem-0-r1 >=acct-group/tty-0-r1 >=acct-group/utmp-0-r1 - >=acct-group/audio-0-r1 - >=acct-group/cdrom-0-r1 - >=acct-group/dialout-0-r1 - >=acct-group/disk-0-r1 - >=acct-group/input-0-r1 >=acct-group/kvm-0-r1 - >=acct-group/lp-0-r1 - >=acct-group/render-0-r1 acct-group/sgx - >=acct-group/tape-0-r1 acct-group/users - >=acct-group/video-0-r1 - >=acct-group/systemd-journal-0-r1 >=acct-user/root-0-r1 acct-user/nobody - >=acct-user/systemd-journal-remote-0-r1 >=acct-user/systemd-coredump-0-r1 - >=acct-user/systemd-network-0-r1 acct-user/systemd-oom - >=acct-user/systemd-resolve-0-r1 >=acct-user/systemd-timesync-0-r1 - >=sys-apps/baselayout-2.2 selinux? ( sec-policy/selinux-base-policy[systemd] ) sysv-utils? ( !sys-apps/openrc[sysv-utils(-)] @@ -131,9 +121,10 @@ RDEPEND="${COMMON_DEPEND} " # sys-apps/dbus: the daemon only (+ build-time lib dep for tests) +# +# Flatcar: We don't have sys-fs/udev-init-scripts-34, so it's dropped. PDEPEND=">=sys-apps/dbus-1.9.8[systemd] hwdb? ( sys-apps/hwids[systemd(+),udev] ) - >=sys-fs/udev-init-scripts-34 policykit? ( sys-auth/polkit ) !vanilla? ( sys-apps/gentoo-systemd-integration )" 
@@ -222,15 +213,27 @@ src_prepare() { # Add local patches here PATCHES+=( + # Flatcar: Adding our own patches here. + "${FILESDIR}/249-libudev-static.patch" + "${FILESDIR}/0004-wait-online-set-any-by-default.patch" + "${FILESDIR}/0005-networkd-default-to-kernel-IPForwarding-setting.patch" + "${FILESDIR}/0006-needs-update-don-t-require-strictly-newer-usr.patch" + "${FILESDIR}/0007-core-use-max-for-DefaultTasksMax.patch" + "${FILESDIR}/0008-systemd-Disable-SELinux-permissions-checks.patch" + "${FILESDIR}/0009-core-handle-lookup-paths-being-symlinks.patch" ) - if ! use vanilla; then - PATCHES+=( - "${FILESDIR}/gentoo-generator-path-r2.patch" - "${FILESDIR}/gentoo-systemctl-disable-sysv-sync-r1.patch" - "${FILESDIR}/gentoo-journald-audit.patch" - ) - fi + # Flatcar: We carry our own patches, we don't use the ones + # from Gentoo. Thus we dropped the `if ! use vanilla` code + # here. + + # Flatcar: The Kubelet takes /etc/resolv.conf for, e.g., CoreDNS which has dnsPolicy "default", but unless + # the kubelet --resolv-conf flag is set to point to /run/systemd/resolve/resolv.conf this won't work with + # /etc/resolv.conf pointing to /run/systemd/resolve/stub-resolv.conf which configures 127.0.0.53. + # See https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues + # This means that users who need split DNS to work should point /etc/resolv.conf back to /run/systemd/resolve/stub-resolv.conf + # (and if using K8s configure the kubelet resolvConf variable/--resolv-conf flag to /run/systemd/resolve/resolv.conf). + sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/etc.conf.in || die default } 
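Review bot: `"${FILESDIR}/249-libudev-static.patch"` is added to PATCHES but is not among the files this commit creates (the diffstat at the top lists only 0004–0009, the preset and the two tmpfiles fragments), so src_prepare dies with a missing patch unless it already exists in FILESDIR; confirm that and, if it is pre-existing, say so in the comment. The `sed -i ... tmpfiles.d/etc.conf.in || die` is fine, but a no-match is silent, and on the next systemd bump that would quietly reinstate the 127.0.0.53 stub resolver path the long comment warns about; guard it with `grep -q stub-resolv.conf tmpfiles.d/etc.conf.in || die "stub-resolv.conf path changed upstream"` before the sed.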
@@ -247,7 +250,8 @@ src_configure() { multilib_src_configure() { local myconf=( --localstatedir="${EPREFIX}/var" - -Dsupport-url="https://gentoo.org/support/" + # Flatcar: Point to our user mailing list. + -Dsupport-url="https://groups.google.com/forum/#!forum/flatcar-linux-user" -Dpamlibdir="$(getpam_mod_dir)" # avoid bash-completion dep -Dbashcompletiondir="$(get_bashcompdir)" @@ -258,7 +262,6 @@ multilib_src_configure() { -Drootlibdir="${EPREFIX}/usr/$(get_libdir)" # Avoid infinite exec recursion, bug 642724 -Dtelinit-path="${EPREFIX}/lib/sysvinit/telinit" - # no deps -Dima=true -Ddefault-hierarchy=$(usex cgroup-hybrid hybrid unified) # Optional components/dependencies @@ -298,9 +301,11 @@ multilib_src_configure() { $(meson_native_use_bool tpm tpm2) $(meson_native_use_bool test dbus) $(meson_native_use_bool xkb xkbcommon) - -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" + # Flatcar: Use our ntp servers. + -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org" # Breaks screen, tmux, etc. -Ddefault-kill-user-processes=false + # Flatcar: TODO: Investigate if we want this. -Dcreate-log-dirs=false # multilib options 
@@ -324,8 +329,42 @@ multilib_src_configure() { $(meson_native_true tmpfiles) $(meson_native_true vconsole) - # static-libs - $(meson_use static-libs static-libudev) + # Flatcar: Specify this, or meson breaks due to no + # /etc/login.defs. + -Dsystem-gid-max=999 + -Dsystem-uid-max=999 + + # Flatcar: DBus paths. + -Ddbussessionservicedir="${EPREFIX}/usr/share/dbus-1/services" + -Ddbussystemservicedir="${EPREFIX}/usr/share/dbus-1/system-services" + + # Flatcar: PAM config directory. + -Dpamconfdir=/usr/share/pam.d + + # Flatcar: The CoreOS epoch, Mon Jul 1 00:00:00 UTC + # 2013. Used by timesyncd as a sanity check for the + # minimum acceptable time. Explicitly set to avoid + # using the current build time. + -Dtime-epoch=1372636800 + + # Flatcar: No default name servers. + -Ddns-servers= + + # Flatcar: Disable the "First Boot Wizard", it isn't + # very applicable to us. + -Dfirstboot=false + + # Flatcar: Set latest network interface naming scheme + # for + # https://github.com/flatcar-linux/Flatcar/issues/36 + -Ddefault-net-naming-scheme=latest + + # Flatcar: Unported options, still needed? + -Defi-cc="$(tc-getCC)" + -Dquotaon-path=/usr/sbin/quotaon + -Dquotacheck-path=/usr/sbin/quotacheck + + # Flatcar: No static libs. ) meson_src_configure "${myconf[@]}" @@ -343,7 +382,8 @@ multilib_src_install_all() { mv "${ED}"/usr/share/doc/{systemd,${PF}} || die einstalldocs - dodoc "${FILESDIR}"/nsswitch.conf + # Flatcar: Do not install sample nsswitch.conf, we don't + # provide it. if ! use resolvconf; then rm -f "${ED}${rootprefix}"/sbin/resolvconf || die 
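Review bot: `-Dtime-epoch=1372636800` pins the "minimum acceptable time" the comment describes to July 2013, eight years before this commit; the comment explains why the build time is avoided but not that the value must be bumped, so a clock that falls back to 2013 is accepted as sane, which matters for certificate-validity checks. Add `# Bump to the date of each major Flatcar release; this is the oldest wall-clock time the OS treats as plausible.` or derive the value from a tracked release date. Separately, the trailing `# Flatcar: No static libs.` comment at the end of the array no longer precedes any option now that `$(meson_use static-libs static-libudev)` is gone; drop it or say what replaced it.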
@@ -362,31 +402,11 @@ multilib_src_install_all() { rmdir "${ED}${rootprefix}"/sbin || die fi - # https://bugs.gentoo.org/761763 - rm -r "${ED}"/usr/lib/sysusers.d || die - - # Preserve empty dirs in /etc & /var, bug #437008 - keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} - keepdir /etc/kernel/install.d - keepdir /etc/systemd/{network,system,user} - keepdir /etc/udev/rules.d - - if use hwdb; then - keepdir /etc/udev/hwdb.d - fi - - keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown} - keepdir /usr/lib/{binfmt.d,modules-load.d} - keepdir /usr/lib/systemd/user-generators - keepdir /var/lib/systemd - keepdir /var/log/journal - - # Symlink /etc/sysctl.conf for easy migration. - dosym ../sysctl.conf /etc/sysctl.d/99-sysctl.conf - - if use pam; then - newpamd "${FILESDIR}"/systemd-user.pam systemd-user - fi + # Flatcar: Upstream uses keepdir commands to keep some empty + # directories. + # + # Flatcar: TODO: Consider using that instead of + # systemd_dotmpfilesd "${FILESDIR}"/systemd-flatcar.conf below. if use hwdb; then rm -r "${ED}${rootprefix}"/lib/udev/hwdb.d || die 
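Review bot: Dropping `rm -r "${ED}"/usr/lib/sysusers.d || die` means the upstream sysusers.d fragments are now installed, and systemd-sysusers will create any account they name that baselayout does not already provide, with a dynamically allocated ID; given the RDEPEND comment that Flatcar's IDs differ from upstream's, the replacement comment should say whether that is intended, e.g. `# Flatcar: keep sysusers.d; baselayout pre-creates the accounts with our IDs and sysusers only fills gaps.` The removed `if use pam; then newpamd ...; fi` is not explained either; presumably `-Dpamconfdir=/usr/share/pam.d` makes systemd install its own systemd-user PAM file, which is worth stating. The new comment also points at `systemd_dotmpfilesd ... below`, which lives in a different hunk.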
@@ -398,7 +418,100 @@ multilib_src_install_all() { dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown fi - gen_usr_ldscript -a systemd udev + # Flatcar: Ensure journal directory has correct ownership/mode + # in inital image. This is fixed by systemd-tmpfiles *but* + # journald starts before that and will create the journal if + # the filesystem is already read-write. Conveniently the + # systemd Makefile sets this up completely wrong. + # + # Flatcar: TODO: Is this still a problem? + dodir /var/log/journal + fowners root:systemd-journal /var/log/journal + fperms 2755 /var/log/journal + + # Flatcar: Don't prune systemd dirs. + # + # Flatcar: TODO: Upstream probably fixed it in different way - + # it's using some keepdir commands. + systemd_dotmpfilesd "${FILESDIR}"/systemd-flatcar.conf + # Flatcar: Add tmpfiles rule for resolv.conf. This path has + # changed after v213 so it must be handled here instead of + # baselayout now. + systemd_dotmpfilesd "${FILESDIR}"/systemd-resolv.conf + + # Flatcar: Don't default to graphical.target. + local unitdir=$(builddir_systemd_get_systemunitdir) + dosym multi-user.target "${unitdir}"/default.target + + # Flatcar: Don't set any extra environment variables by default. + rm "${ED}/usr/lib/environment.d/99-environment.conf" || die + + # Flatcar: These lines more or less follow the systemd's + # preset file (90-systemd.preset). We do it that way, to avoid + # putting symlink in /etc. Please keep the lines in the same + # order as the "enable" lines appear in the preset file. + builddir_systemd_enable_service multi-user.target remote-fs.target + builddir_systemd_enable_service multi-user.target remote-cryptsetup.target + builddir_systemd_enable_service multi-user.target machines.target + # Flatcar: getty@.service is enabled manually below. 
+ builddir_systemd_enable_service sysinit.target systemd-timesyncd.service + builddir_systemd_enable_service multi-user.target systemd-networkd.service + # Flatcar: For systemd-networkd.service, it has it in Also, which also + # needs to be enabled + builddir_systemd_enable_service sockets.target systemd-networkd.socket + # Flatcar: For systemd-networkd.service, it has it in Also, which also + # needs to be enabled + builddir_systemd_enable_service network-online.target systemd-networkd-wait-online.service + builddir_systemd_enable_service multi-user.target systemd-resolved.service + if use homed; then + builddir_systemd_enable_service multi-user.target systemd-homed.target + # Flatcar: systemd-homed.target has + # Also=systemd-userdbd.service, but the service has no + # WantedBy entry. It's likely going to be executed through + # systemd-userdbd.socket, which is enabled in upstream's + # presets file. + builddir_systemd_enable_service sockets.target systemd-userdbd.socket + fi + builddir_systemd_enable_service sysinit.target systemd-pstore.service + # Flatcar: not enabling reboot.target - it has no WantedBy + # entry. + + # Flatcar: Enable getty manually. + dodir "${unitdir}/getty.target.wants" + dosym ../getty@.service "${unitdir}/getty.target.wants/getty@tty1.service" + + # Flatcar: Use an empty preset file, because systemctl + # preset-all puts symlinks in /etc, not in /usr. We don't use + # /etc, because it is not autoupdated. We do the "preset" above. + rm "${ED}$(usex split-usr '' /usr)/lib/systemd/system-preset/90-systemd.preset" || die + insinto $(usex split-usr '' /usr)/lib/systemd/system-preset + doins "${FILESDIR}"/99-default.preset + + # Flatcar: Do not ship distro-specific files (nsswitch.conf + # pam.d). This conflicts with our own configuration provided + # by baselayout. 
+ rm -rf "${ED}"/usr/share/factory + sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf \ + -e '/^C!* \/etc\/nsswitch\.conf/d' \ + -e '/^C!* \/etc\/pam\.d/d' \ + -e '/^C!* \/etc\/issue/d' + + # Flatcar: gen_usr_ldscript is likely for static libs, so we + # dropped it. +} + +builddir_systemd_enable_service() { + ( + export SYSROOT="${ED}" + systemd_enable_service "$@" + ) +} + +builddir_systemd_get_systemunitdir() { + ( + export SYSROOT="${ED}" + systemd_get_systemunitdir + ) } migrate_locale() { @@ -478,13 +591,8 @@ pkg_postinst() { # between OpenRC & systemd migrate_locale - if [[ -z ${REPLACING_VERSIONS} ]]; then - if type systemctl &>/dev/null; then - systemctl --root="${ROOT:-/}" enable getty@.service remote-fs.target || FAIL=1 - fi - elog "To enable a useful set of services, run the following:" - elog " systemctl preset-all --preset-mode=enable-only" - fi + # Flatcar: We enable getty and remote-fs targets in /usr + # ourselves above. if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then rm "${EROOT}/var/lib/systemd/timesync"
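Review bot: `rm -rf "${ED}"/usr/share/factory` and the three-expression `sed -i "${ED}"/usr/lib/tmpfiles.d/etc.conf ...` run without `|| die`, unlike every other install step in this function, so a renamed fragment on the next systemd bump would leave the `C /etc/nsswitch.conf`, `C /etc/pam.d` and `C /etc/issue` copy rules in place and let tmpfiles overwrite baselayout's files at boot. Append `|| die` to both and assert the rules were present first, e.g. `grep -q '/etc/nsswitch\.conf' "${ED}"/usr/lib/tmpfiles.d/etc.conf || die`. The two new helpers should also carry a one-line comment such as `# Enable/query units in the image being built (SYSROOT=${ED}), not on the host.`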